GET YOUR VULNERABILITY AND THREAT DATABASE SUBSCRIPTION
EKOLABS 2016


Arsenal

Published on August 21st, 2014 | by NJ Ouchn

4

Black Hat Arsenal USA 2014 – Wrap up Day 1

Each year, most of us head to Las Vegas to attend 3 of the most recognized security events: Blackhat, Defcon and BsidesLV and thus for several reasons. The first is simply to grow technically. Thousands of security experts and hackers would ride from far and wide to share their knowledge and latest research in matters of computer security and hacking. They become unwittingly ambassadors for their countries. 

the mandalay
View of the Mandalay Bay

As time went by, some of them become friends which brings us back to the other reason: Partying. The marketers call it vulgarly “Social Networkingto justify to their bosses the hefty bill associated with alcohol consumption. Therefore in a security conference like Black hat, you can party with people from different cultures and nationalities. Just the folks around during the blackhat Arsenal I can count several nationalities : American, Italian, Russian, Israelian, German, Turkish, Argentinian, Brazilian, Canadian, Colombian, Mexican, Spanish, Croatian, Venezuelan, Iranian, Japanese, Chinese, Indian. Amazing hein !

day1_meeting_jessica_ubmTeam

With Jessica Horst – One of the Blackhat/UBM team working hard behind the scenes

This year again, I have, alongside my friend Rachid of NETpeas, the great pleasure to co-manage the Arsenal event that starts to make his small place slowly but surely. The principle of the Arsenal is simple: Interactive sessions in which the author delivers demonstrations in front of the audience. 

These sessions are highly beneficial to the two parties. During these years of Arsenal I saw raised significant collaborations between speakers. As I have been witness to guests suggesting features or helping to fix bugs. And that’s what the Arsenal is really about. Connecting Hackers with Hackers !

day1_with_ping
With Ping Look (Crusher of Souls) – She was behind designing the first sessions of the Arsenal.

And to satisfy a wide audience, we have selected 54 diverse and varied tools, beating the record of previous Arsenal sessions. From Forensics, Mobile hacking  through VoIP attacks, Hardware hacking or TV sets hijacking. There’s been something for everyone.

arsenal_large_view2

Large view of the Audience at the Arsenal

The Blackhat Arsenal becomes an absolute must if you make a jump to Vegas for the annual security events and especially if you want to attend live demonstrations with only a table and a screen separate you from the great hackers on earth. The Arsenal is definitely the only event that brings together in the same room a large  number of renowned tools authors and hackers.

day1_team3
With Rachid (@netpeas) – My bud from the old and future days.

As for myself, this year has been excellent because several authors have done us the honor to release their tools during the event. On the other hand I had the pleasure meeting my old friends and make new ones. Similarly, I enormously appreciate some of my twitter followers who stopped by to say hi.  Thanks guys, I really appreciated it.

The Arsenal_Schedule

Finally, I had a thought during the Arsenal for my friend and ToolsWatcher Maxi Soler (@maxisoler) who could not join us for this session. Your help was invaluable throughout the preparation and especially maintaining toolswatch.org Your absence has been felt because we should run series of 90 seconds mini interviews entitled “Tool Stories by ToolsWatch.org” in which every hacker should explain why he / she created his tool. Unfortunately and despite all the goodwill, we were overwhelmed by the flow of the audience.

misc_with_ScriptWatch2

 Introducing my kiddo Rafael to the Blackhat – Young generation of ToolsWatchers 🙂

 I‘ll let you relive with picture 2 wonderful days we spent alongside great hackers who help us every day to accomplish our menial tasks. Henceforth and each time you use a tool quoted here, you should have a gratifying thought for those folks.

FlowInspect – Yet Another Inspection Tool – Ankur Tyagi

Flowinspect is a tool developed specifically for network monitoring and inspection purposes. It takes network traffic as input and extracts layer 4 flows from it. These flows are then passed through an inspection engine that filters and extracts interesting network sessions. For flows that meet inspection criteria, the output mode dumps match statistics to either stdout or a file or both.

day1_flowinspect3

The primary difference between flowinspect and other network inspection tools is that flowinspect inspects network flows instead of individual layer 4 packet contents. As such, if for a flow certain data to be matched upon spans multiple packets, flowinspect would still be able to identify it. Inspection can be done in any of the following inspection modes (selected through appropriate command-line arguments):

  • regex: PCRE-compatible regular expressions
  • fuzzy: fuzzy string matching techniques
  • shellcode: libemu based (x86 compatible) shellcode detection
  • yara: yara-project based signature detection

There are a few mode-specific options that a user can use to tweak the behavior of the respective inspection engine. For example, regex matches could be made case insensitive, fuzzy string match threshold could be altered, generation of shellcode profile output that lists detected system calls, their arguments, and return values, etc. can be enabled, detected shellcode can be disassembled, and output could be dumped to a file. Once inspection completes, matching flows are passed to the output module that gathers statistics like match size, start of the match offset inside inspection buffer, packet IDs for a match, direction of the match (CTS/STC/ANY), etc. Matched content can also be dumped to a file or pcap generation for matched flows could also be requested.

day1_Flowinspect4

Apart from these, there are a few other handy options that could prove useful in different network inspection scenarios. For example, inspection could be limited to interesting flows only using Berkeley Packet Filter (BPF) expressions, or via Snort-like offset/depth content modifiers, or via max packet-stream count options. Matches results can be negated, matched TCP flows could be killed, etc.

The current production version includes all the above features. Flowinspect is, however, under active development and new features/bug fixes are being pushed frequently.

Changelog presented at the Arsenal

[x] network/pcap based flow extraction (pynids)
[x] tcp.kill
[x] invert match
[x] ignore 0 byte matches
[x] disable inspection – linemode
[x] support for multiple patterns
[x] write/append matched packets/streams to a file
[x] add snort-like content modifiers (offset-depth)
[x] support for different cts, stc and any patterns
[x] out modes: quite, meta, hex, ascii, raw (+write)
[x] stats (longest/shortest match and packet/stream #)
[x] stop tracking a stream when a match is found (tcp.collect = 0)
[x] cli to switch the first-match behavior
[x] inspection modes:
[x] regex
[x] pylibemu
[x] libemu profile output
[x] libemu memory size cli
[x] pyyara (peid/clamav)
[x] fuzzy match (fuzzywuzzy)
[x] udp stream tracking (cts/stc/any)
[x] show matching tcp packet ids (handy when pattern spans many packets)
[x] write matching flows to pcap
[x] write all packets in a matched flow (ones coming after match as well)
[x] write packets seen only untill the match happened (+a few more)
[x] ip/tcp/udp header checks – via BPF
[x] use colors if term supports
[x] verbose should be incremental
[x] include bpf expression for matching flows (verbose >= 3)
[x] timestamped (non)debug output
[x] linemode should not honor inspection specific flags (offset, depth, …)
[x] pcap write wont work in linemode
[x] invertmatch not working for regex and shellcode inspection modes
[x] -T should operate on flows and not packets
[x] make dfa memberids optional
[x] nonzero offset corrupts packet span calculation
[x] span offsets don’t include custom offset (2 instead of 1002)
[x] ip flow tracking should be in sync with tcp flow tracking
[x] direction identification for UDP flows needs more work
[x] multimatch offsets are incorrect for ANY direction
[x] cli to disable banner/summary
[x] multimatch not working with yara
[x] packet offset not shown for fuzzy match
[x] fuzzy match ratio not shown in meta output
[x] packet count fails when yara gives multiple matches

Download link >> https://github.com/7h3rAm/flowinspect

Maltrieve – Kyle Maxwell

Maltrieve retrieves malware directly from the location where the bad guys serve it. This allows researchers to acquire fresh samples, verify detection systems, and research infrastructure

matrieve

Maltrieve includes proxy support, multi-threading, Cuckoo submission, and categorization. The tool is community-developed and available under the terms of the GNU General Public License.

day1_Maltrieve

Maltrieve originated as a fork of mwcrawler. It retrieves malware directly from the sources as listed at a number of sites, including:

These lists will be implemented if/when they return to activity.

