EH-Net

This is the place to be following Part I of this webcast series that took place at 1:00 PM EST on Wednesday October 15, 2008:


EH-Net members are invited to keep the conversation going with Kevin Johnson, Josh Wright and Ed Skoudis from InGuardians (http://www.inguardians.com). These 3 security experts will be with us for about a week (depending on their time constraints) after each webcast to answer your questions. We will also post the links to webcasts as they become available.

If you are not an EH-Net Member, please register now (http://www.ethicalhacker.net/component/option,com_smf/Itemid,35/action,register/) to post questions.

Feel free to ask away...

Many thanks to SANS (http://www.sans.org/info/25034) and Core Security (http://www.coresecurity.com) for making this possible,
Don
EH-Net Editor-in-Chief

---

You can click on the same link when first viewing the webcast to see it again... or the first time if you are just joining us. Just in case:

Thanks Don, and thanks to everyone who caught the webcast today.  Please post your questions and comments here; looking forward to hearing your thoughts!

-Josh

Great webcast guys! I enjoyed it and am looking forward to the next one.

There was a tool mentioned on the 'Using XSS to pivot' slide... it was briefly mentioned about comparing administrative interface fingerprints (or something similar). Can you post a link/name of that tool or maybe a brief rundown of what it does if I misunderstood?

Thanks again!

BillV

The live Q&A is asking about tools. Ed mentioned that he will do his best to list them here. To get you started, a number of great software can be found in our Tools Board (http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/board,26.0/).

Don

Another of the live Q&A questions was about virtual images for your pen testing labs. VMware has a great repository of images:

http://www.vmware.com/appliances/

Also, Josh mentioned getting bootable versions of distros. One cool thing you can do is set VMware to boot the ISO of the bootable distro you just downloaded. This way you can run multiple of them at the same time both on the attacker and victim side.

Hope this helps,
Don

Hey guys, thanks for taking the time to do this presentation.  It was very helpful and informative.  I have a ton of question as I am new to the field, but I won't bother you with those.  My only real important question that I didn't hear much about during the presentation is hardware related.  I've had trouble getting the right wireless cards to work with software that I've tried in the past.  Do you have any recommendations as to which hardware to use for wireless testing?

Again, thanks for the webinar!

One of the additional areas that I would like to see discussed in relation to pen testing is from the forensic side.  For example are there markers to be read in a memory grab, magic numbers for the processes that can be grepped from an image (or the memory), what are some of the tell tales that can be found post-mortem.  I know 508 covers some of the post-mortem topics, but in a live forensic environment there has not been as much presented.

I’d also like to thank all those who joined us on the webcast today.  We really appreciate your interest and participation!  Thanks also to Core Security Technologies, our gracious webcast sponsor.

On the webcast, I promised I’d post a list of some of the tools we referenced.  This list isn’t exhaustive, but does represent the majority of the functionality we discussed.

BeEF, the Browser Exploitation Framework, by Wade Alcorn, available at http://www.bindshell.net/tools/beef

AirCSRF, “Air-Sea-Surf”, by Garland Glessner, not yet released publicly… stay tuned.

Yokoso!, by Kevin Johnson, et al, release imminent, to be available at http://sourceforge.net/projects/yokoso/

Samurai Web Testing Framework, by Kevin Johnson, et al, available at http://sourceforge.net/projects/samurai

Metasploit, by HD Moore, et al, available at http://www.metasploit.com

AirPwn, by Toast, available at http://airpwn.sourceforge.net/Airpwn.html

Of course, the techniques we discussed can be stitched together from any number of tools, but the items above were specifically mentioned and are very useful.

Hope this helps—
--Ed Skoudis.
InGuardians

A lot of people really like the Alfa card; it is USB and high-powered (500 mW with external antenna connector!) and is plug-and-play with just about any modern Linux distribution.  Here is one site that sells this card (no affiliation):

http://www.netgate.com/product_info.php?products_id=665

I still use Atheros 5211 cards with the madwifing drivers.  One madwifing-compatible card that supports 802.11a/b/g with an external antenna connector is at:

http://www.netgate.com/product_info.php?products_id=130

The madwifing cards work great with distributions like Backtrack 3, but will require patching and recompiling your kernel for other Linux distributions.  The patch for this card is on the Aircrack-ng site:

http://patches.aircrack-ng.org/

Best of luck!

