EC2 Metadata Extractor

While performing a security assessment this last week I found that the applications ran in a containerized environment on AWS EC2 instances. The EC2 meta-data service was available to be queried from within these application containers (not a best practice) and exposes a rich array of information for any would-be attackers who can gain a shell into the container or cause the application to perform SSRF against the local metadata service endpoint.

I wanted a quick way to query all of the meta data and user-data exposed by the EC2 meta-data service and created this metadata extractor script.

Get SmallWorld 2 running on Ubuntu 16.04

I'm a big fan of the Small World board game and was pleased to see they have a version available on Steam. Unfortunately it did not run correctly on my primary system (Ubuntu 16.04). In fact, it did not start at all. When I ran it at the CLI I found error messages that aided me in my quest to get the game running. Read on for the details.

DEF CON 26 Notes

This is my 6th DEF CON and I plan on coming back for more! There is a lot of life and energy at the con that I haven't been able to find at other conferences. A big appeal to me is that DEF CON itself is kind of a wrapper event where you find a number of mini-conferences (called Villages), so even if the main tracks don't interest you, odds are you'll find something at the 27-ish villages that run at the same time.

Black Hat 2018 Session Notes

This year's Black Hat USA conference was pretty solid. Every timeslot had something available that I found interesting and often times I had to pick between competing sessions that captured my interest. Conference organization and crowd control was excellent again as usual. The mobile app this year had more features than in previous years, which I appreciate, though it does lose a few points for complicated and missing capabilities.

For a quick reference on the sessions and tool demos, see the Briefings and Arsenal pages

Review of Black Hat Advanced Infrastructure Hacking Training (2 day edition)

I had the chance to attend Black Hat this year and attend a 2 day of my choice. This year I took the Advanced Infrastructure Hacking - 2018 Edition: 2 Day session sponsored by NOTSOSECURE. It can be hard to find reviews of these trainings so I think it's worthwhile to post my thoughts here.

Rough Notes From RSA 2018 Conference Sessions

My notes from RSA 2018 sessions and labs. I've sanded off the rough-edges from my raw notes. Might still be a bit 'bumpy'

RSA 2018 - Highlights & Thoughts

When the opportunity to attend RSA came up, I decided to take a chance to see how it compares to other security conferences I've attended in the past (like DEF CON, BlackHat and BSides). After attending the 5 days of the conference I can say that RSA definitely has a different 'feel' to it than the other conferences and depending on what you are trying to accomplish, it may or may not be a good value for the $$$ spent.

Preparing an offline installation of Python 3.4 (+packages) for CentOS 6

We ran into an interesting situation on a legacy system where we were unable to allow outbound traffic on a CentOS 6 server to the internet, yet we needed to install Python 3.4 and the 'requests' library on the server.

Guide to Troubleshooting the Dreaded OpenVAS 8.0 503 Status Code (service temporarily down)

OpenVAS is an open source vulnerability scanner that I have used (and seen used) over the last few years. It's history goes back to 2005 as a fork of a previously open source (now commercialized) vulnerability scanner. This tool tends to be used when the dollar-cost of a commercial solution appears to outweigh the time and effort needed to maintain an effective OpenVAS installation.

The most common problem that I encounter using OpenVAS is the 503: service temporarily down error. When I see this message it almost invariably ties back to an expired self-signed certificate. I've seen this error enough times that I want to document the process in case I end up using this tool again in the future.

Reverse engineering a 'secure' system data collection tool

Awhile ago at a previous employer I worked with a VAR to do a system and software inventory of our workstations. They had written a custom application in C#.NET (for windows systems) and a bash script (for Mac OS) that captured the inventory data and encrypted it for us to email back to them. Sounds pretty straight forward, right?

I asked them about how the data would be protected on collection and being transmitted to them and surprisingly heard back from the VAR that their encryption mechanism 'cannot be disclosed publicly'. Hmm.... Before agreeing to run the programs and send back results, I performed a secure code review and found some interesting things about their collection tools.