Friday, September 27, 2013

Day 1 At DerbyCon 2013

Welcome to this new blog.  Pardon the spartan appearance as I begin to get things set up.  I hope that if you check back later it will look much more engaging.

I'm going to take the opportunity with post #1 to collect some notes on Day 1 at DerbyCon 2013.

The best nuggets for me came from the talks by Tim Tomes (LaNMaSteR53), HD Moore and Mark Baggett. These are things that I can use in my work to look smarter and get better results right now and will easily pay for the trip.

Tim Tomes' talk was on the Recon-ng framework. He and his friends have clearly put a lot of great work into this and you have to check it out. He had a very successful live demo that showed how you can drastically cut your time for doing target reconnaissance in penetration tests and get a lot more information out of the process. Where I'm doing IT security audits and don't necessarily get the information I need from stakeholders or permission to carry out my own scans, I need to verify that I have complete information about subject populations, risks and threat analysis. This tool is going to help me get some stronger assurance around all of that. I've used some of the tools Tim has put together in the past for password discovery. He's a smart guy you should be acquainted with.

Put all that together with information from some of the different projects that HD Moore discussed and it is clear that the information I need is already out there in the public domain; I just need to start mining it. HD enlightened us about results gathered by University of Michigan researchers, including Zakir Durumeric, and collected in the Internet-Wide Scan Data Repository. He mentioned some of his own contributions to that data repository. He also enlightened us about the 2012 Internet Census results. All this comprises a very powerful set of tools for scoping your estate and identifying potential weaknesses, all without having to run a single scan. And while I was certainly aware of Shodan, I got a few more ideas on how I can better use that resource too.

Mark Baggett's presentation, titled “Windows 0wn3d By Default”, presented work that was new to me concerning tools built into Windows that provide rootkit-like functionality right out of the box. He aptly described it as "living off the land". Many of us have been aware of the uses for alternate data streams for some time, but other ways of hiding files were frankly startling:
  • Inside of VSS copies, executing directly from there with no copy in the file system needed;
  • Inside directories named with forbidden keywords, like AUX, LPT1, \.. and \.;
  • Using the Windows Application Compatibility Toolkit to hide all kinds of illicit behavior from users, administrators and programs that might try to restrict such activities.
This stuff just blew me away. I'm also thrilled to have the chance just to hang out with this fine collection of smart and inquisitive people.
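From the audit side, the useful follow-up to the three hiding spots above is knowing where to look for them on a host you are reviewing. The PowerShell below is an added example written for this post, not code from Mark Baggett's talk or from any tool he released. It assumes PowerShell 3.0 or later, a starting drive of C:\, and that custom shim databases are registered under the usual AppCompatFlags\Custom and AppCompatFlags\InstalledSDB registry keys; the function names are my own.

```powershell
# Added example: a defender's sweep for the three hiding spots described in the post.
# Assumptions: PowerShell 3.0+, drive C:\ as the root, standard AppCompatFlags registry
# locations. Function names are made up for this example.

# 1. Directories carrying reserved device names (AUX, LPT1, CON, ...). Ordinary tools
#    refuse to open such names, but directory enumeration still returns them, so a
#    name match over a recursive listing is enough to surface them for review.
$reservedName = '^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$'

function Find-ReservedNameDirectories {
    param([string]$Root = 'C:\')
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $reservedName } |
        Select-Object FullName
}

# 2. Running processes whose image sits inside a Volume Shadow Copy instead of the
#    live file system. Such image paths contain HarddiskVolumeShadowCopy<N>.
function Find-ProcessesRunningFromShadowCopy {
    Get-CimInstance Win32_Process |
        Where-Object { $_.ExecutablePath -match 'HarddiskVolumeShadowCopy' } |
        Select-Object ProcessId, Name, ExecutablePath
}

# 3. Application Compatibility shim databases registered on the host. Custom shims
#    installed with the toolkit's sdbinst show up under these two keys; on a machine
#    with no custom shims both keys are typically empty or absent.
function Get-CustomShimDatabases {
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'
    foreach ($sub in 'Custom', 'InstalledSDB') {
        $key = Join-Path $base $sub
        if (Test-Path $key) {
            Get-ChildItem $key | ForEach-Object {
                [pscustomobject]@{
                    Key    = $sub
                    Entry  = $_.PSChildName
                    Values = ($_.GetValueNames() -join ', ')
                }
            }
        }
    }
}

# Run all three checks and print anything that turns up.
Find-ReservedNameDirectories -Root 'C:\'
Find-ProcessesRunningFromShadowCopy
Get-CustomShimDatabases
```

Two caveats when reading the output: the shadow-copy check only catches a process whose recorded image path points into the shadow copy, so a binary launched through a directory symlink to that copy will show the symlink path instead and needs a separate look at where that link resolves; and any entry under the shim keys is worth reconciling against what your software deployment actually installed, since legitimate vendor shims live there too.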

People and material referenced above and in the talks include: