Steff left the following comment on the Backtrack 4 how-to page. thing is now to figure how to have the second partition encrypted so that every collected info will stay safely encrypted on the “change” partition....

I hadn't really thought about that and promptly started kicking myself repeatedly in the rear end. Having the output of a penetration test on a USB drive is an awfully good reason to make sure that data is not accessible should we lose said drive.

This got me started on a search for a method to encrypt data on our thumb drive. I found two that work although I am sure there are plenty of other ways to accomplish the same thing. This post describes how to setup an Encrypted Private Directory. A later post will describe the second method.


  1. You have already created a bootable Backtrack 4 thumb drive with persistent changes.
  2. You are using Backtrack 4 as root. You can do this with a non-root user also, just make sure to perform the apt-get install as root and then execute the ecrypt  setup as the user.

Encrypted Private Directory

Backtrack 4 is built on Ubuntu 8.10. This is great news for us because Ubuntu 8.10 supports something called encrypted private directories. This is a directory in your home directory, ~/Private by default, with a nifty feature. Any file written to this directory is automatically encrypted using the AES algorithm by default.

Setting this up is very easy and the Ubuntu documentation has almost all the information you need. I found you will need to perform an initial 'apt-get update' before you will be able to install the packages. Don't be concerned when you receive an error during the apt-get update. This is normal and can be fixed, but isn't vital at this point. Here are the steps to take:

apt-get update
apt-get install ecryptfs-utils

After you execute the last command, you will be prompted to enter your login password and either choose a mount pass phrase or generate one.

Logout and log back in to establish the mount

There you have it. You now have a directory in your home directory called Private. Any files written into that directory will be encrypted. Those changes will also be persisted into the changes folder.

Caveat: File and directory names are not encrypted. Be careful what you use for file and directory names.

The Ubuntu documentation gives more details of how you can use the directory such as setting up symlinks to common files. Those directions should be taken into account with your Nessus install. Nessus by default saves information in the users home directory.

As always, feel free to leave a comment with your thoughts and/or questions.


Reblog this post [with Zemanta]


Yup. You guessed it. A new how-to that walks you through creating a bootable Backtrack 4 USB thumbdrive. This time we don't need to worry about updating Firefox or nmap though. You can find it at the link below.

Backtrack 4 - USB/Persistent Changes/Nessus

As always, let me know if you find any problems or have any suggestions.



@hevnsnt posted the following message to Twitter this morning.

hevnsnt watching Strand's hacker vids at

There are some nice videos there. Here are the titles of a few with direct links:

Definitely worth spending some time on.


, , ,


Interviewing Tips

by kriggins on December 10, 2008

in Career, Tips

A couple of things have brought this particular topic to my mind recently. First is the amount of layoffs that we are seeing in just about every sector of the economy. Second is last weeks MentorNet topic.

Most of us are familiar with the first issue, some on a more personal level than others. The second may be a little more obscure. MentorNet is a great organization that I started participating in last year. From the website:

MentorNet is the award-winning nonprofit e-mentoring network that positively affects the retention and success of those in engineering, science and mathematics, particularly but not exclusively women and others underrepresented in these fields.

Anyway, last weeks topic asked mentors to share with their mentees any tips they might have for interviewing.

Here is what I shared.

One of the best resources I know of that deals with interviewing skills is "Knock'em Dead" by Martin Yate.

That being said, here are a few tips that you might find helpful:

  1. Regardless of what is said about dress for the interview, always show up in business attire. You only have a few seconds to make that first impression. How you are dressed is one of the first weapons you have to make that first good impression.
  2. Make sure you do your research on the company that you are interviewing with. Solid knowledge of what the company does is always a good indicator of an applicant's seriousness. Ask questions that show this knowledge throughout the interview so they know you spent the time to become familiar with the company.
  3. Write out answers to common interviewing questions before you start interviewing.  The book above and many websites have lists of commonly asked interview questions.  You will be much better prepared for them if you have already thought about those questions and written answers to them. Just to be clear, don't read these answers to the interviewer 🙂
  4. Have somebody do mock interviews with you. Have them ask the questions you have prepared answers for. Also have them ask some questions that you don't have answers for.
  5. Write down some questions you have about the company and the person you will be reporting to. Good questions are what's the corporate culture like, management styles, career path, etc. Again, the book above has some great ones. Take the list with you and bring it out when they ask if you have any questions. I did this for my last two interviews and it was viewed positively by both.
  6. Ask about next steps when the interview is shutting down if they haven't already shared them.
  7. Finally, never say 'yes' immediately. If the company pressures you to do so, you might want to think about whether that is a good company to work for or not.

What are your tips for preparing for and excelling in an  interview?



Snort, Base, MySQL and a de:ad:ca:fe:ba:be

by kriggins on December 2, 2008

in Tips

A friend of mine came to me today with an interesting problem. He recently set up a Snort sensor and was using Base as his front-end. He was getting some alerts and he wanted to track down the workstation they were coming from. To do this he needed the MAC address of the offending workstation.

This should be easy. Snort is capturing all the information he needs right? He fires up his handy dandy Base interface, selects the alert, and tells Base he wants the payload in pcap format. Pcap format is a format for storing information captured from a network interface. It can be viewed using many different programs like Wireshark, a graphical network traffic analyzer, and tcpdump, a command line network traffic analyzer.

Well, when he opens the file with Wireshark, the source MAC address was 11:22:33:44:55:66 and the destination MAC address was de:ad:ca:fe:ba:be. That didn't seem right so he checks a couple other alerts. They all have the same source and destination MAC addresses. That means one of two things. He either has a miracle network or the data is not real.

I didn't have an answer for him so I posted a question on Twitter. Within an hour, I had the answer we were looking for. @clayshek remembered having a similar issue.  He went to the trouble to dig into the Base source code and found where those values are hard coded into the subroutine that builds the pcap file for downloading. Odd, but mystery solved....or is it?

I couldn't think for the life of me why the developers of Base would be hard coding the MAC addresses into a payload download. So, this evening I installed Snort and Base and started digging. It turns out the issue is not with Base.

As near as I can tell, Snort does not log link layer information to the database when mysql logging is used. Don't know why and can't find any way to turn it on or configure it to do so. However, it does log this information to the file system in you have it setup to do so.

Moral of the story: If you want to get MAC address information from snort captures, you better make sure you are logging to a file system in addition to your database. Otherwise, you are going to be looking at Dead Cafe Babes all day 🙂



The best anti-malware software out there…

by kriggins on October 2, 2008

in Tips

Now that I have made such a bold statement, let me back off a little and admit that I don't know what anti-malware software is the best.  What I do know is that we can actually leverage a behavior that a lot of malware exhibits. "What behavior is that?" you ask.  Well, I'll tell you.

My primary machine at home, the one that has "important stuff" on it, is a virtual machine that runs on my main server.  What type of environment does more and more malware not run in? Yup, a virtual one.

So, there you go, install a lightweight Linux OS with a virtualization platform or something thing VMWare ESXi and then load your daily OS on top of that.  Wah la! Best anti-malware software == malware itself.

Of course, I am not saying you have nothing to worry about with type of configuration. There is a whole host (pun intended) of issues that need to be dealt with and, of course, not all malware is quite this accomodating.  But it did make me stop and go hmmm.

What do you think?



OT: Workflow for Interesting Bits posts…

by kriggins on September 23, 2008

in Tips

This weekend I decided I wanted a more automated way to publish my 'Interesting Information Security Bits' posts. To do that I decided I needed two things 1) a workflow process and 2) some tools to do the dirty work for me. So that is what I set out to setup. The rest of this post gives details of the work flow and the script that I came up with to create the posts.


I decided to use Delicious to collect the things that I want to appear in the posts.  They were going to end up there anyway and an API exists to get at them in an automated fashion.  In order to be able to selectively get just the posts I wanted for a given day, I had to come up with a tagging scheme that would differentiate these bookmarks from any others I might save. I did this by tagging them by date, in YYYYMMDD format, and with 'iisb.'  For this first iteration of the script, I am only using the date portion.  The iisb tag will be used later as I expand this effort.  So my workflow goes like this:

  1. Find interesting things (web, twitter, RSS,etc.)
  2. Bookmark them on Delicious.
  3. Run script once a day.
  4. Profit (not really)

A couple notes about how I bookmark things on Delicious.  I use the Firefox add-in for this.  It makes it so much easier.  When I bookmark something, I make sure to enter a description.  This becomes the text explaining why I think that particular item is interesting. Finally, I also tag the item with other tags.  These tags are for my personal use and also will be used in future expansions of the script.


