Black Hat USA 2010 //Black Hat Arsenal

Caesars Palace Hotel & Casino, Las Vegas NV

wed: jul.28 | thurs: jul.29


This year Black Hat, in cooperation with Peak Security, is pleased to offer a Tool/Demo area for independent researchers and the open source community that will allow you to showcase your work.


Day One

Day Two

Presentation Speakers/Abstracts


WPA Too!

The world is fast moving towards WPA2 to secure all types of applications running over WiFi. WPA2 is the most robust security configuration available for WiFi networks and seems to have become de-facto security configuration for corporate WLANs. Interestingly, it is also being trusted to secure public WiFi Hotspots, municipal WiFi etc. This demo is about a vulnerability that has been discovered in WPA/WPA2 protocol. The vulnerability could be exploited by a malicious user to attack and compromise a legitimate user.

Md Sohail Ahmad is a wireless security researcher and currently works as a Manager Technology at AirTight Networks. He possesses strong background in secure wireless driver development, protocol development and wireless network security and vulnerability assessment. He has presented in several international security conferences such as Defcon, Toorcon, Comsware etc.

Chema Alonso


FOCA used to be a tool to analyze a network using metadata. Now, with FOCA 2, you can automate the fingerprinting process of a pentesting work just using it. FOCA 2 drives you through the phases of a security auditing process doing automatically the decision you are used to do manually. It help you to reduce time and money and doesn´t let you miss something. It does for you… and it´s free.

Chema Alonso is a Computer Engineer by the Rey Juan Carlos University and System Engineer by the Politecnica University of Madrid. He has been working as security consultant last six years and had been awarded as Microsoft Most Valuable Professional since 2005 to present time. He is a Microsoft frequent speaker in Security Conferences. He writes monthly in several Spanish Technical Magazines. He is currently working on his PhD thesis about Blind Techniques. Recently spoke in BH Europe 2008 about LDAP Injection & Blind LDAP Injection attacks, in DEF CON 16 about Time-Based Blind SQL Injection using heavy Queries, in Toorcon X about RFD (Remote File Downloading) and in DeepSec 2k8 in Austria. Recently has been selected to be presenting in HackCon #4 and HackCon #5 in Norway and in SchmooCon 2k9 in Washington DC, Black Hat Europe 2k9 , DEF CON 17 and Ekoparty and Argentina.

Francisco Amato


"Vulnerabilities are disclosed daily and in the best case new patches are released. Is so new that many application's update process have security weaknesses allowing fake updates injection. The new version of the framework will show how many updates system are still vulnerable to this trivial attack.

Francisco Amato is a researcher and computer security consultant who works in the area of vulnerability Development, blackbox testing,
reverse engineering. He runs his own company - [ISR] Infobyte Security Research, from where he published his developments in audit tools and vulnerabilities in products from companies like Novell, IBM, Sun Microsystems, Apple, Microsoft. Founding organizer of ekoparty south america security conference

Ryan Barnett

ModSecurity Demo Page (using the OWASP ModSecurity Core Rule Set)

To help facilitate easier community testing of the OWASP ModSecurity Core Rule Set (, a demonstration testing page has been created at This page allows anyone to send attack data through a live ModSecurity/CRS installation in order to identify any evasion issues. If a user identifies an issue, they can notify the project team by either submitting a bug report ticket or by sending an email to the OWASP ModSecurity CRS mail-list.

Ryan C. Barnett is a recognized security thought leader and evangelist who frequently speaks with the media and industry groups. He is currently a member of Trustwave's SpiderLabs Research Team. He is a SANS Institute faculty member, a member of the Open Web Application Security Project (OWASP) where he leads the ModSecurity Core Rule Set Project, as well as a Web Application Security Consortium (WASC) member where he leads both the Web Hacking Incident Database (WHID) and Distributed Open Proxy Honeypots Project. Mr. Barnett’s web security book, “Preventing Web Attacks with Apache,” was published by Addison/Wesley in 2006.
David Maynor is a founder of Errata Security and serves as the Chief Technical Officer. Mr. Maynor is responsible for day-to-day technical decisions of Errata Security and also employs a strong background in reverse engineering and exploit development to produce Hacker Eye View reports. Mr. Maynor has previously been the Senior Researcher for Secureworks and a research engineer with the ISS Xforce R&D team where his primary responsibilities included reverse engineering high risk applications, researching new evasion techniques for security tools, and researching new threats before they become widespread. Before ISS Maynor spent the 3 years at Georgia Institute of Technology (GaTech), with the last two years as a part of the information security group as an application developer to help make the sheer size and magnitude of security incidents on campus manageable. Before that Maynor contracted with a variety of different companies in a widespread of industries ranging from digital TV development to protection of top 25 websites to security consulting and penetration testing to online banking and ISPs.

Ron Bowes

Nmap Scripting Engine (NSE)

Expanding on Fyodor's Blackhat talk, Mastering the Nmap Scripting Engine, this demo will take an in-depth look at how the Nmap Scripting Engine (NSE) can make your job easier, whether you're a defender, attacker, or anyone in between. Whether building packets from the ground up (such as probing DHCP or finding sniffers) or using high-level protocols (such as MSRPC or AFS), NSE makes it easy. From brute-forcing a variety of protocols to finding high-risk vulnerabilities and infections, collecting system data from MSRPC and SNMP, finding open proxies and mail relays, or running remote code with psexec, there are over 125 NSE scripts for any purpose you can think of. Particular focus will be given to the SMB and MSRPC scripts, as are the product of significant research and development by the presenter. After seeing Fyodor's talk, come see Nmap in action! Disclaimer: many boxes were pwned in the making of this demo.

Please describe the relevance of this work to the Black Hat community:

NSE integrates some of the best concepts and features from tools like Nessus and Metasploit into the solid, fast, and proven Nmap Security Scanner. Whether you're an attacker or defender, the Nmap Scripting Engine (NSE) brings a whole new level of power to Nmap. With the large arsenal of scripts, and new scripts always being written, Nmap is becoming more powerful every day. Some of the newest scripts implement remote process execution (psexec), sophisticated database scanning, vulnerability and backdoor detection (such as the Energizer Trojan and UnrealIRCd backdoor, as well as Windows vulnerabilities), and discovering clients on an NTP server. This demo, which builds and expands on Fyodor's talk, Mastering the Nmap Scripting Engine, will cover a wide range of scripts for every purpose.

Ron Bowes entered the security industry during highschool when he taught himself assembly and reverse engineered the login sequences for several popular Blizzard titles (including Starcraft and Warcraft 3). Since then, he obtained a Bachelor of Computer Science at the University of Manitoba, and worked several jobs in the private industry before becoming a Security Analyst for a division of the government. Outside of his day job, he runs a security consulting company (Dash9 Security), he is an active Nmap developer, he compiles and disseminates research data on leaked or cracked passwords, and he currently maintains and developers dnscat, which implements reverse shells over DNS in new and clever ways.

Frank Breedijk


What is Seccubus? Seccubus automates regular vulnerability scans and provides delta reporting. It effectively reduces the analysis time for subsequent scans of the same infrastructure by only reporting delta findings.

Why? Anyone who has ever used Nessus or OpenVAS will be familiar with one of its biggest drawbacks. Nessus and OpenVAS are very valuable tools, but unfortunately also very noisy. The time needed to report on a single scan will often be two or three times the time needed to do the actual scan. Seccubus was created in order to more effectively analyze the results of regular scans of the same infrastructure.

How does it work? Seccubus runs vulnerability scans at regular intervals and compares the findings of the last scan with the findings of the previous scan. The delta of this scan is presented in a web GUI where findings can be easily marked as either real findings or non-issues. Non-issues get ignored until they change. This causes a dramatic reduction of the analysis time.

Frank Breedijk (@Seccubus) is employed as a Security Engineer at Schuberg Philis since 2006. He is responsible for the technical information security of Schuberg Philis Mission Critical outsourcing services. This includes, but is not limited to: * Security Awareness * Vulnerability management * Internal security consultancy * Internal technical audits * Seccubus development Frank Breedijk has been active in IT Security for over 10 years. Before joining Schuberg Philis he worked as a Security Consultant for INS/BT and Security Officer for Interxion. He managed the European Security Operations Center (SOC) for Unisys' managed security services. During this period Gartner labeled Unisys leader in the magic quadrant for Managed Security Services in Europe. Besides his day job Frank Breedijk develops Seccubus, is an active on Twitter and writes blog entries for He has also written magazine articles about Seccubus and security awareness.

Jonathan Cran

MSF Automation & AutoLab

Metasploit kicks a lot of ass as a pentesting tool, but how can i make it do exactly what i want it to do, when i want it to do it? This demo will focus on the myriad ways to automate metasploit and how to quickly extend it to do moere pentesting-type-things. Focus will be placed first on simple automation such as RC scripts, but quickly moving into RPC and additional forms of automation and extensibility. Ideally, the user should be able to automate most of their pentesting workflow by the end of the presentation.

An example outline of content:
- background info / outline
- using rc scripts for automation
- advanced rc scripts (including ruby to do backend work)
- using rpc to automate recon (and background on how we're building new functionality on top of rpc)
- advanced automation using rpc
- digging into the modules (and libraries) to understand how an module / attack works irb is your friend runthrough of the database structure
- tie it all together with automation of a pentesting workflow

Jonathan Cran is the QA engineer with the Metasploit Project - Prior to joining the Metasploit team, he led Rapid7's Professional Services team and specialized in external network penetration testing and web application assessment. In previous lives, he was a build engineer, developer, and network administrator at Iowa State University. He is an active member of the security community and an advisor for the SOURCE Boston conference. In his spare time, he enjoys producing and mixing musicks and replacing his personal responsibilities with lots of automation. He runs a blog at and can be usually be found starting flamewars on twitter (@jcran).

Claudio Criscione

VASTO, Virtualization security ASsessment TOolkit

VASTO is a metasploit-based toolkit engineered toward attacking virtualization infrastructures. It is written by a penetration tester for penetration testers, and is constantly updated to include new attacks. While focused on VMware testing, it can also target a number of different virtualization and cloud computing platforms.

VASTO can be deployed in a matter of minutes and anyone familiar with Metasploit will be able to use it in seconds. VASTO is freely available as an open source software, and the latest version will be release for Black Hat.

Claudio managed to score his first hack at the age of 10, to download more contents from the local BBS bypassing ratio restrictions. After that he hacked his way to graduation at Milano TU and started his PhD while working as the principal consultant at Secure Network. He's been involved in web application security and anomaly detection, and then moved into virtualization security to find a new toy. He presented in various conferences, including Blac kHat Europe, CONFidence and Syscan, and he's an editor at

Wendel Guglielmetti Henrique

thicknet - Oracle, Interrupted: Stealing Sessions and Credentials

In a world of free, ever-present encryption libraries, many penetration testers still find a lot of great stuff on the wire. Database traffic is a common favorite, and with good reason: when the data includes PAN, Track, and CVV, it makes you stop and wonder why this stuff isn’t encrypted by default. However, despite this weakness, we still need someone to issue queries before we see the data. Or maybe not... after all, it’s just plaintext.

Thicknet is an injection tool that listens for database authentication and queries, and then alters it to perform actions as designated by an attacker or execute downgrade attacks.

Wendel Guglielmetti Henrique is a Security Consultant at Trustwave's SpiderLabs, the advanced security team within Trustwave focused on forensics, ethical hacking, and application security testing for premier clients. He has worked with IT since 1997, with a specific focus on security for the last 8 years. During his career, he has discovered vulnerabilities across a diverse set of technologies including webmail systems, wireless access points, remote access systems, web application firewalls, IP cameras, and IP telephony applications.

A number of tools authored by Wendel have been featured in national magazines such as PCWorld Brazil and international publications like Hakin9 Magazine. In particular, Wendel developed the first tool to detect the infamous BugBear virus in 2002, before it was detected by popular anti-virus solutions. Recent presentations include Black Hat Europe 2010 (Spain) and OWASP AppSec Research 2010 (Sweden). Last year, Wendel spoke in Troopers 09 (Germany), OWASP AppSecEU09 (Poland), YSTS 3.0 (Brazil), and has previously spoken in well known security conferences such as Defcon 16 (USA) and H2HC (Brazil). During the past 4 years he has been working as a penetration tester, where he has performed countless network, application and web application penetration tests for various organizations across government, banking, and commercial sectors, as well as the payment card industry.

Aaron LeMasters

Web Historian 2.0; Web history artifact extraction and analysis; graphing, visualization, sorting, searching, filtering and profiling of complex web history data; customizable and simple UI; supports all major browsers and versions

MANDIANT Web Historian is a popular, free web history extraction tool. This demo will cover Web Historian 2.0, which has been rewritten and revamped with tons of cool new features focused mainly on increasing investigator productivity through an enhanced UI, advanced searching/sorting/filtering, reporting, and basic data visualization. Web Historian supports Firefox 2/3+, Chrome 3+, and Internet Explorer versions 5 through 8. Additional browser support and features will be unveiled at Blackhat Arsenal.

Please describe the relevance of this work to the Black Hat community: Blackhat traditionally has significant attendance from the incident response and network defense communities. Since both of these communities attempt to detect, diagnose and react to attacks, they are very interested not only in what artifacts of the attacks can be found in web history, but also how effective web history tools are able to visualize, filter and correlate potentially voluminous data. Additionally, web history extraction and analysis has been an important and relevant topic to the Blackhat community as evidenced by past conference presentations whose primary topic relied heavily on web history analysis.

Ryan Linn

Metasploit XMLRPC Data Sharing

Data sharing between team members and tools has been a problem for a long time. Most solutions involve passing notes around or trying to create an arbitrary structure that the data fits into. Metasploit has much of the data structures already defined and it is now accessible via XMLRPC. This demo is going to demonstrate data sharing between tools like Nmap and the Browser Exploitation Framework (BeEF) and Metasploit as well as python based tools that will allow you to build sample reports, compare results against previous sessions and both query and manipulate information directly in the Metasploit database. Because Metasploit is the backend, much of the recon, enumeration, and other gathering and scanning activities can generate data inside Metasploit that will be directly actionable either locally or remotely. With the XMLRPC component, it is possible to have multiple agents doing different tasks on different machines all checking back with the same data source, ensuring that when the data is queried that the most up to date information is available to testers.

Ryan Linn is an Information Security Engineer for SAS Institute. With over 10 years of experience in the computer industry, he is currently part of a team responsible for information security globally for one of the nations largest privately held software companies.

In addition to his day job, Ryan is a columnist for where he writes articles and tutorials helping to make security knowledge accessible. He has also spoken at local and national security conferences. In his off time, Ryan enjoys extending and augmenting security tools and has contributed to multiple open source projects including Metasploit.

Moxie Marlinspike

RedPhone and TextSecure

Come watch bits travel through the ether in a secure way as Moxie Marlinspike demonstrates two free secure calling and text messaging applications for Android phones. If there's time, he'll also demonstrate some personal tools like sslstrip, tortunnel, knockknock, and the service.

Moxie Marlinspike is a fellow at the Institute For Disruptive Studies with over thirteen years of experience in attacking networks. He recently published the null-prefix attacks on X.509, the session-denial attacks against OCSP, and is the author of both sslsniff and sslstrip -- the former of which was used by the MD5 Hash Collision team to deploy their rogue CA cert, and the latter of which continues to implement Moxie's deadly "stripping" technique for rendering communication insecure. His tools have been featured in many publications including Hacking Exposed, Forbes Magazine, The Wall Street Journal, the New York Times, and Security Focus as well as on international TV.

David Maynor

LookingGlass 2.0

In 2008 Errata Security released LookingGlass, a free tool designed to help QA engineers quickly assess the security of a Windows application by checking how closely secure development processes were followed. Initially a LookingGlass scan checked to see if security features like ASLR and NX were enabled and that no unsafe functions were used. LookingGlass has been downloaded over 100k times since its release and has been used by Errata Security in countless application assessments.

This summer Errata Security will release LookingGlass 2.0. The new version is still free and will have all the same functionality with added features like the ability to parse PDB files for more debug information, hooks to a debugger to give a count of how often unsafe functions are used and bug report generation to name a few. LookingGlass 2.0 is a lightweight application requiring no install and can analyze a binary on disk or at run time. LookingGlass gives QA engineers in-depth security knowledge at the click of a button.

The current LookingGlass URL is

Jon McCoy

"Tool: DotNetSpike Tool: Injector Demo hacks: SQL_Defend or SQL_Attack or HelloKittyer or TwitterBomb Research: Compromising .Net Applications at Runtime"

I will be showing tools that facilitate building highjacks for .Net programs. The first is Injector it provides access to the internals of .Net programs, allowing for the delivery of payloads. The second is DotNetSpike a payload to be deployed to make a target program malleable. These two tools will make it posable to infiltrate a .Net application to do research and make basic changes.

These tools are intended to facilitate the life cycle of compromising a program, from reconnaissance of a target application, to the mechanism for integration with the target and eventually as a deployable codebase.

DotNetSpike: What can it do to .Net program(s)

  • Edit the GUI (e.g. edit the real Objects on the GUI)
  • Mix GUIs between different applications (e.g. move a button between apps)
  • Directly access functions/code from the GUI (e.g. find a validation function)
  • Look at the object structure (beta - most basic)
  • Locate Objects and get information about them (e.g. get the timer, its name and type)
  • Rip code from memory (e.g. hunt malware or research how to make it)
  • Bypass encryption shells protecting your target's codebase.
  • And much more...

LICENSED UNDER: Creative Commons Attribution-Noncommercial 3.0 United States

Martin Murfitt

MSIE (Microsoft SQL Injection Extractor)

MSIE (Microsoft SQL Injection Extractor) is a tool designed to assist penetration testers in post-discovery exploitation of SQL injection vulnerabilities in Microsoft SQL Server-based applications. It combines different techniques to achieve data extraction in the fastest possible way but always directly through application server responses. For example, where the SQL injection is ‘error based’ the error messages are used to gather information directly. It can also operate in completely blind situations, using time delays to differentiate Boolean responses, extracting multiple characters simultaneously in multi-threaded mode.

Martin Murfitt works as a Penetration Tester for the SpiderLabs division of Trustwave and has over eight years continuous experience in the field of computer security. He ventured into the industry as a graduate employee of pioneering security firm NTA Monitor and quickly advanced via a series of career progressions to a senior position at industry leader NGSSoftware. He joined Trustwave in 2008 and is manager of the EMEA team.

Jason Nehrboss

Cisco IOS rootkits and malware: a practical guide

Cisco IOS is the predominant OS for networking devices on the internet. Cisco IOS has evolved an advanced feature set in the CLI and flexible scripting abilities that provide the network administrator with onboard real-time network event detection, automated network recovery functions, and other valuable capabilities. These features, however, may also be used to exploit critical network devices, network traffic traversing these devices and act as a launch point for further attacks into a network. This presentation discusses the use of and demonstrates an IOS Embedded Event Manager rootkit and worm. When a router is infected it can be leveraged into a powerful malware platform. Capabilities demonstrated will be network packet captures, forward and reverse shell connections, and a mini malware httpd server leveraged with ip address hijacking. A self replicating IOS worm with stealth features and self defense mechanisms are also demonstrated all with platform independent code.

