While web applications become richer and provide a higher level of user experience, they run increasingly large amounts of code on both the server and the client side. A few of the pages on the web server may be performance bottlenecks. Identifying those pages gives both the application owner and an attacker a chance to be more efficient, whether in performance tuning or in attack.
We will discuss a method of identifying the weak points of a web application by performing a series of regular requests against it. With some refinement and normalization of the gathered data, and then further testing based on the result, it is possible to pinpoint the single most resource-consuming (CPU or DB) page of the application. Armed with that information it is possible to perform more efficient DoS/DDoS attacks with very simple tools.
The presentation will be accompanied by a few demos of the tool performing testing and attacking on various targets. The tool will be published for interested researchers to play with.

At some point, as information security practitioners, we all face those god-awful three letters: PCI. Yes, it sucks, it's not cheap, and yes, it's not "real security". But if you or your client is handling cardholder information, you must SUBMIT! Err… comply… with over 200 requirements. But how does a technically-minded and security-driven badass meet the letter and intent of PCI without pulling their hair out, spending thousands on vendor solutions that don’t provide holistic security, upsetting management, or just “checking the box” and moving on?
Zack and Erin will explore their tried and tested open source solutions implemented by organizations from the small/mid-sized to some of the largest providers in the world to address the requirements of PCI DSS while substantially improving security. This isn’t your grandpa’s high-level theoretical overview, but a deep technical dive with specific configuration guidelines you can implement tomorrow.
You too can devote resources to skilled talent rather than ineffective or exorbitantly priced products; let’s start fixing things.

“What does this application do?” is a question that analysts often ask themselves when performing an application assessment or analyzing mobile malware. CobraDroid was designed to answer this question. CobraDroid is a full-featured Android sandbox that includes the ability to modify device and radio identifiers, proxy network traffic with SSL validation bypassing, and perform per-application method hooking, alerting, and packet capturing (and more!).
This talk discusses how CobraDroid can be used for Android malware analysis and application assessments. It will include a discussion of the techniques used to assess applications and a demonstration of the tool.

Cryptography is awesome, but modern cryptography has a seriously high barrier to entry that prevents a lot of people from getting into its technical side. Fortunately, many important lessons, attacks, and concepts can be demonstrated using classic pre-digital ciphers. Over the course of this four-hour workshop attendees will:
* Learn the technical basics of cryptography.
* Implement classic ciphers by hand.
* Learn about weaknesses in these ciphers and how to leverage these weaknesses to crack said ciphers.
* Get examples (in Python) from my Open Source framework to automate standard cryptographic functions, including attacks and analysis.
* Learn the history and stories surrounding my chosen ciphers.
* Learn a methodology so that when given an unknown ciphertext, they will be able to diagnose the cipher used and implement an attack.
Cuckoo Sandbox is an open source system for automating the dynamic analysis of malware. It allows you to run and monitor any suspicious file inside an isolated environment and collect indicators and evidence of its behavior.
Cuckoo is growing into an established but complex piece of software, and there are many features, improvements and fixes that are yet to be developed.
At Brucon, core developers, contributors and users will be able to sit down to discuss, hack, break (and possibly build) Cuckoo Sandbox and wonder about the future of fighting malware.

This workshop is sponsored by Splunk

Currently, computers are increasingly used for illicit activities. In this scenario, it is necessary for security incident response to use Computer Forensics best practices, even if no formal criminal investigation takes place. This article is about post-mortem forensics of media, especially hard disks. Several tests and evaluations can be done at each layer of abstraction in order to recover data of sufficient quality to identify evidence. This evidence can be a block of data or even a file related to the security incident being investigated, which will henceforth be treated as an artifact. It is true that performing a forensic analysis demands a methodology and also appropriate tools.

Regarding the Methodology of Analysis in Five Layers, which proposes a treatment at each layer of abstraction that allows the identification of every piece of data that can be relevant to the analysis of the incident, and to meet the need for appropriate tools, the use of FOSS tools is an interesting alternative, since the number of projects developed by this community for computer forensics is significant and of sufficient quality to allow the realization of the whole forensic computational process.
Who should attend:
Law enforcement officers, federal agents, or detectives who want to master computer forensics and expand their investigative skillset to include data breach investigations, intrusion cases, and tech-savvy cases
Incident response team members who are responding to complex security incidents/intrusions and need to utilize computer forensics to help solve their cases
Computer forensic professionals who want to solidify and expand their understanding of file system forensics and incident response related topics
Information security professionals with some background in hacker exploits, penetration testing, and incident response
Information security managers who would like to master digital forensics in order to understand information security implications and potential litigation related issues or manage investigative teams
Nowadays, nearly every day we see a new botnet going up and another one being brought down. Looking at this fact, the presenters of this talk decided that they needed a way to constantly know and visualize the status of different botnets. Then we decided we needed to go one step further, and not only understand how they were growing or shrinking, but also capture patterns between the different machines that have been compromised and multiple properties of different botnets.
After we achieved this, we decided to create a fast and useful way to use this data, so we created what we call The Cyberfeed and Project Hyperion, of which we will also be doing live demos.
On the Cyberfeed side you can access all of our data of all types, from sinkholes to portscans and even honeypots, and run different types of queries, allowing you to access only the data you need and want. Combining all of this, it can provide you with useful information that can even be used in defense.
Hyperion is where our visual modules are located; you can easily get visual geospatial information about different botnets and search for information on our portscans.

This is a workshop on hacking Excel on Windows without exploits.
Visual Basic for Applications (VBA) is a powerful programming language, more powerful than VBScript, because it has access to the Windows API. What I teach in this workshop is applicable to all applications with VBA support (Word, PowerPoint, AutoCAD, ...), but I chose Excel because of its prevalence and its tabular GUI, which is particularly suited to inputting and outputting data.
I illustrate 2 major hacking techniques on Excel: pure VBA, and VBA mixed with special shellcode and DLLs.
The advantage of hacking without exploits is that it will always work, regardless of the patch level. As long as Excel and macros are allowed to run, arbitrary code can be executed.
These techniques are interesting to hackers and pentesters, because they allow one to execute arbitrary code in a restricted environment, without creating new processes or writing DLLs to disk. Even in a whitelisted environment, where EXEs and DLLs have to be whitelisted, these techniques work as long as Excel is allowed to run and macros are not disabled.
For the pure VBA technique, I show examples of:
a Windows task manager that can kill, pause and resume Windows processes, as well as inject shellcode into these processes. This spreadsheet is also useful to clean infected PCs where malware prevents the task manager from running.
network utilities: ping, resolve, ...
installed programs list
For the mixed VBA technique, I show examples of:
a spreadsheet with embedded cmd.exe and regedit.exe. These two programs are taken from ReactOS (the open source project aiming to build a Windows XP binary-compatible OS), transformed into DLLs, and then injected into Excel's memory from memory with specially designed shellcode. This spreadsheet allows one to run an undetectable command line interpreter and registry editor in environments where such tools are restricted. This is not only usable on corporate PCs or kiosks, but (for example) also on infected PCs where malware prevents cmd.exe and regedit.exe from running.
a spreadsheet with the opensource code of putty.exe transformed into a DLL.
a spreadsheet with a port forwarder, allowing the restricted machine to be used as a proxy.
...
I will not only explain these techniques and demo these spreadsheets, but I will also explain and release the tools I designed to create these spreadsheets.
Attendees have to bring a Windows machine (physical or virtual) with Microsoft Excel (2003, 2007, 2010 or 2013, 32-bit or 64-bit). 32-bit Excel is preferred, as some examples only work on 32-bit (at the time of writing, ReactOS is 32-bit only).
A Python interpreter is also needed for attendees who want to use my tools to transform a DLL into VBA code.

All tasks involved in binary analysis can be automated. Sometimes it’s a matter of convenience and sometimes there is just no other way to do it…
From static reversing with IDA Pro to debugging with Immunity Debugger (or even without a debugger!), every task can be carried out with better performance and, more importantly, fewer headaches, by using a bit of Python.
In this 4-hour hands-on workshop you will learn how to work more efficiently and unleash the full power of several reversing tools you may already know to some extent.
Directed to
Advanced beginners in the field of binary reverse engineering who had their first contact with the tools of the trade (IDA Pro, OllyDbg, Immunity Debugger, etc.) and want to go to the next level by automating tasks and writing small scripts or plugins
To take away
First immersion in the area of reversing automation.
How to use Python to automate some tedious tasks
Lots of scripts and plugins to take home and play!
Geeky fun!
Requirements
Some knowledge in binary reversing on Windows
Basic x86 assembly knowledge would be very helpful
First exposure to tools like IDA Pro or a debugger (Olly is cool, Immunity Debugger would be better)
Basic knowledge of the Python language
So you're a network wizard, and all your packets are urgent. You nmap, and wireshark, and you're good at it. At parties people ask to see your packet tricks, and challenge you to duels.
This is a workshop/challenge born over a beer wager between two such gentlemen of networks. Chaps with finely groomed facial hair and an understanding of Braess' paradox applied to routing tables.
And what better place to settle that challenge over beer, than Brucon?
The challenge was simple, yet worthy:
Can you associate with wireless, get an IP address, set your DNS server, resolve a URL, and do an HTTP request using only SCAPY? In other words, BE THE OS at the network layer.
They didn't do it because it was cool, and they didn't do it because it was sexy (cause let's face it, it's neither). They did it to re-learn the foundations of networking and packetry. They did it to embrace the task that gives birth to deep understanding. They did it because they admire the people of the IETF who bootstrapped the internet primarily by writing and responding to text files.
Now you too, can quote RFCs. You too, can improve your SCAPY skills in a single day. You too, can make obscure packet jokes.
More importantly, this workshop will test you on things you *think* you know. The gentlemen in question thought they were pen-test badasses, until they humbled themselves on the foundations of networking.
Are you ready to school these two legendary gentlemen on what they think they already know?
This will be half workshop, half personal challenge. The two hosts were born out of the hacker spaces, where everyone is a teacher and everyone is a student. This is simply a continuation of that ethos.
Requirements:
A desire to learn and participate and share.
A laptop with SCAPY installed (http://secdev.org/projects/scapy/doc/installation.html)
.NET has been around forever, yet the amount of tutorials and documentation covering its analysis is rather diffuse. It's time to give it the beatdown it deserves.
This talk will cover the current state of the art in .NET reversing, from the PE format of .NET assemblies through various types of obfuscation, and into reversing tools and techniques. Finally, we'll demo how to modify the behavior of an obfuscated .NET binary by injecting new code.