-Josh

Yokoso!, by Kevin Johnson, et al, release imminent, to be available at http://sourceforge.net/projects/yokoso/.

Yokoso! is a tool to identify the administrative interfaces used through fingerprinting techniques.  This can be helpful to sort through the page history of a browser controlled by a pen-tester to identify valuable targets to exploit (e.g. previously logged-in administrative pages).

-Josh

Excellent! Thanks, Josh! Will keep a watch out for its release :)

Unfortunately I was only able to make it until the last half of the presentation and I was wondering if it will be available online again for people to watch (such as the Pentest Ninjitsu series).  Thanks in advance.

No worries, you can catch the recorded version.  Visit:

https://www.sans.org/webcasts/show.php?webcastid=91601

And click "Click here to register for this webcast."; you'll need to fill in a form but you can de-select "share this information with the sponsor".

-Josh

Great webcast. Will also the slides be available soon??
Thanks so far.

EDITED: Thanks, found them. I'm looking forward to PART II. See you.

Hi BillV,

The tool we mentioned is Yokoso! and will be at yokoso.inguardians.com.  We are currently looking to get fingerprints from people and are hoping to get the first set of tools out this weekend. (Depending on my copious amounts of free time)

If you would like to help out,  yokoso@inguardians.com or the developers mailing list are perfect places.

Kevin

Awesome Present Guys! Cant wait for the next one.
My question is more toward the certification process of doing the trifecta of Network, Wireless and Application based Pen testing disciplines. I know that you guys have the SANS programs that you teach for. Is there any other certs that you would recommend for someone who is hard core dedicated to the EH and Pen Testing disciplines?

Also, Have any of you had good success using the techniques discribed yesterday using BeEF over a bluetooth access point that uses more of a PPPoE Model??? or is it more geared towards standard 802ABGX related????

Thanks again for the great presentation, Makes a pen test knowledge hungry person like me feel more in the loop.

This morning, a good friend of mine asked two questions based on our webcast yesterday.  They were such good questions, I figured I’d address them here.

First off, he asked about how a pen tester could verify that the hooked browser near the start of our sample scenario is within the scope of the project.  It’s a great question, and we plan on getting into details about how to do that in the second and third webcasts in the series.  We’ll talk about different architectural approaches using client-side and web-server-side code to determine where on the network the browser is located to make sure it is kosher to include it in the pen test.   So, stay tuned on that one.  We’ve got a bunch of slides summarizing a variety of approaches.

His second question revolved around how to get customers who procure pen tests to include such combined work in their tests.  I jokingly responded saying that you should do webcasts on the subject and hope your customers listen in and get the idea.  But, more seriously, I explained that we do try to discuss combined tests up front during the initial scoping meetings with our clients to gauge their interest.  Sometimes, they do sign up for a test that is a combination of the two or three vectors we discussed: network, web, and wireless.  But, rather often, they tell us that they only have budget for one of those vectors, such as wireless.  I told my friend that we then commence on the given test that the client has planned.  Then, when we make some progress and get some form of access, we ask our client, “Do you want us to see how far we can go here?”  They often do, thereby placing the more complex and powerful combined attack vectors in play.  Customers often get excited by this, because they can see that we’ve scratched the surface and, with the increase in scope, will likely be able to help them make their case for security improvements.  So, the short answer to my friend’s second question is to try to scope it in up front, and if that fails, consider running it by the client after a major discovery during a traditional non-combined pen test.

Any chance this series will be hosted offline somewhere (recorded).

i got an email that it was recorded and hosted on the sans site (webcast archives)

This was a great webcast. Now I think about pentests in a different manner. Something that I found particularly helpful were slides 28-30. It had a list skills and knowledge needed for the different kinds of pentesting. It gave me a baseline for me to build on. I forgot all about beef; I am going to have to play with BEEF this weekend.

Ed => great seeing you at CSAW. I will get first place next time !

