Archive for July, 2010

DefCon: Nmap Scripting Engine Q&A

July 31st, 2010

By Fyodor and David Fifield

After the presentation I joined Fyodor and David in the Q&A room to talk further about the Nmap NSE session. Here are some of the questions and answers…

Is there anything like XML output to glue the output of the scripts together? Script output is included in the normal XML output, but it is not yet in any structured format. The cool guys from the nmap project have not yet figured out how to do that.

Will the password cracking capabilities in nmap make stuff like John the Ripper obsolete? The password cracking functionality demoed is not a replacement for John the Ripper, but work is in progress to improve nmap's capabilities, especially in the ncrack project, which will add RDP password cracking in the next few days.

Is there a way to run scripts with a declared dependency, so one script runs and then the other script runs based on the results? This is fully supported.

Why Lua over other languages? It was a fight between the Scheme language and other languages. In the end we settled on Lua. Perl and Python were too big to ship with nmap. Lua really fit what we needed and wasn't too big.

Is nmap turning into the new Nessus? Well, it could, but it will never include all scripts to find all vulnerabilities. Each product has its own use, but nmap is getting nearer and nearer to becoming a vulnerability scanner. Conficker is a great example of that: nmap was the first scanner that was able to remotely detect Conficker-infected machines.

Are there plans to include hping functionality in nmap? Yes, there is nping, which has similar functionality and more.

Is there raw packet functionality in NSE? There are packet creation functions in the Lua libraries, and there is an interface to pcap as well.
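The first question above asks how to glue NSE script output together from the XML report. The following is an added example, not code from the Nmap project or from the speakers: it parses the `<script>` elements that `nmap -oX` writes for each port and for the host as a whole and keys them by address, port and script id. At the time of the talk a script result was only the flat `output` attribute; Nmap 6.25 (2012) later added structured `<elem>`/`<table>` children, and the parser below handles both forms. The XML sample, the addresses (documentation ranges) and the script output text are constructed for the example, not taken from a real scan.

```python
"""Glue NSE script results out of Nmap -oX XML into one structure per host."""
import json
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output, not a real scan.  The port-level
# <script> carries only the flat "output" attribute, which is all Nmap wrote
# in 2010; the <hostscript> entry also carries <elem> children, the structured
# form added in Nmap 6.25.  Addresses are documentation-range placeholders.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script smb-os-discovery,smb-security-mode -oX - 192.0.2.10" start="1280534400">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:00:5E:00:53:01" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack" reason_ttl="128"/>
        <service name="microsoft-ds" method="probed" conf="10"/>
        <script id="smb-os-discovery" output="&#xa;  OS: Windows Server 2003&#xa;  Computer name: FILESRV01"/>
      </port>
    </ports>
    <hostscript>
      <script id="smb-security-mode" output="&#xa;  message_signing: disabled">
        <elem key="message_signing">disabled</elem>
        <elem key="authentication_level">user</elem>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""


def _structured(script):
    """Return <elem>/<table> children as a dict (keyed) or a list, or None if absent."""
    children = [c for c in script if c.tag in ("elem", "table")]
    if not children:
        return None
    if all("key" in c.attrib for c in children):
        return {c.get("key"): _value(c) for c in children}
    return [_value(c) for c in children]


def _value(node):
    """Leaf <elem> text, or the recursively parsed content of a <table>."""
    if node.tag == "elem":
        return (node.text or "").strip()
    nested = _structured(node)
    return nested if nested is not None else {}


def _record(script):
    """Keep both the flat text and, when present, the structured form of one result."""
    return {
        "output": (script.get("output") or "").strip(),
        "structured": _structured(script),
    }


def glue_script_output(xml_text):
    """Map each scanned address to its port-level and host-level script results."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("host"):
        # Prefer the IP address; MAC entries also appear as <address> elements.
        addr = next(
            (a.get("addr") for a in host.findall("address") if a.get("addrtype") in ("ipv4", "ipv6")),
            None,
        )
        if addr is None:
            continue
        entry = {"ports": {}, "host": {}}
        for port in host.findall("./ports/port"):
            key = f"{port.get('portid')}/{port.get('protocol')}"
            for script in port.findall("script"):
                entry["ports"].setdefault(key, {})[script.get("id")] = _record(script)
        for script in host.findall("./hostscript/script"):
            entry["host"][script.get("id")] = _record(script)
        hosts[addr] = entry
    return hosts


def hosts_where(results, script_id, predicate):
    """Addresses whose result for script_id (at host level or any port) satisfies predicate."""
    matches = []
    for addr, entry in results.items():
        records = [entry["host"].get(script_id)] + [p.get(script_id) for p in entry["ports"].values()]
        if any(r is not None and predicate(r) for r in records):
            matches.append(addr)
    return matches


if __name__ == "__main__":
    results = glue_script_output(SAMPLE_XML)
    print(json.dumps(results, indent=2))
    print("SMB signing disabled:", hosts_where(
        results, "smb-security-mode",
        lambda r: (r["structured"] or {}).get("message_signing") == "disabled"))
```

With a real report, replace `SAMPLE_XML` with the contents of the `-oX` file; the `hosts_where` query is how the per-script text becomes a target list for the next pass, which is the "gluing" the question is about.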

DefCon: Mastering the Nmap scripting engine

July 31st, 2010

By Fyodor and David Fifield

In this talk Fyodor and David give an in-depth overview of the Nmap Scripting Engine. The Nmap Scripting Engine allows users to create and share scripts for all IP-related tasks, from vulnerability detection to exploitation.

There are a lot of NSE scripts already available for tasks like discovery, authentication tests, denial of service, exploitation and much more. All ship with nmap by default; there are 131 NSE scripts bundled with Nmap at the moment. Two categories are of special interest, safe and intrusive, and they mean exactly what you would expect: a safe script is not supposed to crash the target service or use a lot of bandwidth, while an intrusive one might. In 3.5 years the number of available NSE scripts has grown from 20 to over 130.

In the next part of the presentation Fyodor shows an example of a scenario where NSE really enables a large assessment. Fyodor applied the SMB vulnerability scripts submitted by Ron Bowes against Microsoft's public IP space, a range of over 1,000,000 IP addresses. The first step was a quick scan of the whole range to find interesting targets; Nmap is currently smart and fast enough to scan these addresses in about 26 hours.

DefCon18: The Social Engineering contest

July 30th, 2010

At the DefCon social engineering contest, contestants are given a list of information they have to obtain, a target company they have to obtain it from, and a list of phone numbers of people to get it from. They are given a limited amount of time to get as much of the information as they can.

I walked into the social engineering contest just as the second contestant was ready to start his assignment. His target was a major US automotive company. During his session he was able to speak to two people.

It is very good to hear that at least the first person they got on the line was actually not comfortable answering the questions the contestant asked.

The second victim was a person who had only worked at the company (a major automobile manufacturer) for two months as a security engineer. He was eased into answering mundane but valuable questions about his work and break times, but also about the food service at the company etc.

BSidesLV: How technology killed my heroes, and why they’ll never be born again

July 30th, 2010

By Moxie Marlinspike

Moxie’s talk does not have anything to do with IT security but is about some of his heroes. He started his talk with a young solo sailor who is very heavily supported by technology. If you compare that attempt with a previous attempt from 1985, whose technological highlight was a plastic sextant, the contrast is huge.

Attempts to race around the world non-stop have created a number of stories about sailors and fortune seekers who risked all to win the Golden Globe Race. Races like the Golden Globe Race will not happen anymore. Technology allows current solo sailors to set their autopilot and literally tweet their way around the world in two months.

Is less technology really more? Is it about less technology, or is it about having less communication opportunities?

The Golden Globe Race prompts the question: who are the heroes of our generation? Is it Twitter, and is that a satisfying answer? Where did all the lunatics/weirdos go? History seems to be full of them, but where are they now?

It appears that the increase of communication is causing a narrowing of culture. While individuals are experiencing more and thus feel that culture is widening, it is actually narrowing because diversity is decreasing.

BSidesLV: InfoSec Speed Debates

July 29th, 2010

By Josh Corman, Dennis Fisher, HD Moore, Jack Daniel

The idea of InfoSec speed debates is to pick a topic and debate it between two panelists. A flip of the coin determines whether a panel member has to argue for or against the idea, in under 5 minutes.

Topics of the discussion

User authentication doesn’t work. Conclusion: Maybe.

End user education works. Conclusion: Dream on.

Is it possible to talk about security research and not represent your employer? Conclusion: “It’s the fault of the press.”

Do vulnerabilities still matter? Conclusion: They matter, but we are becoming insensitive to them.

Metrics are bunk. Conclusion: A fool with a tool, is still a fool.

Besides getting the opinion of some smart people, this panel was a lot of fun too.

Black Hat USA: Electricity for Free? The Dirty Underbelly of SCADA and Smart Meters

July 28th, 2010

By Jonathan Pollet

The days when SCADA systems could hide behind obscurity are over. These systems are connected to the Internet and use common protocols about which information is widely available. On 15 July this year, the first Trojan was found that specifically queries databases that are also used by SCADA systems.

This presentation starts by explaining how the power grid works. A typical network architecture has three zones: a corporate network; a DCS (Distributed Control System), EMS (Energy Management System) or DMS (Distribution Management System) network; and a network with the industrial systems on it. These networks are typically separated by firewalls. When you add smart meters to the mix, they are typically connected in a similar fashion.

The formal models around SCADA security all revolve around this zoning model.

Red Tiger Security has developed a special process for assessing these networks, because industrial equipment starts behaving erratically when scanned with standard vulnerability scanners. Automated scanning of the SCADA systems on the network is okay, but scanning the industrial equipment itself will cause outages.

SCADA environments are often poorly patched because patches are known to break SCADA systems. Most of the vulnerabilities discovered in these infrastructures are found in the SCADA DMZ: these systems are often not maintained by corporate IT, which does not know how to maintain them, but they are also not owned by the SCADA engineers.

Black Hat USA: Malware Freak Show 2010: The Client-Side Boogaloo

July 28th, 2010

By Nicholas J. Percoco (@c7five) and Jibran Ilyas

The SpiderLabs guys had a busy year. They investigated over 200 incidents in 24 different countries and collected plenty of malware samples along the way. Building on last year’s DEFCON talk, they dive deeper and bring the most interesting samples from around the world.

This talk brings 4 new freaks and 4 new victims, including a sports bar in Miami, an online adult toy store, a US defense contractor and an international VoIP provider.

The malware being demoed consists of very advanced pieces of software written by very skilled developers. The complexity of their propagation, control channels, anti-forensic techniques and data exfiltration will be very interesting to anyone interested in this topic, even though the major categories have stayed the same.

Malware comes in various categories: keyboard loggers, screen loggers and memory scrapers. Disk scrapers are not very popular because they are slow and are noticed too easily due to heavy disk activity. There are three basic ways to own a system: Physical, Easy and Uber. Physical means inserting something like a USB stick or a hardware key logger. Easy is, for example, through publicly exposed RDP and default passwords.

Malware is getting much harder to detect because it is better tested and uses stealthier techniques like rootkits.

Sample SL2009-127 – Memory Rootkit Malware – Captain Brain Drain

HitB2010Ams – XProbe-NG: Building efficient Network Discovery Tools

July 2nd, 2010

By Fyodor Yarochkin

To clear up a common misunderstanding, this Fyodor is not the same Fyodor as the author of Nmap.

XProbe-NG was written to discover a rogue server in the network of a major Taiwanese Internet provider. It turned out that XProbe was not sufficient to handle all the application-level traffic that was going on in this case.

However, doing layer 7 probes introduced two problems:

  • Bandwidth – Having to send far more data
  • Time – Making sure you finish in time

Other motivations for XProbe-NG include:

  • Scanning other protocols than IP only
  • Bulk scanning
  • Probing “en-route” systems
  • Migration to IPv6
  • Honeypots/nets
  • Improving precision

HitB2010Ams – Hack in the Box, the different conference

July 2nd, 2010

By Frank Breedijk – During Hack in the Box Amsterdam I had the opportunity to sit down with its founder and CEO Dhillon Andrew Kannabhiran. I asked him about the Hack in the Box organisation, the conferences and why it was located in Amsterdam.

Q: What is Hack in the Box?

A: There is no simple answer to that, but let me give it a try. There are two parts to Hack in the Box: the websites and the conferences. But mostly HitB is a group of people bundled in a not-for-profit organisation.

HitB2010Ams – Maltego 3 – Start your Engines

July 2nd, 2010

By Roelof Temmingh

Maltego is like a box of Lego, but for open source information gathering. Open source information gathering refers to gathering information that is publicly available on the Internet.

Paterva released Maltego version 3.0 about two weeks ago, and I previously blogged about the preview at Black Hat EU. Paterva has added quite a few new features; the most interesting is NER, Named Entity Recognition. NER takes text and marks entities like person names, companies and phone numbers. NER can be used to get to a Big Brother scenario where SMS, radio signals and web pages are constantly monitored for named entities.

Roelof demoed NER by trying to find the winner of the FIFA World Cup. He searched for all websites containing the phrases FIF and “win the world cup”. He found the top 50 sites that contained the phrases and got the URLs on these sites. NER was run against these URLs.

Using Maltego, Paterva came up with the prediction that Brazil would win the World Cup.
