Matt Gardenghi

Matt took a SANS class with Ron back in like 2005, and used to hang out with us in IRC. He contributed a couple of cool blogs way back then!


Finding Mapped Drives with Meterpreter

This post written by Matt Gardenghi

This is going to be a series of short “how to” articles so that I have a resource when I forget how I did something. Your benefit from this post is incidental to my desire to have a resource I can reach when I’ve had a brain cloud.

When cracking into a computer via Metasploit, I often (OK, usually) install meterpreter.  It just makes life simpler.  Well, the other day, I was chatting with @jcran about my inability to get access to network drives on a Novell network.  The problem is that Novell maps drives in a sort of funny method compared to Active Directory. At least that was my thought.  The problem generally is that Novell handles things so extremely differently than AD that I assumed this would be different too.  #facepalm


Information Security For College Students

I’ve thought about this off and on over the last few years.  Today I noticed that Kees Leune (http://www.leune.org/blog/kees/2010/07/teaching-agai.html) is going to be teaching a class this school year.  He was asking for comments, and so here’s mine.

I’d like to see a threefold class system.  The first class would entail an overview of the 10 Domains.  The second would be Offensive Security and the third would be Defensive Security.

There is a reason for that ordering.  Without a good understanding of the fundamentals of security (the 10 domains), the second two classes will have less value.  Understanding the idea of physical security, as well as separation of duties and the like, really supports both defensive and offensive security.  Defenders are better when they understand the threats.  Therefore, I place Offensive Security before Defensive Security.  But that’s preference.  You could teach them together and make it a two-part class (firewall defense/offense; Linux offense/defense and so forth).


Metasploit Express Beta – First Look

This post was written by Matt Gardenghi

These are just initial impressions of a beta product.

I’ve been playing with this for about a week now in an internal network.  I have a dedicated box running Ubuntu 10.04 and Metasploit Express.  I’ve noticed that Express loves CPU time but is much less caring about RAM.  It’s also not multi-threaded.  I’d recommend a dual core box as Express will peg one core.  If you want to do anything else while Express is running, you need two cores. Still, Express does not require an expensive RAM build out. I’ve run top plenty of times and seen that the RAM usage remains low even when I’ve had 170+ shells running.  :-p  Hopefully, we’ll get multi-threading down the road.  When multiple tasks are running simultaneously, this lack of multi-threading becomes an issue.  Everything slows to a crawl.


Confidential Information in the Cloud

This is another special blog written by Matt Gardenghi!

My boss passed around a document about database security in the cloud.  It raised issues about proper monitoring of the DB, but offered no solutions.

This got me thinking.  I hate it when that happens.  It’s like an automatic “boss button” that I can’t switch off.  /gah

For the sake of argument, let’s assume we are discussing VMs hosted on some provider’s (Amazon) VMware ESX cluster.  This could really apply to any VM on any company’s specific VM host, but VMware is big, popular, and a good basis to work from.  Let’s say some marketing exec bought a package that would hold data on a machine in the cloud.  (You may shoot him later; right now, you have to deal with the issues of integration into your secure environment.)


Exotic XSS: The HTML Image Tag

There are the usual XSS tests.  And then there are the fun ones.  This is a story about a more exotic approach to testing for XSS.

I was testing a company that had passed all XSS tests from their pentester.  I found that they allowed users to write HTML tags.  Of course they didn’t permit <script> tags or <iframe> tags.  (Well, they did allow those, but that was an oops: no server-side filtering.)  This company had whitelisted a variety of “safe” tags for use by clients.

That’s boring, right?  Heh, thanks to Ron, I had a way to abuse their whitelist.  (I’ve since found this in the Web Application Hacker’s Handbook, but I seem to have overlooked it at the time I read it.)  Three HTML 4 tags in particular allow JavaScript to be run from one of their attributes, and these are: <img>, <object>, and <style>.


Are you a “Real” hacker or just a skiddie?

This is yet another guest post from our good friend Matt Gardenghi! If you enjoy this one, don’t forget to check his last one: Trusting the Browser (a ckeditor short story).

Often, I hear arguments that go like this: real hackers write code and exploits; everyone else is a script-kiddie.

That is a dumb argument on all sorts of levels.  For starters, those who make this observation are usually those who can write code.  Therefore, everyone who can’t meet their personal standards/abilities as a coder is a “skiddie” who demeans the profession.

I find it intriguing that everyone defines the basis for a good pentester by their own capabilities.  Clearly you think that you are good and it’s normal to think that everyone will want to be good just like you.  Consequently, they should all do as you do, right?  Wrong.  We need diversity of backgrounds, skills, and opinions.  It’s healthy not to inbreed (intellectually or otherwise).


Trusting the Browser (a ckeditor short story)

My name is Matt Gardenghi. Ron seems to think it important that this post be clearly attributed to someone else (this fact might worry me). I’m an occasional contributor here (see: Bypassing AV). I handle security at Bob Jones University and also perform pentests on the side. (So if you need someone to do work, here’s my shameless plug.) I have acquired the oddly despised CISSP and the more respectable GCFA, GPEN, and GWAPT.

I know a company that purchased some Web 2.0 services.  We’ll leave it at that, to protect the guilty.  :-p

So, one day a bored user decided that the editor used on the site was annoying.  He used GreaseMonkey to replace the editor with his preferred editor.  This was “Clue #1” that a problem existed with the Web 2.0 service.


Bypassing AV over the Internet with Metasploit

I performed all of this to learn more about data exfiltration, remote control, etc. over a tightly controlled corporate environment. It was depressing, actually. It’s far too easy to gain control of a corporate network, even one that is conscientious. This work is built on the info at metasploit.com.

Oh, let me just say thanks for Metasploit.  Words fail to describe how nice this project is.  Thanks guys.

So, I want to share what I’ve learned and offer some thoughts for pondering.
