Black Hat DC 2010 //Media Archives

Hyatt Regency Crystal City • Jan 31 - Feb 3


white paper document

audio recording

video recording


source material

Event AUDIO & VIDEO: The Source of Knowledge will be onsite to sell audio and video recordings of the Briefings sessions. Their booth will be located outside of the Fourth Floor (Promenade Level), Emperor's Ballroom. You can download the order form here or purchase the media onsite: [ PDF ]

Chema Alonso & Jose Palazon

Connection String Parameter Pollution Attacks

This session is about Parameter Pollution in Connection Strings Attack. Today, a lot of tools and web applications allow users to configure dynamically a connection against a Database server. This session will demonstrate the high risk in doing this insecurely. This session will show how to steal, in Microsoft Internet Information Services, the user account credential, how to get access to this web applications impersonating the connection and taking advance of the web server credentials and how to connect against internal databases servers in the DMZ without credentials. The impact of these techniques are specially dangerous in hosting companies which allow customers to connect against control panels to configure databases.

Jorge Luis Alvarez Medina

Internet Explorer turns your personal computer into a public file server

In this presentation we will show how an attacker can read every file of your file system if you are using Internet Explorer. This attack leverages different design features of Internet Explorer entailing security risks that, while low if considered isolated, lead to interesting attack vectors when combined altogether. We will also disclose and demonstrate proof of concept code developed for the scenarios proposed.

Colin Ames & David Kerb

Neurosurgery With Meterpreter

A crucial step in post-exploitation technology is memory manipulation. Metasploit's Meterpreter provides a robust platform and API on which to build memory exploitation tools to assist the attacker in post-exploitation tasks. This talk will cover several examples of memory manipulation using meterpreter and introduce an extension to aid post-exploitation activities.

We will demonstrate the extraction of unique process memory to analyze for valuable information such as passwords. We will also demonstrate the injection of utilities into a processes memory in order to alter execution flow to provide new "features" like Putty Hijack. Another example that will be covered is interacting with the lsass process memory in order to steal windows session hashes required for pass the hash. Finally we will discuss the use of meterpreter to patch process memory in order to introduce vulnerabilities which can be leveraged for things such as persistence.

Another form of "memory" is the knowledge a host has about its network environment. This presentation will discuss the utilization of a meterpreter extension to automate and facilitate passive network reconnaissance over time, allowing for smart network data acquisition and analysis.


Advanced Command Injection Exploitation: cmd.exe in the '00s

Command injection vulnerabilities have always been a neglected vulnerability class when it comes to exploitation. Many researchers simply view command injection bugs as a direct interface with a shell. While this is true, much more complex tasks can be achieved rather than just executing commands. The purpose of this talk is to discuss the advanced techniques to exploit command injection bugs to leverage more out of these types of vulnerabilities than just a shell. The techniques covered in this talk will show examples of taking a command injection bug and turning it into full native payload execution.

Mike Bailey

Neat, New, and Ridiculous Flash Hacks

Flash is scary stuff. It's installed on just about everybody's web browser, used everywhere, and has a poor security track record. Even within the web application security community, its quirks are poorly understood. Known and intentional behavior can have serious consequences which merit exploration.

This talk is a discussion of new flash-based attacks, repurposing of old attacks, and demonstrations of working (and sometimes ridiculously complex) attacks on Gmail, Twitter, and other major websites.

Dionysus Blazakis

Interpreter Exploitation: Pointer Inference and JIT Spraying

As remote exploits have dwindled and perimeter defenses have become the standard, remote client-side attacks are the next best choice for an attacker. Modern Windows operating systems have quelled the explosion of client-side vulnerabilities using mitigation techniques such as data execution prevention (DEP) and address space layout randomization (ASLR). This work will illustrate two novel techniques to bypass DEP and ASLR mitigations. These techniques leverage the attack surface exposed by the advanced script interpreters or virtual machines commonly accessible within the browser. The first technique, pointer inference, is used to find the memory address of a string of shellcode within the ActionScript interpreter despite ASLR. The second technique, JIT spraying, is used to write shellcode to executable memory by leveraging predictable behaviors of the ActionScript JIT compiler bypassing DEP. Future research directions and countermeasures for interpreter implementers are discussed.

Bill Blunden

An Uninvited Guest (Who Won’t Go Home)

While there are a multitude of battle-tested forensic tools that focus on disk storage, the domain of memory analysis is still emerging. In fact, even the engineers who work at companies that sell memory-related tools have been known to admit that the percentage of investigators who perform an in-depth examination of memory is relatively small. In light of this, staying memory resident is a viable strategy for rootkit deployment. The problem then becomes a matter of remaining inconspicuous and finding novel ways to survive a system restart. In this presentation I’ll look at rootkit technology that tackles both of these issues on the Windows platform.

Elie Bursztein and Jean-Michel Picod

Reversing DPAPI and Stealing Windows Secrets Offline

The Data Protection API (DPAPI) plays a key role in Windows security: This API is meant to be the standard way on Windows OS to store encrypted data on the disk. DPAPI is used by many popular applications including Internet Explorer, Google Talk, Google Chrome, Skype, MSN (6.5-7) to encrypt their passwords. It is also used by Windows itself to store sensitive information such as EFS certificates and and Wifi (WEP and WPA) keys.

DPAPI use very opaque structures to store these encrypted data on disk and the available documentation is very sparse. Therefore prior to our work it was impossible to extract and analyze these secrets offline for forensic purpose. This is a particular huge issue for files encrypted using EFS because unless the EFS certificate protected by DPAPI is recovered these files can’t be decrypted and analyzed.

To address these issues, we did reverse the DPAPI and in this presentation will provide a complete walkthrough DPAPI and its structures. Afterward armed with this knowledge, anyone interested in windows forensic will be able to deal with data stored with DPAPI. We will cover the change made by Microsoft from Windows XP up to Windows Seven. Finally we will demonstrate and release DPAPick ( which we believe, is the first tool that allows to decrypt offline data encrypted with DPAPI.

David Byrne and Rohini Sulatycki

Beware of Serialized GUI Objects Bearing Data

This presentation will highlight 0-days in Apache MyFaces and Sun Mojarra that allow an attacker to access all server-side session data, as well as some globally-scoped application variables. This presentation will provide a live demonstration of the flaws. The tool used to exploit the vulnerability will also be released.

A similar vulnerability is present in Microsoft's ASP.Net view state. This may not technically be an 0-day, but it is a poorly known flaw that has been present since the beginning days of .Net. A live demonstration of this will also be performed.

Tom Cross

Exploiting Lawful Intercept to Wiretap the Internet

Many governments require telecommunications companies to provide interfaces that law enforcement can use to monitor their customer's communications. If these interfaces are poorly designed, implemented, or managed they can provide a backdoor for attackers to perform surveillance without lawful authorization. Most lawful intercept technology is proprietary and difficult to peer review. Fortunately, Cisco has published the core architecture of it's lawful intercept technology in an Internet Draft and a number of public configuration guides.

This talk will review Cisco's architecture for lawful intercept from a security perspective. The talk will explain how a number of different weaknesses in its design coupled with publicly disclosed security vulnerabilities could enable a malicious person to access the interface and spy on communications without leaving a trace. The talk will explain what steps network operators need to take to protect this interface. The talk will also provide a set of recommendations for the redesign of the interface as well as SNMP authentication in general to better mitigate the security risks.


Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework

Sometimes you need to choose your exploits precisely and be careful about the packets you write to the wire. Sometimes you just want to type a command, go get some coffee, and come back to a pile of shells. This talk will cover the means that the Metasploit Framework provides for accomplishing both of these goals, including many advancements from my talk at Black Hat USA in the realm of client-side exploitation.

Andrew Fried

Whose Internet is it, anyway?

Malware injecting emails and websites have reached epidemic proportions on the Internet. Virtually all spam originates from bot-infected systems, which have the capacity to send out millions of emails per hour. The sites hosting malware are often part of large fast flux botnets that are geographically dispersed and change with great frequency. The threats have gotten larger; they hit victims faster and have been causing unprecedented losses.

Historically, the primary defense against these attacks has been the anti-virus program. Today, however, antivirus products no longer provide adequate protection – detection rates of less than 20% are commonly seen on newly discovered malware.

The detection, suppression and mitigation of these threats require timely and coordinated efforts between security researchers, anti-virus/content filter vendors, realtime blackhole list maintainers and domain registrars/registries.

This presentation will provide a rare glimpse "behind the curtain" of the efforts undertaken by security researchers (represented by Internet Systems Consortium), domain registrars (represented by GoDaddy) and realtime blackhole providers (represented by The Spamhaus Project and SURBL).

Joe Grand

Hardware is the New Software

Society thrives on an ever increasing use of technology. Electronics are embedded into nearly everything we touch. Hardware products are being relied on for security-related applications and are inherently trusted, though many are completely susceptible to compromise with simple classes of attacks that have been known for decades.

Bolstered by the flourishing hobbyist electronics/do-it-yourself movement, easy access to equipment, and realtime information sharing courtesy of the internet, hardware is an area of computer security that can no longer be overlooked. In this session, Joe will explore the hardware hacking process and share some of his favorite attacks against electronic devices.

Christian Kendi

Enhancing ZFS

ZFS is a revolutionary Open Source file system with many capabilities. Snapshots and Storage pools open new ways on how to store data. Attacking the most valuable assets of a company, their data.

This Talk will focus on how to enhance ZFS and the Solaris Kernel by hijacking ZFS kernel symbols. Furthermore, a demo will be given a new 0day technique will be revealed on how to hide file systems and entire store pools from forensics.

Mike Kershaw

Wireless security isn't dead; Attacking clients with MSF

We've figured out how to defend wireless access points, but clients remain exposed. A look at new attacks against clients using old methods we'd all forgotten about and new methods leveraging Metasploit. This talk will include pre-owning clients before vpn authentication, new ways of using gifars, crossdomain.xml attacks and more.

Vincenzo Iozzo

0-Knowledge Fuzzing

Nowadays fuzzing is a pretty common technique used both by attackers and software developers. Currently known techniques usually involve knowing the protocol/format that needs to be fuzzed and having a basic understanding of how the user input is processed inside the binary.

In the past since fuzzing was little-used obtaining good results with a small amount of effort was possible. Today finding bugs requires digging a lot inside the code and the user-input as common vulnerabilies are already identified and fixed by developers.

This talk will present an idea on how to effectively fuzz with no knowledge of the user-input and the binary. Specifically the talk will demonstrate how techniques like code coverage, data tainting and in-memory fuzzing allow to build a smart fuzzer with no need to instrument it.

David Litchfield

Hacking Oracle 11g

Joshua Marpet

Physical Security in a Networked World: Video Analytics, Video Surveillance, and You.

Video Analytics is a component of many advanced video surveillance systems. It includes such well known features as License Plate Recognition and Facial Recognition. Does it actually work? How well does it work? How can you hack it? How can you access it?

Video surveillance is becoming more and more prevalent in our world, with some estimates showing that walking down Bourbon Street in New Orleans gets you photographed or videoed 3 times for every step you take. Are these systems legal? Who can see that video, or publish it? Is there a way to take advantage of the huge amount of video cameras?

You'll find out.

Joseph Menn

Hacking Russia: Inside An Unprecedented Prosecution of Organized Cybercrime

Almost all of the talk from Western law enforcement agencies of signs of cooperation by Russian authorities in the pursuit of master cybercriminals is an expression of hope, not experience. There is one major documented exception: the 2006 prosecution, conviction and imprisonment of three members of a criminal ring that organized and carried out dozens of denial-of-service attacks on business websites worldwide as part of an extensive extortion racket. Why that case succeeded where all others failed--and why its success has never been replicated, has never been explained. Based on years of research including the only interviews with Russian authorities and the British police detective sent to work with the MVD, author and Financial Times correspondent Joseph Menn gives the highlights of the account in his just-published book, FATAL SYSTEM ERROR: The Hunt for the New Crime Lords Who Are Bringing Down the Internet.

HD Moore

Metasploit and Money

In 2008 Metasploit expanded from a community-run project to a corporate product managed by Rapid7. This talk focuses on the transition, the lessons learned during the acquisition process, the challenges of maintaining a community, and the latest improvements to the Metasploit Framework. The points covered in this talk are valuable for anyone building an open-source product, contemplating the purchase of one, or considering using an open source product to build a commercial application.

Leonardo Nve

Playing in a Satellite Environment 1.2

This presentation is a warning call to those responsible for the companies that use or provide data connection (especially the Internet) via satellite, proving some of the attacks that are possible in this environment.

Deviant Ollam

The Four Types of Lock

Physical security is an oft-overlooked component of data and system security in the technology world. You can have the most hardened servers and network but that doesn't make the slightest difference if someone can gain direct access to a console keyboard or, worse yet, march your hardware right out the door. While numerous ratings and standards exist in order classify specific security hardware, many of these standards are ill-defined and poorly-understood. Do you know what makes a "hardened" or "contractor grade" lock special? What does the phrase "high security" signify on hardware packaging? As it turns out, many of these terms are just for show... but Deviant will walk you step-by-step through some distinct and easy-to-follow examples of how low-grade locks can fail as well as how to clearly identify quality equipment. Additionally, we will cover the more difficult matter of hardware purchase decisions at the highest levels... fine distinctions such as which locks belong on the CEO's office versus which ones to use on your server rooms. Every situation calls for something a bit different, and those differences add up when you're spending $100 or more per lock. Make your money count and keep your budget, and your data, secure.

Nicholas J. Percoco

Global Security Report 2010

From January 1, 2009 to December 31, 2009, we performed approximately 2000* penetration tests (network, application, wireless, and physical) for organizations ranging from the largest companies on the planet to nimble start-ups. In addition, we also performed around 200* security incident and compromise investigations for organizations located in nearly 20 different countries around the world.

The data we have gathered from these engagements is substantial and comprehensive. This presentation will be the first viewing of the results of the analysis of the data gathered during 2009. The results will be presented both technical and business impact analysis with an emphasis on technical for the Black Hat audience.

This presentation will coincide with the release of the paper with the same title. The paper will be released after the conclusion of the talk.

* Trending numbers as of November 5, 2009.

Shane Powell

Cyber Effects Prediction

Once the sole domain of military planners, public sector organizations must begin to understand the extent to which cyber attacks may affect their ability to conduct mission essential operations. Various information security regulations and standards aid organizations with configuring information systems securely. Common processes are used to assess system vulnerabilities and assign risk. However, vulnerability and risk assessments can easily mislead system owners into a false sense of security. While vulnerabilities can be patched and risks may be mitigated, the end result is inevitable that someone must accept responsibility should their organization fall prey to cyber attack through exposures that remain.

The approach to Cyber Effects Prediction proposed in this paper harnesses traditional and emerging analytic methods to provide a deep understanding of the actual security state of an organization’s information system. Cyber Effects Prediction harnesses detailed knowledge of how an organization’s information systems are configured, business operations, continuity of operations planning, and external relationships. Determination can be made from this information of how information systems will likely be attacked, allowing for prediction of the cascading effects that result from successful cyber attack.

Knowledge derived from Cyber Effects Prediction allows for:

  • Understanding System Security Baseline Configurations
  • Assigning System Criticality According to Organizational Mission
  • Understanding Internal, External, or Hybrid Organizational Exposures to Cyber Attack
  • Understanding the Reach of Cyber Attacks Vectors crossing Organizational Exposures
  • Identifying Primary (Direct) Cyber Effects Affecting Systems
  • Predicting Secondary (Internally Cascading) Cyber Effects Affecting Distributed Services
  • Postulating Tertiary (Externally Cascading) Cyber Effects Affecting Operations and Mission
  • Demonstrating System Vulnerabilities through Targeted Penetration Testing
  • Identifying and Prioritizing Remediation Actions
  • Allocating Resources Efficiently in Support of Remediation Actions
  • Calculating Residual Risk either Qualitatively, or More Importantly, Quantitatively

The methodology described focuses on applying Cyber Effects Prediction to the defense of information systems.

Jason Ross

Malware Analysis for the Enterprise

Your organization has Anti-Virus deployed and is logging virus activity to a central location. Your IDS is watching the perimeter, and you have your systems on a regular patch cycle. Malware doesn't affect you, right?


This presentation shows where these technologies are falling short and why malware analysis is quickly becoming a need for companies other than Anti Virus vendors. We'll discuss the pros and cons to virtual machines and bare metal as they apply to the purpose of analyzing malicious software.

After talking about the "why", we'll move on to the "how" and walk through setting up a sandnet, or "virtual internet", comprised of a victim host and a server running multiple services so that you can:

  • Observe Operating System changes made by malware
  • Capture network traffic being sent by the compromised host
  • Intercept DNS calls and redirect them to services you control
  • Set up netcat to interact with unknown protocols

Using these methods, an organization can determine exactly what has been compromised on a host, and more importantly, determine where their data is going.

Armed with accurate information as a result of analyzing the malware an effective response to the incident can be formed.

Nicolas Seriot

iPhone Privacy

The iPhone business model relies on consumers’ trust in a closed ecosystem.

According to Apple: "Applications on the device are sandboxed so they cannot access data stored by other applications. In addition, system files, resources, and the kernel are shielded from the user's application space."

This presentation will discuss iPhone privacy issues and challenge Apple's stance and assertions regarding iPhone security.

The presentation will also show how a rogue application can access substantial quantities of personal data on an unmodified device and expose how it could go unnoticed in spite of AppStore tight reviews.

Val Smith & chris

Why Black Hats Always Win

From the origins of hacking and black hat hackers a new industry called penetration testing has evolved. Penetration testing is intended to emulate a real attacker in order to uncover what vulnerabilities an organization may have that could put them at risk so they can be fixed. This has led to the term "White Hat Hacker" being used to describe those who perform these tests. However the goals of a White Hat differ greatly from the goals of a Black Hat, as do the mindsets. This presentation will describe these differences as well as some of the things black hats have to consider that white hats may not even be aware of. This paper will explain why black hats have the advantage over white hats and why the penetration industry has to change. The take away from this presentation is that current common penetration methodologies are ineffective in demonstrating the actual risk and threats that exist and hopefully provide some insight into how real attacks actually work from the point of view of a black hat.

Kevin Stevens

The Underground Economy of the Pay-Per-Install (PPI) Business

This presentation shows how hackers are recruiting hundreds of affiliates to join their Pay Per Install Affiliate Programs. While purporting to be programs that merely install adware, they are actually scams to install some of the most malicious malware and spyware out on the market today.

I will present different PPI programs as well as the forums where there are guides posted and tips on how to be successful in this business. I will also uncover some of the details of the people running these sites and some stats on how much money is being made.

Matthieu Suiche

Advanced Mac OS X Physical Memory Analysis

In 2008 and 2009, companies and governments interests for Microsoft Windows physical memory growled significantly. Now it is time to talk about Mac OS X. This talk will describe basis of Mac OS X Kernel Internals (and not a XNU kernel creation timeline) and how to retrieve various information like machine information, mounted file systems, processes listing and extraction and threads, kernel extensions listing and extraction and Rootkit detection.

Bryan Sullivan

Agile Security; or, How to Defend Applications with Five-Day-Long Release Cycles

Some security experts would have you believe that it is "impossible" to implement secure development practices in organizations using Agile development methodologies. Admittedly, the use of Agile does pose some challenges to traditional Security Development Lifecycle (SDL) processes—challenges such as meteorically short release cycles, infinitely long product lifetimes (as in the case of cloud applications), and a general You-Ain't-Gonna-Need-It aversion to planning mentality. However, despite these challenges, securing Agile projects is not impossible. SDL and Agile can be made to work well together, and in many ways they can actually work better together than they can separately.

This session will detail the process changes that the Microsoft SDL team has made to improve the applicability of the SDL to Agile development methodologies. We will discuss key challenges faced in adapting secure development practices to Agile and how they were overcome, and we will discuss inherent strengths of Agile that work exceptionally well with the SDL and can potentially lead to a best-of-both-worlds scenario.

Christopher Tarnovsky

Hacking the Smartcard Chip

From start to finish, we will walk through how a current generation smartcard was successfully compromised. The talk will discuss everything that was required in the order the events took place. We will cram several months into an hour!

PS- The talk will be very technical mixed hardware and software (60% hardware, 40% software).

Stefano Zanero & Paolo Milani Comparetti

The WOMBAT API: querying a global network of advanced honeypots

In this talk we will report on the the advances we made in building an automatic, global network which can perform early warning, automatic classification and analysis of malware and exploits as they propagate, or are used, worldwide. After analyzing briefly the WOMBAT project in its 3-year outlook, we will introduce some key advances already realized, among which behavioral analysis and specification languages, and the WOMBAT APIs, a set of APIs meant for the analysts and researcher to be able to query the WOMBAT datasets in a seamless manner.

We will show how easy it is, for external projects, to use our APIs to query our datasets; or to give access to their data through the WAPI.

This talk is also open for contribution from the audience on the future directions of the WOMBAT project.