Archive for category Uncategorized

Every year we head to the desert to learn the newest attack/defenses in the world, to share groundbreaking ideas… but not least of all, to have some fun!

Who?	When? (July)	Time	Where?	Link/RSVP	Why?
ModSecurity Happy Hour	Wednesday 28th	4-6pm	munchbar @ Caesar's Palace	open to anyone	modsecurity is awesome
MAD & Nitro Security Party	Wednesday 28th	8PM-10PM	TBA	Invite only	Go to the Nitro Security booth for invite
Black Hat Crawl by Stonesoft	Wednesday 28th	6PM-9PM	Trevi Room, Caesar’s Palace	http://www2.stonegate.com/l/1912/2010-07-13/2895X	pinata and ipad contests
Tenable Party	Wednesday 28th	8:00 p.m. – 10:00 p.m	Margaritaville	http://www.tenable.com/bhparty2010/	Nessus is win, most of the time. Beer and Margaritaville's world famous margaritas will be served. The first 100 people through the doors will receive a Tenable Hawaiian Shirt and a Nessus Cigar.
IOActive Cocktail Party	Wednesday 28th	8:00 p.m. – 10:00 p.m	Spago	Invite only	pick up invites at booth #63
Mcafee Party	Wednesday 28th	8:00 p.m. – 11:00 p.m	Vanity @ Hard Rock Hotel	Invite only	stop by McAfee booth #18
Rapid 7 Party	Wednesday 28th	9:00 p.m. – 02:00 a.m	Palms Fantasy tower	http://www.rapid7.com/forms/black-hat-rsvp.jsp	Open Bar, GoGo Dancers, HD Moore.
Qualys Party	Wednesday 28th	8:00 p.m. – 02:00 a.m	Jet Mirage Club	http://www.qualys.com/company/events/tradeshows/blackhat10/	Dance the night away to Tainted Love (a top 80's cover band) and DJ DIRTYHERTZ at one of the hottest Las Vegas nightclubs JET (JET is really nice)
Madiant Schmooze	Wednesday 28th	7:00 p.m. – 09:00 p.m	Shadow Bar Inside Caesar's Palace	http://www.mandiant.com/news_events/forms/shadow_bar	Random Google Find – dunno – open bar sounds like.
SourceFire VRT Adobe Haters Ball	Wednesday 28th	8:00 pm to 11:00 pm	Casa Fuente, Caesars Palace	Invite only	beg @VRT_Sourcefire for an inv? I dunno -_-
NetWitness	Wednesday July 28	9 pm – 12 am	PURE @ ceasars	http://netwitness.com/resources/register/blackhat2010.aspx	???
FishNet	Wednesday July 28	?	Rhumbar	http://is.gd/dy4RY	???
Cenzic/Dasient	Wednesday July 28	9 pm – 12 am	Caesar's Rainman Suite	http://blog.cenzic.com/public/item/256749	stop by the Cenzic booth (#38)
TippingPoint ZeroDayInitiative 5 Year Anniv Party	Wednesday July 28	8 pm – 12 am	Hard Rock Hotel SkyBar	Invite only	i hear ZDI throws a good party
BSides	Wednesday & Thur 28/29 ·	???	2810 East Quail Ave., Las Vegas, NV, 89120	http://www.securitybsides.com/BSidesLasVegas	While not an "official" party, Bsides is a party by itself. Ask around and i'm sure there will be something going down… I mean c'mon… it's Chris Nickerson running it!
WhiteHat & Accuvant	Thursday July 29	?	PURE @ ceasars	Invite only	"swing by the booth and say hi and if we have any left – grab an invite for our party at Pure for Thursday night"
Security Twits	Thursday July 29	8 pm – ?	Caesar's (suite TBD)	???	???
Defcon Fundraiser	Thursday July 29	???	Riviera Penthouse	???	Cost $40
KartCON	Thursday July 29	7:30pm – 11pm	FastLap – 4288 Polaris Avenue Las Vegas, NV 89103-8100	http://kartcon2010-owasp.eventbrite.com/	50mph Gokart tourney, with bar… win.
Defcon Toxic BBQ	Thursday July 29	5:30pm – 9pm	Sunset Park 7.6 miles from Riviera	http://www.toxicbbq.com/	BYOBBQ and some utensils. People will cook for you if you bring meat!
EFF Vegas 2.0 Party	Thursday July 29	???	Top of Riviera	Open to all, $40 at the door (donation)	All monies go to the EFF (you get a 1 yr. membership for your donation). DualCore, Minibosses, raffle, open bar and much, much more
Microsoft Party	Thursday July 29	9 pm – 11 pm	Vanity	Invite Only	Speakers and top notch security researchers.
Core Security Party	Thursday July 29	???	Sushi Roh	Invite Only	I've been to a CORE shindig before, they can sure throw a party, or atleast spend a grip of cash
ISEC Partners Party	Thursday July 29	10:00pm-TBD	V-Bar @ the Venetian	Invite Only	ISEC peeps are awesome.
Spiderlabs Party	Friday July 30	10:00 p.m. – TBDam	Riviera SkyBoxes	Invite Only (ask a lab spider for an inv)	DJ Keith Swiat, Open Bar, Spiders are 31337.
HackerPimps Party	Friday July 30	???	Riviera SkyBoxes	Invite (email pimpsparty at gmail dot com) @hackerpimps	Caption says it all…
Attack Research Party	Friday July 30	7pm – 2 am	Top of the Riv	Invite only.	Dr Raid, Dj Sailor Gloom , Thee Swank Bastards , Dj Dark Mark, Regenerator, Dj Style.
Ninja Party	Saturday July 31	9 pm – ?	Secret Offsite Loc	Invite Only – https://forum.defcon.org/showthread.php?t=11511&highlight=ninja	Last year i went as part of "the event that didn't happen" the EFF Sec Pillow fight. This year i might be SOL on an invite. The Ninja Party is the most 31337 party there is. I heard finding a ninja and asking them works well… but they are invisible! ='(
IOActive FreakShow	Saturday July 31	9 pm – 1 am	Top of the Riviera	http://www.facebook.com/event.php?eid=135300963167159 & http://www.ioactive.com/news_events_freakshow.html	Tower of Bendy Girls, DJ Keith and Crew, the Return of the Bungee Run, and Gladiator Joust.

This is what I know of atm, im sure im not privy to all the madness and will update accordingly. Also i heard @gattaca is gonna blog on parties too soon. =)

I'll be in Vegas from 23rd to the 1st. See ya there. Twitter DM's go to my mobile or you can email admin -a-t- securityaegis.com to meetup, shoot the sh*t, and have a good time!

*More party updates as they come… Thanks for reading!

* 7/18 Thanks for all the info from everyone on here and through twitter. Updated with toxic bbq, Qualys, Attack research, Sourcefire VRT.

*7/18 Massive update

*7/19 More parties added

*7/19 looking for info on mcafee party

*7/20 added 3 more parties by request of vendors…

*7/22 Added Mcafee party info

I just finished playing in the yearly smpCTF with team MRL. MRL is Midnight Research Labs based out of Boston, who do some really cool research/presentations/tools. You might remember them from their release of SEAT (Search Engine Assessment (Tool) a year or so back. 

smpCTF is a yearly top tier CTF, akin to the Defcon CTF qualifiers, etc.

The challenge areas were: Web, Forensics, Crypto, Pwnables, Trivials, and Misc. Looks like we placed somewhere around 23rd out of 196 registered teams (76 of whom scored points).

Props to all the MRL people and other teamates who made this the best CTF i have played in:  @sussurro @jaredbird @timmedin  and more!

As writeups come i'll post =)

Unofficial Scores

Challenge Page

Writeups:

Challenge #3 (Crypto level1)

Profiling, or OSINT (open source intelligence), is an art. Private investigators have been doing it for years now but, it has just started to show real promise in application to Penetration Testing and Red Team Testing.  A lot of work has been done recently by  Chris Gates and Chris Nickerson on bringing it into the security world.

OSINT gathering is a far more manual process than general profiling. It is usually not included in a regular pentest or assessment, but sometimes is included for an extra fee (from what we’ve seen) .

Why OSINT? It opens up your attack surface and gives you a sprinting start before even sending any packets directly to your target. Just entering in some of the RS engineers' data i was able to get a list of previous addresses, blogs, twitter names, emails, phone numbers, parents names, news articles, etc.  I'd say that's useful.

For a place holder, until we get done with a nice framework, we have compiled a list of links for OSINT gathering web sites we use, by target type; People and Organizational Targets and Infrastructure Targets :

Infrastructure:

Netcraft (Uptime Survey, server info)

Domain Tools (Whois Lookup and Domain info)

Centralops.net  (traceroute, nslookup, automatic whois lookup, ping, finger)

Hackerfantastic.com ( GeoIP, whois, host, dig, blacklists, ping, traceroute & nmap)

whois.webhosting.info (WHOIS and Reverse IP Service/virtual hosting info)

MSN IP Search

SSL Labs – Projects / Public SSL Server Database – SSL Server Test

SHODAN – Computer Search Engine (indexed port scans and banner grabs)

Don't forget to combine this kind of "research" with great tools like wikto, metagoofil, SEAT, FOCA, theHarvester, and Maltego. We also suggest you listen/watch to some of the collective presentations and video from Chris Nickerson and Chris Gates (btw Dale Pearson is the man for setting up the Brucon videos last year).

Also, i had been working with some browser scripting earlier and i made  a quick OSINT script in iMacro. iMacro can record and script up your day to day browser activities. Sometimes this is easier to do than coding something in Ruby or Python due to the AJAX nature of these people search sites. Download the firefox plugin for iMacro here then make a new macro with the below code:

Read the rest of this entry »

A new interview with Ferruh focusing less on Netsparker and more on web security in general. Published in Hakin9 Magazine, Pages 56-58 =)

Download the issue!

http://download.hakin9.org/en/hakin9_04_2010_EN.pdf

Also, Since it was con-time near deadline-time, Ferruh might expand a bit here on some of the questions he didn't get to cover, so stay tuned.

From @ap3r on the Redspin Labs Blog by Nathan Drier on Apr.16, 2010:

With the incorporation of Burp Suite Professional into our audit processes, we (the redspin engineers) discovered that there was not an easy method to extract results from Burp’s session file without having to manually re-run Burp.

In order to automate this process, we have developed a standalone Python script to process Burp’s session files into XML, and have released it under the GPLv3 License here

burp2xml.py

XML will allow you to pull out all types of useful data and feed it to other tools or make scripting an output report much easier. We will be blogging about tips (here) to use this pretty soon, let us know what you think. Shoutout to Paul Hass for all the hard work =)

Just wrote a quick review and jotted down some insights to Google's new web application security scanner. Skipfish. Read the whole thing at the link or just check out the "skinny" 

The Skinny:

We like it. As Google says, its not an end-all-be-all for web application scanners, but it definitely has some great logic, features, and is blazing fast. Also if you have seen the dev track the developer Michal Zalewski has been quick to update for problems (1.01b fixes some crashing problems) and has some great upcoming features planned (pause/resume, VIEWSTATE testing, etc.) Although no scanner will ever replace a smart web app assessment engineer, Skipfish shows some great potential in the security space and… its free. It wont replace any of our manual processes but we will definitely use it when applicable. Thanks Google.

http://www.redspin.com/blog/2010/03/19/skipfish-google-enters-the-web-scanner-fray/

You think you've come, you've seen, and you've conquered all the training in the pentest field? Think again.

J0e McCray, Learn Security Online creator, has brewed up a new course to address the needs of the upper echelon of pentest monkeys out there. If you don't know j0e from from his various speaking engagements at the hacker cons (Defcon, BruCon, ToorCon, LayerOne, etc), check out our quick Q&A with him at EthicalHacker.net. J0e has seen it all, and has put together a class that focuses on the advanced topics in penetration testing aka the things that will save your a** in a pentest.

J0e has done some tremendous work with many of the industries best pentesters/researchers including Chris Gates (LearnSecurityOnline/Attack Research) Sandro Gauci, Wendel Guglielmetti, and Marcus J. Carey. J0e's experience stems from being director of penetration testing at some very hush-hush security firms, as well as leading pentest ninjas and red-teams on engagements for over 8 years.

Really, if you have a budget, we highly suggest this new course. J0e takes the time you need to cover the attacks you want to cover and he makes himself personally available to each student. Also he's dropped the price for SA and EthicalHacker.net readers, grab that discount here. The course takes place in  Greenbelt, Maryland from May 17th – 21st 2010. Dont miss it.

What's the content you ask?

Advanced Penetration Tester (APT) – Penetration Testing High Security Environments

• Advanced Scanning
• Bypassing Network Filtering
• Stealth Scanning
• Bypassing IDS/IPS
• Attacking From the Web
• XSS to command-shell
• SQL Injection to command-shell
• File Handling to command-shell
• File Upload to command-shell
• RFI to command-shell
• LFI to command-shell
• Client-Side Pentesting
• Bypassing Antivirus
• Packing Binaries
• Modifying Binaries with OllyDBG
• Writing Custom Trojans
• Email Collection
• Pivoting into the LAN
• Attacking From the LAN
• USB Hacksaw/USB Switchblade
• Bypassing Port Security
• Bypassing NAC Solutions
• Breaking out of Restricted Environments
• Citrix in Kiosk Mode Hacking
• Restricted Desktops Workarounds
• Bypassing Group Policy Object Restricted Applications
• Advanced Enumeration the network
• Defeating and Identifying IDS/IPS Signatures
• Privilege Escalation in Windows XP
• Privilege Escalation in Windows Vista
• Post-Exploitation
• Remote Command Execution
• Automating Pentest Tasks
• Enabling RDP/VNC for Staying Power
• Persistence After Attacks

Checkout j0e in one of his conference talks:

Like GI Joe always said: Knowing is half the battle… And so it is the same with hacking.

One of the first parts of recon in a pentest is gathering valid login names and emails. We can use these to profile our target, bruteforce authentication systems, send client-side attacks (through phishing), look through social networks for juicy info on platforms and technologies, etc.

Where do we get this info? Well without doing a full-blown Open Source Recon (OSINT) style assessment, we can use two simple scripts; Metasploit's search_email_collector.rb and Edge-Security's theHarvester.

theHarvester (luckily for us) just updated to v1.5 and has now fixed some of its previous bugs with searching Bing and LinkedIn. It supports searching Google, Bing, PGP servers, and LinkedIn. Metasploit, under modules/auxiliary/gather, has search_email_collector.rb and uses similar techniques for Google, Bing, and Yahoo.

A quick usage below identifies some users

p.s. you can one line search_email_collector like so in msfcli:

ruby /framework3/msfcli auxiliary/gather/search_email_collector DOMAIN=your_target_domain OUTFILE=output_file_you_want_results_in E

Check the last line for an example wrapper for these two tools.

Read the rest of this entry »