
NorthSec - Applied Security Event

NorthSec: Canada's largest cybersecurity competition and conference

NorthSec is a non-profit organization that runs a conference, a "Capture-The-Flag" (CTF) security competition and training sessions. With over 400 participants on site for the competition, it is the largest competition of its kind in the world.

The conference, now in its 3rd year, attracts international speakers with exclusive technical content. The addition of workshops should appeal to the most seasoned binary hackers.

Three-day training sessions are offered before the conference: "Advanced Web Application Security" by Philippe Arteau and "Malware and Memory Forensics" by Michael Ligh, co-author of the books "Malware Analyst Cookbook" and "The Art of Memory Forensics".

NorthSec takes place at Marché Bonsecours in Montréal's Old Port in the spring, from May 15 to 21, 2017.

The presentation will cover:

- The plan for 2017
- What sets NorthSec apart
- How to balance a competition for beginners and experts alike
- How to build a container-based infrastructure that serves 50 teams on a handful of servers without teams sharing virtual machines
- How to make sourdough bread at scale
- A walkthrough of a few challenges and their solutions

The presenters:

- Gabriel Tremblay, President, Delve Labs
- Olivier Bilodeau, VP Training, Co-founder of MontréHack, GoSecure
- Pierre-David Oriol, VP Conferences, Delve Labs
- Benoit Guérette, VP Partnerships, Desjardins
- Laurent Desaulniers, Flag Weaver, Bell Canada

OWASP Montréal

April 04, 2017
Transcript

1. AGENDA
- Our Capture-The-Flag (CTF): Intro to the CTF, Previous scenarios, Balance a Competition, Scale an Infrastructure, MD5 Collision Challenge (bonus)
- Scale Sourdough Bread
- Build 600 hardware badges (bonus)
- Coming in NorthSec 2017: Conference, Training, Social Events, Sponsorship
2. CAPTURE THE FLAG (CTF)
❏ Largest on-site CTF in the World*
❏ Scenario-driven
❏ Several types of challenges: Forensics, Cryptography, Web Application Security, Reverse Engineering, Exploitation, Lockpicking
*: according to our own non-scientific survey, which consisted of asking on Twitter what the “largest in-person CTF” is and verifying that our event was larger than the event we were told about
3. PAST CTF SCENARIOS
❏ 2013: Onionotar
❏ 2014: Associated Nation Organization (ANO)
❏ 2015: Revolution against Rao’s Intricate Kingdom
❏ 2016: Marcus Madison Bakery
❏ 2017: ???

4. 2016 CTF IN NUMBERS
❏ 39 teams
❏ 8310 submitted flags
❏ 951 valid flags (11.4%)
❏ 330 participants
❏ 42 volunteers
❏ 500 liters of locally-roasted coffee
❏ 950 liters of craft beer on tap
❏ 768 bottles of Prime Mate
5. HOW TO BALANCE CHALLENGES BETWEEN EXPERTS AND BEGINNERS
❏ Problem: Over 40 challenges per year!
❏ Problem: Over 20 challenge designers, different skill sets, etc.
❏ Problem: Multiple crowds with different skill levels (students, government, enterprise, professional testers)

6. TESTS, TESTS, TESTS
❏ A good challenge is:
- Easy to understand WHAT to do
- Easy/Hard/Tough to know HOW to do it
- TESTED, in production, by *other* people than the designer

7. AN EASY TRACK
❏ Solid success: every year, we have an “easy” track. This allows pros to warm up their elite muscles while enabling more entry-level people to learn.
❏ 1- Web4kids
❏ 2- N00bZone
❏ Mystery in 2017 :)

8. MIXED AUDIENCE
❏ In the past, one team took the whole weekend to install Kali Linux
❏ Other participants found 0-days in PhpSimpleCatcha, Chrome and MongoDB
9. EVERYONE LIKES NUMBERS, RIGHT?
❏ 41 Internet simulations
❏ 82 Windows virtual machines (2 per team)
❏ 11387 Linux containers (277 per team + 30 infrastructure, about 2850 per host)
❏ 10004 BGP routers (244 per team)
❏ 3324895 IPv6 routing table entries (81095 per team)

10. THE ACTUAL SETUP
(Diagram: an LXD API in front of two SuperMicro hosts running 4432 containers each and two HP hosts running 1108 containers each, plus the Windows VMs.)
11. ONE OF MANY SIMULATIONS
nsec-infra@management01:~$ lxc exec n-contest12:team00 -- lxc list
+------------------+---------+------+--------------------------------------------+------------+-----------+
| NAME             | STATE   | IPV4 | IPV6                                       | TYPE       | SNAPSHOTS |
+------------------+---------+------+--------------------------------------------+------------+-----------+
| bgp-51merica01   | RUNNING |      | 9000:3201::9f30:6bb4:9123:17a2 (local)     | PERSISTENT | 0         |
| bgp-51merica02   | RUNNING |      | 9000:3201::dc41:4eac:a4c5:7317 (local)     | PERSISTENT | 0         |
… a few hundred of those later
| ctn-4chin1       | RUNNING |      | 9000:470:abcd:4242::bced (eth0)            | PERSISTENT | 0         |
| ctn-apiSploit    | RUNNING |      | 9000:470:b2b5:1000:8ace:bbeb:0:1986 (eth0) | PERSISTENT | 0         |
… a few dozen of those later
| tpl-base         | STOPPED |      |                                            | PERSISTENT | 0         |
| tpl-php-nginx-v1 | STOPPED |      |                                            | PERSISTENT | 0         |
+------------------+---------+------+--------------------------------------------+------------+-----------+
12. I SAID, WE SIMULATE THE INTERNET!
~ # mtr core01.tor.rednet.net.ctf --report
Start: Sat Aug 20 22:16:35 2016
HOST: bgp-ggs05                    Loss%   Snt   Last    Avg   Best   Wrst  StDev
  1.|-- gw.busan.toto.in.ctf          0.0%    10    0.5    0.6    0.4    1.5    0.0
  2.|-- gw.shanghai.toto.in.ctf       0.0%    10   14.7   14.9   14.6   15.2    0.0
  3.|-- gw.hongkong.toto.in.ctf       0.0%    10   32.6   32.9   32.6   35.1    0.6
  4.|-- gw.singapore.toto.in.ctf      0.0%    10   70.7   70.8   70.6   71.4    0.0
  5.|-- gw.kualalumpur.toto.in.ct     0.0%    10   74.8   74.9   74.7   75.1    0.0
  6.|-- gw.yangon.toto.in.ctf         0.0%    10   94.9   95.0   94.7   96.5    0.5
  7.|-- gw.kathmandu.toto.in.ctf      0.0%    10  119.6  120.5  118.9  131.4    3.8
  8.|-- gw.karachi.toto.in.ctf        0.0%    10  149.3  150.0  149.1  156.6    2.3
  9.|-- gw.dubai.toto.in.ctf          0.0%    10  167.3  167.2  167.1  167.5    0.0
 10.|-- gw.doha.toto.in.ctf           0.0%    10  173.6  173.4  173.2  173.6    0.0
 11.|-- gw.jerusalem.toto.in.ctf      0.0%    10  202.3  201.6  201.4  202.3    0.0
 12.|-- gw.antalya.toto.in.ctf        0.0%    10  212.0  211.7  211.3  213.0    0.3
 13.|-- gw.istanbul.toto.in.ctf       0.0%    10  219.8  219.8  219.5  220.5    0.0
 14.|-- gw.bukarest.toto.in.ctf       0.0%    10  228.6  227.9  227.5  228.6    0.0
 15.|-- gw.zurich.toto.in.ctf         0.0%    10  256.1  255.9  255.7  256.2    0.0
 16.|-- pop11.zurich.tp.net.ctf       0.0%    10  255.6  255.8  255.6  256.0    0.0
 17.|-- po7.london.tp.net.ctf         0.0%    10  273.1  273.3  273.1  273.9    0.0
 18.|-- pop8.ny.tp.net.ctf            0.0%    10  392.9  393.1  392.9  393.8    0.0
 19.|-- pop1.toronto.tp.net.ctf       0.0%    10  403.1  403.4  403.1  403.9    0.0
 20.|-- gw01.tor.videopacman.net.     0.0%    10  402.8  403.1  402.8  403.5    0.0
 21.|-- core01.tor.rednet.net.ctf     0.0%    10  402.8  405.4  402.8  415.5    4.3
13. NORTHSEC 2017
❏ New servers: all our contest servers will now be identical
❏ New scoring system: Askgod is being rewritten to improve scalability
❏ Unified networks: the same setup will now be used for trainings, conference and CTF
❏ Even less IPv4: even our guest network will be IPv6-only
❏ Upgrade to Ubuntu 16.04: keeping up with the latest Ubuntu LTS releases
14. MD5 HASH COLLISION CHALLENGE
❏ In the context of the “Marcus Madison Bakery”, you were hired as a pentesting consultant and asked to perform various tasks.
❏ With regards to the “Strawberry Strudel Maker” challenge, you had to code review the update manager of the system.
❏ It was presented at MontréHack - Find it on GitHub: https://github.com/montrehack/challenges/tree/master/2016-06-20/Proulx-RC4-MD5_Collision

15. CHALLENGE - MD5 COLLISION
Hint #1 - The scenario
❏ It’s a Code Review challenge: check the HTML source
❏ Notice some odd comment and debug trace: try going to /?support=authorized
❏ Notice some new block with a <form> POST: you can change the CSS to display: block to show it
❏ Try uploading some file: nothing happens
❏ Notice debug = false: change it to debug = true before uploading
❏ Notice the <pre> block with the exact name and file hash

16. CHALLENGE - MD5 COLLISION
Hint #2 - The real challenge
❏ MD5 Collision to the rescue!
❏ Huh… Very few practical attacks are realistic within the span of a 2-day competition. NO, we are NOT expecting you to buy $500 worth of EC2 GPGPU cluster to run some fancy tool like HashClash
❏ There are simpler, faster attacks, BUT they require some very “special conditions”
❏ Of course, this is a challenge meant to be cracked, so those “special conditions” are probably present
❏ You need one file that matches your target hash. Look under the rug…. Leftover static files maybe?

17. CHALLENGE - MD5 COLLISION
Hint #3 - The magic bytes!
❏ Look very very carefully at every byte in that special file
❏ Remember, Marcus asked you to do a Code Review
❏ Oh, look, there’s a Command Injection vulnerability!
❏ But …. You cannot use it unless….
❏ And AGAIN, you don’t need a $1000 AWS cluster

18. CHALLENGE - MD5 COLLISION
Hint #4 - The evil cryptographer
❏ In that special file, there’s the name of a person…
❏ Apparently it’s the person who designed the Strudel Maker update manager cryptosystem…
❏ Xiaoyun Wang
❏ Look up his academic work…
❏ Maybe he published some tools along with his work?

19. CHALLENGE - MD5 COLLISION
Hint #5 - The Ha Ha moment!
❏ Get the `fastcoll` tool by Marc Stevens
❏ Study very carefully how it actually works
20. CHALLENGE - MD5 COLLISION
$ ls
license_validator-NORMAL.py license_validator-SOLVED.py
$ md5 *
MD5 (license_validator-NORMAL.py) = 8280b4a5ea2300582e4590225ba415e4
MD5 (license_validator-SOLVED.py) = 8280b4a5ea2300582e4590225ba415e4
$ shasum *
c87a36ecd716906be60a6697492efa6467f10898 license_validator-NORMAL.py
ed4fd00b919abfc454cfeacbe626c96e6a677cec license_validator-SOLVED.py
$ xxd license_validator-NORMAL.py > 1 && xxd license_validator-SOLVED.py > 2
$ diff 1 2
6,8c6,8
< 00000050: 65ca a9c6 5ea2 dee0 46f2 82c1 eb1e 8c97 e...^...F.......
< 00000060: 141b bff3 70ec 5cc3 cbcf 4503 a181 7766 ....p.\...E...wf
< 00000070: fed8 0e68 ba7f ac56 f914 fe73 d425 892e ...h...V...s.%..
---
> 00000050: 65ca a946 5ea2 dee0 46f2 82c1 eb1e 8c97 e..F^...F.......
> 00000060: 141b bff3 70ec 5cc3 cbcf 4503 a101 7866 ....p.\...E...xf
> 00000070: fed8 0e68 ba7f ac56 f914 fef3 d425 892e ...h...V.....%..
10,12c10,12
< 00000090: 493e 7b57 df49 13ea 7e7b cb4b 5b61 a341 I>{W.I..~{.K[a.A
< 000000a0: a260 ad8e 8405 7316 9a8f eb90 c438 6b2f .`....s......8k/
< 000000b0: 9252 d7bb a50d 9a09 8467 677b 17ec 7248 .R.......gg{..rH
---
> 00000090: 493e 7bd7 df49 13ea 7e7b cb4b 5b61 a341 I>{..I..~{.K[a.A
> 000000a0: a260 ad8e 8405 7316 9a8f eb90 c4b8 6a2f .`....s.......j/
> 000000b0: 9252 d7bb a50d 9a09 8467 67fb 17ec 7248 .R.......gg...rH
21. CHALLENGE - MD5 COLLISION SOLUTION
❏ Get the “GOOD” license_validator.py
❏ Get the `fastcoll` tool from Marc Stevens
❏ Study the code
❏ Notice that you can modify it slightly to do your bidding
❏ Change it so that you can pass the GOOD file path as `argv`
❏ If you want to modify the least amount of code, you may need to massage the file before processing it.
❏ Boom - EVIL license_validator.py
❏ Upload evil

22. CHALLENGE - MD5 COLLISION
You got the flag! Submit to AskGod for fun and profit $!
The takeaway:
❏ Chosen-prefix MD5 collisions are trivial
❏ Similar collisions on SHA1 are possible
❏ This specific type of collision may not have much relevance in practice though.
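As an added example (not from the deck or the challenge repository): the byte differences in the xxd diff on slide 20 follow the Wang et al. MD5 differential that fastcoll produces, so a defender handed two same-MD5 files can recognise the pattern rather than just noticing that SHA-1 disagrees. The rows are copied from that diff; rows the slide does not show are zero-filled, which makes this a constructed sample that carries the differences but does not itself collide.

```python
import struct
from typing import Dict, List

MASK = 0xFFFFFFFF
TWO31, TWO15 = 1 << 31, 1 << 15
# Wang et al. differential, as seen in the deck's xxd diff: in each of the two
# colliding 64-byte blocks only message words 4, 11 and 14 change, by 2^31,
# +/-2^15 and 2^31 (mod 2^32), with the sign of the word-11 delta flipping
# between the first and the second block.
WANG_PATTERN = (
    {4: TWO31, 11: TWO15, 14: TWO31},
    {4: TWO31, 11: (-TWO15) & MASK, 14: TWO31},
)

def word_deltas(a: bytes, b: bytes) -> Dict[int, Dict[int, int]]:
    """Per 64-byte MD5 block, the modular delta of every differing 32-bit word."""
    if len(a) != len(b) or len(a) % 64:
        raise ValueError("inputs must be equal length and a multiple of 64 bytes")
    deltas: Dict[int, Dict[int, int]] = {}
    for blk in range(len(a) // 64):
        wa = struct.unpack("<16I", a[blk * 64:(blk + 1) * 64])
        wb = struct.unpack("<16I", b[blk * 64:(blk + 1) * 64])
        diff = {i: (y - x) & MASK for i, (x, y) in enumerate(zip(wa, wb)) if x != y}
        if diff:
            deltas[blk] = diff
    return deltas

def find_fastcoll_blocks(a: bytes, b: bytes) -> List[int]:
    """Indices of blocks where a two-block Wang-style differential begins."""
    deltas = word_deltas(a, b)
    return [blk for blk, first in deltas.items()
            if first == WANG_PATTERN[0] and deltas.get(blk + 1) == WANG_PATTERN[1]]

def _sample(rows: Dict[int, str]) -> bytes:
    # Constructed 3-block buffer: rows the slide does not show are zero-filled,
    # so the two samples carry the deck's byte differences but do NOT collide.
    buf = bytearray(192)
    for off, hexrow in rows.items():
        buf[off:off + 16] = bytes.fromhex(hexrow)
    return bytes(buf)

NORMAL = _sample({0x50: "65caa9c65ea2dee046f282c1eb1e8c97", 0x60: "141bbff370ec5cc3cbcf4503a1817766",
                  0x70: "fed80e68ba7fac56f914fe73d425892e", 0x90: "493e7b57df4913ea7e7bcb4b5b61a341",
                  0xa0: "a260ad8e840573169a8feb90c4386b2f", 0xb0: "9252d7bba50d9a098467677b17ec7248"})
SOLVED = _sample({0x50: "65caa9465ea2dee046f282c1eb1e8c97", 0x60: "141bbff370ec5cc3cbcf4503a1017866",
                  0x70: "fed80e68ba7fac56f914fef3d425892e", 0x90: "493e7bd7df4913ea7e7bcb4b5b61a341",
                  0xa0: "a260ad8e840573169a8feb90c4b86a2f", 0xb0: "9252d7bba50d9a09846767fb17ec7248"})
```

`find_fastcoll_blocks(NORMAL, SOLVED)` reports that the differential starts at block 1 (file offset 0x40), i.e. right after a 64-byte identical prefix; an update manager that compares only MD5 cannot tell the two apart, which is exactly what the challenge exploits.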
23. HW FEATURES
❏ 2 ARM microcontrollers: Nordic nRF51, STM32
❏ Bluetooth Low Energy (BLE)
❏ Full-stack USB
❏ Touch buttons
❏ OLED display
(Diagram labels: nRF51, STM32, USB)

24. WHY HAVE AN ELECTRONIC BADGE?
❏ Identify participants, but also...
❏ Nice way to have a conference schedule handy
❏ Educational approach to embedded security
❏ Using modern technology (USB, BLE, ARM)
❏ Low-cost solution to hack the badge software
❏ Badge software source code available
❏ Make interesting challenges for the CTF competition
❏ Promotional item for the event

25. IMPROVE YOUR SKILLS
❏ Use all those fancy embedded security tools that you bought over the years
❏ Applied electronics
❏ Reverse engineer and write exploits
❏ Gain code execution to dump the chip
❏ Play with the USB stack
❏ Bluetooth security
❏ ...keep your tamagotchi alive

26. BADGE - THE MAKING OF
1. Plan the features you want for your badge
2. Sum the price of all the components you need
3. If it’s too expensive for your budget GOTO 1
4. Make schematics and a cool design
5. Create prototypes
6. Test prototypes
7. Write the challenges
8. Press the button to make N copies
9. Profit!
Stress so it arrives on time for the conference...
27. CONFERENCE
❏ Why another infosec conference? Vision
❏ What’s new this year? Workshops and talks
❏ Keynote: Richard Thieme
❏ James Kettle (Burp)
❏ Babak Javadi (Toool / Alarm Systems)
❏ Thomas Pornin (Infosec StackExchange)
❏ Analysts from priv.gc.ca

28. TRAINING
❏ Malware and Memory Forensics by Michael Ligh: author of The Art of Memory Forensics and Malware Analyst Cookbook, core contributor to the Volatility Framework
❏ Advanced Web Application Security by Philippe Arteau: author of the static code analysis tools Find-Security-Bugs and Roslyn Security Guard; presented at BlackHat USA, JavaOne and more; found vulnerabilities in Google Chrome, Dropbox, Paypal, RunKeeper and Jira
❏ Training sessions include full access to the conference, lunch, coffee, refreshments and a networking event

29. SPONSORS & PARTNERS
What we do for our participants with regards to sponsorship & partnership:
❏ NorthSec is presented by our awesome volunteers; there will be no “NorthSec presented by __sponsor__”.
❏ We do not exchange emails/contact info for $$$ (every year someone will ask for it)
❏ Call-For-Papers for everyone, no sponsored talk
❏ Talks are selected based on merit only

30. SPONSORS & PARTNERS
❏ Yearly voting process by all the volunteers on acceptable sponsor & partner types, corresponding to our values and mission.
❏ Chill room and limited vendor area mixed together to create a perfect ambiance.
❏ No vendor area and limited visitor access during the CTF; concentration is everything!
❏ Sponsored local fresh croissants and bagels for everyone (we get them at 5am for you)
❏ Contact [email protected]

31. YOUR SPEAKERS
Gabriel Tremblay - Président, Delve Labs
Pierre-David Oriol - VP Conférences, Delve Labs
Olivier Bilodeau - VP Formations, GoSecure, Co-fondateur MontréHack
Benoit Guérette - VP Partenaires, Desjardins
Laurent Desaulniers - Flag Weaver, $largeISP
François Proulx - Senior Advisor to the Board, Intel Security / McAfee
Stéphane Graber - Infrastructure, Canonical
Marc-Etienne M. Léveillé - Badge Team, ESET
Benjamin Vanheuverzwijn - Badge Team, Google

32. MERCI OWASP MONTRÉAL
HTTPS://NORTHSEC.EVENTBRITE.COM
YOUR FIRST FLAG - 10% OFF EVERYTHING <coupon code redacted, you had to be there ;) >
5th EDITION, MAY 2017
TRAINING: 15th, 16th and 17th
CONFERENCE: 18th and 19th
CTF: 19th, 20th and 21st