Once the basics were covered Jason got into the meat of testing for SQLi both manually and through automated tools. I really appreciated the manually testing, there is a lot to be said about good old-fashioned trial and error by hand. He did note that using multiple testing methods is important as there may be different responses from differing tools, this is where I really think testing my hand is a great validation method. Coverage of browser plugins I thought was a good approach since we all have browsers and if you can perform advanced testing within a browser, I’d prefer this method over installing yet another app to test. Jason then presented SQLMap, my favorite SQLi tool. I use it with BurpSuite.

As the primary goal of the talk was to educate attendees on the reality of SQLi and that it can be prevented, Jason covered preventing SQLi. This portion of the talk drew some questions and Jason was well prepared to answer them. Last Jason provide several resources and tools on the subject rounding out a very solid presentation on the subject matter.

The ability to pull off this off in 30 minutes says a lot about the presenter and being an instructor, all I can say is well done! I understand SQLi quite well and I gleaned insight into how to exploit it in better ways and got some ideas. Well done Jason Pubal.

Jason has a blog http://intellavis.com/blog/ and the slides from the DerbyCon talk are here: http://intellavis.com/blog/?p=498, also Jason can be followed on Twitter @pubal.

Shai Saint

DerbyCon just held its second year and it was awesome! This year I decided about two weeks beforehand to put together a CTF team to have a little fun while at the conference. We knew we would be grossly unprepared as most of us do not have penetration testing jobs, we are on the flip side in defensive security, hacking is a hobby. With that being said we did try to cover all the bases, we had a reverse engineer, cryptographer, developer, and generalist. We did not expect to achieve much but we ended up 23 of 120+ teams, not too shabby considering two of us are swamped writing books and developing hacking video games so hacking has not been our daily routine for several months. None of us have ever done a CTF so we had no idea what it was going to be like, it was awesome. I wanted to share our experience from a high level perspective, not going into breaking any of the puzzles but what types of things we encountered, lessons learned, and how we plan to prepare for next year as we are hooked.

The CTF Setup

The CTF started at 1500 EST on Friday 09/28/12 to run until 1300 EST Sunday. There was wired and wireless connectivity to reach the hosts included in the challenge. We were late to the room so wireless was our only option, this proved to be a significant challenge. The CTF team quickly realized that the number of participants and the hotel interference would require more APs as most of us could not connect consistently for several hours, this was much better on Saturday, hats off to the CTF team. Since the rooms provided were too small for all the participants, we were soon scattered anywhere we could get a good wireless signal. We did eventually make it into the CTF room Saturday. As for the CTF network, there were initially 3 hosts with various services available including web applications and OS services. As the CTF continued more hosts were added with various services running. The CTF hosts were only accessible via the wired or wireless connection configured for the CTF. The CTF network permitted access to the Internet which was helpful for getting vulnerability info and exploits for enumerated services and applications.

Our Experience with The CTF

We began by identifying live hosts and service enumeration. It was quickly apparent that some hosts were hosting web applications that warranted further investigation, what was to be made of the other open ports we divided amongst the team. On hosts that had web services, I simply browsed to the URL and one had directory listing, while others hosted blogs and other web applications some with really new exploits requiring Metasploit to be updated. The first host in the network range had directory listing for the web services running on TCP 80 and there were several flags just in the data posted that did not require exploitation. An example is a 3-D image, the kind where you have to stare at for a while until you see it. Well, none of us could, so we set it aside initially to dig into the other files. What we found was executables that needed reversed to get a flag, hashes that needed cracked, and a mysterious video that I still don’t know if it was relevant or not. As two of us tackled the first system the others moved on to the other hosts. We divided and conquered the other hosts and we started using our various skills on what we were finding. We began to get a layout for the web apps and various portals that had simple password brute forcing that once successful the flag was presented. We found several flags in web error messages for both generic page errors and for unsuccessful basic auth attempts on various pages. Flags were also hidden in pages, just had to be looking at everything, some were in plain site. There were of course more advanced crypto type flags where the encrypted and plain text were made available and using the proper method the crypto could be cracked and the flag captured. One web application was running TestLink which has multiple vulnerabilities but an update in Metasploit was required to get the exploit to get a shell on the system. The system was a full compromise system from what I was told by the winning team, however, we did not achieve prior to the CTF ending. At the end we had scored 210 after we lost 15 points for not paying close attention to the rules. We submitted flags in the wrong format with a deduction of 5 points each. Pay attention to details, kind of a big point in penetration testing and exploitation, right?! What I have covered indicates how far we got, there was a lot more to the challenge! The CTF team is incredible and we have a lot of love and respect for the team.

The great thing about the CTF configuration was that it was designed for all skill levels from beginner to advanced and all ranges of expertise were present. I personally enjoyed the friendly jabs teams were giving each other and the occasional hint to a flag. We were somewhere in the middle, certainly not advanced but we did not care, it was the fun of the challenge that mattered to us. The staff running the CTF were extremely cool especially dealing with so many of us. The CTF had several flags still not captured which means they had some serious stuff in there that I am intrigued to know what exactly. The team is looking forward to next year and we will be more prepared as we think we can improve a score of 210 significantly now that we know what the experience is like. Below are a few things that each person and team must know like the back of your hand.

Things to Know

• Enumeration
• Reverse Engineering
• Creativity
• Crypto (Hashes, etc.)
• Your Tool Set (be familiar with BackTrack and tools within)
• The devil is in the DETAILS
• Strengths of the Team, Use them Accordingly
• Web Application Exploitation
• Use the Internet and ExploitDB on BackTrack for Exploits

What We Are Doing to Prepare

• Buying dedicated systems for the challenge (with oclhashcat+ supported GPU(s) (I used my primary laptop a pimped out Macbook Pro with 16GB of RAM)
• Obtain Rainbow tables for Hash cracking
• Practice Reversing
• Practice Web App Enumeration Techniques
• Practice with Metasploit
• Leverage MagicTree
• Practice with vulnerable distros to learn new techniques and think out of the box (see my Resources page for a few)

I recommend any level of hacker or penetration tester to participate in the DerbyCon CTF, it is a great learning experience and humbling. You will get to meet new people or put faces with handles and forge new friendships. The whole “IamtheJavier” team is really happy that we participated and we all look forward to next year! Congrats to team “JollyandFriends” for winning the CTF, it is well deserved.

In the meantime, check out PacktPub, there are 1000+ books!

Later n00bs!

Shai Saint

Here are the highlights:

• Top-Notch Speakers
• Relevant and Well Developed Training
• Tons of Free Activities
• Friendly Environment for meeting New People
• Get Challenged to be better

All of this great stuff in Louisville, KY, away from the glitz and glamour of Vegas. It is a very real environment with much less of the vendor infringement and no private parties. At DerbyCon everyone is family and I felt welcome being a nobody in the “hacking” world. This year is supposed to be more impressive with more tools and extensive training. Another highlight this year is the screening of the hacker film “Reboot”. I have watched the trailer and follow the film on twitter (@reboot_film), should be a good time. All this and general admission only cost $150, that is 3 full days of talks!  The tracks available for training are really well developed and will not disappoint those looking for real training. I am paid to help companies secure their network and being able to learn defensive security is a refreshing aspect of DerbyCon when we hear daily how we are doing it wrong. I think that DerbyCon brings a decent balance to offensive and defensive security. This is also a benefit for those who need to justify attending a “Hacker” conference. I also found myself challenged by attending talks for topics I do not fully understand and immediately came home, built VMs, and starting diving in.

DerbyCon Site

DerbyCon Schedule

I encourage you to attend this conference especially if you live near Kentucky and can drive (like me), it is well worth the $150 and if you can swing it, attend training. I am really excited about attending this year and I hope to see you there.

Shai Saint

As a client advocate, I jump at the opportunity to find the best ways to use everyone’s time. It is precious, not only for you but for the vendor resources too. When a sales meeting is planned the vendor is thinking, I need to give an overview of product, you know… sell their story on what value their product brings to you. So the meat of the presentation will be flashy cool stuff that is designed to make you, the client goo goo eyes over their product. The problem with this is that usually no real conversation occurs and you are no closer to figuring out if the product is what you need. The vendor is a wealth of knowledge on their product and the sales team will bring a techie with them to answer the “difficult” questions. In fact, they are eager to dive in and show the real value of the product beyond the beautiful marketing slide deck and perfect “live” demo. Ask the right questions.

Shame on you if you haven’t done some homework on the product and have generated a list of question as they pertain to your perception of how the product works and what you expect from the product. If you have not done this, then do not call a meeting. Develop use cases, and know who the stakeholders are that you need to get buy-in and budget dollars from. Determine how you can show the product value to the stakeholders.

Steps to Properly Approach a Problem and Engage Vendors

1. Identify a Problem
2. Identify a Solution
3. Study the Solution
4. Build Use Cases
5. Build Value Proposition
6. BRING IN VENDOR – Be PREPARED
7. Proof of Concept (requires use cases and expected results)

Following a few simple steps will show your peers you really do care and you are not the cookie monster of IT security spend by showing value. Your vendors will also like and respect you too. Remember, their time is as precious as yours.

Einstein said it best, “strive not to be a success, but rather to be of value.”

The first 5-10 slides of every vendor presentation is the same unethical, sky is falling, fear propaganda crap that if were true would only mean everything they have been selling has been ineffective, but we need to buy the latest, pretty, shiny box with a slick name created by the marketing department. Why should anyone take these vendors seriously?

Let’s present the “hot” technologies; application aware firewalls, advanced persistent threat detection/mitigation, application whitelisting, all things cloud, and data loss prevention. Which of these will do the trick? Well, honestly not one of them individually would provide the coverage needed to protect against every threat. But, I think this is the issue. We are trying to protect against every threat, but why? Is every threat applicable, if so, threat to what? If , I buy these products, where should they go? Please do not tell me the perimeter. There is already too much there now!

We in the industry have accepted the standard knee jerk reaction, that perpetuates the mind numbing cat and mouse game where we will never catch the mouse. I feel like the kid with motion sickness who was forced to get on the security vendor carousel, I am tired of the carousel ride and want to punch the controls operator.

Lets take a step back and determine what we are protecting from who and what. Once we have determined this, lets make decisions on what is purchased to mitigate valid threats, meaning based upon the risk profile determined by the current placement of data, access, and value. For the love of all things holy and sacred please do not think the perimeter is the only place to place this stuff. In fact, if you are still thinking at the network level and not host, I should probably write another post as to why that is 1990′s thought and should be permanently erased with something like the “Men In Black” flashy thing. Perhaps security architecture as a whole has failed to keep pace with the changing enterprise, associated risks, and emerging technologies.

The fact is, security vendors are taking advantage of the apparent lack of preparation and foresight by us the security folks and making millions while we provide little security value to the enterprises we are suppose to be protecting.

Get your security architecture straight by finding your data, identify access methods, identifying users, and quantifying risk. This will go a long way towards deciding which solutions make sense, where in the network they should be deployed, and provide a roadmap for the overall security strategy.

All these security products are overrated. Do not buy into the hype. Make smart decisions based on real assessment data. Stop trying to fit everything into the obvious broken security architecture and models we have been using for decades. If the attackers have evolved beyond war dialing, perhaps we should stop using our archaic methods too.

shai_saint

See Pentest-Standard.org for more information on the Penetration Testing Execution Standard.

Enjoy!

shai_saint

shaisaint[at]n00bpentesting.com

Thanks!

shai_saint

Some highlights include:
pipal findmyhash metasploit joomscan hashcat-gui golismero easy-creds pyrit sqlsusvega libhijack tlssled hash-identifier wol-e dirb reaver wce sslyze magictree nipper-ng rec-studio hotpatch xspy arduino rebind horst watobo patator thc-ssl-dos redfang findmyhash killerbee goofile bt-audit bluelog extundelete se-toolkit casefile sucrack dpscan dnschef

Some of these were available before such as pipal, a really cool password analyzer. Pipal can be used very effectively in presentations to clients and a real eye opener for password policies, human behaviour and possible use in social engineering attacks. A DNS proxy tool called dnschef is particularly interesting because you can “spoof” for specific domains while technically proxying all DNS request traffic without modifying.

Also, note that Metasploit got an upgrade to 4.2! I can never say enough good about how awesome Metasploit is, but here is more info from the Metasploit Community. Here is the Metasploit 4.2.0 User Guide.

Here’s how to upgrade today: http://www.backtrack-linux.org/backtrack/upgrading-to-backtrack-5-r2/

Remember, the official release is March 1st, 2012, be sure to get your ISOs!

It has been awhile since I have posted anything, but don’t fear, I will be adding content actively in the coming weeks. I have been traveling, teaching, and writing, getting inspiration for material from a lot of really smart people.

Things planned:

• Pre-Engagement Form
• Content for each section of PTES
• Recommended Tools including usage for each phase (best tools for learning)
• Capturing data during a penetration test
• Building a penetration testing team environment
• Reporting
• Random tidbits

Until Next Time,

Aaron Woody

@shai_saint