Alright, so. My name's Mike, thank you for coming to the talk, sorry for those... the long delay there. They make us test our VGA to HDMI converters in the green room, but it turns out that the green room equipment is not the same as the equipment in this room, so, didn't work. Anyway, um, I'm going to talk about loading code from a copier. Now I've mentioned this title several times over the weekend, you know with the blue badge people ask me all the time what I'm talking about, so I had to disabuse some notions right away. I'm not infecting the printers I'm talking about here, the scanners, by doing the firmware, I'm using them as designed as a scanner and moving documents from the scanner to a target workstation on a closed network and interpreting those documents in a way to draw binary files onto the, uh, onto the target machine. So I just wanted to make sure you understood that right away. Um, and this is definitely an insider attack, this is for something I worked on to do, um, work on a closed network to load arbitrary tools. Here's what I'm going to go over, um, and it's, uh, it's a phased attack, and each step of the phase kind of changes the amount of, uh, data I get per page on the scanner into the machine until I go from basic just text, uh, analysis down all the way to getting about 80 kilobytes of data, uh, per page onto a targeted machine. So that's the different phases that we're going to go through that all with you.
So, the way this all started is I was at work on a closed network and it had a collaboration portal on that network, and it was kind of SharePoint based, kind of thing, um, and it had these text entry boxes, like you can see here, um, and it didn't take me long to discover that they are being uh, the data's being [inaudible] on the client side with some javascript. And I was like "oh, well I bet I can beat that and put some cross site scripting attacks on my collaboration portal at work." Um, but, uh, and that's easy to do when you're at home, right, when you're using your machine, you do something like Tamper Data, or Burp Suite to intercept the call and modify it after it's been through the javascript modification. Um, but I didn't have any of those tools available to me. So I said, I kept trying to think through, what would I do to make this happen? I was like, well, um, like I said, Tamper Data, Burp Suite to intercept the post call, don't have those, I could forge the post call but I didn't have Perl or wget available to me, and eventually I came to the conclusion that what I really wanted to know how to do was put whatever tool I wanted on this machine without making anybody mad. Without getting caught, really. So um... [laughter] So, uh, that's kind of where I ended up working on this particular problem. So these are the conditions that I had to work with. I had a closed network, uh, sort of, right, there are no really truly closed networks anywhere because they're basically not useful.
Um, but this is for all intents and purposes a closed, secure network. Uh, and this network, the USB ports are secured, monitored, sometimes they're physically locked, uh, CD use is secured and monitored, typically from a, uh, a writing standpoint, not so much a reading standpoint, but nonetheless it is monitored. Uh, there's an endpoint security system on this, on my workstation, um, and, you know, it's generating logs for everything I do down to the mouse click I guess, I don't know, but only certain things it logs are gonna draw attention from any kind of security people, right? So I wanted to avoid those things. There does exist a data transfer point between my... between a less secure network that's closer to the internet than this secure network, um, but I didn't know how it worked, um, I didn't know, um, what it logged, I didn't know what rules it had per scanning, I didn't know who it alerted, and I wasn't really in the mood to try and keep poking at it to see what I could figure out and raise my noise level til I got through what I wanted to, um, because I didn't want to get fired, so... um, I didn't want to use that. And basically it's a Windows and Microsoft Office environment. These are the tools I had available when it got right down to it. I had Microsoft Office which provides access to Visual Basic for Applications.
Uh, I had professional level printers and scanners, uh, that can, you know, print and scan to a very fine level which is really useful for what I was doing, and Adobe Acrobat with optical character recognition is what I used. Alright, so first is getting Excel into attack mode, and this is just turning on developer mode in Excel. Now, you know, we all get those little pop ups that say "hey, don't, you know, don't run the macros" that kind of stuff, or "do you want to approve these macros" but if you're the insider writing the macros, that kind of is pointless, right? So, um, and, I call Excel 'attack mode' because inside of Excel you can write arbitrary script, and Excel with Visual Basic for Applications can modify files at the byte level. Uh, and not only that, you can call arbitrary DLLs with arbitrary functions, with arbitrary inputs to those functions. And that's an awful lot of arbitrary for any insider to have available to them as an attack surface. So I call it putting Excel into 'attack mode', and it's not hard to do, and I'm sure you guys all know how to do it, but you just go to the File, Options, you turn on Customized Ribbon, you turn on the Developer checkbox, then you get a new ribbon on your Microsoft Excel, um, uh, page, and you click the ribbon there and you click Visual Basic and then you would now have access to a fully functional integrated development environment on your workstation.
Now I think the important point here is you're an unprivileged user and you now have an integrated development environment, and I know in many places the users who are developers, who [inaudible] to write binaries, they, they get, you know, extra monitoring, they get extra scrutiny. But the point is every user on a Microsoft Office based network, um, can do this, and it's probably not being watched. So this is called putting, I call this putting Phase 0, getting it set up. Now the next thing you want to do is you want to get an arbitrary script into your Microsoft Excel. Um, and the way I do that is by, uh, printing it and scanning it, basically. There's some, there's some tricks to it, uh, I'll show it to you here, this is a Mac so I'm gonna mess this up, but that's alright, let's see... So this is the script that I'm gonna talk about a little bit later, this script is the Phase 1 of the attack. Um, and you can see some things you need to do is you don't have any indentation, because indentation on the OCR messes up the order of execution in the script. So that's not super useful. Um, and a lot of other things will kind of go wrong here... um, when you do this. Now, um, let's see...
[inaudible] Alright, now, I would show you if my Windows machine were here, that I would do this live here, I would just cut and paste this whole thing, so basically you scan this on your work computer, your work scanner, you have it emailed to you, that's how the documents get to you, you just, uh, you OCR it, you highlight it all, um, and then cut and paste it into Visual Basic. Now let's see what happens if I do that here... of course Visual Basic isn't turned on here, because this is not my machine, and I don't know how to do it on a... [audience member yells] Yeah... I don't know how to do it on a Mac. Alright, so we're not gonna do the scripts. Okay, so, um, I have some samples in my presentation though, so let's go back to my presentation. Nope, no... so we're not gonna drop out of that anymore, okay... Alright, um, so I talked about how you do it, you can print down to about 8pt font, you scan it, no demo at the time, so let's skip it. Alright, so these are the screenshots from a previous briefing I did on this, um, so when you drop it into Microsoft Excel Visual Basic it doesn't work exactly right, um, you can see here that these, uh, these lines here, these are all comment lines. And uh, the comment delimiter has fallen off. So that's one kind of error. Let's see, um, another error, common one, is right here, it gets rid of an equals sign, uh, that happens quite a lot. And, let's see if I can find any of the function flow ones... Nope, I don't see it.
Um, other kind of weird errors that happen, um, sometimes it interprets 1's as L's, so I had a, uh, I have a function called, uh, 'calculate checked', 'checksum', '1 byte', 'exclusive or', it turned into 'L byte exclusive or', but it did that for every instance of that word, so basically it would still work, even though it changed the many names of the function, so that was kind of a happy failure. But you have to watch out for all the, um, the change in the program flow. Then I wanted to go through [inaudible] your stuff... um, you know, you'll still find more errors, when you go ahead and you click, uh, you know, you click F5 to run it, you can see there's one highlighted right there, the value is kind of in the middle of nowhere there, and um, not exactly sure where that came from on this one... um, so, but it'll help you fix it. The bottom line is you can do this, you can get an arbitrary script into place, um, using a scanner without too much of a problem. Now, um, you could also type them, if you took out the comment lines, my, the hex magic stuff I'm gonna talk about in a second isn't that long, it's only a few pages, so, um... but if you had a really long complicated script you could get it in this way. Alright, so, the goal is to use those methods I just talked about to make a script that will take an arbitrary file, uh, encode it in binary, sorry, encode it in hex, um and make it so you can print it out really nicely, um, and then take those to work and scan them. And why did I go with hex?
Well I did a bunch of experiments, um, I found that I could get down to a much smaller, uh, size font from a 12pt to 8pt so I could get more data on there between hex encoding and base64. I didn't have any word length errors meaning when it goes through [inaudible] through the document it interpreted the length of the words as it was supposed to be whereas base64, about, you know, um, over 10% of my words got messed up with lengths, so like missing symbols or added symbols. Um, transcription errors, uh, I didn't have any transcription errors in my initial experiments, it, uh, it decoded every word correctly, every, um, hex code correctly, whereas base64 there was a ton of errors. Um, now, other experiments showed me that there are errors in, uh, in hex encoding, but they're usually one for one, and they're usually really easy, so it means, it's like uh, an 8 goes to an S, and it always does that, it always interprets 8's as S's, so it's easy to fix that, and it's also easy to realize that an S is not a valid hex code, so if it's an S it's actually supposed to be an 8. Uh, base64 that won't work, because almost every typable character is included in the base64 encoding and so you can't tell where your errors are. You don't know what your... what's going wrong, so I didn't like base64 encoding even though it gave me a lot more data per page.
So this is what it looks like when you encode a file, um, the script, the hex attack, which I would have loved to have shown you running real time, um, will create this, and it generates two columns. This is the data column, uh, the information in the file there, and this is a 2 byte exclusive or checksum which I'll talk about here in a little bit. Um, and then you just export those as a CSV file and print them, and you can take these pages and scan them. And uh, transfer your data into your uh, into your closed network, as long as the secretary's not watching you scan. Alright, um, so, I realized with hex encoding it wasn't gonna be perfect, I was gonna have errors, so I built this kind of compact exclusive or checksum in there. Now, the reason why I used it, it needed to be really small, 'cause every byte I give over to my parity, my checksums, is another byte that I lose in data, and I needed to get as much on a page as possible. So on with this 2 byte exclusive or, I was taking a gamble that I wouldn't have that many collisions between, uh, failure modes to show that the data would work. And it did work, um, and when you run the code if it can't match the checksums it'll give you this little 'data is corrupt, cannot decode the data', um, and then it'll highlight the offending line in red. Um, and, uh... I'm gonna have a hard time showing you what I usually show... Now, the um, what you typically have to do here is... see. I'll do this in a second. But, um, it's...
you'd think it'd be a pain in the butt to find these broken lines in your printout, but it really isn't, you just take this, this exclusive or, and you would find it in your Adobe document and find that line, and after you do this a few times you realize there's a pattern to the failures. Uh, there's certain symbols that show up, like tildes and stuff like that, and any dots that happen to be between the lines of your actual printout, um, will cause errors. And so you learn to find them very fast, it doesn't take very long to fix, even a large amount of hex data, um, using this method. Uh, and now, since I'm briefing at DEF CON and I was warned that I have to have pictures of cats, um, if you were to decode this hex code that generates this picture of an ocelot, this is something I was working on at work, I didn't want to actually draw up a binary file, but I figured a formatted file would work, so that's what that one does. Now when I really took this... took this to the next step and I was going to use it to drop my DLL in place, um, I discovered very quickly that it didn't work as well as I thought, I had quite a bit of error, although it's only about 1% error, it's still a lot of problems to fix. And so I discovered all of these kind of errors that you see here. You know B turns to 8 a lot, 1 to L, 5 to S, these kinds of things here. Um, and some of these are pretty bad, right, a B to an 8, that's bad, because B's and 8's are valid hex code.
Um, 1 to L's, not a problem, 5 to S is not a problem, D to 0 or O, that can be a problem, and 6's, uh, get changed. So I came up with some alternative characters that actually show up in the printouts. Um, we get, I used a hash mark for a B and question mark for a D, and I just chose them because they didn't look like anything else. So I thought that they would OCR pretty well, and I was right, they did work really good. Um, and I auto replaced the other major errors and then, um, I put strong visual indicators in the, uh, in the decoding, to show you where your problems are. Um, the only thing I can show you about that right now is the one you already saw, the red one, um, but when I did this with my actual DLL I only had 1 manual correction in 1210 lines of text. That's about, like, 19 pages of decoded text. Um, and so it worked out really well. Um, uh, I think I can show you, maybe I can try to show you... Let's see, I did open it, where did it go... Yeah so here is, um... Nope, nope... there we go, okay. Alright so you can see here here's the, uh, 2 byte exclusive or, and here's the data line with the uh, the question marks for the D's and hash marks for the B's, and I don't think I can find the easy to see errors real quick, but uh... Nope... I can't do it fast enough. So, it'll scan pretty well. Alright, does anyone know how to make PowerPoint come back to the slide you just left? [audience member yells] Say again? [audience member yells] I'm on it. [audience member yells] Alright, there we go. Thank you. Alright.
Okay, so the hex attack is really, uh, super reliable. You really can get data very easily onto a machine and it's not gonna fail, uh, pretty much at all. And you can, if you really had to, you can enter it in by hand. You can type in those hex lines if you really wanted to, um, and uh, I know it gets kind of tedious after 19 pages but if you didn't have a scanner available you could do this and still get arbitrary binaries on your system. The bad part is it does have a low data density, about 3.6 kilobytes of data per page, and I put some common tools here... No, go back... Put some common tools here between PowerSploit, Mimikatz, like 200 pages of data, you would be trying to scan at work, so that would probably raise some flags. Um, so that's a little... little too much. Um and there's no exfiltration compression advantage. If you wanted to remove a binary file from this closed network and print it out in hex code and take it home and recreate it, um, you wouldn't really be able to do it, um, with any kind of real, uh, compression. If that file was 3.6 kilobytes long and you printed it, it probably would be a page long and you're not getting any real benefit, unless it's an unprintable, uh, document. So, I needed to do better. And so I got to thinking. "What... how could I possibly put more data on a page? How could... if there was just some technology somewhere that would allow me to encode data black and white, 2 dimensionally on a piece of paper at the pixel level, what could I possibly use?"
Well yeah, so, it didn't take me too long to figure out that there's an awful lot of 3D Barcode stuff out there. And so I went with uh, some barcode experiments. First I had to practice with data matrices, I wanted to see how close I could get them down, um, and I just took this big one you see here and I kept shrinking it using PowerPoint, um, and saving it as an image, until it got to the point where the lines between the data bits started to blur and it wouldn't work anymore. Um, and I just tried to see how small I could get onto a page that way. But I kept thinking about it, um, and with the amount of error correction built into most 2 dimensional barcodes, I was only getting to about 20 kilobytes of data per page. Um, they have about 60% error correction, it depends on the, uh, barcode, but it's because they're designed for machine purposes. They're designed for low light. They're designed for weird orientation, for people using cell phones, um, and that's a different design problem than I've got, where I'm basically taking the sheet, putting it on a scanner that scans very well, in a, in a perfect environment, and I control the orientation from the get-go. So, I thought about, well, maybe I can make it better. I took some features from, uh, from these barcodes, timing lines in order to help locate the data and Reed-Solomon error correction, but I was like "I can make it better for my purposes", so lo and behold I generated the 8 and a half by 11 inch big barcode. [audience reacts] And that's what it looks like.
Um, and with that I can get, um, about 85 kilobytes of data per page. And this is what it looks like up close when you zoom in, it has the timing line on all 4 sides, um, and it has the data, I caught the data, meet in the middle. And if I print that image at about 72 dots per inch I can get about 88 bytes of information across a single pixel line. Um, and uh, [inaudible] is a bit, right, I mean that's an off bit, those are on bits, um, and uh, and I get about 80 kilobytes of data on a page. So I was pretty happy with that, um, and, so interpreting it, uh, I basically, I start with a raster scan going across the image until I find the top, uh, top left most timing mark, and then I kind of stop, and from there I do a thing which I, uh, technically call 'wiggle fit', where I've got my mask and I put it over the timing mark that I found, and I just keep moving it around until I find the most black part of it, because you can see it when they scan, the edges get pretty, uh, fuzzed out. That was cool, the thing got all big, anyway, um, and so I wanted to find the most black part, so, so what it does, it moves the masks around... it finds the mask that has the most dark, it picks a center point and moves across to the next timing line, uh, timing mark, and it just finds the center of the next timing mark, and it works very well, and it, I do this on all 4 sides. And in the end I end up with this, uh, where each of the centers are...
are indicated, and, um, and then you end up with a, just a bunch, a grid of intersections for each of these lines, you know, matching, this mark with the one all the way at the bottom, uh, makes a straight line, this... this guy here matched all the way to the right makes a straight line, I calculate the intersections and at the... at the intersection of each one is a data pixel, and I pick the... I pick the data off that pixel, and I decide whether it's an on bit or an off bit. Um, and it works fairly well, I do get some errors, I didn't expect it to be perfect, my first test runs I ended up with something like this, this is a heat map, all the black is, uh, bits that were read correctly in my scan, uh, these red ones here are bad bits, and there's a couple of outliers, there's one here, there's a couple over here, um, and this is what I really expect it to look like, uh, since I start in the upper left I figured it would start getting bad by the bottom right. Turns out I wasn't really correct, um, when I took the 8 and a half 11... 11, uh, document, I get this big heat problem in the middle here. And, um... stop that... So, the uh, the big problem here is this is a lot of error... Can't see the error? The red mark? [audience member yells] Yeah, okay, so imagine red marks where I'm circling. [laughter] Uh, and I was afraid you weren't going to be able to see it, um, when I was thinking of doing this brief, and then, sorry, but... So there's a bunch of red marks in there kind of clustered.
Now, the problem is I have to adjust my error encoding, on the, um, on the... on the big barcode to handle the worst error, not the best error. So, if you were able to see it, you would be amazed at how clean it is up here, and you would be astounded at how nice it is around here, but you see this giant red stuff in the middle, and that's what I have to base my error correction on, which causes a lot of data loss in parity bytes. So, I knew needed... I knew I needed error correction. I knew it wasn't going to work, so I went with Reed-Solomon forward error correction, and I, turns out I don't understand Reed-Solomon forward error correction at all, and I don't understand the math behind [inaudible] finite fields either. So I was like, well, I don't want to do this stuff from scratch, I'm just going to find a library, there's lots of libraries out there, for forward erasure correction and forward error correction, except, the pawn test I discovered that the majority of the forward error correction ones I found out there just don't work. I don't know who's writing these opaque API libraries that I can't figure out and... I actually contacted university professors and they couldn't figure out, um, but... but stop it. If you're going to put something out there make sure it works. So, but there's a lot of forward erasure correction libraries out there, so I decided to go with forward erasure correction to see if I could use it. Now the problem is forward erasure correction is for a...
a data stream, where the, uh, your missing data, that doesn't make it to the receiver. That's what it's really for. Um, and it works a bit like this. You have a... you have, uh, some data and you separate it into blocks, you assign a parity byte to each block, parity bytes to each block, and then if one of those blocks turns up missing, um, you use the parity bytes in the remaining blocks to recreate the, the missing block, and that's how forward erasure correction works. Now my problem is not missing data, my problem is corrupted data. So I decided "well what if I, uh, did a checksum and if the checksum didn't match I consider that block dead and I just take it out." So that's what I did. I got my block of data, and my parity data, and then I've got my checksum for the whole thing, and if one of the one of the parity bytes turns bad, or if one of the checksums is bad, then I ignore that block and try and recreate it. But it didn't work. Um, it uh, I had too many collisions and so it was actually trying to recreate the, uh, missing data with corrupt data, and the math will still work and it will generally generate a corrupted response, generate a corrupted file. So it just didn't work. So I knew I had to go do forward error correction, and forward error correction is for corrupted data. So you have a word of data, you separate it into bytes... um, you add parity bytes to that data... um, if 2 of your bytes go bad, you can use 2 parity bytes to find the bad data, and then 2 parity bytes to correct it, and it works very well.
And this is what I needed. But like I said the problem was there weren't 00:22:26.078,00:22:31.784 any working libraries out there for me to use. Uh, so I had to write one, um, much against my 00:22:31.784,00:22:38.023 will. Uh, but I found this really good Python, uh based, uh, library at Wikiversity, and 00:22:38.023,00:22:43.262 line for line I just recreated it in C, basically, C++, until I got the thing working, and it 00:22:43.262,00:22:46.866 was a lot of debugging, and pain and suffering involved in there, but I finally got it working, 00:22:46.866,00:22:51.237 um, and uh, and this is what I had to do to get Reed-Solomon forward error correction working 00:22:51.237,00:22:56.242 for my big barcode. Alright... so, um, because of the big heat map of error in the middle that 00:22:59.445,00:23:02.781 I told you about that you couldn't see, but you're just going to have to trust me, um, I 00:23:02.781,00:23:06.986 needed about 45% error correction for it to work, um, which means I only got about 47 00:23:06.986,00:23:12.658 kilobytes of data per page. Which resulted in, um, uh, you know, it's order of magnitude 00:23:12.658,00:23:16.996 better, so PowerSploit you can get it in 18 pages versus 232, so you can really get, really 00:23:16.996,00:23:20.733 start moving some data now. You have a good, kind of, uh, compression advantage over the 00:23:20.733,00:23:25.738 previous method. And, uh, the demo is awesome, it really is, so... [laughter] Uh... uh, I'll 00:23:27.806,00:23:32.111 show you how it all works, I'll show you how you use a script... [clears throat] ...and the DLL 00:23:32.111,00:23:38.250 to open the, uh, um... uh, to... to create the barcodes and to interpret them and I do live 00:23:38.250,00:23:41.587 drops of everything, so, yeah, it's, uh... it was really good in my room, you guys should have 00:23:41.587,00:23:46.592 been there last night. 
