carnal0wnage [Shared Reader]

Thursday, October 2, 2008

ToorconX Wrap-Up

Joe and I had the opportunity to teach our 2 day Crash Course In Pentesting workshop at Toorcon X. I felt like the workshop went pretty well and we got some good feedback from the students. Joe has spent that last year really working on web application pentesting and can really break down SQL injection and XSS type assessments and attacks. He had day two of the workshop and I thought it was really good. We even had a custom bookstore web application built for the students to practice SQLI, XSS, and LFI/RFI. I had day one. Frankly I covered too much material and not enough time for the students to actually do anything with the lab images but they did get the hard drives to take that stuff home along with the lab manual for the web application thing and the draft version of the LSO Metasploit Mini-Course.

Here is the breakdown of the seminars.
http://sandiego.toorcon.org/content/section/5/7/

9:30 Jay Beale: Owning the Users with The Middler
11:00 James O'Gorman & Matthew Churchill: Digital Forensics - Footsteps in the Snow
14:00 Travis Goodspeed: Repurposing the TI EZ430 Development Tool
15:30 Ryan Sherstobitoff: The Evolution of Cyber Crime
17:00 Jared DeMott: AppSec A-Z: Reverse Engineering, Source Code Auditing, Fuzzing, and Exploitation

Jay Beale's talk was cool, it was on his tool middler which I had heard about before but hadnt played with (I think because it wasnt released). It will MITM the user's browser and hijack EVERY web session, grab the cookies, insert any javascript of your choosing. I dont think the tools website is up yet but his slides from Defcon16 are, you can check those out for more info:
http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-beale-2.pdf

James O'Gorman & Matthew Churchill from Continuum World Wide gave a good talk on forensics. The had some great slides on dispelling forensics myths and gave everyone a chance to ask questions about the current state of forensics.

I missed Travis Goodspeed's talk.

I caught most of Ryan Sherstobitoff's talk. He was from Panda Security and talked about some stats they had accumulated on different types of malware in the wild.

Jared DeMott talked about reversing 101 and exploitation 101. quite a bit to cover in 90 minutes. He covered alot on IDA Pro and then talked about doing some simple exploitation and shellcode development. Fun stuff.

Here's the link to the breakdown of the conference, I wont paste it all.
http://sandiego.toorcon.org/content/section/3/9/

Dan Kaminsky's keynote was awesome, he of course talked about the DNS bug but more importantly he talked about how exploitation and vulnerabilities really have to be though of in groups. Its not so much one vulnerability breaking the internet, but now you can string several together for total world domination. *btw, NONE of that is a quote from his talk.
http://toorcon.org/tcx/1_Kaminsky.pdf

I really enjoyed Ben Feinstein's talk on the "Loaded Dice: SSH Key Exchange & the OpenSSL PRNG Vuln." He did a good job explaining SSL and showing the steps with wireshark and then doing a live demo showing what could happen if you are doing SSH with a bad cert.
http://toorcon.org/tcx/3_Feinstein.pdf

Ariel Waissbein is from Core Security and talked about some new tool they are releasing that will do simulated exploitation by reading in virtual machine config files and interfacing that will core impact "to test to see if you were vulnerable in the past". I wasn't too impressed. If i was taking the I was owned in the past stance I should just go start looking for evidence of the hack rather than testing to see if the Core Impact module works.
http://toorcon.org/tcx/5_Waissbein.pdf

Joe McCray of course rocked the SQLI.
http://toorcon.org/tcx/9_McCray.pdf

Grutz rocked the NTLM pass the hash with windows authentication and squirtle. If i hear the talk one more time I might be able to take in the full impact of what you can do with it.
http://toorcon.org/tcx/10_Grutz.pdf

Sunday was the 20 minute talks.

I caught Christian Heinrich's "Googless" talk where his OWASP group is writing some code to use the google SOAP API to do some searches.

I caught a bit of Marc Bevand's "Breaking UNIX crypt() on the PlayStation 3" talk but had to leave early to get set up for my talk

Got in late for Dan Griffin's "Hacking SharePoint" but it seemed good, looking forward to the slides from it.

Here's what I caught the rest the of the day:
Dan Hubbard's "P0wn the Cloud. The good, the bad, and the pugly of Cloud Computing"

Joshua Brashars' "Owning telephone entry systems (aka why you shouldn't sleep so well)" basically what the title says, default passwords are great, default passwords of 0000 are even better.

Stephan Chenette's "Ultimate Script Deobfuscation: Browser Hooking versus simulation" discussed a very cool tool that would hook IE and document.write and other function I cant remember right now so you can read what the obfuscated java is doing after the browser has done its thing with it. very cool.

David Byrne's "Advanced Techniques in Automated Web Application Testing" talked about Grendal-Scan and the Grendal-Scan blog.

Luis Miras & Zane Lackey's "Mobile Phone Messaging Anti-Forensics" talked about F'ing up the SD card on cell phones that would crash any SD forensics software.

All in all a great con. Huge props to all toorcon crew.

No comments: