User:M3m0r3x
| m3m0r3x | |
|---|---|
| Arrival | 2017/08/03 00:00 |
| Departure | 2017/08/09 10:00 |
| Buildup Vehicle | Car, Transporter |
| Bringing | Arduinos, Raspberry Pis, LTE router, switch, power cord, some soldering stuff, hacking gadgets, UpriBox, FruityWiFiPi |
| Village | Village:1838, Village:Foodhackingbase |
| Working on | |
| Contributions | |
| Contact | @_m3m0r3x_ |
Contents
Orga
Things I want to visit
Talks (Live or Recording)
Friday
SHA2017 Opening
Cryptowars 2.0: Lessons from the past, for the present
Attacking OpenSSL using Side-channel Attacks
Computer crime and criminal law 101
Famous C&C servers from inside to outside
Blockchain beyond the buzz and hype
icibici workshop: a brain-computer interface for your phone/tablet/etc
Saturday
Android Application Pentesting 101
Tor de-anonymization techniques
An academic's view to incident response<--
Smart Home Security with Tor
Network concepts introduction & wireshark workshop
Modern Digital Forensics analysis, where to find evidence
Sunday
Data Exploitation
TLS Pool: Security orthogonal to Applications
A look at TR-06FAIL and other CPE Configuration Management Disasters<--
Anonymous, secure and easy. You can have them all
An introduction into next generation computing using Field Programmable Gate Arrays (FPGA)
Making bombs
Secure communications hardware
Monday
Blockchains for a Better World
Physical Penetration Testing
Windows forensics
FaceDancer 2.0
Tuesday
Exploiting Twitter with Tinfoleak for investigative purposes
DDoS attack and defense
Exploiting Twitter with Tinfoleak for investigative purposes
Infrastructure review
SHA2017 Closing
SHA2017 Closing Simulcast
Self organized sessions
Flamethrowers_101
The_One_Ring_Workshop
Open_Molecular_Cooking_Night
Pimp_your_Android(-fork)_with_the_best_Free_Software_apps_(live_&_interactive)
FPGAs_for_Newbies
LearnToSolder
Monitoring_Government_Surveillance_Capabilities_by_means_of_Transparency_tools
Secure_communications_hardware
Modern_Digital_Forensics_analysis,_where_to_find_evidences
Windows_forensics
Projects
Camp Notes
Things done on Camp
Day Zero
We arrived at Zeewolde at approximately 1:00 pm. Of course the first thing we did was build up our village "1838". The rest of the day we spent carrying our luggage and equipment from the parking lot to the camp at the Turing field. Then of course we built up the infrastructure to our tents (power and LAN from the Datenklo). I was setting up an access point for our village which is based on a Raspberry Pi; it routes all of our traffic through Tor and separates us from the camp LAN. It is not that we don't trust the SHA2017 people but...
After the work was done we drank some beer and walked over the camp ground to check out the different locations. We of course visited the SHA harbour, which was built just for this event for people who come by (house)boat. After that we tried to find the food court. When we found it, it was unfortunately closed. Some people of our village registered their DECT phones with the event phone system. There was not much built up on day zero. Just some big projects built up their stuff, but most of the people were normal campers. We also visited the so-called "Food Hacking Base", where a bunch of people do all kinds of things with food. There are also workshops like a cheese and a whisky tasting, molecular kitchen and so on. And we all donated a bit of money to get three meals a day (breakfast, lunch and dinner) every day.
Fun Fact of the day: The Finnish Embassy has its own sauna.
Day One
Opening Talk
This was just the opening talk for the awesome SHA2017 camp. Stitch, the main organizer of this event, told in this talk who was organizing the camp and what had gone wrong at the very beginning, for example with the badge production. But in the end everything went well and he celebrated the opening of this camp with us.
Recording: sha2017_opening
Crypto Wars 2.0: Lessons learned from the past, for the present
Phil Zimmermann, creator of PGP, gave a very political keynote at the beginning. In his talk he spoke about the willingness of various politicians to backdoor or weaken cryptography for investigation purposes. Historically this has been done with many other technologies. For example, in the time of Bonnie and Clyde, the police were not able to catch them because after every robbery they drove away fast. As a consequence, politicians wanted to shrink the fuel tanks of cars so that the police would be able to catch them once they ran out of gas. The main statement of his talk is: backdoors for the good guys are backdoors for the bad guys.
It was really an honor to see the man live on stage who brought PGP, strong crypto for the masses, to the people.
Recording: cryptowars_2_0_lessons_from_the_past_for_the_present
Attacking OpenSSL using Sidechannel Attacks
Not seen live but later in the recording because of the parallel keynote from Phil Zimmermann. But it was very interesting to learn how information can be obtained through side channels. An embedded device or a computer has some interfaces like keyboard, monitor, speaker etc. that are intended. But there are also some unintended interfaces. They are there and you can't do anything to hide or manipulate them. For example: time, power consumption, electromagnetic radiation etc. In a short example they demonstrated a brute-force attack on a 4-digit PIN that exploits the power/EM side channel. For a given 4-digit PIN they monitored the normal power behaviour. Then they started with digit one to brute-force the PIN. On one number (8) they saw that the pattern of the verification was shifted a little to the right. This means more power was used because the check behaved differently on the correct digit. Same with the second digit: when the correct number was entered the verification pattern moved again a bit to the right, and so on. For a four-digit PIN this can be done in a short amount of time. But on a 2048-bit RSA secret key this would take years. In the rest of the talk the presenters explained how to solve this with math and improve the efficiency. Unfortunately this is not my grade of math :-). After that they showed some lab setups for how they analyze those side channels, for example with an oscilloscope.
Recording: attacking_openssl_using_side-channel_attacks
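The digit-by-digit leak the presenters demonstrated, reduced to a simulation in Python. This is an added example, not code from the talk or from OpenSSL: the `work` counter stands in for the measured power/EM trace, the PIN value is constructed, and `leaks_prefix_length` is the self-test a developer can run against their own verifier.

```python
"""Why an early-exit PIN check leaks one digit at a time, and the fix.

Constructed illustration: `work` counts compare steps and stands in for
the power/EM trace read on the oscilloscope. More work = a longer,
right-shifted pattern, exactly what the presenters watched for.
Both PINs are assumed to be PIN_LEN decimal digits.
"""
import hmac
from typing import Callable, Tuple

PIN_LEN = 4


def leaky_verify(pin: str, guess: str) -> Tuple[bool, int]:
    """Early-exit compare. Work grows by one for every leading digit
    that matches, which is the side channel the talk describes."""
    work = 0
    for expected, given in zip(pin, guess):
        work += 1                    # one compare step = one power spike
        if expected != given:
            return False, work       # bail out on the first mismatch
    return True, work


def constant_work_verify(pin: str, guess: str) -> Tuple[bool, int]:
    """Every digit is processed and there is no data-dependent branch,
    so the work count (and the trace) is identical for every guess."""
    diff = 0
    work = 0
    for expected, given in zip(pin, guess):
        work += 1
        diff |= ord(expected) ^ ord(given)   # accumulate, never branch
    return diff == 0, work


def leaks_prefix_length(verify: Callable[[str, str], Tuple[bool, int]],
                        pin: str) -> bool:
    """Defender's self-test: feed guesses that share 0..PIN_LEN leading
    digits with `pin` and report whether the work count differs between
    them. True means digits can be confirmed one at a time."""
    traces = set()
    for k in range(PIN_LEN + 1):
        # first k digits correct, every remaining digit deliberately wrong
        wrong = "".join(str((int(d) + 1) % 10) for d in pin[k:])
        _, work = verify(pin, pin[:k] + wrong)
        traces.add(work)
    return len(traces) > 1


def production_verify(pin: str, guess: str) -> bool:
    """In real code use the standard library's constant-time compare
    rather than a hand-rolled loop."""
    return hmac.compare_digest(pin.encode(), guess.encode())


if __name__ == "__main__":
    sample_pin = "4871"   # constructed sample PIN
    print("early-exit check leaks:", leaks_prefix_length(leaky_verify, sample_pin))
    print("constant-work check leaks:", leaks_prefix_length(constant_work_verify, sample_pin))
```

The same principle is why the RSA case in the talk needs the presenters' mathematical refinements rather than digit-by-digit guessing: the leak is there, but the search space is no longer tiny.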
Famous C&C servers from inside to outside
The speaker gave an in-depth look into botnet architectures. He described how he broke into the CryptoLocker botnet and showed how a man-in-the-browser attack works. He spoke about the NAS botnet which infected QNAP devices: it hacked them, infected them, armed them and then patched them. He gave an overview of the KINS botnet, which has a better e-banking web application than his bank. :-) At the end he disclosed the PoC of the "Vodafone NL DrayTek Vigor2132FVn Hack", which had already been fixed by VF-NL.
Recording: famous_c_c_servers_from_inside_to_outside
PDF-File: Research_Articles_.pdf
Badge soldering
In a soldering session in our village we soldered the SMD LEDs and the vibration motor onto our badge. For me SMD soldering was a new experience. We got different tips on how to do this best. For me the best method is to put a bit of solder on the soldering pads, place the SMD LED with tweezers and heat the solder on the pads again. Another tip was to put solder on only one pad, heat it again and push the SMD LED onto the pad with your finger. That way the SMD LED is fixed and flat on the circuit board. Then just add solder to the other three pads.
Fun Fact of the day: A driving sofa was on the camp site. Under the sofa a chassis was mounted which is controlled by an RC remote. Later on there were more driving things like a KarTent (KarTents were tents made of cardboard).
Day Two
Tor de-anonymization techniques
This talk was about Tor anonymity. The speaker is the founder of the Tor hidden service search engine Ahmia. In his talk he gave a little overview on how Tor and hidden services work. Further on he showed, with examples from officially leaked presentations like the Snowden leak, that de-anonymizing a specific user is really hard and kind of a pain in the a... . It is easy to de-anonymize random users but not specific ones. Based on recent takedowns the speaker described the different techniques that were used. First, OpSec failures. As examples he took the AlphaBay and Silk Road takedowns. Both leading administrators made OpSec failures. In the case of AlphaBay the welcome mail after registration came from the admin's private e-mail account on Hotmail. This was the weak link which identified him. In the case of Silk Road the admin asked questions regarding hidden service configuration on Stack Overflow under his real name, Ross Ulbricht, and brought up the name of Silk Road. The second way of de-anonymizing hidden services or users is by attacking the end device itself. This technique was used by the FBI when they ran a child abuse platform after they had seized the servers. They were able to do this through the third technique: they attacked the hidden service, which was misconfigured and therefore had some vulnerabilities which were used to leak the real IP. The last way a specific user can be de-anonymized is by traffic and timing correlation. But this is really complex, and both the Tor entry node and the exit node used must be controlled by the observer. So it seems Tor is a really good anonymizing network.
Recording: tor_de-anonymization_techniques
An academic view on incident response
Cider Tasting
At the Food Hacking Base there was a cider tasting. Our whole village took part. Different ciders were presented, from low-cost supermarket ciders to really expensive ciders from Normandy. Cider is not to my taste, no matter which one I tried. The best drink during the tasting was an apple juice from Normandy :-).
Day Three
Data Exploitation
This talk is mainly about data privacy. It makes you aware of which kinds of products collect which kinds of data. Among these are even very sensitive data. The talk also shows that it is sometimes easy to get at this (sensitive) data even though you should not be able to. The speakers are from Privacy International. As an introduction the speakers point out different privacy failures where personal data was leaked. They described the Roomba case, where Roomba is selling the maps its robots make while cleaning. Or different GSM codes on smartphones which users are not aware of. The main part of their talk is about how they reverse engineer different types of connected things (IoT). One example is how they reversed cars (Jaguar/Land Rover/BMW) via the CAN bus, a protocol used in connected cars. Their aim is to have a look at the data collected by the cars.
Another topic was healthcare products (drug pumps, defibrillators, pacemakers...). Even data from those devices is given to third parties. A special guest speaker (via cameo) with an implanted pacemaker told about her project "Pacemaker Hacking". She was able to hook up to the device and read out all collected data. She called it a project on her own critical infrastructure. She started her project after she was in hospital because of a malfunction of her pacemaker. She was interested in the data output. She even asked whether she could get that file. The doctor actually copied it onto her flash drive. After analyzing it she noticed it is a memory dump (of her heart). This guest speaker's part of the talk was very scary to me.
Recording: data_exploitation
A look at TR-06 FAIL and other CPE Configuration Management Disasters
This talk is, as the name suggests, about the TR-06X protocols and related vulnerabilities (TR-06FAIL, Misfortune Cookie...) and hacking ACS servers.
TR-XXX are DSL Forum specifications. Of interest in this talk are TR-064 and TR-069.
TR-064 is LAN-Side DSL CPE Configuration. It is a SOAP-based protocol that allows configuration of CPE devices from the LAN side, for example by "Broadband Setup" software shipped to consumers. It allows managing any setting on a CPE device: full read and write access to the whole device configuration, for example ACS configuration, DNS settings, wireless security and so on. Some of its security requirements are: access to any action that allows configuration changes to the CPE must be password protected; access to any password-protected action must require HTTP digest authentication; sensitive information such as passwords must not be readable at all. It is also meant to listen on the LAN interface only... The reality is TR-06FAIL: password protected --> no; actual credentials (WiFi keys) readable --> yes; accessible from the internet --> yes; and trivial command injection vulnerabilities on top. This was used in the Deutsche Telekom and TalkTalk hacks.
TR-069 is the CPE WAN Management Protocol (CWMP). It specifies the protocol for management of CPE devices over the WAN, also SOAP-based. In the wrong hands it is a kind of backdoor. Before TR-06FAIL there was the Misfortune Cookie vulnerability. It affected the same RomPager server and allowed remote access to the device without authentication: it allowed overwriting internal state variables of the TR-069 service on the router and was able to bypass the CWMP port check and the password check. TR-069 says it has TLS and authentication, but both are optional. Authentication from CPE to ACS often uses basic auth, and often uses the username as the identifier. From ACS to CPE it is often TLS (client cert), or it can be a shared secret without TLS. One big mess is the use of lots of different XML stuff, which makes for an immense attack surface...
Hacking an ACS server is way quicker than hacking millions of CPEs one at a time. The speaker audited five different ACS products (FreeACS, OpenACS, LibreACS, a PHP CWMP library and Perl cwmp). In every product he found vulnerabilities allowing it to be compromised remotely, and with it all the CPEs it manages.
This recording is really worth a look. His next projects are: auditing more ACS stuff (GenieACS, FreeACS-NG, DrayTek, Cisco...), auditing more CPE device implementations and looking into TR-111 (TR-069 for IoT like set-top boxes...).
Recording: a_look_at_tr-06fail_and_other_cpe_configuration_management_disasters
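The three TR-064 requirements the talk quotes, plus the LAN-only rule, written out as the request gate a CPE should have had. This is an added, constructed example, not code from the DSL Forum, the talk or any CPE vendor: the request model, the action names, the LAN ranges and the parameter names are simplified stand-ins for the real SOAP schema.

```python
"""Enforcing the TR-064 security requirements quoted in the talk.

Constructed model (not the real SOAP schema). Rules, as listed above:
  1. anything that changes configuration must be password protected,
  2. that protection must be HTTP Digest authentication,
  3. sensitive values (passwords, WiFi keys) must never be readable,
  4. the service answers on the LAN side only (no WAN exposure).
TR-06FAIL was the opposite on every point; this is what "yes" looks like.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed: address ranges this CPE treats as its LAN side (rule 4)
LAN_NETS = [ipaddress.ip_network("192.168.0.0/16"),
            ipaddress.ip_network("10.0.0.0/8")]
# Constructed: actions that change configuration (rules 1 and 2 apply)
CONFIG_ACTIONS = {"SetDNSServers", "SetWLANPassphrase", "SetACSURL"}
# Constructed: parameter names that must never leave the device (rule 3)
SENSITIVE_KEYS = {"passphrase", "password", "acs_password", "wep_key"}


@dataclass
class Request:
    source_ip: str                  # peer address the SOAP call came from
    action: str                     # e.g. "GetInfo" or "SetDNSServers"
    auth_scheme: Optional[str]      # "Digest", "Basic" or None
    auth_valid: bool = False        # outcome of verifying the digest


def decide(req: Request) -> Tuple[int, str]:
    """Return (HTTP status, reason). Checks run in the order a TR-06FAIL-
    resistant implementation needs: interface first, then the auth
    scheme, then whether the credentials actually verified."""
    src = ipaddress.ip_address(req.source_ip)
    if not any(src in net for net in LAN_NETS):
        return 403, "TR-064 is LAN-side only; WAN source rejected"
    if req.action in CONFIG_ACTIONS:
        if req.auth_scheme != "Digest":
            return 401, "configuration changes require HTTP Digest auth"
        if not req.auth_valid:
            return 401, "digest credentials not valid"
    return 200, "ok"


def redact(params: Dict[str, str]) -> Dict[str, str]:
    """Apply rule 3 to a response body: secrets are replaced, never
    echoed, even to an authenticated LAN client."""
    return {k: ("<redacted>" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in params.items()}


if __name__ == "__main__":
    wan = Request("203.0.113.5", "SetDNSServers", "Digest", True)
    lan_basic = Request("192.168.178.20", "SetDNSServers", "Basic", True)
    print(decide(wan), decide(lan_basic))
    print(redact({"ssid": "camp-1838", "passphrase": "hunter2"}))
```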
Cheese Tasting
In the evening there was another tasting like yesterday, this time cheese. Different sorts were presented from mild to strong. The highlight was a truffle cheese from Normandy. It was really delicious. But there were other sorts from Germany, the Netherlands (Old Amsterdam, Old Rotterdam...) and Normandy (Camembert and Brie). This tasting was really good for getting an overview of different sorts of cheese.
Fun Fact of the Day
Late at night some people noticed a message on their badge that said: "Your badge is locked! Please go to ### to unlock it."
Unfortunately nobody was at the given location to unlock it. A member of our village was infected by this malware too; he just flashed his badge with the current firmware and everything was fixed again...
Day Four
Blockchains for a Better World
MISP threat sharing platform
It was a very interesting talk about the MISP tool. It is a free and open source threat information sharing platform with tons of different features for sharing information and collaboration. You can input, for example, IOCs from an e-mail in raw format and MISP filters out all the relevant information. The collaboration factor helps to eliminate false positives because other people can look over the provided information and correct, for example, typos in an IP address. MISP is a community-driven project initiated and supported by CIRCL (Computer Incident Response Center Luxembourg). A tool which is really worth a look for us.
Recording: misp_threat_sharing_platform
Regulating Law Enforcement use of Trojans
Computer crime and criminal law 101
Physical Penetration Testing
Fun Fact of the Day
On the camp ground there was a little lake with an island. With an inflatable boat we went to the island. Just as we arrived an octocopter drone was flying over the lake. It seems someone was trolling the people who were swimming in the lake with it. Suddenly the drone's motors turned off; a few centimetres above the water level the motors turned on again at high power. But too late :-) It crashed into the water.
Day Five
Exploiting Twitter with Tinfoleak for investigative purposes
This talk is about investigation on Twitter. In his talk the speaker describes why he uses Twitter for intelligence. Twitter has a lot of activity, and it is very easy to send tweets. Most of the content is public and is text information. The target of an investigation could be an individual or even an organisation, terror group and so on. Tinfoleak itself is a tool written in Python; it is open source and it can extract information from different social networks, not only Twitter. In his presentation the speaker shows what kind of information about an account can be extracted by Tinfoleak: for example apps, usage frequency, hashtags, media and metadata, visited places and top locations and so on. In a live demo he shows, based on the coordinates of a specific location, which information can be gathered by Tinfoleak. He then explains the final HTML report of this research. A second example from the live demo is the investigation of a specific Twitter user. It is really worth a look.
Recording: exploiting_twitter_with_tinfoleak_for_investigative_purposes
DDoS attack and defense
FaceDancer 2.0
This talk is about a USB attack device called FaceDancer 2.0. It is capable of fuzzing, monitoring or MITMing USB devices, even embedded ones like in cars. The speakers gave a deep dive into how USB works. It was a really complex, technical talk. The FaceDancer 2 is capable of emulating four different device types. It will be available as a shield for the RPi or BeagleBone board, and as other implementations. So what can the FaceDancer do? It can attack USB hosts and driver stacks, fuzzing for example with umap. It can fingerprint USB implementations, e.g. to identify the host OS. And it can emulate USB devices (HID, USB mass storage, FTDI, DFU (steal device firmware)).
Recording: facedancer_2_0
Infrastructure review
Lockpicking and IT Security
SHA2017 Closing Event
In this last talk the event was recapped and celebrated. It is a must-see talk at every conference to say bye!
Recording: SHA2017-252-sha2017_closing
Fun Fact of the Day
No Fun Fact due to tear down and bad weather :-)
Day Six
Since it rained all day yesterday we waited for sunny weather to get our tents dry. We carried our luggage back to the cars and at about 14:00 we left the camp ground. It was an awesome event and I am really thankful to have been part of it. I will definitely be at CCCamp in 2019 in Germany, too. It was a great chance to talk to awesome people with different knowledge. Quite good for networking. The Chaos Communication Congress is quite good, but camps can top this atmosphere... It is hard to describe if you weren't there.