
Open Source Information Gathering
First things first: you need to download Chris Gates’ Brucon presentation “Open Source Information Gathering” [PDF] NOW!  I wasn’t fortunate enough to attend Brucon, but I took away a lot of great information from this presentation.  Lots of talking about the use of Maltego and other great sources/sites to help you gather information on businesses, people, etc.  By the way, if you do any sort of information gathering/recon work and you’re not using/haven’t tried Maltego – you need to give it a try!  They have a Community Edition that’s free to use and a license of it is VERY reasonable!  There, I’ve officially whored out my first product on my blog!

Powershell Ping Sweep
I’m a HUGE fan of powershell!  I’m definitely not a master at it, but I can definitely get around with it.  If you don’t know much about powershell or how to use it – this would be a good introduction!  The blog entry at securitywhole.com deconstructs the powershell command for a very helpful ping sweep.  Make sure to check their blog often – the next post over there is going to be the powershell version of nslookup and brute-force reverse DNS lookup!

Bank Sues Google After Email is Sent with Sensitive Info to Wrong Address
I’m not going to lie – I’m not a huge fan of Wired.  However, when I read this story it made me chuckle a bit.  Brief summary: bank employee sends an email with sensitive information unencrypted (information that isn’t supposed to be sent in the first place) – employee realizes that it’s going to the wrong address – employee tries to contact email owner – employee receives no answer – Bank sues Google to try and get information about the owner of the email address.  Oh, they’re also asking the court that the information be under seal so that the information isn’t disclosed.  Since a good part of my life revolves around compliance, it just leaves me saying that if you’re going to send confidential information: encrypt it!  In this case, don’t send information that isn’t supposed to be leaving the confines of the office in the first place!

I check Jeff Moser’s blog from time to time – the guy is wicked smart and his posts are always very interesting and educational.  This week’s post is no exception: A Stick Figure Guide to the Advanced Encryption Standard (AES)!

Offensive Security has officially released the free version of their online training course for Metasploit!!  The best part about it: as Metasploit evolves, so will this training/documentation!  Since MSF evolves on an almost-weekly basis, they definitely have their work cut out for them!  After perusing the site a little bit, I have to say that this training is very thorough and will help the folks new to MSF and even the more experienced folk may learn a thing or ten.

The current course is being offered as donation-only.  So, if you take the course and you like what you learned – make a donation to help a great cause!  There’s going to be a video/PDF version of this as well in the future, but it’s currently being held back until MSF v3.3.

HOT OFF THE PRESS: The fine folks at liquidmatrix just got word that a new version of BeEF has been released!  I believe Dave sums it up the best by saying “For those of you who might not be familiar with the tool its a browser exploitation framework that’s full of WIN!”  As an added bonus, it includes integration with Metasploit!  For more information and screen shots, head on over to Dave’s post at liquidmatrix or just visit BindShell.net!

@Jabra just released this video showcasing all of the new features in BeEF 0.4 – check it out!

SMB2 Remote Exploit Released
Last week an exploit was released dealing with SMB2 causing a DoS on Vista, 2008 Server boxes and the Win7 RC. This week, a well-known security company released a module that contains the remote exploit for this vulnerability. So now you have a choice: DoS the box or 0wn the box. The SANS ISC has released a blurb about this and some workarounds that’s probably worth a look-see and The Register has a decent story about it as well.

HITECH Act Encryption Loophole
The HITECH Act (as well as PCI-DSS) has consumed my time (read: overtaken my life) for quite some time now, so it’s no surprise that I bring up things from this from time to time.  The Register talks about how the Act states that if an organization utilizes encryption (mainly at a disk-level), they’re under no obligation to report a breach to their clients – essentially giving these companies a ‘get out of jail free’ card if a breach were to happen.  Just because you can encrypt your data doesn’t mean you shouldn’t be held liable for a breach of information!

Other Fun Tidbits:

Social-Engineer.org is LIVE
What better way for me to really expand my horizons by leaps and bounds in the realm of social engineering than to have a great resource such as an all-inclusive website focusing solely in this field?!  Social-Engineer.org has some amazing authors and contributors – most I’d say are top in their field (Chris Nickerson, David Kennedy, H.D. Moore, and Mike Murray just to name a few) and will bring a ton of information to the table!  Some other notable parts of the site include:

  • The monthly newsletter that’s going to contain “tips and tricks on Social Engineering, Deception Detection, Influence, Neuro Linguistic Programming, Interviews, tactics, skill enhancers and early bird announcements on some very important industry related items.”
  • The Resources page that contains helpful tutorial videos and tools
  • Most importantly, the Framework – this contains the newest and most innovative information regarding social engineering and is constantly growing thanks to the contributors to the site

Sharing Files Over SocNets??
Ever wanted to share files on your hard drive with people on Twitter and Facebook? NOW YOU CAN! This gets filed in the ‘Are You $#%&ing Kidding Me!?’ category.  From what I’ve read, the PogoPlug device sits on your external USB hard drive and allows you to share whatever resides on that drive.  Can you say P2P via SocNets??  I have a feeling that maybe @Agent0x0 will take this a bit further at some point (I hope, I hope, I hope!)?

New Security Tools Released by Microsoft
HelpNet Security released a quick blurb about the Software Development Lifecycle team at MS releasing two new tools: BinScope Binary Analyzer and MiniFuzz File Fuzzer.  Both I believe are pretty self-explanatory.

Securabit Live Podcast Tonight!
The good folks at Securabit are doing a live podcast tonight (actually…it’s right now) with their special guest: Paul Asadoorian from PaulDotCom.com!  Take a listen and learn a thing or two!

The fine folks over at @BacktrackLinux made a great announcement today: the online version of the “Metasploit Unleashed: Mastering the Framework” training course will be released on 09.22.09!  I’m no n00b to MSF by any means, but I know I could learn a hell of a lot more than I already know!

According to previous posts by Offensive Security, there will be a free version which will include the PDF and offline labs.  However, if you want to become an OSMP (Offensive Security Metasploit Professional), you’ll need to purchase the videos for a small fee.  All proceeds are going towards a great cause: Hackers for Charity!  If you don’t know about HFC, click on that link and check out Johnny Long’s story!  More preliminary info about MSF Unleashed can be found in this entry on Offensive Security’s blog.

Well, it’s finally happened: b10w started a blog! I know…I’m just as shocked as you all are. I’m hoping that this blog will expound on the “micro-blogging” (or whatever term they now deemed for it) I do on Twitter. Granted, most of what I do on Twitter is absorb the information of others and try to build upon the 140 character seedlings people toss about.

I enjoy the work I do. I enjoy the work that I do outside of work even more. I want to look back and say that I kicked much ass and I took many-a-name in regards to my work. I’m not saying that a blog is going to really change a whole lot, but I’m hoping that it’ll be another place where I can post my thoughts, projects, rants, etc. and get some feedback from my fellow geeks that’s longer than 140 characters! Also, if I get to educate/help a person or three along the way – that’d be swell.
