root@dafthack:~#‎ > ‎

Derbycon 2014

posted Oct 1, 2014, 10:36 AM by Beau Bullock
The following are my notes from the talks I attended at Derbycon 2014.

Johnny Long - Hackers Saving The World From A Zombie Apocalypse
  • Hackers For Charity helped rebuild a village that burned. 200 homes were destroyed.
  • After rebuilding HFC were able to create jobs for some of the villagers. They started a leather-working shop.
  • Johnny needs help building servers for remote sites to connect back to their computer center.
  • They need 13k for the computer center to operate and 6k for a new hackerspace.
  • UPDATE: At the closing ceremonies Johnny announced that two different individuals approached him at the conference and wrote him checks for both of those numbers. Also, the HFC merch table brought in 32k.

Ed Skoudis - How to Give the Best Pentest of Your Life
  • Write the report for operations teams so they can take action on any items you find. Help them to fix the problem.
  • Ed looks to PTES for inspiration
  • Ed recommends a minimum of five people on every pen test. Collaboration is key. If you don't have the resources to put five pentesters on a test there should at least be a designated collaboration time of the day where pentesters can bounce ideas off each other.
  • Work on the report during the test. It may be slower but there is less chance you would miss something (I.e. A screenshot containing an item you may have previously overlooked).
  • Tell the customer to utilize me as a pentester to get the resources they need. They probably already know about the weaknesses they have. If they can share those we can focus our report to detail how large the problem actually is, and hopefully get the point across to upper management.
  • Most pentesters don't operate in the zero day realm. Current numbers put zero day development in the 2-12 month timeframe, and usually they only have a 24 hour to 10 day shelf life before being patched.
  • Sometimes when Ed is having a really hard time of finding anything on a pen test he uses the "zero-day card". Basically, this means that we could spend 12 months and probably write a custom zero day for a given software but that is not feasible. Instead, let's assume a dedicated attacker already has a zero day for it and give us access to that system so we can move forward in the pen test.

Kevin Mitnick and Dave Kennedy - Adaptive Pentesting part 2
  • Unicorn - a tool for PowerShell injection into memory
  • IBM communicator - Dave discussed how he found this software on a system he was pentesting. He was not admin. Looking through the processes he found some unnamed ones. He started migrating to them and found that one was running with SYSTEM prigs.
  • List - Kevin used this site to register his phone number to Microsoft. When you Google his number it will show Microsoft.
  • Pidatabase - find ssn's, address, phone number of anyone. Kevin demonstrated this by getting a random volunteer to come up on stage and he showed them their SSN.
  • - find Mother's maiden name

Day One Talks
Larry Pesce - If It Fits It Ships: Adventures in Warshipping
  • Send a package containing WiFi hacking rig to someone who doesn't exist at an organization or is on vacation. Mail room at organization may leave it there for a few days before shipping it back.
  • Larry uses a Raspberry Pi B+ with AWUS051NH, and battery pack with 30 AA batteries. No need for GPS. We can geolocate based on BSSID's of AP's.
  • ISniffGPS - can query Apple for BSSID geolocation.
  • Larry wrote a tool that uses the Apple do as well called loc-nogps.
  • Larry mentioned that shipping active electronics is illegal.

Josh Schwartz – Red Teaming: Back and Forth – 5ever
  • Use OSINT to start crafting profiles on employees.
  • Josh created a CnC tool that creates encoded tweets to tell a compromised host to change CnC servers.
  • Internal recon – check internal wiki’s
  • osascript to tell osx to present a dialog to the user with a field.
  • osascript -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return & "Password:" default answer "" with icon 1 with hidden answer '
  • Get caught. If you make a lot of noise and didn’t get caught that is a finding.

Carlos Perez - Abusing Active Directory In Post-Exploitation
  • We can query AD as a computer object, not just a domain user.
  • Carlos considers AD as "Microsoft's way of doing LDAP"
  • Use AD management tools in post-exploitation.
  • RSAT - nltest.exe, dcdiag.exe, ntdsutil.exe.
  • extapi – Extended API in Metasploit. Carlos wrote modules to query the domain.
  • ADSI – Active Directory Service Interfaces – Can be used to add users, add users to groups, enumerate groups, etc.
  • If “Auditing” is enabled in a domain many windows will be generated when using ADSI.
  • It is possible to perform host discovery without sending a single packet to hosts on the network besides the DC. AD can be queried to find RDP, MSSQL, Exchange servers.
  • SPN – Service Principal Name
  • Carlos wrote Metasploit modules for enumerating the domain:
  • Carlos mentioned it is possible to enumerate phones connecting to OWA through the CAS server. May be able to get OS/phone number.
  • Some other items that can be gathered from AD: OU’s, GPO’s, subnet listings.
  • The enum_ad_users module writes to CSV for easy parsing.
  • In summary, as “NETWORK SERVICE” it is possible to get all systems FQDN’s, OS version, and OU from AD.

