Day 1 of the EUSecWest/core06 security conference in London...
by Justin Clarke
Related link: http://eusecwest.com
Here are my notes from day one of the first annual EUSecWest/core06
security conference in London:
from The Hacker's Choice
talked about IPv6 vulnerabilities, including the
differences, and similarities of performing certain types of exploits
in IPv4 and IPv6, and some of the new issues raised by the introduction
of IPv6. The
presentation can be downloaded from here.
Some of the interesting highlights from my point of view were:
- IPv6 is not in widespread use right now in Europe or
(it is in Japan and South Korea). A lot of the people using
IPv6 (especially over IPv4) at the moment are Blackhats
- A lot of the IPv4 reconnaissance techniques (such as
sweeping) are not possible on IPv6 due to the number of IP's in
the space - DNS is going to become key in identifying systems
- Once we can compromise a "public" server (i.e. one
find through DNS) we can use IPv6 multicast to find systems on that
- OSPFv3 relies on IPSec.... so we'd better be
or use another routing protocol
- vh has written a toolset (library?) for testing IPv6,
created a whole host of tools as part of the IPv6 attack suite:
- alive6 - for "alive" checking of hosts.
are on the
local subnet. Ping sweeping the Internet for live hosts is
going to be feasible in an IPv6 world
- parasite6 - for Man-in-the-middle attacks,
weaknesses in Neighbour Discovery protocol (the IPv6 replacement for
- dos-new-ipv6 - for preventing people from joining
network by claiming all IPs are already taken
- fake_router6 - for Man-in-the-middle attacks using
- smurf6 - local subnet DoS using multicast
- rsmurf6 - remote DoS for broken Linux IPv6 implementation
- redir6 - route implanting using "secure" ICMPv6 redirects
- toobig6 - reduce client's MTU
- vh tested various IPv6 implementations (Windows XP
SP2, Linux 2.6,
OpenBSD, FreeBSD 5.3), and found that all of the implementations were
vulnerable to one or more issues
- Source routing may make a
comeback, as all of the OS's tested passed on source routed packets,
and these can be disguised by putting a fragmentation header in front
of the routing packet, hence passing routers.
The next talk was by Barnaby
Jack (from eEye
about exploiting embedded
systems. This one was pretty interesting, and he was using a
standard D-Link DI-604 broadband router as the exploit target.
Here are some notes:
- A lot of embedded systems use ARM architectures, and
real time OS's such as ThreadX
- By using a JTAG emulator, and with some soldering,
hook up a debugger to the device and start debugging the firmware as it
- Because of the watchdog timer, the device may need
a patch to prevent the watchdog from resetting the device
- Modifying firmware involves figuring out how it is
encoded and checksummed by the vendor - from debugging the web server
- The demo was pretty impressive
- It used a LAN-side 0day bug in a function
the uPnP code for the router - the exploit removed the admin password,
and enabled the external WAN side admin port
- Uploaded modified firmware with a "payload" that
every .exe file downloaded through the router (popped up a command
prompt with "OWNED" on it)
Burroni and Carlos
Sarraute from CORE
Security gave a quite interesting talk on using
statistical methods and neural networks to more accurately determine
operating system versions from the network. They talked about
a couple of
- An improved DCE-RPC endpoint mapper, which much more
reliably determined what Windows version and service pack was running
- An OS detection tool using the nmap OS signature
designed to reduce false positives, and "improbable" results that you
can get with nmap
- first neural network to determine whether it is a
"relevant" OS or not (i.e. one we have exploits for)
- second neural network to determine what
OS family the system is - i.e. Linux, Windows, OpenBSD, FreeBSD,
- neural networks for each OS family to determine
what version is running.
Anh Quynh from Keio
University in Japan (he is involved
development of Xen) gave a talk on next generation honeypot technology
He talked about the weaknesses with Sebek in a honeynet environment -
specifically that there are several ways to detect that you are in a
honeypot, from detecting the presence of Sebek, to detecting the
traffic that it sends on the network.
He then talked about "Xebek", which uses Xen to run honeypot systems as
virtual machines ("user domains") within Xen, with the Xebek server
running on the "Domain 0" (host/first VM) on the machine.
Apparently this, patching the system calls in the kernel, and
using shared memory to share data with the server will fix most of the
weaknesses with Sebek.
There was a spirited discussion in the Q&A about how detectable
this approach will be versus the approach of Sebek. Quynh did
note that they are not attempting to hide the fact that the
in running in Xen, on the assumption that enough production systems
will be running Xen that it will not be suspicious.
Raynal from the EADS
Corporate Research Centre
talked about the (ab)use of crypto. This included discussion
number of scenarios where crypto, humans, and trust could be
abused, such as:
- breaking the crypto (mis)used in the SuckIt rootkit
versions 1 and 2 to take over a network of systems with SuckIt installed
- using the trust relations, and information stored in
user's directory to theorise the possibility of a SSH worm.
included noting the use of existing sessions and other methods of
capturing or leveraging existing access
- looked at methods/possibilities for preventing the
of a binary through the use of crypto, including differing situations
over keys and decryption
- looked at scenarios for performing Man-in-the-Middle
attacks against Skype.
Cerrudo from Argeniss
talked about Windows local shellcode injection. The technique
was demonstrating was based on the use of LPC named ports.
can see these things using Process Explorer from href="http://www.sysinternals.com">SysInternals.
He went through the process of connecting to a process's LPC
(including some of the problems, like how to find the name of the
port), create a shared memory section, and use the shared section to
put shellcode into the process's memory space. This also
you a pointer to where the shellcode resides, making exploit even
easier, more portable, and Windows version independant.
Cesar then went through and demonstrated his exploits for MS05-12 and
MS05-40 that leverage this approach.
Cushman from href="http://www.microsoft.com/security">Microsoft
came and talked about the work that MS is putting in on the security
front over their products. Andrew went through a lot of the
efforts that are going into Vista, as well as an interesting talk about
the Microsoft response to the WMF bug.