Black Hat Arsenal USA 2014 – Wrap up Day 1

Black Hat Arsenal USA 2014 – Wrap up Day 1

Each year, most of us head to Las Vegas to attend 3 of the most recognized security events: Blackhat, Defcon and BsidesLV and thus for several reasons. The first is simply to grow technically. Thousands of security experts and hackers would ride from far and wide to share their knowledge and latest research in matters of computer security and hacking. They become unwittingly ambassadors for their countries. 

the mandalay
View of the Mandalay Bay

As time went by, some of them become friends which brings us back to the other reason: Partying. The marketers call it vulgarly “Social Networkingto justify to their bosses the hefty bill associated with alcohol consumption. Therefore in a security conference like Black hat, you can party with people from different cultures and nationalities. Just the folks around during the blackhat Arsenal I can count several nationalities : American, Italian, Russian, Israelian, German, Turkish, Argentinian, Brazilian, Canadian, Colombian, Mexican, Spanish, Croatian, Venezuelan, Iranian, Japanese, Chinese, Indian. Amazing hein !


With Jessica Horst – One of the Blackhat/UBM team working hard behind the scenes

This year again, I have, alongside my friend Rachid of NETpeas, the great pleasure to co-manage the Arsenal event that starts to make his small place slowly but surely. The principle of the Arsenal is simple: Interactive sessions in which the author delivers demonstrations in front of the audience. 

These sessions are highly beneficial to the two parties. During these years of Arsenal I saw raised significant collaborations between speakers. As I have been witness to guests suggesting features or helping to fix bugs. And that’s what the Arsenal is really about. Connecting Hackers with Hackers !

With Ping Look (Crusher of Souls) – She was behind designing the first sessions of the Arsenal.

And to satisfy a wide audience, we have selected 54 diverse and varied tools, beating the record of previous Arsenal sessions. From Forensics, Mobile hacking  through VoIP attacks, Hardware hacking or TV sets hijacking. There’s been something for everyone.


Large view of the Audience at the Arsenal

The Blackhat Arsenal becomes an absolute must if you make a jump to Vegas for the annual security events and especially if you want to attend live demonstrations with only a table and a screen separate you from the great hackers on earth. The Arsenal is definitely the only event that brings together in the same room a large  number of renowned tools authors and hackers.

With Rachid (@netpeas) – My bud from the old and future days.

As for myself, this year has been excellent because several authors have done us the honor to release their tools during the event. On the other hand I had the pleasure meeting my old friends and make new ones. Similarly, I enormously appreciate some of my twitter followers who stopped by to say hi.  Thanks guys, I really appreciated it.

The Arsenal_Schedule

Finally, I had a thought during the Arsenal for my friend and ToolsWatcher Maxi Soler (@maxisoler) who could not join us for this session. Your help was invaluable throughout the preparation and especially maintaining Your absence has been felt because we should run series of 90 seconds mini interviews entitled “Tool Stories by” in which every hacker should explain why he / she created his tool. Unfortunately and despite all the goodwill, we were overwhelmed by the flow of the audience.


 Introducing my kiddo Rafael to the Blackhat – Young generation of ToolsWatchers 🙂

 I‘ll let you relive with picture 2 wonderful days we spent alongside great hackers who help us every day to accomplish our menial tasks. Henceforth and each time you use a tool quoted here, you should have a gratifying thought for those folks.

FlowInspect – Yet Another Inspection Tool – Ankur Tyagi

Flowinspect is a tool developed specifically for network monitoring and inspection purposes. It takes network traffic as input and extracts layer 4 flows from it. These flows are then passed through an inspection engine that filters and extracts interesting network sessions. For flows that meet inspection criteria, the output mode dumps match statistics to either stdout or a file or both.


The primary difference between flowinspect and other network inspection tools is that flowinspect inspects network flows instead of individual layer 4 packet contents. As such, if for a flow certain data to be matched upon spans multiple packets, flowinspect would still be able to identify it. Inspection can be done in any of the following inspection modes (selected through appropriate command-line arguments):

  • regex: PCRE-compatible regular expressions
  • fuzzy: fuzzy string matching techniques
  • shellcode: libemu based (x86 compatible) shellcode detection
  • yara: yara-project based signature detection

There are a few mode-specific options that a user can use to tweak the behavior of the respective inspection engine. For example, regex matches could be made case insensitive, fuzzy string match threshold could be altered, generation of shellcode profile output that lists detected system calls, their arguments, and return values, etc. can be enabled, detected shellcode can be disassembled, and output could be dumped to a file. Once inspection completes, matching flows are passed to the output module that gathers statistics like match size, start of the match offset inside inspection buffer, packet IDs for a match, direction of the match (CTS/STC/ANY), etc. Matched content can also be dumped to a file or pcap generation for matched flows could also be requested.


