This workshop presents the concepts behind exploiting binary applications using return-oriented programming with a balance of theory and practical exploit development. Participants will analyze a vulnerable binary, find the bug and develop a complex gadget chain involving advanced return-oriented programming techniques such as stack pivoting to develop a multi-stage exploit which will result in arbitrary code execution on the target server. With guidance at each step of the way, this workshop aims to give a hands-on experience to the techniques and methods involved in developing a functional ROP exploit. Whether you want to try the challenge on your own, or want to follow along, this workshop will hopefully have something for you.
The following topics will be covered:
Requirements
Participants should be comfortable with reading C code and simple x86-64 assembly listings. Experience with reverse engineering is not required but will help when debugging the exercises.
You should also bring a laptop with an ssh client to connect to the challenge servers and a Software Reverse Engineering tool such as Ghidra (Recommended), Radare2, or IDA. No additional software is required as all the tools will be provided remotely.
Familiarity with tmux, pwntools, pwndbg and the command line will help but is absolutely not required.
Tools
The following tools will be presented and used in the workshop:
Alexandre is a security researcher working for GoSecure. His area of expertise is reverse engineering, binary exploitation and tool development. His previous experience as a software developer covers a broad spectrum of topics ranging from low-level systems and binary protocols to web applications. Prior to joining the research team, Alexandre spent time as an Ethical Hacker honing his offensive security skills. His areas of interests include binary analysis, compiler theory and systems programming. Alexandre gives back to the Montréal infosec community by volunteering his time, contributing workshops and designing application security challenges for events like MontréHack and REcon.
Are you a penetration tester/security researcher interested in IoT security but reluctant to start because you have been told that it requires knowledge of hardware internals, hardware security, IoT architecture, protocols and a plethora of tools, both software and hardware? If yes, then this workshop is meant for you. While it does require a considerable amount of knowledge in the domain, it is not as difficult as you may think. In this workshop we will introduce you to some of the important concepts and tools in a very simple way and will try to map them to general security techniques.
The primary focus of this workshop is to introduce the attendees to the open source IoT Security Testing framework - EXPLIoT (https://gitlab.com/expliot_framework/expliot) and enable them to use it as well as write plugins for new IoT based exploits and analysis test cases.
As we started digging deeper into IoT security, one thing was evident: a lot of time was being spent on understanding IoT tools and protocols. So, we decided to create a flexible and extendable framework that would help the security community and us in writing quick IoT test cases and exploits. The objectives of the framework are:
Easy to use
Extendable
Support for hardware, radio and IoT protocol analysis
EXPLIoT currently supports the following protocols which can be utilized for writing new plugins/exploits:
Radio – BLE
Network – MQTT, CoAP, DICOM, MODBUS
Hardware – CAN, SPI, I2C, UART, JTAG
This workshop will give attendees a first-hand view of the functionality, how to use it and how to write plugins to extend the framework.
Workshop outline:
IoT Attack Surface
Expliot Framework
-- Architecture
-- Executing plugins
-- Extending the framework by writing your own plugins
-- Protocol
-- Security issues
-- Hands-on with plugins
-- Write a custom plugin
BLE plugins Hands-on/Demo
CANbus plugins Hands-on/Demo
DICOM plugins Hands-on/Demo
UART Plugins Hands-on/Demo
Hackathon - Get creative and write your own plugin
Pre-requisites
Knowledge of generic security testing (web, mobile or infra)
Knowledge of Python
Knowledge of Linux
Laptop with Linux OS and EXPLIoT installed
Install dependencies - https://expliot.readthedocs.io/en/latest/installation/manual-installation.html
Install EXPLIoT - $ sudo pip3 install expliot
=================================================
Notes
I am the author of the EXPLIoT framework and love to share information on how it can make the life of an IoT security tester easier.
=================================================
Audience Level
All
=================================================
Important
Duration of the Workshop - 3-4 hrs
=================================================
Aseem Jakhar is the Director of Research at Payatu (payatu.com), a boutique security testing company specializing in IoT, embedded, mobile and cloud security assessments. He is well known in the hacking and security community as the founder of null - The open security community, a registered not-for-profit organization (http://null.co.in), and also the founder of the nullcon security conference (nullcon.net) and the hardwear.io security conference (http://hardwear.io). He has worked on various security software including UTM appliances, messaging/security appliances, an anti-spam engine, anti-virus software, a transparent HTTPS proxy with captive portal and a Bayesian spam filter, to name a few. He currently spends his time researching IoT security and hacking things. He is an active speaker and trainer at security conferences like AusCERT, Black Hat, Brucon, Defcon, Hack In The Box, Hack.lu, Hack in Paris, PHDays and many more. He is the author of various open source security tools including:
1. ExplIoT – An open source Internet of Things security testing and exploitation framework - https://bitbucket.org/aseemjakhar/expliot_framework
2. Linux thread injection kit - Jugaad and Indroid, which demonstrate a stealthy in-memory malware infection technique. Indroid - https://bitbucket.org/aseemjakhar/indroid Jugaad - https://bitbucket.org/aseemjakhar/jugaad
3. DIVA (Damn Insecure and Vulnerable App) for Android, which gamifies Android app vulnerabilities and is used for learning Android security issues. https://github.com/payatu/diva-android
4. Dexfuzzer – Dex file format fuzzer. https://bitbucket.org/aseemjakhar/dexfuzzer/src
This workshop takes participants through a low level firmware extraction process which is easy to perform and doesn’t require expensive hardware.
