GET YOUR VULNERABILITY AND THREAT DATABASE SUBSCRIPTION
EKOLABS 2016


Arsenal

Published on June 30th, 2016 | by NJ Ouchn

1

The Black Hat Arsenal USA 2016 Remarkable Line-Up !

Here we are !

This year, the selection was really tough and hard. We got an impressive Tsunami of submissions. It never happened before. Why  ? Because the Arsenal Event is getting famous after each session. Audience and hackers just love it.

special-events-arsenal
It is the only event in the World where hackers alongside users can get so close without the bureaucracy and all that crap. Just a table and a screen separate the beauties from the beasts and nothing else ! When i started using security tools in the mid of the 90’s it was pratically impossible for me to meet or reach their authors.

bh16usa_logo_black_updated

Now, it is like a dream comes true. I’m surrounded by the biggest and the smartest hackers in the world. And you can join me during the Black Hat Security Event to see them rocking the scene with mind blowing tools.

Black Hat Arsenal USA 2016 is officially the Biggest Security Tools Event in the World with over 80 tools demoed during 2 days. This year, we have introduced The Arsenal Theater a seating area with a bigger Plasma screen.

Please say hi to the Arsenal USA 2016 Line-up.

.NET Security Guard

presented by

Philippe Arteau

.NET Security Guard is a code analyzer using the brand new Roslyn API, a framework built to develop analyzers, refactorings tools and build tools. It allows developers to scan their C# and VB.net code for potential vulnerabilities directly from Visual Studio. The analyzers are able to find a wide range of vulnerabilities from injection flaws to cryptographic weaknesses. Example of vulnerable applications will be analyzed in a live demonstration.


A Black Path Toward The Sun

presented by

Ben Lincoln

Web application servers and appliances are often one of the most highly-visible entry points into an organization or high-security network. If the server is misconfigured or hosting vulnerable code, existing tools can frequently be used by attackers to convert it into a gateway to the internal network. However, taking full advantage of such a system typically requires a network-level connection between the attacker and the web application server. For example, an internet-facing Linux web application server may have network-level connectivity to an internal Windows domain controller, but appropriate client tools may not function correctly when used via a web shell or similar interface. An interactive session (SSH, RDP, et cetera) on the vulnerable system, or port-forwarding to allow direct connectivity to internal services from the attacker’s system becomes necessary. If the organization responsible for the server has done everything else correctly (including blocking tunneling via ICMP/DNS), then there may be no additional network-level connectivity possible in either direction between the attacker and the web application server. This closes off SSH, RDP, and similar interactive remote access, and prevents the use of port-forwarding agents such as Meterpreter.

This presentation provides a solution to this problem – A Black Path Toward The Sun, a tool (released as open source in conjunction with the presentation) which tunnels TCP traffic through the web application server using the server’s existing HTTP/HTTPS interface. That is, a JSP/WAR/ASPX file is deployed on the server (just as a web shell would be), and a Python script is executed on the attacker’s system which performs TCP port-forwarding through that deployed server-side component. The tool also incorporates novel measures to make the network communication challenging to detect using traditional IDS/IPS/WAF-type systems. Java/JSP and ASP.NET editions of the server-side component will be included in the initial open source release, but porting the component to other web application servers should be straightforward.


Accelerating Cyber Hunting Project ASGARD

presented by

Joshua Patterson  &  Michael Wendt

Rethinking the cyber security problem as a data-centric problem led Accenture Labs Cyber Security team to use best of breed open source big-data tools and emerging technologies to accelerate detection, response, and hunting. Project ASGARD, utilizing new approaches such as graph databases and analysis, GPUs, and Spark, exploits the connected nature of cyber security data to give cyber analyst more efficient and effective tools to combat evolving cyber threats. ASGARD allows organization to store more data than ever, while still gaining 2-3 orders of magnitude more speed and performance than traditional SIEMS. In this talk you can watch us analyze data real-time, learn more about our cluster and architecture, and see how we’ve integrated leading big data technologies to outperform expensive appliances with a fraction of the cost. In addition, we will demonstrate how advanced data science can be used to identify threats and accelerate cyber analysis, instead of just adding more noise.


Aktaion

presented by

Joseph Zadeh  &  Rod Soto

Crypto Ransomware has become a popular attack vector used by malicious actors to quickly turn infections into profits. From a defensive perspective, the detection of new ransomware variants relies heavily on signatures, point solution posture and binary level indicators of compromise (IOC). This approach is inefficient at protecting targets against the rapid changes in tactics and delivery mechanisms typical of modern ransomware campaigns. We propose a novel approach for blending multiple signals (called micro behaviors) to detect ransomware with more flexibility than using IOC matching alone.

The goal of the approach is to provide expressive mechanisms for detection via contextual indicators and micro behaviors that correlate to attacker tactics, even if they evolve with time. The presenters will provide open source code that will allow users and fellow researchers to replicate the use of these techniques. We will conclude with a focus on how to tie this approach to active defense measures and existing infrastructure.

This tool will be applied to PCAPS and will then mine and display relationships of Micro Behaviors particular to ransomware traffic. Built with Spark notebook https://github.com/andypetrella/spark-notebook we are leveraging Apache Spark (http://spark.apache.org/) for scalable data processing and MlLib for an anlalytics API (http://spark.apache.org/mllib/). The notebook will provide an interface for the ingestion of heterogenous data and the ability to build a combination of behavior based risk indictors combined with classic signatures. Prototype examples of different risk profiles will be demonstrated with the API via spark notebook but the libraries themselves should be usable in any Java backed code base.


AMIRA: Automated Malware Incident Response and Analysis

presented by

Jakub Sendor

Even for a larger incident response team handling all of the repetitive tasks related to malware infections is a tedious task. Our malware analysts have spent a lot of time chasing digital forensics from potentially infected Mac OS X systems, leveraging open source tools, like OSXCollector. Early on, we have automated some part of the analysis process, augmenting the initial set of digital forensics collected from the machines with the information gathered from the threat intelligence APIs. They helped us with additional information on potentially suspicious domains, URLs and file hashes. But our approach to the analysis still required a certain degree of configuration and manual maintenance that was consuming lots of attention from malware responders.

Enter automation: turning all of your repetitive tasks in a scripted way that will help you deal faster with the incident discovery, forensic collection and analysis, with fewer possibilities to make a mistake. We went ahead and turned OSXCollector toolkit into AMIRA: Automated Malware Incident Response and Analysis service. AMIRA turns the forensic information gathered by OSXCollector into actionable response plan, suggesting the infection source as well as suspicious files and domains requiring a closer look. Furthermore, we integrated AMIRA with our incident response platform, making sure that as little interaction as necessary is required from the analyst to follow the investigation. Thanks to that, the incident response team members can focus on what they excel at: finding unusual patterns and the novel ways that malware was trying to sneak into the corporate infrastructure.


Android-InsecureBankv2

presented by

Dinesh Shetty

Ever wondered how different attacking a Mobile application would be, from a traditional web application? Gone are the days when knowledge of just SQL Injection or XSS could help you land a lucrative high-paying InfoSec job. Watch as Dinesh walks you through his new and shiny updated custom application, “Android-InsecureBank” and some other source code review tools, to help you understand some known and some not so known Android Security bugs and ways to exploit them.

This presentation will cover Mobile Application Security attacks that will get n00bs as well as 31337 attendees started on the path of Mobile Application Penetration testing. Some of the vulnerabilities in the Android InsecureBank application that will be discussed (but not limited to) are:

  • Flawed broadcast receivers
  • Weak authorization mechanism
  • Root detection and bypass
  • Local encryption issues
  • Vulnerable activity components
  • Insecure content provider access
  • Insecure webview implementation
  • Weak cryptography implementation
  • Application patching
  • Sensitive information in memory

Expect to see a lot of demos, tools, hacking and have loads of fun.


AndroidTamer

presented by

Anant Shrivastava

AndroidTamer started out as a VirtualMachine for Android (security) Professional, we are slowly making Android Tamer a single point of Reference for Android Professionals. We will be demoing multiple projects that we have created under AndroidTamer umbrella,

  • AndroidTamer Debian based VM Customized to the core debian 8 based virtual machine environment with preloaded tools for usage in Android Pentesting
  • Android-emulator customised for pentesting (both x86 and arm version) Customized emulator to be used in place of a device in both x86 and arm version which can be coupled with Tamer VM.
  • Most extensive Tools Documentation https://tools.androidTamer.com: hosts the most extensive single location documentation for largest array of tools needed for android security.
  • DEB / YUM Repository for tools / software distribution. https://repo.androidtamer.com: Only repository which is actively maintained and support both debian and Redhat distributions.
  • Knowledge Base https://kb.Androidtamer.com: contains various documentation around android which is useful to many people around the world. includes our very famous “Android Security Enhancement” sheet.

All this will be part of the jam packed demo’s that will be presented at BlackHat USA Arsenal.


AppMon

presented by

Nishant Das Pattanaik

AppMon is an automated framework for monitoring and tampering system API calls of native apps on iOS, Mac OS X and Android apps (upcoming). You may call it the GreaseMonkey for native mobile apps. 😉 AppMon is my vision is to make become the Mac OS X/iOS/Android equivalent of the this project apimonitor and GreaseMonkey. This should become a useful tool for the mobile penetration testers to validate the security issues report by a source code scanner and by inspecting the APIs in runtime and monitoring the app’s overall activity and focus on things that seem suspicious. You can also use pre-defined user-scripts to modify the app’s functionality/logic in the runtime e.g. spoofing the DeviceID, spoofing the GPS co-ordinates, faking In-App purchases, bypassing TouchID etc.

In the current release, we have the ability to hook both the Apple’s CoreFoundation API’s as well as the Objective-C methods (even if its done in a Swift app via the bridging header).


Arsenal Theater Demo: Aktaion

presented by

Joseph Zadeh  &  Rod Soto

Crypto Ransomware has become a popular attack vector used by malicious actors to quickly turn infections into profits. From a defensive perspective, the detection of new ransomware variants relies heavily on signatures, point solution posture and binary level indicators of compromise (IOC). This approach is inefficient at protecting targets against the rapid changes in tactics and delivery mechanisms typical of modern ransomware campaigns. We propose a novel approach for blending multiple signals (called micro behaviors) to detect ransomware with more flexibility than using IOC matching alone.

The goal of the approach is to provide expressive mechanisms for detection via contextual indicators and micro behaviors that correlate to attacker tactics, even if they evolve with time. The presenters will provide open source code that will allow users and fellow researchers to replicate the use of these techniques. We will conclude with a focus on how to tie this approach to active defense measures and existing infrastructure.

This tool will be applied to PCAPS and will then mine and display relationships of Micro Behaviors particular to ransomware traffic. Built with Spark notebook https://github.com/andypetrella/spark-notebook we are leveraging Apache Spark (http://spark.apache.org/) for scalable data processing and MlLib for an anlalytics API (http://spark.apache.org/mllib/). The notebook will provide an interface for the ingestion of heterogenous data and the ability to build a combination of behavior based risk indictors combined with classic signatures. Prototype examples of different risk profiles will be demonstrated with the API via spark notebook but the libraries themselves should be usable in any Java backed code base.


Arsenal Theater Demo: BSOD HD: An FPGA-Based HDMI Injection and Capture Tool

presented by

Joe Grand

BSODomizer HD is an open source, FPGA-based, covert electronic device that injects and captures HDMI signals. Currently a proof-of-concept design, this much anticipated follow-up to the original BSODomizer released in 2008 (www.bsodomizer.com) improves on the graphics interception and triggering features, and can capture screenshots of any non-HDCP target up to 1080p resolution. Uses of the tool include penetration testing, video display calibration, mischievous acts, or as a reference design for exploration into the mystical world of FPGAs.

Co-developed by Joe Grand (aka Kingpin) of Grand Idea Studio and Zoz of Cannytrophic Design.


Arsenal Theater Demo: CAN Badger

presented by

Javier Vazquez Vidal

The car hacking topic is really hot at the moment, and many vulnerabilities affecting entire fleets are found from time to time. But is this all that there is regarding this topic? We want to introduce the CAN Badger, a tool designed to ease the way a vehicle is reversed. It is a hardware tool, not just an interface connected to a PC.

Like its predecessor, the ECU Tool, the CAN Badger is able to handle the Security in ECUs in an easy way, as well as provide verbose information on what’s going on in the buses. Want to learn how to approach vehicle electronics security in a practical way? Come and visit us at Arsenal


Arsenal Theater Demo: ChipWhisperer

presented by

Colin O’Flynn

ChipWhisperer is the world’s first complete open-source (hardware+software+documentation) toolchain for advanced embedded hardware security analysis such as side-channel power analysis and glitching attacks. In 2016 the software has been completely overhauled to improve the modular design and make it easier than ever for researchers to develop their own plug-ins.

We’ll be demoing some of the previous open-source hardware (such as the ChipWhisperer-Lite which was a Kickstarter during 2015) along with brand-new hardware, and the release of overhauled software tools with improved API, performance, and features. Don’t miss your chance to see ChipWhisperer in action!


Arsenal Theater Demo: CrackMapExec

presented by

Marcello Salvati

CrackMapExec is fully open-source and hosted on Github: it aims to be a one-stop-shop for all of your offensive Active Directory needs by combining the power of Python, Powersploit and the Impacket library!

Taking inspiration from previous tools such as:

  • smbexec
  • smbmap
  • credcrack

It allows you to quickly and efficiently import credentials from Empire and Metasploit, replay credentials, pass-the-hash, execute commands, powershell payloads, spider SMB shares, dump SAM hashes, the NTDS.dit, interact with MSSQL databases and lots more in a fully concurrent pure Python script that requires no external tools and is completely OpSec safe! (no binaries are uploaded to disk!).


Arsenal Theater Demo: FakeNet-NG

presented by

Peter Kacherginsky

FakeNet-NG is a next generation dynamic network analysis tool for malware analysts and penetration testers. FakeNet-NG was inspired by the original FakeNet tool developed by Andrew Honig and Michael Sikorski. FakeNet-NG implements all the old features and many new ones; plus, it is open source and designed to run on modern versions of Windows. FakeNet-NG allows you to intercept and redirect all or specific network traffic while simulating legitimate network services. Using FakeNet-NG, malware analysts can quickly identify malware’s functionality and capture network signatures. Penetration testers and bug hunters will find FakeNet-NG’s configurable interception engine and modular framework highly useful when testing application’s specific functionality and prototyping PoCs. During the tool session attendees will learn the following practical skills:

  • Use FakeNet-NG to mimic common protocols like HTTP, SSL, DNS, SMTP, etc.
  • Configure FakeNet-NG’s listeners and interception engine to defeat malware and target specific application functionality.
  • Perform interception on the analysis, secondary or gateway hosts.
  • Use process tracking functionality to identify which processes are generating malicious network activity and dynamically launch services in order to interact with a process and capture all of its network traffic.
  • How to use FakeNet-NG’s detailed logging and PCAP capture capabilities.
  • Quickly develop a custom protocol listener using FakeNet-NG’s modular architecture. (Includes live malware demo).

Bring your Windows analysis Virtual Machine for the demo. The hands-on section of this session will analyze real world malware samples to tease out network-based signatures as well as demonstrate how it can be used to perform security assessments of thick client applications. The challenges start at a basic level and progress until you dive into how to extend FakeNet-NG by writing modules in Python


Arsenal Theater Demo: Faraday

presented by

Federico Kirschbaum

Since collaborative pentesting is more common each day and teams become larger, sharing the information between pentesters can become a difficult task. Different tools, different formats, long outputs (in the case of having to audit a large network) can make it almost impossible. You may end up with wasted efforts, duplicated tasks, a lot of text files scrambled in your working directory. And then, you need to collect that same information from your teammates and write a report for your client, trying to be as clear as possible.

The idea behind Faraday is to help you to share all the information that is generated during the pentest, without changing the way you work. You run a command, or import a report, and Faraday will normalize the results and share that with the rest of the team in real time. Faraday has more than 50 plugins available (and counting), including a lot of common tools. And if you use a tool for which Faraday doesn’t have a plugin, you can create your own. During this presentation we’re going release Faraday v2.0.0 with all the new features that we were working on for the last couple of months.


Arsenal Theater Demo: Highway to the Danger Drone

presented by

Francis Brown  &  Dan Petro  &  David Latimer

Do you feel the need… the need for speed? Then check out our brand new penetration testing drone. This Raspberry Pi based copter is both cheap and easy to create on your own, making it the first practical drone solution for your pentesting needs. Drones have emerged as the prevailing weapon of choice in modern warfare, so it’s only logical that we’d also explore the potential applications of this formidable tool in cyber warfare. While there have been presentations before on weaponizing drones for the purposes of pentesting, these efforts were not easily replicated by anyone other than experienced drone aficionados with several thousands of dollars to spend – ultimately resulting in somewhat clunky, partial solutions. Conditions have finally matured enough to where pentesters who are inexperienced with drones can get up and running fairly quickly and spending only a couple hundred dollars on a Raspberry Pi based drone copter solution. Our talk will be aimed at this target audience, helping equip pentesters with drone tools of the future.

In this talk, we’ll demonstrate how this drone can be used to perform aerial recon, attack wireless infrastructure and clients, land on a target facility roof, and serve as a persistent backdoor. In fact, we’ll show you how to attack ‘over the air’ protocols such as RFID, ZigBee, Bluetooth, Wi-Fi, and more. We’ll even demo a special edition “RickMote Danger Drone” that you can use to patrol your neighborhood and rickroll Google Chromecast-connected TVs.

Additionally, we will showcase the best-of-breed in hardware and software that you’ll need. This will include the release of our custom Raspberry Pi SD card image, parts list, 3D print objects, and necessary instructions for you to create a Danger Drone of your own. We’ll also be giving away a fully functional Danger Drone to one lucky audience member – guaranteed to leave your friends feeling peanut butter and jealous! This DEMO-rich presentation will benefit both newcomers and seasoned professionals of drone and physical penetration testing fields. Someone better call Kenny Loggins, because you’re in the Danger Drone.

…No, no boys, there’s two ‘O’s in Bishop Fox.


Arsenal Theater Demo: ShinoBOT

presented by

Shota Shinogi

ShinoBOT Suite is a malware/target attack simulator framework for pentest, education. The new version becomes “suiter” than the previous version.It includes those new features, components. You can now test your security performance against ransomware with it. ShinoLocker behaves just like a real ransomware but does not ask for any money to get the crypt key.

1) ShinoLocker (Ransomware Simulator)

  • Get the Crypto key from server
  • Scan files to encrypt
  • Encrypt -Ask decryption key
  • Decrypt
  • Uninstall itself

2) ShinoBuilder (Full customization for ShinoBOT)

  • Anti dynamic analysis
  • Extremely Targeted Attack *You can make a malware that works only on your specific environment.
  • C&C URL (for ShinoProxy)
  • Polymorphic function

3) ShinoC2 (ShinoBOT’s Server)

  • SSL support (Thanks Let’s Encrypt Project)
  • DNS Tunneling
  • C2 communication can be done by just DNS

4) ShinoStuxnet(tentative)
ICS malware simulator.

  • Scan ICS/SCADA system.
  • Talks some ICS protocols.

Arsenal Theater Demo: SIEMonster

presented by

Chris Rock

SIEMonster is a turnkey, open source, Enterprise grade Security Incident and Event Management (SIEM), built on scalable, non-licensed components, fully documented and developed. It is completely free and provides a fully functioning SIEM/SIM/SEM for a corporate client. The SIEM has automated ticket creation, OSINT, OSSEC Wazuh fork, Dashboards and Slack integration. We have taken the best open framework presentations from Blackhat and Defcon and put them into a free SIEM for clients without a budget. Kustodian has developed it for all companies as a viable alternative to commercial SIEM solutions. The product is free, fully documented, there is no data or node limitations. Kustodian will continue to develop SIEMonster for its existing clients and support SIEMonster with the community We recently worked with HP and built them a SIEM specific for printer monitoring of both security and printer/toner usage for free available to everyone.


Arsenal Theater Demo: Subgraph OS

presented by

David Mirza Ahmad

Subgraph OS is a desktop operating system with built-in privacy and security features that make it resistant to attacks against the endpoint, especially those that involve exploitation of software vulnerabilities. The kernel is hardened with grsecurity + PaX, and key applications run in sandbox environments implemented using Linux containers, seccomp bpf, and desktop isolation. Subgraph OS also includes an application firewall and integration with Tor.


Arsenal Theater Demo: WarBerryPi Troops Deployment in Red Teaming Scenarios

presented by

Yiannis Ioannides

What if the only requirements for taking down a corporate network are a bit of smooth talking, 60 minutes and $35? Traditional hacking techniques and corporate espionage have evolved. Advanced attacks nowadays include a combination of social engineering, physical security penetration and logical security hacking. It is our job as security professionals to think outside the box and think about the different ways that hackers might use to infiltrate corporate networks. The WarBerryPi is a customized RaspBerryPi hacking dropbox which is used in Red Teaming engagements with the sole purpose of performing reconnaissance and mapping of an internal network and providing access to the remote hacking team.

The outcome of these red teaming exercises is the demonstration that if a low cost microcomputer loaded with python code can bypass security access controls and enumerate and gather such a significant amount of information about the infrastructure network which is located at; then what dedicated hackers with a large capital can do is beyond conception.


autoDANE

presented by

Dane Goodwin

autoDANE: Automatic Domain Admin & Network Exploitation
autoDANE is a tool to automate the process of mapping and compromising internal networks. It is available at https://github.com/sensepost/autoDANE Given the prevalence of Microsoft Active Directory domains as the primary means of managing large corporate networks globally; one of the first goals of any internal penetration test is to get Domain Administrator (DA) level access. In demonstration of how common a goal and practise this is, a plethora of tools and techniques exists to assist with this process, from the initial “in” through to to elevation of privilege and eventually extracting and cracking all domain credentials.

However, the overall process followed is still manual and time consuming. Even where tools exist, the orchestration from one to the next is manual. The time required both detracts from potentially more dangerous attacks that may be specific to the organisation under assessment, as well as limits those who know of their organisation’s vulnerabilities to those with offensive security skills or willing to pay for an assessment. Observing this, we decided to construct a framework for automating such activities. This framework orchestrates the industries currently favoured tools to get DA on internal networks.The goal for the project is to get Domain Admin rights as quickly as possible, so that analysts can start an internal assessment as a privileged user, rather than finishing as one. This will allow analysts to spend time on engagements emulating real life hacking scenarios, such as going after business critical applications, while still comprehensively assessing the internal network. Combining the software vulnerabilities, as well as a realistic idea of how people with malicious or criminal intent might reach them, will provide organisations the information they need to actually improve their defensive posture.For Arsenal, several updates have been made and will be released:

  • Detailed scope definition and proportionality limits
  • Support for adding hosts/ranges during runtime
  • Domain pivot tables a list of which credentials worked where and which users are in which groups
  • Detailed filtering and full-text searching across tool-run logs
  • One click RDP to hosts with confirmed credentials
  • SQL Server discovery
  • Basic password cracking when hashes are pulled

Automated Penetration Testing Toolkit (APT2)

presented by

Adam Compton

Nearly every penetration test begins the same way; run a NMAP scan, review the results, choose interesting services to enumerate and attack, and perform post-exploitation activities. What was once a fairly time consuming manual process, is now automated!

Automated Penetration Testing Toolkit (APT2) is an extendable modular framework designed to automate common tasks performed during penetration testing. APT2 can chain data gathered from different modules together to build dynamic attack paths. Starting with a NMAP scan of the target environment, discovered ports and services become triggers for the various modules which in turn can fire additional triggers. Have FTP, Telnet, or SSH? APT2 will attempt common authentication. Have SMB? APT2 determines what OS and looks for shares and other information. Modules include everything from enumeration, scanning, brute forcing, and even integration with Metasploit. Come check out how APT2 will save you time on every engagement.


AVLInsight Mobile Threat Intelligence Platform

presented by

Tom Pan

AVLInsight Mobile Threat Intelligence Platform that aggregate multiple threat intelligence sources and several analysis tools to help mobile threat researchers easier to analyze mobile threat activities, find the relations between them. AVLInsight Mobile Threat Intelligence Platform will open multiple sources to researchers: mobile malware information source, mobile OSINT source, structured mobile TTP source. Mobile researchers can search keyword in each source which they expected, or can link to the other source for search the relations.

AVL Insight also provides a set of threat analysis tools: Smaliviewer for malware sample static analysis and RMS for dynamic analysis, Spoof Apps Analysis Tool, and a graphic threat analysis tool supported TTP analysis. We will demonstrate AVLInsight with several mobile threats to show how to discover these kinds of threats and the relations between them.


BinProxy

presented by

Ryan Koppenhaver

BinProxy is a tool for understanding and manipulating binary network traffic; it’s designed to provide straightforward and useful out-of-the box functionality, with a convenient, powerful environment for developers and penetration testers to build protocol-specific extensions.

The core functionality of BinProxy is an intercepting TCP proxy. With no coding, users can view and edit intercepted traffic as text or a hex dump, but the real power of the tool comes from protocol-specific parser classes (built with Ruby and the BinData gem) that present higher-level representations of a protocol. BinProxy comes with a few sample parsers, and a number of utility methods that allow users to easily create their own.

The tool also supports pluggable filters to unwrap TLS, act as a SOCKS proxy, or perform other pre- or post-processing of messages. The demo will also include a simple “”BinProxy in a box”” setup with a dedicated wireless router.


BloodHound

presented by

Andy Robbins

Active Directory domain privilege escalation is a critical component of most penetration tests and red team assessments, but standard methodology dictates a manual and often tedious process – gather credentials, analyze new systems we now have admin rights on, pivot, and repeat until we reach our objective. Then — and only then — we can look back and see the path we took in its entirety. But that may not be the only, nor shortest path we could have taken.

By combining the concept of derivative admin (the chaining or linking of administrative rights), existing tools, and graph theory, we have developed a capability called BloodHound, which can reveal the hidden and unintended relationships in Active Directory domains. BloodHound is operationally-focused, providing an easy-to-use web interface and PowerShell ingestor for memory-resident data collection and offline analysis.

BloodHound offers several advantages to both attackers and defenders. Otherwise invisible, high-level organizational relationships are exposed. Most possible escalation paths can be efficiently and swiftly identified. Simplified data aggregation accelerates blue and red team analysis. BloodHound has the power and the potential to dramatically change the way you think about and approach Active Directory domain security.


Brosec

presented by

Gabe Marshall

Brosec is a terminal based reference utility designed to help infosec bros and broettes with useful (yet sometimes complex) payloads and commands that are often used during work as infosec practitioners. Brosec’s most popular use cases is the ability to generate one-liner reverse shells (python, perl, powershell, etc) payloads that get copied to are then copied to the clipboard.


Browser Exploitation Framework (BeEF)

presented by

Christian Frichot

The little browser hacking framework that could; BeEF (Once again voted in the top 5 security tools on ToolsWatch.org) is back again for another hands on JavaScript-filled arsenal session of insanity. If you’ve seen people talk about BeEF, and haven’t gotten around to getting your hands dirty, then now is the perfect time to look under the cover and see how hook.js works. While the framework itself is hanging together with duct tape, Ruby and JavaScript, the capabilities of BeEF have been slowly marching forward year by year, with new features being added almost as quickly as new HTML5 APIs are added to browsers. Two of the larger additions to the framework have been the Autorun Rules Engine (ARE) and the Network Extension, the brain-children of @antisnatchor and @_bcoles. But BeEF isn’t just about client-side testing, it’s also a great tool if you need to quickly PoC JavaScript-based payloads.

This session will cover the following:

  • Hands on with the Autorun Rules Engine (clever scheduling and automation of multiple payloads)
  • Network Extension (just how much local network can a browser see?)
  • Having fun with CSRF
  • So you think HttpOnly & Secure flags really help?

Attendees will hopefully have a better appreciation of how BeEF works, and how custom modules and extensions can be developed to meet any custom requirements you may have.


BSOD HD: An FPGA-Based HDMI Injection and Capture Tool

presented by

Joe Grand

BSODomizer HD is an open source, FPGA-based, covert electronic device that injects and captures HDMI signals. Currently a proof-of-concept design, this much anticipated follow-up to the original BSODomizer released in 2008 (www.bsodomizer.com) improves on the graphics interception and triggering features, and can capture screenshots of any non-HDCP target up to 1080p resolution. Uses of the tool include penetration testing, video display calibration, mischievous acts, or as a reference design for exploration into the mystical world of FPGAs.

Co-developed by Joe Grand (aka Kingpin) of Grand Idea Studio and Zoz of Cannytrophic Design.


Burp Extension for Non-HTTP Traffic

presented by

Josh Summitt

The Burp Non-HTTP proxy is specifically designed to help in testing thick client and mobile applications. It adds to BurpSuite a DNS server to help test applications that are difficult to route through proxies and adds interceptors to manipulate/mangle binary and non-HTTP protocols.

The tool stores traffic in a sqlite database that can be exported or imported to save and analyze later. It can intercept and modify traffic automatically based on rules you assign or it can be modified manually as the traffic hits the proxy server. The tool also support SSL/TLS and signs certificates based on Burps CA certificate. If your testing on a mobile device that already has Burp’s CA cert then the traffic will be seamlessly decrypted without errors into the tool for you to mangle before sending it on to the outgoing server.

This tool arouse out of the need to test applications that were switching to more realtime protocols in both mobile applications and some web based Silverlight applications I had been testing. I wrote this tool as an easy extension to add to burp that would also be platform/OS independent vs some other tools out there that did similar functions.


BurpBUddy

presented by

Tom Steele

BurpBuddy is a tool originally released in 2014. Arsenal will mark the release of version 3, which will be complete rewrite and will provide Smörgåsbord of new functionality. Including the ability to quickly share your entire Burp state, request/response, issues etc with your team.

BurpBuddy is a plugin for BurpSuite Pro that exposed the Extender API over a HTTP and WebSocket Interface. Allowing you to use call endpoints using plain-old JSON as well as develop your own event-driven plugins. By operating in this manner, you can now write your own plugins for Burp in any language you want! Go, Node (aka JavaScript), Erlang, Haskell, whatever is popular on Hacker News this week, or even plain old shell scripts with curl, if it has an HTTP library you’re in business. We will discuss the functionality of the API, and have plenty client demonstrations written in various languages. Some practical and some that are just awesome for the sake of being awesome.


CAN Badger

presented by

Javier Vazquez Vidal

The car hacking topic is really hot at the moment, and many vulnerabilities affecting entire fleets are found from time to time. But is this all that there is regarding this topic? We want to introduce the CAN Badger, a tool designed to ease the way a vehicle is reversed. It is a hardware tool, not just an interface connected to a PC.

Like its predecessor, the ECU Tool, the CAN Badger is able to handle the Security in ECUs in an easy way, as well as provide verbose information on what’s going on in the buses. Want to learn how to approach vehicle electronics security in a practical way? Come and visit us at Arsenal!


CAPE

presented by

Kevin O’Reilly

The Malware CAPE: Automated Extraction of Configuration and Payloads from Sophisticated Malware. Within the fields of malware research and threat intelligence, one of the biggest challenges faced by the security industry is the significant time and skill required to reverse engineer new malware samples. This has led to the emergence of a number of systems designed to automate this process, but such solutions are often limited in their ability to implement the skilled techniques required to unravel the malware’s secrets. For nation-state malware research in particular there is often a dependency on skilled analysts, who, even when faced with a familiar malware family will often have to repeat time-consuming and highly skilled procedures in order to extract useful information from a new sample. In conflict with this, consumers of threat intelligence demand indicators of compromise (IOCs) from new samples instantaneously, with the indicators being at their most useful to the defender in the time immediately following the malware’s discovery. We unveil the open-source launch of our solution CAPE, which automates many of the complex tasks routinely performed by skilled analysts when dissecting common nation state malware families. CAPE allows for the extraction of payloads, configuration and other indicators from these malware families via a single intuitive malware analysis platform.

We begin the demonstration by outlining some of the methods that malware authors use in order to hide or obfuscate the malicious functionality of their creations. Malware authors regularly make use of techniques designed to hide or obfuscate the actual payload or intended functionality of their creations, in order to thwart or slow down the process of reverse engineering and analysis. The most obvious example is the use of executable packers, but other techniques include DLL or shell code injection, ‘process hollowing’ or the decryption and/or decompression of further embedded binaries. We will also look at state-sponsored malware families and the methods used to obfuscate their payloads and configuration, examining some of the most high-profile and prevalent malware families suspected as being linked to Chinese and Russian state-sponsored origins.

We will then present our solution CAPE: ‘Configuration And Payload Extraction’. We show how this new system complements the general function of the underlying malware analysis platform Cuckoo(1), and automates the extraction of payloads and indicators, providing in a matter of minutes (and at scale) what would take a skilled analyst many hours to perform manually. CAPE can detect when malware uses process hollowing, DLL or shellcode injection, many common executable packers or other methods of payload obfuscation by using a combination of static signatures and dynamic behavioural monitoring. If, during its initial analysis run, CAPE detects the use of any of these tools or techniques, it will submit the sample for a second execution where, using a combination of API hooking and an automated debugger, it will control the flow and automatically extract or dump the malware payload(s) and other configuration details. The payloads and indicators are then presented in the web interface and can simply be downloaded or exported by the analyst for further study or dissemination.


Certbot

 

The majority of the world’s Web traffic is still unencrypted and sent using the insecure HTTP. Despite SSL/TLS having existed for decades, it has seen limited adoption on modern webservers. This is largely due to the plethora of obstacles one must over come to enable HTTPS. The process of obtaining a certificate can be expensive and convoluted. Additionally, creating a secure TLS configuration is difficult, especially when it must be constantly updated in response to new attacks against the protocol and implementations of it.

To attempt to solve this problem, EFF, Mozilla Cisco, Akamai, IdenTrust, and a team from the University of Michigan have created Let’s Encrypt, a free and automated certificate authority. Since the project entered beta in October of last year, the CA has issued millions of certificates making it one of the largest certificate authorities in the world today.

Earlier this year, EFF unveiled Certbot, a free and open source tool which can be used to set up HTTPS on a webserver in the matter of seconds. Certbot communicates to the Let’s Encrypt CA through a protocol called ACME allowing for automated domain validation and certificate issuance. In this session, I plan to show how easy it is to use Certbot to enable HTTPS with certificates from Let’s Encrypt as well as answer any questions you may have about the project.


ChipWhisperer

presented by

Colin O’Flynn

ChipWhisperer is the world’s first complete open-source (hardware+software+documentation) toolchain for advanced embedded hardware security analysis such as side-channel power analysis and glitching attacks. In 2016 the software has been completely overhauled to improve the modular design and make it easier than ever for researchers to develop their own plug-ins.

We’ll be demoing some of the previous open-source hardware (such as the ChipWhisperer-Lite which was a Kickstarter during 2015) along with brand-new hardware, and the release of overhauled software tools with improved API, performance, and features. Don’t miss your chance to see ChipWhisperer in action!


CodexGigas Malware DNA Profiling Search Engine

presented by

Luciano Martins  &  Rodrigo Cetera  &  Javier Bassi

CodexGigas is a malware profiling search engine that allows malware hunters and analysts to really interrogate the internals of malware and perform searches over a large number of file characteristics. For instance, instead of relying on file-level hashes, we can compute other features such as imported functions, strings, constants, file segments, code regions, or anything that is defined in the file type specification, and that provides us with more than 142 possible searchable patterns, that can be combined.

Similar to human fingerprints, every malware has its own unique digital fingerprint that differentiates it from others. As a result, malware will always attempt to hide its true self by deleting or changing this information to avoid detection by antivirus companies and malware researchers.

Since malware developers go to great lengths to obfuscate their characteristics, it is often difficult for by researchers and malware analysts to identify multiple characteristics and correlation points. By analyzing malware internals, the algorithm is able to build characteristic families to which a new sample can be categorized and therefore identified for specific behavior, enabling early detection of new malware by comparing against existing malware. CodexGigas engine, framework, analysis plugins, and the web portal, will be released as open source at Black Hat.

Come to see how CodexGigas could be used to enhance your malware hunting. Link: https://twitter.com/codexgigassys


CrackMapExec

presented by

Marcello Salvati

CrackMapExec is fully open-source and hosted on Github: it aims to be a one-stop-shop for all of your offensive Active Directory needs by combining the power of Python, Powersploit and the Impacket library!

Taking inspiration from previous tools such as:

  • smbexec
  • smbmap
  • credcrack

It allows you to quickly and efficiently import credentials from Empire and Metasploit, replay credentials, pass-the-hash, execute commands, powershell payloads, spider SMB shares, dump SAM hashes, the NTDS.dit, interact with MSSQL databases and lots more in a fully concurrent pure Python script that requires no external tools and is completely OpSec safe! (no binaries are uploaded to disk!).


Cuckoodroid 2.0

presented by

Idan Revivo

To combat the growing problem of Android malware, we present a new solution based on the popular open source framework Cuckoo Sandbox to automate the malware investigation process. Our extension enables the use of Cuckoo’s features to analyze Android malware and provides new functionality for dynamic and static analysis. Our framework is an all in one solution for malware analysis on Android. It is extensible and modular, allowing the use of new, as well as existing, tools for custom analysis.

The main capabilities of our CuckooDroid include:

  • Dynamic Analysis – based on Dalvik API hooking
  • Static Analysis – Integration with Androguard
  • Emulator Detection Prevention
  • Virtualization Managers that support the popular virtualization solutions (VMware,Virtualbox, Esxi, Xen, and Kvm) and now also android emulator.
  • Traffic Analysis
  • Intelligence Gathering – Collecting information from Virustotal, Google Play etc.
  • Behavioral Signatures in cuckoodroid 2.0

New capabilities that will be presented in Black Hat for the first time:

  • Integration with cuckoo 2.0
  • New user interface
  • Android x86 support
  • Automatic unpacking – integration with Maltego
  • New Behavioral Signatures –
  • Dropped files
  • Malware Configuration Extractions

Examples of well-known malware will be used to demonstrate the framework capabilities and its usefulness in malware analysis.


Damn Vulnerable iOS App

presented by

Prateek Gianchandani

Damn Vulnerable iOS App (DVIA) is an open source iOS application that is damn vulnerable. Its main goal is to provide a platform to mobile security enthusiasts/professionals or students to test their iOS penetration testing skills in a legal environment. This application covers all the common vulnerabilities found in iOS applications (following OWASP top 10 mobile risks) and contains several challenges that the user can try. This application also contains a section where a user can read various articles on iOS application security. The vulnerabilities and solutions covered in this app are tested up to iOS 9.2.


DataSploit

presented by

Sudhanshu Chauhan  &  Shubham Mittal  &  Nutan Kumar Panda

Overview:

  • Performs automated OSINT on a domain / email / username / phone and find out relevant information from different sources.
  • Useful for Pen-testers, Cyber Investigators, Product companies, defensive security professionals, etc.
  • Correlates and collaborate the results, show them in a consolidated manner.
  • Tries to find out credentials, api-keys, tokens, subdomains, domain history, legacy portals, etc. related to the target.
  • Available as single consolidating tool as well as standalone scripts.
  • Available in both GUI and Console.

“Data! Data! Data! I can’t make bricks without clay”. This quote by fictional detective Sherlock Holmes certainly suits every InfoSec professional’s daily struggle. Irrespective of whether you are attacking a target or defending one, you need to have a clear picture of the threat landscape before you get in. This is where DataSploit comes into the picture. Utilizing various Open Source Intelligence (OSINT) tools and techniques that we have found to be effective, DataSploit brings them all into one place, correlates the raw data captured and gives the user, all the relevant information about the domain / email / phone number / person, etc. It allows you to collect relevant information about a target which can expand your attack/defence surface very quickly. Sometimes it might even pluck the low hanging fruits for you without even touching the target and give you quick wins. Of course, a user can pick a single small job (which do not correlates obviously), or can pick up the parent search which will launch a bunch of queries, call other required scripts recursively, correlate the data and give you all juicy information in one go.

Created using our beloved Python, MongoDb and Django, DataSploit simply requires the bare minimum data (such as domain name, email ID, person name, etc.) before it goes out on a mining spree. Once the data is collected, firstly the noise is removed, after which data is correlated and after multiple iterations it is stored locally in a database which could be easily visualised on the UI provided. The sources that have been integrated are all hand picked and are known to be providing reliable information. We have used them previously during different offensive as well as defensive engagements and found them helpful.

Worried about setup? Well, there are two major requirements here:
1. Setting up the db, django, libraries, etc. We have got a script which will automate this for you, so can just go ahead and shoot the OSINT job.
2. Feeding specific API keys for few specific sources. We are going to have a knowledge base where step by step instructions to generate these API keys will be documented. Sweet deal?

Apart from this, in order to make it more useful in daily life of a pen-tester, we are working to make the tool as an extension of the other tools that pen-testers commonly use such as Burp Suite, Maltego etc. so that you can feel at home during the usage.


DET

presented by

Paul Amar

DET aims to provide a framework to assist with exfiltrating data using either one or several channels. Social media has become extremely popular in recent attacks such as HammerToss, campaign uncovered by FireEye in July 2015. Several tools are also publicly available allowing you to remotely access computers through “legitimate” services such as Gmail (GCat) or Twitter (Twittor). Often gaining access to a network is just the first step for a targeted attacker. Once inside, the goal is to go after sensitive information and exfiltrate it to servers under their control. To prevent this from occuring, a whole industry has popped up with the aim of stopping exfiltration attacks. However, often these are expensive and rarely work as expected. With this in mind, I created the Data Exfiltration Toolkit (DET) to help both penetration testers testing deployed security devices and those admins who’ve installed and configured them, to ensure they are working as expected and detecting when sensitive data is leaving the network.


Dradis Framework

Dradis is an extensible, cross-platform, open source collaboration framework for InfoSec teams. It can import from over 19 popular tools, including Nessus, Qualys, Burp and Metasploit. Started in 2007 and with over 2000 code commits the Dradis Framework project has been growing ever since. Dradis is the best tool to consolidate the output of different scanners, add your manual findings and evidence and have all the engagement information in one place.

Come to see the latest Dradis release in action. It’s loaded with updates including new tool, connectors (Metasploit, Brakeman, …), full REST API coverage, testing methodologies and lots of interface improvements (issue tagging, UX improvements and much more). Come and find out why Dradis is being downloaded over 300 times every week. This year we will make sure to bring enough stickers for everyone!

presented by

Daniel Martin


Droid-FF: Android Fuzzing Framework

presented by

Anto Joseph

Droid-FF is the very first Android fuzzing framework which helps researchers find memory corruption bugs written in c /c ++ – It comes as a VM which is ready to go and easy to work with. Why Droid-FF ? Native code is preferred over JIT languages due to their memory efficiency and speed, but security bugs within native code can result in exploits that can take over the Android system . The goal of the fuzzer is help researchers find security bugs by fuzzing Android.

What does it do?

  1. Data Generation Currently includes Peach, with some pre-populated pit files, which helps in generating data be it “dex,ttf,png,avi,mp4” etc
  2. Approaches a . Dumb fuzzing: From a large input section of valid data , the fuzzer generates new data with mutations in place. b. Intelligent Fuzzing: We create a file format representation of the target data and let the fuzzer generate data which is structurally valid, but has invalid data in sections.
  3. Fuzzing System The fuzzing system is an automated program which runs the dataset against the target program and deals with any error conditions that can possibly happen. It also maintains state so that we could resume the fuzzing from the right place in an event of a crash.
  4. Advanced Triage System In the event of a valid crash, the triage system collects the tombstone files which contains the dump of the registers and system state with detailed information. It also collects valid logs and the file responsible for the crash and moves it to the triage database. The triage database runs scripts on the data derived from crashes, like the type pf the crash, for eg : SIGSEGV, the PC address at this crash and checks for any duplicate, if found, the duplicate entry is removed and is moved to crashes for investigation.

What we’re using during this lab? The android system which we are going to fuzz is an Engineering build from AOSP which has symbols, thus in an event of a crash, it will be much easier to triage the crash. The system supports fuzzing real devices, emulators , and images running on virtual box. How Efficient is this Framework? We ran the fuzzer in Intelligent fuzzing mode with mp4 structure fed in for 14 hours on the stagefright binary and it was able to reproduce 3 crashes which were exploitable ( CVE’s) and lots of un-interesting crashes mostly dude to out of memory, duplicates or null pointers.

Goals of the Framework

  1. Make Fuzzing Easy and available for all
  2. Completely open source and extensible
  3. Make android eco-system more secure

Ebowla

presented by

Travis Morrow

Dropping a payload or malware onto a target is usually not an issue given the variety of vulnerable software in use. Your challenge is keeping the payload from working and spreading to unintended targets, eventually leading to reverse engineers, crowdsourced or professional, who pick apart your work, and start an industry to stop your success. Inspiration for the tool came from the effective use of environmental keying in Gauss malware (2012) that, to this day, has prevented the reverse engineering community around the world from determining the purpose and use of all operational modules used in various industry attacks [https://securelist.com/blog/incidents/33561/the-mystery-of-the-encrypted-gauss-payload-5/].

Our framework, Ebowla [https://github.com/Genetic-Malware/Ebowla], implements techniques above and beyond those found in Gauss or Flashback to keep your payload from detection and analysis. Currently we support three protection mechanisms: AES file based keying, AES environmental based keying, and One Time Pad (closer to a digital book cipher) based off a known file on the target’s system. The protected payloads are generated with either a stand-alone python or golang in-memory loader for the target system.


Elastic Handler

presented by

David Cowen

Elastic Handler is a DFIR specific replacement for the Logstash

Elastic Handler allows you to take all the tools you currently run and make their output better by doing the following:

  1. It allows you to define a mapping from the CSV/TSV/Etc.. output you are getting now into JSON to that ES can ingest it
  2. It allows you to normalize all of the data you are feeding in so that your column names are suddenly the same allowing cross reporting searching and correlation.
  3. It lets you harness the extreme speed of Elastic Search to do the heavy listing in your correlation
  4. It lets you take a unified view of your data/report to automate that analysis and create spreadsheets/etc.. that you would have spent a day on previously

The idea here is to let computers to what can be automated so you can spend more time using what makes humans special. What I mean by that is your analyst brains and experience to spot patterns, trends and meaning from the output of the reports. In the GitHub repository we put out there are several mappings provided for the tools we call out to the most like; Tzworks tools, Shellbag explorer, our link parser, Mandiant’s Shimcache parser, etc.. But the cool thing about this framework is that to bring in another report all you have to do is generate two text files to define your mapping, there is no code involved.


Enumall – The Ultimate Subdomain Tool

presented by

Jason Haddix

Enumall leverages the Kali Linux distribution and the wildly popular recon-ng framework to find hidden gems in application assessments, asset discovery work, and OSINT engagements. These gems are acquisitions and subdomains. This isn’t just your standard DNS tool. Enumall pulls possible subdomains and acquisitions from Google, Yahoo, Bing, Baidu, Netcraft, Shodan, techcrunch and more! It gives a standard output that inter-operates with several tools (one of which we will be demo’ing is Eyewitness for further detailed discovery!). In addition, Enumall also has the largest and most curated DNS bruteforce list on the internet. Come by and let us show you how you can use Enumall to supercharge your bug hunting and find ripe subdomains and acquisitions!


eXpose

presented by

Joshua Saxe

From hiding their tools in innocuous-looking file paths to creating registry keys that hide malicious commands to inviting users to visit deceptive URLs, attackers frequently use deception to penetrate and hide on our networks. Currently our community uses URL blacklists and rule-based detection mechanisms to detect such deception. The eXpose deep neural network, which we will be releasing as free software simultaneously with Blackhat USA 2016, goes beyond these simple methods to provide artificial intelligence driven detection of these objects, detecting upwards of 90% of previously unseen malicious URLs, malicious file paths, and malicious registry keys at low false positive rates.

eXpose’s approach is based on recent advances in deep learning research, and uses neural network primitives such as character-level embeddings, heterogenously-sized convolutional filters, dropout, and batch normalization to achieve a high detection rate. We compared eXpose to conventional machine learning methods and found that eXpose achieves a significant boost in detection accuracy. In our presentation we will explain how eXpose works, demonstrate how to use it both from the command line and as a Python module, demonstrate its ability to detect new malicious URLs, file paths, and registry keys, and challenge our audience to beat eXpose at guessing which previously-unseen objects are malicious or not.


FakeNet-NG

presented by

Peter Kacherginsky

FakeNet-NG is a next generation dynamic network analysis tool for malware analysts and penetration testers. FakeNet-NG was inspired by the original FakeNet tool developed by Andrew Honig and Michael Sikorski. FakeNet-NG implements all the old features and many new ones; plus, it is open source and designed to run on modern versions of Windows. FakeNet-NG allows you to intercept and redirect all or specific network traffic while simulating legitimate network services. Using FakeNet-NG, malware analysts can quickly identify malware’s functionality and capture network signatures. Penetration testers and bug hunters will find FakeNet-NG’s configurable interception engine and modular framework highly useful when testing application’s specific functionality and prototyping PoCs. During the tool session attendees will learn the following practical skills:

  • Use FakeNet-NG to mimic common protocols like HTTP, SSL, DNS, SMTP, etc.
  • Configure FakeNet-NG’s listeners and interception engine to defeat malware and target specific application functionality.
  • Perform interception on the analysis, secondary or gateway hosts.
  • Use process tracking functionality to identify which processes are generating malicious network activity and dynamically launch services in order to interact with a process and capture all of its network traffic.
  • How to use FakeNet-NG’s detailed logging and PCAP capture capabilities.
  • Quickly develop a custom protocol listener using FakeNet-NG’s modular architecture. (Includes live malware demo).

Bring your Windows analysis Virtual Machine for the demo. The hands-on section of this session will analyze real world malware samples to tease out network-based signatures as well as demonstrate how it can be used to perform security assessments of thick client applications. The challenges start at a basic level and progress until you dive into how to extend FakeNet-NG by writing modules in Python.


Faraday

presented by

Federico Kirschbaum

Since collaborative pentesting is more common each day and teams become larger, sharing the information between pentesters can become a difficult task. Different tools, different formats, long outputs (in the case of having to audit a large network) can make it almost impossible. You may end up with wasted efforts, duplicated tasks, a lot of text files scrambled in your working directory. And then, you need to collect that same information from your teammates and write a report for your client, trying to be as clear as possible.

The idea behind Faraday is to help you to share all the information that is generated during the pentest, without changing the way you work. You run a command, or import a report, and Faraday will normalize the results and share that with the rest of the team in real time. Faraday has more than 50 plugins available (and counting), including a lot of common tools. And if you use a tool for which Faraday doesn’t have a plugin, you can create your own. During this presentation we’re going release Faraday v2.0.0 with all the new features that we were working on for the last couple of months.


FingerPrinTLS

presented by

Lee Brotherston

FingerprinTLS is a tool which leverages TLS client fingerprinting techniques to passively identify clients realtime via a network tap or offline via pcap files. This allows network administrators to identify clients with TLS enabled malware installed, rogue installations of cloud storage solutions, unauthorised Tor connections, etc. Organisations which expose APIs can determine if unwanted clients, such as attack tools are accessing their APIs. The tool has an internal database of fingerprints which have already been discovered and automates the process of adding your own. FingerprinTLS is distributed as an opensource project and has been tested to work on Linux, OS X, and BSD based systems.


FLOSS

presented by

Moritz Raabe

The FireEye Labs Obfuscated String Solver (FLOSS) is an open source tool that automatically detects, extracts, and decodes obfuscated strings in Windows Portable Executable (PE) files. Malware analysts, forensic investigators, and incident responders can use FLOSS to quickly extract sensitive strings to identify indicators of compromise (IOCs). Malware authors encode strings in their programs to hide malicious capabilities and impede reverse engineering. Even simple encoding schemes defeat the ‘strings’ tool and complicate static and dynamic analysis. FLOSS uses advanced static analysis techniques, such as emulation, to deobfuscate encoded strings.

FLOSS is extremely easy to use and works against a large corpus of malware. It follows a similar invocation as the ‘strings’ tool. Users that understand how to interpret the strings found in a binary will understand FLOSS’s output. FLOSS extracts higher value strings, as strings that are obfuscated typically contain the most sensitive configuration resources – including C2 server addresses, names of dynamically resolved imports, suspicious file paths, and other IOCs. I will describe the computer science that powers the tool, and why it works. I will also show how to use FLOSS and demonstrate the decoding of strings from a wide variety of malware families.


gopassivedns

presented by

Philip Martin

Passive DNS is an awesome data source. A growing number of companies out there will sell you access to huge repos of historical lookups across the internet. That data can be hugely helpful in detecting or responding to a security incident…but what about the DNS lookups that happen in your own backyard? gopassivedns is a network-capture based DNS logger, written in Go, designed to be run anywhere and everywhere you expect to see DNS lookups. It uses gopacket to deal with libpcap and packet processing. It outputs JSON logs to a number of log sinks (files, kafka, flumed, etc) and stats via statsd. Come, learn and never miss another DNS lookup again.


Halcyon

presented by

Sanoop Thomas


Halcyon is the first IDE specifically focused on Nmap Script (NSE) Development. This research idea was originated while writing custom Nmap Scripts for Enterprise Penetration Testing Scenarios. The existing challenge in developing Nmap Scripts (NSE) was the lack of a development environment that gives easiness in building custom scripts for real world scanning, at the same time fast enough to develop such custom scripts. Halcyon is free to use, java based application that comes with code intelligence, code builder, auto-completion, debugging and error correction options and also a bunch of other features like other development IDE(s) has. This research was started to give better development interface/environment to researchers and thus enhance the number of NSE writers in the information security community.

Halcyon IDE can understand Nmap library as well as traditional LUA syntax. Possible repetitive codes such as web crawling, bruteforcing etc., is pre-built in the IDE and this makes easy for script writers to save their time while developing majority of test scenarios.

Following are the features provided by Halcyon IDE:

  • Improved user interface
  • Code intelligence workspace
  • Single click configuration
  • Code generator
  • Scan settings
  • Post script development actions

Highway to the Danger Drone

presented by

Francis Brown  &  Dan Petro  &  David Latimer

Do you feel the need… the need for speed? Then check out our brand new penetration testing drone. This Raspberry Pi based copter is both cheap and easy to create on your own, making it the first practical drone solution for your pentesting needs. Drones have emerged as the prevailing weapon of choice in modern warfare, so it’s only logical that we’d also explore the potential applications of this formidable tool in cyber warfare. While there have been presentations before on weaponizing drones for the purposes of pentesting, these efforts were not easily replicated by anyone other than experienced drone aficionados with several thousands of dollars to spend – ultimately resulting in somewhat clunky, partial solutions. Conditions have finally matured enough to where pentesters who are inexperienced with drones can get up and running fairly quickly and spending only a couple hundred dollars on a Raspberry Pi based drone copter solution. Our talk will be aimed at this target audience, helping equip pentesters with drone tools of the future.

In this talk, we’ll demonstrate how this drone can be used to perform aerial recon, attack wireless infrastructure and clients, land on a target facility roof, and serve as a persistent backdoor. In fact, we’ll show you how to attack ‘over the air’ protocols such as RFID, ZigBee, Bluetooth, Wi-Fi, and more. We’ll even demo a special edition “RickMote Danger Drone” that you can use to patrol your neighborhood and rickroll Google Chromecast-connected TVs.

Additionally, we will showcase the best-of-breed in hardware and software that you’ll need. This will include the release of our custom Raspberry Pi SD card image, parts list, 3D print objects, and necessary instructions for you to create a Danger Drone of your own. We’ll also be giving away a fully functional Danger Drone to one lucky audience member – guaranteed to leave your friends feeling peanut butter and jealous! This DEMO-rich presentation will benefit both newcomers and seasoned professionals of drone and physical penetration testing fields. Someone better call Kenny Loggins, because you’re in the Danger Drone.

…No, no boys, there’s two ‘O’s in Bishop Fox.


HL7deep

presented by

Michael Hudson

Health Level Seven International (HL7), ANSI-accredited standards developing organization dedicated to providing a comprehensive framework and related standards for the exchange, integration, sharing, and retrieval of electronic health information that supports clinical practice and the management, delivery and evaluation of health services.

Target – HL7deep is a tool able to exploit different vulnerabilities in popular medical management platforms used in a host of services, obtaining remote access, assisting surgeries and electronic health records (EHR).


HonePy & HoneyDB

presented by

Phillip Maddux

HoneyPy is a low interaction honeypot with the capability to be more of a medium interaction honeypot. HoneyPy is written in Python and is intended to be easy to: deploy, extend functionality with plugins, and apply custom configurations. The level of interaction is determined by the functionality of its plugins. Plugins can be created to emulate UDP or TCP based services. All activity is logged to a file by default, but posting honeypot activity to Twitter, a Slack channel, or a web service endpoint can be configured as well. HoneyPy is ideal as a production honeypot on an internal network or as a research honeypot on the Internet.

HoneyDB is a web site dedicated to publishing honeypot data from HoneyPy sensors on the Internet. It also offers honeypot data for download via a REST API. Web site users can also log into HoneyDB and maintain a ThreatBin, which is custom list of honeypot session data bookmarked by the user. Future features include consolidated threat information from other honeypot Twitter accounts, and expanding the API.


King Phisher

presented by

Spencer McIntyre

What differentiates King Phisher from other phishing tools is the focus it has on the requirements of consultants needing a tool for penetration testing. It was built from the ground up with a heavy emphasis on flexibility to allow pentesters to tailor their attack for their current assessment. It also includes unique features not included in other phishing tools such as the ability to craft calendar invite messages.

King Phisher is an open source tool for testing and promoting user awareness by simulating real world phishing attacks. It features an easy to use, yet very flexible architecture allowing full control over both emails and server content. King Phisher can be used to run campaigns ranging from simple awareness training to more complicated scenarios in which user aware content is served for harvesting credentials and drive by attacks.


Koodous

presented by

Francisco López  &  Fernando Denis Ramírez

Koodous is a collaborative web platform for Android malware research that combines the power of online analysis tools with social interactions between the analysts over a vast APK repository (at this time, more than 10 million). It also features an Android antivirus app and a public API.

Some of the features included in the tool:

  • Navigate the repository using advanced search expressions (developer’s certificate and name, hash, package name, etc.) to locate samples of interest.
  • For each sample we provide a set of information: metadata, strings, static and dynamic analysis, etc. This set grows with new features. Also, you can download, tag, comment and vote any sample.
  • As an analyst, you will be able to create Yara rulesets. This rules will be run automatically against any new sample that enter the system (or any other sample on-demand) and you will be notified if a new match occurs. The rules can be set as private, public or social.
  • The Android app detects any threat detected by the community installed in an Android device. Also, it is possible to link the app with your analyst account to create a personal antivirus.
  • There is a free-to-use API and open source Python modules in case you want to interact with the system programmatically.
  • And it is totally free! The presenter will make a live demo of all this features. More information at: https://koodous.com/

Kung Fu Malware

presented by

Pablo San Emeterio

Focusing on Windows operating systems, we’ve developed an agent to try to activate some techniques that malware usually include to avoid being detected by a sandbox or malware analyst, emulating malware analysis computer inside a common PC. This agent would add a new layer of protection without interacting with the malware, because current malware will not run their malicious payload in a sandbox or while being debbuged. As we know the different malware families implement anti-reversing, anti-debuging and anti-virtualization characteristics along with other techniques such as to detect well known process and windows. Malware writers implement these techniques to prevent the execution of malicious code within a laboratory that could help researchers in their analysis and eradication.

Some of those are:

  • Detecting when a program is being debugged.
  • Detecting when a program is running in a virtual machine, by reading some registry keys or locating some files or processes used by the virtualization technology.
  • The detection programs used by malware analysts such as wireshark, IDA or process explorer.

The proliferation of those techniques and strategies has brought us to a new solution; pretend the behavior of a malware analysis device and / or sandbox, by using some of the techniques explained above, in order to prevent the execution of the malicious code.


LAMMA

presented by

Ajit Hatti

LAMMA (beta) is a Framework for Vulnerability Assessment & auditing of cryptography, PKI and related implementations. Developed in Python, LAMMA is a command line utility, built with the focus of automating the Crypto-Assessment for large infrastructures. The framework is highly extendable and allows usres to write and integrate their own plugins seamlessly.

LAMMA (beta) supports 4 modules which have many plugins for very specific purpose.

1. REMOTE – Module scans remote Hosts for SSL/TLS configuration, and reports any gap, vulnerabilities discovered with unique features like Time-Line-analysis of server Certificate, Deep mining of certificates and TLS/SSL session parameters.

2. CRYPTO – This Module checks the various crypto primitives generated by any underlying framework for Quality, backdoor & sanity. Few of Primary Checks :

  • Quality Test for Random Number Generated
  • Sanity Checks for shared Prime numbers in multiple RSA keys
  • Safe and Strong Prime test
  • Shared modulus test & MalSha, Malformed Digest Test

3. TRUST – Module checks various trust and key stores for – insecure Private keys and un-trusted certificates. Here are few novel feature of LAMA framework.

  • Extract Prime number and Modulus from Private keys for sanity and strength check
  • Track Private Keys across the network for insecure storage & Track multiple instances
  • Find and list List pinned & un-trusted certificates & Public Key, and track their presence

4. SOURCE – Module helps to enforce “Cryptography Review Board” recommendations of your organisation. This module scans source code for use of insecure and weak schemes like

  • MD*/SHA/SHA1 hashes
  • ECB/CBC block cipher mode
  • rand() or /dev/rand functions or back-doored schemes in use like Dual_EC_DRBG, p224r1, secp384r1

Maltego VirusTotal

presented by

Christian Heinrich

VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of all kinds of malware. Maltego is an open source intelligence and forensics application that offers gathering and mining of VirusTotal’s Public API in a easy to understand format.


MalTEm

presented by

Sasi Siddharth

Due to the importance of DNS in malware’s communication with its Command & Control server, recent malware detection systems try to detect anomalies in DNS request patterns. As one would expect, the suppliers of such detection systems claim that their solutions work as a catch-all for any malware that abuses the DNS system as part of its operation. Prior to deploying any malware detector, or when new malware is on the rise, one needs to evaluate the effectiveness of such detectors. One way of testing the effectiveness is to run real malware samples and check whether they are detected. However, this is infeasible in a production network, as there is always a risk that the malware might cause damage. Furthermore, malware samples often do not execute on demand, and therefore testing may be difficult.

In our contribution, we propose a tool and a framework for evaluating the effectiveness of DNS-based malware detectors using emulation. We offer the following approach: We emulate the DNS traffic patterns of a given malware family, inject it into a network, and observe whether the malware detector reports an infection. The injected traffic is completely benign and, therefore, testing poses no risk to the network. The generation of DNS traffic patterns can be based on individual research, or from information published by various members of the security community.

From malware analysis, typically, one or more of the following artifacts may be found for a given malware – a list of domains generated, a network packet capture (PCAP) of the malicious traffic, or a Domain Generation Algorithm (DGA). Our tool enables security professionals to utilize any of these three artifacts in an easy, quick, and configurable manner for generating DNS traffic patterns. The tool – MalTEm (Malware Traffic Emulator) is implemented in Python and will be released at BlackHat 2016 as a free and open source tool. We will demonstrate various use cases of the tool along with a suggested evaluation infrastructure. The tool is built using a plugin-based architecture, hence, we will also demonstrate how the security community can use, enhance and contribute plugins as well.


myBFF

presented by

Kirk Hayes

myBFF is a new open source tool which combines fingerprinting and brute forcing against some common web applications, including Citrix, HP, Juniper, and MobileIron, to add intelligence to password guessing. Better yet, this tool is modular, allowing the easy expansion of the tool to include not only other web applications, but also other services. The best part is that the tool will do more than just tell you if a credential pair is valid! You don’t want to miss this tool!


Needle

presented by

Marco Lancini

Assessing the security of an iOS application typically requires a plethora of tools, each developed for a specific need and all with different modes of operation and syntax. The Android ecosystem has tools like “drozer” that have solved this problem and aim to be a ‘one stop shop’ for the majority of use cases, however iOS does not have an equivalent.

“Needle” is an open source modular framework which aims to streamline the entire process of conducting security assessments of iOS applications, and acts as a central point from which to do so. Given its modular approach, Needle is easily extensible and new modules can be added in the form of python scripts. Needle is intended to be useful not only for security professionals, but also for developers looking to secure their code. A few examples of testing areas covered by Needle include: data storage, inter-process communication, network communications, static code analysis, hooking and binary protections. The only requirement in order to run Needle effectively is a jailbroken device. We will be releasing the tool and describing its architecture, capabilities and roadmap.

We will also demonstrate how Needle can be used to find vulnerabilities in iOS applications from both a black-box and white-box perspective (if source code is provided).


NetDB – The Network Database Project

presented by

Bertin Bervis  &  James Jara

NetDB is an Internet of things Search engine created in 2014 by Bertin Bervis and James Jara. Using agents(crawlers) distributed in several countries, Netdb is scanning all Internet searching randomly 24 hours a day, indexing and parsing data based on responses. For each device, we are storing all banners and fingerprints but we are focused mostly in SSL Information of the device.

We will cover basic information about our architecture, query builder, API and enterprise access and finally about the future of NetDB with Machine learning plus IoT infosecurity.


NetNeedle

presented by

John Ventura

We believe that hiding a needle in a haystack is easier if the needle looks like hay. NetNeedle provides encrypted control channels and chat sessions that are disguised to look like other common network activity. It only transmits “decoy” data in the “payload ” section of any packet, so forensic analysts will only see packets that look identical to ordinary ping or HTTP GET requests. The actual data is encoded in IP headers in fields that typically contain random values. This tool was originally written to demonstrate network based steganography principals. However, it is usable in real world circumstances, and can assist in penetration testing within restricted network environments.

In addition to evasion features, penetration testers can use NetNeedle to maintain control over servers in environments with highly restrictive access lists. Because this tool subverts expectations surrounding network traffic, it enables users to set up back doors that use simple ICMP packets or TCP ports that are already in use. Administrators who believe that their systems are safe due to access control lists based on a “principle of least privilege” or who believe that ICMP ping is harmless will find themselves sadly mistaken.


NetSec-Framework

presented by

Josh Ewing

NetSec-Framework is a super lightweight Python CLI for performing network auditing tests. The CLI utilizes Arpspoof, Ettercap, sslstrip, tcpdump and Nmap. A user is able to copy/paste this script into any vanilla Debian-based system, install dependencies, configure iptables rules, port forwarding and execute MiTM attacks without leaving the CLI. It also includes an assisted Nmap wrapper for network scanning with an explanation of each scan type. The framework also has features that allow the user to install most Kali Linux tools at the users request in an easy menu based system.

The goal was to make network auditing more intuitive for an engineer just getting into security testing and make it easier for those who want to use certain Kali tools on the fly.


Nishang: The Goodness of Offensive PowerShell

presented by

Nikhil Mittal

In this presentation, you will see live demonstrations of how PowerShell can be used to execute different attacks. Techniques like advanced client side attacks (UAC avoidance, bypassing firewalls etc), trust abuse of Active Directory and SQL Servers, webshells, white-listing bypass, retrieving system secrets in clear and more will be demonstrated.

An updated Black Hat version of Nishang will be released! Come and learn a very interesting vector of attacks.


OBJECTIVE-SEE’S OS X SECURITY TOOLS

presented by

Patrick Wardle

Patrick drank the Apple juice; to say he loves his Mac is an understatement. However, he is bothered by the increasing prevalence of OS X malware and how both Apple & 3rd-party security tools can be easily bypassed. Instead of just complaining about this fact, he decided to do something about it. To help secure his personal computer he’s written various OS X security tools that he now shares online (always free!), via his personal website objective-see.com. So come watch as RansomWhere? generically detects OS X ransomware, KnockKnock flags persistent OS X malware, BlockBlock provides runtime protection of persistence locations, and much more. Our Macs will remain secure!


Otaku

presented by

Yoshinori Matsumoto

We’ve developed a tool gathering attack vectors against web application such as XSS, SQLi, CSRF, etc. First, We prepared a web server as a decoy based on a famous CMS, WordPress, and built Mod Secrity to collect all logs regarding to HTTP requests including POST body data. Generally speaking, a decoy web server needs web access to some degree as to attract users and attackers. We deployed a system named OTAKU-BOT which automatically collects and posts random information about Japanese ANIME and MANGA(cartoon) into the decoy web server. Very characteristic point of this system is that we can find whether Japanese ANIME is likely to be targeted or not by attackers. (or No correlation between them).

Furthermore, We developed another web application “WP Portal”, which visualizes these attacks in a real-time. This application enable us to monitor attack trend. WP Portal also has a vulnerability scanner for WordPress. You can start the scanner and view vulnerability reports on WP Portal.Dictionary Files for the scanner is created from honeypots and are updating daily. We will demonstrate this bot and the visualization tool. Participants can got attack vectors via WP Portal! Furthermore, our demo will show honeypots, a website, and analysis of attacks against WordPress.


pDNSego

presented by

Christian Heinrich

Passive DNS (pDNS) provides near real-time detection of cache poisoning and fraudulent changes to domains registered for trademarks, etc by answering the following questions: Where did this DNS Record point to in the past? What domains are hosted on a specific nameserver? What domains resolve into a given network? What subdomains exist below a certain domain name? pDNSego is a set of Maltego Transforms that perform link analysis of pDNS datasets based on a Fully Qualified Domain Name (FQDN), IP Address, Name Server (NS) or Mail eXchange (MX) DNS Record.


Rapid Bluetooth Low Energy Testing with BLE-replay and BLESuite

presented by

Greg Foringer  &  Taylor Trabun

In order to optimize testing with Bluetooth Low Energy (BLE) peripherals, we have created user-friendly tools that enable BLE packet replay, fuzzing, and on-the-fly scripted communications. BLE-replay is a Python tool for recording, modifying, replaying, and fuzzing writes to Bluetooth Low Energy (BLE) peripherals. It can be used for testing or reversing application layer interactions between a mobile application and a BLE peripheral. This tool is useful if an application writes some characteristics on the BLE device in order to configure/unlock/disable some feature. You want to quickly capture the relevant information from a packet log into a human-readable format and mess around with it from a laptop. It is the first tool built upon our new BLESuite library.

BLESuite is a Python library that enables application layer communication between a host machine and a BLE device. The library greatly simplifies the scripting of BLE activity. It provides a simple connection manager and supports scanning advertisements, service discovery, smart scanning of all services/characteristics/descriptors, and sync/async read/write. We will also demonstrate the BLESuiteCLI, which provides quick access to all of these features from the command line.


rastrea2r

presented by

Ismael Valenzuela

Rastrea2r: Hunting for IOC’s with gusto and style (or how to turn your AV console into an IOC hunting machine) In this session, SANS Instructor Ismael Valenzuela will explain the methods and techniques used by world-class IR teams to leverage the power of open source tools with ‘rastrea2r’, a new open source tool designed to assist with collecting and hunting for IOCs with ‘gusto’ and style.


Scout2

presented by

Loic Simon

Scout2 is an open source tool that helps when assessing the security posture of AWS environments. This tool uses the AWS API to fetch configuration data for various Amazon services, including IAM, EC2, S3, RDS and CloudTrail. The gathered configuration is analyzed for known configuration weaknesses, then made available via an offline HTML report. The report provides security-oriented views of the AWS resources that were analyzed, as well as a list of security risks that were identified.

Since its initial launch over two years ago, Scout2 doubled the number of services in scope and built-in security checks. If you worry that access to your AWS account — and the resources it holds — may not be secure enough, stop by and learn how you can easily identify security gaps. The presenter will demo multiple use cases, including use and comparison of various rulesets, customization of a ruleset, and creation of a new rule.


Serpico

presented by

Willis Vandevanter

SERPICO is a simple and intuitive report generation and collaboration tool; the primary function is to cut down on the amount of time it takes to write a penetration testing report. When building a report the user adds “findings” from the template database to the report. When there are enough findings, the user clicks ‘Generate Report’ to create the document of the report. New Report templates can be added through the UI making the reports easy to customize. The Report Templates themselves use a custom Markup Language that includes common variables (example, finding name, customer name, customer address) along with more complex requirements.

We are excited to be back at Arsenal and releasing a new version of Serpico! There are some exciting features to show off including new data imports, a bundled version for quicker reporting, and findings trending. Serpico was built by penetration testers with a pen-testers methodology in mind. It might make you hate report writing just a little bit less.


Shevirah

presented by

Georgia Weidman

Shevirah is a suite of testing tools for assessing and managing the risk of mobile devices in the enterprise and testing the effectiveness of enterprise mobility management solutions. Shevirah allows security teams to integrate mobility into their risk management and penetration testing programs. Given only a phone number, testers can design a simulated attack campaign against Android and iOS base mobile devices; execute phishing, client side, remote attacks, and extensive post exploitation capabilities to gauge the security of the users, devices, applications, and security infrastructure around mobility. The free version demoed here comes complete with professional features such as a full GUI and reporting capabilities as well as the traditional command line interface for the more purist hackers.


ShinoBOT

presented by

Shota Shinogi

ShinoBOT Suite is a malware/target attack simulator framework for pentest, education. The new version becomes “suiter” than the previous version.It includes those new features, components. You can now test your security performance against ransomware with it. ShinoLocker behaves just like a real ransomware but does not ask for any money to get the crypt key.

1) ShinoLocker (Ransomware Simulator)

  • Get the Crypto key from server
  • Scan files to encrypt
  • Encrypt -Ask decryption key
  • Decrypt
  • Uninstall itself

2) ShinoBuilder (Full customization for ShinoBOT)

  • Anti dynamic analysis
  • Extremely Targeted Attack *You can make a malware that works only on your specific environment.
  • C&C URL (for ShinoProxy)
  • Polymorphic function

3) ShinoC2 (ShinoBOT’s Server)

  • SSL support (Thanks Let’s Encrypt Project)
  • DNS Tunneling
  • C2 communication can be done by just DNS

4) ShinoStuxnet(tentative)
ICS malware simulator.

  • Scan ICS/SCADA system.
  • Talks some ICS protocols.

SIEMonster

presented by

Chris Rock

SIEMonster is a turnkey, open source, Enterprise grade Security Incident and Event Management (SIEM), built on scalable, non-licensed components, fully documented and developed. It is completely free and provides a fully functioning SIEM/SIM/SEM for a corporate client. The SIEM has automated ticket creation, OSINT, OSSEC Wazuh fork, Dashboards and Slack integration. We have taken the best open framework presentations from Blackhat and Defcon and put them into a free SIEM for clients without a budget. Kustodian has developed it for all companies as a viable alternative to commercial SIEM solutions. The product is free, fully documented, there is no data or node limitations. Kustodian will continue to develop SIEMonster for its existing clients and support SIEMonster with the community We recently worked with HP and built them a SIEM specific for printer monitoring of both security and printer/toner usage for free available to everyone.


SimpleRisk

presented by

Josh Sokol

As security professionals, almost every action we take comes down to making a risk-based decision. Web application vulnerabilities, malware infections, physical vulnerabilities, and much more all boils down to some combination of the likelihood of an event happening and the impact it will have. Risk management is a relatively simple concept to grasp, but the place where many practitioners fall down is in the tool set. The lucky security professionals work for companies who can afford expensive GRC tools to aide in managing risk. The unlucky majority out there usually end up spending countless hours managing risk, via spreadsheets. It’s cumbersome, time consuming, and just plain sucks.

After starting a Risk Management program from scratch at a $1B/year company, Josh Sokol ran into these same barriers and where budget wouldn’t let him go down the GRC route, he finally decided to do something about it. SimpleRisk is a simple and free tool to perform risk management activities. Based entirely on open source technologies and sporting a Mozilla Public License 2.0, a SimpleRisk instance can be stood up in minutes and instantly provides the security professional with the ability to submit risks, plan mitigations, facilitate management reviews, prioritize for project planning, and track regular reviews. It is highly configurable and includes dynamic reporting and the ability to tweak risk formulas on the fly. It is under active development with new features being added all the time. SimpleRisk is Enterprise Risk Management simplified.


SkyPhenomena

presented by

Wen Tao Tang

SkyPhenomena is aim to monitor the web threat and weakness in web respect of a company by simulating the hacker’s penetrating ideas,it mainly includes the following features:

First Stage — asset gathering:
1. Domain gathering. Including DNS zone transfer, brother domains, sub-domian bruteforcing, web crawler gathering, search engine, github, etc…
2. Port scanning and middleware fingerprint recognition
3. Site carwl and web application fingerprint recognition

Second Stage — information associating:
1. IP addresses locating and confirming C class network segment which belonging to the target.
2. Generating customized user&password dicts base on public information gathered in the previous stage and our social engineering databases.
3. The third party threat information base on relavent keyword matching and target site employee’s relation at GitHub.com.

Last stage — vulnerability discovery:
1. Scanning common vulnerability in web service and interfaces(SQLi,XSS,RCE,etc…).
2. Scanning universal vulnerability in collected fingerprints.
3. Automatic bruteforcing of middlewares,web applications that need authentication and form of background login page,base on the customized dicts.
4. Scanning sensitive files and folders in web service with high accuracy and compatibility.


Subgraph OS

presented by

David Mirza Ahmad

Subgraph OS is a desktop operating system with built-in privacy and security features that make it resistant to attacks against the endpoint, especially those that involve exploitation of software vulnerabilities. The kernel is hardened with grsecurity + PaX, and key applications run in sandbox environments implemented using Linux containers, seccomp bpf, and desktop isolation. Subgraph OS also includes an application firewall and integration with Tor.


The Pappy Proxy

presented by

Rob Glew

The Pappy Proxy is an open source intercepting proxy that takes a slightly different approach to testing websites than existing proxies such as Burp Suite and ZAP due to its console-based interface. The console interface and powerful history search make it extremely easy to find interesting requests in history and to discover promising areas for further testing. Along with standard features such as an interceptor and a repeater, Pappy allows users to generate most of the boilerplate needed for a Python attack script for more complex attacks. Pappy also has numerous other features such as response streaming, automatically modifying requests and responses on the fly, and support for upstream proxies.


ThreadFix

presented by

Dan Cornell

ThreadFix is an application vulnerability management platform that helps automate many common application security tasks and integrate security and development tools. It allows organizations to create a consolidated view of their applications and vulnerabilities, prioritize application risk decisions based on data, and translate vulnerabilities to developers in the tools they are already using.


Threat Scanner

presented by

Brian Codde

Threatscanner is an endpoint IOC scanner. It consumes OpenIOC and Yara rules and scans Windows machines, matching the rules. It produces a report for any matches detailing all the information about the matched items. In addition, it details the logic path used to arrive at the match – showing which predicates in the rule matched and which were missed. The system has many performance optimizations; such as aggregating rules so each potential item is only evaluated once regardless of the number of rules tested. This means that the running time for a single rule roughly matches the running time for 1000s of rules.


Tintorera: Source Code Intelligence

presented by

Simon Roses

Tintorera is a new static analysis tool developed in Python that uses the GCC compiler to build C projects aiming to obtain intelligence from them. GCC offers a powerful plugin architecture that allows tapping into its internals, and static analysis tools can benefit from it to gather information of the source code while compiling.

Some Tintorera features that a code auditor can benefit from:

  • Obtain many code metrics: Cyclomatic Complexity (CC), comment density, physical lines of codes, design complexity, code averages and etc.
  • Attack Surface analysis of the entire project, identifies all entry and exit of data.
  • Can identify Linux API and well-known libraries such as OpenSSL.
  • Perform different visualization maps of the source code such as function structure, logic and function calls relationship.
  • Context and code analysis of: comments, inline assembly, global variables, function parameters and more.
  • The entire source code is converted to a JSON representation allowing performing queries.
  • Creates HTML reports while the project gets compiled by GCC.
  • Extend Tintorera to fit your needs easily using Python.
  • Tap into GCC internals and passes.