Apart from these, there are a few other handy options that could prove useful in different network inspection scenarios. For example, inspection could be limited to interesting flows only using Berkeley Packet Filter (BPF) expressions, or via Snort-like offset/depth content modifiers, or via max packet-stream count options. Matches results can be negated, matched TCP flows could be killed, etc.

The current production version includes all the above features. Flowinspect is, however, under active development and new features/bug fixes are being pushed frequently.

Changelog presented at the Arsenal

[x] network/pcap based flow extraction (pynids)
[x] tcp.kill
[x] invert match
[x] ignore 0 byte matches
[x] disable inspection – linemode
[x] support for multiple patterns
[x] write/append matched packets/streams to a file
[x] add snort-like content modifiers (offset-depth)
[x] support for different cts, stc and any patterns
[x] out modes: quite, meta, hex, ascii, raw (+write)
[x] stats (longest/shortest match and packet/stream #)
[x] stop tracking a stream when a match is found (tcp.collect = 0)
[x] cli to switch the first-match behavior
[x] inspection modes:
[x] regex
[x] pylibemu
[x] libemu profile output
[x] libemu memory size cli
[x] pyyara (peid/clamav)
[x] fuzzy match (fuzzywuzzy)
[x] udp stream tracking (cts/stc/any)
[x] show matching tcp packet ids (handy when pattern spans many packets)
[x] write matching flows to pcap
[x] write all packets in a matched flow (ones coming after match as well)
[x] write packets seen only untill the match happened (+a few more)
[x] ip/tcp/udp header checks – via BPF
[x] use colors if term supports
[x] verbose should be incremental
[x] include bpf expression for matching flows (verbose >= 3)
[x] timestamped (non)debug output
[x] linemode should not honor inspection specific flags (offset, depth, …)
[x] pcap write wont work in linemode
[x] invertmatch not working for regex and shellcode inspection modes
[x] -T should operate on flows and not packets
[x] make dfa memberids optional
[x] nonzero offset corrupts packet span calculation
[x] span offsets don’t include custom offset (2 instead of 1002)
[x] ip flow tracking should be in sync with tcp flow tracking
[x] direction identification for UDP flows needs more work
[x] multimatch offsets are incorrect for ANY direction
[x] cli to disable banner/summary
[x] multimatch not working with yara
[x] packet offset not shown for fuzzy match
[x] fuzzy match ratio not shown in meta output
[x] packet count fails when yara gives multiple matches

Download link >>

Maltrieve – Kyle Maxwell

Maltrieve retrieves malware directly from the location where the bad guys serve it. This allows researchers to acquire fresh samples, verify detection systems, and research infrastructure


Maltrieve includes proxy support, multi-threading, Cuckoo submission, and categorization. The tool is community-developed and available under the terms of the GNU General Public License.


Maltrieve originated as a fork of mwcrawler. It retrieves malware directly from the sources as listed at a number of sites, including:

These lists will be implemented if/when they return to activity.

Other improvements include:

  • Proxy support
  • Multithreading for improved performance
  • Logging of source URLs
  • Multiple user agent support
  • Better error handling
  • VxCage and Cuckoo Sandbox support

Download Link >>

Morning Catch – Phishing Industries – Raphael Mudge

Morning Catch is a Virtual Machine environment, similar to Metasploitable, to demonstrate and teach about targeted client-side attacks. Morning Catch is a fictitious seafood company with a website, self-contained email infrastructure to receive phishing emails, and two desktop environments.


One desktop environment is a vulnerable Linux client-side attack surface. The other desktop environment is a vulnerable Windows client-side attack surface. Yes, you’ll get to attack a Windows software target and use Windows payloads against this virtual environment. This Arsenal session will demonstrate some of the things you can do with the Morning Catch environment.


