Black Hat Arsenal Europe 2015 Line-Up

The ToolsWatch team is delighted to present the tools selected for Black Hat Arsenal Europe, the Best InfoSec Tool Event in the World. This European session comes with 32 tools ranging from vulnerability and exploitation research to hardware and electronics gadgets. This is the highest score for Arsenal in Europe. This means that the Arsenal event has become a must!!

Black Hat Arsenal is going into its 10th session and we’re still excited to promote tools from great folks. So here is the outstanding lineup for the Arsenal Europe 2015.

 

Android Device Testing Framework v13

presented by

Jake Valletta

The Android Device Testing Framework (“dtf”) project started back in 2014 as a collection of scripts and utilities that aimed to help individuals answer the question: “Where are the vulnerabilities on this mobile device?” Since then, dtf has grown into a robust and extensive data collection and analysis framework with over 30 modules that allow testers to obtain information from their Android device, process this information into databases, and then start searching for vulnerabilities (all without requiring root privileges). These modules help you focus on changes made to AOSP components such as applications, frameworks, system services, as well as lower-level components such as binaries, libraries, and device drivers. In addition, you’ll be able to analyze new functionality implemented by the OEMs and other parties to find vulnerabilities.


Android InsecureBank

presented by

Dinesh Shetty

Ever wondered how different attacking and exploiting a Mobile application would be, from a traditional web application? Gone are the days when knowledge of just SQL Injection or XSS could help you land a lucrative high-paying infoSec job.

Watch as Dinesh walks you through his new and shiny updated custom application – “Android-InsecureBank” and some other source code review tools, to help you understand some known and some not so known Android Security bugs and ways to exploit them.

This presentation will cover Mobile Application Security attacks that will get n00bs as well as 31337 attendees started on the path of Mobile Application Penetration testing.

Some of the vulnerabilities in the Android InsecureBank application that will be discussed (but not limited to) are:
– Flawed Broadcast Receivers
– Root Detection and Bypass
– Local Encryption issues
– Vulnerable Activity Components
– Insecure Content Provider access
– Insecure Webview implementation
– Weak Cryptography implementation
– Application Patching
– Sensitive Information in Memory

Expect to see a lot of demos, tools, hacking and have lots of fun.


Android Tamer

presented by

Anant Shrivastava

Android Tamer is a Virtual / Live Platform for Android Security professionals. It reduces the need to configure your own environment. This environment allows people to work on a large array of Android security related tasks ranging from Malware Analysis and Penetration Testing to Reverse Engineering.


BinProxy

presented by

DongJoo Ha  &  Ingyu Tae  &  Jisun Kim

It has been a while since attackers began targeting various fields in the IT industry, including binary applications, mobile apps, embedded devices, web applications, and the like. One of the biggest problems for the whitehats who focus on defending against these attacks is “Lack of time and manpower”. We try to compensate for that issue. Basically, what our framework does is create an easy environment to dynamically analyze executables.

We made a new framework to analyze applications called “BinProxy”, inspired by web proxies. Our approach can be used to analyze normal (binary) applications with a web proxy, and can be applied to Windows, Linux and Mac environments as well as mobile environments such as Android and iOS.

Our framework solves the lack of time and manpower through the following functions, without using any debugger, decompiler or other undesirable reversing and hooking tools, so there is no need to learn those tools or look up their manuals:
– Finding the functions needed to analyze and monitor
– Modifying function parameters and return values by using a web proxy
– Reading/writing memory and executing certain functions and code by using a web proxy
– Controlling functions using script languages

We want this framework to be an open source project.

Proof of Concept : https://www.youtube.com/playlist?list=PLNa87eQJGfPXbgj9hMGqijWlzxIHJ8brp


BladeScanner

presented by

Robert Widham

BladeScanner is an Open Source Security Tool, written in C with Python bindings, used for detecting Reflective DLL Injection on the Windows Operating System. Picking up where the RID.py tool, presented at DefCon 20 by Andrew King, left off, BladeScanner builds upon the heuristics introduced in that presentation.


BTA

presented by

Joffrey Czarny

When it comes to the security of the information system, Active Directory domain controllers are, or should be, at the center of concerns, which are (normally) to ensure compliance with best practices and, once a compromise is proven, to explore the possibility of cleaning the information system without having to rebuild Active Directory. However, few tools implement this process, and several ways exist to backdoor Active Directory. We propose to present some possible backdoors which could be set by an intruder in Active Directory to keep administration rights: for example, how to modify the AdminSDHolder container in order to reapply rights after administrator actions. Moreover, backdoors can be implemented in Active Directory to help an intruder regain his privileges. Then, we will present BTA, an audit tool for Active Directory databases, and our methodology for verifying the application of good practices and the absence of malicious changes in these databases.

The presentation will be organized as follows:
– We begin by describing the stakes around the Active Directory, centerpiece of any information system based on Microsoft technologies.
– We will continue by demonstrating some backdoors used to keep admin rights or to help an intruder quickly recover admin rights.
– We will present BTA and the methodology developed to analyze Active Directory.
– We conclude with feedback on real world usage of BTA.

More information can be found on the Bitbucket repository: https://bitbucket.org/iwseclabs/bta


Commix: Detecting And Exploiting Command Injection Flaws

presented by

Anastasios Stasinopoulos

Command injections are prevalent in any application, independently of the operating system that hosts the application or the programming language in which the application itself is developed. The impact of command injection attacks ranges from loss of data confidentiality and integrity to unauthorized remote access to the system that hosts the vulnerable application. A prime example of a real, infamous command injection vulnerability that clearly depicts the threats of this type of code injection was the recently discovered Shellshock bug. Despite the prevalence and the high impact of command injection attacks, little attention has been given by the research community to this type of code injection. In particular, we have observed that although there are many software tools to detect and exploit other types of code injections such as SQL injections or Cross Site Scripting, to the best of our knowledge there is no dedicated and specialized software application that automatically detects and exploits command injection attacks. This paper attempts to fill this gap by proposing an open source tool that automates the process of detecting and exploiting command injection flaws on web applications, named commix (COMMand Injection eXploitation). This tool supports a plethora of functionalities in order to cover several exploitation scenarios. Moreover, Commix is capable of detecting, with a high success rate, whether a web application is vulnerable to command injection attacks. Finally, during the evaluation of the tool we have detected several 0-day vulnerabilities in applications.

Overall, the contributions of this work are: a) We provide a comprehensive analysis and categorization of command injection attacks; b) We present and analyze our open source tool that automates the process of detecting and exploiting command injection vulnerabilities; c) We will reveal (during the presentation) several 0-day command injection vulnerabilities that Commix detected on various web based applications, from home services (embedded devices) to web servers.


Credmap: The Credential Mapper

presented by

Roberto Salgado

It is not uncommon for people who are not experts in security to reuse credentials on different websites; even security savvy people reuse credentials all the time. For this reason “credmap: the Credential Mapper” was created, to bring awareness to the dangers of credential reuse. Credmap takes a user and password as input and it attempts to login on a variety of known websites to test if the user has reused credentials on any of these. New websites can be easily added with simple knowledge of Python.

Credmap is also capable of searching in public credential dumps of compromised websites (e.g. r0ckyou, AM, Adobe, etc.) and collecting the user’s password from there to then test with on other websites. Credmap was written purely in Python and is open-source and available on GitHub.


D1c0m-X.2

presented by

Michael Hudson

In this second version of the tool, a plugin for the exploitation of ORACLE database will be added, which will become an even more attractive exploit.

DICOM (Digital Imaging and Communications in Medicine) is the standard recognized worldwide for the exchange of medical tests, designed for their handling, display, storage, printing, and transmission. It includes the definition of a file format and a network communication protocol.

Target:
D1c0m-X.2 is a tool that is responsible for searching the TCP/IP ports of surgery robots, x-ray, CT scan, MRI or other medical devices that use this protocol and, once found, checking if the firmware is vulnerable. If they are not vulnerable, it will try to exploit using scripts, which are intended to block the connection between the server and the Robot, making a DDOS or accessing the System.

Before launching the attack, D1c0m-X.2 also explores the possibility of an intrusion through the Corporative Web of the Hospital or Clinic, if the intrusion is achieved, we proceed to interact with shell console, applying different vulnerabilities, such as SQLI, Default password, etc.
Finally, the DUMP of critical information of Patients, Doctors and Staff is automated.


Dockscan

presented by

Vlatko Kosturjak

Dockscan is a vulnerability assessment and audit tool for Docker and container installations. It will report on Docker installation security issues as well as Docker container configurations. The tool helps system administrators secure the Docker installations they administer, as well as security auditors and penetration testers who need to audit a Docker installation.


Dvcs-Ripper

DVCS-Ripper will rip web accessible (distributed) version control systems ranging from Subversion and git to Mercurial and Bazaar. It can rip repositories even when directory browsing is turned off. The new release adds support for ripping packed refs in git and it speeds up git ripping drastically. Currently it is the fastest and most feature packed source code ripper tool.


Exploit Pack

presented by

Juan Sacco

Exploit Pack is an open source security framework for exploit developers, pentesters and security enthusiasts. Exploit Pack uses an advanced software-defined interface that supports rapid reconfiguration to adapt exploit codes to the constantly evolving threat environment. Objectively measure threats, vulnerabilities, impact and risks associated with specific cyber-security incidents by rapidly reacting on the integration of both, offensive and defensive security.


Faraday

presented by

Daniel Foguel

Since collaborative pentesting is more common each day, sharing the information generated by the pentesters between each other could become a difficult task. Different tools, different formats, long outputs (in the case of having to audit a large network) can make it almost impossible. You may end up with wasted efforts, duplicated tasks, a lot of text files scrambled in your working directory. And then, you need to collect that same information from your teammates and write a report for your client, trying to be as clear as possible.

The idea of Faraday is to help you to share all the information that is generated during the pentest, without changing the way you work. You run a command, or import a report, and Faraday will normalize the result and share that with the rest of the team in real time. Faraday has more than 40 plugins (and counting) available, including the most used tools (msf, nmap, sqlmap to name a few), and if you use a tool for which Faraday doesn’t have a plugin, you can create your own.
During this presentation we’re going to show you the latest version of the tool, and how it can be used to improve the effectiveness of your team during a penetration test.


FindSecurityBugs

presented by

Philippe Arteau

FindSecurityBugs is a plugin for the Java static analysis tool FindBugs. This plugin consists of a set of rules that focus only on security weaknesses. It can be used by developers or security analysts to find vulnerabilities in their code.


From XSS to RCE 20

presented by

Hans-Michael Varbaek

This presentation demonstrates how an attacker can utilise XSS to execute arbitrary code on the web server when an administrative user inadvertently triggers a hidden XSS payload.

Custom tools and payloads integrated with Metasploit’s Meterpreter in a highly automated approach will be demonstrated live, including post-exploitation scenarios and interesting data that can be obtained from compromised web applications.


HackSys Extreme Vulnerable Driver

presented by

Ashfaq Ansari

HackSys Extreme Vulnerable Driver is an intentionally vulnerable Windows Kernel driver developed for security enthusiasts to learn and polish their exploitation skills. HackSys Extreme Vulnerable Driver caters to a wide range of vulnerabilities ranging from simple Buffer Overflow to complex Use After Free, Pool Overflow, Type Confusion and Arbitrary Memory Overwrite. This allows researchers to explore different exploitation techniques for every implemented vulnerability. HackSys Extreme Vulnerable Driver also comes with the mitigation for each implemented vulnerability, which helps kernel driver developers understand how these mitigations are applied.

Source Code: https://github.com/hacksysteam/HackSysExtremeVulnerableDriver


Haka – An Open Source Security Oriented Language

presented by

Mehdi Talbi

Haka is an open source security oriented language that allows users to specify and apply security policies on live captured traffic. Haka is based on Lua. It is a simple, lightweight (~200 kB) and fast (a JiT compiler is available) scripting language.

The scope of Haka is twofold. First of all, Haka enables the specification of security rules to filter unwanted streams and report malicious activities. Haka provides a simple API for advanced packet and stream manipulation. One can drop, create and inject packets. Haka also supports on-the-fly packet modification. This is one of the main features of Haka, since all complex tasks such as resizing packets and correctly setting sequence numbers are done transparently to the user. This makes it possible to specify and deploy complex mitigation scenarios.

Secondly, Haka is endowed with a grammar for specifying protocols and their underlying state machine. Haka supports both types of protocols: binary-based protocols (e.g. dns) and text-based protocols (e.g. http). The specification covers packet-based protocols such as ip as well as stream-based protocols like http. Thanks to that grammar, we were able to specify several protocols including ip, icmp, tcp, udp, http, dns, smtp and ssl.

Haka is embedded into a modular framework including multiple packet capture modules (pcap, nfqueue), logging and alerting modules (syslog, elasticsearch), and auxiliary modules such as a pattern matching engine and an instruction disassembler module. The latter makes it possible to write fine-grained security rules to detect obfuscated malware, for instance. Haka was designed in a modular fashion, enabling users to extend it with additional modules.

Haka is intended to be used by all security communities: network security officers wishing to quickly deploy new security controls, academics wishing to evaluate the detection efficiency of a new algorithm, or security experts trying to investigate an incident on a specific protocol such as a scada protocol.


Hardsploit: Like Metasploit But For Hardware Hacking

presented by

Yann Allain

Why we chose to create HardSploit: It is clear that something is needed to help the security community to evaluate, audit and/or control the level of security in embedded systems.
HardSploit is a complete tool box (hardware & software), a framework which aims to:
– Facilitate the auditing of electronic systems for industry ‘security’ workers (consultants, auditors, pentesters, product designers, etc.)
– Increase the level of security (and trust!) of new products designed by the industry
HardSploit Modules & Framework:
Hardsploit is an all-in-one hardware pentest tool with software and electronic aspects. It is a technical and modular platform (using FPGA) to perform security tests on the electronic communication interfaces of embedded devices.
The main hardware security audit functions are:
– Sniffer
– Scanner
– Interact
– Dump memory

Hardsploit’s Modules will let hardware pentesters intercept, replay and/or send data via each type of electronic bus used by the hardware target. The level of interaction that pentesters will have depends on the features of the electronic bus.

Hardsploit’s Modules further enable you to analyze electronic bus (serial and parallel types), JTAG, SPI, I2C’s, parallel addresses & data bus on chip.

Assisted Visual Wiring Function:
No more stress with that tremendous part of Hardware pen testing: You will know what needs to be connected and where!
We integrated into the tool an assisted visual wiring function to help you connect your wires to the hardware target:
– GUI will display the pin organization (Pin OUT) of the targeted chip.
– GUI will guide you throughout the wiring process between Hardsploit Connector and the target
– GUI will control a set of LEDs that will turn ON and OFF to easily let you find the right Hardsploit Pin Connector to connect to your target

The software part of the project will help to conduct an end-to-end security audit and will be compatible (integrated) with existing tools such as Metasploit. We will offer integration with other APIs in the future.
Our ambition is to provide a tool equivalent to those of the company Qualys or Nessus (Vulnerability Scanner) or the Metasploit framework but in the domain of embedded systems/electronics.


IntelMQ

presented by

Tomas Lima

IntelMQ is a solution for collecting and processing security feeds, pastebins, and tweets using a message queue protocol. It’s a community driven initiative called IHAP (Incident Handling Automation Project) which was conceptually designed by European CERTs during several InfoSec events. Its main goal is to give to incident responders an easy way to collect & process threat intelligence thus improving the incident handling processes of CERTs.


Jack

presented by

Chris Le Roy

Jack is a novel web based tool to assist in the identification and illustration of abusing web resources in terms of ClickJacking. Jack allows implementers to identify if certain online resources are vulnerable to ClickJacking and also allows implementers to generate a PoC to harvest submitted user credentials to illustrate the effect of the vulnerability. Jack also allows implementers to generate a local instance of the PoC site and deploy it to an HTTP container such as Apache.


Kautilya – Fastest Shells You’ll Ever Get

presented by

Nikhil Mittal

Kautilya is a framework which enables using Human Interface Devices (HIDs) in Penetration Testing. Kautilya is capable of generating ready-to-use payloads for a HID.
In this demonstration, you will see how Kautilya could be used to get access to a computer, dumping system secrets in plain, data, executing shellcode in memory, installing backdoors, dropping malicious files and much more. New payloads to backdoor a Windows machine will be released in this presentation.


Lynis

presented by

Michael Boelen

Most of us have performed some level of system hardening, using checklists or custom scripts. The next level is to keep the security defenses of your systems compliant with your baselines. Lynis is an open source tool to help you with this goal. It is portable, flexible and specialized in Linux/Unix based systems. It performs an in-depth health check of your systems and tells you what additional steps you can take to lock things down. In this demo, we will see how easy it is to use, yet flexible enough to support much more than is initially visible.


Nishang – Tracking A Windows User

presented by

Nikhil Mittal

In this demonstration, we will see how scripts based on built-in Windows tools (Windows PowerShell, VB Script, .Net Framework, native commands, Registry etc.) could be used to keep track of a Windows user. In addition to having backdoor access, these tools and scripts provide capabilities like taking pics from user webcam, recording MIC, screen-shot/live-streaming of user screen, logging keys, internet history, location tracking and much more.

All the scripts in the demo would be a part of Nishang framework.


OSXCollector

presented by

Kuba Sendor

OSXCollector is an open source forensic evidence collection and analysis toolkit for Mac OS X. It automates the forensic evidence collection and analysis that Yelp’s team of responders previously did manually.

We use Macs a lot at Yelp, which means that we see our fair share of Mac-specific malware alerts. Host based detectors like antivirus software will tell us about known malware infestations or weird new startup items. Network based detectors see potential CnC callouts or DNS requests to resolve suspicious domains. Sometimes our awesome employees just let us know, “Hey, I think I have like Stuxnet or conficker or something on my laptop.”
When alerts fire, our incident response team’s first goal is to “stop the bleeding” to contain and then eradicate the threat. Next, we move to “root cause the alert” figuring out exactly what happened and how we’ll prevent it in the future. One of our primary tools for root causing OS X alerts is OSXCollector. It was developed in-house at Yelp to automate the digital forensics and incident response (DFIR) based on our past experiences when dealing with the malware infections and other threats haunting Yelp’s corporate network.

https://github.com/Yelp/osxcollector


OWASP Security Knowledge Framework

presented by

Riccardo ten Cate  &  Glenn ten Cate

Over 10 years of experience in web application security bundled into a single application. The Security Knowledge Framework is a vital asset to the coding toolkit of you and your development team. Use SKF to learn and integrate security by design in your web application.

In a nutshell:
– Training developers in writing secure code
– Security support pre-development (Security by design, early feedback of possible security issues)
– Security support post-development (Double check your code by means of the OWASP ASVS checklists)
– Code examples for secure coding


Panoptic

Since its debut 2 years ago, Panoptic has become the go-to open source penetration testing tool for automating the process of search and retrieval of common log and config files through path traversal vulnerabilities. For the brand new release, Panoptic will have new and enhanced capabilities, such as being able to automate the escalation of a Local File Inclusion (LFI) vulnerability to Remote Code Execution (RCE) and even spawn a Meterpreter session.


peepdf

presented by

Jose Miguel Esparza

peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to perform all the tasks. With peepdf it’s possible to see all the objects in the document, with the suspicious elements highlighted. It supports all the most used filters and encodings, and it can parse different versions of a file, object streams and encrypted files. With the installation of PyV8 and Pylibemu it provides Javascript and shellcode analysis wrappers too. Apart from this, it’s able to create new PDF files and modify/obfuscate existing ones.


Pestudio

presented by

Marc Ochsenmeier

Pestudio is a unique tool that allows you to perform an initial assessment of a malware sample without even infecting a lab system or studying its code. Malicious executables often attempt to hide their malicious behavior and to evade detection. In doing so, they generally present anomalies and suspicious patterns. The goal of Pestudio is to detect these anomalies, provide Indicators and score the Trust for the executable being analyzed. Since the executable file being analyzed is never started, you can inspect any unknown or malicious executable with no risk. Pestudio has been in the top 10 list of “Best Security Tool” in 2013 and 2014 by the readers of ToolsWatch.org.


Reissue Request Scripter (Burp Plugin)

This Burp plugin has one focus: building scripts to replay HTTP requests in various scripting languages. It supports Python, Ruby, Perl, PHP, PowerShell, and JavaScript. It is the Swiss knife of custom HTTP web exploits.

