BSides Roanoke

BSides Roanoke 2024 Talks

Analyzing Android APKs using static and dynamic analysis

3:20 PM - 4:05 PM Second Room

This talk will look at modern tools currently used to analyze Android APKs. We will dive into Smali, explain what it is, and look at tools that help with static application analysis. We will also look at dynamic analysis tools such as Frida, and talk about how to make an app debuggable so that JDB can attach to it.
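
The "make it debuggable" step, as an added example rather than material from the talk: the script below sets android:debuggable="true" on the <application> element of an apktool-decoded AndroidManifest.xml, which is the change that lets jdb attach after the APK is rebuilt and re-signed. The sample manifest and the package name are constructed; the shell commands in the comments are the standard apktool/apksigner/adb/jdb invocations with file names assumed.

```python
# Added example (not from the talk): make an apktool-decoded app debuggable by
# setting android:debuggable="true" in AndroidManifest.xml, the change that lets
# jdb attach once the APK is rebuilt and re-signed. The manifest is constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE = "{%s}debuggable" % ANDROID_NS

# Constructed sample of the manifest `apktool d app.apk` produces (package name assumed).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.target">
    <application android:label="Target" android:allowBackup="false">
        <activity android:name=".MainActivity" android:exported="true"/>
    </application>
</manifest>
"""


def make_debuggable(manifest_xml: str) -> str:
    """Return the manifest with android:debuggable="true" on <application>."""
    # Keep the 'android' prefix on output instead of ElementTree's default ns0.
    ET.register_namespace("android", ANDROID_NS)
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    app.set(DEBUGGABLE, "true")  # idempotent: re-running rewrites the same value
    return ET.tostring(root, encoding="unicode")


def is_debuggable(manifest_xml: str) -> bool:
    """True when the manifest already declares the app debuggable."""
    app = ET.fromstring(manifest_xml).find("application")
    return app is not None and app.get(DEBUGGABLE) == "true"


if __name__ == "__main__":
    print(make_debuggable(SAMPLE_MANIFEST))
    # The remaining steps are typed into a shell. Standard tool invocations,
    # file names and package name assumed:
    #   apktool d app.apk -o app_src
    #   (write the patched manifest back to app_src/AndroidManifest.xml)
    #   apktool b app_src -o app-debug.apk
    #   apksigner sign --ks debug.keystore app-debug.apk
    #   adb install -r app-debug.apk
    #   adb shell am set-debug-app -w com.example.target   # app waits for a debugger
    #   adb forward tcp:8700 jdwp:<pid from `adb jdwp`>
    #   jdb -attach localhost:8700
```

The re-signing step matters: apktool's rebuilt APK carries no signature, and a debug keystore signature is fine for a test device but breaks any signature-pinning check the app performs, which is one of the things Frida hooks are then used to bypass.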

Beyond the Flipper - A guide to basic wireless communication protocols

5:10 PM - 5:55 PM Second Room

This talk will explore the basic concepts relating to wireless protocols used by consumer devices, how to decode, fuzz, and repeat commands, and a comparison between the Flipper Zero and other open-source hardware/software solutions.
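
As an added example of the decode/fuzz/repeat loop the talk describes (not material from the talk): the code below turns a captured on/off-keyed pulse train into bits, re-encodes bits into the pulse train you would transmit to replay it, and generates fuzzing variants. The timing scheme (short/long pulses in a 1:3 ratio, a sync pulse followed by a long gap, 24 data bits) is an assumption modelled on common fixed-code garage and doorbell remotes, not any specific chip, and the captured frame is constructed.

```python
# Added example (not from the talk): decode a captured OOK/PWM remote frame into
# bits, re-encode it for replay, and generate fuzzing variants. The timing scheme
# (short/long pulses, 1:3 ratio, sync pulse + long gap, 24 data bits) is an
# assumption in the style of common fixed-code garage/doorbell encoders, not a
# specific chip; the captured frame below is constructed.
from typing import List, Tuple

UNIT_US = 350        # assumed base pulse width, microseconds
SHORT, LONG = 1, 3   # pulse lengths in units
SYNC_GAP = 31        # low gap that follows the sync pulse, in units
TOLERANCE = 0.35     # accept +/-35% timing error from a noisy receiver

Pulse = Tuple[int, int]   # (level, duration_us); level 1 = carrier on


def _classify(duration_us: int) -> int:
    """Map a measured duration to SHORT, LONG or SYNC_GAP units, else raise."""
    for units in (SHORT, LONG, SYNC_GAP):
        expected = units * UNIT_US
        if abs(duration_us - expected) <= expected * TOLERANCE:
            return units
    raise ValueError("unclassifiable pulse of %d us" % duration_us)


def encode(bits: str) -> List[Pulse]:
    """Pulse train a transmitter sends for `bits` (this is what you replay)."""
    pulses = [(1, SHORT * UNIT_US), (0, SYNC_GAP * UNIT_US)]   # sync
    for b in bits:
        high, low = (LONG, SHORT) if b == "1" else (SHORT, LONG)
        pulses += [(1, high * UNIT_US), (0, low * UNIT_US)]
    return pulses


def decode(pulses: List[Pulse]) -> str:
    """Recover the bit string from a capture that starts at the sync pulse."""
    if len(pulses) < 2 or (pulses[0][0], pulses[1][0]) != (1, 0):
        raise ValueError("frame must start with a sync pulse and gap")
    if _classify(pulses[0][1]) != SHORT or _classify(pulses[1][1]) != SYNC_GAP:
        raise ValueError("no valid sync")
    body = pulses[2:]
    if len(body) % 2:
        raise ValueError("truncated frame")
    bits = []
    for (hi_lvl, hi_us), (lo_lvl, lo_us) in zip(body[::2], body[1::2]):
        if (hi_lvl, lo_lvl) != (1, 0):
            raise ValueError("expected a high/low pulse pair")
        pair = (_classify(hi_us), _classify(lo_us))
        if pair == (LONG, SHORT):
            bits.append("1")
        elif pair == (SHORT, LONG):
            bits.append("0")
        else:
            raise ValueError("invalid bit timing %r" % (pair,))
    return "".join(bits)


def single_bit_flips(bits: str) -> List[str]:
    """Every frame one bit away from the original (cheap fuzzing neighbourhood)."""
    return [bits[:i] + ("0" if bits[i] == "1" else "1") + bits[i + 1:]
            for i in range(len(bits))]


def enumerate_field(bits: str, start: int, end: int) -> List[str]:
    """All values of bits[start:end] with the rest fixed, e.g. a 4-bit button field."""
    width = end - start
    return [bits[:start] + format(v, "0%db" % width) + bits[end:]
            for v in range(1 << width)]


# Constructed capture: a transmitter's frame stretched 15% by receiver timing error.
CAPTURED = [(lvl, int(us * 1.15)) for lvl, us in encode("101100110010101011110001")]

if __name__ == "__main__":
    code = decode(CAPTURED)
    print("decoded:", code)
    print("replay pulses:", len(encode(code)))
    print("button-field variants:", enumerate_field(code, 20, 24))
```

Feeding `encode(...)` to a transmitter is the replay; `enumerate_field` is the shape of a fuzz run against a fixed-code receiver where the last few bits select the button, and `single_bit_flips` is the first thing to try when the protocol layout is unknown. The tolerance is the part that decides whether a Flipper-style capture or a cheap SDR recording decodes at all.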

Cyber Risk Quantification – Pitfalls and Fixes

7:00 PM - 7:45 PM Main Hall

Want to know which attack your organization is most likely to experience? This crash course in risk quantification will open your eyes to the fast path of forecasting. Fully functional models and training materials available FREE.

Deception inception is met with hilarious reception

3:20 PM - 4:05 PM Main Hall

Breaches continue happening at unprecedented levels with huge financial impact to the global economy year after year. Our traditional approach to breach detection that is focused on triaging alerts generated by massive amounts of data from disparate sources is not working. Adversaries know this fact and regularly benefit from it. The average breach goes unnoticed for 212 days. That’s an ample amount of time for anyone to surreptitiously run off with the crown jewels and inflict significant damage with ramifications that include consumer privacy violations, loss of trust, steep financial penalties, and irreversible reputational damage. We need a new approach if we’re ever going to stop the madness. Hackers also deserve a better opponent. This talk discusses a different way of thinking about breach detection that is intended to reduce the number of false positives, improve alert fidelity, reduce time-to-detection, and prevent the massive level of burnout affecting our industry. We will cover the history of breach detection, the current state of affairs, the paradigm shift to new ways of thinking about the problem, practical examples of how to deploy effective breach detection technology, and the results of a red team campaign against a heavily layered network of deception inception.

eBPF: The Double-Edged Sword of Linux Security and Malware

6:05 PM - 6:50 PM Main Hall

Extended Berkeley Packet Filter (eBPF) has emerged as a powerful tool in the Linux kernel, enabling developers to write custom programs that can be loaded into the kernel at runtime. While eBPF offers tremendous potential for enhancing system performance, monitoring, and security, it also presents a significant risk when misused for malicious purposes. In this talk, we will explore the dual nature of eBPF and its implications for Linux security and malware development.

We’ll begin by discussing the legitimate uses of eBPF, such as creating efficient network filters, tracing and profiling applications, and implementing security policies at the kernel level. We’ll examine real-world examples of how eBPF is being leveraged to enhance system visibility, detect threats, and enforce access controls.

However, we’ll also delve into the darker side of eBPF and its potential for abuse. We’ll demonstrate how attackers can exploit eBPF to develop sophisticated rootkits that operate at the kernel level, making them extremely difficult to detect and remove. We’ll analyze the techniques used to inject malicious eBPF programs into the kernel, hijack system calls, and establish persistence on compromised systems. Furthermore, we’ll discuss the challenges and limitations of traditional security solutions when faced with eBPF-based malware. We’ll highlight the need for advanced detection mechanisms and the importance of monitoring eBPF programs loaded into the kernel.

Throughout the talk, we’ll provide practical examples, live demonstrations, and code snippets to illustrate the concepts discussed. We’ll also explore potential mitigations and best practices for securing systems against eBPF-based threats. Attendees will gain a deep understanding of eBPF’s role in Linux security and malware development. They’ll learn how to leverage eBPF for legitimate purposes while also being aware of its potential for abuse. We’ll empower attendees with the knowledge and tools necessary to detect, analyze, and defend against eBPF-based malware. Whether you’re a security researcher, system administrator, or malware analyst, this talk will provide valuable insights into the complex landscape of eBPF and its implications for Linux security. Join us as we explore the double-edged sword of eBPF and arm ourselves with the knowledge to wield it responsibly.
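
On the "monitoring eBPF programs loaded into the kernel" point, an added example that is not from the talk: the script triages the JSON that `bpftool prog show -j` emits and flags hook-type programs (kprobe, tracepoint, tracing, LSM) that were loaded by something other than the tracing tools you expect, or that no live process holds any more, which is what a loader that pinned its program in bpffs and exited looks like. The field names (id, type, name, tag, loaded_at, uid, pids[].comm) are bpftool's; the records and the allow-list are constructed for this example.

```python
# Added example (not from the talk): triage the JSON from `bpftool prog show -j`
# and flag loaded BPF programs that look like hooks planted by something other
# than the tracing tools you expect. The field names (id, type, name, tag,
# loaded_at, uid, pids[].comm) are bpftool's; the records and the allow-lists
# below are constructed for this example.
import json
import sys
from typing import Dict, List

# Tooling expected to own kprobe/tracepoint programs on this fleet (assumption).
KNOWN_TRACERS = {"bpftrace", "falco", "tetragon", "systemd", "ebpf_exporter"}

# Program types that can observe or tamper with syscalls and kernel functions.
HOOK_TYPES = {"kprobe", "tracepoint", "raw_tracepoint", "tracing", "lsm"}

# Hook targets favoured by BPF rootkits: hiding files/processes, tampering with I/O.
TAMPER_HINTS = ("getdents", "openat", "kill", "tcp4_seq_show", "execve", "read", "write")

SAMPLE_BPFTOOL_JSON = json.dumps([
    {"id": 12, "type": "cgroup_skb", "name": "sd_fw_egress", "tag": "6deef7357e7b4530",
     "loaded_at": 1710000000, "uid": 0, "pids": [{"pid": 1, "comm": "systemd"}]},
    {"id": 88, "type": "kprobe", "name": "trace_open", "tag": "0f3a6a2b1c9d8e77",
     "loaded_at": 1710001000, "uid": 0, "pids": [{"pid": 4211, "comm": "bpftrace"}]},
    # Nobody holds this one open: the loader pinned it in bpffs and exited.
    {"id": 140, "type": "kprobe", "name": "do_sys_openat2", "tag": "ab12cd34ef56ab78",
     "loaded_at": 1710002000, "uid": 0, "pids": []},
    # Loaded by a process whose comm masquerades as a kernel thread.
    {"id": 141, "type": "tracepoint", "name": "hide_getdents64", "tag": "77aa11bb22cc33dd",
     "loaded_at": 1710002001, "uid": 0, "pids": [{"pid": 9001, "comm": "kworker/u2:1"}]},
])


def find_suspicious(progs: List[Dict]) -> List[Dict]:
    """Return [{id, name, type, reasons}] for hook-type programs that break expectations."""
    findings = []
    for p in progs:
        if p.get("type") not in HOOK_TYPES:
            continue                      # XDP/cgroup/sched programs: out of scope here
        reasons = []
        comms = {h.get("comm", "") for h in p.get("pids", [])}
        if not comms:
            reasons.append("no live process holds the program (pinned or orphaned)")
        elif not comms & KNOWN_TRACERS:
            reasons.append("loaded by unexpected process(es): %s" % sorted(comms))
        name = p.get("name", "")
        if reasons and any(h in name for h in TAMPER_HINTS):
            reasons.append("hooks a syscall/function commonly used for hiding (%s)" % name)
        if reasons:
            findings.append({"id": p["id"], "name": name, "type": p["type"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Pipe real output in:  bpftool prog show -j | python3 bpf_triage.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BPFTOOL_JSON
    for f in find_suspicious(json.loads(raw)):
        print("prog %(id)d %(type)s %(name)s" % f)
        for r in f["reasons"]:
            print("   -", r)
```

Two caveats a practitioner would add: `bpftool` itself uses the bpf() syscall to enumerate programs, so a rootkit that has hooked that path can filter its own entries out of the listing, and the allow-list only works if you actually know which tracers run on the host. Pair the listing with `bpftool link list`, a walk of /sys/fs/bpf for pinned objects, and audit logging of the bpf() syscall so that a load event is recorded even if the program later hides.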

Ek47 – Payload Encryption with Environmental Keys

7:55 PM - 8:40 PM Main Hall

Ek47 is a payload encryptor that leverages user-selected environmental keys associated with a target execution context. In the absence of these environmental keys, Ek47 payloads will not decrypt and execute. This creates a strong resistance to automated/manual analysis and reverse engineering of payloads. Ek47 supports many different environmental keys such as current user, domain, computer name, installed programs, and more. Additionally, Ek47 supports packing payloads of .NET assemblies, unmanaged DLLs, and raw shellcode. Ek47 payloads are themselves .NET assemblies and can be uploaded to disk or executed reflectively via any execute-assembly method. By default, a standard AMSI/ETW bypass is executed before the main payload is executed, but Ek47 makes it easy to add custom bypasses for more advanced evasion functionality. Additional features are provided such as entropy management, PE header stomping, and a variety of payload output formats.
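
The principle behind environmental keying, as an added standard-library example that is not Ek47's code: the key is derived from values that exist only on the intended target (hostname, user and domain are the assumed selection), so the packed blob carries no key an analyst could lift from it, and in a sandbox or on an analyst's machine the tag check fails and nothing is decrypted. The cipher (HMAC-SHA256 keystream plus HMAC tag), the PBKDF2 parameters and the sample target values are this example's choices.

```python
# Added example (not Ek47's code): the principle behind environmental keying,
# with the standard library only. The key is derived from values that exist on
# the intended target (hostname, user, domain are the assumed selection), so the
# blob carries no key an analyst could lift from it; the cipher (HMAC-SHA256
# keystream plus HMAC tag) and the PBKDF2 parameters are this example's choices.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000   # slows offline guessing of low-entropy environment values


def environment_material(hostname: str, username: str, domain: str) -> bytes:
    """Canonicalise the chosen environmental keys so case/whitespace cannot break decryption."""
    return "|".join(s.strip().lower() for s in (hostname, username, domain)).encode()


def local_material() -> bytes:
    """Collect the same values on the running host (Windows env var name assumed)."""
    import getpass
    import socket
    return environment_material(
        socket.gethostname(), getpass.getuser(), os.environ.get("USERDNSDOMAIN", ""))


def _derive(material: bytes, salt: bytes):
    key = hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS, dklen=64)
    return key[:32], key[32:]          # encryption key, MAC key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(payload: bytes, material: bytes) -> bytes:
    """Blob layout: salt(16) || nonce(16) || tag(32) || ciphertext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive(material, salt)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(enc_key, nonce, len(payload))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag + ct


def unseal(blob: bytes, material: bytes) -> Optional[bytes]:
    """Payload bytes, or None when the environment (or the blob) is wrong."""
    if len(blob) < 64:
        return None
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = _derive(material, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                    # wrong host/user/domain: nothing is executed
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    target = environment_material("WS-FIN-07", "jdoe", "corp.example")   # constructed target
    blob = seal(b"<payload bytes would go here>", target)
    print("on target:", unseal(blob, target))
    print("in sandbox:", unseal(blob, environment_material("SANDBOX-01", "user", "")))
```

The caveat for both sides: hostnames, usernames and domains are low-entropy, so the key derivation only slows a guessing attack rather than preventing it, and an incident responder who recovered the sample from the host already has every value it needs. The resistance is against automated sandboxes and analysts working from the file alone, which is the scenario the abstract describes.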

Encrypting Your Infrastructure Without Getting Fired

2:25 PM - 3:10 PM Main Hall

As we push things like Kubernetes clusters to edge installations for reduced latency and increased availability, how protected are they against crowbar theft? Encrypting their disks reduces these risks, but then you discover corner cases in production where your servers aren’t automatically decrypting, and you’ve effectively DoSed yourself. Oops. We’ll explore an alternative with network-based decryption without escrow or proprietary hardware using the Open Source Linux tools Tang and Clevis.

Leveling Up Password Cracking

2:25 PM - 3:10 PM Second Room

In this session I’ll show you how I turned Radford University’s Esports Center into a password-cracking supercomputer. I’ll also tell you what I learned about password security, better ways to handle authentication, and tips for choosing and storing passwords if you must use them.

Modifying Impacket for Better OpSec

7:00 PM - 9:35 PM Main Hall

Operational security (OpSec) is a cornerstone in red teaming, necessitating continuous refinement of tools and techniques to avoid detection. This workshop is designed for penetration testers, aspiring red teamers, and individuals seeking to enhance their offensive capabilities. It focuses on customizing the Impacket toolset to improve OpSec during engagements. Impacket tools such as wmiexec, smbexec, and secretsdump are staples in the toolkit of any red teamer due to their versatility and flexibility in Windows environments. However, their detectability has increased as defensive measures have become more sophisticated. This session proposes modifications to these tools to avoid default IOCs and detections. Participants will explore various customization strategies, including changing default settings, altering network signatures, and integrating stealthier execution methods. Practical exercises will guide attendees through the process of modifying the Impacket scripts, demonstrating how these changes can significantly enhance operational security in simulated environments. Attendees will gain hands-on experience modifying the Impacket tool set to remove common IOCs. The workshop aims to foster a deeper understanding of both the tools and the underlying network protocols, enabling participants to tailor their approaches to specific operational contexts and defensive landscapes.
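
The other side of the same coin, as an added example that is not part of the workshop: detection logic for the default artefacts unmodified wmiexec.py and smbexec.py leave behind, which are the IOCs the workshop teaches you to change. The patterns encode widely documented Impacket defaults (wmiexec's `1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1` output redirect under WmiPrvSE.exe, smbexec's BTOBTO service name and %TEMP%\execute.bat batch file); the event records are constructed to resemble Sysmon Event 1 and System Event 7045, and the "modified wmiexec" record shows why a behavioural rule still fires after the strings are changed.

```python
# Added example (not from the workshop): detection logic for the default artefacts
# that unmodified Impacket wmiexec.py and smbexec.py leave behind. The patterns
# encode widely documented defaults (wmiexec's "1> \\127.0.0.1\ADMIN$\__<ts> 2>&1"
# redirect, smbexec's BTOBTO service and %TEMP%\execute.bat); the event records
# are constructed to resemble Sysmon Event 1 and System Event 7045.
import re
from typing import Dict, List, Set

WMIEXEC_REDIRECT = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(?:\.\d+)?\s+2>&1", re.I)
SMBEXEC_SERVICE_NAME = "BTOBTO"
SMBEXEC_BATCH = re.compile(r"%TEMP%\\execute\.bat", re.I)
SMBEXEC_OUTPUT = re.compile(r"\\\\127\.0\.0\.1\\C\$\\__output", re.I)

SAMPLE_EVENTS: List[Dict] = [
    # 0: stock wmiexec
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1712345678.91 2>&1"},
    # 1: wmiexec after an operator changed the output file name and share path
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\C$\Windows\Temp\svc.log 2>&1"},
    # 2: benign interactive shell
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c dir"},
    # 3: stock smbexec service install
    {"EventID": 7045, "ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    # 4: benign service install
    {"EventID": 7045, "ServiceName": "Sysmon64", "ImagePath": r"C:\Windows\Sysmon64.exe"},
]


def match_event(ev: Dict) -> Set[str]:
    """Names of the rules an event trips; an empty set means nothing of interest."""
    hits = set()
    if ev.get("EventID") == 1:
        cmd = ev.get("CommandLine", "")
        parent = ev.get("ParentImage", "").lower()
        if WMIEXEC_REDIRECT.search(cmd):
            hits.add("wmiexec-default-output")            # brittle string IOC
        if parent.endswith(r"\wmiprvse.exe") and re.search(r"cmd\.exe\s+/q\s+/c", cmd, re.I):
            hits.add("wmiprvse-spawns-cmd")               # survives renamed output files
    elif ev.get("EventID") == 7045:
        path = ev.get("ImagePath", "")
        if ev.get("ServiceName") == SMBEXEC_SERVICE_NAME:
            hits.add("smbexec-default-service")
        if SMBEXEC_BATCH.search(path) or SMBEXEC_OUTPUT.search(path):
            hits.add("smbexec-default-batch")
        if "%COMSPEC%" in path.upper() and "echo" in path.lower():
            hits.add("service-runs-comspec-echo")         # behavioural: service is a cmd one-liner
    return hits


def scan(events: List[Dict]) -> List[Set[str]]:
    return [match_event(e) for e in events]


if __name__ == "__main__":
    for i, hits in enumerate(scan(SAMPLE_EVENTS)):
        print(i, sorted(hits) or "-")
```

Record 1 is the lesson: renaming the output file defeats `wmiexec-default-output`, but WmiPrvSE.exe spawning `cmd.exe /Q /c` with output redirected to a loopback UNC path is still the behaviour of the technique, so an operator who only edits strings has not bought much against a defender with process-tree telemetry.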

Post Quantum Cryptography: A Mundane-12 Powerball Dot Upgrade to Your Entire Life and Everything!

8:50 PM - 9:35 PM Main Hall

Quantum computing, driven by AI, will take over the world. You’ll lose your job, your privacy, your freedom, even your life. How??? MAGIC. LITERAL MAGIC. Your situation is hopeless. You can’t fight magic! UNTIL NOW. Introducing: post-quantum cryptography! If you thought your typical gold-level cryptography was effective, get ready to blow right past platinum and quantum levels straight to POST-QUANTUM level. This stuff is literally the “Expelliarmus” to quantum computing’s “Avada Kedavra.” In this thrilling talk, we will discuss quantum mechanics (magic), quantum computing (also magic), and how to fight these evil tools of government conspirators with the maximum 1000XP top-quality get-it-while-supplies-last post-quantum cryptography! …or maybe, in the spirit of Craig Martell, we will reveal how overhyped and mundane this highly-specialized computing system is, and then look into some of the interesting algorithms being developed to resist these efficient password-cracking machines. …but which talk will you receive??? YOU’LL HAVE TO SHOW UP TO FIND OUT!

Taking over Enterprise Networks via Microsoft SCCM

5:10 PM - 5:55 PM Main Hall

This presentation should be a gold mine for both attackers and defenders. Defenders will learn how to mitigate trivial privilege escalation paths in their enterprise networks and attackers will add new tricks up their sleeves for penetration tests.

The More It Changes, the More It Stays the Same

5:10 PM - 5:55 PM Main Hall

The infosec industry hasn’t done very much to eliminate the root causes of cyber attacks. This talk reviews the types of cyber attacks seen over the past 30 years and how the same vectors that worked back then are still effective in 2024. Cybersecurity is a multi-billion-dollar industry. Why haven’t we been able to mitigate the root causes of cyber attacks? We’ll end with a few suggestions for addressing some of these root causes.

Trailblazing through Data: A Jupyter Anomaly Quest

6:05 PM - 6:50 PM Second Room

This talk will introduce ready-to-use Jupyter Notebooks for large-scale threat hunting in a production environment. Rather than looking at terabytes of data in a traditional tabular format, we will explore the effectiveness of visualizations, emphasizing graphs, to identify and investigate outliers. The primary area of focus will be anomaly detection applied to a substantial volume of data to generate alerts for the SOC based on Windows Sysmon endpoint logs and Zeek/Suricata flow logs.
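
One hunt a notebook like this would run, as an added standard-library example that is not the talk's notebook: robust outlier detection (median/MAD modified z-score) on per-host egress bytes computed from Zeek conn logs in JSON form. The log lines are constructed; the key names (ts, id.orig_h, id.resp_h, id.resp_p, orig_bytes) are Zeek's conn.log fields, and the internal address ranges are an assumption.

```python
# Added example (not from the talk): a stdlib-only version of one hunt a notebook
# like this would run, robust outlier detection (median/MAD modified z-score) on
# per-host egress bytes from Zeek conn logs in JSON form. The log lines are
# constructed; the key names (ts, id.orig_h, id.resp_h, id.resp_p, orig_bytes)
# are Zeek's conn.log field names. Internal ranges are an assumption.
import ipaddress
import json
import statistics
from collections import defaultdict
from typing import Dict, Iterable, List

INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
THRESHOLD = 3.5   # Iglewicz-Hoaglin cutoff for the modified z-score


def _rec(ts, src, dst, port, obytes):
    return json.dumps({"ts": ts, "id.orig_h": src, "id.resp_h": dst, "id.resp_p": port,
                       "proto": "tcp", "orig_bytes": obytes, "resp_bytes": 4096})


SAMPLE_CONN_LOG = "\n".join([
    _rec(1710000001.2, "10.0.0.1", "93.184.216.34", 443, 7000),
    _rec(1710000002.4, "10.0.0.1", "93.184.216.34", 443, 5000),
    _rec(1710000003.1, "10.0.0.2", "198.51.100.7", 443, 18000),
    _rec(1710000004.0, "10.0.0.3", "198.51.100.7", 443, 9500),
    _rec(1710000004.5, "10.0.0.3", "10.0.0.50", 445, 80_000_000),   # big, but an internal file share
    _rec(1710000005.3, "10.0.0.4", "93.184.216.34", 443, 22000),
    _rec(1710000006.1, "10.0.0.5", "198.51.100.7", 80, 15000),
    _rec(1710000007.7, "10.0.0.6", "93.184.216.34", 443, 13000),
    _rec(1710000008.2, "10.0.0.7", "203.0.113.9", 443, 50_000_000),  # the one we want to see
    _rec(1710000009.9, "10.0.0.7", "203.0.113.9", 443, 2_000_000),
    _rec(1710000010.4, "10.0.0.8", "198.51.100.7", 443, 17000),
    _rec(1710000011.0, "10.0.0.9", "93.184.216.34", 443, 11000),
])


def parse_conn_log(text: str) -> List[Dict]:
    """One dict per non-empty line; Zeek's JSON writer emits one object per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def egress_bytes_by_host(records: Iterable[Dict]) -> Dict[str, int]:
    """Bytes each internal host sent to non-internal destinations."""
    totals = defaultdict(int)
    for r in records:
        src, dst = r.get("id.orig_h"), r.get("id.resp_h")
        if not src or not dst or not is_internal(src) or is_internal(dst):
            continue
        totals[src] += int(r.get("orig_bytes") or 0)   # Zeek may leave orig_bytes null
    return dict(totals)


def modified_z(values: Dict[str, int]) -> Dict[str, float]:
    """0.6745 * (x - median) / MAD; robust to the very outliers we are hunting for."""
    xs = list(values.values())
    if len(xs) < 3:
        return {}
    med = statistics.median(xs)
    mad = statistics.median(abs(x - med) for x in xs)
    if mad == 0:
        return {}           # degenerate (all equal): nothing can be called an outlier
    return {h: 0.6745 * (x - med) / mad for h, x in values.items()}


def egress_outliers(records: Iterable[Dict], threshold: float = THRESHOLD) -> List[Dict]:
    totals = egress_bytes_by_host(records)
    scores = modified_z(totals)
    flagged = [{"host": h, "egress_bytes": totals[h], "robust_z": round(z, 1)}
               for h, z in scores.items() if z > threshold]
    return sorted(flagged, key=lambda f: -f["robust_z"])


if __name__ == "__main__":
    for f in egress_outliers(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f)
```

Median and MAD are used instead of mean and standard deviation because a single exfiltration-sized host would otherwise drag the mean up and inflate the deviation enough to hide itself. In a notebook this per-host table is what you would plot, with the flagged hosts highlighted, before pivoting into the Sysmon process data for the same host and time window.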