I apologize to those in my talk (and throughout the rest of the cons last week) that asked about availability of the tools I describe in my talk. I stated that they should’ve been in the Metasploit trunk on the day of my Black Hat USA talk this past Wednesday, backed by assurances from Rapid7 that it would be there. Apparently I was talking to someone at Rapid7 that was unable to make those assurances, so it looks like I’ll be starting over the process of getting it available in the main distribution today. Edit: It’s in now. If you svn update metasploit, enum_drives and imager will be in “modules/post/windows/gather” and nbd_server will be in “modules/post/windows/manage”.

In the meantime, you can drop the following files into your own copy of Metasploit to use the tools introduced in my talk today:

  • enum_drives.rb – Enumerates physical disks and logical volumes for use in the other two modules
  • imager.rb – Images physical/logical drives over a meterpreter shell. Options are similar to those that forensics folk use in dd
  • nbd_server.rb – Maps a remote physical/logical drive to a local network block device server. You can then mount and/or use any forensics tools you’d like on it.

Also, here are the final slides as I presented them, and the whitepaper that I originally submitted with my talk proposal:

Video of both the Black Hat USA and DefCon versions of the talk will be available at some point.

 

This is just a quick post to remind readers that I will be in Vegas for Black Hat and DEFCON this week, and I’m looking forward to meeting as many of you as possible. I will be giving a talk at both Black Hat and DEFCON:

  • Wednesday, August 3rd, 3:15 PM – Black Hat USA 2011 – Track 7
  • Friday, August 5th, 3:00 PM – DEFCON 19 – Track 2

My talk is entitled “Covert Post-Exploitation Forensics With Metasploit”, and I’ll be talking about a set of Metasploit Post-modules that I have developed for performing forensic analysis of machines over a meterpreter connection. With these modules, penetration testers (as well as other roles) will be able to run currently-available/popular forensic tools on remote drives in the same way that forensic examiners currently use them on local drives. Through some protocol trickery and using Railgun to pipe the Windows API over meterpreter, you can essentially make a local block device that maps to the victim’s. I’ll have some discussion, including a basic introduction to disk/file-system forensics for penetration testers, a demo, and some time for questions and discussion.

The presentation and tools will be available on the disc, and the “latest” versions will be posted here as soon as I can manage to put them up after my talk. The modules ought to be available in the Metasploit SVN soon as well.

I’ll also be actively attending/prowling around the conference, so feel free to track me down to talk shop about breaking things, forensics, etc. I have lots of fun stories that aren’t appropriate for the blog/twitter.

Edit:

I will also be bringing 20 of the challenge coins we normally hand out at the end of the Advanced Forensics class at the Mississippi State University National Forensics Training Center. If you want one, track me down at Black Hat or DEFCON and offer me something cool/interesting for one ;) :

Double Secret Edit:

I also have fun 0-day for Tiny Tower on all IOS devices (iPhone, iPad, iPod Touch), which I will disclose to attendees for the price of one drink and a handshake Non-Disclosure Agreement (negotiable). You’re not going to be hacking the Gibson with this one anytime soon, but it’s *fun*.

 

The reviewers at Black Hat have notified me that my submission has been accepted and I will be speaking at BlackHat USA 2011 in Las Vegas this year. As you can imagine, I’m thrilled, as I was not able to attend BlackHat or Defcon last year. I’m looking forward to being there as a speaker this time, interacting with all the great folks I met two years ago there, and anyone new I meet.

The title of my talk is “Covert Post-Exploitation Forensics With Metasploit”, which will be accompanied by the release of a set of meterpreter scripts and a white-paper that details how they can be used. The abstract of my work has been posted on the Briefings page at the USA 2011 site:

In digital forensics, most examinations take place after the hardware has been physically seized (in most law enforcement scenarios) or a preinstalled agent allows access (in the case of enterprise forensics packages). These scenarios imply that the “subject” (the one in possession of the media) is aware of the fact that their data has been seized or subject to remote access. While penetration testing tools allow for surface-level access to the target filesystem, there is a lot of potential data that is being missed in unallocated space that could be accessed by file system forensic tools such as The Sleuth Kit.

 

In this presentation, Wesley will present a new set of tools that will allow forensic examiners and pentesters alike to image remote filesystems of compromised systems, or perform examinations directly on remote filesystems with forensic tools on the attacking machine by mapping remote drives to local block devices. This is the integration of Metasploit with a large body of existing digital forensic tools.
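The block-device mapping described in the talk announcement above and in this abstract rests on the Network Block Device (NBD) protocol: the Linux nbd client attaches /dev/nbdX to a userspace server that answers read requests, so the examiner’s workstation sees an ordinary block device while the bytes come from wherever the server fetches them. The Ruby below is an added example, not the page’s own code and not Metasploit’s nbd_server.rb: it implements the classic NBD “old-style” greeting and the request/reply framing against a constructed in-memory image served read-only (writes are refused with EPERM), which is the shape a forensic server should take so that evidence cannot be altered through the mount. The sample image and the helper names are constructed for this illustration.

```ruby
# Added example: minimal NBD old-style negotiation and request/reply codec,
# serving a constructed read-only in-memory image. Not Metasploit code.

NBD_REQUEST_MAGIC  = 0x25609513       # prefixes every client request
NBD_REPLY_MAGIC    = 0x67446698       # prefixes every server reply
NBD_CMD_READ       = 0
NBD_CMD_WRITE      = 1
NBD_CMD_DISC       = 2
NBD_FLAG_HAS_FLAGS = 1
NBD_FLAG_READ_ONLY = 2

# Old-style greeting (152 bytes): "NBDMAGIC", cliserv magic, export size,
# export flags, then 124 bytes of zero padding. Advertising READ_ONLY makes
# the kernel refuse writes before they ever reach the server.
def nbd_oldstyle_greeting(export_size, flags = NBD_FLAG_HAS_FLAGS | NBD_FLAG_READ_ONLY)
  "NBDMAGIC" +
    [0x00420281861253].pack("Q>") +
    [export_size].pack("Q>") +
    [flags].pack("N") +
    ("\0" * 124)
end

# Parse the fixed 28-byte request header: magic, type, handle, offset, length.
def nbd_parse_request(bytes)
  raise ArgumentError, "short request" if bytes.bytesize < 28
  magic, type, handle, from, len = bytes.unpack("NNQ>Q>N")
  raise ArgumentError, "bad request magic" unless magic == NBD_REQUEST_MAGIC
  { type: type, handle: handle, from: from, len: len }
end

# Reply header (16 bytes) followed by data for successful reads.
def nbd_reply(handle, error = 0, data = "".b)
  [NBD_REPLY_MAGIC, error, handle].pack("NNQ>") + data
end

# Answer one request against the image. Reads outside the image are an
# error, writes are refused, disconnect yields nil so the caller can close.
def nbd_handle_request(image, req)
  case req[:type]
  when NBD_CMD_READ
    if req[:from] + req[:len] > image.bytesize
      nbd_reply(req[:handle], Errno::EINVAL::Errno)
    else
      nbd_reply(req[:handle], 0, image.byteslice(req[:from], req[:len]))
    end
  when NBD_CMD_WRITE
    nbd_reply(req[:handle], Errno::EPERM::Errno)   # evidence stays read-only
  when NBD_CMD_DISC
    nil
  else
    nbd_reply(req[:handle], Errno::EINVAL::Errno)
  end
end

# Constructed sample "drive": sector 0 zeroed, sector 1 filled with 0xAA.
SAMPLE_IMAGE = ("\x00".b * 512) + ("\xAA".b * 512)

# Build a read request as the kernel client would, serve it, and return
# [error_code, payload] so the round trip can be checked.
def demo_read(from, len, handle = 1)
  req = [NBD_REQUEST_MAGIC, NBD_CMD_READ, handle, from, len].pack("NNQ>Q>N")
  reply = nbd_handle_request(SAMPLE_IMAGE, nbd_parse_request(req))
  _magic, err, _handle = reply.unpack("NNQ>")
  [err, reply.byteslice(16, reply.bytesize - 16)]
end

if __FILE__ == $0
  greeting = nbd_oldstyle_greeting(SAMPLE_IMAGE.bytesize)
  puts "greeting bytes: #{greeting.bytesize}"
  err, data = demo_read(512, 16)
  puts "read sector 1: err=#{err} data=#{data.unpack1('H*')}"
end
```

A real server wraps these functions around a TCP socket (the client connects, receives the greeting, then loops on requests until NBD_CMD_DISC); the framing and the read-only policy are the parts worth getting right, since the mount is only trustworthy as evidence if nothing can write back through it.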

The associated scripts and more information will be released with the conference proceedings, and here on this site at the time of my talk (probably also a coordinated release into the Metasploit trunk, but I haven’t talked to those guys about it yet).

At this point, you’ll have to take my word for it, but I assure you this isn’t a typical “Yet Another Metasploit Talk”. I would hope that the submission reviewers at Black Hat would not have accepted it if they felt this was the case. What I’m demonstrating is a way to use a whole suite of useful and mature tools in a penetration test (or other scenario) through Metasploit.

Assuming I’m not scheduled to present at the same time as Barnaby Jack, Dan Kaminsky, or the like, I’d definitely recommend showing up, as I think it’ll be a very fun talk and demonstration. See you at Caesars Palace!

 

Much like last year, a few of the more high-profile talks from Black Hat this year have been released on the web site pretty soon after the conference:

The following talks have video available, as of this posting:

  • The Language of Trust: Exploiting Trust Relationships in Active Content – Mark Dowd, Ryan Smith, David Dewey
  • Something About Network Security – Dan Kaminsky
  • More Tricks for Defeating SSL – Moxie Marlinspike

Slides and papers are available for most of the other talks.

If anyone has a public (or private) lead on getting audio/video recordings for the rest of the conference, contact me. I’m going to keep an eye out, and when I see anything new that’s publicly available, I’ll link it in a new post here.

 

Quick post while I take care of things around here before leaving:

I’ll be arriving in Las Vegas for Black Hat and Defcon tomorrow (Tuesday) evening. If you’re looking to run into me in Vegas, here’s a picture of me with current-facial-hair-status:

…extrapolate to plus-however-many-days of beard growth.

I just had business cards printed as well, so I’ll be able to hand out contact information easily. The design isn’t bad for a 30-minute rush-job in Gimp. If you want to see ’em, you’ll have to track me down ;) . I’ll be on Twitter and email whenever I can, and I’ll have my cell phone with me if you want to contact me privately to get that number. I’m always interested in grabbing a bite to eat or drink, talking shop, and sharing notes.

Here are the talks I’m likely to attend at Black Hat:

There are a lot of talks that look interesting that are going on at the same time, so I’ll have to wait for the videos to be released of some of them. I haven’t really made any decisions yet about what talks I’ll see at Defcon.

 

A few days before I travel, I like to gather up information about my trip and load it up into my iPod Touch (substitute iPhone or netbook as needed) so that I have it handy. Airport/hotel layouts, itineraries, schedules, etc., can be very useful to have quick electronic access to without requiring Internet access wherever you’re at. I use “Air Sharing Pro” to load the jpg’s, pdf’s, and other files onto my iPod for convenient viewing, however there are many other apps that do the same thing.

Here’s what I’m loading up, and you might too (links where appropriate):

  • Your flight itinerary. Print it to PDF. Go ahead and get it now and review it, but save it marked with today’s date and get it again right before you leave, because this stuff changes often.
  • Airport maps, especially for places where you’ll have a bit of a layover.
  • Caesars Palace, which is designed like a labyrinth to keep you inside and gambling
  • The Riviera
  • Las Vegas Monorail map – Print-option is on the site, print to PDF. (edit: Here is another option, might be a little more phone-friendly, thanks to @eugk on twitter)
  • Frequent flyer and hotel reward program numbers
  • Some documentation of your hotel reservation
  • Your Black Hat receipt and registration location/times! Also have a printed copy of this as you will need it and identification at BH registration.
  • Schedule of talks you want to attend. There’s a great online app for the Black Hat schedule where you can put together your own and share/print it.

Test it all out once you get it on your device to make sure the formatting is good enough, and that your PDF’s aren’t too “heavy” for a portable device. You can always just take screenshots of what you really need out of them, as jpg’s and png’s are very easy to view.

© 2012 McGrew Security