Archive for July, 2012

 

DEFCON XX

Jul 30, 2012 in Security

[SecurePlanet Wiki][SecurePlanet RSS Feed][SecurePlanet RSS Vulnerabilities]
Just got back from Defcon 20!  Another successful Defcon and Bsides filled with hacking, partying, drinking, and just plain out breaking things.  Here are some of the things I found interesting:

1) Moxie’s talk on breaking encryption on PPTP VPNs and WPAv2 was big. He put a website up to use the cloud to crack the passwords from the MSCHAPv2 handshakes. https://www.cloudcracker.com/

2) HD Moore scanned the internet (TCP/UDP/UPNP) every 7 days, put a search page up, and owned the internet. This is SHODAN on steroids.

3) Dave Kennedy talked on abusing SCCM (System Center Configuration Manager) (aka SMS) and pxeboot during pentests to get mass shells across the enterprise. Pretty much every configuration he’s ever seen of SCCM is misconfigured. Tool is now included in SET: https://www.trustedsec.com/downloads/social-engineer-toolkit/. Also, about shell encoding/encryptors to avoid AV 100% of the time (hyperion is awesome… ask me for more details if nerdy and interested).

4) Georgia spoke on andriod pentest framework. https://github.com/georgiaw/Smartphone-Pentest-Framework

5) Don Weber – A SMART METER ASSESSMENT TOOLKIT for testing Smart Meters via the optical port. Tool is called OPTIGUARD, which will only be released to those in the utility field, built in python, and used to test both auth and unauth tests. *Excellent talk for smart meters!!! https://media.blackhat.com/bh-us-12/Briefings/Weber/BH_US_12_Weber_Eye_of_the_Meter_WP.pdf

Want to see all the recorded B-sides videos? Here you go.

http://www.youtube.com/playlist?list=PL6BDB3C7E02162BAB

I recommend you watch number:
5 – Must watch if you are a HD Moore fan boy.
15 – Smart Phone Pentesting
16 – Raphael Mudge is the creator of Armitage and is a great speaker.
20 – Those that are burp fans, this was actually pretty cool. It has potential to be a powerful addon.
21/22 -this is just cool stuff. Fun, if you like researching and breaking captcha.

Additional cool things.
-Ninja Badges this year were cellphones running custom android OS and using their own Cellular Network… omg
-There are too many people at defcon…
-GoldCoast Buffet is 9 dollars and pretty awesome!