44CON 2017 has ended
Wednesday, September 13
 

18:00 BST

Registration opens
44CON 2017 opens with the Community Evening. Free to attend (registration required)

Wednesday September 13, 2017 18:00 - 18:29 BST
*Track 2*


18:30 BST

44CON 2017 Community Evening Opening
Speakers
adrian

Event Director, 44CON, SINCON, alien8 Security


Wednesday September 13, 2017 18:30 - 18:44 BST
*Track 1*

18:45 BST

Nicky Bloor - BaRMIe - Poking Java's Back Door
Java’s Remote Method Invocation (RMI) enables developers to seamlessly interact with objects that reside within another Java Virtual Machine (JVM), potentially on a remote server. As is often the case, the trade-off for seamless remote method invocation is security. While many consider RMI to be outdated and uninteresting, many in-service implementations remain trivial to exploit, and there are many questions to consider. How common is RMI? How many RMI services are making the same mistakes when it comes to security? What else could I do with arbitrary RMI services? Can RMI services be secured, and if so, how?

I set about finding answers to those questions. Along the way I wrote a tool to help with enumeration of RMI services, called BaRMIe, which eventually became an exploitation tool following the discovery of vulnerabilities within Java itself.

During this talk I’ll look at the work I did and present the results of my research including answers to my original questions and the exploitation tool I wrote, BaRMIe.

Wednesday September 13, 2017 18:45 - 19:44 BST
*Track 1*

18:45 BST

Olivier Bilodeau - Capture-The-Flag 101
This workshop is a deep-dive into Capture-The-Flag (CTF) competitions for CTF first-timers. It will introduce CTFs and then assist both teams and individuals in preparing for them and evolving their applied cybersecurity skills in the process.

The workshop will have various levels (easy, medium, hard) of CTF challenges in several categories (binaries, Web, crypto) and hints and solutions will be provided during the workshop.


Wednesday September 13, 2017 18:45 - 20:44 BST
*Track 2*

19:45 BST

Gabriel Ryan - The Black Art of Wireless Post-Exploitation: Bypassing Port-Based Access Controls Using Indirect Wireless Pivots
Most forms of WPA2-EAP have been broken for nearly a decade. EAP-TTLS and EAP-PEAP have long been susceptible to evil twin attacks, yet most enterprise organizations still rely on these technologies to secure their wireless infrastructure. The reason for this is that the secure alternative, EAP-TLS, is notoriously arduous to implement. To compensate for the weak perimeter security provided by EAP-TTLS and EAP-PEAP, many organizations use port-based NAC appliances to prevent attackers from pivoting further into the network after the wireless has been breached. This solution is thought to provide an acceptable balance between security and accessibility.

The problem with this approach is that it assumes that EAP is exclusively a perimeter defence mechanism. In a wireless network, EAP plays a subtle and far more important role. WPA2-EAP is the means through which the integrity of a wireless network’s physical layer is protected. Port-based access control mechanisms rely on the assumption that the physical layer can be trusted. Just as NACs can be bypassed on a wired network if the attacker has physical access to the switch, they can also be bypassed in a wireless environment if the attacker can control the physical layer using rogue access point attacks.

In this presentation, we will apply this concept by presenting a novel type of rogue access point attack that can be used to bypass port-based access control mechanisms in wireless networks. In doing so, we will challenge the assumption that reactive approaches to wireless security are an acceptable alternative to strong physical layer protections such as WPA2-EAP using EAP-TLS.

Wednesday September 13, 2017 19:45 - 20:44 BST
*Track 1*

20:45 BST

Lightning Talks
Wednesday September 13, 2017 20:45 - 21:59 BST
*Track 1*
 
Thursday, September 14
 

08:30 BST

44CON 2017 Registration opens
Thursday September 14, 2017 08:30 - 09:14 BST
Cortex Insight Cafe


09:15 BST

44CON 2017 Opening
Thursday September 14, 2017 09:15 - 09:29 BST
*Track 1*

09:30 BST

Don Bailey - The Internet of Us
The Internet of Things has devolved into a four letter word on the tongues of information security researchers. As a result, we’ve endured the nonsensical rants of would-be hacker-pundits exclaiming every new technology must be junk that certainly can be hacked. Even if they’re right, they’re missing the point: the world is changing out from under them.

IoT isn’t simply a trend that splices any given thing with a communications chip and rudimentary application. IoT is the next wave of computing. The boundaries between endpoints and cloud services are blurring into new abstractions with trendy names like ‘the fog’. As the blurring of resources continues, IoT won’t simply be things connecting to services, it will represent services extended inward toward our fingertips.

This shift in computing has already started to upend the way we think about the effects of information security gaps. For example, most implementers and even auditors of IoT technology don’t understand that the greater risk to an insecure deployment isn’t to the consumer, it’s actually to the business. Many standard IoT models actually put the business at risk of bankruptcy due to the way services are exposed to endpoints, and how these services can be abused to create massive surges in fees.

Yet, instead of identifying these shifts in architectural models, infosec pundits would rather shake their fist at the sky. We, as an industry, must do better not only for ourselves, but for the global community. Our job is to lift up the community and support it in its efforts to evolve our world. Otherwise, we will succeed in securing relics, leaving brave new worlds without an atmosphere.

Without pointing fingers, this keynote presentation calls out the negative behaviours in IoT security punditry by demonstrating not only how new security models have slipped through the infosec community’s fingers, but how these gaps can be combatted and resolved with cost-effective strategies.

At the end of this keynote, the audience should feel a new commitment toward infosec principles, and to new technological models. I hope to empower everyone to realize that The Internet of Things isn’t about stuff, it’s about Us. The Internet of Us.


Speakers
Don Bailey

Don A. Bailey has consistently engaged in ground breaking research over the past decade. He helped prove SS7 to be a global threat to telephony security before anyone knew what SS7 was, and helped mitigate these threats in the USA. Don started the IoT hacking trend by performing the...


Thursday September 14, 2017 09:30 - 10:29 BST
*Track 1*

10:30 BST

Break
Thursday September 14, 2017 10:30 - 11:00 BST
*Track 1*

10:30 BST

Ruben Boonen - UAC 0day, all day pt 1
This workshop is available to attendees of all levels; however, basic familiarity with Process Monitor and the Windows API is recommended. The workshop will provide the required knowledge to find, analyze and exploit process workflows which allow an attacker to elevate their privileges from Medium to High integrity. The workshop is divided into the following sections.

Auto-Elevation:

Identifying auto-elevating processes
Analyzing process workflows
Finding UAC bypass targets
Elevated File Operations:

Using the IFileOperation COM object
Tricking the Process Status API (PSAPI)
Getting UAC 0day (Pre RS2):

Analysis of known UAC bypasses
Understanding the Windows Side-By-Side Assembly + Creating proxy DLLs
Using the Bypass-UAC framework (https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC) + Dropping 0day(s)!
Looking forward:

Triaging Windows 10 Redstone 2
Leaving IFileOperation behind
COM objects & Fileless elevation
The workshop has intense hands-on labs where attendees will put the theory into practice. After attending you will immediately be able to apply this knowledge in the field. The next time someone tells you the default UAC settings are sufficient you will be able to set them straight!

Thursday September 14, 2017 10:30 - 12:29 BST
*Track 3*

10:30 BST

Amanda Rousseau - Reverse Engineering Windows Malware 101 Workshop
Reverse engineering already sounds like black magic, when in reality it’s just lots of practice and strong foundations in computer science concepts. You might not always remember what you learned in computer science classes or understood it enough to actually apply it to the real world. The best way to learn is by getting hands-on practice. In this workshop, the main takeaway is learning how to set analysis goals. By using tools and computer science concepts you can work step by step to those analysis goals. This workshop provides the fundamentals of reverse engineering (RE) Windows malware using a hands-on experience with RE tools and techniques. Attendees will be introduced to RE terms and processes, followed by creating a basic x86 assembly program, and reviewing RE tools and malware techniques. The workshop will conclude by attendees performing hands-on malware analysis that consists of Triage, Static, and Dynamic analysis.

Prerequisites: Basic understanding of programming in C/C++, Python, or Java
Requirements: Laptop with an OS that supports VirtualBox, and a wifi connection
Provided: A virtual machine and tools will be provided

Thursday September 14, 2017 10:30 - 12:29 BST
*Workshop*

11:00 BST

Klaus Schmeh - Breaking Historical Ciphers with Modern Algorithms
Many old encryption methods are still hard to break today. For instance, cryptanalyzing a Turning Grille (a cipher device already known in the 18th century) is far from trivial. Many other encryption methods of historical importance can nowadays be broken, for instance Enigma messages from WW2, ADFGVX ciphertexts from WW1, bigram substitutions, cipher slide messages, and double column transpositions.

This presentation will introduce a number of non-trivial ciphers that played an important role in history and explain how they can be broken with modern means. This will be demonstrated with original ciphertexts from past centuries, some of which were deciphered only recently. A number of interesting improvements in this area have been developed in recent years. Research is still going on.

In spite of all these efforts, there are still surprisingly many historical encryption methods (and original ciphertexts) that are unbroken to date. Among others, Enigma messages with less than 70 letters, double column transpositions with long key words, and numerous cold war ciphers still baffle cryptanalysts. However, research goes on and we might see further improvements in the near future.

Thursday September 14, 2017 11:00 - 11:59 BST
*Track 1*

11:00 BST

Nikhil Mittal - Red Team Revenge : Attacking Microsoft ATA
Microsoft Advanced Threat Analytics (ATA) is a defence platform which reads information from multiple sources like traffic for certain protocols to the Domain Controller, Windows Event Logs and SIEM events. The information collected is used to detect Reconnaissance, Credentials replay, Lateral movement, Persistence attacks etc. Well known attacks like Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, Golden Ticket, Directory services replication, Brute-force, Skeleton key etc. can be detected using ATA. Whenever communication to a Domain Controller is performed using protocols like Kerberos, NTLM, RPC, DNS, LDAP etc., ATA will parse that traffic for gathering information about not only possible attacks but user behaviour as well. It slowly builds an organizational graph and can detect deviations from normal behaviour.

This talk focuses on identifying and attacking ATA installations. Can ATA be attacked to suppress alerts? How noisy is it to attack ATA? How can alerts related to a particular identity (user and computer) be exempted? How can ATA be controlled and crippled remotely?

The talk will be full of live demonstrations.

Thursday September 14, 2017 11:00 - 11:59 BST
*Track 2*

12:00 BST

Lunch
Thursday September 14, 2017 12:00 - 13:29 BST
*Track 2*


12:30 BST

Lunch
Thursday September 14, 2017 12:30 - 13:29 BST
*Workshop*


13:30 BST

Cedric Halbronn - Cisco ASA Episode 2: Striking back - Internals and Mitigations
In 2016, two critical vulnerabilities were published that targeted Cisco ASA (Adaptive Security Appliance) firewalls. Even though the exploits for both are public, they are restricted to specific ASA versions and there is no public tool to understand how they work. This talk is about ASA internals, the reverse engineering involved and tools we have developed to better weaponize exploits.

In addition to covering previously unpublished details of Cisco ASA internals and how the exploit was generalised to apply to over 100 versions and made 100% reliable, the talk will cover a number of tailor-made tools developed to assist in the reverse engineering and exploit production. The tools will be released after the talk.

Thursday September 14, 2017 13:30 - 14:29 BST
*Track 1*

13:30 BST

Lars Haukli - Hypervisor-Assisted Ring0 Debugging with radare2
Reverse engineering protected code operating in kernel mode can be challenging. More advanced protection mechanisms typically combine obfuscation or encryption with techniques that hinder dynamic analysis. Some code will not run at all when certain debugging features are enabled by the OS.

radare2 is a comprehensive open-source framework for reverse engineering that takes you to a magical world where control flow graphs of disassembled code are displayed in ASCII art. The framework combines a vast set of code analysis capabilities, which you can make use of in a variety of ways.

Enter the idea of connecting radare2 to a virtual machine, giving it direct access to guest physical memory. The intent is to debug Ring0 code running inside the guest, with the debugging mechanism operating exclusively on the host.

This talk will cover the use of radare2 on a Linux host accessing a Windows VM.

