Jan 2017 – Open Mic Night

January 12, 2017 / roanokeinfosec / Leave a comment

open-mic

We had a great time at our December meeting trying our hand at the SANS Holiday Hack and we are planning on our next meeting being just as entertaining. This month we will having an “Open Mic Night” at ECPI on January 12th at 5:30pm.

Here’s how it works, collect those burning IT Security questions and bring them to the group. We will give everyone an opportunity to ask the group questions and then see what we as a group of security professionals can contribute as a whole. The idea is that one of us is never as smart as all of us so let’s share our questions and our knowledge to better secure the valley. If you don’t have any questions that’s fine, we still need you to share your experiences with those of us that do have questions.

We look forward to seeing everyone on Thursday the 12th at ECPI.

Dec 2016 – SANS Holiday Hack Challenge Party

November 30, 2016December 1, 2016 / roanokeinfosec / Leave a comment

santa1

The SANS Holiday Hack Challenge is going to be released on Dec 9th, we’re going to party on Dec 15th:

A LOT of elves are working hard on the 2016 SANS Holiday Hack Challenge right now. So many cool parts and twists to it! Coming Dec 9! pic.twitter.com/UMMWgJ5lbt

— edskoudis (@edskoudis) October 23, 2016

santa2

If you’re not familiar with the challenge it is an annual event put on by Ed Skoudis and his team. It is essentially a game that involves a series of cyber security challenges designed to get you to learn a wide variety of skills. The team does a phenomenal job. It has elements for all skill levels and hints as you go along the way. Last year’s challenge was EPIC and I think my wife was ready to kill me if I didn’t stop playing. I’ll warn you, it can get addictive.

166-addiction

The challenges are kept online each year so you can continue to play, even if you didn’t complete it by the deadline. Here is last year’s challenge if you want take a look: https://holidayhackchallenge.com/ This link will likely update to the 2016 challenge on 12/9. If so, here is a list of past challenges: https://pen-testing.sans.org/holiday-challenge/

I can honestly say, after playing last year, I have looked forward to this year’s challenge all year long. My wife, maybe not so much, since I had my head buried in my laptop for 2 weeks last time 🙂 Here are just a few of the things I either learned about, or added skills to while playing last years challenge: sed, awk, scapy, python, JSON, SQL injection techniques, numerous web application pentesting techniques, Burp Suite, mondoDB, firmware extraction, DNS CnC and data exfil. And when I wasn’t pulling out my hair, I had an absolute blast doing it!

Join us on 12/15 to work on the Holiday Hack Challenge. It is for all skill levels and you will be surprised how much you will learn. We will have wifi access available so everyone can work on the challenge. If you are a student and want to participate but don’t have a laptop, let us know and I will make arrangements so you will have somethig to work on.

To make the best use of the time at the party, go ahead and sign up for an account once the challenge is posted on 12/9. You can start playing anytime after you get an account. I also recommend having some sort of virtualization software on your laptop such as VirtualBox or VMWare Player, both are free. And having a VM running Kali set up. Or if Kali is your main OS you may want to have a Windows VM setup. All of that will aid you in the challenge.

gladiator

As usual we’ll have beer/soda and snacks. Just bring your brains because you’re going to need them.

dan-akroid-santa

The meeting will be at 5:30pm on 12/15 at R&K Solutions, 2797 Frontage Rd NW, STE 1000, Roanoke, VA 24017. Google Maps.

Notes from Oct 2016 Ransomware Meeting

November 30, 2016November 30, 2016 / roanokeinfosec / Leave a comment

notes

Special thanks to Brad at malware-traffic-analysis.net (http://www.malware-traffic-analysis.net/index.html), we used his examples for the October meeting. His site is an excellent resource for learning. He also posts updates and other malware related info on his twitter @malware_traffic.

Here is the traffic we walked through: http://www.malware-traffic-analysis.net/2016/05/13/index.html

And here is the solution: http://www.malware-traffic-analysis.net/2016/05/13/page2.html

To use Security Onion to analyze the traffic you can get the Security Onion ISO here and install it in a VM: https://github.com/Security-Onion-Solutions/security-onion/blob/master/Verify_ISO.md

Here is how to replay the traffic in Security Onion for analysis:

We also had some discussion on how to identify what different types of files really are, regardless of what the extension is; and also how you can carve them out of traffic streams using hex editors. To determine file types you use the “Magic Bytes”: https://blog.netspi.com/magic-bytes-identifying-common-file-formats-at-a-glance/

Here are some resources on ways to extract files (file carving) from pcaps:

SANS paper on file extraction using different tools: https://www.sans.org/reading-room/whitepapers/tools/extracting-files-network-packet-captures-36562
Some more info on some of the same tools in the paper above: http://www.behindthefirewalls.com/2014/01/extracting-files-from-network-traffic-pcap.html
Carving using hex editors: https://www.security-sleuth.com/sleuth-blog/2015/4/18/the-perks-of-being-a-file-carver-1
Carving SMB and SMB2: http://chrissanders.org/2011/11/packet-carving-with-smb-and-smb2/
Carving with Wireshark: https://malwerewolf.com/2014/04/wireshark-primer-manual-carve-http-objects/

We talked about some quick ways to get info on IPs and domains when researching potential incidents. Here is a quick hit list:

Oct 2016 – Your Money or Your Data

October 11, 2016November 30, 2016 / roanokeinfosec

robbery-ransomware

Join us for an interactive forensics scavenger hunt analyzing a pcap with some of the latest variants of ransomware. We will be looking at how Angler EK can, and often will deliver multiple infections such as Locky, CryptXXX and even some unknown goodies.

This will be an interactive session and I will try to come up with some small goodies to give away for those that solve the pieces to the puzzle first. Please bring a laptop with Wireshark installed to participate. Wireshark is a free protocol analyzer and an excellent tool for you toolbox. You can download it here: https://www.wireshark.org/

If you aren’t sure how to use Wireshark you can review the notes from our May session about Wireshark. There are also some good tutorials on Youtube. These both use the old Wireshark interface, the new one looks a bit different. All of the concepts are the same, some of the menus have just been moved around. If you have it installed, and are familiar with it, the session will be a lot more beneficial to you.

The meeting will be on 10/13 at R&K Solutions, 2797 Frontage Rd NW, STE 1000, Roanoke, VA 24017 at 5:30pm. Google Maps.

Presenter Bio:

Nate Sykes is the IT Director at R&K Solutions. Nate has worked in all areas of system and network administration. He has been involved in different aspects of security for the last 6yrs, mostly involving prevention and detection. He holds GSEC, GMON and Security+ certifications.

Twitter: @n8sec

Sept 2016 – Bad, Bad USB

September 1, 2016 / roanokeinfosec / Leave a comment

Screen_Shot_2014-08-01_at_4.55.11_PM_1024x1024

We are in for a treat in September! Jeremy Dorrough is going to do an updated version of the presentation he did at DEF CON last year.

woo hoo

USB Attack to Decrypt Wi-Fi Communications

Jeremy Dorrough Senior Network Security Architect / Genworth Financial

The term “Bad USB” has gotten some much needed press in last few months. There have been talks that have identified the risks that are caused by the inherent trust between the OS and any device attached by USB. I found in my research that most of the available payloads for the USB rubber ducky would be stopped by common enterprise security solutions. I then set out to create a new exploit that would force the victim to trust my Man-In-The-Middle access point. After my payload is deployed, all Wi-Fi communications will be readable, including usernames, passwords and authentication cookies. The attack will work without the need of elevating privileges, which makes it ideal for corporate environments.

usb-flash-drive-skull-ring-2-Check Flash

Bio: Jeremy has built his career around protecting assets in the most critical IT sectors. He started his career working in a Network Operations Security Center for the US Army. He then went on to work as a Network Security Engineer defending Dominion’s North Anna Nuclear Power Station. He is currently a Senior Network Security Engineer/Architect at Genworth Financial. He is a MBA, CISSP, CEH, GIAC GPPA, CSA CCSK, ABCDEFG… Blah Blah Blah.

Jeremy has spent over 10 years researching and implementing new ways to defend against the latest attacks. He enjoys creating new exploits and feels it makes him a more well-rounded defensive Security Engineer. He is happily married and a father to two soon to be hackers. When he’s not staring at a command prompt, he is busy building and driving demolition derby cars.

Twitter: @jdorrough1

ECPI was kind enough to host this month, the meeting will be on Sept. 8th @ 5:30pm.

Taming the Shark

May 13, 2016May 14, 2016 / roanokeinfosec / Leave a comment

105687

Another great meeting with a lot new faces and a lot of familiar ones. Big “Thanks!” to David Raymond (@dnomyard) for presenting and ECPI for hosting. David was kind enough to provide us a copy of the slides, you can grab them here:

If you want some more practice with pcaps and malware definitely check out: http://www.malware-traffic-analysis.net/ Just be careful if you export HTTP Objects hazmat out of those as they do contain actual malware. Don’t infect yourself! 🙂

Brad (@malware_traffic), who runs that site, does an outstanding job posting tutorials as well as breakdowns of current samples and traffic patterns. He joined Unit 42, Palo Alto’s Threat Research group,which does some excellent in depth write-ups on malware. This write-up on Locky ransomware and Nuclear EK is a good example: http://researchcenter.paloaltonetworks.com/2016/03/locky-ransomware-installed-through-nuclear-ek/

David Raymond presenting

David, Michael and Rob

Just talkin’ shop

Also, don’t forget the RBTC Vulnerability Management forum is coming up as well as RVASec. If you know of other “local” security events please email roanokeinfosec@gmail.com and we will get them posted to the site.

Last but not least, if there is a topic that you would like to request for a presentation please let us know. We will do our best to line up a speaker. Or if you can speak on a topic please let us know and we’ll get you in the line up!

May 2016 – Deep Dive with Wireshark

April 29, 2016April 29, 2016 / roanokeinfosec / Leave a comment

sharks-1

Meeting info: May 12th, @6pm, at ECPI (directions below).

