The Black Hat Arsenal ASIA 2017 Great Line-Up!
The Black Hat Arsenal event is returning for the 3rd time to Asia (Singapore; here are things you can do in Singapore as well: https://www.jenreviews.com/best-things-singapore/ ). As you noticed, we started a new system to collect your submissions. It means that things are getting bigger than ever :). Our team, alongside the Black Hat folks, spent almost one week going through the submissions we received.
And to be fair with everyone, we have given priority to those who never presented before in any session. We were again amazed to see how many demoers have chosen to release their tools during the event!
So if you have the chance to attend Black Hat Asia, please stop by the Arsenal area to watch some mind-blowing demos.
Say hi to the great line-up!
AVET – AntiVirus Evasion Tool
Presented By Daniel Sauder
Avet (link: https://github.com/govolution/avet) is an antivirus evasion tool. What & Why:
- When running an exe file made with msfpayload & co., the exe file will often be recognized by antivirus software
- Avet is an antivirus evasion tool targeting Windows machines
- The techniques used in Avet evaded 9 antivirus suites (all of those tested), including MS Defender, McAfee, Sophos, Avira and more
- Avet includes two tools: avet.exe, with different antivirus evasion techniques, and make_avet, for compiling a preconfigured binary file
- Avet.exe loads ASCII-encoded shellcode from a text file or from a web server; further, it uses an AV evasion technique to avoid sandboxing and emulation
- For encoding the shellcode, the tools format.sh and sh_format are included
- Avet is tested with Kali 2 and tdm-gcc
In the near future (major update):
- Interactive assistant for easier usage
- More evasion techniques
- Support for 64bit payloads
CrackMapExec
Presented By Marcello Salvati
CrackMapExec (a.k.a. CME) is a fully open-source post-exploitation tool written in Python that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of “Living off the Land”: abusing built-in Active Directory features/protocols to achieve its functionality, which allows it to evade most endpoint protection/IDS/IPS solutions.
CME makes heavy use of the Impacket library and the PowerSploit Toolkit for working with network protocols and performing a variety of post-exploitation techniques.
Although meant to be used primarily for offensive purposes (e.g. red teams), CME can be used by blue teams as well to assess account privileges, find possible misconfigurations and simulate attack scenarios.
In this demo the author will be showing off for the first time version 4.0: a major update to the tool bringing more modules, features and capabilities than ever before. If you’re interested in the latest & greatest Active Directory attacks & techniques, this is the demo for you!
Damn Vulnerable SS7 Network
Presented By Akib Sayyed
The telecom network was closed for years, but recent advancements in open source telecom open new doors for telecom hacking. SS7 is the core network protocol in 2G and 3G. Many people have proved that these networks are insecure, but to date no proper tool or vulnerable network has been available to the information security community.
This talk will present security loopholes in the SS7 network; I’ll be covering SS7 protocol security, as well as real telecom security penetration testing in the lab. The demonstration is prepared from real SS7 penetration testing experience. During this demo I’m going to publish my SS7 penetration testing tool that I’ve built for SS7 assessment. The Damn Vulnerable SS7 Network will also be made available to the information security community. The talk will first present the basics of this vulnerability, including: information leaks, denial of service, toll and billing fraud, privacy leaks and SMS fraud.
Attendees will be able to understand the basics of the SS7 network and tool usage; in addition, attendees will also understand the different types of attacks in the SS7 network.
Here are some attacks supported by this tool:
- Subscriber privacy leaks
- Billing frauds
- Denial of service attacks
- Revenue Frauds
- Identity impersonation attacks
- Intercepting incoming services
- Illegal redirects
Datasploit – Automated Open Source Intelligence (OSINT) Tool
Presented By Shubham Mittal
- Allows setting up periodic scans for Cyber Situational Awareness.
- Reverse Image Search; works closely with various social network APIs.
- Highlights credentials, API keys, tokens, subdomains, domain history, legacy portals, etc. related to the target from more than 50 paste websites
- IP Threat Intelligence
- Active Scan modules
- Organisation Scoping
- Integration with other tools
- Multiple output report options
Devknox – Autocorrect Security Issues from Android Studio
Presented By Subho Halder
Devknox works like autocorrect: it highlights issues in the code and suggests quick one-click fixes to ensure security is taken care of on the go.
To perform this autocorrect and these suggestions, it does multiple traversals over the AST (Abstract Syntax Tree) and performs taint analysis over the source code on the client side, inside the IDE, in a matter of seconds to come up with one-click suggested fixes that fix the root-cause issue.
This tool is free and will be open sourced exclusively at Black Hat, so that the security community can help Devknox gain more test cases and help developers understand and write better, more secure code.
Faraday
Presented By Emilio Couto
Since collaborative pentesting is more common each day and teams become larger, sharing the information between pentesters can become a difficult task. Different tools, different formats, long outputs (in the case of having to audit a large network) can make it almost impossible. You may end up with wasted efforts, duplicated tasks, a lot of text files scrambled in your working directory. And then, you need to collect that same information from your teammates and write a report for your client, trying to be as clear as possible.
The idea behind Faraday is to help you share all the information that is generated during the pentest, without changing the way you work. You run a command, or import a report, and Faraday will normalize the results and share them with the rest of the team in real time. Faraday has more than 60 plugins available (and counting), including a lot of common tools. And if you use a tool for which Faraday doesn’t have a plugin, you can create your own. During this presentation we’re going to release Faraday v2.3 with all the new features we have been working on for the last couple of months.
CellAnalysis
Presented By Pedro Cabrera
CellAnalysis is the main tool from the “fakebts.com” project, to detect fake BTS stations and prevent GSM rogue attacks, using a Linux computer and SDR hardware devices that allow us to scan GSM/GPRS frequencies to monitor an infrastructure’s radio spectrum and detect multiple GSM rogue attacks.
At Black Hat Arsenal, I would like to show how to configure and use it with the main SDR boards: RTL-SDR, Osmocom phone, USRP B200, HackRF and BladeRF.
HaboMalHunter: An Automated Malware Analysis Tool for Linux ELF Files
Presented By Jingyu YANG & Zhao LIU
HaboMalHunter is an automated malware analysis tool for Linux ELF files; it is a sub-project of the Habo Analysis System, independently developed by Tencent Antivirus Laboratory. It can comprehensively analyze samples from both static information and dynamic behaviors, trigger and capture behaviors of the samples in the sandbox, and output the results in various formats. The generated report reveals significant information about processes, file I/O, network and system calls.
Recently, HaboMalHunter opened its source code under the MIT license, aiming to share and discuss automatic analysis technology with fellow researchers. The project applies digital forensics techniques, such as kernel-space system call tracing and memory analysis, and it emphasizes the importance of collaboration with mainstream security tools by making it easy to add third-party YARA rules and by supporting the output of .mdb files, which are hash-based ClamAV signatures. The tool, by generating a .syscall file containing a system call number sequence, is also friendly to artificial intelligence research on malware classification and detection.
HaboMalHunter has also been deployed and validated on a large-scale cluster at Tencent Antivirus Laboratory. With the capacity to process thousands of ELF malware samples per day, most of which come from VirusTotal, HaboMalHunter helps security analysts extract static and dynamic features effectively and efficiently. We hope to present the technical architecture and the detailed implementation of HaboMalHunter and to demonstrate it with several typical real-world Linux malware samples.
For more information, please read the white paper and visit the project website at: https://github.com/Tencent/HaboMalHunter
LAMMA 1.0
Presented By Ajit Hatti
LAMMA 1.0 is an attempt to create a Swiss-Army-Knife for security and quality assessment of cryptographic implementations. This major update of LAMMA has all-new modules for testing trust stores, source code analysis and logical flaws in crypto coding.
LAMMA 1.0, with its new features & fixes, makes crypto testing more effective and smoother even for large-scale implementations. You can use and enhance LAMMA 1.0, as it is FREE and OPEN SOURCE.
MetasploitHelper
Presented By Keith Lee & Maxwell Koh
MetasploitHelper was developed to assist penetration testers in internal engagements. There is a large number of exploits and modules available for penetration testers to use. However, it is often difficult and challenging for penetration testers to keep up to date with the latest exploits.
MetasploitHelper aims to make things easier for testers by testing and matching Metasploit modules against open ports and URI paths on the target hosts.
- Better detection and matching for web application exploits in Metasploit
- Exploit-DB is a very popular source of working exploits. Currently, there are more than 21,298 web application exploits available.
The number of exploits for web applications is increasing at a very fast rate due to more applications being developed and used.
We have added a parser for the web application exploits in Exploit-DB and added them to MetasploitHelper, and now you can scan for and detect more exploitable vulnerabilities much more easily.
MineMeld
Presented By Luigi Mori
Using threat intelligence to enforce security policy poses several challenges. Sources of threat indicators often provide indicators in multiple formats or format them inconsistently. Consuming indicators from multiple sources and packaging them into different formats requires a large investment of time and effort, especially as you discover new sources of indicators. It is also difficult to keep track of updates to threat indicator sources, since they are updated at different times and not always on a regular basis. To automate many of these manual processes, Palo Alto Networks has released MineMeld.
MineMeld is an open source Threat Intelligence framework you can use, among other things, to process indicators and automatically enforce policy on your firewall or augment logs in your SIEM. At the core of MineMeld is a flexible and extensible engine where the data flow is described via a graph of nodes exchanging indicators with a protocol inspired by BGP. By changing the nodes and how they are connected, you can easily define any kind of Threat Intelligence processing logic. And if you need support for a new format, a new protocol or a new logic, you can develop & add your own custom node to the graph.
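As an added illustration of the node-graph model described above (constructed for this write-up, not MineMeld's own code or API), the toy below wires two miner nodes into an aggregator that keeps a per-source table the way a BGP RIB does, feeding an output block list; it shows what "inspired by BGP" buys you: an indicator only leaves the list when its last source withdraws it or its merged confidence falls below the output's threshold. Node names, feed contents and the confidence attribute are all assumptions.

```python
"""Toy indicator graph with BGP-style update/withdraw messages. Constructed for
this write-up; NOT MineMeld's code or API, just a model of the idea above."""
from collections import defaultdict

class Node:
    def __init__(self, name):
        self.name, self.downstream = name, []
    def connect(self, node):
        self.downstream.append(node)
    def emit_update(self, indicator, attrs):
        for d in self.downstream:
            d.update(self.name, indicator, attrs)
    def emit_withdraw(self, indicator):
        for d in self.downstream:
            d.withdraw(self.name, indicator)

class Miner(Node):
    # Polls a feed and announces only the delta against the previous poll.
    def __init__(self, name):
        super().__init__(name)
        self.seen = {}
    def poll(self, feed):
        for ind in set(self.seen) - set(feed):
            self.emit_withdraw(ind)
        for ind, attrs in feed.items():
            if self.seen.get(ind) != attrs:
                self.emit_update(ind, attrs)
        self.seen = dict(feed)

class Aggregator(Node):
    # Like a BGP RIB: one entry per (indicator, source). Re-advertises the merged
    # view while any source still announces it; withdraws only after the last one.
    def __init__(self, name):
        super().__init__(name)
        self.rib = defaultdict(dict)
    def _announce(self, indicator):
        per_source = self.rib[indicator]
        self.emit_update(indicator, {"sources": sorted(per_source), "confidence": max(
            a["confidence"] for a in per_source.values())})
    def update(self, source, indicator, attrs):
        self.rib[indicator][source] = attrs
        self._announce(indicator)
    def withdraw(self, source, indicator):
        self.rib[indicator].pop(source, None)
        if self.rib[indicator]:
            self._announce(indicator)
        else:
            del self.rib[indicator]
            self.emit_withdraw(indicator)

class BlockList(Node):
    # Output node: keeps indicators at/above a minimum confidence and renders them
    # as the plain-text list a firewall would fetch as an external block list.
    def __init__(self, name, min_confidence):
        super().__init__(name)
        self.min_confidence, self.entries = min_confidence, {}
    def update(self, source, indicator, attrs):
        if attrs["confidence"] >= self.min_confidence:
            self.entries[indicator] = attrs
        else:                       # confidence fell below the bar: drop it
            self.entries.pop(indicator, None)
    def withdraw(self, source, indicator):
        self.entries.pop(indicator, None)
    def render(self):
        return "\n".join(sorted(self.entries))

def run_scenario():
    # Constructed feeds with TEST-NET documentation addresses; returns the rendered
    # block list after each poll so the withdraw semantics are visible.
    feed_a, feed_b, agg = Miner("feed_a"), Miner("feed_b"), Aggregator("agg")
    out = BlockList("edl", min_confidence=70)
    for miner in (feed_a, feed_b):
        miner.connect(agg)
    agg.connect(out)
    snapshots = []
    feed_a.poll({"198.51.100.7": {"confidence": 80}, "203.0.113.9": {"confidence": 60}})
    feed_b.poll({"203.0.113.9": {"confidence": 90}})
    snapshots.append(out.render())  # both listed: 203.0.113.9 reaches 90 via feed_b
    feed_b.poll({})                 # feed_b withdraws; feed_a still holds it at 60 ...
    snapshots.append(out.render())  # ... below 70, so the output drops it
    feed_a.poll({})
    snapshots.append(out.render())  # last source gone: everything withdrawn
    return snapshots
```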
NAD – A Tool for Performing Dynamic Runtime Analysis of Android Functions
Presented By Han Lee
Android application penetration testing goes further than testing the client to server communication. In order to get a holistic view on the risk exposure, a thorough analysis of the application has to be done to understand how the application works. This is also imperative to be able to bypass jailbreak detection, SSL pinning, or figure out how the application is handling encryption (e.g. being able to decrypt certain values).
There are several approaches available:
- The application can be decompiled, modified and recompiled. This approach however may not always work due to errors while decompiling.
- Patch the application by utilizing method hooks and overriding the original method. In order to identify the correct code and method to patch, the penetration tester has to go through the very time consuming process of figuring out the correct methods.
Adding to the frustration, most applications in release mode produce minified and obfuscated code. The above-mentioned problems make analyzing an Android application a very tedious process, even before the actual analysis of the application has started. Currently there are no tools available for Android that allow for easy method hooking. This is why I started developing NAD, a tool which allows testers to perform on-the-fly method hooks.
This talk aims to demonstrate an Android tool built upon the Xposed framework. This tool is an attempt to be the “Burp suite” for Android application methods. It provides the user with several abilities to ease such frustration and make life easier:
- Trace method calls
- Intercept all methods of the Android application
- Pause the application
- Modify the input parameters of the hooked method
- Modify the return value of the hooked method
My goal for developing this tool is to save time and provide more insight into compiled Android applications.
Offense and Defense Toolkits in High/Low Frequency
Presented By Haoqi Shan
RFID and contact-less smart cards have become pervasive technologies nowadays. IC/RFID cards are generally used in security systems that require access control, such as airports and military bases. This presentation first introduces the details of contact-less card security risks; then the principles of the low frequency (125 kHz) attack tool, HackID Pro, will be explained. This tool consists of an Android app and a piece of hardware that can be controlled by your phone. HackID Pro can emulate/clone any low frequency IC card to help you break into a security system by just typing a few numbers on your phone. After 125 kHz, this presentation will show you how personal information can be stolen from an EMV bank card, whose carrier frequency is high frequency, 13.56 MHz, while just sitting around you. In the end, our defense tool, Card Defender, will be dissected to explain how this product can protect your card and information at both high and low frequency, and some tricks this defense tool can do.
OpenSCAP
Presented By Martin Preisler
OpenSCAP is the only free and open source implementation of the NIST SCAP standard. It has two major use cases:
Vulnerability assessment – enables users to automatically scan their machines for vulnerabilities using OVAL CVE feeds from the operating system vendors (Red Hat, Canonical, SUSE, …). OpenSCAP loads the CVE feed and examines the machine, virtual machine storage image or container. Any missing patches are reported.
Security compliance – allows fully automated evaluation and remediation of machines using SCAP security policies. Instead of looking at vulnerabilities, in this use case we are looking for weaknesses in the configuration. A good source of SCAP security policies is the open source SCAP Security Guide project, which we will demo with OpenSCAP. Check out the list of available products and profiles by visiting https://static.open-scap.org/
One of the main improvements in the latest 1.2 branch is the ability to scan various resources using a similar command-line interface. We will cover scanning bare-metal machines, remote machines over SSH, VMs, VM storage images, containers and container images.
SCAP Workbench is a GUI front-end for OpenSCAP. It allows users to customize security policies for their organization by selecting/deselecting rules and choosing different values (e.g. password minimum length) for evaluation. The result can be saved in a so-called tailoring file. To demonstrate, we will make such a customized policy.
PowerSAP: Powershell Tool to Assess SAP Security
Presented By Joffrey CZARNY
Most companies, small or big, use SAP technologies to work. Many of them provide access to their SAP environments through Citrix. Indeed, suppliers or subcontractors need to reach the SAP environment; from back office to boardroom, warehouse to storefront, desktop to mobile device, users can quickly and ‘securely’ access SAP enterprise application software with Citrix virtualization without exposing their SAP landscape to the Internet.
Pentesting an SAP system requires some knowledge of these technologies and some hacking tools. Unfortunately, lots of SAP hacking tools are not maintained anymore, and dependencies such as the RFC SDK are required for them to work.
When it comes to assessing/pentesting the security of an SAP landscape from Citrix, no tool is freely available, and it is not allowed or possible to install third-party software or dependencies.
We present PowerSAP, a PowerShell assessment tool for SAP, which tries to answer this problem of dependencies and of use from a Citrix environment.
The presentation will start by describing the issues around SAP hacking tools; then we will continue by explaining the restrictions met when pentesting from a Citrix system. And then we will present in detail the PowerSAP tool developed to solve the issues met, of course with some demos.
Puma Scan
Presented By Eric Johnson
Puma Scan provides real-time, continuous source code analysis as development teams write code in Visual Studio. With over 50 security-focused rules targeting insecure configuration, cross-site scripting, injection, weak validation, cryptography, cross-site request forgery, and many more insecure coding patterns, Puma Scan relies on Roslyn (the .NET Compiler Platform) to display vulnerabilities as spell-check errors and compiler warnings. Come see a live demonstration of the Puma hunting source code for vulnerabilities, and walk away with an open-source (MPL v2.0) static analysis engine to help secure your .NET applications.
PyMultiTor
Presented By Tomer Zait
Did you ever want to be at two different places at the same time? When I asked myself this question, I actually started developing this solution in my mind. While performing penetration tests there are often problems caused by security devices that block the “attacking” IP. This really annoyed me, so I wrote a script to supply a solution for this problem. With a large number of IP addresses performing the attacks, better results are guaranteed – especially when attempting attacks to bypass Web Application Firewalls, Brute-Force type attacks and many more.
1) [Github] https://github.com/realgam3/pymultitor
2) [OwaspIL Old Presentation] https://www.owasp.org/images/3/3d/OWASPIL-2016-02-02_PyMultiTor_TomerZait.pdf
* I will release a new version of pymultitor (the proxy version of PyMultiTor; it will allow people to interact with this tool without changing the configuration of their own tools).
Shadow-Box: Lightweight Hypervisor-Based Kernel Protector
Presented By Seunghun Han & Junghwan Kang
Protection mechanisms running at kernel level (Ring 0) cannot completely prevent security threats such as rootkits and kernel exploits, because the threats can subvert the protections with the same privileges. This means protections need to be provided with higher privileges. Creating Ring -1 is plausible using VT such as ARM TrustZone, Intel VT-x, and AMD-V. Existing VT (Virtualization Technologies) supports separating the worlds into a host (normal world, ring -1) and a guest (normal world, ring 0 ~ ring 3). Previous research such as NumChecker, SecVisor, NICKLE, Lares, and OSck used VT to protect the kernel.
In this demo, we show a security monitoring framework for operating systems, Shadow-box, using state-of-the-art virtualization technologies. Shadow-box was introduced at the Black Hat Asia 2017 briefing and has a novel architecture inspired by a shadow play. We made Shadow-box from scratch, and it is primarily composed of a lightweight hypervisor and a security monitor. The lightweight hypervisor, Light-box, efficiently isolates an OS inside a guest machine and projects static and dynamic kernel objects of the guest into the host machine so that our security monitor in the host can investigate the projected images. The security monitor, Shadow-Watcher, places event monitors on static kernel elements and tests the security of dynamic kernel elements. We manipulate address translations from the guest physical address to the host physical address in order to exclude unauthorized accesses to the host and hypervisor spaces. In that way, Shadow-box can properly introspect the guest operating system and mediate all accesses, even when the operating system is compromised.
Shadow-box is an open source project (MIT license), and we have been successfully operating Shadow-box in the real world since last year. The real-world environment is different from a laboratory environment, so we have gone through many trials and errors over a year and have learned lessons from them. We share our know-how about using virtualization technology and deploying research into the wild.
ShinoBOT
Presented By Shota Shinogi
ShinoBOT is a RAT simulator for pentesters and researchers. The PowerShell-based version is released, and it allows you to test the detection performance of your security environment against PowerShell-based attacks, which have increased recently.
As with the previous version, you can use the ShinoBOT Suite to perform a whole APT scenario, from exploit to data exfiltration.
Smart Whitelisting Using Locality Sensitive Hashing
Presented By Jonathan Oliver & Jayson Pryde
Using cryptographic hashes (such as SHA1 or MD5) for whitelisting results in some limitations. Machine learning extensions of whitelisting may be used for execution control, verification, minimizing false positives from other detection methods, or other purposes.
Locality Sensitive Hashing is a state of the art method in machine learning for the scalable approximate-nearest-neighbor search.
The identification of executable files which are very similar to known legitimate executable files fits very well within this paradigm.
We provide open source tools for the evaluation of TLSH (a locality sensitive hash) of executable programs.
We also provide a backend query service which we will make available to researchers on an ongoing basis.
In this talk, we show the effectiveness of applying locality sensitive hashing techniques to identify files similar to legitimate executable files. In the demo we will:
- Give a brief explanation of locality sensitive hashing
- Describe typical modifications made to legitimate executable files (such as security updates, patches, functionality enhancements, and corrupted files)
- Given a program P, demonstrate how the tool can be used to query for similar executable files
- Demonstrate how metadata (such as certificates) can be employed to confirm the legitimacy of program P
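To make the limitation of exact hashes concrete, here is an added example (not the presenters' tools, and not the real TLSH algorithm: a simplified TLSH-style byte-triplet bucket digest written for this write-up) that whitelists a constructed stand-in for an executable, then looks up a patched copy and an unrelated file. The sample "binaries", the whitelist entry name and the similarity threshold are all assumptions.

```python
"""Whitelisting by similarity hash next to an exact cryptographic hash.
Added illustration: the digest below is a simplified TLSH-STYLE bucket hash
written for this page, not the real TLSH and not the presenters' code."""
import hashlib
import random

BUCKETS = 128            # one 2-bit level per bucket -> 32-byte digest
SIMILAR_THRESHOLD = 100  # distance below this counts as "same family" (max is 384)


def _bucket(triplet: bytes) -> int:
    # Map a 3-byte sliding window to a bucket (TLSH uses a Pearson hash here).
    return hashlib.blake2b(triplet, digest_size=1).digest()[0] % BUCKETS


def sim_hash(data: bytes) -> str:
    """Count byte-triplet buckets, quantise each count into quartile levels
    0..3, pack four levels per byte and return the digest as hex."""
    counts = [0] * BUCKETS
    for i in range(len(data) - 2):
        counts[_bucket(data[i:i + 3])] += 1
    ordered = sorted(counts)
    q1, q2, q3 = ordered[BUCKETS // 4], ordered[BUCKETS // 2], ordered[3 * BUCKETS // 4]
    levels = [0 if c <= q1 else 1 if c <= q2 else 2 if c <= q3 else 3 for c in counts]
    packed = bytes((levels[i] << 6) | (levels[i + 1] << 4) | (levels[i + 2] << 2) | levels[i + 3]
                   for i in range(0, BUCKETS, 4))
    return packed.hex()


def distance(h1: str, h2: str) -> int:
    """Sum of per-bucket level differences; 0 means identical digests."""
    def levels(h):
        for b in bytes.fromhex(h):
            yield from ((b >> 6) & 3, (b >> 4) & 3, (b >> 2) & 3, b & 3)
    return sum(abs(a - b) for a, b in zip(levels(h1), levels(h2)))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def lookup(candidate: bytes, whitelist: dict):
    """whitelist maps name -> (sha256, sim_hash). Exact match wins; otherwise the
    nearest entry under the threshold is reported as 'similar'; else 'unknown'."""
    digest, sh = sha256_hex(candidate), sim_hash(candidate)
    best = None
    for name, (known_sha, known_sim) in whitelist.items():
        if digest == known_sha:
            return ("exact", name, 0)
        d = distance(sh, known_sim)
        if d < SIMILAR_THRESHOLD and (best is None or d < best[2]):
            best = ("similar", name, d)
    return best or ("unknown", None, None)


# Constructed stand-ins for executables: seeded random bytes, not real PE files.
def _blob(seed: int, size: int) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))

LEGIT = _blob(2017, 8192)
# A "security update": 64 bytes replaced in the middle plus 32 bytes appended.
PATCHED = LEGIT[:4000] + _blob(99, 64) + LEGIT[4064:] + _blob(100, 32)
UNRELATED = _blob(4242, 8192)
WHITELIST = {"vendor_tool.exe": (sha256_hex(LEGIT), sim_hash(LEGIT))}

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("patched", PATCHED), ("unrelated", UNRELATED)):
        print(label, lookup(sample, WHITELIST))
```

The patched copy fails the SHA-256 check but lands well inside the similarity threshold, while the unrelated blob lands far outside it; as the last bullet above says, a similarity hit is a candidate to confirm with metadata such as the signing certificate, not a verdict by itself.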
Tintorera: Source Code Intelligence
Presented By Simon Roses Femerling
Tintorera is a new static analysis tool developed in Python that uses the GCC compiler to build C projects aiming to obtain intelligence from them. GCC offers a powerful plugin architecture that allows tapping into its internals, and static analysis tools can benefit from it to gather information of the source code while compiling.
Some Tintorera features that a code auditor can benefit from:
- Obtain many code metrics: Cyclomatic Complexity (CC), comment density, physical lines of code, design complexity, code averages, etc.
- Attack surface analysis of the entire project; identifies all entry and exit points of data.
- Can identify Linux API and well-known libraries such as OpenSSL.
- Produces different visualization maps of the source code, such as function structure, logic and function call relationships.
- Context and code analysis of: comments, inline assembly, global variables, function parameters and more.
- The entire source code is converted to a JSON representation allowing performing queries.
- Creates HTML reports while the project gets compiled by GCC.
- Extend Tintorera to fit your needs easily using Python.
- Tap into GCC internals and passes.
By using static analysis techniques, Tintorera can gather intelligence on C source code, allowing a code auditor to learn about the project faster. Tintorera is a tactical response as projects grow in complexity and code reviews are usually performed under limited time.
WiDy: WiFi 0wnage in Under $5
Presented By Vivek Ramachandran & Nishant Sharma & Ashish Bhangale
WiDy is an open source Wi-Fi attack and defense platform created to run on the extremely cheap ESP8266 (<$5) IoT platform. We’ve written a simple framework which you can hack to create your own tools or automate attack/defense tasks. Among the attacks WiDy is able to perform out of the box are:
- Honeypot Attacks
- Captive Portal Attacks
- Serving Exploits to browsers using DNS redirection
- Wi-Fi Scanner
- Wi-Fi Be Gone (similar to TV-be-gone)
- Sniffing and Injection
- Beacon Floods like MDK
- Deauthentication & Disassociation
- Client monitoring
- WiFi IDS/IPS functionality
- … other interesting applications
The key advantage of using the ESP8266 to recreate Wi-Fi attack/defense functionality is that anyone can now build these tools and physically deploy them in the field for under $5! One can only imagine the kind of projects the community can create once the core code is available to modify and hack. We have also used the Arduino-based platform to make it easier to work with our code. Of course, experienced developers can recreate/port this code to work with the manufacturer SDKs or with the Open ESP SDK. The code is written entirely in C.
All code and scripts will be open sourced under MIT license and launched at Black Hat Asia Arsenal!
Zenected Threat Defense VPN
Presented By Tomasz Jakubowski
Zenected is a cloud-based security threat protection service. It’s delivered through a set of pre-configured services. Once a user connects to Zenected, that user’s network traffic is filtered to keep the bad things out (e.g. phishing sites, malware). The only thing a user has to configure on the endpoint device (be it a mobile device, a desktop or laptop, or an IoT device) is the VPN connection. Oh, btw: because you are using a VPN, your network traffic is kept secret even if you connect using your favorite coffee store’s WiFi.
All mentioned services are updated every hour with a new set of threat indicators. The feeds are delivered by Perun Works.
Zenected is easy to manage. It uses a web front-end for administrators to manage your instance. An administrator user can:
- Manage Zenected users including adding more admin users
- Blacklist URLs or domain names that you don’t want your users to access
- Whitelist URLs or domain names, that were identified as malicious but you still want your users to be able to get to them
- Review exception requests from users
If you are a Zenected end-user, what you will like about it is:
- No need to install additional software on your mobile phone, tablet or laptop: Zenected uses standard OS features built into all modern systems
- If you encounter a certain resource blocked by the system, you can request an exception. Each exception is then reviewed by an administrator.
More details available on the webpage: https://zenected.com