DeepSec2016 Talk: Abusing LUKS to Hack the System – Interview with Ismael Ripoll & Hector Marco

Please tell us the top facts about your talk.

  • It discloses a vulnerability that affects Linux systems encrypted with LUKS, and how it can be abused to escalate privileges: CVE-2016-4484
  • Includes a sketch of the boot sequence with a deeper insight into the initrd Linux process
  • A brief discussion about why complexity is the enemy of security: The whole system needs to be observed.
  • A practical real working demo attack will be presented.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Well, this is a difficult question. Basically, it is an attitude in front of the computer. When we start a research line, we don’t stop digging until the ultimate doubt and question is addressed. After the GRUB 28 bug, we kept reviewing the rest of the Linux boot sequence.

Why do you think this is an important topic?

Although we will present how to abuse the system through a cryptography service, the root of the problem is “complexity”: the idea of complexity is not limited to difficult mathematical algorithms or advanced data structures; the combination of subsystems also increases the overall complexity. The vulnerability that will be presented is a good example of how the addition of new features (in this case, security features) may weaken the system by creating new faults.

Is there something you want everybody to know – some good advice for our readers maybe?

Our talk will show that it is not necessary to use complex exploits or advanced USB hacking devices to hack the system. Knowledge is the only necessary tool. Do you remember the GRUB 28 bug? This time it is a little bit more complex but the result is… surprising.

A prediction for the future – What, do you think, will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?

Thanks to the advances in mitigation techniques (ASLR, NX, SSP, CFI, etc.) and better software engineering methods, the number of exploitable faults may be reduced (as long as the programmers for the IoT do apply those technologies). A more dangerous type of vulnerability is the one caused by the interaction of two or more systems which work correctly when used separately.

On the other hand, cryptography will always be a hot topic. As crypto algorithms become outdated by the advances in computing power and cryptanalysis, crypto suites must be updated. And new code means new bugs.


Ismael Ripoll received his PhD in computer science from the Universitat Politecnica de Valencia in 1996, where he is professor of several cybersecurity subjects in the Department of Computing Engineering. Before working on security he participated in multiple research projects related to hypervisor solutions for European spacecraft; dynamic memory allocation algorithms; Real-Time Linux; and hard real-time scheduling theory. Currently, he is applying all this background to the security field. His current research interests include memory error defense/attack techniques (SSP and ASLR) and software diversification. Ismael Ripoll is a cybersecurity researcher at the UPV Cybersecurity group.


Hector Marco-Gisbert received his Ph.D. degree in computer science (cybersecurity) in 2015. Initially, he participated in several research projects whose main goal was to develop a hypervisor for the next generation of spacecraft for the ESA (European Space Agency). He helped extend the scope of these projects to include security aspects using the MILS (Multiple Independent Levels of Security/Safety) architecture. Currently, Hector Marco is a lecturer in Cyber Security and Virtualisation at the University of the West of Scotland. His research aims to identify and thwart critical security threats focusing on servers and smartphone platforms. His interests include the study and design of new low level attacks and protection mechanisms. He revisited mature and well known techniques like SSP (Stack Smashing Protection) and ASLR (Address Space Layout Randomization), and was able to make substantial contributions, e.g. in the form of RenewSSP and ASLR-NG. Hector received awards and recognitions from Google and Packet Storm Security for his security contributions to the Linux kernel.

DeepSec 2016 Talk: I Thought I Saw a |-|4><0.- Thomas Fischer

Threat Hunting refers to proactively and iteratively searching through networks or datasets to detect and respond to advanced threats that evade traditional rule- or signature-based security solutions. “But what does this really mean?”, asks Thomas Fischer. “And what real impact does it have on the security team? Can we use threat hunting to provide a process to better detect and understand when you’ve been breached?”

More and more security data is being produced and usually aggregated into a central location or body to hopefully take quick and informed decisions on attacks or compromises amongst a mountain of data. When you start to include data gathered from your endpoints the amount of data starts to explode exponentially. This level of data provides us with a large amount of visibility. But is having visibility enough?

What if a more thoughtful and intelligent way of generating alerts could draw an analyst’s attention to the right place at the right time? This would provide context or even flag suspicious behaviour that can become the starting point of a hunt.

In his talk Thomas Fischer will explore this theory and establish working foundations of what threat hunting is and look at some of the challenges associated with gathering large sets of data. This will give us a foundation to look at how we can improve and explore implementing an intelligent threat hunting model to drive the investigation process. We asked him some questions beforehand.

Please tell us the top 5 facts about your talk.

Threat Hunting is the new thing to detect malicious activities in your environment. In the talk we look at what it takes to do threat hunting, the challenges in putting it into place, and how to deal with the volume of data. While most threat hunting pitches talk about using network based data, this talk looks at what kind of endpoint data can be used, the impact it can have on data volumes and what to look for to start the hunt.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

This talk is essentially a story about how to analyse a ton of data and what methods can help. It was born from my own experience of looking at what trends are going on in IR.

Why do you think this is an important topic?

It’s important because current automated solutions no longer suffice in detecting the “bad guys”. We need better methods and processes to combat these creative attackers.

Is there something you want everybody to know – some good advice for our readers maybe?

In this talk, I share some experiences in what and how to look at threat hunting as a method for detecting malicious activities. Threat hunting is becoming the current in-thing for marketing – hopefully this talk will clear up what threat hunting really means for incident response.

A prediction about the future – what do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?

Machine learning will play an important part of IR in the near future. As humans we won’t be able to process the volume of data being generated for IR. So machine learning is the natural next step to highlight “things” that need to be responded to…

With over 25 years of experience, Thomas has a unique view on security in the enterprise, with experience in multiple domains from policy and risk management, secure development, incident response and forensics. Thomas has held roles varying from security architect in large Fortune 500 companies to consultant for both industry vendors and consulting organizations. Thomas currently plays a lead role in advising customers while investigating malicious activity and analyzing threats for Digital Guardian. Thomas is also an active participant in the infosec community, not only as a member but also as director of Security BSides London and as an ISSA UK chapter board member.


DeepSec2016: 0patch – Self-healing Security Updates. DeepSec and ACROS Security Introduce a Platform for Micropatches

As soon as a security gap in a computer application is made public, the anxious wait begins. Whether it is software for your own network, online applications or apps for your mobile devices, as a user you quickly become aware of your own vulnerability. The nervousness increases. When will the vendor publish the security update? In the meantime, is there anything you can do to reduce the risk? Alternatively, how long can you manage without this particular software?

Providing answers to these questions is the central task of security management. Some vendors have fixed dates for security updates. However, occasionally unscheduled updates take place, while some vendors wait quite a few years before they release another update. And this is only true for applications that are still in production or come with a support contract. What happens to programs that are no longer supported? One possible answer is 0patch, a platform for so-called micropatches applied in live mode.

Micropatches as emergency management

Contrary to popular belief, patches cannot only be provided by a software’s vendor. It is possible to change applications both at runtime and during a short interruption. Since publicly disclosed vulnerabilities are already thoroughly documented by security researchers, micropatches can be created on the basis of this information, serving directly to eliminate the vulnerabilities in question. This system is called 0patch. It has been developed by security experts who have been penetrating networks for more than 15 years. Such attacks also require injecting code into a running program, which is exactly what applying a micropatch does; every exploitation of a vulnerability is based on this principle. Simply put, 0patch is the opposite of an exploit.
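The idea of a micropatch, a small correction injected into a running program at the point where the missing check belongs, can be shown without native code. The following Python is an added illustration written for this page, not 0patch’s own technology (which patches machine code inside live Windows processes): a constructed file-share helper with a path traversal bug is hot-patched in place with the missing containment check, exercised, and then reverted without a restart. The share root, function names and sample inputs are all invented for the example.

```python
"""Runtime hot-patch of a vulnerable function: the micropatch idea in Python."""
import functools
import posixpath

# Constructed example: a file share whose root must never be escaped.
SHARE_ROOT = "/srv/share"


def resolve_share_path(name: str) -> str:
    """Vulnerable original: joins user input onto the share root without a containment check,
    so "../../etc/passwd" resolves to /etc/passwd (path traversal)."""
    return posixpath.normpath(posixpath.join(SHARE_ROOT, name))


def traversal_guard(name: str) -> None:
    """The missing check, written as a guard the micropatch runs before the original code."""
    candidate = posixpath.normpath(posixpath.join(SHARE_ROOT, name))
    if candidate != SHARE_ROOT and not candidate.startswith(SHARE_ROOT + "/"):
        raise PermissionError("path escapes the share root: %r" % name)


_ORIGINALS = {}   # (namespace id, function name) -> unpatched function, kept for reverting


def apply_micropatch(namespace: dict, func_name: str, guard) -> None:
    """Replace namespace[func_name] in the running process with a guarded wrapper.
    Callers that look the function up by name pick up the patch on their next call;
    no restart, and the code on disk is untouched."""
    original = namespace[func_name]

    @functools.wraps(original)
    def patched(*args, **kwargs):
        guard(*args, **kwargs)            # reject the input the original never checked
        return original(*args, **kwargs)  # then run the unmodified original

    _ORIGINALS[(id(namespace), func_name)] = original
    namespace[func_name] = patched


def revert_micropatch(namespace: dict, func_name: str) -> None:
    """Undo apply_micropatch(), e.g. once the vendor's official fix has been installed."""
    namespace[func_name] = _ORIGINALS.pop((id(namespace), func_name))


def demonstrate() -> dict:
    """Exercise the function before, during and after the micropatch; returns what each call did."""
    results = {"before": resolve_share_path("../../etc/passwd")}
    apply_micropatch(globals(), "resolve_share_path", traversal_guard)
    try:
        resolve_share_path("../../etc/passwd")
        results["after"] = "allowed"
    except PermissionError:
        results["after"] = "blocked"
    results["legitimate"] = resolve_share_path("docs/readme.txt")
    revert_micropatch(globals(), "resolve_share_path")
    results["reverted"] = resolve_share_path("../../etc/passwd")
    return results


if __name__ == "__main__":
    for step, outcome in demonstrate().items():
        print("%-12s %s" % (step, outcome))
```

The guard is deliberately kept separate from the wrapper: the wrapper is generic plumbing, the guard is the few lines a researcher writes from the public vulnerability description, which is the division of labour the text describes.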

“Our technology called 0patch is a result of the frustration about the fact that it’s just as easy to break into networks as it was 15 years ago,” says Mitja Kolsek, Managing Director of ACROS Security. With the micropatch platform, there is an incentive for researchers to document vulnerabilities and design patches to fix them. In return they get compensation from the users of these micropatches.

Patching software might not sound very innovative; nevertheless, this very process is still one of the biggest sore points of IT security.

And there are further extension possibilities: in IT security research, concepts are being tested that automatically find gaps in code and propose corresponding micropatches. Such technologies could also be incorporated into quality assurance processes.

Modern protection for legacy systems

One does not like to talk about it, but in almost every infrastructure there are legacy systems in the form of old applications or software packages which are no longer supported. In the days of mainframes, old code was simply carried along with compatibility layers. This is still happening today, just without room-filling computers. The 0patch platform is especially interesting for these applications. With the help of micropatches, vulnerabilities can be closed even without the support of a vendor. A far more beneficial option than waiting and hoping that lightning will strike somewhere else.

European Premiere: Workshop 0patch platform for users

As part of its 10th anniversary, the DeepSec In-Depth Security Conference offers high-caliber trainings to its participants. Among other things, there is the workshop “Do-It-Yourself Patching: Writing Your Own Micropatch”, held by Mitja Kolsek and other developers of 0patch. It is a training with practical examples from the working world. You learn how to create unofficial micropatches based on real vulnerabilities and to apply them correctly, even during runtime. The workshop focuses on software for Microsoft® Windows, but it will provide examples for all platforms. The content is intended for security researchers as well as users from IT departments. Software developers are also welcome to participate and get to know the system. After all, a micropatch can help both vendors and customers to save precious time and avoid uncertainties.

Annual meeting of international renowned security experts in Vienna

The topics of this year’s DeepSec trainings range from WLAN attacks, patches, cryptography, targeted attacks on Apple’s iPhone and IoT devices, Windows PowerShell for attackers, network technology for secure web application development to social engineering. International trainers bring their expertise to the heart of Europe, thereby providing you with a unique training opportunity.

And then there’s the two-day conference filled with lectures from all areas of IT Security. The keynote will be given by Marcus Ranum, who set up the first e-mail server for, and will reflect upon over 30 years of IT security.

The complete conference program is available on:

The workshops will be held on 8th/9th November 2016
The conference takes place on 10th/11th November 2016
Venue: The Imperial Riding School Vienna – A Renaissance Hotel
Ungargasse 60
1030 Vienna

DeepSec2016 Talk: AMSI: How Windows 10 Plans To Stop Script Based Attacks and How Good It Does That – Nikhil Mittal

In his talk Nikhil Mittal will focus on AMSI: in Windows 10, Microsoft introduced the Antimalware Scan Interface (AMSI), which is designed to target script based attacks and malware. Script based attacks have been lethal for enterprise security and, with the advent of PowerShell, such attacks have become increasingly common.

AMSI targets malicious scripts written in PowerShell, VBScript, JScript, etc. It drastically improves the detection and blocking rate of malicious scripts. When a piece of code is submitted for execution to the scripting host, AMSI steps in and scans the code for malicious content. What makes AMSI effective is that no matter how obfuscated the code is, it needs to be presented to the script host in clear text and unobfuscated. Moreover, since the code is submitted to AMSI just before execution, it doesn’t matter if the code comes from disk, memory or was entered interactively. AMSI is an open interface and Microsoft says any application will be able to call its APIs. Currently Windows Defender uses it on Windows 10.

Has Microsoft finally killed script-based attacks? Or are there even ways to bypass AMSI? We asked Nikhil Mittal a few questions about his talk.
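Because AMSI is an open interface, any program can make the same call the PowerShell host makes just before it executes a script block. The following Python is an added example for this page, not code from the talk or from Microsoft: it drives amsi.dll through ctypes, hands a buffer to whatever provider is registered (Windows Defender on a stock Windows 10 box) and interprets the AMSI_RESULT the way the SDK’s AmsiResultIsMalware() macro does. The application and content names passed in are arbitrary labels chosen for the example; the test string is Microsoft’s published AMSI test sample, which behaves like EICAR and is not malware. The scan itself only works on Windows; the result classification runs anywhere.

```python
"""Calling the Antimalware Scan Interface (AMSI) directly, the way a script host does."""
import ctypes
import sys

# Result codes from amsi.h in the Windows SDK.
AMSI_RESULT_CLEAN = 0
AMSI_RESULT_NOT_DETECTED = 1
AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384
AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479
AMSI_RESULT_DETECTED = 32768

# Microsoft's harmless AMSI test string; AMSI providers are expected to flag it
# (the AMSI counterpart of the EICAR test file).
AMSI_TEST_SAMPLE = "AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386"


def result_is_malware(result: int) -> bool:
    """Same rule as the AmsiResultIsMalware() macro: DETECTED and above mean block."""
    return result >= AMSI_RESULT_DETECTED


def result_label(result: int) -> str:
    """Human-readable name for an AMSI_RESULT value."""
    if result == AMSI_RESULT_CLEAN:
        return "clean"
    if result == AMSI_RESULT_NOT_DETECTED:
        return "not detected"
    if AMSI_RESULT_BLOCKED_BY_ADMIN_START <= result <= AMSI_RESULT_BLOCKED_BY_ADMIN_END:
        return "blocked by admin"
    if result_is_malware(result):
        return "detected"
    return "unknown (%d)" % result


def amsi_scan(content: str, content_name: str = "demo.ps1", app_name: str = "amsi-demo") -> int:
    """Submit `content` to the registered AMSI provider and return the raw AMSI_RESULT.

    Mirrors the AmsiScanBuffer call a script host makes right before execution: the buffer
    is the script text as UTF-16, no matter whether it came from disk, memory or the console.
    `content_name` and `app_name` are labels the provider may log; chosen here for the example.
    """
    if sys.platform != "win32":
        raise OSError("AMSI (amsi.dll) is only available on Windows 10 and later")
    amsi = ctypes.WinDLL("amsi")
    # Prototypes from amsi.h. An HRESULT restype makes ctypes raise OSError on failure.
    amsi.AmsiInitialize.argtypes = [ctypes.c_wchar_p, ctypes.POINTER(ctypes.c_void_p)]
    amsi.AmsiInitialize.restype = ctypes.HRESULT
    amsi.AmsiOpenSession.argtypes = [ctypes.c_void_p, ctypes.POINTER(ctypes.c_void_p)]
    amsi.AmsiOpenSession.restype = ctypes.HRESULT
    amsi.AmsiScanBuffer.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_ulong,
                                    ctypes.c_wchar_p, ctypes.c_void_p, ctypes.POINTER(ctypes.c_int)]
    amsi.AmsiScanBuffer.restype = ctypes.HRESULT
    amsi.AmsiCloseSession.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    amsi.AmsiCloseSession.restype = None
    amsi.AmsiUninitialize.argtypes = [ctypes.c_void_p]
    amsi.AmsiUninitialize.restype = None

    context = ctypes.c_void_p()
    amsi.AmsiInitialize(app_name, ctypes.byref(context))
    session = ctypes.c_void_p()
    amsi.AmsiOpenSession(context, ctypes.byref(session))
    raw = content.encode("utf-16-le")          # script hosts hand AMSI the UTF-16 script text
    buf = ctypes.create_string_buffer(raw, len(raw))
    result = ctypes.c_int()
    try:
        amsi.AmsiScanBuffer(context, ctypes.cast(buf, ctypes.c_void_p), len(raw),
                            content_name, session, ctypes.byref(result))
    finally:
        amsi.AmsiCloseSession(context, session)
        amsi.AmsiUninitialize(context)
    return result.value


if __name__ == "__main__":
    for sample in ("Write-Output 'hello'", AMSI_TEST_SAMPLE):
        code = amsi_scan(sample)
        print("%-58.58r -> %s (%d)" % (sample, result_label(code), code))
```

What comes back depends entirely on the provider: with Defender’s real-time protection running, the test sample is reported as detected and the benign line as not detected; with no provider active, nothing is flagged, which is also why the interview below notes that AMSI is only as good as the signature-based engine behind it.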

Please tell us the top 5 facts about your talk.

  • The talk is about AMSI (Antimalware Scan Interface), an interface present by-default on Windows 10 machines which can work with antivirus on a machine.
  • AMSI enables the scanning of a script through an antivirus present on the machine, regardless of the input method (memory, disk or manual) used for loading the script.
  • AMSI steps in when a script is submitted to the corresponding script host – which makes bypass techniques like obfuscation less effective.
  • Even if PowerShell scripts are executed without using powershell.exe, AMSI can still catch the scripts.
  • Fellow researchers have already discovered bypasses/avoidance for AMSI. It is still dependent on the signature-based detection of the antivirus.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I use PowerShell a lot during penetration testing engagements, and while testing one of my PowerShell scripts on a Windows 10 machine, I noticed that it was being blocked even when loaded from memory. On investigation, I stumbled upon AMSI (Antimalware Scan Interface), the Microsoft technology enabled by default on Windows 10 machines, which is designed to stop script based attacks which utilize PowerShell, VBScript, JScript etc. This talk is a result of my and other hackers’ experiments with AMSI.

Why do you think this is an important topic?

Script based attacks are widely used both by the good and by the bad guys. Scripts like those for PowerShell are generally hard to detect because of various functionalities available in PowerShell, which allow the scripts to be loaded from memory and not from disk. AMSI is an important step towards thwarting such script based attacks because it has the capability to detect malicious scripts even from memory.

Is there something you want everybody to know – Some good advice for our readers maybe?

Spread awareness about abuse of legit functionality of office software, scripts, email clients etc. among your family and your organization. More people and organizations get hacked through the abuse of functionalities than by an 0-day.

A prediction about the future – What do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?

I am quite sure Microsoft is taking note of the developments related to AMSI. I expect the cat and mouse game to continue. There will be more fixes and more bypasses. But ultimately, the overall security of Windows boxes is definitely going to improve with AMSI.

Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His areas of interest include penetration testing, attack research, defence strategies and post exploitation research. He has 8+ years of experience in penetration testing for his clients, which include many global corporate giants. He is also a member of the Red Teams of selected clients.

He specializes in assessing security risks in secure environments which require novel attack vectors and an “out of the box” approach. He has worked extensively on using Human Interface Devices (HIDs) in penetration tests and PowerShell for post exploitation. Nikhil is the creator of Kautilya, a toolkit which makes it easy to use HIDs in penetration tests, and of Nishang, a post exploitation framework in PowerShell. In his spare time, he researches new attack methodologies and updates his tools and frameworks.

He has spoken at conferences like Defcon, BlackHat, CanSecWest, DeepSec and more.
He blogs on


DeepSec 2016 Talk: TLS 1.3 – Lessons Learned from Implementing and Deploying the Latest Protocol – Nick Sullivan

Version 1.3 is the latest Transport Layer Security (TLS) protocol, which allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. TLS is the S in HTTPS. TLS was last changed in 2008, and a lot of progress has been made since then. CloudFlare will be the first company to deploy this on a wide scale. In his talk Nick Sullivan will discuss the insights his team gained while implementing and deploying this protocol. Nick will explore the differences between TLS 1.3 and previous versions in detail, focusing on the security improvements of the new protocol as well as some of the challenges his team faces around securely implementing new features such as 0-RTT resumption. He’ll also demonstrate an attack on the way some browsers have chosen to implement TLS 1.3. We asked Nick some questions about his topic of interest.
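One of the security improvements mentioned above is visible from the client side: TLS 1.3 removed every cipher suite that is not an AEAD construction, so pinning a client to 1.3 also pins it to AEAD. The following Python is an added example for this page, not CloudFlare’s or the talk’s code: it builds a client context that refuses anything older than TLS 1.3, lists what that context can still negotiate, and reports what a live handshake actually agreed on. The host name passed to `handshake_report` is whatever you choose to test against; that function needs network access and is the only part not exercised offline. Python’s `ssl` module exposes no 0-RTT early data, so the resumption challenge from the abstract cannot be reproduced here; the rule a practitioner should carry away is that anything sent in 0-RTT can be replayed, so only idempotent requests belong in it.

```python
"""Pin a client to TLS 1.3 and verify what the context can actually negotiate."""
import socket
import ssl

# Protocol names as reported by SSLContext.get_ciphers(), mapped to TLSVersion values.
_PROTOCOL_VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def tls13_only_context() -> ssl.SSLContext:
    """Client context that refuses anything older than TLS 1.3; certificate and host name
    verification from create_default_context() stay switched on."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def negotiable_suites(ctx: ssl.SSLContext) -> list:
    """Cipher suites the context can still offer, given its minimum protocol version.
    get_ciphers() lists the whole configured cipher list, so filter by the version floor."""
    floor = int(ctx.minimum_version)
    suites = []
    for cipher in ctx.get_ciphers():
        version = _PROTOCOL_VERSIONS.get(cipher["protocol"])
        if version is not None and int(version) >= floor:
            suites.append(cipher)
    return suites


def non_aead_suites(ctx: ssl.SSLContext) -> list:
    """Names of negotiable suites that are not AEAD; empty for a TLS 1.3-only context."""
    return [c["name"] for c in negotiable_suites(ctx) if not c["aead"]]


def handshake_report(host: str, port: int = 443, ctx: ssl.SSLContext = None) -> dict:
    """Connect to host:port and report what was really negotiated (needs network access)."""
    ctx = ctx or tls13_only_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return {
                "version": tls.version(),      # "TLSv1.3" or the handshake fails
                "cipher": name,
                "secret_bits": bits,
                "resumed": tls.session_reused,  # True when a session ticket was accepted
            }


if __name__ == "__main__":
    strict = tls13_only_context()
    print("TLS 1.3 context can negotiate:", [c["name"] for c in negotiable_suites(strict)])
    print("non-AEAD suites left:", non_aead_suites(strict))
    loose = ssl.create_default_context()
    print("default context non-AEAD suites:", non_aead_suites(loose))
```

Running the comparison against `ssl.create_default_context()` shows why the advice “it’s easy to configure them insecurely” matters: the default context is fine for most uses but still lists TLS 1.2 CBC suites, which a server that prefers them can select.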

Please tell us the top 5 facts about your talk.

  • You’ll learn about the process of defining an IETF standard
  • We’ll explore why AEAD is one of the most important terms in transport security
  • I’ll demonstrate how to share connections between C and Go processes
  • I’ll share real world data about the benefits of TLS 1.3
  • We’ll explore the term “DJB all the things”

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I’ve been working with my team on building a TLS 1.3 implementation for most of the year and thought DeepSec would be a great venue to showcase our work.

Why do you think this is an important topic?

TLS is often the last defence for data sent on the Internet; fixing it and raising the profile of the new version are very important for the future of security online.

Is there something you want everybody to know – Some good advice for our readers maybe?

Cryptography protocols and best practices are constantly changing; it’s easy to configure them insecurely.

A prediction about the future – what do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?

I hope TLS 1.3 gets adopted quickly. The performance gain will be a strong motivator for that. But that also means that TLS 1.3 is probably the last update to TLS that brings something significant other than security benefits, so hopefully we got the security right.


Nick Sullivan is a leading cryptography and security technologist. He currently works on cryptographic products and strategy for CloudFlare. Previously, he held the prestigious title of “Mathemagician” at Apple, where he encrypted books, songs, movies and other varieties of mass media.

DeepSec 2016 Talk: Where Should I Host My Malware? – Attila Marosi

The growth of IoT devices continues to raise questions about their role and impact on cybersecurity. Badly configured devices are easy targets for malicious actors. At first glance, launching an attack against IoT devices seems challenging due to the diversity of their ecosystem, but in practice such an attack is very easy to execute. In his talk Attila Marosi will explain why the IoT is a cybercriminal’s paradise:

“In our SophosLabs research, we focused on a very generic attack scenario that would affect almost any device using FTP services – your router or network-attached storage (NAS) for example. These attacks typically exploit the level of trust people place in any content hosted on internal network shares. A successful attacker would abuse or compromise a default FTP guest account, place a “Trojan horse” in a visible file share and rely on human curiosity for the rest to happen. In many cases, root folders for FTP and WWW services are the same, a fact which makes it even easier for the attacker. Since many of the IoT devices publicly expose FTP services world-wide, this fairly unsophisticated attack can result in a large number of infected “things” and provide great value to cybercriminals.

To assist our research, we developed an IoT scanning framework (“ScanR”) which is able to perform large scale network probes to assess the state of open FTP services and identify how many of them have been compromised. In our latest test, we utilized ScanR against 3 million open FTP servers to determine the type of the device and the state of its security. The results are far worse than we’d expected.

Over 90% of the unprotected devices were found to be infected with at least one malware threat or exhibiting the signs of an attack. In this talk, we’ll reveal the results of the research, exposing the number of vulnerable devices and gigabytes of storage now freely available to attackers. We’ll also share the technical results of the malware analysis.

In summary, this talk will provide an insight into how very old Internet protocols are being exploited via modern internet connected “things”, explain the risks for home and corporate users and suggest recommendations on how businesses and private users could better protect themselves against these unsophisticated, but dangerous and highly successful attack scenarios.

Attila Marosi has worked in the information security field ever since he started working in IT. As an active-duty lieutenant he worked for almost a decade on special information security tasks within the Special Service for National Security. Later he was transferred to the newly established GovCERT-Hungary, which is an additional national level in the internationally known system of CERT offices. Now he works for SophosLabs as a Senior Threat Researcher in the Emerging Threats Team, providing novel solutions to the newest threats.

Attila holds several international certificates such as CEH, ECSA, OSCP and OSCE. In his free time he reads trade journals and teaches at different levels; at the top level he teaches white hat hackers. He has given talks at many security conferences including DeepSec, AusCERT, Hacktivity, Troopers, HackerHalted and NullCon.

DeepSec 2016 Talk: Unveiling Patchwork – Gadi Evron

Nation state attacks are very popular – in the news and in reality. High gain, low profile, maximum damage. From the point of information security it is always very insightful to study the anatomy of these attacks once they are known. Looking at ways components fail, methods adversaries use for their own advantage, and thinking of possible remedies strengthens your defence. At DeepSec 2016 Gadi Evron will share knowledge about an operation that went after government systems all around the world.

Patchwork is a highly successful nation state targeted attack operation, which infected approximately 2,500 high-value targets, such as governments, worldwide. It is the first targeted threat captured using a commercial cyber deception platform. In his talk Gadi Evron will share how deception was used to catch the threat actor and, later on, to capture their second stage malware and lateral movement activity. Examining this threat actor is especially interesting: on the one hand it displayed an extremely sophisticated intelligence and operational capability, carefully choosing targets, successfully compromising them, and scaling the operation; on the other hand, technologically their toolset is built like a patchwork quilt, a combination of snippets of code taken from various online forums and from GitHub that any kid off the street could build.

Patchwork is not a hypothetical attack. It already happened, and it is real. We recommend this presentation to anyone involved in defending networks and systems. Learn from actual incidents.


Gadi is the Founder and CEO of Cymmetria, a cyber security startup that is pioneering the space of cyber deception. He is also Founder and Chairman of the Board of the Israeli CERT, Founding Chairman of the Cyber Threat Intelligence Alliance (CTIA), and Founder of the Israeli Government CERT. Gadi is widely recognized for his work in Internet security operation and global incident response, and is considered the first botnet expert.

Prior to founding Cymmetria, Gadi was VP of Cybersecurity Strategy for Kaspersky Lab, led PwC’s Cyber Security Center of Excellence (located in Israel), and was CISO of the Israeli government’s Internet operations. He has authored two books on the topic of information security, organizes global professional working groups, chairs worldwide conferences, and is a frequent lecturer.

DeepSec 2016 Talk: Exploiting First Hop Protocols to Own the Network – Paul Coggin

At DeepSec 2016 Paul Coggin will focus on how to exploit a network by targeting the various first hop protocols. Attack vectors for crafting custom packets as well as a few of the available tools for layer 2 network protocol exploitation will be covered.

Paul will provide you with defensive mitigations and recommendations for adding secure visualization and instrumentation for layer 2. He kindly answered a few questions beforehand:

Please tell us the top facts about your talk.

The presentation focuses on commonly overlooked layer 2 security issues. In many cases penetration testers and auditors focus on the upper layers of the OSI model and miss the low hanging fruit at layer 2. The talk will cover both offensive exploit techniques and methods for securing networks. Multicast switching and routing protocols, router redundancy protocols, IPv6 and other protocols will be discussed.
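The talk’s point is that a few minutes of looking at the first hop is enough; the converse, a check the blue team can run continuously, is just as short. The following Python is an added example for this page, not the speaker’s code or tooling: it decodes raw Ethernet frames far enough to pick out IPv6 Router Advertisements and flags the ones that should not be on the segment, using two rules from RFC 4861 (an RA comes from a link-local source and arrives with hop limit 255; anything lower was forwarded or forged) plus an allowlist of the routers you actually operate. The allowlist MAC, the frame builder and the sample frames are all constructed for the example (checksums are left zero), so it runs offline; on a live network you would feed it frames from a pcap or a raw socket.

```python
"""Rogue IPv6 Router Advertisement check over raw Ethernet frames (first-hop monitoring)."""
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ICMPV6_ROUTER_ADVERTISEMENT = 134

# Assumed allowlist of the legitimate first-hop routers on this segment (constructed).
KNOWN_ROUTER_MACS = {"00:11:22:33:44:01"}


def _mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def parse_router_advertisement(frame: bytes):
    """Return the fields a first-hop check needs from an RA frame, or None if it is not an RA.
    Only the fixed headers are decoded; RA options (prefix, MTU, RDNSS) are ignored here."""
    if len(frame) < 14 + 40 + 16:                   # Ethernet + IPv6 + fixed RA header
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV6:
        return None
    ip6 = frame[14:54]
    if ip6[0] >> 4 != 6 or ip6[6] != IPPROTO_ICMPV6:  # version nibble, next header
        return None
    icmp = frame[54:]
    if icmp[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return None
    _cur_hop, flags, router_lifetime = struct.unpack("!BBH", icmp[4:8])
    return {
        "src_mac": _mac(src),
        "src_ip": ipaddress.IPv6Address(ip6[8:24]),
        "dst_ip": ipaddress.IPv6Address(ip6[24:40]),
        "hop_limit": ip6[7],                        # hop limit of the packet carrying the RA
        "router_lifetime": router_lifetime,
        "managed_flag": bool(flags & 0x80),
    }


def check_router_advertisement(ra: dict, known_macs=KNOWN_ROUTER_MACS) -> list:
    """Findings for one RA; an empty list means one of our routers talking normally."""
    findings = []
    if ra["src_mac"] not in known_macs:
        findings.append("RA from unknown router MAC %s" % ra["src_mac"])
    if not ra["src_ip"].is_link_local:
        findings.append("RA source %s is not link-local" % ra["src_ip"])
    if ra["hop_limit"] != 255:
        # RFC 4861: RAs must arrive with hop limit 255; lower means forwarded or forged.
        findings.append("hop limit %d instead of 255" % ra["hop_limit"])
    return findings


def build_ra_frame(src_mac: str, src_ip: str, hop_limit: int = 255,
                   router_lifetime: int = 1800) -> bytes:
    """Constructed sample RA to all-nodes multicast, no options, checksum left zero."""
    icmp = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0,
                       router_lifetime, 0, 0)
    src = ipaddress.IPv6Address(src_ip).packed
    dst = ipaddress.IPv6Address("ff02::1").packed
    ip6 = struct.pack("!IHBB", 6 << 28, len(icmp), IPPROTO_ICMPV6, hop_limit) + src + dst
    eth = (bytes.fromhex("333300000001") + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV6))
    return eth + ip6 + icmp


def audit_frames(frames, known_macs=KNOWN_ROUTER_MACS) -> list:
    """Run the check over a batch of frames; returns (index, findings) for each suspicious RA."""
    suspicious = []
    for index, frame in enumerate(frames):
        ra = parse_router_advertisement(frame)
        if ra is None:
            continue
        findings = check_router_advertisement(ra, known_macs)
        if findings:
            suspicious.append((index, findings))
    return suspicious


if __name__ == "__main__":
    sample = [
        build_ra_frame("00:11:22:33:44:01", "fe80::211:22ff:fe33:4401"),       # our router
        build_ra_frame("de:ad:be:ef:00:01", "fe80::1", hop_limit=64),           # rogue RA
        build_ra_frame("de:ad:be:ef:00:02", "2001:db8::1", router_lifetime=0),  # off-link source
    ]
    for index, findings in audit_frames(sample):
        print("frame %d: %s" % (index, "; ".join(findings)))
```

The same three-field check (who sent it, where from, with what hop limit) carries over to the other first-hop protocols the talk covers; what changes is the header offset and the allowlist, not the logic.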

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

The talk was inspired by numerous penetration testing projects where up to 8 high level vulnerabilities were identified within a few minutes by simply running Wireshark on networks. It became obvious that the red and blue teams are failing to address layer 2 security.

Why do you think this is an important topic?

In my experience a network can be fully patched with secure apps and OS but the first hop layer 2 protocol vulnerabilities are overlooked.

Is there something you want everybody to know about your topic – Some good advice for our readers maybe?

If you are an experienced AppSec security professional interested in learning how to test and secure lower layers of the OSI stack this talk should be of interest to you. Anyone that is new to INFOSEC and desiring to learn a few new tricks to make immediate impact on their team should definitely attend this talk.

A prediction for the future – What do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?

I am very interested in how software defined networks (SDN) and network function virtualization (NFV) will affect both enterprise and service provider networks. Centralized control and automation will enable many network infrastructure and protocol issues to be resolved in a timely manner. At the same time new attack surfaces and attack vectors will be developed for the new architectures as they are deployed.

Paul Coggin is an Information Security Engineer. His expertise includes tactical, service provider and ICS/SCADA network infrastructure attacks and defenses as well as large complex network design and implementation. His experience includes leading network architecture reviews, vulnerability analysis and penetration testing engagements for critical infrastructure and tactical networks.


DeepSec2016 Talk: Security and Privacy in the Current E-Mobility Charging Infrastructure – Achim Friedland

All of information technology depends on electric power. Your servers will turn into expensive door stoppers once the power goes out. The same is true for your mobile devices and the hardware you use to get around. Hence there are efforts to extend the power grid to accommodate the demand of new and emerging technologies. The charging infrastructure requires some security considerations. You cannot simply plug a cable into any power socket, throw it out of the window, and use it for charging unknown devices and vehicles. It’s a bit more complicated. At DeepSec 2016 Achim Friedland will give you an overview of what charging really means.

In his talk Achim Friedland focuses on the emerging market of smart and electric mobility as an interesting area of research and development for both academia and startups. Our society, he says, needs to change its ways of transport and mobility in order to save our climate and to allow everyone on this planet to enjoy the possibilities of modern mobility. Multiple different solutions have already been implemented, but neither a clear market player nor a proven and widely adopted standard or best practice exists today. Sadly, most players in the market are primarily creating gated communities of e-mobility providers, navigation system providers and charging station operators which do not share much data or knowledge. As anyone can imagine, security, privacy and usability are therefore not the primary focus of these cartels, even when they are partly funded by public money.

This talk will focus on the security and privacy aspects of e-mobility charging infrastructure. From the authentication process, via reservation and the start of a charging process, up to billing and fraud detection, this talk will give an overview of which (personal) data will be transmitted, why, and whether this might be a security or privacy issue (in the future).
The talk will further give an overview of how current ICT solutions (ISO/IEC 15118, OCPP, OICP, OCPI, OIOI, OCHP, …) handle those requirements and what could be done to improve the current situation. It will also give a short introduction to a new protocol design called World Wide Charging Protocol Suite, which tries hard not only to be a superset of all current protocols, but also to be a security and privacy by design approach for an enjoyable e- and smart mobility future.

Achim Friedland has a degree in computer science from the Technical University of Ilmenau, Germany. He has a strong interest in computer networking and security and has published several papers in this field. He left academia to lead R&D in two data-driven startups (graph databases and renewable energy). Now he has started his own company in the field of smart mobility, open data and privacy.

DeepSec2016 Workshop: Offensive PowerShell for Red and Blue Teams – Nikhil Mittal

Penetration Tests and Red Team operations for secured environments need altered approaches, says Nikhil Mittal. You cannot afford to touch disks, throw executables and use memory corruption exploits without the risk of being ineffective as a simulated adversary. To enhance offensive tactics and methodologies, PowerShell is the tool of choice.

PowerShell has changed the way Windows networks are attacked – it is Microsoft’s shell and scripting language available by default in all modern Windows computers and can interact with .Net, WMI, COM, Windows API, Registry and other computers on a Windows Domain. This makes it imperative for Penetration Testers and Red Teams to learn PowerShell.

Nikhil Mittal’s training is aimed at attacking Windows networks using PowerShell. It is based on real-world penetration tests and Red Team engagements for highly secured environments. We asked Nikhil a few questions about his course.

Please tell us the top 5 facts about your workshop.

  • The course uses an online lab where students can get some real hands-on experience.
  • A PowerShell cheatsheet will be shared with the students, which is useful for penetration testers.
  • The workshop includes multiple real world scenarios which allow students, especially those on blue teams, to understand the tactics of adversaries.
  • Those students who are part of red teams and want to include PowerShell in their arsenal will enjoy breaking different servers and active directory trusts.
  • The course uses updated Windows 2012 R2 servers. We break the latest and the greatest.

How did you come up with it? Was there something like an initial spark that set your mind on creating this workshop?

PowerShell is the tool/script to go for if a security professional wants to test the security of his organization. I have been using it since 2011 in my penetration tests. I have always observed a lack of awareness in both Red Teams and Blue Teams when it comes to the security capabilities of PowerShell. That’s why I decided to create a workshop on this topic.

Why do you think this is an important topic?

PowerShell is present by default on all modern Windows operating systems. It comes in very handy to know a tool which is very much integrated into the Windows OS and Active Directory environment. Regardless of whether one belongs to offensive or defensive security, it is imperative to learn PowerShell.

Is there something you want everybody to know about your training – some good advice for our readers maybe?

My training comes with a free one month access to my online lab. The lab mimics a live Active Directory environment with various real world penetration test scenarios.

A prediction about the future – What do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your workshop?

PowerShell attacks are here to stay! Although Microsoft has introduced some very interesting and useful security features for PowerShell, to learn how to use this tool / script properly is going to be equally useful for both Red and Blue teams for a long time.

Here’s a list of some of the techniques, implemented using PowerShell, which will be used in the course (scroll to “course content” for more details):

  • In-memory shellcode execution using client side attacks
  • Exploiting SQL Servers (Command Execution, trust abuse, lateral movement.)
  • Using Metasploit payloads with no detection
  • Active Directory trust mapping, abuse and Kerberos attacks
  • Dump Windows passwords, Web passwords, Wireless keys, LSA Secrets and other system secrets in plain text
  • Using DNS, HTTPS, Gmail etc. as communication channels for shell access and exfiltration
  • Network relays, port forwarding and pivots to other machines
  • Reboot and Event persistence
  • Bypass security controls like Firewalls, HIPS and Anti-Virus.

This training aims to change how you test a Windows based environment. The course is a mixture of demonstrations, exercises, hands-on and lecture, focusing more on methodology and techniques than tools. After this training you’ll be able to write your own scripts and customize existing ones for security testing. Additionally, attendees will get free access to a complete Active Directory environment that lasts for one month.

Course Content
  • PowerShell Essentials and Getting a Foothold
  • Introduction to PowerShell
  • Language Essentials
  • Using ISE
  • Help system
  • Syntax of cmdlets and other commands
  • Variables, Operators, Types, Output Formatting
  • Conditional and Loop Statements
  • Functions
  • Modules
  • PowerShell Remoting and Jobs
  • Writing simple PowerShell scripts
  • Extending PowerShell with .Net
  • WMI with PowerShell
  • Playing with the Windows Registry
  • COM Objects with PowerShell
  • Recon, Information Gathering and the likes
  • Vulnerability Scanning and Analysis
  • Exploitation – Getting a foothold
  • Exploiting MSSQL Servers
  • Client Side Attacks with PowerShell
  • PowerShell with Human Interface Devices
  • Using Metasploit and PowerShell together

Day 2

  • Post Exploitation and Lateral Movement
  • Post-Exploitation – What PowerShell is actually made for
  • Enumeration and Information Gathering
  • Privilege Escalation
  • Dumping System and Domain Secrets
  • Kerberos attacks (Golden, Silver Tickets and more)
  • Backdoors and Command and Control
  • Pivoting to other machines
  • Poshing the hashes™
  • Replaying credentials
  • Network Relays and Port Forwarding
  • Achieving Persistence
  • Detecting and stopping PowerShell attacks
  • Quick System Audits with PowerShell
  • Security controls available with PowerShell
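As an added example for the defensive items on this outline (“Detecting and stopping PowerShell attacks” and “Security controls available with PowerShell”), the following script audits and enables the script block and module logging policies that give Blue Teams visibility into what PowerShell actually executes, and then pulls the most recent script block events. This is not code from the workshop or from Nishang; it assumes an elevated Windows PowerShell 5.x session on a Windows host, the standard policy registry paths under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell`, and the function names are my own.

```powershell
# Added example: audit and enable PowerShell logging controls, then read back
# recent script block events. Run from an elevated session.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Policy key -> value name that turns the control on.
$controls = [ordered]@{
    'ScriptBlockLogging' = 'EnableScriptBlockLogging'   # event 4104: script text
    'ModuleLogging'      = 'EnableModuleLogging'        # event 4103: pipeline execution
}

function Get-PSLoggingStatus {
    # Report whether each logging policy is set, plus the session's language mode
    # (ConstrainedLanguage is the restricted mode defenders usually aim for).
    foreach ($key in $controls.Keys) {
        $path  = Join-Path $policyRoot $key
        $name  = $controls[$key]
        $value = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{ Control = $key; Enabled = ($value -eq 1) }
    }
    [pscustomobject]@{
        Control = 'LanguageMode'
        Enabled = $ExecutionContext.SessionState.LanguageMode.ToString()
    }
}

function Enable-PSLoggingPolicy {
    # Create the policy keys if missing and set each control to 1 (DWORD).
    foreach ($key in $controls.Keys) {
        $path = Join-Path $policyRoot $key
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name $controls[$key] -Value 1 -Type DWord
    }
    # Module logging only records modules listed under ModuleNames; '*' means all.
    $moduleNames = Join-Path $policyRoot 'ModuleLogging\ModuleNames'
    if (-not (Test-Path $moduleNames)) { New-Item -Path $moduleNames -Force | Out-Null }
    Set-ItemProperty -Path $moduleNames -Name '*' -Value '*' -Type String
}

function Get-RecentScriptBlocks {
    param([int]$Count = 20)
    # Event 4104 carries the executed script block text in Properties[2];
    # long scripts are split into several numbered 4104 events.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id      = 4104
    } -MaxEvents $Count |
        Select-Object TimeCreated,
                      @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
}

Get-PSLoggingStatus
Enable-PSLoggingPolicy
Get-PSLoggingStatus
Get-RecentScriptBlocks -Count 5
```

The policy values written here are the same ones Group Policy sets, so a domain GPO will overwrite them on the next refresh; on managed hosts treat the script as an audit tool and push the settings through GPO instead. Script block logging records the de-obfuscated text of each block as it is compiled, which is why it is the control most useful against the in-memory techniques the course lists.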

Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His areas of interest include penetration testing, attack research, defence strategies and post exploitation research. He has 8+ years of experience in Penetration Testing for his clients, which include many global corporate giants. He is also a member of the Red teams of selected clients.

He specializes in assessing security risks at secure environments which require novel attack vectors and an “out of the box” approach. He has worked extensively on using Human Interface Device in Penetration Tests and PowerShell for post exploitation, and is the creator of Kautilya, a toolkit which makes it easy to use HIDs in penetration tests and Nishang, a post exploitation framework in PowerShell. In his spare time, Nikhil researches on new attack methodologies and updates his tools and frameworks.

He has spoken at conferences like Defcon, BlackHat, CanSecWest, DeepSec and more.
He blogs at

Smart Homes are the battlefield of the future – DeepSec Conference examines the Internet of Things

The Internet of Things is knocking at your door. Many businesses and private individuals have already admitted IoT to their offices and homes, unfortunately often without knowing what they’ve let themselves in for. A naive belief in progress opens all gates, doors and windows to attackers. This is a serious matter. Therefore, DeepSec Conference will focus on this topic on the occasion of its 10th anniversary. The program includes lectures and workshops about the components of smart devices, smart houses and smart networks. Not all products come with a solid security concept. How do you test whether your devices function properly? What are the consequences of the total conversion to “smart”? How do you proceed correctly to select appropriate systems?

Hacked by your fridge

Spectacular burglaries have always been the best material for screenplays. We know the scene where the protagonist floats on ropes over a light barrier and has to apply all kinds of special tricks to reach her goal. Several films portray hackers who operate the most sophisticated technology with enormous effort to penetrate a network and copy data. This scenario might soon be a thing of the past. With the networking of kettles, refrigerators, scales, toy dolls, phones, televisions, washing machines or toothbrushes the level of difficulty has dropped considerably. Be it because of the design or because of the limited capabilities of its hardware, everyday objects were never meant to defend your living room or office space against attackers.

Early adopters have never been bothered by this. But now the Internet of Things with all its components and implications slowly becomes the norm. Therefore, it’s high time to deal with its security concept.

Striking deficiencies in applied cryptography

An important component of information security is still used improperly: we’re talking about cryptographic methods for authentication, encryption and decryption. Since foreign networks naturally don’t advertise their level of trust, one can no longer communicate in plain text and without signatures, at the latest since the publication of the Snowden documents. The same applies nowadays to everyday objects and their servers, as well as to websites and apps on smartphones.
For this very reason the DeepSec conference offers lectures and workshops for decision makers, developers and engineers to advise and actively support them. Even without mathematics you must be able to properly assemble the building blocks of good security design. Even motorists without a degree in chemistry know the difference between petrol and diesel. The same principle should hold true for the development department. The lecturers also want to provide the impetus to question existing configurations and their contents. Nothing has been built to last forever.
Alas, Secure Coding in itself is no longer sufficient to help companies and their products on the IoT market survive in the modern networked world. You have to get the design right in the first place.

Smart Weather: Sunny with cloudy intervals

Cloud systems will also be critically examined at DeepSec Conference. Nowadays many approaches no longer rely on local data management. Therefore, web browsers, web applications and the user interfaces of local devices are inevitably affected. The word cloud comprises a number of technologies, which are automatically included in the presented scenarios. From the viewpoint of information security, the problems have only moved to a different area. But you have to deal with them anyway.
The conference program bridges Cloud systems, the Internet of Things and the intelligent protection of data hosted by external service providers. Machines are not only a threat, but can be used to protect your own infrastructure. Adaptive algorithms have been hotly debated in recent months. Expert lecturers will explain how to use these tools properly and inform you about their limitations.

In-depth conference programme

On the occasion of the 10th DeepSec Conference ten two-day workshops were added to the program. Topics range from wireless attacks, fixing vulnerabilities with patches, cryptography, targeted attacks on Apple’s iPhone and IoT devices, Windows PowerShell for attackers / defenders, network technology, secure web application development to social engineering. International trainers bring their expertise to the heart of Europe, thereby providing you with a unique training opportunity.
And then there’s the two-day conference program full of presentations from all areas of IT Security.

The keynote will be given by Marcus Ranum, who set up the first email server for, and will reflect over 30 years of IT Security.

Here’s the link to the entire program:
DeepSec Workshops: 8/9 November 2016.

DeepSec Conference: 10/11 November 2016.

Venue: The Imperial Riding School Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Wien.

Tickets are available online:
If you need any further information please don’t hesitate to contact us.
DeepSec GmbH


DeepSec 2016 Talk: The Perfect Door and The Ideal Padlock – Deviant Ollam

You have spent lots of money on a high-grade pick-resistant lock for your door. Your vendor has assured you how it will resist attack and how difficult it would be for someone to copy your key. Maybe they’re right. But… the bulk of attacks that both penetration testers and also criminals attempt against doors have little or nothing to do with the lock itself!

Deviant Ollam’s talk will be a hard-hitting exploration (full of photo and video examples) of the ways in which your doors and padlocks – the most fundamental part of your physical security – can possibly be thwarted by someone attempting illicit entry. The scary problems will be immediately followed by simple solutions that are instantly implementable and usually well within budget. You, too, can have a near-perfect door and acquire ideal padlocks… if you’re willing to learn and understand the problems that all doors and padlocks tend to have.

We asked Deviant a few questions beforehand.

Please tell us the top 5 facts about your talk.

  • Whole talk is from hard data and facts in the field, not theory.
  • Everything i show that’s wrong immediately gets a fix recommended.
  • Nothing in this talk costs more than about 200 EUR to fix, often much less.
  • I am hilarious on stage, but also educational.
  • I have stopped drinking beer… please only offer me wine or whisky after the talk.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Yes… we get into the little details so often when it comes to locks and lock designs, but so rarely do i find myself actually picking locks in the field. We typically get into buildings and containers in other ways. So why not talk about that? That stuff is way easier to fix.

Why do you think this is an important topic?

It instantly makes people able to eliminate or dramatically reduce the bulk of their physical weaknesses. It’s instantly-digestible, immediately actionable, and cheap to fix.

Is there something you want everybody to know – some good advice for our readers maybe?

Dear god, install Push-To-Exit buttons in your most secure spaces. And install them correctly. I’ll show you what i mean in the talk.

A prediction for the future – What do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?

More and more reliance on badge systems and electronic locks will be the norm. And unless badge credentials are secured properly, they are just as vulnerable. And we attack that stuff too 😉


While paying the bills as a security auditor and penetration testing consultant with The CORE Group, Deviant Ollam is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. His books “Practical Lock Picking” and “Keys to the Kingdom” are among Syngress Publishing’s best-selling pen testing titles. At multiple annual security conferences Deviant runs the Lockpick Village workshop area, and he has conducted physical security training sessions for Black Hat, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, ekoparty, AusCERT, GovCERT, CONFidence, the FBI, the NSA, DARPA, the National Defense University, the United States Naval Academy at Annapolis, and the United States Military Academy at West Point.

His favorite Amendments to the US Constitution are, in no particular order, the 1st, 2nd, 9th, & 10th.

Deviant’s first and strongest love has always been teaching. A graduate of the New Jersey Institute of Technology’s Science, Technology, & Society program, he is always fascinated by the interplay that connects human values and social trends to developments in the technical world. While earning his BS degree at NJIT, Deviant also completed the History degree program at Rutgers University.

DeepSec 2016 Workshop: Do-It-Yourself Patching: Writing Your Own Micropatch – Mitja Kolsek

The current state of updating software – be it operating systems, applications or appliances – is arguably much better than it was a decade ago, but apparently not nearly good enough to keep even the most critical systems patched in a timely manner – or at all, says Mitja Kolsek.

Official vendor updates are cumbersome, costly to apply, even more costly to revert and prone to breaking things as they replace entire chunks of a product. Enterprises are therefore left with extensive and expensive testing of such updates before they dare to apply them in production, which gives attackers an endless supply of “n-day” vulnerabilities with published exploit code.

Furthermore, for various entirely rational reasons, many organizations are using products with no security updates such as old Java runtimes, Windows XP, or expensive industry systems that still work perfectly well but are not supported any more by their vendor.

Fortunately, there is a better way to approach vulnerability patching, one that not just minimizes the risk, hassle and costs, but also allows 3rd parties with no access to source code to write a patch. It’s called micropatching and it injects or replaces tiny fractions of machine code within the memory of a running process to patch a vulnerability. (Or, why not, a functional defect in your unsupported application.) Sounds interesting! We asked Mitja for more information about his workshop.

Please tell us the top 5 facts about your workshop.

  • This is the first workshop in the history of computing that will teach people to write efficient, reliable patches for someone else’s closed-source code.
  • Using this knowledge, one can fix vulnerabilities that original vendors refuse to fix, or fix functional problems in unsupported product versions, which vendors would prefer to have fixed by selling an expensive new version.
  • Attendees will take apart a couple of widely-used software products, analyze vulnerabilities in them and create patches that will block proof-of-concept exploits. We will then rejoice over contributing to a more secure future while turning our patches on and off without relaunching the applications.
  • Attendees will make their first big steps towards becoming fully qualified code doctors, allowing them to fix functional or security issues on both their own or corporate computers, as well as to start a career as “bug fixers”, paying their bills and mortgages by fixing bugs for millions of other users.
  • In case it wasn’t obvious: Our plan is to equip security researchers and IT enthusiasts with tools and knowledge for actively fixing the growing problem of vulnerable and buggy closed-source code and code that needs fixing without restarting millions of computers or blocking millions of transactions.

How did you come up with it? Was there something like an initial spark that set your mind on creating this workshop?

Our team has been (legally) breaking into customers’ networks for over 15 years and we’re thoroughly disappointed that it is just as easy to break in today as it was when we began. It is easy and inexpensive to find an exploit for a vulnerability in a browser, reader or text editor these days that might have been patched by its vendor, but whose patch almost certainly hasn’t been applied in a big network yet. So this “security update gap”, as we call it, combined with a huge number of vulnerabilities that do not, and never will, have official fixes, makes the attacker’s job ever easier.

We wanted to turn the tables by “fixing the fixing” – finally bringing the way we’re patching vulnerabilities up to this century. So we’re building a micro-hot-patching platform that will enable any security enthusiast with some knowledge of reverse engineering and machine coding to fix a piece of code, even without access to its source code. This will take the “monopoly on fixing” from software vendors, and provide a foundation for a crowdpatching community, where security researchers will not only find bugs, but also fix them and get financially rewarded for it by those whose problems they actually solve: software users.

Why do you think this is an important topic?

Obviously, software fixing is not going to fix itself. It took a tremendous community effort and a lot of time to push at least the biggest software vendors, and at least for their supported software, from “occasional opportunistic updates” to “huge regular updates that often break stuff, require restarts, and are a pain to revert.” And this is about as far as vendors can be pushed, because now they can claim to be diligent and prompt in providing bug fixes, while it’s users’ fault if they’re not applying these fixes in a timely fashion. We need a different strategy for pushing things further towards actually fixing bugs (as opposed to just making fixes available), and we believe that micropatching is the most efficient solution as it minimizes the risk of functional problems, makes patches easy to review, requires no downtime for applying or removing patches – but most importantly, allows 3rd parties to fix bugs that were previously at the sole mercy of vendors’ business priorities.

Is there something you want everybody to know about your training?

Prepare to be dazzled – we’ve been doing this for over two years now but it still feels magical to witness a vulnerability getting patched, or unpatched, in a fraction of a second while the application is running. You’ll experience this on your own computer with a patch you write and compile yourself, and you will want to show it to everyone you meet (which might result in some awkward situations with strangers on the street outside the conference hotel).

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your workshop?

There’s still a long way to go before every computer, phone, deep space probe, car and IoT device down to the last smart toothpick supports micropatching, and a lot of obstacles to overcome, but the course is set and unless we want to stay in this ever-warmer patching hell we’re in now, we’d better start digging a way out. The growing availability of micropatching will lead to new research on automated micropatch generation and testing, including formal verification of patch correctness. Coupled with advances in automated vulnerability detection, we’re heading towards building a powerful global automated “IT immune system,” which will make attacks against code ridiculously expensive and a waste of effort. And then we’ll patch us, people – but that’s not until next year’s DeepSec workshop.

This year’s two-day workshop will teach you how to create a 3rd party “unofficial” micropatch for various known vulnerabilities in popular Windows software. We will start with a proof-of-concept document that triggers a vulnerability, determine the type of vulnerability (buffer overflow, use-after-free, format string…), find its root cause, and finally create a micropatch for it, which we’ll apply using the 0patch Agent.

You will learn how to approach patching of different types of security flaws, how to find a suitable patching location, and how to test a micropatch.

Attendees should have experience with reading assembly language (ideally also reverse engineering) and have their own Windows laptops with the following software installed:

  • Microsoft WinDbg 32bit version x.y.z (to be defined before the workshop)
  • Adobe Reader DC version x.y.z (to be defined before the workshop)
  • Foxit Reader version x.y.z (to be defined before the workshop)
  • 0patch Agent for Windows version x.y.z (to be defined before the workshop)
  • 0patch Factory version x.y.z (to be defined before the workshop)

But also do come if you happen to have a nasty functional defect in your expensive custom application that would cost you an arm and leg to update.

This workshop is suitable for security researchers, who will learn how to write micropatches for vulnerabilities they find, as well as for software vendors, who want to avoid the costly process of rebuilding, retesting and redeploying their product every time someone finds a vulnerability in it that could be fixed with a few machine instructions.

Mitja’s last 15 years of career comprise co-leading a small security outfit which ran APT-like attack simulations before China was guilty of everything, using SQL injection before it had a name, and discovering vulnerability types which were previously unknown. In addition to finding and exploiting vulnerabilities, his next 15 years will be augmented by fixing them. Most of all he’d like to leave information security some day in a state where it’ll be seriously difficult to break into a typical network deploying standard and inexpensive security solutions.


DeepSec2016 Talk: Java Deserialization Vulnerabilities – The Forgotten Bug Class – Matthias Kaiser

Most programming languages and frameworks have support for serialization of data. It’s quite handy for storing things to disk (or other media) and transporting them around a network for example. The process can be reversed, aptly called deserialization, in order to obtain the original pieces of data. Great. Even though this process sounds simple, there is a lot that can go wrong. First of all data can be manipulated. Subtle modifications can cause havoc when the data is touched. There is a lesser known class of bugs around deserialization and serialization techniques. Matthias Kaiser has some insights to share.

Java deserialization vulnerabilities are a bug class of their own. Although several security researchers have published details in the last ten years, the bug class is still fairly unknown. In early 2015 Chris Frohoff and Gabriel Lawrence made a huge step towards practical exploitation by finding a novel exploit technique in the widespread Apache Commons Collections library. Since then several security researchers have continued their work and discovered new vulnerabilities as well as exploit techniques. In his talk Matthias Kaiser will give a basic introduction on how to find and exploit Java deserialization vulnerabilities. He will also cover how vendors failed to fix deserialization vulnerabilities using blacklist filtering. Last but not least, an unknown blacklist bypass will be shown for a certain product (name withheld), including a live demo.

Don’t say “But it’s just data!”. Data-driven attacks are quite common. Deserialization vulnerabilities are yet another attack vector your adversaries will use against you. Therefore you should know about this. We recommend this talk not only for developers. Anyone handling data of any kind should have a look at these vulnerability classes.
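The talk's point about blacklist filtering has a direct counterpart on the defensive side: the only filter that does not have to be updated every time a new gadget class is found is one that lists what the application legitimately expects and rejects everything else. The following is an added example, not code from the talk or from Code White: a Java 9+ `ObjectInputFilter` that allows exactly one application class (`Greeting`, a constructed type) plus `java.lang.String`, caps nesting depth and reference count, and rejects any other class, so an arbitrary serialized object such as a `HashMap` is refused before any of its code runs. It assumes a JDK 9 or later; the class and method names are my own.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Set;

public class AllowlistDeserialization {

    // Constructed sample type: the only application object we expect on the wire.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Hypothetical allowlist. Everything not listed here is rejected, which is the
    // opposite of the blacklist approach that bypasses keep defeating.
    private static final Set<String> ALLOWED_CLASSES = Set.of(
        Greeting.class.getName(),
        "java.lang.String"
    );

    static ObjectInputFilter allowlistFilter() {
        return info -> {
            // Resource limits first: deep graphs and huge object counts are a DoS vector.
            if (info.depth() > 8 || info.references() > 100 || info.arrayLength() > 1000) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> clazz = info.serialClass();
            if (clazz == null) {
                return ObjectInputFilter.Status.UNDECIDED;   // no class in this check
            }
            while (clazz.isArray()) {
                clazz = clazz.getComponentType();            // judge arrays by element type
            }
            if (clazz.isPrimitive()) {
                return ObjectInputFilter.Status.UNDECIDED;
            }
            return ALLOWED_CLASSES.contains(clazz.getName())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    // The filter is installed before readObject(), so it is consulted for every
    // class descriptor in the stream before that class is resolved or instantiated.
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(allowlistFilter());
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Greeting ok = (Greeting) deserialize(serialize(new Greeting("hello")));
        System.out.println("accepted: " + ok.text);

        try {
            deserialize(serialize(new HashMap<String, String>()));   // not on the allowlist
            System.out.println("BUG: HashMap was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());       // filter status: REJECTED
        }
    }
}
```

The same filter can be set process-wide with `ObjectInputFilter.Config.setSerialFilter` or the `jdk.serialFilter` system property, which is the practical route when the deserialization happens inside a framework you do not control. The allowlist has to be maintained as the application's data model changes, but that is a functional change you will notice in testing, unlike a missing blacklist entry.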

Matthias Kaiser is the Head of Vulnerability Research at Code White. He enjoys bug hunting in Enterprise Software but also client side software and has discovered vulnerabilities in products of Oracle, IBM, VMware, SAP, Symantec, Apache, Adobe, etc. He spent quite some time researching Java deserialization vulnerabilities and deserialization gadgets and has presented his research at international conferences such as Ruhrsec, Infiltrate and Blackhat.

DeepSec 2016 Workshop: Fundamentals of Routing and Switching from a Blue and Red Team Perspective – Paul Coggin

Penetrating networks has never been easier. Given the network topology of most companies and organisations, security has been reduced to flat networks. There is an outside and an inside. If you are lucky there is an extra network for exposed services. Few departments have retained the skills to properly harden network equipment – and we haven’t even talked about the Internet of Things (IoT) catastrophe where anything is connected by all means necessary. Time to update your knowledge. Luckily we have just the right training for you!

In Paul Coggin’s intense two-day class, students will learn the fundamentals of routing and switching from a blue and red team perspective. Using hands-on labs they will receive practical experience with routing and switching technologies, with a detailed discussion of how to attack and defend the network infrastructure. Participants of this workshop will leave the class with a good understanding of how to configure and operate routing and switching protocols as well as how to attack and defend the control, management and data planes in their organizations’ networks.

This is what you can expect from the course:

  • VLAN, VLAN Trunking
  • VLAN security
  • First hop network protocols
  • First hop network protocols security issues
  • ACLs and NAT
  • IPv6 fundamentals
  • IPv6 security
  • Spanning Tree Protocol (STP)
  • STP security
  • OSPF and EIGRP configuration
  • OSPF and EIGRP routing protocol security
  • BGP operation overview
  • BGP security
  • MPLS overview
  • MPLS security
  • Network management
  • Network management security

Additional Course Modules (Time Permitting)

  • Software defined networking
  • OpenFlow
  • SDN security
  • Additional network infrastructure and protocol topics
  • And more

Further Information:

  • Instructor internationally known for teaching networking, hacking and forensics courses
  • Instructor who hacks for a living, with 20+ years of experience designing, implementing, troubleshooting, securing and hacking large complex networks
  • Course uses the CCNA Routing and Switching 200-120 Network Simulator for labs (Disclaimer: this is not a CCNA certification prep course).

Lab Software System Requirements:

Students must bring a laptop with local administrator level privileges for software installation.

Windows (Minimum)

  • Windows 10, Windows 8.1, or Windows 7
  • 1 gigahertz (GHz) or faster 32-bit (x86) or 64-bit (x64) processor
  • 1 gigabyte (GB) RAM (32-bit) or 2 GB RAM (64-bit)
  • 16 GB available hard disk space (32-bit) or 20 GB (64-bit)
  • DirectX 9 graphics device with WDDM 1.0 or higher driver

Mac (Minimum)

  • Mac OS X 10.11, 10.10, 10.9, or 10.8
  • Intel Core Duo 1.83 GHz
  • 512 MB RAM (1 GB recommended)
  • 1.5 GB hard disk space
  • 32-bit color depth at 1024x768 resolution

  • Adobe Acrobat Reader version 8 & above


Don’t miss this opportunity to learn about networks from the viewpoint of attackers and defenders alike.

Paul Coggin is an Information Security Engineer. His expertise includes tactical, service provider, and ICS/SCADA network infrastructure attacks and defenses, as well as large complex network design and implementation. His experience includes leading network architecture reviews, vulnerability analysis, and penetration testing engagements for critical infrastructure and tactical networks.