Blackhat Europe 2013 Arsenal Tools Event Wrap-up

I finally found time to write a wrap-up about the activities of the Arsenal Tools Event during the last session of Blackhat Amsterdam Europe 2013.

While there has been a little change of scenery. Indeed, Arsenal shared a dedicated room with our friends from the OWASP Netherlands. It was a rewarding experience and little painful because of the skills with which Martin Knobloch (@knoblochmartin) handles the OWASP Rockets. The speakers had a projector to share their screens. It is always impressive to see a tool rocking the stage in wide screens. While there has been some minor annoyances certainly due to the room locality. This was fixed by OWASP hacker Samantha Groves (@SamanthaOWASP) that put signs everywhere so people find the place easily. Fortunately, Ping Look (@vlkyri ) is always in the vicinity to give us a helping hand by retweeting the event in-progress.

OWASP Rocket.

No Hackers were harmed during the OWASP Rockets War (Photo Courtesy of Seb. Gioria I think)

For this fourth edition of the Arsenal (yes, already the 4th edition, dear how time flies by so fast), the quality of demos and speakers speak for themselves. 9 tools were presented over a period of 2 days. Here is a short summary of this fabulous adventure.

DAY 1

The starting signal was given by Xinyu Xing student researcher at the University of Georgia Institute of Technology. It’s about a Google Extension called “Bobble“. It is a working proof of concept to demonstrate the approach of ‘Filter Bubble’ (http://en.wikipedia.org/wiki/Filter_bubble) coined by the Internet activist Eli Pariser (http://en.wikipedia.org/wiki/Eli_Pariser). In fact, the “Bobble” tool takes as example Google to highlight, according to information about the users ( location, history …), how results provided are quite different.

Xinyu with Ajit Hatti (Co-Founder of NullCon)

Case Study: Negative opinions on some U.S. companies are never shown to an US user. Here where Bobble magic comes into play by revealing piece of information not accessible to this specifi US user (this is just an example. It’s applied to any circumstance). Booble is certainly a pun to describe the action of “poping Bubbles”.

Bobble on Wide Screen (See the map and colorful bubbles, that’s Bobble)

The project page for Bobble http://bobble.gtisc.gatech.edu/.
By the way, Xinyu told me that Google team have contributed to this project so there’s nothing illegal for using it.

For two sessions, we had the honor to receive and for the first time Phil Polstra hacker and computer security professor at the University Dubuque in the state of Iowa . Dr. Phil did in presenting original work. The Deck: A small distribution of Pentesting set of tools completely running over hardware “BeagleBoard“. You understand that the ingenuity of the project is not in the myriad of security tools but in the hardware hacking and fabulous things we can do with embedded systems with size of a credit card.

Dr Phil proudly exhibiting The Deck (Photo Courtesy of Ajin Abraham)

Dr. Phil also made the demo of a distributed radio communication with several drones. Imagine a distributed pentest drones each had a particular task (password cracking, scanning, Exploiting …). Due to their low power consumption and low prices, it was possible to create an effective attack system. Cost of operation: a fistful of dollars, a few lines of Python, a lot of imagination and a tremendous moment of fun.

Dr. Phil also talked about possible projects with this kind of hardware. The following Dr Phil’s awesome idea caught my attention. Imagine a miniature helicopter with camera and sensor built with a Beaglebone hardware. It could be leveraged to do remote Social Engineering by landing on the building roofs of some secured facilities. Then, launch some tasks such as “scanning wifi, cracking, probing IPs etc etc …”. You might wonder what the Sensor is for ? The sensor will be very useful if someone get closer your helicopter. The Takeoff is imminent then.

Before you embark onto crazy projects, look at this page http://beagleboard.org/project. Some projects are already made. According to Phil Polstra, Your imagination is the only limit for the all hacks you can do with BeagleBoards & BeagleBones.

Dr. Phil Polstra maintains a blog with all his research and activities. The Deck hardware and code are available at this location http://ppolstra.blogspot.fr/2012/09/introducing-deck-complete-pentesting.html

The 3rd tool was devoted to the network communication interception by hooking the appropriate APIs and processes used when sending and receiving information. HookMe made its debut in beta and it’s developed by the discreet Manuel Fernandez. Manuel is one of the developers of the famous project OSINT FOCA (http://www.informatica64.com/foca.aspx). (Yeah, we still fear the Foca !!)

HookMe neat UI.

In a few clicks, Manuel has shown us how easy it was to intercept the communication of certain applications such as MySQL and by the way inject a backdoor on the fly. Indeed HookMe is flexible and allows plugins integration (plugins are written in Python).

A template for creating plugins is given https://code.google.com/p/hookme/source/browse/trunk/hookme/hook/Scripts/MySQL_Backdoor.txt . It can inspire you to craft your own add-ons. Just give it a try. There are still things to do.

Audience attending HookMe Session

Several features are coming up for next releases. The plugins database will be expanded to add more add-ons. According to Manuel, HookMe should be interfaced with 3rd parties Malware analysis tools.

The tool and its source code are available here http://code.google.com/p/hookme/

For mobile systems and smartphone Hackers, the Blackhat Arsenal 2013 was particularly rich with two frameworks. The first was presented on the Day #1 by the fabulous team of Project Mercury. For more than 90 minutes (2 sessions), Tyrone showed brilliantly how easily Mercury can analyze vulnerabilities over an Android based smartphone. Mercury is incredibly well developed and recalls unequivocal Metasploit.

In fact, I called Mercury “The Metasploit for Android Plateform“. If you are enough comfortable with the Metasploit console, then the hands-on Mercury will be effortless. Nevertheless, one must understands the minimum security model of Android before embarking on security assessment or hacking. To be honest, Mercury is dedicated to those who have knowledge about the Android architecture. It is always possible to learn and hopefully the project has a solid documentation to rely on http://labs.mwrinfosecurity.com/tools/2012/03/16/mercury/

Tyrone has also explained the mistakes that most developers fall into when designing their Android apps. Therefore, it is not the Android security model that is challenged but the developers lack of the Security Development Lifecycle. At this juncture, the OWASP folks remind us they are always around willing to educate and help. Everyone bows in a religious silence.

Tyrone has demonstrated several types of attacks from bypassing permissions to launching remote exploit “à la Metasploit” 🙂

Exploiting an Android and take a photo with hacked Smartphone 🙂

The project and documentation are available here http://labs.mwrinfosecurity.com/tools/2012/03/16/mercury/. Also Take time to read the exploit of the team at EusecWest Mobile Context http://dvlabs.tippingpoint.com/blog/2012/10/05/eusecwest-mobile-pwn2own-2012-recap Pwn2Own

The first day ends gently with my friend Xavier Mertens alias @xme . The simplest ideas can lead to impressive success. This is the case for CuckooMX. By leveraging the capabilities of Cuckoo Sandbox (discussed later), Xavier has succeeded in creating a tool to check attachments enclosed with your mailboxes. For information, security company FireEye provides this feature but at higher cost. With Xavier’s hack, few lines of perl were enough to achieve this goal. This tool was unanimous amongst those who followed his old school demo 🙂

Xavier demonstrating how CuckooMX extracts and analyzes attachements (Live on remote servers)

Xavier had introduced another tool http://www.leakedin.com/ and pastemon https://github.com/xme/pastemon last year during the Arsenal. He also maintains an excellent blog http://blog.rootshell.be known for the security conferences and conventions wrap-ups as like you were there.

CuckooMX is accessible here https://github.com/xme/cuckoomx

After a long night with all those hackers at Rapid7 & IOActive Parties (Thanks guys for your parties). It’s always fun to meet new folks and shake their hands timidly before realizing that they are virtual good friends and followers . Partying is still the good excuse to make social networking and especially put faces on twitter handles. Please Blackhat Team, add Twitter handles on badges.

DAY 2

The second day started hardly due to the very short night we all had (Thanks again Rapid7 and IOActive). To wake us up, my friend Nikhil Mittal has launched the heavy artillery: How to turn PowerShell into a perfect weapon for Pentesting and malware analysis. It was an opportunity to demo Prasadhak that collects the MD5 signatures of running windows processes and compare them with signature database provided by VirusTotal. This tool is written with Powershell v3 because this version has better JSON support. Indeed, the VirusTotal API returns its data in JSON format.

Subsequently, Nikhil made demos about bypassing AV and getting credentials by leveraging Nishang bundle of pentesting scripts. By the way, Nikhil has already performed at Arsenal in Vegas. The concept is simple, during a pentest all means are permitted (within the limits of the contract you signed with your customer) to bypass the defensive layers (if any) and compromise the network. Nishang collection provides a set of scripts to perform various advanced hacking tasks.

Nikhil maintains a blog with all his tools and research http://labofapenetrationtester.blogspot.fr/. Prasadhak Download http://labofapenetrationtester.blogspot.fr/2013/01/introducing-prasadhak.htmlNishang Download http://code.google.com/p/nishang/

The majority of pentesters could miss the power of XSS exploitation and post-exploitation. In fact by leveraging some techniques, XSS vulnerability can be the first step to compromise the whole inside network. Now thanks to the tremendous work of Ajin Abraham, you can go further in security testing with a simple XSS vulnerability. Throughout the description given here, it is not enough to describe the amazing stuffs you can do with OWASP Xenotix XSS Exploit Framework .

The word “Framework” makes sense when Ajin demonstrated the capabilities of Xenotix to scan and exploit XSS by injecting payloads in the Metasploit way.

I begin to think that Metasploit opens a new era in the development model of the security software. And so much the better, because OWASP Xenotix is well designed, modular (contains modules for scanning, exploitation and more) and ships with the largest XSS payloads database. Another remarkable fact Xenotix source code will be made available under open source license shortly.

Besides take your time to familiarize with the tool through videos made available by the author or otherwise do not miss the next demo at the Arsenal Blackhat event.

OWASP Xenotix is available here https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework

Today all security analysts will agree that the best open source software to achieve a malware analysis is by the far the Magnificent Cuckoo Sandbox. Rapid7 has selected it to be part of the consortium of Open Source projects humbly called “Magnificent7” https://community.rapid7.com/community/open_source/magnificent7

Cuckoo Sandbox was presented by one of the authors Claudio who demonstrated the latest development version (0.6dev). First, he went through the basic functionalities and then switched to a more technical case study (malware sample analysis).

The tool is very flexible and should be the keystone of your malware analysis lab or leverage its API to achieve specific tasks (eg Cuckoo MX). Claudio has also demonstrated the use of signatures and the ability to customize and to share them with the community. Hence, a repository exists and maintains signatures database https://github.com/cuckoobox/community/tree/master/modules/signatures

The following documentation will assist you to create your first signature http://docs.cuckoosandbox.org/en/latest/customization/signatures/

The Cuckoo Sandbox page is available here www.cuckoosandbox.org. Take time to read the documentation to set up your lab. However you are lazy, there is still a possibility to use Cuckoo as SaaS here https://malwr.com/

And to close the Arsenal session in style, Georgia Weidman was back with the so famous open source tool SPF Smartphone Pentesting Framework. The first thing you notice when the tool starts is the striking resemblance with the SET (Social Engineering Toolkit) menu. Moreover, Georgia has repeatedly mentioned this resemblance. Nevertheless, I assure you the functionalities and purpose are not the same. Although some attacks leveraged the Social Engineering to exploit users gullibility.

The approach of SFP compared to Mercury is different. Although Mercury is specific to Android, SPF is rather comprehensive. The tool has several modules to exploit remote and local vulnerabilities, to perform client side attacks and to craft social engineering payloads.

The project is available on this page http://www.bulbsecurity.com/smartphone-pentest-framework/
To download https://github.com/georgiaw/Smartphone-Pentest-Framework
it is also available on BackTrack