Interview: Kevin Johnson of SANS, InGuardians

May 30, 2009

Review by Jason Haddix, Security Aegis

Anyone who knows training (or InfoSec for that matter) knows SANS is probably THE most recognized name in InfoSec training. While the foundation of SANS is Stephen Northcutt and Alan Paller, its superstars are the InGuardians crew. Call them security divas, we don’t care. We know that Ed Skoudis, Kevin Johnson, Mike Poor, and Joshua Wright are instructors we’d give the whole of our security budget to train with. We can’t decide what we like best: their stellar tool development, their helpful whitepapers, their nifty cheat sheets, their open source projects, or the fact that their courses are the most interesting and engaging we’ve seen.

Web application pen testing is a huge focus for the security space right now, and SANS just turned their 4-day SEC542 – Web App Penetration Testing and Ethical Hacking into a 6-day class. We had the chance to pick the brain of its instructor/creator Kevin Johnson, InGuardians pen tester, father, and all around great guy.

Read on as he answers a wide array of our web-app security questions.


Jason Haddix (JH): Thanks for joining us Kevin! Can you tell us a little about who you are and what your history is in the security field?

Kevin Johnson (KJ): Sure.  I have been working with computers for WAY too long and have done lots of different things.  Everything from installing a modem for the little old lady down the road, to building complex web sites with mainframe back ends.  I started getting into security because it touched everything I did.  The final push was when a company I worked at was compromised.  It was nothing substantial but the fact that someone used “my” machines pissed me off.

I have since started and run quite a few open-source security projects and author/teach the SANS web pentesting course, Sec542.

As to who I am, that is pretty simple.  I am a nerd that has a wife that supports what he does and the two best daughters in the world.  My ultimate goal is to turn both Brenna and Sarah into the biggest nerds I can.  It helps that my hobbies are what I do for a living.


JH: Can you give us a high level overview of your current projects like: yokoso, samuraiWTF, and SecTools?

KJ: Most of them are related to web security, which is my main focus.  But here is a short description of the major ones.

SamuraiWTF – A live CD that focuses on web penetration testing
Yokoso! – Infrastructure fingerprinting delivered via XSS.
Laudanum – Injectable scripts to increase our foothold after finding SQL injection flaws
BASE – Web interface for monitoring and managing Snort alerts
SecTools – Catch-all project where things like Hping2 (Windows) and WebArmor end up
SocialNetworkBots – Exactly what it is named.

JH: Some people feel that web app pen testing is the new open vector and network pen testing is in decline. What do you think? Do you think there is a long future in network and web app hacking?
 
KJ: Wow, I can’t believe that anyone would think network pen-testing was going away any time soon.  I will agree that web app flaws are getting more attention right now, but I think that what we will see in the future is combined testing.  Ed Skoudis, Josh Wright and I did a series of webcasts outlining how the three types of testing are related and scenarios combining the attacks.  I really think those outline what I see quite well.

Editor’s Note: Pen Testing Perfect Storm Webcast Series – Part I, Part II, Part III

JH: What does InGuardians do? Can you give us a day in the life of an InGuardians pen tester?

KJ: InGuardians does quite a bit actually.  I am always amazed at the incredible skill I am surrounded by.  Our services include everything from penetration tests and security architecture review to forensics and incident response.  We also regularly take on research projects for our clients.  Our staff regularly teaches, mainly through SANS, and we present at many different venues.

A day in the life of an InGuardians agent is varied based on what is going on and which projects we are working on.  If we are on-site at a client or a conference our day is focused on doing what needs to be done there.  When not, I work out of my home office handling the various requests or projects going on then.  The main point of my day is the constant support and communication that happens between the staff.  We have adapted well to the distance between us and the virtual nature of our collaboration.  I am constantly sending messages or talking within our internal systems to the other members.  That collaboration is what I think makes up the best part of being an InGuardians agent.  When I am working a project, the best of the best is only a bit of typing away from supporting and improving what I am doing.

JH: What is the hardest or coolest web app hack you’ve pulled off, and what about the most challenging pen test?

KJ: I will have to go with coolest since most of the problems we find are actually quite simple.  (Which is pretty sad if I may say so myself.)  I personally think that some of the attacks performed by injecting malicious code through help desk ticketing systems are a ton of fun.  And of course the fact that they almost guarantee elevated privileges makes me like them even more. 

The other attack I really like is when we have an XSS flaw and we use it to inject Yokoso!.  This allows us to fingerprint what apps and infrastructure they are running internally.  If we find they are running something that has a CSRF flaw, we can then inject the exploit for that and cause the admin’s system to add an account for us or whatever.

I also think that one of the cooler ones was a physical attack Justin Searle and I did.  We told the security guard we had left one of our cell phones in the secured area and they let Justin into the area.  People are the fun link to attack.
 
