Pen Test Summit 2009 Documents
All of the talks from all of the presenters at the 2009 SANS Pen Test Summit are located here.
My closing remarks on the major issues and trends discussed during the summit are here.
And, finally, during the 2009 SANS Pen Test Summit, I tweeted the major items and announcements from each talk. In response to frequent requests, below are all my tweets associated with these amazing talks from the summit.
Thanks to all the presenters for their great work and inspiring presentations!
----
7:55 AM June 3rd: #sanspentestsummit Thanks to all the speakers. It was an honor to see you guys in action. You were awesome! Thanks to attendees for great Qs
7:54 AM June 3rd: #sanspentestsummit Vinnie sparks fascinating debate betw Josh Wright & Jeremiah Grossman on automated vuln assessment vs. human pen testing.
7:53 AM June 3rd: #sanspentestsummit Vinnie Liu presents on code review & HQL injection, long-term parameter manipulation, and his hilarious workweek.
7:52 AM June 3rd: #sanspentestsummit Once victim is unwittingly logged into attacker throwaway account via CSRF, victim may enter data for attacker to harvest
7:51 AM June 3rd: #sanspentestsummit @jeremiahg says "CSRF on login pages is sleeping giant of vulns". Demos tricking victim into logging into attacker acct.
7:50 AM June 3rd: #sanspentestsummit @jeremiahg says "Pen Testers must beef up Flash skills cuz' automated tools not good at finding its vulns." Shows demo.
7:48 AM June 3rd: #sanspentestsummit @jeremiahg talks GIFARs and gens one live. Goes over fascinating stats on web app vulns.
7:47 AM June 3rd: #sanspentestsummit Seriously, U gotta check out Grendel-scan's manipulation of AMF (Action Message Format) for Flash, etc. Blew me away.
7:45 AM June 3rd: #sanspentestsummit Grendel 1.1 also has dynamic SSL wildcard generator for IE for HTTPS. AMF parsing and editing in Proxy completely r0x0rs!
7:43 AM June 3rd: #sanspentestsummit David & Eric talk Grendel. Released 1.1 yesterday for summit. /me is touched. Lots new. Rev proxy for thick clients.
7:41 AM June 3rd: #sanspentestsummit Steve Sims shows tools & methodology for custom exploit dev and applies it live to tftpd... Nice demo & slides.
7:39 AM June 3rd: #sanspentestsummit @haxorthematrix Extreme recon using doc metadata tools like exiftool. Me: Gotta include technique in pen test recon step!
7:37 AM June 3rd: #sanspentestsummit Panel: Josh, Paul, Ralph Durkee & me on biggest mistakes of PenTest Career. Josh w/ truly touching vuln disclosure story.
7:35 AM June 3rd: #sanspentestsummit @pauldotcom: Advice: Always have Nessus import Nmap results. Do NOT have Nessus launch Nmap. Also use -oA for Nmap output
7:34 AM June 3rd: #sanspentestsummit @pauldotcom: Art of internal pen testing, good tips for integrating Nmap, Nessus, Metasploit in practical ways.
7:33 AM June 3rd: #sanspentestsummit Awesome Day 2! Great talks - Paul, Larry, Sims, David Byrne & Eric Duprey, Jeremiah Grossman, Vinnie Liu. Highlights...
7:28 AM June 3rd: RT @hal_pomeranz for i in *; do echo -n "$i "; grep TEST $i | wc -l ; done | awk '{t... <snip> Me: I love it when you talk sexy like that!!
8:36 AM June 2nd: @joeuser47 @GregFeezel & @FVT Yes, much fun at #sanspentestsummit. Best part? Watching speakers question each other. Talks posted next wk.
7:12 AM June 2nd: #sanspentestsummit Day ended with Pauldotcom live, whole team there: Paul, Larry, Strand, Mick, Dark0perator. A great way to end the day.
7:11 AM June 2nd: #sanspentestsummit Evening Core hospitality suite - Atari 2600 theme. Old games, much fun. Every speaker showed up for lots of great chats.
7:10 AM June 2nd: #sanspentestsummit Day finishes w/ Paul from Tenable, Anthony from Core, & Billy from SAINT comparing & contrasting products & philosophies.