Blog Post from Mudge >>

Download Link  (Torrent link) >>

ShinoBOT Suite – Shota Shinogi

ShinoBOT is a RAT (backdoor malware) simulator, released at the previous Black Hat Arsenal. The new tool, ShinoBOT Suite, is a total malware package which contains the RAT simulator, downloader, dropper, encryptor, CandC server, decoy files, etc. All of them are customizable.


You can create your own malware by ShinoBOT suite and it can be used to simulate the recent targeted attack. The new ShinoBOT works also on the standalone / offline environment.


Material >>

Download link >>

Smartphone Pentest Framework – Georgia Weidman

SPF is designed to make it easy to gather information, launch attacks, and perform post exploitation including pivoting on mobile devices.


Open source and primarily written in Python, SPF is actively under development adding new interfaces, attack vectors, and post exploitation methods.


Manual >>
Download Link >>
Videos >>

Snoopy – Gleen Wilkinson

Snoopy is a distributed tracking, data interception, and profiling framework. The software can run on small, cost-effective hardware (BeagleBone, RaspberryPi) and be deployed over a large area (we call these ‘drones’).


Each Snoopy drone passively or actively collects information on people who walk past from the array of wireless (Wi-Fi, Bluetooth, etc.) devices that they carry on their person. This information is synchronized to a central server where we can visually explore it with tools like Maltego.


Download Link >>
Google Group >>!forum/sensepost-snoopy

TriForce ANJP – David Cowen

TriForce is a set of analysis tools made for those who want to go deeper. With a focus on file system journaling forensics, we make use of artifacts that allow us to turn them into a forensic time machine. With tools that cover NTFS, HFS+, and Ext3, we are pushing forward a new era of analysis based on file system journaling.


The NTFS file system is our first production tool to leave beta and allows an examiner to review the master file table, metadata journal, and change the journal to determine the following:

  • Timestamp changes, detection and original time
  • Names of files being wiped, detection, and original names and metadata
  • Files being exfiltrated via CD Burning
  • Attachments being accessed from Outlook
  • Low-level file system changes and activity for dynamic analysis of exploits and malware
  • Determining if alternative file system drivers have written to a disk
  • Determining what was accessed from external devices


Download link >>

ZitMo NoM – David Schwartzberg

ZitMo NoM (No More) is the web tool created to help you detect and possibly disable ZitMo on your Android mobile device without installing a mobile app.


We have accomplished this by understanding how the mobile malware communicates with the C&C and use those commands to detect the mobile malware. This is a new tool and we are looking for community support to help improve several features.


Download Link >>

BreWski ( Burp Rhino Web Scanner) – Alex Lauerman & Chris Bellows

BReWSki (Burp Rhino Web Scanner) is an extension to the Burp Suite scanning and reporting functionality. BReWSki provides Burp Suite users with a JavaScript interface to write custom scanner insertion points, passive, and active scan definitions for Burp quickly without having to understand the internals of the Burp API. BReWSki comes with useful checks to help identify application vulnerabilities.


Currently BReWSki checks provide tentative results that require more manual analysis. Some checks should never produce a false positive, and other checks will produce a high number of false positives.


Download link >>

Chipsec – Yuriy Bulygrin

CHIPSEC (Platform Security Assessment Framework)  is a framework for analyzing security of PC platforms including hardware, system firmware including BIOS/UEFI and the configuration of platform components. It allows creating security test suite, security assessment tools for various low level components and interfaces as well as forensic capabilities for firmware.


CHIPSEC can run on any of these environments:

  1. Windows (client and server)
  2. Linux
  3. UEFI Shell


Download link >>

Material >>

Dependency-Check Jeremy Long

Dependency-check is a utility that identifies software dependencies and checks if there are any known, publicly disclosed vulnerabilities. Currently Java and .NET application dependencies are supported.


This tool can be part of a solution to the OWASP Top 10 2013 A9 – Using Components with Known Vulnerabilities.


Changelog at Arsenal

* Improved report – enhanced TOC
* Improved accuracy due to reported issues
* Initial integration with vFeed (
* Improved documentation including a guide on how to use the report effectively


Download link >>
OWASP Page >>
Documentation >>

Dradis Framework – Daniel Martin

Dradis is an open source framework to enable effective information sharing, specially during security assessments.


Dradis is a self-contained web application that provides a centralised repository of information to keep track of what has been done so far, and what is still ahead. [screenshotsdemo]

Features include:

  • Easy report generation.
  • Support for attachments.
  • Integration with existing systems and tools through server plugins.
  • Platform independent.


Changelog at Arsenal

* New redesigned, clean HTML5 interface
* Additional tool connectors: Qualys, Nexpose, etc.
* Templatable plugin output
* HTTP API + client bindings


Download Link >>

NFCult – Matteo Beccaro & Matteo Collura

NFCulT is a comprensive toolkit for exploring and exploiting MIFARE ULTRALIGHT cards. It can be used for understand how those cards works, and to exploiting misconfiguration as well.

Such bad configuration are very common in transport systems, as we will demostrate in the preview. NFCulT can actually handle all known attacks and be useful to develop new ones.


Download Link >>

OWASP Zed Attack Proxy (ZAP) – Simmons Bennetts

The Zed Attack Proxy (ZAP) is currently the most active open source web application security tool and competes effectively with commercial tools.

While it is an ideal tool for people new to appsec, it also has many features specifically intended for advanced penetration testing. Simon gave a quick introduction to ZAP and then dive into the more advanced features as well as giving an overview of where its heading.


OWASP Page >>
Download Link >> >>

ProxyMe – Manuel Fernandez

ProxyMe is a modular HTTP/S proxy based on plugins. It’s designed and oriented for pen-testing or research purposes. It also has support for analyzing and modifying the traffic, SSL included. It can be used as a regular proxy or as a reverse proxy, supporting also transparent connections, making it perfect for combined attacks of Man In The Middle (or even as a load balancer if you want!).


Some of the current plugins allow you to perform attacks as ‘Cache poison’, an attack technique for browsers showed in owning “bad” guys {and mafia} with Javascript botnets’ in Black Hat USA 2012 by Chema Alonso and Manuel Fernández.


ProxyMe could also be used for the purposes of:

  • Analyzing and modifying HTTP/S protocol
  • Creation of malware or backdoors embebed into HTTP/S protocol
  • Web Application Firewall (WAF)
  • … whatever you can create with plugins using your imagination

Download link >>

Rickmote Controller – Dan Petro

With a simple $35 dongle that plugs right into your TV, it’s possible to enjoy your favorite TV shows, YouTube channels, and everything else Chromecast has to offer. Being a WiFi enabled device, it’s also possible to hijack a Chromecast, forcing your neighbors to watch [Rick Astley] say he’s never going to give you up.


The rickmote, as this horrible device is called, runs on a Raspberry Pi and does a lot of WiFi shennaigans to highjack a Chromecast. First, all the wireless networks within range of the rickmote are deauthenticated. When this happens, Chromecast devices generally freak out and try to automatically reconfigure themselves and accept commands from anyone within proximity.


The rickmote is more than happy to provide these commands to any Chromecast device, in the form of the hit song from 1987 and 2008.

Live Demo >>


WhatsApp Privacy Guard – Jaime Sanchez

With the PRISM scandal, we began to question whether Microsoft, Google, Apple, and Facebook were the only companies working with governments to spy on the behavior of its citizens. Will WhatsApp be one of these companies? Does WhatsApp store its user conversations? These sort of things make us think that users are defenseless and have no current measures to ensure the privacy of content shared on these platforms.


The main objective of the research is to add new layers of security and privacy to ensure that in the exchange of information between members of a conversation both the integrity and confidentiality cannot be affected by an external attacker. This is achieved through a system to anonymize and encrypt conversations and data sent via WhatsApp, so that when they reach the servers they are not in “plain text” and only readable to the rightful owners.


WhatsApp Privacy Guard is a tool completely transparent to the users and we will show how this technique can be used against other IM protocols and apps.


Download Link >> Soon


Filibuster – William Coppola

Useful tool with Red and Blue teaming engagements in mind. Helpful for identifying weaknesses in egress port and protocol filtering.


Filibuster is used to map port filtering / protocol filtering devices. It is written in Python without the 1000 port limitation in other egress scanners.


