Anton Kochkov (xvilka) - Lead Developer at SecurityCode, Russia

Bratus & Goodspeed - Research Associate Professor at Dartmouth and Independent Researcher

Bratus & Patterson - Research Associate Professor at Dartmouth and Founder of Upstanding Hackers, LLC

Breno Silva - Lead Security Researcher at Samsung R&D Brazil Institute

Butterly and Schmidt - ERNW GmbH in Heidelberg, Germany

Daniel J. Bernstein (djb) - Research Professor, University of Illinois at Chicago

Ewerson Guimaraes a.k.a. crash - Security Analyst and Researcher, Ibliss Seguranca & Inteligencia

Fernando Gont - Security consultant and Researcher, SI6 Networks

Halvar Flake - Reverse Engineer Lead, Google

Jan Seidl - CTO, TI Safe

Matias Katz - Founder and CEO, Mkit Argentina

Matrosov & Rodionov - Senior Security Researchers, Intel and Eset

Ricardo Gomes da Silva - SecT (Security in Telecommunications), Telekom Innovation Laboratories

Sergey Shekyan - Principal Engineer, Shape Security

Shikhin Sethi - Independent Security Researcher

William Costa - Senior Coordinator/Consultant, TRTec



  Reversing firmware using radare2
 Anton Kochkov (xvilka)
  This talk will briefly describe the architecture of modern computers (mostly PCs), the microcontrollers commonly found inside PCs and laptops, their firmware, and techniques for reverse-engineering it. For most of the talk I'll use radare2, including demo sessions on a few firmware examples.
  Lead Developer at SecurityCode since 2013. During the last several years I've focused on reverse-engineering of various firmware: PC and its peripherals, ARM, MIPS, baseband processors, microcontrollers. Constant contributor to the coreboot project and radare2.

Leader of the Droid-Developers/Miledropedia project; MEre project member.



  DemystiPHYing 802.15.4 Digital Radio; or, How to Weaponize Fingerprinting for Packet-in-Packet Mitigation Bypasses
 Bratus & Goodspeed
  Sergey Bratus and Travis Goodspeed

The PHY layer of digital radio is commonly viewed as a black box that takes logical frames on one side of a radio connection and magically pops them out on the other (or doesn't, if the checksums don't match). The internals of the black box are shrouded in mystery and magic. Antennas, modulation, and error correction are somehow involved, but they seem to exist in a different dimension that cannot be manipulated digitally at the byte level like call stacks, binaries, or parser bugs. For those of us who can't design radio circuits, it seems to be at best a minecraft game of GnuRadio blocks.

But in reality this just ain't so. The PHY in fact contains several digital layers and mechanisms, which can be manipulated without a software-defined radio. We will demystify these mechanisms for the 802.15.4 PHY and will show them in action for sending arbitrary bytes and frames through the air without a software radio, sending frames that aren't heard by a WIDS but are heard by targets if they use different radio chips, "borrowing" error-correction logic to bypass defenses, and fingerprinting chipset families. Orson Welles may have beaten us to the Packet-in-Packet technique, but he has nothing on our one-eighth-of-a-nybble mitigation bypass and make-your-own-packet cut-out paper games!
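The mechanism behind Packet-in-Packet, as an added example that is not part of the abstract and not the speakers' code: a symbol-level model of the 802.15.4 O-QPSK framing (four zero preamble octets, SFD 0xA7, 7-bit length, CRC-16 FCS) and of a receiver that hunts for the sync sequence. An outer frame carries a complete inner PPDU in its payload; on a clean channel the receiver accepts the outer frame and the inner bytes are just payload, but one corrupted symbol in the outer SFD makes the radio keep hunting until it syncs on the inner preamble and accepts the inner frame as its own. Chipset differences are modelled only as differing minimum preamble lengths (an assumption for this simulation): a target that syncs on four zero symbols hears the shortened inner frame, a WIDS that needs eight does not. Real radios sync on chip sequences, so the fractional-symbol tricks from the talk are outside this model.

```python
# Added example (not from the talk): a symbol-level model of 802.15.4 Packet-in-Packet.
# Assumptions: O-QPSK PHY framing (4 zero preamble octets, SFD 0xA7, 7-bit length,
# CRC-16 FCS), nibbles as symbols, and chipset differences modelled only as a
# different minimum preamble length.  Real radios sync on chip sequences.

SFD = 0xA7
SFD_SYMBOLS = [SFD & 0xF, SFD >> 4]      # low nibble is sent first: 7 then A


def crc16_fcs(data: bytes) -> int:
    """802.15.4 FCS: x^16 + x^12 + x^5 + 1, init 0, bit-reflected (CRC-16/KERMIT)."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def build_ppdu(psdu: bytes, preamble_octets: int = 4) -> bytes:
    """SHR (preamble + SFD) | PHR (length) | PSDU with the FCS appended LSB first."""
    fcs = crc16_fcs(psdu)
    frame = psdu + bytes([fcs & 0xFF, fcs >> 8])
    assert len(frame) <= 127, "PHR length field is 7 bits"
    return bytes(preamble_octets) + bytes([SFD, len(frame)]) + frame


def to_symbols(octets: bytes) -> list:
    return [n for b in octets for n in (b & 0xF, b >> 4)]


def from_symbols(symbols: list) -> bytes:
    return bytes(lo | (hi << 4) for lo, hi in zip(symbols[0::2], symbols[1::2]))


def receive(symbols: list, min_preamble_symbols: int = 4) -> list:
    """Model of a receiving radio: hunt for a run of zero symbols followed by the
    SFD, read the length, swallow the PSDU, accept it if the FCS checks, then go
    back to hunting.  Returns the accepted PSDUs (without FCS)."""
    frames, zeros, i = [], 0, 0
    while i < len(symbols):
        if symbols[i] == 0:
            zeros += 1
            i += 1
            continue
        if zeros >= min_preamble_symbols and symbols[i:i + 2] == SFD_SYMBOLS:
            j = i + 2
            if j + 2 > len(symbols):
                break
            length = symbols[j] | (symbols[j + 1] << 4)
            j += 2
            body = symbols[j:j + 2 * length]
            if len(body) < 2 * length:
                break
            psdu = from_symbols(body)
            if crc16_fcs(psdu[:-2]) == psdu[-2] | (psdu[-1] << 8):
                frames.append(psdu[:-2])
            i = j + 2 * length          # the radio is busy until the frame ends
        else:
            i += 1
        zeros = 0
    return frames


def demo():
    """Outer frame carries a complete inner PPDU in its payload (constructed data)."""
    inner = b"\x41\x88\x01" + b"INJECTED"              # constructed MAC header + payload
    inner_ppdu = build_ppdu(inner, preamble_octets=2)  # shortened preamble: 4 zero symbols
    outer = b"\x41\x88\x02" + b"benign " + inner_ppdu + b" tail"
    stream = to_symbols(build_ppdu(outer))

    clean = receive(stream)                 # -> [outer]: the inner bytes are just payload
    noisy = list(stream)
    noisy[9] ^= 0x9                         # one corrupted symbol in the outer SFD
    lenient = receive(noisy)                # target chip (4-symbol sync): -> [inner]
    strict = receive(noisy, min_preamble_symbols=8)   # WIDS chip (8-symbol sync): -> []
    return clean, lenient, strict


if __name__ == "__main__":
    for name, frames in zip(("clean", "target", "wids"), demo()):
        print(name, frames)
```

The inner frame needs its own valid FCS because the receiver, once it syncs late, checks the inner bytes as a frame in their own right; that is why the attacker can only inject frames that would be valid on the air anyway.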
  Travis Goodspeed is a Southern Appalachian neighbor with a bit of an obsession for the MSP430 microcontroller. Sergey Bratus is a North Appalachian neighbor and a Research Assistant Professor at Dartmouth College. Together, they accidentally broke the OSI Model with Packet-in-Packet, a PHY-layer exploit for remote frame injection portable to most digital radios, and continue to work on demystifying PHY for neighbors far and wide.

Sergey Bratus is a Research Associate Professor at Dartmouth College. He enjoys finding weird properties of common programming models and protocols.



  For Want of a Nail (*): A LangSec look at parser bugs in the Pwnies
 Bratus & Patterson
  Sergey Bratus, Meredith L. Patterson

Input parser bugs appear to be simple. For years, they've been among the best-understood bug kinds. Yet 2014 could be called The Year of Parser Bugs on account of Heartbleed alone, and there are more such bugs in the 2014 Pwnie Award nominations. In 2013, parser bugs were over half of all nominated server-side bugs. When simple bugs account for the most impactful vulnerabilities, perhaps they are not so simple after all.

We take a look at the recent crop of famous bugs -- such as Heartbleed, Android Master Key, goto fail, Nginx chunked encoding, and others -- from the Language-theoretic security (LangSec) point of view. This talk continues our "Shotgun Parsers" examination of historic input-handling bugs from two years ago.
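The Heartbleed shape of bug, as an added example that is not part of the abstract and is not the speakers' code: a TLS HeartbeatMessage is type(1) | payload_length(2) | payload | padding(at least 16). The "shotgun" handler trusts the length field and copies that many bytes before anything has checked the message against the record that actually arrived; the recognizer-first handler rejects the message unless the whole thing, as claimed, fits. "Process memory" here is a constructed byte string with the record at offset 0 and a fake key right after it, standing in for the heap neighbours memcpy would read; nothing touches a real TLS stack.

```python
# Added example (not from the talk): the Heartbleed shape of parser bug, in Python.
# "memory" is a constructed byte string standing in for process memory with the
# record at offset 0; the secret placed after it is fake.
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16


def build_heartbeat(payload: bytes, claimed_length: int = None) -> bytes:
    """A peer controls both the payload and the length field it claims for it."""
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING


def handle_shotgun(record: bytes, memory: bytes) -> bytes:
    """Shotgun parser: the length field is trusted and used before anything checks it
    against the record that actually arrived (the pre-fix behaviour)."""
    hbtype, payload_length = struct.unpack("!BH", record[:3])
    # memcpy(bp, pl, payload_length): copies from wherever the record sits in memory
    payload = memory[3:3 + payload_length]
    return struct.pack("!BH", HB_RESPONSE, payload_length) + payload + b"\x00" * PADDING


def handle_recognizer_first(record: bytes, memory: bytes):
    """Accept the message only if the whole thing, as claimed, fits in the record
    (the check the fix added: 1 + 2 + payload + 16 > record length means drop)."""
    if len(record) < 3:
        return None
    hbtype, payload_length = struct.unpack("!BH", record[:3])
    if 1 + 2 + payload_length + PADDING > len(record):
        return None
    payload = record[3:3 + payload_length]
    return struct.pack("!BH", HB_RESPONSE, payload_length) + payload + b"\x00" * PADDING


def demo():
    secret = b"-----BEGIN RSA PRIVATE KEY----- (constructed neighbour data)"
    record = build_heartbeat(b"hi", claimed_length=40)   # 2 bytes sent, 40 claimed
    memory = record + secret                              # constructed process memory
    return handle_shotgun(record, memory), handle_recognizer_first(record, memory)


if __name__ == "__main__":
    leaked, safe = demo()
    print("shotgun parser echoed:", leaked[3:])
    print("recognizer-first parser:", safe)
```

The LangSec point is the ordering, not the arithmetic: the message must be fully recognized against the bytes that were actually received before any of its fields are used to drive a copy.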

  Meredith L. Patterson is a founder of Upstanding Hackers, LLC and a co-creator of the Language-theoretic approach to security. She developed the first language-theoretic defense against SQL injection in 2005 as a PhD student at the University of Iowa and has continued expanding the technique ever since. She lives in Brussels, Belgium.

Sergey Bratus is a Research Associate Professor at Dartmouth College. He enjoys finding weird properties of common programming models and protocols.



  Android file system monitoring discussion
 Breno Silva
  This is a work-in-progress presentation to discuss the challenges of file system monitoring as a way to prevent abuse by processes. This is especially desirable on phones and tablets, where such a system could limit the impact of programs on the data created by other applications, thus protecting users' privacy.
  Breno is a computer scientist with over 8 years of experience in Information Technology, experienced with a wide range of software development techniques and languages, security systems and network technologies. Breno brings a deep mathematical education, supporting research and algorithm design for network anomaly detection mechanisms in high-speed networks. Breno resides in Brasília, Brazil.



  LTE vs Darwin: Return of the SON
 Butterly and Schmidt
  "LTE vs. Darwin - Return of the SON" is the third presentation in a series of talks we started writing in the middle of 2013, aimed at giving a broad overview of LTE and its suggested security features and presenting our research findings and results. The first talk was held in January 2014 at ShmooCon, the second one at Hackito Ergo Sum; both were concerned with LTE basics, specs and theoretical flaws. Our current focus is on the Self Organizing and Self Configuring features, where we're acquiring new hardware and analyzing/rating specs. The talk will be packed with all the new results we achieve during the summer months and a broad overview of the research already presented. We're going to give a short introduction to LTE basics (backend & technical) and will then focus on both the protocols and the devices involved in the SON process. While working through the specs and identifying potential flaws in protocols, we're taking a closer look at eNodeBs/HeNodeBs and will be writing further fuzzers/scanners for closer analysis. We will give a few demos and release the tools created during the process.
  We're both experienced security researchers and pentesters. Having done various jobs in large enterprise environments, we know our way around protocols, packets and the systems behind them. Both of us work for ERNW GmbH in Heidelberg, Germany, and are part of the TROOPERS conference team. As ERNW is fully independent, we have no affiliations with any other corporations or vendors. We simply enjoy learning and breaking new things (the newer, the better), so we're rather passionate about our research in the field of LTE. We've gained a lot of experience with mobile networks during our assignments and are now more than happy to share the results of our own research. We're open to sharing knowledge, tools and thoughts, simply to make the world a safer place!



 Daniel J. Bernstein (djb)
  This is an invited talk by the famous cryptologist and programmer Daniel J. Bernstein.
  Daniel Julius Bernstein (sometimes known simply as djb; born October 29, 1971) is a mathematician, cryptologist, programmer, and research professor of computer science at the University of Illinois at Chicago. He is the author of the computer software programs qmail, publicfile, and djbdns.



  Who put the backdoor in my modem
 Ewerson Guimaraes a.k.a. crash
  For quite some time we have been seeing espionage cases reaching countries, governments and large companies.

A large number of backdoors have been found on network devices, mobile phones and other related devices; the main cases reported by the media involved TP-Link, D-Link, Linksys, Samsung and other internationally renowned companies.

This talk will discuss a backdoor found on the modem/router XXX, a device with a big question mark over it: there is no vendor identification and no information about who its manufacturer is, and there are at least 7 companies linked to its production, sales and distribution in the market. Moreover, some of them never really existed.

Which leads us to the question in the research title: who put the backdoor in my modem?
  Degree in Computer Science from Fumec University; Security Analyst and Researcher at Ibliss Seguranca & Inteligencia. Certified as a pentester by Offensive Security (OSCP) and Elearn (WPT), Ewerson has published articles in the Brazilian information security/computing magazines H4ck3r and GEEK, and has posted exploits and advisories on SecurityFocus for bugs found in products from big companies such as IBM, McAfee, Skype, Technicolor, Tufin, TrendMicro and others. He has contributed modules to the Metasploit Framework project.

Founder of the BHack Conference and of Area31, the first hackerspace in Minas Gerais.

Was speaker at:
Defcon Bangalore, India - Steganography QRcodes using RGB subtle pixel color mutation (2013)
Anna University, Chennai, India - Hacking Citrix Servers (2013)
Inside 3D Printing - FabScan / 3D Scan (2014)
BSides Brazil - Hacking Citrix Servers (2013)
BSides Brazil - From bug to Metasploit module (2012)
Just4Meeting 3.0, Portugal - From bug to Metasploit module (2012)



  State of the Art in IPv6 Security
 Fernando Gont
  The IPv6 protocol suite was designed to accommodate the present and future growth of the Internet, and is expected to be the successor of the original IPv4 protocol suite. It has already been deployed in a number of production environments, and many organizations have already scheduled or planned its deployment in the next few years.

During the last few years, a number of IPv6 security efforts have been started at the Internet Engineering Task Force (IETF), the organization in charge of standardizing the Internet protocols. These efforts have ranged from informational documents aimed at raising awareness and/or providing advice to the network operations community, to new protocol features or modifications aimed at mitigating identified vulnerabilities.

Another area that has seen a lot of evolution is that of IPv6 security assessment and attack tools, in which brand-new tools have emerged to fill a vacuum in the pentester's toolkit. One prominent example is the SI6 IPv6 toolkit: a free and portable IPv6 security assessment and attack toolkit, which contains a variety of tools ranging from packet-crafting tools to advanced IPv6 reconnaissance tools (most of which implement techniques that are not available in your penetration testing suite of choice).

Fernando Gont will provide an overview of all recent IPv6 security efforts at the IETF, summarizing the key aspects of each of them, and describing their implementation status by the most popular operating systems -- thus providing the audience with a snapshot of the latest advancements in the IPv6 standardization community, and the impact of the aforementioned work on the vendor and network operations community. Additionally, he will present the key-features of the SI6 Networks' IPv6 Toolkit, along with live demos of the most important tools of the toolkit.

The SI6 Networks' IPv6 Toolkit is freely available from SI6 Networks.
  Fernando Gont specializes in the field of communications protocols security, working for private and governmental organizations.

Gont has worked on a number of projects for the UK National Infrastructure Security Co-ordination Centre (NISCC) and the UK Centre for the Protection of National Infrastructure (CPNI) in the field of communications protocols security. As part of his work for these organizations, he has written a series of documents with recommendations for network engineers and implementers of the TCP/IP protocol suite, and has performed the first thorough security assessment of the IPv6 protocol suite.

Gont is currently working as a security consultant and researcher for SI6 Networks. Additionally, he is a member of the Centro de Estudios de Informatica (CEDI) at Universidad Tecnológica Nacional/Facultad Regional Haedo (UTN/FRH) of Argentina, where he works in the field of Internet engineering. As part of his work, he is active in several working groups of the Internet Engineering Task Force (IETF), and has published more than a dozen IETF RFCs (Request For Comments) and more than a dozen IETF Internet-Drafts.

Besides developing new IPv6 attack and defense techniques, Gont has produced the SI6 Networks' IPv6 Toolkit, a portable and comprehensive security toolkit for the IPv6 protocol suite.


Gont has been a speaker at a number of conferences and technical meetings about information security, operating systems, and Internet engineering, including: CanSecWest 2005, Midnight Sun Vulnerability and Security Workshop/Retreat 2005, FIRST Technical Colloquium 2005, Kernel Conference Australia 2009, DEEPSEC 2009, HACK.LU 09, HACK.LU 2011, DEEPSEC 2011, LACSEC 2012, Hackito Ergo Sum 2012, Hack In Paris 2012, and IPv6 Kongress 2013. Additionally, he is a regular attendee of IETF (Internet Engineering Task Force) meetings.

More information about Fernando Gont is available on his personal web site.



 Halvar Flake
  Halvar Flake is a famous researcher in the areas of Reverse Engineering and Vulnerability Research.
  Thomas Dullien (better known as Halvar Flake) has been working on topics related to reverse engineering (and vulnerability research) for the last 9 years. He has repeatedly presented innovative research in the realm of reverse engineering and code analysis at various renowned security conferences (RSA, Blackhat Briefings, CanSecWest, SSTIC, DIMVA).

Aside from his research activity, he has taught classes on code analysis, reverse engineering and vulnerability research to employees of various government organizations and large software vendors.

Halvar founded zynamics in 2004 in order to further research into automation of reverse engineering and code analysis. The company was acquired by Google in 2011.



  Catch me if you can: TOR tricks for bots, shells and general hacking
 Jan Seidl
  This presentation brings some techniques that can be used by bots, shells (especially Metasploit's meterpreter) and other hacker tools to benefit from the anonymity provided by the TOR network (and possibly other darknets such as I2P and Freenet as well).

Starting with the proper configuration of TOR clients, some configuration options will be presented, along with the use of bridges and protocol obfuscators (TOR's Pluggable Transports), to achieve maximum anonymity and low profiling by pattern analysis or timing attacks. This configuration will then be extended to TOR Hidden Services, in order to provide client authentication and other security advantages.

There are plenty of wonderful tools that we use in our hacking that unfortunately aren't proxy aware. TOR uses a SOCKS5 interface to enable DNS-tunneled communication from the external world to the darknet, and we can make those proxy-unaware tools work over the TOR network by using some cool socket binding and bridging tricks.

A live demo will be presented (if the internet connection allows; otherwise a video will be shown) of a simple small botnet operating from inside the TOR network (optionally using a tor2web relay if the TOR network is blocked), using obfuscated bridges, HiddenServices-based HTTP or IRC C&C, multiple C&C addresses and the use of OTP (one-time password) algorithms to achieve synchronized randomization (for low detection) and a primitive DGA (domain generation algorithm), lowering the overall profilability of the botnet.

A variant of this botnet will be discussed (and models presented) that moves to a P2P (peer-to-peer) paradigm (as opposed to C&C via Hidden Services).

For the remote shells, I'll demonstrate how to use a custom payload dropper (Metasploit Framework payloads in this case) that will deploy and configure the TOR client binary, deploy the bind_tcp payload and expose it to the TOR network over a Hidden Service, for Linux and Windows.

The main objective is to show how it is possible to gain enormous resilience and a low detection rate, for bots and for attacks, without using a single exit node, remaining sunk in the darknet the whole time.

Keywords: TOR, linux, python, darknets, anonymity, bots, botnet, metasploit, malware, meterpreter, windows
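The "OTP for synchronized randomization" and "primitive DGA" ideas from the abstract, as an added example that is not part of the abstract and not the speaker's code: bots and their C&C derive the same choices from a shared secret and the current time window, exactly as TOTP derives codes from a secret and a time counter, and the defender's side is shown too, because once that secret is recovered from a sample every future choice can be enumerated. The onion addresses, secret, window length and label format are constructed for this illustration; real onion names come from the service's key, so the DGA here generates clearnet fallback names (the kind a tor2web path would need), not onion addresses.

```python
# Added example (not from the talk): TOTP-style synchronized rendezvous selection and a
# primitive DGA, plus the defender's forecast once the secret is known.  Secret, onion
# pool, window length and label format are all constructed for this illustration.
import base64
import hashlib
import hmac

WINDOW_SECONDS = 300


def window_index(now: float, step: int = WINDOW_SECONDS) -> int:
    """Time counter, as TOTP does it: floor(unix_time / step)."""
    return int(now // step)


def derive(secret: bytes, counter: int, purpose: bytes) -> bytes:
    """HMAC-SHA256 over (purpose || counter); every party with the secret gets the same bytes."""
    return hmac.new(secret, purpose + counter.to_bytes(8, "big"), hashlib.sha256).digest()


def pick_rendezvous(secret: bytes, counter: int, onion_pool: list) -> tuple:
    """Synchronized randomization: which pre-deployed hidden service to contact in this
    window, and the one-time URL path the C&C will accept in this window."""
    d = derive(secret, counter, b"rendezvous")
    onion = onion_pool[int.from_bytes(d[:4], "big") % len(onion_pool)]
    token = base64.b32encode(d[4:14]).decode().lower()       # 10 bytes -> 16 chars
    return onion, "/" + token


def dga_domains(secret: bytes, counter: int, count: int = 2, tld: str = "net") -> list:
    """Primitive DGA: `count` fallback clearnet names per window, registered ahead of
    time by the operator and used only if the Tor path is blocked."""
    names = []
    for n in range(count):
        d = derive(secret, counter, b"dga" + bytes([n]))
        names.append(base64.b32encode(d[:10]).decode().lower() + "." + tld)
    return names


def bot_rendezvous(secret: bytes, onion_pool: list, now: float) -> dict:
    """What one bot decides to do at time `now`."""
    c = window_index(now)
    onion, path = pick_rendezvous(secret, c, onion_pool)
    return {"window": c, "onion": onion, "path": path, "fallback": dga_domains(secret, c)}


def defender_forecast(secret: bytes, now: float, windows_ahead: int = 12) -> set:
    """With the secret pulled from a sample, enumerate every fallback name the bots
    will try over the next `windows_ahead` windows (one hour here) for sinkholing."""
    c0 = window_index(now)
    names = set()
    for c in range(c0, c0 + windows_ahead):
        names.update(dga_domains(secret, c))
    return names


if __name__ == "__main__":
    import time
    secret = b"constructed-shared-secret"
    pool = ["aaaaaaaaaaaaaaaa.onion", "bbbbbbbbbbbbbbbb.onion", "cccccccccccccccc.onion"]
    print(bot_rendezvous(secret, pool, time.time()))
    print(sorted(defender_forecast(secret, time.time())))
```

The same property that keeps the bots in step (determinism from secret plus time) is what makes the scheme brittle against anyone holding a sample: the forecast function is the sinkhole operator's whole job.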
  Jan Seidl is a *NIX, BSD, C & Python lover. Security consultant and researcher, focused on SCADA security, dedicated pentester and malware reverse engineering rookie with extensive experience administering server, network and application security. Speaker at many security and free-software conferences such as Hackers 2 Hackers Conference (BR), CeBIT (DE), Defcon Bangalore (IN), Forum Internacional Software Livre - FISL (BR) and many others. Author of an IT & SCADA security blog and a book on SCADA security (Segurança de Automação Industrial e SCADA, CAMPUS - 2014), with several other technical papers published; he is currently CTO of TI Safe Segurança da Informação.



  Hardware Backdooring X11 with much class and no privileges
 Matias Katz
  X11 is much more powerful than we think. In this talk I will show how to generate a backdoor for any Linux or BSD machine that runs X11, X-Window or Xorg, using only syscalls to X (no binaries, opcodes, or privileges needed to execute it), which can be invoked by hardware interrupts or an open port on the victim computer.

What's under the hood:
This attack takes advantage of a feature included in the "dbus" IPC software that controls the lock screen. By tampering with it, you can easily invoke an unlock. The hardware interrupts that execute the code can easily be implemented by the attacker according to his choice, but the trick is to choose the correct hardware that can be controlled while the computer is locked, of which there is only a little. In the demo I will show all the ways I could unlock the screen: with hardware interrupts, an open UDP port, or even without having the backdoor running in the background, just calling it. Dbus is bundled with GNOME, KDE, freedesktop, Xfce and more X systems, making (almost) any Linux or BSD box vulnerable to this attack.
  Matias Katz is a Penetration Tester who specializes in Web security analysis. He loves to build simple tools to perform discovery and exploitation on any software or network. He has spoken at BlackHat, H2HC, Ekoparty, TEDx, Campus Party, OWASP and many other important conferences. He is the founder and CEO of Mkit Argentina, a company that specializes in computer, physical and human security solutions. He is also the founder of the Andsec conference. And he is a Super Mario World master!!



  HexRaysCodeXplorer: object oriented RE for fun and profit
 Matrosov & Rodionov
  HexRaysCodeXplorer is a Hex-Rays Decompiler plugin for easier code navigation. The main features of the plugin are:

- Automatic type REconstruction for C++ objects.
- C-tree graph visualization: a special tree-like structure representing a decompiled routine in citem_t terms. A useful feature for understanding how the decompiler works.
- Navigation through virtual function calls in the Hex-Rays Pseudocode window.
- Object Explorer: a useful interface for navigating virtual table (VTBL) structures.

In this presentation, the authors of HexRaysCodeXplorer will discuss the main functionality of the plugin and its application to reverse engineering. The authors will present the algorithm for C++ type REconstruction. Also, a special version of HexRaysCodeXplorer (H2HC edition) will be released with new features developed specially for the H2HC conference. New features will be committed to GitHub from the stage.
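The core of vtable-driven C++ type recovery, as an added example that is not HexRaysCodeXplorer's code and not the plugin's algorithm: on a constructed x86-64 image, a run of pointer-aligned words in a data section that all point into .text is taken as a vtable. Under the Itanium C++ ABI the offset-to-top and RTTI words sit just before the first virtual function and do not point into .text, so the run starts exactly where a constructor's vptr store points. From each run the example emits the declarations a decompiler wants, the vtable as a struct of function pointers and an object type whose first field is the vptr, and maps a `call [rax+0x10]` displacement to its slot. Addresses, section ranges and method targets are made up for the illustration.

```python
# Added example (not HexRaysCodeXplorer's code): vtable discovery and C type emission
# on a constructed x86-64 image.  All addresses and ranges below are made up.
import struct

PTR = 8                      # assumption: 64-bit little-endian image


def find_vtables(image: bytes, base: int, text: tuple, data: tuple, min_slots: int = 2) -> list:
    """Return [(vtable_address, [method_address, ...]), ...] for every run of at least
    `min_slots` consecutive .text pointers inside the `data` range."""
    t_lo, t_hi = text
    d_lo, d_hi = data

    def word(addr):
        return struct.unpack_from("<Q", image, addr - base)[0]

    def in_text(value):
        return t_lo <= value < t_hi

    found = []
    addr = d_lo
    while addr + PTR <= d_hi:
        if not in_text(word(addr)):
            addr += PTR
            continue
        start = addr
        while addr + PTR <= d_hi and in_text(word(addr)):
            addr += PTR
        slots = [word(a) for a in range(start, addr, PTR)]
        if len(slots) >= min_slots:              # a lone callback pointer is not a vtable
            found.append((start, slots))
    return found


def emit_c_type(vtable_addr: int, slots: list) -> str:
    """Decompiler-friendly declarations: the vtable as a struct of function pointers and
    a minimal object type whose first field is the vptr."""
    lines = ["struct vtbl_%x {" % vtable_addr]
    for i, target in enumerate(slots):
        lines.append("    void (*vfunc_%d)(void *this);   /* sub_%x */" % (i, target))
    lines.append("};")
    lines.append("struct obj_%x { struct vtbl_%x *vptr; };" % (vtable_addr, vtable_addr))
    return "\n".join(lines)


def slot_for_call(displacement: int) -> int:
    """`call qword ptr [rax+0x10]` through a vptr is a call to vfunc_2."""
    return displacement // PTR


def build_sample_image():
    """Constructed image: .text at 0x401000-0x402000, .rodata at 0x403000-0x404000."""
    base = 0x400000
    image = bytearray(0x4000)

    def put(addr, value):
        struct.pack_into("<Q", image, addr - base, value)

    put(0x403000, 0)            # offset-to-top
    put(0x403008, 0x403800)     # typeinfo pointer: into .rodata, so it breaks the run
    put(0x403010, 0x401100)     # class A: three virtual methods
    put(0x403018, 0x401180)
    put(0x403020, 0x401220)
    put(0x403100, 0x401300)     # a single callback pointer, not a vtable
    put(0x403200, 0x401400)     # class B: two virtual methods (one shared with A)
    put(0x403208, 0x401100)
    return bytes(image), base, (0x401000, 0x402000), (0x403000, 0x404000)


if __name__ == "__main__":
    image, base, text, data = build_sample_image()
    for addr, slots in find_vtables(image, base, text, data):
        print(emit_c_type(addr, slots), "\n")
```

The heuristic over-approximates (any array of code pointers looks like a vtable), which is why a real plugin cross-checks candidates against constructor code that stores the address into a freshly allocated object.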
  Alexander Matrosov (@matrosov)
Alexander has more than ten years of experience with malware analysis, reverse engineering and advanced exploitation techniques. He is currently working at Intel as a Senior Security REsearcher. In the previous four years he worked at ESET as Senior Malware Researcher and Security Intelligence Team Lead. He has worked in security research for major Russian companies since 2003. He is also a Lecturer at the Cryptology and Discrete Mathematics department of the National Research Nuclear University in Moscow, and co-author of the research papers “Stuxnet Under the Microscope” and “The Evolution of TDL: Conquering x64”, and is frequently invited to speak at security conferences (REcon, Ekoparty, CONFidence, ZeroNights, PHDays ...). Nowadays he specializes in the comprehensive analysis of complex threats, modern exploitation vectors and hardware security research.

Eugene Rodionov (@vxradius)
Eugene Rodionov graduated with honors from the Information Security faculty of the Moscow Engineering Physics Institute (State University) in 2009. He has been working for the past five years for several companies, performing software development, IT security audits and malware analysis. He currently works at ESET, one of the leading companies in the antimalware industry, where he performs analysis of complex threats. His interests include kernel-mode programming, anti-rootkit technologies, reverse engineering and cryptology. He is co-author of the research papers “Stuxnet Under the Microscope” and “TDL3: The Rootkit of All Evil?”. Eugene Rodionov also holds the position of Lecturer at the National Research Nuclear University MEPhI in Russia.



  Practical Analysis of Embedded Microcontrollers against Clock Glitching Attacks
 Ricardo Gomes da Silva
  Clock glitching attacks are one of the types of hardware fault injection studied nowadays. By glitching the clock, it is possible to change the target's hardware behavior, either by corrupting or simply skipping CPU instructions. Since the software is not prepared to handle a device that has been tampered with, an attacker can exploit such a vulnerability and take over the control flow of the program. Multiple attacks can then be performed, such as forcing the device to exit loops or dump its own memory.

This work applies this technique against AVR microcontrollers by implementing a modular glitcher environment. The environment allows not only fine-tuning of attacks, but also a brute-force algorithm for finding the glitching range. By executing multiple repeatable experiments, both on handcrafted and compiled code, it demonstrates that this architecture is vulnerable to these attacks, which introduce faults that were not expected and cannot be handled by the software. The implications of this for the security of the program are discussed in this work. Additionally, a critical analysis of the disadvantages and issues of the approach used, and how it can be further improved, is provided.
  Computer Science student at UFRGS on a double-degree programme with TU Berlin. Currently a research fellow at SecT (Security in Telecommunications) at Telekom Innovation Laboratories, where he does research on hardware fault injection, specifically clock glitching.
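The instruction-skip fault model and the brute-force search over it, as an added example that is not the talk's glitcher and not the author's code: a tiny AVR-style interpreter runs a constructed password check that compares every byte, counts mismatches and decides at the end; a glitch is modelled as one fetched instruction taking no effect on a chosen clock cycle; the search tries a single skip at every cycle of the normal run and reports the cycles (and instructions) on which a wrong password unlocks. The program, register model and inputs are constructed; there is no hardware here.

```python
# Added example (not the talk's glitcher): single-instruction-skip fault model on a toy
# AVR-style password check, plus the brute-force sweep that finds the glitching cycles.
# The program, register model and inputs are constructed.
MAX_CYCLES = 3000

# Compare all bytes, count mismatches, decide at the end.
PROGRAM = [
    ("ldi", 16, 0),                      # 0  i = 0
    ("ldi", 19, 0),                      # 1  mismatches = 0
    ("ldx", 17, "expected", 16),         # 2  r17 = expected[i]
    ("ldx", 18, "provided", 16),         # 3  r18 = provided[i]
    ("cp", 17, 18),                      # 4  Z = (r17 == r18)
    ("breq", 7),                         # 5  equal: skip the count
    ("inc", 19),                         # 6  mismatches++
    ("inc", 16),                         # 7  i++
    ("cpi", 16, 4),                      # 8  Z = (i == 4)
    ("brne", 2),                         # 9  loop
    ("cpi", 19, 0),                      # 10 Z = (mismatches == 0)
    ("brne", 13),                        # 11 any mismatch -> locked
    ("halt", "unlocked"),                # 12
    ("halt", "locked"),                  # 13
]


def run(program, expected, provided, skip_cycle=None, max_cycles=MAX_CYCLES):
    """Execute until halt.  If skip_cycle is given, the instruction fetched on that
    cycle takes no effect (glitch model: fetch corrupted, PC still advances).
    Returns (status, trace) where trace lists (cycle, pc) for every fetch."""
    regs = [0] * 32
    z = False
    pc = 0
    trace = []
    tables = {"expected": expected, "provided": provided}
    for cycle in range(max_cycles):
        if pc >= len(program):
            return "crash", trace
        trace.append((cycle, pc))
        op, *args = program[pc]
        if cycle == skip_cycle:
            pc += 1
            continue
        if op == "ldi":
            regs[args[0]] = args[1]
        elif op == "ldx":
            table = tables[args[1]]
            regs[args[0]] = table[regs[args[2]] % len(table)]   # wrap like a small address space
        elif op == "cp":
            z = regs[args[0]] == regs[args[1]]
        elif op == "cpi":
            z = regs[args[0]] == args[1]
        elif op == "inc":
            regs[args[0]] = (regs[args[0]] + 1) & 0xFF           # 8-bit register
        elif op == "halt":
            return args[0], trace
        if op == "breq":
            pc = args[0] if z else pc + 1
        elif op == "brne":
            pc = args[0] if not z else pc + 1
        else:
            pc += 1
    return "hung", trace


def find_glitch_cycles(program, expected, provided):
    """Brute force: try a single skip on every cycle of the normal run and keep the
    cycles on which the wrong password unlocks.  Returns [(cycle, instruction), ...]."""
    _status, trace = run(program, expected, provided)
    hits = []
    for cycle, pc in trace:
        if run(program, expected, provided, skip_cycle=cycle)[0] == "unlocked":
            hits.append((cycle, program[pc]))
    return hits


EXPECTED = [0x11, 0x22, 0x33, 0x44]         # constructed secret
WRONG = [0xAA, 0xBB, 0xCC, 0xDD]            # attacker input, every byte wrong

if __name__ == "__main__":
    print("no glitch:", run(PROGRAM, EXPECTED, WRONG)[0])
    for cycle, insn in find_glitch_cycles(PROGRAM, EXPECTED, WRONG):
        print("skip cycle %d (%s) -> unlocked" % (cycle, insn))
```

Two cycles defeat this check: skipping the final compare leaves the Z flag set from the loop-exit compare, and skipping the branch after it falls straight into the unlock path. A per-byte early-exit loop would instead need one successful glitch per byte, which is the shape of argument the glitching-range search is for.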



  Headless Browser Hide and Seek
 Sergey Shekyan
  Headless browsers have quietly become indispensable tools for security teams, researchers, and attackers focusing on web applications. Tools like PhantomJS enable anyone to interact with highly dynamic websites to find vulnerabilities, performance bottlenecks, and even automate attacks.

This presentation will dive into the offensive use of these tools, and how to counteract them in practice. This will include techniques used by attackers to find vulnerabilities in websites, and how security teams can use these techniques to perform their own daily security practice.

With this base established, we will delve into an extended analysis of the techniques malicious browsers use to impersonate real end users, and the countermeasures security teams can use to expose them. We will provide examples of how to collect threat forensics and attacker attribution data when malicious browsers are detected on your site. Lastly, we will review vulnerabilities in headless browsers themselves and provide recommendations to ensure that your tools aren't turned against you.

Introduction to Headless Browsers
- What it is and how it works
- Legitimate uses and how you can benefit
- Malicious Use of PhantomJS
- Impersonate a legitimate browser
- Fuzzing a web application
- Find performance bottlenecks

Exploiting the Exploiter
- How attackers attempt to hide
- How to expose them on your site
- Additional evasion techniques and countermeasures

- Example of attacking with phantomJS with subsequent detection
- Arbitrary code execution on up-to-date remote PhantomJS
- Various ways of abusing remote PhantomJS

Counter-attacking and Attribution
- How to turn a headless browser against the attacker
- Vulnerabilities in PhantomJS
- Best practices for using headless browsers safely
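Server-side exposure of an impersonating headless browser, as an added example that is not part of the talk and not the speaker's code: it triages constructed request log lines, each a JSON object with the User-Agent, the Accept-Language header (null when absent) and, when the page's probe script reported back, what it saw in the browser. window.callPhantom and window._phantom are PhantomJS's own globals, window.chrome is missing in anything that is not Chrome, and navigator.platform is compared with what the User-Agent claims. The weights, threshold and the "no Accept-Language" heuristic are assumptions for the illustration.

```python
# Added example (not from the talk): request triage for headless-browser signs over
# constructed log lines.  Weights, threshold and the Accept-Language heuristic are
# assumptions; the log lines and addresses are made up.
import json

SAMPLE_LOG = """\
{"ip": "203.0.113.5", "ua": "Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.8 Safari/534.34", "accept_language": null, "probe": null}
{"ip": "203.0.113.6", "ua": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36", "accept_language": null, "probe": {"callPhantom": true, "_phantom": true, "chrome": false, "platform": "Linux x86_64"}}
{"ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36", "accept_language": "en-US,en;q=0.8", "probe": {"callPhantom": false, "_phantom": false, "chrome": true, "platform": "Win32"}}
{"ip": "198.51.100.8", "ua": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36", "accept_language": "pt-BR,pt;q=0.8", "probe": null}
"""

FLAG_THRESHOLD = 2


def score_request(entry: dict) -> tuple:
    """Return (score, [reasons]) for one request."""
    ua = entry.get("ua", "")
    probe = entry.get("probe")
    score, reasons = 0, []

    if "PhantomJS" in ua:                          # the default UA admits it
        score += 3
        reasons.append("ua_admits_phantomjs")
    if entry.get("accept_language") is None:       # assumption: real browsers send one
        score += 1
        reasons.append("no_accept_language")
    if probe is None:                              # the page's JS never reported back
        score += 1
        reasons.append("no_probe_result")
    else:
        if probe.get("callPhantom") or probe.get("_phantom"):
            score += 3
            reasons.append("phantomjs_globals_present")
        if "Windows" in ua and str(probe.get("platform", "")).startswith("Linux"):
            score += 2
            reasons.append("ua_platform_mismatch")
        if "Chrome/" in ua and probe.get("chrome") is False:
            score += 1
            reasons.append("chrome_ua_without_window_chrome")
    return score, reasons


def triage(log_text: str, threshold: int = FLAG_THRESHOLD) -> dict:
    """Map ip -> (score, reasons) for every request at or above the threshold."""
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        score, reasons = score_request(entry)
        if score >= threshold:
            flagged[entry["ip"]] = (score, reasons)
    return flagged


if __name__ == "__main__":
    for ip, (score, reasons) in triage(SAMPLE_LOG).items():
        print(ip, score, ", ".join(reasons))
```

A spoofed User-Agent defeats only the first check; the probe results are what catch the second visitor, which is why the client-side part of the detection matters more than header inspection.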
  Sergey Shekyan is a Principal Engineer at Shape Security, where he is focused on the development of a new-generation web security product. Prior to Shape Security, he spent 4 years at Qualys developing their on-demand web application vulnerability scanning service. Sergey has presented research at security conferences around the world, covering various information security topics, including BlackHat USA, HITB Amsterdam, PHDays, H2HC and other security conferences.

Bei Zhang is a Senior Software Engineer at Shape Security, focused on analysis and countermeasures of automatic web attacks. Previously, he worked at the Chrome team at Google with a focus on the Chrome Apps API. His interests include web security, source code analysis, and algorithms.



  Option ROMs: A Hidden (But Privileged) World
 Shikhin Sethi
  Each modern x86 computer uses PCI option ROMs to initialize devices during early boot. The option ROMs not only get privileged and unsupervised access to the machine, but are also typically relied upon by the operating system to provide key device services such as video.

We show how malicious option ROMs can be executed in the background, "stealing" host machine resources such as logical cores, memory, and PCI devices. We further show how to man-in-the-middle interrupts from devices, how to gather useful information without destroying the device state, and how such malicious ROMs can snoop on the OS, especially with poorly designed kernels (or drivers) that use the option ROMs themselves.

Although UEFI attempts to address the issue by using bytecode option ROMs, we show how to bypass its security restriction. We look at how "weird machines" in the boot process could be used to undermine the trust model of the OS, and how these might be prevented.

Given that option ROMs are ubiquitous, we look at how such malicious ROMs could be detected and protected against.
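One place detection can start, as an added example that is not part of the talk and not the speaker's code: an inspector for the PCI expansion ROM container, the layer a defender can check before any image runs. It walks the image chain (0x55AA header, PCIR structure), reports vendor/device and code type, says whether an EFI image is EBC bytecode or native machine code (the distinction the abstract's "bytecode option ROMs" point turns on), verifies the legacy x86 checksum and flags chain anomalies. The sample ROM is constructed; its IDs and code bytes are fake, and the PE body of the EFI image is not parsed.

```python
# Added example (not from the talk): PCI expansion ROM inspector.  The sample ROM,
# its vendor/device IDs and its code bytes are constructed for the illustration.
import struct

CODE_TYPES = {0x00: "x86 legacy BIOS", 0x01: "Open Firmware", 0x02: "HP PA-RISC", 0x03: "EFI"}
EFI_MACHINES = {0x014C: "IA-32 native", 0x8664: "x64 native", 0x0EBC: "EBC bytecode"}


def parse_option_rom(rom: bytes) -> list:
    """Return one dict per image in the chain, each with a 'warnings' list."""
    images, off = [], 0
    while off + 0x1A <= len(rom):
        if rom[off:off + 2] != b"\x55\xAA":
            break
        pcir = off + struct.unpack_from("<H", rom, off + 0x18)[0]
        if rom[pcir:pcir + 4] != b"PCIR":
            images.append({"offset": off, "warnings": ["PCIR signature missing"]})
            break
        (vendor, device, _devlist, _pcir_len, _rev, cls0, cls1, cls2,
         length_units, _code_rev, code_type, indicator, _) = struct.unpack_from(
            "<HHHHBBBBHHBBH", rom, pcir + 4)
        size = length_units * 512
        img = rom[off:off + size]
        info = {
            "offset": off, "size": size, "vendor": vendor, "device": device,
            "class": (cls2 << 16) | (cls1 << 8) | cls0,
            "code_type": CODE_TYPES.get(code_type, "unknown(%#x)" % code_type),
            "last": bool(indicator & 0x80), "warnings": [],
        }
        if code_type == 0x00:
            # legacy image: byte 2 is the size in 512-byte units, all bytes sum to 0 mod 256
            info["checksum_ok"] = (sum(img) & 0xFF) == 0 and img[2] == length_units
            if not info["checksum_ok"]:
                info["warnings"].append("x86 image checksum/size mismatch")
        elif code_type == 0x03:
            efi_sig, _subsystem, machine = struct.unpack_from("<HHH", rom, off + 0x06)
            info["efi_signature_ok"] = efi_sig == 0x0EF1
            info["machine"] = EFI_MACHINES.get(machine, "unknown(%#x)" % machine)
            if machine != 0x0EBC:
                info["warnings"].append("EFI image is native code, not EBC bytecode")
        images.append(info)
        if info["last"]:
            if any(rom[off + size:]):
                info["warnings"].append("data follows the image marked last")
            break
        off += size
    return images


def _pcir(vendor, device, units, code_type, last):
    return b"PCIR" + struct.pack("<HHHHBBBBHHBBH", vendor, device, 0, 0x18, 3, 0, 0, 0x02,
                                 units, 0, code_type, 0x80 if last else 0, 0)


def make_x86_image(vendor, device, units, last):
    img = bytearray(units * 512)
    img[0:2] = b"\x55\xAA"
    img[2] = units
    img[3:6] = b"\xEB\xFE\x90"                  # entry at 0x03: jmp $ (constructed stub)
    struct.pack_into("<H", img, 0x18, 0x40)     # PCIR offset
    img[0x40:0x58] = _pcir(vendor, device, units, 0x00, last)
    img[-1] = (-sum(img)) & 0xFF               # checksum byte
    return bytes(img)


def make_efi_image(vendor, device, units, machine, last):
    img = bytearray(units * 512)
    img[0:2] = b"\x55\xAA"
    # init size, EFI signature, subsystem (boot service driver), machine, compression
    struct.pack_into("<HHHHH", img, 0x04, units, 0x0EF1, 0x0B, machine, 0)
    struct.pack_into("<HH", img, 0x16, 0x58, 0x40)   # offset of (fake) PE body, PCIR offset
    img[0x40:0x58] = _pcir(vendor, device, units, 0x03, last)
    return bytes(img)


def build_sample_rom() -> bytes:
    """Constructed chain: a legacy x86 image followed by an EBC image marked last."""
    return (make_x86_image(0x1234, 0x5678, 2, last=False)
            + make_efi_image(0x1234, 0x5678, 4, 0x0EBC, last=True))


def demo():
    rom = build_sample_rom()
    tampered = bytearray(rom)
    tampered[0x100] ^= 0xFF          # patch a byte inside the x86 image's code area
    return parse_option_rom(rom), parse_option_rom(bytes(tampered))


if __name__ == "__main__":
    for label, images in zip(("clean", "tampered"), demo()):
        print(label)
        for info in images:
            print("  ", info)
```

The checksum is integrity against accident, not against an attacker who can write the ROM (they simply fix the checksum byte), so the useful signals for the detection question in the abstract are the chain anomalies and, above all, a native-code EFI image where the platform policy expects bytecode.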
  Shikhin Sethi is a systems hacker with a keen interest in using low-level knowledge for exploits. Shikhin writes an article series on the x86 architecture and nifty tricks surrounding it for the International Journal of PoC||GTFO. A student in India, Shikhin is also interested in operating system design and creating standard components for a secure OS.



  Research on XSS and its variants in the consoles of security-oriented gateways
 William Costa
  In this talk, several vulnerabilities in gateways that are supposed to provide security will be demonstrated, analysing the impacts, the ease of exploitation and the motivations, helping the audience to understand the complexity of their own environments and the importance of simplification for achieving security.
  I have worked in technology for 12 years, 7 of which have been dedicated to information security; over my career I have earned the CISSP, CEH, CPT, CEPT, CompTIA Security+, FCNSP and LPI certifications. I work as Senior Coordinator/Consultant, completing 5 years at TRTEC Informática. I consider myself a junior nerd and an Arduino lover.