This year, your 2-day pass for Hack In Paris includes access to conferences and lunches.
The Corelan Live Bootcamp is a truly unique opportunity to learn both basic and advanced techniques from an experienced exploit developer. During this 3-day course, students will learn all the ins and outs of writing reliable exploits for the Win32 platform. The trainer will share his "notes from the field" and various tips and tricks to become more effective at writing exploits.
We believe it is important to explain the basics of buffer overflows and exploit writing, but this is most certainly not "your average" entry level course. In fact, this is one of the finest and most advanced courses you will find on Win32 stack based exploit development.
This hardcore hands-on course will provide students with a solid understanding of current Win32 (stack based) exploitation techniques and memory protection bypass techniques. We make sure the course material is kept up to date with current techniques, includes previously undocumented tricks and techniques, and covers details of research we performed ourselves. Combined with the way the course is built up, this turns these 3 days into a truly unique experience.
During the course, we not only share techniques and mechanics, but we also want to make sure you understand why a given technique is used, why something works and why something doesn’t work.
We believe those are just a few of the arguments that make this training stand out among other exploit development training offerings. Feel free to check our testimonials page if you want to see real, voluntary, unmodified and uncensored reactions from some of our students: https://www.corelan-training.com/index.php/testimonials/
Finally, we offer you post-training support as well. If you have taken the course and you still have questions afterwards, we will help.
Are you interested in the process of turning an advisory into a working exploit? Do you want to figure out whether a given security patch/hotfix should be applied immediately or not? Do you want to learn how to read and understand existing exploits? Have you ever found yourself in a position where you had to change an existing exploit but failed to make it work? Do you want to write reliable exploits and integrate them into Metasploit? Do you want to know how shellcode works? Do you already have basic knowledge of Win32 exploit development, but want to learn more about some of the more advanced topics listed below (see course overview)? Did you read the Corelan exploit development tutorials, but still want to take the classes to fully understand and master the concepts? Do you have other reasons to learn how to write exploits for the Win32 platform? Are you willing to suffer and bleed a bit, learn fast, and not be intimidated by debuggers and assembly instructions? Then this course is what you need!
Pentesters, auditors, network/system administrators, reverse engineers, malware analysts, developers, members of a security department, security enthusiasts, or anyone interested in exploit development.
You can find more details about the course contents at
Students should:
be able to read simple C code and simple scripts
be familiar with writing basic scripts using python/ruby/…
be ready to dive into a debugger and read asm for hours and hours and hours
be ready to think out of the box and have a strong desire to learn
be fluent in managing Windows / Linux operating systems and in using vmware workstation/virtualbox
be familiar with using Metasploit
No prior knowledge of assembly is required, but it will certainly help if you have some basic knowledge.
Unless specified otherwise, students are required to bring the following:
A laptop (no netbook) with vmware workstation/virtualbox and enough processing power and RAM (we recommend 4 GB of RAM) to run up to 2 virtual machines at the same time. The use of a 64-bit processor and a 64-bit operating system on the laptop will make the exercises more realistic.
2 virtual machines installed (Windows 7 SP1, Kali Linux)
Note: you will receive the exact installation instructions after registration, so don’t start installing the VMs yet.
All required tools and applications will be provided during the training or will be downloaded from the internet during the training.
You must have full administrator access to all machines. You must be able to install and remove software, and you must be able to disable and/or remove firewall/antivirus/… when necessary.
Peter Van Eeckhoutte is the founder of Corelan Team and the author of the well-known tutorials on Win32 Exploit Development. The team gathers a group of IT security enthusiasts and researchers from around the world, who all share common interests: doing research, gathering and sharing knowledge, and performing responsible/coordinated disclosure. Above all, the team is well known for its ethics and its approach to helping other people in the field.
With his team, he has developed and published numerous tools that assist pentesters and exploit developers, and has published whitepapers/videos on a wide range of IT security related topics (pentesting tools, (malware) reverse engineering, etc). The team also moderates a forum that provides a platform for people who want to talk about exploit development, and operates an IRC channel (freenode, channel #corelan).
Peter has been an active member of the IT security community for close to 15 years and has been working on exploit development for 10 years. He has presented at security conferences (Athcon, Hack In Paris, DerbyCon) and delivered the Corelan Live Win32 Exploit Development Bootcamp at various places around the globe. He has trained security enthusiasts and professionals from private companies, government agencies and the military. You can read more about their experiences on his website.
"The great power of the Internet of Things comes with the great responsibility of security." Being the hottest technology, developments and innovations are happening at a stellar speed, but the security of IoT is yet to catch up. Since the safety and security repercussions are serious and at times life threatening, there is no way you can afford to neglect the security of IoT products. "Practical Internet of Things (IoT) Hacking" is a research-backed and unique course which offers security professionals a comprehensive understanding of the complete IoT technology suite, including IoT protocols, sensors, client side, mobile, cloud and their underlying weaknesses. The extensive hands-on labs enable attendees to master the art, tools and techniques to find-n-exploit or find-n-fix the vulnerabilities in IoT, not just on emulators but on real smart devices as well. The course focuses on the attack surface of current and evolving IoT technologies in various domains such as home and enterprise automation. It covers, from the ground up, various IoT protocols including their internals, specific attack scenarios for individual protocols, and the open source software/hardware tools one needs to have in an IoT penetration testing arsenal. We also discuss in detail how to attack the underlying hardware of the sensors using various practical techniques. In addition to the protocols and hardware, we will extensively focus on reverse engineering mobile apps and native ARM/MIPS code to find weaknesses. Throughout the course, we will use DRONA, a VM created by us specifically for IoT penetration testing. DRONA is the result of our R&D and has most of the required tools for IoT security analysis. We will also distribute DIVA – IoT, a vulnerable IoT sensor made in-house for hands-on exercises. The "Practical Internet of Things (IoT) Hacking" course is aimed at security professionals who want to enhance their skills and move to/specialise in IoT security.
The course is structured for beginner to intermediate level attendees who do not have any experience in IoT, reversing or hardware.
Basic knowledge of web and mobile security
Basic knowledge of Linux OS
Basic knowledge of programming (C, python) would be a plus
Penetration testers tasked with auditing IoT
Bug hunters who want to find new bugs in IoT products
Government officials from defensive or offensive units
Red team members tasked with compromising the IoT infrastructure
Security professionals who want to build IoT security skills
Embedded security enthusiasts
IoT developers and testers
Anyone interested in IoT security
Laptop with at least 50 GB free space
8+ GB minimum RAM (4+ GB for the VM)
External USB access
Administrative privileges on the system
Virtualization software – VirtualBox 5.X (including the VirtualBox extension pack)
Linux machines should have exfat-utils and exfat-fuse installed (ex: sudo apt-get install exfat-utils exfat-fuse)
Virtualization (VT-x) option enabled in the BIOS settings for VirtualBox to work
Latest OS on the host machine (for example, Windows 7 is known to cause issues)
Introduction to IOT
Identify attack surfaces
IoT Protocols Overview
Hands-on with open source tools
Cross-protocol HTTP attacks
Introduction and protocol Overview
Reconnaissance (Active and Passive)
Sniffing and Eavesdropping
Software Defined Radio
=Introduction to gnuradio concepts
=Creating a flow graph
=Analysing radio signals
=Recording specific radio signal
Introduction and protocol Overview
Reconnaissance (Active and Passive)
Sniffing and Eavesdropping
Hands-on with RZUSBstick and open source tools
Reconnaissance (Active and Passive) with HCI tools
GATT service Enumeration
Sniffing GATT protocol communication
Reversing GATT protocol communication
Read and writing on GATT protocol
L2CAP smashing
Cracking encryption
Hands-on with open source tools
Introduction to Android
App reversing and Analysis
Procedure call convention
System call convention
System call convention
Firmware analysis and reversing
Simulating device environments
IoT hardware Overview
Introduction to hardware
Analyzing the board
=Interfacing with I2C
=Manipulating Data via I2C
=Sniffing run-time I2C communication
=Interfacing with SPI
=Manipulating data via SPI
=Sniffing run-time SPI communication
=What is UART
=Identifying UART interface
=Accessing sensor via UART
=Identifying JTAG interface
Aseem Jakhar is the Director of Research at Payatu Software Labs (payatu.com), a boutique security testing company. He is well known in the hacking and security community as the founder of null - The open security community, a registered not-for-profit organization (http://null.co.in), and also the founder of the nullcon security conference (nullcon.net) and the hardwear.io security conference (http://hardwear.io). He has worked on various security software including UTM appliances, messaging/security appliances, an anti-spam engine, anti-virus software, a transparent HTTPS proxy with captive portal, and a Bayesian spam filter, to name a few. He currently spends his time researching IoT security and hacking things. He is an active speaker and trainer at security conferences such as AusCERT, Black Hat, Brucon, Defcon, Hack.lu, Hack in Paris, PHDays and many more.
The IPv6 protocol suite has been designed to accommodate the present and future growth of the Internet by providing a much larger address space than that of its IPv4 counterpart, and is the successor of the original IPv4 protocol suite. The imminent exhaustion of the IPv4 address space has already resulted in the deployment of IPv6 in most large content distribution networks, a variety of ISPs, enterprises, and other production environments. Other organizations have already planned to deploy IPv6 in the short or near term. There are a number of factors that make the IPv6 protocol suite interesting from a security standpoint. Firstly, being a new technology, technical personnel have much less familiarity with the IPv6 protocols than with their IPv4 counterparts, and thus it is likely that the security implications of the protocols will be overlooked when they are deployed on production networks. Secondly, IPv6 implementations are much less mature than their IPv4 counterparts, and thus it is very likely that a number of vulnerabilities will be discovered in them before their robustness matches that of IPv4 implementations. Thirdly, security products such as firewalls and NIDSs (Network Intrusion Detection Systems) usually have less support for the IPv6 protocols than for their IPv4 counterparts. Fourthly, the security implications of IPv6 transition/co-existence technologies on existing IPv4 networks are usually overlooked, potentially enabling attackers to leverage these technologies to circumvent IPv4 security controls in unexpected ways. Thus, the imminent global deployment of IPv6 has created a global need for security professionals with expertise in the field of IPv6 security, such that the aforementioned security issues can be mitigated.
While there exist a number of training courses about IPv6 security, they either limit themselves to a high-level overview of IPv6 security, and/or fail to cover a number of key IPv6 technologies that are vital in all real IPv6 deployment scenarios. During the last few years, we have offered the training course "Hacking IPv6 Networks", providing in-depth hands-on IPv6 security training to networking and security professionals around the world. Hacking IPv6 Networks (version 4.0) is a renewed edition of that training course, with a tremendous increase in hands-on exercises and newly incorporated materials based on recent developments in the area of IPv6 security. The training is carried out by Fernando Gont, a renowned IPv6 security researcher.
Attendees are required to have a good understanding of the IPv4 protocol suite (IPv4, ICMP, ARP, etc.) and of related components (routers, firewalls, etc.). Additionally, the attendee is expected to have knowledge of basic IPv4 troubleshooting tools, such as ping, traceroute, and network protocol analyzers (e.g., tcpdump). Basic knowledge of IPv6 is desirable, but not required.
Network Engineers, Network Administrators, Security Administrators, Penetration Testers, and Security Professionals in general.
Attendees willing to perform the hands-on exercises are expected to bring a laptop with VirtualBox already installed. The minimum requirements for the laptop are: Intel Core Duo, 1.66 GHz; 4 GB of RAM; Ethernet and Wi-Fi network interface cards.
Introduction to IPv6
IPv4 address exhaustion
IPv6 transition/deployment mechanisms
IPv6: current state of affairs
Brief comparison between IPv6 and IPv4
IPv6 security overview
IPv6 Addressing Architecture
IPv6 address types
IPv6 address analysis
Implications for address scanning attacks & possible mitigations
Privacy implications & possible mitigations
Implications for end-to-end connectivity
IPv6 Header Fields
IPv6 header overview
Basic header fields
IPv6 Extension Headers (EHs)
General implications of EHs
Security implications of specific IPv6 EHs
Security implications of specific IPv6 options
IPv6 EHs in the real world
Exploitation of IPv6 EHs
Troubleshooting IPv6 EHs
Network reconnaissance with IPv6 EHs
Internet Control Message Protocol version 6 (ICMPv6)
ICMPv6 error messages
ICMPv6 informational messages
Network reconnaissance with ICMPv6
Neighbor Discovery for IPv6
Address resolution in IPv6
Address resolution messages and options
Neighbor Discovery cache
Neighbor Discovery attacks
Neighbor Discovery security controls
Evasion of Neighbor Discovery security controls
System configuration options
Stateless Address Auto-configuration (SLAAC)
SLAAC messages and options
Duplicate Address Detection (DAD)
SLAAC security controls
Evasion of SLAAC security controls
Dynamic Host Configuration Protocol version 6 (DHCPv6)
Sample DHCPv6 traffic
Security implications of DHCPv6
DHCPv6 security controls
Multicast Listener Discovery (MLD)
Introduction to MLD
Sample MLD traffic
Security implications of MLD
MLD security controls
IPsec Virtual Private Network (VPN)
DNS Support for IPv6
Exploitation of DNS reverse mappings
Evasion of IPv6 firewalls
Security Implications of IPv6 for IPv4-only Networks
IPv6 attacks on IPv4-only networks
Mitigating IPv6 attacks on IPv4-only networks
Automatic tunneling mechanisms
Attacks on automatic tunneling mechanisms
Network Reconnaissance in IPv6
Host scanning in IPv6
Port scanning in IPv6
Overview of penetration testing in IPv6
IPv6 Deployment Considerations
Designing an IPv6 address plan
Operating System hardening
IPv6 Attack and Defense
Fernando Gont specializes in the field of communications protocols security, working for private and governmental organizations from around the world. Gont has worked on a number of projects for the UK National Infrastructure Security Co-ordination Centre (NISCC) and the UK Centre for the Protection of National Infrastructure (CPNI) in the field of communications protocols security. As part of his work for these organizations, he has written a series of documents with recommendations for network engineers and implementers of the TCP/IP protocol suite, and has performed the first thorough security assessment of the IPv6 protocol suite. Gont is currently working as a security consultant and researcher for SI6 Networks (https://www.si6networks.com). Additionally, he is a member of the Centro de Estudios de Informatica (CEDI) at Universidad Tecnológica Nacional/Facultad Regional Haedo (UTN/FRH) of Argentina, where he works in the field of Internet engineering. As part of his work for these organizations, he is active in several working groups of the Internet Engineering Task Force (IETF), and has published 30 IETF RFCs (Request For Comments) and more than a dozen IETF Internet-Drafts. Gont has also developed the SI6 Networks' IPv6 Toolkit (https://www.si6networks.com/tools/ipv6toolkit) -- a portable and comprehensive security toolkit for the IPv6 protocol suite -- and the SI6 Networks' IoT Toolkit (https://www.si6networks.com/tools/iot-toolkit) -- a portable security toolkit for IoT devices.
