Loading…
BruCON 0x09 has ended
Thursday, October 5
 

08:30 CEST

Registration & Breakfast
Thursday October 5, 2017 08:30 - 10:00 CEST
00. Lounge University

09:45 CEST

BruCON Opening
Thursday October 5, 2017 09:45 - 10:00 CEST
01. Westvleteren University

10:00 CEST

Keynote - The cyber short. A market solution for product safety and corporate governance

The Bug Short: What I learned on the way to Wall Street.

Justine Bone presents the world's first ever cyber security-backed short position.

 

As CEO of MedSec, Justine and her team successfully utilized cybersecurity research to impact company performance. Working in partnership with the Muddy Waters investment fund, Justine changed the calculus of how security experts can invest, conduct, and deliver research. Justine describes the factors, gotchas, and preparation required to embark and execute on such a project, enacting a new way to monetize vulnerabilities and address the dysfunctional market around product security.


Speakers
avatar for Justine Bone

Justine Bone

Justine is a recovering vulnerability researcher and security executive with background in software security research, risk management, information security governance, and identity management. Justine currently serves as the CEO of cyber-security company MedSec, a vulnerability research... Read More →


Thursday October 5, 2017 10:00 - 11:00 CEST
01. Westvleteren University

10:00 CEST

ICS and IoT Village
Thursday October 5, 2017 10:00 - 19:00 CEST
02. Westmalle University

10:30 CEST

Getting the Most Out of Windows Event Logs
Limited Capacity filling up

A typical mistake repeatedly made by many security teams is that they collect such large amount of events that at the end their Security Information and Event Management (SIEM) solution chokes on the data fed into it, rendering it slow and ineffective. "Collect all the events!!!" sounds nice in theory, but in practice, less is often more and we must select and focus on events that provide real value from a security perspective and have an actual use-case behind them. But what if we do not even have a SIEM and cannot afford one or do not have the staff or the skill to deploy and maintain one? Luckily, in a Microsoft Windows environment we have built-in and free tools at our disposal to get quickly started with security monitoring and hunting using Windows Event Logs.

In this workshop, we will go through some of the most important and valuable Windows Events to be collected such as AppLocker or EMET events, user and service creation events, PowerShell commands, etc. We will discuss how to properly configure Advanced Audit Policy Settings, see how to collect events with Windows Event Forwarding (WEF) and how to set up Sysmon for advanced application and process monitoring.

Once we have the list of events we need, we will see a few simple PowerShell commands and modules that can help us slice and dice Event Logs like Get-WinEvent. We will also test scripts and tools that are made for monitoring and detection, such as DeepBlueCLI. Finally, we will use the free Power BI Desktop to build nice dashboards to give us a better overview of the data we are collecting.

Speakers

Thursday October 5, 2017 10:30 - 12:30 CEST
Novotel Novotel Ghent

10:30 CEST

Playing with RFID workshop
Limited Capacity full
Adding this to your schedule will put you on the waitlist.

This is a workshop about Radio-frequency Identification (RFID), including a basic introduction and a set of practical hands-on challenges. We will start with explaining the theory behind RFID, including the different types and protocols (insecure vs. secure types) and how to perform an RFID assessment. Afterwards, the participants can take on several challenges (of increasing difficulty) with RFID readers that we will provide. Our objective is to make this workshop fun and accessible to a wide audience.


Thursday October 5, 2017 10:30 - 12:30 CEST
05. La Trappe Novotel

10:30 CEST

Practical iOS App Exploitation and Defense using iGoat
Limited Capacity full
Adding this to your schedule will put you on the waitlist.

/!\ Important Notice /!\

If you want to perform hands-on during session, please have below setup:

1. Macbook with root permission and Xcode (8.2 or above but less than version 9) Installed.
2. Training Files [Download]: https://goo.gl/n16AiT
--------------------------------------------------------------------------------------------------------------------------

iOS has become one of the most popular mobile operating systems with more than 1.4 million apps available in the iOS App Store. Some security weaknesses in any of these applications or on the system could mean that an attacker can get access to the device and retrieve sensitive information. This training will show you how to conduct a wide range of penetration tests on iOS applications to uncover vulnerabilities and strengthen the system from attacks.
This 2 hrs session will help you conduct end to end pentesting of iOS Applications and will also help you to understand the security measures which needs to be taken. This training will also have CTF challenge where attendees will use their skills learnt in session. To attend this hands-on session, all you have to do is bring your macbook with xcode installed on it.


Thursday October 5, 2017 10:30 - 12:30 CEST
03. Chimay Novotel

10:30 CEST

Programming Wireshark With Lua
Limited Capacity full
Adding this to your schedule will put you on the waitlist.

In this 2 hour workshop, you will learn how to program Wireshark with the Lua programming language.

Wireshark can be extended using the C and Lua programming languages. In this workshop, we will look into Lua taps and dissectors to help you analyze traffic that "pure" Wireshark does not understand. Wireshark dissectors are often designed to analyze a network protocol.
You will learn how to install Lua dissectors and program your own.
Say you are reversing a botnet, then you can develop your own dissector that analyses the custom network protocol that the botnet uses to communicate between the C&C and the clients. But custom dissectors can help you even with known network protocols. For example, Didier will teach you the inner workings of a simple custom dissector he developed in Lua to display TCP flags like Snort.

Speakers

Thursday October 5, 2017 10:30 - 12:30 CEST
04. Orval Novotel

11:00 CEST

Detecting malware even when it is encrypted - Machine Learning for network HTTPS analysis
With the increasing amount of malware HTTPS traffic, it is a challenge to discover new features and methods to detect malware without decrypting the traffic. A detection method that does not need to unencrypt the traffic is cheaper (because no traffic interceptor is needed), faster and private, respecting the original idea of HTTPS. Our research goal is to detect malware HTTPS connections using data from Bro IDS logs [1], that does not need to unencrypt the traffic.

We created and extracted our features from data logs that the Bro IDS is able to generate from a pcap file. Bro offers information about flows, SSL handshakes and X.509 certificates. These three types of data give us enough information to create powerful features and machine learning algorithms to detect the malicious HTTPS traffic with good accuracy.

Our machine learning algorithm uses 30 different features. These features are divided into features for flows, features for SSL handshakes and features for X.509 certificates. One of our main contributions is that our data model is based on connection 4-tuples. A connection 4-tuple aggregates the group of flows which share the same SrcIP, DstIP, DstPort, and protocol. Therefore, each connection summarizes the behavior of the malware while connecting to the same C&C server. Such aggregation proved paramount for the success of our method.

A core part of our research was the production and selection of correct datasets. We used 13 datasets from the CTU-13 malware dataset [2], 55 malware datasets from the Stratosphere Malware Capture Facility Project (done by Maria Jose Erquiaga)[3] and we produced 20 of our own normal datasets. Each dataset was processed to extract the Bro files from the original pcap files. Afterwards, each dataset was labeled using our expert knowledge. The Amount of malware and normal traffic in our entire dataset is balanced.

Our detection method consisted in using and comparing several machine learning algorithms to learn how the normal HTTPS traffic differs from the malware HTTPS based on our behavioral features. Our results show that malware HTTPS behaviour is distinct from normal HTTPS behaviour and that our methods are able to detect malware with good accuracy without decrypting the traffic.

[1] https://www.bro.org/
[2] https://stratosphereips.org/category/dataset.html
[3] https://mcfp.felk.cvut.cz/publicDatasets/


Thursday October 5, 2017 11:00 - 12:00 CEST
01. Westvleteren University

12:00 CEST

Knock Knock... Who's there? admin admin and get in! An overview of the CMS brute-forcing malware landscape.
With more than 18M websites on the internet using WordPress [1] and hundreds of known vulnerabilities reported [2], this and other well known Content Management Systems (CMS) have been systematically attacked for the past years by different threat actors looking for disposable infrastructure for their attacks.

Brute-forcing is one of the most common types of attacks against CMS. The main goal of this attack is pretty straightforward: to obtain a valid username and password and get access to the CMS administration panel. Attackers take advantage of the fact that still, in most cases, CMSs chosen passwords are very weak: admin, 123456, qwerty, etc. Successfully brute-forced websites are commonly used for hosting C&Cs, scams, and drive-by attacks to spread malware or even for selling in the black market to interested parties.

The goal of this presentation is threefold: first, to outline different malware and botnets with CMS brute-forcing capabilities; second to provide a comparison of the most prominent brute-forcing botnets with a focus on their technical capabilities; third to present an in-depth analysis of a real life distributed brute-force attack on a popular CMS platform performed by a botnet known as Sathurbot.

While the trojan Sathurbot first appeared in 2013 [3], it is still active and affecting hundreds of users. To this date, the trojan has 4 known modules: backdoor, downloader, web crawler, and brute-forcing. The downloader module allows the trojan to deliver additional malware to the infected machine such as Boaxxe, Kovter, and Fleercivet. The web crawler module allows the trojan to search in different searching engines for websites using WordPress CMS. The brute-forcing module is what the trojan uses to attempt to login to the WordPress admin panels with different credentials. The case of study is focused on the web crawling and brute-forcing modules with specific insights obtained of a real life infection. It will provide insights of the infrastructure, target selection, aggressiveness, and an analysis of it's success from our observation.

As a final contribution, we will present some detection methods that can be used to identify CMS brute-forcing attacks.

[1] Built With. (2017, April). WordPress Usage Statistics. Retrieved from https://trends.builtwith.com/cms/WordPress
[2] CVE Details. (2017, April). WordPress Security Vulnerabilities. Retrieved from https://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/
[3] Krebs On Security. (2013, April) Brute Force Attacks Build WordPress Botnet. Retrieved from https://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/

Speakers

Thursday October 5, 2017 12:00 - 13:00 CEST
01. Westvleteren University

13:00 CEST

Lunch
Thursday October 5, 2017 13:00 - 14:00 CEST
00. Lounge University

13:30 CEST

Hacking Bluetooth Smart locks
Limited Capacity full
Adding this to your schedule will put you on the waitlist.

/!\ Important Notice /!\
You are welcome to take part in the workshop without having any additional hardware. You will receive all necessary code, files and instructions – to buy it later if needed, and then practice BLE hacking at home.
However, if you wish to take active part in the workshop, for best hands-on experience we suggest the hardware options below. If you are interested, we can prepare the chosen hardware for you – please fill the form linked below:
https://docs.google.com/forms/d/e/1FAIpQLSeicybP1_nqqExc6elx5AaG2NN1aSW1K3zS-VqekCDD5DykOw/viewform

More information: https://smartlockpicking.com/events/brucon/

Thank you.
---------------------------------------------------------------

Recently it seems our home/car/bicycle locks have started to follow a new trend: to include a BLE chip inside to make them "smart".
Unlike smart toothbrushes, socks or kettles, locks guard our safety, and their security should be much more of a concern. Vendors promise "military-grade level of security", "128-bit encryption" and "cryptographic key exchange protocol" using "latest PKI technology". However, recent disclosures of multiple vulnerabilities in smart locks clearly contradict the assurances on the actual security provided, and raise the question of whether these devices have passed any independent security assessments at all!
Bring your Kali Linux installs with your own BLE dongle and/or Bluetooth sniffing hardware of choice, and we’ll go about hacking at least 7 various smart locks. You will learn how to intercept, analyze, find vulnerabilities in such devices. You will get familiar with available tools, including GATTacker Bluetooth Smart Man-in-the-Middle proxy presented at BH16 from its own creator.
Our live hacking session will cover among others:
Lack of link-layer encryption and possible MITM scenarios
Passive sniffing
Static authentication password
Spoofing
Replay attacks
Command injection
Denial of Service
Cracking "own PKI"
Other flaws of custom challenge-response authentication
Abusing excessive services (e.g. module’s default AT-command interface).
Sharing keys weaknesses
You will also get familiar with an open-source, deliberately vulnerable BLE Hackmelock developed by author. The device can be simulated on your Raspberry Pi, Linux or Mac and along with an enclosed Android application, provides for various levels of challenges to help you to further practice BLE hacking at home.

Speakers

Thursday October 5, 2017 13:30 - 17:30 CEST
02. Westmalle University

13:30 CEST

Malware Triage: Malscripts Are The New Exploit Kit
Limited Capacity full
Adding this to your schedule will put you on the waitlist.

Malware triage is an important function in any mature incident response program; the process of quickly analyzing potentially malicious files or URLs to determine if your organization has exposure. Traditionally malware triage has focused on exploit kits which were the initial infection vector of choice, but this is changing. In recent years malscripts and file based exploits have become an equally common initial infection vector. Often delivered via email, malscripts can take many different forms, WScript, Javascript, or embedded macros. However, the goal is always the same; obtain code execution and deliver a malicious payload.

In this workshop you will work through the triage of a live malscript sample. During this process you will identify and extract malscripts from Office documents, manually deobfuscate the malscripts, circumvent anti-analysis techniques, and finally determine the purpose of the scripts and payload in order to develop countermeasures. The focus of this process will be the intersection between the techniques used to analyze malscripts and the larger incident response process.

This workshop is aimed at junior incident responders, hobby malware analysts, and general security or IT practitioners who are interested in learning more about the malware triage process. If you have no experience with malware analysis but you have a good understanding of scripting languages like VBScript, and Javascript, and you are familiar with windows internals you should have no problem completing the workshop. Please make sure to bring a laptop that you are able to analyze malware on (we recommend using a VM). We also recommend that you have Google Chrome installed, no other tools are required to be installed prior to the workshop.


Thursday October 5, 2017 13:30 - 17:30 CEST
04. Orval Novotel

13:30 CEST

Practical Machine Learning in InfoSecurity
Limited Capacity full
Adding this to your schedule will put you on the waitlist.

This lab session is designed to give attendees a quick introduction to ML concepts and gets up and running with the popular machine learning library, sci-kit learn.

We first start by building a basic understanding of how to integrate ML into an email spam identification system. We look at the inner workings and discuss the components involved in the system. Using the training data, we train our system to identify genuine messages and the system automatically learns from these examples. Different classifiers are tuned to get the maximum efficiency we can crunch out from this setup.

Once we have an efficient system, we do a deep dive and look at how one can trick the system to fail, again by using ML techniques.

Machine Learning (ML) is the future. Systems we use today use ML extensively, whether it is powering an e-commerce website or fraud detection in banking. However, it takes the average developer and security professional some level of skill and experience to apply machine learning and get useful results. It is a skill that anyone can learn, but we feel that material in this space is greatly lacking.

We give students a gentle introduction to the topic with the classic boolean classification problem and introduce classifiers, which are at the core of many of the most common ML systems. We deal with some easy to implement classifiers in sci-kit learn (linear classifiers, decision trees etc.), and show visualizations on how it works.

We then dive into training our classifiers with a labelled dataset. Trying different classifiers to approach the problem and verify the accuracy by cross verifying with the test data helps us choose an ideal algorithm for the problem in hand. This lab servers as a quick and practical introduction to the world of machine learning.

In addition, we guide the student through a simple example of deploying security machine learning systems in production pipelines in a distributed and scalable fashion using Apache Spark. Lastly, we will touch on ways that such systems can be poisoned, misguided, and utterly broken if the architects and implementers are not careful.


Thursday October 5, 2017 13:30 - 17:30 CEST
05. La Trappe Novotel

13:30 CEST

Windows malware development: A JMP in the dark
Limited Capacity full
Adding this to your schedule will put you on the waitlist.

Malware development has always been a subject that has been frowned upon, however it is a valuable skill to possess for Security Specialists as it will help them acquire a better understanding on how Windows operates under the hood. This knowledge can be applied in many fields such as general penetration testing and bug bounties.

Whilst the development of malware is not illegal, as at that point it is still just a piece of software, the distribution and usage of the software on third party systems is still illegal. Therefore, it can be a cumbersome task to piece together all the information, this workshop thus aims to centralize and explain this information in a coherent fashion.

Most modern-day malware uses injection, both for persistence and stealth purposes. During the workshop we will focus on the different injection techniques used, rather than on the malware itself. Stealth will be the common thread, it will become obvious how helpless antivirus software stands in the protection against these type of attacks, even with using defensive techniques such as function hooking.

After this workshop, security researchers will have a solid basis to start from to continue further research.

Speakers

Thursday October 5, 2017 13:30 - 17:30 CEST
03. Chimay Novotel

14:00 CEST

Evading Microsoft ATA for Active Directory Domination
Microsoft Advanced Threat Analytics (ATA) is a defense platform which reads information from multiple sources like traffic for certain protocols to the Domain Controller, Windows Event Logs and SIEM events. The information thus collected is used to detect Reconnaissance, Credentials replay, Lateral movement, Persistence attacks etc. Well known attacks like Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, Golden Ticket, Directory services replication, Brute-force, Skeleton key etc. can be detected using ATA. Whenever communication to a Domain Controller is done using protocols like Kerberos, NTLM, RPC, DNS, LDAP etc., ATA will parse that traffic for gathering information about not only possible attacks but user behavior as well. It slowly builds an organizational graph and can detect deviations from normal behavior.

Is it possible to evade this solid detection mechanism? What are the threats which ATA misses by design? How do Red Teamers and Penetration Testers can modify their attack chain and methodology to bypass ATA? Can we still have domain dominance?

The talk will be full of live demonstrations.

Speakers

Thursday October 5, 2017 14:00 - 15:00 CEST
01. Westvleteren University

15:00 CEST

Secure channels: Building real world crypto systems
Secure communication is one of the most common, most important real world application of cryptography today.
But besides being one of the most important requirements of modern communication systems people still keep getting this wrong. And it’s not fully clear why that is.
In this presentation we are going to explore the cryptography that is involved in building secure channels (the theory and the practice)
We are going to look at different secure channel concepts:
- Authenticated key establishment protocol;
- Key derivation phases;
- Protecting data using the derived key (typically using authenticated encryption).

Followed by an in-depth look of typical properties that we require of such channels and the specific cryptographic constructions that accomplish these properties.
We will look at the following properties:
- Data confidentiality;
- Data integrity;
- Authenticity of the messages.
We will explain some of the most famous security bugs in TLS and SSH and why they came to be by exploring the “cryptographic doom principle” and some of the proposed fixes.
In the second part of this presentation we are going to look at some recent efforts into secure secure channel implementations (SSH and TLS 1.3), and what the proposed fixes entailed.

What attendees will learn
Attendees will learn what a cryptographic secure channel is and what typical cryptographic constructions are involved in creating such a channel.

Speakers

Thursday October 5, 2017 15:00 - 16:00 CEST
01. Westvleteren University

16:00 CEST

Coffee Break
Thursday October 5, 2017 16:00 - 16:30 CEST
00. Lounge University

16:30 CEST

From Weakest Link to Retaliation Weapon: Building Efficient Anti-Social Engineering Awareness Program
As many infosec practitioners, early in my career I tended to disregard security awareness. People can't change, I thought, and the evidence was there. No matter what we, as security community, did to make our less savvy colleagues avoid social engineering threats, it seemed that it didn't work. But it turned out that we just did the wrong things. Much later, when I've become more familiar with the industry as a whole and the agendas that drive its players, I've realized that information security is simply not the field where the answers to the questions of human nature could be found. All infosec industry could offer, was moving "the user" as far as possible from the responsibility of their actions, normally by placing a bunch of intrusive software on their devices and some blinking boxed between them and the Internet. But wait, I pondered, if the human being is so unreliable and irresponsible, how happened that the humanity survived the natural threats and developed into the species that dominates planet Earth? Could we draw analogies between the threats in the real, kinetic world and the "cyber space"? Could we then use the strategies that helped us fight (or rather flight) a bear… or a tiger… to survive this new jungle out there? It turns out we could. During the last two years I've developed an efficient program that leads to significant increase in user resilience to modern cyber threats that employ social engineering principles and techniques. The approach it takes is backed by social psychology and behavioral science research results, as well as the track record of its successful application to the high-profile companies here in Ukraine, that face threats that are slightly unusual to most businesses abroad. During the talk I will let you know how it works, why it works, and how you can make it work for your own or any other company.

Thursday October 5, 2017 16:30 - 17:30 CEST
01. Westvleteren University

17:30 CEST

Open Source Security Orchestration
My original question was “How do I share a Fail2ban jail?” But there are many other questions aren’t there? How do we get to threats in time? How do we make sure that the evidence that we need gets captured or that the threat is stopped before it is too late? How do we do all this with a limited staff? We only have so many people. The answer to that is orchestration. Of course, the vendors can offer you something. As long as you want to pay lots of money, setup a complicated product, they got you covered. Seriously! I just want these two boxes talking. If this happens, I want this to happen. Can we just do that without some major operation? Yes. It turns out that we can.

We’ll start with Adaptive Network Protocol (ANP) which was developed so that nodes can share event information with each other. Install an ANP agent, peer it with as many systems as you want so that they can begin sharing, and then add an interface for every action that you would like a system to take when it sees a particular event. It is that easy.

In this session, we’ll show you how ANP works, how to install it, and cover all the use cases from generating your own Threat Intelligence feed, to sharing fail2ban jails across clouds, to automatically NATing threats to honeypots, and many more. To show you how it works, I will even demo some of these scenarios. What's more, you can take ANP home with you so that you too can use it to automate your network defenses. Because when it comes to defending your network, responding quickly can mean all the difference and with ANP you can do that.

Speakers

Thursday October 5, 2017 17:30 - 18:30 CEST
01. Westvleteren University

18:30 CEST

Dinner
Thursday October 5, 2017 18:30 - 20:00 CEST
00. Lounge University

21:30 CEST

BruCON Party
Join us at the BruCON party on Thursday (2017-10-05) Evening !

Location: Tijuana - Schuurkenstraat 2




Thursday October 5, 2017 21:30 - 23:59 CEST
Tijuana Schuurkenstraat 2
 
Friday, October 6
 

07:30 CEST

Hacker Run (10K)
What better way is there to start the second conference day than running 10km with a bunch of hackers?

Put on your running shoes and join us at the entrance of the Novotel (workshop venue) on Friday at 7:30.

We’ll be back in time to freshen up and attend the first presentation of the day.

Word is that it’s also a good way to get rid of a hangover!

Friday October 6, 2017 07:30 - 08:30 CEST
Novotel Novotel Ghent

08:30 CEST

Registration & Breakfast
Friday October 6, 2017 08:30 - 10:00 CEST
00. Lounge University

10:00 CEST

10:00 CEST

ICS and IoT Village
Friday October 6, 2017 10:00 - 18:00 CEST
02. Westmalle University

10:30 CEST

Defeating Proprietary Protocols the Smart Way
Limited Capacity full
Adding this to your schedule will put you on the waitlist.

Started six years ago, the project Netzob [www.netzob.org] aims at providing state-of-the-art algorithms for protocol reverse engineering in an open source framework. In this project, we have implemented and extended previous academic works for message format and state machine reversing. We have also designed novel algorithms that properly exploits contextual information to infer the semantic attributes contained in protocols.

The project Netzob does not only focus on protocol reversing, and now addresses many needs related to security (traffic generation of proprietary protocols for the evaluation of security products, ”smart” fuzzing of protocol implementation, automatic generation of protocol parsers, etc.). Netzob is usable through a Python API that allows a semi-automatic approach for reverse engineering. It also deals with several communication vectors (USB, Network, PCAP files, IPC, ...) and can easily be extended thanks to its code architecture.

During this workshop, the following topics will be addressed through practical and realistic exercises:
- Common and advanced protocol reverse engineering techniques. This part will cover techniques such as automatic field identifications, contextual clustering, semantic sequence alignment, field’s dependency identification through correlation means, …
- “Smart” fuzzing of undocumented or proprietary protocols. This part will focus on traffic generation and mutation strategies along with various techniques to produce a fine grained definition domain configuration of each fields and state machine transition to fuzz.
- Vulnerability assessment by means of state machine comparison. This part will focus on the automatic extraction of the state machine of a protocol. Once achieved, attendees will learn how to leverage this technique on multiple implementations of the same protocol to find vulnerabilities.


Friday October 6, 2017 10:30 - 12:30 CEST
04. Orval Novotel

10:30 CEST

Getting the Most Out of Windows Event Logs
Limited Capacity full
Adding this to your schedule will put you on the waitlist.

