Defcon

Orange Cyberdefense at Hacker Summer Camp

It’s that time of year again where we head out to the desert, more specifically Las Vegas, for what is known as Hacker Summer Camp to attend Black Hat and DEF CON 31! Like previous years, the SensePost team will be present in full force delivering talks, training and hanging out at numerous occasions. For an idea on what we’ve got lined up, check out the rest of this blog post. If you’re keen to meet up, feel free to reach out!

blackhat_defcon_virtual_vegas_2021.zip

Phew! This year’s hacker summer camp is packed with presentations from several hackers across the globe at Orange Cyberdefense. I can’t possibly go into all of the many details, but I hope to give a somewhat compressed view of the highlights! This year we have a total of 10 appearances. Four of those are DEF CON 29 talks, of which two are main stage talks, one a Demo Labs talk and one a Radio Frequency Village talk. On the training side of things, we’re delivering five courses at BlackHat USA 21 and one course at Ringzer0. I’ve been fortunate enough to see the behind-the-scenes preparation that goes into these and can’t wait for the world to see and experience them too!

PEAP Relay Attacks with wpa_sycophant

Back in 2018, I was interested that MSCHAPv2 and NTLMv1 hashes crack using the same algorithms, and, wanting to get onto the WiFi of one of our clients, I naively thought “Surely if you can relay NTLMv1 and it uses the same crypto as MSCHAPv2, you should be able to relay MSCHAPv2!”. This resulted in the creation of wpa_sycophant (and its helper berate_ap) to perform PEAP relay attacks. It was presented in our Defcon talk last year from about 17m in.

Abusing GDI Objects for ring0 Primitives Revolution

Exploiting MS17-017 EoP Using Color Palettes. This post is an accompaniment to the Defcon 25 talk given by Saif. One of the core topics of the talk was the release of a new GDI object abuse technique, named Palette Objects. Saif presented a previously unreleased Windows 7 SP1 x86 exploit involving the abuse of this newly discovered GDI object abuse technique. A complete white-paper on the topic was released and can be found here: Whitepaper

SensePost at BlackHat & Defcon 2017

July is our favourite time of year, when thousands descend on Las Vegas for Blackhat/Defcon, more commonly referred to as ‘Hacker Summer Camp’. This year, our camp counsellors have been working hard to bring you all our latest creations.

BlackHat Training

We’re running our usual training at BlackHat, and as usual have been working hard to build new courses and update others. Here’s a list:

BLACK OPS HACKING FOR PENTESTERS – MASTER LEVEL
PENTESTING ENTERPRISE INFRASTRUCTURE – JOURNEYMAN LEVEL
SECDEVOPS: INJECTING SECURITY INTO DEVOPS (NEW)
TACTICS, TECHNIQUES AND PROCEDURES FOR HACKERS

We’re pretty excited about the new SecDevOps course, which reflects what we’ve learned about transitioning old-style project pentesting into an agile world.

Universal Serial aBUSe

Last Saturday, at Defcon 24, we gave a talk entitled “Universal Serial aBUSe: Remote Physical Access Attacks” about some research we had performed into USB attacks. The talk was part of a research theme we’ve been pursuing related to hardware bypasses of software security. We decided to look into these sorts of attacks after noting their use in real-world attacks. At one end, you have “apex predators” such as the NSA, with its extensive use of sophisticated hardware implants, most notably for this work the COTTONMOUTH devices. At the other end of the scale, we noticed real-world criminals in the UK and ZA making use of unsophisticated hardware devices, such as hardware keyloggers, drive imagers and physical VPN devices, and successfully making off with millions. This led us to hypothesise that there is probably a large series of possible attacks in between these two extremes. We also noted that there are not many decent defences against these sorts of attacks: it’s 2016, and the only decent defence against decent hardware keyloggers is still to “manually inspect all USB ports” (assuming this stuff is even visible).

SensePost at Blackhat & Defcon 2016

The annual Hacker Summer Camp is nearly upon us, and everyone at SensePost is getting ready. This is a brief overview of what we’ll be doing. The tl;dr is: BlackHat Training, BlackHat Arsenal x2, Defcon talk & Stickers :)

BlackHat Training

We’re back at BlackHat for our 15th year of training with a selection of courses ranging from introductory courses for beginners through to hardcore courses for experts.

Basic Tools & Techniques for Hackers – Beginner Level
Mobile Application Bootcamp – Journeyman Level
Web Application Bootcamp – Journeyman Level
Black Ops Hacking for Pentesters – Master Level
Threat Intelligence using Maltego (this one isn’t ours, but our good friends and business partners, Paterva :))

BlackHat Arsenal

We were fortunate enough to have two tools accepted for BlackHat Arsenal this year. We think building open source tools for the hacker community is an important part of how we roll, and we appreciate the ToolsWatch and NETpeas crews’ efforts with Arsenal.

Wadi Fuzzer

“Operating system facilities, such as the kernel and utility programs, are typically assumed to be reliable. In our recent experiments, we have been able to crash 25-33% of the utility programs on any version of UNIX that was tested.” [1] Those were the original words in one of the first fuzzing studies, where Prof. Barton Miller was the first to use the term ‘fuzzing’. One can see the importance of fuzzing as one of the techniques used to test software security against malformed input leading to crashes and, in some cases, exploitable bugs.

Improvements in Rogue AP attacks – MANA 1/2

At Defcon 22 we presented several improvements in wifi rogue access point attacks. We entitled the talk “Manna from heaven” and released the MANA toolkit. I’ll be doing two blog entries. The first will describe the improvements made at the wifi layer, and the second will cover the network credential interception stuff. If you just want the goodies, you can get them at the end of this entry for the price of scrolling down.

DefCon 22 – Practical Aerial Hacking & Surveillance

Hello from Las Vegas! Yesterday (ed: uh, last week, my bad) I gave a talk at DefCon 22 entitled ‘Practical Aerial Hacking & Surveillance’. If you missed the talk, the slides are available here. Also, I’m releasing a paper I wrote as part of the talk entitled ‘Digital Terrestrial Tracking: The Future of Surveillance’; click here to download it. Whiskey shot! The Snoopy code is available on our GitHub account, and you can join the mailing list here. Also, congratulations to @AmandersLPD for winning our #SnoopySensor competition! You can see the output of our *amazing* PRNG in action below: I’ll update this post to point to the DefCon video once they’re released. In the meantime, the specifications of the custom quadcopter I had on stage are below: