This workshop presents the concepts behind exploiting binary applications using return-oriented programming (ROP), with a balance of theory and practical exploit development. Participants will analyze a vulnerable binary, find the bug and develop a complex gadget chain involving advanced return-oriented programming techniques such as stack pivoting to build a multi-stage exploit that results in arbitrary code execution on the target server. With guidance at each step of the way, this workshop aims to give hands-on experience of the techniques and methods involved in developing a functional ROP exploit. Whether you want to try the challenge on your own or follow along, this workshop will hopefully have something for you.
The following topics will be covered:
Participants should be comfortable with reading C code and simple x86-64 assembly listings. Experience with reverse engineering is not required but will help when debugging the exercises.
You should also bring a laptop with an ssh client to connect to the challenge servers and a Software Reverse Engineering tool such as Ghidra (Recommended), Radare2, or IDA. No additional software is required as all the tools will be provided remotely.
Familiarity with tmux, pwntools, pwndbg and the command line will help but is absolutely not required.
The following tools will be presented and used in the workshop:
Alexandre is a security researcher working for GoSecure. His areas of expertise are reverse engineering, binary exploitation and tool development. His previous experience as a software developer covers a broad spectrum of topics ranging from low-level systems and binary protocols to web applications. Prior to joining the research team, Alexandre spent time as an Ethical Hacker honing his offensive security skills. His areas of interest include binary analysis, compiler theory and systems programming. Alexandre gives back to the Montréal infosec community by volunteering his time, contributing workshops and designing application security challenges for events like MontréHack and REcon.
Are you a penetration tester or security researcher interested in IoT security but reluctant to start because you have been told that it requires knowledge of hardware internals, hardware security, IoT architecture, protocols and a plethora of tools, both software and hardware? If yes, then this workshop is meant for you. While it does require a considerable amount of knowledge in the domain, it is not as difficult as you may think. In this workshop we will introduce you to some of the important concepts and tools in a very simple way and will try to map them to general security techniques.
The primary focus of this workshop is to introduce the attendees to the open source IoT Security Testing framework - EXPLIoT (https://gitlab.com/expliot_framework/expliot) and enable them to use it as well as write plugins for new IoT based exploits and analysis test cases.
As we started digging deeper into IoT security, one thing was evident: a lot of time was being spent understanding IoT tools and protocols. So, we decided to create a flexible and extendable framework that would help the security community and us write quick IoT test cases and exploits. The objectives of the framework are:
Easy to use
Support for hardware, radio and IoT protocol analysis
EXPLIoT currently supports the following protocols, which can be used for writing new plugins/exploits:
Radio – BLE
Network – MQTT, CoAP, DICOM, MODBUS
Hardware – CAN, SPI, I2C, UART, JTAG
This workshop will give attendees a first-hand view of the framework's functionality, how to use it and how to write plugins to extend it.
IoT Attack Surface
-- Executing plugins
-- Extending the framework by writing your own plugins
-- Security issues
-- Hands-on with plugins
-- Write a custom Plugin
BLE plugins Hands-on/Demo
CANbus plugins Hands-on/Demo
DICOM plugins Hands-on/Demo
UART Plugins Hands-on/Demo
Hackathon - Get creative and write your own plugin
Knowledge of generic security testing (web, mobile or infra)
Knowledge of Python
Knowledge of Linux
Laptop with Linux OS and EXPLIoT installed
Install dependencies - https://expliot.readthedocs.io/en/latest/installation/manual-installation.html
Install EXPLIoT - $ sudo pip3 install expliot
I am the author of the EXPLIoT framework and love to share information on how it can make the life of an IoT security tester easier.