This meeting is a can’t miss opportunity for a hands on deep dive with Wireshark. David Raymond (@dnomyard, bio below) who has previously spoken at Black Hat USA, RSA and Scmoocon will be presenting.

wireshark2

Wireshark is a great tool for quick-and-dirty network traffic analysis and it is widely used for network troubleshooting and incident response. In this hands-on discussion, we will review the basics of Wireshark and discuss capture filters, display filters, and basic protocol analysis. We’ll then go beyond the basics to talk about more advanced features of Wireshark and touch on some of the command-line utilities that come with it, such as tshark, editcap, mergecap, and randcap.

To get the most from the discussion, attendees should bring a laptop with the latest version of Wireshark installed.

ECPI (5234 Airport Rd NW #200, Roanoke, VA 24012 or Google Maps) will be hosting the meeting and there will be some lab machines available for use by those without a laptop available.

David Raymond currently serves as Deputy Director in the Virginia Tech IT Security Office and Lab. In this position he helps oversee the security of the VT network, advises graduate students and undergrads doing cybersecurity research, and teaches courses in computer networking and security in the Department of Electrical and Computer Engineering. David holds a Ph.D. in Computer Engineering from Virginia Tech, a Masters in Computer Science from Duke University, and a Bachelors in CS from West Point. He has published over 25 journal and conference publications on a variety of topics and has spoken at numerous industry and academic conferences to include Black Hat USA, RSA, Shmoocon, and the NATO Conference on Cyber Conflict.

RBTC Cyber Security Forum: Vulnerability Management – May 24th

April 18, 2016May 13, 2016 / roanokeinfosec / Leave a comment

cyber-security-forum_post-image_may16-d

Don’t miss another great local opportunity to network with area security professionals. The RBTC Cyber Security Form next month is all about vulnerability management. Prior RBTC events have been excellent, and the hors d’oeuvres are not to be missed! Details on the event can be found on the RBTC website: https://rbtc.tech/2016/04/cyber-security-forum-vulnerability-management-may/

April 2016 – Here come the Feds!

April 1, 2016April 18, 2016 / roanokeinfosec / Leave a comment

gty_fbi_ferguson_ml_141121_16x9_992

Our next meeting is April 14th at ECPI in Roanoke (address is below) at 5:30pm. The speaker will be an FBI Special Agent who has been with the FBI for 12 years and is currently in the Richmond Division with a focus toward the Roanoke area. He is currently working national security matters and has agreed to come and share with us his experiences and his thoughts on how we can assist in protecting our companies, valley and country. fbi_logo_twitter

It’s always good to meet your local FBI liaison. If you have a serious breach at your company or discover illegal activity on your network, you need to know who to contact.

Special thanks to Michael for opening up the ECPI facility to us and to Stephan for lining up our speaker.

Meeting Location:

ECPI University
5234 Airport Rd NW #200
Roanoke, VA 24012

Google Maps:
https://www.google.com/maps/place/ECPI+University,+5234+Airport+Rd+NW+%23200,+Roanoke,+VA+24012/@37.319834,-79.959449,16z/data=!4m2!3m1!1s0x884d0e5e69f5c107:0x6c5be18e3d3f596f

March 2016 – Common Network Penetration Testing Techniques

April 1, 2016April 1, 2016 / roanokeinfosec / Leave a comment

hack all the things

Our discussion subject for the month of March was Network Pen Tests.

What are they?
Do they provide value?
How are they done?
What do you do with the results?

Our guest speaker was Russel C. Van Tuyl (@Ne0nd0g). Russel is an experienced Network Pen Tester with Sword & Shield in Knoxville, TN and has agreed to walk us through his Network Pen Testing procedures.

Here is a quick write up about his presentation:

Attackers can take complete control of a Windows domain by establishing full administrative rights to networks resources. This access can then be used to steal your organizations crown jewels, the thing that makes your organization money. This talk will introduce common attack paths used to compromise a domain. Additionally, a brief introduction to the tools used to perform some of these common attacks will be covered. This presentation will conclude by providing information on mitigating or detecting these common attacks. The audience will be provided with an opportunity to ask any questions, even if they’re not related to the presentation.

Update: Russel did a fantastic job presenting. His presentation was entertaining and had a ton of great information. He not only covered some of the techniques he uses when pen testing, he also talked about ways to mitigate them. If you didn’t walk away with a “To Do” list of things to check on your network, or a list of fun new things to try, you weren’t paying attention.

Here are the slides from the presentation:

Common Pen Testing Techniques

PowerShell Empire

He demonstrated how PowerShell can be an admins best friend, or worst enemy, by showing us how easy it was to use PowerShell Empire to compromise a box.

Our own Grant Sims has since created step by step video showing how to use one of the PowerShell techniques Russel spoke about. He shows how to use PowerSploit to get a meterpreter shell:

RISE – Roanoke InfoSec Exchange

The premier InfoSec group in the Roanoke, VA region!

Infosec