I see the love from DC757. Thanks, guys. Hey, I'm Squidley One. I'm going to be giving a presentation on thinking outside of the console. Basically, I'm going to be talking about game systems and how those game systems can be used to leverage access, or at least get that initial toehold into a network, a real network.

So there we go. The first little bit, I wanted to actually send out a little bit of information. If people were interested, yesterday I was wearing a Haxler Red t-shirt, and you can see Mark G, or I'm sorry, G Mark, over at Hacker Jeopardy about that. It's for a good cause. Also, please check out savedarfor.org. It's still a problem over there. Read up on it and see if you can help out.

And now for me. All me. All right, who am I? Basically, I'm still a computer network defense team lead for the United States Navy, first class petty officer. Unfortunately, I definitely don't work with these toys at work. I really wish that was something I could do. I was a former red team leader. Basically got a get-out-of-jail-free card to do bad things. And it was nice. It was fun. I'm an independent security researcher, software engineering student, wireless explorer, heavy gamer. Not great, but at least I have fun. A fervent geek, and I'm also a member of DC757 and the Sploitcast podcast group. Cyber Eagle.

All right. Why am I talking about this? With my background in red team, I was kind of curious about covert testing. What is covert testing? If it's used legally, it's used by legitimate vulnerability assessment firms and red teams in order to better help companies and organizations learn how to protect themselves. The focus of this testing is to find methods to help said entity identify possible intrusions, faulty equipment, software, bad security processes, blah, blah, blah, blah, blah. All right. You have that, basically. That's the best you're going to get as far as covert testing in the most legal sense.
Next, you have it's used by companies and governments in order to serve their own gain, and not necessarily on themselves, it's on others. Corporate espionage is my angle for that. Oops. All right. In February of 2004, the Department of Justice pulled the covers off of a previously sealed case of corporate espionage by a former DuPont scientist who stole $400 million in intellectual property from his employer. On 20 April, The Register reported that a UK-based organization lost a lot. This is corporate espionage. It is every day. It occurs all the time and through various means. So that's kind of the angle I'm going for.

All right. And then you've got us. Basically we have no allegiance, no political motive, no fiscal gain. We're just looking and passing through. Okay. Thanks. Bye. Have fun. The true hacker. Have fun.

All right. Am I high? I don't think so. Well, I don't think so. You'll probably judge me as so later on, but hopefully not. Not literally. Not literally. No p-test after I'm going back to work. Anyway, basically what happened was I had an awakening. Count, who's in the audience right now, had a modified Xbox. I thought that was hot. I wanted one. Excellent. So what did I do? Well, I talked to him. He had a modded one. It had a mod chip in it. And I saw all the goodies that he could do with it. About two weeks later, I found somebody who had a nice little article online, how to soft mod your Xbox. You didn't have to pull that thing open at all. He just ran a save game off of a couple of different games: James Bond 007: Agent Under Fire, and MechWarrior. Thank you. And I think there was one more. Splinter Cell. Excellent. Splinter Cell. God bless Microsoft. Exactly. It's amazing what you can do with that tiny amount of data, how you can defeat an entire game system. But anyway, I won't go there. I won't dwell. Others have dwelled much more technically on it, and they've done a much better job.
I think it was Damke, Frank Damke, over at the Chaos Computer Club Congress. The last two years he has just torn that apart. He's done an outstanding job. I highly suggest that you go out and find those archives, download those talks, and watch. It's awesome.

Anyway, so I realized, wow, just doing that, I can now load Linux on there. I can do whatever I want to this little system. Wow, this little system's a little computer. Shit. That's amazing. So that was the first thing. And then, prior to 2002, there was very little going on as far as console hacking. That's definitely changed. Since then, the game industry, and this is talking about the hardware itself, has moved towards using even more powerful main processors and GPUs in order to both satisfy and build up gamer desires for the next best thing. I'm there with you. I'm there with you. We'll be talking about the Cell processors a little bit later. Anyway, let's see. Now we have true computers with the ability to network, and you're playing games on them, basically. After you've modified them, you can share, you can probe, you can perform vulnerability scans, you can find your network, you can get on a network, and oh my god, do all sorts of other stuff.

All right. This is a little bit of food for thought. I pretty much took a look at sixth and seventh generation game systems. The sixth and seventh generations are an arbitrary thing that was put on the game systems. You can go to Wikipedia and find this out, like you can trust everything you read on Wikipedia, but this is actually true. Sixth generation systems came out, I want to say, what was it, 2003 and 2004? I'm sorry, 2002 and 2003. And then seventh generation systems we've seen in the last year and a half to two years. That was the delineator, what year they were made, not necessarily how powerful they are. And then we have got handheld systems, which you can put on your person anywhere that you feel comfortable putting them. No goat's ears were harmed.
And then we've got ubiquitous online connectivity, and many thanks to Panera and Starbucks and all those truck stops that I stayed at. Starbucks, I'm sorry, yeah. I'm not giving out advertisement. And then we've got the thought, but it's just a video game console. What can it do? Oh my God, there's a video game console on my network. What the?

All right, my goals, now that I've gone through that. My goals are to cover the three key features for a covert tester, what they look for in penetration hardware and why game consoles may fit that bill. Look at available homebrew applications on various game systems, especially those that expand system usage and functionality. Show how a couple of game systems can be used to infiltrate your network and collect data, or collect data, I should say. Suggest things that you can do to mitigate this threat. It actually is exceedingly simple to defeat everything I'm going to show you today. And then we have open discussion on what the future holds for these systems, and that's probably going to flow on to the Q&A session because I may actually kind of go over, and I apologize for that ahead of time. If anybody actually wants to carry on this conversation and they cannot stick around, like they've got a party to go to, because I know everybody's got a party to go to tonight, you can contact me at game consoles, with a Z at the end, at gmail.com, and I will definitely get back to you, especially if you've got something that contradicts anything that I've got up here. I definitely want to hear that.

All right, the three important things, or what is important to a covert tester. Power: you've got your potential. Programmability: that improves your flexibility. What can this device do? What can I make it do? And then you have concealment, which is basically plausible deniability. I don't have anything scanning your network on me. Pat me down, please. I don't have any memory modules. Actually, let me show you this.
For those who have not actually seen one of these, and I would kind of be shocked that there's a lot of you that haven't, we now have the microSD chips, which are smaller than my thumbnail and about three hairbreadths width. I mean, wide. This is one gigabyte. You can get two gigabytes, and larger shortly. Pat me down, please, because you won't find that at all.

All right, primary platforms that I actually looked at in coming up with this presentation. There's actually two slides to this: the Sony PlayStation 2, Microsoft Xbox, the original, Nintendo GameCube, the Game Boy Advance SP, the Nintendo Wii, and those are all counted as, well, technically, the Wii has, when I was first looking into this, there was a debate whether to keep the sixth and seventh generation separate, because we have the Wii and it's considered seventh generation, but it's definitely sixth generation type hardware. It's an outstanding system, and I try to be fairly system agnostic. I have all these game systems, so I love them to death, so I don't want to hear any, get any flames from any fanboys from any particular groups. Please, please. All right, then we've got the PlayStation 3, the PlayStation Portable, which I was carrying on my person, the Xbox 360, Nintendo Wii, which by at least the date standards is a seventh generation system, and we have the Nintendo DS and DS Lite, and all the systems that I own. I ran out, I got lucky. Around Christmas time, I got a PlayStation 2, sold the other one, and I had a bunch of PS3's, sold those, a couple of them, so I could afford the PS3, and got lucky. Third time camping out overnight, got a Wii. Yay.

All right, hardware and potential. Or geek porn. So feast your eyes. Exactly. All right, under the hood of an Xbox, the old Xbox, you have a 733 megahertz custom P3, you have 64 megs of DDR SDRAM.
Now, both of those can be updated if you want to do a little bit of soldering and you have a lot of patience, or you have a little bit of money and you want to send it out. It could be bumped up to a 1.4 gig Celeron, or 128 megs of RAM. That's all you get, but you can do quite a bit with even that. The GPU, I just list these bits down for your edification. It has a 10/100 Ethernet port, proprietary USB ports, DVD optical drive. Generally came with either a 6 or an 8 gig hard drive, depending on how old the system was, and it has a proprietary memory cartridge port.

Add-ons. That's why I pretty much went over. I'm sorry, it's a 1.3 gig Celeron, 128 meg RAM. You could actually get an adapter to actually connect yourself wirelessly to a B or G network. You could add extra hard drives, one extra hard drive, and actually still have your optical drive connected. And the maximum that I found that was practical was 320 gigs. However, yes, you can do 500. I was going to mention that. There's actually a good website, and I have it in the notes on these slides that you can go to. There's hundreds of people that have tried out various hardware, I'm sorry, various hard drives, and they reported which ones worked and which ones worked under which circumstances and things like that, so you don't blow your money trying it and then failing repeatedly, because it is very frustrating. That same site also tracks PS2 hard drive sizes. It's xspec.com, so XTAC, SPEC, I think it is. But again, check the notes. It's definitely there. And then you can, of course, attach a USB keyboard and mouse, and then the Linux fanboys went, yay.

All right. Xbox 360, under the hood, you now have a PowerPC with three symmetrical cores, each one running at 3.2 gigs. You have 512 megs of RAM. And I've got sitting here a 500 megahertz Xenos custom ATI GPU. Everything that I've read about the 360, people are screaming over that GPU.
And in fact, there's a lot of heated debate between the fanboys for the 360 and the fanboys for the PS3. And the PS3 says, well, we got the Cell processor and we kick ass. And then we've got the 360 guys who said, but if we unlock the GPU and we were able to do the Folding@home stuff that you PS3 geeks do, we kick your ass. So, exactly. So until it really happens, we're just going to point fingers and kick ass. And I've got both systems. So it's an interesting internal battle that I have. You have built into it a 10/100 Ethernet, USB ports, DVD optical drive, a 10, or now much larger, 120 gig hard drive. They're talking about putting out a much larger one sometime soon. And that's all vaporware, of course. And then you have a proprietary memory cartridge port.

Your add-ons. You can upgrade the hard drive to 120 gigs right now. Throw $180 at somebody and you'll get it. You can get a wireless G adapter, a camera for those intimate moments that you want to show everybody on Uno. Please don't do that, because I've been caught twice watching people do nasty stuff and I didn't like it. I can thank J0757 for getting one of those guys taken care of. Anyway, sorry, I'm not here to bitch. And then you've got a USB keyboard and mouse, and the Linux guys go yay, but it doesn't work for us yet. We're close but not there.

And the PlayStation 2. You have under the hood a Toshiba 300 megahertz R5900 MIPS IV processor, 32 megs of Direct Rambus RAM, 150 megahertz GPU, USB Wi-Fi, I'm sorry, not Wi-Fi, USB, FireWire, an optical drive, and you're able to read a bunch of different types of memory. No. It does not. Yeah, if you go out and you actually have an intent to actually do something funky with your PS2, get the fat one. There's some people that are trying to deliver items with the slim version, but it hasn't hit the market yet. And until I actually see something, I won't believe it. The opinion in the audience was, it's a piece of shit. In case you didn't catch that.
All right. Add-ons. Now, I don't know, I was pretty amazed. I heard about this a while ago. There were 70 PS2s that were all chained together, and I'm trying to remember which university did that, but I didn't put it in my notes. Bad presenter. But they were able to actually get surprising numbers off of that Beowulf cluster, and it didn't cost them a whole hell of a lot of money. They made it in, I think, 2003 and ran it as much as they could, and they're not using it anymore. It's actually been decommissioned, but they did post some of the numbers on it, and it was pretty impressive how much you could do with those 70 little machines. The air conditioning unit, however, you had to put on it, was just kind of a little ridiculous because they did get hot. Imagine that.

All right. Add-ons. Because the original PlayStation 2 did not come with any sort of Ethernet, you could buy the attachment that gave you a modem and HD assembly, which I got from one of the 757 guys. Thank you very much. I actually hacked my PlayStation 2 after that happened, and the maximum for the PlayStation 2, shockingly, is you can actually stuff a 500 gig hard drive in there. It's up to you as to why you would want to put that much in there, but hey, if you turn it into a Linux box, then you can use it. And then, of course, the keyboard and mouse.

All right. PlayStation 3, the Cell Broadband Engine processor. It's a heterogeneous CPU. It has one controller and eight computational SPEs or SPUs. I hear them interchanged. Actually, they're kind of interchanged even in IBM's technical papers. So anyway, when you hear... Actually, when you download the discussion by the guys over at the Chaos Computer Club last year, they'll call it SPU. So it's the same thing. All right. You get 256 megs of RAM for basically those processors, another additional amount of RAM for the system itself. And I'll kind of show a block breakout of how that works. 550 megahertz custom GeForce GPU. And let's see.
Up to gigabit Ethernet. That's nice. And if you got the 60 gig version, then you also got wireless built in. USB ports, DVD/Blu-ray optical, 20/60 gig, now 80 gig drive, and a bunch of different memory that you can plug into it, if you got the 60 gig version. The 20 gig version, I was told that there was an attachment, and that actually is recognized by the game operating system. So you don't even have to have the other operating system loaded on there in order to use it. Which is kind of nice.

All right. Very quickly, I'm not going to go too much in depth because I'm kind of running long already. This is a very, very simplified version of what the PS3 hypervisor looks like. And you'll notice that there is a gap over the USB. According to the write-ups that I've read, by, it's Kana Shimizu, my apologies. She's one of the security architects over at IBM Systems. She wrote a very good paper on this particular processor and the security that's unique to the hypervisor on the PlayStation, and specifically the security that's on the processor itself. After I read it, I was bummed because now I realize it's going to be a lot harder to hack that system. And I'll go into that very quickly.

All right. You've got your game application. Generally, just like any other hypervisor, you have your hardware down below. You have your hypervisor that runs interference, or basically runs a virtualized pathway between the operating system, whether it's Linux, another operating system, or even the game operating system that came on the PlayStation, and the game application that's running on top of either one of those. But for some strange reason, for USB, there is absolutely no hypervisor controlling what you're doing.

All right. This is a very simplified block diagram of the PS3 Cell processor and security. If you want to read really good technical documentation, I invite you to go over to IBM's CBE section. I mean, it's full disclosure. They give you everything that you need.
What's unique about this, and you'll see that you have your main processor. It's a modified PowerPC core. Basically, everything goes through, of course, the main memory, the IO comes across the interconnect bus. The main processor goes, okay, I'm going to split this up. It goes off to SP1, SP2, SP3, blah, blah, blah, to be worked on. Well, each one of these little sub-processors, when it starts processing, shuts itself off from everything else on the box. So once you've put something in there, there's no way to modify the thread while it's being processed. So that was kind of bumming.

There was another bit of information in those technical documents. Again, they go into great gory detail. I'm just going through it very quickly. It is that when the application sends in its threads for processing, each one of those processes, I'm sorry, the application itself is checked and verified as being legitimate. So you can't run arbitrary code, and this is locked down at the processor. So scoop that thing out and see what you can do with the rest of that box. But anyway, it's checked at the processor, and each thread is verified based off of the original verification of the application itself. So everything has to be kosher in order to be processed. And then when it is processed, as I said, individual SPEs, as they are called on, shut themselves off even from the main processor. The only thing they respond to is stop. And when they receive the stop, they clean themselves. There's nothing in the registry to play with. So I was like, uh-oh. That sucks.

All right. As far as the potentials for the PlayStation 3, I've seen people actually jam in there a 250-gig hard drive. You have to have a 2.5-inch Serial ATA. So whatever the maximum is, you can try jamming different ones in there. I expect that same website that I spoke of earlier to probably set up a database before too long showing people putting in different hard drives. It uses the different types of memory again.
Right now, the maximum size that I'm aware of, last time I checked Amazon, at least, the authority Amazon was, sorry, was 8 gigabytes. So I was all excited because I found out, wow, I can jam that in my PSP also. Woo-hoo.

All right. The Infectus firmware, that was thought to be a downgrader. It doesn't work 100% of the time. And there is a certain chance that you will break your PS3, and that blows. All right. It does Bluetooth and has USB and keyboard connections built into it. Tricks. It runs Linux, many flavors. You just have to go online and find the individual instructions on your particular flavor that you would like to run. I advise that if there is a custom version for the PS3, download that one. Don't even play with any other flavor and try to get it to work on your own, because it's a huge pain in the butt. And I'm showing a picture right here. That gentleman right there has, I think it's eight, yeah, eight different PS3s. So there's already people that are trying to make clusters out of these things. That is nice.

All right. Oh, the last little bit, there was a talk by, I think it was, Gartner's Steve Prentice. He fears criminals would use the PS3 for crypto hacking, and I have the article at the bottom of this page in a TinyURL. And basically he would be correct as long as whoever is creating the anti-encryption software utilized or wrote it to the strengths of the PS3's processor, which is outstanding at single precision mathematics, double precision not so good, things like that. So, okay, so Sony as a media server and then Apple for the, was that the iTV? Oh, okay, I'll do that, thank you very much. Whatever I find from what the gentleman had spoken to me about will be up on my blog.

So, all right, here's more sexiness. That is not my PSP. I would never defile it in quite such a way. That was Lik-Sang, may they rest in peace. They were sued into oblivion by Sony.
Anyway, you have basically two little MIPS R4000 processors in there. They run literally from 1 MHz to 333 MHz. You can downclock it and you can upclock it up to 333. Sony still maintains that it's not a good idea to run it at 333, but people are now. And various homebrews definitely take advantage of that clockability. I know, down, down out there.

All right, you can run wireless on B, there is no G. I actually have on order right now the new PSP, so I'm going to see if that got changed. That would be nice. You have an IrDA transmit and receive node on top, which is really sexy, and the reason why I think that's sexy, you need to see Major Malfunction's discussion on old school hacking from, I think, about two or three years ago. Watch that or read his information on that and you'll find why that is so cool. And then I'll show you a couple of homebrews as to how you can use that IrDA port. You have a mini USB connection on top which allows you to hook up all sorts of little attachments to it, which I will show shortly. UMD optical drive and memory.

All right, your add-ons. You have one unit which is the GPS unit. You cannot buy it in the United States. You have to order it from Japan directly. It's about $60 from good reputable places, and you'll get it really quick. All right, oh, the shipping. That's after shipping, shockingly so. All right, you have a microphone and you have a camera. If you want to do some surveillance or something like that, you want to take pictures, it starts looking a little odd when your PSP runs around with extra attachments dangling off of it. So I would advise not to really do something super spy-like. All right, here's somebody who went crazy and decided they wanted to have an external antenna actually hooked up. It's got a Hirose connector on it. The daughter board does.
And if you decide to do something like this, just be very gentle with that connector, because it has a propensity to just drop right off of the daughter board. And that sucks. So anyway, if you've got that thing attached to your PSP, guess what? You look suspicious.

All right, GameCube hardware. You have the 485 megahertz Gekko. It's a custom IBM processor, 40 megs of RAM. You had a fairly decent GPU at the time. You had a proprietary optical disk and proprietary memory cards. The add-ons, you had modchips. In fact, modchips, these guys went crazy. You had Linux running on this thing. All sorts of crazy stuff running on this thing. It was a great system. And in fact, again, the Chaos Computer Club discussion, download it. They elucidate greatly on how the GameCube was really cool and how they might have been able to use the same hacks that were used on the GameCube on the Wii. It's really cool. And Linux again.

The Wii, we have a little bit beefier. It's a 729 megahertz Broadway IBM PowerPC CPU. That's pretty impressive. 88 megs of RAM total. There are actually several memory banks, but it's basically 88 total. You have a nice little ATI GPU, B/G capabilities, and strangely enough, an attachment so that you can actually get on Ethernet. You have to buy that separately, of course. 512 megs of flash memory. SD memory is its primary removable memory source. It has a couple of USB ports and the optical drive, strangely enough. I don't know why. It does not support DVDs or even play music off of CDs. I don't know why.

Hardware of the DS Lite: two 32-bit processors. They're both ARMs. Four megs of RAM. Main RAM, I should say. You are capable of getting on 802.11b and the Ni-Fi. It's Nintendo's idea of Wi-Fi. You can get on that. This was kind of interesting.
When all of these pornographic pictures of circuit boards appeared on the Internet, the most fervent hardware geeks started really zooming in on those images and trying to look up information on the various chips that were soldered to those boards. And one of the things that was kind of weird was, and you can check this on the Internet right now, if you type in Mitsumi MM3205B module, and that is the wireless module for the DS, there's no information at all about it. The only information you will find is like three hits. It's basically three blogs talking about, I can't find any information about this. Does anybody know anything about this? So it's kind of odd. I'm just pointing that out because of that. It uses SD removable memory. It has a microphone built in. It has a touch-sensitive display. And it's got a couple of custom ports for gameplay, both for GBA backwards compatibility and the Nintendo DS.

All right, add-ons, removable memory storage. I don't know of any memory limitations. Like, you can jam it with, say, an 8-gig stick. I don't know if that's a limitation yet. Supposedly it takes everything. There is Linux that runs on it, but it's only sash. It's very limited. I have DS Linux on my system, but it has a very limited, but it is kind of cool. Huh? Oh, Boost Controller? Okay, I'll have to talk to you afterwards, and I'll post that on my blog also. I wasn't aware of that.

All right, programmability and flexibility, or what can I make this thing do? Oh, hell's yes. Exactly. All right, guys. Basically anybody who's had a PSP since at least release day, firmware 1.0 was in Japan, 1.5 in the United States was what was available to us. I still have my virginal untouched 1.5 system. Those were actually vulnerable to running arbitrary, or I'm sorry, running unsigned code. And that was a bad thing, according to Sony. You now have custom firmwares. Dark Alex unfortunately has left the scene.
I privately believe that he probably received a couple of threatening phone calls from lawyers. Cease and desist, or else. And of course we saw the picture of Lik-Sang and they're gone, so that "or else" definitely has some teeth. So this was a few weeks ago. The reason why he's actually beloved in the PSP fanboy group is he created one of the best custom firmwares. His last one was based off of the 3.40 firmware. It allowed you to have access to all the cool stuff, be able to access your PS3 wirelessly and to play all the new games. Yeah, yeah, yeah, yeah. And do all the stuff for homebrew. There is another group, M33. It's a Russian hacker group. They have picked up that baton and are running fast. They actually have a newer one that's based off of firmware 2.52. And the newest one that's out by Sony is, I'm sorry, 3.52 is what they have. The newest one by Sony is 3.53. Please don't download it unless you read it. After I put up on the forums, hey, I'm going to show you guys at the Wi-Fi Village how to do all of this stuff, blah, blah, blah, blah, blah, one of the poor guys had actually hooked up to Sony's official site, had downloaded, yes, and they had just changed it. And I said, dude, you should have known better. Come to my website. I've got everything. So, unfortunately, he didn't hear me.

All right, gateway firmwares: 2.71, 3.02, and 3.50. Why are they the gateway? Because you can downgrade from there. And when you downgrade, you can upgrade to those custom firmwares that we all love. Vulnerable games that allow this gateway behavior: Lumines. I have a copy with me, and I actually was pretty damn shocked that right after that news came out, that for version 3.50 all you needed to do was download this modified save game for Lumines, the stock in Lumines went through the roof. You couldn't find a copy online for less than $100. And places around town, at least according to the internet, were quickly running out of copies.
People were buying them up and selling them on eBay, bastards. Whoa. Well, come back. Come back. That scared me. I'm talking too long. All right, and then you had Grand Theft Auto that allowed you to do other things.

DS Lite, you have hardware modifications. You just plug into the end of the unit. You don't have to open it up unless you really want to. I advise not to. And everything pretty much runs. Nintendo's opinion about how it does things with the homebrew community is almost diametrically opposite from Sony. Sony hates you, even though they're now saying, oh, we like the homebrew community. We're just going after the hackers. Wait a minute. The homebrew community, anyway. Nintendo, as far as I know, hasn't sued anybody into oblivion and hasn't put anybody, sicced their lawyers on anybody.

The Xbox, the original Xbox, you use a font handler, and basically you can hack it that way. You have to remove the Xbox dashboard. You have the A20 memory handling flaw. Games definitely run in kernel mode. That's a problem. And that allows you to run those three games that are listed below and use their save games, because now they're in kernel mode, to pwn that machine. Thank you.

The PlayStation 3, you have an internet browser flaw. I had an individual give me a heads up that he had found one. Anathema is his name. But at current, it hasn't gone too much further than just crashing the browser yet. And I saw something just in the last week: somebody was loading an unnamed PS2 game, and it was causing it to crash and the screen started flickering. And I didn't know whether it was crashing the video, because some PS3s do have a problem with syncing video with some televisions, and I thought maybe that's really what was going on. But I'm just mentioning it because it was interesting. If it's not a hoax, then it should be looked into. Currently, neither of these approaches is all that promising.
I'm talking about the PlayStation 3. Besides, who wants to break the $600 system? I don't.

All right, Linux is everywhere. And generally I'm pretty much assuming that if you can put Linux on something, it is game over for the most part. It's game over. You can use all of the tools at your disposal as a standard Linux user. However, I was reading something about the PS3 that was unusual. You cannot put the Wi-Fi unit or module in the PS3 in promiscuous mode at current. All right.

Game console coding. You have various things that you can use while on Linux. You can program in C, Python, Perl, etc. Whatever is out there, you take your pick. With no modification, however, there are native ones. They're small, and a couple of them are still kind of proofs of concept. But you can actually program in Python on the PSP. Lua on the PSP and DS. There was an assembler for the PSP. There was a C compiler for the PSP. And, of course, there's BASIC for the DS.

All right, homebrew. It's a term frequently applied only to video games that are produced by consumers on proprietary game platforms. In other words, game platforms that are not typically user-programmable or use proprietary hardware for storage. Sometimes games developed on official development kits such as the Net Yaroze or PS2 Linux are included in that definition. Some, however, also refer to all non-commercial home-developed games for open architectures as homebrew games. Though these typically go under Alright, here we go. This is the goodies. This all kind of flies through, actually. I apologize. I'm running long.

All right, the PSP. This is the IrDA capture. I actually got to meet the kid who actually programmed this at Toorcon. He came out with this and pretty much dropped the project afterwards. But it opened up the floodgates for grabbing information and turning it into something you can use on the PSP natively.
You have PSP IR Commander, which supports over 2,000 controllable infrared devices, and also its successor, IR Shell, which does more things. Each one of those came with a handful of pre-programmed devices that you can control from the get-go. You go on the internet, and I have a link in the notes where you can get these. I think they're up to 2,300 devices now that you can download, and they're totally compatible. Pwn everything.

Now we've got a short video. This is the PSP portable VNC viewer. It's based off of a portable VNC program that was created for Palm OS. So here I am. I decided not to trust Murphy while I was here, so I decided to do everything pre-recorded. Oh, my goodness, it's up there. There's my little PSP. All you need is these cables. What I'm demonstrating right here is that you can just plug this thing into systems, and thank God for modern operating systems. They're so helpful. Thank God. It makes my life a little easier. And there I am plugging into an unassuming little hub. Doo-de-doo. Then I fire up my little system, and all I'm going to do is tell it: go into USB mode, make yourself available to the operating system at the other end of this cable so that it can read and write to you. And the full memory stick in the system itself is usable. And there we go. Vista is very nice. Look at this. No warning either. "Hi, I found it for you. You can use it now." I'm not being a smartass. It's probably coming off that way, but... All right. Here's my little laptop running Vista. And now that I've got... Unfortunately, I didn't really plan this very well. My screen's extremely bright and it just overwhelmed my poor little camera. So what I'm doing right here is that I've opened up the directory for the PSP and I'm grabbing and dragging TightVNC. Version 1.2.9 works flawlessly. I did try the latest version, which is 1.3.9, and the video didn't come through. You got on the box, but you couldn't do anything.
All right, so there we go. I've copied it, moved it over. I'm starting to install it here. It doesn't take very long. And again, the only thing Vista did was ask, "Do you really trust this?" Of course I do. Now I'm deleting it, just for regular users. Of course, a good forensic analysis would definitely give me away. And the only thing that betrays that it is on there is that tiny little V on there. I've been... Actually, when I was at the Church of Wi-Fi discussion earlier, somebody came up with an interesting idea, and he said, "Hey, why don't you write a little script for the registry? Run it, drag it over with your installation, run it after you've installed it, and it'll take that right off of there." They won't know. The average user won't know that the VNC is running. Oh, God, that's darker than I thought it was. All right, I'm running the application itself. The only thing I've done ahead of time is I've searched for an access point in order to get onto the network. Do-da-do, zoom in, a little action there. And of course I did try... I tried to put a password in there: one, two, three. And there I am. I'm in the box. That VNC software actually works with a number of IR wireless keyboards, so you don't have to jack around with playing with the buttons in order to get the alphabet, you know, somehow coming through. So you can type as fast as you want. You pwn the box. Because basically you've got that box and you use its trust on the network. Move out. Move out from there.

PSP has secure text. It's unfortunately just RC4, but it's a good proof of concept that you can actually encrypt and decrypt anything you want on the PSP by itself. You can run the PSP as a web server or an FTP server. You can chat with your friends when you get lonely on those stakeouts, looking at other people using their computers, using AIM, ICQ, MSN, G-Talk, and Yahoo. That is completely in the clear. None of those supports encryption. However, this does.
PSP SSH is based off of Dropbear, and it is fully SSH2 compliant. And a shout-out to the 757 guys: this is your server, which they gave me access to. I did not pwn their server. I'm not that leet. All right, here we go with the little demo. And this is my 1.5 system that has never been modified. So a lot of these tools you can run on either the modified firmwares or the original firmware. All right, what I've done is I'm running the application. Of course, I've already got my AP picked out, which one I want to actually access the internet with. I've already put in my user information, the server that I want to go to. I'm logging into users. It didn't crash. All right. Unfortunately, it's really, really dark, but that's the welcome screen that just popped up. Next, I'll be typing in irssi. I will be screening it, as instructed by Count. And from there on, I go on to Sploitcast, go talk to the guys at Sploitcast, and I log off. And everything's encrypted.

We have a Wi-Fi sniffer. This was kind of cool. It was a little project that this dude came out with. Unfortunately, after two modifications, he dropped it. The original idea was that it would actually turn into a real sniffer. You could find APs, select the AP, and decide that you wanted to start collecting packet traffic. This is kind of cool. You have PSP Map This. This is a sexy little thing that you can use with the GPS. I would love to see somebody code, but it's not me, a version of Map This with that previous Wi-Fi sniffer, and start walking around and having little pinpoints on your map, which you download from Google, freely available. And so you can remember and use this as a geocaching toy. I'm going to show this very quickly. There's audio to this. It talks to you. And people can drive with it. It's not advised, but you can drive with it. Unfortunately, no. The coder that actually put that in there, I always screw up his name. Please check the notes. He's a cool guy, but I don't want to murder his name on tape.
But anyway, he actually coded that from scratch all by himself, because when you buy this in Japan, you get the entire Japanese map. You get everything. It's very cool. But before this was actually released or available to Americans, he had hacked together, I think it was a Holux GPS, and hacked it so that it would physically interact with the PSP through the mini USB port. And he created that software all from scratch. It's an excellent program. PSP Inside was kind of cool. Unfortunately, it's not really maintained anymore. But if you were dying to find out what all the registers were doing in real time, whatever was pushed into memory that the PSP had to process, you could see it in real time. You could capture that information. You could play it back. You could modify some of it. Can you say buffer overflow? And here's the Lumines downgrader. These were some of the outrageous prices I saw. Amazon, love them to death. Somebody was selling theirs for a penny. That went quick. And then the next one was $144. There were only like four of them for sale. And then you had eBay, bastards. $125.

All right. Now we get into where the DS fanboys can strut their stuff. DS FTP is actually a server and client. You can set up user accounts on it. And your only limitation is the size of the stick you have in it. Wi-Fi lib test is really cool. I wish I had animated this. I was walking around with this and showing some people, because I found out this is actually on the scavenger list: if you could find a DS that was actually doing packet capture. So I have one. You can't take it. You can walk me over there and I'll give you points. So anyway, this was an application by a fellow named Stephen Stair. I did not code this. A couple of people thought I did. I did not. He did an outstanding job. All of the packets that it captures go onto the memory stick so you can review them. It's not really fully functional, but it's cool to begin with.
I mean, it's just cool to play with. You have Aircrack, which you can see. You have a lot of success running it, but when I went on the forums, for those that did get it to run, it was fairly decent. It actually would attempt to crack WEP based off the packets that it had received. It wasn't really fast, because you are talking about ARM processors, but it was something. You have PointyRemote, which is a VNC controller for your DS. I thought that was cute. And we have Leloo FTP server. It's also an FTP server, but it's a bit more full-bodied as far as FTP servers go. I would advise looking into this one if you were going to mimic an FTP server with your DS. And then we have MoonShell. I list that only because it's exceedingly popular. It's very powerful, very fast, and it does almost everything that you want as a loading application.

Now we've got concealment. Now when I walked up here, I whipped out two game systems. I don't have any more hidden anywhere deviously. But basically, in this picture, who has equipment that they might be able to use in order to do a quick scan on any network? Whether it's a... smartass. I'll get you later. So we know that the gamers probably, in the main, according to the people in the back, have that equipment. But this is another thing as far as concealment. When working in corporate offices and stuff like that, I've been in a couple where they're very anal-retentive as to what you can bring in, whether it's a cell phone or MP3 player; all of these things could be used to help leverage either physical access or digital access in restricted spaces. Do you have the same restrictions on video game machines? Do you have a restriction on the game machine that may actually have been purchased by your company and is in your break room? I actually visited two companies, I want to say a little over a year ago, and they actually had one hooked up to their regular business network, and I about fell out.
It's like, "Oh my God, how cool." Not. All right, concealment for actual digital media. You can basically... I love my Altoids. They burn me horribly, but I love them anyway. You can put all sorts of stuff inside of them. I've been searched several times when I've done some red team stuff, and they never looked under the wrapper. They also never checked in my shoe or anywhere else. And especially, as I said, with that teeny-weeny microSD chip: pat me down, please. Are they playing a video game? Or are they doing something to your network?

Other little tidbits. I did some really ghetto port knocking, or fuzzing, with Nessus and found the following ports were open on the PSP. I actually found these open before any of the big homebrew had come out. Nothing has changed, but it was kind of neat. The Xbox 360: ports 25, 110 and, strangely enough, 1030. It was acting as a web server. I don't know why. Honestly, I don't. And then for the PS3, only two ports were open. I had another port that was intermittent and I couldn't nail it down, so you're only seeing two of them. It was 25 and 110, and that's not terribly shocking, because they really do want to make this thing into an all-in-one box that you could use for your gaming and hopefully not business. What? Okay. The other really quick thing, on the bottom of these slides for the IDS gritties: if you don't secure your network, at least you can catch these guys by looking at the MAC addresses. And habitually, or every once in a while, all of these systems will go back and check predictable places, so if that hasn't been modified by anybody, put those into your IDS logs. Oops. All right, nothing. As far as ports on the Wii and the DS, I absolutely found nothing. Now you can sniff traffic all day long, but I didn't see anything that was dependably open, and the reason why I think this is, is that the wireless on both the Wii and the DS Lite literally shuts off when it's not in use. So I thought that was kind of cute.
For the DS Lite, it's a great way to save power. And then we have really alternative ways. This was at ToorCon. I went downtown to meet some friends at the Sidebar. Being new to the area, I had no idea where the Sidebar was, and luckily for me all the proprietors were nice enough to put the names of their businesses in their SSIDs. So I had my PSP with me and started just checking around, because actually the PSP is directional; the antenna runs along the top part, so all you have to do is just kind of wave it around and you'll figure out where everything is. So I found the Sidebar strictly by using that. It was about five blocks away; it wasn't like it was a big thing. These are all of my, most of my, sources. The rest of them are on my blog, but these are the ones that provided me the most information. I thank you all for sitting through my horrible talk. My blog is haksys.schleppingsquid.net: H-A-K-S-Y-S, dot, and then I'll have to spell this for you, S-C-H-L-E-P-P-I-N-G squid, dot net. Sorry about that. Or just go to Google, search "Squidley One", and you'll find me. Thank you very much.
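Added example (the editor's, not the speaker's, and not code from any tool named in the talk): the IDS advice above is to catch consoles on a business network by their MAC addresses. The script below pulls MACs out of dhcpd- and arpwatch-style log lines, normalizes them (arpwatch drops leading zeros, Windows tools use dashes), and flags any whose OUI belongs to a console vendor. The prefixes in CONSOLE_OUIS are assumptions to be checked against the IEEE OUI registry before use; the log lines and the oui.txt excerpt are constructed for the demo; parse_ieee_oui shows how to build the table from the real registry file so the hard-coded guesses can be replaced.

```python
"""Flag game-console MAC OUIs in DHCP/ARP log lines (added example, not from the talk)."""
import re
from typing import Dict, Iterable, List, Tuple

# ASSUMED OUI -> vendor table. These prefixes are the editor's assumptions and must be
# verified against the IEEE OUI registry (oui.txt) before they go into a real IDS.
CONSOLE_OUIS: Dict[str, str] = {
    "00:09:BF": "Nintendo",
    "00:16:56": "Nintendo",
    "00:13:15": "Sony Computer Entertainment",
    "00:12:5A": "Microsoft (Xbox)",
}

# One to two hex digits per octet, ':' or '-' separated, not embedded in a longer hex run.
# Timestamps like 14:02:11 cannot match: they have only three groups.
_HEX = r"[0-9A-Fa-f]{1,2}"
MAC_RE = re.compile(r"(?<![0-9A-Fa-f:])(" + r"[:-]".join([_HEX] * 6) + r")(?![0-9A-Fa-f:])")


def normalize_mac(mac: str) -> str:
    """Upper-case, zero-pad and colon-separate a MAC ('0:13:15:ab:cd:ef' -> '00:13:15:AB:CD:EF')."""
    return ":".join(p.zfill(2).upper() for p in re.split(r"[:-]", mac))


def oui_of(mac: str) -> str:
    """First three octets of a normalized MAC, e.g. '00:12:5A'."""
    return ":".join(normalize_mac(mac).split(":")[:3])


def parse_ieee_oui(text: str, vendor_filter: Iterable[str]) -> Dict[str, str]:
    """Build an OUI table from IEEE oui.txt content.

    Registry lines look like '00-09-BF   (hex)\\t\\tNintendo Co., Ltd.'. Only vendors whose
    name contains one of vendor_filter (case-insensitive) are kept.
    """
    wanted = [v.lower() for v in vendor_filter]
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*([0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$", line)
        if m and any(w in m.group(2).lower() for w in wanted):
            table[m.group(1).replace("-", ":")] = m.group(2)
    return table


def scan_lines(lines: Iterable[str], table: Dict[str, str] = CONSOLE_OUIS) -> List[Tuple[int, str, str]]:
    """Return (line_number, normalized_mac, vendor) for every MAC whose OUI is in table."""
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        for m in MAC_RE.finditer(line):
            mac = normalize_mac(m.group(1))
            vendor = table.get(oui_of(mac))
            if vendor:
                hits.append((n, mac, vendor))
    return hits


# Constructed sample log lines (dhcpd and arpwatch syslog style); hosts and MACs are made up.
SAMPLE_LOG = """\
Aug  3 14:02:11 dhcp dhcpd: DHCPACK on 10.20.30.41 to 00:09:bf:12:34:56 (NintendoDS) via eth0
Aug  3 14:02:15 dhcp dhcpd: DHCPACK on 10.20.30.42 to 00:1a:2b:3c:4d:5e (LAPTOP-FIN01) via eth0
Aug  3 14:03:02 core arpwatch: new station 10.20.30.43 0:13:15:ab:cd:ef eth0
Aug  3 14:05:40 core arpwatch: new station 10.20.30.44 00-12-5a-00-11-22 eth0
"""

# Constructed excerpt in the IEEE oui.txt layout; vendor names here are illustrative only.
SAMPLE_OUI_TXT = """\
00-09-BF   (hex)\t\tNintendo Co., Ltd.
00-1A-2B   (hex)\t\tExample Networks Inc.
00-13-15   (hex)\t\tSony Computer Entertainment Inc.
"""


def main() -> None:
    for n, mac, vendor in scan_lines(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {mac} looks like a {vendor} device")
    # Same scan, but with a table built from (an excerpt of) the IEEE registry.
    registry = parse_ieee_oui(SAMPLE_OUI_TXT, ["nintendo", "sony", "microsoft"])
    print("registry-based hits:", scan_lines(SAMPLE_LOG.splitlines(), registry))


if __name__ == "__main__":
    main()
```

Feed it your DHCP server or arpwatch logs and a table built from the full oui.txt with a vendor filter; the same OUI match works as a Snort/Suricata-style enrichment step on DHCP traffic if you would rather alert in real time than grep after the fact.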