Lineup for the Blackhat Arsenal Europe 2014

Desenmascara.me

Emilio Casbas

Desenmascara.me is a public resource which will extract metadata from any website (either domain name or IP address, no resource) and will explain it in a brief summary. The extraction will be totally passive, just like browsing the website, otherwise the tool couldn’t be online for public use. It’s based mainly on HTTP headers and metadata. Some features of the tool are:

• Easy to use, only enter a website address to see what’s behind the scenes
• Available in English and Spanish (based on the browser language)
• Testing for web application fingerprinting
• Brief summary about the website configuration
• Different report colors to highlight web security awareness
• Some special websites will show a message showing whether they are official or fake (keep counterfeit products from circulation)
• Detection of CMSs and versions (whatweb core)
• Warnings about old software being exploited in the wild like joomla-1.5, RoR CVE-2013-0156…
• Detection of properties file leak in Ruby on Rails. Ref: Fugas de informacion en aplicaciones ruby on rails
• Warnings about OpenSSL version affected by heartbleed
• Detection of hardening signs such as WAF, CDN, reverse proxy…
• In case of CloudFlare protected websites, it will show the real server IP
• Detection of blacklisted websites by GoogleSafeBrowsing
• Detection of suspicious iframes or hidden spam
• Detection of misconfiguration on robots.txt files (i.e: exposing confidential information)
• Detection of defacements, directory listings, private IP address in comments…
• In the case of very known websites (Forbes, EA, .gov…) will inform about known security incidents which they were victim of
• Stats about general web security awareness and some details of compromised websites (i.e: Forbes compromised)

Exploit Pack

Juan Sacco

Exploit Pack is an open source GPLv3 security tool; the means is fully free and you can use it for any period of time without any kind of restriction.

But why? Because other security products like metasploit, canvas, or impact are so incredibly expensive that unless you sell your kidney, you will not be able to buy it.

Oh I forgot to mention that they are not GPLv3? Exploit Pack is 100% GPLv3, so if you feel like coding, just checkout the code and go for it.

This tool was made thinking of the end-user; it’s not going to replace any other security tool on the market, but it’s for sure a must-have for every security enthusiast, researcher, or paranoid user.

Lights Off Hardware Demo

Javier Vazquez Vidal

Are you interested in the “Lights Off! The Darkness of the Smart Meters” talk that will be presented at Black Hat Europe? Then you should check this out! Since Arsenal brings the invaluable opportunity of allowing the attendees to get a closer look at researchers work, we want to show you the real stuff. We want you to be able to see, feel and touch the process of reversing we experienced, and show you the tools we used.

There will be IDA, Logic Analysers, GDB, Arduino, blown hardware (literally!) and a lot of wires!

Lynis

Michael Boelen

Lynis is a free and open source security and auditing tool. It runs on Unix, Mac and Linux based systems. Lynis helps DevOps and security professionals detect vulnerabilities and configuration management weaknesses.

When running the tool, an in-depth scan of the system will be performed. Therefore it is much more thorough than network based vulnerability scanners. It starts with the boot loader and goes up to installed software packages. After the analysis, it provides the discovered findings, including hints to further secure the system.

NAFT Online

Didier Stevens

Memory forensics is the next step the forensic community has taken. With NAFT Online, you can learn memory forensics for Cisco IOS. Learn how to use the Network Appliance Forensic Toolkit with a real Cisco IOS router.

NFCulT

Matteo Beccaro

NFCulT is an ultimate android application for exploiting and researching in NFC Mifare Ultralight security. Its first focus is against transport systems, but during the time, it has been applied to research vulnerabilities in bike sharing service, etc.

It also implements the following published attacks:

• Lock Attack
• Time Attack
• Replay Attack

In this presentation, we will give a short view on the tool’s new features for the release 2.0, which will be released live at Black Hat Arsenal.

PeStudio

Marc Ochsenmeier

Potential of early Triage of malware based on static analysis. Presentation of PeStudio based on a few malware.

reGeorg

Willem Mouton

In 2008, we released reDuh, a network-tunneling tool that allowed port forwarding via a web-shell and HTTP/S to backend services. reDuh has since become part of any attackers standard toolkit, featured in several books and notoriously described as “”insidious”” by HBGary in their leaked e-mails.

