Monday, October 7, 2013

Day 3 at DerbyCon 2013

As I return to trying to write up my notes on DerbyCon 2013, I'm more amazed than ever at the efforts of Adrian Crenshaw (aka Irongeek) in getting all of the presentations online so fast.  He's already been posting presentations from his next security conference and I'm still just trying to write a few terse thoughts on the presentations that I saw over a week ago.  So, again I want to send out thanks for his contributions in particular, not just at DerbyCon but to the entire infosec community.  Thanks also to the entire staff at the conference.  It wouldn't have been possible without all of you.  Thanks especially to Dave Kennedy, his wife and family for their immense efforts in organizing the Con.  That takes a lot of work across many months.

Sunday was another good day at DerbyCon. Rick (Minga) Redman's presentation on Cracking Corporate Passwords started the day for me.  Intuitively, I think you're right, Rick, auditors should be auditing password quality on a statistical basis.  But, when you talk about going from 85% being easily cracked down to only about 65%, I'm not sure how this is actually going to help stop attackers.  I mean, if I only have passwords for 65 of your users I can still access a lot of stuff and quite possibly, everything that I want.  At best, I think we'll improve our odds of defeating the attacker by a minuscule amount.  In doing pentests, I think on only one engagement was I ever kept away from total ownership of the network by good passwords, and even in that case I got all the data I wanted.  Either way, I highly recommend viewing Rick's presentation.  It's very eye-opening for those of us trying to build good password policies and develop security awareness in our users.

Robert Salgado's talk on SQL injection was another highlight.  He gave a good synopsis on some of the techniques out there and presented quite a few methods I hadn't seen before.  He talked about firewall fuzzing with allowed whitespace characters and showed off the SQL Injection Knowledgebase, which was new to me.

Terry Gold's presentation on physical access control systems was the last big standout for me and came just before the closing ceremonies.  He covered a number of weaknesses in these systems and ways to leverage them for unauthorized access, including brute-forcing of card numbers.  I have a better idea now about the capabilities and differences between low- and high-frequency access cards.  Some other fun tools were shown.

While not as useful to me directly, the talk by Solomon Sonya and Nick Kulesza on the remote administration tool (RAT) they've developed points toward a lot of promise.  It has some really cool features and may be useful to you.

The presentation by Luis Santana on phishing, and on the tool that he's developed to automate these campaigns, was also really good.  PhishPoll is a really nice addition to the pentester's tool set.

You can find all of the videos from these presentations by just clicking the YouTube link at the very bottom.  Irongeek also has a good index with abstracts up on his site here:

Other links to people and things mentioned above include:

Any links to commercial sites do not imply an endorsement of specific products.  They're just a place to connect with the people that I found interesting and helpful.

Friday, October 4, 2013

How many auditors does it take to change a lightbulb?

Changing the lightbulb would be a conflict of interest for Audit.  In evaluating Management's lightbulb changing practices, 2 out of 20 sampled lightbulbs were found not to have been changed in a timely manner.  Additionally, 8 of the 20 sampled lightbulbs were found to have fingerprints on them, which has been shown to reduce the useful life of lightbulbs.  Based upon these findings, Audit concludes that the design of the lightbulb management control does not include proper guidance for implementers.  Further, trouble tickets for lightbulb changes are not monitored to ensure timely resolution and issue closure.

The risk entailed with these control gaps is that insufficient lighting may lead to personal injury and financial losses to the organization.

Sunday, September 29, 2013

Day 2 at DerbyCon 2013

Presentations that I caught on Day 2 were not as useful to me as on Day 1. Part of that may be that I chose the wrong ones, and that I may also not have the background needed to make the most of them.

There was one great highlight worth mentioning though, which is that I anted up the bread to get one of the USB Rubber Duckys from the Hak5 crew. This is basically a keyboard emulator (HID) on a key fob. Corporate restrictions on USB mass storage devices limit our ability as pentesters to exfiltrate data. But who blocks USB keyboards? OK, I've seen a few environments where they do; but that's pretty rare.

I've been aware for a couple of years of the attacks that this kind of device could enable. But I didn't know where to get one or what kind of tools I would use to work with it. Hak5 has made this easy. You thought your DLP was going to save you? BWAHAHAHAHA!

If this isn't clear, the USB HID sends commands to the victim system exactly as if they were typed, at super-human speed. This does not limit attacks to just plain text. We can encode full executable files as text and then convert them back to an executable on your host. And, of course, PowerShell is just plain text anyway and is extremely powerful.

We can script the attack to work with any platform: Windows, Linux, Mac. We're all in trouble. Lock your workstation every time you walk away. This attack takes seconds and no, I was not the one who sent that email to your boss from your PC. is the primary resource for these.  The link will re-direct to an IP address.  Sorry, but that's the address.  All of the other resources I could offer are linked from that page, including alternative firmware, scripts, encoders, forums and the user guide.


Friday, September 27, 2013

Day 1 At DerbyCon 2013

Welcome to this new blog.  Pardon the spartan appearance as I begin to get things set up.  I hope that if you check back later it will look much more engaging.

I'm going to take the opportunity with post #1 to collect some notes on Day 1 at DerbyCon 2013.

The best nuggets for me came from the talks by Tim Tomes (LaNMaSteR53), HD Moore and Mark Baggett. These are things that I can use in my work to look smarter and get better results right now and will easily pay for the trip.

Tim Tomes' talk was on the Recon-ng framework. He and his friends have clearly put a lot of great work into this and you have to check it out. He had a very successful live demo that shows how you can drastically cut your time for doing target reconnaissance in penetration tests and get a lot more information out of the process. Where I'm doing IT security audits and don't necessarily get the information I need from stakeholders or permission to carry out my own scans, I need to verify that I have complete information about subject populations, risks and threat analysis. This tool is going to help me get some stronger assurance around all of that. I've used some of the tools Tim has put together in the past for password discovery. He's a smart guy you should be acquainted with.

Put all that together with information from some of the different projects that HD Moore discussed and it is clear that the information I need is already out there in the public domain, I just need to start mining it. HD enlightened us about results gathered by University of Michigan researchers, including Zakir Durumeric, and collected in the Internet-Wide Scan Data Repository. He mentioned some of his own contributions to that data repository. He also enlightened us about the 2012 Internet Census results. All this comprises a very powerful set of tools for scoping your estate and identifying potential weaknesses, all without having to run a single scan. And while I was certainly aware of Shodan, I got a few more ideas on how I can better use that resource too.

Mark Baggett's presentation, titled “Windows 0wn3d By Default”, presented work that was new to me concerning tools built into Windows that provide rootkit-like functionality right out of the box. He aptly described it as "living off the land". Many of us have been aware of the uses for alternate data streams for some time, but other ways of hiding files were frankly startling:
  • Inside of VSS copies, executing directly from there with no copy in the file system needed;
  • Inside directories named with forbidden key words, like AUX, LPT1, \.. and \.;
  • Using the Windows Application Compatibility Toolkit to hide all kinds of illicit behavior from users, administrators and programs that might try to restrict such activities.
This stuff just blew me away. I'm also thrilled to have the chance just to hang out with this fine collection of smart and inquisitive people.
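The second hiding place above, directories carrying names that Windows normally refuses to create, is something a defender can sweep for. The script below is an added example of mine and is not from Mark Baggett's talk or any tool he showed; it flags path components that use the documented Windows reserved device names (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9, with or without an extension), names that are literally "." or "..", and names ending in a dot or space, all of which the normal Win32 path API will not create and which therefore stand out when they turn up on disk. The function names and the sample paths are my own constructions; the list of reserved names comes from Microsoft's file-naming documentation.

```python
import os
import re
from typing import Iterable, List, Tuple

# Names the Win32 path API refuses to create as files or directories. They can
# still be created through the \\?\ namespace, which is why their presence on
# disk is worth a second look.
RESERVED_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

_DRIVE = re.compile(r"^[A-Za-z]:$")


def classify_component(name: str) -> List[str]:
    """Return the reasons (possibly none) why a single path component looks like
    one of the 'forbidden name' hiding spots. Names are matched case-insensitively."""
    reasons: List[str] = []
    # Windows treats "AUX.txt" as the AUX device too, so compare only the stem.
    stem = name.split(".", 1)[0].rstrip(" ").upper()
    if stem in RESERVED_NAMES:
        reasons.append("reserved device name")
    if name in (".", ".."):
        reasons.append("dot-directory name")
    elif name != name.rstrip(" ."):
        reasons.append("trailing dot or space")
    return reasons


def scan_paths(paths: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Classify every component of each path; returns (path, component, reason)."""
    findings: List[Tuple[str, str, str]] = []
    for path in paths:
        p = path[4:] if path.startswith("\\\\?\\") else path  # drop the \\?\ prefix
        for component in re.split(r"[\\/]+", p):
            if not component or _DRIVE.match(component):
                continue  # skip empty pieces (UNC leading slashes) and the drive letter
            for reason in classify_component(component):
                findings.append((path, component, reason))
    return findings


def scan_directory(root: str) -> List[Tuple[str, str, str]]:
    """Walk a live directory tree. On Windows pass a \\?\-prefixed root such as
    r"\\?\C:\" so that reserved-name entries are actually enumerable."""
    paths = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            paths.append(os.path.join(dirpath, name))
    return scan_paths(paths)


# Constructed sample paths (not taken from any real system) to exercise the checks.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx",      # ordinary, should be clean
    r"\\?\C:\ProgramData\AUX\payload.dll",        # reserved device name as a directory
    r"\\?\C:\temp\..\loader.exe",                 # a directory literally named ".."
    r"C:\inetpub\LPT1.txt",                       # reserved stem with an extension
    r"C:\tools\update. ",                         # trailing dot/space in a name
]


if __name__ == "__main__":
    for path, component, reason in scan_paths(SAMPLE_PATHS):
        print(f"{reason:22s} {component!r:14s} in {path}")
```

Run it as-is to see the four suspicious sample paths reported, or call `scan_directory()` against a real tree. Note that on Windows a plain `os.walk(r"C:\")` may silently fail to descend into a reserved-name directory; the `\\?\` prefix on the root is what lets the walk see the same names the hiding technique relies on.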

People and material referenced above and in the talks include: