Whilst attention gets paid to some of the technical risks, I don't think there's been a lot of focus on some of the more procedural/human aspects of it.

One example is the visibility/effect of configuration mistakes. In a traditional IT environment, mistakes can be partially contained by the network perimeter (albeit that containment is usually weaker than it used to be).

If someone makes an access control change which allows anonymous access to data, that mistake is likely only to be exploitable and visible to a limited group of people.

With the move to Cloud computing though, that same mistake could be instantly visible to the whole world and all it's attacker communities.

A really good example of this comes up in a vulnerability found by Jonathan Siegel (background story here and here).

In essence the problem seems to be that users of Amazon Web Services have made access control errors which set disk snapshots to be publicly available to everyone in a given region, and in the examples Jonathan gives this has included a database of user accounts for a web service and a full copy of a news services' web site.

So what would have likely been a relatively minor access control issue in an Internal network setup, becomes a situation where all the data in question should be considered compromised.

The talks were interesting as always, personal highlight for me had to be Jim Weirich managing to go from particle physics to functional programming seamlessly in a single talk!

my talk was on breaking things with ruby and was a pretty quick look at the world of penetration testing and some of the cool projects (primarily Metasploit) which use ruby in this area. My slides can be found here and if people are interested in more information on the topics I covered here's some good linkage to start with.

Metasploit

The Main Metasploit Website . This is the best place to start. There's also a wiki and source code repository on their redmine site here

Metasploit Unleashed. This is a free training course from Offensive Security which offers a good place to start with Metasploit, and covers a lot more ground than I could today.

Blog-wise there's a couple of places I consistently find good information on Metasploit. Carnal0wnage's blog and the Dark Operator blogs have lots of posts on what can be done with Metasploit, as well as the Official Metasploit Blog of course.

Also on twitter following @hdmoore, @carnal0wnage and @egyp7 is a good place to start.

Lastly if anyone's looking for videos demonstrating Metasploit, there's quite a few on Security Tube amongst other places.

More information here

That said I find it useful on the tests I do even when I work alone.

Essentially Dradis provides the base environment for users to work in, either from the command line or the rails based web interface, and then pretty much lets them get on with it, so it can be a bit difficult to work out how you want to use it at first, but once you get used to it it's very handy!

What I've done is started to create templates for information that I need to collect during a test and areas to review, that way it reduces the number of times I get into writing the report and realised I've missed something ;o). Once you create the tree structure in Dradis, containing any information you want, you can export it as a single file and then re-use it as a template on future tests (for example one for web application tests, one for infrastructure etc)

you can also import information from other tools (nmap, nikto, nessus and burp at the moment) into Dradis, meaning you've got a single place to view all the information relating to the test.

It's well worth a look, as it's under active development there are new features coming pretty frequently. Also there are guides on the site for prospective developers and as it's all done in ruby it's nice and easy to start coding for!

SNMPv1 and v2 do not respond when traffic is sent their way unless there is a valid community string in the message, a fact used by scanners like onesixtyone . So traditionally the theory is unless there's a known community string, the service running has a vulnerability or you can get in-line to sniff traffic, there's not a lot to get from SNMP services.

Turns out that SNMPv3 behaves differently from v1 and v2. Firstly the notion of using community strings for authentication is gone, replaced by username/passwords. Second the traffic can be encrypted to limit sniffing opportunites.

However it's not all bad from a testers perspective! unlike earlier versions SNMPv3 will respond to correctly formatted requests and provide some information about itself as part of the reply. This allows confirmation of the servers existence.

To get these responses there's a couple of different tools we can use. Nmap with version detection will confirm that a SNMPv3 service is running and looking at the traffic in wireshark

From this there's a couple of interesting pieces of information. The Engine Enterprise ID field seems to identify the server type that's running, net-snmp in this case and the msgAuthoritativeEngineTime parameter shows the time in seconds since the service was started (according to this page ).

In addition to using nmap, it's possible to use the inbuilt snmp tools to get some information out of the service including possible username enumeration and brute-force password attacks.

Issuing the snmpwalk command with an invalid username like so:

snmpwalk -v 3 -n '' -l noAuthNoPriv -u "invaliduser" 192.168.207.142 IF-MIB::ifName

provides the response snmpwalk: Unknown user name

but if we use a valid username and no password like so:

snmpwalk -v 3 -n '' -l noAuthNoPriv -u "snmpUser" 192.168.207.142 IF-MIB::ifName

we get Error in packet. Reason: authorizationError (access denied to that object)

So it's possible by parsing responses to figure out valid usernames for the service.

Update : Here's a ruby script (should work on linux with snmp tools and ruby installed) which iterates over a list of usernames and a list of IPs and attempts to guess whether the username is valid or not snmpv3enum.rb

A similar technique works with specification of passwords which would allow for brute-forcing those as well, (although that said the snmp tools try to stop people choosing passwords less than 8 characters, so unless a dictionary word is used it isn't too likely to be successful.

Additionally for people who're fond of metasploit, I've knocked up a very basic SNMPv3 scanner. At the moment all it does it take a range of IP addresses and say whether a valid SNMPv3 packet provokes a response from the server, but could be handy. it's here.

There's some good references on setting up and using SNMPv3 here, here and here.

There were several interesting presentations , here's some notes on some of the ones that I got along to. The CD is up at defcon.org, and you can get the slides for most of the presentations there.

SSL Talks - There were several presentations on ways to bypass or subvert SSL. From my point of view the drive was around 2 themes. The difficulty in correctly parsing SSL certs due to the complexity of the relevant RFCs and also the weaknesses in the issuing processes of some CAs (which is exacerbated by the fact that any CA can issue a "valid" cert. for any domain). Dan Kaminsky's white paper on the subject is here, Moxie's blackhat presentation is here and Michael Zusmans' blackhat presentation is here (the defcon presentations are on the CD linked above).

Metasploit - The Metasploit team had a whole track to themselves on Saturday and there's a load of interesting stuff in there, basically looks like Metasploit will have some coverage for most types of assessment eventually, which is very handy!

Egypts presentation on client-side attacks with Metasploit had some great content on browser fingerprinting (not just relying on User-Agent) and client side attacks with Metasploit.

The Oracle presentation from mc and Chris Gates had some good content on going through the steps of an Oracle attack purely using Metasploit (more information on this on CG's blog

Druid had a good talk on the war-dialer that he's added to the framework (unfortunately the slides for that one aren't on the CD, but I'd guess that they'll be around soon). Another interesting thing in the Metasploit track was the demos of the Mac OSX and POSIX versions of meterpreter which are both in active development.

Other Ruby Tools - There was a bit of a theme of ruby tools across some of the presentations. In addition to all the Metasploit stuff, there was a mobile device fuzzer (although the website for it, www.fuzzit.com isn't up yet). Also there was a good presentation on Dradis from etd , which is a Pen test management and reporting tool written in Ruby and Rails.

Password Cracking - There was a good presentation, from Matt Weir, on approaches to password cracking, speeding up brute-force attacks and picking good dictionary files . There's more informaton on this one on his blog as well as on the presentation slides.

Router Hacking - FX had some more information on how to create reliable exploits on Cisco devices and the difficulties in doing so (amazing to think that Cisco Maintain thousands of discreete monolithic router builds!). Slides from the Blackhat presentation are here and White paper here

USB Hacking - Interesting presentation from a guy from MWR on how they approached an assignment to assess the security of a USB device and the approaches to fuzzing that they took. Slides are up on their site here