Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: brucon

UA-Tester 1.0 released: Now with 38% more pimp!

After a few months of playing around with the UA-Tester Alpha release, I’ve finally got the code to a point where I’m happy enough to do a 1.0 release… UA-Tester 1.0, codename Purple Pimp!

Changes since the alpha are far too many to list. However the new version does complete header matching, including some funky stuff like tracking cookie setting changes between user-agent strings (where HTTPonly or Secure might be set for 1 user-agent string, but not for another).

You can find a download link for the UA-Tester Python script, and a PDF of my BruCON lightening talk in the Tools/Scripts section above, or through the links below.

Feedback is always gratefully received…


[BruCON] Top 5 ways to destroy a company

Top 5 ways to destroy a company (Chris Nickerson)

No one cares about your findings. We work all day and the ignore your reports!

Well why does that happen?

  • What we give them isn’t important. Managers don’t care about shells!
  • They don’t care about what we care about!

What do they care about?

  • The product line
  • The brand
  • The employees
  • The bottom line

What do you know about the company’s product line? If you didn’t research it, then why not! Don’t you think you should care about what the company cares about.

How do you figure out whats important

  • Step 1: Your opinion doesn’t matter (unless you’re one of the execs that really are in the know)
  • Step 2: Think like them. You need to translate your speech to something they understand.
  • Step 3: Do work.. not on shells, on process, models, information

If you get paid to just go in and hack fuck somebody, then you’re a prostitute.

What kind of stuff are you looking for?

  • Secret
  • Confidential
  • Internal Use Only
  • Public

Going for the secret stuff is great, but what if the Confidential stuff gives you access to the secret stuff? what if the public stuff should be secret?

The business understand CIA (Confidentiality, Integrity, Availability)… all of these factors link into criticality. If you don’t do this, you’re a bad tester!

Customer needs to give you information on what assets exist, the risks, and therefore how critical it is to a company.

Sometimes you’re wrong… email isn’t the most important thing in your company!

You only have a limited time to test, you don’t have an unlimited time to test like blackhats do!

Top 5 ways to destroy a company

  • Tarnish the brand
  • Alter the product
  • Attack the employees
  • Effect financials directly
  • ** Your turn! **

Tarnish the brand (How to do it)

  • Understand the brand
  • Identify key words to market
  • Knowledge of the competitor advantage/disadvantage
  • Intelligence profiles on the “keepers of the brand”
    • Face of the brand
    • Executives
    • Key personnel
    • Entire marketing/design team
  • Reverse engineering the “go to market”
  • Take over the “indicators of quality”
    • False issues (product misdirection)
    • Negative reviews
    • Use by non standard customers
    • False company response

Alter the product (How to do it)

  • Compare listing of products/services depending on the organization
  • Chain of command for product development or service integrity
  • Historical review of the products timeline

Attack the product (How to do it)

Company specific!

  • Software companies
    • Create bugs
    • Make backdoor (then tell the media)
    • Cause errors in function
    • Add hidden features!
    • Divert their code to your servers….
  • Hospitals
    • Change patient diagnosis
    • Attack HVAC and crank the heat
    • Disable critical alerts
    • Attack crash carts to disable on the fly care
    • Attack narcotic dispensing stations
    • Alter patient doses
  • Manufacturing plants
    • Alter the product line (make something different)
    • Change design specs
    • Speed up the line… overflow
    • Slow down the line… underflow (deadlines)
    • Add or remove the product features
    • Decrease quality
    • Break shit.. a lot

Attack the employees (How to do it)

  • Profile who they are (Nessus doesn’t tell you that!)
  • Find out where they live
  • Figure out what “dangers” they might have at the office
  • Figure out there daily routine then make a kidnapping profile
  • Use the company against them
    • Food?
    • Manufacturing equipment?
    • General Terrorism
    • Release the horde?
  • Kill their benefits
  • Reduce their pay
  • Change their accounts (amex DOS)

If you affect their employees, you affect their money!

Directly affect the bottom line (What you will need)

  • Understand how they really make their $$$
  • Identify systems that generate income
  • Do they take credit cards?
  • Do they have cash?

No you know, go and take the money.

SQLi I can see your tables == Ineffective

SQLi I can see your tables to I made a new account and transferred all your money to == OMG!

What can we take away from this

  • Shell doesn’t do anything
  • Speak their language
  • Remove the white/black hat and do the work!
  • Stop trying trying to rationalize why you are right… and change the game!

We are not communication business impact… we are the ones that are ruining the world! It’s on us to fix it.


[BruCON] Head Hacking – The Magic of Suggestion and Perception

Head Hacking – The Magic of Suggestion and Perception (Dale Pearson)

Language is a strange thing, by listening to this presentation your brain is processing things in a way you may not understand. If we can learn more about this process, then we can use it to improve our social engineering.

How can you get the Jedi powers talked about so much by professional social engineers.

5 different types of social engineer:

  • Type 1: Opportunist
    • Uses physical skills (attractiveness)
    • Some skills, but doesn’t do this everyday
    • Possible first timer
  • Type 2: Natural Confidence
    • Talks the talk
    • Doesn’t always walk the walk
    • Good communicator
    • Comfortable interacting (loves themselves)
    • Lacks experience
  • Type 3: Professional
    • The geek
    • Skilled in InfoSec
    • Regimented processes
    • Knowledgable
    • More Art, Less Science (Not sure why things work)
  • Type 4: Seasoned Pro (i.e the Ninja)
    • Repeatable process
    • Experience
    • Handles confrontation
    • Passionate
    • Think they know everything
  • Type 5: Master manipulator
    • Understands how things work and why
    • Has a game plan
    • Multiple outs
    • Passion and Dedication
    • Tried and tested
    • Constant evolution (new vectors)
    • Creative
    • Cocky

The result of 24 months research is how to work towards becoming a master manipulator.

Best tool for the job: Be mindful, use your mind to think on your feet and understand how to change how people think.

  • Limbic System – Animatistic responses (Fight or Flight)
  • Subconscious – Power House (11,000,000 pieces of information a second)
  • Conscious – Our Reality (16 to 40 pieces of information, based on what we perceive to be a priority)

Get committed

  • Focused
  • Planned Path
  • Persuasion
  • Agreement
  • Choosing the right ear
  • “We stay true to what we say”

Make the leap for the subject, believe what you’re trying to convey. Give off the correct signals. This increases your success rate.

<demo> using language to subtly effect the subconscious decision processing of a subject (in this case the audience).

Neuro-Linguistic Programming

  • Study of Therapy
  • NOT science
  • Art / Process

One of the most important things found is the Rapport. We like others that like us. When two people have good rapport, they often mirror each other.


  • We all have a frame of our existence
  • Changing your frame of reality through ReFraming

What would it take to make it happen… Ask! What would it take to get what I want!

NLP Pattern Examples

  • Redefinition – Change the focus and question
    • It’s not about why you don’t have a badge, it’s about the problems if you don’t get your task done. Who’s going to explain that to the manager!
  • Agreement – Agree on the negative, focus to positive, your idea/requirement
    • Agree that you don’t agree
  • Awareness – Bring attention to something, key words
    • “I don’t have my badge but I need to get _in_”
  • Interruption – Confusion, overflow, derailment
    • Change their process before they start
    • 1-3 second gap to “inject your code” before they get back on track

NLP.. good, but disappointing. NLP practitioners as a group aren’t interested in discussing social engineering.

So what about hypnosis? What if you simply ask for the password?

We always answer at some level, Maybe not verbal, but physical reactions


  • Been around since the 1840’s
  • Based on neuro-hypntosism
  • James Braid (Scottish Surgeon)
  • Focused state of attention
  • Subconscious Communication
  • Art of vagueness and assumptions
  • Rapid induction techniques
    • Can’t get a subject to lay on a bed and be talked to for an hour after all!
  • Stateful inspection
  • Keep it simple

Many different techniques and strategies

Anthony Jacquin – Reality is plastic –> Book about Rapid Induction Techniques

Negative = Positive

Brains don’t do negative too well

“Don’t think about a pink elephant” makes you think of a pink elephant

So try “you don’t have to let me in”

Guardian of the mind

Protects the mind. Can be bypassed by saying a series of true sentences until the brain takes for granted that the things are true.

Buffer Overflows

Inserting unfinished stories until the subject has so many unfinished loops until confusion is caused

Create a YES set by only talking the truth until it’s taken for granted that you’re telling the truth about everything.


  • Pacing and Leading
  • Direct and Indirect
  • Share the experience
  • Perspective of the subject

Alternate Reality

Through hypnosis, you can’t make a person do something they don’t want to do. You can however alter their reality.

