Troopers15 – 5th Round of Talks Selected

Happy new year and all the best for 2015 to everybody!
Here’s the next round of Troopers15 talks (all the others can be found here):


Marion Marschalek & Moti Joseph: The Wallstreet of Windows Binaries        FIRST TIME MATERIAL

Synopsis: Nowadays common ways to find exploitable vulnerabilities include but are not limited to fuzzing, static and dynamic analysis and patch reversing. All common approaches have advantages and limits. Fuzzers tend to only find a limited number of bugs, depending on the sophistication of the fuzzer which is indirectly dependent on the development time invested. Reverse engineering a binary for finding bugs, regardless whether statically or with a debugger, is tedious and requires a lot of time and expertise.
As we are lazy bastards, we refuse to do all the work by hand and brain. And, as we are greedy bastards, we want a maximum scope of vulnerabilities we can cover and not be limited to what we see from a fuzzers perspective.
So as you know – in general the lazy greedy bastards have the better ideas. We present you with our idea, which is built after the model of the Wallstreet. We built a tool which weighs the value of a function in a Windows binary as the Wallstreet values a stock; the value telling us the likability of a function to be exploitable.
The Wallstreet technique works with two different evaluation methods, for once the likability that a function is vulnerable and also the likability that it is exploitable.
We collect indicators, which help us evaluate that a specific function is potentially vulnerable. Such could be a present memory allocation or conversion function, a lacking sanitization check or a suspicious pattern in the functionname such as ‘create’, ‘convert’ or ‘set’. A combination of these and a handful more indicators lets us calculate what we call the speculation value.
For the validation of the exploitability we traverse the call tree of a suspicious candidate, to verify its accessibility in an automated way. Only functions which we can influence as an attacker are interesting for us; thus we rate these accessible functions with a price-to-earnings value. Finally putting speculation value and price-to-earnings value in context, we evaluate a function with either ‘buy’ if we believe it comes with an exploitable vulnerability, or with ‘sell’ when we are certain it is not interesting to us. No worries, the presentation will not contain advanced mathematical equations.
Our tool parses binaries and persists all the gathered information to a database, from where we can retrieve highly suspicious functions in an automated way. Without getting our hands dirty, that is. And because we are lazy bastards who like colors, a lot, we use visuals to make evaluation even easier. The tool is dubbed Wallstreet, free after the most famous stock market on the planet. It is based on Python, C and SQLite and will be released under the WTFPL license ( Also, there will be demos 😀
Wrapping it up, this presentation shows an easy to use approach which makes the complicated topic of binary exploitation more accessible. Wallstreet of Windows Binaries provides beginners with better understanding of the challenges and practitioners with a hands-on tool.

Marion is malware reverse engineer. Some say she also does marketing, but at the time of writing she could not be reached to further comment on that. At daytime she hunts malware for Cyphort Inc., at nighttime she hunts rabbits. Two years ago Marion won Halvar Flake’s reverse engineering challenge for females, since then she set out to rock and roll the industry. She practices martial arts and has a vivid passion to take things apart. Preferably, other people’s things.

Marion’s recent publications include:
EvilBunny: Suspect #4 [November 2014]
Not old enough to be forgotten: the new chic of Visual Basic 6 [Virus Bulletin, July 2014]
Analysis Report Trojan-Downloader.Win32.Upatre [February 2014]

Moti Joseph has been involved in computer security. In the last few years he has been working on reverse engineering exploit code and developing security products. Moti has been speaking at Black Hat Las Vegas 2007, CONF2009 & CONF2010 in Poland, POC 2009 & 2010 in South Korea, ShakaCon 2009 in USA, CHINA 2011 at Shanghai Jiao Tong University, NopCON 2012 in Istanbul and SysCan2010 Taiwan, Taipe.
Also, Moti’s work is so secret, he never publishes anything.

At Troopers14 they presented “What Happens In Windows 7 Stays In Windows 7“.

Innovation Aspects

Automation is crucial in security research, as much as data analysis is crucial for process automation. The Wallstreet Of Windows Binaries is a follow-up project to a tool named DiffRay, which we started in 2013. DiffRay was successful, but required a lot of work to be done manually and also a lot of expertise and dedicated time for evaluation of results. The Wallstreet tool aims to cover a much broader scope of vulnerabilities with less manual effort. We believe, by providing tools for the community and our findings and insights we empower a greater collective understanding of the subject.

Martijn Grooten: The State of Email in 2015        FIRST TIME MATERIAL

Synopsis: Back in the early 1980s, when email was invented, the Internet population was many orders of magnitude smaller than four million. The small group of people that used the Internet knew each other and they adhered to this thing called ‘netiquette’, so they wouldn’t send each other unwanted emails. They definitely wouldn’t read each other’s emails, even if they could.
That 1980s Internet has changed beyond recognition in the three decades since. But email is still more or less the same. In this presentation we will look at the state of email in 2015. Does spam show that email is broken? Do the Snowden revelations show that it is? Or will the migration towards IPv6 break it? And what is being done to fix these issues?

Bio: Martijn Grooten is Editor of Virus Bulletin. A mathematician turned security researcher, he has been running comparative tests on spam filters for six years. He has a broad interest in security and has spoken on various topics at a number of conferences. He holds a number of regularly changing opinions.

