Slide 1

Slide 1 text

NORTHSEC CANADA’S LARGEST NON-PROFIT CYBERSECURITY CAPTURE-THE-FLAG & CONFERENCE MAY 2017

Slide 2

Slide 2 text

AGENDA
Our Capture-The-Flag (CTF)
❏ Intro to the CTF
❏ Previous scenarios
❏ Balance a Competition
❏ Scale an Infrastructure
❏ MD5 Collision Challenge (bonus)
❏ Scale Sourdough Bread
❏ Build 600 hardware badges (bonus)
Coming in NorthSec 2017
❏ Conference
❏ Training
❏ Social Events
❏ Sponsorship

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

CAPTURE THE FLAG (CTF)
❏ Largest on-site CTF in the World*
❏ Scenario-driven
❏ Several types of challenges
  ❏ Forensics
  ❏ Cryptography
  ❏ Web Application Security
  ❏ Reverse Engineering
  ❏ Exploitation
  ❏ Lockpicking
*: according to our own non-scientific survey, which consisted of asking on Twitter what the “largest in-person CTF” is and verifying that our event was larger than the event we were told about

Slide 5

Slide 5 text

PAST CTF SCENARIOS
❏ 2013: Onionotar
❏ 2014: Associated Nation Organization (ANO)
❏ 2015: Revolution against Rao’s Intricate Kingdom
❏ 2016: Marcus Madison Bakery
❏ 2017: ???

Slide 6

Slide 6 text

2016 CTF IN NUMBERS
❏ 39 teams
❏ 8310 submitted flags
❏ 951 valid flags (11.4%)
❏ 330 participants
❏ 42 volunteers
❏ 500 liters of locally-roasted coffee
❏ 950 liters of craft beer on tap
❏ 768 bottles of Prime Mate

Slide 7

Slide 7 text

HOW TO BALANCE CHALLENGES BETWEEN EXPERTS AND BEGINNERS
❏ Problem: Over 40 challenges per year!
❏ Problem: Over 20 challenge designers, with different skill sets, etc.
❏ Problem: Multiple crowds with different skill levels (students, government, enterprise, professional testers)

Slide 8

Slide 8 text

TESTS, TESTS, TESTS
❏ A good challenge is:
  - Easy to understand WHAT to do
  - Easy/Hard/Tough to know HOW to do it
❏ A good challenge is TESTED, in production, by *other* people than the designer

Slide 9

Slide 9 text

AN EASY TRACK
❏ Solid Success: Every year, we have an “easy” track. This allows pros to warm up their elite muscles while enabling more entry-level people to learn.
  ❏ 1- Web4kids
  ❏ 2- N00bZone
  ❏ Mystery in 2017 :)

Slide 10

Slide 10 text

MIXED AUDIENCE
❏ In the past, one team took the whole weekend to install Kali Linux
❏ Other participants found 0-days in PhpSimpleCatcha, Chrome and MongoDB

Slide 11

Slide 11 text

CTF INFRASTRUCTURE

Slide 12

Slide 12 text

EVERYONE LIKES NUMBERS, RIGHT?
❏ 41 Internet simulations
❏ 82 Windows virtual machines (2 per team)
❏ 11387 Linux containers (277 per team + 30 infrastructure, about 2850 per host)
❏ 10004 BGP routers (244 per team)
❏ 3324895 IPv6 routing table entries (81095 per team)

Slide 13

Slide 13 text

WHAT DOES THAT ALL RUN ON ?

Slide 14

Slide 14 text

LXD - THE CONTAINER LIGHTERVISOR

Slide 15

Slide 15 text

THE ACTUAL SETUP (diagram): two SuperMicro hosts running 4432 containers each and two HP hosts running 1108 containers each, all driven through the LXD API, with the Windows VMs alongside.

Slide 16

Slide 16 text

ONE OF MANY SIMULATIONS
nsec-infra@management01:~$ lxc exec n-contest12:team00 -- lxc list
+--------------------+---------+------+-----------------------------------------------+------------+-----------+
|        NAME        |  STATE  | IPV4 |                     IPV6                      |    TYPE    | SNAPSHOTS |
+--------------------+---------+------+-----------------------------------------------+------------+-----------+
| bgp-51merica01     | RUNNING |      | 9000:3201::9f30:6bb4:9123:17a2 (local)        | PERSISTENT | 0         |
+--------------------+---------+------+-----------------------------------------------+------------+-----------+
| bgp-51merica02     | RUNNING |      | 9000:3201::dc41:4eac:a4c5:7317 (local)        | PERSISTENT | 0         |
+--------------------+---------+------+-----------------------------------------------+------------+-----------+
… a few hundred of those later
+--------------------+---------+------+-----------------------------------------------+------------+-----------+
| ctn-4chin1         | RUNNING |      | 9000:470:abcd:4242::bced (eth0)               | PERSISTENT | 0         |
+--------------------+---------+------+-----------------------------------------------+------------+-----------+
| ctn-apiSploit      | RUNNING |      | 9000:470:b2b5:1000:8ace:bbeb:0:1986 (eth0)    | PERSISTENT | 0         |
+--------------------+---------+------+-----------------------------------------------+------------+-----------+
… a few dozen of those later
+--------------------+---------+------+-----------------------------------------------+------------+-----------+
| tpl-base           | STOPPED |      |                                               | PERSISTENT | 0         |
+--------------------+---------+------+-----------------------------------------------+------------+-----------+
| tpl-php-nginx-v1   | STOPPED |      |                                               | PERSISTENT | 0         |
+--------------------+---------+------+-----------------------------------------------+------------+-----------+

Slide 17

Slide 17 text

I SAID, WE SIMULATE THE INTERNET!
~ # mtr core01.tor.rednet.net.ctf --report
Start: Sat Aug 20 22:16:35 2016
HOST: bgp-ggs05                     Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- gw.busan.toto.in.ctf         0.0%    10    0.5   0.6   0.4   1.5   0.0
  2.|-- gw.shanghai.toto.in.ctf      0.0%    10   14.7  14.9  14.6  15.2   0.0
  3.|-- gw.hongkong.toto.in.ctf      0.0%    10   32.6  32.9  32.6  35.1   0.6
  4.|-- gw.singapore.toto.in.ctf     0.0%    10   70.7  70.8  70.6  71.4   0.0
  5.|-- gw.kualalumpur.toto.in.ct    0.0%    10   74.8  74.9  74.7  75.1   0.0
  6.|-- gw.yangon.toto.in.ctf        0.0%    10   94.9  95.0  94.7  96.5   0.5
  7.|-- gw.kathmandu.toto.in.ctf     0.0%    10  119.6 120.5 118.9 131.4   3.8
  8.|-- gw.karachi.toto.in.ctf       0.0%    10  149.3 150.0 149.1 156.6   2.3
  9.|-- gw.dubai.toto.in.ctf         0.0%    10  167.3 167.2 167.1 167.5   0.0
 10.|-- gw.doha.toto.in.ctf          0.0%    10  173.6 173.4 173.2 173.6   0.0
 11.|-- gw.jerusalem.toto.in.ctf     0.0%    10  202.3 201.6 201.4 202.3   0.0
 12.|-- gw.antalya.toto.in.ctf       0.0%    10  212.0 211.7 211.3 213.0   0.3
 13.|-- gw.istanbul.toto.in.ctf      0.0%    10  219.8 219.8 219.5 220.5   0.0
 14.|-- gw.bukarest.toto.in.ctf      0.0%    10  228.6 227.9 227.5 228.6   0.0
 15.|-- gw.zurich.toto.in.ctf        0.0%    10  256.1 255.9 255.7 256.2   0.0
 16.|-- pop11.zurich.tp.net.ctf      0.0%    10  255.6 255.8 255.6 256.0   0.0
 17.|-- po7.london.tp.net.ctf        0.0%    10  273.1 273.3 273.1 273.9   0.0
 18.|-- pop8.ny.tp.net.ctf           0.0%    10  392.9 393.1 392.9 393.8   0.0
 19.|-- pop1.toronto.tp.net.ctf      0.0%    10  403.1 403.4 403.1 403.9   0.0
 20.|-- gw01.tor.videopacman.net.    0.0%    10  402.8 403.1 402.8 403.5   0.0
 21.|-- core01.tor.rednet.net.ctf    0.0%    10  402.8 405.4 402.8 415.5   4.3

Slide 18

Slide 18 text

NORTHSEC 2017
❏ New servers: all our contest servers will now be identical
❏ New scoring system: Askgod is being rewritten to improve scalability
❏ Unified networks: the same setup will now be used for trainings, conference and CTF
❏ Even less IPv4: even our guest network will be IPv6-only
❏ Upgrade to Ubuntu 16.04: keeping up with the latest Ubuntu LTS releases

Slide 19

Slide 19 text

GITHUB.COM/NSEC
❏ the-internet
❏ nsec_badge
❏ askgod

Slide 20

Slide 20 text

CHALLENGE: MD5 COLLISION

Slide 21

Slide 21 text

MD5 HASH COLLISION CHALLENGE
❏ In the context of the “Marcus Madison Bakery”, you were hired as a pentesting consultant and asked to perform various tasks.
❏ For the “Strawberry Strudel Maker” challenge, you had to code review the update manager of the system.
❏ It was presented at MontréHack - find it on GitHub: https://github.com/montrehack/challenges/tree/master/2016-06-20/Proulx-RC4-MD5_Collision

Slide 22

Slide 22 text

CHALLENGE - MD5 COLLISION

Slide 23

Slide 23 text

CHALLENGE - MD5 COLLISION

Slide 24

Slide 24 text

CHALLENGE - MD5 COLLISION

Slide 25

Slide 25 text

CHALLENGE - MD5 COLLISION

Slide 26

Slide 26 text

CHALLENGE - MD5 COLLISION

Slide 27

Slide 27 text

CHALLENGE - MD5 COLLISION

Slide 28

Slide 28 text

CHALLENGE - MD5 COLLISION
Hint #1 - The scenario
❏ It’s a Code Review challenge: check the HTML source
❏ Notice some odd comment and debug trace: try going to /?support=authorized
❏ Notice some new block with a POST: you can change the CSS to display: block to show it
❏ Try uploading some file: nothing happens
❏ Notice debug = false: change to debug = true before uploading
❏ Notice the block with the exact name and file hash


Slide 29

Slide 29 text

CHALLENGE - MD5 COLLISION

Slide 30

Slide 30 text

CHALLENGE - MD5 COLLISION
Hint #2 - The real challenge
❏ MD5 Collision to the rescue!
❏ Huh… Very few practical attacks are realistic within the span of a 2-day competition. NO, we are NOT expecting you to buy 500$ worth of EC2 GPGPU cluster to run some fancy tool like HashClash
❏ There are simpler, faster attacks, BUT they require some very “special conditions”
❏ Of course, this is a challenge meant to be cracked, so those “special conditions” are probably present
❏ You need one file that matches your target hash. Look under the rug…. Leftover static files maybe?

Slide 31

Slide 31 text

CHALLENGE - MD5 COLLISION
Hint #3 - The magic bytes!
❏ Look very, very carefully at every byte in that special file
❏ Remember, Marcus asked you to do a Code Review
❏ Oh, look, there’s a Command Injection vulnerability!
❏ But…. You cannot use it unless….
❏ And AGAIN, you don’t need a 1000$ AWS cluster

Slide 32

Slide 32 text

CHALLENGE - MD5 COLLISION
Hint #4 - The evil cryptographer
❏ In that special file, there’s the name of a person…
❏ Apparently it’s the person who designed the Strudel Maker update manager cryptosystem…
❏ Xiaoyun Wang
❏ Look up his academic work…
❏ Maybe he published some tools along with his work?

Slide 33

Slide 33 text

CHALLENGE - MD5 COLLISION
Hint #5 - The Ha Ha moment!
❏ Get the `fastcoll` tool by Marc Stevens
❏ Study very carefully how it actually works

Slide 34

Slide 34 text

CHALLENGE - MD5 COLLISION

Slide 35

Slide 35 text

CHALLENGE - MD5 COLLISION
$ ls
license_validator-NORMAL.py license_validator-SOLVED.py
$ md5 *
MD5 (license_validator-NORMAL.py) = 8280b4a5ea2300582e4590225ba415e4
MD5 (license_validator-SOLVED.py) = 8280b4a5ea2300582e4590225ba415e4
$ shasum *
c87a36ecd716906be60a6697492efa6467f10898  license_validator-NORMAL.py
ed4fd00b919abfc454cfeacbe626c96e6a677cec  license_validator-SOLVED.py
$ xxd license_validator-NORMAL.py > 1 && xxd license_validator-SOLVED.py > 2
$ diff 1 2
6,8c6,8
< 00000050: 65ca a9c6 5ea2 dee0 46f2 82c1 eb1e 8c97  e...^...F.......
< 00000060: 141b bff3 70ec 5cc3 cbcf 4503 a181 7766  ....p.\...E...wf
< 00000070: fed8 0e68 ba7f ac56 f914 fe73 d425 892e  ...h...V...s.%..
---
> 00000050: 65ca a946 5ea2 dee0 46f2 82c1 eb1e 8c97  e..F^...F.......
> 00000060: 141b bff3 70ec 5cc3 cbcf 4503 a101 7866  ....p.\...E...xf
> 00000070: fed8 0e68 ba7f ac56 f914 fef3 d425 892e  ...h...V.....%..
10,12c10,12
< 00000090: 493e 7b57 df49 13ea 7e7b cb4b 5b61 a341  I>{W.I..~{.K[a.A
< 000000a0: a260 ad8e 8405 7316 9a8f eb90 c438 6b2f  .`....s......8k/
< 000000b0: 9252 d7bb a50d 9a09 8467 677b 17ec 7248  .R.......gg{..rH
---
> 00000090: 493e 7bd7 df49 13ea 7e7b cb4b 5b61 a341  I>{..I..~{.K[a.A
> 000000a0: a260 ad8e 8405 7316 9a8f eb90 c4b8 6a2f  .`....s.......j/
> 000000b0: 9252 d7bb a50d 9a09 8467 67fb 17ec 7248  .R.......gg...rH

Slide 36

Slide 36 text

CHALLENGE - MD5 COLLISION SOLUTION
❏ Get the “GOOD” license_validator.py
❏ Get the `fastcoll` tool from Marc Stevens
❏ Study the code
❏ Notice that you can modify it slightly to do your bidding
❏ Change it so that you can pass the GOOD file path as `argv`
❏ If you want to modify the least amount of code, you may need to massage the file before processing it.
❏ Boom - EVIL license_validator.py
❏ Upload evil

Slide 37

Slide 37 text

CHALLENGE - MD5 COLLISION

Slide 38

Slide 38 text

CHALLENGE - MD5 COLLISION

Slide 39

Slide 39 text

CHALLENGE - MD5 COLLISION

Slide 40

Slide 40 text

CHALLENGE - MD5 COLLISION
You got the flag! Submit to AskGod for fun and profit $ !
The takeaway:
❏ Chosen-prefix MD5 collisions are trivial
❏ Similar collisions on SHA1 are possible
❏ This specific type of collision may not have much relevance in practice though.
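The xxd diff on the earlier slide and the takeaway above are worth looking at together from the defender's side: the two validator files differ in exactly eight bytes, and those bytes land on MD5 message words 4, 11 and 14 of two consecutive 64-byte blocks (offsets 0x40-0x7f and 0x80-0xbf), with a 2^31 flip on words 4 and 14 and a +2^15 / -2^15 change on word 11. That is the Wang et al. two-block differential that fastcoll searches for, so what fastcoll produces is an identical-prefix collision: a shared prefix, one colliding block pair, and then any common suffix keeps the MD5 equal. The Python below is an added example, not code from the deck or from the montrehack challenge repository. It embeds the 96 bytes the slide shows and pads them with constructed filler, so the two sample files do not actually collide under MD5 (there is no real collision pair on the page); it reports where two "identical" artifacts differ, tests the byte differences against that differential as a triage heuristic, and shows the check an update manager should do instead of pinning an MD5. All function and constant names are assumptions.

```python
"""Collision-shaped diff triage and a hardened hash check for an MD5-pinned
update manager.  Added example; the sample bytes come from the slide's xxd diff,
the filler around them is constructed, so NORMAL_FILE and SOLVED_FILE are NOT a
real MD5 collision pair.  Names below are assumptions, not the challenge's API."""
import hashlib
import hmac
import struct

# Rows 0x50-0x7f and 0x90-0xbf of the two validator files, as shown on the slide.
_NORMAL_ROWS = bytes.fromhex(
    "65caa9c6 5ea2dee0 46f282c1 eb1e8c97"
    "141bbff3 70ec5cc3 cbcf4503 a1817766"
    "fed80e68 ba7fac56 f914fe73 d425892e"
    "493e7b57 df4913ea 7e7bcb4b 5b61a341"
    "a260ad8e 84057316 9a8feb90 c4386b2f"
    "9252d7bb a50d9a09 8467677b 17ec7248"
)
_SOLVED_ROWS = bytes.fromhex(
    "65caa946 5ea2dee0 46f282c1 eb1e8c97"
    "141bbff3 70ec5cc3 cbcf4503 a1017866"
    "fed80e68 ba7fac56 f914fef3 d425892e"
    "493e7bd7 df4913ea 7e7bcb4b 5b61a341"
    "a260ad8e 84057316 9a8feb90 c4b86a2f"
    "9252d7bb a50d9a09 846767fb 17ec7248"
)
# Constructed filler: 0x50 bytes before the first row set, 16 bytes between the
# sets (0x80-0x8f) and a shared tail, so the rows sit at the slide's offsets.
_PREFIX = b"#!/usr/bin/env python\n# constructed filler shared by both files\n".ljust(0x50, b"#")
_GAP = b"# shared row\n".ljust(16, b"#")
_SUFFIX = b"\nprint('validator body, identical in both files')\n"


def _build(rows: bytes) -> bytes:
    return _PREFIX + rows[:48] + _GAP + rows[48:] + _SUFFIX


NORMAL_FILE = _build(_NORMAL_ROWS)   # stands in for license_validator-NORMAL.py
SOLVED_FILE = _build(_SOLVED_ROWS)   # stands in for license_validator-SOLVED.py


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which a and b differ (what the xxd diff on the slide shows)."""
    n = min(len(a), len(b))
    offsets = [i for i in range(n) if a[i] != b[i]]
    offsets.extend(range(n, max(len(a), len(b))))  # a length mismatch counts too
    return offsets


def md5_word_deltas(a: bytes, b: bytes) -> dict:
    """(b - a) mod 2**32 for every changed 32-bit little-endian message word,
    keyed as {md5_block_index: {word_index: delta}}; MD5 blocks are 64 bytes."""
    deltas = {}
    n = min(len(a), len(b)) // 4 * 4
    for off in range(0, n, 4):
        wa = struct.unpack_from("<I", a, off)[0]
        wb = struct.unpack_from("<I", b, off)[0]
        if wa != wb:
            block, word = divmod(off // 4, 16)
            deltas.setdefault(block, {})[word] = (wb - wa) % (1 << 32)
    return deltas


# Wang et al. (2004) two-block differential that fastcoll searches for: +2^31 on
# m4 and m14 in both blocks, +2^15 on m11 in the first block, -2^15 in the second.
WANG_FIRST_BLOCK = {4: 1 << 31, 11: 1 << 15, 14: 1 << 31}
WANG_SECOND_BLOCK = {4: 1 << 31, 11: (-(1 << 15)) % (1 << 32), 14: 1 << 31}


def wang_differential_pattern(a: bytes, b: bytes) -> bool:
    """Triage heuristic: True when every difference sits in two consecutive MD5
    blocks and matches the Wang differential, i.e. the pair is shaped like a
    fastcoll output.  Equal MD5 with unequal SHA-256 is the actual proof."""
    if len(a) != len(b):
        return False
    n = len(a) // 4 * 4
    if a[n:] != b[n:]:  # trailing bytes that are not a whole word
        return False
    deltas = md5_word_deltas(a, b)
    if len(deltas) != 2:
        return False
    first, second = sorted(deltas)
    return (second == first + 1
            and deltas[first] == WANG_FIRST_BLOCK
            and deltas[second] == WANG_SECOND_BLOCK)


def collision_report(a: bytes, b: bytes) -> dict:
    """Summary for two files that are supposed to be the same artifact."""
    return {
        "md5_equal": hmac.compare_digest(hashlib.md5(a).digest(), hashlib.md5(b).digest()),
        "sha256_equal": hmac.compare_digest(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()),
        "differing_offsets": differing_offsets(a, b),
        "wang_pattern": wang_differential_pattern(a, b),
    }


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hardened_verify(data: bytes, expected_sha256_hex: str) -> bool:
    """What the update manager should pin instead of an MD5: a collision-resistant
    digest, compared in constant time.  Signing that digest with a key the
    uploader does not hold is the next step; this stays stdlib-only."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256_hex)


if __name__ == "__main__":
    report = collision_report(NORMAL_FILE, SOLVED_FILE)
    print("differing offsets:", [hex(o) for o in report["differing_offsets"]])
    print("word deltas:", {blk: {w: hex(d) for w, d in ws.items()}
                           for blk, ws in md5_word_deltas(NORMAL_FILE, SOLVED_FILE).items()})
    print("Wang differential pattern:", report["wang_pattern"])
    print("md5 equal (constructed filler, so False here):", report["md5_equal"])
```

Run against the real pair from the slide, `collision_report` would return `md5_equal` True and `sha256_equal` False, which is the point of the takeaway: an MD5 match is not an integrity check. `wang_differential_pattern` is only a shape test (a fastcoll pair always satisfies it, a pair of honest edits almost never does), useful when you have the two uploads but not the pinned hash; `hardened_verify` is the fix on the validator side.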

Slide 41

Slide 41 text

OP MARCUS DEI

Slide 42

Slide 42 text

NORTHSEC AND THE 10X THINKING

Slide 43

Slide 43 text

THE BADGE EVOLUTION: 2015, 2016, 2017 ?

Slide 44

Slide 44 text

HW FEATURES
❏ 2 ARM microcontrollers: Nordic nRF51, STM32
❏ Bluetooth Low Energy (BLE)
❏ Full-stack USB
❏ Touch buttons
❏ OLED display

Slide 45

Slide 45 text

WHY HAVE AN ELECTRONIC BADGE ?
❏ Identify participants, but also...
❏ Nice way to have a conference schedule handy
❏ Educational approach to embedded security
  ❏ Using modern technology (USB, BLE, ARM)
  ❏ Low-cost solution for hacking the badge software
  ❏ Badge software source code available
❏ Make interesting challenges for the CTF competition
❏ Promotional item for the event

Slide 46

Slide 46 text

IMPROVE YOUR SKILLS
❏ Use all those fancy embedded security tools that you bought over the years
❏ Applied electronics
❏ Reverse engineer and write exploits
❏ Gain code execution to dump the chip
❏ Play with the USB stack
❏ Bluetooth security
❏ ...keep your tamagotchi alive

Slide 47

Slide 47 text

No content

Slide 48

Slide 48 text

BADGE - THE MAKING OF
1. Plan the features you want for your badge
2. Sum the price of all the components you need
3. If it’s too expensive for your budget GOTO 1
4. Make schematics and a cool design
5. Create prototypes
6. Test prototypes
7. Write the challenges
8. Press the button to make N copies
9. Profit! Stress so it arrives on time for the conference...

Slide 49

Slide 49 text

No content

Slide 50

Slide 50 text

No content

Slide 51

Slide 51 text

No content

Slide 52

Slide 52 text

No content

Slide 53

Slide 53 text

CONFERENCE
❏ Why another infosec conference? Vision
❏ What’s new this year? Workshops and talks
❏ Keynote: Richard Thieme
❏ James Kettle (Burp)
❏ Babak Javadi (Toool / Alarm Systems)
❏ Thomas Pornin (Infosec StackExchange)
❏ Analysts from priv.gc.ca

Slide 54

Slide 54 text

TRAINING
❏ Malware and Memory Forensics by Michael Ligh
  Author of The Art of Memory Forensics and Malware Analyst Cookbook
  Core contributor of the Volatility Framework
❏ Advanced Web Application Security by Philippe Arteau
  Author of the static code analysis tools Find-Security-Bugs and Roslyn Security Guard
  Presented at BlackHat USA, JavaOne and more
  Found vulnerabilities in Google Chrome, Dropbox, Paypal, RunKeeper and Jira
❏ Training sessions include
  Full access to the conference
  Lunch, coffee, refreshments and networking event

Slide 55

Slide 55 text

SOCIAL EVENTS
❏ Hacker Jeopardy, 6th edition, May 20th, open to the public
❏ Arcade MTL Party

Slide 56

Slide 56 text

SPONSORS & PARTNERS

Slide 57

Slide 57 text

SPONSORS & PARTNERS
What we do for our participants with regard to sponsorship & partnership:
❏ NorthSec is presented by our awesome volunteers; there will be no “NorthSec presented by __sponsor__”.
❏ We do not exchange emails/contact info for $$$ (every year someone asks for it)
❏ Call-For-Papers for everyone, no sponsored talks
❏ Talks are selected based on merit only

Slide 58

Slide 58 text

SPONSORS & PARTNERS
❏ Yearly voting process by all the volunteers on acceptable sponsor & partner types, corresponding to our values and mission.
❏ Chill room and limited vendor area mixed together to create a perfect ambiance.
❏ No vendor area and limited visitor access during the CTF, concentration is everything!
❏ Sponsored local fresh croissants and bagels for everyone (we get them at 5am for you)
❏ Contact [email protected]

Slide 59

Slide 59 text

THE TEAM (PART OF)

Slide 60

Slide 60 text

YOUR SPEAKERS
❏ Gabriel Tremblay - President, Delve Labs
❏ Pierre-David Oriol - VP Conferences, Delve Labs
❏ Olivier Bilodeau - VP Training, GoSecure, Co-founder MontréHack
❏ Benoit Guérette - VP Partners, Desjardins
❏ Laurent Desaulniers - Flag Weaver, $largeISP
❏ François Proulx - Senior Advisor to the Board, Intel Security / McAfee
❏ Stéphane Graber - Infrastructure, Canonical
❏ Marc-Etienne M. Léveillé - Badge Team, ESET
❏ Benjamin Vanheuverzwijn - Badge Team, Google

Slide 61

Slide 61 text

THANK YOU, OWASP MONTRÉAL
HTTPS://NORTHSEC.EVENTBRITE.COM
YOUR FIRST FLAG - 10% OFF EVERYTHING
5th EDITION, MAY 2017
TRAINING: 15th, 16th and 17th
CONFERENCE: 18th and 19th
CTF: 19th, 20th and 21st