January 29, 2007

Coach K is still alive!

Filed under: Ranting and Raving — jason @ 1:39 pm

While driving down the Martha Layne Collins Bluegrass Parkway this weekend, it occurred to me that something has changed about the way we honor people in our society. Specifically, we don’t wait until they are dead anymore. Does this practice bother you as much as it does me?

For some reason, I always thought that we honored people by naming a road or building or something else after them once they passed away. It seems egotistical and maybe even just a little creepy to have something named for you while you are there to see it. Sure, people give big sums of money to schools or institutions and get a building named after them right then. But isn’t it supposed to be different for how we honor our famous leaders and heroes? Isn’t it more special, even more honorable, to give something their name to help us remember what they did for us once they are gone?

I am freaked out even more about this trend appearing on college basketball courts. Mike Krzyzewski is still Duke’s active basketball coach and yet when he’s on the bench, he is standing just a few feet away from the “Coach K Court” logo. Doesn’t that freak you out? He’s right there! Better yet, doesn’t it freak him out? This weekend, I watched Arizona play on “Lute and Bobbi Olson Court” – Lute is Arizona’s coach, Bobbi was his wife who died of cancer. Couldn’t they just name it “Bobbi Olson Court”?

Martha Layne Collins helped bring Toyota manufacturing to Kentucky, which brought jobs and tax revenue to our state in a big way. And, dare I say it, Coach K might rank as one of the top college coaches of all time. For me, however, their achievements are cheapened just a little by seeing their names already engraved on things as if they were one of our greatest ever role models. Heroes are supposed to be the kind of people that shrug off recognition and say “I just did what I was supposed to do” or “Anyone would have done what I did”. Did anyone ask Martha and Mike if they wanted these things? More importantly, did they say yes?

Asking these questions leads me right to one of the things that really irks me about people today. In my experience, very few people want to take responsibility for anything but almost everyone wants recognition for what they do right, even when it was what they were supposed to do anyway. College basketball coaches are supposed to put together great teams. Governors are supposed to bring big businesses into their states. Once they are gone, let history and society judge whether they were good enough to have their names etched on something for posterity. Otherwise, don’t scratch it on there too deep – we should be able to replace it with the next person’s name that is vain enough to allow it.

• • •

January 16, 2007

Chuck E. Cheese should never run out of ice cream!

Filed under: Ranting and Raving — jason @ 12:01 am

My two year old daughter is a huge Chuck E. Cheese fan. When we left there after visiting for the very first time, she cried "CHUCKY! CHUCKY!" over and over, the way Kramer cries for "KENNY!" in that episode of Seinfeld about the Kenny Rogers Roasters. When she is a good little angel (which is most of the time!) and makes good efforts at using the potty (our latest form of bribery) we take her there.

So basically, what you don’t want to happen at Chuck E.’s is for the ice cream dispenser machine to run out of ice cream, especially after a few kids have gotten the last ones and are taunting your child with them. You will have a riot on your hands, as we did tonight. Thank goodness a Dairy Queen is in the same area – I was able to sell her on the idea of a Dilly Bar, a tasty treat from my own childhood.

My question is: HOW CAN CHUCK E. RUN OUT OF ICE CREAM??? This seems to be a problem with a very simple solution: you keep extra ice cream on hand in the back. Get yourself a $300 deep freeze from H.H. Gregg and you are all set! You just have to train one of the hired help to open up the machine and fill it back up. While I am at it, here’s some things that will go much, much differently at the Jason-owned Chuck E. Cheese replica:

  • We won’t run out of ice cream. EVER. We won’t run out of ANYTHING. I can count, and I can certainly figure out how to stock more of something than I think I’ll need. I can also instruct even the most hard headed of people to tell me when something is running low. Kids don’t understand what it means to run out of something, so this is a very important issue.
  • We will have Chuck E. (or whatever our central character will be named) come out every hour to visit everyone. I can’t tell you how many times I’ve been to CEC only to never see Chuck E. in person. And if he does come out, he spends about 10 minutes with the kids having birthday parties and completely ignores the regular guests. I have had to make up all kinds of stories like "Chucky is sleepy" or "Chucky had to go to the potty" to explain why Chuck E. didn’t come to see us. I mean, college mascots walk around in those suits for hours at a time! Why can’t we get someone to come out for a few minutes every hour to instill joy in all the children? And don’t even give me some crap about how it would be overuse of Chuck E.! Kids can’t get enough of that stuff! They would love him EVEN MORE if he actually came to see them every time!
  • The dude that we get to walk around in the Chuck E. suit – we’ll have him actually operate one of those wimpy manual swiffer vacuum cleaners around the place while he’s not in costume. Pick up some garbage, geez!
  • You know how at the Fazoli’s they have someone walking around handing out bread sticks? We are going to have someone walking around with a basket of baby wipes handing them out like candy. Baby wipes are the best thing ever conceived. Instant mess remedy. I carry a pack in my car and keep some in my office.
  • Kids are germ magnets. They lick their fingers, pick their ears and noses, and handle every knob, button, hand rail, corner edge, toy and loose item that they find. Every hour while our Chuck E. is out entertaining the kids, we’ll have some other folks wiping down all the knobs, buttons, hand rails, corner edges, toys and other loose items for your sanitary pleasure.

Just let me know if you want to pony up some money to make this kids’ paradise a reality!

• • •

January 15, 2007

Which Nessus plugins do you use with ScanLite?

Filed under: NetReg (archived) — jason @ 2:21 pm

The ScanLite module used by NetReg to fire a Nessus scan against registering machines takes a list of Nessus plugins to run against the target. The job of anyone using this thing seriously is to keep the list of plugins up to date in order to detect the most recent threats.

Unfortunately, Nessus doesn’t make this very easy for us. They have tens of thousands of plugins that can be searched by category, name, etc. The problem is that they don’t easily tell you if the plugin employs a passive or active scan. By passive, I mean that they try to detect the particular vulnerability by crafting packets to expose the flaw. Active, on the other hand, means that they look through registry entries or use other methods requiring privileged access in order to determine if a particular hole is patched.

For a completely effective Nessus scan, you need to have some sort of access to the machine in question and it probably needs to be running certain services. This might be a workable scenario for lab machines where you control everything and maybe have some admin account set up on every one. But for the masses of students and faculty, this simply won’t work. So, you want to limit the list of plugins to only the ones that use passive scanning, but the only way to figure that out in most cases is to look at the code of the plugin to see what it does.

Here is a list of plugins that we use and what each one scans for. We aim for the big name vulnerabilities and simple version checks while trying to keep the list small so the user doesn’t wait too long for the scan to finish when they register. At the end is the line from Variables.pm that you can just copy and paste in order to use the same plugin list. I hope to keep this list updated as frequently as possible. For you Nessus people, give us a way to search for plugins that use passive scanning, please!

  • 11808 – Microsoft RPC Interface Buffer Overrun (823980) – Windows
  • 11835 – Microsoft RPC Interface Buffer Overrun (KB824146) (network check) – Windows
  • 11890 – Buffer Overrun in Messenger Service (real test) – Windows
  • 12054 – ASN.1 Parsing Vulnerabilities (NTLM check) – Windows
  • 12204 – Microsoft Hotfix for KB835732 IIS SSL check – Windows
  • 12209 – Microsoft Hotfix for KB835732 (SMB check) – Windows
  • 18027 – Vulnerability in MSMQ Could Allow Code Execution (Network Check) – Windows
  • 18028 – Vulnerabilities in TCP/IP Could Allow Remote Code Execution (network check) – Windows
  • 18502 – Vulnerability in SMB Could Allow Remote Code Execution (896422) – Network Check – Windows
  • 19407 – Vulnerability in Printer Spooler Service Could Allow Remote Code Execution (896423) – Network Check – Windows
  • 19408 – Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) – Network Check – Windows
  • 20008 – Vulnerabilities in MSDTC Could Allow Remote Code Execution (902400) – Network check – Windows
  • 21334 – Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (913580) – Network check – Windows
  • 21696 – Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280) – Network check – Windows
  • 21783 – iTunes AAC File Integer Overflow Vulnerability (network check) – Gain a shell remotely

Make sure you paste this as one line!
$NESSUS_PLUGIN = "11808;11835;11890;12054;12204;12209;18027;18028;18502;19407;19408;20008;21334;21696;21783";

Determining if a plugin is active or passive is not a clear-cut exercise, at least not that I can tell. First, you can view the source of the plugin from the Nessus page for that plugin. If you see something that looks like data is being specifically crafted into a packet of some sort, that may indicate that the plugin is passive. For example, here’s a section from 12054:

ntlmssp = "NTLMSSP" + raw_string (0x00);
ntlmssp += raw_dword (d:1); # NTLMSSP_NEGOTIATE
ntlmssp += raw_dword (d:NTLMSSP_NEGOTIATE_UNICODE |
  NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_NTLM |
  NTLMSSP_NEGOTIATE_NTLM2); # Flags
ntlmssp += ntlmssp_data (data:NULL,offset:0); # workstation domain NULL
ntlmssp += ntlmssp_data (data:NULL,offset:0); # workstation name NULL

It appears that this plugin is building a packet in a certain way in order to test for the vulnerability. Sometimes, the source will contain a comment about how it works, but I don’t see many of those.

You can also look for dependencies on other scripts that handle gaining access to a machine. Here is a bit from 21725:

script_dependencies("netbios_name_get.nasl", "smb_login.nasl",
  "smb_registry_full_access.nasl", "smb_enum_services.nasl");
script_require_keys("SMB/name", "SMB/login",
  "SMB/password", "SMB/registry_full_access",
  "SMB/transport");
script_require_ports(139, 445);

This one is pretty obviously going to look for an entry in the Windows registry to see if a particular item is installed.

Examining the Nessus scan logs can also help. If scripts require access, you will see errors indicating that a plugin doesn’t have what it needs in order to run. There is also some information on the Nessus site about network checks which indicates that if the plugin has that phrase in the name, it uses a passive method.
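The dependency and name checks described above can be scripted over downloaded plugin sources. The following is an added example, not code from NetReg or Nessus: the indicator sets come from the 21725 excerpt, the function names are hypothetical, and both sample plugins are constructed (90001 is a made-up id).

```python
import re

# Indicators taken from the 21725 excerpt on this page. Treating them as proof
# that a plugin needs a login is an assumption here; review every hit by hand.
CRED_DEPS = {"smb_login.nasl", "smb_registry_full_access.nasl"}
CRED_KEYS = {"SMB/login", "SMB/password", "SMB/registry_full_access"}

def _call_args(source, func):
    """Return every double-quoted argument passed to func(...); calls may wrap lines."""
    args = []
    for body in re.findall(func + r"\s*\((.*?)\)\s*;", source, re.S):
        args.extend(re.findall(r'"([^"]*)"', body))
    return args

def classify(source):
    """Summarise the access prerequisites one plugin declares."""
    m = re.search(r"script_id\s*\(\s*(\d+)\s*\)", source)
    deps = set(_call_args(source, "script_dependencies"))
    keys = set(_call_args(source, "script_require_keys"))
    name = " ".join(_call_args(source, "script_name")).lower()
    reasons = sorted(deps & CRED_DEPS) + sorted(keys & CRED_KEYS)
    return {"id": int(m.group(1)) if m else None,
            "needs_credentials": bool(reasons),
            "reasons": reasons,
            "network_check_in_name": "network check" in name}

def plugin_line(sources):
    """Build the Variables.pm line from plugins that show no credential indicator."""
    ids = sorted(c["id"] for c in map(classify, sources)
                 if c["id"] is not None and not c["needs_credentials"])
    return '$NESSUS_PLUGIN = "' + ";".join(map(str, ids)) + '";'

# Constructed sample: id 21725 with the declarations quoted on this page.
SAMPLE_LOCAL = '''script_id(21725);
script_dependencies("netbios_name_get.nasl", "smb_login.nasl",
  "smb_registry_full_access.nasl", "smb_enum_services.nasl");
script_require_keys("SMB/name", "SMB/login",
  "SMB/password", "SMB/registry_full_access",
  "SMB/transport");
script_require_ports(139, 445);
'''
# Constructed sample: made-up id and name, no login or registry prerequisites.
SAMPLE_REMOTE = '''script_id(90001);
script_name(english:"Example Service Overflow (network check)");
script_require_ports(139, 445);
'''

if __name__ == "__main__":
    for src in (SAMPLE_LOCAL, SAMPLE_REMOTE):
        print(classify(src))
    print(plugin_line([SAMPLE_LOCAL, SAMPLE_REMOTE]))
```

A plugin that passes this filter only lacks the listed indicators; confirm it against the scan logs before adding it to a registration scan.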

Maybe if I took the time to learn the Nessus plugin language, things would be more clear to me.

• • •

Support for bulk manual registrations

Filed under: NetReg (archived) — jason @ 12:11 pm

The school uses NetReg’s DHCP server to support lab machines as well as students and faculty. They want the lab machines to automatically be registered with NetReg so that users don’t have to register them with their own personal IDs. NetReg provides a manual registration function for one MAC address at a time, but that gets cumbersome for entering hundreds of lab machines. In addition, clearing all registrations will clear the manually registered machines, too.

I added functionality to admin.cgi to allow multiple user name/MAC address combinations to be entered at once. Under the covers, this new function calls the manual registration URL over and over for each entry. This way, all the checks and file locking that are already in place for the single manual registration will still be used.

Additionally, these bulk entries are saved into a separate file. I also provide new functions to load the registrations from this file into NetReg and to clear them out. So, you can clear all registrations without having to enter the bulk registrations all over again. After you clear all registrations, you simply reload all of your previous bulk registrations from the special file with the push of one button.

Now, for the scary part. I wrote all of this new functionality using PHP. I don’t know Perl very well (in fact I find the syntax mind numbing), so I had to do some trickery to integrate the PHP scripts with the existing Perl. Yes, I am a bad person. I’m sure that Martin Fowler has written a book about my kind and made millions from it. But, if you are not horrified, read on!

I made changes to add new forms and buttons for these functions to the “Manual Registration” page (seemed easier than dealing with the image map of links). Between the submit button and print_footer() call of reg_form() in admin.cgi, here’s what is new:
admin.cgi.txt

These new PHP files are installed in the same directory with admin.cgi:
netreg.php
bulkregstart.php
bulkreg.php
reloadbulk.php
clearbulk.php
viewbulk.php
clearregs.php

The functions to support clearing all registrations are also included in these changes.

• • •

Fix append_host_entry in admin.cgi to print header/footer

Filed under: NetReg (archived) — jason @ 11:24 am

Very simply, it looks like a successful manual registration encounters a "premature end of script" error. I noticed that the append_host_entry function was not calling print_header() or print_footer() around the call to print_manreg() at the end of the routine, so I added those calls.

• • •