Interview: Joe McCray of LearnSecurityOnline

March 1, 2010

Review by Jason Haddix

Have you ever seen Man on Fire? If you haven’t and you like watching kick-ass, kick-you-in-the-teeth, relentless, Denzel-Washington-type-of-action-flicks… you might want to Netflix that one. Our interview this week is kind of like Denzel in Man on Fire but with fewer guns and more SQLi strings meticulously crafted to pwn your databases.

Enter Joe (j0e) McCray of LearnSecurityOnline… Joe is a long-standing friend of both Security Aegis and The Ethical Hacker Network. He has wanted to keep the limelight off of himself and his teaching projects, but we have finally pestered him enough that he agreed to sit back and answer a few of our questions about life, liberty, and the pursuit of root.

The great thing about Joe is that he will never make you feel like an idiot, even while he’s managing to teach you cutting-edge stuff. He keeps you engaged with a half-comedy, half-lecture teaching style. I have no reason to think that his energy and effectiveness won’t continue to shine through in his upcoming new advanced course, Pentesting High Security Environments. Make sure to check out his video at the end of the interview.


Jason Haddix (JH): So Joe, many of our readers don’t know much about you or your site LearnSecurityOnline. Why don’t you fill them in? (make sure to impart on the youngins your own history!)

Joe McCray (JM): For me it all started with the movie “Wargames,” and then several years later I was miserable wasting my life away working on the help desk telling people how to right-click all day. Someone convinced me to go to DEF CON. I went to DEF CON that weekend and lost my mind when I saw the Capture the Flag competition. I had heard of Linux but never used it, and had never even heard of OpenBSD – and 99.9% of everything I saw and heard was way over my head, but I knew then that I wanted to be able to do what those guys were doing. From there – I just jumped in with both feet (it was the most humbling experience in my life – it’s amazing how smart REAL HACKERS are).

JH: We’ve seen you around the conference/speaking track (DEF CON, Brucon, Dojosec, et al) with your stellar “Advanced SQL Injection” talk. How’s that been? What’s next on your plate?

JM: More SQL Injection (new tricks), and some anti-forensics stuff are subjects I’m researching for upcoming conferences. I put a lot of work into this stuff, and I really hope that people get something out of it.

JH: We’ve seen some of your research on identifying WAFs and breaking them at the end of some of your lectures. How’s that been going?

JM: Actually that’s been the most fun. Sandro Gauci and Wendel Guglielmetti have been doing the bulk of the research, but I chip in every now and then. I think WAF identification and bypass is the future of Web Application Penetration Testing, because so many companies are deploying them instead of actually fixing the security bugs and it’s an easy check in the box for PCI. So as a pentester, look forward to many years to come of dealing with WAFs.

JH: Since we know you have some pretty good pentest war stories, could you let us in on one of your most righteous hacks?

JM: Ok – so instead of bragging I’ll tell a story that I often tell when I’m teaching (I just can’t give too many details because of the sensitive nature of it all). There was a pentest for a large organization a few years ago where the aggressors (pentesters) were from 4 separate entities in order to simulate a cyber war type scenario where several enemy entities attacked this one target organization.

One of the pentesters decided to do a man-in-the-middle attack, so he spoofed the default gateway and spoofed the DNS server.

LESSON FOR NEWBIES!!!!!!

When you are doing a man-in-the-middle attack, be sure to use fragroute or some other method of forwarding all of the network’s traffic that is now destined for your laptop due to the ARP spoof to the real default gateway, so you don’t cause a denial of service for the entire network!!!!! Which is exactly what happened in this engagement – Denial of Service for the entire network. All of the testers got kicked off site.

JH: What tools are in your pentest wallet these days? What have you been playing with the most?

JM: Pretty much everything I do is either manual or in Python. Yes, yes, yes I’ve gone to the dark side and switched from Perl to Python.

JH: We have to ask, what’s up with LSO’s training? We’ve seen it go from individual skills-based type classes, to now full-blown curriculum on Network Pentesting and Web App Pentesting. What’s the new vision?

JM: I guess it’s the transition from LSO just being my toy to turning LSO into a real training organization. Something that people can use to learn something tangible. For example the new live course entitled ‘Advanced Penetration Testing (APT): Pentesting High Security Environments.’ It covers things never-before-seen like attacking Windows 7, Server 2008 and the latest Linux servers. This is not for the faint of heart. The learning curve is quite high, but so is the payoff. I also am offering a special discount to EH-Netters. ;-) Be sure to let me know you heard about the course from here or click on the link in the Forum Thread about the course.

JH: We know in our heart of hearts that your fu is some of the best, but with so many training packages coming out these days, what makes your new revamped course different?

JM: I’d say what makes it different is that the new courses are based on my pentest experience, so it’s a lot of headaches, heartaches, and pentester life lessons instead of just how to run nmap.

Thanks Joe. And for a little more of Joe, check out these videos. Be aware that they are PG-13 for adult language.

DojoSec Monthly Briefings – February 2009 – Joseph McCray from Marcus J. Carey on Vimeo.


Advanced SQL Injection – LayerOne 2009


Jason Haddix is a Junior Penetration Tester at Redspin, Inc. and Security Blogger at http://www.securityaegis.com. Jason has been working in information technology in one fashion or another for many years, doing everything from admin work to component bench technician and identity theft researcher. Jason is an autodidactic polymath (constantly learning about everything he can) and has been reading, mapping, and planning out his future in IT security. Jason loves everything to do with (E)hacking, Social Engineering, the con community, et cetera. Jason’s current projects include numerous reviews of current pentesting and incident handling teaching curriculum as well as being a main contributor to PentesterScripting.com and Ethicalhacker.net.