Mar 24 to Mar 25

Vulnerability Discovery Demystified

Description

Have you noticed how some researchers continue to find flaws in even the most heavily reviewed applications? Would you like to develop those same skills, whether to find the next big 0day or protect against it?

Vulnerability Discovery Demystified teaches the techniques used by many prominent bug hunters to find some of the most critical and elusive vulnerabilities in real-world software. Coverage includes hands-on experience identifying how bugs can occur, what they look like in real code, and how you can leverage platform and language knowledge to attack a given application. This understanding will provide the necessary foundation for not just finding bugs, but also determining their potential exploitability and crafting more effective exploits.

You should note that we will not be teaching fuzz-testing; nor will we teach students about running an automated code scanner and trying to collate the results into a report. Instead, coverage focuses on thorough application analysis and understanding: the more you understand about an application, the greater chance you have of learning its dirty secrets.


Outline

  • Static analysis fundamentals

  • Common vulnerability patterns

  • Core application analysis labs

  • Attack surface quantification

  • Manual code tracing exercises

  • Debugger assisted analysis labs

  • Understanding environment, OS, and API quirks

  • Leveraging application knowledge for exploits

Prerequisite working knowledge

  • Win32 and Unix

  • C/C++

  • ia32 ASM

  • IDA

Prerequisites

  • Laptop capable of running required software

  • IDA Pro

  • An IDE or source code browser

  • A debugger

 

Instructor: Mark Dowd

No bio.

 

Instructor: Justin Schuh

No bio.

 
Mar 24 to Mar 25

The Exploit Laboratory - Advanced Edition

Description

Penetration testing with canned tools and exploits is a thing of the past. As companies are getting more and more conscious of having their internal programs binary audited and reverse engineered, penetration testers are required to spot vulnerabilities in compiled code and write custom exploits for these vulnerabilities. The Exploit Laboratory takes the hacker's approach in demonstrating how seemingly trivial errors and vulnerabilities can be exploited with astonishing results. The Exploit Laboratory begins with an introduction to vulnerabilities in binary code and goes through a systematic process of debugging, reverse engineering and writing a working exploit for these vulnerabilities.

This class is aimed at demystifying the "rocket science" in writing exploits, delivered in a down-to-earth, learn-by-example methodology, by trainers who have been teaching advanced topics in computer security for over 6 years. This class does NOT require knowledge of assembly language. A few concepts and a sharp mind are all you need. Examples and exercises in this class cover both the Unix (Linux) and Microsoft Windows platforms.

Topics

  • Introduction to error conditions

  • The CPU's Registers

  • The Process memory map

  • Effective use of debuggers on Linux and Windows

  • Stack Overflows in Linux and Windows

  • Getting control of the Instruction Pointer

  • Making exploits reliable

  • Return to stack vs. return via registers

  • Advances in shellcode techniques

  • Overwriting Exception Handlers

  • Heap Overflows in Linux and Windows

  • Overwriting Global Offset Table entries

  • Exploiting Browsers

  • Format String bugs (time permitting)

Prerequisite Knowledge

  • Working knowledge of operating systems, Win32 and Unix.

  • Working knowledge of shell scripts, cmd scripts or Perl.

  • Be able to work easily with command line tools.

  • Understanding of C programming would be a bonus.

Laptop requirements

  • Hardware Requirements:

    • Intel x86 hardware required

    • 512MB RAM required, at a minimum

    • Wired 10/100 Network card

    • CDROM drive

    • 4 GB free Hard disk space

  • Operating Systems (one of the following):

    • Windows 2000 SP4/XP SP2 -OR- Linux kernel 2.4/2.6

    • For Windows users:

      • Windows 2000 SP4/XP SP2

      • Windows Vista WILL NOT WORK (you have been warned)

      • Administrator access mandatory

      • Ability to disable Anti-virus / Anti-spyware programs

      • Ability to disable Windows Firewall or personal firewall

      • Active Perl to be installed

    • For Linux users:

      • Kernel 2.4 or 2.6 required

      • Root access mandatory

      • Ability to use an X-windows based GUI environment

    • MAC OS X is currently not supported in this class. Participants may bring their Intel based MacBooks or MacBook Pros that have Windows XP running on them using Apple Boot Camp. If you wish to use Parallels Desktop, you may do so, but you are on your own when it comes to weird troubleshooting.

  • Pre-loaded software:

    • Netcat (nc)

    • SSH client (PuTTY for Windows laptop users)

    • Perl 5.8 or above (ActivePerl for Windows users)

    • Firefox browser

 

Instructor: Saumil Shah

Founder and CEO, Net-Square Solutions Pvt. Ltd. saumil@net-square.com Saumil continues to lead the efforts in e-commerce security research at Net-Square. He holds the designation of Certified Information Systems Security Professional. Saumil has more than ten years of experience with system administration, network architecture, integrating heterogeneous platforms, and information security, and has performed numerous ethical hacking exercises for many significant companies in the IT area. Previously, Saumil held the position of Director of Indian operations at Foundstone Inc. and was a senior consultant with Ernst & Young. Saumil has also worked at the Indian Institute of Management, Ahmedabad, as a research assistant. Saumil graduated from Purdue University with a master's degree in computer science and a strong research background in operating systems, networking, information security, and cryptography. He got his undergraduate degree in computer engineering from Gujarat University, India. Saumil is a co-author of "Web Hacking: Attacks and Defense" (Addison Wesley, 2002) and is the author of "The Anti-Virus Book" (Tata McGraw-Hill, 1996).

 
 
Mar 24 to Mar 25

Advanced Honeypot Tactics

Description

This course shows how to use honeypot technologies as a concrete improvement to your organisation's security defences. This course will concentrate on low-interaction honeynet technology.

  • honeyd

    • workings of honeyd

    • routing traffic to honeyd

    • simulation

      • simulation tcp/ip stacks

      • simulation of network infrastructure

      • simulation of applications

      • advanced honeyd configuration

    • centralized data collection with honeyd

      • traditional methods

      • honeyd collector/mustard

    • writing honeyd plugins

    • honeyd to protect corporate infrastructure

  • malware collection

  • Collecting malware with honeypots

    • Techniques used

    • mwcollect / nepenthes

      • How they work

      • Writing own modules

      • Analyzing the received shellcodes

      • Analyzing the captured binaries

    • Results

  • Bots/Botnets

    • Intro to bots and demo

    • Reverse engineering of bot

      • Basic techniques

      • Sandboxes

      • Ollydbg and/or IDA

  • Botnet 101

    • How they work

    • What you need to know

    • Observing them

    • Live botnet observation

  • Results

Prerequisites

Students should be familiar with honeypot concepts and have a good understanding of TCP/IP networking and analysis tools like Ethereal.

Prerequisite material

Students need to bring a computer configured with VMware and powerful enough to run two VMware sessions at once. The computer should also have a wired Ethernet interface. Students also need to have an IRC client and the Python programming language installed. They should also have a Windows installation (native or in VMware) with OllyDbg (http://www.ollydbg.de/) installed.

 

Instructor: Thorsten Holz

Thorsten Holz is a Ph.D. student at the Laboratory for Dependable Distributed Systems. He is one of the founders of the German Honeynet Project and has extensive background in the area of honeypots and bots/botnets. His research interests include the practical aspects of secure systems, but he is also interested in more theoretical considerations of dependable systems. In addition, he is the editor-in-chief of the German IT-security magazine MISC.

 
 
Mar 24 to Mar 25

Mastering the Network with Scapy

Description

Most current tools that work at the packet level suffer from deficiencies that prevent you from correctly mapping networks, finding flaws, testing equipment, etc. Learn what those deficiencies are, and how you can overcome them with Scapy (http://www.secdev.org/projects/scapy) to efficiently do network discovery, network stack crash testing, leak finding, Wi-Fi injection, attacks, automation of specific tasks, etc. See how to extend Scapy with the obscure protocols you need to test and that have no tools supporting them, all in a matter of minutes.

