Saturday 6^th^ August 2011, Defcon 19, Las Vegas
Smartfuzzing
I missed Smartfuzzing the Web: Carpe Vestra Foramina, by Nathan
Hamiel et. al., which I had wanted to attend. I went through the pdf of
the presentation just now, and I wouldn’t exactly call it smartfuzzing,
but I did note the cleverness of the presenters’ idea to use wordlists
comprised of words taken from the robots.txt file of websites for
fuzzying purposes. Their new tool, RAFT, is being released soon,
though it is currently available as an svn checkout.
Creating Cracks and Keygens for .NET Applications
The first presentation I attended was Hacking .Net Applications by
Jon McCoy. He detailed the extensive uses of his GreyWolf and
GreyDragon tools, including the production of cracks, keygens, and
malware. GreyWolf, which is currently in Beta, is a reverse
engineering tool which allows extraction of source code from .dll files,
and GreyDragon is a .NET injection tool. It was astounding
how little actual security is put into authentication of enterprise
applications. The funniest use of GreyDragon was an instance in the demo
in which McCoy altered a Boolean string controlling a password check
from var a=true to var a!=true, which meant that only wrong passwords
would allow access to the program. He was also able to extract source
code from .dlls, find the security and authentication mechanisms, and
then create a keygen for the demonstrated program – a commercial
keylogger – within five minutes.
VoIP Botnetting
The presentation which might possibly rank as the most impressive was
Sounds Like Botnet by Itzik Kotler and Iftach Ian Amit, on VoIP
botnetting. The idea is that certain networks which do not allow active
connections to the outside internet usually do allow VoIP traffic, and
these packets are not often paid much attention. Basically, SIP (Session
Initiation Protocol) is quite similar to HTTP and has little security
built in. SIP supports TSL, but even with this type of encryption
enabled the traffic can be easily sniffer. What this means is that SIP
traffic can easily transverse firewalls, and SIP-to-PSTN (Public Service
Telephony Network, a.k.a. standard telephone lines) can be used to relay
commands to botnetted machine within a closed network, or a network
which does not allow internet access.
Researchers Kotler and Amit used an Asterisk server hosted in the
cloud as the Command-and-Control (C&C). Conference calls were used to
link botnetted boxes together and issue commands from the botmaster,
which also allows for more anonymous direction of the botnet with
conference call bridge numbers. Moshi Moshi, an open source VoIP
botnet, was used to communicate with the botnet using Text-to-Speech
engines for output to the botmaster and DTMF tones for input. DTMF
stands for Dual-Tone Multi-Frequency signalling, and, if you remember
the adventures of phreaker Captain Crunch and his 2600Hz whistle tones
which allowed for free telephone calls, you’ve basically got the idea.
With DTMF, standard keyboard inputs are mapped to certain tonal
frequencies, and when a machine with such translation software
installed, complete binary files and commands can be sent over the wire
through music. Seriously. You make techno music out of a binary file,
play it to your zombies, and they execute the binary. Fucking awesome.
So, the botmaster calls into the conference call on the server, and
receives Text-to-Speech information on the number of machines connected.
During the demo, when the presenters called into the Asterisk server,
they were greeted with a robotic voice saying, “There are currently two
others in this conference room.” Next, they played a .wav file of DTMF
tones, and the machines went off to do their bidding.
I really, really, really want Botnet to become a new EBM subgenre.
Really badly.