Dustin D. Trammell

FOCUS

I am currently seeking opportunities in Information Security Research & Development such as vulnerability and exploit development, reverse code engineering, and general advanced security research of new technologies. Any opportunities falling within these areas of the broader Information Security domain are in line with my chosen career path and will allow me to provide value to my employer through utilization and improvement of my skills.

EXPERTISE

My current expertise is in the following areas:
• Vulnerability Research & Development in the realm of network communication protocols and computer software, currently focusing on network attack and vulnerability exploitation
• Security tools design and/or development

RESEARCH FIELDS

Attack and Exploitation
Research is focused on development of network attacks, vulnerability exploits, and new attack and exploitation methods and techniques.
Accomplishments:
A number of vulnerability exploits - See Software; exploits below.
Context-keyed Payload Encoding - A new method of keying an encoder which is based entirely on contextual information that is predictable or known about the target by the attacker and constructible or recoverable by the decoder stub when executed at the target. See papers below.
hcraft - hcraft is an HTTP systems penetration testing framework designed to make exploitation of known vulnerabilities in HTTP systems a dynamic, simple process.
Metasploit Telephony Library and Wardialer - The Metasploit Telephony core library provides an interface to hardware telephony devices enabling exploitation of dialup targets. The MSF Wardialer is intended to be used for telephone network and DID number scanning.

Voice over IP (VoIP)
Research is focused on the non-carrier VoIP technology domains including signaling and media protocols, system architecture, network devices such as call-servers and proxies, and endpoint devices such as physical embedded devices and soft phones.
Accomplishments:
enumIAX - Implementation of a method for enumerating an Inter-Asterisk Exchange (IAX) based registration server. The tool is also capable of determining whether or not an enumerated identity requires a password to register.
libfindrtp - C shared library implementation of a method for detecting Real-time Transport Protocol sessions by watching for setup of the session via various VoIP signaling protocols.
DisAsterisk - An Asterisk plug-in which implements functions useful to security researchers and quality assurance engineers. Some functions include VoIP protocol fuzzers.
SteganRTP - See Steganography

Steganography & Covert Communications
Research is focused on raising awareness of steganography within the Information Technology community as well as development of new methods and tools for using modern methods of steganography.
Accomplishments:
hcovert - Implementation of a method for sending steganographic messages via web server log files.
SteganRTP - Implementation of a full-duplex steganographic communications channel operating within the audio payloads of Real-time Transport Protocol (RTP) session packets, as described in my research paper Real-time Steganography with RTP. This research was presented at the DEFCON 15 hacker conference and published in Uninformed Journal Vol. 8.

Anti-SPAM
Research is focused on development of new anti-spam methods, technology, and tools.
Accomplishments:
Sender Permitted From (SPF) v.1 - SPFv1, standardized by the IETF as RFC 4408, fights email address forgery and makes it easier to identify spam, worms, and viruses. Domain owners identify sending mail servers in DNS. SMTP receivers verify the envelope sender address against this information, and can distinguish legitimate mail from spam before any message data is transmitted.
Spamhole - Implementation of a method for defeating spam. The tool pretends to be an open SMTP relay and lies in wait for spammers to find and attempt to use it. The tool appears to be accepting spam sent to it for delivery but in reality it is not, wasting the spammer's time, effort, and bandwidth.
Passwords
Limited research in the field of secure password generation and recall.
Accomplishments:
Publication of a research paper entitled "Mnemonic Password Formulas" which describes my original research to create a method for dynamically generating and remembering secure passwords.

TECHNICAL SKILLS AND EXPOSURES

Platforms / Operating Systems
UNIX: Linux (Slackware 2-12.0, Red Hat 7.1-9, Red Hat Enterprise 3-4, Fedora Core 3), OpenBSD, Solaris 2.x-10, HP-UX 11/11i, AIX 5.2/5.3
Microsoft: Windows 2003 Server, Windows 2000 Server / Advanced Server / Professional, Windows XP Professional
Network Device: Cisco IOS, ScreenOS
SmartCards (ICC): PCSC, CardOS, MultiCard
Virtualization: VMware (Workstation, Server, GSX, ESX)

