
High-tech Hijinks in Sin City

Surviving the Running Man Competition at Defcon 12, Las Vegas

By Scott Pinzon, Corey Nachreiner, and Steve Fallin,
WatchGuard Technologies' LiveSecurity Reporters

The rent-a-guard at the Alexis Park Resort and Spa in Las Vegas, Nevada, looks nervous. Defcon 12 has completely taken over the hotel, and almost all of the crowd looks shady. "What about that guy in the black trench coat?" the guard asks a Defcon staffer, pointing across the room at a man wearing shoulder-length red hair and a lengthy Fu Manchu. "Makes me think of Columbine. Who wears a trench coat in 104 degrees?"

The staffer, Tim, smiles. "He's been with us from the beginning. He's actually a nice guy."

You can't judge by appearances at Defcon, which bills itself as "the largest underground hacking event in the world." Defcon annually draws hundreds of hackers (and the Feds who watch them) for a unique combination of computer science, underground culture, and partying. Underlying the jubilant sloganeering and counter-culture bravado, a lot of very smart people are having fun learning about computer security. What do they do with that knowledge? Some are actually corporate security officers trying to see what the bad guys are up to. Many others ... well, it's better if you don't ask.

And then there are some who learn about the technology so they can take it outside and play with it.

Gathering of The Five

It is Saturday, July 31, approaching one in the afternoon. The Defcon 12 Running Man contest is about to begin. Five teams gather in the Alexis Park Hotel's Athena room, which the Defcon Goons have repurposed as the Contest Room. The teams' purpose: to find California Governor Arnold Schwarzenegger.

Sort of. Actually, they'll look for his face scowling from the poster for his 1987 movie, The Running Man. But it'll be impossible to find without radio directional equipment, because the poster isn't physical. It's on an Apache Web server hosted on a mobile WiFi device, intentionally dampened to low power and concealed on someone in or around the grounds of the Alexis Park. That mysterious someone is today's Running Man. The teams have 60 minutes to find him, her, or it.

Contest designer Frank Thornton of Blackthorn Systems has added a technological wrinkle or two to this year's contest. The Running Man Web page has a secret message on it, which will require cryptographic and puzzle-solving skills to decode. Competitors can't run around the hotel simply asking everyone, "Are you the Running Man?" Instead, they have to decode the message and say it to the Running Man. The first team to do so wins.

Running Man Roll Call

Despite the junk-culture flavor of the contest, the teams look like serious competitors.

A bespectacled, slender young man known as RenderMan has fashioned a custom frame for his laptop from PVC pipe. It holds the laptop open on his back, turning it into a "backtop," so his teammate can run behind him and type. Before the competition has begun, the laptop is already running NetStumbler and lists six Access Points (APs) it has detected, with the help of the dual Yagi antennas RenderMan clutches. A fedora completes his outfit -- black, naturally. Black is the preferred wardrobe color for Defcon attendees.

Andre, a 30-something Swede from Stockholm, is also well-equipped. His dual cable, dual diversity directional antenna cost about 30,000 kroner ($4,000 US) and boosts his detector by 8 dBi. The antenna has a range of one thousand meters in open country, which should be good for at least a couple hundred yards in the confines of the Alexis Park. Unlike others working from a full laptop, Andre has attached his antenna to a Compaq PDA, mounted on a custom frame that makes it easy to hold. The PDA is running AirMagnet, a commercial tool that helps track down the physical location of a signal. Andre will be able to use his antenna like a Geiger counter, pinpointing the direction any signal comes from. As an infosecurity expert and previous WiFi contest winner, Andre looks like an early favorite to win.

By comparison, the other teams look less flashy. Eric Smith and Bill Barnes flew in from Pennsylvania to compete. They've been friends since college, and as it turns out, are each system administrators at different nearby universities: Eric, at Bucknell U in Lewisburg; Bill, at Bloomsburg in, well, Bloomsburg. Their casual garb and nondescript laptops mask their careful preparations. Their laptops run Fedora RC1 (a Red Hat Linux variant), Kismet, and several custom Perl scripts Eric wrote. They've also got an iPAQ in "Tricorder mode" to obtain directional signal strength measurements. It sports a home-brewed directional hood, giving a beamwidth of approximately 30 degrees with a little gain, so they can focus on areas of interest. Can their custom gear outplay RenderMan's dual Yagis or Andre's expensive directional rig?

Another team features an earnest young man in a Boonie hat, who looks so young, you wonder if his parents know he is at Defcon. He offers only his hacker name, CK3K. He and his teammate check their gear intently, neither laughing nor smiling as they wait for the contest to begin.

At about 1250, Chris Hurley, who has run the WiFi contests at Defcon for years, rehearses the rules aloud for the teams. He specifies that the desired device has an IP address of 10.10.10.10, an ad hoc SSID of "RunningMan," and a MAC address of 00:06:25:4B:DC:F0. The teams earnestly take notes.

A small crowd of onlookers, including print, online, and television press, surrounds the contestants as last-minute questions get answered. Then the clock counts down to 1300 hours. Chris shouts, "Go!" The teams dash out of the room in all directions, into the 104-degree desert heat -- all, that is, except Eric and Bill.

Running in All Directions

00:59 Knowing the devious mind set that often characterizes Defcon, Eric and Bill stay near the Running Man judge's table and take some base readings. What if the Running Man is in this very room? Clever thought. Unfortunately, not the case. Emphasizing strategy over speed, Eric and Bill exit the room and begin a slow, methodical sweep of the most densely populated areas of the Alexis Park.

00:56 The Alexis Park buildings form a giant U around the swimming pool, more or less. Andre's strategy is to cover as much ground as possible, so he rushes straight up the U. Reasoning that the Running Man would stand out too obviously if he hangs out alone, Andre works his way from one cluster of Defcon attendees to the next, scanning them with his antenna. He figures the crafty Running Man organizers would find it easier to hide an AP in a crowd.

Andre's AirMagnet beeps whenever it enters the range of a new AP. Moving almost at a run, Andre hears the beeps coming faster and faster: Boop. Boop. Boop boop boop, boopboopboopboop ... within minutes, he's logged 60 APs. He stops short. The SSID of one of them says RunningMan. He checks the MAC address. It's wrong. Some anonymous joker has mounted a fake RunningMan AP as a prank.

The contest has barely begun and Andre is already perspiring. It never reaches 104 degrees in Stockholm.

00:52 Eric and Bill have found a few spoofed RunningMan servers, too, but know better than to take them seriously -- especially when some of them have misspelled "RunningMan".

00:48 RenderMan and his partner have already checked the obvious crowded places, like the pool area, the hotel lobby, and the snack shop. They have not found the real RunningMan AP yet, despite diligent use of the dual Yagi antenna. They start hustling through less-obvious areas like the vendor room and the "root fu" hacking competition room. No luck.

00:45 RenderMan's team crosses paths with Andre. "Anything?" RenderMan asks. Andre shakes his head no, a puzzled look on his face. After briefly comparing notes, the teams take off in separate directions.

00:43 Like the others, Eric and Bill have quickly run through the probable hiding places and now are investigating less likely locations. The Alexis Park resort is not that large, so to accommodate the breakout sessions, Defcon has pitched a large enclosed tent that holds a few hundred people. Eric and Bill's thorough sweep takes them to the air conditioners on the back side of the tent. A security guard eyes them suspiciously as they wave their instrumentation like a divining rod.

00:40 Back in the Contest Room, the game organizers relax a little. "I thought they'd find the AP in the first ten minutes," Frank mentions to Tim. "Then they'd spend the rest of the time solving the cryptographic puzzle."

"Let's make sure the RunningMan AP is still broadcasting," Tim says. He borrows Frank's PDA, running miniStumbler, and saunters out of the room. Within three minutes he's back. "Everything's good," he smiles. He shows the miniStumbler to Frank. There's the RunningMan AP, plain as day.

Just then eight strapping young men in prom gowns and combat boots tramp into the Contest Room and present themselves to three judges sitting behind a fold-up banquet table labeled, "Scavenger Hunt." The judges jot notes. The blond guy in the off-the-shoulder number is particularly fetching, since his shoulders are too broad for him to zip his dress up all the way.

00:30 The real RunningMan AP pops up on Eric and Bill's laptop screen. All right! The signal from the low-power AP is pretty weak. Before they can access the Web site it's broadcasting, the signal fades away. Maybe that's why they call the Running Man the, um, Running Man. They swing the iPAQ in various directions, trying to pick up the signal again. Arrgh! Their elusive quarry has vanished.

00:27 Kevin Mitnick, the world's most famous hacker, saunters past the Running Man control center. He stops for a handshake and a brief chat with Chris Hurley, then wanders on. The Defcon crowd either does not recognize him, or respects his privacy, because he wanders through the packed room undisturbed.

00:25 Ignoring the objections of hotel security guards, Andre barges into the lecture rooms, where speeches are in progress. Each has a few hundred attendees listening to talks on computer security. He stands in the back and waves his scanner at the audience. Nothing useful. He wanders upstairs, into the corridors of the hotel rooms. Back down to the lobby, then the hotel gift store. The cashier thinks Andre looks shifty, waving his PDA near the tchotchkes. In the crowded lobby, other geeks stop Andre everywhere he turns, wanting to know about his cool antenna. Andre tries to respond kindly but is growing frustrated by the delay.

Back outside, he tries sweeping the entire perimeter of the hotel grounds, even though it involves going down the obviously deserted sides of the hotel. When he gets to the hotel's driveway, he sees a long-haired man in the parking lot who acts out of place. He has a cast on one arm. The man sees Andre and two reporters, and ducks down, hiding behind a big Tahoe truck. As Andre's sweep of the area takes him near the truck, the man in the cast jumps up and walks away quickly. This suspicious behavior makes the reporters with Andre think the cast conceals a directional antenna and AP. Andre scans the departing figure, but gets no reading.

00:21 CK3K returns to the Contest Room with his teammate. They're panting. Their faces glow red from their exertions in the heat, and sweat trickles from under the hat. The kid shows his laptop screen to the Running Man staff. He says, "There are at least 16 or 17 fake RunningMan APs out there now." The organizers laugh and read CK3K's screen. "Check this one," Tim smiles. "They've even spoofed the last four digits of the MAC address." The staff grins and shakes their heads. The contest rules had specified that this might happen. It's considered part of the challenge.

A bare-chested, twenty-something young man strides into the room, wearing nothing except swimming trunks made of aluminum foil. He presents himself to the Scavenger Hunt judges, posing gingerly. He looks distinctly uncomfortable.

00:19 RenderMan is passing through a crowd in the corridor that connects the snack concession with the Contest Room when a cute strawberry-blonde named Dara spots his dual Yagi antenna and backtop get-up. "Cool!" she exclaims. She draws a digital camera from her purse and takes his picture. RenderMan has no time to flirt; he is on a mission. "Remember," he tells his teammate. "The Running Man could be anyone... even someone like her!" He waves his Yagi antenna cursorily in Dara's direction. NetStumbler shows that there is indeed an AP nearby. The MAC address is even similar to the real RunningMan MAC address, but the first part of the address is incorrect. There must be another spoofer nearby. RenderMan moves on.

00:15 Eric and Bill have caught the real RunningMan AP again twice, but not long enough to cache the Web site it broadcasts. The heat feels like a stack of blankets crushing them. They're hanging in there, though.

00:11 All the teams seem to be running out of steam. They keep crisscrossing each other's paths because no one has any strong ideas left about where to look.

00:10 RenderMan has thought of a new angle, and charges through the Contest Room, hot on the trail of something-or-other. "You hid it too well!" he calls to the Running Man staff as he passes. One of the staffers calls a taunt after him: "Hidden in plain site, baby!"

00:05 In the Contest Room, the guy who formerly wore tin foil trunks returns, this time wearing only a hula-length skirt made of miniature Christmas lights. Which are all lit. The Scavenger Hunt judges actually crack smiles. When an observer comments on the skirt, Frank says, "My favorite one was yesterday. Three guys come in lugging this really heavy suitcase, which is squirming. They haul the suitcase in front of the judges and unzip it. Out steps another of their team members."

00:01 Promptly, the five teams reconvene in the Contest Room. No one has the Running Man secret message. Comparing notes, the teams discover there are now nearly 60 spoofed RunningMan APs. The directional antennas indicate two of them are in this very room, bearing Orinoco MAC addresses. One AP is even serving up a spoof Web page: it has the Running Man poster, but not the official secret message.

Chris Hurley has been detained in another room. Five minutes of uncertainty follow. Finally Chris shows up and hears the news: no one has correctly identified the Running Man. "What's the matter with you guys?" he chides in mock dismay. "I know for a fact some of you have passed the Running Man four or five times." The teams look thunderstruck. "I want someone to win this thing!" Chris insists. After a quick conference, the Running Man staff agrees to a 30-minute extension (ten minutes of which have already elapsed in the general confusion). The teams disperse again.

Countdown to Surprise

00:19 With all the teams out of the Contest Room, Tim surreptitiously phones the Running Man and says, "Chris extended it twenty more minutes. Okay? Good." He disconnects.

00:18 The lecture sessions have let out, and the Contest Room suddenly fills with chattering people. A DJ in the corner starts spinning electronica, adding to the chaos. Near the Scavenger Hunt table, a brown-haired, bearded guy bellows, "I need six people to dogpile on me right now!" He lies on the carpet on his back, limbs spread. After a few seconds of good-natured banter from the crowd, a husky guy in black does a passable imitation of a WWE wrestler's elbow drop, landing on the prostrate guy. Another man lies on top of them, and another, and another, until suddenly about nine guys are piled on top of the scavenger hunter. A pause. A digital camera flashes. The guy on the bottom of the pile frantically screams, "Up! Up!" Laughing, the mountain of men breaks up. One of them wears a black T-shirt that reads, in heavy-metal Gothic print, "Everything louder than everything else!"

00:16 As Eric and Bill pass the bar adjacent to the Alexis Park's lobby, they consider ducking inside for a quick drink. They scanned diligently for an hour and found nothing; what's gonna change in a few more minutes? They're out of ideas. Maybe a cold one would stimulate a brain cell or two. As they stand in the corridor considering what to do, Bill notices something new on the screen. "Hey!" he says. His laptop has just acquired the real Running Man SSID and MAC address again. He switches to his browser, and there's the Running Man poster. But is it real? It's signed with a GPG key, so Bill quickly pulls up tools on his laptop and verifies it. Ha! The real Web site, cached at last!

But now they're staring at an encrypted message on the site:


QVFWG 5TOJC FWHSP CCY
NQJJE JCIWJ XNKQC DPPKU KQXU


Bill sighs. "I didn't expect any encryption," he tells Eric. "I expected a few pictures and a puzzle, like a close-up shot of the Running Man's shoelaces or something silly like that."

"This might not be too tough," Eric says. "You can tell the encryption is some kind of Caesar shift."

Bill looks again. "Hey, you're right!" With mere minutes left, Eric and Bill feverishly start decrypting the message.

00:12 Eric and Bill speedily find that the most commonly used Caesar shift (ROT 13, achieved by rotating characters 13 places in the alphabet; thus, A = N) doesn't work. But there are only 25 total possibilities: A = B, or A = C, or A = D, etc. (There are 25 possibilities because the 26th possibility would be A = A.) Bill starts throwing together a quick Perl script to cycle through the 25 possible ciphers. But even if they decrypt the message in time, how will they find the Running Man in time to say the message to that person?

00:07 None of the other teams has found the real Running Man AP.

00:04 Bill finishes his script in about 15 minutes, but it doesn't work right. He rushes into the Contest Room to let the Running Man staff know that his team has the message, but is still decoding it. He asks if anyone else has won the contest yet. Nope. They still have a chance.

00:00 Time's up! All the teams reappear in the Contest Room, which is now filled with curious bystanders. Tim calls the Running Man via cell phone and says, "Come on in. It's over." As Defcon attendees get word that something is happening, more and more pack into the Contest Room and gather around Chris Hurley.

"The contest is over," Chris tells the standing-room-only crowd. "But turn on your gear. It should be firing right now, because the Running Man is standing next to you." The teams look mildly disbelieving, checking and rechecking their gear. They look around for the Running Man.

Standing front and center in the crowd, Dara, the young lady who photographed RenderMan, reaches into her purse and pulls out a pocketbook. She unzips the pocketbook and pulls out a Zaurus handheld running Linux. The pocketbook is lined with a Lay's potato chip bag, the aluminum in the bag dampening the radio signal by about 7 or 8 dBm. She holds up the Zaurus, and sure enough -- it shows up on nearby wireless laptops as the real RunningMan AP.

The onlookers chuckle at this plot twist, while some of the teams look surprised. "I played fair!" Dara says. "I never went in the ladies' room."

"Then where were you this whole time?" someone asks.

Dara shrugs. "I wasn't moving around that much. I went in the refreshment room and ate some pizza. Then I stood around and painted my nails. Finally I went in the bar."

Which, of course, is where Bill and Eric picked up her signal.

Chris declares Eric and Bill the winners, since they came the closest to decoding the secret message and finding the Running Man. Andre and RenderMan seem visibly disappointed. Both of them had scanned Dara during the contest, and both of them were using NetStumbler, which showed a slightly inaccurate address for what turned out to be the real AP. Weeks after the contest, RenderMan's questions about this on the NetStumbler forum will still be unresolved.

Someone in another corner of the Contest Room picks up a microphone and announces that the semi-finals of the Lock Picking Contest are about to begin. The crowd drifts away from the Running Man table as the staff get Eric and Bill's contact information. True geek that he is, Bill can't leave the puzzle unsolved. He debugs his Perl script, finds that it contains one typo, and five minutes after being declared a winner, he has the messages decrypted. When passed through ROT 14, the first phrase, QVFWG 5TOJC FWHSP CCY, turns into CHRIS' FAVORITE BOOK. This minor puzzle is pretty easy to solve, since just before the Running Man contest, Chris and Frank were busily signing copies of their new book for a crowd of book-buyers in the vendor room. The answer has to be Wardriving: Drive, Detect, Defend.

When passed through ROT 22, the second phrase, NQJJE JCIWJ XNKQC DPPKU KQXU, becomes RUNNINGMAN BROUGHT TO YOU BY. The answer to this puzzle is also simple, since the Defcon Web site, printed brochure, and Running Man contest rules advertise that the sponsor is Blackthorn Systems. If more of the teams had found Dara, the winner would have been the first to say to her, "Wardriving, and Blackthorn Systems." She would have verified the answers by showing them her Running Man badge.
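The search Bill's Perl script was meant to perform, shown here as an added Python example (not the contestants' script, which the article does not reproduce). It follows the article's convention that ROT n names the shift that was applied, so decrypting moves each letter n places back, and it attacks each line separately because the two lines use different shifts. The crib list is an assumption of this example.

```python
import string

A = string.ascii_uppercase

# Constructed crib list: words a contestant already knew from the rules
# briefing (the SSID, an organizer's first name, the event). This is an
# assumption of the example, not something the article says the teams used.
CRIBS = ("RUNNINGMAN", "CHRIS", "DEFCON")

# The two ciphertext lines exactly as printed in the article.
LINES = ("QVFWG 5TOJC FWHSP CCY", "NQJJE JCIWJ XNKQC DPPKU KQXU")


def unshift(ciphertext, n):
    """Undo a Caesar shift of n: every letter moves n places back.

    Spaces are dropped because the five-character groups hide the real word
    boundaries. Other non-letters (the '5', which sits where the article's
    plaintext has an apostrophe) pass through unchanged.
    """
    out = []
    for ch in ciphertext.upper():
        if ch in A:
            out.append(A[(A.index(ch) - n) % 26])
        elif not ch.isspace():
            out.append(ch)
    return "".join(out)


def candidates(ciphertext):
    """All 25 non-trivial decryptions, keyed by shift (shift 0 is A = A)."""
    return {n: unshift(ciphertext, n) for n in range(1, 26)}


def recover(ciphertext, cribs=CRIBS):
    """Return (shift, plaintext) if exactly one candidate contains a crib.

    Returns None when no candidate, or more than one, matches; an ambiguous
    result should be inspected by eye rather than trusted.
    """
    hits = [(n, pt) for n, pt in candidates(ciphertext).items()
            if any(crib in pt for crib in cribs)]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for line in LINES:
        print(line, "->", recover(line))
```

A keyspace of 25 is small enough to try exhaustively, so the cipher adds only minutes of work; here it served as a contest puzzle rather than as protection.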

So was it worth it for the participants? They prepared and hauled all kinds of sophisticated gear from wherever in the world, by plane, then charged around in 104 degrees without winning anything. Eric and Bill are elated, of course, but what about the rest of the teams? Before the question can be asked, CK3K turns to his partner. "Let's go back to our room and charge up our gear. The next wireless contest starts in four hours!"

At the Scavenger Hunt table, five team members earn points by lustily singing the wordless theme to Super Mario Brothers. Yet another guy wearing a black t-shirt passes the Running Man table. His t-shirt reads, "One by one, the Penguins steal my sanity."

Network security professionals Scott Pinzon, Corey Nachreiner, and Steve Fallin, the authors of this feature, also write the free security news feed, WatchGuard Wire, and the subscription-based security alert service, LiveSecurity Informer. The Wire is provided free of charge, and LiveSecurity Informer can be tried free for 30 days at http://www.watchguard.com/products/informer.asp.



Copyright© 2010 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.