Thursday September 14, 2017 13:30 - 14:29 BST
*Track 2*

13:30 BST

Ruben Boonen - UAC 0day, all day pt 2
Thursday September 14, 2017 13:30 - 15:29 BST
*Track 3*

13:30 BST

Didier Stevens - A Hands On Introduction To Software Defined Radio
Software Defined Radio is a fascinating playfield for hackers. But the learning curve is steep, and SDR devices are expensive. This two hour hands on workshop introduces SDR via a gentle learning curve, and with cheap devices, so that everyone can participate. Operating SDRs via the open source software GNU Radio offers a wealth of possibilities, but it is hard for beginners to start with GNU Radio. You need a good grasp of the radio concepts to find your way through the software. SDR is quite different from analogue radio, and for most attendees, even analogue radio is quite mysterious.

With GNU Radio and GNU Radio Companion, I will guide the attendees through a set of exercises (specially designed for this workshop) intended to familiarize them with radio technology, SDR, GNU Radio and GNU Radio Companion. Each attendee should bring their own laptop and Didier will supply 20 cheap SDR devices (USB digital TV receivers RTL2832U) and a couple of more performant devices, like the HackRF One, a WiSpy, and a handheld digital spectrum analyzer. We will boot from a Live CD and start with simple exercises to understand SDR. Because of the limited number of devices (20 devices), the workshop is limited to 20 attendees. But attendees can bring their own RTL2832U.

Thursday September 14, 2017 13:30 - 15:29 BST
*Workshop*

14:30 BST

Kev Sheldrake - Cracking HiTag2 Crypto - Weaponising Academic Attacks for Breaking and Entering
HiTag2 is an RFID technology operating at 125 kHz. It is distinguished from many others in the same field by its use of 2-way communications for authentication and its use of encryption to protect the data transmissions – the majority of RFID technologies at 125 kHz feature no authentication or encryption at all. As a result it has been widely used to provide secure building access and has also been used as the technology that implements car immobilisers.

In 2012, academic researchers Roel Verdult, Flavio D. Garcia and Josep Balasch published the seminal paper, ‘Gone in 360 Seconds: Hijacking with Hitag2’ that presented three attacks on the encryption system used in HiTag2. They implemented their attacks on the Proxmark 3 device (an RFID research and hacking tool) and gave several high-profile demonstrations, but didn’t release any of their code or tools. Since then, the forums supporting Proxmark 3 and RFIDler (another RFID hacking tool) have received many requests for implementations of these attacks, but so far none have been forthcoming.

This talk covers implementation of all three attacks on RFIDler, supported by desktop computers. The first attack uses a nonce replay to misuse the integrity protection of the comms in order to allow access to the readable RFID tag pages without needing to know the key. The talk will cover how HiTag2 RFID works and will describe the first attack in detail plus the implementation challenges. The attacks are weaponised and permit cloning of tags, which will be demonstrated.

The tools used will be released after the talk.

There is a workshop accompanying this talk which builds on the material covered and goes into further detail on a number of attacks, “Cracking HiTag2 Crypto: A Detailed Look at the Academic Attacks”. Attending this talk is a prerequisite for the workshop.

Thursday September 14, 2017 14:30 - 15:29 BST
*Track 2*

15:30 BST

Break
Thursday September 14, 2017 15:30 - 15:59 BST
*Workshop*


16:00 BST

Matt Wixey - See no evil, hear no evil: Hacking invisibly and silently with light and sound
Traditional techniques for C2 channels, exfiltration and exploitation are often frustrated by the growing sophistication and prevalence of security protections, monitoring solutions, and controls. Whilst all is definitely not lost from an attacker’s perspective – we constantly see examples of attackers creatively bypassing such protections – it is always beneficial to have more weapons in one’s arsenal, particularly when coming up against heavily-defended networks and highly-secured environments.

This talk presents and demonstrates a number of techniques and attacks which utilise light and/or sound, covering everything from C2 channels and exfiltration using light and near-ultrasonic sounds, to disabling and disrupting motion detectors; from a DIY laser microphone to sending a drone into the stratosphere; from trolling friends, to jamming speech, and demotivating malware analysts.

