Organized in collaboration with Tools Watch and Opposing Force, the HITB Armory is a brand new dedicated area where independent researchers will get to show off their projects, run their demos and allow you to play around with their awesome security tools!
Selected from a Call for Tools process, researchers will have 30 minutes to present their tools onstage, followed by a 3-hour demonstration session at the exhibition space within the HITB Armory area itself.
The HITB Armory is free and open-to-public, so feel free to drop by anytime to check out the tools on showcase!
27 November 2018
|Start||End||Where||Topic / Tool||Tool Author||Presentation Time|
|10:00||13:00||Booth 1||Capture This: Real Time Packet Processing with FPGAs||Matteo Collura||14:00 – 14:30|
||Hardware security multidimensional attack and defense tool set||Jie Fu||15:00 – 15:30|
||Virtualizing IoT with code coverage guided fuzzing||Kai Jern Lau & Dr. Anh Quynh||16:00 – 16:30|
|Booth 4||Archery: Open Source Vulnerability Assessment and Management||Anand Tiwari||On 28th|
|Booth 5||aclpwn.py – Advanced ACL exploitation with BloodHound||Dirk-jan Mollema||On 28th|
|Booth 6||Dejavu – Deception Simplified||Bhadreshkumar Patel & Harish Ramadoss||On 28th|
|14:00||17:00||Booth 1||Faraday v3||Emilio Couto||10:00 – 10:30|
|Booth 2||Kurukshetra – Playground for interactive Security Learning||Anirudh Anand||11:00 – 11:30|
|Booth 3||IoT-Home-Guard: A tool for malicious behavioŗ detection in IoT devices||Qinghao Tang & Yuan Zhuang||12:00 – 12:30|
|Booth 4||Finite State Iotasphere: IoT Firmware Vulnerability Discovery Platform||Nicholas Vidovich||On 28th|
|Booth 5||Infernal Wireless – Automated Wireless Penetration Testing Suite||Mukhammad Khalilov||On 28th|
|Booth 6||SigPloit: A New Signaling Exploitation Framework||Loay Abdelrazek||On 28th|
28 November 2018
|Start||End||Where||Topic / Tool||Tool Author||Presenter Time|
|10:00||13:00||Booth 1||Faraday v3||Emilio Couto||On 27th|
||Kurukshetra – Playground for interactive Security Learning||Anirudh Anand||On 27th|
||IoT-Home-Guard: A tool for malicious behavior detection in IoT devices||Qinghao Tang & Yuan Zhuang||On 27th|
[CANCELLED] Finite State Iotasphere: IoT Firmware Vulnerability Discovery Platform [CANCELLED]
aclpwn.py – Advanced ACL exploitation with BloodHound
|[CANCELLED] Nicholas Vidovich||N/A|
||Infernal Wireless – Automated Wireless Penetration Testing Suite||Mukhammad Khalilov||15:00 – 15:30|
||[MOVED] SigPloit: A New Signaling Exploitation Framework [MOVED]||Loay Abdelrazek||14:00 – 14:30|
|14:00||17:00||Booth 1||Capture This: Real Time Packet Processing with FPGAs||Matteo Collura||On 27th|
||Hardware security multidimensional attack and defense tool set||Jie Fu||On 27th|
||Virtualizing IoT with code coverage guided fuzzing||Kai Jern Lau & Dr. Anh Quynh||On 27th|
||Archery: Open Source Vulnerability Assessment and Management||Anand Tiwari||10:00 – 10:30|
||SigPloit: A New Signaling Exploitation Framework||Loay Abdelrazek||11:00 – 11:30|
||Dejavu – Deception Simplified||Bhadreshkumar Patel & Harish Ramadoss||12:00 – 12:30|
We will have an extra talk on 28th at 16:00 from Cristofaro Mune, demoing Remote IoT Timing Attacks from his talk:
Archery: Open Source Vulnerability Assessment and Management — Anand Tiwari
Archery is an open-source vulnerability assessment and management tool that helps developers and pentesters to perform scans and manage vulnerabilities. Archery uses popular open-source tools to perform comprehensive scanning for web application and network. It also performs web application dynamic authenticated scanning and covers the whole applications by using selenium. The developers can also utilize the tool for implementation of their DevOps CI/CD environment.
