Prerequisites

Attendees are expected to have rudimental understanding of Burp Suite as well as basic object-oriented programming experience (Burp Extensions will be developed in Java). While Burp extensions are developed live in Java, attendees can work on Python or Ruby since all exercises are also provided in those languages.

Target Audience

Suitable for both web application security specialists and developers.

Material to bring by attendees

Attendees should bring their own laptop with the latest Java as well as their favourite IDE installed.

Course outline

• Introduction 
• Real critical/sensitive device attack escenarios
• OSINT is your friend
• Recognition techniques
• Web application analisys
• Let's exploit something!
• Now is your turn, Spot the vulnerablity in a real PLC

Who should take this course

• Pentesters
• Researchers
• Industrial facility technical staff 

Pre-requisites

• Basic knowledge of industrial protocols
• Basic knowledge of python

What attendees will be provided With

• A list full of fingerprints for critical devices seen in the training
• Recogniton Tools 
• Slides

What attendees should bring

• Laptop

Course Description

This course smartly mix methods and tools in order to give you all the necessary knowledge to be able to perform hardware security audits by yourself. The last part but not least our "Capture The Drone" hands-on to complete the training by practicing what you have learned in an attack/defense scenario featuring our favourite small flying things.

Target audience

• This course is intended for everyone having an interest in security aspects related to hardware products or embedded devices.
• Electronic enthusiasts and professionals
• IT security professionals

Hardware/software Requirements

• Latest VMware Player, VMware Workstation, VMware Fusion (VirtualBox not garanted)
• Hard disk : Minimum 15GB of free space
• RAM : 4GB Minimum 6GB recommended
• Minimum dual core CPU (Intel prefered,I3 I5 or I7)
• 64 Bits OS with administrator access : Windows, Linux or Mac os
• Virtualization instructions activated
• 2 free USB port

All students will be provided with

• Full copy of the course
• One Hardsploit tool board for hardware security audit (see hardsploit.io)
• Training board (try again at your home)
• Few more goodies

Course Syllabus

MODULE 1: Hardware Hacking 101

• Review of electronic basics, motivations for hardware hacking, brief history of hacking security talks
• Hardware security vulnerabilities review, offensive & defensive aspects
• Practical cases for hardware hacking analysis
• Hands-on : Basic electronic components use & fingerprinting

MODULE 2: How to access to the hardware for hacking / audit purpose

• Review of methods & tools to perform hardware security audits
• Create your own audit plan, differences with software pentesting
• Hands-on : Practice exercises with hardware auditing tools
• Hands-on : How to acquire electronic signals, tools & demonstration

MODULE 3: How to access the software inside the hardware

• Embedded system architecture presentation (Microcontroller, FPGA), direct access to the software via I/O interfaces (JTAG / SWD, I2C, SPI, UART, RF (ISM Band), etc.)
• Hands-on : Firmware dumping through different types of interfaces
• DEMO : Power analysis attacks - Indirect access to the software or sensitive content via side channel attacks

MODULE 4: Complete hacking lab

• Full hands-on session to apply practical case on our vulnerable embedded system
• Hands-on : Identifying electronic components
• Hands-on : Electronic signals acquisition
• Hands-on : Bus signals interception and analysis (with Hardsploit)
• Hands-on : Modifying and dumping firmware via JTAG debug function (and other I/O access) (with Hardsploit)
• Hands-on : Fuzzing external interface to spot basic vulnerabilities in embedded systems
• Hands-on : Buffer overflow attacks on embedded system
• Hands-on : Exploiting vulnerabilities during a hardware security audit

MODULE 5: How to protect your hardware products

• Secure Design and Development Life Cycle (SDLC)
• Review of hardware security best practices to limit the risks
• Hands-on : Limit JTAG access, limit software vulnerabilities at embedded level
• Review of protections against side channel attack (limit power analysis attacks)

MODULE 6: SDR Hacking

• SDR hacking methodology (Software Defined Radio)
• Tools of trade (GNURadio, hardware products, etc.)
• Hands-on : How to reverse a wireless protocol from scratch ( communication with wireless LED screen, like on the highway)

MODULE 7: CTD Capture The Drone

• Attack / Defense practical scenario team (Capture the Flag Mode)
• Each team has a mini-drone.
• Hands-on : Defend your drone and take down the others by using the tools and methods learned
• The winning team is the one with the higher-flying time

Overview

Making & B reaking Machine Learning Systems is a fast paced session on machine learning from the Infosec professionals point of view. The class is designed with the goal of providing students with a hands-on introduction to machine learning concepts and systems, as well as making and breaking security applications powered by machine learning. The lab session is designed with security use-cases in mind, since using machine learning in security is very different from using it in other situations. Students will get first hand experience at cleaning data, implementing machine learning security programs, and performing penetration tests of these systems. Each attendee will be provided with a comprehensive virtual machine programming environment that is preconfigured for the tasks in the class, as well as any future machine learning experimentation and development that they will do. This environment consist of all of the most essential machine learning libraries and programming environments friendly to even novices at machine learning. At the end of the class, students will be put through a CTF challenge that will test the machine learning development and exploitation skills that they have learned over the course in a realistic environment.

Preview

We will post a video soon.

What to bring?

• Latest version of VirtualBox Installed
• Administrative access on your laptop with external USB allowed
• At least 20 GB free hard disk space
• At least 4 GB RAM (the more the better)

Prerequisites

• Basic familiarity with Linux
• Python scripting knowledge is a plus, but not essential

Who Should Attend?

• Security Professionals
• Web Application Pentesters
• Software/application developers
• People interested to start using machine learning for security

What to expect?

• Familiarizing yourself with popular machine learning algorithms and how to adapt these for different problems
• How to clean and sanitize data using powerful data processing libraries in Python
• How to build a spam classifier and online anomaly detection system in Python
• How to do performance evaluations of machine learning classifiers
• Examples for using machine learning in intrusion detection, botnet detection, phishing detection, web vulnerability analysis, malware classification, and behavioural analysis
• Perform tuning of machine learning systems to improve classification/detection results
• Perform security evaluations and penetration tests on machine learning systems
  • Fuzzing machine learning classifiers
• How to avoid vulnerabilities in machine learning system and algorithm design
• How to use Apache Spark to design scalable and distributed real-time machine learning systems
• Write your own machine learning captcha solver

What not to expect?

To be a machine learning expert in just three days. This training will impart you all the necessary skills to start building security software using machine learning and teach the lesser known ways of exploiting such systems. Students need to put in further work and use the skills learnt in the class to continue their explorations in machine learning and keep up with the latest developments in this fast evolving field.

Course Syllabus

Day 1

• Introduction to machine learning
  • Hands-on guided exploration of Python machine learning libraries:
    • Data-wrangling using Numpy and Pandas
    • Scikit-learn’s functions and capabilities
    • Data visualization using Matplotlib/Seaborn
• Walkthrough of the most commonly used machine learning algorithms (with quick hands-on examples/visualizations for select algorithms)
  • Supervised learning algorithms
    • Linear/logistic regression
    • Support Vector Machines
    • Decision trees/Random forests
  • Unsupervised learning algorithms
    • Hierarchical/k-Means clustering
  • Semi-supervised learning
• 2-hour example: Building (and bypassing) an email spam filter with scikit-learn
  • Loading data efficiently
  • Using a labeled email/spam corpus training and test set, extract salient features to build a word model of spam
  • Model tuning, cross-validation, and evaluation process
  • With complete knowledge of the system, manually craft a piece of spam to bypass the filter

Day 2

• Lecture on application of machine learning in the security/abuse space
  • Spam, fraud, malware, phishing, and intrusion detection short examples
  • Principles behind selecting the best machine learning models for different use-cases
  • Considerations when using machine learning in an adversarial/malicious environment
• Deep learning for security
  • Using Keras/TensorFlow for anomaly detection with convolutional neural networks
  • Choosing the appropriate model for implementing different types of problems
  • efficacy comparison of different machine learning techniques for solving the anomaly detection problem, and what other considerations to have
• 2-hour example: Building a simple network intrusion detection system with 2 different machine learning models
  • Importance of understanding the data and the threat model before designing a solution for the problem
  • Model tuning, cross-validation, and evaluation process
  • Guided comparisons of the performance characteristics for each Implementation
  • Visualizing and presenting the data for ease of analysis by security operation professionals.

Day 3

• Streaming pipelines for machine learning using Apache Spark MLlib (PySpark)
  • Overview of Apache Spark
    • General architecture
    • Distributed, scalable machine learning deployments with Spark
  • Guided example of a streaming architecture for network anomaly detection using reinforcement learning on Spark
• Evaluating the security of machine learning systems
  • Techniques and guided example of fuzzing a classifier and regressor to find blind spots in the model
  • Evaluation of intelligent learning system architecture that is resilient to model poisoning by an adversary
• Machine Learning CTF challenge - captcha bypass challenges (using captcha character classification starter code provided)

Prerequisites

• Basic Linux knowledge
• Experiecne on any mobile testing is a plus
• Willingness to learn

Target Audience

This course is for penetration testers, mobile developers or anyone keen to learn mobile application security

Material to bring by attendees

• A jailbroken device (iPhone/iPad/iPod). Please contact the trainer if you are having difficulty in arranging one
• Computer with atleast 20+GB of hard disk space and 4 GB of RAM

Course Syllabus

Part 1 - iOS Exploitation

Module 1 : Getting Started with iOS Pentesting

• iOS security model
• App Signing, Sandboxing and Provisioning
• Setting up XCode 8
• Changes in iOS 10
• Primer to iOS 10 security
• Exploring the iOS filesystem
• Intro to Objective-C and Swift
• What's new in Swift 3 ?
• Setting up the pentesting environment
• Jailbreaking your device
• Cydia, Mobile Substrate
• Getting started with Damn Vulnerable iOS app
• Binary analysis
• Finding shared libraries
• Checking for PIE, ARC
• Decrypting ipa files
• Self signing IPA files