This talk not only provides attendees with a new suite of techniques and methodologies to consider when coming up against a well-defended target, particularly for on-site engagements, but also demonstrates – in a hopefully fun and practical way – how these techniques work, their pros and cons, and possible future developments.

I also consider mitigation against some of these attacks, where applicable, and encourage defenders to consider how and why some of these attacks might work where traditional methods fail.

Thursday September 14, 2017 16:00 - 16:59 BST
*Track 1*

16:00 BST

Marc Newlin and Matt Knight - So You Want to Hack Radios
The Age of the Radio is upon us: wireless protocols are a dime a dozen thanks to the explosion of the Internet of Things. While proprietary wireless solutions may offer performance benefits and cost savings over standards like 802.11 or Bluetooth, their security features are rarely well-exercised due to lack of access to these interfaces. The adoption of Software Defined Radio (SDR) by the security research community has helped shift this balance; however, SDR remains a boutique skillset. Join us as we lift the veil on SDR and show that a PhD is not needed to pwn the Internet of Things Radios.

This session offers a tutorial on how to apply Software Defined Radio, with an emphasis on the “Radio” part. Rather than glazing over RF basics, we will frame our entire discussion about reverse engineering wireless systems around digital radio fundamentals.

We begin with an offensively short crash course in digital signal processing and RF communication, covering just enough to be dangerous, before introducing a reverse engineering workflow that can be applied to any wireless system. We will show how to use this workflow to recover and inject packets from/into a variety of devices with proprietary modulations.

Attendees should expect to walk away with practical knowledge of how to apply SDR to examine proprietary wireless protocols. We will release GNU Radio flowgraph templates and shell scripts to get attendees started.



Thursday September 14, 2017 16:00 - 16:59 BST
*Track 2*

17:00 BST

Gin O'Clock
Thursday September 14, 2017 17:00 - 18:29 BST
*Workshop*


17:30 BST

Food
Food will be available to purchase.

Thursday September 14, 2017 17:30 - 19:29 BST
Cortex Insight Cafe

19:35 BST

Evening Session: Yuriy Bulygin - Discovering vulnerable UEFI BIOS firmware at scale
Vulnerabilities in system firmware allow adversaries to bypass almost any protection used in the operating system, virtual machine manager and other software. System firmware attacks bypass Secure Boot, software based full-disk encryption and virtualization-based security. Threats exploiting such vulnerabilities can extract secrets from operating system memory, subvert secure/trusted VMs and even hypervisors, install stealthy and persistent implants and even brick physical systems.

We’ve discovered a number of such vulnerabilities in the past and developed an open source framework to automate analysis. Despite these risks there are still many modern systems which do not protect their main BIOS/UEFI firmware. We decided to analyze thousands of UEFI firmware updates from multiple platform vendors and discovered hundreds of vulnerabilities, indicating that corresponding systems lack any basic firmware protections in ROM or signed firmware updates. We’ll present the process, findings and limitations of such offline analysis of vendor firmware update images.

Thursday September 14, 2017 19:35 - 20:29 BST
*Track 1*

20:30 BST

An audience with Richard Morrell
Thursday September 14, 2017 20:30 - 22:00 BST
*Track 2*

20:30 BST

Evening Session: Open Mic (Rant away)
Thursday September 14, 2017 20:30 - 22:29 BST
*Track 1*

20:30 BST

Evening Session: David Mirza Ahmad - Subgraph OS Workshop
Subgraph OS is an operating system designed to provide a hardened Linux desktop resistant to network and malware attacks.

Subgraph includes a hardened kernel, application sandboxing with per-application network rules, an application firewall and extensive security monitoring and alerting.

This presentation will outline the overall design and goals of the project and detail progress so far, including a detailed description of the sandboxing implementation.


Thursday September 14, 2017 20:30 - 22:29 BST
*Track 3*

20:30 BST

Evening Session: Saumil Shah - ARM Assembly and Shellcode Basics
A two hour workshop on writing ARM Shellcode from scratch. This workshop will cover some simple ARM assembly, and then two shellcode examples: A simple execve() shell and a fully working Reverse Shell. The shellcode will be tested in an ARM QEMU Emulator as well as on actual ARM hardware.

Participants will be provided with ARM images running on QEMU for testing their shellcode. A shared Raspberry Pi-2 cluster will be made available for testing the shellcode on proper ARM hardware. Participants are encouraged to also bring their own Raspberry Pi-2 devices to the workshop.


Thursday September 14, 2017 20:30 - 22:29 BST
*Workshop*
 
Friday, September 15
 

09:20 BST

44CON Day 2 opens
Friday September 15, 2017 09:20 - 09:29 BST
*Track 1*

09:30 BST

Nelson Murilo - Chkrootkit: Eating APTs at breakfast since 1997
Chkrootkit will be 20 years old in 2017!

The first chkrootkit release was in 1997 and it was written by Klaus (CERT.br team) and the presenter. Chkrootkit is a suite of POSIX shell scripts and some tools written in ANSI C, and runs like a charm in virtually all Unix environments without dependencies. It can detect several rootkits, malicious activity (some APTs included) and can do post mortem forensic analysis to detect kernel module activities and related indicators of compromise. This tool currently detects ~70 known Rootkits, Worms and many malicious activities. This talk will discuss the features and methods used to detect rootkits and malware in general, the limitations and potential options to improve it. Chkrootkit is an open source tool, so suggestions are always welcome.

Friday September 15, 2017 09:30 - 10:29 BST
*Track 1*

09:30 BST

Graham Sutherland - Secrets Of The Motherboard (Shit My Chipset Says)
Modern motherboards are fairly daunting pieces of hardware. They’re full of closed-source firmware, undocumented and obscure parts, incredibly complex components, and are developed by people with vast domain-specific knowledge. They’re also full of exciting security-impacting technologies like IME, AMT, SMM, TPM, and UEFI. But, despite the apparent difficulty, what if we took a stab at trying to understand these devices and what security looks like at the bare-metal level? The real secret is that it’s not as hard as it looks.

This talk runs through a list of weird and wonderful things I found while reading datasheets for Intel chipsets and other motherboard parts. Along the way we’ll explore unusual functionality not intended for production use, features we can exploit to build more open platforms, potential security pitfalls in motherboard design, and the challenges faced by certain industries in attempting to secure hardware for reuse.


Friday September 15, 2017 09:30 - 10:29 BST
*Track 2*

09:30 BST

James Forshaw - WORKSHOP: Introduction to Windows Logical Privilege Escalation
This workshop will go through an introduction to finding and exploiting logical privilege escalation vulnerabilities on Windows. More and more code running on Windows is done inside sandboxes or as non-administrators. This makes privilege escalation more important than ever. Memory corruptions are a common way of gaining higher privileges but Windows has been introducing more mitigations making exploitation harder. Logical vulnerabilities on the other hand are typically not affected by mitigations such as ASLR or DEP, but they’re generally more difficult to find. As an added complication they cannot be easily discovered through typical fuzzing approaches. Some of the topics to be presented will be:

Windows Internals as relevant to privilege escalation
Types of sandboxes, restricted and low box tokens
Under the hood
Attack surface analysis:
Probing the sandbox and the system
COM services
Exposed device drivers
File and registry vulnerabilities
How to find them and what to look for
Exploitation
Token vulnerabilities
How to find them and what to look for
Exploitation
UAC and unusual unfixed vulnerabilities
Working examples based on previous vulnerabilities
Attendees are welcome to participate through the workshop by having access to a Windows 10 32 bit VM installation. Access to all tools and examples demonstrated on the day will be provided.

Friday September 15, 2017 09:30 - 11:29 BST
*Track 3*

09:30 BST

Kev Sheldrake - Cracking HiTag2 Crypto - Detailed Look at the Academic Attacks.
NOTE: The corresponding talk “Cracking HiTag2 Crypto – Weaponising Academic Attacks for Breaking and Entering” is a prerequisite for this workshop. You must attend the talk if you plan to attend the workshop.

HiTag2 is an RFID technology operating at 125 kHz. It is distinguished from many others in the same field by its use of 2-way communications for authentication and its use of encryption to protect the data transmissions – the majority of RFID technologies at 125 kHz feature no authentication or encryption at all. As a result it has been widely used to provide secure building access and has also been used as the technology that implements car immobilisers.

