Monday, August 11, 2014


Below are point form notes on a number of different DEFCON talks that I was able to attend.

1. 20140808-1100 Track 3 - Abusing Automated Systems

  •  <-- barcode generator
  • Correlating goods with barcodes, and feeding data to things like health insurance providers.  Abusing the VIP card space and enjoying it!
  • Want a VIP card?  You can create your own.  Check out xlogic's site for Perl scripts.
  • Forensics: "Scalpel" - headers and footers searching for identifying files
    • Scalpel sigs:  "ext and title", "case sensitive", "max size", "head"
    • can abuse Scalpel --> magic bomb by xlogicx
  • Xlogic had a thing called Tumor which is an A/V denial of service / disk space grower.  Every time the file was scanned, it grew in size!  weird..
  • Having fun with IDS consoles?  Send XSS in attacks and watch the analyst get owned.
  • - generates traffic from IDS rule file.
  • check out
    • reads a rules file and generates a packet for ALL of the rules.
  • regular expression denial of service (REDOS)
    • long circuiting - does not match but takes a long time to get there
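The Scalpel notes above (header/footer signatures, "max size", and the "magic bomb" abuse) are easier to reason about with a small carver in hand. The following is an added example and not Scalpel's code or xlogicx's tool: it parses rules in Scalpel's column layout (extension, case-sensitive flag, maximum size, header, optional footer; the `\xHH` escapes are supported, wildcards are not), carves a constructed buffer, and measures how many output bytes a header-dense input produces. The JPEG and GIF magic bytes are real; the sample buffers and the rule sizes are constructed for the demo.

```python
import re

# Constructed rules in Scalpel's column layout: extension, case-sensitive (y/n),
# maximum carve size, header, optional footer.  JPEG/GIF magic bytes are the
# well-known values; the size limits are made up for this example.
RULES_TEXT = r"""
# ext  case  max-size  header                    footer
jpg    y     200000    \xff\xd8\xff\xe0\x00\x10  \xff\xd9
gif    y     5000000   GIF8                      \x00\x3b
"""

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def decode_signature(token):
    """Turn a rule token such as \\xff\\xd8 or GIF8 into raw bytes."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), token).encode("latin-1")


def parse_rules(text):
    """Parse rule lines; '#' starts a comment, a footer column is optional."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("rule needs ext, case, max-size, header: %r" % line)
        rules.append({
            "ext": fields[0],
            "case_sensitive": fields[1].lower() == "y",
            "max_size": int(fields[2]),
            "header": decode_signature(fields[3]),
            "footer": decode_signature(fields[4]) if len(fields) > 4 else b"",
        })
    return rules


def carve(buf, rules):
    """Return (ext, start, end) for every header hit, end bounded by max_size.

    When no footer is found inside the window the carve is max_size bytes
    (clipped to the buffer).  That bound is what a "magic bomb" exploits:
    every extra header in the input costs the examiner another full window
    of output, so a few kilobytes of headers can expand to gigabytes.
    """
    carved = []
    for rule in rules:
        hay = buf if rule["case_sensitive"] else buf.lower()
        header = rule["header"] if rule["case_sensitive"] else rule["header"].lower()
        footer = rule["footer"] if rule["case_sensitive"] else rule["footer"].lower()
        pos = hay.find(header)
        while pos != -1:
            end = min(len(buf), pos + rule["max_size"])
            if footer:
                hit = hay.find(footer, pos + len(header), end)
                if hit != -1:
                    end = hit + len(footer)
            carved.append((rule["ext"], pos, end))
            pos = hay.find(header, pos + 1)   # overlapping headers are carved too
    return carved


def amplification(buf, rules):
    """Output bytes per input byte: a quick gauge of how bad a magic bomb is."""
    total = sum(end - start for _, start, end in carve(buf, rules))
    return total / len(buf) if buf else 0.0


RULES = parse_rules(RULES_TEXT)

# Constructed "disk image": a JPEG with header and footer, then a GIF with a
# header but no footer, padded with zeros.
SAMPLE_IMAGE = (b"\x00" * 16
                + b"\xff\xd8\xff\xe0\x00\x10" + b"JFIF-constructed-jpeg-body" + b"\xff\xd9"
                + b"\x00" * 8
                + b"GIF89a-constructed-gif-without-footer"
                + b"\x00" * 8)

# Constructed magic bomb: 4 KB of back-to-back GIF headers and no footers.
BOMB = b"GIF8" * 1000

if __name__ == "__main__":
    for ext, start, end in carve(SAMPLE_IMAGE, RULES):
        print("%s  offset %d..%d  (%d bytes)" % (ext, start, end, end - start))
    print("bomb amplification: %.1fx" % amplification(BOMB, RULES))
```

The amplification number is the practical check: a carving pass whose output is hundreds of times the input size is a sign of a header-dense input, and a per-rule cap on the number of carves (or a lower max size) is the usual mitigation.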
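The "long circuiting" point above (a pattern that does not match but takes exponentially long to say so) is worth seeing in code. What follows is an added example, not from the talk: a static heuristic over Python's own regex parse tree that flags a variable repeat nested inside another repeat (the classic `(a+)+` shape), plus a timer for an almost-matching input. The parser module name is an assumption about the Python version (`re._parser` since 3.11, `sre_parse` before), and the heuristic is exactly that, not a proof of safety.

```python
import re
import time

try:                                  # Python 3.11+ moved the parser here
    from re import _parser as sre_parse
except ImportError:                   # older releases
    import sre_parse


def _subpatterns(arg):
    """Yield every sub-pattern nested anywhere inside a parse-tree argument."""
    if isinstance(arg, sre_parse.SubPattern):
        yield arg
    elif isinstance(arg, (tuple, list)):
        for item in arg:
            yield from _subpatterns(item)


def nested_quantifiers(pattern):
    """ReDoS heuristic: a variable-length repeat nested inside another repeat.

    Patterns such as (a+)+ or (\\w+\\s?)* let the engine split the same input
    between the inner and outer loop in exponentially many ways before it can
    report a failed match.  This is a static check on the parse tree only.
    """
    def walk(node, inside_repeat):
        for op, arg in node:
            name = getattr(op, "name", str(op))
            if name in ("MAX_REPEAT", "MIN_REPEAT"):
                lo, hi, sub = arg
                variable = hi > lo            # the repeat can take several lengths
                if inside_repeat and variable:
                    return True
                if walk(sub, inside_repeat or hi > 1):
                    return True
            else:
                for sub in _subpatterns(arg):
                    if walk(sub, inside_repeat):
                        return True
        return False

    return walk(sre_parse.parse(pattern), False)


def match_seconds(pattern, text):
    """Wall-clock cost of one match attempt (keep inputs small for bad patterns)."""
    compiled = re.compile(pattern)
    start = time.perf_counter()
    compiled.match(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    for pattern in (r"^(a+)+$", r"^a+$"):
        print(pattern, "nested quantifiers:", nested_quantifiers(pattern))
        for n in (10, 14, 18, 20):
            text = "a" * n + "!"     # almost matches, so the engine must exhaust every split
            print("  n=%2d  %.4fs" % (n, match_seconds(pattern, text)))
```

Run stand-alone, the vulnerable pattern's time roughly doubles with each extra character while the linear pattern stays flat; in a review, the static check is the cheap first pass before any timing.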
2. 20140808-1200 Penn/Teller - Ossmann (NSA Playset, RF Retroreflectors)
  • RF Retro-Reflectors
    • an implant that is a low power small device; it modulates a radio signal sent to it, and reflects it back
    • irradiating a target is also called illumination.
  • Forward engineering tools based on the NSA ANT catalog
  • Passive Attacks
    • TEMPEST - refers to unintentional emissions
    • writings of Markus Kuhn
  • Active Attacks
    • The Thing (great seal bug) - 1940's technology consisting of a microphone and an antenna
    • changes in air pressure modulate the impedance, which modulates the reflection coming back to the radar unit illuminating it
    • uses NO local power supply
    • almost no research progress between 1960 and 2013.
    • soft tempest (Kuhn and Anderson) has a brief mention in one paper.  No implant installed in the target.  Equipment was vulnerable out of the box.
    • Hints that there might well be reflected returns possible without putting implants into devices such as video display, and keyboards.
  • Method of communication is called "RF Backscatter" (lots of public research)
    • very first public research paper in 1948 (well after the Thing was deployed)
    • A lot more research, especially around UHF RFID.  Design info on UHF RFID tags.
  • To see our returns we need a Radar system.  Which one?  Old police radar?  
    • police radars are above 20 GHz which is high.
    • Hot Wheels radar gun operates at 10 GHz which is much closer.
      • just need the radio board component.
    • also there is Arduino Radar on Ebay.
    • Coffee Can radar at 2.4 GHz is another possibility.
  • Mike Ossmann is using HackRF One for his radar.  Software defined radio radar if you like.
    • Official range is 10 MHz - 6 GHz.  Baseband bandwidth is 20 MHz.
    • Half-duplex transceiver
    • using the band right above the 2.4 GHz 802.11 band.  A little used band area in the US.
  • Mike's first RF-RetroReflector is called "CONGAFLOCK"
    • hardware design - centered on a MOSFET
    • 10Kohm resistor to protect the MOSFET gate.
    • Antenna connector to the top, target connected to the left.
    • When the input signal is going up and down in voltage, the MOSFET switches the antenna on/off.   This creates an impedance change which modulates the signal.
      • input must swing through +/- 3.3 - 5 volts
    • a kit to build your own in the HH village.
    • solder the gadget INTO something.   A PS/2 keyboard cable for example.
  • FLAMENCOFLOCK is version 2.
    • two PS/2 connectors and retroreflector in center
    • tap the clock line or data line.  ideally both.
    • tapping the data line.   Picking up the signal with HackRF one and doing AM demodulation.

3. 20140808-1300 Firewall Bypass Techniques
  • Context - I want access to an RDP server with persistent C2
    • in an ideal world, 
      • infect desktop client
      • steal RDP password
      • connect to RDP server
  • The challenge?   RDP server not reachable from Internet, and 2-Factor in use.
    • hardware firewall between users, and RDP server.
    • Very tight security - only single TCP inbound port of 3389 allowed, and no outbound traffic permitted.
    • This is post-exploitation technique - user workstation already owned.
  • Numerous different challenges
    • how can I drop the malware to the server?
    • how can I start it?
    • how do I elevate privs?
    • how do I get my traffic outbound?
  • Step 1: New tools we can use:
    • Windows key scripting tool
    • What does it do?
      • Waits for the user to connect to RDP server with 2 factor
      • After a successful login, the tool creates a screenshot and shows it to the user
      • user thinks this is a screen freeze.
      • program starts typing in the background...  
      • starts winword, drop ascii encoded payload.  
        • create VB-Macro code, and start binary.
      • instruct A/V gui to add exclusion perhaps?
      • can also install custom software
    • Lots of possibilities for use.
  • Step 2: Bypass application whitelist?
    • set the flag to bypass applocker as Admin.
    • can also load DLL's directly from VB macro code.
    • DLL loads will bypass applocker already.
    • MS-Office is really useful.
  • Step 3: elevate privileges
    • exploit vulnerable 3rd party service
    • file replacement for doing so
    • interactively logged on users can stop services
  • Step 4: Bypass hardware firewall?
    • how do we get shells outbound with this level of restriction?
    • why don't I use the TCP source to indicate that the traffic is special
    • used a kernel driver to inspect traffic and provide a covert carrying mechanism over the RDP traffic stream.   Author wrote a kernel driver that carried outbound traffic in the TCP source port.   This is a TCP covert channel.
      • Editorial:  Had I been doing this work, I would more likely have used a different header field (such as TCP timestamp option or similar)
      • TCP source port could still be stopped by firewall.
      • ?? Source port on egress will be 3389.  I think the author meant the destination port, assuming the firewall maintained state based on the initial SYN/SYN-ACK on 3389 and ignored the ephemeral port in the traffic stream.

4. 20140808-1500 VEIL Framework
  • Veil Framework
    • bridge the gap between pen testing and red teaming
    • modular framework that generates A/V evading payloads
    • veil catapult - upload and execute binaries
    • helps to not waste time scripting.
    • Editorial note:
      • not too different from my own jofftools kit but more polished.
  • Goals
    • lot of trigger options
    • good modularity, easy to implement additional stuff
    • other tool integration, and flexibility.
    • good cleanup
  • Veil-Pillage
    • pth-wmis - no service created
    • pth-winexe - run as system, binary dropped
    • impacket-smbexec - service created, no binary dropped
    • all catapult functions as modules into veil-pillage
    • catapult will be obsoleted
  • exe delivery
    • EXEs are uploaded/triggered with a \\UNC path
    • hosted with an SMB server
    • stand up and host file on an SMB server.  trigger it and EXE is loaded direct into memory on the host.
    • check out the Schmoocon presentation for demo.
    • python injector is very similar to powershell injection.
      • the only files that touch disk are the trusted python libraries etc.
  • New modules
    • enumeration
      • host/credential_validation - what creds work?
      • domain/user_hunter - where is our high value user?
      • host/enum_host - basic host enumeration
    • management
      • enable/disable uac
      • enable/disable RDP
      • force logoff to trigger post exploitation actions
    • persistence
      • bitsadmin
      • registry/sticky_keys
      • registry/unc_dll - append UNC path to environment variable.
    • powersploit
      • standup temp web server
      • trigger download string, run in memory
      • easier to run powersploit across large number of machines
  • new features
    • pure powershell meterpreter stagers
    • chooses correct powershell binary to use for injection
  • output cleanup
    • universal activity log
    • breaks out by module
    • all actions have a reciprocal cleanup action as a script.
  • random features
    • state preservation
    • MSF database interaction
    • tab completion, error checking
  • hash dumping / plaintext grabbing (new hotness)
    • powerdump.ps1
    • WCE binaries
    • powershell integrated mimikatz  (powersploit project)

5. DEFCON 20140809-1000 Mass Scanning
  • scanning the entire Internet
  • tool called masscan.
  • Nmap scans synchronously.   Masscan transmits packets and does not wait for the response.  Uses SYN cookies to validate the responses.
  • Masscan is designed for large scale and is really aggressive.
  • Need to block TCP reset packets, or use another machine to receive the responses.
  • can do load testing.   '--infinite --banners --source-ip <range>'
  • spoof scan.  Receive on one IP address.   Send from co-lo data center that has no egress filtering.
    • have the receiver be a mobile phone for example!
  • Internet scanning result glimpses:
    • VNC scanning - setup a script to capture VNC connect screens
    • heartbleed scan - 300k systems still vulnerable
    • TN3270 live mainframe scans
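The SYN-cookie trick that lets masscan skip per-target state, and that makes the "receive on a different IP" setup in the notes work at all, is small enough to show in full. The code below is an added illustration and not masscan's source: the initial sequence number of each probe is a keyed hash of the 4-tuple, so a SYN-ACK can be checked by recomputing the hash from the reply's addresses and ports, with no table of outstanding probes and on any host that holds the secret. It also shows why a reply to a port that was never probed, or with a tampered acknowledgement number, is simply dropped. The secret, addresses and ports are constructed values.

```python
import hashlib

# Constructed scanner secret; a real scanner generates its own per run.
SECRET = b"constructed-secret-for-this-example"

MASK32 = 0xFFFFFFFF


def syn_cookie(src_ip, src_port, dst_ip, dst_port, secret=SECRET):
    """Deterministic 32-bit initial sequence number for one probe.

    Because the cookie is a keyed hash of the 4-tuple, the scanner never has
    to remember which SYNs it sent: it can recompute the value on demand.
    """
    msg = ("%s:%d>%s:%d" % (src_ip, src_port, dst_ip, dst_port)).encode()
    digest = hashlib.blake2b(msg, key=secret, digest_size=4).digest()
    return int.from_bytes(digest, "big")


def is_our_response(reply, secret=SECRET):
    """Validate a SYN-ACK with no stored state.

    `reply` describes the received segment as a dict.  It travels from the
    target back to the scanner, so its 4-tuple is the mirror image of the
    probe's; a genuine reply acknowledges cookie + 1 (mod 2**32).
    """
    expected = syn_cookie(reply["dst_ip"], reply["dst_port"],
                          reply["src_ip"], reply["src_port"], secret)
    return (reply["ack"] - 1) & MASK32 == expected


def make_synack(target_ip, target_port, scanner_ip, scanner_port, seq_seen):
    """Constructed SYN-ACK as a target would send it after seeing ISN=seq_seen."""
    return {"src_ip": target_ip, "src_port": target_port,
            "dst_ip": scanner_ip, "dst_port": scanner_port,
            "ack": (seq_seen + 1) & MASK32}


def keep_valid(replies, secret=SECRET):
    """Filter a batch of replies down to the ones our probes provoked."""
    return [r for r in replies if is_our_response(r, secret)]


if __name__ == "__main__":
    isn = syn_cookie("198.51.100.10", 40000, "203.0.113.5", 22)
    genuine = make_synack("203.0.113.5", 22, "198.51.100.10", 40000, isn)
    unprobed = make_synack("203.0.113.99", 22, "198.51.100.10", 40000, isn)
    print("genuine reply accepted:", is_our_response(genuine))
    print("reply from a host we never probed accepted:", is_our_response(unprobed))
```

The "block RST packets" note in the talk follows from the same design: the scanning host's kernel has no socket for these probes, so it would answer every SYN-ACK with a reset unless those are filtered or the replies land on a different machine.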

6. DEFCON 20140809-1100 Pwning ISPs like a boss  (TR-069)
  • residential gateway security sucks
  • TR-069
    • technical report (TR) by the broadband forum.
    • consortium of players in broadband market
    • This is a CPE-WAN Management Protocol
  • TR-069 provisioning sessions
    • TR-069 server is called an ACS.
    • they communicate in SOAP RPC initiated by the client side
  • Protocol description
    • client sends INFORM
    • ACS responds with GET/SET packets
    • all exchanges are SOAP
  • Widely used defacto device mgmt standard.
    • AT&T, Verizon, Comcast etc...
    • per the ZMap guys, port 7547 is the second most popular open port in the world!
  • What can you do with ACS?
    • zero touch configuration
    • remote management
    • performance measurements, deploy firmware etc.
  • Who do you trust to run code on your devices on demand?
    • silently, remotely, without consent etc.
  • TR-069 was hidden in his router using HTML comments!!
  • How do we find ACS in the wild?
    • scanning for TCP 7547 and friends
    • Internet and DNS census
  • ACS authentication?  SSL recommended but not always used!
    • HTTP basic auth is common.
    • few hundred ISP's surveyed
    • 81% not encrypting!  
    • the ACS URL can be changed.
  • Recap:
    • protocol is dangerously powerful
    • servers are high value targets
    • lot of implementations are broken
  • OpenACS project
    • open source Java
    • 3 days got remote code exec.
  • AUDIT your own TR-069 settings
    • ensure SSL (with a certificate) is turned on
    • add your own NAT/FW router on the inside of your net.
    • ACS vendors need to write MUCH better software
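The protocol walk-through above (client sends Inform, all exchanges are SOAP) and the closing "audit your own TR-069 settings" advice combine naturally into one small check. The code below is an added example rather than anything from the talk or from an ACS product: it parses a constructed Inform envelope, pulls out the ManagementServer parameters, and reports whether the ACS URL is plaintext HTTP, whether it points somewhere other than the expected ACS host (the notes say the URL can be changed), and whether the session itself arrived over TLS. The `urn:dslforum-org:cwmp-1-0` namespace and the `InternetGatewayDevice.ManagementServer.URL` parameter name are the standard ones; the hosts, serial number and values are made up.

```python
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Constructed Inform as a CPE would send it at the start of a provisioning
# session.  Structure and parameter names follow CWMP / the TR-098 data
# model; every host, serial and version value here is made up.
INFORM_PLAINTEXT = """\
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
  <soap:Body>
    <cwmp:Inform>
      <DeviceId>
        <Manufacturer>ExampleCo</Manufacturer>
        <OUI>000000</OUI>
        <ProductClass>HomeGateway</ProductClass>
        <SerialNumber>CONSTRUCTED0001</SerialNumber>
      </DeviceId>
      <Event><EventStruct><EventCode>1 BOOT</EventCode><CommandKey></CommandKey></EventStruct></Event>
      <MaxEnvelopes>1</MaxEnvelopes>
      <CurrentTime>2014-08-09T11:00:00Z</CurrentTime>
      <RetryCount>0</RetryCount>
      <ParameterList>
        <ParameterValueStruct>
          <Name>InternetGatewayDevice.ManagementServer.URL</Name>
          <Value>http://acs-unknown.example.net:7547/cwmp</Value>
        </ParameterValueStruct>
        <ParameterValueStruct>
          <Name>InternetGatewayDevice.ManagementServer.Username</Name>
          <Value>cpe-CONSTRUCTED0001</Value>
        </ParameterValueStruct>
        <ParameterValueStruct>
          <Name>InternetGatewayDevice.DeviceInfo.SoftwareVersion</Name>
          <Value>1.0.0-constructed</Value>
        </ParameterValueStruct>
      </ParameterList>
    </cwmp:Inform>
  </soap:Body>
</soap:Envelope>
"""

# Same Inform with the ACS URL pointing at the expected host over HTTPS.
INFORM_OK = INFORM_PLAINTEXT.replace("http://acs-unknown.example.net:7547/cwmp",
                                     "https://acs.example.org/cwmp")


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{uri}Name' -> 'Name')."""
    return tag.rsplit("}", 1)[-1]


def inform_parameters(xml_text):
    """Return {parameter name: value} from the Inform's ParameterList."""
    params = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "ParameterValueStruct":
            continue
        name = value = None
        for child in el:
            if _local(child.tag) == "Name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "Value":
                value = (child.text or "").strip()
        if name:
            params[name] = value
    return params


def audit_inform(xml_text, expected_acs_host, over_tls):
    """Finding codes for one provisioning session, empty list when all is well.

    expected_acs_host: the ACS hostname the operator actually runs.
    over_tls: whether this Inform arrived on a TLS-protected connection
    (known to the server side, not to the XML).
    """
    findings = []
    params = inform_parameters(xml_text)
    url = (params.get("InternetGatewayDevice.ManagementServer.URL")
           or params.get("Device.ManagementServer.URL"))   # TR-181 name
    if url is None:
        findings.append("acs-url-missing")
    else:
        parts = urlparse(url)
        if parts.scheme != "https":
            findings.append("acs-url-plaintext")
        if parts.hostname != expected_acs_host:
            findings.append("acs-host-unexpected")
    if not over_tls:
        findings.append("session-not-encrypted")
    return findings


if __name__ == "__main__":
    print("plaintext/redirected CPE:", audit_inform(INFORM_PLAINTEXT, "acs.example.org", over_tls=False))
    print("well-configured CPE:    ", audit_inform(INFORM_OK, "acs.example.org", over_tls=True))
```

On the ACS side the same three checks map directly onto the talk's recap: encrypt the session, confirm the CPE still points at your ACS, and treat an Inform that fails either test as a device worth looking at rather than one to provision.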

Wednesday, August 6, 2014

BSIDES Las Vegas 2014

Some brief notes from BSIDES LV 2014.

1. SAP is horribly broken.   Most passwords in most aspects of the application use XOR encryption with static keys that are included within the application / accessible somehow.     Talk was "All your SAP Passwords belong to us" (Dimitri / Alex)

2. Matthew Marx has released a dictionary generating tool called WordHound.  It is context specific (think Recon-NG) whereby it can yield data from domain websites, PDF meta-data and the like.  It is language-localized using a corpus language set approach.    This will generate a really good context specific dictionary of words for a specific company etc.  For password guessing and cracking, this rocks.

3. Richard Thieme has been the highlight of my BSIDES experience.   A fierce intellect who has examined his path through both spiritual and scientific lenses.   An individual that truly questions the meaning of what has been, and is, transpiring around us.    I bought his book "Mind Games" and he signed it.

Richard covered the new world reality across his lifetime that has transformed society post-WWII and beyond.   Since the Edward Snowden disclosures, Richard is now more able to speak publicly about the ethical dilemmas faced by the intelligence agencies in a post-9/11 world, and how the directives that fly directly in the face of privacy became reality in the first decade of the 21st century.   Richard was also a UFO researcher, and does write about the idea that our society was technologically seeded by the much covered Roswell crash in 1947.

One of his many themes is that postmodern society is largely an intellectually created construct of the intelligence driven state since the post-WWII era.   Some of the many things he expressed, paraphrased somewhat.   Please forgive any inaccuracies.
  • that which we fight, we become
  • democracy can only be defended by undermining democracy
  • truth is only attainable in a post event analysis through the reading of fiction
  • lies can only be fought with lies
  • fictional creations are created by the intelligence state to keep democracy in a certain belief state
Another book to check out: "The Covert Sphere" by Tom Melley.   Truly an amazing and inspiring speaker who is closely connected to the Internet community, and feels a special connection to the security community because we question things.

Thursday, January 16, 2014

Sending 802.11 Packets with Scapy

To accompany my recent technical segment on Paul Asadoorian's Security Weekly show, here is a functional Python example of sending 802.11 beacons, probe requests, ARP and DNS requests.   Enjoy!

#!/usr/bin/env python
"""
802.11 Scapy Packet Example
Author: Joff Thyer, 2014
"""

# if we set logging to ERROR level, it suppresses the warning message
# from Scapy about ipv6 routing
#   WARNING: No route found for IPv6 destination :: (no default route?)
import logging
import os
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *


class Scapy80211():

    # the source/srcip/bssid defaults were cut off in the original post;
    # None lets Scapy fall back to its own defaults, so pass real values
    # for anything that matters to your test
    def __init__(self, intf='wlan0', ssid='test', source=None, srcip=None, bssid=None):

        # supported rates element (values are in units of 500 kbps)
        self.rates = b"\x03\x12\x96\x18\x24\x30\x48\x60"

        self.ssid    = ssid
        self.source  = source
        self.srcip   = srcip
        self.bssid   = bssid
        self.intf    = intf
        self.intfmon = intf + 'mon'

        # set Scapy conf.iface
        conf.iface = self.intfmon

        # create monitor interface using iw, then bring it up (the "ip link"
        # step is added here; the original post stops at building the command)
        cmd = '/sbin/iw dev %s interface add %s type monitor >/dev/null 2>&1' \
            % (self.intf, self.intfmon)
        os.system(cmd)
        os.system('/sbin/ip link set %s up >/dev/null 2>&1' % self.intfmon)

    def Beacon(self, count=10, ssid='', dst='ff:ff:ff:ff:ff:ff'):
        if not ssid:
            ssid = self.ssid
        beacon = Dot11Beacon(cap=0x2104)
        essid  = Dot11Elt(ID='SSID', info=ssid.encode())
        rates  = Dot11Elt(ID='Rates', info=self.rates)
        dsset  = Dot11Elt(ID='DSset', info=b'\x01')
        tim    = Dot11Elt(ID='TIM', info=b'\x00\x01\x00\x00')
        # management frame, subtype 8 = beacon
        pkt = RadioTap() \
            / Dot11(type=0, subtype=8, addr1=dst, addr2=self.source, addr3=self.bssid) \
            / beacon / essid / rates / dsset / tim

        print('[*] 802.11 Beacon: SSID=[%s], count=%d' % (ssid, count))
        sendp(pkt, iface=self.intfmon, count=count, inter=0.1, verbose=0)

    def ProbeReq(self, count=10, ssid='', dst='ff:ff:ff:ff:ff:ff'):
        if not ssid:
            ssid = self.ssid
        param = Dot11ProbeReq()
        essid = Dot11Elt(ID='SSID', info=ssid.encode())
        rates = Dot11Elt(ID='Rates', info=self.rates)
        dsset = Dot11Elt(ID='DSset', info=b'\x01')
        # management frame, subtype 4 = probe request
        pkt = RadioTap() \
            / Dot11(type=0, subtype=4, addr1=dst, addr2=self.source, addr3=self.bssid) \
            / param / essid / rates / dsset

        print('[*] 802.11 Probe Request: SSID=[%s], count=%d' % (ssid, count))
        sendp(pkt, iface=self.intfmon, count=count, inter=0.1, verbose=0)

    def ARP(self, targetip, count=1, toDS=False):
        if not targetip:
            return None

        arp = LLC()/SNAP()/ARP(op='who-has', psrc=self.srcip, pdst=targetip, hwsrc=self.source)
        if toDS:
            # data frame towards the AP: addr1=BSSID, addr2=source, addr3=final destination
            pkt = RadioTap() \
                / Dot11(type=2, subtype=0, FCfield='to-DS',
                        addr1=self.bssid, addr2=self.source, addr3='ff:ff:ff:ff:ff:ff') \
                / arp
        else:
            # data frame from the AP: addr1=destination, addr2=BSSID, addr3=original source
            pkt = RadioTap() \
                / Dot11(type=2, subtype=0, FCfield='from-DS',
                        addr1='ff:ff:ff:ff:ff:ff', addr2=self.bssid, addr3=self.source) \
                / arp

        print('[*] ARP Req: who-has %s' % targetip)
        sendp(pkt, iface=self.intfmon, count=count, verbose=0)

        # wait briefly for the reply (ARP op 2 is "is-at")
        ans = sniff(lfilter=lambda x: x.haslayer(ARP) and x[ARP].op == 2,
                    iface=self.intfmon, count=1, timeout=2)

        if len(ans) > 0:
            return ans[0][ARP].hwsrc
        return None

    def DNSQuery(self, query='', qtype='A', ns=None, count=1, toDS=False):
        if ns is None:
            return
        # resolve the name server's MAC first so the frame can be addressed to it
        dstmac = self.ARP(ns)
        if dstmac is None:
            print('[!] no ARP reply from %s' % ns)
            return

        dns = LLC()/SNAP()/IP(src=self.srcip, dst=ns)/ \
            UDP(sport=RandShort(), dport=53)/ \
            DNS(rd=1, qd=DNSQR(qname=query, qtype=qtype))

        if toDS:
            pkt = RadioTap() \
                / Dot11(type=2, subtype=0, FCfield='to-DS',
                        addr1=self.bssid, addr2=self.source, addr3=dstmac) \
                / dns
        else:
            pkt = RadioTap() \
                / Dot11(type=2, subtype=0, FCfield='from-DS',
                        addr1=dstmac, addr2=self.bssid, addr3=self.source) \
                / dns

        print('[*] DNS query %s (%s) -> %s?' % (query, qtype, ns))
        sendp(pkt, iface=self.intfmon, count=count, verbose=0)


# main routine
if __name__ == "__main__":
    print("""
[*] 802.11 Scapy Packet Crafting Example
[*] Assumes 'wlan0' is your wireless NIC!
[*] Author: Joff Thyer, 2014
""")
    sdot11 = Scapy80211(intf='wlan0')
    # send a handful of beacons and probe requests for the default SSID
    sdot11.Beacon(count=5)
    sdot11.ProbeReq(count=5)

Wednesday, January 2, 2013

Remote Access VPN with Linux racoon and MAC-OSX

If you use a Linux based router gateway and MAC-OSX Mountain Lion, being able to create an IPSEC VPN tunnel back to your home site can be very useful.     The MAC-OSX Lion IPSEC client will use ISAKMP over UDP port 500 to negotiate the appropriate phase one key exchange parameters in order to set up a UDP NAT-Traversal IPSEC tunnel over UDP port 4500 back to your home site.

Here I include a pre-shared key based example configuration of the Linux KAME “racoon” daemon to run as an IPSEC server, and configure the MAC-OSX native IPSEC client to connect to it.   The Linux based server system in this example is Ubuntu 12.04.1 server running on a Soekris NET6501-50.   For more information on what Soekris has to offer, visit the web URL  

Under Ubuntu, you will need to install two different packages in order to get started.

# apt-get install ipsec-tools
# apt-get install racoon

For the remainder of this example, I will assume that your Ubuntu Linux based system has a public IP address of, and that your desired VPN address range is   I will also assume that your router gateway is properly configured for Network Address Translation (NAT) using iptables for any address that is part of your internal network which I will consider as anything in the address range.   I will also assume that you are running your own internal network DNS server at   Proper configuration of iptables is not included in this blog entry.

Public network address:
Internal LAN Network:
VPN network pool:
DNS Server:   
DNS domain:             “domain.tld”

After you have installed the “racoon” package, the configuration file should be located as the file path /etc/racoon/racoon.conf.

We will start with a fully commented racoon.conf example based on the above information in order to illustrate how to configure an IPSEC VPN.  This configuration is based on a pre-shared key rather than a certificate based VPN for simplicity's sake, and due to the additional complexity involved with setting up your own certifying authority, generating, signing, and importing a certificate for use.

Racoon Configuration File

# set syslog level and pre-shared key file
log notify;
path pre_shared_key "/etc/racoon/psk.txt";

listen {
  adminsock disabled;     #do not listen on the admin socket
  isakmp [500]; #address for ISAKMP
  isakmp_natt [4500]; #address for ISAKMP NAT-Traversal
  strict_address;         #strictly bind these addresses
}

remote anonymous {      #anonymous matches ANY ipsec client
  exchange_mode main;   #ISAKMP phase 1 exchange mode
  ph1id 16;             #phase 1 proposal identifier
  proposal_check claim; #claim our own lifetime value
  lifetime time 12 hour;#phase 1 lifetime
  mode_cfg on;          #gather network information through ISAKMP
  generate_policy on;   #generate ipsec policy from initiator SA payload
  nat_traversal on;     #enable use of NAT-Traversal extension
  dpd_delay 3600;       #enable dead peer detection and set time at 3600 secs

  proposal {                  #phase 1 proposal
    encryption_algorithm aes; #phase 1 encryption algorithm
    hash_algorithm sha1;      #phase 1 hash algorithm
    authentication_method xauth_psk_server; #use xauth pre-shared key method
    dh_group 2;               #use diffie-hellman group 2 (modp1024)
  }
}

# specific mode configuration
mode_cfg {
  auth_source system;         #user auth source (system=Unix user)
  group_source system;        #group validation source (system=Unix groups)
  conf_source local;          #user local pool information below
  network4;       #base/first address in VPN pool
  netmask4;     #VPN pool network mask
  pool_size 50;               #VPN pool size
  dns4;              #VPN pool DNS server
  default_domain "domain.tld";#optional VPN pool domain suffix
  banner "/etc/racoon/motd";  #optional VPN pool message of the day
}

# security association info
sainfo anonymous {                  #anonymous matches any/all SA
  encryption_algorithm aes;         #phase 2 encryption algorithm(s)
  authentication_algorithm hmac_sha1; #phase 2 authentication hash
  compression_algorithm deflate;    #phase 2 compression
  remoteid 16;                      #phase 2 remoteid to match phase 1
}
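The proposal and sainfo sections above fix the cryptographic strength of the whole tunnel, and the settings that were reasonable in 2013 (Diffie-Hellman group 2 at 1024 bits, SHA-1 in both phases, no phase 2 PFS) are the ones worth revisiting first. The code below is an added example, not part of the post or of ipsec-tools: a small parser for racoon.conf's `key value;` / `name { ... }` syntax and an audit that reports those settings. The configuration string is built from the directives shown above, with a documentation address (203.0.113.1) standing in for the gateway IP the post elides; the hardened variant swaps in `dh_group 14`, `sha256`, `hmac_sha256` and `pfs_group 14`, all of which racoon accepts.

```python
import re

# Constructed from the post's directives; 203.0.113.1 is a documentation
# address standing in for the real gateway IP.
SAMPLE_CONF = r"""
path pre_shared_key "/etc/racoon/psk.txt";

listen {
  adminsock disabled;
  isakmp 203.0.113.1 [500];
  isakmp_natt 203.0.113.1 [4500];
  strict_address;
}

remote anonymous {            #anonymous matches ANY ipsec client
  exchange_mode main;
  lifetime time 12 hour;
  nat_traversal on;
  dpd_delay 3600;
  proposal {
    encryption_algorithm aes;
    hash_algorithm sha1;
    authentication_method xauth_psk_server;
    dh_group 2;               #modp1024
  }
}

sainfo anonymous {
  encryption_algorithm aes;
  authentication_algorithm hmac_sha1;
  compression_algorithm deflate;
  remoteid 16;
}
"""

# Same file with stronger phase 1/2 parameters.
HARDENED_CONF = (SAMPLE_CONF
                 .replace("dh_group 2;", "dh_group 14;")
                 .replace("hash_algorithm sha1;", "hash_algorithm sha256;")
                 .replace("authentication_algorithm hmac_sha1;",
                          "authentication_algorithm hmac_sha256;\n  pfs_group 14;"))

TOKEN = re.compile(r'"[^"]*"|\{|\}|;|[^\s{};"]+')


def parse_racoon(text):
    """Parse racoon.conf into nested {'statements': [(key, args)], 'blocks': [(name, block)]}."""
    tokens = TOKEN.findall(re.sub(r"#.*", "", text))   # drop comments first
    pos = 0

    def block():
        nonlocal pos
        out = {"statements": [], "blocks": []}
        words = []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "{":
                out["blocks"].append((" ".join(words), block()))
                words = []
            elif tok == ";":
                if words:
                    out["statements"].append((words[0], words[1:]))
                words = []
            elif tok == "}":
                return out
            else:
                words.append(tok)
        return out

    return block()


WEAK_DH = {"1": "modp768", "2": "modp1024", "5": "modp1536"}


def audit_racoon(text):
    """Human-readable findings for weak phase 1 / phase 2 settings."""
    findings = []
    for name, blk in parse_racoon(text)["blocks"]:
        if name.startswith("remote "):
            for sub_name, sub in blk["blocks"]:
                if sub_name != "proposal":
                    continue
                s = dict(sub["statements"])
                group = s.get("dh_group", [""])[0]
                if group in WEAK_DH:
                    findings.append("%s: phase 1 dh_group %s (%s) is below 2048 bits"
                                    % (name, group, WEAK_DH[group]))
                if s.get("hash_algorithm", [""])[0] == "sha1":
                    findings.append("%s: phase 1 hash_algorithm sha1; prefer sha256" % name)
        elif name.startswith("sainfo "):
            s = dict(blk["statements"])
            if s.get("authentication_algorithm", [""])[0] == "hmac_sha1":
                findings.append("%s: phase 2 authentication_algorithm hmac_sha1; prefer hmac_sha256" % name)
            if "pfs_group" not in s:
                findings.append("%s: no pfs_group, so phase 2 keys get no forward secrecy of their own" % name)
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(label + ":")
        for line in audit_racoon(conf) or ["  (no findings)"]:
            print("  " + line)
```

The parser is deliberately literal about the file format so the same audit can be pointed at a live /etc/racoon/racoon.conf; raising the groups and hashes is a one-line change on each side, but the Mac client has to offer the same proposal, so test the change with racoon in the foreground as described below.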

Linux Server Pre-Shared Key File

Although the /etc/racoon/psk.txt file would typically contain entries listing individual IP addresses, you can also have wildcard entries.   Naturally when travelling your MAC-OSX client is going to have a different public IP address depending on your location, and thus a wildcard pre-shared key file on the server end of things is the easiest solution.   A better solution, as mentioned above, would be to utilize a certificate rather than pre-shared key.

In order to generate a pre-shared key, I would suggest a relatively long random character string.   This is fairly easy to generate using a combination of “dd” and “base64” in the UNIX world, although other options exist.

$ dd if=/dev/urandom bs=1 count=18 2>/dev/null | base64

Within your /etc/racoon/psk.txt pre-shared key file on the UNIX/Linux server, you should list one entry as follows:

# pre-shared key for IPSEC VPN clients
* mylongrandomstring

Note that the string “mylongrandomstring” would actually be random characters you generated from the above command.

MAC-OSX Mountain Lion:  Cisco IPSEC VPN Client

To setup your MAC-OSX IPSEC client, you need to open Network Preferences, click on the “Lock” to make changes, and then click on the small “+” at the bottom left of the dialog to ADD a new interface.  

Set the interface type to “VPN”, and VPN Type to “Cisco IPSec”, and then type in a descriptive service name.

Click on your new IPSEC VPN connection, and enter the appropriate address or domain name of your remote server, as well as your UNIX/Linux username that you will use to connect.

Next, click on the “Authentication Settings” button and set the “Shared Secret” to the same long random string you used for the pre-shared key on the server.  Leave the “Group Name” blank, and click OK.

Testing The Configuration

If you use the "strict_address" configuration in the "listen" section of the racoon configuration, you can only test from outside your home network.   However, if we assume that your home Linux router gateway also has a second interface for "internal" network traffic, the entire listen section of the racoon.conf file can be commented out during testing to make racoon listen on all interfaces as follows.

#listen {
#  adminsock disabled;     #do not listen on the admin socket
#  isakmp [500]; #address for ISAKMP
#  isakmp_natt [4500]; #address for ISAKMP NAT-Traversal
#  strict_address;         #strictly bind these addresses
#}

For testing purposes, you should use either a console on your linux server, or ssh in from another machine, and then run racoon in debugging mode from the command line as root.

# service racoon stop
# /usr/sbin/racoon -F -d

The "-F" flag instructs racoon to log all output to stdout/screen.    The more "-d" flags you add to the command line, the more debugging output you should receive.   After starting racoon on the command line, you should attempt to connect from your MAC-OSX system.

Assuming that your group pre-shared key matches, if you get through IPSEC key management negotiation phase 1, your MAC-OSX system should prompt you for a username and password.   This username has to be a UNIX/Linux based username that has been added to the server system.   If successful, you should see your "banner" message of the day displayed, and receive a VPN pool IP address in the network.   You can then put racoon back into normal running mode, and you have successfully configured a remote access VPN.

# /usr/sbin/racoon -F -d
# CTRL-c
# service racoon start

Good luck, and please post comments/questions on your experience.