white paper




  • ..cantor.dust..

    ..cantor.dust.. is an interactive binary visualization tool, a radical evolution of the traditional hex editor. By translating binary information to a visual abstraction, reverse engineers and forensic analysts can sift through mountains of arbitrary data in seconds. Even previously unseen instruction sets and data formats can be easily located and understood through their visual fingerprint. ..cantor.dust.. dramatically accelerates the analysis process, and, for the experienced user, forms an indispensable tool in the reverser's arsenal.

    Presented By:
    Christopher Domas

  • Armitage

    Armitage is a red team collaboration tool built on the open source Metasploit Framework. Released in December 2010, Armitage has seen constant updates and improvements since its inception--updates and improvements driven by feedback from its wonderful user community. This demonstration will show how Armitage works and dive into some of the lesser known features that are quite handy for penetration testers.

    Presented By:
    Raphael Mudge

  • ARPwner

    ARPwner is a tool to do arp poisoning and dns poisoning attacks, with a simple gui and a plugin system to do filtering of the information gathered, also has a implementation of sslstrip and is coded 100% in python, so you can modify on your needs

    Presented By:
    Nicolas Trippar

  • AWS Scout

    The scale and variety of Amazon Web Servers (AWS) has created a constantly changing landscape. What was previously managed by enterprise IT groups is now done through a variety of Amazon-based services, leaving many questions concerning the risk and security of these environments unanswered. This presentation will discuss the most common mistakes that we have seen in the field and show you how to audit them using AWS Scout.

    Scout is a security tool that lets AWS administrators make an assessment of their environments security posture. Using the AWS API, we can gather configuration data for manual inspection or highlight high-risk areas automatically. Rather than pouring through dozens of pages on the web, we can get an clear view of the attack surface.

    Presented By:
    Jonathan Chittenden

  • backfuzz

    Backfuzz is a fuzzing tool for different protocols (FTP, HTTP, IMAP, etc) written in Python. The general idea is that this script has several predefined functions, so whoever wants to write their own plugin's (for another protocol) can do that in few lines.

    Presented By:
    Matias Choren

  • Burp Extensibility Suite

    Whether it be several Class B Subnets, a custom Web Application utilizing tokenization, or the integration of 3rd party detection/exploitation software, there comes a time when your go-to testing application is not sufficient as is. With Burp Suite Extensibility you can push these requirements to the next level by building functionality that allows you to perform your required task, maintaining efficiency, value, and most of all, detection/exploitation of the specified target. Several Extensions along with a common extensibility framework will be on display demonstrating its ability, adaptation, and ease of use while overall being able to reach your testing requirements. Along with the demonstration, these extensions will be released to the public during the week of blackhat to encourage further development and extensibility participation.

    Presented By:
    James Lester

  • Bypassing Every CAPTCHA provider with clipcaptcha

    reCAPTCHA and other CAPTCHA service providers validate millions of CAPTCHAs each day and protect thousands of websites against the intertube bots. A secure CAPTCHA generation and validation ecosystem forms the basis of the mutual trust model and large scale damage can happen if any component of this ecosystem is compromised.

    The presentation explains third party CAPTCHA provider integration and explains vulnerabilities that affect almost every CAPTCHA provider including reCAPTCHA. These vulnerabilities can be exploited to completely bypass the protection offered by CAPTCHA providers. A new signature based tool clipcaptcha will be introduced and released that can be used to exploit these vulnerablities to bypass CAPTHCA provider protection. clipcaptcha's operational modes will be demonstrated. The operational modes include the following three mondes among others:

    • Avalanche Mode: All CAPTCHA validation requests are approved.
    • Stealth Mode: Only attacker provided CAPTCHAs are approved.
    • DoS Mode: All CAPTCHA validation requests are denied.

    Demonstrations will explain these modes along with live CAPTCHA provider bypass on the test server.

