Friday

Hack.lu day 1: honeypots, voip pentesting and exploiting anti-virus



Day 1 at Hack.lu was a very productive one. I met a lot of interesting people and learned a lot. This day was supposed to be mostly about workshops. Unfortunately, only one of the three I attended was actually hands-on. The others were only demos.

The first presentation was by the FCCU (Belgian Federal Computer Crime Unit). Because of licensing issues, it was only a demo. After the talk, I argued to the speakers that the active participants could each have provided their own VM with a Windows OS; that was also a requirement for other workshops. I didn't learn much here because the talk was very similar to their presentation at the ISSA conference some months ago. So I was disappointed it wasn't more hands-on.
The second presentation, by Joffrey Czarny, was actually very interactive and included a lab. This was the most fun of the entire day. I will list some of the tools we used:

And last but not least, the third presentation of the day was about exploiting anti-virus. It was very similar to the talk at CCCamp, 'Antivirus (in)security', also by Sergio Alvarez. Like the first presentation, it was only a demo and not an actual workshop. There were some new elements in the presentation compared to the previous one. The worst thing that can happen to an AV product is not failing to detect malware, and it's not crashing either. It's being exploited. Think about it: which one is worse, exploiting a client or exploiting a gateway? Defence in depth says to use different scanning engines, something I have also been promoting.

Actually, this defence in depth practice also increases your risk: the more different engines you use, the more chance you have of getting exploited this way, because each engine's parsers add to the attack surface. I had never looked at it this way. I saw a demo on a fully patched machine, and it got owned.

Scary stuff.
