We believe it is important to explain the basics of buffer overflows and exploit writing, but this is most certainly not "your average" entry level course. In fact, this is one of the finest and most advanced courses you will find on Win32 stack based exploit development.

This hardcore hands-on course will provide students with solid understanding of current Win32 (stack based) exploitation techniques and memory protection bypass techniques. We make sure the course material is kept updated with current techniques, includes previously undocumented tricks and techniques, and details about research we performed ourselves. Combined with the way the course is built up, this will turn these 3 days into a truly unique experience.

During the course, we not only share techniques and mechanics, but we also want to make sure you understand why a given technique is used, why something works and why something doesn’t work.

We believe those are just a few arguments that makes this training stand out between other exploit development training offerings. Feel free to check our testimonials page if you want to see real, voluntary, unmodified and uncensored reactions by some of our students: https://www.corelan-training.com/index.php/testimonials/

Finally, we offer you post-training support as well. If you have taken the course and you still have questions afterwards, we will help.

Why take this course

Are you interested in the process of turning an advisory into a working exploit ? Do you want to figure out if a given security patch/hotfix should be applied immediately or not ? Do you want to learn how to read and understand existing exploits ? Have you ever found yourself in a position where you have to change an existing exploit but failed to make it work. Do you want to write reliable exploits and integrate them into Metasploit ? Do you want to know how shellcode works ? Do you have basic knowledge about win32 exploit development already, but want to learn more about some of the more advanced topics listed below (see course overview) ? Did you read the Corelan exploit development tutorials, but still want to take the classes to fully understand and master the concepts ? Do you have other reasons to learn how to write exploits for the Win32 platform ? Are you willing to suffer and bleed a bit, learn fast and not intimidated by debuggers and assembly instructions… …then this course is what you need !

Target audience

Pentesters, auditors, network/system administrators, reverse engineers, malware analysts, developers, members of a security department, security enthusiasts, or anyone interested in exploit development.

Course overview

You can find more details about the course contents at

https://www.corelan-training.com/index.php/training/bootcamp/

Prerequisites:

Students should be able to read simple C code and simple scripts be familiar with writing basic scripts using python/ruby/… be ready to dive into a debugger and read asm for hours and hours and hours be ready to think out of the box and have a strong desire to learn be fluent with managing Windows / Linux operating system and with using vmware workstation/virtualbox be familiar with using Metasploit. No prior knowledge of assembly is required, but it will certainly help if you have some basic knowledge.

Tools/Equipment needed:

Unless specified otherwise, students are required to bring the following :

A laptop (no netbook) with vmware workstation/virtualbox and enough processing power and RAM (we recommend 4Gb of RAM) to run up to 2 virtual machines at the same time. The use of a 64bit processor and a 64bit operating system on the laptop will make the exercises more realistic. 2 Virtual machines installed (Windows 7 SP1, Kali Linux)

Note : you will receive the exact installation instructions after registration, so don’t start installling the VMs yet.

All required tools and applications will be provided during the training or will be downloaded from the internet during the training.

You must have full administrator access to all machines. You must be able to install and remove software, and you must be able to disable and/or remove firewall/antivirus/… when necessary.

Prerequisites

Basic knowledge of web and mobile security Basic knowledge of Linux OS Basic knowledge of programming (C, python) would be a plus

Target audience

Penetration testers tasked with auditing IoT Bug hunters who want to find new bugs in IoT products Government officials from defensive or offensive units Red team members tasked with compromising the IoT infrastructure Security professionals who want to build IoT security skills Embedded security enthusiasts* IoT Developers and testers Anyone interested in IoT security

Material to bring by attendees

Laptop with at least 50 GB free space 8+ GB minimum RAM (4+GB for the VM) External USB access Administrative privileges on the system Virtualization software – VirtualBox 5.X (including Virtualbox extension pack) Linux machines should have exfat-utils and exfat-fuse installed (ex: sudo apt-get install exfat-utils exfat-fuse). Virtualization (Vx-t) option enabled in the BIOS settings for virtualbox to work Latest OS on the host machines (For ex. Windows 7 is known to cause issues)

Course Syllabus

• Introduction to IOT

• IOT Architecture

• Identify attack surfaces

IoT Protocols Overview

MQTT

• Introduction

• Protocol Internals

• Reconnaisance

• Information leakage

• Hands-on with open source tools

CoAP

• Introduction

• Protocol Internals

• Reconnaissance

• Cross-protocol HTTP attacks

• Hands-on with open source tools

• CanBus

Introduction and protocol Overview

Reconnaissance (Active and Passive)

Sniffing and Eavesdropping

Replay Attack

• Understanding Radio

Signal Processing

Software Defined Radio

Gnuradio

=Introduction to gnuradio concepts

=Creating a flow graph

=Analysing radio signals

=Recording specific radio signal

=Replay Attacks

• Radio IoT Protocols Overview

Zigbee

• Introduction and protocol Overview

• Reconnaissance (Active and Passive)

• Sniffing and Eavesdropping

• Replay attacks

• Hands-on with RZUSBstick and open source tools

• BLE

Introduction and protocol Overview

Reconnaissance (Active and Passive) with HCI tools

GATT service Enumeration

Sniffing GATT protocol communication

Reversing GATT protocol communication

Read and writing on GATT protocol

L2cap smashing Cracking encryption Hands-on with open source tools

• Expliot – IoT exploitation framework

Intorduction

Architecture

Test Cases

• Mobile security (Android)

Introduction to Android

App architecture

Security architecture

App reversing and Analysis

• ARM

Architecture

Instruction Set

Procedure call convention

System call convention

Reversing

Hands-on Labs

• MIPS (If time permits)

Architecture

Instruction Set

Procedure call convention

System call convention

Reversing

Hands-on Labs

• Device Reconnaissance

• Conventional Attacks

• Firmware

Types

Firmware updates

Firmware analysis and reversing

Firmware modification

Firmware encryption

Simulating device environments

• External Storage Attacks

Symlink files

Compressed files

• IoT hardware Overview

• Introduction to hardware

Components

Memory

Packages

• Hardware Tools

Bus Pirate

EEPROM readers

Jtagulator/Jtagenum

Logic Analyzer

• Attacking Hardware Interfaces

Hardware Reconnaissance

Analyzing the board

Datasheets

I2C

=Introduction

=I2C Protocol

=Interfacing with I2C

=Manipulating Data via I2C

=Sniffing run-time I2C communication

SPI

=Introduction

=SPI Protocol

=Interfacing with SPI

=Manipulating data via SPI

=Sniffing run-time SPI communication

UART

=What is UART

=Identifying UART interface

==Method 1

==Method 2

=Accessing sensor via UART

JTAG

=Introduction

=Identifying JTAG interface

==Method 1

==Method 2

Researches

http://www.payatu.com/research/

Links

http://www.payatu.com/damn-insecure-and-vulnerable-app/

https://bitbucket.org/aseemjakhar/kcmd

https://bitbucket.org/aseemjakhar/indroid

Prerequisites

Attendees are required to have a good understanding of the IPv4 protocol suite (IPv4, ICMP, ARP, etc.) and of related components (routers, firewalls, etc.). Additionally, the attendee is expected to knowledge about basic IPv4 troubleshooting tools, such as: ping, traceroute, and network protocol analyzers (e.g., tcpdump). Basic knowledge of IPv6 is desirable, but not required.

Target audience

Network Engineers, Network Administrators, Security Administrators, Penetration Testers, and Security Professionals in general.

Material to bring by attendees

Attendees willing to perform the hands-on exercises are expected to bring a laptop with VirtualBox already installed. The minimum requirements for the laptop are: Intel Core Duo, 1.66 GHz. 4GB of RAM. Ethernet and WI-FI network interface cards.

Course Syllabus

Introduction to IPv6

• IPv4 address exhaustion

• IPv6 service

• IPv6 transition/deployment mechanisms

• IPv6: current state of affairs

• Brief comparison between IPv6 and IPv4

• IPv6 security overview

IPv6 Addressing Architecture

• IPv6 address types

• IPv6 address analysis

• Implications for address scanning attacks & possible mitigations

• Privacy implications & possible mitigations

• Implications for end-to-end connectivity

IPv6 Header Fields

• IPv6 header overview

• Basic header fields

• Security assessment

IPv6 Extension Headers (EHs)

• General implications of EHs

• Security implications of specific IPv6 EHs

• Security implications of specific IPv6 options

• IPv6 EHs in the real world

• Exploitation of IPv6 EHs

• Troubleshooting IPv6 EHs

• Network reconnaissance with IPv6 EHs

• Recent advances

IPsec

• Virtual Private Network (VPN) traffic leakages

Internet Control Message Protocol version 6 (ICMPv6)

• ICMPv6 error messages

• ICMPv6 informational messages

• Network reconnaissance with ICMPv6

Neighbor Discovery for IPv6

• Address resolution in IPv6

• Address resolution messages and options

• Neighbor Discovery cache

• Neighbor Discovery attacks

• Neighbor Discovery security controls

• Evasion of Neighbor Discovery security controls

• System configuration options

Stateless Address Auto-configuration (SLAAC)

• SLAAC operation

• SLAAC messages and options

• Duplicate Address Detection (DAD)

• Troubleshoting SLAAC

• SLAAC attacks

• DAD attacks

• SLAAC security controls

• Evasion of SLAAC security controls

• System configuration options

Dynamic Host Configuration Protocol version 6 (DHCPv6)

• Sample DHCPv6 traffic

• Security implications of DHCPv6

• DHCPv6 attacks

• DHCPv6 security controls

Multicast Listener Discovery (MLD)

• Introduction to MLD

• Sample MLD traffic

• Security implications of MLD

• MLD attacks

• MLD security controls

IPsec Virtual Private Network (VPN)

• traffic leakages

Upper-Layer Attacks

• Introduction

• TCP-based attacks

• UDP-based attacks

• Possible mitigations

DNS Support for IPv6

• Network reconnaissance

• Exploitation of DNS reverse mappings

IPv6 Firewalls

• Introuction

• Known limitations

• Examples

• Evasion of IPv6 firewalls

Security Implications of IPv6 for IPv4-only Networks

• IPv6 attacks on IPv4-only networks

• Mitigating IPv6 attacks on IPv4-only networks

Transition/Co-existence Technologies

• Overview

• Automatic tunneling mechanisms

• Attacks on automatic tunneling mechanisms

• Mitigations

Network Reconnaissance in IPv6

• Host scanning in IPv6

• Port scanning in IPv6

• Overview of penetration testing in IPv6

IPv6 Deployment Considerations

• Designing an IPv6 address plan

• Operating System hardening

• Other considerations

Researches

IPv6 Attack and Defense

Link

https://www.si6networks.com/tools/ipv6toolkit

Prerequisites

• Experience with vulnerability assessment and penetration testing.

• Familiarity with web application security vulnerabilities.

• Basic knowledge of TCP/IP network protocol.

• Familiarity with virtualization tools like VMware/VirtualBox

What To Expect

• Exposure to infrastructure penetration testing tools and techniques.

• Exploiting enterprise network.

• Live real-life scenarios.

• Multi vector attacks.

• Exploiting configuration vulnerabilities.

• Capture the Flag (CTF) to test skills.

What To Bring

• A laptop with administrator privileges.

• Minimum 50 GB of free hard disk space.

• Minimum 4 GB RAM for virtual machines.

• Laptop should have a ethernet and wifi capability.

• VM Player or VMWare Workstation installed.

Course Syllabus

Day-1

• Information gathering and recon techniques

• Advanced payload obfuscation with Metasploit Framework

• Pivoting with Metasploit Framework

• Network device exploitation and VLAN Hopping

• Hacking the Evil Corp

• Discover apps and services

• Exploit configuration weaknesses for information gathering

• Exploit workstations

• Exploit MQ services

• Exploit CI/CD pipelines

• Exploit custom services

Day-2

• Windows Server 2012 exploitation

• Windows Domain Controller exploitation

• MacOSX exploitation

• Linux web app server exploitation

• Oracle database server enumeration and exploitation

Day-3

Day-3 will host a Capture the Flag (CTF) contest where participants will compete against each other in live hacking of provided network. Scores will be tracked and made available in the CTF portal in real-time.

Prerequisites

Minimum 6-8 years of IT experience

Target audience

Network administrators, infrastructure architects, security professionals, systems engineers, network administrators, IT professionals, security consultants and other people responsible for implementing network and perimeter security.

Material to bring by attendees

Laptops

Course Syllabus

Module 1: Hacking Windows Platform

a) Detecting unnecessary services

b) Misusing service accounts

c) Implementing rights, permissions and privileges

d) Direct Kernel Object Modification

Module 2: Top 50 tools: the attacker's best friends

a) Practical walkthrough through tools

b) Using tools against scenarios

Module 3: Modern Malware

a) Techniques used by modern malware

b) Advanced Persistent Threats

c) Fooling common protection mechanisms

Module 4: Physical Access

a) Misusing USB and other ports

b) Offline Access techniques

c) BitLocker unlocking

Module 5: Intercepting Communication

a) Communicating through firewalls

b) Misusing Remote Access

c) DNS based attacks

Module 6: Hacking Web Server

a) Detecting unsafe servers

b) Hacking HTTPS

c) Distributed Denial of Service attacks

Module 7: Data in-Security

a) File format attacks for Microsoft Office, PDF and other file types

b) Using incorrect file servers’ configuration

c) Basic SQL Server attacks

Module 8: Password attacks

a) Pass-the-Hash attacks

b) Stealing the LSA Secrets

c) Other

Module 9: Hacking automation

a) Misusing administrative scripts

b) Script based scanning

Module 10: Designing Secure Windows Infrastructure

On the market there are thousands of solutions available to enrich security in our infrastructure. Idea of this module is to provide the complete knowledge and to gain the holistic approach to the areas that can be secured and the measures that can be implemented.

Module 11: Securing Windows Platform

a) Defining and disabling unnecessary services

b) Implementing secure service accounts

c) Implementing rights, permissions and privileges

d) Driver signing

Module 12: Malware Protection

a) Techniques used by modern malware

b) Malware investigation techniques

c) Analyzing cases of real malware

d) Implementing protection mechanisms

Module 13: Managing Physical Security

a) Managing port security: USB, FireWire and other

b) Mitigating Offline Access

c) Implementing and managing BitLocker

Module 14: Deploying and configuring Public Key Infrastructure

a) Role and capabilities of the PKI in the infrastructure

b) Designing PKI architecture

c) PKI Deployment – Best practices

Module 15: Configuring Secure Communication

a) Deploying and managing Windows Firewall – advanced and useful features

b) Deploying and configuring IPsec

c) Deploying secure Remote Access (VPN, Direct Access, Workplace Join, RDS Gateway)

d) Deploying DNS and DNSSEC

Module 16: Securing Web Server

a) Configuring IIS features for security

b) Deploying Server Name Indication and Centralized SSL Certificate Support

c) Monitoring Web Server resources and performance

d) Deploying Distributed Denial of Service attack prevention

e) Deploying Network Load Balancing and Web Farms

Module 17: Providing Data Security and Availability

a) Designing data protection for Microsoft Office, PDF and other file types

b) Deploying Active Directory Rights Management Services

c) Deploying File Classification Infrastructure and Dynamic Access Control

d) Configuring a secure File Server

e) Hardening basics for Microsoft SQL Server

f) Clustering selected Windows services

Module 18: Mitigating the common password attacks

a) Performing Pass-the-Hash attack and implementing prevention

b) Performing the LSA Secrets dump and implementing prevention

Module 19: Automating Windows Security

a) Implementing Advanced GPO Features

b) Deploying Software Restriction: Applocker

c) Advanced Powershell for administration

Researches

DPAPI, Platform Security, Credential attacks

Links

https://cqureacademy.com

Prerequisites

Basic knowledge of electric circuits. Basic knowledge of computer architectures. A background in software security or hardware engineering are an advantage. Basic soldering skills are an advantage.

Target audience

Analysts with IT security backgrounds, who want to proceed to hardware hacking. Forensics analysts who want to proceed to hardware forensics. Engineers who want to learn how hardware hackers think, in order to test and improve their products. Hobbyists who plan to test hardware commercially.

Material to bring by attendees

• Laptop

• Win7 OS as host or VM

• Winhex (licensed or demo)

• Termite terminal installed

• Saleae Logic Analizer (any model)

• Latest Saleae Beta software installed

• Termite terminal installed

• 5 GB of free space mimimum

• 4 GB RAM minimum

• Mouse is highly recommended

• Any device that the attendees would like to test the newly acquired skills on (routers, IP cams, etc…)

Course Syllabus

Day 1:

Module 1 : Embedded Architectures and Communication protocols

Why are these protocols important?

Serial

SPI

Module 2 : The logic Analyzer

What is a logic analyzer?

How can it be used to reverse a system?

Decoding protocols with the LA

Module 3 :Different types of low-density memories

Flash and EEPROM

Communication protocols used

How they are used on embedded systems

Day 2:

Module 4 : How to dump and modify the memories, and existing types of protections.

Getting to know your IC before removing it

Using the soldering iron to remove and resolder a memory IC

Using the hot air station to remove and resolder a memory IC

Checking for protections against modification

Finding and using Debug ports

Module 5 : How to effectively look for backdoors on systems (other than "uart shells")

Basics of embedded system behavior

Production backdoors

Retail product backdoors

Day 3:

Module 6 : Advanced countermeasures, such as tamper switches and self-erasing chips

Module 7 : Basic Fault Injection Concepts, Basic Exploitation Concepts (depends on interest of trainees)

Module 8 : Hacking IoT Devices Playground and Walk-Trough

Researches

IoT, Embedded Systems, integrated circuits, embedded software stacks

What students will receive

Students will be handed in a VMware image with a specially prepared testing environment to play with the bugs. What's more, this environment is self-contained and when the training is over, students can take it home (after signing a non-disclosure agreement) to hack again at their own pace.

Prerequisites

To get the most of this training intermediate knowledge of web application security is needed. Students should be familiar with common web application vulnerabilities and have experience in using a proxy, such as Burp Suite Proxy, or similar, to analyze or modify the traffic.

Target audience

Penetration testers, bug hunters, security researchers/consultants

Material to bring by attendees

Students will need a laptop with 64-bit operating system, at least 4 GB RAM (8 GB preferred), 35 GB free hard drive space, USB port (2.0 or 3.0), wireless network adapter, administrative access, ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running 64-bit VMs (BIOS settings changes may be needed). Please also make sure that you have Internet Explorer 11 installed on your machine or bring an up-and-running VM with Internet Explorer 11 (you can get it here: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/).

