From SHA2017 Wiki
m3m0r3x
Arrival: 2017/08/03 00:00
Departure: 2017/08/09 10:00
Buildup vehicle: Car, Transporter
Bringing: Arduinos, Raspberry Pis, LTE router, switch, power cord, some soldering stuff, hacking gadgets, UpriBox, FruityWiFiPi
Village: Village:1838, Village:Foodhackingbase
Working on:
Twitter: @_m3m0r3x_

Camp Notes

Things done at the camp

Day Zero

We arrived at Zeewolde at approximately 01:00 pm. Of course, first we built up our village "1838". The rest of the day we were carrying our luggage and equipment from the parking lot to the campground at the Turing field. Then of course we built up the infrastructure to our tents (power and LAN from the Datenklo). I set up an access point for our village which is based on a Raspberry Pi that routes all traffic through Tor and separates us from the camp LAN. It is not that we don't trust the SHA2017 people but...

Parts of luggage.jpg

After work was done we drank some beer and walked over the camp ground to check out different locations. Of course we visited the SHA Harbour, which was built just for this event for people who come by (house)boat. After that we tried to find the food court. When we found it, it was unfortunately closed. Some people of our village registered their DECT phones at the info tent. There was not much built up on day zero. Just some big projects built up their stuff, but most of the people were normal campers. We also visited the so-called "Food Hacking Base", where a bunch of people do all kinds of things with food. There are also workshops like a cheese and a whisky tasting, molecular kitchen and so on. And we all donated a bit of money to get three meals a day (breakfast, lunch and dinner) every day.

Fun Fact of the day: The Finnish Embassy has its own sauna.

Finish sauna.jpg

Day One

Opening Talk
This was just the opening talk for the awesome SHA2017 camp. Stitch, the main organizer of this event, told in this talk what it was like to organize the camp and what went wrong at the very beginning, for example with the badge production. But in the end everything went well and he celebrated the opening of this camp with us.
Recording: sha2017_opening

Crypto Wars 2.0: Lessons learned from the past, for the present
Phil Zimmermann, founder of PGP, held a very political keynote at the beginning. In his talk he spoke about the desire of various politicians to backdoor or weaken cryptography for investigation purposes. Historically this was done with many other technologies. For example, in the time of Bonnie and Clyde the police were not able to catch them because after every robbery they drove away fast. As a consequence, politicians wanted to shrink the fuel tanks of cars so that the police would be able to catch them when they ran out of gas. The main statement of his talk is: backdoors for the good guys are backdoors for the bad guys.
It was really an honor to see the man live on stage who brought PGP, strong crypto for the masses, to the people.
Recording: cryptowars_2_0_lessons_from_the_past_for_the_present

Attacking OpenSSL using Sidechannel Attacks
I did not see this live but later in the recording, because of the parallel keynote from Phil Zimmermann. It was very interesting to learn how information can be obtained from side channels. An embedded device or a computer has some intended interfaces like keyboard, monitor, speaker etc. But there are also unintended interfaces. They are there and you can't do anything to hide or manipulate them, for example: time, power consumption, electromagnetic radiation etc. In a short example they demonstrated a 4-digit brute-force attack to show how they exploit the power/EM side channel. For a given 4-digit PIN they monitored the normal power behaviour. Then they started brute-forcing the PIN digit by digit. On one number (8) they saw that the pattern of the verification was shifted a little bit to the right. This means more power was used due to an abnormal behaviour. Same with the second digit: when the correct number was entered, the pattern for the verification moved again a bit to the right, and so on. For a four-digit PIN this can be done in a short amount of time, but on a 2048-bit RSA secret key this would take years. In the rest of the talk the presenters explained how to solve this by math and improve the efficiency. Unfortunately this is beyond my level of math :-). After that they showed some lab setups for how they analyze those side channels, for example by the use of an oscilloscope.
Recording: attacking_openssl_using_side-channel_attacks
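The digit-by-digit PIN demo described above, modelled in a small simulation. This is an added example, not code from the talk or from this page: the "trace" is simply the number of digits the verification examined, a stand-in for the length of the verification pattern on the presenters' power trace, and SECRET_PIN is a constructed sample value. The point for a defender is the second function: once the check examines every digit regardless of mismatches (and uses `hmac.compare_digest` for the verdict), the trace no longer singles out any candidate and the digit-by-digit approach fails.

```python
import hmac

SECRET_PIN = "4831"   # constructed sample secret for the simulation


def leaky_check(secret, guess):
    """Early-exit comparison. Returns (ok, steps); steps counts the digits examined,
    which stands in for the length of the verification pattern on a power trace."""
    steps = 0
    for s, g in zip(secret, guess):
        steps += 1
        if s != g:
            return False, steps
    return len(secret) == len(guess), steps


def constant_time_check(secret, guess):
    """Examines every digit whatever the input, so the step count carries no
    information; hmac.compare_digest gives the verdict without data-dependent timing."""
    steps = 0
    for _ in zip(secret, guess):
        steps += 1
    return hmac.compare_digest(secret.encode(), guess.encode()), steps


def trace_per_candidate(check, known_prefix):
    """Observed step count for each candidate next digit, remaining digits padded with 0."""
    pad = "0" * (len(SECRET_PIN) - len(known_prefix) - 1)
    return {d: check(SECRET_PIN, known_prefix + d + pad)[1] for d in "0123456789"}


def leaks_next_digit(check, known_prefix):
    """True if the trace alone singles out a candidate for the next digit."""
    traces = trace_per_candidate(check, known_prefix)
    return len(set(traces.values())) > 1


def recover_with_oracle(check):
    """Models the talk's demo: grow the PIN one digit at a time from the trace.
    Returns None when the trace never distinguishes candidates (the hardened case)."""
    prefix, n = "", len(SECRET_PIN)
    while len(prefix) < n - 1:
        traces = trace_per_candidate(check, prefix)
        best = max(traces, key=traces.get)
        if list(traces.values()).count(traces[best]) != 1:
            return None            # every candidate looks the same: no side channel
        prefix += best
    # For the last digit only the accept/reject verdict is left: ten guesses at most.
    for d in "0123456789":
        if check(SECRET_PIN, prefix + d)[0]:
            return prefix + d
    return None


if __name__ == "__main__":
    print("leaky check recovers:", recover_with_oracle(leaky_check))
    print("constant-time check recovers:", recover_with_oracle(constant_time_check))
```

The step count is a deliberately crude model of the real trace; what the presenters measured was power or EM, and the RSA case they went on to discuss needs the mathematical treatment the talk covers, not this loop. The mitigation, however, is the same at every scale: make the work done independent of the secret.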

Famous C&C servers from inside to outside
The speaker gave an in-depth look at botnet architectures. He described how he broke into the CryptoLocker botnet and showed how a man-in-the-browser attack works. He spoke about the NAS botnet which infected QNAP devices: it hacked them, infected them, armed them and patched them. He gave an overview of the KINS botnet, which has a better e-banking web application than his bank :-). At the end he disclosed the PoC of the "Vodafone NL DrayTek Vigor2132FVn hack", which had already been fixed by VF-NL.
Recording: famous_c_c_servers_from_inside_to_outside
PDF-File: Research_Articles_.pdf

Badge soldering
In a soldering session in our village we soldered the SMD LEDs and the vibration motor onto our badge. For me SMD soldering was a new experience. We got different tips on how to do this best. For me the best method is to put a bit of solder on the pads, place the SMD LED with tweezers and heat the solder on the pads again. Another tip was to put solder on only one pad, heat it again and push the SMD LED onto the pad with your finger, so the LED is fixed flat on the circuit board. Then just add solder to the other three pads.

Fun Fact of the day: A driving sofa was at the camp site. Under the sofa a chassis was mounted which is controlled by an RC remote. Later on there were more driving things like a Kartent (Kartents are tents made of cardboard).

Day Two

TOR de-anonymization techniques
This talk was about Tor anonymity. The speaker is the founder of the Tor hidden service search engine Ahmia. In his talk he gave a little overview on how Tor and especially hidden services work. Further, he showed on examples from officially leaked presentations, like from the Snowden leak, that de-anonymizing a specific user is really hard and kind of a pain in the a... . It is easy to de-anonymize random users but not specific ones. Based on recent take-downs the speaker described the different techniques that are used for it. First, OpSec failures. As examples he took the AlphaBay and Silk Road take-downs. Both leading administrators made OpSec failures. In the case of AlphaBay the welcome mail after registration came from his private e-mail account on Hotmail. This was the weak link which identified the admin. In the case of Silk Road the admin asked questions regarding hidden service configuration on the Stack Overflow forum under his real name, Ross Ulbricht, and brought up the name of Silk Road. The second way of de-anonymizing hidden services or users is attacking the end device itself. This technique was used by the FBI when they ran a child abuse platform after they had seized the servers. They were able to do this by the third way: they attacked the hidden service, which was misconfigured and therefore had some vulnerabilities which were used to leak the real IP. The last way a specific user can be de-anonymized is by traffic and timing correlation. But this is really complex, and both the used Tor entry node and the exit node must be owned by the observer. So it seems Tor is a really good anonymizing network.
Recording : tor_de-anonymization_techniques

An academic view on incident response
This talk was mainly about forensics. The speaker talked about challenges, do's and don'ts in incident response. Near the end he talked about what can be done to be prepared. Incident response is about detecting intrusions in time. Companies that failed are for example Ashley Madison, Hacking Team, RSA... The press likes to apply a new buzzword to hacks like these: APT. For these, APT is of course the wrong word. A spear-phishing campaign is not an APT. At the beginning, the nature of an incident is that you don't know what is happening. The goals are to react to the security-related event and to contain the affected system, or find other ways to prevent this. Ideally this is live forensics under time pressure, and the incident manager should move faster than the attacker, even remotely. Everything gets weird if the press is involved, then the stress level will rise. Standards in the field of IR are:

  • RFC 3227: Guidelines for Evidence Collection and Archiving
  • NIST SP 800-86: Guide to Integrating Forensic Techniques into Incident Response

What are the current challenges? Observed upcoming issues (according to Simson Garfinkel):

  • flash storages
  • lack of time (==storage size)
  • cloud
  • encryption
  • multiple devices
  • broader diversity

Storage capacity is still a problem (hash the data, copy it and hash again). Special devices do this, but they are very expensive. Imaging a 12 TB hard drive takes ages. Encryption makes investigations even more tricky, but encryption can still be bypassed or fingerprinted, or metadata can be analyzed. Another challenge is the heterogeneity of systems. Cloud forensics is another big challenge. Do's and don'ts: Rule 1: Take a RAM image; it holds much valuable information like encryption keys. Rule 2: Reboot the machine or pull the plug? Don't shut down, pull the plug! Everything is cleared on a clean shutdown. When you pull the plug you can try a cold boot attack.
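The "hash the data, copy it and hash again" step from the paragraph above, as an added example (not from the talk or the page): the source is hashed in chunks so a multi-terabyte image never has to fit in memory, the copy is hashed again, both digests go into a chain-of-custody record, and a later `verify_image` call catches any change to the image before analysis. The file names, the JSON-lines log format and the sample "evidence" file are all constructed for this example.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time

CHUNK = 1 << 20  # 1 MiB read size: keeps memory flat even for a 12 TB image


def sha256_file(path):
    """Stream a file through SHA-256 so the whole image never sits in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, destination, log_path):
    """Hash source, copy it, hash the copy, append a custody record. Returns the record."""
    before = shutil.copyfile and sha256_file(source)
    shutil.copyfile(source, destination)
    after = sha256_file(destination)
    record = {
        "source": source,
        "image": destination,
        "sha256_source": before,
        "sha256_image": after,
        "verified": before == after,
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    with open(log_path, "a") as log:          # one JSON object per line (constructed format)
        log.write(json.dumps(record) + "\n")
    return record


def verify_image(image_path, expected_sha256):
    """Re-check an image against the digest recorded at acquisition time."""
    return sha256_file(image_path) == expected_sha256


def demo():
    """Constructed scenario: image a small fake 'disk', verify it, then detect tampering."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "evidence.raw")
    dst = os.path.join(workdir, "evidence.dd")
    log = os.path.join(workdir, "custody.jsonl")
    with open(src, "wb") as f:
        f.write(os.urandom(CHUNK * 3 + 17))   # sample bytes, not real evidence
    record = acquire_image(src, dst, log)
    intact = verify_image(dst, record["sha256_source"])
    with open(dst, "r+b") as f:               # flip one byte in the copy
        f.seek(1234)
        original = f.read(1)
        f.seek(1234)
        f.write(bytes([original[0] ^ 0xFF]))
    tampered_detected = not verify_image(dst, record["sha256_source"])
    shutil.rmtree(workdir)
    return record["verified"], intact, tampered_detected


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

The record keeps both digests rather than one: a mismatch between `sha256_source` and `sha256_image` points at the copy step, while a later `verify_image` failure with a matching record points at what happened to the image afterwards. In practice the hash of the source drive is taken through a write blocker so the act of hashing cannot alter it.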

To be prepared: log all the things. Logs help tremendously, on both the network and the operating system level.

At the end of his talk the speaker mentioned a tool called GRR. It is developed and used by Google for incident response, it is free to use and open source. It is worth a look.
Recording: an_academic_s_view_to_incident_response

Cider Tasting
At the Food Hacking Base there was a cider tasting. Our complete village took part. Different ciders were presented, from low-cost supermarket ciders to really high-cost ciders from Normandy. Cider is not to my taste, no matter which one I tasted. The best drink during the tasting was an apple juice from Normandy :-).

Day Three

Data Exploitation
This talk was mainly about data privacy. It made us aware of what kinds of products collect what kinds of data, among them even very sensitive data. The talk also showed that it is sometimes easy to get at this (sensitive) data even when you should not be able to. The speakers are from Privacy International. As an introduction the speakers pointed out different privacy failures where personal data was leaked. They described the Roomba case, where Roomba sells the maps its robots make while cleaning the rooms, or different GSM codes on smartphones which users are not aware of. The main part of their talk was about how they reverse engineer different types of connected things (IoT). One example is how they reversed cars (Jaguar/Land Rover/BMW) via the CAN bus, a protocol for connected cars. Their aim is to have a look at the data collected by the cars. Another topic was healthcare products (drug pumps, defibrillators, pacemakers...). Even data from those devices is given to third parties. A special guest speaker from Cameo, with an implanted pacemaker, told about her project "Pacemaker Hacking". She was able to hook up to the device and read out all collected data. She called it a project on her own critical infrastructure. She started her project after she was in hospital because of a malfunction of her pacemaker. She was interested in the data output and even asked if she could get that file. The doctor simply copied it onto her flash drive. After analyzing it she noticed it is a memory dump (of her heart). This guest speaker's part of the talk was very scary to me.
Recording: data_exploitation

A look at TR-06FAIL and other CPE Configuration Management Disasters
This talk is, as the name suggests, about the TR-06x protocols and related vulnerabilities (TR-06FAIL, Misfortune Cookie...) and hacking ACS servers. TR-xxx are DSL Forum specifications. Of interest in this talk are TR-064 and TR-069.
TR-064 is LAN-side DSL CPE configuration. It is a SOAP-based protocol that allows configuration of CPE devices from the LAN side, for example by "Broadband Setup" software shipped to consumers. It allows managing any setting on a CPE device: it has full read and write access to the entire device configuration, for example ACS configuration, DNS settings, wireless security and so on. Some of its security specifications are: access to any action that allows configuration changes to the CPE must be password protected; access to any password-protected action must require HTTP digest authentication; sensitive information, such as passwords, must not be readable at all. It is also meant to listen on the LAN interface only... The reality shows TR-06FAIL...:

  • Password protected --> No
  • Actual credentials (WiFi Keys) readable --> yes
  • Accessible from the internet --> yes
  • and trivial command injection vulnerabilities on top.

This was used in the Deutsche Telekom and TalkTalk hacks.

Before TR-06FAIL there was the Misfortune Cookie vulnerability. It affected the same RomPager server. It allowed remote access to the device without authentication.
TR-069 is the CPE WAN Management Protocol (CWMP). It outlines the protocol for management of CPE devices over the WAN. It is also SOAP based. In the wrong hands it is a kind of backdoor. It allows overwriting internal state variables of the TR-069 service on the router. It was possible to bypass the CWMP port check and the password check. TR-069 specifies TLS and authentication, but both are optional. The authentication from CPE to ACS often uses basic auth, and often the username as the identifier. From ACS to CPE it is often TLS (client certificate). One big mess is the use of different XML stuff, which makes an immense attack surface...

Hacking an ACS server is way quicker than hacking millions of CPEs one at a time. The speaker audited five different ACS products (FreeACS, OpenACS, LibreACS, a PHP CWMP library and Perl cwmp). In every product he found vulnerabilities to compromise it remotely and take over the managed CPEs.

This recording is really worth a look. His next projects are: auditing more ACS stuff (GenieACS, FreeACS-NG, DrayTek, Cisco...), auditing more CPE device implementations and looking into TR-111 (TR-069 for IoT like set-top boxes...).
Recording: a_look_at_tr-06fail_and_other_cpe_configuration_management_disasters

Cheese Tasting
In the evening there was another tasting like yesterday, this time cheese. Different sorts were presented, from mild to strong. The highlight was a truffle cheese from Normandy. It was really delicious. But there were other sorts from Germany, the Netherlands (Old Amsterdam, Old Rotterdam...) and Normandy (Camembert and Brie). This tasting was really good to get an overview of different cheese sorts.

Fun Fact of the Day
Late at night some people noticed a message on their badge that said: "Your badge is locked! Please go to ### to unlock it." Unfortunately nobody was at the given location to unlock it. A member of our village was infected by this malware too, and he just flashed his badge to the current firmware and everything was fixed again... Later someone developed a second ransomware. The ransom in this case was to bring a "Club-Mate" to unlock it.

Day Four

Blockchains for a Better World
I just chose to see this talk to get some intro to the blockchain. In the first part of his talk the speaker gave this introduction. The rest was not really interesting from my point of view. The speaker has worked on a new technology/language to adopt processes on a blockchain, if I understand it correctly. This talk got very complex very fast.
Recording: blockchains_for_a_better_world

MISP threat sharing platform
It was a very interesting talk about the MISP tool. It is a free and open source threat information sharing platform with tons of different features for sharing information and collaboration. You can input for example IOCs from an e-mail in raw format and MISP filters out all relevant information. The collaboration factor helps by eliminating false positives, because other people can have a look over the provided information, so they can correct for example typos in an IP address. MISP is a community-driven project initiated and supported by CIRCL (Computer Incident Response Center Luxembourg). A tool that is really worth a look for us.
Recording: misp_threat_sharing_platform
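
The "paste a raw e-mail, get the indicators out" step described above, as an added example written for this page (it is not MISP's own code and does not reproduce its import logic): defanged indicators (`hxxp://`, `[.]`) are restored first, URLs are pulled out before domains so that path components are not mistaken for hostnames, RFC 1918 and loopback addresses are dropped, and the reporter's own mail domain is excluded. The e-mail, its addresses and hashes are all constructed sample data in documentation ranges.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample of a raw forwarded alert e-mail; the IPs and domains are
# documentation/test ranges, the hashes are the well-known empty-input digests.
SAMPLE_EMAIL = """\
From: soc-alerts@example-partner.test
Subject: Fwd: suspicious activity

Hi, our sensors flagged beaconing to hxxp://update-cdn[.]example-malicious[.]test/gate.php
from 10.0.3.7 (internal) towards 203.0.113.45 and 198.51.100.9.
Dropped file hash: d41d8cd98f00b204e9800998ecf8427e (md5)
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Also seen: 203.0.113.45 again, and payload-host[.]test
"""


def hexre(n):
    """Regex for a standalone run of exactly n hex digits."""
    return rf"\b[0-9a-fA-F]{{{n}}}\b"


PATTERNS = {
    "url": r"https?://[^\s\"'<>]+",
    "ipv4": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
    "domain": r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b",
    "md5": hexre(32),
    "sha1": hexre(40),
    "sha256": hexre(64),
}

# Addresses that are never useful as shared indicators (private, loopback, link-local).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def refang(text):
    """Undo the usual defanging so indicators match the patterns."""
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.I)
    return text.replace("[.]", ".").replace("(.)", ".")


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # e.g. 999.1.2.3 matches the regex but is not an address
        return True
    return any(addr in net for net in INTERNAL)


def reporter_domain(raw):
    """Mail domain of the sender, so the reporter is not listed as an indicator."""
    m = re.search(r"^From:.*@([\w.-]+)", raw, flags=re.M | re.I)
    return m.group(1).lower() if m else None


def extract_iocs(raw):
    """Return deduplicated, sorted indicators by type from a raw e-mail body."""
    text = refang(raw)
    urls = set(re.findall(PATTERNS["url"], text))
    rest = re.sub(PATTERNS["url"], " ", text)       # keep URL paths out of the domain scan
    ips = {ip for ip in re.findall(PATTERNS["ipv4"], rest) if not is_internal(ip)}
    domains = {d.lower() for d in re.findall(PATTERNS["domain"], rest, flags=re.I)}
    domains |= {urlparse(u).hostname for u in urls}
    domains.discard(reporter_domain(raw))
    hashes = {k: set(re.findall(PATTERNS[k], text)) for k in ("md5", "sha1", "sha256")}
    return {"url": sorted(urls), "ipv4": sorted(ips), "domain": sorted(domains),
            **{k: sorted(v) for k, v in hashes.items()}}


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_EMAIL).items():
        print(kind, values)
```

The exact hash lengths with `\b` on both sides are what stop a SHA-256 from also being reported as an MD5 and a SHA-1. The remaining false positives (a vendor's own domain quoted in the mail, an analyst's typo in an address) are exactly the kind of thing the talk says the collaborative review in MISP is for.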

Regulating Law Enforcement use of Trojans
This was a talk about a bill on how law enforcement may use trojans in Italy. For developing the bill there were different stakeholders, even experts from the hacker community. There were different topics to consider. To regulate the use you have, for example, to limit the use of the trojan according to the crime. For example, for cyber bullying on Facebook the police can't use a trojan for wiretapping. And there must be a registry where law enforcement can check whether there is a trojan installed on the victim's device or not. It must be ensured how long the trojan can be used and in what scope. All trojan activity has to be logged so that the defence can understand what has been done and that no function of the trojan was used which was not permitted by the warrant. Ideally the trojan should have a function so that the defence can destroy the trojan. It must be regulated that only the functions are used that are permitted for the specified crime. So for turning on the microphone, a range has to be defined in which the crime is expected. But for organized crime or terrorism you can observe 24 hours a day at every place, because it is to be expected that crime is done all day everywhere. There were discussions on who should control the trojans. Police forces in Italy are no computer or network specialists, so they want to get the job done by a contractor. But they will check the contractor's doings. But when the policeman is not a specialist, how can he or she understand what the contractor is doing? This was a really interesting talk for me because of my previous job. I think it is not all that interesting for us in cyber defense.
Recording: regulating_law_enforcement_use_of_trojans

Computer crime and criminal law 101
As the title suggests, this was a non-technical talk, more political and juridical, and it refers to Dutch law. The speaker had three main topics in his talk. In the first topic he explained why cyber criminals are always one step ahead. This is due to the laws in the Netherlands. He gave different examples. For example, in the Netherlands there is a kind of blacklisting law: everything is permitted and legal until it is written down as forbidden or illegal. He gave the example that it is forbidden to chat with children with the intent of sexual abuse. And there was the case of a guy who was chatting with a child to meet for sexual purposes. But the child was a police officer. The bad guy was later not sentenced because he technically chatted with an adult, which is not forbidden. The intent was to speak to a child, but in this particular case it was just the intent, and that is not illegal. Another example he gave was a case in which a cannabis plantation was investigated in a facility. The police officer requested a warrant to raid this facility. Later in court it turned out that the prosecutor who approved the warrant had not passed his exams, so the bad guys were not sentenced either. Another thing that makes it more complex in the "virtual" world is that in the Netherlands only the theft of physical things is illegal. But what about digital goods or cryptocurrencies? And then the lawyers try to adapt old laws to new technology (for example money laundering: cash = cryptocurrency). The last topic is about cryptocurrencies and the state of the art of investigation in the Netherlands. Interesting in this part is the Q&A: a discussion between a lawyer and the hacker community which made the standpoints of both sides clear. Is this the right event/audience for a lawyer or isn't it?
Recording: computer_crime_and_criminal_law_101

Physical Penetration Testing
In this talk the speaker demonstrated how he does physical pentesting for different clients. He showed well-known tricks for getting into the building and getting to the places where the data is, and how to open a data centre rack. He showed different tricks, specialized tools and how to do some of the tricks the hacker's way, with self-made tools or life hacks. At the end he gave a little introduction to lockpicking.
I don't want to describe all the techniques here. This recording is a must-see! Some of the techniques are so easy that it is daunting to me.
Recording : physical_penetration_testing

Fun Fact of the Day
On the camp ground there was a little lake with an island. With an inflatable boat we went to the island. Just as we arrived, an octocopter drone was flying over the lake. It seems someone was trolling the people who were swimming in the lake with it. Suddenly the drone motors turned off; a few centimeters above the water the motors turned on again at high power. But too late :-) It crashed into the water.

Day Five


Exploiting Twitter with Tinfoleak for investigative purposes
This talk is about investigations on Twitter. In his talk the speaker described why he uses Twitter for intelligence: Twitter has a lot of activity, it is very easy to send tweets, and most of the content is public text. The target of an investigation could be an individual or even an organisation, a terror group and so on. Tinfoleak itself is an open source tool written in Python, and it can extract information from different social networks, not only Twitter. In his presentation the speaker showed what kind of information about an account can be extracted by Tinfoleak, for example apps, usage frequency, hashtags, media and metadata, visited places and top locations and so on. In a live demo he showed, based on coordinates of a specific location, which information can be gathered by Tinfoleak. He then explained the final HTML report of this research. A second example from the live demo was the investigation of a specific Twitter user. It is really worth a look.
Recording: exploiting_twitter_with_tinfoleak_for_investigative_purposes

DDoS attack and defense
The speaker of this talk works at a hosting provider. In his talk he covered the basics of DDoS and went deeper into some DDoS attacks. He also talked about detection and defense, and pointed out some aggressive network defense techniques. DoS vulnerabilities can be caused by different things: misconfigurations, license problems etc. He described some attacks on layer 3 and 4 (IP, TCP, UDP) and layer 7 attacks like Slowloris. He showed some tools like Web LOIC. Later he explained how some DDoS appliances work and gave some examples of how different vendors (appliances) do their job. He explained many countermeasures and also talked about counter-countermeasures, some of which were very new to me. Because of the technically detailed talk it is really worth watching the recording below. This talk was very interesting.
Recording : ddos_attack_and_defense
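
A small detection sketch for the two attack classes the talk distinguishes, added here as an example (not the speaker's code and not a reproduction of any appliance's logic): a layer 7 Slowloris indicator, which looks for one source holding many connections with incomplete request headers, and a layer 3/4 flood indicator based on packets per second per source. The connection-table snapshot, the per-source rates, the thresholds and the allowlist are all constructed for this example; the allowlist illustrates the caveat that belongs to any "aggressive" automated response, namely that a busy NAT gateway or your own monitoring can look like an attacker.

```python
from collections import Counter


def build_snapshot():
    """Constructed connection-table snapshot: (client_ip, seconds_open, headers_complete),
    the kind of view a reverse proxy or an ss(8)-style listing gives."""
    rows = []
    for i in range(40):                       # one client parked on 40 half-sent requests
        rows.append(("203.0.113.77", 30 + i, False))
    for i in range(5):                        # a normal browser: a few finished requests
        rows.append(("198.51.100.5", i, True))
    rows.append(("198.51.100.5", 12, False))  # one slow request on its own is not an attack
    return rows


# Constructed per-source packet rates over a one-second window (layer 3/4 view).
PACKETS_PER_SECOND = {"203.0.113.10": 250_000, "198.51.100.5": 40, "192.0.2.8": 12_000}

# Sources that are never auto-blocked, e.g. own monitoring or a customer's NAT gateway.
ALLOWLIST = {"192.0.2.8"}


def slowloris_suspects(snapshot, min_age=10, max_pending=20):
    """Sources holding at least max_pending connections whose headers are still
    incomplete after min_age seconds; a single slow client never trips this."""
    pending = Counter(ip for ip, age, done in snapshot if not done and age >= min_age)
    return sorted(ip for ip, n in pending.items() if n >= max_pending)


def flood_suspects(pps, threshold=10_000):
    """Sources sending at or above threshold packets per second."""
    return sorted(ip for ip, rate in pps.items() if rate >= threshold)


def block_decisions(snapshot, pps, allowlist):
    """Merge both indicators; allowlisted sources are surfaced for review, not blocked."""
    suspects = set(slowloris_suspects(snapshot)) | set(flood_suspects(pps))
    return {"block": sorted(suspects - allowlist), "review": sorted(suspects & allowlist)}


if __name__ == "__main__":
    print(block_decisions(build_snapshot(), PACKETS_PER_SECOND, ALLOWLIST))
```

Both indicators are per-source, which is exactly where they stop working against a distributed attack whose individual sources each stay under the thresholds; that is the gap appliances try to close with traffic baselining and challenge mechanisms, and the counter-countermeasures the talk mentions are responses to those.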

FaceDancer 2.0
This talk is about a USB attack device called FaceDancer 2.0. It is capable of fuzzing, monitoring or MITMing USB devices, even embedded ones like in cars. The speakers gave a deep dive on how USB works. It was a really complex, technical talk. The FaceDancer 2 is capable of emulating four different device types. It will be available as a shield for Raspberry Pi or BeagleBone boards and other implementations. So what can the FaceDancer do? It can attack USB hosts and driver stacks, fuzzing for example with umap. It can fingerprint USB implementations, for example to identify the host OS. And it can emulate USB devices (HID, USB mass storage, FTDI, DFU (to steal device firmware)).
Recording : facedancer_2_0

Infrastructure review
Key facts:

  • 139 videos released
  • 90% completed during the event

Chaosvermittlung and POC (Phone Operation Center)
  • 3.5 km of additional cabling
  • 28+ base stations for DECT
  • Spoke-and-hub model with 4 PBXs, connected to the fibre cabling, working without interruption
  • Over 750 registered DECT phones
  • 180 used SIP accounts
  • Called the whole world: India, Vatican, China and North Korea
  • Nearly 14h of incoming and 152h of outgoing calls
  • Germany, Austria and the Netherlands
  • The single longest call went to Wallis and Futuna, somewhere in the Pacific: 2/12 hours

NOC (Network Operation Group)
  • Gigabit & 10 Gigabit for all
  • 3 datacenters
  • Datenklos are uplinked with 10 GB single fibre
  • 46 Datenklos
  • 50 fibre cables (total 9000 m)
  • 75 access switches, 6 distribution switches
  • 2 edge routers
  • 120 access points
  • 300 transceivers
  • 4x 40 GB uplink to the edge router
  • Approx. 100 splices done
  • 59 km dark fibre provided by UNET, fibre already on-site
  • Tunable coherent 100 GBit/s, backup 10 GBit/s
  • Core backbone 100 GBit/s
  • 10 GB peering at NL-ix
  • 0 budget!
  • 120 APs deployed
  • Peak 2800 clients & 1 GBit/s (rx and tx)
  • 7400 unique devices
  • 200 rogue APs discovered
  • FttT - Fibre to the Tent
  • FttB - Fibre to the Boat
  • Italian Embassy hacked Art-Net
  • About 380 abuse emails received, mostly automated (by scanning the whole network); some serious hacking attempts, whose traffic was dropped

Power
  • 5 truckloads worth of stuff
  • 8 generators --> 2 backup
  • 1.2 megawatt
  • 300 distribution boxes
  • 20 km cabling
  • 3.5 km 400 amp cable (heavy)
  • 10% of the power was invested in the pizza oven :-)
Recording : infrastructure_review

Lockpicking and IT Security
This talk is really worth a look. It is about lockpicking and compares flaws in locks to flaws in IT security. The speaker is the president of TOOOL, the open organisation of lockpickers; he has 20 years of lockpicking experience and is also the fastest lockpicker. He has about 20 years of experience in IT security, too. In locks there can be the same flaws that are possible in the software development life cycle (requirements, design, development, testing, maintenance). The first example of a design flaw in IT is the Ariane V: a system was built that shut down because of a floating-point exception, which caused the self-destruction of the rocket to start... A design flaw in a lock is for example in a very expensive high-security electrical lock used by the US government, which has two-factor authentication (code and card). This lock has two LEDs (red and green). It is possible to get into the lock housing with a paper clip and short the circuit board of the lock, which causes the lock to open. Another example was bypassing the lock mechanism with strong magnets.
An example of an implementation flaw in locks is when the pins in the lock are thicker than the holes in the shear line. That allows you to open the lock without the correct key.
An example of user error is a lack of awareness. A French TV station was hijacked while a password was shown in the background. The same goes for keys: when you show your key in a wide-range broadcast, e.g. on TV, it is possible to make a copy of this key. As an example the speaker mentioned that someone sold master keys for the LA police on eBay. Soon there were duplicates of them.
Backdoors in software are not new. But some cheap safes have a "backup" lock, which is often behind some plastic. This is a physical lock which is often very easy to pick.
These are just a few examples from this talk. But it is really worth a look because this talk shows many lockpicking techniques, some quite exotic. Further examples in this talk are different attacks which we know from IT security, for example timing attacks, DoS attacks, password reuse, brute force.
Recording: lockpicking_and_it_security

SHA2017 Closing Event
In this last talk the event was recapped and celebrated. It is a must-see talk at every conference to say bye!
Recording: SHA2017-252-sha2017_closing

Fun Fact of the Day
No fun fact due to tear-down and bad weather :-)

Day Six

Since it rained all day yesterday, we waited for sunny weather to get our tents dry. We carried our luggage back to the cars and at about 14:00 we left the camp ground. It was an awesome event and I am really thankful to have been part of it. I will definitely be at CCCamp 2019 in Germany, too. It was a great chance to talk to awesome people with different knowledge. Quite good for networking. Chaos Communication Congress is quite good, but camps can top this atmosphere... It is hard to describe if you were not there.