A typical mistake repeatedly made by many security teams is that they collect such large amount of events that at the end their Security Information and Event Management (SIEM) solution chokes on the data fed into it, rendering it slow and ineffective. "Collect all the events!!!" sounds nice in theory, but in practice, less is often more and we must select and focus on events that provide real value from a security perspective and have an actual use-case behind them. But what if we do not even have a SIEM and cannot afford one or do not have the staff or the skill to deploy and maintain one? Luckily, in a Microsoft Windows environment we have built-in and free tools at our disposal to get quickly started with security monitoring and hunting using Windows Event Logs.

In this workshop, we will go through some of the most important and valuable Windows Events to be collected such as AppLocker or EMET events, user and service creation events, PowerShell commands, etc. We will discuss how to properly configure Advanced Audit Policy Settings, see how to collect events with Windows Event Forwarding (WEF) and how to set up Sysmon for advanced application and process monitoring.

Once we have the list of events we need, we will see a few simple PowerShell commands and modules that can help us slice and dice Event Logs like Get-WinEvent. We will also test scripts and tools that are made for monitoring and detection, such as DeepBlueCLI. Finally, we will use the free Power BI Desktop to build nice dashboards to give us a better overview of the data we are collecting.

Speakers

Friday October 6, 2017 10:30 - 12:30 CEST
05. La Trappe Novotel

10:30 CEST

May the data stay with you - Network Data Exfiltration Techniques.
Limited Capacity full
Adding this to your schedule will put you on the waitlist.

Data exfiltration is the process of transmitting data from pwned or infected networks back to the attacker while trying to minimize detection.
During this workshop (2 hours) we will go through different network exfiltration methods and techniques (DNS, ICMP, TCP, UDP, HTTP, RDP, Cloud-app based and others). I will explain how they work, how to run them and what differences between are. It is a highly interactive workshop (I have dozen short labs already prepared) where you will be guided through the use of a set of open source tools powered by a short-fast theory. This hands-on workshop content and labs is a part of my three day "Open Source Defensive Security" training.

Speakers

Friday October 6, 2017 10:30 - 12:30 CEST
03. Chimay Novotel

11:00 CEST

See no evil, hear no evil: Hacking invisibly and silently with light and sound
Traditional techniques for C2 channels, exfiltration, surveillance, and exploitation are often frustrated by the growing sophistication and prevalence of security protections, monitoring solutions, and controls. Whilst all is definitely not lost, from an attacker's perspective - we constantly see examples of attackers creatively bypassing such protections - it is always beneficial to have more weapons in one's arsenal, particularly when coming up against heavily-defended networks and highly-secured environments.

This talk demonstrates a number of techniques and attacks which leverage light and/or sound, using off-the-shelf hardware. It covers everything from C2 channels and exfiltration using light and near-ultrasonic sound, to disabling and disrupting motion detectors; from laser microphones, to catapulting drones into the stratosphere (or the ceiling if you're risk-averse); from trolling friends, to jamming speech and demotivating malware analysts.

This talk not only provides attendees with a new suite of techniques and methodologies to consider when coming up against a well-defended target, but also demonstrates, in a hopefully fun and practical way, how these techniques work, their advantages, disadvantages, and possible future developments. It also gives details of real case studies where some of these techniques have been used, and provides defenders with realistic methods for the mitigation of these attacks.

Finally, the talk covers some ideas for future research in this area.

Speakers

Friday October 6, 2017 11:00 - 12:00 CEST
01. Westvleteren University

12:00 CEST

Browser Exploits? Grab them by the… collar!
APT has become a hot topic in enterprise IT today. One of the softwares that we see becomes victim of APT attack more often is web browsers and the attack surface is becoming bigger and bigger every day.

TCP Live Stream Injection (https://en.wikipedia.org/wiki/Packet_injection) is a technique that we have seen, is being abused by various Internet Service Providers, Router vendors for decades. We have seen in the past, using this technique ISPs, router vendors intercepts HTTP traffic and inject arbitrary data silently into HTTP responses. This is usually done by injecting arbitrary JavaScript code into actual HTTP response body in real time. When the injected JavaScript code reaches client browser it performs various operations such as loading advertisements, information gathering etc.

This paper presents a generic browser exploit detection technique that uses the same Live Network Stream Code Injection technique to reliably catch browser exploits. The detection system can be considered as completely agent less and capable of detecting various techniques, used in modern browser exploitation. Unlike any other Host Based Intrusion Prevention Systems, to be able to generically detect and block browser exploits, no OS API hooking, dll injection or code injection is required in browser process.

Speakers

Friday October 6, 2017 12:00 - 13:00 CEST
01. Westvleteren University

13:00 CEST

Lunch
Friday October 6, 2017 13:00 - 14:00 CEST
00. Lounge University

13:30 CEST

Building a cheap, robust, scaling, penetration testing/bug bounty super computer
Limited Capacity full
Adding this to your schedule will put you on the waitlist.

Are you confronted with huge amounts of IP addresses you need to scan or penetration test against?
Are you ready to go into bug bounty hunting on a large scale?
Do you need to do open source intelligence for hundreds of domains and users?

Then you need a scalable and robust system that is easy to build and maintain, easy to control and that can scale in seconds.

During this workshop we will build a system that can use physical computers, virtual machines, cloud based systems, mobile phones, mini computers (system on a chip such as the Raspberry PI) and even microcontrollers such as an Arduino. Basically, if it has a CPU or chip in it we can attach it as a worker.
This system will be robust; a defect part will not affect the system as a whole. It will be cheap by using some cloud solutions and cheap hardware. It will be versatile; we could program it to do whatever we want. All this in the space of under 4 hours.

Some of the tasks we will achieve in this workshop:
- generate rainbow tables on the fly and crack a password
- create an open source intelligence report really fast
- perform a penetration test on a big network comprised of different types of servers (SSH, DNS, web applications, web services ...)
- furthermore we will show how this system can be used to help you get started in bug bounties by doing things like DNS brute forcing


Friday October 6, 2017 13:30 - 17:30 CEST
03. Chimay Novotel

13:30 CEST

ICS Pentest 101
Limited Capacity full
Adding this to your schedule will put you on the waitlist.

There is a lot of talking about ICS, SCADA and such nowadays, but only few people have the opportunity to get their hands dirty and understand how it works. The goal of this workshop is to give the knowledge required to start attacking Scada networks and PLCs, and give hands-on experience on real devices and have fun hacking a model train !

In this workshop, you will learn the specifics of performing a penetration test on industrial control systems, and especially on Programmable Logic Controllers (PLCs). We will cover the main components and the commonly associated security flaws of industrial control systems, aka SCADA systems. We will discover how they work, how they communicate with the SCADA systems, to learn the methods and tools you can use to p*wn them.

Then we will move on to real-world by attacking real PLCs from two major manufacturers on a dedicated setup featuring a robot arm and a model train !

Speakers
AS

Arnaud Soullié

Arnaud Soullié is a manager at Wavestone, performing security audits and leading R&D projects. He has a specific interest in Active Directory security as well as ICS, two subjects that tend to collide nowadays. He teaches ICS security and pentests workshops at security conferences... Read More →
AT

Alexandrine Torrents

Alexandrine Torrents is a cybersecurity consultant at Wavestone, a French consulting company. She is specialized in penetration testing, and performed several security assessment on ICS. She worked on a few ICS models to demonstrate attacks on PLCs and she developed a particular tool... Read More →


Friday October 6, 2017 13:30 - 17:30 CEST
02. Westmalle University

13:30 CEST

Jedi's trick to convince your boss and colleagues
Limited Capacity full
Adding this to your schedule will put you on the waitlist.

/!\ Important Notice /!\

For The workshop, if you have an example of something you want(ed) to communicate within your organization and that you have prepared, please bring it with you or even send it to brucon @ apalala . be. It can be just an idea, a description of something you want to change or promote or even some slides. We'll work on it all together.
-------------------------------------------------------------------------------------------------------------------------------------

Social engineering techniques can be used to hack into companies and help the dark side reach their targets. They can also be used by the light side to help you achieve your objectives: make the company more secure.

How often did you present a good and original solution but your bosses were reluctant to change the current shitty solution? How often did you tried to change processes so they are more straightforward, more efficient, and your colleagues just reject the idea to avoid an additional burden? How often do you try to convince end-users to do the things rights, using videos, presentation, cartoons even, and there's still people doing it wrong?

There is Jedi's tricks for that, its all around you, it is called social psychology and we'll give you the foundations to improve your impact and your success rate. Based on latest researches in Social psychology and neuro-sciences, in persuasive communication and in psychotherapies, this workshop will present you with the few building blocks necessary to build efficient communication or winning negotiations. We'll ask participants to submit, if they will, example of communications or projects they would like to promote or defend. The workshop will be held under Chattam house rules to foster open communication and disclosure.

Of course, the force is the same for the Siths and the Jedis, so you'll be able to use these techniques for both the dark and the light side.

Speakers

Friday October 6, 2017 13:30 - 17:30 CEST
04. Orval Novotel

13:30 CEST

Mimikatz
Limited Capacity full
Adding this to your schedule will put you on the waitlist.

Speakers

Friday October 6, 2017 13:30 - 17:30 CEST
05. La Trappe Novotel

14:00 CEST

XFLTReaT: a new dimension in tunnelling
This presentation will sum up how to do tunnelling with different protocols and will have different perspectives detailed. For example, companies are fighting hard to block exfiltration from their network: they use http(s) proxies, DLP, IPS technologies to protect their data, but are they protected against tunnelling? There are so many interesting questions to answer for users, abusers, companies and malware researchers. Mitigation and bypass techniques will be shown you during this presentation, which can be used to filter any tunnelling on your network or to bypass misconfigured filters.

