Friday, January 15, 2016

Shmoocon Firetalks 2016

So the below are my fairly raw and hopefully mostly-accurate notes on the firetalks given tonight (Friday, 15 Jan 2016) at Shmoocon. If some flow better than others... sorry, it's not prose, just stream-of-consciousness.

Amazing panel of judges at Firetalks this year: Jayson Street (), Brian Krebs (@briankrebs), Space Rogue (@spacerog), and... sorry, I did not catch the other fellow's name! (Probably someone very famous whom I should know on sight. Well, geek-famous, anyway.)

Matt Nelson (@enigma0x3) - "Red Team Upgrades - Using SCCM for Malware Deployment"

Abusing SCCM for malicious purposes, and how some admins fail to secure it properly.

"If you administer SCCM as a domain admin, you're doing it wrong!"

Why use SCCM in Red Teaming? (Seems like a question that answers itself!)

  • manages a ton of clients
  • live off the land/blend in
  • helps identify strategic targets
  • provides a built-in persistence mechanism
Abusing SCCM in hunting, helps identify 

Abusing SCCM for compromise
  • Create a powershell script to fetch and execute your code
  • Since the org uses SCCM to install code this way all the time, your malcode install shouldn't stand out.
I have to say, getting into an organization's software distribution server as a red teamer is brilliant. The only higher level of 0wn@ge I've seen was when an APT got an organization to include their RAT in the IT team's gold build (Ghost image). It doesn't get any better than that!

Travis Goodspeed (@travisgoodspeed) - "Jailbreaking a Digital Two-Way Radio"
"I love China!"

Tytera MD380  中国排名第一  ("China's best-ranked!")

  • STM32F405 CPU
  • 1MB Flash / 168K RAM
  • HRC5000 Baseband
  • Two-slot TDMA (Poor man's GSM?)
  • Internationally trunked (repeaters)

Programmed via a Windows application (as frustrating
Some of the error messages are in English, some in Chinese)

All frequencies used by emergency services, etc., are registered with FTC and easy to look up.
HOWEVER, there is a "talk group" number (26 bits) that you need to have in order to listen in/participate in their conversations.
Travis, however, patched the firmware to just match every

The firmware updates are encoded with 512-bit XOR.

Eliminating the Chinese font (which took up 1/4 of the RAM on the device) freed up a lot of memory for other things.
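The notes above say the MD380 firmware updates are "encoded" with a 512-bit XOR. The block below is an added example, not code from the talk or from any MD380 tooling, showing what a repeating 64-byte XOR key does to an image and why it gives no real confidentiality: anyone who can guess 64 bytes of plaintext (firmware images usually contain long runs of 0xFF padding) gets the whole key back. The key, the sample "firmware" bytes and the padding offset are constructed for the demo.

```python
# Added example (not from the talk): repeating-key XOR over a firmware image.
# The 64-byte key and the sample image below are constructed for illustration.

KEY_LEN = 64  # 512 bits, the key size mentioned in the notes


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so one call both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(encoded: bytes, known_plain: bytes, offset: int, key_len: int = KEY_LEN) -> bytes:
    """Recover the full repeating key from a known-plaintext run.

    `known_plain` is what the image is believed to contain starting at byte `offset`
    (e.g. a run of 0xFF padding). Because ciphertext = plaintext XOR key[pos % key_len],
    one key_len-byte run of known plaintext pins down every key byte.
    """
    if len(known_plain) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    key = bytearray(key_len)
    for i in range(key_len):
        pos = offset + i
        key[pos % key_len] = encoded[pos] ^ known_plain[i]
    return bytes(key)


def demo() -> bool:
    """Round-trip a constructed image and recover the key from its 0xFF padding."""
    key = bytes(range(0x10, 0x10 + KEY_LEN))  # constructed key, not the real one
    header = b"MD380 firmware image (constructed sample)"
    firmware = header + b"\xff" * 200 + bytes(range(256)) * 2
    blob = xor_with_key(firmware, key)

    # With the key, decoding is a single pass.
    roundtrip_ok = xor_with_key(blob, key) == firmware

    # Without the key: guess that the padding region is all 0xFF and recover it.
    pad_offset = firmware.index(b"\xff" * KEY_LEN)
    recovered = recover_key(blob, b"\xff" * KEY_LEN, pad_offset)
    return roundtrip_ok and recovered == key


if __name__ == "__main__":
    print("XOR encoding round-trips and key recovered from padding:", demo())
```

The lesson for anyone shipping firmware is the one the talk implies: a fixed XOR key is obfuscation, not protection, and should not be relied on to keep an image or its update format private.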

Dean Pierce (@deanpierce) - "Low-end Bug Bounties for the Masses"
"Technology is good. The proliferation of technology is what drives humanity."

"Bugs should be rare."
"Does anyone remember Full Disclosure?"

No more free bugs (circa 2009).
Industry-sponsored bug bounties are the new thing.
Of course, the underground 0-day trade is also a thing: shady people selling to shady organizations.

But there are still the small bugs in the small software, that are too small to
So I made a crappy website! It's a private mailing list, $10/mo subscription. (@cheapbugs)
People can post random crappy appsec/webapp bugs and get paid.
The money from the subscription fees goes to the researchers finding the bugs.

One of the key aspects is that it's not just about the bug; the write-ups are important. How they found it, the tools they used, etc. Also fully-functional POC exploits.

The philosophy is that the small bugs matter, too. No bugs left behind!

The judges helpfully pointed out that publicly dropping zero-days might not necessarily be... entirely OK from a legal perspective!

Wendy Knox Everette (@wendyck) - "Failure to Warn You Might Get Pwned"
Looking at software defects from a product liability law perspective.

In general product liability, consumers can recover based on three theories of liability:

  • Manufacturing defects
  • Design defects
  • Failure to warn

In most cases, modern EULAs are used to shield software manufacturers from liability; if you agreed to the EULA, you are bound to recover based on the terms of that contract.

Manufacturers can provide "risk reduction warnings" or "informed choice warnings," i.e., "hey, use at your own risk!" Obvious and generally-known risks don't necessarily require a warning.

One problem in the software realm is that different users with different purposes and levels of skill/experience would need very different warnings.

If a researcher finds a bug, reports it to the vendor, vendor doesn't fix... what is the liability situation?

Fear of stifling innovation is one policy reason why holding software makers liable could be undesirable.

Michael Ossmann (@michaelossmann) - "GreatFET, A Preview"

Based on the GoodFET project, for hardware hacking. "The GoodFET is an open-source JTAG adapter, loosely based upon the TI MSP430 FET UIF and EZ430U boards, as described in their documentation."

GreatFET is intended to make the virtues of GoodFET available to people who don't want to build their own boards.

The GreatFET project includes a main board and stackable add-on boards ("neighbors"). It has a beefy microprocessor with a high-speed USB interface (much faster than existing GoodFET boards). It also features a ONE HUNDRED PIN expansion bus. Even so, it is still cheaper to mass-produce than the existing GoodFET boards.

  • Azalea - the primary board
  • Begonia
  • Crocus - inspired by The Next Hope Badge
  • Daffodil

When Space Rogue asked about cost, Michael's guess was about $30.

Best question: "Why not 'BobaFET'?"

@Da_667 (Tony) (umm... @Da_667) - "Fuck You, Pixalate!"

Amateur threat intelligence provider and malware analyst.
Threat, Inc. co-founder. Honeypot herder.

So Tony told a story about a claim from Pixalate about clients having been infected with the "Xindi Botnet". Pixalate provided no IOCs, and Tony and friends were unable to find any info on this alleged malware. Yet Pixalate was stating they were going to go to the media about the matter. So Pixalate did so, and several media outlets ran with the story.

Pixalate, by the way, is a data analytics firm involved in RTB ("real time bidding") for web ads. They also claim some "threat intelligence" capabilities related to ad analytics.

When Pixalate finally published their report...
They claimed to have discovered this botnet in 2015. They claimed that 6-8 million machines in over 5k organizations were infected/involved. The botnet allegedly was exploiting a bug in the OpenRTB protocol to manipulate the ad buying/bidding process. No hashes, no IPs, no other actual IOCs. Pixalate said in the report that any named organizations could contact them for infected IPs.

Finally, Pixalate did end up providing some URLs that were involved in the botnet (presumably as C2 servers).

Ron Bowes (@iagox86) - "DNS C&C"

How DNS works in 2 minutes. Ron clearly moving blazing fast,

DNS tunneling with dnscat2

DNS is awesome, because it bypasses (well, is allowed unaltered through) most firewalls and other security controls. The challenge is that DNS is totally stateless and has little insight into sources of requests. Also, the protocol only allows for queries in one direction.

The solution is to use the session_id field for state maintenance. Ron created a custom TCP-like protocol over top of DNS. The latest version encrypts all sessions by default, and also authenticates sessions with a shared secret. Another new development is the ability to tunnel other traffic over dnscat2, similar to "ssh -L".

Very entertaining demo, showing the fifteen or so commands available. First time the tunneling function was ever demonstrated in public. The amount of DNS traffic involved is astounding!
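From the defender's side, the two properties Ron's talk highlights (state carried in the query names themselves, and an astounding amount of DNS traffic) are exactly what a detector can key on. The block below is an added example, not code from the talk or the dnscat2 project: a small heuristic run over a few constructed DNS query log lines that flags a zone when it receives many queries whose subdomains are long and high-entropy. The log format, the "last two labels are the zone" rule, and the thresholds are assumptions chosen for the demo.

```python
# Added example (not from the talk or dnscat2): flag DNS zones that look like tunnel
# endpoints, using query volume, subdomain length and subdomain entropy.
import math
import re
from collections import defaultdict

# Constructed log lines in an assumed "<timestamp> <client> <qtype> <qname>" format.
SAMPLE_LOG = """\
2016-01-15T20:01:00 10.0.0.5 A www.example.com
2016-01-15T20:01:01 10.0.0.5 AAAA mail.example.com
2016-01-15T20:01:02 10.0.0.7 TXT 3a9f1e22c4b07d1e9a4f6c8b0d2e1f77.c2.example.net
2016-01-15T20:01:02 10.0.0.7 TXT b81c0ff3e5a2d9c4711fa0b3e6d5c2a8.c2.example.net
2016-01-15T20:01:03 10.0.0.7 TXT 9d4e2b1c7a6f0e3d5c8b4a2f1e0d9c7b.c2.example.net
2016-01-15T20:01:03 10.0.0.7 TXT 0c7b3e5a1d9f4c2e8b6a0d3f5e1c9b7a.c2.example.net
2016-01-15T20:01:04 10.0.0.7 TXT 4e8a2c6f0b1d3e5a7c9f1b3d5e7a9c0b.c2.example.net
2016-01-15T20:01:05 10.0.0.5 A cdn.example.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex sits near 4.0, ordinary hostnames well below 3.0."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Assumption: the last two labels are the zone, everything before them is payload."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyze(log_text: str, min_queries: int = 4, min_avg_sub_len: int = 20,
            min_avg_entropy: float = 3.0) -> dict:
    """Aggregate per zone and mark zones that exceed all three thresholds."""
    stats = defaultdict(lambda: {"queries": 0, "sub_len": 0, "entropy": 0.0,
                                 "txt": 0, "clients": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, qtype, qname = m.groups()
        zone, sub = split_name(qname)
        s = stats[zone]
        s["queries"] += 1
        s["sub_len"] += len(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        s["txt"] += qtype.upper() == "TXT"  # free-form text records can carry a payload
        s["clients"].add(client)

    results = {}
    for zone, s in stats.items():
        n = s["queries"]
        avg_len = s["sub_len"] / n
        avg_ent = s["entropy"] / n
        results[zone] = {
            "queries": n,
            "clients": len(s["clients"]),
            "avg_sub_len": round(avg_len, 1),
            "avg_entropy": round(avg_ent, 2),
            "txt_ratio": round(s["txt"] / n, 2),
            "suspicious": (n >= min_queries and avg_len >= min_avg_sub_len
                           and avg_ent >= min_avg_entropy),
        }
    return results


if __name__ == "__main__":
    for zone, r in sorted(analyze(SAMPLE_LOG).items()):
        print(zone, r)
```

Because the latest dnscat2 encrypts sessions by default, the subdomain payload is high-entropy whether or not the operator tried to hide it, which is why entropy and volume are more durable signals than any particular string; in production the thresholds would be tuned against a baseline of the organisation's own resolver logs rather than the fixed values used here.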

Link to his slides (actually, way MORE slides than he actually presented!)
