Blackhat Arsenal USA 2013 Wrap-Up Day 2

After the first day at Arsenal (http://www.toolswatch.org/2013/08/blackhat-arsenal-usa-2013-wrap-up/), the night was very long because of all those parties planned by various vendors to entertain folks.

 View from some Party late at Night

The parties at Blackhat are a great excuse to socialize and “break the ice” and conclude on few technical discussions around a glass. But I assure you the technical discussions do not last long, giving way to some fun things.

Once recovered from the parties, the craziness of the City and the madness of the first day at the Arsenal, we are ready to welcome a new wave of tools.

Wave 1: Those demos took place from 10:00 to 12:30

Station 1 : Ice-hole

Ice-Hole 1.4 is a new update for the tool which brings BYOD targeting via user agents, scheduling of phishing emails from a bank of templates, executable injection via javascript, and can clone websites based upon a URL to include keystroke logging.

Darren wisely demoing his tools

Ice-Hole is a phishing awareness email program. It is designed to help security analysts/System Administrators keep track and test end users. The tool can be used in conjunction with various third party software like SET for further leverage.

Demo by:  Darren Manners
Version demoed at Blackhat Arsenal : v1.5
Link for download : https://fmd-4f6382847b23a6-86172945.sharefile.com/d/sb9884c46c0f4686b   Slides >> https://media.blackhat.com/us-13/Arsenal/us-13-Manners-Ice-Hole-Slides.pdf

Darren about Arsenal: “I though the arsenal was awesome :)”

Station 2 : Armitage – A Scriptable redteam collaboration tool

Armitage is a scriptable red team collaboration tool built on top of the Metasploit Framework. Through its programming language, Cortana, it’s possible to integrate outside tools into Armitage’s workflow and make them available in a team friendly way.

Raphael playing with Armitage at Turbo Talk

Reloaded at Station 2 with the same energy and sense of humor

This demonstration will introduce Armitage’s collaboration features and highlight Cortana’s improved abilities to integrate tools into Armitage’s collaboration architecture

 Fun moment between Raphael and Darren. Raphael just found out (thump up to Darren) that Darren has integrated Cortana in his tools. That’s what i really love about Arsenal. Hackers can meet, exhange and improve things.

 At Toolswatch booth, loading stickers for attendees

Demo by:  Raphael Mudge
Version demoed at Blackhat Arsenal : 06.05.13
Link for download : http://www.fastandeasyhacking.com/download

Station 3 : Information disclosure in Facebook with Graph API

The Graph API is the primary way that data is retrieved or posted to Facebook. The Getting Started Guide contains an overview of the basics of the API, walks you through using the Graph API Explorer, shows you how names work, how permissions work, what connections are and puts it all together so the rest of this reference make sense.

Michael Hudson preparing his booth with the help of Maxi Soler (BH Arsenal dude)

Anyone can access the data from ANY user due to the release of information that produces the “Graph API” because of the functionality they have given to this API for developers. The “excess” functionality provided in this API make data users are exposed without any need for it any malicious attacker and make a compilation of information from the target It is possible to identify people according to their id as will be seen in the proof of concept and insecure http protocol also makes it vulnerable to a brute force attack

Demo by:  Michael Hudson
Version demoed at Blackhat Arsenal : (awaiting info)
Link for download : (awaiting info)

Station 4 : BinFuzz.js

Binfuzz.js is a library for fuzzing structured binary data in JavaScript. Structured binary data is data that can be easily represented by one or more C structures: it is composed of fixed size fields and any variable length fields are counted by another structure member. Numerous network and file formats are structured binary data, including SSL, DNS, and most image formats. Things that aren’t structured binary data include languages (such as HTML or JavaScript) or text-based protocols (such as HTTP) or text-based file formats (such as PDF).

Artem demoing the BinFuzz.js technique and tool

A live example will be shown using Binfuzz.js to generate Windows ICO files to stress a browser’s icon parsing and display code. ICO is a complex format that contains images of different sizes for optimal display based on context. Binfuzz.js will try generating edge cases such as an icon with 0xFFFF images of size 0xFFFFFFFF by 0xFFFFFFF, and cases such as saying that there are 128 images but only supplying data for one, among many other permutations. It is the author’s hope that others will extend binfuzz.js for other use cases.

Demo by:  Artem Dinaburg
Version demoed at Blackhat Arsenal : First release (at Arsenal)
Link for download : https://media.blackhat.com/us-13/Arsenal/us-13-Dinaburg-Binfuzz.js-Code.zip  —— Slides >> https://media.blackhat.com/us-13/Arsenal/us-13-Dinaburg-Binfuzz.js-Slides.pdf

Station 5 : HTexploit – Bypassing .htaccess like pass-the-hash

HTExploit is an open-source tool written in Python that exploits a weakness in the way that htaccess files can be configured to protect a web directory with an authentication process.

Matias loading his weapon

By using this tool anyone would be able to list the contents of a directory protected this way, bypassing the authentication process.

Matias showing a live SQL Injection even if .htaccess is enabled. It was a great demo. Mati also challenged folks to assess live their websites with .htaccess. I called this tool “.htaccess pass the hash like” 😉

Demo by:  Matias Katz
Version demoed at Blackhat Arsenal : v0.8 released at Blackhat Arsenal with new features (awaiting details)
Link for download : http://www.mkit.com.ar/labs/htexploit/

Station 6 : Invoke-ReflectivePELoader Powershell script

PowerShell is a powerful scripting language which has the capability to run scripts on remote systems without writing to disk.

Invoke-ReflectivePEInjection is a PowerShell script which can reflectively load and execute a windows PE file such as an EXE or DLL inside the PowerShell process on a remote computer without writing to disk. This is accomplished by (partially) rewriting the Win32 functionality which loads EXEs/DLLs in PowerShell.

The cool Joe at Station 6. We had a chat and Joe is an awesome hacker.

The script allows a penetration tester to:

• Execute EXEs/DLLs on remote computers without writing to disk (detection is extremely difficult)
• Execute existing tools inside the PowerShell process (potentially bypassing application whitelisting)
• Hide reflectively loaded EXEs/DLLs from tools such as ListDLL’s which lists all loaded DLL’s
• Bypass antivirus by never writing anything to disk, everything happens in memory using PowerShell remoting

PowerShell hacking in action

Demo by:  Joe Bialek
Version demoed at Blackhat Arsenal : Beta release
Link for download : https://github.com/clymb3r/PowerShell

Station 7 : IOCWriter_11 – Tool to create / modify OpenIOC documents

With the impending release of the OpenIOC 1.1 format for sharing threat intelligence, Mandiant will be releasing a set of open source tools for creating and manipulating OpenIOC objects and moving data in and out of the OpenIOC format.

William talking and showing how to use IOCwriter

Demonstrations will cover how the tools can be used to create and modify OpenIOC documents, show how it is possible to store Snort and Yara signatures in OpenIOC format and convert those OpenIOC documents back into their native formats. In addition, the integration of these tools into other open source applications will be demonstrated with tools that can automatically extract IOCs from unstructured content.

Demo by:  William Gibb
Version demoed at Blackhat Arsenal : v0.1.0
Link for download : https://github.com/mandiant/ioc_writer/  —- Slides >> https://media.blackhat.com/us-13/Arsenal/us-13-Gibb-IOCWriter_11-Slides.pdf

Station 7 : Watobo – Open Source Web Application Assessment

WATOBO is a security tool for web applications. It is intended to enable security professionals to perform efficient (semi-automated) web application security audits.

Andreas demoing Watobo new features to Audience (we can also spot Federico Massa from Vscan)

Most important features:

• WATOBO has Session Management capabilities! You can define login scripts as well as logout signatures. So you don’t have to login manually each time you get logged out.
• WATOBO can act as a transparent proxy (requires nfqueue)
• WATOBO can perform vulnerability checks out of the box
• WATOBO can perform checks on functions which are protected by Anti-CSRF-/One-Time-Tokens
• WATOBO supports Inline De-/Encoding, so you don’t have to copy strings to a transcoder and back again. Just do it inside the request/response window with a simple mouse click.
• WATOBO has smart filter functions, so you can find and navigate to the most interesting parts of the application easily.
• WATOBO is written in (FX)Ruby and enables you to easily define your own checks
• WATOBO runs on Windows, Linux, MacOS … every OS supporting (FX)Ruby
• WATOBO is free software ( licensed under the GNU General Public License Version 2)

Watobo – Web Application Assessment Tool in action with a neat UI and cool features

Demo by:  Andreas Schmidt
Version demoed at Blackhat Arsenal : v0.9.13 New release at Arsenal (full changelog)
Link for download : http://sourceforge.net/projects/watobo/files/

Wave 2: Those demos took place from 12:45 to 15:15

Station 1 : Sphere of Influence

The purpose of sphere of influence was to address the shortcomings of visualizations with regards to a tactical awareness. The IP address-to-geographical location and organization was designed to aid in the removal of false positives. It also provides details about location, latitude/longitude and organizational information. It addressed the fact that the majority of attacks were coming from the United States and China or from countries with high levels of broadband access.

