HITB Armory – By ToolsWatch & Opposing Force

Date: Nov 27 & 28

Time: 9am – 6pm

Overview

Organized in collaboration with Tools Watch and Opposing Force, the HITB Armory is a brand new dedicated area where independent researchers will get to show off their projects, run their demos and allow you to play around with their awesome security tools!

Selected from a Call for Tools process, researchers will have 30 minutes to present their tools onstage, followed by a 3-hour demonstration session at the exhibition space within the HITB Armory area itself.

The HITB Armory is free and open-to-public, so feel free to drop by anytime to check out the tools on showcase!

HITB Armory – Tools Showcase Schedule

27 November 2018

Demo session 10:00 – 13:00 (onstage presentation time in square brackets):
Booth 1: Capture This: Real Time Packet Processing with FPGAs (Matteo Collura) [14:00 – 14:30]
Booth 2: Hardware security multidimensional attack and defense tool set (Jie Fu) [15:00 – 15:30]
Booth 3: Virtualizing IoT with code coverage guided fuzzing (Kai Jern Lau & Dr. Anh Quynh) [16:00 – 16:30]
Booth 4: Archery: Open Source Vulnerability Assessment and Management (Anand Tiwari) [presented on 28th]
Booth 5: aclpwn.py – Advanced ACL exploitation with BloodHound (Dirk-jan Mollema) [presented on 28th]
Booth 6: Dejavu – Deception Simplified (Bhadreshkumar Patel & Harish Ramadoss) [presented on 28th]

Demo session 14:00 – 17:00 (onstage presentation time in square brackets):
Booth 1: Faraday v3 (Emilio Couto) [10:00 – 10:30]
Booth 2: Kurukshetra – Playground for interactive Security Learning (Anirudh Anand) [11:00 – 11:30]
Booth 3: IoT-Home-Guard: A tool for malicious behavior detection in IoT devices (Qinghao Tang & Yuan Zhuang) [12:00 – 12:30]
Booth 4: Finite State Iotasphere: IoT Firmware Vulnerability Discovery Platform (Nicholas Vidovich) [presented on 28th]
Booth 5: Infernal Wireless – Automated Wireless Penetration Testing Suite (Mukhammad Khalilov) [presented on 28th]
Booth 6: SigPloit: A New Signaling Exploitation Framework (Loay Abdelrazek) [presented on 28th]

28 November 2018

Demo session 10:00 – 13:00 (onstage presentation time in square brackets):
Booth 1: Faraday v3 (Emilio Couto) [presented on 27th]
Booth 2: Kurukshetra – Playground for interactive Security Learning (Anirudh Anand) [presented on 27th]
Booth 3: IoT-Home-Guard: A tool for malicious behavior detection in IoT devices (Qinghao Tang & Yuan Zhuang) [presented on 27th]
Booth 4: [CANCELLED] Finite State Iotasphere: IoT Firmware Vulnerability Discovery Platform (Nicholas Vidovich) [N/A]
Booth 4: aclpwn.py – Advanced ACL exploitation with BloodHound (Dirk-jan Mollema) [presentation time not listed]
Booth 5: Infernal Wireless – Automated Wireless Penetration Testing Suite (Mukhammad Khalilov) [15:00 – 15:30]
Booth 6: [MOVED] SigPloit: A New Signaling Exploitation Framework (Loay Abdelrazek) [14:00 – 14:30]

Demo session 14:00 – 17:00 (onstage presentation time in square brackets):
Booth 1: Capture This: Real Time Packet Processing with FPGAs (Matteo Collura) [presented on 27th]
Booth 2: Hardware security multidimensional attack and defense tool set (Jie Fu) [presented on 27th]
Booth 3: Virtualizing IoT with code coverage guided fuzzing (Kai Jern Lau & Dr. Anh Quynh) [presented on 27th]
Booth 4: Archery: Open Source Vulnerability Assessment and Management (Anand Tiwari) [10:00 – 10:30]
Booth 5: SigPloit: A New Signaling Exploitation Framework (Loay Abdelrazek) [11:00 – 11:30]
Booth 6: Dejavu – Deception Simplified (Bhadreshkumar Patel & Harish Ramadoss) [12:00 – 12:30]

There will be an extra talk on the 28th at 16:00 by Cristofaro Mune, demoing Remote IoT Timing Attacks from his talk:

COMMSEC: System-level Threats: Dangerous Assumptions in Modern Product Security


Tools Overview

Archery: Open Source Vulnerability Assessment and Management — Anand Tiwari

Archery is an open-source vulnerability assessment and management tool that helps developers and pentesters perform scans and manage vulnerabilities. Archery uses popular open-source tools to perform comprehensive scanning of web applications and networks. It also performs dynamic authenticated web application scanning and covers whole applications by using Selenium. Developers can also use the tool in their DevOps CI/CD environment.

The main capabilities of Archery include:

  • Perform web and network vulnerability scanning using vulnerability scanner tools.
  • Correlate and collate all raw scan data and show it in a consolidated manner.
  • Perform authenticated web scanning.
  • Perform web application scanning using Selenium.
  • Automate your scanners.
  • Vulnerability management covering web, network and mobile applications.
  • REST APIs for developers to perform scanning and vulnerability management.
  • Useful for DevOps teams for vulnerability management.

Other Information

Archery was created using the Django framework, which gives us the flexibility to easily integrate Python scripts. It can also be easily deployed on servers, or users can run it locally for their own purposes. The tool was created to perform vulnerability assessment and management. The idea behind it is to collect all vulnerabilities in one place and manage them easily.

https://github.com/archerysec/archerysec


aclpwn.py – Advanced ACL exploitation with BloodHound — Dirk-jan Mollema

Ever since ACL collection was introduced in BloodHound, it is easier than ever to find misconfigured permissions on Active Directory objects. Users that have permissions to add members to sensitive groups, Exchange servers that have full control of the domain object, or permissions that are too broadly delegated are just a few examples of this. ACLs are, however, complex to understand and exploit. Aclpwn.py aims to make it easier to exploit ACL-based attack paths, gain Domain Admin (or just get enough permissions to obtain the krbtgt account hash and print yourself a golden ticket), and safely revert the changes again afterwards. It does this by integrating with BloodHound via the APIs offered by Neo4j. It has built-in path-finding methods that use Dijkstra's algorithm to find the shortest path from the accounts you control to the objective you want to achieve. Once a path is found, Aclpwn.py automatically walks through the chain, modifying object permissions and adding users to groups where necessary. When you have achieved your goal you just run the tool again and it will revoke the permissions and restore the original state. This can all be achieved through just a SOCKS tunnel into the client network, running the exploitation from your Command and Control host with BloodHound installed. Since the tool is fully written in Python, it can be run from any operating system and only requires you to have NTLM hashes of the accounts to perform the attacks.

Other Information
This is a completely new tool that integrates with BloodHound to exploit Active Directory misconfigurations. It will be released under an open source MIT license. The release will contain several pages of documentation on the different pathfinding techniques, the way the tool works internally and on how to use the different command line parameters.
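The two ideas the abstract rests on, shortest-path search over BloodHound-style ACL edges and a change log that can be replayed backwards, can be shown on a toy graph. The following is an added example written for this page, not aclpwn.py's own code: the principals, edges and edge costs are constructed, and the directory is an in-memory stand-in for LDAP, whereas the real tool reads the graph from Neo4j and makes the changes over the network.

```python
"""Added example (not aclpwn.py's own code): Dijkstra over a constructed
BloodHound-style ACL graph, then walk the path as reversible changes against
an in-memory stand-in for the directory. Principals, edges and costs are made up."""
import heapq

# Assumed edge costs: cheaper edges mean fewer or less intrusive modifications.
EDGE_COST = {"MemberOf": 0, "AddMember": 1, "GenericAll": 1, "WriteDacl": 2}

# Constructed edge list in BloodHound's (source, target, relationship) shape.
EDGES = [
    ("alice@corp.local", "helpdesk@corp.local", "MemberOf"),
    ("helpdesk@corp.local", "it-admins@corp.local", "AddMember"),
    ("it-admins@corp.local", "corp.local", "WriteDacl"),
    ("bob@corp.local", "corp.local", "GenericAll"),
]

# Rights that let the holder DCSync the domain (the krbtgt-hash route in the abstract).
DCSYNC_RIGHTS = ("DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All")


def shortest_path(edges, start, goal):
    """Dijkstra from start to goal; returns [(src, dst, edge_type), ...] or None."""
    adj = {}
    for src, dst, etype in edges:
        adj.setdefault(src, []).append((dst, etype))
    dist, prev, heap = {start: 0}, {}, [(0, start)]
    while heap:
        cost, node = heapq.heappop(heap)
        if node == goal:
            break
        if cost > dist[node]:
            continue  # stale heap entry
        for nxt, etype in adj.get(node, []):
            new_cost = cost + EDGE_COST[etype]
            if new_cost < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = new_cost, (node, etype)
                heapq.heappush(heap, (new_cost, nxt))
    if goal not in dist:
        return None
    path, cur = [], goal
    while cur != start:
        parent, etype = prev[cur]
        path.append((parent, cur, etype))
        cur = parent
    return path[::-1]


class FakeDirectory:
    """In-memory stand-in for AD: group membership plus (principal, right) ACEs."""

    def __init__(self):
        self.members = {"helpdesk@corp.local": {"alice@corp.local"},
                        "it-admins@corp.local": set()}
        self.dacl = {"corp.local": set()}

    def add_member(self, group, user):
        self.members[group].add(user)

    def remove_member(self, group, user):
        self.members[group].discard(user)

    def grant(self, obj, principal, right):
        self.dacl[obj].add((principal, right))

    def revoke(self, obj, principal, right):
        self.dacl[obj].discard((principal, right))

    def snapshot(self):
        return ({g: frozenset(m) for g, m in self.members.items()},
                {o: frozenset(a) for o, a in self.dacl.items()})


def walk_path(directory, path, attacker):
    """Apply each edge as a change the attacker can make; return the undo log."""
    undo = []
    for _src, dst, etype in path:
        if etype == "MemberOf":
            continue  # already a member, nothing to change
        if etype in ("AddMember", "GenericAll") and dst in directory.members:
            directory.add_member(dst, attacker)
            undo.append(("remove_member", dst, attacker))
        elif etype in ("WriteDacl", "GenericAll") and dst in directory.dacl:
            for right in DCSYNC_RIGHTS:  # on the domain object, grant replication rights
                directory.grant(dst, attacker, right)
                undo.append(("revoke", dst, attacker, right))
        else:
            raise ValueError(f"no handler for {etype} edge to {dst}")
    return undo


def revert(directory, undo):
    """Undo in reverse order so the directory returns to its original state."""
    for step in reversed(undo):
        getattr(directory, step[0])(*step[1:])


def demo(attacker="alice@corp.local", goal="corp.local"):
    d = FakeDirectory()
    before = d.snapshot()
    path = shortest_path(EDGES, attacker, goal)
    undo = walk_path(d, path, attacker)
    can_dcsync = all((attacker, r) in d.dacl[goal] for r in DCSYNC_RIGHTS)
    revert(d, undo)
    return path, can_dcsync, d.snapshot() == before
```

The undo log is the important part: every change is recorded with its inverse at the moment it is made, so a revert that runs after a partial failure still only undoes what was actually changed. On a real domain the equivalent log should be persisted to disk before each change, since a lost log means a permanent modification of the DACL.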


Infernal Wireless – Automated Wireless Penetration Testing Suite — Mukhammad Khalilov

Infernal Wireless is an automated penetration testing suite that helps penetration testers attack wireless networks from one platform, performing various attacks from exploitation to social engineering to password cracking.

The tool integrates an Evil Twin AP, BeEF integration, social engineering via page cloning, live visual access point representation, and data correlation of probes from network-enabled devices.

The tool also incorporates reporting and generation of PDF and HTML outputs.

Other Information
The tool can be downloaded from: https://github.com/entropy1337/infernal-twin


Dejavu – Deception Simplified — Bhadreshkumar Patel & Harish Ramadoss

Deception techniques, if deployed well, can be very effective for organizations to improve network defense and can be a useful part of the blue team's arsenal for detecting attacks at a very early stage of the cyber kill chain. The challenge we have seen, however, is deploying, managing and administering decoys across large networks. Although there are a lot of commercial tools in this space, we have not come across open source tools which can achieve this.

With this in mind, we have developed DejaVu, an open source deception platform which can be used to deploy, configure and administer decoys centrally across the infrastructure. A web-based management console can be used by the defender to deploy multiple interactive decoys (customized web server, Tomcat, SQL, SMB, FTP, SSH, SNMP, ICS-MODBUS, ICS-S7COMM, client side NBNS) strategically across their network on different VLANs. A logging and alerting dashboard displays detailed information about the alerts generated; it can be further configured to generate high-accuracy alerts and to specify how these alerts should be handled.

Decoys can also be placed on client VLANs to detect client-side attacks such as Responder/LLMNR attacks, using client-side decoys.

Additionally, the services adversaries commonly abuse for an initial foothold, such as Tomcat or SQL Server, can be deployed as decoys along with digital breadcrumbs, luring the attacker and enabling detection.

Other Information

The tool was presented at Black Hat and DEF CON in August 2018. Since then we have made additions to the platform and improved existing functionality, which we would be excited to showcase at HITB. We would also like to discuss how DejaVu can be used to detect an adversary during the various phases of the cyber kill chain.

Additions made :

  • Breadcrumbs: generate PowerShell scripts to add decoys to the domain, create honeyhash and kerberoast tokens
  • Personalized threat intelligence: add decoys to the DMZ which can serve as a personalized threat intelligence feed
  • New SCADA/ICS decoys: Modbus, ICS-S7COMM
  • Log aggregation: new dashboard to view events in an aggregated manner, better/easier for the analysts monitoring

https://github.com/bhdresh/Dejavu
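The client-side decoy idea mentioned above (catching Responder-style LLMNR poisoning) can be demonstrated without any of DejaVu's infrastructure. The following is an added example written for this page, not DejaVu's code: a host sends an LLMNR query for a canary name that no real machine carries, and any answer is treated as a poisoning attempt. The canary name, the transaction ID and the sample reply are constructed; the LLMNR multicast group and port are the protocol's standard values.

```python
"""Added example, not DejaVu's own code: a client-side LLMNR decoy. A host asks
the LLMNR multicast group for a name that does not exist on the network; a
legitimate network never answers, so any reply means something (Responder,
for instance) is poisoning name resolution. Canary name, transaction ID and
the sample poisoned reply are constructed."""
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355
CANARY = "fileshare-canary"  # assumed: no real host carries this name


def encode_name(name):
    """DNS-style label encoding, which LLMNR reuses."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_query(name, txid=0x1337):
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)  # flags 0, QDCOUNT 1
    return header + encode_name(name) + struct.pack(">HH", 1, 1)  # type A, class IN


def decode_name(data, off):
    """Decode labels starting at off; follows compression pointers."""
    labels = []
    while True:
        ln = data[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:
            ptr = struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF
            name, _ = decode_name(data, ptr)
            labels.append(name)
            return ".".join(labels), off + 2
        labels.append(data[off + 1:off + 1 + ln].decode())
        off += 1 + ln


def parse_answers(pkt):
    """Return (txid, flags, [(name, ipv4, ttl), ...]) for the A records in pkt."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(pkt, off)
        off += 4  # skip QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = decode_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata), ttl))
    return txid, flags, answers


def check_response(query_txid, canary, pkt, src_ip):
    """Alert dict if pkt is a response that answers the canary name, else None."""
    txid, flags, answers = parse_answers(pkt)
    if txid != query_txid or not flags & 0x8000:  # not our query, or not a response
        return None
    for name, ip, ttl in answers:
        if name.lower() == canary.lower():
            return {"alert": "LLMNR poisoning", "responder": src_ip,
                    "name": name, "claimed_ip": ip, "ttl": ttl}
    return None


def constructed_poison_reply(txid, name, ip):
    """Constructed sample of a poisoner's reply: response flag set, one A record."""
    header = struct.pack(">HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack(">HH", 1, 1)
    answer = encode_name(name) + struct.pack(">HHIH", 1, 1, 30, 4) + socket.inet_aton(ip)
    return header + question + answer


def probe_once(timeout=2.0):
    """Send one canary query on the live network and collect alerts (needs a LAN)."""
    txid, alerts = 0x1337, []
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(CANARY, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _port) = sock.recvfrom(4096)
            alert = check_response(txid, CANARY, data, src)
            if alert:
                alerts.append(alert)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return alerts
```

Run probe_once() from a scheduled task on a decoy workstation in the client VLAN; the transaction-ID check keeps unrelated LLMNR traffic from raising alerts, and the source address in the alert is the poisoner's host, which is exactly what a blue team wants to pivot on.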


Faraday v3 — Emilio Couto

The idea behind Faraday is to help you to share all the information that is generated during a pentest, vulnerability assessment or scan without changing the way you work. You run a command, import a report, and Faraday will normalize the results and share them with the rest of the team in real-time. Faraday has more than 60 plugins available (and counting), including the most popular commercial and open-source tools. If you use a tool that Faraday doesn’t have a plugin for, you can create your own! During this presentation we’re going to release Faraday v3 with all the new features that we were working on for the last couple of months that include a huge back-end change.

Link: https://github.com/infobyte/faraday


Kurukshetra – Playground for interactive Security Learning — Anirudh Anand

Kurukshetra is a web framework developed with the aim of being the first open source framework to provide a solid foundation for hosting reasonably complex secure coding challenges, where developers can learn secure coding practices in a hands-on manner. It is composed of two components: the backend framework, written in PHP, which manages and leverages the underlying Docker system to provide a secure sandbox for challenge execution, and the frontend, a user-facing web app providing all the necessary controls for the admin to host and modify challenges and for the user to execute and view the result of each of their inputs.

Online Demo: https://kurukshetra.io/

Full Documentation: https://docs.kurukshetra.io/

Github: http://github.com/a0xnirudh/kurukshetra/


IoT-Home-Guard: A tool for malicious behavior detection in IoT devices — Yuan Zhuang

IoT devices, especially secondhand and rental devices, are under threat of malware implant attacks by anyone with physical access. Once IoT devices are compromised, hackers can turn them into snooping devices. From a defensive perspective, there are no solutions to detect Trojans in IoT devices.

We present IoT-Home-Guard, a hardware device to detect malicious behaviors of Trojans in IoT devices, such as audio/video snooping and remote control. It consists of four parts: a data flow catcher, a traffic analyzing engine, a device fingerprint database and a web server. Features of network traffic are extracted by the traffic analyzing engine and compared with the pre-built device fingerprint database to detect malicious behaviors.

In other research, we were able to implant Trojans in eight devices, including smart speakers, IP cameras, routers, driving recorders and mobile translators. We collected characteristics of those devices and ran IoT-Home-Guard. All devices with implanted Trojans were detected. We believe that malicious behaviors of more devices can be identified with high accuracy once the fingerprint database is supplemented.

The first-generation IoT-Home-Guard is a hardware device based on a Raspberry Pi with wireless network interface controllers. We will build custom hardware for the second generation. The software part is available on our GitHub: https://github.com/arthastang/IoT-Home-Guard. The system can also be set up on a laptop with the software part after the essential environment configuration.

Other Information
See details at README.md in https://github.com/arthastang/IoT-Home-Guard
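The detection principle in the abstract, extract traffic features per device and compare them with a pre-built fingerprint, is shown below as an added example written for this page; it is not IoT-Home-Guard's code and the fingerprint format is an assumption, since the page does not describe the tool's database. The device, its baseline and the flow records are all constructed, with the last three flows standing in for the two behaviours the abstract names: a bulk upload to an unknown host (snooping) and an inbound connection to the device (remote control).

```python
"""Added example, not IoT-Home-Guard's own code: extract per-device traffic
features from flow records and compare them with a per-device fingerprint,
flagging what a snooping or remotely controlled device would do. The device,
fingerprint format and flows are constructed."""
from collections import defaultdict

# Constructed fingerprint for one smart speaker (format is an assumption).
FINGERPRINTS = {
    "speaker-01": {
        "outbound": {("cloud.speaker.example", 443), ("time.example.net", 123)},
        "inbound_ports": set(),              # the device should accept no connections
        "max_upload_bytes_per_min": 50_000,  # an idle speaker sends little upstream
    },
}

# Constructed flow records: (minute, device, peer_host, port, direction, bytes_from_device).
# For "out" flows, port is the remote port; for "in" flows it is the device-side port.
FLOWS = [
    (0, "speaker-01", "cloud.speaker.example", 443, "out", 12_000),
    (0, "speaker-01", "time.example.net", 123, "out", 96),
    (1, "speaker-01", "cloud.speaker.example", 443, "out", 9_500),
    (2, "speaker-01", "203.0.113.7", 8443, "out", 640_000),  # bulk upload to unknown host
    (2, "speaker-01", "203.0.113.7", 8443, "out", 580_000),
    (3, "speaker-01", "198.51.100.9", 4444, "in", 2_100),    # someone connecting in
]


def extract_features(flows):
    """Per device: outbound endpoints, inbound listener ports, upload bytes per minute."""
    feats = defaultdict(lambda: {"outbound": set(), "inbound_ports": set(),
                                 "upload_per_min": defaultdict(int)})
    for minute, dev, host, port, direction, nbytes in flows:
        f = feats[dev]
        if direction == "out":
            f["outbound"].add((host, port))
            f["upload_per_min"][minute] += nbytes
        else:
            f["inbound_ports"].add(port)
    return feats


def detect(flows, fingerprints):
    """Compare extracted features with each device's fingerprint; return alerts."""
    alerts = []
    for dev, f in extract_features(flows).items():
        fp = fingerprints.get(dev)
        if fp is None:
            alerts.append((dev, "no fingerprint", ()))
            continue
        for endpoint in sorted(f["outbound"] - fp["outbound"]):
            alerts.append((dev, "unexpected outbound endpoint", endpoint))
        for port in sorted(f["inbound_ports"] - fp["inbound_ports"]):
            alerts.append((dev, "unexpected inbound connection", port))
        for minute, nbytes in sorted(f["upload_per_min"].items()):
            if nbytes > fp["max_upload_bytes_per_min"]:
                alerts.append((dev, "upload volume above baseline", (minute, nbytes)))
    return alerts
```

The per-minute upload threshold is what catches a microphone or camera being streamed out even when the implant reuses a known destination; the endpoint and inbound checks catch the command channel. Both baselines have to be learned from a device that is known to be clean, which is why the abstract stresses building the fingerprint database first.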


Finite State Iotasphere: IoT Firmware Vulnerability Discovery Platform — Nicholas Vidovich

Iotasphere is a firmware analytics platform designed to give users the ability to reverse engineer their IoT device firmware. The platform performs large-scale firmware analytics including: automated unpacking, metadata collection, file hashing, password hash cracking to identify default credentials, software version identification, file similarity scoring across the entire firmware catalog and CVE correlation.

Iotasphere is a first-of-its-kind platform allowing users to truly understand the threats introduced by their network-enabled embedded devices. With over 200,000 pre-analyzed firmware images from 74 manufacturers including Netgear, Polycom, Sonos, Trendnet, and Ubiquiti, Iotasphere allows you to start immediate analysis. Whether you're Blue, Red, Purple or Pink teaming, Iotasphere has you covered with the ability to drill down into the target's filesystem and see an overview of published vulnerabilities and public exploit code.

If you're serious about your IoT security posture, Iotasphere goes even further by enabling custom vulnerability discovery flows via binary vulnerability analysis backed by the Binary Ninja Intermediate Language, grinding through x86, MIPS, and ARM binaries to uncover potential 0-day vulnerabilities.

Not interested in binary targets? Iotasphere has you covered with custom language analysis support for shell scripts, PHP, and JavaScript. Identify back doors, hard-coded credentials, client-side vulnerabilities, command injection vectors, and authentication bypasses.

Iotasphere also uncovers code reuse, a massive problem in the IoT domain where multiple vendors use core software components from Broadcom, Ralink, Marvell and other chip manufacturers and bolt on minor modifications. Iotasphere exploits this market trend to attribute published CVEs to devices previously unknown to be affected by the CVE, turning N-days into 0-days.

With Iotasphere, IoT security is possible, and it's happening now.
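The catalog-wide mechanics the abstract describes (hash every unpacked file, score images by shared hashes, pull version banners, and let a finding on one file hash propagate to every image that ships the identical file) are small enough to show directly. The following is an added example written for this page, not Iotasphere's code: the three "unpacked" images are constructed byte strings rather than real firmware, the finding label is a placeholder and carries no CVE identifier, and no binary analysis is attempted.

```python
"""Added example, not Iotasphere's own code: hash files across a set of
constructed firmware images, score image similarity on shared file hashes,
extract a version banner, and propagate a finding attached to one file hash
to every image that contains the identical file (code-reuse attribution)."""
import hashlib
import re

# Constructed "unpacked" images: image name -> {path: file content}.
IMAGES = {
    "vendorA-router-1.0": {
        "bin/busybox": b"BusyBox v1.22.1 (2014-09-12 10:20:11 UTC) multi-call binary",
        "usr/sbin/httpd": b"\x7fELF...httpd-build-17...",
        "etc/banner": b"Vendor A Router",
    },
    "vendorB-ap-2.3": {
        "bin/busybox": b"BusyBox v1.22.1 (2014-09-12 10:20:11 UTC) multi-call binary",
        "usr/sbin/httpd": b"\x7fELF...httpd-build-17...",  # byte-identical to vendor A's
        "etc/banner": b"Vendor B Access Point",
    },
    "vendorC-cam-4.1": {
        "bin/busybox": b"BusyBox v1.30.1 (2019-02-14 17:11:03 UTC) multi-call binary",
        "usr/sbin/lighttpd": b"\x7fELF...lighttpd...",
    },
}

VERSION_RE = re.compile(rb"BusyBox v(\d+\.\d+\.\d+)")


def hash_image(files):
    """path -> sha256 hex digest for one unpacked image."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def catalog(images):
    return {name: hash_image(files) for name, files in images.items()}


def similarity(hashes_a, hashes_b):
    """Jaccard similarity over the sets of file hashes of two images."""
    ha, hb = set(hashes_a.values()), set(hashes_b.values())
    return len(ha & hb) / len(ha | hb) if ha | hb else 0.0


def busybox_version(files):
    """Version identification by banner regex; None if no BusyBox banner found."""
    for data in files.values():
        m = VERSION_RE.search(data)
        if m:
            return m.group(1).decode()
    return None


def attribute_finding(cat, file_hash, label):
    """Every image that ships a file with this hash inherits the finding."""
    affected = sorted(name for name, hashes in cat.items() if file_hash in hashes.values())
    return {"finding": label, "affected": affected}


def demo():
    cat = catalog(IMAGES)
    sim = similarity(cat["vendorA-router-1.0"], cat["vendorB-ap-2.3"])
    httpd_hash = cat["vendorA-router-1.0"]["usr/sbin/httpd"]
    result = attribute_finding(cat, httpd_hash, "placeholder finding in httpd build 17")
    versions = {name: busybox_version(files) for name, files in IMAGES.items()}
    return sim, result, versions
```

Exact-hash matching is the conservative end of the approach; a production catalog would add fuzzy hashing so that a vendor's minor patch to a shared component does not hide the reuse, which is the case the abstract is really about.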


SigPloit: A New Signaling Exploitation Framework — Loay Abdelrazek

Mobile communication networks use signalling protocols to allow mobile users to communicate using short messages, phone calls and mobile data. Signalling protocols are also used to manage billing for operators, and much more. The design flaws that signalling inherits make it vulnerable to attacks such as subscriber location tracking, fraud, and call and SMS interception. With the high rate of these emerging attacks on telecommunication protocols there is a need for a comprehensive penetration testing framework for signalling. In this talk we will introduce a framework called SigPloit that covers the following protocols: SS7, GTP, Diameter and SIP.


HITB Armory is organised in collaboration with: