pts2024
Landlock is the sandboxing mechanism available on Linux. In this workshop, we'll sandbox an application in a way which is transparent to users. This hardening will help mitigate security vulnerabilities.
Yeti was initially created in 2017, when a very operational french financial CERT had the need for managing threat-intelligence related indicators. When responding to incidents, they wanted quick answers to DFIR-related questions like “where have I seen this kind of filesystem activity before?”, or “is any of this network traffic suspicious”. Yeti was created to fulfill that need.
Fast forward to 2024, open-source threat intelligence platforms (or TIPs) have now proliferated, and yet these questions are not always easy to answer. As environments are now more complex than ever (think cloud providers, kubernetes, terraform, etc.) and attackers get more creative, DFIR teams need to find a way to structure their operations to be able to keep up with the operational tempo. What’s the query that you used to query cloud logs? How do I query a system for that persistence mechanism that was explained in that blogpost? How do I structure investigations to make sure that my team on the other side of the world can pick up where I left and knows what to look for?
This talk will show how Yeti has changed to respond to the need for a “forensics intelligence” repository, integrating with various other OSS projects such as Timesketch, DFIQ, ForensicArtifacts, MISP to leverage collective forensic knowledge and supercharge forensic analysis. We’ll introduce newcomers to Yeti, explain our reasoning behind these new capabilities, take a tour of all these other open-source projects, and showcase some of the possible synergies.
When I'm teaching reverse engineering, we cover different malware analysis approaches from static analysis up to code analysis. We don't convert the “automated” analysis part. Why? Because, the training goal is to help you to address malware that failed (or evaded) sandboxes. But it does not mean that automation is not interesting, it is… definitively! It's a great way to process a huge amount of malware samples and focus only on the “interesting” ones. In this talk, I'll show you how I'm doing my hunting activities, how I collect interesting samples from mail feeds, online resources and how files are processed/stored.
In the current messy digital landscape, staying ahead of security threats and vulnerabilities is crucial for operational security. "Bring Back RSS for Operational Security" is a lowtek talk that delves into the resurgence of Really Simple Syndication (RSS) as a critical tool for Security Operations Centers (SOCs) and security teams. This presentation will explore how RSS, a once commonplace technology, can be repurposed in modern cybersecurity strategies to enhance threat intelligence, streamline information gathering, and support rapid response mechanisms. The talk describes a set of open source tooling to use RSS on a day-to-day usage in an information security team.
This is an hands-on talk about what you can do with the rev.ng decompiler, an open source decompiler based on LLVM and QEMU.
We will guide the audience step-by-step through how to go from the raw bytes of a file (think, a firmware) to decompiled C code.
Then we'll dig into rev.ng intermediate representation, based on LLVM IR, and show what tools can be used on it (e.g., KLEE for symbolic execution).
Finally, we'll show how you can use standard tools such as CodeQL and clang-static-analyzer to find bugs in the decompiled C code emitted by rev.ng, which is always syntactically valid.
Everything that will be shown will be 100% reproducible by the audience in real-time using rev.ng.
Sudo is used by millions to control and log administrator access to systems. However, in most cases, people use the default configuration or add a simple rule to allow a user to run a single command. The sudo workshop is for those who want to go well beyond the basics and want to practice many of the enterprise-focused features of sudo.
The Zeek open-source NSM platform is so much more than just the vanilla Zeek log files. With a bit of Zeek scripting and Python bindings, you can connect it to your Python programs and libraries like Numpy, Pandas, and Tensorflow. Join us and use Python with machine learning to supercharge your Zeek environment!
BEAM (Bogdan/Björn's Erlang Abstract Machine) is a virtual machine designed by Ericsson used to run Erlang applications. We ran into such an application during an assignment and had to disassemble it as well as many libraries, and discovered that the existing tools do not produce a correct and complete disassembly. A lot of valuable information is lost in the process (cross-references and some type information) that makes the analysis of the disassembled code a nightmare (and the VM architecture makes it worse).
In this talk, we will quickly introduce the BEAM VM and its internals, expose the reasons that led us to develop a tiny disassembler and discuss the difficulties caused by the virtual machine architecture. We will demonstrate how our disassembler may help with batch-processing and cross-modules analysis, and how the produced disassembly makes a difference compared to the other tools. The source code of this disassembler will be made available soon before the talk.
CryptPad is an open-source end-to-end encrypted collaborative office suite
focusing on being easy to use and protecting the privacy of its user, even
from itself.
In this talk, we will start with an history of CryptPad development before
moving on exciting new improvement both from a security and usability point
of view.
IMPORTANT INFO: due to personal reason, the speaker won't be able to attend the conference in person. Finally, we will be showing a video of his talk, recorded by the speaker beforehand, and he will then answer any questions participants may have via videoconference.
Shufflecake is a novel, free, open-source data encryption tool that allows the creation of hidden volumes on a storage device in such a way that it is very difficult, even under forensic inspection, to prove the existence of such volumes. This is useful for people whose freedom of expression is threatened by repressive authorities or dangerous criminal organizations, in particular: whistleblowers, investigative journalists, and activists for human rights in oppressive regimes. You can consider Shufflecake a "spiritual successor" of tools such as TrueCrypt and VeraCrypt, but vastly improved: it is fast, supports any filesystem of choice, and can manage multiple layers of nested decoy volumes, so to improve user experience and make deniability of the existence of these partitions really plausible.
Shufflecake is the result of a multi-year research aimed at solving fundamental limitations of plausible deniability tools. It has been peer-reviewed and presented at top IT conferences such as DEF CON Demo Labs and ACM CCS. It is under active development, and the open source community is welcome to contribute. In this talk we will present the history and limitations of other existing solutions, we will show how Shufflecake works and solves such limitations, and we will see why Shufflecake is an indispensable tool in the arsenal of users facing violent or coercive investigation.
This workshop serves as a primer on utilizing DFIR-Orc for incident response, offering practical, hands-on learning. Additionally, it will highlight the use of FastFind, an integrated tool within DFIR-ORC, designed for executing widespread searches for indicators of compromise across your enterprise network.
There’s no two ways about it: Kubernetes is a confusing and complex collection of intertwined systems. Finding attack paths in Kubernetes by hand is a frustrating, slow, and tedious process. Defending Kubernetes against those same attack paths is almost impossible without any third party tooling.
In this workshop we will present KubeHound - an opinionated, scalable, offensive-minded Kubernetes attack graph tool used by security teams across Datadog. We will cover the custom KubeHound DSL to demonstrate its power to identify some of the most interesting and common attack primitives living in your Kubernetes cluster. If the DSL is not enough, we will cover the basics of Gremlin, the language used by our graph technology so you can find relevant attack paths that matter to you.
As attackers (or defenders), there's nothing better to understand an attack than to exploit it oneself. So in this workshop we will cover some of the usual attack paths and exploit them. This way you will see by yourself, the difficulty (or not) to fully compromise a Kubernetes cluster (#DontDoThisAtHome).
At last, is this workshop we will also demonstrate two ways of using KubeHound: * As a standalone tool that can be run from a laptop * Or deployed as a service in your own Kubernetes clusters (KubeHound as a Service)
The main goal of this workshop is to show how defenders can find and eliminate the most dangerous attack paths and how attackers can have a treasure map to fully compromise a Kubernetes cluster by using the free and open source version of KubeHound.
In this talk, we'll delve into the evolution and foundational principles of Kunai, a specialized threat detection and hunting tool crafted for Linux environments. We'll revisit its core objectives while unveiling its latest features, including its integration with MISP and its detection rules engine, demonstrating how Kunai enhances daily Linux machine monitoring. Through practical demonstrations and real-world examples, attendees will learn how to leverage Kunai's capabilities to reinforce the security of Linux infrastructures against ever-evolving cyber threats.
Overview of the pyrasp module: internals, key security engines and most relevant use cases
Kubernetes clusters rely on TLS for secure and authenticated internal communication. However, managing TLS certificates in such environments can be complex. Kubernetes offers built-in mechanisms to handle certificate signature and distribution to ease this challenge. Bootstrap tokens play an important role in this process, serving as initial identifiers that enable certificate signing requests. Typically, these requests are automatically approved and signed. As often in security, this ease of use implies the emergence of attack vectors.
This presentation will delve into the mechanics of Kubernetes authentication and bootstrap tokens to highlight exploitation possibilities of such tokens.
Inspired by Marc Wickenden's research on Google GKS TLS Bootstrapping, we will demonstrate a new attack in AKS clusters (Azure), that will not be fixed by Microsoft.
Certificate Transparency was initiated in 2011 after Diginotar, a certificate authority, was breached. This transparency ecosystem now logs all HTTPS certificates accepted by major root programs. It makes certificates publicly discoverable, and would make such attacks discoverable shall they happened again. This ecosystem requires the collaboration of multiple participants: log operators, certificate authorities, user agents, root programs, domain owners, log monitors and verifiers. Log operators, run one of the core components of this ecosystem: tamper-evident logs. This technology was first rolled out at scale for Certificate Transparency, and is now being used for more use cases, such as binary transparency.
In this talk, we will provide an overview of Certificate Transparency, and explain how all the ecosystem participants work together to keep the ecosystem healthy and usable. We will go over the technical specificities of Certificate Transparency, and future plans of bringing CT and other transparent ecosystems closer.
In a delegated-trust environment like the WebPKI, revocation of trust in certificates and keys that are compromised is a critical aspect of security. But for many years, security experts have rightly been saying that revocation is broken: Certificate Revocation Lists don’t scale; the Online Certificate Status Protocol fails open, is expensive to run, and is a privacy risk; and mass-revocations can effectively take huge swathes of the internet offline. This talk will provide technical details behind three techniques that the tiny team at Let’s Encrypt is using to solve these problems at scale.
The goal of the tool suite is to make it easier to handle suspicious contents reported by your users, friends or constituents. It empowers them to check URLs, emails, or files they receive and take educated decisions without relying on you all the time.
This workshop will go in depth on how you can configure Lookyloo and Pandora, and all the other tools that make it a complete tool suite usable in your organisation with minimal manual work. We will also look at the correlation features to pivot across captures to find phishing campaigns in the 3+ millions captures gathered across the years on the CIRCL Lookyloo instance.
There are a multitude of open-source cryptography libraries. This is why no one needs yet another cryptography library. Nevertheless, having a framework that brings together a range of libraries behind an easy-to-use unified API can be useful. A typical use case could be companies and individuals who are willing to migrate from classical cryptography to quantum-resistant cryptography without having to learn a new API. This is commonly known as crypto-agility.
Sandwich provides such a framework as a meta-library. It provides a hard-to-misuse API that interoperates with trusted and well-established cryptography libraries. Users can switch between protocols and/or libraries in a flash, without having to recompile or even edit their source code.
This presentation breaks down Sandwich by explaining its core principles and its unified API.
Repository of the project: https://github.com/sandbox-quantum/sandwich
This workshop will show participants how to set up instances of Yeti and Timesketch and interconnect them. After the infrastructure is set up, participants will learn how to add data, run feeds, and set up Yeti to automatically augment Timesketch sketches with useful threat and forensics intelligence data. Once all that is ready, we’ll upload some forensics data to Timesketch and run through a full investigation, using intelligence from Yeti to hit the ground running. We’ll also curate intelligence as we go, and see how this intelligence will be fed back into Yeti, and be made accessible in future cases. If time permits, we’ll do an end-to-end run of the OSS DFIR pipeline using GRR and dfTimewolf.
crypto-condor is a tool to test implementations of cryptographic primitives. It aims to verify that implementations are compliant with the standard as well as with ANSSI's recommendations.
It is a Python library that includes a command-line interface (CLI). It comes with a documentation that details the library's features, gives usage examples, and includes method guides on the supported primitives. These guides outline the characteristics of a given primitive, along with a list of rules and
recommendations by the ANSSI pertaining the primitive. The post-quantum primitives currently under the NIST standardisation process are also documented.
The tool is not yet publicly available: we intend to release it as open source software alongside its documentation and a Python package on PyPI. This way, installing it will require a single command:
python -m pip install crypto-condor
Usage
For a complete guide, refer to the included documentation.
In a few words, this tool can test implementations under one of two scenarios:
- We either have access to its source code or the implementation so we can execute the functions we want to test, in which case we can use test vectors.
- Or we can at least capture inputs given to the implementation and their corresponding outputs, in which case we can compare these outputs to those generated by the tool's internal implementation.
Presentation outline
- Introduction: what does crypto-condor aim to solve?
- State of the art: example of Wycheproof and Paranoid.
- The tool: what is covered, the different modes of operation (wrapper or output), and the documentation.
- Usage example: CRY.ME, its implementation of AES-CBC, AES-GCM, and SHA3-256.
- Conclusion: currently under development (e.g. support for more primitives), going to be open source.
USB (Universal Serial Bus) is the current standard for connecting peripherals to devices. USB is used to connect keyboards, mouses, printers, music instruments, storage, cameras and pretty much everything to a device. This makes it the perfect target for security researchers with physical access to a USB port. A small USB primer at the start of this talk should give you a broad idea of how USB2 works and some improvements USB3 brings.
While exchanging with USB peripherals can be done in Python with PyUSB1 on any PC, creating custom USB peripherals for security assessment and testing (e.g., attack surface analysis, scanning, fuzzing) of USB hosts can be more challenging as it requires specific hardware. That's where Facedancer2 came in 12 years ago : Facedancer is a Python library from Great Scott Gadgets that interacts with a dedicated hardware capable of creating USB devices, allowing you to create and modify a USB2 peripheral in seconds.
However, the flexibility of Facedancer comes with a cost: data has to go from the target host to the controlling PC, then back to the target host using a much longer path than a regular USB device would use. The current implementation of Facedancer is based on backends, which support different hardwares: Facedancer213/Raspdancer4/BeagleDancer5, GreatFET One6 and the Moondancer backend for the upcoming Cynthion board7. While Moondancer should bring USB2 High-speed support (480Mb/s), Facedancer is currently stuck to USB2 Full-speed (1.5Mb/s) with instability issues.
With the open-source project Hydradancer8, we bring a USB2 High-speed backend to Facedancer using the USB3 capabilities of HydraUSB3, a platform based on the RISC-V WCH569 chip. While emulating USB3 peripherals is still out of the question with the current delays, Hydradancer brings improved speeds and stability for USB2 peripheral emulation. As the WCH569 lacks documentation for USB3 and a proper SDK, a lot of testing was required to get the USB3 connection working and we will present the different challenges that we encountered while making wch-ch56x-lib, a support library for WCH569 with tested USB2/USB3/HSPI(High-speed Parallel Interface)/SerDes(Serializer/Deserializer) drivers.
As we needed to measure the improvements of Hydradancer over existing backends, we will present our benchmarks that compare Hydradancer with the existing Facedancer21 and GreatFET boards. Our results showed 447 times faster average write transfers for USB2 Full-speed transmission compared with Facedancer21 and 10 times faster compared with GreatFET One.
Then, we will demonstrate the use of Facedancer for security research and compare Hydradancer with the existing Facedancer21 and GreatFET One boards for this usage.
As Facedancer is not the only option when it comes to creating USB peripherals, we will compare it with raw-gadget9, a low-level interface for the Linux Gadget USB subsystem and learn how Hydradancer and raw-gadget can complement each other.
Finally, we will talk about the current limitations of USB emulation and what the future might look like, especially for USB3 peripheral creation.
NOTE : We will release wch-ch56x-lib, a support library for the WCH569 chip, the code used for our benchmarks along with the firmware and backend for Hydradancer in April 2024. Benjamin Vernoux, the creator of HydraUSB3, is currently working on making the Hydradancer hardware available to the public and it should be ready for the talk or soon after. We started by working on a dual HydraUSB3 setup, Hydradancer will be a single smaller board and the talk will be based on a development version of this new board.
As modern devices become more secure, hardware based fault injection methods including Electromagnetic Fault Injection (EMFI) are gaining traction. They become an important tool to bypass modern security mechanisms and perform further security research like firmware reverse engineering. However, hardware hacking setups are often expensive and inaccessible due to the limited amount of open-source hardware, software and available information. There have been efforts towards improving this, but so far, no publication presented a complete solution. In this talk, we present an accessible EMFI setup based on open-source hardware and software and prove its effectiveness against modern IoT targets. We describe the whole setup, the design considerations that went into it, release circuit diagrams and code, as well as presenting the first successful instruction skips on the latest ultra-low-power Espressif ESP32-C3 IoT System-On-Chip (SoC), which could be applied against its secure boot implementation, firmware encryption or hardware flag checks.
Over the last decades, the proliferation of phishing websites has emerged as a significant cybersecurity threat, necessitating greater attention and research. These deceptive online websites, designed to mimic legitimate websites, aim to trick unsuspecting users into divulging sensitive information such as usernames, passwords, and financial details. Understanding the mechanics and prevalence of these malicious sites is crucial for developing effective countermeasures and safeguarding users' online security. Supervised machine learning models have become the standard for phishing detection, offering prediction capacities to security systems. These models rely largely on annotated data for their training, evaluation and ongoing maintenance. Thus, there exist a need for the efficient gathering of such annotated data to improve phishing detection methodologies.
In this talk, we will introduce WikiPhish, a novel, renewable, and open-access dataset for phishing website classification. WikiPhish consists of 110,606 webpages sourced from URLs drawn from Wikipedia's references alongside renowned phishing databases OpenPhish and PhishTank. The dataset is designed to address the challenges of phishing detection by leveraging Wikipedia's contribution verification and wide-ranging content. This allows the development of phishing detection models on a strong foundational baseline that can evolve overtime.
Join us for an immersive hands-on workshop where we'll delve into Kunai, a specialized threat detection and hunting tool tailored for Linux environments. Participants will explore its evolution, core principles, and latest features, including integration with MISP and its detection rules engine, through practical, real-world use cases. With guided exercises, attendees will learn to leverage Kunai for enhancing their Linux machines visibility, empowering them to identify and mitigate threats effectively.
Natural Language Processing (NLP) is a vital, well-established tool across sectors like finance and risk management. Within cybersecurity, NLP is crucial for extracting and analyzing information, data annotation, developing detection protocols, and malware classification. Today some of its key roles include extracting indicators of compromise from unstructured data and automating threat intelligence reporting.
Contrary to popular belief, the field is open to everyone; with some programming skills and a dash of creativity, anyone can start and get some results pretty quickly.
This workshop is an introduction for total beginners, where no prior knowledge in natural language processing or machine learning is required.
Over the years I've been working on the phishing threat, starting from scratch, I've had to create several tools for detection, investigation of the URLs or actors behind these threats, but also material recuperation (phishing kits). Today, I'd like to introduce you to these different tools, their benefits and how they can be used on a day-to-day basis.
oletools is an open-source project developed since 2012 to analyse MS Office documents and also any files with the OLE/CFB format (Compound File Binary), especially for malware analysis. oletools is used by many blue teamers, and it has also been integrated into a large number of malware analysis tools, platforms and online services.
In this talk I will demonstrate how to use oletools to analyse recent malware samples. I will also present new features developed this year to analyse MSI and MSIX installers, and the specific file format identification algorithm in the ftguess tool.
In the landscape of software development, leveraging open-source libraries and packages through registries like NPM, PyPI, Go modules, and Crates for Rust has become standard practice. This approach facilitates the rapid integration of diverse functionalities into applications, driving both innovation and efficiency across the development community. While the benefits of using these resources are clear, the management of external dependencies introduces a set of considerations regarding security and maintainability.
Inspired by Alex Birsan's blogpost on Dependancy confusion, we are going to introduce the tool Depfuzzer. This tool enables the search for failing dependencies across various projects.
The tool will initially list all the dependencies of the projects and then gather information for each of them from the website https://deps.dev/. From there, it is possible to determine if a dependency exists and is still maintained.
Other checks have also been added, such as the validity of the maintainer's email, for example.
JA3 technique has been succesfull for years in fingerprinting TLS implementation but a recent update in Chrome is making it mostly useless. A new alternative algorithm named JA4 has been developed but is it good enough ?