Fosswar 2011 – How we did it

Intro
As said in my previous post about Fosscomm 2011, during the conference there was a wargame consisting of 5 challenges. We played in a team consisting mainly of the following members: manji/manjiki, trelo_mpifteki, mickflemm and me. Along with us was maisk mainly acting as our manager (!!) shouting at us when we did something he did not like. He was of course a great help (sometimes :P).

Few words about the team
As most people who regularly read this blog already know, I consider myself a sysadmin even though I currently work at a company that produces Linux based xDSL routers where I do most of the things required about networking and system interaction like QoS, VoIP, IPv6, firewall, etc. My coding is confined among the realms of scripting languages. Manji is also a sysadmin who has lately started to mess with VoIP. Trelo_mpifteki is mostly a java developer and so is maisk. mickflemm is a coder and a very good one, frequently messing with Linux kernel’s wireless driver support. Obviously, we are certainly not the typical wargame players…

The challenges
Be sure to download the challenges from: http://patras.fosscomm.gr/fosswar/

As soon as the wargame was on we split the challenges among us. Since mickflemm was the only coder he started to mess with challenge number 5 (reverse engineering). Me and trelo_mpifteki started to look at challenge number 1 (networking) while manji started poking at challenge number 3 (networking).

Challenge 1:
Type: Networking
Players: kargig, trelo_mpifteki
The first challenge said just this:

Connect to the elite port and find the secret message.

Everyone knows that elite = 31337
So we just did a nc X.Y.Z.W 31337 (where X.Y.Z.W is the IP address of the server) and the following message appeared:

IP protocol = 1
Timestamp
id = 1337
seq = 0xCAFE
orig = 0xDEAD

As it is easily understood one must create a packet, the problem is what kind of packet. And then was when I did a huge mistake stalling my team for more than 10 mins by insisting that Protocol 1 is IP. So we started trying to create an IP packet using scapy. Obviously we hit lots of problems because IP’s header clearly misses most of the above options, especially timestamp. Our next idea was to create a TCP packet in order to embed some of the options. This also lead to a dead end. The I looked again at my /etc/protocols file and I saw that Protocol 1 is ICMP. Timestamp is type 13, code 0 and the rest are just options. So our solution was this:

>>> packet_2= IP(dst='X.Y.Z.W')/ICMP(type=13, id=1337, seq=0xcafe, ts_ori=0xdead)
>>> send(packet_2)

Using Wireshark we captured the response packet which looked like this (this setup is on my box atm):

One can see the message: feedadeadface in it.

Hint:
If you need to compile listenicmp.c yourself you have to do something like this:

 # aptitude install libpcap-dev
# gcc -o listenicmp listenicmp.c -lpcap

Challenge 2:
Type: Steganography
Players: kargig,trelo_mpifteki,maisk
For this challenge the organizers gave us a hint what we needed to find was close to the end of the image.jpg and after “BAADF00D”.

# hd image.jpg | tail -n 4
000152a0  d4 4d 77 22 b9 9a 68 ba  ad f0 0d 78 9c 0b c9 c8  |.Mw"..h....x....|
000152b0  2c 56 00 a2 44 85 e2 d4  e4 a2 d4 12 85 dc d4 e2  |,V..D...........|
000152c0  e2 c4 f4 54 3d 00 72 da  08 ef                    |...T=.r...|
000152ca

so we found “ba ad f0 0d” and the next characters were “78 9c”. We googled those and came up with the result that it was the magic of zlib compression. So what we had to do was get the rest of the file after “ba ad f0 0d” and then uncompress that. To get the rest of the file we found the size of the file and subtracted the bytes (31) that were of interest to us:

# du -b image.jpg
86730  image.jpg
# split -b 86699 image.jpg koko
# mv kokoab final

Then we run python to decompress “final” file.

>>> import zlib
>>> ourfile=file('final')
>>> ourfile
<open file 'final', mode 'r' at 0xb7473020>
>>> chunk=ourfile.read()
>>> chunk
'x\x9c\x0b\xc9\xc8,V\x00\xa2D\x85\xe2\xd4\xe4\xa2\xd4\x12\x85\xdc\xd4\xe2\xe2\xc4\xf4T=\x00r\xda\x08\xef'
>>> zlib.decompress(chunk)
'This is a secret message.'

