
Blinkie Lights: Network Monitoring with Arduino

Formal Metadata

Title
Blinkie Lights: Network Monitoring with Arduino
Number of Parts
122
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
Remember the good old days, when you'd stare at Rx and Tx on your shiny new Supra 1200bps modem, and actually know what the heck was going on? Systems tend to talk a lot more nowadays, and somewhere along the line I completely lost track of who mine hangs out with. And I kind of miss my blinkie lights. But we live in a world of Arduino and cheap LEDs - maybe there's a way to play with electronics, talk about security, and show the kids a thing or two - all at the same time. Imagine if one of those USB toys on your desk could actually give you an indication of which countries you were trading packets with, or alert you to unusually long-running sessions. 'cerealbox' will demonstrate how an 8x8 multicolor LED matrix, Arduino, and a network monitoring program can be used to make an LED-based sniffer for around $60. And if that doesn't sound interesting, just wait until you see Port Scan Inferno.

Steve Ocepek was one of the original team behind Wholepoint, a computer security consultancy that later merged with Trustwave. As Director of Security Research for SpiderLabs, he is in charge of all signature development for all products, maintaining and updating open source projects, researching new threats, providing intelligence to premier clients, pursuing security advisories, and supporting other SpiderLabs teams during technical engagements. Ocepek's accomplishments include discovering and patenting a new method of detecting wireless clients from the wired network, as well as creating the "thicknet" framework to analyze protocols for Man-in-the-Middle attack surface. He has been featured as a keynote speaker at industry conferences such as Blackhat in both the USA and Europe, and OWASP AppSec. Ocepek is a Certified Information Systems Security Professional (CISSP) and a member of the Northeast Ohio Information Security Forum.
Transcript: English (auto-generated)
So, got the, got to talk about freaking blinky lights today. I'm going to be talking a little bit about how to do something kind of off the wall, network monitoring with Arduino. I always want to play with electronics and get some stuff going with blinky lights and I've always been just real fascinated, kind of one of those people that sit there and stare at the switch and watch the lights kind of turn off and on and just
kind of get mesmerized. I don't know what the deal is with me, but stop lights, whatever, you can pretty much just get me to stop what I'm doing if you, you know, put something in front of me that's turning on and off. So, my name is Steve, Steve was epic, no Steve, so this is my, this is my talk.
Just a quick note, the quality of some of the images in the presentation are of the homemade variety because of some legality reasons, we're not allowed to use the copyright images and things of that nature, so I do apologize in advance for some of the quality
here. So, just kicking right off, so this is kind of where I came from, right, the idea of modeming and there used to be kind of this concept that you could kind of see what
the heck you were doing while you were online. You had RD and SD, my kind of original like blinky, my favorite blinky lights in the world, which meant actually RD was always the best because it meant you were downloading something. So, there was this kind of visual cognition, tactile feedback, probably tactile is the
wrong word because I think it's like physical whatever, but it's like a feedback kind of like I do something, I push something on the, you know, on my keyboard, I see it on the screen, and then I know what's going over my serial port, going off the phone line because I see this kind of blinky light thing happening, right, so then a lot of
stuff happened from then, so progressing through time, I kind of just took arbitrary things out of the history of networking, so I think like there was like 56K and then
Netsplosion, thank you, I think there was like a splosion of internet stuff and then YouTube was somewhere in there and a bunch of other stuff and then mobile and now there's a cloud and I think he's like smoking a cigarette, I got one of these like disclaimers here about that, you shouldn't do that, but it's like a, it's, so it's kind of like this,
a lot of stuff has happened, right, the whole idea of this slide I think, I think what I was thinking was basically stuff's a lot faster, TCP IP, protocol diversity, it's not just as simple as RD and SD anymore because you're talking about a lot of different protocols, a lot of different hosts, a lot of different stuff going on at the same time, it's a very,
very chatty thing we got going on, somewhere along the line we sort of lost track of what our machines are doing, it's just, and so we've got this, you know, this idea, this link light, we also have like connection pools and longer sessions and stuff like that, I don't know what the hell my machine's doing anymore, right, and yeah,
you know, my net stat hurts, I'm actually thinking about getting a bumper sticker that says that, but I guess the bad sign is when a two minute PCAP file is larger than a two minute MP3, I think we have some serious stuff going on in the wire, so it all comes down to the fact that dude, the activity light is solid, man,
it's just not, basically we have one LED, right, it's like a total missed opportunity because you got like this one LED and it says something's happening and so you, anything you do, it's like is something happening, it says yeah, something's happening, it's like solid, it's like that's all we can ask, that's all we can,
that's all we really know, so again, I really apologize to this, especially for this, especially like whoever's involved, because apparently whoever takes pictures of these guys, copyrights their images too, but the, basically it comes down to this,
Richard Batelich and Bruce Schneier, if you want, you know, if I want to legitimize what I'm doing up here, the industry experts are saying monitoring first, monitoring first on the grass roots most lowest level is what we're talking about here, which is the little blinky lights on the front of the modem, you know, monitoring first if you take it to its extreme is kind
of knowing what the hell your machine's doing at any time, the actual quote from Bruce, by the way, those are muscles, I want to make sure you knew he had a shirt on there, okay, that's, but basically what Bruce Schneier said in cryptogram, actually 2001, about 10 years ago, monitoring should be first step
in a network security plan, something administrator can do today to provide immediate value, so that makes me feel a little more legitimate in this talk, but basically that's the concept, right, if you know what the hell's going on, you can do something about it, and I think we skip monitoring, we go right to enforcement, I know that's what happened, you know, with network access control,
I was in that business for a long time, and we would come into networks and say, hey, we're going to kick everyone's ass, and that's not supposed to be here, we'll kick everybody off, and you get them all fired up, and people would come up with these really cool rules, it sounds really nice, like hey, if they're transferring this much data, this data rate at this time of day,
then kick their butt, and then the CEO would come in, be on his way out of town at 9 p.m., try to copy the presentation down from the boardroom, and get kicked off the network, and everybody get fired, and we'd lose the account, so the idea is that, why is that, why did that happen, why do people want to enforce before monitoring, right,
that's kind of goofy, because if you're monitoring, you know that that kind of stuff happens, you know that that rule is crazy, right, we try to create this kind of big brain that says, oh, we're going to feed this brain all this data, and then the data, it's going to learn, and it's going to understand your network better than you do, and then it's going to make these kind of interesting rules, you know, if you take it a step farther, and you're talking about some of this, you know,
the learning mode and things like that, don't get me wrong, I mean, we need that stuff, we need to make it better, but we need to also understand what the heck's going on. So, you start talking about monitoring, and it's like, well, wait a minute, we have all this cool stuff, and I, you know, I, on the side, I like to write these little miniature screenplays and throw them in the trash, so you get to see one, so basically, you mean like IPS, IDS, NAC, Sniffers,
scrapers, yeah, okay, and then, no, I mean like what the, you know, okay, yeah, WTF, the box is doing, right, and then, yeah, but try Wireshark, newbie, and then, it just kind of devolves from there, I don't really know what happened after that,
but there's something about the fact that Wireshark is for analysis, and then, I don't think that has any value at all, but basically, yeah, so the idea is that Wireshark, the takeaway is that Wireshark's for analysis, okay,
and not for the kind of thing I'm talking about, which is this real time kind of tactile, I keep using that, misusing that word, but this sort of real time feedback that you're getting from the thing, so like the old days, right, something, it's a good excuse for Arduino, it sounds good on a Def Con schedule,
freaking blinky lights, it's, and of course, something gives you visibility, so now I'm going to start butching some other words, okay, visibility versus visualization, I don't know, there's no,
this is me talking about trying to figure out how to do like the differentiation, it's not that these words totally, you're going to look them in the dictionary, and they have this difference, this is just me kind of trying to express something, but I'm going for something that's peripheral, okay, I'm trying something that is going to tap into your cognition, okay, cognition, we'll talk about that in a little bit here, I'm making up my own distinctions,
but visualization I'm thinking of as like the wire shark, right, I'm thinking of visualization as maybe even these beautiful graphs that do stuff, and they're like big pie charts and top kind of looking things, and all sorts of beautiful things you do with static data sets,
because you have a lot of computational time to kick this thing's butt, right, you have like a big bunch of data, and you've always got all these cycles, and you can visualize something statically, I'm trying to go for something a little different, on the other end of the spectrum, which is like the real-time stuff, okay, so it's more tactical, military term, visibility is thinking about, I used to, I think my closest stint with the Navy was playing Secret Service on the Converse 64,
so it was like, it said visibility low, visibility poor, and then like battleship would sneak up on you and kill you, and then I'd load the trainer and kill everyone else, but the thing was that there's this idea that you only have a certain amount of visibility,
only a certain amount of ability to react to what's happening based on what you can see, right, so visualization taps into our ability to reason, right, to figure things out, it answers questions, visibility might, or visualization, excuse me, might cause us to, it might answer questions, visibility is more like it taps into our cognition,
okay, and maybe it causes us to ask questions, I only sort of know what I'm talking about, real-time cognition, but examples are driving like video games and like things like sports, and I just kind of realized it's probably like a really bad thing to bring up at DEF CON,
but basically, yeah, so it's like the real-time kind of like, why are you good at sports, and it's not because, well, I sit down, I get the basketball, and I sit down, I project the arc, and I'm going to exert the right amount of force to get in the basket,
it's because I don't know, man, I just, that's what I do, right, I just, whatever it is they do in basketball, I just like slam on those guys all day, or something, it's like the one where they, yeah, okay, so direct connection between the senses, right, so it's because you're able to like react to something, you're able to see it,
it's out of the corner of your eye, but you're able to do something about it, right, it's the same with video game, a little sniper and, you know, whatever, you can get really good at that, but you're not thinking about it, you're just doing it, it's acute perception of a sight variances in stimuli, which sounds like freaking awesome.
Here's the scholarly reference that I think this means what I think I'm talking about, which is real-time cognition best described not as a sequence of logical operations performed on discrete symbols, kind of hanging in there on that one, but as a continuously changing pattern of neuronal activity. So, what I take away from that, this poor Michael Spivey who got cited at Def Con
and Rick Dale of University of Memphis and Cornell University, there you go, what I take away from that is it's a flow, it's not so much that you stop doing something, it's not like chunked up like general analysis is, it's more like this flow,
it's like this tie-in to human stuff. So, with that, that's enough of that crap, let's play with electronics. All right, so, this whole USB thing, so, it's going to light up here in a minute, I'll show you, the idea of these peripherals, I thought, well, if you have things like,
you know, USBs, Nerf shooters and Ninja detectors and LED Christmas trees, this huge market like ThinkGeek makes, you know, a lot of money on this stuff, if you have all this stuff that's hanging around your desk, maybe that's the place to put this. I started off this idea actually a while ago thinking that I was going to put it
in some little window in the side, like you put in maybe a little square or something somewhere on the screen. And that's all well and good except every stinking application just is like a, it'll just grab focus from you all day long. If you ever try to preserve something on the screen, unless you tap into some sort of OS call
like stay on top or, you know, whatever, you know, you're not going to be able to do that, it's just going to get thrown away. There's also like the dashboard icons and stuff, like you could flip to dashboard, but that's not always there, right, you have to hit the dashboard button, dashboard pops up, and I don't want this big flashing thing that says you got,
you know, you got owned like 20 minutes ago, you know. I'd rather have something, there's also like little widgets in the system tray where you have about five pixels to work with. So I thought, you know, I want something on the desk because, look, there's a lot of room around the desk where the laptop sits, okay, there's actually a lot of room there, so that's a good reason, another good excuse to do something with Arduino.
The crazy idea is I want to render network data on LED matrix in real time. Okay, I want to use things like color of motion, stuff that I can do, any creative whatever thing I can somehow put together to actually show what's happening, I want to get a feel for it, I want to tap into this pattern matching,
people are real good at this, I mean, it's like that thing where something's wrong with the car, I'm terrible at this stuff, I'm not a mechanic by any stretch of imagination, but I know that, you know, if something's going on and I turn the wheel a certain way and I get this little bit of vibration, I get this little bit of feedback, I notice that it's different, you know, maybe there's some cars that move a certain way
and some, you know, and you kind of get just, you just naturally sort of take in how this thing's working and you start driving around, you know, whatever, and then it starts vibrating, you know, hey, that's different. I think it goes back to the cavemen, it's like they came out and there's like seven buffalo out there and then they came out the same time next year and it's like there's two buffalo out there and it's like, dude,
it's time to get the hell out of here, you know, we got to find more buffalo. It's like this pattern matching, it's actually based on our ability to survive. I think it's a survival mechanism, to be honest with you. So, cereal box is the name of this thing, no cute name, anything. The word cereal box, like the cute version with S-E-R-I-A-L was taken by some, I don't know,
something out of the 90s, some other program. So, I just was like, well, hell, I just got cereal box. And the reason I call it that is because, I don't know, how many people in here like have read the back of cereal boxes? I mean, do you guys kind of know what I mean? I see some fans are like nodding, yeah, I know what you mean. I mean, it's just the most inane bullshit on the back of those things, you know.
It's like, why the hell am I doing the maze to get like, you know, the cocoa bird or whatever to the freaking, you know, so he can get his hookup at the end of this. I don't get it, you know, but I do it. Why? Why do I do this to myself? And the reason is, honestly, the reason is because it's there.
That's why. I wish I could tell you something smarter than that. I wish it was, I wish I could actually say that it's because, I don't know, something to do with my childhood and something that had to do with, you know, market analysis. But it's just because it's there, okay. And the thing is that we're big on that.
If it's there, we'll play with it. And that's what I want. I want this thing to be there, right. I want it to be in the background. I want it to be something we can kind of see out of the corner of our eye. That's why I call it, by the way, cereal box, in case, you know. So pattern detection, it lets us see the variances without digging in. It's just enough.
It's just enough information. I can't, I mean, I got, you know, I'll show this here in a minute when I get it doing stuff. But I've got this much space to work with, okay. I've got a tiny, tiny little bit of space to work with. So I can't do all the things I would want to do. I can't see all the things I want to see. But maybe that's good. Maybe that's forcing me to think, well, what do I really need to see, right.
So I based it on the Arduino Uno, which is real cool. It's a little board based on a chip called the Atmel ATmega328. I'm not a hardware hacker. I have any stress in my imagination. These tools are really nice. Makes it really easy to do this stuff. It's an 8-bit CPU. It's 16 megahertz, so pretty powerful. But I'll tell you, it's got 32k of flash,
which means that's how big your program can be once it's compiled. But it's only got 2k. It's got 2k of SRAM, which is a real, real interesting thing, especially if you're going to do anything, you know, kind of higher end. You definitely will push that pretty much with any project you do. 2k SRAM, what that means is that's how much space you actually have to
actually do your stuff, right. That's where you store your dynamic data structures. Your static data structures, those can sit in flash. You can access those at run time. But your static, your dynamic data structures, which of course, network data is anything, you know, if anything, it's dynamic.
You have to store that in your SRAM. USB power. There's a consumer communication with a chip. It's called, it's the ATmega8U2. The only reason I bring that up is there's no hardware handshaking. So those of you who go back to the modem days, it's like, I'm sitting here in 2001, and I'm talking about this hardware.
And RTS CTS would be like a feature. I almost had to write X on X off on this thing. But I could, as you know, you can't, I mean, I'd have to flash the thing, and I don't know how to do that. So basically, I just made it run kind of slow. I decided, well, at that point, I remember 9600 baud was pretty good. It's pretty, you know, that's the speed that it's kind of rated at,
or comes at by default. So I just figured, well, anything I do, I'm gonna keep it inside of this window. One of my limitations is 9600 baud. You can get that for about 30 bucks. There's also something called a color shield. This is a really cool little thing. This is something that, the things for Arduino are called shields. So when you see the word shield, that means that's an add-on board for the Arduino.
And this one is a shield that has a chip on it to control LEDs. So it makes it very easy. You'll see a lot of, if you go on to YouTube and you type in Arduino LEDs, you'll see a lot of wire wrap and breadboards and stuff, where people are doing a lot of cool stuff,
but they're having to do it all manually and hook all this stuff up together. This makes life a lot easier if you're gonna play with LEDs, with blinky lights. IT Studio sells it for $15. It's, and they also sell a multicolor LED matrix for about 21. So at the end of the day, we're at about 66 bucks for this, so not too bad.
I mean, if somebody picked this up and started making a whole bunch of them, mass producing, probably get it down really cheap, you know, probably produce something like this for 10 bucks or something. But for hobbyist electronics, you know, that's not too bad. And you can do a lot of other stuff with this. It's a nice thing. You're not just stuck with whatever this is. So the design goals have to be simple, have to, I'm gonna send stuff from the host.
The host, of course, it can't sniff. It's just USB. So I have to have a sniffer on the box, on my own box. But then the sniffer's going to send that data, whatever data I'm interested in, over the serial link, and it's gonna render it on the Arduino. Serial box, the code that's running on the Arduino, is in charge of rendering that to the screen.
Okay, that's its job. Its job is to render anything I send it to the screen. I have 2KS RAM, minimal data processing, should be easy. I want you guys to be able to play with this. The source code, you already have it. This is kind of fun. I don't know if you know this, you already have this. It's on the, the source code for it is on the Def Con DVD.
So you actually have it right now. So I was hoping, I'm kind of glad that not everybody got up and left. I thought maybe that was gonna do it. So I saved it to the middle, but I think we're okay. So data points, here's what I'm sending. MAC address, IP address, TCP or UDP port and country code.
Here's the, here's what it looks like. Okay, this is, so I can say I wrote my own protocol, but really all I did was I just took like, one was open, two was closed, and then I just put a bunch of other stuff in hex, separated by commas. So if you could call that a protocol, yeah then. So when I'm trying to show off in front of the girls, I say I wrote my own protocol.
But really, you guys know the truth. It's just, it's just nine, it's just that many characters, however many characters that is, across serial link. All that stuff's already there. By the way, basic C, good enough. I know you guys are getting antsy to see some stuff. So by the way, text processing in C, this is the kind of thing
that where I'm kind of a purist, and I always think, well, or I think of myself as a purist, which is probably completely false. But I think of like, man, why do we have all these high level languages like Java and Ruby and all this stuff, when I could just be programmed C, and it was like the good old days, and I really, really want to just take advantage
of every little register on my processor and do everything super fast. And you kids these days, and all that kind of curmudgeon-y stuff. But then you actually sit down. It's like, OK, rock star, now you have to process a string in C, right? And it's like, oh, son of a bitch. So this is the thing.
I mean, you just see a lot of this kind of stuff. It's probably full of God knows what security. Somebody's going to like totally pwn your cerealbox. But it's basically just taking one character in at a time, going through the ASCII table. I have the ASCII table in dot com or whatever in my bookmarks
now, and just staring at it. So this is the cool stuff. Colorduino library. It's a huge help in dealing with the LEDs. Setting an LED. So for those of you who are trying to figure out how to do this, it's very simple. There's some basic code there to do it. If I want to set coordinate 3, x3, y8 to blue,
I'm going to do set pixel directly. Or I could do it using a pointer and do increment. I didn't write this. This is by this dude, Lincomatic. And he's awesome. I sent him an email, let him know I'm going to be doing this talk. So I sent him a recording of this. But I was just very impressed with it.
It's a very, very cool library. This is something I did. This was kind of my contribution, right? I had this problem where I only have 32K of flash and 2K SRAM. I didn't want to store a big stack table in memory to convert country code. You're going to see why this is important here
in a minute, to RGB values. So what you're going to see is one of the views. There's two views I'm going to show you. One view is going to show you all the connections that are on. It's going to fill up the matrix, the LED matrix, with all the different sessions that are being done by the machine.
It's going to color code them according to what country, using GeoIP, what country I'm talking to. How I did that was basically took the country code and using the random thing that's inside of C, I just kind of made up a color on the fly. The random is pseudo-random, so it's not really random.
It's always going to be the same. So once you learn the color for a country, and oddly enough, US was green. So I thought that was kind of interesting. But some other countries were red, and you'll find those out on your own. But it was kind of apt, I'm just saying. So just the way that it worked, you just sort of realize
how basically, yes, that's US, because I've memorized that. I don't even have a list. I couldn't give you a list. I would have to actually send all the country codes to this thing to give you a list of all the colors. It's going to do it on the fly, but it's always going to be the same. And then, so yeah, the first letter
turns to green, the resulting green, and it turns into blue and all that stuff. OK, so now is the part of the talk where I try to show you how this works. First, what I'm going to do, so here's the challenge. As you can see, I was wearing a shirt there. Don't let them fool you, OK? It's just V-neck or something.
It was late at night, but here's my main problem. You can't tell what the hell's going on there, right? I mean, the whole thing is that it's all blown out. So this was the challenge. I was like, how am I going to go up in front of Def Con? I'm going to show these guys how this works. So I'm going to do two ways.
I'm going to show it on there and just kind of do the little hold it up, like show and tell in front of the school thing. And then I've got a movie that will show up on the big screen where I found this old camcorder. It's like the only way I could do this. The old camcorder had like an exposure switch, and I could turn the exposure way down. It actually looks real good. So let me, now I worked this out with the AV guy.
We'll see if this works here. OK, cool. So let me jump over here. Here's what I'm doing. Basically, this is a Perl script that comes with it.
It's also on the DVD. I'm doing Perl. Let me make this a little bigger. Perl-cbl, it gives you usage if you don't know how to do it. The interface, the IP, the source IP, and the actual serial port that it's going to talk to.
So remember this is going over serial. It's actually serial emulation over USB. I guess it's not really emulation. It's actual serial. But so Perl, cbl, blah, blah, blah, and get that going. And then from there, down here, I'm just, I'm doing the TCP replay thing.
So what should happen, if we're lucky, and the demo gods don't frown on us, there we go. OK, so what's happening here is I'm doing a TCP replay from some PCAP stuff I recorded. And what's happening is every time something comes up, it's going to render it to the screen. Actually, I think I picked the wrong one.
But you can kind of get an idea of what this looks like. Actually, I think this is about to freak out. I picked the port scan one. I think I picked the port scan one. Yeah, I picked the port scan one. So it just kind of, well, OK, now. So you spend $66 on this thing, and everybody comes by your desk and like, really? Seriously?
OK. So let's try another one that's not quite as crazy as that. Actually, I stopped the wrong thing. I worked through this stuff like 20 million times, and then I get up here and crap all over myself. Let's do browsing.
Browsing sounds good. So let's start up our daemon again. It's real simple to reset itself if you stop it. Just give you a feel for playing around with this stuff and how this works. So don't worry. Guys in the back, we're going to show it on the big screen here in a minute. But just to give you sort of a feel, right? Again, it's going to be much better on the screen,
because on the screen, you can see what I'm doing, and there's this analog. And remember, this is all about comparing and pattern matching. But what's happening is, as I connect to different websites, the lights are turning on, lights turn off. As connections open and close, they're turning. Here we go. Here's some more, some more. And it's just kind of floating around like that. So that's view number one.
This sits on your desk. You have 128. You have 128 lights, actually. It's two screens of 64. So if you go over 64, what will happen is, and I hope I'm not underserving anyone here. This is kind of a wide room. But the lights will, if it goes over 64, you'll start getting two different screens.
It'll switch back and forth using a timer. So I'll just set that there and let it sort of just, see, it's kind of like active right now, like I was doing a whole bunch of stuff there. So it's just, oh, there's some blue. There's some blue. There it flipped over to the other screen. OK. So you see, I get really excited about that. I have a hard time setting it down.
So now we'll show the movie. And the movie will help. Let me see here. So first one is the session. This is where we're doing the session view. So again, very similar to what you just saw in real code in real time. So zooming in here, this is the Arduino IDE.
So this is going to, this is where you type the code. If you want to write code, I mean, you can type in whatever you want. But this has the upload button. It's actually handy. You push the upload button, you send it over to serial. And then it flashes the Arduino with the code from the thing.
So then coming over here, there's our Perl script thing. Again, you just fire that off. Really the only argument is just getting it set up. And then from there, I'm going to pan down. And this is much easier on the eyes. You can see the little guy start to fill up there. So there's some stuff going on.
So if your network card was a giant modem and it had LEDs on it, I think this is something like what it would look like. And so then I zoom out a little bit. And you start seeing where I'm browsing the web and doing other stuff. I'm trying to be cognizant that this is being presented at DEFCON. So I'm going to kind of unoffensive sites and things
that don't have my session key in the URL. I also cleared out the Google search window ahead of time. And so, yeah, pretty much, pretty boring stuff here. But there is something coming up that is particularly interesting as far as like the country code.
You notice everything's green. So all the stuff I've been going to is in the US. So here in a second, it's going to go. And we can just kind of keep talking. It's going to go to another country. And we'll see how the lights kind of change. So you notice that as it's just sitting there, nothing's happening. This is kind of interesting. Interesting to me, anyway, that these connections
stick around as long as they do. They all went away. That's just the way the web servers work, right? They have that connection open thing. You're connecting to Apache. It's leaving the session open for a while. It's preserving its connection pools. Here we go, here's some blue, some blue. You're going to tell other people out there talking to me like, there was this part. And he hit something, and it was blue. It was awesome.
And so that's because I went to BBC UK. So you see there's still a smattering of other things. It was like green and blue. And Tiger Woods is on there. And then there's a guy with a frowny face, so I had to click on him. And that wasn't at all what I was expecting, by the way.
So basically, this is the thing, right? This is the session thing. OK, so that's cool. Now, back to, let's see if I can get back here. This is going to be the trick. Cool.
OK, so data storage. So how am I doing all that? Well, I do store it in an array. It does have to know. See, I was trying to make it as stupid as possible. I was trying to make the Arduino as stupid as possible. I was trying to make Perl script as stupid as possible. I just want everything to be stupid, right? I was just trying to make everything stupid. So I couldn't do that, because the Arduino
had to be smart enough to know, when I say close, where it's at, right? I have to be smart enough to know that I'm going to close the session. So how would I do that? I store the IP in the port in an array. There's nine bytes per array. I had to do the math. It came out to like 1.2k. I was like, oh my god, I took up 1.2k. That's such a beast.
It's like bloatedware, you know? So there's the array, multidimensional. Isn't that awesome? Say multidimensional. It's different positions of the LED matrix. And then I've got a little 2 hex command I wrote in there, a function to convert this stuff over.
So that's some code there. Meter mode. So I said there's two views. Meter mode is the next one. Let me go ahead and show you that. Think about, so this is the other thing I was thinking. And again, the main thing here is just try to get you being creative. I mean, the whole idea of this talk
is, OK, I did the session view. I did the meter mode. I want you guys thinking, or somebody smarter than me to say, hey, what about this mode? What about this view? What about this view? And it's all kind of stuff we could do. This is, and this is still on here. This is, you know, I just realized this is still running, right?
So I probably lost most of you. You're probably like staring at that thing. It's just distracting. Oh, here we go, so meter mode. So now we're going to upload the meter code. There's two different programs. I originally had them combined into one program. One thing was that when I combined them
in the same program, I think I ran out of SRAM. You don't know, except that the blinky lights start doing like some kind of stroby, nasty thing, I think is the scientific term. And it just, like, I'll tell you what. When this thing freaks out, it freaks out hard. It's kind of cool, because I want to go back and just see all the different ways to freak it out.
OK, what this is, what my recording self is trying to show you here is that the different things you're going to see, think about an equalizer view out of like the 80s or something, like your old stereo system.
It was really cool when you got a stereo system and all of a sudden it shows up and it's like, wow, I can see the notes. I can see the bass and I can see all the treble and I can see the notes and they're jumping up and down. Of course, that was a whole other stage of my life, right, where I sat in front of one of those all day. So this was where I took it, which is this stuff here,
we've got eight, so if we got an eight by eight matrix, we got eight lines to work with. So I'm going to define web, DNS remote, mail file. So these are different things, so web traffic, 80, 443, DNS traffic, remote protocols, like RDP, SSH, mail stuff,
like POP3 and SMTP, file protocols. I also put Kerberos and things you would use to get logged into your domain controllers or whatever in there. So enterprise file sharing, whatever stuff. And then if it doesn't match that, it's an under 10. Under 10 is exclusive with those other things. If it's some other port under 10, 1,000, other 10,000,
don't mean under finger or whatever it was, but under 10,000 is probably, I'm completely wrong. Somebody's like, no, it's not 10, somebody do it. So under 10, under 10,000, and then over 10,000 is going to be the other one, and then local is the only one
that will pop up in addition to the other ones, because if it's on local link, then it'll fire up there. So that's that. And actually, you know what I'm going to do? I'm kind of getting out of my own rule here. What I'm going to do before I do that is upload the, yeah,
I'm going to upload it to the board we're playing with here, so I'm going to control C that. I got to get off of the serial before I upload the code there, or bad things happen. So this is my other program. Originally, I had them both, like I said, originally I had them combined. There actually is a way to combine these.
You can do that. It's possible. It's definitely possible. The thing is that the, I didn't like the fact that my session view was getting clobbered by my meter view. So here's the meter view, OK, to give you an idea. Each of these be in different color. The colors we just looked at, you can define them however you want in the code.
But basically, those little guys are going to jump up and down based on what kind of traffic you see. So let me run same, really it's the same, I could do the same TCP replay thing. Let's fire this up again. It's going to reset, turn on, load up,
and then I'm going to replay that. And so what you're going to see is stuff start jumping up and down. So you notice Web is jumping up and down there. Don't worry, I'm going to show this on the big screen too. Web is jumping up and down a lot. You're going to see DNS, number of things just sort of,
actually I think I turned off DNS. This is something that's important about this program. I actually made DNS an option. There is one more little option here because I noticed that if you put DNS in the session view, you're just going to get flooded with DNS in there because your machine just fires those off like crazy. So actually, I'm going to do a redo here and add
the flag DNS so that you can actually see the DNS. There we go. And you notice that the white thing is jumping up and down too as the DNS is jumping up and down. Well, that's because the DNS server is on my local network. So anything that's a DNS session is also going to be a local session. So let's show the big screen here.
So let's see. So there, see my recording self is a lot smarter than Def Con's self because he remembered to put DNS in there. And actually, he's kind of flaunting it because he highlighted it. You see that? That guy's kind of a bastard. So here's the meter.
And there we go. So we're rocking out to DNS. We're rocking out like this. The bass is hitting. And somebody's just wailing the guitar. And so then you hit the different stuff, like I'm showing my kind of friendly web browsing here.
There we go. So you notice, now remember that this is session-based. If I sent every single packet over this link, it would be a fire hazard, right? So I can't send every packet. I have to send over 9600 baud. I have to send the link data. So you might be browsing and be opening up a bunch of pages on the same site. You'd be stupid, no, Steve, this shit doesn't work.
And it'll be like, no. And then you got to remember that I said this, that it's only when you open up a new session. So if you go to another page, then it'll start working again. And hopefully, it'll be off the hook. So there's just, like I say, just some generic browsing going to different sites. So that's kind of fun. And then I think here somewhere,
I start to get into another protocol. So again, now at this point, let's see. So there's some stuff. You know what that probably is? That's probably Skype. Skype is actually a really chatty son of a gun. What you'll see, too, this was actually kind of fun while I was working on this. I actually had it going a lot of times as I was working.
I just sort of have it going on the desk. And actually, I got really attached to it. I go to bed with it at night now. So but the thing is that what you'll see is we have a dispersed team. And somebody over from Sao Paulo, my friend Rodrigo, will send me a message. Oh, there's me doing, there it is, remote desktop.
I know you guys would appreciate this. There's no CA, right? I thought you guys liked that. So look, there's some other colors. And then I think that one was purple. So then you can say, then after it was blue, it was purple. So then it goes to remote desktop because you get the picture.
You get different file sharing stuff. You get different colors based on what you're doing. So the whole thing is it was fun with the session view. What I would see is if Rodrigo was about to send me a message, is that thing that says, Rodrigo is typing in Skype. And so before I even knew Rodrigo was sending me anything,
I would see the color for Sao Paulo, for Brazil, which is magenta, it would show up. I'd be like, ah, Rodrigo is going to send me a message. And bam, Rodrigo sent me a message. It was really cool. And then it was like, my other buddy, Tom McKenzie, over in the UK says, he's going to send me a message. And all of a sudden I see blue. I'm like, ah, Tom McKenzie is going to send me a message, right? So that was kind of fun.
It's kind of cool. You actually learn a lot about how your different protocols work. Oh, here we go. I didn't show you this. I should have been talking about this. This is the whole thing, right? This is why this is kind of interesting. Security, this is the security application. What I'm doing here is I'm going to actually launch a port scan.
So it didn't really zoom in. I probably should have zoomed in there. Maybe I did. No. So I did an nmap. Up there in the corner, left hand corner is an nmap. And check it out. Holy crap, the thing's pegged. This is that part where it's like, I turn the car and it makes a funny noise. And I don't know what the hell is going on. And something's wrong. And you start talking about warranty. And you look at the fine print.
And you realize you're out $1,000. But this is that part where you know something's different, the pattern matching thing. It doesn't usually do that. If I was in a call center and I had no idea about computers, I had no idea about networks, I could stand up and say, something's effed up. Something's wrong. The blinky lights, they're doing weird shit, man.
So now we get to the fun part. Now we get to see. OK, we get to see something cool here in a minute. This was my thing about no handshaking. Message size 32 bytes, 37 messages per second
is probably about the most we can get. There is another thing, the great thing about embedded. The great, awesome, wonderful thing about embedded is anytime you have a really, really difficult computer science problem or whatever, you talk to people and they're like, disks are cheap. Processors are cheap.
Computers are cheap. Let's just solve it by throwing just a whole bunch of really, really heavy instructions at it and it gives a crap so I can go make it a happy hour. So that's not the case here, right? It's almost like playing Sudoku or something. It's a puzzle. You have to figure out, from the beginning, you're screwed.
You know that you have to be very, very careful and you have to be performance conscious from day one. So you have to do the math, do the 9600 baud, two bytes, and I have nine bytes or whatever. I did the math. I could get about top end, 37 messages per second, probably realistically only about 32 messages per second. So the other thing was in session mode,
I had this thing that, this concept that you're gonna hit a ceiling and the problem is you're gonna fill up 128 lights and then you're not gonna know if you're getting port scanned. I really want that whole thing about, oh man, something's screwed up, right? I want that concept. So I made something called Inferno Mode. Inferno Mode is this meter that needs to,
that basically keeps track of how many connections are coming in and I preferred, I was thinking preferably something's kind of psychedelic. At least if you're getting totally owned, you could be like, whoa, cool, look, man. My blinky lights are like, oh, fucked up. So overload detection, right?
Define overload 90. You can define this whatever you want. That's conservative. This is a very conservative number. If the number of commands is over OVERLOAD, mode nine is the bad one, right? So I'm down to five here. So I think this is actually gonna work out just about right.
Here comes Inferno Mode. Port scan. So we're just gonna nmap ourselves. You know, it's a good example. It's reconnaissance. Somebody's doing reconnaissance. Okay, so yeah, just one, three, six, five, five, three, five.
Da, da, da, da, da, da, da, da, da, da, da, da.
So I will let you know, I didn't do the plasma effect but I did the frowny face, okay? Yeah, so that's the whole thing, right? So I think that's kind of the international symbol of you're screwed, right? Actually, I tried to put, it's pretty sad because you don't have a lot to work with.
You know you're kind of screwed when you don't even have enough room to write LOL. So that is the high point. From there, just so you know, the little thing about the Perl script
I'm running on here, it does work on Snow Leopard which is cool. It does work on, of course, Linux, BSD, whatever. It's just Perl. Had a little bit of trouble getting to work on Windows. I think I'm gonna take another stab at that because I think, you know, to make it universal we gotta get Windows in there too. So I'll probably be putting something on the website about this, all open source, of course.
Fairly simple, it's using GeoIP. I tried to keep it to a minimum on the requirements of Perl scripts so hopefully it's not too hard to get going. There's only two messages, open and close. You can make your own. You don't have to use my Perl script. All it's doing is it's doing what, you know, you could do this in Ruby, Python. You could hook Scapy up to this thing.
You could do whatever you want as long as you can talk to the serial port over 9600 baud and send those funny little messages that we were talking about earlier. Heck, you could take the cerealbox code, figure out, you know, how it works, how a network engineer would approach this problem and change some stuff. The other ideas I had were like maybe you could make an Ethernet version of this. There is such a thing as Ethernet shield.
It would eliminate the whole USB thing but honestly I think it would probably be really, really poor performance. So I don't know about that. Maybe there's better host-side programs. Of course the most important one is bigger LEDs, right? That would be the big feature add there. And there's some links.
So what do you think? Pretty cool. So not so bad.
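The pieces the talk walks through (the two-command serial protocol, the per-LED session table, the country-code colouring, Inferno Mode's overload count and the meter-mode port groups) are modelled below as one added example in plain C that compiles and runs on a PC. It is not the cerealbox sketch or the Perl script from the DVD. Everything beyond what the talk states is an assumption and marked as such in the code: the exact wire format `<cmd>,<mac>,<ip>,<port>,<cc>` with hex fields, the 4 + 2 + 3 byte slot layout, the port lists behind each meter row, a one-interval overload window, and a fixed LCG standing in for the platform-specific `rand()` the talk seeds with the country code.

```c
/* Added example modelling the cerealbox design from the talk; not the project's
 * own Arduino sketch or Perl script. Assumed wire format (the talk gives only
 * its shape): "<cmd>,<mac>,<ip>,<port>,<cc>", cmd 1 = open, 2 = close,
 * mac/ip/port as hex, cc a two-letter country code. */
#include <stdint.h>
#include <string.h>

#define MAX_SESSIONS 128   /* two 8x8 screens of 64 LEDs */
#define OVERLOAD      90   /* opens per interval that switch on Inferno Mode */

/* Meter-mode rows, one bit per matrix row (the port lists below are assumptions). */
enum { M_WEB = 1, M_DNS = 2, M_REMOTE = 4, M_MAIL = 8, M_FILE = 16,
       M_UNDER10K = 32, M_OVER10K = 64, M_LOCAL = 128 };

typedef struct {
    uint8_t  in_use;
    uint8_t  ip[4];
    uint16_t port;
    uint8_t  rgb[3];   /* assumed slot layout: 4 + 2 + 3 = 9 bytes per LED */
} session_t;

static session_t sessions[MAX_SESSIONS];
static unsigned  opens_this_interval;

/* Deterministic colour for a country code. The talk seeds C's rand() with the
 * code; rand() differs between platforms, so a fixed LCG stands in for it. */
void cc_to_rgb(const char cc[2], uint8_t rgb[3]) {
    uint32_t x = ((uint32_t)(uint8_t)cc[0] << 8) | (uint8_t)cc[1];
    for (int i = 0; i < 3; i++) {
        x = x * 1103515245u + 12345u;
        rgb[i] = (uint8_t)(x >> 16);
    }
}

int same_colour(const char *a, const char *b) {
    uint8_t ra[3], rb[3];
    cc_to_rgb(a, ra); cc_to_rgb(b, rb);
    return memcmp(ra, rb, 3) == 0;
}

/* Read one hex field up to ',' or end of string, then skip the comma. */
static uint32_t hex_field(const char **p) {
    uint32_t v = 0;
    for (char c; (c = **p) && c != ','; (*p)++)
        v = (v << 4) | (c <= '9' ? c - '0' : (c | 0x20) - 'a' + 10);
    if (**p == ',') (*p)++;
    return v;
}

static int find_session(const uint8_t ip[4], uint16_t port) {
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (sessions[i].in_use && sessions[i].port == port && !memcmp(sessions[i].ip, ip, 4))
            return i;
    return -1;
}

/* Handle one serial message. Returns the LED slot touched (where the sketch would
 * call SetPixel), or -1 for a bad command, a close of an unknown session, or a full table. */
int handle_message(const char *msg) {
    const char *p = msg;
    uint32_t cmd = hex_field(&p);
    if (cmd != 1 && cmd != 2) return -1;
    (void)hex_field(&p);                           /* MAC: sent, not rendered */
    uint32_t ipv = hex_field(&p);
    uint8_t ip[4] = { (uint8_t)(ipv >> 24), (uint8_t)(ipv >> 16), (uint8_t)(ipv >> 8), (uint8_t)ipv };
    uint16_t port = (uint16_t)hex_field(&p);
    char cc[2] = { p[0], p[0] ? p[1] : 0 };        /* country code field */
    int slot = find_session(ip, port);
    if (cmd == 2) {                                /* close: free the LED */
        if (slot >= 0) sessions[slot].in_use = 0;
        return slot;
    }
    if (slot >= 0) return slot;                    /* repeated open: keep the LED */
    for (slot = 0; slot < MAX_SESSIONS && sessions[slot].in_use; slot++) ;
    if (slot == MAX_SESSIONS) return -1;
    opens_this_interval++;
    sessions[slot].in_use = 1;
    memcpy(sessions[slot].ip, ip, 4);
    sessions[slot].port = port;
    cc_to_rgb(cc, sessions[slot].rgb);
    return slot;
}

/* Inferno Mode check, assumed to run once per timer interval: true when the opens seen since the last check exceed OVERLOAD. */
int inferno_tick(void) {
    int overloaded = opens_this_interval > OVERLOAD;
    opens_this_interval = 0;
    return overloaded;
}

/* Meter-mode rows: exactly one non-local row, plus LOCAL for a link-local peer (host-side logic in the talk). */
unsigned meter_rows(uint16_t port, int is_local) {
    unsigned r;
    switch (port) {
    case 80: case 443:                       r = M_WEB;    break;
    case 53:                                 r = M_DNS;    break;
    case 22: case 23: case 3389: case 5900:  r = M_REMOTE; break;
    case 25: case 110: case 143: case 587:   r = M_MAIL;   break;
    case 88: case 139: case 389: case 445:   r = M_FILE;   break;
    default: r = port < 10000 ? M_UNDER10K : M_OVER10K;
    }
    return is_local ? r | M_LOCAL : r;
}
```

The slot index that `handle_message` returns is the only thing the rendering side needs: on the real board it maps to an (x, y) on one of the two 64-LED screens, and the `rgb` stored in the slot is what gets written there. Feeding a burst of distinct opens through the same path is what pushes `opens_this_interval` past `OVERLOAD` and flips Inferno Mode, which is the port-scan signal the talk is after.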