Blackhat 2 Day Recap [Bettalatethaneva]

It was another cold, long drive into Washington DC from Aberdeen, MD. The hour and a half commute was definitely wearing on us. We had to leave Joe's house by 6:15am to get to the 8am registration on time. Something had to give...it was as if Law could read my mind. He looked at me, "Hey Ant, we have to have a Starbuck's coffee on the way in today." "Your right", I mused. He punched STARBUCKS into the Garmin GPS in Joe's car without waiting for affirmation from me. "Eight miles" the cold electronic voice said. "DAMN" was the response in unison. We went ahead and hit the nearest highway on our way to DC and lo and behold...a sign for Starbucks at the next truck stop 1.5 miles up the highway. It had to be done, bless Joe's heart but he had violated our Seattle coffee sensibilities when we asked him to stop for coffee earlier in the week and he stopped at Burger King. Yes my dear readers, Burger King. Being a Seattle native born and bred I can only do that once a lifetime.

After walking out of Starbucks cup in hand, there was a look in each mans eye, a pep in his step, for lack of better terms we had ENERGY! On to the Blackhat Tales.
Day One

We registered, claimed our badges and bags and immediately went schwag hunt...er I mean talked to some of the vendors including Paraben, SAINT and Sunbelt Software. We missed most of the introduction and most of the keynote address. We also bumped into Chris Gates from LSO and Brian Wilson and hung out with them most of the day including lunch.

We attended the following talks:

Cracking GSM

RFIDI0ts!!!--Practical RFID Hacking

Bad Sushi: Beating Phishers at their Own Game

Oracle Hacking

Scanning Applications 2.0

We grabbed a quick bite to eat and chatted with Steve Adegbite of Microsoft (always a pleasure!) before we had to leave to do the 1.5 hour commute (sigh)
Day Two

We slept in till noon and decided that a 1.5 hour commute both ways just wasn't going to happen. Instead we packed our suitcases and jumpbags, went bar hopping, shopped at WalMart, and had dinner at a Chinese Buffet. (not necessarily in that order)


All in all it was pretty cool, the talks were a step up from Shmoocon overall and the atmosphere is nice (they also have Starbucks drip coffee going for them). Its much smaller than BH USA Las Vegas which was a great time last year. I think that next year I might just do Shmoo and then Defcon/BH Vegas in the summer.

802.11 Attacks

I regret that I was unable to see Joshua Wright and Brad Antoniewicz talk on PEAP: Pwned Extensible Authentication Protocol at Shmoocon 4. Josh was kind enough to put up slide of the talk on willhackforsushi.com. Brad also made slides available that are complimentary to the ones from the presentation.

In conjunction this is a very informative compilation of slides that should interest anyone interested in 802.11 security and I would like to thank the both of them for making these resources available!

UPDATE: A related article can be found here.

Your Client Side Security Sucks [really, it does]

I returned to Seattle from Shmoocon/BH DC last Friday and have been experiencing a serious case of jet lag. To get through the fatigue I have been spending time getting caught up on the 266 RSS feeds that I follow via Google Reader and came across the following OWASP presentation by Kurt Grutzmacher.

This is an excellent read that I would suggest to anyone trying to understand why client side security is so vulnerable and error prone on the development side of things.

Data Breach Notification Laws, State By State

I have long been an avid follower of breach notification legislation but usually in reagards to the west coast of the USA. While reading my RSS feeds yesterday I came across an interesting resource. The link will take you to a map of the US that shows the breach notification status of each state in the Union via color coding and a nifty popup. Far too useful and interesting to keep to myself.

Enjoy!

MySQL, SHA1 and me

While hacking around with SQL injection on the LSO (LearnSecurityOnline) labs, the subject of being able to crack a MySQL SHA1 password hash came up and became a topic of interest and a challenge of sorts. I have never come across this one before so I impulsively decided to pick it up and see what I could do with it before I had to get on a plane back to Seattle.

./poc

A quick Google search turned up this tool.

A proof of concept (hence the name) MySQL password hash cracker. Optimized for quad core CPU implementations

Can be downloaded from http://www.sqlhack.com/poc.c

gcc -O3 -o poc poc.c

I ran this for about 12 hours until it determined that the password was beyond 8 character and therefore out of scope for this particular program.

Performed on a Dell D600 Pentium M 1.4 Ghz Machine with 1 GB of RAM

./mysqlfast

Some initial Googling turned up this tool. I was able to run this one the longest albeit without any success.

http://packetstorm.linuxsecurity.com/Crackers/msqlfast.c

gcc -O2 -fomit-frame-pointer mysqlfast.c -o mysqlfast

I ran this tool for about 15 hours without success. It was checking 9 character passwords when I ended execution of the program.

Performed on a Dell D600 Pentium M 1.4 Ghz Machine with 1 GB of RAM

./unhash

I came across this one looking for MySQL SHA1 crackers on PacketStorm Security. I was only able to run it for a few hours before I had to pack up my laptops in preparation to catch my flight.

http://packetstorm.codar.com.br/Crackers/unhash-0.9.tgz

Performed on a Dell D600 Pentium M 1.4 Ghz Machine with 1 GB of RAM

Cain & Abel

Identified the hash as MySQL v3.23. I attempted to use the built in dictionary running as many permutations as possible without any success. It took about an hour or so to make it through the dictionary file.

