...NMRC, which is probably most of you. My name is Weasel. I'm a member of the Nomad Mobile Research Centre; it's an international group of hackers. It's been around for, oh, seven, eight years, something like that. Yeah, and we've just, you know, had thousands of projects that we all worked on, and probably maybe one percent of them have actually been finished and made it to fruition. Hopefully we've got a few here that might impress a few people, if anything maybe inspire them to take them and do something useful with them instead of them just sitting on our file server.

Okay, I don't know, I'm not supposed to read these things. No, okay. These are a few quotes; feel free to read.

Let me go ahead and introduce a few of the members. Most of you know Simple Nomad; he started the group. He's, I think he's known for his goat porn. So he's there. Yeah, and Pandora. So if anybody has any support questions with Pandora, that's thegnome at NMRC.org. Anyway, next to him is jrandom. He's another long-term member, and probably his claim to fame is, I won't embarrass you, is he was the maintainer of the Hack FAQ for many years, and if we actually have time at the end of our presentation he'll go over kind of what's happened with that and why it's not as up-to-date as it probably should be, or if it even should be up to date. And then over there is Mad Hat. If there are any single ladies in the audience, he will buy you a car. So, you know, speak to him afterwards. He's the... I'll let you introduce your personal life. This is Mad Hat, and he's recently joined the group, and he's coming up with some really exciting projects. And that's who we are.

Okay, we'll go on to the "where" section and we'll see what tools we've been going over here. And this is yours. First off, a tool that I had worked on previously called ncrypt, and I talked about it previously at other conferences. I'm not going to go into a whole lot of detail on it.
It's a symmetric crypto tool. The one thing... and it also had some, like, you know, file wiping features that came with it, and it was kind of nice. It did AES and Serpent and Twofish, included in that. Todd MacDermid, who's contributed code to the project... I don't know if Todd is here. Is Todd MacDermid in the audience anywhere? I was gonna have him stand up. Anyway, he's contributed a lot of code to the project, and it's on SourceForge if you're looking for it.

But anyway, Todd wrote a drop-in replacement for rm called nrm, which does basically secure wiping of a file, where it does multiple passes, and it forks off into the background and kind of runs and does all the passes so you get your prompt back. And that's the main thing that we've added into that. The other thing is, believe it or not, we had a lot of people asking for integration of the ncrypt tool into scripts, where they actually, and this was requested, say, we want to be able to pass the password on the command line or from a text file, which is horrid. However, they're wanting to do it for encrypting log files before transmitting them from one machine to the other. I'm not exactly sure; I don't use that feature, but I had enough people ask for it, I put it in there, and it's in the man pages. This is highly dangerous, but nonetheless it's in there in case you want to assume that the box was broken into and make sure that those log files, you know, get across there in a secure fashion anyway.

Next, Mad Hat, why don't you go and talk about that?

All right, I'll take that as a yes. All right, so these are actually three different tools. I had a project where I had to scan a large number of IPs on a daily basis and figure out what exactly was changing, what was going on.
I love nmap and all the work that Fyodor's done on that. Unfortunately, it wasn't quite fast enough for what I needed. So I wrote the nmap wrapper, and what that does is it runs a bunch of nmap processes in parallel, stores all of it to flat files, right now using the grepable output. The other two tools work off of those databases. nmap-report basically allows you to go in and specify what you want to see: so show me all the hosts that are Windows, show me all the hosts that have [inaudible] open. nmap-diff allows you to specify two specific dates and gives you the diff on all the hosts or any particular hosts. The whole idea is being able to monitor large networks for changes. By default it only shows you new things that are added, but you can also show whenever things go away, you know, a whole new host that comes up. It just makes it a whole lot easier than, you know, trying to look at something that you only see a snapshot of once every week or something like that.

Oh yeah, so for this particular project I was scanning around a hundred and fifty thousand IPs a day, and I had it down to around ten hours to scan all hundred fifty thousand IPs, so I could have done it twice a day as necessary, from a single FreeBSD box sitting in a DMZ scanning hosts worldwide. This was not like a single location; this was boxes all around the world. I had to deal with network latencies, you know, and, well, the speed of light. So it came in extremely handy.

All right, so for those of you who were at Black Hat, we went over this at Black Hat. The idea is single packet authentication. This was really a project just to see if it could be done. I run the local DC group in Dallas, DC214. We started discussing, a year and a half or so ago, you know, after port knocking came out: is there a better way of doing this? You know, do we really need to send multiple packets?
Can we do it with a single packet and make it not replayable and make it, you know, secure, and actually do more than just open a port? You know, can we run commands? Can we do things like, say, a reverse shell? Do we have to have any ports actually listening? You know, so this is what we came up with. It's a simple protocol that allows a remote user to communicate with a system. There's nothing listening. It sniffs all the packets that are coming in. We use PGP or GPG to encrypt the data, and whenever you do that, if you just use raw encryption, eight bytes in there are four bytes that are the GPG ID of the key that can decrypt it. So basically we look for that; we see that, we pass it on to the processing engine. Of course it's free. Why not?

Well, and of course one of the issues we wanted to deal with was working across NAT, because we always hated, you know, having somebody call us up: "Hey, I need to be able to check my mail on such and such host." "Okay, what IP are you on?" "I'm on 192..." "No, no, no, no, no, what IP are you gonna be coming from?" "Well, it says 192." Oh Jesus. So they can send, you know, with the client they can send a single packet and it looks at the source address. It's okay, so we'll open it up for that IP, and then of course it monitors the traffic and after a certain timeout it'll automatically close the port. Working with the idea of doing a reverse shell.
So you send a single packet and it connects back to you. And then we can also have it to where, in our sample code, you can run arbitrary commands, and the commands are specified in the config file. So it's not like anybody who has access to it can run any command; you have a comma-separated list of the commands that are allowed to be run by that particular user.

This is a visual representation of basically how it works. So over on the left-hand side you have the client. It encrypts all the data, which includes, you know, an ID, session keys, timestamp, and then the command and control data for the application that was using the SPA protocol. It's encrypted and signed: you know, encrypted for security and signed for authenticity. And then it can be, you know, it's a data packet, so I mean it can be TCP, UDP, ICMP, anything like that. We've implemented TCP and UDP in our sample code. Then of course, you know, it encrypts it with the server's key. Server gets it, verifies that it's, you know, encrypted data, passes it on.

Kind of an idea of how it's laid out. I'm a Perl hacker, so the parts that I worked on are in Perl. The client right now, you know, can be on whatever host; sends the data. spad is basically a simple sniffer. Once it verifies, you know, what it's looking for, it sends it on to the SPA engine, which then calls GPG as necessary to decrypt, checks the user config to verify, you know, whatever they're asking to do can be done, and it also keeps track of firewall state. So if for some reason you have to restart the daemon, it's gonna know what ports were already open and still keep track and close them as necessary.

And a whole new one. And we will have time for questions.

All right, so at the job where I was mentioning, where I wrote the nmap tool, my primary responsibility was scanning and monitoring of large groups of hosts, web servers and Unix boxes. At the time whenever I first started on this particular project, there wasn't a lot out there to be able
to scan all those same IPs on a daily basis, you know, for basic misconfigurations, vulnerabilities, things such as that. So I started off writing a very simple HTTP scanner, and it kept growing and growing and growing. Works off the command line, or it has a web-based front end, you know, the same script, just depends on how you call it. The config is all in XML, so it's really easy to expand. Lots of command line options to specify exactly what you want to scan for, how you want to scan it. Runs a whole bunch of processes in parallel according to, you know, whatever your system can handle, so it's fairly quick.

I started adding in some other features, like FTP, to look for anonymous access, look for writable directories, things such as that. The SQL stuff was added because, you know, I happened to be working on parts of it whenever [inaudible] came around, so it was easy to add in other features. There was also some SMTP stuff. But it is extremely fast; that was the whole idea. You know, once again, I was scanning a large number of hosts, needed to get it done, you know, in a short amount of time. The way the output works, there are multiple outputs. You know, there's a verbose output that would actually tell you here's the vulnerability and here's the fix, and, you know, standard stuff for a scanner. But another thing was it was written so that I could export the data and import it into a database very easily. Also worked a whole lot of time on false positives. For anybody who's done any, you know, constant monitoring of hosts, the big thing is, oh look, there's an Apache vulnerability running on an IIS box. Yeah, that makes sense. So I spent a whole lot of time making sure that there were as few false positives as possible, looking for a whole bunch of different things, you know, looking for custom 404s, you know, things that are starting to become a little bit more common in scanners, but at the time... And of course, once again, it's free.

Hey, I'm gonna stand up here for a while. All right, so
here's another one, once again in Perl. This one, the idea is ICMP packets are sent out with a forged source address. The whole idea was, on the corporate network, we wanted to check to see if people had DSL lines or modems, you know, something, or even misconfigured network devices, so that things were being sent out the wrong direction. I wrote a small Perl module that allows for looping, so all of these actually use the same Perl module, so you can actually specify ranges of hosts in, you know, almost any format; makes it really easy to run. So what this does is it forges an ICMP echo request. The data contains the IP that it was supposed to be sent to as well as a signing key, which is using MD5 and a shared secret. The server sniffs those on that forged address. Whenever it comes in, it looks to see if the source, where the appliance was coming from, is the same as within the data portion. The nice thing about ICMP is whatever you send in the data portion, it sends back in the data portion. So it made it very easy to be able to do this.

So I was able to find DSL, you know, hooked up to a corporate network. You know, somebody had gotten a DSL line run to their desk. How, I don't know; I wasn't involved in that part. But basically their default route went out to, you know, SBC. So I'm sitting here spewing packets to the 192 space and all of a sudden I'm seeing data coming back from SBC, and that's not a good thing. And of course my favorite was the networking devices that had routes added for no apparent reason. Of course the networking guys denied that it was on purpose or anything like that. They got changed rather quickly after you find it. Once again: fast, simple, very specific problem to solve.

Okay, here's another contribution of mine. This is NPC, Nearly Perfect Crypto, and I'm so glad you're sitting right there in front of me. I really am. What this does is it's mainly meant as an academic tool, okay? I've got Mudge up here causing shit for me.
It really is meant as an academic tool, and I'll tell you why. I mean, there's a lot of people that don't understand how one-time pads work. What this is is an implementation of a one-time pad, okay? And the reason I say it's nearly perfect crypto is because it is perfect, except it is only as reliable as ISAAC, the pseudorandom number generator that I've got in there, and it is only as perfect as your key management, which is actually kind of the bad thing. So if I'm going to send, let's say, goat porn to Mudge, because it wouldn't be the first time, then what I would do is I say, hmm, well, this file is, you know, 30 meg in size, so then I need to generate a 30 meg key to make it happen. And then the trick is me getting that key to him and then us never, ever using that key ever again for anything, destroying the key after it's done. I mean, literally, if I put it on a CD and hand it to him and then we're done with it, we need to destroy the key, perhaps with that nrm file that I had previously, or we, you know, throw the CDs into a vat of acid or however you manage your paranoia with your CDs at home, however that happens.

Anyway, because you're doing something just like a one-time pad, it makes the crypto part, really, it's not very complicated, okay? You're just doing a simple XOR. So it is very fast, very simple. Like I said, if you can manage the key exchange, you're getting damn close to having pretty good crypto.

Anyway, so just to show you why this thing is so fast and secure, here's the main, and I have it in quotes there, "crypto loop", because it's hardly a little bit. If you look right down here toward the bottom... oh my God, I know why he showed up. You'll know in a minute. Where it says "wicked crypto", because we are XORing, okay, and you can see that massively intense one line of code there that just kicks so much ass.
All right, so anyway, we have this tool there to kind of play with, and I'll tell you the truth. The main reason, actually, truthfully, the main reason I wrote this tool is because there's a friend of mine who we would like to really, really have some deep, serious conversations with, and we were talking about, well, how in the world could we actually do this in a secure fashion? Well, okay, we have a smart ass up front who thinks he knows something. But nonetheless, we just kind of went over various scenarios and everything, so I've come up with this thing. By the way, this and all the tools, we're going to have a spot out there on the NMRC website. We'll put something up on the front page, hopefully I'll get it done tonight, and we'll have pointers to all the tools, all the presentations. Please, all questions at the end, please.

All right, and, oh well, you see now, it's time for Q&A now. This is the thing we're going to do for the Q&A, because this is kind of a dry kind of tool talk. All right, so what we're going to do, something different for the Q&A, is during the Q&A portion of this we're going to go ahead and spank audience members who want to be spanked. Now, the thing that we're going to do is, the first thing is, if you're coming up here... I mean, obviously there's no female members, although I think we may be able to recruit some females that we happen to know to come up here to help spank. Lily, come on up. So you're going to have a choice of, you know, not only being spanked by a guy, but you can be spanked by a chick. Okay. Now the thing is, if you want to be spanked, we do have a release form.
You do have to sign. If anyone has been reading Full Disclosure, we did post a link to the release form, so if you filled out one previously that you printed off and filled out, feel free to go ahead and bring it up. Let me get out the stuff that you're going to be spanked with; hold on just a second. All right, the first thing that we're going to spank people with is a ShmooCon... This is from the Shmoo Group. When I was at ShmooCon, all the speakers got these, because they handed out Shmoo balls to throw at speakers that weren't behaving well or being stupid or causing shit, so they gave the speaker something to fight back with. So we have a Shmoo Group paddle that you can be spanked with. You can also be spanked via a nice firm hand, okay? And the final thing to be spanked with is a copy of the third edition of Hacking Exposed. So, and just to show how it's going to work, I want to bring Mudge up here and spank him. Let's get Mudge up here. You guys should have seen the rehearsals.

I would have to look at the code specifically. I stole some code from Todd MacDermid, because we worked on entropy stuff. Part of it is we're using processor timing speeds and we're throwing in some... I forget the exact call. It's one where you're saying, slow down, I'm relinquishing the processor, and so I get a random time, and so that gives me, between that and some other stuff thrown in, you know, like the times and stuff. Okay, there you go. Okay, thank you.

Anyone else? Anyone else want to... Comments instead of questions. Yeah, go ahead, you got a comment. Two comments, go ahead. All right. Do you want to get spanked while you're giving your comments? Do you want... who do you want to spank you? Sign the release form. He signed it? Oh, okay.

So my first comment is, your single packet authentication thing, right, about using it, you know, behind a NAT so that you could, you know, open up a service and so forth. Aren't you opening,
I mean, you're opening up that service for everything behind that NAT and everyone behind that NAT. Isn't that kind of insecure?

Yes. Yes, of course.

Okay, yeah, just a comment on that.

Yeah. No, what this really is, it's not considered true authentication on there. All you're doing is you're opening up the port. Obviously you'd be opening up the port and then some other process...

So the tool's misnamed.

Okay. No, we are authenticating. You know, you actually are authenticating; you're saying, I am who I say I am, if you trust PGP. Okay, and then if you trust PGP and it says, okay, I've signed that key, then yes, I know who you are, so I will at least open up the port. Now you've got to go ahead and provide credentials to get access to the box. So consider it a layer.

Okay, so the second comment is your tool where you use spoofed ICMP in order to try to map network topology. The fact that your client has not implemented anti-spoofing measures on his network all the way down to layer 2, the fact that the tool is even allowed to work on the network, means that you need to recommend to your client that he implement the anti-spoofing technology so that your tool won't work, because it's best practice not to allow spoofed traffic to traverse your network or egress from it.

You're assuming this is for business. I think it's for any kind of IP. Don't forget, you come up here, spanking. Which did you want?

All right, next question, next question. We got to keep things moving. Come on, there's got to be more questions than this and there's got to be more people that just want... All right, who just wants to be spanked? Come on up, come on up, we're not shy. Who wants to... I see people, they're like looking and thinking about it. Come on, let's get some. I'm serious, I'm looking at people. Oh my God, we got people coming out. Yeah, yeah, come on.
All right, sign a release form, sign a release form and get your ass spanked. He's gonna read it first. There's checkboxes on there. Oh, like who you want to be... Yeah, like, I would like to be spanked by, check all that apply. Yeah, oh, we need a beer up here too, someone can bring... Hell, I'm back. A beer. Yes, he hasn't had anything to drink in three minutes, please. Also, if you... the names that you want to be called during the spanking, such as, you can check all that apply, like biatch, script kiddie, scene whore, Russ Cooper, a number of different ones. Oh, there we got a beer. You got a beer for you. Any other questions while we're at it, while we're getting some people ready to be spanked? This guy's already signed. Who do you want to spank you? All right, there we go. Who do you want to have spank you? You, what, me? What instrument? [inaudible]

Let's... I want to bring jrandom over here. He's talked about why the Hack FAQ hadn't been updated in ages. Basically it's all your fault.

So I think we were here maybe two years ago. Was that the last panel? Yeah, so two years ago I spent maybe a good few months taking the Hack FAQ as Nomad had left it, updating the HTML so it was all valid, updating all the URLs so they weren't broken, updating a good amount of the content so that it was relevant to today, you know, stuff that had been documented back then but wasn't known at the time. And so we basically came to people and said, we've done everything; all we need is your input. We need more questions, more frequently asked questions that we can get documented in the FAQ so we can improve the general knowledge in the community. And we just got spam. That's all we got: penis enlargements, credit card bills. So yeah, the FAQ is pretty much dead. We're gonna keep it online, but clearly no one's really interested in adding to it, and so we'll just keep it as a kind of historical record, I guess.

I think we're right back toward the end of the presentation.
I wanted to go ahead and actually finish up with a couple of specific announcements. Is the girl in the picture... Yes, she is wearing an NMRC t-shirt, and yes, I have the world's most understanding wife, because I actually paid for the model and paid for the photo session to get these pictures in particular just for DEF CON, and we will make sure that some of the artwork is available on the NMRC website so that you can use it for backgrounds on your computers.

Got a few shout outs in there. CAU, they're represented over here; there's some green guy, and if you see the green guy then you know that's CAU. They've been very supportive of us. Obviously all the DC214 people, because a lot of the talks and stuff that we give, we try them out on our local DC group's thing. Also Mad Hat's gonna be participating in the DC Groups panel that's on later this evening. Jon Callas, I saw at Black Hat; he had some ideas for SPA that actually were pretty good that we put in there, and a shout out to him. Of course the rest of the NMRC people that aren't here. Mike Rash, who is somewhere out here in the audience, there he is right there. fwknop, which actually was here last year, actually is very similar, and we've been talking, very similar to SPA, so we were talking with him and everything.

And I just want you guys to know that we're trying. We're going to be, actually, our first planning session for DEF CON 14 is going to take place later tonight, and we promise that we're going to have something really big and fantastic for you guys. We really appreciate all the support that you guys have given us over this wondrous time that we've been having, so, you know, really do appreciate all the support from everyone. We'll try to do our best to give back as much as we can to everyone here. So if we have nothing else, just want to say thanks. Oh, well, we have something over here. Yes. The rumors? Is what now?
There are, yes, of course, there are rumors that it's not going to be here at Alexis Park next year. I don't know, because there were those same rumors last year as well. I know there were rumors flowing around at ShmooCon, for example, that it might not be here this year, but in fact it was. So I don't know. I mean, you know, as much as I can I try to slide my tongue down the back of Jeff Moss's trousers, but he really doesn't tell me much in exchange for kissing his ass. So I don't know; take that up with Jeff. Actually, got another question. Okay, suggest this for the Hack FAQ. We'll take... Get on that right away. Okay.

No, and again, all the code and stuff that we're talking about, we will have links up to that stuff. I'll make sure that stuff gets put up tonight, and so you can pull it down, play with it, break it. A number of us have been writing code; we don't profess to be coders, okay? So if you come up with a fix, in fact, like for example SPA had a remotely exploitable heap overflow in it until I found that and corrected it, okay. But so anything you guys can do to help add to it, and if you come up with some better idea than what we've got, then that's even better, because that means, you know, we've inspired someone to come up with something that's actually been coded by real coders instead of just hacker types. Okay.

Oh yeah, and if you find any zero days in any of the code that we released, we recommend that you go ahead and turn it into iDefense, because they need the help. Okay, they really do. All right, so that's it. We will see you guys next year and at cons in between. So thanks a lot.
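The nmap-diff idea Mad Hat describes earlier in the talk (store each day's scan as nmap grepable output, then compare two dates and report hosts and open ports that appeared, and optionally those that went away) is illustrated below in Python. This is an added example, not NMRC's tool and not code from the talk; it assumes the standard `-oG` line layout (`Host: <ip> ()<TAB>Ports: <port>/<state>/<proto>//<service>///...`), and the two snapshots it diffs are constructed sample data, not real scan results.

```python
"""Diff two nmap grepable (-oG) snapshots to surface network changes.

Added example (not the NMRC nmap-diff tool). The snapshots below are
constructed sample data: "day 1" and "day 2" of a monitored /24.
"""
import re
from typing import Dict, List, Set, Tuple

OpenPorts = Set[Tuple[int, str]]          # {(port, proto), ...}
Snapshot = Dict[str, OpenPorts]            # ip -> open ports

# Constructed sample: day 1. Host .2 has 110 closed; host .3 serves HTTPS.
SNAPSHOT_DAY1 = """\
# Nmap scan initiated (constructed sample, day 1)
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 25/open/tcp//smtp///, 110/closed/tcp//pop3///\tIgnored State: closed (998)
Host: 10.0.0.3 ()\tStatus: Up
Host: 10.0.0.3 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (999)
# Nmap done (constructed sample)
"""

# Constructed sample: day 2. .1 dropped 80 and grew 3389, .2 opened 110,
# .3 disappeared entirely, and a brand-new host .4 showed up with FTP.
SNAPSHOT_DAY2 = """\
# Nmap scan initiated (constructed sample, day 2)
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh///, 3389/open/tcp//ms-term-serv///\tIgnored State: closed (998)
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 25/open/tcp//smtp///, 110/open/tcp//pop3///\tIgnored State: closed (998)
Host: 10.0.0.4 ()\tStatus: Up
Host: 10.0.0.4 ()\tPorts: 21/open/tcp//ftp///\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_grepable(text: str) -> Snapshot:
    """Return {ip: {(port, proto)}} for every open port in an -oG dump."""
    hosts: Snapshot = {}
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue                          # comments and trailer lines
        ip = match.group(1)
        hosts.setdefault(ip, set())           # a host with no open ports still counts as seen
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 3:
                    continue
                port, state, proto = parts[0], parts[1], parts[2]
                if state == "open":           # closed/filtered entries are not exposure
                    hosts[ip].add((int(port), proto))
    return hosts


def diff_snapshots(old: Snapshot, new: Snapshot) -> dict:
    """Compute hosts/ports that appeared and disappeared between two snapshots."""
    new_ports: Dict[str, List[Tuple[int, str]]] = {}
    gone_ports: Dict[str, List[Tuple[int, str]]] = {}
    for ip in sorted(set(old) & set(new)):    # sorted so report order is stable
        added, removed = new[ip] - old[ip], old[ip] - new[ip]
        if added:
            new_ports[ip] = sorted(added)
        if removed:
            gone_ports[ip] = sorted(removed)
    return {
        "new_hosts": sorted(set(new) - set(old)),
        "gone_hosts": sorted(set(old) - set(new)),
        "new_ports": new_ports,
        "gone_ports": gone_ports,
    }


def format_report(diff: dict, show_removed: bool = False) -> str:
    """Additions only by default, like the talk's tool; removals on request."""
    lines = [f"NEW HOST   {ip}" for ip in diff["new_hosts"]]
    for ip, ports in diff["new_ports"].items():
        lines += [f"NEW PORT   {ip} {port}/{proto}" for port, proto in ports]
    if show_removed:
        lines += [f"GONE HOST  {ip}" for ip in diff["gone_hosts"]]
        for ip, ports in diff["gone_ports"].items():
            lines += [f"GONE PORT  {ip} {port}/{proto}" for port, proto in ports]
    return "\n".join(lines)


if __name__ == "__main__":
    delta = diff_snapshots(parse_grepable(SNAPSHOT_DAY1), parse_grepable(SNAPSHOT_DAY2))
    print(format_report(delta, show_removed=True))
```

Only `open` entries are kept, so a port flipping from `closed` to `open` (host .2 above) is reported as a new exposure rather than lost in the noise; a host that answered yesterday and is absent today only shows up with `show_removed=True`, which matches the default-to-additions behaviour described in the talk.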