Overview

This class talks about a wealth of hacking techniques to compromise web applications, APIs, cloud components and other associated end-points. This class focuses on specific areas of appsec and on advanced vulnerability identification and exploitation techniques (especially server side flaws). The class allows attendees to practice some neat, new and ridiculous hacks which affected real life products and have found a mention in real bug-bounty programs. The vulnerabilities selected for the class either typically go undetected by modern scanners or the exploitation techniques are not so well known.

Note: This is a medium paced class and attendees are expected to have a basic understanding of common web vulnerabilities and attacks. Attendees will also benefit from a state-of-art Hacklab and we will be providing free 30 days lab access after the class to allow attendees more practice time.

The following is the course outline:

Day 1:

Authentication Attacks

• Logical Bypass / Boundary Conditions
• Token Hijacking attacks
• Attacking SSO
• SAML / OAuth 2.0 / JWT Attacks
• SAML Authentication and Authorization Bypass

Advanced XXE Attacks

• XXE through SAML
• XXE in file parsing
• XXE Exploitation over OOB channels

Breaking Crypto

• Known Plaintext Attack (Faulty Password Reset)
• Path Traversal using Padding Oracle
• Hash length extension attacks
• Auth Bypass using Pre-shared MachineKey

Complex Business Logic Flaws / Authorization flaws

• Mass Assignment bugs
• Invite/Promo Code Bypass
• Replay Attack
• Second Order IDOR attack
• HTTP Parameter Pollution (HPP)

Day 2 :

Server-Side Request Forgery (SSRF)

• SSRF to call internal files
• SSRF to exploit templates and extensions

SQL Injection Masterclass

• 2nd Order Injection
• Out-of-Band exploitation
• SQLi through crypto
• OS code exec via Powershell
• Advance SQLMAP Usage with eval option
• Data Exfiltration over DNS via SQLi
• Introspection based attacks in GraphQL

Remote Code Execution (RCE)

• Java Serialization Attacks
• Net Serialization Attack
• PHP object injection
• Ruby/ERB template injection

Day 3:

Attacking the Cloud

• SSRF Exploitation
• Serverless exploitation
• Google Dorking in the Cloud Era
• Cognito misconfiguration to data exfiltration
• Various Case Studies

Tricky File Uploads

• Malicious File Extensions
• Circumventing File validation checks

Attacking Hardened CMS

• Identifying and attacking various CMS
• Attacking Hardened Wordpress, Joomla, and Sharepoint

Miscellaneous Topics - A Collection of weird and wonderful XSS and CSRF attacks - Attack Chaining

B33r 101

KEY TAKEAWAYS

• The latest hacks in the world of web hacking. The class content has been carefully handpicked to focus on some neat, new and ridiculous attacks.

• We provide a custom kali image for this class. The custom kali image has been loaded with a number of plugins and tools (some public and some NotSoPublic) and these aid in quickly identifying and exploiting vulnerabilities discussed during the class.

• The class is taught by a real pentester and the real-world stories shared during the class help attendees in putting things into perspective.

WHO SHOULD TAKE THIS COURSE

• Web developers
• SOC analysts
• Intermediate level penetration testers
• DevOps engineers, network engineers
• Security architects
• Security enthusiasts
• Anyone who wants to take their skills to the next level.

AUDIENCE SKILL LEVEL

Intermediate/Advanced

STUDENT REQUIREMENTS

Students must bring their own laptop and have admin/root access on it. The laptop must have a virtualization software (virtualbox / VMWare) pre installed. A customized version of Kali Linux (ova format) containing custom tools, scripts and VPN scripts for the class will be provided to the students. The laptop should have at least 4 GB RAM and 20 GB of free disk space dedicatedly for the VM.

Users are also encouraged to familiarize themselves with Burp Suite https://portswigger.net/burp/communitydownload to gain maximum out of the class.

WHAT STUDENTS SHOULD BRING

See student requirement

WHAT STUDENTS WILL BE PROVIDED WITH

Access to a hacking lab not just during the course but for 30 days after the class too. This gives them plenty of time to practice the concepts taught in the class. Numerous scripts and tools will also be provided during the training, along with student handouts.

Our courses also come with detailed answer sheets. That is a step by step walkthrough of how every exercise within the class needs to be solved. These answer sheets are also provided to students at the end of the class.

Overview

Modern web applications are complex and it’s all about full-stack nowadays. That’s why you need to dive into full-stack exploitation if you want to master web attacks and maximize your payouts. Say ‘No’ to classical web application hacking. Join this unique hands-on training and become a full‑stack exploitation master.

