Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: HAR2009

Stoned Bootkit

Information and slides from the presentation can be found on the HAR2009 Wiki and the project website.

Since his Black Hat presentation, Peter Kleissner has been fired from his job because of that talk. He is now starting a consultancy in Vienna –> please support him if you can.

Bootkits are rootkits that live in the Master Boot Record (MBR) and load before the OS bootloader.

Historically there has been a variety of bootkits, from Stoned in 1987 through to the latest 2009/2010 bootkits (including the new Stoned Bootkit, Kon-Boot, etc.).

The original Stoned bootkit printed the message “your PC is now stoned”. More modern bootkits can bypass OS features such as encryption and passwords (Kon-Boot), or perform malicious activity such as stealing passwords.

The new Stoned Bootkit is designed for forensic investigators and law enforcement, enabling them to bypass encryption and passwords on a machine being examined.

A breakdown of the Windows Vista / 7 copyright protection was discussed. The protection can be bypassed by fooling Windows into thinking that the system BIOS and certificate match a valid OEM. This allows the user to bypass activation of the software. The bypass can be performed on a per-boot basis, or by editing the BIOS directly.

  • Physical access
  • Administrator rights (elevated on Vista)
    – ShellExecute() at runtime

The environment is old-school 16-bit real mode, so the bootkit must be written in assembly.

BIOS vendors are scared to fix this on their systems in case they brick users' machines.

Bypassing full volume encryption is implemented using a double forward that intercepts the encryption and decryption disk I/O. The bootkit doesn’t modify the decryption software itself (it is independent of it).

Owning the OS from boot is implemented by loading before the OS and then injecting itself into the OS boot process. This design allows multiple-OS support, as each part of the process is split out. As the bootkit has its own PE loader, it cannot be detected by AV vendors.

It is also possible to inject the bootkit code directly into a Hibernation file. Checksums are not validated (blank the checksums and it passes). This method can be used with the Stoned Bootkit.

Solutions to prevent bootkits

Using the TPM (Trusted Platform Module) in connection with full disk encryption. Disable MBR overwrites in Windows.

Bootkit uses

Bootkits can be used by law enforcement as they remove the obstacle of full disk encryption, and should be undetectable on a machine.

Stoned Bootkit

Supported on all versions of Windows from 2000 onwards.

Bypasses for TrueCrypt and DiskCryptor full disk encryption.

  • Modularised
  • Boot applications
  • Plugins
  • Proof of concept payload (cmd.exe priv escalation to SYSTEM)

Demo: Stoned v2 Infector (LiveCD) – based on WinPE

As with live demos, things don’t always go well. Still, it looked good from what I saw.

A number of example plugins are provided.

  • co² plugin – slows the processor down to 80% speed
  • Extraction of unpacked kernel drivers

Future considerations – 64bit, Linux support, and addressing the TPM module issue (bypass)

DNS Security in the Broadest sense

The presentation is available here. There is also information available on the HAR2009 Wiki.

The presenter is the author of PowerDNS (written in 1999). HAR2009 is using PowerDNS for all DNS resolution at the camp. 40% of all NL domains and 50% of all DE domains are hosted using PowerDNS.

DNS is scary and complex, it’s also used almost everywhere.

DNS compression – used to make DNS packets smaller by using pointers back to a previously written domain name. This could be a problem.

There is a whole field of research looking at how the NULL character affects DNS –> see the SSL talks for more info 😉

DNS is hard, perhaps too hard for the current spoiled generation of coders

  • Variable length fields
  • Internal packet pointers
  • Implementations that implement the bare minimum
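To make the compression-pointer hazard concrete, here is an added example (not from the talk and not PowerDNS code) of a name decoder that enforces the checks a resolver needs: pointers may only go backwards, never past the end of the packet, and never accumulate more than a 255-byte name. The sample messages are constructed.

```python
import struct

MAX_NAME_BYTES = 255  # RFC 1035 limit on a whole name; exceeding it means a pointer loop

def read_name(msg: bytes, offset: int):
    """Decode a possibly-compressed name at msg[offset]; return (name, next_offset).
    Pointers (top two bits 11) are followed only backwards, only inside the buffer and
    only while the name stays under 255 bytes, so a hostile message cannot loop the
    parser or make it read past the end of the packet. Raises ValueError otherwise."""
    labels, pos, end, consumed = [], offset, None, 0
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                        # 11xxxxxx: compression pointer
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if target >= pos:                             # only prior occurrences are legal
                raise ValueError("forward or self pointer")
            if end is None:                               # caller resumes after the first pointer
                end = pos + 2
            pos = target
            continue
        if length & 0xC0:                                 # 01/10 prefixes are reserved
            raise ValueError("unsupported label type")
        consumed += length + 1
        if consumed > MAX_NAME_BYTES:                     # catches 20->15->20 style pointer loops
            raise ValueError("name too long or pointer loop")
        if length == 0:                                   # root label ends the name
            pos += 1
            break
        if pos + 1 + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels) + ".", (end if end is not None else pos)

def is_rejected(msg: bytes, offset: int) -> bool:
    """True if the parser refuses the name, which is what a hardened resolver should do."""
    try:
        read_name(msg, offset)
    except ValueError:                                    # UnicodeDecodeError is a ValueError too
        return True
    return False

HDR = bytes(12)  # constructed: zeroed 12-byte DNS header, so the first name sits at offset 12
# constructed: "www.example.com" at 12, 4 bytes of QTYPE/QCLASS, then "mail" + pointer to offset 16
MSG = HDR + b"\x03www\x07example\x03com\x00" + bytes(4) + b"\x04mail\xc0\x10"
LOOP_MSG = HDR + b"\x01a\xc0\x0c"  # constructed: label "a" then a pointer back to offset 12, forever
```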

€20 ADSL routers are now in the path of almost all home based internet connections. These routers have not always implemented DNS correctly. Some even reset when given RFC compliant DNS replies to requests.

DNS isn’t only in your PC – phones, cameras, printers (HP – it orders its own toner!), scanners, …

DNS Threats

  • Availability
    – No DNS = No Service = “My Internets don’t work”
    – One typical resolver serves up to 100,000 subscribers
    – The largest authoritative servers host 8,000,000+ zones
  • Exploitation
    – Once exploited, integrity & availability are damaged
    – Plus all other software on the same server/client!
  • Integrity
    – DNS sends you the wrong way -> the internet changes (and your Euros follow!)

DNS availability attacks are bad news, especially for resolvers – 10K well-designed queries will kill most resolvers, 50K well-designed queries will kill most authoritative servers.

DNS Exploitation

  • Stubs – Many DNS implementations date from 1984 and have been copy-pasted ever since. No one really cares about DNS. Originally Windows XP used ‘1’ or ‘2’ as its “random” DNS transaction ID.
  • SOHO routers – Designed to be quick and nasty. The less they cost the better, as they’re given away for free. Exploiting one normally means you can exploit them all (similar code base). A good target.
  • Servers – Often more secure. They are subject to regular attacks and so are better secured.

DNS Integrity / spoofing

If you can’t trust DNS, you can’t trust the web.

DNS resolution is like throwing a brick into a crowd and hoping it hits the right resolver. The resolver then throws back a brick, hopefully with the right transaction ID and resolution information. It is becoming harder to spoof these responses; there are many issues to overcome.

  • Spoofing against a static source port: it’s possible to reach a 50% chance of success within 2 seconds.
  • Spoofing against a random source port: it takes 10 hours to reach a 50% chance.

This is theoretical, as it would require a gigabit connection dedicated to DNS traffic. The problem is that it would kill the DNS server, and people tend to notice that.

When under attack, a smart nameserver will find it can no longer communicate with the target nameserver (due to the traffic levels) and will stop sending queries to that server for the next few minutes. This makes the attack fail, as the server under attack is no longer listening for the responses. So an attacker needs to throttle the attack so as not to overload the server while still carrying it out. This gives a 50% chance in roughly 6 weeks. This kind of slow attack is probably already happening.

There are unconfirmed reports that a Brazilian bank briefly had its IP address changed on April 22nd this year – this was attributed to the Kaminsky DNS spoofing attack.

Further issues: DNS servers that use source port randomization need to be wary of NAT boxes rewriting the source ports and re-enabling the attack vector.

Many solutions were discussed

  • Use TCP – issues of traffic levels (the RFC says keep the connection open for 2 minutes)
  • Send multiple queries and then take the majority answer
  • EDNS-PING – extra numbers for attackers to guess (only works on 5% of domains currently)

Long-term solutions

  • DNSSEC – will solve everything; however, if it breaks even one thing, people won’t accept it as a solution to an issue that normal users have never heard of. Debugging is slow (it took 3 days for a bug in the top-level .org zone to be fixed).

All your packets are belong to us

Information on the talk can be found on the HAR2009 Wiki. The talk was limited by the time slot. Some information on the MPLS Layer 2 VPN was rushed, so there is limited information. I’d suggest checking out the slides once they’re posted (not currently listed in the program).

The main focus of the talk is on

  • BGP
  • MPLS
  • Carrier Ethernet

BGP

  • Works over and relies on TCP/IP
  • Harder to spoof as it uses TCP (not a UDP fire-and-forget packet)
  • No multicasting

The BGP trust model is based on manual configuration (or by script). This is referred to as “Intra Operator Trust”. Due to the manual nature of updates it is prone to human error (see the AS7007 incident and YouTube/Pakistan).

“Once you’re a member of the ‘global BGP community’ you might perform all sorts of nasty stuff” – Pilosov / Kapela 2008

BGP security isn’t built into the protocol itself, but relies on the security measures of TCP. This includes the use of the “generic MD5 signature option” (RFC 2385). Currently there is a working group looking at the TCP Authentication Option. MD5 keys aren’t always used in large installs due to the complexity of key management.
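As an added illustration of what RFC 2385 actually signs (example code written for these notes, not ERNW’s tools or any BGP implementation), here is the digest computation plus a verifier that rejects unsigned, tampered or wrong-key segments; the addresses, ports and shared key used in the test are constructed values.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_MD5SIG = 19  # option kind defined by RFC 2385
MD5SIG_LEN = 18     # kind (1) + length (1) + 16-byte digest

def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 section 2: MD5 over pseudo-header, fixed 20-byte TCP header with the
    checksum zeroed (options excluded), segment data, then the shared key."""
    fixed = bytearray(tcp_header[:20])
    fixed[16:18] = b"\x00\x00"
    seg_len = len(tcp_header) + len(payload)        # pseudo-header length does include options
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, seg_len)
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()

def build_segment(src_ip, dst_ip, sport, dport, seq, ack, payload, key):
    """Constructed PSH/ACK segment carrying a signed MD5 option (padded with two NOPs).
    The TCP checksum is left at zero; only the signature matters for this example."""
    opts_len = MD5SIG_LEN + 2
    doff = (20 + opts_len) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, doff << 4, 0x18, 65535, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, header + bytes(opts_len), payload, key)
    options = bytes([TCPOPT_MD5SIG, MD5SIG_LEN]) + digest + b"\x01\x01"
    return header + options + payload

def verify_segment(src_ip, dst_ip, segment, key):
    """Accept a segment only if it carries an MD5 option matching `key` for this
    address pair and payload; unsigned or malformed segments are rejected."""
    doff = (segment[12] >> 4) * 4 if len(segment) >= 20 else 0
    if doff < 20 or doff > len(segment):
        return False
    header, payload, i = segment[:doff], segment[doff:], 20
    while i < doff:
        kind = header[i]
        if kind == 0:                                # end of option list
            break
        if kind == 1:                                # NOP
            i += 1
            continue
        if i + 1 >= doff or header[i + 1] < 2 or i + header[i + 1] > doff:
            return False                             # malformed option length
        if kind == TCPOPT_MD5SIG and header[i + 1] == MD5SIG_LEN:
            expected = tcp_md5_digest(src_ip, dst_ip, header, payload, key)
            return hmac.compare_digest(header[i + 2:i + 18], expected)
        i += header[i + 1]
    return False
```

Because the digest covers the addresses and the payload but not the option bytes, a peer that gets the key wrong, or a segment altered in transit, fails verification and is dropped before BGP ever parses it.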

Tools (including live demos)

  • bgp_cli
  • bgp_md5crack


MPLS is defined in RFC 3031 and is used in provider backbones to label traffic. Packets can carry multiple labels.

Both MPLS Layer 3 VPNs (RFC 4364) and MPLS Layer 2 VPNs (RFC) will be discussed, as they can be found in most large organizations.

MPLS Layer 3 VPNs

Comparable to Frame Relay/ATM in some respects
Highly “virtual” technology

During transport, two labels are used.

  • First: identifies the ‘egress PE’ / route
  • Second: identifies the customer / particular VPN

Due to the infrastructure, it is possible for multiple customers to use the same IP address space.
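An added decoder for the two-label stack described above (example code for these notes, not the presenters’ tools); the sample packet is constructed. It pulls out the label, TC, bottom-of-stack and TTL fields, and makes visible that nothing in the stack carries any integrity protection, which is why the clear-text labels below can be rewritten by anyone in the data path.

```python
import struct

def parse_label_stack(pkt: bytes):
    """Decode the MPLS label stack at the front of pkt; return (entries, inner_payload).
    Each 32-bit entry is: label (20 bits) | TC (3) | bottom-of-stack S (1) | TTL (8).
    Nothing in the stack authenticates the labels: there is no key, checksum or
    signature to check, which is the property the talk's attacks depend on."""
    entries, i = [], 0
    while True:
        if i + 4 > len(pkt):
            raise ValueError("stack truncated: no bottom-of-stack bit before end of packet")
        word, = struct.unpack("!I", pkt[i:i + 4])
        entries.append({"label": word >> 12, "tc": (word >> 9) & 0x7,
                        "ttl": word & 0xFF, "bottom": bool(word & 0x100)})
        i += 4
        if entries[-1]["bottom"]:
            return entries, pkt[i:]

def describe_vpn_stack(pkt: bytes):
    """Name the roles of a two-label Layer 3 VPN stack as described in the talk:
    outer label selects the egress PE / route, inner label selects the customer VPN."""
    entries, _ = parse_label_stack(pkt)
    if len(entries) != 2:
        raise ValueError("expected a transport label plus a VPN label, got %d" % len(entries))
    return {"egress_pe_label": entries[0]["label"], "vpn_label": entries[1]["label"]}

def make_entry(label: int, ttl: int, bottom: bool, tc: int = 0) -> bytes:
    """Build one label stack entry (constructed test data, not captured traffic)."""
    if not 0 <= label < 1 << 20:
        raise ValueError("label out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)

# constructed packet: transport label 16 (TTL 64) over VPN label 100000 (TTL 255), then a fake inner IPv4 header
SAMPLE = make_entry(16, 64, False) + make_entry(100000, 255, True) + b"\x45\x00" + bytes(18)
```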

Once an attacker is inside the MPLS network, they can do almost anything they want. The design of the technology prevents attack from outside the network; inside the network, there are no additional security restrictions.

POC attack tool for MPLS redirection – mps_redirect

The command-line tool rewrites the VPN labels of packets to redirect all traffic for the victim network to the attacker’s network.

MPLS labels are transmitted in clear text across the network. By sitting in the data path it’s possible to rewrite the MPLS labels and communicate between VPNs.

This attack allows systems to be spoofed at the MPLS level, for example replacing your DNS or LDAP server with attacker-controlled versions.

POC attack tool for MPLS injection – mps_tun

Creates a TUN interface that allows the attacker to inject packets into the VPN tunnel (use your favourite attack tools through the TUN interface).

60-80% of providers would allow complete control over an MPLS end-point. This would enable an attacker to perform these attacks.

Mitigation – authenticate everything, and implement “borders of trust” that encrypt/decrypt all inbound traffic at the site level.

MPLS Layer 2 VPNs

These networks expose the VPNs to existing layer 2 threats, such as ARP spoofing across the VPNs. Most Yersinia-style attacks will also work in the MPLS cloud.

The presenters are running a workshop (full MPLS lab setup) at FuWaR village at 14:30 today

Update: Some of the tools and the presentation can be downloaded from the ERNW.DE website; the presentation from Black Hat Europe appears to be the most recent on the site.

A Hackers guide to surviving in the corporate world

Information (and hopefully soon, the slides) for the presentation can be found on the HAR2009 Wiki.

This talk is about working within large organizations (both for profit and non-profit). Any large organization has its issues, whether it is a government or a large corporation.

Sometimes it’s hard to get a large organization moving. However once it gets going, it’s hard to make it stop.

Alone you go quicker, together you can go further.

Power holds organizations together.

  • Power is about allocating resources
  • Power is about allocating risk
  • In the extreme, power can be about imposing a view of the world

Power struggles are inherent in large organizations – they resolve the necessary diversity of views. When carried to completion they lead to more balanced decisions. When not resolved, they paralyze progress.

Risk is a fact of life – Organizations hate risk, it is a threat to their existence. Organizations love risk, it allows them to be unique.

Once a large company has a stable IT infrastructure, it is averse to taking risks with newer technologies.

“There is nothing more dangerous than to initiate a new order of things” – Machiavelli

It was discovered that the size of the organization had little effect on the speed of a project. The smaller organizations had the flexibility to simply “do” the work. The larger organizations had distinct “processes” in place to make sure that the project got completed. The slowest were found to be medium-sized organizations, as they were stuck between just doing it and having processes to make it happen.

Over half of organizations have trouble planning change controls – they cannot give a date, and lack a process.