DEF CON 27 Hacking Conference

Demo Labs

Antennas for Surveillance applications

Friday from 10:00 – 11:50 in Sunset 1 at Planet Hollywood
Audience: All

Kent Britain & Alexander Zakharov

The antenna is one of the most important pieces of a good receiver. Yet it seems technical specifications are made up by the marketing departments, not by the engineers. Wild claims about gain and misleading data seem to be the norm. In this demonstration you will be able to see and hear the effects of gain and gain a better understanding of beamwidths and patterns. Over a dozen different antennas will be available for demonstration, and our miniature antenna range can do some quick tests on your antenna.

http://WWW.WA5VJB.COM

Kent Britain
Kent Britain has been professionally designing antennas for over 25 years. He has developed over 1200 specialized antennas for consumer products, government agencies, military applications, and satellites. He is the antenna columnist for Monitoring Times, Popular Communications, CQ, CQVHF, and DUBUS magazines.

Alexander Zakharov
Alex has over 25 years of experience in the Telecommunications, Information Technology and IT Security fields. He was responsible for the creation and deployment of solutions protecting networks, systems and information assets for a large number of organizations in both the private and public sectors.

Alex is the brain and architect behind the Airbud appliance, the ultimate wireless development and testing platform, ready to use with a full spectrum of wireless applications such as pentesting and monitoring or router and firewall projects. A number of the custom models developed use antennas created with Kent's help and advice. Reference - www.alftel.com

bedr

Saturday from 12:00 – 13:50 in Sunset 6 at Planet Hollywood
Audience: Defense, Linux

Mark Ignacio

bedr is a Linux syscall monitor that uses Berkeley Packet Filters that hook via kernel tracepoints. It collects the holy trinity of EDR data - proc events, filemods, and netconns – and ships them off to somewhere else for off-machine detection and response. Basically, it’s half of what you need to make an EDR!

https://github.com/mark-ignacio/bedr

Mark Ignacio
Mark is a security engineer who does operating system security things on Windows and Linux. He likes coding in Go a lot and is a consistent believer that this year will be the Year of Linux on the Desktop.

BEEMKA – Electron Post-Exploitation Framework

Friday from 10:00 – 11:50 in Sunset 3 at Planet Hollywood
Audience: Offense – Especially red teamers that want to establish persistence and egress data.

Pavel Tsakalidis

BEEMKA is a tool that allows red teamers to establish persistence on a compromised host, or even egress data from it. In addition, it allows them to execute code from within the context of the compromised application (Slack, Skype, WhatsApp, Bitwarden, VS Code), giving them access to otherwise inaccessible data. Come find out how you can extract all passwords from Bitwarden, or how to egress all the source code files from VS Code!

https://github.com/ctxis/beemka/

Pavel Tsakalidis
Pavel is a security consultant for Context Information Security, based in London. Other than security-related interests, his hobbies include playing around with Raspberry Pis, making "books to read" lists that will never be read, and starting side projects that never finish. Also, he has been a PHP developer for 10 years and therefore spends his extra time defending PHP.

Burpsuite Team Server for Collaborative Web App Testing

Saturday from 14:00 – 15:50 in Sunset 1 at Planet Hollywood
Audience: Offense, AppSec

Tanner Barnes

During large-scale engagements against multiple applications, teams often split the workload across many testers. Currently, sharing Burpsuite state requires exporting large files that are point-in-time snapshots, requiring multiple exports and shares as new developments in the engagement occur, which restricts the ability of teams to collaborate on an application. With my new Burpsuite plugin, coupled with a lightweight server, multiple testers can share traffic in real time across multiple applications, allowing for quick collaboration! Have a Repeater payload your team needs to see? Simply right-click the request and select share to populate their Repeater tabs! Need help with an Intruder payload? Have another tester create it and send it to you! Come listen and see how this plugin can help your teams hack collaboratively!

https://github.com/Static-Flow/BurpSuite-Team-Extension

Tanner Barnes
Tanner Barnes is a cyber security consultant for AON Cyber Solutions, providing full-scope security assessment services for clients. When he isn't assessing clients' security he's building new tools to help improve the lives of other hackers.

Chaos Drive, because USB is still too trustworthy

Friday from 14:00 – 15:50 in Sunset 4 at Planet Hollywood
Audience: Offense, Social Engineers, Hardware, Privacy

Mike Rich

If you’ve never thought USB devices could become even less trustworthy, then this is the talk for you. We already know USB devices might try to automatically run code when connected, or act like a hyperactive keyboard and mouse, or attempt to physically destroy the host, or masquerade as an innocent charging/data cable. But it can, actually, get worse. Say hello to the Chaos Drive, a USB drive with just a little too much chaotic energy. I’ll demonstrate how a Linux-based USB mass storage device can be set up to change the storage it presents to the host based on a set of user-defined conditions. On the offensive side this can be used to circumvent USB scanning procedures and on the defensive side this can be used to store private files that will be undetectable without time-consuming analysis. Attendees will learn the steps I took to build the POC and see what it can do. For best results bring a USB OTG-capable device such as a Pi Zero or Pocketbeagle, an OTG cable, and some spare microSD cards to flash.

Mike Rich
I’m a blue-team lead professionally. I delight in thinking of ways to defeat my own processes and then admitting these flaws publicly. I spoke at DEF CON 24 about using copiers to load code on closed networks, at the Lockpick Village at DEF CON 26 about exploiting human laziness on multi-dial combination locks, and at BSidesLV 2018 on quantitative risk analysis. Lastly, I'm the only person I've ever met that's literally been bitten by an otter. You think they are cuddly and cute; I think they are underestimated aquatic apex predators.

CIRCO: Cisco Implant Raspberry Controlled Operations

Saturday from 10:00 – 11:50 in Sunset 2 at Planet Hollywood
Audience: Offense, Hardware

Emilio Couto

Built on a Raspberry Pi and aimed at Red Team Ops, CIRCO takes advantage of "Sec/Net/Dev/Ops" enterprise tools to capture network credentials in stealth mode, using low-profile hardware and electronics camouflaged as a simple network outlet box that sits under or over a desk. CIRCO includes different techniques for network data exfiltration to avoid detection by IDS/IPS or monitoring systems. The tool gathers information and uses a combination of honeypots to trick automation systems into handing over their network credentials! We will build a physical network and infrastructure lab to show how CIRCO works (live demo). Major features for release v1.5 (Aug):

- Allow existing IP-Phone to co-exist with CIRCO
- Eliminate template files (craft all packets)
- Support NTP exfiltration
- Software encrypted via Bluetooth (prevent forensic)
- Self destroy and alarm switch
- Bypass active & passive fingerprinting (NAC)
- Credentials integration into Faraday

https://github.com/ekiojp/circo

Emilio Couto
Emilio Couto (@ekio_jp) is a Security Consultant with more than 20 years of experience in the network and security field. Born and raised in Argentina, he is currently located in Japan, where multitasking between language, culture and technologies is a must. Over the last decade he has focused mainly on Finance IT and on presenting tools at conferences (BlackHat Asia, HITB, AV Tokyo, SECCON and HamaSec). In his spare time he enjoys 3D printing, tinkering with electronics and home-made IoT devices.

Combo Password

Friday from 14:00 – 15:50 in Sunset 5 at Planet Hollywood
Audience: Defense

Fabian Obermaier

Combo Password is a PoC for using (as the name suggests) key combinations in passwords. There is one nice implication that might justify the increased complexity and other possible gripes: compared to a normal password, a combo password of the same length has far more possible combinations. This effect increases with password length and the number of usable keys. With three available keys and a length of two there are 9 combinations for normal passwords and 15 for combo passwords. Increasing the length to three we get 27 vs 69 combinations. This could lead to less strict password requirements while increasing security. The goal of this project is to develop a free standard, a browser plugin for using combo passwords in regular login forms, and implementations for popular languages, frameworks and PAM. Visit Demo Labs and try to break a real hacker's password; there will be a small reward for the fastest brute-force tool!

http://combo-pw.tech/

https://gitlab.com/FalkF/combopassword

Fabian Obermaier
Fabian Obermaier is a software engineer specializing in web technology. He is currently working in the health sector and visits DEF CON to see if his claims hold up against a crowd of hackers. His passions include free and open source soft- and hardware, the web and its security.

Cotopaxi: IoT Protocols Security Testing Toolkit

Saturday from 10:00 – 11:50 in Sunset 3 at Planet Hollywood
Audience: IoT, AppSec

Jakub Botwicz

Cotopaxi is a set of tools for security testing of Internet of Things devices using specific IoT/IIoT/M2M network protocols (e.g. CoAP, MQTT, DTLS, mDNS, HTCPCP). These tools can be used by penetration testers or security researchers to identify IoT services and verify security vulnerabilities or misconfigurations. Currently available security testing tools, like nmap or OpenVAS, do not support all the new IoT protocols, so the possibilities to test IoT products and discover such devices in tested networks are limited. We are working to fill this gap with the Cotopaxi toolkit. The main features of our toolkit are:

- Checking availability of network services for supported IoT protocols at given IPs and port ranges ("service ping")
- Recognizing the software used by a remote network server ("IoT software fingerprinting") based on its responses to given messages, using a machine-learning classifier
- Discovering resources identified by given URLs ("dirbusting")
- Performing black-box fuzzing of IoT protocols based on a corpus of packets prepared using a coverage-based fuzzer
- Identifying known vulnerabilities in IoT servers
- Detecting network traffic amplification.

New features in the DEF CON 27 release are:

- client-side versions of protocol fuzzer and vulnerability tester
- support for new protocols: SSDP and HTCPCP.

https://github.com/Samsung/cotopaxi

Jakub Botwicz
Jakub Botwicz works as a Principal Security Engineer at the Samsung Poland R&D Center, leading a team of security researchers. He has more than 15 years of experience in information security and previously worked at one of the world's leading payment card service providers, a Big4 consulting company and a vendor of network encryption devices. Jakub holds a PhD from the Warsaw University of Technology and multiple security community certificates, including GWAPT, CISSP and ECSA. Currently, he provides security assessments (static and dynamic analyses) of different mobile and IoT components. His hobbies are rock climbing and mountaineering (especially on volcanoes!).

Burp Plugin: Cyber Security Transformation Chef (CSTC)

Saturday from 12:00 – 13:50 in Sunset 1 at Planet Hollywood
Audience: Offense, Defense, AppSec, Mobile.

Ralf Almon & Sebastian Puttkammer

CSTC is a Burp Suite extension for various input transformations. It implements a generic solution that can replace numerous specialized extensions. The CSTC solves the problem of having too many overly specific Burp plugins by being a more generic problem-solving tool. It contains a wide range of very simple operations that can be chained into complex transformations. This allows a penetration tester to create the exact transformation they need to test a specific product without having to write any code. As we all know, writing code and setting everything up is time consuming. You can configure complex input transformations for both requests and responses simply by using drag and drop. You can calculate HMACs for parts of the request, refresh timestamps, update sequence numbers or encrypt parts of the request. You can chain together different operations to create more complex transformations. You could extract parts of the request, decompress them, insert your payload using the Repeater or the Scanner, put it back in and compress it again before sending it. Since many basic operations are already implemented, you can focus on testing the application instead of searching for extensions that perform such transformations.

https://github.com/usdag/cstc

Ralf Almon
Ralf Almon is a Security Analyst with years of experience in penetration testing. He works at usd AG in Germany and holds a master’s degree in Information Security from TU Darmstadt. He gained a lot of industry knowledge working as a consultant in various industries ranging from aerospace and aviation to the finance sector.

Sebastian Puttkammer
Sebastian Puttkammer is a Security Analyst working for usd AG in Germany. His main interests are network/web app security and reverse engineering. He holds a master’s degree in computer science from TU Darmstadt. He is currently in charge of the Code Review Team at usd AG and performs black-box and white-box pentests.

Dr.ROBOT: Organized Chaos and the Shotgun Approach

Saturday from 12:00 – 13:50 in Sunset 5 at Planet Hollywood
Audience: Defense/Offense

Aleksandar Straumann & Jayson Grace

Companies are large, and the number of subdomains they expose is even larger. There are a number of tools to uncover subdomains an organization is exposing, but individually they do not give you the complete picture. In the event that you use multiple tools, you are given an overwhelming amount of data to piece together into an aggregate view. In this talk we introduce Dr.ROBOT, a domain reconnaissance tool that was developed to run a large variety of subdomain enumeration tools. It was designed to trivially incorporate new tools as they are released by leveraging Docker and Ansible. Dr.ROBOT has three stages: gathering, inspection, and publishing. In the gathering stage, it gathers as much information as it can and aggregates the results. In the inspection phase, it captures screenshots and other information regarding the target. Finally, in the publishing phase it sends the data gathered during the previous two phases to an endpoint for manual review. Dr.ROBOT was created to serve as a comprehensive source on subdomain exposure by gathering information from as many resources as possible. It is a versatile utility for bug bounty hunters, blue teams, red teams, and many others.

https://github.com/sandialabs/dr_robot

Aleksandar Straumann
Aleksandar recently received his Master's in Computer Science from the University of Minnesota Duluth. In addition to his studies, he works part-time at Sandia National Labs as a graduate intern. He works on various projects involving penetration testing, reverse engineering, and tool development. A security enthusiast, he has also pursued certifications in web penetration testing and offensive security. Aleksandar enjoys practicing his skills with CTFs, developing tools, and working on projects to make the security community better.

Jayson Grace
Jayson Grace is a Security Engineer at Splunk. He holds a BS in Computer Science from the University of New Mexico (2016). He has previously worked as a tool developer, penetration tester, systems administrator, and DevOps Engineer. Passionate about empowering engineers to create secure applications, Jayson also enjoys hunting for 0-days, automating offensive security processes, and strongly believes that in-house offensive security researchers are essential to maintaining a secure environment.

EAPHammer

Friday from 12:00 – 13:50 in Sunset 1 at Planet Hollywood
Audience: Offensive security professionals, security analysts and network administrators, executive leadership, end-users

Gabriel Ryan

EAPHammer is a toolkit for performing targeted rogue access point attacks against enterprise wireless infrastructure. It is designed to be used in full scope wireless assessments and red team engagements. As such, focus has been placed on providing an easy-to-use interface that can be leveraged to execute powerful wireless attacks with minimal manual configuration.

This summer will mark the third anniversary of EAPHammer since it was released at DEF CON Demo Labs and BlackHat Arsenal in 2017. It's also the most exciting and complete version of the tool yet, with the addition of a number of features that were requested directly by users at Demo Labs in 2018.

EAPHammer now supports most of the bleeding edge attacks that have been discovered by the wireless community over the past few years, including:

- WPA3 Transition Mode and Security Group Downgrade Attacks
- Reflection and Invalid Curve attacks against EAP-pwd
- GTC-Downgrade, Fixed Challenge, and EAP Relay attacks against WPA/2-EAP
- PMKID attacks against WPA/2-PSK networks
- Known Beacons Attack and Legacy SSL Support
- External Certificate Handling and Import

Perhaps most excitingly, we've also included some never-before-seen attacks against Opportunistic Wireless Encryption (OWE), which is better known as "Enhanced Open".

https://github.com/s0lst1ce/eaphammer

Gabriel Ryan
Gabriel Ryan is an offensive security R&D and consultant at SpecterOps. He is the author of EAPHammer, a toolkit for performing targeted rogue access point attacks against enterprise wireless networks. Gabriel has presented at DEF CON, DerbyCon, Hackfest, and several Security BSides conferences on topics ranging from infrastructure security to access control protocols and red team tradecraft. His professional interests include wireless security, systems internals, low-level programming, and infrastructure automation.

EXPLIoT - IoT Security Testing and Exploitation Framework

Friday from 14:00 – 15:50 in Sunset 3 at Planet Hollywood
Audience: Offense, Hardware, IoT, Pentesters

Aseem Jakhar & Murtuja Bharmal

EXPLIoT is a framework for security testing and exploiting IoT products and IoT infrastructure. Source code and documentation: https://gitlab.com/expliot_framework/expliot. It provides a set of plugins (test cases) which are used to perform the assessment and can be extended easily with new ones. The name EXPLIoT (pronounced expl-aa-yo-tee) is a pun on the word exploit and explains the purpose of the framework, i.e. IoT exploitation. It can be used as a standalone tool for IoT security testing and, more interestingly, it provides building blocks for writing new plugins/exploits and other IoT security assessment test cases with ease. EXPLIoT supports most IoT communication protocols, hardware interfacing functionality and test cases that can be used from within the framework to quickly map and exploit an IoT product or IoT infrastructure. It will help the security community in writing quick IoT test cases and exploits. Currently, the framework has support for analyzing and exploiting various IoT, radio and hardware protocols including BLE, CAN, DICOM, MQTT, Modbus, I2C, SPI and UART. We have released comprehensive documentation, including a User and Developer guide, to help the security community kick-start quickly and easily with the framework.

https://gitlab.com/expliot_framework/expliot

Aseem Jakhar
Aseem Jakhar is the Director of Research at Payatu Software Labs (https://payatu.com), a security testing company specialized in IoT, embedded, cloud and mobile security. He is the founder of null, the open security community, a registered not-for-profit organization (https://null.co.in), and also organizes the https://nullcon.net and https://hardwear.io security conferences. He has worked on various security software including UTM appliances, messaging/security appliances, an anti-spam engine, anti-virus software and a Bayesian engine, to name a few. He currently spends his time researching IoT security and hacking things. He is an active speaker and trainer at security conferences like AusCERT, Black Hat, Brucon, Defcon, Hack.lu, Hack in Paris, Hack In The Box, PHDays and many more. He has authored various open source security software including:

- EXPLIoT - IoT Exploitation Framework
- DIVA (Damn Insecure and Vulnerable App) for Android
- Jugaad/Indroid - Linux Thread injection kit for x86 and ARM
- Dexfuzzer - Dex file format fuzzer

Murtuja Bharmal
Murtuja Bharmal is an application and network security enthusiast with 15+ years of industry experience on the offensive as well as the defensive side of security. He is the Co-Founder and Director at Payatu Software Labs, a security testing company specialized in IoT, embedded, cloud and mobile security. He is also the Founder of null (The Open Security Community) - http://null.co.in, nullcon (International security conference) - http://nullcon.net and the hardwear.io security conference - http://hardwear.io. He has worked extensively on network and web application security assessment and served various financial organizations in India, the Middle East, South East Asia, and Europe in a personal and professional capacity. He is an ex-IBMer and worked on the IBM-ISS (Internet Security System) product as a Senior System Engineer. He started his career as a security product developer and developed a UTM (Unified Threat Management) product with features such as Firewall, IPS, VPN, and Application Proxies.

Flatline

Friday from 12:00 – 13:50 in Sunset 4 at Planet Hollywood
Audience: Hardware and OpSec.

East

Flatline is a deterministic hardware credential manager. It can generate passwords, burner accounts, shortlinks, and BIP39 seeds. Based on a single mnemonic seed, with Flatline it is possible to store millions of dollars in cryptocurrency, and shortlinks that map to sensitive or stolen data. Store a criminal empire in your head, maintain a map of leaked documents that are hosted on the internet while storing nothing on your local disk, or maintain access to your assets when your house burns down and you have to flee to eastern Europe.

https://gitlab.com/e4st/flatline

East
East is a professional megalomaniac and dedicated troll. He lives in an underground bunker on an island in the south Pacific, where he spends his days eating Doritos, playing Counter Strike, and plotting world domination. When he is not busy destabilizing foreign governments, his hobbies include trolling phone scammers, hang gliding, and golf.

Go Reverse Engineering Tool Kit

Saturday from 10:00 – 11:50 in Sunset 5 at Planet Hollywood
Audience: Defense

Joakim Kennedy

The Go Reverse Engineering Tool Kit (go-re.tk) is a new open-source toolset for analyzing Go binaries. The tool is designed to extract as much metadata as possible from stripped binaries to assist in both reverse engineering and malware analysis. For example, GoRE can detect the compiler version used, extract type information, and recover function information, including source code line numbers for functions and the source tree structure. The core library is written in Go, but the tool kit includes C-bindings and a library implementation in Python. Using the C-bindings or the Python library, it is possible to write plugins for other analysis tools such as IDA Pro and Ghidra. The toolset also includes "redress", a command line tool to "dress" stripped Go binaries. It can be used either standalone, to print out the information extracted from a binary, or as a radare2 plugin to reconstruct stripped symbols and type information. The tool kit consists of:

* Core library written in Go
* C-bindings
* Python library using the C-bindings
* A command line tool for easy analysis

https://github.com/goretk

Joakim Kennedy
Joakim Kennedy is the Threat Intel Manager for Anomali Research. His job involves playing with malware, tracking threat actors and everything else around threat intelligence.

Hachi: An Intelligent threat mapper

Friday from 10:00 – 11:50 in Sunset 5 at Planet Hollywood
Audience: Defense, Malware, Threat Intelligence

Parmanand Mishra

The ATT&CK framework has become a benchmark in the security domain. ATT&CK provides data about each technique used across different attack stages. Hachi was created to contribute to the ATT&CK community. Hachi is based on the radare2 framework and uses data provided by ATT&CK to map the symptoms of malware onto the ATT&CK matrix.

The following modules of Hachi make this tool a great addition to an analyst's or company's arsenal:

• Threat Intel: Hachi provides threat intelligence data such as the possible parent campaign or author of a malware file.
• Malware behavior: It uncovers core malware behaviors using automated static analysis coupled with symbolic execution to explore multiple execution paths, and maps them onto the ATT&CK matrix.
• RESTful API: Hachi provides a RESTful API which enables seamless integration with malware processing frameworks.
• Visualization: It allows for the creation of detailed visual reports.
• Integration with Threat Intel feeds: It can be integrated with different threat intelligence feeds for enhanced security or expanded insights.

The primary aim of this tool is to act as a force multiplier for the InfoSec community and aid the analysis of malware.

https://github.com/Kart1keya/Hachi

Parmanand Mishra
Parmanand Mishra is a security enthusiast who is currently working as Senior Malware Researcher at Qualys Inc. He works on malware analysis and adversary simulation based on ATT&CK and loves creating tools on the same. He has spoken at security conferences like c0c0n and goes by Kart1keya on GitHub.

Browser extension to hunt low hanging fruits (Hacking by just browsing)

Friday from 14:00 – 15:50 in Sunset 1 at Planet Hollywood
Audience: Bug bounty hunters, Penetration testers, developers, open source contributors

Rewanth Cool

Automated scanners won't yield you bugs these days. They take tens of hours to complete, and with a high rate of false results too. You need a minimal, smart scanner with easy installation, easy configuration and relatively high accuracy while hunting for bugs. This talk is focused on creating such a browser extension to yield better results in less time. The browser extension requires less manual effort and produces more accurate results in just a few seconds.

https://github.com/rewanth1997/vuln-headers-extension

Rewanth Cool
Rewanth Cool is a security consultant at Payatu Software Labs, India. He has spoken at HITB (twice), Positive Hack Days (PHDays), CRESTCon, BSides and Null Pune, and is a trainer at MIT Pune. He is a programmer and open source contributor. Currently, he is focused on vulnerability research, web application security and contributing to security tools, apart from his ongoing research on Machine Learning. One of his finest works is his collaboration with Nmap maintainer Daniel Miller (a.k.a. bonsaiviking), adding 17,000 lines of code to Nmap.

ioc2rpz

Saturday from 12:00 – 13:50 in Sunset 2 at Planet Hollywood
Audience: Defense

Vadim Pavlov

DNS is the control plane of the Internet, with an unprecedentedly detailed view of applications, devices and even transferred data going in and out of a network. 80% of malware uses DNS to communicate with Command & Control, for DNS data exfiltration/infiltration and for phishing attacks using lookalike domains. Response Policy Zones, or DNS Firewall, is a feature which allows us to apply security policies on DNS. Commercial DNS Firewall feed providers usually do not allow users to generate their own feeds. Cloud-only DNS service providers do not provide feeds for on-prem DNS. ioc2rpz is a DNS server which automatically creates, maintains and distributes DNS Firewall feeds from various local (files, DB) and remote (http, ftp, rpz) sources. This enables easy integration with Threat Intel providers and Threat Intelligence Platforms. The feeds can be distributed to any open source or commercial DNS server which supports RPZ, e.g. ISC BIND, PowerDNS, Infoblox, BlueCat, Efficient IP etc. With ioc2rpz you can create your own feeds and actions and prevent undesired communications before they happen.

http://ioc2rpz.com

Vadim Pavlov
Vadim is a senior product manager at Infoblox, where he manages Security Ecosystem integrations, Security API and BloxOne Threat Defense. He has more than 15 years of experience in the network and security industry in various roles. He is an author of open source tools such as ioc2rpz (DNS RPZ feeds distribution server) and others. Vadim earned a Master of Science degree in Computer Science (Software Engineering) from a state university in Russia.

Let's Map Your Network

Friday from 14:00 – 15:50 in Sunset 2 at Planet Hollywood
Audience: Defense, Monitoring

Pramod Rana

Let's Map Your Network (LMYN) aims to provide an easy-to-use interface for security engineers and network administrators to have their network in graphical form with zero manual error. It is of utmost importance for any security engineer to understand their network first before securing it. In a mid-size to large organisation's network, having a network architecture diagram doesn't provide a complete understanding, and manual verification is a nightmare. Hence, in order to secure the entire network it is important to have a complete picture of all the systems which are connected to your network, irrespective of their type, function, technology etc. BOTTOM LINE - YOU CAN'T SECURE WHAT YOU ARE NOT AWARE OF. LMYN does it in two phases:

1. Learning: In this phase LMYN 'learns' the network by running network commands and querying APIs, and then builds a graph database from the responses. The user can perform any of the learning activities at any point in time and LMYN will incorporate the results into the existing database.

2. Monitoring: This is a continuous process, where LMYN monitors the 'in-scope' network for any changes, compares them with the existing information and updates the graph database accordingly.

https://github.com/varchashva/LetsMapYourNetwork

Pramod Rana
Pramod Rana works as a Senior Security Engineer with Coupa Software (The All-In-One Business Spend Management Platform). Pramod is responsible for implementing DevSecOps functions at Coupa such as penetration testing, threat modelling and secure source code review. He has previously presented at Black Hat Europe 2018. He loves to do offensive security research, coding and running in his personal time.

Local Sheriff

Saturday from 12:00 – 13:50 in Sunset 3 at Planet Hollywood
Audience: AppSec, Code Assessments, and privacy researchers

Konark Modi

The URL is the most commonly tracked piece of information; the innocent choice to structure a URL based on page content can make it easier to learn a user's browsing history, address, health information or more sensitive details. While you browse the internet as normal, Local Sheriff works in the background and helps you identify what sensitive information (PII: name, date of birth, email, passwords, passport number, auth tokens) is being shared or leaked to which third parties and by which websites. The issues that Local Sheriff helps identify:

- What sensitive information is being shared with whom?
- Which companies own these third parties?
- What can they do with this information? E.g. de-anonymize users on the internet, create shadow profiles.
- Data points that can be used for tracking a user across the web.
- Insights into which companies know what about you on the internet.

Local Sheriff can also be used by organizations to audit:

- Which third parties are being used on their websites.
- Whether the third parties on their websites are implemented in a way that respects user privacy, so that sensitive data is not leaked to them.

Local Sheriff is a browser extension that can be used with Chrome, Opera, Firefox, Brave and Cliqz.

https://github.com/cliqz-oss/local-sheriff/tree/master/scripts

Konark Modi
Konark works as a Tech Lead with Cliqz GmbH, developing a privacy-focused search engine and browser. He works on projects ranging across privacy by design, anonymous data collection like Human Web, anti-tracking, etc. Prior to Cliqz, Konark worked with one of the largest e-commerce websites in India (Makemytrip.com) in the data platform and security team, solving interesting challenges related to DWH, BI and data security. His recent personal projects, in an endeavor to help organizations fix vulnerabilities, have spanned browsers, health trackers, government services, travel mobile apps, etc.

Memhunter - Automated hunting of memory resident malware at scale

Saturday from 10:00 – 11:50 in Sunset 6 at Planet Hollywood
Audience: Defense

Marcos Oviedo

Memhunter is an endpoint sensor tool specialized in detecting memory-resident malware. The detection process is performed through a combination of endpoint data collection and memory inspection scanners. The tool is a standalone binary that, upon execution, deploys itself as a Windows service. Once running as a service, memhunter starts collecting ETW events that might indicate code injection attacks. The live stream of collected events is fed into memory inspection scanners that use detection heuristics to down-select the potential attacks. The entire detection process requires neither human intervention nor memory dumps, and it can be performed by the tool itself, at scale, improving the threat hunting analysis process and remediation times. The tool was designed as a replacement for memory forensic mechanisms such as the Volatility malfind and hollowfind plugins, which require human analysis and memory dumps to find suspicious artifacts in memory. Besides the data collection and hunting heuristics, the project has also led to the creation of a companion tool called minjector that contains 20+ code injection techniques. The minjector tool can be used to exercise memhunter detections, and as a one-stop learning solution for the well-known code injection techniques out there.

https://github.com/marcosd4h/memhunter

Marcos Oviedo
Marcos Oviedo is an experienced, self-motivated, and results-driven software architect who loves to develop software not only to create code but to create value. He has extensive experience with heterogeneous technologies and computer architectures. Over his years of professional work experience, computer security has long been his passion—whether it has been designing exploit prevention capabilities of an endpoint security solution, doing vulnerability research on carrier-grade telco charging software, or just participating in CTFs for fun. Marcos is currently working as an Endpoint Software Architect at McAfee. Marcos also organized the first-ever BSides conference in Cordoba, Argentina.

OSfooler-NG: Next Generation of OS fingerprinting fooler

Friday from 14:00 – 15:50 in Sunset 6 at Planet Hollywood
Audience: Defense

Jaime Sanchez

An outsider can discover general information, such as which operating system a host is running, by looking for default stack parameters, ambiguities in IETF RFCs or non-compliant TCP/IP implementations in responses to malformed requests. By pinpointing the exact OS of a host, an attacker can launch an educated and precise attack against a target machine. There are a lot of reasons to hide your OS from the entire world: revealing your OS makes it easier to find and successfully run an exploit against any of your devices. Having an unpatched or antique OS version is not very convenient for your company's prestige. Imagine that your company is a bank and some users notice that you are running an unpatched box. They won't trust you any longer! In addition, this kind of 'bad' news always reaches public opinion. Knowing your OS can also become more dangerous, because people can guess which applications you are running on that OS (data inference). For example, if your system is MS Windows and you are running a database, it's highly likely that you are running MS-SQL. It could be convenient for other software companies to offer you a new OS environment (because they know which one you are running). And finally, privacy: nobody needs to know the systems you've got running.

OSfooler was presented at Black Hat Arsenal 2013. It was built on NFQUEUE, an iptables/ip6tables target which delegates the decision on packets to userspace. It transparently intercepted all traffic that your box was sending in order to camouflage it, modifying in real time the TCP/IP flags that reveal your system.

OSfooler-NG has been completely rewritten from the ground up, being highly portable, more efficient and combining all known techniques to detect and defeat at the same time:

- Active remote OS fingerprinting, like Nmap
- Passive remote OS fingerprinting, like p0f v2
- Commercial engines like Sourcefire’s FireSiGHT OS fingerprinting

Some additional features are:

- No need for kernel modification or patches
- Simple user interface and several logging features
- Transparent for users, internal processes and services
- Detecting and defeating modes: active, passive & combined
- Will emulate any OS
- Capable of handling updated Nmap and p0f v2 fingerprint databases
- Undetectable for the attacker

https://github.com/segofensiva/OSfooler-ng

Jaime Sanchez
Jaime Sánchez (aka @segofensiva) has worked for over 20 years as a specialist advisor for large national and international companies, focusing on different aspects of security such as consulting, auditing, training, and ethical hacking techniques. He holds a Computer Engineering degree and an Executive MBA. In addition, he holds several certifications, like CISA, CISM and CISSP, just to name a few, and a NATO SECRET security clearance, as a result of his role as advisor to many law enforcement organizations, banks and large companies in Europe and Spain. He has spoken at renowned security conferences nationally and internationally, such as RootedCON, Nuit du Hack, Black Hat, Defcon, DerbyCON, NocOnName, Deepsec, Shmoocon and Cyber Defence Symposium, among others. As a result of his research, he has notified security findings and vulnerabilities to top companies and vendors, like Banco Popular, WhatsApp, Snapchat, Microsoft, Apple, etc. He is a frequent contributor on TV (TVE, Cuatro, LaSexta, Telecinco), press (El Pais, El Mundo, LA Times, NBC News) and radio programs, and writes a blog called 'SeguridadOfensiva'.

OWASP Amass

Saturday from 14:00 – 15:50 in Sunset 2 at Planet Hollywood
Audience: Red Team, Blue Team, Bug Bounty Hunters, Penetration Testers

Jeff Foley & Anthony Rhodes

Today, organizations deal with the challenge of running their infrastructure across many networks and namespaces due to the use of cloud and hosting services, legacy environments and acquisitions. This can make it difficult for an organization to maintain visibility of its Internet-facing assets and an ability to track down systems that pose a risk to its security posture. The OWASP Amass Project has developed a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery. During this talk, contributors to the project will discuss how OWASP Amass uses OSINT, network reconnaissance, graph databases and information sharing to provide both attackers and defenders better visibility of target organizations. Presenters will be providing an in-depth tour of all OWASP Amass features with tips and tricks shown along the way.

https://github.com/OWASP/Amass

Jeff Foley
Jeff Foley is the Founder and Project Leader of OWASP Amass. Jeff has spent nearly twenty years as an innovative technologist taking on challenges in the area of cyber warfare. He started the Amass project after noticing the need for practical OSINT tools that aid information security professionals in mapping complex networks.

Anthony Rhodes
Anthony Rhodes has over five years of industry experience as a penetration tester, red teamer, and software engineer. He has been following the OWASP Amass Project since its inception and has recently joined as a contributor to help enrich its functionality beyond DNS enumeration and network mapping.

PcapXray

Friday from 12:00 – 13:50 in Sunset 2 at Planet Hollywood
Audience: Defense, Forensics, Networks

Srinivas Piskala Ganesh Babu

PcapXray is a Network Forensics tool that performs pcap visualization to help speed up offline traffic investigation. [ In n00b terms: draws a network map and highlights what needs to be looked for in a packet capture. ]

* Creates a visual drawing (map) of a pcap file and highlights/extracts details for faster, more robust traffic forensics/analysis
* Reverse engineer a pcap [Packet Capture] file ( Wireshark is always the best go-to ); PcapXray plays as a sidecar to speed up the investigation ( where/what to look at/for? )
* Promote navigation of a packet capture
* Accomplish a simple goal in the best way ( I could not easily find an offline tool to draw/map/highlight a pcap file ) --> [ Just for Security Fun! ]

Capabilities include:

* Converting a packet capture into a diagram/graph/visual representation
* Segregating and filtering by traffic type; the current list includes HTTP, HTTPS, Tor, Possible Malicious, ICMP, DNS
* Extracting payloads and presenting traffic on a session/flow basis
* Enriching the traffic data with host scans to generate Reports
* Identifying covert communication and the possibility of extracting files included in the traffic

https://github.com/Srinivas11789/PcapXray

Srinivas Piskala Ganesh Babu
Sri is a Security Software Engineer at Oblong Industries, spending his time on collaborative-conferencing platform security. In his other time, he has fun with security, capturing flags & building tools at https://srinivas11789.github.io and github.com/srinivas11789.

PCILeech and MemProcFS

Saturday from 12:00 – 13:50 in Sunset 4 at Planet Hollywood
Audience: Offense, Defense, Forensics, Hardware

Ulf Frisk & Ian Vitek

The PCILeech direct memory access attack toolkit was presented at DEF CON 24 and quickly became popular amongst red teamers, governments and game cheaters alike. We will demonstrate how to take total control of still-vulnerable systems with PCIe DMA code injection using affordable FPGA hardware and the open-source PCILeech direct memory access attack toolkit. MemProcFS, the Memory Process File System, is memory forensics and analysis made super easy! Analyze memory by clicking on files in a virtual file system or by using the C and Python APIs. A wide range of memory acquisition methods are supported: analyze memory dump files by point and click, analyze live memory acquired using PCILeech PCIe FPGA hardware devices, or even live memory acquired in real time from remote hosts over the network. Zero-cost open-source memory forensics and incident response?

https://github.com/ufrisk/pcileech
https://github.com/ufrisk/MemProcFS

Ulf Frisk
Ulf is a pentester by day, and a Security Researcher by night. Ulf is the author of the PCILeech direct memory access attack toolkit and the Memory Process File System. Ulf has previously presented his work at DEF CON, the Chaos Communication Congress and BlueHatIL. Ulf is interested in things low-level and primarily focuses on Memory Analysis and Direct Memory Access.

Ian Vitek
Ian Vitek has a background as a pentester but now works in information security in the Swedish financial sector. Ian has given several presentations at DEF CON, BSidesLV and other IT security conferences. In recent years he has also performed as a DJ (VJ Q.Alba) at DEF CON and related private parties. He is interested in web, layer 2, DMA and local PIN bypass attacks.

PhanTap (Phantom Tap)

Friday from 10:00 – 11:50 in Sunset 2 at Planet Hollywood
Audience: Red Teams; it could also be used by Blue Teams.

Diana Dragusin & Etienne Champetier

PhanTap (phantom tap) is an ‘invisible’ network tap aimed at red teams. With limited physical access to a target building, this tap can be installed inline between a network device and the corporate network. PhanTap is silent on the network and does not affect the victim’s traffic, even in networks with NAC (Network Access Control, 802.1X-2004). PhanTap analyzes traffic on the network and masks its own traffic as the victim device. It mounts a tunnel back to a remote server, giving the attacker a foothold in the network for further exploitation and pivoting. The physical device for PhanTap is currently a small, inexpensive and disposable router running OpenWrt; we've been testing the GL.iNet GL-AR150. Moreover, PhanTap is fully based on Linux packages and can be ported to any Linux distribution.

Diana Dragusin
Diana Dragusin is currently a Senior Security Consultant at NCC Group, where she performs a variety of types of penetration tests, with a focus on networks, hardware, and embedded systems. Diana previously worked as a Network Security Architect, with the goal of building more secure internal and external infrastructures. In addition to hardware hacking, Diana also enjoys applying her creativity and curiosity to world travel and the culinary arts.

Etienne Champetier
Etienne Champetier is an Operations Engineer at Anevia (a video software company). Day to day he troubleshoots complex ecosystems with lots of vendors and moving parts (i.e. uses tcpdump and strace), automates everything he can with Ansible, helps migrate Anevia software to Kubernetes, and does all kinds of small development work. He loves to understand how everything works and contributes to open-source software, like OpenWrt, when he can (@champtar on GitHub).

Phishing Simulation

Friday from 12:00 – 13:50 in Sunset 5 at Planet Hollywood
Audience: Defense

Jyoti Raval

The Phishing Simulation tool mainly aims to increase phishing awareness & understanding by providing an intuitive tutorial and a customized assessment that evaluates people's actions in any given situation without performing actual phishing activity; it further provides an analysis of the current awareness posture of the targeted users.

The tool has the following modules:

- Tutorial -> Increases awareness by providing an interactive and intuitive tutorial
- Assessment -> Evaluates the current understanding and actions of a user in any given situation
- Setup Test -> Lets any user create a customized campaign and target multiple users at the same time
- Analysis -> Graphical representation to understand the current awareness posture

https://github.com/jenyraval/Phishing-Simulation

Jyoti Raval
Jyoti Raval works as a Senior Web Application Security Analyst with Qualys. Jyoti is responsible for research on improving the Dynamic Application Security Testing (DAST) tool, performing web application pen-testing, and understanding new security trends. She is also the OWASP Pune chapter leader. She loves to assess things, and hence is presenting an assessment tool ;)

PivotSuite: Hack The Hidden Network - A Network Pivoting Toolkit

Saturday from 14:00 – 15:50 in Sunset 3 at Planet Hollywood
Audience: Offense (Red Teamers / Penetration Testers)

Manish Gupta

PivotSuite is a portable, platform-independent and powerful network pivoting toolkit which helps Red Teamers / Penetration Testers use a compromised system to move around inside a network. It is a standalone utility which can be used as a server or as a client.

PivotSuite as a Server: If the compromised host is directly accessible (forward connection) from our pentest machine, then we can run PivotSuite as a server on the compromised machine and access hosts on other subnets from our pentest machine, which were previously only reachable from the compromised machine.

PivotSuite as a Client: If the compromised host is behind a firewall / NAT and isn't directly accessible from our pentest machine, then we can run PivotSuite as a server on the pentest machine and as a client on the compromised machine to create a reverse tunnel (reverse connection). Using this, we can reach hosts on other subnets from our pentest machine, which were previously only reachable from the compromised machine.

https://github.com/RedTeamOperations/PivotSuite

Manish Gupta
Manish Gupta is a Cyber Security Analyst at Societe Generale in India, where he specializes in Offensive Security and Red Teaming activities in banking environments. He is a part-time Bug Bounty Hunter and CTF Player. His research interests include Real World Cyber Attack Simulation and Advanced Persistent Threats (APT). He is currently working on developing an open-source Offensive Security Toolkit which helps Red Teamers / Penetration Testers.

QiLing

Sunday from 10:00 – 11:50 in Sunset 6 at Planet Hollywood
Audience: Reverse Engineers, Hardware (IoT) Hackers

KaiJern, Lau & Dr. Nguyen Anh Quynh

QiLing is a cross-platform and multi-architecture binary emulator. It is also able to do the following:

- Execute binary applications for multiple operating systems (Windows, Mac, Linux, Android, iOS, etc.) and CPU architectures (Intel, ARM, AArch64 and MIPS).
- Run on multiple platforms: Windows, MacOS, Linux, BSD.
- Sandbox analysis, so potential malicious activities are kept under control.
- Provide a Python instrumentation framework, so users can build add-on plugins to customize runtime analysis.
- Analyze & report the code execution in a friendly and fully customizable high-level format.

Besides working as an independent tool, QiLing also provides plugins for disassemblers such as Ghidra & IDA Pro. QiLing is designed to be a lightweight and pluggable emulator. To handle real binaries reasonably, it should be fast and offer instrumentation capability for users to build customized analysis.

- Able to handle hardware emulation
- Dynamically patch a binary during execution in order to redirect execution flow and bypass non-critical checks.
- Handle full binary emulation, not just raw code without context. To achieve this, emulate some parts of the OS (such as syscalls, system libraries and part of the kernel).
- Enable user-customized analysis via a Python framework.

QiLing is an open-source project.

KaiJern, Lau
KaiJern (xwings) is Lab Director of The ShepherdLab of JD Security by JD.COM. He has presented his findings at different international security conferences like HITB, Codegate, QCon, KCon, Brucon, H2HC, a few different DEF CON groups, etc. He has also conducted hardware hacking courses in various places around the globe.

Dr. Nguyen Anh Quynh
Dr. Nguyen Anh Quynh is a regular speaker at various industrial cybersecurity conferences such as Blackhat USA/Europe/Asia, Defcon, Deepsec, XCon, Hitcon, Brucon, Zeronights, Tensec, H2HC, etc. He has also presented his research in academic venues such as Usenix, IEEE, ACM, LNCS. Dr. Nguyen is also the founder and maintainer of Capstone (http://capstone-engine.org), Unicorn (http://unicorn-engine.org) & Keystone (http://keystone-engine.org).

Reverse Engineering Embedded ARM with Ghidra

Friday from 10:00 – 11:50 in Sunset 4 at Planet Hollywood
Audience: Offense, Defense, AppSec, Mobile, Hardware

Max Compston

The ARM processor is the most prevalent processor in the world. ARM devices encompass mobile phones, network devices and appliances, and the devices comprising what is now called the Internet of Things. Before April 2019, the only professional tool available for reverse engineering ARM processors was IDA Pro. With the release of Ghidra by the National Security Agency (NSA) to the open-source community this April, a professional-grade reverse engineering tool is now available for ARM. This Demo Lab setup will include a Linux host laptop running Ubuntu Linux. The target system is an embedded Raspberry Pi ARMv8-A running Ubuntu Linux Core. The demonstration will consist of static reverse engineering of a demonstration banking application daemon using Ghidra. Static analysis of the fictitious application with this tool should reveal areas prone to PLT/GOT infection; this analysis will focus on shared libraries prone to infection. Next, an injection/hook program will perform Linux ptrace injection / function hooking on the banking application. The function hooking is based upon the results from the Ghidra analysis performed earlier. The hook function will send the user data back to our host using a method unknown to the developer of the banking application.

Max Compston
Max Compston is the Principal Software Engineer with Embedded Software Solutions. He has 30+ years of embedded software development experience. He has worked for 20+ years as a government defense contractor developing embedded systems. He has worked 10+ years in the commercial sector on mobile devices, network devices, network access points and IPTV set-tops. Max has a love of the outdoors. He plays tennis, hikes, bikes and is always training for his next triathlon. He has an undergraduate education in Computer Science with graduate work in Computer Security and Info Assurance.

Rhodiola

Sunday from 10:00 – 11:50 in Sunset 5 at Planet Hollywood
Audience: Offense

Utku Sen

Adversaries need a wordlist or a combination-generation tool while conducting password guessing attacks. To narrow the combination pool, researchers developed a method named "mask attack", where the attacker needs to assume a password’s structure. Even if it narrows the combination pool significantly, it’s still too large to use for online attacks or for offline attacks with low hardware resources. In the real world, a password’s structure is an unknown value, just like the password itself. Even if we specify a password structure with masks, we are still brute forcing characters in the mask. When we analyzed the Ashley Madison and Myspace wordlists, we saw that they mostly consist of sequential alpha characters, which means that there is a high probability that they are meaningful words. Our research shows that 30% of the Ashley Madison wordlist and 36% of the Myspace wordlist contain meaningful English words. The Rhodiola tool was developed to narrow the combination pool by creating a personalized wordlist for target people. It finds the interest areas of a given user by analyzing his/her tweets and builds a personalized wordlist. The wordlist consists of the most used nouns & proper nouns, paired nouns & proper nouns, and cities and years related to the detected proper nouns.

Utku Sen
Utku Sen is a security researcher who is mostly focused on application security, network security and tool development. He has presented his various tools and research at Black Hat USA Arsenal, DEF CON Demo Labs and the Packet Hacking Village in recent years. He was also nominated for the Pwnie Awards in the "Best Backdoor" category in 2016. He is currently working for Tear Security.

Shadow Workers: Backdooring with Service Workers

Saturday from 14:00 – 15:50 in Sunset 6 at Planet Hollywood
Audience: Offensive Security, AppSec

Emmanuel Law & Claudio Contin

This presentation is focused on Shadow Workers, a tool that came out of our research on service workers. Service Workers are a new addition to modern browsers and are often used to extend offline capabilities to a website. With this tool, we weaponized service workers to include the ability to implant a pseudo backdoor in the browser and ghost through a victim's browser session to sniff, manipulate, and even proxy data silently. We'll demo the various persistence mechanisms our tool provides to keep service workers alive and demo how MITM can be done at the browser layer.

https://github.com/shadow-workers/shadow-workers

Emmanuel Law
Emmanuel Law (@libnex) is currently a security engineer in the Bay Area. He spends his free time researching new ways to break stuff and has presented at various international conferences such as Black Hat Arsenal, Ruxcon, Kiwicon, Troopers, etc.

Claudio Contin
Claudio Contin (@claudiocontin) is a security consultant with ZX Security in Wellington, New Zealand. Before working in security, he spent several years developing web applications. He has presented at BSides SF, Kiwicon and OWASP conferences. In his free time, he has contributed to various open-source projects such as the BeEF framework and Gophish.

Shellcode Compiler

Saturday from 14:00 – 15:50 in Sunset 5 at Planet Hollywood
Audience: Anyone interested in shellcode development

Ionut Popescu

Shellcode Compiler is a program that compiles C/C++-style code into small, position-independent and NULL-free shellcode for Windows and Linux. It is possible to call any Windows API function or Linux syscall in a user-friendly way. The tool allows users to write custom shellcode by providing an easy way to call functions or system calls. It does not have all the capabilities of a compiler, but it simplifies the shellcode development process a lot. There is no need to write assembler; it is only required to declare and call functions or system calls. Under the hood there is, of course, a custom compiler which compiles C/C++-style code into ASM, which is later assembled using the Keystone framework. Before the tool presentation, we will go into a deep dive on the shellcode development process for both Windows and Linux (32 bits only, to keep it short and simple).

https://github.com/NytroRST/ShellcodeCompiler

Ionut Popescu
Ionut Popescu works as a Product Security Engineer for UiPath. His focus lies on web application penetration testing, source code review, security architecture review and providing security training. In his free time, he also likes to do research focusing on Windows internals, ASM and exploit development. Ionut is a regular speaker at different conferences, e.g. Defcon, Defcamp or OWASP.

SILENTTRINITY

Saturday from 14:00 – 15:50 in Sunset 4 at Planet Hollywood
Audience: Offense

Marcello Salvati

SILENTTRINITY is an asynchronous post-exploitation agent powered by Python, IronPython, C# and .NET's DLR (Dynamic Language Runtime). It attempts to weaponize and demonstrate the flexibility that BYOI (Bring Your Own Interpreter) payloads have over traditional C# implants. What are BYOI payloads? It turns out that by harnessing the sheer craziness of the .NET framework, you can embed entire interpreters inside of .NET languages, allowing you to natively execute scripts written in third-party languages (like Python) on Windows! Not only does this allow you to dynamically access all of the .NET API from a scripting language of your choosing, but it also allows you to remain completely in memory and has a number of advantages over traditional C# payloads! Essentially, BYOI payloads allow you to have all the "power" of PowerShell without going through PowerShell in any way! Additionally, you can nest multiple interpreters within each other to perform what I've coined "engine inception"! If you're interested in bleeding-edge and out-of-the-ordinary C#/.NET offensive tradecraft, this is the demo for you!

https://github.com/byt3bl33d3r/SILENTTRINITY

Marcello Salvati
Marcello Salvati (@byt3bl33d3r) is a Security Analyst at BlackHills Information Security by day and by night a tool developer who discovered a novel technique to turn tea, sushi, alcohol and dank memes into somewhat functioning code. His passions include anything Active Directory related, trolling people on GitHub and developing open-source tools for the security community at large, which he’s been doing for the past several years. Some of his projects include SilentTrinity, CrackMapExec, DeathStar, RedBaron and many more.

soFrida - Dynamic Analysis Tool for Mobile Apps with Cloud Backend

Friday from 10:00 – 11:50 in Sunset 6 at Planet Hollywood
Audience: Offense: Mobile Application Pentesters, Hackers; Defense: Cloud Backend Operators, Mobile Application Developers who use cloud SDKs

Hyunjun Park & Soyeon Kim

Mobile app developers are increasingly using cloud services to implement features such as storage, push notifications, and user data analysis. Popular cloud services, including AWS, provide SDKs and credential keys that allow mobile apps to authenticate to and be authorized for cloud resources, so that developers can implement features by calling APIs. However, we identified a vulnerability: those credential keys can be obtained by attackers. In this demo, we will present how to steal cloud credential keys with soFrida, a dynamic analysis tool powered by Frida. With soFrida, security researchers or engineers can quickly collect Android APKs and analyze cloud vulnerabilities in Android apps, helping to prevent serious security incidents such as data leaks. We have discovered 2,700 potentially vulnerable mobile apps by using soFrida and are currently collaborating with the cloud service provider to eliminate the security vulnerabilities. Detailed statistics can be found on our website: https://sofrida.github.io

https://sofrida.github.io

Hyunjun Park
Hyunjun Park is a senior engineer at Samsung SDS in South Korea and a graduate student of SANE Lab at Korea University (Supervisor: Seungjoo Gabriel Kim). His daily job is pentesting a broad range of Samsung products including smartphones, smart TVs, wearable devices, etc. He also serves as the main staff of the Kimchicon Security Conference in South Korea.

Soyeon Kim
Soyeon Kim is a security researcher at Samsung SDS in South Korea. She mainly does security assessments of Samsung IoT products. She is interested in analyzing Android and iOS apps using Frida.

Spartacus as a Service (SaaS)

Friday from 12:00 – 13:50 in Sunset 3 at Planet Hollywood
Audience: Offense for the end user

Mike Kiser

The Third Servile War was over. The slave army had been defeated, and the survivors were offered a pardon by their Roman captors. The only requirement was that they identify Spartacus, their leader (Kirk Douglas). Rather than give away his identity, however, they all began to yell out "I'm Spartacus!"—thus preserving his anonymity by overwhelming the Romans with possibilities. (Spoiler alert: they all die as a result.) "Spartacus as a Service (SaaS)" is an open-source proof of concept, introduced here, that facilitates these obfuscation techniques. It allows for automatic obfuscation of a chosen identity on a small scale, and lessons learned from its usage will be discussed.

Current version at: https://github.com/derrumbe/Spartacus-as-a-Service

- Open-source tool written largely in Node.js under an MIT license
- OAuth is used for authentication and authorization
- Content is generated via a Markov chain using sources such as Jane Austen, political platforms, and Aaron Franklin’s book on BBQ
- Amazon Mechanical Turk may be used to circumvent captchas

Note that this is not a tool that *prevents* targeted advertising — instead it seeks to dilute the value of the information that companies know about a user. It obfuscates the real content so that outsiders cannot tell what the real content (or in some cases, who the person) actually is.

https://github.com/derrumbe/Spartacus-as-a-Service

Mike Kiser
Mike Kiser is insecure. He has been this way since birth, despite holding a panoply of security roles over the past 20 years—that might imply otherwise. In spite of this, he has designed, directed, and advised on large-scale security deployments for a global clientele. He is currently in a long-term relationship with fine haberdashery, is a chronic chronoptimist (look it up), and delights in needlessly convoluted verbiage. He is obsessed with identity’s role in security and is the co-host of a podcast illuminating all things identity. He warmly embraces the notion that security is more of a state of mind than a destination.

Srujan: Safer Networks for Smart Homes

Saturday from 10:00 – 11:50 in Sunset 4 at Planet Hollywood
Audience: Defense, Network, Hardware, IOT Security

Sanket Karpe & Parmanand Mishra

Srujan is a new type of network segregation system, based on Raspberry Pi, that can be easily deployed on home networks. It allows home users to segregate the devices on their home network according to their threat profile: smart home devices can be kept separate from computers and mobile devices to mitigate the risk of cross-infection from low-trust devices such as smart cameras, speakers and thermostats. Srujan was created to address the challenges around the plethora of IoT devices being deployed in smart homes that are vulnerable and do not receive patches. Srujan can intelligently segregate the home network into different zones based on device type. It automatically identifies and alerts users when IoT devices attempt to contact any IP or domain flagged by Google Safe Browsing.

Srujan provides the following features:

-- Intelligent segregation of devices based on their type
-- Network usage statistics for each device
-- Ability to quarantine untrusted devices
-- Easy integration with a SIEM
-- Lookup of IPs/domains against Google Safe Browsing
-- Integration with ANWI (All New Wireless IDS)
-- Blocking of call-home pings to the manufacturer for enhanced privacy
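An added example of the decision logic a system like this needs; it is not Srujan's code. Devices are mapped to zones by type, a small matrix says which zone may open connections to which, quarantine overrides the matrix, and DNS queries are checked against a blocklist and a per-device-type call-home deny list to produce an alert record a SIEM can ingest. The inventory, blocklist, call-home list and DNS log lines are constructed for the demo; in the real system the blocklist hits would come from Google Safe Browsing.

```ruby
# Added example, not Srujan's code: zone assignment, flow policy, quarantine and
# DNS alerting for a home-network segregation box. All inventory, blocklist and
# log data below is constructed for the demo.
require "json"

ZONE_FOR_TYPE = {
  "laptop" => :trusted, "phone" => :trusted,
  "camera" => :iot, "speaker" => :iot, "thermostat" => :iot
}.freeze

# Which zone may initiate connections into which. :internet is a pseudo-zone;
# IoT devices may reach it but may never initiate into the trusted zone.
ALLOWED = {
  trusted:    [:trusted, :iot, :internet],
  iot:        [:internet],
  quarantine: []
}.freeze

DEVICES = {
  "aa:bb:cc:00:00:01" => { name: "front-cam",       type: "camera" },
  "aa:bb:cc:00:00:02" => { name: "kitchen-speaker", type: "speaker" },
  "aa:bb:cc:00:00:03" => { name: "work-laptop",     type: "laptop" }
}.freeze

QUARANTINED = []                                              # MACs pulled out of every zone
BLOCKLIST   = ["evil.example", "c2.example.net"].freeze       # stand-in for Safe Browsing hits
CALL_HOME   = { "camera" => ["telemetry.camvendor.example"] }.freeze  # per-type privacy denies

def zone_of(mac)
  return :quarantine if QUARANTINED.include?(mac)
  dev = DEVICES[mac]
  dev ? ZONE_FOR_TYPE.fetch(dev[:type], :iot) : :iot   # unknown device => least trusted
end

# May src_mac open a connection to dst (a MAC or a pseudo-zone symbol)?
def flow_allowed?(src_mac, dst)
  dst_zone = dst.is_a?(Symbol) ? dst : zone_of(dst)
  return false if dst_zone == :quarantine                 # nothing talks to quarantine
  ALLOWED.fetch(zone_of(src_mac), []).include?(dst_zone)
end

# Evaluate one DNS query: nil when fine, otherwise an alert hash for the SIEM.
def check_dns(mac, domain, ts)
  dev = DEVICES.fetch(mac, { name: "unknown", type: "unknown" })
  reason =
    if BLOCKLIST.any? { |b| domain == b || domain.end_with?(".#{b}") }
      "blocklisted"
    elsif CALL_HOME.fetch(dev[:type], []).include?(domain)
      "call-home"
    end
  return nil unless reason
  { ts: ts, mac: mac, device: dev[:name], zone: zone_of(mac),
    domain: domain, reason: reason, action: "deny" }
end

# Lines are "timestamp mac qname", as a resolver log on the box might emit.
def process_dns_log(lines)
  lines.map { |l| ts, mac, domain = l.split; check_dns(mac, domain, ts) }.compact
end

DNS_LOG = [
  "2019-08-10T10:01:00Z aa:bb:cc:00:00:01 time.example.org",
  "2019-08-10T10:01:05Z aa:bb:cc:00:00:01 telemetry.camvendor.example",
  "2019-08-10T10:02:00Z aa:bb:cc:00:00:02 update.c2.example.net"
].freeze

if __FILE__ == $PROGRAM_NAME
  process_dns_log(DNS_LOG).each { |alert| puts JSON.generate(alert) }
  puts "cam -> laptop allowed? #{flow_allowed?('aa:bb:cc:00:00:01', 'aa:bb:cc:00:00:03')}"
end
```

Two choices here are worth copying into any real deployment: a device that is not in the inventory lands in the least trusted zone rather than the most convenient one, and quarantine is checked before the policy matrix so that a quarantined device cannot be reached even from the trusted zone.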

Sanket Karpe
Sanket Karpe is a security researcher with over a decade of experience in reverse engineering malware and incident response. He is currently working as Manager, Malware Research at Qualys Inc, where his primary responsibilities include malware analysis, creating new malware detection techniques and tool development. He is the author of ANWI (All New Wireless IDS) and likes to work on various IoT projects in his free time.

Parmanand Mishra
Parmanand Mishra is a security enthusiast currently working as a Senior Malware Researcher at Qualys Inc. He works on malware analysis and adversary simulation based on ATT&CK and loves creating tools for both. He has spoken at security conferences such as c0c0n and goes by Kart1keya on GitHub.

TaintedLove

Friday from 12:00 – 13:50 in Sunset 6 at Planet Hollywood
Audience: AppSec

Benoit Côté-Jodoin

TaintedLove is a dynamic security analysis tool for Ruby. It leverages Ruby's object tainting and monkey patching features to identify potentially vulnerable code paths at runtime. TaintedLove is library agnostic and provides a simple framework to extend the detection of unsafe method usage and user input tracking.

https://github.com/shopify/tainted_love
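An added example of the mechanism the abstract describes; this is not TaintedLove's own code. User input is marked, the mark is propagated by monkey patching a few String methods, and monkey-patched shell sinks report when a marked string reaches them. One caveat a practitioner should know before adopting the approach: the built-in Object#taint that the abstract says TaintedLove leverages was deprecated in Ruby 2.7 and removed in Ruby 3.2, so the marks here are kept in an identity-keyed table instead of the old taint bit. TaintTrack, the choice of sinks and the archive_logs handler are all assumptions for the demo.

```ruby
# Added example, not TaintedLove's code: a miniature runtime taint tracker built
# the same way (mark input, propagate via monkey patching, report at sinks).
# Ruby's Object#taint was removed in 3.2, so marks live in an identity hash.

module TaintTrack
  Finding = Struct.new(:sink, :argument, :site)

  MARKS    = {}.compare_by_identity   # tainted object => true
  FINDINGS = []

  class << self
    attr_accessor :enforce   # false: report and let the call proceed; true: raise

    def taint(obj)
      MARKS[obj] = true
      obj
    end

    def tainted?(obj)
      MARKS.key?(obj)
    end

    # Every instrumented sink calls this with the argument that reached it.
    def check_sink(name, arg)
      return unless arg.is_a?(String) && tainted?(arg)
      site = caller_locations(2, 1)&.first&.to_s      # the user code that hit the sink
      FINDINGS << Finding.new(name, arg.dup, site)
      raise SecurityError, "tainted input reached #{name}: #{arg.inspect}" if enforce
    end
  end
  self.enforce = false

  # Propagation: a string derived from a tainted operand is tainted too.
  # Interpolation ("#{x}") does not go through these methods; the old taint bit
  # covered it natively, a table-based tracker has to hook it separately.
  module StringPropagation
    %i[+ % gsub sub strip].each do |m|
      define_method(m) do |*args, &blk|
        result = super(*args, &blk)
        if result.is_a?(String) &&
           (TaintTrack.tainted?(self) || args.any? { |a| a.is_a?(String) && TaintTrack.tainted?(a) })
          TaintTrack.taint(result)
        end
        result
      end
    end
  end
  String.prepend(StringPropagation)

  # Sinks: methods that hand a string to a shell. Prepended to Object so every
  # implicit-receiver call is intercepted; Kernel.system(...) would bypass this.
  module KernelSinks
    def system(*args)
      TaintTrack.check_sink(:system, args.first)
      super
    end

    def `(cmd)
      TaintTrack.check_sink(:backtick, cmd)
      super
    end
  end
  Object.prepend(KernelSinks)
end

# Simulated request handler: the archive name is attacker-controlled.
def archive_logs(user_supplied_name)
  cmd = "tar czf " + user_supplied_name.strip + ".tgz /var/log"
  system(cmd)
end

# Runs the handler with a marked parameter. Enforce mode is switched on so the
# injected command is never executed; a report-only run would let it proceed
# and leave the finding in TaintTrack::FINDINGS.
def demo
  TaintTrack.enforce = true
  TaintTrack::FINDINGS.clear
  archive_logs(TaintTrack.taint("logs; id".dup))   # dup: never mark a shared literal
  nil
rescue SecurityError => e
  { findings: TaintTrack::FINDINGS.size, error: e.message }
end

p demo if __FILE__ == $PROGRAM_NAME
```

Report-only mode is what a dynamic analysis tool wants during a test run (collect every sink hit, fail the build afterwards); enforce mode is a safety net, not a sanitiser, since the sink list will never be complete.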

Benoit Côté-Jodoin
Benoit is an Application Security Engineer at Shopify having a strong interest in web application security and vulnerability research. Sometimes an active CTF player, he has taken part in multiple competitions with the team DCIETS/NorthernCoalition.

USB-Bootkit – New Bootkit via USB Interface in Supply Chain Attacks

Sunday from 10:00 – 11:50 in Sunset 4 at Planet Hollywood
Audience: Offense, Defense, Hardware

Haowen Bai

USB-Bootkit, a new type of bootkit delivered via the USB interface, contains malicious code inside the USB device that gets executed every time the system boots. The malicious device, located either on the motherboard or inside an external HID device such as a keyboard, is invisible to ordinary users and capable of re-infecting the system after the OS is reinstalled or the hard drive is formatted or even replaced.

To make it look innocuous, we implanted the USB-Bootkit inside a keyboard without changing its outward appearance. Supply chain attacks could be leveraged to replace the device and modify the boot sequence accordingly. Once the target uses it, we are able to carry out attacks persistently. Legacy and UEFI mode are both covered by the one USB device, which adapts to the target system automatically. In the demonstration, the attack originates from the malicious keyboard and compromises a fully patched Windows 10 x64 operating system from power-on. Afterwards the USB-Bootkit disconnects itself automatically to avoid being discovered once the victim has logged into the operating system.

https://github.com/RedDrip7/USB-Bootkit

Haowen Bai
Haowen Bai, a senior security research engineer at QiAnXin Threat Intelligence Center (@RedDrip7), has over 12 years' work experience in network security, including the discovery of zero-day vulnerabilities used in targeted attacks. He is currently researching innovative approaches to discovering vulnerabilities and exploits on the Windows platform, as well as using big data analysis systems to catch perilous threats in the wild.

Vulmap: Online Local Vulnerability Scanners Project

Sunday from 10:00 – 11:50 in Sunset 3 at Planet Hollywood
Audience: Offense, Defense

Yavuz Atlas & Fatih Ozel

Vulmap is an open source online local vulnerability scanner project. It consists of online local vulnerability scanning scripts for Windows and Linux. These scripts can be used for defensive and offensive purposes: they can be used to conduct vulnerability assessments, and they can be used for privilege escalation by pentesters and red teamers. Vulmap scans for vulnerabilities on localhost, shows related exploits and downloads them. It scans localhost to gather installed software information and asks the Vulmon API whether there are any vulnerabilities and exploits related to the installed software. If any vulnerability exists, Vulmap shows the CVE ID, risk score, a link to the vulnerability's details, exploit IDs and exploit titles. Exploits can also be downloaded with Vulmap. The main idea of Vulmap is getting real-time vulnerability data from Vulmon instead of relying on a local vulnerability database, so even the most recent vulnerabilities can be detected. Its exploit download feature also helps the privilege escalation process. Because the installed software inventory is sent to the Vulmon API, the scripts need outbound network access from the scanned host and disclose that host's software inventory to the service. Since most Linux installations have Python, Vulmap Linux is developed in Python, while Vulmap Windows is developed in PowerShell so that it runs on most Windows versions without any installation.

https://github.com/vulmon/Vulmap
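An added example of the matching step the abstract describes; it is not Vulmap's code (Vulmap itself is Python and PowerShell and queries the live Vulmon API). Installed software is parsed from package-list style lines, versions are normalised and compared, and hits are reported with CVE ID, risk score, details link and exploit IDs, highest risk first. The feed, the product names, the version ranges and the CVE and exploit identifiers are constructed placeholders, not real advisories, and the Vulmon API is replaced by that offline feed.

```ruby
# Added example, not Vulmap's code: the matching step of a local vulnerability
# scanner. Vulmap sends the inventory to the Vulmon API; FEED below is an offline,
# constructed stand-in with placeholder products, versions and identifiers.

Advisory = Struct.new(:product, :affected, :fixed_in, :cve, :score, :link, :exploits)

# Constructed feed. Versions in [affected, fixed_in) are vulnerable.
# The CVE and exploit IDs are placeholders, not real advisories.
FEED = [
  Advisory.new("libfoo",    "1.1.1",  "1.1.1d", "CVE-0000-0001", 7.5, "https://vulmon.example/CVE-0000-0001", ["EXPL-0001"]),
  Advisory.new("barserver", "1.8.0",  "1.8.28", "CVE-0000-0002", 8.8, "https://vulmon.example/CVE-0000-0002", []),
  Advisory.new("barserver", "1.8.30", "1.8.32", "CVE-0000-0003", 5.3, "https://vulmon.example/CVE-0000-0003", ["EXPL-0003"])
].freeze

# Normalise a package version for comparison: drop a Debian epoch ("1:") and the
# distro revision ("-1ubuntu2"), then split into numeric and alphabetic runs so
# that 1.10 > 1.9 and 1.1.1d > 1.1.1. Each run is tagged so numbers and letters
# are never compared to each other directly. Simplification: 1.0 sorts below 1.0.0.
def version_key(version)
  core = version.sub(/\A\d+:/, "").split("-").first.to_s
  core.scan(/\d+|[a-zA-Z]+/).map { |run| run.match?(/\A\d+\z/) ? [1, run.to_i] : [0, run] }
end

def version_cmp(a, b)
  version_key(a) <=> version_key(b)
end

def vulnerable?(installed, adv)
  version_cmp(installed, adv.affected) >= 0 && version_cmp(installed, adv.fixed_in) < 0
end

# "name version" lines, as a package manager would print them (constructed here).
def parse_inventory(text)
  text.lines.map(&:strip).reject(&:empty?)
      .map { |line| line.split(/\s+/, 2) }
      .select { |parts| parts.size == 2 }
end

# Match every installed package against the feed; highest risk first.
def scan(inventory_text, feed = FEED)
  parse_inventory(inventory_text).flat_map { |name, version|
    feed.select { |adv| adv.product == name && vulnerable?(version, adv) }
        .map { |adv| { product: name, installed: version, cve: adv.cve, score: adv.score,
                       link: adv.link, exploits: adv.exploits } }
  }.sort_by { |hit| -hit[:score] }
end

INVENTORY = <<~TXT
  libfoo 1:1.1.1c-1ubuntu2
  barserver 1.8.31-1
  bazd 2.0.0
TXT

if __FILE__ == $PROGRAM_NAME
  scan(INVENTORY).each do |hit|
    puts "#{hit[:product]} #{hit[:installed]}: #{hit[:cve]} (score #{hit[:score]}) " \
         "#{hit[:link]} exploits=#{hit[:exploits].join(',')}"
  end
end
```

The version normalisation is where real scanners go wrong most often: a distro backport such as 1.1.1c-1ubuntu2 may already carry the fix even though its upstream version string sits inside the vulnerable range, so a hit from this kind of matching is a candidate to verify, not a confirmed vulnerability.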

Yavuz Atlas
Yavuz Atlas is a cyber security researcher. He has academic and professional experience in areas such as cyber security, software development, data science and information visualization. He works as a Tech Lead for Biznet. His current work focuses on pentesting and secure code review. Yavuz is also the developer of the Vulmon project.

Fatih Ozel
Fatih Ozel specializes in web application assessments, penetration testing, and software development. He is a former software developer and an open source enthusiast. He holds a computer engineering degree from Suleyman Demirel University. Fatih is currently working as a penetration tester for Biznet Bilisim.

WiFi Kraken – Scalable Wireless Monitoring

Saturday from 10:00 – 11:50 in Sunset 1 at Planet Hollywood
Audience: Offense, Defense, Hardware

Mike Spicer

This tool is the culmination of lessons learned during the last 3 years of wireless monitoring at DEF CON using tools like the #WiFiCactus. This demo will show you the software and hardware needed to build a robust wireless monitoring sensor network capable of capturing 802.11 traffic up to and including 802.11ac, as well as Bluetooth. The demo will include a distributed capture network that takes captured data from multiple nodes and sends it back to a single capture server. The project will show you how to use advanced features of Kismet Wireless to increase the amount of data you capture. Wireless threats and attacker tactics will be discussed and identified as they happen in the environment. Data analytic techniques will be demonstrated and discussed using tools like Wireshark, NetworkMiner and PCAPinator.

http://palshack.org/def-con-27-demolab/

Mike Spicer
d4rkm4tter is a mad scientist hacker who likes to meddle with hardware and software. He is particularly obsessed with wireless. He has a degree in computer science from Southern Utah University which he has put to use building and breaking a wide array of systems. These include web application pentesting, wireless monitoring and tracking as well as good old fashioned reverse engineering. He is the creator of the #WiFiCactus and has been seen presenting Demolabs at DEF CON and DEF CON China Beta. He is a Kismet cultist and active in the wireless and wardriving communities.

Zigbee Hacking: Smarter Home Invasion with ZigDiggity

Sunday from 10:00 – 11:50 in Sunset 2 at Planet Hollywood
Audience: Offense, Hardware, Product, IoT, Zigbee, Zigbee Hacking

Francis Brown & Matt Gleason

Do you feel safe in your home with the security system armed? You may reconsider after watching a demo of our new hacking toolkit, ZigDiggity, where we target door and window sensors using an "ACK Attack". ZigDiggity will emerge as the weapon of choice for testing Zigbee-enabled systems, replacing all previous efforts. Zigbee continues to grow in popularity as a method for providing simple wireless communication between devices (i.e. low power/traffic, short distance), and can be found in a variety of consumer products that range from smart home automation to healthcare. Unfortunately, existing Zigbee hacking solutions have fallen into disrepair, having barely been maintained, let alone improved upon. Left without a practical way to evaluate the security of Zigbee networks, we've created ZigDiggity, a new open-source pentest arsenal from Bishop Fox. Updates include migration to better hardware for testing (e.g. SDRs), and a slew of newly implemented Zigbee attack types. Our DEMO-rich presentation showcases ZigDiggity's attack capabilities by pitting it against common Internet of Things (IoT) products that use Zigbee. Come experience the future of Zigbee hacking, in a talk that the New York Times will be hailing as "a veritable triumph of the human spirit." ... ya know, probably

https://github.com/BishopFox/zigdiggity

Francis Brown
Francis Brown is the Chief Technology Officer (CTO) at Bishop Fox, a consulting firm providing cyber security services to the Fortune 1000, global financial institutions, and high-tech startups. Before founding Bishop Fox, Francis worked for Honeywell International where he performed network and application penetration testing, product security evaluations, incident response, and risk assessments of critical infrastructure. Prior to that, Francis was a consultant with Ernst & Young. Francis holds a Bachelor of Science and Engineering from the University of Pennsylvania with a major in Computer Science and Engineering and a minor in Psychology.

Matt Gleason
Matthew Gleason is a Senior Security Associate at Bishop Fox, where he focuses on application security penetration testing, source code review, and network penetration testing. Prior to joining Bishop Fox, Matthew worked as a software engineer for Boeing, where his work involved validation testing for the AH-64E attack helicopter. Matthew holds a Master of Science from Arizona State University in Computer Science. He also has earned a Bachelor of Science in Economics and a Bachelor of Science in Mathematics from Arizona State University.
