Sunday, 24 June 2018

OzSecCon 2018

On 2-3 June 2018 I attended OzSecCon in Melbourne. I'm not really a locksport enthusiast by any stretch of the imagination; I'm happy to fiddle with a lock and pick during social night, but I don't go out of my way to find the locksport village at a conference. However, the atmosphere at OzSecCon was overall amazing. Not least, it is hosted by Topy, the Australian who has lugged his locksport stores up, down, east and west across Australia, at his own personal expense, hosting the locksport villages at AusCert, Ruxcon, PlatypusCon, BSides Canberra and probably many more I'm forgetting. He is the drive behind growing locksport in Australia, so if you are remotely into locksport, OzSecCon is where you should be.

I've done a brief writeup of the talks and workshops I attended below.


‘Keynote: Red Teaming’, by Jek Hyde

Jek works on the Walmart red team. She made it clear that her position on the red team is to achieve physical access, not to work on computers. She referred to herself as a “professional burglar”. She discussed secure facilities syndrome, in which facilities tend to be very hard to get into but, once in, are all soft and squishy on the inside because of wanting to promote a good culture. She did a walkthrough of a pentest she did in Canada. It started with dumpster diving. She found out about a meeting, made a fake pass, wore a fake pregnant belly, used a Boscloner to clone a pass and got in.
She installed keyloggers, drop boxes, a Rubber Ducky and listening devices. She heard a lady going out for lunch and used her office to gain access to systems. The key takeaway was that physical and logical security are treated separately when they affect each other so much, and should be looked at together.

‘Manipulation aids in opening safe locks’, by Jaakko Fagerlund

Jaakko is from Finland, is a machinist by trade and loves breaking all things mechanical.
He discussed techniques for cracking dial combination safes. The wheels within the dial can be different shapes, and can be graphed (turning the wheel through each number). The right contact point (sloped) is the one that is most useful to measure. He showed graphs of the non-roundness of wheels - 0.5mm deviation at some points. Exploits are based on dialing tolerances and cheap electronics, reading the wheels in the order W3, W2, W1.
Advanced exploits use electronics to graph the wheel pack; the ultimate way is a manipulation robot (an autodialler with a microphone - Softdrill).


‘Cognitive biases and how to be less wrong’, by Alex Hogue

Alex discussed base rate rejection. He explained that people are more likely to look at the evidence without looking at the base rate, e.g. creaks in a plane taken as evidence of an impending crash despite the base rate of crashes being low.
He also discussed confirmation bias, e.g. verifying your hypothesis only with tests that will result in positive confirmation. This can be beaten by using a null hypothesis - trying to prove yourself wrong.
Availability heuristic - if there are more examples in public media, then people assume it is more common, e.g. ransomware. This leads to “after a disaster we prepare more”.
Others: scarcity bias, loss aversion, sunk-cost fallacy, the halo effect, outcome bias, inattentional blindness, bias bias; cognitive dissonance creates more bias.
Alex concluded with a very entertaining sleight of hand routine done with a volunteer from the audience.

‘Tamper resistance bypasses’, by Connor and Emily Morrison

Covered different types of tamper-evident seals, with some recorded demos of removing them.

‘How to disappear completely’, by Attacus

Attacus provided an overview of “Senseface”, a product that detects faces. She showed an admin interface of a Westfield info booth that records faces, estimating gender and age for advertising purposes. Attacus discussed detection vs recognition. Detection is allowed without consent because it doesn’t relate to personal or sensitive information. She spoke about the Identity-matching Services Bill 2018 - the capability will be provided to Home Affairs for national security, identity safety etc. She noted that the Attorney-General's department is in discussion about selling facial records to private companies.
The second part of the talk moved to techniques for avoiding facial recognition. She talked about how facial recognition works; old school mitigation techniques include wearing a balaclava, wearing sunglasses or pulling weird faces. Adam Harvey provides solutions for avoiding facial recognition.

‘Back in time: Finnish lock industry’, by Thomas Covenant

Thomas covered off the history of locks in Finland, which is a leading region of lock production because of the rockiness of the country.
Karelian locks (Karelia is a region ceded by Finland to the Soviet Union) date back to medieval Finland.
She talked through wooden locks, the development of metal and ornamental locks, and the spiritual beliefs around locks keeping people safe.
1920s industrialisation heralded Abloy locks in Finland. They were designed by a Finnish man who repaired a cash till and saw the rotating disks. The patent was registered in 1918 and sold in 1919 for 34 euros.


‘The ALC Galaxy Lock: an in-depth look’, by Adam Foster

Adam talked about how he bought and disassembled a Galaxy lock, released by the Australian Lock Company (ALC). He discussed how it worked and possible ways to attack it. He stated that he had managed to pick it, but he hadn't recorded it and couldn’t replicate it.

‘Challenge locks’, by nullwolf

Nullwolf started off by explaining reasons why you would build challenge locks - the Reddit lockpicking community awards profile flair for building challenge locks. He covered off the rules for building a challenge lock, e.g. at least 6 modifications and a working key.
He covered the shopping list required, and using a Dremel to do pin sculpting.

Impressioning Workshop

I attempted the impressioning workshop... twice! I was terrible at it. But I learnt a lot about the technique and skill involved in impressioning a key.

Milling your own cutaway lock

This is when I realised the value of OzSecCon being run at Melbourne Polytech. Access to all the machining tools allowed a live demo of creating cutaway locks (plus many more machining demos that I missed). @anarchy_won did the demo and was patient and willing to answer any questions we had on mill types, techniques and other hints. It was fantastic seeing his passion and knowledge.

As well as the talks and workshops, OzSecCon had an inclusive and welcoming environment. I was greeted with friendliness and helpfulness the whole conference. I attended the female lunch and the Friday night party; both were really enjoyable. The party was catered with Turkish food and a never-ending bar tab!

Overall, I've heard the locksport community likened to what the computer hacker community was 20 years ago. A little edgy and considered borderline inappropriate. However, like the trailblazers that made computer hacking mainstream, OzSecCon is breaking down barriers and making this important topic visible and accessible to everyone. Well done Topy & the OzSecCon Crew!!

Tuesday, 12 June 2018

Kernel Hacking to achieve custom FC frames - incomplete

This post covers the incomplete work I did on trying to modify FC drivers to send custom FC frames. I hope someone can pick it up and use it because I don't think I have time to finish it.


To determine what symbols have been exported by the kernel, run:


library functions -> run in user space
system calls -> run in kernel mode

Connecting to the SAN:

[425303.444353] lpfc 0000:07:00.0: 0:1303 Link Up Event x1 received Data: x1 xf7 x10 x0 x0 x0 0
[425305.532359] scsi 6:0:0:1: Direct-Access     LIO-ORG  storage1         4.0  PQ: 0 ANSI: 5
[425305.532945] sd 6:0:0:1: Attached scsi generic sg1 type 0
[425305.534874] sd 6:0:0:1: [sdb] 1048576000 512-byte logical blocks: (537 GB/500 GiB)
[425305.534878] sd 6:0:0:1: [sdb] 4096-byte physical blocks
[425305.535976] sd 6:0:0:1: [sdb] Write Protect is off
[425305.535981] sd 6:0:0:1: [sdb] Mode Sense: 43 00 10 08
[425305.536109] sd 6:0:0:1: [sdb] Write cache: enabled, read cache: enabled, supports DPO and FUA
[425305.605769]  sdb: sdb1
[425305.606899] sd 6:0:0:1: [sdb] Attached SCSI disk
[root@localhost new-modules]# ls -la /dev/sdb*
brw-rw----. 1 root disk 8, 16 May 12 16:10 /dev/sdb
brw-rw----. 1 root disk 8, 17 May 12 16:10 /dev/sdb1

From within: /usr/src/linux/Documentation/devices.txt
  8 block       SCSI disk devices (0-15)
                  0 = /dev/sda          First SCSI disk whole disk
                 16 = /dev/sdb          Second SCSI disk whole disk
                 32 = /dev/sdc          Third SCSI disk whole disk
                240 = /dev/sdp          Sixteenth SCSI disk whole disk

                Partitions are handled in the same way as for IDE
                disks (see major number 3) except that the limit on
                partitions is 15.

Finding the Link Up Event within the driver:

[root@localhost lpfc]# grep "Link Up Event" *
lpfc_hbadisc.c:                                 "1303 Link Up Event x%x received  

The function that handles the Link Up Event (abbreviated excerpt from lpfc_hbadisc.c):
lpfc_mbx_cmpl_read_topology(struct lpfc_hba *phba, LPFC_MBOXQ_t *pmb)
        struct lpfc_vport *vport = pmb->vport;
        struct Scsi_Host  *shost = lpfc_shost_from_vport(vport);
        struct lpfc_mbx_read_top *la;
        MAILBOX_t *mb = &pmb->u.mb;
        struct lpfc_dmabuf *mp = (struct lpfc_dmabuf *) (pmb->context1);
                        lpfc_printf_log(phba, KERN_ERR, LOG_LINK_EVENT,
                                        "1303 Link Up Event x%x received "
                                        "Data: x%x x%x x%x x%x x%x x%x %d\n",
                                        la->eventTag, phba->fc_eventTag,
                                        bf_get(lpfc_mbx_read_top_link_spd, la),
                                        bf_get(lpfc_mbx_read_top_mm, la),
                                        bf_get(lpfc_mbx_read_top_fa, la),

Looking for file operations in the driver:

[root@localhost lpfc]# grep fops *
lpfc_init.c:    .fops = &lpfc_mgmt_fop,

vi lpfc_init.c
static const struct file_operations lpfc_mgmt_fop = {
        .owner = THIS_MODULE,

static struct miscdevice lpfc_mgmt_dev = {
        .minor = MISC_DYNAMIC_MINOR,
        .name = "lpfcmgmt",
        .fops = &lpfc_mgmt_fop,

[root@localhost lpfc]# cat /proc/kallsyms | grep lpfc_mgmt_fop
ffffffffa0162c60 r lpfc_mgmt_fop        [lpfc]

Setting up kernel source to modify drivers:

[kylie@localhost ~]$ uname -r

[kylie@localhost ~]$ koji download-build --arch=src kernel-4.4.8-300.fc23.x86_64
kernel-4.4.8-300.fc23.src.rpm                                                              | 168 MB  00:02:26 !!!

[kylie@localhost ~]$ ls
kernel  kernel-4.4.8-300.fc23.src.rpm  rpmbuild

[kylie@localhost ~]$ su -c 'dnf builddep kernel-4.4.8-300.fc23.src.rpm'

Different tack - using FCoE

1. Using fcoe-utils to set up an Ethernet interface with DCB to enable FCoE:

This example configures interface eth3 to automatically connect to storage over a discovered VLAN.

1) Configure FCoE on the interface
     # cd /etc/fcoe/
     # cp cfg-ethx cfg-eth3

2) Start lldpad and configure the interface for DCB.
    # service lldpad start
    # dcbtool sc eth3 dcb on
    # dcbtool sc eth3 pfc e:1
    # dcbtool sc eth3 app:fcoe e:1

As a convenience there is a script that will confirm if DCB has been configured correctly for FCoE. The script is run as follows,

    <fcoe-utils source>/debug/ eth3
    (note: this is on the root device, not the VLAN)

Follow the suggestions and repeatedly run the script until it states that DCB is configured correctly.

3) Start fcoe
    # service fcoe start
      After a few moments your storage should appear (assuming everything is
      configured correctly on the fabric)

4) Setup lldpad and fcoe to start when booting
     # chkconfig lldpad on
     # chkconfig fcoe on

2. Connect port to an FCoE switch set to span another port

Need to source an FCoE switch... maybe one in the datacentre? :/

3. Record the traffic

Use scapy to record a pcap, or record via Wireshark.

4. Replay traffic

Use scapy to replay the traffic on the FCoE-enabled Ethernet interface.

5. Make changes to FC frames
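Steps 3 to 5 (record, replay, modify) hinge on one detail the notes do not mention: every FC frame carries its own CRC-32 over the FC header and data, so a frame whose fields are edited in a pcap is discarded by the receiving end unless it is re-sealed. The stdlib-only Python below is an added example, not code from this post or from fcoe-utils; it parses an FCoE-encapsulated frame (Ethertype 0x8906), verifies the FC CRC (byte order follows the Linux fcoe driver), and rebuilds an edited frame with a fresh CRC. The sample frame, its MAC addresses and its payload are constructed placeholders, and the same parser doubles as a sanity check on captures before replay.

```python
import struct
import zlib

FCOE_ETHERTYPE = 0x8906
FC_HDR = struct.Struct(">B3sB3sB3sBBHHHI")          # 24-byte FC frame header
FIELDS = ("r_ctl", "d_id", "cs_ctl", "s_id", "type", "f_ctl",
          "seq_id", "df_ctl", "seq_cnt", "ox_id", "rx_id", "param")
ADDR24 = ("d_id", "s_id", "f_ctl")                   # 24-bit fields (3 bytes)
SOF_I3, EOF_T = 0x2E, 0x42                           # FC-BB-5 SOF/EOF codes

def fc_crc(fc_bytes):
    # FC uses the IEEE 802.3 CRC-32 over header + data; the FCoE CRC field
    # carries it little-endian, as the Linux fcoe driver writes it.
    return struct.pack("<I", zlib.crc32(fc_bytes))

def parse_fcoe_frame(frame):
    """Split an FCoE frame into its FC header fields and payload; verify the CRC."""
    if len(frame) < 60 or struct.unpack(">H", frame[12:14])[0] != FCOE_ETHERTYPE:
        raise ValueError("not an FCoE frame")
    fc_hdr, body, crc = frame[28:52], frame[52:-8], frame[-8:-4]
    info = dict(zip(FIELDS, FC_HDR.unpack(fc_hdr)))
    for k in ADDR24:
        info[k] = int.from_bytes(info[k], "big")
    info.update(sof=frame[27], eof=frame[-4], payload=body,
                crc_ok=(crc == fc_crc(fc_hdr + body)))
    return info

def build_fcoe_frame(dst, src, hdr, payload, sof=SOF_I3, eof=EOF_T):
    """Encapsulate an FC header dict plus payload, sealing it with a fresh CRC."""
    vals = [hdr[k].to_bytes(3, "big") if k in ADDR24 else hdr[k] for k in FIELDS]
    fc = FC_HDR.pack(*vals) + payload
    fcoe_hdr = bytes(13) + bytes([sof])              # version 0, 12 reserved, SOF
    return (dst + src + struct.pack(">H", FCOE_ETHERTYPE) + fcoe_hdr
            + fc + fc_crc(fc) + bytes([eof]) + bytes(3))   # CRC, EOF, 3 reserved

def rewrite_fields(frame, **changes):
    """Edit FC header fields of a captured frame and re-seal it with a valid CRC."""
    info = parse_fcoe_frame(frame)
    info.update(changes)
    return build_fcoe_frame(frame[:6], frame[6:12], {k: info[k] for k in FIELDS},
                            info["payload"], info["sof"], info["eof"])

def sample_frame():
    # Constructed sample (not a real capture): an ELS request addressed to the
    # fabric login well-known address 0xFFFFFE; MACs and payload are placeholders.
    hdr = dict(r_ctl=0x22, d_id=0xFFFFFE, cs_ctl=0, s_id=0, type=0x01,
               f_ctl=0x290000, seq_id=0, df_ctl=0, seq_cnt=0,
               ox_id=0x1000, rx_id=0xFFFF, param=0)
    return build_fcoe_frame(bytes.fromhex("0efc00fffffe"), bytes.fromhex("001122334455"),
                            hdr, b"\x04" + bytes(15))
```

Flipping a single byte of the captured frame makes crc_ok False, which is exactly what an HBA sees when a pcap is edited by hand and replayed; rewrite_fields shows the re-seal step that has to follow any edit.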