JH: What are your views on the browser trifecta this year at CanSecWest in the Pwn2Own contest? Were you surprised Firefox, IE, and Safari were all pwned with zero days in a relatively short amount of time, or did you have a pretty good feel that today’s browsers are highly insecure?
 
KJ: I was not surprised at all.  Our client applications are, and will be for some time, the weakest part of our infrastructure.

JH: What are your views on Chrome being the only browser left unscathed, with its sandboxing feature? Do you think that Google’s sandboxing is an exemplary implementation of that technology?
 
KJ: While Chrome did escape unscathed, I am not sure I would call it an exemplary implementation.  It just isn’t the target the others are and since the others were in-scope, it didn’t fall.  Let’s talk next year. ;-)

JH: What are your thoughts on this year’s two zero-day Adobe exploits?  Do you feel the widespread implementation of Adobe technologies makes it a big target, or is it a representation of something else?
 
KJ: Adobe, Adobe, Adobe… (Read that with the pitying voice I meant it in).  I think that the zero-days in Adobe products are caused by both the target size it represents and a problem with the client complexity it and others are increasing.  I think that we have seen an amazing jump forward in client complexity in the last few years and it isn’t stopping.  Client apps have to be securely written and very few organizations are working on it.  We, the consumers, need to start loudly complaining when problems like this are found.  And someone needs to solve the client patching issues that exist.  And no the Adobe/Java/whatever updater is not the answer.

JH: In your “Forget 0-day, Let’s Talk Zero Exploit” talk you gave an overview of clickjacking. Have you seen these exploits in the wild yet? Do any tools exist yet, or are you (or any colleagues) developing anything for the scope of pen tests regarding clickjacking?

KJ: Yes we have seen these “exploits” in the wild.  The NoScript addon’s main site uses it to provide a download link.  The main point of the talk and this issue is that the client applications provide us so many ways to attack without taking advantage of a flaw or vulnerability.

We do not currently have a tool that is focused on clickjacking, but I could see Middler being expanded to support it.
 
JH: How do you feel about Web Application Firewalls and their lackluster performance? Do you feel they can be improved to be a usable defense mechanism?

KJ: I have quite a few opinions of WAFs and the technology behind them.  I actually think they perform quite well, IF you take the time to configure and build their rule sets correctly.  The biggest improvements would come from integration with development environments and tools.
 
JH: You gave a presentation a few years ago on your projects and then ended with some awesome advice about open source projects; can you instill that in our readers?

KJ: Have you been stalking me???  ;-)   What I have found over the years is that lots of people want to help or offer help, but they then make the comment “I am not a developer so I won’t be able to do much!”  What I tried to get across back then was that projects need tons of different help, everything from coding to testing to documentation.  Some of the most important features or improvements in BASE and my other projects have come from someone that just had an idea.  The only way that OSS projects are successful, excepting things supported by corporations, is by individuals getting past our inherent laziness and helping out.  Join the developer mailing lists and start talking.  Things just happen after that.  (But be prepared for the addiction that follows!)
 
JH: What are your top 5 tools you use in web app pen testing, and what are some up-and-coming ones on that list?
 
KJ: W3af, w3af, w3af, w3af and w3af.

Seriously, I find w3af to be one of the best tools out there.  Andres has done incredible work and has built a team that continues to move the project forward.

Netcat is a close second, and anyone who remembers I work with Ed Skoudis would know this answer was coming.

I quite often say that Python is probably the most flexible web pen-testing tool, but people insist on calling it a programming language.

Burp Suite is also one of my favorite tools and it continues to improve.  The professional version is a requirement for anyone who wants to do this professionally.

BeEF is one of my favorite exploitation platforms.  It is commonly part of my presentations and job.

JH: Do you have any exciting tools or projects that you are currently working on that you can give us a preview of?

KJ: I have a couple of tools I am working on around my research into social networks and the problems they cause/increase.  I am working on a presentation that I hope is accepted at DEFCON this year.

The Laudanum project is also moving forward quite quickly and Frank DiMaggio, Justin Searle and I are hoping it will be released at DEFCON.
 
JH: We’ve seen a lot on BeEF in your presentations. How is the development of BeEF going? Is there a large community behind it?  Do you leverage it in your everyday web app pen tests?

KJ: Wade seems to be continuing the project quite well.  He doesn’t have a huge group but there are some people like Jabra that appear to be contributing regularly.  Yokoso! includes a series of BeEF modules and I am hoping to clean up some code to contribute back to the project.
 
JH: What resources would you point a pen tester to for the large foray into web app hacking? We know that your web app class is stellar, but what about books, websites, software, links, etc., that you could recommend to us?
 
