Tenable Blog

BruCon 2010 Training & Conference Wrap-up

Brucon is a security conference held in Brussels, Belgium. This was the second year of Brucon, and it consisted of two days of training and two days of presentations. It’s a decent-sized conference of about 300 people total, including speakers and attendees. Everyone at the conference was extremely nice and very hospitable. The organizers went above and beyond to make sure that attendees had a good time, were able to get around the city and (most importantly) share ideas about information security in an open environment.

Advanced Nessus Training

I ran the "Advanced Scanning Techniques Using Nessus" course, which is a two-day class designed to explore all of the Nessus features, including the impact of various settings, scanning with credentials, customizing audit files, web application scanning and using the Nessus API. I have to say that the students in the class were outstanding. We even had some extra time and were able to do some more advanced work, such as running Hydra from within Nessus, along with some extra debugging.


Every time I teach this class, the students tend to have a few of what I call "Aha!" moments. Most of my students are already familiar with Nessus, know how to run basic scans, review results and configure scan policies. After taking this class, they learn about some of the other Nessus capabilities such as:

  • How Nessus can scan web applications. I break this down into three categories:
    1. Identifying vulnerabilities in the operating system, database or web server the web application is running on
    2. Identifying known vulnerabilities in installed web applications
    3. Fuzzing the web application parameters for several different types of vulnerabilities
  • The power of .audit files - We customize a Nessus .audit file and run it against the target provided in class. Students really like being able to run a Linux command and check the results from within a .audit file.
  • Making use of the API

I can't wait to teach this course again, and I already have ideas for several updates and additions including:

  • Writing your own small script to use the Nessus API and scan systems
  • Writing and modifying NASL scripts
  • Adding more vulnerable web applications to scan

We visited Antwerp, where several fellow instructors had dinner and exchanged ideas. There was plenty to see, including this clock tower in the center of the city.


There were several excellent presentations at Brucon. I will provide a brief summary here of some of the talks I attended. For more detail, check the Brucon web site for the presentation papers and slides:

Joe McCray gave a talk titled, "You Spent All The Money And You Still Got Owned…" Just from the title, I could relate to where he was going with this topic. Joe pointed out that at one time it was not difficult to impress clients. You could "scan" the network, find vulnerabilities, exploit them, gain shell access, tell the customer to patch the vulnerabilities and collect a check. The industry has evolved significantly over the years; according to Joe, organizations have learned how to scan themselves and implement patches (I couldn't agree with these practices more!). However, incidents still happen. Web applications are hacked and information is stolen. Joe then covered several techniques for bypassing IPS, IDS and web application firewalls - all technologies that should keep us safe, but can be bypassed with varying levels of effort. Joe has come up with some defensive measures that go beyond patching and has written a document detailing his methods, which you can obtain by contacting Joe via email (joe [at] learnsecurityonline.com).

If Samy wasn't my hero before, he is now. I met Samy Kamkar, most famous for the "MySpace" worm, right before his talk titled "How I met your girlfriend". I had only really known Samy from his code. I studied the original MySpace worm code and was amazed how he was able to design the worm to avoid filters and weave his way through the protections in place. I then found out that he got into a bit of trouble for creating the worm, not with MySpace, but with the U.S. government. After some time away from computers, Samy was back and could talk openly about the MySpace worm and some new attacks he had been working on. In the ten minutes before his talk he asked if anyone had any questions or topics to discuss. I raised my hand and asked him to tell us about the JavaScript obfuscation techniques he used in the MySpace worm (I guess it’s hard for me to not be a podcast host asking questions!). He covered all sorts of interesting techniques that you can read more about in his original write-up. As for his current research, Samy presented techniques for brute forcing PHP session cookies in about an hour, opening up ports in users’ home firewalls and locating people's homes based on a wireless SSID and MAC address.

Chris Nickerson gave an entertaining talk titled "Top 5 ways to steal a company 'Forget root, I want it all'". I think some people missed the point on this one. Chris covered several ways in which attackers "could" disrupt operations of an organization. The basic premise is that people's lives could be affected, industrial plants could have horrible accidents or business operations could be completely shut down due to attackers penetrating the security of a network. As security professionals, we need to do a better job of explaining these risks to management. Chris says that security assessments often point out that an attacker could just "get shell", but we need to go deeper.

I gave a presentation titled "Embedded Systems Hacking and My Plot to Take Over the World". I took a humorous approach to pointing out the sad state of embedded systems security and outlined a plan for world domination largely based on exploiting vulnerabilities in embedded systems. Embedded systems are everywhere, no one pays attention to them until they are broken, and they are vulnerable to very easy-to-exploit vulnerabilities such as default passwords, so they’re a prime target to aid in a plot to take over the world. The goal of the talk was to raise awareness about how serious and widespread the embedded system security problem is, and how we need to work together in order to get vendors to change. A new web site was launched called http://www.securityfail.com/ where people will be able to register for an account, log in and write up their stories on how embedded systems security has failed them.

Antwerp town hall.

Workshop - Learning DVWA (Damn Vulnerable Web App)

I got the chance to meet Ryan Dewhurst, the author of DVWA. He gave a workshop that showed people how to use DVWA and enumerate the vulnerabilities present in the application. I only spent a small amount of time at the workshop and was able to pick up a few new techniques. For example, in the post where I described how to create a new PHP file that allows for command execution, I explained that you need to provide a valid table name. In the example Ryan gave, he used "null" for a table value and was able to accomplish the same attack. The workshop went well and all participants received a DVWA DVD that contains a VMware image with all the software installed.

I found it ironic that a camera was in the way of taking this picture.

Podcaster Meetup

For the first time, security podcasters from three different continents joined together to record a rare international edition of the security podcasters meet-up panel discussion. As if that is not groundbreaking enough, we had a fantastic discussion with each other and the crowd! We covered quite a few topics, such as:

  • How to learn about security and penetration testing
  • The best ways to mentor and teach people
  • The best way to educate developers and the state of software security

The audio is available for download on various security podcast feeds, or from the Brucon podcast media page. For those sensitive to explicit language, you may want to skip this one.


Brucon is a fantastic conference and I highly recommend it. You can find out more information about the conference, including links to all of the slides from all the presentations (and eventually videos) on the Brucon web site.
