Dustin D. Trammell
I am currently seeking opportunities in Information Security Research & Development such as vulnerability and exploit development, reverse code engineering, and general advanced security research of new technologies. Any opportunities falling within these areas of the broader Information Security domain are in line with my chosen career path and will allow me to provide value to my employer through utilization and improvement of my skills.
My current expertise is in the following areas:
• Vulnerability Research & Development in the realm of network communication protocols and computer software, currently focusing on network attack and vulnerability exploitation
• Security tools design and/or development
Attack and Exploitation
Research is focused on development of network attacks, vulnerability exploits, and new attack and exploitation methods and
A number of vulnerability exploits - See Software; exploits below.
Context-keyed Payload Encoding - A new method of keying an encoder which is based entirely on contextual information that is predictable or known about the target by the attacker and constructible or recoverable by the decoder stub when executed at the target. See papers below.
hcraft - An HTTP systems penetration testing framework designed to make exploitation of known vulnerabilities in HTTP systems a dynamic, simple process.
Metasploit Telephony Library and Wardialer - The Metasploit Telephony core library provides an interface to hardware telephony devices enabling exploitation of dialup targets. The MSF Wardialer is intended to be used for telephone network and DID number scanning.
Voice over IP (VoIP)
Research is focused on the non-carrier VoIP technology domains including signaling and media protocols, system architecture, network devices such as call-servers and proxies, and endpoint devices such as physical embedded devices and soft phones.
enumIAX - Implementation of a method for enumerating an Inter-Asterisk Exchange (IAX) based registration server. The tool is also capable of determining whether or not an enumerated identity requires a password to register.
libfindrtp - C shared library implementation of a method for detecting Real-time Transfer Protocol sessions by watching for setup of the session via various VoIP signaling protocols.
DisAsterisk - An Asterisk plug-in which implements functions useful to security researchers and quality assurance engineers. Some functions include VoIP protocol fuzzers.
SteganRTP - See Steganography
Steganography & Covert Communications
Research is focused on raising awareness of steganography within the Information Technology community as well as development of new methods and tools for using modern methods of steganography.
hcovert - Implementation of a method for sending steganographic messages via web server log files.
SteganRTP - Implementation of a full-duplex steganographic communications channel operating within the audio payloads of Real-time Transport Protocol (RTP) session packets, as described in my research paper Real-time Steganography with RTP. This research was presented at the DEFCON 15 hacker conference and published in Uninformed Journal Vol. 8.
Research is focused on development of new anti-spam methods, technology, and tools.
Sender Permitted From (SPF) v.1 - SPFv1, standardized by the IETF as RFC 4408, fights email address forgery and makes it easier to identify spam, worms, and viruses. Domain owners identify sending mail servers in DNS. SMTP receivers verify the envelope sender address against this information, and can distinguish legitimate mail from spam before any message data is transmitted.
Spamhole - Implementation of a method for defeating spam. The tool pretends to be an open SMTP relay and lies in wait for spammers to find and attempt to use it. The tool appears to be accepting spam sent to it for delivery but in reality it is not, wasting the spammer's time, effort, and bandwidth.
Limited research in the field of secure password generation and recall.
Publication of a research paper entitled "Mnemonic Password Formulas" which describes my original research to create a method for dynamically generating and remembering secure passwords.
TECHNICAL SKILLS AND EXPOSURES
Platforms / Operating Systems
UNIX: Linux (Slackware 2-12.0, Red Hat 7.1-9, Red Hat Enterprise 3-4, Fedora Core 3), OpenBSD, Solaris 2.x-10, HP-UX 11/11i, AIX 5.2/5.3
Microsoft: Windows 2003 Server, Windows 2000 Server / Advanced Server / Professional, Windows XP
Network Device: Cisco IOS, ScreenOS
SmartCards (ICC): PCSC, CardOS, MultiCard
Virtualization: VMware (Workstation, Server, GSX, ESX)
Network Systems and Protocols
Routing/Transmission: TCP/IP v4/v6, NAT, Various Proxies, Bridging+STP, IPsec, PPTP
File-system/File-transfer: SMB/CIFS, NFS, FTP (ProFTPD, wu-ftpd, vsftpd), TFTP, SCP/SFTP (SSH)
Electronic Mail: SMTP, POP3, IMAP 4, Exchange Service, MAPI (qmail, Exchange 5.5/2000, Evolution,
Resolution/Lookup: ARP, DNS (BIND 8.*/9.*), SunRPC, DCERPC
Remote Access: SSH (OpenSSH), Telnet, rservices, VNC, Microsoft Terminal Services / RDP (MSTSC.exe,
Miscellaneous: IDENT, NNTP (Dnews), NTP, IRC (Hybrid IRCD, Hybrid IRC Services, ircii, mirc), SILC (silcd, silc), syslog (syslogd, syslog-ng, NTSyslog), FIX/FIXT
Voice over IP (VoIP)
Enterprise: Proxy Trapezoid, Intelligent Endpoint, Master/Slave Endpoint, P2P
Signaling: SIP, SCCP (Skinny), MGCP, IAX, IAX2, H.323, RTSP
Media: RTP/RTCP, SRTP/SRTCP, ZRTP
Tools: Ethereal/Wireshark, Cain & Abel, Vomit, tcpkill, sip-kill, sip-proxykill, sip-redirectrtp, rtpproxy, PROTOS SIP Suite, ohrwurm, Fuzzy Packet, Teardown, Registration hijacker, Registration eraser, Registration adder, SIPCrack, enumIAX, SIPSCAN, DisAsterisk, custom tools
Load / Call Generation: SIPp, InviteFlood, IAXFlood, UDPFlood, RTPFlood, BreakingPoint, custom tools
Call Management / Control: Asterisk PBX, Cisco Call Manager, Microsoft Live Communications Server, CrystaLAN Server
Hard Phones: Cisco 7912, Cisco 7940, Cisco 7960
Soft Phones: Xten, Cubix, Microsoft Office Communicator, CrystaLAN Client, IAXPhone, Skype
Debuggers: gdb, Microsoft Debugger (windbg)
Tracers: strace, ltrace, smem-map
Binary Utilities: GNU BinUtils (objdump, readelf, strings, etc.), Metasploit tools (memdump, pescan) vi,
Disassembler / Decompiler: IDA Pro, dcc
Source Code: vi, splint, cscope, grep
Binary: BinDiff, GNU BinUtils (objdump, readelf, strings, etc.), Process Explorer, Filemon, Regmon,
Fuzzers: Sharefuzz, Peach, Fuzzy Packet, ohrwurm, DisAsterisk, netdude, BreakingPoint, custom tools
Capture: Ethereal/Wireshark, tcpdump, Kismet, custom tools
Generate: scapy, tcpprep, tcpreplay, paketto keiretsu, SIPp, Protos, custom tools
Tools: Metasploit, shellforge
Libraries: libcex, libexploit, libpcap, libnet, libipq, GPGme, Rex
Compiled: IA-32/x86 Assembly, ANSI/POSIX C (UNIX environments)
Interpreted: Ruby, bash, POSIX compliant shells, expect
Exploit: libcex, libexploit, Rex
Cryptography: OpenSSL, GPGme
Data Management: libXML, libpq
Networking: libpcap, libnet, libdnet, libipq
User Interface: libncurses
Smartcard: pcsc-lite, libmusclecard
Editors: vi (vim, elvis), 010Editor
Compilers: nasm, gcc
Build: ld, make
Debuggers: gdb, Microsoft Debugger (windbg)
IDEs: Eclipse, vi
Revision Control: CVS, Subversion
10.07 to Present BreakingPoint Systems Inc. Security Researcher
Providing Security Research for BreakingPoint includes:
• Discovery of new security vulnerabilities
• Analysis of publicly and privately disclosed vulnerabilities and/or software patches
• Development of vulnerability exploits and attacks
• Team Lead for the Application Simulator content team
Accomplishments at BreakingPoint include:
• Development of a significant number of “strikes” for the flagship product line of testing appliances
• Strike coverage for RFC 4475, SIP Torture Tests
• Re-design of the BPS system's protocol handler, uniting the Application Simulator, Security Component, and Protocol Fuzzer components in a single protocol generation framework.
• Speaking at Cisco’s internal tools conference, Toolapalooza 2008 regarding the BreakingPoint product.
• Speaking at CSI-SX 2008, Presentation entitled "Keeping 'em Honest: Testing and Validation of Network Security and Monitoring Devices"
• Authored a whitepaper on simulating Distributed Denial-of-Service (DDoS) attacks using the BreakingPoint
• Enabling the Sales organization to close multiple product sales via rapid development of customer requests.
03.06 to 09.07 TippingPoint, a division of 3Com VoIP Security Research
Providing VoIP Security Research for TippingPoint’s DVLabs included:
• Deployment and security assessment of various VoIP platforms, technologies, commercial products, and
• Speaking at information security and hacker conferences on VoIP security topics and original research.
• VoIP security tools development.
• Assisting the Digital Vaccine group with development and testing of VoIP related filters for the TippingPoint IPS product line.
Accomplishments at TippingPoint include:
• Speaking at the DEFCON 15 hacker conference; Presentation entitled “Real-time Steganography with RTP”
• Research and Development of a method for real-time use of steganography with Real-time Transport Protocol (RTP), with implementation entitled "SteganRTP"
• Speaking at the ToorCon Seattle (beta) hacker conference; Presentation entitled “DisAsterisk: Sneak-Peek”
• Joint Design & Development of an Asterisk IPBX module entitled "DisAsterisk" providing VoIP protocol fuzzing and other capabilities useful to vulnerability researchers.
• Speaking at the EUSecWest information security conference; Presentation entitled “VoIP Attacks!”
• Capabilities extension of the RTPMixSound and RTPInjectSound tools using libfindrtp.
• Design & Development of an RTP session identification C library entitled “libfindrtp”.
• Speaking at the ToorCon 8 information security conference; Presentation entitled “VoIP Attacks!”
• Design & Development of an IAX username enumeration tool entitled “enumIAX”
• Design & Development of an XML-based protocol session emulation tool providing capabilities such as load generation, session tracking, and protocol fuzzing, entitled "NetSamhain".
• Maintaining IPS coverage of major VoIP related vulnerabilities, attacks, and protocol anomalies.
08.05 to 02.06 Sipera Systems Inc. VoIP Vulnerability Research & Development
Providing VoIP Vulnerability Research & Development for Sipera included:
• Management of the VIPER Lab research group.
• System, protocol, and software analysis and vulnerability development
• Architecture / Infrastructure assessment & penetration testing
• Black-box testing of various closed-source / proprietary appliances and components
• Security tools development
• Prepare whitepapers and presentations for publication and presentation to customers as well as at industry
• Build and manage a more extensive vulnerability research team as workload for the above responsibilities
Accomplishments at Sipera include:
• Creation of a mobile assessment platform for use in various vulnerability assessments
• Design, implementation, and deployment of two Linux-based site firewalls with site-to-site IPsec VPN connectivity, including a PPTP VPN server enabling user VPN-client connectivity.
• Designed and managed a team of developers to implement a protocol fuzzing tool.
• Determination, documentation, and implementation of protocol fuzzing profiles for various VoIP and VoIP related protocols such as RTP, RTCP, Skinny, and UMA/GSM protocols in an XML format for the aforementioned fuzzing tool.
• Development of various smartcard (GSM-SIM) interface and analysis tools.
• Managed and provided technical lead to a team of developers to integrate the open source VPN tool racoon2's IKEv2 implementation with FreeRADIUS's EAP and EAP-SIM implementations.
• Created and managed the VIPER Lab research group.
04.03 to 08.05 Citadel Security Software Vulnerability Remediation Alchemist / R&D
Providing Development of Vulnerability Remedies for Citadel included:
• Research of existing vulnerabilities for Linux, Solaris, HP-UX, AIX, and other UNIX platforms.
• Determination / development of one or more applicable remedies for aforementioned vulnerabilities.
• Development of a Hercules Remedy (product instruction set) from said remedies for use by the Hercules product in automated vulnerability remediation.
• Unit-testing of developed Hercules Remedies.
Providing Research & Development for Citadel included:
• Documentation and preparation of analysis white papers, reports, advisories, etc. for discovered vulnerabilities and flaws in software, technologies, methodologies, processes, etc.
