This is a guest post by Antonios Atlasis.
This week I had the pleasure to attend BruCON 2014. While participating in the BruCON 5×5 program, I also had the chance to attend this well-known European con, which is held in the beautiful city of Ghent.
The main event took place over two days (25 and 26 September), while some very interesting trainings were given on the previous days. There was mainly one track, plus some workshops that you could also attend if you wished; you could book a seat at a workshop using an on-line scheduling system.
The first talk after the keynote speech was “Investigating PowerShell Attacks”, given by Matt Hastings and Ryan Kazanciyan. PowerShell can do almost anything, not only from an administrative perspective but from an attacker’s too. There are many PowerShell attack frameworks, with PowerSploit being the most popular one, and hence it has become almost mandatory for intrusion and forensic analysts to be able to trace such attacks through memory analysis. Among other things, they presented examples and hints on what to look for. A really informative technical talk.
Aaron LeMasters presented “Windows Crash Dump Exploration”. During his talk he gave an interesting, in-depth explanation of the inner workings of crash dumps in Windows, up to the latest Windows 8.1. He also revealed that the crash dump mechanism is now used by Microsoft for purposes other than the original one, which, however, can be abused by attackers for malicious purposes (what a surprise 🙂).
Then I participated in the FakeNet 2 workshop, “Counterfeiting the pipes with FakeNet 2.0”, presented by Michael Sikorski. During his workshop Michael released the latest version of the FakeNet tool, which incorporates several enhancements; the most notable is its integration with a just-in-time debugger, such as OllyDbg, triggered when the malware establishes a connection. A really useful feature, which we had the chance to try during the CTF challenge he gave us.
Finally, the last talk of the first day was “One Packer to Rule Them All”, by Arne Swinnen and Alaedine Mesbahi. These guys, after summarising some known packing techniques, including reflective DLL injection, stub injection and the resource packing method, talked about code emulation and dynamic detection. Then they presented the results of the packer they developed, which achieves 100% evasion of antivirus systems (well done, guys!).
The second day started with another keynote speech, this time by Adam Shostack, who talked about ten plus three traps that people may encounter when building their own threat model. After that, however, I had to switch to the 5×5 track, simply because I was part of it and was presenting my project, Chiron (more on this in a forthcoming blog post). Of the other projects, I really liked the Cisco IOS memory forensics project (called Network Device Forensics) by Xavier Mertens and Didier Stevens, and the concept of the Conpot project by Daniel Haslinger, Lukas Rist and Johny Vestergaard, who presented a honeypot for Industrial Control Systems. The other two projects were very interesting too: OWTF (Offensive Web Testing Framework) by Alessandro Gonzalez, Marios Kourtesis and Machiraju, and the WPScan Vulnerability Database by Ryan Dewhurst.
Finally, the last talk of BruCON was “Stealing a Mobile Identity Using Wormholes” by Markus Vervier, who explained how one can access and abuse the SIM card of an Android phone; yet another informative talk.
I left BruCON and Ghent with a very warm impression: friendly organisers, a pure con atmosphere (including a “Wall of …Shame”) and informative talks. And …b33r, of course 🙂