ROOTCON 12

September 27-28, 2018 Taal Vista Hotel, Tagaytay City
Media direct downloads || Back to past events




Talks

Apple Health
by: Vladimir Katalov
(PDF) (Video)

Your heartrate and sleeping habits. Cardio and workouts. Steps and walking routines, and even your doctor’s recommendations are now known to Apple – and law enforcement. Turn your iPhone into a personal surveillance device tracking your entire life – and sharing it with the cloud. Learn what gets stored in iCloud and how to extract and analyse health data. Warning: don’t try it on your partner’s iPhone to avoid disappointment.

Bug Bounty Hunting on Steroids
by: Anshuman Bhartiya
(PDF) (Video)

Bug bounty programs are a hot topic these days. More and more companies are realizing the benefits of running a program, and researchers are jumping at the opportunity to grab some swag and make some extra cash from the bugs they find. Reporting security issues has never been as easy, open, and risk-free as it is right now. Everybody wins!

Though that doesn’t mean we should stop there. As researchers, we spend a lot of time doing the same menial tasks for each program: monitoring for new targets, checking for common issues, remembering just which flags you needed to pass to that tool (or even which tool is best for that job). We build new tools, hack together shell scripts, and generally make small incremental changes to our process. But surely there’s a better approach?

Are you sick of repeating the same tedious tasks over and over? Wouldn’t it be nice to have your own bug hunting machine? One that -

Is always watching
Reacts as soon as a new target becomes available
Takes care of those tedious repetitive steps for you
Makes life easy when you want to integrate a new tool/workflow
Doesn’t cost the world to run, and trivially scales
Leverages lessons and technologies battle tested in the dev world to improve your offensive capacity, capability and productivity
Monitors your own infrastructure and reacts before hackers can (while saving you the cost of those Bug Bounty payouts in the meantime)

We call this approach Bug Bounty Hunting on Steroids. We will discuss our research and approach to building such a machine, sharing some of the lessons we learned along the way.

Cyber Security Threats to Telecom Networks
by: Rosalia D’Alessandro, Hardik Mehta (@hardw00t), Loay Abdelrazek (@sigploit)
(PDF) (Video)

The presentation will include the following:

Quick introduction of 3G/4G telecom networks
Discuss various ways to access internal network from the access network
Discuss various possible attacks on the IMS platform
Walk-through of how a 3G/4G telecom network node can be compromised.
Discuss various attacks based on signaling protocol (SIP, SS7 , GTP and Diameter)
Simulation based demonstration of exploiting signaling protocols (Release tool modules and demonstration)
Discuss on remediation methodology from such attacks
Open for Questions

The presentation is to highlight various ways to compromise and access telecom operator's network to target following:

Customer Privacy
Core telecom network infrastructure
Operator's Corporate and Management network


Currently, Sigploit is limited to assess SS7 protocol. We plan to release SIP , GTP and Diameter modules during the presentation, including walk-through and demonstration.

Defending cloud Infrastructures with Cloud Security Suite
by: Shivankar Madaan
(PDF) (Video)

Nowadays, cloud infrastructure is pretty much the de-facto service used by large/small companies. Most of the major organizations have entirely moved to cloud. With more and more companies moving to cloud, the security of cloud becomes a major concern. While AWS, GCP & Azure provide you protection with traditional security methodologies and have a neat structure for authorization/configuration, their security is as robust as the person in-charge of creating/assigning these configuration policies. As we all know, human error is inevitable and any such human mistake could lead to catastrophic damage to the environment.

Few vulnerable scenarios:

- Your security groups/policies, password policy or IAM policies are not configured properly
- S3 buckets and Azure blobs are world-readable
- Web servers supporting vulnerable ssl ciphers
- Ports exposed to public with vulnerable services running on them
- If root credentials are used
- Logging or MFA is disabled
Knowing all this, audit of cloud infrastructure becomes a hectic task! There are a few open source tools which help in cloud auditing but none of them have an exhaustive checklist. Also, collecting, setting up all the tools and looking at different result sets is a painful task. Moreover, while maintaining big infrastructures, system audit of server instances is a major task as well.