Prerequisites

A detailed understanding of Windows is not required to attend the training, however a basic familiarity with the windows command line (cmd/PowerShell), the Sysinternals Suite and certain concepts such as schedule tasks, services and UAC will be greatly beneficial.

Target audience

Members of the red & blue team, penetration testers, system administrators, SOC analysts and security enthusiasts.

Material to bring by attendees

• A laptop with either VMWare or VirtualBox installed.
• Enough system resources to run x2 virtual machines simultaneously.
• 30GB free hard disk space.

Course Syllabus

Day 1:

=Breakout=

• Desktop lockdown (Group Policy/SRP)

• Getting an explorer window

• Folder/File restrictions

• Native/custom command line interfaces

• Breaking Kiosks and Citrix environments

• Bypassing AppLocker/DeviceGuard restrictions

=Privilege Escalation=

• Enumeration

• Configuration weaknesses

• Missing patches

• Scheduled tasks

• Services

• Unattended installations

• DLL hijacking

• Abusing token privileges

Day 2:

=User Account Control=

• What is UAC and how does it work

• Auto-elevation

• WUSA/IFileOperation

• Process Status API

• Windows Side-By-Side Assembly

• COM handlers

• Creating proxy DLL’s

• Fileless UAC bypass

• Environment variables

• Race conditions

• Abusing process tokens

• Bypassing “Always Notify”

=Persistence=

• Using the registry

• Scheduled tasks

• Manipulating File Associations

• WMI Permanent Event Subscriptions

• Binary patching

• Application Compatibility Shims

• COM Handler Hijacking

• Leveraging Office and Outlook

• Evasion (ADS/corrupted NTFS folder structures/processor variables)

Prerequisites:

The audience needs a fundamental engineering understanding of the world of security &security modeling. They need a very open mind, and a willingness to look at cyber-­?security with a Brand New Prism. A super-­?technical background is not necessary, but those with more technical skills will likely enjoy the problem-­?solving section.

Ideally, with the audience working from different operational and technical standpoints, they can jointly explore new ways to secure networks, using a wide variety of techniques and comparatively simple math (algebra, with a little conceptual understanding of basic calculus – which is not required to solve any of the exercises.)

Target audience

Security architects; application designers; networking engineers; telecommunications professionals; strategic thinkers.

Material to bring by attendees

Laptop, plenty of note paper and lots of imagination! This session will spin your head!

Course Syllabus

Handouts:

• Bayesian Probability Basics

• Analogue Security Design building blocks

Highly interactive, with exercises, group solutions development.

Day 1

AM

• Why Analogue Security? The problems with using a 40 year-­?old security models in a synchronous communications environment. Physical security metaphors and why they don’t work.

• The Strategic Profile of a modern security model.

• Basic Time-­?Based Security. Introducing the first analogue security maths, physical metaphors that do work, and why there is no measurably definitive protection.

• Implications of Infinity

• Using analogue padding and compression techniques as security controls in a Detection-­? Reaction Matrix by dividing bandwidth by time.

• A Primer on analogue concepts: Square waves, smoothing, adding and mixing, perception, trending, fractals and more.

• Electronics 101: Basic Ohm’s Law, Power Law, and how to calculate in series and parallel circuits. (EXERCISES)

Day 1

PM

• Boolean logic. Calculating logic trees and truth tables. (EXERCISES)

• The Administrative Root problem, multiple administrators, and the good and bad about the Two Man Rule. Introducing the concept of Trust Factors.

• Positive and Negative Feedback in the Three domains.

• SCADA/ICS security view

• Applying Flip-­?flops and adding Time-­?Based Security through Feedback

• Application of Negative Time in Security

• Mixing in Trust Factors to understand Time-­?Based Degrading Trust

• Introducing the OODA-­?Loop; history, real-­?world use of it; neural metaphors, and the math of Squeezing the Loop using limits. (EXERCISES)

• Applying OODA in security.

• Out of Band Control Signals, VCAs & SCADA/ICS

• Detection in Depth in the physical world and applying to cybersecurity, programming and networking. Defining the mathematical limits of security. (Some Maths)

Group talks over Beer.

Day 2

AM:

• Bayesian Probability Primer. (EXERCISES)

• Bounding Security Domains (MATH)

• Measure and compare the security performance of security products.

• How to reduce data leaks and exfiltration using Analogue Network Security. (SMTP)

• Analogue anti-­?phishing circuits

• How to design DoS/DDoS protection with Out of Band circuitry

• Designing tools to stop SPAM and Identification (Notification) of members of botnets

Using the Analogue Security building blocks we have studies, we will begin design application concepts for the audience to work on analogue I&A designs, cryptographic applications, multiple detection and feedback operations. (EXERCISES)

Day 2

PM:

The audience will be encouraged to come up with their own security problems to solve and will also be tasked with designing security architectures for various security problems. (EXERCISES) They will need to interact: business practitioners, networking engineers and security professionals, and come up with analogue solutions, with mathematical proofs. (EXERCISES)

Group talks over Beer.

Course outline:

This training will mainly focus on the following :

Arm basics and Android native code.

Reverse engineer Dex code for security analysis.

Jailbreaking/Rooting of the device and also various techniques to detect Jailbreak/Root.

Runtime analysis of the apps by active debugging.

Modifying parts of the code, where any part can be specified as some functions, classes and to perform this check or to identify the modification, we will learn how to find and calculate the checksum of the code. Our objective in this section will be to learn, Reverse Engineering an application, get its executable binaries , modify these binaries accordingly, resign the application. Runtime modification of code. Objective is to learn how the programs/codes can be changed or modified at runtime. we will learn how to perform introspection or overriding the default behaviour of the methods during runtime and then we will learn how to identify if the methods have been changed). For iOS we can make use of tool Cycript, snoop-it etc. Hooking an application and learn to perform program/code modification. By the end of training, based on the course content CTF challenges written by the trainer will be launched, where the attendees will use their skills learnt in the workshop to solve the CTF challenges. The workshop will begin with a quick understanding on the architecture, file system, permissions and security model of both iOS and Android platform.

Prerequisites

Basic familiarity of Linux usage,

Willingness to learn.

Target audience

Penetration testers/security professional,

Mobile Developers,

Anyone interested to learn mobile application security.

Material to bring by attendees

A jailbroken iPhone/iPad/iPod for iOS testing is must for hands-on.

