10:00 AM
to 10:20 AM

Dino Dai Zovi: Macsploitation with Metasploit
68 Attendees
Location Florentine 1-2-3-4
Type  Metasploit
  Dino Dai Zovi, Charlie Miller
  While Metasploit has had a number of Mac exploits for several years, the exploit payloads available have done little more than give a remote shell. These payloads are significantly simpler than the DLL-injection-based payloads for Windows-based targets like the Meterpreter and VNC Inject payloads. This talk will cover the development and use of the fancier Metasploit Mac payloads developed by Dino Dai Zovi (the presenter) and Charlie Miller, including bundle injection, iSight photo capture, and Macterpreter.

10:20 AM
to 10:40 AM

Mike Kershaw: Kismet and MSF
102 Attendees
Location Florentine 1-2-3-4
Type  Metasploit
  Mike Kershaw
  Airpwn-style TCP stream hijacking on Wi-Fi networks inside the MSF Framework. "You want urchin.js? Sure, we can do that. Here it is. Trust me." Demo client attacks against popular websites by poisoning the TCP stream, feeding MSF payloads to clients, and tail-modification of already transmitted TCP streams.

10:40 AM
to 11:00 AM

Chris Gates: Breaking the 'Unbreakable' Oracle with Metasploit
104 Attendees
Location Florentine 1-2-3-4
Type  Metasploit
  Chris Gates
  Over the years there have been tons of Oracle exploits, SQL Injection vulnerabilities, and post-exploitation tricks and tools that had no order, methodology, or standardization, mainly just random .sql files. Additionally, none of the publicly available Pentest Frameworks have the ability to leverage built-in package SQL Injection vulnerabilities for privilege escalation, data extraction, or getting operating system access. In this presentation we are going to present an Oracle Pentesting Methodology and give you all the tools to break the "unbreakable" Oracle as Metasploit auxiliary modules. We've created version and SID enumeration modules, account brute-forcing modules, ported all the public (and not so public) Oracle SQL Injection vulnerabilities into SQLI modules (with IDS evasion examples for 10g/11g), modules for OS interaction, and modules for automating some of our post-exploitation tasks.

11:15 AM
to 12:30 PM

Peter Silberman & Steve Davis: Metasploit Autopsy - Reconstructing the Crime Scene
71 Attendees
Location Florentine 1-2-3-4
Type  Metasploit
  Peter Silberman, Steve Davis
  Meterpreter is becoming the new frontier of malicious payloads, allowing an attacker to upload files that never touch disk, circumventing traditional forensic techniques. The stealth of Meterpreter creates problems for incident responders, such as how a responder determines what occurred on a box exploited by Meterpreter.
During this talk we discuss accessing physical memory for the purpose of acquiring a specific process's address space. Process address space acquisition includes DLLs, EXEs, stacks and heaps. This includes memory-resident modules. We describe in detail how Meterpreter operates in memory and specifically how memory looks when Meterpreter scripts/commands are executed and the residue these scripts create in the exploited process's memory space. Finally, we tie all this knowledge together and discuss how to reconstruct a Meterpreter session, completely from memory, and determine what the attacker was doing on the exploited machine.
The talk will conclude with the demonstration of a new tool: the audience will see how an attacker using Meterpreter is no longer hidden from the forensic investigator, as we recreate the Meterpreter session from memory.

1:45 PM
to 3:00 PM

Egypt: Using Guided Missiles in Drive-Bys - Automatic Browser Fingerprinting
66 Attendees
Location Florentine 1-2-3-4
Type  Metasploit
  Egypt
  The blackhat community has been using client-side exploits for several years now. Multiple commercial suites exist for turning web servers into malware distribution centers. Unfortunately for the pentester, acquiring these tools requires sending money to countries with no extradition treaties, taking deployed packs from compromised web servers, or other acts of questionable legality. To ease this burden, the Metasploit Project will present an extensible browser exploitation platform integrated into the Metasploit Framework.

3:15 PM
to 3:50 PM

I)ruid: MSF & Telephony
41 Attendees
Location Florentine 1-2-3-4
Type  Metasploit
  Dustin "I)ruid" Trammell
  An important attack vector missing in many penetration testing and attack tools available today is the tried-and-true telephony dial-up. With the recent surge in popularity of VoIP connectivity, accessing such attack vectors has become both cheap and easy. Using the new Metasploit telephony components, users are now able to both scan for and dial up directly to telephony-accessible exploitation targets.

3:50 PM
to 4:30 PM

Val Smith, Colin Ames & David Kerb: MetaPhish pt. 1
101 Attendees
Location Florentine 1-2-3-4
Type  Metasploit
  Val Smith, Colin Ames, David Kerb
  Attackers have been increasingly using the web and client-side attacks in order to steal information from victims. The remote exploit paradigm is shifting from the open port to the browser and email client. Penetration testers need to take these techniques into account in order to provide realistic tests.
In the past several years there have been numerous presentations on techniques for specific client-side attacks and vulnerabilities. This talk will focus on building a phishing framework on top of Metasploit that pen testers can use to automate phishing and increase their overall capabilities. We will also cover some techniques for spear phishing on pen tests, second-stage backdoors, and extensive communication over Tor.

4:45 PM
to 6:00 PM

Val Smith, Colin Ames & David Kerb: MetaPhish pt. 2
60 Attendees
Location Florentine 1-2-3-4
Type  Metasploit
  Val Smith, Colin Ames, David Kerb
  Attackers have been increasingly using the web and client-side attacks in order to steal information from victims. The remote exploit paradigm is shifting from the open port to the browser and email client. Penetration testers need to take these techniques into account in order to provide realistic tests.
In the past several years there have been numerous presentations on techniques for specific client-side attacks and vulnerabilities. This talk will focus on building a phishing framework on top of Metasploit that pen testers can use to automate phishing and increase their overall capabilities. We will also cover some techniques for spear phishing on pen tests, second-stage backdoors, and extensive communication over Tor.