As promised in a previous blog entry, here’s my review of DefCon 15 Day 1. In the next few days I’ll be posting days 2 and 3.
DefCon... where do I start...
First it’s in Las Vegas. Ok, I’m done talking, no?
For those not familiar with DefCon, it’s an annual hacking conference held in Las Vegas and immediately follows its more formal sister conference BlackHat. The conference costs $100 and is pretty much a free for all (no registration required and first come, first served to the sessions). I had the opportunity to attend DefCon again this year and it didn’t disappoint (generally). The conference was held August 3 through 5th at the Riviera Hotel. I personally stayed over at the Las Vegas Hilton which is a short walk from the Riviera and has nicer rooms. The other close hotel is Circus Circus, but trust me you don’t want to stay there!
I’d like to talk for just a moment about the DefCon badges. When you get to the conference and complete your registration, etc. you’re given a badge that you wear at the conference to allow entry into the speaking rooms. The DefCon badges were designed by Joe Grand / kingpin (as they were last year), but they were REALLY sweet this year. The badges had an array of LEDs that supported customizable text at various speeds of scrolling and a POV display as well. Rather than rehashing and displaying photos that are already elsewhere, I’ll just point you to this cool blog entry over at Hack A Day that shows the badge.
The other news item on the conference that’s been reported all over the Internet is the apparent attempt by NBC Nightline to send an undercover reporter into DefCon to spy on the conference attendees/hackers and try to glean some information or confession or some crap like that. Needless to say, she was discovered and exposed during a session where Priest and Dark Tangent asked the crowd what should be done with her (Ask her to leave nicely, or escort her out of the building). I swear I wasn’t the one that yelled “Burn her!” Anyway, here’s a link to George Ou’s blog where this whole fiasco is discussed and a YouTube video of her walking out to her car is shown.
On to my thoughts on the sessions I attended on Day 1:
The Church of WiFi’s Wireless Extravaganza – This was a great session last year. And I’m sure that Church of Wifi’s session was probably great this year too, but I wouldn’t know because the goons were preventing anyone else from getting into the overcrowded room. Looks like I’ll have to review the deck later. Ugh! I can’t be too upset though, because this is typical DefCon logistical problems. I suppose a pre-registration would help in this regard, but then again I’ve never had to put on a 7,000 person conference so I’ll quit complaining now 😉
Patrik Karlsson – SQL injection and out-of-band channeling – This was an awesome session where Patrik demoed a Perl script that he wrote that pretends to be a valid DNS server, but instead is basically a console echo of info supplied via DNS queries. Then via SQL injection Patrik sends details from the SQL server such as server name, db schema, user IDs/passwords, etc. embedded in the DNS queries themselves. So think of it this way: you’ve got some good SQL data you want to extract from the server you’ve just performed your injection on. So, you make a call to any type of stored procedure that makes a DNS query, such as xp_dirtree, where the FQDN of the UNC specified is the OOB channel where the db data is sent back to the attacker’s system (something like username_password.hackerdomain.com, where the hackerdomain DNS server just spits out all of that info to a log). Awesome stuff. It’s also probably pretty reliable since many hardened servers still allow DNS queries from them. There are many other people who have discussed DNS as being a huge information hole (like Dan Kaminsky).
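The defender's side of that session is spotting the channel in your own resolver logs. The following is an added example written for this post, not Patrik Karlsson's script or any project's code: it scans a few constructed DNS query log lines (the line format, the entropy and length thresholds, and the "last two labels are the registrable domain" rule are all assumptions) and flags queries whose left-most labels are unusually long, hex-looking or high-entropy, which is what data smuggled into a hostname looks like, then reports clients that produce several such queries.

```python
"""Spot DNS queries that carry smuggled data in their host labels.

Added example for this post; it is not Patrik Karlsson's tool or any
project's code. It scans constructed DNS query log lines (format assumed
below) and flags queries whose left-most labels are unusually long,
hex-looking, or high-entropy, then reports clients with repeated hits.
"""
import math
import re
from collections import Counter

# Constructed sample log, not real traffic. Assumed line format:
# "<timestamp> <client-ip> query: <fqdn> IN <type>"
SAMPLE_LOG = """\
2007-08-03T10:00:01 10.0.0.5 query: www.example.com IN A
2007-08-03T10:00:02 10.0.0.5 query: mail.example.com IN MX
2007-08-03T10:00:03 10.0.0.9 query: sa_p4ssw0rd_5up3rs3cr3t.attacker.example IN A
2007-08-03T10:00:04 10.0.0.9 query: 4d7953514c2d4442.attacker.example IN A
2007-08-03T10:00:05 10.0.0.9 query: 61646d696e5f7061737377303264.attacker.example IN A
2007-08-03T10:00:06 10.0.0.7 query: cdn.static.example.com IN A
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query: (\S+) IN (\S+)$")
HEX_LABEL_RE = re.compile(r"[0-9a-f]{16,}")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_line(line: str):
    """Return (client, fqdn) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, client, fqdn, _qtype = m.groups()
    return client, fqdn.lower().rstrip(".")


def score_query(fqdn: str, max_label: int = 20, max_entropy: float = 3.0):
    """Return (score, reasons) for one query name.

    Only the labels left of the registrable domain (assumed here to be the
    last two labels) can carry attacker-chosen data, so only those are scored.
    Thresholds are assumptions to tune against your own baseline.
    """
    labels = fqdn.split(".")
    reasons = []
    for label in labels[:-2]:
        if len(label) > max_label:
            reasons.append(f"long label {label!r} ({len(label)} chars)")
        if HEX_LABEL_RE.fullmatch(label):
            reasons.append(f"hex-looking label {label!r}")
        entropy = shannon_entropy(label)
        if len(label) >= 8 and entropy > max_entropy:
            reasons.append(f"high-entropy label {label!r} ({entropy:.2f} bits/char)")
    return len(reasons), reasons


def analyze(log_text: str):
    """Map each client IP to the list of (fqdn, reasons) it was flagged for."""
    hits = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, fqdn = parsed
        score, reasons = score_query(fqdn)
        if score:
            hits.setdefault(client, []).append((fqdn, reasons))
    return hits


def flagged_clients(log_text: str, min_hits: int = 2):
    """Clients with at least min_hits suspicious queries: one odd name is noise,
    a run of them from one host is how a DNS side channel looks in the log."""
    return sorted(c for c, h in analyze(log_text).items() if len(h) >= min_hits)


if __name__ == "__main__":
    for client, queries in analyze(SAMPLE_LOG).items():
        for fqdn, reasons in queries:
            print(f"{client} {fqdn}: {'; '.join(reasons)}")
    print("flagged:", flagged_clients(SAMPLE_LOG))
```

The per-client count matters more than any single name: a database server that suddenly emits a burst of long, hex-looking lookups to a domain it has never talked to before is the signal. The cheaper fix is the one the session implies: a hardened database server rarely needs to resolve arbitrary external names at all, so pointing it at an internal resolver that only forwards approved zones closes the channel before detection is needed.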
Thomas Wilhelm – Turn-Key Pen Test Labs – The premise behind this session is the concept of having a turnkey lab environment to conduct penetration testing. While there may have been some point in time when this presentation got good, I just couldn’t stand being there any longer listening to things like “So there’s these things called Live CDs that let you boot an operating system from your CD or a mounted ISO in a VM”. BLEH! I’m not quite sure what part of “You’re presenting at DefCon” that Thomas didn’t understand. This type of session reminds me that DefCon probably needs session levels defined (i.e. 100, 200, 300, etc).
Jacob West – How I Learned to Stop Fuzzing and Find More Bugs – While I heard complaints from some people that thought this session was a sales pitch for Fortify Software, I didn’t think this was the case. The premise of Jacob’s session was that while general purpose fuzzing can help identify code bugs, in order to really get a good quantity/quality of bugs, one would have to invest some time into customizing the fuzzing techniques. Jacob’s argument is that the time spent doing so could be more effectively used doing static code analysis. While Fortify does make a product that helps speed the static code analysis process, Jacob made it clear that human code review would be the absolute best. I think pretty much everyone knows that, but a code analysis tool can greatly improve the speed at which low to medium hanging fruit can be found. I personally enjoyed this session.
Danny Quist and Valsmith – Covert Debugging: Circumventing Software Armoring Techniques – This seemed to be a bit of a rehash of their session from last year’s DefCon. The general premise behind the session was that Offensive Computing has created an auto-unpacker that works against many of the existing packers. When trying to fight malware it would be helpful to have an automated tool that could unpack the code for analysis. Again, unless I missed something this was pretty much the same as last year’s session (though I’m sure the tool has improved considerably).
HD Moore & Valsmith – Tactical Exploitation – hdm and valsmith gave a condensed version of their BlackHat 2007 session. The opening part of the presentation suggested getting back to the basics. To quote the deck “Vulnerabilities are transient (so..), target the applications, target the processes, target the people, and target the trusts. You WILL gain access”. As far as finding these targets, they re-educated folks about the basic premises of information gathering on your target. They mentioned several information gathering tools such as Google, Paterva Evolution, CentralOps.Net, DigitalPoint.com, and DomainTools.com (some of these have the obvious benefit of launching the information gathering from domains/IPs other than your own). I wasn’t familiar with Paterva Evolution, but in reviewing it since the conference I’m pretty impressed. It’s a GUI app where you add a particular piece of info to a canvas such as a person’s name, domain name, IP address, email address, telephone number, etc. and Evolution will search a variety of different internet sources for information on that entity. Think of it like a DNS dig that covers all types of informational resources. Anyway, it’s definitely a good approach to perform this type of info reconnaissance since most organizations use a logon ID that matches the email address. Once you have the email address, you’ve likely got a target. The latter part of the presentation was rather rapid fire since they only had 50 minutes versus the 2.5 hours at BlackHat. However, they demo’d an exploitation of a fully patched Windows XP system via a combination of an SMBRelay attack combined with DNS/WINS WPAD tampering. The gist of this attack goes something like this:
1) Attacker registers an entry with DNS or WINS named wpad.
2) Any time a system launches Internet Explorer it will attempt to resolve and connect to an alias named WPAD. WPAD is used for automatic location of proxy servers.
3) When the client resolves WPAD and receives the name of the attacker’s system, it makes a connection attempt to that system. At this point in time you’ve got a proxy / MITM situation.
4) The attacker utilizes the smbrelay attack to create a remote shell (or admin account, VNC session, or any other Metasploit payload) on the target system(s).
For further background on smbrelay, wpad, etc. see the following links:
The history of SMBRelay (Cult of the Dead Cow)
The MITM Evils of IE/WPAD – Discussed by Chris Paget of IOActive @ Shmoocon 2007
KB Article by Microsoft that describes the WPAD weakness and static entry workaround
All of this said, you can register the static DNS/WINS entries per the MS KB article to avoid the WPAD poisoning. But to stop the SMBRelay, you’d need to enable SMB Signing which most organizations are not willing to do because of the problems that it can cause.
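The DNS half of the workaround above (pin a static wpad entry so a rogue registration cannot win) is something you can audit rather than take on faith. The following is an added example written for this post, not code from the talk or from Microsoft's KB article: it checks a constructed zone export for zones where wpad is missing, dynamically registered, or pointing somewhere other than the sanctioned proxy, and scans a constructed resolver log for wpad lookups answered off-list. The record layout, the log format, the zone names and the proxy address are all assumptions; it covers DNS only, not WINS, and says nothing about the SMB signing side.

```python
"""Audit DNS data for WPAD poisoning exposure.

Added example for this post; not code from the talk or from Microsoft.
It checks a constructed zone export for missing, dynamic or unapproved wpad
records, and scans a constructed resolver log for wpad answers that point
anywhere but the sanctioned proxy. Record layout and log format are assumed.
"""
import re

# Constructed: the only host that should ever answer for "wpad".
APPROVED_PROXIES = {"10.0.0.20"}

# Constructed zone export: zone -> {name: (type, value, is_static)}
ZONES = {
    "corp.example": {
        "wpad": ("A", "10.0.0.20", True),       # pinned, as the KB workaround suggests
        "mail": ("A", "10.0.0.30", True),
    },
    "lab.corp.example": {
        "fileserver": ("A", "10.0.1.5", True),  # no wpad at all: first to register wins
    },
    "branch.corp.example": {
        "wpad": ("A", "10.0.2.77", False),      # dynamic record from an unknown host
    },
}

# Constructed resolver log. Assumed format: "<ts> client <ip>: <name> -> <answer>"
RESOLVER_LOG = """\
2007-08-03T09:00:00 client 10.0.0.5: wpad.corp.example -> 10.0.0.20
2007-08-03T09:00:05 client 10.0.0.9: wpad.branch.corp.example -> 10.0.2.77
2007-08-03T09:00:09 client 10.0.0.7: www.example.com -> 192.0.2.10
"""
LOG_RE = re.compile(r"^(\S+) client (\S+): (\S+) -> (\S+)$")


def audit_zones(zones, approved):
    """Return {zone: [issues]}; an empty list means wpad is safely pinned there."""
    report = {}
    for zone, records in zones.items():
        issues = []
        rec = records.get("wpad")
        if rec is None:
            issues.append("no static wpad record; a client could register one")
        else:
            _rtype, value, is_static = rec
            if not is_static:
                issues.append("wpad record is dynamic and can be overwritten")
            if value not in approved:
                issues.append(f"wpad points at unapproved host {value}")
        report[zone] = issues
    return report


def audit_resolver_log(log_text, approved):
    """Return (client, name, answer) for every wpad lookup answered off-list."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, name, answer = m.groups()
        first_label = name.lower().rstrip(".").split(".")[0]
        if first_label == "wpad" and answer not in approved:
            hits.append((client, name, answer))
    return hits


if __name__ == "__main__":
    for zone, issues in audit_zones(ZONES, APPROVED_PROXIES).items():
        print(zone, "OK" if not issues else "; ".join(issues))
    for client, name, answer in audit_resolver_log(RESOLVER_LOG, APPROVED_PROXIES):
        print(f"suspicious: {client} resolved {name} to {answer}")
```

Every zone a client's DNS suffix search list can touch needs its own pinned entry, which is why the zone audit reports per zone rather than once: the lab zone here is exposed even though the parent zone is fine. The resolver log check is the complementary view, catching the case where the poisoning already happened and a client was handed a proxy you never approved.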
Johnny Long – No Tech Hacking – Listening to Johnny Long is always entertaining. This session centered around low-tech hacking. Basically what could be done to learn information about your targets without using a ton of technology at your disposal. Johnny presented several cases of this where he captured photographs of government workers’ ID badges (which could of course be used to produce a fake badge). There were also quite a few shoulder surfing photos that were taken and Johnny walked the audience through a Q&A process of determining how l33t or n00b the end user was based on simple things like what was running in their system trays, etc. Overall, nothing that was presented was earth shattering, but it definitely brought a smile to one’s face. Johnny also taught the crowd the Jedi Wave which was basically his tactic of producing an authentic looking AT&T badge that you can wave in front of people of authority who will quickly see that you belong there and will respond “Carry on, nothing to see here” just like Officer Barbrady. Johnny also talked about using smoke to pass through walls like a ninja which basically worked out to hanging out near a smokers’ outdoor area and asking someone if you can get into the building over there (which they of course oblige). While much of what was discussed sounds quite silly, you’d be surprised at how many people disclose way more information than they should. Overall, it was a great session and was filled with several laughs.
Stay tuned for Day 2…