Kiwicon 10 Day 1 Afternoon

A delayed start - apparently the AV started acting wonky once a bunch of radiation sources were unpacked next to it. More time for lunch to digest.

Attacking OS X for fun and profit

Dan “Viss” Tentler

This story started with a journo working on a documentary asking Dan to demonstrate how badly Dan could fuck up the journo’s life using only technology. Dan did some recon work, and discovered the target had a pretty small attack surface: he used an iPhone, a Mac, Google apps, and had 2FA enabled.

Since he’s a freelancer, it means he’s not part of an organisation with an insecure network, so Dan decided to try a phish.

(Dan notes that a phish calling back to an SSL-secured web server for the payload is a great attack vector. “Thank you LetsEncrypt!”)

This got Dan access in the form of popping a shell - but all his background is with Windows pivots, so he had to start developing his own attack kit. He was delighted to discover how powerful the OS X command line and automation tooling really is; once he understood plists and osascript, he could access the webcam and GPS logging, amongst other things.

The OS X command line lets you pull a list of all the wifi hotspots, and - a web site maintained by wardrivers using a cell app to map out wireless around the world - will let you work out the location the laptop is in.

Dan notes that osascript is black magic. Bad black magic: for example, it’s trivial to pop up a window that claims to be a software update requesting the password to apply an OS X upgrade. If you get keychain passwords you can unlock not just the Mac, but all the credentials stored in the keychain, including web site passwords.

From here it’s pretty much all good; it turned out that the target was using his 1Pass account to store Dropcam credentials, bank account details, you name it. And from his PayPal account, Dan found his shipping address and sent someone to stand in front of his security camera with a banner.

Other tricks: using macsay to get his Mac to start talking out loud in a cafe; tracking him via his webcam combined with screenshots; using the webcam to see if the target leaves his laptop unlocked when walking away (he does).

Dan rolled all his tools up into a toolkit called “DTK2” (Duct Tape Kit 2). People have used these ideas to build more sophisticated toolkits; metasploit, for example, now ships with python apps that do all of these sorts of functions.

Pupy is another tool that will create OS X binaries for targeted attacks (as well as other platforms).

Empyre and Empire have been merged to Empire 2 which will give you a cross-platform OS X/Windows toolkit, and Dan rates it very highly for keylogging.

Dylib: you can use the OS X habit of loading libraries from the local directory as well as the application directory to get the application to load bad libraries.

There are in-the-wild exploits that check for legit use of the webcam, and only activate when another application is running to cover their tracks.

Compliance in the Cloud: It’s what you make of it


“Once I had erlang shell cred. Then I fell in with a bad cloud, started huffing whiteboard markers, and got into enterprise architecture.”

What is it?

  • Buzzwords: PCI, HIPAA, ISO27001, SOC, FedRAMP.
  • May be required for some business activities.
  • In the US, there are often very industry-specific requirements.

“I’m heavily in favour of FedRAMP, because as a non-citizen, I can’t be on call for it.”

Why would you do this to yourself?

  • Blame enterprise customers. They want you to do this. Which is pain. But they will pay a premium for it.
  • Post-Snowden, many governments now care about data sovereignty standards more than they had before (for example).
  • Customer demand: customers want this, and they don’t want to audit each and every one of you in detail. So the standards are a useful way for them to filter.

Isn’t it Terrible?

  • It can be.
  • Rules lawyering, corner cutting, omission, UX compromise, and so on are what drive things down the route to the Dark Side.
  • But you can also use it to drive overall improvements in your org: document what you have, how it works, eliminate bad practices. Let it drive better automation, logging, monitoring. It can be an opportunity.

There is no standard that says, “You must be miserable or you aren’t really compliant.”

Cloud Native Problems

  • This isn’t just public cloud, it includes local cloud as well.
  • Heroku is 100% AWS. There’s no hidden datacentre.
  • This may be you. This may be where you’re going. You may be adopting technology stacks that look like this, just not on AWS.
  • Cloud weakness: Sprawl.
    • Microservices and apps sprawl in inverse proportion to how easy it is to deploy them.
    • IaaS providers give you meta-sprawl. You can deploy multiple microservice deployment platforms across your IaaS accounts.
    • This makes inventory management hard.
    • Get automating.
  • You can’t solve problems with hardware.
    • You can’t plug in a box to monitor traffic.
    • You have to wait for the provider to supply a thing.
    • Often their tools look like magic - “Have you seen that Disney movie with the brooms?”
    • You have to do more on the host - you need to rework your network appliance capabilities into agents. Free startup idea!
  • Shade time!
    • Lots of vendors say you can have your network appliances in the cloud.
    • But they’re just a scrape of the box. It doesn’t work well, it doesn’t do the job.
    • “I am angry at the vendors for rolling like it’s 2003.”

Cloud Native Benefits

  • Shared responsibility is a strength of the cloud model - you’ll get your certificates as a side-effect of running on the public cloud.
  • Clouds force you to Do The Right Thing. You can’t subvert the controls the cloud provider is responsible for, because the provider won’t let you subvert their controls.

Change Control

  • A nightmare of Word documents and Jira tickets.
  • Cloud improves this, because everything is software. So you can see what is happening and what has happened.
  • Version control is mandatory. So adding a review step is easy.
  • Change control you don’t hate!


  1. Geoff probably could have placed more emphasis on the degree to which this can be useful to make people do the Right Thing. If you work for a company on the defensive side of things, compliance can be gold in terms of making people do things they ought to, but don’t want to spend money on.
  2. Charity Majors’ observation that you can outsource labour, but not care, applies here. Yes, Amazon care about being seen to be secure, but at the end of the day your customers rely on you. Waving a bunch of certifications at them if you suffer a breach isn’t going to make them any less angry with you.

Active Incident Response: Kiwicon Edition

Brian Candlish & Christian Teutenberg

The presenters asked that we not record this talk, so they can be more candid, so this space is intentionally left blank.

It was, I will say, very interesting, although I wanted to know more. Baby steps, baby steps.

Post Afternoon Tea

The Band

There’s a group of people wreathed in smoke and wearing robes. Performing music. With throat singing.

“That made about as much as anything else we do in security” - metl.

Practical Phishing Automation with PhishLulz


Wrote the book “The Browser Hacker’s Handbook.” Developer and hacker.

Why Phishing?

“Give a man an 0day, and he’ll have access for a day, teach a man to phish and he’ll have access for life” - the Grugq.

  • To exploit the masses. Phishing still works with a lot of people.
  • Good pretexts and some typo domains can take you a long way with most targets.
  • It’s a great start to pivot from.
  • Phishing is expensive; 0days and the like are very expensive.
  • It’s too much fun still owning people in 2016 with the same old techniques.
  • Active Directory credentials: steal once, auth anywhere.
  • 2FA is still mostly a myth, and still relies on SMS in many cases.
  • It’s hard to detect phishing attacks.

Phishing in real-life?

  • Most times it’s easy, but occasionally stressful.
  • Even more powerful combined with physical access to a location.
  • It’s opportunistic - don’t go after the hard targets.
  • Target, for example, people in departments who are less savvy and have legit reasons to look at email from untrusted/unknown sources, like HR.
  • Don’t attack on first contact; build trust first.
  • An example government target:
    • an Australian target, with a 5 day window.
    • After 3 hours, they had a 39% success rate.
    • Credentials for one thing could be used for all the things; VPN, LAN, etc.

PhishLulz to the Rescue

  • When doing phishing, the work and timezones can be the roadblock.
  • You want to automate:
    • Domain reg, DNS zone config.
    • SMTP config.
    • VHost.
    • Correlate clicks with email, location, and BeEF fingerprinting.
    • email templates.

PhishLulz automates all these. It’s a pre-configured Rails app (PhishingFrenzy) and BeEF rolled up together, deployable on Amazon. Deploys, configures, and you’re away.

It also supports:

  • Subdomain discovery.
  • Webmail discovery.
  • Mailbox harvesting - automate the discovery of interesting information in the target’s mailbox that you can use the credentials with.
  • MailBoxBug.rb
  • Automated webmail data extrusion/exfiltration.
  • As far as he knows, this is the first tool of its type.
  • Uses Phantom/CasperJS to create a headless browser.


  • I didn’t like the “stupid users” flavour of a lot of the talk. Bagging on HR was an example: HR’s job is to establish relationships with unknown entities purporting to have something the org wants. Part of their job is therefore opening attachments. If you’ve got usable alternatives for people in HR, procurement, and similar roles, we’re all ears. “Don’t do your job, idiot” is not useful advice.
  • SMS-based 2FA is getting a lot of shit here, and amongst a segment of my Twitter feed. You know what? SMS 2FA is substantially better than no 2FA, and its UX is excellent compared to whatever bullshit TOTP/HOTP-type scheme is usually touted as “the only option” (especially when the latter so often rely on people installing extra shit, storing recovery keys so they don’t lock themselves out of things they care about, and so on). Being a dick about 2FA for normal people doesn’t help anyone, and it’s classic “perfect is the enemy of the good.”
  • PhishLulz itself: It’s all free software. Honestly it looks as good as regular mail campaign management tools, and the DKIM/SPF automation is better than most legit mail tools. Come to the dark side, they have cookies?

This is admirable and horrifying all at the same time. Seriously, every sysadmin (recovering or practising) I talked to wished setting up a white hat mail server was as easy as PhishLulz makes it, and the designer I talked to reckoned the email campaign tooling was better than most commercial offerings.

PHP Internals: Exploit Dev Editions

Emmanuel Law

“We can all agree fuck PHP.” No, metl, we can’t. There’s more useful stuff in PHP than most other common web programming languages.

  • Emmanuel has been enjoying finding weaknesses in the new PHP 7 engine; the Zend engine consists of a parser and a runtime.
  • The parser isn’t especially interesting; the runtime is where the good stuff is from a fuzzer’s point of view.
  • PHP 7 has improved the security around elements such as the unserializer.
  • He is attacking things like the functions, classes, methods and so on.
  • This yields a mix of local and remote vulnerabilities.
  • The remote vulns can be used to access local vulnerabilities.

“If you have a fuzzing farm, I want to be your friend.”

“I can’t fuzz faster, I have to fuzz smarter.”

  • AFL is the gold standard for fuzzing, but PHP is quite particular about syntax. Throwing random shit into Zend simply produces non-exploitable errors.
  • There aren’t many PHP fuzzers out there, and many of them are quite old.

Introducing Phzzer

  • Grammar-aware framework: scripts are syntactically correct.
  • Contextually aware: passes in valid data types.
  • There are limits in terms of its understanding of grammar, but it’s good enough.
  • Looked at using the documentation as a source, but it’s static, needs constant updating, and doesn’t cover extensions which may be loaded.
  • But PHP does support reflection on the runtime and will tell you about the syntax, the functions, and the extensions. It doesn’t, however, tell you about the valid datatypes that can be passed in.
  • But by parsing the errors when you throw bad data in, you can get the information about what the functions were expecting (number of args, types).
  • This allows automated fuzzing of everything loaded in a given PHP runtime.
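As an added example (not code from the talk or from Phzzer), here is the two-step enumeration described above done in plain PHP: reflection supplies the inventory of functions, their extension and their arity, and deliberately malformed calls supply the expected parameter types via the engine’s own complaints. The probed function names are an arbitrary constructed set, and the regular expressions assume the wording of PHP 7’s “expects parameter N to be …” warnings and PHP 8’s TypeError/ArgumentCountError messages. On PHP 7.0 (the version under discussion) reflection does not expose the parameter types of internal functions, which is why the error-parsing step matters; PHP 8’s stubs later made `ReflectionParameter::getType()` work for internals too.

```php
<?php
// Added example: enumerate what the running PHP exposes via reflection, then
// recover argument counts and types by provoking and parsing engine errors.
declare(strict_types=1);

// PHP 7 reports bad internal-function arguments as warnings; PHP 8 throws.
// Converting warnings to exceptions lets one code path handle both.
set_error_handler(function (int $no, string $msg): bool {
    throw new ErrorException($msg, 0, $no);
});

/** What reflection alone tells us about a function. */
function describe_by_reflection(string $name): array
{
    $rf = new ReflectionFunction($name);
    return [
        'extension' => $rf->getExtensionName() ?: 'core',
        'required'  => $rf->getNumberOfRequiredParameters(),
        'total'     => $rf->getNumberOfParameters(),
    ];
}

/**
 * Parse an engine error message into structured expectations. Handles the
 * PHP 7 wording ("expects parameter 1 to be string, array given") and the
 * PHP 8 wording ("Argument #1 ($string) must be of type string, array given").
 */
function parse_engine_error(string $msg): array
{
    $info = [];
    if (preg_match('/expects (exactly|at least|at most) (\d+) (?:parameter|argument)s?, (\d+) given/', $msg, $m)) {
        $info['arity'] = ['mode' => $m[1], 'expected' => (int) $m[2], 'given' => (int) $m[3]];
    }
    if (preg_match('/expects parameter (\d+) to be (\w+), (\w+) given/', $msg, $m)
        || preg_match('/Argument #(\d+)(?: \(\$\w+\))? must be of type ([\w|]+), (\w+) given/', $msg, $m)) {
        $info['type'] = ['position' => (int) $m[1], 'expected' => $m[2], 'given' => $m[3]];
    }
    return $info;
}

/** Call $name with deliberately wrong input and learn from the complaint. */
function probe(string $name, array $args): array
{
    try {
        $name(...$args);
        return ['accepted' => true];
    } catch (Throwable $e) {
        return [
            'accepted' => false,
            'message'  => $e->getMessage(),
            'parsed'   => parse_engine_error($e->getMessage()),
        ];
    }
}

// Constructed probe set: a few well-known internal functions. A real harness
// would iterate over get_defined_functions()['internal'] instead.
foreach (['strlen', 'str_repeat', 'explode'] as $fn) {
    $ref = describe_by_reflection($fn);
    printf("%s (%s): %d required of %d params\n", $fn, $ref['extension'], $ref['required'], $ref['total']);

    // Too few arguments: the arity message tells us the expected count.
    $r = probe($fn, []);
    printf("  no args -> %s\n", json_encode($r['parsed'] ?? $r));

    // Arrays in every required slot: the type message names the expected type.
    $r = probe($fn, array_fill(0, $ref['required'], []));
    printf("  arrays  -> %s\n", json_encode($r['parsed'] ?? $r));
}
```

Run it with `php enumerate.php` (any filename). Each probe yields either the accepted marker or a structured record of what the engine expected, which is exactly the per-function knowledge a grammar- and context-aware fuzzer needs before it can generate calls that get past argument parsing and into the function body.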

This is really good, more sophisticated than anything else out there, but could be better. Enumeration by errors works, but could surely be more elegant.

  • Instrumenting the runtime with Frida is another step up, because it gives even more detailed information about what’s happening in functions by way of validation.
  • It also uncovers hidden, undocumented parameters (about 20 or 30 that he’s found so far).
  • This method isn’t working in 7.0.11 and up, with the FAST_ZPP parser preventing instrumentation.

Fuzzing Strategies

  • Cluster fuzzing: apparently random functions actually cluster as “types of thing”; image manipulation, XML parsing, and so on.
    • These functions may affect one another strongly - what happens when you chain together date functions?
  • Node mutation: treating a series of operations as mathematically commutative.
  • Use regression testing: extract the PHPT test cases to feed known problems in.
  • Disable the memory manager with USE_ZEND_ALLOC=0; the memory manager is masking some bad code. So you probably leave it on in production.
  • PyPy gives massive performance gains (20% faster).

The results? Very effective. Found 120 in PHP 7.0.0, and scores in the 7.0.12 release.

Exploitation: PHP Internals

  • PHP has a userland and a Zend Internal space.
  • Your script runs in the userland; Zend can be configured to refuse to execute known-dangerous functions.
    • This has been frustratingly effective in Emmanuel’s experience.
    • So we need ways of breaking out of userland.
  • His example of breaking into the Zend engine is via a double free.
    • This relies on Deep Magic. It’s hard to exploit double frees in this day and age of ASLR.
    • His attack is the DOMDocument function.

…and at this point, I had to go have family dinner, with no sign that Jess Frazelle would get on stage, alas. Apart from the bit where it went grossly over time, this was a really good talk: the presenter showed some really interesting, well-thought-out tools and techniques, and demonstrated that people simply aren’t even looking at what is an incredibly popular language/runtime’s weaknesses.