Friday, April 16, 2010

Hackito Ergo Sum, Day 3

The last day of HES began with a talk on the new generation of botnets, presented by Itzik Kotler and Ziv Gadot from Radware. According to them, botnets have introduced many technologies of their own, which is one reason they are worth studying; of course, botnets also reuse technologies invented by researchers and others. Botnet masters use different kinds of protocols to communicate with their botnets: HTTP (Twitter, for example), IRC or a P2P network architecture. If we look at Conficker, its first three versions (A, B, C) relied on HTTP and randomly generated domain names to communicate, while the last versions (D, E) moved to a more flexible channel: P2P.
An important property a botnet master wants for his botnet is resilience against a SPOF (Single Point Of Failure). Using protocols like HTTP lets botnet traffic blend into ordinary traffic, which passes the organization's security policy, works behind NAT and minimizes the botnet's network footprint.
Their aim was to build a blended botnet with SPOF resilience, so they looked at communication methods that meet these criteria:
- Internet clipboard e.g.
- Disposable E-mail Address (DEA)
- User generated content e.g. comments on
- Url shortening e.g.

They introduced the "room" concept, which corresponds to the communication method. A private room can be used to communicate with a single bot, which amounts to sending a unicast message. The negotiation of the room between the bot and the bot master is a 4-step process; I advise you to look at the slides, where it is very well explained. Their proof of concept is written in Python and is called Turbot (the name has nothing to do with the speed of their botnet, which at the moment is quite slow). We did not get a demonstration of their botnet POC because of a network problem at the conference. [Slides]

After lunch, Renaud Lifchitz opened the afternoon with a very interesting talk, the first one in French (two others followed). First, let me define clock skew: it is the small deviation of a clock compared to a reference clock. The aim is to build a fingerprint from the clock skew (since every clock is different), so measurement precision is very important.
A computer has two clocks:
- hardware clock (Real Time Clock)
- software/system clock managed by the OS
Here, the second clock is the interesting one. To measure clock skew, Renaud turned to the NTP protocol, which contacts an atomic clock over UDP on port 123. Depending on the time difference between the atomic clock and the system clock, NTP speeds up or slows down the clock rate to correct the time (an abrupt time change could disturb some processes). NTP is the most precise way to measure time, but it is also possible by sniffing packets or by sending an ICMP Timestamp request (Type 13, Code 0); the answer is an ICMP Timestamp reply (Type 14), which returns the number of milliseconds since midnight. Renaud chose NTP for its precision.
These are the steps to fingerprint a machine:
- every 5 seconds, adjust your own computer's clock against an NTP server and save the victim's timestamp
- after 1 or 2 minutes, you obtain a precise fingerprint (which corresponds to an average skew).

"The more imprecise the victim's clock, the more precise the fingerprint."

This method can be used to identify stolen hardware on a LAN (it still works if the IP address, MAC address and hard drive have changed, but not if the operating system has changed), to detect virtual machines (all VMs may share the same clock as the host machine), and so on. But the method has some drawbacks: it is imprecise over the Internet, and results can be affected by network latency, temperature variation, altitude and the victim's activity. To protect yourself against this fingerprinting method, you can sync your clock frequently (every 5-10 seconds) and disable TCP/ICMP Timestamp requests/replies. [Slides]
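To make the measurement concrete, here is an added example (my own code, not Renaud's tool or slides) showing the arithmetic behind the fingerprint: each sample pairs the time of a freshly NTP-synced reference clock with the timestamp reported by the measured host, and the skew is the slope of (remote - reference) over reference time in parts per million. The host-side timestamps are simulated with a simple drift model rather than captured from a real machine, and the simulation also shows why the suggested countermeasure works: a host that resyncs every 10 seconds yields a slope near zero even though its oscillator drifts just as much.

```python
"""Estimating a remote host's clock skew from periodic timestamp samples.

Added example, not from the talk or its slides. The drift model and all
sample values are constructed; nothing here contacts a real host.
"""
from typing import List, Optional, Tuple

Sample = Tuple[float, float]  # (reference_time_s, remote_time_s)

MS_PER_DAY = 24 * 60 * 60 * 1000


def estimate_skew_ppm(samples: List[Sample]) -> float:
    """Least-squares slope of the offset (remote - reference) against
    reference time, scaled to ppm. Needs at least two distinct reference times."""
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    xs = [ref for ref, _ in samples]
    ys = [remote - ref for ref, remote in samples]  # offset at each sample
    n = len(samples)
    x_mean = sum(xs) / n
    y_mean = sum(ys) / n
    num = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, ys))
    den = sum((x - x_mean) ** 2 for x in xs)
    if den == 0:
        raise ValueError("all samples share the same reference time")
    return num / den * 1e6


def simulate_remote_clock(true_skew_ppm: float, interval_s: float, duration_s: float,
                          resync_every_s: Optional[float] = None) -> List[Sample]:
    """Constructed host-side timestamps. A clock that is never synced drifts
    linearly at true_skew_ppm; a clock resynced every resync_every_s seconds
    snaps back to the reference at each sync, so its accumulated offset
    never exceeds resync_every_s * skew."""
    samples: List[Sample] = []
    t = 0.0
    while t < duration_s:
        since_sync = t if resync_every_s is None else t % resync_every_s
        remote = t + since_sync * true_skew_ppm / 1e6
        samples.append((t, remote))
        t += interval_s
    return samples


def icmp_timestamp_offset_ms(remote_ms_since_midnight: int, local_ms_since_midnight: int) -> int:
    """Signed offset between an ICMP Timestamp reply (Type 14 carries
    milliseconds since midnight UTC) and the local clock, wrapped into
    [-12h, +12h) so a sample taken across midnight is not read as a
    day-sized jump."""
    diff = (remote_ms_since_midnight - local_ms_since_midnight) % MS_PER_DAY
    if diff >= MS_PER_DAY // 2:
        diff -= MS_PER_DAY
    return diff


if __name__ == "__main__":
    # The talk's procedure: a sample every 5 seconds for about two minutes.
    drifting = simulate_remote_clock(50.0, 5.0, 120.0)
    synced = simulate_remote_clock(50.0, 5.0, 120.0, resync_every_s=10.0)
    print("unsynced host: %.2f ppm" % estimate_skew_ppm(drifting))
    print("host syncing every 10 s: %.2f ppm" % estimate_skew_ppm(synced))
    print("reply at 00:00:00.100 vs local 23:59:59.900: %d ms"
          % icmp_timestamp_offset_ms(100, MS_PER_DAY - 100))
```

With real samples the offsets carry network jitter, which is why the talk averages over a minute or two; the least-squares slope is the simplest way to take that average, and the residual spread around the fitted line gives a feel for how much of the measured skew is noise.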

This talk was followed by another French one, "A5/1 application & crack via GPU", presented by Gloire Gwendal (Kalkulator's Knights Project). He presented the A5 protocol family:
- A5/1
- A5/2
- A5/3
A5/1 is a weak encryption algorithm which uses only a 64-bit key in theory (54 bits in practice, because 10 are fixed to zero). Because of its weakness, many researchers have tried to break A5/1:
- 1997: first attack, A5/1 complexity reduction
- 1999: publication of A5/1, which had been recovered by reverse engineering
- 2000: some complexity reductions
- 2003-2004: attacks on the key
- December 2009: Karsten Nohl announced his attack during the Chaos Computer Congress. It is a rainbow table attack that can be carried out in 30 minutes. A demonstration will be given in August 2010.
There is little risk of seeing attacks on A5/1 in the near future, because a huge amount of computing power is needed (GPU cluster, FPGA cluster...) and generating the rainbow tables takes some months. [Slides]

Then Julien Vanegue from Microsoft talked about "Automated vulnerability analysis of zero-size heap allocations" [Slides], and the conference day ended with the talk "Stack Smashing Protector in FreeBSD" presented by Paul Rascagneres (in French). [Slides]

These three days at Hackito Ergo Sum in Paris were very interesting; I'm very happy to have attended these talks and I think I'll be at HES2011. I want to thank the HES team for its work and to say: "See you in 2011 ;)".

If you spot any errors or want to make remarks, don't hesitate: the comments are there for that.

Tuesday, April 13, 2010

Hackito Ergo Sum, Day 2

The first speaker of the second day was Jorge Luis Alvarez Medina from Core Security. His talk was named "Internet Explorer turns your personal computer into a public file server" and covered the same theme he presented at Black Hat DC 2010 (February 2-3, 2010). His talk explained how it is possible to blindly read any file (browsing history, cookies...) on the victim's hard drive.

He began by presenting the security mechanisms of IE: security zones, zone elevation attacks (a web page in a given security zone loads a page from a less restrictive zone) and MIME type detection. The simplest scenario he described is the following:
1- The attacker puts a specific HTML file in the victim's shared folders
2- The attacker sends the victim a link to a malicious site
3- The malicious web page redirects navigation towards the uploaded file
4- HTML/script code runs in the context of

He continued with a demo of a BeEF module developed specifically for this vulnerability. If you want to protect your computer against it, you can for example:
- Set to high the security level of Internet and Intranet zones
- Use Internet Explorer in Protected Mode
- Disable administrative shares
- Change your browser :)

The last talk of the morning was given by Jonathan Brossard from P1 Security and was entitled "Breaking Virtualization by switching to Virtual 8086 mode". He began with the definition of virtualization and a presentation of its different kinds (full virtualization, paravirtualization). Then he gave an overview of the different kinds of virtualization vulnerabilities, such as:
- privilege escalation in a virtual machine
- from one VM, attacking another VM
- a DoS attack on the host to disrupt the VMs
- accessing the host from inside a VM
During his research, Jonathan fuzzed VirtualBox, in which he found 2 bugs in the hypervisor, and found a bug affecting the guest machine in Virtual PC. He ended his presentation with a demonstration in which exploiting a bug he found in vserver crashed the host machine (his laptop, in this case). [Slides]

During the lunch break, I attended the lockpicking workshop, which was mainly hands-on. I learned how to build lockpicks and successfully picked one lock.

The afternoon began with a talk by Matthieu Suiche from MoonSols about Mac OS X physical memory analysis. He covered physical memory analysis on Intel x86/x64 Macintosh machines (not PowerPC) running Mac OS 10.5 (Leopard) or 10.6 (Snow Leopard). Lots of information can be recovered from memory: syscalls, processes, machine information (minor and major OS version, kernel version)... He is also able to recover the password of a user account (the one used to log on to the Mac) just by analysing memory. [Slides]

The next talk was given by Sandro Gauci and was named "Attacking VoIP – attacks and the attackers". He introduced SIP, SIP scanning and tools like SIPVicious and VoIPPack for CANVAS. [Slides]

Then Laurent Gaffié started his "Fuzzing the SMB case" talk with a presentation of this old protocol. His research approach was the following:
- reading the RFCs, books and Microsoft documentation
- setting up a lab representing a company network, with Windows 3.1 to Windows 7
- fuzzing the different SMB implementations
During his demonstration, the bug he discovered allowed him to bluescreen a victim Windows 7 machine remotely in a few seconds. He is currently working with Microsoft teams to fix this bug, and it should be patched next Tuesday (MS10-020). He has also discovered lots of other bugs in Vista, XP, 7, 2008 Server, Samba and Netware 6.5 SP8. Because the packets are very small, all these bugs took less than 2 minutes to be found by Laurent's tools. [Slides]

Lutz Böhne gave the last talk of the second day, entitled "Peeking into Pandora's Bochs: instrumenting a full system emulator to analyse malicious software". Pandora's Bochs is an automated unpacker written in Python. [Slides]

Sunday, April 11, 2010

Hackito Ergo Sum, Day 1

Hackito Ergo Sum is a three-day IT security and hacking conference in Paris. This year was the first edition of HES, and it ran from April 8th to 10th, 2010. Between 50 and 70 professionals and enthusiasts attended the event.

The first day began with Jeremie Zimmerman from "La quadrature du net", an organization that defends citizens' rights and freedoms on the Internet. It was founded in 2008 by 4-5 people. They call themselves "law hackers", i.e. they look for inconsistencies in French and European laws. According to Jeremie, there is only one Internet, but in China, for example, Internet users are not using the Internet but the "Chinternet", because of the censorship applied by the authorities (see the Tiananmen case). His second example was mobile Internet: he said it is not the Internet, because we cannot use P2P or newsgroups, and some operators throttle traffic.

The second talk of the morning was named "Getting in the SS7 kingdom: hard technology and disturbingly easy hacks to get entry points in the walled garden" and was presented by Philippe Langlois from P1 Security. SS7 (Signaling System 7) is a family of telephony protocols used in most phone networks in the world. At the moment, pentests of phone networks are very rare, as they were on IP networks in the 80s, but they should increase over the next 10 years. It is possible to scan and inject on these networks; for example, the SCTPscan tool (developed by Philippe and included in BackTrack 4) scans SCTP equipment. SCTP (Stream Control Transmission Protocol) is a transport-layer protocol of the OSI model, like UDP or TCP. To scan an SCTP endpoint, we send an "INIT" packet. If the port is closed, it replies with an "ABORT"; otherwise it replies with an "INIT-ACK" to a legitimate client and does not reply at all to the attacker. [Slides]
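To show what the INIT/ABORT/INIT-ACK exchange looks like on the wire, and what a defender watching an SCTP-facing network can do with it, here is an added example (my own code, not SCTPscan and not from Philippe's slides). It lays out the SCTP common header and chunk list as defined in RFC 4960, classifies the reply to an INIT probe the way the talk describes, and flags any source whose INIT chunks hit many distinct ports, which is the footprint such a scan leaves in a capture. The IP addresses, ports and packets are constructed, and the checksum field is left at zero rather than a real CRC32c.

```python
"""Parsing SCTP chunks and triaging INIT probes.

Added example, not code from the talk. All traffic below is constructed:
the addresses, the port list and the packet bytes are sample values.
"""
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

CHUNK_INIT, CHUNK_INIT_ACK, CHUNK_ABORT = 1, 2, 6
CHUNK_NAMES = {0: "DATA", 1: "INIT", 2: "INIT ACK", 3: "SACK", 4: "HEARTBEAT",
               5: "HEARTBEAT ACK", 6: "ABORT", 7: "SHUTDOWN", 8: "SHUTDOWN ACK",
               9: "ERROR", 10: "COOKIE ECHO", 11: "COOKIE ACK"}

Chunk = Tuple[int, int, bytes]  # (type, flags, value)


def init_chunk_value(init_tag: int = 0x1234, a_rwnd: int = 65535, out_streams: int = 10,
                     in_streams: int = 65535, initial_tsn: int = 1) -> bytes:
    """Fixed part of an INIT / INIT ACK chunk (RFC 4960 section 3.3.2)."""
    return struct.pack("!IIHHI", init_tag, a_rwnd, out_streams, in_streams, initial_tsn)


def build_sctp(sport: int, dport: int, vtag: int, chunks: List[Chunk]) -> bytes:
    """Common header (ports, verification tag, checksum) followed by chunks,
    each padded to a 4-byte boundary. Checksum is 0: constructed sample only."""
    out = struct.pack("!HHII", sport, dport, vtag, 0)
    for ctype, flags, value in chunks:
        out += struct.pack("!BBH", ctype, flags, 4 + len(value)) + value
        out += b"\x00" * (-len(value) % 4)
    return out


def parse_sctp(packet: bytes) -> Tuple[int, int, int, List[Chunk]]:
    """Return (sport, dport, verification tag, chunks); rejects bad lengths."""
    if len(packet) < 12:
        raise ValueError("truncated SCTP common header")
    sport, dport, vtag, _checksum = struct.unpack("!HHII", packet[:12])
    chunks: List[Chunk] = []
    off = 12
    while off + 4 <= len(packet):
        ctype, flags, length = struct.unpack("!BBH", packet[off:off + 4])
        if length < 4 or off + length > len(packet):
            raise ValueError("bad chunk length %d at offset %d" % (length, off))
        chunks.append((ctype, flags, packet[off + 4:off + length]))
        off += (length + 3) & ~3  # chunk length excludes padding; skip it
    return sport, dport, vtag, chunks


def classify_probe_reply(reply: Optional[bytes]) -> str:
    """What an INIT probe learns, per the talk: ABORT means the port is
    closed, INIT ACK means it is open, silence is all a scanner sees."""
    if reply is None:
        return "no-reply"
    _, _, _, chunks = parse_sctp(reply)
    types = {ctype for ctype, _, _ in chunks}
    if CHUNK_ABORT in types:
        return "closed"
    if CHUNK_INIT_ACK in types:
        return "open"
    return "other"


def find_init_scanners(flows: List[Tuple[str, str, bytes]], min_targets: int = 5) -> Dict[str, int]:
    """flows: (src_ip, dst_ip, raw_sctp). Returns sources whose INIT chunks
    hit at least min_targets distinct (dst_ip, dst_port) pairs."""
    targets: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for src, dst, raw in flows:
        _, dport, _, chunks = parse_sctp(raw)
        if any(ctype == CHUNK_INIT for ctype, _, _ in chunks):
            targets[src].add((dst, dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


# Constructed traffic: one legitimate client, one source sweeping ports.
SCANNED_PORTS = [2905, 3565, 3868, 9899, 14001, 36412, 36422, 38412]  # constructed list
LEGIT_INIT = build_sctp(40000, 2905, 0, [(CHUNK_INIT, 0, init_chunk_value())])
SAMPLE_FLOWS = [("10.0.0.5", "192.0.2.1", LEGIT_INIT)] + [
    ("10.0.0.9", "192.0.2.1",
     build_sctp(45000 + i, p, 0, [(CHUNK_INIT, 0, init_chunk_value(init_tag=0x100 + i))]))
    for i, p in enumerate(SCANNED_PORTS)
]
# Replies the target might send back; the verification tag echoes the peer's init tag.
REPLY_OPEN = build_sctp(2905, 40000, 0x1234, [(CHUNK_INIT_ACK, 0, init_chunk_value(init_tag=0xABCD))])
REPLY_CLOSED = build_sctp(9899, 45003, 0x103, [(CHUNK_ABORT, 1, b"")])  # T flag: no association

if __name__ == "__main__":
    for name, pkt in (("open", REPLY_OPEN), ("closed", REPLY_CLOSED)):
        _, _, _, chunks = parse_sctp(pkt)
        print(name, [CHUNK_NAMES.get(c[0], c[0]) for c in chunks], "->", classify_probe_reply(pkt))
    print("no answer ->", classify_probe_reply(None))
    print("INIT scanners:", find_init_scanners(SAMPLE_FLOWS))
```

On a real link the flows would come from a capture rather than the constructed list, and the threshold in `find_init_scanners` would be tuned to the site: a signalling gateway legitimately talks to a handful of peers on a few fixed ports, so a single source spraying INIT across many ports stands out clearly.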

The afternoon began with a talk about the FPGA security challenge. Sebastien Bourdeauducq, aka lekernel, briefly explained what an FPGA is and then talked about the challenge, which was available during the 3 days of HES 2010. If you need more information on FPGAs, I recommend Wikipedia. The challenge was composed of 6 levels of increasing difficulty. [Slides]

The talk following Sebastien's was given by Benjamin Henrion. He talked about modifying/hacking one of the most widespread Linux devices in Belgium: the Belgacom Box 2. This box is made by Sagem and has hardware similar to Orange's Livebox. It runs OpenRG Linux and is equipped with a VDSL interface, VoIP and an Atheros card. By default, telnet is open and a default login/password combination is used (admin/BGCVDSL2). He also found a way to get full admin access to the web interface just by passing the login and password in the URL as GET parameters. It is possible to load custom code on it via a USB key, telnet or tftp. For example, Benjamin successfully turned his box into a torrent box with Transmission (with CLI and web access), and installed tools like tcpdump and airodump... [Slides]

The third talk of the afternoon was about using artificial intelligence techniques to improve pentest automation. The speaker, Carlos Sarraute, came directly from Argentina and works at Core Security, vendor of the penetration testing product Core Impact. His talk began with a quick overview of pentest frameworks, the evolution of pentesting and a description of attack planning. He talked about PDDL (Planning Domain Description Language) and how AI can be used for pentests: for example, we can define object types (host, network, port...) and use predicates such as TCP connectivity... [Slides]

The last talk of the day was entitled "Evolution of Microsoft security mitigations" and was presented by Tim Burrell from Microsoft. Since I did not attend it, I can't report on it. [Slides]

All comments about what I've written are welcome.

Conference's Website :
FPGA security challenge :

Saturday, April 3, 2010

My first post ...

Welcome to my blog :)
Here I will post articles on computer security and computer science in general. Some posts will be in English, others in French and maybe some in both languages.

Here are some links about me:

In a few weeks I'll attend Hackito Ergo Sum, an IT security conference in Paris, so the next posts will be about this event, which promises to be awesome.
Thank you for reading my blog.