Announcing the first 5 talks of TROOPERS18!!!!

TROOPERS17 was unlike any TROOPERS we had known before. Everything just seemed bolder, better, and beyond our expectations. From surprise speakers like the grugq (do you have a follow-up talk for #TR18 by the way?) to new speakers who are now TROOPERS family, TROOPERS17 is one for the history books!

If you were there you might be wondering to yourself, how could they possibly top it (and if you were not there check out this video from TR17)? Well, I am not going to lie, it will be a challenge. However, the high quality of talk and training submissions for this year have us feeling pretty positive about making #TR18 the “best year ever”!

With that being said I am happy to introduce the first official 5 talks of TROOPERS18!

Presenting at NGI: »Securing your in-ear fitness coach: Challenges in hardening next generation wearables« by Kavya Racharla & Sumanth Naropanth


Abstract: Wearable platforms today enable rich, next-generation experiences such as secure payments, specialized sports tracking and precise location monitoring. Data collection is only the first step for these products. The real “user experience” is often the result of a complex mesh of interactions between wearables, smartphones, cloud-hosted array of web applications and analytics software. Designing and validating security for such ecosystems, the kind of which never existed until a few years ago, demands brand-new lines of thinking and security best practices. Wearables live and operate on the human body, collecting a wealth of personal data. This gives rise to new challenges in storing such data securely and conforming to privacy regulations, especially in a world where consumer privacy laws are so diverse.

The Oakley Radar Pace is a head-worn real time, voice activated coaching system that creates and manages training programs for track running or cycling. The “coach” is an NLP-powered voice assistant on the eyewear. User can converse with it hands-free, and get advanced feedback on their performance.

In our presentation, we talk about the security and privacy research that went into designing and developing Radar Pace, including a custom Security Development Lifecycle (SDL) that accounted for the three “branches” of the program: wearable, phone and the cloud. We present examples of vulnerabilities and privacy problems associated with such new classes of products. While the applications and use cases for wearables are limited only by the designers’ imagination, the best practices we have pioneered will be useful and can easily be reapplied by vendors creating new wearables and IoT products. The goal of our presentation is to educate attendees about shedding the old notions of privacy and Security Development Lifecycle when preparing for the products of the future, as well as to discuss interesting security vulnerabilities in such technologies

BIOS: Kavya (@kavyaracharla) is a senior security researcher and lead for Intel’s New Devices Group. She worked for Oracle and Qualcomm’s security teams before she started her current job at Intel. She has a Masters in Information Security from the Johns Hopkins University and a passion for Security.

Sumanth (@snaropanth) is a senior security research manager for Intel’s New Devices Group. He has worked in the information security industry for over a decade in a variety of roles, including incident response, feature development and security assurance. He worked for Sun Microsystems and Palm before his current job at Intel. He has a Masters in Computer Science (Security) from Columbia University

Presenting in our Attack & Research Track: »How to Bring HID Attacks to the Next Level« by Luca Bongiorni


Abstract: Since the first public appearance of HID Attacks, many awesome researches, tools and devices have been released.

However, Offensive Security folks were always seeking cheap and dedicated hardware that could be controlled remotely (i.e. over WiFi or BT). And this is how WHID Injector and P4wnP1 were born.

WHID stands for WiFi HID injector, it is an USB Rubberducky on steroids, designed to fulfill Pentesters needs during their engagements. It can be easily controlled over the WiFi network and can potentially bypass air-gapped environments. P4wnP1 is a tool based on RaspberryPi Zero W and it is a Bashbunny on Steroids. It has many cool features like Win10 Lockpicker, HID backdoor (which bypasses air-gapped environments as well), a call-home feature, etc.

During the talk we will see in depth how WHID was designed and which software it supports. We will also compare its features against P4wnP1’s ones. And (Murphy permitting) You will see them in action! 😎

BIO: Luca (@LucaBongiorni) is very good at creating biographies. He is working as Principal Offensive Security Expert and also actively involved in InfoSec where the main fields of research are: Radio Networks, Reverse Engineering, Hardware Hacking, Antani, Internet of Things and Physical Security. Since 2012 is keeping a closer eye on FSB operations. His favorite hobbies are Pasta, Grappa and ARP-Spoofing.

