Android Tamer is a virtual/live platform for Android security professionals. It removes the need to configure your own environment so that the professional can focus on the actual work. The environment supports a large array of Android security tasks ranging from malware analysis and penetration testing to reverse engineering. A large number of tweaks and automations are built into the virtual machine to make life easier for the user.
When it comes to the security of an information system, Active Directory domain controllers are, or should be, at the center of concerns. Those concerns are normally to ensure compliance with best practices and, once a compromise has been proven, to explore whether the information system can be cleaned without having to rebuild Active Directory. Indeed, backdoors can be planted in Active Directory to help an intruder regain privileges. However, few tools implement this cleaning/survey process, despite the several ways that exist for backdooring Active Directory.
We propose to present some of the backdoors an intruder could set in Active Directory to keep administration rights, for example modifying the AdminSDHolder container so that rights are reapplied after an administrator's clean-up actions. Then we will present BTA, an audit tool for Active Directory databases, and our methodology for verifying that good practices are applied and that no malicious changes are present in these databases. One example we will show is how to spot accounts that hold DCSync rights and can therefore pull account credentials through the standard Domain Controller replication API.
The presentation will be organized as follows:
CrackMapExec aims to be a one-stop-shop for pentesting Active Directory environments! Think smbexec on steroids, combining the latest and greatest techniques for AD ownage in a single tool!
From enumerating logged-on users and spidering SMB shares to executing psexec-style attacks, concurrently auto-injecting Mimikatz/shellcode/DLLs into memory using PowerShell, dumping the NTDS.dit, querying and executing commands through MSSQL databases, and more!
The biggest improvements over the current tools are:
Collaborative pentesting is more common every day, and as teams grow larger, sharing information between pentesters becomes a difficult task. Different tools, different formats and long outputs (when a large network has to be audited) can make it almost impossible. You may end up with wasted effort, duplicated tasks and a lot of text files scattered across your working directory. And then you need to collect that same information from your teammates and write a report for your client, trying to be as clear as possible.
The idea behind Faraday is to help you to share all the information that is generated during the pentest, without changing the way you work. You run a command, or import a report, and Faraday will normalize the results and share that with the rest of the team in real time. Faraday has more than 50 plugins available (and counting), including a lot of common tools. And if you use a tool for which Faraday doesn't have a plugin, you can create your own.
During this presentation we're going to show you the latest version of the tool, and how it can be used to improve the effectiveness of your team during a penetration test.
HackSys Extreme Vulnerable Driver is an intentionally vulnerable Windows kernel driver developed for security enthusiasts to learn and polish their exploitation skills. It covers a wide range of vulnerabilities, from a simple buffer overflow to the more complex use-after-free, pool overflow, type confusion and arbitrary memory overwrite. This allows researchers to explore different exploitation techniques for every implemented vulnerability. HackSys Extreme Vulnerable Driver also ships with a mitigation for each implemented vulnerability, which helps kernel driver developers understand how these mitigations are applied.
Source Code: https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
Blog: http://www.payatu.com/hacksys-extreme-vulnerable-driver/
Halcyon is the first unofficial IDE for Nmap script development. The existing challenge in developing Nmap Scripting Engine (NSE) scripts is the lack of an IDE that makes it easy to build custom scripts for real-world scanning. Halcyon is a free-to-use, Java-based application with code intelligence, a code builder, auto-completion, debugging and error correction, and a range of other features similar to those of development IDEs for traditional programming languages. This research was started to give researchers a better development interface and environment, and thus to grow the number of NSE writers in the community. Halcyon IDE understands the Nmap library as well as standard Lua syntax. It also comes with an offline Nmap wiki that gives script writers an easy way to access development library references. Commonly repeated code such as web crawling and brute forcing is pre-built into the IDE, which saves script writers time when developing the majority of test scenarios. The IDE offers options to debug the code, make it error-free, export it to the library, and perform several other pre- and post-development tasks from within the same interface.
Janus is a feedback-driven, interactive Android security analysis platform that brings together a collection of advanced security analysis tools, with capabilities ranging from vulnerability discovery to malicious application detection. Its main purpose is to enable large-scale Android application security analysis by integrating automated, customizable analysis results with human intervention.
Specifically, Janus works as follows. First, Janus leverages lightweight malware scanners, similarity detection tools, and vulnerability detection tools to help researchers diagnose whether a given Android application is malicious or vulnerable.
Next, Janus provides a set of tools for more fine-grained and heavier analyses, including dynamic taint analysis, program slicing and machine learning. Security researchers are involved in this phase in particular. By combining these automated analyses with human intervention, Janus confirms the detection results, filters false positives and extracts the features of the application. These features are then used to guide subsequent analyses so that similar vulnerabilities or malicious applications can be found quickly.
We will demonstrate Janus with a number of real world malicious and vulnerable applications.
Limon is a sandbox for automating Linux malware analysis. It collects, analyzes and reports on the runtime indicators of Linux malware. It lets an analyst inspect Linux malware before execution, during execution and after execution (post-mortem analysis) by performing static, dynamic and memory analysis with open source tools. Limon runs the malware in a controlled environment and monitors its activities and those of its child processes to determine the nature and purpose of the malware. It records the malware's process activity and its interaction with the file system and the network, performs memory analysis, and stores the analyzed artifacts for later examination.
For more information, please visit this blog post on Limon: http://malware-unplugged.blogspot.in/2015/11/limon-sandbox-for-analyzing-linux.html; the download link is also available on GitHub: https://github.com/monnappa22/Limon.
Passive DNS (pDNS) provides near real-time detection of cache poisoning and of fraudulent changes to domains registered for trademarks and the like, by answering the following questions:
Pocsuite is an open-source remote vulnerability testing framework developed by the Knownsec Security Team.
Written in Python, Pocsuite supports two plugin-invoked modes, validation and exploitation, and can import batches of targets from files and test them against multiple exploit plugins in one run.
There are two ways to work with Pocsuite: configure the arguments an exploit requires and run it in console mode, or handle the output of each step in interactive mode. It can also display the output as a human-friendly graph that gives pentesters more useful information.
Like Metasploit, it is a development kit for pentesters to develop their own exploits. Users could utilize some auxiliary modules packaged in Pocsuite to extend their exploit functions or integrate Pocsuite to develop other vulnerability assessment tools.
Finally, Pocsuite is also an extremely useful tool for integrating the Seebug and ZoomEye APIs in a collaborative way. Vulnerability assessment can be done automatically and effectively by searching for targets through ZoomEye and acquiring PoC scripts from Seebug or from local storage.
Rudra aims to provide a developer-friendly framework for exhaustive analysis of PCAP and PE files. It can scan files and generate reports covering a file's structural properties, entropy visualization, compression ratio, theoretical minimum size, and so on. These details, along with file-format-specific analysis information, help an analyst understand the type of data embedded in a file and quickly decide whether it deserves further investigation.
Rudra is the only tool to provide an effective bot-based query mechanism for scanning files. Users can mention a Pastebin link on Twitter that stores the base64-encoded version of the file to be scanned. Rudra pulls the file from Pastebin, base64-decodes it, scans the decoded file, submits a base64-encoded JSON report to Pastebin and posts a reply tweet with the link. This provides a quick and effective way to try Rudra without installing it.
Rudra supports scanning PE files and can perform API scans, anti{debug, vm, sandbox} detection, packer detection and Authenticode verification, along with YARA, shellcode and regex detection. Additionally, the following new features are being added for the first beta release:
SAIVS is an artificial intelligence for finding vulnerabilities in web applications. The goal of SAIVS is to find vulnerabilities the way a human security engineer would. In January 2016, we developed the beta version of SAIVS. Beta SAIVS has the following capabilities:
SecBee is a ZigBee security testing tool. It is basically a kind of ZigBee vulnerability scanner, which allows the mapping of ZigBee networks and enables security testers and developers to check the actual product implementation for ZigBee specific vulnerabilities.
Currently it supports direct and indirect ZigBee communication and provides features for command injection, scanning for enabled devices, sniffing network keys (sent in plaintext or encrypted with the ZigBee default key), and insecure rejoin requests.
The tool is still under development and additional features are being added. The final goal is to test the correct application and implementation of every ZigBee security service.
Seebug is an open vulnerability platform based on vulnerability and PoC/Exp sharing communities. So far, it already has 50,000+ vulnerabilities and 40,000+ PoC/Exps.
On this platform, users can submit new vulnerabilities or update existing entries that lack details such as summaries, PoC/Exps, solutions, CVE IDs and other basic fields. In exchange, we reward you with KBs, which can be used to buy other submissions (such as PoCs) or converted directly into RMB (1 KB is currently equivalent to RMB 5 Yuan).
Seebug provides an opportunity for vulnerability learning. We plan to open BBS and CFP columns in the near future so that users can submit their technical articles, ideas, and communicate with each other on vulnerability mining issues.
In addition, each vulnerability is accompanied by a lifeline that records all the relevant events and offers a complete picture of how the vulnerability developed.
With the help of ZoomEye, the latest vulnerabilities across the world can be detected in a timely fashion and displayed on the vulnerability detail page. Based on the results, we can effectively conduct emergency response activities and provide online detection tools, affected vendor lists and early warnings when necessary.
The SensePost Toolset consists of numerous transforms and mini-sets of transforms. These include OSINT, language translation, Twitter monitoring, Spotify, Skype stalking and detailed, in-depth footprinting capabilities.
SensePost Toolset: https://www.sensepost.com/discover/tools/maltego/osint/SPToolset/
StackPivotChecker is a tool that provides instruction-level inspection of stack-pivoting behavior in 0-day exploits, giving rapid 0-day analysis capability. This lightweight tool helps researchers locate the first stack-pivoting point in a complex 0-day execution path; it has been applied to real 0-days such as CVE-2013-0640.
VirusTotal is the free online file and URL scanner that everyone knows. However, it has many free features that most users are not aware of, such as:
ZoomEye is a cyberspace search engine released in 2013. Unlike Shodan, which only crawls the port fingerprints of Internet-connected devices and does little fingerprint parsing, ZoomEye crawls not only Internet-connected devices but also websites to collect fingerprints. All of these fingerprints are powered by our two major engines, Xmap and Wmap. Xmap specializes in port scanning, and Wmap focuses on crawling and parsing web application fingerprints.
We distribute crawlers running 24/7 across the world, providing both host device and web application searches to the public through crawling and indexing. Users can also integrate and automate with our platform API.
This talk covers a basic introduction on our crawling and analyzing architecture, some thoughts on scanning crawling strategies, and the major process on parsing and analyzing devices and website fingerprints.
To better understand the complexity of cyberspace, we work hard on fingerprint parsing and analysis to obtain more detailed and complete metadata. We believe that more accurate, well-structured data will greatly help our research. Some cases will also be demonstrated in comparison with Shodan and Censys.io to show our strengths.
The ZoomEye 101 section introduces how ZoomEye can enhance research or support hacking work. The audience will learn not only the evolution of ZoomEye but also some helpful Internet research methodologies.