The nmrc warez 2005 extravaganza
This presentation is the property of its rightful owner.
1 / 15

The NMRC Warez 2005 Extravaganza PowerPoint PPT Presentation

The NMRC Warez 2005 Extravaganza. DefCon 2005 n omad m obile r esearch c entre. “With just a few keystrokes, cybercriminals around the world can disrupt our economy.” - Ralph Basham, Director of the U.S. Secret Service at RSA 2005.

Download Presentation

The NMRC Warez 2005 Extravaganza

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

The nmrc warez 2005 extravaganza

The NMRC Warez 2005 Extravaganza

DefCon 2005

nomad mobile research centre

Warez extravaganza

“With just a few keystrokes, cybercriminals around the world

can disrupt our economy.” - Ralph Basham, Director of the

U.S. Secret Service at RSA 2005.

“With just a few keystrokes, pundits can disrupt our freedoms.”

- Daaih Liuh, NMRC, 2005

“With just a few keystrokes, I can turn those pundits off and watch porn instead.” – jrandom, NMRC, 2005

Who we are

Who We Are

On to the warez

On To The Warez….

Updated ncrypt

Updated Ncrypt

  • New features and bug fixes

    • Includes Todd MacDermind’s nrm, a drop-in replacement for rm for secure file erasure

    • More features for script integration (the users demanded it!)

Nmap tools

Nmap Tools

  • nmap-report

    • Generate a list of IPs from your run of Nmap

  • nmap-diff

    • Diff on 2 days of nmap runs

  • nmap-wrapper

    • Nmap lots of hosts quickly

Warez extravaganza


  • SPA is Single Packet Authentication, a single packet that can authenticate a user to a system

  • It is a protocol for allowing a remote user to authenticate securely on a “closed” system (limited or no open services)

  • Uses GPG to sign/encrypt a message to a sniffing server in a single TCP, UDP, or ICMP packet

  • Work across NAT

  • Free

Visual representation

TCP, UDP, or ICMP Packet

Encrypted for 0xdeadbeef

Signed with 0x12345678

ID,session keys,


Command and control info

Visual Representation





Sample code layout

Sample Code Layout







The scanner http scan pl

The Scanner –

  • The beauty of a CLI

  • Easy to change XML config file

  • HTTP, some FTP (anon access and writability), some SQL (finds Slammer-vuln boxen)

  • Very fast, will fork off children (default 32) and will only scan systems that have been “identified” (this can be overridden)

  • Very few false positives

  • Free

Route detector

Route Detector

  • Detect Multihomed Boxes and Misconfigured Network Devices

  • Scan Large Networks Quickly

  • Client Forges ICMP Echo Request with Signed Payload using Share Key

  • Server Sniffs ICMP, Compares Payload with Expected

Warez extravaganza


  • NPC is Nearly Perfect Crypto. Seriously….

  • It includes a utility for creating large one time pads (using the PRNG ISAAC)

  • Fast, simple and quick

  • If you can manage the key exchange, it is nearly the most perfect and unbreakable crypto you can get (one time pads are considered the ultimate crypto)

    • Key management is a bitch, and may render this impractical for modern humans

Why npc is so fast and secure

Why NPC Is So Fast and Secure

/* main "crypto" loop */



guaranteed_memset(iblock, 0, 16);

guaranteed_memset(kblock, 0, 16);

guaranteed_memset(oblock, 0, 16);

isize = fread(iblock, 1, 16, ifp);  Read in a block of plaintext

ksize = fread(kblock, 1, 16, kfp);  Read in a block of the key (remember, key mgmt is hard...)

if(isize <=0)


fprintf(stderr,"%s: === Unable to read data: %s\n",PACKAGE,ifile);



if(ksize <=0)


fprintf(stderr,"%s: === Unable to read data: %s\n",PACKAGE,kfile);



for(i = 0; i < isize; i++)

oblock[i] = iblock[i] ^ kblock[i];  wicked crypto (XOR! Fast!)

osize = fwrite(oblock,isize,1,ofp);  write out the ciphertext

if(osize <= 0)


fprintf(stderr,"%s: === unable to write data: %s\n",PACKAGE,ofile);



if(ofilesize<17) break;

ofilesize -= isize;


Warez extravaganza

Q & A

  • We will spank audience members during the Q & A

  • You must sign our Ass Release Form before you can be spanked

  • You may choose any NMRC member to spank you

  • If you do not choose a particular NMRC hacker to spank you, the NMRC hacker answering the question will spank you while giving the answer

Fin biatchez

Thanks to CAU, DC214, Jon Callas for SPA ideas, and the rest of NMRC

Shouts – Mike Rash (fwknop)

Photo session by Duy Nguyen and Amy Lee Muir

Art Manipulation by Weasel

NMRC Fetish Model – Bethany

FIN, Biatchez

Images © 2005 NMRC

  • Login