Network Systems and Protocols
Routing/Transmission: TCP/IP v4/v6, NAT, Various Proxies, Bridging+STP, IPsec, PPTP
File-system/File-transfer: SMB/CIFS, NFS, FTP (ProFTPD, wu-ftpd, vsftpd), TFTP, SCP/SFTP (SSH)
Electronic Mail: SMTP, POP3, IMAP 4, Exchange Service, MAPI (qmail, Exchange 5.5/2000, Evolution, Outlook)
Resolution/Lookup: ARP, DNS (BIND 8.*/9.*), SunRPC, DCERPC
Remote Access: SSH (OpenSSH), Telnet, rservices, VNC, Microsoft Terminal Services / RDP (MSTSC.exe, rdesktop)
Miscellaneous: IDENT, NNTP (Dnews), NTP, IRC (Hybrid IRCD, Hybrid IRC Services, ircii, mirc), SILC (silcd, silc), syslog (syslogd, syslog-ng, NTSyslog), FIX/FIXT

Voice over IP (VoIP)
Architectures:
  Enterprise: Proxy Trapezoid, Intelligent Endpoint, Master/Slave Endpoint, P2P
  Carrier: UMA
Protocols:
  Signaling: SIP, SCCP (Skinny), MGCP, IAX, IAX2, H.323, RTSP
  Media: RTP/RTCP, SRTP/SRTCP, ZRTP
Security:
  Tools: Ethereal/Wireshark, Cain & Abel, Vomit, tcpkill, sip-kill, sip-proxykill, sip-redirectrtp, rtpproxy, PROTOS SIP Suite, ohrwurm, Fuzzy Packet, Teardown, Registration hijacker, Registration eraser, Registration adder, SIPCrack, enumIAX, SIPSCAN, DisAsterisk, custom tools
Testing:
  Load / Call Generation: SIPp, InviteFlood, IAXFlood, UDPFlood, RTPFlood, BreakingPoint, custom tools
Products:
  Call Management / Control: Asterisk PBX, Cisco Call Manager, Microsoft Live Communications Server, CrystaLAN Server
  Hard Phones: Cisco 7912, Cisco 7940, Cisco 7960
  Soft Phones: Xten, Cubix, Microsoft Office Communicator, CrystaLAN Client, IAXPhone, Skype

Vulnerability Development
Reverse Engineering:
  Debuggers: gdb, Microsoft Debugger (windbg)
  Tracers: strace, ltrace, smem-map
  Binary Utilities: GNU BinUtils (objdump, readelf, strings, etc.), Metasploit tools (memdump, pescan), vi, 010Editor
  Disassembler / Decompiler: IDA Pro, dcc
Application Analysis:
  Source Code: vi, splint, cscope, grep
  Binary: BinDiff, GNU BinUtils (objdump, readelf, strings, etc.), Process Explorer, Filemon, Regmon, Winalysis, 010Editor
Black-Box Testing:
  Fuzzers: Sharefuzz, Peach, Fuzzy Packet, ohrwurm, DisAsterisk, netdude, BreakingPoint, custom tools
Protocol Analysis:
  Capture: Ethereal/Wireshark, tcpdump, Kismet, custom tools
  Generate: scapy, tcpprep, tcpreplay, paketto keiretsu, SIPp, Protos, custom tools
Exploit Development:
  Tools: Metasploit, shellforge
  Libraries: libcex, libexploit, libpcap, libnet, libipq, GPGme, Rex

Application Development
Languages:
  Compiled: IA-32/x86 Assembly, ANSI/POSIX C (UNIX environments)
  Interpreted: Ruby, bash, POSIX compliant shells, expect
Libraries:
  Exploit: libcex, libexploit, Rex
  Cryptography: OpenSSL, GPGme
  Data Management: libXML, libpq
  Networking: libpcap, libnet, libdnet, libipq
  User Interface: libncurses
  Smartcard: pcsc-lite, libmusclecard
Development Environments:
  Editors: vi (vim, elvis), 010Editor
  Compilers: nasm, gcc
  Build: ld, make
  Debuggers: gdb, Microsoft Debugger (windbg)
  IDEs: Eclipse, vi
  Revision Control: CVS, Subversion

EMPLOYMENT EXPERIENCE

10.07 to Present
BreakingPoint Systems Inc., Austin, Texas
Security Researcher
Providing Security Research for BreakingPoint includes:
• Discovery of new security vulnerabilities
• Analysis of publicly and privately disclosed vulnerabilities and/or software patches
• Development of vulnerability exploits and attacks
• Team Lead for the Application Simulator content team
Accomplishments at BreakingPoint include:
• Development of a significant number of "strikes" for the flagship product line of testing appliances
• Strike coverage for RFC 4475, SIP Torture Tests
• Re-design of the BPS system's protocol handler, uniting the Application Simulator, Security Component, and Protocol Fuzzer components in a single protocol generation framework.
• Speaking at Cisco's internal tools conference, Toolapalooza 2008, regarding the BreakingPoint product.
• Speaking at CSI-SX 2008; Presentation entitled "Keeping 'em Honest: Testing and Validation of Network Security Devices"
• Authored a whitepaper on simulating Distributed Denial-of-Service (DDoS) attacks using the BreakingPoint product.
• Enabling the Sales organization to close multiple product sales via rapid development of customer requests.