Challenge 3:
Type: Networking
Players: manji,maisk,kargig

While me and trelo_mpifteki were trying to solve challenges 1 and 2, manji was looking into challenge 3 pcap file for weird things. Once again we were given a hint that we needed to look at strange headers. Finding strange headers in a 800+ kb pcap file is not an easy task though. At a point manji was looking for very big sequence numbers…and then we got another hint, that we shouldn’t look at those big numbers at all. When me and trelo_mpifteki finished the other two challenges we started looking at Wireshark.
We applied the following filter:
(ip.host == 64.22.109.100) && ((tcp.seq == 0) || (tcp.seq ==1))
And the we had the following results in front of us:

Since we knew that the message was sent to “64.22.109.100” we needed to look at packets originating from “192.168.1.3”. The first thing I noticed were packets with strange TTLs, they were going up and down..so I made a guess that the secret message could be hidden there. Transforming those TTL values to ASCII was a dead end. Then we started to look closer at every packet that 192.168.1.3 sent to 64.22.109.100 and we grouped them by destination port. There was clearly something going on with destination port 58900. A careful eye will also notice that packets towards port 58900 don’t have an MSS set while others mostly do. So, we expanded our filter with packets that also had destination port 58900:
((ip.host == 64.22.109.100) && ((tcp.seq == 0) || (tcp.seq ==1))) && (tcp.dstport == 58900)
and came up with this:

If you look closely at the selected packet from Wireshark, you’ll see that the sequence number while set to 0 (zero) contains the letter ‘r’ inside it. The next packet contained the letter ‘o’ and the next one the letter ‘t’. Writing all these letters down we had this sequence:

r
o
t

q
r
n
q
o
r
r
s

That was a rot13 encrypted message! with google’s help we found a rot13 decryptor. The decrypted message was:
D E A D B E E F

That’s it! we had 3 out of 5 while no other team had more than 2. So we had wooooon! Congrats to everyone on our team!

Fosscomm 2011 – My review

Generic comments
I just got back home from Fosscomm 2011 and I must admit it has been one of the best organized events of this kind I’ve seen in Greece ever. The single most important fact was that presentations and workshops were always _on time_. They started on time, they finished on time. The organizers had to face even a power cut by the national energy company but they still managed not to fall behind on schedule. My only remark would be about the selection of the presentations that took place in the big room (called BA). Most of them gathered far less people than other presentations which took place in smaller rooms (B3 for example) and those rooms got extremely crowded from time to time. Maybe the organizers thought that generic open source presentations would attract more people than the technical ones but, unfortunately for them, and fortunately for “the greater good”, they were very wrong. This doesn’t reduce their achievement though. Another thing I would like to see on the next Fosscomm is less material given out to participants and instead spend this money on paying for travel expenses of people coming to speak on Fosscomm from abroad. Giving one (or even more) of the phones that HTC kindly provided to the voted by the participants best talk/presentation/workshop would also be very nice. My sincere congratulations to the organizing committee.

My IPv6 workshop
On my application to Fosscomm I had asked for one presentation and a separate workshop. This unfortunately wasn’t accepted, probably due to the large amount of other presentations/workshops, so I was given the first workshop on the very first day of Fosscomm, about “Using IPv6”- on Linux. Since I only had one hour, my original plans were to do a quick 15 min introductory presentation on IPv6 and then a 45 min hands-on lab. Since University of Patras could not provide IPv6 connectivity to the Lab, my other option was to have some remote VMs that would have upstream IPv6 connectivity and people on the Lab would ssh to. These VMs were kindly provided to us by Grnet and I have to publicly thank them one more time. My planning was bad though, people had far more questions about introductory IPv6 issues than I expected and the intro presentation was not finished until more than 35 mins had passed. This lead to the unfortunate result that the workshop could not be completed as I had planned. I am glad though that almost everyone logged into the VMs and had the chance to at least set up an IPv6 IP manually as well as an IPv6 default route. They also had their first ping6s. Some got even further by setting up ip6tables rules…What I definitely wanted to have shown during the workshop, and I didn’t have enough time to, was auto-configuration (SLAAC) which I consider to be one of the most intriguing features of IPv6. Next time I am doing either a presentation or a hands-on workshop, definitely not both in one session. Lesson learned.