Other improvements include:

  • Proxy support
  • Multithreading for improved performance
  • Logging of source URLs
  • Multiple user agent support
  • Better error handling
  • VxCage and Cuckoo Sandbox support

Download Link >> https://github.com/technoskald/maltrieve

Morning Catch – Phishing Industries – Raphael Mudge

Morning Catch is a Virtual Machine environment, similar to Metasploitable, to demonstrate and teach about targeted client-side attacks. Morning Catch is a fictitious seafood company with a website, self-contained email infrastructure to receive phishing emails, and two desktop environments.

day1_morningcatch2

One desktop environment is a vulnerable Linux client-side attack surface. The other desktop environment is a vulnerable Windows client-side attack surface. Yes, you’ll get to attack a Windows software target and use Windows payloads against this virtual environment. This Arsenal session will demonstrate some of the things you can do with the Morning Catch environment.

day1_morningcatch4

Blog Post from Mudge >> http://blog.cobaltstrike.com/2014/08/06/introducing-morning-catch-a-phishing-paradise/

Download Link  (Torrent link) >> http://www.fastandeasyhacking.com/morningcatch.zip.torrent

ShinoBOT Suite – Shota Shinogi

ShinoBOT is a RAT (backdoor malware) simulator, released at the previous Black Hat Arsenal. The new tool, ShinoBOT Suite, is a total malware package which contains the RAT simulator, downloader, dropper, encryptor, CandC server, decoy files, etc. All of them are customizable.

day1_ShinoBOT3

You can create your own malware by ShinoBOT suite and it can be used to simulate the recent targeted attack. The new ShinoBOT works also on the standalone / offline environment.

day1_turbotalk_shinotBOT3

Material >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Shinogi-ShinoBOTSUITE-Slides.pdf

Download link >> http://shinoc2.shinosec.cloudns.org/

Smartphone Pentest Framework – Georgia Weidman

SPF is designed to make it easy to gather information, launch attacks, and perform post exploitation including pivoting on mobile devices.

day1_spf3

Open source and primarily written in Python, SPF is actively under development adding new interfaces, attack vectors, and post exploitation methods.

day1_spf2

Manual >>  http://www.bulbsecurity.com/smartphone-pentest-framework/spf-user-guide/
Download Link >>  https://github.com/georgiaw/Smartphone-Pentest-Framework
Videos >>  http://www.bulbsecurity.com/smartphone-pentest-framework/spf-videos/

Snoopy – Gleen Wilkinson

Snoopy is a distributed tracking, data interception, and profiling framework. The software can run on small, cost-effective hardware (BeagleBone, RaspberryPi) and be deployed over a large area (we call these ‘drones’).

day1_snoopy

Each Snoopy drone passively or actively collects information on people who walk past from the array of wireless (Wi-Fi, Bluetooth, etc.) devices that they carry on their person. This information is synchronized to a central server where we can visually explore it with tools like Maltego.

Snoopy

Download Link >> https://github.com/sensepost/snoopy-ng
Google Group >> groups.google.com/forum/#!forum/sensepost-snoopy

TriForce ANJP – David Cowen

TriForce is a set of analysis tools made for those who want to go deeper. With a focus on file system journaling forensics, we make use of artifacts that allow us to turn them into a forensic time machine. With tools that cover NTFS, HFS+, and Ext3, we are pushing forward a new era of analysis based on file system journaling.

day1_TriForce

The NTFS file system is our first production tool to leave beta and allows an examiner to review the master file table, metadata journal, and change the journal to determine the following:

  • Timestamp changes, detection and original time
  • Names of files being wiped, detection, and original names and metadata
  • Files being exfiltrated via CD Burning
  • Attachments being accessed from Outlook
  • Low-level file system changes and activity for dynamic analysis of exploits and malware
  • Determining if alternative file system drivers have written to a disk
  • Determining what was accessed from external devices

day1_Triforce2

Download link >> https://www.gettriforce.com/product/anjp-free/

ZitMo NoM – David Schwartzberg

ZitMo NoM (No More) is the web tool created to help you detect and possibly disable ZitMo on your Android mobile device without installing a mobile app.

day1__zitmo2

We have accomplished this by understanding how the mobile malware communicates with the C&C and use those commands to detect the mobile malware. This is a new tool and we are looking for community support to help improve several features.

IMG_20140806_103929

Download Link >> http://www.zitmonom.org/

BreWski ( Burp Rhino Web Scanner) – Alex Lauerman & Chris Bellows

BReWSki (Burp Rhino Web Scanner) is an extension to the Burp Suite scanning and reporting functionality. BReWSki provides Burp Suite users with a JavaScript interface to write custom scanner insertion points, passive, and active scan definitions for Burp quickly without having to understand the internals of the Burp API. BReWSki comes with useful checks to help identify application vulnerabilities.

day1_brewski2

Currently BReWSki checks provide tentative results that require more manual analysis. Some checks should never produce a false positive, and other checks will produce a high number of false positives.

day1_brewski2

Download link >> https://github.com/Burp-BReWSki/BReWSki

Chipsec – Yuriy Bulygrin

CHIPSEC (Platform Security Assessment Framework)  is a framework for analyzing security of PC platforms including hardware, system firmware including BIOS/UEFI and the configuration of platform components. It allows creating security test suite, security assessment tools for various low level components and interfaces as well as forensic capabilities for firmware.

day1_prep_chipsec

CHIPSEC can run on any of these environments:

  1. Windows (client and server)
  2. Linux
  3. UEFI Shell

IMG_20140806_131002

Download link >> https://github.com/chipsec/chipsec

Material >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Bulygin-CHIPSEC-Slides.pdf

Dependency-Check Jeremy Long

Dependency-check is a utility that identifies software dependencies and checks if there are any known, publicly disclosed vulnerabilities. Currently Java and .NET application dependencies are supported.

day1_dependency2

This tool can be part of a solution to the OWASP Top 10 2013 A9 – Using Components with Known Vulnerabilities.

day1_dependency

Changelog at Arsenal

* Improved report – enhanced TOC
* Improved accuracy due to reported issues
* Initial integration with vFeed (https://github.com/toolswatch/vFeed)
* Improved documentation including a guide on how to use the report effectively

day1_dependency3

Download link >> https://github.com/jeremylong/DependencyCheck/wiki
OWASP Page >> https://www.owasp.org/index.php/Projects/OWASP_Dependency_Check
Documentation >> http://jeremylong.github.io/DependencyCheck/

Dradis Framework – Daniel Martin

Dradis is an open source framework to enable effective information sharing, specially during security assessments.

day1_dradis2

Dradis is a self-contained web application that provides a centralised repository of information to keep track of what has been done so far, and what is still ahead. [screenshotsdemo]

Features include:

  • Easy report generation.
  • Support for attachments.
  • Integration with existing systems and tools through server plugins.
  • Platform independent.

IMG_20140806_130244

Changelog at Arsenal

* New redesigned, clean HTML5 interface
* Additional tool connectors: Qualys, Nexpose, etc.
* Templatable plugin output
* HTTP API + client bindings

day1_dradis3

Download Link >> http://dradisframework.org/

NFCult – Matteo Beccaro & Matteo Collura

NFCulT is a comprensive toolkit for exploring and exploiting MIFARE ULTRALIGHT cards. It can be used for understand how those cards works, and to exploiting misconfiguration as well.

day1_NFcuit2
Such bad configuration are very common in transport systems, as we will demostrate in the preview. NFCulT can actually handle all known attacks and be useful to develop new ones.

day1_NFcuit3

Download Link >> https://github.com/securenetwork/NFCulT

OWASP Zed Attack Proxy (ZAP) – Simmons Bennetts

The Zed Attack Proxy (ZAP) is currently the most active open source web application security tool and competes effectively with commercial tools.

day1_owaspZap2
While it is an ideal tool for people new to appsec, it also has many features specifically intended for advanced penetration testing. Simon gave a quick introduction to ZAP and then dive into the more advanced features as well as giving an overview of where its heading.

day1_turbotalk_owaspZap2

OWASP Page >> https://www.owasp.org/index.php/ZAP
Download Link >> https://code.google.com/p/zaproxy/wiki/Downloads?tm=2Material >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Bennetts-OWASP-Zap.pdf

ProxyMe – Manuel Fernandez

ProxyMe is a modular HTTP/S proxy based on plugins. It’s designed and oriented for pen-testing or research purposes. It also has support for analyzing and modifying the traffic, SSL included. It can be used as a regular proxy or as a reverse proxy, supporting also transparent connections, making it perfect for combined attacks of Man In The Middle (or even as a load balancer if you want!).

day1_proxyme

Some of the current plugins allow you to perform attacks as ‘Cache poison’, an attack technique for browsers showed in owning “bad” guys {and mafia} with Javascript botnets’ in Black Hat USA 2012 by Chema Alonso and Manuel Fernández.

day1_proxyme2

ProxyMe could also be used for the purposes of:

  • Analyzing and modifying HTTP/S protocol
  • Creation of malware or backdoors embebed into HTTP/S protocol
  • Web Application Firewall (WAF)
  • … whatever you can create with plugins using your imagination

