Whitepapers

Articles

Friendly Traitor: Our Software wants to kill us

This presentation series covers flawed features in many applications and devices that we use every day. From Adobe Flash to Verizon’s MiFi devices, we have found features that can be abused trivially, yet often with disastrous results.

 

Advanced Metering Infrastructure Attack Methodology

This paper describes an attack framework designed by InGuardians to evaluate the security of AMI technology. Intended for use by vendors creating AMI products and customers testing their technology, this framework seeks to provide guidance to engineers charged with assessing and attacking the security of AMI technology. Developed in conjunction with the AMI-SEC Task Force (part of the UCA International Users Group), this methodology represents the standard security analysis framework for AMI technology and related systems.

 

KillerBee: Practical ZigBee Exploitation Framework

Josh Wright debuts KillerBee: an attack framework designed to explore vulnerabilities in ZigBee and wireless sensor networks. In this presentation, Josh examines how ZigBee technology interacts with the kinetic world in scary ways, exploring vulnerabilities in the ZigBee protocol and opportunities to exploit these deficiencies.

 

Smart Grid AMI Security Concerns

Josh Wright and Matthew Carpenter release a presentation on Smart Grid security. Smart Grid and Advanced Metering Infrastructure technologies hold great promise for modernizing the power grid. However, they may also introduce security vulnerabilities with potentially significant ramifications, ranging from billing fraud to widespread sabotage. In this presentation, Industrial Defender and InGuardians discuss security issues associated with various components of the Smart Grid. We address attack vectors and scenarios, highlighting defensive strategies and tactics that organizations can apply to mitigate risks. We also look at industry initiatives to help standardize secure and resilient deployments.

 

SANS SCADA Summit Presentations

Matt Carpenter releases two presentations on SCADA! Matthew Carpenter recently participated in two keynote panels at the SANS SCADA Summit, where he gave a turbo-talk-style overview of hacking Advanced Metering Infrastructure (AMI) and the principles of penetration testing in the AMI space. Slides for both presentations, as well as a formal response to a question posed at the summit (“How do we fix it?”), are linked below.

SANS SCADA Pentesting Presentation

SANS SCADA Hacking AMI Presentation

SANS SCADA Summit Keynote Q & A

Ed Skoudis and Frank Kim release a great paper on application security.

Increasingly, computer attackers are exploiting flaws in Web applications, exposing enterprises to significant threats, including Personally Identifiable Information breaches and uploads of malware onto vulnerable corporate Websites for distribution to customer browsers. Many of these Web application vulnerabilities are a direct result of improper input validation and output filtering, which leads to numerous kinds of attacks, including cross-site scripting (XSS), SQL injection, command injection, buffer overflows and many others. This article describes some of the best defenses against such attacks, which every Web application developer should master.
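The paper’s two core defenses side by side, as an added example that is not from the Skoudis/Kim article: an allow-list input check, a query built by string concatenation next to its parameterized replacement, and raw versus HTML-encoded output. The users table, its two rows and all function names are constructed for this demo.

```python
"""Input validation, parameterized queries and output encoding, demonstrated
with an in-memory SQLite database. Added example; the table, rows and helper
names are constructed for the demo, not taken from the paper."""
import html
import re
import sqlite3

# Positive (allow-list) validation: only accept what a username can look like.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def validate_username(name):
    """Reject any input that is not a plausible username (allow-list, not block-list)."""
    if not USERNAME_RE.match(name):
        raise ValueError("invalid username")
    return name


def make_db():
    """Constructed sample data: two users with a 'secret' column to protect."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cr3t"), ("bob", "hunter2")])
    return conn


def lookup_vulnerable(conn, name):
    # Deliberately injectable: attacker-controlled text becomes part of the SQL.
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    # Parameter binding: the driver sends 'name' as data, so it can never be parsed as SQL.
    return conn.execute("SELECT name, secret FROM users WHERE name = ?",
                        (name,)).fetchall()


def render_vulnerable(name):
    # Reflects input straight into HTML: a <script> tag in 'name' runs in the victim's browser.
    return "<p>Hello, " + name + "</p>"


def render_hardened(name):
    # Contextual output encoding for an HTML text node (quote=True also covers attribute values).
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # dumps every row
    print("hardened:  ", lookup_hardened(db, payload))     # no row matches the literal string
    print(render_hardened("<script>alert(1)</script>"))
```

The injection payload above is the classic tautology; the hardened lookup returns nothing for it because the whole string is compared as a value. Validation is kept separate from encoding on purpose: a legitimate value that passes the allow-list still has to be encoded for the context it is emitted into.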

 

Mike Poor’s webcast slides: Pillage the village!

Mike Poor gives a Core-sponsored webcast titled “Pillage the Village: Pilfering & Plundering for Better Penetration Tests.” This one-hour presentation covers using sniffers and pilfering techniques during a penetration test to gain further access. Sure, sniffing passwords off the wire is good… but how about stealing the RSA seed file? Pulling SSL certs and passphrases? “Sniffing” memory?

Ed Skoudis releases 3 new awesome cheat sheets!

Ed Skoudis releases 3 new cheat sheets for the most useful Windows command-line tools, Netcat, and other useful attack tools (Metasploit, Fgdump, and Hping). Get ’em while they’re hot!

Windows Command Line Tools

Super Netcat Cheat Sheet

Useful Attack Tools

Josh Wright releases article: Decrypting Debian-Vulnerable SSH Traffic

Josh’s favorite security flaw from 2008 is the Debian OpenSSL vulnerability. Lots of analysis work has been done to understand the ramifications of this flaw, interesting because the effect of the flaw lasts long after vulnerable systems have been patched. Full recovery requires that all keys generated on a vulnerable system be replaced.

Pen Test Perfect Storm Trilogy – Part 2!!!

InGuardians is pleased to announce the release of the slides from Part 2 of the Pen Testing Perfect Storm webcast trilogy, featuring the return of SANS Pen Testing swashbucklers Ed Skoudis, Josh Wright and Kevin Johnson.

Covering network, web app and wireless pen testing techniques, the second installment of the Perfect Storm trilogy focuses on assessing the enterprise-wide fallout from a seemingly innocuous endpoint compromise, including how an exposed low-level Windows Vista box can quickly open the hatch to full-scale network subversion.

During the webcast, you’ll learn how to proactively test your network’s vulnerability to sinking at the hands of a Client-Side Mutiny, and how to emulate what can happen after the initial compromise, including:

discovering wireless devices from exploited hosts with Josh Wright’s newly released VistaRFMON

scanning and exploiting web applications with w3af

exploiting systems with Metasploit’s integrated pass-the-hash functionality

Building on the premise that cyber threats don’t exist in a vacuum, the Perfect Storm webcast series presents tips for replicating real-world attacks that traverse multiple layers of infrastructure using combined network, web app, and wireless attack techniques.

Pen Test Perfect Storm Trilogy – Part 1

The Pen Testing Perfect Storm webcast series brings you a deluge of security assessment tactics and strategies from the combined forces of three penetration testing experts:

Kevin Johnson: web guru and senior security analyst
Josh Wright: wireless wizard and senior security researcher
Ed Skoudis: network security penetration tester

This trio of experts will show you how to assess an organization’s real business risks by taking a holistic, comprehensive look at your information security – just as determined and skilled attackers do in the wild. You’ll learn techniques for safely replicating chains of threats that can pivot throughout your infrastructure, including:

Web — SQL injection, cross-site scripting, remote file inclusion, etc.

Wireless — wireless LAN discovery, crypto and protocol attacks, client duping, etc.

Network — port scanning, service compromise, client-side exploitation, etc.

This webcast series is ideal for anyone seeking to go beyond point-focused, “tunnel-vision” assessments to real-world penetration testing – mimicking the sophisticated, multi-staged threats that pose the most significant information security risks to organizations today.

Secrets of America’s Top Pentesters

Authored by Co-Founder and senior security analyst Ed Skoudis, this presentation covers some little-known but extremely helpful technical and procedural tips for maximizing the effectiveness of pen tests. These secrets can help testers save huge amounts of time, improve the likelihood of successful compromise, and lower the chance of negatively impacting target systems during a test. Based on experiences learned from in-the-trenches tests by a dozen pen testers over the past year, Ed examines crucial secrets associated with scanning, password attacks, exploitation, and many other aspects that readers will be able to apply immediately in their own penetration testing regimen.

Vista Wireless Power Tools for the Penetration Tester

By Josh Wright. This paper is designed to illustrate the Vista tools useful for wireless penetration testing, in a format designed to be easy to read and to use as a learning tool. Modeled after the timeless “Unix Power Tools” by Shelley Powers et al., this paper presents several “article-ettes” describing the requirements, Vista features and solutions for challenges faced by a penetration tester attacking wireless networks. This paper also presents two new tools, vistarfmon and nm2lp, both available on the InGuardians Tools page.

IDS Deployment on Switched Networks Using Taps

By Brian Laing and Jimmy Alderson. This how-to guide demonstrates how to scale IDS on a large network or ambiguous perimeter using network taps, comparing this to prior methods using network hubs and switch SPAN ports.

Research

Client-side Vulnerability Assessment and IPS: ToorCon, ShmooCon and NAISG talk by Jay Beale

Network Early Warning Systems: SANSFIRE Keynote on Early Warning Systems by Mike Poor

Complex Signatures: Correlating System and Application Logs with Traffic Traces and IDS Alerts by Mike Poor

Packet Craft for Defense in Depth: Learning to use packet crafting tools to test our defenses by Mike Poor

Snort GUIs: Exploring the ins and outs of Snort front ends by Mike Poor

Load Balancing IDS: By Brian Laing and Jimmy Alderson


InGuardians routinely creates tools in the course of our work. We make many of these tools available for free, without warranty, to you. 🙂 Enjoy!

Tool: WeaponizedFlash.as

Find it on GitHub at: WeaponizedFlash

Kevin Johnson and Mike Poor released this weaponized flash action script, as part of their “Friendly Traitor: Our software wants to kill us” presentation series.

Tool: ssh_decoder.rb 

Link: ssh_decoder.rb

Josh Wright has an article on decrypting SSH sessions affected by the 2008 Debian OpenSSL vulnerability, with helpful hints on how to do it and some patches to publicly available tools to make them work even better.
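Why a capture of such a session can be decrypted at any later date, as an added example that is neither Josh’s article nor ssh_decoder.rb: Debian’s broken OpenSSL PRNG (CVE-2008-0166) had no entropy source left but the process ID, so a Diffie-Hellman private exponent generated on an affected host is one of at most 32768 values, and an attacker holding the two public values from the key exchange can simply try them all. The PRNG below is a hash of the PID standing in for the real OpenSSL state, the group is the Curve25519 prime used as a plain multiplicative group, and the key derivation and cipher are simplified stand-ins for SSH’s; the real decoder reproduces the actual OpenSSL output and the real protocol derives keys from the shared secret together with the exchange hash.

```python
"""Brute-forcing a PID-seeded Diffie-Hellman exponent to recover a recorded
session's key. Added example: the PRNG, KDF and cipher are stand-ins chosen so
the attack runs offline, not the real OpenSSL or SSH code."""
import hashlib

P = 2**255 - 19     # toy group modulus (the Curve25519 prime); SSH used 1024-2048 bit groups
G = 2
PID_MAX = 32768     # pid_t range on the affected systems: the whole "key space"


def weak_random(pid, nbytes=16):
    """Stand-in for the crippled PRNG: its output depends on nothing but the pid."""
    return hashlib.sha256(b"prng:" + pid.to_bytes(4, "big")).digest()[:nbytes]


def weak_exponent(pid):
    return int.from_bytes(weak_random(pid), "big")


def dh_public(x):
    return pow(G, x, P)


def derive_key(shared):
    """Stand-in KDF; real SSH mixes in the exchange hash H as well."""
    return hashlib.sha256(b"kex:" + shared.to_bytes(32, "big")).digest()


def keystream_xor(key, data):
    """Stand-in for the negotiated cipher: XOR with a hash-derived keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


# The non-Debian peer uses a properly random exponent; fixed here so the demo is deterministic.
STRONG_SERVER_EXPONENT = int.from_bytes(
    hashlib.sha256(b"non-debian server exponent, fixed for determinism").digest(), "big")


def simulate_session(client_pid, plaintext):
    """Produce what a sniffer sees: both public values and the encrypted payload."""
    x_c, x_s = weak_exponent(client_pid), STRONG_SERVER_EXPONENT
    client_pub, server_pub = dh_public(x_c), dh_public(x_s)
    shared = pow(server_pub, x_c, P)
    assert shared == pow(client_pub, x_s, P)
    return server_pub, client_pub, keystream_xor(derive_key(shared), plaintext)


def recover_exponent(public_value):
    """Try every pid-seeded exponent until one reproduces the captured public value."""
    for pid in range(1, PID_MAX):
        x = weak_exponent(pid)
        if dh_public(x) == public_value:
            return pid, x
    return None


def decrypt_capture(server_pub, client_pub, ciphertext):
    """Offline decryption from the recorded key exchange alone: no host access needed."""
    found = recover_exponent(client_pub)
    if found is None:
        return None
    _pid, x_c = found
    shared = pow(server_pub, x_c, P)
    return keystream_xor(derive_key(shared), ciphertext)


if __name__ == "__main__":
    s_pub, c_pub, ct = simulate_session(4242, b"password: hunter2")
    print("recovered pid/exponent:", recover_exponent(c_pub)[0])
    print("plaintext:", decrypt_capture(s_pub, c_pub, ct))
```

Only the values that went over the wire are used by decrypt_capture, which is the point Josh makes about the flaw outliving the patch: a capture taken while either peer was running the bad library stays decryptable forever, and the only real fix is replacing every key that library generated.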

Tool: wlan2eth

Article Link: wlan2eth

wlan2eth is a simple tool to convert packet captures in 802.11 format to Ethernet format. Lots of tools can only understand Ethernet link types, so I wrote this tool to convert captures to a format that they can understand. For each packet in an input 802.11 capture file, wlan2eth examines the frame control field to ensure it is a data frame, then creates a new output packet with an appropriate Ethernet header (the source and destination addresses are taken from the 802.11 header and the embedded protocol field from the 802.2 LLC/SNAP header). Timestamps are also preserved from the original capture. This tool is really only useful for unencrypted traffic, since the body of a protected frame is ciphertext; for an encrypted capture, first decrypt it with a tool such as airdecap-ng, then convert the unencrypted output file to Ethernet format.
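The conversion described above, written out as an added example (not Josh’s wlan2eth source): read a classic pcap with link type 105 (IEEE 802.11), keep only unprotected data frames, pick DA and SA from the right address fields according to the To-DS/From-DS bits, take the EtherType from the LLC/SNAP header, and write the result as a link type 1 (Ethernet) pcap with the original timestamps. The three-frame sample capture at the bottom is constructed in code; it contains a beacon and a protected frame so the drop logic is exercised.

```python
"""wlan2eth-style conversion of an 802.11 pcap to an Ethernet pcap. Added
example, not the original tool; the sample capture is constructed inline."""
import struct

DLT_EN10MB, DLT_IEEE802_11 = 1, 105
SNAP_HDR = b"\xaa\xaa\x03\x00\x00\x00"   # LLC/SNAP: DSAP, SSAP, control, OUI


def read_pcap(blob):
    """Parse a little-endian classic pcap into (linktype, [(sec, usec, data), ...])."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", blob[:24])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap handled here")
    records, off = [], 24
    while off + 16 <= len(blob):
        sec, usec, incl, _orig = struct.unpack("<IIII", blob[off:off + 16])
        records.append((sec, usec, blob[off + 16:off + 16 + incl]))
        off += 16 + incl
    return linktype, records


def write_pcap(linktype, records):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for sec, usec, data in records:
        out.append(struct.pack("<IIII", sec, usec, len(data), len(data)) + data)
    return b"".join(out)


def wlan_to_eth(frame):
    """Return an Ethernet frame for an unprotected 802.11 data frame, or None to drop it."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 3, fc0 >> 4
    to_ds, from_ds, protected = fc1 & 0x01, fc1 & 0x02, fc1 & 0x40
    # Keep only data frames that carry a body: drop management/control frames,
    # null-data subtypes (subtype bit 2) and anything with the Protected bit set.
    if ftype != 2 or subtype & 0x4 or protected:
        return None
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    hdr_len = 24
    if to_ds and from_ds:        # WDS: addr3 = DA, addr4 = SA
        da, sa, hdr_len = a3, frame[24:30], 30
    elif to_ds:                  # STA -> AP: addr1 = BSSID, addr2 = SA, addr3 = DA
        da, sa = a3, a2
    elif from_ds:                # AP -> STA: addr1 = DA, addr2 = BSSID, addr3 = SA
        da, sa = a1, a3
    else:                        # IBSS: addr1 = DA, addr2 = SA, addr3 = BSSID
        da, sa = a1, a2
    if subtype & 0x8:            # QoS data: 2-byte QoS Control field follows the addresses
        hdr_len += 2
    body = frame[hdr_len:]
    if not body.startswith(SNAP_HDR):
        return None              # no LLC/SNAP, so no EtherType to recover
    ethertype, payload = body[6:8], body[8:]
    return da + sa + ethertype + payload


def convert(blob):
    """Convert an 802.11 pcap to an Ethernet pcap; returns (pcap_bytes, frames_dropped)."""
    linktype, records = read_pcap(blob)
    if linktype != DLT_IEEE802_11:
        raise ValueError("input is not a DLT_IEEE802_11 capture")
    kept = []
    for sec, usec, data in records:
        eth = wlan_to_eth(data)
        if eth is not None:
            kept.append((sec, usec, eth))     # timestamps carried over unchanged
    return write_pcap(DLT_EN10MB, kept), len(records) - len(kept)


def build_sample_capture():
    """Constructed capture: a beacon, a cleartext To-DS data frame, and the same frame with the Protected bit set."""
    bssid, sta, gw = bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff"), bytes.fromhex("00deadbeef01")
    body = SNAP_HDR + b"\x08\x00" + b"\x45\x00\x00\x14" + b"\x00" * 16   # EtherType IPv4 + dummy IPv4 header
    data = bytes([0x08, 0x01]) + b"\x00\x00" + bssid + sta + gw + b"\x10\x00" + body
    beacon = bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00" + b"\x00" * 12
    encrypted = bytes([0x08, 0x41]) + data[2:]
    return write_pcap(DLT_IEEE802_11, [(1, 0, beacon), (1, 500, data), (2, 0, encrypted)])


if __name__ == "__main__":
    out, dropped = convert(build_sample_capture())
    print("ethernet pcap bytes:", len(out), "frames dropped:", dropped)
```

The Protected-bit check is what makes the “unencrypted traffic only” caveat concrete: a WPA or WEP data frame still parses as a data frame, but its body after the header is ciphertext with no LLC/SNAP to read, so it is dropped rather than emitted as garbage Ethernet. Captures that include the trailing FCS, or radiotap/PPI link types, would need the extra bytes stripped first; this example assumes bare 802.11 frames.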

Tool: VistaRFMON

GitHub Link: vistarfmon

Monitor mode is a valued feature for both the wireless penetration tester and the security analyst. It allows the penetration tester to disconnect from a network and capture all frames in the air with full IEEE 802.11 headers and associated detail. By cycling through the channels supported by the wireless adapter, it is possible to capture detailed information for wireless network discovery and analysis purposes. On Windows, this was previously limited to commercial drivers. vistarfmon uses Vista’s Wireless LAN API (wlanapi) to help the penetration tester leverage all the power of monitor mode. You can read more about vistarfmon in Josh Wright’s “Vista Wireless Power Tools for the Penetration Tester” paper.

Tool: nm2lp (NetMon to LibPcap)

GitHub Link: nm2lp

While the NetMon UI has powerful features for analyzing packet captures, few attack tools include the ability to natively read the NetMon stored capture file format. In order to leverage tools such as Aircrack-ng, coWPAtty and Cain for wireless analysis, the capture file format needs to be libpcap-compatible. Some tools such as Wireshark support reading and converting NetMon Ethernet captures, but do not correctly interpret NetMon wireless captures. Fortunately, the NetMon API allows developers to write custom applications that interpret data from NetMon stored captures. Combined with the ability to create a libpcap capture file, it is possible to convert a NetMon file to a libpcap file. nm2lp converts NetMon wireless captures to libpcap format, making them usable in these other tools. You can read more about nm2lp in Josh Wright’s “Vista Wireless Power Tools for the Penetration Tester” paper.

External Tool: Microsoft’s Wlsample tool for Windows Vista

GitHub Link: Wlsample

Microsoft included a tool called “wlsample.exe” with the Windows Software Development Kit (SDK) for Windows Server 2008. This program allows a penetration tester to connect to a network without generating a saved profile. Microsoft has released source code for this tool and cleared it for public redistribution. Josh Wright references Wlsample in section 3.3 of his “Vista Wireless Power Tools for the Penetration Tester” paper.

Project: Yokoso!

URL: yokoso.inguardians.com

Yokoso! is a project focused on creating fingerprinting code that is deliverable through some form of client-side attack. This can be used during penetration tests that combine network and web application testing. One of the most common questions we hear is “so what can you do with XSS?”, and we hope that Yokoso! answers that question. We will create JavaScript and Flash objects that can be delivered via XSS attacks. These code payloads will contain the fingerprinting logic used to map out a network and the devices and software it contains.

Project: Samurai

URL: samurai.inguardians.com

The Samurai Web Testing Framework is a live Linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.

Project: ServifyThis

GitHub URL: ServifyThis

InGuardians’ ServifyThis program takes any Windows executable and converts it into a form suitable for use as a Windows service. Read more about this on the ServifyThis page.

Video

InGuardians YouTube Channel: interviews, presentations, tools and how-tos.

Security Weekly Episode #400 Mike Poor talks about Intrusion Detection, Incident Response and more.

Security Weekly Episode #454 InGuardians talk about perimeter protection.

Security Weekly Episode #436 Passwords cracking with Larry Pesce.


Audio 

Brakeing Down Security 2016-026 Jarrod Frates talks about pentesting, security assessments and more.

Brakeing Down Security 2016-029 Adam Crompton and Tyler Robinson talk about what a company should do to protect itself against data exfiltration.

Security Weekly Episode #264 Part 1 Mike Poor talks about IDS, “smart firewalls” and more.


Nessus Network Auditing by Jimmy Alderson, Jay Beale, et al

Ethereal Packet Sniffing by Jay Beale, et al

Nessus, Snort, & Ethereal Power Tools: Customizing Open Source Security Applications by Jay Beale, et al

Red Hat Linux Internet Server by Jay Beale, et al

Stealing The Network: How to Own a Continent by Jay Beale, et al

Stealing The Network: How to Own an Identity by Jay Beale, et al

Unix Unleashed by Jay Beale, et al

Snort 2.1 by Mike Poor, Jay Beale, et al

Counter Hack by Ed Skoudis

Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses by Ed Skoudis and Tom Liston

Malware: Fighting Malicious Code by Ed Skoudis and Lenny Zeltser

Applied Network Security Monitoring: Collection, Detection, and Analysis by Chris Sanders

Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems by Chris Sanders


* All links are non-affiliated