Pass-The-Salt 2019 Wrap-Up

This week, the second edition of “Pass-The-Salt” was organized in Lille, France. The conference was based on the same format as last year and organized at the same location (see my previous diary). I like this kind of event where you can really meet people (the number of attendees was close to 200) without having to fix an appointment at a given time and place to be sure to catch your friends! The conference was a mix of talks and technical workshops spread across three days. The schedule was based on “topics” and presentations were grouped together (Low-Level Hacking & Breaking, Free Software Projects under Stress, etc.).

After a brief introduction by Christophe, the first set of talks started (the first day started at 2PM). Ange Albertini was the first speaker and presented the results of his current research about hash collisions. Yes, everybody knows that MD5 has been broken for a while but what does it mean for us in our daily infosec life? What is really the impact? After a short reminder about hash functions and why they are so useful in many cases (to check passwords, to index files or validate them), Ange described how it is possible to generate files with the same hash. The approach is called a pre-image attack or PIA:

  • Generate a file X with a hash H:
  • Given any H, make X so that hash(X) = H

The types of collision are called IPC (“Identical Prefix Collision”) or CPC (“Chosen Prefix Collision”). After a review of both techniques, Ange explained how to practically implement this and gave some examples of “malicious” files like a single file being a PDF document, an executable, an image and a video (depending on the application used to open it)! That’s also the case for his slide deck (available here). Rename the file with a ‘.html’ extension and open it in your browser!

The next presentation covered the tool called “Dexcalibur” by Georges-B. Michel. The idea behind the tool is to automate the reversing of Android applications. A lot of Android applications (.dex) are obfuscated and generate a new .dex when executed. The problem for the reverse-engineer is that you can only hook functions that you’re aware of. The tool presented by Georges-B is based on Frida (another cool tool) and other tools like Baksmali, LIEF, Capstone, etc.

Aurélien Pocheville explained how he reversed an NFC reader (ChameleonMini). Aurélien used Ghidra to achieve this. Not my domain of predilection but it was interesting. I like the funny anecdotes provided by Aurélien, like when he bricked his friend’s garage token and the original was… in the closed garage 🙂

After a short coffee break, Johannes vom Dorp presented his tool called FACT or “Firmware Analysis and Comparison Tool”. Today, many devices are based on firmware (think about all the IoT toys around you). A typical firmware analysis process has the following steps: Unpacking > Information gathering > Identifying weaknesses > Reverse Engineering. This can quickly become a boring task. FACT replaces steps 1 – 3 by automating them. The tool looks very interesting and is available here.

Thomas Barabosch presented “cwe_checker: Hunting Binary Code Vulnerabilities Across CPU Architectures”. The idea of this presentation looks the same as the one above about firmware analysis. Indeed, we need to automate our boring/daily tasks as much as possible. But it’s not always easy. The case presented by Thomas was a perfect example: IoT devices are running on multiple CPU architectures. This makes the process of finding vulnerabilities not easy. Thomas introduced the tool ‘cwe_checker’ which is based on the Binary Analysis Platform (BAP).

The first day ended with a talk about the Proxmark3, the awesome NFC tool. Christian Herrmann (Iceman) started with a fact: many people have a Proxmark but can’t use it. I fully agree, it’s also my case. I bought one because I had a good opportunity but I never took the time to play with it. He gave details about rdv40, the latest version of the tool. Christian also gave a workshop on the Proxmark (which was very popular).

Day two started with a presentation by François Lesueur: “Mini-Internet Using LXC”. What is MI-LXC? It’s a framework to construct virtual infrastructures on top of LXC to practise security on realistic infrastructures. Cyberranges is a cart with some hardware and a framework to manage VMs and scenarios. MI-LXC has common services, routing, information systems… just like the regular internet. There were already other existing frameworks but they did not meet all of François’s expectations. So, he started his own project. Components: containers based on LXC, LXC Python binding, bash scripts. With an initial config of 20 containers and 8 internal bridges, you can still run a small fully working Internet (using 4GB of storage and 800MB of memory). The project is available here.

The next talk was “Phishing Awareness, feedback on a bank’s strategy” by Thibaud Binetruy. It was the first slide deck with a TLP indication. Thibaud first presented the tool they developed: “Swordphish” (link) and, in a second part, how they used it inside the Société Générale bank. First, they used a commercial tool but it was expensive and not practical for 150K users. In many cases, the classic story is to decide to write your own tool. It does not have to be complex: just send emails and wait for feedback. Make it “simple” (used by non-tech people). First create a template (mail with a link, redirection, of, etc.). Create a campaign (ransomware, fake form). Dashboard. You can tag people (tech, non-tech, …) to improve reporting and statistics. Output to Excel because people like to use it to generate their own stats. They also developed a reporting button in Outlook to report phishing, because they don’t know who the security contact is. It also helps to get all SMTP headers!

After the morning break, we switched to more offensive talks, especially against web technologies like tokens and APIs. Louis Nyffenegger presented “JWAT… Attacking JSON Web Tokens”. Perfect timing: after learning how to abuse JWT, the next presentation was about protecting APIs. MAIF (a French mutual insurance company) has open-sourced Otoroshi, a reverse proxy & API management solution. Key features are exposure, quotas & throttling, resiliency, monitoring and, of course, security. Apps need to be sure that a request actually comes from Otoroshi. Otoroshi sends a header containing a signed random state for a short TTL. The app sends back a header containing the original token and signed with a short TTL. Otoroshi handles TLS end-to-end. JWT tokens are supported (see the previous talk).
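The proxy-to-app exchange described above, sketched as an added example (it is not Otoroshi's code or wire format, and not from the talk). The shared HMAC key, the claim names `state` and `state-resp`, the token encoding and the 10-second TTL are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-shared-secret"  # assumption: key shared by proxy and app
TTL = 10                               # assumption: "short TTL" taken as 10 seconds

def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()

def sign(claims, key=SECRET):
    """Encode claims and append an HMAC-SHA256 tag: '<body>.<tag>'."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def verify(token, now, key=SECRET):
    """Return the claims if the tag is valid and the token is unexpired, else None."""
    try:
        body, tag = token.split(".")
        good = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(tag, good):  # constant-time comparison
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None
    return claims if now < claims.get("exp", 0) else None

def proxy_challenge(now):
    """Proxy: fresh random state, signed, sent to the app in a request header."""
    state = secrets.token_hex(16)
    return state, sign({"state": state, "exp": now + TTL})

def app_respond(challenge, now):
    """App: serve the request only if the challenge verifies, then echo the state."""
    claims = verify(challenge, now)
    if claims is None:
        return None  # request did not come through the proxy, or is stale
    return sign({"state-resp": claims["state"], "exp": now + TTL})

def proxy_check(sent_state, response, now):
    """Proxy: the response must be signed, fresh, and echo this request's state."""
    claims = verify(response or "", now)
    # A reflected challenge fails here: it carries "state", not "state-resp".
    return claims is not None and hmac.compare_digest(
        claims.get("state-resp", ""), sent_state)
```

Because the state is random per request and both tokens expire quickly, a captured response cannot be replayed for a later request, and an app reached directly (bypassing the proxy) sees no valid challenge.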

After the lunch break (the idea to bring food trucks to the venue was nice), the topic related to attack/defence started. The first presentation was “Time-efficient assessment of open-source projects for Red Teamers” by Thomas Chauchefoin & Julien Szlamowicz. Red-team is a nice way to say “real world pentest”, so with a large scope (access, physical, etc.). They explained, with very easy-to-read slides, how they compromised an application. Then, Orange Tsai (from DEVCORE) explained how he found vulnerabilities in Jenkins (which is a very juicy target seeing the number of companies using it).

Jean-Baptiste Kempf from the VLC project came to defend his program. VLC is the most used video player worldwide. Jean-Baptiste gave crazy numbers like 1M downloads per day! When you are a key player, you are often the target of many attacks and campaigns. He explained step by step how VLC is developed and updated and tried to kill some myths about it in a very free style.

The last set of talks was related to privacy. Often, privacy is like security: it is addressed at the end of a project and this is bad! The first talk was “OSS in the quest for GDPR compliance”. Aaron Macsween (from XWiki / Cryptpad) explained the impact of GDPR on such tools (XWiki, Cryptpad) and how they address this issue. Then Nicolas Pamart explained how TLS 1.3 is used by the Stormshield firewall solutions. This new TLS version focuses on enhancing user privacy and security. Finally, Quinn Norton and Raphaël Vinot presented their tool called Lookyloo, a web interface that scrapes a website and then displays a tree of domains calling each other.

The day ended with about one hour of lightning talks (or rump sessions as called at Pass-The-Salt) and the social event in the centre of Lille.

The last day started for me with my workshop about OSSEC & Threat Hunting. The room was almost full and we had interesting exchanges during the morning. Sadly, I missed the talk about Sudo by Peter Czanik which looked very interesting (I just need to read the slides now).

In the afternoon, we had a bunch of presentations about how to secure the Internet. The first one was about a new project kicked off by CIRCL. When they release a new tool, you can expect something cool. Alexandre Dulaunoy presented a brand new tool: The D4 Project. The description on the website sums up everything: “A large-scale distributed sensor network to monitor DDoS and other malicious activities relying on an open and collaborative project.” As explained by Alexandre, everybody is running “tools” like PassiveDNS, PassiveSSL and honeypots to collect data, but it’s very difficult to correlate the collected data or to perform analysis at a large scale. The idea behind D4 is to implement a simple protocol which can be used to send collected data to a central repository for further analysis.

Then Max Mehl (Free Software Foundation Europe) came to explain why free software is important in IT security but may also lead to some issues.

The next talk was presented by Kenan Ibrović: “Managing a growing fleet of WiFi routers combining OpenWRT, WireGuard, Salt and Zabbix”. The title sums up everything. The idea was to demonstrate how you can manage a worldwide network with free tools.

Finally, two presentations closed the day: “Better curl!” by Yoann Lamouroux. He made a lightning talk last year but there were so many interesting things to say about Curl, the command line browser, that he came back with a regular talk. He presented many (unknown) features of Curl. And “PatrOwl” was presented by Nicolas Mattiocco. PatrOwl is a tool to orchestrate sec-ops and automate calls to commercial or open source tools that perform checks.

To conclude, three intense days with many talks (as many of them were 20-minute talks, the schedule could contain more), a relaxed atmosphere and a good environment. It seems to be a “go” for the 2020 edition!

Note: All the slides have been (or remaining will be soon) uploaded here.

