BSidesAthens Logo

BSidesAthens 2016 Wrap-Up

Here is my wrap-up for the first edition of BSidesAthens. There are more and more BSides events organized across the world and the Greek capital has now one! It was also a good opportunity to spend the weekend in this nice city. Grigorios Fragkos kicked off the event a few minutes late (“but is normal for Greek people” as he said). Usual stuff for a BSides event: coffee, free WiFi and plenty of people. According to the organization, ~200 people joined (it was sold-out). The schedule was split across three tracks. Two for regular presentations and one dedicated to workshops.

The keynote slot was assigned to the Hellenic Army via the Colonel Mr. Myron Koutias. The title was “The future of cybersecurity and cyberdefense beyond state borders”. The keynote was mainly a presentation of the cybersecurity services proposed by the national army: investigation, threads, design and protection of the IP environments used by the army.
Colonel Myron Koutsias
Keywords are here: prevent, detect and ultimately respond. Another goal is to “think like an attacker”: evaluate the victim, intrusion and active infection. The Hellenic Army estimates that more and more threads will arise due to the constantly growing number of people connected to the Internet and also mobile devices (no mention of IoT btw?). Information sharing is another key element. The keynote was basically a review of the current security state that any country is facing today and what we should have to do to better protect. It ended with a message to student: they are recruiting actively!
My first choice was to attend the read teaming workshop but the speaker… never joined the event! So, I went to the track 1 to attend the talk about OWASP ASVS by Panagiotis Yialouris. “ASVS” is an OWASP project and is the abbreviation of “Application Security Verification Standard” (more info here).
Panagiotis on stage
Based on a real project realized by his company, Panagiotos explained what’s behind the ASVS and how it can help to find more vulnerabilities that can not easily (or not at all) detected by classic vulnerability scanners. Also, performing a penetration test is not enough to have a full coverage of the application. Design security must also be evaluated. Here is a good example of vulnerability find:
sendEmail(
    “Your password is: “ + getUserPassword(user))
Indeed not very secure to send a password in the wild! The conclusion was: “Security is better and easier when integrated in a built-in manner”. We agree on this but it’s not yet implemented in many organisations!
My next choice was: “Getting the most of evil twin with Wifiphisher“. The main developer of this tool, George Chatzisofroniou, explained what is the evil twin attack. In short, a rogue access-point spoofs a legitimate one in order to gather personal or corporate data. It’s a common attack.
George on stage
The goal is to de-auth the victim and present him a malicious AP. In this scenario, the most important step is to get the right equipment: more power your have, more chances to have to get victims coming to you. For George, the ideal setup is to have 2 wireless devices: one acting as the rogue AP and one to perform the denial of service (deauth). Why such attacks are very successful? Because of the “auto-connect” feature activated in many network managers. Also, the access point with the best signal will be used. Note that the network manager uses a combination of ESSID and encryption type. The attacker needs to replicate both. Different scenarios were reviewed by George:
  • An open WiFi with a captive portal: just a stronger signal is required.
  • WPA(2) with a pre-shared key: often the key is shared by people or written somewhere. It’s easy to grab it. If the key is unknown, a downgrade attack can be performed using the KARMA attack. But it has less impact on modern operating systems.
  • WPA enterprise: If not authenticating the AP, clients are also vulnerable. Offline brute-force is doable with captured challenge-response.

Note that guessing the SSID is also very easy. There are good chances that people who attend BSidesAthens will use a SSID called “BSidesAthens“! Using a deauth attack: DEAUTH frames are sent in clear. If you send back an answer: “Sorry PSK is incorrect”. It’s some kind of DoS and there are chances that the victim will search for another network (read: yours).

Finally, some phishing scenarios were reviewed (that Wifiphiser can perform): A captive portal or fake social network page. More evil: a fake page coming from the wireless device stating that a firmware upgrade is ready to be installed. It’s also possible to imitate the network manager login page (based on the User-Agent, we can guess the victim’s OS). This is a very nice tool available on GitHub.

The next talk was really funny! Steve Lord talked about malicious IoT devices.

The next talk was the one of Steve Lord (@stevelord) about malicious  IoT devices. Steve started with some example of stupid Internet of Things devices that are completely useless… Like the smart egg minder! Steve calls this the Internet of Wrongs. But we can have much more find when designing some connection object to play with your friends (or enemies). Here are some examples. All of them are based on micro computers like Arduino’s or Raspberry Pi’s.

Steve on stage

WOLter is a small project designed to flood a network with WOL (Wakeup on LAN) packets. The result is that it will drain batteries of devices like MacBooks. Evil! :). Poephol is a WiFi SSID generator “because Steve’s mate’s neighbours are Poephols”. Etc… Lot of nice toys build to fight against people that upset you. Note that most of those toys are prohibited by local laws…

After the lunch break, Anastasios Stasinopoulos restarted with “Perform effective command injection attacks like Mr. Robot“. Anastasios reviewed common command injection issues (why software are vulnerable – incorrect or complete lack of input data validation). Nice targets are usually IoT devices. Such attacks can be: with a direct output, “blind” (like with SQLi), semi-blind (it’s possible to retrieve the output character by character) or file based (the output is written to a file on the file system).
Anastasios on stage
The next part of the talk was a presentation of the Commix tool and some nice demonstrations. Commix is an automated tool that can be used to test web-based applications with the view to find bugs, errors or vulnerabilities related to such injection attacks. It can perform user enumeration, fingerprinting, disclose paths but also launch shells, meterpreter sessions, etc. It can also perform exfiltration via DNS/ICMP protocols. A very cool tool, definitively!
For the next timeslot, I was on stage to present “Building a poor man’s F1r3Ey3 mail scanner”. My slides available here.
Then, Yiannis Ioannides talked about his project: “WarBerry Troops Deployment in Red Teaming Scenarios“. Usually, when you are performing a red team attack, your enemy is the time. Based on this fact, Yiannis developed a nice tool that runs on top of a Raspberry Pi to perform network scans in four steps:
  1. Come in
  2. Connect the WarBerry
  3. Get out
  4. Pwn!

Yiannis on stage

 This device / tool is working on a battery, can have a 3G dongle to exfiltrate data (or to offer a backdoor) and works below the radar (compared to a classic Nmap scan, it scans only to useful stuff in a corporate environment. The device can also act as a bridge and play MITM. A demo was performed and Yiannis demonstrated how it can defeat controls like NAC. Another very cool tool to add to your toolbox!
The last talk that I attended was “The steps a company needs to take in order to upgrade its information security” by Leonidas Tertipis. IMHO, the talk was not really targeting the classic audience of a BSides event. It was oriented to C-levels but the information given by Leonidas was very accurate.
Leonidas on stage
One of the key messages to remind is: “Security costs money … but it can save a lot too“. He reviewed several steps that every company should implement to increase the overall security level like the implementation of data classification. Once data classified, it’s easy to know how to store, exchange, destroy or share them. IMHO, this presentation being scheduled just after the one about the WarBerry is a good coincidence. Indeed, Leonidas explained that organisations must have procedures while attackers just don’t…
In parallel to the regular talks, there was a workshop (by Steve Lord), a CTF and a “treasure hunt” game. The regular event is over, it’s now time for some fun in Athens and the after party on the hotel’s roof garden, next to the swimming pool with a clear view of Acropolis!

20 comments

Leave a Reply

Your email address will not be published. Required fields are marked *