This is a training to tell about the fundamentals of reverse code engineering, specially focused on Intel assembly and Windows systems, as well as the techniques that can be used to prevent analysis of Windows programs (aiming at knowing how to detect and defeat them). 

Description

During the first day of the course, we show the basic concepts of Reverse Code Engineering (RCE), also by practicing with a lot of executables. The aim is to provide enough background to the students to understand how RCE is performed, no matter the binary code is formed. The course covers advanced RCE techniques, such as unpacking and .NET reversing. During the second day, the course covers anti-RCE techniques. This second part aims at showing common techniques used in software to protect from RCE, commenting (from O.S. perspective) each technique in detail while compiling a proof-of-concept (PoC) of them. The goal of PoCs is to show the students how the assembly code generated is and the difficulty (</irony>) of bypassing each one of these techniques. We will discuss how (almost) all techniques can be easily circumvented, as well as the particular advantages/disadvantages of each technique.

Outline

DAY 1: Reverse Code Engineering: Theory & Practice

Outline (1) - Introduction and Previous Concepts 

1. Introduction to Reverse Engineering       

- Motivation Reverse Engineering?

- Motivation

- Approaches to Reverse Engineering

- Reverse Code Engineering

    1. Data Representation

    2. Memory Alignment

    3. Computer<b>t</b>

    4. Introduction to Reverse Engineering

- What is Reverse Engineering?

- Motivation

- Reverse Code Engineering Engineering

- Reverse Code Engineering

    1. Data Representation

    2. Memory Alignment

    3. Computer Architecture: Basic Concepts

    4. Windows NT internals

- PEB, TEB, LDR. . .WTF?

- PE Headers

- Windows APIs

Outline (2) - Basic Reverse Code Engineering: Tools

1. Using a Debugger: OllyDBG

  7 .Types of Analysis

1. Understanding Assembler from Code

Outline (3) - Basic Reverse Code Engineering: Techniques

  1. Event-Fishing

  2. Serial-Fishing

  3. Getting the Keys

- Self-Keygenning

- Keygenning

Outline (4) - Advanced Reverse Code Engineering

  1. Unpacking

  2. .NET Reversing

Outline (5) - Practicum, Conclusions and References

  1. Some Practical Exercises

  2. Conclusions

  3. References

DAY 2: (Anti-)Reverse Code Engineering: Theory & Practice

  1. Anti-debugging/tracing techniques

- Using OS Windows Internal Structures

- Using Windows APIs

- Using Access Tokens and other Objects

- Using Windows Exceptions

- Reversing Tools Detection

- A bit of anti-tracing techniques

  1. Anti-dump techniques

  2. Anti-virtualization techniques

  3. Advanced anti-RCE techniques

- Stolen Bytes

- Nanomites

- Memory zones protection

  1. Anti-DBI techniques

  2. Other techniques in-the-wild

- Code obfuscation

- Cryptography

  1. Conclusions & Discussion of new techniques: where are we being leaded to? 

This training will focus on all aspects of the Windows post-exploitation process: restricted environments, operating system controls, privilege escalation, User Account Control (UAC) and persistence. The training will be beneficial to attackers and defenders alike. 

Overview 

This training will focus on all major aspects of the Windows post-exploitation process: breaking restricted environments, subverting operating system controls, privilege escalation (logic/configuration/permission/software bugs), bypassing User Account Control (UAC) and persistence. The training will be beneficial to attackers and defenders alike. Participants will gain an in-depth understanding of common pitfalls when configuring the Windows estate. They will see what tools the attacker has at his disposal, how to live-off-the-land and where to achieve long-term residence when access has been acquired. All sections of the training are accompanied by intense hands-on labs where students will put the theory into practice. The training will simulate real-world environments allowing attendees to later directly apply the content in the field! A detailed understanding of Windows is not required to attend the training, however a basic familiarity with the windows command line (cmd/PowerShell), the Sysinternals Suite and certain concepts such as schedule tasks, services and UAC will be greatly beneficial. 

Prerequisites 

A detailed understanding of Windows is not required to attend the training, however a basic familiarity with the windows command line (cmd/PowerShell), the Sysinternals Suite and certain concepts such as schedule tasks, services and UAC will be greatly beneficial. 

Target audience 

Members of the red & blue team, penetration testers, system administrators, SOC analysts and security enthusiasts. 

Materials to bring by attendees 

- A laptop with either VMWare or VirtualBox installed. 

- Enough system resources to run x2 virtual machines simultaneously. 

- 30GB free hard disk space. 

Course Syllabus 

Day 1 

Breakout  

- Desktop lockdown (Group Policy/SRP) 

- Getting an explorer window 

- Folder/File restrictions 

- Native/custom command line interfaces 

- Breaking Kiosks and Citrix environments 

- Bypassing AppLocker/DeviceGuard restrictions 

Privilege Escalation  

- Enumeration 

- Configuration weaknesses 

- Missing patches 

- Scheduled tasks 

- Services 

- Unattended installations 

- DLL hijacking 

- Abusing token privileges 

Day 2 

User Account Control  

- What is UAC and how does it work 

- Auto-elevation 

- WUSA/IFileOperation 

- Process Status API 

- Windows Side-By-Side Assembly 

- COM handlers 

- Creating proxy DLL’s 

- Fileless UAC bypass 

- Environment variables 

- Race conditions 

- Abusing process tokens 

- Bypassing “Always Notify” 

Persistence  

- Using the registry 

- Scheduled tasks 

- Manipulating File Associations 

- WMI Permanent Event Subscriptions 

- Binary patching 

- Application Compatibility Shims 

- COM Handler Hijacking 

- Leveraging Office and Outlook 

- Evasion (ADS/corrupted NTFS folder structures/processor variables)  

Discover the world of Industrial Control Systems in this exciting 3-day training! You’ll learn everything you need to start assessing, pentesting and securing these specific systems. We’ll focus on practical knowledge, tools & techniques with a ton of hands-on exercises and real industrial devices 

Outline of the training

Day 1     

- Module 1: Introduction to ICS

- Module 2: Pentesting Basics & tools

- Module 4: Common ICS vulnerabilitiesesting Windows

- Module 4: Common ICS vulnerabilities

Day 2     

- Module 5: ICS protocols

- Module 6: Introduction to safety for security pros

- Module 7: Programming PLCs

- Module 8: Pentesting ICS

Day 3     

- Module 9: Securing ICS

- Module 10: Case study

- Module 11: Capture The Flag

Detailed description of the modules

Module 1 : Introduction to ICS

For starters, I will introduce the concept of ICS. The topics will include: - A brief history of ICS - Vocabulary - The CIM model - Classic architectures - ICS components (PLCs, HMI, SCADA, DCS, sensors, RTUs, Historian, etc) and their roles - OT vs IT

Module 2 : Pentesting Basics & tools

This module will introduce the concept of penetration test. I do not intend to spend too much time of the theoretical stuff (how to make a report, etc etc) since that is not what attendees are looking for. However, I think a module is required to ensure that everyone shares at least the basic concepts of penetration testing, in order to understand the rest of the training. The module will include : - OSINT for ICS : Where to look to find informations - Reconnaissance : how to portscan & nessus - Exploitation : Metasploit basics

Toolz used : nmap, Nessus, Metasploit Lab setup : Windows Servers and workstations, Metasploitable, Kali Linux

Module 3 : Windows basics and pentesting Windows

Unfortunately, any ICS now includes, at least in some areas, Windows systems. So I think that some time must be spent on Windows basics. This module will introduce the following topics: - Windows Active Directory - How to find credentials on Windows systems - Exploiting and pivoting to gain Domain Admin privileges A selection of hacking techniques will be applied on lab machines.

Module 4 : Common ICS vulnerabilities

This module will introduce the most common vulnerabilities found during ICS audits: - Lack of network segmentation / Exposure - Lack of hardening - ICS protocols insecurity

Module 5: Module 5: ICS protocols

This module will introduce the most common ICS protocols: Modbus/TCP, S7, Profinet, DNP3, Ethernet/IP…. Attendees will analyze network captures and be introduced to software libraries/ clients to use these protocols to talk to PLC simulators.

Module 6 : Introduction to safety for security pros

This module will introduce the required safety knowledge in order to understand the OT world. The different concepts of safety will be detailed, as well as the leading norms and hazard analysis. The differences with IT risk analysis will be mentioned and to finish, a basic case study will be performed.

Module 7 : Programming PLCs

In order to have a better understanding of how a PLC works, student will use dedicated software to program a PLC in ladder logic (using trial versions of TIA portal and/or soMachine basic). Students will then deploy the code to real PLCs (I already have 6 entry-level PLCs from Schneider/Siemens, and will add several more depending on how many students will register for the training). Toolz used : SoMachine Basic Lab : Windows virtual machine and real PLCs from Schneider and Siemens

Module 8 : Pentesting ICS

This module will be mostly lab sessions, in order to apply the knowledge learned during module 5: - Theory and general warning - Common weaknesses - Network capture analysis & replaying packets - Talking industrial protocols : Modbus, S7 - Additional PLC features: web server, ftp, snmp… Toolz used : nmap, Nessus, Metasploit Lab : Windows Servers and workstations, Kali Linux, Siemens and Schneider PLCs

Module 9 : Securing ICS

We all know it, all clients want to know what they can do to improve the security of their systems. This module will detail the technical and organizational solutions one may engage in to secure their ICS. This will include : system hardening, network segmentation, sharing data with IT systems, and security supervision. The leading security standards will also be mentioned and briefly compared. Toolz used : Windows virtual machine, IDS Lab : Students will have to configure an IDS virtual machine and verify its efficiency, and write a new attack signature for an attack previously performed.

Module 10 : Case study

In this module, students will be given information and network diagrams about a case-study ICS. They will have to highlight the security weaknesses and come up with recommendations.

Module 11 : Capture The Flag

I strongly believe that a good training must include “real-life” examples and labs. To go further individual labs that will occur, I will dedicate the last half-day of the training to a Capture The Flag event. To do so, I will have a specific setup where attendees will be able to use their newly-acquired knowledge on a simulation of a “real-life” system. This will include compromise of Windows host, pivoting to the ICS, understanding the industrial process, and finally capturing a real flag with a robot hand ! 

Prerequisites

This training is aimed at security professional willing to deep dive into the Industrial Control Systems and have real-world, hands-on sessions. There is no specific requirement for attendees except a basic infosec culture. All attendees will need to bring a laptop capable of running virtual machines (4GB of RAM is a minimum) Each attendee will be given a USB key with a custom Kali virtual machine, that includes the specific tools that we will use as well as the lab files (pcap, etc), and a Windows virtual machine with specific ICS software to perform the lab sessions. 

The Corelan “ADVANCED” exploit development class is a fast-paced, mind-bending, hands-on course where you will learn advanced exploit development techniques from an experienced exploit developer. During this (typically 3 ‘long’ day) course, students will get the opportunity to learn how to write exploits that bypass modern memory protections for the Win32 platform, using Windows 7 as the example platform, but using techniques that can be applied to other operating systems.  The trainer will share his “notes from the field” and various tips & tricks to become more effective at writing exploits. 

This is most certainly not an entry level course. In fact, this is a one of the finest and most advanced courses you will find on Win32 exploit development.     

This hardcore, practical, hands-on course will provide students with solid understanding of x86 Windows heap exploitation.  We make sure the course material is kept updated with current evolutions, includes previously undocumented tricks and techniques, and details about research we performed ourselves, so you can apply the research techniques on other applications and operating system versions.  Combined with the way the course is built up, this will turn this class into a truly unique learning experience. 

During all of our courses, we don’t just focus on techniques and mechanics, but we also want to make sure you understand why a given technique is used, why something works and why something doesn’t work.  In the advanced course, we also provide you with insights on how to do your own research related with heap exploitation. 

We believe those are just a few arguments that makes this training stand out between other exploit development training offerings.  Feel free to check our <a href="https://www.corelan-training.com/index.php/testimonials/">testimonials page</a> if you want to s ee real, voluntary, unmodified and uncensored reactions by some of our students. 

Finally, we offer you post-training support as well. If you have taken the course and you still have questions afterwards, we will help. 

WARNING: We do not provide solutions for any of the exercises in this course, but we will help you to find the solutions yourself, either during the course of after the course (via the student-only forum)   

Why take this course ? 

- Are you familiar with the basics of exploit development ? Do you know how to write exploits for saved return pointer overwrites and abuse SEH records with your eyes closed ?  Are you interested inunderstanding how heap spraying works, and why it works ?  Is heap exploitation still a black box for you? Are you now ready for the next step ?

- Have you taken the Bootcamp or other commercial courses on exploit development and want to move to the next phase ? 

- Do you want to learn modern techniques to exploit applications on Windows 7 ? 

- Do you want to learn the fine art of writing browser exploits ? 

- Do you want to learn the skills to investigate heap managers on modern Windows versions (Win10) and find your own exploitation primitives? 

- Would you like to know what (generic) questions to ask (rather than being spoonfed exploit-specific solutions & answers) 

- Are you able to write ROP chains blindfolded ?  (It is fundamentally important that you have practical experience with constructing/writing your own ROP chain!) 

- Are you willing to suffer and bleed, absorb new knowledge fast and not intimidated by debuggers and assembly instructions… 

- …then this course is exactly what you need !  

<a href="https://www.corelan-training.com/Find%20the%20right%20Corelan%20training%20for%20you.pdf">Still in doubt?  Click here to help find the right course for you.  </a> 

Target audience 

Pentesters, auditors, network/system administrators, reverse engineers, malware analysts, developers, members of a security department, security enthusiasts, or anyone that has a solid and practical basic knowledge of exploit development for Windows already. 

If you have a strong desire to learn and willing to suffer & bleed, then check out <a href="https://www.corelan-training.com/index.php/training/training-schedules/" title="the schedules">the schedules</a> & register for one of the classes.  If you are interested in organizing the course at a conference or as a private course at your company, send me an e-mail (peter[dot]ve{at}corelan[dot]be)  

Course contents 

ASLR & DEP Refresher 

- Bypassing ASLR 

- Bypassing DEP 

Heap Spraying 

- Heap Feng Shui & heaplib 

- Precise Heap Spraying 

Heap Exploitation (Internet Explorer as an example) 

- DOM Fundamentals 

- Heap Fundamentals 

- Heap Exploitation 

    1. Use After Free 

    2. Linear & non-linear corruptions 

    3. Type confusion 

- Memory leaks / Information Disclosure 

- Heap Manipulations and heap primitives 

Finding your own bugs  

- Thoughts & experiences on fuzzing 

During the course, students will get the opportunity to work on real vulnerabilities in real applications, use a wide range of heap exploitation techniques  and most importantly learn how to do your own research to find exploitation primitives in complex applications and new versions of Windows. 

Warning – The course has a steep learning curve and will require full attention and focus. 

The “Course Contents” on this page is subject to change without prior notice & can be updated between the moment of registration and the actual course.  We will try to cover as much as we can from the “Course Contents”, based on the overall ability to absorb knowledge and time needed to complete the exercises, but Corelan GCV cannot ever guarantee that we will be able to cover everything.  

Knowledge & Attitude Prerequisites 

Students must: 

- be able to read simple C code and simple scripts 

- truly master all basic concepts of exploit development, as listed in our “BOOTCAMP” course.  If you have taken the Bootcamp course and done a lot of practice after taking the class, then you’re probably ready for this class.  

- be familiar with ROP (i.e. understand how it works on Windows, know how to build a ROP chain, know how to use mona.py to generate a chain and how to fix the chain if it doesn’t work) 

- be familiar with reading/writing python/ruby/html/javascript scripts 

- be familiar with using debuggers (we’ll use WinDBG for most part of the course, but we’ll spend some time explaining the basics of using WinDBG.  It is assumed that you have practical experience with Immunity Debugger and mona.py) 

- be ready to dive into a debugger and read asm for hours and hours and hours 

- be ready to think out of the box and have a strong desire to learn 

- be fluent with managing Windows / Linux operating system and with using vmware workstation/virtualbox 

- be familiar with using Metasploit to generate shellcode 

- have basic practical knowledge of assembly 

It’s imperative for students to comply with these prerequisites.  

Technical Prerequisites 

Unless specified otherwise, students are required to bring the following : 

- A laptop (no netbook) with vmware workstation/virtualbox and enough processing power and RAM (we recommend 4Gb of RAM) to run up to 2 virtual machines at the same time.  The use of a 64bit processor and a 64bit operating system on the laptop will make the exercises more realistic. 

- 2 Virtual machines (Windows 7 SP1 (no patches), Kali Linux (fully up-to-date)) 

Note : you will receive the exact installation instructions after registration, about a week before class begins, so don’t start installling the VMs yet. 

All required tools and applications will be provided during the training or will be downloaded from the internet during the training.  

You must have full administrator access to all machines. You must be able to install and remove software, and you must be able to disable and/or remove firewall/antivirus/… when necessary. 

Legal Prerequisites 

It will be required to sign a confidentiality agreement at the start of the course.  You will not be admitted to the course without signing this document.  You can find a copy of the document <a href="https://www.corelan-training.com/Confidentiality%20Agreement%20Courseware.pdf" title="here">here</a>. 

During this training we will focus on two technologies implemented very commonly in various IoT devices, including among others smart locks and access control systems : BLE and NFC/RFID. 

Bluetooth Low Energy (Smart, 4) is one of the most popular and rapidly growing IoT technologies. Unfortunatelly the prevalence of technology does not come with security, and the knowledge on how to comprehensively assess such devices seems very uncommon. This training aims to address this need. Multiple hands-on exercises with dedicated individual devices (included in takeaway hardware set) guarantee to thoroughly understand from both developer’s and pentester’s perspective how BLE works and how can be attacked. We will perform: wireless sniffing, spoofing, cloning, replay, Denial of Service, Man in the Middle, authentication and command-injection attacks. Practical exercises will include opening multiple real "smart" locks, investigating proprietary protocols, demystifying and breaking "military grade encryption" and abusing excessive services.  

NFC/RFID on the other hand, has been around us for quite long. However, the vulnerabilities pointed out years ago, probably won’t be resolved in a near future. It is still surprisingly easy to clone most access control cards used for buildings today. Among other practical exercises performed on real installations, the attendees will reverse an example, quite popular hotel access system, and as a result will be able to open all the doors in facility. 

The training includes a hardware pack (about 200 EUR value) for each student, consisting among others of preconfigured Raspberry Pi, Proxmark3, "magic" tags, NFC board, dedicated Bluetooth device to attack and BLE sniffer. The hardware will allow you to crack and clone NFC/RFID tags, sniff and analyse Bluetooth Low Energy connections and practice most of the exercises later at home.  

Pre-requisites 

- At least basic familiarity with Linux command-line, Kali, Wireshark. 

- Scripting/programming skills will be very helpful. 

Target audience 

- Pentesters, security professionals 

- IoT developers 

- Anyone interested 

Material to bring by attendees 

- Laptop capable of running Kali Linux in VM and USB port. 

- Android smartphone with BLE and NFC support will be very helpful. 

- You can bring your own BLE device or NFC card to verify its security. 

Course syllabus  

1. NFC

UID-based access control - practical exercises on example reader + door lock

- UID lengths, formats

- clone Mifare UID using “Chinese magic” card and provided hardware

- how to emulate contactless cards and unlock UID-based system using just a smartphone (Android, iOS), without any additional hardware

- low frequency tags (EM, HID Prox, …)

- how to clone a card by making its picture - decoding numbers printed on cards

- emulate card using Proxmark, Chameleon Mini

- brute-force - is it possible in practice to guess other cards UID?

- countermeasures against attacks

Wiegand - wired access control transmission standard

- sniff the data transmitted from access control reader using Raspberry Pi GPIO

- decode card UID from sniffed bytes, clone the card

- replay card data on the wire to open lock

- available Wiegand sniffers/repeaters

Mifare Classic & its weaknesses - practical exercises based on hotel door lock system, ski lift card, bus ticket and others

- Mifare Classic - data structure, access control, keys, encryption

- default & leaked keys

- reading & cloning card data using just a mobile phone

- cracking keys - nested, darkside, hardnested attacks

- libnfc tools - mfoc, mfcuk, MiLazyCracker

- cracking Mifare using provided hardware (PN532 libnfc, Proxmark)

Reverse-engineering data stored on card

- decoding access control data (room number, date) stored on card by an example hotel system

- creating hotel „emergency card” to open all the hotel doors unconditionally

Mifare Ultralight

- data structure

- reading, cloning, emulating

- example data stored on hotel access card

Introduction to Proxmark, Low Frequency cards (EM4100, HID Prox).

Summary of known attacks and security issues of ISO15693, Mifare Plus, DESFire, Ultralight C, HID iClass, Hitag …

2. Bluetooth Smart (Low Energy)

based on multiple devices (including 7 various smart locks) and tools developed by the trainer: GATTacker BLE MITM proxy and deliberately vulnerable Hackmelock (consisting of Android mobile application and lock device simulated on Raspberry Pi).

Theory introduction

- What is Bluetooth Smart/Low Energy/4.0, how it is different from previous Bluetooth versions?

- Usage scenarios, prevalence in IoT devices

- Protocol basics

- Advertisements, connections

- Central vs peripheral device

- GATT - services, characteristics, descriptors, handles

- Security features - pairing/encryption, whitelisting, MAC randomization

- Security in practice: own crypto in application layer

- Hardware required for BLE assessment

BLE advertisements and beacons

- iBeacon, Eddystone, Physical Web

- Simulating beacons - using mobile phone, Linux scripts, other devices.

- How to get free beer by abusing beacon-based reward application

- scanning for visible devices, hcitool, bleah, GATTacker, …

- decoding data in advertisements

- advertisement spoofing - Denial of Service, device impersonation

Sniffing BLE connections using RF layer hardware

- Ubertooth, nRF sniffer, BtleJack, …

- Wireshark filters, tips&tricks

- sniffing static cleartext password of a smart lock and other devices using provided hardware

HCI dump (Linux, Android) - setup, analysis, difference from RF-layer sniffing, replay/fuzzing possibilities.

Attacking services exposed by devices

- mapping device services and characteristics

- interacting with devices that do not require pairing/authentication

- example unlocked AT command interface via BLE service of a smart lock

Device spoofing, active MITM interception

- how to perform “man in the middle” attack on BLE connections

- available tools: GATTacker, BtleJuice.

- MAC address cloning

- analysing intercepted traffic

- Denial of Service attacks

Replay attacks

- intercept transmission

- analyse authentication protocol weakness in example smart lock

- perform replay using tools or a mobile phone, and unlock the device

Mobile application analysis, attacks on proprietary authentication and protocols

- decompile Android app, locate relevant source code fragments

- understand proprietary BLE communication protocol - commands, data exchanged with device

- based on example smart lock, discover protocol weakness, create exploit to open the lock without knowing current password or prior sniffing

- exploit the vulnerability using just a mobile phone - nRF Connect macros

- verify other vendor’s claims on “Latest PKI technology” and “military grade encryption”

Relay attacks - abusing automatic proximity features (e.g. smart lock autounlock).

Jamming and intercepting ongoing connections using BtleJack and provided hardware.

Remote access share functions and their weaknesses - how to bypass timing restrictions.

How to create own, independent server-side API for device - based on a real smart lock vendor, which disappeared and shut the servers, effectively rendering the device e-waste.

Introduction to Web Bluetooth, Bluetooth Mesh, Bluetooth 5.0

BLE Hackmelock - open-source software emulated device with multiple challenges to practice at home.

BLE best practices and security checklist - for security professionals, pentesters, vendors and developers.

Each student will receive:  

- course materials in PDFs (several hundred pages)

- all required additional files: source code, documentation, installation binaries, virtual machine images on a pendrive

- Hardware pack for hands-on exercises consisting of:     

 - Bluetooth Smart hardware sniffer (nRF, BtleJack) and development kit based on nrf51822 module

- 2 Bluetooth Low Energy USB dongles

- Raspberry Pi 3 (+microSD card and 3.1A power adapter), with assessment tools and Hackmelock installed for further practice at home.

- Proxmark3 with latest firmware

- NFC NXP PN532 board (libnfc)

- Multiple NFC/RFID tags, including “magic UID”, T5577, Ultralight, EV1, …

HackerOne bug hunters have earned $20 million in bug bounties until 2017 and they are expected to earn $100 million by the end of 2020. Some of HackerOne customers include the United States Department of Defense, General Motors, Uber, Twitter, and Yahoo. It clearly shows where the challenges and opportunities are for you in the upcoming years. What you need is a solid technical training by one of the Top 10 HackerOne bug hunters.

Modern web applications are complex and it’s all about full-stack nowadays. That’s why you need to dive into full-stack exploitation if you want to master web attacks and maximize your payouts.  Say ‘No’ to classical web application hacking. Join this unique hands-on training and become a full-stack exploitation master.

After completing this training, you will have learned about:

-       REST API hacking

-       AngularJS-based application hacking

-       DOM-based exploitation

-       bypassing Content Security Policy

-       server-side request forgery

-       browser-dependent exploitation

-       DB truncation attack

-       NoSQL injection

-       type confusion vulnerability

-       exploiting race conditions

-       path-relative stylesheet import vulnerability

-       reflected file download vulnerability

-       subdomain takeover

-       and more

What students will receive 

Students will be handed in a VMware image with a specially prepared testing environment to play with the bugs. What's more, this environment is self-contained and when the training is over, students can take it home (after signing a non-disclosure agreement) to hack again at their own pace.

Special bonus 

The ticket price includes FREE access to Dawid Czagan’s 6 online courses (https://academy.silesiasecuritylab.com/):

- “Start Hacking and Making Money Today at HackerOne”

- “Keep Hacking and Making Money at HackerOne”

- “Case Studies of Award-Winning XSS Attacks: Part 1”

- “Case Studies of Award-Winning XSS Attacks: Part 2”

- “DOUBLE Your Web Hacking Rewards with Fuzzing” (in preparation; to be published soon)

- “How Web Hackers Make BIG MONEY: Remote Code Execution” (in preparation; to be published soon)

What students say about this training

This training has been very well-received by students around the world. You can see their testimonials here (https://silesiasecuritylab.com/services/training/#opinions).

Prerequisites

To get the most of this training intermediate knowledge of web application security is needed. Students should be familiar with common web application vulnerabilities and have experience in using a proxy, such as Burp Suite Proxy, or similar, to analyze or modify the traffic.

Target audience

Penetration testers, bug hunters, security researchers/consultants 

Material to bring by students

Students will need a laptop with 64-bit operating system, at least 4 GB RAM (8 GB preferred), 35 GB free hard drive space, USB port (2.0 or 3.0), wireless network adapter, administrative access, ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running 64-bit VMs (BIOS settings changes may be needed). Please also make sure that you have Internet Explorer 11 installed on your machine or bring an up-and-running VM with Internet Explorer 11 (you can get it here: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/). 

Action packed web hacking class exploiting modern web application vulnerabilities such as SSRF, Template Injection, 2nd Order SQLi, Deserialization, Crypto flaws and more .Attacking authentication schemes such as JWT, SAML, OAuth. Learning esoteric Out-of-Band techniques and attack chaining. 

Overview

This class teaches audience a wealth of hacking techniques to compromise modern day web applications, APIs and associated end-points. This class focus on specific areas of appsec and on advanced vulnerability identification and exploitation techniques (especially server side flaws). The class allows attendees to learn and practice some neat, new and ridiculous hacks which affected real life products and have found a mention in real bug-bounty programs. The vulnerabilities selected for the class either typically go undetected by modern scanners or the exploitation techniques are not so well known. Attendees will also benefit from a state-of-art Hacklab where they can practice the challenges.

Course Outline

Authentication Bypass

- Token Hijacking attacks

- Logical Bypass / Boundary Conditions

- SAML / OAuth 2.0 / Auth-0 / JWT Attacks

- JWT Token Brute-Force attacks

- SAML Authentication and Authorization Bypass

- XXE through SAML

- Advanced XXE Exploitation over OOB channels

Password Reset Attacks

- Cookie Swap

- Host Header Validation Bypass

- Case study of popular password reset fails.

Breaking Crypto

- Known Plaintext Attack (Faulty Password Reset)

- Path Traversal using Padding Oracle

- Hash length extension attacks 

Business Logic Flaws / Authorization flaws

- Mass Assignment

- Invite/Promo Code Bypass

- Replay Attack

- API Authorization Bypass

SQL Injection

- 2nd order injection

- Out-of-Band exploitation

- SQLi through crypto

- OS code exec via powershell.

- Advanced topics in SQli

Remote Code Execution (RCE)

- Java Serialisation Attack

- Node.js RCE

- PHP object injection

- Ruby/ERB template injection

- Exploiting code injection over OOB channel

Server Side Request Forgery (SSRF)

- SSRF to query internal network

- SSRF to code exec

Unrestricted File Upload

- Malicious File Extensions

- Circumventing File validation checks

Miscellaneous Topics

- HTTP Parameter Pollution (HPP)

- XXE in file parsing

- A Collection of weird and wonderful XSS and CSRF attacks.

Attack Chaining

- Combining Client-side and Server-side attacks to steal internal secrets

- B33r 101

Who should take this course

Web developers, SOC analysts, entry level/intermediate level penetration testers, network engineers, security architects, security enthusiasts and anyone who wants to take their skills to next level

Student requirements  

Students must bring their own laptop and have admin/root access on it. The laptop should have at least 4 GB RAM and 20 GB of free disk space and a working copy of the latest Kali Operating System. Kali OS should be run inside a Virtual machine (e.g. VMware Workstation/Fusion/Player or Virtual Box).

What students will be provided with  

Access to a hacking lab not just during the course but for 15 days after the class too. This gives them plenty of time to practice the concepts taught in the class. Numerous scripts and tools will also be provided during the training, along with student handouts. 

The course covers all aspects of Windows infrastructure security - you will learn how to implement them! Our goal is to teach you how to design and implement secure infrastructures based on the reasonable balance between security and comfort with great knowledge of attacker’s possibilities. 

Prerequisites:
To attend this training you should have a good hands-on experience in administering Windows infrastructure. At least 8 years in the field is recommended. 

Target audience
Enterprise administrators, infrastructure architects, security professionals, systems engineers, network administrators, IT professionals, security consultants and other people responsible for implementing network and perimeter security. 

Materials
Author’s unique tools, over 200 pages of exercises, presentations slides with notes.  

Agenda
Module 1: Hacking Windows Platform  
a)Detecting unnecessary services
b) Misusing service accounts
c) Implementing rights, permissions and privileges
d) Direct Kernel Object Modification  

Module 2: Top 50 tools: the attacker's best friends  
a)Practical walkthrough through tools
b) Using tools against scenarios  

Module 3: Modern Malware  
a) Techniques used by modern malware
b) Advanced Persistent Threats
c) Fooling common protection mechanisms  

Module 4: Physical Access  
a) Misusing USB and other ports
b) Offline Access techniques
c) BitLocker unlocking  

Module 5: Intercepting Communication  
a) Communicating through firewalls
b) Misusing Remote Access
c) DNS based attacks  

Module 6: Hacking Web Server  
a) Detecting unsafe servers
b) Hacking HTTPS
c) Distributed Denial of Service attacks  

Module 7: Data in-Security  
a) File format attacks for Microsoft Office, PDF and other file types
b) Using incorrect file servers’ configuration
c) Basic SQL Server attacks

Module 8: Password attacks  
a) Pass-the-Hash attacks
b) Stealing the LSA Secrets
c) Other  

Module 9: Hacking automation  
a) Misusing administrative scripts
b) Script based scanning  

Module 10: Designing Secure Windows Infrastructure
On the market there are thousands of solutions available to enrich security in our infrastructure. Idea of this module is to provide the complete knowledge and to gain the holistic approach to the areas that can be secured and the measures that can be implemented.  

Module 11: Securing Windows Platform  
a) Defining and disabling unnecessary services
b) Implementing secure service accounts
c) Implementing rights, permissions and privileges
d) Driver signing  

Module 12: Malware Protection  
a)Techniques used by modern malware
b) Malware investigation techniques
c) Analyzing cases of real malware
d) Implementing protection mechanisms  

Module 13: Managing Physical Security  
a) Managing port security: USB, FireWire and other
b) Mitigating Offline Access
c)Implementing and managing BitLocker  

Module 14: Deploying and configuring Public Key Infrastructure  
a) Role and capabilities of the PKI in the infrastructure
b) Designing PKI architecture
c) PKI Deployment – Best practices   

Module 15: Configuring Secure Communication  
a) Deploying and managing Windows Firewall –  advanced and useful features
b) Deploying and configuring IPsec
c) Deploying secure Remote Access (VPN, Direct Access, Workplace Join, RDS Gateway)
d) Deploying DNS and DNSSEC  

Module 16: Securing Web Server  
a) Configuring IIS features for security
b) Deploying Server Name Indication and Centralized SSL Certificate Support
c) Monitoring Web Server resources and performance
d) Deploying Distributed Denial of Service attack prevention
e) Deploying Network Load Balancing and Web Farms 

Module 17: Providing Data Security and Availability  
a)Designing data protection for Microsoft Office,  PDF and other file types
b) Deploying Active Directory Rights Management Services
c) Deploying File Classification Infrastructure and Dynamic Access Control
d) Configuring a secure File Server
e) Hardening basics for Microsoft SQL Server
f) Clustering selected Windows services  

Module 18: Mitigating the common password attacks  
a)Performing Pass-the-Hash attack and implementing prevention
b) Performing the LSA Secrets dump and implementing prevention  

Module 19: Automating Windows Security
a) Implementing Advanced GPO Features
b) Deploying Software Restriction: Applocker
c) Advanced Powershell for administration  

This is a deep dive course on security operations: vulnerability management, anomalies detection, the discovery of industry attacks and threats. Topics covered during this training will help you to walk in hackers’ shoes and evaluate your infrastructure from their point of view. 

