INFOSEC NIGHT: War Stories from the Red Team (09/21)

DATE: 21SEP2017

TIME: 1900-2100

TOPIC: INFOSEC NIGHT: War Stories from the Red Team

SUMMARY:

Penetration testers attack systems, exploit people, process, and technology. We break in, root around, and cause mischief and mayhem, and they pay us for it. Why? Because knowing what the bad guy can do helps corporations prevent the real bad guys from getting in. We are the sexy rogues than you don’t take home to meet your mother… Unless we have her under contract first.

Red teaming is an adversarial engagement where the objective is to breach, compromise, and otherwise invade a companies resources paid for by that same company to help them map their exposure and develop a plan to shore up risks. Red teamers assume a scope and persona, and make things happen. We may be required to break in to computers, buildings, or secure areas. Our goals might be to gain domain admin or to access the recipe for the secret sauce.

Tomorrow, join me as I tell all (that my NDA will allow). The good, the bad, the ugly. War stories from the front line, and a Q&A.

GOAL: To tell stories and have fun

WHAT TO BRING: Questions and comments

SKILL LEVEL: Everyone

PRESENTER: httplov3craft

Posted in Workshop | Leave a comment

OSCP Study Group – Friday Sept 22nd

PURPOSE: Hack things to help prep for the OSCP Certification.
TIME: 7pm Fridays (Except 1st of the month)
Check the meetup to RSVP: https://www.meetup.com/Unallocated-Space/events/242846500/

FORMAT: This week it is — Lecture & Lab time (~40/60)

SKILL LEVEL: Intermediate – Advanced
Go through exercises & reading for weeks: 1 – 4
https://pentesterlab.com/bootcamp

SUMMARY: We talk about hacking boxes then we hack boxes.
This week we’re covering weeks 3-4 from
https://pentesterlab.com/bootcamp and using the oscp simulated network in hands-on activities led by Rhett.

EQUIPMENT: Kali (VM or Bare Metal)

POST MEETING MINUTES: To be updated after meeting

LAST SESSION:

    • ATTENDANCE: 9

We took a break from walking through the pentest bootcamp materials to participate in CSAW CTF 2017 because CTF’s are fun. Before we jumped in we ran two demo’s.

  • Meatbunny gave a nice live demo on http for the newbies, and reminded us all that you can just use the python SimpleHTTPServer instead of setting up a full web server. Here’s the spell python -m SimpleHTTPServer
    This project has been moved to http.server in python3. Find out more by clicking on this Fancy Link
  • flay walked through a python script to communicate over sockets using the socket.makefile method instead of handling buffer data manually. (Used this exact thing on the solution for ‘ serial ‘ in CSAW.
  • Then we all started banging on CTF problems. Ask for our hideous code / solutions. We’ll probably share.
    If you want to play, join #ctf ; we’re competing until it ends.
Posted in Events, Workshop | Tagged | Leave a comment

Arduino Night – Wednesday September 20th

Purpose

Arduino Night is a meetup for those interested in learning more about microcontrollers and their applications. Each month we’ll explore a new topic and get some hands on experience using the Arduino environment. All experience levels are welcome; we will cover basics for beginners and discuss more advanced topics for those with more experience who are interested.

Format

The intent is to be workshop focused. I may cover some topics in a short powerpoint, but I want you to walk away from every class having built/written something, or at the very least have you started down the path to building/writing something.

The actual focus of each class will vary, depending on what people are interested in. If there is a topic you would like to explore, or a project you would like to build, please don’t hesitate to ask!

Equipment

Hardware

You’ll need a board that can be programmed by the Arduino IDE.
There are countless available but you can buy both the component kit and an Arduino (uno) for $20 dollars each during the class ($40 dollars total).

If you want to build your own kit, Here’s a very brief overview of different Arduino compatible boards.

  • Arduino Uno (or compatible) – The ‘vanilla’ Arduino board. It has the basic input/output, and will give beginners plenty to play with. However, it doesn’t have any connectivity built-in, so if you want to do more than just control things you’ll need more hardware. You can order these online, or pick one up at Microcenter.
  • Arduino Nano – Small and compact version of the Uno.
  • ESP8266 Based Boards – A family of boards based on the ESP8266 wifi module. These boards can be programmed by the Arduino IDE and come with wifi built-in. There are a number of libraries available to do a bunch of intersting things. Here are some available options:
  • Many, many, many more

If you’re just getting started, an Uno (or Uno clone) is a good starting point.

I would also recommend some basic components: LEDs, buttons/switches, resistors, transistors, buzzers and 7-segment displays. There are a variety of kits available that come with everything you need to get started. Check Amazon, Adafruit and Sparkfun for some available options. Adafruit and Sparkfun also sell individual components. We will also have some components
available for those who are not able to bring their own.

Software

If you are just getting started, please install the Arduino IDE, or set up the Web IDE.

If you have some experience under your belt, and you hate the Arduino IDE (I don’t blame you), I’d recommend Platformio. It’s a good step up from the standard Arduino IDE.

September Class Project

We’re going to build a stopwatch/timer!

The hardware for this will involve at least two 7-segment displays, a piezo-buzzer, two buttons, and your Arduino. We will have resistors on hand for those who do not have their own. We will have kits available in limited quantity with all these parts (and more) for $20. If you have a board with limited I/O, you will also need a shift register.

We will use this as an opportunity to explore the various libraries available on the Arduino platform. We’ll also explore some basic programming techniques and practices.

Instructor Note

Hi, I’m Clegg. I work as a Firmware Engineer and have a passionate interest in embedded computing. I love the intersection of hardware and software, where resource constraints call for interesting solutions to difficult problems. I hope to encourage others to take an interest in this growing field.