John Strand and Joff Thyer – How Not to Suck at Pentesting
  • John gave examples of how low and medium vulnerabilities can be devastating to an organization.
  • Manually visit web servers. Don’t trust your tools.
  • On a pentest Ethan found a web server that had a file called hello.php. This file was an injected web shell.
  • Get caught on a pentest. If you have successfully compromised an organization without being detected start to get noisier on the wire. This can help an organization find where their weakpoints and strongpoints are.
  • John mentioned that he still recommends application whitelisting products as an AV replacement but gave the caveat that they are not an end-all-be-all solution.
  • Most of the application whitelisting products still allow tools like PowerShell to run.
  • Management of these app whitelisting products can be tough and sysadmins may create broad rules to make management easier. For example they may whitelist entire folders or certain types of files.
  • Joff discussed some of the hunt teaming items BHIS are working on.

Benjamin Donnelly and Tim Tomes – Ball and Chain (A New Paradigm in Stored Password Security)
  • Storage of passwords needs to change so that offline password cracking can be eliminated.
  • The idea of Ball and Chain is that the mechanism used to store passwords is so large, in terms of file size, that an attacker wouldn’t be able to exfiltrate it from an organization.
  • Create a file multiple terabytes in size.
  • Implement an authentication platform that ties into this file.
  • An attacker may be able to still do online attacks but removing this file from an organization would be infeasible.
  • Even if an attacker were to get it there are protections in place that would still make cracking passwords with it very hard to do.

Day Two Talks
Casey Smith – Interceptor: A PowerShell SSL MITM Script
  • Can create and install dynamic certs with PowerShell.
  • Cert generation without makecert.exe.
  • A new cert is generated for each site the user visits.
  • Using HttpWebRequest to proxy traffic.
  • Interceptor gives you the ability to tamper with traffic. i.e. replace ‘cyber’ with ‘kittens’ on websites.
  • Need local admin to run this.

Egypt – More New Shiny in the Metasploit Framework
  • Egypt brought up the fact that Metasploit should be used for more than just exploits.
  • Posix Meterpreter.
  • Meterpreter has better thread management now.
  • Incognito v2 – Support for 2008+ systems
  • Clipboard management in Meterpreter now. Can steal clipboard data. “clipboard monitor” can be used to get a stream of items copied to the clipboard.
  • ROPDB – Produce ROP chains in Metasploit
  • jsobfu repo – Javascript Obfuscation tool
  • Some of the Android post-exploitation modules allow you to steal SMS messages.
  • PJL (Printer Job Language) – HP’s language for talking to printers. Some printers allow for the download of print jobs.
  • Reverse HOP – HTTP shells, pivot using HTTP only.

Wartortell – Shellcode Time: Come on Grab Your Friends
  • – site for shellcode gen
  • wartorshell – Tool that allows for shellcode gen, and may be a good tool to assist in building CTF challenges.

Brandon Perry – i r web app hacking (and so can you!)
  • Download trial virtual appliances to test against.
  • Set up a SOAP environment to test against.
  • Run SQLMap against SOAP Restful API’s / WSDL’s
  • Brandon mentioned that Java XML API’s are almost always vulnerable to XXE
  • Brandon demoed an exploit he wrote for F5 iControl systems. He mentioned he disclosed it to them back in February and it still hasn’t been fixed.

Mick Douglas – powercat
  • Powershell based version of Netcat.
  • Luke Baggett has helped with a PowerShell v3 version.
  • Having issues on v2 with synchronous vs. asynchronous connections.

Joff Thyer – Macro Malware Lives! – Putting the sexy back into MS-Office document macros
  • Joff gave an example of a MS Word doc containing a malicious macro. When launched it runs a PowerShell script to inject Meterpreter into memory.
  • Joff demoed his tool that automates macro creation called PSploitGen.

Kali Linux Dojo – The Ultimate Hardware Backdoor
  • Kali Linux + Raspberry Pi + LCD display with push buttons (Adafruit i2c 16x2 RGP LCD Pi Plate).
  • Python script displays multiple commands.
  • Kali sly-pi.
  • Current script sets a static IP.

Day Three Talks
Brady Bloxham – Getting Windows to Play with Itself: A Pen Testers Guide to Windows API Abuse
  • Throwback – HTTP/s Beaconing Implant. DLL on compromised system looks to a URL we control for commands.

Paul Coggin – Bending and Twisting Networks
  • SNMPBlow – Spoof IP Addresses in SNMP attacks, grab router configs.
  • Routemap – use to override route tables.
  • DLSw tunneling exfil via IPv6.
  • DHCP Option 82.
  • OSPF Tools – Quagga, NRL (Naval Research Lab) Core, Nemesis, Loki.
  • Recommends Netflow & Solarwinds Kiwi for protection.

Jim Wojno – Ok – so you’ve been pwned – now what?

  • IOCEditor – Write custom indicators of compromise rules to run through Redline.
  • PE Studios – Tool to help quickly perform static analysis of a binary.

Martin Bos and Eric Milam – What to expect when you’re expecting…a pentest
  • Prep your organization before getting a pentest. We shouldn’t be able to find MS08-067 on your network.
  • Make sure the customer knows the difference between a vuln assessment and a pentest.

Deral Heiland and Matthew Kienow - Simple Network Management Pwnd
  • They wrote a few different SNMP Metasploit modules that can be used to access sensitive items. i.e. Netopia WPA key exposure.
  • One example they gave was to look at SNMP logs. Sometimes they may contain sensitive data like passwords. They demoed it by typing their password in the username field of a telnet login. Through SNMP they were able to look at a log that showed a failed login for “their password”.