karniv0re's Journal: Security Initiative 2008: Learn2Attack

With half of the year gone, I feel it's time for an update on Security Initiative 2008. So far, I have:

• Been religious about triple locking my doors.
• Set up an encrypted 1TB external HDD.
• Implemented a shredder for my mail.
• Implemented a recycling scheme - Maybe not security related, but it makes me happy.
• Learned about Wi-Fi hacking - Admittedly this is far overdue, but better late than never
• Learned about Bluetooth hacking - This is also far overdue.
• Got back into reading Aggressive Network Self-Defense. This is an amazing book.
• Started using Nessus and Metasploit, and nmap more effectively
• Allowed open wireless connections onto my router.
  • This is security-oriented because it shows that my machines are secure in front of or behind my firewall
  • And it allows me to investigate those connecting to my network - If you connect, you assume the rist.
• Gotten my laptop up and running with Wi-Fi.

Here's what I have left to do:

• Wipe/format/encrypt unused external drives
• Encrypt laptop partition
• Implement an "Internet only" connection and a "work only" connection to secure my network and increase proficiency and work ethic.
• Set up an OpenBSD firewall
• Implement a Strike Back policy
• Set up a Honeypot
• Obtain a collection of pwnd boxes from people who have attacked me.
• Become 1337 and untouchable.

I think this is a feasable goal to reach by the end of the year. So here's the story for today. I have a list of about 16 hosts that have attacked my machine. Basically, they just tried a bunch of brute force logins on SSH. Nice try, fuckwits. So my original assumption was that these motherfuckers must die. But after reading ANSD, I realized that they are probably just pawns used by another source. So I did some scans. Both nmap and Nessus, and Nessus reported that the ones that were up were indeed vulnerable to the infamous "FTP Bounce" attack. This basically allows you to proxy your scans through one machine to another.

So right now I have two main targets. One in China, and one in Egypt. They are both interesting boxes, both seemingly Linux with a ton of open ports just begging to be pwned. So I scanned the China box, being my preferred favorite. Those Chinese motherfuckers hack us all the goddamned time. Why not hack them back? BlackHat FTW!

So Nessus reported that the China box was open to the FTP Bounce. Unfortunately, other than some kind of lame db2 local exploits, there's not much else. So I am now bouncing scans off of China to scan Egypt. Will report in with more info. Here's the command:

$ sudo nmap -v -O -sS -P0 -b anonymous:anon@<FTP SERVER IP> <HOST TO SCAN>