Showing posts with label Security Conferences. Show all posts

Monday, January 18, 2016

Purple Teaming - Lessons Learned & Ruxcon Slides

Note:
I wrote a bunch of this while still at Facebook but have since changed jobs. Anything FB is now replaced with $previousjob since I can't speak for them anymore. This was supposed to go on their Protect The Graph post but never happened. The content was useful (I hope) so hopefully people will get something from it. Also, the slides are released here and at the bottom.

---


Recently Chris Gates from the $previousjob Incident Response team presented at Ruxcon (https://ruxcon.org.au) on “Purple Teaming: One Year After Going From Full Time Breaker To Part Time Fixer”. The talk was used to highlight some of $previousjob’s experiences “Going Purple” over the last 18 months.

What is Purple Teaming?
Purple Teaming is “Putting more Offense in your Defense” and “More Defense in your Offense”. We do this to iteratively improve the quality of both our Red and Blue Teams by conducting focused Red Teams with clear training objectives for the Blue Team.


The talk highlighted observations and lessons learned during this process.
  1. Acknowledging the need for the creation of an internal Red Team. The maturity of the security program coupled with the complexity of the organization made it necessary to have internal knowledge to craft more interesting attacks for Red Team exercises.
  2. The creation of an internal Red Team and the location of the internal Red Team on the organizational chart. Many companies have both Red and Blue teams operating as separate entities. This frequently causes animosity between the two teams that can lead to growth stagnation because the two teams become focused on catching or defeating each other rather than innovating together in order to better defend their company. $previousjob’s Red Team is a component of the Incident Response team giving both the Red and Blue teams the same reporting structure. This placement was intentional as an attempt to avoid animosity and the “us vs. them” mentality that can frequently plague internal Red and Blue teams.
  3. Changing the typical definition of a “Red Team” to be less focused on vulnerability discovery and instead serve as a training event for the Blue Team. For $previousjob, a Red Team exercise tests our ability to respond to an incident and find broken tools and processes. The offensive part of the exercise is required to tell a good story, model the chosen attacker profile, and craft real world attacks for the Blue Team’s training objectives. The Post Exploitation, Persistence, and Lateral Movement portions of the attack are far more important than the initial method of exploitation. With this in mind, it is deemed “OK” for a trusted insider to be the initial exploitation vector (phish, browser attack, etc) and for the Incident Response manager to suppress any initial alerts that may come about from the initial exploitation vector in order to let the attack play out and allow the Red Team to move on to the post exploitation, persistence, and lateral movement pieces of the attack.
  4. Having a Red Team in-house allows $previousjob the ability to test vs. believing assumptions or information provided from other teams. It allows us to more easily validate answers to really important questions like “where can an attacker go if they had a certain set of credentials” or "what can an attacker REALLY do with a certain level of access" vs. what we THINK they can do with that access. The in-house Red Team is also required to stay up to date with the latest tools and techniques and can use that information to write detection signatures to catch these tools.
  5. Our Red Team reports have both the Red and Blue narrative, making the report more valuable as readers see both sides of the attack. Red Team reports are typically only offensive oriented with no mention of incident response, defense, or how well the organization fared against the attackers. By having both the Blue and Red teams tell their respective sides of the story, we tell a much more complete story in our reports. This has the added benefit of highlighting to leadership and the company as a whole the value of the Incident Response team and showing wins with new initiatives, gear, training, etc.
The talk wrapped up with a walk-through of one of the latest Red Team exercises. The slides are available here:


link

Thursday, September 15, 2011

Where have you been!?

I've been busy... :-(

But I do have some conference speaking engagements coming up.

So. If you are heading to BruCon, catch me and Joe McCray talk about Pentesting High Security Environments.






If you are heading to DerbyCon, catch me and Rob Fuller talk about The Dirty Little Secrets They Didn’t Teach You In Pentesting Class.


Lastly, if you'll be in Switzerland for Hashdays, you can catch me talk about From Low to Pwned.

I'll also be giving a talk at the Management workshop on Information Operations for Management (sorry the info isn't on the site yet but should be here https://www.hashdays.ch/management-session.html at some point).

I'm sure there will be more stuff in November/December, it's just not scheduled yet.

Thursday, October 22, 2009

Attacking Oracle with Metasploit Blackhat USA 2009

Here's my Attacking Oracle with Metasploit Blackhat USA 2009 talk

Attacking Oracle with the Metasploit Framework BH USA 2009 from carnal0wnage on Vimeo.

Wednesday, May 20, 2009

Carnal0wnage will be at BruCon!

I'm happy to announce that I'll be speaking at Brucon in September (18-19) on Open Source Information Gathering.

This is an update to my set of talks last year. After a year of doing OSINT work I've revised the methodology and it should be a pretty good update to the previous talk. I'm planning on focusing a lot on Person/Organization Information Gathering (IG), and my talk should be followed by Chris Nickerson talking about Red and Tiger Team Testing (I call it Full Scope testing), aka putting all the "stuff" we found in my talk to actual use.

Should be a good time. Plus Hoegaarden on tap!

Check the BruCon blog for up to date info:
http://blog.brucon.org/

Client-Side Penetration Testing Notacon Edition

Here's the video from the Notacon talk. Audio sucks, sorry...blame the video guy.

Full Scope Security Attacking Layer 8: Client-Side Penetration Testing Notacon '09 Edition from FullScopeSecurity on Vimeo.

Monday, April 20, 2009

Back from Notacon

g0ne and I just got back from presenting on Client-Side Attacks at Notacon. You can check out his write up here. I have pretty much the same things to say.

It was definitely a unique con, especially since it was more "everything tech" versus hardcore security...so like g0ne said, we ended up with lots of down time in between talks we were interested in. We spent a bit of time in the lockpick village so that was fun. I usually don't have time to do that stuff because I have talks I want to see.

that's about it...

Up next ChicagoCon in May. I'll also be up there for the Social Engineering Master Class so I'm excited about that.

-CG

Monday, March 16, 2009

Why SOURCE Boston was the best con I've ever been to

You don't have to just take my word for it...

http://g0ne.wordpress.com/2009/03/15/thoughts-on-source-boston/
http://blog.attackresearch.com/?q=node/28

So we just got back from SOURCE Boston. It was by far the best conference I have ever been to from pretty much all perspectives.

Pretty much all the talks were great, I found myself sitting in talks and wishing I had a second me (I wish that quite frequently actually) so I could sit in one of the other talks. Now this happens often at other cons, but this was for the whole con schedule. The SOURCE advisory board picked great talks. The location of the hotel was great, it wasn't too crowded, and the SOURCE organizers totally took care of the speakers with free food and booze (I felt very well taken care of), the securitytwits with free food and booze, and the con-goers with free food and for-pay booze but threw a really nice party. It was also extremely cool to get to interact with some of the Original Gangster l0pht guys and all the other con attendees, especially the Attack Research guys, the NYSEC guys, and many, many others.

I had such a good time that I'm currently trying to scheme a way to pull off FRHACK, BruCon and SOURCE Barcelona in September.

Oh and for shameless self promotion Chris Wysopal gave our client-side talk a nice review:
http://www.veracode.com/blog/2009/03/source-boston-conference-was-a-blast/

Thursday, February 19, 2009

BlackHat Day 1 Writeup

As promised...

The keynote was pretty good, there is lots of buzz about it on the net. BlackHat was nice enough to post the video: https://media.blackhat.com/bh-dc-09/video/Kurtz/blackhat-dc-09-kurtz-keynote-slide.mov

As usual it seems I picked the wrong talks...at least for my first talk... There is tons of buzz about the SSL talk, which I did not attend, but I will be watching it tomorrow since BH was nice enough to share it as well.

Instead I went to Travis Goodspeed's Reversing and Exploiting Wireless Sensors. Travis is amazing at hardware hacking. I didn't take a lot of notes on the talk because most of it was over my head, but for me the big takeaway is that just because things aren't PCs doesn't mean they aren't on the network, and it certainly doesn't mean they aren't pwnable. Travis basically demonstrated the various ways to defeat two popular microcontrollers, which could lead to all kinds of fun things if you have a ZigBee network in your infrastructure.

