OVERVIEW

This class talks about a wealth of hacking techniques to compromise web applications, APIs, cloud components and other associated end-points. This class focuses on specific areas of appsec and on advanced vulnerability identification and exploitation techniques (especially server-side flaws). The class allows attendees to practice some neat, new and ridiculous hacks which affected real-life products and have found a mention in real bug-bounty programs. The vulnerabilities selected for the class either typically go undetected by modern scanners or the exploitation techniques are not so well known.

Note: Attendees will also benefit from a state-of-art Hacklab and we will be providing free 30 days lab access after the class to allow attendees more practice time.

The following is the course outline:

Day1

Lab Setup and architecture overview Advanced Burp Features

Authentication Attacks

• Logical Bypass / Boundary Conditions
• Token Hijacking attacks
• Case Study Bypassing 2 Factor Authentication
• Case Study Authentication Bypass using Subdomain Takeover

Attacking SSO

• JWT Token Brute-Force attacks
• SAML Authorization Bypass
• OAuth Issues

XML External Entity (XXE) Attack

• XXE Basics
• Advanced XXE Exploitation over OOB channels
• XXE through SAML
• XXE in File Parsing

Complex Password Reset Attacks

• Cookie Swap
• Host Header Validation Bypass
• Case study of a popular password reset fails.

Business Logic Flaws / Authorization flaws

• Mass Assignment
• Invite/Promo Code Bypass
• Replay Attack
• API Authorisation Bypass
• HTTP Parameter Pollution (HPP)

Server-Side Request Forgery (SSRF)

• SSRF to query internal network
• SSRF to call internal files
• Various Case studies

Day 2

Cloud Attacks

• SSRF attacks on cloud
• Serverless exploitation
• Google Dorking in the Cloud Era
• Post Exploitation techniques on Cloud-hosted applications
• Various Case Studies

Breaking Crypto

• Known Plaintext Attack (Faulty Password Reset)
• Padding Oracle Attack
• Hash length extension attacks
• Auth bypass using .NET Machine Key

Remote Code Execution (RCE)

• Java Serialisation Attack
• Node.js Serialization Attack
• PHP Serialization Attack
• JSON Serialization Attack
• Server-Side Template Injection
• Exploiting code injection over OOB channe l

Day 3

SQL Injection Masterclass

• 2nd order injection
• Out-of-Band exploitation
• SQLi through crypto
• OS code exec via PowerShell.
• Advanced topics in SQlisqli
• Advanced SQLMap Usage and WAF bypass

Tricky File Upload

• Malicious File Extensions
• Circumventing File validation checks
• Exploiting hardened web servers.

Attacking Hardened CMS

• Identifying and attacking various CMS
• Attacking Hardened Wordpress, Joomla, and Sharepoint.

Web Caching Attacks. Attack Chaining N tier vulnerability Chaining leading to RCE. Various Case Studies B33r-101

End

WHO SHOULD TAKE THIS COURSE

Web developers, SOC analysts, intermediate level penetration testers, DevOps engineers, network engineers, security architects, security enthusiasts and anyone who wants to take their skills to the next level.

STUDENT REQUIREMENTS

Students must bring their own laptops and have admin/root access on it. The laptop must have a virtualization software (virtualbox / VMWare) pre-installed. A customized version of Kali Linux (ova format) containing custom tools, scripts and VPN scripts for the class will be provided to the students. The laptop should have at least 4 GB RAM and 20 GB of free disk space dedicatedly for the VM.

WHAT STUDENTS SHOULD BRING

See student requirement

WHAT STUDENTS WILL BE PROVIDED WITH

Access to a hacking lab not just during the course but for 30 days after the class too. This gives them plenty of time to practice the concepts taught in the class. Numerous scripts and tools will also be provided during the training, along with student handouts.

Modern web applications are complex and it’s all about full-stack nowadays. That’s why you need to dive into full-stack exploitation if you want to master web attacks and maximize your payouts. Say ‘No’ to classical web application hacking. Join this unique hands-on training and become a full-stack exploitation master.

After completing this training, you will have learned about:

• REST API hacking

• AngularJS-based application hacking

• DOM-based exploitation

• bypassing Content Security Policy

• server-side request forgery

• browser-dependent exploitation

• DB truncation attack

• NoSQL injection

• type confusion vulnerability

• exploiting race conditions

• path-relative stylesheet import vulnerability

• reflected file download vulnerability

• subdomain takeover

• and more

What students will receive

Students will be handed in a VMware image with a specially prepared testing environment to play with the bugs. What's more, this environment is self-contained and when the training is over, students can take it home (after signing a non-disclosure agreement) to hack again at their own pace.

Special bonus

The ticket price includes FREE access to Dawid Czagan’s 6 online courses (https://academy.silesiasecuritylab.com/):

• “Start Hacking and Making Money Today at HackerOne”

• “Keep Hacking and Making Money at HackerOne”

• “Case Studies of Award-Winning XSS Attacks: Part 1”

• “Case Studies of Award-Winning XSS Attacks: Part 2”

• “DOUBLE Your Web Hacking Rewards with Fuzzing”

• “How Web Hackers Make BIG MONEY: Remote Code Execution”

What students say about this training

This training has been very well-received by students around the world. You can see their testimonials here (https://silesiasecuritylab.com/services/training/#opinions).

Prerequisites

To get the most of this training intermediate knowledge of web application security is needed. Students should be familiar with common web application vulnerabilities and have experience in using a proxy, such as Burp Suite Proxy, or similar, to analyze or modify the traffic.

Target audience

Penetration testers, bug hunters, security researchers/consultants

Material to bring by students

Students will need a laptop with 64-bit operating system, at least 4 GB RAM (8 GB preferred), 35 GB free hard drive space, USB port (2.0 or 3.0), wireless network adapter, administrative access, ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running 64-bit VMs (BIOS settings changes may be needed). Please also make sure that you have Internet Explorer 11 installed on your machine or bring an up-and-running VM with Internet Explorer 11 (you can get it here: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/).

Why take this course ?

• Are you familiar with the basics of exploit development ? Do you know how to write exploits for saved return pointer overwrites and abuse SEH records with your eyes closed ? Are you interested in understanding how heap spraying works, and why it works ? Is heap exploitation still a mysterious black box for you? Are you now ready for the next step ?
• Have you taken the Bootcamp or other commercial courses on exploit development and want to move to the next phase ?
• Do you want to learn modern techniques to exploit heap related memory corruptions on Windows 7 and Windows 10 ?
• Do you want to learn the fine art of writing exploits for heap related corruptions in complex applications ?
• Do you want to learn the skills to investigate heap managers on modern Windows versions (Win7, Win10) and how to look for your own exploitation primitives?
• Would you like to know what (generic) questions to ask (rather than being spoonfed exploit-specific solutions & answers)
• Would you like to know how to approach fuzzing/bug hunting in complex applications, how to recognize and determine exploitability for heap based corruptions?
• Are you involved in malware research or do Incident Response & interested in understanding how exploits work?
• Would you like to understand better how to detect exploits and how to protect against them?
• Would you like to get a basic view on common development mistakes, how to avoid them and how compiler options can help?
• Are you able to write ROP chains blindfolded ? (It is fundamentally important that you have practical experience with constructing/writing your own ROP chain!)
• Are you willing to suffer and bleed, absorb new knowledge fast and not intimidated by debuggers and assembly instructions…
• …then this course is exactly what you need !

Still in doubt? Click here to help find the right course for you.

Target audience

Pentesters, auditors, network/system administrators, reverse engineers, malware analysts, developers, members of a security department, security enthusiasts, or anyone that has a solid and practical basic knowledge of exploit development for Windows already.

If you have a strong desire to learn and willing to suffer & bleed, then check out the schedules & register for one of the classes. If you are interested in organizing the course at a conference or as a private course at your company, send me an e-mail (peter[dot]ve{at}corelan[dot]be)

Course contents

ASLR & DEP Refresher

• Bypassing ASLR
• Bypassing DEP

WinDBG

• Introduction to WinDBG

Windows Heap Management

• Terminology & building blocks
• Windows 7 Heap, Windows 10 Heap (“NT” and “Segment” heap)
• Front-End-Allocator and Back-End-Allocator
• Differences between Windows 7 and Windows 10
• Heap manipulation primitives

Heap Spraying

• Basic mechanisms
• Data & object spraying
• Precise heap spraying

Heap Exploitation

• Use-After-Free
• Linear & non-linear overflows / controlled write
• Double Free
• Type confusion
• Use of uninitialized memory
• Memory leaks / Information Disclosure
• Heap Manipulations and heap primitives

Intro to x64 exploitation

• x64 processes, memory map, registers
• Functions & calling conventions
• Structured Exception Handling
• ASLR
• Stack Buffer Overflows
• Heap exploitation primitives on x64

What’s next

• Overview of memory protection evolutions
• Thoughts & ideas on fuzzing and bug hunting

During the course, students will get the opportunity to work on real vulnerabilities in real applications, use a wide range of heap exploitation techniques and most importantly learn how to do your own research to find exploitation primitives in complex applications and new versions of Windows.

Warning – The course has a steep learning curve and will require full attention and focus.

The “Course Contents” on this page is subject to change without prior notice & can be updated between the moment of registration and the actual course. We will try to cover as much as we can from the “Course Contents”, based on the overall ability to absorb knowledge and time needed to complete the exercises, but Corelan cannot ever guarantee that we will be able to cover everything.

Knowledge & Attitude Prerequisites

Students must:

• be able to read and write simple C/C++ code and simple scripts (python, javascript)
• truly master all basic concepts of exploit development, as listed in our “BOOTCAMP” course. If you have taken the Bootcamp course and done a lot of practice after taking the class, then you’re probably ready for this class.
• be familiar with ROP (i.e. understand how it works on Windows, know how to build a ROP chain, know how to use mona.py to generate a chain and how to fix the chain if it doesn’t work)
• be familiar with using debuggers (we’ll use WinDBG for most part of the course, but we’ll spend some time explaining the basics of using WinDBG. It is assumed that you have practical experience with Immunity Debugger and mona.py)
• be ready to dive into a debugger and read asm for hours and hours and hours
• be ready to think out of the box and have a strong desire to learn
• be fluent with managing Windows / Linux operating system and with using vmware workstation/virtualbox
• be familiar with using Metasploit to generate shellcode
• have basic practical knowledge of assembly

It’s imperative for students to comply with these prerequisites.

Technical Prerequisites

Unless specified otherwise, students are required to bring the following :

• A laptop (no netbook) with vmware workstation/virtualbox and enough processing power and RAM (we recommend 4Gb of RAM) to run up to 2 virtual machines at the same time. The use of a 64bit processor and a 64bit operating system on the laptop will make the exercises more realistic.
• 3 Virtual machines (Windows 10 (no patches), Windows 7 SP1 (no patches), Kali Linux (fully up-to-date))

Note : you will receive the exact installation instructions after registration, about a week before class begins, so don’t start installling the VMs yet.

All required tools and applications will be provided during the training or will be downloaded from the internet during the training.

You must have full administrator access to all machines. You must be able to install and remove software, and you must be able to disable and/or remove firewall/antivirus/… when necessary.

Legal Prerequisites

It will be required to sign a confidentiality agreement at the start of the course. You will not be admitted to the course without signing this document. You can find a copy of the document here.

Who should attend

• Pentesters, security professionals, red teamers, researchers
• BLE/NFC device designers, developers
• Anyone interested

Key learning objectives

• In-depth knowledge of Bluetooth Low Energy, common implementation pitfalls, device assessment process and best practices
• Ability to identify vulnerable access control systems, clone cards and reverse-engineer data stored on card

Prerequisite knowledge

• Basic familiarity with Linux command-line
• Scripting skills, pentesting experience, Android mobile applications security background will be an advantage, but is not crucial
• No prior knowledge of Bluetooth Low Energy nor NFC is required

Hardware/software requirements

• Contemporary laptop capable of running Kali Linux in virtual machine (VirtualBox or VMWare), and at least two USB ports available for VM guest
• Android smartphone with BLE and NFC support will be very helpful
• You can bring your own BLE device or access control card to check its security

Each student will receive

• Course materials in PDFs (over 2000 pages)
• All required additional files: source code, documentation, installation binaries, virtual machine images on a pendrive

