0.4
pts2022
PTS2022
2022-07-04
2022-07-06
3
00:05
https://cfp.pass-the-salt.org/pts2022/schedule/
Europe/Paris
2022-07-04T14:15:00+02:00
14:15
00:35
Amphitheater
pts2022-68-mattermost-end-to-end-encryption-plugin
https://cfp.pass-the-salt.org/pts2022/talk/KTMCGR/
false
Mattermost End-to-End Encryption plugin
Talk
en
This talk will describe the internals of a Mattermost End-to-End Encryption plugin that has been developed at Quarkslab in 2021.
This talk will include:
* the problems we are trying to solve, and the attack models considered
* existing plugins / why make a new one
* the underlying cryptographic protocol and various tradeoffs
* maybe a small demo :)
The plugin is open source here: https://github.com/quarkslab/mattermost-plugin-e2ee. You can also read a blog post about it here: https://blog.quarkslab.com/mattermost-end-to-end-encryption-plugin.html.
It's been battle-tested and used (almost) seamlessly in production at Quarkslab since September 2021, within a team of around 100 people.
See also: [🎥 video](https://passthesalt.ubicast.tv/videos/mattermost-end-to-end-encryption-plugin/)
/media/pts2022/submissions/KTMCGR/logo_sEcFHeq.png
Adrien Guinet, Angèle Bossuat
2022-07-04T14:50:00+02:00
14:50
00:35
Amphitheater
pts2022-62-cryptpad-a-zero-knowledge-collaboration-platform
https://cfp.pass-the-salt.org/pts2022/talk/LPMHUA/
false
CryptPad: a zero-knowledge collaboration platform
Talk
en
Presentation of the CryptPad.fr project, a 100% encrypted collaboration platform.
Cloud services are increasingly used and our data is increasingly exposed. Even though cloud services "promise" to ensure the security of our data, we do not actually control what is put in place to ensure the security of our data and our privacy. Many cloud services use our data to set up advertising-based business models that read our data and pass it on to advertising services. Others are more transparent, but struggle to effectively secure our data.
Yet another approach is possible!
In this presentation, we will present the CryptPad project (https://cryptpad.fr), which offers an end-to-end encrypted collaboration solution. CryptPad has been developed for more than 5 years now and is an end-to-end encrypted collaborative suite allowing the editing of documents in multiple formats in real time. This platform integrates more than 8 types of documents, including Office formats with import and export, a kanban, an HTML editor, a Markdown editor, a drawing tool and a survey creation tool, as well as a Drive with shared folders. The tool also has a management infrastructure and key sharing between users, all end-to-end encrypted to guarantee the strictest possible data confidentiality.
See also: [🎥 video](https://passthesalt.ubicast.tv/videos/cryptpad-a-zero-knowledge-collaboration-platform/)
/media/pts2022/submissions/LPMHUA/CryptPad_logo_text_cTakG1P.png
Ludovic Dubost
2022-07-04T15:25:00+02:00
15:25
00:20
Amphitheater
pts2022-54-dataflow-tabular-charts-a-presentation-tool-for-security-architects
https://cfp.pass-the-salt.org/pts2022/talk/3EXX8R/
false
Dataflow tabular charts -- a presentation tool for security architects
Short Talk
en
Security architects commonly have to represent drawings of complex systems to highlight the principles of their security architecture. Most drawings in common use are "seen from above", and do not allow a clear presentation of the protocol stacks and data processes along a dataflow.
Dataflow tabular charts are a new kind of drawing to show security boundaries crossed by functional dataflows. We will present the importance of those drawings for documenting security architectures, risk assessments, and penetration test results. We will then show a tool that can produce those charts automatically based on a textual description, similar to how `msggen` creates message charts.
See also: [🎥 video](https://passthesalt.ubicast.tv/videos/dataflow-tabular-charts-a-presentation-tool-for-security-architects/)
Yves Rutschle
2022-07-04T16:15:00+02:00
16:15
00:20
Amphitheater
pts2022-67-sandboxing-your-application-with-landlock-illustration-with-the-p7zip-case
https://cfp.pass-the-salt.org/pts2022/talk/BGQGZC/
false
Sandboxing your application with Landlock, illustration with the p7zip case
Short Talk
en
Landlock is the security sandboxing feature available since Linux 5.13. Its goal is to empower developers by letting them harden their applications. Indeed, it is assumed that with enough skill and time, most software could be compromised. Sandboxing makes it possible to add a new layer of security to mitigate such attacks.
This talk quickly introduces the main Landlock properties, and then explains how to sandbox your own application. We'll use p7zip, a C++ archive manager, as a practical example.
https://docs.kernel.org/userspace-api/landlock.html
See also: [🎥 video](https://passthesalt.ubicast.tv/videos/sandboxing-your-application-with-landlock-illustration-with-the-p7zip-case/)
Mickaël Salaün
2022-07-04T16:35:00+02:00
16:35
00:35
Amphitheater
pts2022-61-building-operating-systems-optimized-for-containers-from-iot-to-desktops-and-servers
https://cfp.pass-the-salt.org/pts2022/talk/MTLGWL/
false
Building operating systems optimized for containers, from IoT to desktops and servers
Talk
en
Containers on Linux are a powerful abstraction that helps isolate applications from one another. They are now available everywhere: to run applications from small IoT devices to large cloud servers, to easily set up development environments and to enable distribution-independent packaging with Flatpak on desktops.
In this talk we will go over several variants of Fedora that are focused on containers: Fedora IoT, Fedora CoreOS and Fedora Silverblue/Kinoite. We will look at what makes them particularly well suited to host containers and how their design leads to increased security without compromising their usability.
See also: [🎥 video](https://passthesalt.ubicast.tv/videos/building-operating-systems-optimized-for-containers-from-iot-to-desktops-and-servers/)
Timothée Ravier
2022-07-04T14:20:00+02:00
14:20
03:00
Workshop Room
pts2022-70--workshop-fida-reverse-engineering-introduction
https://cfp.pass-the-salt.org/pts2022/talk/T8XSUV/
false
[Workshop] FЯIDA Reverse Engineering Introduction
Workshop
en
FЯIDA (frida.re) is a dynamic instrumentation tool that supports reverse engineering closed-source applications. Learning how to use this tool enables open-source contributors to build interfaces to closed-source applications or even re-implement protocols for compatibility.
Organization note: **registration to the workshop will be done directly on-site during the event**. Nothing to do on-line.
In this workshop, you will learn how to use FЯIDA on real-world targets. The only prerequisites are basic programming skills; you will learn everything else in the workshop. Depending on your prior knowledge, we will solve simple crackmes or analyze complex applications and daemons on mobile devices.
**Prerequisites:** if you can, please bring a laptop and install Android Studio including an Android VM without Google Play Services for preparation (see resources attached below). Optionally, you can also bring other devices that support FЯIDA, such as rooted Android phones or jailbroken iPhones. This will save time that you can spend on solving challenges and learning FЯIDA instead.
While this workshop is meant for beginners, feel free to join as an advanced FЯIDA user. FЯIDA is a great tool to explore proprietary systems like iOS; there's always something new to learn about.
Maximum of **15 students**.
/media/pts2022/submissions/T8XSUV/frida_WEuEWgt.png
jiska
2022-07-05T09:30:00+02:00
09:30
00:20
Amphitheater
pts2022-53-sslh-an-applicative-level-protocol-multiplexer
https://cfp.pass-the-salt.org/pts2022/talk/XTBQ73/
false
sslh -- an applicative-level protocol multiplexer
Short Talk
en
Once upon a time, corporate firewalls started to block port 22. But we could still `ssh` to port 443. `sslh` was originally written to listen to port 443, figure out the protocol between SSH and TLS, and forward it appropriately. 15 years in the making, `sslh` now supports many other protocols, including TLS SNI. We will cover the main functions and configuration of the tool, both for firewall evasion (its original, malicious use), service hiding and SNI frontend (its current, benign use).
See also: [🎥 video](https://passthesalt.ubicast.tv/videos/sslh-an-applicative-level-protocol-multiplexer/)
Yves Rutschle
2022-07-05T09:50:00+02:00
09:50
00:35
Amphitheater
pts2022-50-write-faster-suricata-signatures-easier-with-suricata-language-server
https://cfp.pass-the-salt.org/pts2022/talk/AGLDYH/
false
Write faster Suricata signatures easier with Suricata Language Server
Talk
en
Writing signatures for Suricata and other intrusion detection systems (IDS) is considered by many to be a form of art. One of the main reasons is that the rule writer needs to start by examining a network trace to identify patterns that are representative of a threat/behavior without being too broad (to avoid false positives) or too narrow (to avoid being escaped at the first change of a bit in the attack). But the language used to write signatures is the second reason. It is not really expressive and doesn't have advanced constructs. As a result, signatures require complex writing to do things that could appear simple. And there are implicit conventions and structures that must be followed to guarantee correct integration in the detection engine.
