Intelligence Sport

Recently the Layer One security conference held its annual gathering in Monrovia, California. This year, though, I did something different for the con: I elected not to speak, but to participate in contests. I know many very talented folks who go to conferences and essentially avoid the talks, spending their time with people they only get to see a couple of times a year and playing in contests designed for this very particular, very clever demographic.

Several years ago, Dark Tangent invented a contest at Defcon called ‘tamper evident’. The intention was to train hackers on how to defeat security seals of various types, ranging from stickers to clasps to ziptie-like things and all sorts of bizarre stuff in between. The contest was essentially a box that teams were given; the box was sealed with anti-tamper tape or stickers, and inside the box there were more envelopes and seals that the team had to ‘undo and redo’ without any evidence of shenanigans. This particular form of contest never really got me excited – because – well … it’s a box. And you had to come up with, like, a $5000 chemistry set to tote with you, and the teams got so enamored with it that they’d rent ANOTHER ROOM and set that second room up as a fucking lab to do the contest. Well, more power to those guys, but that sort of investment to defeat a bunch of stickers was silly to me.

… Until this year. This year the logic of the contest was applied practically (or as I said it at the con, this is “the practical application of tamper”). The organizers of the contest rented a room at the hotel and renamed the contest ‘The Room’. In the room they had placed a few items with tamper-evident seals, and had also meticulously positioned things within the room so that they would leak whether they had been touched or altered in any way: positioning coat hangers a certain way, moving books around, or cutting sections out of book pages to leave items inside. False light bulbs, coins hidden in various places, rugs and towels carefully arranged… They really took the time to turn what used to be ‘a contest about a box’ into a full-blown spy game.

The thing that made this contest DISTINCTLY different was the theatrics. The point of The Room wasn’t just to ‘get in and defeat seals’ (we were worried that once we got into the room it would just be a box on a table and a stopwatch and they’d say ‘GO!’); it was the concept of tamper in practice. This was a room that someone was staying in, and our mission was to ‘find out as much as we possibly could about them’. Clues, props, receipts, the position of things, hidden documents – it was straight out of a Bond/Bourne movie. We were graded not only on the physical tamper items, but on how well we understood the plot/narrative. Since this was a mock ‘intelligence operation’, the objective was more than just ‘defeating stuff’ – and that made it SUPER SUPER interesting.

We arrived at the con a day early knowing that we would need some time for prep, and we ended up hitting Home Depot, REI and another store to buy a bunch of kit. Hilariously, the only kit I personally used was my flashlight (a headlamp would have been better) and my camera. My teammate and I brought full kits with us and used practically nothing. He used a heat gun, a bit of acetone and tweezers for a couple of tamper seals, but overall the “actual tamper” part was only a small component compared with the other physical stuff in the room.

The theatrics really were top notch. At the start of the contest we were given envelopes. They instructed us to find a man with a suitcase handcuffed to him, and to ask him about ‘the cobbler’. Once we did that, he asked us who we were looking for, and we gave the name that was on our envelope. At that point we were handed a burner phone and told to expect a call. The call came in and instructed us to go to a certain floor to meet someone – and when we did we were given a room key and told “You have 30 minutes, tell me everything you can about the person staying in the room”.

At the end of the day, after all of the teams had made their runs, we were gathered up to do a walkthrough of the room so the organizers could show us all the things they did, and where they were hidden. At the end of the walkthrough, Schuyler says ‘And props to whoever planted the buttplug, that was hilarious and amazing’. The room went dead silent and everyone looked around at each other. One team spoke up saying ‘we found the thing – we thought it was part of the contest. It wasn’t part of the contest?’. Schuyler’s eyes get the size of dinner plates: ‘Wait.. so NOBODY HERE planted the buttplug in the room?’ – a volley of head-shaking and looking around at everyone else in the room followed… then roaring laughter.

“Do you mean to tell us that out of EVERY POSSIBLE ROOM that the contest could have happened in, we HAPPENED to find the one where some previous guest had left a buttplug hidden behind a drawer, then forgot it when they left?”

This contest is bound by the rules of reality – in that without great involvement, “every aspect” of the environment simply cannot be controlled – we were at the mercy of the hotel for the room, and we were randomly issued one with a secret buttplug.

“Fate, it seems, is not without its sense of irony” –Morpheus

I spent the rest of the weekend laughing and shouting ‘what are the odds?!’.

Everyone who played thoroughly enjoyed themselves, and supported the idea of doing it again. Hilariously now the “buttplug incident” has set a precedent to stash sex toys after your room-toss for the next team to find.

Overall the contest was wonderful, completely immersive and a great time. If you dig on spy movies and ever had the inclination to play in that world for a little bit, this contest is your chance. I really hope to either see it at other cons, or again at Layer One next year.

So, you pillaged a domain controller’s hashes…

So you’ve managed to find your way to a domain controller: perhaps you used Metasploit’s Meterpreter, perhaps got SYSTEM, migrated to lsass.exe and perhaps were able to use incognito to smart_hashdump and nab all the password hashes. Well, you can hand those off to John the Ripper and it will happily crack the LM portion of what you’ve got – but you’ll end up with a bunch of uppercase passwords.

Enter – a dandy little Perl script that will take the uppercase password and use it as a dictionary to crack the NTLM password for you. The only trouble is that since it was written, the awesome guys at Openwall who develop John the Ripper have changed the output format of cracked password files. The lm2ntcrack input format was written for a ~2009 version of JtR, so to get it working properly someone had to go and make a tiny tweak in the script where it analyzes the syntax/order of the input file.

So I did it! It’s actually the first time I’ve done something like this, and it appears to work – at least it works on the NTLM hashes I have from a demo network.

Anyhow, here’s my updated copy of the script –

Save that as a .pl file (it’s a .txt so it doesn’t get run on the site).

Feedback welcome!

Quickly spotting social engineering attempts with TinEye.

TinEye is a great service that you can use to search for similar photos on the web. You provide a photo and it compares it to its database looking for similar and modified images.

You can use TinEye to quickly spot fake accounts on social networking sites.

For example, I received this LinkedIn network request the other day.

Not only have I never worked with a “Jennifer Gray”, but her profile photo looks like it may be a stock photo. TinEye returned 4 results for stock photography.

Looks like this account may be a recruiting bot or something.

TinEye can also be used to verify the authenticity of a photo, and to see whether it is a repost or duplicate of another photo. It even has Firefox and Chrome plugins!

Kinesics Training / Peoplehacking Class

For the last several BarCamps, and the last two ToorCons, I’ve been presenting to large and small groups about the neat things that can be done with kinesics. I keep all the historic material (yes, including that spreadsheet) HERE.

I’ve found an organization out of San Francisco that does kinesics training, and based on all the feedback I’ve gotten from doing my talks over the last few years – people really dig this stuff. I thought it would be cool to have the pros come down and drop some knowledge on us all.

I’ve managed to arrange a training scenario with Humintell – 4 hours of classroom training for $250 per person. We need at least 20 people to nail everything down so they’ll come see us down here in San Diego. Currently I have 13 people who have expressed interest in the class.

The idea is that I’ll arrange for the location (going to aim for Intuit, where we do barcamp) and the interested people, and they come to the location to do a 4 hour talk/workshop on a Saturday.

If this sounds in any way interesting, please email me or leave a comment! We’re getting really close to the target figure!

Android Phone = rogue access point!

So when I get a new phone, I immediately want to try to get as much access on it as possible (read: root it). Custom ROMs are wonderful, but in the case of the HTC Incredible I don’t think there are custom ROMs (yet).

After I rooted my HTC Incredible I started doing searches in the Market for interesting things. I found some neat wireless utilities, I found a file manager that lets you browse SMB file shares on the LAN (NEAT.), I found a packet sniffer, and some more interesting tools.

The light came on over my head when I realized “Wait, a packet sniffer AND a wireless access point? .. can .. I sniff.. the wifi with this?!”. As it turns out the answer is yes – it takes some finagling, and if you do it in the wrong order one application stomps the other (I’ve already written to the author of the packet capture application about this but have not gotten a response yet).

Here is a quick walkthrough on how to turn an HTC Incredible into a rogue wireless access point:

  1. Root the phone. This can be done by visiting, downloading the app, and running it.
  2. Once the phone is rooted, go to the Market and install the wifi tether application. Be aware, though, that with the HTC Incredible there are additional steps to get this application to work (see their wiki page:
  3. Install the packet capture application. This also will need additional steps after the installation. (
  4. Once you have the packet sniffer installed, configure it to log to a file instead of an SQL database. I wasn’t able to find the actual database this thing logs to, but the text file appears right at the root of the SD card. It looks just like the ‘live’ output, though, which I don’t think is a proper format. It doesn’t log raw traffic at all.
  5. Don’t start the sniffer or wifi tether yet – they must be configured beforehand.
  6. Go back to wifi tether and configure the SSID. Name it something which will attract people in search of free wifi. Linksys. Dlink. Netgear. 2WIRE858. The SSID of a target network, perhaps. Again, do not turn on tethering here yet.
  7. Open up the packet sniffer again, go to the ‘wifi capture’ section, enable the capture, and, if you’d like, enable logging packets to the screen.
  8. Hit the phone’s ‘home’ button to exit without stopping the packet capture tool, and re-open the wifi tethering tool. Once in the tethering tool, enable tethering.
  9. Hit home again, and re-open the packet capture tool. If anybody connects, wifi tether will tell you in the status bar at the top of the display, and you will start seeing ARP traffic and DHCP traffic scroll in the live feed window as you would with any other packet sniffer.

There are several caveats to this though:

  1. This tool appears not to capture raw packets. You can do this from a terminal using tcpdump if you feel so inclined – the packet capture tool’s installation instructions have you install a new version of tcpdump. You should be able to use this to capture raw traffic and not just clear text.
  2. Packet capture has to be running before wifi tether – if you try to do it the other way around, wifi tether will hang and you’ll have to kill it.
  3. This will also capture all the traffic from your phone to the internet, so if you’re trying to do a bunch of stuff on your phone while running a rogue access point, it will muddy your results.

This has been a fairly simple howto – you creative types will easily be able to find more interesting things to do with this.

My wishlist after figuring this out? An app that acts like airodump – I want to see clients probing for networks so that I can “give them what they want”. I also want this packet capture tool to log raw data, not just plaintext stuff. Now that this is possible, I wish for tools like driftnet, dsniff, and others of that sort to become available on the Android platform. The objective here would be to use this during a pen test as a tool to capture data, then bring it back to the lab for analysis.

Language and Security

Every time I mention using language in security, folks assume I’m talking about social engineering. Social engineering has historically been things like calling the front desk of an organization claiming that you’re, say, a new FedEx delivery driver who needs to be let into their shipping/receiving department, and asking who you need to talk to for that to happen.

Language can be used for a lot more than simply convincing a part-time employee to let you have more access than you should somewhere – language can be used to full-on exploit “memory corruption” in the mind. The use of the right language is powerful enough to overwrite people’s memories, if only temporarily.

Below I’ve linked some information pertinent to the techniques employed when language is the tool used to achieve things like memory corruption, buffer overflows, execution of arbitrary code – except on people. In particular, pay attention to the cognitive biases – see if you think any of them apply to you 🙂

Then combine the cognitive biases with things like NLP anchoring and subliminal suggestion and you quickly end up with a recipe for gaining someone’s trust, convincing them to give you access somewhere or to something, or to tell you secrets – all without having to don a FedEx uniform and pretend you’re someone else. You can even have someone give you their phone and car keys – willingly.

Language is a very very powerful tool and put in the hands of information security professionals (or attackers) it becomes even more weaponized.

Apologies for the videos that won’t embed – if you click through you can view them on their YouTube page.

Cognitive Biases – A Visual Study Guide by the Royal Society of Account Planning

foursquare sending passwords in the clear

In this case, I’ll be arguing:

The easier it gets to write code (scripting, really), the sloppier it gets and the more insecure it gets.

We can see this in the prevalence of SQL injection, cross-site scripting and error-handling flaws in the ever-expanding catalog of new sites appearing on the internet.

I cite this from personal experience. As of late, people seem to care more and more about ‘how pretty it is’ and less about what actually happens behind the scenes. I’m reminded of the 90s when video games were stuck in 256-color 320×240, with bleeps and bloops for sound – if you didn’t have a good story people wouldn’t buy your game. Now things are different. All people seem to care about are the graphics, and the story, music, and gameplay are all phoned in.

These days I see new tools and applications online that in most cases make me shudder. A friend of mine, @quine, noticed something – the Android foursquare application communicates unencrypted, using Apache’s ‘basic’ authentication.
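What a ‘basic’ auth header actually carries, as an added Python example that is not code from the foursquare app or from @quine’s analysis. The request below is a constructed sample of what a sniffer on the same network would see when a client authenticates with HTTP Basic over plain http://: the credentials are only base64-encoded, so decoding them is a one-liner, and the audit function flags any Basic header seen on a non-TLS transport as exposed. The hostname and credentials are made up.

```python
import base64
import re

# Constructed sample of what a sniffer sees on the wire when a client
# authenticates with HTTP Basic over plain http:// (not from any real app).
CREDENTIALS = "alice:hunter2"
SAMPLE_REQUEST = (
    "GET /api/checkins HTTP/1.1\r\n"
    "Host: api.example.test\r\n"
    "Authorization: Basic " + base64.b64encode(CREDENTIALS.encode()).decode() + "\r\n"
    "User-Agent: demo-client/1.0\r\n"
    "\r\n"
)

# Header name, auth scheme, credential token; one header per line.
_AUTH_RE = re.compile(r"^authorization:\s*(\S+)\s+(\S+)\s*$", re.IGNORECASE | re.MULTILINE)


def extract_basic_credentials(raw_request: str):
    """Return (username, password) from an Authorization: Basic header, or None.
    Basic auth is base64(user:password): encoding, not encryption."""
    m = _AUTH_RE.search(raw_request)
    if not m or m.group(1).lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(m.group(2), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def audit_request(raw_request: str, transport_is_tls: bool) -> dict:
    """Classify one captured request: Basic auth over a non-TLS transport means
    the password is readable by anyone on the path (the foursquare finding)."""
    creds = extract_basic_credentials(raw_request)
    finding = {"scheme": None, "username": None, "credentials_exposed": False}
    if creds is None:
        return finding
    finding["scheme"] = "basic"
    finding["username"] = creds[0]
    finding["credentials_exposed"] = not transport_is_tls
    return finding


if __name__ == "__main__":
    print(extract_basic_credentials(SAMPLE_REQUEST))          # ('alice', 'hunter2')
    print(audit_request(SAMPLE_REQUEST, transport_is_tls=False))
```

The same `audit_request` check run over a capture of an application’s traffic is a quick way to confirm or rule out this class of bug before reporting it; the fix on the application side is to refuse Basic credentials on anything but TLS.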


Cyber Detective Work

I talk shop a lot. I talk to people who are security concious, I talk to people who aren’t, and I talk to people who think that ‘security’ means evil hackers from russia who are going to steal their credit cards. Think of security this way:

You run a shop. In this shop you sell things. Some things are physical, and some things are purely informational. In this store you run, do you put the combination to your back safe on a Post-it note on the cash register? Do you leave the keys to the front door out where the customers can get at them? Do you lock the safe and doors when you leave? Are there security cameras? Will you know if something gets stolen, or if someone is shoplifting, or if an employee is embezzling? These concepts are exactly the same, and sometimes when it comes to data they’re far, far more important. Data controls all of our financial transactions, for example. Data controls how we do most of our business these days. Who *DOESN’T* use data for business transactions, banking information – or keeping secret data secret?

I keep saying to folks who I talk shop with: “Security isn’t what you think it is”. This is a perfect example. Tiny flaws in one’s security strategy, or even a lack of any security, can let an attacker (or law enforcement or a private investigator) glean information to further their purposes.


Security 101 at Refresh SD – Jan 13, Qualcomm campus

I thought that doing Security 101 at places like Oggi’s may have been a tactical mistake: I want people to actually learn and benefit from some of this stuff, and having the discussion broken up by the wait staff so frequently simply murdered all the momentum it had, so the event turned into a hacking 101 lab where I just demonstrated attacks.

That being the case, doing a Security 101 class in an actual classroom environment where I can have the attendees comfortable and perhaps even have a projector would likely be far, far better. Phelan was gracious enough to let me usurp the January installment of Refresh SD to give my Security 101 talk in a more meaningful and more formal environment. Refresh this month is on the 13th – see for details, or see the meetup group.
Here is my proposed curriculum:

Basic networking
– How do computers talk?
– What is a packet?
– What’s IN a packet?

Clear text versus encryption (HTTP, FTP, DNS)
How websites pass information around
How to tell if the site you’re on is passing your information encrypted or not
Some network voodoo – watching the stream
– Watching DNS queries
(The next three may or may not be permitted depending on Qualcomm’s network configuration.)
Basic man-in-the-middle example
Faking SSL certs
Changing DNS
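A worked version of the ‘what’s IN a packet’ and ‘watching DNS queries’ items, added here as an example and not part of the class material: the script builds a raw IPv4/UDP/DNS A-record query (constructed bytes, not a capture), then parses it layer by layer the way a sniffer would, pulling out the addresses, ports and queried name that anyone on the path can read because DNS is clear text. It also recomputes the IPv4 header checksum, which shows that the header must be internally consistent and is how a tool notices a mangled packet. The addresses are from the documentation range 192.0.2.0/24 and the hostname is an example name.

```python
import socket
import struct


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header. Compute it with the
    checksum field zeroed; verifying over a correct header yields 0."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dns_query_packet(qname, src_ip, dst_ip, src_port=53124, txid=0x1234) -> bytes:
    """Construct IPv4 + UDP + DNS bytes for an A-record query (sample input,
    built here rather than captured from a network)."""
    dns = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    for label in qname.rstrip(".").split("."):
        dns += bytes([len(label)]) + label.encode("ascii")
    dns += b"\x00" + struct.pack(">HH", 1, 1)                  # QTYPE A, QCLASS IN
    udp_len = 8 + len(dns)
    udp = struct.pack(">HHHH", src_port, 53, udp_len, 0)       # UDP checksum optional on IPv4
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0xABCD, 0x4000,
                     64, 17, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack(">H", ip_checksum(ip)) + ip[12:]   # fill checksum field
    return ip + udp + dns


def _read_name(payload: bytes, off: int):
    """Decode a DNS label sequence starting at off; returns (name, next_offset)."""
    labels = []
    while True:
        length = payload[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0:                       # compression pointer: not expected in a query
            raise ValueError("compressed name in question section")
        labels.append(payload[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_dns_query(packet: bytes):
    """Walk the layers: IPv4 header -> UDP header -> DNS question, and report
    what an observer on the path can read in the clear. Returns None if the
    packet is not UDP to or from port 53."""
    ihl = (packet[0] & 0x0F) * 4                # header length in bytes
    if packet[9] != 17:                         # protocol 17 = UDP
        return None
    src_port, dst_port, udp_len, _ = struct.unpack(">HHHH", packet[ihl:ihl + 8])
    if 53 not in (src_port, dst_port):
        return None
    payload = packet[ihl + 8:ihl + udp_len]
    txid, flags, qdcount = struct.unpack(">HHH", payload[:6])
    qname, off = _read_name(payload, 12)        # question section follows the 12-byte header
    qtype, qclass = struct.unpack(">HH", payload[off:off + 4])
    return {
        "src_ip": socket.inet_ntoa(packet[12:16]),
        "dst_ip": socket.inet_ntoa(packet[16:20]),
        "src_port": src_port,
        "dst_port": dst_port,
        "ip_checksum_ok": ip_checksum(packet[:ihl]) == 0,
        "txid": txid,
        "is_query": (flags & 0x8000) == 0,      # QR bit clear
        "qdcount": qdcount,
        "qname": qname,
        "qtype": qtype,
        "qclass": qclass,
    }


if __name__ == "__main__":
    pkt = build_dns_query_packet("www.example.com", "192.0.2.10", "192.0.2.1")
    for field, value in parse_dns_query(pkt).items():
        print(f"{field:15} {value}")
```

Every field the parser prints is sent unencrypted, which is the point of the ‘watching DNS queries’ demo: the queried hostname leaks to anyone on the path even when the web session itself is over HTTPS.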

Hope to see you all there!

Log Auditing for fun and profit

Again I find myself in a position where I am in need of full-time work. I was able to sustain myself as a full-time freelancer for 8 months (not too shabby!), but now it seems the market is drying up, and while it is not for lack of effort on my part to find salespeople or to promote myself by basically bribing people with a 10% commission, I’ve not been able to get enough business to sustain myself any longer. I’ll not go into any of the nasty business of clients who decided they didn’t feel like paying me, or clients who had me draw up proposals only to vanish into the ether – because this post is about fun stuff!

All that being said – I like to be clever. I like to use ingenuity to do basically what everyone else does, but put a fancy little twist on it. Historically, when someone is looking for a job they will hit some job search sites like Monster and Dice and then send their resume to people – never knowing if it gets seen by human eyes, or ever gets any attention. Who knows? Does your resume even get read? If it does, how soon? Wouldn’t it be nice to see the time correlation between when you sent your resume to someone and when they actually looked at it – or even whether they looked at it at all?
