Burp Suite has been my favorite web app testing tool for a while and seems like it keeps getting better with age & updates. Typically, I have avoided using other tools to parse the Burp output (xml) because most of what we report comes from manual testing. Somewhat recently, I started using extensions to add the manual testing results to Burp and thus it made sense to write a script to parse Burp xml output.
Table of Contents Honeypots Challenge Communications Add-ons Updates Easter Eggs Trivia Prototypes Conclusion DEF CON 27 has come and gone, and it was amazing to see folks get engaged with the badge, solving the challenges, having fun with the honeypots. We received lots of great feedback, and folks were very curious about the honeypot data. We had great conversations about what hacking actually happens at DEF CON, what kind of hacking can be expected, and we think there is enough evidence to at least partially answer that question.
Integrating Compliance Auditing with DevSecOps By now you have probably at least read about the benefits of merging development, security, and operations into a cohesive unit (if not also implemented to some degree). Now it’s time to take it a little further: integrating security compliance audits. Whether you face mandated audits, like PCI, FISMA and agency specific implementations like Security Controls Testing (SCA) or NISTIR 8011 flavored Adaptive Capabilities Testing (ACT), or self-imposed assessments for your own [good] reasons (or both), integrating an external audit with your system development and maintenance process can help your organization more efficiently remediate vulnerabilities and weaknesses, and the overall audit process will be less costly.
Table of Contents Background Inspiration Features Design Hardware Software Programming Photos Videos Conclusion Last Updated: 2019-10-10 This post is part 1 of 2. Visit Part 2 of 2 for spoilers and behind the scenes info. With the wave of low-cost PCBs and components, electronic conference badges are now pervasive. I decided to deviate a bit from our usual offensive security focus, have a little fun and build a mobile AP and honeypot which has now evolved to the DEF CON 27 Blue Team Village badge.
Having a vulnerability management tool like Tenable Security Center is great. They offer a lot of functionality to analyze, track, and report on the current and past state of systems in the environment. But sometimes that’s overkill. Sometimes you want something quick and easy. Hence we wrote a quick little python script that parses one or more .nessus files and produces a spreadsheet (Excel format). There are five worksheets in the workbook output file:
After the rules of engagement are finalized but before we actually start a penetration test, we perform no-touch reconnaissance or “recon”, all without sending a single packet to our target organization’s environment. The goal is to identify all the in scope assets and data exposures, as the more coverage we attain of a target environment the more thorough we can be with our penetration testing. This information can include things like ip addresses, subdomains, code repositories, employee data or anything that tells us more about the company and introduces a crack in the external defenses.
For a period of time, it was possible to read snippets of memory on a screen-locked mac OS system from the USB port. A while back we noticed some interesting files created by macOS when inserting a USB drive. These files were related to Spotlight, macOS’s built-in search functionality which indexes and enables searching of files on the system, among other things. The presence of the files is fairly standard, as an invisible /Volumes/<Volume Name>/.
I will be co-presenting [“Getting Social with the Smart Grid”] (https://defcon.org/html/defcon-18/dc-18-speakers.html#Morehouse) at this year’s DEF CON in Las Vegas. Littered with endless threats and vulnerabilities surrounding both social networking and the Smart Grid, the marriage of these two technologies is official, despite protests by the security community. Consumers love it because they can brag to their friends about how green they are. Businesses love it more because it provides fresh material for their marketing departments.
As an industry, we have failed. Miserably. Cyber security professionals have implemented a broken methodology and graduated from failing to properly identify the problem to failing to present an effective solution. The network security methodology of: 1. Find Vulnerabilities, and then 2. Apply Security Patch, simply does not work for the custom web application environment. This statement may seem obvious, but it’s exactly what the industry has tried to do.
In addition to the previously mentioned Nmap script, GuestStealer has now made its way into a [Nessus plugin] (http://www.nessus.org/plugins/index.php?view=single&id=44646) and a Metasploit module. Nessus Plugin 44646 was released by Tenable a few weeks ago and the Metasploit module was pushed up to the trunk last week. GuestStealer has been mentioned in several articles and blog posts recently, including [DarkReading – Tech Insight: Securing The Virtualized Server Environment] (https://www.darkreading.com/tech-insight-securing-the-virtualized-server-environment/d/d-id/1132946) and The Hacker News Network.