I’m writing this wrap-up from the Dublin airport, waiting my flight back to Belgium. This new edition of SOURCE is already over. What did we learn today?

This second day started with Vincenzo Lozzo‘s keynote. Lorenzo gave first, some facts. From an economic point of view, Internet will generate nice business in the coming years (2012: $60B, in 2016: $86B – according to Gartner). Another one, KPMG announced a raise of 40% increase in data-loss incidents. But a good news: entrepreneurs are looking to invest where there is a business like infosec. Also, US government said that cyberwar is like a regular war and army forces can be used. Scary to read some quotes like this one:

Report for NATO justifies killing of hackers in a cyberwar.

In the security world, some people are not ready to share information with vendors when they found vulnerabilities. Infosec security is fundamentally trying to solve tech problems thought non-technical actions. They are different groups of attackers: Organized crime, they are also trying to get as much money as possible. If the ROI is not good enough, they will choose another target. Hacktivists are a different group with less sophisticated attacks. The scariest group is nation-states. Huge budgets, attacks can be very sophisticated depending on the target. A nice quote from Lorenzo:

Can you even kick them out if they ever get in?

Then he also explained a game strategy based on the FlipIt  game to try to guess the attacker behaviour. But some group of attackers can’t be analysed with this technique. Banks are an example: it’s more a fair game. They know they will be attacked from time to time. The insecurity of complexity: At conferences, you learn new ways to attack. You try to implement new controls to block them. But it’s not sure that they can be implemented. The market of lemons compared to infosec is not new. Are we checking security from a wrong angle? Bugs don’t attack companies, people with exploits do. Lorenzo make a comparison between “bug bounty” programs and blue hat prize. Fixing a bug will not really improve the overall security. He gave a good example with Acrobat Reader: there is a difference between bug fixing and mitigation. Since they implemented a sandbox, there are less 0-days released.

Fixing bugs is like draining the sea with a spoon. It makes you look heroic but doesn’t achieve anything

Things that Vincenzo would like to see in the future:

• Better ways to simulate attackers (vs classic pen tests)
• Faster and more agile countermeasure creation & deployment
• Better data gathering about attackers
• Stronger economical research on attack dynamics

Patrick Schulz and Felix Matenaar were the first regular speakers with their talk about Android: “Android application reverse engineering and defences“. They started with a motivating example. First step, the static information gathering: This can be achieved by decompiling the application, examining the Type System (classes) and APIs. It’s quite easy with Android. Then, the dynamic analysis is performed with sandboxes and debuggers like APKTool. What are the Interesting stuffs to look for? Data validation, license checks and client checks are good examples. Then you can add extra code and redistribute the application. So, from a developer perspective, how to avoid this? How to protect your applications and how to address those problems?

To prevent static analysis, use code obfuscation, dynamic code loading. You can also make code harder to read. Some tools are referred here. Application modification (or temper proofing) is another risk. Run time integrity checks. React to the fact that your application has been modified or repacked. Hide interesting code and make it harder for malware authors to repack it. A technique presented by the speakers was “Manifest Cheating“. Inject a “name” attribute in the application tag with ID 0 and value “detect.class”. It will be skipped by packet but will make APKtool to crash when analysing the file later. If you really implement the detect.class, it will be executed and you’ll know that your application was repacked. Runtime integrity checks can be implemented like checking the application signature. Dynamic analysis or anti-runtime analysis: Use techniques like debugger detection and prevention.

Then the floor was open to improvised lightning talks and discussions. First, Dildog presented some tests he make yesterday night with URLs and Unicode characters that make Google Drive creating non-deletable files on the filesystem. Funny! Then, some tools were presented again by Patrick and Fellow. Finally, I quickly introduced my tool to monitor pastebin.com.

After a lunch and some good conversations enjoying the sunny weather over Dublin, the last half-day restarted with Peter Morgan and John Villamil. They presented “Monkeyherd: Stay fuzzy my friends“. This is a fuzzing tool developed by Accuvant Labs and is definitively an offensive tool. People usually know simple fuzzing tools but it can quickly become more complex to implement. Question from the speakers: Why aren’t more companies doing fuzzing? Some are doing well (like Google, Microsoft, Mozilla) but it requires motivation to deal with discovered bugs, company resources and experience to execute this process.

They explained deeply how to implement distributed fuzzing. Monkeyhard is deployed in the Amazon EC2 cloud and based on tools like SSH, Git, Ruby/Python and Redis. It can also perform GUI automation, dynamic binary instrumentation and uses a C&C to keep track of discovered vulnerabilities. It looks to be a very powerful tool.

Ben Williams was the following guest with a talk about hacking appliances. This was a talk that he already performed in Amsterdam for BlackHat 2012. Then he presented an update of his research this year again at BlackHat. As I missed it due to an agenda conflict, it was a good opportunity to refresh my mind. What’s new? Nothing much! Security vendors still fail to properly protect their appliances. They are usually considered as “safe” and deployed in DMZ but some, providing basic network services, can be connected to internal networks. They also receive lot of prices as “product of the year”, scarry!

Who were Ben’s victims:

• Sophos Email Appliance (v3.7.4.0): Admin webgui attack with a 500 passwords list. Done! (No protection against bruteforce or account lockout). OS command injection and reflective attack.
• Citrix Remote Access Gateway: authentication bypass & port forwarding via SSH
• Symantec Email Gateway: owned by receiving a mail and spawn a root shell.
• TrendMicro Email Gateway.

Last but not least, Nick Hiliard presented “The DDoS that didn’t almost break the Internet“. Everybody remembers the massive DDoS attack against SpamHaus a few months ago. Nick came back on this story and gave interesting details about how it happened. Everything started on March 18th with a DDoS against the website and blacklist servers operated by SpamHaus. They asked the help of CloudFlare to mitigate the attacks.

Nick explained how the attack was performed: It was based on DNS amplification: a DNSSEC query for “ANY ripe.net” is 54 bytes but DNSSEC replies to this query with 3181 bytes (58x amplification!). 27 millions of open DNS servers are available in the Internet (source: openresolver.org). The attackers were a mix of compromised end-users, compromised WordPress/Joomly instances and VPS servers.  Most important, what are the lessons learned:

• Unicast flood control is critical on IXPs
• Use OOB networks to manage your critical devices!
• IXP peeing IP’s should probably not be routed on the Internet
• Reality rarely gets in the way of a good headline
• Bad guys are careful not to get caught

Finally, keep in mind: botnets are large and use BCP38 and DNS ACLs

The presentation about “SQL Post-exploitation” was cancelled, the speaker was not able to join the conference. The SOURCE conference is now over! Thanks to Stacy & Christien for the organisation and to accept me as a speaker. If we met during the conference and have questions about my talk or tools, feel free to contact me! See you next year, again in Dublin?

There are so many security conferences around the world… Some people already debated about this: Is it better to restrict the annual agenda to well-known events or let people start their own? IMHO, we need initiatives like this. It’s good to have a broad agenda with local conferences where local people can attend without spending huge amounts of money for travels and lodging (If you can go to conferences, let’s bring the conferences to you!) So, let’s welcome the newly born conference called “NoSuchCon“. The first edition was just organized in Paris across the last three days. Unfortunately, I was only able to attend the last day… If only I could expand my holidays like a filesystem! I joined Paris early the morning to attend the first keynote. Here is a quick review of the day.

Today’s keynote was presented by Dmitri Alperovitch (from Crowdstrike). His presentation had only… one slide, displayed at the end of his keynote! The first message broadcasted by Dmitri was “We are doing wrong!“. Is it really a breaking news? No, major vendors, browsers, mobile phones, all of them are working to improve their security. We also have Next-Generation firewalls, powerful forensic tools and medias are talking about “cyber-*” (replace the star with your favourite term) and are trying to do some awareness. So what?

This is a paradox! Even with all those changes, we are still unable to block our adversaries. Our desire to have a “one-size-fits-all” security solution is bad. We have very specific issues to address. One category of actors are hacktivists. Another one is espionage. Classic defences approach do not work with those actors. Offensive is more lucrative and cheaper. If you increase your defences, offensive guys will grow too. This is a never-ending story. A good example are DDoS. Increasing your pipe to the Internet (bandwidth) and server farms will not solve the problem. Attackers will use bigger bots! Also, how to defend against national agencies which have huge budgets? Know your enemy, this will allow you to break the asymmetry between attack & defense.  Find the pin-point and push on it. Attackers usually focus on a target and don’t have a look at its competitor. An idea proposed by Dmitri: can a “bounty hunter” program law  help to catch attackers? Dmitri brought a big suitcase full of t-shirts and distributed them after his keynote. That’s for the show but it’s always funny to get goodies!

The first half-day was dedicated to presentations about the Windows kernel. A first one was performed by Aaron LeMasters about “Crashdmp-ster diving the Windows 8 crash dump stack“. The Microsoft crash dump mechanism is an interesting component of the operating system. Aaron performed some researches about this feature. His project is hosted on crashd.md.

The crash dump mechanism is a layer driver providing an I/O path to a mass storage device. It is used in two situations: when a bug check occurs (hey, it’s Windows! ) or to hibernate the system (crashdmp.sys). Aaron describe how it works. Note that the mechanism is different between Windows XP – 7 and Windows 8. With  the last version of the Microsoft OS, the crash dump subsystem can be tricked into reading and writing everywhere. That’s what Aaron explained during his talk. Based on his research, he also wrote a CTF challenge for SOURCE Boston and explained in details how it worked. The source code will be released soon, check out his website.

Then, a second talk immediately followed: “Exploiting hard core pool corruption in Microsoft Windows kernel” by Nikita Tarakanov. Today, many applications implement sandboxes (ex: browsers). To evade sandboxes, a good idea is to abuse… the low level… the kernel.

Once broken, you have access to everything. Previous vulnerabilities found in Windows kernels are memory corruption. Today, known techniques do no work anymore with Windows 8. First, Nikita reviewed how kernel pool is working and what were the “old” attacks. The next part covered a new attack which works on all versions of Windows: DKOHM (“Direct Kernel Object Header Manipulation“).

After a lunch break in a small Parisian restaurant, eating and talking about security, the second set of talks started again. The first one was “XML – Out-of-band exploitation” by Yunusov Timur and Alexey Osipov. First part was about parameter entities (“PE“). Speakers reviewed then and how they work.  How work out-of-band attacks? The attacker send XML to the server which parses it and requests data from the malicious host.

They also performed demos of exfiltrating data from via an XML file: Using DNS requests made during XML document XSLT transformation to extract information via a bunch of A queries to forged names. An other demo was to grab /etc/passwd from a website just be trying to validate an XML file. Sweet!

The next talk was again about kernels but this time on MacOS X! Pedro Vilaca presented “Revisiting Mac OS X kernel root kits“. Rootkits are kernel extensions. Pedro reviewed interesting ideas to make them more powerful. The Mac OS landscape has less researchers and lack of public developments about rootkits. But it does not mean that more are working in the wild. Great job performed by Pedro but difficult to maintain due to the operating system being closed source.

After a coffee break, the last run of talks started. Luigi Auriemma & Donato Ferrante presented “Exploiting game engines for fun & profit“.

Why target games? Because the attack surface is huge! Did you know that some engines are sold with special licenses to military organisations? Almost all kind of people are playing once back at home. Even C-level people can be gamers during their free time. This can be a nice way of exploiting their company. The same engine can be shared across multiple games (and stuff added like Lego-blocks). The same vulnerability can be re-used! Gain of time and $$$. Game engines can be attacked on four topics:

• Fragmented packets: Games are based on UDP protocol but they try to implement a TCP-over-UDP. When fragmentation occurs, the engine must rebuild the original packet. This process is performed in memory. What about trying to place the payload of a packet in another memory area?
• Compression: Not algorithms but index numbers.Flipping bits can be interesting
• Game Protocols:
• Customization (extensions also called “mods” and command line)

After the theori, the speakers performed some live demos. Check out revuln.com for their white paper released today!

For the next talk, the planning changed. The scheduled speaker was not able to come to France due to a visa issue. Weird! A last minute (but excellent!) speaker replaced him: Sergey Bratus presented “Any input is a program“. I was lost, his topic was too complex! I don’t know how many people were able to fillow him in the audience.

The last talk was “Killing rats with incident response process” by Robinson Delaugerre and Adrien Chevalier. The result of their research is a new framework called Arsenic which will be released soon. The goal is to perform incident response in a easy way. They started the talk with some facts about incident handling and how complex it can be.

This process is based on three pillars:

• Network analysis
• Host forensics
• Reverse engineering

Arsenic is a their framework, written in Ruby, which brings those pillars together. They also performed live demos to detect a well-known RAT (Poison Ivy). It seems to be an interesting tool.

And that’s already done. That was a quick but interesting visit to this new event. Again, NoSuchCon, welcome in the world of security conferences! Organizers made it a success with 250 attendees (number received from a member of the organisation). I liked particularly:

• The idea of a “one-cay” pass for people who were not able to block three consecutive days.
• Slides were available a few minutes before the talk (useful for people sitting far from the beamer)
• The conference Facedancer badge (made by Travis Goodspeed)
• Live streaming

During its implementation, a file integrity monitoring project may face two common issues:

• The baseline used to be compared with the current file status must of course be trusted. To achieve this, it must be stored on a safe place where attacker cannot detect it and cannot alter it!
• The process must be fine tuned to react only on important changes otherwise they are two risks: The real suspicious changes will be hidden in the massive flow of false-positives. People in charge of the control could miss interesting changes.

There are plenty of tools which implement FIM, commercial as well as free. My choice went to OSSEC for a while. My regular followers know that I already posted lot of articles about it. I also contributed to the project with a patch to add Geolocatization to alerts. This time, I wrote another patch to improve the file integraty monitoring feature of OSSEC.

FIM has been part of the OSSEC features for a while and is handled by the syscheckd daemon running on all agents. How does OSSEC address the common issues reported above? To keep the baseline integrity, the databases of files (or registry for Windows agents) are stored on the manager itself. This manager is normally a well-protected server where all the OSSEC intelligence is stored. About false-positives, OSSEC implement several ways to prevent them. Some files can be ignored with an <ignore> XML tag in ossec.conf:

<syscheck>
    <ignore>/etc/mnttab</ignore>
</syscheck>

This is easy to exclude files but it’s a pain to manage! Some files can be excluded using specific OSSEC rules:

<rule id="100000" level="0" >
    <if_group>syscheck</if_group>
    <description>Ignored file changes</description>
    <match>/etc/mnttb|/etc/hosts|/etc/resolv.conf</match>
    <hostname>srv1</hostname>
</rule>

This rule will disable notification if any change is detected on srv1 in /etc/mnttab, /etc/hosts or /etc/resolv.conf. Note that another control exists: By default when a file has changed three times, new changes will be automatically ignored. Handy but… it could be improved!

When I’m deploying security tools and control, my goal is to reduce the “noise” as much as possible. A side effect of file integrity monitoring is the number of false positive alerts generated when patching your systems. Keeping the latest patch level is important but hundreds of files can be replaced only by one new package! That’s why I wrote the following patch for OSSEC (more precisely for the analysisd daemon which is responsible of the decoding and alerting of events generated by agents).

I added a SQLite3 DB which contains a list of MD5 hashes to ignore when reported by agents. When a file change is reported, its NEW MD5 hash is looked up in the DB. If found, the change is ignored. Why an external SQL database to store the hashes? To be easily populated by external tools as seen in the following schema:

To active this feature, apply the patch, create a SQLite3 database:

CREATE TABLE files (
    md5sum VARCHAR(32),
    file VARCHAR(256),
    time DATETIME
);
CREATE UNIQUE INDEX files_idx ON files(md5sum);

Then, just define the MD5 database in the main ossec.conf file on your OSSEC server:

<global>
    <md5db>/etc/md5.db</md5db>
</global>

This database must contains all the MD5 hashes that you want to ignore. On Ubuntu, it’s easy to find all hashes of installed files in /var/lib/dpkg/info/*.md5sums. I wrote a simple Python script to read those files and populate the SQL database.

#!/usr/bin/python

import fnmatch
import os
import sqlite3
import signal
import sys
def signal_handler(signal, frame):
    print "Interrupted!"
    if (conn):
        conn.commit()
        conn.close()
    sys.exit(0)
signal.signal(signal.SIGINT, signal_handler)
conn = sqlite3.connect('/opt/ossec/etc/md5db.db')
for file in os.listdir('/var/lib/dpkg/info'):
    if fnmatch.fnmatch(file, '*.md5sums'):
        c = conn.cursor()
        f = open('/var/lib/dpkg/info/' + file, 'r')
        l = f.readline()
        while l:
            array = l.split()
        try:
            c.execute('INSERT INTO files VALUES("' + array[0] + '","' + \
                      array[1] + '",date("now"))')
        except sqlite3.Error, e:
        print "%s: %s" % (array[0], e.args[0])
        l = f.readline()
        conn.commit()
        f.close()
conn.close()

After every new patch installation on my Ubuntu, the database is updated with new MD5′s. As the FIM process is executed every 6 hours (default setting) by OSSEC, you have time to update the database and reduce the false positives alerts.

The patch is available here.

I’ll show you a good example of the explosion of resource requirements. Today I was performing some cleanup on my corporate laptop. Being a consultant, it runs plenty of tools such as management consoles provided by $VENDORS. Working for multiple customers running different versions of this product (a well-known firewall brand), I’ve different versions of the tools installed. Of course, I need to keep multiple versions because you need to use the right one to access the firewall running the corresponding version. Just have a look at this screenshot:

(Click to enlarge)

I wonder what will ask the next version of the console as disk storage…

It’s a fact, humans don’t like to assume their errors. It’s not easy to concede a bad choice and say that your security solution does not fullfill its job. But why pretend to have the top-notch-killer-device on the other side?  Remember, years ago, the flame war between Linux and Windows users? (Honestly, I took part of this game when I was young)

Sometimes, colleagues or customers ask me what’s the best choice between “x” or “y“. It’s always difficult for me to answer such questions in a cold start situation. First of all because most of the time, I don’t have enough background to compare them. Of course, the market is full of studies and analyses like the well-known Gartner magic-quadrant. Those can help you to make a first selection. Some vendors ask research firms to make a comparison of their product with direct competitors. If they “asked“, it means they also “paid” for these researches. In a customer – supplier relation, the customer must be happy. May we be certain that the results of the study are fully independent? I’m in doubt…

Personally, the best solution is the one which will solve YOUR issue and match YOUR requirements in terms of:

• Budget
• Features
• Integration in your environment
• Management & Support

Keep in mind that your information security is a big market place where all vendors would like their share of the cake… Select two or three solutions, ask for live demos, setup a PoC (“Proof of Concept“). This could cost time and money but you will have all keys in your hand to make the right decision. Don’t buy a brand, buy a solution!

This was already the third edition of BSidesLondon today! Time flies! Being busy yesterday, I just reached London in the morning and arrived just in time for the administrative tasks (registration, pick-up a t-shirt, goodies), grabbing some coffee and shaking some hands. BSidesLondon is definitively growing in size and quality: A huge number of attendees, two tracks, a rookie track, a job fair, workshops and lightning talks. Even the sun was present over London, no fog at all! Two tracks means you have to make choices! Here is the brief overview of my schedule.

The first presentation I attended was “Pentesting like a Grandmaster” by Abraham Aranguren. The talk was split in two parts. FIrst, Abraham started with an interesting comparison: “Pentesting == a chess game“. This can be resumed with the picture below:

How far can you go with “your” intelligence? The success is always possible. They are many examples of great people who made awesome stuff with a normal IQ. Intelligence does not warranty success. One fact: it’s important to start early; this is an advantage. The talent is something natural and skills must be developed by hours and hours (days or months) of training. The comparison continues with the chess game. As reported by many chess champions: “You can only be good at chess if you love the game“.  It’s exactly the same in information technology (generally speaking – not only security). Some quotes are so true:  ”No pain, no gain” (Arnold Schwarzeneger), “Pain is temporary” (Mohamed Ali). The next question could be how to stay motivated. Like in high level sports, your must remain healthy (in your body as well as in your mind). Another interesting quote I liked:

“Smart people learn from their mistakes. But the real sharp ones learn from the mistakes of other people” (Brandon Mull)

Abraham reviewed good tips to stay healthy and keep your attention.  In the second part of the talk, he explained why the game preparation is a key (again in chess and pen testing). Before the game: scope better, do better. Know the enemy but know yourself (strengths & weaknesses). Finally, some examples were reviewed of how a good preparation helps to pwn your target easily.. But keep in mind: When media report an exploit “in seconds“, it took usually days or weeks to prepare it. The examples were demonstrated using Abraham’s project: OWTF. I liked the comparison between the two worlds which initially have nothing in common. Great talk to start the day.

For the second talk, my choice was to follow Javvad Malik about his own story “How to build a personal security brand that will stop the hackers, save the world and get you the girl“. What a program! The room was crowded with people sitting on the ground! This is always a good sign. Javaad is a showman, have a look at his Youtube channel about information security, a must see. His talk was a reflexion about people who are “bankable” in information security. Starting with a fact: why everybody found Mother Theresa a personality? It’s the same in information security. Javvad showed a nice graph of knowledge vs fame. Then he defined three levels: echo chamber, industry, public and put famous people on it:

(Note: the hidden face is Gregory Evans

The key is the message you have to pass and how to deliver it. Today,  we have access to the same tools and services as professionals a few years ago to promote ourself. How to find the right idea to promote ourself? Via podcasts, blogs, mentors & continuous feedback.  Often security people act like the actors doing the promotion of Hollywood movies: they visit many places, are facing the same questions and constantly repeat the same sentences. Same message is broadcasted again & again. But what makes a good infosec guy? Javaad showed two pictures of Fish & Chips. Prepared with the same food but presented differently.  The same may apply with blogs: a blog post could be a very good research but badly presented. Also, the message we have to deliver is often bad news: “you got owned“, “you lost data“, etc. Then the procrastination and comfort zone are part of the game. Being a “public” man forces you to remain visible. Question to the audience: Who has a blog and did not updated it for a long time”. I personally know this feeling. We make this on our free time but have wife, kids. Another tip: “Do not feed the troll“. There is a difference between trolling and criticism. Javaad’s receipt was:

• He discovered himself
• He created his own rules
• He believed

Excellent non-technical presentation but with true content and lot of fun.

The third talk was presented by my friend Chris John Riley: “Defense by Numb3r5” or “Making problems for script k1d13s and scanner monkeys“. Chris started with a description of the use of HTTP return codes. You know the 2xx, 3xx, etc. Some are common, others less like 206 which means “partial content“. Most of them are defined in the RFC 2616 and divided on five classes of response:

• 1xx (info)
• 2xx (success)
• 3xx (redirection)
• 4xx (client error)
• 5xx (server error)

Personally, I like the 402 – “payment required“. Chri’s question is why talk about numbers? For security reason of course. What can we do with them? Unpredicatability is at your advantage in your defense layer. Increase attacker costs, delay operations. There was already some ideas about this topic but not very deeply analysed. So, how to use this? Browsers have to be flexible. This leads to interpretation! But wait, there are RFC for that? They’re more than a guideline. What can possibly go wrong? Chris made some testing using a MitM proxy written in Python. Goal of this proxy: If the response code is not 200, respond with a 200 . A exampe of script is available on his blog:

http://catch22insecurity.com/POC/respcode.php?code=200

Chrome, Firefox and Internet Explorer were tested against all codes with HTML, Iframe & JavaScript pages. What a surprise: They interpret differently. Codes are often associated with headers. Ex: 302 & Location:. If headers are missing, what’s happening?  What can we do with this:

• Browser fingerprinting (UA can be spoofed but behaviour no)
• Proxy detection

Let’s put all the stuff together. Simply fuck with things and defeate attackers (slowing down, case false positives/negatives etc). By changing the answers to HTTP requests performed by crawlers and scanners, Chris demonstrated the different kinds of results with, depending on the cases, many false positives or false negatives. Finally, he had the idea to write an HTTP Tarpit: attacks detected by a WAF are send to a bad list to the server which rewrites all the responses to those IP’s. Even more funny, Metasploit performs attacks also based on HTTP response code (>800 occurrences found in the code). Chris’s concluion: “No match, no shell“. Script kiddies go away! The MitM proxy code is available here.

After a sunny lunch break outside and some Club-Mate, my schedule continued with Stephen Bonner and his “Make cyber-love not cyber-war” talk. Based on slides with pictures only, Stephen reviewed the current situation of cyber-war and explained why he does not like this expressions. Very good speaker, good interactivity with the audience but I was not attracted by the topic.

Then followed “Pentest automation – Helping you to get to the pub on time” with Rory McCure. The goal of this talk was to review different ways to optimise your time during pentesting activities to go back early to home … or to the pub! Rory started with a general question: Why automate?

• To save time!
• Repetition is boring and we are all lazy people
• For accuracy: how to not miss interesting stuff?
• To encode your knowledge! If you script it, you won’t forget what you learned

It’s a fact, if you’re a pentester, you must be able to write some code. The next question which will arise is: In which language(s)? Rory’s recommendation is to pick up one and stick to it. How to choose? The language should be

• Dynamic
• Provide an Interactive shell
• Focus on development speed
• And have a good 3rd party library support (to easily add extra features to your scripts).

Another tip: use source code control (subversion, git, etc), it will save you time and headaches. To better learn, find real examples you need to solve. Then Rory reviewed some nice scenarios where scripts can be helpful. His examples were written in Ruby:

• Expanding a subnet in an IP addresses list. Easy but so convenient
• Writing a template using the ‘mechanize‘ Ruby library to automate a dual-steps authentication process.
• Parsing the output of tools like nmap.

Scripts can also be used to automate very boring tasks: reporting! Major security tools can be extended using plugins or extensions (whatever you name them). Think about Metasploit or Burpsuite. Contribute and add your own code to automate your tasks. A final remark to the presentation: If infosec guys complain about the bad quality of code delivered by customers, they are also writing bad code to automate their tasks. Try to write secure code yourself! The examples reviewed by Rory are available on his github account.

The last talk was the one of Alex Polychronopoulos about “Going Stealth: Staying off your AV  radar“. Again an interesting topic for pentesters who have to fight often with anti-virus programs and try to evade their detection mechanisms. Today’s AV features are:

• Detection
• Identification
• Disinfection
• Some of them implement more funky stuff like built-in IDS, browser add-on, etc ($VENDORS have always plenty of ideas)

Anti-virus evasion sometimes can be quite easy (some files are simply not scanned like *.tmp or *.ocx files) and less than 5% of new threats are detected. Alex reviewed the different type of analysis. Static analysis is not efficient today. Detection based on signatures are out of business for new threats. The code can be easily obfuscated (via “packers“). Today, dynamic analysis is better (it executes the malicious code and observes its behaviour) but the main weakness of emulators is… the emulation! The malware can slow down execution (using multiple sleep() calls), use uncommon CPU instruction sets or simply detect the emulator (and not perform any malicious activity). How to evade? First tip: See big! Most anti-virus have a file size limit for performance reasons. Second,  what about destroying the AV itself? After all it’s also a software like any other with bugs.  Research is always helpful to find new evasion techniques. What about packers? Their goal is to produce a new executable from… an executable and make it more difficult to be detected by AV. Problem: they do not like self modifying code! Better packers encrypt the code. The key can be randomised for each payload (polymorphism). If you don’t like encryption, use your math classes and implement other algebra transformations to build a better packer. Don’t forget to hide your strings! (can also be used a signatures). Don’t forget that any packer, best of all, will always become a signature at a time. What about metamorphism? Examples: Use random registers, substitute instructions, randomly add track code. Put all this techniques together to write your best packer. Interesting stuff but lacking of real examples. Some packed files passed through antivirus would be funny (with a low detection rate of course).

In parallel to the regular tracks, the rookie track given the stage to new coming speakers. There was some interesting topics like:

• Blinking hell – Data extraction through keyboard lock states
• External assessments
• ICMP – The proxy your admin hates to block

I hope that slides will be released soon! Kudos to the BsidesLondon team for the great event!

After some beers at the after party, I went out for a dinner with friends to discuss about security arround Italian food. Tomorrow, let’s dive into the $VENDORS jungle at InfoSecurity Europe before travelling back to Belgium!

The last weekend, an ethical hacking event was organised in Belgium. The Hacknowledge Contest joined Charleroi and was hosted at the CPEHN. This event was previously organised only in France thanks to the initiative of the ACISSI. Last year, they decided to open their challenges to other countries. The current list of participating countries is: Côte d’Ivoire, Maroc, Benelux, Espagne and France. The organisers are already looking to extend their list with other countries. If you are interested, maybe contact them.

Initally, I registered a small team with a colleague and finally we were five ethical hackers/friends to participate as “UID(0)“. So, we joined Charleroi Saturday afternoon to attend a bunch of small talks around information security. Small event and a relaxed atmosphere. The covered topics were:

After a break and the registration of all teams, the challenges started for a period of 12 hours (Saturday 10PM to Sunday 10AM). No CTF, no blue team nor read team but a list of challenges to solve similar to the SANS Netwars. Each challenge solved gives you points. Seventy challenges  were  categories were split in the categories like:

• Web technologies
• Crypto
• Network
• Forensics
• Hardware (lockpicking, Teensy, barcodes, …)

It was very friendly with good times, music. We finished at the third position but very close to the second team… Only the first two teams won, too bad! The final contest will be organised in France and the winning team will receive a very nice price: a trip all-inclusive to Las Vegas to attend the DefCON security conference!

I don’t often participate to events like this one. I liked the limited number of teams (5) and the friendly atmosphere between the team. Not too small, not too big, well organized. The event was also covered by some Belgian media.

My current environment is:

• Ubuntu 12.04-LST (fully patched)
• SET 5.0.2 (installed from the git repository)
• Metasploit 4.6

After the SET upgrade, I faced the following error when launching Metasploit from SET (full error dumped to allow the Google crawler to do its job)

set:phishing> Setup a listener [yes|no]:yes
/opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `fastlib_original_require': no such file to load -- active_support/concern (LoadError)
 from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `require'
 from /opt/metasploit/apps/pro/msf3/lib/msf/core/module_manager/cache.rb:4
 from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `fastlib_original_require'
 from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `require'
 from /opt/metasploit/apps/pro/msf3/lib/msf/core/module_manager.rb:27
 from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `fastlib_original_require'
 from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `require'
 from /opt/metasploit/apps/pro/msf3/lib/msf/core/framework.rb:66
 from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `fastlib_original_require'
 from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `require'
 from /opt/metasploit/apps/pro/msf3/lib/msf/core.rb:34 
 from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `fastlib_original_require'
 from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `require'
 from /opt/metasploit/apps/pro/msf3/lib/msf/ui/console/driver.rb:2
 from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `fastlib_original_require'
 from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `require'
 from /opt/metasploit/apps/pro/msf3/lib/msf/ui/console.rb:11
 from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `fastlib_original_require'
 from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `require'
 from /opt/metasploit/apps/pro/msf3/lib/msf/ui.rb:11
 from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `fastlib_original_require'
 from /opt/metasploit/apps/pro/msf3/lib/fastlib.rb:374:in `require'
 from /opt/metasploit/apps/pro/msf3//msfconsole:136

Metasploit was running fine when started manually from the command line. Google found a thread on a forum about the same kind of problem. The suggestion was to setup the right environment for Metasploit using the setenv.sh script. Note: Be sure to execute the script using ‘source‘ otherwise a new shell will be spawned and closed immediately without changing your environment:

# source /opt/metasploit/scripts/setenv.sh
# se-toolkit

Same issue, I tried to load ‘active_support/concern’ manually, it worked:

# ruby
require('active_support/concern')
^D
#

Finally, I upgraded the installed Ruby gems with the following command:

# gem update `gem list | cut -d ' ' -f 1`

And the problem was solved! Don’t ask me why, I did not dive into the code and I’m not a Ruby guru it worked for me. If you are facing the same problem, think about upgrading your Gems. Just sharing…

Here is my list of installed Gems:

# gem list

*** LOCAL GEMS ***

actionmailer (3.2.13, 3.2.11)
actionpack (3.2.13, 3.2.11)
activemodel (3.2.13, 3.2.11)
activerecord (3.2.13, 3.2.11)
activeresource (3.2.13, 3.2.11)
activesupport (3.2.13, 3.2.11)
acts_as_list (0.2.0, 0.1.5)
arel (4.0.0, 3.0.2)
authlogic (3.3.0, 3.1.0)
bigdecimal (1.1.0)
bson (1.8.5, 1.6.4)
bson_ext (1.6.1)
builder (3.2.0, 3.0.4)
bundler (1.3.5, 1.1.2)
carrierwave (0.8.0, 0.7.0)
chunky_png (1.2.8, 1.2.6)
coderay (1.0.9, 1.0.8)
compass (0.12.2)
daemons (1.1.9, 1.1.8)
erubis (2.7.0)
eventmachine (0.12.10)
formtastic (2.2.1, 2.1.1)
fssm (0.2.10, 0.2.9)
hike (1.2.2, 1.2.1)
i18n (0.6.4, 0.6.1)
ice_cube (0.10.0, 0.9.1)
io-console (0.3)
journey (1.0.4)
jquery-rails (2.2.1, 2.1.3)
json (1.7.7, 1.6.6, 1.6.5, 1.5.4)
kaminari (0.14.1, 0.14.0)
libv8 (3.16.14.1, 3.11.8.17 x86_64-linux, 3.3.10.4 x86_64-linux)
liquid (2.5.0, 2.3.0)
mail (2.5.3, 2.4.4)
method_source (0.8.1)
mime-types (1.22)
minitest (4.7.2, 2.5.1)
msgpack (0.4.6 ruby)
multi_json (1.7.2, 1.5.0)
nokogiri (1.5.2 ruby)
pg (0.13.2 ruby)
polyglot (0.3.3)
pry (0.9.12, 0.9.10)
rack (1.4.5, 1.4.1 ruby)
rack-cache (1.2)
rack-ssl (1.3.3, 1.3.2)
rack-test (0.6.2)
rails (3.2.13, 3.2.11)
railties (3.2.13, 3.2.11)
rake (10.0.4, 10.0.3, 0.9.2.2)
rdoc (4.0.1, 3.12, 3.9.4)
ref (1.0.4)
robots (0.10.1)
sass (3.2.7, 3.2.1)
slop (3.4.4, 3.3.3)
sprockets (2.9.2, 2.2.2)
state_machine (1.2.0, 1.1.2)
therubyracer (0.9.10)
thin (1.3.1)
thor (0.18.1, 0.16.0)
tilt (1.3.7, 1.3.3)
treetop (1.4.12)
tzinfo (0.3.37, 0.3.35)

Dear readers, I’ve some gifts for you! I’m very proud (and surprised!) to have been nominated to the European Security Bloggers Awards in two categories: “Best Personal Security Blog” and “Best Security EU Twitter“. To thank you for these nominiations (and first of all for reading/following me), I’ve some tickets to distribute for two nice security events in Paris (DisneyLand Convention Center).

The first one is Hack In Paris which will be held from 17th to 21st of June. Then, La Nuit du Hack will follow during the weekend. Both are very good events with renowned international speakers. To give you an idea, have a look at my 2012 wrap-ups (day 1 and day 2). A first version of schedule has already been published. The organizers provided me 2 x 10 tickets for both conferences. It won’t be fair to simply distribute them to the first comers so here is a small contest! Answer the following question: (tip: the answer is on my blog)

“After the last edition of BlackHat Europe in Barcelona, I waited my flight back to home with a good friend of mine. Who is it?”

Send your answer by email only to xavier[at]rootshell[dot]be. The following information must be provided in the mail:

• Subject: Contest HIP/NDH 2013
• My friend’s nick, Twitter or full name
• Your ticket preference (HIP, NDH or both)

Good luck! Some rules:

• Be sure to attend the conference (in Paris, June 2013) and not waste tickets
• Travel & hotel costs are not covered and must be paid by the winners
• HIP tickets are not valid for trainings (only talks)

This year, I won’t be able to attend the conference during the week. But I will join Paris for the weekend, see you there!

PS: Don’t forget to vote!