This presentation series covers flawed features in many applications and devices that we use every day. From Adobe Flash to Verizon’s MiFi devices, we have found features that can be abused in a trivial nature, yet often with disastrous results.
This paper describes an attack framework designed by InGuardians to evaluate the security of AMI technology. Intended for use by vendors creating AMI products and customers testing their technology, this framework seeks to provide guidance to engineers charged with assessing and attacking the security of AMI technology. Developed in conjunction with the AMI-SEC Task Force (part of the UCA International Users Group), this methodology represents the standard security analysis framework for AMI technology and related systems.
Josh Wright debuts KillerBee: an attack framework designed to explore vulnerabilities in ZigBee and wireless sensor networks.In this presentation, Josh examines how ZigBee technology interacts with the kinetic world in scary ways, exploring vulnerabilities in the ZigBee protocol and opportunities to exploit these deficiencies.
Josh Wright and Matthew Carpenter release a presentation on Smart Grid Security. Smart Grid and Advanced Metering Infrastructure technologies hold great promise for modernizing the power grid. However, they may also introduce security vulnerabilities with potentially significant ramifications ranging from billing fraud to widespread sabotage. In this presentation, Industrial Defender and InGuardians discuss security issues associated with various components of the Smart Grid. We will address attack vectors and scenarios, highlighting defensive strategies and tactics that organizations can apply to mitigate risks. We will also look at industry initiatives to help standardize secure and resilient deployments
SANS SCADA Summit Presentations
Matt Carpenter releases two presentations on SCADA!Matthew Carpenter recently participated in two keynote panels at the SANS SCADA Summit, where he gave a turbo-talk-style overview of hacking Advanced Metering Infrastructure (AMI) and the principles of penetration-testing in the AMI space. Click here for Slides for both presentations as well as a formal response to a question posed at the summit: “How do we fix it?”…
Increasingly, computer attackers are exploiting flaws in Web applications, exposing enterprises to significant threats, including Personally Identifiable Information breaches and uploads of malware onto vulnerable corporate Websites for distribution to customer browsers. Many of these Web application vulnerabilities are a direct result of improper input validation and output filtering, which leads to numerous kinds of attacks, including cross-site scripting (XSS), SQL injection, command injection, buffer overflows and many others. This article describes some of the best defenses against such attacks, which every Web application developer should master.
Mike Poor gives a Core sponsored webcast Titled: Pillage the Village. Pilfering & Plundering for better Penetration Tests. This one hour presentation covers using sniffers and pilfering techniques during a penetration test to gain further access. Sure, sniffing passwords off the wire is good… but how about stealing the RSA seed file? Pulling SSL certs and passphrases. “Sniffing” memory?
Ed Skoudis releases 3 new awesome cheet sheets!
Ed Skoudis releases 3 new cheat sheets for the most useful Windows command-line tools, Netcat, and other useful attack tools (Metasploit, Fgdump, and Hping). Get ’em while they are hot!
Josh’s favorite security flaw from 2008 is the Debian OpenSSL vulnerability. Lots of analysis work has been done to understand the ramifications of this flaw, interesting because the effect of the flaw lasts long after vulnerable systems have been patched. Full recovery requires that all keys generated on a vulnerable system be replaced.
InGuardians is pleased to announce the release of the slides from Part 2 of the Pen Testing Perfect Storm webcast trilogy – featuring the return of SANS Pen Testing swashbucklers Ed Skoudis, Josh Wright and Kevin Johnson.Covering network, web app and wireless pen testing techniques, the second installment of Perfect Storm trilogy focuses on assessing the enterprise-wide fallout from a seemingly innocuous endpoint compromise – including how an exposed low-level Windows Vista box can quickly open the hatch to full-scale network subversion.During the webcast, you’ll learn how to proactively test your network’s vulnerability to sinking at the hands of a Client-Side Mutiny – and how to emulate what can happen after the initial compromise, including: discovering wireless devices from exploited hosts with Josh Wright’s newly released VistaRFMON scanning and exploiting web applications with w3af exploiting systems with Metasploit’s integrated pass-the-hash functionality Building on the premise that cyber threats don’t exist in a vacuum, the Perfect Storm webcast series presents tips for replicating real-world attacks that traverse multiple layers of infrastructure using combined network, web app, and wireless attack techniques.
The Pen Testing Perfect Storm webcast series brings you a deluge of security assessment tactics and strategies from the combined forces of three penetration testing experts:
Kevin Johnson: web guru and senior security analyst
Josh Wright: wireless wizard and senior security researcher
Ed Skoudis: network security penetration tester
This trio of experts will show you how to assess an organization’s real business risks by taking a holistic, comprehensive look at your information security – just as determined and skilled attackers do in the wild. You’ll learn techniques for safely replicating chains of threats that can pivot throughout your infrastructure, including:
Web — SQL injection, cross-site scripting, remote file inclusion, etc.
Wireless — wireless LAN discovery, crypto and protocol attacks, client duping, etc.
Network — port scanning, service compromise, client-side exploitation, etc.
This webcast series is ideal for anyone seeking to go beyond point-focused, “tunnel-vision” assessments to real-world penetration testing – mimicking the sophisticated, multi-staged threats that pose the most significant information security risks to organizations today.
Authored by Co-Founder and senior security analyst Ed Skoudis, this presentation covers some little-known but extremely helpful technical and procedural tips for maximizing the effectiveness of pen tests. These secrets can help testers save huge amounts of time, improve the likelihood of successful compromise, and lower the chance of negatively impacting target systems during a test. Based on experiences learned from in-the-trenches tests by a dozen pen testers over the past year, Ed examines crucial secrets associated with scanning, password attacks, exploitation, and many other aspects that readers will be able to apply immediately in their own penetration testing regimen.
By Josh Wright.This paper is designed to illustrate the Vista tools useful for wireless penetration testing, the format of which is designed to be easy to read and utilize as a learning tool. Designed after the timeless work of “Unix Power Tools” by Sherry Powers, et al, this paper presents several “article-ettes” describing the requirements, Vista features and solutions for challenges faced by a penetration tester attacking wireless networks.This paper also presents two new tools, vistarfmon and nm2lp, both available on the InGuardians Tools page.
By Brian Liang and Jimmy Alderson. This How-to Guide demonstrates how to scale IDS on a large network or ambiguous perimeter using network taps, comparing this to prior methods using network hubs and switch spanning ports.
Client-side Vulnerability Assessment and IPS: ToorCon, ShmooCon and NAISG talk by Jay Beale
Network Early Warning Systems: SANSFIRE Keynote on Early Warning Systems by Mike Poor
Complex Signatures: Correlating System and Application Logs with Traffic Traces and IDS Alerts by Mike Poor
Packet Craft for Defense in Depth: Learning to use packet crafting tools to test our defenses by Mike Poor
Snort GUIs: Exploring the ins and outs of Snort front ends by Mike Poor
Load Balancing IDS: By Brian Laing and Jimmy Alderson
InGuardians routinely creates tools in the course of action. We make many of these tools available for free, without warranty, to you. 🙂 Enjoy!
Find it on GitHub at: WeaponizedFlash
Josh Wright has an article on decrypting SSH sessions based on the 2008 Debian OpenSSH vulnerability, with helpful hints on how to do it, and some patches to publicly available tools to make them work even better.
Article Link: wlan2eth
Wlan2eth is a simple tool to convert packet captures in 802.11 format to Ethernet format. Lots of tools can only understand Ethernet link types, so I wrote this tool to convert captures to a format that they can understand. For each packet in an input 802.11 capture file, wlan2eth examines header values to ensure it is a data frame, then it creates a new output packet with an appropriate Ethernet header (source and destination address and embedded protocol field are preserved from the 802.11/802.2 header). Timestamps are also preserved from the original capture. This tool is really only useful for encrypted traffic, though you could use it with a tool such as airdecap-ng to decrypt an encrypted capture first, then convert the unencrypted output file to Ethernet format.
GitHub Link: vistarfmon
Monitor mode is a valued feature for both the wireless penetration tester and security analyst. It allows the penetration tester to disconnect from a network and capture all frames in the network with full IEEE 802.11 headers and associated detail. By cycling through multiple channels supported on the wireless adapter, it is possible to capture detailed information for wireless network discovery and analysis purposes. On Windows, this was previously limited to commercial drivers. vistarfmon uses Vista’s Wireless LAN API (wlanapi) to help the penetration tester leverage all the power of monitor mode.You can read more about vistarfmon in Josh Wright’s “Vista Wireless Power Tools for the Penetration Tester” paper.
Tool: nm2lp (NetMon to LibPcap)
GitHub Link: nm2lp
While the NetMon UI has powerful features for analyzing packet captures, few attack tools include the ability to natively read from the NetMon stored capture file format. In order to leverage tools such as Aircrack-ng, coWPAtty and Cain for wireless analysis, the capture file format needs to be libpcap- compatible. Some tools such as Wireshark support reading and converting NetMon Ethernet captures, but do not correctly interpret NetMon wireless captures.Fortunately, the NetMon API allows developers to write custom applications and interpret data from NetMon stored captures. Combined with the ability to create a libpcap capture file, it is possible to convert the NetMon file to a libpcap file. nm2lp converts NetMon wireless captures to libpcap format, making them useful in these other tools.You can read more about nm2lp in Josh Wright’s “Vista Wireless Power Tools for the Penetration Tester” paper.
External Tool: Microsoft’s Wlsample tool for Windows Vista
GitHub Link: Wlsample
Microsoft included a tool called “wlsample.exe” with the Windows Software Development Kit (SDK) for Windows Server 2008. This program allows a penetration tester to connect to a network without generating a saved profile. Microsoft has released source code for this tool and cleared it for public redistribution.Josh Wright references Wlsample in section 3.3 of his “Vista Wireless Power Tools for the Penetration Tester” paper.
Project: YokosoURL: yokoso.inguardians.com
Project: SamuraiURL: samurai.inguardians.com
The Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.
GitHub URL: ServifyThis
InGuardians’ ServifyThis program takes any Windows executable and converts it into a form suitable for use as a Windows service. Read more about this on the ServifyThis page.
InGuardians YouTube Channel Interviews, presentations, tools and how-tos.
Security Weekly Episode #400 Mike Poor talks about Intrusion Detection, Incident Response and more.
Security Weekly Episode #454 InGuardians talk about perimeter protection.
Security Weekly Episode #436 Passwords cracking with Larry Pesce.
Brakeing Down Security 2016-026 Jarrod Frates talks about pentest, security assessment and more.
Brakeing Down Podcast 2016-029 Adam Crompton and Tyler Robinson talk about things a company should do to protect themselves against data exfil.
Security Weekly Episode #264 Part 1 Mike Poor talks about IDS, “smart firewalls” and more.
Nessus Network Auditing by Jimmy Alderson, Jay Beale, et al
Ethereal Packet Sniffing by Jay Beale, et al
Red Hat Linux Internet Server by Jay Beale, et al
Stealing The Network: How to Own a Continent by Jay Beale, et al
Stealing The Network: How to Own an Identity by Jay Beale, et al
Unix Unleashed by Jay Beale, et al
Snort 2.1 by Mike Poor, Jay Beale, et al
Counter Hack by Ed Skoudis
Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses by Ed Skoudis and Tom Liston
Malware: Fighting Malicious Code by Ed Skoudis and Lenny Zeltser
* All links are non-affiliated