Defcon 18

2010-07-18 Thread Lisa Kachold
Oops, I did it.  I read the list of presentations, so now I HAVE to go to
Defcon 18:

https://www.defcon.org/html/defcon-18/dc-18-news.html

Who else is going?

-- Forwarded message --
From: Fyodor 
Date: Fri, Jul 16, 2010 at 10:50 AM
Subject: Nmap Defcon Release: Version 5.35DC1
To: nmap-hack...@insecure.org


Hi folks.  It has been 3.5 months since the last Nmap release
(5.30BETA1 on March 29), and anyone following the nmap-dev list knows
that we've been very busy during that time.  So I'm pleased to release
Nmap version 5.35DC1 containing the fruits of that labor.  The Defcon
name is because that conference is awesome!  And also because David
Fifield and I have an exciting Nmap talk planned there and at Black
Hat in a couple weeks (see http://seclists.org/nmap-dev/2010/q3/108).

This release includes 131 NSE scripts (17 new), 6,622 version
detection signatures, 2,608 OS fingerprints, and more.  I'm
particularly excited about the new db2 and ms-sql scripts, and nfs-ls
really makes NFS discovery easy!  We also added Eugene Alexeev's
clever new dns-cache-snoop script.  Nping and Ncat were significantly
improved as well.

The Nmap 5.35DC1 source code and packages for Linux, Mac OS X, and
Windows are available for download at the usual place:

http://nmap.org/download.html

This is a BETA release, but we hope it works well for you. If not (or
if you have any suggestions for improvement), please let us know on
nmap-dev as described at http://nmap.org/book/man-bugs.html.

Here are the 83 most significant changes in this release:

o [NSE] Added 17 scripts, bringing the total to 131! They are
 described individually in the CHANGELOG, but here is the list of new
 ones:
  afp-serverinfo, db2-brute, dns-cache-snoop, dns-fuzz, ftp-libopie,
  http-php-version, irc-unrealircd-backdoor, ms-sql-brute,
  ms-sql-config, ms-sql-empty-password, ms-sql-hasdbaccess,
  ms-sql-query, ms-sql-tables, ms-sql-xp-cmdshell, nfs-ls, ntp-monlist
 Learn more about any of these at: http://nmap.org/nsedoc/

o Performed a major OS detection integration run. The database has
 grown to 2,608 fingerprints (an increase of 262) and many of the
 existing fingerprints were improved. These include the Apple iPad
 and Cisco IOS 15.X devices. We also received many fingerprints for
 ancient Microsoft systems including MS-DOS with MS Networking Client
 3.0, Windows 3.1, and Windows NT 3.1. David posted highlights of his
 integration work at http://seclists.org/nmap-dev/2010/q2/283.

o Performed a large version detection integration run. The number of
 signatures has grown to 6,622 (an increase of 279). New signatures
 include a remote administrative backdoor that a school famously used
 to spy on its students, an open source digital currency scheme named
 Bitcoin, and game servers for EVE Online, l2emurt Lineage II, and
 Frozen Bubble. You can read David's highlights at
 http://seclists.org/nmap-dev/2010/q2/385.

o [NSE] Added nfs-ls.nse, which lists NFS exported files and their
 attributes. The nfs-acls and nfs-dirlist scripts were deleted
 because all their features are supported by this script. [Djalal]

o [NSE] Add new DB2 library and two scripts
 - db2-brute.nse uses the unpwdb library to guess credentials for DB2
 - db2-info.nse re-write of Tom Sellers script to use the new library
 [Patrik]

o [NSE] Added a library for Microsoft SQL Server and 7 new scripts. The new
 scripts are:
 - ms-sql-brute.nse uses the unpwdb library to guess credentials for MSSQL
 - ms-sql-config retrieves various configuration details from the server
 - ms-sql-empty-password checks if the sa account has an empty password
 - ms-sql-hasdbaccess lists database access per user
 - ms-sql-query adds support for running custom queries against the database
 - ms-sql-tables lists databases, tables, columns and datatypes with
   optional keyword filtering
 - ms-sql-xp-cmdshell adds support for OS command execution to privileged
   users
 [Patrik]

o [NSE] Added the afp-serverinfo script that gets a hostname, IP
 addresses, and other configuration information from an AFP server.
 The script, and a patch to the afp library, were contributed by
 Andrew Orr and subsequently enhanced by Patrik and David.

o [NSE] Added additional vulnerability checks to smb-check-vulns.nse:
 The Windows RAS RPC service vulnerability MS06-025
 (http://www.microsoft.com/technet/security/bulletin/ms06-025.mspx)
 and the Windows DNS Server RPC vuln MS07-029
 (http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx).
 Note that these are only run if you specify the "unsafe" script arg
 because the implemented test crashes vulnerable services. [Drazen]

o [NSE] Added dns-cache-snoop.nse by Eugene Alexeev. This script performs
 cache snooping by either sending non-recursive queries or by measuring
 response times.

o [Zenmap] Added the ability to print Nmap output to a
 printer. [David]

o [Nmap, Ncat, Nping] The default unit for time specification

DefCon 18

2010-07-27 Thread Lisa Kachold
Too bad I can't take off for Friday, I would enroll in this:

https://forum.defcon.org/showthread.php?t=11627

Capture the Packet Contest

Encrypt or be Sorry!

-- 
IvedaXpress.com Systems Engineer
Office: (480)307-8712
AT&T: (503)754-4452

"Faith is, at one and the same time, absolutely necessary and altogether
impossible. "
--Stanislav Lem
---
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

Re: Defcon 18

2010-07-23 Thread Ben Trussell
I'm indeed giving a trip to Vegas that weekend some serious thought =)

BTW I bought Fyodor's Nmap book and love it.

Ben

On Sun, Jul 18, 2010 at 6:32 AM, Lisa Kachold  wrote:
> Opps, I did it.  I read the list of presentations, so now I HAVE to go to
> Defcon 18:
>
> https://www.defcon.org/html/defcon-18/dc-18-news.html
>
> Who else is going?

DEFCON 18 Slides Online

2010-09-02 Thread Lisa Kachold
While these are not the complete production quality of all the video taken
with the speaker on the left side and the content on the right promised by
Steve Kaplan (and I [shared costs]) for the Hackfest presentations through
the reduced "at CON" purchase price of $299.00.

They are the production presentations posted online (which are good enough
for those of us just looking to get the meat of the technology (depending on
how you learn):

https://www.defcon.org/html/links/dc-archives/dc-18-archive.html

-- 
Office: (602)239-3392
AT&T: (503)754-4452
http://it-clowns.com 

“Achieving life is not the equivalent of avoiding death.” Ayn Rand

DefCon 18 HighLights (& Complete Video)

2010-08-02 Thread Lisa Kachold
DefCon 18 is the computer security conference in Las Vegas following the
Black Hat conference, famous for releasing many important exploits that
force software and systems providers and telecommunications companies to fix
low level security issues that affect us all.  It's a huge reverse
engineering, hacking and intellectual critique fest.  Many federal agencies,
contract providers, reverse engineers, genius kids and other rogues (like
me) appear to enjoy the deep virtual and human packet inspection.

Highlights from DefCon 18:  http://www.defcon.org/

1)  Docsis
Docsis (most recent is 3.0) is the modem protocol for cable modems which
includes channel bonding capabilities that vastly expand regular cable data
transfer capabilities beyond T1 speeds.  A firmware upgrade with a Linux
based stack to most commonly available cable modems allows for "network
diagnostics", which vastly expands speed via interface bonding, channel
security and much more.

Defcon 16 showcased various modifications and techniques to gain free and
anonymous cable modem internet access.  Analyzed and discussed were the
tools, techniques, and technology behind hacking DOCSIS 3.0.  Haxomatic USB
JTAG/SPI firmware was released by programmer Rajkosto & SBHacker and updated
DOCSIS 3.0 hacked firmware for TI puma5-based cable modems was made
available.

*Blake Self* is most widely known for co-authoring the first commercial
encrypted instant messenger with Dr. Cyrus Peikari while at VirusMD. He has
also worked as a SIPRNET Administrator, Department of Defense Red Team
Analyst, and R&D at various corporations including Airscanner and Ontario
Systems. He currently works in the automated data collection industry as
well as doing research for S2ERC (http://www.serc.net).

*Bitemytaco* is a well-known person in the DOCSIS research community and one
of the root admins at SBHacker.net, the largest modem hacking community in
the world. He funded the development of Haxorware (coded by Rajkosto) - the
most popular and innovative diagnostic cable modem firmware ever released.
He also coordinated the development of the current hacked SB6120 firmware
and released it to the public on Christmas 2009. Taco has been researching
cable modem networks since 1998 and has been involved in the modem hacking
scene for many years. "DOCSIS: Insecure By Design" was presented at DEFCON
16 by Taco along with teammates Blake of SERC and devDelay of SBHacker.

History:

Docsis is at the heart of Net Neutrality legislation:
http://www.wired.com/threatlevel/2010/04/net-neutrality-throttle/

Sniffing Cable Modems from DefCon 16:

https://media.defcon.org/dc-16/video/Defcon16-Guy_Martin-Sniffing_Cable_Modems.m4v

Quote: "Unless you steal the cable you are 'testing', the laws for expanding
cable services exist in the grey area we all work within".

2)   WPA2 Hole 196:

Using the inherently broken GTK handshake to bypass security (and user
encapsulated network isolation keys) in WPA2 (full toolset released),
allowing for instant transparent Man in the Middle attacks using
multicast, unicast and broadcast packets (works once you have a shared
network session [5 minutes to crack any WEP/WPA/WPA2 using
BackTrack4/Aircrack-ng (7 minutes with MAC address filtering or hidden
SSID)]); Hole 196 allows for instant exploits of all user services once
sharing an Enterprise WPA2 system and includes the addition of only 4 lines
of code to existing exploit tool-chains to target openly transmitted GTK
keys.

Excerpt:

AirTight Networks <http://www.airtightnetworks.com/> (a wireless security
vendor) presented a demo of a new WPA2 vulnerability that affects even
802.1X-authenticated networks.

Several press releases note the attack uses information of a vulnerability
found on page 196 of the IEEE 802.11 wireless specification.

*Possible attacks:*
- Compromise authentication server (AS) which participates in key
distribution
- Compromise pairwise (individual station) keys
- Reuse of GTK (only for broadcast/multicast)
- Spoof AP or authentication server (AS) for MITM attack
- Implement an 802.1X EAP method which is insecure (i.e. EAP-MD5) and
compromises the keys
- Attack on TKIP (versus CCMP)

*The documented 802.11 standard vulnerability:*

Page 196, Section 8.5 Keys and Key Distribution
Under that section is this paragraph:

NOTE—Pairwise key support with TKIP or CCMP allows a receiving STA to detect
MAC address spoofing and data forgery. The RSNA architecture binds the
transmit and receive addresses to the pairwise key. If an attacker creates
an MPDU with the spoofed TA, then the decapsulation procedure at the
receiver will generate an error. GTKs do not have this property.

http://www.networkworld.com/news/2010/073010-airtight-wpa2-vulnerability.html

3)  Powershell automatic Metasploit and Meterpreter exploits:

Powershell comes in Windows 7 by default (cannot be disabled), and is a
powerful command line addition to Windows a
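As an added illustration of the 802.11 NOTE quoted above (example code, not from the DEFCON talk, AirTight or the standard), here is a toy Python model of address-bound integrity checking: whether the receiver can detect a spoofed transmitter address depends entirely on who holds the key the tag was computed under. The `mic`, `encapsulate` and `decapsulate` helpers and the sample addresses are constructed for this example and stand in for CCMP, which they do not implement.

```python
import hashlib
import hmac
import os

# Toy model (constructed for this example, not real CCMP) of the property the
# 802.11 NOTE describes: the integrity tag covers the transmitter address (TA)
# and receiver address (RA) as well as the payload, so a frame whose TA does
# not match the key it was built under fails the check at the receiver.
AP = bytes.fromhex("001122334455")      # constructed sample AP address
STA_A = bytes.fromhex("0a0b0c0d0e0f")   # a legitimate associated client
STA_B = bytes.fromhex("1a1b1c1d1e1f")   # another associated client
BROADCAST = b"\xff" * 6


def mic(key: bytes, ta: bytes, ra: bytes, payload: bytes) -> bytes:
    """8-byte integrity tag bound to the addresses, standing in for CCMP's MIC."""
    return hmac.new(key, ta + ra + payload, hashlib.sha256).digest()[:8]


def encapsulate(key: bytes, ta: bytes, ra: bytes, payload: bytes) -> tuple:
    """Build a (TA, RA, payload, tag) frame under `key`."""
    return (ta, ra, payload, mic(key, ta, ra, payload))


def decapsulate(key: bytes, frame: tuple) -> bool:
    """Receiver-side check: True if the frame verifies under `key`."""
    ta, ra, payload, tag = frame
    return hmac.compare_digest(tag, mic(key, ta, ra, payload))


def pairwise_key_rejects_spoofed_ta() -> bool:
    """Unicast under a pairwise key: STA_A shares ptk_a only with the AP, so a
    frame carrying the AP's address as TA but built by STA_B (which holds only
    its own ptk_b) fails decapsulation at STA_A.  Returns True when rejected."""
    ptk_a = os.urandom(16)
    ptk_b = os.urandom(16)
    frame = encapsulate(ptk_b, AP, STA_A, b"unicast payload")
    return not decapsulate(ptk_a, frame)


def group_key_cannot_attribute_sender() -> bool:
    """Broadcast under the GTK: every associated STA holds the same key, so a
    frame built by STA_B with the AP's address as TA verifies at STA_A and is
    byte-for-byte identical to one the AP would send.  Returns True when the
    receiver accepts it and cannot tell the two apart."""
    gtk = os.urandom(16)
    from_ap = encapsulate(gtk, AP, BROADCAST, b"group-addressed payload")
    from_b = encapsulate(gtk, AP, BROADCAST, b"group-addressed payload")
    return decapsulate(gtk, from_b) and from_ap == from_b
```

The receiver's check passes for any holder of the GTK, which is exactly why the NOTE says group-addressed frames lack the spoofing-detection property that pairwise-keyed frames have.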

HackFest Tomorrow 6:00is to 8:00 DefCon 18 Review

2010-08-09 Thread Lisa Kachold
We will be going over a CD review of some of the content from DefCon 18
while we wait for the DVD Video/Audio series which we plan to present
through the next sessions this year.

Join us at JCL Cowden Center http://plug.phoenix.az.us/security

-- 
Office: (602)239-3392
AT&T: (503)754-4452
http://it-clowns.com <http://it-clowns.com/wiki/index.php?title=Obnosis>

"Faith is, at one and the same time, absolutely necessary and altogether
impossible. "
--Stanislav Lem

Hackfest Presentation Tuesday JCL Hosp. Cowden Center 6:00 - 8:00 Defcon 18 Videos

2010-09-13 Thread Lisa Kachold
PLUG Linux Security Team will be presenting Professional Videos from Defcon
18 over the next 10 months.

The Videos are excellent quality purchased at the con and include speaker
and overhead with high quality audio.

http://plug.phoenix.az.us


See you there!



-- 
Office: (602)239-3392
AT&T: (503)754-4452
http://it-clowns.com <http://it-clowns.com/wiki/index.php?title=Obnosis>

“These capitalists generally act harmoniously and in concert, to fleece the
people”  --Abraham Lincoln