KJ: Of course I would recommend that everyone takes the SANS Sec542 class, but I am biased. ;-)   I think that there are a number of places that people should look.  The Web Application Hacker’s Handbook was an excellent read, as were AJAX Security by Billy Hoffman and XSS by Jeremiah Grossman.  As for software, w3af would be the starting point, but anything within SamuraiWTF is great.  As for sites, the blogs of the people already mentioned as well as sla.ckers.org are wonderful.  I personally also recommend Twitter.  I try to follow some of the “luminaries” within the field and learn something new every day.

JH: Can you give us one of your back pocket pen testing tricks? Some Kevin-fu perhaps?

KJ: The biggest “trick” I have is the combination of tools and custom scripts.  As I look over previous tests and the things we have accomplished, they all used a combination of tools and scripts built upon the skewed perspective we approach every site with.  For example, on one site recently, we used a web interception proxy to determine all of the requests a Flash object was making and then crafted a simple Python script to abuse this portion of the application.  I also regularly use social networks to gather information about the target and then combine that within my attacks.  We have been able to retrieve enormous amounts of PII and complete control of various networks using the information users expose regarding themselves and their organizations.
 
JH: How do you feel about alphabet soup these days other than SANS (CISSP, CEH, OSCP, CPTS, NSA IAM/IEM, etc)?  Which credentials do you think hold up? What about associated methodologies?
 
KJ: “I love alphabet soup,” says Kevin Johnson GCIA GCIH GCFA GWAS CISSP CEH IBM CSE Inet+ ad nauseam.

I think that certifications, including SANS/GIAC, have a place within our industry.  I find that it depends on the person taking them and the person evaluating that person.  Some people think that certs are the be-all and end-all, and I would say they are wrong.  I personally use my certs as a goal when I am trying to do something.  For example, my GCFA was a point where I wanted to formalize my understanding of forensics and its foundations.  While I could have just gotten some books and played with the tools we use, it helped focus my study to have a measurable goal.

As to which will hold up, I am not sure.  We all know that ISC2 and GIAC aren’t going anywhere.  And I am hoping that the GWAPT, GIAC’s new Web Pen-Testing cert, will stand the test of time.  (Of course I feel very strongly that it will!)  As to the others, I think we will see some of them stay around, where others such as EC Council’s will disappear.

JH: A lot of readers want to know how you feel about the OWASP LiveCD, and how would you leverage both it and SamuraiWTF in a webapp pentest?

KJ: Now that’s a loaded question.  ;-)   As the project lead for SamuraiWTF I think it’s the best.  The OWASP LiveCD has existed for a couple years now and when I formed the SamuraiWTF project, it just didn’t seem to be an active project.  Back then it seemed to be a summer of code thing that wasn’t being worked any longer.  Now it has picked back up and is actively being worked.  I think though, and of course I am biased, the SamuraiWTF project has a bit more momentum.  I would love to see the two projects work together since we have similar focuses but I am not sure it would work since the base OS and the goals are different.

As to how I would use them both, bluntly I wouldn’t.  Currently SamuraiWTF includes all of the tools in the OWASP LiveCD and many others.  But more importantly than a tool count, I am more comfortable within the SamuraiWTF environment, which makes sense since I have focused on building it out based on my way of working and the methodology we teach within Sec542.

JH: Anything you’d like to get off your chest or promote? Now’s the time!

KJ: Wow, that is an open-ended question….  There are a number of really cool things going on right now.  I am working with Frank DiMaggio on the social zombie projects, which are as exciting as anything I have ever worked on.  Tom Liston is doing some incredible work on utilities that people can use.  For example, his CertGuard utility is being beta tested right now, and LaBrea Tarpit is still one of the best worm mitigation techniques around.  Josh Wright has been focusing on some incredible ZigBee stuff, including some tools he has just released.  Middler by Justin Searle, Matt Carpenter, Tom Liston and Jay Beale is improving daily.  All of this can be seen at http://www.inguardians.com/.  Frank DiMaggio and I are working diligently on research into information disclosure within social networks and will be bundling all of it into SocialButterfly.  Of course, I think I would be remiss if I didn’t at least mention that InGuardians is available to do security consulting and penetration testing for everyone.  :-)

I can be reached for questions at ‘Kevin at inguardians.com’ and am on Twitter at @secureideas.


Jason Haddix is a Junior Penetration Tester at Redspin, Inc. and Security Blogger at http://www.securityaegis.com. Jason has been working in information technology in one fashion or another for many years, doing everything from admin work to component bench technician and identity theft researcher. Jason is an autodidactic polymath (constantly learning about everything he can) and has been reading, mapping, and planning out his future in IT security. Jason loves everything to do with (E)hacking, Social Engineering, the con community, et cetera. Jason’s current projects include numerous reviews of current pentesting and incident handling teaching curricula as well as being a main contributor to PentesterScripting.com and Ethicalhacker.net.