X11 is much more powerful than we think. In this talk I will show how to generate a backdoor for any Linux or BSD machine that runs X11, X-Window or Xorg, by using only syscalls to X, no binaries, or Opcodes, or privileges to be executed, which can be invoked by hardware interruptions or an open port on the victim computer.

###### What's under the hood

This attack takes advantage of a feature included in the "dbus" IPC software (http://en.wikipedia.org/wiki/D-Bus) that controls the lock screen. By tampering with it, you can easily invoke an unlock. The hardware interruptions that execute the code can be easily implemented by the attacker according to his choice, but the trick is to choose the correct hardware that can be controlled while the computer is locked, which is only a few. In the demo I will show all the ways I could unlock the screen: with hardware interruptions, an open UDP port, or even without having the backdoor running in the background and just calling it. It can also be triggered through a Shellshock attack. Dbus is bundled with GNOME, KDE, freedesktop, Xfce and more X systems, making (almost) any Linux or BSD box vulnerable to this attack. This material is innovative because X11 is widely used, and this type of behavior would be critical to the Linux/BSD community. Since it is a technical talk, it will mostly be demo, but I will include some slides that explain the origins of the bug and the exploitation.
When spring came to one country, we got the desire to hack stuff not in a frowzy office but in the open air. All of a sudden, along with snowdrops, telecom operators' billboards appeared which advertised the fastest, the cheapest and the best. Before diving into the internet with the new gadget we decided to test how these ads correspond to reality... To our reality. Having developed a test set, we started to research how safe it is for clients to use the 4G networks of the telecommunication companies. During the research we tested SIM cards, 4G USB modems, radio components and the IP access network. First of all we looked for vulnerabilities that could be exploited remotely, via IP or radio network. And the result was not late in arriving. In some cases we managed to attack SIM cards, "clone" a phone and intercept traffic without boring rainbow tables; we were able to remotely update USB modem firmware, to change the password on a self-care portal via SMS and even to get access to the internal technological network of a carrier. Further attack evolution helped us understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install a bootkit on the box that this modem is connected to.
This talk is about hacking a well-known fitness wristband, the Fitbit Flex. Wearables are extremely trendy nowadays, but actually we know little about their security: What information do they send about us? How reliable are they? Can they be hacked? etc. The fact that they rely on proprietary protocols does not help. So, precisely, we focus on understanding the communication with the tracker. Eventually, that's how we learn how to turn the Flex into a wearable random number generator. Connected objects are exciting for end users (70 million wearables sold in 2014) but certainly also for security researchers... because they are new, there is little research on the topic yet and thus the path to discoveries is open. In this talk, I focus on the Fitbit Flex. This is a fitness wristband which records your daily walking and running steps, computes distance and calories and also has a few other features like tracking your sleep or waking you up.
SAP applications build the business backbone of the largest organizations in the world. In this presentation, exploits will be shown manipulating a business process to extract money, critical payment information, and credit card data out of the business backbone. We’ll explain the attack vectors, and what effective measures you can take to prevent, detect and respond to them.
For many years the world knew only about physical or even vandal attacks on ATMs. Firstly there were cash-machine robberies, ram raids or other "big-power-needed" attacks. Technical progress increased and brought more intelligent crime: skimming and shimming for stealing magstripe track data, fake pinpads for stealing PINs. During the last several years ATMs have been jackpotted many times with some named or unnamed malware. How did it happen? Unpatched operating system or vulnerable ATM software? Possible. Banks may have a "secure" ATM with patched OS and software, with installed antivirus, encrypted HDD or blocked USB. But there are other, more interesting ways too. Unified ways are independent of the ATM's vendor or installed software. Every ATM includes the same parts, such as card reader, pinpad and dispenser. All parts are connected through common interfaces (like RS232 or USB). What if we take a popular credit-card-size computer and make a fake ATM host for connecting to the devices directly? During our presentation at Black Hat we showed how an adversary can use a Raspberry Pi to gain control over an ATM and its parts. In our updated presentation we would like to show some more technical information behind these attacks. This information will include a description of some faults and misconfigurations in brand new ATM machines of one major vendor that were fixed recently this year. Such attacks give an adversary the ability to control the dispenser device to "jackpot" any amount of money from the ATM.
This course is geared towards those new to exploit development and will provide a fun and interactive environment to break Windows applications. The Foundations course covers a significant portion of the popular Bootcamp class, excluding some of the more advanced topics while adding a few chapters of its own. This course will give you a rock solid understanding of the fundamentals of exploit development for Windows. During the course, students will get “hands-on” experience working with real vulnerabilities in real applications and the techniques used to exploit them.
This training takes a deep dive into all the components of the Android operating system, starting right from ARM assembly, shellcoding, buffer overflows, OS security, the App security model and reverse engineering, to App security and exploitation. The training is specifically designed to have more hands-on exercises for the trainees to grasp the intrinsic technical details of OS and App security. In the training we discuss binary and app reversing, app security assessment and common app vulnerabilities. We cover OS-specific app security considerations such as the Android dex format, smali file manipulation, runtime iOS app manipulation and much more. We will also cover ARM assembly and shellcoding on ARM, and explain security issues such as buffer overflow exploitation for ARM devices and look at how they are different from x86 processors. We will also look at ARM-specific considerations for shellcoding such as ARM and THUMB state transitions and basic ROP/Ret2libc examples. The training is specifically designed to have more hands-on exercises for the trainees to grasp the intrinsic technical details of ARM and smartphone operating systems. An open source, customized distribution for Android development and security testing known as Android Tamer (www.androidtamer.com) is also provided with the training material. The training provides a base for the trainees to develop security research expertise on the ARM Android platform way beyond conventional security testing skills.
Embedded devices, digital systems, control systems, instrumentation & control or supervision devices, home electronic devices, etc.: they play a critical role in many industrial plants and in everyday life. Security of these devices has long remained a marginal issue: we obviously share this view. However, one other aspect of this area is also often treated marginally: How to audit the security of such embedded systems? Are the security community and industry prepared? Do they have references, clear auditing guidelines, methods & best practices to evaluate those devices properly? Are IT security experts trained to audit an embedded/electronic system? Do they have the necessary knowledge to perform a security audit or a simple intrusion test on this type of system? This knowledge is not specifically part of the skills acquired by the various stakeholders in the IT security community. It requires mastering a variety of fields such as digital electronics, analog signal processing, FPGA or other specific measurement tools (oscilloscope, logic analyzer, etc.). Without training or good practices disseminated and adapted to this type of audit, can we properly assess the security of such a device? Attending our training will enable you to reduce this gap! If you want to learn how to audit or secure an embedded device, please consider booking a seat in our training. During this training, we will allow you to understand security flaws, how to exploit hardware vulnerabilities & how to secure hardware products. We will provide all necessary hardware hacking stuff (prototypes, tools, etc.) to attendees. They will be able to follow and perform all hands-on labs. We built a real and functional embedded device that contains plenty of hardware vulnerabilities (Hard & Soft level): it's a vulnerable electronic lock board dedicated to hardware hacking training! (see photo above)
Industrial Control Systems (in)security is making headlines on a regular basis recently. Why? Are security experts crying wolf or do we have a real problem? This training will help you understand the specificities of OT (Operational Technology) compared to IT. Using this knowledge, we will identify the most common vulnerabilities, and then exploit them on several hands-on lab systems, including real ICS software and real PLCs!
Burp Suite Pro is the leading tool for auditing Web applications at large. Users are mainly penetration testers, QA people, or advanced developers. Mastering Burp Suite allows users to get the most out of a tool where they usually spend countless hours. Their work is then faster, less error-prone and more reproducible. Last but not least, more time and brain power are available to testers, who can focus on identifying and exploiting complex and creative bugs or vulnerabilities. Possible targets are classical web applications (of course) but also thick clients, mobile applications, internal networks or complex cloud deployments.
What information are you trying to protect? Why are you trying to protect it? What is your strategy for protecting it? Who's responsible for implementing that strategy? How will you know it works? Will it meet your compliance requirements? You may have answers to some or all of these questions, but a simple, pragmatic information security management system (ISMS) will provide a proven framework to ensure you effectively identify, minimise and manage the threats to your information. The training presents a practical, step-by-step guide for designing and implementing a cost-effective ISMS to meet your organisation's data security requirements and/or to comply with industry-recognised best practices (ISO 27001). This one-day practical training session includes:

- Defining information security goals & objectives
- Creating an information classification management policy
- Information asset & risk register formats
- Reviewing ISMS format options and an overview of automated tools available
- Identifying, locating and marking sensitive data
- Designing physical, technical and procedural security controls
- Defining control definitions, objectives and evidence production requirements
- Control testing requirements
- 3rd party liability and service level agreement statements
- Documentation required for demonstrating compliance
- Proving due diligence in the event of an incident or compromise
"Today's reality is this: No matter what business you are in, no matter where in the world you are, if you've got data, then your business is at constant risk." These are the words used by Robert J. McCullen to describe the current situation in the 2013 Global Security Report. IT and security professionals are faced with an increasing number of threats that are not only growing in volume, but also in sophistication and scale. This Python for Hackers course will provide you the tools and teach you the techniques to quickly identify and fix weaknesses in your corporate network. After a quick introduction to the Python programming language, you will learn through several hands-on exercises how to collect information about your target, launch complex Web attacks, extend world-class tools such as Burp Suite and WinDbg, discover 0-day vulnerabilities, write reliable exploits for Windows, and develop custom scripts for your Android phone.
What if someone could break into your place, steal, duplicate, alter things, and you didn't even know it happened? It's the nightmare of every Chief Information Security Officer, but even so, it's far easier than you would think. Would you like to own the master key of almost any master-keyed system? Would you like to be able to own any key or open any lock? The methods of intrusion covered in this training apply well to European, American and even Australian systems. This training will teach you a lot of different ways to beat high security systems, easily and efficiently. If you can do it, an attacker can do it also. Learning these techniques will help you to protect your assets, computers, hard drives, and your home and offices against industrial espionage from insiders and outsiders.
Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning security bugs identified in some of the greatest companies? If that sounds interesting, join this two-day hands-on training! Dawid Czagan will discuss security bugs that he has found together with Michał Bentkowski in a number of bug bounty programs (including Google, Yahoo, Mozilla, Twitter and others). You will learn how bug hunters think and how to hunt for security bugs effectively. To be successful in bug hunting, you need to go beyond automated scanners. If you are not afraid of going into detail and doing manual/semi-automated analysis, then this hands-on training is for you.
This will be a hands-on introduction to exploiting iOS applications. The training will be based on exploiting Damn Vulnerable iOS App and other vulnerable apps which are written by the trainer in order to make people understand the different kinds of vulnerabilities in an iOS application. This course will also discuss how a developer can secure their applications using secure coding and obfuscation techniques. After the workshop, the students will be able to successfully pentest and secure iOS applications. All the students will get a free copy of the Damn Vulnerable iOS App solutions, a PDF presentation with all the slides, an ebook on iOS application security, and all the necessary tools used to pentest iOS applications.
PowerShell has changed the way Windows networks are attacked. It is Microsoft's shell and scripting language, available by default in all modern Windows computers. It can interact with .NET, WMI, COM, the Windows API, the Registry and other computers on a Windows network. This makes it imperative for penetration testers to learn PowerShell. This training is aimed at attacking Windows networks using PowerShell and is based on real-world penetration tests done by the instructor. Various techniques like in-memory code execution, privilege escalation, backdoors, keylogging, data exfiltration, dumping system secrets in plain text, persistence, pivoting, pwning the Active Directory server, lateral movement in a network, etc. will be discussed. The course is a mixture of demonstrations, exercises, hands-on work and lecture. The course also has a CTF which attendees can try after the training. Attendees will be able to write their own scripts and customize existing ones for security testing after this training. This training aims to change how you test a Windows-based environment.