    Presented By:
    Gursev Singh Kalra

  • CrowdRE

    Reversing complex software quickly is challenging due to the lack of professional tools that support collaborative analysis. The CrowdRE project aims to fill this gap. Rather than using a live distribution of changes to all clients, which has proven to fail in the past, it leverages from the architecture that is being used with success to organize source code repositories: a system that manages a history of changesets as commit messages. The central component is a cloud based server that keeps track of commits in a database. Each commit covers one or more functions of an analyzed binary and contains information like annotations, comments, prototype, struct and enum definitions and the like. Clients can search the database for commits of functions by constructing a query of the analyzed binary's hash and the function offset. Different concurring commits for a function are possible; in such cases it is up to the user to decide which commit is better.

    This basic concept is sufficient for a collaborative workflow on a per-function basis for a shared binary. One exciting feature is a similarity hashing scheme that considers the basic block boundaries of a function. Each function is mapped on a similarity preserving hash of fixed size. A database query for such a functions similarity hash returns a set of functions sorted by their similarity value, and the analyst can choose amongst them. This is extremely helpful when analyzing variants based on the same code or generations of a malware family, for example.

    The CrowdRE client is now freely available as an IDA Pro plugin. CrowdStrike maintains a central cloud for the community to share their commits amongst each other. It is our goal to help building a public database of known, well annotated functions to speed up the analysis of standard components, somewhat similar to what BinCrowd (which is offline nowadays) offered but with support for multiple co-existing commits for the same function. We also supports list-based commit visibility to give users control over who else can see and import their contributions. In the coming days we will release a series of how-to blog posts and videos to speed up adoption of CrowdRE.

  • FakeNet

    FakeNet is a tool that aids in the dynamic analysis of malicious software. The tool simulates a network so that malware interacting with a remote host continues to run allowing the analyst to observe the malware's network activity from within a safe environment. The tool is extremely light weight running inside the same virtual machine as the malware. This allows dynamic malware analysis without the burden of setting up multiple virtual machines.

    It supports HTTP, SSL, DNS, and several other protocols. The tool is extendable via Python extensions. It redirects all traffic to it's listeners on the localhost, including traffic to hard coded IP addresses. It creates output specific to the needs of a malware analyst. It also has the ability to create a packet capture from local traffic; something that's not possible with pcap based tools such as wireshark.

    Presented By:
    Andrew Honig

  • Generic Metasploit NTLM Relayer

    NTLM auth blobs contain the keys to the kingdom in most domain environments, and relaying these credentials is one of the most misunderstood and deadly attacks in a hacker's corporate arsenal. Even for smart defenders it's almost like a belief system; some people believe mixed mode IIS auth saves them, NTLMv2 is not exploitable, enabling the IIS extended protection setting is all you need, it was patched with MS08-068, you have to be in the middle, you have to visit a website, you have to be an administrator for the attack to matter, etc. etc.


    http_ntlm_relay is a highly configurable Metasploit module I wrote that does several very cool things, allowing us to leverage the awesomeness of Metasploit and show the way for these non-believers:

    • HTTP -> HTTP NTLM relay with POST, GET, HTTPS support.
    • HTTP -> SMB NTLM relay with ENUM_SHARES, LS, WRITE, RM, and EXEC support. This extended support allows a lot of interesting attacks against non admins and multiple browsers that aren't currently available in Metasploit.
    • NTLMv2 support, which means that this attack now works a lot more often on modern windows environments.
    • Mutex support allowing information from one request to be used in a future request. A simple example of this would be a GET to retrieve a CSRF token used in a POST. A more complex example would be an HTTP GET request to recover computer names, and then using that information to SMB relay to those computers for code execution.

    It will be open source and I'll try my darndest to get it included in Metasploit proper before Blackhat.

    Presented By:
    Rich Lundeen

  • HTExploit bypassing htaccess restrictions

    HTExploit is an open-source tool written in Python that exploits a weakness in the way that htaccess files can be configured to protect a web directory with an authentication process. By using this tool anyone would be able to list the contents of a directory protected this way, bypassing the authentication process.