Jason has worked in IT for 20 years. As Network/Security/Systems engineer he has secured a varied motley crew of networks over the years. He spends most of his time beating away at UNIX boxes and everything networking trying to get them more secure. He specializes in routers,switches and firewalls and their misuse.

Mariano Nuñez Di Croce

Onapsis Bizploit

"Onapsis Bizploit is the first Opensource ERP Penetration Testing framework. Developed by the Onapsis Research Labs, Bizploit is designed as an
academic proof-of-concept that will help security professionals in the discovery, exploration, vulnerability assessment and exploitation phases of
specialized ERP Penetration Tests. Currently, Bizploit is shipped with many plugins to assess the security of SAP business platforms. Plugins for other popular ERPs will be included in the short term.

Mariano Nuñez Di Croce is the Director of Research and Development at Onapsis. Mariano has a long experience as a Senior Security Consultant, mainly involved in security assessments and vulnerability research. He has discovered critical vulnerabilities in SAP, Microsoft, Oracle and IBM applications.

Mariano leads the SAP Security Team at Onapsis, where he works hardening and assessing the security of critical SAP implementations in world-wide organizations. He is the author and developer of the first open-source SAP Penetration Testing Framework and has discovered more than 50 vulnerabilities in SAP applications. Mariano is also the lead author of the “SAP Security In-Depth” publication.

Mariano has been invited to hold presentations and trainings in many international security conferences such as Blackhat USA/EU, HITB Dubai/EU, DeepSec, Sec-T,,, Ekoparty as well as to host private trainings for Fortune-100 companies and defense contractors. Mariano has a degree in Computer Science Engineering from the UTN.

Steve Ocepek


ackack is a tool that allows network administrators to track long-term sessions. It allows the user to whitelist authorized activity, such as instant messaging sessions, in order to discover potential backdoors into the environment. This tool can be used to detect IRC botnets, remote desktop applications, and any other connection that allows long-term, outsider access the network.

Steve Ocepek is the Director of Security Research at SpiderLabs, the advanced security team within Trustwave focused on forensics, ethical hacking, and application security testing for premier clients. Steve has been messing around with network security since 2001, when he unintentionally connected his new wireless card to an Oracle database cluster. From there, he started one of the first NAC companies, authored four patents, and got bought out twice. Steve holds a CISSP, and can be talked into almost anything that involves robots and PBR.

Jeongwook Oh


DarunGrim is a binary diffing tool. DarunGrim is a free diffing tool which provides binary diffing functionality.

Binary diffing is a powerful technique to reverse-engineer patches released by software vendors like Microsoft. Especially by analyzing security patches you can dig into the details of the vulnerabilities it's fixing. You can use that information to learn what causes software break. Also that information can help you write some protection codes for those specific vulnerabilities. It's also used to write 1-day exploits by malware writers or security researchers.

This binary diffing technique is especially useful for Microsoft binaries. Not like other vendors they are releasing patch regularly and the patched vulnerabilities are relatively concentrated in small areas in the code. That makes the patched part more visible and apparent to the patch analyzers. There is a ""eEye Binary Diffing Suites"" released back in 2006 and it's widely used by security researchers to identify vulnerabilities. Even though it's free and opensource, it's powerful enough to be used for that vulnerabilities hunting purpose. Last year, I released DarunGrim2 which is a C++ port of original python codes. DarunGrim2 is way faster than original DarunGrim.

And now I made more improvements over DarunGrim2 and DarunGrim3 is coming. It support web UI and python interface which enables you to automate whole binary diffing process. Also it supports signature-based pattern matching which helps researchers to identify vulnerability related codes fast and easily. I'll also show you how you can use static code analysis to find and confirm security vulnerabilities. There'll be actual examples that you can try.

Jeongwook Oh started his career as a firewall developer back in mid 90s. After that he spent few years doing security audits and penetration testing. Finally, he moved to California and joined eEye crew and did some IPS stuff. It involved userland and kernel land Windows hacking. Now he's working for WebSense Inc where he's doing researches related to malware and exploit detection.

Deviant Ollam

The Open Organisation Of Lockpickers

Although there is a “standard” size and shape for basic handcuff keys, every manufacturer has variations, special features, and sizing issues that make creating a single, universal key quite difficult. The Open Organisation Of Lockpickers, however, has created exactly this type of ""ultimate"" key that opens all major brands of handcuff, both in the United States and elsewhere around the world. Our key is verified as working with... Smith & Wesson (USA), Peerless (USA), ASP (USA), Chicago (USA), Winchester (USA), Hiatt-Thompson (UK), RBS (UK), Kyoung Chang (Korea), Yuil (Korea), Republic Arms (South Africa) ...and more. We have the math, we have the means, and will demonstrate to everyone how to obtain the best handcuff key you might ever own

