BSidesLV 2017 has ended

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Breaking Ground [clear filter]
Tuesday, July 25

11:30 PDT

GO Forth And Reverse
GO may not longer be the "newest" language, however it is fairly new in terms of reverse engineering. Over the past few years there has been an uptick in malware and non-malicious binaries being distributed in the wild -- though there has been very little documentation provided on how to reverse engineer these things. In an effort to increase community knowledge we will go over how GO works, how to approach reversing it and demo the updated open source kit for reverse GO binaries. We will also tackle how people currently "harden" binaries and how we suggest people should further harden their binaries.

avatar for Tim Strazzere

Tim Strazzere

Security Engineer, Cloudflare
Tim “diff” Strazzere is the Security Engineer at Cloudflare, specializing in mobile, MacOS and Linux security. Along with writing security automation software, he specializes in reverse engineering, malware analysis and vulnerability research. Some interesting past projects include... Read More →

Tuesday July 25, 2017 11:30 - 12:25 PDT
Breaking Ground (Florentine A) 255 E Flamingo Rd, Las Vegas, NV 89169

14:00 PDT

Koadic C3 - Windows COM Command & Control Framework
Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. The major difference is that Koadic does most of its operations using Windows Script Host (a.k.a. JScript/VBScript), with compatibility in the core to support a default installation of Windows 2000 with no service packs (and potentially even versions of NT4) all the way through Windows 10.

An in-depth view of default COM objects will be provided. COM is a fairly underexplored, large attack surface in Windows. Post exploitation with PowerShell has grown in popularity in recent years, and seeing what can be done with just the basic Windows Script Host is an interesting exploration. We will also share lots of weird Windows scripting quirks with interesting workarounds we discovered during the course of development.

It is possible to serve payloads completely in memory from stage 0 to beyond, as well as use cryptographically secure communications over SSL and TLS (depending on what the victim OS has available). We also found numerous ways to "fork to shellcode" in an environment which traditionally does not provide such capabilities.

Koadic also attempts to be compatible with both Python 2 and Python 3. Koadic is used via a slick shell, with CLI improvements that we also committed into Metasploit. Koadic's code will be released under the Apache 2.0 license. It consolidates techniques from original research as well as amazing previous research by @subTee, @enigma0x3, and @tiraniddo.

avatar for Aleph _Naught

Aleph _Naught

Senior Security Researcher, RiskSense
Zach Harding is a senior security analyst at RiskSense, Inc. Zach formerly served in the US Army as a combat medic. He, along with Sean Dillon and others, improved leaked NSA code to release the "ExtraBacon 2.0" Cisco ASA exploit package. He is an avid tester of every penetration... Read More →
avatar for zerosum0x0


Senior Security REsearcher, RiskSense, Inc.
Sean Dillon is a senior security analyst at RiskSense, Inc. He has an established research focus on attacking the Windows kernel, and was the first to reverse engineer the DOUBLEPULSAR SMB backdoor. He is a co-author of the ETERNALBLUE Metasploit module and other contributions to... Read More →

Tuesday July 25, 2017 14:00 - 14:55 PDT
Breaking Ground (Florentine A) 255 E Flamingo Rd, Las Vegas, NV 89169

15:00 PDT

The Black Art of Wireless Post-Exploitation: Bypassing Port-Based Access Controls Using Indirect Wireless Pivots
Most forms of WPA2-EAP have been broken for nearly a decade. EAP-TTLS and EAP-PEAP have long been susceptible to evil twin attacks, yet most enterprise organizations still rely on these technologies to secure their wireless infrastructure. The reason for this is that the secure alternative, EAP-TLS, is notoriously arduous to implement. To compensate for the weak perimeter security provided by EAP-TTLS and EAP-PEAP, many organizations use port based NAC appliances to prevent attackers from pivoting further into the network after the wireless has been breached. This solution is thought to provide an acceptable balance between security and accessibility.

The problem with this approach is that it assumes that EAP is exclusively a perimeter defense mechanism. In a wireless network, EAP actually plays a subtle and far more important role. WPA2-EAP is the means through which the integrity of a wireless network’s physical layer is protected. Port-based access control mechanisms rely on the assumption that the physical layer can be trusted. Just as NACs can be bypassed on a wired network if the attacker has physical access to the switch, they can also be bypassed in a wireless environment if the attacker can control the physical layer using rogue access point attacks.

