Arsenal on March 16







0800 - 0900 + WELCOME TEA & COFFEE in Wintergarden
1000 - 1800
1000 - 1015 + break
1015 - 1115 Serkan Özkan:
1115 - 1145 + coffee service
1145 - 1245 Didier Stevens: PDF Tools | Jose Miguel Esparza: peepdf
1245 - 1415 + lunch break
1415 - 1515 Frank Breedijk: Seccubus | Tom Forbes: xcat
1515 - 1530 + break
1530 - 1630 Frank Breedijk: Seccubus | Andrey Labunets: Windbgshark
1630 - 1700 + coffee service
1700 - 1800 Mike Jordon + James Forshaw: CANAPE | Xavier Mertens: pastemon


NETpeas is the leading provider of COREvidence™, the first marketplace for security solutions in SaaS mode. COREvidence™ integrates solutions and services to create a single point of access. Customers have access to technology leaders in vulnerability management, compliance achievement and IT monitoring. COREvidence™ combines astonishing benefits such as flexibility of use based on a credit plan, accurate scanning using multiple APIs and engines, and unified straight-to-the-point deliverables.

Frank Breedijk


What is Seccubus?
Seccubus automates regular vulnerability scans and provides delta reporting.

The goal is to reduce the analysis time for subsequent scans of the same infrastructure by only reporting delta findings.

What's the issue?

Anyone who has ever used Nessus, OpenVAS, Nikto or another vulnerability scanner will be familiar with the drawback of such tools. Tools like Nessus are very valuable, but unfortunately their results contain a lot of noise. The time needed to interpret the results of a scan and create a report from them will often be two or three times the time needed to do the actual scan.

Seccubus was created in order to more effectively analyze the results of regular scans of the same infrastructure by efficiently interpreting results.

Frank Breedijk, CISSP, B ICT, has been employed as a Security Engineer at Schuberg Philis since 2006. He is responsible for the technical information security of Schuberg Philis Mission Critical outsourcing services. This includes, but is not limited to:

  • Security Awareness
  • Vulnerability management
  • Internal security consultancy
  • Internal technical audits
  • AutoNessus development

Frank Breedijk has been active in IT Security for over 10 years. Before joining Schuberg Philis he worked as a Security Consultant for INS/BT and Security Officer for Interxion. He managed the European Security Operations Center (SOC) for Unisys' managed security services. During this period Gartner labeled Unisys leader in the magic quadrant for Managed Security Services in Europe.

Besides his day job, Frank Breedijk is active on Twitter and writes blog entries for He has also written magazine articles about Seccubus and security awareness.

Jose Miguel Esparza


peepdf is a Python tool for exploring PDF files in order to find out whether a file can be harmful or not. The aim of this tool is to provide all the components that a security researcher could need in a PDF analysis, without having to use 3 or 4 tools to perform all the tasks. It's included in BackTrack and REMnux.

Some of the peepdf features:

  • It shows all the objects in the document, highlighting the suspicious elements and potential vulnerabilities.
  • It supports all the most used filters and encodings.
  • It can parse different versions of a file, object streams and encrypted documents.
  • It provides JavaScript and shellcode analysis wrappers, thanks to SpiderMonkey and Libemu.
  • It's able to create new PDF files and modify existing ones using obfuscation techniques.
  • It's able to extract all the information easily thanks to its interactive console.

Jose Miguel Esparza is a security researcher and has been working as an e-crime analyst at S21sec e-crime for more than 5 years, focused on botnets, malware and Internet fraud. He is the author of some exploits and analysis tools like Malybuzz and peepdf. He is also a regular writer in the S21sec blogs about security and threats on the Internet, and has taken part in several conferences, e.g. RootedCon (Spain), CARO Workshop (Czech Republic) and Source Seattle (USA).

Tom Forbes


The tool exploits XPath injection vulnerabilities in web applications and supports advanced exploitation features. Both XPath 1.0 and 2.0 are supported. The tool allows extraction of an entire XML database by exploiting the XPath vulnerability in web application frameworks. Some of the advanced features which xcat supports include:

  1. True and Error conditions (Blind Injection)
  2. Extracting Data over Out-of-band channels (HTTP, DNS)
  3. Abusing the DOC function and reading arbitrary XML files on the system

Tom is a university student who finished his summer internship at 7Safe last year. During the internship Tom worked on several interesting aspects of IT security. His research paper on Hacking XPATH 2.0 is the only material available on the internet on this topic.

Mike Jordon & James Forshaw


Citrix ICA is a complex multi-layered protocol which uses multiplexed frames, compression and encryption over a single TCP connection. Rather than creating a complete bespoke program to proxy and manipulate the traffic, CANAPE can be used to provide the networking, parsing and fuzzing infrastructure to significantly reduce development effort.

Michael Jordon is a Principal Consultant at Context Information Security and has 11 years' experience within the IT security and software development industry. Michael developed the Context App Tool (CAT), which is a web application security tool for performing manual application assessments. He has presented at various conferences including InfoSec, OWASP and RuxCon. He has also released advisories for software products including Sophos, Citrix and Outlook Web Access, and released a whitepaper on 'Assessing Cloud Node Security'.

James is a principal consultant at Context Information Security Limited, a UK-based security consultancy firm with a presence in Australia through our Melbourne office. He has been involved with computer hardware and software security for almost 10 years, with a skill set which covers the bread and butter of the security industry, such as application testing, through to more bespoke product assessment, vulnerability analysis and exploitation. He is also the developer of the CANAPE tool being presented at Black Hat. He has presented at a number of conferences including Chaos Computer Congress and Ruxcon.

Andrey Labunets


Windbgshark is an open source network debugging tool, designed to assist in reverse engineering of unknown protocols, traffic manipulation and searching for vulnerabilities in protocols and applications under Windows. The novelty of Windbgshark, relative to other debugging tools, is that it is tightly integrated with both the WinDbg debugger and the Wireshark packet analyzer, which makes handling the traffic and performing simple manual testing very rapid. At the same time, Windbgshark is a framework for building custom fuzzers and is useful for various debugging scenarios.

Other features include:

  • Reliable and unified inspection engine for both x86 and x64 applications (no code patching)
  • WinDbg scripting and automation are possible
  • The packet trace is captured, dissected and visible in Wireshark on the fly
  • Localhost traffic is also inspected

During the presentation I will demonstrate how to use basic Windbgshark features as well as how to implement a simple network fuzzer, uncover a memory corruption vulnerability and gather accurate reproduction steps and a crash dump with this tool (automatically, of course).

Andrey Labunets is currently a student at the Tyumen State University, pursuing his degree in computer security. His research focuses on reverse engineering of programs and protocols with applications in detection of vulnerabilities and exploit development. With DSecRG, Andrey was involved in vulnerability research of business applications and revealed several weaknesses and flaws in Oracle software. Now Andrey is working in the area of traffic analysis mechanisms and is responsible for development of the traffic inspection tool as a part of a corporate DLP solution. His experience and interests encompass a wide range of topics in information security and computer science, including formal verification methods and operating systems internals. He also enjoys playing around with debuggers and analyzing crash dumps.

Xavier Mertens


pastemon is a tool to monitor content for relevant information. Based on regular expressions, events are generated. Those can be further processed by log management / SIEM tools to increase awareness about a group of users, a brand or corporate data leaks.

Xavier Mertens is a Security Consultant working for C-CURE/Telenet Solutions, a Belgian consultancy company. His job focuses mainly on "security monitoring" solutions such as log management, SIEM and incident management, but also on audits and some pentests. Instead of following vendors, he prefers to find the best solutions to solve security issues. One of his preferred tools at the moment is OSSEC. He wrote several blog articles about this software to increase its performance or visibility. In parallel to his daily job, Xavier maintains his security blog and offers some spare time and resources to initiatives like BruCON (the Belgian security conference) and EuroTrashSecurity.

-pastemon -twittermon

Serkan Özkan

A security vulnerability database website, which collects data from multiple sources and provides some unique features like statistics, links to human-readable OVAL definitions, customizable RSS feeds (for example, you can subscribe to feeds for all vulnerabilities related to all Microsoft products, a single product or vulnerabilities of a single version of a specific product) etc. It collects OVAL data from several sources and provides a human-readable interface to OVAL data.

Owner of and Long time developer, part time penetration tester, security consultant.

Didier Stevens

PDF tools

Didier has released several free open source tools to help with the analysis of (malicious) PDF files. These tools are included in popular Linux distros like BackTrack and REMnux. One of these tools, pdfid, is also running on the number one virus scanning site VirusTotal.

Didier has also produced tutorials for these tools on YouTube.

But Didier has released many other offensive, defensive and forensic tools. Feel free to ask questions about these tools too.

Currently Didier is working on Cisco IOS forensic tools.

Didier Stevens (Microsoft MVP Consumer Security, CISSP, GSSP-C, MCSD .NET, MCITP, MCSE/Security, RHCT, CCNA Security, OSWP) is an IT Security Consultant currently working at a large Belgian Financial corporation.
He is employed by Contraste Europe NV, an IT Consulting Services company. You can find his open source security tools on his IT security related blog at