“All you ever wanted to know about BeEF”

Speaker: Michele "antisnatchor" Orru, Senior Spider (Trustwave SpiderLabs)

BeEF is a powerful platform for client-side pwnage, XSS post-exploitation and generally victim browser security-context abuse. Every browser is in a different security context: browser and operating system type/version, plugins installed, specific domain hooked could open different security holes. Imagine Internet Explorer 8 on Windows XP-SP3 lacking patches, vulnerable to the Aurora exploit, or maybe Firefox fully patched with a vulnerable Java plugin. The framework allows the penetration tester to select specific modules (in real-time) to target each browser, and therefore each context.

During this workshop we will start with BeEF in action on a number of simulated attack scenarios, employing techniques like:
  • keystrokes logging;
  • social engineering;
  • complete host compromise;
  • persistence;
  • tunneling proxy.
The workshop will then cover other key features such as the RESTful API, which allows you to script everything and extend BeEF with your custom logic in situations where you have hundreds of hooked browsers.

Finally, we'll finish the workshop covering internal network compromise from within the victim browser, introducing the new BeEF bind shellcode and explaining how Inter-Protocol Exploitation is used. Inter-protocol Exploitation removes browser-based attacks from being dependent upon browser vulnerabilities. It increases the number of potential exploits to include many service vulnerabilities throughout the internal corporate network. This includes whatever service can be contacted via a browser request. This increases the success rate of client-side exploitation attempts by dramatically increasing the number of vulnerabilities accessible to the attacker.

We'll have more live demos than slides, so fun is assured.
If you want to fall in love with BeEF, and you like application security, you must come to this workshop.

Requirements for participants to workshop:
Computer with VMware Player 5.

“Random Numbers. Take Two”

Speakers: Arseny Reutov, Timur Yunusov, Dmitry Nagibin

At BlackHat 2012, George Argyros and Aggelos Kiayias presented their research on attacks against the random number generator in PHP, which showed just how predictable its random numbers are. We have conducted our own research, which led to the creation of a program to attack session generators and other PHP defense mechanisms. We have also prepared some exploits to conduct such attacks on the latest versions of popular web applications.

The workshop will feature:
  • the theory of session creation and the initialization and operation of the pseudo-random number generator in various PHP versions
  • the practice of attacks involving guessing of random password reset tokens and random new passwords as well as the PHPSESSID Seed Bruteforce utility which attacks the random number generator
  • vulnerabilities in the latest versions of UMI.CMS, OpenCart, Data Life Engine
  • recommendations for developers on how to prevent such problems
Requirements for participants to workshop:
Computer with VMware Player 5.

“Advanced Exploit Development (x32). Browser Edition”

Speaker: Alexey Sintsov

The browser is a window into the world of the Internet, so it is not surprising that various adverse figures use that window to climb right into our home. This workshop is designed for those who are interested in understanding how these figures enter the house by exploiting browser (or plugin) vulnerabilities such as a buffer overflow or use-after-free. Furthermore, we will discuss in detail how the various defense mechanisms that should prevent penetration work and how they are deceived. We will study the types of attacks on the defense mechanisms of the OS and software, such as DEP/ASLR/SafeSEH/GS, learn the HeapSpray technique, and execute arbitrary code to bypass all the protections! All attacks and exploits will be reproduced by participants during the workshop so they can independently evaluate the threats and the real capabilities of such attacks.

  • Typical browser bugs (in IE and its plugins)
    • What is BoF? How to take over?
      • RET
      • SEH
      • vTable
    • Exploiting plugin vs. exploiting browser
  • Exploitation
    • HeapSpray in IE9
    • defense bypass
    • vanilla DEP (IE6-7)
    • permanent DEP+ASLR bypass (with the help of non-ASLR module)
    • ROP (StackPivot)
    • safeSeh+GS+DEP+ASLR
    • ASLR bypass (even if ALL modules have ASLR enabled!)
  • What is UaF? How to take over?
    • What prevents UaF?
  • Other worlds: Firefox/Opera/Safari/Chrome

At every key stage, the goal is to pop calc.exe. Participants themselves will bypass the defense methods and build the exploits.

A participant will receive:
  • Exploitation in IE
    • Buffer overflow in the stack
    • Use-After-Free
  • Skills of creating weaponized exploits
  • Understanding the best defenses of MS Windows 7
    • DEP/Permanent DEP
    • ASLR
    • stack canary
    • safeSEH
  • …and how to bypass them!
  • Working with Immunity Debugger and
Requirements for participants to workshop:
  • 5 hours
  • All participants will receive a training plugin (x32, compatible with all browsers), but there are common requirements for the platform and necessary software:
    • Windows 7 (32/64)
    • IE9
    • FireFox
    • Immunity debugger
    • Internet connection
    • MS Paint
    • HexEditor

“RFID: Jokers up our sleeves”

Speakers: Kirill Salamatin (aka Del), Andrey Tsumanov

  • The world of contactless cards
    • Scope of usage today and in the future
    • Let’s respect legislation
    • Examples of poorly designed systems (mountain skiing and water parks, entertainment centers, transport systems)
    • The mistakes that developers make
    • Minimum defense from card cloning
    • How to protect access control systems from clones
  • Tools that allow concealed unauthorized data reading from a distance
    • Autonomous EM-Marine cloner: we will show how it works
    • EM-Marine antennae to read from one meter distance: we will show a picture
    • ACR122U traditional reader: easily concealed if necessary
    • The sniffer jacket, our drawing card: we will let you touch it and show how it works
  • Tools to defend from unauthorized card reading
    • Which solutions are there on the market?
    • Screening covers for a biometric passport: we will show how they work
    • Screening contactless card keepers: we will show them as well if we receive them in time
    • Faraday shield for contactless cards DIY: we will confirm that it works
  • Manipulating 125kHz cards
    • Easy to read
    • Easy to write
    • Several cards in one device
    • The main problem of using EM-Marine
  • Manipulating Mifare Classic cards
    • Special emulating devices
    • Dual JCOP31 smart cards. How can they help an attacker?
    • Emulation by reader
    • Communicators with NFC
    • Software and hardware for manipulations
    • Tools to hack Mifare Classic
    • Extracting keys from Mifare Classic: demo
  • Mifare Zero
    • Rewritable RFID cards
    • Which cards are those?
    • Overview of writing software
    • Demo of the results
    • Tools to defend from clones on the access control system level

Requirements for participants to workshop:
  • 4 hours
  • Dear friends!
    There are two ways to participate in our workshop.
    You can simply look at what will happen, write it down, and try to repeat it at home.
    But it will be much more interesting to bring a laptop with an ACR122U reader and try to repeat our contactless manipulations right there. This way, you will be able to get an immediate hint if you fail to do something.
    Keys are meant to be extracted under Linux and block 0 written under Windows. Make sure your laptop is charged and the reader is visible to the system.
    Remember that you manipulate cards at your own risk and you are fully responsible for the consequences.

“Reversing banking trojan: an in-depth look into Gataka”

Speaker: Jean-Ian Boutin

Seldom do we see a new banking Trojan with the size and complexity of Win32/SpyEye appearing. This happened last year with the discovery of Win32/Gataka: a banking Trojan able to inject content in HTML pages and exhibiting a modular architecture easily extensible with plugins. Once installed on a computer, Win32/Gataka can be used by botnet operators to steal personal information. As of now, it has been used to steal banking credentials in various countries such as Germany, the Netherlands and Australia.

The workshop documents the discovery of this banking Trojan along with its internal design and its similarities with another well-known banking Trojan: Win32/SpyEye. Among other things, both share the same webinject configuration file syntax. This is a good example of malware writer specialization: webinject files targeting specific institutions are interoperable between different malware platforms. Advanced webinject configuration files, and how the scripts contained in these files can be used to automatically steal personal information and/or attempt fraudulent bank transfers, will also be discussed. Finally, we will go over some of the campaigns we have tracked in the past year and show how this new strain of malware is targeting national institutions and how it is evading different two-factor authentication processes. Throughout the workshop, we will have reversing sessions that highlight some of the steps needed to analyze this threat.

Aliases: Tatanga, Hermes.

Requirements for participants to workshop:
  • 2 hours
  • Immunity Debugger (Installed on Windows VM)
  • IDA Pro 6.1 or IDA free (Installed on Windows VM)

“Exploitation of XML-based attacks”

Speaker: Alexey Tyurin

XML (Extensible Markup Language), though in essence just a markup language, has become the basis for various data storage and transmission formats. Currently, XML (broadly speaking) and XML-based technologies are a common thread in most information systems, from small to huge. This is why knowing and understanding the attacks connected to XML will be useful for any pen-tester: they are universal.

The workshop will feature:
  • Basic description of XML and XML documents processing
  • Description of technologies connected with XML (WSDL, SOAP, DTD, XPath, XSLT, XML Signature, XML Encryption, etc.) and the scope of their application
  • Most modern attacks based on XML (the classic agenda: exposure, exploitation, post-exploitation)
  • All possible impacts: from DoS to RCE and advanced SSRF exploitation
  • Introduction to various tools. How to automate exposure and exploitation
  • Particularities of performing attacks with different parsers, languages and OS
Requirements for participants to workshop:
  • 2 hours
  • VMware Player 5

“Forewarned is forearmed: AddressSanitizer and ThreadSanitizer”

Speakers: Alexander Potapenko, Dmitry Vyukov

We'll talk about two bug-hunting tools, AddressSanitizer and ThreadSanitizer, describe their design and their applications to industrial development and vulnerability testing.

The workshop will feature some known bugs (buffer overflows, use-after-free, race conditions) in opensource projects and their impact on program stability and security. We'll also show how those bugs could've been prevented.

  • review of memory and synchronization errors; their impact on software stability and security
  • structure of two tools which search for those errors: AddressSanitizer and ThreadSanitizer; their benefits and drawbacks
  • how to use ASan/TSan on both sides of the fence
  • practice
Requirements for participants to workshop:
  • 2 hours
  • a laptop with Linux (x64, possibly in a VM)


Speakers: Alexander Azimov, Artyom Gavrichenkov, Alexander Lyamin

About DDoS in three chapters:

  1. “Game of BGP” by Alexander Azimov

    It is an obvious fact that instability at the inter-domain routing level can have a great influence on prefix availability. There are two main reasons for network instability at the level of Autonomous Systems: router misconfigurations and routing loops which occur during the BGP convergence process. During this talk, I’ll try to cover common errors in router configuration and show the main trends of different routing events.

  2. “Network Operator's View: HOW[NOT]TO Write TCP-based Network Applications” by Artem Gavrichenkov

    For over 3 years, the developers of Qrator have collected and analyzed common programming errors in network applications, including Web sites and custom TCP-based protocols. The talk is focused on how to avoid frequent mistakes when designing your own protocol and how to set up an application server hosting a scalable network application.

  3. “Beyond the botnet” by Alexander Lyamin.

    We all know that “DDoS” == “botnet”: botnets are the means of carrying out a successful DDoS attack. At least, that is how it used to be. But as defensive measures progress, exploiting L7 with a simple “GET /” is no longer efficient, and driving a full browser stack with imitation of human behavior takes another level of sophistication and math. This is also leading to a dramatic drop in botnet efficiency. Is it GAME OVER for DDoS?
Requirements for participants to workshop:
  • 3 hours
  • Any questions that worry you
