The other side of anonymity?
Hello everybody,
I’ve been doing some reading, mainly about anonymity, since I reckon it is the number one important thing when attempting to penetrate a system/website or whatever it is. However, I have found very little about the other side, which is how you would trace someone who has either attempted or succeeded in penetrating whatever you have. Does anyone know more about this? This is probably going out to those of you who run sites, but I would love to hear more from anyone who knows. It’s useful from both sides too: if you know how people will trace you, then you have a better understanding of how to remain anonymous…
Nick
You must understand that all routers, firewalls and servers log every activity. We send it to a syslog server most of the time and use software like Splunk to analyse it and send alerts. Personally, I keep track of everything in the past year… Of course, we detect hundreds of attacks every minute… so as long as you don’t break anything… administrators will probably not pay attention to you or run after you…
You must be aware that we are not only able to track your IP address… We can get information about your system… Even your hard drive has a fingerprint that can’t be modified. Your network adapter has a MAC address… You should also realize that your own computer logs a lot of information… use a live CD (unplug the hard drive just to be sure)… or maybe use a disposable netbook. Throw it in the garbage when you are done.
Never use your computer. Never use a connection related to you. Don’t go to your favorite café or library. Pay attention to cameras. If you go out one night for war driving, don’t use an unsecured connection in your neighborhood. If you have to make a transaction or phone call, use a prepaid card (which you buy with cash, of course).
Also…. be prepared to run… Don’t get too fat!
DaGr8
Just because I am paranoid doesn’t mean they’re not after me…
And of course, if you are able, it’s always a good idea to destroy every log file on the system you hack before you go. Your best bet is to hack the syslog servers! haha!
Just because I am paranoid doesn’t mean they’re not after me…
I’ve been having a look around at syslog… not as much information as I wanted… Can you help? So the syslog server sits on the network, but on what port? Is there any way of connecting to it? And if so, how do you clear it? I was thinking that if you were to spam the server with loads of spoofed log files, it must have some sort of automatic deletion… otherwise it would just fill up… Any ideas? Thanks,
Syslog runs on UDP port 514. You have to scan for open ports on the server if you want to connect to it. Of course, since it’s a security system, it might not be easy (depending on the admin). Retention depends on the administrator too. You are correct about automatic deletion. If the admin didn’t think about this, you could even try to fill the drive. But keep in mind that it’s text data… 1 character = 1 byte, 1GB = 1,073,741,824 characters. You’ve got to send a lot of crap if you expect to succeed. Hard drives are cheap these days…
Personally, I have hundreds of network devices sending hundreds of messages every second and I’m not worried about hard drive space…
Just because I am paranoid doesn’t mean they’re not after me…
I have found this; to anyone reading, I found this a useful article: http://www.hackinglinuxexposed.com/articles/20030220.html
Spamming it looks possible and could be done from a script; however, there must be another way. I’m thinking either to stop the logging altogether… Any way to temporarily bring the server down? Does the syslog server log attempts to log on to it? I know that you can log on to it from a Unix port, so as a user on the network. But then the same problem exists: by trying to find yourself a way in, you are already being logged. This may be an odd thought, but what about the old non-subtle brute force programs? They have the ability to send hundreds of requests. Could you run something like Hydra, logging on to the syslog server? Thanks,
Nick
I need to start testing. I’ll set up a box as a syslog server and see what I can do with it. I’ll keep tabs on what I do in case I have any sort of success, so I can do a write-up. DaGr8, could you tell me your syslog setup? As in what you do and don’t have enabled; I’m guessing you don’t listen over the network? Just so I have a real-world example to base my test on. Thanks,
Nick
Personally, my log server is not really hardened… (might change this if I keep talking too much ;) ) It’s only reachable from inside (not the DMZ or Internet). I only log the network devices (firewalls, switches, routers and WLAN controller). It runs on Windows 2008 R2, no firewall activated. I can RDP to it with a domain admin account. It’s also reachable over HTTPS with a local database account. It runs Splunk, which is the most fantastic software of all time! Take a look at it if you are an admin… The non-free version is expensive ($5000) but it sends alerts, so it’s really kewl. Plus, it’s wonderful for monitoring any kind of server (AD, PHP, Exchange, name it…). I have no log rotation. If the hard drive is filled it will stop logging…
Well I guess that’s it… I will take a look at this tomorrow!!! :(
I chose Splunk, but SolarWinds and Ipswitch offer popular products too. I didn’t use a Linux server, but there must be nice software too, and network guys really enjoy Linux tools, as you might know.
DaGr8
Edit: One more point of failure, I don’t filter the senders! Doh!
Just because I am paranoid doesn’t mean they’re not after me…
DaGr8, thanks for that. I’ll try and get it set up tonight and see what I can do with it. I’ll leave it listening on the network so I can see what happens when I try and connect. Interesting that you don’t cycle the logs, so with a large amount of log files sent to it, it would stop logging altogether, giving anonymity while I have a go at whatever it is I want to.
Yeah, I have been lazy on this. Now it’s fixed. I have set up a cycle for the logs and I accept data only from a whitelist.
Thanks for pointing this out to me.
DaGr8
Just because I am paranoid doesn’t mean they’re not after me…
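The two fixes DaGr8 ends the thread with (a sender whitelist and log rotation instead of a disk that fills and stops logging), plus a per-sender volume alert for the flooding scenario discussed earlier, as an added illustration that is not code from anyone in this thread or from Splunk. The addresses, the allowlist, the sample syslog line and the in-memory "files" are constructed; the parser follows the BSD syslog (RFC 3164) line format that a UDP 514 receiver would see.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Constructed allowlist (hypothetical addresses) of network devices permitted to send logs.
ALLOWED_SENDERS = [ip_network("10.0.0.0/24")]
MAX_FILES = 3  # rotated files kept; the oldest is discarded instead of logging stopping
SYSLOG_RE = re.compile(  # RFC 3164 style line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: message
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.+)$")

def parse_syslog(line):
    # Split a BSD syslog line into facility, severity, timestamp, host and message.
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri >> 3, "severity": pri & 7,
            "timestamp": m.group("ts"), "host": m.group("host"), "msg": m.group("msg")}

class LogReceiver:
    def __init__(self, allowed, max_bytes, flood_threshold):
        self.allowed, self.max_bytes, self.flood_threshold = allowed, max_bytes, flood_threshold
        self.files = [bytearray()]            # in-memory stand-in for the rotated files on disk
        self.count_by_sender = defaultdict(int)
        self.dropped, self.alerts = 0, []
    def sender_allowed(self, src):
        return any(ip_address(src) in net for net in self.allowed)
    def handle(self, src, datagram):
        # One UDP datagram from address src; a real receiver would bind UDP 514 and call this.
        if not self.sender_allowed(src) or parse_syslog(datagram) is None:
            self.dropped += 1                 # unknown sender or malformed line: drop it
            return False
        self.count_by_sender[src] += 1
        if self.count_by_sender[src] == self.flood_threshold:
            self.alerts.append(f"flood from {src}")   # an allowed device flooding is news too
        data = (datagram + "\n").encode()
        if len(self.files[-1]) + len(data) > self.max_bytes:
            self.files.append(bytearray())    # rotate instead of filling the disk
            del self.files[:-MAX_FILES]       # keep only the newest MAX_FILES files
        self.files[-1].extend(data)
        return True

def demo():
    rx = LogReceiver(ALLOWED_SENDERS, max_bytes=200, flood_threshold=5)
    good = "<134>Feb 20 10:15:01 fw1 kernel: blocked tcp 203.0.113.5 -> 10.0.0.7:22"
    rx.handle("192.0.2.9", good)              # not on the allowlist: dropped
    rx.handle("10.0.0.2", "garbage")          # allowed sender, malformed: dropped
    for _ in range(8):
        rx.handle("10.0.0.2", good)           # stored, rotated twice, flood alert at the 5th
    return rx
```

Because UDP source addresses can be forged, the allowlist only removes casual noise; the per-sender counter is what tells the admin that a trusted device address is suddenly chattering far above its normal rate.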