From Security Weekly Wiki

Vulnerability Hunting With Nessus - Part II - Fuzzing

In part I, we talked about how, when Nessus causes a listening service to crash, it can mean many things. Sometimes it means that the application has a buffer overflow, or some other potentially exploitable condition that causes a crash. Capturing the packets, analyzing them, and then manually sending some data was our answer (btw, the bug I found was fixed in more recent versions).

I have taken this a step further and decided to automate some of my testing. I found one new bug and verified an existing bug using a small shell script and Netcat. While this is nothing new (many have their own fuzzers, and there are many to download), it provides a good example of fuzzing and something to build upon.

Existing Bug - An overly long HTTP version string causes the web server to crash. How do we test this condition?

telnet webserver 80
GET / HTTP/[2048 bytes of crap]

The Nessus plugin does this relatively simply, but what if it was a false positive? I decided to write a tool to help me verify these bugs:

./portfuzzer -a webserver -p 80 -f [File Containing 2048 bytes]

PortFuzzer is nice because it uses standard tools: bash and netcat are all you need, making it very portable. Also, your payloads can be generated by anything, further enhancing the portability. For example, I created a directory called "httppayloads" and added a bunch of stuff, like POST requests, DELETE requests, and other various garbage HTTP requests (good web servers will respond with a 401 method not supported or similar message).

New Bug - This was a CPU spike rather than a crash. Analyzing the tcpdump output proved nothing special. But by sending crap to a particular port over and over, I could make the CPU spike to 60%. I used my handy new tool to do it:

./portfuzzer -a vulnserver -p vulnport -l -d [directory of files containing random crap]

By looping through multiple files, my payloads can be dynamic, and the -l flag just makes it keep going while I watched the CPU climb.

PortFuzzer 0.9


- Add a check to make certain the port is still open before sending more crap

- Specify multiple hosts and multiple ports

- Specify a wait time in between sending payloads

- Allow for a numbering system to send payloads in order
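Here is an added bash example of the workflow described above, written for this page rather than taken from Paul's PortFuzzer: it builds the long-version-string payload, sends payload files from a directory in order, and checks that the port is still listening between payloads so the file that took the service down gets recorded. The -a/-p/-f/-d/-l flags are the ones shown above; -w and the port check are assumptions taken from the 0.9 wish list.

```bash
#!/usr/bin/env bash
# portfuzz.sh: an added example re-creating the PortFuzzer workflow described
# above; it is not Paul's script. Flags mirror the article (-a host, -p port,
# -f file, -d directory, -l loop). -w (seconds between payloads) and the
# "is the port still open?" check are assumed from the 0.9 wish list; the
# check is what turns a blind payload spray into a crash detector, because the
# run stops and reports the last file delivered so it can be replayed by hand.
# Assumes a netcat that understands -z and -w (OpenBSD nc, ncat or
# netcat-traditional) and payload file names without whitespace.

# Build the "overly long HTTP version string" request from the existing bug:
# "GET / HTTP/" followed by N filler bytes, terminated with a blank line.
# Usage: make_long_version_payload <byte-count> <output-file>
make_long_version_payload() {
  {
    printf 'GET / HTTP/'
    head -c "$1" /dev/zero | tr '\0' 'A'
    printf '\r\n\r\n'
  } > "$2"
}

# Size of a payload file in bytes, for a sanity check before a run.
payload_size() { wc -c < "$1" | tr -d ' '; }

# Payload files in a directory, one per line, in byte order, so zero-padded
# prefixes (001-get.txt, 002-post.txt, ...) are sent in sequence.
ordered_payloads() { find "$1" -maxdepth 1 -type f -print | LC_ALL=C sort; }

# Exit 0 if host:port still accepts a TCP connection, non-zero otherwise.
port_open() { nc -z -w 2 "$1" "$2" >/dev/null 2>&1; }

# Deliver one payload file; -w keeps nc from waiting forever on a silent service.
send_payload() { nc -w 3 "$1" "$2" < "$3" >/dev/null 2>&1; }

# Core loop. Usage: fuzz_run <host> <port> <loop 0|1> <wait-seconds> <files...>
# Prints the number of payloads delivered; returns 2 when the port stops
# answering, which is the moment worth investigating with tcpdump.
fuzz_run() {
  local host=$1 port=$2 loop=$3 wait=$4
  shift 4
  local sent=0 last=none file
  while :; do
    for file in "$@"; do
      if ! port_open "$host" "$port"; then
        printf '[%s] %s:%s not accepting connections after %d payloads; last file: %s\n' \
          "$(date +%T)" "$host" "$port" "$sent" "$last" >&2
        return 2
      fi
      # A refused or reset connection here is itself a signal; the port check
      # on the next pass reports it, so do not abort on a failed send.
      send_payload "$host" "$port" "$file" || :
      last=$file
      sent=$((sent + 1))
      sleep "$wait"
    done
    [ "$loop" = 1 ] || break
  done
  echo "$sent"
}

main() {
  local host='' port='' file='' dir='' loop=0 wait=0 opt
  while getopts 'a:p:f:d:lw:' opt; do
    case $opt in
      a) host=$OPTARG ;;
      p) port=$OPTARG ;;
      f) file=$OPTARG ;;
      d) dir=$OPTARG ;;
      l) loop=1 ;;
      w) wait=$OPTARG ;;
      *) echo "usage: $0 -a host -p port (-f file | -d dir) [-l] [-w secs]" >&2; return 1 ;;
    esac
  done
  if [ -z "$host" ] || [ -z "$port" ]; then
    echo "host (-a) and port (-p) are required" >&2
    return 1
  fi
  if [ -n "$dir" ]; then
    # Word splitting is intended here: payload names are assumed to have no spaces.
    set -- $(ordered_payloads "$dir")
  else
    set -- "$file"
  fi
  fuzz_run "$host" "$port" "$loop" "$wait" "$@"
}

# Only run the CLI when arguments are given, so the functions can be sourced
# and reused on their own.
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Run it against a test instance of your own service, never production; when it returns 2, the reported file is the input to replay by hand and capture with tcpdump, as in part I.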

Other Cool Fuzzing Type Resources:

dfuz - A more elaborate version of my tool, written in C. Must play around more with this one.

Writing Exploits for Metasploit - They do a similar thing in Perl using the Metasploit library Pex, which in 3.0 is now called Rex and written in Ruby. Not as portable, but it would be cool to have a fuzzer written in Ruby that used this library, dynamically generated payloads, etc...

Simple Protocol Fuzzer - A great little tool, very similar to my shell script one, written in Perl. (Note: Requires Algorithm::GenerateSequence)

An Enormous List Of Fuzzing Tools

Vista (In)security - Eeye to disclose Vista flaw at RSA, native Vista vulnerability.

OneCare/Vista fails to detect malware - [Paul] - Of course most A/V engines do, but still...

INSECURE Magazine #10 - Microsoft Windows Vista: significant security improvement? - In-depth article on Vista security: BitLocker, User Account Control, the new firewall, TCP/IP stack, ASLR, etc... One thought: there are many new features, but these features need configuration; does that mean help desk calls?

Ivan Arce, CTO of Core Security writes in:

Unfortunately it wasn't anything very elaborate or even remotely cool. Third party software simply does not use ASLR and by default Vista has DEP enabled for Windows processes and services only, so we just had to port one of our existing exploits (BrightStor ARCserve backup for XP/2000) by changing an offset in the payload... and it worked, deploys a fully functional agent, etc.

We felt it was necessary to let the community know about it and hence the PR (which came out at RSA during Gates' keynote... oops). So unless your third party software was recompiled and relinked to use Vista's ASLR, and unless DEP is turned on for all processes, exploiting a bug in Vista is as easy/hard as exploiting it on XP SP2 or Win 2003 (hmm, perhaps it's harder on Win 2003). You need to recompile your application using Visual Studio 2005 (which last time I checked was not free either, but I may be wrong on this). Oh, and btw you need VS 2005 SP1 installed because before that SP their linker didn't even have the proper flag to link binaries that were ASLR-capable.

As for UAC... well, it's quite clear that you need to *modify* your application so you are sure that you're not annoying the hell out of your users because you now decided to run your app without privileges.

And DEP is either for all Windows processes and services or for ALL processes (with an opt-out exception list) and requires the corresponding HW support (NX bit CPU). By default Vista comes out with DEP enabled for Windows processes and services, whereas Windows 2003 has DEP enabled for all processes by default.

All these tiny little details are not being actively publicized by the Vista PR machinery, and organizations and the user community may get the wrong impression that just by upgrading to Vista their security posture will be magically improved.

Listener Feedback #5 - Part 1

Jim S.

Jim writes in:


Thought you might be interested in an article that ran in the Risks newsletter; scroll down to the article "RFID access control tokens widely open to cloning". This references the author's web site, which references tools and some of his experiments.

I'm a bit behind listening to the show; there is unfortunately more show than I have commute, but I am soldiering on trying to catch up. I figure you'll all take a holiday break and I'll get my chance then. Keep up the good work, I learn something every time.

--jim schimpf

Crazy Steve

Steve writes in:

Technical Correction: <in the voice of Triumph Insult Comic Dog> Kissing your sister does not count as kissing a girl! You will die alone! YOU SUCK! YOU SUCK! YOU SUCK!

[Paul Asadoorian - We thank you for such insightful and intelligent feedback]

Female Listener Sandy

Dear Paul, Larry, Joe, & Twitchy

First and foremost, I'm a huge huge fan.

I have a question that isn't specifically related to security but something I am trying to understand. Not because I am interested in "beating the system" but because being anonymous on the net is almost impossible and I would like to understand how they "knew".

Three people I know were playing online poker on their laptops from the same house. They were comparing hands, and the 2 weaker hands would lay down and let the strong hand play. They were fairly quickly caught and their accounts frozen. How did they get caught?

Obviously they were all being routed from the same IP, but there are many situations where that happens, i.e. Starbucks. Are there thresholds or patterns in play that they have "signatures" for?

I can't overemphasize how much I enjoy and learn from your podcasts. I look forward to every new episode.

Sandy (your lone Idaho listener (according to Frapper))

[Paul Asadoorian - Just a note, online gambling in the US is unregulated, i.e. they don't ever have to pay out winnings]

John F.

Keep the shows rolling. Good stuff...



[Paul Asadoorian - Official IDA Pro downloads, version 5 demo available]


I think you mentioned the need for some better tools for dealing with nessus data on a pentest/va. I recently wrote a few scripts to start down this path, you can find them at


[Paul Asadoorian - Looks like a good foundation that could be greatly expanded upon, nice work!]

Mike (aka kraigus)

I don't know if you read Jennifer Granick's weblog at all - I know you guys mentioned her in ep52 or thereabouts - but she has a brief posting on the Stored Communications Act. I know something like this would grind Nick's gears (geahs?) so I pass it on in the hopes that he'll froth entertainingly on the subject, if he hasn't already. :-) (I'm a few episodes behind yet, but I didn't see it in a brief perusal of shownotes.) links to

Kind of makes me wonder what the laws are up here in the Great Not-So-Frozen-Right-Now North.


I just started listening to your podcast; most of my favorite podcasts are on the TWiT network. I have to say, after I downloaded some of your older episodes, the current audio quality is much better than the older ones (which, I have to say, were crappy). To tell you the truth, if I had started listening to your podcast a year ago, I would have dropped it after hearing it just once. Let me just get back to the real subject. Several episodes ago, you guys were mentioning hacker movies. The truth is, these two movies deserve a mention if not a place on one of your favorite lists. They are "Pirates of Silicon Valley" and "Antitrust"; well, at least Antitrust is on my favorites list. Dude, how many times have you seen a movie that actually shows the geek using a real Linux console?

Jack D

In case you missed it:

Since PHP has been a topic of late I thought you might be interested in this tidbit from Ben's blog.

Happy New Year Jack

Mike L

Hey guys. You've probably already seen this, but in case you haven't.... Seems like somebody came up with a creative way to identify PCs hiding behind Tor. Link to the Wired article.

Keep up the good work!


Pat (nutjob)

Hi whoever reads these :-)

NSA Security Doc Tables of allowed ICMP messages as for the not allowed table

DENY em all?

Video (All good) Can't vouch for the German ones though

Cheers, Pat aka Nutjob

Jim K

Paul Hope you and yours had a good holiday. Just read about pbnj in Sysadmin magazine.

"PBNJ is a suite of tools to monitor changes on a network over time."


I've been a listener for about 5 months and love the show!

I am the sysadmin for a small non-profit and am always on the lookout for great training. I really wish I could afford some of the SANS training but unfortunately my budget won't allow it. I was reading through the BackTrack site and came across some training for their bootable CD. Do you think this might be a useful option? Can you recommend any other training that isn't a waste of money, other than SANS?

Thanks, Eric

Mike M

Hey, I was listening to Episode 53 and you guys were talking about HIPAA. I have worked for a medium-sized HMO in West Michigan and I am now living elsewhere. My wife happens to be a health care provider (doctor) as well. I will not go to a provider at any of the offices where she works because their EMR (Electronic Medical Records) system is not secure. Let's just say they have wireless and it's Cisco, and their EMR happens to be web based and hosted on IIS. All authentication is NOT via SSL at all. None of the web sessions into the EMR are encrypted via SSL or anything else. Better yet, it uses JavaScript to build forms and other functions. Its back-end database is MS SQL that anyone inside the organization can connect to. Anyway, just because of these issues I will not go to any of the offices or providers in the organization my wife works for.

You can mention this story on the podcast. I would like it if you did not use my name.


Mike M

Jeff (aka mrheffe)

Hey guys - saw this on digg and thought it might be a funny piece for the show. Basically shows a technique for having some non-destructive fun with people who leech off your wifi connection.

Cheers, Jeff

[Paul Asadoorian - We love the upside down internet, I actually prefer browsing the web that way, makes it harder for ppl to shoulder surf my images, or something like that :)]


Actually, I'll make it two, since you guys are the WRT54G gurus (I love the show!)...

1. Will your "Hacking WRT54G" book be out any time soon?

2. I've looked at several sites and Wikis, and I'm still not sure how to make sure that a WRT54G that I order online will run DD-WRT. Is it safest to buy a GL? Is there any way to know for sure?

thanks, karl.

[Security Weekly - Carl, see and]


Hey there!

I fell off the world for a bit there, just wanted to check in, say hi, see how things are going with the podcast and see how you are and how Security Weekly is doing in general!

Got the tix to shmoocon yet?! I am excited!!

Miss Jackalope

Andy W.

Hey guys,

I just saw this and haven't read it yet, but I thought I'd send it to y'all and get your take on it. I know wireless (in)security is your specialty.

Andy Willingham

Jack D (again)

Internet Explorer!

Actually, I had high hopes for this. Dreams of freeing machines from running Windows just to have IE6, but without fully functional ActiveX, many IE-only sites are still broken when viewed with IE on Linux. Firefox works better on some IE-only pages than IE on Ubuntu and Xubuntu. (I know, Twitchy wants the world to use Gentoo, but Gentoo hates me and every machine I have ever tried to install it on.) There is a bizarre satisfaction in heading over to Windows Update with this and confusing the crap out of their detection scripts, though.

[Paul Asadoorian - IE on linux!!! whaaaaaaat? how about a VM that is a stripped down version of windows that runs IE and automatically rolls back after each use?]

Josh G.


I was reading the article linked below and a very simple idea occurred to me: if phishing expeditions returned so much garbage that the gold couldn't be panned out of it, would users (admittedly the foolish users who would be caught by phishing) be protected? In other words, if vigilantes (it's a pretty toothless version of a vigilante, but...) set up systems/software/botnets to spam phishing sites with fake logins would the evildoers be prevented from making the quick money they're after? For instance, at 100:1 fake logins to real logins you might lose your ability to sell your list, or risk giving away what you're doing when you tried to test them (or it would just take for freaking ever to use them over TOR.)

While this thought occurred to me, it also occurred to me that this may just be a plan along the lines of "let's spam the spammers!" or "let's DoS the DoSers!" --the kind of well intentioned but poorly thought-out schemes for saving the world that we all see all the time. So I thought it would be interesting to run past your esteemed panel on the podcast.



Heh. That cracks me up when you guys say that.

So much so that I went out and bought the domain name. Taking suggestions for its use....

Keep up the good work. And oh, Paul... I do believe you've redeemed yourself.



Erwin (Netherlands)


Listening to your show 57 right now. Just a quick note to let you know that I had some real problems with greylisting and online merchants sending confirmation emails and registration codes from their PHP-driven websites. They tend to not like the 450 'busy' message...

Love the show! -erwin (from The Netherlands)

Freeman (again)

I have the new N800 also, but I'm not in Rhode Island. Why not ask around the forums, it's easier to find people there.

Listener Feedback #5 - Part 2

Mike (kraigus)

The URL may change at some point, but I'll put in a redirect.

You have my permission, of course, to use the picture as you see fit (call it a Creative Commons license or something :) ), I don't particularly care if you crop it or blur out my name or like that there - just nothing obscene. ;)

I'll post more to the gallery and let you guys know, if I see any more around.



Re: SE Linux

Martin, I'm CC'ing the Security Weekly crowd,

I actually IMed (is that considered a verb now?) with Larry about this the other day. I find it very "interesting" that several security people are not familiar with a security platform that comes on all new Fedora/RedHat/CentOS (others?) Linux Installs and is turned on by default.

I did some reading today (the network at work was slow) and it seems very impressive. I'm surprised more people haven't tried running this or is it that people run it and just don't talk about it? Is this a well kept security secret? Or is it that it was sponsored or co-developed by the NSA and we just don't trust anything that comes out of them?

Paul etc., I'm sorry to include you in the middle of the thread, but Martin suggested I email you guys and see what you guys think.


[Paul Asadoorian - Yes, we actually suck, which is why we are not all using SeLinux :)]


Quick story that I thought you guys might find interesting. About 4 years ago my fiancée went to a grad school on the east coast which required her to buy a laptop from them. Price was reasonable, solid enough laptop, Windows XP. Of course when she got it I just had to have a poke around and play with it. It was running a Novell client and her user account was configured as a local account (not a domain user).

After she logged on I discovered that her account was enabled as a local admin. For mobile users I can understand why this would be the case back then, but I don't agree with it anymore. Windows updates weren't configured and there were a few updates pending, so I configured the client and installed them. After rebooting I asked her to log on. To my dismay, I discovered her default password was set to her SOCIAL SECURITY NUMBER. It turned out that by default, all students' laptop passwords (meaning local, not domain) were their SSNs. And of course their usernames were their FULL NAMES. Quite a faux pas. Can someone say 'keylogger's wet dream'?

Just curious but was this a standard practice within Universities way back then? If it was, please say it ain't so anymore?

Cheers Lads,


Freeman (yet again)

I just listened to your Security Weekly episode 58, and you guys were talking about a way to detect fuzzy passwords. Well, bad news here: you don't have one and probably never will. The key here is that most of the time passwords aren't sent over the wire, whether you are on the LAN or on the net. You guys probably already knew this, but here goes anyway. In most cases, upon establishing an authenticated connection, the server will send you a random piece of info and say, hey, use this info and your password to generate a hash, depending on what kind of encryption the server and client decide on. Then the hash gets sent to the server, the server performs the same hash, and compares the two. If they both match, then the password the user used is probably the same as the one stored on the server, and therefore the user is authenticated. Well, there is a tiny chance, like one in a trillion, that the wrong password is being used but the hashes are the same, but that number is considered insignificant. And because even a tiny mistake in your password makes the generated hash way off, you can't guess whether the password is fuzzily correct. Well, and if the server could in fact decrypt the hash and get the incorrect password you typed to see if it's fuzzily correct, well, I guess you have other, more serious problems to think about. If you could decrypt the password in one session, guess whether somebody else who is snooping the line can do so also? I'm no security expert and I don't do security for a living, just a geek. This is based on my limited understanding, and I could in fact have misunderstood how certain things work.


Hi Guys-

First off, great job on the show. I listen to it every week and always gain a ton of useful knowledge. It's a great way to keep up on security and to get more exposure to the field.

I am writing because I know that some of your listeners sometimes ask how they can get into the field of information security. I wanted to let you know that there are some significant scholarships available for any US citizens interested in studying an information assurance related discipline through the National Science Foundation. I'm currently a student funded through this program at George Washington. The scholarship pays for all school, books, etc. as well as provides approximately 20k in stipend/ year. To "repay" you must obtain employment at a government agency for the period of time equal to the time you were funded (2 years of school, 2 years of service). It's a great way to get a Master's degree with minimal financial burden. It's offered at a few different schools around the country such as CMU, Johns Hopkins, JMU, George Mason, and GW to name a few. The link for the scholarship details at GW is (If you google "cybercorp", "scholarship for service" you'll find more links).

I don't know if you can mention something like this on your program, but if you decide to, it'd be cool and I'm sure it would be quite valuable to your listeners.

Also, I heard you'll be in town for SchmooCon. Do you have anything specific planned for that time? I'd love to get together at some point that weekend since I'll be at the conference as well.

Keep up the good work.

Best Regards, Greg


Listened to show #58 (18-January-2007) and as usual found out things I never knew before, and more about how to think like a security geek. But you finally talked about areas I know something about and thought I would comment.

(1) The comment about authenticating the user by his typing patterns. I think it works (like Larry, I remember some articles about it).

<snipped out some, would have wreaked havoc in the wiki>

My point is all API calls have gotchas and lord knows it's hard to think of all the possibilities when you use the call. So mistakes will be made, good habits can prevent some of these but there's always that little thing you added in 2 minutes to fix a bug or something that will come back to bite you.


Hola there PSW crew...

Curious if any of you have played with any bluetooth pentest software on the n800 yet? I see a lot of stuff around for the 770, but everything I find dies hard on my new n800....

If so, let me/us all know how =) I'll mess around with a cross compile environment later.


[Paul Asadoorian - Thats a cool name!]


If you haven't seen this, it's pretty hot:

[Paul Asadoorian - Interview with a corpse article, which we didn't talk about, but will starting.....NOW! GO!]

Joe V (Birmingham, AL)

Thanks for playing my sweeper. That was cool...


I have a question about DNS egress filtering. I have been researching this and want to get your opinion.

Scenario. DNS port UDP 53 vs. TCP 53. SMTP server in DMZ. DNS provided by ISP.

Which should be blocked outbound from a DMZ (specifically from an SMTP server)?

Blocking TCP 53 out causes DNS lookups to fail (firewall logs show this). Eventually the service falls back to UDP 53 and works.

So what do you think?

Thanks, Keep up the rockin show.

Joe V Birmingham, Al


Hey guys,

First off let me say I love the show. Just started listening about two weeks ago after seeing a reference to it on Irongeek's site; Right now I've got a job that requires a 1 1/2 hour commute each way, so I load up the iPod with 5 episodes at a time and let the MaxLAWLZ roll!

On one of the previous episodes (I think it was 53 or 54), there was a story someone was telling about a guest speaker in their CSC class who had set up wireless at a new non-profit medical clinic with WEP, and the ramifications of this. At my previous job, I worked for a 3rd party consulting company who installed networks. I was doing a big job for a practice group of about 5 doctors who was migrating away from their serial over ethernet system that ran on VMS to an IP based network and practice management system with all new servers, switches, T1's, and of course wireless access points for the tablet PCs. I got everything set up and configured my access points to use WPA2. During testing, the tablets connected to the wireless started throwing ambiguous cryptic errors while the practice management software was running. After trying a few things on my own I contacted the vendor... Guess what their response was? "It must be that your encryption is slowing down the transmission speeds too much. Turn off your wireless security." Unbelievable, huh? This is a major practice management vendor who is developing software to comply with HIPAA telling me to run an open wireless network inside a practice. I refused, and of course when we tested it with no encryption we had the same issue. A second call and eventually being transferred to the developer yielded that a certain module in the program was trying to communicate over the wired connection instead of the wireless. Go figure.

On a completely unrelated tangent (I know you guys like those), I have been using OpenSuSE since version 8. I think it's very sad that Novell has sold out all credibility the OS had by partnering with Microsoft because it really is one of the more solid Linux distros I've found. Anyways, just wanted to throw that in for you. Rock on guys...looking forward to a great show next week, and maybe I'll see you around in the IRC channel.

Russell (or tcstool in IRC)


Hey Gang,

First of all let me say that I have been listening for a fairly long time now and your show is the one that I never miss. Other podcasts have to wait when a new Paul dot com episode comes out. You guys are doing a great job, keep up the good work.

I do have some questions and comments on the show.

First of all after hearing your show several weeks ago where you talked about the Nokia N800, I went out and bought one myself - I had been thinking about getting an N770 for awhile and the release of the new one sealed the deal for me. Besides web browsing, I'm not sure what else I'm going to do with it at the moment - it does not play Xvid/Divx movies as far as I can tell and I cannot get it to pair with my Motorola Q from Verizon so my web browsing is limited to places with 802.11. I'm sure that more stuff will come out for it, but I'm also hoping that you guys talk about it more on the show, particularly when you find a cool application you are using.

Secondly, a couple of weeks ago, you were talking about the MOAB project and mentioned that one of the ways you test exploits is to use a VM sandbox. I'm curious how you do this for an Apple system. To the best of my knowledge, there is no VM product that allows OSX guest machines. Have you found one? I use sandboxing all the time on my Windows/Linux guests, but it would be cool if I could also use it to create Apple guests.

I have another somewhat interesting scenario that I would like your advice on. My university has wireless access in each classroom but allows the instructor to determine whether the users in that classroom have full internet access, access only to the local university net, or no access at all. The way they do this is to place a wireless access point in the instructor's podium in each classroom. The individual classroom settings control that particular access point along with all clients that connect to it. Since the classroom access point is always broadcasting the strongest signal to the clients in the classroom, everyone in that class connects to it. Now, it would seem to me that if I could tell my wireless client to ignore that particular AP, it could connect to one of the other access points that might have a less restrictive policy configured. What are my options? I generally bring an Apple MacBook Pro to class with me, but I could certainly trade it for either my Windows PC or my Ubuntu one if I needed a tool on a different platform. Just a quick note here - I am not interested in a solution that would require any kind of denial of service or similar attack on the AP itself - I am not looking to disrupt anything - just to be able to exempt myself from the restriction. I'm thinking that there has to be a way to selectively associate with particular access points, but I just can't think of it.

I want to ask Twitchy a question. He is very clear in his disdain for the Mac as well as Windows and anything it seems that does not run a text based interface. I would love it if Twitchy could point out some specific incidents where a Mac exploit was actually used to cause serious mischief to a large number of users.

That all said, I have a tremendous amount of respect for Twitchy. He sounds a whole lot smarter than I will ever be and I'm glad he's on the show. I would just like him to occasionally consider providing some concrete examples to support his recommendations.


Jim B

Kerry K

There was a quick comment made a couple of podcasts ago, that I was looking for more information on.

Someone made reference to the ability to use BASH instead of Netcat, since most distributions had some binary modules turned on by default? Not sure how accurately that portrays it, but I haven't been able to google anything that sounds similar to me.

Thanks, Kerry

MS. S. M.

Dear Paul,

I enjoy your show. In the short time I've been listening, I've found it to be a great source of information. Unfortunately, I'm never quite sure exactly who is talking at any time.

Which makes it difficult to determine who is the idiot that likes to loudly yell "ooouuu!" into the microphone. Would this be Twitchy?

As a listener, I find this very annoying. Please lower the gain on his microphone. Better still, roll up a newspaper and give him a good smack on the nose every time he does this. Over time, it will condition him to behave professionally on the air.

Sincerely, MS. S. M.


So since we're talking about HIDS, I have recently played with free tripwire again, as well as aide, but really fell in love with a HIDS tool called Osiris ( Was wondering if you guys have run into it? It's open source, it's clients build on just about anything- they even have a client for Winders. Any comments good or bad on Osiris ? It seems to run well, detects changes, is modular and allows centralized reporting, etc..


Thanks much for the podcast, it makes my hellish southern california commute sane.


Nils (Germany)

Hey guys, first of all: I've been addicted to your show since last summer! Thanks! :-)

My question: As you are talking a lot about Shmoocon and you are presenting there... I wonder what kind of conference you guys would suggest to go to. It should be one which is worth coming over to from Germany.

About me: I'm 33 and working for a big telecommunication supplier (no, not the one you bought your Nokia N800 from... the better one! :-) as a Sys/Network engineer.

Take care guys and I really appreciate your good work!


PS. In case I come over I’ll bring you some really good German beer ;-)

Jeremy (Australia)

Hi guys - obligatory I love the show and the tangents.

Just wanted to drop you an email to bring a few related topics to your attention. I work for an Australian telco as an Information Security Specialist and we have recently been subjected to a few attacks that has shed light on some interesting items. I'm hoping that you might include them in the show, if it's not old news, so that general awareness can be raised.

Webattacker Not unusually we have had plenty of SPAM and phishing emails. A few caught my attention because they seemed to have no payload at the end of the link. Just golf jokes and a flash game. Looking at the page source more closely I discovered an i-frame that lead to a PHP page that then sent some javascript. This javascript included an encoding function and some ASCII, which when decoded on the local machine contained html and more javascript. The decoded javascript interrogates the browser version and chooses a relevant exploit. It even had one for Firefox. Pushing the right variables to the PHP page we were able to extract the final payload, which when sent to our AV vendor turned out to be a new variant of a keylogger. This is not all that unusual, but after some Google-ing I found that this PHP code can be purchased as a package from a group in Russia. It's called Webattacker and can be purchased for about USD$300. Websense did a write up as well. Links below: Websense - Wikipedia - Russian group - ***beware turn off javascript before heading here***

DollarRevenue and ShadowServer The existence of webattacker made me think of a few other sites that I monitor. One is DollarRevenue, these guys pay you for each machine that you infect with their executable. They give you 3 cents for each US based machine, 2 cents for Canadian etc. Some guys are making a bit of money out of this. Hence the market for a tool like Webattacker. The other site is ShadowServer, which completes the picture with up-to-date reports of how many botnets are out there as they track them the best they can.

DollarRevenue (Google cache) -

ShadowServer -

In my environment, this is pretty big news as we have put a fair bit of energy into perimeter security and antivirus as protection mechanisms against this sort of stuff. But both of these technologies were useless in this instance as the keylogger was a new variant and IE is coming out with new vulnerabilities all the time, and our biggest vulnerability (the users) just got bigger. I'm not trying to bash users, it's just the truth.

So hopefully this is newsworthy, if you need any more information I'm happy to send it on. Especially the javascript encoding function was pretty special. Let me know.

Thanks for going to the effort of making InfoSec interesting and even fun with your Podcast.

BTW - I won't send Fosters, Coopers is the Australian beer of choice. If the info above is not perceived as way behind the eight ball then I will see what I can do about getting you some Coopers.
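A heuristic scanner for the two-stage pattern Nick describes above (a hidden iframe pointing at a PHP page, plus inline script that decodes a long string blob and executes it), written as an added example for this page rather than anything from the email or the Webattacker kit. The sample page, the host example.invalid and the 200-character blob threshold are constructed assumptions.

```python
import re
from html.parser import HTMLParser


class _Collector(HTMLParser):
    """Collects iframe attributes and inline <script> bodies from a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []          # one attribute dict per <iframe>
        self.scripts = []          # inline script bodies
        self._buf = None           # non-None while inside <script>

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:  # HTMLParser delivers script text in chunks
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None


def _is_hidden(attrs):
    """True for iframes styled invisible or sized 0x0 / 1x1 (assumed heuristic)."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    dims = [attrs.get("width"), attrs.get("height")]
    return all(d is not None and d.strip().rstrip("px") in ("0", "1") for d in dims)


def scan_page(html):
    """Return a list of findings describing drive-by indicators in the page."""
    p = _Collector()
    p.feed(html)
    p.close()
    findings = []
    for a in p.iframes:
        src = a.get("src") or ""
        if ".php" in src.lower() and _is_hidden(a):
            findings.append("hidden iframe to PHP page: " + src)
    for body in p.scripts:
        decoder = re.search(r"\b(unescape|String\.fromCharCode|eval|document\.write)\s*\(", body)
        blob = re.search(r"['\"][^'\"]{200,}['\"]", body)   # long opaque string literal
        if decoder and blob:
            findings.append("inline script decodes a long string blob and executes it")
    return findings


# Constructed sample page mimicking the described lure: jokes up front, hidden iframe,
# and a self-decoding script; the blob is just filler, not a real payload.
SAMPLE_PAGE = """<html><body><h1>Golf jokes</h1>
<iframe src="http://example.invalid/counter.php" width="1" height="1" style="display:none"></iframe>
<script>
function d(s){var o="";for(var i=0;i<s.length;i++){o+=String.fromCharCode(s.charCodeAt(i)-1);}return o;}
var p="%s";
eval(d(p));
</script></body></html>""" % ("A" * 240)

if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE):
        print("FINDING:", f)
```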

Nick (not twitchy)

Hey guys, I was wondering if you might be able to help. At 12:11 PM today I tried getting tickets during the last round for Shmoocon but they were sold out. Do you know of any other decent East Coast conferences or do you know anyone selling their tickets to Shmoocon? You snooze you lose I suppose.

The podcast is great and definitely the best security focused podcast out there. I know you always mention to send suggestions and or feedback but to be honest I can't think of any besides sometimes I wish I could figure out who some of the samples you play are.

Thanks, Nick

Hi guys,

I'm soon going to find myself in the interesting position of being broke in a country where I am unable to work locally. I'm wondering what kind of work is available to security geeks who need to be able to operate entirely online / over the phone.

Thanks for the help and keep up the good work on the podcast.

PS. Please note that income need only be US$100 per week to meet expenses.

John (From NY)

However, I can't find a SINGLE product that addresses whole disk encryption on the Mac (and BootCamp will likely make this more complex, too.) PGP for Mac doesn't encrypt boot drives, which is just about worthless. Apple's File Vault ONLY addresses the user's directory. TrueCrypt may be coming to Mac OS X, but it still won't do whole disk encryption. I've contacted a few vendors, including Win Magic, and they say they're looking into a Mac product but don't give any time frames.

Perhaps you or your listeners may know of something? How are you handling encryption with your Mac?

Thanks, John B

Pete (Spain)

I have chosen as my first project to get LINUX installed on an old laptop running Fedora Core 6 and get Kismet running. That blew up on me and so I want to take a step back and get your opinions on a good book for LINUX concepts and workings. I am using the documentation over at:

And was unable to get it up and running. Ever heard of this site?

I would like to use Ubuntu because Larry and Paul both said it was a good starter platform but the promised material for getting Kismet up and going on Ubuntu never materialized. I remember Twitchy saying it took him minutes to get MadWifi drivers installed and a quick promise to get that documented and out there. Was anything ever published by you guys on this?

Then I would like to get familiar with Metasploit, Canvas, an IDS solution (ideas?). SANS training is out of the question because of price. I make a decent salary but even so a typical SANS course is way more than I make in a month. So like everything else I have gotten done (MCSE, CCNA, CCNP) I will have to teach myself with books, labs and simulators. I need the names of like 3-4 books. I should also mention I can't program for jack shit.

Tim R

Hey Paul,

I just finished listening to the most recent podcast and really enjoyed it!

Since you had brought up InProtect in the interview, I thought I'd ping you and point you to a product called nessquik, which I'm the maintainer of.

Thanks again for posting the interview! Tim R

Hey guys,

Hope you don't mind this but I was hoping you could give me some advice; I'm 3 years into my IT career, 2 as a network engineer at a consulting company, and one as administrator of a medium sized network. Well I'm starting to get bored, and security concepts have really sparked my interest lately (thanks to your podcast and Irongeek's site...I met Irongeek at Phreaknic, what a cool guy, but that's a tangent...). Anyways, I want to start moving my career in that direction, so I took the CompTIA security+ exam, which was..well...Let's just say not the most hardcore exam I could have taken, but hey I got an 876/900 on it. So anyways, long story short, the SANS certs are WAY out of my price range right now, even for self-study, but I've been taking a look at the Certified Ethical Hacker exam. The material is interesting and it looks pretty comprehensive. What do you guys think of this cert? Does it have a pretty good rep in the industry? Thanks for the help. Keep up the great podcast.