FREE, which is cheaper than other commercial solutions without the exposure of egress rules to said third party companie

Download link >>

idb – Simplified Blackbox iOS App Pentesting – Daniel Mayer

idb is a tool to aid in iOS penetration testing and research. idb’s graphical user interface greatly simplifies the interaction with an iDevice as it automates a large number of previously tedious and manual tasks: idb provides functions for analyzing applications and application binaries, data storage, inter-process communication, the iOS log and keychain, as well as tools to simplify setup and configuration.


idb is written in ruby with a Qt GUI frontend and should run on OS X and Linux (with some restrictions). The code can be found at under the MIT License.


Changelog during Arsenal

* Integration of weak_classdump by Elias Limneos to dump class and method information in the form of header files
* /etc/hosts file editor
* Fixing of the CA certificate installer / manager.
* Adding documentation and increasing visibility for the screenshot utility

Download link >>
Documentation >>–Walk-Through
Blog >>

Immuniant Compiler – Per Larsen

The Immunant compiler delivers improved hardening against ROP attacks. Unlike ASLR, code randomization is done at a fine-granularity while preserving program performance. As a result, universal exploits fail and pointer leaks are no longer enough to bypass code randomization.


On OS X and Linux, the Immunant compiler sits atop the production grade LLVM compiler framework. The Windows version integrates with the Visual Studio compiler suite. We will demonstrate protected versions of Firefox running on Windows, OS X, and Linux.

Material >>


oops, RFDid it Again – Francis Brown

Last year, we delivered the definitive guide for pen-testers on hacking low frequency (LF – 125KHz) RFID badge systems to gain unauthorized access to buildings and other secure areas. In this second installment, we’re raising the stakes, peeling back the onion even further, and directly confronting the RFID elephant in the room – hacking High Frequency (HF – 13.56 MHz) and Ultra-High Frequency (UHF – 840-960 MHz).


This presentation will serve as a practical guide for penetration testers to understand the attack tools and techniques available to them for stealing and using RFID tag information, specifically for HF and UHF systems. We will showcase the best-of-breed in hardware/software that you’ll need to build out your own RFID penetration toolkit. We’ll also be releasing a slew of new/free RFID hacking tools that employ Arduino microcontrollers, Raspberry Pis, phone/tablet apps, and even 3D printing.


The applications for HF and UHF technologies extend far beyond the realm of simple physical access control, and can also be found in modern credit cards, e-Passports, enhanced driver’s licenses, ski passes, NFC reward cards, public transit passes, and are even used as the foundation of Disney’s new MyMagic+ initiative. Unfortunately, the security and privacy concerns introduced by HF and UHF RFID systems are just as diverse and plentiful.

Some of the topics we will explore are:

  • Overview of best HF/UHF RFID hacking techniques and tools available to get for your toolkit
    • Tools to exploit known weaknesses of various HF RFID access control technologies, such as iClass, MIFARE/DESFire, and LEGIC product family variants
    • Hacking tools/techniques: credit cards, e-Passports, Enhanced Drivers Licenses, …
    • Analysis of Disney’s MyMagic+ RFID deployment
  • Stealing RFID HF badge info from unsuspecting passers-by
    • Overcoming enhanced security features in “contactless smart card” systems, such as encryption, mutual authentication, and challenge/response authentication methods
    • Exploiting default encryption keys and insecure implementations of HF RFID systems
    • Bypassing added security of PIN and biometric controls
  • Replaying RFID badge info and creating fake cloned cards
  • RFID hacking on the move: mobile phone and tablet apps
    • PwnPads, iPads, NFC apps, and much more..
    • Safe data retrieval via Bluetooth Low Energy and 3G cellular channels
  • Attacking badge readers and controllers directly
    • Dumping encryption keys and cached card info directly from target badge readers
  • New RFID tools we’ll be releasing
    • 3D printed custom cases/tools to conceal RFID stealing devices, and implant in readers
    • Arduino and Raspberry Pi based tools for attacking readers directly
    • Android/iPhone/iPad apps for retrieving RFID information
  • Defending yourself from HF/UHF RFID hacking threats

This DEMO-rich presentation will benefit both newcomers and seasoned professionals of the RFID penetration testing field.


PowerSploit – Chris Campbell & Joe Bialek

PowerSploit is a popular collection of Microsoft PowerShell modules that can be used to aid reverse engineers, forensic analysts, and penetration testers during all phases of an assessment. Come see how PowerShell can be leveraged to accomplish things that would otherwise be impossible such as, loading binaries directly into memory.


