My talk will be about drone threats in general and how you can assess drone based threats. I will show the comprehensive threat assessment methodology and the countermeasures you can take against the drone threat. The threat assessment is based on a catalog of about 140 items. Particularly interesting will be looking at the drone threats in relation to:
Planting payloads at specific locations (i.e. hacking equipment transported to a target location)
Tampering with communication equipment with the help of drones
Insider threat: communicating with an insider with the help of a drone
Hacking the communication of a drone
Dominique C. Brack is a recognized expert in information security, including identity theft, social media exposure, data breach, cyber security, human manipulation and online reputation management. He is a highly qualified, top-performing professional with outstanding experience and achievements within key IT security, risk and project management roles confirming expertise in delivering innovative, customer-responsive projects and services in highly sensitive environments on an international scale. Mr. Brack is accessible, real, professional, and provides topical, timely and cutting edge information. Dominique’s direct and to-the-point tone of voice can be counted on to capture attention, and – most importantly - inspire and empower action.
Software engineering today has rightfully embraced the open source and cloud ecosystem to move faster and focus valuable engineering time on new problems instead of ones that have already been solved. As a result, we’ve collectively achieved more than we ever have in terms of technical advancement and production of new services. At the same time however, the supply chain of a modern application has gotten significantly more complicated as dependency trees have exploded and more vendors get introduced. This talk outlines 10 tactics that organizations can adopt to manage the modern supply chain without introducing excessive friction.
This talk is very much focused on process, specifically, 10 different tactics that participants can take and apply in their teams or organizations to manage supply chain risk, be it from vendors or OSS. To that end, I will be framing the problem up initially to talk about software composition analysis and dynamic dependency graphs as well as various cloud security and outsourced processor risks.
Robert Wood is a CSO, technologist, red teamer, strategic advisor, and speaker. Presently, Robert is the Chief Security Officer at Simon Data, a fellow at ICIT, and the founder of hackyourcybercareer.com. In these roles, Robert drives value creation by influencing and empowering others to succeed. Throughout Robert’s career, he has worked with, advised, and led many security programs and initiatives including the trust and security program at Nuna Health and the red team practice at Cigital.
Many networks can be reached from the outside as RJ45 cables are visible near various devices: CCTV cameras, billboards, etc.
The use of such an access point is attractive during red team engagements as well as real attacks. When the network is well configured, an intrusion should be detected by the change of link state (link-down, link-up). This can raise an alert for the security team and/or block the port.
We will see an intrusion scheme that is undetectable and gives the intruder a Man In The Middle position. The intrusion goes through four steps:
stripping the individual wires
replacing the initial cable portion by a dedicated electronics
using of the electronics as a TAP to gather information about the network
total traffic redirection to place the intruder in a MITM position with the opportunity to inject/modify traffic.
We have checked the transparency of this hack with several layer 2 protocols: no spanning tree topology change, VLAN compliant, LLDP compliant (the original switches on both sides still see each other), etc.
The hack is also undetectable by MAC and IP filters. This intrusion has already been successfully tested with a Cisco router and with Hirschmann switches (devices often used in industrial and SCADA networks). New tests are planned to assess the intrusion with devices from other network suppliers.
The presentation will include a live demonstration.
Since 2010, Erwan Broquaire has been a project manager in the ITS & road safety department of Cerema Sud-Ouest. Cerema is a French public study group.
Erwan Broquaire drives studies on cyber-security concerns for road operators, including evaluation of firewalls and pen tests.
He manages the development of the national video software solution of the Ministry in charge of transport: Vizird. He has driven many network architecture projects for road operators. He is a member of the list of experts assisting in the implementation of the ENISA Work Programme.
Erwan was representative of the French Ministry of Transport for the definition of the European standard Datex II in 2010.
Formerly he worked at DIRMC, the road operator for highways in the Massif Central (France).
Since 2011, Pierre-Yves Tanniou has been a project manager in the ITS & road safety department of Cerema Sud-Ouest. Cerema is a French public body supporting the definition, implementation and evaluation of public policies in the fields of sustainable development.
Pierre-Yves Tanniou drives studies on traffic management for French road operators, including the definition and qualification of applications for traffic management centers. Since 2016 he has also taken part in the validation of autonomous vehicle experiments for the French ministry.
Formerly he worked at SIER and DIRIF, the road operator for highways around Paris. After managing projects for traffic management equipment (traffic sensors, VMS, CCTV…), he drove the definition and deployment of data and energy networks to improve safety for 22 road tunnels.
Pierre-Yves Tanniou graduated as an engineer in electronics, signal processing (1990) and artificial intelligence (1991) at the polytechnic institute of Grenoble.
The Linux Audit daemon is responsible for writing audit records to disk, which you can then access with ausearch and aureport. However, it turns out that parsing and centralizing these records is not as easy as you would hope. Elastic's new Auditbeat fixes this by keeping the original audit configuration but shipping the records to a centralized location where you can easily visualize all events. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. This talk shows you what you can do to discover changes, events, and potential security breaches as soon as possible on interactive dashboards. Additionally, we combine auditd events with security-relevant logs.
Hardware hacking hit the news quite often in 2017, and a lot of pentesters tried to jump on the bandwagon and discover the joy of hacking things rather than servers or applications. But most of them are only looking for rootz shellz and p0wning embedded Linux operating systems rather than doing what we really call "hardware hacking". In this talk, we are going to hack a Bluetooth Low Energy smartlock, from its printed circuit board to a fully working exploit, as well as its (wait for it) associated mobile application you need to install to operate this thing.
This talk is not only an introduction to the field of hardware hacking, but also a good way to dive into electronics and its specific protocols, and of course into microcontroller and System-on-Chip reverse engineering. We will cover some basic electronics knowledge as well as tools and classic methodologies for analyzing an IoT device, and will provide tips and tricks based on our experience and our failures too.
In this talk, we demonstrate our methodology to analyze a "smart" device from PCB to exploit writing, with the associated tools and methodology. Our victim device for this talk is a Bluetooth Low Energy smartlock that uses a Nordic Semiconductor nRF52832 SoC as its “brain”.
The vendor claims this device is secure, but we found multiple vulnerabilities we will disclose during this talk. We will detail how we’ve found these issues and how we created our exploits to demonstrate these vulnerabilities. Moreover, we will provide some tools to analyze any nRF5x system-on-chip firmware from Nordic Semiconductor.
More importantly, we will give tips and tricks to attendees who are interested in (or already working in) reverse-engineering devices. We will also summarize the top 10 vulnerabilities seen in various devices we analyzed, as it may shed some light about the efforts vendors have to make to provide really secure hardware.
Damien Cauquil is a senior security researcher at Digital Security (CERT-UBIK), a French security company focused on IoT and related groundbreaking technologies. He has spoken at various international security conferences including Chaos Communication Camp, Hack.lu, Hack In Paris and a dozen times at the Nuit du Hack (one of the oldest French security conferences).
After all the loud news around the insecurity of mobile networks and some harsh real cases that were revealed, mobile operators started taking more sophisticated security measures. Apart from SMS Home Routing solutions, a newly grown market of signaling firewalls is slowly being adopted into operators' infrastructure.
This is the right way to withstand the basic attacks. We have been continuously investigating signaling network security for years. The results of last year's security assessments and security monitoring projects show that the situation became a little better. However, the same vulnerabilities are being exploited in sneaky, complicated ways that are enough to bypass the "straight-forward" security mechanisms.
In this talk, I am going to show some statistics on how the network vulnerability state evolved during the last 3 years. Moreover, I cannot leave without showing some new techniques caught during security monitoring and developed during penetration testing. These techniques allow bypassing security measures in some networks and include SMS Home Routing bypass, location tracking with position refinement and SS7 firewall bypass.
Telecom Security Expert, Positive Technologies.
Sergey was born in 1976. He graduated from Penza State University with a degree in automated data processing and management systems in 1998. Before joining Positive Technologies in 2012, he worked as a quality engineer at VimpelCom. Being a security expert in telecommunication systems at Positive Technologies, he is engaged in the research of signaling network security and in audits for international mobile operators.
He is part of the team that revealed vulnerable points in popular two-factor authentication schemes using texts and demonstrated how easy it is to compromise Facebook, WhatsApp, and Telegram accounts.
As an expert in telecom security, he researches signaling network security and participates in audits for international mobile operators.
Sergey is also the general developer of the Telecom Vulnerability Scanner tool and member of the Telecom Attack Discovery development team and co-author of Positive Technologies annual reports on telecom security.
However, advanced defenders are increasingly detecting this obfuscation with help from the data science community. This approach paired with deeper visibility into memory-resident payloads via interfaces like Microsoft’s Antimalware Scan Interface (AMSI) is causing some Red Teamers to shift tradecraft to languages that offer defenders less visibility. But what are attackers using in the wild?
In the past year numerous APT and FIN (Financial) threat actors have increasingly introduced obfuscation techniques into their usage of native Windows binaries like wscript.exe, regsvr32.exe and cmd.exe. Some simple approaches entail randomly adding cmd.exe’s caret (^) escape character to command arguments. More interesting techniques like those employed by APT32, FIN7 and FIN8 involve quotes, parentheses and standard input.
The most interesting obfuscation technique observed in the wild was FIN7’s use of cmd.exe’s string replacement functionality identified in June 2017. This discovery single-handedly initiated my research into cmd.exe’s surprisingly effective but vastly unexplored obfuscation capabilities.
In this presentation I will dive deep into cmd.exe's multi-faceted obfuscation opportunities, beginning with carets, quotes and stdin argument hiding. Next I will extrapolate more complex techniques including FIN7's string removal/replacement concept and two never-before-seen obfuscation and full encoding techniques, all performed entirely in memory by cmd.exe. Finally, I will outline three approaches for obfuscating binary names from static and dynamic analysis while highlighting lesser-known cmd.exe replacement binaries.
I will conclude this talk with a live demo of my latest obfuscation framework called Invoke-DOSfuscation that obfuscates cmd.exe payloads using these multi-layered techniques. I will also share detection implications and approaches for this genre of obfuscation.
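As an added example (not the author's Invoke-DOSfuscation code, and not part of the original abstract), the following Python normaliser shows the detection side of the three layers named above: it strips caret escapes, removes empty quote pairs and resolves `%VAR:old=new%` string replacement against `set` assignments on the same line, then scores how much obfuscation a process-creation command line carried. It approximates rather than reproduces cmd.exe parsing (carets inside quoted strings are literal to cmd.exe, but are stripped here on purpose); the sample command lines are constructed, not real telemetry.

```python
"""Normalise cmd.exe command lines so that caret escapes, empty quote pairs
and %VAR:old=new% string replacement fall away, then score the original line.

Detection aid, not a cmd.exe parser: we over-approximate (strip every caret,
even inside quotes) because a normaliser that misses an escape is worse for
string matching than one that removes a literal caret now and then."""
import re
from dataclasses import dataclass
from typing import Tuple

CARET_RE = re.compile(r"\^(.)", re.DOTALL)   # ^X -> X, so ^^ -> ^
EMPTY_QUOTES_RE = re.compile(r'""')           # ec""ho -> echo
# set NAME=VALUE, value runs to the next separator or closing quote
SET_RE = re.compile(r'\bset\s+"?([A-Za-z_]\w*)=([^"&|<>]*)', re.IGNORECASE)
# %NAME:old=new%  (old must be non-empty, new may be empty)
REPLACE_RE = re.compile(r"%([A-Za-z_]\w*):([^=%]+)=([^%]*)%")
PLAIN_VAR_RE = re.compile(r"%([A-Za-z_]\w*)%")

# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_LOGS = [
    'cmd.exe /c "echo hello"',
    'cmd.exe /c "e^c^h^o h^e^l^l^o"',
    'cmd.exe /c "ec""ho hel""lo"',
    'cmd.exe /c "set x=ecQho heQllo& call %x:Q=%"',
]


@dataclass
class Normalised:
    original: str
    normalized: str
    carets: int
    empty_quotes: int
    replacements: int

    @property
    def score(self) -> int:
        # A lone caret or quote pair is cheap noise; a string-replacement
        # expression is a deliberate construction and weighs more.
        return self.carets + 2 * self.empty_quotes + 4 * self.replacements


def expand_variables(line: str) -> Tuple[str, int]:
    """Resolve %VAR% and %VAR:old=new% against `set` assignments that appear
    earlier on the same line (cmd.exe's replacement is case-insensitive).
    Returns the expanded line and the number of replacement expressions."""
    env = {m.group(1).lower(): m.group(2).rstrip() for m in SET_RE.finditer(line)}
    count = 0

    def do_replace(m: "re.Match[str]") -> str:
        nonlocal count
        name, old, new = m.group(1).lower(), m.group(2), m.group(3)
        if name not in env:
            return m.group(0)          # unknown variable: leave untouched
        count += 1
        return re.sub(re.escape(old), lambda _: new, env[name], flags=re.IGNORECASE)

    line = REPLACE_RE.sub(do_replace, line)
    line = PLAIN_VAR_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), line)
    return line, count


def normalize(cmdline: str) -> Normalised:
    carets = len(CARET_RE.findall(cmdline))
    s = CARET_RE.sub(r"\1", cmdline)
    empty = len(EMPTY_QUOTES_RE.findall(s))
    s = EMPTY_QUOTES_RE.sub("", s)
    s, reps = expand_variables(s)
    return Normalised(cmdline, s, carets, empty, reps)


def is_suspicious(result: Normalised, threshold: int = 3) -> bool:
    """Threshold 3 tolerates a legitimate single caret (echo a ^| b) but
    flags repeated carets, split-token quoting or any resolved replacement."""
    return result.score >= threshold


def scan(lines):
    """Return (original, normalized, score, flagged) for each command line."""
    return [(n.original, n.normalized, n.score, is_suspicious(n))
            for n in map(normalize, lines)]


if __name__ == "__main__":
    for orig, norm, score, flag in scan(SAMPLE_LOGS):
        print(f"{'ALERT' if flag else 'ok   '} score={score:2d} {norm!r}  <- {orig!r}")
```

Feed the normalized field, not the raw command line, into whatever keyword or signature matching the SIEM already does.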
Do you believe in vendor claims that AI, or some equivalent, offers superior security? Is your organization ready to face the future… today?
The Hack in Paris 2018 debate will bring you to the edge of your seats, with Moderator Winn Schwartau asking the uncomfortably tough questions of debaters Michael J. Masucci and Dr. Greg Carpenter – and then it’s your turn.
We will explore ideas such as, “How can we trust vendor’s claims about AI performance in network security?” “How can we compare performance – honestly and fairly?” “Why won’t they disclose their methods… what are they hiding?” Remember Microsoft’s racist chat bot?
And then we explore how much we can actually “Trust” AI (or Machine or Deep Learning) technologies to make life and death judgements to replace human decision-making? Are organizations really ready to hand over security control to AI systems even though most CISO/CIO/CTOs don’t even know how they work? They need to be prepared!
Just before we hand over questions to the audience we MUST address autonomous hybrid cyber-kinetic systems, from drones (where do we point them to crash?) to self-driving vehicles (where nothing can go wwrrrrooonnnngggggg…a/k/a artificial stupidity). If you don’t know about the Trolley Problem, get engaged (or enraged!) when we examine how pre-programmed neural-network biases will decide who lives and dies! And do the same biases apply across every culture?
Become part of the discussion! Voice your opinion and questions.
But are there ANY answers? Is there a Cookbook?
Be there and find out. The Best Debate you will attend this year!
• Founder: www.thesecurityawarenesscompany.com (Interpact, Inc.), The Security Awareness Company
• Distinguished Fellow: Ponemon Institute, 2012+
• Advisor to the President: ISSA International
• Board member: Mobile Application Development Partners, LLC
• In November 2009, was named one of the Top 20 security industry pioneers by SC Magazine
• Named one of the Top 25 Most Influential People for 2008 by Security Magazine
• Voted one of the Top 5 Security Thinkers for 2007 by SC Magazine
• In 2002, honored as a "Power Thinker" and one of the 50 most powerful people by Network World
• He coined the term "Electronic Pearl Harbor" and was the Project Lead of the Manhattan Cyber Project Information Warfare and Electronic Civil Defense Team
• Founder of InfowarCon
Michael J. Masucci is an award-winning media producer, video artist, writer, musician, curator and mediator. He also currently serves as an Arts Commissioner for the City of Santa Monica, where he chairs its prestigious Public Art Committee. His collaborations have been exhibited at venues such as the Museum of Modern Art (New York), the Institute of Contemporary Art (London), the American Film Institute (Los Angeles) and the Autry National Center, on commercial television, as well as in festivals, galleries, conferences and universities. He has guest lectured at universities and conferences internationally, including at Caltech, USC, UCLA, the University of Helsinki and the New School.
Masucci holds a law degree as well as certificates in film, music, entrepreneurship, graphic design, mediation and conflict resolution.
Gregory Carpenter, CISM, is the owner of Gregory Carpenter Enterprises LLC and Chief of Security Testing for Titania Solutions, co-author of “Reverse Deception: Organized Cyber Threat Counter-Exploitation” and hosts a weekly radio program of the same name. He is an Adjunct Professor of statistics and IT and is on the International Board of Advisors of the Mackenzie Institute & Board of Directors of ATNA Systems. He served several years at the NSA, with over three decades in the army and is currently pursuing his doctorate in Public Health focusing on in vivo bionanorobotic device security. He is the recipient of numerous awards including the coveted National Security Agency Military Performer of the Year.
As security practitioners, we know what "secure software" is, but we do not always know how to actually achieve software assurance in the way we want it. Many valid questions arise when trying to fix a development function that does not think it has time or resources to create securely: How should you evaluate an existing software development program? What do you do once you’ve identified deficiencies in a process? How do you inject security into the organization’s framework? When insecure methods for creating and maintaining software have already been established, but the program does not include security or compliance, there are practical techniques you can use to elicit change, such as obtaining buy-in from stakeholders and closing process gaps. Any existing software development methodology can be updated to ensure security becomes a mandatory consideration at every step of the SDLC.
This is a process and people oriented talk. You can see more of my work and videos on my website, specifically https://architectsecurity.org/blog/april-c-wright-media-and-press/
April C. Wright is a Senior Security and Compliance Manager for Verizon, where she builds SDLC program maturity, implements eGRC, and performs risk reduction with a vengeance via leadership of comprehensive security programs for massive global infrastructures. She is a hacker who has spent the last 25+ years as a generalist, breaking, making, fixing, and defending all the things, while playing roles on offensive, defensive, operational, and development teams throughout her career. In 2017, she co-founded the Boston Defcon Group (DC617). Specializing in seemingly nothing (except maybe learning about everything in the hope of sharing and employing knowledge), April is a polymath who has collected dozens of certifications to add letters at the end of her name, from Social Engineering to Cloud Security to First Aid to Photography. She once read on teh interwebs that researchers at the University of North Carolina released a comprehensive report in 2014 confirming that she is the “most significant and interesting person currently inhabiting the earth”, so it must be true.
As a result of the exhaustion of the IPv4 free address space, more and more sites are becoming dual-stacked -- that is, available over both IPv4 and IPv6. In theory, IPv6 and IPv4 are just two similar network-layer protocols, and thus security policies (e.g. open TCP/UDP ports) should be the same for both protocols for any given site. In practice, this may not be the case. This talk presents the results of a wide-scale project in which the security policies of a number of sites were evaluated over both IPv4 and IPv6, shedding light on the mismatch of IPv6 and IPv4 security policies in the real world.
Fernando Gont specializes in the field of communications protocols security, working for private and governmental organizations from around the world.
Gont has worked on a number of projects for the UK National Infrastructure Security Co-ordination Centre (NISCC) and the UK Centre for the Protection of National Infrastructure (CPNI) in the field of communications protocols security. As part of his work for these organizations, he has written a series of documents with recommendations for network engineers and implementers of the TCP/IP protocol suite, and has performed the first thorough security assessment of the IPv6 protocol suite.
Gont is currently working as a security consultant and researcher for SI6 Networks. As part of his work, he is active in several working groups of the Internet Engineering Task Force (IETF), and has published 30 IETF RFCs (Request For Comments) and more than a dozen IETF Internet-Drafts. Gont has also developed the SI6 Networks' IPv6 Toolkit, a portable and comprehensive security toolkit for the IPv6 protocol suite, and the SI6 Networks' IoT Toolkit, a portable security toolkit for IoT devices.
Gont runs the IPv6 Hackers and the IoT Hackers mailing-lists, and has been a speaker at a number of conferences and technical meetings about information security, operating systems, and Internet engineering, including: CanSecWest 2005, Midnight Sun Vulnerability and Security Workshop/Retreat 2005, FIRST Technical Colloquium 2005, ekoparty 2007, Kernel Conference Australia 2009, DEEPSEC 2009, HACKLU 2011, DEEPSEC 2011, Hackito Ergo Sum 2012, H2HC 2017, H2HC 2019, Troopers 2019 and Hack In Paris 2018. Additionally, he is a regular attendee of the Internet Engineering Task Force (IETF) meetings.
Attacks targeting connected cars have already been presented at several conferences, as well as different tools to spy on CAN buses. However, there have been only a few attempts to create "something similar" to a useful backdoor for the CAN bus. Moreover, some of those proofs of concept were built upon Bluetooth technology, limiting the attack range and therefore hampering their effects.
Now we are happy to say that: Those things are old!
Throughout our research we have successfully developed a hardware backdoor for the CAN bus, called "The Bicho". Due to its powerful capabilities we can consider it as a very smart backdoor. Have you ever imagined the possibility of your car being automatically attacked based on its GPS coordinates, its current speed or any other set of parameters? The Bicho makes it all possible.
All this "magic" is provided by the assembler-coded firmware we developed for a PIC18F2580 microcontroller. Additionally, our hardware backdoor has an intuitive graphical interface, called "Car Backdoor Maker", which is open-sourced and allows payload customization. The Bicho supports multiple attack payloads and it can be used against any vehicle that supports CAN, without limitations regarding manufacturer or model. Each one of the payloads is related to a command that can be delivered via SMS, this way it allows remote execution from any geographical location.
Even more, as an advanced feature, the attack payload can be configured to execute automatically once the target vehicle is close to a given GPS location. The execution can also be triggered by detecting the transmission of a particular CAN frame, which can be associated with any given factor, such as the speed of the vehicle, its fuel level, and others. This feature provides the means to design highly sophisticated attacks and to execute them not only remotely but also automatically.
Sheila A. Berta: Sheila Ayelen Berta is an Information Security Specialist and Developer, who started at 12 years old by herself. At the age of 15, she wrote her first book about Web Hacking, published by RedUSERS Editorial in different countries. Over the years, Sheila has discovered several vulnerabilities in popular web applications such as Facebook, LinkedIn, Hotmail, ImageShack and others. Currently, Sheila works at Eleven Paths as a Security Researcher who specializes in web application security, reverse engineering and exploit writing. She is also a developer in ASM x86, C/C++, Python and the most popular web application technologies. Sheila is an international speaker who has presented different research at important security conferences such as Black Hat EU 2017, Black Hat Arsenal USA/EU, DefCon 25 CHV, Ekoparty Security Conference, HackLu, IEEE ArgenCon, OWASP Latam Tour, APPSEC Latam, DragonJARCon and others.
Current Chief Security Ambassador at Eleven Paths.
- Local chapter coordinator at Centro de Ciberseguridad Industrial of Argentina (a subsidiary of Centro de Ciberseguridad Industrial de España, CCI-Es.org)
- Former President of ISSA Argentina (2011-2013 and 2013-2015)
- Information security specialist consultant
- Professor of "Computer Forensics" and "Information Security" classes at Instituto Superior de Seguridad Pública (ISSP)
- Active member of several information security associations such as ISSA International, OWASP, Usuaria and Argentina Cibersegura
- Member of Segurinfo's academic committee from 2007 to date
- Guest speaker at several international information security conferences and events such as Black Hat USA 2017 Arsenal, DefCon 25 CHV, Ekoparty Security Conference and others
- Instructor on Ethical Hacking related topics such as Defense Methodologies, Platform Hardening, Web Security, and Anti-Forensic Techniques
- Social Engineering enthusiast
- Co-author of "Ethical Hacking, un enfoque metodológico" (Editorial Alfaomega, 2010)
- Co-organizer of the MS Doing Blue event
The past 4-5 years have completely changed the way pentesters & attackers think about Active Directory and enterprise security as a whole: Tactics, Techniques and Procedures (TTPs) have become increasingly sophisticated, as we've seen from malware and state-sponsored attacks.
Recently, open-source tool-sets have been created that can completely automate domain privilege escalation, lateral movement, post-exploitation and some (if not all) of the entire process of going from an unprivileged user on the network to Domain Administrator in almost every Active Directory environment regardless of its size or complexity: we are truly in the 'Golden Age' of Attack Automation.
In this presentation, we will examine the past, present & future of Active Directory security:
We will try to understand how we got here in the first place and take a deep dive into the research/open-source tools that have radically advanced the way we attack Active Directory.
We will look at real-world malware that has incorporated some form of automation or 'worm like' behavior and try to infer what even more sophisticated attacks might look like in the near future.
Finally, we will discuss what I consider to be the 'secure baseline' for any Active Directory environment and give you a Top 10 list of things you can do to secure your Active Directory network from these attacks using built-in utilities or free third-party Microsoft products, all without installing flashy-blinky boxes.
Marcello Salvati (@byt3bl33d3r) is a security consultant at BlackHills Infosec by day and by night a tool developer who discovered a novel technique to turn tea, sushi, alcohol and dank memes into somewhat functioning code. He’s also really good at writing bios. I know, at this point you’re probably asking yourself: “ Wait, how good of a bio writer is this guy? I need a quantifiable metric in order to come to a conclusion! The suspense is killing me!”. Well John Strand hired him so that he could continue to write them. Yeah… that’s how good. Checkmate Atheists! dab mic drop
The main aim of this session is to walk through the multiple vulnerabilities present in PBX systems that may pose a threat to any individual or organization. This talk will demonstrate multiple exploitable security vulnerabilities, including impact, attack scenario and mitigations, that we came across while playing with different PBX systems. Hackers could exploit these vulnerabilities to launch various security attacks, and security professionals will learn how to mitigate them. Our presentation will not be limited to one PBX vendor, but many.
A Live demonstration of vulnerabilities.
It's always exciting to know how hackers are finding new ways to gain access to your organization. Protection of the PBX is thus a high priority: a Private Branch Exchange (PBX) is an essential component that supports the critical functions of your organization.
In our talk, the following categories and demonstration will be included:
Internet connected PBX and gaining access
Caller ID Spoofing
Failing to protect your PBX can expose your organization to loss of confidential information or financial damage. Most of the organizations that have implemented a PBX are either unaware of or ignore the security issues with it. The real key to effective security is to keep ourselves always updated. Once you understand the threat, you are in a much better position to deploy security effectively.
Sachin Wagh has over four years of experience in penetration testing, vulnerability assessment and network security. He is an independent security researcher who has executed a number of external and internal vulnerability assessment and penetration testing activities. He has acquired several certifications, including CEH and ECSA. He has been acknowledged by Google, Microsoft, eBay, Nokia, Intel, ESET, F-Secure, Tesla, IBM and many more for reporting security vulnerabilities. He has multiple CVEs and BIDs under his name for reporting vulnerabilities in various products; some of the CVEs reported by him are CVE-2018-3812, CVE-2017-6517, CVE-2017-9542, and CVE-2016-6592. He has presented his security research paper at Hakon & National Cyber Security Conference. Currently, he is working as a security analyst at Symantec.
Himanshu Mehta (LPT, ECSA, CEH; EC-Council LPT Board Member; Covet.it Board Member; Speaker; Team Lead, Symantec) is passionate about computer security and for this reason actively and responsibly discloses security vulnerabilities to vendors. He is also involved in several bug bounty and Capture the Flag programs. As an advisory board member of EC-Council's Licensed Penetration Tester group, he actively contributes to making the security certification more challenging and interesting. He is also a board member at Covet.it, contributing to the discussion "Future of Cyber Security in Transforming Businesses". He has been invited as Chief Guest for several security events and has presented his security research paper at Hakon, BSides, InfoSecurity Europe, Hack In Paris, and National Cyber Security Conference. Currently, he is leading a security intelligence team at Symantec, which has given him good insight into cyber-security and helped him emerge as a creative leader. On the other hand, it has also increased his thirst to explore more in this field.
For quite some time now, WMI has resided in the main roster of techniques used by threat actors to perform lateral movement between endpoints. Despite the vast scope of classes and methods available through WMI, attackers moving laterally seem to rely almost exclusively on the "Create" method of the "Win32_Process" class, diving further into the depths of the WMI model only to perform reconnaissance and establish persistence.
This talk will exhibit various never-before-seen techniques for authenticated (file-based and fileless) remote execution using only pure WMI methods, along with stealthier enhancements of known techniques, all of which subvert many host- and network-based methods of detection without using the notorious Win32_Process class.
The talk will also describe the strengths and weaknesses of, and provide detection methods for, every technique described.
Since the first public appearance of HID attacks, many awesome research projects, tools and devices have been released. However, offensive security folks were always seeking cheap and dedicated hardware that could be controlled remotely (i.e. over WiFi or BT). And this is how WHID Injector and P4wnP1 were born. WHID stands for WiFi HID injector. It is a cheap but reliable piece of hardware designed to fulfill pentesters' needs related to HID attacks during their engagements. The core of WHID is mainly an ATmega32U4 (commonly used in many Arduino boards) and an ESP-12S (which provides the WiFi capabilities and is commonly used in IoT projects). P4wnP1 is a tool based on the Raspberry Pi Zero W, and it is a Bash Bunny on steroids. It has many cool features like Win10 Lockpicker, an HID backdoor (which bypasses air-gapped environments as well), a call-home feature, WiFi-based Karma and MANA attacks, etc. During the presentation we will see in depth how WHID & P4wnP1 were designed and we will compare their features. We will also look at which tools and techniques Blue Teams can use to detect and mitigate this kind of attack.
In the last few years, digital payment methods have had an incredible adoption rate in consumer devices around the world. Many big companies are adding NFC (Near Field Communication) support to all sorts of devices to allow consumers to make monetary transactions. Some of these companies protect themselves by implementing tokenization as part of the payment technology. However, it is well documented that it is possible to bypass these technologies using simple mechanisms. With all these changes in the NFC ecosystem, the information security field is not well prepared to protect against the increasing number of new attacks in this area.
Relay and replay attacks are becoming more common in the payment industry, and are getting more complex and sophisticated day by day. We are not just seeing simple skimming techniques but complex attack vectors that combine technologies and implementations involving SDR (Software-Defined Radio), NFC, APDUs (Application Protocol Data Units), hardware emulation design, specialized software, tokenization protocols and social engineering.
In this talk we will discuss what these attacks are and what kind of hardware or software could be used to implement them. We will also talk about how anyone may already have the hardware necessary to carry out one of these attacks, or can build a device to do so for $35. We will show real scenarios where these technologies, combined with RFID (Radio Frequency Identification) emulation, could exploit any type of NFC transaction and, worse, how the same attack methods could exploit new NFC implementations for years to come.
This talk uses exploitation hardware and demos; the presentation will include SDR communication, RFID emulation, APDU communication, and extraction of data from physical and digital cards.
Salvador Mendoza is a security researcher focusing on tokenization processes, magnetic stripe information and embedded prototypes. He has presented on tokenization flaws and payment methods at Black Hat USA, DEF CON 24/25, DerbyCon, Ekoparty, BugCON, 8.8, and Troopers 17/18. Salvador has designed different tools to pentest magnetic stripe information and tokenization processes; his toolset includes MagSpoofPI, JamSpay, TokenGet, SamyKam and, lately, BlueSpoof.
Security systems are evolving and becoming more complex, and so are hacking techniques. Every successful hack penetrating a network infrastructure has to evade multiple layers of security in a perfect sequence. Imagine yourself in an environment with diverse operating systems, servers and applications, with legacy as well as in-house developed products, and security solutions such as firewalls, AV, etc. How do you plan to go ahead and pwn them all? Learn to exploit and compromise targets where Metasploit will not work by default. Perform a wide array of tricks to discover, enumerate and pwn services, systems and domain controllers. Move around in an enterprise network with VLAN hopping to pwn some more. Analyze and exploit enterprise software components such as JBoss, MQ, CI/CD, domain controllers, database servers, network devices, etc.
• Experience with vulnerability assessment and penetration testing.
• Familiarity with web application security vulnerabilities.
• Basic knowledge of TCP/IP network protocol.
• Familiarity with virtualization tools like VMware/VirtualBox.
• Exposure to infrastructure penetration testing tools and techniques.
• Exploiting enterprise network.
• Live real-life scenarios.
• Multi vector attacks.
• Exploiting configuration vulnerabilities.
• Capture the Flag (CTF) to test skills.
• A laptop with administrator privileges.
• Minimum 50 GB of free hard disk space.
• Minimum 4 GB RAM for virtual machines.
• Laptop should have Ethernet and Wi-Fi capability.
• VMware Player or VMware Workstation installed.
• Information gathering and recon techniques
• Advanced payload obfuscation with Metasploit Framework
• Pivoting with Metasploit Framework
• Network device exploitation and VLAN Hopping
• Hacking the Evil Corp
• Discover apps and services
• Exploit configuration weaknesses for information gathering
• Exploit workstations
• Exploit MQ services
• Exploit CI/CD pipelines
• Exploit custom services
• Windows Server 2012 exploitation
• Windows Domain Controller exploitation
• Mac OS X exploitation
• Linux web app server exploitation
• Oracle database server enumeration and exploitation
Day 3 will host a Capture the Flag (CTF) contest where participants compete against each other in live hacking of the provided network. Scores will be tracked and made available in the CTF portal in real time.
Abhisek Datta is a security researcher and consultant with over 10 years of experience. His core areas of expertise include penetration testing, vulnerability analysis, exploit development, reverse engineering and malware analysis, and source code review. He has been involved in multiple high-profile reverse engineering and penetration testing projects for clients in India and abroad. He has multiple CVEs to his name for reporting vulnerabilities in various products, including CVE-2014-4117, CVE-2015-0085, CVE-2014-6113, CVE-2015-1650, CVE-2015-1682, CVE-2015-2376, and CVE-2015-2555. At present he heads the technology team at Appsecco Consulting Pvt. Ltd. and is responsible for security tools development and process automation.
Omair has over eight years of experience in penetration testing, vulnerability assessment and network security. He has been responsible for maintaining a secure network for mission-critical applications. His area of work includes vulnerability assessment, security audits, penetration tests, source code reviews and trainings. He was the lead penetration tester for various clients in the telecom, retail, government and banking sectors based in India, Saudi Arabia, Morocco, Mauritius, UAE, Kuwait, Oman and Bahrain, with team sizes varying from 5 to 8 members. He has also published security advisories for vulnerabilities in commonly used software such as Excel, RealPlayer, Internet Explorer and Chrome. His areas of expertise include vulnerability research, reverse engineering and fuzzing. Some of the latest CVEs reported by him are CVE-2015-1240, CVE-2015-1668, CVE-2015-0043, CVE-2015-0042, CVE-2014-4128, CVE-2014-6354, CVE-2014-4145, CVE-2014-4050, CVE-2014-1772, CVE-2014-0313, and CVE-2014-0263.
Omair holds various industry certifications.
The IPv6 protocol suite is the successor of the original IPv4 protocol suite and has been designed to accommodate the present and future growth of the Internet by providing a much larger address space than its IPv4 counterpart. The imminent exhaustion of the IPv4 address space has already resulted in the deployment of IPv6 in most large content distribution networks, a variety of ISPs, enterprises, and other production environments, and other organizations have already planned to deploy IPv6 in the short or near term. A number of factors make the IPv6 protocol suite interesting from a security standpoint. Firstly, being a new technology, technical personnel have much less experience with the IPv6 protocols than with their IPv4 counterparts, so the security implications of the protocols are likely to be overlooked when they are deployed on production networks. Secondly, IPv6 implementations are much less mature than their IPv4 counterparts, so it is very likely that a number of vulnerabilities will be discovered in them before their robustness matches that of IPv4 implementations. Thirdly, security products such as firewalls and NIDSs (Network Intrusion Detection Systems) usually have less support for the IPv6 protocols than for IPv4. Fourthly, the security implications of IPv6 transition/co-existence technologies on existing IPv4 networks are usually overlooked, potentially enabling attackers to leverage these technologies to circumvent IPv4 security controls in unexpected ways. Thus, the imminent global deployment of IPv6 has created a global need for security professionals with expertise in IPv6 security, so that the aforementioned issues can be mitigated.
While a number of training courses about IPv6 security exist, they either limit themselves to a high-level overview of IPv6 security and/or fail to cover a number of key IPv6 technologies that are vital in every real IPv6 deployment scenario. During the last few years we have offered the training course "Hacking IPv6 Networks", providing in-depth hands-on IPv6 security training to networking and security professionals around the world. Hacking IPv6 Networks (version 4.0) is a renewed edition of that course, with a tremendous increase in hands-on exercises and newly incorporated materials based on recent developments in the area of IPv6 security. The training is carried out by Fernando Gont, a renowned IPv6 security researcher.
Attendees are required to have a good understanding of the IPv4 protocol suite (IPv4, ICMP, ARP, etc.) and of related components (routers, firewalls, etc.). Additionally, attendees are expected to know the basic IPv4 troubleshooting tools, such as ping, traceroute, and network protocol analyzers (e.g., tcpdump). Basic knowledge of IPv6 is desirable but not required.
Network Engineers, Network Administrators, Security Administrators, Penetration Testers, and Security Professionals in general.
Attendees willing to perform the hands-on exercises are expected to bring a laptop with VirtualBox already installed. The minimum requirements for the laptop are: Intel Core Duo, 1.66 GHz; 4 GB of RAM; Ethernet and Wi-Fi network interface cards.
Introduction to IPv6
IPv4 address exhaustion
IPv6 transition/deployment mechanisms
IPv6: current state of affairs
Brief comparison between IPv6 and IPv4
IPv6 security overview
IPv6 Addressing Architecture
IPv6 address types
IPv6 address analysis
Implications for address scanning attacks & possible mitigations
Privacy implications & possible mitigations
Implications for end-to-end connectivity
IPv6 Header Fields
IPv6 header overview
Basic header fields
IPv6 Extension Headers (EHs)
General implications of EHs
Security implications of specific IPv6 EHs
Security implications of specific IPv6 options
IPv6 EHs in the real world
Exploitation of IPv6 EHs
Troubleshooting IPv6 EHs
Network reconnaissance with IPv6 EHs
Internet Control Message Protocol version 6 (ICMPv6)
ICMPv6 error messages
ICMPv6 informational messages
Network reconnaissance with ICMPv6
Neighbor Discovery for IPv6
Address resolution in IPv6
Address resolution messages and options
Neighbor Discovery cache
Neighbor Discovery attacks
Neighbor Discovery security controls
Evasion of Neighbor Discovery security controls
System configuration options
Stateless Address Auto-configuration (SLAAC)
SLAAC messages and options
Duplicate Address Detection (DAD)
SLAAC security controls
Evasion of SLAAC security controls
System configuration options
Dynamic Host Configuration Protocol version 6 (DHCPv6)
Sample DHCPv6 traffic
Security implications of DHCPv6
DHCPv6 security controls
Multicast Listener Discovery (MLD)
Introduction to MLD
Sample MLD traffic
Security implications of MLD
MLD security controls
IPsec Virtual Private Network (VPN)
DNS Support for IPv6
Exploitation of DNS reverse mappings
Evasion of IPv6 firewalls
Security Implications of IPv6 for IPv4-only Networks
IPv6 attacks on IPv4-only networks
Mitigating IPv6 attacks on IPv4-only networks
Automatic tunneling mechanisms
Attacks on automatic tunneling mechanisms
Network Reconnaissance in IPv6
Host scanning in IPv6
Port scanning in IPv6
Overview of penetration testing in IPv6
IPv6 Deployment Considerations
Designing an IPv6 address plan
Operating System hardening
IPv6 Attack and Defense
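The outline's "IPv6 address analysis" and "Implications for address scanning attacks & possible mitigations" items are illustrated by the following Python, added here as an example and not part of the course material. It shows why a 2^64 interface-identifier space is not the obstacle it appears to be when SLAAC derives the identifier from the MAC (modified EUI-64): one observed address leaks the MAC, and one vendor OUI leaves only 2^24 candidates per /64. It also shows the stable, semantically opaque identifier of RFC 7217 as the mitigation; the RFC leaves the PRF's exact input encoding to the implementer, so the HMAC-SHA256 layout used below is this example's own choice.

```python
"""SLAAC address analysis: EUI-64 structure, its scanning implications, and
the RFC 7217 stable-privacy mitigation. Added example; the MAC, OUI and
prefix values are made up. The PRF input layout in stable_privacy_iid() is
this example's choice (RFC 7217 only recommends SHA-256 as the PRF)."""
import hashlib
import hmac
import ipaddress
from typing import Iterator, Optional

EUI64_SEARCH_SPACE_PER_OUI = 1 << 24  # 24 NIC-specific bits per vendor OUI


def _mac_bytes(mac: str) -> bytes:
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return b


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 IID: insert ff:fe in the middle, flip the U/L bit."""
    b = _mac_bytes(mac)
    eui = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address a traditional SLAAC host forms in a /64 from its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac))


def mac_from_address(addr: str) -> Optional[str]:
    """Address analysis: recover the MAC from an EUI-64 address, else None."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # not EUI-64 derived (random, stable-privacy, manual, ...)
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{x:02x}" for x in mac)


def eui64_candidates(prefix: str, oui: str,
                     limit: Optional[int] = None) -> Iterator[ipaddress.IPv6Address]:
    """Enumerate the 2^24 EUI-64 addresses one vendor OUI can yield in a /64.

    This is the scan an attacker runs once a single host's vendor is known;
    a full sweep is feasible where brute-forcing 2^64 is not.
    """
    oui_b = bytes.fromhex(oui.replace(":", "").replace("-", ""))
    if len(oui_b) != 3:
        raise ValueError(f"not a 24-bit OUI: {oui!r}")
    total = EUI64_SEARCH_SPACE_PER_OUI if limit is None else min(limit, EUI64_SEARCH_SPACE_PER_OUI)
    for nic in range(total):
        mac = ":".join(f"{x:02x}" for x in oui_b + nic.to_bytes(3, "big"))
        yield slaac_address(prefix, mac)


def stable_privacy_iid(prefix: str, net_iface: str, network_id: str,
                       dad_counter: int, secret_key: bytes) -> int:
    """RFC 7217-style IID: F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret).

    The IID is stable per (prefix, interface) yet carries no MAC structure, so
    it defeats both mac_from_address() and the OUI-driven scan above. The RFC
    takes the IID from the least significant bits of the PRF output.
    """
    net = ipaddress.IPv6Network(prefix)
    msg = (net.network_address.packed[:8] + net_iface.encode() + b"\x00"
           + network_id.encode() + b"\x00" + dad_counter.to_bytes(2, "big"))
    digest = hmac.new(secret_key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[-8:], "big")


def stable_privacy_address(prefix: str, net_iface: str, network_id: str,
                           dad_counter: int, secret_key: bytes) -> ipaddress.IPv6Address:
    net = ipaddress.IPv6Network(prefix)
    iid = stable_privacy_iid(prefix, net_iface, network_id, dad_counter, secret_key)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


if __name__ == "__main__":
    prefix, mac = "2001:db8:1::/64", "00:1b:21:ab:cd:ef"  # constructed values
    addr = slaac_address(prefix, mac)
    print("SLAAC address:", addr, "-> MAC recovered:", mac_from_address(str(addr)))
    print("candidates for OUI 00:1b:21:", EUI64_SEARCH_SPACE_PER_OUI,
          "first:", next(eui64_candidates(prefix, "00:1b:21")))
    stable = stable_privacy_address(prefix, "eth0", "", 0, b"per-host-secret")
    print("stable-privacy address:", stable, "-> MAC recovered:", mac_from_address(str(stable)))
```

Modern operating systems default to stable-privacy or temporary (RFC 4941) identifiers, but embedded and network gear still commonly uses EUI-64, which is why address analysis and OUI-driven sweeps remain useful during reconnaissance and why the address plan should avoid predictable identifiers.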
"The great power of the Internet of Things comes with the great responsibility of security." IoT is the hottest technology and developments and innovations are happening at a stellar speed, but the security of IoT is yet to catch up. Since the safety and security repercussions are serious and at times life-threatening, there is no way you can afford to neglect the security of IoT products. "Practical Internet of Things (IoT) Hacking" is a research-backed and unique course which offers security professionals a comprehensive understanding of the complete IoT technology suite, including IoT protocols, sensors, client side, mobile, cloud and their underlying weaknesses. The extensive hands-on labs enable attendees to master the art, tools and techniques to find-n-exploit or find-n-fix the vulnerabilities in IoT, not just on emulators but on real smart devices as well. The course focuses on the attack surface of current and evolving IoT technologies in various domains such as home and enterprise automation. It covers, from the ground up, various IoT protocols including their internals, specific attack scenarios for individual protocols, and the open source software/hardware tools one needs in an IoT penetration testing arsenal. We also discuss in detail how to attack the underlying hardware of the sensors using various practical techniques. In addition to the protocols and hardware, we will focus extensively on reverse engineering mobile apps and native ARM/MIPS code to find weaknesses. Throughout the course we will use DRONA, a VM created by us specifically for IoT penetration testing. DRONA is the result of our R&D and has most of the required tools for IoT security analysis. We will also distribute DIVA-IoT, a vulnerable IoT sensor made in-house for hands-on exercises. The "Practical Internet of Things (IoT) Hacking" course is aimed at security professionals who want to enhance their skills and move to/specialise in IoT security.
The course is structured for beginner to intermediate level attendees who do not have any experience in IoT, reversing or hardware.
Basic knowledge of web and mobile security
Basic knowledge of Linux OS
Basic knowledge of programming (C, Python) would be a plus
Penetration testers tasked with auditing IoT
Bug hunters who want to find new bugs in IoT products
Government officials from defensive or offensive units
Red team members tasked with compromising IoT infrastructure
Security professionals who want to build IoT security skills
Embedded security enthusiasts
IoT developers and testers
Anyone interested in IoT security
Laptop with at least 50 GB free space
8+ GB minimum RAM (4+ GB for the VM)
External USB access
Administrative privileges on the system
Virtualization software: VirtualBox 5.X (including the VirtualBox Extension Pack)
Linux machines should have exfat-utils and exfat-fuse installed (e.g. sudo apt-get install exfat-utils exfat-fuse)
Virtualization (VT-x) option enabled in the BIOS settings for VirtualBox to work
Latest OS on the host machine (e.g. Windows 7 is known to cause issues)
Introduction to IoT
Identify attack surfaces
IoT Protocols Overview
Hands-on with open source tools
Cross-protocol HTTP attacks
Hands-on with open source tools
Introduction and protocol Overview
Reconnaissance (Active and Passive)
Sniffing and Eavesdropping
Software Defined Radio
=Introduction to gnuradio concepts
=Creating a flow graph
=Analysing radio signals
=Recording specific radio signal
Introduction and protocol Overview
Reconnaissance (Active and Passive)
Sniffing and Eavesdropping
Hands-on with RZUSBstick and open source tools
Introduction and protocol Overview
Reconnaissance (Active and Passive) with HCI tools
GATT service Enumeration
Sniffing GATT protocol communication
Reversing GATT protocol communication
Reading and writing on GATT protocol
L2CAP smashing
Cracking encryption
Hands-on with open source tools
Introduction to Android
App reversing and Analysis
Procedure call convention
System call convention
Procedure call convention
System call convention
Firmware analysis and reversing
Simulating device environments
IoT hardware Overview
Introduction to hardware
Analyzing the board
=Interfacing with I2C
=Manipulating Data via I2C
=Sniffing run-time I2C communication
=Interfacing with SPI
=Manipulating data via SPI
=Sniffing run-time SPI communication
=What is UART
=Identifying UART interface
=Accessing sensor via UART
=Identifying JTAG interface
Aseem Jakhar is the Director of Research at Payatu (payatu.com), a boutique security testing company specializing in IoT, embedded, mobile and cloud security assessments. He is well known in the hacking and security community as the founder of null - The open security community, a registered not-for-profit organization (http://null.co.in), and also the founder of the nullcon security conference (nullcon.net) and the hardwear.io security conference (http://hardwear.io). He has worked on various security software including UTM appliances, messaging/security appliances, an anti-spam engine, anti-virus software, a transparent HTTPS proxy with captive portal, and a Bayesian spam filter, to name a few. He currently spends his time researching IoT security and hacking things. He is an active speaker and trainer at security conferences such as AusCERT, Black Hat, Brucon, Defcon, Hack In The Box, Hack.lu, Hack In Paris, PHDays and many more. He is the author of various open source security tools including:
1. ExplIoT - an open source Internet of Things security testing and exploitation framework: https://bitbucket.org/aseemjakhar/expliot_framework
2. Linux thread injection kit - Jugaad and Indroid, which demonstrate a stealthy in-memory malware infection technique. Indroid: https://bitbucket.org/aseemjakhar/indroid Jugaad: https://bitbucket.org/aseemjakhar/jugaad
3. DIVA (Damn Insecure and Vulnerable App) for Android, which gamifies Android app vulnerabilities and is used for learning Android security issues: https://github.com/payatu/diva-android
4. Dexfuzzer - a Dex file format fuzzer: https://bitbucket.org/aseemjakhar/dexfuzzer/src
Everyone has heard about hackers. It is commonly known that their jobs differ from system administrators' jobs. However, the things they do in their darkened rooms are definitely interesting and worth knowing, and many of the techniques they use are very useful in everyday administration tasks. Is it that easy to get into systems? What about Windows 10: do all of its security features prevent all of the attacks that were possible before? Well, no! We need to know how to implement those features properly in order to be on the safe side. Windows 10 is designed to protect against known and emerging security threats across the spectrum of attack vectors, but this is only achieved when its settings are configured properly. Hackers' knowledge is considered valuable, both by system creators and by common users. Administrators do not have to be taught how to be a hacker; it is often enough to show them one simple but very interesting tool or technique to change their point of view on their own IT environment. The topics covered in this seminar help you walk in a hacker's shoes and evaluate your network from their point of view. Be careful: this workshop is designed for IT and security professionals who want to take their skills and knowledge to the next level. After this workshop you will be familiar with hacker techniques and with how to protect yourself against them. This is a three-day training with demos and reasonable, smart explanations.
Minimum 6-8 years of IT experience
Network administrators, infrastructure architects, security professionals, systems engineers, IT professionals, security consultants and other people responsible for implementing network and perimeter security.
Module 1: Hacking Windows Platform
a) Detecting unnecessary services
b) Misusing service accounts
c) Implementing rights, permissions and privileges
d) Direct Kernel Object Modification
Module 2: Top 50 tools: the attacker's best friends
a) Practical walkthrough through tools
b) Using tools against scenarios
Module 3: Modern Malware
a) Techniques used by modern malware
b) Advanced Persistent Threats
c) Fooling common protection mechanisms
Module 4: Physical Access
a) Misusing USB and other ports
b) Offline Access techniques
c) BitLocker unlocking
Module 5: Intercepting Communication
a) Communicating through firewalls
b) Misusing Remote Access
c) DNS based attacks
Module 6: Hacking Web Server
a) Detecting unsafe servers
b) Hacking HTTPS
c) Distributed Denial of Service attacks
Module 7: Data in-Security
a) File format attacks for Microsoft Office, PDF and other file types
b) Using incorrect file servers’ configuration
c) Basic SQL Server attacks
Module 8: Password attacks
a) Pass-the-Hash attacks
b) Stealing the LSA Secrets
Module 9: Hacking automation
a) Misusing administrative scripts
b) Script based scanning
Module 10: Designing Secure Windows Infrastructure
There are thousands of solutions on the market to enrich security in our infrastructure. The idea of this module is to provide complete knowledge and a holistic approach to the areas that can be secured and the measures that can be implemented.
Module 11: Securing Windows Platform
a) Defining and disabling unnecessary services
b) Implementing secure service accounts
c) Implementing rights, permissions and privileges
d) Driver signing
Module 12: Malware Protection
a) Techniques used by modern malware
b) Malware investigation techniques
c) Analyzing cases of real malware
d) Implementing protection mechanisms
Module 13: Managing Physical Security
a) Managing port security: USB, FireWire and other
b) Mitigating Offline Access
c) Implementing and managing BitLocker
Module 14: Deploying and configuring Public Key Infrastructure
a) Role and capabilities of the PKI in the infrastructure
b) Designing PKI architecture
c) PKI Deployment – Best practices
Module 15: Configuring Secure Communication
a) Deploying and managing Windows Firewall – advanced and useful features
b) Deploying and configuring IPsec
c) Deploying secure Remote Access (VPN, Direct Access, Workplace Join, RDS Gateway)
d) Deploying DNS and DNSSEC
Module 16: Securing Web Server
a) Configuring IIS features for security
b) Deploying Server Name Indication and Centralized SSL Certificate Support
c) Monitoring Web Server resources and performance
d) Deploying Distributed Denial of Service attack prevention
e) Deploying Network Load Balancing and Web Farms
Module 17: Providing Data Security and Availability
a) Designing data protection for Microsoft Office, PDF and other file types
b) Deploying Active Directory Rights Management Services
c) Deploying File Classification Infrastructure and Dynamic Access Control
d) Configuring a secure File Server
e) Hardening basics for Microsoft SQL Server
f) Clustering selected Windows services
Module 18: Mitigating the common password attacks
a) Performing Pass-the-Hash attack and implementing prevention
b) Performing the LSA Secrets dump and implementing prevention
Module 19: Automating Windows Security
a) Implementing Advanced GPO Features
b) Deploying Software Restriction: Applocker
c) Advanced Powershell for administration
DPAPI, Platform Security, Credential attacks
Paula Januszkiewicz is CEO and Founder of CQURE Inc. and CQURE Academy. She is also an Enterprise Security MVP, a Microsoft Regional Director and a cybersecurity expert, consulting customers all around the world. She has her heart and soul in the company, with a deep belief that positive thinking is the key to success. Paula established CQURE in 2007 and since then has continued to build the team's cybersecurity skills, currently owning and managing CQURE departments in New York (US), Dubai (UAE) and Zug (Switzerland), in addition to the headquarters in Warsaw (Poland). Paula is a top speaker at many well-known conferences, including Microsoft Ignite 2015 (rated No. 1 speaker) and RSA (in 2017 in San Francisco her session was one of the 5 hottest sessions). Paula performs penetration tests, architecture consulting, trainings and seminars. She also creates security awareness programs, including sessions for executives (telecoms, banks, etc.). Paula loves sharing her knowledge with others and is the type who suffers when doing nothing: every year she takes over 215 flights to visit customers. You can always expect some thoughtful ideas and interesting arguments!
You can, quite reasonably, expect smart locks and access control systems to be free from the alarming security vulnerabilities that are so common in the average IoT device. Well, this training will prove you wrong. After performing multiple hands-on exercises with a dozen real devices and various technologies, you will never look at these devices the same way.
During this course students will perform wireless sniffing, spoofing, cloning, replay, DoS, authentication and command-injection attacks. Practical exercises will include investigating proprietary network protocols, demystifying and breaking "military grade encryption", abusing excessive services, intercepting wireless remote controls, brute-forcing PINs via voice calls and attacking building automation systems. The offensive exercises will teach you how to analyze the devices' security, and the best-practice guidelines will help you design them properly.
The software activities will be mixed with short entertaining tricks, including opening a lock with a strong magnet, counterfeiting fingerprints on a biometric sensor, or opening a voice-controlled lock by remotely hacking speaker-enabled devices. Several tasks will be associated with an electromagnetic lock guarding a special vault. Whenever a student succeeds in hacking the lock, the box opens automatically and reveals a hidden reward.
Covering a wide range of topics and technologies (including NFC, Bluetooth Smart, embedded Linux, Wiegand, WiFi, P2P, SDR, GSM, KNX, ...) guarantees that, regardless of whether you are a beginner or a skilled pentester, you will learn something new and have a good time. The training includes a hardware pack (over 100 EUR value) for each student, consisting of a preconfigured Raspberry Pi, NFC board, RTL-SDR dongle and Bluetooth Low Energy sniffer. The hardware will introduce you to the world of RF analysis and allow you to crack and clone NFC cards and sniff and analyse Bluetooth Low Energy connections.
UID-based access control - practical exercises on example reader + door lock
Wiegand - wired access control transmission standard
Mifare Classic & its weaknesses - practical exercises based on hotel door lock system, ski lift card, bus ticket
Reverse-engineering data stored on card
Introduction to Proxmark, Low Frequency cards (EM4100, HID Prox).
Summary of known attacks and security issues of Mifare Plus, DESFire, Ultralight C, HID iClass ...
based on multiple devices (including 7 various smart locks) and tools developed by the trainer: GATTacker BLE MITM proxy and deliberately vulnerable Hackmelock (consisting of Android mobile application and lock device simulated on Raspberry Pi).
BLE advertisements and beacons
Sniffing BLE connections using RF layer hardware
HCI dump (Linux, Android) - setup, analysis, difference from RF-layer sniffing, replay/fuzzing possibilities.
Attacking services exposed by devices
Device spoofing, active MITM interception
Mobile application analysis, attacks on proprietary authentication and protocols
Relay attacks - abusing automatic proximity features (e.g. smart lock autounlock).
Remote access share functions and their weaknesses - how to bypass timing restrictions.
How to create own, independent server-side API for device - based on a real smart lock vendor, which disappeared and shut the servers, effectively rendering the device e-waste.
Introduction to Web Bluetooth, Bluetooth Mesh, Bluetooth 5.0
BLE Hackmelock - open-source software emulated device with multiple challenges to practice at home.
BLE best practices and security checklist - for security professionals, pentesters, vendors and developers.
based on wireless door lock, alarm+home automation system and other devices:
based on fingerprint sensor device, wireless door lock, alarm system, HVAC controller
an example installation connected to electromagnetic lock
based on remote control alarm system
how to disarm an alarm using a wire connected to a Raspberry Pi
Software Defined Radio - tools and hardware
you will also be able to try:
Speaker, trainer and IT security consultant with over 15 years of experience. He has participated in countless security assessments of systems and applications for leading financial companies, public institutions and cutting-edge tech startups. He currently leads research on various topics at the Polish software security company SecuRing and provides trainings on the security of contemporary locks and access control systems (www.smartlockpicking.com). Besides research and training, he focuses on consulting and designing secure solutions for various software and hardware projects during all phases, starting from scratch. He has previously given talks, workshops or trainings at HackInParis, BlackHat USA, multiple AppSec EU events, HackInTheBox Amsterdam, Deepsec, BruCON, Confidence, Devoxx and many other events.
New-generation malware and attacks have been targeting ICS and related systems, causing huge monetary and human-life losses. ICS systems remain vulnerable in nature, largely because they are poorly understood. Penetration testing of ICS systems is a very niche field which requires in-depth knowledge and has a huge dependency on hardware availability.
This course will concentrate on methodologies for penetration testing of commercial hardware devices such as PLCs as well as simulators, and provides an excellent opportunity for participants to gain hands-on experience in penetration testing of these devices and systems. The course also focuses on hardware analysis of embedded systems and fuzzing techniques over ICS protocols to identify 0-day vulnerabilities. The ICS setup will simulate an ICS infrastructure with real-time PLCs and a SCADA application. At the end of the course there will be an ICS CTF, with some goodies to give away to the winners.
Throughout the course, we will use DRONA-ICS, a VM created by us specifically for ICS and IoT penetration testing. DRONA is the result of our R&D and has most of the required tools for ICS and IoT security analysis. We will also distribute DIVA – ICS, a vulnerable embedded sensor made in-house for hands-on exercises.
The “Practical Industrial Control System (ICS) Hacking” course is aimed at security professionals who want to enhance their skills and move to/specialize in ICS security. The course is structured for beginner to intermediate level attendees who do not have any experience in ICS, reversing or hardware.
ICS CTF Challenge at the end of the course.
Arun is a hardware, IoT and ICS security researcher, working with Payatu Software Labs as Sr. Security Researcher. His areas of interest are hardware security, SCA (side-channel analysis), fault injection, RF protocols and firmware reverse engineering. He also has experience performing security audits for both government and private clients. He has presented talks at nullcon Goa 2016 and 2017, GNUnify 2017 and DefCamp 2017, and is co-trainer for the Practical IoT Hacking training, delivered at HITB 2017, HIP 2017 and for private clients in London, Australia, Sweden, the Netherlands, etc. He is an active member of null - The open security community.
Industrial Control Systems (in)security has been making headlines on a regular basis recently. Why? Are security experts crying wolf, or do we have a real problem? This training will help you understand the specificities of OT (Operational Technology) compared to IT. Using this knowledge, we will identify the most common vulnerabilities and then exploit them on several hands-on lab systems, including real ICS software and real PLCs. We'll conclude this training with an engaging half-day ICS Capture the Flag!
All attendees will need to bring a laptop capable of running virtual machines (4 GB of RAM is a minimum). Each attendee will be given a USB key with a custom Kali virtual machine that includes the specific tools we will use as well as the lab files (pcaps, etc.), and a Windows virtual machine with specific ICS software for the lab sessions.
This training is aimed at security professionals willing to deep-dive into Industrial Control Systems with real-world, hands-on sessions. There is no specific requirement for attendees except a basic infosec culture.
All attendees will need to bring a laptop capable of running virtual machines (4GB of RAM is a minimum)
Module 1: Introduction to ICS
For starters, we will introduce the concept of ICS. The topics will include:
A brief history of ICS
The CIM model
ICS components (PLCs, HMI, SCADA, DCS, sensors, RTUs, Historian, etc) and their roles
OT vs IT
Module 2: Pentesting Basics & tools
This module will introduce the concept of a penetration test. We will not spend too much time on the theoretical stuff (how to write a report, etc.) since that is not what attendees are looking for. However, this module is required to ensure that everyone shares at least the basic concepts of penetration testing, in order to understand the rest of the training.
The module will include:
OSINT for ICS: where to look to find information
Reconnaissance: port scanning and Nessus
Exploitation: Metasploit basics
Toolz used: nmap, Nessus, Metasploit
Lab setup: Windows Servers and workstations, Metasploitable, Kali Linux
Module 3: Windows basics and pentesting Windows
Unfortunately, any ICS now includes, at least in some areas, Windows systems. So some time must be spent on Windows basics. This module will introduce the following topics:
Windows Active Directory
How to find credentials on Windows systems
Exploiting and pivoting to gain Domain Admin privileges
A selection of hacking techniques will be applied on lab machines
Even if you are already knowledgeable about Windows and its security, I’m quite sure I can show you some new tricks :)
Module 4: Common ICS vulnerabilities
This module will introduce the most common vulnerabilities found during ICS audits:
Lack of network segmentation / Exposure
Lack of hardening
ICS protocols insecurity
Module 5: ICS protocols
This module will introduce the most common ICS protocols:
Attendees will analyze network captures and be introduced to software libraries/clients to use these protocols to talk to PLC simulators as well as real PLCs.
Module 6: Introduction to safety for security pros
This module will introduce the safety knowledge required to understand the OT world. The different concepts of safety will be detailed, as well as the leading standards and hazard analysis. The differences with IT risk analysis will be mentioned and, to finish, a basic case study will be performed.
Module 7: Programming PLCs [HS]
In order to have a better understanding of how a PLC works, students will use dedicated software to program a PLC in ladder logic (using trial versions of TIA Portal and/or SoMachine Basic). Students will then deploy the code to real PLCs.
Toolz used: TIA Portal / SoMachine Basic
Lab: Windows virtual machine and real PLCs from Schneider and Siemens
Module 8: Pentesting ICS [HS]
This module will be composed mostly of lab sessions, in order to apply the knowledge learned during module 5:
Theory and general warnings when performing tests in real ICS environments
Network capture analysis & replaying packets
Talking industrial protocols: Modbus, S7…
Additional PLC features: web server, FTP, SNMP…
Toolz used: nmap, Nessus, Metasploit
Lab: Windows Servers and workstations, Kali Linux, Siemens and Schneider PLCs
Module 9: Securing ICS [HS]
We all know it: all clients want to know what they can do to improve the security of their systems. This module will detail the technical and organizational measures one may take to secure an ICS. This will include: system hardening, network segmentation, sharing data with IT systems, and security monitoring.
The leading security standards will also be mentioned and briefly compared.
Toolz used: Windows virtual machine, IDS
Lab: Students will have to configure an IDS virtual machine and verify its effectiveness, and write a new attack signature for an attack previously performed.
Module 10: Case study PM
In this module, students will be given information and network diagrams about a case-study ICS. They will have to highlight the security weaknesses and come up with recommendations.
Module 11: Capture The Flag [HS]
A good training must include “real-life” examples and labs. To go further than the individual labs, we will dedicate the last half-day of the training to a Capture The Flag event. To do so, I will have a specific setup where attendees will be able to use their newly-acquired knowledge on a simulation of a “real-life” system. This will include compromising a Windows host, pivoting to the ICS, understanding the industrial process, and finally capturing a real flag with a robot hand!
Arnaud Soullié (@arnaudsoullie) is a manager at Wavestone. For 9 years, he has been performing security audits and pentests on all types of targets. He specializes in Industrial Control Systems and has performed ICS assessments all over the world in all industries: energy (power plants, gas transportation & storage), pharmaceutical, food industry… He has also spoken at numerous security conferences on ICS topics: BlackHat Europe, BruCon, 4SICS, BSides Las Vegas, DEFCON… He is also the creator of DYODE, a low-cost, DIY data diode for ICS (https://github.com/wavestone-cdt/dyode).
EC-Council's CCISO Program has certified leading information security professionals around the world. A core group of high-level information security executives, the CCISO Advisory Board, contributed by forming the foundation of the program and outlining the content that would be covered by the exam, body of knowledge, and training. Some members of the Board contributed as authors, others as exam writers, others as quality assurance checks, and still others as trainers. Each segment of the program was developed with the aspiring CISO in mind and looks to transfer the knowledge of seasoned professionals to the next generation in the areas that are most critical in the development and maintenance of a successful information security program.
The Certified CISO (CCISO) program is the first of its kind training and certification program aimed at producing top-level information security executives. The CCISO does not focus solely on technical knowledge but on the application of information security management principles from an executive management point of view. The program was developed by sitting CISOs for current and aspiring CISOs.
To sit for the exam after taking training, candidates must have five years of experience in three of the five CCISO Domains verified via the Exam Eligibility Application.
Current and aspiring CISOs and/or CIOs.
Expert in the area of information security, with an active career in IT as a background and a long list of passions such as traveling the world, music and football. He entered the international cyber community 10 years ago and never left. He is a regular speaker at local government conferences. He speaks on subjects such as privacy, cyber security, implementing information security management systems (ISMS) and how to audit and maintain them. He implemented the first nationally approved citizen electronic ID in Dutch local government. He helps companies become aware of cyber threats and how to protect their valuable assets. He addresses not only the technical approach but especially the human factor of cyber threats.
The Corelan Live Bootcamp is a truly unique opportunity to learn both basic & advanced techniques from an experienced exploit developer. During this 3 day course, students will be able to learn all ins and outs about writing reliable exploits for the Win32 platform. The trainer will share his "notes from the field" and various tips & tricks to become more effective at writing exploits.
We believe it is important to explain the basics of buffer overflows and exploit writing, but this is most certainly not "your average" entry level course. In fact, this is one of the finest and most advanced courses you will find on Win32 stack based exploit development.
This hardcore hands-on course will provide students with a solid understanding of current Win32 (stack based) exploitation techniques and memory protection bypass techniques. We make sure the course material is kept updated with current techniques, includes previously undocumented tricks and techniques, and details about research we performed ourselves. Combined with the way the course is built up, this will turn these 3 days into a truly unique experience.
During the course, we not only share techniques and mechanics, but we also want to make sure you understand why a given technique is used, why something works and why something doesn’t work.
We believe those are just a few arguments that make this training stand out from other exploit development training offerings. Feel free to check our testimonials page if you want to see real, voluntary, unmodified and uncensored reactions by some of our students: https://www.corelan-training.com/index.php/testimonials/
Finally, we offer you post-training support as well. If you have taken the course and you still have questions afterwards, we will help.
Are you interested in the process of turning an advisory into a working exploit? Do you want to figure out whether a given security patch/hotfix should be applied immediately or not? Do you want to learn how to read and understand existing exploits? Have you ever found yourself in a position where you had to change an existing exploit but failed to make it work? Do you want to write reliable exploits and integrate them into Metasploit? Do you want to know how shellcode works? Do you already have basic knowledge of Win32 exploit development, but want to learn more about some of the more advanced topics listed below (see course overview)? Did you read the Corelan exploit development tutorials, but still want to take the classes to fully understand and master the concepts? Do you have other reasons to learn how to write exploits for the Win32 platform? Are you willing to suffer and bleed a bit, learn fast, and not be intimidated by debuggers and assembly instructions… then this course is what you need!
Pentesters, auditors, network/system administrators, reverse engineers, malware analysts, developers, members of a security department, security enthusiasts, or anyone interested in exploit development.
You can find more details about the course contents at
Students should:
be able to read simple C code and simple scripts
be familiar with writing basic scripts using python/ruby/…
be ready to dive into a debugger and read asm for hours and hours and hours
be ready to think out of the box and have a strong desire to learn
be fluent with managing Windows / Linux operating systems and with using VMware Workstation/VirtualBox
be familiar with using Metasploit
No prior knowledge of assembly is required, but it will certainly help if you have some basic knowledge.
Unless specified otherwise, students are required to bring the following:
A laptop (no netbook) with VMware Workstation/VirtualBox and enough processing power and RAM (we recommend 4 GB of RAM) to run up to 2 virtual machines at the same time. The use of a 64-bit processor and a 64-bit operating system on the laptop will make the exercises more realistic. Two virtual machines installed (Windows 7 SP1, Kali Linux).
Note: you will receive the exact installation instructions after registration, so don’t start installing the VMs yet.
All required tools and applications will be provided during the training or will be downloaded from the internet during the training.
You must have full administrator access to all machines. You must be able to install and remove software, and you must be able to disable and/or remove firewall/antivirus/… when necessary.
Peter Van Eeckhoutte is the founder of Corelan Team and the author of the well-known tutorials on Win32 Exploit Development Training, available at https://www.corelan.be. The team gathers a group of IT Security enthusiasts and researchers from around the world, who all share common interests: doing research, gathering & sharing knowledge, and performing responsible/coordinated disclosure. Above all, the team is well known for their ethics and their dedication to helping other people in the community. Together with the team, he has developed and published numerous tools that assist pentesters and exploit developers, and published whitepapers/videos on a wide range of IT Security related topics (pentesting tools, (malware) reverse engineering, etc.). In addition to operating an IRC channel (freenode, channel #corelan), the team is running a Slack workspace (corelan.slack.com). You can get access to Slack by checking out the Corelan Facebook page (@CorelanGCV) or Twitter account (@CorelanGCV), looking for the most recent Slack invitation. Peter is reachable on Twitter (@corelanc0d3r).
Peter has been an active member of the IT Security community since 2000 and has been working on exploit development since 2006.
He has presented at various international security conferences (Athcon, Hack In Paris, DerbyCon, ISSA Belgium) and taught various Win32 Exploit Development courses at numerous places around the globe. He has trained security enthusiasts & professionals from private companies, government agencies and military organizations.
This training will focus on all major aspects of the Windows post-exploitation process: breaking restricted environments, subverting operating system controls, privilege escalation (logic/configuration/permission/software bugs), bypassing User Account Control (UAC) and persistence. The training will be beneficial to attackers and defenders alike. Participants will gain an in-depth understanding of common pitfalls when configuring the Windows estate. They will see what tools the attacker has at his disposal, how to live off the land and where to achieve long-term residence once access has been acquired. All sections of the training are accompanied by intense hands-on labs where students will put the theory into practice. The training will simulate real-world environments, allowing attendees to later directly apply the content in the field! A detailed understanding of Windows is not required to attend the training; however, a basic familiarity with the Windows command line (cmd/PowerShell), the Sysinternals Suite and certain concepts such as scheduled tasks, services and UAC will be greatly beneficial.
Members of the red & blue team, penetration testers, system administrators, SOC analysts and security enthusiasts.
Desktop lockdown (Group Policy/SRP)
Getting an explorer window
Native/custom command line interfaces
Breaking Kiosks and Citrix environments
Bypassing AppLocker/DeviceGuard restrictions
Abusing token privileges
=User Account Control=
What is UAC and how does it work
Process Status API
Windows Side-By-Side Assembly
Creating proxy DLLs
Fileless UAC bypass
Abusing process tokens
Bypassing “Always Notify”
Using the registry
Manipulating File Associations
WMI Permanent Event Subscriptions
Application Compatibility Shims
COM Handler Hijacking
Leveraging Office and Outlook
Evasion (ADS/corrupted NTFS folder structures/processor variables)
HackerOne bug hunters had earned $20 million in bug bounties up to 2017, and they are expected to earn $100 million by the end of 2020. Some of HackerOne's customers include the United States Department of Defense, General Motors, Uber, Twitter, and Yahoo. This clearly shows where the challenges and opportunities are for you in the upcoming years. What you need is solid technical training by one of the Top 10 HackerOne bug hunters.
Modern web applications are complex and it’s all about full-stack nowadays. That’s why you need to dive into full-stack exploitation if you want to master web attacks and maximize your payouts. Say ‘No’ to classical web application hacking. Join this unique hands-on training and become a full-stack exploitation master.
After completing this training, you will have learned about:
REST API hacking
AngularJS-based application hacking
bypassing Content Security Policy
server-side request forgery
DB truncation attack
type confusion vulnerability
exploiting race conditions
path-relative stylesheet import vulnerability
reflected file download vulnerability
Students will be handed a VMware image with a specially prepared testing environment to play with the bugs. What's more, this environment is self-contained, and when the training is over, students can take it home (after signing a non-disclosure agreement) to hack again at their own pace.
To get the most out of this training, intermediate knowledge of web application security is needed. Students should be familiar with common web application vulnerabilities and have experience in using a proxy, such as Burp Suite Proxy or similar, to analyze or modify the traffic.
Penetration testers, bug hunters, security researchers/consultants
Students will need a laptop with a 64-bit operating system, at least 4 GB RAM (8 GB preferred), 35 GB free hard drive space, a USB port (2.0 or 3.0), a wireless network adapter, administrative access, the ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running 64-bit VMs (BIOS settings changes may be needed). Please also make sure that you have Internet Explorer 11 installed on your machine or bring an up-and-running VM with Internet Explorer 11 (you can get it here: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/).
Dawid Czagan is an internationally recognized security researcher, trainer, and author of online security courses (https://academy.silesiasecuritylab.com/). He is listed among the Top 10 Hackers (HackerOne). Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter and other companies. Due to the severity of many bugs, he received numerous awards for his findings. Dawid Czagan shares his security bug hunting experience in his hands-on trainings “Hacking Web Applications – Case Studies of Award-Winning Bugs in Google, Yahoo, Mozilla and More” and “Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation”. He has delivered security training courses at key industry conferences such as Hack In The Box (Amsterdam), CanSecWest (Vancouver), 44CON (London), Hack In Paris (Paris), DeepSec (Vienna), HITB GSEC (Singapore), BruCON (Ghent) and for many corporate clients. His students include security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and the government sector (recommendations: https://silesiasecuritylab.com/services/training/#opinions). Dawid Czagan is founder and CEO at Silesia Security Lab, a company which delivers specialized security testing and training services. He is also the author of online security courses at https://academy.silesiasecuritylab.com/. To find out about the latest in Dawid Czagan’s work, you are invited to subscribe to his newsletter (https://silesiasecuritylab.com/newsletter/) and follow him on Twitter.
This course was given for the first time at Hack in Paris 2013. Now, we revisit the same topic with updated material and in an updated environment. First, we show the basic concepts of Reverse Code Engineering (RCE), also by practicing on some small executables. The aim is to provide enough background for the students to understand how the methodology of RCE is performed. Then, the course covers anti-RCE techniques. This second part aims at showing common techniques used in software to protect from RCE, commenting (from an O.S. perspective) on each technique in detail, as well as developing small proof-of-concepts (PoCs) for each technique. The goal of the PoCs is to show the students what the generated assembly code looks like and the difficulty of bypassing each one of these techniques. We will discuss how (almost) all techniques can be easily circumvented, as well as the particular advantages/disadvantages of each technique, providing also insights about the future of software protection. The anti-RCE techniques were released to the public at https://github.com/ricardojrdez/anti-analysis-tricks
x86 assembler, use of debugging tools (desired), Windows API
Software developers, malware analysts
Laptop with enough power to run a Windows 7 virtual machine (provided by the instructor)
PART 1) Introduction
1 Introduction to Reverse Engineering
What is Reverse Engineering?
Approaches to Reverse Engineering
Reverse Engineering Code
2 Previous Concepts
Computer Architecture Basic Concepts
Playing with Debuggers
3 A Bunch of Tools Needed for Reversing
Disassemblers and Hexadecimal Editors
PE Editor, Identifier and Resource Editor
Memory Dumpers and Emulators
IAT fixer and API monitors
4 Test-Bed Environment
5 Windows NT Internals Terminology
PART 2) Protection Techniques Compendium
6 Anti-Debug Techniques
PEB, TEB, LDR… WTF?
Using Win32 APIs
Access Tokens and other Objects
A Bunch (More) of Anti-Debug Techniques
Reversing Tools Detection
Other Anti-Debug Techniques
7 Anti-Tracing Techniques
8 Anti-Dump Techniques
A bit of background…
Memory Zone Protection
Nanomites, Stolen Bytes and Protected Pages
9 EP Anti-Detection Techniques
10 Anti-Sandboxing & Anti-VMs Techniques
GDT, LDT, IDT… WTF again!
Other Anti-Debug using LDT
11 Other Protection Techniques
PART 3) Take-home messages
Reversing, anti-analysis, anti-forensics
Ricardo J. Rodríguez received M.S. and Ph.D. degrees in Computer Science from the University of Zaragoza, Zaragoza, Spain, in 2010 and 2013, respectively. His Ph.D. dissertation was focused on performance analysis and resource optimization in critical systems, with special interest in Petri net modelling techniques. He is currently an Assistant Professor at Centro Universitario de la Defensa, General Military Academy, Zaragoza, Spain. His research interests include performance and dependability analysis, program binary analysis, and contactless cards security. He has participated as speaker (and trainer) in several security conferences, such as NoConName, Hack.LU, RootedCON, Hack in Paris, MalCON, or Hack in the Box Amsterdam, among others.