Blackhat Arsenal USA 2013 Wrap-Up Day 1

Blackhat Arsenal USA 2013 Wrap-Up Day 1

The 5th session of the Blackhat Arsenal just ended and with it countless memories and strong  moments. For this edition, the small team of toolswatch.org (Maxi Soler @maxisoler and I) were present at the Arsenal’s booth to serve and guide you. And it was a tremendous pleasure for us.

IMG_20130731_092801
Maxi Soler @maxisoler (Toolswatch Team) /  Blackhat Arsenal Dude.
He was recovering from the Blackhat VIP Party 🙂

I bet you have noticed that Arsenal came back greater than ever and unlike the previous editions with several changes. The most significant is a whole dedicated “Ballroom”. The Arsenal took place in this central place “Milano Ballroom” just in front of “Sponsors Area”. It was so easy to find us.

IMG_20130731_085213

Arsenal Schedule

A major difference was also introducing: the “Turbo Talks” space where the speakers had average 45 minutes to perform a demo on a large screen in front of a seated audience.

IMG_20130731_091510The Turbo Talks Space 

The conventional pods were replaced by “Station booths” equipped with all the necessary connectivity. Finally, during the breaks, coffee, beverages and lunch were served to audience. It’s always nice to stroll between stations and hug speakers with something to bite and to sip on.

  IMG_20130731_092046
View from Milano Ballroom – Day 1

Before relating the  two days of madness at the Arsenal, I would like to take this opportunity to thank from my heart all the Blackhat / UBM team who worked hard and behind the scenes to give this event the right place it deserves. A special big hug  to Trey Ford (General Manager Blackhat) and Shannon O’Fallon (Special Events Director at Blackhat) for their sense of professionalism.


Trey the General Manager at Blackhat

IMG_20130731_105252

With Shannon at the Arsenal. She worked hard to coordinate everything.
A big thank you.

A bunch of security tools for this first day. Exactly 22 tools presented in the 8 stations plus 7 Turbo Talks demos. The choice was wide and ranged from Web application, Mobile hacking, Malware analysis, Forensics,  Fuzzing, Vulnerability assessment, Cars hacking, mastering shellcodes,  Social network intelligence to Hardware hacking and so on

Here is the list of the tools presented this first day. I will try to keep this post updated with exact versions, major changelog and releases announced during the Arsenal. I still miss some pictures from speakers. Because it was a bit tough to bounce from station to station and cover everything. This event was huge

For now, I received few feedbacks from the speakers. Many are recovering after the Blackhat, the Defcon and all Parties.

Wave 1: Those demos took place from 10:00 to 12:30

Station 1 : OSfooler, Remote OS Fingerprint is Over

OSfooler intercepts all traffic that your box is sending in order to camouflage and modify in real time the flags in TCP/IP packets that discover your system.

IMG_20130731_095734
Jaime at the booth & booting

This tool is a practical approach for detecting and defeating:

  • Active remote OS fingerprinting: like Nmap or Xprobe
  • Passive remote OS fingeprinting: like p0f or pfsense
  • Commercial engines like Sourcefire’s FireSiGHT OS fingerprinting

IMG_20130731_110944
OSfooler demo

Some features are:

  • No need for kernel modification or patches
  • Highly portable
  • Will emulate any OS
  • Capable of handling nmap and p0f fingerprint database (beta phase)
  • Transparent for the user
  • Undetectable for the attacker
  • Available for your Linux laptop, server and mobile device

Demo byJaime Sanchez
Version demoed at Blackhat Arsenal : First Release at Arsenal
Link for download : http://code.google.com/p/osfooler/

Jaime about Arsenal: “It has been a pleasure staying in the Arsenal. It was really awesome, thank you for the opportunity of being there. Hope to see you again in next Arsenal”

Station 3 : RAFT 3

RAFT (Response Analysis and Further Testing) is an open source Python tool designed to assist with web application assessments.

IMG_20130731_095714

Greg & Nathan at the Station before the show

RAFT is based on the embedded WebKit browser features available in PyQT. In today’s modern web applications, page generation is highly dynamic with heavy reliance on JavaScript and asynchronous requests. RAFT uses the built-in web browser support to provide analysis capabilities for stored response information. RAFT can interact directly with the rendered content using the browser DOM and injected JavaScript callbacks. This provides interesting capabilities such as fuzzing for DOM based XSS injections in previously captured responses or simulating Clickjacking attacks.

Demo by: Gregory Fleisher and Nathan Hamiel
Version demoed at Blackhat Arsenal : 3.0.1-pre
Link for download : https://code.google.com/p/raft/

Greg about the Arsenal:My experience overall was very positive. I think the Arsenal is a great way to demo tools and give people an opportunity to interact with conference attendees”

Station 4 : PyPTP

PyPTP is a Python based Pointer-to-Pointer fuzzer which allows for dynamic mapping of Python modules making calls through ctypes into C/C++ DLLs

IMG_20130801_165926

Matt performing at Turbo Talk

PyPTP boasts a 90-96% code mapping feature that allows for you to easily crawl through python code and extrapolate function calls and the datatypes required to execute those functions.

Demo by: Matt Bergin
Version demoed at Blackhat Arsenal : (awaiting information)
Link for download : (awaiting information)

Station 5 : Smartphone Pentest Framework

The smartphone penetration testing framework, the result of a DARPA Cyber Fast Track project, aims to provide an open source toolkit that addresses the many facets of assessing the security posture of these devices. We will look at the functionality of the framework including information gathering, exploitation, social engineering, and post exploitation through both a traditional IP network and through the mobile modem, showing how this framework can be leveraged by security teams and penetration testers to gain an understanding of the security posture of the smartphones in an organization.

IMG_20130731_113915

G. at Station 5

IMG_20130801_153508
G. at Turbo Talk

SPF can be used as a pivot to gain access to an internal network, gaining access to additional vulnerabilities. SPF can be used to bypass filtering, using SMS to control an exploited internal system. Demonstrations of SPF functionality will be shown.

Demo by: Georgia Weidman
Version demoed at Blackhat Arsenal : 0.2.1 with backdooring APKs and Master Key Vulnerability (2 improvements released at Arsenal)
Link for download : https://github.com/georgiaw/Smartphone-Pentest-Framework

Station 6 : FSFlow

SFlow is a social engineering telemarketer-style call flow application. A call flow guides the social engineer during the call to their target, providing step by step talking points, quick logging of target responses, and an easy way to track pieces of information gained during the call. XML-Based call flows allow anyone to create the a flow and share it with others so they can reproduce the attack.

IMG_20130731_092106
Brad just arrived at the Booth

Demo by: Brad Antoniewicz in replacement of Pat McCoy
Version demoed at Blackhat Arsenal: v.0.1.2
Link for download:  https://github.com/OpenSecurityResearch/fsflow  — Documentation >> http://blog.opensecurityresearch.com/2013/08/fsflow-social-engineering-call-flow.html

Station 7 : ShellNoob

ShellNoob is a tool that eases the writing and debugging of shellcode by taking care of all the parts that even a noob could do, and leaving only the fun part for the artist.

IMG_20130731_152054

With Yanick the italiano just before his demo

ShellNoob can convert shellcode from and to many different formats: asm (both Intel and ATT syntax), bin, hex, object, executable, C, Python, bash, Ruby and pretty. It can also automatically resolve the numeric value of all the constants (e.g., O_RDWR) and, similarly, of all the syscalls: as this is performed by generating and executing code on-the-fly, it’s easy to extend this feature to a variety of different architectures.

IMG_20130731_152214

ShellNoob Keynote at Turbo Talks space

A debug switch is implemented as well, that conveniently put a breakpoint at the beginning of the shellcode: with that, it’s immediate to assemble the shellcode and have gdb ready to single-step into it. Finally, ShellNoob comes with an interactive opcode-to-binary (and binary-to-opcode) conversion mode, where one can quickly check to which bytes a given instruction is assembled to: this is really valuable when specific bytes cannot be used to successfully exploit a vulnerable program.

IMG_20130731_155301

Kind word from Yanick. Really appreciate buddy.

Demo by: Yanick Fratantonio
Version demoed at Blackhat Arsenal : v2.0.0.0.1 (version released at Arsenal)
Link for download : https://github.com/reyammer/shellnoob

Yanick about Arsenal: “Thank you for having me there, I met a shitton of awesome people! “

Station 8 : VScan – Open Source Vulnerability Management Solution

Usually, after we performed a Vulnerability Assessment in our organisation, we continue our work with the development of an plan of security improvements with the ultimate goal of reducing the risk and threats and be in conformity with security politics and requirements.

IMG_20130731_093840

Federico before starting the demos

This security improvements plan can be difficult to carry out in time, if we cannot in a simple way measure our progress and simplify the process of resolution of vulnerabilities.

To address these issues Federico developed VScan, an open source Vulnerability Management System.

Demo by: Federico Massa
Version demoed at Blackhat Arsenal : Version 0.1 – Initial releas  (released to public at Arsenal)
Link for download : http://www.vanguardsec.com/VScan-BH_Arsenal.tar.gz ( install instruction http://www.vanguardsec.com/Install_VScan-BH_Arsenal.txt)

Federico about Arsenal: “My experience was totally positive, was a pleasure to share some days with great people and hackers.
The cordiality and professionalism of Toolswatch and Black Hat staffs was exceptional”

Wave 2: Those demos took place from 12:45 to 15:15

Station 1 : JMSDigger the Enterprise Messaging Application assessment tool

JMSDigger is a new tool that can be leveraged to engage and assess enterprise messaging applications with the current release focuses on ActiveMQ.

gursev

 At station 1, Gursev shows how the trick ActiveMQ

JMSDigger has following features:

  • Validate credentials and perform credential bruteforce
  • Dump destinations (topics, queues and queue browsers)
  • Create, dump and delete durable subscribers
  • Perform anonymous authentication
  • Password Decryption
  • Retrieve Statistics for Broker, Topic and Queues
  • Create dynamic queues and topics

IMG_20130731_095316
Brad & Gursev the Foundstone team before the show

Demo by: Gursev Singh Kalra
Version demoed at Blackhat Arsenal : Released at Arsenal
Link for download : https://github.com/OpenSecurityResearch/jmsdigger

Gursev about Arsenal:@ToolsWatch is totally awesome and he handsomely manages the great event within the @BlackHatEvents!”

Station 2 : ThreadFix – The Vulnerability Aggregation & Management System

ThreadFix is a software vulnerability aggregation and management system that reduces the time it takes to fix software vulnerabilities. It imports the results from dynamic, static, and manual testing to provide a centralized view of software security defects across development teams and applications.

IMG_20130731_102622

 Dan doing a great demo and showing awesome dashboards

The system allows companies to correlate testing results and streamline software remediation efforts by simplifying feeds to software issue trackers. By auto-generating application firewall rules, this tool allows organizations to continue remediation work uninterrupted.

ThreadFix empowers managers with vulnerability trending reports that show progress over time, giving them justification for their efforts.

Demo by: Dan Cornell
Version demoed at Blackhat Arsenal : 1.2RC2
Link for download : https://code.google.com/p/threadfix/

Station 3 : Lair – Centralize data from pentesting tools

Lair is an open-source project developed for and by pentesters. Built on Meteor and Node.js with a dash of Python, Lair is a web application that normalizes, centralizes, and manages diverse test data from a number of common tools including Nmap, Nessus, Nexpose, and Burp.

lair

Folks from FishNet Security demoing LAIR

Unlike existing alternatives, Lair encourages team-based collaboration by automatically pushing updates to team members in real time. Paired with it’s workflow and documentation management, Lair offers a single solution for performing a detailed, thorough penetration test individually or as a team in a manner that has not been done before.

Demo by: Tom Steele
Version demoed at Blackhat Arsenal : v0.1.5
Link for download : https://github.com/fishnetsecurity/Lair

Tom about Arsenal : “Arsenal was awesome”

Station 4 :  The Cat’s Meow

Cat’s Meow is a tool used during our penetration testing which analyzes the most common password scheme seen during our decoding and decryption stage of post exploitation.

Taylor kicking with his tools 

The tool reads in a password list of already obtained cleartext passwords and produces the most commonly seen Hashcat Masks which can then in turn be used to more quickly reverse other passwords.

Demo by: Taylor Pennington
Version demoed at Blackhat Arsenal : (awaiting info)
Link for download : (awaiting info)

Station 5 : ThunderCell

ThunderCell is a new all encompassing mobile security distribution providing the most comprehensive toolset for mobile vulnerability research, exploitation, forensics, and application auditing.

IMG_20130731_134708

The included tools span multiple mobile platforms including Android, iPhone, Windows Phone, BlackBerry, and Software Defined Radio, among others. Created and maintained by mobile researchers, ThunderCell is developed with mobile security practitioners in mind, with everything you need for your next engagement, class, or research project.

Demo by: Awaiting name (in replacement of G. Weidman)
Version demoed at Blackhat Arsenal : (awaiting info)
Link for download : (awaiting info)

Station 6 : Dude, WTF in my car ?

The car ECU tuning market is weird. There is little help from people already in it, and most of the equipment is expensive. Well, not anymore!

IMG_20130731_161341
Alberto & Javier talking about hacking cars

We will show a tool that was built under $25, and that is able to bypass all the security in the car ECU, based of a BOSCH EDC15 and EDC16, which has RSA 256 and seed/key algorithm protection.

IMG_20130731_130004
The proof of concept based on Arduino showcased during the Arsenal

We will show live demonstrations of how the tool works, with logic analyzer and explanation of all the processes that take place.

Black Hat Arsenal gives a unique opportunity to have a close look at tools, so we will explain the most practical side of our tool instead of going deep into the low level explanation, to exploit the most of BH-Arsenal concept.

IMG_20130731_125946
Audience at WTF in my Car

All of this will help the end user to realize that even cars, have secrets that can be “unlocked.”

Demo by: Alberto Garcia Illera and Javier Vazquez Vidal
Version demoed at Blackhat Arsenal : Proof of Concept released to public during Arsenal
Link for download : http://pastebin.com/EwVtNvsb (ECU tool Arduino DEMO code)

Station 7 : Automated Electromechnical PIN Cracking

Robotic Reconfigurable Button Basher (R2B2) is a robot designed to manually brute force PINs or other passwords via manual entry. R2B2 can operate on touch screens or physical buttons. R2B2 can also handle more esoteric lockscreen types such as pattern tracing. R2B2 can crack a stock Android 4 digit PIN exhaustively in 20 hours. Times for other devices vary depending on lockout policies and related defenses.

IMG_20130731_153421R2B2 in action and cracking mobile PIN code (based on Arduino to control it)

Capacitive Cartesian Coordinate Bruteforceing Overlay (C3BO) is a combination of electronics designed to electrically simulate touches on a capacitive touch screen device. C3BO has no moving parts and can work faster than R2B2 in some circumstances.

See here a small video i recorded. It was funny to see this Robot PIN cracking a mobile phone. Where the world is coming to ?

Both tools are built with open source software. Parts lists, detailed build instructions, and STL files for 3d printed parts will be available for download.

Demo by: Justin Engler
Version demoed at Blackhat Arsenal : (awaiting info)
Link for download : (awaiting info)

Wave 3: Those demos took place from 15:30 to 18:00

Station 1 : Registry Inspector Forensics  RIF

Registry Inspector Forensics (RIF), based on the widely used Registry Decoder, is a powerful registry forensics platform. It features the ability to acquire and analyze numerous registry hives simultaneously, intelligent search, a plugin-based architecture, both GUI and full command line support and the ability to parse and analyze memory-resident hive files including the volatile hives.

