Overview

This class talks about a wealth of hacking techniques to compromise web applications, APIs, cloud components and other associated end-points. This class focuses on specific areas of appsec and on advanced vulnerability identification and exploitation techniques (especially server side flaws). The class allows attendees to practice some neat, new and ridiculous hacks which affected real life products and have found a mention in real bug-bounty programs. The vulnerabilities selected for the class either typically go undetected by modern scanners or the exploitation techniques are not so well known.

Note: This is a medium paced class and attendees are expected to have a basic understanding of common web vulnerabilities and attacks. Attendees will also benefit from a state-of-art Hacklab and we will be providing free 30 days lab access after the class to allow attendees more practice time.

The following is the course outline:

Day 1:

Authentication Attacks

• Logical Bypass / Boundary Conditions
• Token Hijacking attacks
• Attacking SSO
• SAML / OAuth 2.0 / JWT Attacks
• SAML Authentication and Authorization Bypass

Advanced XXE Attacks

• XXE through SAML
• XXE in file parsing
• XXE Exploitation over OOB channels

Breaking Crypto

• Known Plaintext Attack (Faulty Password Reset)
• Path Traversal using Padding Oracle
• Hash length extension attacks
• Auth Bypass using Pre-shared MachineKey

Complex Business Logic Flaws / Authorization flaws

• Mass Assignment bugs
• Invite/Promo Code Bypass
• Replay Attack
• Second Order IDOR attack
• HTTP Parameter Pollution (HPP)

Day 2 :

Server-Side Request Forgery (SSRF)

• SSRF to call internal files
• SSRF to exploit templates and extensions

SQL Injection Masterclass

• 2nd Order Injection
• Out-of-Band exploitation
• SQLi through crypto
• OS code exec via Powershell
• Advance SQLMAP Usage with eval option
• Data Exfiltration over DNS via SQLi
• Introspection based attacks in GraphQL

Remote Code Execution (RCE)

• Java Serialization Attacks
• Net Serialization Attack
• PHP object injection
• Ruby/ERB template injection

Day 3:

Attacking the Cloud

• SSRF Exploitation
• Serverless exploitation
• Google Dorking in the Cloud Era
• Cognito misconfiguration to data exfiltration
• Various Case Studies

Tricky File Uploads

• Malicious File Extensions
• Circumventing File validation checks

Attacking Hardened CMS

• Identifying and attacking various CMS
• Attacking Hardened Wordpress, Joomla, and Sharepoint

Miscellaneous Topics - A Collection of weird and wonderful XSS and CSRF attacks - Attack Chaining

B33r 101

KEY TAKEAWAYS

• The latest hacks in the world of web hacking. The class content has been carefully handpicked to focus on some neat, new and ridiculous attacks.

• We provide a custom kali image for this class. The custom kali image has been loaded with a number of plugins and tools (some public and some NotSoPublic) and these aid in quickly identifying and exploiting vulnerabilities discussed during the class.

• The class is taught by a real pentester and the real-world stories shared during the class help attendees in putting things into perspective.

WHO SHOULD TAKE THIS COURSE

• Web developers
• SOC analysts
• Intermediate level penetration testers
• DevOps engineers, network engineers
• Security architects
• Security enthusiasts
• Anyone who wants to take their skills to the next level.

AUDIENCE SKILL LEVEL

Intermediate/Advanced

STUDENT REQUIREMENTS

Students must bring their own laptop and have admin/root access on it. The laptop must have a virtualization software (virtualbox / VMWare) pre installed. A customized version of Kali Linux (ova format) containing custom tools, scripts and VPN scripts for the class will be provided to the students. The laptop should have at least 4 GB RAM and 20 GB of free disk space dedicatedly for the VM.

Users are also encouraged to familiarize themselves with Burp Suite https://portswigger.net/burp/communitydownload to gain maximum out of the class.

WHAT STUDENTS SHOULD BRING

See student requirement

WHAT STUDENTS WILL BE PROVIDED WITH

Access to a hacking lab not just during the course but for 30 days after the class too. This gives them plenty of time to practice the concepts taught in the class. Numerous scripts and tools will also be provided during the training, along with student handouts.

Our courses also come with detailed answer sheets. That is a step by step walkthrough of how every exercise within the class needs to be solved. These answer sheets are also provided to students at the end of the class.

Who should attend

• Pentesters, security professionals, red teamers, researchers
• BLE/NFC device designers, developers
• Anyone interested

Key learning objectives

• In-depth knowledge of Bluetooth Low Energy, common implementation pitfalls, device assessment process and best practices
• Ability to identify vulnerable access control systems, clone cards and reverse-engineer data stored on card

Prerequisite knowledge

• Basic familiarity with Linux command-line
• Scripting skills, pentesting experience, Android mobile applications security background will be an advantage, but is not crucial
• No prior knowledge of Bluetooth Low Energy nor NFC is required

Hardware/software requirements

• Contemporary laptop capable of running Kali Linux in virtual machine (VirtualBox or VMWare), and at least two USB ports available for VM guest
• Android smartphone with BLE and NFC support will be very helpful
• You can bring your own BLE device or access control card to check its security

Each student will receive

• Course materials in PDFs (over 2000 pages)
• All required additional files: source code, documentation, installation binaries, virtual machine images on a pendrive

• Take-away hardware pack for hands-on exercises consisting of:

  • Proxmark 3 with latest firmware
  • Multiple RFID/NFC tags for cracking and cloning, including “Chinese magic UID”, T5577, Ultralight, HID Prox, iClass, EV1, Mifare Classic with various content (bus ticket, hotel, e-wallet, …)
  • NFC PN532 board (libnfc)
  • Raspberry Pi 3 (+microSD card and 3.1A power adapter), with assessment tools and Hackmelock installed for further hacking at home.
  • Bluetooth Smart hardware sniffer (nRF, BtleJack) based on nrf51822 module
  • Individual BLE device to attack running on development kit (including source code)
  • ST-Link V2 SWD debugger for programming nRF boards
  • 2 Bluetooth Low Energy USB dongles

Detailed agenda

Bluetooth Smart (Low Energy)

Theory introduction

• What is Bluetooth Smart/Low Energy/4.0, how it is different from previous Bluetooth versions?
• Usage scenarios, prevalence in IoT devices
• Protocol basics
• Required hardware for BLE assessment

BLE advertisements

• Scanning for visible devices, hcitool, bleah, bettercap, Mirage, GATTacker, …
• Beacons: iBeacon, Eddystone, Physical Web
• Simulating beacons – using mobile phone, Linux scripts, other devices.
• How to get free beer by abusing beacon-based reward application
• "Encrypted" beacons, abusing weaknesses in beacon management control protocols
• BLE advertisements of Microsoft and Apple devices (user tracking, decoding of current status/phone number)
• Advertisement spoofing – Denial of Service, device impersonation

BLE connections

• Central vs peripheral device
• GATT – services, characteristics, descriptors, handles, reading, writing, notifications
• Mapping device services and characteristics
• Interacting with BLE devices using mobile phone, command-line, various tools
• Taking control of simple, insecure devices – sex toys, key finders, …

Sniffing BLE connections using RF layer hardware

• BLE radio modulation, channels, hopping, connection initiation
• BLE link layer encryption – introduction, why is it hardly used in practice
• Sniffing hardware: Ubertooth, nRF sniffer, BtleJack, Sniffle, SDR …
• Wireshark filters, tips&tricks
• Sniffing static cleartext password of a smart lock and other devices

HCI dump - capturing own BLE traffic

• Difference from RF layer sniffing
• Linux command-line hcidump
• Android: live BLE packets analysis in Wireshark via TCP service

Device spoofing, active MITM interception

• How to perform “man in the middle” attack on BLE connections
• Available tools: GATTacker, BtleJuice, BtleJack, Mirage
• MAC address cloning, mobile OS GATT cache potential problems
• Analysing intercepted traffic
• Denial of Service attacks
• Jamming and hijacking active connections with BtleJack

Replay attacks

• Intercept transmission
• Analyse authentication protocol weakness in example smart lock
• Perform replay using tools or mobile phone, and unlock the device

Relay attacks – abusing automatic proximity features (e.g. smart lock autounlock).

Various smart locks vulnerabilities case-studies

• Attacks on proprietary authentication and protocols
• Decompile Android app, locate relevant source code fragments
• Understand proprietary BLE communication protocol – commands, data exchanged with device
• Based on example smart lock, discover protocol weakness, create exploit to open the lock without knowing current password or prior sniffing
• Exploit the vulnerability using just a mobile phone – nRF Connect macros
• Verify other vendor’s claims on “Latest PKI technology” and “military grade encryption”
• Example unlocked AT command interface via BLE service of a smart lock
• Remote access share functions and their weaknesses – how to bypass timing restrictions.
• How to create own, independent server-side API for device – based on a real smart lock vendor, which disappeared and shut the servers, effectively rendering the device e-waste

Advanced BLE MITM topics

• Hooks, data modification on the fly (example attack on mobile PoS)
• Command injection
• Upstream websocket proxy
• "Rolljam"-like attacks on single use keys
• When MITM attack does not work or is not possible – debugging, troubleshooting

Device DFU firmware update OTA services.

