Reversing firmware using radare2
Anton Kochkov (xvilka)
This talk will briefly describe modern computer (mostly PC) architecture, the microcontrollers commonly used inside PCs and laptops, their firmware and techniques for reverse-engineering it. For most of the talk I'll use radare2, including demo sessions on a few firmware examples.
Lead Developer at SecurityCode since 2013. During the last several years I've focused on reverse-engineering of various firmware: PC and its peripherals, ARM, MIPS, baseband processors, microcontrollers. Constant contributor to the coreboot project and radare2.
Leader of the Droid-Developers/Miledropedia project; MEre project member.
Android file system monitoring discussion
This is a work-in-progress presentation to discuss challenges in file system monitoring in order to prevent abuse by processes. This is especially desirable on phones and tablets, where such a system could limit the impact of programs on the data created by different applications, thus protecting users' privacy.
Breno is a computer scientist with over 8 years of experience in Information Technology, experienced with a wide range of software development techniques and languages, security systems and network technologies. Breno brings a deep mathematical education, supporting research and algorithm design for network anomaly detection mechanisms in high-speed networks. Breno resides in Brasília, Brazil.
LTE vs Darwin: Return of the SON
Butterly and Schmidt
"LTE vs. Darwin - Return of the SON" is the third presentation in a series of talks we started writing in the middle of 2013, aimed at giving a broad overview of LTE, its suggested security features, and our research findings and results. The first talk was held in January 2014 at ShmooCon, the second one at Hackito Ergo Sum; both were concerned with LTE basics, specs and theoretical flaws. Our current focus is on the Self-Organizing and Self-Configuring features, for which we're acquiring new hardware and analyzing/rating specs. The talk will be packed with all new results we achieve during the summer months and a broad overview of the research already presented. We're going to give a short introduction to LTE basics (backend & technical) and will then focus on both the protocols and the devices involved in the SON process. While working through the specs and identifying potential flaws in protocols, we're taking a closer look at eNodeBs/HeNodeBs and will be writing further fuzzers/scanners for closer analysis. We will give a few demos and release the tools we created during the process.
We're both experienced security researchers and pentesters. Having done various jobs in large enterprise environments, we know our way around protocols, packets and the systems behind them. Both of us work for ERNW GmbH in Heidelberg, Germany, and are part of the TROOPERS conference team. As ERNW is fully independent, we have no affiliations with any other corporations or vendors. We simply enjoy learning and breaking new things (the newer, the better), so we're rather passionate about our research in the field of LTE. We've gathered various experience with mobile networks during our assignments and are now more than happy to share the results of our own research. We're open to sharing knowledge, tools and thoughts, simply to make the world a safer place!
Daniel J. Bernstein (djb)
This is an invited talk by the famous cryptologist and programmer, Daniel J. Bernstein.
Daniel Julius Bernstein (sometimes known simply as djb; born October 29, 1971) is a mathematician, cryptologist, programmer, and research professor of computer science at the University of Illinois at Chicago. He is the author of the computer software programs qmail, publicfile, and djbdns.
Who put the backdoor in my modem
Ewerson Guimaraes a.k.a. crash
For quite some time we have been seeing espionage cases reaching countries, governments and large companies.
A large number of backdoors have been found on network devices, mobile phones and other related devices, the main cases being those reported by the media, such as TP-Link, D-Link, Linksys, Samsung and other internationally renowned companies.
This article will discuss a backdoor found on the modem / router XXX, a piece of equipment with a big question mark over it: there is no vendor identification and no information about who its manufacturer is, and there are at least 7 companies linked to its production, sales and distribution in the market. Moreover, some of them never really existed.
Which leads us to the question in the research title: Who put the backdoor in my modem?
Degree in Computer Science from Fumec University, Security Analyst and Researcher at Ibliss Intelligence and Security. Certified by Offensive Security (OSCP) and eLearnSecurity (WPT) as a Pentester, Ewerson has published articles in the Brazilian Information Security/Computing magazines H4ck3r and GEEK, and has posted exploits and advisories on SecurityFocus for bugs found in big companies such as IBM, McAfee, Skype, Technicolor, Tufin, TrendMicro and others. Contributed to the development of some modules for the Metasploit Framework Project.
Founder of the BHack Conference and of Area31, the first hackerspace in Minas Gerais.
Was a speaker at:
- Defcon Bangalore - India - On the subject: Steganography QRcodes using RGB subtle pixel color mutation - 2013
- Anna University, Chennai - India - On the subject: Hacking Citrix Servers - 2013
- Inside 3D Printing - FabScan / 3D Scan - 2014
- Bsides Brazil - On the topic: Hacking Citrix Servers - 2013
- Bsides Brazil - On the subject: From bug to Metasploit module - 2012
- Just4Meeting 3.0, Portugal - On the subject: From bug to Metasploit module - 2012
State of the Art in IPv6 Security
The IPv6 protocol suite was designed to accommodate the present and future growth of the Internet, and is expected to be the successor of the original IPv4 protocol suite. It has already been deployed in a number of production environments, and many organizations have already scheduled or planned its deployment in the next few years.
During the last few years, a number of IPv6 security efforts have been sparked at the Internet Engineering Task Force (IETF) -- the organization in charge of standardizing the Internet protocols. These efforts have ranged from informational documents aimed at raising awareness and/or providing advice to the network operations community, to new protocol features or modifications aimed at mitigating identified vulnerabilities.
Another area that has seen a lot of evolution is that of IPv6 security assessment and attack tools, in which brand-new tools have emerged to fill a vacuum in the pentester toolkit. One prominent example is the SI6 IPv6 toolkit: a free and portable IPv6 security assessment and attack toolkit, which contains a variety of tools ranging from packet-crafting tools to advanced IPv6 reconnaissance tools (most of which implement techniques that are not available in your penetration testing suite of choice).
Fernando Gont will provide an overview of all recent IPv6 security efforts at the IETF, summarizing the key aspects of each of them and describing their implementation status in the most popular operating systems -- thus providing the audience with a snapshot of the latest advancements in the IPv6 standardization community and the impact of this work on the vendor and network operations community. Additionally, he will present the key features of the SI6 Networks' IPv6 Toolkit, along with live demos of the most important tools in the toolkit.
The SI6 Networks' IPv6 Toolkit is available at
Fernando Gont specializes in the field of communications protocols security, working for private and governmental organizations.
Gont has worked on a number of projects for the UK National Infrastructure Security Co-ordination Centre (NISCC) and the UK Centre for the Protection of National Infrastructure (CPNI) in the field of communications protocols security. As part of his work for these organizations, he has written a series of documents with recommendations for network engineers and implementers of the TCP/IP protocol suite, and has performed the first thorough security assessment of the IPv6 protocol suite.
Gont is currently working as a security consultant and researcher for SI6 Networks (http://www.si6networks.com). Additionally, he is a member of the Centro de Estudios de Informatica (CEDI) at Universidad Tecnológica Nacional/Facultad Regional Haedo (UTN/FRH) of Argentina, where he works in the field of Internet engineering. As part of his work, he is active in several working groups of the Internet Engineering Task Force (IETF), and has published more than a dozen IETF RFCs (Request For Comments) and more than a dozen IETF Internet-Drafts.
Besides developing new IPv6 attack and defense techniques, Gont has produced the SI6 Network's IPv6 Toolkit (
Company: http://www.si6networks.com Personal: http://www.gont.com.ar
Gont has been a speaker at a number of conferences and technical meetings about information security, operating systems, and Internet engineering, including: CanSecWest 2005, Midnight Sun Vulnerability and Security Workshop/Retreat 2005, FIRST Technical Colloquium 2005, Kernel Conference Australia 2009, DEEPSEC 2009, HACK.LU 09, HACK.LU 2011, DEEPSEC 2011, LACSEC 2012, Hackito Ergo Sum 2012, Hack In Paris 2012, and IPv6 Kongress 2013. Additionally, he is a regular attendee of IETF (Internet Engineering Task Force) meetings.
More information about Fernando Gont is available at his personal web site:
Halvar Flake is a famous researcher in the areas of Reverse Engineering and Vulnerability Research.
Thomas Dullien (better known as Halvar Flake) has been working on topics related to reverse engineering (and vulnerability research) for the last 9 years. He has repeatedly presented innovative research in the realm of reverse engineering and code analysis at various renowned security conferences (RSA, Blackhat Briefings, CanSecWest, SSTIC, DIMVA).
Aside from his research activity, he has taught classes on code analysis, reverse engineering and vulnerability research to employees of various government organizations and large software vendors.
Halvar founded zynamics in 2004 in order to further research into automation of reverse engineering and code analysis. The company was acquired by Google in 2011.
Catchme if you can: TOR tricks for bots, shells and general hacking
This presentation presents some techniques that can be used by bots, shells (especially Metasploit's meterpreter) and other hacker tools to benefit from the anonymity provided by the TOR network (and possibly other darknets such as I2P and Freenet as well).
Starting with the proper configuration of TOR clients, some configuration options will be presented, along with the use of bridges and protocol obfuscators (TOR's Pluggable Transports) to achieve maximum anonymity and a low profile against pattern analysis or timing attacks. This configuration will then be extended to TOR Hidden Services, in order to provide client authentication and other security advantages.
There are plenty of wonderful tools that we use in our hacking that unfortunately aren't proxy-aware. TOR uses a SOCKS5 interface to enable DNS-tunneled communication from the external world to the darknet, and we can make those proxy-unaware tools work over the TOR network by using some cool socket binding and bridging tricks.
A live demo will be presented (if the Internet connection allows; otherwise a video will be shown) of a simple small botnet operating from inside the TOR network (optionally using a tor2web relay if the TOR network is blocked), using obfuscated bridges, Hidden-Services-based HTTP or IRC C&C, multiple C&C addresses and the use of OTP (one-time password) algorithms to achieve synchronized randomization (for low detection) and a primitive DGA (domain generation algorithm), lowering the overall profilability of the botnet.
A variant of this botnet will be discussed (and models presented) that moves to a P2P (peer-to-peer) paradigm (as opposed to C&C via Hidden Services).
For the remote shells, I'll demonstrate how to use a custom payload dropper (Metasploit Framework payloads in this case) that will deploy and configure the TOR client binary, deploy the bind_tcp payload and expose it to the TOR network over a Hidden Service, for Linux and Windows.
The main objective is to show how it is possible to gain enormous resilience and a low detection rate, for bots and for attacks, without using a single exit node, remaining sunk in the darknet the whole time.
Keywords: TOR, linux, python, darknets, anonymity, bots, botnet, metasploit, malware, meterpreter, windows
Jan Seidl is a *NIX, BSD, C & Python lover. Security consultant and researcher, focused on SCADA security, dedicated pentester and rookie malware reverse engineer with large experience in administering servers', networks' and applications' security. Speaker at many security and free-software conferences such as Hackers 2 Hackers Conference (BR), CeBIT (DE), Defcon Bangalore (IN), Forum Internacional Software Livre FISL (BR) and many others. Author of the IT & SCADA security blog http://wroot.org and a book on SCADA security (Segurança de Automação Industrial e SCADA, CAMPUS 2014), with several other technical papers published; is currently CTO of TI Safe Segurança da Informação. (http://br.linkedin.com/in/janseidl / http://twitter.com/jseidl)
HexRaysCodeXplorer: object oriented RE for fun and profit
Matrosov & Rodionov
HexRaysCodeXplorer is a Hex-Rays Decompiler plugin for easier code navigation. Its main features are:
- Automatic type REconstruction for C++ objects.
- C-tree graph visualization - a special tree-like structure representing a decompiled routine in citem_t terms. A useful feature for understanding how the decompiler works.
- Navigation through virtual function calls in the Hex-Rays Pseudocode window.
- Object Explorer - a useful interface for navigating virtual table (VTBL) structures.
In this presentation, the authors of HexRaysCodeXplorer will discuss the main functionality of the plugin and its application to reverse engineering. The authors will present the algorithm for C++ type REconstruction. A special version of HexRaysCodeXplorer (H2HC edition) will also be released, with new features developed specially for the H2HC conference. The new features will be committed to GitHub from the stage.
Alexander Matrosov (@matrosov)
Alexander has more than ten years of experience with malware analysis, reverse engineering and advanced exploitation techniques. He currently works at Intel as a Senior Security Researcher. For the previous four years he worked at ESET as Senior Malware Researcher and Security Intelligence Team Lead. He has worked in the security research field since 2003 for major Russian companies. He is also a Lecturer at the Cryptology and Discrete Mathematics department of the National Research Nuclear University in Moscow, co-author of the research papers "Stuxnet Under the Microscope" and "The Evolution of TDL: Conquering x64", and is frequently invited to speak at security conferences (REcon, Ekoparty, CONFidence, ZeroNights, PHDays ...). Nowadays he specializes in the comprehensive analysis of complex threats, modern vectors of exploitation and hardware security research.
Eugene Rodionov (@vxradius)
Eugene Rodionov graduated with honors from the Information Security faculty of the Moscow Engineering Physics Institute (State University) in 2009. Over the past five years he has worked for several companies, performing software development, IT security audits and malware analysis. He currently works at ESET, one of the leading companies in the anti-malware industry, where he performs analysis of complex threats. His interests include kernel-mode programming, anti-rootkit technologies, reverse engineering and cryptology. He is co-author of the research papers "Stuxnet Under the Microscope" and "TDL3: The Rootkit of All Evil?". Eugene Rodionov also holds the position of Lecturer at the National Research Nuclear University MEPhI in Russia.
Practical Analysis of Embedded Microcontrollers against Clock Glitching Attacks
Ricardo Gomes da Silva
Clock glitching attacks are one of the different types of hardware fault injection studied nowadays. By glitching the clock, it is possible to change the target's hardware behavior, either by corrupting or simply skipping CPU instructions. Since the software is not prepared to handle a device that has been tampered with, an attacker can exploit such a vulnerability and take over the control flow of the program. Multiple attacks can then be performed, such as forcing the device to exit loops or dump its own memory.
This work applies this technique against AVR microcontrollers by implementing a modular glitcher environment. This environment allows not only fine-tuning of attacks, but also a brute-force algorithm for finding the glitching range. By executing multiple repeatable experiments, both on handcrafted and compiled code, it demonstrates that this architecture is vulnerable to these attacks, introducing faults that were not expected and cannot be handled by the software. The implications of this for the security of the program are discussed in this work. Additionally, a critical analysis of the disadvantages and issues of the approach used, and how it can be further improved, is provided.
Computer Science student at UFRGS pursuing a double degree at TU Berlin. Currently a research fellow at SecT (Security in Telecommunications) at Telekom Innovation Laboratories, where he does research on hardware fault injection, more precisely Clock Glitching.
Headless Browser Hide and Seek
Headless browsers have quietly become indispensable tools for security teams, researchers, and attackers focusing on web applications. Tools like PhantomJS enable anyone to interact with highly dynamic websites to find vulnerabilities and performance bottlenecks, and even to automate attacks.
This presentation will dive into the offensive use of these tools, and how to counteract them in practice. This will include techniques used by attackers to find vulnerabilities in websites, and how security teams can use these techniques in their own daily security practice.
With this base established, we will delve into an extended analysis of the techniques that malicious browsers use to impersonate real end-users, and the countermeasures security teams can use to expose them. We will provide examples of how to collect threat forensics and attacker attribution data when malicious browsers are detected on your site. Lastly, we will review vulnerabilities in headless browsers themselves and provide recommendations to ensure that your tools aren't turned against you.
Introduction to Headless Browsers
- What it is and how it works
- Legitimate uses and how you can benefit
- Malicious Use of PhantomJS
  - Impersonate a legitimate browser
  - Fuzzing a web application
  - Find performance bottlenecks
Exploiting the Exploiter
- How attackers attempt to hide
- How to expose them on your site
- Additional evasion techniques and countermeasures
- Example of attacking with phantomJS with subsequent detection
- Arbitrary code execution on up-to-date remote PhantomJS
- Various ways of abusing remote PhantomJS
Counter-attacking and Attribution
- How to turn a headless browser against the attacker
- Vulnerabilities in PhantomJS
- Best practices for using headless browsers safely
Sergey Shekyan is a Principal Engineer at Shape Security, where he is focused on the development of a new-generation web security product. Prior to Shape Security, he spent 4 years at Qualys developing their on-demand web application vulnerability scanning service. Sergey has presented research at security conferences around the world, covering various information security topics, including BlackHat USA, HITB Amsterdam, PHDays, H2HC, and other security conferences.
Bei Zhang is a Senior Software Engineer at Shape Security, focused on analysis and countermeasures of automatic web attacks. Previously, he worked at the Chrome team at Google with a focus on the Chrome Apps API. His interests include web security, source code analysis, and algorithms.
Research on XSS and its variants in the consoles of security-oriented gateways
In this talk, several vulnerabilities in gateways that are supposed to provide security will be demonstrated, analyzing their impact, the ease of exploitation and the motivations behind them, helping the audience understand the complexity of their own environments and the importance of simplification in achieving security.
I have worked in technology for 12 years, 7 of which have been dedicated to Information Security; over my career I have earned the CISSP, CEH, CPT, CEPT, CompTIA Security+, FCNSP and LPI certifications. I work as a Senior Coordinator/Consultant, completing 5 years at TRTEC Informática. I consider myself a Junior Nerd and an Arduino lover.