Penetration testing came about because of real world attacks. The industry quickly realized that we need to behave like the attackers to learn how to defend against attackers, and thus the penetration testing industry was born. Back then the approach to attacks was very paint-by-numbers. If an exploit was found it was released in raw format, possibly/probably perfected by others, and released again. Our methodologies and detections for defense against these attacks were derived from this type of approach. This approach became very paint-by-numbers! The initial training on this concept was derived from real world attacks, and we have evolved that training, but a few years ago we stopped quickly mimicking the real attackers. Why did we do this? It isn’t because as an industry we didn’t want to advance it, but because it became very difficult to. Why so difficult? Because the times have changed, and people are not just giving out things like they used to. Attackers don’t take that approach. They find a vulnerability/exploit and treat it as very special: they understand it, they research all aspects of it, and then they weaponize it. This approach takes time and money, and makes a Monet. Yes, there are plenty of lookalike Monet paintings, but none have the brush stroke characteristics that true Monet paintings do. Our current approach to detecting and resembling real attacks is still very paint-by-numbers. Our commercial off-the-shelf tools are great tools, and can help something look like a Monet, but when you look at the brush strokes you can see it is a paint-by-numbers.
We will be reviewing some Tactics, Techniques, and Procedures (TTP) scenarios from real world attacks and showing the not-so-common differences between true attacker TTPs and current penetration testing methodologies, TTPs, and tools. This talk will focus on the binary aspects of these scenarios to show significant differences and some similarities of current attack patterns. This presentation is designed to show viewers the very low-level details that we are overlooking in how to replicate true malicious attackers. The common trend of using off-the-shelf tools to conduct penetration tests has replaced a significant amount of tool writing, which has helped and will help the industry, but this has come at an expense as well.
Millions of new malware samples are identified each week, but most are simply variants of well-known families. Finding a means to automatically group these families enables researchers to focus their time on the truly interesting samples. Machine learning clustering algorithms are perfect for this task. WINTER CLUSTER is a four hour, hands-on workshop that introduces machine learning and malware analysis. Students will build a foundation on these topics and create an interactive malware clustering tool from scratch. After the conference, attendees can immediately integrate “the Agglomerator” into their real-world or R&D environments.
The first hour of the workshop provides the students with a taste of machine learning. WINTER CLUSTER covers both classification and clustering algorithms, but focuses on the intuition behind each approach. In the first lab session, students work with an industrial-grade machine learning toolkit to rapidly triage a large dataset and identify threats.
The second hour of the workshop has students dive into malware analysis. WINTER CLUSTER presents common techniques for static and dynamic analysis. Throughout this session, the authors place an emphasis on identifying features appropriate for machine learning algorithms. In this session, students dissect real malware and manually identify similarities among the samples.
After a break, the third and fourth hour of the workshop takes the newly formed expertise and applies it towards the problem: "How can we handle a firehose of malware?". Students build an automated malware clustering tool that discovers relationships among samples. As they identify and extract robust features, the tool agglomerates binaries into families. WINTER CLUSTER concludes by exploring how attendees can implement a similar system in their research or professional environment.
Attendees of the workshop are encouraged to bring a laptop with VMware in order to participate in the labs. The speakers will provide a virtual machine with all required software and frameworks.

High-speed network design separates components into a "fast-path" and a "slow-path". An example might be "software defined networks", where software controls how a switch forwards network traffic. One set of terminology calls this the "data-plane" and "control-plane".
This is a great metaphor for cybersecurity. The "data-plane" is exposed to hackers, and must withstand constant hacker attack while keeping up with link-speed traffic. The "control-plane" is hidden from hacker attack, using firewalls or non-routable IP addresses.
My DNS server is a "data-plane" DNS. It's based upon an in-memory table that is lost on a power outage. It doesn't store information in a SQL server with transaction logging. Because of this, it can be 10x or even 100x as fast. This is a great attribute for the "data-plane", but a horrible attribute for the "control-plane".
Its role is to be a "slave" to a "hidden master" server running software like BIND10. The design proposed by this talk is that all DNS exposed to the Internet should consist of slave DNS servers, and that all primary master servers should be hidden from the Internet.
From a DNS point of view, I'll show how UPDATE, NOTIFY, and AXFR/IXFR mechanisms work to maintain this structure.
This idea isn't necessarily new; it's just that it hasn't been formalized. People already use caching front-ends for hidden webservers, or separate 10.x.x.x private networks for controlling their public infrastructure routers. The purpose of this talk is to provide a more formal, rigorous discussion of this idea. For example, I'll demonstrate how the custom TCP/IP stack in my DNS server, which bypasses the operating-system stack, serves this "data plane" purpose.
Geolocation of mobile devices (MS) by the network has always been considered of interest, for example, to locate people in distress calling an emergency number, and so the GSM standard provides different location services (LCS), some network-based, and some MS-based or MS-assisted.
OK, but what if a third party, without access to the network, was interested in knowing the exact position of a particular MS? Could he or she locate it?
In this presentation we will show that this is indeed possible, even if the MS does not want to be found, meaning that the device has all its location services deactivated. We will demonstrate a system we designed and built for this purpose, that can be operated in any standard vehicle, and which can pinpoint the exact location of any target MS in a radius of approximately 2 kilometers around the vehicle.
Yet, the main focus of the presentation will not so much be the system itself as it will be the process we followed for its design and implementation. We will describe in detail the many technical difficulties that we encountered along the way and how we tackled them.
We believe this can be useful for people embarking on similar research projects.
Obviously, a system like this cannot be demonstrated live in the room (it would be quite illegal), but we will show videos of the different consoles of the system, operating in different environments.