7:09 AM June 2nd: #sanspentestsummit Josh then talks Vista exploitation, Ghost in the AP attacks, glimpse of new Zigbee stuff he's working on. Scary cool.
7:04 AM June 2nd: #sanspentestsummit Josh then plays Chaka's "I'm Every Woman", sings along, dances, and changes lyrics to "I'm Every Network". Mayhem ensues.
7:03 AM June 2nd: #sanspentestsummit Josh's new MSF module, Chaka Kahn, beacons top SSIDs so Vista & XP SP3 probe for pref networks for karmetasploit attack.
7:00 AM June 2nd: #sanspentestsummit Josh continued: Bluetooth & getting bdaddrs. Usefulness of Cisco Spectrum Expert to detect all kinds of protos ($3k tho)
6:55 AM June 2nd: #sanspentestsummit Josh Wright then showed how to make the most of wireless arsenal. Most effective custom channel hopping in Kismet...
6:54 AM June 2nd: #sanspentestsummit Rsnake showed 5 scenarios of attack: script to browser for long-term, bypass same origin policy w/ IP addr collision.
6:51 AM June 2nd: #sanspentestsummit Rsnake then describes brand new attack based on RFC 1918 addr collisions across VPN & over-aggressive caching in IE.
6:50 AM June 2nd: #sanspentestsummit Rsnake says CSRF defense - Nonce - overcome by click jacking. Click jacking to be with us "6 or 7 years at least."
6:49 AM June 2nd: #sanspentestsummit Then Valsmith demos the whole thing with a kit he wrote. Highly automated. Full release at Defcon. *Very* useful.
6:48 AM June 2nd: #sanspentestsummit Valsmith on workflow of file phish pen test. Describes doc dev, targeting, server set-up, applet signing, meterpreter.
6:46 AM June 2nd: #sanspentestsummit Day 1 PM talks were very cool. Valsmith, Rsnake, Josh Wright, & panel w/ Tenable, Core, & SAINT. Here are best of tweets.
3:03 PM June 1st: #sanspentestsummit Jason: UCsniff tool - sniff VoIP, ARP cache poison, MiTM, new CODECs, video support, all integrated and automated.
3:02 PM June 1st: #sanspentestsummit Jason: ACE tool for impersonating VoIP phone to grab corp directory. xtest tool to eval 802.1x security automatically.
3:01 PM June 1st: #sanspentestsummit Jason Ostrum: VoIP hopper features for CDP forging, Avaya & Nortel support. MAC addr spoofing.
3:01 PM June 1st: #sanspentestsummit Ron: If you do wireless pen test and report only on GPS, you are wasting time and money. Provide building, room, etc.
3:00 PM June 1st: #sanspentestsummit Toby: Make pen tests more effective by poking internal dev teams when they are in dev phase. Use enthusiastic newbies.
2:59 PM June 1st: Mac OS X Meterpreter, Linux Meterpreter, PHP Meterpreter in the works. MSF as Java Applet in JRuby. Win7 sploit fixes coming. Much more.
2:58 PM June 1st: Gen files on fly (not just PDF, but also Office docs) with obfuscation/evasion built-in. Meterpreter multi-thread w/ SOCKS for better pivots.
2:57 PM June 1st: New and upcoming MSF features: Oracle sploits, full-blown web app scanner, browser autopwn extensions, Meterpreter automation
2:56 PM June 1st: @hdmoore MSF project "the Janitors of the Internet for Sec Tools" making sure there is a reliable & flexible base on which to build tools.
2:55 PM June 1st: @hdmoore said MSF evolving from vehicle for exploit distro to distributed platform for tools and vuln research, with big user base.
2:54 PM June 1st: @hdmoore preso on Future of Metasploit had so much chocolatey goodness, it's hard to summarize it all.
2:54 PM June 1st: Beto: Find flaw in target web svr, create fake passwd reset page, & phish users having them go to your page on their own infrastructure.
2:53 PM June 1st: Beto: Create exploit PDF and XLS with look and feel of target based on discovered docs on Internet.
2:52 PM June 1st: Lots of great points in talks at #sanspentestsummit Beto from Core, @hdmoore, Toby, Ron, & Jason Ostrum so far. I'll do best-of tweets.