Advanced Web Hacking (3 days) with NotSoSecure - Dhruv Shah This class teaches the audience a wealth of hacking techniques to compromise modern-day web applications, APIs and associated end-points. This class focuses on specific areas of appsec and on advanced vulnerability identification and exploitation techniques. The class allows attendees to learn and practice some neat, new and ridiculous hacks which affected real-life products and have found a mention in real bug-bounty programs. The vulnerabilities selected for the class either typically go undetected by modern scanners or the exploitation techniques are not so well known. Attendees will also benefit from a state-of-art Hacklab and we will be providing FREE 30 days lab access after the class to allow attendees more practice time. Some of the highlights of the class include: - Modern JWT, SAML, OAuth bugs
- Core business logic issues
- Practical cryptographic flaws.
- RCE via Serialisation, Object, OGNL and template injection.
- Exploitation over DNS channels
- Advanced SSRF, HPP, XXE and SQLi topics.
- Serverless exploits
- Web Caching issues
- Attack chaining and real-life examples.
OVERVIEW This class talks about a wealth of hacking techniques to compromise web applications, APIs, cloud components and other associated end-points. This class focuses on specific areas of appsec and on advanced vulnerability identification and exploitation techniques (especially server-side flaws). The class allows attendees to practice some neat, new and ridiculous hacks which affected real-life products and have found a mention in real bug-bounty programs. The vulnerabilities selected for the class either typically go undetected by modern scanners or the exploitation techniques are not so well known. Note: Attendees will also benefit from a state-of-art Hacklab and we will be providing free 30 days lab access after the class to allow attendees more practice time. The following is the course outline: Day1 Lab Setup and architecture overview Advanced Burp Features Authentication Attacks - Logical Bypass / Boundary Conditions
- Token Hijacking attacks
- Case Study Bypassing 2 Factor Authentication
- Case Study Authentication Bypass using Subdomain Takeover
Attacking SSO - JWT Token Brute-Force attacks
- SAML Authorization Bypass
- OAuth Issues
XML External Entity (XXE) Attack - XXE Basics
- Advanced XXE Exploitation over OOB channels
- XXE through SAML
- XXE in File Parsing
Complex Password Reset Attacks - Cookie Swap
- Host Header Validation Bypass
- Case study of a popular password reset fails.
Business Logic Flaws / Authorization flaws - Mass Assignment
- Invite/Promo Code Bypass
- Replay Attack
- API Authorisation Bypass
- HTTP Parameter Pollution (HPP)
Server-Side Request Forgery (SSRF) - SSRF to query internal network
- SSRF to call internal files
- Various Case studies
Day 2 Cloud Attacks - SSRF attacks on cloud
- Serverless exploitation
- Google Dorking in the Cloud Era
- Post Exploitation techniques on Cloud-hosted applications
- Various Case Studies
Breaking Crypto - Known Plaintext Attack (Faulty Password Reset)
- Padding Oracle Attack
- Hash length extension attacks
- Auth bypass using .NET Machine Key
Remote Code Execution (RCE) - Java Serialisation Attack
- Node.js Serialization Attack
- PHP Serialization Attack
- JSON Serialization Attack
- Server-Side Template Injection
- Exploiting code injection over OOB channe l
Day 3 SQL Injection Masterclass - 2nd order injection
- Out-of-Band exploitation
- SQLi through crypto
- OS code exec via PowerShell.
- Advanced topics in SQlisqli
- Advanced SQLMap Usage and WAF bypass
Tricky File Upload - Malicious File Extensions
- Circumventing File validation checks
- Exploiting hardened web servers.
Attacking Hardened CMS - Identifying and attacking various CMS
- Attacking Hardened Wordpress, Joomla, and Sharepoint.
Web Caching Attacks. Attack Chaining N tier vulnerability Chaining leading to RCE. Various Case Studies B33r-101 End WHO SHOULD TAKE THIS COURSE Web developers, SOC analysts, intermediate level penetration testers, DevOps engineers, network engineers, security architects, security enthusiasts and anyone who wants to take their skills to the next level. STUDENT REQUIREMENTS Students must bring their own laptops and have admin/root access on it. The laptop must have a virtualization software (virtualbox / VMWare) pre-installed. A customized version of Kali Linux (ova format) containing custom tools, scripts and VPN scripts for the class will be provided to the students. The laptop should have at least 4 GB RAM and 20 GB of free disk space dedicatedly for the VM. WHAT STUDENTS SHOULD BRING See student requirement WHAT STUDENTS WILL BE PROVIDED WITH Access to a hacking lab not just during the course but for 30 days after the class too. This gives them plenty of time to practice the concepts taught in the class. Numerous scripts and tools will also be provided during the training, along with student handouts. Speakers  NotSoSecure - Dhruv Shah Dhruv Shah is an information security professional working as a Principal Security Consultant at NotSoSecure. He has over 9+ years of experience in application, mobile, and network security. He has co-authored the book 'Kali Linux Intrusion and Exploitation' and 'Hands-on Pentesting with Burpsuite' by Packtpub. He is also a trainer of NotSoSecure's much-acclaimed Advanced Web Hacking class and has been a trainer at several leading public conferences such as Black Hat Vegas, Chicago, Alexandria, Japan, UK, Hack in Paris, Texas Cyber Summit, OWASP Appsec Israel, Bsides Lisbon etc. He has provided security training to various clients in UK, EU, and the USA via corporate training. His online presence is with the handle @snypter. | Duration 3 days | Price €2,150.00 | VAT €430.00 | Quantity |
Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation (2 days) with Dawid Czagan HackerOne bug hunters have earned $20 million in bug bounties until 2017 and they are expected to earn $100 million by the end of 2020. Some of HackerOne customers include the United States Department of Defense, General Motors, Uber, Twitter, and Yahoo. It clearly shows where the challenges and opportunities are for you in the upcoming years. What you need is a solid technical training by one of the Top 10 HackerOne bug hunters. Modern web applications are complex and it’s all about full-stack nowadays. That’s why you need to dive into full-stack exploitation if you want to master web attacks and maximize your payouts. Say ‘No’ to classical web application hacking. Join this unique hands-on training and become a full-stack exploitation master. After completing this training, you will have learned about: -
REST API hacking -
AngularJS-based application hacking -
DOM-based exploitation -
bypassing Content Security Policy -
server-side request forgery -
browser-dependent exploitation -
DB truncation attack -
NoSQL injection -
type confusion vulnerability -
exploiting race conditions -
path-relative stylesheet import vulnerability -
reflected file download vulnerability -
subdomain takeover -
and more What students will receive Students will be handed in a VMware image with a specially prepared testing environment to play with the bugs. What's more, this environment is self-contained and when the training is over, students can take it home (after signing a non-disclosure agreement) to hack again at their own pace. Special bonus The ticket price includes FREE access to Dawid Czagan’s 6 online courses (https://academy.silesiasecuritylab.com/): -
“Start Hacking and Making Money Today at HackerOne” -
“Keep Hacking and Making Money at HackerOne” -
“Case Studies of Award-Winning XSS Attacks: Part 1” -
“Case Studies of Award-Winning XSS Attacks: Part 2” -
“DOUBLE Your Web Hacking Rewards with Fuzzing” -
“How Web Hackers Make BIG MONEY: Remote Code Execution” What students say about this training This training has been very well-received by students around the world. You can see their testimonials here (https://silesiasecuritylab.com/services/training/#opinions). Prerequisites To get the most of this training intermediate knowledge of web application security is needed. Students should be familiar with common web application vulnerabilities and have experience in using a proxy, such as Burp Suite Proxy, or similar, to analyze or modify the traffic. Target audience Penetration testers, bug hunters, security researchers/consultants Material to bring by students Students will need a laptop with 64-bit operating system, at least 4 GB RAM (8 GB preferred), 35 GB free hard drive space, USB port (2.0 or 3.0), wireless network adapter, administrative access, ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running 64-bit VMs (BIOS settings changes may be needed). Please also make sure that you have Internet Explorer 11 installed on your machine or bring an up-and-running VM with Internet Explorer 11 (you can get it here: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/). Speakers  Dawid Czagan Dawid Czagan is an internationally recognized security researcher, trainer, and author of online security courses https://academy.silesiasecuritylab.com/. He is listed among Top 10 Hackers (HackerOne). Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter and other companies. Due to the severity of many bugs, he received numerous awards for his findings. Dawid Czagan shares his security bug hunting experience in his hands-on trainings “Hacking Web Applications – Case Studies of Award-Winning Bugs in Google, Yahoo, Mozilla and More” and “Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation”. He delivered security training courses at key industry conferences such as Hack In The Box (Amsterdam), CanSecWest (Vancouver), 44CON (London), Hack In Paris (Paris), DeepSec (Vienna), HITB GSEC (Singapore), BruCON (Ghent) and for many corporate clients. His students include security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and government sector (recommendations: https://silesiasecuritylab.com/services/training/#opinions). Dawid Czagan is a founder and CEO at Silesia Security Lab – a company which delivers specialized security testing and training services. He is also an author of online security courses https://academy.silesiasecuritylab.com/ . To find out about the latest in Dawid Czagan’s work, you are invited to subscribe to his newsletter https://silesiasecuritylab.com/newsletter/ and follow him on Twitter. | Duration 2 days | Price €1,550.00 | VAT €310.00 | Quantity |
CORELAN “ADVANCED” (3 days) with Peter Van Eeckhoutte The Corelan “ADVANCED” exploit development class is a fast-paced, mind-bending, hands-on course where you will learn advanced exploit development techniques from an experienced exploit developer. During this (typically 3 ‘long’ day) course, students will get the opportunity to learn how to write exploits that bypass modern memory protections for the Win32 platform, using Windows 7 and Windows 10 as the example platform, but using techniques that can be applied to other operating systems an applications. We will discuss differences between Windows 7 and Windows 10 and explore previously undocumented techniques to achieve important exploitation primitives in Windows 10. The trainer will share his “notes from the field” and various tips & tricks to become more effective at writing exploits. This is most certainly not an entry level course. In fact, this is a one of the finest and most advanced courses you will find on Win32 exploit development. This hardcore, practical, hands-on course will provide students with solid understanding of x86 Windows heap exploitation. We make sure the course material is kept updated with current evolutions, includes previously undocumented tricks and techniques, and details about research we performed ourselves, so you can apply the research techniques on other applications and operating system versions. Combined with the way the course is built up, this will turn this class into a truly unique learning experience. During all of our courses, we don’t just focus on techniques and mechanics, we don’t focus on just using one vulnerability, but we mainly want to make sure you understand why a given technique is used, why something works and why something doesn’t work. In the advanced course, we provide you with generic insights on how to do your own research related with heap exploitation in general (not just Windows 7 or Windows 10), fully preparing you for the futurel. The new 2020 edition of the course is based on Windows 7 and Windows 10. (As the Windows 10 Heap Manager contains additional mitigations, we use Windows 7 first to teach the basics, and then use Windows 10 later on). Furthermore, starting with the 2020 edition, the course contains an intro to x64 exploitation (stack & heap) We believe those are just a few arguments that makes this training stand out between other exploit development training offerings. Feel free to check our testimonials page if you want to see real, voluntary, unmodified and uncensored reactions by some of our students. Finally, we offer you post-training support as well. If you have taken the course and you still have questions afterwards, we will help. WARNING: We do not provide solutions for any of the exercises in this course, but we will help you to find the solutions yourself, either during the course or after the course (via the student-only support system) Why take this course ? - Are you familiar with the basics of exploit development ? Do you know how to write exploits for saved return pointer overwrites and abuse SEH records with your eyes closed ? Are you interested in understanding how heap spraying works, and why it works ? Is heap exploitation still a mysterious black box for you? Are you now ready for the next step ?
- Have you taken the Bootcamp or other commercial courses on exploit development and want to move to the next phase ?
- Do you want to learn modern techniques to exploit heap related memory corruptions on Windows 7 and Windows 10 ?
- Do you want to learn the fine art of writing exploits for heap related corruptions in complex applications ?
- Do you want to learn the skills to investigate heap managers on modern Windows versions (Win7, Win10) and how to look for your own exploitation primitives?
- Would you like to know what (generic) questions to ask (rather than being spoonfed exploit-specific solutions & answers)
- Would you like to know how to approach fuzzing/bug hunting in complex applications, how to recognize and determine exploitability for heap based corruptions?
- Are you involved in malware research or do Incident Response & interested in understanding how exploits work?
- Would you like to understand better how to detect exploits and how to protect against them?
- Would you like to get a basic view on common development mistakes, how to avoid them and how compiler options can help?
- Are you able to write ROP chains blindfolded ? (It is fundamentally important that you have practical experience with constructing/writing your own ROP chain!)
- Are you willing to suffer and bleed, absorb new knowledge fast and not intimidated by debuggers and assembly instructions…
- …then this course is exactly what you need !
Still in doubt? Click here to help find the right course for you. Target audience Pentesters, auditors, network/system administrators, reverse engineers, malware analysts, developers, members of a security department, security enthusiasts, or anyone that has a solid and practical basic knowledge of exploit development for Windows already. If you have a strong desire to learn and willing to suffer & bleed, then check out the schedules & register for one of the classes. If you are interested in organizing the course at a conference or as a private course at your company, send me an e-mail (peter[dot]ve{at}corelan[dot]be) Course contents ASLR & DEP Refresher - Bypassing ASLR
- Bypassing DEP
WinDBG Windows Heap Management - Terminology & building blocks
- Windows 7 Heap, Windows 10 Heap (“NT” and “Segment” heap)
- Front-End-Allocator and Back-End-Allocator
- Differences between Windows 7 and Windows 10
- Heap manipulation primitives
Heap Spraying - Basic mechanisms
- Data & object spraying
- Precise heap spraying
Heap Exploitation - Use-After-Free
- Linear & non-linear overflows / controlled write
- Double Free
- Type confusion
- Use of uninitialized memory
- Memory leaks / Information Disclosure
- Heap Manipulations and heap primitives
Intro to x64 exploitation - x64 processes, memory map, registers
- Functions & calling conventions
- Structured Exception Handling
- ASLR
- Stack Buffer Overflows
- Heap exploitation primitives on x64
What’s next - Overview of memory protection evolutions
- Thoughts & ideas on fuzzing and bug hunting
During the course, students will get the opportunity to work on real vulnerabilities in real applications, use a wide range of heap exploitation techniques and most importantly learn how to do your own research to find exploitation primitives in complex applications and new versions of Windows. Warning – The course has a steep learning curve and will require full attention and focus. The “Course Contents” on this page is subject to change without prior notice & can be updated between the moment of registration and the actual course. We will try to cover as much as we can from the “Course Contents”, based on the overall ability to absorb knowledge and time needed to complete the exercises, but Corelan cannot ever guarantee that we will be able to cover everything. Knowledge & Attitude Prerequisites Students must: - be able to read and write simple C/C++ code and simple scripts (python, javascript)
- truly master all basic concepts of exploit development, as listed in our “BOOTCAMP” course. If you have taken the Bootcamp course and done a lot of practice after taking the class, then you’re probably ready for this class.
- be familiar with ROP (i.e. understand how it works on Windows, know how to build a ROP chain, know how to use mona.py to generate a chain and how to fix the chain if it doesn’t work)
- be familiar with using debuggers (we’ll use WinDBG for most part of the course, but we’ll spend some time explaining the basics of using WinDBG. It is assumed that you have practical experience with Immunity Debugger and mona.py)
- be ready to dive into a debugger and read asm for hours and hours and hours
- be ready to think out of the box and have a strong desire to learn
- be fluent with managing Windows / Linux operating system and with using vmware workstation/virtualbox
- be familiar with using Metasploit to generate shellcode
- have basic practical knowledge of assembly
It’s imperative for students to comply with these prerequisites. Technical Prerequisites Unless specified otherwise, students are required to bring the following : - A laptop (no netbook) with vmware workstation/virtualbox and enough processing power and RAM (we recommend 4Gb of RAM) to run up to 2 virtual machines at the same time. The use of a 64bit processor and a 64bit operating system on the laptop will make the exercises more realistic.
- 3 Virtual machines (Windows 10 (no patches), Windows 7 SP1 (no patches), Kali Linux (fully up-to-date))
Note : you will receive the exact installation instructions after registration, about a week before class begins, so don’t start installling the VMs yet. All required tools and applications will be provided during the training or will be downloaded from the internet during the training. You must have full administrator access to all machines. You must be able to install and remove software, and you must be able to disable and/or remove firewall/antivirus/… when necessary. Legal Prerequisites It will be required to sign a confidentiality agreement at the start of the course. You will not be admitted to the course without signing this document. You can find a copy of the document here. Speakers  Peter Van Eeckhoutte Peter Van Eeckhoutte is the founder of Corelan Team and the author of the well-known tutorials on Win32 Exploit Development Training, available at https://www.corelan.be. The team gathers a group of IT Security enthusiasts and researchers from around the world, who all share common interests : doing research, gather & share knowledge, and perform responsible/coordination disclosure. Above all, the team is well known for their ethics and their dedication to helping other people in the community. Together with the team, he has developed and published numerous tools that will assist pentesters and exploit developers, and published whitepapers/video’s on a wide range of IT Security related topics (pentesting tools, (malware) reverse engineering, etc). In addition to operating an IRC channel (freenode, channel #corelan), the team is running a slack work space (corelan.slack.com). You can get access to slack by checking out the Corelan Facebook page (@CorelanGCV) or Twitter account (@CorelanGCV), looking for the most recent Slack invitation. Peter is reachable on Twitter (@corelanc0d3r). Peter has been an active member of the IT Security community since 2000 and has been working on exploit development since 2006. He presented at various international security conferences (Athcon, Hack In Paris, DerbyCon, ISSA Belgium) and taught various Win32 Exploit Development courses at numerous places around the globe. He trained security enthusiasts & professionals from private companies, government agencies and military organizations. | Duration 3 days | Price €2,500.00 | VAT €500.00 | Quantity |
Hacking and securing Bluetooth Low Energy and RFID/NFC devices (3 days) with Slawomir Jasek Bluetooth Low Energy is one of the most exploding IoT technologies. BLE devices surround us more and more – not only as wearables, toothbrushes and sex toys, but also smart locks, medical devices and banking tokens. Alarming vulnerabilities of these devices have been exposed multiple times recently. And yet, the knowledge on how to comprehesively assess their security seems very uncommon. This is probably the most exhaustive and up to date training regarding BLE security – for both pentesters and developers. Based on hands-on exercises with real devices (including multiple smart locks), dedicated personal device flashed to a BLE devkit, and a deliberately vulnerable, training hackmelock. RFID/NFC, on the other hand, has been around us for quite long. However, the vulnerabilities pointed out years ago, probably won’t be resolved in a near future. It is still surprisingly easy to clone most access control cards used today. Among other practical exercises performed on real installations, the attendees will reverse-engineer an example hotel access system, and as a result will be able to open all the doors in facility. A list of several hundred affected hotels included. Each attendee will receive 200 EUR hardware pack including among others Proxmark and Raspberry Pi (detailed below). The hardware will allow for BLE attacks (sniffing, intercepting), cloning and cracking multiple kinds of proximity cards, analyse BLE or NFC mobile applications, and most importantly - practice majority of the training exercises later at home. Who should attend - Pentesters, security professionals, red teamers, researchers
- BLE/NFC device designers, developers
- Anyone interested
Key learning objectives - In-depth knowledge of Bluetooth Low Energy, common implementation pitfalls, device assessment process and best practices
- Ability to identify vulnerable access control systems, clone cards and reverse-engineer data stored on card
Prerequisite knowledge - Basic familiarity with Linux command-line
- Scripting skills, pentesting experience, Android mobile applications security background will be an advantage, but is not crucial
- No prior knowledge of Bluetooth Low Energy nor NFC is required
Hardware/software requirements - Contemporary laptop capable of running Kali Linux in virtual machine (VirtualBox or VMWare), and at least two USB ports available for VM guest
- Android smartphone with BLE and NFC support will be very helpful
- You can bring your own BLE device or access control card to check its security
Each student will receive Detailed agenda Bluetooth Smart (Low Energy) Theory introduction - What is Bluetooth Smart/Low Energy/4.0, how it is different from previous Bluetooth versions?
- Usage scenarios, prevalence in IoT devices
- Protocol basics
- Required hardware for BLE assessment
BLE advertisements - Scanning for visible devices, hcitool, bleah, bettercap, Mirage, GATTacker, …
- Beacons: iBeacon, Eddystone, Physical Web
- Simulating beacons – using mobile phone, Linux scripts, other devices.
- How to get free beer by abusing beacon-based reward application
- "Encrypted" beacons, abusing weaknesses in beacon management control protocols
- BLE advertisements of Microsoft and Apple devices (user tracking, decoding of current status/phone number)
- Advertisement spoofing – Denial of Service, device impersonation
BLE connections - Central vs peripheral device
- GATT – services, characteristics, descriptors, handles, reading, writing, notifications
- Mapping device services and characteristics
- Interacting with BLE devices using mobile phone, command-line, various tools
- Taking control of simple, insecure devices – sex toys, key finders, …
Sniffing BLE connections using RF layer hardware - BLE radio modulation, channels, hopping, connection initiation
- BLE link layer encryption – introduction, why is it hardly used in practice
- Sniffing hardware: Ubertooth, nRF sniffer, BtleJack, Sniffle, SDR …
- Wireshark filters, tips&tricks
- Sniffing static cleartext password of a smart lock and other devices
HCI dump - capturing own BLE traffic - Difference from RF layer sniffing
- Linux command-line hcidump
- Android: live BLE packets analysis in Wireshark via TCP service
Device spoofing, active MITM interception - How to perform “man in the middle” attack on BLE connections
- Available tools: GATTacker, BtleJuice, BtleJack, Mirage
- MAC address cloning, mobile OS GATT cache potential problems
- Analysing intercepted traffic
- Denial of Service attacks
- Jamming and hijacking active connections with BtleJack
Replay attacks - Intercept transmission
- Analyse authentication protocol weakness in example smart lock
- Perform replay using tools or mobile phone, and unlock the device
Relay attacks – abusing automatic proximity features (e.g. smart lock autounlock). Various smart locks vulnerabilities case-studies - Attacks on proprietary authentication and protocols
- Decompile Android app, locate relevant source code fragments
- Understand proprietary BLE communication protocol – commands, data exchanged with device
- Based on example smart lock, discover protocol weakness, create exploit to open the lock without knowing current password or prior sniffing
- Exploit the vulnerability using just a mobile phone – nRF Connect macros
- Verify other vendor’s claims on “Latest PKI technology” and “military grade encryption”
- Example unlocked AT command interface via BLE service of a smart lock
- Remote access share functions and their weaknesses – how to bypass timing restrictions.
- How to create own, independent server-side API for device – based on a real smart lock vendor, which disappeared and shut the servers, effectively rendering the device e-waste
Advanced BLE MITM topics - Hooks, data modification on the fly (example attack on mobile PoS)
- Command injection
- Upstream websocket proxy
- "Rolljam"-like attacks on single use keys
- When MITM attack does not work or is not possible – debugging, troubleshooting
Device DFU firmware update OTA services. Bluetooth link-layer encrypted connections - BLE pairing, bonding, encryption
- Intercepting pairing process and decoding Long Term Keys (crackLE)
- Weaknesses of simple pairing (static PIN, just works)
- How to trick a victim into re-pairing
Abusing BLE bonding trust relationships - Analysis of Google Titan U2F token vulnerability
- Possibilities for malicious actions (e.g. change device to appear as a BLE keyboard).
Web Bluetooth – interfacing with nearby devices from javascript. - How hard is it to hijack BLE devices from a hostile web site
- Writing new javascript interface to control own device
Bluetooth Mesh, Bluetooth 5.0 – what these technologies change and what not in terms of BLE security. BLE Hackmelock – open-source software emulated device with multiple challenges to practice at home. BLE best practices and security checklist – for security professionals, pentesters, vendors and developers. NFC Short introduction - RFID/NFC – where do I start?
- Frequencies, card types, usage scenarios
- How to recognize card type – quick walkthrough
- Equipment, and what can you do with it – mobile phone, card reader, simple boards, Chameleon Mini, Proxmark, other hardware
UID-based access control – practical exercises on example reader + door lock - UID-based access control – still surprisingly popular
- UID lengths, formats
- Clone Mifare UID using Android phone and “gen2” UID-changeable card, or libnfc/Proxmark and gen1 card
- How to emulate contactless cards and unlock UID-based system using just a smartphone (Android, iOS), without any additional hardware
- How to clone a card by making its picture – decoding numbers printed on cards
- Cloning other ID-based cards – Low Frequency EM41XX, HID Prox, …
- Emulate card using Proxmark, Chameleon Mini
- Brute-force – is it possible in practice to guess other cards UID?
- Countermeasures against attacks
Wiegand – wired access control transmission standard - Sniff the data transmitted from access control reader using Raspberry Pi GPIO, ESP RFID Tool, BLE-Key, …
- Decode card UID from sniffed bytes, clone the card
- Replay card data on the wire to open lock
Mifare Ultralight - Data structure
- Reading, cloning, emulating
- Example data stored on hotel access card
- Ultralight EV1, C
Mifare Classic & its weaknesses – practical exercises based on hotel door lock system, ski lift card, bus ticket - Mifare Classic – data structure, access control, keys, encryption
- Default & leaked keys
- Reading & cloning card data using just a mobile phone
- Cracking keys – nested, darkside attacks
- Libnfc tools – mfoc, mfcuk, MiLazyCracker
- Cracking Mifare using Proxmark
- Attacks on EV1 “hardened” Mifare Classic
- Online attacks against reader
Reverse-engineering data stored on card - based on a real hotel system - Recoding access control data (room number, date) stored on card by an example hotel system
- Creating hotel „emergency card” to open all the hotel doors unconditionally
Mifare DESFire – introduction, sample attack on misconfigured access control system ISO15693/iCode SLIX - Cloning ISO15693 UID on a “magic UID” card, unlocking smart lock
- Data of several example ski passes
HID iClass - Cloning “legacy” / “standard security” iClass
- Attacks on iClass Elite
Hitag2 access control - Sniffing password mode transmission between reader and tag
- Simulating Hitag2 against the reader using Proxmark
Intercepting card data from distance – building antenna, possibilities and limits. Speakers  Slawomir Jasek Speaker, trainer and IT security consultant with over 15 years of experience. Participated in countless assessments of systems’ and applications’ security for leading financial companies, public institutions and cutting edge tech startups. Currently leads research on various topics in Polish software security company SecuRing and provides trainings regarding security of contemporary locks and access control systems (www.smartlockpicking.com). Beside research and training, he focuses on consulting and designing of secure solutions for various software and hardware projects, during all phases - starting from a scratch. Previously gave talks, workshops or trainings at HackInParis, BlackHat USA, multiple Appsec EU, HackInTheBox Amsterdam, Deepsec, BruCON, Confidence, Devoxx and many other events. | Duration 3 days | Price €2,150.00 | VAT €430.00 | Quantity |
Hacking and Securing Cloud Infrastructure (3 days) with NotSoSecure - Scott Isaac This 3-day course cuts through the mystery of Cloud Services (including AWS, Azure, and G-Cloud) to uncover the vulnerabilities that lie beneath. We will cover a number of popular services and delve into both what makes them different, and what makes them the same, as compared to hacking and securing traditional network infrastructure. Whether you are an Architect, Developer, Pentester, Security or DevOps Engineer, or anyone with a need to understand and manage vulnerabilities in a Cloud environment, understanding relevant hacking techniques, and how to protect yourself from them, is critical. This course covers both the theory a well as a number of modern techniques that may be used to compromise various Cloud services and infrastructure. Prior pentest/security experience is not a strict requirement, however, some knowledge of Cloud Services and familiarity with common Unix command-line syntax will be beneficial. Highlights of our Training: - Attacking Cloud Services
- Gaining Entry via exposed services
- Attacking specific cloud services
- Post - Exploitation
- Defending the Cloud Environment
- Host base Defenses
- Auditing and benchmarking of Cloud
- Continuous Security Testing of Cloud
Overview Whether you are an Architect, Developer, Pentester, Security or DevOps Engineer, or anyone with a need to understand and manage vulnerabilities in a Cloud environment, understanding relevant hacking techniques, and how to protect yourself from them, is critical. This course covers both the theory a well as a number of modern techniques that may be used to compromise various Cloud services and infrastructure. Prior pentest/security experience is not a strict requirement, however, some knowledge of Cloud Services and familiarity with common Unix command-line syntax will be beneficial. DAY 1 Introduction to Cloud Computing - What is cloud
- Why cloud security matters
- Types of clouds and cloud services
- Shared responsibility model
General (Web Hacking) Knowledge - A “leveller”, tailored to the room, ensuring everybody understands conventional web hacking techniques, to make the course accessible to all
Attacking Cloud Services - What changes from conventional security models
- Legalities around Cloud Pentesting
- Introducing the Metadata API
- Understand the attack surface in each type of cloud
- Enumerating for cloud assets
Gaining Entry via exposed services - Function based attacks
- Web application Attacks
- Exposed Service ports
DAY 2 Attacking specific cloud services - Storage Enumeration and Attacks
- Identity Services
- AWS Cognito
- Azure Active Directory
- Containers and Kubernetes Clusters
- Financial Attacks
- Identity and Access Management
- Dormant assets
Google Dorking for resources and sensitive info Post Exploitation - Post access enumeration
- Snapshot stealing
- Backdooring the account
- Maintain access after the initial attack
DAY 3 Defending the Cloud Environment - Metadata API Protection
- Monitoring and logging of the environment
- Catching attacks
Host base Defenses - Windows server auditing
- Linux Server Auditing
Auditing and benchmarking of Cloud - Prepare for the audit
- Automated auditing via tools
- Golden Image / Docker image audits
- Relevant Benchmarks for cloud
Continuous Security Testing of Cloud - Continuous inventory updating by extracting a list of Assets
- Automated scans to pick changes in environment and setup
CTF Key Takeaways Students will gain knowledge of attacking, exploiting and defending a variety of Cloud infrastructure. First, they will play the part of the hacker, compromising serverless apps, cloud machines, storage and database services, dormant assets and resources. Students will learn privilege escalation and pivoting techniques specific to cloud environments. This is followed by Infrastructure Defense, secure configuration, auditing, logging, benchmarks. Students will learn preventive measures against cloud attacks, host-based defense and a number of cloud tools that can help in securing their services and resources. Apply the learning to: - Identify weaknesses in cloud deployment
- Fix the weaknesses in your cloud deployment
- Monitor your cloud environment for attacks
Who Should Take this Course Cloud Administrators, Developers, Solutions Architects, DevOps Engineers, SOC Analysts, Penetration Testers, Network Engineers, security enthusiasts and anyone who wants to take their skills to the next level. Prior pentest experience is not a strict requirement, however, some knowledge of Cloud Services and familiarity with common command line syntax will be greatly beneficial. Audience Skill Level Intermediate Student Requirements Students must bring their own laptops and have admin/root access on it. The laptop must have a virtualization software (virtualbox / VMWare) pre-installed. A customized version of Kali Linux (ova format) containing custom tools, scripts and VPN scripts for the class will be provided to the students. The laptop should have at least 4 GB RAM and 20 GB of free disk space dedicatedly for the VM. What Students Should Bring See Student requirement What Students Will Be Provided With Access to a hacking lab not just during the course but for 30 days after the class too. This gives them plenty of time to practice the concepts taught in the class. Numerous scripts and tools will also be provided during the training, along with student handouts. Our own pre-bundled Docker Image containing all the tools needed to begin hacking/auditing/securing the Cloud. Speakers NotSoSecure - Scott Isaac Scott began his journey into cyber security in the defence sector focusing on radio operations. His knowledge of radio propagation, modulation schemes, encoding and encryption methods enabled him to intercept and derive meaningful intelligence from enemy communications. Scott was later head hunted to mentor intelligence analysts operating out of Joint Signals Service Unit who were building a new internet operations capability. During this time Scott worked closely with multinational intelligence agencies and was awarded a commendation by the commanding officer of JSSU. His first civilian role was to continue to deliver training in cyber security which he did for two years as the head of product delivery for QA Ltd - creating simulated training environments to facilitate malware analysis, infrastructure attack, SOC operations and wifi audit. He now develops and delivers training with NotSoSecure and has taught at BlackHat conferences. | Duration 3 days | Price €2,150.00 | VAT €430.00 | Quantity |
Hacking Enterprises - 2021 Edition (3 days) with Will Hunt and Owen Shearing This is an immersive hands-on course aimed at a technical audience. Over the 3 days, we will fully compromise a simulated enterprise covering a multitude of TTP's. The training is based around modern operating systems, using modern techniques, emphasising the exploitation of configuration weaknesses rather than throwing traditional exploits. This means logical thinking and creativity will definitely be put to the test. Students will access our remote lab which is configured with multiple networks, some easily accessible, others not so. Course material and exercise content has been designed to reflect real-world challenges and students will perform numerous hands-on exercises including using OSINT skills to retrieve useful data, perform host/service enumeration and exploitation as well as perform phishing attacks against our live in-LAB users’ to gain access to new networks, bringing new challenges and in the process teaching new sets of skills in post exploitation, network reconnaissance, lateral movement and data exfiltration. We also like to do things with a difference. You'll be provided access to an in LAB Elastic instance, where logs from all targets get pushed and processed. This allows you, whether an attacker or defender, to understand the types of artifacts your attacks leave and how you might catch or be caught in the real world. Swag We realise that training courses are limited for time and therefore students are also provided a complementary In.security hackpack! This includes: - 14-day Slack support channel access where our security consultants are available
- 14-day access to a CTF platform with subnets/hosts not seen during training!
- A hard copy of the RTFM
- A Hak5 LAN Turtle
Agenda Day 1 - Getting familiar with the MITRE ATT&CK framework
- An introduction into monitoring and alerting using our in-LAB ELK stack
- Leveraging OSINT activities
- Enumerating and targeting IPv4 and IPv6 hosts
- Remote/local Linux enumeration and living off the land
- Linux shells, post exploitation and privilege escalation
- [email protected] cracking (*nix specifics)
- Kubernetes and container security
Day 2 - Creating and executing Phishing campaigns against our simulated enterprise users
- Living off the land tricks and techniques in Windows
- [email protected] cracking (Windows specifics)
- Remote/local Windows enumeration
- Windows exploitation and privilege escalation techniques
- Windows Defender/AMSI, Tamper Protection and UAC bypasses
- RDP hijacking
- Bypassing AWL (WDAC, AppLocker, PowerShell CLM)
- Enumerating and extracting LAPS secrets
Day 3 - Lateral movement, pivoting, routing, tunnelling and SOCKS proxies
- Application enumeration and exploitation via pivots
- Abusing domain trusts
- Gaining persistence using Scheduled Tasks and WMI Event Subscriptions
- Data exfiltration over OOB channels (ICMP and DNS)
- Domain Fronting and C2
What Will Be Needed - A laptop to which you have administrative/root access, running either Windows, Linux or Mac operating systems
- Access to VNC, SSH and OpenVPN clients (these can be installed at the start of the training)
Who Should Take This Training - Penetration testers
- SOC analysts
- Security professionals
- IT support, administrative and network personnel
Student Requirements - A firm familiarity of Windows and Linux command line syntax
- Understanding of networking concepts
- Previous pentesting and/or SOC experience is advantageous, but not required
Speakers  Will Hunt Will (@Stealthsploit) is a cyber security consultant who has worked in IT security for over 10 years. He co-founded In.security Limited, a specialist cyber security company delivering high-end consultancy and training services. He’s delivered hacking courses at Black Hat USA/EU, Wild West Hackin’ Fest, NolaCon, 44CON and others, and has spoken at various conferences and events. Will also assists the UK government in various technical, educational and advisory capacities. Before Will was a security consultant he was an experienced digital forensics consultant and trainer.  Owen Shearing Owen (@rebootuser) is a co-founder of In.security Limited, a specialist cyber security consultancy offering technical and training services based in the UK. He is a CREST CCT level security consultant with a strong background in networking and IT infrastructure and has over a decade of experience in technical security roles. Owen has provided technical training to a variety of audiences at bespoke events and various conferences. He keeps projects at https://github.com/rebootuser. | Duration 3 days | Price €2,150.00 | VAT €430.00 | Quantity |
Hacking IPV6 networks V6.0 (3 days) with Fernando Gont Every day more and more systems and networks become connected to the IPv6 Internet, not without a fair share of security implications. Learn from the very same folks that have broken and patched the IPv6 protocols how to pentest and defend your IPv6 systems and networks before the bad guys do! Overview The IPv6 protocol suite has been designed to accommodate the present and future growth of the Internet, by providing a much larger address space than that of its IPv4 counterpart, and is expected to be the successor of the original IPv4 protocol suite. The imminent exhaustion of the IPv4 address space has resulted in the deployment of IPv6 in many production environments, with many other organizations planning to deploy IPv6 in the short or near term. There are a number of factors that make the IPv6 protocol suite interesting from a security standpoint. Firstly, being a new technology, technical personnel has much less confidence with the IPv6 protocols than with their IPv4 counterparts, and thus it is likely that the security implications of the protocols be overlooked when they are deployed on production networks. Secondly, IPv6 implementations are much less mature than their IPv4 counterparts, and thus it is very likely that a number of vulnerabilities will be discovered in them before their robustness matches that of the existing IPv4 implementations. Thirdly, security products such as firewalls and NIDS’s (Network Intrusion Detection Systems) usually have less support for the IPv6 protocols than for their IPv4 counterparts. Fourthly, the security implications of IPv6 transition/co-existence technologies on existing IPv4 networks are usually overlooked, potentially enabling attackers to leverage these technologies to circumvent IPv4 security controls in unexpected ways. The imminent global deployment of IPv6 has created a global need for security professionals with expertise in the field of IPv6 security, such that the aforementioned security issues can be mitigated. While there exist a number of training courses about IPv6 security, they either limit themselves to a high-level overview of IPv6 security, and/or fail to cover a number of key IPv6 technologies that are vital in all real IPv6 deployment scenarios. During the last few years, SI6 Networks has offered its flagship course “Hacking IPv6 Networks”, providing in-depth hands-on IPv6 security training to networking and security professionals around the world. Hacking IPv6 Networks (version 6.0) is a renewed edition of SI6 Networks’ IPv6 security training course, with background and theoretical information reduced to a minimum, a tremendous increase in hands-on exercises, and newly incorporated materials based on recent developments in the area of IPv6 security. The training is carried out by Fernando Gont, a renowned IPv6 security researcher. Learning Objectives This course will provide the attendee with in-depth knowledge about IPv6 security, such that the attendee is able to evaluate and mitigate the security implications of IPv6 in production environments. The attendee will learn – through hands-on exercises – how each IPv6 feature can be exploited for malicious purposes. Subsequently, the attendee will be presented with a number of alternatives to mitigate each of the identified vulnerabilities. This course will employ a range of open source tools to evaluate the security of IPv6 networks, and to reproduce a number of IPv6-based attacks. During the course, the attendee will perform a large number of exercises in a network laboratory (with the assistance of the trainer), such that the concepts and techniques learned during this course are reinforced with hands-on exercises. The attendee will be required to perform a large number of IPv6 attacks, and to envision mitigation techniques for the corresponding vulnerabilities. Who Should Attend Network Engineers, Network Administrators, Security Administrators, Penetration Testers, and Security Professionals in general. Participants Are Required To Participants are required to have a good understanding of the IPv4 protocol suite (IPv4, ICMP, ARP, etc.) and of related components (routers, firewalls, etc.). Additionally, the attendee is expected to knowledge about basic IPv4 troubleshooting tools, such as: ping, traceroute, and network protocol analyzers (e.g., tcpdump). Basic knowledge of IPv6 is desirable, but not required. What to bring Attendees willing to perform the hands-on exercises are expected to bring a laptop with VirtualBox already installed. The minimum requirements for the laptop are: Intel i3 processor. 4GB of RAM. Ethernet and WI-FI network interface cards. At least one USB port. Course Length 3 days Topics covered by this course Introduction to IPv6 - IPv4 address exhaustion
- IPv6 service
- IPv6 transition/deployment mechanisms
- IPv6: current state of affairs
- Brief comparison between IPv6 and Ipv4
- IPv6 security overview
IPv6 Addressing Architecture - IPv6 address types
- IPv6 address analysis
- Implications for address scanning attacks & possible mitigations
- Address Scanning in the IPv6 World
- Privacy implications & possible mitigations
- Implications for end-to-end connectivity
IPv6 Header Fields - IPv6 header overview
- Basic header fields
- Security assessment
IPv6 Extension Headers (EHs) - General implications of EHs
- Security implications of specific IPv6 EHs
- Security implications of specific IPv6 options
- IPv6 EHs in the real world
- Exploitation of IPv6 EHs
- Troubleshooting IPv6 EHs
- Network reconnaissance with IPv6 Ehs
- Recent advances
IPsec - Virtual Private Network (VPN) traffic leakages
Internet Control Message Protocol version 6 (ICMPv6) - ICMPv6 error messages
- ICMPv6 informational messages
- Network reconnaissance with ICMPv6
Neighbor Discovery for IPv6 - Address resolution in IPv6
- Address resolution messages and options
- Neighbor Discovery cache
- Neighbor Discovery attacks
- Neighbor Discovery security controls
- Evasion of Neighbor Discovery security controls
- System configuration options
Stateless Address Auto-configuration (SLAAC) - SLAAC operation
- SLAAC messages and options
- Duplicate Address Detection (DAD)
- SLAAC attacks
- DAD attacks
- SLAAC security controls
- Evasion of SLAAC security controls
- System configuration options
Dynamic Host Configuration Protocol version 6 (DHCPv6) - Security implications of DHCPv6
- DHCPv6 attacks
- DHCPv6 security controls
Multicast Listener Discovery (MLD) - Security implications of MLD
- MLD attacks
- MLD security controls
Upper-Layer Attacks - TCP-based attacks
- UDP-based attacks
- Possible mitigations
DNS Support for IPv6 - Network reconnaissance
- Exploiting DNS reverse mappings
IPv6 Firewalls and Network Intrusion Detection Systems (NIDS) - Known limitations
- IPv6 firewall configuration guidelines
- Evasion of IPv6 firewalls and NIDS
Security Implications of IPv6 for IPv4-only Networks - IPv6 attacks on IPv4-only networks
- Mitigating IPv6 attacks on IPv4-only networks
Transition/Co-existence Technologies - Transition/Co-existence mechanisms
- Attacks on transition/co-existence mechanisms
- Mitigations
Pentesting IPv6 Networks - Network Reconnaissance in IPv6
- Pentesting IPv6 Networks
Speakers  Fernando Gont Fernando Gont specializes in the field of communications protocols security, working for private and governmental organizations from around the world. Gont has worked on a number of projects for the UK National Infrastructure Security Co-ordination Centre (NISCC) and the UK Centre for the Protection of National Infrastructure (CPNI) in the field of communications protocols security. As part of his work for these organizations, he has written a series of documents with recommendations for network engineers and implementers of the TCP/IP protocol suite, and has performed the first thorough security assessment of the IPv6 protocol suite. Gont is currently working as a security consultant and researcher for SI6 Networks. As part of his work, he is active in several working groups of the Internet Engineering Task Force (IETF), and has published 30 IETF RFCs (Request For Comments) and more than a dozen IETF Internet-Drafts. Gont has also developed the SI6 Network’s IPv6 Toolkit – a portable and comprehensive security toolkit for the IPv6 protocol suite – and the SI6 Networks’ IoT Toolkit – a portable security toolkit for IoT evices. Gont runs the IPv6 Hackers and the IoT Hackers mailing-lists, and has been a speaker at a number of conferences and technical meetings about information security, operating systems, and Internet engineering, including: CanSecWest 2005, Midnight Sun Vulnerability and Security Workshop/Retreat 2005, FIRST Technical Colloquium 2005, ekoparty 2007, Kernel Conference Australia 2009, DEEPSEC 2009, HACKLU 2011, DEEPSEC 2011, Hackito Ergo Sum 2012, H2HC 2017, H2HC 2019, Troopers 2019 and Hack In Paris 2018. Additionally, he is a regular attendee of the Internet Engineering Task Force (IETF) meetings. https://www.gont.com.ar
@FernandoGont | Duration 3 days | Price €2,150.00 | VAT €430.00 | Quantity |
Hands-on Malware Analysis & Reverse Engineering Training (3 days) with Amr Thabet The number of cyber attacks is undoubtedly on the rise, targeting government, military, public and private sectors. These cyber attacks focus on targeting individuals or organizations with an effort to extract valuable information, gaining money through a ransom or damaging their reputation. 43% of cyber attacks these organizations are facing are Advanced Malware, APT Attacks or zero-day attacks. With adversaries getting sophisticated and carrying out advanced malware attacks, detecting and responding to such intrusions is critical for cyber security professionals. The knowledge, skills, and tools required to analyze malicious software are essential to detect, investigate and defend against such attacks. This training takes you in a journey in the topic of malware analysis covering targeted attacks and ransomware attacks with their techniques, strategies and the best practices to respond to them. The training is full of hands-on labs on performing malware analysis, Rootkit analysis and full attack investigations with different real-world samples. You will also receive a copy of Mastering Malware Analysis book to help you further enhance your skills in malware analysis and deal with advanced techniques, different platforms such as IoT/Linux, Android, Mac .. etc and different scripting and interpreted languages. What previous attendants said about this training: “I was always feeling that malware is something scary, something I can’t understand or control. Now I feel it’s not scary anymore. I can actually analyse it, understand it and control it.” by Fung Dao Ying, System Analyst in Bintulu Port Holding Berhad LEARNING OBJECTIVES: - Understand the lifecycle of a targeted attack and all the techniques & strategies the attackers use to penetrate an organization (Spear-phishing, drive by download … etc)
- Know what the steps to take when you discover a malware in your network.