Alright, um, but, so I decided to give myself a grade on how this went 00:23:48.627,00:23:53.032 for me, um, so my goal was to install PowerSploit on a machine, uh, that didn't have it 00:23:53.032,00:23:57.036 on it, using these methods, and not using magnetic media. So, just some grades. Interpret a 00:23:57.036,00:24:01.373 page sized barcode, yeah, I could do it. Um, the Reed-Solomon encoder decoder, 00:24:01.373,00:24:05.377 uh, I was able to make it work, uh, eventually, um, there's a yellow mark there and I'll talk 00:24:05.377,00:24:11.684 about that in a second. Um, I built the library, I caught side loading, uh, I was able to get 00:24:11.684,00:24:16.488 the payload decoded onto my target machine except because it was like 18 pages of data I just 00:24:16.488,00:24:21.493 made a portion of PowerSploit, so it was only 3 pages long, um, so I only gave myself a yellow 00:24:21.493,00:24:26.899 on that, or I guess an orange. Um, the hex encoder works, I was able to emplace the library I 00:24:26.899,00:24:32.538 used in the OCR method, and I was able to generate... write my DLL, hex encode it and drop it 00:24:32.538,00:24:36.308 on my target machine so that I could read my big barcodes, it all... it all works, after 00:24:36.308,00:24:41.313 much... much effort. Um, just take my word for it. So, um... so the POCOC status and the 00:24:43.949,00:24:47.920 constant stuff I learned from this, was that, uh, standard office tools provide a lot of 00:24:47.920,00:24:53.292 power to the user. Um, that, you know, maybe you're not fully aware of. We, uh, basically the 00:24:53.292,00:24:58.430 user can code, the system is not secure, but the bottom line is any user of a Microsoft based 00:24:58.430,00:25:04.103 machine can code. Um, and that, uh, is a big attack surface to pay attention to, and a 00:25:04.103,00:25:08.340 determined insider can do it. 
Um, and you can use office input output systems for 00:25:08.340,00:25:12.077 creative purposes that weren't intended, and that no one's really monitoring. Uh, no one's 00:25:12.077,00:25:18.183 really monitoring the printing and scan load even of the secure network that I was using, um, 00:25:18.183,00:25:22.955 they're not watching for information to come in this way. Uh, so, it just provides a, uh, 00:25:22.955,00:25:27.860 kind of a hole there, to kind of squeeze through. Alright, some future branch research. I'd like 00:25:27.860,00:25:32.731 to reduce the size of the big barcode DLL, the sideload DLL, it was, uh, 19 pages of hex 00:25:32.731,00:25:37.035 code, I'd like to make that a lot smaller, um, size optimization is not really my 00:25:37.035,00:25:43.075 thing, but that's something that, uh, I could, uh, work on. The error rates, uh, I was... I 00:25:43.075,00:25:46.812 made an experiment to add more timing lines into my big barcode thinking it would help with the 00:25:46.812,00:25:50.949 error rates, for reading the big barcode, and I was 100% incorrect, it actually messed it 00:25:50.949,00:25:54.887 up. Um, and I still don't know why, it doesn't make any sense, but I'd like to improve the 00:25:54.887,00:26:00.492 error rates so that I can use fewer parity bytes. But, um, this next line is the real key. If I 00:26:00.492,00:26:05.497 can use, pardon me... If I can use 2 to the 16th Reed-Solomon encoding, I can do a lot better. 00:26:09.768,00:26:15.641 Um, so, Reed-Solomon encoding it at 2 to the 8th means that your code words are 255 bytes long 00:26:15.641,00:26:19.178 and it has to include your parity bytes, so you have to base your error... on, the 00:26:19.178,00:26:25.017 amount of error you're expecting at 255 bytes, and because of the invisible heat map, um, the, I 00:26:25.017,00:26:29.254 have to plan that for the high error areas, not the... not the, not the really nice areas. 
