Blackhat Arsenal USA 2013 Wrap-Up Day 2
After the first day at Arsenal (http://www.toolswatch.org/2013/08/blackhat-arsenal-usa-2013-wrap-up/), the night was very long because of all those parties planned by various vendors to entertain folks.
The parties at Blackhat are a great excuse to socialize, “break the ice” and wrap up a few technical discussions over a drink. But I assure you the technical discussions do not last long before giving way to more fun things.
Once recovered from the parties, the craziness of the City and the madness of the first day at the Arsenal, we are ready to welcome a new wave of tools.
Wave 1: Those demos took place from 10:00 to 12:30
Station 1 : Ice-hole
Darren wisely demoing his tools
Ice-Hole is a phishing awareness email program. It is designed to help security analysts/System Administrators keep track and test end users. The tool can be used in conjunction with various third party software like SET for further leverage.
Demo by: Darren Manners
Version demoed at Blackhat Arsenal : v1.5
Link for download : https://fmd-4f6382847b23a6-86172945.sharefile.com/d/sb9884c46c0f4686b Slides >> https://media.blackhat.com/us-13/Arsenal/us-13-Manners-Ice-Hole-Slides.pdf
Darren about Arsenal: “I thought the arsenal was awesome :)”
Station 2 : Armitage – A Scriptable redteam collaboration tool
Armitage is a scriptable red team collaboration tool built on top of the Metasploit Framework. Through its programming language, Cortana, it’s possible to integrate outside tools into Armitage’s workflow and make them available in a team friendly way.
Reloaded at Station 2 with the same energy and sense of humor
This demonstration will introduce Armitage’s collaboration features and highlight Cortana’s improved abilities to integrate tools into Armitage’s collaboration architecture.
Fun moment between Raphael and Darren. Raphael just found out (thumbs up to Darren) that Darren has integrated Cortana in his tools. That’s what I really love about Arsenal. Hackers can meet, exchange and improve things.
Station 3 : Information disclosure in Facebook with Graph API
The Graph API is the primary way that data is retrieved or posted to Facebook. The Getting Started Guide contains an overview of the basics of the API, walks you through using the Graph API Explorer, shows you how names work, how permissions work, what connections are and puts it all together so the rest of this reference makes sense.
Anyone can access the data of ANY user because of the information the “Graph API” releases, a consequence of the functionality this API has been given for developers. The “excess” functionality provided in this API exposes user data without any need for it, and lets any malicious attacker compile information about a target. It is possible to identify people according to their ID, as will be seen in the proof of concept, and the insecure HTTP protocol also makes it vulnerable to a brute-force attack.
Demo by: Michael Hudson
Version demoed at Blackhat Arsenal : (awaiting info)
Link for download : (awaiting info)
Station 4 : BinFuzz.js
Artem demoing the BinFuzz.js technique and tool
A live example will be shown using Binfuzz.js to generate Windows ICO files to stress a browser’s icon parsing and display code. ICO is a complex format that contains images of different sizes for optimal display based on context. Binfuzz.js will try generating edge cases such as an icon with 0xFFFF images of size 0xFFFFFFFF by 0xFFFFFFF, and cases such as saying that there are 128 images but only supplying data for one, among many other permutations. It is the author’s hope that others will extend binfuzz.js for other use cases.
Demo by: Artem Dinaburg
Version demoed at Blackhat Arsenal : First release (at Arsenal)
Link for download : https://media.blackhat.com/us-13/Arsenal/us-13-Dinaburg-Binfuzz.js-Code.zip —— Slides >> https://media.blackhat.com/us-13/Arsenal/us-13-Dinaburg-Binfuzz.js-Slides.pdf
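The two edge cases named above, seen from the parser's side: an added example (not Binfuzz.js code and not from the original post) of the structural checks an ICO consumer should make before touching image data. The `MAX_DIM` bound and the `build_ico` sample generator are assumptions made for this sketch.

```python
import struct

ICONDIR = struct.Struct("<HHH")            # reserved, type (1 = icon), image count
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # w, h, colours, reserved, planes, bpp, size, offset
BMP_HEAD = struct.Struct("<Iii")           # BITMAPINFOHEADER: biSize, biWidth, biHeight
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
MAX_DIM = 256                              # assumed policy bound for this sketch


def check_ico(data: bytes) -> list:
    """Return a list of structural problems; an empty list means the file is consistent."""
    if len(data) < ICONDIR.size:
        return ["truncated ICONDIR header"]
    problems = []
    reserved, kind, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or kind != 1:
        problems.append(f"bad header: reserved={reserved} type={kind}")
    if count == 0:
        problems.append("directory declares zero images")
    table_end = ICONDIR.size + count * ICONDIRENTRY.size
    if table_end > len(data):
        # "128 images declared, data for one": the directory itself overruns the file.
        problems.append(f"directory declares {count} entries but the file is {len(data)} bytes")
        return problems
    for i in range(count):
        *_, size, offset = ICONDIRENTRY.unpack_from(data, ICONDIR.size + i * ICONDIRENTRY.size)
        if size == 0 or offset < table_end or offset + size > len(data):
            problems.append(f"entry {i}: image data empty or outside the file")
            continue
        image = data[offset:offset + size]
        if image.startswith(PNG_MAGIC) or size < BMP_HEAD.size:
            continue  # PNG payloads need their own parser; not covered here
        _, width, height = BMP_HEAD.unpack_from(image, 0)
        # In an ICO the stored biHeight is doubled (colour image plus AND mask).
        if not (0 < width <= MAX_DIM and 0 < height <= 2 * MAX_DIM):
            problems.append(f"entry {i}: implausible bitmap dimensions {width}x{height}")
    return problems


def build_ico(declared: int, width: int, height: int) -> bytes:
    """Constructed sample: one BMP-style entry, directory count chosen by the caller."""
    bmp = struct.pack("<IIIHHIIIIII", 40, width, height, 1, 32, 0, 0, 0, 0, 0, 0)
    offset = ICONDIR.size + ICONDIRENTRY.size
    entry = ICONDIRENTRY.pack(16, 16, 0, 0, 1, 32, len(bmp), offset)
    return ICONDIR.pack(0, 1, declared) + entry + bmp


if __name__ == "__main__":
    for label, sample in [("well-formed", build_ico(1, 16, 32)),
                          ("128 declared, 1 supplied", build_ico(128, 16, 32)),
                          ("oversized bitmap", build_ico(1, 0xFFFFFFFF, 0xFFFFFFF))]:
        print(label, "->", check_ico(sample) or "ok")
```

The check reads only the directory and the first twelve bytes of each bitmap header, so it can run as a cheap gate in front of a full decoder.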
Station 5 : HTExploit – Bypassing .htaccess like pass-the-hash
HTExploit is an open-source tool written in Python that exploits a weakness in the way that htaccess files can be configured to protect a web directory with an authentication process.
By using this tool anyone would be able to list the contents of a directory protected this way, bypassing the authentication process.
Matias showing a live SQL Injection even if .htaccess is enabled. It was a great demo. Mati also challenged folks to assess their websites with .htaccess live. I called this tool “.htaccess pass the hash like” 😉
Station 6 : Invoke-ReflectivePELoader Powershell script
PowerShell is a powerful scripting language which has the capability to run scripts on remote systems without writing to disk.
Invoke-ReflectivePEInjection is a PowerShell script which can reflectively load and execute a Windows PE file such as an EXE or DLL inside the PowerShell process on a remote computer without writing to disk. This is accomplished by (partially) rewriting the Win32 functionality which loads EXEs/DLLs in PowerShell.
The script allows a penetration tester to:
- Execute EXEs/DLLs on remote computers without writing to disk (detection is extremely difficult)
- Execute existing tools inside the PowerShell process (potentially bypassing application whitelisting)
- Hide reflectively loaded EXEs/DLLs from tools such as ListDLLs, which lists all loaded DLLs
- Bypass antivirus by never writing anything to disk, everything happens in memory using PowerShell remoting
PowerShell hacking in action
Station 7 : IOCWriter_11 – Tool to create / modify OpenIOC documents
With the impending release of the OpenIOC 1.1 format for sharing threat intelligence, Mandiant will be releasing a set of open source tools for creating and manipulating OpenIOC objects and moving data in and out of the OpenIOC format.
Demonstrations will cover how the tools can be used to create and modify OpenIOC documents, show how it is possible to store Snort and Yara signatures in OpenIOC format and convert those OpenIOC documents back into their native formats. In addition, the integration of these tools into other open source applications will be demonstrated with tools that can automatically extract IOCs from unstructured content.
Demo by: William Gibb
Version demoed at Blackhat Arsenal : v0.1.0
Link for download : https://github.com/mandiant/ioc_writer/ —- Slides >> https://media.blackhat.com/us-13/Arsenal/us-13-Gibb-IOCWriter_11-Slides.pdf
Station 7 : Watobo – Open Source Web Application Assessment
WATOBO is a security tool for web applications. It is intended to enable security professionals to perform efficient (semi-automated) web application security audits.
Most important features:
- WATOBO has Session Management capabilities! You can define login scripts as well as logout signatures. So you don’t have to login manually each time you get logged out.
- WATOBO can act as a transparent proxy (requires nfqueue)
- WATOBO can perform vulnerability checks out of the box
- WATOBO can perform checks on functions which are protected by Anti-CSRF-/One-Time-Tokens
- WATOBO supports Inline De-/Encoding, so you don’t have to copy strings to a transcoder and back again. Just do it inside the request/response window with a simple mouse click.
- WATOBO has smart filter functions, so you can find and navigate to the most interesting parts of the application easily.
- WATOBO is written in (FX)Ruby and enables you to easily define your own checks
- WATOBO runs on Windows, Linux, MacOS … every OS supporting (FX)Ruby
- WATOBO is free software (licensed under the GNU General Public License Version 2)
Wave 2: Those demos took place from 12:45 to 15:15
Station 1 : Sphere of Influence
The purpose of sphere of influence was to address the shortcomings of visualizations with regards to a tactical awareness. The IP address-to-geographical location and organization was designed to aid in the removal of false positives. It also provides details about location, latitude/longitude and organizational information. It addressed the fact that the majority of attacks were coming from the United States and China or from countries with high levels of broadband access.
The geographical data was also used to visually show traffic from countries that would not normally be connecting to a particular address space. Although not popular with the internet philosophy that everyone should be able to connect to everyone, it makes sense to limit your exposure to your own sphere of influence.
When looking at organizations we can start to examine false positives in a different way. Hackers, viruses and Trojans tend to attack weaker systems. Historically, universities, colleges and home users tend to be the playground of such endeavors. We can use this knowledge against them by examining traffic from these entities for any useful information.
Demo by: Darren Manners
Version demoed at Blackhat Arsenal : v3.2
Link for download : https://fmd-4f6382847b23a6-86172945.sharefile.com/d/s11c020c8b8c4cd28 —- documentation >> http://www.sycomtech.com/images/uploads/Sphere%20Of%20Influence%203_2.doc
Station 2 : SET – Social Engineering Toolkit
Let’s take a deep dive into the newest, brand spanking new version of the Social-Engineer Toolkit (SET). This talk will demonstrate the effectiveness of targeted attacks and how easy it is to circumvent today’s technology effortlessly.
Learn the most effective way to perform targeted attacks from the creator of SET.
The audience at Dave’s show
Demo by: David Kennedy
Version demoed at Blackhat Arsenal : v5.3
Link for download : https://github.com/trustedsec/social-engineer-toolkit/
Station 3: Vega the free and open source web security scanner
Vega is a GUI-based, multi-platform, free and open source web security scanner that can be used to find instances of SQL injection, cross-site scripting (XSS), and other vulnerabilities in your web applications. Vega also includes an intercepting/scanning proxy for interactive web application debugging and fuzzing.
The Vega web vulnerability scanner runs on Linux, Windows, and OS X. Vega is released under the EPL 1.0
Demo by: David Mirza Ahmad
Version demoed at Blackhat Arsenal : 1.0 build 97 (Proxy scanning, macro authentication, improved detection modules, improved crawler, bugfixes)
Link for download : http://www.subgraph.com/vega_download.php
David about the Arsenal: “It was very nice to have a generous sized room with various pods people could wander through and visit. More space than last year”
Station 4: Dependency-Check
Does your application have dependencies on 3rd party libraries? Do you know if those same libraries have published CVEs? Dependency-Check, an OWASP project, can help by providing identification and monitoring of application dependencies.
Jeremy demoing an awesome tool about CVEs and monitoring dependencies on 3rd party libs. I had an awesome chat with Jeremy about interaction with my own tool (vFeed). And yeah, something could be done.
The core engine can scan the libraries and will create an inventory of all the dependent libraries and whether or not there are any published CVEs. Dependency-Check’s new build plugins will be demonstrated as well as how the tool can be used to perform continuous monitoring of your applications and their dependencies.
Jeremy spotted in good company at VIP Party probably rehearsing for Dependency-check before the Arsenal 😉
Demo by: Jeremy Long
Version demoed at Blackhat Arsenal : 1.0.1
Link for download :https://github.com/
Station 5 : Drozer, the former Mercury
Drozer, previously known as Mercury, is the de facto tool for vulnerability-hunting on Android phones and in marketplace apps. In these demonstrations we are launching the new version of Drozer: one that has been extended to be a full-on, open-source exploitation framework for Android.
Sporting remote exploits for compromising Android devices and shipped with payloads that transcend your average reverse shell, this framework is first of its breed for Android. Drozer also provides standard shellcode that can be used by exploit developers to integrate their Android exploits into the Drozer framework.
Various devices will be pwned in these demonstrations, showing how Drozer can be used for initial targeted entry of a device to deploy a Drozer agent. Then, the post exploitation fun can begin: dumping of personal information, taking screenshots, stealing pictures, recording from the microphone and root are all possible.
The best part about all of this work is that it is an open-source project that cherishes submissions from the community.
Demo by: Tyrone Erasmus and Daniel Bradberry
Version demoed at Blackhat Arsenal : Released at Arsenal v2.3.0 with (Remote exploitation of android devices, Ported public exploits and included some of MWR Labs exploits and Generate Android payloads and custom agents)
Link for download : http://labs.mwrinfosecurity.com/tools/drozer/
Station 6 : iMAS – iOS Mobile Application Security libraries
iOS application security can be *much* stronger and easy for developers to find, understand and use. iMAS (iOS Mobile Application Security) – is a secure, open source iOS application framework research project focused on reducing iOS application vulnerabilities and information loss. Today, iOS meets the enterprise security needs of customers, however many security experts cite critical vulnerabilities and have demonstrated exploits, which in turn pushes enterprises to augment iOS deployments with commercial or custom solutions.
The iMAS intent is to protect iOS applications and data beyond the Apple provided security model and reduce the adversary’s ability and efficiency to perform recon, exploitation, control and execution on iOS mobile applications. iMAS has released five security controls (researching many more) for developers to download and use within iOS applications. This talk will walk through various iOS application vulnerabilities, iMAS security controls, OWASP Mobile top10 and CWE vulnerabilities addressed.
Demo by: Gregg Ganley
Version demoed at Blackhat Arsenal : (awaiting info)
Link for download : (awaiting info) — Slides >> https://media.blackhat.com/us-13/Arsenal/us-13-Ganley-iMAS-Slides.pdf
Station 7 : Mandiant Redline
Redline, Mandiant’s premier free tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile.
With Redline, users can:
- Thoroughly audit and collect all run processes, audit data, and memory images.
- Analyze and view imported audit data, including narrowing and filtering results around a given timeframe using Redline’s Timeline functionality with the TimeWrinkle™ and TimeCrunch™ features.
- Streamline memory analysis with a proven workflow for analyzing malware based on relative priority.
- Identify processes more likely worth investigating based on the Redline Malware Risk Index (MRI) score.
- Perform Indicator of Compromise (IOC) analysis. Supplied with a set of IOCs, the Redline Portable Agent is automatically configured to gather the data required to perform the IOC analysis and an IOC hit result review.
Demo by: Theodore Wilson
Version demoed at Blackhat Arsenal : (awaiting info)
Link for download : https://media.blackhat.com/us-13/Arsenal/us-13-Wilson-Mandiant-Redline.msi.zip —- Slides >> https://media.blackhat.com/us-13/Arsenal/us-13-Wilson-Mandiant-Redline-Slides.pdf
Station 8 : OWASP Broken Web Applications VM
The Open Web Application Security Project (OWASP) Broken Web Applications project (www.owaspbwa.org) provides a free and open source virtual machine loaded with web applications containing security vulnerabilities. This session will showcase the project VM and exhibit how it can be used for training, testing, and experimentation by people in a variety of roles.
Demonstrations will cover how the project can be used by penetration testers who discover and exploit web application vulnerabilities, by developers and others who prevent and defend against web application attacks, and by individuals who respond to web application incidents.
Wave 3: Those demos took place from 15:30 to 18:00
Station 1 : De-cloak
De-Cloak is designed to extract HTTP user agents from PCAP files and store known user agents in a database. Hackers often hide wget or http requests by using known user agents. However, if we change our own user agents (perhaps via a GPO) we can start to investigate what starts to stand out. Simple but effective.
Demo by: Darren Manners
Version demoed at Blackhat Arsenal : v0.1 released at Arsenal
Link for download : http://www.sycomtech.com/images/uploads/De-Cloak(3).zip
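The idea described for De-Cloak, as an added example (not De-Cloak's own code and not from the original post): pull `User-Agent` headers out of a capture and report any request that lacks the marker the site pushed to its managed browsers. It assumes a classic little-endian pcap of Ethernet/IPv4/TCP frames with the request headers in one segment; `MARKER`, the addresses and the sample capture are constructed for illustration.

```python
import re
import struct

UA_RE = re.compile(rb"^User-Agent:[ \t]*(.*?)\r?$", re.I | re.M)


def tcp_payloads(pcap: bytes):
    """Yield (src_ip, payload) for every IPv4/TCP frame in a classic little-endian pcap."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a classic little-endian pcap")
    pos = 24                                        # global header is 24 bytes
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, pos + 8)[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":   # Ethernet + IPv4 only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 20:        # protocol 6 = TCP
            continue
        total_len = struct.unpack_from("!H", ip, 2)[0]
        data_off = (ip[ihl + 12] >> 4) * 4
        yield ".".join(map(str, ip[12:16])), ip[ihl + data_off:total_len]


def unexpected_agents(pcap: bytes, marker: str, allowlist=frozenset()):
    """Return (src_ip, user_agent) pairs whose User-Agent lacks the site marker."""
    hits = []
    for src, payload in tcp_payloads(pcap):
        match = UA_RE.search(payload)
        if match is None:
            continue                                # no User-Agent header in this segment
        agent = match.group(1).decode("latin-1")
        if marker not in agent and agent not in allowlist:
            hits.append((src, agent))
    return hits


def _frame(src: bytes, agent: str) -> bytes:
    """Constructed sample record: Ethernet/IPv4/TCP carrying one HTTP GET."""
    http = f"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: {agent}\r\n\r\n".encode()
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(http), 0, 0, 64, 6, 0,
                     src, bytes([192, 0, 2, 80]))
    frame = bytes(12) + b"\x08\x00" + ip + tcp + http
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame


MARKER = "ACME-7f3a"   # hypothetical token pushed to managed browsers (e.g. via GPO)
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _frame(bytes([10, 0, 0, 5]), f"Mozilla/5.0 (Windows NT 6.1) {MARKER}"),
    _frame(bytes([10, 0, 0, 9]), "Wget/1.14 (linux-gnu)"),
    _frame(bytes([10, 0, 0, 7]), "Mozilla/5.0 (Windows NT 6.1)"),
])

if __name__ == "__main__":
    for src, agent in unexpected_agents(SAMPLE_PCAP, MARKER):
        print(f"{src}\t{agent}")
```

The third sample request carries an ordinary browser string and is still reported, which is the point of changing the site's own user agents: a client imitating a stock browser no longer blends in.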
Station 2 : Sparty – Python open source web application assessment tool
Sparty is an open source tool written in Python to audit web applications using SharePoint and FrontPage architecture. The motivation behind this tool is to provide an easy and robust way to scrutinize the security configurations of SharePoint and FrontPage based web applications. Due to the complex nature of this web administration software, it is required to have a simple and efficient tool that gathers information, checks access permissions, dumps critical information from default files and performs automated exploitation if security risks are identified.
A number of automated scanners fall short of this and Sparty is a solution to that. In the first release, Sparty is capable of performing the following tasks:
- Checking access permissions of SharePoint inherent webpages and directories
- Checking access permissions for deployed FrontPage extensions and directories
- Dumping passwords from misconfigured default files
- Information gathering from the configured SharePoint and FrontPage extensions
- Automated exploitation of vulnerable configurations of SharePoint and FrontPage architectures
Sparty is a tool that provides complete information regarding SharePoint and FrontPage environments to design threat models which greatly assist penetration testers in manual verification of flaws. Sparty is really helpful in time critical security assessments.
Demo by: Aditya K Sood
Version demoed at Blackhat Arsenal : v0.1 released at Arsenal
Link for download : http://sparty.secniche.org/ — Slides >> http://fr.slideshare.net/adityaks/blackhat-usa-2013-arsenal-sparty?ref=http://sparty.secniche.org/
Station 3 : HookMe, Intercepting communication by hooking API calls
HookME is software designed for intercepting communications by hooking the desired process and hooking the API calls for sending and receiving network data. HookMe provides a nice graphical user interface allowing you to change the packet content in real time, dropping or forwarding the packet. It also has a Python plugin system to extend the HookMe functionality.
It can be used for a lot of purposes such as:
- Analyzing and modifying network protocols
- Creation of malware or backdoors embedded into network protocols
- Protocol vulnerability memory patching
- Firewall at protocol layer
- As a post-exploitation tool
- Whatever you can create with plugins using your imagination
Station 4 : SimpleRisk, Enterprise Risk Management
As security professionals, almost every action we take comes down to making a risk-based decision. Web application vulnerabilities, malware infections, physical vulnerabilities, and much more all boil down to some combination of the likelihood of an event happening and the impact of that event. Risk management is a relatively simple concept to grasp, but the place where many practitioners fall down is in the tool set. The lucky security professionals work for companies who can afford expensive GRC tools to aid in managing risk. The unlucky majority out there usually end up spending countless hours managing risk via spreadsheets. It’s cumbersome, time consuming, and just plain sucks.
After starting a Risk Management program from scratch at a $1B/yr company, I ran into these same barriers and where budget wouldn’t let me go down the GRC route, I finally decided to do something about it. At BlackHat 2013, I would like to formally debut SimpleRisk, a simple and free tool to perform risk management activities. Based entirely on open source technologies and sporting a Mozilla Public License 2.0, a SimpleRisk instance can be stood up in minutes and instantly provides the security professional with the ability to submit risks, plan mitigations, facilitate management reviews, prioritize for project planning, and track regular reviews. It is highly configurable and includes dynamic reporting and the ability to tweak risk formulas on the fly.
Demo by: Josh Sokol
Version demoed at Blackhat Arsenal : 20130718-001 Release Notes
Link for download : http://www.simplerisk.org/downloads.php — Slides >> https://media.blackhat.com/us-13/Arsenal/us-13-Sokol-SimpleRisk-Slides.pdf — Pack for Blackhat attendees https://www.dropbox.com/sh/zsuhqlx3qhay4mu/jagGJwDDx6 It includes SimpleRisk documentation, a presentation, and the latest release.
Josh about the Arsenal: “It was a pleasure meeting you and thanks again for selecting me/SimpleRisk to participate in the Arsenal this year. It was a fantastic experience that hopefully I can do again in the future. Very cool to see so many awesome open source tools in one place”
Station 5 : ModSecurity, Open Source WAF
ModSecurity is a cross-platform (Apache, IIS and Nginx), open source web application firewall module maintained by Trustwave SpiderLabs Research Team. Its popularity is mainly due to its powerful rules language which provides security personnel a means to quickly develop defenses for emerging attack scenarios or virtual patching for identified web application vulnerabilities.
Along with its Lua API and data modification capabilities, it provides unparalleled flexibility for custom integrations and security logic.
This Arsenal Demo includes many live setups where Black Hat attendees will be able to play with the ModSecurity defenses and try and evade its detections.
Demo by: Ryan Barnett
Version demoed at Blackhat Arsenal : v2.7.5 (announced during the Blackhat)
Link for download : http://www.modsecurity.org/ — Slides >> https://media.blackhat.com/us-13/Arsenal/us-13-Barnett-ModSecurity.pdf
Station 6 : Viproy, VoIP Penetration and Exploitation Testing Kit
Viproy VOIP Pen-Test Kit is developed to improve quality of SIP Penetration Tests.
Awesome demo about how easy breaking into VoIP networks is with Viproy. Fatih is a very nice, talented and cheerful hacker. I had great pleasure talking with him before his show.
Version demoed at Blackhat Arsenal : v1.5 released at Arsenal
Link for download : www.viproy.com/voipkit —- https://github.com/fozavci/viproy-voipkit — Slides >> https://media.blackhat.com/us-13/Arsenal/us-13-Ozavci-Viproy-VoIP-Pen-Test-Kit-Slides.pdf
Station 7 : ShinoBOT/ShinoC2
A RAT (remote administration tool) and C2 (command/control) server for measuring a target company may or may not provide enough insight, especially when simulating a highly focused attack. After launching the RAT, control will be established by the C2 server. The attacker can then do everything from the C2 server.
- Get Local Files
- Download & Exec
- Exec a command from cmd.exe, etc.
Demo by: Shota Shinogi
Version demoed at Blackhat Arsenal : v22.214.171.124
Link for download : http://shinoc2.shinosec.cloudns.org/shinoc2/ — Slides >> http://www.toolswatch.org/wp-content/uploads/2013/08/ShinoBOT_ShinoC2.pdf
Shota about the Arsenal and Blackhat: “I was invited to the VIP & Speaker Party, which was held in the penthouse of Caesar’s Palace, met many famous hackers, and absolutely became drunk. The Arsenal event was awesome. Many people came to my booth and gave me advice that is helpful for my road-map. This was my first time as a speaker at Black Hat and it was 100 times more exciting than joining as an attendee.”