BruCON 0x09 has ended


Thursday, October 5


BruCON Opening
Thursday October 5, 2017 09:45 - 10:00
01. Westvleteren University


Keynote - The cyber short. A market solution for product safety and corporate governance

The Bug Short: What I learned on the way to Wall Street.

Justine Bone presents the world's first ever cyber security-backed short position.


As CEO of MedSec, Justine and her team successfully utilized cybersecurity research to impact company performance. Working in partnership with the Muddy Waters investment fund, Justine changed the calculus of how security experts can invest, conduct, and deliver research. Justine describes the factors, gotchas, and preparation required to embark and execute on such a project, enacting a new way to monetize vulnerabilities and address the dysfunctional market around product security.


Justine Bone

Justine is a recovering vulnerability researcher and security executive with background in software security research, risk management, information security governance, and identity management. Justine currently serves as the CEO of cyber-security company MedSec, a vulnerability research...

Thursday October 5, 2017 10:00 - 11:00
01. Westvleteren University


Detecting malware even when it is encrypted - Machine Learning for network HTTPS analysis
With the increasing amount of malware HTTPS traffic, it is a challenge to discover new features and methods to detect malware without decrypting the traffic. A detection method that does not need to decrypt the traffic is cheaper (because no traffic interceptor is needed), faster and private, respecting the original idea of HTTPS. Our research goal is to detect malware HTTPS connections using data from Bro IDS logs [1], without decrypting the traffic.

We created and extracted our features from data logs that the Bro IDS is able to generate from a pcap file. Bro offers information about flows, SSL handshakes and X.509 certificates. These three types of data give us enough information to create powerful features and machine learning algorithms to detect the malicious HTTPS traffic with good accuracy.

Our machine learning algorithm uses 30 different features. These features are divided into features for flows, features for SSL handshakes and features for X.509 certificates. One of our main contributions is that our data model is based on connection 4-tuples. A connection 4-tuple aggregates the group of flows which share the same SrcIP, DstIP, DstPort, and protocol. Therefore, each connection summarizes the behavior of the malware while connecting to the same C&C server. Such aggregation proved paramount for the success of our method.

A core part of our research was the production and selection of correct datasets. We used 13 datasets from the CTU-13 malware dataset [2], 55 malware datasets from the Stratosphere Malware Capture Facility Project (done by Maria Jose Erquiaga) [3] and we produced 20 of our own normal datasets. Each dataset was processed to extract the Bro files from the original pcap files. Afterwards, each dataset was labeled using our expert knowledge. The amount of malware and normal traffic in our entire dataset is balanced.

Our detection method consisted of using and comparing several machine learning algorithms to learn how normal HTTPS traffic differs from malware HTTPS traffic based on our behavioral features. Our results show that malware HTTPS behaviour is distinct from normal HTTPS behaviour and that our methods are able to detect malware with good accuracy without decrypting the traffic.

[1] https://www.bro.org/
[2] https://stratosphereips.org/category/dataset.html
[3] https://mcfp.felk.cvut.cz/publicDatasets/
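The abstract's data model (grouping Bro conn.log flows into connection 4-tuples of SrcIP, DstIP, DstPort and protocol, then deriving per-connection behavioural features) can be illustrated with a small parser. The code below is an added example, not the talk's own code or the authors' feature set: it uses a constructed conn.log fragment with a subset of the real Bro columns, and the flow-level features it computes (flow count, byte totals, inter-arrival timing, completed-handshake fraction) are an illustrative selection, not the 30 features the research used. SSL handshake and X.509 features would be joined onto the same 4-tuple keys from Bro's ssl.log and x509.log in the same way.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample Bro conn.log: a subset of the real columns, in their real
# order, tab-separated after a "#fields" header; "-" marks an unset field.
_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
           "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]
_ROWS = [
    # a beacon-like pattern: one short flow every 60 s to the same host/port
    ("1507190400.10", "C1", "10.0.0.5", "49152", "203.0.113.7", "443", "tcp", "ssl", "0.5", "300", "150", "SF"),
    ("1507190405.00", "C2", "10.0.0.5", "49153", "198.51.100.20", "443", "tcp", "ssl", "12.0", "4000", "250000", "SF"),
    ("1507190410.00", "C3", "10.0.0.5", "49154", "198.51.100.20", "80", "tcp", "http", "1.0", "500", "3000", "SF"),
    ("1507190460.10", "C4", "10.0.0.5", "49155", "203.0.113.7", "443", "tcp", "ssl", "0.5", "300", "150", "SF"),
    ("1507190520.10", "C5", "10.0.0.5", "49156", "203.0.113.7", "443", "tcp", "ssl", "0.5", "300", "150", "SF"),
    ("1507190580.10", "C6", "10.0.0.5", "49157", "203.0.113.7", "443", "tcp", "ssl", "0.5", "300", "150", "SF"),
    ("1507190640.10", "C7", "10.0.0.5", "49158", "203.0.113.7", "443", "tcp", "ssl", "-", "-", "-", "S0"),
    ("1507190900.00", "C8", "10.0.0.5", "49159", "198.51.100.20", "443", "tcp", "ssl", "3.0", "1500", "60000", "SF"),
]
SAMPLE_CONN_LOG = ("#fields\t" + "\t".join(_FIELDS) + "\n"
                   + "\n".join("\t".join(r) for r in _ROWS) + "\n")

# Illustrative flow-level features (my selection, not the talk's 30 features).
FEATURE_NAMES = ["n_flows", "mean_duration", "total_orig_bytes", "total_resp_bytes",
                 "bytes_ratio", "mean_interarrival", "interarrival_stdev", "frac_sf"]


def _num(value):
    """Bro writes '-' for unset numeric fields."""
    return None if value == "-" else float(value)


def parse_conn_log(text):
    """Parse a Bro conn.log (TSV with a '#fields' header) into flow records."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):          # #separator, #types, #close, ...
            continue
        if fields is None:
            raise ValueError("conn.log data before #fields header")
        raw = dict(zip(fields, line.split("\t")))
        records.append({
            "ts": float(raw["ts"]), "uid": raw["uid"],
            "src": raw["id.orig_h"], "dst": raw["id.resp_h"],
            "dport": int(raw["id.resp_p"]), "proto": raw["proto"],
            "duration": _num(raw["duration"]),
            "orig_bytes": _num(raw["orig_bytes"]),
            "resp_bytes": _num(raw["resp_bytes"]),
            "conn_state": raw["conn_state"],
        })
    return records


def flow_features(flows):
    """Summarise all flows of one 4-tuple into a single feature dict."""
    flows = sorted(flows, key=lambda r: r["ts"])
    durations = [f["duration"] for f in flows if f["duration"] is not None]
    orig = sum(f["orig_bytes"] or 0 for f in flows)
    resp = sum(f["resp_bytes"] or 0 for f in flows)
    gaps = [b["ts"] - a["ts"] for a, b in zip(flows, flows[1:])]  # seconds between flow starts
    return {
        "n_flows": len(flows),
        "mean_duration": mean(durations) if durations else 0.0,
        "total_orig_bytes": orig,
        "total_resp_bytes": resp,
        "bytes_ratio": orig / resp if resp else 0.0,
        "mean_interarrival": mean(gaps) if gaps else 0.0,
        "interarrival_stdev": pstdev(gaps) if gaps else 0.0,   # near 0 => very regular timing
        "frac_sf": sum(f["conn_state"] == "SF" for f in flows) / len(flows),
    }


def aggregate_4tuples(records):
    """Group flows by (SrcIP, DstIP, DstPort, proto), the talk's connection 4-tuple."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["dst"], r["dport"], r["proto"])].append(r)
    return {key: flow_features(flows) for key, flows in groups.items()}


def feature_matrix(aggregates):
    """Rows of (4-tuple key, feature vector in FEATURE_NAMES order) for a classifier."""
    return [(key, [feats[n] for n in FEATURE_NAMES]) for key, feats in sorted(aggregates.items())]


if __name__ == "__main__":
    for key, vec in feature_matrix(aggregate_4tuples(parse_conn_log(SAMPLE_CONN_LOG))):
        print(key, dict(zip(FEATURE_NAMES, vec)))
```

On the constructed input the 203.0.113.7:443 tuple stands out by its five uniformly spaced, uniformly sized flows (inter-arrival standard deviation of zero), which is the kind of per-connection behaviour that is visible without decrypting anything; the feature rows are what would be handed to the classifiers the abstract compares.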

Thursday October 5, 2017 11:00 - 12:00
01. Westvleteren University


Knock Knock... Who's there? admin admin and get in! An overview of the CMS brute-forcing malware landscape.
With more than 18M websites on the internet using WordPress [1] and hundreds of known vulnerabilities reported [2], this and other well-known Content Management Systems (CMS) have been systematically attacked in recent years by different threat actors looking for disposable infrastructure for their attacks.

Brute-forcing is one of the most common types of attack against CMSs. The main goal of this attack is pretty straightforward: to obtain a valid username and password and gain access to the CMS administration panel. Attackers take advantage of the fact that, in most cases, the passwords chosen for CMS accounts are still very weak: admin, 123456, qwerty, etc. Successfully brute-forced websites are commonly used for hosting C&Cs, scams, and drive-by attacks to spread malware, or are even sold on the black market to interested parties.

The goal of this presentation is threefold: first, to outline different malware and botnets with CMS brute-forcing capabilities; second, to provide a comparison of the most prominent brute-forcing botnets with a focus on their technical capabilities; third, to present an in-depth analysis of a real-life distributed brute-force attack on a popular CMS platform performed by a botnet known as Sathurbot.

While the trojan Sathurbot first appeared in 2013 [3], it is still active and affecting hundreds of users. To date, the trojan has 4 known modules: backdoor, downloader, web crawler, and brute-forcing. The downloader module allows the trojan to deliver additional malware to the infected machine, such as Boaxxe, Kovter, and Fleercivet. The web crawler module allows the trojan to query different search engines for websites using the WordPress CMS. The brute-forcing module is what the trojan uses to attempt to log in to WordPress admin panels with different credentials. The case study focuses on the web crawling and brute-forcing modules, with specific insights obtained from a real-life infection. It will provide insights into the infrastructure, target selection, aggressiveness, and an analysis of its success from our observations.

As a final contribution, we will present some detection methods that can be used to identify CMS brute-forcing attacks.

[1] Built With. (2017, April). WordPress Usage Statistics. Retrieved from https://trends.builtwith.com/cms/WordPress
[2] CVE Details. (2017, April). WordPress Security Vulnerabilities. Retrieved from https://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/
[3] Krebs On Security. (2013, April) Brute Force Attacks Build WordPress Botnet. Retrieved from https://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/


Thursday October 5, 2017 12:00 - 13:00
01. Westvleteren University


Evading Microsoft ATA for Active Directory Domination
Microsoft Advanced Threat Analytics (ATA) is a defense platform which reads information from multiple sources, such as traffic for certain protocols to the Domain Controller, Windows Event Logs and SIEM events. The information thus collected is used to detect reconnaissance, credential replay, lateral movement, persistence attacks, etc. Well-known attacks like Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, Golden Ticket, directory services replication, brute-force, Skeleton Key, etc. can be detected using ATA. Whenever a client communicates with a Domain Controller over protocols like Kerberos, NTLM, RPC, DNS, LDAP, etc., ATA parses that traffic to gather information not only about possible attacks but about user behavior as well. It slowly builds an organizational graph and can detect deviations from normal behavior.

Is it possible to evade this solid detection mechanism? What are the threats which ATA misses by design? How can Red Teamers and Penetration Testers modify their attack chain and methodology to bypass ATA? Can we still achieve domain dominance?

The talk will be full of live demonstrations.


Thursday October 5, 2017 14:00 - 15:00
01. Westvleteren University


Secure channels: Building real world crypto systems
Secure communication is one of the most common and most important real-world applications of cryptography today.
But despite being one of the most important requirements of modern communication systems, people still keep getting this wrong. And it’s not fully clear why that is.
In this presentation we are going to explore the cryptography that is involved in building secure channels (the theory and the practice).
We are going to look at different secure channel concepts:
- Authenticated key establishment protocol;
- Key derivation phases;
- Protecting data using the derived key (typically using authenticated encryption).

This is followed by an in-depth look at the typical properties that we require of such channels and the specific cryptographic constructions that accomplish these properties.
We will look at the following properties:
- Data confidentiality;
- Data integrity;
- Authenticity of the messages.
We will explain some of the most famous security bugs in TLS and SSH and why they came to be by exploring the “cryptographic doom principle” and some of the proposed fixes.
In the second part of this presentation we are going to look at some recent efforts at secure channel implementations (SSH and TLS 1.3), and what the proposed fixes entailed.

What attendees will learn
Attendees will learn what a cryptographic secure channel is and what typical cryptographic constructions are involved in creating such a channel.
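The three phases the abstract lists (key establishment, key derivation, and protecting records with the derived keys) and the "cryptographic doom principle" it refers to can be made concrete in a small record-layer sketch. The code below is an added teaching example, not code from the talk, TLS or SSH, and not a real-world AEAD: it assumes the key-agreement phase has already produced a shared secret (a constructed byte string here), derives four direction-specific keys with HKDF (RFC 5869, built from HMAC-SHA256), encrypts with HMAC-SHA256 used as a PRF in counter mode in place of a block cipher, and authenticates in encrypt-then-MAC order so that the receiver verifies the tag and rejects the record before it ever decrypts or parses the ciphertext. The key labels, the `info` string and the 12-byte sequence-number nonce are my own choices.

```python
import hashlib
import hmac

HASH = hashlib.sha256
TAG_LEN = 32       # HMAC-SHA256 tag
NONCE_LEN = 12     # sequence number, big-endian


def hkdf_extract(salt, ikm):
    """HKDF-Extract (RFC 5869): concentrate the shared secret into a PRK."""
    return hmac.new(salt or b"\x00" * HASH().digest_size, ikm, HASH).digest()


def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869): stretch the PRK into `length` bytes of keying material."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_channel_keys(shared_secret, transcript_hash):
    """Key-derivation phase: one encryption key and one MAC key per direction.

    Separate keys per purpose and per direction mean a record can never be
    reflected back to its sender or have its MAC key reused for encryption.
    """
    prk = hkdf_extract(transcript_hash, shared_secret)
    okm = hkdf_expand(prk, b"demo-secure-channel v1", 4 * 32)   # label is an assumption
    return {"c2s_enc": okm[0:32], "c2s_mac": okm[32:64],
            "s2c_enc": okm[64:96], "s2c_mac": okm[96:128]}


def _keystream(enc_key, nonce, length):
    """PRF in counter mode: HMAC(key, nonce || counter) stands in for a block cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), HASH).digest()
        counter += 1
    return out[:length]


def seal(enc_key, mac_key, seq, plaintext, aad=b""):
    """Encrypt-then-MAC one record; `seq` must never repeat under the same key."""
    nonce = seq.to_bytes(NONCE_LEN, "big")
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + aad + ciphertext, HASH).digest()
    return nonce + ciphertext + tag


def unseal(enc_key, mac_key, expected_seq, record, aad=b""):
    """Verify first, decrypt second; returns None for any rejected record."""
    if len(record) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    if nonce != expected_seq.to_bytes(NONCE_LEN, "big"):
        return None                                   # replayed or reordered record
    expected = hmac.new(mac_key, nonce + aad + ciphertext, HASH).digest()
    if not hmac.compare_digest(expected, tag):        # constant-time comparison
        return None                                   # doom principle: no decryption before the MAC passes
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


if __name__ == "__main__":
    # Constructed values standing in for the output of the key-agreement phase.
    keys = derive_channel_keys(b"constructed-shared-secret", b"constructed-transcript-hash")
    rec = seal(keys["c2s_enc"], keys["c2s_mac"], 0, b"GET / HTTP/1.1", b"hdr")
    print(unseal(keys["c2s_enc"], keys["c2s_mac"], 0, rec, b"hdr"))      # b'GET / HTTP/1.1'
    print(unseal(keys["c2s_enc"], keys["c2s_mac"], 1, rec, b"hdr"))      # None: wrong sequence number
```

The order of checks in `unseal` is the whole point: a flipped ciphertext bit, a record sent under the other direction's keys, a replay with the wrong sequence number, or mismatched associated data all fail before any decryption happens, so the receiver never hands attacker-controlled bytes to a decryptor or parser whose error behaviour could leak information, which is the failure class behind the MAC-then-encrypt bugs in TLS the abstract alludes to.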


Thursday October 5, 2017 15:00 - 16:00
01. Westvleteren University


From Weakest Link to Retaliation Weapon: Building Efficient Anti-Social Engineering Awareness Program
Like many infosec practitioners, early in my career I tended to disregard security awareness. People can't change, I thought, and the evidence was there. No matter what we, as a security community, did to make our less savvy colleagues avoid social engineering threats, it seemed that it didn't work. But it turned out that we had just done the wrong things. Much later, when I had become more familiar with the industry as a whole and the agendas that drive its players, I realized that information security is simply not the field where the answers to the questions of human nature can be found. All the infosec industry could offer was moving "the user" as far as possible from the responsibility for their actions, normally by placing a bunch of intrusive software on their devices and some blinking boxes between them and the Internet. But wait, I pondered: if the human being is so unreliable and irresponsible, how did humanity survive natural threats and develop into the species that dominates planet Earth? Could we draw analogies between the threats in the real, kinetic world and "cyber space"? Could we then use the strategies that helped us fight (or rather flight) a bear… or a tiger… to survive this new jungle out there? It turns out we could. During the last two years I have developed an efficient program that leads to a significant increase in user resilience to modern cyber threats that employ social engineering principles and techniques. The approach it takes is backed by social psychology and behavioral science research results, as well as the track record of its successful application to high-profile companies here in Ukraine, which face threats that are slightly unusual to most businesses abroad. During the talk I will let you know how it works, why it works, and how you can make it work for your own or any other company.

Thursday October 5, 2017 16:30 - 17:30
01. Westvleteren University


Open Source Security Orchestration
My original question was “How do I share a Fail2ban jail?” But there are many other questions, aren’t there? How do we get to threats in time? How do we make sure that the evidence that we need gets captured, or that the threat is stopped before it is too late? How do we do all this with a limited staff? We only have so many people. The answer to that is orchestration. Of course, the vendors can offer you something. As long as you want to pay lots of money and set up a complicated product, they've got you covered. Seriously! I just want these two boxes talking. If this happens, I want that to happen. Can we just do that without some major operation? Yes. It turns out that we can.

We’ll start with Adaptive Network Protocol (ANP) which was developed so that nodes can share event information with each other. Install an ANP agent, peer it with as many systems as you want so that they can begin sharing, and then add an interface for every action that you would like a system to take when it sees a particular event. It is that easy.

In this session, we’ll show you how ANP works, how to install it, and cover all the use cases from generating your own Threat Intelligence feed, to sharing fail2ban jails across clouds, to automatically NATing threats to honeypots, and many more. To show you how it works, I will even demo some of these scenarios. What's more, you can take ANP home with you so that you too can use it to automate your network defenses. Because when it comes to defending your network, responding quickly can mean all the difference and with ANP you can do that.


Thursday October 5, 2017 17:30 - 18:30
01. Westvleteren University
Friday, October 6



See no evil, hear no evil: Hacking invisibly and silently with light and sound
Traditional techniques for C2 channels, exfiltration, surveillance, and exploitation are often frustrated by the growing sophistication and prevalence of security protections, monitoring solutions, and controls. Whilst all is definitely not lost, from an attacker's perspective - we constantly see examples of attackers creatively bypassing such protections - it is always beneficial to have more weapons in one's arsenal, particularly when coming up against heavily-defended networks and highly-secured environments.

This talk demonstrates a number of techniques and attacks which leverage light and/or sound, using off-the-shelf hardware. It covers everything from C2 channels and exfiltration using light and near-ultrasonic sound, to disabling and disrupting motion detectors; from laser microphones, to catapulting drones into the stratosphere (or the ceiling if you're risk-averse); from trolling friends, to jamming speech and demotivating malware analysts.

This talk not only provides attendees with a new suite of techniques and methodologies to consider when coming up against a well-defended target, but also demonstrates, in a hopefully fun and practical way, how these techniques work, their advantages, disadvantages, and possible future developments. It also gives details of real case studies where some of these techniques have been used, and provides defenders with realistic methods for the mitigation of these attacks.

Finally, the talk covers some ideas for future research in this area.


Friday October 6, 2017 11:00 - 12:00
01. Westvleteren University


Browser Exploits? Grab them by the… collar!
APT has become a hot topic in enterprise IT today. One kind of software that we see falling victim to APT attacks more and more often is the web browser, and its attack surface is becoming bigger every day.

TCP Live Stream Injection (https://en.wikipedia.org/wiki/Packet_injection) is a technique that we have seen abused by various Internet Service Providers and router vendors for decades. Using this technique, ISPs and router vendors intercept HTTP traffic and silently inject arbitrary data into HTTP responses. This is usually done by injecting arbitrary JavaScript code into the actual HTTP response body in real time. When the injected JavaScript code reaches the client browser it performs various operations such as loading advertisements, information gathering, etc.

This paper presents a generic browser exploit detection technique that uses the same live network stream code injection technique to reliably catch browser exploits. The detection system can be considered completely agentless and capable of detecting various techniques used in modern browser exploitation. Unlike other Host Based Intrusion Prevention Systems, no OS API hooking, DLL injection or code injection into the browser process is required to generically detect and block browser exploits.


Friday October 6, 2017 12:00 - 13:00
01. Westvleteren University


XFLTReaT: a new dimension in tunnelling
This presentation will sum up how to do tunnelling with different protocols and will detail different perspectives. For example, companies are fighting hard to block exfiltration from their networks: they use HTTP(S) proxies, DLP and IPS technologies to protect their data, but are they protected against tunnelling? There are so many interesting questions to answer for users, abusers, companies and malware researchers. Mitigation and bypass techniques will be shown during this presentation, which can be used to filter any tunnelling on your network or to bypass misconfigured filters.

Our new tool XFLTReaT is an open-source tunnelling framework that handles all the boring stuff and gives users the capability to take care of only the things that matter. It provides significant improvements over existing tools. From now on there is no need to write a new tunnel for each and every protocol or to deal with interfaces and routing. Any protocol can be converted to a module, which works in a plug-and-play fashion; authentication and encryption can be configured and customised on all traffic and it is also worth mentioning that the framework was designed to be easy to configure, use and develop. In case there is a need to send packets over ICMP type 0 or HTTPS TLS v1.2 with a special header, then this can be done in a matter of minutes, instead of developing a new tool from scratch. The potential use (or abuse) cases are plentiful, such as bypassing network restrictions of an ISP, the proxy of a workplace or obtaining Internet connectivity through bypassing captive portals in the middle of the Atlantic Ocean or at an altitude of 33000ft on an airplane.

This framework is not just a tool; it unites different technologies in the field of tunnelling. In the past we needed different tunnels and VPNs for different protocols, like OpenVPN for TCP and UDP, ptunnel for ICMP or iodined for DNS tunnelling; that changes now. After taking a look at these tools it was easy to see some commonality: all of them are doing the same things, only the means of communication differ. We simplified the whole process and created a framework that is responsible for everything but the communication itself; we rethought the old way of tunnelling and tried to give something new to the community. After the initial setup the framework takes care of everything. With the check functionality we can even find out which module can be used on the network; there is no need for any low-level packet fu and hassle. I guarantee that you won’t be disappointed with the tool and the talk; actually, you will be richer by an open-source tool.


Friday October 6, 2017 14:00 - 15:00
01. Westvleteren University



DYODE (Do Your Own Dyode) is a low-cost, DIY data diode aimed at securing Industrial Control Systems. While data diodes have been used for a long time on classified networks, their high cost and implementation complexity have kept them away from a lot of valid use cases on industrial control systems. During our assignments, we encountered many situations in which time or availability constraints were not really high (but the security risk was) and a commercial data diode was way too costly.


We developed a working data diode using standard components and open source libraries. We want to prove with this project that it is possible to produce a simple, working, ICS-oriented data diode for less than $200. The principles of using COTS components to make a data diode are not brand new, but we aim at providing a packaged software solution to ease the creation process, with a specific focus on ICS.

Our diode can be used for file transfer, Modbus data transfer as well as screen sharing for remote debugging.

We will demo v2 of the DYODE, a diode based on a serial connection and an optocoupler, that only allows very low-speed exchanges (sufficient for Modbus) at an even lower cost (around $50).


Arnaud Soullié

Arnaud Soullié is a manager at Wavestone, performing security audits and leading R&D projects. He has a specific interest in Active Directory security as well as ICS, two subjects that tend to collide nowadays. He teaches ICS security and pentests workshops at security conferences...

Friday October 6, 2017 15:00 - 16:00
01. Westvleteren University


Weaponizing the BBC Micro:Bit
In 2015, the BBC-sponsored Micro:Bit was launched and offered to one million students in the United Kingdom to teach them how to code. This device is affordable, has a lot of features and can be programmed in Python rather than C++ like the Arduino. When we discovered this initiative in 2016, we quickly thought it was possible to turn this tiny device into some kind of super-duper portable wireless attack tool, as it is based on a well-known 2.4GHz RF chip produced by Nordic Semiconductor.

It took us a few months to hack into the Micro:Bit firmware and turn it into a powerful wireless attack tool able to sniff keystrokes from wireless keyboards or to hijack and take complete control of quadcopters during flight. We also developed many tools allowing security researchers to interact with proprietary 2.4GHz protocols, such as an improved sniffer inspired by the mousejack tools designed by Bastille. The source code of our custom firmware and related tools is open source.

The Micro:Bit will become a nifty platform to create portable RF attack tools and ease the life of security researchers dealing with 2.4GHz protocols!


Friday October 6, 2017 16:30 - 17:30
01. Westvleteren University


MEATPISTOL, A Modular Malware Implant Framework
Attention Red Teamers, Penetration Testers, and Offensive Security Operators, isn’t the overhead of fighting attribution, spinning up infrastructure, and having to constantly re-write malware an absolute pain and timesink!?! It was for us too, so we’re fixing that for good (well, maybe for evil). Join us for the public unveiling and open source release of our latest project, MEATPISTOL, a modular malware framework for implant creation, infrastructure automation, and shell interaction. This framework is designed to meet the needs of offensive security operators requiring rapid configuration and creation of long lived malware implants and associated command and control infrastructure. Say goodbye to writing janky one-off malware and say hello to building upon a framework designed to support efficient yoloscoped adversarial campaigns against capable targets.

Friday October 6, 2017 17:30 - 18:30
01. Westvleteren University


BruCON Closing
Friday October 6, 2017 18:30 - 18:45
01. Westvleteren University