Sunday, September 29, 2013

Day 2 at DerbyCon 2013

Presentations that I caught on Day 2 were not as useful to me as on Day 1. Part of that may be that I chose the wrong ones, and I may also not have the background needed to make the most of them.

There was one great highlight worth mentioning though, which is that I anted up the bread to get one of the USB Rubber Duckies from the Hak5 crew. This is basically a keyboard emulator (HID) on a key fob. Corporate restrictions on USB mass storage devices limit our ability as pentesters to exfiltrate data. But who blocks USB keyboards? OK, I've seen a few environments where they do; but that's pretty rare.

I've been aware for a couple of years of the attacks that this kind of device could enable. But I didn't know where to get one or what kind of tools I would use to work with it. Hak5 has made this easy. You thought your DLP was going to save you? BWAHAHAHAHA!

If this isn't clear, the USB HID sends commands to the victim system exactly as if they were typed at super-human speed. This does not limit attacks to just plain text. We can encode full executable files as text and then convert them back to an executable on your host. And, of course, PowerShell is just plain text anyway and is extremely powerful.
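A defender-side illustration of the "super-human speed" point above, added here as an example and not code from Hak5 or this blog: given a keystroke event log (a constructed sample is embedded inline, and the cadence thresholds are assumptions), it flags runs of keys arriving far faster than a person could type them.

```python
"""Flag keystroke bursts too fast to be human (added example, not Hak5 code).

A HID injector types its whole payload in one continuous burst with near-zero
inter-key gaps; people pause, overlap and vary. This scans a keystroke event
log ("timestamp_seconds,key" per line) for runs of keys at implausible cadence.
"""
from statistics import median

# Assumed thresholds for illustration: a sustained gap under 25 ms between
# keys across 30+ consecutive keys is well beyond skilled human typing.
MAX_HUMAN_GAP_S = 0.025
MIN_BURST_KEYS = 30


def parse_events(lines):
    """Parse 'timestamp,key' lines into a time-sorted list of (ts, key)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        ts, key = line.split(",", 1)
        events.append((float(ts), key))
    return sorted(events)


def find_injection_bursts(events, max_gap=MAX_HUMAN_GAP_S, min_keys=MIN_BURST_KEYS):
    """Return (start_ts, end_ts, key_count, median_gap) for each suspicious run."""
    bursts = []
    run = [events[0]] if events else []

    def flush(run):
        # Only runs long enough to rule out a short accidental key-roll count.
        if len(run) >= min_keys:
            gaps = [b[0] - a[0] for a, b in zip(run, run[1:])]
            bursts.append((run[0][0], run[-1][0], len(run), round(median(gaps), 4)))

    for prev, cur in zip(events, events[1:]):
        if cur[0] - prev[0] <= max_gap:
            run.append(cur)          # still inside a fast run
        else:
            flush(run)               # human-scale pause ends the run
            run = [cur]
    flush(run)
    return bursts


# Constructed sample: a person typing "hello" at ~150 ms per key,
# then 40 keys injected at 5 ms intervals starting two seconds later.
SAMPLE_LOG = ["%.3f,%s" % (i * 0.15, k) for i, k in enumerate("hello")]
SAMPLE_LOG += ["%.3f,x" % (2.0 + i * 0.005) for i in range(40)]

if __name__ == "__main__":
    for start, end, count, gap in find_injection_bursts(parse_events(SAMPLE_LOG)):
        print("suspicious burst: %d keys from %.3fs to %.3fs, median gap %.4fs" % (count, start, end, gap))
```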

We can script the attack to work with any platform: Windows, Linux, Mac. We're all in trouble. Lock your workstation every time you walk away. This attack takes seconds and no, I was not the one who sent that email to your boss from your PC. is the primary resource for these. The link will redirect to an IP address. Sorry, but that's the address. All of the other resources I could offer are linked from that page, including alternative firmware, scripts, encoders, forums and the user guide.


Friday, September 27, 2013

Day 1 At DerbyCon 2013

Welcome to this new blog. Pardon the spartan appearance as I begin to get things set up. I hope that if you check back later it will look much more engaging.

I'm going to take the opportunity with post #1 to collect some notes on Day 1 at DerbyCon 2013.

The best nuggets for me came from the talks by Tim Tomes (LaNMaSteR53), HD Moore and Mark Baggett. These are things that I can use in my work to look smarter and get better results right now and will easily pay for the trip.

Tim Tomes' talk was on the Recon-ng framework. He and his friends have clearly put a lot of great work into this and you have to check it out. He had a very successful live demo that shows how you can drastically cut your time for doing target reconnaissance in penetration tests and get a lot more information out of the process. Where I'm doing IT security audits and don't necessarily get the information I need from stakeholders or permission to carry out my own scans, I need to verify that I have complete information about subject populations, risks and threat analysis. This tool is going to help me get some stronger assurance around all of that. I've used some of the tools Tim has put together in the past for password discovery. He's a smart guy you should be acquainted with.

Put all that together with information from some of the different projects that HD Moore discussed and it is clear that the information I need is already out there in the public domain; I just need to start mining it. HD enlightened us about results gathered by University of Michigan researchers, including Zakir Durumeric, and collected in the Internet-Wide Scan Data Repository. He mentioned some of his own contributions to that data repository. He also enlightened us about the 2012 Internet Census results. All this comprises a very powerful set of tools for scoping your estate and identifying potential weaknesses, all without having to run a single scan. And while I was certainly aware of Shodan, I got a few more ideas on how I can better use that resource too.

Mark Baggett's presentation, titled “Windows 0wn3d By Default”, covered work that was new to me concerning tools built into Windows that provide rootkit-like functionality right out of the box. He aptly described it as "living off the land". Many of us have been aware of the uses for alternate data streams for some time, but other ways of hiding files were frankly startling:
  • Inside of VSS copies, executing directly from there with no copy in the file system needed;
  • Inside directories named with forbidden keywords, like AUX, LPT1, \.. and \.;
  • Using the Windows Application Compatibility Toolkit to hide all kinds of illicit behavior from users, administrators and programs that might try to restrict such activities.
This stuff just blew me away. I'm also thrilled to have the chance just to hang out with this fine collection of smart and inquisitive people.

People and material referenced above and in the talks include: