Plunder, Pillage and Print - Deral Heiland & Peter Arzamendi Notacon 11 (Hacking Illustrated Series InfoSec Tutorial Videos)
In this presentation I will go beyond the common printer issues and focus on penetration testing of internal networks by targeting embedded devices such as multifunction printers (MFPs). I will discuss methods and techniques regularly used to plunder and pillage these devices for user credentials, including authentication bypass, information leakage flaws, firmware attacks, and poorly designed security. By leveraging these methods and techniques, I will discuss how we have successfully gained access to core systems, including email servers, file servers and Active Directory domains, on multiple occasions. Besides the manual methods and techniques a pentester can use to gather user credentials, I will also discuss leveraging the open source tool Praeda for automated data harvesting. In conclusion, I will also discuss best practices for reducing risk while still effectively leveraging MFP devices within a business environment.
Deral Heiland, CISSP, serves as a Senior Security Consultant for Rapid7, where he is responsible for security assessments and consulting for corporations and government agencies. Deral is also founder of the Ohio Information Security Forum, a not-for-profit organization that focuses on information security training and education. Deral has also presented at numerous national and international security conferences including Blackhat, ShmooCon, Defcon, Derbycon, Securitybyte India, and Hackcon Oslo, Norway. Deral has been interviewed and quoted by several media outlets and publications including Bloomberg UTV, MIT Technical Review, MSNBC and PCworld. Deral has over 20 years of experience in the Information Technology field and has held multiple positions including Senior Network Analyst, Network Administrator, Database Manager, and Financial Systems Manager.
Peter Arzamendi, CISSP, GREM, Senior Security Consultant at Rapid7
Peter has over 10 years of experience in systems administration, computer engineering, and information systems security.
Peter has conducted penetration testing of systems and applications, security assessments, forensic investigations, and compliance assessments for the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) for local and state government and the private sector.
Peter is active in the InfoSec community and has presented on security topics at ShmooCon, InfraGard, and local venues. Peter also helps maintain the popular open source password dumping tool Fgdump. Peter's hobbies include malware analysis, exploit research and hiking.