Bluetooth link-layer encrypted connections

• BLE pairing, bonding, encryption
• Intercepting pairing process and decoding Long Term Keys (crackLE)
• Weaknesses of simple pairing (static PIN, just works)
• How to trick a victim into re-pairing

Abusing BLE bonding trust relationships

• Analysis of Google Titan U2F token vulnerability
• Possibilities for malicious actions (e.g. change device to appear as a BLE keyboard).

Web Bluetooth – interfacing with nearby devices from javascript.

• How hard is it to hijack BLE devices from a hostile web site
• Writing new javascript interface to control own device

Bluetooth Mesh, Bluetooth 5.0 – what these technologies change and what not in terms of BLE security.

BLE Hackmelock – open-source software emulated device with multiple challenges to practice at home.

BLE best practices and security checklist – for security professionals, pentesters, vendors and developers.

NFC

Short introduction

• RFID/NFC – where do I start?
• Frequencies, card types, usage scenarios
• How to recognize card type – quick walkthrough
• Equipment, and what can you do with it – mobile phone, card reader, simple boards, Chameleon Mini, Proxmark, other hardware

UID-based access control – practical exercises on example reader + door lock

• UID-based access control – still surprisingly popular
• UID lengths, formats
• Clone Mifare UID using Android phone and “gen2” UID-changeable card, or libnfc/Proxmark and gen1 card
• How to emulate contactless cards and unlock UID-based system using just a smartphone (Android, iOS), without any additional hardware
• How to clone a card by making its picture – decoding numbers printed on cards
• Cloning other ID-based cards – Low Frequency EM41XX, HID Prox, …
• Emulate card using Proxmark, Chameleon Mini
• Brute-force – is it possible in practice to guess other cards UID?
• Countermeasures against attacks

Wiegand – wired access control transmission standard

• Sniff the data transmitted from access control reader using Raspberry Pi GPIO, ESP RFID Tool, BLE-Key, …
• Decode card UID from sniffed bytes, clone the card
• Replay card data on the wire to open lock

Mifare Ultralight

• Data structure
• Reading, cloning, emulating
• Example data stored on hotel access card
• Ultralight EV1, C

Mifare Classic & its weaknesses – practical exercises based on hotel door lock system, ski lift card, bus ticket

• Mifare Classic – data structure, access control, keys, encryption
• Default & leaked keys
• Reading & cloning card data using just a mobile phone
• Cracking keys – nested, darkside attacks
• Libnfc tools – mfoc, mfcuk, MiLazyCracker
• Cracking Mifare using Proxmark
• Attacks on EV1 “hardened” Mifare Classic
• Online attacks against reader

Reverse-engineering data stored on card - based on a real hotel system

• Recoding access control data (room number, date) stored on card by an example hotel system
• Creating hotel „emergency card” to open all the hotel doors unconditionally

Mifare DESFire – introduction, sample attack on misconfigured access control system

ISO15693/iCode SLIX

• Cloning ISO15693 UID on a “magic UID” card, unlocking smart lock
• Data of several example ski passes

HID iClass

• Cloning “legacy” / “standard security” iClass
• Attacks on iClass Elite

Hitag2 access control

• Sniffing password mode transmission between reader and tag
• Simulating Hitag2 against the reader using Proxmark

Intercepting card data from distance – building antenna, possibilities and limits.

We realise that training courses are limited for time and therefore students are also provided with the following:

• Completion certificate
• 14-day extended LAB access after the course finishes
• 14-day access to a CTF platform with subnets/hosts not seen during training!
• Discord support channel access where our security consultants are available Hacking Enterprises

Agenda:

Day 1

• MITRE ATT&CK framework
• Overview on using the in-LAB ELK stack
• Offensive OSINT
• Enumerating and exploiting IPv6 targets
• Pivoting, routing, tunnelling and SOCKS proxies
• Application enumeration and exploitation via pivots
• Linux living off the land and post exploitation
• Kubernetes and container security

Day 2

• Exploitative phishing against our simulated enterprise users
• Living off the land tricks and techniques in Windows
• [email protected] and [email protected] cracking
• Windows exploitation and privilege escalation techniques
• Windows Defender/AMSI and UAC bypasses
• Situational awareness and domain reconnaissance
• RDP hijacking

Day 3

• Bypassing AWL (AppLocker, PowerShell CLM and Group Policy)
• Extracting LAPS secrets
• Lateral movement for domain trust exploitation
• WMI Event Subscriptions for persistence
• Out of Band (OOB) data exfiltration
• Domain Fronting and C2

Who Should Attend:

This training is suited to a variety of students, including:

• Penetration testers / Red Team operators
• SOC analysts
• Security professionals
• IT Support, administrative and network personnel

Prerequisite Knowledge:

• A firm familiarity of Windows and Linux command line syntax
• Understanding of networking concepts
• Previous pentesting and/or SOC experience is advantageous, but not required

Hardware / Software Requirements:

• Students will need to bring a laptop to which they have administrative/root access, running either Windows, Linux or Mac operating systems
• Students will need to have access to VNC, SSH and OpenVPN clients on their laptop (these can be installed at the start of the training)

Previous Training Locations: The 2019 and 2020 releases of this training have been given at the following conferences.

• Black Hat Asia (Virtual – September 2020)
• Wild West Hackin’ Fest (Virtual - September 2020)
• Black Hat USA (Virtual – August 2020)
• BruCon Spring Training (Virtual - June 2020)
• Wild West Hackin’ Fest (Virtual - March 2020)
• 44CON (UK - June 2019)
• Nolacon (USA - May 2019)
• Wild West Hackin’ Fest (USA - October 2019)

What previous attendants said about this training:

“I was always feeling that malware is something scary, something I can’t understand or control. Now I feel it’s not scary anymore. I can actually analyse it, understand it and control it.” by Fung Dao Ying, System Analyst in Bintulu Port Holding Berhad

LEARNING OBJECTIVES:

• Understand the lifecycle of a targeted attack and all the techniques & strategies the attackers use to penetrate an organization (Spear-phishing, drive by download … etc)
• Know what the steps to take when you discover a malware in your network.
• Perform basic static & behavioral analysis of a malware in an isolated virtualized environment
• Perform static and dynamic code analysis to determine the malware functionality using IDA Pro and Ollydbg/x64dbg
• Understand the basics of the x86 assembly language
• Learn how to detect and analyze a malicious document with embedded macros
• Learn to extract the the network and host-based indicators of compromise
• Able to analyze downloaders, droppers, keyloggers, fileless malwares, HTTP backdoors, etc.
• Perform memory forensics on an infected machine and extract the malware artifacts from its memory.

PROGRAM OUTLINE

DAY 1

APT Attacks & Malware Analysis:

• What is an APT Attack
• What are the Attack Stages?
• The APT Attack Vectors
• Types of Malware
• Why Malware Analysis
• Types of malware analysis
• Setting up an isolated lab environment

Basic Static Analysis:

• Fingerprinting the malware
• Extracting strings
• Determining File obfuscation
• Unpacking Packed Malware
• Understanding PE File characteristics
• Hands-on lab exercise involves analyzing real malware sample

Behavioral Analysis & Sandboxing:

• Understanding Behavioral Analysis tools
• Monitoring process, file system, registry and network activity
• Determining the Indicators of compromise (host and network indicators)
• Custom Sandbox Overview
• Working of Sandbox
• Sandbox Features
• Hands-on lab exercise involves analyzing real malware sample

Code Analysis & Malware Functionalities:

• Intro to code analysis
• Droppers & Downloaders
• Maintaining Persistence
• Keylogging
• Banking Trojans & Man in The Browser (MiTB)
• Point of Sale Malware (POS)
• Understanding Indication of Comprise
• Write your own YARA rule

DAY 2:

Intro To x86/x64 Assembly:

• Understanding CPU registers and assembly instructions
• Dive deeper in the assembly language and memory handling
• Reversing assembly code blocks into a higher-level language (C++)
• Dealing with local & global variables

Static & Dynamic Code Analysis In-Depth:

• Code Analysis Overview
• Disassembler & Debuggers
• Code Analysis Tools
• Basics of IDA Pro
• Basics of Ollydbg/x64dbg
• Understanding the API calls
• Inspecting API call references
• Demo: Performing static analysis with IDA Pro (Hands-on Practice)
• Demo: Performing dynamic analysis with OllyDbg (Hands-on Practice)
• Hands-on lab exercise involves analyzing real malware sample

Encryption, Packing & Obfuscation

• Understanding different encryption algorithms
• Demo: Examining RC4 encryption algorithm
• Learning 4 different manual unpacking techniques for custom unpacking
• Dissecting different obfuscation techniques
• Hands-on Practice on unpacking malware

