Sunday 24 June 2018

OzSecCon 2018

On 2-3 June 2018 I attended OzSecCon in Melbourne. I'm not really a locksport enthusiast by any stretch of the imagination; I'm happy to fiddle with a lock and pick during a social night, but I don't go out of my way to find the locksport village at a conference. However, the atmosphere at OzSecCon was amazing overall. Not least because it is hosted by Topy, the Australian who has lugged his locksport stores up, down, east and west across Australia, at his own personal expense, hosting the locksport villages at AusCert, Ruxcon, PlatypusCon, BSides Canberra and probably many more I'm forgetting. He is the drive behind growing locksport in Australia, so if you are remotely into locksport, OzSecCon is where you should be.

I've done a brief writeup of the talks and workshops I attended below.

DAY ONE

‘Keynote: Red Teaming’, by Jek Hyde

Jek works on Walmart's red team. She made it clear that her position on the red team is to achieve physical access, not to work on computers. She referred to herself as a "professional burglar". She discussed secure facilities syndrome, in which facilities tend to be very hard to get into, but once you are in, everything is soft and squishy on the inside because the organisation wants to promote a good culture. She did a walkthrough of a pentest she did in Canada. It started with dumpster diving. She found out about a meeting, made a fake pass, wore a fake pregnant belly, used a Bose cloner to clone a pass and got in.
She installed keyloggers, a Dropbox, a Rubber Ducky and listening devices. She heard a lady going out for lunch and used her office to gain access to systems. The key takeaway was that physical and logical security are treated separately when they affect each other so much, and should be looked at together.

‘Manipulation aids in opening safe locks’, by Jaakko Fagerlund

Jaakko is from Finland, is a machinist by trade and loves breaking all things mechanical.
He walked through the techniques of cracking dial combination safes. The wheels within the dial can be different shapes, and you can graph them by turning the wheel through each number. The right contact point (the sloped one) is the most useful one to measure. He showed graphs of the non-roundness of wheels, with 0.5mm deviation at some points. The exploits are based on dialing tolerances, cheap electronics, and reading the wheels in the order W3, W2, W1.
Advanced exploits use electronics to graph the wheel pack; the ultimate way is a manipulation robot (an autodialler with a microphone - softdrill).

‘Cognitive biases and how to be less wrong’, by Alex Hogue

Alex discussed base rate rejection. He explained that people are more likely to look at the evidence without looking at the base rate, e.g. creaks in a plane are taken as evidence of an impending crash despite the base rate of crashes being low.
He also discussed confirmation bias, e.g. verifying your hypothesis only with tests that will result in positive confirmation. This can be beaten by using a null hypothesis and trying to prove yourself wrong.
Availability heuristic: if there are more examples in the public media, then people assume it is more common, e.g. ransomware. This leads to "after a disaster we prepare more".
Others: scarcity bias, loss aversion, the sunk-cost fallacy, the halo effect, outcome bias, inattentional blindness, bias bias, and cognitive dissonance creating more bias.
Alex concluded with a very entertaining sleight of hand routine done to a volunteer from the audience.

‘Tamper resistance bypasses’, by Connor and Emily Morrison

Covered different types of tamper evident seals, with some recorded demos of removing them.

‘How to disappear completely’, by Attacus

Attacus provided an overview of "Senseface", a product that detects faces. She showed an admin interface of a Westfield info booth that records faces and estimates gender and age for advertising purposes. Attacus discussed detection vs recognition: detection is allowed without consent because it doesn't relate to personal or sensitive information. She spoke about the Identity-matching Services Bill 2018, under which the capability will be provided to Home Affairs for national security, identity safety etc. She noted that the Attorney-General's department is in discussion about selling facial records to private companies.
The second part of the talk moved to techniques to avoid facial recognition. She talked about how facial recognition works; old school mitigation techniques include wearing a balaclava, wearing sunglasses or pulling weird faces.
cvdazzle.com by Adam Harvey (ahprojects.com) provides approaches to avoiding facial recognition.

‘Back in time: Finnish lock industry’, by Thomas Covenant

Thomas covered off the history of locks in Finland, which is a leading region of lock production because of the rockiness of the country.
Karelian locks (Karelia is a region ceded by Finland to the Soviet Union) date back to medieval Finland.
She talked through wooden locks, the development of metal and ornamental locks, and the spiritual beliefs around locks keeping people safe.
1920s industrialisation heralded Abloy locks in Finland, designed by a Finnish man who repaired a cash till and saw the rotating disks. The patent was registered in 1918 and sold in 1919 for 34 euros.

DAY TWO

‘The ALC Galaxy Lock: an in-depth look’, by Adam Foster

Adam talked about how he bought and disassembled a Galaxy lock, released by the Australian Lock Company (ALC). He discussed how it works and possible ways to attack it. He stated that he had managed to pick it, but he hadn't recorded it and couldn't replicate it.

‘Challenge locks’, by nullwolf

Nullwolf started off explaining reasons why you would build challenge locks: the Reddit lock-picking community awards profile flair for building them. He covered off the rules for building a challenge lock, e.g. at least 6 modifications and a working key.
He covered the shopping list required and using a Dremel for pin sculpting.

Impressioning Workshop

I attempted the impressioning workshop... twice! I was terrible at it. But I learnt a lot about the technique and skill involved to impression a key.

Milling your own cutaway lock 

This is when I realised the value of OzSecCon being run at Melbourne Polytech. Access to all the machining tools allowed a live demo of creating cut away locks (plus many more machining demos that I missed). @anarchy_won did the demo and was patient and willing to answer any questions we had on mill types, techniques and other hints. It was fantastic seeing his passion and knowledge.

As well as the talks and workshops, OzSecCon had an inclusive and welcoming environment. I was greeted with friendliness and helpfulness the whole conference. I attended the female lunch and the Friday night party, and both were really enjoyable. The party was catered with Turkish food and a never-ending bar tab!

Overall, I've heard the locksport community likened to what the computer hacker community was 20 years ago. A little edgy and considered borderline inappropriate. However, like the trailblazers that made computer hacking mainstream, OzSecCon is breaking down barriers and making this important topic visible and accessible to everyone. Well done Topy & the OzSecCon Crew!!

Monday 28 May 2018

BGP route injection - extending VIRL externally

This simulation is a demonstration of route injection in a BGP network with six ASes, which I demonstrated at CrikeyCon 2018. However, at that time I hadn't been able to extend outside of the VIRL environment, so I had to browse via wget commands on the server CLI.

Today I had the time to configure my VIRL instance to extend to outside the environment to external devices (in this case a Windows VM).

In retrospect, this wasn't very difficult, but there is very little clear documentation on how to do this. The steps to achieve this were:

1. Configure the flat network under the VIRL Web GUI. Here we specify the IP address range of the external network and the interface on the VIRL VM/machine that we want to link to the external connection. Note down the flat network address.

3. On the VIRL CLI we now find the bridged interface that has been allocated the flat IP address 172.16.1.254

virl@virl:~$ ifconfig
br1       Link encap:Ethernet  HWaddr 00:0c:29:37:1c:0e
          inet addr:172.16.1.254  Bcast:172.16.1.255  Mask:255.255.255.0

4. Then make sure eth1 has been associated to the appropriate bridge

virl@virl:~$ brctl show
bridge name     bridge id               STP enabled     interfaces
br1             8000.000c29371c0e       no              dummy1
                                                        eth1

If this isn't the case, use the command brctl addif br1 eth1 and check again.

5. Add a flat device to your simulation. If connecting to a Linux server and wanting to access the rest of the network, make sure you enable routing (IPv4 forwarding via net.ipv4.ip_forward, plus the iptables rules to permit it).

6. Ensure the network is configured to use the flat network that you've just set up

7. When the simulation starts you should be able to attach to eth2 however you intend to, and ping/ssh to every device in your simulation (provided you have set up routing within the simulation to enable this).
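Steps 3 and 4 above come down to one question: is the external interface a member of the bridge that owns the flat address? The following is an added example (not from the original post) that parses the `ifconfig` and `brctl show` output formats shown above and answers that question, printing the `brctl addif` command from step 4 when the interface is missing. The sample output is constructed to match the post; the interface and address names are the post's own.

```python
"""Check that the VIRL flat-network bridge holds the external interface.

Added example, not from the original post. It parses the `ifconfig` and
`brctl show` output formats shown above and reports whether the interface
(eth1 in the post) is attached to the bridge that owns the flat address
(172.16.1.254). The sample output below is constructed to match the post."""
import re

# Constructed sample of `ifconfig` output: one bridge, one plain interface.
IFCONFIG_SAMPLE = """\
br1       Link encap:Ethernet  HWaddr 00:0c:29:37:1c:0e
          inet addr:172.16.1.254  Bcast:172.16.1.255  Mask:255.255.255.0
eth0      Link encap:Ethernet  HWaddr 00:0c:29:37:1c:04
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0
"""

# Constructed sample of `brctl show`; a bridge with several ports lists the
# extra ports on continuation lines that start with whitespace.
BRCTL_SAMPLE = """\
bridge name     bridge id               STP enabled     interfaces
br1             8000.000c29371c0e       no              dummy1
                                                        eth1
br0             8000.000c29371c0a       no              dummy0
"""


def parse_ifconfig(text):
    """Map interface name -> IPv4 address (None when the interface has none)."""
    addrs = {}
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0]
            addrs[current] = None
        elif current is not None:
            m = re.search(r"inet addr:(\S+)", line)
            if m:
                addrs[current] = m.group(1)
    return addrs


def parse_brctl(text):
    """Map bridge name -> set of member interfaces, honouring continuation lines."""
    members = {}
    current = None
    for line in text.splitlines()[1:]:  # skip the header row
        if not line.strip():
            continue
        if line[0].isspace():
            if current is not None:
                members[current].add(line.strip())
        else:
            fields = line.split()
            current = fields[0]
            members[current] = set(fields[3:])  # 4th column is the first port
    return members


def bridge_for_ip(ifconfig_text, ip):
    """Name of the interface (bridge) that carries `ip`, or None."""
    for name, addr in parse_ifconfig(ifconfig_text).items():
        if addr == ip:
            return name
    return None


def check_flat_bridge(ifconfig_text, brctl_text, flat_ip, iface):
    """Return (bridge, attached, fix): the bridge holding flat_ip, whether iface
    is already a member, and the brctl command from the post to run if not."""
    bridge = bridge_for_ip(ifconfig_text, flat_ip)
    if bridge is None:
        return None, False, None
    attached = iface in parse_brctl(brctl_text).get(bridge, set())
    fix = None if attached else "brctl addif %s %s" % (bridge, iface)
    return bridge, attached, fix


if __name__ == "__main__":
    print(check_flat_bridge(IFCONFIG_SAMPLE, BRCTL_SAMPLE, "172.16.1.254", "eth1"))
```

On a live VIRL box you would feed `check_flat_bridge` the real output of `ifconfig` and `brctl show` (via `subprocess`) instead of the constructed samples; the parsing is the same.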

I wish someone had walked me through this last Feb when I was fairly time poor - but now it's done. I hope it helps someone. Happy simulating!!

Sunday 6 May 2018

Getting Familiar with Scapy

https://blogs.sans.org/pen-testing/files/2016/04/ScapyCheatSheet_v0.2.pdf

Navigating Classes/Layers:

Check the details of each class/layer using ls():

>>> ls(IP)
version    : BitField             = (4)
ihl        : BitField             = (None)
tos        : XByteField           = (0)
len        : ShortField           = (None)
id         : ShortField           = (1)
flags      : FlagsField           = (0)
frag       : BitField             = (0)
ttl        : ByteField            = (64)
proto      : ByteEnumField        = (0)
chksum     : XShortField          = (None)
src        : Emph                 = (None)
dst        : Emph                 = ('127.0.0.1')
options    : PacketListField      = ([])

Check the commands available using lsc()

The format is command(packet)

Sending a Packet:

>>> pkt=IP(dst="google.com")/ICMP()

sr - send & receive (layer 3)
srp - send & receive at layer 2

>>> sr1(pkt)
Begin emission:
..................Finished to send 1 packets.
........................................................................................................................................................................................................................................................................................................................................................................................................................^C
Received 426 packets, got 0 answers, remaining 1 packets

sr1 = send and receive 1 packet, will send one and wait for one response

Using just send() will send and not wait for a response:
>>> send(pkt)
.
Sent 1 packets.

Using sendp() will send the packet at layer 2 (all functions ending in p work at layer 2):
>>> sendp(pkt)
.
Sent 1 packets.

To see the result, sr() always returns a tuple of (answered, unanswered):
>>> (ans,unans) = sr(IP(dst='google.com')/ICMP())

Iterations:
>>> pkts = IP(dst='192.168.0.0/28')
>>> [pkt for pkt in pkts]
[<IP  dst=192.168.0.0 |>, <IP  dst=192.168.0.1 |>, <IP  dst=192.168.0.2 |>, <IP  dst=192.168.0.3 |>, <IP  dst=192.168.0.4 |>, <IP  dst=192.168.0.5 |>, <IP  dst=192.168.0.6 |>, <IP  dst=192.168.0.7 |>, <IP  dst=192.168.0.8 |>, <IP  dst=192.168.0.9 |>, <IP  dst=192.168.0.10 |>, <IP  dst=192.168.0.11 |>, <IP  dst=192.168.0.12 |>, <IP  dst=192.168.0.13 |>, <IP  dst=192.168.0.14 |>, <IP  dst=192.168.0.15 |>]
>>>

Reading/logging traffic:

Sniff packets on the interface:

>>> pkts = sniff(count=24)
>>> pkts
<Sniffed: TCP:19 UDP:4 ICMP:0 Other:1>

Write the packets to a pcap file:

>>> wrpcap('./cap.pcap', pkts)

Write the pcap file back to a rpkts variable:

>>> rpkts = rdpcap('./cap.pcap')
>>> rpkts
<cap.pcap: TCP:19 UDP:4 ICMP:0 Other:1>

Use str() (raw() in newer Scapy versions) and hexdump() to also see the raw packet bytes.
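To show what wrpcap()/rdpcap() write and read, and what hexdump() prints, here is an added example in plain Python (not from the original post and not Scapy's own code). It serialises constructed Ethernet/IPv4 frames into the classic libpcap file format, reads them back, classifies each frame by IP protocol to produce a summary in the same style as `<cap.pcap: TCP:19 UDP:4 ICMP:0 Other:1>`, and dumps bytes in offset/hex/ASCII columns. The frames, addresses and timestamps are all constructed.

```python
"""Minimal pcap writer/reader with a Scapy-style protocol summary and hexdump.

Added example, not from the original post or from Scapy. Every frame, address
and timestamp below is constructed."""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution pcap, host byte order
LINKTYPE_ETHERNET = 1
IPPROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(hdr):
    """Standard ones'-complement checksum over an IPv4 header."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def build_frame(proto, payload=b"", src="192.168.0.10", dst="192.168.0.1"):
    """Constructed Ethernet + IPv4 frame carrying `proto`; the payload is opaque,
    which is enough for protocol counting (no layer-4 header is built)."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4
    total_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + payload


def build_arp_frame():
    """Constructed non-IP frame (EtherType ARP) so the summary has an 'Other'."""
    return b"\xff" * 6 + b"\xbb" * 6 + b"\x08\x06" + b"\x00" * 28


def wrpcap_bytes(frames):
    """Serialise frames into pcap file bytes: 24-byte global header, then a
    16-byte record header (ts_sec, ts_usec, incl_len, orig_len) before each frame."""
    out = [struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        ts_sec, ts_usec = 1500000000 + i, 0            # constructed timestamps
        out.append(struct.pack("=IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def rdpcap_bytes(data):
    """Parse pcap bytes back into a list of raw frames."""
    magic = struct.unpack("=I", data[:4])[0]
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    frames, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("=IIII", data[off:off + 16])
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def classify(frame):
    """Bucket a frame the way Scapy's summary does: by IPv4 protocol, else Other."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return "Other"
    return IPPROTO_NAMES.get(frame[23], "Other")   # byte 23 = IPv4 protocol field


def summary(frames, name="cap.pcap"):
    c = Counter(classify(f) for f in frames)
    return "<%s: TCP:%d UDP:%d ICMP:%d Other:%d>" % (
        name, c["TCP"], c["UDP"], c["ICMP"], c["Other"])


def hexdump(data, width=16):
    """Offset / hex / ASCII dump in the style of Scapy's hexdump()."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02X" % b for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%04x  %s  %s" % (off, hexpart, text))
    return "\n".join(lines)


# Constructed capture: 3 TCP, 2 UDP, 1 ICMP and 1 ARP frame.
SAMPLE_FRAMES = ([build_frame(6, b"\x00\x50" * 10)] * 3
                 + [build_frame(17, b"\x00\x35" * 4)] * 2
                 + [build_frame(1, b"\x08\x00")]
                 + [build_arp_frame()])


def roundtrip(frames=SAMPLE_FRAMES):
    """Write the frames to pcap bytes, read them back, and summarise them."""
    data = wrpcap_bytes(frames)
    back = rdpcap_bytes(data)
    return summary(back), back == frames


if __name__ == "__main__":
    print(roundtrip()[0])
    print(hexdump(SAMPLE_FRAMES[0][:32]))
```

Writing `wrpcap_bytes(...)` to a file produces something Scapy's rdpcap() or Wireshark opens directly; the point of the example is that the file is just a header plus length-prefixed frames, so a capture you log for later analysis is cheap to produce and to check for corruption (the magic number and per-record lengths).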

Fuzzing:

Verify which fields will be fuzzed by doing something similar to:

>>> (IP(dst='8.8.8.8')/fuzz(UDP()/BOOTP())).show()

State machine!!
http://www.secdev.org/projects/scapy/doc/advanced_usage.html#automata

Photo Journey

2016 - Opening Ceremony of the first BSides Canberra

2015 - Sydney CCIE bootcamp

2012 - Participating in my first CTF - Ruxcon

1995 - ANU hosting Women in Engineering

Me on far left in black

Monday 30 April 2018

L2 Attacks against Virtual Devices - CHCon 2017

My presentation at Christchurch Hackercon (CHCon) 2017 on L2 attacks against virtual devices.

Sunday 29 April 2018

BGP Route Injection

A recording of my CrikeyCon 2018 talk on using VIRL to demonstrate BGP route redirection:

Sunday 7 January 2018

Trialing Cisco Talos' Mutiny

These instructions are based off the Cisco Talos video tutorial: https://www.youtube.com/watch?v=FZyR6MgJCUs&sns=em

Setup the Server

On Ubuntu in the home directory run the following commands:
git clone https://github.com/Cisco-Talos/mutiny-fuzzer.git
git clone https://github.com/Cisco-Talos/Decept
cd mutiny-fuzzer/
tar xvzf radamsa-0.3.tar.gz
cd radamsa-0.3/
make
cd ..

Run the sample app

cd ~/mutiny-fuzzer/sample_apps/pidlisten/source/
python pid_listener.py

python test_client.py 8888 (in a new terminal)

Use the Decept Proxy to get sample input:

Test Decept:
cd ~/Decept/
python decept.py 127.0.0.1 8888 127.0.0.1 9999 --timeout .2

cd ~/mutiny-fuzzer/sample_apps/pidlisten/source/ (in a new term)
python pid_listener.py

python test_client.py 8888 (in a new terminal)

Generate sample input:
python decept.py 127.0.0.1 8888 127.0.0.1 9999 --timeout .2 --fuzzer fuzzer.pid
cd ~/mutiny-fuzzer/sample_apps/pidlisten/source/
python pid_listener.py

python test_client.py 8888 (in a new terminal)

Modify the input and move it to the correct directory:
vi fuzzer.pid
mv fuzzer.pid ../mutiny-fuzzer/


Run Mutiny:

python mutiny.py fuzzer.pid
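The Decept step above sits between the test client and pid_listener and records what passes through so the capture can seed the fuzzer. The following is an added example of that role in plain Python (not Decept's or Mutiny's own code): a recording TCP proxy that relays bytes in both directions and keeps every message with its direction. `serve()` mirrors the `decept.py 127.0.0.1 8888 127.0.0.1 9999` invocation from the post; `demo_exchange()` drives the same relay logic offline over socket pairs with a constructed request and reply. The one-line-per-message save format in `render_capture()` is an assumption chosen for readability, not Mutiny's .fuzzer format.

```python
"""Recording TCP proxy: the role Decept plays in the steps above.

Added example, not Decept's or Mutiny's own code. The capture format written
by render_capture() is assumed for readability, not Mutiny's .fuzzer format."""
import socket
import threading


def relay(src, dst, direction, log, lock):
    """Copy bytes from src to dst until src closes, recording each chunk."""
    while True:
        data = src.recv(4096)
        if not data:
            break
        with lock:
            log.append((direction, data))
        dst.sendall(data)
    try:
        dst.shutdown(socket.SHUT_WR)   # propagate the half-close to the other side
    except OSError:
        pass


def proxy_session(client_sock, server_sock, log):
    """Relay one client<->server session in both directions; blocks until both ends close."""
    lock = threading.Lock()
    threads = [
        threading.Thread(target=relay, args=(client_sock, server_sock, "outbound", log, lock)),
        threading.Thread(target=relay, args=(server_sock, client_sock, "inbound", log, lock)),
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return log


def render_capture(log):
    """Serialise the recorded exchange, one '<direction> <hex>' line per message (assumed format)."""
    return "\n".join("%s %s" % (direction, data.hex()) for direction, data in log)


def serve(listen_host, listen_port, target_host, target_port, log):
    """Accept one client, connect onward to the target, and proxy the session."""
    with socket.create_server((listen_host, listen_port)) as listener:
        client, _ = listener.accept()
        with client, socket.create_connection((target_host, target_port)) as server:
            return proxy_session(client, server, log)


def demo_exchange(request=b"PING", reply=b"PONG"):
    """Offline demonstration over socket pairs instead of real listeners: a
    constructed client sends `request`, a constructed server answers `reply`.
    Returns what the server saw, what the client got back, and the capture."""
    client_end, proxy_client_side = socket.socketpair()
    proxy_server_side, server_end = socket.socketpair()
    log = []
    worker = threading.Thread(target=proxy_session,
                              args=(proxy_client_side, proxy_server_side, log))
    worker.start()
    client_end.sendall(request)
    seen_by_server = server_end.recv(4096)
    server_end.sendall(reply)
    seen_by_client = client_end.recv(4096)
    client_end.close()       # outbound relay sees EOF and half-closes the server side
    server_end.close()       # inbound relay sees EOF and finishes
    worker.join(5)
    proxy_client_side.close()
    proxy_server_side.close()
    return seen_by_server, seen_by_client, list(log)


if __name__ == "__main__":
    # Offline run; replace with serve("127.0.0.1", 8888, "127.0.0.1", 9999, [])
    # to sit between a real client and a real listener as in the post.
    _, _, captured = demo_exchange()
    print(render_capture(captured))
```

The recorded `log` is what you would hand to a fuzzer as its seed: every outbound message is a candidate to mutate, and the inbound replies tell you what a healthy service answers, which is the baseline you compare against when a mutated input makes the target misbehave.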