Nov 27 to Nov 28

Network Vulnerability Scanning - Turning Nessus into Metasploit

Description

Nessus is a distributed engine, which can do much more than network auditing. In this class, Nicolas Pouvesle and Renaud Deraison will detail the Nessus architecture, the scripting language API and available functions, and will show the students how they can turn Nessus into a potentially more powerful and aggressive tool.

The goal of this course is to explain the Nessus architecture and how one can take advantage of it and tailor it to one's needs, whether for network auditing, system monitoring, or a massive pen-test.

They will then teach the students how to write their own NASL scripts to perform their own network checks. In particular, the SMB and SSH APIs will be explained so that students can learn how to write scripts that dig information out of remote Windows and Unix hosts using the APIs provided by Nessus.

Prerequisites

  • The students should have a laptop running Nessus 2.2.7 or 3.0.x

  • The students should be familiar with either perl, php or preferably NASL

 

Instructor: Renaud Deraison

Renaud is the Chief Research Officer at Tenable Network Security. Founder and the primary author of the open-source Nessus vulnerability scanner project. He has worked for SolSoft, and founded his own computing security consulting company, 'Nessus Consulting S.A.R.L.' Nessus detects network vulnerabilities and is in use at more than 50,000 worldwide organizations. Under Renaud's leadership, the Nessus project has won numerous awards, including the 2002 Network Computing 'Well Connected' award and PC Magazine's 2003 'Open Source Product of the Year' award. Mr. Deraison also is an editorial board member of the Common Vulnerabilities and Exposures Organization, has presented at a variety of security conferences and has had his work published in several magazines and books.

 

Instructor: Nicolas Pouvesle

No bio.

 
Nov 27 to Nov 28

Assembly for Exploit Writing

Description

Trying to understand code execution vulnerabilities without understanding assembly is nonsense. We will start from scratch to learn assembly, going from no assembly at all to understanding how buffer overflows, integer overflows and sign mismatches work, what the possibilities of their exploitation are, and hopefully more.

The attendee will learn assembly, how to use a debugger, how to code small assembly programs and how to do basic exploits. There's no doubt he'll understand and learn to draw the stack (of utter importance for exploit writing), and, what's more important, how to have lots of fun playing the ultimate game against other coders: how is it possible to make their programs do what YOU want.

During the course the student will invest a portion of his/her time working on the computer, solving exercises, and reinforcing all the new concepts and ideas. This way we'll focus on setting the cornerstone where he'll be able to build all his future knowledge on exploit writing. Not focusing on going too far, but rather going deeper.

The course will be heavily based on IA32 (x86) assembly.

You'll [hopefully] learn:

  • Assembly reading

  • Assembly writing (basics)

  • Debugging (in windows at least)

  • Reverse engineering (basics)

  • Buffer overflows

  • Buffer overflows exploitation (some kinds)

  • Integer overflows

  • Sign-mismatched comparisons

  • How C is compiled into assembly

Prerequisites

Basic C reading/understanding skills.

Good coding experience in any language. (C, perl, python, pascal, Smalltalk, any other)

Prerequisite material

  • A computer running Windows (2k or higher preferred)

  • Your language of choice installed (C compiler, perl or python interpreter, Smalltalk, any other)

  • OllyDbg installed (or we'll install it in the class)

  • Networking (you'll probably want to use our internet access)

  • You'll have to copy a few small files to your box (either network, CD or USB drive is fine)

  • Gray matter

 

Instructor: Gerardo 'gera' Richarte

Gera is widely regarded as one of the world's most brilliant "shellcode ninjas" and responsible for countless innovations in technique. A short look at his famous "Insecure Programming by Example" page at the Insecure Programming site should convince you that he is about as 31337 as you get. Gera is one of the technical wizards at Core Security Technologies.

 
Nov 27 to Nov 28

Advanced Honeypot Tactics

Description

This course shows how to use honeypot technologies as a concrete improvement to your organisation's security defences. This course will concentrate on low-interaction honeynet technology.

  • honeyd

    • workings of honeyd

    • routing traffic to honeyd

    • simulation

      • simulation tcp/ip stacks

      • simulation of network infrastructure

      • simulation of applications

      • advanced honeyd configuration

    • centralized data collection with honeyd

      • traditional methods

      • honeyd collector/mustard

    • writing honeyd plugins

    • honeyd to protect corporate infrastructure

  • Collecting malware with honeypots

    • Techniques used

    • mwcollect / nepenthes

      • How they work

      • Writing own modules

      • Analyzing the received shellcodes

      • Analyzing the captured binaries

    • Results

  • Bots/Botnets

    • Intro to bots and demo

    • Reverse engineering of bot

      • Basic techniques

      • Sandboxes

      • Ollydbg and/or IDA

  • Botnet 101

    • How they work

    • What you need to know

    • Observing them

    • Live botnet observation

  • Results

Prerequisites

Students should be familiar with honeypot concepts and have a good understanding of TCP/IP networking and analysis tools like Ethereal.