• Developing new and improving existing methodologies, processes, and procedures.
• Reviewing and approving information security industry news stories and other content for release via Citadel's "2 Minute Warning" daily podcast.
Accomplishments at Citadel include:
• Development of a large portion of the Hercules product’s UNIX remedy library.
• Development of an automated unit-testing suite for the RedHat Linux and Solaris platforms.
• Development of an exploit development source code library.
• Development of a shell script function library for use in Hercules Remedies.
• Security and functionality analysis of various potentially acquired technologies.
• Creation of exploit and shell-code T-Shirt payloads for use as marketing and conference swag.
• Development of an exploit database for exploits both found in the wild as well as re-worked and original
• Developed, documented, and maintained the Hercules Baseline Remedy Dataset for UNIX platforms.
03.02 to 04.03 Penson Financial Services, Inc. Information Security Specialist
Providing Information Security for Penson included:
• Secure network architecture consulting to the Connectivity Group
• Firewall/VPN management including policy, topology, and process design.
• Intrusion detection / Incident response
• Accounting and reporting management
• Network visibility & surveillance
• Linux related projects and migrations
Penson Financial’s public and private networks consist of the following components:
• The full range of Cisco routers
• Cisco Catalyst switches
• Checkpoint FW1/NG Firewall/VPN devices (Secure Platform, Win2000)
• Linux Netfilter / FreeS/WAN Firewall/VPN devices
• Netscreen Firewall/VPN appliances
• Radware Linkproof/Fireproof Load-balancers
• Foundry Load-balancers
• Intel based Compaq and Dell servers and workstations
• WYSE Winterm thin clients
Accomplishments at Penson Financial include:
• Design, development, and deployment of a centralized logging, accounting, and reporting system enabling automated systems and the IT department groups to react to network, security, and desktop issues in real time.
• Development and implementation of an enterprise-wide information security strategy.
• Development and implementation of an Incident Response procedure.
• Implementation and policy design of a Snort Intrusion Detection System.
• Design and implementation of an NTP architecture.
• Design and implementation of an IRC network, IRC Services, and management / accounting IRC
• Development of a Slackware Linux software package management tool similar to Windows Update.
• Modified existing Linux+ Certification training courseware to better suit the Penson environment and
trained most of the IT Department in general Linux environment and administration using this
• Design and implementation of multiple Firewall and VPN solutions on the Linux IPTables, Checkpoint 4.1/NG, and Netscreen platforms, including bridged, high availability, and load balanced configurations.
A complete employment history is available upon request.
INDUSTRY / COMMUNITY PROJECTS
Metasploit Project - http://www.metasploit.com
10.2007 - Present
Metasploit provides useful information and tools to security professionals who perform penetration testing, IDS signature development, and exploit research. This project was created to provide information on exploit techniques and to create a useful resource for exploit developers and security professionals.
Contributions: Development of the context-keyed encoding system for MSF payloads, development of the Metasploit Telephony Library enabling exploitation of dialup targets, development of the MSF Wardialer used for telephone scanning, and various exploit modules (see Software; exploits below)
Uninformed Journal - http://www.uninformed.org
02.2007 - Present
Uninformed is a research journal providing a technical outlet for research in areas pertaining to security technologies, reverse engineering, and low-level programming.
Contributions: Member of the Article Review Board.
VoIP Security Alliance (VoIPSA) - http://www.voipsa.org
03.2006 - Present
VoIPSA is a vendor-neutral community project which aims to fill the void of VoIP security related resources through a unique collaboration of VoIP and Information Security vendors, providers, and thought leaders.
Contributions: Member of the Technical Advisory Board, active participation in the VoIPSec e-mail forum, contribution to the "Voice of VoIPSA" Blog via original articles and commentary on news items, joint maintainer of the VoIPSA "VoIP Security Tools" list project, and Document Editor for the VoIPSA Best Practices project.
Sender Policy Framework (SPF) v.1 - http://www.openspf.org
04.2003 - 07.2004
SPFv1 (RFC-4408) fights email address forgery and makes it easier to identify spam, worms, and viruses. Domain owners identify sending mail servers in DNS. SMTP receivers verify the envelope sender address against this information, and can distinguish legitimate mail from spam before any message data is transmitted.
Contributions: Assisted in protocol version 1 syntax design, discussion in regards to barriers to implementation, technical caveats, security of the protocol, and other issues that arose on the discussion list.
A complete account of involvement in community and industry projects is available upon request.
PUBLISHED WORKS / SPEAKING ENGAGEMENTS / MEDIA
For paper abstracts, please see http://druid.caughq.org/papers/
Context-keyed Payload Encoding
Uninformed Journal, Volume 9, Article 3
Metasploit Framework Telephony
BlackHat USA 2009 Conference Proceedings
Mnemonic Password Formulas: Remembering Secure Passwords
Uninformed Journal, Volume 7, Article 3
Real-time Steganography with Real-time Transfer Protocol
Uninformed Journal, Volume 8, Article 1
For presentation abstracts, please see http://druid.caughq.org/presentations/
Context-keyed Payload Encoding
2007.10.21 - ToorCon 9, San Diego, California, USA
2007.05.12 - ToorCon Seattle (beta), Seattle, Washington, USA
Keeping ‘em Honest: Testing and Validation of Network Security and Monitoring Devices
2008.04.27 - Computer Security Institute Security eXchange (CSI SX 2008), Las Vegas, Nevada, USA
Metasploit Framework Telephony
2009.07.29 - BlackHat USA 2009, Las Vegas, Nevada, USA
2009.08.01 - DEFCON 17, Las Vegas, Nevada, USA
Mnemonic Password Formulas
2007.05.16 - IEEE Computer Society, Austin, Texas, USA
2005.07.20 - dc214 (Dallas DefCon Chapter), Dallas, Texas, USA
Real-time Steganography with RTP
2007.08.04 - DEFCON 15, Las Vegas, Nevada
SmartCard Security: GSM-SIM
2006.08.30 - AHA! (Austin Hackers Association), Austin, Texas, USA
2006.11.30 - IEEE Consultants Network of Central Texas, Austin, Texas, USA
2006.10.12 - Austin Linux Users Group, Austin, Texas, USA
2006.03.04 - North Texas Snort Users Group @ University of Texas Dallas, Dallas, Texas, USA
2005.01.12 - dc214 (Dallas DefCon Group), Dallas, Texas, USA
VoIP Attacks!
2007.11.06 - Computer Security Institute Annual Conference (CSI 2007), Washington D.C., USA
2007.03.01 - EUSecWest Conference, London, England
2007.02.22 - IEEE Consultants Network of Central Texas, Austin, Texas, USA
2006.10.01 - ToorCon 8 Conference, San Diego, California, USA
Advisories authored by I)ruid: http://www.caughq.org/advisories/
CAU-2006-0001: Myspace.com Trojaned Navigation Menu
CAU-2004-0002: imwheel Predictable PidFile Name Race Condition
CAU-1999-0001: HP JetDirect Printers and Print Servers - DoS / spam
CAU-1998-0005: Yahoo Search Engine - Search Engine Reply Manipulation
CAU-1998-0004: GTE Cybercenter - Software Restrictions Subversion
CAU-1998-0003: GTE Cybercenter - Web Browsing Access Control Subversion
CAU-1998-0002: Cytlok for Windows 95 - Site (URL) Access Control Subversion
CAU-1998-0001: Cytlok - Local Network Segment Remote DoS
Exploits authored by I)ruid: http://www.caughq.org/exploits/
1994 - Current
A detailed overview of past development projects is available upon request.
Television / Radio
CNN LIVE – Corporations Fight Back
April 6th, 1998 - Aired at 6:24pm CST, Cable News Network (CNN)
During this interview, a colleague and I demonstrated a system penetration attack using netcat to take control of processes on Windows 95/98/NT via a custom Trojan application.
The New Face of Cybercrime, Fortify Software Productions
A short video clip from my interview was included in this documentary film regarding corporate security and covert channels.
Hackers are People Too, Ashley Schwartau
A forty-five minute documentary on Hackers, hacker culture, and hackers in everyday real life.
A complete account of published works, speaking engagements, and media involvement is available upon request.
References are available upon request.