The geographical data was also used to visually show traffic from countries that would not normally be connecting to a particular address space. Although not popular with the internet philosophy that everyone should be able to connect to everyone, it makes sense to limit your exposure to your own sphere of influence.

When looking at organizations we can start to examine false positives in a different way. Hackers, viruses and Trojans tend to attack weaker systems. Historically Universities, colleges and home users tend to be the playground of such endeavors. We can use this knowledge against them by examining traffic from these entities for any useful information.

Demo by:  Darren Manners
Version demoed at Blackhat Arsenal : v3.2
Link for download :  https://fmd-4f6382847b23a6-86172945.sharefile.com/d/s11c020c8b8c4cd28 —-   documentation >> http://www.sycomtech.com/images/uploads/Sphere%20Of%20Influence%203_2.doc

Station 2 : SET – Social Engineering Toolkit

Let’s take a deep dive into the newest and brand spanking new of the Social-Engineer Toolkit (SET). This talk will demonstrate the effectiveness of targeted attacks and how easy it is to circumvent today’s technology effortlessly.

Dave loading his weapon in front of mass audience

Learn from the creator of SET and the most effective way to perform targeted attacks.

Hijacked #AwkwardHug by Dave (using probably SET capability). Jayson said it’s alright. AwkwardHug is open source material. All in all, it was an honor to have this awesome hacker at the Arsenal

The audience at Dave’s show

Demo by:  David Kennedy
Version demoed at Blackhat Arsenal : v5.3
Link for download : https://github.com/trustedsec/social-engineer-toolkit/

Station 3: Vega the free and open source web security scanner

Vega is a GUI-based, multi-platform, free and open source web security scanner that can be used to find instances of SQL injection, cross-site scripting (XSS), and other vulnerabilities in your web applications. Vega also includes an intercepting/scanning proxy for interactive web application debugging and fuzzing.

David demoing the latest capabilities of the awesome Vega multi-platform open source tool

One of the most interesting features about Vega is that the modules (fuzzing, signature detection) are written in Javascript, users can easily modify them or write their own.

The Vega web vulnerability scanner runs on Linux, Windows, and OS X. Vega is released under the EPL 1.0

Demo by:  David Mirza Ahmad
Version demoed at Blackhat Arsenal : 1.0 build 97 (Proxy scanning, macro authentication, improved detection modules,
improved crawler, bugfixes)
Link for download : http://www.subgraph.com/vega_download.php

David about the Arsenal: “It was very nice to have a generous sized room with various pods
people could wander through and visit. More space than last year”

Station 4: Dependency-Check

Does your application have dependencies on 3rd party libraries? Do you know if those same libraries have published CVEs? Dependency-Check, an OWASP project, can help by providing identification and monitoring of application dependencies.

Jeremy demoing an awesome tool about CVEs and monitoring dependencies on 3rd party libs. I had an awesome chat with Jeremy about interaction with my own tool (vFeed). And yeah, something could be done.

The core engine can scan the libraries and will create an inventory of all the dependent libraries and whether or not there are any published CVEs. Dependency-Check’s new build plugins will be demonstrated as well as how the tool can be used to perform continuous monitoring of your applications and their dependencies.

Jeremy spotted in good company at VIP Party probably rehearsing for Dependency-check before the Arsenal 😉

Demo by:  Jeremy Long
Version demoed at Blackhat Arsenal : 1.0.1
Link for download :https://github.com/jeremylong/DependencyCheck/tree/v1.0.1  — http://dl.bintray.com/jeremy-long/owasp/dependency-check-1.0.1-release.zip — http://search.maven.org/#search%7Cga%7C1%7Cdependency-check — http://dl.bintray.com/jeremy-long/owasp/dependency-check-ant-1.0.1.jar

Awesome demo about how easy breaking into VoIP networks with Viproy. Fatih is a very nice, talented and cheerful hacker. I had a great pleasure talking with before his show.