Watch 3 exclusive videos (~1 hour) and feel the taste of this live online training. Schedule a FREE Zoom meeting with the instructor (30 minutes) and learn more about this live online training.

Key Learning Objectives

After completing this training, you will have learned about:

• REST API hacking
• AngularJS-based application hacking
• DOM-based exploitation
• bypassing Content Security Policy
• server-side request forgery
• browser-dependent exploitation
• DB truncation attack
• NoSQL injection
• type confusion vulnerability
• exploiting race conditions
• path-relative stylesheet import vulnerability
• reflected file download vulnerability
• subdomain takeover
• XML attacks
• deserialization attacks
• HTTP parameter pollution
• bypassing XSS protection
• clickjacking attack
• window.opener tabnabbing attack
• RCE attacks
• and more…

Watch 3 exclusive videos (~1 hour) and feel the taste of this live online training.

Schedule a FREE Zoom meeting with the instructor (30 minutes) and learn more about this live online training.

What Students Will Receive

Students will be handed in a VMware image with a specially prepared testing environment to play with the bugs. What’s more, this environment is self-contained and when the training is over, students can take it home (after signing a non-disclosure agreement) to hack again at their own pace.

Special Bonus

The ticket price includes FREE access to Dawid Czagan’s 6 online courses:

• Start Hacking and Making Money Today at HackerOne
• Keep Hacking and Making Money at HackerOne
• Case Studies of Award-Winning XSS Attacks: Part 1
• Case Studies of Award-Winning XSS Attacks: Part 2
• DOUBLE Your Web Hacking Rewards with Fuzzing
• How Web Hackers Make BIG MONEY: Remote Code Execution

What Students Say About This Training

This training has been very well-received by students around the world. Here you can see testimonials.

What Students Should Know

To get the most of this training intermediate knowledge of web application security is needed. Students should be familiar with common web application vulnerabilities and have experience in using a proxy, such as Burp Suite Proxy, or similar, to analyze or modify the traffic.

What Students Should Bring

Students will need a laptop with 64-bit operating system, at least 4 GB RAM (8 GB preferred), 35 GB free hard drive space, USB port (2.0 or 3.0), wireless network adapter, administrative access, ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running 64-bit VMs (BIOS settings changes may be needed). Please also make sure that you have Internet Explorer 11 installed on your machine or bring an up-and-running VM with Internet Explorer 11 (you can get it here).

Who should attend

• Pentesters, security professionals, red teamers, researchers
• BLE/NFC device designers, developers
• Anyone interested

Key learning objectives

• In-depth knowledge of Bluetooth Low Energy, common implementation pitfalls, device assessment process and best practices
• Ability to identify vulnerable access control systems, clone cards and reverse-engineer data stored on card

Prerequisite knowledge

• Basic familiarity with Linux command-line
• Scripting skills, pentesting experience, Android mobile applications security background will be an advantage, but is not crucial
• No prior knowledge of Bluetooth Low Energy nor NFC is required

Hardware/software requirements

• Contemporary laptop capable of running Kali Linux in virtual machine (VirtualBox or VMWare), and at least two USB ports available for VM guest
• Android smartphone with BLE and NFC support will be very helpful
• You can bring your own BLE device or access control card to check its security

Each student will receive

• Course materials in PDFs (over 2000 pages)
• All required additional files: source code, documentation, installation binaries, virtual machine images on a pendrive

• Take-away hardware pack for hands-on exercises consisting of:

  • Proxmark 3 with latest firmware
  • Multiple RFID/NFC tags for cracking and cloning, including “Chinese magic UID”, T5577, Ultralight, HID Prox, iClass, EV1, Mifare Classic with various content (bus ticket, hotel, e-wallet, …)
  • NFC PN532 board (libnfc)
  • Raspberry Pi 3 (+microSD card and 3.1A power adapter), with assessment tools and Hackmelock installed for further hacking at home.
  • Bluetooth Smart hardware sniffer (nRF, BtleJack) based on nrf51822 module
  • Individual BLE device to attack running on development kit (including source code)
  • ST-Link V2 SWD debugger for programming nRF boards
  • 2 Bluetooth Low Energy USB dongles

Detailed agenda

Bluetooth Smart (Low Energy)

Theory introduction

• What is Bluetooth Smart/Low Energy/4.0, how it is different from previous Bluetooth versions?
• Usage scenarios, prevalence in IoT devices
• Protocol basics
• Required hardware for BLE assessment

BLE advertisements

• Scanning for visible devices, hcitool, bleah, bettercap, Mirage, GATTacker, …
• Beacons: iBeacon, Eddystone, Physical Web
• Simulating beacons – using mobile phone, Linux scripts, other devices.
• How to get free beer by abusing beacon-based reward application
• "Encrypted" beacons, abusing weaknesses in beacon management control protocols
• BLE advertisements of Microsoft and Apple devices (user tracking, decoding of current status/phone number)
• Advertisement spoofing – Denial of Service, device impersonation

BLE connections

• Central vs peripheral device
• GATT – services, characteristics, descriptors, handles, reading, writing, notifications
• Mapping device services and characteristics
• Interacting with BLE devices using mobile phone, command-line, various tools
• Taking control of simple, insecure devices – sex toys, key finders, …

Sniffing BLE connections using RF layer hardware

• BLE radio modulation, channels, hopping, connection initiation
• BLE link layer encryption – introduction, why is it hardly used in practice
• Sniffing hardware: Ubertooth, nRF sniffer, BtleJack, Sniffle, SDR …
• Wireshark filters, tips&tricks
• Sniffing static cleartext password of a smart lock and other devices

HCI dump - capturing own BLE traffic

• Difference from RF layer sniffing
• Linux command-line hcidump
• Android: live BLE packets analysis in Wireshark via TCP service

Device spoofing, active MITM interception

• How to perform “man in the middle” attack on BLE connections
• Available tools: GATTacker, BtleJuice, BtleJack, Mirage
• MAC address cloning, mobile OS GATT cache potential problems
• Analysing intercepted traffic
• Denial of Service attacks
• Jamming and hijacking active connections with BtleJack

Replay attacks

• Intercept transmission
• Analyse authentication protocol weakness in example smart lock
• Perform replay using tools or mobile phone, and unlock the device

Relay attacks – abusing automatic proximity features (e.g. smart lock autounlock).

Various smart locks vulnerabilities case-studies

• Attacks on proprietary authentication and protocols
• Decompile Android app, locate relevant source code fragments
• Understand proprietary BLE communication protocol – commands, data exchanged with device
• Based on example smart lock, discover protocol weakness, create exploit to open the lock without knowing current password or prior sniffing
• Exploit the vulnerability using just a mobile phone – nRF Connect macros
• Verify other vendor’s claims on “Latest PKI technology” and “military grade encryption”
• Example unlocked AT command interface via BLE service of a smart lock
• Remote access share functions and their weaknesses – how to bypass timing restrictions.
• How to create own, independent server-side API for device – based on a real smart lock vendor, which disappeared and shut the servers, effectively rendering the device e-waste

Advanced BLE MITM topics

• Hooks, data modification on the fly (example attack on mobile PoS)
• Command injection
• Upstream websocket proxy
• "Rolljam"-like attacks on single use keys
• When MITM attack does not work or is not possible – debugging, troubleshooting

Device DFU firmware update OTA services.

Bluetooth link-layer encrypted connections

• BLE pairing, bonding, encryption
• Intercepting pairing process and decoding Long Term Keys (crackLE)
• Weaknesses of simple pairing (static PIN, just works)
• How to trick a victim into re-pairing

Abusing BLE bonding trust relationships

• Analysis of Google Titan U2F token vulnerability
• Possibilities for malicious actions (e.g. change device to appear as a BLE keyboard).

Web Bluetooth – interfacing with nearby devices from javascript.

• How hard is it to hijack BLE devices from a hostile web site
• Writing new javascript interface to control own device

Bluetooth Mesh, Bluetooth 5.0 – what these technologies change and what not in terms of BLE security.

BLE Hackmelock – open-source software emulated device with multiple challenges to practice at home.

BLE best practices and security checklist – for security professionals, pentesters, vendors and developers.

NFC

Short introduction

• RFID/NFC – where do I start?
• Frequencies, card types, usage scenarios
• How to recognize card type – quick walkthrough
• Equipment, and what can you do with it – mobile phone, card reader, simple boards, Chameleon Mini, Proxmark, other hardware

UID-based access control – practical exercises on example reader + door lock

• UID-based access control – still surprisingly popular
• UID lengths, formats
• Clone Mifare UID using Android phone and “gen2” UID-changeable card, or libnfc/Proxmark and gen1 card
• How to emulate contactless cards and unlock UID-based system using just a smartphone (Android, iOS), without any additional hardware
• How to clone a card by making its picture – decoding numbers printed on cards
• Cloning other ID-based cards – Low Frequency EM41XX, HID Prox, …
• Emulate card using Proxmark, Chameleon Mini
• Brute-force – is it possible in practice to guess other cards UID?
• Countermeasures against attacks

Wiegand – wired access control transmission standard

• Sniff the data transmitted from access control reader using Raspberry Pi GPIO, ESP RFID Tool, BLE-Key, …
• Decode card UID from sniffed bytes, clone the card
• Replay card data on the wire to open lock

Mifare Ultralight

• Data structure
• Reading, cloning, emulating
• Example data stored on hotel access card
• Ultralight EV1, C

Mifare Classic & its weaknesses – practical exercises based on hotel door lock system, ski lift card, bus ticket

• Mifare Classic – data structure, access control, keys, encryption
• Default & leaked keys
• Reading & cloning card data using just a mobile phone
• Cracking keys – nested, darkside attacks
• Libnfc tools – mfoc, mfcuk, MiLazyCracker
• Cracking Mifare using Proxmark
• Attacks on EV1 “hardened” Mifare Classic
• Online attacks against reader

Reverse-engineering data stored on card - based on a real hotel system

• Recoding access control data (room number, date) stored on card by an example hotel system
• Creating hotel „emergency card” to open all the hotel doors unconditionally

Mifare DESFire – introduction, sample attack on misconfigured access control system

ISO15693/iCode SLIX

• Cloning ISO15693 UID on a “magic UID” card, unlocking smart lock
• Data of several example ski passes

HID iClass

• Cloning “legacy” / “standard security” iClass
• Attacks on iClass Elite

Hitag2 access control

• Sniffing password mode transmission between reader and tag
• Simulating Hitag2 against the reader using Proxmark

Intercepting card data from distance – building antenna, possibilities and limits.

We realise that training courses are limited for time and therefore students are also provided with the following:

• Completion certificate
• 14-day extended LAB access after the course finishes
• 14-day access to a CTF platform with subnets/hosts not seen during training!
• Discord support channel access where our security consultants are available Hacking Enterprises

Agenda:

Day 1

• MITRE ATT&CK framework
• Overview on using the in-LAB ELK stack
• Offensive OSINT
• Enumerating and exploiting IPv6 targets
• Pivoting, routing, tunnelling and SOCKS proxies
• Application enumeration and exploitation via pivots
• Linux living off the land and post exploitation
• Kubernetes and container security

Day 2

• Exploitative phishing against our simulated enterprise users
• Living off the land tricks and techniques in Windows
• [email protected] and [email protected] cracking
• Windows exploitation and privilege escalation techniques
• Windows Defender/AMSI and UAC bypasses
• Situational awareness and domain reconnaissance
• RDP hijacking

Day 3

• Bypassing AWL (AppLocker, PowerShell CLM and Group Policy)
• Extracting LAPS secrets
• Lateral movement for domain trust exploitation
• WMI Event Subscriptions for persistence
• Out of Band (OOB) data exfiltration
• Domain Fronting and C2

Who Should Attend:

This training is suited to a variety of students, including:

• Penetration testers / Red Team operators
• SOC analysts
• Security professionals
• IT Support, administrative and network personnel

Prerequisite Knowledge:

• A firm familiarity of Windows and Linux command line syntax
• Understanding of networking concepts
• Previous pentesting and/or SOC experience is advantageous, but not required

Hardware / Software Requirements:

• Students will need to bring a laptop to which they have administrative/root access, running either Windows, Linux or Mac operating systems
• Students will need to have access to VNC, SSH and OpenVPN clients on their laptop (these can be installed at the start of the training)

Previous Training Locations: The 2019 and 2020 releases of this training have been given at the following conferences.

• Black Hat Asia (Virtual – September 2020)
• Wild West Hackin’ Fest (Virtual - September 2020)
• Black Hat USA (Virtual – August 2020)
• BruCon Spring Training (Virtual - June 2020)
• Wild West Hackin’ Fest (Virtual - March 2020)
• 44CON (UK - June 2019)
• Nolacon (USA - May 2019)
• Wild West Hackin’ Fest (USA - October 2019)

Overview

The IPv6 protocol suite has been designed to accommodate the present and future growth of the Internet, by providing a much larger address space than that of its IPv4 counterpart, and is expected to be the successor of the original IPv4 protocol suite. The imminent exhaustion of the IPv4 address space has resulted in the deployment of IPv6 in many production environments, with many other organizations planning to deploy IPv6 in the short or near term.

There are a number of factors that make the IPv6 protocol suite interesting from a security standpoint. Firstly, being a new technology, technical personnel has much less confidence with the IPv6 protocols than with their IPv4 counterparts, and thus it is likely that the security implications of the protocols be overlooked when they are deployed on production networks. Secondly, IPv6 implementations are much less mature than their IPv4 counterparts, and thus it is very likely that a number of vulnerabilities will be discovered in them before their robustness matches that of the existing IPv4 implementations. Thirdly, security products such as firewalls and NIDS’s (Network Intrusion Detection Systems) usually have less support for the IPv6 protocols than for their IPv4 counterparts. Fourthly, the security implications of IPv6 transition/co-existence technologies on existing IPv4 networks are usually overlooked, potentially enabling attackers to leverage these technologies to circumvent IPv4 security controls in unexpected ways.

The imminent global deployment of IPv6 has created a global need for security professionals with expertise in the field of IPv6 security, such that the aforementioned security issues can be mitigated.

While there exist a number of training courses about IPv6 security, they either limit themselves to a high-level overview of IPv6 security, and/or fail to cover a number of key IPv6 technologies that are vital in all real IPv6 deployment scenarios. During the last few years, SI6 Networks has offered its flagship course “Hacking IPv6 Networks”, providing in-depth hands-on IPv6 security training to networking and security professionals around the world.

Hacking IPv6 Networks (version 6.0) is a renewed edition of SI6 Networks’ IPv6 security training course, with background and theoretical information reduced to a minimum, a tremendous increase in hands-on exercises, and newly incorporated materials based on recent developments in the area of IPv6 security. The training is carried out by Fernando Gont, a renowned IPv6 security researcher.

Learning Objectives

This course will provide the attendee with in-depth knowledge about IPv6 security, such that the attendee is able to evaluate and mitigate the security implications of IPv6 in production environments.

The attendee will learn – through hands-on exercises – how each IPv6 feature can be exploited for malicious purposes. Subsequently, the attendee will be presented with a number of alternatives to mitigate each of the identified vulnerabilities.

This course will employ a range of open source tools to evaluate the security of IPv6 networks, and to reproduce a number of IPv6-based attacks. During the course, the attendee will perform a large number of exercises in a network laboratory (with the assistance of the trainer), such that the concepts and techniques learned during this course are reinforced with hands-on exercises. The attendee will be required to perform a large number of IPv6 attacks, and to envision mitigation techniques for the corresponding vulnerabilities.

Who Should Attend

Network Engineers, Network Administrators, Security Administrators, Penetration Testers, and Security Professionals in general.

Participants Are Required To

Participants are required to have a good understanding of the IPv4 protocol suite (IPv4, ICMP, ARP, etc.) and of related components (routers, firewalls, etc.). Additionally, the attendee is expected to knowledge about basic IPv4 troubleshooting tools, such as: ping, traceroute, and network protocol analyzers (e.g., tcpdump). Basic knowledge of IPv6 is desirable, but not required.

What to bring

Attendees willing to perform the hands-on exercises are expected to bring a laptop with VirtualBox already installed. The minimum requirements for the laptop are: Intel i3 processor. 4GB of RAM. Ethernet and WI-FI network interface cards. At least one USB port.

Course Length

3 days

Topics covered by this course

Introduction to IPv6

• IPv4 address exhaustion
• IPv6 service
• IPv6 transition/deployment mechanisms
• IPv6: current state of affairs
• Brief comparison between IPv6 and Ipv4
• IPv6 security overview

IPv6 Addressing Architecture

• IPv6 address types
• IPv6 address analysis
• Implications for address scanning attacks & possible mitigations
• Address Scanning in the IPv6 World
• Privacy implications & possible mitigations
• Implications for end-to-end connectivity

IPv6 Header Fields

• IPv6 header overview
• Basic header fields
• Security assessment

IPv6 Extension Headers (EHs)

• General implications of EHs
• Security implications of specific IPv6 EHs
• Security implications of specific IPv6 options
• IPv6 EHs in the real world
• Exploitation of IPv6 EHs
• Troubleshooting IPv6 EHs
• Network reconnaissance with IPv6 Ehs
• Recent advances

IPsec

• Virtual Private Network (VPN) traffic leakages

Internet Control Message Protocol version 6 (ICMPv6)

• ICMPv6 error messages
• ICMPv6 informational messages
• Network reconnaissance with ICMPv6

Neighbor Discovery for IPv6

• Address resolution in IPv6
• Address resolution messages and options
• Neighbor Discovery cache
• Neighbor Discovery attacks
• Neighbor Discovery security controls
• Evasion of Neighbor Discovery security controls
• System configuration options

Stateless Address Auto-configuration (SLAAC)

• SLAAC operation
• SLAAC messages and options
• Duplicate Address Detection (DAD)
• SLAAC attacks
• DAD attacks
• SLAAC security controls
• Evasion of SLAAC security controls
• System configuration options

Dynamic Host Configuration Protocol version 6 (DHCPv6)

• Security implications of DHCPv6
• DHCPv6 attacks
• DHCPv6 security controls

Multicast Listener Discovery (MLD)

• Security implications of MLD
• MLD attacks
• MLD security controls

Upper-Layer Attacks

• TCP-based attacks
• UDP-based attacks
• Possible mitigations

DNS Support for IPv6

• Network reconnaissance
• Exploiting DNS reverse mappings

IPv6 Firewalls and Network Intrusion Detection Systems (NIDS)

• Known limitations
• IPv6 firewall configuration guidelines
• Evasion of IPv6 firewalls and NIDS

Security Implications of IPv6 for IPv4-only Networks

• IPv6 attacks on IPv4-only networks
• Mitigating IPv6 attacks on IPv4-only networks

Transition/Co-existence Technologies

• Transition/Co-existence mechanisms
• Attacks on transition/co-existence mechanisms
• Mitigations

Pentesting IPv6 Networks

• Network Reconnaissance in IPv6
• Pentesting IPv6 Networks

What previous attendants said about this training:

“I was always feeling that malware is something scary, something I can’t understand or control. Now I feel it’s not scary anymore. I can actually analyse it, understand it and control it.” by Fung Dao Ying, System Analyst in Bintulu Port Holding Berhad

LEARNING OBJECTIVES:

• Understand the lifecycle of a targeted attack and all the techniques & strategies the attackers use to penetrate an organization (Spear-phishing, drive by download … etc)
• Know what the steps to take when you discover a malware in your network.
• Perform basic static & behavioral analysis of a malware in an isolated virtualized environment
• Perform static and dynamic code analysis to determine the malware functionality using IDA Pro and Ollydbg/x64dbg
• Understand the basics of the x86 assembly language
• Learn how to detect and analyze a malicious document with embedded macros
• Learn to extract the the network and host-based indicators of compromise
• Able to analyze downloaders, droppers, keyloggers, fileless malwares, HTTP backdoors, etc.
• Perform memory forensics on an infected machine and extract the malware artifacts from its memory.

PROGRAM OUTLINE

DAY 1

APT Attacks & Malware Analysis:

• What is an APT Attack
• What are the Attack Stages?
• The APT Attack Vectors
• Types of Malware
• Why Malware Analysis
• Types of malware analysis
• Setting up an isolated lab environment

Basic Static Analysis:

• Fingerprinting the malware
• Extracting strings
• Determining File obfuscation
• Unpacking Packed Malware
• Understanding PE File characteristics
• Hands-on lab exercise involves analyzing real malware sample

Behavioral Analysis & Sandboxing:

• Understanding Behavioral Analysis tools
• Monitoring process, file system, registry and network activity
• Determining the Indicators of compromise (host and network indicators)
• Custom Sandbox Overview
• Working of Sandbox
• Sandbox Features
• Hands-on lab exercise involves analyzing real malware sample

Code Analysis & Malware Functionalities:

• Intro to code analysis
• Droppers & Downloaders
• Maintaining Persistence
• Keylogging
• Banking Trojans & Man in The Browser (MiTB)
• Point of Sale Malware (POS)
• Understanding Indication of Comprise
• Write your own YARA rule

DAY 2:

Intro To x86/x64 Assembly:

• Understanding CPU registers and assembly instructions
• Dive deeper in the assembly language and memory handling
• Reversing assembly code blocks into a higher-level language (C++)
• Dealing with local & global variables

Static & Dynamic Code Analysis In-Depth:

• Code Analysis Overview
• Disassembler & Debuggers
• Code Analysis Tools
• Basics of IDA Pro
• Basics of Ollydbg/x64dbg
• Understanding the API calls
• Inspecting API call references
• Demo: Performing static analysis with IDA Pro (Hands-on Practice)
• Demo: Performing dynamic analysis with OllyDbg (Hands-on Practice)
• Hands-on lab exercise involves analyzing real malware sample

