DefCon 13

Jason R. Lee

Computational Research Division

Quick Stats

~80 Talks in 3 parallel tracks over 3 days
Last year ~5000 hax0rs, this year it was even bigger!
Auditor Security Colllection ISO from:
www.remote-exploit.org
2 pools turned purple
I've put the contents of the CD in at: http://dsd.lbl.gov/~jason/DC13/CD

And no, I haven't looked at all the presentations and code on the CD, feel free to play with whatever you find on it.

Nothing Here, go away

Quick Stats (2)

2226 Wireless Clients
130 Rouge Access Points
215 Man-In-The-Middle Attacks
80 Denial of Service Attacks
12G in / 1.2 G out
836 ARP/IP Spoofs

Yes, I left my laptop back at the hotel!!

Wall Of Sheep

NMAP and Its Many Uses

Fydor (author of nmap) gave a presentation, and distributed a new verions of nmap with a few new features.

ARP Scanning
XML output of OS fingerprinting
Idle Scans '-sI' (scan using another computer)
Service fingerprinting (does ssl services too!)

jason@foobar[2:22pm](217)> ./nmap -sT -sV -p 993,22,80  -v portnoy
[...]
PORT    STATE  SERVICE  VERSION
22/tcp  open   ssh      OpenSSH 4.1 (protocol 2.0)
80/tcp  closed http
993/tcp open   ssl/imap UW imapd 2004.357

[any material that should appear in print but not on the slide]

Phil Zimmerman

Phils next big thing is (drum roll please), Secure VOIP
It's for the mac (applause), and is written in python! Need I say more?
Its based on the open source project, Shtoom, which can be found here:
http://divmod.org/projects/shtoom
Looks like he might be trying to shop it to VC's so there is nothing to play with yet....

Unicornscan

Unicorn scan can be thought of as a port scanner on steroids. Very kewl.
Distrubuted (3 processes; master, sender and recv) can be be on 3 differnt machines!
pcap logging
db backend
Can be found here:
http://www.unicornscan.org/main.html

Trust Transience

Trust Transience: Post Intrusion SSH Hijacking

Coerce an existing ssh connection to supply you with another connection.
Allow this connection to be connected to any arbitrary endpoint.
This connection is pre-authenticated!
Simple, single python script.

Hacking Coffee Shops

Bypassing Authenticated Wireless Networks

Tool that passively sniffs the network looking for wireless clients
Reconfigures your wireless interface with someone elses MAC/IP !
Works under linux only currently, its called pickupline
I've put the tarball at:
http://dsd.lbl.gov/~jason/DC13

And no, I haven't personally used this one! (yet!)

Pickupline Example

Physical Bypass

Physical Security Bypass Techniques

Concentrated on Biometric
Leave the devices alone (for the most part) and concentrate on the backend server ;-)
Insert bogus data (extra users, extra fingers for known user, etc.)
Wires are usually easy to get to ;-) (card swipe $10 on ebay)

Attacking Web Services

Three points in Web Services that are ripe with hole...

XML
SOAP
Discovery

Newest slides at:
https://www.isecpartners.com/defcon.html

XML holes

XPath Injection
Use CDATA
XML injection

hackerman@bad.com</Email>
<UniqueID>0</UniqueID><Email>hackerman@bad.com

SOAP Problems

WSDL are EVIL!
A WSDL exposes ALL the interfaces of your program, are you sure you removed that debug method?
XML & SOAP allow you to create very complex (and deeply nested) documents, that have to be parsed before being handed to the application. This allows for easy DOS attacks
.NET creates and publish your WDSL when you use visual studio!

Discovery

Go to http://uddi.microsoft.com
Use your hotmail account ;-)
find your victim
download their WSDL
run WSBang on it

WSBang can be found at:
https://www.isecpartners.com/defcon.html

Visual Event Analyis

Visual Security Event Analyis

AfterGlow: tool to process events into directed graphs
GraphWiz tools (dot and neato) to graph 'interesting' events
Hand afterglow CSV list and presto....

    Jul 10 04:06:13 pinky snmptrapd[20843]: 192.168.1.1: 
    Enterprise Specific Trap (1) Uptime: 4 days, 17:41:16.95, 
    SNMPv2-SMI::enterprises.3093.1.1.0 = STRING: 
    "@in 61.235.154.92 50868 192.168.1.102 1026."
    

    % awk '{print $19","$22","$21}' fw.log | sed 's/\.\"//g' | \
    sort | uniq | perl afterglow.pl -c color.properties | \
    neato -Tgif -o /tmp/fw.gif"

Visual Event Analyis

Visual Event Analyis

Visual Event Analyis

The color.properties file is simple:


# sources (check for non-routable addrs
color.source="yellow" if ($fields[0]=~/^192\.168\..*/);
color.source="greenyellow" if ($fields[0]=~/^10\..*/);
color.source="lightyellow4" if ($fields[0]=~/^172\.16\..*/);
color.source="red"
# events
color.event="orange" if ($fields[1]<1024)
color.event="yellow" 
# targets
color.target="lightblue"
# lines
color.edge="green"

Recovery from Rootkit

Surgical Recovery from Kernel-Level Rootkit Installations

A kernel-level rootkit (such as SUCKit), installs itself into kernel memory, and changes the System Call Table (SCT) to point to the rootkits trojan functions (sys_open, sys_close, etc.).
Most common way to recover is/was reformat and reinstall.
This talk demostrated how to repair those tables, so that the point back to orignal functions, without any downtime, using the /dev/kmem interface on linux.

Shadow Walker

How to hide.
Fairly simple concept, very messy to really do!
The only way a scanner can check memory is to ask the OS for a pointer to memory, and walk through it looking for nasty strings. If we compromise the OS, we can make it hand back whatever memory we want.
This was demo'd on a Windows box, but I belive that same thing can/could be done on unix, and perhaps much easier....

And now

Putting my madz hax0r skillz to use ....