10 Nov 2016

Hackfest 2016 Notes

My notes taken at Hackfest 2016 in Quebec City.



  • Michael Bennett, @bennettaur, DDoS Strike consultant, Security Compass
  • Recently: 620 Gbps against Krebs, mixed vectors; Tbps-scale attack on OVH; massive attack on Dyn
  • HTTP/2: binary protocol, multiplexing, HPACK header compression, server push, stream priority/dependency
  • HTTP/2 ~= TCP + HTTP/1.1
  • Spec at http://httpwg.org/specs/rfc7540.html
  • Imperva research: https://www.imperva.com/docs/Imperva_HII_HTTP2.pdf
  • See Google's rule of thumb for HTTP/2
  • Tornado lib in Python
  • Tested with Apache HTTP Server with server push: 7 MB of data pushed by the server
  • Google Chrome supports it
  • 149x more data than without push
  • Amplification attacks (small request, big response): 68:1 amplification, similar to DNS amplification but over TCP (no reflection, since TCP needs a completed handshake)
  • Long-lived TCP connections with multiplexing; the intent is one connection per page, which opens the door to Slowloris-style attacks
  • iptables connlimit module against multi-connection attacks
  • nload tool?
  • Apache HTTP/2 faster than nginx
  • nginx limit_conn and limit_req modules (still effective)
  • Apache mod_evasive and ModSecurity still work
  • Request rate limiting is still effective
  • Some TCP-level controls no longer work
  • https://github.com/bennettaur/http2-ddos
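The connlimit and limit_conn advice above only works if the threshold is tuned against real per-client connection counts, and with HTTP/2 a single browser is expected to hold one connection per origin, so a client holding many is the thing to look for. The following is an added example (not from the talk or the http2-ddos repo): it counts established connections per peer address to a port from `ss -tn` output and flags peers over a limit. The sample `ss` output is constructed, with documentation IP addresses.

```shell
#!/bin/sh
# Added example, not from the talk: per-client connection counting on a
# port, the number an iptables connlimit / nginx limit_conn threshold has
# to be tuned against. Input is `ss -tn` style output.

# Constructed sample of `ss -tn` output: one peer holding five connections
# to :443, two peers with one each (one over IPv6), plus noise on :22 and a
# half-open connection that must not be counted.
SAMPLE_SS='State    Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB    0      0      10.0.0.5:443         203.0.113.7:51234
ESTAB    0      0      10.0.0.5:443         203.0.113.7:51235
ESTAB    0      0      10.0.0.5:443         203.0.113.7:51236
ESTAB    0      0      10.0.0.5:443         203.0.113.7:51237
ESTAB    0      0      10.0.0.5:443         203.0.113.7:51238
ESTAB    0      0      10.0.0.5:443         198.51.100.9:40001
ESTAB    0      0      [2001:db8::5]:443    [2001:db8::9]:40002
ESTAB    0      0      10.0.0.5:22          198.51.100.9:40003
SYN-RECV 0      0      10.0.0.5:443         192.0.2.1:40004'

# count_conns PORT: established connections per peer address to local PORT,
# printed as "COUNT ADDRESS", most connections first. Reads ss -tn on stdin.
count_conns() {
    awk -v port="$1" '
        $1 == "ESTAB" && $4 ~ (":" port "$") {
            peer = $5
            sub(/:[0-9]+$/, "", peer)   # drop the peer port; works for [v6]:port too
            n[peer]++
        }
        END { for (p in n) print n[p], p }' | sort -rn -k1,1
}

# over_limit PORT MAX: peers holding more than MAX connections to PORT.
over_limit() {
    count_conns "$1" | awk -v max="$2" '$1 > max'
}

# live_over_limit PORT MAX: the same check against the running host.
live_over_limit() {
    ss -tn | over_limit "$1" "$2"
}

printf '%s\n' "$SAMPLE_SS" | count_conns 443     # 5 203.0.113.7 / 1 ... / 1 ...
printf '%s\n' "$SAMPLE_SS" | over_limit 443 3    # 5 203.0.113.7
```

Once the counts are known, the matching controls are `iptables -A INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above N -j DROP` at the TCP level and `limit_conn_zone $binary_remote_addr zone=perip:10m;` with `limit_conn perip N;` in nginx. Pick N from the distribution this script shows rather than from the "one connection per page" rule: NAT gateways and corporate proxies put many legitimate users behind one address.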

Blue team reboot, proactive defence strategy

Your [linux] configs are bad and you should feel bad

  • Stephen Hall, Security Compass
  • LinEnum (rebootuser.com)
  • blog.g0tmi1k.com: basic Linux privilege escalation post
  • Use the sudo NOEXEC flag; avoid wildcards in sudoers rules
  • Kerberos/sssd: tickets are stored in /tmp (kinit, auth, sudo with Kerberos). Use the kernel keyring instead (default_ccache_name = KEYRING:persistent:%{uid} in /etc/krb5.conf; /etc/pam.d/passwd)
  • /etc/ssh/sshd_config: AllowAgentForwarding no
  • The forwarded SSH agent socket lives in /tmp
  • Find forwarded agents on a host: strings -a /proc/*/environ | grep SSH_AUTH_SOCK
  • SSH multiplexing keeps the connection open after the user disconnects; it can be piggybacked on, and the piggybacked session never goes through 2FA
  • Defend via /etc/ssh/sshd_config: MaxSessions 1
  • Attack: $HOME/.ssh/config with Host *, ControlMaster auto, ControlPath, ControlPersist
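The two sshd_config checks and the SSH_AUTH_SOCK hunt above are easy to script. The following is an added example (not from the talk): it reads the value sshd will actually use for a keyword (sshd takes the first occurrence in the global section), audits AllowAgentForwarding and MaxSessions, and lists processes whose environment carries a forwarded agent socket, reading /proc/PID/environ with `tr` instead of `strings` so it works without binutils. It runs here against a constructed sshd_config and a fake /proc tree; point `find_agent_sockets` at the real /proc as root for the live check.

```shell
#!/bin/sh
# Added example, not from the talk: audit the two sshd_config settings from
# the notes and hunt for forwarded agent sockets in process environments.

# sshd_value FILE KEYWORD: the value sshd will use for KEYWORD, i.e. the
# first match in the global section (sshd keeps the first value it sees;
# Match blocks are skipped). Prints nothing if the keyword is unset.
sshd_value() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        tolower($1) == "match" { exit }                 # global section only
        tolower($1) == k       { print $2; exit }' "$1"
}

# audit_sshd FILE: one OK/FAIL line per check; returns 1 if any check fails.
audit_sshd() {
    rc=0
    v=$(sshd_value "$1" AllowAgentForwarding)
    if [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" = no ]; then
        echo "OK   AllowAgentForwarding no"
    else
        echo "FAIL AllowAgentForwarding ${v:-yes (default)}"; rc=1
    fi
    v=$(sshd_value "$1" MaxSessions)
    if [ "${v:-10}" -eq 1 ]; then
        echo "OK   MaxSessions 1"
    else
        echo "FAIL MaxSessions ${v:-10 (default)}"; rc=1
    fi
    return $rc
}

# find_agent_sockets [PROCROOT]: "PID SOCKET" for every process whose
# environment carries SSH_AUTH_SOCK. Defaults to the real /proc.
find_agent_sockets() {
    root=${1:-/proc}
    for env in "$root"/[0-9]*/environ; do
        [ -r "$env" ] || continue
        pid=${env#"$root"/}; pid=${pid%/environ}
        tr '\000' '\n' < "$env" | sed -n "s|^SSH_AUTH_SOCK=|$pid |p"
    done
}

# Constructed inputs: a config that leaves both settings at their defaults
# (the commented line and the Match block do not count), and two fake
# processes, one of which carries a forwarded agent.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/sshd_config" <<'EOF'
Port 22
#AllowAgentForwarding no
MaxSessions 10
Match User deploy
    AllowAgentForwarding no
EOF
mkdir -p "$WORK/proc/123" "$WORK/proc/124"
printf 'HOME=/root\000SSH_AUTH_SOCK=/tmp/ssh-abc123/agent.123\000' > "$WORK/proc/123/environ"
printf 'HOME=/home/deploy\000PATH=/usr/bin\000' > "$WORK/proc/124/environ"

audit_sshd "$WORK/sshd_config" || true     # both checks FAIL for this config
find_agent_sockets "$WORK/proc"            # 123 /tmp/ssh-abc123/agent.123
```

A socket path printed for a process that is not the user's own login shell is the piggyback case from the talk: whoever can reach that socket (root, or the same user from another session) can sign with the forwarded keys without ever touching the 2FA prompt.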

Exploit Kits: biggest threat you know nothing about

  1. Gate: redirect to the exploit kit (iframe…)
  2. Probe: browser, plugins, JS
  3. Exploit page
  4. Payloads: malware download, spyware, malware
  • Exploit kit platform: hosting, exploits, payload delivery
  • Joe Sandbox Cloud
  • As a service: malvertising, malware
  • Angler: 147 redirects per month, 90k targets per server per day
  • Evasion: domain shadowing, 302 cushioning, custom encrypted payload (abuses Diffie-Hellman key exchange)
  • Blackhole dashboard
  • Angler, Rig… Angler: Adobe Flash…
  • Bromium micro-VM, Cylance
  • TAXII, STIX
  • GlassWire: free and reasonable
  • DNS sinkholing
  • Privoxy
  • uBlock Origin
  • SafeScript/NoScript

Catching IMSI catchers

Hunting with LimaCharlie


  • Patrick Mathieu, @pathetiq
  • Intro and a call for help with the plugin

Docker Security

  • Builds on host/kernel security: grsecurity kernel, SELinux/AppArmor…
  • Daemon runs as root and is controlled over a socket (access to that socket is root-equivalent)
  • cgroups limit hardware resources (--cpu-shares, --memory…)
  • Namespaced resources (volumes, UIDs/GIDs…). Some are still not namespaced (kernel, LSMs, keyring…), and namespaces still have holes (CVEs)
  • seccomp: granular control over syscalls
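The seccomp point is where most of the practical hardening lands, so here is an added example (not from the talk) of what a custom profile looks like and how to review one. It writes two constructed profiles in Docker's seccomp JSON format, a tight allow-list and a sloppy one that also allows ptrace and mount, and a small audit that lists what a profile allows and flags syscalls that should not be reachable from a container. The `docker run` line at the end shows the profile combined with the cgroup limits from the notes; it is not executed here. The syscall lists are constructed and far too short for a real service; the list you need comes from strace or auditd on the workload.

```shell
#!/bin/sh
# Added example, not from the talk: allow-list seccomp profiles in Docker's
# JSON format and a reviewer's check against syscalls that should never be
# allowed inside a container.

# write_profile PATH NAMES: allow-list profile; everything else gets EPERM.
write_profile() {
    cat > "$1" <<EOF
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    { "names": [$2], "action": "SCMP_ACT_ALLOW" }
  ]
}
EOF
}

# allowed_syscalls PROFILE: one allowed name per line, sorted. Assumes the
# allow-list style above (every "names" group carries SCMP_ACT_ALLOW).
allowed_syscalls() {
    sed -n 's/.*"names": *\[\([^]]*\)\].*/\1/p' "$1" | tr -d '" ' | tr ',' '\n' | grep . | sort
}

# is_allowed PROFILE NAME: exit 0 if NAME is on the allow-list.
is_allowed() {
    allowed_syscalls "$1" | grep -qx "$2"
}

# Syscalls that give a container a way out or a way into the host: process
# tracing, mount/namespace/key manipulation, module loading, raw BPF.
DANGEROUS="ptrace mount umount2 unshare setns keyctl add_key request_key init_module finit_module kexec_load reboot bpf"

# audit_profile PROFILE: print every dangerous syscall it allows; exit 1 if any.
audit_profile() {
    found=0
    for s in $DANGEROUS; do
        if is_allowed "$1" "$s"; then echo "WARNING: $1 allows $s"; found=1; fi
    done
    return $found
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
BASE='"read", "write", "exit", "exit_group", "brk", "mmap", "munmap", "futex", "arch_prctl"'
write_profile "$WORK/tight.json"  "$BASE"
write_profile "$WORK/sloppy.json" "$BASE, \"ptrace\", \"mount\""

audit_profile "$WORK/tight.json"  && echo "tight.json: no dangerous syscalls"
audit_profile "$WORK/sloppy.json" || echo "sloppy.json: reject in review"

# Using a profile together with the cgroup and capability limits (not run here):
#   docker run --rm --security-opt seccomp="$WORK/tight.json" --cap-drop ALL \
#       --read-only --pids-limit 64 --memory 64m --cpu-shares 256 alpine true
# With a list this short the workload dies with EPERM on the first syscall
# outside it; widen the list from strace output, not by guessing.
```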

Racing the web

  • Aaron Hnatiw, @insp3ctre
  • OWASP-AT-010, CWE-362
  • Examples used:
    • one-time-use coupon code
    • bug bounty payout
    • balance transfer between accounts
    • check for CRUD operations
  • RaceTheWeb (rtw): written in Go; demo at racetheweb.io/bank/withdraw
  • A CSRF could turn into a race condition
  • Defense via locks
  • Python: threading.Lock, acquire()/release()…
  • Go: sync.Mutex (Lock/Unlock)
  • Do not communicate by sharing memory; instead, share memory by communicating
  • PHP: no threading. "Could" compile with --enable-sysvsem (System V semaphores). Or lock at the DB or file level
  • ACID-compliant DB (isolation is the key): SERIALIZABLE
  • MySQL: InnoDB
  • Postgres: use SERIALIZABLE
  • ORM: optimistic locking
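The withdraw demo and the "lock at the file level" fix are easy to reproduce locally. The following is an added example (not from the talk or from RaceTheWeb): a check-then-write withdrawal on a balance file that loses updates when twenty callers race it, the same operation serialised with a file-level lock, and a small curl racer for firing the same request at a web endpoint, which is what rtw automates. The lock uses `mkdir`, which is atomic on POSIX filesystems; util-linux `flock(1)` does the same job where it is available. The balance and amounts are constructed.

```shell
#!/bin/sh
# Added example, not from the talk: the lost-update race from the withdraw
# demo, reproduced on a balance file, and the same operation under a lock.

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
BALANCE="$WORK/balance"
PAID="$WORK/paid"
LOCK="$WORK/balance.lock"

# Unsafe check-then-write: twenty callers can all read 50, all pass the
# "enough funds" check and all get paid, while the balance only drops once.
withdraw_racy() {   # withdraw_racy AMOUNT
    cur=$(cat "$BALANCE" 2>/dev/null); cur=${cur:-0}
    if [ "$cur" -ge "$1" ]; then
        sleep 0.01                         # widen the window so the race shows
        echo $((cur - $1)) > "$BALANCE"
        echo "$1" >> "$PAID"               # what the caller walked away with
    fi
}

# mkdir(2) either creates the directory or fails: exactly one caller wins.
lock()   { until mkdir "$LOCK" 2>/dev/null; do sleep 0.01; done; }
unlock() { rmdir "$LOCK"; }

# Same operation, but check and write are one critical section.
withdraw_locked() {
    lock
    withdraw_racy "$1"
    unlock
}

# run_concurrent FUNC START N AMOUNT: N concurrent withdrawals of AMOUNT
# from START. Prints "BALANCE PAID"; with a correct implementation
# START - PAID == BALANCE always holds.
run_concurrent() {
    echo "$2" > "$BALANCE"
    : > "$PAID"
    i=0
    while [ "$i" -lt "$3" ]; do
        "$1" "$4" &
        i=$((i + 1))
    done
    wait
    echo "$(cat "$BALANCE") $(awk '{ s += $1 } END { print s + 0 }' "$PAID")"
}

# race_requests URL N: the web-side version, N identical requests fired as
# close together as the shell allows; prints a count per HTTP status code.
# Not run here; needs a target you are allowed to test.
race_requests() {
    { i=0
      while [ "$i" -lt "$2" ]; do
          curl -s -o /dev/null -w '%{http_code}\n' "$1" &
          i=$((i + 1))
      done
      wait; } | sort | uniq -c
}

echo "racy:   $(run_concurrent withdraw_racy 50 20 5)"    # paid usually exceeds 50
echo "locked: $(run_concurrent withdraw_locked 50 20 5)"  # always "0 50"
```

The racy run typically pays out far more than the 50 that was there, which is the bug-bounty and coupon case in the talk's examples. The DB equivalent of the lock is the SERIALIZABLE isolation level from the notes, or a `SELECT ... FOR UPDATE` on the row inside the transaction; either way the check and the write have to be inside the same guarded section, and a CSRF that triggers the endpoint repeatedly hits exactly this window.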

Fixing the java serialization mess

Pentesting cruises

  • Public addresses, Shodan, WHOIS
  • Maritime Telecom Network
  • Each ship has its own range of IPs, e.g.…
  • marinetraffic.com, vesselfinder.com
  • Example public services: pcAnywhere, telnet on 2323, VoIP with default creds
  • 67.21.16/24 maritime net
  • Exploitable SSH
  • CommBox login exposing lots of info (probably found via Shodan)

Darkweb Economies

Internet of dongs

Untangling the dark web: unmasking onion services

  • @SarahJamieLewis
  • Top 5 risks:
    • readable directories (backups, configs)
    • EXIF metadata
    • cloned sites (MITM, mirrors)
    • SSH fingerprinting (some fingerprints are also reachable outside of Tor, which deanonymises the host)
    • localhost bypasses (server-status, XAMPP, phpMyAdmin, personal wikis, home energy monitors)
  • OnionScan, released in April for mapping dark web services
  • Future:
    • P2P: OnionShare, Ricochet, OpenBazaar
    • Moving away from the browser
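The localhost bypass deserves a worked check, because it is a configuration that looks safe on the clearnet and is wide open as an onion service: Tor hands every visitor's connection to the web server from 127.0.0.1, so any resource gated on "local" access is public. The following is an added example (not from the talk or from OnionScan): an audit that finds Apache `<Location>` blocks protected only by a localhost rule, run against a constructed httpd.conf, plus a probe that requests the usual leak paths on an onion address through the local Tor SOCKS port (not executed here; it needs a running tor and an address you are allowed to test).

```shell
#!/bin/sh
# Added example, not from the talk: find Apache locations that rely on a
# localhost ACL, which an onion service turns into "everyone", and probe
# an onion address for the common leak paths.

# local_only_locations CONF: print each <Location ...> path whose block
# contains a localhost-only rule (Require local, Require ip 127.x,
# Allow from 127.x / localhost).
local_only_locations() {
    awk '
        { l = tolower($0) }
        l ~ /^[[:space:]]*<location[[:space:]]/ {
            loc = $2; sub(/>.*/, "", loc); inblk = 1; localrule = 0; next
        }
        inblk && (l ~ /require[[:space:]]+local[[:space:]]*$/ ||
                  l ~ /require[[:space:]]+ip[[:space:]]+127\./ ||
                  l ~ /allow[[:space:]]+from[[:space:]]+(127\.|localhost)/) {
            localrule = 1
        }
        inblk && l ~ /^[[:space:]]*<\/location>/ {
            if (localrule) print loc
            inblk = 0
        }' "$1"
}

# probe_onion HOST [SOCKS]: request the usual leak paths through Tor
# (default SOCKS port 127.0.0.1:9050) and print "STATUS PATH" per path.
probe_onion() {
    socks=${2:-127.0.0.1:9050}
    for p in /server-status /phpmyadmin/ /.git/HEAD /backup/ /wp-admin/ /robots.txt; do
        code=$(curl -s -o /dev/null -m 30 --socks5-hostname "$socks" \
                    -w '%{http_code}' "http://$1$p")
        echo "$code $p"
    done
}

# Constructed Apache config: two blocks that are "safe" on the clearnet
# and exposed behind Tor, one that is deliberately public.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/httpd.conf" <<'EOF'
<Location /server-status>
    SetHandler server-status
    Require local
</Location>
<Location /phpmyadmin>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
<Location /public>
    Require all granted
</Location>
EOF

local_only_locations "$WORK/httpd.conf"   # /server-status and /phpmyadmin
```

Anything this prints needs either an explicit deny in the onion vhost or a separate, unauthenticated-by-design decision; "Require local" is not a control once Tor is in front. The same reasoning applies to services bound to 127.0.0.1 that the HiddenServicePort line forwards to.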

Make iOS Hacking Great Again

  • @scriptingxss
  • Tools: Hopper, IDA for reversing…
  • JWT tokens (they start with ey, the base64 of '{"') can be decoded online with the JWT debugger at jwt.io
  • Realm DB browser
  • WebRTC can be used to scan the internal network
  • Cordova supports npm; modules are not really code-reviewed for security
  • DB Browser for SQLite
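Decoding a JWT is just base64url, and it pays to be able to do it, and to verify one, without pasting a live token from a captured session into a website. The following is an added example (not from the talk): base64url helpers, a decoder for the header and payload, and an HS256 signer and verifier built on `openssl dgst -hmac`. The payload and secret are constructed; the verifier pins the algorithm to HS256 so a token whose header claims `none` is rejected rather than trusted.

```shell
#!/bin/sh
# Added example, not from the talk: decode a JWT like the online debugger
# does, then sign and verify HS256 tokens with openssl.

# base64url as RFC 7515 uses it: '+/' become '-_', no padding, no newlines.
b64url_encode() { base64 | tr -d '\n=' | tr -- '+/' '-_'; }   # stdin -> stdout
b64url_decode() {                                               # $1 -> stdout
    s=$(printf '%s' "$1" | tr -- '-_' '+/')
    case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac   # restore padding
    printf '%s' "$s" | base64 -d
}

# jwt_part TOKEN N: decoded header (1) or payload (2); the signature (3)
# is returned as-is since it is raw bytes, not JSON.
jwt_part() {
    p=$(printf '%s' "$1" | cut -d. -f"$2")
    if [ "$2" -eq 3 ]; then printf '%s' "$p"; else b64url_decode "$p"; fi
}

# jwt_sign PAYLOAD SECRET: HS256 token over a fixed header.
jwt_sign() {
    h=$(printf '%s' '{"alg":"HS256","typ":"JWT"}' | b64url_encode)
    p=$(printf '%s' "$1" | b64url_encode)
    sig=$(printf '%s' "$h.$p" | openssl dgst -sha256 -hmac "$2" -binary | b64url_encode)
    printf '%s.%s.%s' "$h" "$p" "$sig"
}

# jwt_verify TOKEN SECRET: 0 if the HS256 signature matches, 1 otherwise.
# The algorithm is pinned: a header saying "none" or "RS256" fails here
# instead of steering which check runs.
jwt_verify() {
    case $(jwt_part "$1" 1) in *'"alg":"HS256"'*) ;; *) return 1 ;; esac
    hp=$(printf '%s' "$1" | cut -d. -f1,2)
    want=$(printf '%s' "$hp" | openssl dgst -sha256 -hmac "$2" -binary | b64url_encode)
    [ "$(jwt_part "$1" 3)" = "$want" ]
}

TOKEN=$(jwt_sign '{"sub":"alice","admin":false}' 'constructed-secret')
echo "$TOKEN"                    # starts with eyJ..., the base64 of '{"'
jwt_part "$TOKEN" 1; echo        # {"alg":"HS256","typ":"JWT"}
jwt_part "$TOKEN" 2; echo        # {"sub":"alice","admin":false}
jwt_verify "$TOKEN" constructed-secret && echo "signature ok"
```

When reviewing an app's tokens, decode the payload and look at what the server trusts from it (roles, user IDs, expiry) and then check whether the server's verifier pins the algorithm the way `jwt_verify` does; decoding alone, which is all the online debugger does, says nothing about whether the signature is checked.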

XSS Auditor Bypass Workshop