Encryption, Packing & Obfuscation

• Understanding different encryption algorithms
• Demo: Examining RC4 encryption algorithm
• Learning 4 different manual unpacking techniques for custom unpacking
• Dissecting different obfuscation techniques
• Hands-on Practice on unpacking malware

DAY 3:

Spear-phishing Attacks with Malicious Documents:

• Examining a malicious office document packed with vbscript macros
• Examining & Dissecting malicious pdf files
• hands-on labs to examine documents packed with malicious macros (real attacks)

Investigating User-Mode Rootkits & API Hooking:

• Understanding Process Internals
• Process & Thread Environment Block Structure
• Code Injection
• Types of Code injection
• Remote DLL injection
• Remote Code injection
• Reflective DLL injection
• Hollow process injection
• API Hooking & IAT Hooking
• Hands-on lab exercise (scenario based) involves investigating malware infected memory

Memory Forensics & Volatility Overview:

• What is Memory Forensics
• Why Memory Forensics
• Steps in Memory Forensics
• Memory acquisition and tools
• Introduction to Volatility (Advanced Memory Forensics Framework)
• Volatility basic commands
• Determining the profile
• Volatility help options
• Running the plugin

Investigation Process Memory Using Volatility:

• Process memory Internals
• Listing DLLs using Volatility
• Identifying hidden DLLs
• Dumping malicious executable from memory
• Dumping DLLs from memory
• Scanning the memory for patterns (yarascan)
• Volatility plugins to identify process injections and API hooking
• Hands-on lab exercise (scenario based) involves investigating malware infected memory

Who Should Attend

This course is intended for Cyber Security investigators, Cyber Security Heads and Managers, Security Researchers, Information Technology Heads and Managers, Forensic Practitioners, Incident Responders Malware Analysts, System Administrators, Software Developers ,and security professionals who would like to expand their skills and Anyone interested in learning Malware Analysis and Memory Forensics.

Materials Provided:

• Training Prerequisite & Lab Setup Guide: a step by step guide to prepare your isolated virtualized environment for executing and analyzing malware
• Malware Analysis Lab VM (Windows 7 VM) with all required tools pre-installed. It will be provided in .ova format
• The labs/exercises samples and memory images.
• A printed copy of mastering Malware Analysis Book
• A printed copy of Malware Analysis & Reverse Engineering Workbook which includes all the exercises taught in the training with step by step solutions to them.

Delegate Requirements:

• Should be familiar with using Windows/Linux
• Should have an understanding of basic programming concepts, while programming experience is not mandatory.

Hardware/Software Requirements:

• Laptop with minimum 8GB RAM and 80GB free hard disk space
• Laptop with USB ports, lab samples, and custom Linux VM will be shared via USB sticks
• VMware Workstation or VMware Fusion (even trial versions can be used).
• Delegates must have full administrator access for the Windows operating system.

Note: VMware player or Virtual Box is not suitable for this training.

Course Syllabus

DAY 1: - Setting up laboratory scenario - Incident Response vs Threat Hunting - ATT&CK Framework, who are you? - Live Response and triage - Malware evasion techniques - Malware persistence techniques - WMIC & PowerShell forensics - Principles of Memory forensics - Investigating Lateral Movement - NTFS forensics

DAY 2: - Windows Forensics in-depth - Prefetch files analysis - Shimcache analysis - Amcache analysis - LNK analysis - Evt/Evtx analysis - Timeline analysis - Anti-forensics detection - Write custom YARA Rules - How to write a good report

Keywords

Incident Response, Digital Forensics, Threat Intelligence, Windows Forensics, Memory Forensics

Student Prerequisites

Basic forensics and windows knowledge

Material to bring by attendees

Laptop with a virtualization software installed (Virtual Box or VMWare), WiFi connection, 4+ GB of RAM, USB port (for pendrive), at least 40+ GB of free space on the hard disk

Who Should Attend

Pentesters, bug bounty researchers, app makers or just curious

Key Learning Objectives

• Understanding common mobile vulnerabilities
• Understanding Android and iOS basics
• Understanding of the OWASP MSTG (Mobile Security Testing Guide) and the MASVS (Mobile Application Security Verification Standard)
• Know how to build an Android and iOS pentest toolset

Prerequisite Knowledge

• Basic knowledge of linux/network/security

Hardware / Software Requirements

• Laptop and min 8Go RAM and 60Go of space available
• VMware

Agenda

Day 1

iOS Hacking

• Basics
  • Security features
  • iOS architecture
  • Jailbreaks
  • Tools
  • iOS virtualization with Corellium
  • Test apps and real ones
• Static analysis
  • Code checks
  • Needle and MobSF

