Shmoocon! The Shmoo Group's 2022 Infosec/hacking conference in Washington D.C.

Wait…what? Shmoo….what?


What the heck is Shmoocon? Shmoocon is an information security conference hosted by the Shmoo Group, a group of infosec practitioners who are masters of their craft with quite the sense of humor to boot. The founders of the annual event are Bruce and Heidi Potter, who have been throwing the conference since 2005. Since then, the attendee cap has roughly quadrupled to the two thousand or so who attended the 2022 edition of this fantastic event. Shmoocon is made possible by both its volunteer base and its sponsors, and as endearingly goofy and off-the-cuff as the founders and hosts are, you might not expect some of the big names on the sponsor list, such as Lockheed Martin, Oracle Cloud, and Accenture. It is encouraging that very large corporations like these recognize the value in Shmoocon. Shmoocon is not a stuffy corporate event of clean-pressed suits and ties, but an absolutely casual, goofy geekfest of infosec collaboration. Researchers, developers, vendors, pentesters, sysadmins and more come together under one roof to learn, share their knowledge, compete against one another in challenges, and just straight up have a good time.


This year, Shmoocon was held in Washington D.C. at the Hilton Garden Inn hotel. Ever the exclusive event, Shmoocon's tickets go on sale online in separate rounds at a widely publicized time and sell out within seconds of going live. The organizers do this to keep the conference more intimate and less chaotic than larger cons such as the better-known Defcon in Las Vegas. Defcon has been called "the EDC of hacker conferences", which is not always meant as a term of endearment. Because of the very nature of Shmoocon, photography is almost entirely prohibited, and the anonymity of many of its attendees is taken very seriously: a photograph of an individual can seriously compromise someone ingrained deep in the world of cybersecurity or pentesting, and that needs to be respected by every spectator.

The crowd at Shmoocon varied wildly across the IT/security spectrum. I met a variety of pentesters, including some who focused more on network intrusion and others who focused solely on web apps. There were also security-obsessed (hey, that’s a good thing!) sysadmins, security software vendors and developers, wireless hacking gurus, as well as people from the upper executive tier of organizations, such as infosec directors and Chief Information Security Officers. Students were certainly not underrepresented at Shmoo. I met students from elite online infosec schools such as SANS. Rochester Institute of Technology, infamous for its top tier infosec department, was present as well.

Shmoocon featured rows of vendors. The Electronic Frontier Foundation, a digital privacy and free speech rights organization, was there. Other vendors included security software platforms, consulting groups, and vulnerability research groups. Active Directory hardening consultants Trimarc were happy to discuss their offering, and their YouTube channel boasts some incredibly useful videos for any sysadmin looking to take locking down AD up a notch. Other security providers such as Synack were also among the vendors, explaining the services they offer and what sets them apart from typical bug bounty platforms and security-as-a-service providers. Polarity, a developer of software aimed at data analysts, was eager to discuss its product's features for pulling together data from many different running services and apps such as ServiceNow, Wireshark, Salesforce, and so on. Also featured was Hack for Charity, a group that works tirelessly to educate and house displaced persons from countries in turmoil. Black Hills Information Security (BHIS) was in attendance as well, famous for its consulting and SOC services and its online instructor-led courses. BHIS is a personal favorite of mine. Owner John Strand teaches pay-what-you-can courses that cover SOC basics, intro to security, and cyber deception (think honeypots and other ways of making offensive hackers cry).

As talks ran from Thursday to Saturday, anywhere from dozens to hundreds of attendees filtered in to listen and take notes on sessions that ranged from the dangers of commercial VPN services, to cryptography, to the Go language, to wardriving (surveying wireless networks from a moving vehicle), to name just a few.

Beyond the cornucopia of engaging talks, there were several other eye-opening side rooms. One of them was an intro to lockpicking. Each table in this room had a friendly lockpicking coach on hand to guide beginners through this delicate practice. The tables held pin tumbler practice locks of different levels (think the cylinder pulled out of a padlock), numbered #1 to #4 by difficulty (the number of pin stacks inside). This was my first time attempting to lockpick and within the span of about 2 hours, I managed to eventually pick 3 levels of locks using a very basic lockpick set.


Another fascinating part of the conference is the Team Fortress 2 "Hack Fortress" event. It's a little difficult to explain, especially without pictures, but I will do my best. Two teams sit at their respective tables in the stage area up front, with spectators watching from the bleachers. Each team is made up of 6 players (playing the Team Fortress 2 first-person shooter) and 4 hackers behind them. The hackers are on the same team and work through capture-the-flag-style challenges on their own computers. So what's the point of that? Each time a hacker completes a challenge, it affects the live game, for example by freezing the other team's gameplay. So the hackers on both sides are solving challenges to boost their own players' standing in the game: every point a team's hackers score applies a unique handicap to the other team. A team therefore needs skillful players and hackers working in unison to win. Although it was nearly impossible to see exactly what was on the hackers' screens (by design), the FPS action and score mirrored on the large displays were fun to watch. A very unique experience indeed.

This was my very first foray into the infosec conference realm and I have to say I found it refreshing, welcoming, and inspiring. Shmoocon prides itself on both showing you how far the rabbit hole goes and reminding you not to take yourself too seriously and to have fun along the way. We could all take a page from the Shmoocon playbook.

The Flipper Zero has arrived! First look and a glimpse into the BadUSB Function and Rubber Ducky Scripts

You might be wondering what the heck this gadget is. The device is called a Flipper Zero and, as one of the early Kickstarter backers, I am one of the few thousand proud owners of this gizmo as of this writing. In a nutshell, the Flipper Zero is a pocket-sized multi-tool for radio and access-control protocols: it can capture, analyze and replay sub-GHz radio signals, read and emulate RFID and NFC tags, send infrared remote codes, and more. As I write this, Flipper Zero owners are contributing large amounts of data to GitHub repositories; databases of brand-name TVs and their infrared remote codes are one example. Some consider the Flipper Zero's capabilities to be in their infancy, with firmware updates landing on what seems like a near-weekly basis lately. You can get a firsthand look at the collaboration already in full swing among Flipper Zero owners on their Discord server: https://flipperzero.one/discord

The Discord is divided into channels, one per feature of the device (e.g. the infrared remote capability, the Sub-GHz capability, the BadUSB capability, and so on).

The device can read NFC chips as well as RFID cards, badges and fobs. It can also record and replay wireless codes and, by virtue of this, control ceiling fans, TVs and more with its Sub-GHz and infrared functionality. But its abilities don't stop there: it can also act as a "BadUSB" device, which runs Ducky Script payloads (the scripting language of Hak5's USB Rubber Ducky).

By plugging the Flipper Zero into a computer (Mac or PC, depending on which OS the script was written for) and choosing the BadUSB option, you can "Run" any of the scripts you have saved to it. The Flipper Zero developers provide a demo script for both Windows and Mac, but what if we want to create our own? How do we do that? And what can these scripts truly do?

The idea behind BadUSB and Rubber Ducky scripts is that the device, when plugged into a computer, presents itself to the operating system not as a USB storage device at all but as a keyboard (a USB HID device). The host trusts keyboards by default, needs no extra driver and shows no prompt, so whether the device looks like a conventional USB flash drive or, in our case, like a Flipper Zero makes no difference. The genius of these devices is that they are essentially keyboards with a brain, and that brain is the script you have written and loaded onto them. As soon as this impostor keyboard is plugged in (and, on the Flipper Zero, the chosen script is started), it types out the script at machine speed, driving the target computer as if a ghost were sitting at the keyboard. Everything it types runs as whoever is currently logged in, so a locked screen stops it cold and a standard-user session limits it to what that user could do by hand.

So what can that script do? Essentially anything the logged-in user could do with a keyboard. Aside from the more tech-savvy and old-school computer geeks, most of us can’t imagine using a computer without a touchpad or a mouse, but everything on the machine is reachable from the Command Prompt (or PowerShell) on Windows and the Terminal on a Mac, and in those text interfaces no mouse is needed at all. These command-line interfaces predate the graphical desktop we all know and love, yet they still sit under the hood of every modern OS, and keyboard-only access is exactly what a scripted keyboard needs.

A Ducky Script for Windows, as an example, might begin with Windows+R (written in Ducky Script as "GUI R") to open the Run dialog. From there it moves on to the next scripted command, which might be STRING notepad followed by ENTER, launching Notepad from the Run dialog. Then maybe we want it to type a message such as “Hello world!!”. Or the script could instead type cmd into that Run dialog and land in the Windows Command Prompt.

If you’re wondering just what can be reached from the Command Prompt, the sky is the limit. A script could open applications, certainly anything bundled with Windows. It could open the Registry Editor (the configuration database that holds settings for the entire system) to collect information or make changes. It could read the saved Wi-Fi profiles on the machine: netsh wlan show profile name="SSID" key=clear prints the pre-shared key of a saved network in cleartext, and netsh wlan export profile key=clear writes every saved profile, key included, to XML files. A script can then bundle those files and email them to the attacker's mailbox, which receives an attachment holding cleartext passwords for every Wi-Fi network the laptop still has a saved profile for (networks the user told Windows to forget are gone). Whether key=clear works from an unelevated prompt depends on the Windows version, so verify that on the target rather than assume it.

If you happen to be the lucky owner of a Flipper Zero, you can follow this fantastic tutorial video by Ut4y0 to learn how to get set up for writing a Ducky Script for your Flipper: https://www.youtube.com/watch?v=rf5UJFMSGtE

The video above explains how to write Ducky Script in Notepad++. Think of Notepad++ as the evolution of the plain Notepad app everyone knows on Windows. Programmers use it because it organizes the syntax they type and applies automatic color coding to text it recognizes as keywords, commands or variables of the language in use. There’s more to it than that, but for this post we only need to scratch the surface.

Before writing Ducky Script in Notepad++, you can download a User Defined Language (UDL) file. It is an XML file that tells Notepad++ the keywords and comment syntax of Ducky Script so the editor can highlight them. Strictly speaking it is optional: Ducky Script is plain text and any editor will do, but the highlighting catches typos such as a misspelled command before they reach the Flipper.

Once the file is imported into Notepad++ and selected as the language in use, you’re ready to go. The first sample, a very basic Ducky Script, does nothing more than use GUI R (Windows key+R) to open the Run dialog, launch Notepad and type the text “You’ve been Rubber Duckied courtesy of the Flipper Zero you just plugged in!”

And here is a much more complicated script. This one starts with GUI D (Windows key+D) to show the desktop, so that the keystrokes that follow go to the OS rather than into whatever application happened to have focus. It then uses GUI R to open the Run dialog, but this time with far more than a Notepad message in mind: it launches the Command Prompt and dumps the names and passwords of every Wi-Fi network the machine has a saved profile for. It goes further still, collecting that output into a zip file of XML profile files and sending it to the attacker’s email address as an attachment; the XML files can then be downloaded and opened right in a browser. Lastly, the script deletes the working directory it created at the start. This cleanup reduces the artifacts left on disk, though Windows still records the arrival of the new USB keyboard in its device-setup logs and the Flipper itself still carries the payload.
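To see what such a grabber actually collects, here is an added example in Python; it is not code from this post or from the linked repository. It parses WLAN profile XML in the format written by netsh wlan export profile (the assumed mechanism behind the grabber) and separates profiles exported with key=clear from those exported without it. The three profiles are constructed samples, not real captures, and the DPAPI blob in the second one is shortened.

```python
"""Parse Windows WLAN profile XML as written by `netsh wlan export profile`
(added example, not the grabber's own code). Sample profiles are constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}


def _profile(name: str, auth: str, enc: str, shared_key: str = "") -> str:
    """Build a constructed profile in the netsh export format (not a real capture)."""
    ssid_hex = name.encode().hex().upper()
    return f"""<?xml version="1.0"?>
<WLANProfile xmlns="{NS['w']}">
  <name>{name}</name>
  <SSIDConfig><SSID><hex>{ssid_hex}</hex><name>{name}</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>{auth}</authentication>
      <encryption>{enc}</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
    {shared_key}
  </security></MSM>
</WLANProfile>"""


SAMPLES: List[str] = [
    # exported with key=clear: passphrase in the open
    _profile("HomeNet", "WPA2PSK", "AES",
             "<sharedKey><keyType>passPhrase</keyType><protected>false</protected>"
             "<keyMaterial>correct horse battery staple</keyMaterial></sharedKey>"),
    # exported without key=clear: DPAPI blob (shortened here), useless off-host
    _profile("OfficeGuest", "WPA2PSK", "AES",
             "<sharedKey><keyType>passPhrase</keyType><protected>true</protected>"
             "<keyMaterial>01000000D08C9DDF0115D1118C7A00C04FC297EB</keyMaterial></sharedKey>"),
    # open network: no sharedKey element at all
    _profile("CoffeeShop", "open", "none"),
]


def parse_profile(xml_text: str) -> Dict[str, Optional[str]]:
    """Extract SSID, security settings and (if exposed) the cleartext key."""
    root = ET.fromstring(xml_text)

    def text(path: str) -> Optional[str]:
        el = root.find(path, NS)
        return el.text if el is not None else None

    ssid_hex = text("w:SSIDConfig/w:SSID/w:hex")
    sec = "w:MSM/w:security/"
    info: Dict[str, Optional[str]] = {
        "name": text("w:name"),
        # netsh writes the SSID as hex so non-ASCII names survive; decode it
        "ssid": bytes.fromhex(ssid_hex).decode("utf-8", "replace") if ssid_hex
                else text("w:SSIDConfig/w:SSID/w:name"),
        "authentication": text(sec + "w:authEncryption/w:authentication"),
        "encryption": text(sec + "w:authEncryption/w:encryption"),
        "key": None,
        "key_state": "none",  # none | cleartext | dpapi
    }
    material = text(sec + "w:sharedKey/w:keyMaterial")
    if material is not None:
        if text(sec + "w:sharedKey/w:protected") == "false":
            info["key"], info["key_state"] = material, "cleartext"
        else:
            info["key_state"] = "dpapi"
    return info


def harvestable(profiles: List[Dict[str, Optional[str]]]) -> List[str]:
    """Names of profiles whose PSK an exfiltrated export hands straight to an attacker."""
    return [p["name"] for p in profiles if p["key_state"] == "cleartext"]


if __name__ == "__main__":
    parsed = [parse_profile(s) for s in SAMPLES]
    for p in parsed:
        print(f"{p['ssid']:<12} {p['authentication']:<8} key={p['key_state']}: {p['key']}")
    print("exposed:", harvestable(parsed))
```

The second profile is why the grabber has to pass key=clear: without it the keyMaterial is a DPAPI blob that only the Windows machine it came from can decrypt, so the exported file is worthless off-host. The same parser run over a suspicious zip attachment tells an incident responder exactly which networks' keys were exposed and need rotating.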

If you're wondering why DELAY appears throughout the scripts, it is a pacing buffer: the Flipper types far faster than a human, and the target needs time to open the Run dialog, launch an application or give a new window focus before the next keystrokes arrive. The script does not error out if a DELAY is missing or too short; the keystrokes are simply typed before the window is ready, land in the wrong place or get dropped, and the rest of the payload derails from there. The right values depend on how fast the target is, so the idea when writing these scripts is to pad generously enough that they work against any machine, slow or fast.
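Here is an added example in Python, not Flipper firmware and not Hak5's encoder, that parses the Ducky Script subset the Flipper's BadUSB feature accepts, simulates the keystroke stream with an assumed per-keystroke cost, and flags STRING lines that follow a key combo with no DELAY in between (the pacing problem described above). The BASIC_SCRIPT constant is my reconstruction of the basic Notepad script described earlier, since the original exists only as a screenshot; the key-name list and the 10 ms typing cost are assumptions.

```python
"""Ducky Script parser, simulator and pacing linter (added example, not
Flipper firmware or Hak5 code). Assumes the subset the Flipper BadUSB feature
accepts: REM, DELAY, DEFAULT_DELAY/DEFAULTDELAY, STRING, single keys and
modifier combos such as "GUI r" or "CTRL ALT DELETE"."""
from dataclasses import dataclass
from typing import List, Tuple

MODIFIERS = {"GUI", "WINDOWS", "CTRL", "CONTROL", "ALT", "SHIFT"}
NAMED_KEYS = {"ENTER", "ESC", "ESCAPE", "TAB", "SPACE", "DELETE", "DEL", "BACKSPACE",
              "INSERT", "HOME", "END", "PAGEUP", "PAGEDOWN", "UP", "DOWN", "LEFT", "RIGHT",
              "CAPSLOCK", "PRINTSCREEN", "MENU", "APP"} | {f"F{i}" for i in range(1, 13)}

# Constructed reconstruction of the basic Notepad script described in the post
# (the original is only a screenshot); the exact lines are an assumption.
BASIC_SCRIPT = """\
REM Open Notepad from the Run dialog and type a message
DELAY 1000
GUI r
DELAY 500
STRING notepad
ENTER
DELAY 1000
STRING You've been Rubber Duckied courtesy of the Flipper Zero you just plugged in!
"""


@dataclass
class Action:
    kind: str      # "delay" | "string" | "key"
    value: object  # milliseconds, text to type, or a tuple of key names
    line: int      # 1-based source line, used in lint messages


def parse(script: str) -> List[Action]:
    """Turn Ducky Script text into a flat list of actions."""
    actions: List[Action] = []
    default_delay = 0
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.upper().startswith("REM"):
            continue
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd in ("DEFAULT_DELAY", "DEFAULTDELAY"):
            default_delay = int(arg)
            continue
        if default_delay and actions:  # DEFAULT_DELAY pads between commands
            actions.append(Action("delay", default_delay, lineno))
        if cmd == "DELAY":
            act = Action("delay", int(arg), lineno)
        elif cmd == "STRING":
            act = Action("string", arg, lineno)
        else:  # key line: every token but the last must be a modifier
            tokens = line.split()
            names = [t.upper() for t in tokens]
            if any(n not in MODIFIERS for n in names[:-1]):
                raise ValueError(f"line {lineno}: only modifiers may precede the final key")
            if not (names[-1] in MODIFIERS or names[-1] in NAMED_KEYS or len(tokens[-1]) == 1):
                raise ValueError(f"line {lineno}: unknown key {tokens[-1]!r}")
            act = Action("key", tuple(names[:-1]) + (tokens[-1],), lineno)
        actions.append(act)
    return actions


def simulate(actions: List[Action], per_key_ms: int = 10) -> Tuple[List[str], int]:
    """Return a readable transcript and the total wall time in ms. per_key_ms is
    an assumed typing cost; the real figure depends on firmware and host, which
    is exactly why payloads pad with DELAY instead of relying on it."""
    transcript: List[str] = []
    total = 0
    for act in actions:
        if act.kind == "delay":
            total += act.value
            transcript.append(f"wait {act.value} ms")
        elif act.kind == "string":
            total += len(act.value) * per_key_ms
            transcript.append(f"type {act.value!r}")
        else:
            total += per_key_ms
            transcript.append("press " + "+".join(act.value))
    return transcript, total


def lint_pacing(actions: List[Action]) -> List[str]:
    """Flag STRING lines that follow a key press with no DELAY in between: GUI r
    or ENTER usually opens or refocuses a window, and text typed before that
    window exists goes to whatever had focus before."""
    warnings: List[str] = []
    for prev, cur in zip(actions, actions[1:]):
        if prev.kind == "key" and cur.kind == "string":
            warnings.append(f"line {cur.line}: STRING follows {'+'.join(prev.value)} "
                            f"(line {prev.line}) without a DELAY; may hit the wrong window")
    return warnings


if __name__ == "__main__":
    steps, ms = simulate(parse(BASIC_SCRIPT))
    print("\n".join(steps), f"\ntotal ~{ms} ms")
    for w in lint_pacing(parse("GUI r\nSTRING notepad\nENTER\n")):
        print("warning:", w)
```

Running the linter over a payload before loading it onto the Flipper catches the most common failure: a STRING typed straight after GUI r, before the Run dialog has appeared, which on a slow laptop sends "notepad" into whatever window was open instead. The simulated total also makes it obvious that a payload padded for a slow target spends nearly all its time in DELAY, not typing.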

If you’d like to use a pre-made WifiGrabber script, look no further than this one, courtesy of Gioman101:
https://github.com/Gioman101/BadUSBwifi-grabberFlipper
*You will need to put your email address and email password in place of the placeholders in the script to receive the zip file of credentials it sends out. Bear in mind that those credentials then sit in cleartext on the Flipper's SD card, so use a throwaway mailbox rather than your own. For a Gmail address you will need to have Google generate an App Password for the script: go to https://myaccount.google.com/security , sign in and open the "App passwords" section (the account must have 2-Step Verification turned on). Google retired the separate "less secure app access" setting at the end of May 2022; App Passwords remain available, and that is what this script needs. If you use a provider other than Gmail (Outlook.com addresses are free at the base level, as are Proton addresses, though Proton only exposes SMTP through its Bridge app), a handy list of mail server addresses and ports can be found here: https://www.arclab.com/en/kb/email/list-of-smtp-and-pop3-servers-mailserver-list.html#:~:text=Email%20Marketing%20and%20Newsletters%20made%20easy%20...%20,sure%2C%20that%20POP3%20access%20is%20en%20...%20 That server and port information also goes into the script's placeholders in place of the Gmail values.