BruCON 0x0B Network Post-Mortem Review

This BruCON edition (also called “0x0B”) is already over! This year, we welcomed more than 500 hackers from many countries to follow wonderful speakers and learn new stuff with practical workshops. Like the previous editions, I played with the network deployed for our attendees. Here is a short debriefing of what we did and found during the conference.

Basically, from an infrastructure point of view, nothing really changed. The same hardware was deployed (mainly wireless access for the attendees and wired network for specific purposes. We welcome the same number of attendees and we see every year more and more people trying to avoid wireless networks. Furthermore, all European travellers benefit now of the free data roaming across Europe. Also, the trend is to use encrypted traffic (SSL or VPNs), which means less “visible” traffic for us (No, we don’t play MitM 😉

First of all, we launched our wall-of-sheep like every year. It remains a very nice security awareness tool. New attendees ask me always how it works or “what’s behind the magic”. Of course, some dumb people keep trying to flood it with p0rn pictures. We used the same technology to reduce the number of offending pictures but it’s not bullet-proof. [Personal opinion: if you spent your time flooding the WoS with p0rn, you completely missed the point of a security conference… that to say!]

If we don’t play MitM, it does not mean that we don’t inspect most of the flows passing by our network. This is clearly stated on the website and the brochure. The first change that we implemented this year was an intercepting proxy to collect all URLs visited by our beloved attendees. Last year, we detected that many corporate laptops were trying to find WPAD files but we needed more data. Here are some stats about the proxy:

  • 274K HTTP requests (GET, POST or CONNECT)
  • 39K unique URL

What about the top-visited URLs? No Facebook etc this year, but many many (read: “way too many”) automatic updates URL! Many applications or systems still check and download their updates via HTTP! When you see how easy it is to manipulate this kind of traffic, it scares me. Bad practice: Do NOT enable automatic updates while connected to wild environments.

What about DNS traffic? Here again, we slightly changed the configuration. Many people don’t trust DNS provided by DHCP and use their own DNS or a public one (Google to the rescue with 8.8.8.8!). Blocking all DNS traffic to “force” people to use our own was nice but too intrusive. This year, we allowed all traffic but intercepted all UDP/TCP/53 traffic and port-forwarded it to our firewall. This way, people did not see that the DNS traffic was redirected to our own resolver. It was also an easy way to block some malicious or unwanted websites.

Here is the top-10 of resolved domains (without noisy and local domains like the ones used by the CTF):

QueryCount
coldchilli.de15346
softwareupdate.vmware.com11730
www.google.com9672
api.twitter.com8197
auth.gfx.ms7962
swscan.apple.com7955
ipinfo.io4032
twitter.com3698
http.kali.org3582
ftp.belnet.be3504

About DNS, we saw some DNS tunnelling and, for the first time, some DoH traffic! (DNS over HTTPS). Ok, only two different clients but it’s a sign!

DoH Traffic

Also, we collected interesting files transferred via HTTP:

Mime-TypeCount
HTML161391
PNG26772
Text20706
Jpeg14003
JSON6968
XML5729
Gif3744
ZIP365
JS168
Exe116
PHP14
BMP7
Doc2
SWF1
Unknown42258

About communications & chat, we detected IRC, Google Talk (both in clear text!), Skype & Teams.

We detected some juicy traffic which looked very suspicious but… it’s was just a guy testing a potential 0-day 🙂

About the logging capabilities, this year, we collected in real-time all data and indexed them into a Splunk instance. This is much more convenient when you need to investigate urgently an incident. We had to track a “bad guy” and he was discovered within a few minutes based on the MD5 of the downloaded picture! (I mean we discovered his MAC address and the device name).

To conclude, some extra numbers:

  • 3 Internet access lines (load-balanced)
  • 171GB downloaded
  • 847 devices connected to the network
    • 504 badges connected
  • 28515 pictures collected by the WoS
  • 282.244 collected files:
  • 898.638 DNS requests
  • 2.757.669 collected flows
  • 274K HTTP requests
  • 101.457 IDS events
  • 52 blocked p0rn sites
  • 4 network gurus 🙂

We are ready for the next editions and, based on what we learned, we already have nice ideas…

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.