Blackhat Arsenal USA 2013 Wrap-Up Day 2

Blackhat Arsenal USA 2013 Wrap-Up Day 2

After the first day at Arsenal (, the night was very long because of all those parties planned by various vendors to entertain folks.

 View from some Party late at Night

The parties at Blackhat are a great excuse to socialize and “break the ice” and conclude on few technical discussions around a glass. But I assure you the technical discussions do not last long, giving way to some fun things.

Once recovered from the parties, the craziness of the City and the madness of the first day at the Arsenal, we are ready to welcome a new wave of tools.


Wave 1: Those demos took place from 10:00 to 12:30

Station 1 : Ice-hole

Ice-Hole 1.4 is a new update for the tool which brings BYOD targeting via user agents, scheduling of phishing emails from a bank of templates, executable injection via javascript, and can clone websites based upon a URL to include keystroke logging.


Darren wisely demoing his tools

Ice-Hole is a phishing awareness email program. It is designed to help security analysts/System Administrators keep track and test end users. The tool can be used in conjunction with various third party software like SET for further leverage.

Demo byDarren Manners
Version demoed at Blackhat Arsenal : v1.5
Link for download :   Slides >>

Darren about Arsenal: “I though the arsenal was awesome :)”

Station 2 : Armitage – A Scriptable redteam collaboration tool

Armitage is a scriptable red team collaboration tool built on top of the Metasploit Framework. Through its programming language, Cortana, it’s possible to integrate outside tools into Armitage’s workflow and make them available in a team friendly way.

Raphael playing with Armitage at Turbo Talk

Reloaded at Station 2 with the same energy and sense of humor

This demonstration will introduce Armitage’s collaboration features and highlight Cortana’s improved abilities to integrate tools into Armitage’s collaboration architecture

 Fun moment between Raphael and Darren. Raphael just found out (thump up to Darren) that Darren has integrated Cortana in his tools. That’s what i really love about Arsenal. Hackers can meet, exhange and improve things.

 At Toolswatch booth, loading stickers for attendees

Demo byRaphael Mudge
Version demoed at Blackhat Arsenal : 06.05.13
Link for download :

Station 3 : Information disclosure in Facebook with Graph API

The Graph API is the primary way that data is retrieved or posted to Facebook. The Getting Started Guide contains an overview of the basics of the API, walks you through using the Graph API Explorer, shows you how names work, how permissions work, what connections are and puts it all together so the rest of this reference make sense.

Michael Hudson preparing his booth with the help of Maxi Soler (BH Arsenal dude)

Anyone can access the data from ANY user due to the release of information that produces the “Graph API” because of the functionality they have given to this API for developers. The “excess” functionality provided in this API make data users are exposed without any need for it any malicious attacker and make a compilation of information from the target It is possible to identify people according to their id as will be seen in the proof of concept and insecure http protocol also makes it vulnerable to a brute force attack

Demo byMichael Hudson
Version demoed at Blackhat Arsenal : (awaiting info)
Link for download : (awaiting info)

Station 4 : BinFuzz.js

Binfuzz.js is a library for fuzzing structured binary data in JavaScript. Structured binary data is data that can be easily represented by one or more C structures: it is composed of fixed size fields and any variable length fields are counted by another structure member. Numerous network and file formats are structured binary data, including SSL, DNS, and most image formats. Things that aren’t structured binary data include languages (such as HTML or JavaScript) or text-based protocols (such as HTTP) or text-based file formats (such as PDF).

Artem demoing the BinFuzz.js technique and tool

A live example will be shown using Binfuzz.js to generate Windows ICO files to stress a browser’s icon parsing and display code. ICO is a complex format that contains images of different sizes for optimal display based on context. Binfuzz.js will try generating edge cases such as an icon with 0xFFFF images of size 0xFFFFFFFF by 0xFFFFFFF, and cases such as saying that there are 128 images but only supplying data for one, among many other permutations. It is the author’s hope that others will extend binfuzz.js for other use cases.

Demo byArtem Dinaburg
Version demoed at Blackhat Arsenal : First release (at Arsenal)
Link for download :  —— Slides >>

Station 5 : HTexploit – Bypassing .htaccess like pass-the-hash

HTExploit is an open-source tool written in Python that exploits a weakness in the way that htaccess files can be configured to protect a web directory with an authentication process.

Matias loading his weapon

By using this tool anyone would be able to list the contents of a directory protected this way, bypassing the authentication process.

Matias showing a live SQL Injection even if .htaccess is enabled. It was a great demo. Mati also challenged folks to assess live their websites with .htaccess. I called this tool “.htaccess pass the hash like” 😉

Demo byMatias Katz
Version demoed at Blackhat Arsenal : v0.8 released at Blackhat Arsenal with new features (awaiting details)
Link for download :


Station 6 : Invoke-ReflectivePELoader Powershell script

PowerShell is a powerful scripting language which has the capability to run scripts on remote systems without writing to disk.

Invoke-ReflectivePEInjection is a PowerShell script which can reflectively load and execute a windows PE file such as an EXE or DLL inside the PowerShell process on a remote computer without writing to disk. This is accomplished by (partially) rewriting the Win32 functionality which loads EXEs/DLLs in PowerShell.

The cool Joe at Station 6. We had a chat and Joe is an awesome hacker.

The script allows a penetration tester to:

  • Execute EXEs/DLLs on remote computers without writing to disk (detection is extremely difficult)
  • Execute existing tools inside the PowerShell process (potentially bypassing application whitelisting)
  • Hide reflectively loaded EXEs/DLLs from tools such as ListDLL’s which lists all loaded DLL’s
  • Bypass antivirus by never writing anything to disk, everything happens in memory using PowerShell remoting

PowerShell hacking in action

Demo byJoe Bialek
Version demoed at Blackhat Arsenal : Beta release
Link for download :

Station 7 : IOCWriter_11 – Tool to create / modify OpenIOC documents

With the impending release of the OpenIOC 1.1 format for sharing threat intelligence, Mandiant will be releasing a set of open source tools for creating and manipulating OpenIOC objects and moving data in and out of the OpenIOC format.

William talking and showing how to use IOCwriter

Demonstrations will cover how the tools can be used to create and modify OpenIOC documents, show how it is possible to store Snort and Yara signatures in OpenIOC format and convert those OpenIOC documents back into their native formats. In addition, the integration of these tools into other open source applications will be demonstrated with tools that can automatically extract IOCs from unstructured content.

Demo byWilliam Gibb
Version demoed at Blackhat Arsenal : v0.1.0
Link for download  —- Slides >>

Station 7 : Watobo – Open Source Web Application Assessment

WATOBO is a security tool for web applications. It is intended to enable security professionals to perform efficient (semi-automated) web application security audits.

Andreas demoing Watobo new features to Audience (we can also spot Federico Massa from Vscan)

Most important features:

  • WATOBO has Session Management capabilities! You can define login scripts as well as logout signatures. So you don’t have to login manually each time you get logged out.
  • WATOBO can act as a transparent proxy (requires nfqueue)
  • WATOBO can perform vulnerability checks out of the box
  • WATOBO can perform checks on functions which are protected by Anti-CSRF-/One-Time-Tokens
  • WATOBO supports Inline De-/Encoding, so you don’t have to copy strings to a transcoder and back again. Just do it inside the request/response window with a simple mouse click.
  • WATOBO has smart filter functions, so you can find and navigate to the most interesting parts of the application easily.
  • WATOBO is written in (FX)Ruby and enables you to easily define your own checks
  • WATOBO runs on Windows, Linux, MacOS … every OS supporting (FX)Ruby
  • WATOBO is free software ( licensed under the GNU General Public License Version 2)

Watobo – Web Application Assessment Tool in action with a neat UI and cool features

Demo byAndreas Schmidt
Version demoed at Blackhat Arsenal : v0.9.13 New release at Arsenal (full changelog)
Link for download :

Wave 2: Those demos took place from 12:45 to 15:15

Station 1 : Sphere of Influence

The purpose of sphere of influence was to address the shortcomings of visualizations with regards to a tactical awareness. The IP address-to-geographical location and organization was designed to aid in the removal of false positives. It also provides details about location, latitude/longitude and organizational information. It addressed the fact that the majority of attacks were coming from the United States and China or from countries with high levels of broadband access.

The geographical data was also used to visually show traffic from countries that would not normally be connecting to a particular address space. Although not popular with the internet philosophy that everyone should be able to connect to everyone, it makes sense to limit your exposure to your own sphere of influence.

When looking at organizations we can start to examine false positives in a different way. Hackers, viruses and Trojans tend to attack weaker systems. Historically Universities, colleges and home users tend to be the playground of such endeavors. We can use this knowledge against them by examining traffic from these entities for any useful information.

Demo byDarren Manners
Version demoed at Blackhat Arsenal : v3.2
Link for download : —-   documentation >>

Station 2 : SET – Social Engineering Toolkit

Let’s take a deep dive into the newest and brand spanking new of the Social-Engineer Toolkit (SET). This talk will demonstrate the effectiveness of targeted attacks and how easy it is to circumvent today’s technology effortlessly.

Dave loading his weapon in front of mass audience

Learn from the creator of SET and the most effective way to perform targeted attacks.

Hijacked #AwkwardHug by Dave (using probably SET capability). Jayson said it’s alright. AwkwardHug is open source material. All in all, it was an honor to have this awesome hacker at the Arsenal


The audience at Dave’s show

Demo byDavid Kennedy
Version demoed at Blackhat Arsenal : v5.3
Link for download :

Station 3: Vega the free and open source web security scanner

Vega is a GUI-based, multi-platform, free and open source web security scanner that can be used to find instances of SQL injection, cross-site scripting (XSS), and other vulnerabilities in your web applications. Vega also includes an intercepting/scanning proxy for interactive web application debugging and fuzzing.

David demoing the latest capabilities of the awesome Vega multi-platform open source tool

One of the most interesting features about Vega is that the modules (fuzzing, signature detection) are written in Javascript, users can easily modify them or write their own.

The Vega web vulnerability scanner runs on Linux, Windows, and OS X. Vega is released under the EPL 1.0

Demo byDavid Mirza Ahmad
Version demoed at Blackhat Arsenal : 1.0 build 97 (Proxy scanning, macro authentication, improved detection modules,
improved crawler, bugfixes)
Link for download :

David about the Arsenal: “It was very nice to have a generous sized room with various pods
people could wander through and visit. More space than last year”

Station 4: Dependency-Check

Does your application have dependencies on 3rd party libraries? Do you know if those same libraries have published CVEs? Dependency-Check, an OWASP project, can help by providing identification and monitoring of application dependencies.

Jeremy demoing an awesome tool about CVEs and monitoring dependencies on 3rd party libs. I had an awesome chat with Jeremy about interaction with my own tool (vFeed). And yeah, something could be done.

The core engine can scan the libraries and will create an inventory of all the dependent libraries and whether or not there are any published CVEs. Dependency-Check’s new build plugins will be demonstrated as well as how the tool can be used to perform continuous monitoring of your applications and their dependencies.

Jeremy spotted in good company at VIP Party probably rehearsing for Dependency-check before the Arsenal 😉

Demo byJeremy Long
Version demoed at Blackhat Arsenal : 1.0.1
Link for download :  —

Station 5 : Drozer, the former Mercury

Drozer, previously known as Mercury, is the de facto tool for vulnerability-hunting on Android phones and in marketplace apps. In these demonstrations we are launching the new version of Drozer: one that has been extended to be a full-on, open-source exploitation framework for Android.

Folks at MWR security preparing for the Turbo Talk and announcing the reasons of the smart move from the Mercury to Drozer with cool features and a brand new logo 😉

Sporting remote exploits for compromising Android devices and shipped with payloads that transcend your average reverse shell, this framework is first of its breed for Android. Drozer also provides standard shellcode that can be used by exploit developers to integrate their Android exploits into the Drozer framework.

Tyrone & Daniel doing awesome Android pentesting / assessment using Drozer

Various devices will be pwned in these demonstrations, showing how Drozer can be used for initial targeted entry of a device to deploy a Drozer agent. Then, the post exploitation fun can begin: dumping of personal information, taking screenshots, stealing pictures, recording from the microphone and root are all possible.

Rocking the Turbo Talk with Remote exploitation of android devices

The best part about all of this work is that it is an open-source project that cherishes submissions from the community.

Demo byTyrone Erasmus and Daniel Bradberry
Version demoed at Blackhat Arsenal : Released at Arsenal v2.3.0 with (Remote exploitation of android devices, Ported public exploits and included some of MWR Labs exploits and Generate Android payloads and custom agents)
Link for download

Tyrone about the Arsenal :“I really loved tools arsenal. It is much bigger and busier than BH Europe! Thank you very much for having us @ arsenal – it was really awesome!”

Station 6 : iMAS – iOS Mobile Application Security libraries

iOS application security can be *much* stronger and easy for developers to find, understand and use. iMAS (iOS Mobile Application Security) – is a secure, open source iOS application framework research project focused on reducing iOS application vulnerabilities and information loss. Today, iOS meets the enterprise security needs of customers, however many security experts cite critical vulnerabilities and have demonstrated exploits, which in turn pushes enterprises to augment iOS deployments with commercial or custom solutions.

Gregg during the Turbo Talk Session

The iMAS intent is to protect iOS applications and data beyond the Apple provided security model and reduce the adversary’s ability and efficiency to perform recon, exploitation, control and execution on iOS mobile applications. iMAS has released five security controls (researching many more) for developers to download and use within iOS applications. This talk will walk through various iOS application vulnerabilities, iMAS security controls, OWASP Mobile top10 and CWE vulnerabilities addressed.

Gregg demoing his tool at Station Booth

Demo byGregg Ganley
Version demoed at Blackhat Arsenal : (awaiting info)
Link for download :  (awaiting info)  — Slides >>

Station 7 : Mandiant Redline

Redline, Mandiant’s premier free tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile.

Mandiant folks before the Turbo Talk show

With Redline, users can:

  • Thoroughly audit and collect all run processes, audit data, and memory images.
  • Analyze and view imported audit data, including narrowing and filtering results around a given timeframe using Redline’s Timeline functionality with the TimeWrinkle™ and TimeCrunch™ features.
  • Streamline memory analysis with a proven workflow for analyzing malware based on relative priority.
  • Identify processes more likely worth investigating based on the Redline Malware Risk Index (MRI) score.
  • Perform Indicator of Compromise (IOC) analysis. Supplied with a set of IOCs, the Redline Portable Agent is automatically configured to gather the data required to perform the IOC analysis and an IOC hit result review.

Theodore defeating malicious malwares with Mandiant Redline

Demo byTheodore Wilson
Version demoed at Blackhat Arsenal : (awaiting info)
Link for download —- Slides >>

Station 8 : OWASP Broken Web Applications VM

The Open Web Application Security Project (OWASP) Broken Web Applications project ( provides a free and open source virtual machine loaded with web applications containing security vulnerabilities. This session will showcase the project VM and exhibit how it can be used for training, testing, and experimentation by people in a variety of roles.

Chuck demonstrating how exploit Web App Vulnerabilities using OWASP BWA

Demonstrations will cover how the project can be used by penetration testers who discover and exploit web application vulnerabilities, by developers and others who prevent and defend against web application attacks, and by individuals who respond to web application incidents. .

Demo byChuck Willis
Version demoed at Blackhat Arsenal : v1.1
Link for


Wave 3: Those demos took place from 15:30 to 18:00

Station 1 : De-cloak

De-Cloak is designed to extract HTTP user agents from PCAP files and store known user agents in a database. Hackers often hide wget or http requests by using known user agents. However, if we change our own user agents (perhaps via a GPO) we can start to investigate what starts to stand out. Simple but effective.

Demo byDarren Manners
Version demoed at Blackhat Arsenal : v0.1 released at Arsenal
Link for download

Station 2 : Sparty – Python open source web application assessment tool

Sparty is an open source tool written in python to audit web applications using sharepoint and frontpage architecture. The motivation behind this tool is to provide an easy and robust way to scrutinize the security configurations of sharepoint and frontpage based web applications. Due to the complex nature of these web administration software, it is required to have a simple and efficient tool that gathers information, check access permissions, dump critical information from default files and perform automated exploitation if security risks are identified.

Adi showing his first release to some hackers (Gursev from Foundstone spotted)

A number of automated scanners fall short of this and Sparty is a solution to that . In the first release, Sparty is capable of performing following tasks:

  • Checking access permissions of sharepoint inherent webpages and directories
  • Checking access permissions for deployed frontpage extensions and directories
  • Dumping passwords from misconfigured default files
  • Information gathering from the configured sharepoint and frontpage extensions
  • Automated exploitation of vulnerable configurations of sharepoint and frontpage architectures

Adi after the show with David Kennedy (SET) and I

Sparty is tool that provides complete information regarding sharepoint and frontpage environments to design threat models which greatly assist penetration testers in manual verification of flaws. Sparty is really helpful in time critical security assessments.

Demo byAditya K Sood
Version demoed at Blackhat Arsenal : v0.1 released at Arsenal
Link for download : — Slides >>

Station 3 : HookMe, Intercepting communication by hooking API calls

HookME is a software designed for intercepting communications by hooking the desired process and hooking the API calls for sending and receiving network data. HookMe provides a nice graphic user interface allowing you to change the packet content in real time, dropping or forwarding the packet. It also has a python system plugin to extend the HookMe functionality.

Manuel loading his tool for intercepting communications. Always great to see how easy SSL got hooked.

It can be used for a lot of purposes such as:

  • Analyzing and modifying network protocols
  • Creation of malware or backdoors embebed into network protocols
  • Protocol vulnerability memory patching
  • Firewall at protocol layer
  • As postexplotation tool
  • whatever you can create with plugins using your imagination

Demo byManuel Fernandez
Version demoed at Blackhat Arsenal :
Link for download :

Station 4 : SimpleRisk, Enterprise Risk Management

As security professionals, almost every action we take comes down to making a risk-based decision. Web application vulnerabilities, malware infections, physical vulnerabilities, and much more all boils down to some combination of the likelihood of an event happening and the impact of that event. Risk management is a relatively simple concept to grasp, but the place where many practitioners fall down is in the tool set. The lucky security professionals work for companies who can afford expensive GRC tools to aide in managing risk. The unlucky majority out there usually end up spending countless hours managing risk via spreadsheets. It’s cumbersome, time consuming, and just plain sucks.

Josh demoing the awesome dashboards and how Risk Management could be handled by Open Source project. I actually had a great chat with him about risk scoring.

After starting a Risk Management program from scratch at a $1B/yr company, I ran into these same barriers and where budget wouldn’t let me go down the GRC route, I finally decided to do something about it. At BlackHat 2013, I would like to formally debut SimpleRisk, a simple and free tool to perform risk management activities. Based entirely on open source technologies and sporting a Mozilla Public License 2.0, a SimpleRisk instance can be stood up in minutes and instantly provides the security professional with the ability to submit risks, plan mitigations, facilitate management reviews, prioritize for project planning, and track regular reviews. It is highly configurable and includes dynamic reporting and the ability to tweak risk formulas on the fly.

Demo byJosh Sokol
Version demoed at Blackhat Arsenal : 20130718-001 Release Notes
Link for download : — Slides >>  — Pack for Blackhat attendees  It includes SimpleRisk documentation, a presentation, and the latest release.

Josh about the Arsenal: “It was a pleasure meeting you and thanks again for selecting me/SimpleRisk to participate in the Arsenal this year.  It was a fantastic experience that hopefully I can do again in the future. Very cool to see so many awesome
open source tools in one place”

Station 5 : ModSecurity,  Open Source WAF

ModSecurity is a cross-platform (Apache, IIS and Nginx), open source web application firewall module maintained by Trustwave SpiderLabs Research Team. It’s popularity is mainly due to its powerful rules language which provides security personnel a means to quickly develop defenses for emerging attack scenarios or virtual patching for identified web application vulnerabilities.

Ryan preparing for the Turbo Talk

Along with its Lua API and data modification capabilities, it provides unparalleled flexibility for custom integrations and security logic.

Demoing the impressive capabilities of ModSecurity

This Arsenal Demo includes many live setups where Black Hat attendees will be able to play with the ModSecurity defenses and try and evade its detections.

Always impressive to see this great hacker in person talking about ModSecurity

Demo byRyan Barnett
Version demoed at Blackhat Arsenal : v2.7.5 (announced during the Blackhat)
Link for download :  — Slides >>

Station 6 : Viproy, VoIP Penetration and Exploitation Testing Kit

Viproy VOIP Pen-Test Kit is developed to improve quality of SIP Penetration Tests.

Awesome demo about how easy breaking into VoIP networks with Viproy. Fatih is a very nice, talented and cheerful hacker. I had a great pleasure talking with before his show.
It provides authentication feature that helps to create simple tests. It includes 7 different modules with authentication support: options tester, brute forcer, enumerator, invite tester, trust analyzer, proxy and registration tester.
Fatih reloading the show at Station Booth.
All attacks could perform before and after authentication to fuzz SIP services and value added services.
Fatih about the Arsenal : “Blackhat Arsenal was really awesome event. I met many good security researchers and consultants there. Also their tools were unbelievable, my favorite tools were drozer and armitage. I have attended Raphael Mudge’s turbo briefing, he was amazing. He explained everything about armitage’s new features with good demos. Another good thing was organization and management, I accessed each materials and equipments easily. Everything was well-planned.
Thank you for this awesome event “

Station 7 : ShinoBOT/ShinoC2

A RAT (remote administration tool) and C2 (command/control) server for measuring a target company may or may not provide enough insight, especially when simulating a highly focused attack. After launching the RAT, control will be established by C2 server. The attacker can then do everything from the C2 server.

Shota talking to audience about the capabilities of this impressive RAT

  • Screenshots
  • Get Local Files
  • Download & Exec
  • Exec a command from cmd.exe, etc.

Demo byShota Shinogi
Version demoed at Blackhat Arsenal : v1.3.2.6
Link for download :  —  Slides >>

Shota about the Arsenal and Blackhat: “ I was invited in the VIP & Speaker Party which held on the penthouse of Caesar’s Palace, met many famous hackers, and absolutely became drunk. The Arsenal event was awesome. Many people came to my booth, they gave me advices, helpful for my road-map.

This was my first time to become a speaker in Black Hat and it was 100 times exciting than join as an attendee.”


To be concluded …. Next: “Blackhat Arsenal Prequel – From Paris and Buenos Aires to Las Vegas the Roadtrip”

NJ Ouchn

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"