Flipping Bits on NSRL

ShmooCon XVI - 2020

Presented by: Billy Trobbiani
Date: Friday January 31, 2020
Time: 19:30 - 19:45
Location: Firetalks

The National Software Reference Library (NSRL) is a project run by NIST, where they collect and archive file hashes for operating system files. These enormous data sets could not be queried with ease until 2011 when the NSRL Server (nsrlsvr) and NSRL Lookup (nsrllookup) tools were produced by Robert Hansen and posted on GitHub. The tools were largely designed for forensics professionals to compare files in their custody to system files designated as known-good by NIST. In 2019, I thought I would test out the application and see if there was room for the abuse of implied trust between the lookup tool (nsrllookup) and the server (nsrlsvr). Developing a man-in-the-middle capability, I was able to alter the responses from the server to give false and erroneous information. This presentation is to showcase the evolution of this project with code samples/tools/infrastructure that made it possible.

Billy Trobbiani

Billy Trobbiani (@billycontra) is currently a threat hunter that works for IronNet Cybersecurity. In his past, he has spent thirteen years working at the Department of Defense in a variety of roles involving the expenditure of $1.7B on contract vehicles to leading operations against state-sponsored intrusion sets. He holds a Master of Science in Computer Science from Johns Hopkins University and the top score on Q-Bert at Crabtown USA. Action figures sold separately.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats