scapy_dojo_v_1

Saturday, 1430-1830 in Flamingo, Lake Mead I

Hugo Trovao Hacker

Rushikesh D. Nandedkar Engineer, FireEye Inc.

The workshop aims towards making beginners aware and comfortable with various facets of Scapy and its real time usages in various task of penetration testing.

The flow of workshop will be as under:
1. Scapy basics
2. TCP Basics
3. DHCP server
4. DHCP server flooder || DNS/MDNS
5. Crafting a layer using Scapy
6. Fuzzing protocols with Scapy
7. Covert channel using Scapy
8. Scapy-radio

Added value to the workshop:

What attendees will learn:
- sending/receiving/displaying/modifying packets with Scapy
- implementing custom layers in Scapy
- implement answerMachines in Scapy
- to construct tools implementing some real life examples
- simple fuzzing through Scapy and generators
- to decode live traffic with an implemented protocol

Working in Scapy consequently attendees will learn:
- TCP basics
- DHCP/DNS/MDNS basics
- AJP13 protocol
- fuzzing
- Scapy-radio
+
Prebuilt VM containing all scripts and dependencies in place.

An ISO in progress can be found at: https://drive.google.com/open?id=1wJ9OQOAnew3upyoFdMUz1hlo0WEuogJW (/root contains install script. /src contains scripts. python-netaddr dependency needs to be installed manually as of now with apt.)

Skill Level Beginner

Prerequisites: Basics of Python scripting and networks.

Materials: For Windows users:
1. Virtualbox installed
2. Administrator privileges
3. 4GB+ RAM
4. 50 GB free space

For *nix users:
1. Virtaulbox installed (optional)
2. Root privileges
3. 4GB+ RAM
4. 50 GB free space
(In case *nix users do not want to use Virtualbox, they can run scripts directly on their boxes, provided Python and Scapy is installed there.)

Max students: 26

Registration: https://www.eventbrite.com/e/scapy-dojo-v-1-lake-mead-i-tickets-63439609580
(Opens 8-Jul-19)

Hugo Trovao
Hugo is a computer enthusiast since he was a kid and always curious to know how things worked. He liked everything related to computers. He's a researcher by passion, consultant by job and penetration tester by heart. He finds himself at peace while poking holes in applications/networks/systems, while writing security tools tailored to the assessments requirement and indeed while meditating. Always wants to known a better more efficient way of doing things.

Rushikesh D. Nandedkar
Rushikesh is an engineer at FireEye Inc. Having more than six years of experience under his belt, his assignments have always been pointed towards reducing the state of insecurity for information. His research papers were accepted at NCACNS 2013, nullcon '14 & '18, HITCON '14, Defcamp '14, BruCON '15 '16 '17 '18, DEFCON 24, x33fcon '17 & '18, c0c0n-X '17, Bsides Delhi '17, BlackHat USA '18, DEFCON 26 + Co-author of "DECEPTICON," an intelligent evil-twin. Being an avid CTF player, for him, solace is messing up with packets, frames, and shellcodes.

SELECT code_execution FROM * USING SQLite;—Gaining code execution using a malicious SQLite database

Saturday at 14:00 in Track 1
45 minutes | Demo, Tool, Exploit

Omer Gull Security Researcher at Check Point Software Technologies

Everyone knows that databases are the crown jewels from a hacker's point of view, but what if you could use a database as the hacking tool itself? We discovered that simply querying a malicious SQLite database - can lead to Remote Code Execution. We used undocumented SQLite3 behavior and memory corruption vulnerabilities to take advantage of the assumption that querying a database is safe.

How? We created a rogue SQLite database that exploits the software used to open it.Exploring only a few of the possibilities this presents we’ll pwn password stealer backends while they parse credentials files and achieve iOS persistency by replacing its Contacts database…

The landscape is endless (Hint: Did someone say Windows 10 0-day?). This is extremely terrifying since SQLite3 is now practically built-in to any modern system.

In our talk we also discuss the SQLite internals and our novel approach for abusing them. We had to invent our own ROP chain technique using nothing but SQL CREATE statements. We used JOIN statements for Heap Spray and SELECT subqueries for x64 pointer unpacking and arithmetics. It's a new world of using the familiar Structured Query Language for exploitation primitives,laying the foundations for a generic leverage of memory corruption issues in database engines.

Omer Gull
Omer Gull is a vulnerability researcher in the Malware and Vulnerability Research group at Check Point Software Technologies.

Omer has a diverse background in security research, that includes web application penetration testing, RE and exploitation.

He loves Rum, Old School Hip-Hop and Memory Corruptions.

Twitter: @GullOmer

Shadow Workers: Backdooring with Service Workers

Saturday from 14:00 – 15:50 in Sunset 6 at Planet Hollywood
Audience: Offensive Security, AppSec

Emmanuel Law & Claudio Contin

This presentation is focused around Shadow Workers, a tool that came out of our research on service workers. Service Workers are a new addition to modern browser and often used to extend offline capabilities to a website. With this tool, we weaponized service workers to include the ability to implant a pseudo backdoor in the browser and ghost through a victim's browser session to sniff, manipulate, and even proxy data silently. We'll demo the various persistence mechanisms our tool provides to keep service workers alive and demo how MITM can be done at the browser layer.

https://github.com/shadow-workers/shadow-workers

Emmanuel Law
Emmanuel Law (@libnex) is currently a security engineer in the Bay Area. He spends his free time researching news ways to break stuff and has presented at various international conferences such as Black Hat Arsenal, Ruxcon, Kiwicon, Troopers etc.

Claudio Contin
Claudio Contin (@claudiocontin) is a security consultant with ZX Security in Wellington, New Zealand. Before working in security, he spent several years developing web applications. He has presented at Bsides SF, Kiwicon and OWASP conferences. During his free time, he contributed to various open-source projects such as BEeF framework and Gophish.

Shellcode Compiler

Saturday from 14:00 – 15:50 in Sunset 5 at Planet Hollywood
Audience: Anyone interested in shellcode development

Ionut Popescu

Shellcode Compiler is a program that compiles C/C++ style code into a small, position-independent and NULL-free shellcode for Windows and Linux. It is possible to call any Windows API function or Linux syscall in a user-friendly way. The tool allows users to write custom shellcodes by providing an easy way to call functions or system calls. It does not have all the capabilities of a compiler, but it simplifies a lot the shellcode development process. There is no need to write assembler, it is only required to declare and call functions or system calls. Under the hood there is, of course, a custom compiler which compiles C/C++ style code into ASM which is later assembled using Keystone framework. Before the tool presentation, we will go into a deep dive on the shellcode development process for both Windows and Linux (32 bits only to keep it short and simple).

https://github.com/NytroRST/ShellcodeCompiler

Ionut Popescu
Ionut Popescu works as a Product Security Engineer for UiPath. His focus lies on web application penetration testing, source code review, security architecture review and providing security trainings. In his free time, he also likes to do research focusing on Windows internals, ASM and exploit development. Ionut is a regular speaker at different conferences, e.g. Defcon, Defcamp or OWASP.

SILENTTRINITY

Saturday from 14:00 – 15:50 in Sunset 4 at Planet Hollywood
Audience: Offense

Marcello Salvati

SILENTTRINITY is an asynchronous post-exploitation agent powered by Python, IronPython, C# and .NET's DLR (Dynamic Language Runtime), it attempts to weaponize and demonstrate the flexibility that BYOI (Bring Your Own Interpreter) payloads have over traditional C# implants. What are BYOI payloads? Turns out by harnessing the sheer craziness of the .NET framework, you can embed entire interpreters inside of .NET languages allowing you to natively execute scripts written in third-party languages (like Python) on windows! Not only does this allow you to dynamically access all of the .NET API from a scripting language of your choosing, but it also allows you to still remain completely in memory and has a number of advantages over traditional C# payloads! Essentially, BYOI payloads allow you to have all the "power" of PowerShell, without going through PowerShell in anyway! Additionally, you can nest multiple interpreters within each other to perform what I've coined "engine inception"! If you're interested in bleeding-edge and out of the ordinary C#/.NET offensive trade-craft, this is the demo for you!

https://github.com/byt3bl33d3r/SILENTTRINITY

Marcello Salvati
Marcello Salvati (@byt3bl33d3r) is a Security Analyst at BlackHills Information Security by day and by night a tool developer who discovered a novel technique to turn tea, sushi, alcohol and dank memes into somewhat functioning code. His passions include anything Active Directory related, trolling people on GitHub and developing open-source tools for the security community at large which he’s been doing for the past several years, some of his projects include SilentTrinity, CrackMapExec, DeathStar, RedBaron and many more.

Srujan: Safer Networks for Smart Homes

Saturday from 10:00 – 11:50 in Sunset 4 at Planet Hollywood
Audience: Defense, Network, Hardware, IOT Security

Sanket Karpe & Parmanand Mishra

Srujan is a new type of network segregation system, based on Raspberry Pi, that can be easily deployed on home networks. It allows home users to segregate the devices connecting to their home networks based on the threat profile. User can keep their smart home devices separate from their computers and mobile devices to mitigate risk of cross infection from low-trust devices like smart cameras, speakers and thermostats. Srujan was created to address the challenges around the plethora of IOT devices being deployed in smart homes that are vulnerable and do not receive patches. Srujan can intelligently segregate the home network into different zones based on the device type. It automatically identifies and alerts users when the IOT devices attempt to contact any IP or domain which has been blacklisted by Google Safe Browsing.

Srujan provides the following features:

-- Intelligent segregation of devices based on their type
-- Ability to create network usage stats for each device
-- Ability to quarantine untrusted devices
-- Easy to integrate with SIEM
-- Ability to lookup IP/Domain against Google Safe Browsing.
-- Integration with ANWI (All New Wireless IDS)
-- Prevent call-home pings to manufacturer for enhanced privacy.

Sanket Karpe
Sanket Karpe is a security researcher with over decade of experience on reverse engineering malware and incident response. He is currently working as a Manager, Malware Research at Qualys Inc where his primary responsibilities include malware analysis, creating new malware detection techniques and tools development. He is the author for ANWI - All New Wireless IDS and likes to work on various IOT projects in his free time.

Parmanand Mishra
Parmanand Mishra is a security enthusiast who is currently working as Senior Malware Researcher at Qualys Inc. He works on malware analysis and adversary simulation based on ATT&CK and loves creating tools on the same. He has spoken at security conferences like c0c0n and goes by Kart1keya on Github.

SSO Wars: The Token Menace

Saturday at 13:00 in Track 4
45 minutes | Demo, Tool, Exploit

Alvaro Muñoz Software Security Researcher @ Fortify (Micro Focus)

Oleksandr Mirosh Software Security Researcher @ Fortify (Micro Focus)

It is the year 2019. Humanity has almost won its long-standing war against Single-Sign On (SSO) bugs. The last of them were discovered and eradicated some time ago and the world is now living in an era of prosperity while the Auth Federation enjoys peaceful CVE-free times. However, while things seem to be running smoothly, new bugs are brewing at the core of major implementation libraries. This is probably the last chance for the evil empire to launch a world scale attack against the Auth Federation.

In this talk, we will present two new techniques:

• 1) A new breed of SAML implementation flaws that break XML signature validation and enable arbitrary modification of the SAML assertion, which enables attackers to authenticate as arbitrary users or grant themselves arbitrary authorization claims. Although any implementation may be affected by this flaw, we will show how it affects Microsoft Windows Identity Framework (WIF) applications, Windows Communication Foundation (WCF) web services, and flagship products such as SharePoint and Exchange Servers.
• 2) A bug in the .NET crypto library, which may allow attackers to gain Remote Code Execution (RCE) or Denial of Service (DoS) depending on the availability of code gadgets in the target server.

A new tool to detect this type of vulnerability will also be discussed and released.

Alvaro Muñoz
Alvaro Muñoz (@pwntester) is Principal Security Researcher at Micro Focus Fortify where he researches new software vulnerabilities and implement systems to detect them. His research focuses on web application frameworks where he looks for vulnerabilities or unsafe uses of APIs. Before joining the research team, he worked as an Application Security Consultant helping enterprises to deploy application security programs. Muñoz has presented at many Security conferences including BlackHat, DEF CON, RSA, OWASP AppSec US & EU, JavaOne, etc and holds several infosec certifications, including OSCP, GWAPT and CISSP. He plays CTFs with Spanish int3pids team and blogs at http://www.pwntester.com.