DAY 3:

Spear-phishing Attacks with Malicious Documents:

• Examining a malicious office document packed with vbscript macros
• Examining & Dissecting malicious pdf files
• hands-on labs to examine documents packed with malicious macros (real attacks)

Investigating User-Mode Rootkits & API Hooking:

• Understanding Process Internals
• Process & Thread Environment Block Structure
• Code Injection
• Types of Code injection
• Remote DLL injection
• Remote Code injection
• Reflective DLL injection
• Hollow process injection
• API Hooking & IAT Hooking
• Hands-on lab exercise (scenario based) involves investigating malware infected memory

Memory Forensics & Volatility Overview:

• What is Memory Forensics
• Why Memory Forensics
• Steps in Memory Forensics
• Memory acquisition and tools
• Introduction to Volatility (Advanced Memory Forensics Framework)
• Volatility basic commands
• Determining the profile
• Volatility help options
• Running the plugin

Investigation Process Memory Using Volatility:

• Process memory Internals
• Listing DLLs using Volatility
• Identifying hidden DLLs
• Dumping malicious executable from memory
• Dumping DLLs from memory
• Scanning the memory for patterns (yarascan)
• Volatility plugins to identify process injections and API hooking
• Hands-on lab exercise (scenario based) involves investigating malware infected memory

Who Should Attend

This course is intended for Cyber Security investigators, Cyber Security Heads and Managers, Security Researchers, Information Technology Heads and Managers, Forensic Practitioners, Incident Responders Malware Analysts, System Administrators, Software Developers ,and security professionals who would like to expand their skills and Anyone interested in learning Malware Analysis and Memory Forensics.

Materials Provided:

• Training Prerequisite & Lab Setup Guide: a step by step guide to prepare your isolated virtualized environment for executing and analyzing malware
• Malware Analysis Lab VM (Windows 7 VM) with all required tools pre-installed. It will be provided in .ova format
• The labs/exercises samples and memory images.
• A printed copy of mastering Malware Analysis Book
• A printed copy of Malware Analysis & Reverse Engineering Workbook which includes all the exercises taught in the training with step by step solutions to them.

Delegate Requirements:

• Should be familiar with using Windows/Linux
• Should have an understanding of basic programming concepts, while programming experience is not mandatory.

Hardware/Software Requirements:

• Laptop with minimum 8GB RAM and 80GB free hard disk space
• Laptop with USB ports, lab samples, and custom Linux VM will be shared via USB sticks
• VMware Workstation or VMware Fusion (even trial versions can be used).
• Delegates must have full administrator access for the Windows operating system.

Note: VMware player or Virtual Box is not suitable for this training.

Day 1

## Module 1

Introduction

Physical intrusion vectors

• Social Engineering
• Climbing
• Access opening

Discover physical security

• The different types of locks
• How they work
• How to identify them

Introduction to scenarios

• Casual intruder (opportunist)
• Organized burglar team
• Industrial espionage

## Module 2 Wafer locks and tubular locks opening

Wafer locks

• Identification
• Lockpicking
• Decoding
• Jigglers

Tubular locks

• Identification
• Self-impressioning
• Lockpicking

Day 2

## Module 3 Combination padlocks and key boxes

• Identification
• Shims (on compatible models)
• Decoding
• Blade bypass (on compatible models)

Keyed padlocks

• Lockpicking
• Combs
• Shims (on compatible models)
• Blade bypass (on compatible models)

Module 4 Pin tumbler locks lockpicking

Raking

• Specific tools
• The technique
• Tips and tricks

Single Pin Picking

• Specific tools
• The technique
• Tips and tricks

Lockpick guns

• Mechanical PickGun
• Electronic PickGun
• Specific tensioners

Day 3

Module 5 The Key vector

Key duplication

• By molding
• With a file
• From a picture
• Special techniques

Bumpkeys

• Identification
• Fabrication
• Different techniques (push/pull)

Keyed Alike locks * Finding the key of your target

Module 6 The Door vector

Non Destructive Opening of the door

• Day-latched door opening
• From the latch
• From the handle
• From the bottom
• Exit only doors

Module 7 RF and RFID introduction

RF

• Identify and attack easily the least protected systems

RFID

• Identify and attack easily the least protected systems

Module 8

Conclusion

Flaws

· Flaws summary

Tools and techniques summary

Possible protections

• Summary of possible protections

Homework

• How to practice and develop your skills after the training

Legal stuff

• Don't go to jail!