This was already the third edition of BSidesLondon today! Time flies! Being busy yesterday, I only reached London in the morning and arrived just in time for the administrative tasks (registration, picking up a t-shirt and goodies), grabbing some coffee and shaking some hands. BSidesLondon is definitely growing in size and quality: a huge number of attendees, two tracks, a rookie track, a job fair, workshops and lightning talks. Even the sun was present over London, no fog at all! Two tracks means you have to make choices! Here is a brief overview of my schedule.
Last weekend, an ethical hacking event was organised in Belgium. The Hacknowledge Contest came to Charleroi and was hosted at the CPEHN. This event was previously organised only in France, thanks to the initiative of the ACISSI. Last year, they decided to open their challenges to other countries. The current list of participating countries is: Côte d’Ivoire, Morocco, Benelux, Spain and France. The organisers are already looking to extend their list with other countries. If you are interested, maybe contact them.
Initially, I registered a small team with a colleague, and in the end we were five ethical hackers/friends participating as “UID(0)“. So, we joined Charleroi on Saturday afternoon to attend a bunch of small talks around information security. A small event with a relaxed atmosphere. The covered topics were:
- Zataz.com, the well-known French website and the process in place to notify organizations of data breaches and/or security issues.
- The security of our payment cards starting from old models based on a magstripe up to the state-of-the-art (but not from a security point of view) NFC chipsets.
- A nice presentation about social engineering with lots of funny examples (my favourite presentation, by Seb Baudru, see the picture below)
- IPv6 & security
- An overview of the security landscape in Belgium (latest major security incidents and who to contact in case of issues – CERT.be, FCCU, etc)
After a break and the registration of all teams, the challenges started for a period of 12 hours (Saturday 10PM to Sunday 10AM). No CTF, no blue team nor red team, but a list of challenges to solve, similar to the SANS NetWars. Each challenge solved gives you points. Seventy challenges were split into categories like:
- Web technologies
- Hardware (lockpicking, Teensy, barcodes, …)
It was very friendly, with good times and music. We finished in third position but very close to the second team… Only the first two teams won, too bad! The final contest will be organised in France and the winning team will receive a very nice prize: an all-inclusive trip to Las Vegas to attend the DefCON security conference!
I don’t often participate in events like this one. I liked the limited number of teams (5) and the friendly atmosphere between the teams. Not too small, not too big, well organised. The event was also covered by some Belgian media.
The contest is closed. All tickets have been assigned.
Dear readers, I’ve some gifts for you! I’m very proud (and surprised!) to have been nominated for the European Security Bloggers Awards in two categories: “Best Personal Security Blog” and “Best Security EU Twitter“. To thank you for these nominations (and first of all for reading/following me), I’ve some tickets to distribute for two nice security events in Paris (DisneyLand Convention Center).
The first one is Hack In Paris, which will be held from 17th to 21st of June. Then, La Nuit du Hack will follow during the weekend. Both are very good events with renowned international speakers. To give you an idea, have a look at my 2012 wrap-ups (day 1 and day 2). A first version of the schedule has already been published. The organizers provided me with 2 x 10 tickets for both conferences. It wouldn’t be fair to simply distribute them to the first comers, so here is a small contest! Answer the following question (tip: the answer is on my blog):
“After the last edition of BlackHat Europe in Barcelona, I waited for my flight back home with a good friend of mine. Who is it?”
Send your answer by email only to xavier[at]rootshell[dot]be. The following information must be provided in the mail:
- Subject: Contest HIP/NDH 2013
- My friend’s nick, Twitter or full name
- Your ticket preference (HIP, NDH or both)
Good luck! Some rules:
- Be sure to attend the conference (in Paris, June 2013) and not to waste tickets
- Travel & hotel costs are not covered and must be paid by the winners
- HIP tickets are not valid for trainings (only talks)
This year, I won’t be able to attend the conference during the week. But I will join Paris for the weekend, see you there!
PS: Don’t forget to vote!
“I’m not a number, I’m a free man” said Number 6 in the series called “The Prisoner” (for the oldest amongst us). The series was broadcast in the Sixties, but we have to admit that, still today, we are only numbers! And this will get worse in the coming years.
Personally, I’m not against being a number if controls are properly implemented. Numbers are easy to index, sort and search. Numbers are a good way to identify things or people, but they can easily be spoofed. As Wikipedia says:
“In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data (in this case the number) and thereby gaining an illegitimate advantage.“
And we are back for a second day full of fun and pwnage! It was a rainy day in Amsterdam today, but water will not prevent hackers from meeting again! I joined the hotel for breakfast in time.
I’m back in Amsterdam for the third time this month. Today, it is to participate in the Hack In The Box conference. This is already the 4th one, time flies! Like the previous editions, the event is organised at the Okura hotel, a very nice place. Thanks to the Easter break, roads to Amsterdam were clear and I arrived in time to register and grab some coffee.
I’m just back from an Easter break with $WIFE and $KIDS, but it does not mean that I was completely disconnected. Between family activities, I read some items pending in my todo list. One of them was the book called “Penetration Testing – Setting Up a Test Lab How-To” from Packt Publishing. This is the second book I have read from their “Instant” collection.
The book, written by Vyacheslav Fadyushin, has only 88 pages but goes straight to the point: helping you to set up your home lab to learn (or improve) your penetration testing skills. Building your own lab is a critical step. Most pentesting actions being against the law (wherever you are living), it is important to have safe (read: private) environments to test new tools, new attacks or exploits. Note that the targeted audience can be extended to security researchers, developers, etc. Everybody needs a lab!
The first part of the book describes the different pieces of software that will be used by the author. Today, it’s impossible to work without virtualization and the author covers briefly the pros and cons of most common virtualization solutions. His recommended list of software includes:
- Microsoft Windows Server 2003 & 2008
- Microsoft Windows XP & 7
- Ubuntu Server 12.04LTS
- Common web browsers (Mozilla, Chrome, Safari & IE)
Note that some of this software is commercial and requires a valid license to work (temporary or permanent). The pentester is of course responsible for buying it (or for finding it by their own means – no more comments). What about the hardware?
- One “big” PC with many CPUs and memory
- One Wireless router
- One laptop
- One Android mobile device
The author talks about a PC with “at least 4 GB RAM“. With today’s prices, my suggestion is to start directly with 16 GB RAM! The more you have, the more smoothly your guests will run. Of course, your future lab will depend on your requirements. To help you in this way, in the next chapter the author briefly describes the goals of pentesting and then gives interesting tables with the different skills you would like to practice and the required components. A few examples:
|Skills to practice|Required components|
|---|---|
||Several different hosts with various operating systems|
|OWASP Top-10 vulnerabilities|Web server, database server and Web Application Firewall|
||Wireless router, RADIUS server, laptop|
The next chapters cover how to deploy your lab in different scenarios, again depending on your needs. Configurations are reviewed step by step with multiple screenshots. Finally, the author describes some online services to practice your skills, based on websites or specific virtual machines ready to be downloaded and exploited. The examples described in the book will address most of the requirements for standard pentesting projects, but some configurations or architectures will simply be impossible to reproduce at home.
More information about the book is available here.
The next edition of Hack In The Box gets closer! It will be held next week in Amsterdam. Thanks to the organizers, I got a press pass and I’ll again be back for two days at the Okura hotel to cover the conference. I’ll tweet live (follow the official #HITB2013AMS hashtag) and write wrap-ups. The conference is organized in the classic format: two days of trainings and two days of high-level talks. They will be split into a three-track schedule. Here is my wishlist:
I had to make difficult choices due to the overlapping of very interesting tracks. At the end of the first day, I hope to be able to attend Itzik Kotler’s workshop about his new tool released just a few days ago (hackersh). The content looks amazing with very good speakers. Stay tuned for more details soon. Ping me if you want to meet!
An interesting reflection about a situation I faced while performing a pentest for a customer. The scope was the internal network, or “show me what an attacker could access from a rogue device“. A very wide scope indeed… The customer is using a NAC (“Network Access Control“) solution to allow only corporate devices to connect to the network. To briefly explain, a NAC is based on tools and protocols to identify end-point devices and grant (or deny) access to resources based on multiple factors like the operating system, the installed patches, the presence of a firewall, an antivirus, a security component or a specific software configuration. A device granted access to the network will usually be switched to a specific VLAN corresponding to its profile. Some firewalls may also be dynamically reconfigured to allow new traffic flows. If you are interested, Google has plenty of results on this topic. Most security $VENDORS have a NAC solution in their portfolio.
The first idea when performing the pentest is to try to understand how the NAC is implemented. How to simulate a “good” device on a “rogue” one… Wait, wait, stop! Let’s take a deep breath… What will happen if a rogue device is detected? In most cases, it will be moved to a quarantine or guest VLAN. This allows the owner to access basic services on the Internet (web surfing, email, VPN) or to perform some remediation and solve the configuration issues (like upgrading the antivirus signatures).
How to take advantage of this? We could imagine the following scenario: let’s connect a rogue laptop to the network. It will logically be connected to the guest VLAN. Now, let’s wait for another device, try to pwn it and set up a permanent reverse backdoor. If you’re lucky, the next time it connects, it will join the right VLAN. In my case, it was even easier: the guest VLAN was not properly configured and it was possible to reach servers as well as other devices in internal VLANs!
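The misconfiguration found above (a guest/quarantine VLAN that can reach internal VLANs) is something a defender can check for in firewall logs. The following is an added example, not code from the original post: it assumes a constructed VLAN-to-subnet map and a constructed firewall log format (`action= src= dst= dport=`) and flags accepted flows from the guest VLAN to any internal VLAN.

```python
import ipaddress
import re

# Constructed VLAN-to-subnet map (assumed, not from the post): the NAC parks
# unknown devices in the guest VLAN; the other VLANs are internal.
VLAN_SUBNETS = {
    "guest": ipaddress.ip_network("192.0.2.0/24"),
    "servers": ipaddress.ip_network("10.10.10.0/24"),
    "workstations": ipaddress.ip_network("10.10.20.0/24"),
}
# Assumed policy: guest hosts may only reach the Internet.
ALLOWED_FROM_GUEST = {"internet"}

# Constructed log format; adapt the pattern to your firewall's syntax.
LOG_RE = re.compile(
    r"action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)

def vlan_of(ip):
    """Map an address to its VLAN name, or 'internet' if it is in no known VLAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLAN_SUBNETS.items():
        if addr in net:
            return name
    return "internet"

def find_guest_leaks(log_lines):
    """Return (src, dst, dport, dst_vlan) for accepted flows from the guest VLAN
    to any destination the guest policy does not allow."""
    leaks = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("action") != "ACCEPT":
            continue
        if vlan_of(m.group("src")) != "guest":
            continue
        dst_vlan = vlan_of(m.group("dst"))
        if dst_vlan not in ALLOWED_FROM_GUEST:
            leaks.append((m.group("src"), m.group("dst"), int(m.group("dport")), dst_vlan))
    return leaks

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "action=ACCEPT src=192.0.2.15 dst=203.0.113.80 dport=443",  # guest -> Internet: fine
    "action=ACCEPT src=192.0.2.15 dst=10.10.10.5 dport=445",    # guest -> servers: leak
    "action=DROP src=192.0.2.15 dst=10.10.20.7 dport=3389",     # blocked, as expected
    "action=ACCEPT src=10.10.20.7 dst=10.10.10.5 dport=443",    # internal -> internal
    "action=ACCEPT src=192.0.2.16 dst=10.10.20.7 dport=22",     # guest -> workstations: leak
]

if __name__ == "__main__":
    for src, dst, dport, vlan in find_guest_leaks(SAMPLE_LOG):
        print(f"guest host {src} reached {vlan} VLAN host {dst}:{dport}")
```

Any hit means the guest VLAN's isolation is broken and the NAC's quarantine decision is not actually enforced by the network.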
Attackers, don’t try to attack the big wall facing you, always try circumventing the difficulty by exploiting weaknesses on the side:
Defenders, don’t ruin your $$$ security solution by implementing poor controls or no control at all!