DEF CON Demolabs
Brief demonstrations for people to show off their project. The DemoLabs are in rooms at LVCC West, Level 3.
DEF CON All Demolabs Forum page
5Ghoul Framework – 5G NR Attacks & 5G OTA Fuzzing
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W305
5Ghoul Fuzzer is an over-the-air security testing tool and fuzzing framework that leverages a rogue 5G NR base station to systematically create test cases targeting 5G-capable smartphones or Qualcomm USB-based modems. The framework also contains test case scripts to launch attacks exploiting 10 implementation-level vulnerabilities, ranging from DoS to downgrades, that affect commercial 5G modems from major chipset vendors such as Qualcomm and MediaTek. The tool is released as open source and is continuously tested against newer devices. For example, two more 5G implementation vulnerabilities are currently under embargo and will be released by the end of this month in the open source repository and website maintained for the project.
Links:
Project – https://github.com/asset-group/5ghoul-5g-nr-attacks
DEF CON Forums – https://forum.defcon.org/node/249623
People:
SpeakerBio: Matheus Eduardo Garbelini, Research Fellow at Singapore University of Technology and Design (SUTD)
Matheus Eduardo Garbelini is a Research fellow at Singapore University of Technology and Design (SUTD) and a White Hat Wireless Hacker by hobby. Through his research in wireless fuzzing, he discovered implementation vulnerabilities in the chipset of countless Bluetooth, Wi-Fi, and 5G commercial IoT devices.
SpeakerBio: Sudipta Chattopadhyay, Associate Professor at Singapore University of Technology and Design (SUTD)
Sudipta Chattopadhyay is an Associate Professor at Singapore University of Technology and Design (SUTD) and hacks code during his spare time. His general research interests lie in the broad area of cyber security including but not limited to security for AI, Wireless Technologies, and Internet of Things (IoTs). Together with Matheus, he discovered SweynTooth, BrakTooth and 5Ghoul, families of Bluetooth and 5G NR vulnerabilities that affected billions of devices worldwide.
Automated Control Validation with Tommyknocker
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W303
Tommyknocker is an open source project designed to facilitate automation of continuous security control validation, bringing some of the processes developers have been using for years for regression testing to the security world. It allows users to easily create test scenarios using Docker images and standard scripts to perform one or more test actions, followed by the ability to easily check common tooling (SIEM, IDS, log aggregators) for any expected alerts or log entries. Using Tommyknocker, security organizations can add test cases each time a new security control is created, so that any time a change is made in the environment, the continued functioning of existing controls can be validated. Many times, security organizations will only test controls when they are first implemented, and potentially a few times a year for audit purposes. With Tommyknocker, controls can be tested multiple times per day, ensuring that alerts are raised as soon as possible when a control ceases to function correctly, or is compromised by a threat actor.
Links:
Project – https://github.com/loredous/tommyknocker
DEF CON Forums – https://forum.defcon.org/node/249615
People:
SpeakerBio: Jeremy Banker
Jeremy is an accomplished software developer and lifelong hacker with a combined 10 years of experience in software development and cybersecurity. After working his way up from customer support, and earning a Master’s degree in Information Security, Jeremy helped found the Security Product Engineering, Automation and Research group at VMware. Having spoken at both Blackhat Arsenal and Def Con Demolabs on his open source projects, he continues to be passionate about sharing new tools and technologies with the community. In his spare time, Jeremy enjoys gardening, camping, and tinkering with all manner of technology.
Bluetooth Landscape Exploration & Enumeration Platform (BLEEP)
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W306
The purpose of the tool platform is to provide both novice and experienced Bluetooth researchers a “swiss-army knife” for device exploration and enumeration. The Bluetooth Landscape Exploration & Enumeration Platform (BLEEP) is capable of discovering Bluetooth Low Energy (BLE) devices, connecting to them, and enumerating the device as well. BLEEP leverages Python3, BlueZ, and the Linux D-Bus to provide a terminal user interface for identifying and interacting with BLE implementations. The I/O capabilities of the toolset include reads, writes, and capture of notification signals. The purpose of using these low-level libraries is to maintain fine-grained control over the interaction between BLEEP and the BLE environment.
Links:
DEF CON Forums – https://forum.defcon.org/node/249606
Project – https://github.com/Mauddib28/bleep-tool
People:
SpeakerBio: Paul Wortman
Dr. Wortman has a PhD in Electrical and Computer Engineering from the University of Connecticut with research that ranged from network analysis to cyber security risk evaluation. He now focuses on Bluetooth protocol and devices research.
BypassIT – Using AutoIT & Similar Tools for Covert Payload Delivery
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W304
BypassIT is a framework for covert delivery of malware, using AutoIT, AutoHotKey, and other Living off the Land (LotL) tools to deliver payloads and avoid detection. These techniques were derived from reversing attacks observed in the wild by DarkGate and other MaaS actors, revealing universal principles and methods useful for red teaming or internal testing. The framework will consist of a series of tools, techniques, and methods along with testing and reporting on effectiveness, as it relates to evading multiple specific antivirus products.
Links:
DEF CON Forums – https://forum.defcon.org/node/249610
People:
SpeakerBio: Ezra Woods, Information Security Analyst, Department of Economic Security at Arizona
Ezra Woods is a recent cybersecurity graduate from Grand Canyon University, working as an Information Security Analyst for Arizona’s Department of Economic Security. He is captain of Grand Canyon University’s collegiate cyber defense team, and Team Lead for the Arizona Cyber Threat Response Alliance’s Threat Intelligence Support Unit (TISU).
SpeakerBio: Mike Manrod, Chief Information Security Officer at Grand Canyon Education
Mike serves as the Chief Information Security Officer for Grand Canyon Education, responsible for leading the security team and formulating the vision and strategy for protecting students, staff, and information assets across the enterprise. He also serves as Adjunct Faculty for Grand Canyon University, teaching Malware Analysis and Threat Intelligence. Previous experiences include serving as a threat prevention engineer for Check Point and working as a consultant and analyst for other organizations.
Cloud Offensive Breach and Risk Assessment (COBRA)
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W308
Cloud Offensive Breach and Risk Assessment (COBRA) is an open-source tool designed to empower users to simulate attacks within multi-cloud environments, offering a comprehensive evaluation of security controls. By automating the testing of various threat vectors including external and insider threats, lateral movement, and data exfiltration, CNBAS enables organizations to gain insights into their security posture vulnerabilities. CNBAS is designed to conduct simulated attacks to assess an organization’s ability to detect and respond to security threats effectively.
Links:
DEF CON Forums – https://forum.defcon.org/node/249608
Project – https://github.com/PaloAltoNetworks/cnbas-tool
People:
SpeakerBio: Anand Tiwari
Anand Tiwari is an information security professional with a strong technical background, working as a Product Manager (PM) focused on the more technical aspects of a cloud security product. He fills that role by doing in-depth technical research and competitive analysis, informed by business issues, strategy, and a deep understanding of what the product should do and how the products actually work. He authored ArcherySec, an open-source tool, and has presented at BlackHat, DEF CON USA, and HITB conferences. He has also given workshops at many conferences, such as DevOpsDays Istanbul and Boston.
SpeakerBio: Harsha Koushik
Harsha Koushik is a security engineer and researcher, passionate about securing digital systems. He specializes in Cloud-Native Application Platform Protection (CNAPP), tackling emerging cyber threats while working at large scale. Additionally, Harsha hosts the security podcast ‘Kernel-Space,’ exploring insightful discussions on the latest trends and issues in cybersecurity.
CODASM – Hiding Payloads in Plain .text
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W305
CODASM aims to decrease a stageless payload’s Shannon entropy, which was found to be a simple but annoying detection vector used by EDRs. It’s a Python program that processes arbitrary binary inputs and produces a C program consisting of two parts: a buffer holding generated x86-64 ASM instructions with the original payload encoded into it, and a set of functions that can decode the ASM at runtime. The buffer is designed to be compiled into the final payload’s .text section, thus it looks like regular (if not functional) code to AVs, EDRs and analysts. This encoding effectively decreases the payload’s Shannon entropy but comes with a significant increase in output size. The demo will cover usage of the tool and dissection/reverse engineering of the resulting payload.
Links:
DEF CON Forums – https://forum.defcon.org/node/249629
People:
SpeakerBio: Moritz Laurin Thomas, Senior Red Team Security Consultant at NVISO ARES
Moritz is a senior red team security consultant at NVISO ARES (Adversarial Risk Emulation & Simulation). He focuses on research & development in red teaming to support, enhance and extend the team’s capabilities in red team engagements of all sorts. Before joining the offensive security community, Moritz worked on a voluntary basis as a technical malware analyst for a well-known internet forum with focus on evading detections and building custom exploits. When he isn’t infiltrating networks or exfiltrating data, he is usually knees deep in research and development, dissecting binaries and developing new tools.
Cyber Security Transformation Chef (CSTC)
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W307
Imagine GCHQ’s CyberChef integrated in BurpSuite with live modification of requests at your fingertips. That’s exactly what we had in mind when we built the Cyber Security Transformation Chef (CSTC) a few years ago. The CSTC is an extension to the popular BurpSuite Proxy built for experts working with web applications. It enables users to define recipes that are applied to outgoing or incoming HTTP requests/responses automatically. Whatever quirks and specialties an application might challenge you with during an assessment, the CSTC has you covered. Furthermore, it allows users to quickly apply custom formatting to a chosen message if a more detailed analysis is needed. After the initial release, the CSTC is finally back! It contains new features and improvements such as many new operations to be used in recipes, inclusion of community-requested features, and a refactoring of the codebase. Alongside the CSTC we will launch a new public repository with recipes we found useful in our experience as penetration testers, which is of course open for contribution by the community. This helps the community solve common challenges and get started working with the CSTC.
Links:
DEF CON Forums – https://forum.defcon.org/node/249625
Project – https://github.com/usdAG/cstc
People:
SpeakerBio: Florian Haag, Managing Security Consultant at usd AG
Florian Haag is a managing security consultant at usd AG with experience in penetration testing, software security assessments as well as code reviews. He is specialized in penetration tests of thick client applications, leveraging his background in software development to reverse engineer proprietary client applications and network protocols. In addition, he maintains several open source tools for web application pentesting presented at international conferences like BlackHat and DEF CON.
SpeakerBio: Matthias Göhring, Security Consultant and Penetration Tester at usd AG
Matthias Göhring is a security consultant and penetration tester at usd AG, an information security company based in Germany with the mission #moresecurity. He is Head of usd HeroLab, the division of usd specialized in technical security assessments. In addition, he holds lectures at Technical University Darmstadt and University of Applied Sciences Darmstadt on ethical hacking and penetration testing. In previous scientific work, he focused on network and communication security as well as software security.
distribRuted – Distributed Attack Framework
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W303
Penetration testing tools often face limitations such as IP blocking, insufficient computing power, and time constraints. However, by executing these tests across a distributed network of hundreds of devices, these challenges can be overcome. Organizing such a large-scale attack efficiently is complex: as the number of nodes increases, so does the difficulty of orchestration and management. distribRuted provides the necessary infrastructure and orchestration for distributed attacks. This framework allows developers to easily create and execute specific distributed attacks using standard application modules. Users can develop their own attack modules or utilize pre-existing ones from the community. With distribRuted, automating, managing, and tracking a distributed attack across hundreds of nodes becomes straightforward, thereby enhancing efficiency, reducing time and costs, and eliminating the Single Point of Failure (SPoF) in penetration testing.
Links:
Project – https://distribruted.com
DEF CON Forums – https://forum.defcon.org/node/249609
People:
SpeakerBio: Ismail Melih Tas, Founder and CEO at Siber Ninja
Melih Tas is a VP in Application Security at a multi-national financial company in London, UK, and the founder and CEO of VulnHero and Siber Ninja, two cybersecurity startups. He has previously worked as a Senior Security Consultant at Synopsys, a Tech Lead at Garanti BBVA Bank, and a Security Researcher at Nortel-Networks Netas. Melih holds a Ph.D. in Cyber Security, has presented at renowned hacker conferences including DEF CON and Black Hat, and is a published academic author with a focus on VoIP security and Application Security.
SpeakerBio: Numan Ozdemir, Cybersecurity Researcher and Computer Programmer
Numan Ozdemir is a cybersecurity researcher and computer programmer currently pursuing a degree in Mathematics and Computer Science. His research interests include blockchain and application security.
Docker Exploitation Framework
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W303
Docker Exploitation Framework is a cross-platform framework that is focused on attacking container environments (think Kubernetes, Docker, etc.). It can identify vulnerabilities, misconfigurations, and potential attack vectors. It also helps to automate different stages of a successful kill chain through features such as:
- Vulnerability scanning
- Container breakouts
- Pod2pod lateral movement
- File layers deep inspection and extraction
- Attack surface discovery and mapping
- Privilege escalation, etc
Links:
Project – https://dockerexploitationframework.github.io/
DEF CON Forums – https://forum.defcon.org/node/249603
People:
SpeakerBio: Emmanuel Law, Senior Staff Security Engineer
Emmanuel Law (@libnex) has over a decade of security research experience. He has presented at various international conferences such as Black Hat USA Arsenal, Troopers, Kiwicon, Ruxcon etc. He has also released tools such as Shadow Workers for browser exploitation. He is currently working as a Senior Staff Security Engineer in San Francisco Bay Area.
SpeakerBio: Rohit Pitke
Rohit Pitke has been working in the security industry for over a decade in various fields like application and infrastructure security, offensive security and security software development. He has presented at various conferences like AppSec USA, AppSec Rome, and NullCon.
Drop-Pi
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W306
The Drop-Pi is a suite of software developed on a Raspberry Pi to facilitate the automatic bypassing of 802.1x/NAC implementations (pre 802.1x-2010 standards) and establish discreet remote access into target networks. Designed with physical penetration testing in mind, the Drop-Pi can establish remote access inside a target network within a matter of seconds after being plugged in, affording assessors a quick in and out on an objective. It’s built with common and easily sourced hardware, which allows for easy and quick provisioning of multiple Drop-Pi devices. When it’s not feasible to utilize a target network for egress traffic, the Drop-Pi can easily be configured to employ a wireless connection or mobile hotspot to facilitate access in and out of the network.
Links:
DEF CON Forums – https://forum.defcon.org/node/249636
Project – https://github.com/ditmer/Drop-Pi
People:
SpeakerBio: Doug Kent, Pentesting Team at State Farm
Doug has worked at State Farm for about 20 years, mostly on security technologies ranging from Active Directory, PKI, and endpoint protection, before recently landing on the Pentesting team. Doug has a passion for identifying vulnerabilities and partnering with control solution teams to protect State Farm data and fulfill our promise to customers. He strives to help others with offensive security skills by providing training, guidance, and kill chain demonstrations.
SpeakerBio: Robert Ditmer, Red Team at State Farm
Rob has been on the State Farm Pentesting Team for 3 years and has recently moved to the Red Team. Prior to his time at State Farm, he worked with various other companies as a penetration testing consultant, enabling him to experience a wide range of technologies and their differing implementations. Rob enjoys the challenge of developing tools and infrastructure to better the skills and abilities of State Farm’s Red Team.
FACTION
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W308
FACTION is an all-encompassing solution for streamlined security assessment workflows and enhanced collaboration within your teams. In addition, it’s fully open source and extendable so it can integrate within diverse environments. FACTION’s key benefits are that it cuts reporting time by more than half for manual pen-tests, keeps tabs on all outstanding vulnerabilities with custom alerts based on your SLAs, becomes the hub of shared information for your assessments, enabling other teammates to replay attacks you share, facilitates large-scale assessment scheduling that typically becomes hard to manage when your teams are doing more than 100 assessments a year, and is fully extendable with REST APIs and FACTION Extensions.
Links:
DEF CON Forums – https://forum.defcon.org/node/249632
Project – https://github.com/factionsecurity/faction
People:
SpeakerBio: Josh Summitt, Founder at Faction Security
With over 18 years of experience in application security, Josh has played diverse roles—from being a penetration tester and reverse engineer to serving as a full-stack developer and CTO of a cybersecurity startup. He founded Faction Security, an organization committed to hosting open-source tools with the goal of supporting security teams by providing resources that enhance collaboration and efficiency. In addition to making open-source security tools, Josh builds custom modular synths and generally enjoys making strange and unusual noise-making devices.
Farming Ndays with GreyNoise
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W308
Gnarly vulnerabilities in devices and services that typically face the internet are being disclosed every week. You can use GreyNoise’s new free community analysis platform to deploy honeypot sensors, collect PCAPs of in-the-wild exploitation of software vulnerabilities, discover the source IPs of mass scanners, botnets, and compromised devices, and compare attacks across networks. In this presentation we’re demonstrating GreyNoise’s new sensor deployment, SQL explorer, and rules engine.
People:
SpeakerBio: Andrew Morris
No BIO available
Garak
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W306
Garak, the Generative AI Red-teaming and Assessment Kit, is a vulnerability scanner for large language models (LLMs) and dialogue systems. It has a host of different probes, each working on different vulnerabilities and payloads. It connects to a broad range of different LLMs. The attacks range from static tests of fixed prompts, to dynamically assembled prompts, to probes that respond to existing model behavior when working out their next move. Community contribution already plays a big part in Garak, with an active repo and over 300 members in the Discord. Garak can assess and attack anything that takes text and returns text, and is already used by many industry players in assessment of internal and external models, including NVIDIA and Microsoft as well as a range of emerging AI Security startups; it’s the #1 ranked tool for LLM security on Hackernews. But we think it’s mostly a lot of fun.
Links:
DEF CON Forums – https://forum.defcon.org/node/249618
Project – https://github.com/leondz/garak/
People:
SpeakerBio: Erick Galinkin, Research Scientist at NVIDIA
Erick Galinkin is a Research Scientist at NVIDIA working on the security assessment and protection of large language models. Previously, he led the AI research team at Rapid7 and has extensive experience working in the cybersecurity space. He is an alumnus of Johns Hopkins University and holds degrees in applied mathematics and computer science. Outside of his work, Erick is a lifelong student, currently at Drexel University and is renowned for his ability to be around equestrians.
SpeakerBio: Leon Derczynski, Principal Research Scientist, LLM Security at NVIDIA
Leon Derczynski is principal research scientist in LLM Security at NVIDIA and prof in natural language processing at ITU Copenhagen. He’s on the OWASP LLM Top 10 core team, and consults with governments and supranational bodies. He co-wrote a paper on how LLM red teaming is like demon summoning, that you should definitely read. He’s been doing NLP since 2005, deep learning since it was more than one layer, and LLM security for about two years, which is almost a lifetime in this field. Finally, Prof. Derczynski also contributes to ML Commons, and regularly appears in national and international media.
GC2 – The First Serverless Command & Control
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W306
GC2 is the first serverless command and control. This project aims to demonstrate how attackers could take advantage of third-party tools (Google Sheets and Google Drive) to execute commands and exfiltrate information from a compromised system. First released in 2021, it became well known in April 2023 after being mentioned in Google’s Threat Horizons Report.
Links:
Project – https://github.com/looCiprian/GC2-sheet
DEF CON Forums – https://forum.defcon.org/node/249630
People:
SpeakerBio: Lorenzo Grazian
Lorenzo Grazian has more than 6 years of experience in red teaming, penetration testing and source code review mainly in the financial and transport industries. He worked and led local and global cybersecurity projects. Besides his offensive security background, he developed several tools to support offensive security activities.
HIDe & SEEK
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W304
The Injectyll-HIDe project (released at DEF CON 30) is back and better than ever! The hardware implant utilizes the same standard features that you have come to know and love (keystroke recording, keystroke injection, mouse jiggler, etc.) but it has evolved into so much more. The functionality has been steadily growing since its initial release to offer users even more tools! But wait, there’s more! We’re proud to show off the new SEEK shields this year at the CON! Tired of running a covert mesh network? Want to try out new RF technologies? We’ve added LoRa and LoRaWAN to the mix as well! These shields are field swappable and work with the existing C2 and implant code to give you the versatility that you need to continue evading detection. Attendees should be prepared to flip 0ut over these features, as well as some new additions to the project that we will be announcing at DEF CON. Who’s ready for a high stakes game of hacker’s HIDe and SEEK?
Links:
DEF CON Forums – https://forum.defcon.org/node/249616
Project – https://github.com/Injectyll-HIDe/Injectyll-HIDe
People:
SpeakerBio: Jonathan Fischer, Red Team Consultant and Researcher
Jonathan Fischer (a.k.a. c4m0ufl4g3) is a hardware and IoT security enthusiast that started off designing, programming, and implementing electronic controls for industrial control systems and off-highway machinery. After a decade in that industry, Jonathan obtained his BS in Computer Science and transitioned over to the cyber security industry where he has been working as a Red Team consultant and researcher for more than seven years at a Fortune 500 company. Since joining the cyber security industry, Jonathan has earned various industry certifications (OSCP, GXPN, etc.) and continues to leverage his unique experience in his research into hardware hacking. Jonathan has presented his research at conferences such as DEF CON Demo Labs, ShmooCon, THOTCON, BSides LV, and Hardware Hacking Village. He is also the co-creator of Injectyll-HIDe, an open-source hardware implant designed for use by red teams.
SpeakerBio: Matthew Richard
Matthew Richard is a software developer that enjoys coding in low level languages. His favorite text editor is Neovim. As an average Neovim enjoyer he is obligated to stand on the side of Vi in the text editor war, but chooses to be on the side of Ed to make everyone equally unhappy. His operating system of choice is NixOS… by the way. 🙂
Hopper – Distributed Fuzzer
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W308
Hopper is a Coverage-Guided Greybox Distributed Fuzzer, inspired by AFL++, and written in Golang. Like other fuzzers, Hopper operates as a standard command-line interface tool, allowing you to run fuzz campaigns to find vulnerabilities and exploits in software. Hopper’s mutation algorithm, energy assigning strategy, and out-of-process coverage gathering are all inspired by AFL++, the current state of the art fuzzer. However, Hopper’s distributed strategy differs substantially from AFL++ in an attempt to define a new distributed fuzzing paradigm. AFL++ and LibFuzzer have clear scaling limitations in larger environments, notably AFL++’s rudimentary multi-machine mode. As an early prototype, Hopper addresses these limitations by implementing a deduplicating communication schema that establishes a consistency invariant, minimizing repeated work done by fuzzing nodes. Hopper is a standalone, new piece of software developed from scratch in the spirit of exploration; it is not yet another Python plugin/extension for AFL++. Hopper is currently available on GitHub, including containerized runnable campaign demos. Tooling and observability are first-class features, in the form of a TUI to monitor fuzzing campaigns, usage docs, and quick-start scripts for orchestrating fuzz campaigns.
Links:
Project – https://github.com/Cybergenik/hopper
DEF CON Forums – https://forum.defcon.org/node/249620
People:
SpeakerBio: Luciano Remes, Software Engineer at Palantir Technologies
Luciano Remes received a B.S. in Computer Science from the University of Utah, where he did 2 years of grant-funded Systems research under the FLUX Research Group, finally working on his Thesis Hopper: Distributed Fuzzer. During this time, he also interned at AWS EC2 and Goldman Sachs SPARC infrastructure teams, as well as a few startups including Blerp and Basecamp. Currently, he’s a Software Engineer at Palantir Technologies building distributed network infrastructure.
SpeakerBio: Wade Cappa, Software Engineer at Palantir Technologies
Wade Cappa recently graduated from Washington State University with a B.S. in Computer Science and is now working at Palantir Technologies as a Software Engineer on distributed data systems. He previously worked at Microsoft in the Semantic Machines department, creating a dynamically linked debugging utility for an internal use tooling language. In his free time he is working with a high-performance-computing research group on a cutting edge distributed strategy for approximating submodular monotonic optimizations.
Maestro
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W303
Maestro is a post-exploitation tool designed to interact with Intune/EntraID from a C2 agent on a user’s workstation without requiring the user’s password, knowledge of Azure authentication flows, token manipulation, or a web-based administration console. Maestro makes interacting with Intune and EntraID from C2 much easier, as the operator does not need to obtain the user’s cleartext password, extract primary refresh token (PRT) cookies from the system, run additional tools or a browser session over a SOCKS proxy, or deal with Azure authentication flows, tokens, or conditional access policies in order to execute actions in Azure on behalf of the logged-in user. Maestro enables attack paths between on-prem and Azure. For example, by running Maestro on an Intune admin’s machine, you can execute PowerShell scripts on any enrolled device without ever knowing the admin’s credentials!
Links:
DEF CON Forums – https://forum.defcon.org/node/249621
Project – https://github.com/Mayyhem/Maestro
People:
SpeakerBio: Chris Thompson, Principal Consultant at SpecterOps
Chris Thompson (@_Mayyhem) is a Principal Consultant at SpecterOps, where he conducts red team operations, research, tool development, and training. Chris has instructed at Black Hat USA/EU and spoken at Arsenal, DEF CON Demo Labs, SO-CON, and Troopers. He is the primary author of Maestro and SharpSCCM and co-author of Misconfiguration Manager, an open-source tool and knowledge base that can be used to help demonstrate, mitigate, and detect attacks that abuse Microsoft Configuration Manager (formerly SCCM).
MITRE Caldera for OT
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W303
Caldera for Operational Technology (C4OT) is an extension to the open-source Caldera adversary emulation platform. Adversary emulation has long helped defenders of information systems exercise and improve their cyber defenses by using real adversary techniques. While Caldera has been out since 2021, C4OT was released September 2023. Specifically, C4OT exposes native OT protocol functions to Caldera. The initial release of C4OT supported three popular OT protocols (Modbus, BACnet, and DNP3). Since then, we have added support for two more protocols (IEC61850 and Profinet). Today, we are actively working on support for the space protocol GEMS. By utilizing Caldera and the C4OT plugins, end-users can emulate threat activity across both Enterprise and Operational networks with ease.
Links:
Project – https://github.com/mitre/caldera-ot
DEF CON Forums – https://forum.defcon.org/node/249633
People:
SpeakerBio: Blaine Jeffries, Operational Technology Security Engineer at MITRE Corp
Blaine Jeffries is an Operational Technology Security Engineer at MITRE with a focus on defensive cybersecurity research, threat intelligence and adversary emulation. At MITRE, Blaine currently serves as a co-lead of Caldera for OT and supports a variety of DoD and government sponsors. Prior to joining MITRE, Blaine served in the US Air Force as a Cyberspace Operations Officer. Currently he holds degrees in Electrical Engineering and Cyberspace Operations.
SpeakerBio: Devon Colmer, Cybersecurity Engineer, Critical Infrastructure Protection Innovation Center at MITRE Corp
Devon Colmer is a Cybersecurity Engineer in MITRE’s Critical Infrastructure Protection Innovation Center, working principally in OT adversary emulation and detection engineering. Prior to joining MITRE, Devon served as a Submarine Officer in the US Navy. He has led the development of OT plugins for MITRE’s adversary emulation platform, Caldera, and is currently researching a common data model for OT protocols.
MITRE Caldera
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W308
MITRE Caldera is a scalable, automated adversary emulation, open-source cybersecurity platform developed by MITRE. It empowers cyber practitioners to save time, money, and energy through automated security assessments. Caldera not only tests and evaluates detection/analytic and response platforms, but it also provides the capability for your red team to perform manual assessments with computer assistance. This is achieved by augmenting existing offensive toolsets. The framework can be extended to integrate with any custom tools you may have. The development team behind the platform is a group of red teamers, software developers, exploit writers, cyber threat analysts, AI researchers, cybersecurity engineers, and computer scientists. They all pursue the common goal of building a premier adversary emulation platform for our security defenders around the world.
Links:
DEF CON Forums – https://forum.defcon.org/node/249626
Project – https://github.com/mitre/caldera
People:
SpeakerBio: Mark Perry, Lead Applied Cyber Security Engineer at MITRE Corp
Mark Perry is a Lead Applied Cyber Security Engineer at MITRE Corp, where he specializes in adversary emulation and work development. With a robust background in infrastructure and cyber security frameworks, Mark brings extensive expertise to his role, focusing on fortifying systems against sophisticated cyber threats. He has worked on projects involving adversary emulation, red teaming, cyber threat intelligence, and software development. Mark also leads development and delivery of Caldera workshops, providing participants with practical, hands-on training utilizing cybersecurity techniques. Additionally, he actively promotes Caldera’s benefactor program, fostering community support and engagement to further the development of cybersecurity tools and resources. Outside of his professional endeavors, Mark enjoys traveling and is a supercar enthusiast.
SpeakerBio: Rachel Murphy, Cyber Security Engineer at MITRE Corp
Rachel Murphy is a Cyber Security Engineer at MITRE Corp. She has a B.S. in Mechanical Engineering and, prior to joining MITRE, she worked as a mechanical engineer at NASA performing thermal analysis for the International Space Station at Johnson Space Center in Houston, TX. Rachel has worked on projects in adversary emulation, red teaming, cyber threat intelligence, and software development. Part of this work includes supporting Caldera’s research in artificial intelligence, developing Caldera workshops like this one, and promoting Caldera’s benefactor program. She has also served as a red team operator for MITRE Engenuity’s ATT&CK Evaluations.
Moriarty
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W307
Moriarty is a .NET tool designed to identify vulnerabilities for privilege escalation in Windows environments. Building upon Watson and Sherlock, Moriarty extends their capabilities by incorporating advanced scanning techniques for newer vulnerabilities and integrating additional checks. This tool supports a wide range of Windows versions, from Windows 10 to Windows 11 and Server versions 2016, 2019, and 2022. Moriarty differentiates itself by its ability to enumerate missing KBs and detect a variety of vulnerabilities linked to privilege escalation, offering suggestions for potential exploits. The tool’s extensive database includes well-known vulnerabilities such as PrintNightmare (CVE-2021-1675), Log4Shell (CVE-2021-44228), and SMBGhost (CVE-2020-0796), among others.
Links:
Project – https://github.com/BC-SECURITY/Moriarty
DEF CON Forums – https://forum.defcon.org/node/249637
People:
SpeakerBio: Anthony “Coin” Rose, Lead Security Researcher and Chief Operating Officer at BC Security
Anthony “Coin” Rose, CISSP, is a Lead Security Researcher and Chief Operating Officer at BC Security, where he specializes in adversary tactic emulation planning, Red and Blue Team operations, and embedded systems security. He has presented at numerous security conferences, including Black Hat, DEF CON, HackMiami, and RSA conferences. Anthony is the author of various offensive security tools, including Empire and Starkiller, which he actively develops and maintains. He is recognized for his work revealing widespread vulnerabilities in Bluetooth devices and is the co-author of a cybersecurity blog at https://www.bc-security.org/blog/.
SpeakerBio: Jake “Hubble” Krasnov, Red Team Operations Lead and Chief Executive Officer at BC Security
Jake “Hubble” Krasnov is the Red Team Operations Lead and Chief Executive Officer of BC Security. He spent the first half of his career as an Astronautical Engineer overseeing rocket modifications for the Air Force. He then moved into offensive security, running operational cyber testing for fighter aircraft and operating on a red team. Jake has presented at DEF CON, where he taught courses on offensive PowerShell, and has been recognized by Microsoft for his discovery of a vulnerability in AMSI. Jake has authored numerous tools, including Invoke-PrintDemon and Invoke-ZeroLogon, and is the co-author of a cybersecurity blog at https://www.bc-security.org/blog/.
MPT – Pentest in Action
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W307
In the ever-evolving world of software development, security is also becoming fast paced. Hence, each product going through the pentest cycle has to be managed effectively and efficiently, and managing multiple pentests and testers is important. The goal of this tool is a single-pane-of-glass view for managing pentests and testers.
Links:
DEF CON Forums – https://forum.defcon.org/node/249631
Project – https://github.com/jenyraval/MPT
People:
SpeakerBio: Jyoti Raval, Senior Staff Product Security Leader at Baker Hughes
Jyoti Raval works as Senior Staff Product Security Leader at Baker Hughes. She is responsible for securing products end-to-end and is involved in various phases of the security life cycle. She is the author of the Phishing Simulation Assessment and MPT tools, and has presented at DEF CON, Black Hat, Nullcon, HITB, OWASP NZ and Infosec Girls. She also heads the OWASP Pune chapter.
Nebula – 3 Years of Kicking *aaS and Taking Usernames
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W307
Cloud Penetration Testing has become a hot topic in the offensive community, as cloud-based infrastructures have slowly been taking the place that on-prem ones used to hold. This requires a tool to help with it. Nebula is a cloud pentest framework which offers reconnaissance, enumeration, exploitation and post-exploitation on AWS, Azure and DigitalOcean, and above all the opportunity to extend it even further. It is built modularly for each provider and each attack, allowing for a diversity in attack surface. This, coupled with the client-server architecture, allows for a collaborative team assessment of a hybrid cloud environment.
Links:
DEF CON Forums – https://forum.defcon.org/node/249607
Project – https://github.com/gl4ssesbo1/Nebula
People:
SpeakerBio: Bleon Proko
Bleon Proko is an infosec enthusiast passionate about Infrastructure Penetration Testing and Security, including Active Directory, Cloud (AWS, Azure, GCP, Digital Ocean), Hybrid Infrastructures, as well as Defense, Detection and Threat Hunting. He has presented at conferences like Black Hat and BSides on topics related to Cloud Penetration Testing and Security. His research includes Nebula, a Cloud Penetration Testing Framework (https://github.com/gl4ssesbo1/Nebula), and other posts, which you can also find on his blog (blog.pepperclipp.com). He is also the author of the upcoming book “Deep Dive into Clouded Waters: An overview in Digital Ocean’s Pentest and Security” (https://leanpub.com/deep-dive-into-clouded-waters-an-overview-in-digitaloceans-pentest-and-security).
Open Hardware Design for BusKill Cord
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W303
An open hardware design for BusKill cables that uses 3D printing and easily sourceable components. BusKill cables are hardware Dead Man’s Switches that use USB events to trigger a laptop to lock, shutdown, or self-destruct when the laptop is physically separated from the operator.
Links:
Project – https://github.com/BusKill/usb-a-magnetic-breakaway
DEF CON Forums – https://forum.defcon.org/node/249627
People:
SpeakerBio: Melanie Allen
Melanie Allen is a 3D-printing enthusiast and volunteer hardware developer with the BusKill project.
SCAGoat – Exploiting Damn Vulnerable SCA Application
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W305
SCAGoat is a deliberately insecure web application designed for learning and testing Software Composition Analysis (SCA) tools. It offers a hands-on environment to explore vulnerabilities in Node.js and Java Spring Boot applications, including actively exploitable CVEs like CVE-2023-42282 and CVE-2021-44228 (log4j). This application can be utilized to evaluate various SCA and container security tools, assessing their capability to identify vulnerable packages and code reachability. As part of our independent research, the README includes reports from SCA tools like Semgrep, Snyk, and Endor Labs. Future research plans include incorporating compromised or malicious packages to test SCA tool detection and exploring supply chain attack scenarios.
Links:
DEF CON Forums – https://forum.defcon.org/node/249617
Project – https://github.com/harekrishnarai/Damn-vulnerable-sca
People:
SpeakerBio: Hare Krishna Rai, Product Security Engineer
As a Product Security Engineer, Hare Krishna Rai’s passion for cybersecurity drives him to excel in various areas. He specializes in conducting penetration testing, actively participates in security Capture The Flag (CTF) competitions, and performs code reviews to ensure secure code development. His expertise extends to leveraging Static Application Security Testing (SAST) techniques in languages like Java, Python, JavaScript and JSP, among others.
SpeakerBio: Prashant Venkatesh, Manager, Product Security
Prashant Venkatesh is an information security expert with over 20 years of experience. He presently works as Manager, Product Security at an ecommerce company. Prashant is an enthusiastic participant in the field who consistently coordinates, reviews papers, and presents his work at numerous InfoSec conferences, including Black Hat, Nullcon and c0c0n. He is also active in the OWASP Bay Area chapter leadership and is co-founder of the annual Seasides Conference in India.
Serberus
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W308
The Serberus is a serial Man-in-the-Middle hardware hacking tool designed to connect to embedded devices. It has 4 channels and has headers to interface with up to 3 UARTs simultaneously, and also has the ability to connect to JTAG, SPI, I2C and SWD interfaces. During this talk I will introduce the Serberus and what makes it different from other, similar tools. It has a level shifter and switch to allow you to connect to logic voltages of 1.8, 2.5 and 3.3 V, or any arbitrary voltage between 1.65 V and 5.5 V, matching that of your target. The Serberus is unique in that it was designed to use open source tools like the Akheron proxy in order to MitM serial communications. I will demonstrate the Serberus connecting to a Wi-Fi router and to a JTAG, I2C or SPI target, and I will also show the MitM capabilities on the serial connection between an aircraft transponder and its avionics system. The Serberus project is free and open source with all board layouts, gerbers and schematics published.
Links:
Project – https://github.com/pk-mdt/Serberus
DEF CON Forums – https://forum.defcon.org/node/249614
People:
SpeakerBio: Patrick Kiley, Principal Consultant at Mandiant
Patrick Kiley, Principal Consultant at Mandiant (a division of Google Cloud), has over 20 years of information security experience working with both private sector employers and the Department of Energy/National Nuclear Security Administration (NNSA). Patrick has spoken at DEF CON, BlackHat, Bsides and RSA. Patrick can usually be found in the Car Hacking or Aerospace village, where he volunteered for several years. His passion is embedded systems security; he has released research in avionics and embedded systems, and even bricked his own Tesla while trying to make it faster.
Skynet
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W306
Skynet is an AI project (just kidding). It is meant to be a sort of unified theory of detection, enabling us to plot any detection artifact types on screen around an entity and decision them faster and more accurately. While plotting alert sets, attack trees, and kill chains has been done before, we are planning to use graphing as the primary presentation, triage and decisioning mechanism for alert sets and cases, at scale, using a novel combination of heuristics and machine learning. It is an alert manager made by users, for users.
Links:
DEF CON Forums – https://forum.defcon.org/node/249612
People:
SpeakerBio: Craig Chamberlain
Craig Chamberlain has been working on threat hunting and detection for most of his life and has contributed to several SIEM-like products you may have used. Most of them had unnecessarily simple alert pages and workflow, which makes him sad, and this is his attempt to put things right. He has presented at numerous conferences including the SANS Threat Hunting Summit; RSA 2024; CactusCon; the ISC2 Congress; SOURCE Boston; and several B-Sides conferences in Washington DC, San Francisco, NoVA, Boston, and Rochester.
SpeakerBio: Rewanth Tammana
Rewanth Tammana is a security ninja, open-source contributor, and an independent consultant. Previously, he was Senior Security Architect at Emirates NBD (National Bank of Dubai). He is passionate about DevSecOps, Cloud, and Container Security. He added 17,000+ lines of code to Nmap. Rewanth speaks and delivers training at numerous security conferences worldwide. He was recognized as one of the MVP researchers on Bugcrowd (2018), published an IEEE research paper on ML and security, and more.
Tempest
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W304
Tempest is a command and control framework written in 100% Rust. It began as a research project and personal challenge, but has grown into a very effective c2 framework. The original concept was to write a simple yet effective c2 framework, and design continues to focus on this simple goal. Because it started out as a research project with a learning goal, the framework is not directly based on any existing c2 frameworks and the vast majority of code will not be found anywhere else.
Links:
Project – https://github.com/Teach2Breach/tempest
DEF CON Forums – https://forum.defcon.org/node/249622
People:
SpeakerBio: Kirk Trychel, Senior Red Team Engineer at Box.com
Kirk Trychel is a Senior Red Team Engineer with Box.com and a lifelong hacker. He has led Red Teams with the Department of Defense, Secureworks Adversary Group, and CrowdStrike Adversary Emulations. Always eager to hack the newest technology, Kirk has produced original research across many areas of offensive security. His diverse experience combines with a passion to understand and expand attack surfaces, and to do what defenders have not considered. Besides breaching systems, Kirk loves sharing his knowledge with the community and helping enhance organizations’ security posture.
Tengu Marauder
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W305
The Tengu Marauder, derived from a previous security drone project, is a portable wheeled robot equipped with an ESP32 Marauder, currently in its testing phase. Designed for simplicity and efficiency, the Tengu Marauder serves as an alternative and interactive tool for WiFi network security testing. Its capabilities include WiFi scanning, deauthentication attacks, packet sniffing, and other wireless security tests. The compact design ensures ease of construction and maintenance using readily available parts and straightforward code integration. Essentially an advanced RC robot, the Tengu Marauder operates headless via XBee, providing a fun and engaging platform for testing the security of network-controlled devices over WiFi, such as IoT smart home devices and smaller WiFi-controlled drones like the Ryze Tello. This project would not have been possible without the development help, test runs, and support from the Philadelphia RAICES organization, the Philadelphia DEFCON group, and DeciSym.AI.
Links:
Project – https://github.com/Lexicon121/Tengu-Marauder
DEF CON Forums – https://forum.defcon.org/node/249611
People:
SpeakerBio: Leonardo Serrano
Leonardo Serrano is a dedicated community organizer who spends his time learning more about the cyberz, connecting people, and supporting cool projects. His focus is primarily on threat modeling and the intersection of security architecture, process, and decision-making. Leo runs a hackerspace in Philadelphia called “The Tooolbox” with his partners where he hopes to showcase the amazing hackers who call Philadelphia home.
SpeakerBio: Lexie Thach
Lexie Thach has worked in cybersecurity for ten years in various positions. During this time, I developed a strong affinity for electrical engineering, programming, and robotics engineering. Despite not having a traditional academic background, I have extensive hands-on experience from my eight years in the US Air Force, specializing in cybersecurity and tactical networks for aircraft missions and operations. My focus on securing and testing the security of autonomous systems stems from these experiences, and I am passionate about sharing the techniques I have learned. Currently, I run a local hackerspace in Philadelphia in support of DC215 called The Tooolbox, where anyone can come to learn new hacking tools and try to build offensive or defensive security robots, and we have 3D printers on standby for any prototyping people want.
Testbed Virtual Factory
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W306
As the landscape of industrial control systems (ICS) evolves, the security vulnerabilities inherent in these systems have become increasingly important. In response to this escalating situation, we present the development of a virtualized cybersecurity research testbed tailored for these environments. Addressing the challenge of limited access to proprietary OT network data for research purposes, this talk proposes a comprehensive framework for simulating industrial environments. It aims to facilitate the development and testing of cybersecurity solutions by providing functionalities for network traffic logging, attack impact simulation and the generation of labeled multivariate time series sensor datasets, among others, bridging the gap between theoretical research and practical application needs, especially in situations of low data availability and in data-driven cybersecurity research.
Links:
Project – https://github.com/Gradiant/virtual-factory
DEF CON Forums – https://forum.defcon.org/node/249624
People:
SpeakerBio: Borja Pintos Castro, Researcher, Security and Privacy Area at Gradiant
Borja Pintos-Castro is passionate about cybersecurity; he spends his days reading and tinkering. He obtained a degree in Computer Engineering from the University of A Coruña. He also has a Master of Computer Security from the International University of La Rioja. Now, he is a researcher at Gradiant in the Security and Privacy Area, specifically in Industry 4.0 cybersecurity projects. Currently, he manages some industrial security projects, specifically analyzing network traffic and using honeypots to detect threats and attacks. He holds the OSCP (PEN-200) certification from Offensive Security.
SpeakerBio: Camilo Piñón Blanco
Camilo Piñón-Blanco graduated in Telecommunication Technologies Engineering (2021) and Master in Telecommunication Engineering (2023) from the University of Vigo, both specializing in Telematics Engineering. He did his Bachelor’s Thesis with GRADIANT, focused on detection of cyber-attacks in industrial networks with Machine Learning techniques. He has worked at the atlanTTic research center as a researcher, dealing with natural language processing and text data analysis. In 2022 he re-joined GRADIANT as an Engineer-Researcher in Security and Privacy, within the Privacy & Security Analytics line, where he has done his Master’s Thesis on anomaly detection in time series through UEBA and LSTM neural networks. His main lines of work are applied machine learning, data analysis and software development.
The Metasploit Framework v6.4
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W304
The Metasploit Framework released version 6.4 earlier this year, including multiple improvements to Kerberos-related attack workflows. The latest changes added support for forging diamond and sapphire tickets, as well as dumping tickets from compromised hosts. Metasploit users can now exploit unconstrained delegation in Active Directory environments for privilege escalation, as well as use pass-the-ticket authentication for the Windows secrets dump module. These new Kerberos improvements increase the ways in which tickets can be forged, gathered, and used. Additionally, Metasploit has added support for new protocol-based sessions, allowing users to interact with targets without uploading payloads, thus increasing their evasive capabilities. These new sessions can be established to database, SMB and LDAP servers. Once opened, they enable users to interact and run post modules with them, all without running a payload on the remote host. Finally, version 6.4 includes a complete overhaul of how Metasploit handles its own DNS queries. These improvements ensure that users pivoting their traffic over compromised hosts are not leaking their queries and offer a high degree of control over how queries should be resolved. This demonstration will cover these latest improvements and show how the changes can be combined for new, streamlined attack workflows using the latest Metasploit release.
Links:
Project – https://github.com/rapid7/metasploit-framework
DEF CON Forums – https://forum.defcon.org/node/249628
People:
SpeakerBio: Jack Heysel, Senior Security Researcher at Rapid7
Jack Heysel is a Senior Security Researcher at Rapid7, where he contributes to and helps maintain the Metasploit Framework. Jack started at Rapid7 in 2016 working on their vulnerability management solution. He transitioned to the Metasploit team in 2021 and has been happily writing and reviewing exploits ever since. While AFK, Jack enjoys exploring the mountains and outdoors that surround his home.
SpeakerBio: Spencer McIntyre, Security Research Manager at Rapid7
Spencer McIntyre is a Security Research Manager at Rapid7, where he works on the Metasploit Framework. He has been contributing to Metasploit since 2010, a committer since 2014, and a core team member at Rapid7 since 2019. Previously, Spencer worked at a consulting firm working with clients from various industries, including healthcare, energy, and manufacturing. He is an avid open-source contributor and comic book reader.
The World Wide Paraweb
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W307
Paraweb empowers people to publish and surf invisibly on a World Wide Web without the telltale traffic patterns that can betray our use of Tor and VPNs to network monitors. Paraweb is a wide-area hypermedia information retrieval initiative that combines steganography and open Web 1.0-inspired protocols to hijack and embed itself as a parasitic communications network inside existing social network websites like Tumblr, Instagram, and Reddit. Paraweb publishers can steganographically encode HTML-based, para-hyperlinked sites within innocuous media, then post those media on social network sites indistinguishably from benign content creators. Paraweb surfers can traverse these media as benign social network users, decoding the contents of para-sites as they appear normally in their searches, traversals, and feeds. Paraweb traffic is designed to blend indistinguishably with normal Web 2.0 and social network traffic, enabling Paraweb netizens to “hide in plain sight.” Paraweb’s loose and open-source combination of steganography and web-based protocols extends the hard-shell defenses of the encrypted web to the realms of deniability and stealth.
Links:
DEF CON Forums – https://forum.defcon.org/node/249613
Project – https://www.paraweb.io/
People:
SpeakerBio: Nathan Sidles
Nathan Sidles is a person.
TheAllCommander 2.0
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W305
TheAllCommander is an open-source tool which offers red teams and blue teams a framework to rapidly prototype and model malware communications, as well as associated client-side indicators of compromise. The framework provides a structured, documented, and object-oriented API for both the client and server, allowing anyone to quickly implement a novel communications protocol between a simulated malware daemon and its command and control server. For Blue Teamers, this allows rapid modeling of emerging threats and comprehensive testing in a controlled manner to develop reliable detection models. For Red Teamers, this framework allows rapid iteration and development of new protocols and communications schemes with an easy-to-use Python interface. The framework has many tools and techniques used by red teams built in to allow out-of-the-box modeling, including emulated client browser HTTPS traffic, Remote Desktop tunneling, and UAC bypass.
Links:
DEF CON Forums – https://forum.defcon.org/node/249635
Project – https://github.com/matt-handy/TheAllCommander
People:
SpeakerBio: Matthew Handy, NASA
Matt Handy completed his BS in Computer Science at the University of Maryland, College Park (UMD) in 2010, and MS in CyberSecurity at Johns Hopkins in 2014. He has worked for NASA’s Goddard Space Flight Center doing satellite ground systems development since 2009. He has specialized in secure software systems development and has helped to develop several missions over the course of his career. In his off time, he enjoys doing independent security research and creating tools like TheAllCommander to help make a more secure cyber world.
Volatile Vault – Data Exfiltration in 2024
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W305
In red team operations, selecting the right tools for data exfiltration is critical, yet comes with obstacles such as triggering Data Exfiltration Prevention (DEP) systems. We present “Volatile Vault” as a solution, a custom-built platform tailored to evade DEP detection. Our tool encrypts the data on the client-side and then provides a modular approach for uploading said data. Some of the currently implemented upload strategies are chunked HTTP uploads to multiple domain fronted endpoints (AWS) or QUIC as an alternative protocol.
Links:
DEF CON Forums – https://forum.defcon.org/node/249605
Project – https://github.com/molatho/VolatileVault
People:
SpeakerBio: Moritz Laurin Thomas, Senior Red Team Security Consultant at NVISO ARES
Moritz is a senior red team security consultant at NVISO ARES (Adversarial Risk Emulation & Simulation). He focuses on research & development in red teaming to support, enhance and extend the team’s capabilities in red team engagements of all sorts. Before joining the offensive security community, Moritz worked on a voluntary basis as a technical malware analyst for a well-known internet forum with focus on evading detections and building custom exploits. When he isn’t infiltrating networks or exfiltrating data, he is usually knees deep in research and development, dissecting binaries and developing new tools.
SpeakerBio: Patrick Eisenschmidt, Red Team Lead at NVISO ARES
Patrick has gained extensive experience in the offensive security domain. Currently, he serves as the Red Team Lead at NVISO ARES (Adversarial Risk Emulation & Simulation). In this role, he supervises a team of operators and directs both high-profile Red Team operations and Tiber/TLPT Assessments. Beyond leadership, Patrick actively participates in crafting intricate spear phishing campaigns and boosts the Red Team’s effectiveness by developing and maintaining open-source methodologies and tools.
Vovk – Advanced YARA Rule Generator v2.0
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W304
Vovk is a toolset that can be used to create YARA rules. The Vovk DEF CON 2024 version will be released at DEF CON.
Links:
DEF CON Forums – https://forum.defcon.org/node/249634
Project – https://github.com/malienist/vovk
People:
SpeakerBio: Benjamyn Whiteman, Lead Analyst, Global CSOC at TikTok USDS
Benjamyn Whiteman has worked in the InfoSec industry for the past 7 years in roles that include Security Engineering, Forensics Analysis and Global CSIRTs. Ben regularly presents his research at internal company summits and security conferences. Ben has been training and mentoring new cyber security professionals for a few years now and also presented his research at HackSydney 2022 and 2023. Currently, Ben is part of the Global CSOC for TikTok USDS as the Lead Analyst in Sydney, Australia.
SpeakerBio: Vishal Thakur, Senior Director, Cyber Fusion Center at TikTok USDS
Vishal Thakur has worked in the information security industry for many years in hands-on technical roles, specializing in Incident Response with a heavy focus on Emerging Threats, Malware Analysis and Research. He has presented his research at international conferences (BlackHat, DEFCON, FIRST, SANS DFIR Summit) and has also run training/workshops at some of these conferences. Vishal is currently working as Senior Director, Cyber Fusion Center at TikTok USDS. In past roles, Vishal worked as a Senior Researcher at Salesforce, helping their Incident Response Centre with advanced threat analysis and developing DFIR tools, and has been a part of the Incident Response team at the Commonwealth Bank of Australia. For the past few years, Vishal has been involved in ML and AI security and has been researching this subject.
XenoboxX – Hardware Sandbox Toolkit
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W307
Malware frequently employs anti-VM techniques, which can vary in their difficulty to detect and counteract. While integrating anti-detection measures in our labs is a frequently used option, we should also consider using a real hardware sandbox, even if this sounds weird. By leveraging the awesome PCILeech project and DMA hardware access, XenoboxX provides a suite of tools for analysis tasks, such as dumping dynamically allocated memory and searching for IoCs. These tools allow us to inject code at kernel level through DMA, making detection significantly more challenging and giving a new perspective to the analysis.
Links:
Project – https://github.com/cecio
DEF CON Forums – https://forum.defcon.org/node/249619
People:
SpeakerBio: Cesare Pizzi, Security Researcher, Analyst, and Technology Enthusiast
Cesare Pizzi is a Security Researcher, Analyst, and Technology Enthusiast. Mainly focused on low-level programming, he has developed a lot of open-source software, sometimes hardware related (USBvalve) and sometimes not.
He also does a lot of reverse engineering. He likes to share his work when possible (at DEF CON, Insomni’hack, Nullcon, etc.). He is a contributor to several open-source security projects (Volatility, OpenCanary, PersistenceSniper, Speakeasy, CETUS, TinyTracer, etc.) and a CTF player.
Zip It Up, Sneak It In – Introduction of apkInspector
Demolabs DC Forum Page
Demolabs Map Page – LVCC West/Floor 3/W304
apkInspector is a tool designed to parse Android APKs and to uncover and decode the evasive tactics used by malware. It can decompress APK entries and extract detailed information such as entry names and sizes, making it easy to analyze the contents of an app. It also processes and decodes Android binary XML (AXML) files into a human-readable format, taking into account the evasion tactics malware may employ against standard parsers. apkInspector can also identify specific evasion techniques used by malware to bypass static analysis, providing crucial insight for security analysis. It is built to function both as a standalone command-line interface (CLI) for direct operations and as a library that can be integrated into other security tools, which makes it adaptable to a range of environments.
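An APK is a ZIP file, and the entry names and sizes described above live in two places: the central directory at the end of the file and a local file header in front of each entry's data. The added example below is not apkInspector's code; it walks both structures with `struct`, reports every field on which they disagree, and extracts each entry using the central directory values. The sample APK is constructed in memory, and the tampering applied to it (a rewritten local header) is one assumed evasion pattern chosen for illustration, not a technique the page attributes to any specific malware.

```python
"""APK (ZIP) structure check: walk the central directory, then the local file
header each entry points to, and report fields on which the two disagree.
Added example, not apkInspector's code; the sample APK is constructed here and
the tampering applied to it is one assumed evasion pattern, chosen for
illustration."""
import io
import struct
import zipfile
import zlib

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CEN_SIG = b"PK\x01\x02"    # central directory file header
LOC_SIG = b"PK\x03\x04"    # local file header

COMPARED = ("name", "method", "crc", "csize", "usize")


def parse_central_directory(data):
    """Return one dict per central directory entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, count, cd_size, cd_off, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    entries, pos = [], cd_off
    while pos < cd_off + cd_size:
        if data[pos:pos + 4] != CEN_SIG:
            raise ValueError("bad central directory signature at 0x%x" % pos)
        (_, _, _, method, _, _, crc, csize, usize, nlen, elen, clen,
         _, _, _, loc_off) = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        entries.append({"name": name, "method": method, "crc": crc, "csize": csize,
                        "usize": usize, "local_offset": loc_off})
        pos += 46 + nlen + elen + clen
    if len(entries) != count:
        raise ValueError("central directory entry count mismatch")
    return entries


def parse_local_header(data, off):
    """Return the local file header at off, plus where its data starts."""
    if data[off:off + 4] != LOC_SIG:
        raise ValueError("bad local header signature at 0x%x" % off)
    (_, _, method, _, _, crc, csize, usize,
     nlen, elen) = struct.unpack_from("<HHHHHIIIHH", data, off + 4)
    name = data[off + 30:off + 30 + nlen].decode("utf-8", "replace")
    return {"name": name, "method": method, "crc": crc, "csize": csize,
            "usize": usize, "data_offset": off + 30 + nlen + elen}


def inspect_apk(data):
    """Cross-check every entry and extract it using the central directory values.
    Returns (entries, findings); each entry gains a 'payload_ok' flag."""
    entries = parse_central_directory(data)
    findings = []
    for e in entries:
        loc = parse_local_header(data, e["local_offset"])
        for f in COMPARED:
            if loc[f] != e[f]:
                findings.append("%s: local header %s=%r differs from central directory %s=%r"
                                % (e["name"], f, loc[f], f, e[f]))
        if e["method"] not in (0, 8):
            findings.append("%s: unsupported compression method %d" % (e["name"], e["method"]))
        raw = data[loc["data_offset"]:loc["data_offset"] + e["csize"]]
        try:
            payload = raw if e["method"] == 0 else zlib.decompress(raw, -15)
            e["payload_ok"] = (len(payload) == e["usize"]
                               and zlib.crc32(payload) & 0xFFFFFFFF == e["crc"])
        except zlib.error:
            e["payload_ok"] = False
    return entries, findings


def build_sample_apk():
    """Constructed sample: a two-entry ZIP laid out like an APK, not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example.app'/>" * 4)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    return buf.getvalue()


def tamper_local_header(data, name):
    """Assumed evasion pattern: rewrite one entry's local header to claim a bogus
    compression method and uncompressed size while the central directory stays
    intact, so tools reading different structures see different files."""
    entry = next(e for e in parse_central_directory(data) if e["name"] == name)
    out = bytearray(data)
    off = entry["local_offset"]
    struct.pack_into("<H", out, off + 8, 0x1234)        # compression method field
    struct.pack_into("<I", out, off + 22, 0xFFFFFFFF)   # uncompressed size field
    return bytes(out)


if __name__ == "__main__":
    for label, apk in (("clean", build_sample_apk()),
                       ("tampered", tamper_local_header(build_sample_apk(), "classes.dex"))):
        entries, findings = inspect_apk(apk)
        print(label, [(e["name"], e["usize"], e["payload_ok"]) for e in entries])
        for line in findings:
            print("  !", line)
```

The point of the cross-check is that the tampered file still extracts correctly when the central directory is trusted, so a pipeline that only reads one structure may never notice; the mismatch itself is the signal worth alerting on.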
Links:DEF CON Forums – https://forum.defcon.org/node/249604
Project – https://github.com/erev0s/apkInspector
People:
SpeakerBio: Kaloyan Velikov
Kaloyan Velikov is a security professional who has been in the cybersecurity field for more than five years. While he is proficient in web application and network security pentesting, as well as various device assessments, in recent years he has been busy learning to test mobile applications and device configurations. This led to a more focused specialization in pentesting on both the Android and iOS platforms. He is always eager to try new tools and see how they can fit into the penetration testing playbook. Kaloyan is always up for a challenge, even if there is a skill gap and extra research is required to proceed. He also loves to share the knowledge he has obtained, because it is great to help each other succeed in our assignments.
SpeakerBio: Leonidas Vasileiadis
Meet Leonidas, an enthusiast in Android's security landscape, a physicist with a double master's in cybersecurity and over five years of dedicated cybersecurity experience. He's not just about flashy titles; he's got the certifications to prove he can push buttons and hack the world. Passionate about web and mobile security, he loves building solutions with code. He's a firm believer that sharing is caring and enjoys unraveling the complexities of cyber threats as much as he loves tackling riddles. Dive into his session to explore sneaky Android malware tricks, leaving equipped to spot and stop them like a pro.
