As we come to the end of the year we can’t help but take a moment to thank all of you who made TROOPERS15 special! It just makes us all the more pumped to kick it up a notch for TROOPERS16!! #BestWeekEver
Happy Holidays and much Joy to you in the New Year!
Your TROOPERS Team
===
Aaron Zauner: BetterCrypto: three years in
FIRST TIME TROOPERS SPEAKER
The BetterCrypto Project started out in the fall of 2013 as a collaborative community effort by systems engineers, security engineers, developers and cryptographers to build up a sound set of recommendations for strong cryptography and privacy enhancing technologies catered towards the operations community in the face of overarching wiretapping and data-mining by nation-state actors. The project has since evolved with a lot of positive feedback from the open source and operations community in general, with input from various browser vendors, Linux distribution security teams and researchers.
This talk highlights three years of community collaboration on a 100+ page document that has been continuously evolving via mailing-list discussion and GitHub pull requests. We will provide a few metrics and see what kind of discussions were prevalent back when we started out.
We will review the novel attacks against TLS and other crypto protocols, as well as the leaked information on classified cryptanalysis, that have appeared over the last three years, and compare how our guide holds up against them.
While the project has been going on for three years, there’s regularly renewed interest as soon as new attacks or publications on quantum computers show up. The upkeep and continuous improvement of the project are paramount and every person we can get to help us with their expertise is an improvement for the document.
We will discuss further project development and ideas towards continuous integration and testing of the project’s recommended configurations as well as new threats on online privacy to be mitigated in the future.
Bio: I am self-employed and primarily do engineering work, consulting and research on IT Infrastructure Architecture, Operations & Development, High Performance Computing and Information Security. For more information visit lambda: resilient.systems.
In 2013 I joined the amazing BetterCrypto team in a collaborative effort to write a solid guide for sysadmins and management towards hardening of crypto settings in networked services and appliances.
I currently also work as a researcher at SBA-Research working on network security, applied cryptography, conducting Internet-wide surveys, attacking protocol implementations and proliferating cryptography.
===
Will Schroeder: I Have the Power(View): Offensive Active Directory with PowerShell
FIRST TIME TROOPERS SPEAKER
Active Directory has been covered from a system administration perspective for as long as it has existed. However, much less information exists on how adversaries abuse and backdoor AD, leaving many defenders blind to the attacks carried out in their own environment. This talk will cover Active Directory from an offensive perspective, illustrating ways that attackers move through Windows networks with ease. These actions are facilitated by PowerView, an advanced AD enumeration tool written by the presenter that allows for easy local administrator enumeration, domain trust hopping, user hunting, ACL auditing, and more. PowerView has dramatically changed the way many operate on red team operations, and has helped to “bridge the gap” and bring advanced tradecraft to even time-constrained engagements.
Bio: Will Schroeder (@harmj0y) is a researcher and red teamer in Veris Group’s Adaptive Threat Division. He actively participates in the public community and has spoken at several industry conferences including Shmoocon, Derbycon, and Defcon on topics spanning AV-evasion, red-teaming, domain trust abuse, offensive PowerShell, and more. He also helps develop/teach the Adaptive Red Team Tactics Blackhat training class, is a co-founder of the Veil-Framework, developed PowerView and PowerUp, is an active PowerSploit contributor, and is a co-founder/core developer of the PowerShell post-exploitation agent Empire. His technical blog is at http://blog.harmj0y.net/.
===
Joris van de Vis: An easy way into your multi-million dollar SAP systems: An unknown default SAP account
Fortunately, more and more SAP customers are starting to secure their business-critical SAP infrastructure after many SAP security presentations at conferences and other ways of raising awareness. Securing SAP systems is never an easy task, taking into account the complexity and wide variety of possible deployment scenarios for SAP systems.
However, you can secure the low-hanging fruit and prevent the easiest compromises by focusing on just a couple of vulnerabilities. One of the most obvious and simple precautions is to get rid of DEFAULT accounts. This is a simple task, as the list of default users and passwords was limited to only 5 accounts for a long time, but that has changed. Welcome to SAP default account number 6: the SMDAGENT user….
A total compromise of a SAP system will be demonstrated in this presentation. Combined with two other vulnerabilities found by our research, this default account is all it takes to get easy access to your multi-million dollar SAP systems.
Bio: Joris has extensive experience as a SAP Technical consultant and has a wide interest in everything “under the hood” of SAP systems. In addition to developing and working as a SAP Technical consultant, his main interest lies in the SAP Security domain. Next to helping businesses secure their SAP systems, Joris is also a SAP researcher and has reported over 40 vulnerabilities in SAP applications. He has 15 years of experience working for large Fortune 500 companies and has helped government departments with implementing and securing SAP landscapes. Joris is co-founder of ERP-SEC, a SAP security focused company based in the Netherlands.
Talks@TROOPERS:
- CTF challenge number 3 (AS ABAP) (2015)
===
Dmitry Chastuhin & Alexander Polyakov: Thanks SAP for the vulnerabilities. Exploiting the unexploitable
Bla-blah-blah SAP. Bla-blah-blah big companies. Bla-blah-blah hack multi-million dollar systems. This is how typical SAP Talks are started. But not this time. We are really missing hardcore exploitation stuff and unusual vulnerabilities, no matter where they are. Now it’s time for real HARDCORE!
In our presentation, we will tell (and show) how, by using a chain of minor vulnerabilities in different SAP services, we can take complete control of an affected system. Have you ever heard that a denial of service vulnerability can be used for remote command execution? No, we are not talking about memory corruption. It’s about how “unexploitable” denial of service vulnerabilities can be exploited together with some minor issues to attack a system in a way you have never imagined.
You’ll see the way from Anonymous to SAP_ALL, enjoy!
Bio: Dmitry is Director of security consulting at ERPScan. He works on SAP security, particularly on Web applications and JAVA, HANA and Mobile solutions. He has official acknowledgements from SAP for the vulnerabilities found. Dmitry is also a WEB 2.0 and social network security geek and bug bounty hunter who found several critical bugs in Google, Nokia, Badoo. He is a contributor to the EAS-SEC project. He has spoken at the following conferences: BlackHat, Hack in the Box, DeepSec, and BruCON.
Talks@TROOPERS:
- Injecting evil code in your SAP J2EE systems: Security of SAP Software Deployment Server (2014)
- Hacking Fortune 2000th CEO’s mobile: Security of SAP Mobile Infrastructure (2015)
Bio: Alexander Polyakov is the Founder of ERPScan, President of the EAS-SEC.org project, an accomplished R&D professional and Entrepreneur of the Year. He is an expert in security for business-critical software like ERP, CRM, SRM and industry-specific solutions. He has received due recognition for having published over 100 vulnerabilities, as well as multiple whitepapers, such as the annual award-winning “SAP Security in Figures”, surveys and a book devoted to information security research in SAP and Oracle. He has presented at more than 50 conferences in 20+ countries on all continents and held training sessions for the CISOs of Fortune 2000 companies, including SAP SE.
Talks@TROOPERS:
- Some notes on SAP security (2010)
- Injecting evil code in your SAP J2EE systems: Security of SAP Software Deployment Server (2014)
- Hacking Fortune 2000th CEO’s mobile: Security of SAP Mobile Infrastructure (2015)