nCircle.com >> 360 Security


cansecwest/core06 "Metaexploitation"

HD Moore – BreakingPoint
Title: Metasploitation (and a dash of IPS)

What can I say, I’m in the fan club!
Metasploit is deserving of a design award. HD covered the new version 3 of Metasploit and also new IPS evasion techniques that are awesome!

http://cansecwest.com/slides06/csw06-moore.pdf

The tool and the presentation speak for themselves.

The only color I could add is this: I don’t know HD, but he thinks like a gamer. What I mean is that in terms of game theory and the principles involved in ‘game play’, he gets it. Most of the evasion techniques leverage one of two tactics:
#1 Remove as many deterministic factors as possible from your opponent’s observation of your actions, while staying within the boundary of your functional objective.
#2 Learn as much as you can; get as much intel as possible prior to your move.

Reality Check: IPS vendors and customers who are spending lots and lots of money on IPS solutions that make big claims, review the slides. v3 of Metasploit will redefine the effectiveness of any and all IPS solutions.

I was happy to see that the new class of modules – aux modules – are all about gaining intelligence about the environment. This intelligence then supports smarter execution of Metasploit’s offensive actions.

Yes, version 3 of Metasploit is a complete re-write in Ruby.
Yes, Ruby does rock. Some things are just self-evident.

Other tools that got mentioned in his talk:
‘skape’ – IDA Pro-like stuff (research toolkit)

‘vinnie’ – Anti-forensics tool (completely hoses EnCase)
It can mess with attributes important to these forensic tools.
Apparently, Windows will allow one to seek past the end of a file and hide data there. I have not tried it, but that sounds ugly.

‘IDARub’ – IDA plugin that will interface with Ruby (spoonm)
‘Hamachi’ – publicly available client-side fuzzer (hdm)

As always, most of this great work is somewhere in the vicinity of:
Metasploit.blogspot.com
Metasploit.com

[HD, if you read this, how about asking Cansec to get better projectors next year.]

--tk

Comments (2)

Byron Sonne:

Re: vinnie anti-forensic tool. When you mentioned that Windows allows you to write past the end of files (to hide data), are you perhaps talking about streams? (http://support.microsoft.com/kb/105763)

Byron Sonne:

Phew - he wasn't talking about streams! I was hoping it was something new :)


About

This page contains a single entry from the blog posted on April 6, 2006 12:31 AM.