This plugin starts where other automated tools reach their limit. It integrates well with the “python-paddingoracle” tool to create custom padding oracle attacks. It can be used to quickly build malicious JavaScript requests for XSS payloads. It can be used along with sqlmap to exploit second order SQL injection. The BH Arsenal demo will focus on the most common usage: Padding Oracle, SQLi and XSS payload.

The Burp plugin is available for download on GitHub and on the Burp App Store:
– https://github.com/h3xstream/http-script-generator
– https://pro.portswigger.net/bappstore/ShowBappDetails.aspx?uuid=6e0b53d8c801471c9dc614a016d8a20d


Rudra – The Destroyer of Evil

presented by

Ankur Tyagi

Rudra aims to provide a developer-friendly framework for exhaustive analysis of (PCAP and PE) files. It provides features to scan and generate reports that include a file’s structural properties, entropy visualization, compression ratio, theoretical minsize, etc. These details, along with file-format specific analysis information, help an analyst to understand the type of data embedded in a file and quickly decide if it deserves further investigation.

Rudra now supports scanning PE files and can perform API scans, anti{debug, vm, sandbox} detection, packer detection, authenticode verification, along with Yara, shellcode, and regex detection upon them. Additionally, the following new features are being added for the first beta release:

– Interactive console providing access to all internal data structures and objects, exposing a rich API for users
– Plugin architecture to operate upon decoded file content (usecases might be to write a decoder for a new RAT found in the wild or to write a custom unpacker for a binary stub, etc.)
– Extracting subfiles and optionally scanning them if needed
– Heuristics to identify suspicious network flows and exe files

The report for each analyzed file can be dumped to disk as a JSON/HTML/PDF. If needed, analysis can be customized via CLI arguments, config file, or interactive console.

Rudra also supports protocol identification, decoding, and normalization. It can analyze embedded URLs and IP addresses within files and gather whois/geolocation information for them. Users can view live mapping of identified hosts and correlate the results from different analysis modules to perform deeper investigation.


VirusTotal.com

presented by

Karl Hiramoto

VirusTotal.com is the free online file and URL scanner that everyone knows. However there are many free features that many users don’t know about such as:
– IP address and domain reputation. See malware files known to be associated with a particular IP address or domain
– Passive DNS info
– Searching on file hash, and related files
– Carbon Black integration
– Static analysis of files, structural analysis of many file types (PE, ELF, APK, ZIP, RAR, MACHO, .NET, office, etc)
– Sandbox dynamic analysis of PE, and APK files
– ROMS, BIOS, and firmware files
– SSDEEP, authentihash, imphash, and other similarity indexes
– Certificate checks on signed files
– Whitelisting of trusted files
– Free desktop scanning applications for Windows and Mac, and open source for compilation on Linux.


VolatilityBot

presented by

Martin Korman

The Volatility Bot-Excavator: effective automation for executable file extraction. Made by and for security researchers.

Part of the work security researchers have to go through when they have to study new malware or wish to analyse suspicious executables, is to extract the binary file and all the different satellite injections and strings decrypted during the malware’s execution. This initial process is mostly manual, which can make it long and incomprehensive.

Enter the Volatility Bot-Excavator. This is a tool developed by and for malware researchers, leveraging the Volatility Framework. This new automation tool cuts out all the guesswork and manual extraction from the binary extraction phase. Not only does it automatically extract the executable (exe), but it also fetches all new processes created in memory, code injections, strings, IP addresses and so on.

Beyond the obvious value of having a complete extraction automated and produced in under one minute, the Bot-Excavator is highly effective against a large variety of malware codes and their respective load techniques. It can take on complex malware including banking trojans such as ZeuS, Cridex, and Dyre, just as easily as it extracts from simpler downloaders of the like of Upatre, Pony or even from targeted malware like Havex.

After the Bot-Excavator finishes the extraction, it can further automate repair or prepare the extracted elements for the next step in analysis. For example, it can repair the Portable Executable (PE) header, prepare for static analysis via tools like IDA, go to a YARA scan, etc.

 

NJ Ouchn
