To share a few random observations and cool things:
- At this point it should be clear that browser vulnerabilities are this "generation's" OS-level vulnerabilities. Owning the client means you can do just about anything, including full-fledged attacks against internal networks. David Byrne's anti-DNS pinning really drove this home, particularly when he used Java LiveConnect to proxy a full Nessus scan against an internal host through the browser.
- A presentation on extrusion detection systems by Matasano ended up being far more interesting than I expected. While their research focused on vulnerabilities in agent-based tools designed to prevent information leakage, it conceptually applied to any agent-based product (I'm thinking of SIM tools in particular). Through reverse engineering, they revealed how trivial it would be to take over agents, execute code at the Windows kernel level, spoof reporting data, and cause other havoc. It made me really want to grab a copy of PaiMei and learn more about reversing and fuzzing.
- The Metasploit team gave a fantastic two-part presentation (available on their site) on tactical penetration testing. Their message was one we've always preached to our clients: pen-testing should not just be vulnerability scanning and firing off exploits. They covered some interesting new resources for footprinting targets and network discovery, such as DomainTools.com and Paterva.com.
The presentation also included a demo of a new Metasploit component that facilitates NTLM hijacking. You basically capture the victim's NTLM hash through a man-in-the-middle attack (the WPAD proxy hijack technique works great for this), and can then re-use this hash to authenticate with the user's credentials. There's no need to crack the NTLM hash! I plan on testing this one out in our lab - although our rules of engagement unfortunately often forbid us from performing network redirection attacks against clients.
- SensePost had a presentation on timing-based attacks that I wish I had not missed. They demonstrated "SensePost-aTime", which leverages timing information to perform SQL injection and extract data. I couldn't find it on their web-site yet, but will post as soon as a link is available. Until then, you can check out a recent post on ha.ckers.org that covers a "res://" timing attack that enumerates a user's local files through the browser.
- My "Best Booth Gimmick" award goes to Fortify Software - their Borat-inspired "Discover Hackistan" promotion was pretty damn funny.
Personal goal for next year: to put together a presentation that I can at least attempt to submit for BlackHat or Defcon.