BSidesLV 2017

GO may not longer be the "newest" language, however it is fairly new in terms of reverse engineering. Over the past few years there has been an uptick in malware and non-malicious binaries being distributed in the wild -- though there has been very little documentation provided on how to reverse engineer these things. In an effort to increase community knowledge we will go over how GO works, how to approach reversing it and demo the updated open source kit for reverse GO binaries. We will also tackle how people currently "harden" binaries and how we suggest people should further harden their binaries.

Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. The major difference is that Koadic does most of its operations using Windows Script Host (a.k.a. JScript/VBScript), with compatibility in the core to support a default installation of Windows 2000 with no service packs (and potentially even versions of NT4) all the way through Windows 10.

An in-depth view of default COM objects will be provided. COM is a fairly underexplored, large attack surface in Windows. Post exploitation with PowerShell has grown in popularity in recent years, and seeing what can be done with just the basic Windows Script Host is an interesting exploration. We will also share lots of weird Windows scripting quirks with interesting workarounds we discovered during the course of development.

It is possible to serve payloads completely in memory from stage 0 to beyond, as well as use cryptographically secure communications over SSL and TLS (depending on what the victim OS has available). We also found numerous ways to "fork to shellcode" in an environment which traditionally does not provide such capabilities.

Koadic also attempts to be compatible with both Python 2 and Python 3. Koadic is used via a slick shell, with CLI improvements that we also committed into Metasploit. Koadic's code will be released under the Apache 2.0 license. It consolidates techniques from original research as well as amazing previous research by @subTee, @enigma0x3, and @tiraniddo.

Most forms of WPA2-EAP have been broken for nearly a decade. EAP-TTLS and EAP-PEAP have long been susceptible to evil twin attacks, yet most enterprise organizations still rely on these technologies to secure their wireless infrastructure. The reason for this is that the secure alternative, EAP-TLS, is notoriously arduous to implement. To compensate for the weak perimeter security provided by EAP-TTLS and EAP-PEAP, many organizations use port based NAC appliances to prevent attackers from pivoting further into the network after the wireless has been breached. This solution is thought to provide an acceptable balance between security and accessibility.

The problem with this approach is that it assumes that EAP is exclusively a perimeter defense mechanism. In a wireless network, EAP actually plays a subtle and far more important role. WPA2-EAP is the means through which the integrity of a wireless network’s physical layer is protected. Port-based access control mechanisms rely on the assumption that the physical layer can be trusted. Just as NACs can be bypassed on a wired network if the attacker has physical access to the switch, they can also be bypassed in a wireless environment if the attacker can control the physical layer using rogue access point attacks.

In this presentation, we will apply this concept by presenting a novel type of rogue access point attack that can be used to bypass port-based access control mechanisms in wireless networks. In doing so, we will challenge the assumption that reactive approaches to wireless security are an acceptable alternative to strong physical layer protections such as WPA2-EAP using EAP-TLS. Finally, we will talk about how to defend against these attacks by exploring ways in which EAP-TLS can be made easier to implement.

There are more cloud service providers offering serverless or Function-as-a-service platforms for quickly deploying and scaling applications without the need for dedicated server instances and the overhead of system administration. This technical talk will cover the basic concepts of microservices and FaaS, and how to use them to scale time consuming offensive security testing tasks. Attacks that were previously considered impractical due to time and resource constraints can now be considered feasible with the availability of cloud services and the neverending free flow of public IP addresses to avoid attribution and blacklists.

Key takeaways include a guide to scaling your tools and a demonstration on the practical benefits of utilising cloud services in performing undetected port scans, opportunistic attacks against short lived network services, brute-force attacks on services and OTP values, and creating your own whois database, shodan/censys, and searching for the elusive internet accessible IPv6 hosts.

The world is changing, but our network security models are having trouble keeping up. In a time where remote work is regular and cloud mobility is paramount, the perimeter security model is showing its age -- badly.

We deal with VPN tunnel overhead and management. We spend millions on fault-tolerant perimeter firewalls. We carefully manage all entry and exit points on the network, yet still we see ever-worsening breaches year over year. The Zero Trust model aims to solve these problems.

Zero Trust networks are built with security at the forefront. No packet is trusted without cryptographic signatures. Policy is constructed using software and user identity rather than IP addresses. Physical location and network topology no longer matter. The Zero Trust model is very different, indeed.

In this talk, we'll discuss the philosophy and origin of the Zero Trust model, what it brings to the table, and how to think about building one.

SniffAir is an open-source wireless security framework. Its primary purpose is to provide pentesters, systems admins, or others eager about wireless security a way to collect, manage, and analyze wireless traffic. SniffAir was born out of the hassle of managing large or multiple pcap files while thoroughly cross-examining and analyzing the traffic, looking for potential security flaws or malicious traffic.
We created SniffAir to collect all the traffic broadcasted, grouping them by Client or Access Point. SniffAir can be instructed to parse the information based on rules created by the user. These rules help define the scope. Using these rules, SniffAir moves the in-scope data to a new set of tables, allowing the framework to compare against the original table for anomalies. The user can then perform queries, which display the information required in a clear and concise manner – perfect for facilitating attacks.

What are the motivations and mechanics of code re-use by malware coders?
The talk begin with a few in-the-wild examples of bad guys re-using existing source code.
Later, the main course will be served - an experimental malware written especially for the talk from publicly available code snippets, created by almost purely by copy-paste.

This will be the official public launch of BinaryAlert, a newly developed open-source serverless AWS pipeline where any file uploaded to an S3 bucket is immediately scanned with a configurable set of YARA rules. An alert will fire as soon as any match is found, giving an incident response team the ability to quickly contain the threat before it spreads.

The serverless design leads to strong security, automatic scalability, and very low cost. The YARA ruleset can be updated at any time, triggering a re-analysis of the entire bucket and alerting if any new matches are found. BinaryAlert is fully managed with Terraform configuration files and can be deployed in minutes with a single command.

This talk will review the flexibility and popularity of YARA rules, explain the BinaryAlert architecture and demo a deployment followed by a triggered alert (starting from only an empty AWS account).

In this talk, we present CheckPlease, our new repository of implant security modules. CheckPlease is unique in that it is payload-agnostic, meaning we implement every module in PowerShell, Python, Go, Ruby, C#, Perl, and C. In our talk, we not only present on a breadth of new techniques, but we also walk step-by-step through their implementations in newer languages that are seemingly a major increase in payload deliverance.

CheckPlease will serve as the central repository for implant security and, as a byproduct, sandbox detection. In our opinion, the future of sandbox detection is in implant security; by targeting your payload, your odds of executing in a sandbox decrease dramatically. This talk will provide insight into the newest implant security techniques, their implementations, and how payloads in new languages interact with the Windows API.

The movement to encrypt network communications has created a new set of challenges and critical choices for information security and risk operations personnel and executives. Network security monitoring (NSM) and network forensics is essential to secure a modern enterprise but many wonder if the changing landscape will shift the balance of power to attackers. While encryption renders many legacy network security monitoring tools useless, there are compelling cases for maintaining user privacy.

This talk will examine how the increasing adoption of encryption in common network protocols impacts security architectures and present new techniques to build threat intelligence and detection streams that operate on top of encrypted traffic. Further, the talk will present research and statistics based upon the techniques to show how real threat actors have been detected and shut down even when hiding behind the veil of encryption. The talk will close by presenting a maturity model helping organizations to understand their maturity level in terms of monitoring encrypted traffics. Attendees will leave no longer wondering how encrypting “all the things” prevents their team from analyzing those things.

You are on the inside of the perimeter. And maybe you want to exfiltrate data, download a tool, or execute commands on your command and control server (C2). Problem is - the first leg of connectivity to your C2 is denied. Your DNS and ICMP traffic is being monitored. Access to your cloud drives is restricted. You've implemented domain fronting for your C2 only to discover it is ranked low by the content proxy, which is only allowing access to a handful of business related websites on the outside.

We have all been there, seeing frustrating proxy denies or triggering security alarms making our presence known.
Having more choices when it comes to outbound network connectivity helps. In this talk we'll present a technique to establish such connectivity with the help of HTTP callbacks (webhooks). We will walk you through what webhooks are, how they are used by organizations. We will then discuss how you can use approved sites as brokers of your communication, perform data transfers, establish almost realtime asynchronous command execution, and even create a command-and-control communication over them, bypassing strict defensive proxies, and even avoiding attribution.

Finally, we’ll show the tool that will use the concept of a broker website to work with the external C2 using webhooks.

Enterprise security tools provide a deep level of insight, and access, to the organizations they are designed to protect. Although, in the right hands these tools can be powerful assets for a blue team, they can be equally valuable for an attacker. Attackers can subvert legitimate functionality to gain and maintain access to an enterprise's crown jewels.
Solutions such as Splunk, Tanium, Tripwire, Carbon Black Response, in addition to providing detailed reporting on an organizations assets, all offer the ability to run commands or scripts for administrative purposes on end points. Many of these systems by default, or only, run commands as the 'System' user on Windows. This can be leveraged to gain access to critical systems, pivot into 'segmented' networks, and maintain stealthy command and control.
Unfortunately, these tools are commonly deployed with inadequate hardening, or with excessive number of administrative user accounts. One reason for this could be the prior knowledge required to leverage the power of these applications in a safe and controlled manner during a pentest, causing them to largely go unnoticed, or unreported on most tests. We want to bring awareness to the importance of protecting deployed security tools and provide a framework for pentesters and red team teamers to leverage these tools on engagements. The tool we are releasing is called secsmash, and provides a handy commandline tool to turn credentials you've acquired for a supported tool into enterprise pwnage.

Network reconnaissance is not what it used to be. The surge in cloud use and temporary infrastructure has turned standard network discovery on its head. Security folks on both sides of the fence are struggling to identify organizational assets as these trends accelerate. This talk will describe how to build an internet-scale network discovery platform using open source software (some old, some new) and a wide range of data sources, most of which are available at zero cost. For the last two years, the presenter has been using this platform to accelerate penetration tests, provide accurate pre-sales project scoping, and help defenders get a handle on their network footprint.

Malware often searches for specific artifacts as part of its “anti-­VM\analysis\sandbox\debugging” evasion mechanisms, we will abuse its cleverness against it.
The "anti-­honeypot" approach is a method to repel (instead of luring) attackers, implemented by creating and modifying those artifacts on the potential victim’s machine.
Once the created artifacts are found by the malware – it will terminate.

The session will include motivations for attackers to use evasion techniques, some in-­the-­wild examples and effective countermeasures against it.
A short DIY­ vaccination live demo will be performed, including the execution and prevention of a live malware from recent cases (e.g. WannaCry, NotPetya\EternalPetya).

The script used in the demo to vaccinate the potential victim will be uploaded to GitHub and publicly shared under CC-BY-SA.

Colin Ahern, the Deputy Chief Information Security Officer of the City of New York will share the way forward for NYC Cyber Command. NYC Cyber Command has responsibility for cyber threats against nearly 300,000 employees, and over 400,000 workstations/servers and connected devices. Colin will lay out the approach to the complex technical and organizational challenges facing the Greatest City in the World with regards to current and future cyber threats.