rss feed link header graphic

Black Hat Europe 2009 Briefings Speakers

Moevenpick City Center, Amsterdam • April 14-17

This is a partial speaker list for Black Hat Europe 2009. We expect to have the full list by February 15, so please keep checking this page.

capitol dome at night

Speakers and Topics

Register Button

Chema Alonso and Enrique Rando

Tactical Fingerprinting Using Metadata, Hidden Info and Lost Data

In 2003 Tony Blair was “bytten” by a word document which its metadata demonstrated had been edited. Since that days a lot of advisories warning about to keep free of undesired data all published document shown up around the whole Internet… but times went by and people don´t worry so much about this BIG problem. In this session you will see how analyzing all published documents in a website is possible to fingerprint a lot of (if not almost all) information about the internal network. This session will show you how to use FOCA tool to collect the files, gathering the information from ODF, MS Office, PDF/EPS/PS files, cross the information found with artificial intelligence rules and fingerprint big amount of info about the network structure, matching IP address with internal server names, printers, shared folders, ACLs…and to show how it can effectively be used by security consultants who traditionally could only offer source code fixes.

Chema Alonso is a Computer Engineer by the Rey Juan Carlos University and System Engineer by the Politécnica University of Madrid. He has been working as security consultant last six years and had been awarded as Microsoft Most Valuable Professional since 2005 to present time. He is a Microsoft frequent speaker in Security Conferences. He writes monthly in several Spanish Technical Magazines. He is currently working on his PhD thesis about Blind Techniques. Recently spoke in BH Europe 2008 about LDAP Injection & Blind LDAP Injection attacks, in Defcon 16 about Time-Based Blind SQL Injection using heavy Queries, in Toorcon X about RFD (Remote File Downloading) and in DeepSec 2k8 in Austria. Currently has been selected to be presenting in HackCon#4 in Norway and in SchmooCon 2k9 in Washington DC.

Enrique Rando is a Computer Engineer by the Malaga University. He has been working for fifteen years on end user support and systems administration. He is currently an official for the Andalusian Government, in Málaga (Spain), where he is the responsible for the Computer Department of the Employment Department.

Craig Balding

A Cloud Security Ghost Story

This presentation rips apart the hype and "newfangledness" of Cloud Services (IaaS, PaaS, SaaS etc) to expose the ghost in the machine. Just as the human brain has grown, built upon earlier, more primitive brain structures, so it is with the Cloud. With the advent of commercially available, pay-as-you-go public Cloud services, CFOs are casting a weary eye to the CIO in anticipation of joining the great infrastructure linedance in the sky. Meanwhile, vendors are jockeying for position to "enable" the Enterprise Cloud and Cloud brokers are trading excess compute capacity in data centers. What does all this mean from a security point of view? What are the security risks (and benefits)? Are you ready to face the ghosts in the Clouds?

Craig Balding is an IT Security Practitioner at a fast paced banking/finance Fortune 500 where he leads a global team of technical security specialists. He has a decade of hands-on IT Security experience, with over 15 years in the IT industry. He is a Chartered IT Professional, CISSP and co-author of "Maximum Security:A Hackers Guide to Protecting Your Network". He specialises in penetration testing, incident response, forensics, UNIX/Linux and ORACLE security. Craig founded where he blogs about Cloud Computing and Security -the subject of his BlackHat presentation. He also blogs at for people that are curious about life in the IT Security Industry.

Emmanuel Bouillon

Taming the Beast : Assess Kerberos-Protected Networks

Due to its universal support, to the fact that it is Microsoft's default and that it provides for a real SSO solution, Kerberos is a pervasive authentication protocol with a strong reputation of security. This talk will cover some of the issues involved with attacking a Kerberized network both under Unix and Microsoft Windows environment. It will review known yet underestimated implementation limitations and study under which circumstances they still lead to exploitable vulnerabilities. It will also present new ones that enable to step in the targeted systems. We will show how simple python codes implement those attacks. Finally, we will discuss some of the protocol evolutions and study their potential consequences in terms of security.

Emmanuel Bouillon has been working in Information Security for more than a decade. Currently a security expert employed by the CEA (French Atomic Energy Commission), He is in charge of a technical team dedicated to information security. Among its missions are incident handling, vulnerability assessment and penetration testing. His research interests include authentication protocols issues and information security in High Performance Computing environment.