Download link >> https://code.google.com/p/proxyme/

Rickmote Controller – Dan Petro

With a simple $35 dongle that plugs right into your TV, it’s possible to enjoy your favorite TV shows, YouTube channels, and everything else Chromecast has to offer. Being a WiFi enabled device, it’s also possible to hijack a Chromecast, forcing your neighbors to watch [Rick Astley] say he’s never going to give you up.

day1_rickmote2

The rickmote, as this horrible device is called, runs on a Raspberry Pi and does a lot of WiFi shennaigans to highjack a Chromecast. First, all the wireless networks within range of the rickmote are deauthenticated. When this happens, Chromecast devices generally freak out and try to automatically reconfigure themselves and accept commands from anyone within proximity.

day1_turbotalk_Rickmote2

The rickmote is more than happy to provide these commands to any Chromecast device, in the form of the hit song from 1987 and 2008.

Live Demo >> http://www.bishopfox.com/news/2014/07/hack-day-hacking-chromecast-rickmote-controller/

 

WhatsApp Privacy Guard – Jaime Sanchez

With the PRISM scandal, we began to question whether Microsoft, Google, Apple, and Facebook were the only companies working with governments to spy on the behavior of its citizens. Will WhatsApp be one of these companies? Does WhatsApp store its user conversations? These sort of things make us think that users are defenseless and have no current measures to ensure the privacy of content shared on these platforms.

day1_whatsapp

The main objective of the research is to add new layers of security and privacy to ensure that in the exchange of information between members of a conversation both the integrity and confidentiality cannot be affected by an external attacker. This is achieved through a system to anonymize and encrypt conversations and data sent via WhatsApp, so that when they reach the servers they are not in “plain text” and only readable to the rightful owners.

day1_turbotalk_whatsapp2

WhatsApp Privacy Guard is a tool completely transparent to the users and we will show how this technique can be used against other IM protocols and apps.

misc_jaime_fyodor

Download Link >> Soon

 

Filibuster – William Coppola

Useful tool with Red and Blue teaming engagements in mind. Helpful for identifying weaknesses in egress port and protocol filtering.

day1_filibuster3

Filibuster is used to map port filtering / protocol filtering devices. It is written in Python without the 1000 port limitation in other egress scanners.

day1_filibuster4

FREE, which is cheaper than other commercial solutions without the exposure of egress rules to said third party companie

Download link >> https://github.com/subinacls/Filibuster

idb – Simplified Blackbox iOS App Pentesting – Daniel Mayer

idb is a tool to aid in iOS penetration testing and research. idb’s graphical user interface greatly simplifies the interaction with an iDevice as it automates a large number of previously tedious and manual tasks: idb provides functions for analyzing applications and application binaries, data storage, inter-process communication, the iOS log and keychain, as well as tools to simplify setup and configuration.

day1_idb

idb is written in ruby with a Qt GUI frontend and should run on OS X and Linux (with some restrictions). The code can be found at https://github.com/dmayer/idb under the MIT License.

day1_turbotalk_idb

Changelog during Arsenal

* Integration of weak_classdump by Elias Limneos to dump class and method information in the form of header files
* /etc/hosts file editor
* Fixing of the CA certificate installer / manager.
* Adding documentation and increasing visibility for the screenshot utility

Download link >> https://github.com/dmayer/idb
Documentation >> https://github.com/dmayer/idb/wiki/Manual-and–Walk-Through
Blog >> http://cysec.org

Immuniant Compiler – Per Larsen

The Immunant compiler delivers improved hardening against ROP attacks. Unlike ASLR, code randomization is done at a fine-granularity while preserving program performance. As a result, universal exploits fail and pointer leaks are no longer enough to bypass code randomization.

day1_immunant

On OS X and Linux, the Immunant compiler sits atop the production grade LLVM compiler framework. The Windows version integrates with the Visual Studio compiler suite. We will demonstrate protected versions of Firefox running on Windows, OS X, and Linux.

Material >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Larsen-Immunant-Compiler-WP.pdf

 

oops, RFDid it Again – Francis Brown

Last year, we delivered the definitive guide for pen-testers on hacking low frequency (LF – 125KHz) RFID badge systems to gain unauthorized access to buildings and other secure areas. In this second installment, we’re raising the stakes, peeling back the onion even further, and directly confronting the RFID elephant in the room – hacking High Frequency (HF – 13.56 MHz) and Ultra-High Frequency (UHF – 840-960 MHz).