Posted in Workshop | Leave a comment

OSCP Study Group

Hey all,

For the next few weeks we’re shifting the format from doing liveshares on vulnerable machines to doing a more conventional class structure supported by instruction, followed by lab time.

Much of the instruction is being done by an OSCP / OSCE holder as well as a regular speaker, most recently at BSidesLV and Defcon25.

I’m currently in the process of building a vulnerable network which mirrors boxes found in the OSCP labs which should be done by the next meeting.
If you want to catch up go through weeks 1-2 on:

https://pentesterlab.com/bootcamp
Thanks!
– Flay

POST MEETING MINUTES 8/25/17:

  • cmdandcontrol did a live walkthrough of weeks 1&2 from pentesterlab (including writing the http clients).
  • httplov3craft shared A sick method for Bypassing Split-Token UAC on administrative accounts. This is current for fully patched and updated windows 10 as of 8/26/2017.

  • flay shared an enhanced interpreter called bpython and showed how it can be used to do speed up python script development. Its awesome, you should use it.

  • meatbunny and f13 threw in serious work in getting the infrastructure ready for the oscp simulated lab. I stayed through most of the night and got 8/10 of the vulnerable machines live, so as of now it is ready to use.

  • NEXT WEEK: Weeks 3 & 4 on ptl-ptl-bootcamp Read up on PHP & DNS as well as SSL / TLS and do the exercises.
  • Posted in Events, Hacking | Tagged , , | Leave a comment

    Arduino Night

    Purpose
    Arduino Night is a meetup for those interested in learning more about microcontrollers and their applications. Each month we’ll explore a new topic and get some hands on experience using the Arduino environment. All experience levels are welcome; we will cover basics for beginners and discuss more advanced topics for the more experienced who are interested.

    Format

    At the moment, the format is open. It will likely evolve depending on who shows up and what they are interested in. The current plan is to have a brief presentation about a certain aspect of microcontrollers, and then break up into a workshop where participants can build various circuits with their Arduino. I am open to suggestions, as I want to make the class entertaining and useful to those who are interested.
    Continue reading

    Posted in Workshop | Leave a comment

    Unallocated Space’s 7th Anniversary Party (Nov 11th)

    **You’re invited to the Unallocated Space’s Seventh Year Anniversary Party!

    The time is upon us again. It’s time to celebrate our successes with all our friends and patrons! Unallocated Space (UAS) cordially invites everyone to join us on Saturday, November 11, 2017 to celebrating 7 years of providing the community a place to teach, learn, and build.

    Expect copious amounts of food, drink, people, and music. What would be an UAS Party without a fire tornado ‽ (Interroban: U+203D) Thank goodness you don’t need to ponder this too long. There will be an epic fire tornado and mini conflagration (aka camp fire).

    Also we are excited about updating you on the good things we’ve been up to and love to thank all those outstanding individuals who’ve contributed to the space this year by making a few exciting announcements and changes within UAS. **If you like having fun and meeting people with similar interests, then this event is for you!

    • Date/Time: Saturday, November 11, 2017 / 3PM – 12AM
    • Location: Unallocated Space, 512 Shaw Ct Ste 105, Severn, MD 21144

    Continue reading

    Posted in Workshop | Leave a comment

    INFOSEC NIGHT: Practical Privacy with a slice of Pi

    DATE: 10AUG2017
    TIME: 1900-2200
    TOPIC: INFOSEC NIGHT: Practical Privacy with a slice of Pi
    SUMMARY:
    Our privacy online has never been under more threat than it is today. With bulk data collection rampant, and ISPs obtaining the right to sell browsing history how do you maintain a practical level of privacy and take control of your digital life back.
    Continue reading

    Posted in Workshop | Leave a comment

    INFOSEC NIGHT: Certifications Open Forum

    SUMMARY:  For those in INFOSEC and starting out in INFOSEC there is a small barrier to entry to some jobs.  Ok there are a few barriers but those are not tonight’s topic.  We will talk about all the Alphabet soup Certifications that keep popping up on job requirements and the best way to tackle them.  Maybe you don’t need them and you want a leg up on your resume.  Maybe you just wanna know where to get started.  Well this night is for you.  And on that note the night is not for old INFOSEC curmudgeons to come in and talk bad about certs or your opinion on certs validity.  You will be deemed a troll and dealt with accordingly.  I should not have to say that and you know who you are.
    Continue reading

    Posted in Events | Leave a comment

    INFOSEC NIGHT: Working Group Kali Sucks

    Thank you to Everyone for coming out to INFOSEC NIGHT.

    We started off a little slow and with some confusion and some help from the crowd I think we are on the right track.  I am not sure if I misrepresented what the idea was for the event.  I will just clarify so we are all on the same page.

    First and foremost this is a Working Group NOT a class.  This is a thought exercise and a reason to learn some stuff or find a better way to do something.
    Continue reading

    Posted in Events | Leave a comment

    InfoSec Night: Working Group-Build a better Kali Kick Off

    TOPIC: Working Group-Build a better Kali Kick Off
    SUMMARY: Kali Linux is like that Swiss Army Knife that everyone has with 127 tools on it. Some tools are used more often and for the most part the rest of it is just bloat and goes unused. I am not saying Kali is unusable and is terrible, but wouldn't it be nice to have your own build that is suited for you and updates and builds things the way you like every time. No matter what you do Blue Team or Red Team you have your go to tools and development environments. I want to start building scripts and use Dave Kennedy’s Pen Testers Framework (PTF) to create something people can use to deploy their own environment.
    Continue reading

    Posted in Events | Leave a comment