Showing posts with label Chris Gates. Show all posts

Thursday, September 15, 2011

Where have you been!?

I've been busy... :-(

But I do have some upcoming conference speaking engagements.

So. If you are heading to BruCon, catch me and Joe McCray talk about Pentesting High Security Environments.

If you are heading to DerbyCon, catch me and Rob Fuller talk about The Dirty Little Secrets They Didn't Teach You In Pentesting Class.

Lastly, if you'll be in Switzerland for Hashdays, you can catch me talk about From Low to Pwned.

I'll also be giving a talk at the Management workshop on Information Operations for Management (sorry the info isn't on the site yet but should be here https://www.hashdays.ch/management-session.html at some point).

I'm sure there will be more stuff in November/December; it's just not scheduled yet.

Thursday, October 22, 2009

Attacking Oracle with Metasploit Blackhat USA 2009

Here's my Attacking Oracle with Metasploit Blackhat USA 2009 talk

Attacking Oracle with the Metasploit Framework BH USA 2009 from carnal0wnage on Vimeo.

Wednesday, May 20, 2009

Carnal0wnage will be at BruCon!

I'm happy to announce that I'll be speaking at Brucon in September (18-19) on Open Source Information Gathering.

This is an update to my set of talks last year. After a year of doing OSINT work I've revised the methodology and it should be a pretty good update to the previous talk. I'm planning on focusing a lot on Person/Organization Information Gathering (IG) and should be followed by Chris Nickerson talking about Red and Tiger Team Testing(I call it Full Scope testing) aka putting all the "stuff" we found in my talk to actual use.

Should be a good time. Plus Hoegaarden on tap!

Check the BruCon blog for up-to-date info:
http://blog.brucon.org/

Client-Side Penetration Testing Notacon Edition

Here's the video from the Notacon talk. Audio sucks, sorry...blame the video guy.

Full Scope Security Attacking Layer 8: Client-Side Penetration Testing Notacon '09 Edition from FullScopeSecurity on Vimeo.

Monday, April 20, 2009

Back from Notacon

g0ne and I just got back from presenting on Client-Side Attacks at Notacon. You can check out his write up here. I have pretty much the same things to say.

It was definitely a unique con, especially since it was more "everything tech" versus hardcore security...so like g0ne said we ended up with lots of down time in between talks we were interested in. We spent a bit of time in the lockpick village so that was fun. I usually don't have time to do that stuff because I have talks I want to see.

that's about it...

Up next ChicagoCon in May. I'll also be up there for the Social Engineering Master Class so I'm excited about that.

-CG

Sunday, April 12, 2009

carnal0wnage on Exotic Liability Podcast

Chris Nickerson was kind enough to ask me to join him for his Exotic Liability podcast.

You can check it out here:
http://exoticliability.qb1.libsyn.com/index.php?post_id=453598

Main Exotic Liability Page:
http://www.exoticliability.com/

I had a blast! I'm really looking forward to hearing the rest of the interviews/podcasts. They had some really sharp people come on the show including Mike Murray, Val Smith, Delchi, and Max Caceres.

Next time we'll get Dean in on the call.

Notes from the podcast (or stuff I forgot to mention but should have)

Oracle Demo video from ShmooCon Firetalk
http://www.vimeo.com/3118559

Metasploit Oracle API and some code (still beta)
http://metasploit.com/users/mc/

**requires Oracle Instantclient and rubydbi and probably some other stuff

SOURCE Boston video of Vince's and my client-side talk
http://www.vimeo.com/3665163

Check out Michael Santarcangelo's book on Defending against Breaches, which has a lot to do with educating users, user awareness programs, defending against SE, and handling data breaches....a must read!
http://www.intothebreach.com/

g0ne and I will be giving the client-side talk at NotaCon 6 in April and ChicagoCon in May

Monday, April 6, 2009

Maltego for Network Infrastructure Enumeration

New article on Using Maltego for Network Infrastructure Enumeration posted on EthicalHacker.net


Any organization that has an Internet presence needs to have some form of infrastructure to support their presence. During Infrastructure Enumeration you attempt to discover how much of it exists, what type of infrastructure is used, where it is located, what technology is used and how it is structured. This type of information is interesting for:

* Security assessments (as this is the first and most tedious phase of any external assessment).
* Getting an idea of the organization’s Internet and geographical presence.
* Gaining insight into the technology used by the organization.
* Making connections between seemingly unconnected organizations (as they might be sharing common infrastructure).
* Getting a list of brands or affiliations supported by the organization.

Read the article over on EthicalHacker.net
http://www.ethicalhacker.net/content/view/251/24/

Monday, March 9, 2009

Presentation on Client-Side Attacks at SOURCE Boston

Alright, it's time for SOURCE Boston!

I'm happy to announce that g0ne and I will be there presenting on:

Attacking Layer 8: Client-Side Penetration Testing

We'll be talking about why you should be allowing your penetration testers to use client-side attacks during their assessments, how to use the Metasploit framework to deliver client-side attacks with demos (yes, other tools do CS attacks but we're poor), and some remediations for client-side attacks.

It will be an extra special big day because we'll be presenting as Full Scope Security, our new security consultancy. More on that later.

If you're not going to make it to SOURCE, we will also be at Notacon 16-19 April 09
http://www.notacon.org and ChicagoCon 8-9 May 09 http://www.chicagocon.com

Wednesday, February 4, 2009

New School Information Gathering Toorcon X Edition Video

I ripped the DVD from my talk at Toorcon X on New School Information Gathering.

Should be embedded below.


Toorcon X Gates: New School Information Gathering from carnal0wnage on Vimeo.

Sorry, I don't have other videos and don't know when/if they will ever be released.

Friday, November 21, 2008

Metasploit Adobe util.printf() Client-side Exploit Video

A little video on using the fileformat mixin to exploit the adobe util.printf() vulnerability.

Sorry, no audio. You'll just have to follow along.


Metasploit adobe util.printf() client-side exploit from carnal0wnage on Vimeo.

**P.S. something is jacked on Vimeo and the video is playing 2x too fast. Start the vid, pull the slider back to the beginning and hit play again and it should play at the proper speed. You can also click the link below the video for a bigger view.

Thursday, October 2, 2008

New School Information Gathering ToorconX edition

Here is the outline for my New School Information Gathering talk that I gave at ToorconX.

Open Source Intelligence Gathering (OSINT)
FierceDNS
SEAT/Goolag
Google Mail Harvesters
Metagoofil
Online Tools: ServerSniff/DomainTools/CentralOps/Clez.net/Robtex/Spoke
Tying it all together with Maltego

I hid several slides to get the talk into the 20 minute time frame but you should see them in the posted slide deck.

Slides are available here:
http://www.carnal0wnage.com/research/Carnal-NewSchool-ToorconX.pdf

Comments and feedback are always welcome even though I received nothing back from all the people that emailed me asking for them last time :-(

-CG

Sunday, September 14, 2008

Toorcon X Workshop

As I mentioned before, Joe and I are doing a Crash Course In Pentesting 2 day workshop at ToorconX

http://sandiego.toorcon.org/content/section/4/8/

Here's a piece from the description:

"This course will cover some of the newer aspects of pen-testing covering; Open Source Intelligence Gathering with Maltego and other Open Source tools, Scanning, Enumeration, Exploitation (Both remote and client-side) and Post-Exploitation relying heavily on the features included in the Metasploit Framework. We'll discuss our activities from both the Whitebox and Blackbox approach keeping stealth in mind for our Blackbox activities.

Web Application penetration testing will be covered as well with focus on practical exploitation of cross-site scripting (XSS), cross-site request forgery (CSRF), local/remote file includes, and SQL Injection."

But I wanted to give a few more details.

Day 1 is network level pentesting and Day 2 is web application pentesting.

Network level is mostly my responsibility and I'll be focusing on black box information gathering, client side attacks, and post exploitation. It's hard to cover pentesting in a day, so I'll be talking heavily on client side attacks and how to implement those into your pentests and some of the tools you'll need to do it. A little bit on local/priv escalation attacks that you'll need to do once you have that userland shell and post exploitation. There is also a block on Metasploit and the students will take home a copy of LSO's Metasploit Mini Course.

Web application is Joe's responsibility and it should be really good. We've had a custom web app built with vulnerabilities intentionally built in. So the students will be able to run the tools he is going to discuss and then exploit the vulnerabilities they find. They also get to take the VM home with them.

If you have questions feel free to post up or email me with them.

Thursday, July 17, 2008

Lack of usable emails for your pentest got you down...metagoofil FTW!

Hopefully a useful day in the life of a pentest post...

So there I was, trying to gather emails for our pentest. The only problem is that we were doing an assessment of city.domain.com but all the emails are listed as @domain.com. Just for clarification, searching domain.com for email addresses wouldn't necessarily give me emails that were in scope, so I had to think of something.

First step was some google-fu of "site:city.domain.com + @domain.com" that brought in a few email addresses. Next step was metagoofil. Metagoofil is awesome because it will download MS Office, Open Office, and PDF documents from the domain you specify. It will parse the metadata and give you a list of the usernames in the documents and the path to where the document was saved.

How it works (images from the Edge-Security site):

It downloads the documents to your local computer so you can view them for extra info gathering. It also gives you a nice little HTML page with the results.



After that I took the possible usernames, put them in the proper naming convention for the domain, rocketed off my SE email and crossed my fingers.

The result? Metagoofil for the win! Overall I had about 160 possible email addresses, 20 actually made it to someone's inbox...sad face but not bad considering how I got the possibles.

5 of the 20 opened it :-)
2 were forwarded (meaning the user that opened it was not initially emailed), 1 was from google, and 2 of the 5 were from metagoofil :-)

Not bad if you ask me.
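The metadata-parsing step the post describes is easy to reproduce from the other side of the fence: before documents go on a public web server, read the same author fields metagoofil would harvest and see what they give away. The script below is an added example, not code from this post or from metagoofil. It builds constructed sample documents in memory (a minimal .docx-style zip with a docProps/core.xml and a PDF fragment with an Info dictionary; `build_sample_docx` and `build_sample_pdf` are hypothetical helpers that exist only so the example runs offline), then extracts `dc:creator` / `cp:lastModifiedBy` from OOXML files and `/Author` / `/Creator` from PDFs and reports which files still carry an identity.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used in docProps/core.xml of real OOXML files; the constructed sample
# below mirrors that layout so the parser behaves as it would on a real .docx.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}


def build_sample_docx(creator, last_modified_by):
    """Hypothetical helper: a minimal constructed .docx-style zip (not a real Office file)."""
    core = f'''<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">
  <dc:creator>{creator}</dc:creator>
  <cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>
</cp:coreProperties>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def build_sample_pdf(author):
    """Hypothetical helper: a constructed PDF fragment carrying an Info dictionary."""
    info = f"<< /Author ({author}) /Producer (constructed sample) >>"
    return (b"%PDF-1.4\n1 0 obj\n" + info.encode("latin-1")
            + b"\nendobj\ntrailer\n<< /Info 1 0 R >>\n%%EOF\n")


def extract_docx_metadata(data):
    """Author-related fields an OOXML document carries in docProps/core.xml."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "docProps/core.xml" not in z.namelist():
            return found
        root = ET.fromstring(z.read("docProps/core.xml"))
        for tag, key in (("dc:creator", "creator"),
                         ("cp:lastModifiedBy", "last_modified_by")):
            el = root.find(tag, NS)
            if el is not None and el.text and el.text.strip():
                found[key] = el.text.strip()
    return found


# PDF Info keys that typically name a person or their workstation software.
PDF_INFO_KEYS = {b"/Author": "author", b"/Creator": "creator"}


def extract_pdf_metadata(data):
    """Author/Creator from a PDF Info dictionary. Literal strings only: hex-encoded
    or encrypted strings are not handled, which is a deliberate simplification."""
    found = {}
    for key, name in PDF_INFO_KEYS.items():
        m = re.search(re.escape(key) + rb"\s*\(([^)]*)\)", data)
        if m and m.group(1):
            found[name] = m.group(1).decode("latin-1")
    return found


def audit_documents(docs):
    """docs: iterable of (filename, bytes). Returns {filename: leaked fields} for
    every document that still carries an author identity; clean files are omitted."""
    report = {}
    for name, data in docs:
        lower = name.lower()
        if lower.endswith((".docx", ".xlsx", ".pptx")):
            meta = extract_docx_metadata(data)
        elif lower.endswith(".pdf"):
            meta = extract_pdf_metadata(data)
        else:
            continue  # other types are out of scope for this example
        if meta:
            report[name] = meta
    return report


def identities_found(report):
    """Unique identities across the audited set: the 'list of usernames' the post mentions."""
    return sorted({v for meta in report.values() for v in meta.values()})


if __name__ == "__main__":
    # Constructed sample documents, including one that has been scrubbed.
    sample = [
        ("budget.docx", build_sample_docx("jsmith", "CORP\\jsmith")),
        ("notice.pdf", build_sample_pdf("alice.w")),
        ("clean.docx", build_sample_docx("", "")),
    ]
    report = audit_documents(sample)
    for fname, meta in report.items():
        print(fname, meta)
    print("identities:", identities_found(report))
```

Run it over a directory of files you are about to publish (replace the constructed sample with real bytes read from disk); any name in the report is exactly what a metadata harvester would collect, and `lastModifiedBy` in particular often holds a Windows logon name rather than a display name.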

Thursday, July 3, 2008

Maltego for Information Gathering Part I

The first part of my article on Maltego for Information Gathering is available on EthicalHacker.net

http://www.ethicalhacker.net/content/view/202/24/

"According to their web site, "Paterva invents and sells unique data manipulation software. Paterva is headed by Roelof Temmingh who is leading a light and lethal team of talented software developers." On May 6 2008, they released a new version of a very kewl tool named Maltego.

"Maltego, is an open source intelligence and forensics application. It allows for the mining and gathering of information as well as the representation of this information in a meaningful way. Coupled with its graphing libraries, Maltego, allows you to identify key relationships between information and identify previously unknown relationships between them. It is a must-have tool in the forensics.security and intelligence fields!"

Chris Gates' talk at ChicagoCon 2008s entitled "New School Information Gathering" touched on many tools and techniques. One of the tools he introduced to the audience is Maltego v2. This first in a two part series expands on this new tool with a basic introduction to Maltego followed by step-by-step personal recon tutorials. Part II will focus on infrastructure enumeration with Maltego."

Wednesday, June 25, 2008

Hacker Defender Article in Hakin9 Magazine

It's been a year, might as well release it to everyone else who hasn't bothered to just email me and ask for it :-)

from June 07 issue: http://www.hakin9.org/prt/view/back-issues/issue/690.html

Keep in mind

1. I wrote this over a year ago
&
2. I probably won't be rewriting it, so tailor comments accordingly

Hacker Defender: Rootkit for the Masses -- Link

Friday, May 16, 2008

New School Information Gathering Talk at ChicagoCon


Gave my New School Information Gathering talk at ChicagoCon. I think it went pretty well and I got some good feedback on it afterwards.

Here was the agenda:

Open Source Intelligence Gathering (OSINT)
FierceDNS
SEAT/Goolag
Google Mail Harvesters
Metagoofil
Online Tools
Netcraft/ServerSniff/DomainTools/CentralOps/Clez.net/Robtex
Maltego

I was pretty surprised that most people had not heard of the tools and only like 3 people had heard of Maltego. I should have a Maltego v2 review getting pushed out on EthicalHacker.net soon.

Slides and audio should be out next week on the ChicagoCon site. If you are really anxious you can email me and I will probably send them to you.

Friday, May 9, 2008

ChicagoCon "Con" portion 16 & 17 May 2008


I'll be speaking at the "Con" portion of ChicagoCon on "New School Information Gathering".

http://www.chicagocon.com/content/view/38/46/

If you are in the Chicago area it's only 100 bucks for a ticket, and EthicalHacker.net Don always has tons of stuff to give away, so it's gonna be worth the money.

The link has the schedule but of interest is the two keynotes.

One by the Tiger Team guys on

The Art of Espionage (Tactics, Defense, and your Corporation)

TruTV's Luke McOmie, CISSP, NSA-IAM, NSA-IEM &
Chris Nickerson CISSP,CISA, NSA-IAM,17799 Lead Auditor

and one from Intelguardian Matt Carpenter

Windows Command-Line Ninjitsu

Matthew Carpenter, SANS, Intelguardians


All the other talks look good to me as well, so it should be a good time.

see you there!


Thursday, March 20, 2008

ChicagoCon 08

-Joe McCray & Chris are currently slated to do a workshop at ChicagoCon 08 on Saturday

-Chris is slated to talk about "New School Information Gathering" on Friday

-Dean is supposed to talk as well

Here are the details:

ChicagoCon 2008s: White Hats Come Together in Defense of the Digital Frontier

May 12 – 18, 2008

www.chicagocon.com

The Spring Edition of ChicagoCon features all new keynoters, additional security boot camps, exams on-site followed by a two-day ethical hacking conference. And without an exhibit hall full of sales pitches, you're free to learn from the pros, network with peers and advance your InfoSec career. Not just another boot camp or hacker con, ChicagoCon adds value to your training dollars with top instructors and well known certifications. 13 courses including CISSP, CEH, CHFI, Advanced Hacking, BackTrack to the Max (First Time EVER), Cisco, Microsoft, SANS, SOX, Security+ and more. The 2 days of “Con” Activities May 16 – 17 are only $100 (free for training students) and offers presentations, breakout sessions & hacking contests. From the novice, to the ultimate techie, to the CISO chair... everyone interested in a career in security will find something at ChicagoCon, your one-stop shop for security training and certification. Keynotes: Geahan (FBI), Echemendia (Hacking Instructor), McOmie (TruTV's Tiger Team), Murray (Neohapsis) & Carpenter (SANS, Intelguardians). Presented by www.ethicalhacker.net.



Friday, March 14, 2008

carnal0wnage mention on ITSecurity.com

carnal blog got a shoutout over on IT Security.com

http://www.itsecurity.com/blog/20080310/why-life-is-tough-for-the-ethical-hackers/


Wednesday, March 12, 2008

Book Review Criteria

I got an email asking how I base my reviews, so I came up with this as my stated review criteria.

5 stars: Book brought new detail or information to light, nothing else like it out there or a great update. Well written, few typos, well edited.

4 stars: Good information but nothing "new", written pretty well; good but not outstanding, has some issues.

3 stars: In some form or fashion the book has flaws whether it be editing or content, usually just average content.

2 stars: Shouldn't be used to start fires, but possibly pretty close.

1 star: Probably shouldn't have been published and I want my money back, brings nothing of value whatsoever.

**Ideally, all those stars are qualified/explained with the write-up

If you disagree or have some things to add, PLEASE leave a comment :-)