rm -rf /blackhat

Through a series of strange decisions I found myself on the way to Las Vegas during the same week as Black Hat, but without a ticket to the Black Hat Briefings. This didn’t faze me in the slightest as I attended Black Hat last year and to be quite frank, I wasn’t impressed. This did raise an interesting question though: if I’m not wasting my time at Black Hat, what could I be doing?

This question was easily answered as just about every person I look up to in the InfoSec industry was heading to one place…BSides LV at the Tuscany Hotel. I’d never attended a BSides conference before and had no idea what to expect. How much are the tickets? How long are the queues for the talks? How much are the food and drinks? It turns out the answer is pretty much nothing to all of the above.

What I want to take away from an InfoSec conference is to have learned something, meet some interesting people, help other people who may have questions and generally have a good time doing it. Walking into BSides on Tuesday morning, I was warmly greeted and given a badge and a smile. That’s it. No spammy email address, no dollars, just a badge. Walking around BSides I saw that there is an abundance of tracks, workshops and a large chill out area with free drinks (as in beer), raffles and competitions.

I spent the large majority of the con on the red team for the “Joes vs Pros CTF” competition, which gives defensive security and network engineers a chance to feel the heat of a red team bashing the hell out of their network. Uptime is important for points and there is a gold team sending the blue team’s help desk requests, which need to be actioned whilst frantically trying to secure their network and kill our shells.

After competition closed on Tuesday, I had a chat with the winning blue team who did a really good job of locking us out whilst maintaining uptime on critical services. These guys got pummelled last year and came away with new skills and ideas that they implemented this year. A few of the members shared appreciation that they had learned more from competing in Joes vs Pros for a single day than they had from attending years of college and certifications. They mentioned that dealing with an active attack where they are forced to keep vulnerable software up and running taught them to look farther than just simple patching exercises. The creativity that they came up with was astounding – from setting up spoofed sites that had no back-end connected to them, to serving us honeypots and ban-hammering us on their firewalls.

The following day, the blues got their own red team members and needed to engage their opposing blue team. With a red team member assisting them with exploitation of the target machines, which were compromised the day before, the blues got to experience the attack from the red team’s point of view and learned how targets are enumerated as well as what weaknesses are exploited in the discovered applications. This information was then used to modify their own applications to make exploitation by the opposing team much more difficult or even impossible.

What I took away from this experience is that these blue team members are getting valuable training, whilst having a good time, essentially for the price of getting to Las Vegas. BSides volunteers make the con what it is and sponsor donations go towards the cost of setting up the competitions or providing prizes and drinks.

I learned a lot about BSides over my two days there. I attended some good talks, snuck into a workshop where attendees were taught to build an RFID reader that works from 4 feet away with only $35 of hardware, met some awesome people and had a great time doing it all.

All this made me really REALLY angry.

Even though there was good work being done and great knowledge being shared at the Tuscany Hotel, several blocks away the world’s largest “security” conference was being held and doing a fine job at advancing just about everything that is wrong with this industry.

Since starting work as a Penetration Tester, I’ve noticed one very big problem within the Information Security realm. By far, the biggest problem that currently exists in Infosec is that people still believe that they can “buy” security. Right out of the gate I will tell you “this is bullshit!” You cannot buy anything from any vendor that will stop your company getting compromised. Buzzwords like Next-Gen, Multi-Tiered, Smart and APT are just marketing turd-speak for devices that basically do nothing. And Black Hat is the single biggest culprit of promoting the use of these “magic bullets.”

After you’ve cleared away all the fluff around Black Hat, what you’re left with is a room full of “magic bullets” being shown off by booth babes and a bunch of “researchers” giving presentations to massive audiences about why they should buy them. To make matters worse, the amount of money spent on these devices each year is astronomical – yet more and more companies are getting compromised every day, now more than ever before.

I borrowed a ticket to visit the vendor-fest on Thursday for a couple of hours to see what, if anything, was better about this year than last. After all, 8000 people can’t be wrong, right? After looking at the briefings and seeing that there was hardly anything of value worth watching, I wandered over to the vendor area. I ended up speaking to a golf shirt about his “magical DLP machine” which uses sophisticated algorithms and cutting edge buzzwords to hunt down people leaking trade secrets and PII. I asked him if the machine would catch someone exfiltrating credit card numbers and the response was a resounding “Oh definitely!” When asked what the machine would do if someone base64’d this same information first, he ran off to find someone with a brain. I then spoke to one of the “magical DLP machine” developers who told me that the CPU cycles taken to decrypt the traffic would be too much for such high throughput and base64 traffic would not be decoded before checking the contents.
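For anyone building or evaluating this kind of content inspection, here is the check that was missing, as an added example (not code from the original post or from any vendor's product): decode candidate base64 runs before matching, and look for Luhn-valid card numbers at every layer. The regexes, function names and the test card number are assumptions made for the example.

```python
import base64
import binascii
import re

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Runs of base64 alphabet long enough to hold an encoded card number.
# Limitation: assumes the run is delimited (e.g. after '=' or whitespace).
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """What a non-decoding inspector does: match card numbers in the raw text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def inspect(payload: bytes, max_depth: int = 3) -> list:
    """Return (decode_depth, card_number) pairs, peeling up to max_depth base64 layers."""
    text = payload.decode("latin-1")
    found = [(0, p) for p in find_pans(text)]
    if max_depth > 0:
        for m in B64_RE.finditer(text):
            try:
                decoded = base64.b64decode(m.group(), validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64, nothing to peel
            found += [(d + 1, p) for d, p in inspect(decoded, max_depth - 1)]
    return found


# Constructed sample: a widely published Luhn-valid test number, not a real card.
TEST_PAN = "4111111111111111"
SAMPLE = b"blob=" + base64.b64encode(TEST_PAN.encode())
```

`find_pans(SAMPLE.decode())` comes back empty while `inspect(SAMPLE)` reports the number at depth 1. The depth limit is what bounds the extra CPU cost the developer was worried about.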

Then I see the big one…a box that can detect 0-day malware. Oh wow. Problem solved. These guys have cracked the code. They have made a device smarter than all the Russians, Ukrainians and Belize malware-devs combined. Or have they? I challenge you. Deploy that thing in a public network and offer $1 million to the person who deploys malware on the same network which the “magical DLP machine” cannot detect.

Vendor after vendor pitched me their next-gen, cutting edge, complex algorithm, layer-7 flashy box and each and every time, I could outwit their machines in under 5 minutes. Again, if you didn’t read it earlier…“YOU CAN’T BUY SECURITY!” Walking into Black Hat and throwing money at everything with a flashing light and a web console is not going to make you or your company more secure. Even if you bought each and every single device and had them professionally installed with maximum protections enabled, any pentester worth their salt could still compromise your network with a smile or a cleverly worded email. And that is the main reason why all these products do not work.

Chris Nickerson put it best. “You say your device can do this? Prove it! You say your company is secure? Prove it! You say the bad guys can’t get your customer data? Prove it!” If for one second you actually believe the hype regurgitated out by these pretty boys with their sunglasses and golf shirts who market some box that protects against everything, then you have already lost. If it could genuinely solve all your information security problems as soon as you plug it in, they could genuinely sell it for a bazillion dollars and you would gladly buy it.

But the reality is that you’re actually buying nothing. You’re buying a marketing pitch. Maybe you’re buying a few nights of peaceful sleep. Maybe you’re buying a bigger budget next year. Maybe you’re buying an alliance with some vendor. But you are not buying security and the vendors cannot prove that their solutions do anything to stop a determined attacker. All they can do is show you that in a perfect simulated test environment, it does something. Would it work in your environment? Maybe. Will it make you more secure? Probably not. Does the machine do all the things it says on the tin? Doubtful.

I’m not saying that there is no value in Black Hat. I’m saying there is no value in purchasing a $1500 ticket to attend a convention where you are encouraged to purchase more things. If you are in the security industry and attend Black Hat to network with clients, great. You could probably do that for free at one of the million parties held after hours. Just avoid all the golf-shirt, booth-boys running around with their sunglasses on at night calling themselves hackers because they work for a company whose product can detect SQLi vulnerabilities. “Shut up, you’re a sales monkey!” There are also some good talks at the briefings. Black Hat is not without any interesting material but from an attacker’s point of view, I find the content of Black Hat weak and lacking in this area compared to BSides.

If you are the principal or manager of a pentest team, please, don’t send your testers to Black Hat, allow them to attend BSides instead where they can actually learn, meet, teach and have fun.

P.S. All of the above is my opinion, which I’m entitled to. However, if you managed to read this far and wish to bitch at me for saying what I did, use the comment feature below and I’ll make every effort to respond if required.

installing unicornscan on debian/ubuntu

Looking back, I can’t remember a time where I used Nmap to perform UDP port scans. Pentesters are far too impatient to spend hours waiting for a UDP scan to finish in the hope of finding some badly configured service. Which is why I found it odd when I received a message saying “why do UDP scans take hours?”

It never occurred to me that this poor dude was staring at the screen, Nmap torturing him every 30 seconds by telling him he won’t be done with this machine any time this week. I told him about this gem of a payload transmitter that just also happened to be an epic UDP port scanner, largely forgotten since the sad departure of the late Jack C. Louis. And seeing as this was a client supplied ‘jump-box’ and not something handy like Kali, I decided to take a crack at installing and showing the tester good ol’ unicornscan. (I didn’t realise installing unicornscan would take longer than the Nmap UDP scan itself.)

Many, MANY hours later I finally got unicornscan working and decided to make a note on how to deploy this on an updated debian distro circa 2014.

Get the dependencies installed

sudo apt-get install postgresql libdnet-dev libpq-dev libpcap-dev bison flex

Download and Install unicornscan

wget http://sourceforge.net/projects/osace/files/unicornscan/unicornscan%20-%200.4.7%20source/unicornscan-0.4.7-2.tar.bz2/download -O unicornscan-0.4.7-2.tar.bz2
tar jxvf unicornscan-0.4.7-2.tar.bz2
cd unicornscan-0.4.7/
./configure CFLAGS=-D_GNU_SOURCE
make
sudo make install

Hope this helps.

norsec0de

data exfiltration over SSL with srvdir

Every now and then I come across some application that may or may not have been developed with penetration testing in mind but it ends up being damn helpful all the same. Yesterday I found a post about ‘srvdir’ (surv~durr?) which is designed to share content over SSL/TLS via a public site.

When trying to exfiltrate data from a client site I normally spend a lot of time setting up tunnels, using disposable A records from afraid.org and one of my boxes in some east-european cave just so I can get the damn ‘payroll-summary-june-2014.pdf’ trophy off some box that is swimming in ssh-tunnel-fu. srvdir is the perfect answer to this problem and testing it has been awesome and full of those “Why didn’t I think of this?!!” rants.

Essentially, what srvdir does is to create an SSL tunnel to the mothership ‘srvdir.net’ and issue a subdomain that can be accessed externally to siphon the files off. Grabbing files is relatively painless with the odd 404 for the permission snobs. It supports basic http-auth for the paranoid and by the looks of it, tokens as well. It runs seamlessly on Windows, Linux and OSX and is relatively small.
