From Security Weekly Wiki
Revision as of 16:22, 25 October 2013 by Jdaniel (talk | contribs) (→‎Panel)

Watch Live!

Wings For Warriors

Please help support our charity for this event, Wings For Warriors!
Donate By Clicking Here

Episode 350

October 25, 2013 9:00AM-6:00PM EDT

Welcome to our very special episode 350, all in support of wounded veterans in our armed services. Please take the time to donate using the links above. We've got an epic day in store for you, including contests, panel discussions, technical segments and more!


Intro 9:45AM-10:00AM

Crypto Challenge 10:00AM-10:10AM

Anthony Ameen - Wings for Warriors: Interview 10:10AM-10:30AM


Active Defense: Taking The Fight To Attackers: Should We? 10:30AM-11:30AM



Ben Wright:

Benjamin Wright is the author of several technology law books, including Business Law and Computer Security, published by the SANS Institute. With over 25 years in private law practice, he has advised many organizations, large and small, private sector and public sector, on privacy, computer security, e-mail discovery, outsourcing contracts and records management. Nothing Mr. Wright says in public is legal advice for your particular situation. If you need legal advice or a legal opinion, you should retain a lawyer.

"Relevant background article on Offensive Countermeasures: http://legal-beagle.typepad.com/security/2011/08/crime.html"

Josh Corman:

Joshua Corman is the Director of Security Intelligence for Akamai. Mr. Corman’s cross-domain research highlights adversaries, game theory and motivational structures. His analysis cuts across sectors to the core security challenges plaguing the IT industry, and helps to drive evolutionary strategies toward emerging technologies and shifting incentives.

Dave Dittrich:

Dave Dittrich is an Affiliated Research Scientist with the Office of the Chief Information Security Officer at the University of Washington. He is also a member of the Honeynet Project and Seattle's "Agora" computer security group.

Rob Graham:

Robert Graham is the co-founder and CTO of Errata Security, a firm specializing in cybersecurity consulting and product verification. Mr. Graham learned hacking as a toddler from his grandfather, a WW-II codebreaker. His first IDS was written more than 10 years ago designed to catch Morris-worm copycats.

Ben Jackson:


We've all heard the term "Hacking Back". We all have mixed feelings about this term. Let's be clear, it's not about feelings! The revenge-based "hacking back" was doomed to failure from the beginning. On the flip side, we're losing the battle against attackers on many fronts. What can we do? Setting traps, tracking attackers, luring them into areas of the network and systems deemed "honeypots" is on the table, or is it? What are the legal ramifications of this activity?

  1. What is "hacking back" and how does it apply to our conversation?
  2. Should we "hack back"?
  3. What do you think of the model that Microsoft has set up with MARS? They claim recent successes such as Operation b49 (the Waledac takedown), Operation b107 (the Rustock takedown) and Operation b79 (the Kelihos takedown).
  4. What types of traps are suggested? What is different about setting traps than hacking back?
  5. What is active defense? How is it different?
  6. Where are the legal lines drawn?
  7. Should everyone implement active defenses?
  8. What is the future of active defense?

SCADA: Attack & Defense: Securing Critical Infrastructure 11:30AM-12:30PM



Justin Searle:

Justin Searle is a Managing Partner of UtiliSec, specializing in Smart Grid security architecture design and penetration testing.

Joel Langill:

Joel Langill is the SCADAhacker. His expertise was developed over nearly 30 years through in-depth, comprehensive industrial control systems architecture, product development, implementation, upgrade and remediation in a variety of roles covering manufacturing of consumer products, oil and gas including petroleum refining, automation solution sales and development, and system engineering.

Dale Peterson:

Dale Peterson is the founder and CEO of Digital Bond, a control system consulting and research practice. He performed his first SCADA assessment in 2000, and Dale is the program chair for the S4 conference every January in Miami Beach.

Patrick C. Miller:

Patrick Miller provides services as an independent security and regulatory advisor for the Critical Infrastructure sectors as Partner and Managing Principal of the Anfield Group.


SCADA systems are being attacked and making headlines. However, this is not news, or is it? There is a lot of newfound "buzz" around attacking SCADA and defending SCADA. Technology has evolved, and many systems are Internet connected and more advanced than ever. Water, power, electric, manufacturing: all have SCADA.

  1. What are the gaps in SCADA security?
  2. Are "air gapped" systems effective or realistic with the advances of wireless and cellphone hotspots?
  3. How does an Industrial Control System begin the approach to assess its security when the NIST SP-800-53 and related documents are so vast and complex?
  4. What systems are being targeted and why?
  5. What are some examples of "bad things" happening as a result of SCADA systems becoming compromised?
  6. What can SCADA vendors do better?
  7. How do we accurately and safely assess the security of SCADA systems?
  8. What can we do to raise awareness?

BREAK 12:30PM - 12:45PM

Stogie Geeks 12:45PM-2:00PM

Tech Segment with Greg Hetrick 2:00PM - 2:15PM


Java - Can't Uninstall? Whitelist it?

As with most sizable organizations, it is near impossible to uninstall or completely disable Java, which sent us on a hunt for a feasible way to contain Java-based attacks. What we came up with was restricting it to run only in trusted zones. This worked for APPLET tags when encountered in IE.

What this does is block any applet from running if it is not part of a trusted Internet zone. First, identify all the internal trusted zones and add them. Next, allow users to trust their own zones; most of the time they knew when there was an applet they wanted to run. To enable this there is a simple registry change: set value 1C00 in:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 to a value of 0 

*Note: the original value is 10000.

This will prohibit Java from running in the “Internet Zone.” Internal sites can then be whitelisted in the “Trusted Zone” so Java runs properly on them. Of course this can be done via GPO for all internal sites, and for any identified external sites where Java is required.

For some fun stats, an enterprise of 15,000 endpoints went from ~1.5 takeaways per day down to about 1-2 per month due to Java drive-by style attacks.

For most organizations updating Java is a Herculean effort, so the whitelisting method from within Windows can be a viable and quite effective alternative. In recent months Oracle has released Java 1.7U40, which includes whitelisting. This is nice because it works for browsers other than IE, but odds are that if you can get to 7U40 you have a good handle on patching anyway, so this is less of an issue (except for 0-days).

Java calls its implementation “Deployment Rule Sets” (DRS). DRS is just an XML configuration file listing the location or hash of a jar and the action to take. You can bypass some of the pop-ups (some can’t be disabled, such as the unsigned-JAR warning), flat out block the jar, or run the default actions as you would if DRS weren’t defined. The XML file is parsed sequentially, so place your allowed jars at the top of the file and a catch-all block rule at the bottom.

Deployment of the rule set is as simple as packing it in a signed (by a trusted third party) jar file named DeploymentRuleSet.jar and deploying it to the endpoints to be controlled.

Java-based whitelisting is a very powerful feature, but it is limited. With Microsoft-based whitelisting users can individually whitelist Java for their own uses, but it only covers IE. Java-based whitelisting, on the other hand, does stop end users from whitelisting; however it is a larger effort: you either have to manage many lists for individual users or groups, or you have to whitelist sites for everyone, package and re-push. Also, deploy EMET.
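As an added example (not from this segment or from Oracle's documentation), the Python below builds a ruleset.xml of the shape described above, allow rules first and a catch-all block rule last, and includes a check for rules placed after the catch-all that can never fire because the file is evaluated top to bottom. The intranet URLs and the certificate hash are placeholders; packaging into the signed DeploymentRuleSet.jar is left as described in the text.

```python
import xml.etree.ElementTree as ET
from typing import Iterable, List

def build_ruleset(allowed_locations: Iterable[str],
                  allowed_cert_hashes: Iterable[str] = (),
                  block_message: str = "Blocked by the corporate Java Deployment Rule Set") -> str:
    """Return ruleset.xml text with one 'run' rule per allowed location or
    signer-certificate hash, followed by a catch-all 'block' rule.
    DRS evaluates rules top to bottom and stops at the first match, so the
    allow rules must precede the catch-all."""
    root = ET.Element("ruleset", version="1.0+")
    for loc in allowed_locations:
        rule = ET.SubElement(root, "rule")
        ET.SubElement(rule, "id", location=loc)          # match by URL prefix
        ET.SubElement(rule, "action", permission="run")
    for digest in allowed_cert_hashes:
        rule = ET.SubElement(root, "rule")
        rid = ET.SubElement(rule, "id")
        ET.SubElement(rid, "certificate", algorithm="SHA-256", hash=digest)
        ET.SubElement(rule, "action", permission="run")
    rule = ET.SubElement(root, "rule")
    ET.SubElement(rule, "id")                            # bare <id/> matches every RIA
    action = ET.SubElement(rule, "action", permission="block")
    ET.SubElement(action, "message").text = block_message
    return ET.tostring(root, encoding="unicode")

def rule_permissions(ruleset_xml: str) -> List[str]:
    """The permission of each rule, in file order."""
    root = ET.fromstring(ruleset_xml)
    return [r.find("action").get("permission") for r in root.findall("rule")]

def unreachable_rules(ruleset_xml: str) -> List[int]:
    """0-based indexes of rules that can never fire because an earlier rule
    carries an unconditional <id/> (a catch-all placed too early)."""
    root = ET.fromstring(ruleset_xml)
    dead, catch_all_seen = [], False
    for i, rule in enumerate(root.findall("rule")):
        if catch_all_seen:
            dead.append(i)
            continue
        rid = rule.find("id")
        if rid is not None and not rid.attrib and len(rid) == 0:
            catch_all_seen = True
    return dead

# Constructed mis-ordered file: the catch-all block comes first, so the
# intranet allow rule below it is dead and the intranet applet gets blocked.
MISORDERED_RULESET = (
    '<ruleset version="1.0+">'
    '<rule><id/><action permission="block"/></rule>'
    '<rule><id location="https://intranet.example.com/"/><action permission="run"/></rule>'
    '</ruleset>'
)

if __name__ == "__main__":
    xml_text = build_ruleset(["https://intranet.example.com/", "https://hr.example.com/apps/"],
                             ["ab" * 32])   # placeholder SHA-256 of an approved signing cert
    print(xml_text)
    print("permissions:", rule_permissions(xml_text))
    print("unreachable rules in misordered file:", unreachable_rules(MISORDERED_RULESET))
```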


Oracle docs on the setup.

Deployment Rule Sets (Full Doc)

Introducing Deployment Rule Sets

Push TrustedSites via GPO

Configure TrustedSites via GPO

Java Whitelisting from MSDN

Controlling Java in IE

Tech Segment Angelo & Leon from The Honeynet.org 2:15PM - 2:30PM




Angelo Dell'Aera is currently employed as Information Security Officer at the International Fund for Agricultural Development (IFAD), a specialized agency of the United Nations. He's currently Chief Executive Officer at Honeynet and leads the Sysenter Honeynet Project Chapter. His interests are mainly related to botnet tracking, honeyclient technologies and malware analysis. Angelo started working as an independent researcher in networking and security research in 1998, focusing both on attack and defense techniques, mainly on *NIX platforms. Meanwhile he worked as a researcher at Politecnico di Bari until June 2004, where his main research topic was TCP congestion control algorithms. His research led to the design of the TCP Westwood+ algorithm and the implementation of its support in the official Linux kernel. He's the lead developer of the low-interaction honeyclient Thug.


Leon works as a Senior Analyst for a government-based CERT team in The Netherlands. He's been involved in infosec for more than 13 years. He likes to catch and analyse malware. He tries to be the Chief PR Officer and promote other people's work :) He's been working with various types of honeypots for years.







They can also be reached on twitter:




BREAK 2:30PM - 2:45PM

Tech Segment with Intern Dale (@Rag1nDra90n) 2:45PM - 3:00PM

Nmap Scripts: http-comments-displayer.nse

About & Why: http-comments-displayer.nse

Description: Extracts and outputs HTML/JS comments from HTTP responses.

Why would someone use the tool or technique?: "The attached script makes use of patterns to extract HTML comments from HTTP responses. There are times sensitive information may be present within HTML comments. While this does not necessarily represent a breach in security, it can give an attacker leverage useful for exploitation."

Author: George Chatzisofroniou

How to use http-comments-displayer:

The Nmap Scripting Engine is a very powerful addition to nmap. Nmap has come a long way over the years, from a tool that just did network discovery to a full suite which includes better version detection, vulnerability detection, backdoor detection, and vulnerability exploitation. This tech segment is going to be one of many which will give you a different perspective on using nmap, primarily on utilizing the scripting engine along with a combination of other nmap options. I will briefly go over some basic scans in nmap which I use in the examples below and then lead into the usage of the scripting engine with a script called http-comments-displayer. Currently nmap has approximately 459 scripts. These scripts are categorized, which indicates whether they are safe or intrusive. The categories that the scripts are placed in: “auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln”. It's stated on the nmap site that the scripts are not run in a sandbox, so firing off all scripts by default (nmap --script=all <target>) would be a bad thing, since some scripts are exploits which can set off alarms or damage your system or the targets. It's also a good habit to review the code, which can be accessed in the /usr/share/local/nmap/script directory, before running it. The scripts are Lua based, which is a very easy-to-learn scripting language. There are links which show you how to script in Lua specifically for nmap. Below are examples of how we can invoke nmap scripts. The script we will be focusing on in this segment is http-comments-displayer. The first example below will show basic scanning options for nmap and, as mentioned before, lead into the use of an nmap script.


Example 1: Standard nmap scan without scripting options

root@kali:~# nmap

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-23 23:55 EDT

Nmap scan report for

Host is up (0.00018s latency).

Not shown: 977 closed ports


21/tcp open ftp

22/tcp open ssh

23/tcp open telnet

25/tcp open smtp

53/tcp open domain

80/tcp open http

111/tcp open rpcbind

139/tcp open netbios-ssn

445/tcp open microsoft-ds

512/tcp open exec

513/tcp open login

514/tcp open shell

1099/tcp open rmiregistry

1524/tcp open ingreslock

2049/tcp open nfs

2121/tcp open ccproxy-ftp

3306/tcp open mysql

5432/tcp open postgresql

5900/tcp open vnc

6000/tcp open X11

6667/tcp open irc

8009/tcp open ajp13

8180/tcp open unknown

MAC Address: 00:0C:29:FA:DD:34 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 6.64 seconds

As you can see in the example above, you can get a general scan without any nmap options enabled. This is well known to those seasoned or generally familiar with nmap; hopefully this will help people just learning it. As you learn more about nmap you will see that running certain options helps evade detection by the target you’re scanning. This segment is again meant to give you a new or different perspective on nmap if you have not used it before or are just starting out. I won’t be going into too much detail because of time constraints, but as you can see in the above example it scans for open ports and returns a list of those open ports and the possible services running on them. View the references for more information, as well as the man pages. In the next example I will be using the -A option, which enables OS detection, version detection, script scanning, and traceroute, along with -T4 which controls the scan's timing.


Example 2: nmap with ‘-A’ and ‘-T4’

root@kali:~# nmap -A -T4

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-24 00:49 EDT

Nmap scan report for

Host is up (0.00039s latency).

Not shown: 977 closed ports


21/tcp open ftp vsftpd 2.0.8 or later

|_ftp-anon: Anonymous FTP login allowed (FTP code 230)

22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)

| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)

|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)

23/tcp open telnet Linux telnetd

25/tcp open smtp Postfix smtpd

|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,

| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX

| Not valid before: 2010-03-17T13:07:45+00:00

|_Not valid after: 2010-04-16T13:07:45+00:00

|_ssl-date: 2013-10-24T04:49:38+00:00; -2m08s from local time.

53/tcp open domain ISC BIND 9.4.2

| dns-nsid:

|_ bind.version: 9.4.2

80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)

|_http-methods: No Allow or Public header in OPTIONS response (status code 200)

|_http-title: Metasploitable2 - Linux

111/tcp open rpcbind 2 (RPC #100000)

| rpcinfo:

| program version port/proto service

| 100000 2 111/tcp rpcbind

| 100000 2 111/udp rpcbind

5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7

5900/tcp open vnc VNC (protocol 3.3)

| vnc-info:

| Protocol version: 3.3

| Security types:

|_ Unknown security type (33554432)

6000/tcp open X11 (access denied)

6667/tcp open irc Unreal ircd

| irc-info:

| server: irc.Metasploitable.LAN

| version: Unreal3.2.8.1. irc.Metasploitable.LAN

| servers: 1

| users: 1

| lservers: 0

| lusers: 1

| uptime: 0 days, 3:08:32

| source host: E3C0344B.CBD5D423.168799A3.IP

|_ source ident: nmap

8009/tcp open ajp13?

| ajp-auth:

|_ ERROR: Failed to connect to AJP server

| ajp-methods:

|_ ERROR: Failed to connect to server

8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :




MAC Address: 00:0C:29:FA:DD:34 (VMware)

Device type: general purpose

Running: Linux 2.6.X

OS CPE: cpe:/o:linux:linux_kernel:2.6

OS details: Linux 2.6.9 - 2.6.33

Network Distance: 1 hop

Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

Host script results:

|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>

| smb-os-discovery:

| OS: Unix (Samba 3.0.20-Debian)

| NetBIOS computer name:

| Workgroup: WORKGROUP

|_ System time: 2013-10-24T00:49:35-04:00


In this example I just used two options. The -A option invokes OS detection, version detection, script scanning, and traceroute; as you can see from the above example, the scripts run based on the port states found by the scanner. -T4 was used to control the timing of the scan; there are times when you want to slow down or speed up your scan. For the next example we will start using the --script option and run the http-comments-displayer script with a script argument which changes the default output of the script.


Example 3: With singlepages script argument: http-comments-displayer.singlepages={"/ghost/index", "/dvwa/login.php"}

Note: ‘nmap -sC http-comments-displayer.nse’ does not invoke the specified script; it runs as if you had invoked --script=default, which runs the scripts from the default category.

http-comments-displayer.singlepages is a script argument that allows you to check specific pages, given as a list such as {"/"}. The script can parse multiple pages from a site to extend the search for potential vulnerabilities, e.g. {"/", "/index.php", "/guests.php"}. All the pages are shown within the same output.

root@kali:~# nmap -n -Pn -p80 --open --script http-comments-displayer.nse --script-args 'http-comments-displayer.singlepages={"/ghost/index.php","/dvwa/login.php"}'

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-24 04:35 EDT

Nmap scan report for

Host is up (0.00044s latency).


80/tcp open http

| http-comments-displayer:

| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=

| | Path: /dvwa/login.php

| Line number: 57

| Comment:



| Path: /dvwa/login.php

| Line number: 61

| Comment:



| Path: /ghost/index.php

| Line number: 13

| Comment:


MAC Address: 00:0C:29:09:39:67 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds

With http-comments-displayer, scanning a site's source for possible vulnerabilities becomes a bit easier. It cuts out the source code and just displays the comments and blocks of inline JavaScript, if found. In the above example we can see that the developer left a comment with the username and password; in a real-world scenario this would lead to access to the production server’s content management page, which can lead to a compromised site.


Example 4: With context added to the --script-args

http-comments-displayer.context, along with the previous argument, pulls additional lines of code surrounding each comment, giving more insight into a site's weaknesses. This again helps in gathering information much faster.

root@kali:~# nmap -n -Pn -p80 --open --script http-comments-displayer.nse --script-args 'http-comments-displayer.singlepages={"/ghost/index.php","/dvwa/login.php"} http-comments-displayer.context=2'

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-24 10:24 EDT

Nmap scan report for

Host is up (0.00043s latency).


80/tcp open http

| http-comments-displayer:

| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=


| Path: /ghost/index.php

| Line number: 12

| Comment:




| Path: /dvwa/login.php

| Line number: 57

| Comment:




| Path: /dvwa/login.php

| Line number: 61

| Comment:

|_ >

MAC Address: 00:0C:29:09:39:67 (VMware)

All comment blocks have a line number ("Line number") so you can easily locate the area of code that may have something of interest, followed by the comment details. By using the "http-comments-displayer.context" argument we can trim or expand the information displayed by changing the value of the context parameter from 1-100. By running “http-comments-displayer.singlepages={"/"}” together with “http-comments-displayer.context=10” you get better overall control of your output if you're auditing the information stored in HTML source code.

Some of the additional options used in my example scans: “-n: do not do reverse DNS lookup”, “-Pn: treat all hosts as online -- skip host discovery”, “-p: specify the port or port ranges you want to scan”, “--open: only show open ports”. Because http-comments-displayer only scans for comments on a page, I wanted to narrow down the scanning process, which didn’t require me to invoke the “-T(0-5)” option.
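The same check is worth running defensively against your own templates before they go live. The Python below is an added example, not part of the segment or of the nmap script: it extracts HTML comments and inline scripts with their line numbers and a configurable number of surrounding lines, as the script's singlepages and context arguments do, and flags blocks containing credential-like keywords. The sample page and the keyword list are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample page (not a real site): a login template with the kind of
# developer notes that http-comments-displayer surfaces.
SAMPLE_HTML = """<!DOCTYPE html>
<html>
<head>
  <title>Login</title>
  <!-- build 2013-10-24, template v3 -->
</head>
<body>
  <form method="post" action="login.php">
    <!-- TODO remove before release: test account is admin / CHANGEME-example-only -->
    <input name="username">
    <input name="password" type="password">
    <input type="submit">
  </form>
  <script>
    // debug flag, disable in production
    var debug = true;
  </script>
</body>
</html>
"""

# Assumed keyword list; tune it for your own code base.
SENSITIVE = ("password", "passwd", "account", "todo", "debug", "secret", "key")

# HTML comments and inline <script> blocks: the two things the nmap script reports.
COMMENT_RE = re.compile(r"<!--(.*?)-->|<script\b[^>]*>(.*?)</script>",
                        re.DOTALL | re.IGNORECASE)

@dataclass
class Finding:
    line: int            # 1-based line where the block starts ("Line number" in nmap output)
    text: str            # comment or script body, stripped
    context: List[str]   # the block's own line plus `context` lines before and after
    sensitive: bool      # True if a SENSITIVE keyword occurs in the body

def extract_comments(html: str, context: int = 0) -> List[Finding]:
    """Return every comment/inline-script block with its line number and up to
    `context` source lines before and after it (context=0 gives just its own line)."""
    lines = html.splitlines()
    findings = []
    for m in COMMENT_RE.finditer(html):
        body = (m.group(1) if m.group(1) is not None else m.group(2)).strip()
        if not body:
            continue
        line_no = html.count("\n", 0, m.start()) + 1
        lo, hi = max(0, line_no - 1 - context), min(len(lines), line_no + context)
        lowered = body.lower()
        findings.append(Finding(line_no, body, lines[lo:hi],
                                any(k in lowered for k in SENSITIVE)))
    return findings

def sensitive_findings(html: str, context: int = 0) -> List[Finding]:
    """Only the blocks that deserve a reviewer's attention."""
    return [f for f in extract_comments(html, context) if f.sensitive]

if __name__ == "__main__":
    for f in extract_comments(SAMPLE_HTML, context=2):
        flag = "REVIEW" if f.sensitive else "ok"
        print(f"Line number: {f.line} [{flag}]")
        print("  Comment:", f.text.replace("\n", " | "))
        for ctx_line in f.context:
            print("    >", ctx_line)
```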


http://nmap.org/presentations/BHDC10/ - Fyodor and David Fifield

Special Guest Interview: Jayson Street 3:00PM-3:30PM



Jayson E. Street is an author of “Dissecting the Hack: The F0rb1dd3n Network” from Syngress, and the creator of dissectingthehack.com. He has also spoken at DEFCON, DerbyCon, UCON and at several other ‘CONs and colleges on a variety of Information Security subjects. His life story can be found on Google under “Jayson E. Street”. *He is a highly carbonated speaker who has partaken of pizza from Beijing to Brazil. He does not expect anybody to still be reading this far, but if they are, please note he was chosen as one of Time’s persons of the year for 2006. ;)

The best way to contact Jayson: @jaysonstreet

Special Guest Interview: Kevin Finisterre 3:30PM-4:00PM



Kevin Finisterre is a Senior Research Consultant with Accuvant, has hacked everything from utilities providers to police cars and is keen on disseminating information relating to the identification and exploitation of software vulnerabilities on many platforms.

Veteran Panel 4:00PM-5:00PM



Nik Seetharaman:

Nik Seetharaman is a consultant for a government client in the DC area. He spent 11 years in the United States Air Force where he served in the intelligence and joint special operations communities.

Nathanael Kenyon:

Michael Farnum:

Michael Farnum has worked with computers since he got a Kaypro II and an Apple IIc during his middle school years. Michael served in the US Army, where he drove, loaded, and gunned on the mighty M1A1 Abrams main battle tank (which is where he got his "m1a1vet" handle).

Dave Kennedy:

Dave worked for the United States Marine Corps and deployed to Iraq twice for intelligence-related missions. He also holds the World Record for most hugs given at a conference and is founder and principal security consultant of TrustedSec, an information security consulting firm located in Cleveland, Ohio.


A CEH, OSCP certified security professional with over 25 years’ experience and a proven leadership track record.

Experience in most aspects of Information Technology, in a wide range of industries and disciplines; specializing in in-depth malware and intelligence collaboration for the past 4 years.


Episode 350 is dedicated to Veterans, so we found it only fitting to have a panel with InfoSec individuals who are also Veterans. We want to discuss how serving in the military has helped these people in their careers.

Privacy 5:00PM - 6:00PM



Rob Graham:

Robert Graham is the co-founder and CTO of Errata Security, a firm specializing in cybersecurity consulting and product verification. Mr. Graham learned hacking as a toddler from his grandfather, a WW-II codebreaker. His first IDS was written more than 10 years ago designed to catch Morris-worm copycats.

Dan Auerbach - EFF:

Dan is a Staff Technologist who is passionate about defending civil liberties and encouraging government transparency. Dan works on EFF's various technical projects and helps lawyers, activists, and the public understand important technologies that might threaten the privacy or security of users.

Corey Thuen:

Corey Thuen is co-founder of Southfork Security, a security services company specializing in ICS. Corey recently found out first-hand how fragile privacy can be when a large corporation decides to sue you over your open source software.

Government Contractor uses Copyright fear


  1. The modern idea of "privacy" is fairly new in human experience. How do we reconcile traditional (tribal) human privacy with the globally-connected world?
  2. So we've lost "privacy". But the EMT knows my blood type and medical allergies before the ambulance arrives in my driveway. The MD in the ER knows my complete medical history before the ambulance arrives. Isn't that a fair trade-off?