IMG_20130731_154717
Lodovico showing RIF in action

This functionality is perfectly suited for forensic investigations, malware analysis, and incident response scenarios. The project is free and open source and under active development.

Demo by: Lodovico Marziale
Version demoed at Blackhat Arsenal : (awaiting info)
Link for download : (awaiting info)

Station 2 : Dalvik Inspector

Dalvik is the process Virtual Machine used by Android that powers all non-native applications used on Android devices. Through Dalvik memory analysis, a wealth of insight can be gained into the workings of a running application, including all instantiated objects (classes) and the variables, methods, and other per-instance class information. Analysis of structures at this level will allow investigators to see internal application-level state in its “native” form. This is an important evolution in state of cutting edge memory forensics, which allows the investigator to move above the kernel level and see higher-level structures in readable form and with broad context.

IMG_20130731_154708
Joe about Dalvik at Station 2

Our new tool, Dalvik Inspector, provides an easy-to-use graphical interface which allows parsing Dalvik-level constructs from memory captures of Android devices, and facilitates deep, standalone analysis of Android application-internal structures. Dalvik Inspector will be immediately useful for malware analysis, incident response, and traditional forensics investigations.

Demo by: Joe Sylve
Version demoed at Blackhat Arsenal : (awaiting info)
Link for download : (awaiting info)

Station 3 : SocialKlepto

The first toolkit SocialKlepto can collect valuable competitive intelligence and steal your competitors’ customers without infiltrating their computer networks. SocialKelpto can monitor every social activity of your competitors or any company using a controlled network of fake social accounts, REST APIs, database search, and data analysis. Specifically, the SocialKlepto system can build effective fake LinkedIn accounts, establish trust within business circles, send bulk of persuasive invitations, and monitor every activity of your competitors. Finally, using big data analysis, it can extract valuable information that can turn into sales opportunities and revenue.

IMG_20130731_113740
Jason talking to Audience before the show

The second tool is an open and free Chrome plugin for LinkedIn privacy settings. We will release this defensive tool that easily help LinkedIn users check and set their privacy settings, in order to protect them from such social attacks.

IMG_20130731_114902
Jason performing at the Turbo Talk

Demo by: Jason Ding
Version demoed at Blackhat Arsenal : Initiale Release
Link for downloadhttps://github.com/dingzj/linkedin_klepto  –  Slides here >> https://media.blackhat.com/us-13/Arsenal/us-13-Ding-SocialKlepto-Slides.pdf

Jason about Arsenal: “Excellent experience at arsenal this year, as we can have both demo hours and turbo presentation, seems better than briefing!. Thanks for the organizing Arsenal event, I really enjoyed it.

Station 4 : KFuzz

Kfuzz was my take on kernel level device driver fuzzing with Python. I used Python’s ctypes module to interact with the OS kernel and from there manage memory and make subsequent calls to the driver loaded into the kernel.

The tool machine “Matt” at Station discussing his tool(s)

Demo by: Matthew Bergin
Version demoed at Blackhat Arsenal : (awaiting info)
Link for download : (awaiting info)

Station 5 : g0tbeEf

ulti-threaded Python based ARP Poisoning with an Asynchronous Queue using IPTables and QUEUE deigned to capture HTTP traffic and inject a BeEF hook.

Demo by: Taylor Pennington
Version demoed at Blackhat Arsenal : (awaiting info)
Link for download : (awaiting info)

Station 6 : HackRF

The HackRF project is developing an open source hardware design for a low cost Software Defined Radio (SDR) transceiver platform. SDR technology allows a single piece of equipment to implement virtually any wireless technology (Bluetooth, GSM, ZigBee, etc.), and we hope the availability of a low cost SDR platform will revolutionize wireless communication security research and development throughout the information security community.

