We're going to get this talk started in just a minute. We ready? All right. It is my pleasure to introduce a few guys from SensePost who are going to give the talk today, When the Tables Turn, dealing with passive strike-back against attackers on networks. First is Roelof Temmingh, Haroon Meer, and Charl van der Walt. Take it away. I can see how this is going to become a little bit of a problem. All right. Excellent. Thanks. Welcome. I'm glad to see we have such a big turnout after last night. I thought that nobody would ever be here after a night like last night. All right. We're doing a talk today. It's called When the Tables Turn. This is my beautiful assistant Haroon. Sorry. Can't hear me. Should I speak like this? Is this better? Gee, where is it? Is there any chance that we might turn this up a bit? Because I don't know if I can sustain this for this long. Okay. Okay, let's go. So basically, this is the agenda. This is what we're going to go through. Thinking about the concept, a little bit of introduction. We gave this talk at Black Hat as well, and we kind of ran out of time at the last couple of slides. So I'm not going to spend a whole lot of time on the introduction. I'd rather get to the interesting bits, which is the demo. At Black Hat, we didn't actually do the demo because we had some interesting issues with hardware. This time around, I think we're going to be able to do that. I've got the screenshots in the presentation as a backup as well. So if it doesn't work, then we'll just revert back to the screenshots in the presentation. But I think everything is good. Okay. So I'm going to start off by saying, if you don't know this, we're from a small little country at the southern tip of Africa called South Africa. It is a country. It's not a region. Okay. And in South Africa, we have lots and lots and lots of robberies and crimes and hijackings and those kinds of things. So I want to quickly tell you a story about a friend of mine.
There's a road in Pretoria called Atterbury Road, where there's a big sign up. I must actually show you the picture; it says "hijacking hotspot". Okay. It's an official government sign. It's not a small little poster that someone put up. So the government tells you, if you go there, you know, skip the robot. You don't talk about robots, right? You talk about traffic lights. Okay. Skip the traffic light and just, you know, go on, because otherwise you're going to get hijacked. That's for sure. Okay. It's not that bad. Okay. So a friend of mine actually got robbed over there. They smashed his window and they took something out of his car, his wallet and stuff. And they ran into the bushes. We also have a lot of bushes there. It's not like, you know, America. No. Right. So, anyhow, my friend said to me he wished that he had this little piece of C4 attached to his wallet with a remote detonator. So that if someone steals his wallet, he can just go, "You take it, there you go," and pull out his remote and go, okay. You get the same kind of thing if you think about electric fencing, okay? Everybody in South Africa has got electric fencing around their properties. And the idea there is really that if you don't want to climb over the wall to steal stuff from my house, that electric fencing is not going to bother you at all, all right? It's not very pretty, but, you know, that's the idea. The idea is that this talk is about attacking attackers, right? But doing it in a clever way so that we don't attack the wrong people, and we attack them by basically throwing poison at them. You see the same thing in the natural world, in the insect world: you get these bugs that are very acidic, is that what you call it? Yeah, they taste like shit, okay? So basically what happens is when something eats this bug, they're like, ah, that's not nice, all right? And you get the electric eel, which has got the same concept.
You know, it's minding its own business, swimming through the water, and hello. Yeah. His son, his son is safe. Okay, never mind, you know, private joke in here. All right? And an electric eel won't do anything to you unless you touch it, okay? If you start prodding it and agitating it, it's going to shock you, right? We see the same in the information world with disinformation, right? One country feeding another country shit, right? Saying you should know this, actually, you know, it's terrible bullshit. Okay, so we're going to quickly go through this again. Like I said, there's a lot of stuff we want to show you. What we find at the moment is current trends in the assessment space, and I put assessment there in brackets because I don't want to say the hacking space, right? We're finding that technology is really getting smarter and smarter and smarter. Everybody is building a better scanner these days. People are getting lazy. In the good old days, you had the concept that a hacker, a good hacker, was really someone that was technically clever. These days, you find the perception that someone is really clever if they have a big toolbox and they've got lots of tools that sit in this toolbox. And we find scanners and tools for every possible level of attack. Also, the other perception that you have is that administrators are dumb and hackers are clever. So you read about something in the paper or you see it on the news when a hacker has broken into a site and everybody goes, whoa, you know, that guy must be smart. On the other hand, when nobody breaks into the site, nobody goes, wow, that administrator must be good. So it's a little bit unfair towards the administrators. And what we find is that in many cases, the attacker's network, the guy that's attacking you, his network is not secure and his tools are not patched and he's not running the latest service packs. So in many cases, the mechanic's car is always broken.
And in this talk, we're going to see how we can exploit that, or make it interesting, or create a little bit of paranoia on the attacker's side before he attacks a site. Okay? Okay, so let's look at the types of defense technologies that we have out there today. And I'm going to kind of map it back to the analogies that I've given you. So with the robbery analogy, a firewall would be preventing the attack, right? So imagine you have this big tank that rolls up the highway which takes you to your office. Someone is not going to smash the windows of this tank, right? So it's preventing it. You have the technology called IDS, intrusion detection systems, which is basically a little bit like the South African police, right? They always arrive at the scene two hours late. And IDS tends to be like that. IDS tends to tell you, you've been hacked, right? So then you move a step up, which is IPS. In IPS, what's basically happening is we're trying to avoid the attack, right? So when we detect there's something happening, we try to block that, correct? And that can be seen as simply, you know, driving away. You see someone walking towards you and you just drive away. Then you have some people that think it's really clever that if they see something in the IDS logs that seems a little bit strange, or they see a machine attacking them, the next thing that they do is they attack that machine back, right? And we know that that is very scary. That's a very scary thing, because IPs can be spoofed and decoys can be put into nmap and that kind of thing. So that's a little bit like carrying a gun in your car, and if someone walks up to your car, you go, right? And you blast them straight away. And that's also not a clever idea. And the fence analogy has the same thing. The fence, the wall itself, is the firewall. Again, the IDS is the police.
The IPS is a kind of armed response, and a back-hack would be my wife with a shotgun who sits there, you know, quite paranoid, and when you walk into the house at three o'clock in the morning, drunk, she goes, I don't know you. And there you go. Right, so what we're trying to do with this is basically saying we want to raise the cost of an assessment. And I have cost in brackets and I have assessment in, not brackets, inverted commas, quotes, whatever, curly brackets, underscores, whatever. Raising the cost of assessment. When I say cost, I mean a whole lot of different things. It could be the time that you spend on it, the level of certainty you have about your own network; it could be a whole lot of different things that we mean by cost. We don't mean cost in terms of real money, and by assessment we mean all sorts of attacks, all different kinds of attacks. It's not really an assessment. And in all of these cases, what we're trying to do is we're trying to attack the technology and not the person that sits behind the technology. So one of the things that you will see that we're doing is attacking automation. In that case, we just make it so difficult to attack our sites that a would-be attacker goes, yeah, this is going to take a long while. I can just as well move on to my next target. Today it is a thing that says, are you sure when you attack a machine that you're not sitting on a honeypot? So you're going to go, well, I'm not quite sure. But what we want it to be is a situation where you say, before I attack something, I've got to be sure that the tools that I am using are secure against attacks back into the tools. I'm going to show you how we're doing that. We have to worry, is our network safe when we attack something? Do we have all the service packs installed on our machines? And what we find is we go to clients and we do it ourselves. We go to clients and say, you guys should really look at this, this, this and that.
They think that you didn't do quite a good job in securing your network. But do we measure ourselves as we measure our targets? And I find that just about nobody does that, right? Very quick off the mark to tell someone that he should patch his machines, but you don't do it yourself. Okay, so I'm going to skip this slide. Okay, and so what we're going to do here is we're going to look at different types of attacks that we'll be doing and look at different levels where we can do those attacks. So for the types of attacks, there's four categories. In the first instance, it's really avoiding or stopping the individual attack. The second thing would be to create a lot of noise and confusion within the results coming back. In the third section, we're looking at actually stopping the tool or killing the tool itself that the person is using to attack you. And if you get really hectic, then you can see if you can attack the attacker through his own tools and through his own methods. And we're going to look at that on three levels. We're going to look at it on a network level, on a network application level, and finally on an application level. Now, consider this, right? If somebody attacks you, every single bit of information going back into the attacker's tool or into his network is really under your control. You control what the attacker is seeing. You control the data that's being sent back to the attacker. All right? So let's just look at examples of that. You can look at the packets. The packets themselves that are going back to the attacker, plus all their features, are under your control. You control the forward and reverse DNS entries that the attacker will be seeing. You control the banners that spew back to the attacker. You control the error codes and the messages within web pages. You can actually control the whole web page itself if you're looking at a web application level, right?
And this data that is under your control that you're sending back to the attacker could be used where the scanner or the tool actually reads the data, right? Where the tool stores the data, when it writes it into a database or into a file, and when the scanner or the tool renders the data to you, okay? And we're going to look at examples of what you can do with this. Am I doing fine on time? Okay? Time, 15 minutes? Right. Now, before we start showing you the interesting parts and demos and that kind of thing, there's two things that you really must consider over here. The first is the legal implications of what you are doing. So I'm not an expert in law, and I don't really know how it would work, but I could guess that, you know, someone would want to look into this and say, well, you know what, we know that this guy was really out there to get you and he was attacking your network, but you wiped out his whole corporate network where he was attacking you from, and that could lead to some legal ramifications, okay? So before you implement this stuff, speak to someone that's in a suit and a tie and knows the law and drives a big car, okay? The second thing is, the stuff that we built here, we're not going to give it away. I'll tell you why. It's a little bit sucky in terms of its implementation. Okay? We're not hardcore programmers, so the stuff that we build is only meant for a demo, and before you start deploying this, or this kind of idea, on your corporate network, look at it in a little bit more detail technically, right? Because the stuff that we built is not made to be robust. That's why we don't want to give it out. Okay, so I'm going to quickly go through here. Let's look at the examples. First of all, in the first part of our assessment, what we're going to do is we're going to try to do a footprint of this company, right?
And you all know that SensePost is very passionate about footprinting, so we looked at ways that we can break our own footprinting tools. Avoiding: we can really go into DNS obfuscation to hide ourselves away, which can actually be done quite nicely. You can have MX records that are off-site, with split DNS between you and that MX record. You can hide your website away, put it totally off your network, so that nobody can actually get the IP numbers where your network is located. It's not that hard, especially when you don't offer services that need to interact with your internal network. If we want to create noise, one of the things that we do is we create a zone file from which we allow people to do a zone transfer from our network, and in this zone, we put a whole lot of IP numbers and names. At one stage, we had something like 25,000 entries within our zone file, pointing to all sorts of interesting places which you don't want to attack. So someone gets our zone file, they basically go through all the IPs, and they say, well, yes, look at this network, it's rather large. Let's attack all of these machines automatically. Remember, we want to attack automation, and they will be attacking very interesting machines around the world. You do not want to attack the FBI, for instance. In terms of stopping footprinting, what we can do is we can build a name server that basically sends back an endless loop of entries when we do our zone transfer. It never stops. It always keeps on going. Now, manually you would detect that it never stops, but if you have something that runs automatically, that will just run forever. And in terms of killing, we can control, like I said, the forward and reverse DNS entries for our zone. So with the forward entries, we are a little bit limited in terms of what our IP numbers should look like.
But in the reverse entries, if we build our own DNS server, we can be very creative with the kind of entries that we give for our reverse DNS. I'm going to show you an example of that. Okay, that's a name server that's basically running; it's kind of an evil name server. If you look at the reverse entries that we have there, if we start doing a host command and piping it through something like sed, or awk, or grep, you can see that there's, to start off with, some HTML in there for rendering, for when we start rendering the stuff. Well, we can just do a backtick, and see if we, not backtick, single quote, see if we can break the actual query, not query, the actual command, break out of that command and start executing stuff. So that ls, for instance, pipe ls, could be interesting when someone just runs it from a command line, does the host lookup from a command line. And then we can get really creative with it, like, you know, maybe rm -rf slash, you know, those kinds of things. Now what we've done is, we've implemented the very large zone files on our domain, and then just to see how the tools reacted, we used a tool called, it's actually the trial kind of free demo of the Qualys network discovery tool, to see how Qualys would see our network. Now, before I show this picture, keep in mind that we have one class C network, and we've got about 25 machines in there. Okay, so it's not a big network. When you let Qualys run on it, however, it looks like this. Okay, so it thinks we've got a hell of a big network. And eventually it starts saying, your discovery has exceeded the time limit; to view your entire map, sign up for QualysGuard. Okay, so you can see that just by looking at the reverse entries, this thing thinks we're everywhere around the world. Okay, so that's about what we can do on our footprinting side. So I'm going to go on to network level. What's the time? We're doing good for time. You want to go? You want to go?
Okay, so on network level, what we can do is, avoiding the stuff is obvious. Right? We put a firewall in there. It's as easy as that. When we want to create noise, we can play with interesting stuff. We can play with honeyd kinds of configurations. I've played with a transparent reverse proxy just because I found it to be a little bit easier at the time. And what we can do is we can take random IPs. We put random IPs up to be alive. We can have random ports open on those machines. This is not a big deal. We can have fake network broadcasts. And the nice thing that we can do is we can do a traceroute interception in this direction. Now if you look at traceroute, what does it actually do? It sends a packet, right? And it expects back ICMP TTL expired. Correct? Now that IP address that's sending out the ICMP TTL expired can obviously be spoofed. And if we spoof that IP address, the traceroute engine at the other side is going to think that's the next hop, which means we can basically control the next hop or where we are going. We'll show you that. We're going to show you that live. Are we going to do it now? Okay, let's do it now. Okay, what we used here, just to visually show it, we brought up again a demo version of VisualRoute. Okay, and VisualRoute at this point is tracing to some host behind a gateway that we control. We're not going to get name resolution here because we're not live on the net. But what we should see is, once it tries to get its name resolution going, if the demo gods are kind to us, just give it a few seconds, we hope. Okay, at this point there's no packets actually going out on the network. We should be seeing it come up on tcpdump. Okay, what you're seeing here is ICMP packets getting to our gateway, and here you've got our gateway picking random hosts, sending results back to the traceroute server.
Okay, as it gets a packet, it just repackages it, sends it back, at the moment using a list of IPs that we picked from random three-letter agencies around the world. Okay, so at this point it's going to keep going. Unfortunately, we're not live on the internet, or you'd see interesting lines as this thing bounces around trying to figure out where in the world you are. We got that on a screenshot, so I'm going to show you that on this side. But that's pretty much what this does. Okay, the first hop you see it hitting our gateway, okay, and after that it's literally taking the IPs from our list until it decides to stop trying. Okay, the IPs we can pick, you can make it as believable as you want, so you don't have to go Russia, Mongolia, UK. You could bounce it around in the UK, bounce it around a little more just to add to the effect, and it should be pretty good. The interesting thing that we thought about there was actually showing the route going back into the attacker's network. So I'm going to show you what the slide looks like when we actually show, we've done it at the other side. And it looks like this. Okay, so we got it going through the Russian Information Agency, the Bulgarian Government Network, and all sorts of interesting places where you wouldn't expect it to go, correct? Okay, like I said, what you can do as well is basically intercepting, or basically putting random machines live on this network as we wish. We actually have it in a cron job that will change this every five minutes, so it shuffles the whole network around a little bit. Okay, so for now we're just going to kick off a ping scan against the subnet. Pretty straightforward. What we're looking for here, as Roelof mentioned, is also just how most tools will interpret broadcast addresses. Okay, there was recently a whole long thread on one of the SecurityFocus mailing lists on how to determine a subnet of a company.
Okay, just about everyone uses broadcasts as a good indication of where networks are subnetted. In this case, the tool randomly picks subnets and decides to return multiple replies for that. So at this network you've got, I think, about 15 different subnet broadcast addresses and random hosts that appear to be up at any given time. Yeah, and we can do this easily if we look on this screen. Sorry, we're going to take you from here to there to there. Okay? It's like ten hours. You go... We can see here's a simple Perl script that does that. We say we want seven web servers, three FTP servers, and 20 generic ports spread across 12 IPs with five broadcasts. Okay? This results in a whole lot of IPFW rules to set up the transparent proxies. And then we have specialized listeners that get those ports. We're going to show you some of those just now. Okay, that was for if the demo didn't work. Okay, so we move on to the next level, which is your network application level. Avoiding: you just need to install your patches. When you do noise in the system, that can get interesting. We do fake banners, which is also not that cool. But we can also start to play with combined banners. Combined banners is basically a thing that says, I'm a WFTPD 4.2.2 server, and I'm a Microsoft FTP server, and in fact, I've got a big identity crisis. I'm all of the servers in the world that I can be. Now, if you look at a Nessus plugin and how they determine that banner, some of the plugins look for it at the beginning of the stream, right? But a lot of the plugins actually look for it anywhere within the stream. And those plugins, if they look at the banner, they're all going to fire up now and say, well, you're running a bad version. Again, in fact, go as far as saying, we're going to build a NASL reverse interpreter, which says, normally how the NASL stuff works is, we send this and we expect that, and we're waiting for this kind of output. That output is going to trigger.
In this case, what we can do is we can do it the other way around. And so when you see this kind of request, respond in such a way that all the plugins are going to trigger on that thing, right? We haven't built it; it's a little bit difficult. In killing network application level scanners, we can look for buffer overflows within the scanner itself, see if there's a buffer overflow there. We can look at where it renders data, and a lot of the scanners actually render data in HTML. So how cool is that? As soon as the scanner renders stuff in HTML, what do you think happens when I put an HTTP redirect to your porn site within my banner, right? So the scanner's going to pick it up. It's going to display that banner at some stage. And if my application that's displaying that data is not escaping the HTML, I can basically put anything into the report, okay? We can look at where the scanner actually puts data into a database. So we've all played with SQL injection, correct? And we love playing with SQL injection on our victims. Well, imagine if someone is now playing with SQL injection, I don't want to say on your tool, that just sounds wrong. Well, someone is actually using SQL injection on your scanner. Now, you've got to look at how you parse your input, your input being the output of the banners, right? We're going to look at an example of that just now. And then, of course, scanners that use other scanners. Everybody's got a scanner these days. And basically, we only have a couple of really good scanners, but people build a scanner and then they use nmap or Nessus within their scanner to actually do the work. So you've got to be careful when you're getting the data off your actual scanner, okay? We're going to go into examples of that. Let me just see what I'm having here. That's just some of the tools. Okay, what we've got here quickly, just to set up a concept, is an example of a bad banner running on an FTP server.
Okay, in this case, the FTP server is a generic listener. An FTP to it gives back a whole bunch of meta characters. Okay, but one of the things that's really interesting is a concept that we borrowed from a paper written by H.D. Moore on terminal security. Okay, in this case, the xterm that we're running allowed the banner that came back to inject characters into the title bar. Okay, so as soon as the guy connects, what he's got up here is "messing with SensePost, you are owned, you will become". Okay, we're going to come back to that again in a few minutes. But also what you see is at this point we're just spraying and praying. Okay, we've got a pipe rm -rf in there. We've got an HTTP redirect in there. So pretty much we're saying, let us scan and hit this and let's see what results come out of it. Are you going to go into that? No, no, just hang on. Okay, so for the people that can't see over there, I've got it a little bit enlarged over here. So you see the banner over there? You see me trying a SQL injection just with a simple one equals one. We've got the rm -rf on the template, and it's just a nasty thing. When we run a, when we run a Nessus against this particular FTP server. Okay. Oh no, no, I don't have that. Sorry. Sorry. Okay. Okay. Yep. The second thing we want to go through, pretty much in the same term, or on the same issues, again terminal security, is actually a strike-back at people running Metasploit on insecure terms. Okay. I'm not sure how many of you caught it, but Metasploit's absolutely killer. The guys gave a really good demonstration yesterday. In this case, we've got a fake web server sitting up here. Okay. And what we've got up here at the moment is the web server running in visible mode. So I'm just going to kill that and instead run it invisible. Okay. That's just cool. Okay. Basically, I've got msfcli here. Okay. So I'm just running Metasploit, picking an IIS printer overflow and asking for it to bind to port 80. Okay.
As the connect goes through, okay, you should see it get a return connection. And then what it does, okay, if you're quick enough, you would have seen the title bar change briefly to ls -al. Okay. And then it goes and drops ls -al on the command line. Okay. This example is taken straight from H.D. Moore's terminal security paper. Okay. And basically the thinking here is, what do you do the moment you get a remote shell popping up once you've run an exploit? Okay. Just about everyone, the first thing they do is hit enter. Okay. So if we're feeling particularly evil, we could kill this and instead, okay, I'm just going to drop the mic for a second, or if my assistant holds it for me, we're going to run the same, we're going to run the same command again. If you get that out of my face. Okay. We're going to run the same thing again. Run it on port 80. This time we tell it to run in invisible mode. And this time we tell it rm minus. No. Okay. Let's just do ls -al again. Okay. So I'm going to run that. You've got it listening in invisible mode. The exact same command that we just ran. Okay. And this time you see it get its reverse connection. Okay. And drop you into what looks like a shell. And this time it also includes the escape meta characters to make your text invisible. Okay. So what you're sitting with at your command line now is the command that we decided to inject. Okay. You hit your enter. And that's the result of the ls -al running on your invisible term. Okay. So the next time you get a remote shell popping up on your machine, you want to make sure that it's a shell and not something like screwterm coming back at you. Okay. Again, it's not a problem with Metasploit. Okay. Just to confirm again, it's not a problem with Metasploit. What we are saying is, it's cool if you want to use tools. Now secure your term before you decide to tell me my network's insecure. Okay. So start. This is a generic xterm. Nothing special done to it. Okay. So let's look at...
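Editor's added example, not part of the talk and not SensePost's demo code. The reverse DNS entries carrying HTML and shell text, the banners aimed at a scanner's HTML report and database, and the xterm title-bar and invisible-text tricks shown with Metasploit all come down to one point the speakers make: everything a target sends back is hostile input to the tool. The Python below is the tool-side hardening for that, assuming a scanner that keeps findings in SQLite and renders an HTML report; the FTP greeting is constructed here to contain all of those payloads at once.

```python
"""Treat what a target sends back as hostile input before a scanner prints it,
reports it or stores it.

Editor's example, not SensePost's or any scanner's code.  Assumes a scanner
that keeps findings in SQLite and writes an HTML report; the banner is constructed.
"""
import html
import re
import sqlite3

# ESC ] ... BEL (or ESC \): OSC sequences, which xterm uses to set the title bar.
_OSC = re.compile(r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")
# ESC [ params intermediates final: CSI sequences (colour, cursor moves, conceal).
_CSI = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")
# Any other C0/C1 control byte; tab, LF and CR are left alone.
_CTRL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\x9f]")


def clean_banner(raw: bytes) -> str:
    """Strip terminal escape sequences and control bytes so the text is safe to
    print to a tty.  The result is still untrusted: never hand it to a shell."""
    text = raw.decode("latin-1")          # byte-for-byte, so nothing fails to decode
    text = _OSC.sub("", text)             # title-bar / OSC injection
    text = _CSI.sub("", text)             # conceal, colour, cursor movement
    text = _CTRL.sub("", text)            # whatever control bytes remain
    return text.strip()


def render_for_html(text: str) -> str:
    """Escape before the banner lands in an HTML report, so a <meta> refresh or a
    <script> inside it is displayed as text rather than executed."""
    return html.escape(text, quote=True)


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE findings (host TEXT, port INTEGER, banner TEXT)")
    return conn


def record_finding(conn: sqlite3.Connection, host: str, port: int, raw: bytes) -> str:
    """Store with a parameterised query: the quote and the DROP TABLE inside the
    banner are data, not SQL.  Returns the cleaned banner that was stored."""
    cleaned = clean_banner(raw)
    conn.execute("INSERT INTO findings (host, port, banner) VALUES (?, ?, ?)",
                 (host, port, cleaned))
    conn.commit()
    return cleaned


# Constructed hostile FTP greeting: a title-bar OSC, concealed text (CSI 8m)
# wrapping an injected command, a SQL fragment and an HTML redirect, all in one.
HOSTILE_BANNER = (
    b"220 \x1b]0;owned\x07"
    b"\x1b[8m;ls -al \x1b[0m"
    b"Welcome' OR 1=1; DROP TABLE findings; -- "
    b'<meta http-equiv="refresh" content="0;url=http://example.invalid/">\r\n'
)

if __name__ == "__main__":
    conn = open_store()
    shown = record_finding(conn, "192.0.2.10", 21, HOSTILE_BANNER)
    print("terminal-safe:", shown)
    print("report-safe:  ", render_for_html(shown))
    print("rows stored:  ", conn.execute("SELECT host, port FROM findings").fetchall())
```

The three functions map onto the three places the talk names: where the tool reads the data (terminal), where it stores it (database) and where it renders it (report). Stripping escapes only makes the text safe to display; the SQL fragment and the shell text survive in the stored string on purpose, which is why the store uses bound parameters and why nothing here ever passes the banner to a shell.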
This was if they were doing work. Which they did. Okay. Now let's look at application level. Okay. So I'm going to look at application level, generally at web server assessments. Well, if you want to avoid it, we need an application level firewall, which is beginning to become a reality nowadays. Just quite cool. You're on the line. You're on there now. Okay. And what you can do there, I don't know if you've seen Saumil Shah's talk on PHP God. Anyone see it at Black Hat? If you haven't, then wait for the paper to come out. It really kicks ass. Okay. What we're going to do there, I'm going to briefly explain to you what we're going to do there. Basically what we can do is we can return random 404s, 302s, 500s, 200s on any of the listeners that we have on that firewall, correct? Now we wanted to do it in two ways. We actually have two versions of these. The one version just doesn't return enough results for a tool like Nikto to actually realize that it's getting too many fake 404s coming back, right? So it basically shows your report and all of those things are just nonsense. They're not really there, because we can control exactly the error code that we're sending back. If you look at Nessus, they've got this plugin that they call no404, right? What basically happens with the no404 plugin is that we test for a couple of files that we know will never exist on the system, okay? And if we find that for those files that do not exist on the system, if we find that there's a 200 coming back for those, then we say, well, these guys are actually doing something, they're not really returning a nice 200 or a 404, so we'd better be careful what we do. But in our case, we know exactly what the string is that Nessus tests for. It's called capital N, NessusTest, capital T.
So when we see NessusTest coming through on the system, we send it a nice, gently formed 404, and for anything else, we just give it bogus information, which means that plugin, the no404 plugin, never triggers. And now we can control all of the rest. I'm going to show you what it looks like. And within the application itself, we can go crazy, right? We can have bogus forms, bogus fields, as soon as we detect that someone is in there trying to scan us, and we can do that; someone put it nicely, we didn't do it like that, but he says, let's put an invisible pixel on the screen, right? A user is never going to click on that invisible pixel, because you can't see it. But a crawling tool, kind of a spider tool, that kind of thing, is going to click on it, correct? Because it's a link that's there. And as soon as you see that tool clicking on that link, a crawler clicking on the link, or a mirroring tool, then we know that it's a machine on the other side that's trying to attack us. Okay? If we want to stop this, if we want to stop automated application-level tools, we can build what we call a spider trap. And it also works for spiders, of course. And a spider trap is basically a page that contains links. When you click on a link, you get another link. And if you click on that link, you get another link, and so forth and so on. I'm going to show you a screenshot of that. What we can also do is, we can build in there what I call human detectors, or browser detectors, which we're going to go into just in a bit. And what we can do in the killing bit, this is the stopping bit. If you want to go into kill, actually, the application, or attack that application, I don't know how many of you have seen that page that says, you are an idiot. You've seen that. It's a small little Flash that runs within the browser. And we can't ever stop that. If we try to kill that window, it spawns off another seven windows that start bouncing around on the screen.
You've seen that, right? Now, what we can do is, we can take code like that, or any other kind of malicious HTML code that we wish to want. And we can put that into our listener that's basically listening on random ports. Okay? The other thing that we can do is we can simply take a file that's a very nasty virus, or let's say a very nasty denial of service attack tool, create a directory on our website called slash admin, or slash secret, or something like this, right? Take that EXE, call it admin2.exe, and copy it in there. Now, a normal user will never see that, right? But someone that's scanning your network with something like Nikto and Nessus is going to say, there's an interesting directory called secret. And we make that slash secret indexable so that if I can surf to it, see the exe file says admin2, or don't run this, or secret.exe. What do you think they're going to do? They're going to pull it down, run it on the local machine, and take out the whole network. Okay? Again, remember the legal implication, okay? All right. So this is a screenshot of what Nessus looks like, the output of NessusWX when you run it against one of these sites, and you'd find out that it's basically triggering on just about any plugin that you can find. The idea would be that if someone sees there's a thing called, what is this, VSetCookie.exe, if they actually go to that page and surf to that page, we know that there's no such web server in there. It's one of our listeners. And that's going to result in a page like that on the right-hand side. Okay? We wanted to show you this live here, but there were some issues with the internet connectivity. Okay? And on the left-hand side, what you see is you see what a spider trap typically looks like. Okay? So you've got lots and lots of links, random links, basically just pointing into other links.
And if you have an automated web assessment tool that basically crawls the site, it's going to run into this, and it's never, ever going to stop. Okay? So the very last section where we want to tell you about is the thing that we called ompits. It was like we thought about topits, and then we thought about, you know, something that's smelly and nasty, and we thought about ompits. Okay? And ompits we use against automation, really worms and that kind of thing. So let me tell you how we went about that. On our website, we had this, the marketing people decided we need to have this Flash intro to our website. Okay? And it had a little thing in there that says skip intro, which everybody clicks on always, right? So what I've done is I looked at that Flash intro and I basically took away the link that says skip intro. And then if you try to mirror the site, you find that you can't mirror it because your mirroring tool can't understand Flash, and it can never get to the end of the movie that redirects the spider into the actual site. So I thought, hey, that's interesting. I spoke to the developer, I said, can you make me a movie that's one pixel big and that's zero seconds long? It's like, hey? You know? Well, just do it and give me the redirect into the site. So we started playing, we started playing with Flash stuff, okay? And basically what we built is a small little thing that runs on a network level, runs on a session level, and it acts as a proxy. And it sits between you and your website. And basically what happens is it uses Flash to create a session ID. Dynamically it builds up a Flash page that creates a session ID and sends it as a request to the site. When we see that request, a valid request with a valid checksum coming through, we generate a cookie. We send that cookie back to the browser. The browser now makes a new connection with that cookie. And if the cookie is there and the cookie's checksum is good, we say that's right.
You can relay it through the site. I'm going to show you what that looks like. It looks a little bit like this. So we've got an incoming connection. Is it a valid cookie? If it's not a valid cookie, the first request may be a valid cookie. We say, is it a valid request string? Is the checksum correct? If the checksum is correct, we'll build the Flash page. We send it back to the client. Now it says, do we have a valid cookie? Now we don't. Is it a valid request string? Yes. We send a cookie to the user with the checksum in. Now the user's got the cookie. Makes a connection again. Doesn't have a valid cookie. Yes, he's got a valid cookie. And now we can relay this. So what Harun's going to do, no, no, no, no, no. What Harun's going to do is he's going to simply telnet to a site that's running that. If we telnet to that IP address that we're running that site, one on two, one six eight, one on two dot ten. Let's go. Okay. Can you just do a control L? Okay. Basically what you're going to see is before he even starts to send stuff in there. Okay. We immediately get back a Flash page. Right? That's a Flash page that we dynamically build. Okay. So it doesn't matter what he puts in there on a network level. We're always sending him back to this Flash page. And in order to actually go to the site, he needs to interpret the Flash. So you don't get a lot of guys coding the exploit going, well, you know, this exploit, we need to make this exploit Flash aware. Okay. And this is the whole idea. The idea is that we can identify our browser. We can identify that the user is using a browser. We can combine that. Okay. That's just what it looks like. We can combine that with the firewall that only allows the stuff into our relay in different ways. We can do it either with the human detector there. We can have it running on port 80 and our real site running on port 81, which is exactly what we're doing over here. And lastly, what we can do is we can start combining that.
See, this slide doesn't come up nice. We can combine this with the IPS. Okay. Which is, we basically now have a bad cookie jar over there. And if we see someone doing something wrong, we just send the guy, we close the connection, we mark the cookie as bad, and we basically now track bad cookies and not good cookies. Right. So what we're going to do on this side is we're just going to show you when he goes to the site what's going to happen. Now, we're running two VMware images in here so it's going to be a little bit slow. But what you will see is a quick flash there in the right-hand corner, which is the Flash that's actually executing. And then there you saw it. And then you see it coming back to the actual page. Now, remember at this stage, he's got the cookie. So he can basically surf into the site as he wishes from now. The cookie never expires. And he doesn't have to go through the whole Flash exercise again. It's only the very first time that it connects there. So that's an interesting thing on a network, on a web application level. When he puts in something bad in there, we can detect it. So if he puts in a single quote, let's just do, let's just do, we don't have all our signatures in there. We basically, we don't want to build the IPS, right? Not right now. It says, you are naughty. I will blacklist your cookie. Now that cookie is destroyed. If the cookie is destroyed, he's got to go through the Flash exercise again. So a scanner is going to trigger that every time. Lastly, what we're going to look at is on a content level, I'm just going to spend a minute on this. This is basically when you think someone is sniffing your traffic and reading your email. You can do a whole lot of interesting things within them. You can throw them in bait. I can send a mail to Irene saying, dude, you know what? There's lots of secret stuff on this website. There's no such, there's a website, nobody even looks at it.
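The cookie-gate flow the speaker walks through (valid cookie? valid request string with checksum? otherwise serve the challenge; blacklist the cookie on a bad request) as an added illustration, not code from the talk or from SensePost. The Flash movie is replaced by a plain token the client must echo back, the "checksum" is an HMAC, and the server key and the single-quote IPS signature are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed server-side key for the demo; the talk never names one.
SECRET = b"constructed-demo-key"


def checksum(value: str) -> str:
    """HMAC tag standing in for the talk's 'checksum' on request strings and cookies."""
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()[:16]


def new_token() -> str:
    """Fresh nonce plus checksum; the challenge page embeds it and a real client echoes it."""
    nonce = secrets.token_hex(8)
    return f"{nonce}.{checksum(nonce)}"


def token_valid(token: str) -> bool:
    """True only if the checksum matches: a forged or tampered token fails here."""
    nonce, _, tag = token.rpartition(".")
    if not nonce or not tag.isascii():
        return False
    return hmac.compare_digest(checksum(nonce), tag)


@dataclass
class Gate:
    """Decision flow in front of the real site: cookie? request string? otherwise challenge."""
    bad_cookies: set = field(default_factory=set)  # the talk's "bad cookie jar"

    def handle(self, cookie, query, path):
        # 1. Valid, non-blacklisted cookie: relay to the real site (port 81 in the demo).
        if cookie and cookie not in self.bad_cookies and token_valid(cookie):
            if "'" in path:  # toy IPS signature: mark the cookie bad, force a new challenge
                self.bad_cookies.add(cookie)
                return "blacklist", None
            return "relay", None
        # 2. Valid request string from the challenge page: hand out a checksummed cookie.
        if query and token_valid(query):
            return "set-cookie", new_token()
        # 3. Anything else (scanner, exploit, first visit) only ever sees the challenge page.
        return "challenge", new_token()
```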
We basically just look at the logs and we put some very nice malicious HTML code in there and we see if someone hits that site ever. Now if anyone hits that site, we know it's someone reading our email, correct? We can do the same thing with basically creating traffic that bites back. Like we know there's some issues in some of the sniffing technologies, which means if I send a particular string through there, it's going to break the sniffer, right? It's going to cause a buffer overflow in the sniffer itself and we can start looking at putting our offensive kind of technologies into a block. We can put our offensive technologies there and their sniffer is actually going to read our stuff. So we send through data all the time that's basically causing the sniffer to break and in that case, in some cases we might even attack the guy that's sniffing our traffic. So that's on a content level and I think they want us off the stage by now. So if there's any questions, we're going to be outside basically at the pool area but I think we need to get off here. Thanks for your attention and I hope you enjoyed it.