So, now I have a bunch of things that I believe are interesting that I want to tell all of you about.  Instead of having to spend a lot of time with a blog post editor, I simply login to my linux machine and execute


Tada, magical blog post.

This script is written in perl because that's the language I can churn things out quickly in at this time.  It uses several CPAN modules, but the most important ones are Net::Delicious and WordPress::XMLRPC. Why reinvent the wheel.  Eventually, the posting part will be automatic using cron, but I still have some things I want to do before I turn it loose.

For those interested in the guts of the script, here it is.  It consists of the perl script and a config file.  Obviously, replace my comments below with your info if you want to try it.  I currently have it set to create the posts as drafts and I then go and publish them manually.  Again, this is because this is a pretty young process.

Config file (must be named dailypost.cfg and in the same directory as the script at this time)

  pswd="delicious password"
  prefix="What you want the opening to be."
  postfix="What you want the ending to be."
  category="Wordpress category"
  title="post title prefix. The date will be appended"
  password="wordpress password"
  xmlrpcurl="http://<your site>/xmlrpc.php"

Script.  (I apologize for the complete lack of comments. Quick and dirty was what I was after.)

#!/usr/bin/perl -CS

use Net::Delicious;
use WordPress::XMLRPC;
use Config::Simple;
use Log::Dispatch::Screen;
use Text::Unidecode;
use Date::Format;

my $config = new Config::Simple('dailypost.cfg');
my $description = '';
my $body = '';
my $postDate = time2str("%Y%m%d", time);

my $del = Net::Delicious->new($config);

my $o = WordPress::XMLRPC->new({
  username => $config->param("wordpress.username"),
  password => $config->param("wordpress.password"),
  proxy => $config->param("wordpress.xmlrpcurl"),
  blog_id => $config->param("wordpress.blog_id")

foreach my $p ($del->recent_posts({tag => "$postDate",
               count => $config->param("delicious.count")})) {
  $body .= "<li><a target='_blank' href='" . $p->href() .
               "'>" . unidecode($p->description) . "</a>\n" .
  unidecode($p->extended()) . "</li>\n";

$description = $config->param("wordpress.prefix") .
$body .
$post->{categories} = [$config->param("wordpress.category")];
$post->{title} = $config->param("wordpress.title") .
$post->{description} = $description;

$page_num = $o->newPost($post,$config->param("wordpress.publish"));

print $description . "\n";
print "page num = ", $page_num, "\n";

That's basically it.  I'm happy to have discussion about this with anyone who has questions and feel free to take and use anything you want.  I am also happy to email the config file and script to anyone who wants it.  Just drop me a note a kriggins _at_


{ 1 comment }

Backtrack 3 How-to updated…

by kriggins on September 16, 2008

in Security testing, Tips

Well folks, I made a rather stupid mistake in my Backtrack 3 how-to.  Instead of writing ">>" to append information to a file, I wrote ">" which overwrites the file.

Bad things happen when you overwrite the /etc/ file.

Thank you very much to David who left a comment pointing out my mistake.  The how-to has been updated.



Hacker conference media archive finds a new home…

by kriggins on September 15, 2008

in Tips, Tools

National Archives

Secyurity4all has previously mentioned that the hacker conference media archive has been looking for a new home.  He wrote yesterday that, thankfully, one has now been found.  You can find archived audio and video of presentations from conferences like Blackhat, Defcon, Hope and others at now.


Technorati Tags:


Backtrack/Nessus/Persistent Changes goodness…

by kriggins on September 7, 2008

in Tips

Hi everybody,

Some of you know that I have been working on a document that describes how to  build a bootable USB thumbdrive with Backtrack 3, persistent changes, Nessus, Firefox 3 and Fyodor's Blackhat 2008 nmap on it.

Well, it is ready for real world testing 🙂  I have tested it to make sure it isn't a complete waste of your time, but no warranties or guarantees are granted or implied 🙂

Now, please feel free to send comments or suggestions to me at kriggins [at] or just leave a note on either the how-to page or this post.

If you look in the header of this page you will see a tab titled "Backtrack 3 - USB/Persistent Changes/Nessus/Firefox 3/BH08 Nmap".  That is where the how-to is going to live. Direct link below.

Backtrack 3 - USB/Persistent Changes/Nessus/Firefox 3/BH08 Nmap

Good luck and have fun.