I left the Vista Security Internals one, too much Windows code for my brain to handle. The gist was that there were some major changes to LSASS with Vista SP1 that would make stealing password hashes out of memory via DLL injection much, much harder to do. If someone stayed for the whole thing I'd appreciate a wrap up of what the dealio was and if it has been defeated yet. I went over to the OS X talk but he had already talked about whatever it was about and was doing demos.

After lunch I went to the Attacking Intel Trusted Execution Technology talk. Very cool stuff. I'll skip my "gist of the talk", you can just watch it for yourself. Bottom line: lots of BIOSes and computers are completely backdoorable and all your trusted computing platform stuff won't even know...very cool stuff.

Michael Sutton's A Wolf in Sheep's Clothing: The Dangers of Persistent Web Browser Storage covered four big issues: HTTP Cookies, Flash Local Shared Objects, Google Gears, and HTML 5.

Most notable were Google Gears, now just Gears, and HTML5, which allow for client side relational databases. Very interesting attack vectors start to come into play: with the client side db, all an attacker needs is an XSS on any site to read the database out of the client side db. The issues with discovering table names and structure are gone because the attacker would already have a copy of their own database to discover that; all the attacker would need to do is determine the username for the victim.
https://www.blackhat.com/presentations/bh-dc-09/Sutton/blackhat-dc-09-Sutton-persistent-storage.pdf

Adam Laurie talked about Satellite Hacking for Fun and Profit. I caught the tail end of the talk but it was also very interesting. Rather than butcher a synopsis, you can watch it. But in short, capturing TCP & UDP as well as other fun unlisted channels over your home satellite box.
https://media.blackhat.com/bh-dc-09/video/Laurie/blackhat-dc-09-Laurie-Satellite-Hacking.mov

Also...Media Archives are up: https://www.blackhat.com/html/bh-dc-09/bh-dc-09-archives.html


ChicagoCon 2009s is coming up!

Don has published info ChicagoCon 2009s. The Social Engineering training by Chris Nickerson and Mike Murray should be awesome and the Con portion always has really great speakers. So if you are in the Chicago area you should definitely check it out.

ChicagoCon 2009s
Training: May 4 - 8
Conference: May 8 - 9


This is a small regional event that has grown organically. It will only continue to be successful with your help. Please help spread the word by mouth, blog, banner (feel free to steal pics from EH-Net), email... all is appreciated.

Just a quick announcement about the upcoming spring edition of ChicagoCon. As you know, we have completely separated the training from the conference. It was such a success, that we are continuing with that model. Registration is now open for all courses and the Ethical Hacking Conference. If you are taking one of our training courses, then the Conference is included in the price of your class. If not, Conference Only Tickets are just $100.

Training Details May 4 - 8

All courses are 5 days in length except CISSP which is 7. All courses feature most meals, computers are provided, all exams are held on site and a FREE ticket to the Ethical Hacking Conference. We are now offering a $200 Discount Off Training for Early Registration. Discount ends March 15, 2009! Here's the lineup (See Details on the site including pricing):

* Exclusive Course Offering: Social Engineering Master Class by Chris Nickerson (TruTV's Tiger Team) & Mike Murray (Expert and International Speaker)

* Popular Cert Classes by Training Camp
- CISSP
- CEH
- CHFI
- Fundamentals with Network+ & Security+

* Adv. Tech. Courses by InfoSec Institute
- Expert Pen Testing (CEPT)
- Reverse Engineering Malware (CREA)
- Web App Security (CASS)

Ethical Hacking Conference Details May 8 - 9

Only 250 Conference Only Tickets are being made available, so get yours NOW!! Talks by Chris Gates, Craig Heffner, Jack Koziol, Ryan Linn, Mike Murray, Chris Nickerson, Tim Rosenberg, Andrew Whitaker, and many more.

- Keynotes & Technical Presentations
- Capture the Flag with White Wolf Security
- "The Doctor Is In" Career Counseling
- Lock Picking 101
- Resumania
- Evening Entertainment

Subject to change, so please keep an eye on the site. Specifics and schedules will be posted in the coming weeks Right HERE!