The main capabilities of our Archery include: * Perform Web and Network Vulnerability Scanning using vulnerability scanner tools. * Correlates and Collaborate all raw scans data, show them in a consolidated manner. * Perform authenticated web scanning. * Perform web application scanning using selenium. * Automate your scanners. * Vulnerability Management including Web, Network and Mobile Applications. * Enable REST API’s for developers to perform scanning and Vulnerability Management. * Useful for DevOps teams for Vulnerability Management.
Archery tool has created using Django framework that gives us the flexibility to easily integrate python scripts. It also easily deployed on servers or user can use locally for their purpose. The tool has created to perform a vulnerability assessment and management. The idea of the tool is to collect all vulnerability in one place and manage vulnerability easily.
aclpwn.py – Advanced ACL exploitation with BloodHound — Dirk-jan Mollema
Ever since ACL collection was introduced in BloodHound, it is easier than ever to find misconfigured permissions on Active Directory objects. Users that have permissions to add members to sensitive groups, Exchange servers that have full control of the domain object or permissions that are too broadly delegated are just a few examples of this. ACLs are however complex to understand and exploit. Aclpwn.py aims to make it easier to exploit ACL based attack paths, gain Domain Admin (or just get enough permissions to obtain the krbtgt account hash and print yourself a golden ticket), and safely revert the changes again afterwards. It does this by integrating with BloodHound via the API’s offered by Neo4j. It has built-in path finding methods that use the Dijkstra algorithm to find the shortest path from the accounts you control to the objective you want to achieve. Once a path is found Aclpwn.py automatically walks through the chain, modifying object permissions and adding users to groups where necessary. When you have achieved your goal you just run the tool again and it will revoke the permissions and restore the original state. This can all be achieved through just a SOCKS tunnel into the client network, running the exploitation from your Command and Control host with BloodHound installed. Since the tool is fully written in Python, it can be run from any operating system and only requires you to have NTLM hashes of the accounts to perform the attacks.
This is a completely new tool that integrates with BloodHound to exploit Active Directory misconfigurations. It will be released under an open source MIT license. The release will contain several pages of documentation on the different pathfinding techniques, the way the tool works internally and on how to use the different command line parameters.
Infernal Wireless – Automated Wireless Penetration Testing Suite — Mukhammad Khalilov
Infernal Wireless – Automated Penetration testing aids penetration testers to perform attacks on wireless network from one platform performing various attacks from exploitation to social engineering to cracking passwords.
The tool integrates AP Evil Twin, BeeF integration, social engineering via page cloning, visual access point representation live and data correlation of probes from network enabled devices.
The tool also incorporates reporting and generation of PDF and HTML outputs.
The tool can be download on below link: https://github.com/entropy1337/infernal-twin
Dejavu – Deception Simplified — Bhadreshkumar Patel & Harish Ramadoss
Deception techniques—if deployed well—can be very effective for organizations to improve network defense and can be a useful arsenal for blue teams to detect attacks at very early stage of cyber kill chain. But the challenge we have seen is deploying, managing and administering decoys across large networks. Although there are lot of commercial tools in this space, we haven’t come across open source tools which can achieve this.
With this in mind, we have developed DejaVu which is an open source deception platform which can be used to deploy, configure and administer decoys centrally across the infrastructure. A web-based management console can be used by the defender to deploy multiple interactive decoys (Customized Web Server, Tomcat, SQL, SMB, FTP, SSH, SNMP, ICS-MODBUS, ICS-S7COMM, Client side–NBNS) strategically across their network on different VLANs. Logging and alerting dashboard displays detailed information about the alerts generated and can be further configured to generate high accuracy alert; and how these alerts should be handled.
Decoys can also be placed on the client VLANs to detect client side attacks such as responder/LLMNR attacks using client side decoys.
Additionally, common attacks which the adversary uses to compromise such as abusing Tomcat/SQL server for initial foothold can be deployed as decoys along with digital breadcrumbs, luring the attacker and enabling detection.
The tool was presented at Blackhat and Defon this year in August, 2018. Since then we have made additions to the platform and improved existing functionality which we would be excited to showcase at HITB. We would also like to discuss how DejaVu can be used to detect adversary during the various phases of cyber kill chain.
Additions made :
Faraday v3 — Emilio Couto
The idea behind Faraday is to help you to share all the information that is generated during a pentest, vulnerability assessment or scan without changing the way you work. You run a command, import a report, and Faraday will normalize the results and share them with the rest of the team in real-time. Faraday has more than 60 plugins available (and counting), including the most popular commercial and open-source tools. If you use a tool that Faraday doesn’t have a plugin for, you can create your own! During this presentation we’re going to release Faraday v3 with all the new features that we were working on for the last couple of months that include a huge back-end change.
Kurukshetra – Playground for interactive Security Learning. — Anirudh Anand
Kurukshetra is a web framework that’s developed with the aim of being the first open source framework which provides a solid foundation to host reasonably complex secure coding challenges where developers can learn secure coding practices in a hands on manner. It is composed of two components, the backend framework written in PHP, which manages and leverages the underlying docker system to provide the secure sandbox for the challenge execution, and the frontend, which is a user facing web app providing all the necessary controls, for the admin to host and modify the challenges, and the user to execute and view the result of each of his input.
Online Demo: https://kurukshetra.io/
Full Documentation: https://docs.kurukshetra.io/
IoT-Home-Guard: A tool for malicious behavior detection in IoT devices — Yuan Zhuang
IoT devices, especially secondhand devices and rental devices, are under threat of malware implant attack with physical access. Once IoT devices are compromised, hackers can turn them into snooping devices. From a defensive perspective, there are no solutions to detect Trojans in IoT devices.
We present IoT-Home-Guard — a hardware device to detect malicious behaviors of Trojans in IoT devices, such as audios/videos snoop and remote control. It consists of four parts: data flow catcher, traffic analyzing engine, device fingerprint database and a web server. Features of network traffic are extracted by traffic analyzing engine and compared with pre-built device fingerprint database to detect malicious behaviors.
In another research, we were able to implant Trojans in eight devices including smart speakers, ip cameras, routers, driving recorders and mobile translators. We collected characteristics of those devices and ran IoT-Home-Guard. All devices implanted Trojans have been detected. We believe that malicious behaviors of more devices can be identified with high accuracy after supplement of fingerprint database.
The first generation IoT-Home-Guard tool is a hardware device based on Raspberry Pi with wireless network interface controllers. We will customize new hardware in the second generation. Software part is available in our Github: https://github.com/arthastang/IoT-Home-Guard. The system can be set up with software part in laptops after essential environment configuration.
See details at README.md in https://github.com/arthastang/IoT-Home-Guard
Finite State Iotasphere: IoT Firmware Vulnerability Discovery Platform — Nicholas Vidovich
Iotasphere is a firmware analytics platform designed to give users the ability to reverse engineer their IoT device firmware. The platform performs large-scale firmware analytics including; automated unpacking, metadata collection, file hashing, password hash cracking to identify default credentials, software version identification, file similarity scoring across the entire firmware catalog and CVE correlation.
Iotasphere is the first of its kind platform allowing users to truly understand the threats introduced by their network-enabled embedded devices. With over 200,000 pre-analyzed firmware images from 74 manufacturers including Netgear, Polycom, Sonos, Trendnet, and Ubiquiti, Iotasphere allows you to start immediate analysis. Whether you’re Blue, Red, Purple or Pink teaming, Iotasphere has you covered with the ability to drill down into the target’s filesystem and see an overview of published vulnerabilities and public exploit code.
If you’re serious about your IoT security posture Iotasphere goes even further by enabling custom vulnerability discovery flows via binary vulnerability analysis backed by the Binary Ninja Intermediate Language – grinding through x86, MIPS, and ARM binaries to uncover potential 0-day vulnerabilities.
Iotasphere also uncovers code reuse – a massive problem in the IoT domain where multiple vendors use core software components from Broadcom, Ralink, Marvel and other chip manufacturers and bolt-on minor modifications. Iotasphere exploits this market trend to attribute published CVEs to devices previously unknown to be affected by the CVE, turning N-days into 0-days.
With Iotsphere, IoT security is possible, and it’s happening now
SigPloit: A New Signaling Exploitation Framework — Loay Abdelrazek
Mobile communication networks are using signalling protocols to allow mobile users to communicate using short messages, phone calls and mobile data. Signalling protocols are also used to manage billing for operators and much more. The design flaws that signalling inherits made them vulnerable to attacks such as location tracking of subscriber, fraud, calls and SMS interception. With the high rate of these emerging attacks on telecommunication protocols there is a need to create a comprehensive penetration testing framework for signalling. In this talk, will introduce a framework called Sigploit that takes into consideration the following protocols: SS7, GTP, Diameter and SIP.