The open-source Suricata Language Server (SLS) has been developed to solve these problems. SLS is a Language Server Protocol implementation that allows the user to benefit from built-in Suricata diagnostic capabilities when editing rules. SLS provides advanced diagnostics as well as auto-completion. In this talk, you will see how SLS can be used, how to make sense of the error messages, and learn about some of the optimizations inside the detection engine. You will also discover what Suricata features are used behind the scenes to make this possible.
See also: [🎥 video](https://passthesalt.ubicast.tv/videos/write-faster-suricata-signatures-easier-with-suricata-language-server/)
Éric Leblond
2022-07-05T10:25:00+02:00
10:25
00:20
Amphitheater
pts2022-59-building-on-top-of-scapy-what-could-possibly-go-wrong-
https://cfp.pass-the-salt.org/pts2022/talk/NAZGWD/
false
Building on top of Scapy: what could possibly go wrong?
Short Talk
en
A while ago, we decided to use Scapy's packet manipulation capabilities as a basis for our own industrial network protocols' attack framework in Python. At first, it seemed like the best idea ever: there is nothing better than Scapy for handling network protocols. But it was not as easy as we thought it would be, because of the gap between our own specifications and Scapy internals. We wanted users of our framework to be able to manipulate valid and invalid packets, as a set of separate type-independent fields. But this is not how Scapy works, so we had to find workarounds. We ended up wrapping Scapy packets inside our own packet objects, using Python tricks and weird adaptations to translate from our framework's syntax to Scapy's mode of operation. And it works fine (as long as we don't touch anything). This is the story of our struggle to make both our tool and Scapy match, and what we learned along the way.
See also: [🎥 video](https://passthesalt.ubicast.tv/videos/building-on-top-of-scapy-what-could-possibly-go-wrong/)
Claire Vacherot
2022-07-05T11:15:00+02:00
11:15
00:35
Amphitheater
pts2022-64-use-of-machine-and-deep-learning-on-rf-signals
https://cfp.pass-the-salt.org/pts2022/talk/ZFF89E/
false
Use of Machine and Deep Learning on RF Signals
Talk
en
An RF signal is an element that a human can neither see nor hear, but it can be measured by many means today. In particular, Software-Defined Radio allows even people with a low budget to observe radio frequencies in real time, and so capture different types of communications: AM/FM, Mobile & LPWAN communications, etc. There are many ways to classify all the technologies depending on the frequency used, bandwidth used, duty cycle, and patterns, but it is sometimes hard and/or time-consuming to recognize these technologies.
To resolve these types of challenges, we thought about using Machine & Deep Learning tools to optimize our classification, and we wanted to share with you our successes, mistakes, and other feedback. In addition to proper classification, RF emanations are also permanent in the air, and we will see that the same techniques can be applied to match harmonics, but also to side-channel attacks.
In this presentation, we will go through the steps of observing a signal, doing a capture, talking about the challenges of classifying the signal, and showing techniques for using ML & DL, from making a model to using algorithms and available functions.
This will be an opportunity to talk about our infrastructure, today's results, failures, and future improvements.
See also: [🎥 video](https://passthesalt.ubicast.tv/videos/use-of-machine-and-deep-learning-on-rf-signals/)
Sébastien Dudek
2022-07-05T11:50:00+02:00
11:50
00:35
Amphitheater
pts2022-57-ethics-in-cyberwar-times
https://cfp.pass-the-salt.org/pts2022/talk/LXHHPG/
false
Ethics in cyberwar times
Talk
en
Despite not getting a lot of attention, questions of ethics and morality are everywhere in the cybersecurity field. As our community concentrates more and more political power through the giant technology companies ruling the digital realm, a discussion on acceptable practices is needed more than ever.
In this talk, I want to bring forward new security dilemmas that have surfaced in recent years and that practitioners face every day. My hope is to foster a much-needed reflection about our role in the cybersecurity world, especially as it is being transformed by its first military conflict ever.
The aim is not to be patronizing and distribute brownie points, or shame people or companies that are not behaving ethically (well, maybe NSO). Instead, I would like to use these 20 minutes to recognize the very real and complex problems that we face, mostly in isolation. The list below contains a few of the topics I intend to address:
- The morality of open-source security software
- Threat intelligence's function as an *intelligence* broker
- Is it possible to remain neutral in a cyber-war?
- The morality of cyberattacks in the context of the war in Ukraine
See also: [🎥 video](https://passthesalt.ubicast.tv/videos/ethics-in-cyberwar-times/)
/media/pts2022/submissions/LXHHPG/why-follow-ethics_JZT8w1S.jpg
Ivan Kwiatkowski
2022-07-05T14:00:00+02:00
14:00
00:35
Amphitheater
pts2022-35-abusing-archive-based-file-formats
https://cfp.pass-the-salt.org/pts2022/talk/JPRTLR/
false
Abusing archive-based file formats
Talk
en
If a format structure isn't vulnerable, can that change once wrapped in an archive?
File format abuses depend on specific structure characteristics, which makes some file formats not vulnerable. It's however quite common to wrap some formats in specific archive formats.
Combining a format structure with an archive structure may change the outcome, making the result vulnerable by exploiting outside of the box.
See also: [🎥 video](https://passthesalt.ubicast.tv/videos/abusing-archive-based-file-formats/)
Ange Albertini
2022-07-05T14:35:00+02:00
14:35
00:35
Amphitheater
pts2022-66-binbloom-reloaded
https://cfp.pass-the-salt.org/pts2022/talk/VXNE8H/
false
Binbloom reloaded
Talk
en
Reverse-engineering hardware devices usually requires extracting data from memory, be it from an internal Flash of a SoC, an external NAND or SPI flash chip. Extracting memory content is part of the job, but once done we still need to analyze it and face the inevitable truth: we may be in front of an unknown memory dump or just have no idea of how information is stored in it, or even how it is loaded into the SoC or MCU memory.
In this talk we will introduce Binbloom version 2, a tool able to identify the base address of any firmware code and also some specific structures such as UDS databases (often encountered in ECUs), whatever the architecture (32- or 64-bit).
Detailed outline
================
I. Introduction (5 minutes)
---------------------------
I.1. Quick introduction and demo of the tool
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I will start the talk by introducing the main reason why this new version of Binbloom has been developed and will show it live on various firmwares (32-bit and 64-bit). I will also insist on the fact that this tool implements a new method that will be detailed in this talk, and that other tools exist too.
I.3. How existing tools work
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I will then talk about how I came to improve Binbloom, the fact that other tools do exist that are able to guess a firmware base address (like *rbasefind* for instance), and I will detail their internals (basically, they try every possible base address and compute a score based on some heuristics).
I.4. Actual limitations (64-bit architecture)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I will then talk about the actual limitations of these existing tools, namely the lack of support for 64-bit architectures.
II. Bruteforce vs. Inference (7 minutes)
----------------------------------------
In this part of the talk, I will detail the algorithm implemented in Binbloom v2, which does not rely on bruteforce but tries to infer the base address based on data found in the firmware.
II.1. Entropy
~~~~~~~~~~~~~
I will present the first interesting metric other tools are lacking: entropy. Firmware entropy can be useful to tell code and data apart, based on thresholds that have to be determined.
II.2. Introducing Binbloom v2 internals
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It is time to go into the details with a focus on the inference mechanism implemented in Binbloom v2. This mechanism allows Binbloom to deduce a set of potential base addresses rather than bruteforcing every possible value, which is more efficient on 64-bit architecture firmware files but also backward-compatible with 32-bit architectures.
II.3. Implementation constraints (memory usage, performances and firmware file size)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I will then talk about some technical constraints I faced during the development of Binbloom, especially memory usage issues or how I had to deal with a huge number of candidate addresses. I will also talk about performance issues and code optimization.
II.4. 32-bit and 64-bit architectures support
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Again, I will insist in this part of the talk on the fact that this method is generic and may be used for 32-bit and 64-bit based firmware files, with the same efficiency.
III. Binbloom v2 (3 minutes)
----------------------------
III.1. Comparison between Binbloom v2, rbasefind and Binbloom v1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I will present in this section the result of a comparative analysis performed on Binbloom v1 and v2 and rbasefind, aiming at evaluating the efficiency of these three tools on a set of firmware files gathered on the Internet (thanks Twitter!) and internally at Quarkslab.
III.2. Improvements
~~~~~~~~~~~~~~~~~~~
I will then present some improvements (in our todo list) for Binbloom v2, and what they may bring to the tool. It is also a good time to ask the audience to contribute to this project! I will give the repository URL and invite attendees to give it a try (and report issues as well) =)
See also: [🎥 video](https://passthesalt.ubicast.tv/videos/binbloom-reloaded/)
Damien Cauquil
2022-07-05T15:40:00+02:00
15:40
00:35
Amphitheater
pts2022-56-gnu-poke-the-extensible-editor-for-structured-binary-data
https://cfp.pass-the-salt.org/pts2022/talk/HSBGXM/
false
GNU poke, the extensible editor for structured binary data
Talk
en
GNU poke is an interactive editor for binary data. Not limited to editing basic entities such as bits and bytes, it provides a full-fledged procedural, interactive programming language designed to describe data structures and to operate on them. Once a user has defined a structure for binary data (usually matching some file format) she can search, inspect, create, shuffle and modify abstract entities such as ELF relocations, MP3 tags, DWARF expressions, partition table entries, and so on, with primitives resembling simple editing of bits and bytes. The program comes with a library of already written descriptions (or "pickles" in poke parlance) for many binary formats.
