Packet Hacking with PowerShell–AKA Mass Defcon Pwnage

Every year, two of the biggest hacking / security conferences take place in Las Vegas: Black Hat, and DefCon.

Both are great experiences, and both have a common theme – hackers (“Intelligent folks that like to make machines do things they weren’t originally designed for”) getting together to educate each other and have fun.

Unsurprisingly, one of the places that people get together to have fun is the free open WiFi.

Aside: Open WiFi led to the nerdiest “social networking” experience I’ve ever had. I was monitoring my hotel network to see how much malicious activity was on it. One of the most prominent protocols on a Windows-heavy network is LLMNR (Link-Local Multicast Name Resolution): when DNS cannot resolve a name, Windows multicasts the query to the local subnet and accepts an answer from whichever host replies. (Because any host on the subnet can answer, this is also the traffic that LLMNR poisoning tools abuse to capture credentials.) I saw one computer making requests for another laptop (presumably to reconnect a shared drive) – looking for a machine called “johnsmithlaptop”. It was also making LLMNR requests for a couple of servers on the Microsoft internal network, names that only resolve on the corporate network and so fall through to LLMNR from a hotel. I figured that this was probably John Smith, who works in security at Microsoft – and whom I’d been meaning to catch up with anyway. I sent him a mail asking if he was at Black Hat at my hotel – he was, and we got together for drinks :)

At DefCon there were two networks: a secure one, where you installed user certificates and which was heavily monitored for threats, and the traditional open one. From the FAQ:

Is there a free network at DEF CON?

Why yes, DEF CON 21 is FULLY network-enabled. Now that we’ve perfected the art of a stable hacker con network, we’re ascending to a higher level – we’re providing you a network that you feel SAFE in using! Since DEF CON 18 we’re WPA2 encrypted over-the-air, with a direct trunk out to the Internet. No peer-to-peer, no sniffing, just straight to the net (and internal servers). We’ll provide login credentials at Registration. We know the 3G airwaves will be saturated so we’re putting our own cred on the line to give you a net that even we would put our own mobile phones on.

If you’re feeling frisky, we’ll still have the traditional "open" network for you – bring your laptop (we’d recommend a clean OS, fully patched–you know the procedure) because we don’t police what happens on that net. Share & enjoy!

So the free open WiFi is pretty frisky. People are constantly monitoring it with their packet analyzer of choice, looking for fun things to do.

In packet analyzers, most protocols have dissectors coded that parse the protocol and give you a high-level summary of what that packet was attempting to do. Here’s an example of NTP (Network Time Protocol) traffic being dissected by Wireshark:

[Screenshot: capture_ntp – NTP traffic dissected in Wireshark]

Most of the details in the “Info” column are tightly constrained – for example, protocol options, or maybe an IP address or DNS name. However, while on a Google Hangout I found one protocol whose dissector puts almost arbitrary text into “Info”, and decided to have fun. The protocol was STUN (Session Traversal Utilities for NAT) – a protocol that lets a client behind a NAT discover the public address and port its traffic appears to come from, so that applications such as voice and video chat can set up peer-to-peer connections.

If you were monitoring the DefCon network at all you might have seen a packet like this fly by:

[Screenshot: stun_roll_flyby – the STUN packet passing by in the capture]

If you put a filter on the STUN protocol, the full beauty of the packet hacking would be exposed:

[Screenshot: stun_roll – the capture filtered on the STUN protocol]

So, that’s how you (Rick) roll on the free network at DefCon.
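As an added example (this is not the code from the original post, which is left for the follow-up), here is one way to build such a packet in PowerShell. It relies on the STUN USERNAME attribute (type 0x0006), a free-form UTF-8 string that Wireshark's STUN dissector appends to the Info column of a Binding Request; the message text, the function names and the target address are assumptions for illustration. A small parser is included so you can confirm, offline, what a dissector would pull out of the bytes.

```powershell
# Added example, not the original post's code. Builds a STUN Binding Request
# (RFC 5389) whose USERNAME attribute carries arbitrary text, sends it over UDP,
# and parses it back the way a dissector would. Hypothetical: the target address,
# the message text and the function names.

function New-StunBindingRequest {
    param([Parameter(Mandatory)][string] $Username)

    $userBytes = [System.Text.Encoding]::UTF8.GetBytes($Username)
    # RFC 5389 caps USERNAME at 513 bytes before padding; Wireshark will still
    # dissect a longer one, but a real STUN server may reject it.
    if ($userBytes.Length -gt 513) { throw 'USERNAME must be at most 513 bytes' }

    # Attribute values are padded to a 4-byte boundary. The attribute's own length
    # field holds the unpadded size; the header's length field holds the padded total.
    $padLen  = (4 - ($userBytes.Length % 4)) % 4
    $attrLen = 4 + $userBytes.Length + $padLen

    $msg = New-Object 'System.Collections.Generic.List[byte]'

    # 20-byte header, all fields big-endian
    $msg.AddRange([byte[]](0x00, 0x01))                    # type: Binding Request
    $msg.Add([byte](($attrLen -shr 8) -band 0xFF))         # message length (attributes only)
    $msg.Add([byte]($attrLen -band 0xFF))
    $msg.AddRange([byte[]](0x21, 0x12, 0xA4, 0x42))        # magic cookie
    $txId = New-Object byte[] 12                           # 96-bit random transaction ID
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($txId)
    $msg.AddRange($txId)

    # USERNAME attribute: type 0x0006, unpadded length, UTF-8 value, zero padding
    $msg.AddRange([byte[]](0x00, 0x06))
    $msg.Add([byte](($userBytes.Length -shr 8) -band 0xFF))
    $msg.Add([byte]($userBytes.Length -band 0xFF))
    $msg.AddRange($userBytes)
    if ($padLen -gt 0) { $msg.AddRange((New-Object byte[] $padLen)) }

    # The leading comma returns the byte[] intact instead of unrolling it into the pipeline.
    return ,$msg.ToArray()
}

function Read-StunUsername {
    # Returns the USERNAME text of a STUN Binding Request, or $null if the bytes
    # are not one. Mirrors the checks a dissector makes before labelling a packet.
    param([Parameter(Mandatory)][byte[]] $Packet)

    if ($Packet.Length -lt 20) { return $null }
    if ($Packet[0] -ne 0x00 -or $Packet[1] -ne 0x01) { return $null }   # not a Binding Request
    $cookie = @(0x21, 0x12, 0xA4, 0x42)
    for ($i = 0; $i -lt 4; $i++) {
        if ($Packet[4 + $i] -ne $cookie[$i]) { return $null }           # magic cookie mismatch
    }

    $msgLen = ([int]$Packet[2] -shl 8) -bor [int]$Packet[3]
    $end = [Math]::Min(20 + $msgLen, $Packet.Length)
    $pos = 20
    while ($pos + 4 -le $end) {
        $type = ([int]$Packet[$pos] -shl 8) -bor [int]$Packet[$pos + 1]
        $len  = ([int]$Packet[$pos + 2] -shl 8) -bor [int]$Packet[$pos + 3]
        $pos += 4
        if ($pos + $len -gt $end) { return $null }                      # truncated attribute
        if ($type -eq 0x0006) {
            return [System.Text.Encoding]::UTF8.GetString($Packet, $pos, $len)
        }
        $pos += $len + ((4 - ($len % 4)) % 4)                           # skip value plus padding
    }
    return $null
}

# Build the packet, check what a dissector would show, then broadcast it on the
# subnet (hypothetical broadcast address) to STUN's default port 3478.
[byte[]]$packet = New-StunBindingRequest -Username 'Never gonna give you up'
Read-StunUsername -Packet $packet

$udp = New-Object System.Net.Sockets.UdpClient
$udp.EnableBroadcast = $true
[void]$udp.Send($packet, $packet.Length, '192.168.1.255', 3478)
$udp.Close()
```

Broadcasting to the subnet is what makes it "mass": every host running a sniffer sees the packet, and a `stun` display filter in Wireshark will show the text. The 513-byte cap is the one check worth keeping even for a joke packet, since anything longer is no longer a valid STUN request.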

In the next post, I’ll go through the code that made the magic happen.

One Response to “Packet Hacking with PowerShell–AKA Mass Defcon Pwnage”

  1. Tapper7 writes:

    Nice content all up in this bitch... I've given up on Cygwin for this Acer Win7 laptop, but a lil data mining revealed the .NET framework and a functional PowerShell + GUI. I've got the JDK/JRE/NetBeans 8 rockin'... and now a shitty dupe of UNIX... I can WYSIWYG, write HTML/JS/CSS for my dumb site/blog, skip-trace the URL pump-and-dump idiots who used an f—king amateur piece of JS on their YouTube page... mousedown() in "like" puts "xxx viagra big cack do u has boners... etc." in my GSR code snippet on a GS of my online handle... very amateur. They got 150,000 accounts... but it was LOCAL to my machine... no backlinks either... sent the meth-head in AZ who owns 500,000 DNs the names of his 2 buddies in Indonesia/Malaysia, his full name, addy, home/work and cell phone and the names of his wife and three kids... oh yeah... I sent him his SSN and his rap sheet too... said he was a cho-mo. Told him he f-ed w/ the wrong computer scientist. heh. Still can't get C/C++ to compile in NetBeans though. Getting a Dell laptop w/ Intel chipset and setting up a UNIX-based platform asap. Mac = gay. MS = shameful. Take care, most of the shit I know about mudkipz doesn't go on my blog... just news, op-ed, tech news and security warnings and AIDS jokes. It is really refreshing to scope a blog that doesn't eat its own balls... I've seen over 5000 so far this yr... will be over 9000 by yr's end... and 4.2 of them are worth reading now... it's an old software architect who uses Blogspot (weird but the content is informative and he's a shit-talker there and on Stack), a mommy-blog who designs/markets and writes the f—- out of her page... and makes just enough to pay her rent despite 200,000 hits/mo. I found a materials engineer who mostly blogs about how stupid web "developers" from India are and his mom (LOVE the racist jokes, design is ridic...) but no updates in 2014. Same for the blogger who experienced the same bogus Content ID claim I did. We fought – we won, but he also is inactive.
    Will be nominating you my 2014 "best of" for having an informative, interesting blog that is not from India/China/Nigeria, fun to read and not trying to sell me boner pills. Bravo sir! -T
