
Showing posts from March, 2009

Welcome to Mark Baggett - In Depth Defense



I am the course Author of SANS SEC573 Automating Information Security with Python. Check back frequently for updated tools and articles related to course material.

Senior SANS Instructor
GSE #15
Internet Storm Center Handler
Penetration Testing and Incident Response Consultant
Technical Advisor to DoD for The SANS Institute
Founding President of the Greater Augusta ISSA
Cofounder of BSidesAugusta Security Conference


Tools:
FREQ SERVER - Tool and technique for detecting Malware Command and Control domains
DOMAIN_STATES - Tool for detecting "Baby Domains" used for phishing and Malware distribution
SRUM_DUMP - Forensics tool for extracting System Resource Utilization Monitoring artifacts
LIAM_NEESON - Proof of Concept Linux Hash Protection
HONEY_HASHES - Certainly honey tokens have been around since 2003, but I created a cool technique for creating fake SATs in memory that was turned into Dell SecureWorks' DCEPT framework.
VSSOWN - Tool & Technique for Using Microsoft Volume Shadow Copies for hiding malware and extracting artifacts
SDB Hacking - Using Application Compatibility in unexpected ways.
SET-KBLED - Utility for Managing Clevo and Sager Laptop LED Backlit Keyboards
Reassembler.py - Scapy-based fragment reassembly engine
eapmd5crack.py - A password cracker for the EAP protocol


and more. Most of these tools are available on my GitHub page. Follow me on Twitter @markbaggett





No exploit Metasploit usage - VNC and Keylogging

OK. I admit it. I use Metasploit at work. Of course, I have permission to use it as a penetration testing tool, but I find it to be very useful in other circumstances as well. I often use the PSEXEC "exploit" to provide a username and password to fully patched machines for administrative purposes. For example, it has come in handy when the standard remote access tools have been removed and there is a remote machine that the support center is unable to access. They, rightly so, have figured out that if the security team can get in to their machines without usernames and passwords, it should be pretty easy for them to help recover a managed machine with known usernames and passwords. One option to troubleshoot the broken admin software is to remotely (and temporarily) install VNC on the stranded host. I used to connect to the remote c$ with administrator credentials, copy up VNC, import the required registry keys, start the server, fix the problem, clean up the regi…

Metasploit adds new keylogger and Mac payloads

Metasploit added some pretty interesting payloads to its arsenal this week. First, Meterpreter (the only payload you'll ever need) added a keylogger. Plus, they have added some cool payloads for the Mac. There is a set of iSight payloads that will snap a picture from the iSight camera (bind_tcp, reverse_tcp, etc.). This payload is a part of the "bundle inject" payload, which is documented in the Mac OS X Hacker's Handbook. This looks like it could be the beginning of a Meterpreter-like pluggable payload for OS X. Charlie Miller, winner of the new Macintosh PowerBooks at both the 2008 and 2009 Pwn2Own contests, is coauthor of the payloads along with Dino Dai Zovi. That is definitely a book I will be adding to my library. Here is a recent presentation with some interesting information on the payloads.

SANS 504 - Hacking Techniques, Exploits and Incident Response Augusta, GA

I'm going to mentor another SANS 504 session this fall. Hacking Techniques, Exploits and Incident Response is one of my favorite SANS classes. This is my third mentor session and my second time running 504. Last year SANS gave me the Mentor of the Year award, so they are giving me some additional flexibility in the mentor format. This time we are running a modified mentor format. We will have 13 more hours of class time than the normal mentor session. That's more time for covering the materials and doing exercises. If you're interested, get full details and sign up here. Greater Augusta ISSA members, contact me for a very special discount code.