We currently have a job opening at the National Forensics Training Center for a full-time instructor/research associate.  This is at our Jackson, MS location (the Cyber Crime Fusion Center), which is about 2 hours away from the Starkville location where I work.  You would be responsible for managing our lab at the Jackson location, conducting our training classes, and working closely with us on developing new material.

I’m advertising this here, as I imagine some of the readers of this website have the interest and experience that would make for a candidate that we’d really like to work with.

You can find more information about the job and how to apply over at the NFTC site here:


Last night, while my wife had a girl’s night out with some friends, I had the opportunity to hang out in the lab and observe CTF until nearly 10 PM.  Teams were busy in the lab, hacking away the entire time, and I hear that even after I left, there were people in there at 1 AM, and possibly later.  The scores have moved a bit:

  1. Hash Puppies – 15
  2. COPE – 10
  3. SwaffleU – 6
  4. Team 4 – 3
  5. BitBangers – 2
  6. Team 2 – 1

Teams discuss strategy for holding onto flag submissions until the last minute, but often it’s too much to bear to see your team fall down in the current rankings.  A few points placed on the board by one team will often result in points posted by other teams.  I suppose they want to look good on the blog updates ;) .


The students in the CSE 4243/6243 Information Security class at Mississippi State University will begin their end-of-semester CTF exercise today, and in a change of format, it will be for a much longer period of time.  In previous semesters, we have run this exercise during class time, with laptops in one of the classrooms.  This semester, in order to give them more time and opportunity to research obstacles in their way, I have set the game up in our security lab, and it will run from the end of class today (10 AM) to the beginning of class on Monday (9 AM).

There are five teams of students, and each will be racing to find a series of “flags” (10-character hexadecimal students l strings) that are scattered among a series of target computers.  As they find these flags, they will be submitting them to a scoring server to increase their score.  Since the are of varying levels of experience, we have strict rules against attacking other teams directly (though passive monitoring is allowed).

The students have always enjoyed the CTF in the past, and I believe that the new time format will make it even more fun and instructive.  The student teams have been meeting and preparing for some time now, and are very excited.  My favorite team name so far is “The McGrewchebags”.

If all goes well, I will be posting scores and commentary as the competition carries on through the weekend.

If you are a student in the class, here’s a free flag: ff8551ef39


This is just a quick note to serve as a warning to anyone who might be considering buying “Stealing the Network: The Complete Series Collector’s Edition” after reading the description on the Elsevier site:

While I was reading the book and preparing my review, I found that the publisher’s description was inaccurate and misleading, emailed a contact at Syngress, and I thought I had verified that it had changed.  Either I was mistaken and was only looking at the more-accurate Amazon product description, or the changes on the Elsevier site have been reverted.

Here’s what it looks like right now:

The “Stealing the Network Series” has developed a passionate, cult following which includes more than 30,000 readers. Over 3,000 readers have registered their copies of Stealing on the Syngress Web site. The Stealing book signings at the Black Hat Briefings in Las Vegas have become an annual event, attracting hundreds of readers, who want to meet the authors who serve as the heroes and villains of the series. These are true fans. They want the inside scoop. They want their picture taken with the legend, Kevin Mitnick. They want to know if the elaborate hacks in the stories are actually based on real-life, close-encounters. They want to know it all?.Did Jay Beale base his character on the movie “Real Genius”?…..Does FX ever smile?…How tall is Thor?…Is ?Blah? really Roelof Temmingh? Did the guys from Sensepost really receive death threats in South Africa for ?revealing too much?. But maybe most importantly?..they want to know: How does the story end?

Stealing the Network: The Complete Series Collector’s Edition, Final Chapter, and DVD answers all these questions and more. Not only will longtime fans of the series find out how the story ends in the much anticipated “Final Chapter” (The “Final Chapter” will also be available separately as an E-Only product six months after publication of the Collector’s Edition). They will get much more than this. The collector’s edition also contains author-annotated versions of the entire series: How to Own the Box, How to Own a Continent, How to Own and Identity, and How to Own a Shadow. For the first time, the authors will reveal which of the stories and characters are actually based on fact. The authors will share e-mails they exchanged during the writing of the books….and even a few flames directed at one another! Fans of the series have always been attracted to the “rock stars” of the hacking underground who have contributed to the series over the years including: Dan Kaminsky (Effugas), Fyodor, Tim Mullen (Thor), Johnny Long, Ryan Russell (Blue Boar), Jay Beale, Joe Grand (Kingpin), Jeff Moss, and Kevin Mitnick…just to name a few. Friends and foes alike of the authors scour the internet for information on the authors, and some some have even successfully hacked into their computers and e-mail to find out more about them. Now…they can find out everything they ever wanted to know without risking federal prosecution in Stealing the Network: The Complete Series Collector’s Edition, Final Chapter, and DVD.

