Track 1
Friday, May 20
 

9:00am EDT

Intro to automotive security
Automotive security has received a major buzz recently, mainly due to researchers like Charlie Miller and Chris Valasek and major recalls in the news.
During the last 3 years our team has performed security evaluations on a large number of ECUs of various models, suppliers and manufacturers. In this talk we will attempt to give an overview of some of the findings we discovered. We will talk about the specific techniques and tools we used and what are some of the recurring bugs we keep encountering. Do not try this at home :)

Speakers

Friday May 20, 2016 9:00am - 10:00am EDT
Scruffy City Hall 32 Market Square, Knoxville, TN 37902

10:00am EDT

Scripting Myself Out of a Job - Automating the Penetration Test with APT2
Every penetration test begins the same way. Run a NMAP scan, review the results, choose services to enumerate and attack, and perform post-exploitation pillaging. What was once a manual process is now automated!
Nearly every penetration test begins the same way: run a NMAP scan, review the results, choose interesting services to enumerate and attack, and perform post-exploitation activities. What was once a fairly time-consuming manual process is now automated!
Automated Penetration Testing Toolkit (APT2) is an extendable modular framework designed to automate common tasks performed during penetration testing. APT2 can chain data gathered from different modules together to build dynamic attack paths. Starting with a NMAP scan of the target environment, discovered ports and services become triggers for the various modules which in turn can fire additional triggers. Have FTP, Telnet, or SSH? APT2 will attempt common authentication. Have SMB? APT2 determines what OS and looks for shares and other information. Modules include everything from enumeration, scanning, brute forcing, and even integration with Metasploit. Come check out how APT2 will save you time on every engagement.

Speakers

Adam Compton

Principal Security Consultant, TrustedSec
Adam Compton has been a programmer, researcher, instructor, professional pentester, father, husband, and farmer. Adam has over 2 decades of programming, network security, incident response, security assessment, and penetration testing experience. Throughout Adam's career, he has worked...


Friday May 20, 2016 10:00am - 11:00am EDT
Scruffy City Hall 32 Market Square, Knoxville, TN 37902

11:00am EDT

Hack Yourself: Building A Test Lab
We all want to improve our skill sets, right? Reading is great, but there is no experience like actually 'doing it'. In this module, we will discuss how to build your own hacking lab from the ground up, for next to no cost. We will also discuss the various free penetration testing distributions, as well as the intentionally vulnerable virtual machines you can practice anything on from phishing, to web app testing, to exploits, and more.

Speakers

David Boyd

Security Analyst, Contextual Security Solutions


Friday May 20, 2016 11:00am - 12:00pm EDT
Scruffy City Hall 32 Market Square, Knoxville, TN 37902

2:00pm EDT

Forensics Impossible: Self-Destructing Thumb Drives
Many people do not understand that a USB thumb drive is a mini computer, capable of making decisions and reading and writing memory all on its own. Each drive has firmware responsible for implementing the responses to any read or write requests sent to it by a host computer. Forensic tools such as write blockers can prevent certain commands from being sent to the drive, but they have no impact at all on what the drive's firmware chooses to do. What if it chooses to erase everything if it isn't continuously sent a special sequence of commands that only the user knows?
In this talk, I will demonstrate (through code only, no hardware tinkering) how to modify the firmware on a standard USB thumb drive to erase everything (including itself) if custom software isn't running on the PC that the drive is plugged into.

Speakers

Brandon Wilson

Brandon Wilson is an East Tennessee State University graduate, software developer, application security consultant, and hacker of random things like game consoles and TI graphing calculators. An avid tinkerer of anything USB-related, he has spoken at DerbyCon about BadUSB and appeared...



Friday May 20, 2016 2:00pm - 3:00pm EDT
Scruffy City Hall 32 Market Square, Knoxville, TN 37902

3:00pm EDT

Level Up! - Practical Windows Privilege Escalation
For attackers, obtaining access to a Windows workstation with limited privileges can really put a damper on your day. Low privileged access can be a roadblock for even the most skilled "undocumented administrators". Local administrator access to a Windows machine within an Active Directory domain often results in the ability to compromise the whole domain. This talk will walk through how attackers and defenders can learn to identify and exploit practical Windows privilege escalation vectors on the Windows 7 OS.

Speakers

Friday May 20, 2016 3:00pm - 4:00pm EDT
Scruffy City Hall 32 Market Square, Knoxville, TN 37902

4:00pm EDT

The Joy of Sandbox Mitigations
When researchers think of Microsoft Windows process mitigations they’re likely to come up with DEP and ASLR. However, Microsoft has been adding a number of lesser-known mitigations, ranging from blocking Win32k system calls to reducing a sandbox’s attack surface, which already assume RCE has been achieved. This presentation will describe the implementation of these less well known mitigations, some silly bypasses and bugs in their implementations as well as how you can use them in real world code to improve the security of your own applications.

Speakers

James

James is a security researcher in Google’s Project Zero. He has been involved with computer hardware and software security for over 10 years looking at a range of different platforms and applications. With a great interest in logical vulnerabilities he’s been listed as the #1...


Friday May 20, 2016 4:00pm - 5:00pm EDT
Scruffy City Hall 32 Market Square, Knoxville, TN 37902

5:00pm EDT

The Best Campfire Tales that Reverse Engineers Tell
At a conference, I don't much give a damn what the target was or how big the pwnage was; I watch talks for the clever tricks that the presenters used to get their results. This lecture is just the best tricks from a dozen or more projects, the techniques that we reverse engineers share over drinks and next to campfires.

So gather round, children, and I'll teach you how to distinguish code and data pointers at a glance on the Thumb architecture. I'll teach you how easy it is to write an X86 bootloader, and ways to write an exploit blind, without already having the code of your target. Some of these tricks are easy, some of them are advanced, but all of them are clever and one or two just might be the missing piece to your next reverse engineering project.

Speakers

Travis Goodspeed

Travis Goodspeed is ecstatic to live in Knoxville again, where he drives an Ectomobile and a '64 Studebaker. He collects reverse engineering tricks.


Friday May 20, 2016 5:00pm - 6:00pm EDT
Scruffy City Hall 32 Market Square, Knoxville, TN 37902
 