Gont runs the IPv6 Hackers and the IoT Hackers mailing lists (https://lists.si6networks.com), and has been a speaker at a number of conferences and technical meetings about information security, operating systems, and Internet engineering, including: CanSecWest 2005, Midnight Sun Vulnerability and Security Workshop/Retreat 2005, FIRST Technical Colloquium 2005, Kernel Conference Australia 2009, DEEPSEC 2009, HACK.LU 09, HACK.LU 2011, DEEPSEC 2011, LACSEC 2012, Hackito Ergo Sum 2012, Hack In Paris 2013, German IPv6 Kongress 2014, H2HC 2017, and Troopers 2017. Additionally, he is a regular attendee of the Internet Engineering Task Force (IETF) meetings.
Security systems are evolving and becoming more complex, and so are the hacking techniques. Every successful hack penetrating a network infrastructure has to evade multiple layers of security in a perfect sequence. Imagine yourself in an environment with diverse operating systems, servers and applications, with legacy as well as in-house developed products, and security solutions such as firewalls, AV etc. How do you plan to go ahead and pwn them all? Learn to exploit and compromise targets where Metasploit will not work by default. Perform a wide array of tricks to discover, enumerate and pwn services, systems and domain controllers. Move around in an enterprise network with VLAN hopping to pwn some more. Analyze and exploit enterprise software components such as JBoss, MQ, CI/CD, Domain Controllers, database servers, network devices etc.
• Experience with vulnerability assessment and penetration testing.
• Familiarity with web application security vulnerabilities.
• Basic knowledge of TCP/IP network protocol.
• Familiarity with virtualization tools like VMware/VirtualBox.
• Exposure to infrastructure penetration testing tools and techniques.
• Exploiting enterprise network.
• Live real-life scenarios.
• Multi vector attacks.
• Exploiting configuration vulnerabilities.
• Capture the Flag (CTF) to test skills.
• A laptop with administrator privileges.
• Minimum 50 GB of free hard disk space.
• Minimum 4 GB RAM for virtual machines.
• Laptop should have Ethernet and Wi-Fi capability.
• VM Player or VMWare Workstation installed.
• Information gathering and recon techniques
• Advanced payload obfuscation with Metasploit Framework
• Pivoting with Metasploit Framework
• Network device exploitation and VLAN Hopping
• Hacking the Evil Corp
• Discover apps and services
• Exploit configuration weaknesses for information gathering
• Exploit workstations
• Exploit MQ services
• Exploit CI/CD pipelines
• Exploit custom services
• Windows Server 2012 exploitation
• Windows Domain Controller exploitation
• MacOSX exploitation
• Linux web app server exploitation
• Oracle database server enumeration and exploitation
Day 3 will host a Capture the Flag (CTF) contest where participants will compete against each other in live hacking of the provided network. Scores will be tracked and made available in the CTF portal in real time.
Abhisek Datta is a Security Researcher and Consultant with over 10 years of experience. His core areas of expertise include Penetration Testing, Vulnerability Analysis, Exploit Development, Reverse Engineering and Malware Analysis, and Source Code Review. He has been involved in multiple high-profile Reverse Engineering and Penetration Testing projects in the past for clients in India and abroad. He has multiple CVEs under his name for reporting vulnerabilities in various products. Some of the CVEs reported by him are CVE-2014-4117, CVE-2015-0085, CVE-2014-6113, CVE-2015-1650, CVE-2015-1682, CVE-2015-2376, and CVE-2015-2555. At present he heads the technology team at Appsecco Consulting Pvt. Ltd. and is responsible for security tools development and process automation.
Omair has over eight years of experience in penetration testing, vulnerability assessment and network security. He has been responsible for maintaining a secure network for mission-critical applications. His areas of work include Vulnerability Assessment, Security Audits, Penetration Testing, Source Code Reviews and Training. He was the lead penetration tester for various clients in the telecom, retail, government and banking sectors based in India, Saudi Arabia, Morocco, Mauritius, UAE, Kuwait, Oman and Bahrain, with team sizes varying from 5 to 8 members. He has also published security advisories pertaining to various vulnerabilities in commonly used software like Excel, Real Player, Internet Explorer and Chrome. His areas of expertise include Vulnerability Research, Reverse Engineering and Fuzzing. Some of the latest CVEs reported by him are CVE-2015-1240, CVE-2015-1668, CVE-2015-0043, CVE-2015-0042, CVE-2014-4128, CVE-2014-6354, CVE-2014-4145, CVE-2014-4050, CVE-2014-1772, CVE-2014-0313, and CVE-2014-0263.
Omair holds various industry certifications.
Everyone has heard about hackers. It is commonly known that their jobs differ from system administrator jobs. However, the things they do in their darkened rooms are definitely interesting and worth knowing. Many of the techniques they use are very useful in everyday administration tasks. Is it that easy to get into systems? What about Windows 10 – are all of its security features preventing all of the attacks that were possible before? Well, no! And we need to know how to implement these features properly in order to be on the safe side! Windows 10 is designed to protect against known and emerging security threats across the spectrum of attack vectors, but this can be achieved only when these settings are configured properly! A hacker's knowledge is considered valuable, both by system creators and common users. Administrators do not have to be taught how to be a hacker; it is often enough to show them one simple but very interesting tool or technique to change their point of view on their own IT environment. The topics covered in this seminar help you to walk in a hacker's shoes and evaluate your network from their point of view. Be careful – this workshop is designed for IT and security professionals who want to take their skills and knowledge to the next level. After this workshop, you will be familiar with hacker techniques, which is useful knowledge for protecting yourself against them. This is a three-day training with demos and reasonable and smart explanations.
Minimum 6-8 years of IT experience
Network administrators, infrastructure architects, security professionals, systems engineers, IT professionals, security consultants and other people responsible for implementing network and perimeter security.
Module 1: Hacking Windows Platform
a) Detecting unnecessary services
b) Misusing service accounts
c) Implementing rights, permissions and privileges
d) Direct Kernel Object Modification
Module 2: Top 50 tools: the attacker's best friends
a) Practical walkthrough through tools
b) Using tools against scenarios
Module 3: Modern Malware
a) Techniques used by modern malware
b) Advanced Persistent Threats
c) Fooling common protection mechanisms
Module 4: Physical Access
a) Misusing USB and other ports
b) Offline Access techniques
c) BitLocker unlocking
Module 5: Intercepting Communication
a) Communicating through firewalls
b) Misusing Remote Access
c) DNS based attacks
Module 6: Hacking Web Server
a) Detecting unsafe servers
b) Hacking HTTPS
c) Distributed Denial of Service attacks
Module 7: Data in-Security
a) File format attacks for Microsoft Office, PDF and other file types
b) Using incorrect file servers’ configuration
c) Basic SQL Server attacks
Module 8: Password attacks
a) Pass-the-Hash attacks
b) Stealing the LSA Secrets
Module 9: Hacking automation
a) Misusing administrative scripts
b) Script based scanning
Module 10: Designing Secure Windows Infrastructure
On the market there are thousands of solutions available to enrich security in our infrastructure. The idea of this module is to provide complete knowledge and a holistic view of the areas that can be secured and the measures that can be implemented.