Joseph Bialek and Chris Campbell demonstrated how to utilize PowerSploit to bypass security products through all phases of a mock penetration test which includes enumeration, exploitation, privilege-escalation, credential theft, and pivoting to other hosts.


They will share tips and tricks to leverage PowerShell in your own tools and highlight the new privilege escalation module being introduced at ToolsWatch.

Download Link >>

Taintless – Abbas Naderi & Mandana Bagheri

Research in taint tracking and taint inference is hot in the scientific community. We have studied all tools and ideas developed for automated SQL injection prevention using scientific methods, and in an attempt to evaluate them, broken them all down.


This tool summarizes methods to detect and break all these methods, such as Diglossia (2013), Prof. Sekar’s Negative Taint Inference (2011) and etc. On top of that, we have created Joza (2014), a new hybrid system that automatically detects and prevents all SQL injection attack with zero false positives. This research and tool is patented, and will be published shortly.


Finally, Taintless will demonstrate how to break Joza; though, the process is rigorous and requires multiple layers of intelligence in the tool, it proves that all these approaches are not bullet proof and need improvement.


Download Link >>

Material 1 >>

Material 2 >>

SimpleRisk – Josh Sokol

As security professionals, almost every action we take comes down to making a risk-based decision. Web application vulnerabilities, malware infections, physical vulnerabilities, and much more all boils down to some combination of the likelihood of an event happening and the impact of that event. Risk management is a relatively simple concept to grasp, but the place where many practitioners fall down is in the tool set. The lucky security professionals work for companies who can afford expensive GRC tools to aide in managing risk.


The unlucky majority out there usually end up spending countless hours managing risk via spreadsheets. It’s cumbersome, time consuming, and just plain sucks. After starting a Risk Management program from scratch at a $1B/yr company, I ran into these same barriers and where budget wouldn’t let me go down the GRC route, I finally decided to do something about it.


After officially debuting at Black Hat 2013, SimpleRisk, a simple and free tool to perform risk management activities, is back with many significant improvements. Based entirely on open source technologies and sporting a Mozilla Public License 2.0, a SimpleRisk instance can be stood up in minutes and instantly provides the security professional with the ability to submit risks, plan mitigations, facilitate management reviews, prioritize for project planning, and track regular reviews. It is highly configurable and includes dynamic reporting and the ability to tweak risk formulas on the fly. It is under active development with new features being added all the time and can be downloaded at SimpleRisk is truly Enterprise Risk Management simplified.

Changelog during Arsenal

• New Functionality
– Added a report showing all closed risks ordered by date.
– Added a report showing all open risks ordered by team.

• User Interface Enhancements
– The project planning view now allows you to click on the name of the risk as a link to view the details of the risk it references.
– Changed the “Download most recent code here” link on the about.php page to point to the actual download page.
– Changed the project list drop down in the remove projects list to be in alphabetical order.

• Bug Fixes
– Found an issue where numerous columns in various database tables had their CHARACTER SET set to latin1 instead of UTF8.  Running the upgrade.php script will set these to the proper CHARACTER SET.
– Found an issue where certain versions of PHP did not handle nested require statements.  Updated all require statements to use the path relative to the directory, rather than trying to hardcode it.
– Found an issue where a project would not delete if it had a closed risk inside it.  Associated projects are now unset when a risk is closed.

• Database Changes
– Updated columns in all tables to use the utf8 character set instead of latin1.
– Updated all closed risks to have a project ID of 0 (Unassigned).

Download link >>
Documentation >>


Veil Framework – Will Schroeder

The Veil-Framework is an open source toolset that aims to bridge the gap between pen-testing and red team toolsets. It began with Veil-Evasion, a tool to generate AV-evading payload executables, expanded into payload delivery with the release of Veil-Catapult at Shmoocon ’14, and branched into Powershell functionality with the release in the spring of 2014 of Veil-PowerView for domain situational awareness.


The newest tool to the Veil-Framework, Veil-Pillage, is a post-exploitation framework being released publicly during an associated Defcon 2014 presentation.


Veil-Pillage’s modular structure makes it easy to implement the wealth of existing post-exploitation techniques out there, publicly or privately developed. The framework utilizes a number of triggering mechanisms with a preference toward stealth, contains complete command line flags for third-party integration, and has comprehensive logging and cleanup script capabilities.



