Following our 2010 Shmoocon special we’re joined in studio by security expert and programmer extraordinaire Robin Wood to talk about his proof of concept botnet command and control tool KreiosC2. We also discuss tools for detecting traditional Man-in-the-Middle attacks. And stay tuned for a special season seven announcement.



Botnet Command and Control with Kreios C2

Using social networks as its communications channel, Robin Wood’s Kreios C2 is far more sophisticated than the traditional IRC-based approach for controlling hordes of zombie computers. Version 3 was recently released and demoed at the Shmoocon 2010 Social Zombies talk (32MB AVI).

Man-in-the-Middle Attack Detection

With Robin Wood, master of hardware-based Man-in-the-Middle tools, in studio, Darren decides to give the traditional ARP poisoning method some love. White-hat love, that is. Your typical ARP poisoning Man-in-the-Middle attack can be easily performed using tools such as ettercap, arpspoof, or even Cain & Abel on Windows. Generally speaking, the goal is to convince the victim, using spoofed ARP packets, that your MAC address is associated with the IP address of another machine on the network, typically the router or gateway.

Of course, in the real world the MAC address of your router doesn’t change very often, so if it does, it’s a tell-tale sign that something weird is happening. In this segment we demo Irongeek’s ARPWatch-like tool for Windows, DecaffeinatID. On the Linux side, check out arpwatch.
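As an added example (not from the episode, DecaffeinatID or arpwatch), here is a Python sketch of the detection idea described above: learn the gateway's IP-to-MAC binding from observed ARP replies and raise an alert when it changes. The tcpdump-style capture lines are constructed, and the optional allow-list of known gateway MACs is an assumption added so that roaming between several access points is not reported as poisoning and so the watcher does not baseline on an already-poisoned table.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Matches a "tcpdump -n" ARP reply line such as
# "10:00:01.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 46"
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

@dataclass
class GatewayWatch:
    gateway_ip: str
    known_macs: Set[str] = field(default_factory=set)    # allow-list (assumed; e.g. several APs)
    table: Dict[str, str] = field(default_factory=dict)  # last seen ip -> mac
    alerts: List[str] = field(default_factory=list)

    def observe(self, ts: str, ip: str, mac: str) -> Optional[str]:
        mac = mac.lower()
        prev = self.table.get(ip)
        self.table[ip] = mac
        if ip != self.gateway_ip or prev == mac:
            return None                      # not the gateway, or nothing changed
        if not self.known_macs:
            self.known_macs.add(mac)         # no allow-list given: trust the first binding
            return None
        if mac in self.known_macs:
            if prev is None:
                return None                  # first sighting, and it is a known MAC
            msg = f"NOTICE {ts} gateway {ip} moved to known MAC {mac} (was {prev})"
        else:
            msg = f"ALERT {ts} gateway {ip} now claims {mac} (was {prev}): possible ARP poisoning"
        self.alerts.append(msg)
        return msg

def check_capture(capture: str, gateway_ip: str, known_macs=()) -> List[str]:
    # Feed every ARP reply in the capture text to the watcher; return its findings.
    watch = GatewayWatch(gateway_ip, {m.lower() for m in known_macs})
    for line in capture.splitlines():
        if m := ARP_REPLY.match(line):
            watch.observe(m["ts"], m["ip"], m["mac"])
    return watch.alerts

# Constructed sample: the real gateway, a host, a spoofed gateway reply, then the real one again.
SAMPLE_CAPTURE = """\
10:00:01.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 46
10:00:05.000000 ARP, Reply 192.168.1.20 is-at aa:bb:cc:dd:ee:01, length 46
10:00:09.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 46
10:00:40.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 46
"""
```

Running `check_capture(SAMPLE_CAPTURE, "192.168.1.1")` reports the spoofed binding at 10:00:09 as an ALERT and the return to the original MAC as a NOTICE; starting the watcher only after the poisoning began would instead baseline on the attacker's MAC unless the real one is supplied in the allow-list.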


34 Comments

  • poopypants 4 years ago

    Wow, quite the bombshell. But I do think it’s awesome because the Hak5 goodness will be just down the street from me instead of thousands of miles away :D.

  • I really hope this show keeps on going for a very long time!!! Keep up the good job!

  • IT Ninja 4 years ago

    btw, the National Security Agency was recently hacked. Yes hacked! But it was downplayed to the media for obvious shameful reasons. Here’s the link:

    http://pinoysecurity.blogspot.com/2010/02/wwwnsagov-hacked.html

  • re: Kreios.. Why not just use an SSL irc on a nonstandard port?

  • Steve 4 years ago

    Hey, if either of you need a couch in the Windy City, e-mail and we (my wife and I) would be more than happy to open our home to you. Best wishes on the new path your lives are taking.

  • Wow, that’s a lot to take in, but I will watch every episode of season 7 nonetheless. Ha, the outtakes were funny!! :)

  • Good luck to you guys in your journeys!

    Have you thought about doing a Hak5 auction for the possessions that you are going to sell? I think there are enough Hak5 fans out there that would be willing to help support your move out to the West Coast and purchase some authentic Hak5 used merchandise in the process.

    Again, good luck to you and I’m glad to hear that the show will live on (even through the move)!

  • jEriko 4 years ago

    What’s Paul the camera guy gonna do now?

  • nimble2 4 years ago

    I really love the show.
    I will always be wishing you guys and gal the best of luck and good times in the future.

    P.S. I live about 15 miles from the Trail of Tears in Illinois.
    If you’re in need when passing through the area, shoot me an email.

  • Alexander 4 years ago

    Are the download buttons not working for anyone else?

  • 6@73|2 |3 `/73 4 years ago

    HOLY CRAP! HAK5 Is Coming to Cali!

    You have to pass through Ridgecrest, CA, see the Pinnacles in Trona, go through Death Valley, dude!!!! You gotta tweet where you’re going! Open dojo/lab here for ya!

  • I love your show, keep it up if you can! I have an open spare room if you pass through Cheyenne, Wyoming on your trip.


  • WOW! Big bombshell. I’ve been watching this since Season 1 Episode 1. I’ve saved every show in every format. Hopefully I’ll be able to get my home server back up and seeding the torrents for the past episodes. Best of luck on the move. I’m considering one too. Whatever you do, don’t stop in Michigan. Nothing to see here. Good luck Darren and Snubs. If you ever need a tech hand, drop me an e-mail. Long live Hak5 and their inspiration.

  • Re: Kreios C2

    Very interesting, but why not just use an SSL ircd on a nonspecific port?

  • Terren 4 years ago

    Choosing between “the grind” and “passion.” Does that mean Hak5 is going to become your day job?

    Also, is Paul coming along to SF?

  • Frank 4 years ago

    Dear Hak5 staff,

    Thanks for all great shows, great luck with the new format.

    Safe riding for Darren.

    Looking forward to season 7.

    From Canada,

    Frank

  • You guys are awesome, I’m jealous of your adventures. Good luck and safe travels! I’d offer a place to stay but I’m in a dorm room and there’s not much room anyway ;). Have fun!

  • Awesome… Hope you’ll enjoy it… Wish you all the best guys… And Snubs, I hope your dad gets well soon :)

  • You guys are so cool – good luck with season 7. Cheers \o/

  • esrevinU 4 years ago

    WOW! Way to start a season!

    I’m also wondering about Paul, Matt, and some of the other familiar faces from seasons past…

    Darren – You’ll like it here in California! I’m sure you’ll have the Bay Area rooted in no time. If you’re ever in Sacramento, I’ll buy drinks! Think you need to start selling those studios-in-a-duffle-bag! There’s probably a big market for a kit like that by DIY HDcasters. I think this is going to be the year for internet media such as Rev3. Glad to see you moving close to them. Also, TWIT/Leo mentioned Rev3/Hak5 in his coverage of CES this year so it will be nice to be closer to that group as well.

    Shannon – Take good care of your dad! Proud of you for putting your priorities straight.

    Robin Wood – Whoa… Botnet C&C has a lot more room underground left to explore than I ever thought possible. Domain fluxing seemed pretty sophisticated until I listened to you; now all info can be fluxed! If anybody needs anything beyond proof of concept on this, please buy a new white hat!

    Safe journeys,

  • two_ovens 4 years ago

    I chose two_ovens because it’s what Mutch used as a password during his AT&T MITM attacks.

    So I was wondering why the Brit decided that the only reason for a default router MAC addr to change was multihoming/load balancing when extended service sets (ESSs; WLANs with more than one access point) do exactly that, by design. Especially in your example: airports. Airports utilize a huge ESS wireless network. The SSID remains constant, the default router’s MAC – that which the AP connects to – remains constant, but the AP’s MAC, which is passed to the client, changes as the user roams and changes from access point to access point.

    I also had a problem with the tool you advertised for, CaffeinatID or whatever. From a technical perspective, the demonstration with that tool was that it could watch ARP information by querying the DARP list on the local machine. So if the tool is started after the poisoning occurs, the tool is useless; or less than useless because after the offending packets stop coming at your host, it will pop up a false positive of “Hey, now you’re using the correct router. You should have been worried, but I couldn’t tell”

    Also, you mentioned Ettercap. Ettercap itself, IIRC, allows and assists in the use of 4 different kinds of MITM attacking. The one I’d like to focus on is DHCP poisoning because it applies to the situation of wireless access points more so than ARP.

    You see, ARP can be made semi-static: A simple shell script in any real OS (or a lengthy program in Windows) has the ability to grab the very first ARP response from the default router (note: a legitimate response and not an unrequested “reply” like those that arpspoof sends), and put it into a file and drop the connection, alert the user (syslog, zenity, both?). Therefore ARP is a terrible medium for MITMing due to predictability (I won’t even get into timing of responses from legitimate routers). Furthermore, ARP poisoning can be bypassed easily with static ARP tables. And less easily with another shell script (if an unrequested reply comes in, filter all activity and wait for the next out-of-line “reply”. When it comes, find out the difference in time from the first so we can predict when another one will come. Put the user back online. Every time an unreq’d ARP reply comes in, take the user offline, request an ARP for the default router’s IP. Time the response so we have a better idea of if it’s right. Use THAT ARP. Put the user back online. And later on.. if we get more than, say, 180 unrequested replies, then put a static entry for the correct router in the ARP cache.)

    DHCP poison-based MITM attacking is much cleaner. Even with a race condition between attacker and router (to get to client). At that point, though, why not just FakeAP?

    Longer story short, you covered one of the oldest and most thought-about poisoning techniques…… Bombshell? Why not cover something interesting?

    like rooting an Android and performing tcpdump from it… without it ever leaving your pocket :)

  • two_ovens 4 years ago

    I chose two_ovens because it’s what Mutch used as a password during his AT&T MITM attacks.

    So I was wondering why the Brit decided that the only reason for a default router MAC addr to change was multihoming/load balancing when extended service sets (ESSs; WLANs with more than one access point) do exactly that, by design. Especially in your example: airports. Airports utilize a huge ESS wireless network. The SSID remains constant, the default router’s MAC – that which the AP connects to – remains constant, but the AP’s MAC, which is passed to the client, changes as the user roams and changes from access point to access point.

    btw, multihomes and load balancers won’t change their MAC addresses because my connection to my default gateway is much faster than my gateway’s connection to the internet. And all of your routers have static port-security for their next hop addresses anyways. Right?

    ;-)

    I also had a problem with the tool you advertised for, CaffeinatID or whatever. From a technical perspective, the demonstration with that tool was that it could watch ARP information by querying the DARP list on the local machine. So if the tool is started after the poisoning occurs, the tool is useless; or less than useless because after the offending packets stop coming at your host, it will pop up a false positive of “Hey, now you’re using the correct router. You should have been worried, but I couldn’t tell”

    Also, you mentioned Ettercap. Ettercap itself, IIRC, allows and assists in the use of 4 different kinds of MITM attacking. The one I’d like to focus on is DHCP poisoning because it applies to the situation of wireless access points more so than ARP.

    You see, ARP can be made semi-static: A simple shell script in any real OS (or a lengthy program in Windows) has the ability to grab the very first ARP response from the default router (note: a legitimate response and not an unrequested “reply” like those that arpspoof sends), and put it into a file and drop the connection, alert the user (syslog, zenity, both?). Therefore ARP is a terrible medium for MITMing due to predictability (I won’t even get into timing of responses from legitimate routers). Furthermore, ARP poisoning can be bypassed easily with static ARP tables. And less easily with another shell script (if an unrequested reply comes in, filter all activity and wait for the next out-of-line “reply”. When it comes, find out the difference in time from the first so we can predict when another one will come. Put the user back online. Every time an unreq’d ARP reply comes in: take the user offline, request an ARP for the default router’s IP. Time the response so we have a better idea of if it’s right. Use THAT ARP. Put the user back online. And later on.. if we get more than, say, 180 unrequested replies, then put a static entry for the correct router in the ARP cache and wait for the skiddie to lose interest)

    DHCP poison-based MITM attacking is much cleaner. Even with a race condition between attacker and router (to get to client). At that point, you only talked about WLANs though, why not just FakeAP?

    Longer story short, you covered one of the oldest and most thought-about poisoning techniques…… Bombshell? Why not cover something interesting?

    like rooting an Android and performing tcpdump from it… without it ever leaving your pocket :)

    BTW, Love the show. Where are you guys out of?
    Regards,
    Tener Hades.

  • two_ovens 4 years ago

    sheesh… sorry ’bout that. noscript and your human detector gave me grief

  • two_ovens 4 years ago

    huh.. sorry for the triple-post, but it appears i’ve accidentally found a way around your human-detection AND you moderation…

    to whom it may concern,
    in order to bypass the human detector and moderation mailing, use firefox 3.5.2 and noscript (whatever the newest one is). post your comment with noscript blocking. when the human detector comes up, no image will be displayed. hit continue and you’ll get an error. hit back twice to go back to your post. disable noscript (allow all) then post the comment again.
    once that’s done, both comments will be displayed (bug 1) and the second of those will post directly without waiting for moderation (bug 2).
    sorry about the double posting. and the posting without moderation.

    keep up the good work.

    Regards,
    Tener Hades.

  • lukeab 4 years ago

    Hey guys, Best of luck with the move! That’s great you’re going to SF, feels like it’ll open up the action to you guys.

    Snubs, hope things go well for your Dad.

    Anyway, live on passion! So vicariously through you, I can too!

    Good luck guys.

  • soupman 4 years ago

    Great episode. I’ve missed a lot because I had a while without internet (switching ISP). Seems like a few episodes are missing from the Episodes page so I guess YouTube quality will have to suffice lol. Wishing you the best of luck with your travels! Keep bringing the technolust ;)

  • Thanks for mentioning my tool. :)

  • Vosester 4 years ago

    What is the name of the tune at the start of this episode, I want it :)

  • Sniper 4 years ago

    All the patches in the world can never completely eradicate this problem as long as there is an abundant supply of bad code from hastily-made products. Take for instance the bunch of live NASA server exploits listed at pinoysecurity. The list just goes on…

  • Do none of the popular Windows firewalls have ARPWatch-like functionality?

  • Sanity 4 years ago

    Interesting episode.

    Robin’s segment regarding ARP was good value, even if two_ovens’ comment regarding multiple APs is true (you do get a different MAC for every AP when extending an ESS). The tool comes with source so this could be fixed with a white-list. A good method to defend yourself against mitm IP attacks is to use a layer-2 authenticated PPPoE connection to your gateway or OpenVPN with the cert stored on a USB key hung around your neck.

    The botnet stuff is good, just another reason to white-list known outbound traffic and push all http via a logged proxy.

    Make sure you get the Google Maps road blogging stuff set up because I want to follow the journey.

    Snubs, hope your father gets well soon.

    Good luck!