Black Hat Arsenal Asia 2016 speakers Line-Up

Black Hat Arsenal Asia 2016 speakers Line-Up

Arsenal: March 31 | April 1






Android Tamer

Presented by: Anant Shrivastava

Android Tamer is a Virtual/Live Platform for Android Security professionals. This reduces the needs to configure your own environment and professional can focus on exploitation. This Environment allows people to work on large array of android security related task’s ranging from Malware Analysis, Penetration Testing and Reverse Engineering. Large number of tweaks and automations are build inside the Virtual Machine to make life easy for the User.


BTA: An Open-Source Active Directory Security Audit Framework

Presented by: Joffrey Czarny

When it comes to the security of the information system, Active Directory domain controllers are, or should be, at the center of concerns, which are (normally) to ensure compliance with best practices, and during a compromise proved to explore the possibility of cleaning the information system without having to rebuild Active Directory. Indeed, backdoors can be implemented in Active Directory to help an intruder to gain back his privileges. However, few tools implement this cleaning/survey process despite several ways existing for backdooring Active Directory.

We propose to present some possible backdoors which could be set by an intruder in Active Directory to keep administration rights. For example, how to modify the AdminSDHolder container in order to reapply rights after administrator actions. Then, we will present BTA, an audit tool for Active Directory databases, and our methodology for verifying the application of good practices and the absence of malicious changes in these databases. One of example, that we will show, is how to spot accounts which have DCSync rights and pulls account credentials through the standard Domain Controller replication API.

The presentation will be organized as follows:

  • We begin by describing the stakes around the Active Directory, centerpiece of any information system based on Microsoft technologies.
  • We will continue by demonstrating some backdoors in order to keep admins rights or to help an intruder to quickly recover admins rights.
  • We will present BTA and the methodology developed to analysis Active Directory.
  • We conclude with a feedback on real world usage of BTA.

More information can be found on the Bitbucket repository: https: //




Presented by: Marcello Salvati

CrackMapExec aims to be a one-stop-shop for pentesting Active Directory environments! Think smbexec on steroids, combining the latest and greatest techniques for AD ownage in a single tool!

From enumerating logged on users and spidering SMB shares to executing psexec style attacks, concurrently auto-injecting Mimikatz/Shellcode/DLL’s into memory using Powershell, dumping the NTDS.dit, querying and executing commands through MSSQL DB’s and more!

The biggest improvements over the current tools are:

  • Pure Python script, no external tools required
  • Fully concurrent threading
  • Uses ONLY native WinAPI calls for discovering sessions, users, dumping SAM hashes etc…
  • Opsec safe (no binaries are uploaded to dump clear-text credentials, inject shellcode etc…)

Fully open-source and hosted on Github!




Presented by: Emilio Couto

Since collaborative pentesting is more common each day and teams become larger, sharing the information between pentesters can become a difficult task. Different tools, different formats, long outputs (in the case of having to audit a large network) can make it almost impossible. You may end up with wasted efforts, duplicated tasks, a lot of text files scrambled in your working directory. And then, you need to collect that same information from your teammates and write a report for your client, trying to be as clear as possible.

The idea behind Faraday is to help you to share all the information that is generated during the pentest, without changing the way you work. You run a command, or import a report, and Faraday will normalize the results and share that with the rest of the team in real time. Faraday has more than 50 plugins available (and counting), including a lot of common tools. And if you use a tool for which Faraday doesn’t have a plugin, you can create your own.

During this presentation we’re going to show you the latest version of the tool, and how it can be used to improve the effectiveness of your team during a penetration test.



HackSys Extreme Vulnerable Driver

Presented by: Ashfaq Ansari

HackSys Extreme Vulnerable Driver is an intentionally vulnerable Windows Kernel driver developed for security enthusiasts to learn and polish their exploitation skills. HackSys Extreme Vulnerable Driver caters to a wide range of vulnerabilities ranging from simple Buffer Overflow to complex Use After Free, Pool Overflow, Type Confusion and Arbitrary Memory Overwrite. This allows researchers to explore different exploitation techniques for every implemented vulnerabilities. HackSys Extreme Vulnerable Driver also comes with the mitigation for each implemented vulnerability which helps kernel driver developers understand how these mitigations are applied.

Source Code:
Driver Blog:



Halcyon IDE – Unofficial IDE for Nmap Script Development

Presented by: Sanoop Thomas

Halcyon is the first unofficial IDE for Nmap script development. The existing challenge in developing Nmap Scripts (NSE) is the lack of an IDE that gives easiness in building custom scripts for real world scanning. Halcyon is free to use, java based application that has code intelligence, code builder, auto-completion, debugging and error correction and a bunch of other features similar like other development IDE(s) for traditional programming languages. This research was started to give better development interface/environment to researchers and thus enhance the number of NSE writers in the community. Halcyon IDE can understand Nmap library and traditional LUA syntax as well. At the same time it also comes with an offline Nmap wiki that helps Nmap script writers an easy way to access development library references. Possible repetitive codes such as web crawling, bruteforcing etc., is pre-built in the IDE and this makes easy for script writers to save their time while development majority of test scenarios. The IDE gives options to debug the code, make code error free, export the code to the library and several other pre/post development tasks from within the same interface itself.




Presented by: Chen Yexuan & Tang Zhushou

Janus is feedback-driven, interactive Android security analysis platform that facilitates a collection of advanced security analysis tools with the capabilities from vulnerability discovery to malicious application detection. Its main purpose is to enable large scale Android application security analysis by integrating automated, customizable analysis results and human interventions.

Specifically, Janus works as follows. First, Janus leverages lightweight malware scanners, similarity detection tools, and vulnerability detection tools to help researchers diagnose whether a given Android application is malicious or vulnerable.

Next, Janus provides a set of tools to perform more fine-grained and heavier analyses, including dynamic taint analysis, program slicing, and machine learning, etc. In particular, security researchers are involved in this phase. By integrating these automated analyses and human interventions, Janus will confirm the detection results, filter false positives, and also extract the features of the application. These features will be used to guide subsequent analyses to quickly find similar vulnerabilities or malicious applications.

We will demonstrate Janus with a number of real world malicious and vulnerable applications.



Limon – Sandbox for Analyzing Linux Malwares

Presented by: Monnappa K A

Limon is a sandbox for automating Linux malware analysis. It collects, analyzes, and reports on the run time indicators of Linux malware. It allows one to inspect the Linux malware before execution, during execution, and after execution (post-mortem analysis) by performing static, dynamic and memory analysis using open source tools. Limon analyzes the malware in a controlled environment, monitors its activities and its child processes to determine the nature and purpose of the malware. It determines the malware’s process activity, interaction with the file system, network, it also performs memory analysis and stores the analyzed artifacts for later analysis.

For more information, please visit this blog post on Limon:; the download link is also available on GitHub:




Presented by: Christian Heinrich & Paul Vixie & Daniel Cuthbert

Passive DNS (pDNS) provides near real-time detection of cache poisoning and fraudulent changes to domains registered for trademarks, etc by answering the following questions:

  • Where did this DNS Record point to in the past?
  • What domains are hosted on a specific nameserver?
  • What domains resolve into a given network?
  • What subdomains exist below a certain domain name?

pDNSego is a set of Maltego Transforms that perform link analysis of pDNS datasets based on a Fully Qualified Domain Name (FQDN), IP Address, Net Block, Name Server (NS) or Mail eXchange (MX) DNS Record.




Presented by: Zhang Zuyou

Pocsuite is an open-sourced remote vulnerability testing framework developed by Knownsec Security Team.

Written in Python and supported both validation and exploitation two plugin-invoked modes, Pocsuite could import batch targets from files and test those targets-imported against multiple exploit-plugins in advance.

