Hack In Paris - From June 27th to July 1st

Hack in Paris 2021 – Archives November 15th - 19th, 2021

Conferences
Trainings

Nov, 18

09:00

Holding The Stick at Both Ends: Fuzzing RDP Client and Server with Shaked Reiner and Or Ben-Porath

09:00 – 09:45

This talk describes our journey to make a traditional coverage-guided fuzzer (WinAFL) fuzz a complex network protocol – RDP. We will share our experience developing this ability and analyzing the results and the new bugs found.

Speakers

Shaked Reiner

Shaked Reiner is a security researcher at CyberArk focused on vulnerability research, OS security, and malware. In his free time, Shaked likes to reverse engineer random pieces of software, solve CTF challenges and make cocktails.

Or Ben-Porath

Or Ben-Porath is a security researcher at CyberArk and a PHD student in mathematics at Tel Aviv University. His research fields vary from Galois theory to fuzzing and OS security.

10:00

Monsters in the enterprise dungeon - finding and fixing severe 0-day vulnerabilities with Egor Dimitrenko and Mikhail Klyuchnikov

10:00 – 10:45

Get your Tickets !

What's under the hood of enterprise software? To figure out this question we have conducted a research of the products of one of the leading companies in its industry - Vmware. While researching various products, we discovered severe 0-day vulnerabilities, which were assigned 10 CVEs. We will share 5 stories about the most interesting and critical CVEs.

Speakers

Egor Dimitrenko

Egor Dimitrenko is a penetration tester at Positive Technologies, a member of PTSWARM team and an organizer of VolgaCTF, an international CTF competition. His research interests lie primarily within popular web-applications.

Mikhail Klyuchnikov

Mikhail Klyuchnikov is a senior security researcher at Positive Technologies and a member of PTSWARM team. He is focused on web application security research.

11:00

Steganography and malware from scratch with Juan Araya

11:00 – 11:45

Get your Tickets !

Learn about Steganography and malware and how it can impact the confidentiality, integrity and availability of data. During this session you will learn how payloads, files and text can be sent hidden in pictures and audio files. You will also get familiar with the most common types of malware attacks and general recommendations to protect against them.

Speakers

Juan Araya

Juan Araya is a certified pentester and cybersecurity specialist with 20 years of experience in IT. He has been leading cybersecurity teams and projects during the last 10 years. He is from Costa Rica and relocated to Spain 2 years ago. He holds multiple cybersecurity certifications and a master degree in cybersecurity. He actively participates as a speaker in multiple cybersecurity conferences around the world such as Bsides Panama 2019, GeekCamp Singapore 2020, OpenExpo Europe 2020 and Bsides Dublin 2021.

12:00

Is it really an intrusion if you get called in?: Mis-configuration based attacks in AWS with Kavisha Sheth

12:00 – 12:45

Get your Tickets !

Misconfiguration vulnerabilities have experienced a 12,286% increase in the past year. Regardless of whether you are a cloud security enthusiast or a pentester, it is important that you are aware of the misconfiguration issues of the cloud platform.

Speakers

Kavisha Sheth

14:00

Unlimited Sherlock: Deep-Dive into Forensics Operations to Track Down Hackers

14:00 – 14:45

Get your Tickets !

Cyber-crime is booming as threat actors seek to exploit the increased online dependency and mass migration to remote working triggered by the global health pandemic. Malicious registrations, including malware and phishing, grew 569% from February to March 2020, while new samples of ransomware rose by 72% in the first half of 2020. In this current climate of spoofed domains and cleverly faked emails, demand for digital forensics skills has never been higher. Organizations are wising up to the fact that by discovering how an attacker gained entry to a system, similar attacks can be prevented.

During this session, Paula will show you how to think like a hacker so you can evaluate your infrastructure for exploitable vulnerabilities and how to recover the evidence attackers leave behind. Join us and become familiar with the most up-to-date Forensics Operations to become aware and well prepared to investigate hackers’ tracks!

17:00

{Internet of Things or Threats}: Anatomizing the Structure of IoT Botnets with Aditya K Sood

17:00 – 17:45

Get your Tickets !

Attackers are targeting IoT devices and compromising them for nefarious operations such as malware infections and building botnets. In this talk, we discuss the threat model of command-and-control (C&C) panels of IoT devices and show how these are compromised and used for different sets of attacks, such as targeted and broad-based infections. In addition, we will discuss in-depth the techniques and tactics opted by botnet operators to design IoT botnets. This talk is primarily structured to demonstrate attacks that are happening via IoT devices running in the wild. The demonstrations will highlight: detecting and compromising IoT C&C panels, and live attacks executing from the compromised IoT devices as launchpads. We will dissect a number of C&C panels related to different IoT botnets to dissect infections. The demonstration will help the audience to understand the IoT threats occurring in real time.

Speakers

Aditya K Sood

Aditya K Sood (Ph.D.) is a cyber security advisor, practitioner, and researcher. With the experience of more than 13 years, he provides strategic leadership in the field of information security covering products and infrastructure. Dr. Sood has authored several papers for various magazines and journals including IEEE, Elsevier, CrossTalk, ISACA, Virus Bulletin, and Usenix. His work has been featured in several media outlets. He has been an active speaker at industry conferences and presented at Blackhat, DEFCON, HackInTheBox, RSA, Virus Bulletin, OWASP, and many others. Dr. Sood obtained his Ph.D. from Michigan State University in Computer Sciences. Dr. Sood is also an author of the "Targeted Cyber Attacks" and "Empirical Cloud Security" books.

Nov, 19

09:00

"Easy" mobile penetration testing with Brida with Federico Dotta and Piergiovanni Cipolloni

09:00 – 09:45

Get your Tickets !

Mobile applications “level up” complexity of penetration testing and security analysis, thanks to a custom client in which it is possible to implement strong security features, like combinations of symmetric and asymmetric encryption and signatures on the top of the TLS channel, in order to further protect communications with the backend servers and to make very difficult to discover and exploit common application vulnerabilities. These situations require strong reversing and developing skills, in order to be able to understand these security protocols and to implement indispensable tools to accomplish the tasks, such as handling the encryption of our attack vectors.

Brida was born to lower skills and time required for these complex tasks, giving penetration testers a tool to handle all these situations with minimal reversing and developing effort, by taking advantage of the integration of the most used penetration testing tool (Burp Suite) with a great dynamic code instrumentation toolkit (Frida).

In this talk, we will show all the new features of the last versions of Brida, including a new engine that allows users to create, directly from Brida’s graphical interface, custom plugins that:

Process requests/responses that pass through every Burp Suite tool, in order to be able to encrypt/decrypt/resign elements of requests and responses using Frida exported functions
Add custom tab to Burp Suite request/response pane, in order to be able to decrypt/decode/process requests/responses (or portions of them) using Frida exported functions (and then encrypt/encode/process modifications and replacing the original request/response, if any)
Add custom context menu options to invoke Frida exported functions on requests and responses
Add buttons to invoke Frida exported functions

Speakers

Federico Dotta

Federico Dotta is a Principal Security Analyst at HN Security, an Italian Security Advisory Company. He began his career as a penetration tester in 2009, focusing on Web and Mobile applications and on physical security. He developed many security tools, most of them publicly available on GitHub, with the purpose of helping the job of ethical hackers when handling complex situations. He presented the result of his researches in Italian and international conferences, like HackInBo in Bologna and Hack In The Box in Amsterdam.

Piergiovanni Cipolloni

Piergiovanni Cipolloni is an IT Security professional and researcher with over 15 years of experience in the IT security industry. Currently he is a Principal Security Analyst at HN Security, an Italian Security Advisory Company. Previously spoken at: HITB Amsterdam 2018 about advanced mobile penetration testing where alongside his co-worker Federico Dotta he presented Brida the tool they created in order to speed up the security review of a mobile application interactions with its back-end servers.

10:00

Fuzzing Apache HTTP Server for fun (and CVEs) with Antonio Morales

10:00 – 10:45

Get your Tickets !

"In this talk, I will cover the more interesting bits of the research that I've carried out on Apache HTTP server's security. I will walk you through the entire review process, including fuzzing, static analysis, and variant analysis.

I will also show several vulnerabilities I discovered in Apache HTTP server and how they could be exploited"

Speakers

Antonio Morales

Antonio Morales works as a security researcher at GitHub Security Lab, whose primary mission is to help improve Open Source project's security. Antonio's interests include fuzzing, code analysis, exploit development, and C/C++ security.

11:00

Hey EDR you'll never see me! with Jameel Nabbo

11:00 – 11:45

Get your Tickets !

In many red teaming engagements, the red team faces an important issue that can make their life difficult in terms of lateral movements or bypassing antiviruses since we’re not in 2010. most organizations install XDR by design into their employee’s computers as well as servers.

The modern red teaming techniques require more skills and effort to create shellcodes and access systems without being detected.

In this talk, evasion techniques will be presented that can be used by the red team to bypass modern end-point protection and signature-based detection.

As some end-point protections nowadays uses machine learning algorithms at the top of signature-based detection and memory analysis. This makes our life as red teamers even harder when injecting a process or making syscalls.

Speakers

Jameel Nabbo

Jameel nabbo has been a cybersecurity researcher in offensive security for more than a decade, with a scientific research background. Jameel specialised in application security mainly in the programming languages design and implementation for doing static code analysis SAST on the source code.

12:00

All Roads Lead to OpenVPN: Pwn’ing Industrial Remote Access Clients with Sharon Brizinov

12:00 – 12:45

Get your Tickets !

We identified a key problem with the way industrial remote access solutions are harnessing OpenVPN—a problem that, in most cases, can lead to a 1-click RCE on the VPN client side, just by luring a victim to a malicious website.

Speakers

Sharon Brizinov

Sharon Brizinov is the vulnerability research team lead at Claroty. He specializes in vulnerability research, malware analysis, network forensics, and ICS/SCADA security. In addition, Brizinov participated in well-known hacking competitions such as Pwn2Own, and he holds a DEFCON black-badge for winning the ICS CTF.

14:00

Dissecting PDF Files to Malware Analysis with Filipi Pires

14:00 – 14:45

Get your Tickets !

This hands-on talk will teach the concepts, tools, and the first techniques to analyze, investigate and hunt malwares. During this presentation I will introduce attendees to the basics of malware analysis. Attendees will learn to perform analysis static and dynamic with a focus in PDF structure, executing this in real samples. Demonstrate different kind of structures in the binaries as a PDF(header/ body/cross-reference table/trailer), explaining how each session works within a binary, what are the techniques used such as packers, obfuscation with JavaScript (PDF) and more, explaining too about some anti-disassembly techniques, demonstrating as a is the action of these malware’s and where it would be possible to “include” a malicious code.

Speakers

Filipi Pires

I’ve been working Principal Security Engineer and Security Researcher at senhasegura…I’m Hacking is NOT a crime Advocate and RedTeam Village Contributor. I’m part of the Staff team of DEFCON Group São Paulo-Brazil, International Speakers in Security and New technologies events in many countries such as US, Canada, Germany, Poland and others, I’ve been served as University Professor in Graduation and MBA courses at brazilian colleges, in addition, I'm Creator and Instructor of the Course Malware Attack Types with Kill Chain Methodology (PentestMagazine) and Malware Analysis - Fundamentals (HackerSec).

15:00

Cannibal Hacking, from zero the hero to hammer smashed host with Kevin Denis

15:00 – 15:45

Get your Tickets !

Cannibal Hacking, from zero the hero to hammer smashed host [ Parental Advisory : Explicit hacking, crude webshells, horrific security flaws and Hardcore hacking in hostile environment ]

If you’re a bad guy (tm), you want to deliver your malwarez, your spam, your payloads without being worried. So, instead of hosting them in your systems, why not using webservers belonging to others? They pay the hosting, the bandwidth, they will be in trouble if something goes wrong, so it’s a platform of choice.

And guess what? If you mix

1) Admins(?) letting sit a poorly configured and forgotten system with a bad password for years

2) Hackers gonna hack

you got a lot of hacked servers and machines all over the world! And sometimes, all of those hacked machines are here for a long time.

Bad guy(c) are not defacing servers anymore (well, sometimes, its still true), they prefer to stay hidden under the radar. Who will suspect that the nice little blog talking about puppies and shiny diamond is the C&C server of a “yet another mirai” botnet, builds ransomware clients and spam the planet for the next magic pill?

In this talk, we will focus on the attacker point of view. We are the good guys, they are the bad guys (tm), and servers are innocent collateral victims. We’ll see how we can find the attacker, learn things, find new victims, look over the shoulders of the attacker, and continue to learn how they operate. In the end, we propose some ways to keep those attackers out of the servers, detect them, and eventually kick them out.

Speakers

Kevin Denis

Security Expert at synacktiv Reverse, exploit and pwn. At night, like to follow botnets, reverse C&C command protocols, and hunting for bad guys (tm)

16:00

Software Incident Preparedness – An Emergency Medical Response Perspective with Jake Byman

16:00 – 16:45

Get your Tickets !

When developing software, sometimes emergencies happen. Sometimes a bad commit is introduced. Sometimes a database migration goes wrong. Sometimes a malicious actor does something nefarious.

As a software engineer, I have extensive experience in Incident Response, helping manage software emergencies.

Outside of my job in software engineering, I’ve worked as an Emergency Medical Technician for the past 7 years, responding to medical calls ranging from sprained ankles to cardiac emergencies.

The various tools and techniques used to manage and prepare for emergencies in the medical world have interesting applications in the software incident response world.

In this talk I will touch on the techniques used in both disciplines, and how my experience as an Emergency Medical Technician can be applied to help prepare for software incidents, and help foster a culture of building software safely.

Speakers

Jake Byman

Nov, 15

Advanced Web Hacking (3 days) with NotSoSecure - Dhruv Shah

November 15 – November 17

This class teaches the audience a wealth of hacking techniques to compromise modern-day web applications, APIs and associated end-points. This class focuses on specific areas of appsec and on advanced vulnerability identification and exploitation techniques. The class allows attendees to learn and practice some neat, new and ridiculous hacks which affected real-life products and have found a mention in real bug-bounty programs. The vulnerabilities selected for the class either typically go undetected by modern scanners or the exploitation techniques are not so well known.

Attendees will also benefit from a state-of-art Hacklab and we will be providing FREE 30 days lab access after the class to allow attendees more practice time. Some of the highlights of the class include:

Modern JWT, SAML, OAuth bugs
Core business logic issues
Practical cryptographic flaws.
RCE via Serialization, Object, OGNL and template injection.
Exploitation over DNS channels
Advanced SSRF, HPP, XXE and SQLi topics.
Serverless exploits
Attack chaining and real life examples.

Overview

This class talks about a wealth of hacking techniques to compromise web applications, APIs, cloud components and other associated end-points. This class focuses on specific areas of appsec and on advanced vulnerability identification and exploitation techniques (especially server side flaws). The class allows attendees to practice some neat, new and ridiculous hacks which affected real life products and have found a mention in real bug-bounty programs. The vulnerabilities selected for the class either typically go undetected by modern scanners or the exploitation techniques are not so well known.

Note: This is a medium paced class and attendees are expected to have a basic understanding of common web vulnerabilities and attacks. Attendees will also benefit from a state-of-art Hacklab and we will be providing free 30 days lab access after the class to allow attendees more practice time.

The following is the course outline:

Day 1:

Authentication Attacks

Logical Bypass / Boundary Conditions
Token Hijacking attacks
Attacking SSO
SAML / OAuth 2.0 / JWT Attacks
SAML Authentication and Authorization Bypass

Advanced XXE Attacks

XXE through SAML
XXE in file parsing
XXE Exploitation over OOB channels

Breaking Crypto

Known Plaintext Attack (Faulty Password Reset)
Path Traversal using Padding Oracle
Hash length extension attacks
Auth Bypass using Pre-shared MachineKey

Complex Business Logic Flaws / Authorization flaws

Mass Assignment bugs
Invite/Promo Code Bypass
Replay Attack
Second Order IDOR attack
HTTP Parameter Pollution (HPP)

Day 2 :

Server-Side Request Forgery (SSRF)

SSRF to call internal files
SSRF to exploit templates and extensions

SQL Injection Masterclass

2nd Order Injection
Out-of-Band exploitation
SQLi through crypto
OS code exec via Powershell
Advance SQLMAP Usage with eval option
Data Exfiltration over DNS via SQLi
Introspection based attacks in GraphQL

Remote Code Execution (RCE)

Java Serialization Attacks
Net Serialization Attack
PHP object injection
Ruby/ERB template injection

Day 3:

Attacking the Cloud

SSRF Exploitation
Serverless exploitation
Google Dorking in the Cloud Era
Cognito misconfiguration to data exfiltration
Various Case Studies

Tricky File Uploads

Malicious File Extensions
Circumventing File validation checks

Attacking Hardened CMS

Identifying and attacking various CMS
Attacking Hardened Wordpress, Joomla, and Sharepoint

Miscellaneous Topics - A Collection of weird and wonderful XSS and CSRF attacks - Attack Chaining

B33r 101

KEY TAKEAWAYS

The latest hacks in the world of web hacking. The class content has been carefully handpicked to focus on some neat, new and ridiculous attacks.
We provide a custom kali image for this class. The custom kali image has been loaded with a number of plugins and tools (some public and some NotSoPublic) and these aid in quickly identifying and exploiting vulnerabilities discussed during the class.
The class is taught by a real pentester and the real-world stories shared during the class help attendees in putting things into perspective.

WHO SHOULD TAKE THIS COURSE

Web developers
SOC analysts
Intermediate level penetration testers
DevOps engineers, network engineers
Security architects
Security enthusiasts
Anyone who wants to take their skills to the next level.

AUDIENCE SKILL LEVEL

Intermediate/Advanced

STUDENT REQUIREMENTS

Students must bring their own laptop and have admin/root access on it. The laptop must have a virtualization software (virtualbox / VMWare) pre installed. A customized version of Kali Linux (ova format) containing custom tools, scripts and VPN scripts for the class will be provided to the students. The laptop should have at least 4 GB RAM and 20 GB of free disk space dedicatedly for the VM.

Users are also encouraged to familiarize themselves with Burp Suite https://portswigger.net/burp/communitydownload to gain maximum out of the class.

WHAT STUDENTS SHOULD BRING

See student requirement

WHAT STUDENTS WILL BE PROVIDED WITH

Access to a hacking lab not just during the course but for 30 days after the class too. This gives them plenty of time to practice the concepts taught in the class. Numerous scripts and tools will also be provided during the training, along with student handouts.

Our courses also come with detailed answer sheets. That is a step by step walkthrough of how every exercise within the class needs to be solved. These answer sheets are also provided to students at the end of the class.

Speakers

NotSoSecure - Dhruv Shah

Dhruv Shah is an information security professional working as an Associate Director at NotSoSecure. He has over 11+ years of experience in application, mobile, and network security. He has co-authored the book 'Kali Linux Intrusion and Exploitation' and 'Hands-on Pentesting with BurpSuite' by Packtpub. He is also a trainer of NotSoSecure's much-acclaimed Advanced Web Hacking class and has been a trainer at several leading public conferences such as Black Hat Vegas, Chicago, Alexandria, Japan, Hack in Paris, Texas Cyber Summit, OWASP Appsec Israel, etc. He has provided security training to various clients in the UK, EU, and USA via corporate training. His online presence is with the handle @snypter.

Hacking and securing Bluetooth Low Energy and RFID/NFC devices (3 days) with Slawomir Jasek

November 15 – November 17

Bluetooth Low Energy is one of the most exploding IoT technologies. BLE devices surround us more and more – not only as wearables, toothbrushes and sex toys, but also smart locks, medical devices and banking tokens. Alarming vulnerabilities of these devices have been exposed multiple times recently. And yet, the knowledge on how to comprehesively assess their security seems very uncommon. This is probably the most exhaustive and up to date training regarding BLE security – for both pentesters and developers. Based on hands-on exercises with real devices (including multiple smart locks), dedicated personal device flashed to a BLE devkit, and a deliberately vulnerable, training hackmelock.

RFID/NFC, on the other hand, has been around us for quite long. However, the vulnerabilities pointed out years ago, probably won’t be resolved in a near future. It is still surprisingly easy to clone most access control cards used today. Among other practical exercises performed on real installations, the attendees will reverse-engineer an example hotel access system, and as a result will be able to open all the doors in facility. A list of several hundred affected hotels included.

Each attendee will receive 200 EUR hardware pack including among others Proxmark and Raspberry Pi (detailed below). The hardware will allow for BLE attacks (sniffing, intercepting), cloning and cracking multiple kinds of proximity cards, analyse BLE or NFC mobile applications, and most importantly - practice majority of the training exercises later at home.

Who should attend

Pentesters, security professionals, red teamers, researchers
BLE/NFC device designers, developers
Anyone interested

Key learning objectives

In-depth knowledge of Bluetooth Low Energy, common implementation pitfalls, device assessment process and best practices
Ability to identify vulnerable access control systems, clone cards and reverse-engineer data stored on card

Prerequisite knowledge

Basic familiarity with Linux command-line
Scripting skills, pentesting experience, Android mobile applications security background will be an advantage, but is not crucial
No prior knowledge of Bluetooth Low Energy nor NFC is required

Hardware/software requirements

Contemporary laptop capable of running Kali Linux in virtual machine (VirtualBox or VMWare), and at least two USB ports available for VM guest
Android smartphone with BLE and NFC support will be very helpful
You can bring your own BLE device or access control card to check its security

Each student will receive

Course materials in PDFs (over 2000 pages)
All required additional files: source code, documentation, installation binaries, virtual machine images on a pendrive
Take-away hardware pack for hands-on exercises consisting of:
- Proxmark 3 with latest firmware
- Multiple RFID/NFC tags for cracking and cloning, including “Chinese magic UID”, T5577, Ultralight, HID Prox, iClass, EV1, Mifare Classic with various content (bus ticket, hotel, e-wallet, …)
- NFC PN532 board (libnfc)
- Raspberry Pi 3 (+microSD card and 3.1A power adapter), with assessment tools and Hackmelock installed for further hacking at home.
- Bluetooth Smart hardware sniffer (nRF, BtleJack) based on nrf51822 module
- Individual BLE device to attack running on development kit (including source code)
- ST-Link V2 SWD debugger for programming nRF boards
- 2 Bluetooth Low Energy USB dongles

Detailed agenda

Bluetooth Smart (Low Energy)

Theory introduction

What is Bluetooth Smart/Low Energy/4.0, how it is different from previous Bluetooth versions?
Usage scenarios, prevalence in IoT devices
Protocol basics
Required hardware for BLE assessment

BLE advertisements

Scanning for visible devices, hcitool, bleah, bettercap, Mirage, GATTacker, …
Beacons: iBeacon, Eddystone, Physical Web
Simulating beacons – using mobile phone, Linux scripts, other devices.
How to get free beer by abusing beacon-based reward application
"Encrypted" beacons, abusing weaknesses in beacon management control protocols
BLE advertisements of Microsoft and Apple devices (user tracking, decoding of current status/phone number)
Advertisement spoofing – Denial of Service, device impersonation

BLE connections

Central vs peripheral device
GATT – services, characteristics, descriptors, handles, reading, writing, notifications
Mapping device services and characteristics
Interacting with BLE devices using mobile phone, command-line, various tools
Taking control of simple, insecure devices – sex toys, key finders, …

Sniffing BLE connections using RF layer hardware

BLE radio modulation, channels, hopping, connection initiation
BLE link layer encryption – introduction, why is it hardly used in practice
Sniffing hardware: Ubertooth, nRF sniffer, BtleJack, Sniffle, SDR …
Wireshark filters, tips&tricks
Sniffing static cleartext password of a smart lock and other devices

HCI dump - capturing own BLE traffic

Difference from RF layer sniffing
Linux command-line hcidump
Android: live BLE packets analysis in Wireshark via TCP service

Device spoofing, active MITM interception

How to perform “man in the middle” attack on BLE connections
Available tools: GATTacker, BtleJuice, BtleJack, Mirage
MAC address cloning, mobile OS GATT cache potential problems
Analysing intercepted traffic
Denial of Service attacks
Jamming and hijacking active connections with BtleJack

Replay attacks

Intercept transmission
Analyse authentication protocol weakness in example smart lock
Perform replay using tools or mobile phone, and unlock the device

Relay attacks – abusing automatic proximity features (e.g. smart lock autounlock).

Various smart locks vulnerabilities case-studies

Attacks on proprietary authentication and protocols
Decompile Android app, locate relevant source code fragments
Understand proprietary BLE communication protocol – commands, data exchanged with device
Based on example smart lock, discover protocol weakness, create exploit to open the lock without knowing current password or prior sniffing
Exploit the vulnerability using just a mobile phone – nRF Connect macros
Verify other vendor’s claims on “Latest PKI technology” and “military grade encryption”
Example unlocked AT command interface via BLE service of a smart lock
Remote access share functions and their weaknesses – how to bypass timing restrictions.
How to create own, independent server-side API for device – based on a real smart lock vendor, which disappeared and shut the servers, effectively rendering the device e-waste

Advanced BLE MITM topics

Hooks, data modification on the fly (example attack on mobile PoS)
Command injection
Upstream websocket proxy
"Rolljam"-like attacks on single use keys
When MITM attack does not work or is not possible – debugging, troubleshooting

Device DFU firmware update OTA services.

Bluetooth link-layer encrypted connections

BLE pairing, bonding, encryption
Intercepting pairing process and decoding Long Term Keys (crackLE)
Weaknesses of simple pairing (static PIN, just works)
How to trick a victim into re-pairing

Abusing BLE bonding trust relationships

Analysis of Google Titan U2F token vulnerability
Possibilities for malicious actions (e.g. change device to appear as a BLE keyboard).

Web Bluetooth – interfacing with nearby devices from javascript.

How hard is it to hijack BLE devices from a hostile web site
Writing new javascript interface to control own device

Bluetooth Mesh, Bluetooth 5.0 – what these technologies change and what not in terms of BLE security.

BLE Hackmelock – open-source software emulated device with multiple challenges to practice at home.

BLE best practices and security checklist – for security professionals, pentesters, vendors and developers.

NFC

Short introduction

RFID/NFC – where do I start?
Frequencies, card types, usage scenarios
How to recognize card type – quick walkthrough
Equipment, and what can you do with it – mobile phone, card reader, simple boards, Chameleon Mini, Proxmark, other hardware

UID-based access control – practical exercises on example reader + door lock

UID-based access control – still surprisingly popular
UID lengths, formats
Clone Mifare UID using Android phone and “gen2” UID-changeable card, or libnfc/Proxmark and gen1 card
How to emulate contactless cards and unlock UID-based system using just a smartphone (Android, iOS), without any additional hardware
How to clone a card by making its picture – decoding numbers printed on cards
Cloning other ID-based cards – Low Frequency EM41XX, HID Prox, …
Emulate card using Proxmark, Chameleon Mini
Brute-force – is it possible in practice to guess other cards UID?
Countermeasures against attacks

Wiegand – wired access control transmission standard

Sniff the data transmitted from access control reader using Raspberry Pi GPIO, ESP RFID Tool, BLE-Key, …
Decode card UID from sniffed bytes, clone the card
Replay card data on the wire to open lock

Mifare Ultralight

Data structure
Reading, cloning, emulating
Example data stored on hotel access card
Ultralight EV1, C

Mifare Classic & its weaknesses – practical exercises based on hotel door lock system, ski lift card, bus ticket

Mifare Classic – data structure, access control, keys, encryption
Default & leaked keys
Reading & cloning card data using just a mobile phone
Cracking keys – nested, darkside attacks
Libnfc tools – mfoc, mfcuk, MiLazyCracker
Cracking Mifare using Proxmark
Attacks on EV1 “hardened” Mifare Classic
Online attacks against reader

Reverse-engineering data stored on card - based on a real hotel system

Recoding access control data (room number, date) stored on card by an example hotel system
Creating hotel „emergency card” to open all the hotel doors unconditionally

Mifare DESFire – introduction, sample attack on misconfigured access control system

ISO15693/iCode SLIX

Cloning ISO15693 UID on a “magic UID” card, unlocking smart lock
Data of several example ski passes

HID iClass

Cloning “legacy” / “standard security” iClass
Attacks on iClass Elite

Hitag2 access control

Sniffing password mode transmission between reader and tag
Simulating Hitag2 against the reader using Proxmark

Intercepting card data from distance – building antenna, possibilities and limits.

Speakers

Slawomir Jasek

Speaker, trainer and IT security consultant with over 15 years of experience. Participated in countless assessments of systems’ and applications’ security for leading financial companies, public institutions and cutting edge tech startups. Currently leads research on various topics in Polish software security company SecuRing and provides trainings regarding security of contemporary locks and access control systems (www.smartlockpicking.com). Beside research and training, he focuses on consulting and designing of secure solutions for various software and hardware projects, during all phases - starting from a scratch. Previously gave talks, workshops or trainings at HackInParis, BlackHat USA, multiple Appsec EU, HackInTheBox Amsterdam, Deepsec, BruCON, Confidence, Devoxx and many other events.

Hacking and Securing Cloud Infrastructure (3 days) with NotSoSecure - Martin CERNAC

November 15 – November 17

This 3-day course cuts through the mystery of Cloud Services (including AWS, Azure, and G-Cloud) to uncover the vulnerabilities that lie beneath. We will cover a number of popular services and delve into both what makes them different, and what makes them the same, as compared to hacking and securing traditional network infrastructure. Whether you are an Architect, Developer, Pentester, Security or DevOps Engineer, or anyone with a need to understand and manage vulnerabilities in a Cloud environment, understanding relevant hacking techniques, and knowing how to protect yourself from them is critical. This course covers both the theory as well as a number of modern techniques that may be used to compromise various Cloud services and infrastructure. Prior pentest/security experience is not a strict requirement, however, some knowledge of Cloud Services and familiarity with common Unix command-line syntax will be beneficial.

Note: Students will have access to a state-of-the-art Hacklab with a wide variety of vulnerabilities to practice exploitation and will receive a FREE 1 month subscription after the class to allow more practice time along with the support portal to clear doubts.

Gaining Entry in cloud via exposed services
Attacking specific cloud services
Post Exploitation
Defending the Cloud Environment
Host base Defenses
Auditing and benchmarking of Cloud
Continuous Security Testing of Cloud

Overview

Whether you are an Architect, Developer, Pentester, Security or DevOps Engineer, or anyone with a need to understand and manage vulnerabilities in a Cloud environment, understanding relevant hacking techniques, and knowing how to protect yourself from them is critical. This course covers both the theory a well as a number of modern techniques that may be used to compromise various Cloud services and infrastructure.

Prior pentest/security experience is not a strict requirement, however, some knowledge of Cloud Services and familiarity with common Unix command-line syntax will be beneficial.

Syllabus :

Introduction to Cloud Computing - Introduction to cloud and why cloud security matters - Comparison with conventional security models - Shared responsibility model - Legalities around Cloud Pentesting - Attacking Cloud Services

Enumeration of Cloud environments

DNS based enumeration
OSINT techniques for cloud based asset

Gaining Entry via exposed services

Serverless based attacks (AWS Lambda / Azure & Google functions )
Web application Attacks

Attacking specific cloud services

Storage Attacks
Azure AD Attacks
IAM Misconfiguration Attacks
Roles and permissions based attacks
Attacking Incognito misconfigurations

Exploiting Kubernetes Clusters and container as a service

Understanding how container technology works
Exploiting docker environments and breaking out of containers
K8s exploitation and breakouts
Exploiting misconfigured containers

Post – Exploitation

Persistence in Cloud
Post exploit enumeration
Snapshot access
Backdooring the account

Auditing and Benchmarking of Cloud

Preparing for the audit
Automated auditing via tools
IaaS Auditing Windows and *nix Environments
Golden Image / Docker image audits
Relevant Benchmarks for cloud

Defending the Cloud Environment

Identification of cloud assets (AWS, Azure and GCP)
Protection of Cloud Assets

-- Principle of least privilege

-- Control Plane and Data Plane Protection

--Metadata API Protection

Detection of Security issues

-- Setting up Monitoring and logging of the environment

-- Identifying attack patterns from logs*

-- Real time monitoring of logs*

Response to Attacks

-- Automated Defense techniques

-- Cloud Defense Utilities

-- Validation of Setup

Purple teaming where red and blue exchange notes
CTF to reinforce learning

*Demo will be shown by the instructor, Lab time will be provided if time permits. Extended Lab access will be available for 30 days after the class.

KEY TAKEAWAYS

Students will gain knowledge of attacking, exploiting and defending a variety of Cloud infrastructure. First, they will play the part of the hacker, compromising serverless apps,

cloud machines, storage and database services, dormant assets and resources.

Students will learn privilege escalation and pivoting techniques specific to cloud environments. This is followed by Infrastructure Defense, secure configuration, auditing, logging, benchmarks.

Students will learn preventive measures against cloud attacks, host-based defense and a number of cloud tools that can help in securing their services and resources. Apply the learning to:

Identify weaknesses in cloud deployment
Fix the weaknesses in your cloud deployment
Monitor your cloud environment for attacks

The free 30 day lab access provides attendee surplus time to learn advanced topics in their own time and at their own pace.

WHO SHOULD TAKE THIS COURSE

Cloud Administrators, Developers, Solutions Architects, DevOps Engineers, SOC Analysts, Penetration Testers, Network Engineers, security enthusiasts and anyone who wants to take their skills to the next level.

Prior pentest experience is not a strict requirement, however, some knowledge of Cloud Services and familiarity with common command line syntax will be greatly beneficial.

AUDIENCE SKILL LEVEL

Intermediate

STUDENT REQUIREMENTS

Students must bring their own laptops and have admin/root access on it. The laptop must have a virtualization software (virtualbox / VMWare) pre-installed. A customized version of Kali Linux (ova format) containing custom tools and the scripts for the class will be provided to the students. The laptop should have at least 4 GB RAM and 20 GB of free disk space dedicatedly for the VM.

WHAT STUDENTS SHOULD BRING

See Student requirement

WHAT STUDENTS WILL BE PROVIDED WITH

Numerous scripts and tools (some public and some NotSoPublic) will also be provided during the training, along with the student handouts.

TRAINERS

Martin joined the UK NotSoSecure team in 2021. He works with a wide range of NotSoSecure clients, delivering training on topics covering application and cloud security, DevSecOps and infrastructure. Martin also delivers training at large conferences, including Black Hat Europe and Las Vegas. Another part of his role revolves around penetration testing of web applications, infrastructure and networks. He is also involved in Red Team assessments appraising system and network vulnerabilities with little or no prior knowledge of them. Finally, he participates in research efforts concerning new application security threats with some of his research being published on the NotSoSecure blog.

Speakers

NotSoSecure - Martin CERNAC

Martin began working as a Software Developer in 2011, gaining a BSc (top of the class) in Computer Science in 2016. He then switched to cybersecurity, achieving an MSc in Computer Security in 2018. His work as a Security Consultant has led him to pass a number of professional certifications, including OSCP (Offensive Security Certified Professional), OSWE (Offensive Security Web Expert) and OSEP (Offensive Security Experienced Penetration Tester). He has also created course content on various topics, ranging from digital forensics to advanced application security focused on niche topics.

Martin joined the UK team of NotSoSecure in 2021, where he works with a wide range of clients. He delivers security services such as Penetration Testing (web application, infrastructure and networks) and Red Team assessments, appraising system and network vulnerabilities with little or no prior knowledge of the client environment. He also delivers training for clients on application and cloud security, DevSecOps and infrastructure, as well as at major conferences, including Black Hat Europe and Black Hat Las Vegas. Finally, within NotSoSecure, he participates in research on new application security threats, with some of his findings published on the company’s blog

Hacking Enterprises - 2021 Edition (3 days) with Will Hunt and Owen Shearing

November 15 – November 17

This is an immersive hands-on course aimed at a technical audience. Over the 3 days we will fully compromise a simulated enterprise covering a multitude of TTP's. The training is based around modern operating systems, using modern techniques and emphasising the exploitation of configuration weaknesses rather than throwing traditional exploits. This means logical thinking and creativity will definitely be put to the test.

Students will access a cloud-based LAB configured with multiple networks, some easily accessible, others not so. Course material and exercise content has been designed to reflect real-world challenges and students will perform numerous hands-on exercises including executing exploitative phishing campaigns against our simulated users to gain access to new networks, in turn bringing new challenges including IPv6 exploitation, subverting AMSI and AWL, passphrase cracking, pivoting, lateral movement, OOB persistence mechanisms and much more!

We also like to do things with a difference. You'll be provided access to an in LAB Elastic instance, where logs from all targets get pushed and processed. This allows you, whether an attacker or defender, to understand the types of artefacts your attacks leave and how you might catch or be caught in the real word.

We realise that training courses are limited for time and therefore students are also provided with the following:

Completion certificate
14-day extended LAB access after the course finishes
14-day access to a CTF platform with subnets/hosts not seen during training!
Discord support channel access where our security consultants are available Hacking Enterprises

Agenda:

Day 1

MITRE ATT&CK framework

Overview on using the in-LAB ELK stack

Offensive OSINT

Enumerating and exploiting IPv6 targets

Pivoting, routing, tunnelling and SOCKS proxies

Application enumeration and exploitation via pivots

Linux living off the land and post exploitation

Kubernetes and container security

Day 2

Exploitative phishing against our simulated enterprise users

Living off the land tricks and techniques in Windows

P@ssw0rd and p@ssphras3 cracking

Windows exploitation and privilege escalation techniques

Windows Defender/AMSI and UAC bypasses

Situational awareness and domain reconnaissance

RDP hijacking

Day 3

Bypassing AWL (AppLocker, PowerShell CLM and Group Policy)

Extracting LAPS secrets

Lateral movement for domain trust exploitation

WMI Event Subscriptions for persistence

Out of Band (OOB) data exfiltration

Domain Fronting and C2

Who Should Attend:

This training is suited to a variety of students, including:

Penetration testers / Red Team operators

SOC analysts

Security professionals

IT Support, administrative and network personnel

Prerequisite Knowledge:

A firm familiarity of Windows and Linux command line syntax

Understanding of networking concepts

Previous pentesting and/or SOC experience is advantageous, but not required

Hardware / Software Requirements:

Students will need to bring a laptop to which they have administrative/root access, running either Windows, Linux or Mac operating systems

Students will need to have access to VNC, SSH and OpenVPN clients on their laptop (these can be installed at the start of the training)

Previous Training Locations: The 2019 and 2020 releases of this training have been given at the following conferences.

Black Hat Asia (Virtual – September 2020)

Wild West Hackin’ Fest (Virtual - September 2020)

Black Hat USA (Virtual – August 2020)

BruCon Spring Training (Virtual - June 2020)

Wild West Hackin’ Fest (Virtual - March 2020)

44CON (UK - June 2019)

Nolacon (USA - May 2019)

Wild West Hackin’ Fest (USA - October 2019)

Speakers

Will Hunt

Will (@Stealthsploit) co-founded In.security in 2018. Will’s been in infosec for over a decade and has helped secure many organisations through technical security services and training. Will’s delivered hacking courses globally at several conferences including Black Hat and has spoken at various conferences and events. Will also assists the UK government in various technical, educational and advisory capacities. Before Will was a security consultant he was an experienced digital forensics consultant and trainer.

Owen Shearing

Owen (@rebootuser) is a co-founder of In.security, a specialist cyber security consultancy offering technical and training services based in the UK. He has a strong background in networking and IT infrastructure, with well over a decade of experience in technical security roles. Owen has provided technical training to a variety of audiences at bespoke events as well as Black Hat, Wild West Hackin’ Fest, NolaCon, 44CON and BruCON. He keeps projects at https://github.com/rebootuser.

Hands-on Malware Analysis & Reverse Engineering Training (3 days)

November 15 – November 17

The number of cyber attacks is undoubtedly on the rise, targeting government, military, public and private sectors. These cyber attacks focus on targeting individuals or organizations with an effort to extract valuable information, gaining money through a ransom or damaging their reputation. 43% of cyber attacks these organizations are facing are Advanced Malware, APT Attacks or zero-day attacks.

With adversaries getting sophisticated and carrying out advanced malware attacks, detecting and responding to such intrusions is critical for cyber security professionals. The knowledge, skills, and tools required to analyze malicious software are essential to detect, investigate and defend against such attacks.

This training takes you in a journey in the topic of malware analysis covering targeted attacks and ransomware attacks with their techniques, strategies and the best practices to respond to them. The training is full of hands-on labs on performing malware analysis, Rootkit analysis and full attack investigations with different real-world samples.

You will also receive a copy of Mastering Malware Analysis book to help you further enhance your skills in malware analysis and deal with advanced techniques, different platforms such as IoT/Linux, Android, Mac .. etc and different scripting and interpreted languages.

What previous attendants said about this training:

“I was always feeling that malware is something scary, something I can’t understand or control. Now I feel it’s not scary anymore. I can actually analyse it, understand it and control it.” by Fung Dao Ying, System Analyst in Bintulu Port Holding Berhad

LEARNING OBJECTIVES:

Understand the lifecycle of a targeted attack and all the techniques & strategies the attackers use to penetrate an organization (Spear-phishing, drive by download … etc)
Know what the steps to take when you discover a malware in your network.
Perform basic static & behavioral analysis of a malware in an isolated virtualized environment
Perform static and dynamic code analysis to determine the malware functionality using IDA Pro and Ollydbg/x64dbg
Understand the basics of the x86 assembly language
Learn how to detect and analyze a malicious document with embedded macros
Learn to extract the the network and host-based indicators of compromise
Able to analyze downloaders, droppers, keyloggers, fileless malwares, HTTP backdoors, etc.
Perform memory forensics on an infected machine and extract the malware artifacts from its memory.

PROGRAM OUTLINE

DAY 1

APT Attacks & Malware Analysis:

What is an APT Attack
What are the Attack Stages?
The APT Attack Vectors
Types of Malware
Why Malware Analysis
Types of malware analysis
Setting up an isolated lab environment

Basic Static Analysis:

Fingerprinting the malware
Extracting strings
Determining File obfuscation
Unpacking Packed Malware
Understanding PE File characteristics
Hands-on lab exercise involves analyzing real malware sample

Behavioral Analysis & Sandboxing:

Understanding Behavioral Analysis tools
Monitoring process, file system, registry and network activity
Determining the Indicators of compromise (host and network indicators)
Custom Sandbox Overview
Working of Sandbox
Sandbox Features
Hands-on lab exercise involves analyzing real malware sample

Code Analysis & Malware Functionalities:

Intro to code analysis
Droppers & Downloaders
Maintaining Persistence
Keylogging
Banking Trojans & Man in The Browser (MiTB)
Point of Sale Malware (POS)
Understanding Indication of Comprise
Write your own YARA rule

DAY 2:

Intro To x86/x64 Assembly:

Understanding CPU registers and assembly instructions
Dive deeper in the assembly language and memory handling
Reversing assembly code blocks into a higher-level language (C++)
Dealing with local & global variables

Static & Dynamic Code Analysis In-Depth:

Code Analysis Overview
Disassembler & Debuggers
Code Analysis Tools
Basics of IDA Pro
Basics of Ollydbg/x64dbg
Understanding the API calls
Inspecting API call references
Demo: Performing static analysis with IDA Pro (Hands-on Practice)
Demo: Performing dynamic analysis with OllyDbg (Hands-on Practice)
Hands-on lab exercise involves analyzing real malware sample

Encryption, Packing & Obfuscation

Understanding different encryption algorithms
Demo: Examining RC4 encryption algorithm
Learning 4 different manual unpacking techniques for custom unpacking
Dissecting different obfuscation techniques
Hands-on Practice on unpacking malware

DAY 3:

Spear-phishing Attacks with Malicious Documents:

Examining a malicious office document packed with vbscript macros
Examining & Dissecting malicious pdf files
hands-on labs to examine documents packed with malicious macros (real attacks)

Investigating User-Mode Rootkits & API Hooking:

Understanding Process Internals
Process & Thread Environment Block Structure
Code Injection
Types of Code injection
Remote DLL injection
Remote Code injection
Reflective DLL injection
Hollow process injection
API Hooking & IAT Hooking
Hands-on lab exercise (scenario based) involves investigating malware infected memory

Memory Forensics & Volatility Overview:

What is Memory Forensics
Why Memory Forensics
Steps in Memory Forensics
Memory acquisition and tools
Introduction to Volatility (Advanced Memory Forensics Framework)
Volatility basic commands
Determining the profile
Volatility help options
Running the plugin

Investigation Process Memory Using Volatility:

Process memory Internals
Listing DLLs using Volatility
Identifying hidden DLLs
Dumping malicious executable from memory
Dumping DLLs from memory
Scanning the memory for patterns (yarascan)
Volatility plugins to identify process injections and API hooking
Hands-on lab exercise (scenario based) involves investigating malware infected memory

Who Should Attend

This course is intended for Cyber Security investigators, Cyber Security Heads and Managers, Security Researchers, Information Technology Heads and Managers, Forensic Practitioners, Incident Responders Malware Analysts, System Administrators, Software Developers ,and security professionals who would like to expand their skills and Anyone interested in learning Malware Analysis and Memory Forensics.

Materials Provided:

Training Prerequisite & Lab Setup Guide: a step by step guide to prepare your isolated virtualized environment for executing and analyzing malware
Malware Analysis Lab VM (Windows 7 VM) with all required tools pre-installed. It will be provided in .ova format
The labs/exercises samples and memory images.
A printed copy of mastering Malware Analysis Book
A printed copy of Malware Analysis & Reverse Engineering Workbook which includes all the exercises taught in the training with step by step solutions to them.

Delegate Requirements:

Should be familiar with using Windows/Linux
Should have an understanding of basic programming concepts, while programming experience is not mandatory.

Hardware/Software Requirements:

Laptop with minimum 8GB RAM and 80GB free hard disk space
Laptop with USB ports, lab samples, and custom Linux VM will be shared via USB sticks
VMware Workstation or VMware Fusion (even trial versions can be used).
Delegates must have full administrator access for the Windows operating system.

Note: VMware player or Virtual Box is not suitable for this training.

Physical Pentesting: Practical Course (3 days)

November 15 – November 17

Take back home your own kit of lockpicking + bypass kit + RF/RFID Accessories at the end of the training + a book summarizing what you have learned!

From beginners to specialists, this training will make you a proficient physical pentester.

Practice oriented, during this course you will pick locks, bypass deadbolts and safety doors, mold keys, decode keys from a picture, do privilege escalation on simple and advanced masterkey systems, identify and duplicate RF and RFID credentials…

After only 3 days, you will be able to enter and assess a vast amount of infrastructures, including headquarters, hotels, power plants, offices… And through regular practice, you will be able to enter most buildings without breaking anything, allowing you to gain a physical access to your pentest target (server room, CEO laptop…) and, in addition to your computer-based skills, help your clients secure the full spectrum of IT flaws including the physical aspects.

Resources : 1 working place per attendee, comprising a training manual, lockpick tools, bypass tools, locks, molding material, bumpkeys, pick guns…

Day 1

## Module 1

Introduction

Physical intrusion vectors

Social Engineering
Climbing
Access opening

Discover physical security

The different types of locks
How they work
How to identify them

Introduction to scenarios

Casual intruder (opportunist)
Organized burglar team
Industrial espionage

## Module 2 Wafer locks and tubular locks opening

Wafer locks

Identification
Lockpicking
Decoding
Jigglers

Tubular locks

Identification
Self-impressioning
Lockpicking

Day 2

## Module 3 Combination padlocks and key boxes

Identification
Shims (on compatible models)
Decoding
Blade bypass (on compatible models)

Keyed padlocks

Lockpicking
Combs
Shims (on compatible models)
Blade bypass (on compatible models)

Module 4 Pin tumbler locks lockpicking

Raking

Specific tools
The technique
Tips and tricks

Single Pin Picking

Specific tools
The technique
Tips and tricks

Lockpick guns

Mechanical PickGun
Electronic PickGun
Specific tensioners

Day 3

Module 5 The Key vector

Key duplication

By molding
With a file
From a picture
Special techniques

Bumpkeys

Identification
Fabrication
Different techniques (push/pull)

Keyed Alike locks * Finding the key of your target

Module 6 The Door vector

Non Destructive Opening of the door

Day-latched door opening
From the latch
From the handle
From the bottom
Exit only doors

Module 7 RF and RFID introduction

Identify and attack easily the least protected systems

RFID

Identify and attack easily the least protected systems

Module 8

Conclusion

Flaws

· Flaws summary

Tools and techniques summary

Possible protections

Summary of possible protections

Homework

How to practice and develop your skills after the training

Legal stuff

Don't go to jail!