skip to main content

DEF CON 24 Hacking Conference

DEMO LABS

DEMO LABS

The DEF CON Demo Lab is a dedicated area for hackers to show off what they have been working on, to answer questions, and even coax attendees into giving feedback on their projects. Demo labs will be held in the grand salon of Bally's on Saturday, August 6.

10:00-11:50

12:00-13:50

14:00-15:50

16:00-17:50

WebSec: a cross platform large scale vulnerability scanner

Dragos Boia

This demo shows the architecture and implementation details for WebSec, a dynamically scalable system that benefits from a modular architecture that allows scalability to millions of endpoints that can be receiving hundreds of tests. WebSec addresses the need of scaling up to test multiple sites, including some of those with the top traffic and largest attack surfaces on the Internet (like Bing and MSN) and also identifying vulnerabilities in connected applications that make use of online services for their functionality.

Dragos Boia is currently a Senior Software Engineer for Microsoft. Has almost 2 decades of experience in designing and building software. His experience range from security, machine learning, big data to distributed systems. Currently focusing more on security and distributing systems. He holds several patents. He has a B.Sc and a M.Sc in Math/Computer Science from the University of Bucharest in Romania.

Boscloner - All in One RFID Cloning Toolkit

Phillip Bosco

The Boscloner is an All in One RFID Cloning Toolkit designed to make RFID badge cloning during a penetration testing engagement trivial, accessible, and lightning fast. The Boscloner’s core functionality set revolves around its ability to capture RFID badges from three feet away, automatically clone the captured badge (in seconds!), and allow the penetration tester to reach into a pocket and pull out a cloned and fully functioning badge providing instantaneous access to a restricted area. Access granted!

With its open source nature, high accessibility, and focus on furthering the security industry through community collaboration, the Boscloner has become the new golden standard for RFID penetration testing engagements.

Phillip Bosco possesses over 10 years of experience information security via both commercial and government positions. While currently employed as a Senior Security Consultant for Rapid7, Phillip’s previous employment includes the United States Marine Corps as a Cyber Marine and CSC as a penetration tester. Phillip is active in research, focusing primarily on social engineering and physical security. During his research into home security systems, he discovered a flaw that allows malicious individuals to break into a house without triggering an alarm and the attack works against multiple vendors. His discovery has captured the media’s attention by such publications as Wired Magazine, Washington Times, NetworkWorld, ArsTechnica, ZDNet, CSO Online, InfoSecurity Magazine, The Verge, and more. Phillip is scheduled to complete his Master’s Degree in Information Security Engineering from SANS Institute by the Fall of 2016. Phillip holds the following information security credentials: OSCP, OSWP, CISSP, GSEC (Gold), GCIA (Gold), GPEN, GWAPT, GCIH, CEH, ECSA, CNDA, A+, Network+, Security+

Automated Penetration Tooklit (APT2)

Adam Compton

Nearly every penetration test begins the same way; run a NMAP scan, review the results, choose interesting services to enumerate and attack, and perform post-exploitation activities. What was once a fairly time consuming manual process, is now automated!

Automated Penetration Testing Toolkit (APT2) is an extendable modular framework designed to automate common tasks performed during penetration testing. APT2 can chain data gathered from different modules together to build dynamic attack paths. Starting with a NMAP scan of the target environment, discovered ports and services become triggers for the various modules which in turn can fire additional triggers. Have FTP, Telnet, or SSH? APT2 will attempt common authentication. Have SMB? APT2 determines what OS and looks for shares and other information. Modules include everything from enumeration, scanning, brute forcing, and even integration with Metasploit. Come check out how APT2 will save you time on every engagement.

Adam Compton has been a programmer, researcher, professional pentester, and farmer. Adam has over 15 years of programming, network security, incident response, security assessment, and penetration testing experience. Throughout Adam's career, he has worked for both federal and international government agencies as well as within various aspects of the private sector.

OWASP ZSC Shellcode

Johanna Curiel
Ali Razmjoo Qalaei

OWASP ZSC is an open source software in python language which lets you generate customized shellcodes and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX under python.

Johanna Curiel is software developer with emphasis in secure coding. She is an active OWASP volunteer and has mainly worked in the area software development, testing and quality control. She understands different types of programming languages such as Java and PHP and different types of scripting languages.At the moment she works as an independent security engineer and researcher, living in the Dutch Caribbean.

Ali Razmjoo Qalaei is the OWASP Iran Chapter leader and architect of OWASP ZSC tool . He recently graduated from the University of Sadra University - Tehran, and right now works as the Chief Technology Officer at Faranegar Knowledgeware Company (FaraSecurity) in Iran

DEF CON Wireless Collection Service (DCWCS)

darkmatter

Lots of information is encoded on electromagnetic radiation, especially WiFi. The aim of this project is to listen to the WiFi bands (2.4gHz/5gHz) and see if we pick up anything interesting during DEF CON. This presentation will discuss the hardware decisions, what software is used and how to build and configure your own WiFi monitoring devices so you too can begin passive mass surveillance using WiFi. And yes, we are listening.

darkmatter is a hardware and software hacker. His skills include generating electron-hole pairs, reverse engineering, web stuff, rainbow team 4, and wifi. He thinks he's a computer scientist.

minimega

David Fritz
John Floren

minimega is a tool for setting up large networks of virtual machines. It simplifies the process of specifying & launching VMs, connecting them to networks, and managing the virtual machines as your experiment progresses. Emulate a full corporate network complete with Windows infrastructure, or replicate a portion of the Internet, including the backbone itself. minimega is faster and easier than OpenStack and requires essentially no configuration to set up. It can even self-deploy itself across a cluster to expand your experiment.

David Fritz and John Floren are researchers at Sandia National Laboratories. Their work in Emulytics focuses on new ways to emulate real-world computing environments in controlled ways for experiments in cyber security.

PKI for the People

Ze'ev Glozman

We are creating a public system that will monitor the public SSL infrastructure from user mobile or desktop endpoints and alert users to any intervention by a third party, be it state or non-state actor. We will be able to detect and categorize those changes as legitimate or illegitimate. This is an open source tool using a peer-to-peer network based on a mobile and desktop app. The tool will be available both as source code and as the actual application. This node net is used to audit and monitor changes in real-time to the global security infrastructure. This includes DNS records, IP addresses, domain names, certificate IDs, and public roots. The final product is an application able to tell a user, "Are you being mitm-ed right now?"

Ze'ev Glozman started working computers at a very young age in the Soviet Union. He was introduced to System V Unix at age 14. He used to work in healthcare technology, and his current focus is the public trust and public key infrastructure.

LAMMA (beta)

Ajit Hatti

LAMMA Framework (beta) aims to be a comprehensive suite for Vulnerability Assessment & auditing of crypto, PKI and related implementations.

Written in Python, LAMMA an extensible framework and supports automated assessments at large scale. LAMMA has 4 different modules to cover major aspects of Crpto-Implementations

REMOTE Module : Tests a Server TLS/SSL configurations and Public Certificate. It Checks for all known vulnerabilities from CRIME, BEAST to OFF by 20. + it has unique checks like certificate timeline analysis and detection of weak modulus.

CRYPTO Module : checks the various crypto primitives right from Random Numbers, Private keys, HASHes generated by any underlying framework (like Openssl, Java KeyTool etc) for Quality, Backdooring & Sanity.

TRUST Module : checks certificates in the trust stores of TPM, Browser, Apps to find any pinned, un-trusted certificates like "SuperFish". It also looks for stolen, insecurely stored private keys to avoid spreading of MASK APT like malware.

SOURCE Module : Helps to enforce "Cryptography Review Board" recommendations of your organisation. It uncover use of weak/backdoored schemes like "Dual_EC_DRBG" in Juniper's case.

Best thing of LAMMA is, its a command line and completely Open Source tool

Ajit Hatti is a founder of "SECURITY MONX" & author of LAMMA project, an Open Source Initiative to - improve security of Crypto Implementations & - better consume Cyber Threat Intelligence, which also is his primary area of research.

Currently Ajit is Principle consultant (Cryptography & System Security) with Payatu Technologies. He has worked as a Security Researcher with Symantec, Emerson, IBM, Bluelane Technologies in past & has presented his research at BlackHat, Defcon-CnPV & Nullcon.

Ajit is also a co-founder of "null Open Security Community", a hardcore volunteer and contributor through the community efforts of Null, Nullcon, SecurityTube.net & BSidesLV. Ajit is also a Marathon Runner and Organizes "World Run By Hackers" during these conferences.

Emo-Tool/OldYeller/Ransomware-Simulator

Weston Hecker

Emo and Old Yeller are tools that make your computer Immune to 26 different variants of Ransomware including SAMSAM Locky Cryptowall and Cryptolocker. these tools use sandbox evasion methods built into the malware against its self "Emo makes malware kill itself Oldyeller makes you crash your own system upon infection."

11 years pen-testing, Security Research, Programming. Speaker at Defcon 22, 23 and 24 Las Vegas, HOPE 11, TakedownCON 2016,B-sides Boston, Blackhat 2016, Enterprise Connect 2016, ISC2, SC Congress Toronto. worked on several opensource tools. Including Skimbad Anti-CC-Fraud Platform,Opencodec, Hacker tools such as "CompanyBAN" a AD automated company wide lock out tool. Several SDR tools, Reversing Engineering of Malware. Telephone DDOS tools. Open-CV. Hardware includes ATM Shimmers Anti-Skimmers, Gaspump (Anti)Skimmers and OldyellerUSB.

Deep look at back end systems of the future of credit card fraud

Weston Hecker

Taking a deeper look at the future of credit card fraud platforms including custom built carder site for sale of live skimmed data, Designing a "Blockchain" style deliver systems for live credit card data to Cash out devices. building a banking and credit processor back end from scratch. The DMVPN network design of the Carder site back end building "Lacara" and automating credit card cash out runs the devices behind the attack.

Weston Hecker 11 years pen-testing, Security Research, Programming. Speaker at Defcon 22, 23 and 24 Las Vegas, HOPE 11, TakedownCON 2016,B-sides Boston, Blackhat 2016, Enterprise Connect 2016, ISC2, SC Congress Toronto. worked on several opensource tools. Including Skimbad Anti-CC-Fraud Platform,Opencodec, Hacker tools such as "CompanyBAN" a AD automated company wide lock out tool. Several SDR tools, Reversing Engineering of Malware. Telephone DDOS tools. Open-CV. Hardware includes ATM Shimmers Anti-Skimmers, Gaspump (Anti)Skimmers and OldyellerUSB./p>

DNS Analyse

John Heise

Want to know who was patient zero from that recent phishing campaign? Or what about what’s going through that ssh tunnel? DNS is an integral part of all internet traffic both benign and malicious, despite this it can be ignored as a part of network monitoring in favor of more active protocols such as HTTP. This is a major mistake as a large amount of intelligence can be gathered from this single source, dns traffic can easily be used to determine information about hosts and users on a network and an essential tool for defending a network.

Utilizing packet sniffing libraries, open source queueing and storage projects a flexible monitoring system can be assembled relatively easily. With this tool in hand and some simple RPZ’s a security engineer can have more impact than most network analysis and prevention products on the market.

This presentation will cover a walk through of a design for dns monitoring system, then how that system can be used to watch for malware traffic, exfiltrating data on dns, and peering into ssh tunneled traffic, and finally how this system can be used to feed RPZ as a defensive mechanism.

John Heise has done operations work from many year prior to joining the LinkedIn Security team. Jon has also been involved in organizing Hack Fortress since its inception in 2010.

VirusTotalego

Christian Heinrich
Karl Hiramoto

VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware. Maltego performs link analysis of actionable Open Source INTelligence (OSINT) A set of Maltego Remote/TDS Transforms have been created which integrate with the VirusTotal's Public and Private APIs.

Christian Heinrich has presented at the OWASP Conferences in Australia, Europe and USA, ToorCon (USA), Shmoocon (USA), BlackHat (USA and Asia), SecTor (Canada), CONFidence (Europe), Hack In The Box (Europe), SyScan (Singapore), RUXCON (Australia), and AusCERT (Australia). Christian Heinrich has published Maltego Transforms for @haveibeenpwned and Taia Global, Inc that are available for free on the Transform Hub.

Karl Hiramoto has been working at VirusTotal for about two years. In that time he's worked on open source code available on github: (https://github.com/VirusTotal), working with partners, development of in house tools, and Mac OSX sandbox (http://blog.virustotal.com/2015/11/virustotal-mac-os-x-execution.html) work. Prior to joining VirusTotal, Karl worked, on big data mining, and embedded linux systems. www.linkedin.com/in/karlhiramoto

Graylog

Lennart Koopman

Graylog is a free and open source log management tool, aiming to be an affordable alternative to many expensive commercial solutions.

Lennart Koopman is founder and original developer of Graylog. Before that he was a software architect a XING in Germany.

