The next Black Hat Briefings is scheduled for August 2nd and 3rd in Las Vegas and is immediately followed by Defcon 14. I will be presenting on the next version of the Metasploit Framework, hybrid web-to-native code, and IDS evasion. There are dozens of great talks lined up for Defcon 14, but make sure to catch Valsmith and Chamuco's (of OffensiveComputing fame) talk on attacking malware. These guys do for malware analysis what Metasploit tries to do for exploits.
Metasploit Reloaded (H D Moore)
Over the last three years, the Metasploit Framework has evolved from a klunky exploit toolkit to a sleek EIP-popping machine. The latest version of the Framework is the result of nearly two years of development effort and has become a solid platform for security tool development and automation. In this talk, we will demonstrate how to use the new Framework to automate vulnerability assessments, perform penetration testing, and build new security tools that interact with complex network protocols.
Thermoptic Camouflauge: Total IDS Evasion (Brian Caswell and H D Moore)
Intrusion detection systems have come a long way since Ptacek and Newsham released their paper on eluding IDS, but the gap between the attackers and the defenders has never been wider. This presentation focuses on the two weakest links in the current generation of intrusion detection solutions: application protocols and resource limitations. Complex protocols often have the most dangerous flaws, yet these protocols are barely supported by most intrusion detection engines. Like any other networking component, intrusion detection gear often has a "fast path" for normal traffic, and a "slow path" for handling exceptions. By seeking out and finding the "slow path", an attacker can control the resource usage of the system and bypass nearly any state engine or signature. This presentation will dive into practical attacks on the current generation of IDS and IPS solutions and demonstrate just how evil a few extra packets can be.
Six Degrees of XSSploitation (Dan Moniz and H D Moore)
Social networking sites such as MySpace have recently been the target of XSS attacks, most notably the "samy is my hero" incident in late 2005. XSS affects a wide variety of sites and back end web technologies, but there are perhaps no more interesting targets than massively popular sites with viral user acquisition growth curves, which allow for exponential XSS worm propagation, as seen in samy's hack. Combine the power of reaching a wide and ever-widening audience with browser exploits (based on the most common browsers with such a broad "normal person" user base) that can affect more than just the browser as we saw with WMF, a insertion and infection method based on transparent XSS, and payloads which can themselves round-trip the exploit code back into the same or other vulnerable sites, and you have a self-healing distributed worm propagation platform with extremely accelerated infection vectors.
Hacking Malware: Offense Is the New Defense (Valsmith and Danny Quist)
The proliferation of malware is a serious problem, which grows in sophistication and complexity every day, but with this growth, comes a price. The price that malware pays for advanced features and sophistication is increased vulnerability to attack. Malware is a system, just like an OS or application. Systems employ security mechanisms to defend themselves and also suffer from vulnerabilities which can be exploited. Malware is no different. Malware authors are employing constantly evolving techniques including binary obfuscation, anti-debugging and anti-analysis, and built in attacks against protection systems such as anti-virus software and firewalls. This presentation will dig into these techniques and explain the basics. The idea of an open source malware analysis and research community will be explored. All the things the Anti-Virus vendors don't want you to know will be discussed. Methods for bypassing malware's security systems will be presented. These methods include detecting and defeating packers/encoders, hiding the debugger from the malware, and protecting analysis virtual machines. We will hack the malware.