Changelog during Arsenal
-Veil-Pillage will be released at Defcon ’14, and will be demoed at Arsenal

Download link >>
Official Website >>
Material >>

Voyeur – Juan Garrido

VOYEUR’s main purpose is to generate a fast (and pretty) Active Directory report. The tool is developed entirely in PowerShell (a powerful scripting language) without dependencies (just .Net Framework 3.5 and Ofiice Excel if you want an useful and pretty report).


The generated report is a perfect starting point for well-established forensic, incident response team, or security researchers who want to quickly analyze threats in Active Directory Services.

day1_voyeur3  day1_voyeur2

The main capabilities of VOYEUR tool are:

  • Fast.- Retrieving only the main interested attributes and perform intelligent uses of them.
  • Powerful.- Return a huge number of attributes on computers, users, containers/OUs, groups, ACL, printers, etc.
  • Useful.- Easily perform data mining to create valuable data
  • Secure.- VOYEUR does not require domain admin permissions so you do not need to log on as an administrator account to use it. Only needs an domain user-password with read permissions
  • Useful Reports – Export results to CSV file for use in other processes or report all huge data in a pretty and useful report in Excel format
  • Multi-Domain.- Enter a domain name and credentials, VOYEUR will makes the rest
  • Free.- VOYEUR project is free and open source

 Download Link >>



What they said about the Arsenal !


“Back from and Arsenal kudos to and honored to be part of such a great event! It was a pleasure being invited to the event and I really enjoyed it. Great work, and hopefully see you soon!” – Daniel Martin author of Dradis Framework


“Thanks again and for bringing arsenal. and let me present . It’s always a great experience :)” – Andreas Schmidt author of Watobo Web App Scanner


“This guys are awesome. thanks for the great work. It has been a cool Arsenal again!” – Jaime Sanchez author of WhatsApp Security Guard


“Thank you everyone who stopped by our & !! It’s been a great experience. Almost 3 hrs non-stop intro to CHIPSEC :)” – Yuriy Bulygrin author of Chipsec


“Wanted to say thanks to the folks for the opportunity to talk at the Arsenal. Led to great conversations” – Dan Cornell author of ThreadFix


We really enjoyed demo-ing the new features at Arsenal. Cheers!” – Michael Ligh demoed Volatility Framework

thanks again. Arsenal ROCKS!!” – Willem Mouton author of reGeorg


“Blackhat Arsenal tool talk went great today. I had a blast sharing Praeda” – Deral Heiland of Praeda


“Thanks for the arsenal opportunity. I hope to see you next year as well! :)” – Tomer Teller author of Automated memory analysis


Celebrities and Fun moment at the Arsenal



Former jacque () (Now known as Oui-Oui) was there. Dont ask me why Oui-Oui, ask her 😉


Very Awkward hug with Jason (@j)
… Pepsi is also there

misc_with Dradis - Daniel Martin

 Finally met the awesome daddy of Dradis. Nice to talk with Daniel


  After years of Using OWASP ZAP, I finally had the honor to meet Simmons.


  Christian Martorella (author of theHarvester) stopped by to say hi. Here with Juan and  _missed_name_ (please send me your name)


  The great Ferruh CEO and father of NETsparker stopped by. Here with Darren Manners (ICE-hole)


  The guy in the middle is Mirko. You may know him as HelpNetSecurity. Yep, the (in)Secure Magazine folks. With @k0st (Android nmap amongst other hacking stuff and Dorian


Selfie with Rafael (my son) attending his first Arsenal & Rachid (@netpeas). You may spot me behind very proud 🙂


misc_with Veils Hackers 2

Hanging with the Veil Framework Folks. AWESOME and Amazing great team. Thanks for the great show


My bro Uduak meeting the awesome Mudge.


My bro Uduak meeting the crusher of souls Ping


 Blackhat VIP Party with awesome Arsenal speakers (from left) : Jaime Sanchez (Spain) , myself (citizen of the planet), Andres Riancho (Argentina), Andreas Schmidt (Germany), Juan Garrido (Spain) and Manuel Fernandez (Spain)


More pictures here >> Facebook ToolsWatch Album


 To be continued  Blackhat Arsenal Wrap-up Day 2 …

NJ Ouchn

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"