
Wednesday, April 18, 2012

/* Shitty globals */


This is nothing earth-shattering so I'll try to make it short and sweet.  And I'll add the pertinent links later.  If I feel like it.

A couple of weeks ago, the InfoSec Institute announced a privilege escalation problem with wicd in Backtrack 5 R2, which caused the BT people to go into Butthurt Mode and emit a Class 3 Shit Storm.

"Tut, tut," they proclaimed, "you can't escalate privileges on a system designed to be run as root and besides it's not our fucking code."

The InfoSec people said "Ooopsie!", the wicd wonks fixed it, and everyone went on with their lives.

Meanwhile, Hinky stumbles onto a really insecure network while he's hacking around on BT5 R2.  Digging into the available BT tools, he finds netdiscover-0.3beta7, which is basically an arp-spoofing tool in the Information Gathering→Network Analysis→Identify Live Hosts "hive".

It worked great, except the built-in OID list was ancient and didn't identify over 90% of the hosts I found.  So I searched around for the code and found this, in which the author states:
I’ve written a patch for NetDiscover 0.3-beta7 (the last release) that eliminates libnet dependency. 
Apparently he had some religious objection to linking the software with both libnet (old) and libpcap (well maintained), so he fixed it.  He then gives a link to the package at backtrack.it, the Italian headquarters of Backtrack.  So I figure hot damn this must be the place!  And the link doesn't fucking work.

Just my luck.

But this is the Internet, so it has to be somewhere.  I find "an equivalent package" here, also with the same notes about eliminating the dependencies on libnet.

Great.  Well that settles that.  And there's an OUI update script!  Great stuff.  I update the OUIs and compile the program and then...

I am disappoint.  : (

It works, but it doesn't find the hosts that the stock BT5/R2 version finds.  WTF is going on here?

So I run both programs through Wireshark to see the differences.  And the difference is: the BT5 version sends the correct MAC address of my NIC and the "equivalent package"—same version number and beta level, mind you—sets my MAC to...

ca:fe:ca:fe:ca:fe

How about that?  So I look into the code and sure enough, in the source file ifaces.c, under a comment titled...

/* Shitty globals */

... is an array of unsigned chars representing just that value.  As an experiment, I change the array to my MAC address, recompile, and run it.

It works fine.  It finds the same hosts that the standard, off the shelf, BT5 code—same version number and beta level—finds.  And now it identifies the OIDs properly.
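Here is what that Wireshark comparison boils down to, as an added example in C (not code from the post or from netdiscover): an RFC 826 ARP request built with a given source MAC, and a check that the sender hardware address is the NIC's real MAC.  The ca:fe placeholder is the value from the post; the NIC MAC and IP addresses used for testing are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sender MAC the patched netdiscover shipped with (value from the post). */
static const uint8_t PLACEHOLDER_MAC[6] = {0xca, 0xfe, 0xca, 0xfe, 0xca, 0xfe};

/* Build a 42-byte Ethernet/ARP request (RFC 826) the way a host scanner does:
 * src_mac becomes both the Ethernet source and the ARP sender hardware
 * address (SHA).  netdiscover's "shitty global" was fed in as src_mac. */
size_t build_arp_request(uint8_t out[42], const uint8_t src_mac[6],
                         const uint8_t src_ip[4], const uint8_t target_ip[4])
{
    static const uint8_t fixed[8] = {0x08, 0x06,  /* EtherType ARP   */
                                     0x00, 0x01,  /* HTYPE Ethernet  */
                                     0x08, 0x00,  /* PTYPE IPv4      */
                                     6, 4};       /* HLEN, PLEN      */
    memset(out, 0xff, 6);              /* broadcast destination */
    memcpy(out + 6, src_mac, 6);
    memcpy(out + 12, fixed, 8);
    out[20] = 0x00; out[21] = 0x01;    /* opcode 1 = request */
    memcpy(out + 22, src_mac, 6);      /* SHA: replies are unicast here */
    memcpy(out + 28, src_ip, 4);
    memset(out + 32, 0, 6);            /* THA unknown */
    memcpy(out + 38, target_ip, 4);
    return 42;
}

/* The Wireshark check from the post, in code: does the ARP request carry the
 * NIC's real MAC as SHA?  Returns 1 if yes, 0 if not, -1 if the frame is not
 * a well-formed ARP request.  A wrong SHA means replies go to a MAC that is
 * not on the wire, so the scan silently finds nothing. */
int arp_sender_matches(const uint8_t *frame, size_t len, const uint8_t nic_mac[6])
{
    if (len < 42 || frame[12] != 0x08 || frame[13] != 0x06) return -1;
    if (frame[18] != 6 || frame[19] != 4 || frame[20] != 0x00 || frame[21] != 0x01) return -1;
    return memcmp(frame + 6, nic_mac, 6) == 0 && memcmp(frame + 22, nic_mac, 6) == 0;
}

/* Quick detector for the specific placeholder value in an ARP request. */
int uses_placeholder_mac(const uint8_t *frame, size_t len)
{
    return len >= 28 && memcmp(frame + 22, PLACEHOLDER_MAC, 6) == 0;
}
```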

So... what is the difference in the code, besides the OID issue?  Intrigued, I ran both executables through "strings" and discovered that the BT5 version is linked to libnet.  Try it yourself:

#~strings /usr/local/sbin/netdiscover | grep libnet

No denying this is not the same code.  The fine folks at Backtrack took "netdiscover-0.3beta7" and put the libnet stuff back in.

Like I said, this is not earth-shattering, but I have to take Backtrack's "not our code" position with a grain of salt from now on.  I ended up hacking "netdiscover-0.3beta7" to put the real MAC into the "CAFE" array, but I wouldn't have had to do that if BT would release their code.

Shitty globals or not.


Saturday, November 07, 2009

I Hate ATI - FINAL EDITION


After a very long hiatus I decided to lose 45 minutes of my life and finally upgrade the drivers for my Radeon X1300 on my "old" (circa 2003 - JESUS! That is old!) Windows XP box.

So I sashayed over to ATI/AMD and looked around for the driver-of-the-month.

To my astonishment, the driver was three months old!

Not only that, it was classified as a legacy driver.

Yes, Windows XP is on its last legs, boys and girls. I suppose I could upgrade it but I very rarely use the Old Girl for anything except running Virtual Machines. It currently hosts the VM for the Proxy Project, which runs 24x7, but it still runs UT99 better than my dual AMD64 Windows 7 laptop (recently upgraded from Vista).

Anyway, I downloaded the last ATI driver and played some UT today. It ran nicely, but it made me nostalgic for the Good Old Days back when a 3.4mHz "single core" P4 was a hot system.

And now I can't even complain about the drivers anymore.

Saturday, November 22, 2008

CSO PWN3D!!!!


Here's a little bedtime story about Life in Hinky Dink's Security World.

Back in the Old Days, when l33t H@X0Rs and scriptkidz wrote viruses just for lulz and massive IT butthurt (as well as worldwide credz) and had no clue how to make The Big Bucks pimping juicy 0day hax for e-gold, anti-virus companies used to send out newsletters enumerating newly discovered lulzware.

Back then (c. 2001-2005), people used to like to make the Security Team look bad by being better informed about such matters. We had to stay one step ahead, ready with a risk assessment at the drop of a hat. It was simple. In those days, viruses and worms travelled from East to West. Some guy in Hong Kong would go to work at 8AM, open an email, get infected, and begin the process of spewing lulz all over the Intertubes. By the time 8AM rolled around to New York City, most of Europe and Asia would be already infected and the security mailing lists would be well ahead of the anti-virus vendors (it was a funny time - all the "security experts" on those lists got hit the hardest and were generally the most butthurt of them all).

Scanning the lists and sending out local alerts became part of my job. If something was serious enough an email would be blasted to the entire IT department. Since this tended to make otherwise only mildly neurotic server room Trevs completely shit their pants and go into Full Panic Mode, it was avoided as much as possible. It was more important to keep them calm and focused. Otherwise they'd get so scared they wouldn't come back from lunch. For days (I'm not kidding).

At the very least, I would email the security team just to keep them informed. The same went for security patches and the like. It was extremely important to keep on top of things. It still is.

That was then, this is now. Anti-virus companies can't keep up with the malware anymore and they don't send out alerts (in fact, AV is hardly any defense anymore). The Security mailing lists are just short of useless. The one-upmanship is gone, mostly because now it's all about patches and the server room Trevs hate patching. As far as they're concerned patches don't exist and they never heard anything about them.

And instead of three people in the Team, there are now nine security droids. Most of them are newbs, and will freely admit it. And with minor exceptions they appreciate the "heads up" email I - used to - send.

Everyone except His Nibbs, the Chief Security Officer.

To be fair, the CSO gets a lot of email and it causes him unbearable butthurt. It's so bad he's just now answering emails from last May (again, totally serious). In this respect he is an extremely poor communicator. I'm convinced he does this on purpose for "plausible deniability", but a large part of the problem is all his responses must be perfect in every detail, the right font, the right bullet, the right signature, pertinent hyperlinks, etc. so it takes him the better part of an hour to respond - masterfully - to a single e-mail.

It was no big surprise that the Directive came down to "Stop Discussing Things In Email". The Team didn't stop. We simply refrained from cc'ing him. This worked very well, the CSO was oblivious, and everyone was happy, until one day His Nibbs got a hard-on for a huge, steaming pile of Microsoft SHIT called SharePoint.

Then we got a new Directive, "Start Discussing Things In Sharepoint".

OK, fine. I moved my "alerts'n'stuff" to the SharePoint Discussion Board. Only there was one problem: when you discuss something it sends everyone in the Team an email notifying them of the new discussion. When someone joined in on the discussion, everyone got another e-mail. Net effect: no change in the amount of e-mail you received.

Frankly, this is configurable. You don't have to do it and there are other ways (RSS) to get some kind of notification. So then Mr. CSO had a Bright Idea: we would vote on whether or not to turn off e-mail notifications. The "Or Not's" won.

Honestly, I think most of the Team voted it down because the CSO was such a whiner about e-mail. (Note to CSOs who may be reading this: Democracy does not work in your favor. Whether you like it or not - and most do - you are a Dictator. So start acting like one and stop being a Whiny Little Bitch.)

After that, Yet Another Directive came down from the CSO: "Only Discuss Things That I Want To Discuss On The Discussion Board".

That immediately put an end to all discussion, all email notifications, etc. The crickets moved in and the Discussion Board promptly died. Not only did he not want to discuss anything, but the things he wanted to discuss amounted to nothing but Boring Shit. Plus he used it as a venue for new Directives, which, in his perfect and sublime mind, require no discussion. Who would dare argue with the CSO? Problem solved.

Naturally, the Team went back to e-mailing each other without cc'ing the CSO. "Fuck that noise" was the general consensus.

Noticing the Discussion Board traffic dropped down to nothing, and thoroughly annoyed by all the chirping crickets, the CSO decreed SharePoint should be expanded to include Blogs.

Therefore, New Directive: "Discuss Things I Don't Want To Discuss In Your Blog" or, more aptly, "Put That Shit Somewhere I'll Never Have To See It".

OK. Fine.

I became a reluctant, but prolific, Corporate SharePoint Blogger, starting out with a series on Why You Shouldn't Blog At Work Or Anywhere Else (there are no guidelines, no policy, no list of "Do's and Don'ts", nothing). I made certain all my blogs were simple Cut & Paste articles. No original content whatsoever, with proper attribution and a link to the original whenever possible. I don't "say" anything and I'm going to keep it that way until these bozos can tell me what kind of trouble I'm getting myself into.

So that goes on for a few days and one morning I get a call from the CSO. It seems the CFO got her panties all in a bunch about the Pentagon getting infected with a virus and he wanted to know what the Hell was going on.

"Oh," I said, nonchalantly, "DIDN'T YOU READ MY BLOG? I WROTE ABOUT THAT TWO DAYS AGO."

PWN3D!