Wednesday, February 18, 2009

BlackHat Day 1...writeup coming soon

Yeah I fully intended to do my day 1 write up, but Lost was on, sorry...

But I do have notes and if I'm motivated in the morning I will do it on the train in for Day 2.

Couple of quick highlights with more tomorrow.

Travis Goodspeed is a hardware ninja and all zigbee are belong to Travis.

Michael Sutton with client side SQLI is the new hotness. Go Google Gears!

Adam Laurie is still the RFID man! and now I have to buy satellite gear because his commercial satellite hacking was the shizzle!

I got to see HD Moore in the flesh...that's always cool.

Lunch was way better than last year

some gripes...

No free BlackHat T-shirt! What the F**k!!! For $1200+ people deserve their free BlackHat T-shirt and shouldn't have to pay 20 bucks for one. Man, that really started me off on a downer for the day.

No phone signal in the con area so no twitter :-( ...yeah I don't have an iPhone so I couldn't just connect to the wifi because I have Verizon and they border on cruel and unusual punishment.

Day 2

Looking forward to Val Smith and Colin's talk and David Litchfield's talk.

Friday, February 13, 2009

BlackHat D.C. picks

Still recovering from shoulder surgery and have been checking out the BlackHat D.C. agenda. Unlike last year for BlackHat USA I actually have a ticket this year so it's not just wishful thinking. So here's what I plan on checking out.

Day 1

10:00 - 11:15
Reversing and Exploiting Wireless Sensors
Travis Goodspeed

Toss up between

11:30 - 12:45
Windows Vista Security Internals
Michael Muckin

and

11:30 - 12:45
Let Your Mach-O Fly
Vincenzo Iozzo

Will probably decide on which one has seats that don't suck.

13:45- 15:00
Attacking Intel® Trusted Execution Technology
Joanna Rutkowska and Rafal Wojtczuk

15:15 - 16:30
A Wolf in Sheep's Clothing: The Dangers of Persistent Web Browser Storage
Michael Sutton

16:45 - 18:00
SQL Server Anti-Forensics
Cesar Cerrudo


Day 2

09:00 - 09:50
Dissecting Web Attacks
Val Smith and Colin Ames

10:00 - 11:15
Don't know yet, probably the Flash one.

11:30 - 12:45
Defending Your DNS in a Post-Kaminsky World
Paul Wouters

13:45 - 15:00
Don't know yet, probably the Tor one.

15:15 - 16:30
The Forensic Investigation of a Compromised Oracle Database Server
David Litchfield

16:45 - 18:00
Snort My Memory
Peter Silberman

Is there a talk better than what I picked? Let me know!

Monday, February 9, 2009

Shmoo & the 'con within a con'

DC is a blast as always! Hanging and catching up with everyone is always a good time. I met a bunch of folks for the first time too, put names to faces and saw a lot of old friends too.

I'm not going to give a review or opinion of any of the presentations as cg has already done that. I really did not attend that many either to be honest. :) It's becoming more and more apparent to me that the true value of the cons are in the opportunity to network and bounce ideas off your peers.

Walking around I saw small clusters of people everywhere. All talking and sharing ideas and information. A group of us all got together in one of the hotel rooms. A few of the guys broke out their laptops and showed some research and work that by far was the coolest stuff I saw the whole weekend. cg redid his Oracle stuff and it was really cool to brainstorm and come up with ideas to extend the apps, concepts and PoCs that were presented by everyone.

I'm sure that we were not the only guys that were doing this too. These 'cons within cons' are, in my view, a great byproduct of the con itself and I'm looking forward to the next one for that reason alone.

Sunday, February 8, 2009

Shmoocon Day 2 & 3

Shmoocon is over, according to twitter good times were had by all.

I missed a few talks I wanted to see due to it being too crowded in a lot of them and also me not getting my butt in gear on Saturday morning.

So what I did catch.

Zero_Chaos' talk on 802.11 ObgYn or "Spread Your Spectrum", which was about his updated drivers to open up some wifi ranges that were inaccessible only because of software driver limitations. Very good talk.

Enno Rey and Daniel Mende's talk on All your packets are belong to us - Attacking backbone technologies was interesting but I had to leave part of the way through.

