Selected tools for Blackhat Arsenal Europe 2013
Dear all,
I’m very happy to announce the selected tools to be demoed during the Blackhat Arsenal Event 2013 in Amsterdam. So, pop up at the floor if you are around and see some great tools in action. The best part is that you can have direct interactive talk with their authors (prepare your questions and your cameras 😉 . And that’s what the Arsenal is all about.
Here are the tools (no specific order) :
Cuckoo Sandbox
Presented by Claudio Guarnieri : Cuckoo Sandbox is an open source tool for automating malware analysis, born under the umbrella of The Honeynet Project and evolved into becoming a leading solution adopted by organizations and researchers worldwide. It performs dynamic analysis of given malware artifacts of any nature or malicious URLs and thanks to its highly customizable nature, it provides the analyst flexibility to perform any sort of automated forensic investigation. It’s mainly written in Python and C and it’s designed to be highly modular, easy to integrate and completely independent. Some of the information that it’s able to provide are:
- Extensive log of Windows API calls performed by the malware
- Dumps of dropped files
- Dumps of malware processes memory
- Full memory dump of the analysis machine
- Dump of network traffic
- Screenshots
Mercury Android Pentesting Framework
Presented by Tyrone Erasmus : Mercury is a framework for exploring the Android platform; to find vulnerabilities and share proof-of-concept exploits. Mercury allows you to assume the role of a low-privileged Android app, and to interact with other apps and the system. It allows the user to:
- Use dynamic analysis on Android applications and devices for quicker security assessments
- Share publicly known methods of exploitation on Android and proof-of-concept exploits for applications and devices
- Write custom tests and exploits, using the easy extensions interface
On a more technical level, Mercury allows you to:
- Interact with the 4 IPC endpoints – activities, broadcast receivers, content providers and services
- Use a proper shell that allows you to play with the underlying Linux OS from the point of view of an unprivileged application (you will be amazed at how much you can still see)
- Find information on installed packages with optional search filters to allow for better control
- Use built-in commands that can check attack vectors on installed applications and native OS components
- Create new modules to exploit your latest finding on Android, and play with those that others have found
- Mercury does all of this over the network and it does not require ADB
Does it sound like with a bit of tweaking Mercury could be the perfect post exploitation tool? Well…it was used as a RAT that was deployed to a vulnerable Galaxy SIII over NFC at Mobile Pwn2Own 2012! It allowed the MWR Labs team to exfiltrate all data from the exploited phone. See more info about that here: http://dvlabs.tippingpoint.com/blog/2012/10/05/eusecwest-mobile-pwn2own-2012-recap
CuckooMX
Presented by Xavier Mertens :CuckooMX is a tool which interconnects with your MTA (currently Postfix) and automatically submit decoded attachments to a Cuckoo instance.
The goal is to automatically analyze all piece of crap received in your mailboxes.
HookMe*
Presented by Manuel Fernandez :HookME is a software designed for intercepting communications by hooking the desired process and hooking the API calls for sending and receiving network data. HookMe provides a nice graphic user interface allowing you to change the packet content in real time, dropping or forwarding the
packet. It also has a python system plugin to extend the HookMe functionality.
It can be used for a lot of purposes such as:
- Analyzing and modifying network protocols
- Creation of malware or backdoors embebed into network protocols
- Protocol vulnerability memory patching
- Firewall at protocol layer
- As postexplotation tool
- whatever you can create with plugins using your imagination
* New tool to be announced & released during Arsenal
Smartphone Pentest Framework*
Presented by Georgia Weidman : As smartphones enter the workplace, sharing the network and accessing sensitive data, it is crucial to be able to assess the security posture of these devices in much the same way we perform penetration tests on workstations and servers. However, smartphones have unique attack vectors that are not currently covered by available industry tools.
The smartphone penetration testing framework, the result of a DARPA Cyber Fast Track project, aims to provide an open source toolkit that addresses the many facets of assessing the security posture of these devices. We will look at the functionality of the framework including information gathering, exploitation, social engineering, and post exploitation through both a traditional IP network and through the mobile modem, showing how this framework can be leveraged by security teams and penetration testers to gain an understanding of the security posture of the smartphones in an organization.
We will also show how to use the framework through a command line console, a graphical user interface, and a smartphone based app. Demonstrations of the framework assessing multiple smartphone platforms will be shown
* New version to be released during Arsenal
Xinyu Xing*
Presented by Xinyu Xing: Personalization by search providers is intended to be helpful, but which can also represent a form of censorship. To address the potential issues created by these “filter bubbles”, a free tool Bobble is developed and deployed. Bobble uses a global, Tor-like network (PlanetLab) to depersonalize search results.
* New tool to be announced & released during Arsenal
The Deck*
Presented by Philip Polstra: The Deck is a full-featured penetration testing Linux distribution that runs on the BeagleBoard-xM, BeagleBone, and similar platforms. A single device running The Deck can be used as a powerful drop box or as a replacement for a pentesting laptop. Thanks to the low power requirements of the Beagle devices, a device running The Deck can operate for days to weeks off of battery power. These devices are also easily hidden thanks to their small size.
The Deck debuted in September 2012 at the 44CON conference in London. The first add-on module the 4Deck (for USB forensics) was also released at that time. The second module, the MeshDeck, is being released March 15, 2013 at BlackHat Europe 2013. The MeshDeck adds 802.15.4 networking to The Deck which permits multiple devices to execute coordinated attacks. The MeshDeck also adds the ability to attack from a distance of up to 1.6km away.
* New module to be announced during Arsenal
OWASP Xenotix XSS Exploit Framework
Presented by Ajin Abraham: Xenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in Web Applications. It is basically a payload list based XSS Scanner and XSS Exploitation kit. It is having the world’s second largest XSS Payload list. It provides a penetration tester the ability to test all the XSS payloads available in the payload list against a web application to test for XSS vulnerabilities. The tool supports both manual mode and automated time sharing based test modes. The exploitation framework in the tool includes a XSS encoder, a victim side XSS keystroke logger, an Executable Drive-by downloader and a XSS Reverse Shell. These exploitation tools will help the penetration tester to create proof of concept attacks on vulnerable web applications during the creation of a penetration test report.
Prasadhak (and offensive PowerShell)*
Presented by Nikhil Mittal : Prasadhak is useful in scenarios where you need to check basic “malware sanity” of a target. A powershell tool which checks running processes for malware by searching their hashes on virustotal database.
There will also be neat demos for off sec guys of my other tool Nishang – on demand!
* New tool to be announced & released during Arsenal