Twitter: @pwntester
Website: http://www.pwntester.com

Oleksandr Mirosh
Oleksandr Mirosh has over 11 years of computer security experience, including vulnerability research, penetration testing, reverse engineering, fuzzing, developing exploits and consulting. He is working for Fortify Software Security Research team in Micro Focus investigating and analyzing new threats, vulnerabilities, security weaknesses, new techniques of exploiting security issues and development vulnerability detection, protection and remediation rules. In the past, he has performed a wide variety of security assessments, including design and code reviews, threat modelling, testing and fuzzing in order to identify and remove any existing or potentially emerging security defects in the software of various customers.

Twitter: @olekmirosh

State of DNS Rebinding - Attack & Prevention Techniques and the Singularity of Origin

Saturday at 15:00 in Track 3
45 minutes | Demo, Tool

Gerald Doussot Principal Security Consultant, NCC Group

Roger Meyer Principal Security Consultant, NCC Group

Do you want to know how you can exploit DNS rebinding 10x faster, bypass prevention mechanisms, interactively browse the victim's internal network, and automate the whole process during your next red team exercise?

This talk will teach you how and give you an easy-to-use tool to do it.

First, we will cover in detail the subtleties that make DNS rebinding attacks more effective in practice, including techniques and operational conditions that make it faster and more reliable. We'll also explain how to bypass commonly recommended security controls, dispelling attack and defense misconceptions that have been disseminated in blogs and social media posts.

This talk will include a number of demos using Singularity, our open source DNS rebinding attack framework that includes all the parts you need to get started pwning today, including:

• Remote code execution and exfiltration payloads for common dev tools and software
• Practical scanning and automation techniques to maximize the chance of controlling targeted services

We'll also show an interesting post-exploitation technique that allows you to browse a victim browser network environment via the attacker's browser without the use of HTTP proxies.

You'll leave this talk with the knowledge and tools to immediately start finding and exploiting DNS rebinding bugs.

Gerald Doussot
Gerald Doussot is a Principal Security Consultant at NCC Group, with over 20 years experience in information technology. Gerald has undertaken defensive and offensive security roles, including the design, implementation and management of security solutions, software development, integration and security Testing.

Roger Meyer
Roger Meyer is a Principal Security Engineer at NCC Group with extensive experience in managing and leading complex engagements. Roger specializes in web application security, network penetration testing, configuration reviews, and secure software development and architecture design.

Tag-side attacks against NFC

Saturday at 13:00 in Track 3
45 minutes | Demo, Tool

Christopher Wade

This talk covers tag-side attacks against NFC communication protocols, including cracking of Mifare encryption keys and performing targeted attacks against NFC readers. In addition, it will cover the design and creation of devices capable of emulating NFC tags down to the raw protocol using standard components and tools, with no abstraction to dedicated hardware, covering and expanding on the capabilities of available products. This talk will contain how 13.56MHz NFC works at a raw level, how tools can be built for analysing it, how the protocol can be implemented in full on standard Microcontrollers, and the security weaknesses present in its design.

Christopher Wade
Chris is a seasoned security researcher and testing consultant. His main focuses are in reverse engineering hardware, fingerprinting USB vulnerabilities and playing with Software Defined Radios, with his key strength lying in firmware analysis, which he utilises as part of the hardware testing team at Pen Test Partners.

Twitter: @Iskuri1
Github: https://github.com/Iskuri

Unpacking Pkgs: A Look Inside Macos Installer Packages And Common Security Flaws

Saturday at 16:30 in Track 1
20 minutes | Demo

Andy Grant Technical Vice President, NCC Group

We are hackers, we won't do as you expect or play by your rules, and we certainly don't trust you. JAR files are really ZIPs...unzip them! So are Microsoft's DOCX, XLSX, PPTX, etc. Let's open them up! macOS applications (.app "files") are really directories you can browse?! Sweet, let's do that.

Less well known but similarly prevalent are Flat Package Mac OS X Installer (.pkg) files. These are actually XAR archives that, among other things, contain many plaintext files (including shell, Perl, and Python scripts) as cpio files compressed using gzip.

In this presentation I'll walk you through extracting the contents of these installer packages, understanding their structure, and seeing how they work while highlighting where security issues can come up. To drive the point home of what can go wrong, I'll include examples of serious security issues I've seen in the wild and show you how they can be exploited to elevate privileges and gain code/command execution.

After this talk, .pkg files will no longer be opaque blobs to you. You'll walk away knowing tools and techniques to tear them open, understand how to evaluate what they're really doing on your computer, and a methodology for finding bugs in them. As a final bonus, I'll include a subtle trick or two that can be used on red teams.

Andy Grant
Andy Grant is a Technical Vice President for NCC Group. While at NCC Group, Andy has worked on a wide-variety of security assessment and advisory projects. He has performed numerous application assessments on mobile (Android, iOS, WP7), desktop (OS X/macOS, Windows, Linux), and web platforms. He has also performed many internal and external network penetration tests and widget/third-party platform reviews. Andy has worked with small tech start-ups, small and large software development groups, and large financial institutions. Andy has a BS in Computer Science and an Advanced Computer Security Certificate from Stanford University.

Twitter: @andywgrant

Vacuum Cleaning Security—Pinky and the Brain Edition

Saturday at 16:00 in Track 4
20 minutes | Exploit

jiska TU Darmstadt, Secure Mobile Networking Lab

clou (Fabian Ullrich)

Data collected by vacuum cleaning robot sensors is highly privacy-sensitive, as it includes details and metadata about consumers’ habits, how they live, when they work or invite friends, and more. Connected vacuum robots are not as low-budget as other IoT devices and vendors indeed invest into their security. This makes vacuum cleaning robot ecosystems interesting for further analysis to understand their security mechanisms and derive takeaways.

In this talk we discuss the security of the well-protected Neato and Vorwerk ecosystems. Their robots run the proprietary QNX operating system, are locally protected with secure boot, and use various mechanisms that ensure authentication and encryption in the cloud communication. Nonetheless, we were able to bypass substantial security components and even gain unauthenticated privileged remote execution on arbitrary robots. We present how we dissected ecosystem components including a selection of vacuum robot firmwares and their cloud interactions.

jiska
Jiska has a M.Sc. in IT-Security. She is a PhD student at the Secure Mobile Networking Lab (TU Darmstadt) since May 2014. Her main research interest are wireless physical layer security and reverse engineering. You might also know her embroidery projects or game shows from past CCC events.

Twitter: @seemoolab

clou (Fabian Ullrich)
Fabian has a M.Sc. in IT-Security. He is working as a researcher and analyst at ERNW. His main research interests are full stack IoT and web application security. In his free time, Fabian likes to capture some flags.

We Hacked Twitter… And the World Lost Their Sh*t Over It!

Saturday at 22:15 in Firesides Lounge
45 minutes

Mike Godfrey Penetration Tester, INSINIA Security

Matthew Carr Penetration Tester, INSINIA Security

In December 2018 INSINIA Security was involved in one of the biggest hacking stories of the year. A number of “celebrities”, including Louis Theroux, Eamon Holmes and more, logged into their Twitter accounts just after Christmas to find a Tweet, from their account, saying:

“This account has been temporarily hijacked by INSINIA SECURITY”.

The tweet immediately directed people to our blog post, and the compromised accounts retweeted INSINIA’s Tweet, saying:

“This account is now under the control of @InsiniaSRT. Luckily, this has been H4CK3D to highlight an important vulnerability. The user of this account has NOT lost access to it, no data compromised and is NOT under attack. See how it was done…”.

What we did was simple. We used spoof texts to Tweet from these accounts. We NEVER had access to these accounts. We could never read DM’s. We simply passively controlled these accounts with no opportunity of getting confidential data in return.

So what did the hacking community, journalists and commentators do?! They LOST THEIR SH*T OVER IT!

“It’s unethical” “It’s a crime” “Computer Misuse Act counts for security researchers too!” “You guys are total f*cking idiots!

These are the types of things we’d heard from our peers. But why was the backlash so bad? In this talk, INSINIA explains why it was done, how it was done, how people reacted and how research can be released quickly and responsibly… Without always getting the warm reception you might expect!

Mike Godfrey
Mike Godfrey, Director of INSINIA Security, started life as a “hacker” before he had hit his teens. With a professional background in Electro-technical / Electro-mechanical Engineering and almost 20 years’ experience in building and breaking computers.