Presenting in our Defense & Management Track : Real-Life Network and Security Automation« by Ivan Pepelnjak

Abstract: While vendor marketers keep confusing customer engineers with buzzwords like “software-defined” and “intent-driven”, an increasing number of network- and security engineers decided to go another way and solve their problems the way system administrators did years ago: by combining simple tools into a system that delivers real-life solutions to real-life problems. The talk will focus on several simple use cases.

BIO: Ivan Pepelnjak (CCIE#1354 Emeritus) (@ioshints) has implemented his first network automation solution in mid-1990s, presented SDN and Network Automation solutions at Interop, Troopers, RIPE and other regional ISP meetings, and delivered numerous on-site SDN and network automation workshops for large enterprises and service providers.

Ivan is the author of several SDN-related books, Hands-On Network Automation workshop, Building Network Automation Solutions online course, highly praised webinars, and dozens of network automation and SDN-related technical articles published on his blog.

Presenting in our SAP Track : »SAP IGS : The ‘vulnerable’ forgotten component« by Yvan Genuer


Abstract: SAP Internet Graphics Server (IGS) is present by default in every SAP Netweaver system since 10 years now. This component provides several services like chart generating, zipping file, requesting spool information as well as converting pictures. Curiously it is not very well known or documented.

This talk will describe the way we used to understand how this component works, and how it could be exploited. It will include the difficulties we met, how we resolved them and what future work remains to be done.

All without authentication and remotely exploitable, we will speak about vulnerabilities like XXE, XSS, DoS or SSRF, and a particular arbitrary file upload issue. Also we introduce, a tool to perform a quick SAP IGS assessment.

BIO: Yvan (@_1ggy) has nearly 15 years of experience in SAP. Starting out as a SAP basis administrator for various well-known French companies, since 5 years, he focuses on SAP Security and is now the head of SAP assessment and pentesting at Devoteam security team. Although being a discreet person, he received official acknowledgements from SAP AG for vulnerabilities he’s reported. Furthermore, he is a longtime member of the Grehack conference organization committee and has conducted a SAP pentest workshop at Clusir and, as well as a full training at Hack In Paris.

Presenting in our Active Directory Track: An ACE Up The Sleeve: Designing Security Descriptor Based Backdoors by Will Schroeder & Andy Robbins

Abstract: Active Directory (AD) and host-based security descriptors are an untapped offensive landscape, often overlooked by attackers and defenders alike. The control relationships between AD and host objects align perfectly with the “attackers think in graphs” philosophy and expose an entire class of previously unseen control edges, dramatically expanding the number of paths to complete domain compromise.

While security descriptor misconfigurations can provide numerous paths that facilitate elevation of domain rights, they also present a unique chance to covertly deploy persistence in an Active Directory environment. It’s often difficult to determine whether a specific security descriptor misconfiguration was set intentionally or implemented by accident, and modifications to specific host security descriptors can have far-reaching and unintended consequences in the domain as a whole. This makes security descriptor-based backdoors an excellent persistence opportunity: minimal forensic footprint, and maximum plausible deniability.

This talk will cover Active Directory and host security descriptors in depth, including our “misconfiguration taxonomy” and enumeration/analysis with BloodHound’s ever-expanding released feature set. We will cover how specific host host-based security descriptor modifications can affect the security of the system as a whole, filling in the gaps from the pure Active Directory approach. We will then cover methods to design chains of these backdoors, producing novel Active Directory persistence paths that evade most current detections.

BIOS: Will Schroeder (@harmj0y) is a offensive engineer and red teamer for SpecterOps. He is a co-founder of Empire/Empyre, BloodHound, and the Veil-Framework, developed PowerView and PowerUp, is an active developer on the PowerSploit project, and is a Microsoft PowerShell MVP. He has presented at a number of conferences on a variety of topics, including DEF CON, Black Hat, ShmooCon, DerbyCon, Troopers, BlueHat Israel, and various Security BSides conferences.

Andy Robbins (@_wald0) is the Adversary Resilience Lead at SpecterOps, an active red teamer, and co-author of the BloodHound project, a tool designed to reveal the hidden and unintended permission relationships in Active Directory domains. He has presented at DEF CON, Black Hat, BSides Las Vegas, DerbyCon, ekoparty, and actively researches Active Directory security.

The Early Bird rate is now on for our TROOPERS18 tickets.  We can’t wait to see you in Heidelberg March 12-16, 2018!