Black Hat USA 2014 – Arsenal Tools Speaker List

Black Hat USA 2014 – Arsenal Tools Speaker List

We are very pleased to announce that Black Hat Team has released the Lineup for Arsenal Vegas 2014.

BH Arsenal is a Tool/Demo area where independent researchers and the open source community will showcase some awesome weapons.


When and Where

  • August 6, 2014 | 10:00 – 18:00 | Breakers DEJK | Schedule

  • August 7, 2014 | 10:00 – 18:00 | Breakers DEJK | Schedule

Hashtags: #BHUSA #BHArsenal



Android Device Testing Framework

The Android Device Testing Framework (“dtf”) is a data collection and analysis framework to help individuals answer the question: “Where are the vulnerabilities on this mobile device?” Dtf provides a modular approach and built-in APIs that allows testers to quickly create scripts to interact with their Android devices. The default download of dtf comes with multiple modules that allow testers to obtain information from their Android device, process this information into databases, and then start searching for vulnerabilities (all without requiring root privileges). These modules help you focus on changes made to AOSP components such as applications, frameworks, system services, as well as lower-level components such as binaries, libraries, and device drivers. In addition, you’ll be able to analyze new functionality implemented by the OEMs and other parties to find vulnerabilities.

Presented By: Jake Valletta

Automated Memory Analysis

Automated Memory Analysis is a set of new innovative Cuckoo Sandbox plugins that adds new dynamic and memory analysis abilities such as:

  • Trigger-Based memory analysis: Taking multiple memory dumps during execution in “strategic moments” by analyzing API calls, CPU performance counters, and tracing execution with Dynamic Binary Instrumentation techniques.
  • Memory Dump differential analysis: Detecting malicious artifacts during binary execution using Virtual Machine Introspection techniques.
  • Mis-behavioral analysis: Detecting malware that evade traditional API-call behavioral analysis using low-level kernel hooks.

Demonstrations will cover how the plugins can help security researchers analyze advanced malware.

Malware samples such as Snake (Uroburos), Stuxnet, and friends that evaded analysis will be dissected live to demonstrate the toolkit abilities.

Presented By: Tomer Teller



A bag of fresh and juicy 0days is certainly something you would love to get as a Christmas present, but it would probably be just a dream you had one of those drunken nights.

Hold on! Not all is lost! There is still hope for pwning targets without 0days.

We will walk you through multiple real-life examples of client-side pwnage, from tricking the victim to take the bait, to achieving persistence on the compromised system.

The examples will be highly practical and will demonstrate how you can do proper client-side exploitation effectively, simply by abusing existing functionalities of browsers, extensions, legacy features, etc.

We’ll delve into Chrome and Firefox extensions (automating various repetitive actions that you’ll likely perform in your engagements), HTML applications, abusing User Interface expectations, (Open)Office macros and more. All the attacks are supposed to work on fully patched target software, with a bit of magic trickery as the secret ingredient.

You might already know some of these exploitation vectors, but you might need a way to automate your attacks and tailor them based on the victim language, browser, and whatnot. Either way, if you like offensive security, this is for you.

Presented By: Michele Orrù (antisnatchor)

BReWSki (Burp Rhino Web Scanner)

BReWSki (Burp Rhino Web Scanner) is an extension to the Burp Suite scanning and reporting functionality. BReWSki provides Burp Suite users with a JavaScript interface to write custom scanner insertion points, passive, and active scan definitions for Burp quickly without having to understand the internals of the Burp API. BReWSki comes with useful checks to help identify application vulnerabilities.

Presented By: Alex Lauerman & Chris Bellows

C-SCAD: Assessing Security Flaws In ClearSCADA Web-X Client!

C-SCAD is an information gathering and penetration testing tool written to assess the security issues present in the Web-X (Internet Explorer-based web interface) client used to interact with the ClearSCADA server. Web-X client is hosted on the embedded web server which is shipped as a part of complete ClearSCADA architecture. Primarily, the Web-X client is restricted to perform any configuration changes but it can reveal potential information about the ClearSCADA server and associated components. Insecure deployments of WEB-X client can reveal potential information about the various functions such as alarm pages, SQL lists, and diagnostic checks including various reports. C-SCAD is authored in Python and is capable of the following:

  • Enumerates active users configured for the Web-X access
  • Enumerates configured databases and SQL lists for the ClearSCADA
  • Performs complete configuration check for exposed components
  • Verifies access to diagnostic page and dumps required information
  • Executes dictionary attacks for checking weak credentials
  • Triggers Shodan search queries for exposed ClearSCADA Web-X client on the Internet

Presented By: Aditya K. Sood



We will present CHIPSEC, an open source framework for platform security assessment. We will briefly describe some publications related to platform security (Secure Boot bypasses, badbios, etc.) and explain related tests in CHIPSEC. Then we will demonstrate how to use CHIPSEC to detect insecure platform configuration and perform forensics of SPI flash images.

Presented By: Yuriy Bulygin



The stream of malicious software artifacts (malware) discovered daily by computer security professionals is a vital signal for threat intelligence, as malware bears telling clues about who active adversaries are, what their goals are, and how we can stop them. Unfortunately, while security operations centers collect huge volumes of malware daily, this “malware signal” goes underutilized as a source of defensive intelligence, because organizations lack the right tools to make sense of malware at scale.

To contribute to addressing this problem we will be launching at the opening of Black Hat USA 2014. Cynomix will include three key, novel capabilities that we hope will broadly impact the way malware analysis is performed:

  • A subsystem for revealing “social network” style relationships between malware samples based on their shared characteristics. This subsystem allows analysts to see a group of malware samples in relation to a population-scale database of millions of malware samples.
  • A subsystem for revealing malware sample capabilities based on correlations between samples’ extracted technical symbols and a machine-learning model trained on web question-and-answer documents.
  • A subsystem for automatically generating statistically principled Yara signatures for malware samples and malware sample groups based on Bayesian reasoning at scale. This subsystem will allow users of Cynomix to quickly defend against new malware families before anti-virus companies generate signatures for them.

In our demonstration presentation at Black Hat Arsenal we will introduce Black Hat attendees to, which will host a freely available version of our system. As part of our demonstration we will give detailed explanations of our platform’s visualizations and algorithms while also helping people to sign up to use the system in their own security operations work.

Presented By: Giacomo Bergamo


DAMM: A Tool For Differential Analysis Of Malware In Memory

Detecting malware is difficult, and analyzing a detected piece of malware’s behavior is even more difficult. Techniques for analysis generally fall into one of three camps: static analysis of the malicious binary on disk, dynamic analysis as the binary executes, or a hybrid approach using a snapshot of physical RAM taken as the malware executes. As the result of our DARPA Cyber Fast Track (CFT) funded research, we extend this third approach. We present a novel technique for leveraging information including multiple snapshots of physical RAM for malware detection and analysis. The technique is implemented as DAMM, a tool for differential analysis of malware in memory. DAMM functions by leveraging multiple snapshots of RAM, domain knowledge about known-benign in-memory artifacts, and indicators of malicious activity to present to the user a powerful view of malicious execution in memory.

Presented By: Dr. Vico Marziale



Does your application have dependencies on third party libraries? Do you know if those same libraries have published CVEs? OWASP Dependency-Check can help by providing identification and monitoring of the libraries your application uses, notifying you that vulnerabilities (CVEs) have been published for third party code your application uses. Jeremy will be demonstrating the tool and the various ways enterprises can use the tool to perform continuous monitoring of their applications’ dependent libraries.

Presented By: Jeremy Long



Dradis is an extensible, cross-platform, open source collaboration framework to manage security assessments. It can import from over 15 popular tools including Nessus, Qualys, and Burp. Started in 2007, the Dradis Framework project has been growing ever since.

This year at Black Hat 2014 we want to liberate a major release: Dradis Framework 3.0 with a ground-up rewrite of all the core basic components, a new, clean, modern web interface, API layer (with client bindings), new plugins, and several enhancements that will make managing your security assessments a breeze.

Come and check it out – we’ve got new stickers!

Presented By: Daniel Martin


Filibuster – Filtering Testing Tool

Filibuster is used to map port filtering / protocol filtering devices and is useful for both red and blue team engagements.

It is written in Python without the 1000 port limitation in other egress scanners.

FREE, which is cheaper than other commercial solutions without the exposure of egress rules to said third party companies.

Presented By: William Coppola


Flowinspect: Yet Another Network Inspection Tool

Flowinspect is a tool developed specifically for network monitoring and inspection purposes. It takes network traffic as input and extracts layer 4 flows from it. These flows are then passed through an inspection engine that filters and extracts interesting network sessions. For flows that meet inspection criteria, the output mode dumps match statistics to either stdout or a file or both.

The primary difference between flowinspect and other network inspection tools is that flowinspect inspects network flows instead of individual layer 4 packet contents. As such, if for a flow certain data to be matched upon spans multiple packets, flowinspect would still be able to identify it. Inspection can be done in any of the following inspection modes (selected through appropriate command-line arguments):

  • regex: PCRE-compatible regular expressions
  • fuzzy: fuzzy string matching techniques
  • shellcode: libemu based (x86 compatible) shellcode detection
  • yara: yara-project based signature detection

There are a few mode-specific options that a user can use to tweak the behavior of the respective inspection engine. For example, regex matches could be made case insensitive, fuzzy string match threshold could be altered, generation of shellcode profile output that lists detected system calls, their arguments, and return values, etc. can be enabled, detected shellcode can be disassembled, and output could be dumped to a file. Once inspection completes, matching flows are passed to the output module that gathers statistics like match size, start of the match offset inside inspection buffer, packet IDs for a match, direction of the match (CTS/STC/ANY), etc. Matched content can also be dumped to a file or pcap generation for matched flows could also be requested.

Apart from these, there are a few other handy options that could prove useful in different network inspection scenarios. For example, inspection could be limited to interesting flows only using Berkeley Packet Filter (BPF) expressions, or via Snort-like offset/depth content modifiers, or via max packet-stream count options. Matches results can be negated, matched TCP flows could be killed, etc.

The current production version includes all the above features. Flowinspect is, however, under active development and new features/bug fixes are being pushed frequently.

Presented By: Ankur Tyagi



FSExploitMe is a purposely vulnerable ActiveX Control to teach you about browser exploitation. Along the way you’ll learn reverse engineering, vulnerability analysis, and general exploitation on Windows.

Presented By: Brad Antoniewicz


Heybe  – Penetration Testing Automation Kit

Heybe is Penetration Testing Automation Kit. It consists of modules that can be used to fully automate pen-tests and make them mode effective. With Heybe you can 0wn all systems in a target company in matter of minutes.

Heybe modules:

  • Fener: fast network discovery tool optimized for speed. Fener leverages several networking tools to discover all hosts within target network.
  • Kevgir : automatic vulnerability scan tool. Kevgir is an automated vulnerability scanning tool optimized for speed. With Kevgir, an entire internal network can be scanned for specific vulnerabilities within minutes.
  • Sees: high precision social engineering tool. Sees is used for performing tail-made social engineering campaigns with high success ratio.
  • Kacak: automatic domain admin takeover tool. Kacak is developed to discover target windows machines in network and take over entire Windows domain automatically.
  • Depdep: post exploitation tool. Depdep is a merciless sentinel which will seek sensitive files containing critical info leaking through your network
  • Cilingir: remote password cracker. Cilingir is a tool used to automate password / hash capturing and cracking process. Captured credentials are automatically sent to a remote password cracking server and cracked passwords are automatically stored in a local loot for usage during pen-test.
  • Levye : brute force tool. Levye is used for automating brute forcing process against common and not so common protocols like openvpn.

Toolkit will be released during the conference.

Presented By: Gokhan Alkan & Bahtiyar Bircan



Ice-Hole is a phishing awareness email program. It is designed to help security analysts/system administrators keep track and test end users. The tool can be used in conjunction with various third party software, like SET, for further leverage. 1.7 has some new features and enhancements like IRC triggers, integrating with a new portal feature, automatic times, dates, and sending reports on a schedule.

Presented By: Darren Manners


IDB – Simplified Blackbox iOS App Pen-Testing

More than ever, mobile apps are used to manage and store sensitive data by both corporations and individuals. During this Arsenal demonstration, we show how our new tool called ‘idb’ can be used to efficiently test iOS apps for a range of common flaws.

In order to enable this, idb’s graphical user interface greatly simplifies the interaction with an iDevice as it automates a large number of previously tedious and manual tasks. Based on this, we demonstrate how to use idb in order to quickly and easily uncover flaws involving data storage, inter-process communication, network communications, and user input handling as seen in real-world applications. This will illustrate how apps commonly fail to safeguard sensitive data and show how idb can arm security professionals and developers with the means necessary to find these flaws from a black-box perspective.

idb is open source and available on Github at

Presented By: Daniel Mayer


IMAS – iOS Mobile Application Security Libraries

iOS App Integrity – Got Any?

iOS apps are vulnerable to static analysis and attack through binary code patching. Incorporating jailbreak and debugger detection algorithms can be rendered useless with a quick binary patch. Once patched the app can be further exploited, its app data stolen, and even cloned. The iMAS research team, the team that brought Encrypted CoreData (ECD) to Github open source, has your back! At this talk we will introduce open source Encrypted Code Modules (ECM) as a technique to protect sensitive enterprise iOS applications. Using ECM as the base we will demonstrate an iOS app anti-tamper technique that is considerably more resistant to patching. We will walk through this step-by-step process to make your iOS apps more secure and … authentic.

Presented By: Gregg Ganley



Impacket is a collection of Python classes focused on providing access to network packets. Impacket allows Python developers to craft and decode network packets in simple and consistent manner. It includes support for low-level protocols such as IP, UDP and TCP, as well as higher-level protocols such as NMB, SMB and MSRPC and DCOM. Impacket is highly effective when used in conjunction with a packet capture utility or package such as Pcapy. Packets can be constructed from scratch, as well as parsed from raw data. Furthermore, the object oriented API makes it simple to work with deep protocol hierarchies.

The following features will be demoed:

  • New RPC and NDR runtime (located at impacket.dcerpc.v5, old one still available):
  • Support marshaling/unmarshaling for NDR20 and NDR64 (experimental)
  • Support for RPC_C_AUTHN_NETLOGON (experimental)
  • The following interface were developed based on its standard definition:
    • [MS-LSAD] – Local Security Authority (Domain Policy) Remote Protocol (
    • [MS-LSAT] – Local Security Authority (Translation Methods) Remote Protocol (
    • [MS-NRPC] – Netlogon Remote Protocol (
    • [MS-RRP] – Windows Remote Registry Protocol (
    • [MS-SAMR] – Security Account Manager (SAM) Remote Protocol (
    • [MS-SCMR] – Service Control Manager Remote Protocol (
    • [MS-SRVS] – Server Service Remote Protocol (
    • [MS-WKST] – Workstation Service Remote Protocol (
    • [MS-RPCE]-C706 – Remote Procedure Call Protocol Extensions (
    • [MS-DTYP] – Windows Data Types (
  • Most of the DCE Calls have helper functions for easier use. Test cases added for all calls (check the test cases directory)
  • ESE parser (Extensive Storage Engine) (
  • Windows Registry parser (
  • TDS protocol now supports SSL, can be used from mssqlclient
  • Support for EAPOL, EAP and WPS decoders
  • VLAN tagging (IEEE 802.1Q and 802.1ad) support for ImpactPacket, done by dan.pisi
  • WMI query and execution

Presented By: Andrés Blanco



Frustrated with the lack of mature tools for iOS security assessment? Wouldn’t you like an integrated toolchain to pull together many of the existing tools, but also integrate new and interesting tools? Perhaps you’d like to use some more advanced iOS hacking/reversing/debugging but don’t have time on the job to learn gdb. Maybe you just want to pick up iOS hacking fast and would like a mature toolchain to help you.