There are two ways to work with Pocsuite: configuring exploit-required arguments and running in console-based modes; and handling the output from steps in interactive modes. Besides, it could display output in a human-friendly graph providing more useful information for pentesters.

Like Metasploit, it is a development kit for pentesters to develop their own exploits. Users could utilize some auxiliary modules packaged in pocsuite to extend their exploit functions or integrate pocsuite to develop other vulnerability assessment tools.

At last, Pocsuite is also an extremely useful tool to integrate Seebug and ZoomEye APIs in a collaborative way. Vulnerability assessment can be done automatically and effectively by searching targets through ZoomEye and acquiring PoC scripts from Seebug or locally.



Rudra: The Destroyer of Evil

Presented by: Ankur Tyagi

Rudra aims to provide a developer-friendly framework for exhaustive analysis of (PCAP and PE) files. It provides features to scan and generate reports that include file’s structural properties, entropy visualization, compression ratio, theoretical minsize, etc. These details, alongwith file-format specific analysis information, help an analyst to understand the type of data embedded in a file and quickly decide if it deserves further investigation.

Rudra is the only tool to provide an effective bot based query mechanism for scanning files. Users can use Twitter and mention a Pastebin link that stores the base64 encoded version of the file to be scanned. It will pull the file from Pastebin, perform base64 decoding, initiate scanning on decoded file, submit base64 encoded json report to Pastebin and post a reply tweet with its link. This provides a quick and effective option to try Rudra without installing it.

Rudra supports scanning PE files and can perform API scans, anti{debug, vm, sandbox} detection, packer detection, authenticode verification, alongwith Yara, shellcode, and regex detection upon them. Additionally, following new features are being added for the first beta release:

  • Interactive console providing access to all internal data structures and objects, exposing a rich API for users
  • Plugin architecture to operate upon decoded file content (usecases might be to write a decoder for a new RAT found in the wild or to write a custom unpacker for a binary stub, etc.)
  • Extracting subfiles and optionally scanning them if needed
  • Heuristics to identify suspicious network flows and exe files

The report for each analyzed file can be dumped to disk as a JSON/HTML/PDF. If needed, analysis can be customized via CLI arguments, config file, or interactive console.

Rudra also supports protocol identification, decoding, and normalization. It can analyze embedded URLs and IP addresses within files and gather whois/geolocation information for them. Users can view live mapping of identified hosts and correlate the results from different analysis modules to perform deeper investigation.



SAIVS (Spider Artificial Intelligence Vulnerability Scanner)

Presented by: Isao Takaesu

SAIVS is an artificial intelligence to find vulnerabilities in Web applications. The goal of SAIVS is to find vulnerabilities like a human security engineer. In January 2016, We developed the beta SAIVS. Beta SAIVS has the following capabilities:

  • It can crawl simple Web applications. SAIVS can crawl Web applications that include dynamic pages such as “login,” “create account” and “information search”.
  • It can find for vulnerabilities. SAIVS can find vulnerabilities such as “Cross Site Scripting” and “SQL Injection”.
  • It can output a scanning report. SAIVS can output a scanning report. The report includes target URLs and location of the found vulnerabilities.

SAIVS can also perform the following human-like actions: “SAIVS recognizes the type of the page. If it crawls the login page without having a login credential, it creates login credential in the create account page. After it log in with the created login credentials, it crawls the rest of the pages and scans for vulnerabilities. When it finishes all pages, it outputs a scanning report.” SAIVS uses machine learning algorithms such as Naive Bayes, Q-Learning, Multi-layer Perceptron in order to achieve one of the aforementioned capabilities: It can crawl simple Web applications. Our session will explain how this ability was made possible by the machine learning algorithms.




Presented by: Tobias Zillner

SecBee is a ZigBee security testing tool. It is basically a kind of ZigBee vulnerability scanner, which allows the mapping of ZigBee networks and enables security testers and developers to check the actual product implementation for ZigBee specific vulnerabilities.