In 2012, academic researchers Roel Verdult, Flavio D. Garcia and Josep Balasch published the seminal paper, ‘Gone in 360 Seconds: Hijacking with Hitag2’ that presented three attacks on the encryption system used in HiTag2. They implemented their attacks on the Proxmark 3 device (an RFID research and hacking tool) and gave several high-profile demonstrations, but didn’t release any of their code or tools. Since then, the forums supporting Proxmark 3 and RFIDler (another RFID hacking tool) have received many requests for implementations of these attacks, but so far none have been forthcoming.

In this workshop I will explain how HiTag2 RFID works in detail, including the PRNG and the authentication and encryption protocols, and will present my own implementations of the attacks, written for RFIDler and supported by desktop computers. The first attack uses a nonce replay to misuse the integrity protection of the comms in order to allow access to the readable RFID tag pages without needing to know the key. The second and third attacks use time/memory trade-off brute force and cryptanalytic attacks to recover the key, such that the contents of the read-protected pages can also be accessed. The attacks are weaponised and permit cloning of tags, which I will demonstrate.

All tools will be publicly released.

Friday September 15, 2017 09:30 - 11:29 BST
*Workshop*

10:30 BST

Break
Friday September 15, 2017 10:30 - 10:59 BST
*Track 2*


11:00 BST

Colin Mulliner - Inside Android’s SafetyNet Attestation: What it can and can’t do: lessons learned from a large scale deployment
There are many reasons for protecting your mobile applications against modification and tampering. Until recently you had to use third party tools or implement your own app integrity checks and device rooting checks. Today you can use Android’s SafetyNet Attestation infrastructure to ensure the integrity of your application and the user’s device. Unfortunately, SafetyNet Attestation is not well documented by Google.

This talk provides a deep dive into SafetyNet Attestation. We show what level of attestation SafetyNet provides and what it can’t do. The talk is based on the lessons learned from implementing SafetyNet Attestation for an app with a large install base. We turned SafetyNet upside down to find its flaws and shortcomings. This talk will provide you with everything you need to know about Android’s SafetyNet Attestation and will help you to implement and use it in your app.

Friday September 15, 2017 11:00 - 11:59 BST
*Track 1*

11:00 BST

Aaron Guzman - Hide Yo Keys, Hide Yo Car: Remotely Exploiting Connected Vehicle APIs and Apps
Today, most vehicle manufacturers in the US connect their vehicles to a type of network and delegate controls to mobile or web applications upon vehicle purchase. Thankfully, in the US security research on consumer devices is now exempt from the DMCA, which enables us to audit and assess our connected vehicles. Like many devices in the IoT space, a single software bug in connected vehicles can compromise the entire ecosystem.

In this talk, we will demonstrate the methodology used to discover and remotely exploit vulnerabilities in Subaru’s STARLINK remote vehicle services, as well as discuss how car manufacturers can learn from these mistakes. After all, who needs car keys when your vehicle is “connected”?

Friday September 15, 2017 11:00 - 11:59 BST
*Track 2*

11:30 BST

Matt Knight & Marc Newlin - How to Hack Radios: Hands-On with RF Physical Layers
The Age of the Radio is upon us: wireless protocols are a dime a dozen thanks to the explosion of mobile devices and the Internet of Things. While proprietary wireless solutions may offer performance benefits and cost savings over standards like 802.11 or Bluetooth, their security features are rarely well-exercised due to a lack of access to these interfaces. The adoption of Software Defined Radio (SDR) by the security research community has helped shift this balance; however, SDR remains a boutique skill set. Join us as we lift the veil on SDR and show that a PhD is not needed to pwn the Internet of Things’ Radios.

This workshop offers an applied tutorial on how to apply Software Defined Radio, with an emphasis on the “Radio” part. Rather than glossing over RF basics, we will frame our entire discussion about reverse engineering wireless systems around digital radio fundamentals.

We begin with an offensively short crash course in digital signal processing and RF communication, covering just enough to be dangerous, before introducing a reverse engineering workflow that can be applied to just about any IoT wireless system. The bulk of this session will demonstrate how this workflow can be applied to recover and inject packets from/into a variety of devices with proprietary modulations by walking through it, live and in detail, with attendees actively contributing to reverse-engineered solutions and working along in parallel.

Attendees should expect to walk away with practical knowledge of how to apply SDR to examine and deconstruct proprietary wireless protocols. We encourage attendees to bring along their own SDR hardware, though we’ll provide a handful of RTL-SDRs and live USB images for those who lack equipment. Finally, we will release all GNU Radio flowgraph templates and shell scripts for further hacking and development.


Friday September 15, 2017 11:30 - 13:29 BST
*Workshop*

12:00 BST

Lunch
Friday September 15, 2017 12:00 - 13:29 BST
*Track 1*

12:00 BST

Lunch
Friday September 15, 2017 12:00 - 13:59 BST
*Track 3*

12:00 BST

Lunch
Friday September 15, 2017 12:00 - 13:59 BST
*Track 2*

13:30 BST

Lunch
Friday September 15, 2017 13:30 - 13:59 BST
*Workshop*

13:45 BST

Falanx Demo
Friday September 15, 2017 13:45 - 13:59 BST
*Track 1*

14:00 BST

Alex Plaskett & James Loureiro - Biting the Apple that feeds you - macOS Kernel Fuzzing
This talk details the use of MWR’s platform agnostic kernel fuzzing techniques to automatically identify critical flaws within Apple macOS.

This talk will focus on how the researchers approached developing fuzzing automation to test the core subsystems of the XNU kernel and the insights gained, and also highlight architectural differences between other supported platforms which had to be addressed during this work.

The old adage of ‘different fuzzers find different bugs’ will also be explored, as we looked into the effectiveness of using targeted fuzzing for specific components considered most likely to yield vulnerabilities.

An in-memory fuzzer based on a combination of static and dynamic analysis was also constructed to target these components, with the aim of achieving greater code coverage and efficiency and of allowing attacks on other privileged components within macOS via IPC.

Finally, we will discuss the issues discovered by the fuzzers and highlight future improvements which could be made to the tooling going forward to increase coverage and effectiveness.

Various tools used during the research will be released after the talk.


Friday September 15, 2017 14:00 - 14:59 BST
*Track 1*

14:00 BST

William Knowles - Persisting with Microsoft Office: Abusing Extensibility Options
One software product that red teamers will almost certainly find on any compromised workstation is Microsoft Office. This talk will discuss the ways that native functionality within Office can be abused to obtain persistence.

A wide range of techniques for abusing various add-in mechanisms will be covered. Each persistence mechanism will be discussed in terms of its relative advantages and disadvantages for red teamers, in particular with regard to its complexity to deploy, privilege requirements, and applicability to Virtual Desktop Infrastructure (VDI) environments, which hinder the use of many traditional persistence mechanisms.

The talk will finish with approaches to detection and prevention of these persistence mechanisms.

Friday September 15, 2017 14:00 - 14:59 BST
*Track 2*

15:00 BST

Olivier Bilodeau - Lessons Learned Hunting IoT Malware
Permeating the entire spectrum of computing devices, malware can be found anywhere code is executed. Embedded devices, many of which are part of the Internet of Things (IoT), are no exception. With their proliferation, a new strain of malware and tactics has emerged. This presentation will discuss our lessons learned from reverse-engineering and hunting these threats.

During our session, we will explain the difficulty in collecting malware samples and why operating honeypots is an absolute requirement. We will study some honeypot designs and will propose an IoT honeypot architecture comprising several components like full packet capture, a man-in-the-middle framework and an emulator.

Additionally, reverse-engineering problems and practical solutions specific to embedded systems will be demonstrated. Finally, we will explore three real-world cases of embedded malware. First, Linux/Moose, a stealthy botnet that monetizes its activities by selling fraudulent followers on Instagram, Twitter, YouTube and other social networks. Second, a single ELF binary for the MIPS architecture which serves as a dropper. Third, LizardSquad’s LizardStresser DDoS malware, known as Linux/Gafgyt. Attendees will leave this session better equipped to hunt this next generation of malware using primarily open source tools.

Friday September 15, 2017 15:00 - 15:59 BST
*Track 1*

16:00 BST

44CON Closing
Friday September 15, 2017 16:00 - 16:30 BST
*Track 1*