Last year (if this intro doesn’t work, I give up trying to post this :) ), I presented at B-Sides Ottawa, which was put on by Andrew Hay and others (and sorry I waited so long before posting this… I kept revising it and not publishing). I got to give a well-received talk, meet a lot of great folks, see Ottawa for the first time, and learn that I am a good solid Security D-lister. w00t!
Before I talk about the fun part, where I completely faked out my demo, if you want the slides you can grab them here: http://svn.skullsecurity.org:81/ron/security/2010-11-bsides-ottawa/. You can find more info about the conference and people’s slides at the official site. And finally, here’s a picture of me trying to look casual.
B-sides conferences, for those of you who don’t know, are awesome little conferences that often (but not always) piggyback on other conferences. They are free (or cheap), run by volunteers, and have raw and technical talks. B-sides Ottawa was no exception, and I’m thrilled I had the chance to not only see it, but take part in it. I really hope to run our own B-sides Winnipeg next year!
Anyway, my talk was on the Nmap Scripting Engine. I wrote a talk and a couple of demos, both of which are available at the above link. My plan was to do two live demos, coded on stage, with no safety net. Pre-recording demos is cheating! The demos were the following:
- Perform a DNS lookup and scan a host's mailservers
- Look up the router's MAC address in a geolocation service and show the google map
I practiced them over and over, and they were looking great, so I showed up at B-sides ready to go!
Then I found out I had no Internet connection.
So, that night I had a lot of work to do, re-writing my entire talk to work with no Internet connection. As a natural procrastinator, I ended up hanging out with people until the middle of the night, so when I finally made it back to the hotel I couldn’t do anything. So, four hours later, first thing in the morning, I got to work.
Problem 1: DNS
So the first problem was that I had to perform DNS queries, both for MX and A records. I briefly considered using a shell script and netcat to do this, but I’m not that crazy. Instead, I made some minor changes to dnsxss to return a few fake mailservers for MX queries.
The default behaviour of dnsxss returns 127.0.0.1 for all A queries, and that’s exactly what I wanted.
Finally, I set the DNS server of my laptop to 127.0.0.1. Now, no matter what I requested, the right results came back. Problem solved!
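As an added example of the kind of fake resolver this trick relies on (this is not dnsxss and not code from the talk; it was written for this post), here is a minimal UDP DNS responder that answers every A query with 127.0.0.1 and every MX query with a constructed list of mail hosts. The mail host names (mail1.fake.example, mail2.fake.example), the 60-second TTL and the bind address are assumptions, not values from the original setup. The parse_answers helper exists only so you can check what a resolver would actually see in the reply.

```python
"""Fake DNS responder (added example; not dnsxss, not from the talk)."""
import socket
import struct

# Constructed answers for the demo. The names are made up for this example.
FAKE_A = "127.0.0.1"
FAKE_MX = [(10, "mail1.fake.example"), (20, "mail2.fake.example")]
TYPE_A, TYPE_MX = 1, 15
QNAME_PTR = b"\xc0\x0c"  # compression pointer to the question name at offset 12


def encode_name(name):
    """Encode 'a.b.c' as DNS labels: \\x01a\\x01b\\x01c\\x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def decode_name(data, offset):
    """Decode a (possibly compressed) name at offset; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_query(name, qtype, txid=0x1234):
    """Build a standard recursive (RD=1) query for name/qtype in class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query):
    """A -> FAKE_A, MX -> FAKE_MX, anything else -> NOERROR with no answers."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        return None
    _, offset = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[offset:offset + 4])
    question = query[12:offset + 4]
    records = []
    if qtype == TYPE_A:
        records.append((TYPE_A, socket.inet_aton(FAKE_A)))
    elif qtype == TYPE_MX:
        records += [(TYPE_MX, struct.pack("!H", pref) + encode_name(host))
                    for pref, host in FAKE_MX]
    answers = b"".join(QNAME_PTR + struct.pack("!HHIH", rtype, qclass, 60, len(rdata)) + rdata
                       for rtype, rdata in records)
    # QR=1, AA=1, RA=1; opcode and RD copied from the query; RCODE=0.
    rflags = 0x8000 | 0x0400 | 0x0080 | (flags & 0x7900)
    header = struct.pack("!HHHHHH", txid, rflags, 1, len(records), 0, 0)
    return header + question + answers


def parse_answers(response):
    """Return the answer section as (name, type, value) tuples, as a resolver would see it."""
    ancount = struct.unpack("!H", response[6:8])[0]
    _, offset = decode_name(response, 12)
    offset += 4                                       # skip QTYPE/QCLASS
    out = []
    for _ in range(ancount):
        name, offset = decode_name(response, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        if rtype == TYPE_A:
            value = socket.inet_ntoa(response[offset:offset + 4])
        elif rtype == TYPE_MX:
            pref = struct.unpack("!H", response[offset:offset + 2])[0]
            value = (pref, decode_name(response, offset + 2)[0])
        else:
            value = response[offset:offset + rdlen]
        out.append((name, rtype, value))
        offset += rdlen
    return out


def serve(bind="127.0.0.1", port=53):
    """Answer every UDP query on bind:port forever (assumed defaults)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        query, peer = sock.recvfrom(512)
        try:
            response = build_response(query)
        except (struct.error, IndexError, UnicodeDecodeError):
            continue                                  # malformed query: drop it
        if response:
            sock.sendto(response, peer)


if __name__ == "__main__":
    serve()
```

Binding port 53 needs root (or CAP_NET_BIND_SERVICE on Linux); for a quick unprivileged check, run serve(port=5353) and query it with `dig @127.0.0.1 -p 5353 example.com MX`. Keep in mind that once the laptop’s resolver points at 127.0.0.1, everything on the machine gets these answers, not just the demo, so package updaters and anything else that resolves names will quietly break until you switch it back.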
Problem 2: No mail servers!
The next problem I ran into is that I wanted to scan a mailserver. That was a simple matter of installing an SMTP server and making sure it ran on startup. Another option would have been faking it with netcat and a static response.
With those two problems solved, I had a workable first demo! On to the second…
Problem 3: No MAC address
My second script was supposed to look up a MAC address’s geolocation information, but what can I do without a MAC address? The easy way would have been to hardcode a MAC into the script, but that’s cheating. Nmap doesn’t return the MAC address for the loopback address, so I had to find a better way to cheat than simply redirecting DNS.
There’s probably a far better way to do this, but I decided to simply set one of my VMware instances to auto-start on boot. I could then scan it as if I was scanning my router with no one the wiser. Of course, its MAC address isn’t going to be in the geolocation database, but that’s okay because….
Problem 4: Geolocation
To use Google’s geolocation service, you obviously need to connect to Google (specifically, www.google.com/loc/json). Requests to www.google.com were already heading to localhost, thanks to my fake DNS server, so this was pretty easy. I created a valid JSON request that appeared to go to Google, and that appeared to have the proper MAC address embedded in it. Of course, it wasn’t really going to Google, and it wasn’t really the wireless MAC address. But because my web server running on localhost always returned the proper coordinates, that didn’t matter very much.
As a bonus, if I fudged up the MAC address encoding in any way, it wouldn’t matter because it was returning a static page.