• Take-away hardware pack for hands-on exercises consisting of:

  • Proxmark 3 with latest firmware
  • Multiple RFID/NFC tags for cracking and cloning, including “Chinese magic UID”, T5577, Ultralight, HID Prox, iClass, EV1, Mifare Classic with various content (bus ticket, hotel, e-wallet, …)
  • NFC PN532 board (libnfc)
  • Raspberry Pi 3 (+microSD card and 3.1A power adapter), with assessment tools and Hackmelock installed for further hacking at home.
  • Bluetooth Smart hardware sniffer (nRF, BtleJack) based on nrf51822 module
  • Individual BLE device to attack running on development kit (including source code)
  • ST-Link V2 SWD debugger for programming nRF boards
  • 2 Bluetooth Low Energy USB dongles

Detailed agenda

Bluetooth Smart (Low Energy)

Theory introduction

• What is Bluetooth Smart/Low Energy/4.0, how it is different from previous Bluetooth versions?
• Usage scenarios, prevalence in IoT devices
• Protocol basics
• Required hardware for BLE assessment

BLE advertisements

• Scanning for visible devices, hcitool, bleah, bettercap, Mirage, GATTacker, …
• Beacons: iBeacon, Eddystone, Physical Web
• Simulating beacons – using mobile phone, Linux scripts, other devices.
• How to get free beer by abusing beacon-based reward application
• "Encrypted" beacons, abusing weaknesses in beacon management control protocols
• BLE advertisements of Microsoft and Apple devices (user tracking, decoding of current status/phone number)
• Advertisement spoofing – Denial of Service, device impersonation

BLE connections

• Central vs peripheral device
• GATT – services, characteristics, descriptors, handles, reading, writing, notifications
• Mapping device services and characteristics
• Interacting with BLE devices using mobile phone, command-line, various tools
• Taking control of simple, insecure devices – sex toys, key finders, …

Sniffing BLE connections using RF layer hardware

• BLE radio modulation, channels, hopping, connection initiation
• BLE link layer encryption – introduction, why is it hardly used in practice
• Sniffing hardware: Ubertooth, nRF sniffer, BtleJack, Sniffle, SDR …
• Wireshark filters, tips&tricks
• Sniffing static cleartext password of a smart lock and other devices

HCI dump - capturing own BLE traffic

• Difference from RF layer sniffing
• Linux command-line hcidump
• Android: live BLE packets analysis in Wireshark via TCP service

Device spoofing, active MITM interception

• How to perform “man in the middle” attack on BLE connections
• Available tools: GATTacker, BtleJuice, BtleJack, Mirage
• MAC address cloning, mobile OS GATT cache potential problems
• Analysing intercepted traffic
• Denial of Service attacks
• Jamming and hijacking active connections with BtleJack

Replay attacks

• Intercept transmission
• Analyse authentication protocol weakness in example smart lock
• Perform replay using tools or mobile phone, and unlock the device

Relay attacks – abusing automatic proximity features (e.g. smart lock autounlock).

Various smart locks vulnerabilities case-studies

• Attacks on proprietary authentication and protocols
• Decompile Android app, locate relevant source code fragments
• Understand proprietary BLE communication protocol – commands, data exchanged with device
• Based on example smart lock, discover protocol weakness, create exploit to open the lock without knowing current password or prior sniffing
• Exploit the vulnerability using just a mobile phone – nRF Connect macros
• Verify other vendor’s claims on “Latest PKI technology” and “military grade encryption”
• Example unlocked AT command interface via BLE service of a smart lock
• Remote access share functions and their weaknesses – how to bypass timing restrictions.
• How to create own, independent server-side API for device – based on a real smart lock vendor, which disappeared and shut the servers, effectively rendering the device e-waste

Advanced BLE MITM topics

• Hooks, data modification on the fly (example attack on mobile PoS)
• Command injection
• Upstream websocket proxy
• "Rolljam"-like attacks on single use keys
• When MITM attack does not work or is not possible – debugging, troubleshooting

Device DFU firmware update OTA services.

Bluetooth link-layer encrypted connections

• BLE pairing, bonding, encryption
• Intercepting pairing process and decoding Long Term Keys (crackLE)
• Weaknesses of simple pairing (static PIN, just works)
• How to trick a victim into re-pairing

Abusing BLE bonding trust relationships

• Analysis of Google Titan U2F token vulnerability
• Possibilities for malicious actions (e.g. change device to appear as a BLE keyboard).

Web Bluetooth – interfacing with nearby devices from javascript.

• How hard is it to hijack BLE devices from a hostile web site
• Writing new javascript interface to control own device

Bluetooth Mesh, Bluetooth 5.0 – what these technologies change and what not in terms of BLE security.

BLE Hackmelock – open-source software emulated device with multiple challenges to practice at home.

BLE best practices and security checklist – for security professionals, pentesters, vendors and developers.

NFC

Short introduction

• RFID/NFC – where do I start?
• Frequencies, card types, usage scenarios
• How to recognize card type – quick walkthrough
• Equipment, and what can you do with it – mobile phone, card reader, simple boards, Chameleon Mini, Proxmark, other hardware

UID-based access control – practical exercises on example reader + door lock

• UID-based access control – still surprisingly popular
• UID lengths, formats
• Clone Mifare UID using Android phone and “gen2” UID-changeable card, or libnfc/Proxmark and gen1 card
• How to emulate contactless cards and unlock UID-based system using just a smartphone (Android, iOS), without any additional hardware
• How to clone a card by making its picture – decoding numbers printed on cards
• Cloning other ID-based cards – Low Frequency EM41XX, HID Prox, …
• Emulate card using Proxmark, Chameleon Mini
• Brute-force – is it possible in practice to guess other cards UID?
• Countermeasures against attacks

Wiegand – wired access control transmission standard

• Sniff the data transmitted from access control reader using Raspberry Pi GPIO, ESP RFID Tool, BLE-Key, …
• Decode card UID from sniffed bytes, clone the card
• Replay card data on the wire to open lock

Mifare Ultralight

• Data structure
• Reading, cloning, emulating
• Example data stored on hotel access card
• Ultralight EV1, C

Mifare Classic & its weaknesses – practical exercises based on hotel door lock system, ski lift card, bus ticket

• Mifare Classic – data structure, access control, keys, encryption
• Default & leaked keys
• Reading & cloning card data using just a mobile phone
• Cracking keys – nested, darkside attacks
• Libnfc tools – mfoc, mfcuk, MiLazyCracker
• Cracking Mifare using Proxmark
• Attacks on EV1 “hardened” Mifare Classic
• Online attacks against reader

Reverse-engineering data stored on card - based on a real hotel system

• Recoding access control data (room number, date) stored on card by an example hotel system
• Creating hotel „emergency card” to open all the hotel doors unconditionally

Mifare DESFire – introduction, sample attack on misconfigured access control system

ISO15693/iCode SLIX

• Cloning ISO15693 UID on a “magic UID” card, unlocking smart lock
• Data of several example ski passes

HID iClass

• Cloning “legacy” / “standard security” iClass
• Attacks on iClass Elite

Hitag2 access control

• Sniffing password mode transmission between reader and tag
• Simulating Hitag2 against the reader using Proxmark

Intercepting card data from distance – building antenna, possibilities and limits.

Overview

Whether you are an Architect, Developer, Pentester, Security or DevOps Engineer, or anyone with a need to understand and manage vulnerabilities in a Cloud environment, understanding relevant hacking techniques, and how to protect yourself from them, is critical. This course covers both the theory a well as a number of modern techniques that may be used to compromise various Cloud services and infrastructure. Prior pentest/security experience is not a strict requirement, however, some knowledge of Cloud Services and familiarity with common Unix command-line syntax will be beneficial.

DAY 1

Introduction to Cloud Computing

• What is cloud
• Why cloud security matters
• Types of clouds and cloud services
• Shared responsibility model

General (Web Hacking) Knowledge

• A “leveller”, tailored to the room, ensuring everybody understands conventional web hacking techniques, to make the course accessible to all

Attacking Cloud Services

• What changes from conventional security models
• Legalities around Cloud Pentesting
• Introducing the Metadata API
• Understand the attack surface in each type of cloud
• Enumerating for cloud assets

Gaining Entry via exposed services

• Function based attacks
• Web application Attacks
• Exposed Service ports

DAY 2

Attacking specific cloud services

• Storage Enumeration and Attacks
• Identity Services
  • AWS Cognito
  • Azure Active Directory
• Containers and Kubernetes Clusters
• Financial Attacks
• Identity and Access Management
• Dormant assets

Google Dorking for resources and sensitive info

Post Exploitation

• Post access enumeration
• Snapshot stealing
• Backdooring the account
• Maintain access after the initial attack

DAY 3

Defending the Cloud Environment

• Metadata API Protection
• Monitoring and logging of the environment
• Catching attacks

Host base Defenses

• Windows server auditing
• Linux Server Auditing

Auditing and benchmarking of Cloud

• Prepare for the audit
• Automated auditing via tools
• Golden Image / Docker image audits
• Relevant Benchmarks for cloud

Continuous Security Testing of Cloud

• Continuous inventory updating by extracting a list of Assets
• Automated scans to pick changes in environment and setup

CTF

Key Takeaways

Students will gain knowledge of attacking, exploiting and defending a variety of Cloud infrastructure. First, they will play the part of the hacker, compromising serverless apps, cloud machines, storage and database services, dormant assets and resources. Students will learn privilege escalation and pivoting techniques specific to cloud environments. This is followed by Infrastructure Defense, secure configuration, auditing, logging, benchmarks. Students will learn preventive measures against cloud attacks, host-based defense and a number of cloud tools that can help in securing their services and resources.

Apply the learning to:

• Identify weaknesses in cloud deployment
• Fix the weaknesses in your cloud deployment
• Monitor your cloud environment for attacks

Who Should Take this Course

Cloud Administrators, Developers, Solutions Architects, DevOps Engineers, SOC Analysts, Penetration Testers, Network Engineers, security enthusiasts and anyone who wants to take their skills to the next level. Prior pentest experience is not a strict requirement, however, some knowledge of Cloud Services and familiarity with common command line syntax will be greatly beneficial.

Audience Skill Level

Intermediate

Student Requirements

Students must bring their own laptops and have admin/root access on it. The laptop must have a virtualization software (virtualbox / VMWare) pre-installed. A customized version of Kali Linux (ova format) containing custom tools, scripts and VPN scripts for the class will be provided to the students. The laptop should have at least 4 GB RAM and 20 GB of free disk space dedicatedly for the VM.

What Students Should Bring

See Student requirement

What Students Will Be Provided With

Access to a hacking lab not just during the course but for 30 days after the class too. This gives them plenty of time to practice the concepts taught in the class. Numerous scripts and tools will also be provided during the training, along with student handouts. Our own pre-bundled Docker Image containing all the tools needed to begin hacking/auditing/securing the Cloud.

Swag

We realise that training courses are limited for time and therefore students are also provided a complementary In.security hackpack! This includes:

• 14-day Slack support channel access where our security consultants are available
• 14-day access to a CTF platform with subnets/hosts not seen during training!
• A hard copy of the RTFM
• A Hak5 LAN Turtle

Agenda

Day 1

• Getting familiar with the MITRE ATT&CK framework
• An introduction into monitoring and alerting using our in-LAB ELK stack
• Leveraging OSINT activities
• Enumerating and targeting IPv4 and IPv6 hosts
• Remote/local Linux enumeration and living off the land
• Linux shells, post exploitation and privilege escalation
• [email protected] cracking (*nix specifics)
• Kubernetes and container security

Day 2

• Creating and executing Phishing campaigns against our simulated enterprise users
• Living off the land tricks and techniques in Windows
• [email protected] cracking (Windows specifics)
• Remote/local Windows enumeration
• Windows exploitation and privilege escalation techniques
• Windows Defender/AMSI, Tamper Protection and UAC bypasses
• RDP hijacking
• Bypassing AWL (WDAC, AppLocker, PowerShell CLM)
• Enumerating and extracting LAPS secrets

Day 3

• Lateral movement, pivoting, routing, tunnelling and SOCKS proxies
• Application enumeration and exploitation via pivots
• Abusing domain trusts
• Gaining persistence using Scheduled Tasks and WMI Event Subscriptions
• Data exfiltration over OOB channels (ICMP and DNS)
• Domain Fronting and C2

What Will Be Needed

• A laptop to which you have administrative/root access, running either Windows, Linux or Mac operating systems
• Access to VNC, SSH and OpenVPN clients (these can be installed at the start of the training)

Who Should Take This Training

• Penetration testers
• SOC analysts
• Security professionals
• IT support, administrative and network personnel

Student Requirements

• A firm familiarity of Windows and Linux command line syntax
• Understanding of networking concepts
• Previous pentesting and/or SOC experience is advantageous, but not required

Overview

The IPv6 protocol suite has been designed to accommodate the present and future growth of the Internet, by providing a much larger address space than that of its IPv4 counterpart, and is expected to be the successor of the original IPv4 protocol suite. The imminent exhaustion of the IPv4 address space has resulted in the deployment of IPv6 in many production environments, with many other organizations planning to deploy IPv6 in the short or near term.

There are a number of factors that make the IPv6 protocol suite interesting from a security standpoint. Firstly, being a new technology, technical personnel has much less confidence with the IPv6 protocols than with their IPv4 counterparts, and thus it is likely that the security implications of the protocols be overlooked when they are deployed on production networks. Secondly, IPv6 implementations are much less mature than their IPv4 counterparts, and thus it is very likely that a number of vulnerabilities will be discovered in them before their robustness matches that of the existing IPv4 implementations. Thirdly, security products such as firewalls and NIDS’s (Network Intrusion Detection Systems) usually have less support for the IPv6 protocols than for their IPv4 counterparts. Fourthly, the security implications of IPv6 transition/co-existence technologies on existing IPv4 networks are usually overlooked, potentially enabling attackers to leverage these technologies to circumvent IPv4 security controls in unexpected ways.

The imminent global deployment of IPv6 has created a global need for security professionals with expertise in the field of IPv6 security, such that the aforementioned security issues can be mitigated.

While there exist a number of training courses about IPv6 security, they either limit themselves to a high-level overview of IPv6 security, and/or fail to cover a number of key IPv6 technologies that are vital in all real IPv6 deployment scenarios. During the last few years, SI6 Networks has offered its flagship course “Hacking IPv6 Networks”, providing in-depth hands-on IPv6 security training to networking and security professionals around the world.

Hacking IPv6 Networks (version 6.0) is a renewed edition of SI6 Networks’ IPv6 security training course, with background and theoretical information reduced to a minimum, a tremendous increase in hands-on exercises, and newly incorporated materials based on recent developments in the area of IPv6 security. The training is carried out by Fernando Gont, a renowned IPv6 security researcher.

Learning Objectives

This course will provide the attendee with in-depth knowledge about IPv6 security, such that the attendee is able to evaluate and mitigate the security implications of IPv6 in production environments.

The attendee will learn – through hands-on exercises – how each IPv6 feature can be exploited for malicious purposes. Subsequently, the attendee will be presented with a number of alternatives to mitigate each of the identified vulnerabilities.

This course will employ a range of open source tools to evaluate the security of IPv6 networks, and to reproduce a number of IPv6-based attacks. During the course, the attendee will perform a large number of exercises in a network laboratory (with the assistance of the trainer), such that the concepts and techniques learned during this course are reinforced with hands-on exercises. The attendee will be required to perform a large number of IPv6 attacks, and to envision mitigation techniques for the corresponding vulnerabilities.

Who Should Attend

Network Engineers, Network Administrators, Security Administrators, Penetration Testers, and Security Professionals in general.

Participants Are Required To

Participants are required to have a good understanding of the IPv4 protocol suite (IPv4, ICMP, ARP, etc.) and of related components (routers, firewalls, etc.). Additionally, the attendee is expected to knowledge about basic IPv4 troubleshooting tools, such as: ping, traceroute, and network protocol analyzers (e.g., tcpdump). Basic knowledge of IPv6 is desirable, but not required.

What to bring

Attendees willing to perform the hands-on exercises are expected to bring a laptop with VirtualBox already installed. The minimum requirements for the laptop are: Intel i3 processor. 4GB of RAM. Ethernet and WI-FI network interface cards. At least one USB port.

Course Length

3 days

Topics covered by this course

Introduction to IPv6

• IPv4 address exhaustion
• IPv6 service
• IPv6 transition/deployment mechanisms
• IPv6: current state of affairs
• Brief comparison between IPv6 and Ipv4
• IPv6 security overview

IPv6 Addressing Architecture

• IPv6 address types
• IPv6 address analysis
• Implications for address scanning attacks & possible mitigations
• Address Scanning in the IPv6 World
• Privacy implications & possible mitigations
• Implications for end-to-end connectivity

IPv6 Header Fields

• IPv6 header overview
• Basic header fields
• Security assessment

IPv6 Extension Headers (EHs)

• General implications of EHs
• Security implications of specific IPv6 EHs
• Security implications of specific IPv6 options
• IPv6 EHs in the real world
• Exploitation of IPv6 EHs
• Troubleshooting IPv6 EHs
• Network reconnaissance with IPv6 Ehs
• Recent advances

IPsec

• Virtual Private Network (VPN) traffic leakages

Internet Control Message Protocol version 6 (ICMPv6)

• ICMPv6 error messages
• ICMPv6 informational messages
• Network reconnaissance with ICMPv6

Neighbor Discovery for IPv6

• Address resolution in IPv6
• Address resolution messages and options
• Neighbor Discovery cache
• Neighbor Discovery attacks
• Neighbor Discovery security controls
• Evasion of Neighbor Discovery security controls
• System configuration options

Stateless Address Auto-configuration (SLAAC)

• SLAAC operation
• SLAAC messages and options
• Duplicate Address Detection (DAD)
• SLAAC attacks
• DAD attacks
• SLAAC security controls
• Evasion of SLAAC security controls
• System configuration options

Dynamic Host Configuration Protocol version 6 (DHCPv6)

• Security implications of DHCPv6
• DHCPv6 attacks
• DHCPv6 security controls

Multicast Listener Discovery (MLD)

• Security implications of MLD
• MLD attacks
• MLD security controls

Upper-Layer Attacks

• TCP-based attacks
• UDP-based attacks
• Possible mitigations

DNS Support for IPv6

• Network reconnaissance
• Exploiting DNS reverse mappings

IPv6 Firewalls and Network Intrusion Detection Systems (NIDS)

• Known limitations
• IPv6 firewall configuration guidelines
• Evasion of IPv6 firewalls and NIDS

Security Implications of IPv6 for IPv4-only Networks

• IPv6 attacks on IPv4-only networks
• Mitigating IPv6 attacks on IPv4-only networks

Transition/Co-existence Technologies

• Transition/Co-existence mechanisms
• Attacks on transition/co-existence mechanisms
• Mitigations

Pentesting IPv6 Networks

• Network Reconnaissance in IPv6
• Pentesting IPv6 Networks

What previous attendants said about this training:

“I was always feeling that malware is something scary, something I can’t understand or control. Now I feel it’s not scary anymore. I can actually analyse it, understand it and control it.” by Fung Dao Ying, System Analyst in Bintulu Port Holding Berhad

LEARNING OBJECTIVES:

• Understand the lifecycle of a targeted attack and all the techniques & strategies the attackers use to penetrate an organization (Spear-phishing, drive by download … etc)
• Know what the steps to take when you discover a malware in your network.
• Perform basic static & behavioral analysis of a malware in an isolated virtualized environment
• Perform static and dynamic code analysis to determine the malware functionality using IDA Pro and Ollydbg/x64dbg
• Understand the basics of the x86 assembly language
• Learn how to detect and analyze a malicious document with embedded macros
• Learn to extract the the network and host-based indicators of compromise
• Able to analyze downloaders, droppers, keyloggers, fileless malwares, HTTP backdoors, etc.
• Perform memory forensics on an infected machine and extract the malware artifacts from its memory.

PROGRAM OUTLINE

DAY 1

APT Attacks & Malware Analysis:

• What is an APT Attack
• What are the Attack Stages?
• The APT Attack Vectors
• Types of Malware
• Why Malware Analysis
• Types of malware analysis
• Setting up an isolated lab environment

Basic Static Analysis:

• Fingerprinting the malware
• Extracting strings
• Determining File obfuscation
• Unpacking Packed Malware
• Understanding PE File characteristics
• Hands-on lab exercise involves analyzing real malware sample

Behavioral Analysis & Sandboxing:

• Understanding Behavioral Analysis tools
• Monitoring process, file system, registry and network activity
• Determining the Indicators of compromise (host and network indicators)
• Custom Sandbox Overview
• Working of Sandbox
• Sandbox Features
• Hands-on lab exercise involves analyzing real malware sample

Code Analysis & Malware Functionalities:

• Intro to code analysis
• Droppers & Downloaders
• Maintaining Persistence
• Keylogging
• Banking Trojans & Man in The Browser (MiTB)
• Point of Sale Malware (POS)
• Understanding Indication of Comprise
• Write your own YARA rule

DAY 2:

Intro To x86/x64 Assembly:

• Understanding CPU registers and assembly instructions
• Dive deeper in the assembly language and memory handling
• Reversing assembly code blocks into a higher-level language (C++)
• Dealing with local & global variables

Static & Dynamic Code Analysis In-Depth:

• Code Analysis Overview
• Disassembler & Debuggers
• Code Analysis Tools
• Basics of IDA Pro
• Basics of Ollydbg/x64dbg
• Understanding the API calls
• Inspecting API call references
• Demo: Performing static analysis with IDA Pro (Hands-on Practice)
• Demo: Performing dynamic analysis with OllyDbg (Hands-on Practice)
• Hands-on lab exercise involves analyzing real malware sample

Encryption, Packing & Obfuscation

• Understanding different encryption algorithms
• Demo: Examining RC4 encryption algorithm
• Learning 4 different manual unpacking techniques for custom unpacking
• Dissecting different obfuscation techniques
• Hands-on Practice on unpacking malware

DAY 3:

Spear-phishing Attacks with Malicious Documents:

• Examining a malicious office document packed with vbscript macros
• Examining & Dissecting malicious pdf files
• hands-on labs to examine documents packed with malicious macros (real attacks)

Investigating User-Mode Rootkits & API Hooking:

• Understanding Process Internals
• Process & Thread Environment Block Structure
• Code Injection
• Types of Code injection
• Remote DLL injection
• Remote Code injection
• Reflective DLL injection
• Hollow process injection
• API Hooking & IAT Hooking
• Hands-on lab exercise (scenario based) involves investigating malware infected memory

Memory Forensics & Volatility Overview:

• What is Memory Forensics
• Why Memory Forensics
• Steps in Memory Forensics
• Memory acquisition and tools
• Introduction to Volatility (Advanced Memory Forensics Framework)
• Volatility basic commands
• Determining the profile
• Volatility help options
• Running the plugin

Investigation Process Memory Using Volatility:

• Process memory Internals
• Listing DLLs using Volatility
• Identifying hidden DLLs
• Dumping malicious executable from memory
• Dumping DLLs from memory
• Scanning the memory for patterns (yarascan)
• Volatility plugins to identify process injections and API hooking
• Hands-on lab exercise (scenario based) involves investigating malware infected memory

Who Should Attend

This course is intended for Cyber Security investigators, Cyber Security Heads and Managers, Security Researchers, Information Technology Heads and Managers, Forensic Practitioners, Incident Responders Malware Analysts, System Administrators, Software Developers ,and security professionals who would like to expand their skills and Anyone interested in learning Malware Analysis and Memory Forensics.

Materials Provided:

• Training Prerequisite & Lab Setup Guide: a step by step guide to prepare your isolated virtualized environment for executing and analyzing malware
• Malware Analysis Lab VM (Windows 7 VM) with all required tools pre-installed. It will be provided in .ova format
• The labs/exercises samples and memory images.
• A printed copy of mastering Malware Analysis Book
• A printed copy of Malware Analysis & Reverse Engineering Workbook which includes all the exercises taught in the training with step by step solutions to them.

Delegate Requirements:

• Should be familiar with using Windows/Linux
• Should have an understanding of basic programming concepts, while programming experience is not mandatory.

Hardware/Software Requirements:

• Laptop with minimum 8GB RAM and 80GB free hard disk space
• Laptop with USB ports, lab samples, and custom Linux VM will be shared via USB sticks
• VMware Workstation or VMware Fusion (even trial versions can be used).
• Delegates must have full administrator access for the Windows operating system.

Note: VMware player or Virtual Box is not suitable for this training.

Course Syllabus

DAY 1: - Setting up laboratory scenario - Incident Response vs Threat Hunting - ATT&CK Framework, who are you? - Live Response and triage - Malware evasion techniques - Malware persistence techniques - WMIC & PowerShell forensics - Principles of Memory forensics - Investigating Lateral Movement - NTFS forensics

DAY 2: - Windows Forensics in-depth - Prefetch files analysis - Shimcache analysis - Amcache analysis - LNK analysis - Evt/Evtx analysis - Timeline analysis - Anti-forensics detection - Write custom YARA Rules - How to write a good report

Keywords

Incident Response, Digital Forensics, Threat Intelligence, Windows Forensics, Memory Forensics

Student Prerequisites

Basic forensics and windows knowledge

Material to bring by attendees

Laptop with a virtualization software installed (Virtual Box or VMWare), WiFi connection, 4+ GB of RAM, USB port (for pendrive), at least 40+ GB of free space on the hard disk

Who Should Attend

Pentesters, bug bounty researchers, app makers or just curious

Key Learning Objectives

• Understanding common mobile vulnerabilities
• Understanding Android and iOS basics
• Understanding of the OWASP MSTG (Mobile Security Testing Guide) and the MASVS (Mobile Application Security Verification Standard)
• Know how to build an Android and iOS pentest toolset

Prerequisite Knowledge

• Basic knowledge of linux/network/security

Hardware / Software Requirements

• Laptop and min 8Go RAM and 60Go of space available
• VMware

Agenda

Day 1

iOS Hacking

• Basics
  • Security features
  • iOS architecture
  • Jailbreaks
  • Tools
  • iOS virtualization with Corellium
  • Test apps and real ones
• Static analysis
  • Code checks
  • Needle and MobSF

Android Hacking

• Basics
  • Android Ecosystem
  • APK Architecture
  • Android Manifest
  • Tools needed
• Static Analysis
  • Decompilation
  • Information Gathering
  • IPC
  • Access Control
  • Hardcoding Secrets

Day 2

iOS Hacking

• Dynamic Analysis
  • Caching
  • Logs
  • Backups
  • Plist
  • SQLite
  • Hooking with Cycript
  • Hooking with Frida
  • Objection

Android Hacking

• Dynamic Analysis
  • LogCat
  • Network Communication
  • Certificate Pinning
  • Data Storage
  • Code Tampering

Day 3

iOS Hacking

• Dynamic Analysis
  • Analyze without a jailbreak
• Network Security
  • MiTM all the traffic
  • Rvictl, Wireshark and Burpsuite
• Bonus (Totally not spyware / CVE-2018-4233)
  • Metasploit

Android Hacking

• Dynamic Analysis
  • Debugging
  • Hooking with Frida

Why this ICS course?

This course goes far beyond what other offensive ICS courses offer. We don't teach using simulators or non-industrial hardware but bring you a full functioning factory with +30 industrial hardware devices including PLCs, Remote IO, HMIs, Remote gateways, routers, switches,.. from 10 different vendors including the European market leaders. This is all programmed, configured and networked as a functioning industrial plant to give trainees real hands-on experience that will benefit them in the field! This is the closest you can get to hacking a real factory!

This training will be hosted by the industrial control and communication competence center (IC4), a collaboration between the university of Ghent’s industrial automation research lab and the security and privacy research group from Howest university College in Belgium. By combining the expertise of these two groups, IC4 has an extensive track record in offering industrial security education and services for SME’s, large multinationals and government institutions.

What to expect

Attendees will be expected to have some basic IT pentesting knowledge since we won't cover the basics but dive directly into control systems. The course is mainly focused on expanding the knowledge of existing auditors and bringing them into the field of OT security. After completion, the trainees will have a better understanding of all ICS architectures and components, their purpose and the associated risks. They will be able to audit industrial control systems using native industrial protocols to limit the impact of the audit on the network and learn techniques to find vulnerabilities and bugs in industrial devices and protocols.

Course outline

Day 1

1. Introduction to Industrial Control Systems
   • Terms & Definitions
   • Generic Architecture
   • Abbreviated History
   • Safety
2. PLC programming 101
   • Basic building block of a PLC
   • PLC programming languages
   • Hands-on with Siemens TIA portal
3. Scanning ICS
   • General Guidelines
   • Scanning techniques for siemens, Phoenix Contact, Beckhoff, Schneider, eWON,…
   • Hands-on with the fictile factory
4. Industrial communications
   • IT vs OT networks
   • Ethernet based ICS protocols
   • Hands-on (live sniffing + packet captures)

Day 2

1. Industrial network & system enumeration
   • Speaking industrial protocols introduction
   • Fieldbus protocols (ModbusTCP, Profinet, Ethercat)
   • Higher level data protocols (OPC, OPC UA)
   • Proprietary vendor protocols (S7comm, Phoenix contact TCP/1962, Beckhoff ADS)
   • Open-Source tools and scripts
   • Hands-on with the fictile factory
2. Exploiting industrial control systems
   • Introduction
   • Reversing proprietary industrial protocols
   • Hands-on with the fictile factory
3. Kiosk escape
   • Operator jails
   • Common techniques
   • Applocker
   • Hands-on with the fictile factory
4. (BONUS) Software defined radio introduction
   • Introduction into radio communications
   • Capturing and decoding analogue communication
   • Capturing and decoding digital communication

Hardware / Software Requirements

A laptop with:

1. 8GB of RAM at least, ideally 16GB
2. 30Gb of free space (to install a VM that we’ll provide)
3. RJ45 port or ethernet dongle
4. Administrative privileges on your laptop
5. VMware Player (ideally VMware Workstation)
6. A PDF reader

Day 1

## Module 1

Introduction

Physical intrusion vectors

• Social Engineering
• Climbing
• Access opening

Discover physical security

• The different types of locks
• How they work
• How to identify them

Introduction to scenarios

• Casual intruder (opportunist)
• Organized burglar team
• Industrial espionage

## Module 2 Wafer locks and tubular locks opening

Wafer locks

• Identification
• Lockpicking
• Decoding
• Jigglers

Tubular locks

• Identification
• Self-impressioning
• Lockpicking

Day 2

## Module 3 Combination padlocks and key boxes

• Identification
• Shims (on compatible models)
• Decoding
• Blade bypass (on compatible models)

Keyed padlocks

• Lockpicking
• Combs
• Shims (on compatible models)
• Blade bypass (on compatible models)

Module 4 Pin tumbler locks lockpicking

Raking

• Specific tools
• The technique
• Tips and tricks

Single Pin Picking

• Specific tools
• The technique
• Tips and tricks

Lockpick guns

• Mechanical PickGun
• Electronic PickGun
• Specific tensioners

Day 3

Module 5 The Key vector

Key duplication

• By molding
• With a file
• From a picture
• Special techniques

Bumpkeys

• Identification
• Fabrication
• Different techniques (push/pull)

Keyed Alike locks * Finding the key of your target

Module 6 The Door vector

Non Destructive Opening of the door

• Day-latched door opening
• From the latch
• From the handle
• From the bottom
• Exit only doors

Module 7 RF and RFID introduction

RF

• Identify and attack easily the least protected systems

RFID

• Identify and attack easily the least protected systems

Module 8

Conclusion

Flaws

· Flaws summary

Tools and techniques summary

Possible protections

• Summary of possible protections

Homework

• How to practice and develop your skills after the training

Legal stuff

• Don't go to jail!

Summary

Day 1 - Basics

Day 1 is an introduction to radio that will help students to learn it's concepts and the techniques used today to receive and transmit signal, but also the constraints that we have to deal with in heterogeneous environments:

Introduction to radio

• History, evolution, and EU regulations
• Radio waves
• Digital Signal Processing
• Software-Defined Radio
• Antennas
• Amplifiers and connectors

Software-Defined Radio devices

• Specifications
• How to choose them
• Few tips and hacks

Observations

• Waterfall and spectrum analyzers
• Signal identification
• Modulation/Demodulation
• Encoding/Decoding

Faraday cages and how to design a very cheap one Use of attenuators and software gain parameters

Day 2 - Hands on radio

Day 2 will put the student in the playground of Software-Defined Radio, where every idea can be written to be simulated and then concretized to realize receivers and transmitters depending on the chosen hardware limitations:

Introduction du GnuRadio Software-Defined Radio processing in the chain Practice with GnuRadio Companion

• Block schemas
• Parameters
• Generators
• Sinks and sources
• Operators
• Simulations
• Modules
• Executing a block in a real SDR device
• Listening to simple AM and FM signals
• Transferring a simple signal
• Optimizing samples processing
• Features to process samples
• Creating your own block

Investigation and handy tools

Day 3 - Attacking physical intrusion systems

Day 3 resumes and applies previous chapters to study physical intrusion systems and brings useful tricks for Red Team tests as well as pentests:

Common sub-GHz Remotes

• Introduction
• Capturing data
• Replaying saved samples
• Analyzing samples (manually and with powerful tools)
• Rolling codes security

Devices using the mobile network (2G/3G/4G)

• Introduction
• Monitoring
• Mobile security
• Existing tools
• Interception techniques
• Our feedback in missions
• Tooling with GnuRadio
• Fuzzing and triggering bugs with 2G, 3G and 4G protocol stacks over-the-air

Hardware Hacking

• Introduction and how it could be complementary
• Survival and practical reflexes
• Cheap tools and tricks

Attacking Custom devices

• Introduction
• Identification (looking at device's references, components, etc.)
• Sniffing signals
• Decoding signals

Some feedbacks on connected locks

Class requirement

• Knowledge of Linux and a programming language such as C, C++, C# or Python is necessary.
• Understanding of pentesting (network and applications) or red-teaming
• All attendees will need to bring a laptop capable of running VMware virtual machine (8GB of RAM is a minimum)
• Basic knowledge of radio is not mandatory but is a plus

The training

The training will provide strong feedback and techniques when attacking radio devices in non-perfect environment and ways to succeed your pentests or red team tests. Student will also get hardware to play at home including a SDR to transmit and receive signal and RF transmitter that could be customized and continue to practice after the training.

Resources of the trainer

• A lot of resources can be found in this link : https://www.synacktiv.com/en/resources.html
• In January, other resources will be also provided at : https://www.penthertz.com

Prerequisites

A detailed understanding of Windows is not required to attend the training, however a basic familiarity with the windows command line (cmd/PowerShell), the Sysinternals Suite and certain concepts such as schedule tasks, services and UAC will be greatly beneficial.

Target audience

Members of the red & blue team, penetration testers, system administrators, SOC analysts and security enthusiasts.

Materials to bring by attendees

• A laptop with either VMWare or VirtualBox installed.
• Enough system resources to run x2 virtual machines simultaneously.
• 30GB free hard disk space.

Course Syllabus

Day 1

Breakout

• Desktop lockdown (Group Policy/SRP)
• Getting an explorer window
• Folder/File restrictions
• Native/custom command line interfaces
• Breaking Kiosks and Citrix environments
• Bypassing AppLocker/DeviceGuard restrictions

Privilege Escalation

• Enumeration
• Configuration weaknesses
• Missing patches
• Scheduled tasks
• Services
• Unattended installations
• DLL hijacking
• Abusing token privileges

Day 2

User Account Control

• What is UAC and how does it work
• Auto-elevation
• WUSA/IFileOperation
• Process Status API
• Windows Side-By-Side Assembly
• COM handlers
• Creating proxy DLL’s
• Fileless UAC bypass
• Environment variables
• Race conditions
• Abusing process tokens
• Bypassing “Always Notify”

Persistence

• Using the registry
• Scheduled tasks
• Manipulating File Associations
• WMI Permanent Event Subscriptions
• Binary patching
• Application Compatibility Shims
• COM Handler Hijacking
• Leveraging Office and Outlook
• Evasion (ADS/corrupted NTFS folder structures/processor variables)