Posts Tagged ‘DefCon32’
[DefCon32] DEF CON 32: NTLM The Last Ride
Jim Rush and Tomais Williamson, security researchers from Wellington, New Zealand, electrified DEF CON 32 with a deep dive into exploiting NTLM authentication before its planned phase-out in Windows 11 and beyond. Representing CyberCX, they unveiled new vulnerabilities, bypassed existing fixes, and exposed insecure defaults in Microsoft’s NTLM-related controls. Their fast-paced presentation, infused with humor and technical depth, offered a final hurrah for NTLM hacking, urging attendees to turn off NTLM where possible.
Revisiting NTLM’s Persistent Flaws
Jim and Tomais began by contextualizing NTLM, a 25-year-old authentication protocol still prevalent despite its known weaknesses. They highlighted Microsoft’s plan to deprecate NTLM, yet emphasized its lingering presence in legacy systems. Their research uncovered new bugs, including a bypass of a previously patched CVE, allowing attackers to coerce NTLM hashes from various applications. By exposing these flaws, Jim and Tomais underscored the urgency of transitioning to more secure protocols like Kerberos.
Novel Exploitation Techniques
The duo detailed their innovative approaches, combining multiple bug classes to extract NTLM hashes from unexpected sources, such as document processors and build servers. Their live demonstrations showcased “cooked” bugs—exploits leveraging URL inputs to trigger hash leaks. Jim’s anecdotes about their discoveries, including a nod to their CyberCX colleague’s assistance, highlighted the collaborative nature of their work. These techniques revealed NTLM’s fragility, especially in environments with permissive defaults.
Insecure Defaults and Systemic Gaps
Focusing on Microsoft’s NTLM security controls, Jim and Tomais exposed glaring gaps, such as libraries allowing unauthenticated hash extraction. They demonstrated how attackers could exploit these defaults in applications like Microsoft Teams or PDF generators, turning innocuous features into attack vectors. Their findings, supported by CyberCX’s research efforts, emphasized the need for organizations to audit NTLM usage and disable it wherever feasible to prevent hash coercion.
Community Collaboration and Future Steps
Concluding, Jim and Tomais called for community engagement, inviting attendees to share ideas for extracting hashes from novel sources like video games. They praised Microsoft’s MSRC team for their responsiveness and urged continued disclosure to advance research. Their advice to “turn off NTLM, then turn it back on when someone screams” humorously captured the challenge of legacy system dependencies, encouraging proactive steps toward more secure authentication frameworks.
Links:
[DefCon32] DEF CON 32: Finding & Exploiting Local Attacks on 1Password Mac Desktop App
J. Hoffman and Colby Morgan, offensive security engineers at Robinhood, delivered a compelling presentation at DEF CON 32, exploring vulnerabilities in the 1Password macOS desktop application. Focusing on the risks posed by compromised endpoints, they unveiled multiple attack vectors to dump local vaults, exposing weaknesses in 1Password’s software architecture and IPC mechanisms. Their research, blending technical rigor with practical demonstrations, offered critical insights into securing password managers against local threats.
Probing 1Password’s Security Assumptions
J. and Colby opened by highlighting the immense trust users place in password managers like 1Password, which safeguard sensitive credentials. They posed a critical question: how secure are these credentials if a device is compromised? Their research targeted the macOS application, uncovering vulnerabilities that could allow attackers to access vaults. By examining 1Password’s reliance on inter-process communication (IPC) and open-source components, they revealed how seemingly robust encryption fails under local attacks, setting the stage for their detailed findings.
Exploiting Application Vulnerabilities
The duo detailed several vulnerabilities, including an XPC validation bypass that enabled unauthorized access to 1Password’s processes. Their live demonstrations showcased how attackers could exploit these flaws to extract vault data, even on locked systems. They also identified novel bugs in Google Chrome’s interaction with 1Password’s browser extension, amplifying the attack surface. J. and Colby’s meticulous approach, including proof-of-concept scripts released at Morgan’s GitHub, underscored the need for robust validation in password manager software.
Mitigating Local Threats
Addressing mitigation, J. and Colby recommended upgrading to the latest 1Password versions, noting fixes in versions 8.10.18 and 8.10.36 for their disclosed issues. They urged organizations to enhance endpoint security, emphasizing that password managers are prime targets for red teamers seeking cloud credentials or API keys. Their findings, developed over a month of intensive research, highlighted the importance of proactive patching and monitoring to safeguard sensitive data on compromised devices.
Engaging the Security Community
Concluding, J. and Colby encouraged the DEF CON community to extend their research to other password managers, noting that similar vulnerabilities likely exist. They shared their code to inspire further exploration and emphasized responsible disclosure, having worked with 1Password to address the issues. Their call to action invited attendees to collaborate on improving password manager security, reinforcing the collective effort needed to protect critical credentials in an era of sophisticated local attacks.
Links:
[DefCon32] DEF CON 32: Laundering Money
Michael Orlitzky, a multifaceted security researcher and mathematician, captivated the DEF CON 32 audience with a provocative presentation on bypassing payment mechanisms in CSC ServiceWorks’ pay-to-play laundry machines. By exploiting physical vulnerabilities in Speed Queen washers and dryers, Michael demonstrated how to run these machines without payment, framing his actions as a response to CSC’s exploitative practices. His talk, rich with technical detail and humor, shed light on the intersection of physical security and consumer frustration, urging attendees to question predatory business models.
Uncovering CSC’s Predatory Practices
Michael began by introducing CSC ServiceWorks, a major provider of coin- and app-operated laundry machines in residential buildings. He detailed their business model, which charges tenants for laundry despite rent covering utilities, often trapping users with non-refundable prepaid cards or unreliable apps like CSC GO. Michael recounted personal grievances, such as machines eating quarters or failing to deliver services, supported by widespread customer complaints citing CSC’s poor maintenance and refund processes. His narrative positioned CSC as a corporate antagonist, justifying his exploration of hardware bypasses as a form of reclaiming fairness.
Bypassing Coin Slots with Hardware Hacks
Delving into the technical core, Michael explained how to access the service panels of CSC-branded Speed Queen machines, which use standardized keys available online. By short-circuiting red and black wires in the coin-drop mechanism, he tricked the machine into registering payment, enabling free cycles without damage. His live demonstration, complete with safety warnings about grounding and electrical risks, showcased the simplicity of the bypass—achievable in seconds with minimal tools. Michael’s approach, detailed on his personal website, emphasized accessibility, requiring only determination and basic equipment.
Addressing CSC’s Security Upgrades
Michael also addressed CSC’s response to his findings, noting that days before DEF CON 32, the company upgraded his building’s machines with new tubular locks and security Torx screws. Undeterred, he demonstrated how to bypass these using a tubular lockpick or a flathead screwdriver, highlighting CSC’s superficial fixes. His candid tone and humorous defiance—acknowledging the machines’ internet-connected logs—underscored the low risk of repercussions, as CSC’s focus on profit over maintenance left such vulnerabilities unaddressed. This segment reinforced the talk’s theme of exploiting systemic flaws in poorly secured systems.
Ethical Implications and Community Call
Concluding, Michael framed his work as a protest against CSC’s exploitative practices, encouraging attendees to consider the ethics of bypassing systems that exploit consumers. He shared resources, including manuals and his write-up, to empower others while cautioning about legal risks. His talk sparked reflection on the balance between technical ingenuity and corporate accountability, urging the DEF CON community to challenge predatory systems through informed action.
Links:
[DefCon32] DEF CON 32: Measuring the Tor Network
Silvia Puglisi and Roger Dingledine, key figures in the Tor Project, delivered an insightful presentation at DEF CON 32, shedding light on the Tor network’s metrics and community-driven efforts to maintain its health. As millions rely on Tor to evade surveillance and censorship, Silvia and Roger detailed how the Tor Project collects safe metrics, detects attacks, and fosters a vibrant relay operator community. Their talk provided a window into the challenges of sustaining an anonymity network and invited attendees to contribute to its mission of preserving internet freedom.
Collecting Safe Metrics for Anonymity
Silvia opened by explaining the Tor Project’s approach to gathering metrics without compromising user anonymity. By analyzing usage patterns and relay performance, the network health team identifies unusual activity, such as potential attacks or misconfigured relays. Silvia highlighted tools like Tor Weather, which notifies operators of relay issues, and the network status API, which supports data analysis. These efforts ensure the network remains robust while prioritizing user privacy, a delicate balance in an anonymity-focused ecosystem.
Detecting and Mitigating Network Threats
Roger delved into the strategies for identifying and countering attacks on the Tor network, which supports over seven thousand volunteer-operated relays. He discussed how metrics help detect malicious relays and unusual traffic patterns, enabling rapid response to threats. Roger cited historical examples, such as the 2009 Green Party Movement in Iran, where Tor empowered activists, underscoring the network’s role in global activism. By sharing these insights, he emphasized the importance of community vigilance in maintaining network integrity.
Fostering a Diverse Relay Community
The duo highlighted the Tor Project’s efforts to grow its community of relay operators, encouraging attendees to run relays, bridges, or Snowflake proxies. Silvia detailed initiatives like the formal relay operator meetup planned for future conferences, aiming to strengthen community ties. Roger stressed that contributing to Tor supports activists worldwide, particularly those without institutional protections. Their call to action invited DEF CON attendees to join the network health team or contribute to projects like rewriting tools in Rust for better performance.
Future Challenges and Community Engagement
Concluding, Silvia and Roger outlined ongoing challenges, such as improving data visualization and scaling the network to handle increasing demand. They encouraged contributions to the Tor Project’s wiki and open-source tools, emphasizing that every relay or code contribution aids the fight for privacy and anonymity. Their interactive session at the Tor booth post-talk invited attendees to explore further, reinforcing the collaborative spirit that drives the Tor ecosystem forward.
Links:
[DefCon32] DEF CON 32: Exploiting Cloud Provider Vulnerabilities for Initial Access
Nick Frichette, a cloud security expert, enthralled the DEF CON 32 audience with a deep dive into vulnerabilities within Amazon Web Services (AWS) that enable initial access to cloud environments. Moving beyond traditional misconfiguration exploits, Nick explored flaws in AWS services like AppSync and Amplify, demonstrating how attackers can hijack Identity and Access Management (IAM) roles. His presentation offered practical defensive strategies, empowering organizations to secure their cloud infrastructure against sophisticated attacks.
Understanding IAM Role Exploits
Nick began by explaining how IAM roles establish trust within AWS, relying on mechanisms like sts:AssumeRoleWithWebIdentity to prevent unauthorized access across accounts. He detailed a confused deputy vulnerability in AWS AppSync that allowed attackers to assume roles in other accounts, bypassing trust boundaries. Through a real-world case study, Nick illustrated how this flaw enabled unauthorized access, emphasizing the importance of understanding trust relationships in cloud environments to prevent such breaches.
Amplify Vulnerabilities and Zero-Day Risks
Delving deeper, Nick revealed a critical vulnerability in AWS Amplify that exposed customer IAM roles to takeover, granting attackers a foothold in victim accounts. His demonstration highlighted how adversaries could exploit this flaw without authentication, underscoring the severity of zero-day vulnerabilities in cloud services. Nick’s meticulous analysis of Amplify’s architecture provided insights into how such flaws arise, urging security practitioners to scrutinize service configurations for hidden risks.
Defensive Strategies for Cloud Security
Nick concluded with actionable recommendations, advocating for the use of condition keys in IAM trust policies to block cross-tenant attacks. He demonstrated how setting account-specific conditions thwarted his AppSync exploit, offering a defense-in-depth approach. Nick encouraged organizations to audit IAM roles, particularly those using web identity federation, and to test configurations rigorously before deployment. His work, available at Security Labs, equips defenders with tools to fortify AWS environments.
Links:
[DefCon32] DEF CON 32: Mutual Authentication Is Optional
Xavier Zhang, an RFID enthusiast and physical security researcher, delivered a concise yet impactful presentation at DEF CON 32, exposing vulnerabilities in HID iClass SE readers used in physical access control systems. By demonstrating cloning, downgrading, and emulation attacks, Xavier revealed how attackers can bypass secure credentials to gain unauthorized access to facilities. His interactive demos, leveraging tools like Proxmark3 and Flipper Zero, underscored the importance of mutual authentication and provided practical mitigation strategies to enhance physical security.
Exploiting iClass SE Vulnerabilities
Xavier opened by outlining the mechanics of HID iClass SE credentials, widely used in secure facilities. He detailed four attack vectors, starting with cloning, the simplest method, which exploits predictable facility codes in poorly configured systems. By analyzing publicly available documentation from a Canadian vendor, Xavier showed how attackers can replicate credentials without physical access, highlighting the risks of enabling legacy technologies on modern readers. His insights emphasized the need for robust configuration practices to prevent trivial exploits.
Advanced Attacks and Community Contributions
Transitioning to more complex techniques, Xavier demonstrated downgrading and emulation attacks that bypass iClass SE’s secure authentication. Using tools like Proxmark3 and Flipper Zero, he showcased how vulnerabilities, such as an authentication bypass discovered by the RFID hacking community, enable unauthorized access. Xavier acknowledged contributors like Eric Betts and Kate, whose work on iClass documentation and emulation code was instrumental. His live demos illustrated the real-world implications of these exploits, urging organizations to prioritize secure credential issuance.
Links:
- None available
[DefCon32] DEF CON 32: Gotta Cache ‘em All – Bending the Rules of Web Cache Exploitation
Martin Doyhenard, a seasoned security researcher, captivated the DEF CON 32 audience with his exploration of innovative web cache exploitation techniques. Focusing on exploiting ambiguities in RFC standards, Martin unveiled two novel methods—Static Path Deception and Cache Key Confusion—that push the boundaries of web cache attacks. Through detailed case studies and a live demonstration, he showcased how these techniques can compromise application confidentiality, enable arbitrary cache poisoning, and even achieve full site takeovers, providing actionable insights for security practitioners to identify and mitigate such vulnerabilities.
Unveiling Web Cache Mechanics
Martin began by elucidating the inner workings of web caches, which store frequently accessed content to enhance website performance. He highlighted how caches rely on URL parsing to determine what to store and serve, yet inconsistencies in parsing across platforms create exploitable vulnerabilities. By leveraging ambiguities in RFC standards, attackers can manipulate cache behavior to serve malicious content or expose sensitive data. Martin’s clear explanation set the stage for understanding the sophisticated attacks that followed, emphasizing the critical role of URL parsers in web security.
Static Path Deception: Breaching Confidentiality
Delving into his first technique, Martin introduced Static Path Deception, a method that exploits cache handling of static file paths to compromise application confidentiality. Using a case study involving Nginx behind Cloudflare, he demonstrated how attackers can trick caches into serving sensitive content to unauthorized users. By crafting specific URL patterns, Martin showed how this technique bypasses traditional cache restrictions, exposing private data. His findings underscore the need for consistent cache configuration across content delivery networks and web servers to prevent such breaches.
Cache Key Confusion: Poisoning and Denial of Service
Martin then presented Cache Key Confusion, a technique exploiting discrepancies in how platforms like Microsoft Azure Cloud normalize cache keys. He illustrated how attackers can manipulate URL parsing to poison caches, serving malicious content to all users or triggering denial-of-service attacks. His live demo combined Cache Key Confusion with an open redirect vulnerability to execute arbitrary JavaScript, achieving a complete site takeover. This powerful demonstration highlighted the far-reaching impact of parser inconsistencies and the potential for significant disruption in cloud-based environments.
Mitigation and Community Engagement
Concluding, Martin shared practical strategies to counter these vulnerabilities, urging organizations to audit cache configurations and disable key normalization where possible. He introduced his open-source tool, Cache Killer, designed to detect parsing discrepancies, and encouraged the DEF CON community to contribute to its development. By sharing references to prior research and his own findings, Martin fostered a collaborative approach to improving web cache security, inspiring attendees to hunt for similar vulnerabilities in bug bounty programs and beyond.
Links:
- None available
[DefCon32] DEF CON 32: Feet Feud
Tiberius, presenting as “Toes” with the OnlyFeet CTF team, hosted the lively “Feet Feud” game show at DEF CON 32, bringing together cybersecurity enthusiasts for a fun, interactive competition. Team captains Ali Diamond, known for her Hack 5 ThreatWire hosting, and John Hammond, a prominent cybersecurity educator, led their teams in a spirited battle of wits. The event, a fan favorite after unofficial runs in previous years, engaged the audience with hacker-themed challenges and quirky prizes, fostering community spirit and camaraderie.
The Game Show Experience
Tiberius kicked off the event with infectious enthusiasm, introducing Ali and John as team captains. Audience members, selected based on vibrant attire like orange bow ties, joined the teams, creating an electric atmosphere. The game, inspired by classic game shows, featured cybersecurity-themed questions and challenges, blending humor with technical knowledge. Tiberius’s dynamic hosting, supported by assistants Helen and Wolfie, ensured a fast-paced, engaging experience that kept the crowd entertained.
Celebrating the Hacker Community
The event celebrated the DEF CON community’s creativity and collaboration, with Ali and John leading their teams through rounds that tested hacking trivia and problem-solving skills. Prizes, including Hack The Box VIP vouchers, coding socks, and whimsical baby foot candles, added a playful touch. Tiberius emphasized the importance of community-driven events like Feet Feud, which provide a lighthearted counterbalance to the conference’s technical intensity, strengthening bonds among attendees.
Building on Tradition
Reflecting on Feet Feud’s evolution from a small gathering to a main-stage event, Tiberius highlighted its growing popularity, with this year’s crowd far exceeding the previous high of 40 attendees. The game’s success, supported by sponsors like Hack The Box, underscores its role in fostering a sense of belonging within the cybersecurity community. By encouraging audience participation and celebrating victories with quirky rewards, Feet Feud reinforces DEF CON’s unique blend of learning and fun.
Looking Ahead
Concluding, Tiberius expressed hope for Feet Feud’s return with even grander prizes, thanking Helen and Wolfie for their invaluable support. The event’s success lies in its ability to unite hackers in a shared celebration of their craft, inspiring future iterations that continue to blend competition with camaraderie. Ali and John’s leadership, combined with the audience’s enthusiasm, ensures Feet Feud remains a cherished DEF CON tradition.
Links:
[DefCon32] DEF CON 32: HookChain – A New Perspective for Bypassing EDR Solutions
Helvio Carvalho Junior, a renowned security researcher and CEO of Sec4US, unveiled his groundbreaking HookChain technique at DEF CON 32, offering a fresh perspective on evading Endpoint Detection and Response (EDR) systems. By combining Import Address Table (IAT) hooking, dynamic System Service Number (SSN) resolution, and indirect system calls, Helvio demonstrated how HookChain stealthily redirects Windows subsystem execution flows, bypassing EDR monitoring without altering application code. His presentation, enriched with live demonstrations, challenged cybersecurity conventions and spurred discussion on adaptive defense strategies.
Understanding EDR Limitations
Helvio opened by outlining the rapid evolution of digital threats, which continuously challenge EDR solutions designed to monitor API calls through Ntdll.dll. He explained that traditional EDRs rely on hooking key functions to detect malicious activity, but these mechanisms can be circumvented. HookChain exploits this by manipulating the execution flow to avoid monitored interfaces, achieving stealth without modifying the source code of applications or malware. Helvio’s approach highlights the need for EDRs to evolve beyond static monitoring techniques.
Technical Mechanics of HookChain
Delving into the technical core, Helvio detailed HookChain’s methodology, which integrates IAT hooking to redirect function calls, dynamic SSN resolution to adapt to varying Windows versions, and indirect system calls to bypass EDR hooks. His live demo showcased shellcode injection into a process, executing it undetected by EDRs like CrowdStrike and SentinelOne. By leveraging techniques like Halo’s Gate to locate unhooked functions, HookChain ensures malicious payloads operate invisibly, achieving an impressive 66% success rate against top EDR products listed in Gartner’s Magic Quadrant.
Testing and Vendor Responses
Helvio shared results from testing HookChain against various EDR solutions, including remote process injection and credential dumping with tools like Mimikatz. His findings revealed that while some vendors, such as SentinelOne, implemented patches to counter HookChain, others lagged in response. He emphasized the importance of open collaboration, noting that two vendors engaged with him to test mitigations. Helvio’s transparency, including sharing his whitepaper and source code on GitHub, encourages the community to refine and challenge his techniques, fostering stronger defenses.
Future Directions for Cybersecurity
Concluding, Helvio urged the DEF CON community to embrace continuous innovation in security research. HookChain not only exposes vulnerabilities in current EDR systems but also paves the way for more adaptive solutions. He advocated for proactive strategies that anticipate emerging threats, inspiring researchers to explore new evasion techniques and defenders to enhance monitoring beyond Ntdll.dll. His work, rooted in a passion for discovery, sets a benchmark for advancing endpoint security in a dynamic threat landscape.
Links:
[DefCon32] DEF CON 32: Leveraging Private APNs for Mobile Network Traffic Analysis
Aapo Oksman, a seasoned security researcher specializing in IoT and network protocols, delivered a compelling presentation at DEF CON 32 on harnessing private Access Point Names (APNs) to analyze mobile and IoT device traffic. As devices increasingly rely on 4G and 5G networks, bypassing traditional Wi-Fi monitoring, Aapo’s innovative approach enables security professionals to inspect, filter, and tamper with mobile network traffic. His talk provided practical techniques for both offensive and defensive cybersecurity, from penetration testing to detecting malicious activity in mobile ecosystems.
Challenges in Mobile Network Monitoring
Aapo began by highlighting the shift in device communication from Wi-Fi to mobile networks, which complicates traditional traffic analysis due to direct connections to ISP-operated base stations. Setting up private base stations, while possible, is costly and complex. Aapo introduced private APNs as a cost-effective alternative, allowing users to create isolated networks within ISP infrastructure. This approach grants visibility into device communications, overcoming the limitations of locked-down devices and enabling detailed traffic analysis for security purposes.
Harnessing Private APNs for Security
Delving into the technical details, Aapo explained how private APNs can be configured to route mobile traffic through controlled environments, such as firewalls or custom servers. His demonstration showcased the setup process, emphasizing affordability and scalability, with costs decreasing as more devices are added. By intercepting IP traffic, security professionals can perform penetration testing on IoT devices or monitor for malicious activity, such as command-and-control (C2) communications. Aapo’s approach leverages ISP infrastructure to create a controlled network environment, enhancing both offensive and defensive capabilities.
Uncovering Advanced Malware Threats
Aapo addressed the growing sophistication of mobile malware, which often avoids Wi-Fi or VPN connections to evade detection. He cited an example of a misconfigured malware detected via Wi-Fi traffic, underscoring that advanced threats are designed to operate solely over mobile networks. Private APNs enable defenders to monitor these communications, identifying C2 servers or other malicious activities that would otherwise go unnoticed. Aapo’s insights highlight the critical need for innovative monitoring techniques to counter evolving mobile threats.
Practical Applications and Future Directions
Concluding, Aapo shared project details and encouraged the DEF CON community to explore private APNs for their research. He emphasized the dual-use potential of his approach, enabling both penetration testers and defenders to gain deeper insights into mobile device behavior. By connecting private APNs to existing security infrastructure, organizations can enhance their ability to detect and mitigate threats. Aapo’s work paves the way for future advancements in mobile network security, urging continued exploration of ISP-based solutions.
Links:
- None available