Black Hat Windows Security 2003
Current Organization and Media Sponsors for Black Hat Briefings Windows 2003
David Aitel

Erik Birkholz

Timothy Bollefer

Mark Burnett

Cesar Cerrudo

Scott Culp

Stephen Dugan

Halvar Flake


Jeremiah Grossman

Riley Hassell

Michael Howard

Dan Kaminsky

Curtis E. A. Karnow

Yoshiaki Komoriya

David LeBlanc

Larry Leibrock

David Litchfield

Haroon Meer

Drew Miller

Michael Muckin

Tim Mullen

Aaron Newman

Steve Riley

Marc Schöenefeld

Eric Schultze

Hidenobu Seki

Saumil Udayan Shah

Charl van der Walt

Interested in obtaining a set of the Windows Security 2003 Briefings printed conference proceedings or CD? Limited numbers are now available for purchase. Bonus gift will be included with any printed conference proceedings order.

detailske me
Topic descriptions are listed alphabetically by speaker. If you want to purchase complete video or audio of a conference, or just a specific speaker please visit The Sound of Knowledge website. They have video tapes and CD Roms of video and audio.

Note: Most presentations are Acrobat PDFs which will require Acrobat Reader 5 or newer to be viewed.

Vivisection of an Exploit Development Process: What To Do When It's Not Easy
David Aitel, Immunity, Inc.
[ Deep Knowledge ]

Dave will take you from beginning to end in the development of the Microsoft Content Server buffer overflow vulnerability. This talk will go over each stage of the attack, with each problem directly addressed, including shellcode, unicode filtering, and executing multiple stage attacks.

Prerequisites: Basic knowledge of x86 assembly or the ability to learn it on the fly.

Dave Aitel has spent 3 years in the private sector researching vulnerabilities, after six years working with the NSA. He is currently running Immunity, Inc., a NYC based consulting and security services firm. Immunity is best known for its donations of SPIKE and SPIKE Proxy to the security community.

Return to the top of the page

Surviving OpenHack IV: Yes, You Can Do It With Microsoft Technology
Timothy Bollefer, Senior Technologist with the Microsoft Security Strategies Team
Steve Riley, Microsoft Senior Consultant, MCS Trustworthy Computing Services
[ .NET nka Windows Server 2003 ]

In October 2002 Microsoft participated in eWeek's OpenHack IV competition, an online contest designed to test enterprise security by exposing systems to the real-world rigors of the Web. Microsoft developed its sample application using the .NET Framework and XML web services and hosted it on Windows 2000 AS, IIS 5.0, and SQL Server 2000. The system withstood over 82,500 attacks and emerged unscathed. Attempted breaches included cross-site scripting attacks, dynamic web page source disclosure, web page defacement, posting malicious SQL commands to the database, and credit card number theft. This session will explain how the system was built and configured and will walk through the steps you can use to similarly secure your own systems.

Steve Riley is a Microsoft senior consultant with the MCS Trustworthy Computing Services practice in Redmond, Washington, a worldwide group that works at all levels of information security assessment, development, and implementation. Steve specializes in network and host security, communication protocols, network design, and information security policies and process. He has conducted security assessments and risk analyses, deployed technologies for prevention and detection, and designed highly available network architectures for many Microsoft customers. Steve grew up in networking and telecommunications; the simple telephone still provides endless hours of exploratory joy.

Timothy Bollefer is a Senior Technologist with the Microsoft Security Strategies Team led by Scott Charney. His responsibilities include threat assessment, product & infrastructure review, and technology evaluation. His ten year tenure with Microsoft includes several years as an engineer within their internal technology group designing and implementing solutions for Microsoft business units.

FrontPage Server Extensions on Windows Server 2003
Mark Burnett, Independent IIS Security Consultant and Author
[ .NET nka Windows Server 2003 ]

The FrontPage Server Extensions (FPSE) have always had a bad reputation when it comes to security. As administrators try to eliminate it, Microsoft continues to integrate it into other products such as MS Office, SharePoint, MS Project, and now Windows Server 2003. With a confusing security model, sparse documentation, and difficulty in configuration, the FPSE are a significant risk. But they are definitely here to stay. Nonetheless, most admins do not understand them.

This presentation will cover points such as:

  • Are the FPSE really as insecure as everyone says?
  • What are the real risks with FPSE?
  • What are some even bigger risks with the FPSE?
  • What are some ways to exploit the FPSE?
  • Decoding vti_rpc
  • Cool vti_rpc tricks
  • Introducing my vti_rpc tool
  • Exploiting backwards compatibility
  • Finding unprotected FPSE sites
  • Info gathering through the FPSE
  • Getting directory listings through the FPSE
  • Microsoft's fix for the htimage.exe and imagemap.exe problems.
  • The real fix for the htimage.exe and imagemap.exe problems.
  • Exploiting FP forms and databases.
  • How does the FPSE security model work?
  • Are shtml.dll, author.dll, and admin.dll all the same file?
  • Why can't you uninstall FPSE?
  • How can you move the FPSE?
  • How can you remove the FPSE?
  • How to use them safely
  • Spotting FPSE hacks
  • New Snort rules for FPSE
  • Using Snort for FPSE logging
  • Finding the proper FPSE updates
  • Hacking SharePoint services
  • Hacking FPSE on Windows Server 2003

The tools I will release at the conference are:

  • A scanner for finding unprotected FPSE sites
  • A script for gathering server info through FPSE
  • A script to find all FPSE holes on a server
  • A windows program for sending vti_rpc commands to a server
  • A new set of Snort rules that are much more accurate and specific
    than the current rules

Mark Burnett is an independent IIS security consultant and author. He has written for Windows and .NET Magazine, Security Administrator, Windows Web Solutions, Information Security Magazine, and Mark is co-author of Maximum Windows 2000 Security (SAMS) and Special Ops: Host and Network Security for Microsoft, Unix, and Oracle (Syngress). He also contributed the IIS chapter for Dr. Tom Shinder's ISA Server & Beyond (Syngress). Mark is editor and author at

Return to the top of the page

Hunting Flaws in MS SQL Server
Cesar Cerrudo
Aaron Newman,
Founder & Chief Technology Officer of Application Security, Inc (ASI)
[ IIS, SQL, ISA, etc ]

This talk will show many new SQL Server vulnerabilities and how they were found. Also it will detail SQL Server improvements added in the new SQL Server 2000 SP3 release to fix these vulnerabilities. We will be releasing a new tool to exploit SQL injection with techniques described in paper Manipulating MS SQL Server using SQL injection.

Cesar Cerrudo is an Analyst Programmer and security nresearched from Argentina, specializing in application security. He has found major holes in MS SQL Server and other MS products (included MS web sites) and helped Microsoft to improve SQL Server security. Cesar has worked for Application Security Inc. as an independant consultant.

Aaron Newman is the Founder and Chief Technology Officer of Application Security, Inc (ASI). Widely regarded as one of the world's foremost database security experts, Aaron co-authored a book on Oracle security for Oracle press and has delivered presentations on database security around the world.

Prior to founding ASI, Aaron founded several other security companies, including DbSecure, the pioneers in database security vulnerability assessment, and ACN Software Systems, a database security consulting firm. Aaron has spent the last decade managing and designing database security solutions, researching database vulnerabilities, and pioneering new markets in database security.

Aaron also worked for Intrusion Detection where he developed both intrusion detection and security assessment solutions for Windows NT. Aaron has held several other positions in technology consulting with Price Waterhouse, Internet Security Systems, and Banker's Trust.

Return to the top of the page

Trustworthy Computing Update
Scott Culp, Security Stategist, Microsoft's Trustworthy Computing Team
[ Keynote ]

Microsoft announced its Trustworthy Computing Initiative just over a year ago. What's happened since then? What's yet to come? Scott Culp of Microsoft's Trustworthy Computing Team will describe the progress of the Initiative so far, lessons learned, and next steps.

Scott Culp has worked in various security-related fields during his 20-year career, including communications security, cryptography, and network defense. In 1998, he joined Microsoft and established the Microsoft Security Response Center, where he worked until recently joining the Trustworthy Computing Team under Chief Security Strategist Scott Charney.

Return to the top of the page

$tea£ing with BGP
Stephen Dugan, CCSI
[ Networking & Integration ]

This talk will illustrate the vast amount of harm that could be done IF the BGP routing tables were manipulated. BGP, the routing protocol used between ISPs, is used to maintain the routing and Autonomous System Path information throughout the entire internet. Currently there are around 120,000 networks, subnets, and aggregates in the BGP tables. The inadequacies of BGP-4 have been obvious since a time shortly after being drawn up on a napkin. If we continue to use BGP as-is we will suffer much bigger problems than what happened with AS7007 (Florida ISP took down most /24 prefixes). S-BGP has been in draft form for much too long. BGP can be effectively used for DoS attacks, Server Masquerading, or bring down large sections of the internet. By illustrating the most harmful possibilities of BGP misuse, we might be able to push for a better BGP solution today.

Stephen Dugan is currently an independent contract instructor and network engineer. He has been teaching Cisco networking for the last 3 years focusing on Router and Switch configuration, Voice/Data integration, and Network Security. His students come mostly from Fortune 500 companies and large service providers. He also teaches private internal classes to Cisco Employees. As a Sr. Network Engineer he has worked on the design and implementation of large enterprise, government contractor, and service provider networks. He is also working on a new series of security books entitled "Hacker Attacktecs." The first three planned books will cover Windows, Unix/Linux, and Cisco exploits and how to defend against them.

Return to the top of the page

Graph-Based Binary Analysis
Halvar Flake, Reverse Engineer, Black Hat Consulting
[ Deep Knowledge ]

Though many Servers run Open-Source solutions these days, a lot of the critical infrastructure consists of commercial closed-source software: From IDS Sensors over VPN Gateways and Enterprise Database Servers to large Firewalls: Closed Source is still everywhere. An attacker who is proficient at reverse engineering can - given the right amount of time - find bugs in these critical programs and then attack the network with undisclosed bugs - which is every administrators Nightmare.

Binary analysis is a time-consuming and tedious process, and few people outside of government agencies are proficient at it. Even fewer people realize that a large part of the analysis process can be automated, and that binary analysis can at times even come up to the speed of source code analysis.

This presentation will explain some concepts & tools which can drastically improve the performance of a the reverse engineer when trying to find security-critical vulnerabilites such as buffer overruns. Various ideas and their implementation will be discussed- from graph-coloring using an interface to running a debugger to analysis of flowgraphs to automatically find buffer overruns.

The tools & methodologies presented will be tested 'in the wild' by letting them run over a few major commercial software packages.

Halvar Flake is Black Hat's new resident reverse engineer. Originating in the fields of copy protection and digital rights management, he gravitated more and more towards network securityover time as he realized that constructive copy protection is more or less fighting windmills. After writing his first few exploits he was hooked and realized that reverse engineering experience is a very handy asset when dealing with COTS software. With extensive experience in reverse engineering, network security, penetration testing and exploit development he recently joined BlackHat as their main reverse engineer.

Return to the top of the page

Attacking Network Embedded Systems
FX, Phenoelit
[ Networking & Integration ]

The speech covers design issues and software vulnerabilities in embedded systems. The exploitation of design failures will be presented using HP network printers as an example - including getting access up to the point where the printer becomes an attack platform itself. Additionally, exploitation of software vulnerabilities will be covered by discussing multiple ways to write actual exploits for Cisco Internetwork Operating System (IOS)

FX is member of the German Phenoelit group. The group's primary interest is in the (in)security of more or less widely used protocols and devices outside of the domain of general purpose operating systems. Phenoelit is well known at Cisco Systems Inc. FX currently works as Security Consultant for n.runs GmbH.

Return to the top of the page

Web Application Security
"Reconnaissance, Exploitation, and Investigation"
Jeremiah Grossman, Founder & CEO of WhiteHat Security, Inc. and former Yahoo! Information Security Officer
Bill Pennington, CISSP, CCNA, Senior Information Security Engineer of WhiteHat Security, Inc.,
[ Audit / Response / Policy ]

The presenters will discuss a number of issues revolving around web application security. Topics include; remotely fingerprinting web servers, the new Cross Site Tracing vulnerability, and web application forensics. Attendees will see demonstrations of new tools to fingerprint web servers and to uncover web application attacks.. 

Jeremiah Grossman designed, audited, and penetration-tested the company's web applications as information security officer at Yahoo!. As one of the world's busiest web properties, all of these applications demanded the highest level of security available.

Continuing his work of the past 5 years, Jeremiah researches and applies his expertise to information security with special emphasis on prevention of web application intrusion. Grossman is one of the principal developers of widely-used WhiteHat Arsenal as well as presented Web Application Security talks at many security conventions including the BlackHat Briefings, the Air Force and Technology Conference, Defcon and ToorCon. He is considered to be among the world's foremost web security experts. Jeremiah is also contributing member to Center for Internet Security Apache Benchmark Group.

Bill Pennington has six years of professional experience in information security and eleven in information technology. Bill's duties at WhiteHat include conducting web application assessments, developing and delivering WhiteHat training and performing research and development. Bill has performed web application assessments for over three years in a variety of industry verticals including financial services, e-commerce, and biotechnology. He is familiar with OS X, Linux, Solaris, Windows, and OpenBSD, and is a Certified Information Security Systems Practitioner (CISSP) and Certified Cisco Network Administrator (CCNA). He has broad experience in web application security, penetration testing, computer forensics and inintrusion detection systems. Prior to joining WhiteHat, Bill was a principal consultant and technical lead for assessment services at Guardent, a nationwide pure play security services provider.

Bill contributed several chapters to "Hacker's Challenge: Test Your Incident Response Skills Using 20 Scenarios" and is an author of "Hackers Challenge 2". He has spoken at numerous industry events including BlackHat 2002, ISSA LA/Orange County joint conference, and the International Airport Auditors National Meeting 2001.

Return to the top of the page

Payload Anatomy and Future Mutations
Riley Hassell, Senior Researcher Engineer, eEye Digital Security
[ Audit / Response / Policy ]

Payload Anatomy and Future Mutations will introduce a new breed of payloads that can be delivered to a target during exploitation. During the course of the talk, each payload technology will be dissected and the finalized "Intelligent Payload" concepts will be demonstrated.

By utilizing features and protocol extensions supported by the target application, payloads can be injected so that they mimic the normal behavior of the application.

This section provides an overview of common techniques and technologies used to evade detection.

To increase the chances of a payload executing successfully when in an unstable or unreliable machine environment, various technologies may be utilized to “harden” the payload and improve the independency of its surroundings.

Optimizing payloads using size, speed, advanced chip features, and a few stack tricks will be discussed in this section.

Example Payloads

Fakeload - This payload will "Fakeload" an image across an SSL connection directly into memory, where it performs its own fixups and initializes a process using the retrieved file image. Using this technique we can download and execute a remote application without ever touching the file system, creating a process, or creating a thread.

RIO - This payload is injected into a server, at which time it will intercept desired incoming and outgoing communications. When data is sent to the server containing information of interest to the attacker, "RIO" will intercept it, add it into a collection, and return to normal application behavior. The attacker can then later send a special request to the server and "RIO" will dump the collected data across the network to the client.

The Future…

Riley Hassell, a Senior Researcher Engineer at eEye Digital Security, is responsible for the design and implementation of eEye Digital Security's QA and research tool suite. He is responsible for the discovery of several highly exposed vulnerabilities released by eEye Digital Security.

Riley created and currently maintains ADAM and EVE. ADAM is a network-level heuristic auditing system, and EVE is a runtime application auditing system. These two technologies are used by eEye researchers to learn about application behavior, and to assist in the auditing of software applications.

Return to the top of the page

Writing Secure & Hack Resistant Code
Michael Howard, Security Program Manager, Windows XP, MIcrosoft
David LeBlanc, Senior Security Technologist in Microsoft’s Information Technology Group, Microsoft
[ Application Development ]

Michael Howard is a security program manager on the Microsoft Windows XP team, focusing on secure design, programming, and testing techniques. He works with hundreds of people both inside and outside the company each year to help them secure their applications. He is the author of Designing Secure Web-Based Applications for Microsoft Windows 2000 from Microsoft Press. Prior to working on Windows XP, Michael worked on next-generation Web server technologies and IIS. He has worked on Microsoft Windows NT® security since 1992.

David LeBlanc is a senior security technologist in Microsoft’s Information Technology Group. His primary role is defending the Microsoft network from attack. He has worked in the security field throughout his professional life, including working at Internet Security Systems where he was the primary engineer on ISS’s award-winning security products. David serves on a number of external security-related advisory boards.

Return to the top of the page

Applied Black Op Networking on Windows XP
Dan Kaminsky, Cryptotheorist, DoxPara Research
[ Audit / Response / Policy ]

Following up the explorations of 2002's "Black Ops of TCP/IP", 2003 will see the implementation and deployment of radically new methods of network manipulation -- and not just on the Unix platform. This talk will discuss and demonstrate the latest tools of the "Paketto Keiretsu", newly ported to the Windows platform. The tools will be demonstrated, advanced methods of weaving them together will be explored, and some very interesting new techniques (not yet ready for public discussion) will be unveiled.

Dan Kaminsky, also known as Effugas, worked for two years at Cisco Systems designing security infrastructure for large-scale network monitoring systems. He is best known for his work on the ultra-fast port scanner scanrand, part of the "Paketto Keiretsu", a collection of tools that use new and unusual strategies for manipulating TCP/IP networks. He authored the Spoofing and Tunneling chapters for "Hack Proofing Your Network: Second Edition", and has delivered presentations at several major industry conferences, including Linuxworld, DefCon, and past Black Hat Briefings. Dan was responsible for the Dynamic Forwarding patch to OpenSSH, integrating the majority of VPN-style functionality into the widely deployed cryptographic toolkit. Finally, he founded the cross-disciplinary DoxPara Research in 1997, seeking to integrate psychological and technological theory to create more effective systems for non-ideal but very real environments in the field. Dan is based in Silicon Valley.

Return to the top of the page

Strike and Counterstrike: The Law on Automated Intrusions and Striking Back
Curtis E. A. Karnow
[ Keynote ]

There is a growing interest in “self help” mechanisms to counter internet mediated threats. Content providers such as record labels and movie studios favor proposed federal legislation that would allow them to disable copyright infringers’ computers. Software licensors endorse state laws that permit the remote disabling of software in use by the licensee when the license terms are breached. Internet security professionals debate the propriety and legality of striking back at computers which launch worms, viruses, and other intrusions.

The presentation focuses on automated intrusions from routine search ‘bots and screen scraping to intentional network assaults such as DDoS. Then it discusses legal doctrines used by the courts to evaluate claims that the assaults are illegal, as well as evolving legal issues of striking back at the attacking system. Courts are reaching back centuries for legal analogies in these cutting edge cases, and this presentation explores — in plain English — the rapidly developing issues in litigation such as the Intel spam case, the eBay/Bidder’s edge screen scraping matter, and then the application of ‘self defense’ and ‘self help’ theories to strike back at automated intrusions such as worms and viruses.

Curtis Karnow is a partner at the law firm of Sonnenschein, Nath + Rosenthal and a member of the firm’s e-commerce, security and privacy, and intellectual property groups. He is the author of Future Codes: Essays In Advanced Computer Technology & The Law (Artech House, 1997). Mr. Karnow has counseled on public key infrastructure policies, electronic contracting, and digital signatures. Formerly Assistant U.S. Attorney in the Criminal Division, Mr. Karnow’s responsibilities included prosecution of all federal crimes, including complex white-collar fraud, from investigation and indictment through jury verdict and appeal. Since then, Mr. Karnow has represented defendants indicted for unauthorized access to federal interest computers; defended against a criminal grand jury investigation into high tech export actions; represented clients before federal grand juries investigating alleged antitrust conspiracies and securities violations; brought legal actions against internet-mediated attacks on client networks, and in a state criminal investigation represented a computer professional framed by a colleague in a complex computer sabotage. He has also advised on jurisdictional issues arising out of a federal criminal Internet-related indictment, and advises on liability and policy issues, including interfacing with law enforcement authorities, arising from computer security breaches and Internet privacy matters. He occasionally sits as a temporary judge in the California state court system.

Return to the top of the page

Exploiting DCOM
Yoshiaki Komoriya, Network Security Engineer,
Hidenobu Seki, aka Urity, Network Security Specialist,
[ Application Development ]

Do you know DCOM?

The DCOM ( Distributed COM ) is an application-level protocol for controlling remote programs. Almost all Windows have DCOM installed by default.

Do you know InternetExplorer is DCOM-enabled program?
Not only IE, but also a lot of programs of Microsoft is DCOM-enabled.

Can't you control IE remotely?
Yes, you can.

We will show the security risks of DCOM by demonstrating some tools which exploit DCOM-enabled programs such as IE and MS-Office remotely. Not only will we demonstrate these tools, but we will also talk about the mechanism and the implementation of them.

The presentation will consist of the following:

  • DCOM: Facts and Risks
  • IE exploit demonstration
  • IE data stealing & IE hijack
  • Exploit method
  • DCOM authentication & exploit techniques
  • Other exploit demonstration 

Yoshiaki Komoriya is working as network security engineer at and engaged in the research of Distributed Object Technology such as DCOM. He has published an IE exploit tool named "IE'en".

Hidenobu Seki, aka Urity works as a network security specialist at He was a speaker at the Black Hat Windows Security 2002 Briefings.

Return to the top of the page

Forensics Tools and Processes for Windows XP Platforms®
Larry Leibrock, Ph.D, Associate Dean, CTO, McCombs School of Business Administration, The University of Texas
[ Audit / Response / Policy ]

This overview will involve case investigation procedures and a set of advanced tools for the imaging, forensics review and reporting processes involving Windows client platforms. The course will include use of a set of tool to analyze digitally stored case evidence on exclusively Windows XP systems.

These items of evidence are becoming increasingly important in a wide variety of administrative, civil and criminal cases, and numerous law enforcement agencies, which have trained personnel, to retrieve this evidence from computers. To increase the effective investigation and prosecution of criminals who utilize computers, it is critical for systems professionals and investigators to understand the basic concepts of information technology, computer security, evidence controls and the forensic examination of digitally stored information.

In this intensive talk, attendees will receive vital information on the processes and tools used to collect and analyze digital evidence on Windows XP. In addition to reviewing the typical areas where digital evidence may be located or hidden within a computer a range of forensics tool kits will be used to extract such information.

Larry Leibrock, Ph.D., is a member of the McCombs Business School – The University of Texas faculty and serves as the Associate Dean and Technology Officer for the McCombs Business School. He has held or currently holds clinical teaching and research appointments at McCombs Business School, Institute for Advanced Technology, The University of Texas Law School, Emory University, Helsinki School of Economics and Monterrey Technologica in Mexico City and Monterrey. He is a member of IEEE, ACM, Internet Society, FIRST and USENIX/SAGE. He is also a member of the Department of Defense Software Engineering Institute and a participant in the Air Force Software Technology Conference. He is the founder and CTO for eForensics LLC, a private technical services firm.

He has experience in enterprise systems support, offensive/defensive systems security measures, systems security audits, and IT deployment projects in both governmental and corporate settings.

In clinical practice, he has served as the project manager in over IT projects in several US and international sites. He holds professional certifications in IT project management, Windows“, UNIX“, systems performance, computer security and networking. He has authored papers in the topics of information systems attacks, encryption, public key infrastructures, privacy, systems survivability and systems forensics.

He has won several University teaching awards and has served as an expert in a range of legislative matters, judicial testimony, and legal disputes. Larry has served as a Special Master for a Texas Court in the areas of systems management, systems survivability, security and protection of systems mechanisms.

Larry has delivered expert digital evidence testimony at both civil and criminal trials. He has testified for the Presidential Commission for Protection of Critical Information Infrastructure and the Senate Science Committee. He recently presented forensics testimony at an invitational conference for the Executive Office of the President. He presently serves on the Texas Infrastructure Protection Advisory Committee formed by the Attorney General of Texas. He is also appointed to the Board of Directors - Texas Department of Information Resources. Larry is active in IT industry and government systems consulting projects in the areas of systems forensics, enterprise IT operations, security and incident investigations.

Return to the top of the page

Oracle Security II
David Litchfield, Founder, Next Generation Security Software
[ IIS, SQL, ISA, etc. ]

One year on after David's last talk on Oracle security David will cover the latest threats posed to organizations employing and Oracle solution. This briefing will demonstrate exploitation of the new format string vulnerability in Oracle's Application Server, thus gaining control of the web front end through a firewall and, from there, gaining control of the backend Oracle database server. The talk will finish with the steps that need to be taken to mitigate the risk.

David Litchfield is a world-renowned security expert specializing in Windows NT and Internet security. His discovery and remediation of over 100 major vulnerabilities in products such as Microsoft's Internet Information Server and Oracle's Application Server have lead to the tightening of sites around the world. David Litchfield is also the author of Cerberus' Internet Scanner (previously NTInfoscan), one of the world's most popular free vulnerability scanners. In addition to CIS, David has written many other utilities to help identify and fix security holes. David is the author of many technical documents on security issues including his tutorial on Exploiting Windows NT Buffer Overruns referenced in the book "Hacking Exposed".

Return to the top of the page

.NET from the Hacker's Perspective
Drew Miller
[ .NET nka Windows Server 2003 ]

  • What are the things about .NET that make hackers smile?
  • Problems it does solve
    • Buffer Overflows (in managed code)
    • Code access security
    • Role access security
    • Trojans
  • Problems that need to be solved, which .NET doesn't do on it's own.
    • Same old things hijacking
    • replay attacks, session to (NTLM,Kerberos, etc) authentication binding
  • Stuff that makes .NET hacking a bit different then before
    • Databases Everywhere...easier to interface with them from Apps
    • ViewState, and other types of information leakage
    • XML Everywhere!
    • Ease of development makes ease of hacking without good design
    • Cross site scripting very easy, hard to protect against

Return to the top of the page

IIS 6.0's Security Architecture - It's a Whole New World
Michael Muckin, Microsoft Consulting Services
[ .NET nka Windows Server 2003 ]

As the Web Server included with Windows Server 2003 (was
.NET), IIS 6.0 will be the platform for the next generation Web
Infrastructure and .NET solutions running Web Services. It will also be
a target of attack. This presentation will present the brand-spanking
new architecture of IIS 6.0 and cover the following topics:

  • A new request processing architecture - HTTP.sys, kernel-mode
    queues, worker processes and isolation mode
  • Secure defaults - lessons learned
  • Security enhancements: SSL, Process isolation and Constrained
  • A new Authorization model
  • Patching the box on the fly
  • Deploying IIS 6.0 Securely - Locking down your server

This session will be your jump-start to securely deploying your IIS 6.0
boxes. It will also demo some cool tools to assist with keeping your
box locked tight.

Michael Muckin has been in the electronic communications and IT industry for over 14 years. His career began in the military working on cryptographic communications and surveillance equipment while in the 3rd Surveillance, Reconnaissance and Intelligence Group of the USMC. As an independent consultant, he delivered consulting services and training to the NSA, Bell Atlantic, AT&T and other Fortune 1000 companies. Since joining Microsoft Consulting Services, he has written two Microsoft QuickStart Security consulting packages, was a contributor and reviewer of the Security Operations Guide for Windows 2000 Server, and has trained many of Microsoft's consultants and support personnel on security and defense techniques.

Return to the top of the page

Timothy Mullen, CIO, AnchorIS.Com
[ IIS, SQL, ISA, etc. ]

BlackHat gave birth to the “strikeback” technology developed to combat the propagation of global worms… While there continues to be debate about the moral, technical, and legal issues associated with a defensive response to a worm attack in the wild, the need for such a technology to leverage within one’s own infrastructure has become evident.

Enter Enforcer™

Enforcer™ is the first highly scalable, configurable, modular active response system designed specifically to neutralize worm events at the infrastructure level. Respecting the Blackhat tradition of no commercial product sponsorships, this session will focus entirely on the technical aspects of Enforcer’s operation, and its unique worm-neutralizing architecture. Don’t miss the product launch of the first security product born of BlackHat.

Timothy Mullen is CIO and Chief Software architect for AnchorIS.Com, a developer of secure enterprise-based accounting solutions.  Mullen is also a columnist for Security Focus' Microsoft Focus section, and a regular contributor of InFocus technical articles.  A.k.a. Thor, he is the founder of the "Hammer of God" security coop group.

Return to the top of the page

Securing Wireless Networks with 802.1x, EAP-TLS, and PEAP
Steve Riley, Microsoft Senior Consultant, MCS Trustworthy Computing Services
[ Networking & Integration ]

Everyone knows that WEP is useless. And until something better comes along to replace it, 802.1x is about the best the industry can do right now. This session will demonstrate how to implement two different kinds of 802.1x wireless security on Windows: EAP-TLS, with computer and user certificates, and PEAP (protected EAP), with computer and user credentials. Come learn how PEAP enables you to deploy a secure wireless network today that will still work with PKI-based authentication in the future.

Steve Riley is a Microsoft senior consultant with the MCS Trustworthy Computing Services practice in Redmond, Washington, a worldwide group that works at all levels of information security assessment, development, and implementation. Steve specializes in network and host security, communication protocols, network design, and information security policies and process. He has conducted security assessments and risk analyses, deployed technologies for prevention and detection, and designed highly available network architectures for many Microsoft customers. Steve grew up in networking and telecommunications; the simple telephone still provides endless hours of exploratory joy.

Return to the top of the page

Java Library Hole Allowing Multiplatform Denial-Of-Service
Marc Schöenefeld
[ Application Development ]

Java DK 1.4.1 JRE from Sun has been found to contain a locally exploitable Denial of Service. This affects standalone java programs as well as hosted environments such as servlet engines based on Jakarta tomcat or JRUN.

Java DK 1.4.1 JRE from Sun has been found to contain a locally exploitable Denial of Service. The problem appears difficult to exploit, but hackers have a history of discovering and releasing exploit code for exploitable flaws. It even underlines the riskyness to run java software in shared environments like ISP running servlet hosting. A malicious user or an attacker could insert the described exploitable API code to force JVM crashes in the ISPs runtime environment. This will cause outage of the JSP or Java Servlet service the JVM is running for.

The Effects
Java DK 1.4.1 like its predecessors has entry points to native libraries. These entry points can be called with parameters (java simple types or objects). If an object value is null and the native routine does not provide appropriate check for null values, the JVM reaches an undefined state and typically ends of in a JVM crash. The following proof of concept code describes the problem stated above. If you are interested for details about JVM security see the presentation of Marc Schoenefeld at Blackhat 2002.

Marc Schöenefeld: As an experienced Java programmer and former nerd in C64 assembly I tried to bundle these both ends of experiences together.During work time I am busy being software architect for a large data centre in the finance field. My upcoming phd thesis is targeted to the topic of reengineering of legacy systems. Marc Schoenefeld has been a software developer and an software architect since during university time and after he became Master of Business Informatics in 1997. He specializes in large scale application development (CORBA) and was involved in a OMG success story describing the adaptation of CORBA principles to a large-scale high volume banking application as part of his future phd thesis. Bytecode hacking on the other hand is his hobby since he got his C64 in 1983. Therefore his interest for Java securiy is a rendezvouz of these both major interest areas.

Return to the top of the page

Securing Your Network: The Art of Attack and Penetration
Eric Schultze, Director of Product Research & Development, Shavlik Technologies
Erik Pace Birkholz (CISSP, MCSE), Principal Consultant & Lead Instructor, Foundstone
[ Deep Knowledge ]

Hackers! They're out there everywhere just waiting to catch you off-guard. But how do you protect yourself from these malicious marauders? You have to infiltrate their minds to understand their tactics. In this workshop we expose the methodologies that today's hackers use to gain access to our customer's networks and critical data. We'll demonstrate a typical attack exploiting both well- and little-known vulnerabilities that hackers use to get around traditional security mechanisms. During the course of the attack, we'll identify opportunities to better secure hosts and networks against the more esoteric exploits.

Topics include:

  • Port Scanning
  • Banner Grabbing
  • Bypassing Router and Firewall Filtering
  • Using Source Ports
  • Leveraging Port Redirection
  • 101 uses for netcat
  • Exploiting Common Configuration and Implementation Weaknesses in Windows 2000 and Windows XP
  • Exploiting System Services Enumerating Information Leakage from Microsoft hosts
    Passing Hash
  • Hacking Web Servers
  • Hacking SQL
  • Linking Vulnerabilities for Maximum Exploitation

Particular attention will be paid to securing the DMZ and related hosts against each of the above attacks.

Eric Schultze manages Shavlik Technologies' product vision and implementation. Schultze most recently served as a program manager for the Microsoft Security Response Center and a senior technologist in the Trustworthy Computing team at Microsoft Corporation. In those roles he managed the Microsoft security patch and bulletin release process and developed security solutions for Microsoft products including patch management and deployment solutions. Before joining Microsoft, Schultze co-founded Foundstone, Inc., where he directed their "Ultimate Hacking: Hands On" training program. His experiences in assessing, penetrating, and securing Microsoft technologies formed the basis of Foundstone's audit and assessment methodologies for Windows operating systems. Prior to starting Foundstone, Schultze was a senior manager in Ernst & Young's national Attack & Penetration group, where he was widely recognized as the firm's expert on Microsoft security. Eric has Bachelor of Arts degrees in Psychology and Sociology from Amherst College.

Erik Pace Birkholz (CISSP, MCSE) is a Principal Consultant and Lead Instructor for Foundstone. Since 1995, Erik has performed internal security assessments, penetration tests, host security reviews, web application assessments, and security training around the world. Erik is a contributing author for four of the six books in the International Best Selling series, "Hacking Exposed, Network Security Secrets and Solutions". In January 2003, Erik’s book entitled, "Special Ops: Host and Network Security for Microsoft, UNIX and Oracle" was published by Syngress Press.

In 2002, Erik was invited by Microsoft to present "Hacking Exposed: Live!" to over 500 of their Windows developers at their corporate headquarters in Redmond. Later that year, he was invited presented to over 3000 Microsoft employees from around the globe at the 2002 Microsoft Global Briefings. Evaluated against over 500 presentations by over 9,500 attendees, his presentation was rated first place. Based on that success, he was a VIP Speaker at the Microsoft MEC 2002 conference.

Throughout his career, Erik has presented hacking methodologies and techniques to members of major United States government agencies, including the Federal Bureau of Investigation, National Security Agency and most branches of the Department of Defense. He has presented at the Black Hat Windows Security Briefings, Microsoft and The Internet Security Conference (TISC). Before accepting the role of Principal Consultant at Foundstone, he served as Assessment Lead for ISS, a Senior Consultant for Ernst & Young's National Attack and Penetration team and a Consultant for KPMG’s Information Risk Management group.

Erik holds a B.S. degree in Computer Science from Dickinson College (est. 1773) in Carlisle, Pennsylvania. In 1999, he was named a Metzger Conway Fellow, an annual award presented to a distinguished Dickinson alumnus who has achieved excellence in his or her field of study.

Return to the top of the page

HTTP: Advanced Assessment Techniques
Saumil Udayan Shah, Director of Research & Development, NT OBJECTives Inc; Director, Net-Square Solutions Pvt. Ltd.
[ IIS, SQL, ISA, etc. ]

The Fire and Water toolkit contains tools for both assessment and defense of web servers. This talk discusses some advanced techniques used in the F&W toolkit which overcomes efficiency problems and highly increases the accuracy of the tools. Two of the techniques discussed here include Web and Application server identification, and HTTP page signatures. Web and Application server identification allows for discovery of the underlying web server platform, despite it being obfuscated, and other application components which may be running as plug-ins. HTTP page signatures allow for advanced HTTP error detection and page groupings. A few other HTTP probing techniques shall be discussed as well. A Blackhat version of the Fire and Water toolkit will be specially released, which demonstrates the techniques being discussed. The current version of the Fire and Water toolkit, containing a preview of the techniques, is available for download from NT Objectives. A whitepaper is being prepared, which shall be available from the same URL.

Saumil Shah continues to lead the efforts in e-commerce security research at NTOBJECTives Inc, where he currently serves as the Director of Research an Development. He is the co-author of "Web Hacking: Attacks and Defense" published by Addison Wesley. He has had more than eight years experience with network security and has perfomed numerous ethical hacking exercises for many significant companies in the IT area. Saumil is a reg ular speaker at security conferences worldwide such as BlackHat, RSA, etc.

Previously, Saumil held the position of Director of Indian operations with Foundstone Inc. in the US, and a senior consultant with Ernst & Young's Information Security Services. Saumil has also worked at the Indian Institute of Management, Ahmedabad, as a research assistant and is currently a visiting faculty member for their Management Development Programmes.

Saumil graduated from Purdue University with a master's degree in computer science and a strong research background in operating systems, networking, infomation security, and cryptography. He also holds a CISSP certification. He got his undergraduate degree in computer engineering from Gujarat University, India. Saumil is also the author of "The Anti-Virus Book" (Tata McGraw-Hill, 1996).

Return to the top of the page

The Role of Non Obvious Relationships in the Foot Printing Process
Charl van der Walt, Founding Member, SensePost
Haroon Meer, Technical Security Specialist, SensePost
[ Networking & Integration ]

During perimeter testing it is becoming more and more finding the one vulnerable server on a large network perimeter rather than finding a bug in one server. Many security companies spend huge amounts of time finding this bug - they search deep and not wide. With networks becoming more interconnected every day many large companies don't even know how many networks or hosts are connected to them. The process of obtaining a proper foot print of a company is overlooked in many cases. Footprinting starts with obtaining a list of domains related to the company. The task of obtaining a list of domains related to a specific institution is tedious as the relationship between the institution and their domains is not always obvious. Footprinting is not an exact science - large amount of domains (which translates to pieces of networks or paths into a private network) are typically overlooked during a blind penetration test. The presentation is on footprinting large institutions with focus on an automated technique of finding the "hidden" relationships between domains and institutions.

  • A method has been developed that will automatically provide a list of related domains (given an initial "seed" domain) with relevant "vector lengths" to the source.
  • The code (source and binary) to the project will be released. A paper on the subject and method will be written and released with the tool.

The presentation will include a section on a methodology developed for further domain enumeration. The method allows a user to submit one domain name and a minimum number of keywords and returns a list of domains that are also owned by the institution (over and above the list of related domains (which might not belong to the institution). The method is much more complex that a simple whois query - it makes use of following modules:

  • Link extraction (both to and from) with dynamic weighting
  • Whois selective brute forcing expansion
  • Normalizing of data to represent relevance decay graphically
  • TLD expansion
  • MX record vetting (both true and non-false methods)
  • Web site splash page fingerprint vetting (for getting rid of template sites)

Haroon Meer joined SensePost as a Technical Security Specialist after over 7 years in the Networking/Security industry. He has a wide background in security & networking from writing code to administration of large Campus networks. He is currently heavily involved in the development of additional security tools and proof of concept code and has been a speaker at the recent Black Hat Windows Briefings in New Orleans.

Charl van der Walt is a founder member of SensePost. He studied Computer Science at UNISA, Mathematics at the University of Heidelberg in Germany and has a Diploma in Information Security from the Rand Afrikaans University. He is an accredited BS7799 Lead Auditor with the British Institute of Standards in London. Charl has a number of years experience in Information Security and has been involved in a number of prestigious security projects in Africa, Asia and Europe. He is a regular speaker at seminars and conferences nationwide and is regularly published on internationally recognized forums like SecurityFocus. Charl has a dog called Fish.

Return to the top of the page

Black Hat Logo
(c) 1996-2007 Black Hat