  • Alter the scenario
  • Modify the game
  • Truth and Lies
    • Ask a person to lie about everything
    • Repeat asking them to be truthful (slip in your question)

What can you do with hypnosis then?

  • Make people forget
  • Catalepsy (go stiff)
  • Anesthesia
  • Hallucinations
  • Regression / Progression
  • Time distortion
  • Post-hypnotic suggestion


Because if hypnosis doesn’t work, you look like an idiot. Backup plan, an out!

  • Magic
  • Illusion
  • Cold Reading
  • Mind Control
  • Psychological subtleties
  • Telepathy
  • Hypnosis


These things won’t work the same for everybody

  • Visual people
  • Auditory people

Confidence doesn’t really exist, it’s all about controlling fear.

To fail is to learn, because difficult isn’t impossible!


  • Educate
  • Empower
  • Test
  • Communicate
  • Make it personal
  • Don’t be a target
  • Be mindful


[BruCON] Project Skylab 1.0: Helping You Get Your Cloud On

Project Skylab 1.0: Helping You Get Your Cloud On (Craig Balding)

The Cloud Security Broken Record

It’s time to stop talking the same stuff and start talking about what you can do.

Don’t just disengage when you hear cloud. It’s time to use it for something useful.

People are criticizing something they might not have ever used. Lots of people are making opinions about cloud without real experience.

It’s easy to read somebody else’s opinion… but what are you doing to keep up!


  • The hard disk space is always in the wrong place
  • The box you want is always busy
  • There’s no space

So how do you get around these issues?

What does your test lab need

  • Interoperability: Ability to interact with multiple cloud providers
  • Security: Protect your systems (pay per use is pricey if others are using it as a torrent site)
  • Visibility: You need to know what your tools are doing to the system (CPU usage, etc…)
  • Workshop: A place to do your testing

Startup mantra: Fail as fast as you can!

Because you don’t want to waste time on something that won’t work!


  • Learn
  • Get practical
  • Home server is RIP
  • Geekin’ Out
  • Open Source
  • Community Projects

Why not just use VMware for Skylab? Because tying yourself to a single provider is an invitation to fail.

3 Questions for you

  • Do you use cloud storage?
    • Answer: 33% YES
  • Have you booted a machine in a public cloud?
    • Answer: About 12 people
  • Have you played with cloud network overlays?
    • Answer: 1 person

These answers are typical for European conferences and show that few people played with cloud.

Use Cases

  • Target Practice
    • New tools
    • New attacks
  • Assurance Testing
    • Testing patches
    • New software interaction
  • During a Pen-Test
    • Random IP-Addresses

Skylab == Infrastructure as a Service

What else should it be!

  • Hit common use cases
  • On demand
  • Infrastructure as code (Configure your datacenter as a conf file)
  • Cost-conscious
  • Hardware re-use

Design principles

  • Hypervisor agnostic
  • Security test lab “features”
  • Freedom: Open-Source
  • Pragmatic: Don’t reinvent the wheel
  • Scriptable and Fun!

Sharing a whole VM is overkill. We should be able to convey what needs to be in a system without the need to download what we already have!

Shopping for a cloud platform

Things to look for –>Openness

  • API
  • Core
  • Source
  • Development
  • Decision Making

OpenNebula.org: The Open Source Toolkit for Cloud Computing

The ability to share and sell your Cloud systems to others.

Hybrid interaction with a range of other providers. Using OpenNebula and RedHats Delta-cloud. With a single command, you can start and manage remote cloud systems from any provider supported.

Pay as you go… Don’t forget to turn it off!

Terms of service… Check it allows what you need. TOS do change!

Cloud Networking

We need to simulate not only single isolated systems, but complete networks.

Amazon VMs only provide a single ethernet. Using Amazon Security Group you can divert traffic. However we just want to use routing!

Overlay Networks –> VPN infrastructure (e.g. Amazon VPC)

Some other providers don’t offer this as a solution… in this instance you can use a paid service like VPNcubed.

Configuration Management –> Configure/Script what you want your network to look like.

Various options to do this. Different languages.


“apache2” => {
“listen_ports” => [ “80, “443”]

Things still to do

  • Establish Amazon VPC Connection
  • Build Visibility VM (Splunk, Nagios, + extras)
  • Chef Recipes for Security Extras & CM
  • Build Range of Victim/Enterprise VMs
  • Create Easy “DC Creator” front-end script

Making it simple is the hard part!