Francis Brown, Rob Ragan

Google Bing and Beyond: Advanced Search Engine Hacking and Intelligence Gathering

During World War II the CIA created a special information intelligence unit to exploit information gathered from openly available sources. One classic example of the team’s resourcefulness was the ability to determine whether Allied forces had successfully bombed bridges leading into Paris based on increasing orange prices. Since then OSINT sources have surged in number and diversity, but none can compare to the wealth of information provided by the Internet. Attackers have been clever enough in the past to take advantage of search engines to filter this information to identify vulnerabilities. However, current search hacking techniques have been stymied by search provider efforts to curb this type of behavior.
Not anymore - our demonstration picks up the subtle art of search engine hacking at the current state and discusses why these techniques fail. We will then reveal several new search engine hacking techniques that have resulted in remarkable breakthroughs against both Google and Bing. Come ready to engage with us as we release two new tools, GoogleDiggity and BingDiggity, which take full advantage of the new hacking techniques.
We’ll also be releasing the first ever “live vulnerability feed”, which will quickly become the new standard on how to detect and protect yourself against these types of attacks. This demonstration will change the way you've previously thought about search engine hacking, so put on your helmets. We don't want a mess when we blow your minds.

Rob Ragan, is a Senior Security Associate at Stach & Liu, a security consulting firm providing IT security services to the Fortune 500 and global financial institutions as well as U.S. and foreign governments. Before joining Stach & Liu, Rob served as Software Engineer with the Application Security Center team of Hewlett-Packard (formerly SPI Dynamics) where he developed automated web application security testing tools, performed penetration tests, and researched vulnerability assessment and identification techniques. Rob has presented his research at leading conferences such as InfoSec World, has published several white papers, and is a contributing author to the upcoming Hacking Exposed: Web Applications 3rd edition.

Peter Silberman

Memoryze / Audit VIewer

As companies move towards quicker triaging of an ongoing incident, memory analysis is going to play a greater role in speeding up this process. Looking in 8 gig's of memory for malware is a lot easier than searching half a terabyte of data. As time goes on, hard drives will expand much quicker than RAM. Memoryze is a free memory analysis and acquisition tool that supports Windows 2003/7 x64, and x86 support for Windows 2000-2003, Vista. It allows users to enumerate processes, drivers, and hooks and to acquire processes and drivers or complete memory images. Audit Viewer is an open source visualization tool for Memoryze. It allows the user to quickly identify anomalies on the system, such as unsigned DLLs running in service processes, or processes that have command shells open. Audit Viewer supports the Malware Rating Index (MRI) which is a configurable rule set to help identify malware as generically as possible. It allows users to configure rules to find malware unique to their system, or generic to all systems.

Memoryze is completely free and does not have disabled features common in “free” versions of commercial tools. Audit Viewer is open source and has a powerful, configurable rule engine (MRI) that rivals commercial tools costing thousands of dollars.

Peter Silberman works at MANDIANT on the product development team. For a number of years, Peter has specialized in offensive and defensive kernel technologies, reverse engineering, and vulnerability discovery. He enjoys automating solutions to problems both in the domain of reverse engineering and rootkit analysis. Although he is college educated, Peter does not believe formal education should interfere with learning.

Matthieu Suiche

MoonSols Windows Memory Toolkit

MoonSols Windows Memory Toolkit exists in two editions. A free Community Edition, and a commercial Professional Edition. The toolkit includes utility to acquire Windows physical memory either in a linear format or a Microsoft crash dump format, locally or remotely. The toolkit also includes conversion memory image format for linear, Microsoft crash dump, and Microsoft hibernation images. More information can be found online at

Matthieu Suiche is a security researcher who focuses on reverse code engineering and volatile memory analysis. His previous researches/utilities include Windows hibernation file, Windows physical memory acquisition (Win32dd/Win64dd) and Mac OS X Physical Memory Analysis.

Matthieu has been a speaker during various security conferences such as PacSec, BlackHat USA, EUROPOL High Tech Crime Meeting, Shakacon etc. Prior to starting in 2010 MoonSols, a computer security and kernel code consulting and software company based in France, Matthieu worked for companies such as E.A.D.S. (European Aeronautic Defence and Space Company) and the Netherlands Forensics Institute of the Dutch Ministry of Justice.

Mario Suvajac

TitanEngine with TitanMist, both open source projects. NyxEngine, freeware tool

"TitanEngine was unveiled at last year’s Black Hat Las Vegas. Since it has become a premier file analysis library (400+ functions) used by Anti-Malware researchers and exploit developers worldwide.

TitanMist is a new and exciting open source tool that will combine in an easy to use package a definite set of well tested PeID signatures with 800+ other unpacking scripts. TitanMist will be unveiled at the Black Hat Las Vegas 2010. Binaries, demos and tutorials will be available for both projects. TitanEngine modules are extensions for TitanMist platform.

NyxEngine is a freeware tool that examines supported file formats in search for hidden (steganography) content and file format processing vulnerabilities. This tool has been launched at Black Hat Barcelona this year.

Mario Suvajac is a Reverse Engineer for ReversingLabs. He is a lead developer for TitanMist and TitanEngine open source projects. He several years of experience in Reversing Engineering and is passionate about file and format analysis.

Blake Turrentine

"1. DropBox And ThunderCell: Attack Boxes (All-in-One: Mac OSX, Windows and Linux OSes combined with opensource tools and essential commercial software) 2. The ThunderCracker: Pocket Drone (new product release @ Defcon) 3. Circumventing Fraud Detection (free scripts for Testing Session Hi-Jacking, Man-in-the-Browser and Man-in-the-Middle on Web Applications/ White paper) "

1. Some people defend, others are better at attacking. Having the right tools in your Arsenal is essential. It takes a blend of OSes, opensource and commercial software to make a truly effective attack system. This showcase highlights attack systems such as an All-in-One attack box featuring Mac OSX, Windows and Linux OSes that help standardize toolsets and resources for conducting security assessments.

2. Circumventing Fraud detection systems bring a breath of fresh air to Penetration Testing. Instead of just finding pin holes in web applications, the mindset and methodologies need to also include working within the application the way it was intended. The focus is to evade detection of fraudulent activities by simulating man-in-the-browser, man-in-the-middle and timing scenarios used in today's cutting edge malware.

Benjamin Uphoff


Net/FSE (Network Forensic Search Engine) is a server application for network operations released under the GPL version 2. The system consists of data capture, indexing and search services optimized for processing high-volume IP-based network log data. Log data from firewalls, intrusion detection systems, routers and other network devices is streamed to Net/FSE in near real time, providing network professionals on enterprise networks with fast drill down and analysis of billions of log records.

A web interface built on top of Tomcat and GWT (Google Web Tools) is integrated into the codebase. The UI is designed to be an easy to use workflow tool for network operations including security, compliance, troubleshooting and management. Socket-based APIs and HTTP-based XML APIs make integrating search of network log data fast and easy.

In June 2009 the 0.2 version of the open source Net/FSE was released at The 0.3 release is currently in progress. is the user community and information center for Net/FSE users.

Benjamin Uphoff is an Assistant Professor in the Electrical Engineering and Computer Science Department at the Milwaukee School of Engineering (MSOE). He received his Ph. D. in Computer Science from Iowa State University. Ben’s research interests are network security and intrusion detection systems for large, heterogeneous networks. He is also a co-founder of Packet Analytics, a venture capital-backed startup company in Santa Fe, NM. He currently holds the title of Vice President of Research at Packet Analytics. The company’s core technology is based on work he developed at the Department of Energy's Los Alamos National Laboratory where he was a member of the Detection, Analysis and Response Tools team and Computer Security Incident Response Team from 2001 to 2007.

David White

The "SECoverer Code Analysis Framework" as an integration platform for precise static string analysis with "Pixy" and dynamic invariant inference and validation with "WALER"

There comes the time where a true security expert has to look at some source code. Everybody knows that ""real men"" use vi, find, grep, and hair-raising Perl and shell scripts to analyze complex software projects. However, at some point, it makes sense to trade in stone knives and bearskins for tools that are more modern.

While security tools continue to become more sophisticated and capable the pain of security source code audits doesn't seem to decrease. This presentation describes the technologies behind advanced static and dynamic vulnerability analysis tools. New algorithms that precisely model the behavior of so-called ""sanitization"" routines help static analysis tools reduce both false positive and also false negative results. A novel approach to finding logical errors using a dynamic and static analysis tool recognizes the assumptions made during development and tries to find a code flow path that invalidates them. Live demonstrations will show that these new approaches are no longer purely theoretical.

In practice, even the best tools won't make security problems go away. The risks of the traditional rush to market are becoming increasingly apparent, and regulators and standardization organizations are beginning to put pressure on companies to fix problems before they arise. Auditors need to put results in context and communicate with their colleagues, developers, and management in a timely and efficient manner in order to implement pro-active security. We conclude with a discussion of new ways to ensure that bugs get fixed before it's too late.

David White is an experienced developer of applications large and small in a wide variety of languages on a wide variety of platforms. He and his colleague Andreas Nusser have spent the last years developing the SECoverer Code Analysis Framework in close collaboration with security professionals. In this time, he has acquired experience and theoretical insight into the construction of static analysis tools. His years of programming experience have also sensitized him to the importance of pro-active security in the software development process.

Mark Wuergler


SILICAU is Immunity's automated wireless attack utility designed to assess the security of wireless networks. Some of the features in SILICAU include:

- Recover WEP and WPA1/2 keys - Crack LEAP Authentication - Easily hijack HTTP web application sessions (think email, social networking, Intranet) - Reveal hidden SSIDs - Discover associated wireless clients - Automatically scan networks for vulnerabilities

Using SILICAU it is possible to reduce false positives common in most vulnerability scanners by actively exploiting discovered hosts using the latest CANVAS client-side and remote exploits complete with a variety of post-exploitation actions such as grabbing password hashes, all wireless keys and a screen shot of the active desktop from compromised machines. All of this at the click of a button!

