white paper



AVET - AntiVirus Evasion Tool

Avet (link: is an antivirus evasion tool.

What & Why:

  • When running an exe file made with msfpayload & co, the exe file will often be recognized by the antivirus software
  • Avet is a antivirus evasion tool targeting windows machines
  • The techniques used in avet evaded 9 antivirus suites (all of the tested), including MS Defender, McAfee, Sophos, Avira and more
  • Avet includes two tools, avet.exe with different antivirus evasion techniques and make_avet for compiling a preconfigured binary file
  • Avet.exe loads ASCII encoded shellcode from a textfile or from a webserver, further it is using an av evasion technique to avoid sandboxing and emulation
  • For encoding the shellcode the tools and sh_format are included
  • Avet is tested with Kali 2 and tdm-gcc

Short Future (Major Update):
  • Interactive assistant for easier usage
  • More evasion techniques
  • Support for 64bit payloads

Presented By

Daniel Sauder


CellAnalysis is a tool every pentester should add to his/her arsenal. Nowadays there are other tools intended to find fake cells (fake stations, IMSI Catchers, etc.), most of them use active monitoring; that is, they monitor traffic coming to the SIM card on a smartphone, so that only cell attacks are scanned on the same network as the SIM card. CellAnalysis offers a different approach, it performs a passive traffic monitoring, so it doesn't require a SIM card or a mobile device, just an OsmocomBB phone or compatible device SDR (rtlsdr, usrp, hackrf or bladerf) to start monitoring all the frequencies of the GSM spectrum.

Far from being an out-of-the-box tool, it has been developed using shell-scripting to make easier the code modification or the customization by the pentester, as well as the integration with other tools. SDR device or OsmocomBB phone connected to the computer running Linux will analyze the spectrum or a part of it, in search of cells and for each cell found, a quantitative and qualitative analysis of the information transmitted will be carried out. Alarms generation is not based on a scoring system, but each parameter chosen as a potential threat will generate an alarm if it is evaluated as such in the cell under study.

Presented By

Pedro Cabrera

CrackMapExec v4

CrackMapExec (a.k.a CME) is a fully open-source, post-exploitation tool written in Python that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land:" abusing built-in Active Directory features/protocols to achieve it's functionality and allowing it to evade most endpoint protection/IDS/IPS solutions.

CME makes heavy use of the Impacket library and the PowerSploit Toolkit for working with network protocols and performing a variety of post-exploitation techniques.

Although meant to be used primarily for offensive purposes (e.g. red teams), CME can be used by blue teams as well to assess account privileges, find possible misconfigurations and simulate attack scenarios.

In this demo the author will be showing off for the first time version 4.0: a major update to the tool bringing more modules, features and capabilities than ever before. If you're interested in the latest & greatest Active Directory attacks & techniques, this is the demo for you!

Presented By

Marcello Salvati

Damn Vulnerable SS7 Network

Telecom network was closed for years but recent advancement in open source telecom opens new doors for telecom hacking. SS7 is core network protocol in 2G and 3G. Many people have proved that these network is insecure, but to date no proper tool or vulnerable network is available in the information security community.

This talk will present security loopholes in SS7 network and will cover the SS7 Protocol security and the real telecom security penetration testing on the lab. The demonstration is prepared from real SS7 Penetration testing experience. During this demo I'm going to publish my SS7 Penetration testing tool that I've built for SS7 Assessment. The Damn vulnerable SS7 Network will also be available for information security community. The talk will first present the basics of this vulnerability including: information leaks, denial of service, toll and billing fraud, privacy leaks and SMS fraud.

Attendees will able to understand the basics of the SS7 network and tool usage and in additional; attendees will also understand the different type of attacks in the SS7 network.

Here are some attacks supported by this tool:

  • Subscriber privacy leaks
  • Billing frauds
  • Denial of service attacks
  • Revenue Frauds
  • Identity impersonation attacks
  • Intercepting incoming services
  • Illegal redirects

Presented By

Akib Sayyed

Datasploit - Automated Open Source Intelligence (OSINT) Tool

Utilizing various Open Source Intelligence (OSINT) tools and techniques that we have found to be effective, DataSploit brings them all into one place, correlates the raw data captured and gives the user, all the relevant information about the domain/email/ phone number/person, etc. It allows you to collect relevant information about a target which can expand your attack/defence surface very quickly. Sometimes it might even pluck the low hanging fruits for you without even touching the target and give you quick wins. More documentation here:

Presented By

Shubham Mittal

Devknox - Autocorrect Security Issues from Android Studio

Devknox works like autocorrect by highlighting issues in the code and suggests quick one-click fixes to ensure security is taken care of on the go.

To perform this autocorrect and suggestions, it does a multiple traversal over the AST - Abstract Syntax Tree and performs Taint Analysis over the source-code on the client-side inside the IDE in a matter of few seconds to come up with one click suggested fixes which fixes the root cause issue.

This tool is free and will be open sourced exclusively at Black Hat, so that the security community can help Devknox to have more test-cases and make developers understand and write better and securely.

Devknox can be downloaded at

Presented By

Subho Halder


Since collaborative pentesting is more common each day and teams become larger, sharing the information between pentesters can become a difficult task. Different tools, different formats, long outputs (in the case of having to audit a large network) can make it almost impossible. You may end up with wasted efforts, duplicated tasks, a lot of text files scrambled in your working directory. And then, you need to collect that same information from your teammates and write a report for your client, trying to be as clear as possible.

The idea behind Faraday is to help you to share all the information that is generated during the pentest, without changing the way you work. You run a command, or import a report, and Faraday will normalize the results and share that with the rest of the team in real time. Faraday has more than 60 plugins available (and counting), including a lot of common tools. And if you use a tool for which Faraday doesn't have a plugin, you can create your own. During this presentation we're going release Faraday v2.3 with all the new features that we were working on for the last couple of months.

Presented By

Emilio Couto

HaboMalHunter: An Automated Malware Analysis Tool for Linux ELF Files

HaboMalHunter is an automated malware analysis tool for Linux ELF files, which is a sub-project of Habo Analysis System independently developed by Tencent Antivirus Laboratory. It can comprehensively analyze samples from both static information and dynamic behaviors, trigger and capture behaviors of the samples in the sandbox and output the results in various formats. The generated report reveals significant information about process, file I/O , network and system calls.

Recently, HaboMalHunter has opened its source code under the MIT license, aimed to share and discuss the automatic analysis technology with researchers alike. The project applies digital forensics techniques, such as kernel space system call tracing and memory analysis, and it emphasizes the importance of collaboration with mainstream security tools by making it easy to add third-party YARA rules and supporting the output of .mdb files that are hash-based signature of the ClamAV. The tool, by generating a .syscall file containing a system call number sequence, is also friendly to artificial intelligence research on malware classification and detection.

HaboMalHunter has also been deployed and validated with a large-scale cluster at Tencent Antivirus Laboratory. With the processing ability of thousands of ELF malware samples per day, most of which are from the VirusTotal, HaboMalHunter helps security analysts extract static and dynamic features effectively and efficiently. We hope to present the technical architecture and the detailed implementation about HaboMalHunter and to demonstrate it with several typical real-world Linux malware samples.


Presented By

Jingyu Yang  &  Zhao Liu


LAMMA 1.0 is an attempt to create a Swiss-Army-Knife for security and quality Assessment of Cryptographic implementations. This major update of LAMMA has all new modules for testing trust stores, source code analysis and logical flaws in crypto-coding.

LAMMA 1.0 with new features & fixes makes crypto-testing more effective and smoother even for large scale implementations. You can use and enhance LAMMA 1.0, as it's a FREE and OPEN SOURCE.

Presented By

Ajit Hatti

Maltego Have I Been Pwned?

"Have I been pwned?" allows you to search across multiple data breaches to see if your email addresses or aliases has been compromised by Duowan, Taobao, Tianya, etc

Maltego is a link analysis application of technical infrastructure and/or social media networks from disparate sources of Open Source INTelligence (OSINT). Maltego is listed on the Top 10 Security Tools for Kali Linux by Network World and Top 125 Network Security Tools by the Nmap Project.

The integration of "Have I been pwned?" with Maltego presents these breaches in an easy to understand graph format that can be enriched with other sources of data.

Presented By

Christian Heinrich

MetasploitHelper Reloaded

MetasploitHelper was developed to assist penetration testers in internal engagements. There are a large number of exploits and modules that are available to penetration testers to use. However, it is often difficult and challenging for penetration testers to keep up to date with the latest exploits.

MetasploitHelper tends to make things easier for testers by testing and matching Metasploit modules against open ports and URI paths on the target hosts.

What's New!

  • Better detection and matching for web application exploits in Metasploit
  • Exploit-DB is a very popular source of working exploits. Currently, there are more than 21,298 web application exploits available.

The number of exploits for web applications are increasing at a very fast rate due to more applications being developed and used.

We have added a parser for the web application exploits in Exploit-DB and added them to metasploitHelper and now you can scan and detect more exploitable vulnerabilities much easier.

Presented By

Keith Lee  &  Maxwell Koh


Using threat intelligence to enforce security policy poses several challenges. Sources of threat indicators often place indicators in multiple formats or format them inconsistently. Using indicators from multiple sources and packaging them into different formats requires a large investment of time and effort, especially as you discover new sources of indicators. It is also difficult to keep track of updates to threat indicator sources, since they are updated at different times and not always on a regular basis. To automate many of these manual processes, we have released MineMeld.

MineMeld is an open source Threat Intelligence framework you can use, among other things, to process indicators and automatically enforce policy on your firewall or augment logs in your SIEM. At the core of MineMeld is a flexible and extensible engine where the data flow is described via a graph of nodes exchanging indicators with a protocol inspired by BGP. By changing the nodes and how they are connected, you can easily define any kind of Threat Intelligence processing logic. And if you need support for a new format, a new protocol or a new logic, you can develop & add your own custom node to the graph.

Presented By

Luigi Mori

NAD - A Tool for Performing Dynamic Runtime Analysis of Android Functions

Android application penetration testing goes further than testing the client to server communication. In order to get a holistic view on the risk exposure, a thorough analysis of the application has to be done to understand how the application works. This is also imperative to be able to bypass jailbreak detection, SSL pinning, or figure out how the application is handling encryption (e.g. being able to decrypt certain values).

There are several approaches available:

  • The application can be decompiled, modified and recompiled. This approach however may not always work due to errors while decompiling.
  • Patch the application by utilizing method hooks and overriding the original method. In order to identify the correct code and method to patch, the penetration tester has to go through the very time consuming process of figuring out the correct methods.

Adding to the frustration, most applications in release mode produce minified and obfuscated code. The above-mentioned problems makes analyzing an Android application a very tedious process, even before the actual analysis of the application has started. Currently there are no tools available for Android that allow for easy method hooking. This is why I started developing NAD, a tool which allows testers to perform on the fly method hooks.

This talk aims to demonstrate an Android tool built upon the Xposed framework. This tool is an attempt to be the "Burp suite" for Android application methods. It provides the user with several abilities to ease such frustration and make life easier:

  • Perform trace method calls
  • Intercept all methods of the Android application
  • Pause the application
  • Modify the input parameters of the hooked method
  • Modify the return value of the hooked method

My goal for developing this tool is to save time and provide more insight into compiled Android applications.


Presented By

Han Lee


OpenSCAP is the only free and open source implementation of the NIST SCAP standard. It has two major use cases:
Vulnerability assessment - enables users to automatically scan their machines for vulnerabilities using OVAL CVE feeds coming from the operating system vendors - Red Hat, Canonical, SUSE, ... OpenSCAP can load the CVE feed and examine the machine, virtual machine storage image or container. Any missing patches are reported.

Security compliance - allows fully automated evaluation and remediation of machines using SCAP security policies. Instead of looking at vulnerabilities in this use-case we are looking for weaknesses in the configuration. A good source for SCAP security policies is the open source SCAP Security Guide project which we will demo with OpenSCAP. Check out the list of available products and profiles by visiting

One of the main improvements in the latest 1.2 branch is the ability to scan various resources using similar command-line interface. We will cover scanning bare-metal machines, remote machines over ssh, VMs, VM storage images, containers and container images.

SCAP Workbench is a GUI front-end for OpenSCAP. It allows users to customize security policies for their organization by selecting/deselecting rules and choosing different values (e.g.: password min length) for evaluation. The result can be saved in a so-called tailoring file. To demonstrate we will make such a customized policy.

Presented By

Martin Preisler

OWASP Seraphimdroid

Indonesia is undoubtedly one of the most attractive markets in Southeast Asia. With a population of over 250 million - the largest in the region and the fourth largest in the world, after China, India, and the US - who wouldn't keep an eye on this market?
According to We Are Social's compendium of world digital stats, Indonesia now has 88.1 million active internet users, up 15 percent over the past 12 months. Its mobile market has exploded over the past couple of years. SIM subscriptions in Indonesia stand at 326.3 million, way more than its population. This means each mobile phone user owns an average of two SIM cards. 85 percent of the population own mobile phones, while 43 percent carry smartphones.

Mobile apps offer a level of convenience that the world has never known before. From home, the office, on the road and even from the hotel room in another country on vacation - can login to any voicemail at work, check the credit card balance, view the bank balance, buy new clothes, book travel and more. This extreme level of convenience has brought with it an extreme number of security risks as user's credit card details, bank logins, passwords and more are flying between devices and backend databases and systems across the net. Understanding these risks can help many people prepare their app and protect, their data and their users.

OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS, MMS messages, execution of dangerous USSD codes, theft and loosing. Also, it enables user to protect their privacy and to control the usage of applications and services via various kinds of locks.

Presented By

Ade Yoseman Putra

Puma Scan

Puma Scan provides real-time, continuous source code analysis as development teams write code in Visual Studio. With over 50 security-focused rules targeting insecure configuration, cross-site scripting, injection, weak validation, cryptography, cross-site request forgery, and many more insecure coding patterns, Puma Scan relies on Roslyn (the .NET Compiler Platform) to display vulnerabilities as spell check errors and compiler warnings. Come see a live demonstration of the Puma hunting source code for vulnerabilities, and walk away with an open-source (MPL v2.0) static analysis engine to help secure your .NET applications.

Presented By

Eric Johnson


Did you ever want to be at two different places at the same time? When I asked myself this question, I actually started developing this solution in my mind. While performing penetration tests there are often problems caused by security devices that block the "attacking" IP. This really annoyed me, so I wrote a script to supply a solution for this problem. With a large number of IP addresses performing the attacks, better results are guaranteed - especially when attempting attacks to bypass Web Application Firewalls, Brute-Force type attacks and many more.

1) [Github]
2) [OwaspIL Old Presentation]

* I will release a new version of pymultitor (the proxy version of PyMultitor; it will allow people to interact with this tool without any change of the configuration of their own tools).

Presented By

Tomer Zait

Shadow-Box: Lightweight Hypervisor-Based Kernel Protector

Protection mechanisms running in the kernel-level (Ring 0) cannot completely prevent security threats such as rootkits and kernel exploits because the threats can subvert the protections with the same privileges. This means protections need to be provided with higher privileges. Creating Ring -1 is plausible using VT such as ARM TrustZone, Intel VT-x, and AMD AMD-v. The existing VT (Virtualization Technologies) supports to separate the worlds into a host (normal world, ring -1, host) and a guest (normal world, ring 0 ~ ring 3). Previous research such as NumChecker, Secvisor, NICKLE, Lares, and OSck used VT to protect kernel.

In this demo, we show a security monitoring framework for operating systems, Shadow-box, using state-of-the-art virtualization technologies. Shadow-box is introduced at Black Hat Asia 2017 briefing and has a novel architecture inspired by a shadow play. We made Shadow-box from scratch, and it is primarily composed of a lightweight hypervisor and a security monitor. The lightweight hypervisor, Light-box, efficiently isolates an OS inside a guest machine, and projects static and dynamic kernel objects of the guest into the host machine so that our security monitor in the host can investigate the projected images. The security monitor, Shadow-Watcher, places event monitors on static kernel elements and tests security of dynamic kernel elements. We manipulate address translations from the guest physical address to the host physical address in order to exclude unauthorized accesses to the host and the hypervisor spaces. In that way, Shadow-box can properly introspect the guest operating system and mediate all accesses, even when the operating system is compromised.

Shadow-box is an open source project (MIT license), and we have been successfully operating Shadow-box in real world since last year. Real world environment is different from laboratory environment. So, we have gone through many trials and errors for a year, and have learned lessons from them. We share our know-hows about using virtualization technology and deploying research into the wild.

Presented By

Seunghun Han  &  Junghwan Kang


ShinoBOT is a RAT simulator for the pentesters, researchers.The powershell based version is released and it allows you to test the detection performance of your security environment against the powershell based attacks, which increase recently.
As the previous version you can use ShinoBOT Suite to perform the whole APT scenario, from exploit to data exfiltration.

Presented By

Shota Shinogi

Smart Whitelisting Using Locality Sensitive Hashing

Using cryptographic hashes (such as SHA1 or MD5) for whitelisting results in some limitations. Machine Learning extensions of whitelisting may be used for execution control, verification, minimizing false positives from other detection methods or other purpose.

Locality Sensitive Hashing is a state of the art method in machine learning for the scalable approximate-nearest-neighbor search.
The identification of executable files which are very similar to known legitimate executable files fits very well within this paradigm.

We provide open source tools for the evaluation of TLSH (a locality sensitive hash) of executable programs.
We also provide a backend query service which we will make available to researchers on an ongoing basis.

In this talk, we show the effectiveness of applying locality sensitive hashing techniques to identify files similar to legitimate executable files. In the demo we will:

  • Give a brief explanation of locality sensitive hashing
  • Describe typical modifications made to legitimate executable files (such as security updates, patches, functionality enhancements, and corrupted files)
  • Given a program P, demonstrate how the tool can be used to query for similar executable files
  • Demonstrate how meta data (such as certificates) can be employed to confirm the legitimacy of program P

Presented By

Jonathan Oliver  &  Jayson Pryde

Tintorera: Source Code Intelligence

Tintorera is a new static analysis tool developed in Python that uses the GCC compiler to build C projects aiming to obtain intelligence from them. GCC offers a powerful plugin architecture that allows tapping into its internals, and static analysis tools can benefit from it to gather information of the source code while compiling.

Some Tintorera features that a code auditor can benefit from:

  • Obtain many code metrics: Cyclomatic Complexity (CC), comment density, physical lines of codes, design complexity, code averages and etc.
  • Attack Surface analysis of the entire project, identifies all entry and exit of data.
  • Can identify Linux API and well-known libraries such as OpenSSL.
  • Perform different visualization maps of the source code such as function structure, logic and function calls relationship.
  • Context and code analysis of: comments, inline assembly, global variables, function parameters and more.
  • The entire source code is converted to a JSON representation allowing performing queries.
  • Creates HTML reports while the project gets compiled by GCC.
  • Extend Tintorera to fit your needs easily using Python.
  • Tap into GCC internals and passes.

By using static analysis techniques, Tintorera can gather intelligence of a C source code allowing a code auditor to learn about the project faster. Tintorera is a tactical response as projects grow in complexity and code reviews are usually performed under limited time.

Presented By

Simon Roses Femerling

Unicorn's RFID Armoury

RFID and contact-less smart cards have become pervasive technologies nowadays. IC/RFID cards are generally used in security systems such as airport and military bases that require access control. This presentation introduces the details of contact-less card security risk firstly, then the principles of low frequency(125KHz) attack tool, HackID Pro, will be explained. This tool contains an Android App and a hardware which can be controlled by your phone. HackID Pro can emulate/clone any low frequency IC card to help you break into security system, just type few numbers on your phone. After 125KHz, this presentation will show you how to steal personal information from EMV bank card, whose carrier frequency is high frequency, 13.56MHz, just sitting around you. In the end, our defense tool, Card Defender, will be dissected to explain how this product can protect your card and informations in both high/low frequency way and some tricks that this defense tool can do.

Presented By

Haoqi Shan  &  Yang Qing  &  Yunding Jian

WiDy: WiFi 0wnage in Under $5

WiDy is an open source Wi-Fi Attack and Defense platform created to run on the extremely cheap ESP8266 (<$5) IoT platform. We've written a simple framework which you can hack and create your own tools or automate attack/defense tasks. Among the attacks WiDy is able to perform out of the box, include:

  • Honeypot Attacks
  • Captive Portal Attacks
  • Serving Exploits to browsers using DNS redirection
  • Wi-Fi Scanner
  • Wi-Fi Be Gone (similar to TV-be-gone)
  • Sniffing and Injection
  • Beacon Floods like MDK
  • Deauthentication & Disasscoation
  • Client monitoring
  • WiFi IDS/IPS functionality
  • … other interesting applications

The key advantage of using the ESP8266 to recreate Wi-Fi attack/defense functionality is that anyone can now build these tools and physically deploy them in under $5 in the field! One can only imagine the kind of projects the community can create once the core code is available to modify and hack. We have also used the Arduino based platform to make it easier to work with our code. Of course, experienced developers can recreate/port this code to work with the manufacturer SDKs or with the Open ESP SDK. The code is written entirely in C.

All code and scripts will be open sourced under MIT license and launched at Black Hat Asia Arsenal!

Zenected Threat Defense VPN

Zenected is a cloud-based security threat protection service. It's delivered through a set of pre-configured services. Once a user connects to Zenected, that user's network traffic is filtered to keep the bad things out (e.g. phishing sites, malware). The only thing this a user has to configure on the endpoint device (be it a mobile device, a desktop or laptop or IoT device) is your VPN connection. Oh, btw - because you are using VPN, your network traffic is kept secret even if you connect using your favorite coffee store WFi.

All mentioned services are updated every hour with a new set of threat indicators. The feeds are delivered by Perun Works.
Zenected is easy to manage. It uses a web front-end for administrators to manage your instance. An administrator user can:

  • Manage Zenected users including adding more admin users
  • Blacklist URLs or domain names that you don't want your users to access
  • Whitelist URLs or domain names, that were identified as malicious but you still want your users to be able to get to them
  • Review exception requests from users
  • If you are a Zenected end-user what you will like about it, is:
  • No need to install additional software on your mobile phone, tablet or laptop – Zenected uses standard OS features build-in into all modern systems
  • If you encounter a certain resource blocked by the system, you can request an exception. Each exception is then reviewed by an administrator.

More details available on the webpage:

Presented By

Tomasz Jakubowski