HITB Armory

What is HITB Armory

The HITB Armory is where you can see your favourite security tools. You will have access to an exhibit area in which the tools' developers conduct demonstrations for up to 2 hours per day!

Come, meet, ask questions! They are here for you! The goal is to create an easy and relaxed environment in which to talk about the features and tricks of your daily security tools, or to find new ones!

The event is organized by HITB in collaboration with Opposing Force.

Diversity Matters!

HITB Armory Board is committed to creating a conference that is as inclusive as possible. We want to showcase the best security tools available around the world.

We are also committed to ensuring the conference is a place where ideas are exchanged, old friends get together, new friends meet and harassment is not tolerated. We expect speakers, attendees and sponsor representatives to be professional and courteous to each other. We reserve the right to remove, without refund, ANY attendee (speaker or otherwise) who is unable to adhere to this policy.

Talk Schedule

Day 1

Morning Session (10:00 – 12:00):

Lunch Break (13:00 – 14:00)

Afternoon Session (14:00 – 16:00):

Evening Session (16:00 – 18:00):

Day 2

Morning Session (10:00 – 12:00):

Lunch Break (13:00 – 14:00)

Afternoon Session (14:00 – 16:00):

Evening Session (16:00 – 18:00):

Tools Details:

Endpoint Detection Super Powers On The Cheap, With Sysmon And Splunk

(by Olaf Hartong)

In order to become a super hero, able to hunt for bad in your environment, you first need some great powers. Starting blind, you need a means to listen. I will introduce a modular Sysmon configuration to cover your Windows environment, mapped extensively to the ATT&CK framework.
By using the ATT&CK framework as a basis for hunting, the likelihood of catching at least part of the attacker's trail is significantly increased. To make use of this rich data source I will demonstrate a Threat Hunting application which guides your investigation along all covered ATT&CK techniques.

The JOP ROCKET: Mastering Jump-Oriented Programming With A New Code Reuse Attack Framework (https://www.joprocket.com)

(by Bramwell Brizendine & Dr. Josh Stroschein)

This talk will introduce and explain Jump-Oriented Programming (JOP), showcasing the newly released software exploitation framework, the JOP ROCKET. By way of preface, we can observe that Return-Oriented Programming (ROP) has been the predominant mode of code-reuse attack for the last decade, popularized by Mona, from Corelan. Other forms of code-reuse attack have been all but invisible, either novelties or confined to academia; this trend is to be expected given the absence of dedicated tooling to make such attacks feasible. In 2019, Dr. Bramwell Brizendine decided to remedy this need for a dedicated tool and released the JOP ROCKET, a versatile and powerful tool that facilitates finding JOP gadgets, making previously complex code-reuse attack methodology accessible.

Quark Engine: An Obfuscation-Neglect Android Malware Scoring System (https://github.com/quark-engine/quark-engine)

(by JunWei Song, LokJin Sih, AnWei Kung, Chung Hsin Chen & KunYu Chen)

Android malware analysis engines are not a new story. Every antivirus company has its own secrets for building one. Out of curiosity, we developed a malware scoring system from the perspective of Taiwan's Criminal Law, in an easy but solid way.

Following this principle, we developed our order theory of Android malware. We define five stages for deciding whether a malicious activity is being practiced. They are:

1. Permission requested.

2. Native API call.

3. Certain combination of native APIs.

4. Calling sequence of native APIs.

5. APIs that handle the same register.

We not only define malicious activities and their stages but also develop weights and thresholds for calculating the threat level of a malware sample.

Malware has evolved new techniques to make reverse engineering harder. Obfuscation is one of the most commonly used. In this talk, we present a Dalvik bytecode loader combined with the order theory of Android malware to neglect certain cases of obfuscation.

Our Dalvik bytecode loader provides functionality such as finding cross references and calling sequences of native APIs and tracing bytecode registers. The combination of these capabilities (yes, the order theory) not only neglects obfuscation but also matches the design of our malware scoring system perfectly.
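An added illustration of the five-stage order theory described above, written for this page and not Quark Engine's own code: the rule, the API and register names, the cross-reference data, and the stage weights and thresholds are all constructed assumptions; the stages themselves follow the list above.

```python
from dataclasses import dataclass

@dataclass
class Rule:             # one hypothesised malicious activity (constructed)
    name: str
    permissions: frozenset
    api_a: str          # first native API of the pair
    api_b: str          # second native API of the pair
@dataclass
class Call:             # one native API invocation recovered from the bytecode
    method: str         # method (cross reference) that makes the call
    api: str
    register: str       # register holding the object the API handles
def stage_reached(rule, app_perms, calls):
    """Highest of the five stages (0 = none) the app satisfies for `rule`."""
    if not rule.permissions <= app_perms:
        return 0                                   # stage 1: permissions missing
    if not {rule.api_a, rule.api_b} <= {c.api for c in calls}:
        return 1                                   # stage 2: both APIs not called
    stage, by_method = 2, {}
    for c in calls:
        by_method.setdefault(c.method, []).append(c)
    for seq in by_method.values():                 # stage 3: both in one method
        if not {rule.api_a, rule.api_b} <= {c.api for c in seq}:
            continue
        stage = max(stage, 3)
        pairs = [(x, y) for i, x in enumerate(seq) if x.api == rule.api_a
                 for y in seq[i + 1:] if y.api == rule.api_b]
        if pairs:                                  # stage 4: api_a before api_b
            stage = max(stage, 4)
            if any(x.register == y.register for x, y in pairs):
                return 5                           # stage 5: same register
    return stage

STAGE_WEIGHTS = (0, 1, 2, 4, 8, 16)   # constructed: later stages dominate

def threat_score(rules, app_perms, calls):
    return sum(STAGE_WEIGHTS[stage_reached(r, app_perms, calls)] for r in rules)
def threat_level(score, thresholds=(4, 12)):       # constructed thresholds
    return "low" if score < thresholds[0] else "medium" if score < thresholds[1] else "high"

# Constructed sample: a location object read into v3 is later written from v3 to a stream.
RULE = Rule("location exfiltration", frozenset({"ACCESS_FINE_LOCATION", "INTERNET"}),
            "Landroid/location/LocationManager;->getLastKnownLocation",
            "Ljava/io/OutputStream;->write")
SAMPLE_PERMS = frozenset({"ACCESS_FINE_LOCATION", "INTERNET", "WAKE_LOCK"})
SAMPLE_CALLS = [Call("Lcom/example/Svc;->run", RULE.api_a, "v3"),
                Call("Lcom/example/Svc;->run", "Ljava/lang/String;->valueOf", "v3"),
                Call("Lcom/example/Svc;->run", RULE.api_b, "v3")]
```

Reordering the calls, or changing the register of the final write, drops the sample to stage 3 or 4, which is the point of scoring by stage rather than by API presence alone.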

Tenjint: Cross Architecture Virtual Machine Introspection

(by Jonas Pfoh & Sebastian Vogl)

Dynamic analysis is a powerful technique for gaining a deeper understanding of malicious software. This requires executing the malware in a controlled and instrumented environment. Virtual machine introspection (VMI) offers such an environment while providing full visibility into the behavior of the sample and preventing malware from detecting the instrumentation itself. VMI leverages hardware virtualization features to completely isolate the instrumentation from the target, making it difficult for the malware to detect or attack the analysis component. Additionally, the virtualization layer has full view of the virtual hardware and the ability to trap hardware events. This grants the instrumentation the ability to gain a very detailed view of the sample’s behavior while remaining isolated from the malware itself.

Thus far VMI tools have mainly focused on x86, and very few support other architectures. For example, the ARM architecture has supported virtualization since ARMv7, but very few VMI tools support it. With the proliferation of ARM in the embedded market and its rise in the server and laptop markets, the need for a VMI tool that works across both x86 and ARM is immediately apparent. Such a tool should be flexible enough to allow a researcher to manually analyse a malware sample and scalable enough to serve as the basis for large automated dynamic analysis workflows.

To this end we present tenjint, a VMI-based dynamic analysis framework for both the x86 and ARMv8 architectures. tenjint operates completely isolated from the monitored environment while providing full visibility into the analysed system. The platform leverages modified KVM/QEMU components that interact with the tenjint library, written in Python 3. tenjint incorporates an IPython shell for manual analysis as well as a powerful but simple-to-understand Python 3 API for writing custom monitoring or automation tasks.

All Bourbon is Whiskey, But Not all Whiskey is Bourbon (https://github.com/adobe/tripod)

(by Andrei Cotaie & Tiberiu Boros)

From a logging perspective, in either classic or big data scenarios, anomalies are events that occur very rarely in a dataset. Malicious events share a similar trait: if most of the infrastructure is well secured, they are also infrequent entries compared to mainstream log events and activities.
"All Bourbon is Whiskey, but not all Whiskey is Bourbon" is maybe the best analogy to describe the relationship between anomalies and malicious events. All malicious events are anomalies, but not all anomalies are malicious events.
Starting from this supposition, the direct approach is to identify the anomalies in a dataset and search for potential malicious activity within that subset. For log sources that generate up to several million events each hour, the anomaly subset can be as small as a few dozen events, reducing the investigation space drastically.
Our proposed framework is intended to be generic enough to apply to most log types where there is a high (but not necessarily obvious) correlation between the observations.
The framework consists of two main modules:

  1. Transforming the data from a log state (categorical values/strings/text) to a vectorized (numerical) one, using a generic deep-learning approach;
  2. Using anomaly detection on the vectorized format to generate the list of extremely rare events that occur in the dataset.

We will discuss the multiple anomaly detection algorithms we experimented with, as well as how we used Tripod, a recently released open-source machine learning tool from Adobe that we helped develop, and demonstrate how unsupervised learning can be used to compute latent representations for sequences (log entries).

Electronegativity: Identify Misconfigurations And Security Anti-Patterns In Electron Applications (https://github.com/doyensec/electronegativity)

(by Lorenzo Stella)

Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron-based applications (electronjs.org).

This is the first and only tool capable of detecting potential weaknesses and implementation bugs when developing applications using Electron, as recommended in the official security guidelines of the Electron project. Software developers and security auditors can use this tool to create secure desktop applications using web technologies.

After being recently featured in Black Hat Asia 2019 (Preloading Insecurity In Your Electron) and Black Hat USA Arsenal 2019, the tool will be showcased after a major update at the HITB Armory 2020 where we will demonstrate its potential by scanning well-known applications.

After joining the project as a core contributor this year, we recently improved its analysis capabilities with a scope analyzer and comprehensive checks to discard false positives and reduce false negatives. The tool has already helped us find several critical vulnerabilities in many popular Electron apps, such as Wire, Discord and Mattermost.

Come see live demonstrations of Electronegativity hunting Electron applications for vulnerabilities and walk away with an open-source (Apache 2.0) static analysis engine to help secure your Electron applications!

SEC Xtractor: Hardware Exploitation And Firmware Extraction Tool (https://github.com/sec-consult/SEC-Xtractor_Hardware)

(by Thomas Weber & Steffen Robertz)

The SEC Xtractor Assisted Hardware Analysis Tool was originally designed as an internal hardware analysis tool. It was used as an all-in-one solution to dump NAND, NOR, SPI and I²C flash memory chips. Because some chips use different voltage levels, the SEC Xtractor provides the option to adjust the voltage from 3.3V to 1.8V (5V is rarely used today). Its program code is written entirely in standard C, which enables any programmer to modify it without much hardware knowledge. Custom memory chips can also be added to the firmware this way.

Besides reading flash memory chips, the SEC Xtractor has integrated JTAG brute-force functionality with a configurable pin count. UART transmit pins can be found with a passive UART identifier module.
Another capability of the SEC Xtractor is the directly available FT2232H module, which lets the device use OpenOCD and two serial ports out of the box, also with configurable voltage levels.

The Pwning Machine: An Easy-To-Set-Up Pwning Station

(by Lucas Philippe)

Today's services are no longer huge monolithic blocks; we live in the age of containers and microservices. This change in the application development world also changes the way we search for and exploit vulnerabilities. Detection and exploitation have become more and more complex and often rely on out-of-band exploitation, such as:

But setting up and maintaining an environment for this can be tedious and time-consuming, so hunters turn to third-party services for their testing. We see a lot of reports using tools such as XSSHunter or Burp Collaborator; while those tools do a great job, they fail to provide the privacy often required by private bug bounty programs.

Introducing The Pwning Machine, an easy-to-set-up and easy-to-maintain bug bounty environment: an all-in-one, customizable and extensible suite of the tools required by all serious hunters.

During this session, we will address the implementation of The Pwning Machine, the possibilities for integrating new services and their associated configurations, and demonstrations of use cases drawn from "real-world" vulnerabilities.

Dynamic Data Resolver (DDR): IDA DynamoRIO Instrumentation Plugin

(by Holger Unterbrink)

Dynamic Data Resolver IDA plugin: extending IDA with dynamic data
This IDA plugin instruments the binary using the DynamoRIO framework. It can resolve most of the dynamic values for registers and memory locations that are usually missed in static analysis. It helps to find jump targets (e.g. call eax) or interesting strings (e.g. "PE") that are decoded at runtime. You can also instrument the binary so that it dumps interesting buffers and, last but not least, you have several options to patch the binary at runtime to bypass anti-analysis functions.

The plugin can significantly reduce the time needed to analyze malware samples. Additionally, the plugin architecture and the DynamoRIO features open up many interesting opportunities for custom extensions and use cases.