I unfortunately missed Dave Kennedy's talk on Fast-track that I really wanted to see.

Sunday morning I caught Matt Weir's Enough with the Insanity: Dictionary Based Rainbow Tables. He talked about optimizing the rainbow crack code to be able to do some "smart" rainbow table generation. Tool site: http://reusablesec.googlepages.com & blog http://reusablesec.blogspot.com

Lastly Chris Paget completely demoralized Electronic Driver's Licenses and US Passport Cards, I mean slapped around, spanked, sent to bed without dinner. Great presentation. Really laid out all the reasons the technology is wrong for what they are trying to do and how really, really wrong the implementation is...ouch.

On other fronts. Dean was there so it's always good to hang with Dean. I redid the Oracle talk in my room to some people and got some really good feedback and some things to work on for future functionality.

I also got to put tons of faces to names so shout outs to all the people that I met at shmoo for the first time (too many to list).

Saturday, February 7, 2009

ShmooCon Day 1 wrap up

So quick wrap up on Day 1.

The only talks I caught were the end of the smart key one, which seemed cool and the Watching the Watchers one by the cadets. It was good, not overly technical, but still good.

Did lots of chatting with old friends and met some new ones which is always good. It's always nice to turn names into faces.

ShmooCon Firetalk on Attacking Oracle with the Metasploit Framework went pretty well. It's hard to look at everyone when you are in a circle and there was no mic so I pretty much had no voice by the end of it, but I think it went pretty well and I got some good feedback and questions from some people in the audience after. The demo video is posted.

Jack Daniel talked about FOI, Failure On Investment, as the only measure people are actually using to measure anything security related, which is true, but it is also why most senior security professionals in the US make 6 figures: you get paid enough to educate and push through those types of issues.

I didn't catch the name of the guy after Jack but he talked about how PowerPoint has removed the ability for people to tell a story, and other standard Tufte quotes. I've had similar discussions with Michael from Security Catalyst. Again I don't disagree, but there are times for PowerPoint and if PowerPoint rules are applied a presentation can be tolerable. The common counter for PowerPoint is to just hand out the slides with notes or whatever. That works great for a presentation to 10 people at work but certainly doesn't scale to a security conference. I like slides for people that do talks at security conferences that actually have content in the slides. Slides that consist of pictures of a lock, turtle, toilet, cigarette, and a trash can probably make/made perfect sense for the people who were actually sitting in the crowd, but if all I get is the slides later it doesn't mean crap. I don't see how I could have pulled off my talk without PowerPoint, it's hard to talk about code or see the output from Metasploit without actually showing it. But comments always welcome.

Ok, that is all for now...trying to get g0ne up and moving from his house so we can head back into D.C. for the talks today.

Wednesday, February 4, 2009

ShmooCon Time!

ShmooCon is almost here and I'm excited to see old friends and meet/make new ones.

I'm currently scheduled to do a "Fire Talk" sometime between 2100-2200 on Friday night. I'll be talking for a few minutes on "Attacking Oracle with the Metasploit Framework" and I have a video demo to go with it. Hopefully it will whet the appetite to download the mixin and play/test with the code and make suggestions on features and functionality.

More info on the Fire Talks and other podcasting type stuff here: http://www.podcastersmeetup.com/

I will of course be blogging and tweeting throughout the con.

See everyone this weekend!

Sunday, December 7, 2008

Congrats To My Aura Software Security Friends

Just wanted to give a big congrats to my Aura Software Security friends over in New Zealand for the good things I'm hearing about their hacking Netscreen talk.

"Netscreen of the Dead: Developing a Trojaned Firmware for Juniper Netscreen Appliances"

http://www.ruxcon.org.au/files/2008/gn-netscreen-of-the-dead.ppt


http://www.zdnet.com.au/news/security/soa/Ruxcon-security-gurus-hit-Sydney/0,130061744,339293503,00.htm

Sunday, October 19, 2008

ChicagoCon Fall 2008

As usual Don has a great lineup for ChicagoCon 2008f.

http://www.chicagocon.com/content/view/103/51/

ChicagoCon, a bi-annual security event held in the Windy City, features an Ethical Hacking Conference for two days of cutting-edge talks, peer networking and career advancement in the exciting and growing field of computer security for only $100. Microsoft penetration testers AKA ethical hackers, Billy Rios and John Walton headline an impressive list of presentations by researchers, practitioners and executives on Oct 31 and Nov 1, 2008.

ChicagoCon 2008f: White Hats Come Together in Defense of the Digital Frontier

October 27 – November 2, 2008

www.chicagocon.com

The (f)all edition of this bi-annual security event features 12 boot camps (M-F), exams on-site followed by a 2-Day Ethical Hacking Conference (Fri – Sat) featuring Microsoft Hackers AKA Blue Hats Billy Rios and John Walton along with many other speakers and activities.

Con Only Tickets available for just $100.

Courses: CISSP, CISA, CEH, CHFI, ECSA, CWNA, Advanced Technical Hacking (Pen Testing, Web Apps and Reverse Engineering), Cisco CCENT/CCNA, Microsoft ISA Server and a combined CompTIA Network+/Security+ class. Novice, ultimate techie, CISO chair... everyone interested in a security career will find something at ChicagoCon.

Keynotes: Ed Skoudis (SANS, Intelguardians), Gregory Conti (West Point, Author "Security Data Visualization") and Daniel V. Hoffman (CTO SMobile Systems, EH-Net Columnist). Presented by www.ethicalhacker.net.

A list of the speakers is available here:
http://www.chicagocon.com/content/view/103/51/

Friday, October 10, 2008

OWASP APPSEC 2008 Conference Videos Online

OWASP APPSEC 2008 Conference Videos are online

http://www.owasp.tv

Thursday, October 2, 2008

ToorconX Wrap-Up

Joe and I had the opportunity to teach our 2 day Crash Course In Pentesting workshop at Toorcon X. I felt like the workshop went pretty well and we got some good feedback from the students. Joe has spent the last year really working on web application pentesting and can really break down SQL injection and XSS type assessments and attacks. He had day two of the workshop and I thought it was really good. We even had a custom bookstore web application built for the students to practice SQLI, XSS, and LFI/RFI. I had day one. Frankly I covered too much material and there was not enough time for the students to actually do anything with the lab images, but they did get the hard drives to take that stuff home along with the lab manual for the web application thing and the draft version of the LSO Metasploit Mini-Course.

Here is the breakdown of the seminars.
http://sandiego.toorcon.org/content/section/5/7/

9:30 Jay Beale: Owning the Users with The Middler
11:00 James O'Gorman & Matthew Churchill: Digital Forensics - Footsteps in the Snow
14:00 Travis Goodspeed: Repurposing the TI EZ430 Development Tool
15:30 Ryan Sherstobitoff: The Evolution of Cyber Crime
17:00 Jared DeMott: AppSec A-Z: Reverse Engineering, Source Code Auditing, Fuzzing, and Exploitation

Jay Beale's talk was cool, it was on his tool Middler which I had heard about before but hadn't played with (I think because it wasn't released). It will MITM the user's browser and hijack EVERY web session, grab the cookies, insert any javascript of your choosing. I don't think the tool's website is up yet but his slides from Defcon16 are, you can check those out for more info:
http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-beale-2.pdf

James O'Gorman & Matthew Churchill from Continuum World Wide gave a good talk on forensics. They had some great slides on dispelling forensics myths and gave everyone a chance to ask questions about the current state of forensics.

I missed Travis Goodspeed's talk.

I caught most of Ryan Sherstobitoff's talk. He was from Panda Security and talked about some stats they had accumulated on different types of malware in the wild.

Jared DeMott talked about reversing 101 and exploitation 101. Quite a bit to cover in 90 minutes. He covered a lot on IDA Pro and then talked about doing some simple exploitation and shellcode development. Fun stuff.

