DefCon 18 HighLights (& Complete Video)

Lisa Kachold lisakachold at obnosis.com
Mon Aug 2 11:55:18 MST 2010


DefCon 18 is the computer security conference held in Las Vegas right after
the Black Hat conference. It is famous for releasing many important exploits
that force software and systems vendors and telecommunications companies to
fix low-level security issues that affect us all.  It's a huge reverse
engineering, hacking and intellectual critique fest.  Many federal agencies,
contract providers, reverse engineers, genius kids and other rogues (like
me) appear to enjoy the deep virtual and human packet inspection.



Highlights from DefCon 18:  http://www.defcon.org/



1)      DOCSIS



DOCSIS (most recent version: 3.0) is the protocol cable modems use to talk
to the cable provider's head end. Version 3.0 adds channel bonding, which
expands the data rate of a single modem far beyond T1 speeds.  Replacing the
factory firmware on most commonly available cable modems with a Linux-based
"diagnostic" firmware exposes settings the provider normally locks down
(channel bonding, the modem's identity and service configuration, and much
more), which is what the free and anonymous access described below depends
on.



The DefCon 18 talk showcased various modifications and techniques to gain
free and anonymous cable modem internet access, and analyzed and discussed
the tools, techniques and technology behind hacking DOCSIS 3.0.  The
Haxomatic USB JTAG/SPI firmware tool by Rajkosto and SBHacker was released,
and updated hacked DOCSIS 3.0 firmware for TI Puma5-based cable modems was
made available.

*Blake Self* is most widely known for co-authoring the first commercial
encrypted instant messenger with Dr. Cyrus Peikari while at VirusMD. He has
also worked as a SIPRNET Administrator, Department of Defense Red Team
Analyst, and R&D at various corporations including Airscanner and Ontario
Systems. He currently works in the automated data collection industry as
well as doing research for S2ERC (http://www.serc.net).

*Bitemytaco* is a well-known person in the DOCSIS research community and one
of the root admins at SBHacker.net, the largest modem hacking community in
the world. He funded the development of Haxorware (coded by Rajkosto) - the
most popular and innovative diagnostic cable modem firmware ever released.
He also coordinated the development of the current hacked SB6120 firmware
and released it to the public on Christmas 2009. Taco has been researching
cable modem networks since 1998 and has been involved in the modem hacking
scene for many years. "DOCSIS: Insecure By Design" was presented at DEFCON
16 by Taco along with teammates Blake of SERC and devDelay of SBHacker.



History:

DOCSIS networks are at the heart of the net neutrality legislation:
http://www.wired.com/threatlevel/2010/04/net-neutrality-throttle/



Sniffing Cable Modems from DefCon 16:

https://media.defcon.org/dc-16/video/Defcon16-Guy_Martin-Sniffing_Cable_Modems.m4v



Quote: "Unless you steal the cable you are 'testing', the laws for expanding
cable services exist in the grey area we all work within."



2)       WPA2 Hole 196:



Hole 196 abuses the group temporal key (GTK) that every WPA2 client shares
for broadcast and multicast traffic (a working toolset was demonstrated
live).  It does not crack any key: the attacker must already be a legitimate
client of the network, either another user of the same Enterprise WPA2 SSID
or anyone who holds the pre-shared key, so what it bypasses is the per-user
isolation people assume the per-client pairwise keys provide.  Because the
standard does not bind the GTK to the AP's transmit address, an insider can
send GTK-encrypted broadcast or multicast frames with the AP's MAC as the
source (for example gratuitous ARP) and every other client accepts them.
That redirects the other clients' unicast traffic to the attacker, who reads
it and relays it: an instant, transparent man-in-the-middle that works
through the AP, and that the pairwise encryption of the redirected traffic
does nothing to prevent.  The change needed is the addition of only 4 lines
of code to existing exploit tool-chains, targeting the GTK that the AP hands
to every client.  The pre-condition is getting onto the network in the first
place: minutes for WEP with BackTrack4/Aircrack-ng, but for WPA/WPA2-PSK it
means capturing a handshake and running a dictionary attack, which only
succeeds against a weak passphrase; MAC address filtering and hidden SSIDs
add only a few minutes to either.



Excerpt:

AirTight Networks <http://www.airtightnetworks.com/> (a wireless security
vendor) presented a demo of a new WPA2 vulnerability that affects even
802.1X-authenticated networks.

Several press releases note the attack uses information of a vulnerability
found on page 196 of the IEEE 802.11 wireless specification.

*Possible attacks:*
- Compromise authentication server (AS) which participates in key
distribution
- Compromise pairwise (individual station) keys
- Reuse of GTK (only for broadcast/multicast)
- Spoof AP or authentication server (AS) for MITM attack
- Implement an 802.1X EAP method which is insecure (ie EAP-MD5) and
compromises the keys
- Attack on TKIP (versus CCMP)

*The documented 802.11 standard vulnerability:*

Page 196, Section 8.5 Keys and Key Distribution
Under that section is this paragraph:

NOTE—Pairwise key support with TKIP or CCMP allows a receiving STA to detect
MAC address spoofing and data forgery. The RSNA architecture binds the
transmit and receive addresses to the pairwise key. If an attacker creates
an MPDU with the spoofed TA, then the decapsulation procedure at the
receiver will generate an error. GTKs do not have this property.

http://www.networkworld.com/news/2010/073010-airtight-wpa2-vulnerability.html
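A toy model of exactly the property that NOTE describes, as an added Python
example (not from AirTight, the talk, or the original posting): a spoofed
transmitter address fails decapsulation under a pairwise key but passes under
the group key, and a gratuitous ARP smuggled in that way flips the victim's
gateway entry.  The HMAC stands in for CCMP's AES-CCM, which also
authenticates the addresses; the station MACs, gateway IP and text "ARP"
payload are constructed for the illustration, and the ARP-cache check at the
end is an assumed client-side mitigation, not AirTight's detection logic.

```python
"""Toy model of WPA2 "Hole 196": the shared GTK lets an insider spoof the AP.

Assumptions (added illustration, not any vendor's tool):
  - the frame MIC is HMAC-SHA256 over (TA, RA, payload) under the key,
    standing in for CCMP's AES-CCM, which also authenticates the addresses;
  - every station holds its own PTK plus the one GTK the AP gave everybody;
  - the "ARP" payload is a constructed text line, not a real ARP packet.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP_MAC = "00:11:22:00:00:01"        # constructed addresses
VICTIM_MAC = "00:11:22:00:00:10"
ATTACKER_MAC = "00:11:22:00:00:20"
GATEWAY_IP = "192.168.1.1"


@dataclass
class Frame:
    ta: str          # transmitter address written in the 802.11 header
    ra: str          # receiver address: a station MAC or BROADCAST
    payload: bytes
    mic: bytes


def compute_mic(key: bytes, ta: str, ra: str, payload: bytes) -> bytes:
    # As with CCMP, the addresses are part of the authenticated data.
    return hmac.new(key, f"{ta}|{ra}|".encode() + payload, hashlib.sha256).digest()


def build_frame(key: bytes, ta: str, ra: str, payload: bytes) -> Frame:
    return Frame(ta, ra, payload, compute_mic(key, ta, ra, payload))


@dataclass
class Station:
    mac: str
    ptk: bytes                       # pairwise key: only this STA and the AP
    gtk: bytes                       # group key: identical on every STA
    arp_cache: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def receive(self, frame: Frame) -> bool:
        """Return True if the frame passed decapsulation and was processed."""
        if frame.ra == BROADCAST:
            key = self.gtk           # anyone holding the GTK could have sent this
        elif frame.ra == self.mac and frame.ta == AP_MAC:
            key = self.ptk           # only the AP can compute a MIC under this key
        else:
            return False
        expected = compute_mic(key, frame.ta, frame.ra, frame.payload)
        if not hmac.compare_digest(expected, frame.mic):
            return False             # decapsulation error: frame dropped
        self._process_arp(frame.payload.decode())
        return True

    def _process_arp(self, text: str) -> None:
        # constructed format: "ARP-REPLY <ip> is-at <mac>"
        kind, ip, _, mac = text.split()
        if kind != "ARP-REPLY":
            return
        known = self.arp_cache.get(ip)
        if known is not None and known != mac:
            # The crypto stays intact, so a gateway MAC that changes underneath
            # an established entry is the practical client-side warning sign.
            self.alerts.append(f"gateway {ip} moved from {known} to {mac}")
        self.arp_cache[ip] = mac


def run_demo() -> dict:
    gtk = os.urandom(16)
    victim = Station(VICTIM_MAC, os.urandom(16), gtk)
    attacker_ptk = os.urandom(16)    # attacker's own PTK: useless against the victim
    # The AP legitimately announces its own MAC as the gateway over the group key.
    victim.receive(build_frame(gtk, AP_MAC, BROADCAST,
                               f"ARP-REPLY {GATEWAY_IP} is-at {AP_MAC}".encode()))
    spoof = f"ARP-REPLY {GATEWAY_IP} is-at {ATTACKER_MAC}".encode()
    # 1. Spoofing the AP's TA in a unicast frame fails: no PTK for the victim.
    unicast_ok = victim.receive(build_frame(attacker_ptk, AP_MAC, VICTIM_MAC, spoof))
    # 2. Spoofing the AP's TA in a group-addressed frame succeeds: the GTK is shared.
    broadcast_ok = victim.receive(build_frame(gtk, AP_MAC, BROADCAST, spoof))
    return {
        "unicast_spoof_accepted": unicast_ok,
        "broadcast_spoof_accepted": broadcast_ok,
        "victim_gateway_mac": victim.arp_cache[GATEWAY_IP],
        "alerts": victim.alerts,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Run it as a script and the unicast attempt is rejected while the broadcast
one lands and rewrites the gateway entry; the single alert is the only trace
the victim sees, which is why AirTight pitched this as a problem for
wireless intrusion detection rather than one a key change can fix.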





3)      PowerShell automated Metasploit and Meterpreter exploits:



PowerShell ships with Windows 7 by default and is a powerful command line
addition to Windows that can call the .NET framework and native DLLs
directly, which lets an attacker run payloads in memory without writing a
traditional executable to disk for antivirus to inspect.  Hopefully Windows
users are protected by adequate network-layer defenses, because this talk
showed instant integration with Metasploit, Meterpreter and Fast-Track for
point-and-click exploits.



http://www.defcon.org/html/defcon-18/dc-18-speakers.html#Kennedy


*Feel free to attend the Phoenix Linux User’s Group HackFests  2nd Tuesday
of Every Month 18:30-20:00 at the Cowden Center at JCL hospital in North
Phoenix for a video replay of these presentations and the complete
seminars.  *



We will be showcasing the actual video (produced professionally at DefCon)
of all the sessions all year long.


-- 
IvedaXpress.com Systems Engineer
Office: (480)307-8712
AT&T: (503)754-4452

"Faith is, at one and the same time, absolutely necessary and altogether
impossible. "
--Stanislav Lem