The NMRC Warez 2005 Extravaganza

1. The NMRC Warez 2005 Extravaganza DefCon 2005 nomad mobile research centre

2. “With just a few keystrokes, cybercriminals around the world can disrupt our economy.” - Ralph Basham, Director of the U.S. Secret Service at RSA 2005. “With just a few keystrokes, pundits can disrupt our freedoms.” - Daaih Liuh, NMRC, 2005 “With just a few keystrokes, I can turn those pundits off and watch porn instead.” – jrandom, NMRC, 2005

3. Who We Are

4. On To The Warez….

5. Updated Ncrypt • New features and bug fixes • Includes Todd MacDermind’s nrm, a drop-in replacement for rm for secure file erasure • More features for script integration (the users demanded it!)

6. Nmap Tools • nmap-report • Generate a list of IPs from your run of Nmap • nmap-diff • Diff on 2 days of nmap runs • nmap-wrapper • Nmap lots of hosts quickly

7. SPA • SPA is Single Packet Authentication, a single packet that can authenticate a user to a system • It is a protocol for allowing a remote user to authenticate securely on a “closed” system (limited or no open services) • Uses GPG to sign/encrypt a message to a sniffing server in a single TCP, UDP, or ICMP packet • Work across NAT • Free

8. TCP, UDP, or ICMP Packet Encrypted for 0xdeadbeef Signed with 0x12345678 ID,session keys, Timestamp, Command and control info Visual Representation Client 0x12345678 Server 0xdeadbeef

9. Sample Code Layout spa_client.pl spad GPG spa_client.pl spa_engine.pl spa_client.pl User Configs Firewall State

10. The Scanner – http-scan.pl • The beauty of a CLI • Easy to change XML config file • HTTP, some FTP (anon access and writability), some SQL (finds Slammer-vuln boxen) • Very fast, will fork off children (default 32) and will only scan systems that have been “identified” (this can be overridden) • Very few false positives • Free

11. Route Detector • Detect Multihomed Boxes and Misconfigured Network Devices • Scan Large Networks Quickly • Client Forges ICMP Echo Request with Signed Payload using Share Key • Server Sniffs ICMP, Compares Payload with Expected

12. NPC • NPC is Nearly Perfect Crypto. Seriously…. • It includes a utility for creating large one time pads (using the PRNG ISAAC) • Fast, simple and quick • If you can manage the key exchange, it is nearly the most perfect and unbreakable crypto you can get (one time pads are considered the ultimate crypto) • Key management is a bitch, and may render this impractical for modern humans

13. Why NPC Is So Fast and Secure /* main "crypto" loop */ while(1) { guaranteed_memset(iblock, 0, 16); guaranteed_memset(kblock, 0, 16); guaranteed_memset(oblock, 0, 16); isize = fread(iblock, 1, 16, ifp);  Read in a block of plaintext ksize = fread(kblock, 1, 16, kfp);  Read in a block of the key (remember, key mgmt is hard...) if(isize <=0) { fprintf(stderr,"%s: === Unable to read data: %s\n",PACKAGE,ifile); exit(-1); } if(ksize <=0) { fprintf(stderr,"%s: === Unable to read data: %s\n",PACKAGE,kfile); exit(-1); } for(i = 0; i < isize; i++) oblock[i] = iblock[i] ^ kblock[i];  wicked crypto (XOR! Fast!) osize = fwrite(oblock,isize,1,ofp);  write out the ciphertext if(osize <= 0) { fprintf(stderr,"%s: === unable to write data: %s\n",PACKAGE,ofile); exit(-1); } if(ofilesize<17) break; ofilesize -= isize; }

14. Q & A • We will spank audience members during the Q & A • You must sign our Ass Release Form before you can be spanked • You may choose any NMRC member to spank you • If you do not choose a particular NMRC hacker to spank you, the NMRC hacker answering the question will spank you while giving the answer

15. Thanks to CAU, DC214, Jon Callas for SPA ideas, and the rest of NMRC Shouts – Mike Rash (fwknop) Photo session by Duy Nguyen and Amy Lee Muir Art Manipulation by Weasel NMRC Fetish Model – Bethany FIN, Biatchez Images © 2005 NMRC www.nmrc.org