See also: [🎥 video](https://passthesalt.ubicast.tv/videos/gnu-poke-the-extensible-editor-for-structured-binary-data/)
Jose E. Marchesi
2022-07-05T16:15:00+02:00
16:15
00:35
Amphitheater
pts2022-52-the-poor-man-s-obfuscator
https://cfp.pass-the-salt.org/pts2022/talk/RJCGBC/
false
The Poor Man's Obfuscator
Talk
en
The purpose of this lightning talk is to present executable file format tricks (ELF and Mach-O) to prevent static analysis tools (like IDA, BinaryNinja, ...) from working correctly. While these tricks do not break the execution of the original binary, when they are opened in IDA, BinaryNinja and Radare2 the code looks obfuscated while only the file format is modified (not the instructions). These modifications are leveraged by LIEF and the scripts will be published at the end of the conference with an associated blog post.
See also: [🎥 video](https://passthesalt.ubicast.tv/videos/the-poor-mans-obfuscator/)
/media/pts2022/submissions/RJCGBC/featured_FbDh2BN.png
Romain Thomas
2022-07-05T09:30:00+02:00
09:30
03:00
Workshop Room
pts2022-58--workshop-malware-analysis-with-ghidra-x64dbg
https://cfp.pass-the-salt.org/pts2022/talk/EWYSJ7/
false
[Workshop] Malware analysis with Ghidra & x64dbg
Workshop
en
This workshop is designed for beginners who want to discover malware analysis and reverse engineering.
Organization note: **registration to the workshop will be done directly on-site during the event**. Nothing to do on-line.
We will start by explaining the x86 assembly language. Once we have discovered the basic instructions, we will directly reverse our first malware: a ransomware. We will work statically with Ghidra and dynamically with x32dbg, two open-source tools. The purpose will be to get acquainted with the tools and answer a couple of questions: what is the encryption algorithm? Can I restore the encrypted file? Where is the ransom note stored?
**Prerequisites:** for the attendees who would like to work dynamically, a virtual machine running Windows must be configured before the workshop. The free Windows virtual machines provided by Microsoft work perfectly for this workshop: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
Maximum of **10 participants**.
Paul Rascagnères
2022-07-05T14:00:00+02:00
14:00
03:00
Workshop Room
pts2022-47--workshop-mi-lxc-mini-internet-testbed-for-network-security-training-and-security-tools-demonstration
https://cfp.pass-the-salt.org/pts2022/talk/SJJZDE/
false
[Workshop] MI-LXC (Mini-Internet testbed) for network security training and security tools demonstration
Workshop
en
MI-LXC is a platform to simulate an internet-like environment (BGP routing, DNS hierarchy, several organizations, pre-configured services such as mail with graphical clients, ...), currently composed of 28 hosts distributed in 10 AS. It can be used for network security training and can also serve as a substrate to deploy and demonstrate network security tools. It is based on LXC using the infrastructure-as-code principle and runs as a VM on a standard laptop.
Organization note: **registration to the workshop will be done directly on-site during the event**. Nothing to do on-line.
During this workshop, we will explore the MI-LXC platform. First, we will see how to use it to illustrate MitM attacks such as BGP or DNS attacks, to deploy a global ACME Certification Authority (Smallstep), to simulate a phishing and intrusion scenario (reverse-shell, nmap, ...) or to deploy IDS sensors (Suricata, OSSEC, Prelude SIEM). Second, we will study how to extend this skeleton architecture to deploy, demonstrate and train in other network security tools by adding new hosts or AS or modifying existing ones.
MI-LXC is available at https://github.com/flesueur/mi-lxc/ and this workshop will be more-or-less based on the tutorial: https://github.com/flesueur/mi-lxc/blob/master/doc/TUTORIAL.md
**Prerequisites for this workshop**
The workshop will run on a pre-configured Virtual Machine of MI-LXC v1.4.2. Attendees thus need:
* A personal laptop with 4GB of RAM (8GB recommended) and 10GB of free hard-drive space (15GB recommended)
* VirtualBox or VMWare Player
* Having downloaded and imported the VM archive (2.5GB, v1.4.2): https://flesueur.irisa.fr/mi-lxc/images/milxc-debian-amd64-1.4.2.ova
Maximum of **15 participants**.
