Applying the "32" Zombieland Rules to IT Security Presentation

Yes, here are the slides in PDF. This is the most updated version reflecting the changes made up to Derbycon. Again, any feedback and suggestions are welcome!

Mid-Atlantic CCDC Special Event Station, W3P

CQ, CQ, calling CQ! This is Whiskey Three Papa, the Mid-Atlantic CCDC Special Event Station, calling CQ!

Yes, folks, you'll soon be hearing that on the airwaves. I wanted to get this out there in support of the blog post over at the MACCDC site entitled What's Larry been up to?.

Additionally, some of these items are subject to change, but any updates will be made to this posting and cross-posted to Twitter at @haxorthematix.

So, with that, here is our operating schedule:

April 10: Setup and testing in the late afternoon (EDT)
April 11: Operating from approximately 8AM to 5:30 PM (EDT) - 12:00 to 21:30 GMT
April 12: Operating from approximately 8AM to 5:30 PM (EDT) - 12:00 to 21:30 GMT
April 13: Operating from approximately 8AM to 5:30 PM (EDT) - 12:00 to 21:30 GMT

(times to be posted in GMT at a later date)

We will be using the following frequencies:

20M: 14.285 alternate 14.250
40M: 7.285 alternate 7.200
2M: Evening hours after 5:30 EDT (21:30 GMT) in the Columbia, MD area (sporadic) 146.52

We will also be investigating the use of Echolink

We will switch between 20 and 40 Meters during the day at a yet-to-be-specified interval, or as band conditions fluctuate.

How I use GISkismet for more than mapping

I'll say up front, I love GISkismet for interpreting kismet .netxml output for sending to Google Earth. However, I find that sending the .netxml output to Sqlite3 also gives me plenty of options for reporting on issues as well!

In many cases when I do assessments, I won't have GPS location available; I'm walking around inside of the assessment environment without a clear view of the sky. In this case, this gives me the ability to see the environment just like the clients see it, often revealing risks that are easily forgotten about.

Since I won't always have GPS-based location information, I need to import ALL of the collected AP information into the Sqlite3 database. We can accomplish this with the --ignore-gps option, which adds all of the APs even though no location information was found in the .netxml file:

$ ./giskismet -x somefile.netxml --ignore-gps --database nogps.dbl

In this case, I've chosen to output the contents to the Sqlite3 database named nogps.dbl.

Great! Now, I understand that I can use GISkismet to run SQL queries against the database, but why not enhance my skill set and learn how to use Sqlite3 to do those same queries? Once Sqlite3 is installed (with say "sudo apt-get install sqlite3") let's get it to start an interactive shell with our new database:

$ sqlite3 nogps.dbl

Let's also be sure there's stuff in there. Show us all of the wireless networks my good man!

sqlite> select ESSID from wireless;

How 'bout we show the encryption type with that too?

sqlite> select ESSID, Encryption from wireless ORDER BY ESSID;

That was easy, wasn't it? Yeah, now here's where the "hard work" comes in...

One of the things that I like to point out during an assessment from within the environment is open access points that are likely not associated with the customer. Why? If the customer allows end users to configure new wireless network connections on their devices, this can be an issue. Let's say the customer does the best they can securing their wireless networks, and when client machines are connected to gain access to internal resources, they are also prevented by policy from gaining access to some websites, say Facebook, Twitter, etc. What happens when the users MUST get on Facebook? They go join the open network next door, get on Facebook, get compromised, and then come back to the corporate network because they can't access their e-mail...now the customer has "pre-pwned" machines on their network...

Let's get a list of the open APs, shall we?

sqlite> select ESSID from wireless where Encryption = 'None';

...or to eliminate duplicates:

sqlite> select DISTINCT(ESSID) from wireless where Encryption = 'None';

The other use case that I like to point out is when cloaked or hidden wireless networks are discovered. Again, you ask, why? The hiding of networks can be argued to introduce more risk in some scenarios, particularly when a wireless device travels outside of the environment into a public one, where tools such as Karma, Karmetasploit or the WiFi Pineapple come into play.

Let's get us a list of cloaked networks:

sqlite> select DISTINCT(ESSID) from wireless where Cloaked = 'true';

Now, based on these two scenarios, we can use the info from GISkismet for more than just mapping.
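As an added example (not part of the original post or of GISkismet), here is the reporting above done from Python against a stand-in for the nogps.dbl database, and going one step further than DISTINCT by counting how many radios advertise each open ESSID. It assumes GISkismet's wireless table has the ESSID, Encryption and Cloaked columns used by the queries on this page plus a BSSID column; the rows are constructed sample data.

```python
import sqlite3

# Constructed sample rows mimicking GISkismet's 'wireless' table. ESSID, Encryption and
# Cloaked are the columns the post queries; BSSID is assumed to exist alongside them.
SAMPLE_ROWS = [
    ("CorpWiFi",   "00:11:22:33:44:01", "WPA2", "false"),
    ("CorpWiFi",   "00:11:22:33:44:02", "WPA2", "false"),
    ("CoffeeShop", "00:aa:bb:cc:dd:01", "None", "false"),
    ("CoffeeShop", "00:aa:bb:cc:dd:02", "None", "false"),   # second open radio, same ESSID
    ("linksys",    "00:aa:bb:cc:dd:03", "None", "false"),
    ("",           "00:aa:bb:cc:dd:04", "WPA2", "true"),    # cloaked, SSID never resolved
    ("HiddenCorp", "00:aa:bb:cc:dd:05", "WPA2", "true"),    # cloaked, SSID resolved by kismet
]

def build_db(path=":memory:"):
    """Create an in-memory stand-in for nogps.dbl and load the constructed rows."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE wireless (ESSID TEXT, BSSID TEXT, Encryption TEXT, Cloaked TEXT)")
    conn.executemany("INSERT INTO wireless VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn

def open_networks(conn):
    """The post's DISTINCT query: open ESSIDs with duplicates collapsed."""
    cur = conn.execute(
        "SELECT DISTINCT ESSID FROM wireless WHERE Encryption = 'None' ORDER BY ESSID")
    return [row[0] for row in cur]

def open_ap_counts(conn):
    """Beyond DISTINCT: how many distinct radios advertise each open ESSID."""
    cur = conn.execute(
        "SELECT ESSID, COUNT(DISTINCT BSSID) FROM wireless "
        "WHERE Encryption = 'None' GROUP BY ESSID ORDER BY ESSID")
    return dict(cur.fetchall())

def cloaked_networks(conn):
    """The post's cloaked query, returning the BSSID too so an empty ESSID stays identifiable."""
    cur = conn.execute(
        "SELECT ESSID, BSSID FROM wireless WHERE Cloaked = 'true' ORDER BY BSSID")
    return cur.fetchall()

if __name__ == "__main__":
    db = build_db()
    print("Open networks:", open_networks(db))
    print("Open AP counts:", open_ap_counts(db))
    print("Cloaked networks:", cloaked_networks(db))
```

Point build_db() at a real nogps.dbl only after dropping the CREATE/INSERT lines, since GISkismet already created the table.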

6-13-12 LBCAV Slides

As promised, here are the PDF versions of the slides from the 6-13-12 Late Breaking Computer Attack Vectors Webcast with Darren and I.

Slides (PDF)

CyberGuardian goodies

As promised here are a few things that I promised you all from SANS CyberGuardian in April 2012.

Smartphone Photograph Geostalking:

CyberGuardian-geostalking.pdf

Zigbee captures from Las Vegas at the world's largest Zigbee installation and from a recent wardrive road trip to NJ:

vegas-zigbee.zip
njzigbee-wardrive.zip

Enjoy!

Thanks for being patient....

It has taken a while to make it happen, but I finally have this site up! Sometimes life and work get in the way, but at least I'm having fun at both.

In any case, I've promised slides for the last few Late Breaking Computer Attack Vectors Webcasts. While I've dutifully e-mailed them to those who have asked, it is time for a more permanent home. Here they are:

LBCAV-Feb1-2012.pdf

LBCAV-March21-2012.pdf

SecFail-Dec-2011.pdf

SecFail-Mar-2012.pdf
