(Tiny) Tool Release: Pwnpattern

Just a quick note to go with something I dropped on Github recently: pwnpattern is a python library and stand-alone script that replicates most of the functionality of Metasploit Framework’s pattern_create.rb and pattern_offset.rb. The patterns created are identical to those from Metasploit, so you can even mix and match tools.

There are several reasons I wrote this:

  • You don’t need a full copy of metasploit installed for creating patterns for e.g., wargames, CTFs, etc.
  • It loads much more quickly: on my machine, Metasploit’s pattern_create.rb takes 2.29s, my script takes 0.01s. This is due, of course, to dependencies (MSF’s requires the entire Rex library to be loaded) but it is kind of nice to not wait for things.
  • It can be embedded in python scripts (just like Rex can be embedded in Ruby scripts).

BSides SF: Saturday

Much like my notes from BSides Seattle, this will just be a quick dump of notes from the talks I attended today. (Almost) all talks are also being recorded by Irongeek, so this only serves to highlight what I considered key points of the talks I attended. Tomorrow, I’ll be doing my workshop (stop by and say hi) so my notes are likely to be considerably lighter.

Keynote: A Declaration of the Independence of Cyberspace

John Perry Barlow, co-founder, EFF

While not at all a technical talk, John Perry Barlow is an inspiring speaker and an amazing visionary. His appreciation of the politics involved in “cyberspace” is on point, and it really made me think.

While he first related the story of the events leading up to the founding of the EFF, including the writing of the Declaration of the Independence of Cyberspace, but to my mind, the most interesting part of his keynote was the Q&A.

  • What does it mean to be patriotic in cyberspace?
    • First have to define patriotism in general.
      • JPB defines as “allegiance to a common belief system”
    • The biggest threat is dismantling the common belief system under the guise of patriotism: as in the erosion of the bill of rights, etc.
    • The government is currently fighting for cultural dominance
      • It’s a battle that’s beeen going since the mid-60s, government powers are stuck in the 50s, the cold war, etc.
      • Government doesn’t adapt to times well
      • 60s culture is slowly winning, but still not certain
  • How can we create more awareness of the EFF in young professionals & CS students?
    • That’s a really tough question, and if I [JPB] had the answer, the EFF would already be doing it.
    • However, informed individuals sharing the information helps.
    • EFF will continue defending the open network end-to-end.

Scan, Pwn, Next! – exploiting service accounts in Windows networks

Andrey Dulkin, Matan Hart, CyberArk Labs

  • Service Accounts have a variety of properties that make them interesting to an attacker
    • May not have password complexity/expiration
    • Often overprivileged as privileges may be granted to try to fix a problem, even if not needed
    • Account may be used on multiple machines, exposing the credentials more
  • Account types
    • Out accounts: automated processes, reach out to others
    • In accounts: listening services
    • Mixing an account into both types makes lateral movement trivial (compromise service, use to move to other box)
  • Service principal name (SPN)
    • Created Automatically
    • Password hash used as shared secret
  • Any user can request a ticket to any SPN
    • Encrypted with unsalted RC4 by default, key is NTLM hash of SPN password
    • Can be configured to use AES-128 or AES-256
    • Hashcat can offline crack the ticket to recover plaintext password
      • 7 mixed case alphanumerics takes about 10 hours on single GPU

Breaking Honeypots for Fun and Profit

Itamar Sher, Cymmetria

  • Can be used to introduce the “fog of war” aspect
  • OODA loop: Observe, Orient, Detect, Act
  • Honeypots also serve as a decoy
  • Several general types
    • Low interaction
      • Useful mainly for malware & scanning detection
      • Can be easily fingerprinted
    • High Interaction
      • Real machine
      • Heavily instrumented
  • Only thing worse than an ambush that fails is an ambush that is detected by the adversary
    • Can be used to distract incident responders
    • Can be used to send malicious/misleading data
    • Constants are easily detected (e.g., conpot)
  • Artillery Honeypot
    • low interaction
    • Blocks IP
    • Spoofing leads to DoS
  • Kippo
    • Medium interaction
    • Allows some simulated commands
    • Team is good at fixing issues
    • wget allowed now
      • Could be used for DDoS
      • or portscanning/host enumeration
  • Dronaea
    • Low interaction
    • Goal is to gain copy of malware
  • General Problems
    • Fixed values
      • Build dates
      • Sizes
      • Names
      • Serial numbers
      • etc.
    • Partially implemented services
      • missing implementations of most commands
    • Users that respond to multiple passwords