Module 2 : Static and Dynamic Analysis of iOS Apps

• Static Analysis of iOS applications
• Dumping class information
• Insecure local data storage
• Dumping Keychain
• Finding url schemes
• Dynamic Analysis of iOS applications
• Cycript basics
• Advanced Runtime Manipulation using Cycript
• Method Swizzling
• GDB basic usage
• Modifying ARM registers

Module 3 : Exploiting iOS Applications

• Exploiting iOS applications
• Broken Cryptography
• Side channel data leakage
• Sensitive information disclosure
• Exploiting URL schemes
• Client side injection
• Bypassing jailbreak, piracy checks
• Inspecting Network traffic
• Traffic interception over HTTP, HTTPs
• Manipulating network traffic
• Bypassing SSL pinning

Module 4 : Reversing iOS Apps

• Introduction to Hopper
• Disassembling methods
• Modifying assembly instructions
• Patching App Binary
• Logify

Module 5 : Securing iOS Apps

• Securing iOS applications
• Where to look for vulnerabilities in code?
• Code obfuscation techniques
• Piracy/Jailbreak checks
• iMAS, Encrypted Core Data

Part 2 - Android Exploitation

Module 1

• Why Android
• Intro to Android
• Android Security Architecture
• Android application structure
• Signing Android applications
• ADB – Non Root
• Rooting Android devices
• ADB – Rooted
• Understanding Android file system
• Permission Model Flaws

Module 2

• Understanding Android Components
• Introducing Android Emulator
• Introducing Android AVD

Module 3

• Proxying Android Traffic
• Reverse Engineering for Android Apps
• Smali Labs for Android
• Dex Analysis and Obfuscation
• Android App Hooking

Module 4

• Attack Surfaces for Android applications
• Exploiting Local Storage
• Exploiting Weak Cryptography
• Exploiting Side Channel Data Leakage
• Root Detection and Bypass
• Exploiting Weak Authorization mechanism
• Identifying and Exploiting flawed Broadcast Receivers
• Identifying and Exploiting flawed Intents
• Identifying and Exploiting Vulnerable Activity Components
• Exploiting Backup and Debuggable apps
• Dynamic Analysis for Android Apps
• Analysing Proguard, DexGuard and other Obfuscation Techniques

Module 5

• Exploitation using Drozer
• Automated source code analysis
• Exploiting Android embedded applications

Prerequisites

1. Basic understanding of how penetration tests are done.
2. Basic understanding of a programming or scripting language could be helpful but is not mandatory.
3. An open mind.

Target Audience

• Red Team members and penetration testers who want to dive in the world of Offensive PowerShell and improve their skills.
• Blue Team members and defenders who want to understand the latest techniques used by the attackers.
• Other security professionals who want to enhance their technical skills.

Material to bring by attendees

• Administrative/root privileges on the laptop
• Ability to install OpenVPN client, connect to a VPN and RDP to Windows boxes.

Course Syllabus

Day 1 – PowerShell Essentials

• Introduction to PowerShell
• Language Essentials
• Using ISE
• Help system
• Syntax of cmdlets and other commands
• Variables, Operators, Types, Output Formatting
• Conditional and Loop Statements
• Functions
• Modules
• PowerShell Remoting and Jobs
• Writing simple PowerShell scripts
• Extending PowerShell with .Net
• Accessing Windows API
• WMI with PowerShell
• Playing with the Windows Registry
• COM Objects with PowerShell

Day 2 – Getting a foothold

• Recon, Information Gathering and the likes
• Vulnerability Scanning and Analysis
• Exploitation – Getting a foothold
• Exploiting MSSQL Servers
• Client Side Attacks with PowerShell
• PowerShell with Human Interface Devices
• Writing shells in PowerShell
• Using Metasploit and PowerShell together
• Porting Exploits to PowerShell

Day 3 – Post Exploitation and Lateral Movement

• Post-Exploitation – What PowerShell is actually made for
• Enumeration and Information Gathering
• Privilege Escalation
• Dumping System and Domain Secrets
• Kerberos attacks (Golden, Silver Tickets and more)
• Pivoting to other machines
• Poshing the hashes™
• Replaying credentials
• Network Relays and Port Forwarding

Teaching Methodology

Students are encouraged to follow the technical training with hands-on approach to the facilitated labs for every module to gain deeper and practical understanding of the topic.

Who should take this course

• DevSecOps
• Security Engineers
• Penetration testers
• Bug bounty hunters
• System Administrators
• SOC analysts
• Security enthusiasts and anyone interested in the modern application stack.

Student requirements

Knowledge of basic pentesting, web application working and linux command line basics,the ability to use a web proxy like Burp Suite, ZAP, and the ability to write basic scripts in any interpreted language is an added advantage.

What students should bring

The requirement for the course is a laptop with administrative and USB access and minimum configuration of 8GB RAM and 100GB hard-disk space.Full virtualisation support, Virtual Box and Docker should be installed. Unix box is preferred.

What students will be provided with

• Presentation Material and associated pdfs.
• 10+ containerized labs to emulate sophisticated production application stacks.
• Access to specific relevant OpSecX courses and certifications.

