Arsenal


Android Device Testing Framework v.13

The Android Device Testing Framework ("dtf") project started back in 2014 as a collection of scripts and utilities that aimed to help individuals answer the question: "Where are the vulnerabilities on this mobile device?" Since then, dtf has grown into a robust and extensive data collection and analysis framework with over 30 modules that allow testers to obtain information from their Android device, process this information into databases, and then start searching for vulnerabilities (all without requiring root privileges). These modules help you focus on changes made to AOSP components such as applications, frameworks and system services, as well as lower-level components such as binaries, libraries and device drivers. In addition, you'll be able to analyze new functionality implemented by the OEMs and other parties to find vulnerabilities.

presented by Jake Valletta

Android InsecureBank

Ever wondered how different attacking and exploiting a mobile application is from attacking a traditional web application? Gone are the days when knowledge of just SQL injection or XSS could help you land a lucrative, high-paying InfoSec job. Watch as Dinesh walks you through his new and shiny updated custom application, "Android-InsecureBank", and some other source code review tools, to help you understand some known and some not so well known Android security bugs and ways to exploit them.



This presentation will cover mobile application security attacks that will get n00bs as well as 31337 attendees started on the path of mobile application penetration testing. The vulnerabilities in the Android InsecureBank application that will be discussed include (but are not limited to):

- Flawed Broadcast Receivers

- Root Detection and Bypass

- Local Encryption issues

- Vulnerable Activity Components

- Insecure Content Provider access

- Insecure Webview implementation

- Weak Cryptography implementation

- Application Patching

- Sensitive Information in Memory



Expect to see a lot of demos, tools, hacking and have lots of fun.

presented by Dinesh Shetty

Android Tamer

Android Tamer is a virtual / live platform for Android security professionals. It reduces the need to configure your own environment. This environment allows people to work on a large array of Android security related tasks, ranging from malware analysis and penetration testing to reverse engineering.

presented by Anant Shrivastava

BinProxy

Attackers have long been targeting various fields in the IT industry, including binary applications, mobile apps, embedded devices, web applications, and the like. One of the biggest problems for the whitehats who focus on defending against these attacks is a lack of time and manpower. We try to compensate for that issue. We made a new framework for analyzing applications called "BinProxy", inspired by web proxies. Basically, what it does is create an easy environment in which to dynamically analyze executables. Our approach can be used to analyze ordinary (binary) applications with a web proxy, and applies to Windows, Linux and Mac environments as well as mobile environments such as Android and iOS.



Our framework addresses the lack of time and manpower through the following functions, without using a debugger, decompiler or other cumbersome reversing and hooking tools, so there is no need to learn those tools or look up their manuals:

- Finding the function that needs to be analyzed and monitored

- Modifying function parameters and return values through the web proxy

- Reading/writing memory and executing a given function or code through the web proxy

- Controlling functions using scripting languages

We want this framework to be an open source project. Proof of concept: https://www.youtube.com/playlist?list=PLNa87eQJGfPXbgj9hMGqijWlzxIHJ8brp

BTA

When it comes to the security of an information system, Active Directory domain controllers are, or should be, at the center of concerns. Those concerns are normally to ensure compliance with best practices and, once a compromise has been proven, to explore the possibility of cleaning the information system without having to rebuild Active Directory. However, few tools implement this process, and several ways exist to backdoor Active Directory. We propose to present some possible backdoors that an intruder could set in Active Directory to keep administration rights, for example modifying the AdminSDHolder container so that rights are reapplied after administrator actions. Moreover, backdoors can be implemented in Active Directory to help an intruder regain his privileges. We will then present BTA, an audit tool for Active Directory databases, and our methodology for verifying the application of good practices and the absence of malicious changes in these databases. The presentation will be organized as follows:

- We begin by describing the stakes around Active Directory, the centerpiece of any information system based on Microsoft technologies.

- We continue by demonstrating some backdoors used to keep admin rights or to help an intruder quickly recover admin rights.

- We present BTA and the methodology developed to analyze Active Directory.

- We conclude with feedback on real-world usage of BTA.

More information can be found on the Bitbucket repository: https://bitbucket.org/iwseclabs/bta

presented by Joffrey Czarny

Commix: Detecting And Exploiting Command Injection Flaws

Command injections are prevalent in any application, independently of the operating system that hosts the application or the programming language in which the application itself is developed. The impact of command injection attacks ranges from loss of data confidentiality and integrity to unauthorized remote access to the system that hosts the vulnerable application. A prime example of a real, infamous command injection vulnerability that clearly depicts the threats of this type of code injection was the recently discovered Shellshock bug. Despite the prevalence and the high impact of command injection attacks, little attention has been given by the research community to this type of code injection. In particular, we have observed that although there are many software tools to detect and exploit other types of code injection, such as SQL injection or Cross-Site Scripting, to the best of our knowledge there is no dedicated and specialized software application that automatically detects and exploits command injection attacks. This paper attempts to fill this gap by proposing an open source tool that automates the process of detecting and exploiting command injection flaws in web applications, named commix (COMMand Injection eXploitation). This tool supports a plethora of functionalities in order to cover several exploitation scenarios. Moreover, Commix is capable of detecting, with a high success rate, whether a web application is vulnerable to command injection attacks. Finally, during the evaluation of the tool we have detected several 0-day vulnerabilities in applications.

Overall, the contributions of this work are: a) we provide a comprehensive analysis and categorization of command injection attacks; b) we present and analyze our open source tool that automates the process of detecting and exploiting command injection vulnerabilities; c) we will reveal (during the presentation) several 0-day command injection vulnerabilities that Commix detected in various web-based applications, from home services (embedded devices) to web servers.

presented by Anastasios Stasinopoulos

Credmap: The Credential Mapper

It is not uncommon for people who are not experts in security to reuse credentials on different websites; even security-savvy people reuse credentials all the time. For this reason "credmap: the Credential Mapper" was created, to bring awareness to the dangers of credential reuse. Credmap takes a user and password as input and attempts to log in on a variety of known websites to test whether the user has reused credentials on any of them. New websites can easily be added with basic knowledge of Python. Credmap is also capable of searching public credential dumps of compromised websites (e.g. r0ckyou, AM, Adobe, etc.), collecting the user's password from there and then testing it on other websites. Credmap was written purely in Python and is open source and available on GitHub.

presented by Roberto Salgado

CuckooDroid - An Automated Malware Analysis Framework

To combat the growing problem of Android malware, we present a new solution based on the popular open source framework Cuckoo Sandbox to automate the malware investigation process. Our extension enables the use of Cuckoo's features to analyze Android malware and provides new functionality for dynamic and static analysis. Our framework is an all-in-one solution for malware analysis on Android. It is extensible and modular, allowing the use of new as well as existing tools for custom analysis.



The main capabilities of CuckooDroid include:

- Dynamic Analysis - based on Dalvik API hooking

- Static Analysis - Integration with Androguard

- Emulator Detection Prevention

- Virtualization Managers that support the popular virtualization solutions (VMware, VirtualBox, ESXi, Xen and KVM) and now also the Android emulator

- Traffic Analysis

- Intelligence Gathering - Collecting information from VirusTotal, Google Play, etc.

- Behavioral Signatures



Examples of well-known malware will be used to demonstrate the framework capabilities and its usefulness in malware analysis.

presented by Idan Revivo

D1c0m-X2

In this second version of the tool, a plugin for the exploitation of ORACLE databases will be added, which makes it an even more attractive exploit tool. DICOM (Digital Imaging and Communications in Medicine) is the standard recognized worldwide for the exchange of medical tests, designed for handling, display, storage, printing and transmission. It includes the definition of a file format and a network communication protocol. Target:

D1c0m-X.2 is a tool that searches the TCP/IP ports of surgical robots, X-ray, CT scan, MRI or other medical devices that use this protocol and, once one is found, checks whether its firmware is vulnerable. If they are not vulnerable, it will try to exploit them using scripts, which are intended to block the connection between the server and the robot, causing a DDoS or gaining access to the system. Before launching the attack, D1c0m-X.2 also explores the possibility of an intrusion through the corporate website of the hospital or clinic; if the intrusion is achieved, it proceeds to interact with a shell console, applying different vulnerabilities such as SQLi, default passwords, etc.

Finally, the dump of critical information about patients, doctors and staff is automated.

presented by Michael Hudson

Dockscan

Dockscan is a vulnerability assessment and audit tool for Docker and container installations. It reports on Docker installation security issues as well as Docker container configurations. The tool helps system administrators who administer Docker to secure it, as well as security auditors and penetration testers who need to audit Docker installations.

presented by Vlatko Kosturjak

Dvcs-Ripper

DVCS-Ripper will rip web-accessible (distributed) version control systems ranging from Subversion and Git to Mercurial and Bazaar. It can rip repositories even when directory browsing is turned off. The new release adds support for ripping packed refs in Git and speeds up Git ripping drastically. Currently it is the fastest and most feature-packed source code ripper tool.

presented by Vlatko Kosturjak

Exploit Pack

Exploit Pack is an open source security framework for exploit developers, pentesters and security enthusiasts. Exploit Pack uses an advanced software-defined interface that supports rapid reconfiguration to adapt exploit code to the constantly evolving threat environment. Objectively measure the threats, vulnerabilities, impact and risks associated with specific cyber-security incidents by rapidly reacting through the integration of both offensive and defensive security.

presented by Juan Sacco

Faraday

Since collaborative pentesting is more common each day, sharing the information generated by the pentesters with each other can become a difficult task. Different tools, different formats and long outputs (when having to audit a large network) can make it almost impossible. You may end up with wasted effort, duplicated tasks and a lot of text files scattered in your working directory. And then you need to collect that same information from your teammates and write a report for your client, trying to be as clear as possible.



The idea of Faraday is to help you share all the information that is generated during the pentest, without changing the way you work. You run a command, or import a report, and Faraday will normalize the result and share it with the rest of the team in real time. Faraday has more than 40 plugins (and counting) available, including the most used tools (msf, nmap and sqlmap, to name a few), and if you use a tool for which Faraday doesn't have a plugin, you can create your own.

During this presentation we're going to show you the latest version of the tool and how it can be used to improve the effectiveness of your team during a penetration test.

presented by Daniel Foguel

FindSecurityBugs

FindSecurityBugs is a plugin for the Java static analysis tool FindBugs. This plugin consists of a set of rules that focus only on security weaknesses. It can be used by developers or security analysts to find vulnerabilities in their code.

From XSS to RCE 20

This presentation demonstrates how an attacker can utilise XSS to execute arbitrary code on the web server when an administrative user inadvertently triggers a hidden XSS payload. Custom tools and payloads integrated with Metasploit's Meterpreter in a highly automated approach will be demonstrated live, including post-exploitation scenarios and interesting data that can be obtained from compromised web applications.

presented by Hans-Michael Varbaek

Haka - An Open Source Security Oriented Language

Haka is an open source security-oriented language that allows you to specify and apply security policies on live captured traffic. Haka is based on Lua, a simple, lightweight (~200 kB) and fast (a JIT compiler is available) scripting language. The scope of Haka is twofold. First of all, Haka enables the specification of security rules to filter unwanted streams and report malicious activities. Haka provides a simple API for advanced packet and stream manipulation: one can drop, create and inject packets. Haka also supports on-the-fly packet modification. This is one of the main features of Haka, since all complex tasks, such as resizing packets and correctly setting sequence numbers, are done transparently for the user. This makes it possible to specify and deploy complex mitigation scenarios.

Secondly, Haka is endowed with a grammar that allows you to specify protocols and their underlying state machine. Haka supports both types of protocol: binary-based protocols (e.g. DNS) and text-based protocols (e.g. HTTP). The specification covers packet-based protocols such as IP as well as stream-based protocols like HTTP. Thanks to that grammar, we were able to specify several protocols, including IP, ICMP, TCP, UDP, HTTP, DNS, SMTP and SSL. Haka is embedded in a modular framework including multiple packet capture modules (pcap, nfqueue), logging and alerting modules (syslog, Elasticsearch), and auxiliary modules such as a pattern matching engine and an instruction disassembler module. The latter allows writing fine-grained security rules to detect obfuscated malware, for instance. Haka was designed in a modular fashion, enabling users to extend it with additional modules.

Haka is intended to be used by all security communities: network security officers wishing to quickly deploy new security controls, academics wishing to evaluate the detection efficiency of a new algorithm, or security experts trying to investigate an incident on a specific protocol such as a SCADA protocol.

presented by Mehdi Talbi

Hardsploit: Like Metasploit But For Hardware Hacking

Why we chose to create HardSploit: it is clear that something is needed to help the security community evaluate, audit and/or control the level of security in embedded systems.

HardSploit is a complete tool box (hardware & software), a framework which aims to:

- Facilitate the auditing of electronic systems for industry 'security' workers (consultants, auditors, pentesters, product designers, etc.)

- Increase the level of security (and trust!) of new products designed by the industry

HardSploit Modules & Framework:

Hardsploit is an all-in-one hardware pentest tool with software and electronic aspects. It is a technical and modular platform (using an FPGA) for performing security tests on the electronic communication interfaces of embedded devices.

The main hardware security audit functions are:

- Sniffer

- Scanner

- Interact

- Dump memory



Hardsploit's modules will let hardware pentesters intercept, replay and/or send data via each type of electronic bus used by the hardware target. The level of interaction that pentesters will have depends on the features of the electronic bus.



Hardsploit's modules further enable you to analyze electronic buses (serial and parallel types), JTAG, SPI, I2C, and parallel address and data buses on chip.



Assisted Visual Wiring Function:

No more stress with that tedious part of hardware pentesting: you will know what needs to be connected and where!

We integrated into the tool an assisted visual wiring function to help you connect your wires to the hardware target:

- GUI will display the pin organization (Pin OUT) of the targeted chip.

- GUI will guide you through the wiring process between the Hardsploit connector and the target.

- GUI will control a set of LEDs that turn ON and OFF to easily let you find the right Hardsploit connector pin to connect to your target.



The software part of the project will help conduct an end-to-end security audit and will be compatible (integrated) with existing tools such as Metasploit. We will offer integration with other APIs in the future.

Our ambition is to provide a tool equivalent to Qualys or Nessus (vulnerability scanners) or the Metasploit framework, but in the domain of embedded systems/electronics.

presented by Yann Allain

IntelMQ

IntelMQ is a solution for collecting and processing security feeds, pastebins and tweets using a message queue protocol. It's a community-driven initiative called IHAP (Incident Handling Automation Project), which was conceptually designed by European CERTs during several InfoSec events. Its main goal is to give incident responders an easy way to collect and process threat intelligence, thus improving the incident handling processes of CERTs.

Jack

Jack is a novel web-based tool to assist in the identification and illustration of the abuse of web resources through ClickJacking. Jack allows implementers to identify whether certain online resources are vulnerable to ClickJacking and also lets them generate a PoC that harvests submitted user credentials to illustrate the effect of the vulnerability. Jack also allows implementers to generate a local instance of the PoC site and deploy it to an HTTP container such as Apache.

presented by Chris Le Roy

Kautilya - Fastest Shells You'll Ever Get

Kautilya is a framework that enables the use of Human Interface Devices (HIDs) in penetration testing. Kautilya is capable of generating ready-to-use payloads for a HID.