2 to 00:26:29.254,00:26:31.256 the 16th Reed-Solomon encoding means that I can have a, uh, a code word 135 kilobytes long 00:26:31.256,00:26:33.258 which is longer than my page, um, and I only get about 1% of error across that page as a 00:26:33.258,00:26:35.260 whole, so I wouldn't need very many parity bytes at all if I could use, um, 2 to the 16th 00:26:35.260,00:26:37.262 Reed-Solomon encoding, but I couldn't get that math to work, um, and, uh, it also runs much 00:26:37.262,00:26:42.067 much slower, and so running experiments to debug it was taking me too long. So, I didn't 00:26:42.067,00:26:45.604 keep pursuing that, but if I get that working, it would improve the amount of data I can put on 00:26:45.604,00:26:47.606 each page by quite a bit. Um, if I could add color to the big barcode, um, instead of just 00:26:47.606,00:26:49.675 black and white, you know, I did a 4 color experiment to see is that why I'm only using, uh, you 00:26:49.675,00:26:52.144 know, 4 blips instead of 8 to... to find my bytes, uh, I was able to get it to work, but there was 00:26:52.144,00:26:55.814 a lot of error and... and decoding color from a scan, quite frankly, um, but I think 00:26:55.814,00:27:00.752 it's an area for future research. Uh, and also I got real excited about using Excel 00:27:23.942,00:27:29.681 to mess with things, um, though Visual Basic for Applications is kind of a... pain, um, the, uh, 00:27:29.681,00:27:34.586 it is powerful. Uh, the ability to write at the byte level means you can do anything with it you 00:27:34.586,00:27:38.524 want, making a hex editor out of Visual Basic for Applications would be super easy, I started 00:27:38.524,00:27:42.561 with that a little bit, um, steganographic encoder decoder, to, you know, I did that 00:27:42.561,00:27:48.100 already, so I could send stuff... myself stuff to work, um, that's easy to do. 
Restoring 00:27:48.100,00:27:50.502 the command prompt, if you're on a machine where the command prompt's locked down by the 00:27:50.502,00:27:54.706 security policy, it's just a matter of flipping a byte to make it work again, um, and you can 00:27:54.706,00:27:59.011 do that with Excel, and I don't know for sure, but I think you can get [inaudible] some direct 00:27:59.011,00:28:03.949 reflective DLL injection. Um, uh, as well. Messing with the way... Excel calls DLLs, and now, I 00:28:06.552,00:28:10.422 don't think any of this stuff is earth-shattering new, I mean, people have been running macro 00:28:10.422,00:28:15.227 viruses forever, and they're, you know, all back in vogue now, um, but the, uh... this is 00:28:15.227,00:28:19.164 from the perspective of an insider being able to just do these things to your machine, 00:28:19.164,00:28:25.037 um, and it's something I think you need to watch out for. Um, I don't think I... can show you 00:28:25.037,00:28:30.042 much more, unfortunately, let's see... I really wish I could show you the demo. Um... let's 00:28:35.981,00:28:42.454 see. So here's some stuff that, looks like it's left over when I was practising. Let's see if I 00:28:42.454,00:28:49.027 can open this here real quick... [inaudible] Yep, you guys are watching me mess up this guy's 00:28:49.027,00:28:54.032 computer right here. [mumbling] Ah, what the heck's the... text editor, there you go. Alright, 00:29:04.276,00:29:07.713 uh, this thing here, I don't know if you guys can read it and I don't know if I can zoom in... 00:29:09.781,00:29:14.786 Nope. Say again? [audience member yells] It's amazingly hard to hear people down... from 00:29:18.156,00:29:20.158 down there... [laughs] Uh, I don't know if you can read it or not... a little bit... it 00:29:20.158,00:29:22.160 dropped a, ah, this data file gets dropped when you do an encoding with big barcode, and, 00:29:22.160,00:29:24.162 uh, these are the important parts here. 
You have to have this, encoded data length, and 00:29:24.162,00:29:26.164 you have to have the md5 sum in order to decode it with the big barcode on the backside. You 00:29:26.164,00:29:28.634 have to provide those as inputs to your... to your script. Um, so that's important there, uh... 00:29:28.634,00:29:33.639 Uh... when you decode the DLL it also drops this file here, which is a prototype for using the 00:29:48.520,00:29:54.826 DLL, um, because... Visual Basic is very very picky about how DLLs are called and used, so, 00:29:54.826,00:29:59.798 uh, this gives you the prototype for it, and this is all, um, in the... it's supposed to be in 00:29:59.798,00:30:06.304 the materials that are delivered with the brief. Um, so that's really about it, um, I'm sorry 00:30:06.304,00:30:11.309 that the... my machine was too old in order to use these super fancy, uh, screens, um... and 00:30:11.309,00:30:16.314 that's kind of all I've got. Any questions? Alright, thank you guys very much. [applause]