Course Syllabus

Day 1

Pentesting some of the widely used systems in the modern stack :-

Module 0: Modern Application Stack

• Evolution of Application Stack
• Components of Stack
• Threat Modelling
• Attack Surface

Module 1: Pentesting Databases:

• MySQL,Postgres and OracleDB
  • Basic Enumeration
  • Laying out the attack surface
  • Pentesting third party plugins.
  • Attacking Database Servers.
  • Case Study of CVE-2016-6663
  • Security testing using tools of trade.
• Pentesting NoSQL Databases & Caches: MongoDB, Cassandra, Redis & Memcache
  • Fingerprinting NoSQL databases,
  • Injection attacks on NoSQL Databases.
  • Attacking and identifying vulnerabilities in NoSQL databases through NoSQL exploitation framework.
  • Case study on Mongo Ransomware and hands on vulnerable applications.
• Securing databases.

Module 2: Public Cloud Environments

• Introduction to Cloud Environments.
• AWS Configurations & AWS Security Checks.
• Pentesting AWS lambda servers.
• Secure Best practices for Cloud environments and Securing AWS instances

Module 3: CI Tools

• Introduction to Jenkins, TeamCity and Go.
• Basic misconfigurations and attack surface for these tools.
• Security testing of CI Tools and outlook on vulnerabilities in Jenkins, TeamCity and Go.
• Case Study: Remote Code Execution on Jenkins.

Module 4: Software Collaboration Tools

• Leveraging Version Control Systems like Git, SVN and Perforce.
• Attacking Code collaboration tools - Phabricator, Gitlab and Github Enterprise.

Module 5: Message Brokers

• Introduction to RabbitMQ and Kafka.
• Common misconfigurations.
• Attacking and extracting juicy information from Message brokers.

Day 2

Module 6: Containers

• Hacking Docker environments.
• Setting up vulnerability static analysis for Docker containers (Clair and other tools).
• Hacking Vagrant instances.
• Securing Docker and Vagrant instances.

Module 7: Distributed Configuration Management Systems (DCMS)

• Attacking Apache Zookeeper, HashiCorp Consul & Serf, CoreOS Etcd.
• Owning the entire application thorough DCMS , pivoted attacks.
• Attacking and Scanning using Garfield.

Module 8: Distributed File System

• Basic misconfigurations for Hadoop.
• Analysing the threat model for Hadoop.
• Attacks and remote code executions on Hadoop.
• Securing Hadoop Instances.

Module 9: Kubernetes,Mesos and Marathon (Distributed Deployment & Resource Management)

• Introduction to Kubernetes,Mesos and Marathon
• Fingerprinting Kubernetes,Mesos and Marathon
• Common Misconfigurations
• Pentesting Kubernetes and pivoting through kubernetes containers.
• Hacking entire application stack through Mesos and Marathon.
• Securing Mesos instances.

Module 10: Search Technologies

• Introduction to ElasticSearch and Apache Solr (Lucene)
• Laying out the attack surface and common misconfigurations.
• Pentesting ElasticSearch and Solr.
• Case Study :ElasticSearch CVE-2015-1427 RCE Exploit.

Labs

10+ containerized labs to emulate sophisticated production stack along with applications.

Who should take this course

• Penetration testers tasked with auditing IoT
• Bug hunters who want to find new bugs in IoT products
• Government officials from defensive or offensive units
• Red team members tasked with compromising the IoT infrastructure
• Security professionals who want to build IoT security skills
• Embedded security enthusiasts
• IoT Developers and testers
• Anyone interested in IoT security

Pre-requisites

• Basic knowledge of web and mobile security
• Basic knowledge of Linux OS
• Basic knowledge of programming (C, python) would be a plus

What attendees should bring

• Laptop with at least 40 GB free space
• 4+ GB minimum RAM (2+GB for the VM)
• External USB access
• Administrative privileges on the system

