Mar 14 to Mar 17

Metasploit: Asymmetric Warfare

Description

Penetration testing is often a contest between an attacker with limited resources and a target with significant defenses and capabilities. Security tools, including the Metasploit Framework, are designed to extend the capabilities of a single attacker and gain access where none is provided.

This course dives into the newest features of the Metasploit Framework and demonstrates how to use these features in every aspect of a penetration test. Students will learn how to create custom modules to solve specific tasks, launch wide-scale client-side attacks, operate a malicious wireless access point, generate custom backdoors, bypass intrusion prevention systems, automate the post-exploitation process, and much more.

The course is split between hands-on labs and lectures, with a focus on practical techniques that have proven successful in the real world.

Prerequisites:

  • Students will need a laptop capable of running version 3.2 of the Metasploit Framework.

  • Students should have working knowledge of Microsoft Windows and at least one Unix-like operating system (Linux, Solaris, Mac OS X, etc).

  • Students should have some experience with one or more scripting languages, such as Ruby, Perl, Python, or PHP.

  • Students should also be familiar with TCP/IP networking and be comfortable configuring TCP/IP settings on Unix and Windows platforms.

Recommendations:

  • A laptop running a recent version of Linux, BSD, or Mac OS X.

  • Experience using the Metasploit Framework.

  • Experience with exploits and vulnerability assessment tools.

  • Experience with the Ruby programming language.

  • Experience with low-level TCP/IP tools (nmap, hping, wireshark).

Instructor: HD Moore

HD Moore is the director of security research at BreakingPoint Systems, where he focuses on the content and security testing features of the BreakingPoint product line. Prior to BreakingPoint, HD spent seven years providing vulnerability assessments, leading penetration tests, and developing exploit code. HD is the founder of the Metasploit Project and one of the core developers of the Metasploit Framework, the leading open-source exploit development platform. In his spare time, HD searches for new vulnerabilities, develops security tools, and contributes to open-source security projects.

 
Mar 14 to Mar 17

IPv6 Network Security

Description

IPv6 has been around "on paper" for a long time and the "migration deadline" is slowly getting closer as available IPv4 addresses shrink.

Depending on who you ask and how you look at it, it can be considered either a minor or a major evolution from IPv4, especially on the security front.

We will present and discuss the protocol(s), their implementation, what the security changes are (good and bad), issues you will face during a migration, etc.

The lab sessions will enable you to understand IPv6 security in more detail.

Topics

We will present:

  • IPv6

  • What changes from IPv4.

  • What the new IPv6 protocols are.

  • How they impact the overall security.

  • The new holes you'll poke into existing IPv4 deployments.

Prerequisites

For the lab exercises we will use scapy6, dynamips and wireshark. You have to bring your own laptop, running Linux (native or virtualized). Make sure the operating system is working properly, especially the network component if you run it inside a VM. You don't have to pre-install the tools.

scapy6 is not supported on Win32 and has been tested only in a very limited manner on *BSD/Mac OS. We will not be able to debug during the dojo.

Prerequisite material

None in particular. The student should be "fluent" with tcpdump/wireshark output, understand basic TCP/IP routing and basic *NIX network commands.

 

Instructor: Nico Fischbach

Nico is a Senior Manager, in charge of the European Network Security Engineering team at COLT Telecom, a leading pan-European provider of end-to-end business communications services.

He holds an Engineer degree in Networking and Distributed Computing and is a recognized authority on Service Provider infrastructure security and denial-of-service attacks mitigation.

Nicolas is co-founder of Sécurité.Org, a French-speaking portal on computer and network security, of eXperts and mystique, an informal security research group and think tank, and of the French chapter of the Honeynet Project.

He has presented at numerous technical and security conferences, teaches networking and security courses at various universities and engineering schools, and is a regular contributor to the French security magazine MISC. More details and contact information are on his homepage.

 

Instructor: Guillaume Valadon

No bio.

 
Mar 14 to Mar 17

Advanced Honeypot Tactics

Description

Honeypots and honeynets are very much en vogue nowadays. This course explains what honeypots are, what they are good for, when they can bring rapid ROI to an organization deploying them, and when they are only of academic interest.

This class will teach how to set up different types of honeypots, how to learn more about the tools, tactics, and motives of attackers, and also how to swiftly detect and react to malware outbreaks in an organization. We will also show how honeypot technology can be used to estimate risks in a way management understands. The main focus of the course lies on learning more about autonomously spreading malware and botnets. We focus on different low-interaction honeypot solutions and honeyclients, since these two kinds of tools can often be easily integrated into an existing infrastructure. We show how to use these tools together with CWSandbox, a malware analysis tool, to study botnets in detail and how to mitigate this threat within an organization or a bigger network.

The course will be a mix of lectures and hands-on exercises, with a focus on practical techniques that have proven successful in the real world. The exercises involve for example setting up a honeypot, analyzing packet dumps, analyzing a given binary or shellcode, or extracting information from a given analysis report.

Topics:

You will learn during the course:

  • In-depth introduction to honeypots and honeynets

  • Overview of classical honeypots and honeyclients

  • Setting up different kinds of honeypots

  • Analyzing the collected information

  • Collecting malware with honeypots

  • Analyzing collected malware in an automated way

  • In-depth overview of current bots and botnets

  • Using honeypots to recognize infected machines

  • Protecting a network with the help of honeypots

Prerequisites

Students should be familiar with basic honeypot concepts and have a good understanding of TCP/IP networking and analysis tools like Wireshark. Basic understanding of the Windows OS and malware analysis are a bonus.

Prerequisite material

Students need to bring a computer configured with VMware and powerful enough to run two VMware sessions at once. Students also need to have an IRC client and the Python programming language installed. All additional tools will be provided during the course.

 

Instructor: Thorsten Holz

Thorsten Holz is a Ph.D. student at the Laboratory for Dependable Distributed Systems. He is one of the founders of the German Honeynet Project and has extensive background in the area of honeypots and bots/botnets. His research interests include the practical aspects of secure systems, but he is also interested in more theoretical considerations of dependable systems. In addition, he is the editor-in-chief of the German IT-security magazine MISC.

 

Instructor: Guillaume Valadon

No bio.

 
Mar 14 to Mar 17

Ultimate Web Hacking (One Day Edition)

Description

With every web application that an organization brings online or e-business that goes live, malicious hackers are waiting to attack. This class provides students with the knowledge and tools to identify known and unknown vulnerabilities, develop countermeasures, and perform ongoing assessments of these web applications. In a hands-on setting, Ultimate Web Hacking instructors offer demonstrations on how attackers can access corporate information with little more than a web browser.

Students will also learn strategic, tactical and operational countermeasures to prevent hackers from exploiting web-based applications, the security considerations unique to web applications, and will gain thorough knowledge of popular web application and infrastructure vulnerabilities, including SQL injection, cross-site scripting, authentication/authorization issues and session management weaknesses.

Who Should Take This Class

System and network administrators, security personnel, auditors, consultants, and/or web designers concerned with web security should take this course. Basic UNIX and Windows competency is required for the course to be fully beneficial.

Exercises

All topics are supported by hands-on exercises specifically designed to increase knowledge retention. Classroom exercises provide the basic hands-on experience needed to secure web applications and internet facing software.

Course Materials

  • Class handouts

  • Foundstone authored book

  • Foundstone t-shirt

  • Free Tools CD with course tools and scripts

Topics

  • Introduction to Web applications

  • Profiling the environment

  • Finding vulnerabilities in configuration management

  • Parameter manipulation

  • Breaking authentication and user management

  • Breaking session management

  • Data validation attacks like:

    • Cross site scripting

    • Cross site request forgery

    • SQL Injection

    • File system traversal

  • Data protection issues

  • Other grab bag topics

Prerequisite Knowledge

  • Working knowledge of Windows or Unix Operating Systems and command-line tools

  • Working knowledge of HTTP, SSL and related protocols

  • Working knowledge of shell scripts, SQL, Perl and JavaScript

 

Instructor: Mike Andrews

No bio

 
 
Mar 14 to Mar 17

Secure Java Programming and Auditing

Description

JEE is known as a framework for building Java business applications. Vulnerabilities in these applications are on the one hand introduced by the framework software, and on the other hand, more often, created by the application developers. For a complete JEE security audit it is therefore more important to build up the skill to "feel" the attack surface than just to apply pre-built exploits that only expose framework bugs.

This class starts by describing the important parameters that define the attack surface, such as dangerous code patterns, configuration settings and reasonable secure defaults. Examples of real-life vulnerabilities are used to introduce the participants to the experience that simple bugs are able to create holes; we cover both perspectives, the bug and the fix. The curriculum goes on to present and train the use of the tool set necessary to spot vulnerable code. We present techniques such as code skim reading, binary scanning, reverse engineering and interpreting the hidden security message of harmless-looking heap, thread and stack dumps.

The trainer has been involved with the deeper details of Java security for about seven years and has shown the success of the presented method by finding a large range of CVE-relevant vulnerabilities. This class does not require prior knowledge of the Java bytecode set, but a deeper understanding of how JVMs work, mixed with creativity, is very helpful to transfer the presented techniques into personal success.

The examples and exercises shown in this class cover Apache Tomcat, Apache Geronimo, JBoss and Sun GlassFish.

Topics

The topics presented are:

  • The Java architecture, JVMs and bytecode

  • The Java security model

  • Secure programming in a nutshell

  • Java vulnerabilities, how they differ from C-type bugs

  • The JEE architecture

  • Open holes in JEE, how to spot them

  • How to harden a JEE server

  • Tools and toys to prepare and conduct JEE pentests

  • Writing self-assessment clients

  • Short excursion to web security, XSS and XSRF, how to spot and prevent them in JEE

  • Examples, examples...

Prerequisites

  • Working knowledge of distributed Java concepts

  • No specific OS knowledge required

  • Be able to work easily with java developer tools (command line, eclipse/netbeans IDE)

  • Understanding of Java (secure) programming and JEE concepts would be a bonus (boosts your mileage).

Prerequisite material

  • Each student must bring his own laptop.

  • A working network adapter (along with an IPv4 TCP/IP stack) is recommended.

 

Instructor: Marc Schoenefeld

No bio

 
 
Mar 14 to Mar 17

TCP/IP In-depth Training

Description

Fully understanding how TCP/IP works is a must-have skill for anyone involved in IT security. This course will teach you everything about the TCP/IP protocol suite and its security concerns and implications.

You will learn all the gory details about the packets that are exchanged whether you browse, send emails, DDoS your friends, ARP spoof or hijack connections. You will learn how to sniff, decode and understand packet traces and attack patterns, how to craft packets for good and evil using specific tools, how to defend the networks you manage by deploying firewalls and Intrusion Detection Systems.
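As an added illustration of the decoding and attack-pattern material above (this is an editor's example, not part of the course or its materials), the following standard-library Python walks a constructed Ethernet/IPv4/TCP frame with struct, verifies the IPv4 header checksum per RFC 1071 and classifies the TCP flag combination the way a NIDS rule would name it. The frame bytes, MAC and IP addresses and port numbers are made up for the example; the TCP checksum, which needs the IP pseudo-header, is deliberately not verified.

```python
import struct
from dataclasses import dataclass

# Constants from the on-the-wire formats (Ethernet II / RFC 791 / RFC 793).
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
                 "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def ip_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement of the one's-complement sum of 16-bit words.
    Over a header that already carries a correct checksum the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_flag_names(flags: int) -> list:
    return [name for name, bit in TCP_FLAG_BITS.items() if flags & bit]


def classify_tcp_flags(flags: int) -> str:
    """Map a TCP flag byte to the traffic pattern a scan detector would report."""
    names = set(tcp_flag_names(flags))
    if not names:
        return "NULL scan probe"            # no flags at all is never legitimate
    if names == {"FIN", "PSH", "URG"}:
        return "XMAS scan probe"
    if names == {"SYN"}:
        return "SYN (connection request or SYN scan)"
    if names == {"SYN", "ACK"}:
        return "SYN/ACK (handshake reply)"
    if "RST" in names:
        return "RST (reset / closed port)"
    return "established-connection traffic"


@dataclass
class Decoded:
    src: str
    dst: str
    ttl: int
    ip_checksum_ok: bool
    sport: int
    dport: int
    flags: list
    pattern: str


def decode_frame(frame: bytes) -> Decoded:
    """Walk Ethernet -> IPv4 -> TCP headers, the way tcpdump's decoder does."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[ETH_HDR_LEN:]
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _hcs, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(ip):
        raise ValueError("malformed IPv4 header")
    csum_ok = ip_checksum(ip[:ihl]) == 0    # sum includes the stored checksum field
    if proto != IPPROTO_TCP:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    sport, dport, _seq, _ack, off_rsvd, flags = struct.unpack("!HHIIBB", tcp[:14])
    if (off_rsvd >> 4) * 4 < 20:
        raise ValueError("malformed TCP header")
    return Decoded(".".join(map(str, src)), ".".join(map(str, dst)), ttl, csum_ok,
                   sport, dport, tcp_flag_names(flags), classify_tcp_flags(flags))


def build_sample_frame(flags: int) -> bytes:
    """Constructed sample: 10.0.0.1:40000 -> 10.0.0.2:80 with the given TCP flags.
    MACs, addresses and ports are made up; the IPv4 checksum is computed, not hardcoded."""
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_IPV4))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     IPPROTO_TCP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return eth + ip + tcp


if __name__ == "__main__":
    xmas = TCP_FLAG_BITS["FIN"] | TCP_FLAG_BITS["PSH"] | TCP_FLAG_BITS["URG"]
    for f in (TCP_FLAG_BITS["SYN"], 0, xmas):
        print(decode_frame(build_sample_frame(f)))
    bad = bytearray(build_sample_frame(TCP_FLAG_BITS["SYN"]))
    bad[ETH_HDR_LEN + 8] = 1                # tamper with the TTL byte
    print("tampered frame checksum ok:", decode_frame(bytes(bad)).ip_checksum_ok)
```

Verifying the checksum by summing the header with its stored checksum included (result must be 0) is the same arithmetic a receiving stack performs, so a frame that "looks fine" in a hex dump but has been modified in flight is caught without recomputing and comparing.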

Topics

You'll learn:

  • TCP/IP protocol suite and related protocols

  • sniffing with tcpdump, Wireshark and other specialized tools

  • network scanning and system fingerprinting

  • common attack patterns

  • packet crafting tools

  • purpose-specific tools for session hijacking, DoS'ing and much more

  • advanced firewalling and Network Intrusion Detection System deployment

Prerequisites

  • basic command line proficiency on *NIX systems

Prerequisite material

  • Each student must bring their own laptop running a modern and up-to-date Linux distribution, capable of compiling without problems.

  • Needless to say, a working network adapter (along with an IPv4 TCP/IP stack) is required.

 

Instructor: Andrea Barisani

Andrea Barisani is a system administrator and security consultant. His professional career began 8 years ago but all really started when a Commodore-64 first arrived in his home when he was 10. Now, 16 years later, Andrea is having fun with large-scale IDS/Firewalls deployment and administration, forensic analysis, vulnerability assessment, penetration testing, security training and his Open Source projects. He eventually found that system and security administration are the only effective way to express his need for paranoia. He's currently involved with the Gentoo project managing infrastructure server security being a member of the Gentoo Security and Infrastructure Teams along with distribution development. Being an active member of the international Open Source and security community he's maintainer/author of the tenshi, ftester and openssh-lpk projects and he's been involved in the Open Source Security Testing Methodology Manual, becoming a ISECOM Core Team member. Outside the community he has been a security consultant for Italian firms and he's now the co-founder and Chief Security Engineer of Inverse Path Ltd.

 
 
Mar 14 to Mar 17

Effective Fuzzing using the Peach Fuzzing Platform

Description

The entirety of the course is student-centric, hands-on, and lab-intensive. On day one, students will be instructed on the use of the Peach Fuzzing Platform from a practitioner's perspective, learning the ways in which Peach can be used to fuzz a variety of targets including network protocol parsers, ActiveX/COM interfaces, file parsers, APIs, and web services. Students will build and run fuzzers that target real-world applications.

On the second day, students will be exposed to the internals of Peach from a developer's perspective. The Peach architecture and module interfaces will be explained in great detail so as to equip students with the skills necessary to extend and adapt Peach to their custom needs. Students will then develop their own Peach extensions in a lab environment to reinforce these concepts.

Topics

Upon completion of this course, students will be able to:

  • Create effective fuzzers that target:

    • State-aware network protocol parsers

    • N-tier applications

    • Arbitrary APIs

    • File parsers

    • COM and ActiveX components

  • Extend the Peach Fuzzing Platform

  • Apply these concepts and tools to their unique environment

  • Utilize parallel fuzzing to increase fuzzing efficiency

Prerequisite Knowledge

  • Ability to use Windows XP

  • Ability to use Wireshark

  • Working knowledge of basic XML or HTML

Laptop requirements

  • A laptop capable of running two Windows XP Virtual Machines

  • Dual Core machine w/2GB of RAM recommended

  • One of the following virtualization platforms:

    • VMware Server 2.0

    • VMware Player 2.0 (FREE)

    • VMware Workstation 6.x

  • One of the following devices:

    • USB 2.0 port

    • Dual Layer DVD Drive

    • 1394/Firewire port

IMPORTANT NOTE: This is a two day course and may not be taken in conjunction with another course.

 

Instructor: Michael Eddington

No bio.

 
 
Mar 14 to Mar 17

Practical 802.11 WiFi (In)Security

Description

Wireless LANs are now widely deployed and have introduced an explosion of security issues and unique vulnerabilities. Despite the security mechanisms available today, many wireless networks are still not properly secured.

This dojo training will bring you up to date with the most advanced Wi-Fi security technologies, providing detailed, in-depth knowledge. Mixing lecture and hands-on work, it offers a practical approach to Wi-Fi security, learning and practising security assessment and deployment for wireless networks.

At the end of this course, you will be able to integrate secure wireless environments in your existing infrastructure and assess Wi-Fi networks security.

Topics

  • Quick Wi-Fi basics wrap-up

  • Assessing Wi-Fi networks security

  • Wi-Fi network enumeration techniques and tools

  • Security features analysis

  • Weaknesses

  • Intrinsic weaknesses, basic tricks

  • WEP cracking fundamentals and techniques

  • Applied malicious traffic injection

  • Targeting Wi-Fi clients

  • Wireless networks pentesting methodology

  • Building secure Wi-Fi networks

  • Wi-Fi security features

  • 802.1X authentication

  • Wi-Fi Protected Access

  • IEEE 802.11i/WPA2

  • Wi-Fi Protected Setup

  • Wi-Fi network integration w/ network architectures

  • Roadmap and key points

Prerequisites

  • Network security experience (Ethernet, TCP/IP)

  • 802.11 experience will help

  • Understanding Python programming would be a bonus

Prerequisite material

Practical exercises will require the BackTrack v2 Stable Release live CD. Therefore, each student must bring their own laptop that runs this live distribution properly, equipped with an injection-capable wireless adapter (an Atheros-based adapter is strongly advised).

 

Instructor: Cédric Blancher

Cédric Blancher has spent the last 7 years working in the network security field, performing audits and penetration tests. In 2004, he joined EADS Innovation Works and now runs the Computer Security Research Lab in Suresnes, France. His research focuses on network security, especially wireless links. He is an active member of the Rstack team and the French Honeynet Project, with studies on honeynet containment, honeypot farms and network traffic analysis. He has delivered technical presentations and trainings worldwide, and has written papers and articles on network security. Cédric's website: http://sid.rstack.org/

 
 
Mar 14 to Mar 17

Advanced Linux Hardening (and keeping your sanity)

Description

The course shows how to effectively implement modern hardening frameworks and techniques for securing Linux-based (and secondarily other *NIX) systems while keeping things manageable and at the same time avoiding the usual madness and confusion often created by MAC/hardening frameworks.

The goal of this course is to teach, hands-on, every aspect of installing, configuring and maintaining hardening frameworks, together with the techniques and administration available for securing Linux systems. You'll learn the different architectures, implementation details, administration procedures and issues related to all the covered frameworks, and acquire the proper skills for maintaining and troubleshooting the hardened environment. Special focus will be given to security monitoring and auditing, policy development and maintenance, and integration of the hardening systems with your favourite distribution / OS.

Topics

You'll learn:

  • basic *NIX security concepts and techniques

  • security monitoring with Host Intrusion Detection Systems (HIDS)

  • log monitoring and correlation

    • swatch / tenshi / SEC / ...

  • file system integrity checkers

    • aide / samhain / osiris / ...

  • sensible accounts and auth token management

  • One Time Passwords

  • shell account security

  • extended POSIX ACLs

  • hardening frameworks

    • PaX / ASLR / Grsecurity

    • SELinux

    • RSBAC

    • Systrace

  • GCC hardening / Stack Smashing Protection

  • ELF hardening: PIE (Position Independent Executables) / PIC (Position Independent Code)

  • secure backup architectures

  • centralized account management with LDAP

Bonus Topic:

  • genuine Italian swear words to use when things go wrong! (and impress your co-workers)

Prerequisites

  • basic command line proficiency on *NIX systems

  • basic Linux/*NIX system administration skills

  • familiarity with Makefiles / autoconf usage and package compilation and installation

  • familiarity with Linux kernel configuration / compilation / installation

  • basic scripting skills

Prerequisite material

  • Each student must bring their own laptop running a recent Linux distribution. Fedora, RHEL or Gentoo Linux are the best choices, but since the class will also focus on how to deal with these frameworks on any distribution we won't require any of those, as long as it's a modern distribution capable of compiling without problems.

  • Needless to say, a working network adapter (along with an IPv4 TCP/IP stack) is required.

 

Instructor: Andrea Barisani

Andrea Barisani is a system administrator and security consultant. His professional career began 8 years ago but all really started when a Commodore-64 first arrived in his home when he was 10. Now, 16 years later, Andrea is having fun with large-scale IDS/Firewalls deployment and administration, forensic analysis, vulnerability assessment, penetration testing, security training and his Open Source projects. He eventually found that system and security administration are the only effective way to express his need for paranoia. He's currently involved with the Gentoo project managing infrastructure server security being a member of the Gentoo Security and Infrastructure Teams along with distribution development. Being an active member of the international Open Source and security community he's maintainer/author of the tenshi, ftester and openssh-lpk projects and he's been involved in the Open Source Security Testing Methodology Manual, becoming a ISECOM Core Team member. Outside the community he has been a security consultant for Italian firms and he's now the co-founder and Chief Security Engineer of Inverse Path Ltd.

 

Instructor: Jay Beale

No bio.

 
Mar 14 to Mar 17

Physical Security and Lock Technology

Description

Physical security is an oft-overlooked component of data and system security in the technology world. While frequently forgotten, it is no less critical than timely patches, appropriate password policies, and proper user permissions. You can have the most hardened servers and network but that doesn’t make the slightest difference if someone can gain direct access to a keyboard or, worse yet, march your hardware right out the door.

Topics

This course will cover:

  • Theory & Overview

    • Basic introduction

    • Components of a lock

    • Photos of the most typical locks

    • "Take a look at your keys" (many will match)

  • Weak Security: The Basic Pin Tumbler Design

    • How they function internally

    • How picking happens (depiction)

    • How picking is performed (demonstration)

    • How picking is easy (audience participation)

  • Weak Security: Alternative Designs

    • Combination Locks

    • Warded Locks

    • Dimple Locks

    • Tubular Locks

    • Wafer Locks

    • Barrel Locks

  • Q&A, break and tools setup

  • Group Hands-on application of the above-demonstrated techniques

  • Fun for Police & Feds

    • Basic Handcuffs

    • Better Handcuffs

    • Gun Locks

    • Group Hands-on

  • The Bump Attack

    • How many locks are vulnerable

    • How bumping works

    • Detail of Bump Keys (more detail than I give in public lectures)

    • Making a Bump Key (i cut one by hand in front of everyone, and even imperfect it will still work)

    • Group Hands-On (audience is given a variety of locks to bump open)

  • High Security (a.k.a. "We've seen everything that's wrong... now what can we do about it!?")

    • Security Pins

    • Unshimmable Padlocks (Double-ball, Sargent & Greenleaf 8077)

    • Sidebars: The best additional layer of security (if done properly)

      • Pin-based systems (Assa & Schlage)

      • Slider-based systems (Evva & Scorpion)

    • Rotating Disk Locks (demonstration of Abloy, picking with Falle Tool, Protec, laser decoding?)

    • Magnetic Locks (Miiwa vs Evva)

    • How some sidebars can fail (how people attempt to pick some Assa, some Medeco)

    • Safes & Vaults (discussion of safe locks, UL ratings, and how some of the oldest designs, like "lever locks", are still in use and do very well in safes)

    • Countermeasures to the Bump Attack

      • Which high security locks are completely invulnerable

      • Why some high security locks are vulnerable (maybe even MORE than cheap locks)

      • New designs for inexpensive, everyday locks that make them resistant or even immune

      • Pickbuster and other fluid-based solutions

  • Institutional Concerns (important details for people who have oversight of grounds, campuses, or entire facilities)

    • Master Keying (how it is achieved, what the risks are, how to mitigate them)

    • Interchangeable Cores (why they're easy to manage but can pose a risk, how to check if your SFIC system is safe)

    • Contractor Pins (how to make a new facility secure during and after construction)

    • Restricted keyways and how they relate to key duplication control

    • Electronic security systems, access controls, etc

  • What to Try When You Leave

    • Other resources for more learning (books, web sites, etc)

    • Hobbyist and academic communities for lockpicking

    • Sport picking events

    • Advanced tools and techniques to acquire and attempt

    • Tips for testing your own security

    • Maintenance and lubrication of locks

  • Security in the "real" world

    • Many attacks are unsophisticated and do not involve picking

      • Windows & Doors (why they're often installed poorly, how to reinforce them) Walls, floors, ceilings (how secure do you need to be?)

      • Illicit access to wiring

    • Integration of locks with larger security systems

    • Logging and records (Mul-T-Lock "CLiQ system" example)

    • Cost/Benefit analysis

    • "List of terrific locks"

    • The "American Padlock" example which ties the physical world to the digital world so perfectly

You'll learn

Those who attend this session will leave with a full awareness of how to best protect buildings and grounds from unauthorized access. Attendees will not only learn how to distinguish good locks and access control from poor ones, but will also become well-versed in picking and bypassing many of the most common locks used in North America... convince management that a new investment is necessary by showing them yourself how the server room door can be opened without a key in under a minute! :-)

Prerequisites

None. If you have your own lockpick tools, you are welcome to bring them, but this is not necessary.

Prerequisite material

None. A set of tools will be provided to you as part of the course.

 

Instructor: Deviant Ollam

No bio.

 
Mar 14 to Mar 17

The Exploit Laboratory: Advanced Edition

Description

No Details

Prerequisites:

  • No Details

Recommendations:

  • No Details

Instructor: Saumil Shah

Founder and CEO, Net-Square Solutions Pvt. Ltd. saumil@net-square.com Saumil continues to lead the efforts in e-commerce security research at Net-Square. He holds the designation of Certified Information Systems Security Professional. Saumil has more than ten years of experience with system administration, network architecture, integrating heterogeneous platforms, and information security, and has performed numerous ethical hacking exercises for many significant companies in the IT area. Previously, Saumil held the position of Director of Indian operations at Foundstone Inc. and was a senior consultant with Ernst & Young. Saumil has also worked at the Indian Institute of Management, Ahmedabad, as a research assistant. Saumil graduated from Purdue University with a master's degree in computer science and a strong research background in operating systems, networking, information security, and cryptography. He got his undergraduate degree in computer engineering from Gujarat University, India. Saumil is a co-author of "Web Hacking: Attacks and Defense" (Addison Wesley, 2002) and is the author of "The Anti-Virus Book" (Tata McGraw-Hill, 1996).

 
Mar 14 to Mar 17

Mastering the network with Scapy

Description

Most current tools that work at the packet level suffer from deficiencies that prevent you from correctly mapping networks, finding flaws, testing equipment, etc. Learn what those deficiencies are, and how you can overcome them with Scapy (http://www.secdev.org/projects/scapy) to efficiently do network discovery, network stack crash testing, leak finding, Wi-Fi injection, attacks, automating specific tasks, etc. See how to extend Scapy with the obscure protocols you need to test and that have no tools supporting them, all in a matter of minutes.

Topics

  • Introduction

    • conceptual flaws of other tools

    • Scapy's concepts to avoid those flaws

  • Quick overview

    • packet manipulation

    • sending packets

    • sniffing

    • manipulating packet lists

    • sending and receiving

    • manipulating result lists

    • high level functions

  • Packet creation workshop

    • old school

    • honey, I shrunk the C exploit (by a factor of 100)

  • Fuzzing

    • random everywhere

  • Playing with TTL

    • fun with DNAT

    • sliced network scans

  • Playing with leaks

    • examples of flaws

    • spotting the padding

  • Playing with Wi-Fi

    • sniffing, AP spotting

    • signal strength monitoring

    • frame injection

    • airpwn attack (AP spoofing)

  • Extending Scapy

    • scripting Scapy

    • adding your own protocols

    • building your own tools

Prerequisites

  • good knowledge of TCP/IP protocol suite

  • good Python basics (read, understood and practised http://www.python.org/doc/current/tut/tut.html)

  • some knowledge of Ethernet and 802.11 will help

Prerequisite material

  • computer with Scapy *installed* and *running* and *working*

  • python

  • python-crypto

  • python-gnuplot

  • python-pyx

  • graphviz

  • imagemagick

 

Instructor: Philippe Biondi

Philippe Biondi is a research engineer and security expert working at the IT security lab of EADS Corporate Research Center. He is a member of the French Honeynet Project. He was co-author of LIDS. He is the author of Scapy and Shellforge and a lot of other tools. His Scapy tutorial at CanSecWest/core05 was rated one of the best talks of the conference by attendees.

 