The secure infrastructure configuration should be the most important line of defense in every organization. Unfortunately, people, the most valuable resource, are not always aware of the level of security in their companies, possible points of entry, how operating systems are attacked, and how to protect the infrastructure from successful attacks which are sometimes caused by configuration mistakes. Understanding internal OS protection mechanisms and services/roles completely provides a huge impact on the whole infrastructure security level. Unfortunately, the problem is... rarely anyone has this impact!
 

This is a deep dive course on security operations: vulnerability management, anomalies detection, discovery of industry attacks and threats, understanding how compromised system or solution looks like, defining the indicators of the attack, incident handling also daily servicing on SIEM platform. We will also walk through the advanced access rights, password mechanisms, windows internals, PowerShell usage for security purposes, gaining unauthorized access, advanced DNS configuration and common configuration mistakes, forensics techniques, Active Directory security, IIS Security, debugging, advanced monitoring and troubleshooting and much more! Topics covered during this training will help you to walk in hackers’ shoes and evaluate your infrastructure from their point of view.  

The training focuses on detecting, responding, and resolving computer security incidents and covers the following security techniques:  

- The steps of the incident handling process  

- Detecting malicious applications and network activity  

- Common attack techniques that compromise hosts  

- Detecting and analyzing system and network vulnerabilities  

- Continuous process improvement by discovering the root causes of incidents  

It is a must-go for enterprise administrators, security officers and architects. Delivered by one of the best people in the market in the security field – with practical knowledge from tons of successful projects, many years of real-world experience, great teaching skills and no mercy for misconfigurations or insecure solutions.  

Target audience  

Enterprise administrators, infrastructure architects, security professionals, systems engineers, network administrators, IT professionals, security consultants and other people responsible for implementing network and perimeter security.  

Materials  

Author’s unique tools, over 300 pages of exercises, presentations slides with notes.  

Agenda  

Module 1: Introduction to Incident Response and Handling
1. Types of Computer Security Incidents
2. Examples of Computer Security Incidents
3. Signs of an Incident
4. Incident Prioritization
5. Incident Response 6. Incident Handling  

Module 2: System and Network Security Mechanisms
1. Integrity Levels
2. Anti-malware & Firewalls
3. Application Whitelisting, Application Virtualization
4.Privileged Accounts, Authentication, Monitoring, and UAC
5.Whole Disk Encryption
6. Browser Security
7. EMET
8. Dangerous Endpoint Applications Session Zero
9. Privileges, permissions and rights
10. Passwords security (techniques for getting and cracking passwords
11. Registry Internals
12. Monitoring Registry Activity
13. Boot configuration
14. Services architecture
15. Access tokens
16. Web Application Firewall
17. HTTP Proxies, Web Content Filtering, and SSL Decryption
18. SIMs, NIDS, Packet Captures, and DLP
19. Honeypots/Honeynets
20. Network Infrastructure – Routers, Switches, DHCP, DNS
21. Wireless Access Points  

Module 3: Incident Response and Handling Steps  
1. How to Identify an Incident
2. Handling Incidents Techniques
3. Incident Response Team Services
4. Defining the Relationship between Incident Response, Incident Handling, and Incident Management
5. Incident Response Best Practices
6. Incident Response Policy
7. Incident Response Plan Checklist  

Module 4: Handling Network Security Incidents
1. Denial-of-Service Incidents
2. Distributed Denial-of-Service Attack
3. Detecting DoS Attack
4. Incident Handling Preparation for DoS
5. DoS Response and Preventing Strategies
6. Following the Containment Strategy to Stop DoS
7. Detecting Unauthorized Access Incident
8. Incident Handling Preparation  
9. Incident Prevention
10. Following the Containment Strategy to Stop Unauthorized Access
11. Eradication and Recovery
12. Detecting the Inappropriate Usage Incidents
13. Multiple Component Incidents
14. Containment Strategy to Stop Multiple Component Incidents
15. Network Traffic Monitoring Tools  

Module 5: Handling Malicious Code Incidents
1. Count of Malware Samples
2. Virus, Worms, Trojans and Spywares
3. Incident Handling Preparation
4. Incident Prevention
5. Detection of Malicious Code
6. Containment Strategy
7. Evidence Gathering and Handling 8. Eradication and Recovery  

Module 6: Securing Monitoring Operations
1. Industry Best Practices
2. Critical Security Controls
3. Host, Port and Service Discovery
4. Vulnerability Scanning
5. Monitoring Patching, Applications, Service Logs
6. Detecting Malware via DNS logs
7. Monitoring Change to Devices and Appliances
8. Leveraging Proxy and Firewall Data
9. Configuring Centralized Windows Event Log Collection
10. Monitoring Critical Windows Events
11. Detecting Malware via Windows Event Logs
12. Scripting and Automation
13. Importance of Automation
14. PowerShell  

Module 7: Forensics Basics
1. Computer Forensics
2. Objectives of Forensics Analysis
3. Role of Forensics Analysis in Incident Response
4. Forensic Readiness And Business Continuity
5. Types of Computer Forensics
6. Computer Forensic Investigator
7. Computer Forensics Process
8. Collecting Electronic Evidence
9. Challenging Aspects of Digital Evidence
10. Forensics in the Information System Life Cycle
11. Forensic Analysis Guidelines
12. Forensics Analysis Tools
13. Memory acquisition techniques
14. Finding data and activities in memory
15. Tools and techniques to perform memory forensic  

Guillaume Lopes (@Guillaume_Lopes) and Davy Douhine (@ddouhine), senior pentesters, will share many techniques, tips and tricks to deliver to pentesters, bug bounty researchers or just curious a 100% hands-on 2 days mobile training. Goal is to introduce tools (Adb, Apktool, Jadx, Cycript, Frida, Hopper, Needle, etc.) and techniques to help you to work faster and in a more efficient way in the mobile (Android and iOS) ecosystem. This is the exact training that you would have liked to have before wasting your precious time trying and failing while testing.

Main topics of the training are based on the fresh OWASP MSTG (Mobile Security Testing Guide):

- Review the codebase of a mobile app (aka static analysis)

- Run the app on a rooted device (to check data security issues)

- Inspect the app via instrumentation and manipulate the runtime (aka runtime analysis)

- MiTM all the network communications (aka inspect the traffic)

Prerequisites

A laptop :

- with 8GB of RAM at least, ideally 16GB

- 40Gb of free space (to install a VM based on Kali that we’ll provide)

- Administrative rights on your laptop + a way to deactivate anti-virus, HIPS and firewall

- VMWare Player (ideally VMWare Workstation)

- A PDF reader

A jailbroken iDevice (iPhone/iPad/iPod) running at least iOS9 for the iOS labs

Agenda 

2 days based mainly on practical exercises

- Day 1: Android Hacking

Basics

• Android Ecosystem

• APK Architecture

• Android Manifest

• Tools needed

Static Analysis

• Decompilation

• Information Gathering

• IPC

• Access Control

• Hardcoding Secrets

Dynamic Analysis

• LogCat

• Network Communication

• Certificate Pinning

• Data Storage

• Code Tampering

• Debugging

• Hooking with Frida

- Day 2: iOS Hacking

Security and architecture

• Security features

• iOS architecture

Techniques

• Steps and requirements

Testing environment

• Tools

Jailbreaks

• History

• Types

Targets

• Test apps and real ones

Needle

• History and features

Static analysis

• /static/code_checks

• /binary/*

Data Storage

• Caching

• Logs

• /storage/data/*

Dynamic analysis

• Cycript

• Frida

• IPAPatch/Resign

• Objection

Network Security

• MiTM all the traffic

• Wireshark and Burpsuite

Bonus (Pegasus – Trident / CVE-2016-4657)

• Metasploit

Every day more and more systems and networks become connected to the IPv6 Internet, not without a fair share of security implications. Learn from the very same folks that have broken and patched the IPv6 protocols how to pentest and defend your IPv6 systems and networks before the bad guys do! 

 Overview  

The IPv6 protocol suite has been designed to accommodate the present and future growth of the Internet, by providing a much larger address space than that of its IPv4 counterpart, and is expected to be the successor of the original IPv4 protocol suite. The imminent exhaustion of the IPv4 address space has resulted in the deployment of IPv6 in a number of production environments, with many other organizations planning to deploy IPv6 in the short or near term.

There are a number of factors that make the IPv6 protocol suite interesting from a security standpoint. Firstly, being a new technology, technical personnel has much less confidence with the IPv6 protocols than with their IPv4 counterparts, and thus it is likely that the security implications of the protocols be overlooked when they are deployed on production networks. Secondly, IPv6 implementations are much less mature than their IPv4 counterparts, and thus it is very likely that a number of vulnerabilities will be discovered in them before their robustness matches that of the existing IPv4 implementations. Thirdly, security products such as firewalls and NIDS’s (Network Intrusion Detection Systems) usually have less support for the IPv6 protocols than for their IPv4 counterparts. Fourthly, the security implications of IPv6 transition/co-existence technologies on existing IPv4 networks are usually overlooked, potentially enabling attackers to leverage these technologies to circumvent IPv4 security controls in unexpected ways.

The imminent global deployment of IPv6 has created a global need for security professionals with expertise in the field of IPv6 security, such that the aforementioned security issues can be mitigated.

While there exist a number of training courses about IPv6 security, they either limit themselves to a high-level overview of IPv6 security, and/or fail to cover a number of key IPv6 technologies that are vital in all real IPv6 deployment scenarios. During the last few years, SI6 Networks has offered its flagship course “Hacking IPv6 Networks”, providing in-depth hands-on IPv6 security training to networking and security professionals around the world.

Hacking IPv6 Networks (version 5.0) is a renewed edition of SI6 Networks’ IPv6 security training course, with an a tremendous increase in hands-on exercises, and newly incorporated materials based on recent developments in the area of IPv6 security. The training is carried out by Fernando Gont, a renowned IPv6 security researcher.

 Learning Objectives  

This course will provide the attendee with in-depth knowledge about IPv6 security, such that the attendee is able to evaluate and mitigate the security implications of IPv6 in production environments.

The attendee will be given an in-depth explanation of each topic covered in this course, and will learn – through hands-on exercises – how each feature can be exploited for malicious purposes. Subsequently, the attendee will be presented with a number of alternatives to mitigate each of the identified vulnerabilities.

This course will employ a range of open source tools to evaluate the security of IPv6 networks, and to reproduce a number of IPv6-based attacks. During the course, the attendee will perform a large number of exercises in a network laboratory (with the assistance of the trainer), such that the concepts and techniques learned during this course are reinforced with hands-on exercises. The attendee will be required to perform a large number of IPv6 attacks, and to envision mitigation techniques for the corresponding vulnerabilities.

Who Should Attend  

Network Engineers, Network Administrators, Security Administrators, Penetration Testers, and Security Professionals in general.

 Participants Are Required To  

Participants are required to have a good understanding of the IPv4 protocol suite (IPv4, ICMP, ARP, etc.) and of related components (routers, firewalls, etc.). Additionally, the attendee is expected to knowledge about basic IPv4 troubleshooting tools, such as: ping, traceroute, and network protocol analyzers (e.g., tcpdump). Basic knowledge of IPv6 is desirable, but not required.

What to bring  

Attendees willing to perform the hands-on exercises are expected to bring a laptop with VirtualBox already installed, and an empty memory stick (of at least 8 GB) or a DVD drive. The minimum requirements for the laptop are: Intel Core Duo, 1.66 GHz. 4GB of RAM. Ethernet and WI-FI network interface cards. 

Topics covered by this course  

Introduction to IPv6 

- IPv4 address exhaustion

- IPv6 service

- IPv6 transition/deployment mechanisms

- IPv6: current state of affairs

- Brief comparison between IPv6 and IPv4

- IPv6 security overview

IPv6 Addressing Architecture 

- IPv6 address types

- IPv6 address analysis

- Implications for address scanning attacks & possible mitigations

- Privacy implications & possible mitigations

- Implications for end-to-end connectivity

IPv6 Header Fields 

- IPv6 header overview

- Basic header fields

- Security assessment

IPv6 Extension Headers (EHs) 

- General implications of EHs

- Security implications of specific IPv6 EHs

- Security implications of specific IPv6 options

- IPv6 EHs in the real world

- Exploitation of IPv6 EHs

- Troubleshooting IPv6 EHs

- Network reconnaissance with IPv6 EHs

- Recent advances

IPsec 

- Virtual Private Network (VPN) traffic leakages

Internet Control Message Protocol version 6 (ICMPv6) 

- ICMPv6 error messages

- ICMPv6 informational messages

- Network reconnaissance with ICMPv6

Neighbor Discovery for IPv6 

- Address resolution in IPv6

- Address resolution messages and options

- Neighbor Discovery cache

- Neighbor Discovery attacks

- Neighbor Discovery security controls

- Evasion of Neighbor Discovery security controls

- System configuration options

Stateless Address Auto-configuration (SLAAC) 

- SLAAC operation

- SLAAC messages and options

- Duplicate Address Detection (DAD)

- Troubleshoting SLAAC

- SLAAC attacks

- DAD attacks

- SLAAC security controls

- Evasion of SLAAC security controls

- System configuration options

Dynamic Host Configuration Protocol version 6 (DHCPv6) 

- Sample DHCPv6 traffic

- Security implications of DHCPv6

- DHCPv6 attacks

- DHCPv6 security controls

Multicast Listener Discovery (MLD) 

- Sample MLD traffic

- Security implications of MLD

- MLD attacks

- MLD security controls

Securing Routing Protocols for IPv6 

- Border Gateway Protocol (BGP)

- RIPng

- EIGRPv6

- IS-IS

- OSPFv3

Upper-Layer Attacks 

- TCP-based attacks

- UDP-based attacks

- Possible mitigations

DNS Support for IPv6 

- Network reconnaissance

- Exploiting DNS reverse mappings

IPv6 Firewalls 

- Known limitations

- Evasion of IPv6 firewalls

Security Implications of IPv6 for IPv4-only Networks 

- IPv6 attacks on IPv4-only networks

- Mitigating IPv6 attacks on IPv4-only networks

Transition/Co-existence Technologies 

- Automatic tunneling mechanisms

- Attacks on automatic tunneling mechanisms

- Mitigations

Network Reconnaissance in IPv6 

- Host scanning in IPv6

- Port scanning in IPv6

IPv6 Deployment Considerations 

- Designing an IPv6 address plan

- Operating System hardening

- Other considerations 

Overview

"The great power of Internet Of Things comes with the great responsibility of security". Being the hottest technology, the developments and innovations are happening at a stellar speed, but the security of IoT is yet to catch up. Since the safety and security repercussions are serious and at times life threatening, there is no way you can afford to neglect the security of IoT products.

"Practical Internet of Things (IoT) Hacking” is a unique course which offers security professionals, a comprehensive understanding of the complete IoT Technology suite including, IoT protocols, sensors, client side, mobile, cloud and their underlying weaknesses. The extensive hands-on labs enable attendees to identify, exploit or fix vulnerabilities in IoT, not just on emulators but on real smart devices as well.

The course focuses on the attack surface on current and evolving IoT technologies in various domains such as home, enterprise Automation. It covers grounds-up on various IoT protocols including internals, specific attack scenarios for individual protocols and open source software/hardware tools one needs to have in their IoT penetration testing arsenal. It also covers hardware attack vectors and approaches to identify respective vulnerabilities . In addition to the protocols and hardware it also focuses on reverse engineering mobile apps and native code to find weaknesses.

Throughout the course, We will use eXos, an VM created by us specifically for IoT penetration testing. eXos is the result of our R&D and has most of the required tools for IoT security analysis. We will also distribute DIVA – IoT, a vulnerable IoT sensor made in-house for hands-on exercises.

The “Practical Internet of Things (IoT) Hacking” course is aimed at security professionals who want to enhance their skills and move to/specialise in IoT security. The course is structured for beginner to intermediate level attendees who do not have any experience in IoT, reversing or hardware.

Course outline

* Introduction to IOT

* IOT Architecture

* IoT attack surface

* Expliot – IoT exploitation framework

    – Intorduction

    – Architecture

    – Test Cases

* IoT Protocols Overview

* MQTT

    – Introduction

    – Protocol Internals

    – Reconnaisance

    – Information leakage

    – DOS attacks

    – Hands-on with open source tools

* CoAP

    – Introduction

    – Protocol Internals

    – Reconnaissance

    – Cross-protocol attacks

    – Hands-on with open source tools

* Understanding Radio

    – Signal Processing

    – Software Defined Radio

    – Gnuradio

        – Introduction to gnuradio concepts

        – Creating a flow graph

        – Analysing radio signals

        – Recording specific radio signal

        – Replay Attacks

* Radio IoT Protocols Overview

* Zigbee

    – Introduction and protocol Overview

    – Reconnaissance (Active and Passive)

    – Sniffing and Eavesdropping

    – Replay attacks

    – Hands-on with RZUSBstick and open source tools

* BLE

    – Introduction and protocol Overview

    – Reconnaissance (Active and Passive) with HCI tools

    – GATT service Enumeration

    – Sniffing GATT protocol communication

    – Reversing GATT protocol communication

    – Read and writing on GATT protocol

    – Fuzzing Characteristic values

    – Hands-on with open source tools

* Mobile security (Android)

    – Introduction to Android

    – App architecture

    – Security architecture

    – App reversing and Analysis

* ARM

    – Architecture

    – Instruction Set

    – Procedure call convention

    – System call convention

    – Reversing

    – Hands-on Labs

* Device Reconnaissance

* Firmware

    – Types

    – Firmware updates

    – Firmware analysis and reversing

    – Firmware modification

    – Firmware encryption

    – Simulating device environment

* Conventional Attacks

* External Storage Attacks

    – Symlink files

    – Compressed files

* IoT hardware Overview

* Introduction to hardware

    – Components

    – Memory

    – Packages

* Hardware Tools

    – Expliot Nano

    – EEPROM readers

    – Jtagulator/Jtagenum

    – Logic Analyzer

* Attacking Hardware Interfaces

* Hardware recon

    – Hardware Reconnaissance

      – Analyzing the board

      – Datasheets

* Attacking Debug ports

    – What are debug ports

    – Importance

    – UART

      – Introduction

      – Identifying UART interface

           – Method 1

           – Method 2

      – Accessing sensor via UART

      – Brute-forcing Custom consoles

– JTAG

    – Introduction

    – Identifying JTAG interface

           – Method 1

           – Method 2

    – Extracting firmware from the microcontroller

    – Run-time patching the firmware code

    – Real time code analysis

* Attacking the Memory

    – Where and What data is stored?

    – Common memory chips and protocols

    – I2C

      – Introduction

      – Interfacing with I2C

      – Manipulating Data via I2C

      – Sniffing run-time I2C communication

    – SPI

      – Introduction

      – Interfacing with SPI

      – Manipulating data via SPI

      – Sniffing run-time SPI communication

Who should take this course

• Penetration testers tasked with auditing IoT

• Bug hunters who want to find new bugs in IoT products

• Government officials from defensive or offensive units

• Red team members tasked with compromising the IoT infrastructure

• Security professionals who want to build IoT security skills

• Embedded security enthusiasts

• IoT Developers and testers

• Anyone interested in IoT security

Pre-requisites

• Basic knowledge of web and mobile security

• Knowledge of Linux OS

• Basic knowledge of programming - python

What attendees should bring

• Laptop with at least 50 GB free space

• 8+ GB minimum RAM (4+GB for the VM)

• External USB access (min. 2 USB ports)

• Administrative privileges on the system

• Virtualization software – Latest VirtualBox (5.2.X) (including Virtualbox extension pack)

• Linux host machines should have exfat-utils and exfat-fuse installed (ex: sudo apt-get install exfat-utils exfat-fuse).

• Virtualization (Vx-t) option enabled in the BIOS settings for virtualbox to work

What attendees will be provided With

• Commercial IoT Devices for hands-on (only during the class)

• DIVA - IoT: custom vulnerable IoT sensor Testbed for hands-on (only during the class)

• Hardware tools for sensor analysis for hands-on (only during the class)

• eXos VM - Platform for IoT Penetration testing

• Training material/slides

• Practical IoT hacking Lab manual PDF

What to expect

• Hands-on Labs

• Reverse Engineering

• Getting familiar with the IoT security

• This course will give you a direction to start performing pentests on IoT products

What not to expect

• Becoming a hardware/IoT hacker overnight. Use the knowledge gained in the training to start pentesting IoT devices and sharpen your skills.