IRON::Guard Security, LLC is a full-service information security consulting firm. Our Professional Services range from Penetration Testing, Vulnerability Assessments, Audits/Compliance - GRC, Incident Response, Managed Security Services, Physical Threat Assessments, Training Services and DR/Business Continuity Planning.
Wednesday, February 27, 2008
Blackhat 2 Day Recap [Bettalatethaneva]
After walking out of Starbucks cup in hand, there was a look in each mans eye, a pep in his step, for lack of better terms we had ENERGY! On to the Blackhat Tales.
Day One
We registered, claimed our badges and bags and immediately went schwag hunt...er I mean talked to some of the vendors including Paraben, SAINT and Sunbelt Software. We missed most of the introduction and most of the keynote address. We also bumped into Chris Gates from LSO and Brian Wilson and hung out with them most of the day including lunch.
We attended the following talks:
Cracking GSM
RFIDI0ts!!!--Practical RFID Hacking
Bad Sushi: Beating Phishers at their Own Game
Oracle Hacking
Scanning Applications 2.0
We grabbed a quick bite to eat and chatted with Steve Adegbite of Microsoft (always a pleasure!) before we had to leave to do the 1.5 hour commute (sigh)
Day Two
We slept in till noon and decided that a 1.5 hour commute both ways just wasn't going to happen. Instead we packed our suitcases and jumpbags, went bar hopping, shopped at WalMart, and had dinner at a Chinese Buffet. (not necessarily in that order)
All in all it was pretty cool, the talks were a step up from Shmoocon overall and the atmosphere is nice (they also have Starbucks drip coffee going for them). Its much smaller than BH USA Las Vegas which was a great time last year. I think that next year I might just do Shmoo and then Defcon/BH Vegas in the summer.
Tuesday, February 26, 2008
802.11 Attacks
I regret that I was unable to see Joshua Wright and Brad Antoniewicz talk on PEAP: Pwned Extensible Authentication Protocol at Shmoocon 4. Josh was kind enough to put up slide of the talk on willhackforsushi.com. Brad also made slides available that are complimentary to the ones from the presentation.
In conjunction this is a very informative compilation of slides that should interest anyone interested in 802.11 security and I would like to thank the both of them for making these resources available!
UPDATE: A related article can be found here.
Your Client Side Security Sucks [really, it does]
This is an excellent read that I would suggest to anyone trying to understand why client side security is so vulnerable and error prone on the development side of things.
Data Breach Notification Laws, State By State
Enjoy!
Sunday, February 24, 2008
MySQL, SHA1 and me
While hacking around with SQL injection on the LSO (LearnSecurityOnline) labs, the subject of being able to crack a MySQL SHA1 password hash came up and became a topic of interest and a challenge of sorts. I have never come across this one before so I impulsively decided to pick it up and see what I could do with it before I had to get on a plane back to Seattle.
./poc
A quick Google search turned up this tool.
A proof of concept (hence the name) MySQL password hash cracker. Optimized for quad core CPU implementations
Can be downloaded from http://www.sqlhack.com/poc.c
gcc -O3 -o poc poc.c
I ran this for about 12 hours until it determined that the password was beyond 8 character and therefore out of scope for this particular program.
Performed on a Dell D600 Pentium M 1.4 Ghz Machine with 1 GB of RAM
./mysqlfast
Some initial Googling turned up this tool. I was able to run this one the longest albeit without any success.
http://packetstorm.linuxsecurity.com/Crackers/msqlfast.c
gcc -O2 -fomit-frame-pointer mysqlfast.c -o mysqlfast
I ran this tool for about 15 hours without success. It was checking 9 character passwords when I ended execution of the program.
Performed on a Dell D600 Pentium M 1.4 Ghz Machine with 1 GB of RAM
./unhash
I came across this one looking for MySQL SHA1 crackers on PacketStorm Security. I was only able to run it for a few hours before I had to pack up my laptops in preparation to catch my flight.
http://packetstorm.codar.com.br/Crackers/unhash-0.9.tgz
Performed on a Dell D600 Pentium M 1.4 Ghz Machine with 1 GB of RAM
Cain & Abel
Identified the hash as MySQL v3.23. I attempted to use the built in dictionary running as many permutations as possible without any success. It took about an hour or so to make it through the dictionary file.
Performed on a HP nc6000 Pentium M 1.6 Ghz laptop with 2 GB of RAM
John the Ripper (Joe McCray performed this test)
John is not natively capable of cracking MySQL SHA1 hashes and requires a patch to do so.