IMG_20140806_160100

This presentation will serve as a practical guide for penetration testers to understand the attack tools and techniques available to them for stealing and using RFID tag information, specifically for HF and UHF systems. We will showcase the best-of-breed in hardware/software that you’ll need to build out your own RFID penetration toolkit. We’ll also be releasing a slew of new/free RFID hacking tools that employ Arduino microcontrollers, Raspberry Pis, phone/tablet apps, and even 3D printing.

IMG_20140806_160132

The applications for HF and UHF technologies extend far beyond the realm of simple physical access control, and can also be found in modern credit cards, e-Passports, enhanced driver’s licenses, ski passes, NFC reward cards, public transit passes, and are even used as the foundation of Disney’s new MyMagic+ initiative. Unfortunately, the security and privacy concerns introduced by HF and UHF RFID systems are just as diverse and plentiful.

Some of the topics we will explore are:

  • Overview of best HF/UHF RFID hacking techniques and tools available to get for your toolkit
    • Tools to exploit known weaknesses of various HF RFID access control technologies, such as iClass, MIFARE/DESFire, and LEGIC product family variants
    • Hacking tools/techniques: credit cards, e-Passports, Enhanced Drivers Licenses, …
    • Analysis of Disney’s MyMagic+ RFID deployment
  • Stealing RFID HF badge info from unsuspecting passers-by
    • Overcoming enhanced security features in “contactless smart card” systems, such as encryption, mutual authentication, and challenge/response authentication methods
    • Exploiting default encryption keys and insecure implementations of HF RFID systems
    • Bypassing added security of PIN and biometric controls
  • Replaying RFID badge info and creating fake cloned cards
  • RFID hacking on the move: mobile phone and tablet apps
    • PwnPads, iPads, NFC apps, and much more..
    • Safe data retrieval via Bluetooth Low Energy and 3G cellular channels
  • Attacking badge readers and controllers directly
    • Dumping encryption keys and cached card info directly from target badge readers
  • New RFID tools we’ll be releasing
    • 3D printed custom cases/tools to conceal RFID stealing devices, and implant in readers
    • Arduino and Raspberry Pi based tools for attacking readers directly
    • Android/iPhone/iPad apps for retrieving RFID information
  • Defending yourself from HF/UHF RFID hacking threats

This DEMO-rich presentation will benefit both newcomers and seasoned professionals of the RFID penetration testing field.

 

PowerSploit – Chris Campbell & Joe Bialek

PowerSploit is a popular collection of Microsoft PowerShell modules that can be used to aid reverse engineers, forensic analysts, and penetration testers during all phases of an assessment. Come see how PowerShell can be leveraged to accomplish things that would otherwise be impossible such as, loading binaries directly into memory.

day2_turbotalk_powersploit

Joseph Bialek and Chris Campbell demonstrated how to utilize PowerSploit to bypass security products through all phases of a mock penetration test which includes enumeration, exploitation, privilege-escalation, credential theft, and pivoting to other hosts.

day1_turbotalk_powershell

They will share tips and tricks to leverage PowerShell in your own tools and highlight the new privilege escalation module being introduced at ToolsWatch.

Download Link >> https://github.com/mattifestation/PowerSploit

Taintless – Abbas Naderi & Mandana Bagheri

Research in taint tracking and taint inference is hot in the scientific community. We have studied all tools and ideas developed for automated SQL injection prevention using scientific methods, and in an attempt to evaluate them, broken them all down.

day1_Taintless

This tool summarizes methods to detect and break all these methods, such as Diglossia (2013), Prof. Sekar’s Negative Taint Inference (2011) and etc. On top of that, we have created Joza (2014), a new hybrid system that automatically detects and prevents all SQL injection attack with zero false positives. This research and tool is patented, and will be published shortly.

day1_taintless2

Finally, Taintless will demonstrate how to break Joza; though, the process is rigorous and requires multiple layers of intelligence in the tool, it proves that all these approaches are not bullet proof and need improvement.