HoneyPy and HoneyDB

Phillip Maddux

HoneyPy is an extensible low to medium interaction honeypot written in Python. It can be used as research or production honeypot and can easily be integrated with other tools for alerting and analysis (e.g. Slack, Twitter, Splunk, Elastic Search, etc).

HoneyDB is a web site that collects data from HoneyPy sensors on the Internet and publishes this data in an easy to consume format via APIs.

Phillip Maddux recently joined Signal Sciences as a Senior Solutions Engineer where his goal is to help organizations protect their web applications by enabling visibility into web application attacks and anomalies. Prior to Signal Sciences he focused on application security in the financial services industry. In his spare time he enjoys coding and experimenting with various open source security tools.

BurpSmartBuster

Patrick Mathieu

Bruteforcing non-indexed data is often use to discover hidden files and directories which can lead to information disclosure or even a system compromise when a backup file is found. This bruteforce technique is still useful today, but the tools are lacking the application context and aren't using any smart behaviour to reduce the bruteforce scanning time or even be stealthier. BurpSmartBuster, a Burp Suite Plugin offers to use the application context and add the smart into the Buster!

This presentation will reveal this new open-source plugin and will show practical case of how you can use this new tool to accelerate your Web pentest to find hidden treasures! The following will be covered:

- How to add context to a web bruteforce tool
- How we can be stealthier
- How to limit the number of requests: Focus only on what is the most critical
- Show how simple the code is and how you can help to make it even better

Patrick Mathieu is cofounder of Hackfest.ca the largest security event in Eastern Canada and has been involved in computer security for more than 10 years in the hacking community around Quebec, Canada for more than 20 years starting when he found text about hacking in the last online BBS. He is currently employed as Senior Security Consultant where he’s specialised in application security for both offence and defence currently assign to multiple webapp pentests and trainings. Patrick holds a Bachelor and College degree in computer science.

DataSploit

Shubham Mittal

-Performs automated OSINT on a domain / email / username / phone and find out relevant information from different sources.
-Useful for Pen-testers, Cyber Investigators, Product companies, etc.
-Correlates and collaborate the results, show them in a consolidated manner.
-Tries to find out credentials, api-keys, tokens, subdomains, domain history, legacy portals, etc. related to the target.
-Available as single consolidating tool as well as standalone scripts.
-Available in both web GUI and Console.

Shubham is an active Information Security researcher with 4 years of experience in offensive and defensive security, with interests in defensive security and OSINT. He has given training, conducted numerous workshops and delivered talks at local security chapters and multiple conferences, including Nullcon 2016, Blackhat Asia 2016, Null Delhi and Bangalore chapters, IETF, etc. In his free time, he loves to craft open source tools in python, and if the weather is nice, he loves to ride his bike. Twitter handle: @upgoingst

Dirt Simple Comms v2 (DSC2)

Tyler Oderkirk
Scott Carlson

Secure decentralized wireless text messaging using the Raspberry Pi Zero and LoRA modulation in the 900MHz band.

Tyler Oderkirk Fullstack Computer Security Engineer

Scott Calrson Systems Engineer (Mechatronics)

CuckooDroid 2.0

Idan Revivo

To combat the growing problem of Android malware, we present a new solution based on the popular open source framework Cuckoo Sandbox to automate the malware investigation process. Our extension enables the use of Cuckoo's features to analyze Android malware and provides new functionality for dynamic and static analysis. Our framework is an all in one solution for malware analysis on Android. It is extensible and modular, allowing the use of new, as well as existing, tools for custom analysis.

Idan Revivo is a Mobile Security Technology/Team Leader at IBM-Trusteer focusing on mobile malware, previously a mobile malware researcher at Checkpoint's malware research team. He has presented at numerous security conferences. He specializes in Android internals and sandboxing techniques. This includes automated static and dynamic malware analysis. He has a diverse security background, which includes vulnerability analysis and electronic warfare providing him with a broad and unique perspective on the cyber arena. Idan holds a bachelor's degree in Software Engineering, specializing in Mobile Systems.

CrackMapExec

Marcello Salvati

CrackMapExec is your one-stop-shop for pentesting Windows/Active Directory environments!

Written in Python and fully concurrent, it allows you to enumerate logged on users, spider SMB shares, execute psexec style attacks, auto-inject Mimikatz/Shellcode/DLL's into memory using Powershell, dump the NTDS.dit and much much more!

Equipment Requirements (Network Needs, Displays, etc): Internet connection is preferred but not necessary. 1 Display to clone laptop screen.

