Black Hat T-Shirts!
Well, it's a week or so until DEF CON 23, and since you're all busy prepping all your demos and presentations and panels and things, I figured I should remind you that among all your gear, you should probably toss some clothes in your bag before you head out the door. In case this slips your mind, though, don't sweat, we have you covered.
Pictured at right is the winning design from the annual Metasploit T-Shirt contest, submitted by LewisFX, lovingly rendered as 100% cotton and ready for Vegas.
So, if your conference experience is turning out like that high school stress dream where you have to stand in front of the class and you suddenly notice that you're nude, be sure to swing by our booth and pick one up before your speaking slot -- you're on your own for pants, though.
Thanks so much to all of this year's contestants -- you all have set quite a bar for next year's design goals!
DEF CON Shirts, Too!
By the way, this isn't the only shirt we're offering. We have another design put together for the DEF CON vendor room which celebrates our commitment to, and passion for, open source security software, pictured here:
We'll have a spot in the DEF CON vendor room where we'll be selling these insanely boss T-shirts to raise money for our buddies over at the Electronic Frontier Foundation.
The EFF helps keep well-meaning security researchers like yours truly on the Internet and out of prison, and that can be an expensive job. If you love freedom, swing by and pick one up. You and your kids will love them. If you are a kid, you will love them twice as much.
A whole pile of Metasploit engineers will be staffing the table, just like last year, so you're likely to run into me (Tod Beardsley), Dave TheLightCosine Maloney, Trevor Rosen, and/or egypt, depending on what time of day you pop in. If you're a Metasploit contributor, say so, unless you don't want some near stranger fawning all over you for five minutes, gushing over how you're the reason why we show up to work most every day.
Thanks especially to our own community manager, Maria Varmazis, for her doodling of these critters. The security world needs more adorable cartoons, given our usual scruffy, devil-may-care stance on things. Also thanks to Marshall Kirk McKusick for blessing Maria's interpretation of the BSD Daemon (used with permission).
With all the Black Hat / DEF CON / BSides prep, it looks like we only have two new modules this week. The first, from long-time contributor Ramon de C Valle, is an implementation of the latest "OprahSSL" bug, where anyone can impersonate a CA, given a valid leaf certificate. Using this module can effectively demonstrate the risk posed by an unpatched OpenSSL client in your environment, but the setup can be a little tricky, given that it's a man-in-the-middle attack. You'll want to take a look at the original PR for the testing and implementation notes from Ramon and Juan.
The second, from resident post-exploitation artiste OJ TheColonial Reeves, implements the time-honored "sticky keys hack" as a post module. This is a fine mechanism to ensure that your first compromise of a target device is not your last, so long as you can get to an interactive login terminal. Handy!
As usual, you can see the full diffs between last week's Metasploit Framework and today via this compare view.
See you next week!
Auxiliary and post modules
- OpenSSL Alternative Chains Certificate Forgery MITM Proxy by Adam Langley, David Benjamin, and Ramon de C Valle exploits CVE-2015-1793
- Sticky Keys Persistance Module by OJ Reeves