03.06 to 09.07
TippingPoint, a division of 3Com, Austin, Texas
VoIP Security Research
Providing VoIP Security Research for TippingPoint's DVLabs included:
• Deployment and security assessment of various VoIP platforms, technologies, commercial products, and open-source projects.
• Speaking at information security and hacker conferences on VoIP security topics and original research.
• VoIP security tools development.
• Assisting the Digital Vaccine group with development and testing of VoIP related filters for the TippingPoint IPS product line.
Accomplishments at TippingPoint include:
• Speaking at the DEFCON 15 hacker conference; Presentation entitled "Real-time Steganography with RTP"
• Research and Development of a method for real-time use of steganography with Real-time Transport Protocol (RTP), with implementation entitled "SteganRTP"
• Speaking at the ToorCon Seattle (beta) hacker conference; Presentation entitled "DisAsterisk: Sneak-Peek"
• Joint Design & Development of an Asterisk IPBX module entitled "DisAsterisk" providing VoIP protocol fuzzing and other capabilities useful to vulnerability researchers.
• Speaking at the EUSecWest information security conference; Presentation entitled "VoIP Attacks!"
• Capabilities extension of the RTPMixSound and RTPInjectSound tools using libfindrtp.
• Design & Development of an RTP session identification C library entitled "libfindrtp".
• Speaking at the ToorCon 8 information security conference; Presentation entitled "VoIP Attacks!"
• Design & Development of an IAX username enumeration tool entitled "enumIAX"
• Design & Development of an XML-based protocol session emulation tool providing capabilities such as load generation, session tracking, and protocol fuzzing, entitled "NetSamhain".
• Maintaining IPS coverage of major VoIP related vulnerabilities, attacks, and protocol anomalies.

08.05 to 02.06
Sipera Systems Inc., Richardson, Texas
VoIP Vulnerability Research & Development
Providing VoIP Vulnerability Research & Development for Sipera included:
• Management of the VIPER Lab research group.
• System, protocol, and software analysis and vulnerability development
• Architecture / Infrastructure assessment & penetration testing
• Black-box testing of various closed-source / proprietary appliances and components
• Security tools development
• Prepare whitepapers and presentations for publication and presentation to customers as well as at industry conferences
• Build and manage a more extensive vulnerability research team as workload for the above responsibilities requires
Accomplishments at Sipera include:
• Creation of a mobile assessment platform for use in various vulnerability assessments
• Design, implementation, and deployment of two Linux based site firewalls with site-to-site IPsec VPN connectivity including a PPTP VPN server enabling user VPN-client connectivity.
• Designed and managed a team of developers to implement a protocol fuzzing tool.
• Determination, documentation, and implementation of protocol fuzzing profiles for various VoIP and VoIP related protocols such as RTP, RTCP, Skinny, and UMA/GSM protocols in an XML format for the aforementioned fuzzing tool.
• Development of various smartcard (GSM-SIM) interface and analysis tools.
• Managed and provided technical lead to a team of developers to integrate the open source VPN tool racoon2's IKEv2 implementation with FreeRADIUS's EAP and EAP-SIM implementations.
• Created and managed the VIPER Lab research group.