Mike offers a unique perspective when it comes to varied and multi-vector attacks and is regarded as one of the UK’s most capable multi-skilled Cyber Security Specialists, gaining notoriety in the Cyber Security industry for using elements of different skills, both on hard and soft surfaces, to carry out highly technical and often highly intricate electronic attacks. One of these attacks includes hacking Costco’s high security Sentry display safe with nothing more than a magnet and a sock! This research was utilised and referenced by @Plor in his talk at DEF CON 25 – “Popping a Smart Gun”. Mike has also been lucky enough to become a DEF CON speaker in 2018, one of the proudest moments of his life!

Mike works as a Cyber Security contributor for the BBC, LBC, Channel 4 and was the Ethical Hacker who discovered the TalkTalk and O2 data breach stories.

Twitter: @MikeGHacks

Matthew Carr
Matthew's previous roles including Senior Penetration Tester and Researcher at SecureLink, Europe's largest managed security services provider and Operational Security Specialist at Ikea overseeing worldwide Operational Security as part of a Specialist Team.

Matthew regularly speaks at industry events and lectures offensive security at Malmö's Technology University in Sweden.

Matthew spent over 3 years as part of an R&D team building intrusion detection software, a secure cloud platform, SIEM tools and other security software, Matthew is not only a competent red teamer but also a valuable asset to any blue team.

Matthew works as a Cyber Security contributor for the Telegraph, Talk Radio and SVT.

Twitter: @sekuryti

Weaponizing Hypervisors to Fight and Beat Car and Medical Devices Attacks

Saturday at 10:00 in Track 1
45 minutes | Demo, Tool

Ali Islam CEO, Numen Inc.

Dan Regalado (DanuX) CTO, Numen Inc

Historically, hypervisors have existed in the cloud for efficient utilization of resources, space, and money. The isolation feature is one of the reasons hypervisors are heavily moving to other ecosystems, like Automobiles, so that for example, if an Infotainment crashes, it does not affect other sensitive ECUs like ADAS. Blackberry QNX and AGL announced the use of hypervisors in their deployments on Cars.

The trending is real, but there is a big challenge! Most of the systems in Cars and Medical devices run on ARM, plus, protection at the hypervisor level is still limited. So, is it possible to have a framework that runs at the hypervisor level, able to monitor at the OS level and most important, capable to identify and kill threats coming into the monitored devices?

During this talk we will walk you through the steps needed to setup a framework running on Xilinx ZCU102 board able to monitor ARM-based devices and to kill malicious threats identified. Also will discuss challenges on syscall monitoring, single-stepping limitations, techniques to stay stealthy, techniques to detect and kill traditional malware seen in enterprise like Ransomware, Heap Exploits and capabilities on VM Escape attacks and feasibilty to detect Spectre-like exploits.

Ali Islam
Ali Islam Khan is the Chief Executive Officer (CEO) and Co-Founder of Numen Inc. He is also an avid C programmer and has developed the core set of Numen’s Virtual Machine Introspection (VMI) capabilities. Before quitting his job to work full time on Numen, Ali was Director R&D at FireEye where he was leading the R&D efforts for FireEye’s flagship email and network products. He is the founding member of FireEye Labs where he invented & developed some of the key detection technologies used in FireEye products today. Ali has multiple patents to his name and has over 13 years’ experience in a wide range of cyber security disciplines, including cryptography, malware analysis, cyber-espionage and product development. He has successfully created and led global teams from scratch. Ali has spoken at conferences such as RSA and worked with various government agencies such as DHS, KISA on intelligence sharing efforts to counter nation-state level threats.

Khan holds an MBA from UC Berkeley and a Master’s degree in network security from Monash University, Australia. He is an AUSAID scholar and the recipient of the prestigious Golden Key Award.

Twitter: @Ali_Islam_Khan
LinkedIn: https://www.linkedin.com/in/aliislam/

Dan Regalado (DanuX)
Daniel Regalado aka DanuX is the CTO and Co-Founder of Numen Inc. He is a Mexican security researcher with more than 17 years in the scene. He has worked reversing malware and exploits at Symantec Security Response Team and FireEye Labs and lately focused on IoT threats at Zingbox. He is credited with the discovery of most of the ATM malware worldwide. He is the co-author of famous book Gray Hat Hacking and he likes to present his discoveries in major security conferences like RECon, RSA, DEF CON IoT/Car Hacking villages, BSIDES.

Twitter: @danuxx
LinkedIn: https://www.linkedin.com/in/daniel-regalado-200aa414/