Iceman will show you the latest revision of proxmark3 tool, RDV40, a successful kickstarter that brought NFC analysis to the next level. Identifying common issues in the Proxmark community. RRG formed to produce new hardware like the proxmark3 RVD4

What’s so special about the PM3 RDV4?

Onboard storage

SIM interface

Improved HF + LF antennna

Improved HF antenna

Improved ‘capsule’ LF antenna

QC process

Covert + discreet

Current capabilities of offical firmware and popular forks.

Kubernetes is an open-source system for the deployment, scaling, and management of containerized applications. Common implementations of Kubernetes are not secure by default and a lot of information about the hardening of Kubernetes intrinsic security is not known to the public. Since version 1.7 though, the security level has increased and the common security risks have been mitigated. More information about Kubernetes attack and defense methodologies has become available. However, none of these published resources lay the focus on the logging mechanisms of Kubernetes and the possibility for detection of active threats.

The system we created is a combination of existing tools for a centralized audit system for Kubernetes instances. This system, named K8sCop, serves as a data analysis tool for the monitoring of cluster activity and detection of potentially malicious events. The talk contains several demonstrations, where attacks are conducted against a Kubernetes instance, which are made visible in the Kubernetes Security Dashboard (K8SD) in Kibana.

The presentation will describe how to set up the existing tools the following way:

– How to store audit logs in Kubernetes instances

– How to set up Elasticsearch with Kubernetes using the Fluent daemon

– How to run the K8sCop analyzer for static or streaming analysis on Kubernetes log data

– What types of Kubernetes incidents are labelled by K8sCop

– How to import and view the Kubernetes Security Dashboard in Kibana

We will show how to use the dashboard and demonstrate attacks on Kubernetes in real-time and how they are caught by our system.

All project material is opensource, such that organizations and individuals that require visibility over their Kubernetes infrastructure can use and adapt these tools to suit their own needs. The sources can be found at https://github.com/k8scop/k8s-security-dashboard.

The talk demonstrates how to deliver a distributed chat system that creates a way for communicating peers by using a covert channel hiding its network traffic in 802.11 management frames ciphered through AES encryption.

To achieve greater network coverage, each of the nodes participating in the chat acts also as a repeater of the received messages, thus extending the range of operation. The chat also allows sending data files in order to exfiltrate information from high security locations. Thanks to the type of covert communications used, it is very difficult to detect and fight.

Two-factor authentication is considered “the solution” to prevent phishing.

In reality, only Universal Two-factor (U2F) is somehow useful once hardware keys are deployed, while the rest of 2FA solutions fail miserably, including SMS, Push, SoftwareAuthenticators, OTP and others.

If there is no HTTP Origin verification and the second factor token is sent via web, phishing can be performed pretty much transparently performing MiTM by using a reverse proxy solution.

Moreover, once valid sessions are collected, they can be impersonated via browser instrumentation with a farm of dockerized Chrome headless instances. Such instances are useful not only to keep alive the stolen sessions but also to scrape and extrude data from hijacked accounts, as well as performing any action on user behalf.

Depending on the instrumented portal, activities can be different, such as: backdooring a GitHub account by adding an SSH key, searching for credentials over an OWA webmail, chaining bugs in WordPress and automating RCE and what not.

The whole process is automated by Muraena and Necrobrowser. The first is a custom target-agnostic reverse proxy solution (written in golang). The latter, takes care of the instrumentation and session riding.

This approach minimizes the complexity of handling phishing with 2FA, while drastically reducing the time needed to perform post-phishing activities, allowing the phisherman to focus on data analysis and scenario planning.

There will be demos performing phishing and session instrumentation on a number of portals like GitHub, OWA, Google Docs, LinkedIn, protected by different authentication types.

Muraena and Necrobrowser will be released after the talk.

Remote timing attacks have been often researched in the past. They have been applied to breaking cryptographic algorithms, inferring web server secrets and even in recent cache timing attacks.

Research has shown the feasibility of inferring time differences down to 1us for remote and down to 100ns in LAN environments.
Although very small, such timescales do not allow for practical inference of instruction-level decisions on fast CPUs, such as in remote password guessing performed via memcmp() timing. In facts, timing attacks become much more feasible (and common) at larger timescales (i.e. SQL injections).

While true for fast servers, the opportunities provided by IoT devices, with fast Internet connections and slower CPUs, are currently unexplored.
In order to support our ongoing research, a dedicated tool has been developed for performing automated remote timing attacks.

The tool is modular and implements techniques from research state of the art.
It supports a choice of target’s timing strategies, also available in a distributed configuration, useful for remote measurements.
Multiple statistical classifiers and offline analysis are also available.
Feedback between the modules allows for completely automated attacks.
Even though the main research is still ongoing and the tool may enjoy further refinement, we are able to demonstrate the tools and preliminary results.
During the presentation, we will show the tools’ features and potentials, while demo’ing remote extraction of a 8-digits PIN from a very common IoT platform.

A company, regardless of its size and market power, may go out of business or lose a lot of value because of a security incident on its information system.

The number of vulnerabilities and the interest of cyber-attackers is only increasing. With the advent of the monetization of botnet cyber attacks or the installation of crypto-miners for example, the threats are going more varied and intensified, but less targeted. The vast majority of companies are digital and increasingly exposed on the Internet. The level of cyber exposure is also higher. The “Cyber” risk has become vital. Today, everything has changed and tomorrow everything will change even faster. Where manual analysis was sufficient, paradigms of risk assessment are moving towards more automation. But we need intelligent automation.

The technological offer is not lacking, but after more than 10 years of experience, our observation is indisputable:

1. The best tools are only satisfactory in part of their capacities
2. It remains difficult to have a realistic and continuous visibility on the risks borne by the assets exposed by an organization.
3. Business processes tend to adapt to the tool capabilities rather than using these tools to support their cyber surveillance strategy.

This automation strategy also tends to address the drastic lack of competent cyber security resources and retention of talents. The automation of recurrent, time-consuming and low-value-added tasks will allow teams to focus on more complex and therefore more motivating topics. PatrOwl is a solution for automating calls to commercial or open source tools that perform checks. To date, around 40 tools or online services are supported. Beyond centralizing the results obtained, the PatrOwl analysis engine compares these results with its knowledge base and other third-party services to determine scenarios of attacks (predictive analysis) or to trigger actions.

The idea behind Faraday is to help you to share all the information that is generated during a pentest, vulnerability assessment or scan without changing the way you work.
You run a command, import a report, and Faraday will normalize the results and share them with the rest of the team in real-time. Faraday has
more than 70 plugins available (and counting), including the most popular commercial and open-source tools.
If you use a tool that Faraday doesn’t have a plugin for, you can create your own!
Come check it out!

Overview of the tool 
RFQuack is a versatile RF-hacking tool that allows you to sniff, analyze, and transmit data over the air. Consider it as the modular version of the great YardStick One, which is based on the CC1111 radio chip. Similarly to RFCat for the YardStick One, RFQuack has a console-based and Python-scriptable client that allows you to set parameters on the radio, receive, transmit, and so on.

Another RF-hacking dongle? RFQuack is midway between software-defined radios (SDRs), which offer great flexibility at the price of a fatter code base, and RF dongles, which offer great speed and a plug-and-play experience at the price of less flexibility (you can’t change the radio chip). So, if you need to analyze a weird RF protocol with that special packet format or that very special modulation scheme, with mixed symbol encodings, with RFQuack you just swap the radio shield and you can just start working right away. And if we don’t support that special radio chip yet, you can just craft your shield and add support to the software!

RFQuack is unique in some ways. First, it supports multiple embedded radio chips (e.g., RF69, RF95, CC1120), basically all the chips supported by RadioHead (which we forked to create RadioHAL, a more hackable radio hardware abstraction layer), and we’re adding more. Secondly, it does not require a wired connection to the host computer: the serial port is used only to display debugging messages, but the interaction between the client and the node is over TCP using WiFi (via Arduino WiFi) or via GPRS (via TinyGSM library) as networking layers. Third, the Python client allows both high-level operations (e.g., change frequency, change modulation) as well as to interact with the radio chip at a very low level (read or write registers). So, you have the power of an embedded radio chip driven by native code running on the MCU, but you can program in it Python via a simple API! Last, the firmware and the API implement the concept of in-flight packet-filtering and packet-modification rules (it’s like a tiny firewall), which means that you can instruct the firmware to listen for a packet matching a given signature (in addition to the usual sync-word- and address-based filtering, which you can disable for full promiscuous mode), optionally modify it right away, and re-transmit it with under a few milliseconds delay, because all the processing happens on the MCU.

RFQuack has a modular software and hardware architecture comprising a radio chip, a micro-controller unit (MCU, a network adapter (e.g., WiFi or cellular). The communication layers are organized as follows. The Python client encodes the message for the RFQuack dongle with Protobuf: this ensures data-type consistency across firmware (written in C) and client (written in Python), a bit of data validation, and low development effort. The serialized messages are transported over MQTT (which allows multi-node and multi-client scenarios) or just serial (when you need minimal latency). The connectivity layer is just a thin abstraction over various cellular modems and the Arduino/ESP WiFi.

Remote timing attacks have been often researched in the past. They have been applied to breaking cryptographic algorithms, inferring web server secrets and even in recent cache timing attacks.

Research has shown the feasibility of inferring time differences down to 1us for remote and down to 100ns in LAN environments.
Although very small, such timescales do not allow for practical inference of instruction-level decisions on fast CPUs, such as in remote password guessing performed via memcmp() timing. In facts, timing attacks become much more feasible (and common) at larger timescales (i.e. SQL injections).

While true for fast servers, the opportunities provided by IoT devices, with fast Internet connections and slower CPUs, are currently unexplored.
In order to support our ongoing research, a dedicated tool has been developed for performing automated remote timing attacks.

The tool is modular and implements techniques from research state of the art.
It supports a choice of target’s timing strategies, also available in a distributed configuration, useful for remote measurements.
Multiple statistical classifiers and offline analysis are also available.
Feedback between the modules allows for completely automated attacks.
Even though the main research is still ongoing and the tool may enjoy further refinement, we are able to demonstrate the tools and preliminary results.
During the presentation, we will show the tools’ features and potentials, while demo’ing remote extraction of a 8-digits PIN from a very common IoT platform.

A company, regardless of its size and market power, may go out of business or lose a lot of value because of a security incident on its information system.

The number of vulnerabilities and the interest of cyber-attackers is only increasing. With the advent of the monetization of botnet cyber attacks or the installation of crypto-miners for example, the threats are going more varied and intensified, but less targeted. The vast majority of companies are digital and increasingly exposed on the Internet. The level of cyber exposure is also higher. The “Cyber” risk has become vital. Today, everything has changed and tomorrow everything will change even faster. Where manual analysis was sufficient, paradigms of risk assessment are moving towards more automation. But we need intelligent automation.

The technological offer is not lacking, but after more than 10 years of experience, our observation is indisputable:

1. The best tools are only satisfactory in part of their capacities
2. It remains difficult to have a realistic and continuous visibility on the risks borne by the assets exposed by an organization.
3. Business processes tend to adapt to the tool capabilities rather than using these tools to support their cyber surveillance strategy.

This automation strategy also tends to address the drastic lack of competent cyber security resources and retention of talents. The automation of recurrent, time-consuming and low-value-added tasks will allow teams to focus on more complex and therefore more motivating topics. PatrOwl is a solution for automating calls to commercial or open source tools that perform checks. To date, around 40 tools or online services are supported. Beyond centralizing the results obtained, the PatrOwl analysis engine compares these results with its knowledge base and other third-party services to determine scenarios of attacks (predictive analysis) or to trigger actions.

The idea behind Faraday is to help you to share all the information that is generated during a pentest, vulnerability assessment or scan without changing the way you work.
You run a command, import a report, and Faraday will normalize the results and share them with the rest of the team in real-time. Faraday has
more than 70 plugins available (and counting), including the most popular commercial and open-source tools.
If you use a tool that Faraday doesn’t have a plugin for, you can create your own!
Come check it out!

Overview of the tool 
RFQuack is a versatile RF-hacking tool that allows you to sniff, analyze, and transmit data over the air. Consider it as the modular version of the great YardStick One, which is based on the CC1111 radio chip. Similarly to RFCat for the YardStick One, RFQuack has a console-based and Python-scriptable client that allows you to set parameters on the radio, receive, transmit, and so on.

Another RF-hacking dongle? RFQuack is midway between software-defined radios (SDRs), which offer great flexibility at the price of a fatter code base, and RF dongles, which offer great speed and a plug-and-play experience at the price of less flexibility (you can’t change the radio chip). So, if you need to analyze a weird RF protocol with that special packet format or that very special modulation scheme, with mixed symbol encodings, with RFQuack you just swap the radio shield and you can just start working right away. And if we don’t support that special radio chip yet, you can just craft your shield and add support to the software!

RFQuack is unique in some ways. First, it supports multiple embedded radio chips (e.g., RF69, RF95, CC1120), basically all the chips supported by RadioHead (which we forked to create RadioHAL, a more hackable radio hardware abstraction layer), and we’re adding more. Secondly, it does not require a wired connection to the host computer: the serial port is used only to display debugging messages, but the interaction between the client and the node is over TCP using WiFi (via Arduino WiFi) or via GPRS (via TinyGSM library) as networking layers. Third, the Python client allows both high-level operations (e.g., change frequency, change modulation) as well as to interact with the radio chip at a very low level (read or write registers). So, you have the power of an embedded radio chip driven by native code running on the MCU, but you can program in it Python via a simple API! Last, the firmware and the API implement the concept of in-flight packet-filtering and packet-modification rules (it’s like a tiny firewall), which means that you can instruct the firmware to listen for a packet matching a given signature (in addition to the usual sync-word- and address-based filtering, which you can disable for full promiscuous mode), optionally modify it right away, and re-transmit it with under a few milliseconds delay, because all the processing happens on the MCU.

