DEF CON 26 Hacking Conference

Demo Labs

#WiFiCactus

Saturday 08/11/18 from 1000-1150 at Table One
Offense, defense, hardware

Mike Spicer

The newly upgraded #WiFiCactus for DEF CON 26 is a passive wireless monitoring backpack that listens to 60 channels of 2.4 and 5 GHz WiFi at the same time. New this year is the ability to capture 802.11ac traffic and upgrades that remove bandwidth bottlenecks. The tool uses Kismet to capture data from each radio and aggregates it into a single searchable web interface. It is also capable of identifying wireless threats, troubleshooting complex wireless environments and helping with correlation analysis between Bluetooth and WiFi.

http://palshack.org/the-hashtag-wifi-cactus-wificactus-def-con-25/

Mike Spicer
d4rkm4tter is a mad scientist who likes to hack hardware and software. He is particularly obsessed with wireless. He has a degree in computer science which he has put to use building and breaking a wide variety of systems.

ADRecon: Active Directory Recon

Saturday 08/11/18 from 1200-1350 at Table Six
Security professionals (Blue Team, Red Team), system administrators, etc.

Prashant Mahajan

ADRecon is a tool which extracts various artifacts (as highlighted below) out of an AD environment into a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis. The report can provide a holistic picture of the current state of the target AD environment. The tool is useful to various classes of security professionals such as system administrators, security professionals, DFIR, etc. It can also be an invaluable post-exploitation tool for a penetration tester. It can be run from any workstation that is connected to the environment, even hosts that are not domain members. Furthermore, the tool can be executed in the context of a non-privileged (i.e. standard domain user) account. Fine Grained Password Policy, LAPS and BitLocker may require privileged user accounts. The tool will use Microsoft Remote Server Administration Tools (RSAT) if available; otherwise it will communicate with the Domain Controller using LDAP.

The following information is gathered by the tool: Forest; Domain; Trusts; Sites; Subnets; Default Password Policy; Fine Grained Password Policy (if implemented); Domain Controllers, SMB versions, whether SMB Signing is supported and FSMO roles; Users and their attributes; Service Principal Names (SPNs); Groups and memberships; Organizational Units (OUs); ACLs for the Domain, OUs, Root Containers and GroupPolicy objects; Group Policy Object details; DNS Zones and Records; Printers; Computers and their attributes; LAPS passwords (if implemented); BitLocker Recovery Keys (if implemented); and GPOReport (requires RSAT).

https://github.com/sense-of-security/ADRecon

Prashant Mahajan
Prashant Mahajan is a Security Consultant at Sense of Security Pty Ltd. He has experience with various aspects of Information Security including penetration testing, vulnerability analysis, digital forensics and incident response. Prashant is a founding member of Null—The Open Security Community and frequent speaker at industry events.

Angad: A Malware Detection Framework using Multi-Dimensional Visualization

Saturday 08/11/18 from 1600-1750 at Table Two
Defense, Forensics, Network, Malware

Ankur Tyagi

Angad is a framework to automate classification of an unlabelled malware dataset using multi-dimensional modelling. The input dataset is analyzed to collect various attributes, which are then arranged in a number of feature vectors. These vectors are individually visualized, indexed and then queried for each new input file. Matching vectors are labelled according to their AV detection categories for now, but this could be changed to a heuristics approach if needed. If dynamic behavior or network traffic details are available, vectors are also converted into activity graphs that depict the evolution of activity over a predefined time scale. This results in an animation of a malware sample's or malware category's behavior traits and is also useful in identifying activity overlaps across the input dataset.

Malware detection is a challenging task as the landscape is ever-evolving. Every other day, a new variant of a known malware family is reported and signature-driven tools race against time to add detection. The process worsens when the rate of incoming samples is in the thousands per day, making static/dynamic analysis alone of no use.

Angad tries to address this issue by applying well-known data classification techniques to the malware domain. It tries to provide a familiar interface to the multi-dimensional modelling approach within a standalone package.

https://github.com/7h3rAm/angad

Ankur Tyagi
Ankur Tyagi is a Sr. Malware Research Engineer at Qualys Inc., where he analyzes malicious code and applies statistical modelling to identify suspicious patterns and evolving trends. His research interests include structural visualization techniques for classifying large collections of uncategorized samples. He has completed an MS in Software Systems with a focus on Applied Security.

Archery—Open Source Vulnerability Assessment and Management

Saturday 08/11/18 from 1000-1150 at Table Two
Offense

Anand Tiwari

Archery is an open source vulnerability assessment and management tool which helps developers and pentesters to perform scans and manage vulnerabilities. Archery uses popular open source tools to perform comprehensive scanning of web applications and networks. It also performs dynamic authenticated scanning of web applications and covers whole applications by using Selenium. Developers can also utilize the tool in their DevOps CI/CD environment.

https://github.com/archerysec/archerysec/

Anand Tiwari
Anand Tiwari is an information security professional with nearly 5 years of experience in offensive security, with expertise in Mobile and Web Application Security. He is currently working with Philips Healthcare on securing medical devices. He has authored Archery, an open source tool, and has presented at Black Hat Asia 2018. In his free time, he enjoys coding and experimenting with various open source security tools. Twitter handle: @anandtiwarics

BLEMystique—Affordable custom BLE target

Saturday 08/11/18 from 1200-1350 at Table Five
Attack and Defence

Nishant Sharma

Jeswin Mathai

BLEMystique is an ESP32-based custom BLE target which can be configured by the user to behave like one of multiple BLE devices. BLEMystique allows a pentester to play with the BLE side of different kinds of smart devices with a single affordable ESP32 chip. BLEMystique contains multiple device profiles, for example Smart Lock, Smart health band, Smart bulb, Heart rate monitor, Smart Bottle and more.

The BLEMystique code and manuals will be released to the general public. So, apart from using the pre-configured devices, users can also add support for devices of their choice and use their ESP32 board for target practice. In this manner, this tool can improve the overall experience of learning BLE pentesting.

Nishant Sharma
Nishant Sharma is a Technical Manager at Pentester Academy and Hacker Arsenal where he leads the development of multiple gadgets for WiFi pentesting such as WiMonitor, WiNX, WiMini and course/training content. He has presented/published his work at Blackhat Arsenal, Wireless Village, IoT village and Demo labs (DEFCON). Prior to joining Pentester Academy, he worked as a firmware developer at Mojo Networks where he contributed to developing new features for the enterprise-grade WiFi APs and maintaining the WIPS solution. He has a Master's degree in Information Security from IIIT Delhi. He has also published peer-reviewed academic research on HMAC security. His areas of interest include WiFi and IoT security, AD security, forensics and cryptography.

Jeswin Mathai
Jeswin Mathai is a Researcher at Pentester Academy. He has a Bachelor's degree from IIIT Bhubaneswar. He was the team lead at InfoSec Society IIIT Bhubaneswar in association with CDAC and ISEA, which performed security auditing of government portals and conducted awareness workshops for government institutions. He was also part of team Pied Piper, which won Smart India Hackathon 2017, a national level competition organized by GoI. His areas of interest include Malware Analysis and Reverse Engineering, Cryptography, WiFi security and Web Application Security.

boofuzz

Saturday 08/11/18 from 1600-1750 at Table Five
Vulnerability Analysis, AppSec, Offense.

Joshua Pereyda

boofuzz is an open source network protocol fuzzing framework, competing with closed source commercial products like Defensics and Peach.

Inheriting from the open source tools Spike and Sulley, boofuzz improves on a long line of block-based fuzzing frameworks.

The framework allows hackers to specify protocol formats, and boofuzz does the heavy lifting of generating mutations specific to the format. boofuzz makes developing protocol-specific "smart" fuzzers relatively easy. Make no mistake, designing a smart network protocol fuzzer is no trivial task, but boofuzz provides a solid foundation for producing quality fuzzers.

Written in Python, boofuzz builds on its predecessor, Sulley, with key features including:

  • Online documentation.
  • More extensibility including support for arbitrary communications mediums.
  • Built-in support for serial fuzzing, Ethernet- and IP-layer fuzzing, and UDP broadcast.
  • Much easier install experience!
  • Far fewer bugs.

https://github.com/jtpereyda/boofuzz

Joshua Pereyda
Joshua is a software engineer specializing in information and network security. He has worked in the critical infrastructure and cloud computing industries with employers heavily invested in software and hardware security. He currently hunts vulnerabilities full time. Among his passions are hacking, teaching kids to program, listening to upper-crust orchestral performances with his wife, and figuring out how he can get paid to do it all... legally.

CHIRON

Sunday 08/12/18 from 1000-1150 at Table Three
Defense

Rod Soto

Joseph Zadeh

Home-based open source network analytics and machine learning threat detection

CHIRON is a home analytics platform based on the ELK stack, combined with the machine learning threat detection framework AKTAION. CHIRON parses and displays data from p0f, Nmap, and Bro IDS. CHIRON is designed for home use and will give great visibility into home internet devices (IoT devices, computers, cellphones, tablets, etc.). CHIRON is integrated with AKTAION, which detects exploit delivery (ransomware/phishing).

https://github.com/jzadeh/chiron-elk

Rod Soto
Rod Soto is Director of Security Research at JASK.AI, founder of Pacific Hackers Conference and co-founder of Hack The Valley.

Joseph Zadeh
Joseph Zadeh is Director of Data Science at JASK.AI and co-founder of Hack The Valley.

Cloud Security Suite—One stop tool for AWS, GCP & Azure Security Audit

Saturday 08/11/18 from 1200-1350 at Table Two
Defense, Cloud professionals

Jayesh Singh Chauhan

Nowadays, cloud infrastructure is pretty much the de facto service used by large and small companies alike. Most organisations have partially or entirely moved to the cloud. With more and more companies moving to the cloud, the security of the cloud becomes a major concern. While AWS, GCP and Azure provide protection with traditional security methodologies and have a neat structure for authorisation/configuration, their security is only as robust as the person in charge of creating/assigning these configuration policies. We all know human error is inevitable, and any such human mistake could lead to catastrophic damage to the environment.

Knowing this, auditing cloud infrastructure becomes a hectic task! There are a few open source tools which help in cloud auditing, but none of them has an exhaustive checklist. Also, collecting and setting up all the tools and looking at different result sets is a painful task. Moreover, while maintaining big infrastructures, system audit of server instances is a major task as well.

CS Suite is a one-stop tool for auditing the security posture of AWS/GCP/Azure infrastructures, and it does OS audits as well. CS Suite leverages the capabilities of current open source tools and adds custom checks into one tool to rule them all.

https://github.com/SecurityFTW/cs-suite

Jayesh Singh Chauhan
Jayesh Singh Chauhan is a security professional with 7 years of experience in the security space. In the past, he has been part of the security teams of PayPal and PwC, and he currently works as the senior security engineer for Sprinklr. He has authored CS-Suite, OWASP Skanda, RFID_Cloner and CSRF PoC generator and has presented at BlackHat Asia, BlackHat EU, hackmiami, c0c0n, GES and Ground Zero Summit. He is the project leader for OWASP Skanda and leads the NULL Bangalore chapter.

Conformer

Sunday 08/12/18 from 1000-1150 at Table Six
Offense, AppSec

Mikhail Burshteyn

Conformer is a penetration testing tool, mostly used for external assessments, to perform password-based attacks against common web forms. Conformer was created from a need for password guessing against new web forms without having to do prior Burp work each time, and from wanting to automate such attacks. Conformer is modular, with many different parameters and options that can be customized to make for a powerful attack. Conformer has been used in countless assessments to obtain valid user credentials for accessing the internal environment through VPN, or other internal resources or data, to further the assessment.

https://github.com/mikhbur/conformer

Mikhail Burshteyn
Mikhail Burshteyn is a security consultant at CDW, performing penetration tests. Mikhail currently performs External, Internal, Wireless, and Social Engineering assessments, testing the capabilities of a wide range of clients and industries. He is interested in research in various security topics, including Networking, Web Apps, and Active Directory.

DejaVU—An Open Source Deception Framework

Sunday 08/12/18 from 1200-1350 at Table Three
Offense/Defense

Bhadreshkumar Patel

Harish Ramadoss

Deception techniques—if deployed well—can be very effective for organizations to improve network defense and can be a useful arsenal for blue teams to detect attacks at a very early stage of the cyber kill chain. But the challenge we have seen is deploying, managing and administering decoys across large networks. Although there are a lot of commercial tools in this space, we haven't come across open source tools which can achieve this.

With this in mind, we have developed DejaVu, an open source deception framework which can be used to deploy, configure and administer decoys centrally across the infrastructure. A web-based management console can be used by the defender to deploy multiple interactive decoys (HTTP servers, SQL, SMB, FTP, SSH, client side: NBNS) strategically across their network on different VLANs. The logging and alerting dashboard displays detailed information about the alerts generated and can be further configured to generate high-accuracy alerts and to define how these alerts should be handled.

Decoys can also be placed on the client VLANs to detect client-side attacks such as Responder/LLMNR attacks using client-side decoys. Additionally, services which adversaries commonly abuse for an initial foothold, such as Tomcat or SQL Server, can be deployed as decoys, luring the attacker and enabling detection.

https://github.com/bhdresh/Dejavu

Bhadreshkumar Patel
Bhadreshkumar Patel is a Reverse Engineer by nature and Security Specialist/Pentester by profession with 10 years of experience on the offensive and defensive sides of security. He likes to code, break stuff and play with controllers. He got lucky in finding zero days in Facebook, NGFW, wireless routers, HMS etc. DejaVu is Bhadresh's first conference submission, but not his first contribution to the security community.

Harish Ramadoss
Harish Ramadoss has over seven years of experience in the offensive security space, focusing on application and infrastructure security assessments. He has led large-scale penetration testing engagements for various clients across Finance, Government and Defense.

EAPHammer

Saturday 08/11/18 from 1400-1550 at Table One
Offensive security professionals, red teamers, penetration testers, researchers.

Gabriel Ryan

EAPHammer is a toolkit for performing targeted evil twin attacks against WPA2-Enterprise networks. It is designed to be used in full scope wireless assessments and red team engagements. As such, focus is placed on providing an easy-to-use interface that can be leveraged to execute powerful wireless attacks with minimal manual configuration. To illustrate how fast this tool is, here's an example of how to set up and execute a credential stealing evil twin attack against a WPA2-EAP network in just two commands:

# generate certificates
./eaphammer --cert-wizard

# launch attack
./eaphammer -i wlan0 --channel 4 --auth wpa --essid CorpWifi --creds

EAPHammer’s userbase has doubled since its debut in early 2017, and the project has matured substantially to meet this demand. It is now the first rogue AP attack tool to offer out-of-the-box support for attacks against 802.11n/ac. Most of the added complexity associated with these protocols is managed automatically by EAPHammer.

We’ve also added some cool features like Hashcat support, Karma, and SSID cloaking, as well as an extended UI and config management system for advanced users who require granular control over their rogue access points.

To check out the codebase, head to https://github.com/s0lst1c3/eaphammer

Gabriel Ryan
Gabriel Ryan is a penetration tester and researcher with a passion for wireless and infrastructure testing. He currently serves as co-founder and managing security consultant for Digital Silence, a Denver-based consulting firm that specializes in impact-driven testing and red team engagements. Prior to joining Digital Silence, Gabriel worked as a penetration tester for security services firm Gotham Digital Science as well as OGSystems, a Virginia-based geospatial intelligence contractor. On the side, he serves as a member of the BSides Las Vegas senior staff, coordinating wireless security for the event. In his spare time, he enjoys writing music and riding motorcycles.

Expl-iot—IoT Security Testing and Exploitation framework

Sunday 08/12/18 from 1200-1350 at Table Two
IoT testers, pentesters, IoT developers, offense, hardware

Aseem Jakhar

Expl-iot is an open source, flexible and extendable framework for IoT security testing and exploitation. It will provide the building blocks for writing exploits and other IoT security assessment test cases with ease. Expl-iot will support most IoT communication protocols, firmware analysis, hardware interfacing functionality and test cases that can be used from within the framework to quickly map and exploit an IoT product or IoT infrastructure. It will help the security community in writing quick IoT test cases and exploits. The objectives of the framework are:

  • Ease of use
  • Extendability
  • Support for hardware, radio and IoT protocol analysis

We released the Expl-iot Ruby version in 2017. Once we started implementing hardware and radio functionality, we realized that Ruby does not have much support for hardware and radio analysis, which led us to deprecate it and re-write it in Python to support more functionality. We are currently working on the Python 3 version and will release it in a month. The new beta release is envisioned to have support for UART (serial), ZigBee, BLE, MQTT, CoAP (the next version will have support for JTAG, I2C and SPI) and a few miscellaneous test cases.

https://bitbucket.org/aseemjakhar/expliot_framework

Aseem Jakhar
Aseem Jakhar is the Director of Research at Payatu Software Labs http://payatu.com, a boutique security testing company specializing in IoT, embedded, cloud and mobile security testing. He is the founder of null-The open security community, a registered not-for-profit organization http://null.co.in, and also the founder of the nullcon security conference http://nullcon.net and the hardwear.io security conference. He has worked on various security software including UTM appliances, messaging/security appliances, an anti-spam engine, anti-virus software and a Bayesian engine, to name a few. He currently spends his time researching IoT security and hacking things. He is an active speaker and trainer at security conferences like AusCERT, Black Hat, Brucon, Defcon, Hack.lu, Hack in Paris, Hack In The Box, PHDays and many more. He has authored various open source security software including

  • ExplIoT: IoT Exploitation Framework
  • DIVA Android (Damn Insecure and Vulnerable App)
  • Jugaad/Indroid: Linux thread injection kit for x86 and ARM
  • Dexfuzzer: Dex file format fuzzer

firstorder

Saturday 08/11/18 from 1000-1150 at Table Three
Offense

Utku Sen

Gozde Sinturk

Perimeter defenses play an important role in computer security. However, when we look at the methods of APT groups, a single spear-phishing email is usually enough to gain a foothold on the network. Therefore, red teams are mostly focused on "assume breach" type scenarios. In these scenarios, testers need to use a post-exploitation framework. Besides that, testers also need to hide the server-agent communication from NIDS (Network Intrusion Detection Systems). firstorder is designed to help Empire's C2-agent communication evade anomaly-based intrusion detection systems. It takes a traffic capture file (pcap) of the network and tries to identify the normal traffic profile. Based on the results, it creates an Empire HTTP listener with appropriate options.

Utku Sen
Utku Sen is a security researcher who is mostly focused on the following areas: application security, network security and tool development. He presented his tool, Leviathan Framework, at Black Hat USA Arsenal and DEF CON Demo Labs in 2017. He was also nominated for a Pwnie Award in the "Best Backdoor" category in 2016. He currently works at Tear Security.

Gozde Sinturk
Gozde Sinturk is a Security Researcher and Python Developer who has been involved in projects related to machine learning, natural language processing, and big data. She is developing security tools in her current position. She currently works at Tear Security.

GreyNoise

Saturday 08/11/18 from 1200-1350 at Table Three
Defenders, blue teamers, SOC and network analysts

Andrew Morris

GreyNoise is a system that collects all of the background noise of the Internet. Using a large network of geographically and logically dispersed passive collector nodes, GreyNoise collects, labels, and analyzes all of the omnidirectional, indiscriminate Internet-wide scan and attack traffic. GreyNoise data can be used to filter pointless alerts in the SOC, identify compromised devices, pinpoint targeted reconnaissance, track emerging threats, and quantify vulnerability weaponization timelines.

https://greynoise.io/

Andrew Morris
Andrew Morris is the founder of GreyNoise Intelligence, a DC-based cyber security company, and likely holds the world record for the amount of time spent staring at Internet-wide scan traffic. Prior to founding GreyNoise, Andrew worked as a researcher, red team operator, and consultant for several large cyber security firms including Endgame, NCC Group, and KCG. Outside of work, Andrew enjoys playing fingerstyle acoustic guitar and tries to figure out what his dreams mean.

GyoiThon

Sunday 08/12/18 from 1000-1150 at Table Two
Offense

Isao Takaesu

Masuya Masafumi

Toshitsugu Yoneyama

GyoiThon is a fully automated penetration testing tool against web servers. GyoiThon nondestructively identifies the software installed on a web server (OS, middleware, framework, CMS, etc.) using multiple methods such as machine learning, Google Hacking and pattern matching. After that, GyoiThon executes valid exploits for the identified software. Finally, GyoiThon generates a report of the scan results. GyoiThon executes the above processing fully automatically.

GyoiThon consists of three engines:

  • Software analysis engine:
    It identifies software based on the HTTP response obtained by normal access to the web server, using both machine learning-based and signature-based methods. In addition, it uses Google Hacking.
  • Vulnerability determination engine:
    It collects vulnerability information corresponding to the software identified by the software analysis engine. It then executes an exploit corresponding to the vulnerability of the software and checks whether the software is affected by the vulnerability.
  • Report generation engine:
    It generates a report that summarizes the risks of the vulnerabilities and the countermeasures.

Traditional penetration testing tools are very inefficient because they execute all signatures. On the other hand, GyoiThon is very efficient because it executes only valid exploits for the identified software. As a result, the user's burden will be greatly reduced, and GyoiThon will greatly contribute to the security improvement of many web servers.

https://github.com/gyoisamurai/GyoiThon

Isao Takaesu
Isao Takaesu is working at Mitsui Bussan Secure Directions, Inc. as a security engineer and researcher. In the past, he found numerous vulnerabilities in clients' servers and proposed countermeasures to those clients. He believes there are more to find and wants to find vulnerabilities efficiently. Therefore, he is focusing on artificial intelligence technology and developing a fully automated penetration testing tool using machine learning.

Masuya Masafumi
Masafumi Masuya is a security engineer at Mitsui Bussan Secure Directions, Inc. He loves network security assessment, and has found many vulnerabilities in various enterprise servers. He is always thinking about methods to perform network security assessment efficiently, even while sleeping. He especially loves cURL and the Japanese word 'Gyoi'. "Gyoi" means that there is nothing you cannot do!

Toshitsugu Yoneyama
Toshitsugu Yoneyama is a Security Researcher and Manager at Mitsui Bussan Secure Directions, Inc. He has reported several vulnerabilities in Juniper, Nessus, Amazon, Apache and various routers. He participated alone in Hack2win, a hacking competition at CodeBlue 2017, where he pwned several devices by remote attack and got the 3rd prize.

Halcyon IDE

Saturday 08/11/18 from 1000-1150 at Table Six
Offense, Defense, AppSec, Network Security, Nmap Scanners & Developers

Sanoop Thomas

Halcyon IDE lets you quickly and easily develop Nmap scripts for performing advanced scans on applications and infrastructures, with a wide range of capabilities from recon to exploitation. It is the first IDE released exclusively for Nmap script development. Halcyon IDE is a free and open source project (and always will be) released under the MIT license to provide an easier development interface for the rapidly growing information security community around the world. The project was initially started as an evening free-time "coffee shop" project and has since become a serious commitment for its developer and contributors, who spend dedicated time on its improvement very actively. More information and source code: https://halcyon-ide.org

https://halcyon-ide.org

Sanoop Thomas
Sanoop Thomas (@s4n7h0) is a seasoned security professional with a diverse background in consulting, teaching, research and product-based industries, and a passion for solving complex security problems. Today, Sanoop works as an information security specialist focusing on application security and secure coding. His fields of interest include reverse engineering, malware analysis, application security and automating security pentest/analysis methodologies. He moderates the null open community chapter in Singapore and has organised over 60 events and workshops to spread security awareness across the country. Sanoop is also the author of Halcyon IDE (https://halcyon-ide.org), an IDE focused on developing Nmap scripts. He has spoken at security conferences like Nullcon, OWASP India, HITBGSEC, Rootcon, and Blackhat Arsenal.

HealthyPi—Connected Health

Saturday 08/11/18 from 1400-1550 at Table Four
Hardware and biohacking

Ashwin K Whitchurch

We (at ProtoCentral) developed the HealthyPi HAT for the Raspberry Pi as a way of opening up healthcare and open source medical hardware to anyone. The HealthyPi is made of the same "medical-grade" components found in regular vital sign monitors, for a fraction of the cost of such systems. This is our way of democratizing medical hardware to develop new areas of research.

Our objective when we began developing the HealthyPi was to make a vital sign monitoring system that is simple, affordable, open-source (important!) and accessible. HealthyPi is completely open-source and is our way of "hacking" patient monitoring systems: getting the data that you need, in the way that you need it, and extending on that without getting involved in sticky proprietary NDAs and such.

*Demo will allow people to come, check out and play with (and possibly hack) the HealthyPi device while getting their vital signs monitored.*

https://github.com/Protocentral/protocentral-healthypi-v3

Ashwin K Whitchurch
Ashwin K Whitchurch is the CEO of ProtoCentral (Circuitects Electronics Solutions Pvt Ltd), based out of Bangalore in India. The company makes, sells and supports open source hardware products, most of them for healthcare and medical applications. Ashwin has published research papers, book chapters and reviews in well-known international journals and conferences. ProtoCentral (and Ashwin) has been present at many hardware gatherings including Maker Faire (New York & Rome), Hackaday Superconference and OSHWA Summit, and has given talks on his projects with open source hardware.

Honeycomb—An extensible honeypot framework

Saturday 08/11/18 from 1600-1750 at Table Three
Incident Responders, Security Researchers, Developers

Omer Cohen

Imri Goldberg

We present Honeycomb—A repository of honeypot services and integrations for the information security community. Our vision: Honeycomb will be the pip or apt-get for honeypots.

While working hard to create various honeypots for several high profile vulnerabilities, we realized we were repeating some of the underlying work that’s involved in creating a honeypot—a useful honeypot is easy to deploy and configure, and collects and reports data. We have these capabilities in Cymmetria’s commercial deception product, but we wanted to open source this functionality to the community so everyone could benefit from it.

Eventually came the idea for honeycomb—an extensible platform for writing honeypots which comes with a repository of useful honeypots which makes it super easy to create new honeypots. Honeycomb and the honeypot repository together form a powerful tool for security professionals looking to gain threat intelligence on the latest threats.

We are currently in the process of finalizing the release of the project and working on releasing additional plugins. Join us to learn how to utilize existing honeycomb capabilities as well as writing honeypot services and integrations on your own!

https://github.com/Cymmetria/honeycomb

Omer Cohen
As an experienced Incident Response investigator and team leader, Omer has a wealth of knowledge and experience in the areas of cyber security, security research, software development and system administration, as well as network architecture and design. Omer has delivered and implemented numerous projects involving cutting edge technologies for multiple security related applications, in addition to providing accurate and appropriate information security consulting and incident response services to Fortune 500 companies and other leading organizations. Omer currently manages Customer Success in EMEA and APAC at Demisto, the leading Security Orchestration, Automation and Response (SOAR) solution provider.

Imri Goldberg
An experienced technical entrepreneur, Imri has significant experience in development, architecture and security. Before joining Cymmetria as VP R&D, Imri was the founder & CTO of Desti, a travel startup that was acquired by Nokia-HERE in 2014. Today Imri serves as the CTO of Cymmetria, heading innovation and research and working on product and architecture. Cymmetria is the leading Cyber Deception vendor with its main product MazeRunner® used by Fortune 500 companies in multiple verticals including finance, insurance, health, government, retail, etc.

Back to top



ioc2rpz

Saturday 08/11/18 from 1400-1550 at Table Three
Defence/Network security

Vadim Pavlov

DNS is the control plane of the Internet. Usually DNS is used for good, but:

  • It can be used to track users' locations and behaviour;
  • Malware uses DNS for command and control, data exfiltration or traffic redirection;
  • According to the 2016 Cisco Annual Security Report, 91.3% of malware uses DNS;
  • Advertising companies usually serve ads from separate, obscure domains;
  • Public resolvers (e.g. 1.1.1.1, 8.8.8.8, 9.9.9.9) can address some of these concerns, but you cannot define your own protection settings or ad filters.

ioc2rpz is a custom DNS server which automatically converts indicators (e.g. malicious FQDNs and IPs) from various sources into RPZ (Response Policy Zone) feeds and keeps them updated. The feeds can be distributed to any open source or commercial DNS server that supports RPZ, e.g. ISC BIND or PowerDNS. You can run your own DNS server with RPZ filtering on a router, desktop, server and even an Arduino; system memory is the only limitation.

With ioc2rpz you can define your own feeds and actions, and so prevent undesired communications.
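To show what the conversion from indicators to an RPZ feed actually produces, here is an added Python example (not ioc2rpz's own code, which is a full DNS server): it parses a small, constructed indicator list, encodes each entry as an RPZ trigger using the ISC BIND RPZ rules, and renders a complete zone file. The feed contents, the zone name rpz.local and the SOA/NS values are assumptions for illustration.

```python
import ipaddress
import time

# Constructed sample indicator feed (not a real feed): one indicator per line,
# '#' comments and blank lines allowed, as most plain-text feeds look.
SAMPLE_FEED = """
# domain indicators
malware.example
*.c2.example
# IP and network indicators
203.0.113.7
198.51.100.0/24
2001:db8::1
"""

# RPZ expresses the policy action as the trigger record's RDATA (ISC BIND RPZ rules).
ACTIONS = {
    "nxdomain": "CNAME .",              # answer NXDOMAIN
    "nodata": "CNAME *.",               # answer NODATA (empty answer)
    "passthru": "CNAME rpz-passthru.",  # allow-list: return the real answer
    "drop": "CNAME rpz-drop.",          # send no response at all
}


def parse_feed(text):
    """Yield ('ip', cidr) or ('fqdn', name) for each indicator line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ipaddress.ip_network(line, strict=False)
            yield "ip", line
        except ValueError:
            yield "fqdn", line.rstrip(".").lower()


def ip_trigger(cidr):
    """Encode an address or prefix as an rpz-ip trigger owner name:
    <prefixlen>.<octets or hextets reversed>.rpz-ip, with '::' written as 'zz' for IPv6."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4:
        labels = str(net.network_address).split(".")
    else:
        comp = net.network_address.compressed
        if "::" in comp:
            left, right = comp.split("::")
            labels = (left.split(":") if left else []) + ["zz"] + (right.split(":") if right else [])
        else:
            labels = comp.split(":")
    return f"{net.prefixlen}.{'.'.join(reversed(labels))}.rpz-ip"


def build_rpz_zone(zone, indicators, action="nxdomain", serial=None, ttl=60):
    """Render a complete RPZ zone file: SOA, NS and one trigger record per indicator.
    QNAME triggers also get a wildcard so subdomains of a blocked name are caught."""
    rdata = ACTIONS[action]
    serial = serial if serial is not None else int(time.time())
    lines = [
        f"$TTL {ttl}",
        f"$ORIGIN {zone}.",
        f"@ IN SOA localhost. hostmaster.{zone}. {serial} 3600 900 1209600 {ttl}",
        "@ IN NS localhost.",
    ]
    for kind, value in indicators:
        if kind == "ip":
            lines.append(f"{ip_trigger(value)} {rdata}")
        else:
            lines.append(f"{value} {rdata}")
            if not value.startswith("*."):
                lines.append(f"*.{value} {rdata}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_rpz_zone("rpz.local", parse_feed(SAMPLE_FEED), serial=2018081101))
```

Loading the output into BIND takes a `zone "rpz.local" { type master; file "..."; };` entry plus `response-policy { zone "rpz.local"; };` in the options block; a feed served by ioc2rpz is consumed the same way, except that the zone is of type slave and pulled by zone transfer. Remember that a QNAME trigger such as `malware.example` matches only that exact name, which is why the example emits the wildcard alongside it.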

https://github.com/Homas/ioc2rpz

Vadim Pavlov
Vadim Pavlov is passionate about traveling, learning foreign and programming languages, writing scripts and software, integrating solutions, and interacting with colleagues and customers to solve complex problems. As a truly lazy person, Vadim wants to automate all routine.

Vadim has 15+ years of IT experience; the last 5 years he spent at Infoblox, where he became an expert in DNS and DNS security: he did research, wrote articles, created custom DNS servers, built Infoblox's DNS Data Exfiltration (Infiltration) Demo and Security Assessment portals, and created integrations with security solutions. He holds a master's degree with honors in Computer Science (Software Development) from a university in Russia.

Back to top



LHT (Lossy Hash Table)

Saturday 08/11/18 from 1400-1550 at Table Six
Offense

Steve Thomas

Cracks passwords or keys from a small key space near-instantly, where "small" means a few trillion keys (40+ bits). It costs about 3 bytes per key, and a lookup usually takes under 100 ms. The largest known deployment (built with a different, less efficient program) is 160 TB. It is assumed that people are running similar tables to attack brain wallets.
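To make the size/speed trade-off concrete, here is an added toy implementation of the lossy hash table idea in Python (not Steve Thomas's code; the parameters, the use of SHA-256 as the target hash and the 16-bit key space are assumptions chosen so it runs in seconds): every key in the space is hashed once, and only part of the key is stored in the slot its hash selects. A later key hashing to the same slot overwrites the earlier one, which is where the loss comes from. At lookup time the missing key bits are brute-forced and verified against the target hash, which is what keeps the per-key storage at a few bytes while keeping lookups to a handful of hash computations.

```python
import hashlib
from array import array

KEY_BITS = 16      # toy key space of 2**16 keys (the real tool targets about 40 bits)
INDEX_BITS = 16    # 2**16 slots: one slot per key on average
STORED_BITS = 10   # key bits kept per slot; the other 6 are brute-forced at lookup
EMPTY = 0xFFFFFFFF  # sentinel for a never-written slot


def H(key):
    """Stand-in for the hash that protected the keys (assumption: SHA-256 over 5-byte keys)."""
    return hashlib.sha256(key.to_bytes(5, "big")).digest()


def slot_of(digest):
    """Table index taken from the hash, so the table can be queried with only the hash."""
    return int.from_bytes(digest[:4], "big") & ((1 << INDEX_BITS) - 1)


def build_table():
    """Precompute: hash every key and store its low STORED_BITS in the slot its hash selects.
    A later key landing on an occupied slot overwrites it: this is the 'lossy' part.
    (A 4-byte array is used for simplicity; a packed table would use STORED_BITS per slot.)"""
    table = array("I", [EMPTY]) * (1 << INDEX_BITS)
    for key in range(1 << KEY_BITS):
        table[slot_of(H(key))] = key & ((1 << STORED_BITS) - 1)
    return table


def crack(table, target):
    """Lookup: read the partial key, brute-force the missing high bits, verify against the hash."""
    partial = table[slot_of(target)]
    if partial == EMPTY:
        return None
    for high in range(1 << (KEY_BITS - STORED_BITS)):
        cand = (high << STORED_BITS) | partial
        if H(cand) == target:
            return cand
    return None  # the slot was overwritten by a colliding key: this key is lost


def success_rate(table, sample):
    """Fraction of sampled keys the table can still recover from their hash."""
    hits = sum(1 for k in sample if crack(table, H(k)) == k)
    return hits / len(sample)


if __name__ == "__main__":
    t = build_table()
    print("recovered:", crack(t, H(12345)))
    print("success rate:", round(success_rate(t, range(0, 1 << KEY_BITS, 97)), 3))
```

With as many slots as keys, roughly 63% of keys (1 - 1/e) survive the overwrites; a larger table raises the success rate at the cost of memory, and storing fewer key bits per slot shrinks memory at the cost of more brute-force work per lookup. Building the table is the expensive, one-time part (every key must be hashed once); the lookup cost does not grow with the key space, which is why a 40-bit table answers in milliseconds.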

https://tobtu.com/lhtcalc.php

Steve Thomas
Steve specializes in crypto and password research. Steve was one of the panelists for the Password Hashing Competition. "I do stuff... sometimes." Like PAKE to HSM, or finding bugs in the Signal Protocol, CryptoCat, Adobe ColdFusion 9's password encryption key generator, and password hashing functions (MySQL323 meet-in-the-middle attack, XSHA1 [Blizzard's old hash function], etc.).

Back to top



Local Sheriff

Saturday 08/11/18 from 1000-1150 at Table Five
Target audience: AppSec, code assessment and privacy researchers.

Konark Modi

Think of Local Sheriff as a reconnaissance tool in your browser for gathering information about what companies know about you. While you browse the internet as usual, it works in the background and helps you identify which sensitive information (PII: name, date of birth, email, passwords, passport number, auth tokens) is being shared or leaked, to which third parties, and by which websites.

The issues that Local Sheriff helps identify:

  • What sensitive information is being shared, and with which parties?
  • What companies are behind these third parties?
  • What can they do with this information? E.g. de-anonymize users on the internet, create shadow profiles.

Local Sheriff can also be used by organizations to audit:

  • Which third parties are in use on their websites.
  • Whether those third parties are integrated in a way that respects users' privacy, so that sensitive data is not leaked to them.

Local Sheriff is a web extension that can be used with Chrome, Opera and Firefox.
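The core check such an extension performs, as an added example in Python rather than the extension's own JavaScript: given the PII values the user has typed and a list of outgoing requests, report every third-party request that carries one of those values in plain, percent-encoded, base64 or hashed form. The PII values, the requests, and the host names are constructed for the demo; the two-label "registrable domain" shortcut is a simplification of what a real tool should do with the Public Suffix List.

```python
import base64
import hashlib
from urllib.parse import unquote, urlsplit

# Constructed PII values (not real); an extension learns these from what the user
# types into forms and from cookies or local storage.
PII = {"email": "alice@example.org", "dob": "1990-04-12", "passport": "X1234567"}

# Constructed outgoing requests in the shape a webRequest listener sees them.
REQUESTS = [
    {"first_party": "shop.example", "url": "https://shop.example/api/profile",
     "body": '{"email":"alice@example.org"}'},                         # first party: fine
    {"first_party": "shop.example",
     "url": "https://tracker.example/pixel?uid=" + base64.b64encode(b"alice@example.org").decode(),
     "body": ""},                                                     # base64 email to a tracker
    {"first_party": "shop.example",
     "url": "https://analytics.example/c?e=" + hashlib.md5(b"alice@example.org").hexdigest(),
     "body": ""},                                                     # hashed email: still linkable
    {"first_party": "shop.example", "url": "https://cdn.example/lib.js?dob=1990%2D04%2D12",
     "body": ""},                                                     # percent-encoded date of birth
]

HEX_ENCODINGS = ("md5", "sha1", "sha256")


def encodings(value):
    """The representations of a value a third party is likely to receive."""
    raw = value.encode()
    return {
        "plain": value,
        "base64": base64.b64encode(raw).decode(),
        "base64url": base64.urlsafe_b64encode(raw).decode().rstrip("="),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


def registrable(host):
    """Crude eTLD+1 (last two labels); real tooling should use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def find_leaks(requests, pii):
    """Report each third-party request carrying a PII value in any known encoding."""
    leaks = []
    for req in requests:
        host = urlsplit(req["url"]).hostname or ""
        if registrable(host) == registrable(req["first_party"]):
            continue  # same site as the page: not a third party
        # Search the raw and the percent-decoded URL and body.
        hay = "\n".join([req["url"], unquote(req["url"]), req["body"], unquote(req["body"])])
        hay_lower = hay.lower()
        for field, value in pii.items():
            for enc, needle in encodings(value).items():
                # hex digests are case-insensitive; base64 and plain text are not
                hit = needle in hay_lower if enc in HEX_ENCODINGS else needle in hay
                if hit:
                    leaks.append({"third_party": host, "field": field, "encoding": enc})
                    break
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(REQUESTS, PII):
        print(leak)
```

The hashed case is the one people tend to dismiss: an MD5 or SHA-1 of an email address is a stable identifier that the tracker can match against the same hash collected elsewhere, so it still answers the "de-anonymize users" question above.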

https://github.com/cliqz-oss/local-sheriff

Konark Modi
Konark works as a tech lead at Cliqz GmbH, developing a privacy-focused search engine and browser. He works on projects ranging across privacy by design, anonymous data collection (Human Web), anti-tracking, etc.

Prior to Cliqz, Konark worked on the data platform and security team at one of the largest e-commerce websites in India (MakeMyTrip.com), solving interesting challenges related to DWH, BI and data security.

His recent personal projects, undertaken to help organizations fix vulnerabilities, have spanned browsers, health trackers, government services, travel mobile apps, etc.

Konark has been a speaker and presenter at numerous international conferences.

Blog: https://medium.com/@konarkmodi

Back to top



nzyme

Sunday 08/12/18 from 1000-1150 at Table One
Defense, RF, WiFi/802.11

Lennart Koopmann

Detecting attackers who use WiFi as a vector is hard because of security weaknesses inherent in the 802.11 protocol, and because near-perfect spoofing of WiFi-enabled devices has become a commodity capability.

Security professionals work around this by treating WiFi traffic as insecure and encrypting data at higher layers of the protocol stack. Sophisticated attackers do not limit their efforts to jamming or tapping wireless communication; they use deception techniques to trick the human operators of WiFi devices into revealing secrets. The attacks possible once a user has been convinced to connect to a rogue access point under the attacker's control range from DNS spoofing to crafted captive portals used for classic phishing.

This is why the new nzyme release introduces its own set of WiFi deception techniques. It turns the tables and attempts to trick attackers into attacking our own simulated wireless infrastructure, which resembles realistic clients and access points. Together with the general collection of all 802.11 management frames already offered in the existing release, nzyme now forwards all relevant communication to and from our decoy transceivers to a log management system such as Graylog for analysis and alerting. This combination lets attackers reveal themselves by leaving easy-to-identify traces during all exploitation phases.

Applying WiFi deception to defensive perimeters gives the blue team a chance to reveal, delay, and condition attackers.
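The alerting logic that makes decoys useful, as an added Python example (not nzyme's code, which is Java): the decoys have no legitimate users and never send deauthentication frames, so any beacon advertising a decoy SSID from a foreign BSSID, any deauth involving a decoy, and any association attempt against a decoy is attacker activity by construction. The decoy inventory and the captured management frames are constructed for the demo; the GELF wrapper targets Graylog's GELF 1.1 input format.

```python
# Constructed decoy inventory: the SSIDs and BSSIDs our simulated access points advertise
# and the MAC addresses of our simulated clients. None of these are real devices.
DECOY_APS = {"00:11:22:33:44:01": "corp-guest", "00:11:22:33:44:02": "corp-wifi"}
DECOY_CLIENTS = {"00:11:22:33:55:01", "00:11:22:33:55:02"}

# Constructed 802.11 management frames, reduced to the fields that matter here
# (a monitor-mode capture would fill them from the frame header and tagged parameters).
FRAMES = [
    {"subtype": "beacon", "src": "00:11:22:33:44:01", "dst": "ff:ff:ff:ff:ff:ff",
     "bssid": "00:11:22:33:44:01", "ssid": "corp-guest"},            # our own decoy beacon
    {"subtype": "beacon", "src": "de:ad:be:ef:00:01", "dst": "ff:ff:ff:ff:ff:ff",
     "bssid": "de:ad:be:ef:00:01", "ssid": "corp-guest"},            # evil twin of a decoy SSID
    {"subtype": "deauth", "src": "00:11:22:33:44:02", "dst": "00:11:22:33:55:01",
     "bssid": "00:11:22:33:44:02"},                                  # forged deauth against a decoy client
    {"subtype": "assoc_req", "src": "de:ad:be:ef:00:02", "dst": "00:11:22:33:44:01",
     "bssid": "00:11:22:33:44:01", "ssid": "corp-guest"},            # someone tries to join a decoy
    {"subtype": "probe_resp", "src": "00:11:22:33:44:02", "dst": "00:11:22:33:55:02",
     "bssid": "00:11:22:33:44:02", "ssid": "corp-wifi"},             # decoy talking to decoy: normal
]


def analyze(frames, decoy_aps=DECOY_APS, decoy_clients=DECOY_CLIENTS):
    """Return one alert per frame that touches the decoy infrastructure the way only an attacker would."""
    decoy_ssids = set(decoy_aps.values())
    alerts = []
    for f in frames:
        st = f["subtype"]
        if st in ("beacon", "probe_resp") and f.get("ssid") in decoy_ssids and f["bssid"] not in decoy_aps:
            # Someone else advertises a name only our decoys use: evil twin.
            alerts.append({"alert": "evil_twin", "ssid": f["ssid"], "bssid": f["bssid"]})
        elif st in ("deauth", "disassoc") and (f["src"] in decoy_aps or f["dst"] in decoy_clients):
            # Decoys never deauthenticate anyone: the sender address is spoofed.
            alerts.append({"alert": "forged_deauth", "src": f["src"], "dst": f["dst"]})
        elif st in ("auth", "assoc_req", "reassoc_req") and f["bssid"] in decoy_aps and f["src"] not in decoy_clients:
            # Nobody legitimate joins a decoy network.
            alerts.append({"alert": "decoy_join_attempt", "client": f["src"], "bssid": f["bssid"]})
    return alerts


def to_gelf(alert, host="nzyme-sensor-1"):
    """Wrap an alert as a GELF 1.1 message; custom fields must carry a leading underscore."""
    msg = {"version": "1.1", "host": host, "level": 4,
           "short_message": f"wifi deception: {alert['alert']}"}
    msg.update({f"_{k}": v for k, v in alert.items()})
    return msg


if __name__ == "__main__":
    for alert in analyze(FRAMES):
        print(to_gelf(alert))
```

The value of the decoy approach is visible in how short the rules are: because no legitimate traffic should ever involve the decoys, the detections need no baselining and no thresholds, unlike anomaly rules over a production SSID.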

https://wtf.horse/2017/10/02/introducing-nzyme-wifi-802-11-frame-recording-and-forensics/

Lennart Koopmann
Born and raised in Germany, Lennart founded the open source log management project Graylog in 2009 and has since then worked with many organizations on log management and security-related projects. He has an extensive background in software development and architecture. There is a high chance that you will meet Lennart at a LobbyCon somewhere in the country. Once he ran a marathon but was not very fast.

Back to top



GUI Tool for OpenC2 Command Generation

Sunday 08/12/18 from 1200-1350 at Table Six
Defense

Efrain Ortiz

The tool is a stand-alone, self-service web application that graphically represents all of the evolving OpenC2 commands, allowing OpenC2 application developers to click and generate OpenC2 commands. It makes it extremely easy for even beginners to work on creating OpenC2 commands. The tool provides the OpenC2 command output as JSON and as curl, Node.js and Python code, so it can be easily integrated into incident response or orchestration platforms.
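As an added example (not the demo tool's code), here is the shape of what such a generator produces, in Python: build one command, validate it against the OpenC2 vocabulary, and emit it as JSON plus curl and Python snippets. The action and target vocabularies follow the OpenC2 Language Specification v1.0, which was finalized after this demo, so the draft the tool tracked may have differed; the SLPF actuator, the HTTPS content type, the target address and the URL are assumptions for illustration.

```python
import json
import shlex

# Vocabulary from the OpenC2 Language Specification v1.0 (a subset).
ACTIONS = {"scan", "locate", "query", "deny", "contain", "allow", "start", "stop",
           "restart", "cancel", "set", "update", "redirect", "create", "delete",
           "detonate", "restore", "copy", "investigate", "remediate"}
TARGET_TYPES = {"artifact", "command", "device", "domain_name", "email_addr", "features",
                "file", "ipv4_net", "ipv6_net", "ipv4_connection", "ipv6_connection",
                "iri", "mac_addr", "process", "properties", "uri"}
RESPONSE_TYPES = {"none", "ack", "status", "complete"}
CONTENT_TYPE = "application/openc2-cmd+json;version=1.0"  # assumption: OpenC2 HTTPS transfer spec


def make_command(action, target, args=None, actuator=None, command_id=None):
    """Build and validate an OpenC2 command: one action, exactly one target, optional args."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    if len(target) != 1:
        raise ValueError("a command has exactly one target")
    (ttype,) = target
    if ttype not in TARGET_TYPES:
        raise ValueError(f"unknown target type: {ttype}")
    cmd = {"action": action, "target": target}
    if args:
        rr = args.get("response_requested")
        if rr is not None and rr not in RESPONSE_TYPES:
            raise ValueError(f"bad response_requested: {rr}")
        cmd["args"] = args
    if actuator:
        cmd["actuator"] = actuator
    if command_id:
        cmd["command_id"] = command_id
    return cmd


def to_json(cmd):
    return json.dumps(cmd, separators=(",", ":"), sort_keys=True)


def to_curl(cmd, url):
    """A curl invocation an analyst can paste; shlex.quote keeps the JSON body intact."""
    return (f"curl -X POST {shlex.quote(url)} -H {shlex.quote('Content-Type: ' + CONTENT_TYPE)}"
            f" --data {shlex.quote(to_json(cmd))}")


def to_python(cmd, url):
    """Equivalent Python (requests) snippet for an orchestration playbook."""
    return ("import requests\n"
            f"resp = requests.post({url!r}, data={to_json(cmd)!r},\n"
            f"                     headers={{'Content-Type': {CONTENT_TYPE!r}}})\n"
            "print(resp.status_code, resp.text)\n")


# Example: tell a packet-filter actuator to block a constructed C2 address for ten minutes
# (duration is in milliseconds in v1.0).
BLOCK_C2 = make_command(
    "deny", {"ipv4_net": "203.0.113.7/32"},
    args={"duration": 600000, "response_requested": "complete"},
    actuator={"slpf": {}}, command_id="example-0001")

if __name__ == "__main__":
    print(to_json(BLOCK_C2))
    print(to_curl(BLOCK_C2, "https://fw.example/openc2"))
    print(to_python(BLOCK_C2, "https://fw.example/openc2"))
```

The "exactly one target" rule and the closed set of response types are the checks a click-to-generate UI enforces for free and a hand-written playbook tends to get wrong.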

https://github.com/netcoredor/openc2-cmdgen

Efrain Ortiz
Efrain is a Director in the Office of the CTO at Symantec Corporation. Prior to his Director role, he worked 15 years as a field pre-sales systems engineer. Efrain started his digital life on a TRS-80 Color Computer II in the 1980s. Previous to his 15 years at Symantec, he worked in various roles, from pen testing to network and systems administration. His current favorite project is working on the OpenC2 language specification.

Back to top



Orthrus

Saturday 08/11/18 from 1000-1150 at Table Four
InfoSec

Nick Sayer

Orthrus is a small appliance that allows the user to create a cryptographically secured USB volume from two microSD cards. The data on the two cards is encrypted with AES-256 in XEX mode, and all of the key material used to derive the volume key is spread between the two cards. There are no passwords to manage. If you have both cards, you have everything. If you have only one, you have half the data, encrypted with a key you cannot reconstruct. This allows for "two-man control" over a dataset. Orthrus itself has no keys of its own, and a volume created or written with one Orthrus can be used with any other (or with anything else that implements the open Orthrus specification). Orthrus is open source hardware and firmware.

https://hackaday.io/project/20772-orthrus

Nick Sayer
Nick Sayer has been a software developer for most of his life and has spent the last ten years specializing in his day job on security and cryptography. He recently rediscovered the hardware hobby he abandoned in his teens and has a store on Tindie full of his creations, all of which are open.

Back to top



PA Toolkit—Wireshark plugins for Pentesters

Saturday 08/11/18 from 1600-1750 at Table Six
Defence

Nishant Sharma

Jeswin Mathai

PA Toolkit is a collection of traffic analysis plugins that extend Wireshark from a micro-analysis tool and protocol dissector into a macro-level analyzer and threat-hunting tool. PA Toolkit contains plugins (both dissectors and taps) covering various scenarios for multiple protocols, including:

  • WiFi (WiFi network summary; detecting beacon floods, deauth floods, evil twins, etc.)
  • VoIP (overview of extensions and servers; detecting INVITE floods, MESSAGE floods and SIP auth brute-forcing; decrypting encrypted VoIP conversations)
  • HTTP (listing all visited websites, downloaded files and streamed files; detecting HTTP tunnels)
  • HTTPS (listing all websites opened over HTTPS; detecting self-signed certificates)
  • ARP (MAC-IP table; detecting MAC spoofing and ARP poisoning)
  • DNS (listing DNS servers used and DNS resolutions; detecting DNS tunnels)

The key advantage of PA Toolkit is that any user can review a security-related summary and detect common attacks just by running Wireshark, on the platform of their choice. And since the project is open source and written in the newbie-friendly Lua language, one can easily extend the existing plugins or reuse the code to write new ones.
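Taking the DNS tunnel item from the list above, here is the detection logic such a tap implements, as an added Python example over a constructed query log rather than PA Toolkit's Lua: a tunnel shows up as one registrable domain receiving many unique, long, high-entropy subdomain labels at a high rate, usually in TXT or NULL queries. The log lines, the thresholds and the two-label "registrable domain" shortcut are assumptions for the demo.

```python
import base64
import hashlib
import math
from collections import defaultdict

# Constructed query log: (timestamp, client_ip, qname, qtype). Ordinary lookups of
# example.com, then 30 queries that look like a tunnel under exfil.example.
QUERIES = [
    (0.0, "10.0.0.5", "www.example.com", "A"),
    (1.0, "10.0.0.5", "mail.example.com", "A"),
    (2.0, "10.0.0.5", "cdn.example.com", "AAAA"),
]
for i in range(30):
    chunk = base64.b32encode(hashlib.sha256(str(i).encode()).digest()).decode().lower().rstrip("=")
    QUERIES.append((5.0 + i * 0.2, "10.0.0.9", f"{chunk}.t.exfil.example", "TXT"))


def shannon_entropy(s):
    """Bits per character; random base32/base64 labels score far above words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable(qname):
    """Crude eTLD+1 (last two labels); use the Public Suffix List in real tooling."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def profile_domains(queries):
    """Aggregate per registrable domain the signals a tunnel leaves behind."""
    def fresh():
        return {"subdomains": set(), "entropies": [], "label_lengths": [],
                "txt_null": 0, "total": 0, "first": None, "last": None}
    prof = defaultdict(fresh)
    for ts, _client, qname, qtype in queries:
        dom = registrable(qname)
        p = prof[dom]
        sub = qname[: -len(dom) - 1] if len(qname) > len(dom) else ""
        p["subdomains"].add(sub)
        if sub:
            first_label = sub.split(".")[0]  # the leftmost label carries the payload
            p["entropies"].append(shannon_entropy(first_label))
            p["label_lengths"].append(len(first_label))
        p["txt_null"] += qtype in ("TXT", "NULL")
        p["total"] += 1
        p["first"] = ts if p["first"] is None else min(p["first"], ts)
        p["last"] = ts if p["last"] is None else max(p["last"], ts)
    return prof


def detect_tunnels(queries, min_unique=20, min_entropy=3.5, min_label=30, min_rate=1.0):
    """Flag domains with many unique, long, high-entropy subdomains queried quickly.
    Each signal alone is noisy (CDNs, AV signature lookups); requiring all of them is not."""
    flagged = {}
    for dom, p in profile_domains(queries).items():
        if not p["entropies"]:
            continue
        unique = len(p["subdomains"])
        mean_entropy = sum(p["entropies"]) / len(p["entropies"])
        mean_label = sum(p["label_lengths"]) / len(p["label_lengths"])
        rate = p["total"] / max(p["last"] - p["first"], 1e-9)
        if unique >= min_unique and mean_entropy >= min_entropy and mean_label >= min_label and rate >= min_rate:
            flagged[dom] = {"unique_subdomains": unique, "mean_entropy": round(mean_entropy, 2),
                            "mean_label_length": round(mean_label, 1),
                            "queries_per_second": round(rate, 2),
                            "txt_null_share": round(p["txt_null"] / p["total"], 2)}
    return flagged


if __name__ == "__main__":
    print(detect_tunnels(QUERIES))
```

Before acting on a hit, check the domain against an allow-list of services that legitimately encode data in labels (anti-virus cloud lookups and some CDNs do), which is the usual source of false positives for this heuristic.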

Nishant Sharma
Nishant Sharma is a Technical Manager at Pentester Academy and Hacker Arsenal, where he leads the development of multiple gadgets for WiFi pentesting, such as WiMonitor, WiNX and WiMini, and of course/training content. He has presented and published his work at Black Hat Arsenal, Wireless Village, IoT Village and DEF CON Demo Labs. Prior to joining Pentester Academy, he worked as a firmware developer at Mojo Networks, where he contributed to developing new features for enterprise-grade WiFi APs and maintaining the WIPS solution. He has a master's degree in Information Security from IIIT Delhi. He has also published peer-reviewed academic research on HMAC security. His areas of interest include WiFi and IoT security, AD security, forensics and cryptography.

Jeswin Mathai
Jeswin Mathai is a Researcher at Pentester Academy. He has a bachelor's degree from IIIT Bhubaneswar. He was the team lead at InfoSec Society IIIT Bhubaneswar in association with CDAC and ISEA, which performed security auditing of government portals and conducted awareness workshops for government institutions. He was also part of team Pied Piper, which won Smart India Hackathon 2017, a national-level competition organized by the Government of India. His areas of interest include malware analysis and reverse engineering, cryptography, WiFi security and web application security.

Back to top



Passionfruit

Sunday 08/12/18 from 1000-1150 at Table Five
iOS reverse engineers, mobile security researchers

Zhi Zhou

Yifeng Zhang

Passionfruit is a cross-platform analysis tool for iOS apps. It aims to provide a powerful and user-friendly GUI for app pentesting and reverse engineering. In this demo we'll cover the most common tasks in iOS RE, like dumping decrypted App Store apps, exploring the filesystem and other runtime introspection.

https://github.com/chaitin/passionfruit

Zhi Zhou
Zhi Zhou is a security engineer at AntFinancial LightYear Lab, who mainly focuses on applied software security on both mobile and desktop platforms. He has been working on black-box assessment, vulnerability exploitation and new attack surface discovery. He was a speaker at Black Hat USA 2017.

Yifeng Zhang
Yifeng Zhang is a penetration tester at Chaitin Tech, working in mobile security and financial malware. He is dedicated to developing security tools that make pen-testing more efficient and effective.

Back to top



PCILeech

Sunday 08/12/18 from 1000-1150 at Table Four
Offense, Hardware, DFIR

Ulf Frisk

Ian Vitek

The PCILeech direct memory access attack toolkit was presented at DEF CON 24 and quickly became popular amongst red teamers and governments alike. Hardware sold out, FPGA support was introduced and devices are once again available! We will demonstrate how to take total control of still vulnerable systems via PCIe DMA code injection. Kernels will be subverted, full disk encryption defeated and shells spawned! Processes will be enumerated and their virtual memory abused—all by using affordable hardware and the open source PCILeech toolkit.

http://github.com/ufrisk/pcileech

Ulf Frisk
Ulf Frisk is a hacker/penetration tester working in the Swedish financial sector. Ulf focuses on penetration testing and IT security audits during the daytime and low-level security research at night. Ulf takes a special interest in DMA (direct memory access) and has a dark past as a developer.

Ian Vitek
Ian Vitek has a background as a pentester but now works in information security in the Swedish financial sector. Ian has presented at DEF CON 8, 10 and 12 and at BSidesLV, and over the last few years has attended as a DEF CON DJ (VJ Q.Alba). Interested in web, layer 2, DMA and PIN bypass attacks.

Back to top



Sh00t—An open platform for manual security testers & bug hunters

Saturday 08/11/18 from 1400-1550 at Table Two
AppSec, Mobile and Offensive security

Pavan Mohan

An open platform for bug hunters emphasizing on manual security testing.

Sh00t is a dynamic task manager that replaces the simple text editors or generic task management tools that are NOT meant for security testing. It provides checklists for security testing and helps with reporting through custom bug templates.

Sh00t is most useful for pen testers, bug bounty hunters, security researchers and anybody who loves bugs!

Written in Python and powered by the Django web framework.

Pavan Mohan
Pavan, aka pavanw3b, is a Senior Security Engineer at ServiceNow. He is one of the core members of the null security community, Hyderabad chapter. He participates in bug bounty programs in his free time and has made it into the halls of fame of several companies.

Back to top



Swissduino—Stealthy USB HID Networking & Attack

Saturday 08/11/18 from 1600-1750 at Table Four
Offense

Mike Westmacott

The Swissduino is a set of tools on an Arduino Yún that allow binaries to be uploaded to target systems remotely via a USB HID keyboard, and then provide TCP connectivity between the remote attacker system and the target purely through USB HID. The demonstration shows a Metasploit Meterpreter stub being uploaded and then actively used without triggering anti-virus (on a Windows 7 host…). New for 2018 (in development): an expanded toolset that allows password extraction at login, automated installation of the toolkit on Windows 10 with anti-malware and a local firewall enabled, and targeting of Linux.

Github: https://github.com/drwesty/swissduino

Mike Westmacott
Mike works for Thales Cyber & Consulting at the technical end of the cyber security practice and operates broadly on the same basis as an attacker. He has conducted over one hundred penetration tests and audits against a wide variety of systems and targets, combined with activities such as secure code review, reverse engineering and wireless assessment. Mike has worked as a CREST Certified Network Intrusion Analyst and has performed breach assessments in a number of different industry sectors including finance, engineering and government. He has managed and delivered a CVI (Cyber Vulnerability Investigation) for the UK MOD in the first of a series of industry-delivered assessments.

He has provided incident response training at board level in the form of desktop scenarios with red and blue teams engaged in a fictitious cyber-attack. This has proven to be an excellent tool for extracting tactics, forming future strategies, and educating participants.

Mike founded a volunteer group in BCS (The Chartered Institute for IT) to introduce IT practitioners to the information security industry, has presented at a government select committee and has taken part in numerous senior panels at industry and government events. He has also written articles for well-known industry publications including ITnow, Computer Weekly and InfoSecurity Magazine.

Prior to working in information security Mike worked as an application support analyst on a financial trading platform and later an enterprise succession planning system. Before this Mike gained his PhD in Computer Vision at the University of Southampton.

Back to top



trackerjacker

Saturday 08/11/18 from 1200-1350 at Table One
Offensive and Defensive Wireless Hackers

Caleb Madrigal

trackerjacker is a new WiFi tool that lets you (a) see all WiFi devices and the networks they are connected to, along with how much data they have sent, how close they are, etc., and (b) look for interesting traffic patterns and trigger arbitrary actions based on them. The "mapping" functionality is a bit like nmap for WiFi: it lists all nearby WiFi networks and, under each, all the clients connected to it. The "trigger" functionality lets users express rules like "if this device sends more than 10000 bytes in 30 seconds, do something". It also includes a powerful Python plugin system that makes it simple to write plugins for rules like "if I see an Apple device with a power level greater than -40 dBm, deauth it". If you want to do any sort of WiFi recon, monitoring or hacking, trackerjacker will almost certainly make the job easier!
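The two rule types quoted above, as an added Python example of how such triggers are evaluated over a stream of frame observations (this is not trackerjacker's plugin API, just the same logic written stand-alone): a sliding window of bytes per source address for the "more than N bytes in T seconds" rule, and an OUI lookup plus RSSI threshold for the "vendor device closer than X" rule, each with a cooldown so a chatty device does not fire the action every frame. The frames and the OUI-to-vendor table are constructed; real tooling would fill them from a monitor-mode capture and the IEEE OUI registry.

```python
from collections import defaultdict, deque

# Constructed vendor table keyed by OUI (first three octets). The OUI below is a
# placeholder, not a real IEEE assignment.
OUI_VENDORS = {"aa:bb:cc": "ExampleVendor"}


def oui_vendor(mac):
    return OUI_VENDORS.get(mac.lower()[:8], "unknown")


class ByteRateTrigger:
    """Fire when one device sends more than `threshold` bytes within any `window_s` seconds."""

    def __init__(self, threshold, window_s, cooldown_s=60.0):
        self.name = f"bytes>{threshold}/{window_s}s"
        self.threshold, self.window_s, self.cooldown_s = threshold, window_s, cooldown_s
        self.history = defaultdict(deque)  # mac -> (ts, bytes) observations inside the window
        self.last_fired = {}

    def feed(self, frame):
        mac, ts = frame["src"], frame["ts"]
        q = self.history[mac]
        q.append((ts, frame["bytes"]))
        while q and q[0][0] < ts - self.window_s:  # expire observations older than the window
            q.popleft()
        total = sum(b for _, b in q)
        if total > self.threshold and ts - self.last_fired.get(mac, float("-inf")) >= self.cooldown_s:
            self.last_fired[mac] = ts
            return {"bytes_in_window": total}
        return None


class ProximityTrigger:
    """Fire when a device from `vendor` is seen stronger than `min_rssi_dbm`."""

    def __init__(self, vendor, min_rssi_dbm, cooldown_s=60.0):
        self.name = f"{vendor} rssi>{min_rssi_dbm}dBm"
        self.vendor, self.min_rssi, self.cooldown_s = vendor, min_rssi_dbm, cooldown_s
        self.last_fired = {}

    def feed(self, frame):
        mac, ts, rssi = frame["src"], frame["ts"], frame.get("rssi")
        if rssi is None or oui_vendor(mac) != self.vendor or rssi <= self.min_rssi:
            return None
        if ts - self.last_fired.get(mac, float("-inf")) < self.cooldown_s:
            return None
        self.last_fired[mac] = ts
        return {"rssi": rssi, "vendor": self.vendor}


class Monitor:
    """Runs every trigger over every frame; the returned events are where an action would attach."""

    def __init__(self, triggers):
        self.triggers = triggers

    def feed(self, frame):
        fired = []
        for t in self.triggers:
            detail = t.feed(frame)
            if detail is not None:
                fired.append({"trigger": t.name, "mac": frame["src"], "ts": frame["ts"], **detail})
        return fired

    def run(self, frames):
        return [event for frame in frames for event in self.feed(frame)]


# Constructed frame observations (ts in seconds, bytes per frame, RSSI in dBm).
FRAMES = [
    {"ts": 0.0, "src": "11:22:33:44:55:66", "bytes": 3000, "rssi": -70},
    {"ts": 10.0, "src": "11:22:33:44:55:66", "bytes": 3000, "rssi": -70},
    {"ts": 20.0, "src": "11:22:33:44:55:66", "bytes": 3000, "rssi": -70},
    {"ts": 25.0, "src": "11:22:33:44:55:66", "bytes": 3000, "rssi": -70},  # 12000 B within 30 s: fires
    {"ts": 40.0, "src": "11:22:33:44:55:66", "bytes": 3000, "rssi": -70},  # still over, but in cooldown
    {"ts": 41.0, "src": "aa:bb:cc:00:00:01", "bytes": 100, "rssi": -35},   # vendor device up close: fires
    {"ts": 42.0, "src": "aa:bb:cc:00:00:01", "bytes": 100, "rssi": -33},   # in cooldown
]


def demo():
    mon = Monitor([ByteRateTrigger(10000, 30), ProximityTrigger("ExampleVendor", -40)])
    return mon.run(FRAMES)


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The cooldown is the part people forget: without it, a device that stays above the threshold fires on every subsequent frame, and an attached action such as a deauth turns into a continuous flood.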

https://github.com/calebmadrigal/trackerjacker

Caleb Madrigal
Caleb is a programmer who enjoys hacking and mathing. He is a member of the Mandiant/FireEye applied research team, where he researches and builds sweet incident response software. Recently, he's mostly been hacking with Python, Jupyter, C, and Machine Learning. Though only recently getting into the security space professionally, Caleb has been into security for a while—in high school, he wrote his own (bad) cryptography and steganography software. In college, he did a good bit of "informal pen testing". These days, he has fun doing a lot of Radio/Wireless hacking, and using Machine Learning/Math to do cool security-related things.

Back to top



Walrus

Saturday 08/11/18 from 1400-1550 at Table Five
Offense (physical security assessors), Defense (contactless access control system users)

Daniel Underhay

Matthew Daley

Walrus is an open-source Android app for contactless card cloning devices such as the Proxmark3 and Chameleon Mini. Using a simple interface in the style of Google Pay, access control cards can be read into a wallet to be written or emulated later.

Designed for physical security assessors during red team engagements, Walrus supports basic tasks such as card reading, writing and emulation, as well as device-specific functionality such as antenna tuning and device configuration. More advanced functionality such as location tagging makes handling multiple targets easy, while bulk reading allows the stealthy capture of multiple cards while “war-walking” a target.

We’ll be demoing Walrus live with multiple short- and long-range card cloning devices, as well as giving a sneak peek of future plans for the app.

https://walrus.app/

Daniel Underhay
Daniel Underhay is a Security Consultant working at Aura Information Security. He has presented at Troopers, Black Hat Asia Arsenal, ChCon, OzSecCon, and BSides Wellington. He enjoys all aspects of penetration testing, red teaming and phishing engagements.

Matthew Daley
Matthew Daley is a Senior Security Consultant at Aura Information Security. He has presented at Black Hat Asia Arsenal, BSides Wellington, OzSecCon, and OWASP New Zealand. He enjoys vulnerability discovery and exploitation, developing tools to help pentesters in their work, and writing long mailing list disclosures.

Back to top



WHID Injector: How To Bring HID Attacks to the Next Level

Saturday 08/11/18 from 1200-1350 at Table Four
Red Teams, Blue Teams and Hardware Hackers.

Luca Bongiorni

Nowadays, security threats and cyber-attacks against ICS assets have become a topic of public interest worldwide. This demo will present how HID attacks can still be used by threat actors to compromise industrial air-gapped environments. WHID Injector was born from the need for cheap, dedicated hardware that could be remotely controlled in order to conduct HID attacks. WHID's core is mainly an ATmega32U4 (commonly used in many Arduino boards) and an ESP-12S (which provides the WiFi capabilities and is commonly used in IoT projects). Nonetheless, in recent months new hardware has been under development: WHID-Elite. It replaces the WiFi capabilities with a 2G baseband, which gives an operational range limited only by cellular coverage.

This cute piece of hardware is perfect for concealing in USB gadgets and using during engagements to get a remote shell into an air-gapped environment. In practice, it is the "wet dream" of any ICS red teamer out there.

During the demo we will see in depth how WHID and WHID-Elite were designed and what they can do. We will also look at which tools and techniques blue teams can use to detect and mitigate these kinds of attacks.

https://github.com/whid-injector/WHID

Luca Bongiorni
Luca works as a Principal Offensive Security Specialist and is also actively involved in InfoSec, where his main fields of research are radio networks, reverse engineering, hardware hacking, Antani, Internet of Things and physical security. Since 2012 he has been keeping a close eye on FSB operations in the Baltics, while trying to avoid being poisoned with polonium or nerve gas. His favorite hobbies are pasta, grappa and ARP spoofing.

Back to top



WiPi-Hunter—It Strikes against Illegal Wireless Network Activities (Detection and Active Response)

Saturday 08/11/18 from 1600-1750 at Table One
Offense, Defense

Besim Altinok

Mehmet Kutlay Kocer

M.Can KURNAZ

WiPi-Hunter is developed for detecting illegal wireless network activities. But it shouldn't be seen only as a piece of code; it is also a philosophy. From this project you can derive new ways of detecting illegal wireless network activity: new methods, new ideas and different points of view.

Examples of such activities: WiFi Pineapple attacks, FruityWifi, mana-toolkit.

WiPi-Hunter Modules:

PiSavar: Detects activity of the PineAP module and starts a deauthentication attack against the fake access points (WiFi Pineapple activity detection).

PiFinger: Searches for illegal wireless activity in the networks you are connected to and calculates a wireless network security score (detects WiFi Pineapple and other fake APs).

PiDense: Monitors illegal wireless network activity (fake access points).

PiKarma: Detects wireless network attacks performed by the KARMA module (fake AP) and starts a deauthentication attack against the fake access points.

PiNokyo: If threats like WiFi Pineapple or KARMA attacks are active nearby, users are informed about them; works like a proxy (new).
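Two of the detection ideas behind these modules, as an added Python example that is not WiPi-Hunter's code: KARMA-style APs answer probe requests for any SSID, so probing for canary SSIDs that no real network uses and watching who responds exposes them; a PineAP-style SSID pool shows up as a single BSSID beaconing many unrelated network names. The canary names, the captured frames and the thresholds are constructed for the demo; a live tool would send the probe requests itself and generate fresh canaries per run.

```python
import secrets
from collections import defaultdict


def make_canaries(n=3):
    """Random SSIDs that cannot match a real network; fresh ones defeat a pool that learned old canaries."""
    return {f"{secrets.token_hex(3)}-canary-{secrets.token_hex(2)}" for _ in range(n)}


# Constructed canaries used for this demo run (a real run would call make_canaries()).
CANARY_SSIDS = {"zq8-canary-1f3a", "wv2-canary-9c0d", "kd7-canary-55e1"}

# Constructed frames seen on the air after we sent probe requests for the canaries.
FRAMES = [
    {"subtype": "probe_resp", "bssid": "aa:aa:aa:aa:aa:01", "ssid": "zq8-canary-1f3a"},
    {"subtype": "probe_resp", "bssid": "aa:aa:aa:aa:aa:01", "ssid": "wv2-canary-9c0d"},
    {"subtype": "probe_resp", "bssid": "aa:aa:aa:aa:aa:01", "ssid": "kd7-canary-55e1"},  # answers everything: KARMA
    {"subtype": "beacon", "bssid": "bb:bb:bb:bb:bb:02", "ssid": "Free Airport WiFi"},
    {"subtype": "beacon", "bssid": "bb:bb:bb:bb:bb:02", "ssid": "CoffeeShop-WiFi"},
    {"subtype": "beacon", "bssid": "bb:bb:bb:bb:bb:02", "ssid": "Hotel-Guest"},
    {"subtype": "beacon", "bssid": "bb:bb:bb:bb:bb:02", "ssid": "linksys"},               # one radio, many names: SSID pool
    {"subtype": "beacon", "bssid": "cc:cc:cc:cc:cc:03", "ssid": "Home-Net"},               # ordinary AP
    {"subtype": "probe_resp", "bssid": "cc:cc:cc:cc:cc:03", "ssid": "Home-Net"},           # answers only its own name
]


def detect_fake_aps(frames, canaries, min_canary_hits=2, min_pool_ssids=4):
    """Return {bssid: finding} for APs that answer canary probes (KARMA) or beacon an SSID pool."""
    canary_hits = defaultdict(set)
    beaconed = defaultdict(set)
    for f in frames:
        if f["subtype"] == "probe_resp" and f["ssid"] in canaries:
            canary_hits[f["bssid"]].add(f["ssid"])
        elif f["subtype"] == "beacon":
            beaconed[f["bssid"]].add(f["ssid"])
    findings = {}
    for bssid, hits in canary_hits.items():
        if len(hits) >= min_canary_hits:  # two distinct canaries rules out a one-off coincidence
            findings[bssid] = {"kind": "karma", "canaries_answered": sorted(hits)}
    for bssid, ssids in beaconed.items():
        if len(ssids) >= min_pool_ssids:
            findings.setdefault(bssid, {"kind": "ssid_pool", "ssids": sorted(ssids)})
    return findings


if __name__ == "__main__":
    for bssid, finding in detect_fake_aps(FRAMES, CANARY_SSIDS).items():
        print(bssid, finding)
```

Tune min_pool_ssids to the environment: enterprise APs normally use a distinct BSSID per SSID, but some consumer devices beacon a couple of names from one BSSID, so a threshold of four or more keeps them out of the findings.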

https://github.com/WiPi-Hunter

Besim Altinok
Besim ALTINOK (@AltnokBesim) is a security engineer at BARIKAT Internet Security. He performs penetration tests across web, network and mobile targets. His main interests are IoT pentesting and WiFi security. He wrote a book about WiFi networks, "Wireless Network Security". Besim is also a member of the Octosec and Canyoupwnme teams, through which he supports the community. Besim was a speaker at Black Hat Europe 2017 Arsenal and Black Hat Asia 2018 Arsenal.

Mehmet Kutlay Kocer
Mehmet Kutlay KOCER (@kutlaykocer) graduated from TOBB University of Economics and Technology with a B.S. in Computer Engineering in 2016. His senior design project was about VoIP systems, titled "SIP DDoS Attacks Detection and Prevention", in cooperation between TOBB University and NETAS. He has been working as a penetration tester at BARIKAT Internet Security for two years. He played a major role in the Barikat SOC in 2016. Mehmet Kutlay KOCER spoke at Black Hat Asia 2018 Arsenal.

M.Can KURNAZ
M. Can Kurnaz (@0x43414e) is a penetration tester and currently works at the European Network for Cyber Security in the Netherlands.

He conducts penetration tests over the internet, on internal networks, on web-based applications and on Operational Technology infrastructures such as smart meters, RTUs, data concentrators, telecontrol gateways, electric vehicle charging points and various ICS/SCADA systems and components; he also conducts robustness tests for OT devices and works on physical and wireless security assessments of IT/OT devices.

At the same time, he contributes as an instructor to the ENCS training "Red Team – Blue Team Training for Industrial Control Systems and Smart Grid Cyber Security".

Back to top