PRE CONFERENCE WORKSHOPS - 21-Aug-2014
WS 1
WS 2
WS 3
WS 4
WS 5
Cryptography Essentials for Pen-Testers
OBJECTIVE
To provide Pen testers with good enough yet strong background on cryptography and cryptographic implementations. After completing the course one will have Idea of how crypto is implemented at various levels of computing and networks and where to look for gaps and flaws and how to exploit them.
COURSE CONTENT
- Module 1. Introduction to Building blocks of Cryptography
- Brief history of cryptography
- Random numbers
- Cipher Suites
- Symmetric Cryptography
- Asymmetric Cryptography
- Message Authentication Code
- Introduction to PKI
- Various PKCS standards & their applications
- FIPS compliance
- Module 2. Cryptographic Implementation in Protocols
- Introduction to TLS/SSH, HTTPS
- Checking for HTTP Strict Transport Security (HSTS)
- Introduction to CSP
- Hands on Openssl toolkit
- Writing secure clients and servers
- Encrypting sensitive information
- Files, File system
- Mails
- Keystore
- Module 3. Cryptography in Enterprise Networks
- PKI revisited
- Key stores & key less logins
- Certificate Generation and Deployment using SCEP/CMP
- Certificate Pinning and Rolling Certificate renewal
- Module 4. Attacking encrypted Networks
- Different Network attacks and how Cryptography stops them
- The flows in various cryptographic standards
- Perfect forward Secrecy
- Module 5. General Cryptographic Attacks
- Exploiting PKI flaws
- Exploiting EBC, CBC
- SSL Sniff/SSL Strip
- Exporting rouge certificates through Android Apps
- Null insertion Attacks
- Downgrading or Upgrading attacks
- Module 6. Crypt Analysis Techniques
- Chosen Plain Text, Chosen Cipher Text, Cipher Text only, Collision
- Dictionary attack
- Stream cipher and Block cipher attacks
- BEAST, CRIME, TIME attacks
- Module 7.Miscillenous
- Secure Boot loaders UEFI
- Secureity in Androild platform
- Encryption in GSM communicaitons A5/1 & Attacks
- Penetration Testing for FIPS compliance
PRE-REQUISITE
Some knowledge of PKI and basic Crytpography will help
PARTICIPANTS REQUIREMENTS
Own laptop (Linux or Win) with Openssl installed
DURATION
1 day
WHO SHOULD ATTEND?
Security enthusiasts and professionals intrested to test and secure Cryptographic implementations
WHAT TO EXPECT
Walk away with the very good understanding of- Working use and abuse of PKI systems using Openssl Toolkit
- Know how to test and exploit secure protocols, encrypted networks, few crypt analysis techniques
- Where to look for flaws in systems secured by cryptography
- What are the latest attacks in the Cryptographic world and how do they work
- Know end to end use and abuse of Browser to Web server secure channels
- Know few advanced standards and theoretical attacks.
WHAT NOT TO EXPECT
- Mathematics Behind the Cryptographic standards
- Breaking Google, FB, Banks secure communication by successful cryptanalysis
- This course tries to gives you basic but essential knowledge of cryptography to be an effective Pen-testers to become a Cryptographer Lets join a PHD course :)
SPEAKER DETAILS
Ajit Hatti is a Co-founder of “null -Open security community”, His work is focused on Infrastructure Security, providing Trusted Computing On Hostile Platforms & most of his papers are in social interest. Invented the widely exploited “Applanting” attack.
Currently working on securing systems using Cryptography at Symantec Corporation, he has worked as and Engineer and Researcher with many security companies like IBM-ISS, Bulelane, Zscaler in past.
He has previously presented his security research at BlackHat, NullCon, Ground Zero Summit, c0c0n, ClubHack.
Ajit Hatti, Co-founder of “null -Open security community”
Learning Pentesting for Android
COURSE ABSTRACT
This unique and fast-paced training will get you familiar with the various Android exploitation techniques, and bypassing most of the existing security models in the applications as well as the platform itself. Most of this training is based on the recently published and hugely popular book “Learning Pentesting for Android Devices” by the trainer.
This training will cover trainings such as Setting up Android Pentest Environment, OWASP Mobile Top 10, Advanced Android Application Auditing - Static and Dynamically, Finding own vulnerabilities, Automation, Lesser known attack vectors, Vulnerabilities in MDM/BYOD solutions and a lot more.
The entire training will follow complete hands-on and CTF based approach, with lots of vulnerable apps and crackmes for the entire class.
You don’t need to be an Android Expert in order to attend this training, as we will cover everything from very basics, and will move on to the intermediate and advanced topics.
OBJECTIVE
- Attendees will be able to find vulnerabilities in various real world applications for the Android platform.
- Attendees will feel comfortable with writing custom scripts and automation of application auditing for mobile platforms
PRE-REQUISITE
- Min 10 GB HDD and 2 GB RAM
- AGenymotion (Could be downloaded from http://genymotion.com/)
- VMware Fusion/Player/Workstation
*Physical Android device is not needed during the training. In case you’re willing to bring, make sure its > 2.3.7 and rooted.
DURATION
One day
WHO SHOULD ATTEND
- Pentesters and Security professionals interested to get into Android Security
- People already into the technical domain, willing to get into mobile security
- Mobile Application Developers
COURSE CONTENT
Before Lunch :
- Module 1.
- Introduction to Android Security
- Setting up the Android Pentesting Lab
- Android Permission Model and Security Architecture
- Bypassing Android platform security
- Getting familiar with Android Debug Bridge (ADB)
- Reverse Engineering of Android Applications
- In-Depth with Smali Analysis
- Modifying Android applications to reveal sensitive info
- Android Malware Analysis
- Module 2.
- Traffic Interception of Android Browser and Applications SSL
- Based Traffic Interception
- Bypassing Certificate Pinning
- Insecure Data Storage
- Having fun with exploiting databases
- Exploiting Content Providers
After Lunch :
- Module 3.
- Security Issues in Debuggable Applications
- Runtime Analysis of Android apps
- Introduction to Drozer
- Using drozer to find vulnerabilities in apps
- Writing custom drozer modules
- Local File Inclusion/Directory Traversal
- Automating Exploitation
- Module 4.
- Security Issues in Android Backups
- Exploitation of Android Backups
- URI Handlers
- Webview based Exploitation
- Chaining vulnerabilities
- Using metasploit for Android exploitation
- Final CTF competition
ARM Android Xploitation
OBJECTIVE
ARM Android Xploitation takes up one of the finest operating system used smartphones I.e. Android as the ARM based platform for the training and takes a deep dive into ARM assembly, Android Native development components, buffer overflows and shellcoding. The training introduces the attendees to the ARM Android platform including the intrinsic technical details and security issues using a balanced proportion of theory and extensive hands-on and exercises. It provides a base for the attendees to develop security research expertise on the ARM based platforms beyond the conventional Android application security testing skills.
COURSE CONTENT
- Introduction to Android
- What is Android?
- The architecture
- Getting the Android source
- Setting up the environment
- Android Native Dev primer
- ADB
- NDK
- Compiling C code
- Assembly code
- Execution
- Debugging
- Android ARM Assembly primer
- ARM overview
- Processor Modes
- Registers
- Instruction set
- Stack implementation
- System call convention
- Procedure call convention
- Exercises
- ARM Shellcoding Primer
- Introduction
- System interaction
- Relative addressing
- Four byte Hell!
- Null byte Hell!
- ARM THUMB and the finger
- Exercises
- Indroid - Code Injection
- Borrowing from Windows
- Linux Ptrace
- Library Injection
- Indroid
- Memory Allocation and Execution
- Threadification
- Payload
- The API
- Putting it all together i.e. DIY injection
- ARM buffer overflow primer
- Buffer overflow 101
- The ARM/Linux stack
- Stack overflow
- Controlling the flow of execution
- Ret2Libc
- Exercises
PRE-REQUISITE
- Basic Linux knowledge
- Programming, assembly knowledge will be a plus although not specifically required
- Passion to learn new security stuff
PARTICIPANTS REQUIREMENTS
- Bring your own laptop
- 15+ GB free hard disk space
- 2+ GB RAM
- VirtualBox installed on the system
DURATION
1 day
WHO SHOULD ATTEND?
- Information security professionals
- Security researchers and penetration testers
- Anyone with interest in Android security
- Android developers/QA
WHAT TO EXPECT
- Interactive hands-on training session
- Code analysis, trial and errors
- Getting familiar with the Android platform
WHAT NOT TO EXPECT
Becoming an ARM or Android hacker overnight. Use the knowledge gained and research further to master the platform. This training acts as a base to quickly kick start your research into ARM/Android security.
SPEAKER DETAILS
Aseem Jakhar Aseem Jakhar is the Director, research at Payatu Technologies Pvt Ltd a boutique security testing company. He is well known in the hacking and security community as the founder of null -The open security community, registered not-for-profit organization and also the founder of nullcon security conference.
He has extensive experience in system programming, security research, consulting and managing security software development projects. He has worked on various security software including UTM appliances, messaging/security appliances, anti-spam engine, anti-virus software, multicast packet reflector, Transparent HTTPS proxy with captive portal, bayesian spam filter to name a few. He is an active speaker at security and open source conferences; some of the conferences he has spoken at include AusCERT – Gold Coast, Defcon – Las Vegas, Hack.lu - Luxembourg, Blackhat - Amsterdam, Xcon - Beijing, Cyber security summit - Bangalore, Cocon - Cochin, OSI Days - Bangalore, Clubhack - Pune, Gnunify – Pune.
His research includes Linux remote thread injection, automated web application detection and dynamic web filter. He is the author of open source Linux thread injection kit -Jugaad and Indroid which demonstrate a stealthy in-memory malware infection technique.
Some of the Trainings Conducted by Aseem- Advanced Android/iOS exploitation at Hack in Paris, Paris 2014
- ARM Android exploitation at PHDays, Moscow 2014
- ARM Android exploitation at Hack.Lu, Luxembourg 2013
- Xtreme Android Hacking at nullcon, India 2012/2013
Email – aseem@payatu.com
Phone: +91-9881376590
TESTIMONIALS
- “Aseem is a knowledgeable ARM guy. His training features the whole ARM spectrum - from the beginning to the end. I recommend his training if you're looking for a training on practical ARM exploitation.” - Jurriaan Bremer, Author - DARM ARM disassembler, Core Developer Cuckoo Sandbox , Netherlands
- “Aseem came off as an expert instantly at the ARM workshop. He is a natural teacher and guided everyone through the workshop effortlessly. He was well prepared in advance and he had prepared his VM well to allow easy learning of the actual content. He was dedicated and helpful. ” - Parth Shukla, Information Security Analyst – AusCERT, Australia
- “I found Aseem's workshop really good, clear and easy to understand. His tutorial gave me a good insight of what it is under the hood. From my point of view, I think he highlighted the more important design specific aspects of the architecture. The exploitation part was also very instructive since he mentioned many issues related to ARM exploitation as well as how to deal with them. The structure is good, the programming/exploiting assignments are well chained and the difficulty is ascending gradually.” - Quentin Jerome, PhD. Student - University of Luxembourg, Luxembourg
- “I appreciated Aseem's workshop, because I am interested on binaries exploitation, I had try to make shellcode, ret2libc, ROP on x86, but never on ARM.” - Rémi Chipaux, Pentester – Steria, France
Wordpress Security Syllabus
COURSE CONTENT
- Wordpress Setup
- Setup basic wordpress
- Understand wordpress configurations (site and multisite)
- Understand Wordpress Security Landscape
- Various attack surfaces available in wordpress
- Protecting Wordpress
- Protecting bare bone wordpress
- Secure configuration
- Additional layers of protections
- Security Best Practices
- Analyzing Wordpress Attacks
- Identifying and co-relating logs to isolate vulnerable plugin
PRE-REQUISITE
Knowledge of PHP programming and basic understanding of web application / CMS systems in general
PARTICIPANTS REQUIREMENTS
Laptop with a virtualization software prefered virtualbox. VM would be provided for all practice performance.