    Using HTExploit you will learn how to take advantage of weaknesses or miss-configurations in htaccess files, bypassing the authentication process. Download these protected files and proving against LFI, RFI and SQL Injection.

    Presented By:
    Maximiliano Soler

  • ice-hole 0.3 (beta)

    Ice-hole is a java email phishing tool that identifies when a user has clicked on the link. It allows internal organizations to test their users social engineering defenses. The tool can be used in conjunction with various third party software like SET, Java Keystroke loggers and the BEEF framework to create real life social engineering attacks. Ice-Hole can also be used with training websites to not only capture when a user clicks on a link, but register when their training has been completed. A simple email phishing tool that can be expanded upon in multiple ways

    Presented By:
    Darren Manners

  • Incident Response Analysis Visualization and Threat Clustering through Genomic Analysis

    By capturing real-time forensic information on thwarted zero-day attacks using virtual environments for browsers and PDF readers and feeding that information to the Invincea Threat Data Server, the paradigm can shift from one of post-facto breach detection and analysis to pre-breach forensic examinations on the motives and methods of the adversary. Feeding this information into a high dimention data analysis engine that categorizes malware based on core genomic characteristics, Invincea provides a visualization capability for malware research. A demonstration of this capability can be seen here -

    Presented By:
    Steve Taylor

  • iSniff GPS

    iSniff GPS performs passive wireless sniffing to identify nearby iPhones and iPads.

    Data disclosed by all iDevices when they connect to WiFi networks is used to track where each device has recently been. Each device's recent locations and other information is displayed on a live-updated map. There will be a live demonstration at Blackhat Arsenal.

    iSniff GPS is a combination of a commandline tool and web application written in Python. A turnkey Linux VM image containing the complete tool ready to run will be made available at Blackhat, with source code to be published on Github.


    Presented By:
    Hubert Seiwert

  • Kautilya and Nishang

    Kautilya is a toolkit and framework which allows usage of USB Human Interface Devices in Penetration Tests. The toolkit contains useful payloads and modules which could be used at different stages of a Penetration Test. Kautilya is tested with Teensy++ device but could be used with most of the HIDs. It has been successfully tested for breaking into Windows 7, Ubuntu11 and Mac OS X Lion.

    Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and post exploitation. The scripts are written on the basis of requirement by the author during real Penetration Tests. It contains many interesting scripts like download and execute, keylogger, password hash dumper, time based payload and much more.

    Presented By:
    Nikhil Mittal

  • LiME Forensics 1.1

    LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

    Presented By:
    Joe Sylve

  • MIRV

    MIRV (Metasploit's Incident Response Vehicle) is a new tool (based on Metasploit's meterpreter) which was created to address the perceived shortcomings in existing host-based incident response tools: they do not operate on large amounts of nodes, are difficult to get past change advisory boards that grant approval for deployment, are not stealthy and do not have the ability to be safely extended.

    MIRV's main design feature are the embedded Lua micro-agents to monitor various system activity events and the ability to act on those events using the full flexibility and most importantly - safety of Lua.

    It also revives the discussion of active defence - not just alarms, but traps: can the defender use the attacker's connection to obtain some information about the attacker's system, or even attack the attacker's system? An example based on terminal services shared drive feature is presented. MIRV's features can also be used for offence as a flexible rootkit and some examples are given.



    Presented By:
    Konrads Smelkovs

  • ModSecurity Open Source WAF

    ModSecurity is already the most widely deployed WAF in existence protecting millions of web sites, but we are now also announcing that we have ported the module to both the Microsoft IIS and Nginx platforms. These ports will allow you to run ModSecurity natively within the web servers you want to protect. Come to this demo to see the latest new features recently added to ModSecurity including crypto/hashing protections.