Module 11: Securing Windows Platform
a) Defining and disabling unnecessary services
b) Implementing secure service accounts
d) Driver signing
Module 12: Malware Protection
b) Malware investigation techniques
c) Analyzing cases of real malware
d) Implementing protection mechanisms
Module 13: Managing Physical Security
a) Managing port security: USB, FireWire and other
b) Mitigating Offline Access
c) Implementing and managing BitLocker
Module 14: Deploying and configuring Public Key Infrastructure
a) Role and capabilities of the PKI in the infrastructure
b) Designing PKI architecture
c) PKI Deployment – Best practices
Module 15: Configuring Secure Communication
a) Deploying and managing Windows Firewall – advanced and useful features
b) Deploying and configuring IPsec
c) Deploying secure Remote Access (VPN, Direct Access, Workplace Join, RDS Gateway)
d) Deploying DNS and DNSSEC
Module 16: Securing Web Server
a) Configuring IIS features for security
b) Deploying Server Name Indication and Centralized SSL Certificate Support
c) Monitoring Web Server resources and performance
d) Deploying Distributed Denial of Service attack prevention
e) Deploying Network Load Balancing and Web Farms
Module 17: Providing Data Security and Availability
a) Designing data protection for Microsoft Office, PDF and other file types
b) Deploying Active Directory Rights Management Services
c) Deploying File Classification Infrastructure and Dynamic Access Control
d) Configuring a secure File Server
e) Hardening basics for Microsoft SQL Server
f) Clustering selected Windows services
Module 18: Mitigating the common password attacks
a) Performing Pass-the-Hash attack and implementing prevention
b) Performing the LSA Secrets dump and implementing prevention
Module 19: Automating Windows Security
a) Implementing Advanced GPO Features
b) Deploying Software Restriction: Applocker
c) Advanced Powershell for administration
DPAPI, Platform Security, Credential attacks
Paula Januszkiewicz is the CEO and Founder of CQURE Inc. and CQURE Academy. She is also an Enterprise Security MVP and a world-class cybersecurity expert, consulting for customers all around the world. She has her heart and soul in the company, with a deep belief that positive thinking is the key to success. Her quality-driven approach, extreme attention to detail and conference speaking publicity brought CQURE, at its early stage, into the never-ending world of hacks, forensics, data theft and other security challenges. Paula established CQURE in 2007 and since then she has continued to build the team's professional image and cybersecurity skills, currently owning and managing CQURE departments in New York (US), Dubai (UAE) and Zug (Switzerland), in addition to the headquarters in Warsaw (Poland). Since 2007, the CQURE Team's exceptional quality and unique cybersecurity knowledge, experience and skills have been in high demand on the enterprise market. Paula has 14 years of experience in the cybersecurity field, performing penetration tests, architecture consulting, trainings and seminars. She has performed hundreds of security projects, including those for governmental organizations and big enterprises, while at the same time being a top speaker and keynote speaker at many well-known conferences, including Microsoft Ignite (rated No 1 Speaker among 1100 speakers and 26000 attendees), RSA (in 2017 in San Francisco her session was one of the 5 hottest sessions), Black Hat, TechEd North America, TechEd Europe, TechEd Middle East, CyberCrime etc., where she is often rated as the No 1 speaker. Her presentations gather thousands of people. Paula also creates security awareness programs for various organizations, including awareness sessions for top management (telecoms, banks, government etc.). She is passionate about sharing her knowledge with others.
In private, she enjoys working with her research team, converting the results of her findings into leading-edge trainings and tools used in practice in projects. She wrote a book about Threat Management Gateway and she's currently working on the next one… so stay tuned for more. She has access to the source code of Windows, an honor granted to just a few people around the world! Paula is the type who suffers when doing nothing – every year she takes over 215 flights to provide security services to international organizations and enterprises. You can always expect some thoughtful ideas and interesting arguments!
HackerOne bug hunters earned $20 million in bug bounties up to 2017, and they are expected to earn $100 million by the end of 2020. Some of HackerOne's customers include the United States Department of Defense, General Motors, Uber, Twitter, and Yahoo. This clearly shows where the challenges and opportunities are for you in the upcoming years. What you need is solid technical training by one of the Top 10 HackerOne bug hunters.
Modern web applications are complex and it’s all about full-stack nowadays. That’s why you need to dive into full-stack exploitation if you want to master web attacks and maximize your payouts. Say ‘No’ to classical web application hacking. Join this unique hands-on training and become a full-stack exploitation master.
After completing this training, you will have learned about:
REST API hacking
AngularJS-based application hacking
bypassing Content Security Policy
server-side request forgery
DB truncation attack
type confusion vulnerability
exploiting race conditions
path-relative stylesheet import vulnerability
reflected file download vulnerability
Students will be handed a VMware image with a specially prepared testing environment to play with the bugs. What's more, this environment is self-contained, and when the training is over, students can take it home (after signing a non-disclosure agreement) to hack again at their own pace.
To get the most out of this training, intermediate knowledge of web application security is needed. Students should be familiar with common web application vulnerabilities and have experience in using a proxy, such as Burp Suite Proxy or similar, to analyze or modify traffic.
Penetration testers, bug hunters, security researchers/consultants
Students will need a laptop with a 64-bit operating system, at least 4 GB RAM (8 GB preferred), 35 GB free hard drive space, a USB port (2.0 or 3.0), a wireless network adapter, administrative access, the ability to turn off AV/firewall, and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running 64-bit VMs (BIOS settings changes may be needed). Please also make sure that you have Internet Explorer 11 installed on your machine, or bring an up-and-running VM with Internet Explorer 11 (you can get it here: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/).
Dawid Czagan (@dawidczagan) is an internationally recognized security researcher and trainer. He is listed among Top 10 Hackers (HackerOne). Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter and other companies. Due to the severity of many bugs, he received numerous awards for his findings.
Dawid Czagan shares his security bug hunting experience in his hands-on trainings "Hacking Web Applications - Case Studies of Award-Winning Bugs in Google, Yahoo, Mozilla and More" and "Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation". He delivered security training courses at key industry conferences such as Hack In The Box (Amsterdam), CanSecWest (Vancouver), 44CON (London), Hack In Paris (Paris), DeepSec (Vienna), HITB GSEC (Singapore), BruCON (Ghent) and for many corporate clients. His students include security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and government sector (recommendations: https://silesiasecuritylab.com/services/training/#opinions).
Dawid Czagan is the founder and CEO of Silesia Security Lab, a company which delivers specialized security testing and training services. He is also an author of online security courses at Pluralsight. To find out about the latest in Dawid Czagan's work, you are invited to follow him on Twitter (@dawidczagan).
This training will focus on all major aspects of the Windows post-exploitation process: breaking restricted environments, subverting operating system controls, privilege escalation (logic/configuration/permission/software bugs), bypassing User Account Control (UAC) and persistence. The training will be beneficial to attackers and defenders alike. Participants will gain an in-depth understanding of common pitfalls when configuring the Windows estate. They will see what tools the attacker has at his disposal, how to live off the land and where to achieve long-term residence once access has been acquired. All sections of the training are accompanied by intense hands-on labs where students will put the theory into practice. The training will simulate real-world environments, allowing attendees to later directly apply the content in the field! A detailed understanding of Windows is not required to attend the training; however, a basic familiarity with the Windows command line (cmd/PowerShell), the Sysinternals Suite and certain concepts such as scheduled tasks, services and UAC will be greatly beneficial.