Topics

  • Introduction

    • conceptual flaws of other tools

    • Scapy's concepts to avoid those flaws

  • Quick overview

    • packet manipulation

    • sending packets

    • sniffing

    • manipulating packet lists

    • sending and receiving

    • manipulating result lists

    • high level functions

  • Packet creation workshop

    • old school

    • honey, I shrunk the C exploit (by a factor of 100)

  • Fuzzing

    • random everywhere

  • Playing with TTL

    • fun with DNAT

    • sliced network scans

  • Playing with leaks

    • examples of flaws

    • spotting the padding

  • Playing with Wi-Fi

    • sniffing, AP spotting

    • signal strength monitoring

    • frame injection

    • airpwn attack (AP spoofing)

  • Extending Scapy

    • scripting Scapy

    • adding your own protocols

    • building your own tools

Prerequisites

  • good knowledge of TCP/IP protocol suite

  • good Python basics (read, understood and practised http://www.python.org/doc/current/tut/tut.html)

  • some knowledge of Ethernet and 802.11 will help

Prerequisite material

  • computer with Scapy *installed* and *running* and *working*

  • python

  • python-crypto

  • python-gnuplot

  • python-pyx

  • graphviz

  • imagemagick

 

Instructor: Philippe Biondi

Philippe Biondi is a research engineer and security expert working at the IT security lab of EADS Corporate Research Center. He is a member of the French Honeynet Project. He was co-author of LIDS. He is the author of Scapy and Shellforge and a lot of other tools. His Scapy tutorial at CanSecWest/core05 was rated one of the best talks of the conference by attendees.

 
 
Mar 24 to Mar 25

Voice over IP (VoIP) Security

Description

You think you know what VoIP really is, and moreover you can say what the real security risks are and how to mitigate them? Then this course isn't for you :)

We'll first go through the basics: signaling protocols (SIP, H.323, MGCP, H.248), the media stream side (RTP, CODECs, etc) and how voice really works on the telco side.

Then we'll discuss what a full VoIP architecture looks like (on the carrier and the enterprise side): the devices it's made of, protocols, operating systems and applications, etc. This will provide the students with the basics on the IMS core, Session Border Controllers, VoIP firewalls, Application Servers and web front-ends.

Once the scene is set, we'll discuss the architecture's security: attack vs defense, what's exposed and at risk, how to secure it (is encryption of signaling and/or media really the answer?), etc. How do Skype, ZRTP, and other protocols fit into the overall picture? What problem do they solve and which risks do they introduce?

On the practical side of things, we'll play with a sniffer, listen in on signaling and media, analyze the exchanges, etc., i.e. learn how VoIP "really" works. We will also use some of the VoIP "hacking" tools, to show you what they are good at and what kind of vulnerabilities they really expose.

Prerequisites

  • Laptop with an Ethernet NIC and working network

  • Either Win32 or Linux (or MacOS, but don't expect me to help if something isn't working properly :)

  • Wireshark (Ethereal), version 0.99.4 or higher

  • Counterpath X-Lite Free, version 3.0 or higher

  • A headset (without mike is fine if you have one integrated)

 

Instructor: Nico Fischbach

Nico is a Senior Manager, in charge of the European Network Security Engineering team at COLT Telecom, a leading pan-European provider of end-to-end business communications services.

He holds an Engineering degree in Networking and Distributed Computing and is a recognized authority on Service Provider infrastructure security and denial-of-service attack mitigation.

Nicolas is co-founder of Sécurité.Org, a French-speaking portal on computer and network security; of eXperts and mystique, an informal security research group and think tank; and of the French chapter of the Honeynet project.

He has presented at numerous technical and security conferences, teaches networking and security courses at various universities and engineering schools, and is a regular contributor to the French security magazine MISC. More details and contact information are on his homepage.

 
 
Mar 24 to Mar 25

Practical 802.11 WiFi (In)Security

Description

Wireless LANs are now widely deployed and have often introduced an explosion of security issues and unique vulnerabilities. Despite today's security mechanisms, many available wireless networks are still not properly secured. This dojo training will bring you up to date with the most advanced Wi-Fi security technologies, providing detailed, up-to-date, in-depth knowledge. Mixing lecture and hands-on work, it offers a practical approach to Wi-Fi security, learning and practising security assessment and deployment for wireless networks. At the end of this course, you will be able to integrate secure wireless environments into your existing infrastructure and assess the security of Wi-Fi networks.

Topics

  • Quick Wi-Fi basics wrapup

  • Assessing Wi-Fi networks security

  • Wi-Fi network enumeration techniques and tools

  • Security features analysis

  • Weaknesses

  • Intrinsic weaknesses, basic tricks

  • WEP cracking fundamentals and techniques

  • Applied malicious traffic injection

  • Targeting Wi-Fi clients

  • Wireless networks pentesting methodology

  • Building secure Wi-Fi networks

  • Wi-Fi security features

  • 802.1x authentication

  • Wi-Fi Protected Access

  • IEEE 802.11i/WPA2

  • Wi-Fi Protected Setup

  • Wi-Fi network integration w/ network architectures

  • Roadmap and key points

Prerequisites

  • Network security experience (Ethernet, TCP/IP)

  • 802.11 experience will help

  • Understanding Python programming would be a bonus

Prerequisite material

Practical exercises will require the Backtrack v2 Stable Release live CDROM[1]. Therefore, each student must bring his own laptop running this live distribution properly[2] and be equipped with an injection-capable wireless adapter[3] (Atheros-based adapter strongly advised).

  • [1] http://www.remote-exploit.org/backtrack.html

  • [2] http://backtrack.offensive-security.com/index.php?title=HCL:Laptops

  • [3] http://backtrack.offensive-security.com/index.php?title=HCL:Wireless

This one-day course will bring you up to date with the most advanced Wi-Fi security technologies, far beyond what you could expect from a Wi-Fi security 101 or workshop, providing detailed, up-to-date, in-depth information and techniques. Mixing lecture and hands-on work, it offers a practical approach to Wi-Fi (in)security, learning and practising the very latest Wi-Fi exploitation and penetration techniques, as well as state-of-the-art protection protocols and best practices for secure wireless network deployment.

Topics

Wi-Fi insecurity

  • 802.11 intrinsic weaknesses and basic tricks

  • WEP cracking fundamentals and techniques (inc. fragmentation attack)

  • Applied malicious traffic injection

  • Pentesting a Wi-Fi network

Wi-Fi security

  • 802.1x authentication

  • Wi-Fi Protected Access

  • IEEE 802.11i/WPA2

  • Wi-Fi Protected Setup

  • Secure 802.11 features and network architectures

Prerequisites

  • Ethernet and TCP/IP

  • 802.11 network experience

Prerequisite material

Each student must bring his own laptop running his own Backtrack v1.0 Final CDROM with a wireless adapter capable of raw traffic injection (Atheros-based adapter strongly recommended).

 

Instructor: Cédric Blancher

Cédric Blancher has spent the last 7 years working in the network security field, performing audits and penetration tests. In 2004, he joined EADS Innovation Works and now runs the Computer Security Research Lab in Suresnes, France. His research focuses on network security, especially wireless links. He is an active member of the Rstack team and the French Honeynet Project, with studies on honeynet containment, honeypot farms and network traffic analysis. He has delivered technical presentations and trainings worldwide, and has written papers and articles on network security. Cédric's website: http://sid.rstack.org/

 
 
Mar 24 to Mar 25

Advanced Linux Hardening (and keeping your insanity)

Description

The course shows how to effectively implement modern hardening frameworks and techniques for securing Linux-based (and, secondarily, other *NIX) systems while keeping things manageable and at the same time avoiding the usual madness and confusion often created by MAC/hardening frameworks.

The goal of this course is to teach, hands-on, how to deal with every aspect of installing, configuring and maintaining hardening frameworks, and to cover the available techniques and administration for securing Linux systems. You'll learn the different architectures, implementation details, administration procedures and issues related to all the covered frameworks, as well as acquire the proper skills for maintaining and troubleshooting the hardened environment. Special focus will be given to security monitoring and auditing, policy development and maintenance, and integration of hardened systems with your favourite distribution / OS.

Topics

You'll learn:

  • basic *NIX security concepts and techniques

  • security monitoring with Host Intrusion Detection Systems (HIDS)

  • log monitoring and correlation

    • swatch / tenshi / SEC / ...

  • file system integrity checkers

    • aide / samhain / osiris / ...

  • sensible accounts and auth token management

  • One Time Passwords

  • shell account security

  • extended POSIX ACLs

  • hardening frameworks

    • PaX / ASLR / Grsecurity

    • SELinux

    • RSBAC

    • Systrace

  • GCC hardening / Stack Smashing Protection

  • ELF hardening: PIE (Position Independent Executables) / PIC (Position Independent Code)

  • secure backup architectures

  • centralized account management with LDAP

Bonus Topic:

  • genuine Italian swear words to use when things go wrong! (and impress your co-workers)

Prerequisites

  • basic command line proficiency on *NIX systems

  • basic Linux/*NIX system administration skills

  • familiarity with Makefiles / autoconf usage and package compilation and installation

  • familiarity with Linux kernel configuration / compilation / installation

  • basic scripting skills

Prerequisite material

  • Each student must bring his own laptop running a recent Linux distribution. Fedora, RHE or Gentoo/Linux are the best choices, but since the class will also focus on how to deal with these frameworks on any distribution, we won't require any of those as long as it's a modern distribution capable of compiling without problems.

  • Needless to say, a working network adapter (along with an IPv4 TCP/IP stack) is required.

 

Instructor: Andrea Barisani

Andrea Barisani is a system administrator and security consultant. His professional career began 8 years ago, but it all really started when a Commodore-64 first arrived in his home when he was 10. Now, 16 years later, Andrea is having fun with large-scale IDS/firewall deployment and administration, forensic analysis, vulnerability assessment, penetration testing, security training and his Open Source projects. He eventually found that system and security administration are the only effective way to express his need for paranoia. He's currently involved with the Gentoo project, managing infrastructure server security as a member of the Gentoo Security and Infrastructure Teams, along with distribution development. Being an active member of the international Open Source and security community, he's maintainer/author of the tenshi, ftester and openssh-lpk projects and has been involved in the Open Source Security Testing Methodology Manual, becoming an ISECOM Core Team member. Outside the community he has been a security consultant for Italian firms and he's now the co-founder and Chief Security Engineer of Inverse Path Ltd.

 
 
Mar 24 to Mar 25

Defend the Flag

Description

Defend The Flag (DTF) is a unique two day hands-on training course designed to take the traditionally dry Windows security training workshop and make it interactive, personal, and visceral for each attendee. Students will gain the understanding of modern exploitation tools and techniques, in order to better learn how to protect their Windows systems. Practical implementations of Windows host hardening will demonstrate the effectiveness of defense in depth, especially in environments where patching is delayed for testing or just not possible for application compatibility reasons.

Students will hear from experts in Attack and Defense. Day One is a hands-on lab tutorial on both securing and attacking Windows. Half the day will be spent learning about network attacks, modern sophisticated attack tools, and understanding the attackers' mindset. The other half of the day will be spent on Windows hardening, basic intrusion detection, forensics, and incident response while under attack.

On Day Two, the students will form teams to compete against each other. Each student will have a chance to play both roles of attacker and defender throughout the day. Defenders (Blue Cell) will be responsible for keeping critical Windows servers and desktops up and running on a simulated corporate network. Meanwhile, the attackers (Red Cell) will attempt to penetrate other teams' systems and shut off critical services, steal passwords and data, and generally disrupt network communications.

The winning team will have the best Windows hardening skills and uptime for their systems and services throughout the day. May the best defenders win!

Day One

Attacking Windows

  • The attacker mindset - what are they thinking?

  • Techniques and methodology of attack.

  • Mapping target networks and identifying vulnerable systems.

  • Labs on using an exploit framework, so easy your grandmother might already be doing it.

Defending Windows

  • Preparing for an attack

    • Hardening Network protocols, system services, DCOM

    • Setting ACLs on file objects and on the registry

    • Security-relevant registry settings

    • User rights assignments

    • Audit and event logs

    • Account and password policies

    • Group Policy Settings

  • During the attack

    • How to find out that a system is under attack or has been compromised

    • How to stop the attack

  • After the attack

    • Basic forensics

    • How to prevent recurrence

Day Two

  • All-day melee-style competition, where each team has both attackers to disrupt the other teams, and defenders to try to keep their own systems up.

Prerequisite working knowledge

  • Basic Windows administration for servers and workstations

  • No previous hands-on attack experience necessary

Equipment

  • Laptops will be provided for the students pre-configured for the class

 

Instructor: Microsoft

No bio.

 
 