/media/pts2022/submissions/SJJZDE/logo_NfnTtbY.png
François Lesueur
2022-07-06T10:00:00+02:00
10:00
00:35
Amphitheater
pts2022-45-sudo-logs-for-blue-teamers
https://cfp.pass-the-salt.org/pts2022/talk/ER89BJ/
false
Sudo logs for Blue Teamers
Talk
en
Using sudo, you can control and log administrative access to your hosts. Recent sudo versions allow you to send log messages in JSON format, while the latest sudo features also allow you to watch and control previously blind spots.
What does this mean for your Blue Team? You have more control in defining both the people who can access your system, and the actions they can perform in it. The resulting log messages contain a lot more information in an easy to process format. This way you do not just collect more logs, but it becomes easier to detect and react to important sudo events.
From my talk, you can learn about JSON-formatted logging in sudo and how to work with those logs in syslog-ng. I will introduce you to some of the latest sudo features, like chroot and cwd support, and logging and intercepting sub-commands. I will also show you how to work with these logs within syslog-ng: for example, how to parse JSON-formatted log messages and work with name-value pairs to create alerts on critical sudo events.
See also: [🎥 video](https://passthesalt.ubicast.tv/videos/sudo-logs-for-blue-teamers/)
Peter Czanik
2022-07-06T10:35:00+02:00
10:35
00:20
Amphitheater
pts2022-46-dfir-iris-collaborative-incident-response-platform
https://cfp.pass-the-salt.org/pts2022/talk/9TPFEL/
false
DFIR-IRIS - collaborative incident response platform
Short Talk
en
DFIR-IRIS is a collaborative incident response platform recently published as open source. It provides operational and efficient features to respond to IR challenges. Information sharing, real-time collaboration, timeline creation, forensic evidence ingestion, task logging, daily reports for customers... These are all necessary steps in an investigation that need to be simplified in order to reduce analysts' workload. From this statement was born DFIR-IRIS.
See also: [🎥 video](https://passthesalt.ubicast.tv/videos/dfir-iris-collaborative-incident-response-platform/)
/media/pts2022/submissions/9TPFEL/95911680_B4NoVer.png
Théo Letailleur, Paul Amicelli
2022-07-06T11:25:00+02:00
11:25
00:20
Amphitheater
pts2022-51-tapir-trustable-artifact-parser-for-incident-response
https://cfp.pass-the-salt.org/pts2022/talk/DQPJCB/
false
TAPIR: Trustable Artifact Parser for Incident Response
Short Talk
en
This talk will present two new open-source incident response tools and a new Rust library dedicated to incident response: bin2json, a tool to extract metadata from multiple file formats to JSON, and TapIR, a collaborative server for incident response accessible through a REST API, a web UI, and Python command-line tools.
This talk is about two new incident response tools, TapIR and bin2json, and the TAP Rust library they are based on.
Those two tools are based on the TAP (Trustable Artifact Parser) Rust library, which comes with different plugins to parse specific artefacts (NTFS, MFT, registry, evtx, prefetch, ...) and includes a search engine that lets you create complex queries.
- bin2json can take different kinds of input, like a disk image, a partition, or a collection of artifacts, and automatically generate a JSON file containing metadata extracted from those inputs. It can also generate the JSON file as a timeline. The generated file can then be analyzed via tools like jq or sent to Elasticsearch or Splunk for further analysis.
- TapIR is a service that can ingest the same kinds of files as bin2json, then lets you access the extracted data and metadata through a REST API. You can install it and make it accessible on a local network, a remote host or in the cloud, thus enabling remote collaborative analysis. TapIR comes with a web UI and a Python client as command-line tools that let you automate your IR tasks via scripting.
- The two aforementioned tools take advantage of the TAP library, written in Rust, which makes parsing secure and fast by leveraging heavy multithreading.
During the presentation we will go through the architecture of the TAP library, when and how to use TapIR and bin2json, and finally we will make a demonstration of the different tools.
See also: [🎥 video](https://passthesalt.ubicast.tv/videos/tapir-trustable-artifact-parser-for-incident-response/)
Solal Jacob
2022-07-06T11:45:00+02:00
11:45
00:35
Amphitheater
pts2022-44-improve-your-malware-recipes-with-cyberchef
https://cfp.pass-the-salt.org/pts2022/talk/8NDEN8/
false
Improve your Malware Recipes with Cyberchef
Talk
en
Cyberchef is an awesome tool developed by GCHQ (the UK Intelligence Services). Easy to deploy and maintain, it offers a complete toolbox to manipulate data. This talk will briefly introduce the core features of Cyberchef and, in a second part, we will discuss how to speed up the analysis of data in the context of malware analysis (decoding C2 traffic, decoding configuration files and many more examples).