IoT on Easy Mode (Reversing Embedded Devices)

Elvis Collado

30 minute speed talk on reverse engineering & exploiting vulnerabilities in embedded devices.

  • Useful things:
    • Binwalk
    • IDA
    • Radare2
  • Use Qemu, build basic source in C, disassemble to understand assembly of architecture
    • Use breakpoints to understand what particular instructions do (break, before/after comparison)
  • GPL to see plain source
  • Beginning kit
    • FT232H adapter
    • Multimeter
    • Soldering Iron
      • Solder
      • Wick
      • Desoldering pump
    • Header pins
    • wire
  • Intermediate kit
    • (Beginning +)
    • Shikra
    • JTAGulator
    • Logic Analyzer
    • USB Microscope
  • Find UART
    • Use FCC ID to find high-res photos to find pinouts, etc.
    • Find Ground First
      • Multimeter with sounds help
    • TX/RX swapped
  • DVRF (Damn Vulnerable Router Firmware) project
    • Inspired by DVL, DVWA
    • MIPS 32 LE
    • E1550 router based
    • https://github.com/praetorian-inc/DVRF

BSides Workshop

I probably should’ve posted this days ago, but on Monday, I’ll be teaching a Web Security workshop at BSides San Francisco along with Niru. While capacity is limited, we may have a few additional seats, so if you’re interested, drop by and see what we’ve got.

Workshop description:

Web applications can fail in a variety of ways, from Cross-Site Scripting to SQL Injection and more. Join us for a look at a variety of common web vulnerabilities, including Cross-Site Scripting, Cross-Site Request Forgery, Weak Authentication, Logic Errors, and more – and an opportunity to test your web hacking skills against a simulated online bank. We’ll be covering the vulnerabilities from the ground up, but a basic understanding of web applications (i.e., HTTP, HTML, and JavaScript) and browsers would be useful background.

Participants will need to bring a laptop. Prior experience with server-side programming and an understanding of how web apps are built is recommended.


BSides Seattle

These are just (essentially) my raw notes dumped from the talks I attended at BSides Seattle (2015-ish). Unfortunate I developed a migraine so I only caught the morning talks.

Active Directory

  • Use scripts to dump AD
  • Use scripts to sync with 3rd party providers
  • Lots of story, not much technical depth

Red Team

  • Presenter: Sean Malone, FusionX

  • Types of Security Assessment
    • Vulnerability Assessment
      • Find vulnerability
      • Limited Scope
      • Broad & Shallow
      • Cooperates with SecOps
    • Pentesting
      • Achieve Technical Compromise/Domain Admin
      • Moderate Depth
      • Techniques include Network, Application Assessment
    • Red Team
      • Narrow Scope
      • Whole Enterprise is In Scope
      • Techniques include Social, Physical, Technical
      • RT Objectives
        • Simulate Sophisticated Adversary
        • Achieve “Nightmare Scenario” without detection
      • Client Objectives
        • Understand resiliency
        • Risk reduction, not just vulnerability count
  • Effective Red Teams
    • Hyper-realism (go all the way)
    • Do No Harm
    • Zero-Knowledge
      • Offensive team does not use any inside knowledge
    • Zero-Notice
      • No notice to defensive team
  • Developing Steps
    • Adversary Scenario
      • Who?
        • Nation-state?
        • Commercial Competitor?
        • Hacktivist?
      • Why?
        • Steal information?
        • Destabilize?
      • Impact
      • Objective
      • Starting Point
    • Campaign Plan
      • Be Creative
        • Wide Variety of Approaches
        • Webapps
        • USB Drives
        • Social Networking
        • Legal limits: can’t bribe someone, can’t blackmail someone, etc.
      • Be Adaptive
        • Can’t know how everything will go
        • May have several different approaches planned out, use as needed
      • Be Resilient
        • Even if detected, engagement is not over
        • Keep different techniques/footholds isolated
      • Even if technique is known to work (phishing, link clicking, social engineering), there is value in doing it
        • Is it detected?
        • Can mitigations come into place in time to prevent lateral movement/escalation?
    • Scope
      • Think Globally, Strike Precisely
      • Whole Enterprise in Scope
      • Stay Focused
        • Only move towards objective
        • May not be linear path, but still move to goal
        • Exploiting unnecessarily increases risk of detection
      • Right to Audit clause in Vendor Agreements Critical
      • Client should not limit scope
        • Confirmation bias
        • If concerned about availability, pretty big sign that system is already too weak
        • Forcing red team into small box does not simulate adversaries
    • Rules of Engagement
      • Should not need to get pre-approval for every exploit/phishing email/etc.
      • RoE should allow autonomy to exploit, move laterally, and escalate
      • Client should still be informed, have ability to push “big red button”, but red team should not wait for ACK (too slow)
      • Attacker should have 24x7 window (again, better simulates real-world adversary)
        • Vulnerability in timing is just another vulnerability
      • Predefined rules for sensitive data
        • Access is necessary to simulate adversary; avoid unrealistic limitation that impacts the accuracy of the assessment
        • Expectation should be that Red Team may see any data on any system (IP, passwords, HR data, whatever)
        • Rules for what can be used (i.e., personal credentials generally off-limits)
        • Rules for how to dispose of data at end of engagement
        • Rules for where data can be moved (i.e., shipping PII outside network?)
        • Retrieve minimum number of records to demonstrate impact
        • Redact in report
    • Communication & Escalation Plan
      • Need-to-Know Basis
        • Statement of Work vague, have separate authorization signed by CISO to avoid leaking even to procurement team
      • Keep Blue Team in the dark (adversaries don’t call ahead!)
        • Can’t accurately evaluate detection & response if they know
        • Point of Contact should have visibility into SOC
        • If SOC is overwhelmed by exercise (+ real intrusion?), suspend exercise
  • Summary
    • Only executive has authority to approve something broad enough
    • Technical compromise doesn’t matter if you can’t show impact
    • Stay focused
    • Maintain OpSec
    • Keep objective in mind
    • Risk/Reward to get closer to objective
    • Agile, Adaptive, Opportunistic

Hacker Summer Camp Planning Guide

A couple of coworkers who have never been to DEF CON, BSides Las Vegas or Black Hat (collectively, “Hacker Summer Camp”) asked me about planning their first trips, so I decided to collect my tips here. I’m going to be splitting my advice into two parts: this planning guide for travel/scheduling/registration information, and a Hacker Summer Camp survival guide for advice that’s more relevant while you’re at the conferences.

Manage Your Energy

There’s a lot to do, the hours tend to be long, and unless you’re used to both the environment (typically hot, this is Las Vegas in August!) and the crowds, it’s going to burn a lot more energy than you’re going to expect. Two years ago, I attended all 3 of the conferences, helped run a company suite, and taught classes at R00tz (formerly DEF CON Kids). This was a serious mistake on my part, and failure to manage my energy adequately. I ended up not getting as much out of any of the events as I should have, and when I returned, I ended up sick for several days due to the toll of these events on my body. It was more than a full week afterwards before I felt fully recovered.

If this is your first time, don’t try to do everything. Firstly, it’s just not possible, and secondly, you will destroy yourself trying to do so. Prioritize, and make yourself okay with the fact that some things you’ll just miss out on. For myself, the most important parts of the week are:

  • Activities – I learn more by doing than by listening to some speaker try to tell you what he did in 45 minutes. I typically play in the BSides LV CTF and Capture the Packet at DEF CON. Others might find the DEF CON Shoot to their liking. (I’d probably like it too, but always end up busy on Thursday.)
  • Villages – Villages are a set of topical/related presentations and activities that are presented by people who are very into the particular topic. I’ll usually visit the tamper-evident village, lockpicking village, wireless village, and whatever is new. If you’ve never tried picking a lock, it’s really interesting just to see how the process goes, and the guys in the lockpicking village can tell you anything you wanted to know about any lock.
  • Networking – One of the most important aspects of DEF CON is networking, and it’s not just about lining up your next job. This industry is full of back-channel connections that help you get information, securely report a vulnerability, or help you find a solution to a problem. You’ll find out things that aren’t publicly known, learn who to talk to about esoteric technology, and generally meet some great people.
  • Talks – Talks are good and are obviously a core part of all of the conferences, but to me, they take a back seat to the above categories. This isn’t because I don’t like the talks (I do!) but because the other categories require your in-person presence and participation. Unless you want to ask the presenter a question, the talk won’t be recorded, or you really want to know about it before the recording becomes available, being there in person adds very little to the value of a talk.
  • Parties – Rumor has it that DEF CON, Black Hat, and BSides may also have parties. These rumors are completely unfounded. There is absolutely no partying, live music, alcohol consumption, or any other fun to be had in Las Vegas during these events.

Scheduling

Black Hat Briefings are Wednesday and Thursday, with trainings either Saturday-Sunday or Monday-Tuesday (or sometimes covering both for bigger trainings). BSides LV is Tuesday and Wednesday, with a pretty full schedule both days. DEF CON is Thursday-Sunday, but Thursday doesn’t really get started until the afternoon (and even then, the villages have not historically been open), and things start to wind down a little bit Sunday afternoon, so Friday and Saturday are the “core” for DEF CON.

1 Conference, 2 Conferences, 3 Conferences?

So which conferences do you want to go to? Well, that really depends on what you’re looking for. I strongly suggest not trying to do all 3: you’ll end up just half-doing all 3. (This is borne out by personal experience.) Here’s what I see as the tradeoffs:

Common Elements

All 3 conferences have excellent technical content, and many of the presentations will be at more than one conference. Many of the attendees will be at more than one as well, so you’ll be running in to the same people throughout the week.

DEF CON

DEF CON is, by far, the biggest of the 3 conferences – reportedly somewhere around 14,000 attendees. It has the most hands-on activities with the villages, and most of the parties (oh wait, what happens in Vegas stays in Vegas…). DEF CON is somewhere between casual and chaotic, and is, of course, the conference that started the whole week of Hacker Summer Camp 24 years ago. For me, DEF CON is the “can’t miss” part of the week, as it has the most learning opportunities, most social networking opportunities, and most of the people I look to catch up with will be at DEF CON. The Vendor area at DEF CON is not a trade show – it’s suppliers who will sell you tools, books, parts, lockpicks, t-shirts, and other things for the individual to use, rather than a “turnkey enterprise solution.”

Black Hat

Black Hat is the business side of the week. If you’re most comfortable in a shirt and khakis, then this might be the conference for you. If you need a large trade show-esque vendor area, they have it. The talks remain high-quality, but it’s definitely got the feeling of corporate-run, enterprise-focused, and very little “community.” It’s also worth noting that Black Hat is an order of magnitude more expensive than DEF CON, so that may influence your choices.

BSides Las Vegas

BSides LV started as the “B-Side” to Black Hat: an opportunity for smaller presenters, attendees without the budget for Black Hat, and more. It’s grown into a network of regional conferences, and has expanded to a number of tracks of talks in Las Vegas. Most interestingly, they have a track dedicated to first time speakers, so you can get to meet some up and coming presenters and support those new to the scene. BSides is the most calm and laid-back of the 3 conferences, and a very casual environment. BSides is also the cheapest ($25 last year, if I recall correctly) and held at a hotel with dirt-cheap room rates ($49/night or so), so is clearly a way for a hacker on a budget to enjoy hacker summer camp. (They also offer a shuttle between the BSides hotel and DEF CON, so you can enjoy their low room rate all week!)

