 |
white paper |
 |
presentation |
 |
source |
Avet (link: https://github.com/govolution/avet) is an antivirus evasion tool.
What & Why:
CellAnalysis is a tool every pentester should add to his/her arsenal. Nowadays there are other tools intended to find fake cells (fake stations, IMSI Catchers, etc.), most of them use active monitoring; that is, they monitor traffic coming to the SIM card on a smartphone, so that only cell attacks are scanned on the same network as the SIM card. CellAnalysis offers a different approach, it performs a passive traffic monitoring, so it doesn't require a SIM card or a mobile device, just an OsmocomBB phone or compatible device SDR (rtlsdr, usrp, hackrf or bladerf) to start monitoring all the frequencies of the GSM spectrum.
Far from being an out-of-the-box tool, it has been developed using shell-scripting to make easier the code modification or the customization by the pentester, as well as the integration with other tools. SDR device or OsmocomBB phone connected to the computer running Linux will analyze the spectrum or a part of it, in search of cells and for each cell found, a quantitative and qualitative analysis of the information transmitted will be carried out. Alarms generation is not based on a scoring system, but each parameter chosen as a potential threat will generate an alarm if it is evaluated as such in the cell under study.
CrackMapExec (a.k.a CME) is a fully open-source, post-exploitation tool written in Python that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land:" abusing built-in Active Directory features/protocols to achieve it's functionality and allowing it to evade most endpoint protection/IDS/IPS solutions.
CME makes heavy use of the Impacket library and the PowerSploit Toolkit for working with network protocols and performing a variety of post-exploitation techniques.
Although meant to be used primarily for offensive purposes (e.g. red teams), CME can be used by blue teams as well to assess account privileges, find possible misconfigurations and simulate attack scenarios.
In this demo the author will be showing off for the first time version 4.0: a major update to the tool bringing more modules, features and capabilities than ever before. If you're interested in the latest & greatest Active Directory attacks & techniques, this is the demo for you!
Telecom network was closed for years but recent advancement in open source telecom opens new doors for telecom hacking. SS7 is core network protocol in 2G and 3G. Many people have proved that these network is insecure, but to date no proper tool or vulnerable network is available in the information security community.
This talk will present security loopholes in SS7 network and will cover the SS7 Protocol security and the real telecom security penetration testing on the lab. The demonstration is prepared from real SS7 Penetration testing experience. During this demo I'm going to publish my SS7 Penetration testing tool that I've built for SS7 Assessment. The Damn vulnerable SS7 Network will also be available for information security community. The talk will first present the basics of this vulnerability including: information leaks, denial of service, toll and billing fraud, privacy leaks and SMS fraud.
Attendees will able to understand the basics of the SS7 network and tool usage and in additional; attendees will also understand the different type of attacks in the SS7 network.
Here are some attacks supported by this tool:
Utilizing various Open Source Intelligence (OSINT) tools and techniques that we have found to be effective, DataSploit brings them all into one place, correlates the raw data captured and gives the user, all the relevant information about the domain/email/ phone number/person, etc. It allows you to collect relevant information about a target which can expand your attack/defence surface very quickly. Sometimes it might even pluck the low hanging fruits for you without even touching the target and give you quick wins. More documentation here: http://datasploit.readthedocs.io/en/latest/.
Devknox works like autocorrect by highlighting issues in the code and suggests quick one-click fixes to ensure security is taken care of on the go.
To perform this autocorrect and suggestions, it does a multiple traversal over the AST - Abstract Syntax Tree and performs Taint Analysis over the source-code on the client-side inside the IDE in a matter of few seconds to come up with one click suggested fixes which fixes the root cause issue.
This tool is free and will be open sourced exclusively at Black Hat, so that the security community can help Devknox to have more test-cases and make developers understand and write better and securely.
Devknox can be downloaded at https://devknox.io
Since collaborative pentesting is more common each day and teams become larger, sharing the information between pentesters can become a difficult task. Different tools, different formats, long outputs (in the case of having to audit a large network) can make it almost impossible. You may end up with wasted efforts, duplicated tasks, a lot of text files scrambled in your working directory. And then, you need to collect that same information from your teammates and write a report for your client, trying to be as clear as possible.
The idea behind Faraday is to help you to share all the information that is generated during the pentest, without changing the way you work. You run a command, or import a report, and Faraday will normalize the results and share that with the rest of the team in real time. Faraday has more than 60 plugins available (and counting), including a lot of common tools. And if you use a tool for which Faraday doesn't have a plugin, you can create your own. During this presentation we're going release Faraday v2.3 with all the new features that we were working on for the last couple of months.
HaboMalHunter is an automated malware analysis tool for Linux ELF files, which is a sub-project of Habo Analysis System independently developed by Tencent Antivirus Laboratory. It can comprehensively analyze samples from both static information and dynamic behaviors, trigger and capture behaviors of the samples in the sandbox and output the results in various formats. The generated report reveals significant information about process, file I/O , network and system calls.
Recently, HaboMalHunter has opened its source code under the MIT license, aimed to share and discuss the automatic analysis technology with researchers alike. The project applies digital forensics techniques, such as kernel space system call tracing and memory analysis, and it emphasizes the importance of collaboration with mainstream security tools by making it easy to add third-party YARA rules and supporting the output of .mdb files that are hash-based signature of the ClamAV. The tool, by generating a .syscall file containing a system call number sequence, is also friendly to artificial intelligence research on malware classification and detection.
HaboMalHunter has also been deployed and validated with a large-scale cluster at Tencent Antivirus Laboratory. With the processing ability of thousands of ELF malware samples per day, most of which are from the VirusTotal, HaboMalHunter helps security analysts extract static and dynamic features effectively and efficiently. We hope to present the technical architecture and the detailed implementation about HaboMalHunter and to demonstrate it with several typical real-world Linux malware samples.
DOWNLOAD: https://github.com/Tencent/HaboMalHunter
LAMMA 1.0 is an attempt to create a Swiss-Army-Knife for security and quality Assessment of Cryptographic implementations. This major update of LAMMA has all new modules for testing trust stores, source code analysis and logical flaws in crypto-coding.
LAMMA 1.0 with new features & fixes makes crypto-testing more effective and smoother even for large scale implementations. You can use and enhance LAMMA 1.0, as it's a FREE and OPEN SOURCE.
"Have I been pwned?" allows you to search across multiple data breaches to see if your email addresses or aliases has been compromised by Duowan, Taobao, Tianya, etc
Maltego is a link analysis application of technical infrastructure and/or social media networks from disparate sources of Open Source INTelligence (OSINT). Maltego is listed on the Top 10 Security Tools for Kali Linux by Network World and Top 125 Network Security Tools by the Nmap Project.
The integration of "Have I been pwned?" with Maltego presents these breaches in an easy to understand graph format that can be enriched with other sources of data.
MetasploitHelper was developed to assist penetration testers in internal engagements. There are a large number of exploits and modules that are available to penetration testers to use. However, it is often difficult and challenging for penetration testers to keep up to date with the latest exploits.
MetasploitHelper tends to make things easier for testers by testing and matching Metasploit modules against open ports and URI paths on the target hosts.
What's New!
Using threat intelligence to enforce security policy poses several challenges. Sources of threat indicators often place indicators in multiple formats or format them inconsistently. Using indicators from multiple sources and packaging them into different formats requires a large investment of time and effort, especially as you discover new sources of indicators. It is also difficult to keep track of updates to threat indicator sources, since they are updated at different times and not always on a regular basis. To automate many of these manual processes, we have released MineMeld.
MineMeld is an open source Threat Intelligence framework you can use, among other things, to process indicators and automatically enforce policy on your firewall or augment logs in your SIEM. At the core of MineMeld is a flexible and extensible engine where the data flow is described via a graph of nodes exchanging indicators with a protocol inspired by BGP. By changing the nodes and how they are connected, you can easily define any kind of Threat Intelligence processing logic. And if you need support for a new format, a new protocol or a new logic, you can develop & add your own custom node to the graph.
Android application penetration testing goes further than testing the client to server communication. In order to get a holistic view on the risk exposure, a thorough analysis of the application has to be done to understand how the application works. This is also imperative to be able to bypass jailbreak detection, SSL pinning, or figure out how the application is handling encryption (e.g. being able to decrypt certain values).
There are several approaches available:
OpenSCAP is the only free and open source implementation of the NIST SCAP standard. It has two major use cases:
Vulnerability assessment - enables users to automatically scan their machines for vulnerabilities using OVAL CVE feeds coming from the operating system vendors - Red Hat, Canonical, SUSE, ... OpenSCAP can load the CVE feed and examine the machine, virtual machine storage image or container. Any missing patches are reported.
Security compliance - allows fully automated evaluation and remediation of machines using SCAP security policies. Instead of looking at vulnerabilities in this use-case we are looking for weaknesses in the configuration. A good source for SCAP security policies is the open source SCAP Security Guide project which we will demo with OpenSCAP. Check out the list of available products and profiles by visiting https://static.open-scap.org/
One of the main improvements in the latest 1.2 branch is the ability to scan various resources using similar command-line interface. We will cover scanning bare-metal machines, remote machines over ssh, VMs, VM storage images, containers and container images.
SCAP Workbench is a GUI front-end for OpenSCAP. It allows users to customize security policies for their organization by selecting/deselecting rules and choosing different values (e.g.: password min length) for evaluation. The result can be saved in a so-called tailoring file. To demonstrate we will make such a customized policy.
Indonesia is undoubtedly one of the most attractive markets in Southeast Asia. With a population of over 250 million - the largest in the region and the fourth largest in the world, after China, India, and the US - who wouldn't keep an eye on this market?
According to We Are Social's compendium of world digital stats, Indonesia now has 88.1 million active internet users, up 15 percent over the past 12 months. Its mobile market has exploded over the past couple of years. SIM subscriptions in Indonesia stand at 326.3 million, way more than its population. This means each mobile phone user owns an average of two SIM cards. 85 percent of the population own mobile phones, while 43 percent carry smartphones.
Mobile apps offer a level of convenience that the world has never known before. From home, the office, on the road and even from the hotel room in another country on vacation - can login to any voicemail at work, check the credit card balance, view the bank balance, buy new clothes, book travel and more. This extreme level of convenience has brought with it an extreme number of security risks as user's credit card details, bank logins, passwords and more are flying between devices and backend databases and systems across the net. Understanding these risks can help many people prepare their app and protect, their data and their users.
OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS, MMS messages, execution of dangerous USSD codes, theft and loosing. Also, it enables user to protect their privacy and to control the usage of applications and services via various kinds of locks.
Puma Scan provides real-time, continuous source code analysis as development teams write code in Visual Studio. With over 50 security-focused rules targeting insecure configuration, cross-site scripting, injection, weak validation, cryptography, cross-site request forgery, and many more insecure coding patterns, Puma Scan relies on Roslyn (the .NET Compiler Platform) to display vulnerabilities as spell check errors and compiler warnings. Come see a live demonstration of the Puma hunting source code for vulnerabilities, and walk away with an open-source (MPL v2.0) static analysis engine to help secure your .NET applications.
Did you ever want to be at two different places at the same time? When I asked myself this question, I actually started developing this solution in my mind. While performing penetration tests there are often problems caused by security devices that block the "attacking" IP. This really annoyed me, so I wrote a script to supply a solution for this problem. With a large number of IP addresses performing the attacks, better results are guaranteed - especially when attempting attacks to bypass Web Application Firewalls, Brute-Force type attacks and many more.
URLs:
1) [Github] https://github.com/realgam3/pymultitor
2) [OwaspIL Old Presentation] https://www.owasp.org/images/3/3d/OWASPIL-2016-02-02_PyMultiTor_TomerZait.pdf
* I will release a new version of pymultitor (the proxy version of PyMultitor; it will allow people to interact with this tool without any change of the configuration of their own tools).
Protection mechanisms running in the kernel-level (Ring 0) cannot completely prevent security threats such as rootkits and kernel exploits because the threats can subvert the protections with the same privileges. This means protections need to be provided with higher privileges. Creating Ring -1 is plausible using VT such as ARM TrustZone, Intel VT-x, and AMD AMD-v. The existing VT (Virtualization Technologies) supports to separate the worlds into a host (normal world, ring -1, host) and a guest (normal world, ring 0 ~ ring 3). Previous research such as NumChecker, Secvisor, NICKLE, Lares, and OSck used VT to protect kernel.
In this demo, we show a security monitoring framework for operating systems, Shadow-box, using state-of-the-art virtualization technologies. Shadow-box is introduced at Black Hat Asia 2017 briefing and has a novel architecture inspired by a shadow play. We made Shadow-box from scratch, and it is primarily composed of a lightweight hypervisor and a security monitor. The lightweight hypervisor, Light-box, efficiently isolates an OS inside a guest machine, and projects static and dynamic kernel objects of the guest into the host machine so that our security monitor in the host can investigate the projected images. The security monitor, Shadow-Watcher, places event monitors on static kernel elements and tests security of dynamic kernel elements. We manipulate address translations from the guest physical address to the host physical address in order to exclude unauthorized accesses to the host and the hypervisor spaces. In that way, Shadow-box can properly introspect the guest operating system and mediate all accesses, even when the operating system is compromised.
Shadow-box is an open source project (MIT license), and we have been successfully operating Shadow-box in real world since last year. Real world environment is different from laboratory environment. So, we have gone through many trials and errors for a year, and have learned lessons from them. We share our know-hows about using virtualization technology and deploying research into the wild.
ShinoBOT is a RAT simulator for the pentesters, researchers.The powershell based version is released and it allows you to test the detection performance of your security environment against the powershell based attacks, which increase recently.
As the previous version you can use ShinoBOT Suite to perform the whole APT scenario, from exploit to data exfiltration.
Using cryptographic hashes (such as SHA1 or MD5) for whitelisting results in some limitations. Machine Learning extensions of whitelisting may be used for execution control, verification, minimizing false positives from other detection methods or other purpose.
Locality Sensitive Hashing is a state of the art method in machine learning for the scalable approximate-nearest-neighbor search.
The identification of executable files which are very similar to known legitimate executable files fits very well within this paradigm.
Tools
We provide open source tools for the evaluation of TLSH (a locality sensitive hash) of executable programs.
We also provide a backend query service which we will make available to researchers on an ongoing basis.
In this talk, we show the effectiveness of applying locality sensitive hashing techniques to identify files similar to legitimate executable files. In the demo we will:
Tintorera is a new static analysis tool developed in Python that uses the GCC compiler to build C projects aiming to obtain intelligence from them. GCC offers a powerful plugin architecture that allows tapping into its internals, and static analysis tools can benefit from it to gather information of the source code while compiling.
Some Tintorera features that a code auditor can benefit from:
RFID and contact-less smart cards have become pervasive technologies nowadays. IC/RFID cards are generally used in security systems such as airport and military bases that require access control. This presentation introduces the details of contact-less card security risk firstly, then the principles of low frequency(125KHz) attack tool, HackID Pro, will be explained. This tool contains an Android App and a hardware which can be controlled by your phone. HackID Pro can emulate/clone any low frequency IC card to help you break into security system, just type few numbers on your phone. After 125KHz, this presentation will show you how to steal personal information from EMV bank card, whose carrier frequency is high frequency, 13.56MHz, just sitting around you. In the end, our defense tool, Card Defender, will be dissected to explain how this product can protect your card and informations in both high/low frequency way and some tricks that this defense tool can do.
WiDy is an open source Wi-Fi Attack and Defense platform created to run on the extremely cheap ESP8266 (<$5) IoT platform. We've written a simple framework which you can hack and create your own tools or automate attack/defense tasks. Among the attacks WiDy is able to perform out of the box, include:
Zenected is a cloud-based security threat protection service. It's delivered through a set of pre-configured services. Once a user connects to Zenected, that user's network traffic is filtered to keep the bad things out (e.g. phishing sites, malware). The only thing this a user has to configure on the endpoint device (be it a mobile device, a desktop or laptop or IoT device) is your VPN connection. Oh, btw - because you are using VPN, your network traffic is kept secret even if you connect using your favorite coffee store WFi.
All mentioned services are updated every hour with a new set of threat indicators. The feeds are delivered by Perun Works.
Zenected is easy to manage. It uses a web front-end for administrators to manage your instance. An administrator user can:
