Talks


2 wires and 2 wheels: Bikes can do CAN too
by: @canbusdutch

"Most motorcycle manufacturers started using CAN in the early 2000s, and since then, more and more devices have been added to CAN networks on bikes. ABS, traction control, navigation systems, luxuries like heated grips, basics like lighting and advanced diagnostics, but for some reason, they still haven’t grabbed the attention of car hackers. Why? I hope to open the door to this field, and help gain popularity in motorcycle CANbus hacking.

Through this adventure, you’ll follow me as my passion for motorcycles goes headfirst into my passion for computers, and I build tools and software to reverse engineer my motorcycle's CAN system.

Python scripts, microcontrollers, pulse width modulation, some potentiometers, and a bit of what I like to call “Ruthless Engineering”, has helped me finally reach the pinnacle of CAN bus packet reversing. We’ll cover some engine simulation, execute some packet capture session analysis, and put it all back together again, for the development of an aftermarket gauge cluster."

A deeper diving on shellcode...
by: unixfreaxjp

Shellcode is often spotted to execute a malformed code in a way that can trigger the injection or further exploitation process, or other operations, mostly used in offensive ways.

In this presentation I would like to describe a more advanced method of handling malicious shellcode cases I dealt with in Linux operating systems on several architectures.

But beforehand I will try to present several basics & categories of shellcode in simple and practical ways that may help other analysts or RE beginners in recognizing the types of shellcode and how to handle them in their work in the blue-team field.

This is a sequel of my previous presentations at:

2018: R2CON2018 "Unpacking the non-unpackable Linux malware"
2019: HACKLU2019 "Linux Fileless Malware and Post Exploitation"

Automating Threat Hunting on the Dark Web and other nitty-gritty things
by: Apurv Singh Gautam (@ASG_Sc0rpi0n)

What's the hype with the dark web? Why are security researchers focusing more on the dark web? How to perform threat hunting on the dark web? Can it be automated? If you are curious about the answers to these questions, then this talk is for you. The dark web hosts several sites where criminals buy, sell, and trade goods and services like drugs, weapons, exploits, etc. Hunting on the dark web can help identify, profile, and mitigate any organization's risks if done timely and appropriately. This is why threat intelligence obtained from the dark web can be crucial for any organization. In this presentation, you will learn why threat hunting on the dark web is necessary, different methodologies to perform hunting, the process after hunting, and how hunted data is analyzed. The main focus of this talk will be automating the threat hunting on the dark web. You will also get to know what operational security (OpSec) is and why it is essential while performing hunting on the dark web and how you can employ it in your daily life.

Blockchain Based OT Monitoring Solution (BBOTMS)
by: Asif Hameed Khan / Gagan Jattana

Industrial Control Systems (ICS) are no longer isolated systems. Industrial Control Systems (ICS) now have internet connectivity capabilities. The rise of IIoT/Industry 4.0 has opened the gateway for an adversary to attack the OT environment. The last decade has shown tremendous growth of cyber-attacks on OT/ICS environments ranging from Stuxnet malware to Industroyer, Shamoon, and Triton SIS devices compromise to name a few. As the cyber-related issues are rising, it is necessary to build threat detection and monitoring capabilities for an enterprise to detect and respond to sophisticated cyber threats. This work presents a novel approach for robust monitoring of OT/ICS environment based on the blockchain technology.

Cracking Financial Systems
by: Project Nexus

Recent attacks provide insight on cyber assaults which could halt the global economy. Financial-based systems are little more than a set of promises between various online and real life entities. Processes designed to make these services safe have created new vulnerabilities. If systemic institutions were compromised, panic could spread. Better testing is needed. However, cracking financial systems is harder than it looks. Project Nexus shows how certain testing methodologies can affect financial services, retail, banking, ecommerce, and might even have an impact on our chances for success.

Discover vulnerabilities with CodeQL
by: Boik Su (@boik_su)

- In this talk, I'll give a little bit of introduction to CodeQL and its practical functionality. Besides, I'll showcase some vulnerabilities that I found through utilizing CodeQL's powerful static and taint analysis. There's even one flaw that could lead to RCE! Consequently, the audience will understand the concepts of static analysis, taint analysis, data flow analysis, and so on after the talk.
- In addition to finding flaws, developers gaining such experiences can also take advantage of using CodeQL's powerful features to improve the SSDL cycle and have security baseline enacted for large codebases.

From an 'IVI in a box' to a 'CAR in a box'
by: Ian Tabor (@mintynet)

The talk will have details of the vulnerability I found in my 2015 DS5 Limited Edition. I decided to build an 'IVI in a box' to further test the hardware for further exploits, this posed its own challenges. There is information on how I found a major vulnerability in a vehicle which paid out some money to allow me to complete the ‘car in a box’.

The talk also details the additional hardware that was used to make PD0 'car in a box' think that the engine is working, the wheels are turning and other sensors are also working.

Hackers Don't Wear Black Hoodies, They Wear Capes
by: Chloé Messdaghi

Sixty percent of hackers don’t submit vulnerabilities due to the fear of out-of-date legislation, press coverage, and companies' misdirected policies. This fear is based on socially constructed beliefs. This talk dives into the brain's response to fear while focusing on increasing public awareness in order to bring legislation that supports ethical hackers, ending black hoodie and ski mask imagery, and encouraging organizations to support bilateral trust within their policies.

High Value Adversary Emulation through Purple Team and the C2 Matrix
by: Jorge Orchilles and Bryson Bort

Adversary Emulation is a type of ethical hacking engagement where the Red Team emulates how an adversary operates, leveraging the same tactics, techniques, and procedures (TTPs), against a target organization. The goal of these engagements is to train and improve people, process, and technology. This is in contrast to a penetration test that focuses on testing technology and preventive controls. Adversary emulations are performed using a structured approach following industry methodologies and frameworks (such as MITRE ATT&CK) and leverage Cyber Threat Intelligence to emulate a malicious actor that has the opportunity, intent, and capability to attack the target organization. Adversary Emulations may be performed in a blind manner (Red Team Engagement) or non-blind (Purple Team) with the Blue Team having full knowledge of the engagement.

Command and Control is one of the most important tactics in the MITRE ATT&CK matrix as it allows the attacker to interact with the target system and realize their objectives. Organizations leverage Cyber Threat Intelligence to understand their threat model and adversaries that have the intent, opportunity, and capability to attack. Red Team, Blue Team, and virtual Purple Teams work together to understand the adversary Tactics, Techniques, and Procedures to perform adversary emulations and improve detective and preventive controls.

The C2 Matrix was created to aggregate all the Command and Control frameworks publicly available (open-source and commercial) in a single resource to assist teams in testing their own controls through adversary emulations (Red Team or Purple Team Exercises). Phase 1 lists all the Command and Control features such as the coding language used, channels (HTTP, TCP, DNS, SMB, etc.), agents, key exchange, and other operational security features and capabilities. This allows more efficient decision making when called upon to emulate an adversary's TTPs.

It is the golden age of Command and Control (C2) frameworks. Learn how these C2 frameworks work and start testing against your organization to improve detective and preventive controls.

The C2 Matrix currently has 48 command and control frameworks documented in a Google Sheet, web site, and questionnaire format.

How I Pwned the ICS data during my internship
by: Shail Patel

As part of my summer graduate internship, I was hired by NREL as a cybersecurity intern to perform security evaluations on a grid based ICS network. There was a need to develop, validate and deploy a unique and innovative architecture that comprehensively addresses the challenges associated with the proliferation of high penetration of distributed PV systems such as reverse power flows, feeder load balancing and voltage stability. Having considered this type of architecture which includes Advanced Distributed Management System (ADMS), a Beaglebone pi controller, Real-Time Automation Controller (RTAC), Grid Edge Management System (GEMS), a local python script that communicates between these devices, and unencrypted communication protocols like Modbus and DNP3 being used, there was a need to perform vulnerability assessments on these devices to test the confidentiality and integrity of the data flowing between these devices. Thus, I performed packet capture analysis, vendor device analysis and local NREL device analysis on them and observed interesting results.

Pentesting disclosed various bugs and loopholes as a result of the use of insecure protocols like Modbus and DNP3. Some of the classic examples I discovered are default credentials for the inverter, LFI in the BeagleBone image, lots of open network ports, capacitor bank statuses, and lots of plaintext values in the communication model. I also devised measures to protect the DNP3 and Modbus data in transit which I will introduce in this talk. Thus, the purpose of this talk would be focused on the need to secure the ICS/SCADA data which has no built-in security and poses challenges.

I've Injected a DLL - You Won't Believe What Happened Next!
by: @CaptnBanana

"Over the past year I've noticed that many people are particularly interested in the field of multiplayer game hacking, since these kinds of blog posts get quite a few clicks on my blog. Detailed information of good quality on this topic is hard to find on the internet, especially documentation of game hack source codes. I think this topic is quite interesting and fascinating at the same time since game hacks are able to precisely alter the inner workings of other processes by employing modifications of assembly code or memory segments. What's even better is that people with experience in game hacking are able to transfer the knowledge into various other fields, like exploit development and antivirus evasion research. Hence, game hacking is a win for everyone :)

These are the reasons why I decided to dig into this topic myself, with the goal to share my research, code and knowledge afterwards. During the last years I've implemented various game hacks for two different games:

- A hack for the Quake3 engine based game Jedi Academy: It allows you to view enemies through walls (wallhack), it automatically aims (aimbot) and shoots (triggerbot) at enemies. Also, it has various other very game-specific features and some convenience functions like adding custom shaders to enemies to make them more visible. Even though the game is kind of retro, the techniques I've used can be applied to modern games too.

- Hacks for the game Counter Strike: Global Offensive: It makes you immune to flash grenades that would normally block your view. It's able to hook the 3D engine of the game to add custom content to the screen, like information on other players' current weapon and status. Also, I've implemented an aimbot that's very different to the one from the other game since the underlying game engine is also different.

During the talk I will explain two methods to implement a game hack:

1. Internal Hacks: It basically works by injecting a custom DLL into the game process that's able to hook and modify game functions. I'll also explain how to implement hooking from scratch without using an external library.

2. External Hacks: They run in their own process and constantly read and write the game memory of the game process in order to alter it at runtime.

As you can imagine, implementing the same cheat, e.g. the aimbot, is quite different when doing it internally versus externally."

Inside the Mind of a Threat Actor: Beyond Pentesting
by: Phillip Wylie

Red team is a commonly misunderstood offensive security discipline. Red team has been used as a general term for all areas of offensive security just as blue team for defensive security. True red teaming goes Beyond Pentesting and into more adversarial emulation. While there are overlapping skills, there are differences that will be discussed as Phillip shares his experience of going from a pentester to a red teamer. In this talk, you will learn about the different areas that make up red team operations, common tools, and the path to becoming a red teamer. In this presentation, you will learn about resources helpful for a path into red teaming.

Offensive Embedded Exploitation : Getting hands dirty with IOT/Embedded Device Security Testing
by: Kaustubh Padwad

"The world is moving towards smart culture, everything nowadays is smart, and mostly all of those smart devices are basically embedded devices with internet connectivity or some provision to connect with the internet. Since these devices are booming in the market this is also tempting lots of people/groups for hacking.

In this 1 hour talk we will discuss how to test the embedded/IoT devices, it would give you a methodology for assessment, how to perform firmware analysis, identifying vulnerable components, basic approach for reverse engineering the binaries to discover potential remote code execution, memory corruption vulnerabilities by looking for native vulnerable functions in C or bad implementation of functions like System, popen, pclose etc.

After conducting static analysis and firmware analysis we will move towards the dynamic testing approach which includes web application testing, underlying OS security testing, identifying vulnerabilities and misconfiguration in the device. At last we will move towards fuzzing the device via web application parameters and installing an appropriate debugger on the device to identify memory corruption vulnerabilities."

Payload delivery for initial access in Adversary Simulation exercise
by: Bourbon Jean-Marie aka "kmkz"- @kmkz_security

How to perform payload delivery and compromise a company that has a very small attack surface during an Adversary Simulation exercise? Let's talk about this!

As a red team we know that a decisive task is to gain initial access... and it is not that easy in 2020. The goal of this talk is to provide real feedback from the battlefield on how to deal with all mitigations and blue teamers in order to gain initial access in restricted environments.

Some dropper examples, payloads and other real-life oriented TTPs will be shared during this talk (no magic but working!) as well as some ideas on how a blue team can catch an attacker using some quick-win solutions.

Pursuing Evasive Custom Command & Control (C3)
by: Mark Ian Secretario / Renzon Cruz

This talk is all about dissecting C3 channels and how the attacker leverages this technique in order to exfiltrate data using cloud storage providers.

- Investigating in-memory attacks leveraging legitimate 3rd party services like Dropbox, OneDrive, and Slack to use as a medium for Command & Control Communication
- Detecting usage and exfiltration optimizing custom command & control channels
- Part of this talk is performing a forensics investigation to a large footprint of artifacts when utilizing cloud storage such as OneDrive, Dropbox, Box, GoogleDrive

Quark Engine - An Obfuscation-Neglect Android Malware Scoring System
by: JunWei Song / KunYu Chen

"Android malware analysis engine is not a new story. Every antivirus company has their own secrets to build it. With curiosity, we develop a malware scoring system from the perspective of Taiwan Criminal Law in an easy but solid way.

We have an order theory of criminal which explains stages of committing a crime. For example, crime of murder consists of five stages, they are determined, conspiracy, preparation, start and practice. The later the stage the more we're sure that the crime is practiced.

According to the above principle, we developed our order theory of android malware. We develop five stages to see if the malicious activity is being practiced. They are

1. Permission requested.

2. Native API call.

3. Certain combination of native API.

4. Calling sequence of native API.

5. APIs that handle the same register.

We not only define malicious activities and their stages but also develop weights and thresholds for calculating the threat level of a malware.

Malware evolved with new techniques to gain difficulties for reverse engineering. Obfuscation is one of the most commonly used techniques. In this talk, we present a Dalvik bytecode loader with the order theory of android malware to neglect certain cases of obfuscation.

Our Dalvik bytecode loader consists of functionalities such as 1. Finding cross reference and calling sequence of the native API. 2. Tracing the bytecode register. The combination of these functionalities (yes, the order theory) not only can neglect obfuscation but also match perfectly to the design of our malware scoring system.

Further, we will also show a case study of Android malware and demonstrate how the obfuscation technique is useless to our engine. Last but not least, we will be open-sourcing everything (Malware Scoring System, Dalvik Bytecode Loader) during our presentation."

ReconPal: Leveraging NLP for Infosec
by: Nishant Sharma & Jeswin Mathai

Recon is one of the most important phases that seems easy but takes a lot of effort and skill to do right. One needs to know about the right tools, correct queries/syntax, run those queries, correlate the information, and sanitize the output. All of this might be easy for a seasoned infosec/recon professional to do but for the rest, it is still near to magic. How cool it will be to ask a simple question like “Find me an open Memcached in Manila with UDP support?” or “How many IP cameras in the Philippines are using default credentials?” in WhatsApp chat or a web portal and get the answer?

The integration of GPT-3, deep learning-based language models to produce human-like text, with well-known recon tools like Shodan can allow us to do the same. In this talk, we will cover how such integration can be done with Shodan and other recon tools. And, how this functionality can be extended to cover other popular tools. The code will be open-source and made available after the talk.

Zero Trust in the Era of Cloud
by: Vandana Verma Sehgal aka InfosecVandana

Cloud is the new cool thing, everyone wants to be in cloud but what about security and compliance standards? How do organizations manage safety as well as security in the era of cloud? The concept of everyone inside the network being good or trusted is blown out of the water with cloud deployments. Effectively everyone is a tenant on a big server farm when it comes to cloud.

The only way forward is to not trust anything or what can be called a zero trust model. This talk will explore the concept of zero trust and will try to demystify zero trust models. The talk will focus on implementation and deployment scenarios of zero trust for organizations. How should the business prepare for the transition, what are the architectural requirements and what policies are required to be implemented?

We will conclude the talk with some recommendations based on our own experience dealing with zero trust deployments across a broad spectrum of clients and market segments.