Course outline

• Introduction to IOT
• IOT Architecture
• IoT attack surface
• IoT Protocols Overview
• MQTT
  • Introduction
  • Protocol Internals
  • Reconnaisance
  • Information leakage
  • DOS attack
  • Hands-on with open source tools
• CoAP
  • Introduction
  • Protocol Internals
  • Reconnaissance
  • Cross-protocol attacks
  • Hands-on with open source tools
• M2MXML
  • Introduction
  • m2mxml format
  • Security issues
• CanBus
  • Introduction and protocol Overview
  • Reconnaissance (Active and Passive)
  • Sniffing and Eavesdropping
  • Replay Attack
• Understanding Radio
  • Signal Processing
  • Software Defined Radio
  • Gnuradio
  • Introduction to gnuradio concepts
  • Creating a flow graph
  • Analysing radio signals
  • Recording specific radio signal
  • Replay Attacks
• Radio IoT Protocols Overview
• Zigbee
  • Introduction and protocol Overview
  • Reconnaissance (Active and Passive)
  • Sniffing and Eavesdropping
  • Replay attacks
  • Hands-on with RZUSBstick and open source tools
• BLE
  • Introduction and protocol Overview
  • Reconnaissance (Active and Passive) with HCI tools
  • GATT service Enumeration
  • Sniffing GATT protocol communication
  • Reversing GATT protocol communication
  • Read and writing on GATT protocol
  • L2cap smashing
  • Cracking encryption
  • Hands-on with open source tools
• Mobile security (Android)
  • Introduction to Android
  • App architecture
  • Security architecture
  • App reversing and Analysis
  • Input validation attacks
  • Insecure Storage
  • Access control attacks
  • Hardcoding issues
• ARM
  • Architecture
  • Instruction Set
  • Procedure call convention
  • System call convention
  • Reversing
  • Hands-on Labs
• MIPS (If time permits)
  • Architecture
  • Instruction Set
  • Procedure call convention
  • System call convention
  • Reversing
  • Hands-on Labs
• Device Reconnaissance
• Conventional Attacks
• Firmware
  • Types
  • Firmware updates
  • Firmware analysis and reversing
  • Firmware modification
  • Firmware encryption
  • Simulating device environments
• External Storage Attacks
  • Symlink files
  • Compressed files
• IoT hardware Overview
• Introduction to hardware
  • Components
  • Memory
  • Packages
• Hardware Tools
  • Bus Pirate
  • EEPROM readers
  • Jtagulator/Jtagenum
  • Logic Analyzer
• Attacking Hardware Interfaces
  • Hardware Reconnaissance
    • Analyzing the board
    • Datasheets
  • I2C
    • Introduction
    • I2C Protocol
    • Interfacing with I2C
    • Manipulating Data via I2C
    • Sniffing run-time I2C communication
  • SPI
    • Introduction
    • SPI Protocol
    • Interfacing with SPI
    • Manipulating data via SPI
    • Sniffing run-time SPI communication
  • UART
    • What is UART
    • Identifying UART interface
      • Method 1
      • Method 2
    • Accessing sensor via UART
  • JTAG
    • Introduction
    • Identifying JTAG interface
      • Method 1
      • Method 2

Prerequisites

• General knowledge on information security, networking and pentesting
• SAP knowledges is NOT required

Target Audience

• Pentesters or security professional
• Anyone interested to learn about SAP Security

Material to bring by attendees

• Laptop, with administrative privileges on the system, at least 20G free space and 1G Ram for VM.
• SAP GUI (in a windows VM if you are on linux)
• SSH Client
• Virtualization software

Course Syllabus

Day1

• Introduction
• Quick Introduction to SAP world
  • SAP ?
  • SAP in numbers
  • Global concept
  • SAP Gui
  • Vocabulary
• Introduction to SAP Security
  • Why it's important ?
  • History
  • The SAP security parts
  • Risk
  • Usefull transactions
  • Usefull parameters
  • Usefull reports & functions modules
• Training infrastructure
  • Overview and warning
  • Tools provided
  • Hands-on : tools overview
• SAProuter
  • Why saprouter is important
  • How saprouter works
  • SAP ports
  • Saprouter vulnerability
  • Hands-on : internal scan, discover SAP port, forward port
  • Remediation
• SAP Client
  • Overview of SAPGui, Webgui and other
  • Information history gathering
  • Sapgui Shortcut vulnerability
  • Hands-on : retrieve information from end user, crack shortcut password
  • Remediation
• SAP Netweaver ABAP
  • Overview
  • SAP Authorization (concept, critical report, os access, db access)
  • Password concept and Default account
    • Hands-on : find default account
  • SAP Message Server
    • Hands-on : gathering information
  • SAP ICM
    • Hands-on : usefull webservices
  • SAP MMC
    • Hands-on : gathering information
• Remediation

Day2

• Database level security
  • Overview
  • Direct attack to database
  • Hands-on : Retreive SAP database schema password
  • Remediation
• SAP Lateral movement
  • RFC concept
  • RFC hardcoded credential
    • Hands-on : find other SAP, get access to trusted SAP system ? SAP Gateway
    • Hands-on : get os access to trusted SAP system
  • Remediation
• SAP to OS to Database to SAP to...
  • Hands-on : Database to SAP
  • Hands-on : SAP to OS
  • Hands-on : OS to database
  • Hands-on : SAP to database
• ABAP Code vulnerability
  • ABAP Introduction
  • ABAP command injection
  • OS Command injection
  • SQL injection
  • Autorisation bypass
  • Directory traversal
  • Cross client access
  • Genereic module execution
  • Hands-on : use a vulnerable report to elevate priv
  • Remediation
• Full SAP pentest challenge
  • Hands-on : challenge from internet to internal SAP
  • Challenge correction
• Conclusion of securing SAP System
  • SAP security best practice overview
  • Problems
  • The challenge
  • Conclusion

Prerequisites

• At least basic familiarity with Linux command-line, Kali, Wireshark.
• Scripting/programming skills will be very helpful.
• Mobile application reversing skills will be an advantage.

Target Audience

• Pentesters, security professionals
• IoT developers
• Anyone interested

Material to bring by attendees

Contemporary laptop with virtualization software able to run Kali Linux (at least 4GB of RAM, 40GB space), Android > 4.3 smartphone

Course Syllabus

• Bluetooth Smart - based on 7 various smart locks, and specially developed Hackmelock (consisting of Android mobile application and lock device simulated on Raspberry Pi):
  • passive sniffing - hardware, software
  • active MITM - learn GATTacker BLE proxy tool from its creator; BTLEjuice
  • static authentication password capture
  • spoofing devices and their status
  • replay attacks
  • command injection
  • Denial of Service
  • cracking "latest PKI technology"
  • other flaws of custom challenge-response authentication
  • abusing excessive services (e.g. module's default AT-command interface).
  • weaknesses of access sharing functionality
• Linux embedded - based on wireless doorlock, alarm+home automation system
  • authentication bypass
  • information disclosure
  • telnet brute-force
  • command injection
  • physical attack: switching to WiFi maintenance mode using external intercom
  • UART interfaces
• Proprietary network protocols - based on several devices (fingerprint sensor, time attendance monitor, wireless doorlock, alarm system)
  • methods of analyzing proprietary protocols - sniffing, MITM, reversing client/server
  • sniffing administrative credentials
  • abusing improper session management - authentication bypass
  • P2P feature - how to attack doorlock hidden behind NAT
  • taking control over proprietary HVAC control appliance
• Home automation systems integrated with alarms, doors and access control - based on KNX example installation provided
  • typical architecture, group address, device address, KNX-IP gateway
  • tools: ETS configuration software, knxmap, nmap scripts...
  • locate KNX gateway in LAN or remotely from the Internet
  • monitor mode - sniffing the bus passively
  • sending write command to group address and open connected doorlock
• SMS and voice remote control over GSM - based on remote control alarm system
  • brute-force alarm PIN via SMS and voice calls
• NFC/RFID - based on hotel electronic door lock, pinpad, time attendance sensor
  • clone contactless card
  • brute-force ID
• Wiegand
  • sniff the data transmitted from access control reader using BLEKey

Moreover, everyone will also be able try oneself to:

• open smart lock using strong magnet influencing the motor
• cheat fingerprint biometric sensor - you can make your own fingerprint clone
• open voice-controlled lock by hacking nearby speaking devices

Several exercises will be connected with electronic lock guarding a special box of goods from Poland. Whenever a participant will succeed in hacking the lock, the box opens automatically, and one can have a delicious cookie or a shot of a Polish vodka :)

Prerequisites

None specific. Willing to learn and apply new things. A technical background is not necessary. Decision-maker, penetration tester, or hacking enthusiast, this training will be an excellent addition to your professional curriculum.

Target Audience

Professionals, Organisations and Governments. Individuals who have a professional interest in social engineering. Functions or roles requiring social engineering knowledge either for active use or for building protection against social engineering attacks. CISO's, Managers, Consultants, Developers, Hackers, Intelligence Org., Red Teams, Pentesters, Psychologists, Defence, Strategists, Tacticians, CxO's etc.

Material to bring by attendees

Laptop and note paper.

Course Syllabus

You can have the best technical security controls in the world, from the most expensive firewall to the most sophisticated biometric access control, but they will not protect you from social engineering attacks. This 2-day course will provide you with the skills to detect, defend and assess social engineering attacks. You will learn the motivations and methods used by social engineers enabling you to better protect yourself and your organization.

This is not a technical course no technical prerequisites are required. Some tools might be used in the course for achieving a purpose but there will no programming skills necessary. You will learn how some of the most elegant social engineering attacks take place. Learn to perform these scenarios and what is done during each step of the attack. Social Engineering is an area filled with ethical challenges, risks and legal landmines and I will do my best to share my experiences in this course. So participants can reap the benefits of my experiences without falling in to the pitfalls I have over the years.

1. Social Engineering Economy - Introduction to Social Engineering
   1. Assessing the social engineering threats
   2. The evolution of social engineering
   3. Thinking like a social engineer
   4. Why social engineering works? The principles on which social engineering is based
   5. The legal and ethical aspects of social engineering
2. The Social Engineering Engagement Framework (SEEF) – Advanced Techniques and Methods
   1. Social engineering engagement management – how to execute SE engagements/ tests
   2. Governance, Risk and Compliance including “++”
   3. Approach Selection Method (ASM) – selecting the most effective and efficient approach
   4. Attack Vector Development (AVD) – developing the most effective attack vectors
   5. The psychology of social engineering – interposal distance, zones of approach, rapport building etc.
3. Social Engineering Prevention and Defence
   1. Identify countermeasures against social engineering attacks
   2. Phishing attacks - is it worth to run phishing exercises?
   3. Defend against social engineering deceptions that threaten organizational security
   4. Plan and evaluate security assessments
   5. Promote vigilance and implement procedures to defeat deceptions
4. Exercises and practical application – Tools used by Social Engineers
   1. Identifying interview techniques that elicit private information
   2. Leveraging authority as a manipulation tool
   3. Conducting information collection: i.e. dumpster dive to gather intelligence
   4. Gathering Information and Intelligence Identifying information sources
   5. OSINT tools

What are the requirements?

• Basic idea of how web applications work.
• Knowledge of client side JavaScript and HTML.
• Basic scripting knowledge in Python is good to have.
• Minimum 2 GB RAM and 20 GB HDD
• Full Virtualization support to run VMWare or VirtualBox
• WiFi/Ethernet support for connectivity.
• Full Administrative access and USB ports enabled.

What are the take aways?

• Course Slides and Cheatsheets
• Vulnerable apps to practise your skills
• Learn about OWASP Top 10 Web vulnerabilities
• Learn about latest and lesser known Web Attacks
• Art of spawning shells with Injection attacks
• Course Details

Course Syllabus

• Introduction to the Course
  • Basics of Web Application
  • Basics of DNS
  • Basics of Web Security
  • Same Origin Policy and other Browser level controls
  • Bypassing SOP
  • Terminology: Encoding vs Escaping vs Encryption
  • Getting Familiar with HTTP(s) Proxies
  • Introduction to Web Fuzzing
• Introduction to Web Vulnerabilities and Attacks
  • Injection Vulnerabilities and Attacks
  • Client Side Attacks vs Server Side Attacks
• Fingerprinting the Web Stack
  • Web App and Server fingerprinting
  • Firewall / WAF fingerprinting
  • Content Management System fingerprinting
  • DNS/Subdomain enumeration
  • Directory/File structure enumeration
• Cross Site Scripting (XSS)
  • Reflected and Stored Cross Site Scripting
  • XSS and Contexts
  • DOM XSS
  • Identifying DOM XSS in modern JS MVC frameworks.
  • mXSS or mutation XSS
  • rPO XSS or Relative Path Overwrite XSS
  • Advanced XSS Exploitation with Beef and OWASP Xenotix
• Cross Site Request Forgery (CSRF)
  • Basics of CSRF
  • Exploiting CSRF
  • CSRF against RESTful Web APIs
• SQL Injection (SQLi)
  • SQL Injection Basics
  • Error based SQLi
  • Union based SQLi
  • Time based blind SQLi
  • Boolean based blind SQLi
  • Out of band SQLi
  • Automated SQLi exploitation with sqlmap
  • Advanced SQLi exploitation for shell access
• Remote Command Execution (RCE)
  • Remote Command Execution basics
  • Testing for RCE
  • Bypassing Filters and Firewalls
  • RCE Cheatsheet
  • Getting shell access
  • Reverse Shell Cheatsheet
  • Automated Remote Command Execution with commix
• Remote Code Injection (RCI)
  • Basics of Remote Code Injection
  • Testing for Remote Code Injection
  • Code Injection in popular languages
  • Case Study Apache Struts2 OGNL Injection
  • Getting shell access
• File Inclusion Vulnerabilities
  • Directory Traversal
  • Exploiting Local File Inclusion
  • Exploiting Remote File Inclusion
• LDAP Injection
  • LDAP Basics
  • Exploiting LDAP Injection
  • Blind LDAP Injection
• Server Side Includes (SSI) & Server Side Template injection (SSTI)
  • Server Side Includes basics
  • Server Side Includes Exploitation
  • Basics of Server Side Templating
  • Server Side Template Injection Basics
  • Exploiting Server Side Template injection for shell access
• Mass Assignment problem in Web Apps
  • Mass Assignment in PHP
  • Exploiting Mass Assignment in Ruby
  • Mass Assignment in Node.js
• Insecure Direct Object Reference (IDOR)
  • Understanding IDOR
  • IDOR Classification
  • Automated IDOR Detection with Burp
• XPATH Injection
  • XPATH Bascis
  • XPATH Injection
  • Out of band XPATH Injection
  • Exploiting XPATH Injection
• Server Side Request Forgery (SSRF) Attacks
  • Server Side Request Forgery Basics
  • Internal vs External SSRF
  • Exploiting an SSRF Vulnerability
• XML External Entity (XXE) Attacks
  • XXE Basics
  • Reflected XXE exploitation
  • Blind XXE exploitation
  • Exploiting XXE in File formats
  • SSRF with XXE
• Deserialization Attacks
  • Deserialization attacks in Java
  • Unserialization and Magic functions in PHP
  • Exploiting Unserialize/ Object Injection in PHP
  • Exploiting Unserialize in Node.js
  • Attacking Pickle in Python
• HTTP Parameter Pollution (HPP)
  • Parameter Handling in Web Applications
  • Parameter Precedence
  • Different Parameter/Routing Schemes
  • HTTP Parameter pollution and exploitation
• NoSQL Injection (NoSQLi)
  • NoSQL Basics
  • NoSQL Injection in MongoDB
  • NoSQL where Injection and exploitation
  • NoSQL blind Injection
  • Remote Code Injection with NoSQLi
  • Exploiting NoSQLi with NoSQL Exploitation Framework
• JSON Primer
  • JavaScript Primer on setter
  • JSON Hijacking
  • JSON Hijacking Today
  • Abusing JSONP to steal data
• Reflected File Download (RFD)
  • Reflected File Download (RFD) basics
  • Crafting an RFD payload
  • Exploiting with RFD
• Abusing Web App Functionality
  • Abusing File upload handlers
  • Phishing with Open Redirects
  • Abusing Data URIs for phishing
  • Phishing with Tabnabbing
  • Clickjacking
  • JavaScript’s window.opener property
  • Phishing with window.opener
• Same Origin Method Execution (SOME)
  • Same Origin Method Execution basics
  • Revisiting Same Origin Policy (SOP)
  • SOME Attack with Flash Callback
• Exploiting Crypto Vulnerabilities
  • Hash extension attacks
  • Padding Oracle attacks
• Bypassing Captcha
  • Introduction to OCR
  • Automated Captcha Solving
• Case Study: Data Breach and Password Cracking
  • Analysing Breach data to identify weakness in Crypto
  • Dictionary attack with custom scripts
  • Brute-forcing password with Hashcat
• Writing Security Tools
  • Automating Pen-tests
  • Writing Custom Logic on Proxies
  • Playing with HTTP Requests
  • Applying Security Logic
  • Creating tools to detect XSS, SQLi, RCE etc.