Antonios Atlasis, Enno Rey & Jayson Salazar: MLD Considered Harmful – Breaking Another IPv6 Subprotocol              IPv6 Security Summit

Synopsis: Multicast Listener Discovery (MLD) and its successor, MLDv2, is a protocol of the IPv6 suite used by IPv6 routers for discovering multicast listeners on a directly attached link,
much like IGMP is used in IPv4. Most of the modern Operating Systems (OS), like Windows, Linux and FreeBSD, not only come pre-configured with IPv6 enabled, but they also start-up by
sending MLDv2 traffic, which is repeated periodically. Despite of the out-of-the-box usage of MLDv2, it is one of the IPv6 protocols that have not be studied yet to a suitable extent,
especially as far as its potential security implications are concerned. These ones can vary from OS fingerprinting on the local-link by sniffing the wire passively, to amplified DoS
attacks. In this presentation, we will first study and analyse the default behaviour of some of the most popular OS. During this study, we will examine whether the specific OS
implementations conform to the security measures defined by the corresponding RFCs, and if not, what are the potential security implications. Then, by diving into the specifications of the
protocol, we will discuss potential security issues related with the design of MLD and how they can be exploited by attackers. Finally, specific security mitigation techniques will be
proposed to defend against them, which will allow us to to secure IPv6 networks to the best possible extent in the emerging IPv6 era. There will be demos and a tool release. 😉
This is an updated version of our DeepSec talk.


Antonios Atlasis (MPhil, PhD) has been an IT engineer for more than 20 years, developer and instructor in several Computer Science and Computer Security related fields. The last decade he
has specialised in IT Security, working mainly as a penetration tester, incident handler and intrusion analyst. His latest security researches focuses on IPv6 and some of his work has been
presented at BlackHat Europe 2012, BlackHat Abu Dhabi 2012, at the IPv6 Security Summit of Troopers13 and at Troopers14. He is the author of Chiron and regularly contributes to the Insinuator IPv6 Blog.

Enno Rey is a long-term network security geek who loves to explore devices & protocols, and to break flawed ones. He has been involved with IPv6 since 1999.

Jayson Salazar currently works as a penetration tester at ERNW GmbH. The focus of his work lies mostly in the areas of application and network security, at the moment especially IPv6. In
addition to security trainings, he actively takes part in security assesments of network infrastructures and web applications in enterprise environments.

Paul Coggin: Defending the Enterprise Against Network Infrastructure Threats

Synopsis: Learn about network attack vectors that an adversary can use to control, and influence network traffic flows and exfiltrate data by exploiting network devices and protocols in enterprise or service provider networks. Defensive methods and techniques for monitoring and protecting against the outlined attack vectors will be discussed. This presentation explores advanced methods and techniques that the CISO, network and security architects and security auditors need to understand about network infrastructure and protocols. Understand how routing infrastructure can be compromised to enable sophisticated pivoting and exfiltration of data. Know how to analyze often over looked network trust relationships, integration, dependencies and interdependencies in the enterprise and service provider network architecture. Review the architecture and operations for border gateway protocol (BGP) services with references to the recent BGP prefix hijacking attacks. The discussion will cover how Multi-protocol Label Switch (MPLS) networks may be attacked without the Enterprise being aware of the event. Strategies for monitoring and securing enterprise networks including BGP and MPLS against the threats vectors presented will be discussed.

Bio: Paul Coggin is a Senior Principal Cyber Security Analyst with Dynetics, Inc in Huntsville, Alabama. Paul is responsible for architecting and securing large complex tactical, critical infrastructure and service provider networks as well as teaching networking and security courses. Paul is a Cisco Systems Certified Instructor # 32230, Certified EC-Council Instructor and a certified SCADA security architect. He has a BS in Mathematics, an MS in Computer Information Systems, an MS in Information Assurance and Security and he is currently pursuing an MS in Systems Management.

Ertunga Arsal: SAP, Credit Cards and the Bird that Talks Too Much                SAP Security Track

Synopsis: SAP applications build the business backbone of the largest organizations in the world. In this presentation, exploits will be shown manipulating a business process to extract money, critical payment information, and credit card data out of the business backbone. Follow the bird and enjoy tweets of data that will interest you.

Bio: Ertunga Arsal is the founder of ESNC, a company specialized in SAP security products. ESNC developed the first product to automate the complete security and patching process for SAP. Previously, he worked with Tech Data (Nasdaq:TECD) for many years as a security consultant and was responsible for SAP and applications security of the EMEA region. Being part of the incident response team, he commonly took the lead on numerous investigations. Ertunga is an active security researcher and alone in 2013, SAP has released more than 75 security patches for the vulnerabilities he reported. Ertunga also lectures on Systems and Network Security at Sabanci University for postgraduates.

Patrick Thomas: Multipath TCP Breaking Today’s Networks with Tomorrow’s Protocols

Synopsis: MultiPath TCP (MPTCP) is an extension to TCP that enables sessions to use multiple network endpoints and multiple network paths at the same time, and to change addresses in the middle of a connection. MPTCP works transparently over most existing network infrastructure, yet very few security and network management tools can correctly interpret MPTCP streams. With MPTCP network security is changed: how do you secure traffic when you can’t see it all and when the endpoint addresses change in the middle of a connection?
This session shows you how MPTCP breaks assumptions about how TCP works, and how it can be used to evade security controls. We will also show tools and strategies for understanding and mitigating the risk of MPTCP-capable devices on a network.

Bio: Patrick Thomas is a recovering software developer turned penetration tester with Neohapsis (now Cisco). He works on offensive and defensive security tools, with an emphasis on web application security, web malware, and social engineering. He has previously spoken at Black Hat, DEFCON, SecTor, AppSec Cali, and others.


More talks to follow soon, so stay tuned ;-).

See you @Troopers & have a great weekend



Leave a Reply

Your email address will not be published. Required fields are marked *