04.03 to 08.05
Citadel Security Software, Dallas, Texas
Vulnerability Remediation Alchemist / R&D
Providing Development of Vulnerability Remedies for Citadel included:
• Research of existing vulnerabilities for Linux, Solaris, HP-UX, AIX, and other UNIX platforms.
• Determination / development of one or more applicable remedies for aforementioned vulnerabilities.
• Development of a Hercules Remedy (product instruction set) from said remedies for use by the Hercules product in automated vulnerability remediation.
• Unit-testing of developed Hercules Remedies.
Providing Research & Development for Citadel included:
• Documentation and preparation of analysis white papers, reports, advisories, etc. for discovered vulnerabilities and flaws in software, technologies, methodologies, processes, etc.
• Developing new and improving existing methodologies, processes, and procedures.
• Reviewing and approving information security industry news stories and other content for release via Citadel's "2 Minute Warning" daily podcast.
Accomplishments at Citadel include:
• Development of a large portion of the Hercules product's UNIX remedy library.
• Development of an automated unit-testing suite for the RedHat Linux and Solaris platforms.
• Development of an exploit development source code library.
• Development of a shell script function library for use in Hercules Remedies.
• Security and functionality analysis of various potentially acquired technologies.
• Creation of exploit and shell-code T-Shirt payloads for use as marketing and conference swag.
• Development of an exploit database for exploits both found in the wild as well as re-worked and original exploits.
• Developed, documented, and maintained the Hercules Baseline Remedy Dataset for UNIX platforms.

03.02 to 04.03
Penson Financial Services, Inc., Dallas, Texas
Information Security Specialist
Providing Information Security for Penson included:
• Secure network architecture consulting to the Connectivity Group
• Firewall/VPN management including policy, topology, and process design.
• Intrusion detection / Incident response
• Accounting and reporting management
• Network visibility & surveillance
• Linux related projects and migrations
Penson Financial's public and private networks consist of the following components:
• The full range of Cisco routers
• Cisco Catalyst switches
• Checkpoint FW1/NG Firewall/VPN devices (Secure Platform, Win2000)
• Linux Netfilter / FreeS/WAN Firewall/VPN devices
• Netscreen Firewall/VPN appliances
• Radware Linkproof/Fireproof Load-balancers
• Foundry Load-balancers
• Intel based Compaq and Dell servers and workstations
• WYSE Winterm thin clients
Accomplishments at Penson Financial include:
• Design, development, and deployment of a centralized logging, accounting, and reporting system enabling automated systems and the IT department groups to react to network, security, and desktop issues in real time.
• Development and implementation of an enterprise-wide information security strategy.
• Development and implementation of an Incident Response procedure.
• Implementation and policy design of a Snort Intrusion Detection System.
• Design and implementation of an NTP architecture.
• Design and implementation of an IRC network, IRC Services, and management / accounting IRC eggdrop bots.
• Development of a Slackware Linux software package management tool similar to Windows Update.
• Modified existing Linux+ Certification training courseware to better suit the Penson environment and trained most of the IT Department in general Linux environment and administration using this courseware.
• Design and implementation of multiple Firewall and VPN solutions on the Linux IPTables, Checkpoint 4.1/NG, and Netscreen platforms, including bridged, high availability, and load balanced configurations.
A complete employment history is available upon request.

INDUSTRY / COMMUNITY PROJECTS

Metasploit Project - http://www.metasploit.com
10.2007 - Present
Metasploit provides useful information and tools to security professionals who perform penetration testing, IDS signature development, and exploit research. This project was created to provide information on exploit techniques and to create a useful resource for exploit developers and security professionals.
Contributions: Development of the context-keyed encoding system for MSF payloads, development of the Metasploit Telephony Library enabling exploitation of dialup targets, development of the MSF Wardialer used for telephone scanning, and various exploit modules (see Software; exploits below).

Uninformed Journal - http://www.uninformed.org
02.2007 - Present
Uninformed is a research journal providing a technical outlet for research in areas pertaining to security technologies, reverse engineering, and low-level programming.
Contributions: Member of the Article Review Board.

VoIP Security Alliance (VoIPSA) - http://www.voipsa.org
03.2006 - Present
VoIPSA is a vendor-neutral community project which aims to fill the void of VoIP security related resources through a unique collaboration of VoIP and Information Security vendors, providers, and thought leaders.
Contributions: Member of the Technical Advisory Board, active participation in the VoIPSec e-mail forum, contribution to the "Voice of VoIPSA" Blog via original articles and commentary on news items, joint maintainer of the VoIPSA "VoIP Security Tools" list project, and Document Editor for the VoIPSA Best Practices project.

Sender Policy Framework (SPF) v.1 - http://www.openspf.org
04.2003 - 07.2004
SPFv1 (RFC-4408) fights email address forgery and makes it easier to identify spam, worms, and viruses. Domain owners identify sending mail servers in DNS. SMTP receivers verify the envelope sender address against this information, and can distinguish legitimate mail from spam before any message data is transmitted.
Contributions: Assisted in protocol version 1 syntax design, discussion in regards to barriers to implementation, technical caveats, security of the protocol, and other issues that arose on the discussion list.

