[2012 CodeEngn Conference 06] posquit0 - Defcon 20th : The way to go to Las Vegas

2012 CodeEngn Conference 06

Defcon is one of the most prestigious security conferences in the world, held every year in Las Vegas, and it runs a CTF competition. Presenting at Defcon, or advancing to the CTF finals, is so prestigious that it is spoken of as "the hackers' dream". For that reason, skilled security groups from all over the world compete every year for a ticket to the CTF finals; this year too the Defcon CTF qualifier was held, and world-famous hacking groups took part. This talk works through several interesting problems from the 2012 Defcon CTF qualifier and, based on the author's own experience in the finals, explains the overall flow, the operation and the strategy of the Defcon CTF competition.

http://codeengn.com/conference/06

    Presentation Transcript

    • Park Byung-jin (박병진, Posquit0) | B10S / POSTECH CSE | 2012.07
      Defcon 20th: The way to go to Las Vegas
      pbj92220@postech.ac.kr | http://hackcreative.org
      www.CodeEngn.com, CodeEngn ReverseEngineering Conference
    • Table of contents
      1 WTF is Defcon? (1-1 Who, 1-2 What)
      2 For Las Vegas (2-1 Criteria, 2-2 How About This Year?, 2-3 No Money?)
      3 Interesting Problems (3-1 So Easiness, 3-2 So Bombness, 3-3 So Funniness, 3-4 So Mathness, 3-5 So Puzzlingness)
      4 In Las Vegas (4-1 Waiting For You, 4-2 Capture The Flag, 4-3 Advanced Tips, 4-4 Conclusions)
    • WTF is Defcon?: Who
    • Jeff Moss (The Dark Tangent): the founder of the Black Hat and Defcon computer hacker conferences. "Show me the money, bro ..."
    • WTF is Defcon?: What
    • Defcon: one of the world's largest annual computer hacker conventions, and the dream of many hackers. Held every year in Las Vegas, Nevada. I love girls, casinos and Las Vegas!!
    • Defcon CTF (Capture The Flag): the best known of the several Defcon contests (the others include CTP (Capture The Packet), Open CTF, etc.) and the most prestigious network attack-and-defense competition in the world. To be the best of the best!!
    • For Las Vegas: Criteria
    • If you want to participate in the CTF (slide figure: the three ways in, covered on the next three slides)
    • Last Winners: (1) the returning winner of the previous Defcon CTF. It is the hardest way, but I want to do it this way... And you?
      History of Capture the Flag
      Organizers: DDTEK 2009 - present; KENSHOTO 2005 - 2008; GHETTO HACKERS 2002 - 2004
      Winners:
        DC | Winner | OS | N (Teams)
        16 | Sk3wl0fr00t | FreeBSD | 8 teams
        17 | Vedagodz | FreeBSD | 10 teams
        18 | ACME Pharm | FreeBSD + Debian | 10 teams
        19 | The European Nopsled Team | FreeBSD | 12 teams
        20 | WOWHACKER-PLUS or KAIST GoN!?? | ????? | 20 teams
    • The Other Winners: (2) eight winning teams from other CTF events (for DC 20). Maybe this is also a good way :D
      Other CTF contests whose winners qualified for DC 20:
      • UCSB iCTF 2011
      • CodeGate 2012
      • NCCDC
      • Hack In The Box 2012 Amsterdam
      • Positive Hack Days 2012
      • Nuit Du Hack 2012 CTF
      • Defcon 19 Open CTF
      • RuCTF 2011
    • Qualification: (3) ten teams pre-qualify online. This is the normal and best way. It runs for 48 hours, with no limit on the number of team members, so forming a union with another team may well be a good choice :-)
    • Qualification (in DC 20): the fields
      • Grab bag: web, network, programming, etc.
      • /urandom: trivia, crypto, algorithms, etc.
      • binary l33tness: reverse engineering
      • Pwnables: remote exploits
      • Forensics: digital forensics
      (Scoreboard legend on the slide: Solved, Not Solved, Not Solved by any team, Solving, Not Opened.)
      Total score: five categories, each with problems worth 100 to 500 points, so 1500 * 5 = 7500 pts
    • For Las Vegas: How About This Year?
    • Last Winners: the Defcon 19 CTF winner, European Nopsled Team. Oh, handsome guys :D
    • The Other Winners:
      Year | Contest | Winner
      2011 | UCSB iCTF | We_0wn_You
      2012 | CodeGate | KAIST GoN
      2012 | NCCDC | Team Hillarious
      2012 | Hack In The Box Amsterdam | SiBears
      2012 | Positive Hack Days | More Smoked Leet Chicken
      2012 | Nuit Du Hack | HackerDom
      2011 | Defcon 19 Open CTF | Team Vand
      2011 | RuCTF | 0ldEur0pe
    • Qualification: 303 teams in total. (Slide charts: the share of points among the top teams, Hates Irony, PPP, 侍, sutegoma2, Shellphish, TwoSixNine, European Nopsled Team and More Smoked Leet Chicken, at roughly 8-9% each; and the score distribution: 32% of teams at 100 pts, 19% at 200-400 pts, 20% at 500-900 pts, 14% at 1000-1900 pts, 6% at 2000-2900 pts, 5% at 3000-3900 pts, 4% above 4000 pts.)
    • Qualification results:
      Rank | Team | Score | Status
      1 | Hates Irony | 4900 | Qualified!
      2 | PPP | 4800 | Qualified!
      3 | 侍 | 4400 | Qualified!
      4 | sutegoma2 | 4400 | Qualified!
      5 | Shellphish | 4400 | Qualified!
      6 | TwoSixNine | 4400 | Qualified!
      7 | European Nopsled Team | 4200 | DC 19 winner!
      8 | More Smoked Leet Chicken | 4100 | Positive Hack Days winner!
      9 | Our name sucks | 4100 | Qualified!
      10 | ACME Pharm | 4100 | Qualified!
      11 | WOWHACKER-PLUS | 4100 | Qualified!
      12 | Routards | 3900 | Qualified!
      (Ranks 7 and 8 already held a finals seat as winners of other events, so the ten online qualifying slots reach down to rank 12.)
      Only one team is Korean: WOWHACKER-PLUS. Come back as the Defcon 20 CTF winner :D
    • For Las Vegas: No Money?
    • Defcon CTF prizes: no prizes, only honor! It's such a cool contest :D. Defcon CTF support: only two hotel rooms for four days, not airfares :-(. Not good...
    • Airfares, hotel bills, etc.: if you are qualified, don't worry about money :D. Maybe this is also a good way :D. There are many security vendors among the sponsors; they will be your sponsor!
    • Interesting Problems: So Easiness
    • Grab Bag 100. Introduction: "Hack the planet_". It's so trivial :D. How to solve? What is the last character?
    • Auth Key (screenshot)
    • Interesting Problems: So Bombness
    • Binary l33tness 200. Introduction:
      • Running on 140.197.217.155:18703
      • ELF 32-bit LSB executable for FreeBSD 9.0, stripped
      • Username: grease
      • Hash collision challenge
    • How to solve, I. Binary patch: for convenience, patch the SIGALRM timeout code. I used Radare2 to fix the binary. (Screenshots: before and after the patch.)
    • How to solve, II. Code analysis: (1) the service receives the passcode four times; (2) it reads an input size and two inputs; (3) if the two inputs collide under the hash, success :D
    • How to solve, III. Approach: is it a known hash algorithm? Then it's easy :D. Entering the hash function shows an unknown table. Google is GOD :D. Found!! The Tangle hash function!! "Untangled" (DTU Mathematics, Technical University of Denmark) gives a Tangle hash collision. Collision!!
    • How to solve, IV. Attack: I used Python :D (lovely Python!!). Send the four passcodes to enter the main routine, then length 40 and the two colliding Tangle messages. (Screenshots of the exploit script.)
    • How to solve, V. Result: Go! Go! Go! My precious :D
    • Auth Key: the key is 437f085141d357c5d28850d5119aacb5
    • Interesting Problems: So Funniness
    • /urandom 100. Introduction: "How many developers;) did it take to secure Windows 8?"
    • How to solve: brute force attack! I know, you did it, haha. Steve Ballmer in "Techno Developers"! Omg, is it true!? (Screenshot of the auth key.)
    • Interesting Problems: So Mathness
    • Binary l33tness 400. Introduction:
      • "No takebacks!" Running on 140.197.217.239:11553
      • ELF 64-bit LSB executable for FreeBSD 9.0, stripped
      • Username: takeback
      • Personally, the most interesting challenge
    • How to solve, I. Binary patch: for convenience, patch the SIGALRM timeout code. I used Radare2 to fix the binary. (Screenshots: before and after the patch.)
    • How to solve, II. Code analysis (I referenced SapHeads's pseudocode :D): (1) the service receives the passcode four times; (2) it reads the count for the big loop; (3) the important big loop; (4) the small loop; (5) the success path.
    • How to solve, III. Approach:
      (1) How to satisfy the following conditions? r14 is a 64-bit register :D. r14 must be 0xFFFFFFFFFFFFFFFF: all of its bits must be switched on.
      (2) How to set the bits of r14 to 1? One loop iteration turns one bit on.
      (3) So the count for the big loop must be at least 64 :D. Pick 64!!
      (4) We have two restrictions :-(. How can we traverse all of the bits? 1st restriction: the offset. 2nd restriction: modulo 8.
      (5) The shift is of signed int type!! Very g00d :D
      (6) What happens if the shift is negative? Bye~ modulo 8 :D. Negative % 8 = negative. We can freely pick some offsets: -15, -6, +10, +17.
      (7) How to select a sequence of numbers? Think mathematically :D. GCD(-15, 64) = GCD(+17, 64) = 1, so they are generators of the additive group modulo 64: {X + n*(-15)} mod 64 or {X + n*(+17)} mod 64 generates [0 .. 63].
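The traversal argument above, as an added Python model (my own example, not the speaker's exploit script, which appears only as a screenshot on the slides). It models just what the slides state: each iteration of the big loop turns on the bit at position (X + n*shift) mod 64, the shift is a signed int, and a C-style remainder of a negative number is negative. The binary's exact offset and modulo-8 checks are not on the page, so they are not modelled; `c_mod` only reproduces the signed-remainder behaviour the speaker relies on, and the function and constant names are mine.

```python
from math import gcd

WORD_BITS = 64                      # r14 is a 64-bit register
ALL_ONES = (1 << WORD_BITS) - 1     # 0xFFFFFFFFFFFFFFFF, the value r14 must reach


def c_mod(a: int, m: int) -> int:
    """Remainder as C computes it for signed ints: the result takes the sign
    of the dividend, so c_mod(-15, 8) == -7. Python's own -15 % 8 is 1, which
    is why a helper is needed to show the slide's 'negative % 8 = negative'."""
    r = abs(a) % m
    return -r if a < 0 else r


def bit_positions(start: int, shift: int, count: int) -> list:
    """Bit index touched by iteration n: (start + n*shift) mod 64. Python's %
    always yields 0..63 here, which is the 'additive group modulo 64' view."""
    return [(start + n * shift) % WORD_BITS for n in range(count)]


def r14_after_loop(start: int, shift: int, count: int) -> int:
    """Model of the big loop: r14 starts at 0 and every iteration ORs in one
    bit. The challenge succeeds only when all 64 bits are set."""
    r14 = 0
    for pos in bit_positions(start, shift, count):
        r14 |= 1 << pos
    return r14


def is_generator(shift: int) -> bool:
    """A step generates all of Z/64Z exactly when gcd(shift, 64) == 1."""
    return gcd(shift, WORD_BITS) == 1


def reachable_count(shift: int) -> int:
    """Distinct bit positions a step can ever reach: 64 / gcd(shift, 64)."""
    return WORD_BITS // gcd(shift, WORD_BITS)


if __name__ == "__main__":
    for shift in (-15, -6, +10, +17):      # the offsets the speaker lists as pickable
        print(f"shift {shift:+d}: c_mod(shift, 8)={c_mod(shift, 8):+d}, "
              f"generator={is_generator(shift)}, reaches {reachable_count(shift)} bits, "
              f"r14 after 64 iterations = {r14_after_loop(0, shift, 64):#018x}")
```

Of the four offsets the slide lists, only -15 and +17 are coprime to 64; -6 and +10 share a factor of 2 with 64 and can never reach more than 32 bit positions, however many iterations are run, which is why the speaker's choice of -15 (with exactly 64 iterations) is the right one.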
    • How to solve, IV. Attack: I used Python :D (lovely Python!!). Four passcodes to enter the main routine; my choice of offset: -15. (Screenshots of the exploit script.)
    • How to solve, V. Result: Go! Go! Go! My precious :D
    • Auth Key: the key is 59e22b484b703801c019d4da0f7a3316
    • Interesting Problems: So Puzzlingness
    • Grab Bag 300. Introduction: "This is semi-real. :-(". 140.197.217.85:10435, password: 5fd78efc6620f6
    • How to solve, I. Analysis: same positions :D ... timeout ... (four screenshots of the service)
    • How to solve, II. Approach: only three steps :D. Try it!! (1) Parse the number table; (2) get the PIN numbers; (3) calculate the positions.
    • How to solve, III. Attack (demo)
    • Auth Key: the key is $9238740982570237012935.32
    • In Las Vegas: Waiting For You
    • Las Vegas: Welcome to Las Vegas! A beautiful city :D
    • Casino: Have you ever been to a casino? Do not become addicted :(
    • Girls: anywhere you go you can see sexy girls. If you have a girlfriend, avoid it :D
    • In Las Vegas: Capture The Flag
    • Defcon CTF (Capture The Flag): this year, the 20 top qualifying teams are pitted against each other in an all-out digital war (last year, only 12 teams). Attack and defend the custom services provided to each team. It's important: the winning team receives the coveted Defcon Black Badges. Hmm... give me a badge! lol
    • CTF blueprint (slide figure): a gateway connecting Team 1, Team 2 and Team 3 (each with its own team server) and the auth server.
    • Defcon CTF director & USB: the director provides a USB stick for the CTF containing
      • the root password
      • the home folder (vulnerable daemons)
      • the key and cert files for authentication
      • a readme
    • Defcon CTF disposition: contest room, 8 members; lounge or anywhere, no limit :D
    • Defcon CTF attack: read the key (steal information) or overwrite the key (corrupt information). Keys are periodically updated by the contest organizers, so continue to attack.
    • Defcon CTF attack, read key: read the other team's '~/key' file and auth it (steal information). Keys are refreshed every 600 s. (Figure: Team 1 attacker -> Team 2 vulnerable daemon -> auth server.)
    • Defcon CTF attack, overwrite key: overwrite the other team's '~/key' file (corrupt information). Keys are refreshed every 600 s. (Figure: after the overwrite, the auth server's question "Team 1 key?" is answered with "I don't know correctly :-(".)
    • Defcon CTF attack, auth: how to auth? Using SSL (Secure Sockets Layer), with the files on the USB stick: server.cert, team_X_key, team_X_key.cert. (Screenshots of the auth session.)
    • Defcon CTF defend: patch the daemon's vulnerability; don't touch the daemon's service; fix the '/bin/' permissions; prevent remote shells.
    • Defcon CTF defend, binary patch: use hex editors, etc.: 010 Editor, WinHex, IDA, Radare2, etc. Radare2 is a disassembler, hex editor, debugger and more; it was written up in Phrack :D
    • Defcon CTF defend, binary patch with Radare2:
      (1) Open the binary file with the '-w' option ('-w': write mode)
      (2) Set the address for edits: 's <address>' (seek)
      (3) Analyze the function and print it disassembled: 'af' (analyze function), 'pdf' (print disassembled function)
      (4) Enter visual mode, which looks like the VIM editor: 'V' (visual mode); 'h', 'j', 'k', 'l' scroll
      (5) Change the disassembly view: press 'p' to change the view mode
      (6) Find the position to patch using the cursor: press 'c' to enable the cursor
      (7) Edit the code: press 'w' to write hex bytes or 'a' to write an assembled opcode
      (8) Patched :D
    • Defcon CTF scoring, how to calculate:
      • Each daemon is worth 100 points
      • For a given attacker, V = victim, S = service: the attacker's partial score for the service is their percentage (0-100) of all keys stolen from V via service S
      • Overwrites are scored the same way
    • Scoring examples (attack = steal or overwrite a key; Team 2 runs the vulnerable daemon, Teams 1, 3, 4 and 5 attack it):
      Team | Auths | Score
      Team 1 | 10 times | 10 pts; Team 3 | 40 times | 40 pts; Team 4 | 20 times | 20 pts; Team 5 | 30 times | 30 pts
      Team 1 | 2 times | 100 pts; Teams 3, 4 and 5 | 0 times | 0 pts
      Team 1 | 3 times | 75 pts; Team 3 | 1 time | 25 pts; Teams 4 and 5 | 0 times | 0 pts
    • Breakthrough!!: Team 1 steals the key once from each of the 19 other teams (Team 2 ... Team 20) via a daemon no other team manages to exploit, so its share is 100% everywhere: 1 time each, 1900 pts. Read and overwrite: 3800 pts.
    • Total score = Sum(steals score + defaces score) * SLA, where SLA (Service Level Availability) = average number of daemons running (cumulative) = Sum(number of daemons running) / Sum(number of daemons)
    • VIP (Very Important Points): breakthrough; SLA (Service Level Availability), no shutdown!
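The scoring rules above, worked through as an added Python calculator (my own example, not code from the contest organizers). The per-service share rule, the 100 points per daemon and the SLA formula come from the slides; the data layout (one (attacker, victim, service, kind) record per successful auth), the daemon name `tomato`, the `auths_against` helper and the SLA check samples are my assumptions, and the auth counts are constructed to reproduce the slide tables.

```python
from collections import Counter

DAEMON_POINTS = 100            # each daemon (service) is worth 100 points per victim
STEAL, DEFACE = "steal", "deface"


def share_scores(auths):
    """auths: iterable of (attacker, victim, service, kind) records, one per
    successful auth of a key to the auth server. Returns a dict keyed by the
    same 4-tuple whose value is the attacker's share, 0..100, of all keys of
    that kind taken from victim V via service S. Shares over one (V, S, kind)
    always sum to 100, so a lone attacker gets the full 100 however few keys
    they auth, and a crowded service is worth little to each attacker."""
    per_attacker = Counter(auths)
    per_target = Counter()
    for (attacker, victim, service, kind), n in per_attacker.items():
        per_target[(victim, service, kind)] += n
    return {key: DAEMON_POINTS * n / per_target[key[1:]]
            for key, n in per_attacker.items()}


def attack_score(auths, team):
    """Sum of a team's steal and deface shares over every victim and service."""
    return sum(pts for (attacker, _, _, _), pts in share_scores(auths).items()
               if attacker == team)


def sla(running_per_check, daemons_per_check):
    """SLA = Sum(daemons running) / Sum(daemons), cumulative over all checks."""
    return sum(running_per_check) / sum(daemons_per_check)


def total_score(auths, team, running_per_check, daemons_per_check):
    """Total = (steals + defaces) * SLA, as on the scoring slide."""
    return attack_score(auths, team) * sla(running_per_check, daemons_per_check)


def auths_against(victim, service, kind, counts):
    """Constructed helper: expand {team: n} into n auth records per team."""
    return [(team, victim, service, kind) for team, n in counts.items() for _ in range(n)]


# Constructed data reproducing the three slide tables: Team 2 runs the
# vulnerable daemon 'tomato' (name assumed), Teams 1, 3, 4 and 5 attack it.
SLIDE_1 = auths_against("Team2", "tomato", STEAL, {"Team1": 10, "Team3": 40, "Team4": 20, "Team5": 30})
SLIDE_2 = auths_against("Team2", "tomato", STEAL, {"Team1": 2})
SLIDE_3 = auths_against("Team2", "tomato", STEAL, {"Team1": 3, "Team3": 1})

# Breakthrough: Team 1 alone steals (and, in the second list, also defaces)
# one key from each of the 19 other teams.
OTHERS = [f"Team{i}" for i in range(2, 21)]
BREAKTHROUGH_READ = [("Team1", v, "tomato", STEAL) for v in OTHERS]
BREAKTHROUGH_BOTH = BREAKTHROUGH_READ + [("Team1", v, "tomato", DEFACE) for v in OTHERS]

if __name__ == "__main__":
    for auths in (SLIDE_1, SLIDE_2, SLIDE_3):
        print({t: attack_score(auths, t) for t in ("Team1", "Team3", "Team4", "Team5")})
    print(attack_score(BREAKTHROUGH_READ, "Team1"), attack_score(BREAKTHROUGH_BOTH, "Team1"))
    # Assumed SLA samples: 4 daemons checked 3 times, one daemon down during one check.
    print(total_score(BREAKTHROUGH_BOTH, "Team1", [4, 3, 4], [4, 4, 4]))
```

Two things the formula makes visible: auth volume against a service that everyone is exploiting buys almost nothing (40 auths in the first table are worth 40 points, 2 auths alone are worth 100), and because SLA multiplies the whole attack total, a single daemon left down during a check costs a fixed fraction of every point earned, which is what the "no shutdown!" slide is about.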
    • In Las Vegas: Advanced Tips
    • Network setting (slide figures, four views of the same diagram):
      Provided: the gateway (connected to the other teams), a dummy hub, and the team server (running the daemons).
      Must prepare: a laptop for masquerading (packet capture, and routing so that both the Internet and the contest intranet can be used), a laptop for servers (a FreeBSD VM server, a web server to share information, an IRC server to chat with members, a VPN server for the other members), the members' laptops, and wireless Internet.
      The figure marks the route for attack and the route for defend; both pass through the masquerading laptop between the gateway and the team server.
    • Masquerading (packet capture): capture the incoming attack packets of the other teams and repeat the other team's payload against the enemy; capture the outgoing packets that include a key, and modify the key in the packet or drop the packet. (Figure: the masquerading laptop sits between the gateway and the team server, capturing packets.)
    • Disposition for efficiency: Server Manager (1), Network Manager (2), Global Hogu Finder (1), Exploit Manager (1), Reverser & Exploiter (∞). The Global Hogu Finder is very, very important :D ("hogu" is Korean slang for an easy mark.)
      Contest room: Server Manager 1, Network Manager 2, Global Hogu Finder 1, Reverser & Exploiter 3, Exploit Manager 1, total 8
      Lounge or anywhere: Reverser & Exploiter ∞, total ∞
    • Positions, Server Manager: the team server is managed only by the Server Manager (an important position :D). Test the daemons' services, for a high SLA (Service Level Availability). Manage the daemon versions: when changing a daemon, set a version, e.g. tomato -> tomato.1
    • Positions, Network Manager: capture and filter the incoming packets and share them with the other members (very important :D). Drop or modify outgoing packets that contain a key (it depends!). Manage the web, IRC, VPN and masquerading servers. Once in a while, check the server logs.
    • Positions, Global Hogu Finder: social hacking of the other teams' members? If you can :D. Analyze the other teams' server environments. Hack the other teams' servers or laptops. Brute-force or guess the password of the other teams' daemon servers. Get root, then you can read all of the keys.
    • Positions, Exploit Manager: manage the exploit code from the other members: does it work correctly? Modify the exploit code to each other team's situation (every team's defense is different). Authenticate to the auth server and get points :D
    • Positions, Reverser & Exploiter: find vulnerabilities in the daemons (mostly BOF or FSB vulnerabilities :D). Patch the vulnerability and give it to the Server Manager, as soon as possible. Analyze the other teams' packets and get their payload (lovely :D). Program exploit code and give it to the Exploit Manager. Pwn! Pwn! Pwn! HolyPwner!
    • Shellcode:
      • Reverse shellcode: fork a process; open a socket and connect to the listening server; dup2 stdin, stdout and stderr onto it; execve '/bin/sh'
      • Read-key shellcode: open the key file; read the key; write the key to the socket
      • Write-key shellcode: open the key file; write the auth key to the key file
      • Read & write key shellcode: open the key file; read the key; write the auth key to the key file; write the key to the socket
    • Shellcode, read-key shellcode example (screenshot). The shellcode should be made to suit the situation.
    • Shellcode: if the enemy does masquerading... OMG...? (Figure: the enemy's masquerading laptop, between their gateway and my team, drops or modifies the packet.)
    • Shellcode: how to avoid masquerading?
      • Shellcode encryption, packing, obfuscating, ...
      • Key encryption: XOR (very easy and convenient), ROT, ...
    • Shellcode, read XOR'd key shellcode: XOR key encryption shellcode example (screenshot). The XOR operation must also be applied on the server side.
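The masquerading defense from the network tips above (drop or modify outgoing packets that contain a key) and the XOR counter to it, as an added Python simulation (my own example; the real read-key and XOR shellcode on the slides are screenshots and are not reproduced here). Assumptions: the masquerading box matches on the 32-hex-character shape of the keys shown on the slides, the XOR byte 0x41 is an arbitrary choice of mine, `SAMPLE_KEY` reuses the key value printed on the Binary 200 slide as sample data, and all function names are mine.

```python
import re
from typing import Optional

# Keys on the slides look like 32 lowercase hex characters; the defender's
# masquerading box is assumed to match on that shape (assumption).
KEY_RE = re.compile(rb"[0-9a-f]{32}")
XOR_BYTE = 0x41   # arbitrary choice; the attacker's collector must know the same byte
SAMPLE_KEY = b"437f085141d357c5d28850d5119aacb5"   # key value from the slides, used as sample data


def xor_bytes(data: bytes, k: int) -> bytes:
    """Single-byte XOR; applying it twice restores the original."""
    return bytes(b ^ k for b in data)


def masquerade_filter(packet: bytes, mode: str = "modify") -> Optional[bytes]:
    """The defender's masquerading laptop as the slides describe it: an
    outgoing packet carrying a key is either dropped (returns None) or
    modified (the key is replaced with zeros). Anything else passes through."""
    if not KEY_RE.search(packet):
        return packet
    if mode == "drop":
        return None
    return KEY_RE.sub(b"0" * 32, packet)


def exfil_plain(key: bytes) -> bytes:
    """Plain read-key shellcode: write the key to the socket as-is."""
    return key + b"\n"


def exfil_xor(key: bytes, k: int = XOR_BYTE) -> bytes:
    """XOR read-key shellcode: encode the key before it hits the wire."""
    return xor_bytes(key, k)


def auth_side_decode(packet: bytes, k: int = XOR_BYTE) -> bytes:
    """'Also, should be XOR operation on the server side': the attacker's
    collector undoes the XOR before handing the key to the auth server."""
    return xor_bytes(packet, k)


def leaks_key_shape(packet: bytes) -> bool:
    """Would a pattern-matching masquerader spot a key in this packet?"""
    return KEY_RE.search(packet) is not None


def run_attack(key: bytes, encoded: bool, mode: str = "modify") -> Optional[bytes]:
    """Push the key through the victim's masquerading box and return what the
    attacker's side ends up with (None if the packet was dropped)."""
    wire = exfil_xor(key) if encoded else exfil_plain(key)
    seen = masquerade_filter(wire, mode)
    if seen is None:
        return None
    return auth_side_decode(seen) if encoded else seen.rstrip(b"\n")


if __name__ == "__main__":
    print("plain, modify:", run_attack(SAMPLE_KEY, encoded=False))   # zeros: auth will fail
    print("plain, drop:  ", run_attack(SAMPLE_KEY, encoded=False, mode="drop"))
    print("xor on wire:  ", exfil_xor(SAMPLE_KEY))                    # no hex run to match
    print("xor, modify:  ", run_attack(SAMPLE_KEY, encoded=True))     # original key recovered
```

With XOR byte 0x41 the digits become 'q'..'x' and 'a'..'f' become punctuation, so nothing on the wire matches the hex shape and the packet passes untouched; the plain version arrives as 32 zeros (or not at all), which is the "I don't know correctly" outcome at the auth server. The caveat the slide implies but does not say: a one-byte XOR only defeats shape matching. A defender who captures your exploit and already knows their own key can XOR the two to recover the byte, after which their masquerader can decode and rewrite your traffic too, which is why the slides go on to shellcode encryption and staged loading.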
    • Shellcode: how to avoid having my payload repeated against me? Read-key-over-UDP shellcode; staged loading shellcode; ...
    • Shellcode, staged loading shellcode: why use multi-stage loading shellcode? A small buffer for the shellcode; avoid masquerading; avoid the payload being repeated; execute a binary file using a binary loader; ...
    • Staged loading shellcode (1), two stages:
      Stage 1, minimum shellcode for the connection: must be small; free of NULLs; opens a new connection and reads additional data; jumps to the data and executes it.
      Stage 2, the payload to execute: other shellcodes, e.g. read-key shellcode, reverse connection shellcode, ...
      (Figure: attacker -> vulnerable daemon running the payload loader; the loader opens a new connection back to the attacker and reads the payload.)
    • Staged loading shellcode (2), three stages:
      Stage 1, minimum shellcode for the connection, as above.
      Stage 2, a binary loader for executing a binary.
      Stage 3, an executable binary, run by the binary loader.
      (Figure: the payload loader opens a new connection and reads the binary loader; the binary loader then reads the executable binary.)
    • Shellcode generator (screenshot)
    • In Las Vegas: Conclusions
    • Look at the big picture :D. There are many ways to cheat the other teams; attacking is not the only way to be the winner.
    • I wanna see the result below :D!!! Participate in the Defcon CTF qualification, and go to Las Vegas!!
      Rank | Team | Score | Status
      1 | KimchiMan | 7900 | Qualified!
      2 | Since1999 | 7800 | Qualified!
      3 | Unji | 7400 | Qualified!
      4 | Little H4ma | 7400 | Qualified!
      5 | Phantom: Secret between 0 and 1 | 7400 | Qualified!
      6 | Be5t of B3st | 7400 | Qualified!
      7 | SW M4e5tro | 7200 | Qualified!
      8 | H4nGukSaRam | 7100 | Qualified!
      9 | H4des | 7100 | Qualified!
      10 | RolyPoly | 7100 | Qualified!
    • References (참고자료)
      • Binary Mangling with Radare, by pancake: http://phrack.org/issues.html?issue=66&id=14#article
      • Defcon 101, by ramses@PLUS :D
      • SapHeads's write-up for Binary 400: http://x-n2o.com/bin400-dc20
      • Multi-Stage Loading Shellcode, by Jarkko Turkulainen: http://www.klake.org/~jt/mstage/
    • If you have questions, contact me :D pbj92220@postech.ac.kr. Thank you for listening. www.CodeEngn.com, CodeEngn ReverseEngineering Conference