Hacker Summer Camp 2017: Pros vs Joes CTF

I’ve returned from this year’s edition of Hacker Summer Camp, and while I’m completely and utterly exhausted, I wanted to get my thoughts about this year’s events out before I completely forget what happened.

The Pros vs Joes CTF was, yet again, a high quality event despite the usual bumps and twists. This was the largest PvJ ever, with more than 80 people involved between Blue Pros, Blue Joes, Red Cell, Grey Cell, and Gold Cell. Each blue team had 11 players between the two Pros and 9 Joes, making them slightly larger than in years past. (Though I believe that’s a temporary “feature” of this year’s game.)

I was also incredibly happy with the diversity displayed by the event this year: at least 3 of the blue teams had women on them, as did both Gold and Grey cells. Teams had experienced players, some of them veterans, as well as players with no professional experience (students) and professionals working outside the information security industry (my team alone had two electrical engineers). This mix is part of what makes Pros vs Joes so good – everybody has something to contribute, and you get such a wide range of views and experiences. Two players on my team absolutely crushed the Windows aspects of the game, which was incredible because everyone knows I’m a hardcore Linux guy. (The last version of Windows I used as a “daily driver” was Windows XP SP 2. In 2003.)

Game mechanics were incredibly different this year than in years past. No longer did a team turn in “integrity flags” for local points. More hosts had multiple scored services. Tickets incurred a penalty if they were reopened. Most significantly, there was a store where teams could buy a variety of things, including the services of a Red Team member, a Security Onion box (I gotta give Security Onion a try!), or “outsourcing” a grey team ticket. My team chose to make little use of this store, but other teams made extensive use of Dichotomy’s Emporium. (I’m not convinced that either is an “optimal” strategy, because a lot depends on the strengths and weaknesses of their own team.) I can’t wait to see the analysis from our data scientist on the different aspects of the game.

The game environment, on the other hand, was essentially unchanged from last year. The same vulnerabilities and hosts were present. This led to quite a bit of surprise when, during scorched earth, I was able to use the same BIND 9 bug to take out DNS (and consequently, the ability of Scorebot to reach any services) for all 3 other teams (a repeat of my scorched earth tactic from last year). A note to future captains: DNS is important, perhaps you’d like to patch that machine.

Scorched Earth

I’ll leave any major announcements about the game to Dichotomy, but I do want to mention that I envision more collaboration between the Pros & Staff over the next year. Pros vs Joes is a learning CTF first, and this will allow us to build a more immersive environment and a better set of resources for the blue staff to use in mentoring Joes.

I was exhausted by the end of this PvJ, but it was a kind of good exhaustion. No matter how tired I was, I was satisfied to know that all of my players seemed to have learned something throughout the course of the game, and the cherry on top was a victory for ShellAntics. Thanks to Dichotomy, Gold Cell, Red Cell (no hard feelings t1v0?), and of course, the awesome Joes on my team.

Hacker Summer Camp 2017 Planning Guide

My hacker summer camp planning posts are among the most-viewed on my blog, and I was recently reminded I hadn’t done one for 2017 yet, despite it being just around the corner!

Though many tips will be similar, feel free to check out the two posts from last year as well:

If you don’t know, Hacker Summer Camp is a nickname for 3 information security conferences in one week in Las Vegas every July/August. This includes Black Hat, BSides Las Vegas, and DEF CON.

Black Hat is the most “corporate” of the 3 events, with a large area of vendor booths, great talks (though not all are super-technical) and a very corporate/organized feel. If you want a serious, straight-edge security conference, Black Hat is for you. Admission is several thousand dollars, so most attendees are either self-employed and writing it off, or paid by their employer.

BSides Las Vegas is a much smaller (~1000 people) conference that’s heavily community-focused. With tracks intended for those new to the industry, getting hired, and a variety of technical talks, it has something for everyone. It also has my favorite CTF: Pros vs Joes. You can donate for admission, or get in line for one of ~450 free admissions. (Yes, the line starts early. Yes, it quickly sells out.)

DEF CON is the biggest of the conferences. (And, in my opinion, the “main event”.) I think of DEF CON as the Burning Man of hacker conferences: yes, there’s tons of talks, but it’s also a huge opportunity for members of the community to show off what they’re doing. It’s also a huge party at night: tons of music, drinking, pool parties. At DEF CON, there is more to do than can be done, so you’ll need to pick and choose.

Hopefully you already have your travel plans (hotel/airfare/etc.) sorted. It’s a bit late for me to provide advice there this year. :)

What To Do

Make sure you do things. You only get out of Hacker Summer Camp what you put into it. You can totally just go and sit in conference rooms and listen to talks, but you’re not going to get as much out of it as you otherwise could.

Black Hat has excellent classes, so you can get into significantly more depth than a 45 minute talk would allow. If you have the opportunity (they’re expensive), you should take one.

If you’re not attending Black Hat, come over to BSides Las Vegas. They go on in parallel, so it’s a good opportunity for a cheaper option and for a more community feel. At BSides, you can meet some great members of the community, hear some talks in a smaller intimate setting (you might actually have a chance to talk to the speaker afterwards), and generally have a more laid-back time than Black Hat.

DEF CON is entirely up to you: go to talks, or don’t. Go to villages and meet people, see what they’re doing, get hands on with things. Go to the vendor area and buy some lockpicks, WiFi pineapples, or more black t-shirts. Drink with some of the smartest people in the industry. You never know who you’ll meet. Whatever you choose, you can have a blast, but you need to make sure you manage your energy. I’ve made myself physically sick by trying to do it all – just accept that you can’t and take it easy.

I’m particularly excited to check out the IoT village again this year. (As regular readers know, I have a soft spot for the Insecurity of Things.) Likewise, I look forward to seeing small talks in the villages.

Whatever you do, be an active participant. I’ve personally spent too much time not participating: not talking, not engaging, not doing. You won’t get the most out of this week by being a wallflower.

Digital Security

DEF CON has a reputation for being the most dangerous network in the world, but I believe that title depends on how you look at it. In my experience, it’s a matter of quality vs quantity. While I have no doubt that the open WiFi at DEF CON probably has far more than its fair share of various hijinks (sniffing, ARP spoofing, HTTPS downgrades, fake APs, etc.), I genuinely don’t anticipate seeing high-value 0-days being deployed on this network. Using an 0-day on the DEF CON network is going to burn it: someone will see it and your 0-day is over. Some of the best malware reversers and forensics experts in the world are present; I don’t anticipate someone using a high-quality bug in modern software on this network and wasting it like that.

Obviously, I can’t make any guarantees, but the following advice approximately matches my own threat model. If you plan to connect to shady networks or CTF-type networks, you probably want to take additional precautions. (Like using a separate laptop, which is the approach I’m taking this year.)

That being said, you should take reasonable precautions against more run-of-the-mill attacks:

  • Use Full Disk Encryption (in case your device gets lost/stolen)
  • Be fully updated on a modern OS (putting off patches? might be the time to fix that)
  • Don’t use open WiFi
  • Turn off any radios you’re not using (WiFi, BT)
  • Disable 3G downgrade on your phone if you can (LTE only)
  • Don’t accept updates offered while you’re in Vegas
  • Don’t run random downloads :)
  • Run a local firewall dropping all unexpected traffic

Using a current, fully patched iOS or Android device should be relatively safe. ChromeOS is a good choice if you just need internet from a laptop-style device. Fully patched Windows/Linux/OS X are probably okay, but you have a somewhat larger attack surface and less protection against drive-by malware.

Your single biggest concern on any network (DEF CON or not) should be sending plaintext over the network. Use a VPN. Use HTTPS. Be especially wary of phishing. Use 2-Factor. (Ideally U2F, which is cryptographically designed to be unphishable.)

Personal Security & Safety

This is Vegas. DEF CON aside, watch what you’re doing. There are plenty of pickpockets, con men, and general thieves in Las Vegas. They’re there to prey on tourists, and whether you’re there for a good time or for a con, you’re their prey. Keep your wits about you.

Check ATMs for skimmers. (This is a good life pro tip.) Don’t use the ATMs near the con. If you’re not sure if you can tell if an ATM has a skimmer: bring enough cash in advance. Lock it in your in-room safe.

Does your hotel use RFID-based door locks? May I suggest RFID-blocking sleeves?

Planning to drink? (I am.) Make sure you drink water too. Vegas is super-hot, and dehydration will make you very sick (or worse). I try to drink 1/2 a liter of water for every drink I have, but I rarely meet that goal. It’s still a good goal to have.

FAQ

Are you paranoid?

Maybe. I get paid to execute attacks and think like an attacker, so it comes with the territory. I’m going to an event to see other people who do the same thing. I’m not convinced the paranoia is unwarranted.

Will I get hacked?

Probably not, if you spend a little time preparing.

Should I go to talks?

Are they interesting to you? Go to talks if they’re interesting and timely. Note that most talks are recorded and will be posted online a couple of months after the conferences (or can be bought sooner from Source of Knowledge). A notable exception is that SkyTalks are not recorded. And don’t try to record them yourself – you’ll get bounced from the room.

What’s the 3-2-1 rule?

3 hours of sleep, 2 meals, and 1 shower. Every day. I prefer 2 showers myself – Vegas is pretty hot.

The Many Badges of DEF CON 25

If you follow DEF CON news at all, you’ll know that there’s been some kind of issue with the badges. But don’t worry: DEF CON will have badges, and so will the community!

What do I mean by this? Well, badge hacking has long been a DEF CON tradition, but in the past few years, we’ve seen more and more unofficial badges appearing at DEF CON. This year seems to be a massive upswing, and while I’m sure some of that was in progress before the badge announcement, I believe at least some of it is the community response to the DEF CON badge issue. (Edit: All of the listed badges were apparently in the works before the DEF CON announcement. Thanks to @wbm312 for setting me straight.)

I’ve tried to collect information about all the unofficial badges I can find, but I’d imagine there are many more that I haven’t heard about, or whose creator just isn’t talking about it. I know for a fact at least one such private badge exists!

Know of another badge? Ping me on Twitter (@Matir) and I’ll update. Sorry I have so many unknowns, but lots of the badges are keeping quiet!

Available for Sale

This includes badges that were available for sale at some point, even if now sold out. Basically, if at any point you could exchange cash, credit, bitcoin, litecoin, ethereum, gold ingots, or any other form of value for the badge, I’m putting it here. (I’d call it “commercial”, but most of these are a labor of love and the money just helps the creator not go broke with their labors.)

AND!XOR DEF CON 25 Indie Badge

2017 WiFi Badge

Mr Robot Badge

Puffy

The Ides of DEF CON

  • Link: https://dc25spqr.com/
  • Features: Sub-1GHz Radio, Blinky Lights, Sound, LED Screen
  • Availability: Sold Out, Kickstarter Only, Open Source
  • Price: $120

Queercon 14 Badge

Beyond Binaries Badge

DEF CON Furs

DEF CON Darknet

DC 801

Cryptovillage

Hacker Warehouse

NulliBadge

  • Link: http://nu.llify.com
  • Features: LEDs, IR Tag, Open Source
  • Availability: Onsite, limited pre-reg
  • Price: $60

Private Projects/Little Detail

@noidd

Pi Zero as a Serial Gadget

I just got a new Raspberry Pi Zero W (the wireless version) and didn’t feel like hooking it up to a monitor and keyboard to get started. I really just wanted a serial console for starters. Rather than solder in a header, I wanted to be really lazy, so decided to use the USB OTG support of the Pi Zero to provide a console over USB. It’s pretty straightforward, actually.

Install Raspbian on MicroSD

First off is a straightforward “install” of Raspbian on your MicroSD card. In my case, I used dd to image the img file from Raspbian to a MicroSD card in a card reader.

dd if=/home/david/Downloads/2017-04-10-raspbian-jessie-lite.img of=/dev/sde bs=1M conv=fdatasync

Mount the /boot partition

You’ll want to mount the boot partition to make a couple of changes. Before doing so, run partprobe to re-read the partition tables (or unplug and replug the SD card). Then mount the partition somewhere convenient.

partprobe
mount /dev/sde1 /mnt/boot

Edit /boot/config.txt

To use the USB port as an OTG port, you’ll need to enable the dwc2 device tree overlay. This is accomplished by adding a line to /boot/config.txt with dtoverlay=dwc2.

vim /mnt/boot/config.txt    # append a line containing exactly: dtoverlay=dwc2
# non-interactive equivalent of the editor step above:
echo 'dtoverlay=dwc2' >> /mnt/boot/config.txt

Edit /boot/cmdline.txt

Now we’ll need to tell the kernel to load the right module for the serial OTG support. Open /boot/cmdline.txt, and after rootwait, add modules-load=dwc2,g_serial.

vim /mnt/boot/cmdline.txt   # insert modules-load=dwc2,g_serial after rootwait
# non-interactive equivalent of the editor step above (keeps the file on one line):
sed -i 's/rootwait/rootwait modules-load=dwc2,g_serial/' /mnt/boot/cmdline.txt

When you save the file, make sure it is all on one line: if your editor has any line-wrapping options enabled, it may have inserted newlines into the file, and the kernel only reads the first line.

Mount the root (/) partition

Let’s switch the partition we’re dealing with.

umount /mnt/boot
mount /dev/sde2 /mnt/root

Enable a Console on /dev/ttyGS0

/dev/ttyGS0 is the serial port on the USB gadget interface. While we’ll get a serial port, we won’t have a console on it unless we tell systemd to start a getty (the process that handles login and starts shells) on the USB serial port. This is as simple as creating a symlink:

ln -s /lib/systemd/system/getty@.service /mnt/root/etc/systemd/system/getty.target.wants/getty@ttyGS0.service

This asks systemd to start a getty on ttyGS0 on boot.

Unmount and boot your Pi Zero

Unmount your SD card, insert the micro SD card into a Pi Zero, and boot with a Micro USB cable between your computer and the OTG port.

Connect via a terminal emulator

You can connect via the terminal emulator of your choice at 115200bps. The Pi Zero shows up as a “Netchip Technology, Inc. Linux-USB Serial Gadget (CDC ACM mode)”, which means that (on Linux) your device will typically be /dev/ttyACM0.

screen /dev/ttyACM0 115200
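The steps above are manual edits to a mounted card. The script below is an added example (mine, not code from the original post) that performs the same three edits non-interactively and idempotently, so it can be re-run safely and exercised against a scratch copy of the two partitions before touching a real card. It assumes Raspbian’s file layout (config.txt and cmdline.txt on the boot partition, /lib/systemd/system/getty@.service on the root partition) and takes the two mount points as arguments, with /mnt/boot and /mnt/root from the post as the intended values; the function names are my own.

```shell
#!/bin/sh
# Added example: non-interactive version of the boot/root partition edits for a
# USB serial gadget console on a Pi Zero. Assumes Raspbian's file layout.
set -eu

# Append dtoverlay=dwc2 to config.txt unless an identical line is already there.
enable_dwc2_overlay() {
    cfg="$1/config.txt"
    if grep -qx 'dtoverlay=dwc2' "$cfg"; then
        return 0
    fi
    printf '%s\n' 'dtoverlay=dwc2' >> "$cfg"
}

# Insert modules-load=dwc2,g_serial after rootwait in cmdline.txt, keeping the
# file on a single line (the kernel only reads the first line of this file).
enable_serial_gadget_cmdline() {
    cmd="$1/cmdline.txt"
    if grep -q 'modules-load=dwc2,g_serial' "$cmd"; then
        return 0
    fi
    grep -q 'rootwait' "$cmd" || { echo "rootwait not found in $cmd" >&2; return 1; }
    # tr strips any stray newlines an editor may have wrapped in; sed inserts the
    # parameter; printf writes the result back with exactly one trailing newline.
    joined=$(tr -d '\n' < "$cmd" | sed 's/rootwait/rootwait modules-load=dwc2,g_serial/')
    printf '%s\n' "$joined" > "$cmd"
}

# Ask systemd to start a getty on ttyGS0 at boot. The symlink target is a path
# on the Pi's own filesystem, so it stays /lib/systemd/... regardless of where
# the root partition happens to be mounted on the host.
enable_gadget_getty() {
    wants="$1/etc/systemd/system/getty.target.wants"
    mkdir -p "$wants"
    ln -sfn /lib/systemd/system/getty@.service "$wants/getty@ttyGS0.service"
}

# Re-read the files rather than trusting the writes: overlay line present,
# cmdline still one line with the parameter after rootwait, symlink in place.
verify_gadget_console() {
    grep -qx 'dtoverlay=dwc2' "$1/config.txt" || return 1
    [ "$(wc -l < "$1/cmdline.txt" | tr -d ' ')" -eq 1 ] || return 1
    grep -q 'rootwait modules-load=dwc2,g_serial' "$1/cmdline.txt" || return 1
    [ -L "$2/etc/systemd/system/getty.target.wants/getty@ttyGS0.service" ] || return 1
}

# Apply all three edits to a mounted boot partition ($1) and root partition ($2).
prepare_gadget_console() {
    enable_dwc2_overlay "$1"
    enable_serial_gadget_cmdline "$1"
    enable_gadget_getty "$2"
    verify_gadget_console "$1" "$2"
}

# Stand-alone use against a mounted card, as in the post:
#   sh prepare-gadget.sh /mnt/boot /mnt/root
if [ "$#" -eq 2 ]; then
    prepare_gadget_console "$1" "$2"
fi
```

Both mounts must be done first (steps above); the script does not image the card or mount anything itself, so a mistake in the arguments fails on a missing file rather than on a wrong block device.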

Conclusion

This is a quick way to get a console on a Raspberry Pi Zero, but it has downsides:

  • Provides only console, no networking.
  • File transfers are “difficult”.

Belden Garrettcom 6K/10K Switches: Auth Bypasses, Memory Corruption

Introduction

Vulnerabilities were identified in the Belden GarrettCom 6K and 10KT (Magnum) series network switches. These were discovered during a black-box assessment and therefore the vulnerability list should not be considered exhaustive; observations suggest that it is likely that further vulnerabilities exist. It is strongly recommended that GarrettCom undertake a full white-box security assessment of these switches.

The version under test was indicated as: 4.6.0. Belden Garrettcom released an advisory on 8 May 2017, indicating that issues were fixed in 4.7.7: http://www.belden.com/docs/upload/Belden-GarrettCom-MNS-6K-10K-Security-Bulletin-BSECV-2017-8.pdf

This is a local copy of an advisory posted to the Full Disclosure mailing list.