SOHOplessly Broken Contest!

Despite being widely distributed and deployed in nearly every modern home and small office, SOHO networking equipment has received surprisingly little attention from security researchers. Yet, these devices facilitate the connectivity and protection (we hope) of millions of end-systems. The critical vulnerabilities that persist in these widely used devices demonstrate an urgent need for deeper scrutiny.

SOHOplessly is a no-holds-barred router hacking competition. There will be three (3) tracks that focus on exploiting vulnerabilities.
Track 0 is a pre-con contest. Track 1 is a capture the flag style contest. Track 2 is a surprise contest that will take place at random times throughout the conference.

Please see the contest page for more information!

PancakeCon? PancakeCon!

If you are brave enough to wake early Sunday, October 26 from 8:30 to 11 am, join us at the 1st Annual PancakeCon! PancakeCon is hell-bent on offering the three best hours of eating gourmet pancakes in an interesting atmosphere of demonstrating technology exploitation, inventive software and hardware solutions, and open discussions of critical InfoSec issues. PancakeCon will be hosted at CyberHive, a nearby incubator and shared workspace dedicated to building the next generation of cybersecurity products.

More information will be in the program and announced during the conference! PancakeCon.

Hacapocalypse Team Fortress 2 LAN Party!

Join us as San Diego 2600 Presents a Team Fortress 2 LAN Party, Friday, October 24th, at 9PM. Join other hackers in Team Fortress 2 madness, either in the structured team server or on the free-for-all server. Bring your laptop/gaming rig with Team Fortress 2 (available for free on Steam) and join in the fun.

Interested? Please fill out the following form. You do not have to provide your real name or handle, but we would appreciate a count so we can anticipate the number of people interested in playing.

Preliminary Lineup Released!

We’re proud to announce our preliminary lineup for ToorCon San Diego 16. We’ll be posting additional talks and more details over the next week as we finish up the Call for Papers. Also, our Workshops are selling fast so don’t wait too long to register!

Advanced ANDROID & iOS Exploitation Workshop
Instructor: Aditya Gupta, Attify Security

Software Defined Radio Workshop
Instructor: Michael Ossmann, Great Scott Gadgets

MS-SQL Post-exploitation In-depth Workshop
Instructors: Rob Beck & Noelle Murata, Neohapsis

MS-SQL Post-exploitation In-depth Workshop Registration Open!

MS-SQL Post-exploitation In-depth Workshop:

The MS-SQL Post-exploitation In-depth workshop demonstrates the tactics an attacker can employ to maintain persistence in a Microsoft SQL Server database, while harnessing the available facilities to expand their influence in an environment. Plenty of resources exist today that show methods for compromising SQL and SQL-dependent applications to gain access to the environment, but very few cover methods for maintaining control of a SQL instance or performing attacks against the host and environment from within the SQL service.

This course will offer attendees an understanding of the various facilities that are available for executing system level commands, scripting, and compiling code… all from inside the SQL environment, once privileged access has been acquired. Students will walk away from this two-day course with a greater understanding of:

  • MS-SQL specific functionality
  • Stored procedures
  • Extended stored procedures
  • SQL assemblies
  • SQL agent
  • SQL internals
  • Conducting attacks and assessments from inside the SQL environment
  • Methods employed for stealth inside of SQL

Upon the completion of this workshop, attendees will:

  • Be familiar with multiple facilities in the SQL Server environment for executing system commands.
  • Understand ways to execute arbitrary code and scripts from within the database.
  • Understand methods for operating with stealth in the SQL service.
  • Know ways an attacker can rootkit or backdoor the SQL service for persistence.
  • Be familiar with hooking internal SQL functions for data manipulation.
  • Harvest credentials and password hashes of the SQL server.
  • Have familiarity with the extended stored procedure API.
  • Be able to create and deploy SQL assemblies.
  • Have the ability to impersonate system and domain level users for performing escalation in the environment.

Attendee requirements for this workshop:

  • Modern laptop with wired or wireless networking capabilities.
  • Ability to use Microsoft remote desktop from their system.
  • Basic understanding of the T-SQL language and syntax.
  • Ability to follow along with coding/scripting concepts (coding experience a plus, but not required – languages include: C, C++, C#, VBScript, JScript, and PowerShell).
  • Ability to navigate Visual Studio and OllyDBG (previous experience a plus, but not required.)

Attendees will be provided with:

  • Hosted VMs for testing and workshop labs.
  • Training materials – presentation materials and lab examples.

Who should attend this workshop?

  • SQL administrators and security personnel.
  • Professional pen-testers and corporate security team members.
  • Incident response analysts for new methods of attack detection.
  • Forensic team members unfamiliar with SQL related attack patterns.
  • Anyone interested in furthering their understanding of SQL Server.

Registration: TC:SD MS-SQL Post-exploitation In-depth Workshop + Seminar

ToorCon 15 Reception

Our reception tonight is at the pool deck on the 3rd Floor. Follow the signs for the Ivory Room. Saturday and Sunday’s events will be on the Second Floor. You’ll need to use the elevators to get up. We’ll see you all soon!

Let the Hackers Learn

Schools don’t teach hacking, and the internet hides it, both for profit and out of fear of punishment. This makes learning in a legal way very difficult, so we developed a site where anyone can create any security-related challenge they want. This talk is about how we keep our server safe and secure while letting our users make any mistake they want, so they can teach the world about all the web-based exploits.

John Irwin
I love to break things and love to learn. I graduated from the University of Washington with a bachelor’s in Informatics. I have experience working in IT, and am currently employed at Security Innovation as a Security Engineer.

Adventures with weird machines thirty years after “Reflections on Trusting Trust”

It’s been thirty years since Ken Thompson’s famous “Reflections on Trusting Trust” (well, 29, but what’s an off-by-one?). Back then, few hackers expected to actually encounter a planted bug, and now we speculate what commonly used software might not have them. But, if we somehow managed to eliminate all bugs, could we then trust software? We believe that the answer is “not really”: bugs are a part of the problem but by far not all of it.

Any complex enough input is indistinguishable from bytecode for a “weird” virtual machine hiding in the parser. Unless we radically redesign data formats, telling what data could do when fed to software is much harder than it needs to be. For code, of course, it’s known to be undecidable, but it may surprise you how many “tables” are as good as code: for example, so are ELF relocations + dynamic symbols, and so are IDT+GDT+TSS for an ia32 processor (no instructions needed for a Turing-complete computation). This talk will summarize two years of our explorations with @BxSays and @JulianBangert of such “weird machine” programming environments, and what these weird machines mean for “Trusting Trust” beyond bugs.

Sergey Bratus
Sergey Bratus believes that hacking has become a distinct computing research and engineering discipline: while academia focuses on abstractions, models, and frameworks, hackers expose “weird machines” inside actual systems, and show how much unexpected computation power they are capable of. On his day job as a Research Assistant Professor at Dartmouth College, he is extremely fortunate to work with brilliant students who hack ELF, DWARF, 802.11, 802.15.4, and many other nice things.

Static Malware Analysis with PyTriage

Malware analysis is a long process. It’s also not a very well known process among most IT professionals. In some corporate environments a dedicated malware analyst might not be available. In that case, one of the available IT staff might need to perform some preliminary analysis on the binary. It is for this reason PyTriage is available.

This tool provides a simple-to-use interface for performing preliminary static analysis of a binary. One of its features is generating hashes in a variety of standards. Currently it supports MD5, SHA1 and ssdeep, but more can be added quite easily. It also supports file type recognition using the “file magic” technique, so one can be sure of the type of the file before starting detailed analysis. PyTriage also has some PE dissection capabilities. It splits the PE into its sections and then displays each section’s information along with its hash and size. One can also peek into the imported DLLs as well as the exported functions, which hint at the possible purpose of the binary. It can also generate signatures in two different formats: one for the open source malware analysis tool YARA and the other for the popular antivirus ClamAV. PyTriage also supports submitting the file via the VirusTotal API, which lets you look up whether the file has previously been detected by antivirus providers. There is also a report generation feature that produces a concise report.

All of this is available through an easy-to-use GUI, so newcomers to malware analysis find it approachable. The presentation will also look at how one can write plugins for the tool, so as to contribute and make it a better tool.
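As an added illustration of the PE dissection and hashing the abstract describes (whole-file digests, then each section’s name, size, offset and hash), here is a small standalone parser written for this page; it is not PyTriage’s own code. It walks the section table from the COFF header and clamps every raw-data extent to the file length, so a crafted header cannot push the read past end of file. The sample PE bytes are constructed inline and are not a real binary.

```python
import hashlib
import struct

def file_hashes(data: bytes) -> dict:
    """Whole-file digests of the kind PyTriage reports (ssdeep omitted: not in stdlib)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def parse_pe_sections(data: bytes) -> list:
    """Return (name, virtual_addr, raw_size, raw_offset, sha256) per section; ValueError if malformed."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE: bad e_lfanew or PE signature")
    # COFF file header (20 bytes) follows the 4-byte signature
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sect_off = e_lfanew + 24 + opt_size       # section table sits after the optional header
    sections = []
    for i in range(nsections):
        off = sect_off + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name, _vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        # Clamp to the file so a hostile header cannot make us read past EOF
        start, end = min(rptr, len(data)), min(rptr + rsize, len(data))
        digest = hashlib.sha256(data[start:end]).hexdigest()
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, rsize, rptr, digest))
    return sections

def build_sample_pe() -> bytes:
    """Constructed minimal PE (not a real binary): DOS header, PE sig, COFF header, 2 sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)             # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)   # i386, 2 sections, no opt hdr
    text_raw = b"\x55\x89\xe5" + b"\x90" * 13                     # 16 bytes of "code"
    data_raw = b"triage!\0"                                        # 8 bytes of data
    hdr_end = 64 + 4 + 20 + 2 * 40                                 # raw data begins at 168
    def sect(name, vaddr, raw, rptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), rptr, 0, 0, 0, 0, flags)
    secs = (sect(b".text", 0x1000, text_raw, hdr_end, 0x60000020)
            + sect(b".data", 0x2000, data_raw, hdr_end + len(text_raw), 0xC0000040))
    return dos + b"PE\0\0" + coff + secs + text_raw + data_raw

if __name__ == "__main__":
    pe = build_sample_pe()
    print(file_hashes(pe))
    for name, vaddr, size, off, sha in parse_pe_sections(pe):
        print(f"{name:8} va=0x{vaddr:x} size={size} off={off} sha256={sha[:16]}...")
```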

Yashin Mehaboobe
Yashin is a security researcher with the Cyber Security and Privacy Foundation. His areas of interest in this field span hardware security, social engineering, network security, malware analysis and reverse engineering. He discovered a denial of service vulnerability in Android that he reported to Google and presented at Defcon Kerala. His work includes creating a static file-based web application fingerprinting script for nmap, an automated malware detection system for the Raspberry Pi, a network proxy in Python and a malware analysis framework in Python. He was the winner of the Defkthon CTF held at Defcon Kerala. He has also presented at Defcon Bangalore and c0c0n 2013.