Sunday, February 17, 2008

Shmoocon 2008 - Day 2

A pretty interesting day. Attended:
  • Active 802.11 Fingerprinting: Gibberish and "Secret Handshakes" to Know Your AP (Sergey Bratus, Cory Cornelius, and Daniel Peebles)
  • SIPing Your Network (Radu State, Humberto Abdelnur, and Oliver Festor)
  • Passive Host Characterization (Matt Wollenweber)
  • VoIP Penetration Testing: Lessons Learned (John Kindervag, John Ostrom)
  • Advanced Protocol Fuzzing - What We Learned When Bringing Layer2 Logic to "SPIKE Land" (Enno Rey, Daniel Mende)
The 802.11 fingerprinting talk was based around the idea that devices can be identified by looking at the responses to requests with various header flags turned on, in a manner similar to how Nmap does OS identification by messing with the IP and TCP header flags. The tool they were working on is called Baffle. It's not available yet but we should probably keep an eye on this one as there is still a lot of interesting work to be done on/with it. Larry Pesce managed to squeeze in a talk on Access Points For Pentesting during the same hour.
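To make the Nmap-style idea concrete, here is an added example (not part of the original post, and not Baffle or the speakers' code) of the flag-flipping approach: build probe requests whose 802.11 Frame Control flags are set in combinations a normal client would never send, record how the AP reacts to each, and score the observed reactions against a signature database. The Frame Control bit layout is real; the two AP signatures and the captured replies are constructed for illustration and do not describe any actual vendor.

```python
"""
Active 802.11 AP fingerprinting by flag-flipping probe requests, in the style of
Nmap's TCP/IP OS detection.  Added illustration of the idea; it is NOT Baffle and
the signature database below is constructed, not real vendor data.
"""
from itertools import combinations

# Flag bits of the second Frame Control octet (IEEE 802.11).
FC_FLAGS = {
    "to_ds": 0x01, "from_ds": 0x02, "more_frag": 0x04, "retry": 0x08,
    "pwr_mgt": 0x10, "more_data": 0x20, "protected": 0x40, "order": 0x80,
}
PROBE_REQ_FC0 = 0x40   # first octet: version 0, type 00 (management), subtype 0100 (probe request)
PROBE_RESP_FC0 = 0x50  # first octet of a probe response: subtype 0101


def probe_request_fc(flags=()):
    """2-byte Frame Control for a probe request with the named flags set.
    A compliant AP only expects a probe request with all flags clear; how an
    implementation reacts to each odd combination is what we fingerprint."""
    fc1 = 0
    for f in flags:
        fc1 |= FC_FLAGS[f]
    return bytes([PROBE_REQ_FC0, fc1])


def probe_set():
    """Baseline probe plus every single- and double-flag variant (37 probes)."""
    names = list(FC_FLAGS)
    return [()] + [(n,) for n in names] + list(combinations(names, 2))


def classify_response(frame):
    """Collapse a captured reply (first two octets) into a response class.
    None means nothing came back before the timeout."""
    if frame is None:
        return "silent"
    fc0, fc1 = frame[0], frame[1]
    if fc0 == PROBE_RESP_FC0:
        return "probe_resp+retry" if fc1 & FC_FLAGS["retry"] else "probe_resp"
    return "other"


def fingerprint(observed, signatures, min_confidence=0.8):
    """Rank signatures by the fraction of shared probes whose response class matches.
    observed: {flags_tuple: response_class}.  Probes a signature doesn't cover are
    ignored, so a partial capture still scores (Nmap tolerates missing probes too).
    Returns (best_name_or_"unknown", ranked list of (score, name))."""
    ranked = []
    for name, sig in signatures.items():
        shared = [p for p in sig if p in observed]
        if not shared:
            continue
        hits = sum(1 for p in shared if sig[p] == observed[p])
        ranked.append((hits / len(shared), name))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    best = ranked[0][1] if ranked and ranked[0][0] >= min_confidence else "unknown"
    return best, ranked


# Constructed signature database: two hypothetical AP firmwares that differ in
# which malformed probe requests they still answer.
SIGNATURES = {
    "hypothetical-ap-A": {
        (): "probe_resp", ("protected",): "silent", ("pwr_mgt",): "probe_resp",
        ("more_frag",): "silent", ("order",): "probe_resp", ("to_ds", "from_ds"): "silent",
    },
    "hypothetical-ap-B": {
        (): "probe_resp", ("protected",): "probe_resp", ("pwr_mgt",): "probe_resp",
        ("more_frag",): "probe_resp", ("order",): "silent", ("to_ds", "from_ds"): "probe_resp",
    },
}

# Constructed capture: first two octets of each reply, or None when nothing came back.
CAPTURE = {
    (): b"\x50\x00", ("protected",): None, ("pwr_mgt",): b"\x50\x00",
    ("more_frag",): None, ("order",): b"\x50\x00", ("to_ds", "from_ds"): None,
}


def fingerprint_capture(capture, signatures=SIGNATURES):
    """Classify each captured reply, then match against the signature database."""
    observed = {probe: classify_response(frame) for probe, frame in capture.items()}
    return fingerprint(observed, signatures)


if __name__ == "__main__":
    print(probe_request_fc(("protected", "pwr_mgt")).hex())  # 4050
    best, ranked = fingerprint_capture(CAPTURE)
    print(best, ranked)
```

The matcher deliberately returns "unknown" when nothing clears the confidence threshold rather than guessing, since a real capture will have lost probes and APs whose firmware is not in the database; the threshold and the choice of which flag combinations to send are the knobs a tool like this would tune.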

The SIP talk could have been better. They couldn't get the video for their demo to work so they had to talk about the tool they're working on, KiF (not sure what that stands for), a state fuzzer for VoIP. In some architectures, KiF can "borrow" authentication from other phones to be able to make calls.

The Passive Host Characterization talk was a bit dry (but still interesting). Matt is a former Trickler programmer for those that know what it is. He's posted a demo for his tool, PHC.

The VoIP Pentesting talk centered around some of the common configurations and shortcomings in VoIP architectures. They showed how VoIPHopper can impersonate a phone so that it can access an organization's internal network, often through the firewall (based on assumptions made during rollout of the infrastructure).

The Advanced Protocol Fuzzing talk wasn't what I thought it was going to be (Layer 2 discussions usually mean wireless) but it was interesting regardless. The group is basically working on reverse engineering and testing various Layer 2 management protocols, such as Cisco's WLCCP, using a tool called Sulley.

Here's a short view of the news/gossip from day 2:

  • Ethan's walking without a cane! (For those that don't know him, he's taken a lot of ribbing for managing to generate a compound break in his leg via a Segway.)
  • Rob and I got to talk with Dave Aitel and, later, with an Army Academy student (Dude, take one of our first three choices for internship! You'll get more out of it and you'll get to meet/know "interesting" people.)
  • Southern Virginia is well represented at the conference this year, having 757 (HRGeeks), Sploitcast, and Hak5 present. I managed to donate a couple items for one of Walcy's giveaways.
  • Shouts to Squidly1! Who knew your offer would generate sales at the local Best Buy? (heh)
  • I think hotel management finally found a couple groups that didn't "mix" badly with the Shmoocon attendees. There were actually two smaller conferences: one for "business resource managers" (salesmen) and one for Anime fans. No one really wanted to mess with the guys wearing tuxedos (they also kept to themselves) and the Anime fans were considered a bit weird by most of the geeks (though a 19-year-old girl in a Sailor Moon outfit can be quite distracting). But seriously, they were wearing their costumes into the same restaurants that we were in and were making our freaks/rebels (you know, body piercings, tattoos, etc.) look normal. Most of the anime attendees just wore bunny or cat ears but some had full blown costumes which somehow were a mix of faux ancient Japanese, faux American Indian, and New York City hooker. (heh)

In any case, day 2 was fun. Got to catch up with a lot of friends that I hadn't seen since last year. I tried to hang around and participate in the Sploitcast podcast recording but I was too tired and too hungry to stick around (my hotel is in Bethesda, MD).