Android Hacking

• Basics
  • Android Ecosystem
  • APK Architecture
  • Android Manifest
  • Tools needed
• Static Analysis
  • Decompilation
  • Information Gathering
  • IPC
  • Access Control
  • Hardcoding Secrets

Day 2

iOS Hacking

• Dynamic Analysis
  • Caching
  • Logs
  • Backups
  • Plist
  • SQLite
  • Hooking with Cycript
  • Hooking with Frida
  • Objection

Android Hacking

• Dynamic Analysis
  • LogCat
  • Network Communication
  • Certificate Pinning
  • Data Storage
  • Code Tampering

Day 3

iOS Hacking

• Dynamic Analysis
  • Analyze without a jailbreak
• Network Security
  • MiTM all the traffic
  • Rvictl, Wireshark and Burpsuite
• Bonus (Totally not spyware / CVE-2018-4233)
  • Metasploit

Android Hacking

• Dynamic Analysis
  • Debugging
  • Hooking with Frida

Day 1

## Module 1

Introduction

Physical intrusion vectors

• Social Engineering
• Climbing
• Access opening

Discover physical security

• The different types of locks
• How they work
• How to identify them

Introduction to scenarios

• Casual intruder (opportunist)
• Organized burglar team
• Industrial espionage

## Module 2 Wafer locks and tubular locks opening

Wafer locks

• Identification
• Lockpicking
• Decoding
• Jigglers

Tubular locks

• Identification
• Self-impressioning
• Lockpicking

Day 2

## Module 3 Combination padlocks and key boxes

• Identification
• Shims (on compatible models)
• Decoding
• Blade bypass (on compatible models)

Keyed padlocks

• Lockpicking
• Combs
• Shims (on compatible models)
• Blade bypass (on compatible models)

Module 4 Pin tumbler locks lockpicking

Raking

• Specific tools
• The technique
• Tips and tricks

Single Pin Picking

• Specific tools
• The technique
• Tips and tricks

Lockpick guns

• Mechanical PickGun
• Electronic PickGun
• Specific tensioners

Day 3

Module 5 The Key vector

Key duplication

• By molding
• With a file
• From a picture
• Special techniques

Bumpkeys

• Identification
• Fabrication
• Different techniques (push/pull)

Keyed Alike locks * Finding the key of your target

Module 6 The Door vector

Non Destructive Opening of the door

• Day-latched door opening
• From the latch
• From the handle
• From the bottom
• Exit only doors

Module 7 RF and RFID introduction

RF

• Identify and attack easily the least protected systems

RFID

• Identify and attack easily the least protected systems

Module 8

Conclusion

Flaws

· Flaws summary

Tools and techniques summary

Possible protections

• Summary of possible protections

Homework

• How to practice and develop your skills after the training

Legal stuff

• Don't go to jail!

Student Prerequisites

• During the course many labs will require students to prototype hooking logic in JavaScript. As such JavaScript experience will be very helpful but not strictly required.
• A detailed knowledge of Windows internals is not required but basic familiarity with the Windows API will be beneficial.
• Attendees need to verify they are able to run PwnAdventure3 on a Windows VM. It can be set on the lowest setting and does not have to run fast. This is important as a substantial portion of the training will consist of hacking PwnAdventure3.

Who should take this course?

Members of the Red Team, Blue Team and Researchers.

Materials to bring by attendees

• A laptop with VMWare Workstation / Player / Fusion. VirtualBox is not supported.
• Enough system resources to run x2 virtual machines simultaneously.
• 30GB free hard disk space.
• Attendees need not bring their own VM, those will be handed out, fully configured, during the training.

Course Syllabus

[Day 1]

• Introduction to function hooking
• A closer look at familiar tools: Procmon / API Monitor
• Tracing API calls
• Fermion, an electron UI for Frida
• Hooking to => Change application behaviour
• Hooking to => Inspect data
• Hooking to => Subvert application controls
• Calling native functions from Frida
• Bug-hunting HackSysExtremeVulnerableDriver
• Hooking ShowSnaps

[Day 2]

• Setting up PwnAdventure3
• Abusing the implicit trust of the game server
• Finding a trigger mechanism
• Unintended use of game functionality
• Solving "Unbearable Revenge"
• Finding game objects in memory
• In-line network proxy
• Prototyping a parser
• Crafting packets
• Applicability of function hooking & porting knowledge to other frameworks