Prerequisites

The participants are expected to have a basic knowledge of Mobile Operating Systems. Knowledge of programming languages (Java and C, and Python for scripting) will be an added advantage to grasp things quickly

Hardware Requirements

• Minimum 4GB RAM and more than 20 GB Free Hard Disk Space
• Android device ( >=2.3)
• iPhone/iPad (preferable Rooted/Jailbreak)

Software Requirements

• Windows 7/8
• *Nix
• Mac OS X 10.5
• Administrative privileges on your machines
• Virtualbox or VMPlayer
• SSH Client
• Xcode 6 or higher
• ADB
• Android Studio 1.3 or higher
• Android SDK

Target Audience

This workshop is for penetration testers, mobile developers or anyone keen to learn mobile application security

Material to bring by attendees

• Windows 7/8 , Ubuntu 12.x + (64 bit Operating System), MacOSX (Maverick or later)
  • Intel / AMD Hardware Virtualization enabled Operating System
  • Administrative access on your laptop with external USB allowed
  • Atleast 20+ GB free hard disk space
  • Atleast 4 GB RAM (more the better)
  • Genymotion installed (Downloadable from http://genymotion.com)
  • VirtualBox Installed (Downloadable from http://www.virtualbox.org)
  • Jailbroken device (>=7.1.2)

Course Syllabus

Day 1

• Session 1
  • Android Introduction & Basics
  • Android Architecture
  • Android File System
  • Android Security & Kernel
    • Linux Kernel based protections
    • Android OS specific protections
• Session 2
  • Android – Permission model
  • Application sandboxing
  • Application Components
    • Activities
    • Intents
    • Services
    • Android Manifest file.
• Session 3
  • SDK and Android Tools
  • Setting up the Pentesting environment
    • Setting the Android Emulator & other required settings.
• Session 4
  • Android device rooting essentials
    • Boot Loaders
    • Recovery Mode
  • Penetration Testing Approach
  • Application Analysis
  • Android Debug Bridge
• Session 5
  • SSL pinning bypass
  • Signing Applications for Android
  • Reverse Engineering
    • Dex2jar
    • Jdgui
    • Apktool
    • Smali/Baksmali

Day 2

• Session 1
  • Traffic interception (Active & Passive )
  • Sniffing Application & Device data
  • Insecure file storage
  • Automated Application Analysis
    • Drozer framework
    • Exploiting Android using Metasploit
    • Application hooking using introspy
• Session 2
  • OWASP Mobile Top 10 Vulnerabilities
  • Lab exercise DIVA (Damn Insecure and Vulnerable App)
• Session 3
  • Introduction to iOS
  • iOS Security Architecture & Features
  • iOS Application Overview
• Session 4
  • iOS Security Model
    • Code signing
    • Sandboxing
    • Encryption
  • iOS application components
  • Setting up the iOS testing Environment
    • Setting up the iPhone/iPad/Simulator
    • Setting up the Xcode
    • Jailbreak essentials
    • iBoot
    • DFU – mode (Recovery Mode)
• Session 5
  • Reverse Engineering the iOS Applications
  • Decrypting Appstore Binaries
  • Identifying the use of Stack smashing Protection
  • Locating Position Independent Executable
  • Inspecting Binary

Day 3

• Session 1
  • Auditing the insecure API usage
  • Exposing the protocol headers
    • Identifying Insecure storage
  • Grabbing the iOS KeyChain
• Session 2
  • iOS App Pentesting
  • Application analysis
  • Active & Passive app assessment
• Session 3
  • Exploiting XSS in Apps through Web Views
  • Attacking XML Processors
  • SQL Injections
  • File system interaction
  • Logging
  • Backgrounding
• Session 4
  • OWASP Top 10 Mobile Vulnerabilities
  • Lab exercise Using DVIA (Damn Vulnerable iOS Application).
• Session 5 (This will be a theoritical and guided session on secure development for Android and iOS as hands-on require rooted and jailbroken devices)
  • Secure development practices
  • Secure programming practices
  • Input/Output Sanitization
  • Secure Communication
  • Os specific permissions
  • Enforcing user authentication
  • Handling sessions properly
• CTF Challenges!