 

Download Link >> https://github.com/abiusx/taintless

Material 1 >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Afooshteh-Taintless-Tool.zip

Material 2 >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Afooshteh-Taintless-Slides.pdf

SimpleRisk – Josh Sokol

As security professionals, almost every action we take comes down to making a risk-based decision. Web application vulnerabilities, malware infections, physical vulnerabilities, and much more all boils down to some combination of the likelihood of an event happening and the impact of that event. Risk management is a relatively simple concept to grasp, but the place where many practitioners fall down is in the tool set. The lucky security professionals work for companies who can afford expensive GRC tools to aide in managing risk.

day1_SimpleRisk

The unlucky majority out there usually end up spending countless hours managing risk via spreadsheets. It’s cumbersome, time consuming, and just plain sucks. After starting a Risk Management program from scratch at a $1B/yr company, I ran into these same barriers and where budget wouldn’t let me go down the GRC route, I finally decided to do something about it.

day1_simplerisk1

After officially debuting at Black Hat 2013, SimpleRisk, a simple and free tool to perform risk management activities, is back with many significant improvements. Based entirely on open source technologies and sporting a Mozilla Public License 2.0, a SimpleRisk instance can be stood up in minutes and instantly provides the security professional with the ability to submit risks, plan mitigations, facilitate management reviews, prioritize for project planning, and track regular reviews. It is highly configurable and includes dynamic reporting and the ability to tweak risk formulas on the fly. It is under active development with new features being added all the time and can be downloaded at http://www.simplerisk.org. SimpleRisk is truly Enterprise Risk Management simplified.

Changelog during Arsenal

• New Functionality
– Added a report showing all closed risks ordered by date.
– Added a report showing all open risks ordered by team.

• User Interface Enhancements
– The project planning view now allows you to click on the name of the risk as a link to view the details of the risk it references.
– Changed the “Download most recent code here” link on the about.php page to point to the actual download page.
– Changed the project list drop down in the remove projects list to be in alphabetical order.

• Bug Fixes
– Found an issue where numerous columns in various database tables had their CHARACTER SET set to latin1 instead of UTF8.  Running the upgrade.php script will set these to the proper CHARACTER SET.
– Found an issue where certain versions of PHP did not handle nested require statements.  Updated all require statements to use the path relative to the directory, rather than trying to hardcode it.
– Found an issue where a project would not delete if it had a closed risk inside it.  Associated projects are now unset when a risk is closed.

• Database Changes
– Updated columns in all tables to use the utf8 character set instead of latin1.
– Updated all closed risks to have a project ID of 0 (Unassigned).

Download link >> http://simplerisk.org/downloads
Documentation >> http://simplerisk.org/documentation

 

Veil Framework – Will Schroeder

The Veil-Framework is an open source toolset that aims to bridge the gap between pen-testing and red team toolsets. It began with Veil-Evasion, a tool to generate AV-evading payload executables, expanded into payload delivery with the release of Veil-Catapult at Shmoocon ’14, and branched into Powershell functionality with the release in the spring of 2014 of Veil-PowerView for domain situational awareness.

day1_turbotalk_veil

The newest tool to the Veil-Framework, Veil-Pillage, is a post-exploitation framework being released publicly during an associated Defcon 2014 presentation.

day1_turbotalk_veil2

Veil-Pillage’s modular structure makes it easy to implement the wealth of existing post-exploitation techniques out there, publicly or privately developed. The framework utilizes a number of triggering mechanisms with a preference toward stealth, contains complete command line flags for third-party integration, and has comprehensive logging and cleanup script capabilities.

 

day1_veil

Changelog during Arsenal
-Veil-Pillage will be released at Defcon ’14, and will be demoed at Arsenal

Download link >> https://github.com/veil-framework/
Official Website >> https://www.veil-framework.com/
Material >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Schroeder-The-Veil-Framework-Slides.pdf

Voyeur – Juan Garrido

VOYEUR’s main purpose is to generate a fast (and pretty) Active Directory report. The tool is developed entirely in PowerShell (a powerful scripting language) without dependencies (just .Net Framework 3.5 and Ofiice Excel if you want an useful and pretty report).

day1_voyeur

The generated report is a perfect starting point for well-established forensic, incident response team, or security researchers who want to quickly analyze threats in Active Directory Services.

day1_voyeur3  day1_voyeur2

The main capabilities of VOYEUR tool are:

  • Fast.- Retrieving only the main interested attributes and perform intelligent uses of them.
  • Powerful.- Return a huge number of attributes on computers, users, containers/OUs, groups, ACL, printers, etc.
  • Useful.- Easily perform data mining to create valuable data
  • Secure.- VOYEUR does not require domain admin permissions so you do not need to log on as an administrator account to use it. Only needs an domain user-password with read permissions
  • Useful Reports – Export results to CSV file for use in other processes or report all huge data in a pretty and useful report in Excel format
  • Multi-Domain.- Enter a domain name and credentials, VOYEUR will makes the rest
  • Free.- VOYEUR project is free and open source

 Download Link >> https://github.com/silverhack/voyeur

 

 

What they said about the Arsenal !

 

“Back from and Arsenal kudos to and honored to be part of such a great event! It was a pleasure being invited to the event and I really enjoyed it. Great work, and hopefully see you soon!” – Daniel Martin author of Dradis Framework

 

“Thanks again and for bringing arsenal. and let me present . It’s always a great experience :)” – Andreas Schmidt author of Watobo Web App Scanner

 

“This guys are awesome. thanks for the great work. It has been a cool Arsenal again!” – Jaime Sanchez author of WhatsApp Security Guard

 

“Thank you everyone who stopped by our & !! It’s been a great experience. Almost 3 hrs non-stop intro to CHIPSEC :)” – Yuriy Bulygrin author of Chipsec

 

“Wanted to say thanks to the folks for the opportunity to talk at the Arsenal. Led to great conversations” – Dan Cornell author of ThreadFix

 

We really enjoyed demo-ing the new features at Arsenal. Cheers!” – Michael Ligh demoed Volatility Framework


thanks again. Arsenal ROCKS!!” – Willem Mouton author of reGeorg

 

“Blackhat Arsenal tool talk went great today. I had a blast sharing Praeda” – Deral Heiland of Praeda

 

“Thanks for the arsenal opportunity. I hope to see you next year as well! :)” – Tomer Teller author of Automated memory analysis

 

Celebrities and Fun moment at the Arsenal

 

misc_celebs_ouioui3

Former jacque () (Now known as Oui-Oui) was there. Dont ask me why Oui-Oui, ask her 😉

misc_awkwargHug

Very Awkward hug with Jason (@j)
… Pepsi is also there

misc_with Dradis - Daniel Martin

 Finally met the awesome daddy of Dradis. Nice to talk with Daniel

day1_celebs_Simons_owaspZAP2

  After years of Using OWASP ZAP, I finally had the honor to meet Simmons.

day1_celebs_juan_martorella

  Christian Martorella (author of theHarvester) stopped by to say hi. Here with Juan and  _missed_name_ (please send me your name)

day2_celebs_darren_ferruh

  The great Ferruh CEO and father of NETsparker stopped by. Here with Darren Manners (ICE-hole)

misc_mirko_kost

  The guy in the middle is Mirko. You may know him as HelpNetSecurity. Yep, the (in)Secure Magazine folks. With @k0st (Android nmap amongst other hacking stuff https://github.com/kost) and Dorian

misc_with_ScriptsWatch

Selfie with Rafael (my son) attending his first Arsenal & Rachid (@netpeas). You may spot me behind very proud 🙂

 

misc_with Veils Hackers 2

Hanging with the Veil Framework Folks. AWESOME and Amazing great team. Thanks for the great show

day1_uduak_mudge

My bro Uduak meeting the awesome Mudge.

day1_uduak_ping

My bro Uduak meeting the crusher of souls Ping

BH_VIP_Spanish_Argentinian_German3

 Blackhat VIP Party with awesome Arsenal speakers (from left) : Jaime Sanchez (Spain) , myself (citizen of the planet), Andres Riancho (Argentina), Andreas Schmidt (Germany), Juan Garrido (Spain) and Manuel Fernandez (Spain)

 

More pictures here >> Facebook ToolsWatch Album

 

 To be continued  Blackhat Arsenal Wrap-up Day 2 …





About the Author

Principal Founder & Maintainer - Freelancer ICS/SCADA Security Expert As part of my research, I'm focusing into maintaining many projects as the DPE (Default Password Enumeration), vFeed® the open source correlated & cross-linked vulnerability database and FireCAT the Firefox Catalog of Auditing exTensions. Today, I'm the co-organizer of the major event Blackhat Arsenal Tools (US and Europe) since 2011 and since 2014 co-organizer of Rooted Warfare in Spain. I'm going by the handle of @toolswatch on Twitter and always willing to help, share and drink with friends from far and wide.



4 Responses to Black Hat Arsenal USA 2014 – Wrap up Day 1

  1. Jake Kelland says:

    Top github link is broken.

  2. Mohammed Tanveer says:

    Nice compilation 🙂 Feels so nice to see so many familiar faces… Thanks much !!

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to Top ↑