Our new tool XFLTReaT is an open-source tunnelling framework that handles all the boring stuff and gives users the capability to take care of only the things that matter. It provides significant improvements over existing tools. From now on there is no need to write a new tunnel for each and every protocol or to deal with interfaces and routing. Any protocol can be converted to a module, which works in a plug-and-play fashion; authentication and encryption can be configured and customised on all traffic and it is also worth mentioning that the framework was designed to be easy to configure, use and develop. In case there is a need to send packets over ICMP type 0 or HTTPS TLS v1.2 with a special header, then this can be done in a matter of minutes, instead of developing a new tool from scratch. The potential use (or abuse) cases are plentiful, such as bypassing network restrictions of an ISP, the proxy of a workplace or obtaining Internet connectivity through bypassing captive portals in the middle of the Atlantic Ocean or at an altitude of 33000ft on an airplane.

This framework is not just a tool; it unites different technologies in the field of tunnelling. While we needed to use different tunnels and VPNs for different protocols in the past like OpenVPN for TCP and UDP, ptunnel for ICMP or iodined for DNS tunnelling, it changes now. After taking a look at these tools it was easy to see some commonality, all of them are doing the same things only the means of communication are different. We simplified the whole process and created a framework that is responsible for everything but the communication itself, we rethought the old way of tunnelling and tried to give something new to the community. After the initial setup the framework takes care of everything. With the check functionality we can even find out, which module can be used on the network, there is no need for any low-level packet fu and hassle. I guarantee that you won’t be disappointed with the tool and the talk, actually you will be richer with an open-source tool.

Speakers

Friday October 6, 2017 14:00 - 15:00 CEST
01. Westvleteren University

15:00 CEST

DYODE

DYODE (Do Your Own Dyode) is a low cost, DIY data diode aimed at securing Industrial Control Systems. While data diodes have been used for a long time on classified networks, the high cost and complexity of implementation have kept them away from a lot of valid use cases on industrial control systems. During our assignments, we encountered many situations in which time or availability constraints were not really high -but the security risk was- and a commercial data diode way too costly.

 

We developed a working data diode using standard components and open source libraries. We want to prove with this project that it is possible to produce a simple, working, ICS oriented data diode for less than $200. The principles of using COTS components to make a data diode are not brand new, but we aim at providing a package software solution to ease the creation process, with a specific focus on ICS.

Our diode can be used for file transfer, Modbus data transfer as well as screen sharing for remote debugging.

We will demo v2 of the DYODE, a diode based on serial connection and optocoupler, that only allows very low speed exchanges (sufficient for Modbus) for an even cheaper cost (around 50$).


Speakers
AS

Arnaud Soullié

Arnaud Soullié is a manager at Wavestone, performing security audits and leading R&D projects. He has a specific interest in Active Directory security as well as ICS, two subjects that tend to collide nowadays. He teaches ICS security and pentests workshops at security conferences... Read More →


Friday October 6, 2017 15:00 - 16:00 CEST
01. Westvleteren University

16:00 CEST

Coffee Break
Friday October 6, 2017 16:00 - 16:30 CEST
00. Lounge University

16:30 CEST

Weaponizing the BBC Micro:Bit
In 2015, BBC sponsored Micro:Bit was launched and offered to one million
students in the United Kingdom to teach them how to code. This device is
affordable and have a lot of features and can be programmed in Python rather
than C++ like the Arduino. When we discovered this initiative in 2016, we
quickly thought it was possible to turn this tiny device into some kind of
super-duper portable wireless attack tool, as it is based on a well-known
2.4GHz RF chip produced by Nordic Semiconductor.

It took us a few months to hack into the Micro:Bit firmware and turn it
into a powerful wireless attack tool able to sniff keystrokes from wireless
keyboards or to hijack and take complete control of quadcopters during flight.
We also developed many tools allowing security researchers to interact with
proprietary 2.4GHz protocols, such as an improved sniffer inspired by the
mousejack tools designed by Bastille. Source code of our custom firmware and related tools are opensource.

The Micro:Bit will become a nifty platform to create portable RF attack tools
and ease the life of security researchers dealing with 2.4GHz protocols !

Speakers

Friday October 6, 2017 16:30 - 17:30 CEST
01. Westvleteren University

17:30 CEST

MEATPISTOL, A Modular Malware Implant Framework
Attention Red Teamers, Penetration Testers, and Offensive Security Operators, isn’t the overhead of fighting attribution, spinning up infrastructure, and having to constantly re-write malware an absolute pain and timesink!?! It was for us too, so we’re fixing that for good (well, maybe for evil). Join us for the public unveiling and open source release of our latest project, MEATPISTOL, a modular malware framework for implant creation, infrastructure automation, and shell interaction. This framework is designed to meet the needs of offensive security operators requiring rapid configuration and creation of long lived malware implants and associated command and control infrastructure. Say goodbye to writing janky one-off malware and say hello to building upon a framework designed to support efficient yoloscoped adversarial campaigns against capable targets.


Friday October 6, 2017 17:30 - 18:30 CEST
01. Westvleteren University

18:30 CEST

BruCON Closing
Friday October 6, 2017 18:30 - 18:45 CEST
01. Westvleteren University
 
Filter sessions
Apply filters to sessions.