We can help. We’ll be bringing goodies to the table:

  • A “reverse sandbox” in which iOS apps can be run on jailbroken devices. It provides easily configured monitoring, hooking, disabling/enabling, and logging of Objective-C methods, C functions, and other goodies. We’ll show you how to use this to defeat common anti-jailbreaking checks in a matter of minutes.
  • Automated tools to help cover the routine aspects of iOS app security:
    • Insecure functions
    • Insecure network transmission
    • Insecure compiler settings
  • Hands up if you’d rather choke on a pretzel than write a report. Yeah, us too. We’ll be presenting tools that not only do security work, but that provide data that can be easily incorporated into deliverables.
  • We’ll help you streamline your testing by automating a lot of the grunt work, leaving you free to do what you do best: hack.
  • We might even drop some mobile device management 0day! (pending serious people in suits telling us it’s ok)

Presented By: Joe DeMesy


JTAGulator is an open source hardware hacking tool that assists in identifying on-chip debug interfaces from test points, vias, or component pads on a circuit board. The tool can save a tremendous amount of time during reverse engineering, particularly for those who don’t have the skill and/or equipment required for traditional processes. Released at Black Hat USA 2013, the tool supports detection of JTAG and asynchronous serial/UART interfaces. New features are being added as they’re developed to expand the functionality and increase support for other protocols.

Presented By: Joe Grand (formally ‘Kingpin’ of L0pht)


Maltrieve retrieves malware directly from the location where the bad guys serve it. This allows researchers to acquire fresh samples, verify detection systems, and research infrastructure. Maltrieve includes proxy support, multi-threading, Cuckoo submission, and categorization. The tool is community-developed and available under the terms of the GNU General Public License.

Presented By: Kyle Maxwell


Melkor – An Elf File Format Fuzzer

Since its adoption as the standard binary file format for *nix systems, a variety of vulnerabilities in ELF parsers have been found and exploited in OS kernels, debuggers, libraries, etc. Most of these flaws have been found manually through code review and binary modification. Nowadays, 15 years later, common programming mistakes are still being implemented in many ELF parsers that are being released these days very often, either as debuggers, reverse engineering tools, AV analyzers, plugins or as malware (yes, malware has parsers too). Here’s where ELF file format fuzzing comes into the game to help you to identify these bugs in an automated fashion.

In this presentation, I will show you the security risks involved in the ELF parsing process as well as the materialization of such risks by showing different bugs found during this research. After that, I’ll explain how intelligent file format fuzzing can help greatly in the flaw discovery process. Having a good background about the ELF file format and how smart fuzzing could help, I’ll continue with a detailed explanation on how I mixed and implemented both concepts in Melkor – an ELF file format fuzzer.

Melkor, written in C, it’s an intuitive and easy-to-use ELF file format fuzzer. Its fuzzing rules were designed using three inputs: ELF specification violations, programming patterns seen in ELF parsers, and other misc ideas and considerations. In order to have higher code/branch coverage in the programs to be tested, certain metadata dependencies must be in place; I’ll show you how Melkor implements these rules when creating malformed ELF files.
In the end of the presentation, the code of Melkor will be released and I’ll show you how to use it with some live demos where some real-world applications will be tested against fuzzed ELF files.

Happy ELF fuzzing !

Presented By: Alejandro Hernández



ModSecurity is an open source, cross-platform web application firewall (WAF) module. Known as the “Swiss Army Knife” of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a power rules language and API to implement advanced protections. Come checkout the new advancements in ModSecurity and try some hands-on evasion challenges!

Presented By: Ryan C. Barnett


Morning Catch – Phishing Industries

Morning Catch is a Virtual Machine environment, similar to Metasploitable, to demonstrate and teach about targeted client-side attacks. Morning Catch is a fictitious seafood company with a website, self-contained email infrastructure to receive phishing emails, and two desktop environments. One desktop environment is a vulnerable Linux client-side attack surface. The other desktop environment is a vulnerable Windows client-side attack surface. Yes, you’ll get to attack a Windows software target and use Windows payloads against this virtual environment. This Arsenal session will demonstrate some of the things you can do with the Morning Catch environment.

Presented By: Raphael Mudge


Mozdef The Mozilla Defense Platform

Attackers have all the fun. With slick, integrated, real-time, open suites like metasploit, armitage, SET, and lair they quickly seek out targets, share exploits, gain footholds, and usually win.

The time has come for defense to get the same capabilities in an open source platform dedicated to defense and based on modern technology.

To this end the operations security group at Mozilla has developed MozDef: The Mozilla Defense Platform to take on traditional SIEM functionality of event management, alerting and correlation, and expand the real-time capabilities of the defender into automated defense and shared incident response.

Come take a look at what we are building and join in won’t you?!

Presented By: Jeff Bryner



NFCulT stands for NFC ultralight Toolkit. It is the ultimate open source Android app that will let you research and exploit vulnerabilities in ultralight implementations.

It is very useful for finding bugs in transport system all over the world where Mifare Ultralight is very common. It will allow the user the possibility to see, change, and edit every single bit of a ticket to gain an in-depth understanding on how their own utralight implementation works.

It has been used to find the three major vulnerabilities in ultralight implementations for transport systems in the past year.

