Nov 14

Assembly for Exploit Writing

Description


Trying to understand code execution vulnerabilities without understanding assembly is nonsense. We will start from scratch to learn assembly, going from no assembly at all to understanding how buffer overflows, integer overflows and sign mismatches work, what the possibilities for their exploitation are, and hopefully more.

The attendee will learn assembly, how to use a debugger, how to code small assembly programs and how to write basic exploits. There's no doubt he'll learn to understand and draw the stack (of utmost importance for exploit writing) and, what's more important, how to have lots of fun playing the ultimate game against other coders: making their programs do what YOU want.

During the course the student will invest a portion of his/her time working on the computer, solving exercises, and reinforcing all the new concepts and ideas. This way we'll focus on laying the cornerstone on which he'll be able to build all his future knowledge of exploit writing: not going too far, but rather going deeper.

The course will be heavily based on IA32 (x86) assembly.

You'll [hopefully] learn:

  • Assembly reading

  • Assembly writing (basics)

  • Debugging (in Windows at least)

  • Reverse engineering (basics)

  • Buffer overflows

  • Buffer overflows exploitation (some kinds)

  • Integer overflows

  • Sign-mismatched comparisons

  • How C is compiled into assembly


Prerequisites


Basic C reading/understanding skills.

Good coding experience in any language (C, Perl, Python, Pascal, Smalltalk, any other).

Prerequisite material

  • A computer running Windows (2k or higher preferred)

  • Your language of choice installed (C compiler, Perl or Python interpreter, Smalltalk, any other)

  • OllyDbg installed (or we'll install it in the class)

  • Networking (you'll probably want to use our internet access)

  • You'll have to copy a few small files to your box (either network, CD or USB drive is fine)

  • Gray matter


Instructor: Gerardo 'gera' Richarte

Gera is widely regarded as one of the world's most brilliant "shellcode ninjas" and responsible for countless innovations in technique. A short look at his famous "Insecure Programming by Example" page at the Insecure Programming site should convince you that he is about as 31337 as you get. Gera is one of the technical wizards at Core Security Technologies.

Nov 14

Win32 Reliable Heap Exploitation

Description


Simple stack overflows are mostly dead. Other low hanging fruit, such as straightforward heap overflows, are becoming increasingly less common too.

The game these days is not only to find the more obscure heap overflows, but also to reliably exploit them. There is a big difference between a run-of-the-mill Full Disclosure PoC exploit and a reliable exploit that's fit for commercial use.

This three-and-a-half-hour course will take you on a tour of Win32 heap internals, how to play with them and how to work them to your advantage in real-life exploit scenarios.

Topics covered:

  • Win32 heap basics

    • Internal structure: Chunks, FreeList, Lookaside, VAList

    • RtlAllocateHeap

    • RtlFreeHeap

  • Win32 heap exploiting basics

    • Unlinking

    • Write4

    • Coalescing

    • Write8

    • Blind Write4

  • Playing with the layout

    • Windbg basics

    • Tools to play with it

    • Memleaks & Infoleaks

    • Memleaks:

      • Hard memleaks

      • Soft memleaks

  • Shellcode

    • Fixing vs Injecting

  • A walk on the wild side

    • Exchange X-LINK2STATE overview

    • SPOOLER overview

    • Verde overview

  • Do we still have time?

    • What/Where hints

    • FreeList trick


Prerequisites

  • some knowledge of i386 assembly

  • a basic idea of the Python language

Prerequisite material

  • a laptop with VMware (the native OS can be Linux or Windows)

  • a VMware image of an out-of-the-box Windows 2000 Server

  • IDA

  • windbg (or it will be installed in the class)

  • Python

Instructor: Sinan "noir" Eren

Sinan Eren is a reverse engineer and a casual exploit developer. At Immunity Inc, he performs code/binary audits and exploit development for the CANVAS platform. Architectures and platforms of interest include x86/Win32, Unix on any CPU flavor and popular third-party applications (MTAs, HIPS, AV, VPN, Remote Desktop, etc.). He recently gave auditing courses on the RPC layer of the Windows OS to several audiences around the USA.

Instructor: Nicolas Waisman

Nicolas Waisman is a Senior Security Researcher at Immunity, Inc. Nico is one of the driving forces behind the CANVAS exploit framework. The majority of his recent work has focused on win32 vulndev, specifically reliable heap exploitation. He also likes to sneak in the odd reverse engineering project from time to time. His most current passion is implementing MOSDEF for the PPC architecture.

Nov 14

Advanced IDS Deployment and Optimization: Learn to get the most from your Snort deployment

Description


This one-day course will cover advanced configuration of Snort and its output mechanisms, as well as advanced rule-writing techniques. Three areas will be covered.

  • Advanced configuration. Learn to squeeze the most performance out of Snort's preprocessors and configure the system for large network environments.

  • Advanced rule writing. Learn to write Snort rules that unleash the full power of Snort's detection engine. Regular expressions, protocol decoding and detection of vulnerability access (not exploits!) will be covered.

  • Output management. Snort generates tons of data; learn how to manage it effectively to get the most out of your deployment!

Prerequisites

  • Working knowledge of Snort - must be able to put Snort into IDS mode, configure basic rules/preprocessors/output mechanisms

  • Basic command line proficiency on host OS (Windows/UNIX)

  • Basic proficiency with vi/vim, emacs degenerates need not apply

Ok, just kidding about that last one...

Instructor: Martin Roesch

Marty is a respected authority on intrusion detection technology and forensics, and today works at Sourcefire, where he is the founder and CTO. Martin, who has 17 years of industry experience in network security and embedded systems engineering, is also the author and lead developer of the Snort Intrusion Detection System.

Over the past eight years, Martin has developed various network security tools and technologies, including intrusion detection systems, honeypots, network scanners, and policy enforcement systems for organizations such as GTE Internetworking, Stanford Telecommunications, Inc., and the Department of Defense. He has applied his knowledge of network security to penetration testing and network forensics for numerous government and large corporate customers. Martin has been interviewed as an industry expert in multiple technology publications, as well as print and online news services such as MSNBC, Wall Street Journal, CNET, ZDNet, and numerous books. Snort has been featured in Scientific American, on A&E's Secret Places: Inside the FBI, and in several books, such as Network Intrusion Detection: An Analyst's Handbook, Intrusion Signatures and Analysis, Maximum Security, Hacking Exposed, and others.

Martin holds a B.S. in Electrical and Computer Engineering from Clarkson University.

Nov 14

Advanced Honeypot Tactics

Description


This course shows how to use honeypot technologies as a concrete improvement to your organisation's security defences. It will concentrate on low-interaction honeynet technology.

  • honeyd

    • workings of honeyd

    • routing traffic to honeyd

    • simulation

      • simulation of TCP/IP stacks

      • simulation of network infrastructure

      • simulation of applications

      • advanced honeyd configuration

    • centralized data collection with honeyd

      • traditional methods

      • honeyd collector/mustard

    • writing honeyd plugins

    • honeyd to protect corporate infrastructure

  • malware collection

  • Collecting malware with honeypots

    • Techniques used

    • mwcollect / nepenthes

      • How they work

      • Writing your own modules

      • Analyzing the received shellcodes

      • Analyzing the captured binaries

    • Results

  • Bots/Botnets

    • Intro to bots and demo

    • Reverse engineering of bots

      • Basic techniques

      • Sandboxes

      • Ollydbg and/or IDA

  • Botnet 101

    • How they work

    • What you need to know

    • Observing them

    • Live botnet observation

  • Results

Prerequisites


Students should be familiar with honeypot concepts and have a good understanding of TCP/IP networking and analysis tools like Ethereal.

Prerequisite material


Students need to bring a computer configured with VMware and powerful enough to run two VMware sessions at once. The computer should also have a wired Ethernet interface. Students also need to have an IRC client and the Python programming language installed. They should also have a Windows installation (native or in VMware) with OllyDbg (http://www.ollydbg.de/) installed.

Instructor: Maximillian Dornseif

Maximillian Dornseif studied law and computer science at the University of Bonn, Germany, where he wrote his PhD thesis about the "Phenomenology of Cybercrime". He has been doing IT security consulting since the mid-nineties and today focuses mostly on penetration testing. In early 2004 he joined the Laboratory for Dependable Distributed Systems at RWTH Aachen University, where he bootstrapped the computer forensics education program, the German Honeynet Project and the now famous "Summerschool Applied IT-Security". Since fall 2005 he has worked as a post-doc researcher at the University of Mannheim. Dornseif is a sought-after speaker at international security conferences and has published in the legal and computer science fields on a wide range of topics.

Instructor: Thorsten Holz

Thorsten Holz is a Ph.D. student at the Laboratory for Dependable Distributed Systems. He is one of the founders of the German Honeynet Project and has an extensive background in the area of honeypots and bots/botnets. His research interests include the practical aspects of secure systems, but he is also interested in more theoretical considerations of dependable systems. In addition, he is the editor-in-chief of the German IT-security magazine MISC.

Nov 14

Mastering the network with Scapy

Description


Most current tools that work at the packet level suffer from deficiencies that will prevent you from correctly mapping networks, finding flaws, testing equipment, etc. Learn what those deficiencies are, and how you can overcome them with Scapy (http://www.secdev.org/projects/scapy) to efficiently do network discovery, network stack crash testing, leak finding, Wi-Fi injection, attacks, automating specific tasks, etc. See how to extend Scapy with the obscure protocols you need to test and that have no tools supporting them, all in a matter of minutes.

Topics

  • Introduction

    • conceptual flaws of other tools

    • Scapy's concepts to avoid those flaws

  • Quick overview

    • packet manipulation

    • sending packets

    • sniffing

    • manipulating packet lists

    • sending and receiving

    • manipulating result lists

    • high level functions

  • Packet creation workshop

    • old school

    • honey, I shrunk the C exploit (by a factor of 100)

  • Fuzzing

    • random everywhere

  • Playing with TTL

    • fun with DNAT

    • sliced network scans

  • Playing with leaks

    • examples of flaws

    • spotting the padding

  • Playing with Wi-Fi

    • sniffing, AP spotting

    • signal strength monitoring

    • frame injection

    • airpwn attack (AP spoofing)

  • Extending Scapy

    • scripting Scapy

    • adding your own protocols

    • building your own tools

Prerequisites

  • good knowledge of TCP/IP protocol suite

  • good Python basics (read, understood and practiced http://www.python.org/doc/current/tut/tut.html?LANG=ENGLISH)

  • some knowledge of Ethernet and 802.11 will help

Prerequisite material

  • computer with Scapy *installed* and *running* and *working*

  • Python

  • python-crypto

  • python-gnuplot

  • python-pyx

  • graphviz

  • imagemagick

  • Prism2 or Prism2.5 card with a recent HostAP driver for Wi-Fi injection

Instructor: Philippe Biondi

Philippe Biondi is a research engineer and security expert working at the IT security lab of the EADS Corporate Research Center. He is a member of the French Honeynet Project. He was a co-author of LIDS. He is the author of Scapy, Shellforge and a lot of other tools. His Scapy tutorial at CanSecWest/core05 was rated one of the best talks of the conference by attendees.