Members of the red & blue team, penetration testers, system administrators, SOC analysts and security enthusiasts.
Desktop lockdown (Group Policy/SRP)
Getting an explorer window
Native/custom command line interfaces
Breaking Kiosks and Citrix environments
Bypassing AppLocker/DeviceGuard restrictions
Abusing token privileges
=User Account Control=
What is UAC and how does it work
Process Status API
Windows Side-By-Side Assembly
Creating proxy DLLs
Fileless UAC bypass
Abusing process tokens
Bypassing “Always Notify”
Using the registry
Manipulating File Associations
WMI Permanent Event Subscriptions
Application Compatibility Shims
COM Handler Hijacking
Leveraging Office and Outlook
Evasion (ADS/corrupted NTFS folder structures/processor variables)
Ruben Boonen (@FuzzySec) is a senior security consultant who has performed hundreds of assessments for private and public sector entities. He holds a number of industry-recognized security certifications such as OSCE, OSEE and CREST CCT INF. While he has led a wide variety of engagements, he has developed a specialty for red teaming and Windows post-exploitation. His areas of research include client-side attacks, privilege escalation, Windows internals, Windows kernel exploitation, restricted environment breakouts, persistence and PowerShell. In his free time Ruben loves to give back to the InfoSec community. He has been an assistant trainer at Black Hat USA and has delivered workshops at DefCon, 44Con and various BSides events. He maintains an InfoSec blog (http://www.fuzzysecurity.com/) and GitHub account (https://github.com/FuzzySecurity) where he publishes research on a variety of topics, and he is one of the project owners for the PowerSploit post-exploitation framework.
Mobile apps are the most preferred way of delivering attacks today. Understanding the finer details of mobile app attacks is quickly becoming an essential skill for penetration testers as well as for app developers and testers. So, if you are an Android or iOS user, a developer, a security analyst, a mobile pen-tester or just a mobile security enthusiast, then 'Mobile App Attack' is of definite interest to you. Mobile App Attack familiarises attendees with in-depth technical explanations of some of the most notorious mobile (Android and iOS) vulnerabilities and the ways to verify and exploit them, along with the various Android and iOS application analysis techniques and inbuilt security schemes, and teaches how to bypass those security models on both platforms. With live demos using intentionally crafted real-world vulnerable Android and iOS apps written by the author, we shall look into some of the common ways malicious apps bypass the security mechanisms or misuse the permissions they are given. Apart from that, we shall gain a brief understanding of what is so special about the latest Android 8 and iOS 11 security and the related flaws.
This training will mainly focus on the following:
Arm basics and Android native code.
Reverse engineer Dex code for security analysis.
Jailbreaking/Rooting of the device and also various techniques to detect Jailbreak/Root.
Runtime analysis of the apps by active debugging.
Modifying parts of the code, where a part can be a function or a class, and performing the check that identifies such a modification: we will learn how to find and calculate the checksum of the code. Our objective in this section will be to reverse engineer an application, get its executable binaries, modify these binaries accordingly, and resign the application. Runtime modification of code: the objective is to learn how programs can be changed or modified at runtime. We will learn how to perform introspection or override the default behaviour of methods during runtime, and then we will learn how to identify whether methods have been changed. For iOS we can make use of tools such as Cycript and snoop-it. We will hook an application and learn to perform program/code modification. By the end of the training, CTF challenges written by the trainer and based on the course content will be launched, where attendees will use the skills learnt in the workshop to solve them. The workshop will begin with a quick overview of the architecture, file system, permissions and security model of both the iOS and Android platforms.
Basic familiarity of Linux usage,
Willingness to learn.
Penetration testers/security professional,
Anyone interested to learn mobile application security.
A jailbroken iPhone/iPad/iPod for iOS testing is a must for the hands-on exercises.
Laptop with 20+ GB free hard disk space and 4+ GB RAM
Windows 7/8, Ubuntu 12.x+ (64-bit operating system), or Mac OS X (Mavericks or later)
Android SDK and Genymotion installed.
Intel / AMD hardware virtualization enabled
Administrative access on your laptop with external USB allowed
Session 1 : Android Introduction & Basics
Android Architecture & File System
Android Security & Kernel
Android Permission model & sandboxing
Application Components & Structure
Session 2 : Setting up the Pentesting environment
SDK and Android Tools
Setting up the Pentesting environment
Setting the Android Emulator & other required settings.
Android device rooting essentials
Penetration Testing Approach
Android Debug Bridge
Hands on - Setting up the Pentesting environment
Hands on - Looking at the artifacts of the application.
Hands on - Lab exercise
Session 3 : Reverse engineering & runtime manipulation
Reverse engineer the app
Hands on - APK decompilation (smali/baksmali Dalvik assembler/disassembler)
Hands on - Runtime manipulation and code patching
Hands on - Recompile and Resign the APK
Hands on - Reading the class files and
Session 4 : Application dynamic runtime analysis
Monitoring process & Network activity
Analyzing logs using logcat
Memory dumps and analysis
Native debugging with IDA (building signatures, types etc.)
Runtime instrumentation and manipulation
Hands on - Memory dumps and objects analysis
Hands on - Bypass Application Restrictions
Hands on - lab exercise
Session 5 : Application Components and security issues
Knowing Activity, Service, Content provider, Broadcast receiver
The application components structure
Hands on - Direct component invocation by unauthorized apps
Hands on - Invoking Activities using malicious intents
Hands on - Using broadcast receivers
Session 6 : Data and Network interception - manipulation and analysis
Traffic interception (Active & Passive)
Sniffing Application & Device data
Proxies and sniffers
Hands on - Intercepting application traffic
Hands on - Importing SSL certificates & trusted CAs
Validating server certificates and avoiding man-in-the-middle
Hands on - Techniques such as HostnameVerifier and the HttpsURLConnection class
Hands on - SSL Pinning and SSLPinning bypass
Client side certificate authentication
Hands on - Vulnerabilities relating to information transmission
Session 1 : Introduction to iOS
iOS Security Architecture & Features
iOS Application Overview
Session 2 : iOS Security Model
iOS Security Model
iOS application components
Session 3 : Setting up the iOS testing Environment
Setting up the iPhone/iPad/Simulator
Setting up the Xcode
DFU mode (Recovery mode)
Session 4 : Reverse Engineering
Hands on - Reverse Engineering the iOS Applications
Hands on - Decrypting Appstore Binaries
Hands on - Identifying the use of Stack smashing Protection
Hands on - Locating Position Independent Executables
Hands on - Inspecting Binary
Session 5 : Perform instrumenting at runtime using dynamic linkers
Hands on - Runtime modification using gdb
Hands on - Method swizzling using cycript
Hands on - Inspecting the applications for runtime changes
Understanding the hooking process
Identifying whether the application is being debugged
Hands on - Debugging the native code in iOS (gdb & lldb)
Session 6 : Auditing & Pentesting the iOS Applications
Hands on - Auditing insecure API usage
Exposing the protocol headers
Hands on - Identifying Insecure storage
Hands on - Grabbing the iOS KeyChain
Hands on - Application analysis
Hands on - Exploiting XSS in Apps through WebViews
Hands on - Attacking XML Processors
Hands on - SQL Injection
File System interaction
Android, iOS, Security, Keychain, Reverse engineering, instrumentation, swizzling, hooking, Debug, runtime manipulation, root, jailbreak, pinning, SSL Pinning bypass, Obfuscation, binary analysis, checksum calculation, dex, smali, Mach-O, Pentesting, mobile vulnerabilities, mobile trojan
Sneha works as a Security Consultant with Payatu Software Labs LLP. Her areas of interest lie in web application and mobile application security and fuzzing. She has discovered various application flaws within open source applications such as PDFLite, Jobberbase, Lucidchart and more. She has spoken and provided training at GNUnify, FUDCon, DefCamp, DefCon, AppSec USA, BSidesLV, DeepSec, BSidesVienna and Nullcon. She is also the chapter lead for null - Pune.
