Talks and workshops
From BruCON 2012
 (Keynote) Ed Skoudis - Letting Loose the Dogs of (cyber) War
With the onslaught of recent headlines containing revelations of nation-state activity in computer attacks, a lot of people are wondering: What the heck is going on? Although controversial in some quarters, the militarization of cyber space proceeds apace. Some think that military operations in cyber space are impossible, impractical, or just plain evil. In this lively and hard-hitting presentation, Ed Skoudis will analyze the trends and look at where such activities may be heading. We'll then focus on some of the ramifications for the hacker community. How could cyber military action impact you and your hacking research? What steps should hackers take to prepare for a significantly more militarized cyber space? We'll discuss those issues, and many more.
 Georgia Weidman - Introducing the Smartphone Penetration Testing Framework
As smartphones enter the workplace, sharing the network and accessing sensitive data, it is crucial to be able to assess the security posture of these devices in much the same way we perform penetration tests on workstations and servers. However, smartphones have unique attack vectors that are not currently covered by available industry tools. The smartphone penetration testing framework, the result of a DARPA Cyber Fast Track project, aims to provide an open source toolkit that addresses the many facets of assessing the security posture of these devices. We will look at the functionality of the framework including information gathering, exploitation, social engineering, and post exploitation through both a traditional IP network and through the mobile modem, showing how this framework can be leveraged by security teams and penetration testers to gain an understanding of the security posture of the smartphones in an organization. We will also show how to use the framework through a command line console, a graphical user interface, and a smartphone based app. Demonstrations of the framework assessing multiple smartphone platforms will be shown.
 Robert McArdle - HTML5 - A Whole New Attack Vector
In this talk we will look at HTML5 from an attackers view-point. Because not only does HTML5 bring us Semantic web, editable content, inbuilt form validation, local storage, awesome video support and the long overdue death of <div> - it also opens up a host of new opportunities for attackers.
 Raul Siles - Security of National eID (smartcard-based) Web Applications
National electronic identification (eID) smartcards are used by millions of European citizens, for example in Belgium and Spain, and worldwide, as a key element for authenticating to critical web applications in both the public and private sectors. This identification technology, commonly used to access a variety of eGovernment web services as well as the websites of financial, insurance and utility companies, is considered secure. However, given the lack of web auditing and pen-testing tools to thoroughly evaluate the smartcard-based authentication process and the subsequent session management... can we really trust the security of these eID services and web applications? The eID smartcard can be secure, but... is it used in a secure way? Let's take an in-depth look at the current landscape through security tools, practical demonstrations and educational scenarios from real-world penetration tests in Spain, a leading country in this area with more than 25 million eIDs.
 Andreas Bogk - Herding RATs
It all started out with a seemingly harmless request: "Could you have a look at our traffic, whether there is something suspicious?" Of course there was. 14 different remote access toolkit binaries, 80 infected hosts and four groups of attackers later, there wasn't anything suspicious anymore. Tales from the trenches of fighting APT RATs.
This talk will give an overview of the tools and techniques used to isolate network traffic and binaries used in an ongoing attack. It will also illustrate the strategies and techniques employed by a class of attackers commonly referred to as "Advanced persistent threat".
 Josh Corman and Jericho - "Cyberwar" : Not What We Were Expecting
With all the hyperbole and rhetoric surrounding "Cyber-War", we've grown blind to the real conflicts. Cyber-War is upon us, but it is NOT like you expected. Citizens are all involved (or will be), but we are not prepared.
The conflicts don't have clean battle lines, aren't fought by or between traditional states, and are far more personal and ideological. Historically, we have only seen cyberwar through failed analogies or our own greedy lenses. In doing so, we have failed to give proper attention to the subject, let alone understand it. This talk will be more than an honest analysis of the past, present and near future of cyber-war. From the DARPAnet goals of the Internet, to the original AntiSec's "inevitable conflict", to the guerilla warfare that we must come to understand, we'll outline what cyber-war isn't and, more importantly, what it is and will become.
When the shit hits the fan, what role will you play? It's past time to prepare yourself; will you be a warrior, minute man, survivalist, or collateral damage?
 Allison Miller - A Million Mousetraps: Using Big Data and Little Loops to Build Better Defenses
In many technical functions, automation is critical to maintaining stable, predictable, and effective operations. Security is no exception, especially in environments with thousands or even millions of customers, transactions, endpoints, or actions -- manual intervention has to be the exception and not the expectation. But how does an organization automate security, given all the complexity of a large threat surface and unpredictable attackers? Many environments (including financial systems, game platforms, and social networks) turn to analytics, specifically risk models, to automate risk detection and security decisions. In this session, we will walk-through the process for designing and deploying data-driven models and decision technology.
 Mathy Vanhoef - New flaws in WPA-TKIP
First, an overview of the WPA-TKIP protocol is given and the currently known attacks are discussed, along with a brief history of WEP. Then two new attacks on WPA-TKIP are presented. The first is an efficient and practical denial-of-service attack in which the attacker only has to inject two frames each minute to disrupt all traffic. The second describes a scenario in which an attacker is able to decrypt all traffic on a WPA-TKIP-secured network. The second attack has multiple requirements that are rarely satisfied in real-world environments; nevertheless, it is the first known attack on the WPA-TKIP specification capable of decrypting all transmitted traffic.
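To see why "two frames each minute" is enough, it helps to model the TKIP countermeasure rule from IEEE 802.11i: a second Michael MIC failure within 60 seconds shuts TKIP down for 60 seconds. The following model is an added example, not code from the talk; it assumes the attacker can produce frames that reach the MIC check and fail it (the talk covers how), and only reproduces the timer logic on the receiving side.

```python
"""Model of the TKIP Michael-MIC countermeasure timer (IEEE 802.11i).

Constructed model, not code from the talk: it only reproduces the rule that a
second MIC failure within 60 s disables TKIP for 60 s, so the reader can see
why two forged frames per minute keep a TKIP network down.
"""
from typing import List, Optional, Tuple

MIC_FAILURE_WINDOW = 60.0   # s: second failure inside this window triggers countermeasures
COUNTERMEASURE_HOLD = 60.0  # s: TKIP stays disabled for this long once triggered


class TkipCountermeasures:
    """Countermeasure state of one AP (or station)."""

    def __init__(self) -> None:
        self.last_failure: Optional[float] = None
        self.disabled_until: float = 0.0
        self.trigger_count: int = 0
        self.down_intervals: List[Tuple[float, float]] = []

    def mic_failure(self, t: float) -> None:
        """Report a frame received at time t that passed the ICV but failed the Michael MIC."""
        if t < self.disabled_until:
            return  # TKIP already disabled; nothing is accepted, so nothing is counted
        if self.last_failure is not None and t - self.last_failure < MIC_FAILURE_WINDOW:
            self.trigger_count += 1
            self.disabled_until = t + COUNTERMEASURE_HOLD
            self.down_intervals.append((t, self.disabled_until))
            self.last_failure = None
        else:
            self.last_failure = t

    def is_up(self, t: float) -> bool:
        return t >= self.disabled_until


def run_attack(horizon: float, gap: float = 1.0) -> Tuple[int, int, float]:
    """Attacker injects two bad-MIC frames `gap` seconds apart as soon as TKIP comes back up.

    Returns (countermeasure triggers, frames injected, fraction of `horizon` spent down).
    """
    ap = TkipCountermeasures()
    t, frames = 0.0, 0
    while t < horizon:
        ap.mic_failure(t)
        ap.mic_failure(t + gap)
        frames += 2
        # wait for the hold to expire, then strike again; if nothing triggered, try later
        t = ap.disabled_until if ap.disabled_until > t else t + 2 * gap
    down = sum(min(end, horizon) - start
               for start, end in ap.down_intervals if start < horizon)
    return ap.trigger_count, frames, down / horizon


if __name__ == "__main__":
    triggers, frames, down = run_attack(3600.0)
    print(f"one hour: {frames} frames injected, {triggers} shutdowns, "
          f"network down {down:.1%} of the time")
```

With a one-second gap the attacker spends 120 frames per hour and the network is unavailable for roughly 98% of it; spacing the frames more than 60 seconds apart never triggers the countermeasure, which is exactly why the window matters.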
 Martin Gallo - Uncovering SAP vulnerabilities: dissecting and breaking the Diag protocol
Nowadays, SAP NetWeaver has become the most widespread platform for building enterprise applications and running critical business processes. In recent years it has become a hot topic in information security, with headlines about hacks against SAP systems appearing every day. However, while SAP releases fixes and countermeasures monthly at an incredible rate, the available security knowledge is limited and some components are still not well covered.
SAP Diag is the application-level protocol used for communication between the SAP GUI and SAP NetWeaver Application Servers, and it is a core part of any ABAP-based SAP NetWeaver installation. Therefore, if an attacker is able to compromise this component, the result is a total takeover of an SAP system. In recent years the Diag protocol has received some attention from the security community and several tools were released, focused on decompression and sniffing. Nevertheless, the protocol specification is not public and its internal components and inner workings remain unknown; the protocol was not understood and there is no publicly available tool for active exploitation of real attack vectors.
This talk is about taking SAP penetration testing out of the shadows and shedding some light on SAP Diag, introducing a novel way to uncover vulnerabilities in SAP software through a set of tools that allow analysis and manipulation of the SAP Diag protocol. In addition, we will show how these tools and the knowledge acquired while researching the protocol can be used for vulnerability research, fuzzing and practical exploitation of novel attack vectors involving both SAP's client and server applications: man-in-the-middle attacks, RFC call injection, rogue SAP server deployment, SAP GUI client-side attacks and more. As a final note, this presentation will also show how to harden your SAP installations and mitigate these threats.
 Fernando Gont - Recent Advances in IPv6 Security
The IPv6 protocol suite was designed to accommodate the present and future growth of the Internet, and is expected to be the successor of the original IPv4 protocol suite. It has already been deployed in a number of production environments, and many organizations have already scheduled or planned its deployment in the next few years. Additionally, a number of activities such as the World IPv6 Day in 2011 and the upcoming World IPv6 Launch Day (scheduled for June 2012) have led to an improvement in IPv6 awareness and an increase in the number of IPv6 deployments.
There are a number of factors that make the IPv6 protocol suite interesting from a security standpoint. Firstly, being a new technology, technical personnel have far less experience with the IPv6 protocols than with their IPv4 counterparts, so it is more likely that the security implications of the protocols are overlooked when they are deployed. Secondly, IPv6 implementations are much less mature than their IPv4 counterparts, so it is very likely that a number of vulnerabilities will be discovered in them before their robustness matches that of the existing IPv4 implementations. Thirdly, security products such as firewalls and NIDSs (Network Intrusion Detection Systems) usually have less support for the IPv6 protocols than for their IPv4 counterparts, either in terms of features or in terms of performance. Fourthly, the security implications of IPv6 transition/co-existence technologies on existing IPv4 networks are usually overlooked, potentially enabling attackers to leverage these technologies to circumvent IPv4 security measures in unexpected ways.
During the last few years, the UK CPNI (Centre for the Protection of National Infrastructure) carried out the first comprehensive security assessment of the Internet Protocol version 6 (IPv6) and related technologies (such as transition/co-existence mechanisms). The result of that project is a series of documents that provide advice both to programmers implementing the IPv6 protocol suite and to network engineers and security administrators deploying or operating the protocols. Part of the results have recently been published, leading to a number of improvements in many IPv6 implementations and in the protocol specifications themselves. Fernando Gont will discuss the results of the project, introducing the attendees to the "state of the art" in IPv6 security and providing advice on how to deploy the IPv6 protocols securely. Gont will also discuss recent advances in IPv6 security areas such as Denial of Service attacks, firewall circumvention, network reconnaissance and First-Hop security, and will describe other IPv6 security areas in which further work is needed. Finally, he will describe some vulnerabilities found in popular IPv6 implementations, such as ND (Neighbor Discovery)-based Denial of Service attacks, and vulnerabilities arising from the use of predictable IPv6 Fragment Identification or Flow Label values.
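The last point is easy to check on your own captures: if a host's Fragment Identification values increment by a fixed step across packets, an off-path attacker can guess the next one and inject forged fragments. The following checker is an added example, not part of the CPNI project; it parses the IPv6 base header and the Fragment extension header itself and classifies each source's sequence of values. The packets are constructed inline, and the "constant / fixed step / unpredictable" rule is a deliberately simple heuristic.

```python
"""Check IPv6 traffic for predictable Fragment Identification and Flow Label values.

Added example, not the CPNI project's code. Packets below are constructed inline;
the predictability rule (constant or fixed-step values) is a simple heuristic.
"""
import struct
from typing import Dict, List, Optional, Tuple

IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_DSTOPTS, IPPROTO_UDP = 0, 43, 44, 60, 17


def make_packet(src: bytes, dst: bytes, flow_label: int, frag_id: Optional[int],
                payload: bytes = b"\x00" * 8) -> bytes:
    """Build an IPv6 packet, optionally with a Fragment extension header (constructed test data)."""
    ext, next_header = b"", IPPROTO_UDP
    if frag_id is not None:
        # Fragment header: next hdr, reserved, offset(13)|res(2)|M(1), identification
        ext = struct.pack("!BBHI", IPPROTO_UDP, 0, 0, frag_id)
        next_header = IPPROTO_FRAGMENT
    first_word = (6 << 28) | (flow_label & 0xFFFFF)  # version 6, traffic class 0, 20-bit label
    base = struct.pack("!IHBB", first_word, len(ext) + len(payload), next_header, 64) + src + dst
    return base + ext + payload


def parse_ipv6(pkt: bytes) -> Dict[str, object]:
    """Return src, flow label and (if present) fragment identification of one packet."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, _plen, nh, _hop = struct.unpack("!IHBB", pkt[:8])
    if first_word >> 28 != 6:
        raise ValueError("not IPv6")
    src, off, frag_id = pkt[8:24], 40, None
    while True:
        if nh == IPPROTO_FRAGMENT:
            if len(pkt) < off + 8:
                raise ValueError("truncated Fragment header")
            nh, _res, _offm, frag_id = struct.unpack("!BBHI", pkt[off:off + 8])
            break
        if nh in (IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS):
            if len(pkt) < off + 2:
                raise ValueError("truncated extension header")
            nh, hdr_ext_len = pkt[off], pkt[off + 1]
            off += (hdr_ext_len + 1) * 8  # length in 8-octet units, excluding the first 8
            continue
        break  # upper-layer protocol (or an extension header we do not walk)
    return {"src": src, "flow_label": first_word & 0xFFFFF, "frag_id": frag_id}


def predictability(values: List[int]) -> Tuple[str, Optional[int]]:
    """Classify a per-host sequence: 'constant', 'sequential' (with step) or 'unpredictable'."""
    if len(values) < 3:
        return "insufficient", None
    if all(v == values[0] for v in values):
        return "constant", 0
    deltas = [(b - a) & 0xFFFFFFFF for a, b in zip(values, values[1:])]
    if all(d == deltas[0] for d in deltas):
        return "sequential", deltas[0]
    return "unpredictable", None


def assess(packets: List[bytes]) -> Dict[bytes, Dict[str, Tuple[str, Optional[int]]]]:
    """Group packets by source and classify Fragment ID and Flow Label sequences per host."""
    per_src: Dict[bytes, Dict[str, List[int]]] = {}
    for pkt in packets:
        h = parse_ipv6(pkt)
        entry = per_src.setdefault(h["src"], {"frag_id": [], "flow_label": []})
        entry["flow_label"].append(h["flow_label"])
        if h["frag_id"] is not None:
            entry["frag_id"].append(h["frag_id"])
    return {src: {k: predictability(v) for k, v in f.items()} for src, f in per_src.items()}


DST = bytes.fromhex("20010db8000000000000000000000099")
HOST_A = bytes.fromhex("20010db8000000000000000000000001")  # constructed: global counter, label unused
HOST_B = bytes.fromhex("20010db8000000000000000000000002")  # constructed: randomised values

SAMPLE = [make_packet(HOST_A, DST, 0, 0x1000 + i) for i in range(4)] + [
    make_packet(HOST_B, DST, fl, fid)
    for fl, fid in [(0x8A3F1, 0x9F3A1C2D), (0x21C0D, 0x1B77E004),
                    (0xE5B92, 0xC33D9A51), (0x3D1A7, 0x5E02B8F7)]
]

if __name__ == "__main__":
    for src, verdict in assess(SAMPLE).items():
        print(src.hex(), verdict)
```

A "sequential" Fragment ID is the finding to act on; a "constant" Flow Label of zero just means the host does not set one, which is common and not a vulnerability in itself.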
 Gregory Pickett - pMap, the silent killer
With auto-configuration protocols now being added to operating systems and implemented by default in your network devices, hosts are now actively advertising their available attack surfaces to anyone listening on the network.
In this session I will debut my new tool pMap. pMap listens silently and, without sending any packets, extracts information from these advertisements to discover hosts, perform a port scan, and fingerprint the operating systems and services on those hosts. A multi-purpose tool, it can be used to mitigate the risks that advertising hosts bring to your environment, or to attack the local segment within the enterprise as well as the public arena when enterprise hosts leave the safety of the network.
We'll first cover what makes all this possible, then examine typical network traffic to see what is made available to us, and then give demonstrations highlighting the tool's features in a variety of scenarios, from the defensive to the offensive, including as part of a remote attack using Metasploit, where the tool is deployed as a Metasploit module on a compromised host to allow silent, undetectable profiling of the remote network. Don't miss it!
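The mechanics are worth seeing on a concrete protocol. UPnP devices announce themselves with SSDP NOTIFY datagrams to 239.255.255.250:1900, and each announcement carries a LOCATION URL (the device's own HTTP port), an NT/USN service type and a SERVER banner that names the OS and UPnP stack. The following inventory builder is an added example, not pMap's code (which also covers other auto-configuration protocols); it never transmits, just folds captured datagrams into a per-host view. The datagrams are constructed to look like real announcements.

```python
"""Passive host, port and service inventory from SSDP advertisements.

Added example; not pMap's code. Datagrams are constructed to resemble UPnP
NOTIFY announcements seen on 239.255.255.250:1900. Only SSDP is handled here.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

Inventory = Dict[str, Dict[str, set]]


def parse_ssdp(datagram: bytes) -> Optional[Dict[str, str]]:
    """Parse one SSDP datagram; return its headers (lower-cased names) or None if not a NOTIFY."""
    try:
        text = datagram.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n")
    if not lines or not lines[0].upper().startswith("NOTIFY "):
        return None  # M-SEARCH queries and unicast replies are ignored: we only listen
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def inventory_from(datagrams: List[Tuple[str, bytes]]) -> Inventory:
    """Fold (source_ip, payload) pairs into a per-host view of ports, services and banners."""
    inv: Inventory = {}
    for src_ip, payload in datagrams:
        hdr = parse_ssdp(payload)
        if hdr is None:
            continue
        host = inv.setdefault(src_ip, {"ports": set(), "services": set(), "banners": set()})
        service = hdr.get("nt") or hdr.get("usn", "")
        if hdr.get("nts", "").lower() == "ssdp:byebye":
            host["services"].discard(service)  # device announced that it is going away
            continue
        if service:
            host["services"].add(service)
        if "server" in hdr:
            host["banners"].add(hdr["server"])  # OS / UPnP stack / product, like an HTTP Server header
        loc = hdr.get("location")
        if loc:
            parts = urlsplit(loc)
            if parts.port is not None:
                host["ports"].add(parts.port)  # the device's own HTTP description server
            elif parts.scheme == "http":
                host["ports"].add(80)
    return inv


def notify(location: str, nt: str, server: str, usn: str, nts: str = "ssdp:alive") -> bytes:
    """Constructed SSDP NOTIFY datagram (test data, not captured traffic)."""
    return ("NOTIFY * HTTP/1.1\r\n"
            "HOST: 239.255.255.250:1900\r\n"
            "CACHE-CONTROL: max-age=1800\r\n"
            f"LOCATION: {location}\r\n"
            f"NT: {nt}\r\n"
            f"NTS: {nts}\r\n"
            f"SERVER: {server}\r\n"
            f"USN: {usn}\r\n\r\n").encode("ascii")


LINUX_BANNER = "Linux/3.2.0 UPnP/1.0 MiniDLNA/1.0.24"
WINDOWS_BANNER = "Microsoft-Windows-NT/5.1 UPnP/1.0 UPnP-Device-Host/1.0"
MEDIA = "urn:schemas-upnp-org:device:MediaServer:1"
UUID_A = "uuid:11111111-2222-3333-4444-555555555555"
UUID_B = "uuid:66666666-7777-8888-9999-aaaaaaaaaaaa"

SAMPLE: List[Tuple[str, bytes]] = [  # constructed capture from one broadcast domain
    ("192.168.1.10", notify("http://192.168.1.10:49152/rootDesc.xml", MEDIA, LINUX_BANNER,
                            f"{UUID_A}::{MEDIA}")),
    ("192.168.1.10", notify("http://192.168.1.10:49152/rootDesc.xml", "upnp:rootdevice",
                            LINUX_BANNER, f"{UUID_A}::upnp:rootdevice")),
    ("192.168.1.23", notify("http://192.168.1.23:2869/upnphost/udhisapi.dll?content=" + UUID_B,
                            "urn:schemas-upnp-org:service:ConnectionManager:1", WINDOWS_BANNER,
                            f"{UUID_B}::urn:schemas-upnp-org:service:ConnectionManager:1")),
    ("192.168.1.23", b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n"
                     b"MX: 3\r\nST: ssdp:all\r\n\r\n"),
    ("192.168.1.10", notify("http://192.168.1.10:49152/rootDesc.xml", MEDIA, LINUX_BANNER,
                            f"{UUID_A}::{MEDIA}", nts="ssdp:byebye")),
]

if __name__ == "__main__":
    for ip, info in inventory_from(SAMPLE).items():
        print(ip, sorted(info["ports"]), sorted(info["banners"]), sorted(info["services"]))
```

Note that the SERVER banner is self-reported and easily spoofed, so it is a fingerprinting hint rather than proof; on the defensive side the same parser tells you which hosts are advertising what, which is the list to feed into a policy of disabling those services.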
 Carlos Garcia - How I met your pointer (Hijacking client software for fuzz and profit)
Looking for vulnerabilities in closed-source software is particularly difficult when the researcher is confronted with proprietary and/or undocumented protocols. Several approaches can be taken to attack this problem, for example full reverse engineering or dumb fuzzing. Unfortunately, these are either incredibly time- and brain-consuming or highly inefficient.
In this talk another way will be shown, namely the manipulation of client software using binary instrumentation techniques in order to use it as a kind of 'double agent' against the server it is talking to.
Some small tools and code examples will be released after the talk for everybody to play with.
 Paul Marsh - Satellite Hacking
What sort of data can be received from the vast numbers of satellites in orbit around the Earth? What are the various types of satellite orbits, and what equipment is needed to start 'hacking' satellites. These questions, and more, will be answered in this talk which discusses satellite hacking techniques. Real life examples of traffic, data and audio communications received will be presented. We'll also take a critical look at a UK military satellite hacking incident which was widely reported in the press, and consider the commonly asked question -"can it be done?"
 Meredith L. Patterson and Sergey Bratus - LangSec
 Mickey Shkatov - we have you by the gadgets
Why send someone an executable when you can just send them a sidebar gadget?
We will be talking about the Windows gadget platform and the nastiness that can be done with it: how gadgets are made, how they are distributed and, more importantly, their weaknesses.
Gadgets are composed of JS, CSS and HTML and run on an application platform that the Windows operating system embeds by default. As a result there are a number of interesting attack vectors to explore and take advantage of. We will be talking about our research into creating malicious gadgets, misappropriating legitimate gadgets and the sorts of flaws we have found in published gadgets.
 int0x80 (of Dual Core) - Moar Anti-Forensics for the Louise
This presentation is the new and improved anti-forensics version of those "Stupid Pet Tricks" segments on late night US talk shows. Nothing ground-breaking here, but there may be some ideas and techniques presented that forensic investigators haven’t considered or encountered.
 David Mortman - The Defense RESTs: Automation and APIs for Improving Security
Want to get better at security? Improve your ops and improve your dev. Most of the security tools you need aren't from security vendors; they don't even need to be commercial. You need tools like Chef and Puppet, Jenkins, Logstash + Elasticsearch, Splunk or even Hadoop, to name but a few. The key is to centralize management, automate and test.
Testing is especially key; like Jeremiah says, "Hack Yourself First". So many vulnerabilities can be detected automatically. Let the machines do that work and find the basic XSS, CSRF and SQLi flaws, not to mention buffer overflows; save the manual effort for the more complex versions of the above attacks and for business logic flaws. This is one of those spaces where dedicated security tools are a must. Leverage APIs (and protect API endpoints), be evidence driven. Counter-intuitively, deploy more often, with smaller change sets. Prepare for failure, fail fast, but recover faster. This is not just theory: the talk will include real examples with real code, including open protocols like NETCONF and open source software like dasein-cloud.
There will be no discussion of APT, DevOps vs NoOps, BYOD or cloud security concerns; there will, however, be baked goods, assuming I can get them through customs.
 Didier Stevens - Windows x64: The Essentials (2h)
In this workshop we will touch upon important differences between 32-bit and 64-bit Windows.
Did you know WoW64 (Windows 32-bit on Windows 64-bit), the subsystem that allows you to run 32-bit applications on 64-bit Windows, presents those applications with a different view of the file system and the registry? Why wouldn't you use a 32-bit AV program on x64 Windows, and can you compile a 64-bit application on a 32-bit machine?
Did you know 32-bit processes can't load 64-bit DLLs and 64-bit processes can't load 32-bit DLLs?
Did you know that x64 shellcode is significantly different from 32-bit shellcode because of the calling convention?
Here are some of the exercises for the workshop attendees:
- How to develop and inject an x64 DLL
- How to develop x64 shellcode
- How to develop and sign an x64 kernel driver
- How does WoW64 allow us to run 32-bit applications on a 64-bit system?
- How do we "break" out of WoW64?
Attendees will have to bring a laptop with Windows x64 (native or VM).
 Kyle 'Kos' Osborn & Krzysztof Kotowicz - Advanced Chrome Extension Exploitation (2h)
Browser exploitation can seem to be a nearly unachievable task these days. ASLR, DEP, segregated processes and sandboxes have proven to be effective in abating exploits by attackers. Our expectation of browser security is so high, that in addition to bug bounty programs, competitions such as Pwn2Own and Pwnium have been formed around the core concept of weeding out dangerous bugs.
HTML5 gave us a plethora of new attacks and exploits to worry about, and browser vendors are still feeling the growing pain of adapting to that new standard. With these new tools, however, we are able to step back from the concept of “shell is all”, and expand exploitation and post exploitation on a softer surface, browser extensions.
What about security in these newfangled localized HTML applications? Even though they are protected by all the other baked-in browser protections (ASLR/DEP/sandboxing), they are still vulnerable to everyday, vanilla web application vulnerabilities (XSS/CSRF/clickjacking/etc.). Not only that: with the presence of extension repositories like the Chrome Web Store it's much easier to scan the source code and discover these vulnerabilities. On the other hand, extensions have access to a powerful browser API unavailable to usual web pages, and a successful exploit in this environment might give the attacker close to full browser access. For example, a single XSS may lead to code execution in the context of every http[s]:// origin (Universal XSS), bypassing all protections present within the websites. Some extensions can read and manipulate all cookies (even their httpOnly flavour), access browsing history and bookmarks, and call binary code stored in DLL files.
In our presentation, we will give a technical overview of:
- Modern browser security and protections
- HTML5 security
- Google Chrome extensions architecture
- Discovering and exploiting vulnerabilities in Chrome extensions
- Leveraging the vulnerabilities for browser take-over (post-exploitation)
 Michael Sikorski & William Ballenthin - Clearing the Red Forest (4h)
Many incident responders and forensic analysts search systems for evil without a dedicated malware analyst, and don't have an easy way to determine "Is this file malware?". Furthermore, anti-virus products do not recognize all the malware that an analyst encounters in an environment, whether because signatures or heuristics fail. To solve this issue, we propose using a flexible malware classification tool called Red Forest. This free tool is extremely flexible and can be easily customized. In this workshop, we will show the benefits of Red Forest and how you can extend the malware classification engine using plug-ins. You will even learn to train the system using your own samples alongside our preset configuration.
After a quick lecture to build your computer science foundation, we will turn to a hands-on and interactive laboratory where you will learn about the Red Forest tool. Throughout the workshop, we will post challenges to see how solid of a classifier you can build. You will be given malicious and clean samples and use Red Forest to build the best classifier you can. Near the end of the day, we will give out prizes for the best feature and the best classifier.
Hardware/Software Requirements - The students must bring a laptop with VMware Workstation or Player. We will provide a VM image for use in the classroom with all tools needed for the workshop installed.
 Abraham Aranguren - Introducing OWTF (4hr)
In this talk there will be a brief introduction to OWTF. This will be followed up with demos of the latest features up until the time of the conference (this is a fast moving project) to help pen testers get the most out of this tool and/or provide them with new ideas to improve their pen testing process.
OWTF is a tool that tries to achieve a new level of efficiency and comprehensiveness by combining great standards (OWASP aligned, PTES on the to-do list), great tools, websites and knowledge in the public domain, together with continuous reporting using an interactive report that allows the pen tester to analyse the information in a similar fashion to the thought process of a chess player.
OWTF intends to find an optimal balance between automation and human analysis so that the best of both worlds can be attained.
Please follow the instructions on this blog post to get the required data before the workshop.
 Biosshadow, Matt Erasmus, Benson - The PANIC Project
Every year, thousands of passwords are leaked to the internet (most often via a post to pastebin). For the individuals carrying out these embarrassing attacks, it’s just about the lulz, or proving a point. For each organization whose passwords are leaked, and for their users, this is a travesty. For us, though, it’s a valuable opportunity to gain insight into passwords as the primary unit of authentication. We all use them, but what do we really know about them?
This treasure trove of statistically significant data is available, and it’s only fair to the victims of these crimes that we do something good with this data. We’re building an automated system to comb the web for leaked passwords and warehouse them. Once stored in a centralized database, these passwords are the subject of statistical inquiries: What’s the most common password? What’s the breakdown of character classes in each password? How many of them are present in widely available rainbow tables? How long would it take to perform an online brute force attack on the weakest 10% of all passwords? Answers to these questions and more are well within our reach when we collect and analyze this publicly available data. Beyond being able to do analysis, we can make a compact rainbow table style database of hashes for all passwords we’ve seen. Our database includes all the common hash types (MD5, SHA1, SHA256, NTLM, MySQL, and others). We call this combination of multiple hash types into a single table “double rainbow tables” for obvious reasons. A public database of known in-use passwords pressures users to use more secure passwords for their own accounts, and devs to properly salt their hashes. We will discuss lessons learned building scrapers and an ingest framework for specific data in a disparate array of unstructured data sources, raw observations in data we have collected, and statistically significant conclusions from the data we have collected. We will also be releasing our source and aggregate data for further analysis.
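The analyses the abstract lists are straightforward once the passwords are warehoused. The following is an added example, not the PANIC project's code: it computes the most common passwords, the character-class breakdown and the online brute-force cost of the weakest 10% (using the frequency-ordered corpus itself as the attacker's wordlist), then builds a multi-algorithm lookup table of the kind the abstract calls "double rainbow tables" (strictly a lookup table, not a rainbow table: every hash is stored, nothing is recomputed from chains). The leak is constructed sample data; NTLM is included only where the local OpenSSL build still provides MD4.

```python
"""Statistics and a multi-hash lookup table over a constructed password leak.

Added example, not the PANIC project's code. LEAKED is invented sample data;
NTLM (MD4 over UTF-16LE) is included only where the local OpenSSL offers MD4.
"""
import hashlib
import math
import string
from collections import Counter
from typing import Dict, List, Optional, Tuple

LEAKED: List[str] = (  # constructed "pastebin dump": 15 entries, 9 distinct values
    ["123456"] * 4 + ["password"] * 3 + ["letmein"] * 2
    + ["qwerty", "Summer2012!", "Tr0ub4dor&3", "correcthorse", "P@ssw0rd", "123456789"]
)


def class_profile(pw: str) -> str:
    """Character classes present, as a sorted key: d=digit, l=lower, s=symbol, u=upper."""
    classes = set()
    for ch in pw:
        if ch in string.digits:
            classes.add("d")
        elif ch.islower():
            classes.add("l")
        elif ch.isupper():
            classes.add("u")
        else:
            classes.add("s")
    return "".join(sorted(classes))


def analyze(passwords: List[str], guesses_per_second: float = 10.0) -> Dict[str, object]:
    """Corpus statistics; guesses_per_second is an assumed online (rate-limited) guessing speed."""
    freq = Counter(passwords)
    ranked = [pw for pw, _ in freq.most_common()]  # the corpus as a frequency-ordered wordlist
    weakest_n = max(1, math.ceil(len(ranked) * 0.10))
    # An online attacker guessing in frequency order hits a rank-r password after r guesses,
    # so every password in the weakest 10% falls within weakest_n guesses per account.
    return {
        "most_common": freq.most_common(3),
        "class_profile": Counter(class_profile(pw) for pw in passwords),
        "weakest_10pct": ranked[:weakest_n],
        "online_bruteforce_seconds_weakest_10pct": weakest_n / guesses_per_second,
    }


def _ntlm(pw: str) -> Optional[str]:
    try:
        return hashlib.new("md4", pw.encode("utf-16le")).hexdigest()
    except ValueError:  # MD4 not available in this OpenSSL build
        return None


def build_lookup_table(passwords: List[str]) -> Dict[str, Tuple[str, str]]:
    """Map each md5/sha1/sha256/ntlm digest of every distinct password back to (algorithm, password)."""
    table: Dict[str, Tuple[str, str]] = {}
    for pw in set(passwords):
        data = pw.encode("utf-8")
        for alg in ("md5", "sha1", "sha256"):
            table[hashlib.new(alg, data).hexdigest()] = (alg, pw)
        nt = _ntlm(pw)
        if nt is not None:
            table[nt] = ("ntlm", pw)
    return table


def lookup(table: Dict[str, Tuple[str, str]], digest_hex: str) -> Optional[Tuple[str, str]]:
    """Reverse an unsalted digest of any supported algorithm; None if unknown (or salted)."""
    return table.get(digest_hex.lower())


if __name__ == "__main__":
    stats = analyze(LEAKED)
    print("most common:", stats["most_common"])
    print("class profile:", dict(stats["class_profile"]))
    table = build_lookup_table(LEAKED)
    print("unsalted md5 -> ", lookup(table, hashlib.md5(b"123456").hexdigest()))
    salted = hashlib.sha256(b"s4lt" + b"123456").hexdigest()
    print("salted sha256 ->", lookup(table, salted))  # None: the table is useless against salts
```

The last two lines are the point the abstract makes about developers: the same password that the table reverses instantly when hashed bare is not found once a per-user salt is prepended, because the table would have to be rebuilt per salt.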
 Vivek Ramachandran - Hacking with Python (2hr)
This workshop will give you a crash course in how to apply Python Scripting to hacking and pentesting. We will look at various libraries, tools and techniques which we can use in Python and apply them to the following infosec domains:
- web application security
- exploit research
- reverse engineering
- malware analysis
- software cracking
- network attacks
- attack automation
This workshop is ideal for penetration testers, security enthusiasts and network administrators who want to learn to automate tasks or go beyond just using ready-made tools. Pre-requisites: basic knowledge of Python programming and infosec. We will be taking up live examples and case studies from different domains. Participants will be provided the software required for download. Please bring a Linux distribution with Python 2.7.2 and 3.x installed.
 Meredith L. Patterson & Sergey Bratus - Shotgun Parsers in the Crosshairs
Any code that transforms data has to make some assumptions about what it receives; it's up to some other code to recognize if the data is as it expects. The sole purpose of this recognizer is to protect subsequent innocent code from being lured into memory corruption or from otherwise aiding and abetting pwnage.
Sadly, a lot of actual input handling code is a mixture of data processing and recognition, scattered throughout a codebase. Its "sanity checking" is neither strong enough to verify all the implicit assumptions, nor written with these assumptions in mind. We call such input handling code "shotgun parsers" and argue that it is the number one reason for the ubiquitous insecurity of programs facing the internet.
In this talk, we will discuss examples of shotgun parsers across the layers of a TCP/IP stack (and well-attested exploits for them, drawn from the pages of Phrack) and show how to rein them in with a principled approach to building recognizers. From digital radio physical layer frames to SQL injection, shotgun parsers sow distraction and must be eliminated if we are to trust how programs process input.
Our previous talks (see langsec.org) concentrated on theory; in this talk, we take the practical software-engineering view. We'll demonstrate how to apply our axiom of "full recognition before processing" in practice, using the Hammer parsing library (https://github.com/UpstandingHackers/hammer) to implement protocol message formats and the Ragel state machine compiler (http://www.complang.org/ragel/) to implement protocol internals.
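The difference between a shotgun parser and "full recognition before processing" is easiest to see side by side. The following is an added example, not code from the talk or from the Hammer or Ragel projects: a hand-written recognizer for an invented message format (magic "LS", a record count, then type/length/value records) that either accepts the whole input or rejects it before anything else runs, next to a shotgun handler that interleaves checking with acting and therefore commits side effects before it discovers the input is bad.

```python
"""'Full recognition before processing' on a small constructed record format.

Added example, not from the talk or the Hammer/Ragel projects: a hand-written
recognizer for an invented format (magic "LS", record count, then type/length/
value records) beside a 'shotgun' handler that interleaves checking and acting.
"""
import struct
from typing import List, Optional, Tuple

MAGIC = b"LS"
Record = Tuple[int, bytes]


def recognize(msg: bytes) -> Optional[List[Record]]:
    """Accept msg only if it is exactly one well-formed message; return its records, else None.

    Nothing observable happens here: a rejected input leaves no trace in the program.
    """
    if len(msg) < 3 or msg[:2] != MAGIC:
        return None
    count, off = msg[2], 3
    records: List[Record] = []
    for _ in range(count):
        if off + 3 > len(msg):
            return None  # record header runs past the buffer
        rtype, length = msg[off], struct.unpack("!H", msg[off + 1:off + 3])[0]
        off += 3
        if off + length > len(msg):
            return None  # declared length exceeds what was received: the classic overflow trigger
        records.append((rtype, msg[off:off + length]))
        off += length
    if off != len(msg):
        return None  # trailing bytes: not in the language we accept
    return records


def process(records: List[Record], log: List[str]) -> None:
    """The 'innocent' processing stage; it trusts its input because recognize() vouched for it."""
    for rtype, value in records:
        log.append(f"type={rtype} len={len(value)}")


def handle_strict(msg: bytes, log: List[str]) -> bool:
    recs = recognize(msg)
    if recs is None:
        return False
    process(recs, log)
    return True


def handle_shotgun(msg: bytes, log: List[str]) -> bool:
    """Checks scattered through the processing: acts on record 1 before learning record 2 is bad."""
    if msg[:2] != MAGIC:
        return False
    off = 3
    for _ in range(msg[2]):
        rtype, length = msg[off], struct.unpack("!H", msg[off + 1:off + 3])[0]
        off += 3
        value = msg[off:off + length]                # silently short when the buffer is truncated
        log.append(f"type={rtype} len={len(value)}")  # side effect has already happened...
        if len(value) != length:
            return False                             # ...by the time the check notices
        off += length
    return True


def encode(records: List[Record]) -> bytes:
    """Serialise records in the constructed format (used to build test inputs)."""
    body = b"".join(bytes([t]) + struct.pack("!H", len(v)) + v for t, v in records)
    return MAGIC + bytes([len(records)]) + body


if __name__ == "__main__":
    good = encode([(1, b"hello"), (2, b"world!")])
    truncated = good[:-3]  # second record claims 6 bytes, only 3 arrived
    for name, handler in (("strict", handle_strict), ("shotgun", handle_shotgun)):
        log: List[str] = []
        ok = handler(truncated, log)
        print(f"{name}: accepted={ok} actions taken={log}")
```

In a memory-unsafe language the shotgun handler's `value = msg[off:off + length]` is where the over-read or overflow lives; in Python it merely yields a short slice, but the structural problem is identical: state was changed on the strength of a length field nobody had verified yet.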
 Beer Hacking workshop
Beer that you buy in the shops is licensed. But we think that beer should be free. We will show in this workshop how to make a double fermentation lager beer, using only kitchen and garden equipment. No special tools. No secrets. Free your thirst.
 LSEC - Hiring! Looking for volunteer Cyber FireFighters and Innovative Cyber Security Measures
LSEC is a European non-profit association looking for innovative independent cybersecurity experts to develop a series of actions to fight bots, to detect and mitigate malware, to undermine TOR networks and to increase security measures on all levels (end user, enterprise, operator, society). Be part of a European expert team of security engineers, system integrators and network operators and participate actively in the development of a series of tools and pilot actions. Challenged and supported by the European Commission, LSEC is a partner in the ACDC consortium and will lead the pilot developments. During this session, we will inform you about the project, ask you to consider some of the identified pilots and share your thoughts on how to implement them. We will also seek new ideas and out-of-the-box thinking, and try to understand how we could get your support in this ambitious action, either as volunteers or paid freelancers. We will be ready to reward the greatest and most applicable idea at the end of the discussion with a 3D gaming experience or a mega beer voucher.
Some innovative pilots under discussion :
- Fast-Flux detection and monitoring tool for infected machines behind domains using Fast-Flux techniques
- Optimized whois tool for ABUSE contact extraction
- Evidence Extraction Tool for processing logs related with C&C botnet servers, optimized to manage large volumes of information.
- MMT-Security: a property model inspired by Linear Temporal Logic, expressing security rules that describe the expected behaviour and attack rules that describe malicious behaviour
- Analysis of data traffic (near real time) during a predefined period, collecting network data and feeding into advanced data analytics technologies in order to detect botnet activities
- Detection of unknown botnets by controlling applications positively and blocking unknown-udp or unknown-tcp traffic in enterprise and government networks or with end users
- Network-level expertise for the detection of mobile network abuse (botnets in mobile networks), with high-performance data collection and analysis
- Passive DNS replication component sensor for the real-time detection of malware domains and fast-flux bots or botnets C&C
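The first and last pilots in the list share one building block: scoring a domain's passive-DNS history for fast-flux behaviour. The following scorer is an added example, not an ACDC or LSEC pilot's code; it counts distinct A records, how many distinct /16 networks they span, and the lowest TTL seen, and flags a domain only when all three cross assumed thresholds. The observations are constructed, and the comparison case (a CDN with many IPs but all in one network) shows why IP count alone is a poor signal.

```python
"""Score domains for fast-flux behaviour from passive-DNS observations.

Added example; not an ACDC/LSEC pilot's code. The observations are constructed,
and the thresholds in FluxThresholds are assumptions, not published values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (epoch seconds, qname, A-record rdata, TTL): constructed passive-DNS sensor output
Observation = Tuple[int, str, str, int]


@dataclass(frozen=True)
class FluxThresholds:
    min_distinct_ips: int = 5
    min_distinct_prefixes: int = 3   # /16 networks; a CDN usually concentrates in few
    max_ttl: int = 300               # flux nodes must be rotated quickly, so TTLs are short


def summarize(observations: List[Observation]) -> Dict[str, Dict[str, object]]:
    """Per-domain aggregates: distinct IPs, distinct /16 prefixes, TTLs and observation window."""
    by_domain: Dict[str, Dict[str, object]] = {}
    for ts, name, ip, ttl in observations:
        d = by_domain.setdefault(name, {"ips": set(), "prefixes": set(), "ttls": [],
                                        "first": ts, "last": ts})
        d["ips"].add(ip)
        d["prefixes"].add(str(ipaddress.ip_network(f"{ip}/16", strict=False)))
        d["ttls"].append(ttl)
        d["first"] = min(d["first"], ts)
        d["last"] = max(d["last"], ts)
    return by_domain


def flux_verdicts(observations: List[Observation],
                  thresholds: FluxThresholds = FluxThresholds()) -> Dict[str, Tuple[bool, str]]:
    """Return {domain: (is_fast_flux, human-readable reason)}."""
    out: Dict[str, Tuple[bool, str]] = {}
    for name, d in summarize(observations).items():
        n_ips, n_pfx, min_ttl = len(d["ips"]), len(d["prefixes"]), min(d["ttls"])
        flux = (n_ips >= thresholds.min_distinct_ips
                and n_pfx >= thresholds.min_distinct_prefixes
                and min_ttl <= thresholds.max_ttl)
        hours = max(1, (d["last"] - d["first"]) // 3600)
        out[name] = (flux, f"{n_ips} IPs across {n_pfx} /16s, min TTL {min_ttl}s, "
                           f"{n_ips / hours:.1f} IPs/hour")
    return out


T0 = 1_348_617_600  # constructed: an arbitrary epoch origin for the sample window
SAMPLE: List[Observation] = [
    # flux domain: eight addresses scattered over three networks, rotated with a 180 s TTL
    (T0 + 0, "update-check.example", "198.51.100.7", 180),
    (T0 + 600, "update-check.example", "203.0.113.44", 180),
    (T0 + 1200, "update-check.example", "192.0.2.19", 180),
    (T0 + 1800, "update-check.example", "198.51.100.130", 180),
    (T0 + 2400, "update-check.example", "203.0.113.201", 180),
    (T0 + 3000, "update-check.example", "192.0.2.77", 180),
    (T0 + 3600, "update-check.example", "198.51.100.201", 180),
    (T0 + 4200, "update-check.example", "203.0.113.9", 180),
    # CDN-like: many addresses, short TTL, but all inside one /16
    (T0 + 0, "static.example", "203.0.113.10", 60),
    (T0 + 60, "static.example", "203.0.113.11", 60),
    (T0 + 120, "static.example", "203.0.113.12", 60),
    (T0 + 180, "static.example", "203.0.113.13", 60),
    (T0 + 240, "static.example", "203.0.113.14", 60),
    (T0 + 300, "static.example", "203.0.113.15", 60),
    # ordinary host: one address, long TTL
    (T0 + 0, "www.example", "192.0.2.5", 3600),
    (T0 + 7200, "www.example", "192.0.2.5", 3600),
]

if __name__ == "__main__":
    for domain, (flagged, reason) in flux_verdicts(SAMPLE).items():
        print(f"{'FLUX ' if flagged else '     '} {domain}: {reason}")
```

Real deployments replace the /16 proxy with ASN lookups and add the IP-churn rate per hour, but the shape is the same: the score must combine diversity of hosting with TTL, or every large CDN becomes a false positive.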
 fbz - Hardware Hacking
 Wednesday September 26th, 14:00: Build your own arduino clone for controlling servo motors
Build a simple arduino clone for controlling up to six servo motors, with rs232 logic level converter programmer dongle. You can be a complete beginner for this workshop. Please bring a laptop to program the circuit at the end (not required), patience, and the desire to solder up your own small footprint microcontroller board. Soldering irons and USB-serial dongles and tools provided. Available slots: 13. Cost: 15 euros.
 Thursday September 27th, 14:00: Build a quadrifilar helix antenna and use rtl-sdr to listen to NOAA weather satellites
Build a collapsible quadrifilar helix antenna for 137.5 MHz NOAA weather satellites. Use it with an rtl-sdr board, also provided, (Terratec Cinergy T Stick RC Mk II (PID 0x00d3) with Elonics E4000). You can be a complete beginner for this workshop. Please bring a laptop, preferably with gnuradio installed and running (yes this is a pain, but it won't be covered too much in this workshop). Tools to build the antenna and materials for the antenna will be provided, an rtl-sdr board will also be provided. You will walk away with a collapsible (or fixed) quadrifilar helix antenna and an rtl-sdr stick, and hopefully a head start at the amazingly cheap way of grabbing satellite images from space! Available slots: 10. Cost: 30 euros.
 Walter Belgers (TOOOL) - Lockpicking
 Joernchen, Astera & Mumpi - DJ Workshop (2h)