Prerequisite material

Students need to bring a computer configured with VMWare and powerful enough to run two VMware sessions at once. The computer also should have wired ethernet. Students also need to have an IRC client and the Python programming language installed. They also should have a Windows installation (native or in vmware) with OllyDbg (http://www.ollydbg.de/) installed.

 

Thorsten Holz

Thorsten Holz is a Ph.D. student at the Laboratory for Dependable Distributed Systems. He is one of the founders of the German Honeynet Project and has extensive background in the area of honeypots and bots/botnets. His research interests include the practical aspects of secure systems, but he is also interested in more theoretical considerations of dependable systems. In addition, he is the editor-in-chief of the German IT-security magazine MISC.

 
Nov 27 to Nov 28

Mastering the network with Scapy

Description

Most current tools that work at the packet level suffer from deficiencies that prevent you from correctly mapping networks, finding flaws, testing equipment, etc. Learn what those deficiencies are, and how you can overcome them with Scapy (http://www.secdev.org/projects/scapy) to efficiently do network discovery, network stack crash testing, leak finding, Wi-Fi injection, attacks, automation of specific tasks, etc. See how to extend Scapy with the obscure protocols you need to test and that have no tools supporting them, all in a matter of minutes.

Topics

  • Introduction

    • conceptual flaws of other tools

    • Scapy's concepts to avoid those flaws

  • Quick overview

    • packet manipulation

    • sending packets

    • sniffing

    • manipulating packet lists

    • sending and receiving

    • manipulating result lists

    • high level functions

  • Packet creation workshop

    • old school

    • honey, I shrunk the C exploit (by a factor of 100)

  • Fuzzing

    • random everywhere

  • Playing with TTL

    • fun with DNAT

    • sliced network scans

  • Playing with leaks

    • examples of flaws

    • spotting the padding

  • Playing with Wi-Fi

    • sniffing, AP spotting

    • signal strength monitoring

    • frame injection

    • airpwn attack (AP spoofing)

  • Extending Scapy

    • scripting Scapy

    • adding your own protocols

    • building your own tools

Prerequisites

  • good knowledge of TCP/IP protocol suite

  • good python basics (read, understood and practised http://www.python.org/doc/current/tut/tut.html)

  • some knowledge of Ethernet and 802.11 will help

Prerequisite material

  • computer with Scapy *installed* and *running* and *working*

  • python

  • python-crypto

  • python-gnuplot

  • python-pyx

  • graphviz

  • imagemagick

  • prism2 or 2.5 with recent hostap driver for Wi-Fi injection

 

Philippe Biondi

Philippe Biondi is a research engineer and security expert working at the IT security lab of EADS Corporate Research Center. He is a member of the French Honeynet Project. He was co-author of LIDS. He is the author of Scapy and Shellforge and a lot of other tools. His Scapy tutorial at CanSecWest/core05 was rated one of the best talks of the conference by attendees.

 
Nov 27 to Nov 28

Practical 802.11 WiFi (In)Security

Description

802.11 wireless LAN has been widely deployed in the past few years, in parallel introducing an explosion of security issues mainly due to weak default configurations and lack of user awareness. Despite all the available information about WiFi network vulnerabilities, open or insecure networks still represent the majority of deployed wireless networks.

This one day course will bring you up to date with WiFi security, providing detailed in-depth background information and techniques for infrastructure and ad hoc networks. Mixing both lecture and hands-on, it will offer you a very practical approach to WiFi (in)security, learning and practising the latest exploitation techniques in WEP cracking, WiFi network penetration and wireless station attacks, as well as state of the art efficient protection schemes for secure wireless access deployment, such as WPA and 802.11i.

Topics

  • 802.11 security fundamentals

  • Complete and practical WEP cracking overview

  • Applied malicious traffic injection

  • WPA and 802.11i/WPA2 in depth

Prerequisites

  • good knowledge of TCP/IP protocol suite

  • good knowledge of Ethernet protocol suite

  • knowledge of 802.11 protocol

Prerequisite material

  • Each student must bring his own laptop, either capable of running the Auditor or Whax Live CDROM, or running a recent 2.6 Linux kernel with the Madwifi driver and Scapy installed/running/working. Atheros based adapters will be provided.