A complete account of involvement in community and industry projects is available upon request.

PUBLISHED WORKS / SPEAKING ENGAGEMENTS / MEDIA

Papers
For paper abstracts, please see http://druid.caughq.org/papers/
Context-keyed Payload Encoding - Uninformed Journal, Volume 9, Article 3
Metasploit Framework Telephony - BlackHat USA 2009 Conference Proceedings
Mnemonic Password Formulas: Remembering Secure Passwords - Uninformed Journal, Volume 7, Article 3
Real-time Steganography with Real-time Transfer Protocol - Uninformed Journal, Volume 8, Article 1

Speaking Engagements
For presentation abstracts, please see http://druid.caughq.org/presentations/
Context-keyed Payload Encoding
  2007.10.21 - ToorCon 9, San Diego, California, USA
DisAsterisk Sneak-Peek
  2007.05.12 - ToorCon Seattle (beta), Seattle, Washington, USA
Keeping 'em Honest: Testing and Validation of Network Security and Monitoring Devices
  2008.04.27 - Computer Security Institute Security eXchange (CSI SX 2008), Las Vegas, Nevada, USA
Metasploit Framework Telephony
  2009.07.29 - BlackHat USA 2009, Las Vegas, Nevada, USA
  2009.08.01 - DEFCON 17, Las Vegas, Nevada, USA
Mnemonic Password Formulas
  2007.05.16 - IEEE Computer Society, Austin, Texas, USA
  2005.07.20 - dc214 (Dallas DefCon Chapter), Dallas, Texas, USA
Real-time Steganography with RTP
  2007.08.04 - DEFCON 15, Las Vegas, Nevada
SmartCard Security: GSM-SIM
  2006.08.30 - AHA! (Austin Hackers Association), Austin, Texas, USA
Steganography Primer
  2006.11.30 - IEEE Consultants Network of Central Texas, Austin, Texas, USA
  2006.10.12 - Austin Linux Users Group, Austin, Texas, USA
  2006.03.04 - North Texas Snort Users Group @ University of Texas Dallas, Dallas, Texas, USA
  2005.01.12 - dc214 (Dallas DefCon Group), Dallas, Texas, USA
VoIP Attacks!
  2007.11.06 - Computer Security Institute Annual Conference (CSI 2007), Washington D.C., USA
  2007.03.01 - EUSecWest Conference, London, England
  2007.02.22 - IEEE Consultants Network of Central Texas, Austin, Texas, USA
  2006.10.01 - ToorCon 8 Conference, San Diego, California, USA

Security Advisories
Advisories authored by I)ruid: http://www.caughq.org/advisories/
CAU-2006-0001: Myspace.com Trojaned Navigation Menu
CAU-2004-0002: imwheel Predictable PidFile Name Race Condition
CAU-1999-0001: HP JetDirect Printers and Print Servers - DoS / spam
CAU-1998-0005: Yahoo Search Engine - Search Engine Reply Manipulation
CAU-1998-0004: GTE Cybercenter - Software Restrictions Subversion
CAU-1998-0003: GTE Cybercenter - Web Browsing Access Control Subversion
CAU-1998-0002: Cytlok for Windows 95 - Site (URL) Access Control Subversion
CAU-1998-0001: Cytlok - Local Network Segment Remote DoS

Software
1994 - Current
Exploits (authored by I)ruid):
  http://www.caughq.org/exploits/
  http://www.milw0rm.com/author/248
SourceForge Projects:
  http://sourceforge.net/users/druid-cau/
  http://sourceforge.net/users/dustintrammell/
Other Projects:
  http://druid.caughq.org/projects/
  http://www.dustintrammell.com/projects.html
Misc. Code:
  http://druid.caughq.org/src/
A detailed overview of past development projects is available upon request.

Television / Radio
CNN LIVE - Corporations Fight Back
April 6th, 1998 - Aired at 6:24pm CST, Cable News Network (CNN)
During this interview, a colleague and I demonstrated a system penetration attack using netcat to take control of processes on Windows 95/98/NT via a custom Trojan application.
The New Face of Cybercrime, Fortify Software Productions
A short video clip from my interview was included in this documentary film regarding corporate security and covert channels.
Hackers are People Too, Ashley Schwartau
A forty-five minute documentary on Hackers, hacker culture, and hackers in everyday real life.

A complete account of published works, speaking engagements, and media involvement is available upon request.

REFERENCES

References are available upon request.