Performed on a HP nc6000 Pentium M 1.6 Ghz laptop with 2 GB of RAM

John the Ripper (Joe McCray performed this test)

John is not natively capable of cracking MySQL SHA1 hashes and requires a patch to do so.

[j0e@LinuxLaptop john-1.7.2]$ wget
http://openwall.com/john/contrib/john-1.7-all-4.diff.gz

[j0e@LinuxLaptop john-1.7.2]$ gunzip -c john-1.7-all-4.diff.gz | patch
-p0

[j0e@LinuxLaptop john-1.7.2]$ cd src/

[j0e@LinuxLaptop src]$ su
Password:

[root@LinuxLaptop src]# make linux-x86-any

John was fed a 7 million entry password dictionary

[j0e@LinuxLaptop run]$ ./john
--wordlist=../../../wordlistz/MassiveDictionary.txt mysql_hash.txt
Loaded 1 password hash (Raw SHA1 [raw-sha1])
guesses: 0 time: 0:00:00:03 100% c/s: 862538 trying: zwolle

This was NOT the correct password.

Performed on a Dell D620 Core Duo 2 1.83 laptop with 2GB of RAM

If anyone out there has any suggestions on more efficient ways to go about this I would LOVE to hear about them.

UPDATE: Sandro Gauci of SipVicious.org pointed me to a great resource. Any other feedback and suggestions are welcome!

May Your Skill Prevail.

The DC/Maryland Saga Continues

Today we actually made it back in by 2AM after eating dinner at Applebee's while watching the NBA All Star Game and then doing some wardriving of Aberdeen, Maryland (~800 Aps). Joe, evil1, Law and myself all stayed up most of the night hacking away and talking.

Around noon we all had to drag ourselves out of bed to get evil1 to the airport to catch a 4:30pm flight. After dropping him off Lawrence and I had to stop at Starbuck's coffee (Burger King coffee is like kryptonite to Seattle denizens) and note that it appears that we had brought the overcast cloudy and rainy weather with us.

Since we were already in the area and had our wardriving gear with us we decided that some good 'ol AP detection was in order. We were able to get a pretty good haul of ~10,000 AP's after about 3 hours then headed north for the long journey home.

Tomorrow we are planning to drive back down to DC and do the BH DC 2008 Briefings early registration. If all goes well we may drive up to Philadelphia and do some wardriving before it gets too late.

Shmoocon Day Three

After 3 nights of 2-3 hours of sleep and a 1 ½ hour commute both ways everyone was exhausted today. We made the decision to stay at the house and catch up on our rest before we got to a BBQ at Wolf's house. I regret missing the PEAP: Pwned Extensible Authentication Protocol by Josh Wright and Brad Antoniewicz presentation.

As I type this Joe and Lawrence are sitting at the dining room table with laptops with evil1 still in his room sleeping. Overall shmoocon was a blast, the talks were o.k. but the people and side channel conversations we had were excellent.

Will I be going next year? Absolutely!

Shouts out to to CG, Kev, Marco and Steve A. I'll catch those who are going to BH Federal at the briefings next week or at DefCon later in the year. If not see you guys on SILC.

Shmoocon Day Two

We were able to actually make it in on time today after getting 2 hours of sleep! Watched the Active 802.11 Fingerprinting: Gibberish and "Secret Handshakes" to Know Your AP by Sergey Bratus, Cory Cornelius and Daniel Peebles. I found this to be an interesting talk and hope that this research begins to delve into the client realm in the near future.

I also had the pleasure of catching the following talks:

Got Citrix? Hack It! By Shanit Gupta and Advanced Protocol Fuzzing - What We Learned when Bringing Layer2 Logic to "SPIKE Land" by Enno Rey and Daniel Mende. There was also an impromptu talk by muts covering AV circumvention using ollydebug and Windows Vista ASLR circumvention.

I had lunch with Kevin Figueora of K&T International Consulting, Marco Figueroa of MAF Consulting, Inc, Joe McCray of LearnSecurityOnline, Lawrence White of IGS and evil1 at the Chipotle down the street from the hotel. All of us also got together later in the evening and had the most amazing time eating dinner, watching the All-Star 3 point shooting and Slam Dunk contest and having drinks and talking shop. The talks at any convention are good to go to but these are the experiences that stay with you for a lifetime.

Shmoocon Day One

Overslept like a bunch of jet lagged bums! Arrived 2 hours late and missed all of the talks getting social with my peers. Met some cool guys: muts from Offensive Security/Back|Track, Aaron Petersen from MRL (Midnight Research Labs) and Rick Farina from AirTight. As is usual for my con experiences hung out with the LSO (LearnSecurityOnline) j0e and Chris and evil1 (mad props for webapp kung fu).

Shmoocon Day Zero

Law and I caught a red eye at 10pm out of SEA to BWI with a connecting flight through Detroit. One of the most uncomfortable experiences of my life. J0e picked us up from the airport and took us straight to the bar at 8:30am. Drove back to his place in Maryland, took a nap, took out got acquainted with local network and hacked around a little bit. Met Wolf, picked up evil1 from the Reagan airport in DC, went back to the bar (which caught on fire which is another story for another time), did some urban exploring (evil1 did), drove back to Maryland (j0e got a speeding ticket), and hacked until 5am.