  • Good knowledge and understanding of Ethernet and TCP/IP protocol suite

  • Overall knowledge and understanding of 802.11 networks

 

Cédric Blancher

Cédric has spent the last 5 years working in the network security field, performing audits and penetration tests. In 2004, he joined EADS Corporate Research Center in France to work on R&D within the network security field, including a focus on wireless links. He is an active member of the Rstack team and the French Honeynet Project with studies on honeynet containment, honeypot farms and network traffic analysis. He has also delivered technical presentations (Eurosec, SSTIC, Cansecwest, Recon, Syscan, etc.) and written research papers and magazine articles (MISC, SSTIC, etc.) about network security. Cédric's website: http://sid.rstack.org/

 
Nov 27 to Nov 28

Bluetooth Technology Security

Description

The proliferation of Bluetooth in the mobile phone and PDA industries has, unfortunately, brought with it a corresponding surge of security issues and problems. Since the initial "BlueSnarfing" attacks in 2003, there has been a constant trickle of new issues as each new generation of device hits the market, some with far-reaching consequences for the potential victims.

This course will bring you up to date with all the currently known issues, providing detailed background information and techniques, as well as tools for the auditing of Bluetooth devices for vulnerability to attack.

The instructors of this course have been the leading pioneers in highlighting Bluetooth security issues, and work closely with the industry to help find and eliminate problems, as well as bringing them to the public's attention by speaking at major security conferences worldwide, such as DEFCON, Black Hat and Chaos Communications Congress.

More information on their work can be found at http://www.trifinite.org, the home of the Trifinite Group.

Description

1 day course, consisting of a short lecture and demonstrations, followed by hands-on installation of tools and instruction in their use.

Prerequisites

Students coming into this course must know how to configure a linux kernel.

Prerequisite material

Students should bring a laptop with a Bluetooth dongle (for best results, we recommend a Cambridge Silicon Radio (CSR) based dongle, as some of the test tools are chip manufacturer dependent). A live CD will be provided, but students wishing to set up their laptop for ongoing Bluetooth auditing should have Linux version 2.6.10 or greater pre-installed.

 

Instructor: Martin Herfurt

Martin Herfurt is the founder of the trifinite.group. He completed his Telecommunications Engineering Degree at the Salzburg University of Applied Sciences and Technologies in 2001. Alongside his studies Martin was involved in numerous industry projects, providing him with commercial programming practice. In 2000 Martin followed up his formal study with a four-month internship at the telecommunications institute of the TELCOT institute in San Ramon, California, USA. Since the second half of 2000 Martin has been working as a full time researcher at an Austrian research facility. His project responsibilities there ranged from the co-ordination of a European IST project with a total budget of over 5 million Euro to software agent development. Together with a colleague, Martin began giving a class on mobile data services at the Salzburg University of Applied Sciences and Technologies in the summer of 2003. In February 2004, Martin discovered a major security loophole in several popular cellphones which is referred to as BlueBug in the media. As part of his fascination with the rapid development in computer programming Martin has become a regular participant in the Chaos Communication Congress, the yearly meeting of the German hacker association CCC.

Instructor: Marcel Holtmann

Marcel Holtmann is the maintainer and the core developer of the official Linux Bluetooth stack, which is called BlueZ. He started working with Bluetooth technology back in 2001. His work includes new hardware drivers, upper layer protocol implementations and the integration of Bluetooth into other subsystems of the Linux kernel. In January 2004 he took over the maintainer role from the original developer Max Krasnyansky. Together with Jean Tourrilhes he maintains the OpenOBEX project. He is also responsible for the IrDA and Bluetooth integration of the Gnokii project.

Instructor: Adam Laurie

Adam Laurie is Chief Security Officer and a Director of The Bunker Secure Hosting Ltd. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other mini computers, and then on various Unix, Dos and CP/M based micro computers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe's largest specialist in that field (A.L. downloading Services). During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and, with help from his brother Ben, wrote the world's first CD ripper, 'CDGRAB'. At this point, he and Ben became interested in the newly emerging concept of 'The Internet', and were involved in various early open source projects, the most well known of which is probably their own 'Apache-SSL', which went on to become the de-facto standard secure web server. Since the late Nineties they have focused their attention on security, and have been the authors of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centres (housed in underground nuclear bunkers - http://www.thebunker.net) as secure hosting facilities. Adam has been a senior member of staff at DEFCON since 1997, and also acted as a member of staff during the early years of the Black Hat Briefings.

 