I’ve been meaning to post a quick review of this for a while, but better late than never…
Recorded at Notacon ’09 CG and g0ne gave a great presentation on client side attacks, video here. The talk starts of with explaining what client side exploits are, and more importantly why we should care. And finished off with some quick and dirty client side attack examples using Metasploit.
I’ve found this talk really useful and have listened through it on several occassions to get a better feel for the client side aspect of penetration testing. Client side is an area that has been targetted quite extensively by the ‘bad guys’ and is just starting to get wide ranging attention from the security industry as a whole.
Throughout the slides, and at the end of the presentation, there are several links to additional reading and sources used for the presentation. Like the presentation itself I’ve found these to be very informative and provide useful info and techniques with genuine real-world application. Highlights of these links come from Lenny Zeltser and two post from Carnal 0wnage.
I definitely agree with all those that believe that client side is the next (or current) source of pain for the security industry and that traditional security architecture and tools aren’t currently up to the job of protecting against the threat.
As though client-side attacks weren’t easy enough thanks to the power of Metasploit as demonstrated, I recieved a link to a blog post priming the world for the release of Assagai, a new phishing framework. If it can live up to the billing, then I can’t wait to get my hands on the framework at release.
— Andrew Waite