IMG_20130731_152910
Michael setting the booth

IMG_20130731_154151

Audience hypnotized by Michael & Jared’s talk & demo

Having distributed hundreds of beta units (HackRF Jawbreaker) and soliciting feedback, Black Hat Arsenal Tools USA 2013 is the first chance to see the next generation hardware design in person.

IMG_20130801_123447
Impressive HackRF hardware stuff (see the book’s name 😉 )


Jared hacking the stuff

Demo by: Michael Ossmann & Jared Boone
Version demoed at Blackhat Arsenal : First release of Next Generation Hardware Design to public
Link for download : http://greatscottgadgets.com/hackrf/

Michael about Arsenal: “ Thanks for having us! We had a great time talking to people about #hackrf “

Station 7 : Triana

I am going to be presenting a new tool for analysing malware or possible threats in certain scenarios where the malware is not accessible or, because legal requirements, it’s not possible to provide access to the files to the researchers. This is also a good starting point for newcomers and well-established forensic and malware researchers who want to quickly analise possible threats.

In my talk we’ll start with current status of malware analysis. Companies that cannot afford having a security team dealing with incoming threats and still want to be responsive against targeted attacks. How they can do it? How we can provide them with a solution to prevent infections?

Altought this is a good start, people will find sometimes themselves without access to all the information… even without access to the file! How we can do the previously presented analysis if we cannot access the faulting file? We’ll present different solutions to obtain enough information about the malware using only public available information.

Finally we’ll present Triana, a tool for collecting and analysing all this information and integrate it into a report (DOCX and JSON) that will consolidate the results and provide a score about the malware thread.

Demo by: Juan Garrido
Version demoed at Blackhat Arsenal : (awaiting info)
Link for download : (awaiting info)  — Slides here >> https://media.blackhat.com/us-13/Arsenal/us-13-Garrido-Triana-Slides.pdf

Station 8 : TinyLane

The TinyLANE™ is a small mobile encryption device developed by Peak Security, Inc. to allow individuals and businesses to create instant AES256 point-to-point tunnels between two or more TinyLANEs utilizing individual keys for each connection.

IMG_20130731_154906
Rob a very talented hacker

The TinyLANE™ is capable of functioning on most hardware platforms including ARM, x86, and 64-bit based processors in addition to throughput at near line speed on most connects up to 10 Gigabit.

IMG_20130731_164642
Folks at Peak Security during the show

Demo by: Rob Bathurst
Version demoed at Blackhat Arsenal : (awaiting info)
Link for download : (awaiting info)

 Fun moment with some security rockstars at the Arsenal

IMG_20130731_115140
Jayson E. Street, you may know him as #AwkwardHug dude. He is also author of many awesome security books (http://f0rb1dd3n.com/) and a great speaker at Blackhat & Defcon and many many other Sec Cons. (spotted without Pepsi WTF!!)

IMG_20130731_115104
That’s what i’m talking about. The #AwkwardHug

IMG_20130731_124104

Michelangelo Sidagni, CTO & Founder at Nopsec, finally we met. Nopsec is doing a great job by providing a new visionary solution to handle vulnerability management >> http://www.nopsec.com/

IMG_20130801_174104
Javvad Malik taking picture with Gursev (Foundstone dude) & Adi (Spary Tool). Javvad is now a security rockstar doing the best awareness video coated with a so-british sense of humor. Find his work here http://www.j4vv4d.com/ Did i mention he is also a talented security analyst at 451 https://451research.com/biography?eid=606


 Doing a “buddy cop audition” in Las Vegas. When Javvad does something, it’s always with some class. The car used for this montage is a White sexy Mustang 🙂

Jaime (OSfooler) at VIP Party trying to hack a Piano and Juan (Triana) telling him something fun (probably, hey amigo, the ethernet cable is not plugged). Did i mention that those folks have awesome tools ?

To be continued …. Blackhat Arsenal Day 2 Wrap-up coming next!

NJ Ouchn

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"