See also: [🎥 video](https://passthesalt.ubicast.tv/videos/improve-your-malware-recipes-with-cyberchef/)
Xavier Mertens
2022-07-06T14:00:00+02:00
14:00
00:20
Amphitheater
pts2022-63-mobsf-for-penetration-testers
https://cfp.pass-the-salt.org/pts2022/talk/778XUY/
false
MobSF for penetration testers
Short Talk
en
MobSF is a free and open-source security scanner for mobile applications.
First, this talk will introduce MobSF and its different features. Then, the talk will present how MobSF can be used during a penetration test or a red team.
After presenting how to set up the tool for penetration testing, different use cases will be presented, from two different points of view:
- a security review of a mobile application (or an SDK); in this case, the mobile application or the specific SDK is the target.
- an assessment where the mobile application is not directly the target; in this case, the mobile application is used for recon (and more).
- a quick use case for every penetration tester who doesn't want to dig into complex Android methods.
These use cases will also point out MobSF's limits and how to handle them by using the API and homemade scripts. For some cases, a comparison with other tools (such as apkleaks) will be done.
At last, a quick review of how bug reports and feature requests are handled by the MobSF team.
See also: [🎥 video](https://passthesalt.ubicast.tv/videos/mobsf-for-penetration-testers/)
Antoine Cervoise, Mickael Benassouli
2022-07-06T14:20:00+02:00
14:20
00:35
Amphitheater
pts2022-60-finding-java-deserialization-gadgets-with-codeql
https://cfp.pass-the-salt.org/pts2022/talk/CQ98BD/
false
Finding Java deserialization gadgets with CodeQL
Talk
en
Arbitrary object deserialisation vulnerabilities in Java applications can be really dangerous, but also worthless if you are not able to find a gadget chain.
Some gadget chains are known and can be used without much consideration, but most of them don't work anymore.
Indeed, most known gadgets are 3 to 5 years old. This can be explained by the fact that finding such chains is hard and few tools exist to automate this process. In this talk I want to present a new technique to easily find new gadgets by leveraging the power of CodeQL. CodeQL is a very powerful static code analyzer that provides a way to analyze code by querying it like a data store. It's open source and can work on open-source projects as it requires the source code of the analysed application. CodeQL can find paths between different methods and calls inside an application. This is really useful for gadget chains as we need to look for code paths from a deserialization method to a dangerous one which can lead to arbitrary code execution.
I'll first describe what a deserialization vulnerability is and how gadgets are constructed / found to perform malicious actions. Then I'll introduce CodeQL and the different possibilities of this tool, and finally I'll present a new technique to automate the process of finding Java gadget chains with CodeQL.
See also: [🎥 video](https://passthesalt.ubicast.tv/videos/finding-java-deserialization-gadgets-with-codeql/)
Hugo Vincent
2022-07-06T14:55:00+02:00
14:55
00:20
Amphitheater
pts2022-69-dissecting-ntlm-epa-building-a-mitm-proxy
https://cfp.pass-the-salt.org/pts2022/talk/NEYFDV/
false
Dissecting NTLM EPA & building a MitM proxy
Short Talk
en
Have you ever come across a website that used NTLM-based authentication, and you just could not authenticate with your browser nor BurpSuite even though you knew your credentials were correct? NTLM Extended Protection for Authentication (EPA) might be the culprit... Indeed, Firefox, among others, does not support the NTLM EPA mechanism and fails to authenticate.
This new protection was implemented to prevent relay attacks on webservers. With the rise of the powerful attack chain that involves ADCS, Petit Potam and NTLM relay, this protection has proven to be very useful!
What can we do then?! How are we going to use all our favorite tools? By creating a proxy of course! This raised multiple problems, such as TLS interception, HTTP parsing, NTLM authentication, EPA implementation, and so on.
In the first part of this talk, I will give a short overview of the NTLM protocol over HTTP. Then I will explain how EPA fits into all this, and how it impacts NTLM relay over HTTPS. Finally, I will present our interception proxy Prox-Ez and the obstacles we encountered during the development.
See also: [🎥 video](https://passthesalt.ubicast.tv/videos/dissecting-ntlm-epa-building-a-mitm-proxy/)
/media/pts2022/submissions/NEYFDV/passthesalt_fZbrqiP.jpg
Pierre Milioni
2022-07-06T15:15:00+02:00
15:15
00:20
Amphitheater
pts2022-72-kdigger-a-context-discovery-tool-for-kubernetes-penetration-testing
https://cfp.pass-the-salt.org/pts2022/talk/EQ8QFD/
false
kdigger: A Context Discovery Tool for Kubernetes Penetration Testing
Short Talk
en
kdigger, short for "Kubernetes digger", is a context discovery tool for Kubernetes penetration testing. This tool is a compilation of various plugins called buckets to facilitate pentesting Kubernetes from inside a pod.
During this short session, I'll demonstrate a scenario of a multi-tenant attack in a Kubernetes cluster. I will explain the risks, see how to prevent this kind of attack and show how kdigger can speed up the discovery process of the environment.
On top of discovering a new tool, this presentation will give you an idea of how pentesters generally try to pivot in typical Kubernetes clusters.
See also: [🎥 video](https://passthesalt.ubicast.tv/videos/kdigger-a-context-discovery-tool-for-kubernetes-penetration-testing/)
/media/pts2022/submissions/EQ8QFD/kdigger_d5RH8S1.jpeg
Mahé Tardy
2022-07-06T09:30:00+02:00
09:30
03:00
Workshop Room
pts2022-65--workshop-rfid-nfc-rise-of-proxmark3-hands-on
https://cfp.pass-the-salt.org/pts2022/talk/M7ZQC3/
false
[Workshop] RFID/NFC: Rise of Proxmark3, hands on
Workshop
en
You will enjoy hacking with RFID/NFC cards and devices by means of open source.
You will have plenty of time to get familiar with the Proxmark3 RDV4 and operate it by yourself in various conditions and challenges.
Organization note: **registration to the workshop will be done directly on-site during the event**. Nothing to do on-line.
The primary tool used in this workshop is the Proxmark3 RDV4, the latest and most fully featured of the Proxmark3 generations (additional onboard storage, SIM interface, swappable antennas, etc.).
You will deal with different types of the most common transponders that can be found in the wild (aka tags, tokens, etc.), guided by Doegox, who will make sure you have a pleasant and instructive time.
The workshop covers RFID from the Low Frequency band (mainly used for individual physical access to buildings, garages, hotels, etc.) to the High Frequency band, where credit cards, passports, but also NFC come into play.
You will understand which type of access cards can be emulated or even cloned.
To set up your development environment, there are guides on the Proxmark3 RDV4 GitHub repo which are essential to follow. If everyone comes prepared, we can have better focus during the workshop on using / compiling / flashing / JTAGing the Proxmark3 device.
If you already have a Proxmark3 device, bring it with you and we will show you how to use it with new firmware as well.
**Requirements:**
Bring your laptop with a configured development environment already installed:
If you are under Linux (preferred), please [follow these instructions](https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/md/Installation_Instructions/Linux-Installation-Instructions.md) and make sure ModemManager is removed;
If you are under Windows, please [follow these instructions](https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/md/Installation_Instructions/Windows-Installation-Instructions.md) (we recommend WSL or Proxspace v3.2);
If you are under OS X (Homebrew users), please [follow these instructions](https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/md/Installation_Instructions/Mac-OS-X-Homebrew-Installation-Instructions.md).
Maximum of **15 students**.
Philippe Teuwen
2022-07-06T14:00:00+02:00
14:00
03:00
Workshop Room
pts2022-55--workshop-threat-hunting-with-selks-and-suricata-6
https://cfp.pass-the-salt.org/pts2022/talk/BNNNQX/
false
[Workshop] Threat Hunting with SELKS and Suricata 6
Workshop
en
Threat hunting with network data can be done with Suricata, which combines a signature-based IDS with network security monitoring capabilities. In this workshop we will show this through SELKS usage. SELKS is a complete network threat hunting stack based on Suricata and Elasticsearch. We will use some of the recent capabilities of Suricata, like datasets, to show that it goes far beyond the traditional role of an IDS.
Organization note: **registration to the workshop will be done directly on-site during the event**. Nothing to do on-line.
With this workshop, attendees will get a good understanding of Suricata-generated data and of some of its main features. By working on a network trace, we will see how it is possible to understand a network, discover threats and deploy detection at the organization level.
**Prerequisites:** the hardware requirement for attendees is a computer with at least 2 cores and 9 Gb of memory, running preferably under Linux, but Windows or MacOS X should work.
Maximum of **15 participants**.
Éric Leblond