In this presentation, we will apply this concept by presenting a novel type of rogue access point attack that can be used to bypass port-based access control mechanisms in wireless networks. In doing so, we will challenge the assumption that reactive approaches to wireless security are an acceptable alternative to strong physical layer protections such as WPA2-EAP using EAP-TLS. Finally, we will talk about how to defend against these attacks by exploring ways in which EAP-TLS can be made easier to implement.

avatar for Gabriel Ryan

Gabriel Ryan

Security Engineer, Gotham Digital Science
Gabriel is a pentester, CTF player, and Offsec R&D. He currently works for Gotham Digital Science, where he provides full scope red team penetration testing capabilities for a diverse range of clients. Previously he has worked at OGSystems and Rutgers University. He also is a member... Read More →

Tuesday July 25, 2017 15:00 - 15:55 PDT
Breaking Ground (Florentine A) 255 E Flamingo Rd, Las Vegas, NV 89169

17:00 PDT

Microservices And FaaS For Offensive Security
There are more cloud service providers offering serverless or Function-as-a-service platforms for quickly deploying and scaling applications without the need for dedicated server instances and the overhead of system administration. This technical talk will cover the basic concepts of microservices and FaaS, and how to use them to scale time consuming offensive security testing tasks. Attacks that were previously considered impractical due to time and resource constraints can now be considered feasible with the availability of cloud services and the neverending free flow of public IP addresses to avoid attribution and blacklists.

Key takeaways include a guide to scaling your tools and a demonstration on the practical benefits of utilising cloud services in performing undetected port scans, opportunistic attacks against short lived network services, brute-force attacks on services and OTP values, and creating your own whois database, shodan/censys, and searching for the elusive internet accessible IPv6 hosts.

avatar for Ryan Baxendale

Ryan Baxendale

Centurion Information Security
Ryan works as a penetration tester in Singapore where he leads a team of professional hackers. While his day is filled mainly with web and mobile penetration tests, he is more interested developing security tools, discovering IPv6 networks, and mining the internet for targeted low... Read More →

Tuesday July 25, 2017 17:00 - 17:25 PDT
Breaking Ground (Florentine A) 255 E Flamingo Rd, Las Vegas, NV 89169

17:30 PDT

Zero Trust Networks: In Theory and in Practice
The world is changing, but our network security models are having trouble keeping up. In a time where remote work is regular and cloud mobility is paramount, the perimeter security model is showing its age -- badly.

We deal with VPN tunnel overhead and management. We spend millions on fault-tolerant perimeter firewalls. We carefully manage all entry and exit points on the network, yet still we see ever-worsening breaches year over year. The Zero Trust model aims to solve these problems.

Zero Trust networks are built with security at the forefront. No packet is trusted without cryptographic signatures. Policy is constructed using software and user identity rather than IP addresses. Physical location and network topology no longer matter. The Zero Trust model is very different, indeed.

In this talk, we'll discuss the philosophy and origin of the Zero Trust model, what it brings to the table, and how to think about building one.

avatar for Doug Barth

Doug Barth

Site Reliability Engineer, Stripe
Doug is a Site Reliability Engineer at Stripe. With a deep interest in software, hardware, and production systems, he has spent his career using computers to solve hard problems. He helped deploy PagerDuty's IPsec mesh network, and wrote on a book about Zero Trust Networks.
avatar for Evan Gilman

Evan Gilman

Staff Software Engineer, VMware Tanzu
Evan Gilman is an engineer with a background in computer networks. With roots in academia, and currently working on the SPIFFE project, he has been building and operating systems in hostile environments his entire professional career. An open source contributor, speaker, and author... Read More →

Tuesday July 25, 2017 17:30 - 18:25 PDT
Breaking Ground (Florentine A) 255 E Flamingo Rd, Las Vegas, NV 89169

18:30 PDT

SniffAir – An Open-Source Framework for Wireless Security Assessments
SniffAir is an open-source wireless security framework. Its primary purpose is to provide pentesters, systems admins, or others eager about wireless security a way to collect, manage, and analyze wireless traffic. SniffAir was born out of the hassle of managing large or multiple pcap files while thoroughly cross-examining and analyzing the traffic, looking for potential security flaws or malicious traffic.
We created SniffAir to collect all the traffic broadcasted, grouping them by Client or Access Point. SniffAir can be instructed to parse the information based on rules created by the user. These rules help define the scope. Using these rules, SniffAir moves the in-scope data to a new set of tables, allowing the framework to compare against the original table for anomalies. The user can then perform queries, which display the information required in a clear and concise manner – perfect for facilitating attacks.

