
DEF CON China 1.0 Hacking Conference

Demo Labs



Friday - 31 May, 2019

10:00 - 12:00
VoIPShark: Open Source VoIP Analysis Platform
Nishant Sharma, Jeswin Mathai, Ashish Bhangale

12:00 - 14:00
OSfooler
Jaime Sánchez "segofensiva"

14:00 - 16:00
From Zero Overhead to Many Vulnerabilities: Escalating Fuzzing Effectiveness and Efficiency with Intel PT
Dr. Xinyu Xing, Yaohui Chen, Dr. Jun Xu, Dr. Jimmy Su

Saturday - 01 June, 2019

10:00 - 12:00
VoIPShark: Open Source VoIP Analysis Platform
Nishant Sharma, Jeswin Mathai, Ashish Bhangale

12:00 - 14:00
OSfooler
Jaime Sánchez "segofensiva"

14:00 - 16:00
From Zero Overhead to Many Vulnerabilities: Escalating Fuzzing Effectiveness and Efficiency with Intel PT
Dr. Xinyu Xing, Yaohui Chen, Dr. Jun Xu, Dr. Jimmy Su

Sunday - 02 June, 2019

10:00 - 12:00
JTAGulator
Joe Grand "Kingpin"

12:00 - 14:00
OSfooler
Jaime Sánchez "segofensiva"

14:00 - 16:00
From Zero Overhead to Many Vulnerabilities: Escalating Fuzzing Effectiveness and Efficiency with Intel PT
Dr. Xinyu Xing, Yaohui Chen, Dr. Jun Xu, Dr. Jimmy Su

JTAGulator

Joe Grand (Kingpin)

JTAGulator is an open source hardware hacking tool that assists in identifying on-chip debug interfaces from test points, vias, component pads, or connectors on a circuit board.

Additional information:
http://www.jtagulator.com
http://www.grandideastudio.com/portfolio/jtagulator

On-chip debug (OCD) interfaces can provide chip-level control of a target device and are a primary vector used by engineers, researchers, and hackers to extract program code or data, modify memory contents, or affect device operation on-the-fly. Depending on the complexity of the target device, manually locating available OCD connections can be a difficult and time consuming task, sometimes requiring physical destruction or modification of the device.

JTAGulator is an open source hardware hacking tool that assists in identifying on-chip debug interfaces from test points, vias, component pads, or connectors on a circuit board. It currently supports the detection of JTAG and asynchronous serial/UART interfaces. The tool can save a significant amount of time during reverse engineering, particularly for those who don't have the resources required for traditional hardware reverse engineering processes, and bridges the gap between gaining physical access to circuitry and exploiting it.

JTAGulator continues to be updated with new features and functionality. The project welcomes feedback, contributions and pull requests from the community. JTAGulator hardware and core firmware are distributed under a Creative Commons Attribution 3.0 United States license (http://creativecommons.org/licenses/by/3.0/us/).

Supporting files, code, etc.: complete design details, documentation, presentations/videos, etc. are available at the project page above.

Target Audience: Hardware, Offense, Defense
Hardware hackers looking offensively for an entry point through which to compromise a hardware device. Engineers looking to defensively identify and classify their exposure by using the tool to test for open interfaces on their devices.

Joe Grand (@joegrand), also known as Kingpin, is a computer engineer, hardware hacker, DEFCON badge designer, teacher, advisor, runner, daddy, honorary doctor, TV host, member of legendary hacker group L0pht Heavy Industries, and the proprietor of Grand Idea Studio (grandideastudio.com). He has been creating, exploring, and manipulating electronic devices since the 1980s.

OSfooler

Jaime Sánchez aka segofensiva

Traditional methods to defeat OS fingerprinting in Linux were written as kernel modules, or at least as patches to the Linux kernel, like Honeyd, IP Personality, the Stealth Patch, Fingerprint ****er, IPlog... The reason is that if the aim is to change Linux TCP/IP stack behavior, it has to be done in the kernel layer. Most of these tools are old, do not work with current kernels, or can affect TCP/IP stack performance.

OSfooler was presented at Blackhat Arsenal 2013. It was built on NFQUEUE, an iptables/ip6tables target that delegates the decision on packets to a userspace program. It transparently intercepted all traffic that your box was sending in order to camouflage it, modifying in real time the TCP/IP header flags that reveal your system.

OSfooler-NG has been completely rewritten from the ground up. It is highly portable, more efficient, and combines all known techniques to detect and defeat at the same time:

  • Active remote OS fingerprinting: like Nmap or Xprobe
  • Passive remote OS fingerprinting: like p0f or pfSense
  • Commercial engines like Sourcefire's FireSiGHT OS fingerprinting

Some additional features are:

  • No need for kernel modification or patches
  • Simple user interface and several logging features
  • Transparent for users, internal process and services
  • Detecting and defeating modes: active, passive & combined
  • Will emulate any OS
  • Capable of handling updated Nmap and p0f fingerprint databases
  • Undetectable for the attacker
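To make concrete what the passive engines listed above key on, and therefore which header fields a tool like OSfooler has to rewrite in flight, here is an added example (not code from the OSfooler project): a small p0f-style classifier over TCP SYN attributes (initial TTL, window size, DF bit, TCP option order) and a rewrite step that shows the change from the sending side. The signature table and the sampled SYNs are constructed for illustration and are not the p0f or Nmap databases; `SynInfo`, `Signature`, `classify` and `rewrite_syn` are names chosen here.

```python
# Added example (not OSfooler code): p0f-style passive OS fingerprinting over
# TCP SYN attributes, and the in-flight header rewrite that defeats it.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SynInfo:
    """Fields of an observed TCP SYN that passive fingerprinters key on."""
    ttl: int                  # IP TTL as seen on the wire (decremented per hop)
    window: int               # TCP window size advertised in the SYN
    df: bool                  # IP Don't-Fragment bit
    options: Tuple[str, ...]  # TCP option order in the SYN


@dataclass(frozen=True)
class Signature:
    name: str
    initial_ttl: int
    window: int
    df: bool
    options: Tuple[str, ...]


# Constructed signature table (illustrative values, not p0f's database).
SIGNATURES = (
    Signature("linux-like", 64, 29200, True, ("MSS", "SACK", "TS", "NOP", "WS")),
    Signature("windows-like", 128, 64240, True, ("MSS", "NOP", "WS", "NOP", "NOP", "SACK")),
    Signature("bsd-like", 64, 65535, True, ("MSS", "NOP", "WS", "SACK", "TS")),
)

COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def guess_initial_ttl(observed_ttl: int) -> int:
    """Round the observed TTL up to the nearest common starting value."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    raise ValueError(f"TTL {observed_ttl} out of range")


def classify(syn: SynInfo) -> Tuple[Optional[str], int]:
    """Return (OS label, or None if nothing matches; estimated hop distance)."""
    initial = guess_initial_ttl(syn.ttl)
    hops = initial - syn.ttl
    for sig in SIGNATURES:
        if (sig.initial_ttl == initial and sig.df == syn.df
                and sig.window == syn.window and sig.options == syn.options):
            return sig.name, hops
    return None, hops


def rewrite_syn(syn: SynInfo, profile: Signature, hops: int = 0) -> SynInfo:
    """Rewrite the fingerprinted fields so a passive observer sees `profile`.

    This is the kind of header change an NFQUEUE-based tool applies to packets
    leaving the box; the TTL is offset by the real hop count so the observer's
    distance estimate stays consistent. Payload and connection state are untouched.
    """
    return SynInfo(ttl=profile.initial_ttl - hops, window=profile.window,
                   df=profile.df, options=profile.options)


# Constructed sample: SYNs as a sensor might record them from three hosts.
SAMPLE_SYNS: Dict[str, SynInfo] = {
    "10.0.0.5": SynInfo(61, 29200, True, ("MSS", "SACK", "TS", "NOP", "WS")),
    "10.0.0.9": SynInfo(127, 64240, True, ("MSS", "NOP", "WS", "NOP", "NOP", "SACK")),
    "10.0.0.12": SynInfo(240, 8192, False, ("MSS",)),
}


def report(samples: Dict[str, SynInfo]) -> Dict[str, Tuple[Optional[str], int]]:
    """Classify every sampled host; unknown stacks come back as None."""
    return {ip: classify(syn) for ip, syn in samples.items()}


if __name__ == "__main__":
    for ip, (label, hops) in report(SAMPLE_SYNS).items():
        print(f"{ip:<10} {label or 'unknown':<13} {hops} hop(s) away")
    disguised = rewrite_syn(SAMPLE_SYNS["10.0.0.5"], SIGNATURES[1], hops=3)
    print("after rewrite:", classify(disguised))
```

Running the script classifies the three constructed hosts and then shows the first one being classified as "windows-like" after the rewrite. Real engines look at more than these four fields (MSS-to-window ratios, IP ID behaviour, timestamps, and for active probes the replies to malformed packets), which is why the page lists active, passive and combined modes as separate problems: a rewrite that fixes the SYN but leaves the TTL/hop relation or the active-probe responses inconsistent is exactly what a careful sensor flags.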

Target Audience: Defense and Mobile

Jaime Sánchez (aka @segofensiva) has worked for over 20 years as a specialist advisor for large national and international companies, focusing on different aspects of security such as consulting, auditing, training, and ethical hacking techniques. He holds a Computer Engineering degree and an Executive MBA. In addition, he holds several certifications, like CISA, CISM and CISSP, just to name a few, and a NATO SECRET security clearance as a result of his role as advisor to many law enforcement organizations, banks and large companies in Europe and Spain.

He has spoken at renowned security conferences nationally and internationally, such as RootedCON, Nuit du Hack, Black Hat, Defcon, DerbyCON, NocOnName, Deepsec, Shmoocon and Cyber Defence Symposium, among others. As a result of his research, he has reported security findings and vulnerabilities to top companies and vendors, like Banco Popular, WhatsApp, Snapchat, Microsoft, Apple, etc.

He is a frequent contributor on TV (TVE, Cuatro, LaSexta, Telecinco), in the press (El Pais, El Mundo, LA Times, NBC News) and on radio programs, and writes a blog called 'SeguridadOfensiva'.

Twitter: @segofensiva
Website: https://www.seguridadofensiva.com
Tools: https://github.com/segofensiva

VoIPShark: Open Source VoIP Analysis Platform

Nishant Sharma, R&D Manager, Pentester Academy

Jeswin Mathai, Security Researcher, Pentester Academy

Ashish Bhangale, Senior Security Researcher, Pentester Academy

Leveraging the packet switched network for making phone calls, or VoIP, has come a long way. Today it has already replaced conventional circuit-switching telephony in large organizations and is now moving to capture non-commercial users. In this talk, we will focus on traffic-analysis based security analysis of SIP and RTP, which are among the most popular protocols for VoIP. These protocols are gaining new adopters at a high rate and are also replacing older protocols like H.323.

We will discuss VoIPShark, an open source VoIP analysis platform which allows people to analyze live or stored VoIP traffic, easily decrypt encrypted SRTP streams, perform macro analysis, generate summaries specific to VoIP traffic/nodes and export calls/SMS/DTMF in popular user-friendly file formats. We will also be releasing VoIPShark, a collection of Wireshark plugins written in Lua, under the GPL. VoIPShark is plug-n-play, easy to modify/extend and platform independent. We will also discuss the currently available open source tools for SRTP decryption, their shortcomings and how VoIPShark addresses them.

Nishant Sharma is an R&D Manager at Pentester Academy and Attack Defense. He is also the Architect at Hacker Arsenal, where he leads the development of multiple gadgets for WiFi pentesting such as WiMonitor, WiNX and WiMini. He also handles technical content creation and moderation for Pentester Academy TV. He has 6+ years of experience in the information security field, including 4+ years in WiFi security research and development. He has presented/published his work at Blackhat USA/Asia, Wireless Village, IoT Village and Demo Labs (DEFCON). Prior to joining Pentester Academy, he worked as a firmware developer at Mojo Networks, where he contributed to developing new features for enterprise-grade WiFi APs and maintaining the state-of-the-art WiFi Intrusion Prevention System (WIPS). He has a Master's degree in Information Security from IIIT Delhi. He has also published peer-reviewed academic research on HMAC security. His areas of interest include WiFi and IoT security, AD security, Forensics and Cryptography.

LinkedIn: https://www.linkedin.com/in/wifisecguy/
Twitter: @wifisecguy
Facebook: https://www.facebook.com/wifisecguy

Ashish Bhangale is a Senior Security Researcher at Pentester Academy and Attack Defense. He has 6+ years of experience in Network and Web Application Security. He has also worked with state law enforcement agencies in the capacity of a Digital Forensics Investigator and was instrumental in solving IT fraud/crime cases. He was responsible for developing and testing the Chigula (WiFi Forensics Framework) and Chellam (first pure WiFi Firewall) frameworks. He has also created and managed multiple projects like Vulnerable Web Application OSes, Vulnerable Router Project and Damn Vulnerable Wordpress. He has presented/published his work at Blackhat, Wireless Village, IoT Village and Demo Labs (DEFCON). His areas of interest include Forensics, WiFi and AD security.

Jeswin Mathai is a Researcher at Pentester Academy and Attack Defense. He has published his work at Blackhat Arsenal and Demo Labs (DEFCON). He has a Bachelor's degree from IIIT Bhubaneswar. He was the team lead at InfoSec Society IIIT Bhubaneswar in association with CDAC and ISEA, which performed security auditing of government portals and conducted awareness workshops for government institutions. He was also part of the team Pied Piper, which won Smart India Hackathon 2017, a national level competition organized by the GoI. His areas of interest include Malware Analysis and Reverse Engineering, Cryptography, WiFi security and Web Application Security.

LinkedIn: https://www.linkedin.com/in/jeswinmathai/
Twitter: @jeswinMathai
Facebook: https://www.facebook.com/jeswinMathai

From Zero Overhead to Many Vulnerabilities: Escalating Fuzzing Effectiveness and Efficiency with Intel PT

Dr. Xinyu Xing, Assistant Professor, Penn State University; Research Scientist, JD.com

Yaohui Chen, PhD student, Northeastern University's College of Computer and Information Science

Dr. Jun Xu, Assistant Professor, Stevens Institute of Technology

Dr. Jimmy Su, Head of security center, JD.com Silicon Valley

In practice, AFL typically exhibits high performance overhead, particularly when stress-testing target software without access to its source code. Given a commercial off-the-shelf (COTS) binary, AFL needs to perform black-box, on-the-fly instrumentation through a customized version of QEMU running in "user space emulation" mode. Despite the best efforts at systematic optimization, however, QEMU still incurs substantial overhead on binary-only fuzzing. According to the AFL white paper, the overhead of QEMU-based AFL is approximately 2-5x, which significantly surpasses that of fuzzing tasks performed through lightweight static instrumentation.

FAST-AFL is a new fuzzing tool that enhances performance for binary-only fuzzing. Technically speaking, the tool is designed and prototyped with Intel PT -- a newly available hardware feature -- along with a path-sensitive feedback scheme. With this hardware and software co-design principle, the tool can not only accelerate a binary-only fuzzing task by about 29x but, more importantly, explore deeper program behaviors.
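The reason a hardware tracer can stand in for QEMU's instrumentation is that AFL's feedback only needs to know which basic-block-to-basic-block edges an input executed and roughly how often. As an added example (not FAST-AFL or AFL code), here is a constructed block trace of the kind a tracer like Intel PT yields for an uninstrumented binary, turned into AFL-style edge coverage, and the check that decides whether an input is interesting enough to keep as a seed. The block addresses, the id assignment and the traces are constructed; `edge_coverage`, `bucket`, `has_new_bits` and `triage` are names chosen here, modelled on the AFL white paper's `prev_location ^ cur_location` edge hash and its hit-count buckets.

```python
# Added example (not AFL or FAST-AFL code): AFL-style edge coverage derived from a
# basic-block trace, the control-flow record a hardware tracer such as Intel PT
# provides for a binary that carries no compile-time instrumentation.
from typing import Dict, Iterable, List

MAP_SIZE = 1 << 16          # AFL's default shared coverage map size
_block_ids: Dict[int, int] = {}


def block_id(addr: int) -> int:
    """Assign each basic-block address a map id on first sight.

    AFL embeds a random id per block at compile time; a trace decoder only has
    addresses, so ids are derived here by a constructed spread (multiplicative
    hashing of the first-seen index) to keep them distinct for small traces.
    """
    if addr not in _block_ids:
        _block_ids[addr] = ((len(_block_ids) + 1) * 0x9E3779B1) & (MAP_SIZE - 1)
    return _block_ids[addr]


def edge_coverage(trace: Iterable[int]) -> Dict[int, int]:
    """Hit count per edge, keyed as AFL does: cur_id ^ (prev_id >> 1)."""
    counts: Dict[int, int] = {}
    prev = 0
    for addr in trace:
        cur = block_id(addr)
        edge = (cur ^ prev) & (MAP_SIZE - 1)
        counts[edge] = counts.get(edge, 0) + 1
        prev = cur >> 1   # the shift keeps A->B and B->A as distinct edges
    return counts


def bucket(count: int) -> int:
    """AFL's coarse hit-count buckets: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+."""
    if count >= 128:
        return 128
    if count >= 32:
        return 64
    if count >= 16:
        return 32
    if count >= 8:
        return 16
    if count >= 4:
        return 8
    return {1: 1, 2: 2, 3: 4}[count]


def has_new_bits(global_map: Dict[int, int], cov: Dict[int, int]) -> bool:
    """Merge one run's coverage into the global map; True if it added anything.

    An input is kept as a new seed when it hits an edge never seen before, or
    pushes a known edge into a hit-count bucket not seen before (for example a
    loop body that ran 3x where earlier inputs ran it once).
    """
    new = False
    for edge, count in cov.items():
        b = bucket(count)
        if not global_map.get(edge, 0) & b:
            global_map[edge] = global_map.get(edge, 0) | b
            new = True
    return new


def triage(traces: List[List[int]]) -> List[bool]:
    """Replay traces in order and report which inputs the fuzzer would keep."""
    global_map: Dict[int, int] = {}
    return [has_new_bits(global_map, edge_coverage(t)) for t in traces]


# Constructed traces: block entry addresses recorded for four inputs.
SAMPLE_TRACES = [
    [0x1000, 0x1010, 0x1020],                   # baseline path
    [0x1000, 0x1010, 0x1020],                   # same path again: nothing new
    [0x1000, 0x1030, 0x1020],                   # takes the other branch
    [0x1000, 0x1010, 0x1010, 0x1010, 0x1020],   # loop body repeats: new bucket
]

if __name__ == "__main__":
    for trace, keep in zip(SAMPLE_TRACES, triage(SAMPLE_TRACES)):
        print([hex(a) for a in trace], "-> keep" if keep else "-> discard")
```

The second trace is discarded and the third and fourth are kept, which is all the fuzzer's scheduler needs from the trace. The cost that separates the QEMU and PT approaches sits before this function: QEMU reaches `edge_coverage` by translating and executing every block in software, whereas a hardware tracer records the branch decisions at near-native speed and leaves only the decoding of that packet stream to be paid for, which is where the overhead figures quoted above come from.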

Dr. Xinyu Xing is an Assistant Professor at the Pennsylvania State University and is currently working at JD Inc. as a visiting researcher. His research interests include exploring, designing and developing tools to automate vulnerability discovery, failure reproduction, vulnerability diagnosis (and triage), and exploit and security patch generation. He has spoken at BlackHat USA, BlackHat Europe and many academic conferences (e.g., USENIX Security and CCS). He has also received best paper awards from academic conferences such as CCS and ACSAC. His work has been featured by many mainstream media outlets, such as Technology Review, New Scientist and the NYTimes. He was also the organizer of the NSA memory corruption forensics competition.

Yaohui Chen is a PhD student in the Computer System Security program at Northeastern University’s College of Computer and Information Science, advised by Professor Long Lu. Originally from Sanya, China, Chen earned his bachelor’s degree at Tongji University in Shanghai before coming to Northeastern, where he now works in Professor Lu’s Research in Software and Systems Security (RiS3) lab. Chen’s research centers on security in Android and Linux systems. One of Chen’s primary takeaways from his research thus far is the massive vulnerability that exists in cyberspace. By developing defense systems that help to prevent cyberattack, he hopes to address complex issues in system security and help to combat this vulnerability.

Dr. Jun Xu is an Assistant Professor in the Department of Computer Science at Stevens Institute of Technology. He received his PhD from Penn State University, with a focus on cyber security. His research spans the areas of software security, system security, and binary analysis. He has developed new methodologies and techniques for vulnerability finding, analysis, exploitation, and mitigation. His research has led to the discovery of hundreds of previously unknown security defects. Jun is a recipient of ACM CCS Outstanding Paper Award, Penn State Alumni Association Dissertation Award, and RSA Security Scholarship.

Dr. Jimmy Su leads the JD security research center in Silicon Valley. He joined JD in January 2017. Before joining JD, he was the director of advanced threat research at FireEye Labs. He led the research and development of multiple world-leading security products at FireEye, including network security, email security, mobile security, fraud detection, and endpoint security. He led a global team including members from the United States, Pakistan, and Singapore from research to product release on FireEye's first machine learning based malware similarity analysis cloud platform. This key technology advance was released on all core FireEye products including network security, email security, and mobile security. He won the Q2 2016 FireEye innovation award for his seminal work on similarity analysis. He earned his PhD degree in Computer Science at the University of California, Berkeley in 2010. After his graduation, he joined Professor Dawn Song's team as a postdoc focusing on similarity analysis of x86 and Android applications. In 2011, he joined Professor Song in the mobile security startup Ensighta, leading the research and development of the automatic malware analysis platform. Ensighta was acquired by FireEye in December of 2012, and he joined FireEye through the acquisition. The JD security research center in Silicon Valley focuses on seven areas: account security, APT detection, bot detection, data security, AI applications in security, Big Data applications in security, and IoT security.