- Perform basic static & behavioral analysis of a malware in an isolated virtualized environment
- Perform static and dynamic code analysis to determine the malware functionality using IDA Pro and Ollydbg/x64dbg
- Understand the basics of the x86 assembly language
- Learn how to detect and analyze a malicious document with embedded macros
- Learn to extract the the network and host-based indicators of compromise
- Able to analyze downloaders, droppers, keyloggers, fileless malwares, HTTP backdoors, etc.
- Perform memory forensics on an infected machine and extract the malware artifacts from its memory.
PROGRAM OUTLINE DAY 1 APT Attacks & Malware Analysis: - What is an APT Attack
- What are the Attack Stages?
- The APT Attack Vectors
- Types of Malware
- Why Malware Analysis
- Types of malware analysis
- Setting up an isolated lab environment
Basic Static Analysis: - Fingerprinting the malware
- Extracting strings
- Determining File obfuscation
- Unpacking Packed Malware
- Understanding PE File characteristics
- Hands-on lab exercise involves analyzing real malware sample
Behavioral Analysis & Sandboxing: - Understanding Behavioral Analysis tools
- Monitoring process, file system, registry and network activity
- Determining the Indicators of compromise (host and network indicators)
- Custom Sandbox Overview
- Working of Sandbox
- Sandbox Features
- Hands-on lab exercise involves analyzing real malware sample
Code Analysis & Malware Functionalities: - Intro to code analysis
- Droppers & Downloaders
- Maintaining Persistence
- Keylogging
- Banking Trojans & Man in The Browser (MiTB)
- Point of Sale Malware (POS)
- Understanding Indication of Comprise
- Write your own YARA rule
DAY 2: Intro To x86/x64 Assembly: - Understanding CPU registers and assembly instructions
- Dive deeper in the assembly language and memory handling
- Reversing assembly code blocks into a higher-level language (C++)
- Dealing with local & global variables
Static & Dynamic Code Analysis In-Depth: - Code Analysis Overview
- Disassembler & Debuggers
- Code Analysis Tools
- Basics of IDA Pro
- Basics of Ollydbg/x64dbg
- Understanding the API calls
- Inspecting API call references
- Demo: Performing static analysis with IDA Pro (Hands-on Practice)
- Demo: Performing dynamic analysis with OllyDbg (Hands-on Practice)
- Hands-on lab exercise involves analyzing real malware sample
Encryption, Packing & Obfuscation - Understanding different encryption algorithms
- Demo: Examining RC4 encryption algorithm
- Learning 4 different manual unpacking techniques for custom unpacking
- Dissecting different obfuscation techniques
- Hands-on Practice on unpacking malware
DAY 3: Spear-phishing Attacks with Malicious Documents: - Examining a malicious office document packed with vbscript macros
- Examining & Dissecting malicious pdf files
- hands-on labs to examine documents packed with malicious macros (real attacks)
Investigating User-Mode Rootkits & API Hooking: - Understanding Process Internals
- Process & Thread Environment Block Structure
- Code Injection
- Types of Code injection
- Remote DLL injection
- Remote Code injection
- Reflective DLL injection
- Hollow process injection
- API Hooking & IAT Hooking
- Hands-on lab exercise (scenario based) involves investigating malware infected memory
Memory Forensics & Volatility Overview: - What is Memory Forensics
- Why Memory Forensics
- Steps in Memory Forensics
- Memory acquisition and tools
- Introduction to Volatility (Advanced Memory Forensics Framework)
- Volatility basic commands
- Determining the profile
- Volatility help options
- Running the plugin
Investigation Process Memory Using Volatility: - Process memory Internals
- Listing DLLs using Volatility
- Identifying hidden DLLs
- Dumping malicious executable from memory
- Dumping DLLs from memory
- Scanning the memory for patterns (yarascan)
- Volatility plugins to identify process injections and API hooking
- Hands-on lab exercise (scenario based) involves investigating malware infected memory
Who Should Attend This course is intended for Cyber Security investigators, Cyber Security Heads and Managers, Security Researchers, Information Technology Heads and Managers, Forensic Practitioners, Incident Responders Malware Analysts, System Administrators, Software Developers ,and security professionals who would like to expand their skills and Anyone interested in learning Malware Analysis and Memory Forensics. Materials Provided: - Training Prerequisite & Lab Setup Guide: a step by step guide to prepare your isolated virtualized environment for executing and analyzing malware
- Malware Analysis Lab VM (Windows 7 VM) with all required tools pre-installed. It will be provided in .ova format
- The labs/exercises samples and memory images.
- A printed copy of mastering Malware Analysis Book
- A printed copy of Malware Analysis & Reverse Engineering Workbook which includes all the exercises taught in the training with step by step solutions to them.
Delegate Requirements: - Should be familiar with using Windows/Linux
- Should have an understanding of basic programming concepts, while programming experience is not mandatory.
Hardware/Software Requirements: - Laptop with minimum 8GB RAM and 80GB free hard disk space
- Laptop with USB ports, lab samples, and custom Linux VM will be shared via USB sticks
- VMware Workstation or VMware Fusion (even trial versions can be used).
- Delegates must have full administrator access for the Windows operating system.
Note: VMware player or Virtual Box is not suitable for this training. Speakers  Amr Thabet Amr Thabet is a former malware researcher at Symantec and currently a vulnerability researcher at Tenable. He is the author of "Mastering Malware Analysis" published by Packt Publishing. He had worked on the analysis of multiple nation-state sponsored attacks including the NSA malware families (Stuxnet & Regin), North Korea (Contopee) and many other highly advanced attacks. Amr has spoken at top security conferences all around the world, including DEFCON and VB Conference. He was also featured in Christian Science Monitor for his work on Stuxnet. His mission is to help students all around the world to build their expertise in malware analysis and most importantly, protect their infrastructure from targeted attacks, ransomware attacks and other threats that could target their organization | Duration 3 days | Price €2,150.00 | VAT €430.00 | Quantity |
Let's the hunt begin: a practical DFIR approach to Enterprise scenarios (2 days) with Alessandro Di Carlo These intensive 2-days course is designed to teach the right way to approach an incident in an enterprise scenario. Nowadays threats and attacks have become more and more complex than years ago, so every company needs to have a dedicated team (CERT/CSIRT) able to rapidly detect and respond these threats. Companies need to understand that hidden threats could already exist into their infrastructures or networks and they should not make the mistake of thinking that their security systems are perfect and inviolable. This course wants to teach the best methodologies and techniques to discover a compromise and, later, to provide the right skills to conduct a deep forensics investigation. We will start speaking about the six phases of an incident response (Preparation, Identification, Containment, Eradication, Recovery and Lesson Learned) and we will continue speaking about differences between Incident Response and Threat Hunting. Students will better understand and learn, with the hand-on labs, different kind of malware behaviors, including the latest techniques to perform evasion and persistence as well as discovering how a file-less malware works. People playing the "Blu Team game" should know that every and each attacker actions leaves a trace; for this reason during the course we will analyze the most famous TTPs (Tactics, Techniques, and Procedures) used by malicious actors and the corresponding artifact left on the system such as prefetch files, socket connections, shimcache, amcache, etc. Finally, students will learn how to write a report with all the information discovered during the digital forensics investigation. Common tools the students will practice with during the course include the entire sets of free software developed by Eric Zimmerman, RAM Capture, DumpIt, densityscout, sigcheck, volatility framework (version 2 and version 3), log2timeline, Yara, etc… Course Syllabus DAY 1: - Setting up laboratory scenario - Incident Response vs Threat Hunting - ATT&CK Framework, who are you? - Live Response and triage - Malware evasion techniques - Malware persistence techniques - WMIC & PowerShell forensics - Principles of Memory forensics - Investigating Lateral Movement - NTFS forensics DAY 2: - Windows Forensics in-depth - Prefetch files analysis - Shimcache analysis - Amcache analysis - LNK analysis - Evt/Evtx analysis - Timeline analysis - Anti-forensics detection - Write custom YARA Rules - How to write a good report Keywords Incident Response, Digital Forensics, Threat Intelligence, Windows Forensics, Memory Forensics Student Prerequisites Basic forensics and windows knowledge Material to bring by attendees Laptop with a virtualization software installed (Virtual Box or VMWare), WiFi connection, 4+ GB of RAM, USB port (for pendrive), at least 40+ GB of free space on the hard disk Speakers  Alessandro Di Carlo Alessandro Di Carlo is Chief Technology Officer at BIT4LAW Srl, an Italian company leader in digital forensics and incident response services. Alessandro is a well-known Digital Forensics and Incident Response expert with extensive experience in collaborating with Law Enforcement Agencies and Critical National Infrastructure players. He holds various security related certifications like GCFA (Giac Certified Forensic Analyst), GASF (Giac Advanced Smartphone Forensics), eCDFP (eLearnSecurity Certified Digital Forensics Professional) and others. He is 3x SANS Institute Lethal Forensicator. Alessandro is often invited to speak at national and international cybersecurity conferences like HackInBo, CDANS (Cyber Defence and Network Security), Droidcon, etc. Formerly Alessandro was head of Penetration Testing & Incident Response for an Italian multinational company. | Duration 2 days | Price €1,550.00 | VAT €310.00 | Quantity |
Mobile Hacking (3 days) with Guillaume Lopes and Davy Douhine Guillaume Lopes and Davy Douhine, senior pentesters, will share many techniques, tips and tricks to deliver to pentesters, bug bounty researchers, app makers or just curious a 100% hands-on 3 days mobile training. Goal is to introduce tools (Adb, Apktool, Jadx, Cycript, Frida, Hopper, Needle, etc.) and techniques to help you to work faster and in a more efficient way in the mobile (Android and iOS) ecosystem. This is the exact training that you would have liked to have before wasting your precious time trying and failing while trying to assess the security of mobile applications. Main topics of the training are based on the fresh OWASP MSTG (Mobile Security Testing Guide): - Review the codebase of a mobile app (aka static analysis)
- Run the app on a rooted device (to check data security issues)
- Inspect the app via instrumentation and manipulate the runtime (aka runtime analysis)
- MiTM all the network communications (aka inspect the traffic)
Who Should Attend Pentesters, bug bounty researchers, app makers or just curious Key Learning Objectives - Understanding common mobile vulnerabilities
- Understanding Android and iOS basics
- Understanding of the OWASP MSTG (Mobile Security Testing Guide) and the MASVS (Mobile Application Security Verification Standard)
- Know how to build an Android and iOS pentest toolset
Prerequisite Knowledge - Basic knowledge of linux/network/security
Hardware / Software Requirements - Laptop and min 8Go RAM and 60Go of space available
- VMware
Agenda Day 1 iOS Hacking - Basics
- Security features
- iOS architecture
- Jailbreaks
- Tools
- iOS virtualization with Corellium
- Test apps and real ones
- Static analysis
- Code checks
- Needle and MobSF
Android Hacking - Basics
- Android Ecosystem
- APK Architecture
- Android Manifest
- Tools needed
- Static Analysis
- Decompilation
- Information Gathering
- IPC
- Access Control
- Hardcoding Secrets
Day 2 iOS Hacking - Dynamic Analysis
- Caching
- Logs
- Backups
- Plist
- SQLite
- Hooking with Cycript
- Hooking with Frida
- Objection
Android Hacking - Dynamic Analysis
- LogCat
- Network Communication
- Certificate Pinning
- Data Storage
- Code Tampering
Day 3 iOS Hacking - Dynamic Analysis
- Analyze without a jailbreak
- Network Security
- MiTM all the traffic
- Rvictl, Wireshark and Burpsuite
- Bonus (Totally not spyware / CVE-2018-4233)
Android Hacking - Dynamic Analysis
- Debugging
- Hooking with Frida
Speakers  Guillaume Lopes Guillaume Lopes is a pentester with 10 years of experience in different fields (Active Directory, Windows, Linux, Web applications, Wifi, Android). Currently working as a Senior Penetration Tester at RandoriSec and also member of the Checkmarx Application Security Research Team. He also likes to play CTF (Hackthebox, Insomni'hack, Nuit du Hack, BSides Lisbon, etc.) and gives a hand to the Tipi'hack team.  Davy Douhine Founder of RandoriSec (https://randorisec.fr/) a security focused IT firm, Davy is working in the itsec field since almost fifteen years. He has mainly worked for financial, banks and defense key accounts doing pentests and trainings to help them to improve their security. He enjoys climbing rocks in Fontainebleau or in the Bourgogne vineyards and practice Brazilian jiu-jitsu. | Duration 3 days | Price €2,150.00 | VAT €430.00 | Quantity |
Offensive Industrial Control System Security (2 days) with Tijl Deneut and Hendrik Derre Industrial control systems, that provide essential and vital products and services to our economy, are evolving and are becoming more and more interconnected. As this connectivity to the outside world increases, security is becoming one of the most important topics in Industrial IT and OT environments. This results in a large demand for specialized industrial security services, including technical audits (aka penetration tests). These audits will be the focus of this two day training, providing security experts with the necessary skills and experience to tackle these highly sensitive and critical industrial environments. Why this ICS course? This course goes far beyond what other offensive ICS courses offer. We don't teach using simulators or non-industrial hardware but bring you a full functioning factory with +30 industrial hardware devices including PLCs, Remote IO, HMIs, Remote gateways, routers, switches,.. from 10 different vendors including the European market leaders. This is all programmed, configured and networked as a functioning industrial plant to give trainees real hands-on experience that will benefit them in the field! This is the closest you can get to hacking a real factory! 
This training will be hosted by the industrial control and communication competence center (IC4), a collaboration between the university of Ghent’s industrial automation research lab and the security and privacy research group from Howest university College in Belgium. By combining the expertise of these two groups, IC4 has an extensive track record in offering industrial security education and services for SME’s, large multinationals and government institutions. What to expect Attendees will be expected to have some basic IT pentesting knowledge since we won't cover the basics but dive directly into control systems. The course is mainly focused on expanding the knowledge of existing auditors and bringing them into the field of OT security. After completion, the trainees will have a better understanding of all ICS architectures and components, their purpose and the associated risks. They will be able to audit industrial control systems using native industrial protocols to limit the impact of the audit on the network and learn techniques to find vulnerabilities and bugs in industrial devices and protocols. Course outline Day 1 - Introduction to Industrial Control Systems
- Terms & Definitions
- Generic Architecture
- Abbreviated History
- Safety
- PLC programming 101
- Basic building block of a PLC
- PLC programming languages
- Hands-on with Siemens TIA portal
- Scanning ICS
- General Guidelines
- Scanning techniques for siemens, Phoenix Contact, Beckhoff, Schneider, eWON,…
- Hands-on with the fictile factory
- Industrial communications
- IT vs OT networks
- Ethernet based ICS protocols
- Hands-on (live sniffing + packet captures)
Day 2 - Industrial network & system enumeration
- Speaking industrial protocols introduction
- Fieldbus protocols (ModbusTCP, Profinet, Ethercat)
- Higher level data protocols (OPC, OPC UA)
- Proprietary vendor protocols (S7comm, Phoenix contact TCP/1962, Beckhoff ADS)
- Open-Source tools and scripts
- Hands-on with the fictile factory
- Exploiting industrial control systems
- Introduction
- Reversing proprietary industrial protocols
- Hands-on with the fictile factory
- Kiosk escape
- Operator jails
- Common techniques
- Applocker
- Hands-on with the fictile factory
- (BONUS) Software defined radio introduction
- Introduction into radio communications
- Capturing and decoding analogue communication
- Capturing and decoding digital communication
Hardware / Software Requirements A laptop with: - 8GB of RAM at least, ideally 16GB
- 30Gb of free space (to install a VM that we’ll provide)
- RJ45 port or ethernet dongle
- Administrative privileges on your laptop
- VMware Player (ideally VMware Workstation)
- A PDF reader
Speakers  Tijl Deneut Tijl Deneut has over 5 years of experience in the IT security sector and is, amongst others, a Certified Ethical Hacker and an active EC-Council Certified Instructor. Tijl also teaches security classes at both the Howest University College and Ghent University, where he also leads several security research projects. He has had the privilege to present at a number of security and other conferences, including Info Security (Brussels), BruCON (Ghent) and the Chaos Communication Congress (Leipzig). And was also the trainer for classes directed towards, amongst others, the Belgian Computer Crime Unit.  Hendrik Derre Hendrik Derre is currently working as a researcher at the IC4 research group focussing on industrial cyber security and part time professor at Howest University College. After obtaining his master’s degree in engineering technology at the KU Leuven, his early research focussed on industrial data communication and embedded systems. In recent years this focus has shifted towards industrial control systems security and innovative network monitoring systems. | Duration 2 days | Price €1,550.00 | VAT €310.00 | Quantity |
Physical Pentesting: Practical Course (3 days) with Alexandre Triffault Take back home your own kit of lockpicking + bypass kit + RF/RFID Accessories at the end of the training + a book summarizing what you have learned! From beginners to specialists, this training will make you a proficient physical pentester. Practice oriented, during this course you will pick locks, bypass deadbolts and safety doors, mold keys, decode keys from a picture, do privilege escalation on simple and advanced masterkey systems, identify and duplicate RF and RFID credentials… After only 3 days, you will be able to enter and assess a vast amount of infrastructures, including headquarters, hotels, power plants, offices… And through regular practice, you will be able to enter most buildings without breaking anything, allowing you to gain a physical access to your pentest target (server room, CEO laptop…) and, in addition to your computer-based skills, help your clients secure the full spectrum of IT flaws including the physical aspects. Resources : 1 working place per attendee, comprising a training manual, lockpick tools, bypass tools, locks, molding material, bumpkeys, pick guns… Day 1 ## Module 1 Introduction Physical intrusion vectors - Social Engineering
- Climbing
- Access opening
Discover physical security - The different types of locks
- How they work
- How to identify them
Introduction to scenarios - Casual intruder (opportunist)
- Organized burglar team
- Industrial espionage
## Module 2 Wafer locks and tubular locks opening Wafer locks - Identification
- Lockpicking
- Decoding
- Jigglers
Tubular locks - Identification
- Self-impressioning
- Lockpicking
Day 2 ## Module 3 Combination padlocks and key boxes - Identification
- Shims (on compatible models)
- Decoding
- Blade bypass (on compatible models)
Keyed padlocks - Lockpicking
- Combs
- Shims (on compatible models)
- Blade bypass (on compatible models)
Module 4 Pin tumbler locks lockpicking Raking - Specific tools
- The technique
- Tips and tricks
Single Pin Picking - Specific tools
- The technique
- Tips and tricks
Lockpick guns - Mechanical PickGun
- Electronic PickGun
- Specific tensioners
Day 3 Module 5 The Key vector Key duplication - By molding
- With a file
- From a picture
- Special techniques
Bumpkeys - Identification
- Fabrication
- Different techniques (push/pull)
Keyed Alike locks * Finding the key of your target Module 6 The Door vector Non Destructive Opening of the door - Day-latched door opening
- From the latch
- From the handle
- From the bottom
- Exit only doors
Module 7 RF and RFID introduction RF - Identify and attack easily the least protected systems
RFID - Identify and attack easily the least protected systems
Module 8 Conclusion Flaws · Flaws summary Tools and techniques summary Possible protections - Summary of possible protections
Homework - How to practice and develop your skills after the training
Legal stuff Speakers  Alexandre Triffault Security trainer for pentesters, computer scientists and the military for 10 years, Alexandre Triffault ( @Frenchkey_FR ) is developing tools and techniques to circumvent physical security devices. Specialized in 3D printing Keys and Tools, his work consists in finding and exploiting the flaws in access control systems, electronic or mechanical. Preferred targets are Locks, Padlocks, Doors, RF, RFID, and Alarms Systems. His research concentrates on Physical Security; including lockpicking, forensic locksmithing, bypass of electronic locks, bypass of alarm systems, 3D modeling & printing of complex keys and more generally surreptitious techniques for opening locks. He is World Champion in impressioning technique (LockCon 2016).