Currently it supports direct and indirect ZigBee communication and provides features for command injection, scan for enabled devices, sniff network keys in plaintext and encrypted with the ZigBee default key and an insecure rejoin request.

The tool is still under development and additional features are added. The final goal is to test for the correct application and implementation of every ZigBee security service.




Presented by: Zhong Chenming

Seebug is an open vulnerability platform based on vulnerability and PoC/Exp sharing communities. So far, it already has 50,000+ vulnerabilities and 40,000+ PoC/Exps.

On this platform, users can submit new vulnerabilities or update information of existing ones that are lacking of detailssuch as summaries, PoC/Exps, summary, solutions, CVE-ID and other basic fields. As an exchange, we will reward you KB, which can be used to buy others submissions (such as PoCs) or converted into RMB directly (1 KB is equivalent to RMB 5 Yuan for now).

Seebug provides an opportunity for vulnerability learning. We plan to open Seebug BBS and Paper columns in the near future so that users can submit their technical articles, ideas, and communicate with each other on vulnerability mining issues.

Besides,each vulnerability is accompanied by a lifeline, recording all the relevant events during this process and offering a complete picture about the vulnerability development course.

With the help of ZoomEye, the latest vulnerabilities across the world can be detected timely and displayed on the vulnerability detail page. Based on the result, we can effectively conduct emergency response activities and provide online detection tools,affected vendor lists and early warning upon necessary.




Presented by: Xiaoning Li & Haifei Li

StackPivotChecker is a tool to provide instruction level inspection on stack pivoting behavior from 0-day. It provides rapid 0-day analysis capability. This lightweight tool to help research to address first stack pivoting point from complex 0-day execution path; it addressed real 0-day such as CVE-2013-0640.

Presented by: Karl Hiramoto is the free online file and URL scanner that everyone knows. However there are many free features that many users don’t know about such as:

  • A free public API for anyone to automate file or URL analysis.
  • IP address and domain reputation. See malware files known to be associated with a particular IP address or domain, and history Passive DNS info
  • Searching on file hash, and related files
  • Sysinternals, Carbon black, etc. integrations
  • Static analysis of files, structural analysis of many file types (PE, ELF, APK, ZIP, RAR, MACHO, .NET, office, etc)
  • Sandbox dynamic analysis of PE, APK, Apple Mach-O, and applications.
  • ROMS, BIOS, and firmware files
  • SSDEEP, authentihash, imphash, and other similarity indexes
  • Certificate checks on signed files
  • Whitelisting of trusted files
  • Free desktop scanning applications for Windows, MAC, and open source for compilation on linux.



ZoomEye Cyberspace Search Engine

Presented by: Zhou Yang

ZoomEye is a Cyberspace search engine released in 2013. As everyone knows, Shodan has already been around for years and it is widely used in Security Community. Unlike Shodan which only crawls the port fingerprints of Internet-connected devices and does a few work on fingerprint parsing, we crawl on not only Internet-connected devices, but also websites to get the fingerprints. All of these fingerprints are powered by our two major engines Xmap and Wmap. Xmap is specialized to port scanning, and Wmap focuses on Web Application fingerprint crawling and parsing.

We distribute the crawlers running 7/24 across the world, providing both host device and web application searches to the public by crawling and indexing. Users can also achieve integration and automation with our platform API.

This talk covers a basic introduction on our crawling and analyzing architecture, some thoughts on scanning crawling strategies, and the major process on parsing and analyzing devices and website fingerprints.

To better and deeply understand the complexity of the Cyberspace, we work hard on fingerprint parsing and analysis to get more detailed and complete metadata. We think that more accurate and formatted data will do great help to our Internet research. Besides, some cases will be demonstrated in comparison with Shodan and to prove our strengths.

The ZoomEye 101 section would introduce that how ZoomEye could help to enhance our Internet-research or do some hacking stuff. The audience will learn not only the revolution history of ZoomEye, but also some helpful Internet research methodologies.


MaxiSoler @maxisoler