Pass-the-Hash still works on XP SP3

Ok, so Windows XP SP3 is out.

With this new version:

  • whosthere-alt.exe still works without requiring any modifications.
  • whosthere.exe does not work because this is the more ‘gentle’ and ‘stealth’ 🙂 version of the tool and requires precise memory addresses.

But that’s why I released the passthehash.idc IDA script; so you can easily get these addresses yourself.

And that’s also the reason why the new version of whosthere.exe has a new -a switch that allows you to specify these addresses without having to recompile the tool.

This new version is going to be released soon, but if you want it right now, email me (please, try to email me if you REALLY need it :)).

I haven’t tested iam/iam-alt but the same thing observed with whosthere/whosthere-alt should apply to these tools.

In case you were wondering, the new addresses you need for Windows XP SP3 English are:

whosthere -a 75753BA0:7573FDEC:757D0C98:757D0CA0:757CFC60:757CFE54

From Hexale’s Blog. Download Pass-the-Hash Toolkit.


Videos of Hacker Cons

Almost every security conference we’ve attended in the last year has uploaded videos from their speaker tracks. Explore the archives below, and you’re bound to find an interesting talk.

Found on Hack-a-day.

DecaffeinatID: A Very Simple IDS

This project started because I wanted a simple ARP Watch like application for Windows. In a short matter of time, feature creep set in. DecaffeinatID is a simple little app that acts as an Intrusion Detection System (more of a log watcher really) to notify the user whenever fellow users at their local WiFi hotspot/LAN are up to the kind of “reindeer games” that often happen at coffee shops and hacker cons. For more information on the sort of attacks I’m talking about see my article Caffeinated Computer Crackers. It’s not meant to be a replacement for something more feature rich (but complicated) like Snort. DecaffeinatID watches the Windows logs for three main things and pops up a message in the Windows Systray when it sees any of the following:

Read more and download DecaffeinatID from Irongeek.

Redbook Draft: z/OS Mainframe Security and Audit Management using IBM Tivoli zSecure

Every organization has a core set of mission-critical data that must be protected. Security lapses and failures are not simply disruptions—they can be catastrophic events, and the consequences can be felt across the entire organization. As a result, security administrators face serious challenges in protecting the company’s sensitive data. IT staff are challenged to provide detailed audit and controls documentation at a time when they are already facing increasing demands on their time, due to events such as mergers, reorganizations, and other changes. Many organizations do not have enough experienced mainframe security administrators to meet these objectives, and expanding employee skillsets with low-level mainframe security technologies can be time-consuming.

The IBM Tivoli zSecure suite consists of multiple components designed to help you administer your mainframe security server, monitor for threats, audit usage and configurations, and enforce policy compliance. Administration, provisioning and management components can significantly reduce administration, contributing to improved productivity, faster response time and reduced training time needed for new administrators.

This book is a valuable resource for security officers, administrators, and architects who wish to better understand their mainframe security solutions.

Table of Contents

Part 1. Architecture and design

  • Chapter 1. Business context
  • Chapter 2. Tivoli zSecure component structure
  • Chapter 3. zSecure Admin
  • Chapter 4. zSecure Alert
  • Chapter 5. zSecure Audit
  • Chapter 6. zSecure Visual
  • Chapter 7. zSecure Command Verifier
  • Chapter 8. z/OS compliance enablers
  • Chapter 9. zSecure CICS Toolkit
  • Chapter 10. Planning for deployment

Part 2. Customer scenario

  • Chapter 11. Delft Transport Authority
  • Chapter 12. Project requirements and design
  • Chapter 13. Implementation phase I
  • Chapter 14. Implementation phase II
  • Chapter 15. Implementation phase III

Part 3. Appendixes

  • Appendix A. Troubleshooting
  • Appendix B. An introduction to CARLa
  • Appendix C. User roles for zSecure Visual
  • Appendix D. A look at the Consul/Tivoli transformation

Download the PDF here.

‘The Best Of 2600’ To Be Released At Last Hope

Since its introduction in January of 1984, 2600 has been a unique source of information for readers with a strong sense of curiosity and an affinity for technology. The articles in 2600 have been consistently fascinating and frequently controversial. Over the past couple of decades the magazine has evolved from three sheets of loose-leaf paper stuffed into an envelope (readers “subscribed” by responding to a notice on a popular BBS frequented by hackers and sending in a SASE) to a professionally produced quarterly magazine. At the same time, the creators’ anticipated audience of “a few dozen people tied together in a closely knit circle of conspiracy and mischief” grew to a global audience of tens of thousands of subscribers.

In The Best of 2600, Emmanuel Goldstein collects some of the strongest, most interesting, and often controversial articles, chronicling milestone events and technology changes that have occurred during the last 24 years – all from the hacker perspective. Examples:

  • The creation of the infamous tone dialer “red box” that drove Radio Shack and the phone companies crazy. It was in the pages of 2600 that this simple conversion was first brought to light. By modifying an inexpensive Radio Shack touch tone dialer with a readily available crystal, free phone calls could easily be made from all of the nation’s payphones.
  • An historical chronology of events in the hacker world that led to the founding of the Electronic Frontier Foundation.
  • A close look at the insecurity of modern locks through an article entitled “An Illusion of Security” that debunked the value of Simplex pushbutton locks, used on everything from schools to homes to FedEx boxes.
  • The stories of famed hackers Kevin Mitnick, Bernie S., and Phiber Optik as they unfolded. Through 2600, the world heard these controversial tales despite the efforts of authorities and the mass media.

Hackers invariably find the one hole in an otherwise perfect system or will spend inordinate amounts of time to get around a barrier previously thought to be impenetrable. But the one thing hackers do more than anything else is share information with those who are interested. This book is a gateway into this mysterious yet familiar world of endless technology and security experimenting.

Man am I drooling! It’s going to be released at the Last Hope in NY next month. Here’s the post on and here’s where you can preorder it on Amazon. You bet I am going to preorder it. Now I have to figure out what to do with my large stack of 2600 zines in my closet. eBay?

IBM releases FISMA add-on for Tivoli Compliance Insight Manager (TCIM)

IBM has released a module for its IBM Tivoli Compliance Insight Manager that watches traffic for compliance with the Federal Information Security Management Act. The FISMA Compliance Management Module includes automated log collection, a compliance dashboard, regulatory compliance reports and report distribution. Agencies can generate FISMA-specific reports using the module’s policy and report definition engines. It can be used as a part of an agency-wide program to ensure FISMA compliance, according to the company.

Government Computer News picked this one up.

On Amazon’s Outage…

Amazon suffered an outage today starting 10:30 am PST. For a few hours the main page of Amazon seemed inaccessible and users would get an error message ‘HTTP/1.1 Service Not Available’. There are reports though that users are now able to access the site since 1:30 pm PST.

Using NarusInsight Secure Suite, we are continuing to investigate whether this outage was a result of a network-initiated attack against Amazon. Preliminary analysis doesn’t suggest any Distributed Denial-of-Service (DDoS) attack or any other foul play against the main web site.

Contrary to emerging reports that sites that use Amazon Web Services (AWS) do seem to be running well, we’ve seen that IMDB (Internet Movie DataBase) does appear to have been affected by the outage. My preliminary analysis using NarusInsight Secure Suite shows that at least one of the IP addresses used to host IMDB was under a sustained denial-of-service attack.

I got a good look at the Narus suite of tools a while back and was impressed. The team behind them are equally impressive. Keep a lookout on their blog for updates.