    Presented By:
    Ryan Barnett

  • OWASP Broken Web Applications Project

    The Open Web Application Security Project (OWASP) Broken Web Applications project ( provides a free and open source virtual machine loaded with web applications containing security vulnerabilities. This session will showcase the project and exhibit how it can be used for training, testing, and experimentation by people in a variety of roles.

    Demonstrations of the new 1.0 release will cover how the project can be used by penetration testers who discover and exploit web application vulnerabilities, by developers and others who prevent and defend against web application attacks, and by individuals who respond to web application incidents.

    Presented By:
    Chuck Willis

  • Oyedata for OData Assessments

    OData is a new data access protocol that is being adopted by many major software manufacturers such as Microsoft, IBM, and SAP but hasn't been publically explored in terms of security. OData aims to provide a consistent access mechanism for data access from a variety of sources including but not limited to, relational databases, file systems, content management systems, and traditional web sites. I will be presenting and releasing a new tool that can be used to assess OData implementations. Tool features include:

    • Intuitive GUI based tool written in C#.
    • Ability to create attack templates from local and remote Service Documents and Service Metadata Documents.
    • Ability to generate attack templates for Creation of new Entries, updating existing Entries, Service Operation invocation, Entry deletion etc…
    • Ability to export attack templates in JSON and XML formats that can be fed to custom Fuzzers.
    • Support for XML and JSON data formats.
    • Ability to engage the OData services for manual testing.
    • Data generator for EDMSimpleType test data generation.
    • Ability to generate "Read URIs" for Entities, Entity Properties and Entity Property Values.
    • Ability to identify Keys, Nullable and Non-Nullable Properties and indicate the same in the attack templates.
    • Web proxy, HTTP and HTTPS support.
    Presented By:
    Gursev Singh Kalra

  • peepdf

    peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to make all the tasks. It's included in BackTrack and REMnux.

    Some of the peepdf features:

    • It shows all the objects in the document, highlighting the suspicious elements and potential vulnerabilities.
    • It supports all the most used filters and encodings.
    • It can parse different versions of a file, object streams and encrypted documents.
    • It provides Javascript and shellcode analysis wrappers, thanks to Spidermonkey and Libemu.
    • It's able to create new PDF files and modify existent ones using obfuscation techniques.
    • It's able to extract all the information easily thanks to its interactive console.
    Presented By:
    Jose Miguel Esparza

  • phpmap

    Attempts to leverage the lack of input validation on the php eval() function in web applications.

    Presented By:
    Matt Bergin

  • Redline

    Redline is free utility from Mandiant that makes both experienced and entry-level incident responders faster and more efficient. Using Redline, responders can perform a guided investigation of possibly compromised systems.

    The updated version 1.5 of Redline includes new features and enhancements to existing capabilities, including:

    • Improved Analysis Capabilities
      • Include and search for Indicators of Compromise (IOC) and create a searchable report detailing any suspicious activity found matching those IOCs.
      • Simultaneously perform multiple tasks such as conducting an investigation while searching for IOCs.
      • Check the progress of an investigation at any time via "Background Tasks" in the main menu and receive a notification when a background task has been scheduled.
    • Enhanced Data Collection and Configuration
      • Configure and collect a much broader range of data about the target host, such as event logs and file listings.
      • Convert this into searchable data using the new IOC search options.
      • Specify a set of IOCs before collection and Redline will now help tailor the configuration to provide meaningful search results and ensure that all the data required by the chosen IOCs is collected.
      • See the detailed information associated with each indicator when choosing which indicators to include in a search.
    Presented By:
    Lucas Zaichkowsky

  • Registry Decoder

    The registry on Windows systems contain a tremendous wealth of forensic artifacts, including application executions, recently accessed files, application-specific passwords, removable device activity, search terms used and more. Existing registry analysis tools are poorly suited for investigations involving more than one machine (or even more that one registry file), for either registry acquisition or analysis. This problem is only exacerbated by the now-standard Volume Shadow Service, which makes available multiple historical copies of the registry by default. In order to make large scale investigations of the registry feasible, we developed Registry Decoder, an open source tool for automated acquisitions and deep analysis of the large sets of Windows registry data. Registry Decoder includes powerful search functionality, activity timelining, plugin-based extensibility, a differencing engine and multi-format reporting. Since its release at Blackhat Vegas Arsenal 2011, it has been downloaded almost 10,000 times and has been nominated for the Computer Forensic Software Tool of the Year by Forensic 4cast. This year at Blackhat we plan to release Registry Decoder 2.0 which has a number of new features, including new plugins, better timelining, and huge performance enhancements.

    Presented By:
    Lodovico Marziale

  • SAP Proxy

    The analysis and reverse engineering of SAP GUI network traffic has been the subject of numerous research projects in the past, and several methods have been available in the past for decoding SAP DIAG traffic. Until the release of SensePost's freely available proof of concept SAP DIAG tools (SAPProx and SApCap) in 2011, most methods were complicated and convoluted, or not in the public domain.

    SAP is widely used and normally stores information of great sensitivity to companies. However, by default the communication protocol can be described as telnet-meets-gzip and Secure Network Communication (SNC) is not enabled in most organisations where SAP GUI is used. Furthermore, the protocol can be abused with relatively devastating effect against both server and client side components.

    SensePost's tools for decoding and analysing SAP DIAG protocol has now been refined to a production ready, and offensive platform with scripting and fuzzing support. In addition, the toolset has been extended to include support for intercepting and decoding RFC-based communication.

    Presented By:
    Ian De Villiers

  • Semi-Automated iOS Rapid Assessment

    Apple's AppStore continues to grow in popularity, and iOS devices continue to have a high perception of security from both users and experts. However, applications on the AppStore often have security or privacy flaws that are not apparent, even to sophisticated users. Security experts can find these flaws via manual tests, but the enormity of the AppStore ensures that only a small minority of apps could ever be manually tested.

    This presentation will demonstrate a new tool and methodology to perform automated or semi-automated assessment of iOS applications and assist with manual testing.

    Presented By:
    Justin Engler

  • Smartphone Pentesting Framework

    As smartphones enter the workplace, sharing the network and accessing sensitive data, it is crucial to be able to assess the security posture of these devices in much the same way we perform penetration tests on workstations and servers. However, smartphones have unique attack vectors that are not currently covered by available industry tools. The smartphone penetration testing framework, the result of a DARPA Cyber Fast Track project, aims to provide an open source toolkit that addresses the many facets of assessing the security posture of these devices. We will look at the functionality of the framework including information gathering, exploitation, social engineering, and post exploitation through both a traditional IP network and through the mobile modem, showing how this framework can be leveraged by security teams and penetration testers to gain an understanding of the security posture of the smartphones in an organization. We will also show how to use the framework through a command line console, a graphical user interface, and a smartphone based app. Demonstrations of the framework assessing multiple smartphone platforms will be shown.

    Presented By:
    Georgia Weidman

  • Tenacious Diggity - New Google Hacking Diggity Suite Tools

    All brand new tool additions to the Google Hacking Diggity Project - The Next Generation Search Engine Hacking Arsenal. As always, all tools are free for download and use.

    When last we saw our heroes, the Diggity Duo had demonstrated how search engine hacking could be used to take over someone's Amazon cloud in less than 30 seconds, build out an attack profile of the Chinese government's external networks, and even download all of an organization's Internet facing documents and mine them for passwords and secrets. Google and Bing were forced to hug it out, as their services were seamlessly combined to identify which of the most popular websites on the Internet were unwittingly being used as malware distribution platforms against their own end-users.

    Now, we've traveled through space and time, my friend, to rock this house again…

    True to form, the legendary duo have toiled night and day in the studio (a one room apartment with no air conditioning) to bring you an entirely new search engine hacking tool arsenal that's packed with so much tiger blood and awesome-sauce, that it's banned on 6 continents. Many of these new Diggity tools are also fueled by the power of the cloud and provide you with vulnerability data faster and easier than ever thanks to the convenience of mobile applications. Just a few highlights of new tools to be unveiled are:

    • AlertDiggityDB – For several years, we've collected vulnerability details and sensitive information disclosures from thousands of real-time RSS feeds setup to monitor Google, Bing, SHODAN, and various other search engines. We consolidated this information into a single database, the AlertDiggityDB, forming the largest consolidated repository of live vulnerabilities on the Internet. Now it's available to you.
    • Diggity Dashboard – An executive dashboard of all of our vulnerability data collected from search engines. Customize charts and graphs to create tailored views of the data, giving you the insight necessary to secure your own systems. This web portal provides users with direct access to the most current version of the AlertDiggityDB.
    • Bing Hacking Database (BHDB) 2.0 – Exploiting recent API changes and undocumented features within Bing, we've been able to completely overcome the previous Bing hacking limitations to create an entirely new BHDB that will make Bing hacking just as effective as Google hacking (if not more so) for uncovering vulnerabilities and data leaks on the web. This also will include an entirely new SharePoint Bing Hacking database, containing attack strings targeting Microsoft SharePoint deployments via Bing.
    • NotInMyBackYardDiggity – Don't be the last to know if LulzSec or Anonymous post data dumps of your company's passwords on, or if a reckless employee shares an Excel spreadsheet with all of your customer data on a public website. This tool leverages both Google and Bing, and comes with pre-built queries that make it easy for users to find sensitive data leaks related to their organizations that exist on 3rd party sites, such as PasteBin, YouTube, and Twitter. Uncover data leaks in documents on popular cloud storage sites like Dropbox, Microsoft SkyDrive, and Google Docs. A must have for organizations that have sensitive data leaks on domains they don't control or operate.
    • PortScanDiggity – How would you like to get Google to do your port scanning for you? Using undocumented functionality within Google, we've been able to turn Google into an extremely effective network port scanning tool. You can provide domains, hostnames, and even IP address ranges to scan in order to identify open ports ranging across all 65,535 TCP ports. An additional benefit is that this port scanning is completely passive – no need to directly communicate with target networks since Google has already performed the scanning for you.
    • ombine Google/Bing hacking and data loss prevention (DLP) scanning on a massive scale, made possible via the power of cloud computing. Chuck Norris approved.
    • CodeSearchDiggity-Cloud Edition – Google recently shut down Code Search in favor of focusing on Google+, putting "more wood behind fewer arrows". I suppose we could have let the matter go, and let CodeSearchDiggity die, but that would be the mature thing to do. Instead, we are harnessing the power of the cloud to keep the dream alive – i.e. performing source code security analysis of nearly every single open source code project in existence, simultaneously.
    • BingBinaryMalwareSearch (BBMS) – According to the Verizon 2012 DBIR, malware was used to compromise a staggering 95% of all records breached for 2011. BBMS allows users to proactively track down and block sites distributing malware executables on the web. The tool leverages Bing, which indexes executable files, to find malware based on executable file signatures (e.g. "Time Stamp Date:", "Size of Code:", and "Entry Point:").
    • Diggity IDS – Redesigned intrusion detection system (IDS) for search engine hacking. Will still leverage the wealth of information provided by the various Diggity Alert RSS feeds, but will also make more granular data slicing and dicing possible through new and improved client tools. Also includes the frequently requested SMS/email alerting capabilities, making it easier than ever for users to keep tabs on their vulnerability exposure via search engines.

    So come ready to engage us as we explore these tools and more in this DEMO rich presentation. You are cordially invited to ride the lightning.