In addition to The Final Chapter and the Annotated Complete Series, the fanatics will also receive a DVD containing extended, personal interviews with the primary authors and editors of the series. The DVD also contains digital photographs from exclusive and secretive author dinners and meetings at Black Hat and Defcon.

Long time fans of the series as well as a new generation of hackers will be drawn to this unique collector’s edition either for themselves or as a gift for their favorite hacker.

This is an excellent description of what the book should have been.  Unfortunately it’s not the book that you’re ordering.  I’m sure the intent was to have all of these features that would make it a must-buy for fans of the series, but it just doesn’t.  None of the books in the compilation are “author-annotated”.  There is one email shared in the introduction, not the back-and-forth and flames the description claims.  There are no photos on the DVD.  These are all features that were intended for the book, but did not make the cut (presumably a deadline thing).

What you get:

  • A new foreword
  • Each book in the series, as it was published, no editing/corrections, bound together
  • The final chapter
  • A 20-minute DVD that has weird audio issues in some players
  • That’s it.

Depending on how much you pay for it, it could be a really good deal if you do not already have the series (which I do like).

I tried to get the publisher to change the misleading description back when I wrote my review, but apparently it didn’t do any good.  I’m just posting this to make sure that readers of this site and others that stumble across it googlin’ are informed.


Tommorow I fly up to Seattle for The 13th Colloquium for Information Systems Security Education.  I will be participating in Monday’s SCADA Panel discussion, which I’m excited to be a part of.  My contribution to this panel discussion will (hopefully) be to discuss how recent control system vulnerabilities provide us with great educational opportunities and case studies to present classic and theoretical principles to students in security classes.  There are many skills and concepts that educators can expose their students to in the SCADA realm that are useful whether you wind up protecting critical infrastructure or not.

I have run the recently released 60-day Cyberspace Policy Review through the Stanza converter for my iPod Touch, to read it on the long hop from ATL to SEA.  I have a feeling it will be a focal point of many discussions at CISSE (and countless other conferences), so I’m looking forward to becoming familiar with it.  I may share any insights I have after reading it at the conference, and possibly on this blog.

On the outside chance that anyone reading this blog will be there, I should be easy to find.  Please feel free to contact me ahead of time, or track me down there!


…they’re already training up their user base for you.  Here’s how you’d want your email to look:


Yeah, it’s a legitimate email.  It appears that after a year of inactivity, the “My UPS” service will disable/deactivate/expire/do-something to your account.  Are they trying to save a row’s worth of space in their database?  I don’t know.

The problem is that every time you send a legitimate email to your users asking them to update or log into an account, you’re conditioning them, and not in a good way.  Users who may normally be suspicious (and rightfully so) of emails asking them to update their account will be less cautious if it is known to them that the service normally sends out that kind of mail.  Phishers can cash in on this familiarity by mimic’ing real “update your account” messages, instead of having to make official-looking ones up out of thin air.

This is why myspace/facebook phishers are so successful.  You already get tons of legitimate email from them.  It’s easy to craft an evil one that slips right in with the rest.

In this case, UPS has made a wise decision in not directly including a link in the “simply log in to My UPS…” text.  This may condition users into going to the UPS site on their own to log in, rather than trusting wherever a link would send them.  However, with all of the other links in the email, an additional link to log in added by a phisher would not look out of place.

In conclusion: don’t help the phishers out by negatively training users in this way, especially without good reason.  It would probably be better to either keep the accounts around indefinitely, or delete them quietly.  After all, I’m obviously not getting a lot of use out of this one.


I’ve set up an IRC channel for McGrew Security on irc.freenode.net, and you’re welcome to join up and idle alongside me.  I’ve placed a more permanent link to IRC info on my sidebar over <–there–, but here’s basically what you need to know:

  • Server: irc.freenode.net
  • Channel: #mcgrewsecurity
  • I’m cs_weasel

It’s on freenode mostly because I’m already idling there in the local Linux User’s Group channel, #bullylug (slogan: “The LUG that takes your lunch money”), and the Exotic Liability podcast’s channel, #exoticliability.  EFnet is definitely more l33t, but I’m already on freenode, and I like not having to work hard to prevent channel takeovers.

