PTS2022
This talk will describe the internals of a Mattermost End-to-End Encryption plugin that has been developed at Quarkslab in 2021.
FЯIDA (frida.re) is a dynamic instrumentation tool that supports reverse engineering closed-source applications. Learning how to use this tool enables open-source contributors to build interfaces to closed-source software or even re-implement protocols for compatibility.
Presentation of the CryptPad.fr project, a 100% encrypted collaboration platform.
Security architects commonly have to produce drawings of complex systems to highlight the principles of their security architecture. Most drawings in common use are "seen from above", and do not allow a clear presentation of the protocol stacks and data processing along a dataflow.
Dataflow tabular charts are a new kind of drawing that shows the security boundaries crossed by functional dataflows. We will present the importance of those drawings for documenting security architectures, risk assessments, and penetration test results. We will then show a tool that can produce those charts automatically from a textual description, similar to how msggen creates message charts.
Landlock is a security sandboxing feature available since Linux 5.13. Its goal is to empower developers by letting them harden their own applications. Indeed, it is assumed that, with enough skill and time, most software could be compromised; sandboxing adds a new layer of security to mitigate such attacks.
This talk quickly introduces the main Landlock properties, then explains how to sandbox your own application. We'll use p7zip, a C++ archive manager, as a practical example.
Containers on Linux are a powerful abstraction that helps isolate applications from one another. They are now available everywhere: to run applications from small IoT devices to large cloud servers, to easily set up development environments, and to enable distribution-independent packaging with Flatpak on desktops.
In this talk we will go over several variants of Fedora that are focused on containers: Fedora IoT, Fedora CoreOS and Fedora Silverblue/Kinoite. We will look at what makes them particularly well suited to host containers and how their design leads to increased security without compromising their usability.
This workshop is designed for beginners who want to discover malware analysis and reverse engineering.
Once upon a time, corporate firewalls started to block port 22. But we could still ssh to port 443. sslh was originally written to listen on port 443, figure out whether the incoming protocol is SSH or TLS, and forward it appropriately. 15 years in the making, sslh now supports many other protocols, including TLS SNI. We will cover the main functions and configuration of the tool, both for firewall evasion (its original, malicious use) and for service hiding and SNI frontend (its current, benign use).
Writing signatures for Suricata and other intrusion detection systems (IDS) is considered by many to be a form of art. One of the main reasons is that the rule writer needs to start by examining a network trace to identify patterns that are representative of a threat/behavior without being too broad (to avoid false positives) or too narrow (to avoid being evaded by the first change of a bit in the attack). The language used to write signatures is the second reason: it is not really expressive and doesn't have advanced constructs. As a result, signatures require complex writing to do things that could appear simple. And there are implicit conventions and structures that must be followed to guarantee correct integration in the detection engine.
The open-source Suricata Language Server (SLS) has been developed to solve these problems. SLS is a Language Server Protocol implementation that allows the user to benefit from built-in Suricata diagnostic capabilities when editing rules. SLS provides advanced diagnostics as well as auto-completion. In this talk, you will see how SLS can be used, how to make sense of the error messages, and learn about some of the optimizations inside the detection engine. You will also discover which Suricata features are used behind the scenes to make this possible.
A while ago, we decided to use Scapy's packet manipulation capabilities as a basis for our own industrial network protocols' attack framework in Python. At first, it seemed like the best idea ever: there is nothing better than Scapy for handling network protocols. But it was not as easy as we thought it would be, because of the gap between our own specifications and Scapy internals. We wanted users of our framework to be able to manipulate valid and invalid packets as a set of separate type-independent fields. But this is not how Scapy works, so we had to find workarounds. We ended up wrapping Scapy packets inside our own packet objects, using Python tricks and weird adaptations to translate from our framework's syntax to Scapy's mode of operation. And it works fine (as long as we don't touch anything). This is the story of our struggle to make both our tool and Scapy match, and what we learned along the way.
An RF signal is something a human can neither see nor hear, but it can be measured by many means today. In particular, Software-Defined Radio allows even people on a low budget to observe radio frequencies in real time, and thus capture different types of communications: AM/FM, mobile and LPWAN communications, etc. There are many ways to classify all these technologies depending on the frequency used, bandwidth, duty cycle and patterns, but it is sometimes hard and/or time-consuming to recognize them.
To address these challenges, we thought about using Machine and Deep Learning tools to optimize our classification, and we want to share with you our successes, mistakes, and other feedback. Beyond classification proper, RF emanations are also permanently present in the air, and we will see that the same techniques can be applied to match harmonics, and to side-channel attacks as well.
Despite not getting a lot of attention, questions of ethics and morality are everywhere in the cybersecurity field. As our community concentrates more and more political power through the giant technology companies ruling the digital realm, a discussion on acceptable practices is needed more than ever.
In this talk, I want to bring forward new security dilemmas that have surfaced in recent years and that practitioners face every day. My hope is to foster a much-needed reflection about our role in the cybersecurity world, especially as it is being transformed by its first military conflict ever.
If a format structure isn't vulnerable, can that change once it is wrapped in an archive?
MI-LXC is a platform to simulate an internet-like environment (BGP routing, DNS hierarchy, several organizations, pre-configured services such as mail with graphical clients, ...), currently composed of 28 hosts distributed across 10 ASes. It can be used for network security training and can also serve as a substrate to deploy and demonstrate network security tools. It is based on LXC, follows the infrastructure-as-code principle, and runs as a VM on a standard laptop.
Reverse-engineering hardware devices usually requires extracting data from memory, be it the internal flash of a SoC or an external NAND or SPI flash chip. Extracting memory content is part of the job, but once done we still need to analyze it and face the inevitable truth: we may be in front of an unknown memory dump, or simply have no idea of how information is stored in it, or even how it is loaded into the SoC or MCU memory.
In this talk we will introduce Binbloom version 2, a tool able to identify the base address of any firmware code as well as some specific structures such as UDS databases (often encountered in ECUs), regardless of the architecture (32 or 64 bits).
GNU poke is an interactive editor for binary data. Not limited to editing basic entities such as bits and bytes, it provides a full-fledged procedural, interactive programming language designed to describe data structures and to operate on them. Once a user has defined a structure for binary data (usually matching some file format) she can search, inspect, create, shuffle and modify abstract entities such as ELF relocations, MP3 tags, DWARF expressions, partition table entries, and so on, with primitives resembling simple editing of bits and bytes. The program comes with a library of already written descriptions (or "pickles" in poke parlance) for many binary formats.
The purpose of this lightning talk is to present executable file format tricks (ELF and Mach-O) that prevent static analysis tools (like IDA, BinaryNinja, ...) from working correctly. While these tricks do not break the execution of the original binary, when it is opened in IDA, BinaryNinja and Radare2 the code looks obfuscated, even though only the file format is modified (not the instructions). These modifications are implemented with LIEF, and the scripts will be published at the end of the conference with an associated blog post.
You will enjoy hacking with RFID/NFC cards and devices using open-source tools.
You will have plenty of time to get familiar with the Proxmark3 RDV4 and operate it by yourself in various conditions and challenges.
Using sudo, you can control and log administrative access to your hosts. Recent sudo versions allow you to send log messages in JSON format, while the latest sudo features also allow you to watch and control previous blind spots.
DFIR-IRIS is a collaborative incident response platform recently published as open source. It provides operational and efficient features to respond to IR challenges. Information sharing, real-time collaboration, timeline creation, forensic evidence ingestion, task logging, daily reports for customers... These are all necessary steps in an investigation that need to be simplified in order to reduce analysts' workload. From this observation was born DFIR-IRIS.
This talk will present two new open-source incident response tools and a new Rust library dedicated to Incident Response: bin2json, a tool to extract metadata from multiple file formats to JSON, and TapIR, a collaborative server for incident response accessible through a REST API, a web UI, and Python command-line tools.
Cyberchef is an awesome tool developed by GCHQ (the UK intelligence services). Easy to deploy and maintain, it offers a complete toolbox to manipulate data. This talk will briefly introduce the core features of Cyberchef and, in a second part, we will discuss how to speed up the analysis of data in the context of malware analysis (decoding C2 traffic, decoding configuration files, and many more examples).
MobSF is a free and open-source security scanner for mobile applications.
First, this talk will introduce MobSF and its different features. Then, the talk will present how MobSF can be used during a penetration test or a red team.
After presenting how to set up the tool for penetration testing, different use cases will be presented from two different points of view:
- a security review of a mobile application (or an SDK): in this case, the mobile application or the specific SDK is the target.
- an assessment where the mobile application is not directly the target: in this case, the mobile application is used for recon (and more).
- a quick use case for every penetration tester who doesn't want to dig into complex Android methods.
These use cases will also point out MobSF's limits and how to handle them by using the API and homemade scripts. For some cases, a comparison with other tools (such as apkleaks) will be done.
Finally, a quick review of how bug reports and feature requests are handled by the MobSF team.
Threat hunting with network data can be done with Suricata, which combines a signature-based IDS with network security monitoring capabilities. In this workshop we will show this through SELKS usage. SELKS is a complete network threat hunting stack based on Suricata and Elasticsearch. We will use some of the recent capabilities of Suricata, like datasets, to show that it goes far beyond the traditional role of an IDS.
Arbitrary object deserialisation vulnerabilities in Java applications can be really dangerous, but also worthless if you are not able to find a gadget chain.
Some gadget chains are known and can be used without much consideration, but most of them don't work anymore.
Indeed, most known gadgets are 3 to 5 years old. This can be explained by the fact that finding such chains is hard and few tools exist to automate this process. In this talk I want to present a new technique to easily find new gadgets by leveraging the power of CodeQL. CodeQL is a very powerful static code analyzer that provides a way to analyze code by querying it like a data store. It's open source and can work on open-source projects, as it requires the source code of the analysed application. CodeQL can find paths between different methods and calls inside an application. This is really useful for gadget chains, as we need to look for code paths from a deserialization method to a dangerous one which can lead to arbitrary code execution.
Have you ever come across a website that used NTLM-based authentication, and you just could not authenticate with your browser or Burp Suite even though you knew your credentials were correct? NTLM Extended Protection for Authentication (EPA) might be the culprit... Indeed, Firefox, among others, does not support the NTLM EPA mechanism and fails to authenticate.
This new protection was implemented to prevent relay attacks on web servers. With the rise of the powerful attack chain that involves ADCS, PetitPotam and NTLM relay, this protection has proven to be very useful!
What can we do then?! How are we going to use all our favorite tools? By creating a proxy, of course! This raised multiple challenges, such as TLS interception, HTTP parsing, NTLM authentication, EPA implementation, and so on.
kdigger, short for "Kubernetes digger", is a context discovery tool for Kubernetes penetration testing. This tool is a compilation of various plugins called buckets to facilitate pentesting Kubernetes from inside a pod.