What's up, guys? You guys are nuts. Look at this fricking crowd. All right, we have so much stuff to go over. Let's break some things, eh? But the beer is all the way over there and I'm here and the wire doesn't move. Oh, wait. So this is my seventh talk here, and for people who've been coming to my talks for a while, this is the freaking remix. There are little pieces of all the old talks that have been abused in really new ways, and why? I have discovered the web, and it is glorious. Oh, oh dear, that's totally not a moon, that's a web browser. Okay, they say this is like a new operating system. No, no, no, it's a new network stack, but you get to, like, send it code to teach it how to parse your packets. Holy hell. Oh, and you know, just to make sure I'm not being too abusive here: oh, oh, iPhone's in on it too. The best part was not having to Photoshop the scene; it looks enough like an iPhone already.

So this is where the wild stuff seems to be lately. We've got cross-site scripting and cross-site request forgery; they've gotten ridiculous in terms of what they can do. The Super Bowl: we had a WMF attack, 0-day, two days before the Super Bowl, malicious image placed on this site. These guys got a couple million boxes. But then there's what really caught my attention, and this was actually the DNS rebinding test by a group at Stanford run by Dan Boneh. Actually, one of the guys is actually here from it; his name is Andrew Bortz, his alias is Abortz. This is awesome. So what these guys did: you know, we've all known in the security realm that ad networks are, like, the way to put crap on lots and lots of different places, and it's been a bit of a problem lately. Well, what they did is they put an ad on lots and lots of places, and they were a bit of a problem. They had their little applet, it got network connectivity to all these different networks, and they got, like, in for 50 bucks, 100,000 networks. Whoa. So you have my attention.
You know, I was trying not to look at DNS anymore. You know, I've really kind of... I did DNS over DNS, what more could there possibly be? Okay, when the words "DNS tunneling" and "behind firewalls" come up, my ears prickle, like, oh, this sounds like fun. So it turns out what we're talking about is an old, old, old, old, old bug. This goes back to, like, 1996. People dealt with it back then and promptly forgot about it. You know what's great about design bugs? They freaking come back from the dead; they're like zombies. What Boneh's group found is, you know, what happened is Martin Johns went ahead, revived the attack, said hey, look, I know all this stuff from 11 years ago, it works against Flash and Java and MSXML and all these other things. Boneh started going after it, RSnake started looking after it, and so I got in. Now the effect of this bug, and I'm going to explain it, is that it breaks the security policy of the web. You know, nothing important.

So to understand what's going on, we're going to start from scratch here. The web is interesting. On the web, components are pulled in from all over the place. You can get an image from over here, you can get some text from over there, maybe get a little JavaScript; you know, you can even embed an entirely different web page inside of the web page you're looking at. This is what's called an iframe, and it's a little window that can actually be any web page on the Internet. Now from a security perspective this could be scary. You know, what if you had a little window that was Hotmail, and what if you were logged into Hotmail? Would this other site that created the little window, would it be able to read your mail?
well the answer is actually no they have something called the same origin policy which you can think of as look but don't touch a web page any web page you go to can go ahead and they can embed hotmail they can show it to you you can even read your mail inside the little embedding they can show it to you but they don't get to programmatically read it themselves so the model is that you get to look inside your things from your own site but not from others so food.com has an iframe to food.com yeah I can look inside change things update it whatever but if food.com has an iframe to bar.com no not as much access at all so it's a reasonable security policy right you know two things come from the same place they must be trusted the same and of course same place equals the same name right no the problem is is that names don't host anything on the internet everything comes from ip addresses so we use dns to convert between a name food.com to an ip address 1.2.3.4 now the assumption is that the translation between food and 1.2.3.4 is relatively static it doesn't change much it is what it is and you know food.com would only return its own ip addresses no food.com can return whatever it damn well pleases whenever it damn well pleases the problem is food.com can return ip addresses of things completely outside its security domain so what this means I'll go to bar.com one moment bar.com oh no that's some server out in europe next moment uh dude that's your printer down the hall okay bar.com now has both resources the resource downloaded from the european server is able to script against the resource downloaded from your printer so your printer is behind the firewall that that server on europe can't go ahead and access the printer directly but you know what it can access is you you have a browser and it will do whatever the server out in europe says and if it says hey uh go go mess with the printer this way your browser will do it you actually have a situation where the internet 
can go ahead bounce off your browser and do things on your internal network now of course this was originally done you know from a corporate perspective how many people here run like lynxes and little home routers and so on yeah yeah you know that web interface on this yeah at one moment it's the server on europe at the other moment it's the web interface at your lynxes box dude I mean uh yeah you better have a good password on that so the attack works because the browser doesn't know that bar.com from the external ip is different than bar.com from the internal ip this is totally by design look you go to google you go to yahoo you go to cnn you go to akamai you know all these freaking places all these providers all these content distribution networks are actually distributed across lots and lots of different ip addresses and they don't want to care that you know oh you downloaded this script from this instance of akamai but it actually is now scripting against this instance of akamai my god this terrifies these guys it wouldn't scale so we have two problems first we've got to detect that we've even done this cross ip script at all that you know hey you know food.com's moved dude and like what's going on the second is what do we do about it and what scared a lot of people is well what if what we do about it means that yahoo doesn't work anymore because let me tell you yahoo likes working so the canonical attack is the firewall bypass most corporate networks draw a significant distinction between the external network and the internal network now there are all sorts of arguments about whether this is good or bad but it's this nice thing it's called reality get with it the model is that things can route out but things outside cannot route in the attack is by lower bouncing off a lured browser an attacker on the outside can access resources inside so what are our levels of exploitation the basic one you don't use any plugins at all the browser gives you i-frames you can 
move them around you can just use that and what you end up with is you know one i-frames from europe and inside that i-frames another one it's a machine down the hall they're from the same name they conscript against one another what do you get here http resources that's it no special magic the next level of attack actually comes from web plugins that be your msxml your xml http request and even silver light what you get here is the addition of not just http but because these things were built to interact with web services now you get to go ahead have all these arbitrary headers and you know messages you know things to control the infrastructure a bit more but the real thing the fun stuff you know for all the love of web services out in the professional world you know the corporate world man these guys are excited about getting back to raw sockets um so turns out both flash and java have ways of giving you raw tcp and udp access to things so now you have a bunch of things that aren't the web at all that you're now reaching through your browser and what we're seeing is oh man you can do bad things with this so let's look at java first java was the original target of the 1996 princeton attack and you know they kind of solved the problem in their applet interface 11 years ago and not only did they solve it 11 years ago they kept it solved freaking awesome except they had two different interfaces so you could run a little java applet and it would totally be safe and it would be unre bindable because java would do its own download sweetness and light unfortunately you could also use the second model that supported in firefox and safari called live connect where javascript gets to call java objects correctly and one of these objects is socket no applet no security it's one of these situations where they put this big huge wall over here but look over there there's a little bit of a back door don't don't don't pay attention no works like a charm you actually get some udp 
out of that which is kind of terrifying but flash flash is the big thing that i've been playing with flash has worked hardest to make arbitrary socket connections work when they're supposed to you know i feel bad about attacking flash i mean these guys have worked their butt off to make this stuff actually safe and secure and they made a beautiful security model i mean we're talking this is exactly what they should have done at every step of the way they unfortunately did not deal with dns rebinding so all of their security model just collapses this is what happens when you download your security policy from the wrong ip address crap so what are the mechanisms for actually rebinding an address there are lots of ways of using it but you know how do you actually make this move in the first place now i don't actually have it on my slide but the reason i bring this up is there are a kind of sort of a few people bringing up apocalyptically bad solutions to this problem there's this whole class of solutions that pretty much can be defined as there's not a hacker in the room when the solution was brought up please all of you your career goal should be be the hacker in the room when dumb solutions are proposed this is our value to society um so how do you actually cause the dns infrastructure to accept a change of address it actually was built to hold things around for a long period of time so you know there's a reason people have this delusion well there are three mechanisms right we've got a temporal mechanism where we change things in time well i'll just walk through them temporal spatial ridiculous so our traditional rebinding method and by far the easiest look records in dns that map names to ip addresses these records have a little time to live value let's say how long they're valid you know what you can totally put a zero in there and now it won't cash so every single time it tries to make a connection it'll go ahead and say hmm i'm making another connection has the 
address changed has the address changed amazingly enough that's exactly the behavior we want um so some networks actually say aha we have our security solution we'll say an address has to be valid for at least five minutes or at least 10 minutes and this is awesome we have protected our customers because you know hackers are really impatient people and can't wait five or 10 minutes oh oh it gets worse watch this here's another hack you know you can return multiple addresses at the same time in dns so when they ask for the address you say oh it's both the machine out in europe and the machine down the hall and you can store that for like a day and this works great now of course every once in a while the browser will go ahead and pick the wrong one so guess what you do you try again it turns out you can totally detect when you did it right and when you did it wrong and i don't have time to go into the full method but trust me it's not that hard the ridiculous method this one's fun every once in a while a bit of a tangent every once in a while you get people who try to use things as security technologies that really weren't they're trying to use dns ttls as a security technology i even seen us grew up this bad since people tried to use virtualization as a security technology tommy the tank engine security you know guys know what that is i think it's safe i think it's safe i think yeah you know what virtual means not real okay enough okay so overwriting a ttl when you actually control the record turns out to be really easy and this is by design this is not surprising watch out it's like call it sniping you know when you look up a name you can get back not just an address you can get back like a different name says yeah i know you looked up fu but what you really wanted is bar it doesn't just say that it goes and bar's real ip address is this okay when it says bar's real ip address is this it overrides any ttls that are already there so watch here's the demo right we're 
gonna look up one dot fu dot mallory dot com it's gonna say oh yeah i'm really bar dot fu and here's bar dot fu's ip address you know that's now bar dot fu's ip address and it's gonna be valid for 111 seconds unless i do a second query where i look up two dot fu dot mount not mallory dot com and says oh you know this is at bar dot fu dot mallory dot com as well but look at this new ip address it's all nice and fresh and has 120 seconds to be valid oh look bar's now moved yeah do not use do not use ttls as some kind of magic security check it doesn't actually work so review by swapping addresses from out from underneath the web browser by any of a number of means we can get arbitrary tcp and sometimes udp access to host reachable behind the client well what can we do with this i'm thinking vpn so it's actually totally easy okay yeah it takes like seven programming languages and six protocols totally easy freaking web coders you guys change languages like that's like you're in the middle of china and it's like oh i've walked 10 blocks i have a new dialect it's great so we got three actors in this little dance right we got a browser the browser's got the good stuff it has access to the internal resources we got the attacker he wants that access to the internal resources and then we got a proxy and this proxy is going to send code to the browser to copy messages back and forth to and from the attacker now we're going to start with a proxy running software that i wrote i'm calling it slurpee the reason behind the name will be clear uh shortly so slurpee slurpee is a multi protocol server it's built using the pearl object environment um pearl is great because of all of its massive libraries that mean i don't need to code things from scratch um it kind of speaks a few languages so the first thing it does is it talks to uh the act it talks to the attacker and gets tcp streams that need to be delivered through the browser and these streams contain routing data saying where 
it would like it really to go you got htb requests from the browser browser says hey what am i supposed to copy where you've got dns requests that this server also has to handle hey you know i'm swapping dns around so my proxy needs to own dns and then there's this fourth thing which is xml socket requests it turns out there's a routing policy mechanism in flash telling you these guys worked pretty hard um unfortunately i can provide that too so the basic theme is that the attacker connects to the proxy which manages the appropriate resources on the browser to service the attackers connection so let's talk about how we actually build this so we start out with an iframe i call it a bucket and what this bucket does is says hey proxy got anything for me and now that can be nothing there might be no uh no connections requests but eventually eventually the bucket says oh yeah i totally got something for you here you go i want a connection to 10 001 port 80 and uh the browser goes oh crap i gotta go service this so what it does is for every individual ip address that it sees it's going to need to talk to it goes and opens another iframe and this iframe all it's supposed to do is service connections for that ip address and this iframe is called a socket it's like a socket but it sucks so what you end up with is that this this child iframe actually comes from a different dns name meaning it can have a different mapping as far as the browser knows even it can have a different ip address than the parent and it will just not yet so we end up here with a bucket of sockets and now we need to go ahead and service these sockets we need to actually get them into doing sockets this brings up the obvious question how many dns requests does it take to get to the center of your corporate network you have no idea how happy i was with the answer so we have query one query one involves loading the movie and that comes from one we have query two that involves loading the security policy 
we're still gonna go ahead and we're gonna have i want to host the security policy and i want the real guy doing it two now we need to go ahead and tell the server hey server next time there's a lookup don't come to me go to that ip over there and we arm it and we do query three and we connect to 10 01 food proxy host calm port 80 all of a sudden now this dns lookup resolves oh 10 01 food proxy host calm i'm thinking 10 01 is the address three it takes three so okay i'm totally going to do something i'm never supposed to do you know what the difference between black hat and defconn is i actually want to do a live demo for you guys that and i have wired net so i actually can all right i have no idea if this is going to work it's live demo tastic all right so here we have our little window i know you can't see it much but it's going ahead and it's updating hey you know do you have a you got a connection for me and i'm repeatedly saying no well now what i'm going to do is i'm going to go over to my other window and i'm going to say hmm i'd like to go to 209 8142.254 port 80 protocol six because i want to say tcp and now i hit enter oh you look at that an iframe opened up in the back i wonder why that happened so it gives me a little error message for fun but wait maybe oh wait it's socketed it's connected so now i know you can't read it just trust me we do get slash we'd enter and hey i didn't write it for perf let me tell you look at that browser just went ahead made a connection grabbed the web page now i did this all by plain text protocols you can do freaking anything over this you can even do dns because dns runs over tcp port 53 so told you it worked so how did i actually pull it off so there are data flows going on we kind of have is this language called jason which again i know the screen sucks but what jason actually is is it goes ahead and says okay well we've got our ip 10 oh one we've got our connection on 10 oh one which is connection three and then we 
have a bunch of things we have a two browser field which is data from the attacker to the browser we have a from browser field which is data from the browser to the attacker and everything else is about state exchange and we have acknowledgments and okay i admitted i ported tcp to javascript and then it got really scary but that's at the end of the talk i should actually have my timer here so i know where the heck i am all right what what it keeps the throat lubricated all right so here's how we're managing our data flows so data is going to arrive by flash flash has a little event handle that says oh my god i got data and what it does is it flash doesn't send the data back to the attacker itself doesn't even send it to the proxy oh no no no we got a web browser for that so flash actually goes back into the webpage that hosted it and says all right i got some data here here you go now the socket the socket does not send the data either what happens is the bucket goes around each of the suckets and says you got any data for me you got any data for me you got it okay so it turns out that iframes are actually running simultaneously with you know their parents so um i had threading bugs in a web browser shoot me so i had to build a concurrency clean framework my god computer science came in useful so the bucket goes around goes to each of the suckets finds out that there's data to send and then it goes ahead and sends this big list that looks exactly like that up to the server server proxy gets this big list says okay let's pick out what's got to go where let's send acknowledgments for what's got to go where goes ahead passes out data well the attacker goes great i got data now here's what i want some more of attacker provide some data attacker provide some data it shows up in the exact same data structure gets sent to the client the bucket goes ahead and passes things out to each of the suckets this architecture not so much fast frickin flexible so obscure little 
things one thing you might notice is that the iframes inside are actually in a different domain now i told you earlier that if uh if food.com tries to do bar.com different domain well you can't look inside you can't go ahead and read the dom out you can't read these variables what are you doing well it turns out this same origin policy actually has a little bit of an exception if two pages are in the same domain so they're both in you know proxyhost.com or not malry.com or whatever and they both say hey you know what even though we're in different subdomains we want to be treated in the same domain they can both claim this and if they both do it they'll both will be allowed to script against each other so yeah i actually use the same origin policy to attack the same origin policy it's great so that's it you know a little bit of housekeeping for opening and closing sockets and uh you're pretty much done but what about the attacker you know i gave you a live demo and i showed you know typing things out is it possible for us to do something more flexible than typing get slash into a tcp selection oh yeah who here was at my first defcon talk ever was anyone awesome so check this out back in the day i used to use a tool called slurp who here used slurp back in the day you my people slurp is fantastic slurp was in 1995 the way you got from uh your text connection just a shell that you dialed into slurp let you get images and web browsers and graphics and pretty pretty pictures in fact the pvp protocol is supported i'm pretty sure stands for pretty pretty pictures now i talked about slurp in 2001 okay it was an old school back then we know what it is now uh slurp does this given the stream of packets create sockets just like the web browser create sockets and send the data in the packets to each of these sockets slurp was nat circa 1995 now if you want to go out and find slurp the latest versions kind of disappeared i don't know what happened to them i ended up having to 
go back to old hard drives from like three machines ago and will you look at that it's right there oh yeah i'm bringing slurp back that's right check this out so we've got this code called pop top and what pop top does is pop top is a vpn server that works with windows and it'll actually go ahead and take the vpn connection you know we say i want to make a connection to my workplace network well one of the protocols it'll use is pptp now pptp is an abomination i have no desire to express how horrifying a protocol it is just understand pptp ends up putting all of your packets through many layers of encapsulation into a stream of pptp data well it turns out you can hand this stream of pptp of pptp to slurp which wants to go ahead and make socket connections okay so we have all the data from the applications coming into pptp it comes into slurp and slurp wants to make socket connections what if we modified slurp to instead of making it themselves go through the web browser i just told you about well we now have slurp connected to ie thus the name of the software slurpee so the way it works the attacker runs the applications that run sockets the sockets get their traffic sent over pptp to slurp slurp goes ahead and says hey slurpee i got all these sockets go handle them for me proxy tells the browser open the appropriate sockets the browser opens the sockets which themselves provide sockets the proxy mediates the traffic between the attacker sockets and the browser sockets and it all just works you want to run nesses over ie you got nessie you want to run world of warcraft over ie you got wowie pretty much anything over tcp and if it's firefox safari you got some udp too that's right kids vpn over ie what could possibly go wrong more toys so lots of people have been looking into this and i was wondering well what else can i use this for you know i'm kind of curious this is kind of fun well one thing that's been a big problem is click fraud you know if you can drive 
people's browsers around you can go ahead and make them seem to click on things and do this and do that spam your browser will now send spam that's exactly what i want to do when i go to a website make penis fast what else can we do though well one thing that's pretty much inevitable is what's called stealth tour this is where you go to a website and you are involuntarily added to a worldwide proxy network man that's exactly what i think when i see a web ad that could be a web proxy crap um something else you can do is protect network neutrality oh by the way there's this stuff with peer to peer networking and um see java provides udp support what that means is we can make the browsers go ahead and make all these udp packets go around and udp is very nice in that it deals with gnats very very nicely you could actually build a cloud of browsers talking to each other with no central server managing them it's not supposed to work oh but it does then there was this one thing was anyone here at tcpib drinking game last year anyone hear me talk very drunkenly about ip over spam okay so i'm smashed right and there's this question that comes up which is how would you get around the great firewall of china now of course the person asking the question was expecting me to be like oh yes you know drop all the reset packets and then you know it's harry potter attack okay i'm smashed i got much better ideas i'm like look china sends a crap ton of spam china receives a crap ton of spam that's a high bandwidth low latency channel let's just copy our stuff into that okay i was joking and then i'm looking at this like well the browser does have ip inbound well the browser does have spam outbound crap i actually built it by accident damn it hate when that happens so um i had no idea people were so interested in this network neutrality thing last year i messed with packets and i'm like oh that's kind of cool i can find when a provider is messing with me sweet um i've gotten so many 
people wanting that tool so many people wanting that method it's got a little bit of a bug my method from last year for detecting messed up networks kind of sort of involved flooding it with so much traffic that it actually started dropping packets yes that's exactly what i want to do i want to be the guy who tested networks by destroying them okay that doesn't work so i've actually been working over the last year you know kind of thinking you know what else could i do to try to detect and then i realized we're talking about it wrong it's not about defending network neutrality network neutrality is a freaking status quo that what's actually suggested is provider hostility okay just a little secret every single person that i know working in router hardware is building stuff to make hostile networks what do i define as hostile if you're sniffing my traffic you might very well be a hostile network if you're altering my traffic you're really a hostile network and if you're selling my traffic to people okay look we nabster music they nabster us the size of the b2b personal information market is way larger than the size of the music market um so for hostility though here's a nice little standard for um if you know you're deploying a hostile network um if the u.s military would fucking kill you for doing it you might be a hostile network i'm just saying so what do we need to detect provider hostility well one of the problems is is that if you download two things from two different pages and it comes at two different speeds uh so they could have like different isp's different back halls different this different that it doesn't really tell you anything and that's why they think they can get away with it i came along so um what we actually need is the ability for lots and lots and lots of different sites to actually seem to be hosted from the exact same place on the internet and it turns out we need to do two things first see if it's faster or slower and second see if they 
actually host the content from the website one of the things um that is actually a real problem and that it's starting to grow and it's starting to spread is something that i refer to as the time square effect and as i realize it i realize in horror oh dear god i'm going to use awesome packet tools to save internet advertising this is not what i intended to do but okay this is the time square effect watch this when you watch a movie and time square in new york city is in that movie uh those ads aren't actually physically there they're all digitally added now why are they digitally added well because they can be it turns out there's no contractual relationship between the movie maker and the actual you know physical place that has those ads up on buildings um there's no contractual obligation well you know what your isp is actually under no contractual obligation to actually host the real contents of google to actually host the real contents of myspace there's none of it and um do you realize how much money you can make if you could sell the top link on google okay google has built a neutral playground a neutral framework where the way to get to be the top link is to actually have the top best material for that subject it turns out that uh it's a lot would be a lot easier and in fact google would theoretically make a lot more money if they just sold that top link now google won't do it because their long term brand is defended by actually having the best search results but let me tell you there are people out there who want to pay and they want to pay a lot of money and the isp are starting to realize we like money the web has been built on a model that man in the middle attacks aren't going to happen and what we're seeing is that entire companies are spawning that are doing man in the middle attacks against advertising believe it or not you don't mind ads that much you might some of them do but you know what you're the guys don't click on them now because of that 
at least we expect that the ads we're seeing are going to you know the people actually running the web pages no the providers want to show their ads instead and that's a problem so here's a modest proposal for actually building this i've kind of noticed with my you know newfound knowledge of flash hey look uh we actually can do all sorts of crazy things with the dom from flash we can hop things around it turns out one of the things we can do is we can have a secure loader we load this flash outlet over ssl and then it goes ahead and it grabs stuff from all over the place just like the browser does but our loader has a list of hashes and it says hey okay well this is what i'm supposed to get back if i get something else back if i get back a different ad crap i'm one of those evil networks those bastards all right let's go zoom in the meantime let's host the ad over a secure link like it or not this is probably what the web is going to have to do because the providers are getting really really creepy so i'm building a tool frame tool set to do this it's going to be called ndk stands for not domo koon because i would never go ahead and use the slogan of some big japanese television show to name my software that would just be wrong so not domo koon so i know a lot of you guys might think oh you know why why am i helping the commercial realm well guess why you have crypto in your browser in the first place about you know a couple years back the people who wanted you to put your credit card over the internet they're like uh we like money too in order for us to get money we need good crypto therefore we need good crypto because we like money the whole goal is aligning their goal was with ours so um is it possible interesting question is it possible to get better data regarding the spread of provider hostility and it turns out we can totally start using all the dns rebinding tools well what you know we we now have all sorts of mad control over the browser network which 
means all these things that were hard before, in terms of checking up on networks, we now have the web browsers that are going to help us. So here's what we're going to do. All right, who here knows what a transparent proxy is? Rock. All right, so check this out. Transparent proxies, the way they work: yeah, you think you've got a real connection to the internet, but it turns out if you send out a request on port 80, all your traffic gets routed to this one guy, and then he looks at the Host header on your request and says, oh, oh, oh, I know it came to me, but who you really wanted was CNN, who you really wanted was Yahoo, who you really wanted was whatever. Now on its face this causes real problems for Flash and Java, because Flash and Java are like, okay, we only want you to be able to connect back to the guy you got your applet from. Unfortunately, the guy you got your applet from was the transparent proxy, and guess how much of the internet is behind the transparent proxy? Oh yeah, all of it. Not just the external network, the internal network too. It's like, hey, transparent proxy, hey 1.2.3.4, give me this host that's inside this network. The thing goes, okay, here you go. Crap. Okay, proxies are so horrifyingly broken; it doesn't work.

So what we can do, it turns out, remember I said earlier what we want out of a neutrality test, what we want out of a hostility detection framework, is to filter out all the changes that might come from the weirdness of the internet and instead just have the provider network. Well, there's a great thing about transparent proxies: they live on the provider network. So if a transparent proxy would, I don't know, perhaps be willing to go ahead and provide two different websites at two different speeds, well, that's entirely within the provider network. Straight-up test for hostility. Awesome. But there's a difference though. There's something called the silent censor. It turns out none of the big ISPs, much to my surprise, actually seem to have transparent proxies deployed,
you know, your Comcasts, your AT&Ts, your, you know, all these guys, they don't seem to do this. I think it's for scalability reasons: yeah, these proxies fall over, and now you have a bunch of pissed-off customers. However, they may have filter boxes. What these filter boxes might do is they'll go ahead and they'll say, hmm, you connected to this IP address and you asked it for a host, CNN, Yahoo, MySpace, Google, whatever, and I either like it or don't like it. Well, now what we can do with Flash is we can go to an IP address, testyournetwork.com port 80, and be like, uh, yeah, this block of one meg, this one's from CNN, I promise. You can do it faster or slower, and it'll tell you, and it'll totally do the rules.

Now here's the problem. The problem is that I assume there's a jackass as smart as me at all these different carriers. This guy's like, ah, I can totally detect him doing this: he'll have the wrong IP, he'll have the wrong this, he'll have the wrong that. So I was kind of curious: can I make a detection framework that even I can't defeat? Either way, I win. Well, so here's the problem. You know, we want to spoof sites on the internet, we want to use their real IPs, we want to have the real TTLs, we want to have the real ports, we want to see what they would see, even though we're not man in the middle. We really don't want the real sites to mess with us as we're doing it. Good luck. I mean, we'd have to have like sequence numbers from the browser to know what the heck it's doing, and we're certainly not getting TCP sequence numbers from a browser, right? Oh, hell no. ActiveX is redeemed: there's an ActiveX plugin that will put a packet sniffer in a web browser and fire JavaScript events when a packet arrives. Holy crap, this really shouldn't exist. Okay, now we can have some fun. Oh, oh yeah, I'm bringing packets back. So check this out: I'm building this tool, it's called Inspector Packet. I'm going to do Paketto Keiretsu 3.0 just to release this. So what normally stops Mallory from pretending to be a random
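The shape of the "same blob, different Host header" probe described above, as an added Python example (not the Flash tool the speaker built). The probe only ever talks to your own test server; the Host labels are tags for whatever box in the path keys its decisions on that header. `testyournetwork.com` is the control name taken from the talk; `news.example` and `video.example` are constructed probe labels, and `fake_transfer` is a constructed stand-in for the network so the block runs offline, while `socket_transfer` is the real transfer function you would point at the test host.

```python
import socket
import statistics
import time

BLOB_PATH = "/blob"   # fixed-size resource (the "one meg block") served by our own test host

def build_request(label: str) -> bytes:
    """Raw HTTP/1.1 request; only the Host header differs between probes."""
    return (f"GET {BLOB_PATH} HTTP/1.1\r\n"
            f"Host: {label}\r\n"
            "Connection: close\r\n\r\n").encode()

def socket_transfer(ip: str, port: int = 80, timeout: float = 30.0):
    """Real transfer: returns a function request_bytes -> (bytes_received, seconds)."""
    def transfer(request: bytes):
        with socket.create_connection((ip, port), timeout=timeout) as s:
            start = time.perf_counter()
            s.sendall(request)
            total = 0
            while chunk := s.recv(65536):
                total += len(chunk)
            return total, time.perf_counter() - start
    return transfer

def probe(labels, transfer, repeats=5):
    """Throughput samples (bytes/s) per label, interleaved so drift hits every label alike."""
    samples = {label: [] for label in labels}
    for _ in range(repeats):
        for label in labels:
            nbytes, secs = transfer(build_request(label))
            samples[label].append(nbytes / secs)
    return samples

def suspicious_labels(samples, control, min_ratio=0.5):
    """Labels whose median throughput falls below min_ratio of the control's median."""
    baseline = statistics.median(samples[control])
    return sorted(label for label, values in samples.items()
                  if label != control and statistics.median(values) < min_ratio * baseline)

# Constructed stand-in for the network: the path throttles anything labelled video.example.
def fake_transfer(request: bytes):
    host = next(line.split(b":", 1)[1].strip() for line in request.split(b"\r\n")
                if line.lower().startswith(b"host:"))
    secs = 8.0 if host == b"video.example" else 1.0
    return 1 << 20, secs

LABELS = ["testyournetwork.com", "news.example", "video.example"]

if __name__ == "__main__":
    results = probe(LABELS, fake_transfer)
    print("throttled labels:", suspicious_labels(results, control="testyournetwork.com"))
```

Because every probe fetches the identical bytes from the identical server, a throughput gap between labels that persists while the control stays steady cannot come from the far end of the internet; as the talk puts it, it is entirely within the provider network. The median-ratio comparison is deliberately crude; repeat the run at different times of day before drawing conclusions.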
site on the internet? Well, you know, Mallory doesn't know the sequence numbers to use, and Mallory has to compete with a real server. Well, what toy do we have now? We've got a sniffer running on Alice; we've got a sniffer running on the client. So check out what Mallory can do. Well, first of all, she can send all this data to Alice with the exact right sequence numbers; totally has the codes to get in. Well, here's a problem. You know, Alice is going to acknowledge, not to Mallory, because the IP address is still, you know, CNN, MySpace, whatever. Alice is going to acknowledge, and Mallory, and then, you know, the real server is going to be like, what the hell are you talking about? I didn't send you that data. Reset, reset. Unless, you know, Mallory has the actual sequence number to send a reset to the server too, and it turns out Mallory can shut down MySpace, be like, you know what, that client went away.

Now normally, normally what would happen is, you know, these packets arrive at MySpace or whatever, and the server says, you know, I'm getting all the acknowledgments, but I don't have a session open to you, so client, why don't you shut down your session? But then came security, and security put in a firewall, and the firewall says, I don't have a session open to you; I'm going to pretend like I don't exist; I'm just going to be nice and silent. So what this means is, when Mallory shuts down the connection to MySpace, MySpace now ignores all the acknowledgments coming from Alice. It totally works. And now what this means is, you know, Mallory is sending traffic to Alice, Mallory's provider thinks MySpace is sending traffic to Alice, and when Alice acknowledges back, well, that goes back up to MySpace. But this is the great part: you know, Alice has a sniffer, and Alice is actually tunneling all those acknowledgments over an encrypted HTTPS stream. That's right, I'm doing TCP over JavaScript. Not kind of; I'm actually tunneling TCP over JavaScript. Rock. So why
am I so eager to do this? Check out this level of evil here: "The goal is to identify the applications being used on the network. Some of these devices can go much further. Those from a company like Narus, for instance, can look inside all traffic from a specific IP address, pick out the HTTP traffic, drill further down, reassemble emails as they're typed out by the user." These guys are so eager to spy on you, they can't even wait for you to finish writing the email. They're like watching you as you go. What kind of creepy shit is this? Oh, I'm so messing with these guys now. I can go ahead; they want to do deep packet inspection, I can pretend to be any site on the internet providing any content I want. And there's a real open question: do I get to exploit them? I'm sending traffic to my client; I have no idea who's in the middle. Hey, if you're deeply inspecting my traffic and you have no right to, I'm not sure you have the right not to get exploited. I'm just saying. So, you know, if any of you work at one of these companies, I recommend inspecting this deeply.

So some conclusions, and then it looks like I'll have time to show off my little toy. DNS rebinding is threatening the boundaries of networks: your Linksys routers, your corporate networks. Pretty much full TCP and partial UDP connectivity is getting exposed. This is not good; we have to do something about this, and, you know what, a lot of people really are working very, very hard on fixing this. Beyond that, though, the web: look, I love the web. The web was built for all resources that were publicly available. That was the idea, that was the model. We really need to have some better thinking in terms of how we handle private resources, stuff that, you know, I can access but you can't. The web really wasn't built for access control, and we need it, because we're putting a crap ton of private stuff on websites. Beyond that, because of the spread of these provider-in-the-middle attacks, everyone running a website that depends on
advertising, expect in a year or two that you're going to have to try to find some way to encrypt all your traffic. It sucks, it's horrible; in fact SSL really isn't built to be able to do it right. But guess what? If you don't, other people's ads are going up instead of yours. And finally, people who are messing with my traffic: I mess back. So that's the big stuff I've got.

Now the fun little toy, because I've got time. So how did all this happen in the first place? You know, I sit down, I relax, put some music on. I may, kind of, sort of, when I build stuff, get totally and utterly distracted. It's happened before, it'll happen again. I end up writing some completely random crap and then finding out, like, a month later, oh, that's why I built that. So last year I go ahead and I give this talk about dot plots. They're a way of visualizing data similarity, and I get back this two-line piece of feedback that had almost as much punctuation as text. It's like: dot plots?! What the... Well, thank you. I don't... do you like it? Do you hate it? So they're a mechanism for visually analyzing similarity across a data set. You know, go check out last year's talk for details. So I thought I'd go ahead and port it to Winamp. Figured it'd be pretty. I mean, you know, I originally got the idea: if you look at music, it's very structural. There's very much repeats, there's things that go back and forth. I'm listening to music, I like pretty pictures, I think I'll like listening to music that generates pretty pictures. Cool. I figured it'd be nice to have something that I'd never be showing at Black Hat, now DEF CON of course, because it's cool, but, you know, make something the security geeks over there don't need to know. And I actually got, this is what I was showing at the beginning of my talk, I actually got something that really generated very nice patterns out of arbitrary music. What I do is I take the spectrum and I compare it vertically and compare it horizontally, and it turns out I get these vertical lines that form when I have a beat.
I mean, it's actual visual beat analysis. And just to show that it's actually accurate: when I speed up the beat, the lines shrink in on each other; when I slow it down, they get farther and farther away. Sweet, this is exactly what I wanted, this is cool. So the images are based on spectral similarity: how similar is what I'm hearing now to what I've heard for the last n seconds? So, really dumb little method, don't try this at home, but the idea was bass would be red, midrange would be green, treble would be blue, and if you actually look at various instruments, various timbres of sound, they actually have different layouts in terms of how much relatively they're using of each. Well, that means you get different colors for different songs, and different segments of songs. Now, our auditory system is almost certainly doing this kind of analysis. The idea is you compare what you're hearing now to what you've heard for the last couple of seconds. I just did it really, really badly, but I still got pretty pictures. See, that's pretty, and it's actually directly responsive.

So what we end up with is two things. First, we get a visual hash of auditory segments, based on the relative similarity and dissimilarity of bass, midrange and treble. We also end up with these vertical lines forming whenever the same signal is repeated. If it takes a long time to repeat, you get a long distance in the line; if it takes a short time, they really, really bunch up. So if you have like a drum beat, you get these lines that are just vertical, like, you know, right next to each other. So there's a trade-off in terms of blurring. Well, that is really blurry, I'm sorry. The trade-off in blurring is this: you know, if you blur more, you end up seeing more of the underlying structure of the audio; you see the repeats better. If you blur less, you get a much higher accuracy in terms of being able to detect when one section ends and another begins. Of course, that's what I was doing last year: I
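The spectral dot plot described above, as an added Python example that is not the speaker's Winamp plugin: every frame's magnitude spectrum is compared with every other frame's (the "vertically and horizontally" comparison), the bass/mid/treble split of each spectrum gives its colour, and the strongest off-diagonal line gives the beat period in frames, which shrinks when the pattern repeats faster. The frame size, the three-way band split and the input signal (a constructed loop of pure tones standing in for a drum beat) are all assumptions made for the toy.

```python
import cmath
import math

FRAME = 32            # samples per analysis frame (constructed; tiny so a naive DFT is fine)

def dft_magnitudes(frame):
    """Naive DFT magnitude spectrum of one frame, keeping the non-redundant half."""
    n = len(frame)
    return [round(abs(sum(x * cmath.exp(-2j * math.pi * k * i / n)
                          for i, x in enumerate(frame))), 9)
            for k in range(n // 2)]

def band_energies(mags):
    """Split the bins into three equal bands: bass, mid, treble (an assumed split)."""
    third = len(mags) // 3
    return (sum(mags[:third]), sum(mags[third:2 * third]), sum(mags[2 * third:]))

def frame_colour(mags):
    """Relative bass/mid/treble energy -> (R, G, B) pixel, as the talk's colouring."""
    bass, mid, treble = band_energies(mags)
    total = (bass + mid + treble) or 1.0
    return tuple(int(round(255 * e / total)) for e in (bass, mid, treble))

def cosine(a, b):
    """Cosine similarity of two spectra; identical -> 1.0, disjoint -> 0.0."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    if na == 0 or nb == 0:
        return 1.0 if na == nb else 0.0
    return dot / (na * nb)

def similarity_matrix(spectra):
    """The dot plot: cell [i][j] says how alike frame i sounds to frame j."""
    return [[cosine(a, b) for b in spectra] for a in spectra]

def repeat_period(sim, max_lag):
    """Lag with the strongest diagonal line = frames between repeats (the beat)."""
    n = len(sim)
    best_lag, best_score = None, -1.0
    for lag in range(1, max_lag + 1):
        pairs = [sim[i][i + lag] for i in range(n - lag)]
        score = round(sum(pairs) / len(pairs), 9)
        if score > best_score:          # strict: the shortest period wins ties
            best_lag, best_score = lag, score
    return best_lag

def analyse(signal):
    """Frame the signal, take spectra, build the dot plot."""
    frames = [signal[i:i + FRAME] for i in range(0, len(signal) - FRAME + 1, FRAME)]
    spectra = [dft_magnitudes(f) for f in frames]
    return spectra, similarity_matrix(spectra)

def tone_frame(k):
    """Constructed sample: one frame of a pure tone centred on DFT bin k."""
    return [math.cos(2 * math.pi * k * i / FRAME) for i in range(FRAME)]

# Constructed "drum loop": four distinct tones repeating every four frames,
# and the same idea played twice as fast (two tones repeating every two frames).
LOOP = [s for _ in range(4) for k in (2, 5, 9, 12) for s in tone_frame(k)]
FAST_LOOP = [s for _ in range(8) for k in (2, 9) for s in tone_frame(k)]

if __name__ == "__main__":
    spectra, sim = analyse(LOOP)
    print("beat period (frames):", repeat_period(sim, 8))
    print("colours of first four frames:", [frame_colour(s) for s in spectra[:4]])
    print("faster beat period (frames):", repeat_period(analyse(FAST_LOOP)[1], 8))
```

Rendering `sim` as an image, row by row, draws the diagonal lines the talk describes; `repeat_period` is just the numeric reading of where the brightest off-diagonal line sits. A smoothing step over the spectra before comparison would reproduce the blurring trade-off the speaker mentions: more smoothing, clearer structure, less precise segment boundaries.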
was trying to fuzz files by finding out when one thing ended and one thing began. So why was this here? Why did I present this back at Black Hat? So I'm doing web research, right? Well, my buddy Zane Lackey, who I think is totally in the room, someone get this man a beer. All right, so I'm doing web research. This is really not what I normally do, and we go out for beers, because, you know, this is Zane's specialty, and I'm always happy to see Zane when he comes to Seattle. Seattle is also known, by the way, as DEF CON North. We all go out for beers, and I'm like, oh dude, so I'm working on this really cool thing, it makes pictures from sounds, and he's like, oh yeah, for like audio CAPTCHAs? It was just supposed to be for pretty pictures, but that's a great idea, dude. Like, silent for a minute. We end up going straight home and start looking into this.

Now, audio CAPTCHAs. What are audio CAPTCHAs? CAPTCHA is a Completely Automated Public Turing test to tell Computers and Humans Apart. There are lots and lots of websites that really have a problem with bots, and the idea is they want to know that a human is there. So I get this email from someone about, you know, the fact that I'm doing CAPTCHA research, and I say, well, what are you doing with CAPTCHAs? Check this quote out: "CAPTCHA is quite annoying. I use a few programs as an auto messager and to steal friends from other pages. Now, they had a way around the CAPTCHA system for a while, but not anymore. I don't know, I got five different accounts, I have 300 people a day, and I'm sitting there typing 250 CAPTCHA codes a day on this damn thing." CAPTCHAs exist to piss this guy off. That is the purpose of a CAPTCHA. So the general idea is to use the human's superior ability to segment things, to segment data, to differentiate humans and machines. Image CAPTCHAs use text, audio CAPTCHAs use audio, and they both put it over noise. So it turns out audio is much, much easier to hack. You have a couple million neurons coming from your visual system; you've got about 35,000 coming
from your auditory system. This is why audio compresses so much better than video. So I go ahead and I take this real-world CAPTCHA. So you're not going to be able to see it, unfortunately, because it's too dark, but eventually, there, right, with analysis, there's a repeat of the number eight, and there's actually a red line. Go ahead and grab the slides; you see this big blob at eight. You just heard "nine, one", all right, "nine". Okay, check this out: there was a nine repeated at the end. You see, right near that mouse, that big white blob? Oh yeah, we're totally picking out the CAPTCHA. Turns out all the noise they put in, yeah, that's fine and great, but, you know, you're saying the same things in the same ways, and this method actually totally busts it.

So, recommendations for better CAPTCHAs. Guys, don't, oh man, don't make speech much louder than the noise. It's like: quiet, quiet, quiet, quiet, quiet, BIG THING YOU'RE SUPPOSED TO PAY ATTENTION TO, quiet, quiet, quiet, quiet. Don't do that. You know, humans do recognize more than just numbers; it would be nice if you used more than just numbers. Use sentences; use more than even words in isolation, because we're really good at parsing out sentences in a context. And finally, humans are intelligent, well, some of them. Ask them simple questions; they might be able to answer. So those are my toys. That's what I got done.
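A check a CAPTCHA designer could run against the first recommendation above (speech must not tower over the noise bed), as an added Python example that is not from the talk. It measures how far the loudest frame rises above the typical frame in decibels; the 6 dB threshold, the frame size and the two constructed test signals (a noise bed with a tone burst standing in for a spoken digit) are assumptions made for the example.

```python
import math
import random

FRAME = 64  # samples per frame (constructed; real audio would use ~20 ms windows)

def frame_rms(samples, size=FRAME):
    """RMS level of each consecutive frame of the signal."""
    return [math.sqrt(sum(x * x for x in samples[i:i + size]) / size)
            for i in range(0, len(samples) - size + 1, size)]

def peak_to_median_db(samples, size=FRAME):
    """How far the loudest frame sits above the typical (median) frame, in dB."""
    levels = sorted(frame_rms(samples, size))
    median = levels[len(levels) // 2]
    return 20 * math.log10(levels[-1] / median)

def speech_stands_out(samples, max_db=6.0):
    """True when the 'big thing you're supposed to pay attention to' is trivially
    segmentable by level alone, the flaw the talk warns about."""
    return peak_to_median_db(samples) > max_db

def constructed_captcha(burst_amplitude, frames=20, burst_at=(9, 10), seed=1):
    """Constructed signal: a uniform noise bed with a tone burst in two frames."""
    rng = random.Random(seed)
    out = []
    for f in range(frames):
        for i in range(FRAME):
            sample = rng.uniform(-0.1, 0.1)          # constant noise floor
            if f in burst_at:                        # the "digit"
                sample += burst_amplitude * math.sin(2 * math.pi * 5 * i / FRAME)
            out.append(sample)
    return out

LOUD = constructed_captcha(1.0)     # burst ~20 dB above the noise: picked out by level alone
MASKED = constructed_captcha(0.1)   # burst sits near the noise floor

if __name__ == "__main__":
    for name, sig in (("loud", LOUD), ("masked", MASKED)):
        print(f"{name}: peak above median {peak_to_median_db(sig):.1f} dB,"
              f" stands out: {speech_stands_out(sig)}")
```

Level contrast is only the first of the talk's three complaints; the dot-plot repeat detection covers the second (saying the same things the same way), and neither check replaces listening tests with real users.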