Benjamin Caillat

WiShMaster - WIndows SHellcode MASTERy

Malicious codes have to be able to manipulate their own code in order to implement some viral techniques, like executable infections, memory-only execution or polymorphism.

Such manipulations are considerably simplified if the program comes in the form of a shellcode. There are few solutions to obtain a shellcode: one is to write source code in assembly, but it quickly becomes a boring work. Another is to write source code in C language in a specific way, so that compiled code doesn't contain any hardcoded address. However, writing C code like this is very boring too, and it quickly appears that using an automatic tool that generates "specific" code from "normal" code is indispensable.

WiShMaster is a tool that converts a set of C source files written "normally" (the compilation of those source files produce an executable) and generates a shellcode, that is a block of code without any hardcoded or external reference and that can run in any process at any address. If execution is redirected to its first byte, the shellcode will accomplish exactly the same operation than the executable generated through normal sources compilation.

This transformation - called "shellcodisation" - opens lots of facilities: quick implementation of advanced viral techniques, shellcodes' redistribution etc.

WiShMaster first release is available on my web site (

Benjamin Caillat is a teacher in the specialized master in IT security program of ESIEA, a French engineering school. Started a PhD in September 2008 on "the study of backdoors usage in companies' targeted attacks" in the IT security research laboratory of esiea. Publications:

* -SSTIC 2005 (French conference):Compromise companies' information system through its employees

* -Manager of the Challenge-SecuriTech in 2005 and 2006, a French security contest

* -Article about developing advanced backdoors for Windows in MISC 2008, a french IT security magazine

Lord Erroll

Keynote: Privacy Protecting People or People Protecting Privacy

Lord Erroll, 60, is a cross-bench member of the House of Lords and takes pride in "voting against stupid Government ideas whoever is in power". Born, Merlin Sereld Victor Gilbert Hay, he is the 24th Earl of Erroll, chief of the Scottish clan Hay and also Lord High Constable of Scotland.

Before taking up his seat in the Upper House, Lord Erroll served for 15 years in the Territorial Army as well as holding several technical roles as an IT consultant, programmer and system designer.

He is now active in many parliamentary committees, including PITCOM (Parliamentary IT Committee), EURIM (European Information Society Group) and E-RA, the E-business Regulatory Alliance.

Lord Erroll was also one of the leaders in the creation of the personal internet security report released last July by the House of Lords' Select Committee on Science and Technology, and is its foremost spokesperson.

In his spare time, Lord Erroll promotes Scotch whisky and writes for a blog about wine which he founded called the Secret Sommelier.

Bernardo Damele Assumpcao Guimaraes

Advanced SQL Injection Exploitation to Operating System Full Control

Over ten years have passed since a famous hacker coined the term "SQL injection" and it is still considered one of the major web application threats, affecting over 70% of web application on the Net. A lot has been said on this specific vulnerability, but not all of the aspects and implications have been uncovered, yet.

It's time to explore new ways to get complete control over the database management system's underlying operating system through a SQL injection vulnerability in those over-looked and theoretically not exploitable scenarios: From the command execution on MySQL and PostgreSQL to a stored procedure's buffer overflow exploitation on Microsoft SQL Server. These and much more will be unveiled and demonstrated with my own tool's new version that I will release at the Conference.

Bernardo Damele Assumpcao Guimaraes is an IT security engineer currently based in London (United Kingdom) and employed as penetration tester and security researcher for a renowned security company. In recent years he has been researching web application and database management systems security. He is sqlmap ( lead developer, MySQL UDF repository developer and Metasploit contributor.

Eric Filiol

OpenOffice Security Design Weaknesses

Document malware exists for Microsoft Office: the sadly known macro-viruses which still represent a numeric nuisance nowadays. The recent evolution of office suite towards free software - providing a high compatibility with existing office software – makes it very necessary to determine and evaluate the exact level of risk of the OpenOffice suite with respect to document malware, This paper presents an up to date in-depth evaluation of its security (release 3.0.x) based on the results established since 2006 and 2007. All those results as well as the different sources codes of our attacks have been communicated to the OpenOffice developers group in order to help them to correct the identified security weaknesses and thus enhance the overall security of the OpenOffice suite around the concept of Trusted OpenOffice suite.

While this suite has been developed towards more and more easy-to-useness, the overall security has not been modified at all since. Worrying security weaknesses that have been identified since can still be exploited. They still may be used by malware to spread through innocuous-looking documents by exploiting the feeling of trust based on encryption and digital signature. At the present time, it seems far easier to develop sophisticated document malware for OpenOffice than for Microsoft Office. It is worth mentionning that the attacks we present are NOT based on software (implementation) flaws but on conceptual weaknesses that urge a redesign of the whole software concept.

Finally this paper will discuss the pros and cons of both open and proprietary solutions, on a purely technical basis, as far as security is concerned. There is no such thing as a perfect solution. Therein lies all the complexity of doing computer security.

Eric Filiol is the Head Scientist Officer of the Operational Cryptology and Operational Computer Virology Lab at the French Army Signals Academy in Rennes and at the ESIEA Engineer Academy in Laval, France. He holds a PhD in Applied Mathematics and Computer Science, a Habilitation Thesis in computer science, as well as, an engineer diploma in cryptology. My main research interests are operational cryptanalysis of symmetric cryptosystems, malware modelization and cyberwarfare models from a military perspective.

Jean-Paul Fizaine is a researcher at the Operational Cryptology and Operational Computer Virology Lab at ESIEA Engineer Academy in Laval, France. He is also a graduate student in computer science and mathematics at the university of Poitiers. He holds a science degree in computer sicence of the university of Paris VII. His main research interests are malware modelization, malware and cryptographic risks, and operational malware research.

Hagen Fritsch

Stack Smashing as of Today: A State-of-the-Art Overview on Buffer Overflow Protections on linux_x86_64

This presentation is for everyone familiar with buffer overflows, but who lost track on the developments of the field during the last years. We look into mitigation techniques deployed in current linux boxes and how to get around them while light is shed with an additional focus on 64bit platforms as those are increasing in popularity. Known (and not yet known) techniques to bypass NX, ASLR or stack-cookies will be presented giving an overview of the field and the ability to assess the threat that buffer overflows still pose today.

Hagen Fritsch is a computer science student at Technische Universität München, currently finishing my master degree and am specializing in IT-security with a research focus on code analysis and verification, buffer overflows and mitigation techniques. I hosted the Stack Smashing Contest at 21C3 in Berlin, 2004. I am currently giving classes for IT-security and Networking at the Technical University of Munich and the Ludwig-Maximilian University.

Roberto Gassira' and Roberto Piccirillo

Hijacking Mobile Data Connections

The increasing diffusion of smartphones and, generally, Internet capable mobile phones, is making web access from phones a 'normal' activity for mobile users. Mobile Operators are also leveraging new services for increasing their revenues connected to mobile data connections. In this fast changing scenario, some 'small' details may lag behind and have not been yet addressed in the Mobile environment. Our work shows how the combination of several common factors, Mobile Operator Networks, handsets and systemic 'issues' allow an attacker to take complete control of user data connections. By exploiting these issues, an attacker will be able to intercept data connections and possibly inject content by using easily available tools and standard protocols.

The described methodology allows 'data extrusion' scenarios, applying also to sessions that are typically confined into the Mobile Operator Network.The presentation analyzes the protocols needed for such attack, outline the issues, propose an attack scenario and provide means for its exploitation.A remote web browsing session hijacking will be demonstrated. We believe that new attacks exploiting the described issues may surge in the next future.

Roberto Gassira' graduated in Computer Science with the thesis "Smartk, a smart card framework for the Linux Kernel." Roberto spent my PhD experience working on OS security based on smart cards. His career started as Security Analyst performing penetration test and vulnerability assessment of Web Applications. Currently he is working on Mobile Security as Security Researcher for Mobile Security Lab focusing on analysis and security assessment of embedded devices based on ARM architecture and mobile application by means of reverse engineering techniques.

Roberto Piccirillo is currently working as a Security Researcher for Mobile Security Lab. He graduated in Computer Science with the thesis "Graphical Representation and Animation for Cryptography Education". He mainly deals with Mobile Application and Protocol Security but he is also interested in binaries reverse engineering.

Rob Havelt

Yes It Is Too WiFi, and No Its Not Inherently Secure

Legacy 802.11 FHSS networks are alive and well. You see them in countless numbers of warehouses, retail environments, sometimes even in corporate networks. Unlike more modern 802.11 b/a/g/n these 802.11 FHSS networks are not treated as untrusted, oftentimes there will be no controls between these networks and corporate LAN environments. Sometimes vendors, and sometimes even credulous security consultants perpetuate the myth that this architecture is acceptable because unlike 802.11 off the shelf hardware to monitor these networks at the physical layer is not readily available.

Many times I've heard the argument that with these networks the SSID value is a security control as the attacker would need to know it to join the network, and that it would take "an expert attacker with thousands of dollars worth of highly sophisticated equipment to effectively sniff this over the air".

This talk will discuss the physical characteristics of 802.11 FHSS (PHY and MAC layer) and demonstrate practical methods of finding, eavesdropping, and attacking these networks, using basic, easily obtainable tools such as GNURadio and the USRP.

After demonstrating practical attack methodology, using actual real-life scenarios, I will discuss the security issues surrounding these legacy networks in production environments and the importance for security controls beyond obscurity.

Rob Havelt is the practice manager for penetration testing at Trustwave's SpiderLabs, the advanced security team within Trustwave focused on forensics, ethical hacking, and application security testing for premier clients. Rob has worked with offensive security seemingly forever, and from running a start-up ISP, to working as a TSCM specialist, he's held just about every job possible in the realm of system administration and information security. Formerly a bourbon-fueled absurdist, raconteur, and man about town, currently a sardonic workaholic occasionally seeking meaning in the finer things in life -Rob is, and will always be, a career hacker.

Anthony Lineberry

Alice in User-Land: Hijacking the Linux Kernel via /dev/mem

Rootkits are commonplace in today’s threat landscape and increasingly difficult to deal with for those responsible for keeping systems safe. Kernel rootkits are especially difficult to detect and remove due to the fact that they operate on the same level as the operating system itself, and are thus able to intercept or subvert any operation made by the operating system. With new techniques demonstrated in this talk, it is possible to subvert the Linux kernel via direct code injection through /dev/mem, the driver interface to physically addressable memory, instead of using kernel modules to insert malicious code. This presentation will provide understanding of emerging rootkit methodologies in the 2.6 linux kernel such as locating important structures in the kernel, manipulating the memory inside, and hijacking the system, all via /dev/mem along with practical defensive countermeasures. Additionally, there will be a demonstration of a proof of concept implementation of rootkit code that enables manipulation of virtually anything your heart desires utilizing /dev/mem.

Anthony Lineberry is a security researcher from Los Angeles who has been active in the security community for many years, specializing in reverse engineering code, researching vulnerabilities, and advanced exploitation development. He has written an open source kernel from scratch, helped with the first iPhone jailbreak, and feels uncomfortable speaking in the 3rd person. Professionally his experience includes working as a security researcher for McAfee, NeuralIQ, and currently with Flexilis.

Bruno Luiz

Shuntaint: Emulation-based Security Testing for Formal Verification

This presentation will demonstrates an approach to security testing, which allows proofs of erros from specification to a simulated computer program. The focus is on low-level tracking for observing of logical properties satisfy a formal specification of programming error based on Common Weakness Enumeration (CWE). It will include techniques for alter execution flow though instrumentation code, triggering occurence of error during simulated execution of the computer program. As a result, new Valgrind tool, software-based dynamic information flow tracking system to attack a wide range of programming errors.

Bruno Luiz's career in security was started with penetration testing followed with experience in security administration and designing of security systems. Currently is a independent security researcher and consultant. He has many contributions, emphasis on Black Hat Briefings. Some of his areas of interest are:bug-finding, survivable systems engineering and penetration testing.

Moxie Marlinspike

Stripping SSL To Defeat HTTPS In Practice

This presentation will detail Moxie's SSL stripping technique, designed to side-step SSL as it is deployed in common web applications such as online banking and secure web logins. Additionally, there will be some discussion into possible mitigating patterns and solutions that have been proposed, as well as a look into what effect this technique might be having in the wild.

Moxie Marlinspike

Erez Metula

.NET Framework Rootkits: Backdoors Inside Your Framework

This presentation introduces application level rootkit attacks on managed code environments, enabling an attacker to change the language runtime implementation, and to hide malicious code inside its core. This presentation focuses on the .NET Framework, while covering various ways to develop malware (rootkits,backdoors,logic manipulation, etc.) for the .NET framework, by changing its behavior. It includes demos of information logging, reverse shells, backdoors, encryption keys fixation, and other nasty things.

This presentation also introduces ".Net-Sploit" - a new tool for building MSIL malware that will enable the user to inject preloaded/custom payload to the Framework core DLL.

The Whitepaper, .NET-Sploit, and source code can be found here

Erez Metula is a senior application security consultant, working as the application security department manager at 2BSecure. He has extensive hands-on experience performing security assessments, secure development consulting & training for clients in Israel and abroad such as banks, financial organizations, military, software development companies, telecom, and more. Erez is also a leading instructor for many information security training, especially on secure software development methodologies & techniques. He had lectured on advanced .NET security (and other development platforms) for worldwide organizations and is constant speaker for conferences such as Microsoft .NET Security User Group, OWASP (Open Web Application Security Project), and more. He holds a CISSP certification and is toward graduation of Msc in computer science.

Charlie Miller and Vincenzo Iozzo

Fun and Games with Mac OS X and iPhone Payloads

Mac OS X continues to spread among users, and with this increased market share comes more scrutinization of the security of the operating system. The topics of vulnerability analysis and exploit techniques have been discussed at length. However, most of these findings stop once a shell has been achieved. This paper introduces advanced payloads which help to avoid detection, avoid forensics, and avoid countermeasures used by the operating system for both Mac OS X and iPhone. These payloads include Meterpreter and userland-exec for forensics evasion and two iPhone payloads which work against factory iPhones, despite the deviceʼs memory protections and code signing mechanisms.

Charlie Miller is Principal Analyst at Independent Security Evaluators. He was the first with public exploits against Apple's iPhone and first phone running Google's Android operating system. He won the CanSecWest Pwn2Own competition in 2008. He was one of the top 10 computer hackers of 2008 according to Popular Mechanics.

Vincenzo Iozzo is a student at the Politecnico di Milano where he does some research regarding malware and IDS. He is involved in a number of open source projects, including FreeBSD due to Google Summer of Code. He also works as a security consultant for Secure Network, an Italian company, and as a reverse engineer for Zynamics.

Jon Miller, Alex Wheeler, David Bonvillian, and Neel Mehta

Cutting Through the Hype: An Analysis of Application Testing Methodologies

In this presentation we will discuss the different testing methodologies used when assessing the security of both binary applications as well as web-based applications. We will focus on the differences and advantages as they relate to blackbox testing, whitebox testing, graybox testing, reverse engineering, and fuzzing. Unfortunately there is no one testing methodology that provides the best balance of time and accuracy for every application, in this talk we will provide metrics for helping decide what methodology should be used for what types of applications.

Jon Miller is the Director of Assessment Sales for Accuvant. He has been active in the information security industry for the past 11 years working primarily as a penetration tester. Prior to joining Accuvant, Jon spent 5 years on the ISS X-Force consulting team.

Alex Wheeler manages the DVLabs Security Research group at TippingPoint. His group is responsible for developing protection to address vulnerabilities and incorporate them into TippingPoint's intrusion prevention systems. Previous to TippingPoint, Alex worked as the Principal Researcher at IBM ISS X-Force and has held management and technical positions within IT security. He holds a Master's degree from University of Chicago in Computer Science and a Bachelors degree from University of Wisconsin at Milwaukee in Accounting.

Alex comes from a reverse-engineering background and experience was cultivated through extensive static analysis of binary code in widespread security and networking technologies for vulnerabilities. He has discovered numerous systemic vulnerabilities in critical software and was awarded the 2008 Pwnie for “Best Server-Side Bug” with his discovery of flaws in Microsoft’s tcpip.sys.

David Bonvillain is the Director of Assessment Services for Accuvant and has provided security consulting services, primarily focused on vulnerability analysis and penetration testing, for clients in a nearly all industry verticals for the past 11 years. He is responsible for providing technical leadership for Accuvant’s security practice in the area of security assessments and penetration testing. Previously he spent 4 years as a senior consultant with Internet Security Systems X-Force professional services and prior to ISS was a senior security consultant with Netrex.

Neel Mehta works as an application vulnerability researcher at ISS X-Force, and like many other security researchers comes from a reverse-engineering background. His reverse engineering experience was cultivated through extensive consulting work in the copy protection field, and has more recently been focused on application security. Neel has done extensive research into binary and source-code auditing, and has applied this knowledge to find many vulnerabilities in critical and widely deployed network applications.

Mariano Nunez Di Croce

SAP Penetration Testing

While there is plenty of publicly available information on how to assess and secure operating systems, databases, wireless devices and Web applications, the security of Enterprise applications is still taking baby steps . If you are a professional pentester and are required to run an SAP security assessment, where would you start? nmap? nessus? And after that? SAP systems are complex, running many applications and interfaces. Therefore, the assessment of these systems requires specific techniques and tools.

In this talk you will learn how to start an SAP pentest, what and where to look for. You will look into the whole process, from the information discovery stage to the exploitation phase, with a LOT of LIVE DEMOS! Moreover, you will learn how to use sapyto, the first opensource SAP Penetration Testing Framework, which will help you with your SAP security assessments. Moreover, during this talk, a new sapyto version will be released!

On the other hand, if you are a security administrator you *must* know how to protect the systems storing and processing your critical business information, being aware of unsecure default configurations that will render your systems vulnerable, as well as the current and future attacks that will try to exploit them. This talk will also detail the ways in which you can protect yourself against potential attackers, helping you to increase the security level of your SAP installation and protecting your business.

Mariano Nunez Di Croce is a senior security researcher working at CYBSEC, mainly involved in Penetration Testing and Vulnerability Research. In the research field, he has discovered critical vulnerabilities in Microsoft, Oracle and Watchfire products as well as more than 40 vulnerabilities in SAP systems, many of which have been disclosed to the public. Mariano is now leading CYBSEC's SAP Security Team, where he has worked securing and assessing many critical SAP implementations. He is the developer of sapyto, the first SAP Penetration Testing Framework, and has also published white-papers and tools about this subject.

Mariano has been invited to hold presentations and trainings in many international security conferences such as Blackhat, Sec-T,, Ekoparty, DeepSec, CIBSI as well as to host private trainings for Fortune-100 companies and defense contractors. Mariano has a degree in Computer Science Engineering from the UTN and in his free time he enjoys staying away from his computer.

Mariano Nunez Di Croce

Alternate: Testing Internet-facing SAP Services: The SAProuter

The SAProuter is an SAP application-level gateway developed to "protect your SAP network against unauthorized access". Therefore, by analyzing incoming connection attempts, the SAProuter will authorize or reject remote access to internal SAP systems. Every SAP implementation has at least one SAProuter, which many times is completely exposed to the Internet.

This talk will demonstrate different techniques and tools to assess the security of one of the most critical SAP components. You will see how wrong configuration can lead to complete exposure of the internal SAP network to Internet, as well as the whole company network.

Furthermore, we will present you the saprouterAgent, a sapytoAgent that will allow you to escalate privileges into the internal network in security pentests. All the presented tools will be available in the next public sapyto version, released at the presentation!

Finally, we will show how to protect your network from external attackers by secure configuration and implementation of your SAProuter systems.

Mariano Nunez Di Croce is a senior security researcher working at CYBSEC, mainly involved in Penetration Testing and Vulnerability Research. In the research field, he has discovered critical vulnerabilities in Microsoft, Oracle and Watchfire products as well as more than 40 vulnerabilities in SAP systems, many of which have been disclosed to the public. Mariano is now leading CYBSEC's SAP Security Team, where he has worked securing and assessing many critical SAP implementations. He is the developer of sapyto, the first SAP Penetration Testing Framework, and has also published white-papers and tools about this subject.

Mariano has been invited to hold presentations and trainings in many international security conferences such as Blackhat, Sec-T,, Ekoparty, DeepSec, CIBSI as well as to host private trainings for Fortune-100 companies and defense contractors. Mariano has a degree in Computer Science Engineering from the UTN and in his free time he enjoys staying away from his computer.

Enno Rey and Daniel Mende

All Your Packets Are Belong to Us - Attacking Backbone Technologies

The year 2008 has seen some severe attacks on infrastructure protocols (SNMP, DNS, BGP). We will continue down that road and discuss potential and real vulnerabilities in backbone technologies used in today's carrier space (e.g. MPLS, Carrier Ethernet, QinQ and the like). The talk includes a number of demos (like cracking BGP MD5 keys, redirecting MPLS traffic on a site level and some Carrier Ethernet stuff) all of which will be performed with a new tool kit made available at the con. It's about making the theoretical practical, once more!

Enno Rey is a long time network geek with extensive knowledge in the protocol and device security space. Some people like to play with model railways, some with toys from Cupertino... he just likes to play with high end network equipment.

Daniel Mende is a German security researcher specialized on network protocols and technologies. He's well known for his Layer2 extensions of the SPIKE and Sulley fuzzing frameworks and has presented on protocol security at many occasions including Troopers08, CCC Easterhegg, IT Underground/Prague and ShmooCon. Usually he releases a new tool when giving a talk.

Rich Smith

VAASeline: VNC Attack Automation Suite

During network enumerations and pentests VNC servers are commonly found on otherwise-secured systems. VNC servers can often be the subjects of weak or blank passwords due to their presence as part of an organisation's 'Shadow IT' infrastructure, thus not conforming to password or authentication policies.

For these reasons, it was deemed preferable to have a generic method by which VNC systems could have arbitrary command execution scripted against them in an automated manner as part of a penetration test or vulnerability scan using only the Remote Frame Buffer (RFB) protocol on which VNC is built. While a seemingly simple task, due to the design of the RFB protocol, it quickly becomes complex and you are left thinking 'it shouldn't be this hard …. should it?' The reason for this from a programmatic perspective is the blind nature of the protocol: mouse and keyboard events input, framebuffer updates output. This makes input vectors very limited and outcome of supplied input essentially invisible to scripts as it is manifested as visual screen updates only.

The presentation discusses a generic method by which arbitrary commands can be executed on a VNC server only through the use of standard RFB protocol packet types, albeit through the inventive misuse of them.

In brief, a multi-step technique to use the clipboard of the target VNC server along with an uploaded VBScript clipboard monitor and the Client/ServerCutText RFB packet types as a crude RPC interface over which a custom but extensible ASCII protocol has been implemented to allow arbitrary, stateful actions to be taken on Win32 VNC servers using only the RFB protocol.

A library written in python to allow the technique to be easily used has be written and will be released under the LGPL license, along with the presentation. In addition a number of other VNC attack tools based on the same library will also be released, including:

  • Passive Clipboard Sniff: This allows the contents of the clipboards from both a VNC client and server to be grabbed off the wire by an attacker.
  • Active Clipboard Sniff: This allows the clipboard of a targeted VNC system to be monitored by a n attacker who is able to authenticate to a VNC server.
  • VNC Auto Auth: This allows a VNC server utilising password authentication to have its password enumerated by either dictionary or brute force attacks.

These tools help an attacker to get into a position whereby he is able to use the VNC RPC technique to take arbitrary scriptable actions on a target.

These tools can be easily scripted together to provide an entirely automated VNC server enumeration, password discovery and attacker action across an entire network as part of a penetration test.

Demonstrations of the tools, libraries and techniques will be shown in the presentation.

Finally the techniques should be generally applicable to the Remote Desktop Protocol also, although a library to support this is not ready for release at this time.

Rich Smith (Miami, FL) joined Immunity in October 2008 to lead R&D for CANVAS, Immunity's flagship product. Prior to joining Immunity, Rich has 5 years experience as a principal security researcher with HP Labs leading the Research In Offensive Technology and Threats. Rich has spoken at numerous international conferences,both public and private, and participated in both industry and EU sponsored infosec groups. Rich's most recent public research was in the area of permanent denial of service (PDOS) attacks against embedded systems, which he presented publicly in Singapore(SyScan),Taiwan(SyScan) and London (EUSecWest). Rich's technical expertise includes extensive toolset and exploit development in python, and experience with both network, desktop and embedded system security.

Roelof Temmingh and Chris Bohme

Integrating Maltego with Offensive and Defensive Open Source Tools

Last year we have shown how Maltego can discover and visually correlate all sort of interesting information. Since version 2.0.2 of the tool it is possible to extend the functionality with local transforms. This means that anyone with a little creative energy can write their own transforms (in any language) while using the power and flexibility of the framework. This year we will show how we can integrate offensive and defensive tools into Maltego, how little effort it takes, and the awesome power this combination of tools hold. We will show how log file analyzers, vulnerability scanners, port scanner, IDS logs and local databases all work in harmony together - without re-inventing the wheel! These local transforms will be released to attendees at the conference. We will also be revealing the long awaited v2.1 as well updated community editions.

Roelof Temmingh has been working in the security industry for 15 years. In 2000 he co-founded SensePost as technical director and later headed up the research and development section. During this time he developed many successful security assessment tools (such as Wikto and Suru), contributed to several books (such as Aggressive Network Self-Defense, How to own a continent, Nessus Network Auditing) and spoke at numerous international security conferences (Black Hat, Defcon, FIRST, CansecWest, RSA, etc.) . At the start of 2007 he left the company to start Paterva.

Chris Bohme, an electronic engineer by training, is currently the lead software architect at Pinkmatter Solutions. Since 1994 he has been involved in designing and building network security and crypto appliances. In 2002 he co-founded the software development house Pinkmatter Solutions, a company specializing in interesting software, ranging from network security and cryptography to RFID and satellite imagery. He is currently involved with Paterva to architect and develop the information collection and visualization tool Maltego. Chris’s pet projects include unifying spatial information and mined data for meaningful information gathering, security in earth observation satellites and building the ultimate robotic girlfriend...

Jeroen van Beek

Passports Reloaded Goes Mobile

In 2006, BlackHat Las Vegas presented a cloned ePassport. In 2008 Elvis' ePassport was found. This presentation will examine the different mechanisms used in ePassport to prevent cloning and creation of electronic travel documents with non-original content and ways to attack these mechanisms. Additionally we dive into the process of integrating emulator chips in existing travel documents. Also a new ePassport attack suite will be presented, allowing you to backup your passport chip with a mobile phone.

Jeroen van Beek is a Security Consultant and Security Researcher with over 6 years of professional experience in network security and penetration testing. In 2007, he presented the world’s first publicly available full blown cracker for Oracle 11g. Jeroen is a well-known guest speaker at several Dutch universities. Besides security, he likes sleeping, drinking wine, the sun and fast red Italian motorcycles.

Chris Wysopal

Detecting "Certified Pre-owned" Software and Devices

Is there lead in the paint of that Chinese toy or melamine in that baby formula? These are appropriate questions for the risks of today. But what about that codec or toolbar you just installed, or the digital picture frame you just purchased? Legitimate software and devices today are coming "certified pre-owned". It would be nice if AV companies could keep up with their blacklisting efforts but they have fallen behind. And when was the last time you scanned a web app or a digital picture frame for malicious code? AV just isn't up to the task. Static analysis with a ruleset that inspects for the telltale signs of malicious code can flag the badware. This presentation will outline how to inspect statically for rootkit behavior, anti-debugging code, timebombs, backdoor credentials, and network information leakage.

Chris Wysopal, Veracode’s CTO and Co-Founder, is responsible for the company’s software security analysis capabilities. In 2008 he was named one of InfoWorld's Top 25 CTO's and one of the 100 most influential people in IT by eWeek. One of the original vulnerability researchers and a member of L0pht Heavy Industries, he has testified on Capitol Hill in the US on the subjects of government computer security and how vulnerabilities are discovered in software. He is the author of “The Art of Software Security Testing” published by Addison-Wesley.

Stefano Zanero & Claudio Criscione

Masibty: a Web Application Firewall Based on Anomaly Detection

During this talk we will focus on why current web application firewalls and IPSs are basically useless, since they are misuse based (e.g. rely on rules). Since misuse detectors are unable to keep up with evolving attack schemes, evasion techniques, and custom applications, better anomaly detectors are badly needed.

Masibty is an anomaly detection reverse proxy, aimed at detecting web application attacks. It is able to detect zero-day attacks (the real thing, not a marketing-tainted redefinition) after an initial live training which does not require attack-free data.

Modularized for easy extension, in its current implementation it is able to detect and block anomalies in the DOM tree - therefore blocking XSS attacks - and in application parameters.

It is resilient to URL rewriting, and it was tested against in-the-wild exploits collected from the usual sources over a number of months, with the use of various forms of evasion.

Stefano Zanero received a Ph.D. degree in Computer Engineering from the Politecnico of Milano technical university, where he is an Assistant Professor. His current research interests include the development of Intrusion Detection Systems based on unsupervised learning algorithms, security of web applications and computer virology. He has been a speaker at international scientific and technical conferences, and he is the author and co-author of books and articles published in international, peer reviewed journals and conferences. He is a member of the board of the "Journal in Computer Virology", and acts as a reviewer for the "ACM Computing Reviews" and "IEEE Security&Privacy", as well as various primary international conferences. He is a member of the IEEE (Institute of Electrical and Electronics Engineers), the ACM (Association for Computing Machinery), and a founding member of the Italian Chapter of ISSA (Information Systems Security Association), for which he sits in the International Board of Directors. He has also been a columnist for Computer World Italy, and has been awarded a journalism award in 2003. Since 2004 he is a partner and CTO of Secure Network, a firm specializing in information security training and consulting, based in Milan.

Claudio Criscione has a M.Sc degree from the Politecnico di Milano technical university, with a master thesis on anomaly detection. A passionate developer and system architect, Claudio has been focusing on web application and virtualization security, with a twist on intrusion prevention. He has been working for the last 6 years as a freelance security consultant before joining in 2008, as a partner, Secure Network, a security consulting firm based in Milan

Black Hat Webcasts

Black Hat Social