Presentation/Workshop material:
Quick Intro to IPv6
Using IPv6 on Linux (workshop notes)

Talks I attended
All the talks I attended were very interesting, I probably did a very good job picking them 🙂 The ones I attended were:
Saturday
a) “A unified user account manager using LDAP/KRB5/CIFS” by Giorgos Mamalakis, Chariton Karamitas
b) “Network Exploitation with Ncrack” by Fotis Chatzis
c) “Wargames” by Patroklos Argyroudis, Fotis Chatzis, Chariton Karamitas
Sunday
a) “Intro to Arduino” by Pierros Papadeas, Kostas Antonakoglou
b) “Φωνή VoIPόντως εν τη ερήμω” by Effie Mouzeli
c) “Bright side of the Darknets” by Athanasios Kostopoulos
d) “Automated Testing Framework” by Giorgos Keramidas
e) “Performing Digital Forensics with Open Source tools” by Dimitrios Glynos
f) “Patras Heap Massacre” by Chariton Karamitas, Patroklos Argyroudis

I consider the most well presented one being: “Performing Digital Forensics with Open Source tools” while the one with the best slides was definitely: “Patras Heap Massacre”. If you weren’t there to see them, definitely try and find at least the slides if not the video.

Wargames
I had never participated before in any wargames because I considered that to be out of my league. That’s the reason I had not even registered for Fosscomm’s wargame called “fosswar”. I was curious though about what it’s like, so me and 3-4 more friends decided to stand in line and enter the room among the other people. The Lab room was crowded, really crowded. At first I thought that one reason for this would be the prize for the winner, an Android phone donated by HTC. I was later proven wrong though. Fosswar started and the organizers presented us with the 5 challenges. Two of those had to do something with networking…so I said to my self that I would be lucky even if I understood what one of those asked. Another challenge had to do with steganography, another one with exploiting a vulnerability in C and the last one was about reverse engineering. While this game could only have one winner, since me and my friends were not actually interested about the prize we decided to work as a team and see whether we can solve anything. Me and a friend looked at the first challenge, another 1 was looking at the third while 2 more were each looking at the fourth and fifth. During the wargame HTC asked for the names of people that wanted to take part in the competition, there nobody actually wanted to give his name. Most of them were there “just for the kicks”. That was even more exciting! HTC then told us that if nobody wanted to give his name the phone would be given on a lottery…so 10-15 people decided to give our names so the phone would “stay” at the fosswar. After solving the first challenge we got so excited that we just had to try the others, we couldn’t give up. So, after 3 hours of thinking and coding, the result was that our team managed to solve 3 of the five challenges, the details on what the challenges were and how we dealt with them will follow in a separate blog post, and we ended up being the winners because no other team had solved more than two. Yes, we had won! We had managed to solve the two networking challenges and the steganography one. That was soooo unexpected!

Pictures
My pictures from Fosscomm 2011 are at: https://picasaweb.google.com/kargig/2011050720110508Fosscomm2011#

My conclusion
Fosscomm this year definitely showed a trend. People don’t need generic presentations about open source any more, they know what it is, they believe in it, they use it. People really ask for technical presentations, and we need more of them.

Whoever couldn’t manage to attend Fosscomm 2011, should definitely attend Fosscomm 2012. I am certainly looking forward to it!

IPv6 workshop at Fosscomm 2011

This weekend, 7-8 May 2011, I’ll be doing a workshop about “IPv6 usage on Linux” at Fosscomm 2011 conference. Fosscomm is the biggest Greek Open Source conference with lots of interesting presentations, workshops and events. In the spirit of enabling IPv6 wherever possible, I am very happy to have managed to enable IPv6 connectivity for the website of Fosscomm this year!

During the workshop I will try to show the necessary tools to use, debug network problems and configure various services for IPv6. My goal is to explain to participants the abolishment of NAT, introduce the concepts of SLAAC and DHCPv6 and show them how to configure their networks to effectively use IPv6. If there’s enough time some issues related to IPv6 security will also be discussed. Target audience is people who are not afraid of the command line, have basic networking skills and are eager to learn things regarding IPv6!

Unfortunately it was impossible to have IPv6 upstream connectivity at the LAB, so participants will be testing everything on an IPv6 enabled remote infrastructure. Due to the limited number of LAB computers and Virtual Machines available, only 35, there is a registration form for participants to fill in. Please take the time to fill in the form any specific topics that you would like the workshop to pay attention to.

The workshop is taking place on Saturday 07/05/2011 and it will start _exactly_ at 10:45 in order to take full advantage of the time given to us by Fosscomm’s organizers.

Workshop is supported by the Greek IPv6 Taskforce and there miiiight be IPv6-related material distributed to the participants.

Please don’t forget to fill in the registration form!!!

Fosscomm 2009

Μετά από ένα τρομερό Σαββατοκύριακο στη Λάρισα γυρίσα πάλι πίσω στη Θεσσαλονίκη. Το Fosscomm 2009 ήταν πάρα πολύ καλά οργανωμένο και τα παιδιά του Linux Team ΤΕΙ Λάρισας αξίζουν πολλά συγχαρητήρια για την προσπάθειά τους.

Τα παιδιά μας είχαν κλείσει ξενοδοχείο και ήταν πάρα πολύ ωραίο να μένουν 60+ άτομα που όλοι κουτσά στραβά γνωρίζονται στο ίδιο ξενοδοχείο. Θυμίζε πενταήμερη! Επίσης είχαν τυπώσει μπλουζάκια (πρόλαβα και πηρα ένα), κονκάρδες και διάφορα άλλα. Μιας και η συμμετοχή στο συνέδριο ήταν μεγάλη, θεωρώ πως μόνο το Σάββατο πρέπει να ήταν πάνω από 200 άτομα, θα είχε μεγάλο ενδιαφέρον να δούμε τις απαντήσεις στο ερωτηματολόγιο αξιολόγησης της εκδήλωσης που είχαν στο stand τους και όποιος ήθελε συμπλήρωνε.

Έξω από το επαρκέστατα εξοπλισμένο αμφιθέατρο, υπήρχαν stand με έντυπο υλικό καθώς και CD/DVD από διάφορες κοινότητες. Εκεί ήταν το Foss.Ntua, η ΕΕΛΛΑΚ, ο HELLUG, η ελληνική κοινότητα Fedora και η ελληνική κοινότητα Freebsd. Φυσικά παρόν ήταν και η ομάδα του Linux Team ΤΕΙ Λάρισας με το δικό της stand. Το κλίμα ήταν γενικώς πάρα πολύ καλό και συνάντησα πολλούς φίλους και γνωστούς που είχα μήνες να τους δω.

Θεωρώ πως οι παρουσιάσεις ήταν γενικά καλές, θα τολμήσω να πω πως ήταν ανώτερες από το επίπεδο του περσυνού Fosscomm που είχε γίνει στο Μετσόβειο, αλλά κυριώς ευχαριστήθηκα τα workshops που πέρυσι έλειπαν εντελώς. Συγχαρητήρια σε όσους κόπιασαν για να τα διοργανώσουν γιατί ένα καλό workshop είναι πολύ πιο δύσκολο από μια απλή παρουσίαση…Δυστυχώς και φέτος υπήρξαν κάποιες ακυρώσεις ομιλιών, ελπίζω του χρόνου τα πράγματα να κυλήσουν πιο ομαλά 🙂

Αν και δεν είδα όλες τις παρουσιάσεις γιατί προτίμησα να περάσω κάποιο παραπάνω χρόνο με φίλους και γνωστούς στους διαδρόμους, από όσα είδα έμεινα εντυπωσιασμένος από την δουλειά που έχει γίνει στη Σχολή Ικάρων από τον κύριο Αντώνιο Ανδρεάτο. Είμαι σίγουρος πως πολλοί καθηγητές των δικών μας πανεπιστημίων, ακόμα και από σχολές πληροφορικής, θα ντρεπόταν αν έβλεπαν τα βήματα προόδου σχετικά με τη χρήση και διάδωση ελεύθερου λογισμικού που έχουν κάνει στην Σχολή Ικάρων. Επίσης ευχαριστήθηκα πάρα πολύ την παρουσίαση του Android που έκανε ο Κώστας Πολυχρόνης. Με έψησε ακόμα περισσότερο να αποκτήσω το HTC Magic…με τσουρούφλησε θα έλεγα. Δεν θα μπορούσα να παραλείψω φυσικά το workshop και την παρουσίαση του Gentoo, που είναι και το αγαπημένο μου distribution, και έγινε από φίλους. Επίσης το Xen workshop, από την κοινότητα ανοιχτού λογισμικού του Πανεπιστημίου Πειραιά, με έβαλε και πάλι σε σκέψεις για να αρχίζω να πειραματίζομαι ξανά με το xen. Η κοινότητα αυτή μας είχε κανει πέρυσι (2007-2008) την τιμή να ανοίξουμε (εγώ και ο Fuzz) μια σειρά από εκδηλώσεις/παρουσιάσεις που ακολούθησαν και μάλιστα βράβευσαν το iloog ως το καλύτερο ελληνικό open source project για το 2008 στην περσινή DTE!

Είμαι επίσης πολύ χαρούμενος που αρκετός κόσμος με ρωτούσε τι γίνεται με το iloog και αν θα βγει ξανά καινούργια έκδοση. Μου έδωσαν ώθηση να συνεχίσω να ασχολούμαι μαζί του και υπόσχομαι να βγάλω μια έκδοση μέσα στους επόμενους μήνες. Ελπίζω φυσικά σε αυτό να βοηθήσουν και κάποιοι άλλοι …αν έχουν ακόμα όρεξη (στραβοκοιτάζω προς τον Fuzz και τον comzeradd αν δεν το έχουν ήδη καταλάβει)….

Το highlight του σαββατοκύριακου όμως ήταν η έξοδος μας το σάββατο το βράδυ. Τα παιδιά του ΤΕΙ Λάρισας ήρθαν και μας πήραν από το ξενοδοχείο και ένα τεράστιο τσούρμο 50+ ανθρώπων περπατούσαμε μέσα στην Λάρισα για να φτάσουμε τελικά σε ένα τσιπουράδικο. Εκεί οι φωτογραφίες, που θα αρχίσουν φαντάζομαι να δημοσιεύονται σε λίγες μέρες, θα μαρτυρύσουν το τι έγινε 😀

Τι μου άρεσε:
α) Η οργάνωση
β) Κάποιες παρουσιάσεις και κυρίως τα workshops
γ) Που είδα φίλους και γνωστούς

Τι δεν μου άρεσε:
α) Που φέτος ήρθαν λιγότεροι Αθηναίοι…
β) Που κάποιες παρουσιάσεις ακυρώθηκαν για λόγους που δεν ανακοινώθηκαν (δεν αναφέρομαι προφανώς σε εκείνους που τους έτυχε κάτι έκτακτο…)

Τι θα ήθελα για του χρόνου:
α) Αντί για 10 παρουσιάσεις κοινοτήτων θα προτιμούσα ένα session με εκπροσώπους από όλες τις κοινότητες σε ένα panel, όπου για 1h να μας παρουσιάσουν τα των μελών τους. Δεν χρειάζεται η κάθε κοινότητα να μας λέει πόσα μέλη έχει στο forum/mailing lists/etc σε ξεχωριστή παρουσίαση. Αυτό μπορεί να γίνει από όλους μαζί…
β) Περισσότερα projects από τις κοινότητες. Προσωπικά με ενδιαφέρει περισσότερο να δω ότι ένα άτομο από την τάδε κοινότητα ξεκίνησε κάτι και τον βοήθησαν οι υπόλοιποι παρά να βλέπω ότι 1500 καινούρια μέλη γράφτηκαν στο forum τους.
γ) Καλύτερη παρουσίαση όχι τόσο των events της κάθε κοινότητας αλλά περισσότερο του τρόπου με τον οποίο τα οργάνωσαν. Αυτό λείπει κυρίως, έλλειψη οργάνωσης και εκεί θέλουν βοήθεια οι περισσότερες κοινότητες (αλλά και οι σύλλογοι).
δ) Ακόμα περισσότερα workshops.

Το Linux Team ΤΕΙ Λάρισας ανέβασε πολύ ψηλά τον πήχη αλλά ελπίζω το επόμενο Fosscomm, το Fosscomm 2010, όπου και να γίνει, να είναι ακόμα καλύτερο!

Συγχαρητήρια και πάλι 🙂

Ετοιμασίες για το Fosscomm 2009

Μιας και άρχισα να ετοιμάζομαι για το Fosscomm 2009 πήρα το .kml από το χάρτη (google map) που έχουν φτιάξει τα παιδιά του ΑΤΕΙ Λάρισας και τον μετέτρεψα σε format κατάλληλο για το Destinator μου.

Για όποιον άλλο θέλει να έχει τα σημεία στο Destinator του: Fosscomm 2009 Destinator (.dat) POI

Ελπίζω να μαζέψει αρκετό κόσμο η εκδήλωση 🙂

Υ.Γ. Μην ξεχάσετε να φέρετε εκτυπωμένο το gpg key σας μιας και στα διαλείμματα κάθε μέρας θα γίνει GPG Keysigning Party