He has lectured his research over the years at various international conferences and workshops, such as Nuit du Hack (FR), Defcon Lockpick Village (US), Hackito Ergo Sum (FR), LockCon (NL), SigSegV1 (FR), IT Defense (DE), GS Days (FR)…
He is also a Research Associate at the Virology and Cryptology Lab at ESIEA and gives physical security classes in several IT Schools.
Last but not least, he delivers training and consulting to multiple governmental and private organizations in Europe. | Duration 3 days | Price €2,150.00 | VAT €430.00 | Quantity |
RF Hacking with Software-Defined radio (3 days) with Sébastien Dudek With this class students will learn how to find interesting radio-communications and ways to attack targeted systems: - Learn how radio works and about actual technologies using this interface
- Find and analyze a signal
- Modulate and demodulate a signal
- Encode and decode data meant to be transported over-the-air
- Capture, generate, replay and analyze a signal
- Interface with a signal using SDR devices and software
- Get primary reflexes to attack embedded and IoT systems
- Create your own tools with the GnuRadio framework and its alternatives
- Learn how to use SDR and classical attacks on mobile 2G/3G/4G, RFID/NFC, LoRa, wireless mousses/keyboards/presenters, sub-GHz remotes/alarms, and other similar or custom technologies
Summary Day 1 - Basics Day 1 is an introduction to radio that will help students to learn it's concepts and the techniques used today to receive and transmit signal, but also the constraints that we have to deal with in heterogeneous environments: Introduction to radio - History, evolution, and EU regulations
- Radio waves
- Digital Signal Processing
- Software-Defined Radio
- Antennas
- Amplifiers and connectors
Software-Defined Radio devices - Specifications
- How to choose them
- Few tips and hacks
Observations - Waterfall and spectrum analyzers
- Signal identification
- Modulation/Demodulation
- Encoding/Decoding
Faraday cages and how to design a very cheap one Use of attenuators and software gain parameters Day 2 - Hands on radio Day 2 will put the student in the playground of Software-Defined Radio, where every idea can be written to be simulated and then concretized to realize receivers and transmitters depending on the chosen hardware limitations: Introduction du GnuRadio Software-Defined Radio processing in the chain Practice with GnuRadio Companion - Block schemas
- Parameters
- Generators
- Sinks and sources
- Operators
- Simulations
- Modules
- Executing a block in a real SDR device
- Listening to simple AM and FM signals
- Transferring a simple signal
- Optimizing samples processing
- Features to process samples
- Creating your own block
Investigation and handy tools Day 3 - Attacking physical intrusion systems Day 3 resumes and applies previous chapters to study physical intrusion systems and brings useful tricks for Red Team tests as well as pentests: Common sub-GHz Remotes - Introduction
- Capturing data
- Replaying saved samples
- Analyzing samples (manually and with powerful tools)
- Rolling codes security
Devices using the mobile network (2G/3G/4G) - Introduction
- Monitoring
- Mobile security
- Existing tools
- Interception techniques
- Our feedback in missions
- Tooling with GnuRadio
- Fuzzing and triggering bugs with 2G, 3G and 4G protocol stacks over-the-air
Hardware Hacking - Introduction and how it could be complementary
- Survival and practical reflexes
- Cheap tools and tricks
Attacking Custom devices - Introduction
- Identification (looking at device's references, components, etc.)
- Sniffing signals
- Decoding signals
Some feedbacks on connected locks Class requirement - Knowledge of Linux and a programming language such as C, C++, C# or Python is necessary.
- Understanding of pentesting (network and applications) or red-teaming
- All attendees will need to bring a laptop capable of running VMware virtual machine (8GB of RAM is a minimum)
- Basic knowledge of radio is not mandatory but is a plus
The training The training will provide strong feedback and techniques when attacking radio devices in non-perfect environment and ways to succeed your pentests or red team tests. Student will also get hardware to play at home including a SDR to transmit and receive signal and RF transmitter that could be customized and continue to practice after the training. Resources of the trainer - A lot of resources can be found in this link : https://www.synacktiv.com/en/resources.html
- In January, other resources will be also provided at : https://www.penthertz.com
Speakers Sébastien Dudek Sebastien Dudek is a security researcher and founder of the PentHertz lab that focuses on hardware, radio-communication, physical accesses and IoT devices. For over 8 years he has been particularly passionate about flaws in radio-communication systems. He has made several publications on mobile security (Baseband fuzzing, interception, mapping, etc.) and on data transmission systems with power lines (Power-Line Communication, HomePlug AV) and car and charging station hacking using V2G (Vehicle-to-Grid). He also focuses on practical attacks with various technologies such as Wi-Fi, RFID and other systems that he encountered during his Red Team and penetration tests. | Duration 3 days | Price €2,150.00 | VAT €430.00 | Quantity |
Windows Post-Exploitation Subverting the Core (2 days) with Ruben Boonen This training will focus on all major aspects of the Windows post-exploitation process: breaking restricted environments, subverting operating system controls, privilege escalation (logic/configuration/permission/software bugs), bypassing User Account Control (UAC) and persistence. The training will be beneficial to attackers and defenders alike. Participants will gain an in-depth understanding of common pitfalls when configuring the Windows estate. They will see what tools the attacker has at his disposal, how to live-off-the-land and where to achieve long-term residence when access has been acquired. All sections of the training are accompanied by intense hands-on labs where students will put the theory into practice. The training will simulate real-world environments allowing attendees to later directly apply the content in the field! A detailed understanding of Windows is not required to attend the training, however a basic familiarity with the windows command line (cmd/PowerShell), the Sysinternals Suite and certain concepts such as schedule tasks, services and UAC will be greatly beneficial. Prerequisites A detailed understanding of Windows is not required to attend the training, however a basic familiarity with the windows command line (cmd/PowerShell), the Sysinternals Suite and certain concepts such as schedule tasks, services and UAC will be greatly beneficial. Target audience Members of the red & blue team, penetration testers, system administrators, SOC analysts and security enthusiasts. Materials to bring by attendees - A laptop with either VMWare or VirtualBox installed.
- Enough system resources to run x2 virtual machines simultaneously.
- 30GB free hard disk space.
Course Syllabus Day 1 Breakout - Desktop lockdown (Group Policy/SRP)
- Getting an explorer window
- Folder/File restrictions
- Native/custom command line interfaces
- Breaking Kiosks and Citrix environments
- Bypassing AppLocker/DeviceGuard restrictions
Privilege Escalation - Enumeration
- Configuration weaknesses
- Missing patches
- Scheduled tasks
- Services
- Unattended installations
- DLL hijacking
- Abusing token privileges
Day 2 User Account Control - What is UAC and how does it work
- Auto-elevation
- WUSA/IFileOperation
- Process Status API
- Windows Side-By-Side Assembly
- COM handlers
- Creating proxy DLL’s
- Fileless UAC bypass
- Environment variables
- Race conditions
- Abusing process tokens
- Bypassing “Always Notify”
Persistence - Using the registry
- Scheduled tasks
- Manipulating File Associations
- WMI Permanent Event Subscriptions
- Binary patching
- Application Compatibility Shims
- COM Handler Hijacking
- Leveraging Office and Outlook
- Evasion (ADS/corrupted NTFS folder structures/processor variables)
Speakers  Ruben Boonen Ruben Boonen (@FuzzySec) is a member of of IBM’s X-Force Red Team, providing public & private sector clients assurance around the security posture of their products and infrastructure. Before joining IBM, Ruben worked in defense, on FireEye’s Technical Operations & Reverse Engineering (TORE) team, and offence as a senior security consultant. While Ruben has previously led a wide variety of engagements, along the way he developed a special interest for all things Windows. His current areas of research include Windows internals, privilege escalation, C#/PowerShell trade-craft and memory manipulation. | Duration 2 days | Price €1,550.00 | VAT €310.00 | Quantity |
