DefCon 18 is the computer security conference in Las Vegas following the Black Hat conference, famous for releasing many important exploits that force software and systems providers, telecommunications companies to fix low level security issues that effect us all. It’s a huge reverse engineering, hacking and intellectual critique fest. Many federal agencies, contract providers, reverse engineers, genius kids and other rogues (like me) appear to enjoy the deep virtual and human packet inspection.
Highlights from DefCon 18: http://www.defcon.org/
1) Docsis
Docsis (most recent is 3.0) is the modem protocol for cable modems which includes channel bonding capabilities that vastly expand regular cable data transfer capabilities beyond T1 speeds. A firmware upgrade with a linux based stack to most commonly available cable modems allows for “network diagnostics”, which vastly expands speed via interface bonding, channel security and much more.
Defcon 16 showcased various modifications and techniques to
gain free and anonymous cable modem internet access. Analyzed and
discussed were the tools, techniques, and technology behind hacking DOCIS 3.0.
Haxomatic USB JTAG/SPI firmware was released by programmer Rajkosto &
SBHacker and updated DOCSIS 3.0 hacked firmware for TI puma5-based cable modems
was made available.
Blake
Self is most widely known for
co-authoring the first commercial encrypted instant messenger with Dr. Cyrus
Peikari while at VirusMD. He has also worked as a SIPRNET Administrator,
Department of Defense Red Team Analyst, and R&D at various corporations
including Airscanner and Ontario Systems. He currently works in the automated
data collection industry as well as doing research for S2ERC (http://www.serc.net).
Bitemytaco is a well-known person in the DOCSIS research community and
one of the root admins at SBHacker.net, the largest modem hacking community in
the world. He funded the development of Haxorware (coded by Rajkosto) - the
most popular and innovative diagnostic cable modem firmware ever released. He
also coordinated the development of the current hacked SB6120 firmware and
released it to the public on Christmas 2009. Taco has been researching cable
modem networks since 1998 and has been involved in the modem hacking scene for
many years. "DOCSIS: Insecure By Design" was presented at DEFCON 16
by Taco along with teammates Blake of SERC and devDelay of SBHacker.
History:
Docsis is at the heart of Net Neutrality legislations: http://www.wired.com/threatlevel/2010/04/net-neutrality-throttle/
Sniffing Cable Modems from DefCon 16:
https://media.defcon.org/dc-16/video/Defcon16-Guy_Martin-Sniffing_Cable_Modems.m4v
Quote: “Unless you steal the cable you are “testing”, the laws for expanding cable services exist in the grey area we all work within”.
2) WPA2 Hole 196:
Using the inherently broken GTK handshake to bypass security (and user encapsulated network isolation keys) in WPA2 (full toolset released), allowing for instant transparent Man in the Middle attacks using multicast,unicast and broadcast packets, (works once you have a shared network session [5 minutes to crack any WEP/WPA/WPA2 using BackTrack4/Aircrack-ng (7 minutes with MAC address filtering or hidden SSID)]; Hole 196 allows for instant exploits of all user services once sharing and Enterprise WPA2 system and includes the addition of only 4 lines of code to existing exploit tool-chains to target openly transmitted GTK keys.
Excerpt:
AirTight Networks (a wireless security vendor) presented a demo of a new WPA2 vulnerability that affects even 802.1X-authenticated networks.
Several press releases note the attack uses information of a vulnerability found on page 196 of the IEEE 802.11 wireless specification.
Possible
attacks:
- Compromise authentication server (AS) which participates in key
distribution
- Compromise pairwise (individual station) keys
- Reuse of GTK (only for broadcast/multicast)
- Spoof AP or authentication server (AS) for MITM attack
- Implement an 802.1X EAP method which is insecure (ie EAP-MD5) and compromises
the keys
- Attack on TKIP (versus CCMP)
The documented 802.11 standard vulnerability:
Page 196, Section 8.5 Keys
and Key Distribution
Under that section is this paragraph:
NOTE—Pairwise key support with TKIP or CCMP allows a receiving STA to detect MAC address spoofing and data forgery. The RSNA architecture binds the transmit and receive addresses to the pairwise key. If an attacker creates an MPDU with the spoofed TA, then the decapsulation procedure at the receiver will generate an error. GTKs do not have this property.
http://www.networkworld.com/news/2010/073010-airtight-wpa2-vulnerability.html
3) Powershell automatic Metasploit and Meterpeter exploits:
Powershell comes in Windows 7 by default (cannot be disabled), and is a powerful command line addition to Windows applications allowing for bypassing even .Net and .dll protection. Hopefully, Windows users are protected by adequate network OSI layers, as this application allows for instant integration with Metasloit/Meterpreter/FastTrack tools for point and click exploits.
http://www.defcon.org/html/defcon-18/dc-18-speakers.html#Kennedy
Feel free to attend the Phoenix Linux User’s Group HackFests 2nd Tuesday of Every Month 18:30-20:00 at the Cowden Center at JCL hospital in North Phoenix for a video replay of these presentations and the complete seminars.
We will be showcasing the actual video (produced professionally at DefCon) of all the sessions all year long.