Presented By: Matteo Beccaro & Matteo Collura


Oops, RFIDid It Again

Last year, we delivered the definitive guide for pen-testers on hacking low frequency (LF – 125KHz) RFID badge systems to gain unauthorized access to buildings and other secure areas. In this second installment, we’re raising the stakes, peeling back the onion even further, and directly confronting the RFID elephant in the room – hacking High Frequency (HF – 13.56 MHz) and Ultra-High Frequency (UHF – 840-960 MHz).

This presentation will serve as a practical guide for penetration testers to understand the attack tools and techniques available to them for stealing and using RFID tag information, specifically for HF and UHF systems. We will showcase the best-of-breed in hardware/software that you’ll need to build out your own RFID penetration toolkit. We’ll also be releasing a slew of new/free RFID hacking tools that employ Arduino microcontrollers, Raspberry Pis, phone/tablet apps, and even 3D printing.

The applications for HF and UHF technologies extend far beyond the realm of simple physical access control, and can also be found in modern credit cards, e-Passports, enhanced driver’s licenses, ski passes, NFC reward cards, public transit passes, and are even used as the foundation of Disney’s new MyMagic+ initiative. Unfortunately, the security and privacy concerns introduced by HF and UHF RFID systems are just as diverse and plentiful.

Some of the topics we will explore are:

  • Overview of best HF/UHF RFID hacking techniques and tools available to get for your toolkit
    • Tools to exploit known weaknesses of various HF RFID access control technologies, such as iClass, MIFARE/DESFire, and LEGIC product family variants
    • Hacking tools/techniques: credit cards, e-Passports, Enhanced Drivers Licenses, …
    • Analysis of Disney’s MyMagic+ RFID deployment
  • Stealing RFID HF badge info from unsuspecting passers-by
    • Overcoming enhanced security features in “contactless smart card” systems, such as encryption, mutual authentication, and challenge/response authentication methods
    • Exploiting default encryption keys and insecure implementations of HF RFID systems
    • Bypassing added security of PIN and biometric controls
  • Replaying RFID badge info and creating fake cloned cards
  • RFID hacking on the move: mobile phone and tablet apps
    • PwnPads, iPads, NFC apps, and much more..
    • Safe data retrieval via Bluetooth Low Energy and 3G cellular channels
  • Attacking badge readers and controllers directly
    • Dumping encryption keys and cached card info directly from target badge readers
  • New RFID tools we’ll be releasing
    • 3D printed custom cases/tools to conceal RFID stealing devices, and implant in readers
    • Arduino and Raspberry Pi based tools for attacking readers directly
    • Android/iPhone/iPad apps for retrieving RFID information
  • Defending yourself from HF/UHF RFID hacking threats

This DEMO-rich presentation will benefit both newcomers and seasoned professionals of the RFID penetration testing field.

Presented By: Francis Brown



The PCI toolkit is based on a decision tree assessment methodology, which helps you identify if your web applications are part of the PCI-DSS scope and how to apply the PCI-DSS requirements. By decomposing, one by one, you will be able to create an assessment and a final report of your scope delimitation and which OWASP guidelines must be used

Presented By: Johanna Curiel


OWASP Zed Attack Proxy (ZAP)

The Zed Attack Proxy (ZAP) is currently the most active open source web application security tool and competes effectively with commercial tools.

While it is an ideal tool for people new to appsec, it also has many features specifically intended for advanced penetration testing.

Simon will give a quick introduction to ZAP and then dive into the more advanced features as well as giving an overview of where its heading.

Presented By: Simon Bennetts



PowerSploit is a popular collection of Microsoft PowerShell modules that can be used to aid reverse engineers, forensic analysts, and penetration testers during all phases of an assessment. Come see how PowerShell can be leveraged to accomplish things that would otherwise be impossible such as, loading binaries directly into memory. Joseph Bialek and Chris Campbell will demonstrate how to utilize PowerSploit to bypass security products through all phases of a mock penetration test which includes enumeration, exploitation, privilege-escalation, credential theft, and pivoting to other hosts. They will share tips and tricks to leverage PowerShell in your own tools and highlight the new privilege escalation module being introduced at ToolsWatch.

Presented By: Chris Campbell



Praeda – Latin for “plunder, spoils of war, booty”. Praeda is an automated data/information harvesting tool designed to gather critical information from various embedded devices.

Praeda leverages various implementation weaknesses and vulnerabilities found on multifunction printers (MFP) and extracts Active directory credentials from MFP configurations such as SMTP, LDAP, POP3 and SMB settings.

Praeda also test for default passwords on targeted devices and gathers SNMP community strings from network cameras, sans, UPSs and other embedded devices on the network.

During demonstration we will introduce everyone to the features and functions of this tool and how to effectively leverage it during internal penetrations testing to gather credentials that can be used to gain access to critical internal system.

Presented By: Deral Heiland



ProxyMe is a modular HTTP/S proxy based on plugins. It’s designed and oriented for pen-testing or research purposes. It also has support for analyzing and modifying the traffic, SSL included. It can be used as a regular proxy or as a reverse proxy, supporting also transparent connections, making it perfect for combined attacks of Man In The Middle (or even as a load balancer if you want!).

Some of the current plugins allow you to perform attacks as ‘Cache poison’, an attack technique for browsers showed in owning “bad” guys {and mafia} with Javascript botnets’ in Black Hat USA 2012 by Chema Alonso and Manuel Fernández.

ProxyMe could also be used for the purposes of:

  • Analyzing and modifying HTTP/S protocol
  • Creation of malware or backdoors embebed into HTTP/S protocol
  • Web Application Firewall (WAF)
  • … whatever you can create with plugins using your imagination

And of course, it’s freeware and open source.

Presented By: Manuel Fernández


In 2008 we released reDuh (, a network tunnelling tool that allowed port forwarding via a web-shell and HTTP/S to backend services. reDuh has since become part of any attackers standard toolkit, featuring in several books and notoriously described as “insidious” by HBGary in their leaked e-mails.

However, when doing any sort of tunnelling, targeting multiple hosts and ports can be frustrating as it requires a tunnel to be setup for each unique host:port combination. Enter reGeorg; this is a rewrite of reDuh to support a full SOCKS4/5 proxy interface. This allows one tunnel to be used to make multiple connections, including port scans. Additionally, capabilities to take advantage of HTML5 websockets (where available) have been built for faster connections.

In short, if you can get a webshell up, you can use reGorg to gain access with your favourite tool (Nmap, Metasploit, etc.) to the entire internal network range your compromised server has access to.

The list of currently supported web frameworks are: ASP.NET, JSP, PHP, ASP
The list of currently supported transports are: HTTP, HTTPS, HTML5 WebSockets

Presented By: Willem Mouton


Rickrolling Your Neighbors With Google Chromecast

Take control over your neighbors’ TVs like you see in the movies! Google Chromecast is a handy little gadget that lets you stream video to your TV from a variety of sources like Netflix and YouTube. It also allows streaming from nearby hackers.

I’ll demonstrate how to hijack any Google Chromecast — even if it’s behind a secure Wi-Fi network — to do your bidding. I’ll also be revealing a new tool to fully automate the hijacking and playing of arbitrary video to the victim’s TV. Let the prank war commence.

Presented By: Dan Petro


SecureScan SaaS Free Scanner

Tripwire SecureScan™ is a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the Heartbleed vulnerability among many others. Fast, free, and simple to use – no license required.

Presented By: Edward Smith



Serpico is a report generation and collaboration tool. Serpico’s primary function is to cut down on the amount of time it takes to write a penetration testing report. When building a report the user adds “findings” from the template database to the report. When there are enough findings, the user clicks ‘Generate Report’ to create the docx of the report. New Report templates can be added through the UI making the reports easy to customize. The Report Templates themselves use a custom Markup Language that includes common variables (i.e. finding name, customer name, customer address, etc.) along with more complex requirements. It is meant to be simple and intuitive.

Serpico is already in use by a number of consultants, but we think it is time to get the word out. Serpico was built by penetration testers with a pen-testers methodology in mind. It might make you hate report writing just a little bit less.

Presented By: Will Vandevanter & Peter Arzamendi


ShinoBOT Suite

ShinoBOT is a RAT (backdoor malware) simulator, released at the previous Black Hat Arsenal. The new tool, ShinoBOT Suite, is a total malware package which contains the RAT simulator, downloader, dropper, encryptor, CandC server, decoy files, etc. All of them are customizable.

You can create your own malware by ShinoBOT suite and it can be used to simulate the recent targeted attack. The new ShinoBOT works also on the standalone / offline environment.

Presented By: Shota Shinogi



As security professionals, almost every action we take comes down to making a risk-based decision. Web application vulnerabilities, malware infections, physical vulnerabilities, and much more all boils down to some combination of the likelihood of an event happening and the impact of that event. Risk management is a relatively simple concept to grasp, but the place where many practitioners fall down is in the tool set. The lucky security professionals work for companies who can afford expensive GRC tools to aide in managing risk. The unlucky majority out there usually end up spending countless hours managing risk via spreadsheets. It’s cumbersome, time consuming, and just plain sucks. After starting a Risk Management program from scratch at a $1B/yr company, I ran into these same barriers and where budget wouldn’t let me go down the GRC route, I finally decided to do something about it. After officially debuting at Black Hat 2013, SimpleRisk, a simple and free tool to perform risk management activities, is back with many significant improvements. Based entirely on open source technologies and sporting a Mozilla Public License 2.0, a SimpleRisk instance can be stood up in minutes and instantly provides the security professional with the ability to submit risks, plan mitigations, facilitate management reviews, prioritize for project planning, and track regular reviews. It is highly configurable and includes dynamic reporting and the ability to tweak risk formulas on the fly. It is under active development with new features being added all the time and can be downloaded at SimpleRisk is truly Enterprise Risk Management simplified.

Presented By: Josh Sokol


Smartphone Pen-Test Framework

As smartphones enter the workplace, sharing the network and accessing sensitive data, it is crucial to be able to assess the security posture of these devices in much the same way we perform penetration tests on workstations and servers. However, smartphones have unique attack vectors that are not currently covered by available industry tools. The smartphone penetration testing framework, the result of a DARPA Cyber Fast Track project, aims to provide an open source toolkit that addresses the many facets of assessing the security posture of these devices. We will look at the functionality of the framework including information gathering, exploitation, social engineering, and post exploitation through both a traditional IP network and through the mobile modem, showing how this framework can be leveraged by security teams and penetration testers to gain an understanding of the security posture of the smartphones in an organization. SPF can be used as a pivot to gain access to an internal network, gaining access to additional vulnerabilities. SPF can be used to bypass filtering, using SMS to control an exploited internal system. Demonstrations of SPF functionality will be shown.

Presented By: Georgia Weidman



Snoopy is a distributed tracking, data interception, and profiling framework. The software can run on small, cost-effective hardware (BeagleBone, RaspberryPi) and be deployed over a large area (we call these ‘drones’). Each Snoopy drone passively or actively collects information on people who walk past from the array of wireless (Wi-Fi, Bluetooth, etc.) devices that they carry on their person. This information is synchronized to a central server where we can visually explore it with tools like Maltego.

Presented By: Glenn Wilkinson


Spotlight Inspector – OSX Forensics

Spotlight Inspector is a free application for computer forensic investigation of Mac OS X computers. Until now, there has never been an effective cross-platform forensics tool for accessing Spotlight internal data from Mac OS X systems – which is where all of the information about files indexed on a computer can be accessed by forensic investigators. This information gathering is crucial to digital investigators.

Spotlight is the name of Apple OS X’s desktop search functionality. It indexes all the files on a volume storing metadata about file system object (e.g. file, directory) in an effort to provide fast and extensive file searching capabilities.

The metadata stored includes familiar file system metadata, as in MAC times as well as file-internal metadata like image dimensions and color model and file usage count. Spotlight allows users to search for documents with the Author tag “Snowden,” for example. These databases are created by OS X on each volume the machine can access, including flash drives.

Spotlight Inspector parses Spotlight metadata databases and provides functionality to work with the internal data in a clean and useful way.

Presented By: Joe T. Sylve


Research in taint tracking and taint inference is hot in the scientific community these days. I have studied all tools and ideas developed for automated SQL injection prevention using scientific methods, and in an attempt to evaluate them, broken them all down. This tool summarizes methods to detect and break all these methods, such as Diglossia (2013), Sekar’s Negative Taint Inference (2011) and etc.

On top of that, I have created Joza (2014), a new hybrid system that automatically detects and prevents all SQL injection attack with zero false positives. This research and tool is patented, and will be published in ACM CCS 2014.

Finally, Taintless will demonstrate how to break Joza; though it’s very hard and requires much processing and intelligence by the tool; it proves that all these approaches are not bullet proof in general.

Presented By: Abbas Naderi Afooshteh



ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.

Presented By: Dan Cornell


TriForce ANJP

TriForce is a set of analysis tools made for those who want to go deeper. With a focus on file system journaling forensics, we make use of artifacts that allow us to turn them into a forensic time machine. With tools that cover NTFS, HFS+, and Ext3, we are pushing forward a new era of analysis based on file system journaling.

The NTFS file system is our first production tool to leave beta and allows an examiner to review the master file table, metadata journal, and change the journal to determine the following:

  • Timestamp changes, detection and original time
  • Names of files being wiped, detection, and original names and metadata
  • Files being exfiltrated via CD Burning
  • Attachments being accessed from Outlook
  • Low-level file system changes and activity for dynamic analysis of exploits and malware
  • Determining if alternative file system drivers have written to a disk
  • Determining what was accessed from external devices

Our research continues, but we believe we can show you data that existed on your disks that you never knew to look for, which will provide you new capabilities in your work and research.

Presented By: David Cowen



The Veil-Framework is an open source project that aims to bridge the gap between pen-testing and red team toolsets. It began with Veil-Evasion, a tool to generate AV-evading payload executables, expanded into payload delivery with the release of Veil-Catapult, and branched into Powershell functionality with the release of Veil-PowerView for domain situational awareness. This Arsenal presentation will cover the inner workings of all of these tools, and demonstrate various use cases where the Veil-Framework can help facilitate engagements.

I will also demonstrate a newly developed post-exploitation framework, Veil-Pillage, which is being released publicly during an associated DEF CON presentation. Veil-Pillage’s modular structure makes it easy to implement the wealth of existing post-exploitation techniques out there, publicly or privately developed. The framework utilizes a number of triggering mechanisms with a preference toward stealth, contains complete command line flags for third-party integration, and has comprehensive logging and cleanup script capabilities.

Presented By: Will Schroeder



Viper is a modular framework for the collection, management, and analysis of arbitrary files.

The main purpose of Viper is to become a unified solution to implement all those analysis and correlation tasks you perform during your daily analysis and research work, for which there are a myriad of scripts lying around all over your filesystem. It provides easy ways to store, tag, search, and mine your local repository of malware and it provides you with an interface to create any sort of module you might want to execute against your samples.

It already integrates modules for analyzing PE32, Office and PDF documents, automatic RAT config decoders, modules for online lookups, and much more.

Presented By: Claudio Guarnieri


Viproy Voip Penetration Testing And Exploitation Kit

Viproy Voip Pen-Test Kit is developed to improve the quality of VoIP Penetration Tests. First version of Viproy had SIP trust hacking, SIP proxy bounce scan and advanced SIP attacks. Viproy 2.0 will provide improved SIP penetration testing features such as TCP, TLS, vendor (Cisco, Microsoft Lync) supports and multi-thread fixes. Furthermore, the new version will have Cisco Skinny protocol and Cisco HCS (VOSS) server supports to initiate unauthorised call redirection attacks, speed dial manipulation, unauthorised calls using Skinny and information gathering attacks.

Presented By: Fatih Ozavci


Volatility Framework 2.4

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples of Windows, Linux, Mac OS X, and Android systems. Our last release received over 40,000 downloads and we’re equally as excited to get 2.4 into the hands of forensic investigators and malware analysts. Some of the key features of the 2.4 release that we’ll be demoing are:

  • Extraction of cached Truecrypt passphrases and master keys (AES, Twofish, Serpent, etc.)
  • Support for Windows 8.1 and 2012 R2 x64 memory dumps, including on-the-fly decoding of the kernel debugger data block
  • Tracking Mac OS X Mavericks user activity by recovering unencrypted PGP emails, OTR (off-the-record) chat messages, contacts, calendar items, notes, and saved Keychain credentials
  • Detection of advanced Linux rootkits, such as those that leverage GOT/PLT in user mode and Netfilter hooking in the kernel
  • Circumventing the new compressed swap facility implemented in Mac OS X and Linux operating systems

Presented By: Michael Ligh



VOYEUR’s main purpose is to generate a fast (and pretty) Active Directory report. The tool is developed entirely in PowerShell (a powerful scripting language) without dependencies (just .Net Framework 3.5 and Ofiice Excel if you want an useful and pretty report). The generated report is a perfect starting point for well-established forensic, incident response team, or security researchers who want to quickly analyze threats in Active Directory Services.

The main capabilities of VOYEUR tool are:

  • Fast.- Retrieving only the main interested attributes and perform intelligent uses of them.
  • Powerful.- Return a huge number of attributes on computers, users, containers/OUs, groups, ACL, printers, etc.
  • Useful.- Easily perform data mining to create valuable data
  • Secure.- VOYEUR does not require domain admin permissions so you do not need to log on as an administrator account to use it. Only needs an domain user-password with read permissions
  • Useful Reports – Export results to CSV file for use in other processes or report all huge data in a pretty and useful report in Excel format
  • Multi-Domain.- Enter a domain name and credentials, VOYEUR will makes the rest
  • Free.- VOYEUR project is free and open source

Presented By: Juan Garrido


w3af: Web Security Scanner

w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.

Our framework is proudly developed using Python to be easy to use and extend, and licensed under GPLv2.0.

Presented By: Andrés Riancho


WATOBO – The Web Application Toolbox

WATOBO is a security tool for testing web applications. It is intended to enable security professionals to perform efficient (semi-automated) web application security audits.
Most important features are:

  • WATOBO has Session Management capabilities! You can define login scripts as well as logout signatures. So you don’t have to login manually each time you get logged out.
  • WATOB can act as a transparent proxy (requires nfqueue)
  • WATOBO can perform vulnerability checks out of the box
  • WATOBO can perform checks on functions which are protected by Anti-CSRF-/One-Time-Tokens
  • WATOBO supports Inline De-/Encoding, so you don’t have to copy strings to a transcoder and back again. Just do it inside the request/response window with a simple mouse click.
  • WATOBO has smart filter functions, so you can find and navigate to the most interesting parts of the application easily.
  • WATOBO is written in (FX)Ruby and enables you to easily define your own checks
  • WATOBO runs on Windows, Linux, MacOS … every OS supporting (FX)Ruby
  • WATOBO is free software (licensed under the GNU General Public License Version 2)

WATOBO is written in (FX)Ruby and was initially released in May 2010 as an open source project on SourceForge (

Presented By: Andreas Schmidt


WhatsApp Privacy Guard

With the PRISM scandal, we began to question whether Microsoft, Google, Apple, and Facebook were the only companies working with governments to spy on the behavior of its citizens. Will WhatsApp be one of these companies? Does WhatsApp store its user conversations? These sort of things make us think that users are defenseless and have no current measures to ensure the privacy of content shared on these platforms.

The main objective of the research is to add new layers of security and privacy to ensure that in the exchange of information between members of a conversation both the integrity and confidentiality cannot be affected by an external attacker. This is achieved through a system to anonymize and encrypt conversations and data sent via WhatsApp, so that when they reach the servers they are not in “plain text” and only readable to the rightful owners.

WhatsApp Privacy Guard is a tool completely transparent to the users and we will show how this technique can be used against other IM protocols and apps.

Presented By: Jaime Sanchez



ZigTools is a Python Framework, which was developed to reduce the complexity in writing additional functionality in communicating with the Freakduino (Low cost arduino based 802.15.4 platform). Features such as initializing the radio, changing channels, sending data and processing that data can be written in just a few lines, allowing developers to focus on writing more complex applications without worrying about the low-level communications between the radio and computer.

Presented By: Mike Warner


ZitMo NoM

A world without malware is ideal but unlikely. Many of us would prefer *not* to install another layer of protection on our already-resource-constrained handheld mobile device. Alternatively, Android malware detection sans anti-virus installation has become a reality. Learn about how it’s possible to detect mobile malware using simple text messages with ZitMo NoM. ZeuS in the Mobile, known as ZitMo, is infamous for intercepting SMS transmissions then redirecting them to a Command and Control in order steal banking and personal information. Research with SMS transmissions directed at mobile malware has resulted in the ability to detect ZitMo’s presence without anti-virus applications installed. Turning cyber criminals’ tools against them makes this even more of a rewarding endeavor. We are looking for malware researchers to contribute to the continued development of this open tool. The presentation will include the research, the infrastructure, and a demonstration of ZitMo NoM. Live malware will be used during this presentation, assuming we get it to behave.

Presented By: David Schwartzberg


Black Hat USA 2014 – Arsenal

ToolsWatch Team




MaxiSoler @maxisoler