I missed it live but I watched the archive yesterday.  It was really good to see how different pen testers approach different customer scenarios.

I am looking forward to Part II and will spend some time with BeEF until then.

Glad to hear you enjoyed it.  I always love hearing tips and tricks from the perspective of other people also.


As you can tell from the webcast, BEeF is one of my favorite tools.  I recommend highly that you look into how to expand the system.

Kevin

I seldom find Bluetooth AP's using the RFCOMM, PPP or Bluetooth Network Encapsulation Protocol (BNEP).  Most of my experience with Bluetooth AP's has not been in manipulating clients using the device, but in leveraging it as a network access mechanism that escapes 802.11 rogue AP identification.

It's probably not common to find users leveraging a Bluetooth AP for wireless connectivity due to the greater cost associated with the hardware and the relative popularity of 802.11.  However, that doesn't mean there aren't other uses for Bluetooth AP's... ;)

Thanks,

-Josh

I have a general question for all 3 guys. I'm sure its an infrequent occurrence that you find a network you cannot hack. However in that rare occasion, what are some of the things that present the biggest obstacles to your pen test?

I'm interested in learning about when companies get security right. And not necessarily even certain technologies like WIDS or RSA authentication, it could just be use of procedures like patching, centralized logging or investments in user security awareness training.

Cheers!

Great webcast guys, finally got it it :). Now that I have listened to it, I have new tools to play around with.

Kevin - I was just browsing through the samurai CD and could not see BeEF on it. As there plans to put it there ?

Thanks

VJ

Glad to hear you are checking out Samurai.  As to BEeF, it is installed.  Since it is a web application, it is found in the bookmarks on Firefox.  The controller and the hook are in the "Samurai Tools" bookmark folder.

Kevin

In the next few posts, I am going to post some of the questions we received after the web cast was finished as well as answering them. :)

Kevin

We received many questions about the Tokoso! tool and where to look into it.

BEeF and metasploit actually fit into two different niches. 

Metasploit is an framework for creating, building and delivering exploits. 

BEeF is a framework for delivering browser payloads, but does not provide any means for creating or building them.

The hook script does not.  Currently it is not detected by any antivirus tools that I have tested.  The controller application is detected by antivirus.

Actually, the only prevention of BEeF attacks is to fix the XSS vulnerabilities within applications.

There are a number tools for SQL injection. 

SQLMap and Absinthe come to mind immediately.
SQLMap is available from http://sqlmap.sourceforge.net (http://sqlmap.sourceforge.net)
Absinthe is available from http://www.0x90.org (http://www.0x90.org)


I personally recommend w3af as it includes SQLMap and many other tools for web testing.
W3af is available from http://w3af.sourceforge.net (http://w3af.sourceforge.net)

Sorry I got here late, I'm about to watch it but I need the real player, so I headed over to get it at www.real.com/ downloaded it, uploaded it to virus total and got:
http://www.virustotal.com/analisis/78991ac2576070f4b3181865d202aa05
False Result? What you guys think?

I would guess false positive but wouldn't guarantee that.  :D  On a kinda unrelated question is there a reason virustotal misspells analysis as analisis?  Or is that a correct British spelling and I am being a stupid American?

1/36, so its either a really good piece of malware or a false positive.  or maybe a real result considering the installer probably calls home or to the net to grab updates.

if you are really paranoid run in a VM with a sniffer and see what it does.

Got ya, just I've seen safer files. Thanks.

Could we also leverage karmasploit for this type of attack to push clientside exploits, own the admin laptop, and then dump the password hashes, crack them, then use them to access other machines or the protected wireless internal network?

If that is functionally equivalent, which one of these attacks is better for a pentest? which one would be faster?

and on a side note, when is Jay going to release the middler? ;)

Thanks Inguardians crew!

Does anyone happen to have the full webcast (.arf file) posted somewhere? Core and SANS seem to have removed it.

Sorry to resurrect an old topic, but has anyone gotten the AirCSRF, “Air-Sea-Surf” tool that this webcast mentioned?   I had on my list to follow up and I still can't find it.  Any word on its release?

I still don't think it is available