Marcello Salvati is a full-time pentester/security consultant at Coalfire Labs who has a passion for creating tools and eating Sushi in his free time. He is an active contributor to multiple open-source projects/tools such as Responder, Impacket, Kali Nethunter, the Veil Framework and has also created and been actively maintaining multiple open-source projects.

Addroid-InsecureBank

Dinesh Shetty

This is a major update to one of my previous projects - "InsecureBank". This vulnerable Android application is named "InsecureBankv2" and is made for security enthusiasts and developers to learn the Android insecurities by testing this vulnerable application. Its back-end server component is written in python. The client component i.e. the Android InsecureBank.apk can be downloaded along with the source.

Dinesh leads the Mobile Security Testing Center of Excellence at Security Innovation. He has performed innumerable penetration tests on Web, Mobile and VoIP technologies - however his core area of expertise is Mobile and Embedded application pentesting and exploitation. He is an accomplished author and speaker, and his research has been published in multiple security zines and sites like Packet Storm, Exploit-DB, PenTest Magazine, SecurityXploded, ClubHACK Magazine, and Exploit-Id amongst others

Disable Single Step Debug with Xmode Code

Ke Sun
Ya Ou

Single step execution is a very important debug function in modern computer programming for effective and efficient trouble shooting. How to stop single step is also a critical research topic from anti-debug perspective. During the research of xmode code obfuscation (code with runtime 32bit/64bit mode switch), we found a very interesting point that WinDbg is not able to properly carry out single step command under certain situation. We wonder what's the reason behind it, is it a WinDbg bug or due to something else? We made in-depth investigation to answer these questions.

This open-source project will demonstrate how to disable single step debugging in WinDbg with xmode code. We will also reveal the details of this issue from system perspective.

Ke Sun is an independent security researcher. He focused on malware analysis, and reverse engineering. Dr. Sun graduated from UCLA.

Ya Ou is an independent security researcher. His work has been focusing on new exploit development, malware analysis, and reverse engineering.

Cloakify Exfiltration Toolset

TryCatchHCF

The Cloakify Toolset is a data exfiltration tool that uses text-based steganography to hide data in plain sight, evade DLP/MLS devices, perform social engineering of SecOps analysts, and evade AV detection. Very simple tools, powerful concept, proven in real-world ops. Too many secure enclaves rely solely on the combination of AV + Automated Data Inspection + Analyst Review to prevent data exfiltration. This toolset easily defeats them all.

TryCatchHCF is the Principal InfoSec Engineer & Lead Pentester at LifeLock. He has 25+ years of security- and software engineering experience, mostly in US gov't/DoD sectors, and served as an Intelligence Analyst and Counterintelligence Specialist in the United States Marine Corps. He hacked into his first systems in 1981 and wrote his first malware the following year, all while nearly being eaten by a grue. More recently he took 1st place in the 2013 Lockheed Martin Cyber Challenge. Education includes a bachelors degree in Cognitive Science, a masters degree in Information Assurance, and the collective hivemind of the global hacking community.

Visual Network and File Forensics using Rudra

Ankur Tyagi

Rudra aims to provide a developer-friendly framework for exhaustive analysis of pcap files (later versions will support more filetypes). It provides features to scan pcaps and generates reports that include pcap's structural properties, entropy visualization, compression ratio, theoretical minsize, etc. These help to know type of data embedded in network flows and when combined with flow stats like protocol, Yara and shellcode matches eventually help an analyst to quickly decide if a test file deserves further investigation.

Ankur Tyagi is a research engineer at Qualys Inc., where he analyzes malicious code and applies statistical modelling to identify suspicious patterns and evolving trends. His research interests include developing algorithms and analysis tools that apply stochastic and machine learning models for classifying large collections of uncategorized samples. He has completed MS in Software Systems with focus on Applied Security from BITS-Pilani. Contact him at 7h3rAm@gmail.com.

OXML XXE

Willis Vandevanter

The tool assists the user in inserting XML based exploits (e.g. XXE) into different file types.The goal is to programmatically test for XML based attacks in web applications or software that allow for file imports.

Willis Vandevanter is a principal at Silent Robot Systems. Prior to SRS, Will was a Senior Researcher at Onapsis and Lead Penetration Tester at Rapid7. He has previously spoken at Blackhat, DEF CON, TROOPERS, and other conferences. In his spare time, he writes code and contributes to different projects.