H2HC19 - Packetwars - P0wn Th3 H0m3
Since our first Packetwars at H2HC in 2015, it has somehow become a fun tradition. Although I was not involved in 2018, I was back this year and brought a few fun but seemingly too ugly challenges. Here is a short write-up on the concepts, ideas and challenges.
I’ve been wanting to do a network-based Packetwars for quite a while now and finally got the chance to do one this year, and hopefully again next year (with a new setup). By network-based I mean live access to the traffic between multiple machines via a physical man-in-the-middle. Which brings us to the first challenge.
In this year’s scenario, “P0wn Th3 H0m3”, the attendees had to gain access to the smart home functionality of a house and gain access to all controls. Our back story played around a hostage rescue mission in which the attendees would prepare to play a vital role by controlling alarms, lights and cameras during the final raid. Thus, the primary mission: gain initial access by cutting a network cable and crimping a simple 8P8C Western plug onto one side and an LSA receptacle onto the other. The attendees would then have to sniff some packets first and could gain points for collecting information.
When both ports were up and after a certain reconnection period, a PPTP VPN between two systems would appear on the cable. The communicating systems were “locked” into a /30 IP address space (which has only two usable host addresses, both already taken by the endpoints) and thus presented the first networking challenge: the attendees had to configure the IP addresses of their physical mitm in such a way that they also gained a logical mitm.
While the encapsulated traffic was visible in a sniff, the client actually authenticated to the VPN server using CHAP. This posed the next challenge: how to break open the VPN and become mitm here as well?
Luckily the authentication scheme was only enforced on the server side, so after a quick downgrade to PAP a plaintext password appeared.
Within the VPN the attendees got access to 4 core communication channels, in addition to some decoys.
For the sake of nostalgia (telco research) I decided to use SCTP as one of the protocols.
- The core aspect of the application was a request containing “0x42”, which returned a binary vector and a CRC32: the states of the cameras in the house.
- The decoy message “0x11” actually returned a great recipe for brownies.
- A bunch of seemingly random messages, where each response was the original message encoded with ROT13. If this channel broke down, an alarm was triggered.
Due to a bit of, let’s call it “external inspiration”, I added a little decoy challenge, which looks as follows:
Request: vib5c0b187fe309af0f4d35982fd961d7e Response: TTDWSCPPOHCMYYJJWCQI
Request: vib5c0b187fe309af0f4d35982fd961d7e Response: TOYXSWIOZTTSFTTSFFVVXGPTWWAXPRA
Request: vib5c0b187fe309af0f4d35982fd961d7e Response: EMDRRMJYCVVMCWITWODXDOWSGSA
Request: vib5c0b187fe309af0f4d35982fd961d7e Response: EVZPJFZWSOKIZTTSFFVVXGVROGCSFZYICGA
Request: vib5c0b187fe309af0f4d35982fd961d7e Response: EVZWZTOGFFQIZTTSFFRMYRDRRVZEOV
Request: vib5c0b187fe309af0f4d35982fd961d7e Response: YCHIWCYCTGNAPSOICTISCQJYWRJVAVZYD
Request: vib5c0b187fe309af0f4d35982fd961d7e Response: DCCEGSWIHWOGSSYLTHCMYYJJEVDWQ
Request: vib5c0b187fe309af0f4d35982fd961d7e Response: LBYEWZHCFBDZPFNIMSXSXSNTPFAINHDSYV
Request: vib5c0b187fe309af0f4d35982fd961d7e Response: MIOAPFZCZIDRXMVVXGAHPOMPZJZJ
Request: vib5c0b187fe309af0f4d35982fd961d7e Response: EVZLLDKMYSNWHCPPOHVOPATFCSVXSOREJT
Request: vib5c0b187fe309af0f4d35982fd961d7e Response: YCOLZIBLEQJYWRHEEQCXSOOINGOEDMA
Request: vib5c0b187fe309af0f4d35982fd961d7e Response: YCNSYUZRNCHTLGNMETISZHCICKJVWRNL
Request: vib5c0b187fe309af0f4d35982fd961d7e Response: TTDWSCPPOHCMYYJJWCQIQ
Request: vib5c0b187fe309af0f4d35982fd961d7e Response: TOYXSWIOZTTSFV
Said “external inspiration” managed to crack it (Irresistible!!). Can you? If so, drop me a message :)
The backend was running a RabbitMQ MQTT server with a single queue, which received and forwarded switching actions as binary vectors with a CRC32. In contrast to the CRC32 in SCTP, it was calculated here over last_message + current_message, where last_message also contained its own checksum. Thus, the responses always depend on the previous messages.
The target house was running an externally available web/JSON API server which was regularly accessed by a remote system. When connecting to the base directory of the server, it only responded with a 404, so it was necessary to have a closer look at the requests. To break open the TLS connection, well, let me just stress how many IoT devices actually don’t validate the certificate of the remote host, or only validate the Common Name.
The house and the backend systems had an out-of-band style keep-alive communication. The backend regularly asked the house if everything was ok; if it was (all other data channels were running), the house answered with an ok. Here is an excerpt for some tinkering:
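The two checksum schemes described above, the stand-alone CRC32 of the SCTP “0x42” reply and the chained CRC32 of the MQTT queue, as an added Python example that is not part of the original post or of the Packetwars setup. It assumes a 2-byte state vector, a big-endian CRC32 appended after the vector, and an empty predecessor for the first chained message; the sample vectors are constructed. It shows why the chaining matters to whoever consumes the queue: a tampered, dropped or reordered message breaks every following check, whereas stand-alone frames verify in any order.

```python
import struct
import zlib

VECTOR_LEN = 2   # assumed: 16 on/off states packed into two bytes
CRC_FMT = ">I"   # assumed: CRC32 appended big-endian after the vector


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def encode_plain(vector: bytes) -> bytes:
    """SCTP-style frame: the state vector followed by CRC32 over the vector alone."""
    assert len(vector) == VECTOR_LEN
    return vector + struct.pack(CRC_FMT, crc32(vector))


def verify_plain(frame: bytes) -> bool:
    """Checks a stand-alone frame; any intact frame verifies regardless of history."""
    if len(frame) != VECTOR_LEN + 4:
        return False
    vector = frame[:VECTOR_LEN]
    (crc,) = struct.unpack(CRC_FMT, frame[VECTOR_LEN:])
    return crc == crc32(vector)


def encode_chained(previous_frame: bytes, vector: bytes) -> bytes:
    """MQTT-style frame: CRC32 over previous_frame (its vector AND its CRC) + current vector.
    The first frame chains from an empty previous frame (assumption)."""
    assert len(vector) == VECTOR_LEN
    return vector + struct.pack(CRC_FMT, crc32(previous_frame + vector))


def verify_chain(frames: list) -> list:
    """Verifies every frame against its predecessor. A frame whose predecessor was
    altered, dropped or reordered fails even if the frame itself is untouched."""
    results, previous = [], b""
    for frame in frames:
        ok = False
        if len(frame) == VECTOR_LEN + 4:
            vector = frame[:VECTOR_LEN]
            (crc,) = struct.unpack(CRC_FMT, frame[VECTOR_LEN:])
            ok = crc == crc32(previous + vector)
        results.append(ok)
        previous = frame
    return results


def build_chain(vectors: list) -> list:
    frames, previous = [], b""
    for vector in vectors:
        frame = encode_chained(previous, vector)
        frames.append(frame)
        previous = frame
    return frames


# Constructed sample switching actions: bit i of the vector = state of switch/camera i.
SAMPLE_VECTORS = [bytes([0b00000001, 0b00000000]),
                  bytes([0b00000011, 0b00000000]),
                  bytes([0b00000011, 0b10000000])]


def demo() -> dict:
    chain = build_chain(SAMPLE_VECTORS)
    intact = verify_chain(chain)
    # Flip one bit in the middle frame's vector: its own CRC fails, and so does the
    # successor's, because the successor was chained over the unmodified bytes.
    tampered = list(chain)
    tampered[1] = bytes([tampered[1][0] ^ 0x02]) + tampered[1][1:]
    after_tamper = verify_chain(tampered)
    # Swap the last two frames: both fail, since each was chained over a different predecessor.
    after_reorder = verify_chain([chain[0], chain[2], chain[1]])
    # Stand-alone frames verify in any order, so a replay or swap is invisible to the CRC.
    plain = [encode_plain(v) for v in SAMPLE_VECTORS]
    plain_reordered = [verify_plain(f) for f in (plain[0], plain[2], plain[1])]
    return {"intact": intact, "tampered": after_tamper,
            "reordered": after_reorder, "plain_reordered": plain_reordered}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} {result}")
```

A CRC is not a MAC: anyone who can see the queue can recompute the chain, so the chaining only catches accidental loss and reordering, not a deliberate rewrite of the whole history.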
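The certificate-validation point above, as an added Python example (not code from the original post or from any device in the scenario) that puts the weak client postures beside the hardened one and adds a small audit that flags them. It uses only the standard ssl module; the function names and the finding codes are my own. The standard library cannot express “only the Common Name is checked”; the nearest misconfiguration it can express is a verified chain with hostname matching disabled, which is what chain_only_context() builds.

```python
import ssl
from typing import List, Optional


def hardened_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """What an IoT client should use: chain validation, hostname matching, TLS 1.2+.
    ca_file may point at a private CA bundle; None uses the platform trust store."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def no_validation_context() -> ssl.SSLContext:
    """First failure mode from the post: the client accepts any certificate from anyone."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode may become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def chain_only_context() -> ssl.SSLContext:
    """Chain is verified against the trust store, but the name in the certificate is
    never compared with the host being contacted, so any certificate the trust store
    accepts is good enough, whoever it was issued to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Returns finding codes for the weaknesses a reviewer would flag in a client context."""
    findings: List[str] = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("no-chain-validation")
    if not ctx.check_hostname:
        findings.append("no-hostname-check")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy-tls-allowed")
    return findings


if __name__ == "__main__":
    for name, builder in (("hardened", hardened_client_context),
                          ("no validation", no_validation_context),
                          ("chain only", chain_only_context)):
        print(f"{name:14s} {audit_client_context(builder()) or 'ok'}")
```

The audit only looks at the context object; it says nothing about whether the device then pins a certificate or ignores handshake errors in its own code, which is where firmware usually goes wrong.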
S2C: I.\\nThe H S2C: orror in Clay.\\n\\nTh S2C: e most merci S2C: ful thin S2C: g in the world, I th S2C: ink, is S2C: the inabilit S2C: y of t S2C: he human min S2C: d to correla S2C: te all its contents. S2C: We liv S2C: e on a placid isl S2C: and of ignorance in S2C: the midst o S2C: f black seas o S2C: f infinity, and S2C: it was not mea S2C: nt that we s S2C: hould v S2C: oyage S2C: far. The scien S2C: ces, each st S2C: raining in i S2C: ts own direction, h S2C: ave hitherto harmed S2C: us little; but some S2C: day the piec S2C: ing together o S2C: f dissoc S2C: iated knowledge wi S2C: ll open up s S2C: uch terrif S2C: ying vist S2C: as of reality, and o S2C: f our frightful pos S2C: ition th S2C: erein, S2C: that we sha S2C: ll either go mad from the C2S: revelation or fl C2S: ee from t C2S: he deadly ligh C2S: t into the peace an C2S: d safety of C2S: a new dark C2S: age.\\nTheoso C2S: phists ha C2S: ve gu C2S: essed at C2S: the awesome C2S: grandeur of the cos C2S: mic cycle wher C2S: ein ou C2S: r world an C2S: d human race f C2S: orm transient inc C2S: idents. They C2S: have hinted C2S: at strang C2S: e surv C2S: ivals in ter C2S: ms which wou C2S: ld freeze C2S: the blood if no C2S: t masked by C2S: a bland optimism. Bu C2S: t it is not fr C2S: om them that C2S: there came C2S: the singl C2S: e glimpse C2S: of forbidden ae C2S: ons which C2S: chills me wh C2S: en I th C2S: ink of C2S: it and madd C2S: ens me when I dr C2S: eam of C2S: it. That gl C2S: impse, l C2S: ike all drea C2S: d glimpses of truth, flas S2C: hed ou S2C: t from an acciden S2C: tal piecing S2C: togeth S2C: er of separate S2C: d things S2C: —in this c S2C: ase an old S2C: newspaper i S2C: tem and the S2C: notes of a dead pro S2C: fessor. I S2C: hope that no o S2C: ne else will acco S2C: mplish this S2C: piecing out; certai S2C: nly, if I live, I s S2C: hall never kno S2C: wingly suppl S2C: y a link S2C: in s S2C: o hideous a chain S2C: . 
I think th S2C: at the profe S2C: ssor, too, intended S2C: to keep silent S2C: regarding the part S2C: he knew, and S2C: that he would have S2C: destroyed S2C: his notes had not s S2C: udden death S2C: seize S2C: d him. \\nM S2C: y knowledge of the S2C: thing began in th S2C: e winter S2C: of 1926– S2C: 27 with the S2C: death of my grand-uncle G C2S: eorge Gammell Ange C2S: ll, Pro C2S: fessor Emeritu C2S: s of Semitic Lang C2S: uages in Bro C2S: wn Uni C2S: versity, Pro C2S: vidence, C2S: Rhod C2S: e Island. C2S: Professor A C2S: ngell was widely kno C2S: wn as an authorit C2S: y on anc C2S: ient i C2S: nscriptions, a C2S: nd had frequently C2S: been resorte C2S: d to by the C2S: heads o C2S: f promin C2S: ent museums; C2S: so that his C2S: pass C2S: ing at the age C2S: of ninety-t C2S: wo may be recalled C2S: by many. Locall C2S: y, interest C2S: was intensif C2S: ied by C2S: the obsc C2S: urity of the ca C2S: use of de C2S: ath. The pro C2S: fessor h C2S: ad been st C2S: ricken whils C2S: t returning fro C2S: m the C2S: Newport boat C2S: ; fall C2S: ing suddenly C2S: , as witnesses said, afte
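Reassembling a capture in the notation of the excerpt above, as an added Python example that is not from the original post. The fragment format (direction marker, colon, space, payload, one separating space before the next marker) and the reading of S2C/C2S as server-to-client and client-to-server are assumptions; the capture it runs on is constructed rather than taken from the excerpt, whose whitespace the page has partly collapsed. The “\n” sequences are kept as the literal two-character escape the capture shows and decoded on reassembly.

```python
import re
from typing import Dict, List, Tuple

# Constructed capture in the excerpt's notation (not taken from the page's data).
SAMPLE_CAPTURE = r"S2C: every S2C: thing o S2C: k?\n C2S: yes, all cha C2S: nnels up."

# A fragment runs from its marker up to the space preceding the next marker, or to end of input.
FRAGMENT_RE = re.compile(r"(S2C|C2S): (.*?)(?= (?:S2C|C2S): |$)", re.S)


def parse_fragments(capture: str) -> List[Tuple[str, str]]:
    """Splits the capture into (direction, payload) pairs in wire order."""
    return [(m.group(1), m.group(2)) for m in FRAGMENT_RE.finditer(capture)]


def reassemble(capture: str) -> Dict[str, str]:
    """Concatenates each direction's fragments into one stream and decodes the \\n escapes."""
    streams = {"S2C": "", "C2S": ""}
    for direction, payload in parse_fragments(capture):
        streams[direction] += payload.replace(r"\n", "\n")
    return streams


def turns(capture: str) -> List[str]:
    """Collapses consecutive fragments from one side into a single turn, so the
    ask/answer rhythm of the keep-alive becomes visible."""
    result: List[str] = []
    for direction, _ in parse_fragments(capture):
        if not result or result[-1] != direction:
            result.append(direction)
    return result


def fragment_stats(capture: str) -> Dict[str, Tuple[int, int]]:
    """Per direction: (number of fragments, total payload characters as captured)."""
    counts = {"S2C": [0, 0], "C2S": [0, 0]}
    for direction, payload in parse_fragments(capture):
        counts[direction][0] += 1
        counts[direction][1] += len(payload)
    return {k: (v[0], v[1]) for k, v in counts.items()}


if __name__ == "__main__":
    for direction, text in reassemble(SAMPLE_CAPTURE).items():
        print(direction, repr(text))
    print(turns(SAMPLE_CAPTURE), fragment_stats(SAMPLE_CAPTURE))
```

Running it over the real excerpt will produce joins such as “isthe” wherever the page lost a space at a fragment boundary; that is an artefact of the copy, not of the protocol.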
Aftermath - Packetwars X-Treme Edition
Due to a little Brazilian-style planning, we weren’t able to run a single 3-4h Packetwars with all attending teams at once. Thus we made the call for an X-Treme session: three sessions of approximately 60 minutes each, in which a group of teams was allowed to access the battle space. While the first challenge was still the physical crimping, the teams could simply collect points for extracting details from the sniffed traffic.
What I hadn’t anticipated was that crimping was seemingly far harder than expected and basically cost most of the teams the whole hour. Eventually only three teams actually managed to crimp their cables correctly.
Next year we’ll be back with a more flexible setup (one that scales better), a full-length Packetwars and, I suppose, an extra speed-crimping challenge! Might also add a speed-soldering challenge, just for fun :P
Also, we will have to make sure that the one and only Packet Master comes back next year! Give a shout-out to @AngusBlitter to make it harder for him to resist!