Laptop with 20+ GB free hard disk space 4+ GB RAM

Windows 7/8 , Ubuntu 12.x + (64 bit Operating System), MacOSX (Maverick or later)

Android SDK , Genymotion installed.

Intel / AMD Hardware Virtualization enabled Operating System

Administrative access on your laptop with external USB allowed

Course Syllabus

Day 1:

Session 1 : Android Introduction & Basics

Android Architecture & File System

Android Security & Kernel

Android b  Permission model & sandboxing

Application Components & Structure

Session 2 : Setting up the Pentesting environment

SDK and Android Tools

Setting up the Pentesting environment

Setting the Android Emulator & other required settings.

Android device rooting essentials

Penetration Testing Approach

Application Analysis

Android Debug Bridge

Hands on - Setting up the Pentesting environment

Hands on b  Looking at the artifacts of the application.

Hands on - Lab exercise

Session 3 : Reverse engineering & runtime manipulation

Reverse engineer the app

Hands on - apk decompilation(smali/baksmali Dalvik assembler/disassembler)

Hands on - Runtime manipulation and code patching

Hands on - Recompile and Resign the APK

Hands on - Reading the class files and

Hands on - Lab exercise

Session 4 : Application dynamic runtime analysis

Monitoring process & Network activity

Analyzing logs using logcat

Memory dumps and analysis

Debugging :

Native debugging with IDA (building signatures, types etc.)

Runtime instrumentation and manipulation

Hands on - Memory dumps and objects analysis

Hands on - Bypass Application Restrictions

Hands on - lab exercise

Session 5 :Application Components and security issues

Knowing Activity, Service, Content provider, Broadcast receiver

The application components structure

Hands on - Direct component invocation by unauthorized apps

Hands on - Invoking Activities using malicious intents

Hands on - Using broadcast receivers

Session 6 : Data and Network interception b  manipulation and analysis

Traffic interception (Active & Passive )

Sniffing Application & Device data

Proxies and sniffers

Hands on - Intercepting application traffic

Hands on - Importing SSL certificates & trusted CAb s

Validating server certificates and avoiding man-in-the-middle

Hands on -Techniques such as HostnameVerifier and HttpsURLConnection class

Hands on - SSL Pinning and SSLPinning bypass

Client side certificate authentication

Hands on - Vulnerabilities relating to information transmission

Day 2:

Session 1 :Introduction to iOS

iOS Security Architecture & Features

iOS Application Overview

Session 2 : iOS Security Model

iOS Security Model

Code signing

Sandboxing

Encryption

iOS application components

Session 3 : Setting up the iOS testing Environment

Setting up the iPhone/iPad/Simulator

Setting up the Xcode

Jailbreak essentials

iBoot

DFU b  mode ( Recovery mode)

Session 4 : Reverse Engineering

Hands on - Reverse Engineering the iOS Applications

Hands on - Decrypting Appstore Binaries

Hands on - Identifying the use of Stack smashing Protection

Hands on - Locating Position Independent Executables

Hands on - Inspecting Binary

Session 5 : Perform instrumenting at runtime using dynamic linkers

Hands on - Runtime modification using gdb

Hands on - Method swizzling using cycript

Hands on - Inspecting the applications for runtime changes

Understanding the hooking process

Identifying whether the application is being debugged

Hands on - Debugging the native code in iSO (gdb & lldb)

Session 6 : Auditing & Pentesting the iOS Applications

Hands on - Aduiting the insecure API usage

Exposing the protocol headers

Hands on - Identifying Insecure storage

Hands on - Grabbing the iOS KeyChain

Hands on - Application analysis Hands on - Exploiting XSS in Apps through WebViews

Hands on - Attacking XML Processors

Hands on - SQL

Injection File System interaction

Researches

Android, iOS, Security, Keychain, Reverse engineering, instrumentation, swizzling, hooking, Debug, runtime manipulation, root, jailbreak, pinning, SSL Pinning bypass, Obfuscation, binary analysis, checksum calculation, dex, smali, Mach-O, Pentesting, mobile vulnerabilities, mobile trojan

In this 2 day training we start by looking at the application stack consisting of Databases,CI tools, Distributed Configuration & Resource management tools, Containers, Big Data Environments, Search technologies and Message Brokers. Along with the training knowledge, the training also aims to impart the technical know-how methodology of testing these systems. This workshop is meant for anyone who would like to know, attack or secure the modern day stack. The students are bound to have some real fun and entirely new experience through this unique workshop, as we go through multiple challenging scenarios one might not have come across. During the entire duration of the training, the students are expected to learn the following

1.Look for vulnerabilities within the application stack.

2.Gain in depth knowledge on how to pentest the modern stack consisting of Continuous Build & Deployment tools, Message broker's, Configuration Management systems, Resource Management systems and Distributed file systems.

3.Security testing of an entire application stack from an end-to-end perspective.

Prerequisites

Knowledge of basic pentesting, web application working and linux command line basics,the ability to use a web proxy like Burp Suite, ZAP, and the ability to write basic scripts in any interpreted language is an added advantage.

Target audience

DevSecOps, Security Engineers, Penetration testers, Bug bounty hunters, System Administrators, SOC analysts, Security enthusiasts and anyone interested in the modern application stack.

Material to bring by attendees

The requirement for the course is a laptop with administrative and USB access and minimum configuration of 8GB RAM and 100GB hard-disk space.Full virtualisation support, Virtual Box and Docker should be installed.Unix box is preferred.

Course Syllabus

Day 1:

Pentesting some of the widely used systems in the modern stack :

Module 0 : Modern Application Stack

• Evolution of Application Stack

• Components of Stack

• Threat Modelling

• Attack Surface

Module 1 : Pentesting Databases:

• MySQL,Postgres and OracleDB

• Basic Enumeration

• Laying out the attack surface

• Pentesting third party plugins.

• Attacking Database Servers.

• Case Study of CVE-2016-6663

• Security testing using tools of trade.

• Pentesting NoSQL Databases & Caches: MongoDB, Cassandra, Redis & Memcache

• Fingerprinting NoSQL databases,

• Injection attacks on NoSQL Databases.

• Attacking and identifying vulnerabilities in NoSQL databases through NoSQL exploitation framework.

• Case study on Mongo Ransomware and hands on vulnerable applications.

• Securing databases.

Module 2 : Public Cloud Environments

• Introduction to Cloud Environments.

• AWS Configurations & AWS Security Checks.

