I think that's for real this time. Can anybody hear me? Okay. Thank you for coming. Good afternoon. I'm Wes Brown and this is Scott Dunlop, my partner, and we both do security research as an interest. Previously we worked in the security industry as penetration testers, doing security assessment and application assessment and all that.

What is Mosquito? Mosquito is a lightweight framework to deploy and run code remotely and securely, in the context of a penetration test. It makes a best effort to ensure that the communication is secure. Special care is taken to ensure that the deployed code is not stored outside of process memory space. It protects the confidentiality and trade secrets of code that is deployed and run on a target; this could be an exploit or a methodology.

From past experience working with our proprietary zero-days, I have hesitated to puddle-jump using the exploit, because I'm afraid of losing control of the exploit: that somebody could be eavesdropping, or somebody could be watching the file system for the exploit, and I cannot ensure that they can't do file recovery on the disk. But this way we can ensure that the exploit only remains in memory, in the process space. At no time is the exploit written to disk, unless you swap. That's one case we can't really control, if you force a swap.

I have discussed the why. Often it is desirable to leverage zero-day code, but doing so in an uncontrolled fashion can have repercussions. Many practices have trade secrets and methodologies distilled in the form of exploit code that they would like to keep out of a target's hands. Also very important to me: one problem I've had with many exploits is that they transmit data and control information in the clear. If I transmit the control and data in the clear, I am in danger. I'm using netcat and all that is great, but you're sending your confidential data over a clear-text connection. So that's one problem
I'm hoping to resolve.

Well, here we have a technical overview. We have written proof-of-concept code to prove that this idea works. The interpreter is Lua; many of you may know Lua as an extension language for games like World of Warcraft. We use an asymmetric cipher called RSA, which, as all of you know, is used for the initial handshaking between the client and server, and it's a computationally really expensive operation. So once handshaking is done, we move to a symmetric cipher called ISAAC, where we trade symmetric keys and then the drone and console communicate with that symmetric cipher. Another component is entropy generation. Cryptography is worthless without good entropy; we rely on a good pseudo-random number generator. As you may have figured out, we use a console/drone model. And one big plus is that this code is extremely portable. We have personally tested and built on Win32, OpenBSD for Intel 386, and Darwin. By testing on Darwin (Mac OS X) we have resolved any endian issues: byte-order endian issues between 32-bit, 64-bit, or RISC and CISC system platforms.

Why did we pick Lua? It is a lightweight and powerful procedural language, and it's easily extensible with bindings; we have created bindings for RSA and OpenSSL. It's bytecode compiled, which is a plus when you're trying to deploy code. It's highly portable: it's written in straight ANSI C, and it has run on Palm Pilots without any changes. It is easy to learn; it takes about one hour to learn if you already know a procedural language.

Moving on, we need to talk about the asymmetric cipher. As I've said before, the asymmetric cipher is used for initial negotiation and handshaking of a secure channel. We picked RSA because it is well known in the cryptographic community. While it has weaknesses, these weaknesses are known, and that is more important to us than trying out some new cipher. We investigated elliptic curve cryptography and we might enable that, but RSA is a known quantity. We use 4096-bit keys for the handshaking.
It's very unlikely that you will crack it.

The symmetric cipher: we ran into issues when we were looking for a symmetric cipher, because many of them had patent problems, or implementation or copyright problems. But we found one that we like, and it's ISAAC. It's a symmetric cipher used for console and drone communication, the actual communication itself, once the symmetric keys are exchanged. The stream cipher works one byte at a time; it is very fast and very safe. And one of the nice things is that we can use a large key, 1024 bits, because ISAAC does not penalize you for scaling the key. We could use a 16K key or a 32K key and it would make no difference to computational performance.

Now, with all of the good, we would be remiss as security researchers if we didn't talk about the bad things about our proof of concept, and that is entropy generation. It is essential to cryptographic security. The problem is that it uses OS facilities for entropy. The pseudo-random number generators in many operating systems are not very good at all. On Unix machines we use /dev/urandom. How good it is depends on the Unix derivative; OpenBSD, not surprisingly, is very good. We use Windows too, and Windows 2000 and XP have very good cryptographic libraries. Because we use the OS facilities, this is a possible avenue of attack; we will probably investigate this in more detail. The cryptographic library we were using, libtomcrypt, has some entropy generation functions, but they are too slow: when we tested it, it took two minutes to generate entropy.

Mosquito is divided into several components.
We've got the core, which provides the basic functionality required by drone and console. The drone provides a remote process that contacts the console and can execute scripts and commands that the console sends to it over the secure channel. The console provides a local process that controls the deployed drone. One of the neat features that we put in Mosquito was transport; it's an abstracted way to connect the drone and the console. I'll talk about that more in a bit.

Let's talk about core. Core is really nothing more than an augmented Lua interpreter. It's extended with the following functionality: we have RSA encryption functions, ISAAC encryption functions, networking functions, entropy gathering functions, and structured buffer functions.

The drone is the Mosquito component that is deployed on the target machine. It integrates the core with drone-only functionality, meaning it's a superset of the core. It executes Lua code sent over the secure communication channel, and Lua code sent by the console is stored only in process memory; it is not stored on disk.

The console is the Mosquito component that provides a local process that controls the deployed drone. It integrates the core with console-only functionality.
It's a superset of the core. It uploads code to the drone over the secure communication channel, and, even neater, the user can also interact with the drone in real time. We can interact with the Lua interpreter remotely, so you can do debugging and you can write code on the fly on the drone.

Transport is abstract functionality for the console and the drone to communicate with each other. It transparently negotiates a communication channel between the drone and console and provides read and write methods. And it's really neat because we can do different transport methods for different channels. We have TCP transport, which is implemented as the default, but we have skeleton code to implement DNS transport, ICMP transport, UDP transport, and HTTP transport. So if you can send HTTP in past the firewall but you can only go out by ICMP, you can do that: you can send a message by HTTP and go out by ICMP, or you can mix and match however you want.

Affiliation is handshaking. It is the process of identifying endpoints as valid to each other, that they are who they say they are, and establishing a pathway to each other. So unless somebody gets a hold of a drone, it's very hard to intercept. And during the handshaking they are exchanging symmetric keys for ISAAC.

This is the outline of the flow of console affiliation. When console affiliation begins, it starts and waits for the drone to contact it. We actually have a timeout feature, because we don't want it to go on for too long, or other people may intercept the drone and modify it and then do whatever evil things they want to do with it. So we will have maybe a one-minute timeout or a 30-second timeout. When the drone's secret matches, the console generates the key to send to the drone, and that's the key the drone is going to use to send to the console, and then we go to console operation mode. Drone mode is a little more simple.
It generates the key. It sends its handshake to the console, and in that affiliation it sends the key and then awaits the response from the console. If it times out, it pops; it's gone. And if the console secret matches, then it enters operation mode, where the console can send Lua commands to the drone.

One of the neatest things about Mosquito is the build environment. The virtual machine is statically linked for easy deployment; the point is to ensure that all libraries needed to function are available. Glue is a Lua script. It takes a stub with the binary C code: the functions for the virtual machine, the interpreter, the socket library, the cryptography library. Then it will attach the script in bytecode form to the end of the executable, and when the executable runs it will go through the bytecode, and then you have all the functions defined in the payload. So there are two ways to get code into the drone. One is to embed it in the drone, and the other is to send it over the network. So the library functions that you're not concerned about, you can put in the drone itself and have them available for all penetration tests; and then you can have the exploit functions separate from the library code.

Now, we have some ways to attack Mosquito. We have introspective debugging: if somebody is sitting on the machine with SoftICE,
there's not much we can do about it. I've discussed the entropy attacks. And if you are fast enough, you can modify the drone binary itself before it's invoked, but you have to be very, very quick, because the interval between the drone being deployed and being invoked is very short, two to three or four seconds at most. And of course there could always be attacks of types we don't know about.

There are some neat uses of the framework as it is. We can port exploits into Lua for secure deployment on the target. It is easily extensible if additional cryptographic methods or transports are wanted. We can write port scan code, we can write SMB scan code, and deploy it on the drone. So if you deploy the drone, you have all your exploit code, all your functionality, there. It will also simplify the deployment of audit tools if you have one VM for all the platforms to attack; all the dependencies are included with the drone. When we deploy a drone, we have functions that will detect the target architecture and look in the stub library of executables. We have a Win32 executable,
we have a Darwin executable, and then we have an OpenBSD executable. It would detect that, take the stub, latch on all the Lua library code you want, and on the fly stream it to be deployed. That's one of the neat things we can use Glue for, because Glue is not only a script, it's also a library function in Mosquito.

We have future ideas. One thing we'd need is an integrated high-speed packet sniffer and generator in the drone; that'd be great for port scanning or for listening to traffic and interpreting the traffic. One thing that we wanted to do but weren't able to do was drone-to-drone relay. You've got the console, you've got a drone, and then you've got another drone, and the communication is relayed through the drones as many times as you want. But at no time do any of the drones in between know what's happening at the endpoint drone, because we've got nested encryption: when you've got the endpoint drone sending something, it's got its own key that only the console knows; it's passed on and encrypted again, and encrypted again. Remember I said ISAAC has no penalty, so you can nest it as many times as you want. And we would like to do further refinement of the automated configuration of drone/console pairs, and consoles that can manage multiple drones; right now we can only manage one drone.

Who are we? I'm Wes Brown, security consultant and security researcher, and Scott Dunlop is a software engineer and security researcher. He's more of a software engineer while I'm more of a consultant type. We are available and actively seeking work. Wes is particularly interested in full-time employment as a security researcher. We have a website, ephemeralsecurity.com, if you want more information. Got any questions?
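The two cryptographic ideas the talk leans on, ISAAC as the symmetric cipher for the console/drone link and nested (onion) encryption for the proposed drone-to-drone relay, as an added example in Python. This is not Mosquito's own code and not the Lua bindings the speakers describe: it is Bob Jenkins' ISAAC algorithm (as in his reference rand.c) re-implemented here, with two assumptions of this example rather than the talk: how a raw key is packed into ISAAC's 256-word seed, and the framing of the relay. All keys and the Lua snippet are constructed for illustration.

```python
# Added example, not Mosquito's own code: Bob Jenkins' ISAAC stream cipher in
# pure Python, plus the nested "onion" encryption the talk sketches for
# drone-to-drone relay. Assumptions (not from the talk): key packing into the
# seed array, and the relay framing. Keys and the Lua command are constructed.
MASK = 0xFFFFFFFF

def _mix(s):
    """Jenkins' seed-mixing step on eight 32-bit words (randinit's mix())."""
    a, b, c, d, e, f, g, h = s
    a ^= (b << 11) & MASK; d = (d + a) & MASK; b = (b + c) & MASK
    b ^= c >> 2;           e = (e + b) & MASK; c = (c + d) & MASK
    c ^= (d << 8) & MASK;  f = (f + c) & MASK; d = (d + e) & MASK
    d ^= e >> 16;          g = (g + d) & MASK; e = (e + f) & MASK
    e ^= (f << 10) & MASK; h = (h + e) & MASK; f = (f + g) & MASK
    f ^= g >> 4;           a = (a + f) & MASK; g = (g + h) & MASK
    g ^= (h << 8) & MASK;  b = (b + g) & MASK; h = (h + a) & MASK
    h ^= a >> 9;           c = (c + h) & MASK; a = (a + b) & MASK
    return [a, b, c, d, e, f, g, h]

class ISAAC:
    """ISAAC keystream generator. Keep one instance per direction per link:
    a stream cipher's keystream must never be reused, so sender and receiver
    each hold a twin instance and advance them in lockstep."""

    def __init__(self, key: bytes):
        if not key:
            raise ValueError("empty key")
        # Assumption: key bytes are packed little-endian into the 256-word seed
        # (randrsl). Up to 1024 bytes (8192 bits) fit directly; longer keys are
        # XOR-folded. Seeding cost is fixed regardless of key length, which is
        # why a bigger key costs nothing at run time.
        seed = [0] * 256
        for i, byte in enumerate(key):
            seed[(i >> 2) & 255] ^= byte << (8 * (i & 3))
        self.mm = [0] * 256
        self.a = self.b = self.c = 0
        s = [0x9E3779B9] * 8                       # golden ratio constant
        for _ in range(4):
            s = _mix(s)
        for i in range(0, 256, 8):                 # pass 1: fold the seed in
            s = _mix([(s[j] + seed[i + j]) & MASK for j in range(8)])
            self.mm[i:i + 8] = s
        for i in range(0, 256, 8):                 # pass 2: fold the state in
            s = _mix([(s[j] + self.mm[i + j]) & MASK for j in range(8)])
            self.mm[i:i + 8] = s
        self.rsl = [0] * 256
        self._isaac()                              # first 256 output words

    def _isaac(self):
        """Produce the next 256 keystream words into self.rsl (isaac())."""
        mm, rsl = self.mm, self.rsl
        a, b = self.a, self.b
        self.c = (self.c + 1) & MASK
        b = (b + self.c) & MASK
        for i in range(256):
            x = mm[i]
            r = i & 3
            if r == 0:   a ^= (a << 13) & MASK
            elif r == 1: a ^= a >> 6
            elif r == 2: a ^= (a << 2) & MASK
            else:        a ^= a >> 16
            a = (a + mm[(i + 128) & 255]) & MASK
            y = (mm[(x >> 2) & 255] + a + b) & MASK
            mm[i] = y
            b = (mm[(y >> 10) & 255] + x) & MASK
            rsl[i] = b
        self.a, self.b = a, b
        self.cnt = 256

    def keystream(self, n: int) -> bytes:
        """Next n keystream bytes; words are consumed from index 255 downward
        like rand.c's rand() macro. Leftover bytes of the last word are
        dropped on both sides, so twins stay in sync."""
        out = bytearray()
        while len(out) < n:
            if self.cnt == 0:
                self._isaac()
            self.cnt -= 1
            out += self.rsl[self.cnt].to_bytes(4, "little")
        return bytes(out[:n])

    def xor(self, data: bytes) -> bytes:
        """Encrypt or decrypt (same operation) one message, advancing state."""
        return bytes(d ^ k for d, k in zip(data, self.keystream(len(data))))

def relay_wrap(console_links, payload: bytes) -> bytes:
    """Console side of the relay. console_links[i] is the console's sending
    cipher for hop i, the last being the endpoint drone. The endpoint's layer
    goes on first, so each relay drone peels only its own layer and forwards
    ciphertext it cannot read."""
    data = payload
    for link in reversed(console_links):
        data = link.xor(data)
    return data

def demo_relay():
    """Constructed scenario: console -> drone A (relay) -> drone B (endpoint)."""
    key_a = bytes(range(1, 129))            # constructed 1024-bit key for A
    key_b = bytes(range(200, 256)) * 4      # constructed 1792-bit key for B
    lua = b'print(os.getenv("HOSTNAME"))'  # constructed Lua command for B
    console = [ISAAC(key_a), ISAAC(key_b)]  # console's twin of each link
    drone_a, drone_b = ISAAC(key_a), ISAAC(key_b)
    wire = relay_wrap(console, lua)
    at_a = drone_a.xor(wire)   # A's layer gone; still ciphertext under key_b
    at_b = drone_b.xor(at_a)   # B recovers the Lua
    return {"wire": wire, "at_a": at_a, "at_b": at_b, "lua": lua}

if __name__ == "__main__":
    r = demo_relay()
    print("relay drone A sees :", r["at_a"].hex())
    print("endpoint drone B runs:", r["at_b"].decode())
```

Two caveats a practitioner should keep in mind with this construction. First, because every layer is an XOR keystream, the layers commute: the peeling order is cosmetic, and what actually protects the endpoint's command from a relay drone is simply that the relay never holds the endpoint's key. Second, a stream cipher alone gives confidentiality but no integrity; a relay drone (or anyone on the path) can flip bits in the inner ciphertext undetected, so a real relay needs a MAC or authenticated encryption on each layer in addition to the key exchange the talk describes.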
As of tomorrow, we will be putting the entire framework code, the source for it, under the BSD license; feel free to do whatever you want with it. Scott will be taking the questions because I'm deaf and I can't hear the audience, and we didn't bring binoculars so I can lip-read.

Yes, the 0.2 footprint was about 160K; we hadn't done any optimizations with the C compiler flags. We were hoping to target about 80 to 90K, but we're encountering some problems with the fact that we have to bundle most of our dependencies with the actual drone. We're not making any assumptions about the availability of things; we're just assuming the standard C library, and in the case of Win32, you know, the standard DLLs. The current 0.3 is a little bit heftier because we put in libtomcrypt, and libtomcrypt is very easy to strip down; we just haven't had a chance to do it.

We are supplying a general-purpose socket library called LuaSocket. It's not quite performing up to the standard that we'd like, but the goal was to provide the ability to do further network penetration and auditing from the drone. Very often in an audit you have the situation where you've managed to breach an edge system and you need to get deeper in, now that you're past the firewall, and to see where you can go once you're in past the bastion. That was kind of the purpose of the drone.

We certainly kicked around the idea of abusing some of the DRM APIs in Windows XP. Unfortunately, most Unixes don't provide these. OpenBSD does provide some functionality for preventing writing into swap space. But that is one of our more major vulnerabilities: the possibility of later analysis of the swap file.

Unfortunately, I don't have a console running on Win32; I haven't linked one. I've got the Macs, but they're not cooperating with the projector today. It's very embarrassing.
Oh, I'm sorry, yes. We are relying on libtomcrypt, which is fairly simple and is configurable and can be stripped down, and of course Lua, as you mentioned. Our only other major dependencies have been just Lua extensions, the stuff that we've added in: the structured buffer and everything else, which are actually pretty simple.

If there are buffer overruns, and if there are buffer overruns in Lua, there is a problem. However, the way the construction works: once the drone has been deployed, there's a fixed window, which is configurable, of how long the drone has to contact the console. The first one to contact and correctly complete affiliation within that window basically gets the connection. After that we drop the listen socket, and basically we just run with one transport until it dies. So buffer overrun exposure is pretty minimal. As you mentioned, there's always the possibility of someone trying to respond before the affiliation goes through, but unless there's some kind of very specialized IDS, I don't see that happening.

Yeah, we will be investigating how to deploy this via shellcode, and if we can do this, then we would have no drone binary at all to intercept; you'd be in the process memory of whatever program we overflowed.

Any other questions? You've got to cover for us for a while, since we don't have a demo. Well, you're always free to email the questions to the address over there, and of course the code itself will be available for your inspection tomorrow on SourceForge; we will deploy it there. Well, once you put something on SourceForge, barring intervention by lawyers, it's there pretty much permanently. I think their policies are pretty strict about not taking something back out of the public domain once you put it there.
So once it's there, it's there.

Yes, it really depends on public interest. I don't have an active use for Mosquito; Wes does. It was basically my entertainment here, just getting it out in the open, and basically I wanted to see what everybody thought of the idea and the actual algorithm. For Wes, of course, it's a more usable tool because it's more in his line. Are you put alone for the laptop