Continuous Build & Deployment tools, Message brokers, Configuration Management systems, Resource Management systems and Distributed file systems are some of the most common systems deployed in modern cloud infrastructures, thanks to the increasingly distributed nature of software. Modern-day pentesting is no longer limited to remote command execution from an exposed web application. In the present-day scenario, all these applications open up multiple doors into a company's infrastructure. One must be able to effectively find and compromise these systems for a better foothold on the infrastructure, as is evident from the recent attacks on the application stack through platforms like Shodan, paving the way for a full compromise of corporate infrastructures.
In this 2-day training we start by looking at the application stack consisting of Databases, CI tools, Distributed Configuration & Resource management tools, Containers, Big Data Environments, Search technologies and Message Brokers. Along with the theoretical knowledge, the training also aims to impart the technical know-how and methodology of testing these systems. This workshop is meant for anyone who would like to know, attack or secure the modern-day stack. The students are bound to have some real fun and an entirely new experience through this unique workshop, as we go through multiple challenging scenarios one might not have come across. During the training, the students are expected to learn the following:
1. Look for vulnerabilities within the application stack.
2. Gain in-depth knowledge on how to pentest the modern stack consisting of Continuous Build & Deployment tools, Message brokers, Configuration Management systems, Resource Management systems and Distributed file systems.
3. Security testing of an entire application stack from an end-to-end perspective.
Knowledge of basic pentesting, how web applications work and Linux command line basics, the ability to use a web proxy like Burp Suite or ZAP, and the ability to write basic scripts in any interpreted language are an added advantage.
DevSecOps, Security Engineers, Penetration testers, Bug bounty hunters, System Administrators, SOC analysts, Security enthusiasts and anyone interested in the modern application stack.
The requirement for the course is a laptop with administrative and USB access and a minimum configuration of 8 GB RAM and 100 GB hard-disk space. Full virtualisation support, VirtualBox and Docker should be installed. A Unix box is preferred.
Pentesting some of the widely used systems in the modern stack:
Module 0 : Modern Application Stack
Evolution of Application Stack
Components of Stack
Module 1 : Pentesting Databases:
MySQL, Postgres and OracleDB
Laying out the attack surface
Pentesting third party plugins.
Attacking Database Servers.
Case Study of CVE-2016-6663
Security testing using tools of trade.
Pentesting NoSQL Databases & Caches: MongoDB, Cassandra, Redis & Memcache
Fingerprinting NoSQL databases.
Injection attacks on NoSQL Databases.
Attacking and identifying vulnerabilities in NoSQL databases through NoSQL exploitation framework.
Case study on Mongo Ransomware and hands on vulnerable applications.
Module 2 : Public Cloud Environments
Introduction to Cloud Environments.
AWS Configurations & AWS Security Checks.
Pentesting AWS lambda servers.
Secure Best practices for Cloud environments and Securing AWS instances
Module 3 : CI Tools
Introduction to Jenkins, TeamCity and Go.
Basic misconfigurations and attack surface for these tools.
Security testing of CI Tools and outlook on vulnerabilities in Jenkins, TeamCity and Go.
Case Study: Remote Code Execution on Jenkins.
Module 4 : Software Collaboration Tools
Leveraging Version Control Systems like Git, SVN and Perforce.
Attacking Code collaboration tools - Phabricator, Gitlab and Github Enterprise.
Module 5 : Message Brokers
Introduction to RabbitMQ and Kafka.
Attacking and extracting juicy information from Message brokers.
Module 6 : Containers
Hacking Docker environments.
Setting up vulnerability static analysis for Docker containers (Clair and other tools).
Hacking Vagrant instances.
Securing Docker and Vagrant instances.
Module 7 : Distributed Configuration Management Systems (DCMS)
Attacking Apache Zookeeper, HashiCorp Consul & Serf, CoreOS Etcd.
Owning the entire application through DCMS, pivoted attacks.
Attacking and Scanning using Garfield.
Module 8 : Distributed File System
Basic misconfigurations for Hadoop.
Analysing the threat model for Hadoop.
Attacks and remote code executions on Hadoop.
Securing Hadoop Instances.
Module 9 : Kubernetes, Mesos and Marathon (Distributed Deployment & Resource Management)
Introduction to Kubernetes, Mesos and Marathon
Fingerprinting Kubernetes, Mesos and Marathon
Pentesting Kubernetes and pivoting through Kubernetes containers.
Hacking entire application stack through Mesos and Marathon.
Securing Mesos instances.
Module 10 : Search Technologies
Introduction to ElasticSearch and Apache Solr (Lucene)
Laying out the attack surface and common misconfigurations.
Pentesting ElasticSearch and Solr.
Bharadwaj Machiraju is project leader for OWASP OWTF. He is mostly found either building a web appsec tool or hunting bugs for fame (hackerone.com/tunnelshade). All tools are available at github.com/tunnelshade and all ramblings at blog.tunnelshade.in. He has spoken at a few conferences, notably Nullcon, Troopers, Brucon and Pycon India. Apart from information security, he is interested in sleeping, mnemonic techniques & machine learning.
Francis Alexander, Security Engineer at Envestnet|Yodlee, has over 3 years of experience in the application security industry and is the author of the NoSQL Exploitation Framework and NoSQL Honeypot. His areas of interest include NoSQL Databases, Machine Learning and Cloud Security. He has been invited to speak & train at a variety of conferences such as Troopers, Insomni'hack, Hack in the Box, Hack in Paris, 44Con, Nullcon and C0c0n.
This course was given for the first time at Hack in Paris 2013. Now, we revisit the same topic with updated material and in an updated environment. First, we show the basic concepts of Reverse Code Engineering (RCE), also by practicing on some small executables. The aim is to provide enough background for the students to understand how the methodology of RCE is performed. Then, the course covers anti-RCE techniques. This second part aims at showing common techniques used in software to protect against RCE, commenting (from the O.S. perspective) on each technique in detail, as well as developing small proof-of-concepts (PoCs) for each technique. The goal of the PoCs is to show the students what the generated assembly code looks like and the difficulty of bypassing each of these techniques. We will discuss how (almost) all techniques can be easily circumvented, as well as the particular advantages/disadvantages of each technique, providing also insights about the future of software protection. The anti-RCE techniques were released to the public at https://github.com/ricardojrdez/anti-analysis-tricks
x86 assembler, use of debugging tools (desired), Windows API
Software developers, malware analysts
Laptop with enough power to run a Windows 7 virtual machine (provided by the instructor)
PART 1) Introduction
1 Introduction to Reverse Engineering
What is Reverse Engineering?
