Sthack 2016
Intrinsec was present at the Sthack security conference in Bordeaux which took place on April 8, 2016.
Laurent Oudot presented us with an overview of the evolution of digital espionage techniques over the years. The first known intrusions targeted government institutions in order to gain recognition, while current attacks are aimed at money, whether through data theft or by taking the victim hostage.
Damien Picard presented practical examples of bypassing the restrictions that PowerShell puts in place.
PowerShell has shipped by default since Windows 7. Built on the .NET platform, it is object-oriented and is gradually replacing the classic Windows console.
Several bypasses were presented: for the restrictions on running scripts, for the different levels of LanguageMode restriction, and even for AppLocker.
Slides: http://www.synacktiv.fr/ressources/presentation_Powershell-for-pentesters_synacktiv.pdf
Jonathan Salwan and Romain Thomas presented the new features of their hybrid analysis tool, Triton. It supports both 32-bit and 64-bit architectures and offers an API usable from C++ and Python to automate certain tasks. As an added bonus, a library can be loaded into IDA Pro to deobfuscate code fragments directly from within the debugger.
Slides: http://triton.quarkslab.com/files/sthack2016-rthomas-jsalwan.pdf
Kelly Lum presented her work on the .NET framework. She provided an overview of the tools used to analyze CIL code. For your information, the CIL code generated when compiling .NET languages (C#, VB, etc.) is similar to Java bytecode. The speaker then demonstrated techniques for hiding obfuscated code within a binary using code caving. The sections of a binary must be aligned to optimize their loading into memory, and this alignment is achieved with padding bytes. It is therefore possible to place code in this padding area (called the "cave") without modifying the other useful segments of the binary.
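As an added example (not code from the talk), a small Python check for the padding described above: it parses the PE section table and reports any section whose alignment slack, the bytes between VirtualSize and SizeOfRawData, contains something other than zeros. The sample PE is constructed inline and is not a loadable binary; it only has enough structure for the parser.

```python
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes)
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")


def section_headers(pe):
    """Return (name, VirtualSize, SizeOfRawData, PointerToRawData) per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]   # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                            # section table follows COFF + optional header
    out = []
    for i in range(num_sections):
        f = SECTION_HDR.unpack_from(pe, table + i * SECTION_HDR.size)
        out.append((f[0].rstrip(b"\0").decode(), f[1], f[3], f[4]))
    return out


def find_caves(pe):
    """List (section, file offset, non-zero byte count) for every section whose
    alignment slack (bytes past VirtualSize, up to SizeOfRawData) is not all zeros."""
    hits = []
    for name, vsize, rawsize, rawptr in section_headers(pe):
        if rawsize <= vsize:
            continue                                          # no slack to hide in
        slack = pe[rawptr + vsize:rawptr + rawsize]
        nonzero = sum(1 for b in slack if b)
        if nonzero:
            hits.append((name, rawptr + vsize, nonzero))
    return hits


def build_sample(cave_bytes=b""):
    """Constructed minimal PE (not loadable): one .text section with 16 bytes of
    code and 0x1F0 bytes of alignment padding; `cave_bytes` is written into the padding."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)  # 1 section, no optional header
    sect = SECTION_HDR.pack(b".text", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    header = (dos + coff + sect).ljust(0x200, b"\0")
    code = b"\x90" * 0x10                                     # the section's real bytes
    padding = cave_bytes.ljust(0x1F0, b"\0")                  # the "cave"
    return header + code + padding
```

Non-zero slack is a hint, not proof: some packers and linkers also leave data there, so treat a hit as a prompt to disassemble that region. The check covers only intra-section slack, not the gap between the headers and the first section or gaps between sections.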
This presentation focused on the various current attacks affecting GSM. After a rapid-fire review of how GSM works, the emphasis shifted to the tools and software used to intercept communications. IMSI catchers, in particular, implement these interception methods. It should be noted that, according to the speakers, the hardware needed to set up such a tool is readily available and affordable (less than €1,000). However, its use must be limited to an isolated laboratory (such as a Faraday cage).
Selene Giupponi presented methods for recovering sensitive data from mobile devices during forensic analyses. As an example, she observed that when iTunes creates an encrypted backup of a device, the backup sent to iCloud is automatically decrypted by Apple's servers. The American company justified this decryption as necessary to simplify the use of backups.
During this conference, Antoine Cervoise and Julien Reitzel presented various techniques for performing a physical brute-force attack against multiple hardware components, such as a BIOS, a smartphone lock screen, or any other authentication interface. Success is detected via a webcam: if the authentication page disappears, the entered password is considered valid, and the script saves the last code it entered. The goal was to present a generic tool that could be adapted to a wide range of platforms at low cost.
The project's source code is available: https://github.com/cervoise/Hardware-Bruteforce-Framework-2
Finally, we participated in the CTF, which ran all night. A write-up of one of the forensic analysis challenges has already been published on our blog.