In this demonstration, you will see how Kautilya can be used to get access to a computer, dump system secrets in plain text, dump data, execute shellcode in memory, install backdoors, drop malicious files and much more. New payloads to backdoor a Windows machine will be released in this presentation.

presented by Nikhil Mittal

Lynis

Most of us have performed some level of system hardening, using checklists or custom scripts. The next level is to keep the security defenses of your systems compliant with your baselines. Lynis is an open source tool to help you with this goal. It is portable, flexible and specialized in Linux/Unix-based systems. It performs an in-depth health check of your systems and tells you what additional steps you can take to lock things down. In this demo, we will see how easy it is to use, yet flexible enough to support much more than is initially visible.

presented by Michael Boelen

Nishang - Tracking A Windows User

In this demonstration, we will see how scripts based on built-in Windows tools (Windows PowerShell, VBScript, the .NET Framework, native commands, the Registry, etc.) can be used to keep track of a Windows user. In addition to providing backdoor access, these tools and scripts offer capabilities like taking pictures from the user's webcam, recording the microphone, screenshots/live streaming of the user's screen, logging keys, internet history, location tracking and much more. All the scripts in the demo are part of the Nishang framework.

presented by Nikhil Mittal

OSXCollector

OSXCollector is an open source forensic evidence collection and analysis toolkit for Mac OS X. It automates the forensic evidence collection and analysis that Yelp's team of responders previously did manually. We use Macs a lot at Yelp, which means that we see our fair share of Mac-specific malware alerts. Host-based detectors like antivirus software tell us about known malware infestations or weird new startup items. Network-based detectors see potential CnC callouts or DNS requests to resolve suspicious domains. Sometimes our awesome employees just let us know, "Hey, I think I have like Stuxnet or Conficker or something on my laptop."

When alerts fire, our incident response team's first goal is to "stop the bleeding": to contain and then eradicate the threat. Next, we move to "root cause the alert": figuring out exactly what happened and how we'll prevent it in the future. One of our primary tools for root-causing OS X alerts is OSXCollector. It was developed in-house at Yelp to automate digital forensics and incident response (DFIR), based on our past experience dealing with the malware infections and other threats haunting Yelp's corporate network.

https://github.com/Yelp/osxcollector


presented by Kuba Sendor

OWASP Security Knowledge Framework

Over 10 years of experience in web application security bundled into a single application. The Security Knowledge Framework is a vital asset to the coding toolkit of you and your development team. Use SKF to learn and integrate security by design in your web application. In a nutshell:

- Training developers in writing secure code

- Security support pre-development (security by design, early feedback on possible security issues)

- Security support post-development (double-check your code by means of the OWASP ASVS checklists)

- Code examples for secure coding

Panoptic

Since its debut 2 years ago, Panoptic has become the go-to open source penetration testing tool for automating the search and retrieval of common log and config files through path traversal vulnerabilities. For the brand new release, Panoptic will have new and enhanced capabilities, such as being able to automate the escalation of a Local File Inclusion (LFI) vulnerability to Remote Code Execution (RCE) and even spawn a meterpreter session.

presented by Roberto Salgado

peepdf

peepdf is a Python tool to explore PDF files in order to find out whether the file can be harmful or not. The aim of this tool is to provide all the components that a security researcher could need in a PDF analysis without using 3 or 4 tools to do all the tasks. With peepdf it's possible to see all the objects in the document, highlighting the suspicious elements; it supports the most used filters and encodings, and it can parse different versions of a file, object streams and encrypted files. With the installation of PyV8 and Pylibemu it also provides JavaScript and shellcode analysis wrappers. Apart from this, it's able to create new PDF files and modify/obfuscate existing ones.

presented by Jose Miguel Esparza

Pestudio

Pestudio is a unique tool that allows you to perform an initial assessment of malware without even infecting a lab system or studying its code. A malicious executable often attempts to hide its malicious behavior and to evade detection. In doing so, it generally presents anomalies and suspicious patterns. The goal of Pestudio is to detect these anomalies, provide indicators and score the trust for the executable being analyzed. Since the executable file being analyzed is never started, you can inspect any unknown or malicious executable with no risk. Pestudio has been in the top 10 list of "Best Security Tool" in 2013 and 2014 by the readers of ToolsWatch.org.

presented by Marc Ochsenmeier

Reissue Request Scripter (Burp Plugin)

This Burp plugin has one focus: building scripts to replay HTTP requests in various scripting languages. It supports Python, Ruby, Perl, PHP, PowerShell and JavaScript. It is the Swiss Army knife of custom HTTP web exploits. This plugin starts where other automated tools reach their limit. It integrates well with the "python-paddingoracle" tool to create custom padding oracle attacks. It can be used to quickly build malicious JavaScript requests for an XSS payload. It can be used along with sqlmap to exploit second-order SQL injection. The BH Arsenal demo will focus on the most common usage: padding oracle, SQLi and XSS payloads. The Burp plugin is available for download on GitHub and on the Burp App Store:

- https://github.com/h3xstream/http-script-generator

- https://pro.portswigger.net/bappstore/ShowBappDetails.aspx?uuid=6e0b53d8c801471c9dc614a016d8a20d

presented by Philippe Arteau

Rudra - The Destroyer of Evil

Rudra aims to provide a developer-friendly framework for exhaustive analysis of (PCAP and PE) files. It provides features to scan files and generate reports that include a file's structural properties, entropy visualization, compression ratio, theoretical minimum size, etc. These details, along with file-format-specific analysis information, help an analyst understand the type of data embedded in a file and quickly decide whether it deserves further investigation. Rudra now supports scanning PE files and can perform API scans, anti-{debug, VM, sandbox} detection, packer detection and Authenticode verification, along with YARA, shellcode and regex detection on them. Additionally, the following new features are being added for the first beta release:

- Interactive console providing access to all internal data structures and objects, exposing a rich API for users

- Plugin architecture to operate on decoded file content (use cases might be writing a decoder for a new RAT found in the wild or a custom unpacker for a binary stub, etc.)

- Extracting subfiles and optionally scanning them if needed

- Heuristics to identify suspicious network flows and exe files

The report for each analyzed file can be dumped to disk as JSON/HTML/PDF. If needed, analysis can be customized via CLI arguments, a config file, or the interactive console. Rudra also supports protocol identification, decoding and normalization. It can analyze embedded URLs and IP addresses within files and gather whois/geolocation information for them. Users can view a live map of identified hosts and correlate the results from different analysis modules to perform deeper investigation.

presented by Ankur Tyagi

VirusTotal.com

VirusTotal.com is the free online file and URL scanner that everyone knows. However, there are many free features that many users don't know about, such as:

- IP address and domain reputation: see malware files known to be associated with a particular IP address or domain

- Passive DNS info

- Searching on file hash, and related files

- Carbon Black integration

- Static analysis of files, structural analysis of many file types (PE, ELF, APK, ZIP, RAR, Mach-O, .NET, Office, etc.)

- Sandbox dynamic analysis of PE and APK files

- ROMs, BIOS and firmware files

- ssdeep, authentihash, imphash and other similarity indexes

- Certificate checks on signed files

- Whitelisting of trusted files

- Free desktop scanning applications for Windows and Mac, and open source for compilation on Linux

presented by Karl Hiramoto

VolatilityBot

The Volatility Bot-Excavator: effective automation for executable file extraction. Made by and for security researchers. Part of the work security researchers have to go through when they study new malware or wish to analyse suspicious executables is extracting the binary file and all the different satellite injections and strings decrypted during the malware's execution. This initial process is mostly manual, which can make it long and incomplete. Enter the Volatility Bot-Excavator. This is a tool developed by and for malware researchers, leveraging the Volatility Framework. This new automation tool cuts out all the guesswork and manual extraction from the binary extraction phase. Not only does it automatically extract the executable (exe), but it also fetches all new processes created in memory, code injections, strings, IP addresses and so on. Beyond the obvious value of having a complete extraction automated and produced in under one minute, the Bot-Excavator is highly effective against a large variety of malware codes and their respective loading techniques. It can take on complex malware, including banking trojans such as ZeuS, Cridex and Dyre, just as easily as it extracts from simpler downloaders like Upatre or Pony, or even from targeted malware like Havex. After the Bot-Excavator finishes the extraction, it can further automate repairs or prepare the extracted elements for the next step in analysis. For example, it can repair the Portable Executable (PE) header, prepare for static analysis via tools like IDA, go to a YARA scan, etc.