
Q&A for Pen Testing Perfect Storm Part III: Network Reconstructive Surgery


don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Mon Mar 23, 2009 9:40 am

Q&A for Pen Testing Perfect Storm Part III: Network Reconstructive Surgery

This is the place to be following Part III of this webcast series that took place at 1:00 PM EST on Tuesday March 24, 2009:



EH-Net members are invited to keep the conversation going with Kevin Johnson, Josh Wright and Ed Skoudis from InGuardians. These 3 security experts will be with us for about a week (depending on their time constraints) after each webcast to answer your questions. We will also post the links to webcasts as they become available.

Please become an EH-Net Member, to post questions.

Feel free to ask away...

Many thanks to SANS and Core Security for making this possible,
Don
EH-Net
Editor-in-Chief
CISSP, MCSE, CSTA, Security+ SME

vijay2

Full Member

Posts: 220

Joined: Wed Mar 28, 2007 6:22 am

Post Mon Mar 23, 2009 10:41 am

Re: Q&A for Pen Testing Perfect Storm Part III: Network Reconstructive Surgery

Just for the sake of it, if you want to review the recordings of the previous two:

- View the recording of "The Pen Testing Perfect Storm Part I," originally broadcast in October 2008:
http://w.on24.com/r.htm?e=121680&s=1&k= ... erref=core

- View the recording of "The Pen Testing Perfect Storm Part II," originally broadcast in January 2009.
https://coresecurity.webex.com/coresecu ... 159B31CD77

Thanks

VJ
GPEN GCFA GCIH CISSP CISA GSEC OSCP C|EH Security+

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue Mar 24, 2009 1:16 pm

Re: Q&A for Pen Testing Perfect Storm Part III: Network Reconstructive Surgery

Hey All,

Hope you enjoyed the webcast. Feel free to ask questions here that may not have been answered due to time constraints of the live venue. Also, if you want others to benefit from your live question or have Ed, Kevin or Josh expand further, asking the same question is also allowed.  :)

Thanks for visiting EH-Net,
Don
Last edited by don on Tue Mar 24, 2009 1:24 pm, edited 1 time in total.
CISSP, MCSE, CSTA, Security+ SME

Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Wed Mar 25, 2009 6:49 am

Re: Q&A for Pen Testing Perfect Storm Part III: Network Reconstructive Surgery

Is the recording up for this yet?

vijay2

Full Member

Posts: 220

Joined: Wed Mar 28, 2007 6:22 am

Post Wed Mar 25, 2009 8:19 am

Re: Q&A for Pen Testing Perfect Storm Part III: Network Reconstructive Surgery

I guess this question is not particularly related to this WebCast, but maybe Kevin or Ed could point me to some decent documentation for BeEF. Just looking for background info, setup and workings.

Thanks

VJ
GPEN GCFA GCIH CISSP CISA GSEC OSCP C|EH Security+

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Wed Mar 25, 2009 8:52 am

Re: Q&A for Pen Testing Perfect Storm Part III: Network Reconstructive Surgery

Many of the tools mentioned in the entire webcast series are actually done by the InGuardians crew. Included are VistaRFMON, nm2lp, Project Yokoso and more. You can find them here:

http://www.inguardians.com/tools/

Thanks guys for contributing tools created for your own work to the community-at-large.

Don
CISSP, MCSE, CSTA, Security+ SME

Dark_Knight

Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Wed Mar 25, 2009 7:02 pm

Re: Q&A for Pen Testing Perfect Storm Part III: Network Reconstructive Surgery

Jhaddix wrote: Is the recording up for this yet?

X2
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Thu Mar 26, 2009 1:45 pm

Re: Q&A for Pen Testing Perfect Storm Part III: Network Reconstructive Surgery

Hey Josh,

You mentioned off-hand during the 'Ghost in the AP' portion of the webcast, that cloaking or hiding SSIDs should not be done any more. Now I've heard this explanation before, but you do it much better than I do. So could you quickly recap why it is now a common practice not to cloak, even though it had been the way of the world for quite some time?

Thanks,
Don
CISSP, MCSE, CSTA, Security+ SME

KevinInGuardians

Newbie

Posts: 15

Joined: Wed Oct 15, 2008 1:26 pm

Post Mon Mar 30, 2009 8:32 am

Re: Q&A for Pen Testing Perfect Storm Part III: Network Reconstructive Surgery

Jhaddix wrote: Is the recording up for this yet?


Hi-

Yes, my understanding is that the recording is now available.

Kevin

KevinInGuardians

Newbie

Posts: 15

Joined: Wed Oct 15, 2008 1:26 pm

Post Mon Mar 30, 2009 8:35 am

Re: Q&A for Pen Testing Perfect Storm Part III: Network Reconstructive Surgery

vijay2 wrote: I guess this question is not particularly related to this WebCast, but maybe Kevin or Ed could point me to some decent documentation for BeEF. Just looking for background info, setup and workings.

Thanks

VJ


I am not sure of any "good" documentation other than the bit on the bindshell.net web site. It has a bit of information. You can also find some postings on various blogs around the internet.

Kevin

vijay2

Full Member

Posts: 220

Joined: Wed Mar 28, 2007 6:22 am

Post Mon Mar 30, 2009 9:20 am

Re: Q&A for Pen Testing Perfect Storm Part III: Network Reconstructive Surgery

Thanks Kevin,

Sounds like a little research project :)

VJ
GPEN GCFA GCIH CISSP CISA GSEC OSCP C|EH Security+

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Mar 30, 2009 9:55 am

Re: Q&A for Pen Testing Perfect Storm Part III: Network Reconstructive Surgery

KevinInGuardians wrote:
Jhaddix wrote: Is the recording up for this yet?


Hi-

Yes, my understanding is that the recording is now available.

Kevin


You don't happen to have a link for it, do you?  Thanks!
~~~~~~~~~~~~~~
Ketchup

KevinInGuardians

Newbie

Posts: 15

Joined: Wed Oct 15, 2008 1:26 pm

Post Mon Mar 30, 2009 10:35 am

Re: Q&A for Pen Testing Perfect Storm Part III: Network Reconstructive Surgery

Ketchup wrote:
KevinInGuardians wrote:
Jhaddix wrote: Is the recording up for this yet?


You don't happen to have a link for it, do you?   Thanks!


The archive on SANS' website is at https://www.sans.org/webcasts/show.php?webcastid=92114

Kevin

KevinInGuardians

Newbie

Posts: 15

Joined: Wed Oct 15, 2008 1:26 pm

Post Mon Mar 30, 2009 10:36 am

Re: Q&A for Pen Testing Perfect Storm Part III: Network Reconstructive Surgery

vijay2 wrote: Thanks Kevin,

Sounds like a little research project :)

VJ


That would be wonderful!

Kevin

joswr1ght

Newbie

Posts: 11

Joined: Wed Oct 15, 2008 12:55 pm

Post Mon Mar 30, 2009 4:42 pm

Re: Q&A for Pen Testing Perfect Storm Part III: Network Reconstructive Surgery

don wrote: You mentioned off-hand during the 'Ghost in the AP' portion of the webcast, that cloaking or hiding SSIDs should not be done any more. Now I've heard this explanation before, but you do it much better than I do. So could you quickly recap why it is now a common practice not to cloak, even though it had been the way of the world for quite some time?


The problem with SSID cloaking is that you force your client systems to constantly ask every AP they see "Are you my mother?" (cue the Dr. Seuss book ... SNORT!)  If you cloak the SSID of your work AP and the user is stuck in Terminal C of O'Hare Airport*, they are constantly sending out probe requests with the cloaked SSID.

A friend made the analogy to a military officer.  The officer is lost, and he is looking for his military base.  He asks everyplace he sees "Are you my military base?", "Are you?"  Eventually, someone will say "yes", which we otherwise would call Karmetasploit (http://trac.metasploit.com/wiki/Karmetasploit).

Other reasons SSID cloaking doesn't make sense:

1. It provides no security.  As any Kismet user will tell you, watching a legitimate user login to the AP discloses the SSID.
2. It leads to user confusion.  Users who can't find their wireless network are 18 times as prone to click on "Free Public WiFi" or any other nonsense SSID they come across (I read that statistic in the Journal of Clinical Neuroscience).
3. Users call your helpdesk more.  If they need special shared information about the SSID, they are going to call your helpdesk all that much more.  I found it was better to make friends with the helpdesk people than ... enemies.

I wrote a short article about this topic a few years ago for Network World which states similar points with more panache than I can muster at the moment:

http://www.networkworld.com/columnists/ ... urity.html

Thanks to all who attended the webcast!

-Josh

* The best place to eat in O'Hare Airport is a take-out place in the K concourse called "Burrito Beach".  You'll thank me for it.  If you know of a place in the C concourse where there are more than a handful of working electrical outlets for public use, please let me know and I'll think kindly of you often!
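Editor's note: the following is an added illustration of the point Josh makes above. It is example code, not from his post and not one of the InGuardians tools. It is a small pure-Python 802.11 management-frame parser run over a handful of constructed frames: the cloaked AP's beacon carries an empty SSID element, the client's probe request names the real SSID anyway, and the AP's probe response names it too, which is how a passive sniffer like Kismet recovers a hidden SSID from one legitimate login. The `karma_response` function is a simplified sketch of what a Karma-style attacker does with a directed probe request: answer it with a probe response claiming that SSID. All MAC addresses, frame contents and function names here are made up for the example.

```python
"""Why SSID cloaking leaks the network name anyway: parse constructed
802.11 beacon / probe request / probe response frames and show where the
hidden SSID shows up. Example code, not from the original post."""
import struct

# 802.11 management-frame subtypes (frame type 0)
SUBTYPE_PROBE_REQ = 4
SUBTYPE_PROBE_RESP = 5
SUBTYPE_BEACON = 8
IE_SSID = 0                                   # element ID of the SSID information element
BROADCAST = bytes.fromhex("ffffffffffff")


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_mgmt(subtype: int, dst: bytes, src: bytes, bssid: bytes, ies: list) -> bytes:
    """Minimal management frame: 24-byte MAC header, fixed fields, then tagged IEs."""
    fc = struct.pack("<H", subtype << 4)      # version 0, type 0 (mgmt), subtype in bits 4-7
    hdr = fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00"   # duration, addr1-3, seq ctl
    body = b""
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        body += struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, beacon interval, capability
    for eid, val in ies:
        body += bytes([eid, len(val)]) + val
    return hdr + body


def parse_ies(data: bytes) -> dict:
    ies, i = {}, 0
    while i + 2 <= len(data):
        eid, ln = data[i], data[i + 1]
        ies[eid] = data[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies


def parse_mgmt(frame: bytes) -> dict:
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0:
        raise ValueError("not a management frame")
    dst, src, bssid = frame[4:10], frame[10:16], frame[16:22]
    off = 24 + (12 if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP) else 0)
    ssid = parse_ies(frame[off:]).get(IE_SSID, b"").strip(b"\x00")
    # A cloaked AP beacons with a zero-length SSID element (some vendors send NULs instead).
    # A client's wildcard probe request looks the same, so "cloaked" here means "no SSID named".
    return {"subtype": subtype, "dst": dst, "src": src, "bssid": bssid,
            "ssid": ssid.decode(errors="replace"), "cloaked": ssid == b""}


def recover_hidden_ssids(frames: list) -> dict:
    """{bssid: ssid} for APs that beacon with an empty SSID but name it in a probe response
    (the Kismet observation: watch one legitimate client join and the SSID is disclosed)."""
    cloaked_bssids, names = set(), {}
    for f in map(parse_mgmt, frames):
        if f["subtype"] == SUBTYPE_BEACON and f["cloaked"]:
            cloaked_bssids.add(mac_str(f["bssid"]))
        elif f["subtype"] == SUBTYPE_PROBE_RESP and not f["cloaked"]:
            names[mac_str(f["bssid"])] = f["ssid"]
    return {b: names[b] for b in cloaked_bssids if b in names}


def leaking_clients(frames: list) -> dict:
    """{client_mac: {ssid, ...}}: every directed probe request names the network the client
    wants, which is exactly what it broadcasts while sitting in an airport terminal."""
    leaks = {}
    for f in map(parse_mgmt, frames):
        if f["subtype"] == SUBTYPE_PROBE_REQ and not f["cloaked"]:
            leaks.setdefault(mac_str(f["src"]), set()).add(f["ssid"])
    return leaks


def karma_response(probe_req: bytes, attacker_mac: bytes):
    """Karma-style sketch: answer a directed probe request with a probe response that claims
    the requested SSID. A wildcard probe names nothing, so there is nothing to impersonate."""
    f = parse_mgmt(probe_req)
    if f["subtype"] != SUBTYPE_PROBE_REQ or f["cloaked"]:
        return None
    return build_mgmt(SUBTYPE_PROBE_RESP, f["src"], attacker_mac, attacker_mac,
                      [(IE_SSID, f["ssid"].encode())])


# Constructed sample traffic (made-up MACs): a cloaked corporate AP, one client that wants it,
# and one client sending a plain wildcard probe.
AP, CLIENT, ATTACKER = mac("02:00:00:00:aa:01"), mac("02:00:00:00:cc:01"), mac("02:00:00:00:ee:01")
SAMPLE_FRAMES = [
    build_mgmt(SUBTYPE_BEACON, BROADCAST, AP, AP, [(IE_SSID, b"")]),                      # cloaked beacon
    build_mgmt(SUBTYPE_PROBE_REQ, BROADCAST, mac("02:00:00:00:cc:02"), BROADCAST, [(IE_SSID, b"")]),  # wildcard
    build_mgmt(SUBTYPE_PROBE_REQ, BROADCAST, CLIENT, BROADCAST, [(IE_SSID, b"CorpNet")]),  # directed probe
    build_mgmt(SUBTYPE_PROBE_RESP, CLIENT, AP, AP, [(IE_SSID, b"CorpNet")]),               # AP names the SSID
]

if __name__ == "__main__":
    print("hidden SSIDs recovered:", recover_hidden_ssids(SAMPLE_FRAMES))
    print("clients leaking SSIDs:", leaking_clients(SAMPLE_FRAMES))
    print("karma reply to directed probe:", parse_mgmt(karma_response(SAMPLE_FRAMES[2], ATTACKER)))
```

The defensive reading is the same as Josh's: the beacon is the only frame cloaking changes, and neither the client's probe requests nor the AP's probe responses are affected, so anyone within range of either side learns the name. The frames here are hand-built; on a real capture you would feed the same parser the management frames from a monitor-mode interface.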