Duration of the Workshop - 3-4 hrs
Aseem Jakhar is the Director of Research at Payatu (payatu.com), a boutique security testing company specializing in IoT, embedded, mobile and cloud security assessments. He is well known in the hacking and security community as the founder of null - The open security community, a registered not-for-profit organization (http://null.co.in), and also the founder of the nullcon security conference (nullcon.net) and the hardwear.io security conference (http://hardwear.io). He has worked on various security software including UTM appliances, messaging/security appliances, an anti-spam engine, anti-virus software, a transparent HTTPS proxy with captive portal and a Bayesian spam filter, to name a few. He currently spends his time researching IoT security and hacking things. He is an active speaker and trainer at security conferences like AusCERT, Black Hat, Brucon, Defcon, Hack In The Box, Hack.lu, Hack in Paris, PHDays and many more. He is the author of various open source security tools including:
1. ExplIoT – An open source Internet of Things security testing and exploitation framework - https://bitbucket.org/aseemjakhar/expliot_framework
2. Linux thread injection kit - Jugaad and Indroid, which demonstrate a stealthy in-memory malware infection technique. Indroid - https://bitbucket.org/aseemjakhar/indroid Jugaad - https://bitbucket.org/aseemjakhar/jugaad
3. DIVA (Damn Insecure and Vulnerable App) for Android, which gamifies Android app vulnerabilities and is used for learning Android security issues. https://github.com/payatu/diva-android
4. Dexfuzzer – Dex file format fuzzer. https://bitbucket.org/aseemjakhar/dexfuzzer/src
This workshop gives the audience a detailed overview of blind, input-based fuzzing and finding memory bugs, diving into topics such as:
Intro to Fuzzing : The fundamentals of fuzzing, understanding why fuzzing is needed and how to make the process of fuzzing efficient.
Smart Fuzzing : We will look at using american fuzzy lop (AFL), which demonstrates the process of compile-time instrumentation. We will understand the color codes in AFL, process timing, stages, findings, yields, path geometry and stability. We will integrate the address and memory sanitizers (ASAN/MSAN), which help identify address and memory corruption bugs, making the process smarter.
Triage Analysis : We look at the PoCs generated by AFL during the fuzzing process, feeding them to the actual binaries to see how the input is handled by the binaries.
In the intro to fuzzing we will discuss and understand all the parts of a successful fuzzing campaign and why it is needed, understand the various fuzzers and set up the environment.
We will move ahead and start with AFL, understanding the installation part. We will also quickly look at the key AFL components, which are process timing, stages, findings, yields, path geometry and stability. We have created certain vulnerable binaries with which we will demonstrate overflows using AFL and analyze the targets, crashes and hangs that AFL generates.
After that we will move ahead and start with smart fuzzing, where we will integrate ASAN with AFL; but before that we will give a brief understanding of ASAN and MSAN and how they are used to detect runtime bugs in a binary compiled with them.
In the end we will give small exercises to students to get hands-on with what they have learned so far and clear their doubts. We will quickly wrap up our workshop by discussing how they can leverage this knowledge against bug bounty programs and then showcase multiple bugs which we found during our research.
An active speaker who has discovered multiple zero-days in modern web browsers and an open-source contributor. He has presented at conferences such as Hacktivity, PHDays, HITB and BSides. In his free time, he blogs at www.inputzero.io
Attendees will learn to defend against WiFi Pineapple, KARMA attacks and fake access point techniques
BLUE Exercise 1: Threat modeling study of a wireless network that you own or have been assigned
BLUE Exercise 2: Analysis of environmental threats
BLUE Exercise 3: Can you detect abnormal Activities?
BLUE Exercise 4: Can you detect abnormal Activities?
OUR GIFTS (You can take these home)
Besim Altinok (@AltnokBesim) has been researching Wi-Fi security for over a decade. He created the WiPi-Hunter project against Wi-Fi hackers. He is the author of a book on Wi-Fi security. Besim's work on wireless security has been published in ArkaKapi Magazine and others. He has also spoken at top conferences including BlackHat Europe, Blackhat ASIA, Defcon and others. Besim Altinok currently works at Barikat Cyber Security in Turkey. Besim also founded the Pentester Training project.