CS Suite is a one stop tool for auditing the security posture of the AWS/GCP/Azure infrastructures and does OS audits as well. CS Suite leverages current open source tools capabilities and has custom checks added into one tool to rule them all.

Cloud Security Suite is an open source which adheres to GPL V3 (GNU General Public License v3.0). This paper is written for the release of the version 3.0 of the tool.

The major features include:

- Simple installation with support of python virtual environment and docker containers
- GCP Infra Audit
- Initiate all tools/audit checks in one go
- AWS Infra Audit:
Easify your “open source setup” pain.
Compilation of all audit checks in one place
Centralised portable reports
Audits individual systems
- AWS Instance Audit
IP based auditing
Region independent Audit (Public IP)
Supports both public and private IPs for Default region
Automatic Report Generation and Fetching
Portable HTML report
- JSON output
- Integration of AWS Trusted Advisor
- Azure Infra Audit
- Azure IP based Auditing
- Report generation of the Diff between the current and last scan

Exploiting ActionScript3 Interpreter
by: Boris Larin and Anton Ivanov
(PDF) (Video)

At the end of 2017 we discovered an Adobe Flash Player zero day vulnerability (CVE-2017-11292) that was used by the BlackOasis APT. This shows that Adobe Flash Player still is a good target for threat actors. CVE-2017-11292 is a particularly interesting logic bug that lead to type-confusion vulnerability, and there are no public reports describing it.

In our presentation we will cover the following things:

1. What exploitation techniques are currently used by threat actors in Flash exploits
2. A detailed description of CVE-2017-11292
3. Also we will talk about how to find new vulnerabilities in Adobe Flash Player

We will present and release our self-made ActionScript3 processor module and debug plugin for IDA Pro. These tools complement each other, and have shown some good results in debugging exploits in-the-wild.
We analyzed AVM and discovered how to boost analysis with the rich possibilities of IDA Pro and API.

Expl-iot: Hacking IoT like a boss
by: Aseem Jakhar
(PDF) (Video)

IoT is getting a lot of attention these days. Lot of startups are coming up with innovative IoT based solutions. Security researchers have started to look at security of IoT. However, one of the biggest road blocks for security researchers is the toolset. Currently, there are tools both hardware and software that focus on specific work or protocol, but there are none focussing on IoT as a domain itself. Some are not mature yet, some are only PoCs etc. Also, knowledge of hardware is required to assess hardware security go the sensors. These two limitations are restricting security professionals from entering into IoT security domain. If you are among the researchers waiting to get into IoT security - Your wait is over.

The primary focus of this talk is to introduce the attendees to the open source IoT Security Testing framework - Expl-IoT and enable them to use it as well as write plugins for new IoT based exploits and analysis test cases. We are currently working on the expliot website (www.expliot.io), where we will post all news and updates about the framework. All you need to do is just download and install the framework.

As we started digging deeper into IoT security, one thing was evident that there was a lot of time being spent in understanding IoT tools and protocols. So, we decided to create a flexible and extendable framework that would help the security community and us in writing quick IoT test cases and exploits. The objectives of the framework are:

1. Easy of use
2. Extendable
3. Support for hardware, radio and IoT protocol analysis

We released Expl-iot beta version (in ruby) 2017 - https://bitbucket.org/aseemjakhar/expliot_framework We are currently working on the python3 port to support more hardware/radio functionality and have deprecated the ruby version. We will release it in a month. The new beta release is envisioned to have support for UART(serial), ZigBee, BLE, MQTT, CoAP (next version will have support for JTAG, I2C and SPI) and few miscellaneous test cases. This talk would give attendees a first-hand view of the functionality, how to use it and how to write plugins to extend the framework.

The rough flow of the talk would be
- IoT Attack Surface
- IoT security testing road blocks
- Introduction to Expliot
- Limitations of IoT protocols
- Attack demos
- Extending Expliot with your own plugins
- Q&A

Fire & Ice: Making and Breaking macOS firewalls
by: Patrick Wardle
(PDF) (Video)

In the ever raging battle between malicious code and anti-malware tools, firewalls play an essential role. Many a malware has been generically thwarted thanks to the watchful eye of these products.

However on macOS, firewalls are rather poorly understood. Apple's documentation surrounding it's network filter interfaces is rather lacking and all commercial macOS firewalls are closed source. This talk aims to take a peek behind the proverbial curtain revealing how to both create and 'destroy' macOS firewalls.

In this talk, we'll first dive into what it takes to create an effective firewall for macOS. Yes we'll discuss core concepts such as kernel-level socket filtering - but also how to communicate with user-mode components, install privileged code in a secure manner, and simple ways to implement self-defense mechanisms (including protecting the UI from synthetic events).

Of course any security tool, including firewalls, can be broken. After looking at various macOS malware specimens that proactively attempt to detect such firewalls, we'll don our 'gray' (black?) hats to discuss various attacks against these products. And while some attacks are well known, others are currently undisclosed and can generically bypass even today's most vigilant Mac firewalls.

But all is not lost. By proactively discussing such attacks, combined with our newly-found understandings of firewall internals, we can improve the existing status quo, advancing firewall development. With a little luck, such advancements may foil, or at least complicate the lives of tomorrow's sophisticated Mac malware!"

How (not) to fail at hardware
by: Craig Smith
(PDF) (Video)

A lot of security is being moved into hardware. This doesn't fix security, it just makes it smaller. Security professionals have a good handle on network and application security, however when it comes to doing hardware testing, things are not as easy as they seem. One of the biggest reasons why hired security teams fail to deliver successful hardware engagements often comes down to deficiencies in scoping. This talks describes several stories of failures during hardware engagements and how you can work with vendors to have successful hardware engagements. This talk will give you the tools to properly scope out engagements that will provide great results and give your client the best bang for their buck.

IoT and JTAG Primer
by: Michel Chamberland
(PDF) (Video)

IoT use is growing rapidly through a research study sponsored by Trustwave, it was revealed that sixty-four percent of organizations surveyed have deployed some level of IoT technology, and another twenty percent plan to do so within the next twelve months. The result of this will be that, by the end of 2018, only one in six organizations will not be using at least a minimal level of IoT technology for business purposes. While IoT devices are exploding in deployments, still very little is being done to secure these solutions. The security defenses being employed within this domain tend to be at least a decade old and of insufficient strength to hold back today's attackers. In this same Trustwave sponsored survey, it was found that only twenty-eight percent of organizations surveyed considered their IoT security strategy to be very important. This combination makes IoT devices very attractive targets for malicious attackers, red teamers and others interested parties.

One of the most common ways to analyze and find vulnerabilities in IoT devices is through the use of their JTAG ports. In this talk, we'll be discussing what JTAG is and how it can be used in order to find vulnerabilities in IoT devices. The presentation will cover a bit of history about JTAG and will then jump into the technical details on how to find JTAG ports, what software and hardware tools can be used to identify pinouts, and how to extract and debug the firmware running on a target device. Several examples and small demos will be used during the presentation to show practical applications of the lessons being conveyed. Finally, pointers will be provided as to what to look out for once you have achieved access to a device via JTAG.

Not So Crab Mentality: A True RasS Story
by: Christopher Elisan
(PDF) (Video)

Ransomware-as-a-Service (RaaS) is a booming business for cybercriminals. It gives novice and not-so-skilled cybercriminals the capability to launch and reap the rewards of a ransomware attack. In this talk, I will discuss a real threat actor recruiting partners to spread the GandCrab ransomware in exchange for a percentage of the profit. We will look at the recruiting process, the ransomware deployment technology, the network infrastructure and the ransomware itself to give us a full understanding of how the whole campaign is conducted from beginning to end.