Approaches to Reverse Engineering
Reverse Engineering Code
2 Previous Concepts
Computer Architecture Basic Concepts
Playing with Debuggers
3 A Bunch of Tools Needed for Reversing
Disassemblers and Hexadecimal Editors
PE Editor, Identifier and Resource Editor
Memory Dumpers and Emulators
IAT fixer and API monitors
4 Test-Bed Environment
5 Windows NT Internals Terminology
PART 2) Protection Techniques Compendium
6 Anti-Debug Techniques
PEB, TEB, LDR... WTF?
Using Win32 APIs
Access Tokens and other Objects
A Bunch (More) of Anti-Debug Techniques
Reversing Tools Detection
Other Anti-Debug Techniques
7 Anti-Tracing Techniques
8 Anti-Dump Techniques
A bit of background...
Memory Zone Protection
Nanomites, Stolen Bytes and Protected Pages
9 EP Anti-Detection Techniques
10 Anti-Sandboxing & Anti-VMs Techniques
GDT, LDT, IDT... WTF again!
Other Anti-Debug using LDT
11 Other Protection Techniques
PART 3) Take-home messages
Reversing, anti-analysis, anti-forensics
Ricardo J. Rodríguez received M.S. and Ph.D. degrees in Computer Science from the University of Zaragoza, Zaragoza, Spain, in 2010 and 2013, respectively. His Ph.D. dissertation focused on performance analysis and resource optimization in critical systems, with special interest in Petri net modelling techniques. He is currently an Assistant Professor at Centro Universitario de la Defensa, General Military Academy, Zaragoza, Spain. His research interests include performance and dependability analysis, program binary analysis, and contactless card security. He has participated as a speaker (and trainer) in several security conferences, such as NoConName, Hack.LU, RootedCON, Hack in Paris, MalCON, or Hack in the Box Amsterdam, among others.
You can, quite reasonably, expect smart locks and access control systems to be free from alarming security vulnerabilities, such a common issue for the average IoT device. Well, this training will prove you wrong. After performing multiple hands-on exercises with a dozen real devices and various technologies, you will never look at these devices the same way.
During this course students will perform: wireless sniffing, spoofing, cloning, replay, DoS, authentication and command-injection attacks. Practical exercises will include investigating proprietary network protocols, demystifying and breaking "military grade encryption", abusing excessive services, intercepting wireless remote controls, brute-forcing PINs via voice calls and attacking building automation systems. The offensive exercises will teach you how to analyze the devices' security, and the best-practice guidelines will help you design them properly.
The software activities will be mixed with short entertaining tricks, including opening a lock with a strong magnet, counterfeiting fingerprints on a biometric sensor or opening a voice-controlled lock by remotely hacking speaker-enabled devices. Several tasks will be associated with an electromagnetic lock guarding a special vault. Whenever a student succeeds in hacking the lock, the box opens automatically and reveals a hidden reward.
Covering lots of various topics and technologies (including NFC, Bluetooth Smart, embedded Linux, Wiegand, WiFi, P2P, SDR, GSM, KNX, ...) guarantees that regardless of whether you are a beginner or a skilled pentester, you will learn something new and have a good time. The training includes a hardware pack (over 100 EUR value) for each student, consisting of a preconfigured Raspberry Pi, NFC board, RTL-SDR dongle and Bluetooth Low Energy sniffer. The hardware will introduce you to the world of RF analysis, and allow you to crack and clone NFC cards and sniff and analyse Bluetooth Low Energy connections.
UID-based access control - practical exercises on example reader + door lock
Wiegand - wired access control transmission standard
Mifare Classic & its weaknesses - practical exercises based on hotel door lock system, ski lift card, bus ticket
Reverse-engineering data stored on card
Introduction to Proxmark, Low Frequency cards (EM4100, HID Prox).
Summary of known attacks and security issues of Mifare Plus, DESFire, Ultralight C, HID iClass ...
based on multiple devices (including 7 various smart locks) and tools developed by the trainer: GATTacker BLE MITM proxy and deliberately vulnerable Hackmelock (consisting of Android mobile application and lock device simulated on Raspberry Pi).
BLE advertisements and beacons
Sniffing BLE connections using RF layer hardware
HCI dump (Linux, Android) - setup, analysis, difference from RF-layer sniffing, replay/fuzzing possibilities.
Attacking services exposed by devices
Device spoofing, active MITM interception
Mobile application analysis, attacks on proprietary authentication and protocols
Relay attacks - abusing automatic proximity features (e.g. smart lock autounlock).
Remote access share functions and their weaknesses - how to bypass timing restrictions.
How to create your own, independent server-side API for a device - based on a real smart lock vendor which disappeared and shut down its servers, effectively rendering the device e-waste.
Introduction to Web Bluetooth, Bluetooth Mesh, Bluetooth 5.0
BLE Hackmelock - open-source software emulated device with multiple challenges to practice at home.
BLE best practices and security checklist - for security professionals, pentesters, vendors and developers.
based on wireless door lock, alarm+home automation system and other devices:
based on fingerprint sensor device, wireless door lock, alarm system, HVAC controller
an example installation connected to electromagnetic lock
based on remote control alarm system
how to disarm the alarm using a wire connected to a Raspberry Pi - Software Defined Radio - tools and hardware
you will also be able to try:
Trainer, speaker and IT security consultant with almost 15 years of experience. He participated in many assessments of systems' and applications' security for leading financial companies and public institutions, including a few dozen e-banking systems. Slawomir has an MSc in automation & robotics, previously developed secure embedded systems certified for use by national agencies, and recently also IoT assessment tools, including a new BLE MiTM proxy. Currently leading research on various topics at the Polish software security company SecuRing. Besides research and training, he focuses on consulting and designing secure solutions for various software and hardware projects, during all phases, starting from scratch. Speaker at BlackHat USA (new Bluetooth Smart Man-in-the-middle proxy tool), Appsec EU (insecurity of proprietary network protocols), HackInTheBox Amsterdam (Host Card Emulation mobile contactless payments), Confidence (IoT), Devoxx and other conferences for developers (SDLC, mobile application security). Trainer at HackInParis, Appsec EU, Deepsec, HackInTheBox, BruCON, Confidence.
New-generation malware and attacks have been targeting ICS and systems, causing huge monetary and human life losses. ICS systems are still vulnerable in nature because they are poorly understood. Penetration testing of ICS systems is a very niche field which requires in-depth knowledge and depends heavily on hardware availability.
This course will concentrate on methodologies to conduct penetration testing of commercial hardware devices such as PLCs as well as simulators, and will also provide an excellent opportunity for participants to gain hands-on experience in penetration testing of these devices and systems. This course also focuses on hardware analysis of the embedded system and fuzzing techniques over ICS protocols to identify 0-day vulnerabilities. The ICS setup will simulate the ICS infrastructure with real-time PLCs and a SCADA application. At the end of the course there will be an ICS CTF and some goodies to give away to the winners.
Throughout the course, we will use DRONA-ICS, a VM created by us specifically for ICS and IoT penetration testing. DRONA is the result of our R&D and has most of the required tools for ICS and IoT security analysis. We will also distribute DIVA – ICS, a vulnerable embedded sensor made in-house for hands-on exercises.
The “Practical Industrial Control System (ICS) Hacking” course is aimed at security professionals who want to enhance their skills and move to/specialize in ICS security. The course is structured for beginner to intermediate level attendees who do not have any experience in ICS, reversing or hardware.
And at the end, an ICS CTF challenge.
Arun is a Hardware, IoT and ICS Security Researcher, working with Payatu Software Labs as Sr. Security Researcher. His areas of interest are Hardware Security, SCA, Fault Injection, RF protocols and Firmware Reverse Engineering. He also has experience in performing Security Audits for both government and private clients. He has presented talks at nullcon 2016 and 2017 (Goa), GNUnify 2017 and Defcamp 2017, and is also a co-trainer for the Practical IoT Hacking training, delivered at HITB 2017, HIP 2017 and for private clients in London, Australia, Sweden, the Netherlands etc. He is an active member of null – The open Security community.
Industrial Control Systems (in)security has been making headlines on a regular basis recently. Why? Are security experts crying wolf or do we have a real problem? This training will help you understand the specificities of OT (Operational Technology) compared to IT. Using this knowledge, we will identify the most common vulnerabilities, and then exploit them on several hands-on lab systems, including real ICS software and real PLCs. We'll conclude this training with an engaging ICS Capture the Flag half-day!
All attendees will need to bring a laptop capable of running virtual machines (4 GB of RAM is a minimum). Each attendee will be given a USB key with a custom Kali virtual machine, which includes the specific tools that we will use as well as the lab files (pcap, etc), and a Windows virtual machine with specific ICS software to perform the lab sessions.
This training is aimed at security professionals willing to dive deep into Industrial Control Systems and have real-world, hands-on sessions. There is no specific requirement for attendees except a basic infosec culture.
Module 1 : Introduction to ICS
For starters, we will introduce the concept of ICS. The topics will include:
A brief history of ICS
The CIM model
ICS components (PLCs, HMI, SCADA, DCS, sensors, RTUs, Historian, etc) and their roles
OT vs IT
Module 2 : Pentesting Basics & tools
This module will introduce the concept of a penetration test. We will not spend too much time on the theoretical stuff (how to write a report, etc.) since that is not what attendees are looking for. However, this module is required to ensure that everyone shares at least the basic concepts of penetration testing, in order to understand the rest of the training.
The module will include :
OSINT for ICS : Where to look to find information
Reconnaissance : how to port scan & use Nessus
Exploitation : Metasploit basics
Toolz used : nmap, Nessus, Metasploit
Lab setup : Windows Servers and workstations, Metasploitable, Kali Linux
Module 3 : Windows basics and pentesting Windows
Unfortunately, any ICS now includes, at least in some areas, Windows systems. So some time must be spent on Windows basics. This module will introduce the following topics:
Windows Active Directory
How to find credentials on Windows systems
Exploiting and pivoting to gain Domain Admin privileges
A selection of hacking techniques will be applied on lab machines
Even if you are already knowledgeable about Windows and its security, I'm quite sure I can show you some new tricks :)
Module 4 : Common ICS vulnerabilities
This module will introduce the most common vulnerabilities found during ICS audits:
Lack of network segmentation / Exposure
Lack of hardening
ICS protocols insecurity
Module 5 : ICS protocols
This module will introduce the most common ICS protocols:
Attendees will analyze network captures and be introduced to software libraries/clients to use these protocols to talk to PLC simulators as well as real PLCs.
Module 6 : Introduction to safety for security pros
This module will introduce the safety knowledge required to understand the OT world. The different concepts of safety will be detailed, as well as the leading standards and hazard analysis. The differences from IT risk analysis will be mentioned and, to finish, a basic case study will be performed.
Module 7 : Programming PLCs [HS]
In order to gain a better understanding of how a PLC works, students will use dedicated software to program a PLC in ladder logic (using trial versions of TIA Portal and/or SoMachine Basic). Students will then deploy the code to real PLCs.
Toolz used : TIA Portal / SoMachine Basic
Lab : Windows virtual machine and real PLCs from Schneider and Siemens
Module 8 : Pentesting ICS [HS]
This module will consist mostly of lab sessions, in order to apply the knowledge learned during module 5:
Theory and general warning when performing tests in real ICS environments
Network capture analysis & replaying packets
Talking industrial protocols : Modbus, S7...
Additional PLC features: web server, FTP, SNMP...
Lab : Windows Servers and workstations, Kali Linux, Siemens and Schneider PLCs
Module 9 : Securing ICS [HS]
We all know it: every client wants to know what they can do to improve the security of their systems. This module will detail the technical and organizational measures one can implement to secure an ICS. This will include : system hardening, network segmentation, sharing data with IT systems, and security monitoring.
The leading security standards will also be mentioned and briefly compared.
Toolz used : Windows virtual machine, IDS
Lab : Students will configure an IDS virtual machine, verify its effectiveness, and write a new attack signature for an attack performed earlier in the training.
Module 10 : Case study PM
In this module, students will be given information and network diagrams about a case-study ICS. They will have to highlight the security weaknesses and come up with recommendations.
Module 11 : Capture The Flag [HS]
A good training must include “real-life” examples and labs. To go beyond the individual labs, we will dedicate the last half-day of the training to a Capture The Flag event. To do so, I will have a specific setup where attendees will be able to use their newly-acquired knowledge on a simulation of a “real-life” system. This will include compromising a Windows host, pivoting to the ICS, understanding the industrial process, and finally capturing a real flag with a robot hand !
Arnaud Soullié (@arnaudsoullie) is a manager at Wavestone. For 8 years, he has been performing security audits and pentests on all types of targets. He specializes in Industrial Control Systems and Active Directory security. He has spoken at numerous security conferences on ICS topics : BlackHat Europe, BruCon, 4SICS, BSides Las Vegas, DEFCON...
EC-Council's CCISO Program has certified leading information security professionals around the world. A core group of high-level information security executives, the CCISO Advisory Board, contributed by forming the foundation of the program and outlining the content that would be covered by the exam, body of knowledge, and training. Some members of the Board contributed as authors, others as exam writers, others as quality assurance checks, and still others as trainers. Each segment of the program was developed with the aspiring CISO in mind and looks to transfer the knowledge of seasoned professionals to the next generation in the areas that are most critical in the development and maintenance of a successful information security program.
The Certified CISO (CCISO) program is the first training and certification program of its kind aimed at producing top-level information security executives. The CCISO does not focus solely on technical knowledge but on the application of information security management principles from an executive management point of view. The program was developed by sitting CISOs for current and aspiring CISOs.
To sit for the exam after taking training, candidates must have five years of experience in three of the five CCISO Domains verified via the Exam Eligibility Application.
Target audience : Current and aspiring CISOs and/or CIOs.
Expert in the area of information security, with an active career in IT as a background and a long list of passions such as traveling the world, music and football. He entered the international cyber community 10 years ago and never left. He is a regular speaker at local government conferences, on subjects such as privacy, cyber security, implementing information security management systems (ISMS) and how to audit and maintain them. He implemented the first nationally approved citizen electronic ID in Dutch local government. He helps companies become aware of cyber threats and how to protect their valuable assets, addressing not only the technical approach but especially the human factor of cyber threats.
If we cancel a training after your order, you will be refunded the full price of the training.
If you have any question or request, you can contact us at: +33 1 78 76 58 16
Talk : Participate in the talks for €200.00