DURATION
1 day
WHAT TO EXPECT
- Understanding of
- Security constrains/issues in wordpress
- Overall Security Landscape of Wordpress ecosystem
- Protections that can be applied in wordpress
- How to identify if attack has happened and what is the cause of attack.
WHAT NOT TO EXPECT
To be turned into security ninja overnight. Its a long process this workshop will put you in correct path and give you an edge in form of pinpointed and condensed information.
SPEAKER DETAILS
Anant Shrivastava is a Independent Security Consultant. He is also author of Wp-Filemanager a wordpress plugin with >1L downloads, he has also written other plugin's, customized themes and performed multiple security audits over wordpress plugins. He also maintains his own active network of websites and blogs since 2007 (primary blogging portal is http://blog.anantshri.info). He holds GWAPT, CEH and RHCE. He has been speaker / Trainer at various conferences like Nullcon, c0c0n, Clubhack, g0s. He specialize in Web Application Security, and Mobile Security.
http://anantshri.info
Browser Fuzzing
OBJECTIVE
This course focus on findings & exploiting bugs in leading browsers. This hands-on training will help participants to develop their own fuzzers. The course also covers domain of the fuzzing, frameworks and analysing the crashes. Bugs like Use-After-Free & Heap Corruptions/Overflow will be discussed as case study with in-depth analysis using debuggers.
PRE-REQUISITE
- Understanding of HTML, DOM, and how browser works
- Basic knowledge of JavaScript and candidate should able to read and write his own JavaScript
PARTICIPANTS REQUIREMENTS
- bring your own laptop
- min 4 GB ram, 20GB Harddisk space
- Administrative access on laptop
- Virtualization software installed (VMplayer)
DURATION
One day
WHAT TO EXPECT
- Interactive hands-on training session
- buidling your own fuzzer & ideas
- Fuzzing techniques & frameworks
- crash analysis
WHAT NOT TO EXPECT
- browser 0-day exploits
- our own fuzzers
WHO SHOULD ATTEND
- Information security professionals
- Security researchers
- Anyone with interest in browser security
COURSE CONTENT
- Introduction to Browser Fuzzing
- What is browser Fuzzing?
- Why We do Fuzzing?
- Browsers Internals
- What to fuzz ?
- Browser Bugs Intro
- Use-After-free
- Heap Corruption/Overflow
- Types of fuzzers
- Introduction to Static Fuzzer
- Introduction to Dynamic Fuzzer
- Difference between both
- Hands on static fuzzer like radamsa
- What is Radamsa
- How we can collect templates
- How to generate testcases
- Executing testcases on browsers
- Pros & Cons
- Hands on dynamic fuzzer (grinder)
- What is Grinder
- Different Components of grinder
- Creating own grinder supporting fuzzer
- Running it on Internet Explorer 9
- Pros & Cons
- Case study:
- Crash analysis
- Use After Free Vulnerability
- Heap Corruptions/Overflows
- Heap Spray to Control Crash
- Bye Bye
SPEAKER DETAILS
AMol_NAikis a web application pentester working with Mercedes-Benz Research & Development India. He has more than 8 years of experience in Application Security, Ethical Hacking and Network security. He is listed in Google Security Hall of Fame, Facebook WhiteHat and Twitter Security page for reporting various vulnerabilities in their web applications. He won ClubHack preCON CTF 2011. His web hacking technique "Exploitation of Self-Only XSS in Google Code" qualified for “Top 10 web hacking techniques in 2011” contest run by Jeremiah Grossman.
Amol Naik,
Web Application Pentester,
Mercedes-Benz Research & Development, India
C0C0N 2013 Photos
