[Announcement] Blackhat Arsenal USA 2013 – Selected Tools

I’m pleased to announce the selected tools for the upcoming session of Arsenal, which will take place in Las Vegas, Nevada on July 31-August 1, 2013 | 10:00-18:00.

And this year, the Arsenal returns with exciting new changes. One of the most significant is a dedicated room, the “Milano Ballroom”.

The Schedule and more information about Arsenal will be posted later on blackhat.com and toolswatch.org. I will keep you updated.

So, the selected tools (the list is huge and awesome) for this new session are (in no particular order):

OSfooler: Remote OS Fingerprinting is over by Jaime Sanchez

Using commercial tools to secure your network is recommended, but it is necessary to go one step further to keep the system secure. With this technique you can take that step and defend your servers against the first phase of every attack: fingerprinting. This is done by intercepting all traffic that your box sends, in order to camouflage it by modifying in real time the flags in the TCP/IP packets that would reveal your system.

This tool is a practical approach for detecting and defeating:
– Active remote OS fingerprinting: like Nmap or Xprobe
– Passive remote OS fingerprinting: like p0f or pfsense
– Commercial engines like Sourcefire’s FireSiGHT OS fingerprinting

Some features are:
– No need for kernel modification or patches
– Highly portable
– Will emulate any OS
– Capable of handling nmap and p0f fingerprint database (beta phase)
– Transparent for the user
– Undetectable for the attacker
– Available for your Linux laptop, server and mobile device

Sorry guys, remote OS fingerprinting is over.

Registry Inspector Forensics (RIF) by Lodovico Marziale

Registry Inspector Forensics (RIF), based on the widely used Registry Decoder, is a powerful registry forensics platform. It features the ability to acquire and analyze numerous registry hives simultaneously, intelligent search, a plugin-based architecture, both GUI and full command line support and the ability to parse and analyze memory-resident hive files including the volatile hives. This functionality is perfectly suited for forensic investigations, malware analysis, and incident response scenarios. The project is free and open source and under active development.

Dalvik Inspector by Joe Sylve

Dalvik is the process Virtual Machine used by Android that powers all non-native applications used on Android devices. Through Dalvik memory analysis, a wealth of insight can be gained into the workings of a running application, including all instantiated objects (classes) and the variables, methods, and other per-instance class information. Analysis of structures at this level will allow investigators to see internal application-level state in its “native” form. This is an important evolution in state of cutting edge memory forensics, which allows the investigator to move above the kernel level and see higher-level structures in readable form and with broad context.

Our new tool, Dalvik Inspector, provides an easy-to-use graphical interface which allows parsing Dalvik-level constructs from memory captures of Android devices, and facilitates deep, standalone analysis of Android application-internal structures. Dalvik Inspector will be immediately useful for malware analysis, incident response, and traditional forensics investigations.

SocialKlepto by Jason Ding

We will demonstrate two tools: one can launch effective social attacks to conduct corporate espionage, and the other can defend users from such attacks.

The first toolkit, SocialKlepto, can collect valuable competitive intelligence and steal your competitors’ customers without infiltrating their computer networks. SocialKlepto can monitor every social activity of your competitors or any company using a controlled network of fake social accounts, REST APIs, database search, and data analysis. Specifically, the SocialKlepto system can build effective fake LinkedIn accounts, establish trust within business circles, send persuasive invitations in bulk, and monitor every activity of your competitors. Finally, using big data analysis, it can extract valuable information that can turn into sales opportunities and revenue.

The second tool is an open and free Chrome plugin for LinkedIn privacy settings. We will release this defensive tool, which easily helps LinkedIn users check and set their privacy settings, in order to protect them from such social attacks.

Smartphone Pentest Framework by Georgia Weidman

As smartphones enter the workplace, sharing the network and accessing sensitive data, it is crucial to be able to assess the security posture of these devices in much the same way we perform penetration tests on workstations and servers. However, smartphones have unique attack vectors that are not currently covered by available industry tools. The smartphone penetration testing framework, the result of a DARPA Cyber Fast Track project, aims to provide an open source toolkit that addresses the many facets of assessing the security posture of these devices. We will look at the functionality of the framework including information gathering, exploitation, social engineering, and post exploitation through both a traditional IP network and through the mobile modem, showing how this framework can be leveraged by security teams and penetration testers to gain an understanding of the security posture of the smartphones in an organization. SPF can be used as a pivot to gain access to an internal network, gaining access to additional vulnerabilities. SPF can be used to bypass filtering, using SMS to control an exploited internal system. Demonstrations of SPF functionality will be shown.

PyPTP by Matthew Bergin / Core Impact Team

PyPTP is a Python-based Pointer-to-Pointer fuzzer which allows for dynamic mapping of Python modules making calls through ctypes into C/C++ DLLs.

PyPTP boasts a 90-96% code mapping feature that allows you to easily crawl through Python code and extrapolate function calls and the datatypes required to execute those functions.

The cat’s meow by Matthew Bergin / Core Impact Team

The Cat’s Meow is a tool used during our penetration testing which analyzes the most common password schemes seen during the decoding and decryption stage of post-exploitation. The tool reads in a password list of already obtained cleartext passwords and produces the most commonly seen Hashcat masks, which can then in turn be used to more quickly reverse other passwords.
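The mask-frequency idea behind this entry is easy to reproduce for a password-policy audit: map every character of a known cleartext password to its Hashcat character class (?l, ?u, ?d, ?s, ?b), count how often each resulting mask occurs, and rank the masks. The block below is an added example written for this page, not the Cat’s Meow code itself; the password list is constructed sample data, and the function names are my own. It also reports the keyspace of each mask, which tells a defender how little work a structured guess against that pattern would take.

```python
"""Hashcat mask-frequency analysis over a list of cleartext passwords.

Added example for a password-composition audit; not the Cat's Meow tool's code.
All input data below is constructed.
"""
from collections import Counter
import string

# Hashcat built-in character classes and their sizes (for keyspace estimates).
CLASS_SIZE = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?b": 256}


def char_class(c: str) -> str:
    """Map one character to the Hashcat class that would generate it."""
    if c in string.ascii_lowercase:
        return "?l"
    if c in string.ascii_uppercase:
        return "?u"
    if c in string.digits:
        return "?d"
    if c in string.punctuation or c == " ":
        return "?s"  # Hashcat's ?s is the 33 printable specials including space
    return "?b"      # anything else (non-ASCII, control bytes) falls into ?b


def password_to_mask(password: str) -> str:
    """'Summer2013!' -> '?u?l?l?l?l?l?d?d?d?d?s'."""
    return "".join(char_class(c) for c in password)


def mask_keyspace(mask: str) -> int:
    """Number of candidates a mask attack would enumerate for this mask."""
    size = 1
    for i in range(0, len(mask), 2):
        size *= CLASS_SIZE[mask[i:i + 2]]
    return size


def mask_frequencies(passwords):
    """Return [(mask, count, share)] sorted by descending frequency."""
    counts = Counter(password_to_mask(p) for p in passwords if p)
    total = sum(counts.values())
    return [(mask, n, n / total) for mask, n in counts.most_common()]


def coverage(ranked, top_k: int) -> float:
    """Fraction of the list that the top_k most common masks account for."""
    return sum(share for _, _, share in ranked[:top_k])


# Constructed sample of recovered cleartext passwords (not real data).
SAMPLE_PASSWORDS = [
    "Summer2013!", "Winter2012!", "Spring2013!", "Autumn2011!",
    "Company1", "Welcome1",
    "password1", "Pa$$w0rd", "letmein", "qwerty",
]


def audit(passwords=SAMPLE_PASSWORDS, top_k: int = 2):
    """Summarise how pattern-heavy a password population is."""
    ranked = mask_frequencies(passwords)
    return {
        "ranked": ranked,
        "top_k_coverage": coverage(ranked, top_k),
        "keyspaces": {mask: mask_keyspace(mask) for mask, _, _ in ranked},
    }


if __name__ == "__main__":
    report = audit()
    for mask, n, share in report["ranked"]:
        print(f"{mask:<26} {n:>3} {share:6.1%}  keyspace={report['keyspaces'][mask]:,}")
    print(f"top-2 masks cover {report['top_k_coverage']:.0%} of the list")
```

In the constructed sample, four of ten passwords share the single mask `?u?l?l?l?l?l?d?d?d?d?s` (capitalised word, four digits, one symbol), so two masks already cover 60% of the population; a high top-k coverage like that is the audit finding that motivates stronger composition rules or a passphrase policy.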

g0tbeEF by Matthew Bergin / Core Impact Team

g0tbeEF is a multi-threaded, Python-based ARP poisoning tool with an asynchronous queue, using iptables and QUEUE, designed to capture HTTP traffic and inject a BeEF hook.

Kfuzz by Matthew Bergin / Core Impact Team

Kfuzz was my take on kernel level device driver fuzzing with Python. I used Python’s ctypes module to interact with the OS kernel and from there manage memory and make subsequent calls to the driver loaded into the kernel.

Peaches & Cream Pie by Taylor Pennington / Core Impact Team

Peach is the definitive tool used today by Hackers for fuzz analysis. CORE Security wants to take this tool a step further and create a distributed platform with which we can fuzz large amounts of parameters and input. This allows for expeditious return of crashes from the fuzz analyzer. While Peach has the ability to distribute a fuzz job over multiple connections, there is no abstraction layer to manage the process. This is what we have developed using Peach, Python, VirtualBox, and PHP.

WebVerify by Luis Antonio Rosales Marco

WebVerify is a tool that aims to help with recognition, vulnerability scanning and pattern searching based on its own database. Unlike other tools, WebVerify first recognizes whether the target is a CMS before running other exploits… Among its other advantages, WebVerify also provides command scripts to perform common WAF bypass techniques.

ThreadFix by Dan Cornell

ThreadFix is a software vulnerability aggregation and management system that reduces the time it takes to fix software vulnerabilities. It imports the results from dynamic, static, and manual testing to provide a centralized view of software security defects across development teams and applications. The system allows companies to correlate testing results and streamline software remediation efforts by simplifying feeds to software issue trackers. By auto-generating application firewall rules, this tool allows organizations to continue remediation work uninterrupted. ThreadFix empowers managers with vulnerability trending reports that show progress over time, giving them justification for their efforts.

RAFT 3 by Gregory Fleischer

RAFT (Response Analysis and Further Testing) is an open source Python tool designed to assist with web application assessments.

RAFT is based on the embedded WebKit browser features available in PyQT. In today’s modern web applications, page generation is highly dynamic with heavy reliance on JavaScript and asynchronous requests. RAFT uses the built-in web browser support to provide analysis capabilities for stored response information. RAFT can interact directly with the rendered content using the browser DOM and injected JavaScript callbacks. This provides interesting capabilities such as fuzzing for DOM based XSS injections in previously captured responses or simulating Clickjacking attacks.

RAFT is not an inspection proxy, but is rather a tool to complement your testing toolkit. In addition to defining a custom capture XML format, RAFT also supports directly importing from Burp capture and vulnerability files as well as Paros and WebScarab proxy logs. The integrated web browser can be used to perform additional data capture, content examination, spidering, and vulnerability identification and testing.

This Beta release updates the tool to Python 3.3 and latest widely available version of QT. Also featured is an improved command line interface, updated import functionality, and enhanced scan and testing functionality.

RAFT is released under a GPLv3 license.

Lair by Tom Steele

Lair is an open-source project developed for and by pentesters. Built on Meteor and Node.js with a dash of Python, Lair is a web application that normalizes, centralizes, and manages diverse test data from a number of common tools including Nmap, Nessus, Nexpose, and Burp. Unlike existing alternatives, Lair encourages team-based collaboration by automatically pushing updates to team members in real time. Paired with its workflow and documentation management, Lair offers a single solution for performing a detailed, thorough penetration test individually or as a team in a manner that has not been done before.

FSFlow by Pat McCoy

FSFlow is a social engineering telemarketer-style call flow application. A call flow guides the social engineer during the call to their target, providing step-by-step talking points, quick logging of target responses, and an easy way to track pieces of information gained during the call. XML-based call flows allow anyone to create a flow and share it with others so they can reproduce the attack.

Dude, WTF in my car? by Alberto Garcia Illera

The car ECU tuning market is weird. There is little help from people already in it, and most of the equipment is expensive. Well, not anymore! We will show a tool that was built for under $25 and that is able to bypass all the security in the car ECU, based on a BOSCH EDC15 and EDC16, which have RSA 256 and seed/key algorithm protection. We will show live demonstrations of how the tool works, with a logic analyzer and an explanation of all the processes that take place.

Blackhat Arsenal gives a unique opportunity to have a close look at tools, so we will explain the most practical side of our tool instead of going deep into the low-level explanation, to make the most of the BH-Arsenal concept. All of this will help the end user realize that even cars have secrets that can be “unlocked”.

HackRF by Michael Ossmann

The HackRF project is developing an open source hardware design for a low cost Software Defined Radio (SDR) transceiver platform. SDR technology allows a single piece of equipment to implement virtually any wireless technology (Bluetooth, GSM, ZigBee, etc.), and we hope the availability of a low cost SDR platform will revolutionize wireless communication security research and development throughout the information security community. Having distributed hundreds of beta units (HackRF Jawbreaker) and soliciting feedback, Black Hat Arsenal Tools USA 2013 is the first chance to see the next generation hardware design in person.

ThunderCell by Georgia Weidman

ThunderCell is a new all-encompassing mobile security distribution providing the most comprehensive toolset for mobile vulnerability research, exploitation, forensics, and application auditing. The included tools span multiple mobile platforms including Android, iPhone, Windows Phone, BlackBerry, and Software Defined Radio, among others. Created and maintained by mobile researchers, ThunderCell is developed with mobile security practitioners in mind, with everything you need for your next engagement, class, or research project.

Triana by Juan Garrido

I am going to be presenting a new tool for analysing malware or possible threats in certain scenarios where the malware is not accessible or, because of legal requirements, it’s not possible to provide access to the files to the researchers. This is also a good starting point for newcomers and well-established forensic and malware researchers who want to quickly analyse possible threats.
In my talk we’ll start with the current status of malware analysis. Companies that cannot afford having a security team dealing with incoming threats still want to be responsive against targeted attacks. How can they do it? How can we provide them with a solution to prevent infections?
Although this is a good start, people will sometimes find themselves without access to all the information… even without access to the file! How can we do the previously presented analysis if we cannot access the faulting file? We’ll present different solutions to obtain enough information about the malware using only publicly available information.
Finally we’ll present Triana, a tool for collecting and analysing all this information and integrating it into a report (DOCX and JSON) that will consolidate the results and provide a score about the malware threat.

An example report can be found here:

Sparty by Aditya K. Sood

Sparty is an open source tool written in Python to audit web applications using SharePoint and FrontPage architecture. The motivation behind this tool is to provide an easy and robust way to scrutinize the security configurations of SharePoint and FrontPage based web applications. Due to the complex nature of this web administration software, it is necessary to have a simple and efficient tool that gathers information, checks access permissions, dumps critical information from default files and performs automated exploitation if security risks are identified. A number of automated scanners fall short of this, and Sparty is a solution to that. In the first release, Sparty is capable of performing the following tasks:

• Checking access permissions of SharePoint inherent webpages and directories
• Checking access permissions for deployed FrontPage extensions and directories
• Dumping passwords from misconfigured default files
• Information gathering from the configured SharePoint and FrontPage extensions
• Automated exploitation of vulnerable configurations of SharePoint and FrontPage architectures

Sparty is a tool that provides complete information regarding SharePoint and FrontPage environments to design threat models, which greatly assists penetration testers in manual verification of flaws. Sparty is really helpful in time-critical security assessments.

Note: The tool was written when I found it really hard to test each and every component of this web administration software.

Automated Electromechanical PIN Cracking: R2B2 and C3BO by Justin Engler

Password and PIN systems are often encountered on mobile devices. A software approach to cracking these systems is often the simplest, but in some cases a pen tester or forensic investigator may have no better option than to start pushing buttons.
Robotic Reconfigurable Button Basher (R2B2) is a robot designed to manually brute force PINs or other passwords via manual entry. R2B2 can operate on touch screens or physical buttons. R2B2 can also handle more esoteric lockscreen types such as pattern tracing. R2B2 can crack a stock Android 4 digit PIN exhaustively in 20 hours. Times for other devices vary depending on lockout policies and related defenses.

Capacitive Cartesian Coordinate Bruteforcing Overlay (C3BO) is a combination of electronics designed to electrically simulate touches on a capacitive touch screen device. C3BO has no moving parts and can work faster than R2B2 in some circumstances.
Both tools are built with open source software. Parts lists, detailed build instructions, and STL files for 3d printed parts will be available for download.

R2B2 and C3BO will be running against live devices at the kiosk!

Watobo by Andreas Schmidt

WATOBO is a security tool for web applications. It is intended to enable security professionals to perform efficient (semi-automated) web application security audits.

Most important features:
* WATOBO has Session Management capabilities! You can define login scripts as well as logout signatures. So you don’t have to login manually each time you get logged out.
* WATOBO can act as a transparent proxy (requires nfqueue)
* WATOBO can perform vulnerability checks out of the box
* WATOBO can perform checks on functions which are protected by Anti-CSRF-/One-Time-Tokens
* WATOBO supports Inline De-/Encoding, so you don’t have to copy strings to a transcoder and back again. Just do it inside the request/response window with a simple mouse click.
* WATOBO has smart filter functions, so you can find and navigate to the most interesting parts of the application easily.
* WATOBO is written in (FX)Ruby and enables you to easily define your own checks
* WATOBO runs on Windows, Linux, MacOS … every OS supporting (FX)Ruby
* WATOBO is free software ( licensed under the GNU General Public License Version 2)
* It’s by siberas 😉

OWASP Xenotix XSS Exploit Framework by Ajin Abraham

Xenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in Web Applications. It is basically a payload-list-based XSS Scanner and XSS Exploitation kit. It has the world’s second largest XSS payload list. It provides a penetration tester the ability to test all the XSS payloads available in the payload list against a web application to test for XSS vulnerabilities. The tool supports both manual mode and automated time-sharing based test modes. The exploitation framework in the tool includes an XSS encoder, a victim-side XSS keystroke logger, an Executable Drive-by downloader and an XSS Reverse Shell. These exploitation tools will help the penetration tester to create proof of concept attacks on vulnerable web applications during the creation of a penetration test report.

ShinoBOT/ShinoC2 by Shota Shinogi

A RAT (remote administration tool) and C2 (command/control) server for measuring a target company’s may or may not provide enough insight, especially when simulating a highly focused attack. After launching the RAT, control will be established by the C2 server.
The attacker can do everything through the C2 server:
- Get Local File
- Download & Exec
- Exec a command on cmd.exe, etc.

iocwriter_11 by William Gibb

With the impending release of the OpenIOC 1.1 format for sharing threat intelligence, Mandiant will be releasing a set of open source tools for creating and manipulating OpenIOC objects and moving data in and out of the OpenIOC format.

Demonstrations will cover how the tools can be used to create and modify OpenIOC documents, show how it is possible to store Snort and Yara signatures in OpenIOC format and convert those OpenIOC documents back into their native formats. In addition, the integration of these tools into other open source applications will be demonstrated with tools that can automatically extract IOCs from unstructured content.

OWASP Broken Web Applications VM by Chuck Willis

The Open Web Application Security Project (OWASP) Broken Web Applications project (www.owaspbwa.org) provides a free and open source virtual machine loaded with web applications containing security vulnerabilities. This session will showcase the project VM and exhibit how it can be used for training, testing, and experimentation by people in a variety of roles.

Demonstrations will cover how the project can be used by penetration testers who discover and exploit web application vulnerabilities, by developers and others who prevent and defend against web application attacks, and by individuals who respond to web application incidents. New features and applications in the recently released version 1.1 of the VM will also be highlighted.

Mandiant Redline by Theodore Wilson

Redline, Mandiant’s premier free tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile. With Redline, users can:
• Thoroughly audit and collect all run processes, audit data, and memory images.
• Analyze and view imported audit data, including narrowing and filtering results around a given timeframe using Redline’s Timeline functionality with the TimeWrinkle™ and TimeCrunch™ features.
• Streamline memory analysis with a proven workflow for analyzing malware based on relative priority.
• Identify processes more likely worth investigating based on the Redline Malware Risk Index (MRI) score.
• Perform Indicator of Compromise (IOC) analysis. Supplied with a set of IOCs, the Redline Portable Agent is automatically configured to gather the data required to perform the IOC analysis and an IOC hit result review.

JMSDigger by Gursev Singh Kalra

JMSDigger is a new tool that can be leveraged to engage and assess enterprise messaging applications; the current release focuses on ActiveMQ. JMSDigger has the following features:
1. Validate credentials and perform credential bruteforce
2. Dump destinations (topics, queues and queue browsers)
3. Create, dump and delete durable subscribers
4. Perform anonymous authentication
5. Password Decryption
6. Retrieve Statistics for Broker, Topic and Queues
7. Create dynamic queues and topics

Invoke-ReflectivePELoader PowerShell script by Joe Bialek

PowerShell is a powerful scripting language which has the capability to run scripts on remote systems without writing to disk.

Invoke-ReflectivePEInjection is a PowerShell script which can reflectively load and execute a Windows PE file such as an EXE or DLL inside the PowerShell process on a remote computer without writing to disk. This is accomplished by (partially) rewriting in PowerShell the Win32 functionality which loads EXEs/DLLs.

The script allows a penetration tester to:
- Execute EXEs/DLLs on remote computers without writing to disk (detection is extremely difficult)
- Execute existing tools inside the PowerShell process (potentially bypassing application whitelisting)
- Hide reflectively loaded EXEs/DLLs from tools such as ListDLLs, which lists all loaded DLLs
- Bypass antivirus by never writing anything to disk; everything happens in memory using PowerShell remoting

A beta version of the script is currently available for download on GitHub at: https://github.com/clymb3r/PowerShell. The final version will be a part of PowerSploit (and hopefully synced into Kali Linux).

iMAS – iOS Mobile Application Security libraries by Gregg Ganley / Shawn Valle

iOS application security can be much stronger and easier for developers to find, understand and use. iMAS (iOS Mobile Application Security) is a secure, open source iOS application framework research project focused on reducing iOS application vulnerabilities and information loss. Today, iOS meets the enterprise security needs of customers; however, many security experts cite critical vulnerabilities and have demonstrated exploits, which in turn pushes enterprises to augment iOS deployments with commercial or custom solutions. The iMAS intent is to protect iOS applications and data beyond the Apple-provided security model and reduce the adversary’s ability and efficiency to perform recon, exploitation, control and execution on iOS mobile applications. iMAS has released five security controls (and is researching many more) for developers to download and use within iOS applications. This talk will walk through various iOS application vulnerabilities, iMAS security controls, and the OWASP Mobile Top 10 and CWE vulnerabilities addressed.

HTExploit by Matias Katz

HTExploit is an open-source tool written in Python that exploits a weakness in the way that htaccess files can be configured to protect a web directory with an authentication process. By using this tool anyone would be able to list the contents of a directory protected this way, bypassing the authentication process.

Drozer (formerly known as Mercury) by Tyrone Erasmus and Daniel Bradberry

Drozer, previously known as Mercury, is the de facto tool for vulnerability-hunting on Android phones and in marketplace apps. In these demonstrations we are launching the new version of Drozer: one that has been extended to be a full-on, open-source exploitation framework for Android.

Sporting remote exploits for compromising Android devices and shipped with payloads that transcend your average reverse shell, this framework is first of its breed for Android. Drozer also provides standard shellcode that can be used by exploit developers to integrate their Android exploits into the Drozer framework.

Various devices will be pwned in these demonstrations, showing how Drozer can be used for initial targeted entry of a device to deploy a Drozer agent. Then, the post exploitation fun can begin: dumping of personal information, taking screenshots, stealing pictures, recording from the microphone and root are all possible.

The best part about all of this work is that it is an open-source project that cherishes submissions from the community.

Dependency-Check by Jeremy Long

Does your application have dependencies on 3rd party libraries? Do you know if those same libraries have published CVEs? Dependency-Check, an OWASP project, can help by providing identification and monitoring of application dependencies. The core engine can scan the libraries and will create an inventory of all the dependent libraries and whether or not there are any published CVEs. Dependency-Check’s new build plugins will be demonstrated as well as how the tool can be used to perform continuous monitoring of your applications and their dependencies.

SimpleRisk by Josh Sokol

As security professionals, almost every action we take comes down to making a risk-based decision. Web application vulnerabilities, malware infections, physical vulnerabilities, and much more all boil down to some combination of the likelihood of an event happening and the impact of that event. Risk management is a relatively simple concept to grasp, but the place where many practitioners fall down is in the tool set. The lucky security professionals work for companies who can afford expensive GRC tools to aid in managing risk. The unlucky majority out there usually end up spending countless hours managing risk via spreadsheets. It’s cumbersome, time consuming, and just plain sucks. After starting a Risk Management program from scratch at a $1B/yr company, I ran into these same barriers and, where budget wouldn’t let me go down the GRC route, I finally decided to do something about it. At BlackHat 2013, I would like to formally debut SimpleRisk, a simple and free tool to perform risk management activities. Based entirely on open source technologies and sporting a Mozilla Public License 2.0, a SimpleRisk instance can be stood up in minutes and instantly provides the security professional with the ability to submit risks, plan mitigations, facilitate management reviews, prioritize for project planning, and track regular reviews. It is highly configurable and includes dynamic reporting and the ability to tweak risk formulas on the fly. It is under active development with new features being added all the time and can be downloaded at http://www.simplerisk.org. SimpleRisk is truly Enterprise Risk Management simplified.

Binfuzz.js by Artem Dinaburg

Binfuzz.js is a library for fuzzing structured binary data in JavaScript. Structured binary data is data that can be easily represented by one or more C structures: it is composed of fixed size fields and any variable length fields are counted by another structure member. Numerous network and file formats are structured binary data, including SSL, DNS, and most image formats. Things that aren’t structured binary data include languages (such as HTML or JavaScript) or text-based protocols (such as HTTP) or text-based file formats (such as PDF). A live example will be shown using Binfuzz.js to generate Windows ICO files to stress a browser’s icon parsing and display code. ICO is a complex format that contains images of different sizes for optimal display based on context. Binfuzz.js will try generating edge cases such as an icon with 0xFFFF images of size 0xFFFFFFFF by 0xFFFFFFF, and cases such as saying that there are 128 images but only supplying data for one, among many other permutations. It is the author’s hope that others will extend binfuzz.js for other use cases.

TinyLane by Rob Bathurst

The TinyLANE™ is a small mobile encryption device developed by Peak Security, Inc. to allow individuals and businesses to create instant AES256 point-to-point tunnels between two or more TinyLANEs, utilizing individual keys for each connection. The TinyLANE™ is capable of functioning on most hardware platforms including ARM, x86, and 64-bit based processors, in addition to throughput at near line speed on most connections up to 10 Gigabit.

HookMe by Manuel Fernandez

HookMe is software designed for intercepting communications by hooking the desired process and hooking the API calls for sending and receiving network data. HookMe provides a nice graphical user interface allowing you to change the packet content in real time, dropping or forwarding the packet. It also has a Python plugin system to extend the HookMe functionality.

It can be used for a lot of purposes such as:

  • Analyzing and modifying network protocols
  • Creation of malware or backdoors embedded into network protocols
  • Protocol vulnerability memory patching
  • Firewall at the protocol layer
  • As a post-exploitation tool
  • Whatever you can create with plugins using your imagination

P.i.c.h.u by Michael Hudson

Facebook Graph API Users ID (and others) Information Disclosure

# Exploit Title : Facebook Graph API Users ID (and others) Information Disclosure- OAuthException-

# *Vendor*: Facebook.com

The Graph API is the primary way that data is retrieved from or posted to Facebook. The Getting Started Guide contains an overview of the basics of the API, walks you through using the Graph API Explorer, shows you how names work, how permissions work, what connections are and puts it all together so the rest of this reference makes sense.

Anyone can access the data of ANY user due to the information disclosure produced by the “Graph API”, because of the functionality that has been given to this API for developers.
The “excess” functionality provided in this API exposes users’ data without any need for it; any malicious attacker can compile information about the target.
It is possible to identify people according to their id, as will be seen in the proof of concept, and the insecure HTTP protocol also makes it vulnerable to a brute-force attack.

Armitage – A Scriptable Red Team Collaboration Tool by Raphael Mudge

Armitage is a scriptable red team collaboration tool built on top of the Metasploit Framework. Through its programming language, Cortana, it is possible to integrate outside tools into Armitage's workflow and make them available in a team-friendly way. This demonstration will introduce Armitage's collaboration features and highlight Cortana's improved abilities to integrate tools into Armitage's collaboration architecture.

Vega by David Mirza Ahmad

We will be exhibiting Vega 1.0.

Vega is a GUI-based, multi-platform, free and open source web security scanner that can be used to find instances of SQL injection, cross-site scripting (XSS), and other vulnerabilities in your web applications. Vega also includes an intercepting/scanning proxy for interactive web application debugging and fuzzing.

One of the most interesting features of Vega is that its modules (fuzzing, signature detection) are written in JavaScript, so users can easily modify them or write their own.

The Vega web vulnerability scanner runs on Linux, Windows, and OS X.

Vega is released under the EPL 1.0 and can be downloaded from the Subgraph website, http://www.subgraph.com.

ice-hole by Darren Manners

Ice-Hole 1.4 is a new update of the 1.0 tool. Version 1.3 brings BYOD targeting via user agents, scheduling of phishing emails from a bank of templates, executable injection via JavaScript, and the ability to clone websites from a URL with keystroke logging on them.
Ice-Hole is a phishing awareness email program. It is designed to help security analysts and system administrators keep track of and test end users. The tool can be used in conjunction with various third-party software, such as SET, for further leverage.

Sphere of Influence 3.2 by Darren Manners

The purpose of Sphere of Influence was to address the shortcomings of visualizations with regard to tactical awareness. The IP address-to-geographical-location and organization mapping was designed to aid in the removal of false positives. It also provides details about location, latitude/longitude and organizational information. It addressed the fact that the majority of attacks were coming from the United States and China, or from countries with high levels of broadband access.

De-Cloak by Darren Manners

De-Cloak is designed to extract HTTP user agents from PCAP files and store known user agents in a database. Hackers often hide wget or other HTTP requests by using well-known user agents. However, if we change our own user agents (perhaps via a GPO), we can start to investigate what stands out. Simple but effective.
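The detection idea above, written out as an added example (this is not De-Cloak's own code). It assumes the HTTP request payloads have already been reassembled from the capture (real PCAP parsing is outside the snippet), extracts each User-Agent header, stores per-source counts in a SQLite database, and reports every agent that does not match the organization's GPO-assigned set. The sample requests, IPs and agent strings are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample: raw HTTP request payloads as they would be reassembled
# from a PCAP, paired with the internal client IP that sent them.
SAMPLE_REQUESTS = [
    ("10.0.0.11", b"GET / HTTP/1.1\r\nHost: intranet.example\r\n"
                  b"User-Agent: CorpBrowser/1.0 (GPO-tagged)\r\n\r\n"),
    ("10.0.0.11", b"GET /news HTTP/1.1\r\nHost: intranet.example\r\n"
                  b"User-Agent: CorpBrowser/1.0 (GPO-tagged)\r\n\r\n"),
    ("10.0.0.12", b"GET /news HTTP/1.1\r\nHost: intranet.example\r\n"
                  b"User-Agent: CorpBrowser/1.0 (GPO-tagged)\r\n\r\n"),
    # A stock wget agent: not what the GPO pushes to managed desktops.
    ("10.0.0.13", b"GET /download HTTP/1.1\r\nHost: 203.0.113.7\r\n"
                  b"User-Agent: Wget/1.14 (linux-gnu)\r\n\r\n"),
    # A generic browser agent that blends in on the Internet but not here.
    ("10.0.0.14", b"GET /update HTTP/1.1\r\nHost: cdn.example\r\n"
                  b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)\r\n\r\n"),
    # Request without any User-Agent header at all.
    ("10.0.0.11", b"POST /api HTTP/1.1\r\nHost: intranet.example\r\n"
                  b"Content-Length: 0\r\n\r\n"),
]

# The agent string the (hypothetical) GPO assigns to managed browsers.
KNOWN_AGENTS = {"CorpBrowser/1.0 (GPO-tagged)"}

# Header names are case-insensitive; the value runs to the end of the line.
UA_RE = re.compile(rb"^User-Agent:[ \t]*(.*?)[ \t]*\r?$",
                   re.IGNORECASE | re.MULTILINE)


def extract_user_agent(payload: bytes):
    """Return the User-Agent value of a raw HTTP request, or None if absent."""
    head, _, _ = payload.partition(b"\r\n\r\n")  # search the header block only
    m = UA_RE.search(head)
    return m.group(1).decode("latin-1") if m else None


def build_agent_db(requests):
    """Store (source IP, user agent, hit count) rows in an in-memory SQLite DB."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE agents (src TEXT, ua TEXT, hits INTEGER, "
               "PRIMARY KEY (src, ua))")
    for src, payload in requests:
        ua = extract_user_agent(payload)
        if ua is None:
            continue  # nothing to record; an absent header is itself worth a look
        db.execute("INSERT OR IGNORE INTO agents VALUES (?, ?, 0)", (src, ua))
        db.execute("UPDATE agents SET hits = hits + 1 WHERE src = ? AND ua = ?",
                   (src, ua))
    db.commit()
    return db


def find_outliers(db, known=KNOWN_AGENTS):
    """Return (src, ua, hits) rows whose agent is not in the sanctioned set."""
    rows = db.execute("SELECT src, ua, hits FROM agents ORDER BY src, ua").fetchall()
    return [row for row in rows if row[1] not in known]


def hits_for(db, src):
    """Total recorded requests with a User-Agent header from one source IP."""
    row = db.execute("SELECT COALESCE(SUM(hits), 0) FROM agents WHERE src = ?",
                     (src,)).fetchone()
    return row[0]


if __name__ == "__main__":
    db = build_agent_db(SAMPLE_REQUESTS)
    for src, ua, hits in find_outliers(db):
        print(f"{src}  {hits:3d}  {ua}")
```

The point of keeping the sanctioned set small is that any stock agent, however common on the public Internet, becomes the odd one out inside the network; the database lets you later query by source host or agent string rather than re-reading captures.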

SET – Social Engineering Toolkit by David Kennedy

Deep Dive into The Social-Engineer Toolkit – Let's take a deep dive into the newest, brand spanking new version of the Social-Engineer Toolkit (SET). This talk will demonstrate the effectiveness of targeted attacks and how easy it is to circumvent today's technology effortlessly. Learn from the creator of SET the most effective way to perform targeted attacks.

ModSecurity by Ryan Barnett

ModSecurity is a cross-platform (Apache, IIS and Nginx), open source web application firewall module maintained by the Trustwave SpiderLabs Research Team. Its popularity is mainly due to its powerful rules language, which gives security personnel a means to quickly develop defenses for emerging attack scenarios or virtual patches for identified web application vulnerabilities. Along with its Lua API and data modification capabilities, it provides unparalleled flexibility for custom integrations and security logic. This Arsenal demo includes many live setups where Black Hat attendees will be able to play with the ModSecurity defenses and try to evade its detections.

ShellNoob by Yanick Fratantonio

Writing shellcode is usually really fun, but some parts are boring, error-prone, and insanely difficult to debug without the proper arsenal. ShellNoob is a tool that eases the writing and debugging of shellcode by taking care of all the parts that even a noob could do, leaving only the fun part for the artist.

ShellNoob can convert shellcode from and to many different formats: asm (both Intel and AT&T syntax), bin, hex, object, executable, C, Python, bash, Ruby and pretty. It can also automatically resolve the numeric value of all the constants (e.g., O_RDWR) and, similarly, of all the syscalls: as this is performed by generating and executing code on the fly, it is easy to extend this feature to a variety of architectures. A debug switch is implemented as well, which conveniently puts a breakpoint at the beginning of the shellcode: with that, it is immediate to assemble the shellcode and have gdb ready to single-step into it. Finally, ShellNoob comes with an interactive opcode-to-binary (and binary-to-opcode) conversion mode, where one can quickly check which bytes a given instruction assembles to: this is really valuable when specific bytes cannot be used to successfully exploit a vulnerable program.

As it would be pointless to have a handy tool that requires hours to be properly set up, ShellNoob has been designed to be the most portable and flexible tool ever: it only relies on as/gcc/objdump and Python! It has already been successfully tested on x86/x86_64/ARM, Linux/FreeBSD, and even on a Raspberry Pi! The tool is also uber-easy to deploy: ShellNoob is just one self-contained Python script. You push the file onto the target machine, and you are done.

A nice set of "starting points" is included as well. Besides a set of simple shellcode, ShellNoob comes with some handy scripts that automatically extract the register set and a comprehensive list of valid assembly instructions for a given architecture: in this way, the writer will not lose time guessing the correct syntax for a specific assembly instruction. Moreover, even though ShellNoob comes with some already generated lists, the heuristics used are general and can easily be ported to work with other, less-known platforms.

VScan by Federico Massa

Usually, after we have performed a Vulnerability Assessment in our organisation, we continue our work by developing a plan of security improvements, with the ultimate goal of reducing risk and threats and being in conformity with security policies and requirements.

This security improvement plan can be difficult to carry out on time if we cannot measure our progress in a simple way and simplify the process of resolving vulnerabilities.

To address these issues we developed VScan, an open source Vulnerability Management System.

Viproy VoIP Penetration and Exploitation Testing Kit by Fatih Ozavci

Viproy VoIP Pen-Test Kit is developed to improve the quality of SIP penetration tests. It provides an authentication feature that helps to create simple tests. It includes 7 different modules with authentication support: options tester, brute forcer, enumerator, invite tester, trust analyzer, proxy and registration tester. All attacks can be performed before and after authentication to fuzz SIP services and value-added services.

Xenotix xBOT by Ajin Abraham

Xenotix xBOT is a powerful cross-platform (Linux, Windows, Mac) bot written in Python that uses certain Google services as the Command & Control center for the botnet. The bot works flawlessly with the single requirement of a decent internet connection. The xBOT's communication is encrypted, as it uses Google's own SSL connection, and it is not affected by firewalls or your ISP's tricky network configurations.


NJ Ouchn

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"