• Pentesting AWS lambda servers.

• Secure Best practices for Cloud environments and Securing AWS instances

Module 3 : CI Tools

• Introduction to Jenkins, TeamCity and Go.

• Basic misconfigurations and attack surface for these tools.

• Security testing of CI Tools and outlook on vulnerabilities in Jenkins,

• TeamCity and Go.

• Case Study: Remote Code Execution on Jenkins.

Module 4 : Software Collaboration Tools

• Leveraging Version Control Systems like Git, SVN and Perforce.

• Attacking Code collaboration tools - Phabricator, Gitlab and Github Enterprise.

Module 5 : Message Brokers

• Introduction to RabbitMQ and Kafka.

• Common misconfigurations.

• Attacking and extracting juicy information from Message brokers.

Day 2:

Module 6 : Containers

• Hacking Docker environments.

• Setting up vulnerability static analysis for Docker containers (Clair and other tools).

• Hacking Vagrant instances.

• Securing Docker and Vagrant instances.

Module 7 : Distributed Configuration Management Systems (DCMS)

• Attacking Apache Zookeeper, HashiCorp Consul & Serf, CoreOS Etcd.

• Owning the entire application thorough DCMS , pivoted attacks.

• Attacking and Scanning using Garfield.

Module 8 : Distributed File System

• Basic misconfigurations for Hadoop.

• Analysing the threat model for Hadoop.

• Attacks and remote code executions on Hadoop.

• Securing Hadoop Instances.

Module 9 : Kubernetes,Mesos and Marathon (Distributed Deployment & Resource Management)

• Introduction to Kubernetes,Mesos and Marathon

• Fingerprinting Kubernetes,Mesos and Marathon

• Common Misconfigurations

• Pentesting Kubernetes and pivoting through kubernetes containers.

• Hacking entire application stack through Mesos and Marathon.

• Securing Mesos instances.

Module 10 : Search Technologies

• Introduction to ElasticSearch and Apache Solr (Lucene)

• Laying out the attack surface and common misconfigurations.

• Pentesting ElasticSearch and Solr .

• Case Study :ElasticSearch CVE-2015-1427 RCE Exploit.

Prerequisites

x86 assembler, use of debugging tools (desired), Windows API

Target audience

Software developers, malware analysts

Material to bring by attendees

Laptop with enough power to run a Windows 7 virtual machine, given by the instructor

Course Syllabus

PART 1) Introduction

1 Introduction to Reverse Engineering

• What is Reverse Engineering?

• Motivation

• Approaches to Reverse Engineering

• Reverse Engineering Code

2 Previous Concepts

• Computer Architecture Basic Concepts

• Operating System

• Playing with Debuggers

3 A Bunch of Tools Needed for Reversing

• Disassemblers and Hexadecimal Editors

• Debuggers

• PE Editor, Identifier and Resource Editor

• Memory Dumpers and Emulators

• IAT fixer and API monitors

• Documentation

4 Test-Bed Environment

5 Windows NT Internals Terminology

PART 2) Protection Techniques Compendium

6 Anti-Debug Techniques

• PEB, TEB, LDR. . .WTF?

• Using Win32 APIs

• Access Tokens and other Objects

• Windows Exceptions

• A Bunch (More) of Anti-Debug Techniques

• Reversing Tools Detection

• Other Anti-Debug Techniques

7 Anti-Tracing Techniques

8 Anti-Dump Techniques

• A bit of background. . .

• Memory Zone Protection

• Nanomites, Stolen Bytes and Protected Pages

• Virtual Machines

9 EP Anti-Detection Techniques

10 Anti-Sandboxing & Anti-VMs Techniques

• GDT, LDT, IDT. . .WTF again!

• VMs Detection

• Sandboxing detection

• Other Anti-Debug using LDT

11 Other Protection Techniques

• Obfuscation

• Dongles

• Cryptography

PART 3) Take-home messages

12 Conclusions

13 References

Researches

Reversing, anti-analysis, anti-forensics

Link

https://github.com/ricardojrdez/anti-analysis-tricks

Pre-requisites

• At least basic familiarity with Linux command-line, Kali, Wireshark.
• Scripting/programming skills will be very helpful.

Target audience

• Pentesters, security professionals
• IoT developers
• Anyone interested

Material to bring by attendees

• Laptop capable of running Kali Linux in VM and USB port.
• Android smartphone with BLE and NFC support will be very helpful.
• You can bring your own BLE device or NFC card to verify its security.

Course syllabus

1. NFC

UID-based access control - practical exercises on example reader + door lock

• UID lengths, formats
• clone Mifare UID using "Chinese magic" card and provided hardware
• how to emulate contactless cards and unlock UID-based system using just a smartphone (Android, iOS), without any additional hardware
• how to clone a card by making its picture - decoding numbers printed on cards
• emulate card using Proxmark, Chameleon Mini
• brute-force - is it possible in practice to guess other cards UID?
• countermeasures against attacks

Wiegand - wired access control transmission standard

• sniff the data transmitted from access control reader using Raspberry Pi GPIO
• decode card UID from sniffed bytes, clone the card
• replay card data on the wire to open lock
• available Wiegand sniffers/repeaters

Mifare Classic & its weaknesses - practical exercises based on hotel door lock system, ski lift card, bus ticket

• Mifare Classic - data structure, access control, keys, encryption
• default & leaked keys
• reading & cloning card data using just a mobile phone
• cracking keys - nested, darkside attacks
• libnfc tools - mfoc, mfcuk, MiLazyCracker
• cracking Mifare using provided hardware

Reverse-engineering data stored on card

• decoding access control data (room number, date) stored on card by an example hotel system
• creating hotel „emergency card” to open all the hotel doors unconditionally

Mifare Ultralight

• data structure
• reading, cloning, emulating
• example data stored on hotel access card

Introduction to Proxmark, Low Frequency cards (EM4100, HID Prox).

Summary of known attacks and security issues of Mifare Plus, DESFire, Ultralight C, HID iClass ...

2. Bluetooth Smart (Low Energy)

based on multiple devices (including 7 various smart locks) and tools developed by the trainer: GATTacker BLE MITM proxy and deliberately vulnerable Hackmelock (consisting of Android mobile application and lock device simulated on Raspberry Pi).

Theory introduction

• What is Bluetooth Smart/Low Energy/4.0, how it is different from previous Bluetooth versions?
• Usage scenarios, prevalence in IoT devices
• Protocol basics
• Advertisements, connections
• Central vs peripheral device
• GATT - services, characteristics, descriptors, handles
• Security features - pairing/encryption, whitelisting, MAC randomization
• Security in practice: own crypto in application layer
• Hardware required for BLE assessment

BLE advertisements and beacons

• iBeacon, Eddystone, Physical Web
• Simulating beacons - using mobile phone, Linux scripts, other devices.
• How to get free beer by abusing beacon-based reward application
• scanning for visible devices, hcitool, bleah, GATTacker, ...
• decoding data in advertisements
• advertisement spoofing - Denial of Service, device impersonation

Sniffing BLE connections using RF layer hardware

• Ubertooth, nRF sniffer, other hardware
• Wireshark filters, tips&tricks
• sniffing static cleartext password of a smart lock and other devices using provided hardware

HCI dump (Linux, Android) - setup, analysis, difference from RF-layer sniffing, replay/fuzzing possibilities.

Attacking services exposed by devices

• mapping device services and characteristics
• interacting with devices that do not require pairing/authentication
• example unlocked AT command interface via BLE service of a smart lock

Device spoofing, active MITM interception

• how to perform “man in the middle” attack on BLE connections
• available tools: GATTacker, BtleJuice.
• MAC address cloning
• analysing intercepted traffic
• Denial of Service attacks

Replay attacks

• intercept transmission
• analyse authentication protocol weakness in example smart lock
• perform replay using tools or a mobile phone, and unlock the device

Mobile application analysis, attacks on proprietary authentication and protocols

• decompile Android app, locate relevant source code fragments
• understand proprietary BLE communication protocol - commands, data exchanged with device
• based on example smart lock, discover protocol weakness, create exploit to open the lock without knowing current password or prior sniffing
• exploit the vulnerability using just a mobile phone - nRF Connect macros
• verify other vendor's claims on "Latest PKI technology" and "military grade encryption"

Relay attacks - abusing automatic proximity features (e.g. smart lock autounlock).

Remote access share functions and their weaknesses - how to bypass timing restrictions.

How to create own, independent server-side API for device - based on a real smart lock vendor, which disappeared and shut the servers, effectively rendering the device e-waste.

Introduction to Web Bluetooth, Bluetooth Mesh, Bluetooth 5.0

BLE Hackmelock - open-source software emulated device with multiple challenges to practice at home.

BLE best practices and security checklist - for security professionals, pentesters, vendors and developers.

3. Linux embedded

based on wireless door lock, alarm+home automation system and other devices:

• authentication bypass
• information disclosure
• telnet brute-force
• OS command injection

4. Proprietary network protocols

based on fingerprint sensor device, wireless door lock, alarm system, HVAC controller

• various approaches to analyzing proprietary protocols
• step-by-step understanding packets and attacking remote management binary communication of fingerprint sensor
• sniffing and decoding administrative credentials
• abusing improper session management (authentication bypass)
• unlock wireless alarm with a single packet
• P2P communication - how to attack devices hidden behind NAT

5. KNX home automation

an example installation connected to electromagnetic lock

• theory introduction, typical architecture, group address, device address...
• tools: ETS configuration suite vs open-source knxd, knxmap, nmap scripts - how to locate and connect to KNX-IP gateway in LAN or remotely
• monitor mode - sniffing the bus communication
• write command to group address and open lock

6. SMS and DTMF remote control over GSM

based on remote control alarm system

• theory introduction to GSM interception
• brute-force alarm administrative PIN via automated remote SMS and voice calls from the cloud API

7. RF remote control

how to disarm alarm using wire connected to Raspberry Pi - Software Defined Radio - tools and hardware

• identifying specified signal, its frequency and characteristics
• recording radio data sent by remote controller using provided RTL-SDR dongle
• replay the recorded control commands using simple wire connected to Raspberry Pi GPIO, and disarm alarm
• introduction to more advanced attacks on key rolling systems

8. Moreover

you will also be able to try:

• open smart lock using special strokes of a strong magnet which turns the device's inside motor
• cheat fingerprint biometric sensor - we can make your own fingerprint clone during training
• open voice-controlled lock by hacking nearby speaker-enabled device

Each student will receive:

• course materials in PDFs (several hundred pages)
• all required additional files: source code, documentation, installation binaries, virtual machine images on a pendrive
• Hardware pack for hands-on exercises consisting of:
  • Bluetooth Smart hardware sniffer and development kit based on nrf51822 module
  • 2 Bluetooth Low Energy USB dongles
  • Raspberry Pi 3 (+microSD card and 3.1A power adapter), with assessment tools and Hackmelock installed for further practice at home.
  • NFC NXP PN532 board + "magic UID" card - which will allow to clone most common Mifare Classic contactless cards
  • RTL-SDR USB dongle

Prerequisites

• Basic knowledge of Linux OS
• Basic knowledge of programming (C, python) would be a plus

Target audience

• Penetration testers tasked with auditing ICS
• Government officials from defensive or offensive units
• Red team members tasked with compromising the ICS infrastructure
• Embedded security enthusiasts
• SCADA and PLC programmers.
• Anyone interested in ICS security

Material to bring by attendees

• Laptop with at least 40 GB free space
• 4+ GB minimum RAM (2+GB for the VM)
• External USB access
• Administrative privileges on the system

Course Syllabus

• Briefing of ICS
• Difference between ICS and DCS
• Briefing of PLC and RTU
• ICS architecture
• PLC wiring
• PLC programming
• ICS Protocols Overview
• Modbus
  • Introduction and protocol Overview
  • Reconnaissance (Active and Passive)
  • Sniffing and Eavesdropping
  • Baseline Response Replay
  • Modbus Flooding
  • Modifying Coil and register values of PLC
  • Rogue Interloper (PLC)
• S7 Communication
  • Introduction and protocol Overview
  • Reconnaissance (Active and Passive)
  • Sniffing and Eavesdropping
  • Uploading and downloading PLC programmes
  • Start and Stop plc CPU
• AST protocol
  • Introduction and protocol Overview
  • Reconnaissance (Active and Passive)
  • Retrieve data from controller
  • Modifying data over controller
• DNP3
  • Introduction and protocol Overview
  • Reconnaissance (Active and Passive)
  • Length Overflow attack
  • Reset function attack
  • Rogue Interloper (PLC)
• Canbus
  • Introduction and protocol Overview
  • Reconnaissance (Active and Passive)
  • Sniffing and Eavesdropping
  • Replay Attack
  • Packet Forging attack
• OPC
  • Introduction and protocol Overview
  • Reconnaissance (Active and Passive)
  • Read/Write to system, outputs to operator,
  • Denial of service
  • Session Hijacking
• Fins
  • Introduction and protocol Overview
  • Reconnaissance (Active and Passive)
  • Sniffing and Eavesdropping
  • Replay attacks
  • Uploading and downloading PLC programmes
  • Start and Stop plc CPU
• Fuzzing technique of ICS protocols
• Hardware Analysis
• I2C
  • Introduction
  • I2C Protocol
  • Interfacing with I2C
  • Manipulating Data via I2C
  • Sniffing run-time I2C communication
• SPI
  • Introduction
  • SPI Protocol
  • Interfacing with SPI
  • Manipulating data via SPI
  • Sniffing run-time SPI communication
• UART
  • What is UART
  • Identifying UART interface
    • Method 1
    • Method 2
  • Accessing sensor via UART
• Debugging with JTAG

And at the end ICS CTF Challenge.

Prerequisites

All attendees will need to bring a laptop capable of running virtual machines (4GB of RAM is a minimum) Each attendee will be given a USB key with a custom Kali virtual machine, that includes the specific tools that we will use as well as the lab files (pcap, etc), and a Windows virtual machine with specific ICS software to perform the lab sessions

Target audience

This training is aimed at security professional willing to deep dive into the Industrial Control Systems and have real-world, hands-on sessions. There is no specific requirement for attendees except a basic infosec culture.

Material to bring by attendees

All attendees will need to bring a laptop capable of running virtual machines (4GB of RAM is a minimum)

Course Syllabus

Module 1 : Introduction to ICS

For starters, we will introduce the concept of ICS. The topics will include:

• A brief history of ICS

• Vocabulary

• The CIM model

• Classic architectures

• ICS components (PLCs, HMI, SCADA, DCS, sensors, RTUs, Historian, etc) and their roles

• OT vs IT

Module 2 : Pentesting Basics & tools

This module will introduce the concept of penetration test. We will not spend too much time of the theoretical stuff (how to make a report, etc etc) since that is not what attendees are looking for. However, this module is required to ensure that everyone shares at least the basic concepts of penetration testing, in order to understand the rest of the training.

The module will include :

• OSINT for ICS : Where to look to find informations

• Reconnaissance : how to portscan & nessus

• Exploitation : Metasploit basics

Toolz used : nmap, Nessus, Metasploit

Lab setup : Windows Servers and workstations, Metasploitable, Kali Linux

Module 3 : Windows basics and pentesting Windows

Unfortunately, any ICS now includes, at least in some areas, Windows systems. So some time must be spent on Windows basics. This module will introduce the following topics:

• Windows Active Directory

• How to find credentials on Windows systems

• Exploiting and pivoting to gain Domain Admin privileges

• A selection of hacking techniques will be applied on lab machines

Even if you are already knowledgeable about Windows and it’s security, I’m quite sure I can show you some new tricks :)

Module 4 : Common ICS vulnerabilities

This module will introduce the most common vulnerabilities found during ICS audits:

• Lack of network segmentation / Exposure

• Lack of hardening

• ICS protocols insecurity

Module 5 : ICS protocols

This module will introduce the most common ICS protocols:

• Modbus

• S7

• OPC

• Profinet

• DNP3

• Ethernet/IP….

Attendees will analyze network captures and be introduced to software libraries/clients to use these protocols to talk to PLC simulators as well as real PLCs.

Module 6 : Introduction to safety for security pros

This module will introduce the required safety knowledge in order to understand the OT world. The different concepts of safety will be detailed, as well as the leading norms and hazard analysis. The differences with IT risk analysis will be mentioned and to finish, a basic case study will be performed.

Module 7 : Programming PLCs [HS]

In order to have a better understanding of how a PLC works, student will use dedicated software to program a PLC in ladder logic (using trial versions of TIA portal and/or soMachine basic). Students will then deploy the code to real PLCs.

Toolz used : TIA Portal / SoMachine Basic

Lab : Windows virtual machine and real PLCs from Schneider and Siemens

Module 8 : Pentesting ICS [HS]

This module will be composed mostly of lab sessions, in order to apply the knowledge learned during module 5:

• Theory and general warning when performing tests in real ICS environments

• Common weaknesses

• Network capture analysis & replaying packets

• Talking industrial protocols : Modbus, S7….

• Additional PLC features: web server, FTP, SNMP...

Toolz used : nmap, Nessus, Metasploit

Lab : Windows Servers and workstations, Kali Linux, Siemens and Schneider PLCs

Module 9 : Securing ICS [HS]

We all know it, all clients want to know what they can do to improve the security of their systems. This module will detail the technical and organizational solutions one may engage in to secure their ICS. This will include : system hardening, network segmentation, sharing data with IT systems, and security supervision.

The leading security standards will also be mentioned and briefly compared.

Toolz used : Windows virtual machine, IDS

Lab : Students will have to configure an IDS virtual machine and verify its efficiency, and write a new attack signature for an attack previously performed.

Module 10 : Case study PM

In this module, students will be given information and network diagrams about a case-study ICS. They will have to highlight the security weaknesses and come up with recommendations.

Module 11 : Capture The Flag [HS]

A good training must include “real-life” examples and labs. To go further individual labs that will occur, we will dedicate the last half-day of the training to a Capture The Flag event. To do so, I will have a specific setup where attendees will be able to use their newly-acquired knowledge on a simulation of a “real-life” system. This will include compromise of Windows host, pivoting to the ICS, understanding the industrial process, and finally capturing a real flag with a robot hand !

Prerequisites

To sit for the exam after taking training, candidates must have five years of experience in three of the five CCISO Domains verified via the Exam Eligibility Application.

Target audience

Current and aspiring CISOs and/or CIOs.

Course Syllabus

• Domain 1 : Governance
• Domain 2 : Security Risk Management, Controls, & Audit Management
• Domain 3 : Security Program Management & Operations
• Domain 4 : Information Security Core Concepts
• Domain 5 : Strategic Planning, Finance, & Vendor Management

Link

https://ciso.eccouncil.org/