EH-Net

This is the place to be following Part III of this webcast series that took place at 1:00 PM EST on Tuesday March 24, 2009:


EH-Net members are invited to keep the conversation going with Kevin Johnson, Josh Wright and Ed Skoudis from InGuardians (http://www.inguardians.com). These 3 security experts will be with us for about a week (depending on their time constraints) after each webcast to answer your questions. We will also post the links to webcasts as they become available.

Please become an EH-Net Member, (http://www.ethicalhacker.net/component/option,com_smf/Itemid,35/action,register/) to post questions.

Feel free to ask away...

Many thanks to SANS (http://www.sans.org/info/25034) and Core Security (http://www.coresecurity.com) for making this possible,
Don
EH-Net
Editor-in-Chief

Just for the sake f it, if you want to review the recordings of previous 2.

- View the recording of "The Pen Testing Perfect Storm Part I," originally broadcast in October 2008:
http://w.on24.com/r.htm?e=121680&s=1&k=A0A9EE250B2691348F1218E5F1B16CEA&partnerref=core
 
- View the recording of "The Pen Testing Perfect Storm Part II," originally broadcast in January 2009.
https://coresecurity.webex.com/coresecurity/lsr.php?AT=pb&SP=EC&rID=6730442&rKey=6A102E159B31CD77

Thanks

VJ

Hey All,

Hope you enjoyed the webcast. Feel free to ask questions here that may not have been answered due to time constraints of the live venue. Also, if you want others to benefit from your live question or have Ed, Kevin or Josh expand further, asking the same question is also allowed.  :)

Thanks for visiting EH-Net,
Don

Is the recording up for this yet?

I guess this question is not particularly related to this WebCast, but maybe Kevin or Ed point me to some decent documentation for BeEF. Just looking for background info, setup and workings.

Thanks

VJ

Many of the tools mentioned in the entire webcast series are actually done by the InGuardians crew. Included are VistaRFMON, nm2lp, Project Yokoso and more. You can find them here:

http://www.inguardians.com/tools/

Thanks guys for contributing tools created for your own work to the community-at-large.

Don

X2

Hey Josh,

You mentioned off-hand during the 'Ghost in the AP' portion of the webcast, that cloaking or hiding SSIDs should not be done any more. Now I've heard this explanation before, but you do it much better than I do. So could you quickly recap why it is now a common practice not to cloak, even though it had been the way of the world for quite some time?

Thanks,
Don

Hi-

Yes, my understanding is that the recording is now available.

Kevin

I am not sure of any "good" documentation other then the bit on the bindshell.net web site.  It has a bit of information.  You can also find some postings on various blogs around the internet.

Kevin

Thanks Kevin,

Sounds like a little research project :)

VJ

You don't happen to have a link for it, do you?   Thanks!

That would be wonderful!

Kevin

The problem with SSID cloaking is that you force your client systems to constantly ask every AP they see "Are you my mother?" (queue the Dr. Seuss book ... SNORT!)  If you cloak the SSID of your work AP and the user is stuck in Terminal C of O'Hare Airport*, they are constantly sending out probe requests with the cloaked SSID.

A friend made the analogy to a military officer.  The officer is lost, and he is looking for his military base.  He asks everyplace he sees "Are you my military base?", "Are you?"  Eventually, someone will say "yes", which we otherwise would call Karmetasploit (http://trac.metasploit.com/wiki/Karmetasploit (http://trac.metasploit.com/wiki/Karmetasploit)).

Other reasons SSID cloaking doesn't make sense:

1. It provides no security.  As any Kismet user will tell you, watching a legitimate user login to the AP discloses the SSID.
2. It leads to user confusion.  Users who can't find their wireless network are 18 times as prone to click on "Free Public WiFi" or any other nonsense SSID they come across (I read that statistic in the Journal of Clinical Neuroscience).
3. Users call your helpdesk more.  If they need special shared information about the SSID, they are going to call your helpdesk all that much more.  I found it was better to make friends with the helpdesk people than ... enemies.

I wrote a short article about this topic a few years ago for Network World which states similar points with more penache than I can muster at the moment:

http://www.networkworld.com/columnists/2007/030507-wireless-security.html

Thanks to all who attended the webcast!

-Josh

* The best place to eat in O'Hare Airport is a take-out place in the K concourse called "Burrito Beach".  You'll thank me for it.  If you know of a place in the C concourse where there are more than a handful of working electrical outlets for public use, please let me know and I think kindly of you often!

That archive doesn't seem to work (for em at least) atm,

Here is the link from Core:

•  Webcast recording:

https://coresecurity.webex.com/coresecurity/lsr.php?AT=pb&SP=EC&rID=7322987&rKey=1231C582ECF723AE

 

•  Slide presentation:

https://coresecurity.webex.com/coresecurity/lsr.php?AT=pb&SP=EC&rID=7325532&rKey=41C163EE4464BA8F

Enjoy!

Thanks for posting the link.

Thanks for the link been searching for this