By using static analysis techniques Tintorera can gather intelligence of a C source code allowing a code auditor to learn about the project faster. Tintorera is a tactical response as projects grow in complexity and code reviews are usually performed under limited time.


V3SPA: A Tool for Visually Analyzing and Diffing SELinux Security Policies

presented by

Robert Gove

SELinux policies have enormous potential to enforce granular security requirements, but the size and complexity of SELinux security policies makes them challenging for security engineers and analysts to determine whether the implemented policy meets an organization’s security requirements. Furthermore, as system complexity increases, so does the difficulty in assessing differential system modifications without requiring a ground up re-verification. Presently, policy analysts and developers primarily use text-based tools such as sediff, grep, and vi to develop and analyze policies. This can be challenging, however, because policies are often composed of tens or hundreds of thousands of rules, which can be difficult to sift through in text-based tools. Some GUI tools exist, such as apol, but these tools do not incorporate visualizations, which can represent dense information compactly and speed up analysis by offloading cognitive processes to the human visual system. In addition, the GUI tools do not support important tasks such as diffing two versions of a policy.

To address the challenges in developing and maintaining SELinux security policies, we developed V3SPA (Verification, Validation and Visualization of Security Policy Abstractions). V3SPA creates an abstraction of the underlying security policy using the Lobster domain-specific language, and then tightly integrates exploratory controls and filters with visualizations of the policy to rapidly analyze the policy rules. V3SPA includes several novel analysis modes that change the way policy authors and auditors build and analyze SELinux policies. These modes include:

1. A mode for differential policy analysis. This plugin shows analysts a visual diff of two versions of a security policy, allowing analysts to clearly see changes made. Using dynamic query filters, analysts can quickly answer questions such as, “What are the changes that affect passwd_t?”

2. A mode for analyzing information flow, identifying unexpected sets of permissions, and examining the overall design of the policy. This plugin allows users to see the entire policy at once, filter down to see only the components of interest, and execute reachability queries both from and to specified domains.

As part of our demonstration at Black Hat Arsenal, we will introduce attendees to V3SPA, which we will make freely available online. During our demonstration we will give detailed explanations of V3SPA’s algorithms and visualizations, and we will show how V3SPA can be used to assess whether a policy configuration correctly maps to security goals.


Visual Network and File Forensics Using Rudra

presented by

Ankur Tyagi

A typical approach towards investigating intrusion incidents is to collect files that might have been dropped from a compromised server. These files could be extracted from network traffic or if we are lucky they could be obtained from the compromised system itself. An analyst can then use her expertise to re-create the attack scenario and understand possible vectors. Depending on her skills, this process might prove easy or extremely difficult. Our aim is to provide a framework that provides a common ground for forensic analysis of network traffic and dropped files using intuitive visualization of structural properties of network traffic and data files, combined with the proven methods of behavioral heuristics.

This talk aims to help users understand how to visually classify streaming data such as a network traffic buffer for an active TCP connection or chunked data read from a file on disk. Both these objects under analysis could be considered a binary blobs which could be rendered as an image highlighting the binary structure embedded within them. When this approach is combined with statistical file-format independent properties (like the theoretical minsize, compression ratio, entropy, etc.) and certain file-format specific properties (like the Yara rules matching on parsed HTTP payload or heuristics rules matching on the sections of a PE file), it provides a completely new perspective into the analysis process.

Additionally, we want to emphasize on the fact that the most important aspect of analysis process is to quickly correlate attributes and identify patterns. The approach we propose is to minimize the noise and highlight significant behavior using heuristics targeted specifically towards structural pattern identification. The visual representation of the input file provides a concise overview of file’s data patterns and the way they are combined together. One glimpse of this visual representation is enough to quickly classify a file as suspicious.

In this talk, we will focus on presenting a framework that can help users with forensic analysis of intrusion artifacts using a novel visual analysis approach. This framework could be used to create standalone utilities or to enhance in-house analysis tools via the native API. For quick analysis, users could consume the framework output directly through the packaged commandline tool or via an external log analytic tool like Splunk.


Voyeur

presented by

Juan Garrido

VOYEUR’s main purpose is to automate several tasks of an Active Directory build review or security assessment. Also, the tool is able to create a fast (and pretty) Active Directory report. The tool is developed entirely in PowerShell (a powerful scripting language) without dependencies like Microsoft Remote Administration tools. (Just .Net Framework 4.0 and Office Excel if you want a useful and pretty report). The generated report is a perfect starting point for well-established forensic, incident response team, security consultants or security researchers who want to quickly analyze threats in Active Directory Services.

Main Features

  • Return a huge number of attributes on computers, users, containers/OUs, groups, ACL, etc…
  • Search for locked accounts, expired password, no password policy, etc…
  • Return a list of all privileged account in domain. (The script search in SID value instead in a group name)
  • Return a list of group’s modification (Users added/deleted for a specific group, etc…)
  • Multi-Threading support
  • Plugin Support


Usage scenarios

  • Able for using on local or remote computer
  • Able for using on joined machine or workgroup machine


Reporting

  • Support for exporting data driven to several formats like CSV, XML or JSON.


Office Support

  • Support for exporting data driven to EXCEL format. The script also support table style modification, chart creation, company logo or independent language support. At the moment only Office Excel 2010 and Office Excel 2013 are supported by the tool.

Vulnreport – Pentesting Management and Automation

presented by

Tim Bach

Vulnreport is designed to accelerate management of penetration tests and security code reviews/audits, as well as generation of useful vulnerability reports. Using Vulnreport, security researchers can automate almost all of the overhead involved with penetration testing so that they can devote more time to the fun stuff – finding vulns. Vulnreport takes care of tracking vulnerabilities on your tests, providing a simple UI for managing them, and running analytics on what you’re finding and where you’re spending your time.

Vulnreport is also a platform that can be extended and hooked into whatever other management and vulnerability assessment tools are part of your process. Hook it up to your automated testing frameworks and watch the vuln data flow into your reports like magic.

This demo will walk through the upsides of automating this part of your pentesting process as well as show how the Salesforce Product Security team uses Vulnreport to save hundreds of engineer-hours per year. We will be open-sourcing and making the tool available for you and your teams to use, customize, and contribute to during the conference.


WALB (Wireless Attack Launch Box)

presented by

Keiichi Horiai  &  Kazuhisa Shirakami

The purpose of the WALB (Wireless Attack Launch Box) is to test or demonstrate the security issue of wireless devices. It can be used to evaluate the impact of GPS spoofing, fake ADS-B and others. WALB is a Raspberry Pi and HackRF based lunch box size portable RF signal generator. It can include the real time signal generation module for GPS, ADS-B and others. Therefor it does not require huge storage space for longer duration of the simulation time. You can choose any predefined scenario of GPS spoofing, fake ADS-B and power level settings from menu on LCD screen. By preparing any 8 bit signed I/Q binary file, it is possible to generate arbitrary signal within the frequency range available on HackRF.


WarBerryPi Troops Deployment in Red Teaming Scenarios

presented by

Yiannis Ioannides

What if the only requirements for taking down a corporate network are a bit of smooth talking, 60 minutes and $35? Traditional hacking techniques and corporate espionage have evolved. Advanced attacks nowadays include a combination of social engineering, physical security penetration and logical security hacking. It is our job as security professionals to think outside the box and think about the different ways that hackers might use to infiltrate corporate networks. The WarBerryPi is a customized RaspBerryPi hacking dropbox which is used in Red Teaming engagements with the sole purpose of performing reconnaissance and mapping of an internal network and providing access to the remote hacking team.

The outcome of these red teaming exercises is the demonstration that if a low cost microcomputer loaded with python code can bypass security access controls and enumerate and gather such a significant amount of information about the infrastructure network which is located at; then what dedicated hackers with a large capital can do is beyond conception.


WATOBO – The Web Application TOol BOx

presented by

Andreas Schmidt

WATOBO is a security tool for testing web applications. It is intended to enable security professionals to perform efficient (semi-automated) web application security audits. Most important features are:

  • WATOBO has Session Management capabilities! You can define login scripts as well as logout signatures. So you don’t have to login manually each time you get logged out.
  • WATOB can act as a transparent proxy (requires nfqueue)
  • WATOBO can perform vulnerability checks out of the box
  • WATOBO can perform checks on functions which are protected by Anti-CSRF-/One-Time-Tokens
  • WATOBO supports Inline De-/Encoding, so you don’t have to copy strings to a transcoder and back again. Just do it inside the request/response window with a simple mouse click.
  • WATOBO has smart filter functions, so you can find and navigate to the most interesting parts of the application easily.
  • WATOBO is written in (FX)Ruby and enables you to easily define your own checks
  • WATOBO runs on Windows, Linux, MacOS … every OS supporting (FX)Ruby
  • WATOBO is free software ( licensed under the GNU General Public License Version 2

WATOBO is written in (FX)Ruby and was initially released in May 2010 as an open source project on SourceForge (http://watobo.sourceforge.net).


Web Service Security Assessment Tool (WSSAT)

presented by

Mehmet Yalcin YOLALAN  &  Salih TALAY

WSSAT is an open source web service security scanning tool which provides a dynamic environment to add, update or delete vulnerabilities by just editing its configuration files. This tool accepts WSDL address list as input file and performs both static and dynamic tests against the security vulnerabilities. It also makes information disclosure controls.

Objectives of WSSAT are to allow organizations:

  • Perform their web services security analysis at once
  • See overall security assessment with reports
  • Harden their web services

WSSAT’s main capabilities include:

Dynamic Testing:

  • Insecure Communication – SSL Not Used
  • Unauthenticated Service Method
  • Error Based SQL Injection
  • Cross Site Scripting
  • XML Bomb
  • External Entity Attack – XXE
  • XPATH Injection Verbose SOAP Fault Message


Static Analysis:

  • Weak XML Schema: Unbounded Occurrences
  • Weak XML Schema: Undefined Namespace
  • Weak WS-SecurityPolicy: Insecure Transport
  • Weak WS-SecurityPolicy: Insufficient Supporting Token Protection
  • Weak WS-SecurityPolicy: Tokens Not Protected

Information Leakage:

  • Server or development platform oriented information disclosure

WSSAT’s main modules are:

  • Parser
  • Vulnerabilities Loader
  • Analyzer/Attacker
  • Logger
  • Report Generator

The main difference of WSSAT is to create a dynamic vulnerability management environment instead of embedding the vulnerabilities into the code. More information can be found here: https://github.com/YalcinYolalan/WSSAT.

 





About the Author

Principal Founder & Maintainer - Freelancer ICS/SCADA Security Expert As part of my research, I'm focusing into maintaining many projects as the DPE (Default Password Enumeration), vFeed® the open source correlated & cross-linked vulnerability database and FireCAT the Firefox Catalog of Auditing exTensions. Today, I'm the co-organizer of the major event Blackhat Arsenal Tools (US and Europe) since 2011 and since 2014 co-organizer of Rooted Warfare in Spain. I'm going by the handle of @toolswatch on Twitter and always willing to help, share and drink with friends from far and wide.



One Response to The Black Hat Arsenal USA 2016 Remarkable Line-Up !

  1. Pingback: The Black Hat Arsenal USA 2016 Remarkable Line-Up ! – sec.uno

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to Top ↑