Conferences
Defcon talks – Videos available online..
A recent maillist thread shows that the DC15 videos are anow available online [here]
Our video (although my voice sounded alot better in my head than it does on video) is available [here]
Thunks from hacking games
In Vegas I bought Herman “Exploiting Online Games” by Greg Hoglund and Gary McGraw. Being the saint that I am, I looked at the book thoroughly on the plane on the way home. Fortunately I was able to verify that most of the pages were there and intact and that were no blatant spelling or grammatical errors – it wouldn’t do to give Herman a broken book.
Whilst I was checking the Herman’s gift *anyway* I figured it wouldn’t hurt to also read and absorb some of the content – just to make sure I wasn’t giving him nonsense (with all due respect to Greg and Gary). In particular what interested me was whether their thinking on online games held any lessons for the work we more traditionally do on online financial and e-commerce systems. I thought the book was fascinating, particularly in this context. What follows is a mind dump of some of the thoughts I had as I was reading.
On hamsters, Escaping, Escaping of Hamsters and the Lack of escaping in Hamster…
OK.. So as i mentioned before, I saw Robert Graham from Erratasec demo hamster live on stage and wondered if hamster was doing useful input/output sanitization.. If it wasn’t, he was setting himself up for a pop-up that read “owned on stage” or worse a re-direct to tubgirl.. He didnt get owned on stage, which suggested that either the crowd was really well behaved or the tool was doing some tidying up so i decided to wait till i got home to check..
mh.blackhatFeedback(Side-jacking, Hamster)
Ok.. so its a lot later than i promised, but i did mention that i would post some feedback on some of the talks i ended up catching at this years BlackHat. By far the talk that grabbed the most press was the Erratasec talk on Side-Jacking.
Essentially the researchers demonstrated a tool (hamster) that allows an attacker on a shared network (wifi was used as an example, but i guess any shared medium would suffice) to hi-jack users accounts by sniffing their session-ids.
F(inally)ull Release of BlackHat-Defcon Timing Stuff..
The slides | tool | paper from BlackHat07/DefCon07 have been posted online for your wget’ing pleasure.
More details on squeeza (the tool) can be found on the squeeza page, but in a nutshell is a sql injection tool that uses Metasploits concept of splitting exploit/payloads/etc with SQL Injection attacks. Current modules are written for MS-SQL server but include functionality for (user defined sql queries, some db schema enumeration, command execution, file-transfer, db_info) and the information is returned (channel selection) via one of (application error messages, DNS, Timing). The modularity’ness means that these all mix and match – I.e. if you write a module to “extract data from all tables that look like username*”, the results would be available on any of the available channels.. (Its a pretty neat tool.. and saved our bacon more than once) So check it out, and send feedback to research@sensepost.com
BlackHat Roundup – Ajax and h.323 and iax
The bulk of security research pertaining to VoIP call control, setup and signaling protocols has focused on the Session Initiation Protocol (SIP), due to the ubiquity and widespread adoption of this protocol. However, a number of other protocols and protocol suites are in use in many organizations and have been adopted by many of the VoIP vendors. Some examples of these protocols are Cisco’s Skinny Client Control Protocol (SCCP or Skinny), the H.323 suite of protocols, and Asterisk’s Inter-Asterisk eXchange (IAX).
Squeeza: The SQL Injection Future?
During our talk we demo’d squeeza.. We will link to the slides and .ppt as soon as we can, but have been getting a few requests already for the code, so here it is..
For those who missed the talk, squeeza is a SQL Injection tool, that once given an entry point can simply a bunch of things. Its the first tool i know of that facilitates full binary file transfers (download from the remote SQL Server), database enumeration, etc via a number of channels (Currently via DNS, via HTTP Error messages and Via Timing).
Late BlackHat Update..
ok.. so im in my room finally catching up on sleep (or will be in a few minutes) while most people are finishing Microsofts booze at the PURE microsoft party.. BlackHat is over, which means tomorrow we are off to the riviera for defcon..
Marco and i got a lot of positive feedback from our talk, including from guys like rob auger of wasc fame and andrew bortz who we quote in our paper, so it was pretty cool.. all our demos went of smoothly (where one of them was using javascript (and timing) to create a distributed brute-forcing tool, which had every opportunity to go south) so we were happy..
BlackHat Progress Report
(always wanted to say that!)
2 SensePost Training sessions are over, and as i type The weekday sessions are at about 50%. Feedback so far has been pretty cool and its been fun to meet new people / bump into some old friends..
The next “biggie” on the horizon is Wednesdays talk.. We have had a fair bit of interest so far and even though the slot has some stiff competition its seems like all will be well :). The talk should be interesting to developers, pen-testers and even just people with a vague interest in see’ing cool stuff.. Marco has been adding functionality to “squeeza” like a demon and as it stands its probably the only SQL Injection tool i know that will allow (file downloads, arb sql queries, database mining) all purely in T-Sql over a variety of transport channels (dns, error messages, timing). We will post the link to it for download just before we talk..
BlackHat, DefCon, Las Vegas
Ok.. so the 2nd plane with SensePost’ers has touched down in LasVegas and the first cheeze-pizza from the caesars food court has been consumed.. So little changes in caesars that it always adds to the surreal feeling that lasts for the entire stay..
We will be in the training rooms over the weekend, and during the week, and will then give our bh-talk, before moving to defcon for the talk there..
in between, as usual its a chance to meet old friends, make new ones and get sun-burnt! Grab us if you see us, and we can grab coffee/beer/chocolate-milk..