network shenanigans or just smoke and mirrors

DEFCON Material Posted

August 5th, 2007 by geezer

In my previous post I mentioned the three talks which I found the most informative and useful. I’ve posted the talks’ associated presentations and whitepapers in the Reference Material section for your downloading pleasure. I hope you enjoy these as much as I did.

Posted in Chatter | No Comments »

DEFCON 15: Day 3 Recap

August 5th, 2007 by geezer

The third day of DEFCON is always a slow day, at least for me. Many people party their asses off Saturday night only to either stumble into the early morning sessions half drunk or just not show up at all. As for me, neither scenario held. I was only interested in two talks, both of which turned out to be excellent!

First up for me was Jesse D’Aguanno’s “LAN Protocol Attack – ARP Reloaded.” He began by reviewing the traditional ways to perform ARP cache poisoning and the weaknesses with those techniques in today’s LAN environments. He detailed both client cache limitations and CAM (Content-Addressable Memory) tables.

The technique is rather trivial once explained. In the past, most people sent gratuitous ARP replies to the target or broadcast address on a network. The attacker had to keep up this ARP flood in order to pull off the attack. However, Jesse noticed from reading the ARP RFC that if a target receives a request for its IP address from an attacker, the target automatically adds the attacker’s IP/MAC address pair to its ARP cache. The beauty is that the attack now takes place with a single packet! Genius!! Simple and written in black and white, but genius! I always felt that if more people took the time to actually read RFCs (yawn!) then more tricks like this could be found. I like this.
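To see the RFC text do the work, here is an added simulation of the RFC 826 receiver algorithm (this is not Jesse D’Aguanno’s tool; the MAC and IP addresses are made up). The attacker sets the sender protocol address to the address being impersonated (the gateway) and the sender hardware address to its own MAC, and addresses the request to the victim. Per the RFC, the victim first merges the sender pair into an existing entry, then, because it is the target, adds the pair if it was absent, and only then looks at the opcode and answers the request. The Ethernet header around the ARP body is omitted.

```python
"""RFC 826 receiver algorithm: one ARP request poisons the target's cache.
Added example; addresses are constructed (RFC 1918 / locally administered MACs)."""
import struct
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2
HW_ETHERNET, PROTO_IPV4 = 1, 0x0800
ARP_FMT = "!HHBBH6s4s6s4s"   # hrd, pro, hln, pln, op, sha, spa, tha, tpa (28 bytes)


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(b):
    return ":".join("%02x" % x for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Serialize an ARP body (no Ethernet header) in RFC 826 layout."""
    return struct.pack(ARP_FMT, HW_ETHERNET, PROTO_IPV4, 6, 4, op,
                       _mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                       _mac_bytes(target_mac), IPv4Address(target_ip).packed)


def parse_arp(pkt):
    hrd, pro, hln, pln, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    return dict(hrd=hrd, pro=pro, hln=hln, pln=pln, op=op,
                sha=_mac_str(sha), spa=str(IPv4Address(spa)),
                tha=_mac_str(tha), tpa=str(IPv4Address(tpa)))


def receive_arp(cache, my_ip, my_mac, pkt):
    """Process one ARP packet in the order RFC 826 prescribes.
    cache maps protocol address -> hardware address. Returns reply bytes or None."""
    a = parse_arp(pkt)
    if a["hrd"] != HW_ETHERNET or a["pro"] != PROTO_IPV4 or a["hln"] != 6 or a["pln"] != 4:
        return None
    merge = False
    if a["spa"] in cache:            # existing entry is updated before anything else
        cache[a["spa"]] = a["sha"]
        merge = True
    if a["tpa"] != my_ip:            # not addressed to us: nothing new is learned
        return None
    if not merge:                    # addressed to us: learn the sender pair
        cache[a["spa"]] = a["sha"]
    if a["op"] != ARP_REQUEST:       # opcode is examined only now
        return None
    # Swap fields and answer the requester directly.
    return build_arp(ARP_REPLY, my_mac, my_ip, a["sha"], a["spa"])


def poison_with_one_request(victim_cache, victim_ip, victim_mac, spoofed_ip, attacker_mac):
    """Single request: sender = <spoofed_ip, attacker_mac>, target = victim.
    Returns the MAC the victim now holds for spoofed_ip and the victim's reply."""
    pkt = build_arp(ARP_REQUEST, attacker_mac, spoofed_ip, "00:00:00:00:00:00", victim_ip)
    reply = receive_arp(victim_cache, victim_ip, victim_mac, pkt)
    return victim_cache.get(spoofed_ip), reply


if __name__ == "__main__":
    cache = {"192.168.1.1": "02:00:00:00:00:01"}   # gateway's real MAC (constructed)
    learned, reply = poison_with_one_request(cache, "192.168.1.50", "02:00:00:00:00:50",
                                             "192.168.1.1", "02:00:00:00:00:66")
    print("victim now maps 192.168.1.1 ->", learned)
    print("victim replied to", parse_arp(reply)["tha"])
```

Whether a real stack honours the "add if I am the target" branch, or only the "update an existing entry" branch, varies by operating system and version; the simulation shows what the RFC text says, not what any particular kernel does, so check the stack you are testing against before relying on the single-packet variant.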

The second talk was “Intranet Invasion with Anti-DNS Pinning” by David Byrne. For some background on DNS Pinning, go here and here. The talk was great because not only did David confirm all I’ve read on the net about this technique, but he also demonstrated actual attacks live. He was able to trick a victim into loading and running some Javascript that eventually allowed the attacker to run a Nessus scan on the internal network from an outside location. This holds extreme potential for some serious intranet attacks from the outside world.
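As an added simulation of the rebinding mechanism behind that demo (not David Byrne’s code; host names and addresses are made up from the RFC 5737 and RFC 1918 ranges): the attacker’s authoritative DNS returns its public address on the first lookup and an intranet address on the next, the browser’s same-origin check compares host names rather than addresses, and so a script loaded from the attacker’s page can read from the internal host. `pin_dns=True` stands for a browser that keeps the first answer for the page’s lifetime; `False` for a pin that is absent or has been defeated. The server-side check a practitioner would want, validating the Host header, is shown alongside.

```python
"""DNS rebinding (anti-DNS pinning) simulation. Added example with constructed names."""

ATTACKER_HOST = "attacker.example"   # zone the attacker is authoritative for
ATTACKER_IP = "203.0.113.5"          # public server that serves the script
INTRANET_IP = "10.0.0.7"             # internal host the attacker wants to reach


class Resolver:
    """Attacker-controlled DNS: each lookup of a name returns the next address
    in its list (think TTL 0). That changing answer is the whole trick."""
    def __init__(self, sequences):
        self.sequences = sequences
        self.calls = {}

    def lookup(self, host):
        n = self.calls.get(host, 0)
        self.calls[host] = n + 1
        ips = self.sequences[host]
        return ips[min(n, len(ips) - 1)]


class Browser:
    def __init__(self, resolver, pin_dns):
        self.resolver, self.pin_dns, self.pins = resolver, pin_dns, {}

    def resolve(self, host):
        if self.pin_dns and host in self.pins:
            return self.pins[host]        # pinned: reuse the first answer
        ip = self.resolver.lookup(host)
        self.pins[host] = ip
        return ip

    def fetch(self, origin, host, path, servers):
        # Same-origin policy keys on the host name, never on the resolved IP.
        if host != origin:
            raise PermissionError("cross-origin read blocked: %s -> %s" % (origin, host))
        return servers[self.resolve(host)].handle(host, path)


class Server:
    def __init__(self, body, expected_hosts=None):
        self.body, self.expected_hosts = body, expected_hosts

    def handle(self, host_header, path):
        # Host-header validation: a rebound request still carries the
        # attacker's host name, which an internal server should never accept.
        if self.expected_hosts is not None and host_header not in self.expected_hosts:
            return 400, "bad Host header: " + host_header
        return 200, self.body


def run_attack(pin_dns, intranet_checks_host):
    """Return the (status, body) the attacker's script obtains for /admin."""
    resolver = Resolver({ATTACKER_HOST: [ATTACKER_IP, INTRANET_IP]})
    servers = {
        ATTACKER_IP: Server("attacker page"),
        INTRANET_IP: Server("secret intranet page",
                            {"intranet.corp"} if intranet_checks_host else None),
    }
    browser = Browser(resolver, pin_dns)
    browser.fetch(ATTACKER_HOST, ATTACKER_HOST, "/", servers)             # 1st lookup: attacker IP
    return browser.fetch(ATTACKER_HOST, ATTACKER_HOST, "/admin", servers)  # 2nd lookup: rebinds


if __name__ == "__main__":
    for pin, check in [(True, False), (False, False), (False, True)]:
        print("pin_dns=%-5s host_check=%-5s -> %s" % (pin, check, run_attack(pin, check)))
```

A scan like the one demonstrated is just this second request repeated over candidate internal addresses and ports, each served by a fresh rebinding; the Host-header check defeats it on any internal server that applies it, independent of what the browser does.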

Every year my goal is to come away from DEFCON with just one new technique that I can play with and improve upon. This year I was fortunate to find at least three: (1) the use of SMB/CIFS and WPAD to gain access to targets without needing an exploit, (2) the ability to perform ARP poisoning in a stealthy manner and (3) the ability to infiltrate an intranet from the outside using anti-DNS pinning techniques.

In addition to the technical gems found, I feel the information gleaned from the two panel discussions, “Meet the VCs” and “Self-Publishing in the Underground,” will help me with my own professional and career development plans. Overall, DEFCON 15 turned out to be better than I had hoped. Now maybe I can go out and enjoy Vegas before my 7:00 am flight tomorrow!

Posted in Chatter | No Comments »

DEFCON 15: Day 2 Recap

August 4th, 2007 by geezer

Day two was… interesting. However, it was not as interesting as this!

I started the day by taking in some Web 2.0 attacks and threats at Steve Orrin’s talk. I’ll admit that I’m not up to speed on this Web 2.0 stuff, XML, SOAP, etc. However, some of the attack vectors revealed piqued my interest enough to at least give the technology a shot. Since the web is moving in this direction, it’s only logical to understand this new threat.

Aaron Peterson’s talk on “Pen-testing Wi-Fi” held promise. I’m a Wi-Fi junkie. I’m always looking for something new, unique and novel. Unfortunately, the talk was anything but. I’ll give the guy props for taking existing tools and bundling them together into one useful suite of apps, but come on! There’s nothing new here folks. Next talk.

If there was one talk I had high hopes for, it had to be King Tuna’s “Hacking EVDO.” Now here’s something relevant and new! New because it’s never been talked about before. Relevant because I use EVDO when I’m on the road. In fact, I’m using it as I post this report. Wi-Fi networks are so easily hacked, I refuse to use them.

This presentation revealed ways to modify the firmware of a certain model EVDO card used on the Verizon Wireless Broadband network. By downloading some proprietary software from a torrent, he demonstrated various ways the firmware of the card could be manipulated to do things it shouldn’t do. He did suffer some technical difficulties during his demos, which were painful to watch. However, I would expect to see future talks on this subject in the coming years.

If memory serves me correctly, I first heard of a rogue wireless access point referred to as an “Evil Twin” at a past DEFCON talk presented by the Shmoo Group. K.N. Gopinath’s talk, “Multipot: A More Potent Variant of Evil Twin” didn’t do it for me either. Am I being too critical? Am I asking too much when I want to see new material, something cutting edge? I don’t think so. I left the talk early.

There was one other talk on this day that I was looking forward to, “Geolocation of Wireless Access Points” by Ricky Hill. I was impressed! Here was a hardware system developed from scratch that uses triangulation to physically locate wireless access points. The system uses a yagi antenna mounted to a stepping motor combined with a digital compass and a GPS unit. With some Visual Basic code, the tool was able to geolocate wireless access points with better precision than anything else currently on the market that I’ve seen. It’s not ideal in any sense. It only seems to work well in open areas, such as over water. If you place trees in the way or try this in an urban environment, it won’t work, and the creator admits it. However, I think it represents a great first try. I hope others pick up the lead and improve on this work.

I ended the day by attending a panel discussion entitled, “Internet Wars 2007.” These discussions are always interesting because they’re very unstructured and anything goes. Personally for me, it was more for entertainment than actual useful knowledge.

Overall, day two provided a few golden nuggets in which I may find value. But for now, I think I’ll watch the video again!

Posted in Chatter | No Comments »

DEFCON 15: Day 1 Recap

August 4th, 2007 by geezer

The Con offered five tracks this year. The first talk I attended was by Sean Bodmer, entitled “Analyzing Intrusions & Intruders.” According to the official program guide, “… due to advances in network systems automation we now have time to pay more attention to subtle observations left by attackers…” I took this to mean we were to be treated to an enhanced form of packet analysis that could lead to clues and possible apprehension of the intruders. Instead, the talk focused on a more behavioral science and profiling approach. Not the talk I was expecting; therefore, I was disappointed in my first session.

The second session was right up my alley! Called “Meet the VCs,” we were provided a panel of real venture capitalists actively seeking new technology companies. They detailed what they look for in ideas, businesses and expectations when approached by companies seeking capital. The panel ranged from seed money VCs to well established VCs that may hold companies in their portfolios for many years before seeking an exit. This is definitely one talk worth following up with after the Con.

Since a break for lunch is never provided at the Con, some of us took the next hour and a half to grab some lunch and exchange thoughts and ideas.

Bruce Potter’s talk on “Dirty Secrets of the Security Industry” was standing room only. In fact, many people had to leave since their presence in the aisles and along the walls posed a fire hazard. Bruce loves to rant, and I love to listen! His talk can be summed up this way: There would be no need for “defense in depth” if people wrote secure code in the first place. Unfortunately, there is no formal body, organization or training program that teaches people a consistent way to write secure code. I have to agree.

“Self Publishing in the Underground” by Long, O’Hara & Wirth was an eye opener on how easy it is to get a book published in this day and age. They outlined a number of online alternatives from lulu.com to Amazon.com and their associated costs and headaches. This sounds like an easy way to quickly establish yourself as an expert in your field. It’s worth a look.

H.D. Moore and Valsmith’s “Tactical Exploitation” revealed ways to exploit or attack machines without the use of zero-day exploits. They simply used everyday protocols in ways they weren’t meant to be used! Try to research SMB/CIFS and WPAD and see if you can’t find devious ways to wreak some havoc!

BlackHat 2005 will always be known for Ciscogate. The Dark Tangent gave a behind-the-scenes blow-by-blow of the entire event from his perspective. It was an amazing tale of corporate irresponsibility run amok, with the little guy, The Dark Tangent, caught in the middle.

Sam Bowne recounted his tale of launching a hacking class at the City College of San Francisco in “Teaching Hacking at College.” He detailed how he pitched his idea to the administration, how the lab was set up, the program itself and the final outcome. This is a program worth spreading to other centers of higher learning.

And finally, for me, I ended the day with David Hulton’s talk on “Faster PwninG Assured: New Adventures with FPGAs.” Dave does nothing but amaze us with his FPGA programming foo! All I can say is this guy rocks! He’s a master with combining crypto solutions into an FPGA form factor. Is there anything FPGA related this guy can’t do?

Overall, day one ended on a positive note. I was worried during the first talk, but things soon shaped up for the better. Now it’s off to day two!

Posted in Chatter | 1 Comment »

DEFCON 15 Starts Today

August 3rd, 2007 by geezer

Today kicks off the fifteenth year of DEFCON. Team SSH is in the house. We hope to provide some commentary on this year’s talks. We won’t hold back. We never do.

Posted in Chatter | No Comments »