Outline:
- Ransomware-as-a-Service
- Threat actor recruitment process
- GandCrab Deployment Technology
- GandCrab Deep dive
- Attack infrastructure
- Available GandCrab solutions

pi$$ing off an APT
by: Ed Williams
(PDF) (Video)

Red teaming is everywhere and everybody is doing it. Most organisations are not mature enough to be able to repel red team engagements / simulated attacks. The talk will discuss methods that organisations can employ that will disrupt the red team from achieving their goals; and it doesn’t involve an expensive “magic box”!

SAP Incident Response, how to attack and defend!
by: Jordan Santarsieri
(PDF) (Video)

SAP is a core part of the business-critical infrastructure of 95% of the biggest companies in the world, these companies rely on SAP to perform their most sensitive daily operations such as processing employees payroll and benefits, managing logistics, managing suppliers / customers, material management, releasing payments to providers, credit cards processing, business intelligence, etc.

Trainings

Bugcrowd University
by: Jason Haddix
(PDF) (Video)

Bugcrowd is happy to offer a full day workshop for bug hunters to learn both intro and advanced topics in web bug hunting. Each BCU module will go over a vulnerability describing it's nature, how to identify it, how to exploit it, relevant tools associated to it, and have labs for students to test their skills. These Bugcrowd University modules are designed to enable the crowd to spot and exploit Priority One level bugs, even in seemingly complex web applications.

(Intro) What makes a good submission

(Intro) Burp Suite Workshop

(Intermediate) Asset Discovery and Recon

(Advanced) XML External Entity Injection

(Advanced) Authorization & Access Control Testing (MFLAC, IDOR)

(Advanced) Server Side Request Forgery

(Advanced) Security Misconfiguration (Git, AWS, Subdomain, ++)

Smash the Stack: Writing a Buffer Overflow (Win32) Exploit
by: Elvin Gentiles
(PDF) (Video)

What separates a good hacker from a script-kiddie is that they don’t just run the exploit and pray for a shell. A good hacker knows which exploit to use, what it does, and how it works. But what makes a hacker great is that they don’t use exploits developed by others - they develop their own exploits.

This class will teach students to move beyond using exploits developed by others to writing their own ones. Students will learn the Intel x86 architecture, the different registers involved, how the stack works, and how to use a debugger. They will also learn how to cause a crash to an application, control the crash, and embed a payload to gain a shell on the target machine. The students will go through several hands-on exercises that will develop their confidence and creative-thinking skills in writing their own exploits.

Speakers

Anshuman Bhartiya
Anshuman Bhartiya has been in the IT industry for about 11 years now and has had the opportunity to wear multiple hats. Anshuman has been a web developer, cloud consultant, systems engineer and security engineer to name a few. Anshuman has a varied skillset and he likes to tinker with the latest technology coming up with innovative solutions for difficult and challenging problems. Security, Automation and Innovation are some things he is really passionate about and he firmly believes in sharing knowledge and the Open Source community. You can find some of Anshuman's work at his Github here - https://github.com/anshumanbh where he has open sourced tools such as “git-all-secrets”, “brutesubs”, “kubebot”, “tkosubs”, etc. Anshuman has also participated and submitted vulnerabilities to some of the top bug bounty platforms like Bugcrowd, HackerOne and Synack.

Aseem Jakhar
Aseem Jakhar is the Director, research at Payatu payatu.com a boutique security testing company specializing in IoT, embedded, mobile and cloud security assessments. He is well known in the hacking and security community as the founder of null – The open security community, registered not-for-profit organization http://null.co.in and also the founder of nullcon security conference nullcon.net and hardwear.io security conference http://hardwear.io He has worked on various security software including UTM appliances, messaging/security appliances, anti-spam engine, anti-virus software, Transparent HTTPS proxy with captive portal, bayesian spam filter to name a few. He currently spends his time researching on IoT security and hacking things. He is an active speaker and trainer at security conferences like AusCERT, Black Hat, BruCON, Defcon, Hack In The Box, Hack.lu, Hack in Paris, PHDays and many more. He is the author of various open source security tools including:

- ExplIoT – An open source Internet Of Things Security Testing and Exploitation framework – https://bitbucket.org/aseemjakhar/expliot_framework

- Linux thread injection kit – Jugaad (https://bitbucket.org/aseemjakhar/jugaad) and Indroid (https://bitbucket.org/aseemjakhar/indroid) which demonstrate a stealthy in- memory malware infection technique.

- DIVA (Damn Insecure and Vulnerable App) for Android which gamifies Android App vulnerabilities and is used for learning Android Security issues. https://github.com/payatu/diva-android

- Dexfuzzer – Dex file format Fuzzer. https://bitbucket.org/aseemjakhar/dexfuzzer/src

Boris Larin, Anton Ivanov
Boris Larin is a malware analyst focused on exploits detection and vulnerability research. In his free time he likes to examine the security of embedded devices.

Anton Ivanov leads the behavior detection team at Kaspersky Lab. Anton has discovered several zero day vulnerabilities in Adobe Flash Player, Microsoft Windows kernel and Silverlight.

Christopher Elisan
Christopher Elisan is a seasoned reverse engineer and malware researcher. He is currently the Principal Malware Scientist at RSA. He has a long history of digital threat and malware expertise, reversing, research and product development. He started his career at Trend Micro as one of the pioneers of TrendLabs. This is where he honed his skills in malware reversing. After Trend Micro, he built and established F-Secure's Asia R&D where he spearheaded multiple projects that include vulnerability discovery, web security, and mobile security. After F-Secure, he joined Damballa as their resident malware subject matter expert and reverse engineer. Aside from speaking at various conferences around the world, he frequently provides expert opinion about malware, botnets and advance persistent threats for leading industry and mainstream publications. Christopher Elisan is also a published author. He authored "Advanced Malware Analysis" and "Malware, Rootkits and Botnets." He co-authored "Hacking Exposed: Malware and Rootkits." All books are published by McGraw-Hill.

Craig Smith
Craig Smith is the Director of Transportation Security and Research at Rapid7, a cybersecurity analytics and automation company. He is also the founder of Open Garages, a distributed collective of performance tuners, mechanics, security researchers and artists. Craig authored the "Car Hacker's Handbook", the de facto guide to automotive security. At Rapid7, Craig runs the Transportation Practice, which specializes in providing strategic consultancy and deep technical expertise to the transport industries. His work includes extensive testing for innovative new technologies being developed in the automotive industry. Craig has developed many free and open source tools to help teach others about vehicle security. Craig has worked in security for over 20 years, with a focus on automotive and other types of transport for the last 7 years.

Ed Williams
Edward Williams is a seasoned cyber security specialist with 10 years directly focused on penetration testing and consultancy for Government and private sector organisations.

He heads up penetration testing within Trustwave’s elite team of forensic investigators, researchers and ethical hackers, Spiderlabs, as Director for EMEA.

Holding an MSc degree in Information Security and Computer Crime Edward previously worked as a Principal Security Consultant specializing in Internal Infrastructure, Security Architecture and Red Teaming where he conducted many STAR and CBEST engagements. Edward was also responsible for the creation and maintenance of many internal methodologies, standards and practices.

Much of Edward’s work concentrated on securing critical national infrastructures. Edward holds many industry certifications including CREST CCSAS and is now a CREST assessor where he creates and proctors exams within the U.K.

Edward has authored many tools and blogs, and was TSC (Technical Security Consultancy) consultant of the year 17/18 for the largest non-government penetration testing team in the world.

Jayesh Signh Chauhan, Shivankara
Jayesh Singh Chauhan is a security professional with more than 6 years of experience in the security space. In past, he has been part of security teams of PayPal, PwC and currently works as the senior security engineer for Sprinklr. He has authored CS-Suite, OWASP Skanda, RFID_Cloner and CSRF PoC generator and has presented in BlackHat Asia 2018, BlackHat EU 2017, c0c0n 2017, 2015, 2013, GES 2014 and Ground Zero 2015. He is the project leader for OWASP Skanda and leads the NULL Bangalore chapter.

Shivankar works as a security engineer for Sprinklr and has more than 2 years of experience in Devops as well. His expertise varies from web, mobile to infra-structure pen-testing. He is a core contributor for CS-Suite and has spoken at c0c0n 2017,Blackhat Europe 2017,Blackhat Asia 2018, BlackHat USA 2018. He is also an active member of null community.

Jordan Santarsieri
Mr Santarsieri is a founder partner at Vicxer where he utilizes his 12+ years of experience in the security industry, to bring top notch research into the ERP (SAP / Oracle) world.

He is engaged in a daily effort to identify, analyze, exploit and mitigate vulnerabilities affecting ERP systems and business-critical applications, helping Vicxer's customers (Global Fortune-500 companies and defense contractors) to stay one step ahead of cyber-threats.

Jordan has also discovered critical vulnerabilities in Oracle and SAP software, and is a frequent speaker at international security conferences such as Black-Hat DC, Insomnihack, Hacker Halted, OWASP US, 8dot8 and Ekoparty.

Michel Chamberland
Michel Chamberland is the North America Practice Lead at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has over 20 years of experience in information technology, helping businesses protect themselves from cyber threats. Prior to Trustwave, he led various security focused roles serving in the financial sector as well as small businesses. Michel grew up in Sherbrooke, Quebec and currently lives in Sarasota, Florida with his three daughters. Michel plays a leadership role in his local OWASP chapter (Suncoast) and is a member of the FBI InfraGard and ISACA organizations. Michel holds a Bachelor of Science in Computer Science as well as a Master's of Science in Information Security Assurance from Western Governors University. Over the years, Michel has collected several industry certifications such as CISSP, OSCE, OSCP, OSWP. CEH, CHFI, CCSK, MCP, GIAC G2700, MCTS, Security+, MCP, CCNA, CCNA Security and many others.

Patrick Wardle
Patrick Wardle is the Chief Research Officer at Digita Security and Founder of Objective-See. Having worked at NASA and the NSA, and as well as presented at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Wardle is passionate about all things related to macOS security and thus spends his days finding Apple 0-days, analyzing macOS malware and writing free open-source security tools to protect Mac users.

Rosalia D’Alessandro, Hardik Mehta (@hardw00t), Loay Abdelrazek (@sigploit)
We are Telecom security researchers and active contributors/ developers of Sigploit - A Telecom Signaling Exploitation Framework. We work towards identifying various vulnerabilities (including zero days) in telecom network infrastructure. We work to improve network security posture of some important Telecom operators.

Vladimir Katalov
Vladimir Katalov is CEO, co-owner and co-founder of ElcomSoft Co.Ltd. Born in 1969 and grew up in Moscow, Russia. He studied Applied Mathematics in Moscow Engineering-Physics Institute (State University); from 1987 to 1989, was sergeant in the Soviet Army. Vladimir works in ElcomSoft from the very beginning (1990); in 1997, he created the first program the password recovery software line has started from: Advanced ZIP Password Recovery. Now he coordinates the software development process inside the company and develops strategic plans for future versions.

Vladimir manages all technical researches and product developments in the company. He regularly presents on various events and also regularly runs it security and computer forensics trainings both for foreign and inner (Russian) computer investigative committees and other organizations.

Contest Winners

Receives the Black Badge entitled them for free entrance for next years conference.

Capture The Flag
Team Harambae with 2050 points

Hacker Jeopardy
Team Diverse (Jason @Jhaddix Haddix, JP @swagnetow Villanueva, Ryan @digitalwoot Black)

Semprix' Mysterybox
None

Sponsors

To be updated...

Pics

ROOTCON 12 Pics