Travel

I’m told driving to DEF CON can be a great deal of fun when done with the right people, but I haven’t managed to do so myself. I imagine doing it yourself isn’t much fun. Do keep in mind that you’ll be driving through the desert, so a reliable vehicle is a must, and bring water, just in case.

Las Vegas, as a center of tourist travel, has relatively convenient air travel options from pretty much anywhere. From the SF Bay Area, there’s several direct flights a day from any of the 3 local airports, and on several airlines, and it’s just over an hour gate-to-gate. Keep an eye on airfare early and look for deals – booking early can easily save more than $100 on airfare. When planning, particularly for your departure from Las Vegas, please keep in mind that DEF CON travelers on Sunday evening are numerous enough to cause significant delay at airport check-in and security, so allow extra time.

Hotel

There’s two schools of thought on hotel: stay at the conference hotel (for one of the conferences, if doing more than one), or stay away from the conference hotel. I personally prefer the DEF CON hotel (i.e., Bally’s or Paris for DEF CON 24), but I’ll review the pros/cons of each so you can make up your own mind:

Staying at the Conference Hotel
  • (Pro) You can easily get back to your hotel room after evening “social activities”.
  • (Pro) It’s easy to dump stuff in your room so you don’t have to carry everything around. (This can be somewhat mitigated if you have a friend staying there.)
  • (Pro) It’s fun to meet random people from the con around the hotel.
  • (Pro) Usually, DEF CON sets up “DEF CON TV” to the rooms in the DEF CON hotels, which will live stream the talks, so if there’s one you really want to see but the room is slammed, you can watch it from your room. (Or you can hang out with some new friends, drink a couple of beers, and watch talks from your room.)
  • (Con) Everywhere at the hotel will be busy. Everywhere. Every bar, restaurant, and shop, will be slammed at all hours. Seriously.
Staying Elsewhere
  • (Pro) You get a break by getting away from the conference. This can be a good option for introverts. (Though I personally find going to my room enough for that – I usually need to do so about once per day to mentally recharge.)
  • (Pro) You can often find much better deals off site, especially if you start looking early. DEF CON even has room block that is close by, but not Paris/Bally’s, and is generally cheaper than those hotels.
  • (Pro) Food options will be much less busy than at the conference hotel.
  • (Con) You’ll need to get back and forth to the conference, which may negate some of the potential savings. (You may think you can walk, but temperatures during this week often exceed 100°F (38°C))

Other Things to Be Aware Of

  • As of DEF CON 24, registration is $240, cash only at the door. Since DEF CON 20, pricing has fairly consistently been ($year * $10) – so $200 at DC 20, $220 at DC 22, $230 at DC 23, and this year will be $240 for DC 24. While historically, there have been crazy waits for badges, registration got much better with DEF CON 23.
  • Currently, even numbered years get electronic badges, and odd numbered years get non-electronic badges. The electronic badges tend to run out, so you may want to make sure you get a badge on Thursday (they’re usually good through Thursday) if that’s important to you.
  • International travelers: Las Vegas basically runs on tips. Nearly everyone expects to be tipped.
  • Be an active participant. I’ve personally spent too much time not participating: not talking, not engaging, not doing. You won’t get the most out of this week by being a wallflower.

Resources

There are a lot of resources for finding out more about what’s going on. Obviously, the conference websites are your first stop, but as DEF CON is a large community event, there’s also more opportunities out there:

Conclusion

I hope this proves helpful to those new to DEF CON. Get out there, meet people, and have fun. If you’re a seasoned veteran and see some suggestions I’ve missed, please email me or find me on twitter: @matir with your suggestion and I’ll add it.

Thanks to the @dc404 group for some of the additions and suggestions!