I’m on IRC inside of a screen session, so if I don’t respond to you, it’s probably because I’m detached from it.  I’ll reattach and respond when I’m at-keyboard.

Feel free to idle, basking in pre-web-1.0 goodness, chat with others (and me), and just hang out.


I’ve had to (at least temporarily) remove the slides from my previous post.  

Hopefully they’ll be back in at least some form at some point.

Edit: A few folks have asked: SANS did not ask for the slides to be removed.  They’re totally cool, and have been great to me and the other speakers during this conference.


The other day I decided that I wanted to become more familiar with the internals of the Metasploit Framework, so with the latest svn of the framework and a couple of books on Ruby, I started digging.  I decided a fun project would be to port some of my existing tools and scripts into the framework.  I have started this with this ground-up rework of GooSweep (which has fallen into disrepair), and I have to say: Putting this together in Ruby with the Metasploit framework was a very enjoyable experience, and resulted in something that’s useful and usable way beyond what GooSweep used to be.  I’m definitely going to be writing stuff in the framework more often, now.

This module, web_search_scan, will perform search engine queries (Google by default, but configurable) for each IP address (and, optionally, hostnames found by rDNS) in a range specified by the user.  If there are hits on the search engine for a host, the module will display the number of hits, and URLs to view the results.  If you have a database connected, it will also log notes to the database for each host that it finds.

It’s a simple idea, but I’ve found the technique to be very useful.  It requires a little manual work to check out the results, since there’s no way of really knowing what you’re going to find, but you can find some interesting things like this.  For example:

  • Publicly-accessible and indexed web logs and stats – You can tell if someone at that IP has visited a site, and possibly even when, how often, and what their user agent was
  • Wiki edits and IP user pages
  • Mailing list and newsgroup posts – Hits from the mail/post headers, or occasionally admins asking for configuration help that don’t censor addresses
  • Abuse reports for open proxies, spammers, etc.
  • Posts to forums, comments, or guestbooks that log and display IP addresses

With a little detective work, you can map out some known active hosts on a network, and some information about those hosts, without having to actively probe the network.  This is great for the information-gathering phase of a penetration test.  I’ve also found it to be very helpful for learning more about potential attackers when doing incident response.

Here’s what the module’s info looks like in Metasploit (output edited for width):

HacBook:framework wesley$ ./msfconsole

                __.                       .__.        .__. __.
  _____   _____/  |______    ____________ |  |   ____ |__|/  |_
 /     \_/ __ \   __\__  \  /  ___/\____ \|  |  /  _ \|  \   __\
|  Y Y  \  ___/|  |  / __ \_\___ \ |  |_> >  |_(  <_> )  ||  |
|__|_|  /\___  >__| (____  /____  >|   __/|____/\____/|__||__|
      \/     \/          \/     \/ |__|

       =[ msf v3.2-release
+ -- --=[ 299 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
       =[ 68 aux

msf > use auxiliary/scanner/misc/web_search_scan
msf auxiliary(web_search_scan) > info

       Name: Web Search Engine IP Address Scanner
    Version: 5612

Provided by:
  Wesley McGrew <wesley@mcgrewsecurity.com>

Basic options:
  Name         Current Setting  Required  Description
  ----         ---------------  --------  -----------
  LOOKUP       false            yes       Reverse lookup IPs and
                                          search hostnames too? (Not
  PROXYCHAINS                   no        Pipe-delimited (|) list of
                                          proxy chains to use
  QUIET        false            yes       Quiet output (still logs to
  RETRIES      3                yes       Number of times to retry
                                          queries if they fail
  RHOSTS                        yes       The target address range or
                                          CIDR identifier
  SLEEP        3                yes       Minimum time to sleep between
                                          requests (seconds)
  SLEEPRAND    3                yes       Random additional time to
                                          sleep (seconds)
  THREADS      1                yes       The number of concurrent threads

  This scanner will do a web search engine query for each IP address
  (optionally, rDNS names as well) and record the number of hits and a
  URL to the query results. This is a useful for determining some
  active hosts and information gathering about a network without
  having to directly probe the network. Common results include
  publicly accessible web access logs, mailing list posts, abuse
  reports, and wikipedia edits. (WARNING: If you set LOOKUP to true,
  your target may notice the reverse DNS lookups.)

msf auxiliary(web_search_scan) >

A quick overview of these options:

  • RHOSTS - Set of IP addresses you want to scan.  You can comma-delimit sets of hosts, do dash-seperated ranges, or masks, just like with any Metasploit module
  • LOOKUP - If you like, the module can do a reverse-DNS query for each IP address and perform search engine queries for each hostname found.  If you're trying hard to be stealthy, you may want to avoid this option, as the target's DNS will see the queries.
  • SLEEP and SLEEPRAND - After each search engine query, the module will sleep for SLEEP + rand(SLEEPRAND+1) seconds.  Many web search engines will freak out if you throw queries at it faster than a normal/human user would.  You can adjust this to be faster or slower, depending on how dangerous you feel.
  • RETRIES - Sometimes, even when we're careful, a search engine will respond with something we have no idea how to parse.  Or stops responding altogether.  This is the number of times the module will attempt a query before giving up.  At the end of a complete scan, the module will display all the queries that failed, so that you are aware of any false-negatives.
  • QUIET - If set to "true", the module will only output status at the beginning and end of its run.  If you set this, you will want to have a database connected, as that's the only place the results will be going.  You can set this, use "run -j" to execute the scan, and it will run in the background fairly quietly, letting you do other things in metasploit while this slowwww scan runs :) .
  • PROXYCHAINS and THREADS - Many metasploit modules allow you to specify a proxy chain to work with.  This one allows you to specify multiple chains, which will allow you parallelize and run a scan faster, even with all the necessary sleeping.  For best results, set THREADS to a few greater than the number of proxy chains.  Each thread will claim a proxy for duration of each individual query.  I apologize that this feature isn't extremely well tested (I left my botnet in my other pants).

There's also some "advanced" options, that allow you to tweak where and how the module gets its results.  This can be useful if you need to use a different search engine, or fix the current one if it's changes and breaks the regex.  Here's what you can tweak:

msf auxiliary(web_search_scan) > show advanced
Module advanced options:
   Name           : NOHITSREGEX
   Current Setting: (?:No results found)|(?:did not match any documents)
   Description    : Regex to match a zero-hit search
   Name           : NUMHITSREGEX
   Current Setting: of (?:about )?<b>((?:[,\d])+)<\/b> for <b>
   Description    : Regex to match number of hits
   Name           : SEARCHHOST
   Current Setting: www.google.com
   Description    : Hostname of search engine
   Name           : SEARCHPORT
   Current Setting: 80
   Description    : Search Port
   Name           : SEARCHURI
   Current Setting: /search?hl=en&q=*&btnG=Google+Search
   Description    : Search URI (* for query location)
   Name           : TIMEOUT
   Current Setting: 10
   Description    : Timeout for the search engine to respond
   Name           : USERAGENT
   Current Setting: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv: Gecko/2008070208 Firefox/3.0.1
   Description    : The User-Agent header to use for all requests

One thing you could do with the SEARCHURI option is add in extra parameters such as “site:example.com” to look for mentions IP addresses and hosts only on a specific site.

Here’s what a scan might look like (searching non-routable ranges guarantees some results, but it’s a bit pointless too :) ):

So there you have it!  Here’s the code, if you want to drop it in the framework (tested with the latest SVN of metasploit) and use it yourself:


It’s a weekend, so I’m all for a fun post.

The sexyhacking.com videos are not safe for work, however they’re probably even less arousing than you’d think.  They are hosted on YouTube, after all.  You might want to have a look, though, since they’re funny (intentionally and unintentionally), and who knows how long they’ll actually be around.

In the second video, described as Episode 1 in a series called “Naughty Script K1dd13″, basic compilation and usage of nmap is covered by a somewhat disinterested teacher.  It must be hot in the classroom, since she’s unbuttoned her shirt about halfway down.  Strangely enough, while nmap is displaying its scan, they censor the IP addresses involved with COPS-style pixelization:


If you’re paying more attention to the terminal than the girl, you’ll notice that they’re not very thorough.  At 3:49, we catch the video editor asleep at the wheel as the traceroute pops up :


…and at 3:50, the censor wakes up :) :


I’m not even sure why they’re attempting to hide the IP address.  It’s stated in the narration that sexyhacking.com will be used as the target, and the IP address revealed above is simply what you’d get doing a DNS lookup of sexyhacking.com…

(so long as Dan Kaminsky isn’t angry at you)

So, to sum it up:  If you’re redacting information out of a video you’re publishing, you not only have to worry about people being able to reverse engineer your pixelation (just black it out!), you’ll also have to make sure you blot it out of every frame :) .

© 2012 McGrew Security Suffusion theme by Sayontan Sinha