Re: DD -> Netcat NT Imaging

From: Dragos Ruiu (drat_private)
Date: Mon Jun 03 2002 - 08:11:46 PDT


    If data confidentiality is a concern, stunnel might be of
    assistance too.  There are some other encrypted tunnels
    too...
    
    If you use cryptcat, please remember to change the fixed
    key. :) But _do_ expect to incur some performance penalty
    for the crypto :-).
    
    cheers,
    --dr
    
    P.s. to Matt, if you need a trinux "proxy" let me know :-),
    odd that it would be blocked by anyone. Time to break out
    traceroute?
    
    On Mon, 3 Jun 2002 09:44:32 -0400 
    "Estes, Matt CPR / FCBS" <Matt.Estesat_private> wrote:
    
    > Thanks for all the responses...
    > 
    > Imaging Security:
    > Yes, netcat pumps all those bits in the clear, to prevent interception...
    > 
    > 1.) Disconnect host machine from LAN and use a private hub, might be a good
    > idea if you suspect compromise regardless.  Thanks Jesse.
    > 
    > 2.) As Shawn said, use cryptcat.
    > > Perhaps an alternative to nc is cryptcat
    > > <http://farm9.com/content/Free_Tools/Cryptcat> to add 
    > > encryption of the data passed over the network.
    > 
    > Dangers of dd (aka. Delete Drive)...
    > It only takes one typo to ruin an entire drive with dd (like dd of=\\.\C:
    > instead of dd if=\\.\C:).  I'm using two unused partitions for testing.
    > 
    > Imaging a drive...
    > Replacing "if=\\.\C:" with "if=\\.\PhysicalDrive0" on the windows side.
    > Thanks for the info from Mr. Syring... and thanks for porting this dd.exe.
    > Replacing "of=/dev/hdb1" with "of=/dev/hdb".
    > Again, dd is dangerous and now your entire drive is vulnerable to a typo,
    > and not just one unused partition.  I have NOT tested this.
    > 
    > Other Stuff:
    > I'm using netcat 1.10 on the windows side (latest from @stake's website) and
    > 1.10 on the linux side.
    > I never could get to trinux... maybe someone upstream from me has issue with
    > Trinux :-).
    > 
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    > 
    
    
    -- 
    --dr                  pgpkey: http://dragos.com/dr-dursec.asc
          CanSecWest/core02 - May 1-3 2002 - Vancouver B.C. - http://cansecwest.com
    
    



    This archive was generated by hypermail 2b30 : Tue Jun 04 2002 - 04:35:55 PDT
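
The dd typo risk raised in the quoted message (an `of=` typed where `if=` was meant) can be reduced by pinning the copy direction inside wrapper functions. This is an added example, not part of the original thread: the names `send_image`, `recv_image` and `CONFIRM_TARGET` are hypothetical, and the local pipe in the usage comment stands in for the netcat, cryptcat or stunnel link.

```shell
#!/bin/sh
# Added example (not from the thread): wrappers that fix dd's direction so a
# single mistyped if=/of= cannot turn the evidence drive into a write target.

# send_image SRC
# Evidence side. SRC is only ever handed to dd as if=, and this function never
# builds an of= argument, so it can only read. The image goes to stdout.
send_image() {
    src=$1
    if [ ! -r "$src" ]; then
        echo "send_image: cannot read '$src'" >&2
        return 2
    fi
    dd if="$src" bs=64k 2>/dev/null
}

# recv_image DST
# Collection side. Reads the image from stdin and writes it to DST, but only
# after checking that DST is something the operator meant to overwrite.
recv_image() {
    dst=$1
    if [ -b "$dst" ]; then
        # Whole-device target: the operator must repeat the exact path in
        # CONFIRM_TARGET, so one typo in DST alone is not enough to wipe a disk.
        if [ "${CONFIRM_TARGET:-}" != "$dst" ]; then
            echo "recv_image: set CONFIRM_TARGET='$dst' to write a device" >&2
            return 3
        fi
    elif [ -s "$dst" ]; then
        # Existing non-empty file: never silently replace an earlier image.
        echo "recv_image: refusing to overwrite non-empty '$dst'" >&2
        return 4
    fi
    dd of="$dst" bs=64k 2>/dev/null
}

# Usage sketch (constructed paths; the pipe stands in for the network link):
#   send_image /path/to/source | recv_image /path/to/evidence.img
#   send_image /path/to/source | CONFIRM_TARGET=/dev/hdb recv_image /dev/hdb
```

On the collection side, pick the destination before the sender starts, since `recv_image` exits immediately if its check fails and the sender's pipe or connection will then close.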