Here's the link to the breakdown of the conference, I won't paste it all.
http://sandiego.toorcon.org/content/section/3/9/

Dan Kaminsky's keynote was awesome, he of course talked about the DNS bug but more importantly he talked about how exploitation and vulnerabilities really have to be thought of in groups. It's not so much one vulnerability breaking the internet, but now you can string several together for total world domination. *btw, NONE of that is a quote from his talk.
http://toorcon.org/tcx/1_Kaminsky.pdf

I really enjoyed Ben Feinstein's talk on the "Loaded Dice: SSH Key Exchange & the OpenSSL PRNG Vuln." He did a good job explaining SSL and showing the steps with wireshark and then doing a live demo showing what could happen if you are doing SSH with a bad cert.
http://toorcon.org/tcx/3_Feinstein.pdf

Ariel Waissbein is from Core Security and talked about some new tool they are releasing that will do simulated exploitation by reading in virtual machine config files and interfacing with Core Impact "to test to see if you were vulnerable in the past". I wasn't too impressed. If I were taking the "I was owned in the past" stance I should just go start looking for evidence of the hack rather than testing to see if the Core Impact module works.
http://toorcon.org/tcx/5_Waissbein.pdf

Joe McCray of course rocked the SQLI.
http://toorcon.org/tcx/9_McCray.pdf

Grutz rocked the NTLM pass the hash with windows authentication and squirtle. If I hear the talk one more time I might be able to take in the full impact of what you can do with it.
http://toorcon.org/tcx/10_Grutz.pdf

Sunday was the 20 minute talks.

I caught Christian Heinrich's "Googless" talk where his OWASP group is writing some code to use the google SOAP API to do some searches.

I caught a bit of Marc Bevand's "Breaking UNIX crypt() on the PlayStation 3" talk but had to leave early to get set up for my talk.

Got in late for Dan Griffin's "Hacking SharePoint" but it seemed good, looking forward to the slides from it.

Here's what I caught the rest of the day:
Dan Hubbard's "P0wn the Cloud. The good, the bad, and the pugly of Cloud Computing"

Joshua Brashars' "Owning telephone entry systems (aka why you shouldn't sleep so well)" basically what the title says, default passwords are great, default passwords of 0000 are even better.

Stephan Chenette's "Ultimate Script Deobfuscation: Browser Hooking versus simulation" discussed a very cool tool that would hook IE and document.write and other functions I can't remember right now so you can read what the obfuscated JavaScript is doing after the browser has done its thing with it. Very cool.

David Byrne's "Advanced Techniques in Automated Web Application Testing" talked about Grendel-Scan and the Grendel-Scan blog.

Luis Miras & Zane Lackey's "Mobile Phone Messaging Anti-Forensics" talked about F'ing up the SD card on cell phones that would crash any SD forensics software.

All in all a great con. Huge props to all toorcon crew.

Sunday, September 14, 2008

Toorcon X Workshop

As I mentioned before, Joe and I are doing a Crash Course In Pentesting 2 day workshop at ToorconX.

http://sandiego.toorcon.org/content/section/4/8/

Here's a piece from the description:

"This course will cover some of the newer aspects of pen-testing covering; Open Source Intelligence Gathering with Maltego and other Open Source tools, Scanning, Enumeration, Exploitation (Both remote and client-side) and Post-Exploitation relying heavily on the features included in the Metasploit Framework. We'll discuss our activities from both the Whitebox and Blackbox approach keeping stealth in mind for our Blackbox activities.

Web Application penetration testing will be covered as well with focus on practical exploitation of cross-site scripting (XSS), cross-site request forgery (CSRF), local/remote file includes, and SQL Injection."

But I wanted to give a few more details.

Day 1 is network level pentesting and Day 2 is web application pentesting.

Network level is mostly my responsibility and I'll be focusing on black box information gathering, client side attacks, and post exploitation. It's hard to cover pentesting in a day, so I'll be talking heavily on client side attacks and how to implement those into your pentests and some of the tools you'll need to do it. A little bit on local/priv escalation attacks that you'll need to do once you have that userland shell, and post exploitation. There is also a block on Metasploit and the students will take home a copy of LSO's Metasploit Mini Course.

Web application is Joe's responsibility and it should be really good. We've had a custom web app built with vulnerabilities intentionally built in. So the students will be able to run the tools he is going to discuss and then exploit the vulnerabilities they find. They also get to take the VM home with them.

If you have questions feel free to post up or email me with them.