A large percentage of those in attendance at Black Hat are security researchers, penetration testers and security consultants. SILICAU offers a tool that they can include in their “arsenal” that will aid them in their work. With the intuitive GUI and high focus on automation, SILICAU is the perfect tool to bring along on your wireless assessments or test the security of wireless networks all the way down to the hosts that connect to the network.

Mark Wuergler is an active SILICAU developer and security consultant for Immunity, Inc in Miami Beach Florida. For many years Mark has helped develop and teach advanced security courses and perform security assessments for Fortune 500 companies as well as government, financial and educational sectors all over the world. Before joining Immunity he was working as a lead security specialist for a security firm in Moscow Russia with a focus on application and wifi assessments.

M Zubair Rafique

GeheiemSMS & Research Work: Exposing the CCN (Criminal Cellular Network): SMS Vulnerabilities to Embed High Capacity Covert Channels

For security organizations whose responsibility it is to pledge security, any mode of communication without inspection between entities to evade a ‘security evaluation criteria’ highlights a serious risk. Covert Channels constitute an important security threat since they are used to ex-filtrate sensitive information, to disseminate malicious code and more alarmingly to transfer the criminal (or terrorist) instructions [“Bin Ladens Messages Could Be Hiding In Plain Sight”].

This work presents ‘0’ day vulnerabilities and weaknesses, that we discovered, in Short Message Service (SMS) protocol – the most used service of Cellular networks – that allow embedding of high capacity covert channels. We show that an intruder, by exploiting SMS vulnerabilities, can bypass existing security infrastructure (including firewalls, intrusion detection systems, content filters) of a sensitive organization and primitive content filtering software at an SMS Center (SMSC). We've found that the SMS in itself and along with its value added services (like picture SMS, ring tone SMS) appears to be much more susceptible to security vulnerabilities as compared to the other services in IP based networks.

To demonstrate the effectiveness of covert channels in SMS, we have developed a new tool – GeheimSMS – that embeds data bytes (not only secret, but also hidden) by composing the SMS in Protocol Description Unit (PDU) mode and transmits it from a mobile device using serial or Bluetooth link. The contents of overt (benign) message are not corrupted; hence the secret communication remains unsuspicious in transmission and reception of SMS. Our experiments on active cellular networks show that 1 KB of a secret message can be transmitted in less than 3 minutes by sending 26 SMS messages without raising alarm for a suspicious activity.

By illustrating these vulnerabilities and loopholes in SMS, we will recommend methodologies that will help sensitive organizations in particular and network operators in general in revamping their confidentiality, privacy, and security infrastructure. Moreover, we believe that our work will force the security community to issue a Request For Comments (RFC) for SMS security before criminals (or terrorists) start exploiting it (if they are not already doing it).

M. Zubair Rafique is a researcher at Next Generation Intelligent Networks Research Center (nexGIN RC). His research focus is network security, mobile security and vulnerability analysis. In 2009, he discovered the famous vulnerability in VoIP servers “INVITE of DEATH” that allows the attacker to crash the real world VoIP server, causing remote Denial of Service (DoS), with single malformed packet. He received his BSc degree in Electrical Engineering with majors in Telecommunication from the Center for Advance Studies in Engineering (CASE).

About The Black Hat Arsenal Event

Do you have a great tool or demo that you have been dying to bring to the attention of the Black Hat community?

This year Black Hat, in cooperation with Peak Security, is pleased to offer a Tool/Demo area for independent researchers and the open source community that will allow you to showcase your work. The concept is simple: We will be providing kiosks complete with monitor, power, wired internet access and you will bring your machine and have three hours to showcase your work and answer questions from delegates attending Black Hat. Spaces will be limited to a total of 32 unique tools/demos over the course of the Briefings.

What we hope to achieve: Greater awareness and access to terrific work for the security world at large.

What this is not: an exhibit space for big enterprise sized companies.

Priority is given to shareware/freeware tool developers and independent researchers.

If you are interested in participating, please complete the following application:

get DOC | get RTF


  • All presenters will be required to bring their own laptops with VGA output.
  • Selected presenters will be provided with gratis entry to the Briefings. No travel, accommodations or honorarium is provided.
  • Only a single presenter per accepted submission will be allowed gratis entry to the conference.
  • Access to view and tour the demo area and kiosks are available to the registered delegates of the conference and are not open to the general public.
  • No free expo passes are available for friends or family of presenters of the Arsenal.

Applications for the Arsenal will be accepted until July 1 with rolling acceptances until that date... so applying earlier is better than later! And, as always, Black Hat reserves the right to make the final determination of tools/demos for all stations. If there are any questions, please email


For more info, please visit: