Published on September 1st, 2014 | by NJ Ouchn


Black Hat Arsenal USA 2014 – Wrap up Day 2

The second day of the Arsenal came back with a new bunch of tools. We were ready to rock the scene even if the hangover was a killer. The ambiance was awesome and the audience huge as usual.

Here is the second wave of the Arsenal narrated through pictures. You better think twice before you miss the next session of Blackhat Arsenal.


Android Device Testing Framework – Jake Valletta

The Android Device Testing Framework (“dtf”) is a data collection and analysis framework to help individuals answer the question: “Where are the vulnerabilities on this mobile device?” Dtf provides a modular approach and built-in APIs that allow testers to quickly create scripts to interact with their Android devices. The default download of dtf comes with multiple modules that allow testers to obtain information from their Android device, process this information into databases, and then start searching for vulnerabilities (all without requiring root privileges).


These modules help you focus on changes made to AOSP components such as applications, frameworks and system services, as well as lower-level components such as binaries, libraries, and device drivers. In addition, you’ll be able to analyze new functionality implemented by the OEMs and other parties to find vulnerabilities.

Download link >> https://github.com/jakev/dtf

Material >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Valletta-Android-Device-Testing-Framework-Slides.pdf

Automated Memory Analysis – Tomer Teller

Automated Memory Analysis is a set of new, innovative Cuckoo Sandbox plugins that add new dynamic and memory analysis abilities such as:

  • Trigger-Based memory analysis: Taking multiple memory dumps during execution in “strategic moments” by analyzing API calls, CPU performance counters, and tracing execution with Dynamic Binary Instrumentation techniques.
  • Memory Dump differential analysis: Detecting malicious artifacts during binary execution using Virtual Machine Introspection techniques.
  • Mis-behavioral analysis: Detecting malware that evade traditional API-call behavioral analysis using low-level kernel hooks.


Malware samples such as Snake (Uroburos), Stuxnet, and friends that evaded analysis will be dissected live to demonstrate the toolkit's abilities.

Download >> https://github.com/djteller/MemoryAnalysis

Whitepaper >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Teller-Automated-Memory-Analysis-WP.pdf

Keynote >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Teller-Automated-Memory-Analysis-Slides.pdf


C-Scad: Assessing security flaws in ClearSCADA Web-X Client – Aditya K Sood

C-SCAD is an information gathering and penetration testing tool written to assess the security issues present in the Web-X (Internet Explorer-based web interface) client used to interact with the ClearSCADA server. Web-X client is hosted on the embedded web server which is shipped as a part of complete ClearSCADA architecture.


Primarily, the Web-X client is restricted from performing any configuration changes, but it can reveal potential information about the ClearSCADA server and associated components. Insecure deployments of the Web-X client can reveal information about various functions such as alarm pages, SQL lists, and diagnostic checks, including various reports.

C-SCAD is authored in Python and is capable of the following:

  • Enumerates active users configured for the Web-X access
  • Enumerates configured databases and SQL lists for the ClearSCADA
  • Performs complete configuration check for exposed components
  • Verifies access to diagnostic page and dumps required information
  • Executes dictionary attacks for checking weak credentials
  • Triggers Shodan search queries for exposed ClearSCADA Web-X client on the Internet


Download link >> http://cscad.secniche.org

Keynote >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Sood-C-Scad-Slides.pdf


Heybe – Penetration Testing Automation – Gokhan Alkan & Bahtiyar Bircan

Heybe is a Penetration Testing Automation Kit. It consists of modules that can be used to fully automate pen-tests and make them more effective. With Heybe you can 0wn all systems in a target company in a matter of minutes.


Heybe modules:

  • Fener: fast network discovery tool optimized for speed. Fener leverages several networking tools to discover all hosts within the target network.
  • Kevgir: automatic vulnerability scan tool. Kevgir is an automated vulnerability scanning tool optimized for speed. With Kevgir, an entire internal network can be scanned for specific vulnerabilities within minutes.
  • Sees: high-precision social engineering tool. Sees is used for performing tailor-made social engineering campaigns with a high success ratio.
  • Kacak: automatic domain admin takeover tool. Kacak is developed to discover target Windows machines in the network and take over the entire Windows domain automatically.
  • Depdep: post-exploitation tool. Depdep is a merciless sentinel which seeks out sensitive files containing critical info leaking through your network.
  • Cilingir: remote password cracker. Cilingir is a tool used to automate the password/hash capturing and cracking process. Captured credentials are automatically sent to a remote password cracking server and cracked passwords are automatically stored in a local loot for usage during the pen-test.
  • Levye: brute force tool. Levye is used for automating the brute forcing process against common and not-so-common protocols like OpenVPN.


Download link >> https://github.com/galkan/  (you must download all the tools under Galkan repository. Heybe is a set of separate modules)


JTAGulator – Joe Grand, former ‘Kingpin’ of L0pht

JTAGulator is an open source hardware hacking tool that assists in identifying on-chip debug interfaces from test points, vias, or component pads on a circuit board. The tool can save a tremendous amount of time during reverse engineering, particularly for those who don’t have the skill and/or equipment required for traditional processes.


Released at Black Hat USA 2013, the tool supports detection of JTAG and asynchronous serial/UART interfaces. New features are being added as they’re developed to expand the functionality and increase support for other protocols.


Download Link >> https://github.com/grandideastudio/jtagulator

Material from Arsenal >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Grand-JTAGulator-Tool.zip

Keynote >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Grand-JTAGulator-Slides.pdf


Melkor – An ELF File Format Fuzzer

Since its adoption as the standard binary file format for *nix systems, a variety of vulnerabilities in ELF parsers have been found and exploited in OS kernels, debuggers, libraries, etc. Most of these flaws were found manually through code review and binary modification. Nowadays, 15 years later, the same common programming mistakes are still being made in the many ELF parsers released today, whether as debuggers, reverse engineering tools, AV analyzers, plugins or malware (yes, malware has parsers too). This is where ELF file format fuzzing comes into play, helping you identify these bugs in an automated fashion.

In this presentation, I will show you the security risks involved in the ELF parsing process as well as the materialization of such risks by showing different bugs found during this research. After that, I’ll explain how intelligent file format fuzzing can help greatly in the flaw discovery process. Having a good background about the ELF file format and how smart fuzzing could help, I’ll continue with a detailed explanation on how I mixed and implemented both concepts in Melkor – an ELF file format fuzzer.


Melkor, written in C, is an intuitive and easy-to-use ELF file format fuzzer. Its fuzzing rules were designed from three inputs: ELF specification violations, programming patterns seen in ELF parsers, and other miscellaneous ideas and considerations. To achieve higher code/branch coverage in the programs under test, certain metadata dependencies must be kept in place; I’ll show you how Melkor implements these rules when creating malformed ELF files.

At the end of the presentation, the code of Melkor will be released and I’ll show you how to use it in some live demos where real-world applications are tested against fuzzed ELF files.
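The parser-side view of the bugs described above, as an added example that is not part of this write-up or of Melkor itself: a small bounds-checked ELF64 header validator, run against a handful of constructed files that reproduce the kinds of metadata violations an ELF fuzzer emits (a section header table placed past the end of the file, an offset chosen so that offset + size wraps 64-bit arithmetic, a string table index outside the table, and a truncated header). The sample files, the checks and their wording are my own; the structure layouts follow the ELF64 specification.

```python
"""Bounds-checked ELF64 header validation (added example, not Melkor code)."""
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
SHT_STRTAB = 3
EHDR_SIZE, PHDR_SIZE, SHDR_SIZE = 64, 56, 64
U64_MASK = (1 << 64) - 1
# Elf64_Ehdr: e_ident (magic, class, data, version, osabi, abiversion, 7 pad),
# then e_type .. e_shstrndx; little-endian only for this example.
EHDR_FMT = "<4sBBBBB7xHHIQQQIHHHHHH"
# Elf64_Shdr: sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size,
# sh_link, sh_info, sh_addralign, sh_entsize
SHDR_FMT = "<IIQQQQIIQQ"
assert struct.calcsize(EHDR_FMT) == EHDR_SIZE and struct.calcsize(SHDR_FMT) == SHDR_SIZE


def table_in_bounds(off, count, entsize, file_size, name, problems) -> bool:
    """A header table is usable only if offset + count*entsize stays inside the
    file. The wrap check mirrors the classic C mistake: `off + n*ent > size`
    computed in uint64_t silently passes when the sum overflows."""
    end = off + count * entsize               # exact: Python ints do not wrap
    if end != (end & U64_MASK):
        problems.append(f"{name}: offset+size wraps 64-bit arithmetic")
        return False
    if end > file_size:
        problems.append(f"{name}: table ends at {end}, file is {file_size} bytes")
        return False
    return True


def check_elf64(data: bytes) -> list:
    """Return the inconsistencies found in the ELF64 header and the section
    headers it depends on; an empty list means the metadata agrees with the
    file size. Every offset is validated before it is dereferenced."""
    problems, size = [], len(data)
    if size < EHDR_SIZE:
        return [f"file is {size} bytes, shorter than an ELF64 header"]
    (magic, ei_class, ei_data, _v, _osabi, _abi, _type, _mach, _ev, _entry,
     e_phoff, e_shoff, _flags, e_ehsize, e_phentsize, e_phnum,
     e_shentsize, e_shnum, e_shstrndx) = struct.unpack(EHDR_FMT, data[:EHDR_SIZE])
    if magic != ELF_MAGIC:
        return ["bad ELF magic"]
    if ei_class != ELFCLASS64 or ei_data != ELFDATA2LSB:
        return ["only little-endian ELF64 is handled by this example"]
    if e_ehsize != EHDR_SIZE:
        problems.append(f"e_ehsize is {e_ehsize}, expected {EHDR_SIZE}")
    if e_phnum:
        if e_phentsize != PHDR_SIZE:
            problems.append(f"e_phentsize is {e_phentsize}, expected {PHDR_SIZE}")
        table_in_bounds(e_phoff, e_phnum, e_phentsize, size, "program headers", problems)
    if e_shnum:
        shdrs_ok = e_shentsize == SHDR_SIZE
        if not shdrs_ok:
            problems.append(f"e_shentsize is {e_shentsize}, expected {SHDR_SIZE}")
        shdrs_ok = table_in_bounds(e_shoff, e_shnum, e_shentsize, size,
                                   "section headers", problems) and shdrs_ok
        if e_shstrndx >= e_shnum:
            problems.append(f"e_shstrndx {e_shstrndx} is outside {e_shnum} section headers")
        elif shdrs_ok and e_shstrndx:
            # Metadata dependency: section names are only resolvable when the
            # header at e_shstrndx really is an in-bounds string table.
            off = e_shoff + e_shstrndx * SHDR_SIZE
            (_n, sh_type, _f, _a, sh_off, sh_size, *_rest) = struct.unpack(
                SHDR_FMT, data[off:off + SHDR_SIZE])
            if sh_type != SHT_STRTAB:
                problems.append(f"section {e_shstrndx} has sh_type {sh_type}, not SHT_STRTAB")
            elif sh_off + sh_size > size:
                problems.append("section name string table runs past end of file")
    return problems


def ehdr(**f) -> bytes:
    """Pack a constructed ELF64 header (x86-64 executable); kwargs override fields."""
    v = dict(e_phoff=0, e_phnum=0, e_shoff=0, e_shnum=0, e_shstrndx=0,
             e_ehsize=EHDR_SIZE, e_phentsize=PHDR_SIZE, e_shentsize=SHDR_SIZE)
    v.update(f)
    return struct.pack(EHDR_FMT, ELF_MAGIC, ELFCLASS64, ELFDATA2LSB, 1, 0, 0,
                       2, 0x3E, 1, 0x401000, v["e_phoff"], v["e_shoff"], 0,
                       v["e_ehsize"], v["e_phentsize"], v["e_phnum"],
                       v["e_shentsize"], v["e_shnum"], v["e_shstrndx"])


def well_formed() -> bytes:
    """Constructed minimal ELF64: header, one (null) program header, a null
    section header plus a .shstrtab header, then the string table itself."""
    names = b"\0.shstrtab\0"
    strtab_off = EHDR_SIZE + PHDR_SIZE + 2 * SHDR_SIZE          # 248
    hdr = ehdr(e_phoff=EHDR_SIZE, e_phnum=1,
               e_shoff=EHDR_SIZE + PHDR_SIZE, e_shnum=2, e_shstrndx=1)
    strtab_shdr = struct.pack(SHDR_FMT, 1, SHT_STRTAB, 0, 0, strtab_off, len(names), 0, 0, 1, 0)
    return hdr + bytes(PHDR_SIZE) + bytes(SHDR_SIZE) + strtab_shdr + names


WF = well_formed()
# Constructed mutants, each violating one metadata dependency (like fuzzer output).
SAMPLES = {
    "well_formed": WF,
    "shoff_past_eof": ehdr(e_shoff=0x10000, e_shnum=1),
    "shoff_wraps": ehdr(e_shoff=U64_MASK - SHDR_SIZE + 1, e_shnum=1),
    "shstrndx_out_of_range": WF[:62] + struct.pack("<H", 7) + WF[64:],   # e_shstrndx at +62
    "shstrtab_wrong_type": WF[:188] + struct.pack("<I", 1) + WF[192:],    # sh_type of shdr #1
    "truncated": WF[:40],
}


def scan_samples() -> dict:
    """Run the validator over every constructed sample."""
    return {name: check_elf64(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in scan_samples().items():
        print(f"{name}: {found or 'OK'}")
```

The interesting case is `shoff_wraps`: a parser that checks `e_shoff + e_shnum * e_shentsize <= filesize` in native 64-bit arithmetic accepts it, then reads section headers from an offset far outside the mapping.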

Download Link >> http://www.brainoverflow.org/code/melkor-v1.0.tar.gz

Keynote >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Hernandez-Melkor-Slides.pdf

ModSecurity – Ryan Barnett

ModSecurity is an open source, cross-platform web application firewall (WAF) module.


Known as the “Swiss Army Knife” of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a powerful rules language and API to implement advanced protections. Come check out the new advancements in ModSecurity and try some hands-on evasion challenges!

New features presented at Arsenal:
* JSON parser is no longer under test; it is now part of the mainline;
* Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit) now support white and suspicious lists;
* New variables FULL_REQUEST and FULL_REQUEST_LENGTH were added, allowing rules to access the full content of a request;
* ModSecurity status is now part of the mainline;
* New operator @detectXSS was added; it makes use of the newest libinjection XSS detection functionality;
* Append and prepend are now supported on nginx (Ref: #635);
* SecServerSignature is now available on nginx (Ref: #637).
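As an added illustration of three of the features listed above (this is my configuration, not a fragment from the Arsenal write-up or from the ModSecurity project), the rules below use the connection-limit exemption, the FULL_REQUEST_LENGTH variable and the @detectXSS operator. The rule ids, the 192.0.2.10 monitoring host and the 1 MiB threshold are placeholders I chose for the example.

```apache
# Added example configuration; rule ids 900100-900101, the host 192.0.2.10
# and the size limit are placeholders, not values from the write-up.

# Connection limits with a white list: cap concurrent connections in read
# and write state per client, but never throttle the monitoring host.
SecConnReadStateLimit  50 "!@ipMatch 192.0.2.10"
SecConnWriteStateLimit 50 "!@ipMatch 192.0.2.10"

# FULL_REQUEST_LENGTH: refuse a request whose complete serialised form
# (request line, headers and body) exceeds 1 MiB.
SecRule FULL_REQUEST_LENGTH "@gt 1048576" \
    "id:900100,phase:2,deny,status:413,log,msg:'Request larger than 1 MiB'"

# @detectXSS: run libinjection's XSS detector over decoded arguments and
# cookies; log which variable matched so the hit can be triaged.
SecRule ARGS|REQUEST_COOKIES "@detectXSS" \
    "id:900101,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,\
    deny,status:403,log,msg:'XSS detected by libinjection',\
    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
```

Start the @detectXSS rule in DetectionOnly mode (or with `pass` instead of `deny`) on real traffic first; the transformations chosen decide what libinjection sees, so a different decode chain changes both hits and misses.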

Download link >> https://www.modsecurity.org/


MozDef The Mozilla Defense Platform – Jeff Bryner

Attackers have all the fun. With slick, integrated, real-time, open suites like metasploit, armitage, SET, and lair they quickly seek out targets, share exploits, gain footholds, and usually win.


The time has come for defense to get the same capabilities in an open source platform dedicated to defense and based on modern technology.

To this end the operations security group at Mozilla has developed MozDef: The Mozilla Defense Platform to take on traditional SIEM functionality of event management, alerting and correlation, and expand the real-time capabilities of the defender into automated defense and shared incident response.


Download link >> https://github.com/jeffbryner/MozDef/


Volatility Framework 2.4 – Michael Ligh

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples of Windows, Linux, Mac OS X, and Android systems.


Our last release received over 40,000 downloads and we’re equally as excited to get 2.4 into the hands of forensic investigators and malware analysts. Some of the key features of the 2.4 release that we’ll be demoing are:

  • Extraction of cached Truecrypt passphrases and master keys (AES, Twofish, Serpent, etc.)
  • Support for Windows 8.1 and 2012 R2 x64 memory dumps, including on-the-fly decoding of the kernel debugger data block
  • Tracking Mac OS X Mavericks user activity by recovering unencrypted PGP emails, OTR (off-the-record) chat messages, contacts, calendar items, notes, and saved Keychain credentials
  • Detection of advanced Linux rootkits, such as those that leverage GOT/PLT in user mode and Netfilter hooking in the kernel
  • Circumventing the new compressed swap facility implemented in Mac OS X and Linux operating systems


Download link >> https://github.com/volatilityfoundation

Documentation and everything Volatility >> http://www.volatilityfoundation.org/


FSExploitMe – Brad Antoniewicz

FSExploitMe is a purposely vulnerable ActiveX Control to teach you about browser exploitation. Along the way you’ll learn reverse engineering, vulnerability analysis, and general exploitation on Windows.


Download link >> https://github.com/OpenSecurityResearch/FSExploitMe


Ice-Hole – Darren Manners

Ice-Hole is a phishing awareness email program. It is designed to help security analysts and system administrators keep track of and test end users.

The tool can be used in conjunction with various third-party software, like SET, for further leverage. Version 1.7 has some new features and enhancements like IRC triggers, integration with a new portal feature, automatic times and dates, and sending reports on a schedule.

Download link >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Manners-Ice-Hole-Tool.zip


Impacket – Andres Blanco

Impacket is a collection of Python classes focused on providing access to network packets. Impacket allows Python developers to craft and decode network packets in a simple and consistent manner. It includes support for low-level protocols such as IP, UDP and TCP, as well as higher-level protocols such as NMB, SMB, MSRPC and DCOM. Impacket is highly effective when used in conjunction with a packet capture utility or package such as Pcapy. Packets can be constructed from scratch, as well as parsed from raw data. Furthermore, the object-oriented API makes it simple to work with deep protocol hierarchies.

The following features will be demoed:

  • New RPC and NDR runtime (located at impacket.dcerpc.v5; the old one is still available):
    • Support for marshaling/unmarshaling for NDR20 and NDR64 (experimental)
    • Support for RPC_C_AUTHN_NETLOGON (experimental)
    • The following interfaces were developed based on their standard definitions:
      • [MS-LSAD] – Local Security Authority (Domain Policy) Remote Protocol (lsad.py)
      • [MS-LSAT] – Local Security Authority (Translation Methods) Remote Protocol (lsat.py)
      • [MS-NRPC] – Netlogon Remote Protocol (nrpc.py)
      • [MS-RRP] – Windows Remote Registry Protocol (rrp.py)
      • [MS-SAMR] – Security Account Manager (SAM) Remote Protocol (samr.py)
      • [MS-SCMR] – Service Control Manager Remote Protocol (scmr.py)
      • [MS-SRVS] – Server Service Remote Protocol (srvs.py)
      • [MS-WKST] – Workstation Service Remote Protocol (wkst.py)
      • [MS-RPCE]-C706 – Remote Procedure Call Protocol Extensions (epm.py)
      • [MS-DTYP] – Windows Data Types (dtypes.py)

Most of the DCE calls have helper functions for easier use. Test cases were added for all calls (check the test cases directory).

  • ESE parser (Extensible Storage Engine) (ese.py)
  • Windows Registry parser (winregistry.py)
  • TDS protocol now supports SSL, can be used from mssqlclient
  • Support for EAPOL, EAP and WPS decoders
  • VLAN tagging (IEEE 802.1Q and 802.1ad) support for ImpactPacket, done by dan.pisi
  • WMI query and execution

Download link >> https://code.google.com/p/impacket/

Documentation and cool stuff >> http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Impacket

iSpy – Joe DeMesy

Frustrated with the lack of mature tools for iOS security assessment? Wouldn’t you like an integrated toolchain to pull together many of the existing tools, but also integrate new and interesting tools? Perhaps you’d like to use some more advanced iOS hacking/reversing/debugging but don’t have time on the job to learn gdb. Maybe you just want to pick up iOS hacking fast and would like a mature toolchain to help you.


We can help. We’ll be bringing goodies to the table:

  • A “reverse sandbox” in which iOS apps can be run on jailbroken devices. It provides easily configured monitoring, hooking, disabling/enabling, and logging of Objective-C methods, C functions, and other goodies. We’ll show you how to use this to defeat common anti-jailbreaking checks in a matter of minutes.
  • Automated tools to help cover the routine aspects of iOS app security:
    • Insecure functions
    • Insecure network transmission
    • Insecure compiler settings
  • Hands up if you’d rather choke on a pretzel than write a report. Yeah, us too. We’ll be presenting tools that not only do security work, but that provide data that can be easily incorporated into deliverables.
  • We’ll help you streamline your testing by automating a lot of the grunt work, leaving you free to do what you do best: hack.
  • We might even drop some mobile device management 0day! (pending serious people in suits telling us it’s ok)


Download link >> https://github.com/BishopFox/iSpy


Praeda – Deral Heiland

Praeda – Latin for “plunder, spoils of war, booty”. Praeda is an automated data/information harvesting tool designed to gather critical information from various embedded devices.


Praeda leverages various implementation weaknesses and vulnerabilities found on multifunction printers (MFPs) and extracts Active Directory credentials from MFP configurations such as SMTP, LDAP, POP3 and SMB settings.

Praeda also tests for default passwords on targeted devices and gathers SNMP community strings from network cameras, SANs, UPSs and other embedded devices on the network.

During the demonstration we will introduce everyone to the features and functions of this tool and how to effectively leverage it during internal penetration testing to gather credentials that can be used to gain access to critical internal systems.

Download Link >> https://github.com/percx/Praeda


reGeorg – Willem Mouton

In 2008 we released reDuh (http://research.sensepost.com/tools/web/reduh), a network tunnelling tool that allowed port forwarding via a web-shell and HTTP/S to backend services. reDuh has since become part of any attacker’s standard toolkit, featuring in several books and notoriously described as “insidious” by HBGary in their leaked e-mails.

However, when doing any sort of tunnelling, targeting multiple hosts and ports can be frustrating as it requires a tunnel to be setup for each unique host:port combination. Enter reGeorg; this is a rewrite of reDuh to support a full SOCKS4/5 proxy interface. This allows one tunnel to be used to make multiple connections, including port scans. Additionally, capabilities to take advantage of HTML5 websockets (where available) have been built for faster connections.

In short, if you can get a webshell up, you can use reGeorg to gain access with your favourite tool (Nmap, Metasploit, etc.) to the entire internal network range your compromised server has access to.

Currently supported web frameworks: ASP.NET, JSP, PHP, ASP
Currently supported transports: HTTP, HTTPS, HTML5 WebSockets

Download link >> https://github.com/sensepost/reGeorg


ThreadFix – Dan Cornell

ThreadFix is the industry leading application vulnerability management platform that provides a window into the state of application security programs for organizations that build software.  The platform helps to bridge a challenging communication gap between security and software development teams by aggregating vulnerability test results from static and dynamic application security scanning tools.


ThreadFix also allows users to input the results of manual penetration testing, code review and threat modeling to provide a comprehensive view of software security for an organization. Once a unified list of security vulnerabilities has been created, ThreadFix allows application security managers to further prioritize discovered vulnerabilities via a centralized dashboard.  Our platform allows companies to correlate testing results and streamline software remediation efforts by simplifying feeds to software issue trackers. As the development team resolves defects, status updates are synchronized within ThreadFix, enabling the security team to schedule follow-up testing to confirm that security holes have indeed been closed. ThreadFix also auto-generates application firewall rules to block application attacks while remediation efforts occur.


ThreadFix empowers managers with vulnerability trending reports that demonstrate software security progress over time.

Changelog during Arsenal

- Hybrid Analysis Mapping (HAM) to correlate SAST and DAST scanner results
- Scanner plugins for OWASP ZAP and BurpSuite that pre-calculate application attack surface
- Support for HP Quality Center and Version One integration
- Support for Cenzic/Trustwave Hailstorm and Checkmarx
- IDE plugins for Eclipse and IntelliJ

Download and great resources >> http://www.threadfix.org

Arsenal Keynote  >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Cornell-ThreadFix-Slides.pdf


W3af Web Security Scanner – Andres Riancho

w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.


W3af is structured around plugins. They are very important to w3af, they extend the framework in various ways such as finding new vulnerabilities, identifying new URLs and writing these to different file types. The plugins are coordinated by the core strategy and consume the core features.


Our framework is proudly developed using Python to be easy to use and extend, and licensed under GPLv2.0.


Download link and documentation >> http://w3af.org

Arsenal Keynote >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Riancho-w3af-Slides.pdf


Zig Tools – Mike Warner

ZigTools is a Python framework developed to reduce the complexity of writing additional functionality for communicating with the Freakduino (a low-cost Arduino-based 802.15.4 platform).

Features such as initializing the radio, changing channels, sending data and processing that data can be written in just a few lines, allowing developers to focus on writing more complex applications without worrying about the low-level communications between the radio and computer.


Download link >> https://github.com/iSECPartners/ZigTools


BeEF – Michele Orru


A bag of fresh and juicy 0days is certainly something you would love to get as a Christmas present, but it would probably be just a dream you had one of those drunken nights.

Hold on! Not all is lost! There is still hope for pwning targets without 0days.


We will walk you through multiple real-life examples of client-side pwnage, from tricking the victim to take the bait, to achieving persistence on the compromised system.

The examples will be highly practical and will demonstrate how you can do proper client-side exploitation effectively, simply by abusing existing functionalities of browsers, extensions, legacy features, etc.


We’ll delve into Chrome and Firefox extensions (automating various repetitive actions that you’ll likely perform in your engagements), HTML applications, abusing User Interface expectations, (Open)Office macros and more. All the attacks are supposed to work on fully patched target software, with a bit of magic trickery as the secret ingredient.


You might already know some of these exploitation vectors, but you might need a way to automate your attacks and tailor them based on the victim language, browser, and whatnot. Either way, if you like offensive security, this is for you.

Download link and BeEF resources >> http://beefproject.com/


Cynomix – Giacomo Bergamo

The stream of malicious software artifacts (malware) discovered daily by computer security professionals is a vital signal for threat intelligence, as malware bears telling clues about who active adversaries are, what their goals are, and how we can stop them. Unfortunately, while security operations centers collect huge volumes of malware daily, this “malware signal” goes underutilized as a source of defensive intelligence, because organizations lack the right tools to make sense of malware at scale.


To contribute to addressing this problem we will be launching Cynomix.org at the opening of Black Hat USA 2014. Cynomix will include three key, novel capabilities that we hope will broadly impact the way malware analysis is performed:

  • A subsystem for revealing “social network” style relationships between malware samples based on their shared characteristics. This subsystem allows analysts to see a group of malware samples in relation to a population-scale database of millions of malware samples.
  • A subsystem for revealing malware sample capabilities based on correlations between samples’ extracted technical symbols and a machine-learning model trained on web question-and-answer documents.
  • A subsystem for automatically generating statistically principled Yara signatures for malware samples and malware sample groups based on Bayesian reasoning at scale. This subsystem will allow users of Cynomix to quickly defend against new malware families before anti-virus companies generate signatures for them.


In our demonstration presentation at Black Hat Arsenal we will introduce Black Hat attendees to Cynomix.org, which will host a freely available version of our system. As part of our demonstration we will give detailed explanations of our platform’s visualizations and algorithms while also helping people to sign up to use the system in their own security operations work.

Register to beta >> http://www.cynomix.org/


DAMM – Differential Analysis of Malware in Memory – Vico Marziale

Detecting malware is difficult, and analyzing a detected piece of malware’s behavior is even more difficult. Techniques for analysis generally fall into one of three camps: static analysis of the malicious binary on disk, dynamic analysis as the binary executes, or a hybrid approach using a snapshot of physical RAM taken as the malware executes. As the result of our DARPA Cyber Fast Track (CFT) funded research, we extend this third approach.


We present a novel technique for leveraging information including multiple snapshots of physical RAM for malware detection and analysis. The technique is implemented as DAMM, a tool for differential analysis of malware in memory. DAMM functions by leveraging multiple snapshots of RAM, domain knowledge about known-benign in-memory artifacts, and indicators of malicious activity to present to the user a powerful view of malicious execution in memory.

Download link >> Awaiting update from authors


iMas – iOS Mobile Application Security Libs – Gregg Ganley

iOS apps are vulnerable to static analysis and attack through binary code patching. Incorporating jailbreak and debugger detection algorithms can be rendered useless with a quick binary patch. Once patched the app can be further exploited, its app data stolen, and even cloned.

The iMAS research team, the team that brought Encrypted CoreData (ECD) to GitHub open source, has your back! At this talk we will introduce open source Encrypted Code Modules (ECM) as a technique to protect sensitive enterprise iOS applications. Using ECM as the base we will demonstrate an iOS app anti-tamper technique that is considerably more resistant to patching. We will walk through this step-by-step process to make your iOS apps more secure and … authentic.


Download link and documentation >> http://project-imas.github.io/

OWASP PCI Toolkit – Johanna Curiel

The PCI toolkit is based on a decision tree assessment methodology, which helps you identify whether your web applications are part of the PCI-DSS scope and how to apply the PCI-DSS requirements. By decomposing the scope one step at a time, you will be able to create an assessment and a final report of your scope delimitation and of which OWASP guidelines must be used.

Changelog during Arsenal

Alpha release 1.2 is planned for the end of July 2014:
- Analysis report of development environment processes and procedures
- Analysis report of testing environment processes and procedures

Download link and documentation >> https://www.owasp.org/index.php/Category:OWASP_PCI_Project#tab=Main


SecureScan SaaS Free Scanner – Edward Smith

Tripwire SecureScan™ is a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks.


This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the Heartbleed vulnerability among many others. Fast, free, and simple to use – no license required.


Free registration and documentation >> http://www.tripwire.com/securescan/

Serpico – Will Vandevanter & Peter Arzamendi

Serpico is a report generation and collaboration tool. Serpico’s primary function is to cut down on the amount of time it takes to write a penetration testing report. When building a report the user adds “findings” from the template database to the report. When there are enough findings, the user clicks ‘Generate Report’ to create the docx of the report.


New Report templates can be added through the UI making the reports easy to customize. The Report Templates themselves use a custom Markup Language that includes common variables (i.e. finding name, customer name, customer address, etc.) along with more complex requirements. It is meant to be simple and intuitive.


Serpico is already in use by a number of consultants, but we think it is time to get the word out. Serpico was built by penetration testers with a pen-testers methodology in mind. It might make you hate report writing just a little bit less.

Download link >> https://github.com/MooseDojo/Serpico/


Viproy VoIP Penetration Testing & Exploitation Kit – Fatih Ozavci

Viproy VoIP Pen-Test Kit is developed to improve the quality of VoIP penetration tests. The first version of Viproy had SIP trust hacking, SIP proxy bounce scan and advanced SIP attacks.

Viproy 2.0 will provide improved SIP penetration testing features such as TCP, TLS and vendor (Cisco, Microsoft Lync) support and multi-thread fixes. Furthermore, the new version will have Cisco Skinny protocol and Cisco HCS (VOSS) server support to initiate unauthorised call redirection attacks, speed dial manipulation, unauthorised calls using Skinny and information gathering attacks.

Documentation and official website >> http://www.viproy.com/

Code published at Arsenal >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Ozavci-Viproy-Tool.zip

Arsenal Keynote >> https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Ozavci-Viproy-Slides.pdf

Watobo – The Web Application Toolbox – Andreas Schmidt

WATOBO is a security tool for testing web applications. It is intended to enable security professionals to perform efficient (semi-automated) web application security audits.


Most important features are:

  • WATOBO has Session Management capabilities! You can define login scripts as well as logout signatures. So you don’t have to login manually each time you get logged out.
  • WATOBO can act as a transparent proxy (requires nfqueue)
  • WATOBO can perform vulnerability checks out of the box
  • WATOBO can perform checks on functions which are protected by Anti-CSRF-/One-Time-Tokens
  • WATOBO supports Inline De-/Encoding, so you don’t have to copy strings to a transcoder and back again. Just do it inside the request/response window with a simple mouse click.
  • WATOBO has smart filter functions, so you can find and navigate to the most interesting parts of the application easily.
  • WATOBO is written in (FX)Ruby and enables you to easily define your own checks
  • WATOBO runs on Windows, Linux, MacOS … every OS supporting (FX)Ruby
  • WATOBO is free software (licensed under the GNU General Public License Version 2)


Changelog at Arsenal

* fixed NTLM authentication
* fixed status bar infos
* if match value contains 3 digits it will be treated as response code (reduces false positives)
* CA serial now starts with current time to avoid serial number conflicts after reinitializing CA
* fixed cookie access in passive module ‘possible_login’
* little fix in xxe module
* fixed crash when selecting ‘scope only’ in sites-tree
* fixed transcoder, so all CRLF will be removed before Base64 decoding
* now removes Expect-100-continue headers from client
* added JSON support for table editor (only first-level parameters)

Download Link and documentation >> http://watobo.sourceforge.net


Nice moments at the Arsenal

With Michael of Volatility

Alejandro and Daniela. The mentor and the mentee.

Lookee who I finally met: Federico, founder of EkoParty.

Black & White selfie in the morning.

View from the Qualys party at the Mandalay Bay (you can spot a few UFOs 🙂).

Alien from Donut Land. He definitely needs a diet and some exercise.

With William and Alejandro

With Rachid, Alejandra, Daniela

See you all next year 🙁 

We had a blast. Thanks to all the hackers (authors & audience) who attended the Arsenal.

Keep up the great work !

About the Author

Principal Founder & Maintainer - Freelancer ICS/SCADA Security Expert. As part of my research, I'm focusing on maintaining many projects such as the DPE (Default Password Enumeration), vFeed® the open source correlated & cross-linked vulnerability database, and FireCAT the Firefox Catalog of Auditing exTensions. Today, I'm the co-organizer of the major event Blackhat Arsenal Tools (US and Europe) since 2011 and, since 2014, co-organizer of Rooted Warfare in Spain. I go by the handle @toolswatch on Twitter and am always willing to help, share and drink with friends from far and wide.