[j0e@LinuxLaptop john-1.7.2]$ wget
http://openwall.com/john/contrib/john-1.7-all-4.diff.gz
[j0e@LinuxLaptop john-1.7.2]$ gunzip -c john-1.7-all-4.diff.gz | patch
-p0
[j0e@LinuxLaptop john-1.7.2]$ cd src/
[j0e@LinuxLaptop src]$ su
Password:
[root@LinuxLaptop src]# make linux-x86-any
John was fed a 7 million entry password dictionary
[j0e@LinuxLaptop run]$ ./john
--wordlist=../../../wordlistz/MassiveDictionary.txt mysql_hash.txt
Loaded 1 password hash (Raw SHA1 [raw-sha1])
guesses: 0 time: 0:00:00:03 100% c/s: 862538 trying: zwolle
This was NOT the correct password.
Performed on a Dell D620 Core Duo 2 1.83 laptop with 2GB of RAM
If anyone out there has any suggestions on more efficient ways to go about this I would LOVE to hear about them.
UPDATE: Sandro Gauci of SipVicious.org pointed me to a great resource. Any other feedback and suggestions are welcome!
May Your Skill Prevail.
Tuesday, February 19, 2008
The DC/Maryland Saga Continues
Today we actually made it back in by 2AM after eating dinner at Applebee's while watching the NBA All Star Game and then doing some wardriving of Aberdeen, Maryland (~800 Aps). Joe, evil1, Law and myself all stayed up most of the night hacking away and talking.
Around noon we all had to drag ourselves out of bed to get evil1 to the airport to catch a 4:30pm flight. After dropping him off Lawrence and I had to stop at Starbuck's coffee (Burger King coffee is like kryptonite to Seattle denizens) and note that it appears that we had brought the overcast cloudy and rainy weather with us.
Since we were already in the area and had our wardriving gear with us we decided that some good 'ol AP detection was in order. We were able to get a pretty good haul of ~10,000 AP's after about 3 hours then headed north for the long journey home.
Tomorrow we are planning to drive back down to DC and do the BH DC 2008 Briefings early registration. If all goes well we may drive up to Philadelphia and do some wardriving before it gets too late.
Sunday, February 17, 2008
Shmoocon Day Three
After 3 nights of 2-3 hours of sleep and a 1 ½ hour commute both ways everyone was exhausted today. We made the decision to stay at the house and catch up on our rest before we got to a BBQ at Wolf's house. I regret missing the PEAP: Pwned Extensible Authentication Protocol by Josh Wright and Brad Antoniewicz presentation.
As I type this Joe and Lawrence are sitting at the dining room table with laptops with evil1 still in his room sleeping. Overall shmoocon was a blast, the talks were o.k. but the people and side channel conversations we had were excellent.
Will I be going next year? Absolutely!
Shouts out to to CG, Kev, Marco and Steve A. I'll catch those who are going to BH Federal at the briefings next week or at DefCon later in the year. If not see you guys on SILC.
Saturday, February 16, 2008
Shmoocon Day Two
We were able to actually make it in on time today after getting 2 hours of sleep! Watched the Active 802.11 Fingerprinting: Gibberish and "Secret Handshakes" to Know Your AP by Sergey Bratus, Cory Cornelius and Daniel Peebles. I found this to be an interesting talk and hope that this research begins to delve into the client realm in the near future.
I also had the pleasure of catching the following talks:
Got Citrix? Hack It! By Shanit Gupta and Advanced Protocol Fuzzing - What We Learned when Bringing Layer2 Logic to "SPIKE Land" by Enno Rey and Daniel Mende. There was also an impromptu talk by muts covering AV circumvention using ollydebug and Windows Vista ASLR circumvention.
I had lunch with Kevin Figueora of K&T International Consulting, Marco Figueroa of MAF Consulting, Inc, Joe McCray of LearnSecurityOnline, Lawrence White of IGS and evil1 at the Chipotle down the street from the hotel. All of us also got together later in the evening and had the most amazing time eating dinner, watching the All-Star 3 point shooting and Slam Dunk contest and having drinks and talking shop. The talks at any convention are good to go to but these are the experiences that stay with you for a lifetime.
Shmoocon Day One
Overslept like a bunch of jet lagged bums! Arrived 2 hours late and missed all of the talks getting social with my peers. Met some cool guys: muts from Offensive Security/Back|Track, Aaron Petersen from MRL (Midnight Research Labs) and Rick Farina from AirTight. As is usual for my con experiences hung out with the LSO (LearnSecurityOnline) j0e and Chris and evil1 (mad props for webapp kung fu).