However, when doing any sort of tunneling, targeting multiple hosts and ports can be frustrating as it requires a tunnel to be setup for each unique host:port combination. Enter reGeorg; this is a rewrite of reDuh to support a full SOCKS4/5 proxy interface. This allows one tunnel to be used to make multiple connections, including port scans. Additionally, capabilities to take advantage of HTML5 websockets (where available) have been built for faster connections.

In short, if you can get a webshell up, you can use reGeorg to gain access with your favorite tool (Nmap, Metasploit, etc.) to the entire internal network range your compromised server has access to.

The list of currently supported web frameworks are: ASP.NET, JSP, PHP, ASP. The list of currently supported transports are: HTTP, HTTPS, HTML5 WebSockets.

VOYEUR

Juan Garrido

VOYEUR’s main purpose is to generate a fast (and pretty) Active Directory report. The tool is developed entirely in PowerShell (a powerful scripting language) without dependencies (just .Net Framework 3.5 and Office Excel if you want an useful and pretty report). The generated report is a perfect starting point for well-established forensic, incident response team, or security researchers who want to quickly analyze threats in Active Directory Services.

The main capabilities of VOYEUR tool are:

• Fast.- Retrieving only the main interested attributes and perform intelligent uses of them.
• Powerful.- Return a huge number of attributes on computers, users, containers/OUs, groups, ACL, printers, etc.
• Useful.- Easily perform data mining to create valuable data.
• Secure.- VOYEUR does not require domain admin permissions so you do not need to log on as an administrator account to use it. Only needs a domain user-password with read permissions.
• Useful Reports – Export results to CSV file for use in other processes or report all huge data in a pretty and useful report in Excel format.
• Multi-Domain.- Enter a domain name and credentials, VOYEUR will make the rest.
• Free.- VOYEUR project is free and open source.

WhatsApp Privacy Guard

Jaime Sanchez

With the PRISM scandal, we began to question whether Microsoft, Google, Apple, and Facebook were the only companies working with governments to spy on the behavior of its citizens. Will WhatsApp be one of these companies? Does WhatsApp store its user conversations? These sorts of things make us think that users are defenseless and have no current measures to ensure the privacy of content shared on these platforms.

The main objective of the research is to add new layers of security and privacy to ensure that in the exchange of information between members of a conversation both the integrity and confidentiality cannot be affected by an external attacker. This is achieved through a system to anonymize and encrypt conversations and data sent via WhatsApp, so that when they reach the servers they are not in “”plain text”” and only readable to the rightful owners.

WhatsApp Privacy Guard is a tool completely transparent to the users and we will show how this technique can be used against other IM protocols and apps.

When You Don’t Have 0days: Client-side Exploitation for the Masses with BeEF

Michele Orrù

A bag of fresh and juicy 0days is certainly something you would love to get as a Christmas present, but it would probably be just a dream you had one of those drunken nights.

Hold on! Not all is lost! There is still hope for pwning targets without 0days.

We will walk you through multiple real-life examples of client-side pwnage, from tricking the victim to take the bait, to achieving persistence on the compromised system.

The examples will be highly practical and will demonstrate how you can do proper client-side exploitation effectively, simply by abusing existing functionalities of browsers, extensions, legacy features, etc.

We’ll delve into Chrome and Firefox extensions (automating various repetitive actions that you’ll likely perform in your engagements), HTML applications (HTA), abusing User Interface expectations, (Open) Office macros and more. All the attacks are supposed to work on fully patched target software, with a bit of magic trickery as the secret ingredient.

You might already know some of these exploitation vectors, but you might need a way to automate your attacks and tailor them based on the victim language, browser, and whatnot. Either way, if you like offensive security, this is for you.

ZAP

Zakaria Rachid

The Zed Attack Proxy (ZAP) is currently the most active open source web application security tool and competes effectively with commercial tools.

While it is an ideal tool for people new to appsec, it also has many features specifically intended for advanced penetration testing.

Zack will give a quick introduction to ZAP and then dive into the more advanced features, presenting some useful scripts as well as giving an overview of where its heading.