RFQuack has a modular software and hardware architecture comprising a radio chip, a micro-controller unit (MCU, a network adapter (e.g., WiFi or cellular). The communication layers are organized as follows. The Python client encodes the message for the RFQuack dongle with Protobuf: this ensures data-type consistency across firmware (written in C) and client (written in Python), a bit of data validation, and low development effort. The serialized messages are transported over MQTT (which allows multi-node and multi-client scenarios) or just serial (when you need minimal latency). The connectivity layer is just a thin abstraction over various cellular modems and the Arduino/ESP WiFi.

Iceman will show you the latest revision of proxmark3 tool, RDV40, a successful kickstarter that brought NFC analysis to the next level. Identifying common issues in the Proxmark community. RRG formed to produce new hardware like the proxmark3 RVD4

What’s so special about the PM3 RDV4?

Onboard storage

SIM interface

Improved HF + LF antennna

Improved HF antenna

Improved ‘capsule’ LF antenna

QC process

Covert + discreet

Current capabilities of offical firmware and popular forks.

Kubernetes is an open-source system for the deployment, scaling, and management of containerized applications. Common implementations of Kubernetes are not secure by default and a lot of information about the hardening of Kubernetes intrinsic security is not known to the public. Since version 1.7 though, the security level has increased and the common security risks have been mitigated. More information about Kubernetes attack and defense methodologies has become available. However, none of these published resources lay the focus on the logging mechanisms of Kubernetes and the possibility for detection of active threats.

The system we created is a combination of existing tools for a centralized audit system for Kubernetes instances. This system, named K8sCop, serves as a data analysis tool for the monitoring of cluster activity and detection of potentially malicious events. The talk contains several demonstrations, where attacks are conducted against a Kubernetes instance, which are made visible in the Kubernetes Security Dashboard (K8SD) in Kibana.

The presentation will describe how to set up the existing tools the following way:

– How to store audit logs in Kubernetes instances

– How to set up Elasticsearch with Kubernetes using the Fluent daemon

– How to run the K8sCop analyzer for static or streaming analysis on Kubernetes log data

– What types of Kubernetes incidents are labelled by K8sCop

– How to import and view the Kubernetes Security Dashboard in Kibana

We will show how to use the dashboard and demonstrate attacks on Kubernetes in real-time and how they are caught by our system.

All project material is opensource, such that organizations and individuals that require visibility over their Kubernetes infrastructure can use and adapt these tools to suit their own needs. The sources can be found at https://github.com/k8scop/k8s-security-dashboard.

The talk demonstrates how to deliver a distributed chat system that creates a way for communicating peers by using a covert channel hiding its network traffic in 802.11 management frames ciphered through AES encryption.

To achieve greater network coverage, each of the nodes participating in the chat acts also as a repeater of the received messages, thus extending the range of operation. The chat also allows sending data files in order to exfiltrate information from high security locations. Thanks to the type of covert communications used, it is very difficult to detect and fight.

Two-factor authentication is considered “the solution” to prevent phishing.

In reality, only Universal Two-factor (U2F) is somehow useful once hardware keys are deployed, while the rest of 2FA solutions fail miserably, including SMS, Push, SoftwareAuthenticators, OTP and others.

If there is no HTTP Origin verification and the second factor token is sent via web, phishing can be performed pretty much transparently performing MiTM by using a reverse proxy solution.

Moreover, once valid sessions are collected, they can be impersonated via browser instrumentation with a farm of dockerized Chrome headless instances. Such instances are useful not only to keep alive the stolen sessions but also to scrape and extrude data from hijacked accounts, as well as performing any action on user behalf.

Depending on the instrumented portal, activities can be different, such as: backdooring a GitHub account by adding an SSH key, searching for credentials over an OWA webmail, chaining bugs in WordPress and automating RCE and what not.

The whole process is automated by Muraena and Necrobrowser. The first is a custom target-agnostic reverse proxy solution (written in golang). The latter, takes care of the instrumentation and session riding.

This approach minimizes the complexity of handling phishing with 2FA, while drastically reducing the time needed to perform post-phishing activities, allowing the phisherman to focus on data analysis and scenario planning.

There will be demos performing phishing and session instrumentation on a number of portals like GitHub, OWA, Google Docs, LinkedIn, protected by different authentication types.

Muraena and Necrobrowser will be released after the talk.