avatar for Steven Darracott

Steven Darracott

Security Consultant, Optiv
Steven is currently employed by Optiv Security Inc. as a Security Consultant on the Attack and Penetration team where he performs numerous wireless security assessments annually.
avatar for Matthew Eidelberg

Matthew Eidelberg

Security Consultant, Optiv
Matthew Eidelberg is a husband, father, and security fanatic. Matthew currently works as a Security Consultant on Optiv’s Attack and Penetration team. He has a passion for wireless, malware, red teaming and spends his free time taking things apart. @Tyl0us on Twitter

Tuesday July 25, 2017 18:30 - 18:55 PDT
Breaking Ground (Florentine A) 255 E Flamingo Rd, Las Vegas, NV 89169

19:00 PDT

Writing Malware Without Writing Code
What are the motivations and mechanics of code re-use by malware coders?
The talk begin with a few in-the-wild examples of bad guys re-using existing source code.
Later, the main course will be served - an experimental malware written especially for the talk from publicly available code snippets, created by almost purely by copy-paste.

avatar for Gal Bitensky

Gal Bitensky

Sr. Security Researcher, Minerva Labs
A 29-year-old geek from Tel-Aviv, breaker of stuff. Currently working as a senior malware psychologist in the Israeli start-up Minerva labs. Experienced in various fields, ranging from web application security and Windows internals to SCADA. Fluent in exotic languages like PHP, Lisp... Read More →

Tuesday July 25, 2017 19:00 - 19:25 PDT
Breaking Ground (Florentine A) 255 E Flamingo Rd, Las Vegas, NV 89169

19:30 PDT

YARA-as-a-Service (YaaS): Real-Time Serverless Malware Detection
This will be the official public launch of BinaryAlert, a newly developed open-source serverless AWS pipeline where any file uploaded to an S3 bucket is immediately scanned with a configurable set of YARA rules. An alert will fire as soon as any match is found, giving an incident response team the ability to quickly contain the threat before it spreads.

The serverless design leads to strong security, automatic scalability, and very low cost. The YARA ruleset can be updated at any time, triggering a re-analysis of the entire bucket and alerting if any new matches are found. BinaryAlert is fully managed with Terraform configuration files and can be deployed in minutes with a single command.

This talk will review the flexibility and popularity of YARA rules, explain the BinaryAlert architecture and demo a deployment followed by a triggered alert (starting from only an empty AWS account).

avatar for Austin Byers

Austin Byers

Software Engineer | CSIRT, Airbnb
I joined Airbnb in 2016 as a software engineer on the security team. Since then, I've been working on Airbnb's encryption services and incident response tools, including Cipher and the open-source StreamAlert project, respectively. Prior to my professional work, I was the University... Read More →

Tuesday July 25, 2017 19:30 - 19:55 PDT
Breaking Ground (Florentine A) 255 E Flamingo Rd, Las Vegas, NV 89169
Wednesday, July 26

10:00 PDT

CheckPlease - Payload-Agnostic Implant Security
In this talk, we present CheckPlease, our new repository of implant security modules. CheckPlease is unique in that it is payload-agnostic, meaning we implement every module in PowerShell, Python, Go, Ruby, C#, Perl, and C. In our talk, we not only present on a breadth of new techniques, but we also walk step-by-step through their implementations in newer languages that are seemingly a major increase in payload deliverance.

CheckPlease will serve as the central repository for implant security and, as a byproduct, sandbox detection. In our opinion, the future of sandbox detection is in implant security; by targeting your payload, your odds of executing in a sandbox decrease dramatically. This talk will provide insight into the newest implant security techniques, their implementations, and how payloads in new languages interact with the Windows API.

avatar for Brandon Arvanaghi

Brandon Arvanaghi

Associate Consultant, Mandiant
Brandon Arvanaghi is a security consultant at Mandiant (a FireEye company). At Mandiant, he has written tools for webshell detection and malware sandbox evasion. He is the author of SessionGopher, CheckPlease, and a contributor to PowerShell Empire. Prior to Mandiant, Brandon conducted... Read More →
avatar for Christopher Truncer

Christopher Truncer

Christopher Truncer (@ChrisTruncer) is a red teamer with Mandiant. He is a co-founder and current developer of the Veil-Framework, a project aimed to bridge the gap between advanced red team and penetration testing toolsets. Chris began developing toolsets that are not only designed... Read More →

Wednesday July 26, 2017 10:00 - 10:55 PDT
Breaking Ground (Florentine A) 255 E Flamingo Rd, Las Vegas, NV 89169

11:00 PDT

Network Forensic Analysis in an Encrypted World
The movement to encrypt network communications has created a new set of challenges and critical choices for information security and risk operations personnel and executives. Network security monitoring (NSM) and network forensics is essential to secure a modern enterprise but many wonder if the changing landscape will shift the balance of power to attackers. While encryption renders many legacy network security monitoring tools useless, there are compelling cases for maintaining user privacy.

This talk will examine how the increasing adoption of encryption in common network protocols impacts security architectures and present new techniques to build threat intelligence and detection streams that operate on top of encrypted traffic. Further, the talk will present research and statistics based upon the techniques to show how real threat actors have been detected and shut down even when hiding behind the veil of encryption. The talk will close by presenting a maturity model helping organizations to understand their maturity level in terms of monitoring encrypted traffics. Attendees will leave no longer wondering how encrypting “all the things” prevents their team from analyzing those things.

avatar for William Peteroy

William Peteroy

Co-Founder and CEO, ICEBRG
William has over a decade of experience in network and software security. Prior to co-founding ICEBRG, William worked in a number of business and technical leadership positions as a Technical Lead, Technical Director and Subject Matter Expert for the Department of Defense (DoD) as... Read More →
avatar for Justin Warner

Justin Warner

Principal Security Engineer, ICEBRG
Justin Warner (@sixdub) is a security engineer at ICEBRG focusing on helping customers to gain large visibility into their enterprise and ultimately detect and analyze malicious activity. Justin is an Air Force Academy graduate, former USAF Cyber Ops officer, and former red team lead... Read More →

Wednesday July 26, 2017 11:00 - 11:55 PDT
Breaking Ground (Florentine A) 255 E Flamingo Rd, Las Vegas, NV 89169

12:00 PDT

Abusing Webhooks for Command and Control
You are on the inside of the perimeter. And maybe you want to exfiltrate data, download a tool, or execute commands on your command and control server (C2). Problem is - the first leg of connectivity to your C2 is denied. Your DNS and ICMP traffic is being monitored. Access to your cloud drives is restricted. You've implemented domain fronting for your C2 only to discover it is ranked low by the content proxy, which is only allowing access to a handful of business related websites on the outside.

We have all been there, seeing frustrating proxy denies or triggering security alarms making our presence known.
Having more choices when it comes to outbound network connectivity helps. In this talk we'll present a technique to establish such connectivity with the help of HTTP callbacks (webhooks). We will walk you through what webhooks are, how they are used by organizations. We will then discuss how you can use approved sites as brokers of your communication, perform data transfers, establish almost realtime asynchronous command execution, and even create a command-and-control communication over them, bypassing strict defensive proxies, and even avoiding attribution.

Finally, we’ll show the tool that will use the concept of a broker website to work with the external C2 using webhooks.

avatar for Dimitry Snezhkov

Dimitry Snezhkov

Security, IBM X-Force Red
Sr. Security Consultant for X-Force Red at IBM, currently focusing on offensive security testing, code hacking and tool building.

Wednesday July 26, 2017 12:00 - 12:25 PDT
Breaking Ground (Florentine A) 255 E Flamingo Rd, Las Vegas, NV 89169

14:00 PDT

SECSMASH: Using Security Products to own the Enterprise'
Enterprise security tools provide a deep level of insight, and access, to the organizations they are designed to protect. Although, in the right hands these tools can be powerful assets for a blue team, they can be equally valuable for an attacker. Attackers can subvert legitimate functionality to gain and maintain access to an enterprise's crown jewels.
Solutions such as Splunk, Tanium, Tripwire, Carbon Black Response, in addition to providing detailed reporting on an organizations assets, all offer the ability to run commands or scripts for administrative purposes on end points. Many of these systems by default, or only, run commands as the 'System' user on Windows. This can be leveraged to gain access to critical systems, pivot into 'segmented' networks, and maintain stealthy command and control.
Unfortunately, these tools are commonly deployed with inadequate hardening, or with excessive number of administrative user accounts. One reason for this could be the prior knowledge required to leverage the power of these applications in a safe and controlled manner during a pentest, causing them to largely go unnoticed, or unreported on most tests. We want to bring awareness to the importance of protecting deployed security tools and provide a framework for pentesters and red team teamers to leverage these tools on engagements. The tool we are releasing is called secsmash, and provides a handy commandline tool to turn credentials you've acquired for a supported tool into enterprise pwnage.