At the core of every IoT device is its firmware. Detailed security assessment of a device starts with obtaining a copy of the firmware. The firmware can then be analyzed statically or dynamically. Several techniques exist for firmware extraction.
Details of the workshop:
We will show how to do it using a cheap USB-to-serial adapter and open source software on a Linux computer.
The workshop will go through the process in the following steps:
Understanding the reconnaissance phase related to hardware
Examining the hardware and finding a serial port
If no serial port is obviously available, finding the working combination of pins with a multimeter to reveal one
Setting up your minicom working environment and connecting the adapter
Extracting the firmware
Analyzing the firmware
=================================================
Notes
Technical requirements:
Attendees can also bring their own devices (mostly IoT devices or routers); I'll have extra adapters and wires to provide for the workshop.
Attendees need to bring their own laptop.
The workshop is done in a *nix environment, Linux or Mac (for the binaries).
Do you have a principal network and repo from where people can download the material for the workshop (binaries, slides)?
In any case, I will publish the configuration requirements early enough before the con so people have time to set up.
=================================================
Duration of the workshop
2 hours
=================================================
Audience Level
Entry level
Former teacher, trained linguist, 42 school alumnus, I'm passionate about research activity on both the computer and human sides. I moved to infosec as a threat intelligence analyst by day and reverser by night. Organizer of the DEF CON group of Paris; we host foreign speakers and love our small hacker gatherings.
This workshop gives the audience a detailed overview of blind, input-based fuzzing and finding memory bugs, diving into topics such as:
Intro to Fuzzing: The fundamentals of fuzzing, understanding why fuzzing is needed and how to make the process of fuzzing efficient.
Smart Fuzzing: We will look at using american fuzzy lop (AFL), which demonstrates the process of compile-time instrumentation. We will understand the color code in AFL, process timing, stages, findings, yields, path geometry and stability. We will integrate the address sanitizer (ASAN/MSAN), which helps in identifying address and memory corruption bugs, making the process smarter.
Triage Analysis: We look at the PoCs generated by AFL during the fuzzing process, feeding them to the actual binaries to see how the input is handled by the binaries.
Summary
In the intro to fuzzing we will discuss and understand all the parts of a successful fuzzing campaign and why it's needed, look at various fuzzers and set up the environment.
We will then move ahead and start with AFL, understanding the installation part. We will also quickly have a look at the key AFL components, which are process timing, stages, findings, yields, path geometry and stability. We have created certain vulnerable binaries on which we will demonstrate overflows using AFL, analyzing the targets, crashes and hangs that AFL generates.
After that we will move ahead and start with smart fuzzing, where we will integrate ASAN with AFL, but before that we will give a brief understanding of ASAN and MSAN and how they instrument a binary at compile time to detect bugs at run time.
In the end we will give small exercises to students to get hands-on with what they have learned so far and clear their doubts. We will quickly wrap up our workshop by discussing how they can leverage this knowledge against bug bounty programs and then showcasing multiple bugs which we found during our research.
An active speaker who has discovered multiple zero-days in modern web browsers and an open-source contributor. He has presented at conferences such as Hacktivity, PHDays, HITB and BSides. In his free time, he blogs at www.inputzero.io
The security of cryptographic protocols remains as relevant as ever, with systems such as TLS and Signal being responsible for much of the Web’s security guarantees. One main venue for the analysis and verification of these protocols has been automated analysis with formal verification tools, such as ProVerif, CryptoVerif and Tamarin. Indeed, these tools have led to confirming security guarantees (as well as finding attacks) in secure channel protocols, including TLS and Signal. However, formal verification in general has not managed to significantly attract a wider audience.
Verifpal is new software for verifying the security of cryptographic protocols that aims to work better for real-world practitioners, students and engineers without sacrificing comprehensive formal verification features. Verifpal has already been used to verify security properties for Signal, Scuttlebutt, TLS 1.3 and other protocols. It is a community-focused project, available under a GPLv3 license.
In this workshop, you will learn how to use Verifpal to model and verify the security goals of advanced, cutting-edge protocols such as Signal and TLS 1.3. No prior knowledge in formal verification is necessary — Verifpal is specifically tailored for beginners and newcomers!
Nadim Kobeissi is a researcher in applied cryptography and director at Symbolic Software. His research work focuses on protocol analysis and formal verification. Nadim received his Ph.D. after doing research at the Institut National de Recherche en Informatique et Automatique (INRIA) in Paris and has published peer-reviewed research focusing on applied cryptography and automated protocol verification.
Attendees will learn to defend against the WiFi Pineapple, KARMA attacks and fake access point techniques.
OUR SCENARIOS
BLUE Exercise 1: Threat modeling study of a wireless network that you own or are responsible for
BLUE Exercise 2: Analysis of environmental threats
BLUE Exercise 3: Can you detect abnormal activities?
BLUE Exercise 4: Can you detect abnormal activities?
OUR GIFTS (You can take these home)
Besim Altinok (@AltnokBesim) has been researching Wi-Fi security for over a decade. He created the WiPi-Hunter project against Wi-Fi hackers. He is the author of a book on Wi-Fi security. Besim's work on wireless security has been published in ArkaKapi Magazine and others. He has also spoken at top conferences including BlackHat Europe, Blackhat ASIA, Defcon, and others. Besim ALTINOK currently works at Barikat Cyber Security in Turkey. Besim also founded the Pentester Training project.