    Presented By:
    Francis Brown

  • ThreadFix

    ThreadFix is an open source software vulnerability aggregation and management system that allows software security teams to reduce the time it takes to fix software vulnerabilities. ThreadFix imports the results from dynamic, static and manual testing to provide a centralized view of software security defects across development teams and projects. The system allows companies to correlate testing results and streamline software remediation efforts by simplifying feeds to software issue trackers. By auto generating web application firewall rules, this system also allows companies to protect vulnerable applications while remediation activities occur. ThreadFix empowers managers with vulnerability trending reports that demonstrate software security progress over time.

    Presented By:
    Dan Cornell

  • Vega

    Vega is a GUI-based, multi-platform, free and open source web security scanner that can be used to find instances of SQL injection, cross-site scripting (XSS), and other vulnerabilities in your web applications. Vega also includes an intercepting proxy for interactive web application debugging. Vega attack modules are written in Javascript, users can easily modify them or write their own. The Vega web vulnerability scanner runs on Linux, Windows, and OS X.

    Vega can be downloaded from our website,

  • WATOBO - Web Application Toolbox

    Doing manual penetration tests on web applications is time-consuming and can be very boring or even frustrating. On the other hand, if you use an automated tool you often don't know if or how things have been checked because there's too much "Voodoo" under the hood.

    Each approach has its advantages and disadvantages but the selection of tools which merge both worlds is very limited. In this presentation I will introduce WATBO (Web Application Toolbox) which closes the gap and combines the advantages of both, the manual and the automated approach to web application assessments. WATOBO works like a local proxy and is analyzing the traffic on the fly for helpful information and vulnerabilities. It also has automated scanning capabilities, e.g. SQL-Injection, XSS-Checks and more. It can handle of One-Time-Tokens (aka Anti-CSRF-Tokens) and has powerfull session management capabilities.

    WATOBO is written in (FX)Ruby and was initially released in May 2010 as an open source project on SourceForge (

    Presented By:
    Andreas Schmidt

  • XMPPloit

    XMPPloit is a command-line tool to attack XMPP connections, allowing the attacker to place a gateway between the client and the server and perform different attacks on the client stream.

    The tool exploit, implementation vulnerabilities at the client & server side and XMPP protocol.

    The main goal is that all the process is transparently for the user and never replace any certificate (like HTTPS attacks).

    Some features are:

    • Downgrade the authentication mechanism (can obtain the user credentials)
    • Force the client not to use an encrypted communication
    • Set filters for traffic manipulation
    • Filters that have been implemented in this version for Google Talk are:
    • Read all the the user's account mails
    • Read and modify all the user's account contacts (being or not in the roster).

    A preliminary version was described in my talk 'XMPP, more than chat' ( presented in RootedCON 2012 (Spain).

    Presented By:
    Luis Delgado

  • zCore IPS - Modern Smartphone Security

    The awareness of cyber-espionage has increased significantly with recent malwares found, such as Stuxnet and Flame, and with the discovery of attacks, such as Aurora. A research published at DEFCON18 and BHDC showed that modern ARM architecture is not immune to vulnerabilities that are popular in X86 architecture. Hacking smartphones became common knowledge, and we've realized that it is only a matter of time until we will see the next Aurora on Smartphones. Hacking your computer has become harder with time and multiple versions so the attackers seek additional entry-points to your organization and your Smartphone, with features like VPN access being the perfect target!

    We will go through modern government-grade attacks on smartphones and will prove that the same smartphone you are carrying with you today can act as a spying-machine that will reveal all of your secrets and data to your enemies.

    The next step of the attackers will be finding a way into your internal network or other key-people at your organization, using the same infection routine. Smartphones hacking has increased significantly as more researched have adopted this new technology. We will cover recent attacks and threats that are being discovered every-day that puts us at risk!

    We will show and demonstrate several attack vectors that are being used today against targeted devices and how we're preventing those attacks using zCore IPS, our comprehensive Mobile IPS solution. This solution has been specially built for Smartphones with zMitigaion™, a highly effective technology for 0day protection offered to those who face targeted and government-grade attacks on Smartphones.

    Presented By:
    Itzhak (Zuk) Avraham