I see the love from DC 757, thanks guys. Hey, I'm squiggly1. I'm going to be giving a presentation on thinking outside of the console. Basically I'm going to be talking about game systems and how those game systems can be used to leverage access, or at least get that initial toehold into a network, a real network. So there we go.

The first little bit: I wanted to actually send out a little bit of information, if you people were interested. Yesterday I was wearing a Haxel Red t-shirt, and you can see Marc, G., I'm sorry, G. Mark over at Hacker Jeopardy about that; it's for a good cause. Also please check out savedarfur.org. It's still a problem over there; read up on it and see if you can help out.

And now for me. Oh, me. All right, who am I? Basically I'm still computer network defense team lead for the United States Navy, first class petty officer. I definitely, unfortunately, don't work with these toys at work; I really wish that that was something I could do. I was a former red team leader; basically got a get-out-of-jail-free card to do bad things, and it was nice, it was fun. I'm an independent security researcher, software engineering student, wireless explorer, heavy gamer, not great but at least I have fun, perfect geek, and I'm also a member of the DC 757 and thus the FloydCast podcast group, Cyber Eagle.

All right, why am I talking about this? With my background in red team I was kind of curious about covert testing. What is covert testing? If it's used legally, it's used by legitimate vulnerability assessment firms and red teams in order to better help companies and organizations learn how to protect themselves. The focus of this testing is to find methods to help said entity identify possible intrusions, faulty equipment, software, bad security processes, blah blah blah. All right, you have that; basically that's the best you're going to get as far as covert testing in the most legal sense. Next, you have it used by companies and governments in order to serve their own gain, and not necessarily on themselves, it's on others. Corporate espionage is my angle for that. Oops.

All right, in February of 2004 the Department of Justice pulled the covers off of a previously sealed case of corporate espionage by a former DuPont scientist who stole four hundred million dollars in intellectual property from his employer. In April, The Register reported that a UK-based organization lost a lot. This is corporate espionage; it occurs every day, you know, all the time, and through various means. So that's kind of the angle I'm going for.

All right, then you've got us. Basically we have no allegiance, no political motive, no fiscal gain; we're just looking and passing through. Okay, thanks, bye, have fun. The true hacker: have fun. All right, am I high? I don't think so. Well, I don't think so; you'll probably judge me as so later on, but, you know, hopefully not. Not literally, not literally. No pee test after; I'm going back to work.

Anyway, basically what happened was I had an awakening. Count, who's in the audience right now, had a modified Xbox and I thought that was hot. I wanted one. Excellent. So what did I do? Well, I talked to him. He had a modded one, they had a mod chip in it, and I saw all the goodies that he could do with it. About two weeks later I found somebody who had a nice little article online on how to softmod your Xbox: you didn't have to pull that thing open at all, you just ran a save game off of a couple of different games, James Bond 007: Agent Under Fire and MechAssault, thank you, I think there was one more, excellent, Splinter Cell. Hey, God bless Microsoft, exactly. It's amazing what you can do with that tiny amount of data, how you can defeat an entire game system. But anyway, I won't go there, I won't dwell; others have covered it much more technically and they've done a much better job. Frank, I think it was, Frank Danke over at the Chaos Computer Club Congress the last two years has just torn that apart. He's done an
outstanding job. I highly admit, I highly suggest that you go out and find those archives, download those talks and watch; it's awesome.

Anyway, so I realized, wow, just doing that I can now load Linux on there, I can do whatever I want to this little system. Wow, this little system's a little computer; that's amazing. So that was the first thing. And then, prior to 2002 there was very little going on as far as console hacking; that's definitely changed since then. The game industry, and this is talking about the hardware itself, has moved towards using even more powerful main processors and GPUs in order to both satisfy and build up gamer desires for the next best thing. I'm there with you, I'm there with you. We'll be talking about the Cell processors a little bit later. Anyway, let's see, now we have true computers with the ability to network, and you're playing games on them. Basically, after you've modified them you can share, you can probe, you can perform vulnerability scans, you can find your network, you get on a network and, oh my god, do all sorts of other stuff.

All right, this is a little bit of food for thought. We have, as I said, I took a look at sixth and seventh generation game systems. "Sixth and seventh generation" is an arbitrary label that was put on the game systems; you go to Wikipedia and find this out, like you can trust everything you read on Wikipedia, but this is actually true. Sixth generation systems came out, I want to say, what was it, 2003 and 2004, I'm sorry, 2002 and 2003, and then seventh generation systems we've seen in the last year and a half to two years. That was the delineator: what year they were made, not necessarily how powerful they are. And then we have got handheld systems, which you can put on your person anywhere, anywhere that you feel comfortable putting them; no goatses were harmed. And then we've got ubiquitous online connectivity, many thanks to Panera and Starbucks and all those truck stops that I stayed at. Starbucks, I'm sorry; yeah, I'm not giving out advertisements. And then we've got the thought, "but it's just a video game console, what can it do?" Oh my god, there's a video game console on my network! What?

All right, my goals, now that I've gone through that. My goals are to cover the three key features for a covert tester, what they look for in penetration hardware, and why game consoles may fit that bill; look at available homebrew applications on various game systems, especially those that expand system usage and functionality; show how a couple of game systems can be used to infiltrate your network and collect data, or collect data, I should say; suggest things that you can do to mitigate this threat, and it actually is exceedingly simple to defeat everything I'm going to show you today; and then we have open discussion on what the future holds for these systems, and that's probably going to flow into the Q&A session, because I may actually kind of go over, and I apologize for that ahead of time. If anybody actually wants to carry on this conversation and they cannot stick around, like they've got a party to go to, because I know everybody's got a party to go to tonight, you can contact me at game consoles, with a Z at the end, at gmail.com, and I will definitely get back to you, especially if you've got something that contradicts anything that I've got up here; I definitely want to hear that.

So, all right, the three important things, or what is important to a covert tester: power; you've got your potential programmability, that improves your flexibility, what can this device do, what can I make it do; and then you have concealment, which is basically plausible deniability. I don't have anything scanning your network on me; yeah, pat me down please. I don't have any memory modules. Actually, let me show you this, for those who have not actually seen one of these, and I would kind of be shocked if there's a lot of you that haven't. We now have the microSD chips, which are smaller than my thumbnail and about three hair's breadths wide. I mean, yeah, why, this is one gigabit, all right, gigabyte; you can get two gigabytes and larger shortly. Pat me down please, because you won't find that at all.

All right, primary platforms that I actually looked at in coming up with this presentation. There are actually two slides to this: the Sony PlayStation 2, the Microsoft Xbox, the original, the Nintendo GameCube, the
Game Boy Advance SP, the Nintendo Wii, and those are all counted as well. Technically the Wii, when I was first looking into this, there was a debate whether to keep the sixth and seventh generation separate, because we have the Wii and it's considered seventh generation but it's definitely sixth generation type hardware. So now, outstanding system, and I try to be fairly system agnostic; I have all these game systems, so I love them to death, so I don't want to get any flames from any fanboys from any particular groups, please, please. All right, then we've got the PlayStation 3, the PlayStation Portable, which I was carrying on my person, the Xbox 360, the Nintendo Wii, which by at least the date standards is a seventh generation system, and we have the Nintendo DS and DS Lite. And all the systems that I own, I got lucky around Christmas time: I got two, three PlayStation 2s, sold the other one, and I had a bunch of PS3s, sold a couple of them so I could afford the PS3, and got lucky the third time camping out overnight, got a Wii, yay.

All right, hardware and potential, or geek porn, so feast your eyes, exactly. All right, under the hood of an Xbox, the old Xbox: you have a 733 MHz custom P3, you have 64 megs of DDR SDRAM. Now both of those can be updated if you want to do a little bit of soldering, you have a lot of patience, or you have a little bit of money and you want to send it out. It could be bumped up to a 1.4 gig Celeron or 128 megs of RAM; that's all you get, but you can do quite a bit with even that. The GPU, I just list these bits down for your edification. It has a 10/100 Ethernet port, proprietary USB ports, DVD optical drive, generally came with either a 6 or an 8 gig hard drive depending on how old the system was, and it has a proprietary memory cartridge port. And that's what I pretty much went over; I'm sorry, it's a 1.3 gig Celeron, 128 megs of RAM. You could actually get an adapter to connect yourself wirelessly to an a, b or g network. You can add extra hard drives, one extra hard drive, and actually still have your optical drive connected, and the maximum that I found that was practical was 320 gigs; however, yes, you can do 500. I was going to mention that there's actually a good website, and I have it in the notes on these slides, that you can go to; there are like hundreds of people that have tried out various hardware, I'm sorry, various hard drives, and they reported which ones worked and which ones worked under which circumstances and things like that, so you don't blow your money trying it and then failing repeatedly, because it is very frustrating. That same site also tracks PS2 hard drive sizes. It's at xspec.com, so X-S-P-E-C I think it is, but again check the notes, it's definitely there. And then you can of course attach a USB keyboard and mouse, and then the Linux fanboys went "yay".

All right, Xbox 360 under the hood. You now have a PowerPC with three symmetrical cores, each one running at 3.2 gigs, you have 512 megs of RAM, and I've got sitting here a 500 MHz Xenos custom ATI GPU. Everything that I've read about the 360, people are screaming over that GPU, and in fact there's a lot of heated debate between the fanboys for the 360 and the fanboys for the PS3. The PS3 side says, "well, we got the Cell processor and we kick ass," and then we've got the 360 guys who say, "but if we unlock the GPU and we were able to do the Folding@home stuff that you PS3 geeks do, we'd kick your ass." So, exactly, until it really happens we're just going to point fingers and say we're going to kick your ass. And I've got both systems, so it's an interesting internal battle that I have. You have built in a 10/100 Ethernet, USB ports, DVD optical drive, a 10, or now much larger, 120 gig hard drive; they're talking about putting out a much larger one sometime soon, and that's all vaporware of course. And then you have a
proprietary memory cartridge port. Your add-ons: you can upgrade the hard drive to 120 gigs right now, throw a hundred eighty dollars at somebody and you'll get it; you can get a wireless G adapter; a camera for those intimate moments that you want to show everybody on Uno. Please don't do that, because I've been caught twice watching people do nasty stuff and I didn't like it. I can thank Jay at 757 for getting one of those guys taken care of. Anyway, sorry, I'm not here to... And you've got a USB keyboard and mouse, and the Linux guys go "yay", but it doesn't work for us yet; we're close but not there.

Now PlayStation 2. You have under the hood a Toshiba 300 MHz R5900 MIPS IV processor, 32 megs of Direct Rambus RAM, a 150 MHz GPU, USB, wire, Wi-Fi, I'm sorry, not Wi-Fi, USB, FireWire, an optical drive, and you're able to read a bunch of different types of memory. No, it does not. Yeah, if you go out and you actually have an intent to do something funky with your PS2, get the fat one. There are some people that are trying to deliver items for the PS, I'm sorry, the slim version, but it hasn't hit the market yet, and until I actually see something I won't believe it. The opinion in the audience was it's a piece of... in case you didn't catch that.

All right, add-ons. Now, I don't know, I was pretty amazed; I heard about this a while ago. There were 70 PS2s that were all chained together, and I'm trying to remember which university did that, but I didn't put it in my notes, bad presenter. But they were able to actually get surprising numbers off of that Beowulf cluster, and it didn't cost them a whole hell of a lot of money. They made it in, I think, 2003 and ran it as much as they could, and they're not using it anymore, it's actually been decommissioned, but they did post some of the numbers on it and it was pretty impressive how much you could do with those 70 little machines. The air conditioning unit, however, that you had to put on it just kind of was a little ridiculous, because they did get hot, imagine that.

All right, add-ons, because the original PlayStation 2 did not come with any sort of Ethernet: you could buy the attachment that gave you a modem and HD assembly, which I got from one of the 757 guys, thank you very much. I actually hacked my PlayStation 2 after that happened. And the maximum for the PlayStation 2, shockingly, is you can actually stuff a 500 gig hard drive in there; it's up to you as to why you would want to put that much in there, but hey, if you turn it into a Linux box then you can use it. And then of course, you know, the keyboard, mouse.

All right, PlayStation 3. The Cell Broadband Engine processor: it's a heterogeneous CPU, has one controller and eight computational SPEs, or SPUs; they're kind of interchanged, even in IBM's technical papers. So anyway, when you hear, actually when you download the discussion by the guys over at the Chaos Computer Club last year, they'll call it SPU; it's the same thing. All right, you get 256 megs of RAM for, basically, those processors, and an additional amount of RAM for the system itself, and I'll kind of show a block breakout of how that works. 550 MHz custom GeForce GPU, and, let's see, up to Gigabit Ethernet, that's nice, and if you got the 60 gig version then you also got wireless built in; USB ports; DVD, Blu-ray optical; 20, 60 gig, now 80 gig drive; and a bunch of different memory that can plug into it if you got the 60 gig version. For the 20 gig version I was told that there was an attachment, and it actually is recognized by the game operating system, so you don't even have to have the other operating system loaded on there in order to use it, which is kind of nice.

All right, very quickly, I'm not going to go into too much depth because I'm kind of running long already. This is a very, very simplified version of what the PS3 hypervisor looks like, and you'll notice that there is a gap over the USB, according to the write-ups that I've read. Hold on, by, it's
Kanna Shimizu, my apologies. She's one of the security architects over at IBM Systems; she wrote a very good paper on this particular processor and the security that's unique to the hypervisor on the PlayStation 3, and specifically the security that's on the processor itself, which after I read it I was bummed, because now I realize it's going to be a lot harder to hack that system, and I'll go into that very quickly.

All right, you've got your game application. Generally, just like any other hypervisor, you have your hardware down below, you have your hypervisor that runs interference, or basically runs a virtualized pathway, between the operating system, the guy, whether it's Linux, another operating system or even the game operating system that came on the PlayStation, and the game application that's running on top of either one of those. But for some strange reason, for USB there is absolutely no hypervisor controlling what you're doing.

All right, this is a very simplified block diagram of the PS3 Cell processor security. If you want to read really good technical documentation, I invite you to go over to IBM's CBE section; I mean, it's full disclosure, they give you everything that you need. What's unique about this: you'll see that you have your main processor, it's a modified PowerPC core, basically everything goes through, of course, the main memory. The I/O comes across the Element Interconnect Bus, the main processor goes "okay, I'm going to split this up," it goes off to SPE 1, SPE 2, SPE 3, blah blah blah, to be checked, to be worked on. Well, each one of these little subprocessors, when it starts processing, shuts itself off from everything else on the box, so once you've put something in there, there's no way to modify the thread while it's being processed. So that was kind of bumming. There was another bit of information in those technical documents, and again they go into great gory detail, I'm just going through it very quickly, which is that when the application sends in its threads for processing, each one of those processes, I'm sorry, the application itself, is checked and verified as being legitimate, so you can't run arbitrary code, and this is locked down at the processor. So scoop that thing out and see what you can do with the rest of that box. But anyway, it's checked at the processor, and each thread is verified based off of the original verification of the application itself, so everything has to be kosher and ordered before it's processed. And then when it is processed, as I said, individual SPEs, as they are called, shut themselves off even from the main processor; the only thing they respond to is "stop", and when they receive the stop they clean themselves; there's nothing in the registers to play with. So it's like, uh oh, that sucks.

All right, as far as the potentials for the PlayStation 3: I've seen people actually jam in there a 250 gig hard drive; you have to have a 2.5" Serial ATA, so whatever the maximum is, you can try jamming different ones in there. I expect that same website that I spoke of earlier to probably set up a database before too long showing people putting in different hard drives. It uses the different types of memory; again, right now the maximum size that I'm aware of, last time I checked Amazon, at least the authority Amazon, was 8 gigabytes, so I was all excited because I found out, wow, I can jam that in my PSP also. All right, the Infectus: firmware that was thought to be a downgrader. It doesn't work a hundred percent of the time, and there is a certain chance that you will break your PS3, and that blows. All right, it does Bluetooth and has USB and keyboard connections built into it. Tricks: it runs Linux, many flavors; you just have to go online and find the individual instructions on your particular flavor that you would like to run. I advise that if there is a custom version for the PS3, download that one; don't even play with any other flavor and try to get it to work on your own, because it's a huge pain in the butt. And I'm showing a picture right here; that gentleman right there has, I think it's eight, yeah, eight different PS3s, so there's already people that are trying to make clusters out of these things. That is nice.

All right, oh, the last little bit. There was a talk by, I think it was, Gartner's Steve
Prentice. He fears criminals would use the PS3 for crypto hacking, and I have the article at the bottom of this page in a TinyURL, and basically he would be correct as long as whoever is creating the anti-encryption software wrote it to the strengths of the PS3's processor, which is outstanding at single-precision mathematics, double precision not so good, you know, things like that. So okay, so Sony as a media server, and then Apple for the, was that the [inaudible]? Oh, okay, okay, I'll do that, thank you very much. Whatever I find from what the gentleman had spoken to me about, it will be up on my blog.

So all right, here's more sexiness. That is not my PSP; I would never defile it in quite such a way. That was Lik-Sang, may they rest in peace; they were sued into oblivion by Sony. Anyway, you have basically two little MIPS R4000 processors in there; they run literally from 1 MHz to 333 MHz. You can downclock it and you can upclock it up to 333. Sony still maintains it's not a good idea to run it at 333, but people are now, and various homebrews definitely take advantage of that clock ability. I know, down, down out there. All right, you can run the wireless on b; there is no g. I actually have on order right now the new PSP, so I'm going to see if that got changed; that would be nice. You have an IrDA transmit and receive node on top, which is really sexy, and the reason why I think that's sexy: you need to see Major Malfunction's discussion on old-school hacking from, I think, about two or three years ago. Watch that, or read his information on that, and you'll find why that is so cool, and then I'll show you a couple of homebrews as to how you can use that IrDA port. You have a mini-USB connection on top which allows you to hook up all sorts of little attachments to it, which I will show shortly, a UMD optical drive and memory.

All right, your add-ons. You have one unit which is the GPS unit; you cannot buy it in the United States, you have to order it from Japan directly. It's about sixty dollars from good, reputable places and you'll get it really quick, although, the shipping, that's after shipping, shockingly. So, all right, you have a microphone and you have a camera if you want to do some surveillance or something like that, you want to take pictures, and it starts looking a little odd when your PSP runs around with, you know, extra attachments dangling off of it, so I would advise not to; really, do something else super spy-like. All right, here's somebody who went crazy and decided they wanted to have an external antenna actually hooked up. It's got a Hirose connector on it, the daughterboard does, and if you decide to do something like this, just be very gentle with that connector, because it has a propensity to just drop right off of the daughterboard, and that sucks. So anyway, if you've got that thing attached to your PSP, guess what, you look suspicious.

All right, GameCube hardware. You have the 485 MHz Gekko, it's a custom IBM processor, 40 megs of RAM, you had a fairly decent GPU at the time, and a proprietary optical disc and proprietary memory cards. The add-ons: mod chips, and in fact, mod chips, these guys went crazy, they had Linux running on this thing, all sorts of crazy stuff running on this thing. It was a great system, and in fact, again, the Chaos Computer Club discussion, download it; they elucidate greatly on how the GameCube was really cool and how they might have been able to use the same hacks that were used on the GameCube on the Wii. It's really cool, and Linux again.

The Wii: we have a little bit beefier, it's a 729 MHz Broadway IBM PowerPC CPU, that's pretty impressive, 88 megs of RAM total; there are actually several memory banks, but it's basically 88 total. You have a nice little ATI GPU, b/g capabilities, and, strangely enough, an attachment so that you can actually get on Ethernet; you have to buy that separately of course. 512 megs of flash memory; SD memory is its
primary removable memory source. It has a couple of USB ports, and the optical drive, strangely enough, I don't know why, does not support DVDs or even play music off of CDs; don't know why.

All right, hardware of the DS Lite. Two 32-bit processors, they're both ARMs; 4 megs of RAM, main RAM I should say; you're capable of getting on 802.11b and the Ni-Fi, it's Nintendo's idea of Wi-Fi, you can get on that. This was kind of interesting: when all of these pornographic pictures of circuit boards appeared on the internet, the most fervent hardware geeks started really zooming in on those images and trying to look up information on the various chips that were soldered to those boards, and one of the things that was kind of weird was, and you can check this on the internet right now if you type in Mitsumi MM3205B module, and that is the wireless module for the DS, there's no information at all about it. The only information you will find is, like, three hits; it's basically three blogs talking about "I can't find any information about this, does anybody know anything about this?" So it's kind of odd; I'm just pointing that out because of that. It uses SD removable memory, it has a microphone built in, it has a touch-sensitive display, and it's got a couple of custom ports for gameplay, both for GBA backwards compatibility and the Nintendo DS. All right, add-ons: removable memory storage; I don't know of any memory limitations, like you can jam it with, say, an eight gig stick; I don't know if that's a limitation yet, supposedly it takes everything. There is Linux that runs on it, but it's only, it's very limited; I have DS Linux on my system, but it's very limited. It is kind of cool, huh. Oh, boost controller? Yeah, okay, I'm going to have to talk to you afterwards and I'll post that on my blog also; I wasn't aware of that.

All right, programmability and flexibility, or what can I make this thing do? Oh hell yes, exactly. All right, guys, basically anybody who's had a PSP since at least release day, firmware 1.0 was in Japan, 1.5 in the United States was what was available to us; I still have my virginal, untouched 1.5 system. Those were actually vulnerable to running arbitrary, I'm sorry, running unsigned code, and that was a bad thing according to Sony. You now have custom firmwares. Dark_AleX unfortunately has left the scene; I privately believe that he probably received a couple of threatening phone calls from lawyers, cease and desist or else, and of course we saw the picture of Lik-Sang and they're gone, so that "or else" definitely has some teeth. This is a few weeks ago. The reason why he's actually beloved in the PSP fanboy group is he created one of the best custom firmwares; his last one was based off of the 3.40 firmware, allowed you to have access to all the cool stuff, be able to access your PS3 wirelessly, and to play all the new games, yay yay yay, and do all the stuff for homebrew. There is another group, M33, it's a Russian hacker group; they have picked up that baton and are running fast. They actually have a newer one that's based off of firmware 2.52, I'm sorry, 3.52 is what they have; the newest one by Sony is 3.53. Please don't download it unless you read, after I put up on the forums, hey, I'm going to show you guys at the Wi-Fi village how to do all of this stuff. One of the poor guys had actually hooked up to Sony's official site, had downloaded, yes, and they had just changed it. I said, dude, you should have known better, come to my website, I've got everything; so unfortunately he didn't hear me. All right, gateway firmwares: 2.71, 3.02 and 3.50. Why are they gateways? Because you can downgrade from there, and when you downgrade you can upgrade to those custom firmwares that we all love. Vulnerable games that allow this gateway behavior: Lumines; I have a copy
with me, and I actually was pretty damn shocked that right after that news came out, that for version 3.50 all you needed to do was download this modified save game for Lumines, the stock in Lumines went through the roof: you couldn't find a copy online for less than a hundred dollars, and places around town, at least according to the internet, were quickly running out of copies; people were buying them up and selling them on eBay, bastards. Whoa, well, come back, come back, huh? That scared me. I'm talking too long. All right, then you had Grand Theft Auto, that allowed you to do other things.

DS, DS Lite: you have hardware modifications you just plug into the end of the unit; you don't have to open it up unless you really want to, and I advise not to, and everything pretty much runs. Nintendo's opinion about how it does things with the homebrew community is almost diametrically opposite from Sony's. Sony hates you, even though they're now saying, "oh, we like the homebrew community, we're just going after the hackers." Wait a minute, that is the homebrew community. Anyway, Nintendo, sure, as far as I know, hasn't sued anybody into oblivion and hasn't sicced their lawyers on anybody.

The Xbox, the original Xbox: you use the font handler in it, basically you can hack it that way; you had to remove the Xbox dashboard. You have the A20 memory handling flaw. Games definitely run in kernel mode, that's the problem, and that allows you to run those three games that are listed below and use their saved games, because now they're in kernel mode, to pwn that machine. Thank you.

All right, then the PlayStation 3: you have an internet browser flaw. I had an individual give me a heads up that he had found one, and I won't mention his name, but at current it hasn't gone too much further than just crashing the browser yet. And I saw something just in the last week: somebody was loading an unnamed PS2 game and it was causing it to crash and the screen started flickering, and I didn't know whether it was crashing the video, because some PS3s do have a problem with syncing video with some televisions, and I thought maybe that's really what was going on, but I'm just mentioning it because it was interesting, and if it's not a hoax then it should be looked into. At current, neither of these approaches is all that promising, I'm talking about the PlayStation 3; besides, who wants to break a six-hundred-dollar system? I don't.

All right, Linux is everywhere, and generally I'm pretty much assuming that if you can put Linux on something it is game over; for the most part it's game over. Yeah, you can get in, you can use all of the tools at your disposal as a standard Linux user. However, I was reading something about the PS3 that was unusual: you cannot put the Wi-Fi module in the PS3 in promiscuous mode at current.

All right, game console coding. You have various things that you can use while in Linux: you can program in C, Python, Perl, etc., whatever is out there, you take your pick after modification. However, there are native ones; they're small and they're still kind of proofs of concept, a couple of them are, but you can actually program in Python on the PSP, Lua on the PSP and DS; there was a C compiler for the PSP, and of course there's BASIC for DS.

All right, homebrew: it's a term frequently applied only to video games that are produced by consumers on proprietary games platforms, in other words game platforms that are not typically user programmable or use proprietary hardware for storage. Sometimes games developed on an official development kit, such as the Net Yaroze or PS2 Linux, are included in that definition; some, however, also refer to all non-commercial, home-developed games for open architectures as homebrew games, though these typically go under more frequently used labels such as freeware.

All right, here we go, this is the goodies, and this I'll kind of fly through, actually, I apologize, I'm running long. All right, the PSP: this is the IrDA capture. I actually got to meet the kid who programmed this at ToorCon; he came out with this and pretty much dropped the project afterwards, but it opened up the floodgates for grabbing information and turning it into something you can use on the PSP natively. You have PSP IR
commander which supports over 2,000 controllable infrared devices and also its successor the IRS shell which does more things each one of those came with a handful of already pre-programmed pretty much devices that you can actually control from the get-go you go on the internet and i have a link in the in the notes where you can get these yet i think they’re up to like 2,300 devices now that you can download and they’re totally compatible pone everything now now we’ve got a short video this is the pnp ESP portable VNC viewer it’s based off of a portable VNC program that was created for palm OS so here I am I decided not to trust Murphy while I was here so I decided to do everything pre-recorded oh my goodness what’s up there there’s my little PSP all you need is these cables what I’m demonstrating right here is that systems you can just plug this thing in and thank God for modern operating systems they’re so helpful thank God makes my life a little easier and there I am plugging it into an unassuming little hub dude to do then I fire up my little system and what I’m going to do is I’m going to tell it go into USB mode make yourself available to the operating system at the other end of this this cable so that it can read and write to you and the full memory on the 10 the memory stick on in the system itself is usable and there we go Vista is very nice look at this no warning either hi I found it for you you can use it now I’m not being a smartass it’s probably coming off that way but alright here’s my little laptop running vista and now that I’ve got unfortunately I didn’t really plan this really well my screen is extremely bright and it just overwhelmed my poor little camera so what I’m doing right here is that I’ve opened up the directory for the PSP and I’m grabbing a dragging tiny VNC version 1.2 nine works flawlessly I did try very the latest version which is 1.39 and it the video didn’t come through you got on the box but you couldn’t do anything alright so 
there we go okay copied it moved it over I have installed I’m starting to install it here doesn’t take very long and again the only thing Vista did was do you really trust this of course I to now I’m deleting it I you know just for you know regular users of course a good forensic analysis would definitely give me away and the only thing that betrays that is on there is that tiny little be on there I’ve been actually when I was at the Wi-Fi Church of Wi-Fi discussion earlier somebody came up with an interesting idea he said hey why don’t you write a little a little script for the registry run it you know drag it over with your with your installation run it after you’ve installed it and it’ll take that right off of there they won’t know the average user won’t know that the BNC is running oh god that’s darker than I thought it was all right I’m running the application itself what I’ve done the only thing I’ve done ahead of time is I’ve searched for an access point in order to get onto the network dupe to do and zoom in little action there and of course I did put trice I tried to put a password in there one two three and there I am I’m in the box that VNC software actually works with a number of ir wireless keyboards so you don’t have to Jack around with playing around with the buttons in order to get the alphabet you know somehow you know coming through so you can type as fast as you want yupo in the box because basically you’ve got that box and you use its trust on the network move out move out from there PSP has secured text it’s unfortunately just rc4 but it’s a good proof of content concept that you can actually encrypt and decrypt anything you want on the PSP by itself you can run the PSP as a web server or an ftp server you can chat with your friends when you get lonely on those stakeouts looking at other people using their computers using am i CQ msn gtalk and yahoo this is completely in the in the free it doesn’t this one does not support encryption however 
this does

p.s pssh it’s based off of drop bear and it is fully ssh to compliance and shout out to the 757 guys this is your server which you gave me it with a twitch they gave me access to I did not pone their server I’m not that lead all right here we go with the little demo and this is my 1.5 system that has never been modified so a lot of these tools you can run on either the modified home firmwares or the original firmware alright what I’ve done is running the application of course I’ve already got my a piece that picked out which one I want to actually access the internet with I’ve already put in my user information my server that I want to go to I’m logging into users it didn’t crash all right and unfortunately is really really dark but that’s the that’s the welcome screen that just popped up next I’ll be typing in I RSSI I will be screening it as instructed by count and and that from there on I go on to split casts go talk to the guys it’s Floyd cast I walked off and everything is encrypted we have a Wi-Fi sniffer this was kind of cool it was a little project that the students he dropped it the original idea was it would actually turn into a real sniffer you could find a PS select the AP and decide that you wanted to start collecting packet traffic this is kind of cool you have the PSP map this this is sexy little thing that you can use with the GPS I would love to see somebody code even if it’s not me a version of map this with that previous Wi-Fi and start walking around and having a little pinpoints on your map which you download from Google freely available and so you can you can remember and have geo use this as a geocaching toy I’m going to show very quickly there’s audio to this it talks to you and people can drive with it it’s not advised but you can drive with it the PA unfortunately no yeah the coder that actually put that in there I always screw up his name please check the notes he’s a cool guy but I don’t want to murder his name on tape but anyway he he 
actually had coded that from from scratch all by himself because when you buy this in Japan you get the entire Japanese map you get everything it’s very cool but he decided before this actually was released or available to Americans he had actually hacked together I think it was a Hilux GPS and hacked it so that actually would physically interact with the PSP through the mini USB port and he created that software all from scratch it’s an excellent program a PSP inside was kind of cool unfortunately it’s not really maintained anymore but if you were dying to find out what all the registers were doing in real time what anything that was pushed into memory that the PSP had to process you can see it in real time you could capture that information you could play it back you can modify some of it can you say buffer overflow and here’s the luminous downgrader this were some of the outrageous prices i saw you know amazon love them to death somebody was selling there’s for a penny that went quick and then the next one was 144 they’re only like four of them for sale and then he had ebay bastard $125 all right now we get into where the DEA’s fanboys can can strut their stuff where the d/s ftp it’s actually a server and client you can set up user accounts on it and your only limitation is the size of the stick you have in it Wi-Fi lib test is really cool i wished i had animated this i was walking around with this showing some people because I found out this is actually on the scavenger list if you could find a deus that was actually doing packet capture so I have one you can’t take it you can walk me over there and I’ll give you points so anyway this was a little application by a fellow named Steve Steven stare I did not code this a couple people thought I did I did not he did an outstanding job the all was of all of the packets that captures goes on to the memory stick so you can review them it’s not real fully

functional but it’s cool to begin with I mean it’s just cool to play with you have air cracked which you can see I didn’t have a lot of success running but when I went on the forums those that did get it run it was it was fairly decent and actually we would attempt to crack wet packets that had based off the packets that had received it wasn’t really fast because you are talking about ARM processors but it was something they have pointy remote which is a VNC controller for UDS I thought that was cute and we have lelu ftp server it does it’s also an ftp server but it’s a bit more fully full-bodied as far as your ftp servers go i would advise looking into this one if you are going to mimic an ftp server with your DS and then we have moonshell I list that only because it’s exceedingly popular it’s very powerful very fast and it does almost everything that you want as a loading application now we got concealment now when I walked up here I will tout to game systems I don’t have any more hidden anywhere deviously but basically in this picture who has who has equipment that they might be able to use in order to do a quick scan on any network whether it’s a I smart ass as far as it I’ll get you later all right okay so we know that the Geisha probably or may according to the people in the back we have that equipment but this this is another thing as far as for concealment when working in corporate corporate offices and stuff like that I’ve been in a couple where they’re very anal-retentive as to what you can bring in whether it’s a cell phone mp3 player all of these things could be used to help leverage either physical access or digital access in in restricted spaces do you have the same restrictions on video game machines do you have a restriction on the games machine that may actually be have been purchased from your company and is in your break room I actually visited two companies I want to say a little over a year ago and they actually had one hooked up to their 
regular business network and I about fell out it’s like oh my god how cool not all right concealment for actually digital media you can basically I love my all toys they burned me horribly but I love them anyway you can put all sorts of stuff inside of them I’ve been searched several times and when I’ve done some red team stuff and they never looked under the wrapper they also never checked in my shoe or anywhere else and especially as I said with that teeny weeny micro SD chip Pat me down please are they playing a video game or are they doing something to your network other little tit bits I did some really ghetto port knocking or port fuzzing with ness yeah with Nessus and found the following ports were open on the PSP I actually found these open before any of the big homebrew had come out nothing has changed but it was kind of neat the xbox 360 port 25 110 and strangely enough 1030 it was acting as a web server I don’t know why honestly I don’t and then we have for the ps3 only two ports were open I had another port that was intermittent and I couldn’t nail it down so you’re only seeing two of them it was 25 and 110 and that’s not terribly shocking because they really do want to make this thing into a and all in one box that you that you could use for your gaming and hopefully not business but other types of pleasures what quick okay the other way really quick thing on the bottom of these slides for ids goodies if you if you don’t secure your network at least you can catch these guys by looking at the MAC addresses and they habitually or every once a while both all of these systems will go back and check predictable places so that hat that hasn’t been modified by modified by anybody so put those into your ideas logs and you’ll catch them all the time oops all right nothing as far as ports on the wii and the d/s i absolutely found nothing now you can sniff traffic all day long but i didn’t see anything that was dependently open and the reason why i think this 
might be true or why this is is that the wireless on both the wii and the DS lite literally shuts off when it’s not in use so i thought that was kind of cute it’s a great for the DS lite it’s a great way to save power and then we have really alternative ways this was on torque on and went downtown to meet some friends at the sidebar

being new to the area i had no idea where the sidebar us and luckily for me all the proprietors were nice enough to put the names of their businesses in their SS IDs so I had my PSP with me shocked shocked and started just checking around because actually the PSP is a is directional there’s a the antenna runs rock or along the top part it’s all you had to do is just kind of like wave it around and you’ll figure out where everything is so I found this the sidebar strictly by using that it was about five blocks away it wasn’t like it was a big thing these are all of my most of my sources the rest of them are on my blog but these are the ones that provided me the most information I thank you all for sitting through my horrible talk my blog myblog is Hexis h aksys dot and then odds Phil this for us slepping squid SCH le PP ing squid done yet sorry about that or just go to Google search squiggly one you’ll find me thank you very much
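The speaker's IDS tip near the end of the talk (watch the MAC addresses, and watch the predictable places an unmodified console checks in to) is the one defender-side item that lends itself to code, so here is an added example. It is editor-written illustration, not code from the talk or from any project it mentions. The OUI prefixes, the check-in hostnames, the "break-room" VLAN and the log lines are all constructed placeholders: the real OUIs come from the IEEE registry and the real check-in hosts from your own egress logs for a known console on a lab VLAN, and the simplified DHCP and DNS line formats are not a real dhcpd or named format.

```python
"""Flag game consoles on a network from DHCP lease and DNS query logs.

Added example for the IDS tip in the talk; not code from the talk itself.
OUI prefixes, hostnames, VLAN and log lines are constructed placeholders.
"""
import ipaddress
import re

# PLACEHOLDER OUI prefixes (first three octets of a MAC). Constructed stand-ins,
# not real IEEE assignments: replace with entries from the IEEE OUI registry.
CONSOLE_OUIS = {
    "aa:bb:01": "handheld console, vendor A (placeholder)",
    "aa:bb:02": "living-room console, vendor B (placeholder)",
}

# PLACEHOLDER names an unmodified console resolves when it phones home.
# Constructed; take real ones from egress logs of a known console on a lab VLAN.
CHECKIN_HOSTS = {
    "update.vendor-a.example": "vendor A (placeholder)",
    "checkin.vendor-b.example": "vendor B (placeholder)",
}

# Where a console is allowed to live (a constructed break-room VLAN).
EXPECTED_NETS = [ipaddress.ip_network("10.10.50.0/24")]

# Simplified, constructed log formats (not the real dhcpd / named formats).
DHCP_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)
DNS_RE = re.compile(
    r"query: (?P<name>[\w.-]+) IN A from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})",
    re.IGNORECASE,
)


def severity(ip):
    """A console on the VLAN it belongs to is informational; anywhere else is high."""
    addr = ipaddress.ip_address(ip)
    return "info" if any(addr in net for net in EXPECTED_NETS) else "high"


def analyze(lines):
    """Walk log lines in order and return a list of alert dicts.

    Two independent signals: a DHCP lease handed to a MAC whose OUI is on the
    console list, and a DNS lookup of a known console check-in host. The lease
    table built from the DHCP lines ties a DNS hit back to the MAC that made it.
    """
    ip_to_mac = {}
    alerts = []
    for line in lines:
        m = DHCP_RE.search(line)
        if m:
            ip, mac = m.group("ip"), m.group("mac").lower()
            ip_to_mac[ip] = mac
            vendor = CONSOLE_OUIS.get(mac[:8])
            if vendor:
                alerts.append({"signal": "console_mac", "ip": ip, "mac": mac,
                               "detail": vendor, "severity": severity(ip)})
            continue
        d = DNS_RE.search(line)
        if d:
            ip, name = d.group("ip"), d.group("name").lower().rstrip(".")
            vendor = CHECKIN_HOSTS.get(name)
            if vendor:
                alerts.append({"signal": "console_checkin", "ip": ip,
                               "mac": ip_to_mac.get(ip, "unknown"),
                               "detail": f"{name} ({vendor})",
                               "severity": severity(ip)})
    return alerts


def unexpected_hosts(alerts):
    """IPs that tripped a console signal outside the expected VLAN."""
    return sorted({a["ip"] for a in alerts if a["severity"] == "high"})


# Constructed sample log lines (not captured from any real network).
SAMPLE_LOG = [
    "Jul 30 09:12:01 gw dhcpd: DHCPACK on 10.10.50.21 to aa:bb:01:12:34:56 (breakroom) via eth0",
    "Jul 30 09:12:04 gw dhcpd: DHCPACK on 10.10.20.77 to AA:BB:02:AB:CD:EF via eth1",
    "Jul 30 09:12:05 gw dhcpd: DHCPACK on 10.10.20.78 to 00:11:22:33:44:55 (ws-fin-12) via eth1",
    "Jul 30 09:15:40 gw named: query: checkin.vendor-b.example IN A from 10.10.20.77",
    "Jul 30 09:20:10 gw named: query: update.vendor-a.example. IN A from 10.10.50.21",
]

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for a in found:
        print(f"[{a['severity']:>4}] {a['signal']:<16} {a['ip']:<13} {a['mac']:<18} {a['detail']}")
    print("outside expected VLAN:", unexpected_hosts(found))
```

The two signals are kept separate on purpose: a MAC match fires even if the device never talks to the internet, and a check-in match still fires for a console whose MAC prefix is missing from the list, with the MAC reported as unknown so the analyst knows the OUI table needs updating. Severity comes from where the device sits, which is the speaker's point: the console in the break room is expected, the same console on the finance VLAN is not.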