ADRecon: Active Directory Recon

ADRecon is a tool which extracts various artifacts (as highlighted below) out of an AD environment into a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis. The report can provide a holistic picture of the current state of the target AD environment. The tool is useful to various classes of security professionals like auditors, DFIR, students, administrators, etc. It can also be an invaluable post-exploitation tool for a penetration tester. It can be run from any workstation that is connected to the environment, even hosts that are not domain members. Furthermore, the tool can be executed in the context of a non-privileged (i.e. standard domain user) account. Fine Grained Password Policy, LAPS and BitLocker may require privileged user accounts. The tool will use Microsoft Remote Server Administration Tools (RSAT) if available, otherwise it will communicate with the Domain Controller using LDAP.

The following information is gathered by the tool: Forest; domains in the Forest and other attributes such as sites; domain password policy; domain controllers and their roles; users and their attributes; service principal names; groups and their members; organizational units and their ACLs; group policy object details; DNS zones and records; printers; computers and their attributes; LAPS passwords (if implemented); and BitLocker Recovery Keys (if implemented).

Presented By

Prashant Mahajan

Androsia - A Step Ahead in Securing Sensitive In-Memory Android Application Data

Each Android app runs in its own VM, with every VM allocated a limited heap size for creating new objects. Neither the app nor the OS differentiates between regular objects and objects that contain security-sensitive information. The sensitive objects, like any other object, are kept around in the heap until the app hits a memory constraint. The OS then invokes the Dalvik garbage collector in order to reclaim memory from unreferenced objects on the heap and provides the reclaimed memory back to the app. However, there is no guarantee the objects containing security-sensitive information will be cleared from memory. Even though objects might not be used later in the program, they might still be referenced directly or indirectly by a GC root, which would prevent them from getting collected - a situation known as a memory leak.

Android does not provide explicit APIs to reclaim memory from sensitive objects which are not "used" later in the program. "*" library does provide classes for holding sensitive data (like KeyStore.PasswordProtection) and APIs (like destroy()) to remove sensitive content from the objects. However, the onus of calling these APIs is on the developer. Developers may invoke these APIs at a stage very late in the code or, worse, may even forget to invoke them. This leaves a window of time where the security-critical objects, which are not used any further in the program, live in the heap memory and wait to be garbage collected. During this window, a compromise of the app can allow an attacker to read the credentials by dumping the heap memory. This is a needless risk every Android application lives with today.

We propose a tool called Androsia, which uses a summary-based [1] inter-procedural data-flow analysis to determine the points in the program where security-sensitive objects are last used (so that their content can be cleared). Androsia then performs bytecode transformation of the app to flush out the secrets, resetting the objects to their default values.

[1] D. Yan, G. Xu, and A. Rountev. Rethinking Soot for summary-based whole-program analysis. In Proceedings of the ACM SIGPLAN International Workshop on State of the Art in Java Program Analysis, SOAP '12, pages 9–14, New York, NY, USA, 2012. ACM.

Presented By

Samit Anwer

Archery - Open Source Vulnerability Assessment and Management

Archery is an open-source vulnerability assessment and management tool which helps developers and pentesters to perform scans and manage vulnerabilities. Archery uses popular open-source tools to perform comprehensive scanning of web applications and networks. It also performs dynamic authenticated scanning of web applications and covers the whole application by using Selenium. Developers can also use the tool in their DevOps CI/CD environment.

The main capabilities of Archery include:
  • Perform Web and Network Vulnerability Scanning using open-source tools.
  • Correlate and collaborate on all raw scan data and show it in a consolidated manner.
  • Perform authenticated web scanning.
  • Perform web application scanning using Selenium.
  • Vulnerability Management.
  • Enable REST APIs for developers to perform scanning and Vulnerability Management.
  • Useful for DevOps teams for Vulnerability Management.

Presented By

Anand Tiwari

Automated Penetration Toolkit (APT2)

Nearly every penetration test begins the same way - run an Nmap scan, review the results, choose interesting services to enumerate and attack/exploit, and perform post-exploitation activities. What was once a fairly time-consuming manual process is now automated! Automated Penetration Testing Toolkit (APT2) is an extendable modular framework designed to automate common tasks performed during penetration testing. APT2 can chain data gathered from different modules together to build dynamic attack paths. Starting with an Nmap scan of the target environment, discovered ports and services become triggers for the various modules, which in turn can fire additional triggers. Have FTP, Telnet, or SSH? APT2 will attempt common authentication. Have SMB? APT2 determines what OS is running and looks for shares, null sessions, and other information. Modules include everything from enumeration, scanning, brute forcing, and even integration with Metasploit. Come check out how APT2 will save you time on every engagement.

Have you seen APT2 before? Great, now come and check out some of the new and enhanced features, which include streamlined operations, additional modules, and improvements to the overall ease of module creation and development.

Presented By

Adam Compton


Active Directory domain privilege escalation is a critical component of most penetration tests and red team assessments, but standard methodology dictates a manual and often tedious process - gather credentials, analyze new systems we now have admin rights on, pivot, and repeat until we reach our objective. Then, and only then, we can look back and see the path we took in its entirety. But that may not be the only, nor shortest path we could have taken.

By combining the concept of derivative admin (the chaining or linking of administrative rights), Active Directory object control relationships, existing tools, and graph theory, we have developed a capability called BloodHound, which can reveal the hidden and unintended relationships in Active Directory domains. BloodHound is operationally-focused, providing an easy-to-use web interface and PowerShell ingestor for memory-resident data collection and offline analysis.

BloodHound offers several advantages to both attackers and defenders. Otherwise invisible, high-level organizational relationships are exposed. Most possible escalation paths can be efficiently and swiftly identified. Simplified data aggregation accelerates blue and red team analysis. BloodHound has the power and the potential to dramatically change the way you think about and approach Active Directory domain security.

Presented By

Andy Robbins

Cloud Security Suite - One Stop Tool for AWS/GCP Security Audit

Nowadays, cloud infrastructure is pretty much the de facto service used by large and small companies alike. Most of the major organizations have entirely moved to the cloud. With more and more companies moving to the cloud, the security of the cloud becomes a major concern. While AWS & GCP provide you protection with traditional security methodologies and have a neat structure for authorisation/configuration, their security is only as robust as the person in charge of creating/assigning these configuration policies. As we all know, human error is inevitable and any such human mistake could lead to catastrophic damage to the environment.

A few vulnerable scenarios:

  • Your security groups, password policy or IAM policies are not configured properly
  • S3 buckets are world-readable
  • Web servers supporting vulnerable SSL ciphers
  • Ports exposed to public with vulnerable services running on them
  • Root credentials are used
  • Logging or MFA is disabled
  • And many more such scenarios...

Knowing all this, auditing AWS/GCP infrastructure becomes a hectic task! There are a few open source tools that help with AWS/GCP auditing, but none of them have an exhaustive checklist. Also, collecting and setting up all the tools and looking at different result sets is a painful task. Moreover, while maintaining big infrastructures, system audit of server instances is a major task as well.

CS Suite is a one stop tool for auditing the security posture of the AWS/GCP infrastructure and does OS audits as well. CS Suite leverages the capabilities of current open-source tools and adds other missing checks into one tool to rule them all. CS Suite also supports JSON output which can be consumed for further usage.

Presented By

Jayesh Chauhan  &  Shivankar Madaan

CQTools: The Ultimate Hacking Toolkit

CQURE Team has written over 200 hacking tools during penetration testing. We decided to choose the top 35 tools and pack them in a toolkit called CQTools. This toolkit allows you to deliver complete attacks within the infrastructure, starting with sniffing and spoofing activities, going through information extraction, password extraction, custom shell generation, custom payload generation, hiding code from antivirus solutions and various keyloggers, and to leverage this information to deliver attacks. Some of the tools are based on discoveries that were released to the world for the first time by CQURE Team; some of the tools took years to complete, and all of the tools work in a straightforward manner. CQTools is the ultimate toolkit to have when delivering a penetration test. The tools simply work, and we use them in practice during our cybersecurity assignments. Come and have a look at how our CQTools can boost your penetration testing experience!

Presented By

Paula Januszkiewicz  &  Greg Tworek

CrackMapExec v4.0

Ever needed to pentest a network with 10 gazillion hosts with a very limited time frame? Ever wanted to Mimikatz entire subnets? How about shelling entire subnets? How about dumping SAM hashes? Share spidering? Keeping track of all the credentials you pillaged? (The list goes on)! All while doing this in the stealthiest way possible? Look no further than CrackMapExec! CrackMapExec (a.k.a. CME) is a modular post-exploitation tool written in Python that helps automate assessing the security of *large* Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": abusing built-in Active Directory features/protocols to achieve its functionality and allowing it to evade most endpoint protection, IDS and IPS solutions. Although meant to be used primarily for offensive purposes, CME can be used by blue teams as well to assess account privileges, find misconfigurations and simulate attack scenarios. In this demo, the author will be showing off v4.0, a major update to the tool bringing more features and capabilities than ever before! If you are interested in the latest and greatest Active Directory attacks/techniques, weaponizing them at scale and general cool AD stuff, this is the demo for you!

Presented By

Marcello Salvati

CyBot - Open-Source Threat Intelligence Chat Bot (World Tour)

Threat intelligence chat bots are useful friends. They perform research for you and can even be note takers or central aggregators of information. However, it seems like most organizations want to design their own bot in isolation and keep it internal. To counter this trend, our goal was to create a repeatable process using a completely free and open source framework, an inexpensive Raspberry Pi (or even virtual machine), and host a community-driven plugin framework to open up the world of threat intel chat bots to everyone from the home user to the largest security operations center.

We were thrilled to debut the end result of our research (a chat bot that we affectionately call CyBot) at Black Hat Arsenal Vegas. We took the great feedback and ideas from an enthusiastic crowd and brought CyBot to Black Hat Europe for more fun. Now we are bringing CyBot to Asia to complete the world tour by spreading the word and increasing global collaboration.

So, if you know even a little bit of Python, you can help write plugins and share them with the community. If you want to build your own CyBot, the instructions in this project will let you do so with about an hour of invested time and anywhere from $0-$35 in expenses. Come make your own threat intelligence bot today!

Presented By

Tony Lee

Faraday v3 - Collaborative Penetration Test and Vulnerability Management Platform

The idea behind Faraday is to help you to share all the information that is generated during a pentest, vulnerability assessment or scan without changing the way you work. You run a command, import a report, and Faraday will normalize the results and share them with the rest of the team in real-time. Faraday has more than 60 plugins available (and counting), including the most popular commercial and open-source tools. If you use a tool that Faraday doesn't have a plugin for, you can create your own! During this presentation we're going to release Faraday v3.0 with all the new features that we were working on for the last couple of months that include a huge back-end change. Come check it out!

Presented By

Emilio Couto

Firmware Analysis and Comparison Tool (FACT)

The Firmware Analysis and Comparison Tool (FACT) is intended to automate firmware security analysis. To that end, it is meant to be easy to use (web GUI), extend (plug-in system) and integrate (REST API). When analyzing firmware, you face several challenges: unpacking, initial analysis, identifying changes relative to other versions, and finding other firmware images that might share vulnerabilities you just found. FACT is able to automate many aspects of these challenges, leading to a massive speedup in the firmware analysis process. This means you can focus on the fun part of finding new vulnerabilities, whereas FACT does all the boring stuff for you.

Presented By

Peter Weidenbach


Have you ever needed to rapidly create a Windows VM with all your analysis tools? Do you get annoyed by constantly having to update each and every security tool to the latest version in your VMs? Has your VM not been updated or patched for years on end? If you answered yes to any of these questions, then you NEED the FLARE VM.

FLARE VM is the first of its kind freely available and open sourced Windows-based security distribution designed for reverse engineers, malware analysts, incident responders, forensicators, and penetration testers. Inspired by open-source Linux-based security distributions like Kali Linux, FLARE VM delivers a fully configured platform with a comprehensive collection of Windows security tools such as debuggers, disassemblers, decompilers, static and dynamic analysis utilities, network analysis and manipulation, web assessment, exploitation, vulnerability assessment applications, and many others.

FLARE VM comes in three flavors – Malware Analysis, Incident Response, and Penetration Testing editions. Each edition targets a specific task. For example, FLARE VM - Malware Analysis Edition is optimized for and contains tools specifically for reverse engineering malware. The tools included with FLARE VM distribution were either developed or carefully selected by the members of the FLARE (FireEye Labs Advanced Reverse Engineering) Team who have been reverse engineering malware, analyzing exploits and vulnerabilities, and teaching malware analysis classes for over a decade.

The security distribution works as an easily deployable package that you can install on an existing Windows installation. FLARE VM brings a familiar, easy-to-manage package management system to quickly deploy and customize the platform to suit your specific needs. After the initial installation, you can easily add, remove and update packages in the FLARE VM package repository.

During the session attendees will be familiarized with different tools, plug-ins and scripts offered on the FLARE VM to do the following:

  • How to go from a basic Windows installation to a fully deployed FLARE VM ready to analyze malware and conduct security assessments in 30 minutes or less.
  • Perform basic static analysis of a real malware sample to gather basic indicators.
  • Run the malware sample in a safe manner in order to manually gather dynamic indicators by simulating a complete network environment and carefully observing malware behavior with a variety of tools and techniques.
  • Deep dive into malware inner workings by using a number of disassemblers and decompilers available on the system.
  • Advanced dynamic analysis and generic unpacking techniques using debuggers, various plugins, and other tools that come with the distribution.
  • Learn how to customize the VM, create new packages and your own custom editions using the FLARE VM package repository.

Bring a Windows 7+ Virtual Machine to easily participate in the hands-on section of the demo.

Presented By

Peter Kacherginsky


GyoiThon is a growing penetration test tool using Deep Learning. Deep Learning improves classification accuracy in proportion to the amount of learning data. Therefore, GyoiThon will be taking in new learning data during every scan. Since GyoiThon uses various features of software included in HTTP response as learning data, the more you scan, the more the accuracy of software detection improves. For this reason, GyoiThon is a growing penetration test tool.

GyoiThon identifies the software installed on a web server (OS, middleware, framework, CMS, etc.) based on the learning data. After that, GyoiThon executes valid exploits for the identified software and automatically generates reports of the scan results. GyoiThon executes all of the above processing automatically.

GyoiThon consists of three engines:

  • Software analysis engine - It identifies software based on the HTTP responses obtained by normal access to the web server, using both a Deep Learning base and a signature base.
  • Vulnerability determination engine - It collects vulnerability information corresponding to the software identified by the software analysis engine. The engine then executes an exploit corresponding to the vulnerability of the software and checks whether the software is affected by the vulnerability.
  • Report generation engine - It generates a report that summarizes the risks of the vulnerabilities and the countermeasures.

Traditional penetration testing tools are very inefficient because they execute all signatures; however, unlike traditional penetration testing tools, GyoiThon is very efficient because it executes only valid exploits for the identified software. As a result, the user's burden will be greatly reduced, and GyoiThon will greatly contribute to the security improvement of many web servers.

Horus - Binary Library Security Scanning Engine

Horus is a scanning engine for mobile security, mainly used to detect security risks in binary libraries, including detection of binary vulnerabilities and malicious behavior. Horus is currently used within Alipay Inc. It is designed as a rule-based framework. As many mobile apps use a large number of third-party libraries - such as libopenssl, libffmpeg and so on - Horus supports security detection of various types of binary libraries. A new product or new task connects to it by calling the interface. By adding and removing defined rules (CVE, patch, txt), the user will get a distribution or matching statistic for vulnerabilities, backdoors, malicious activity, etc. It currently matches rules at different levels: binary function level, binary pattern level and binary instruction level.
Horus has resolved thousands of application security risks and has helped us improve the security of applications effectively and reliably. We want to open this security scanning engine through Arsenal. We hope to improve the matching algorithms and performance of Horus in the future with more AI power inside. We also hope more and more security developers can work together to improve Horus.

Presented By

Qin Chen  &  Jiashui Wang

Jackhammer - One Security Vulnerability Assessment/Management Tool

Jackhammer is an integrated tool suite that comes with out-of-the-box industry standard integrations. It is a first-of-its-kind tool that combines static analysis, dynamic web app analysis, mobile security, API security, network security, CMS security, AWS/Azure security tools, docker/container security, and a vulnerability manager that gives a complete glimpse into the security posture of the organization. Using this suite, even senior leadership can have a comprehensive view of their organization's security.

Why was it needed? Security, while imperative for any organization, is hard for most developers to comprehend. Security engineers need to scrutinize every service or app, which makes security analysis time-intensive and repetitive. What if there were a tool that could empower everyone to test their code for vulnerabilities, automate security analysis, and show the overall security hygiene of the company?

How does it work? Jackhammer initiates various types of scans using existing proven tools, and the results are consumed by the onboard vulnerability manager. A unique dashboard presents an intuitive interface, giving the user a holistic view of the code base. The normalized reports are instantly accessible to developers, QAs, TPMs, and security personnel.

It can be plugged/integrated with:

  • CI systems and Git via hooks, giving complete control over code commits
  • AWS/Azure accounts, to keep scanning the complete IP space in real time
  • Additional commercial/open source tools within a few minutes, with those tools managed from Jackhammer
  • Ticketing systems (like Jira)
  • Slack/PagerDuty for real-time alerting in addition to SMS and emails

It creates a sandbox using Docker for every tool, scales the systems up when a scan needs it, and scales them down on completion of the scans. The spin-up and tear-down is a completely automated process, so no person needs to look after the resources, making it inexpensive and cost-effective.

Mobile Security Framework - MobSF

Mobile Security Framework (MobSF) is an intelligent, all-in-one open-source mobile application (Android/iOS/Windows) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android, iOS and Windows mobile applications and supports both binaries (APK, IPA & APPX) and zipped source code. MobSF can also perform Web API security testing with its API fuzzer, which can do information gathering, analyze security headers, and identify mobile API specific vulnerabilities like XXE, SSRF, path traversal, IDOR, and other logical issues related to session and API rate limiting.

Presented By

Ajin Abraham

NetRipper - Smart Traffic Sniffing for Penetration Testers

NetRipper is a post-exploitation tool targeting Windows systems which uses API hooking in order to intercept network traffic. It also uses encryption-related functions from a low privileged user, making it able to capture both plain-text traffic and encrypted traffic before encryption/after decryption.

Presented By

Ionut Popescu

Objective-See's Mac Security Tools

Patrick drank the Apple juice; to say he loves his Mac is an understatement. However, he is bothered by the increasing prevalence of macOS malware and how both Apple & 3rd-party security tools can be easily bypassed. Instead of just complaining about this fact, he decided to do something about it. To help secure his personal computer, he's written various macOS security tools that he now shares online (always free!), via

Come watch as DoNotDisturb detects physical access attacks, LuLu blocks malware attempting to communicate with C&C servers, and much more. Our Macs will remain secure!

Presented By

Patrick Wardle

OWASP JoomScan Project

OWASP JoomScan (short for [Joom]la Vulnerability [Scan]ner) is an open-source project written in the Perl programming language that detects and analyses Joomla CMS vulnerabilities.

OWASP SecureTea Tool Project

The OWASP SecureTea Project was developed to be used by anyone who is interested in the security of IoT (Internet of Things), and it still needs further development. It functions by keeping track of the movement of the mouse/touchpad, detecting who accesses a laptop with a mouse/touchpad installed, and sending warning messages via Twitter.

Project Walrus: An Android App for Card Cloning

Project Walrus is an Android app we're developing to let pentesters make better use of their contactless card devices, like the Proxmark and the Chameleon Mini. Come and see how Walrus can help you on your next red team, or just come so I can clone your access cards.

Presented By

Daniel Underhay  &  Matthew Daley

Prowler - Cluster Network Scanner

Prowler is a Cluster Network Vulnerability Scanner, developed during the Singapore Infosec Community Hackathon - HackSmith v1.0. It is implemented on a cluster of Raspberry Pis and scans a network for vulnerabilities, such as default/weak credentials, that can be easily exploited.

Presented By

Faith See Wan Yi  &  Chi Seng Wong  &  Timothy Liu

puzzCode Make Backdoors Great Again!

puzzCode is a simple compiler based on MinGW, written in C#, that builds Windows applications in such a way that they can't be analysed by standard analysis tools (e.g. IDA, OllyDbg, x64dbg, Snowman Decompiler, etc.).

puzzCode uses MinGW to compile C/C++ source code to assembly language while also obfuscating every instruction. puzzCode transforms each original instruction into obfuscated code by breaking each function into countless pieces.

The most important thing is that the executable (exe) file, once compiled by puzzCode, will be undetectable by antivirus, as puzzCode effectively creates a completely new application.

Presented By

Sheng-Hao Ma


PyExfil is a data exfiltration package with various data exfiltration techniques for various scenarios.

Presented By

Yuval Nativ

QR Safety Scanner

A QR scanner that checks if the QR code contains malicious links. Recently, QR codes are being used everywhere: for advertisements, payments, name cards, etc. However, if someone were to exploit these QR codes by hiding malicious links, devices would be infected with malware.

Presented By

Tan Ashley


RouterSploit is an exploitation framework for embedded devices written in Python.

Presented By

Marcin Bury  &  Blane Cordes

Trape: The Phishing Evolution

Trape is a recognition tool that allows you to track people and make phishing attacks in real time; the information you can get is very detailed. The objective is to teach the world the possible outcomes through this strategy -- the big Internet companies could be monitoring you, getting information beyond your IP, such as the sessions of your sites or Internet services.

Presented By

Jose Pino  &  Jhonathan Espinosa


This tool automates the process of creating logon relations from MS Windows Security Events by showing a graphical relation among users, domains, source and destination logons, and session duration, as well as retrieving information regarding logged-on users at a given datetime (among other options), providing a starting point to begin the forensic analysis/incident triage.

Presented By

Chema Garcia

WiPi-Hunter - Detects Illegal Wireless Network Activities

WiPi-Hunter is developed for detecting illegal wireless network activities; however, it shouldn't be seen only as a piece of code. Instead, it is actually a philosophy. You can infer new methods of detecting illegal wireless network activity from this project. New methods, new ideas and different points of view can be obtained from this project.

Example: WiFi Pineapple attacks, Fruitywifi, mana-toolkit, karma attack.

WiPi-Hunter Modules:

  • PiSavar: Detects activities of PineAP module and starts deauthentication attack (for fake access points - WiFi Pineapple Activities Detection)
  • PiFinger: Searches for illegal wireless activities in networks you are connected to and calculates a wireless network security score (detects WiFi Pineapple and other fake APs)
  • PiDense: Monitors illegal wireless network activities. (Fake Access Points)
  • PiKarma: Detects wireless network attacks performed by KARMA module (fake AP). Starts deauthentication attack (for fake access points)
  • PiNokyo: If threats like WiFi Pineapple attacks or karma attacks are active nearby, users will be informed about these threats.

Presented By

Mehmet Kutlay Kocer  &  Besim Altinok

Zeus - AWS Auditing & Hardening Tool

Zeus is a powerful tool for AWS EC2 / S3 / CloudTrail / CloudWatch / KMS hardening best practices. It checks security settings according to the profiles the user creates and, at the user's request, changes them to the recommended settings based on the CIS AWS Benchmark.

Presented By

Deniz Parlak