Kevin Dick

Information Security Consultant, Tevora
Information security consultant at Tevora since 2012. Wore a lot of hats initially, including solution integration work, auditing, and penetration testing. Kevin now leads Tevora's penetration testing and red teaming group. Areas of focus include Network, web, and mobile application... Read More →
avatar for Steven Flores

Steven Flores

Information Security Consultant, Tevora
Steven is a former Marine and now penetration tester/red teamer from Southern California. When he isn't brewing awesome coffee he enjoys doing research on different threat techniques and tool development.

Wednesday July 26, 2017 14:00 - 14:55 PDT
Breaking Ground (Florentine A) 255 E Flamingo Rd, Las Vegas, NV 89169

15:00 PDT

Modern Internet-Scale Network Reconnaissance
Network reconnaissance is not what it used to be. The surge in cloud use and temporary infrastructure has turned standard network discovery on its head. Security folks on both sides of the fence are struggling to identify organizational assets as these trends accelerate. This talk will describe how to build an internet-scale network discovery platform using open source software (some old, some new) and a wide range of data sources, most of which are available at zero cost. For the last two years, the presenter has been using this platform to accelerate penetration tests, provide accurate pre-sales project scoping, and help defenders get a handle on their network footprint.



Underflow has spent the last twenty years finding vulnerabilities, writing exploits, and breaking into networks.

Wednesday July 26, 2017 15:00 - 15:55 PDT
Breaking Ground (Florentine A) 255 E Flamingo Rd, Las Vegas, NV 89169

17:00 PDT

Vaccination - An Anti-Honeypot Approach
Malware often searches for specific artifacts as part of its “anti-­VM\analysis\sandbox\debugging” evasion mechanisms, we will abuse its cleverness against it.
The "anti-­honeypot" approach is a method to repel (instead of luring) attackers, implemented by creating and modifying those artifacts on the potential victim’s machine.
Once the created artifacts are found by the malware – it will terminate.

The session will include motivations for attackers to use evasion techniques, some in-­the-­wild examples and effective countermeasures against it.
A short DIY­ vaccination live demo will be performed, including the execution and prevention of a live malware from recent cases (e.g. WannaCry, NotPetya\EternalPetya).

The script used in the demo to vaccinate the potential victim will be uploaded to GitHub and publicly shared under CC-BY-SA.

avatar for Gal Bitensky

Gal Bitensky

Sr. Security Researcher, Minerva Labs
A 29-year-old geek from Tel-Aviv, breaker of stuff. Currently working as a senior malware psychologist in the Israeli start-up Minerva labs. Experienced in various fields, ranging from web application security and Windows internals to SCADA. Fluent in exotic languages like PHP, Lisp... Read More →

Wednesday July 26, 2017 17:00 - 17:55 PDT
Breaking Ground (Florentine A) 255 E Flamingo Rd, Las Vegas, NV 89169

18:00 PDT

Lessons from the front lines: New York City Cyber Command
Colin Ahern, the Deputy Chief Information Security Officer of the City of New York will share the way forward for NYC Cyber Command. NYC Cyber Command has responsibility for cyber threats against nearly 300,000 employees, and over 400,000 workstations/servers and connected devices. Colin will lay out the approach to the complex technical and organizational challenges facing the Greatest City in the World with regards to current and future cyber threats.

avatar for Colin Ahern

Colin Ahern

Deputy CISO, City of New York
Colin Ahern is the Deputy Chief Information Security Officer of the City of New York. Before joining the City, he was a security engineer and threat researcher in financial services. Colin also served seven years in the US Army, deploying twice to Afghanistan and commanding a company... Read More →

Wednesday July 26, 2017 18:00 - 18:55 PDT
Breaking Ground (Florentine A) 255 E Flamingo Rd, Las Vegas, NV 89169