Workshops 2022

Car Hacking

2 days training, by Robert Leale
Dates: March 22nd & 23rd 2022

This training will be given in ENGLISH

Normal price: CHF 1500.-
Student price: CHF 1125.- (Limited availability)

DESCRIPTION

Hacking Cars... hands-on !

ABOUT THE TRAINERS

Robert Leale (@carfucar) is a long-time car hacker who is President of CanBusHack, a small, but focussed company specializing in Reverse and Forward Engineering vehicle electronics systems. In 2016, Robert formed the Car Hacking Village whose goal is to bring hardware and tools to hacking and security conferences around the globe.

COURSE OUTLINE
  • Introduction to ECUs
  • Introduction to Vehicle Networks
  • Vehicle Sub-Systems Overview
  • Hands-On: Build a CAN Bus
  • CAN Bus Tools
  • Connect to our CAN Bus
  • Break/Fix our CAN Bus
  • Transmit on our CAN Bus
  • Send Commands on our CAN Bus
  • Security Access
  • Device Control
  • Sending Diagnostics Commands
  • Handling Errors
  • Open Hack Controllers

COURSE REQUIREMENTS

Windows Laptop or VM.
Skill Level: Beginner/Intermediate

Cloud Security Masterclass

Defender's guide to Securing Public Cloud Infrastructure

2 days training, by Abhinav Singh
Dates: March 22nd & 23rd 2022

This training will be given in ENGLISH

Normal price: CHF 1500.-
Student price: CHF 1125.- (Limited availability)

DESCRIPTION

This training focuses on elevating your threat detection, security investigation, and response knowledge into the cloud.
This hands-on training, built on AWS with CTF-style exercises, simulates real-life attack scenarios on cloud infrastructure and applications.
It then teaches you to build defensive guardrails against such attacks using cloud-native services on AWS, which makes it an ideal class for both red and blue teams.
The training takes both an investigator's and a builder's approach to security.
It not only teaches you the fundamentals of cloud infrastructure security, but also focuses on building highly scalable threat detection, monitoring and response tools using cloud-native services such as serverless functions, containers, object stores, IAM and much more.

By the end of this training, you will be able to:

  • Use cloud technologies to detect IAM attacks and build automated responses against them.
  • Understand and mitigate cloud-native pivoting and privilege escalation techniques.
  • Use serverless functions to perform on-demand threat scans.
  • Deploy threat detection services at scale using containers.
  • Implement VPC traffic mirroring for network-based cloud security monitoring.
  • Build notification services to raise detection alerts.
  • Analyze malware-infected virtual machines through automated forensic investigations.
  • Define step functions that automate forensic artifact collection for cloud resources.
  • Build cloud security response playbooks for defense evasion, persistence and lateral movement.
  • Perform advanced security investigations by architecting and deploying a security data lake for real-time threat intelligence and monitoring.

ABOUT THE TRAINERS

Abhinav Singh is a cybersecurity researcher with close to a decade of experience working for global leaders in security technology and financial institutions, and as an independent trainer/consultant.
He is the author of Metasploit Penetration Testing Cookbook (first, second & third editions) and Instant Wireshark Starter, by Packt.
He is an active contributor to the security community in the form of patents, open-source tools, paper publications, articles, and blogs.
His work has been quoted in several security and privacy magazines, and digital portals.
He is a frequent speaker at eminent international conferences like Black Hat, RSA & Defcon.
His areas of expertise include malware research, reverse engineering, enterprise security, forensics, and cloud security.

COURSE OUTLINE

DAY 1

Introduction

  • Introduction to cloud services
  • Basic terminologies: IAM, VPC, AMI, serverless, ARNs etc.
  • Understanding cloud deployment architecture.
  • Introduction to Logging services in cloud.
  • Introduction to shared responsibility model.
  • Setting up your free tier account.
  • Setting up AWS command-line interface.
  • Understanding Cloud attack surfaces.

Detecting and monitoring against IAM attacks

  • Identity & Access management crash course.
  • Policy enumeration from an attacker's & defender's perspective.
  • Detecting and responding to user account brute force attempts.
  • Building anomaly detection using CloudWatch events.
  • Building controls against privilege escalation and access permission flaws.
  • Attacking and defending against user role enumeration.
  • Brute force attack detection using CloudTrail.
  • Automated notification for alarms and alerts.
  • Exercise on detecting IAM attacks in a simulated environment containing web application compromise and lateral movement.

Malware detection and investigation on/for cloud infrastructure

  • Quick introduction to cloud infrastructure security.
  • Building a ClamAV-based static scanner for S3 buckets using AWS Lambda.
  • Integrating serverless scanning of S3 buckets with the YARA engine.
  • Building signature update pipelines using static storage buckets to detect recent threats.
  • Malware alert notification through SNS and a Slack channel.
  • Adding advanced context to Slack notifications for quick remediation.
  • Exercise on simulating a malware infection in AWS and building an automated detection & alerting system.

DAY 2

Threat Response & Intelligence analysis techniques on/for Cloud infrastructure

  • Integrating playbooks for threat feed ingestion and VirusTotal lookups.
  • Building a SIEM-like service for advanced alerting and threat intelligence gathering using Elasticsearch.
  • Creating a security data lake for advanced analytics and intelligence search.
  • Building dashboards and queries for real-time monitoring and analytics.
  • CTF exercise to correlate multiple logs to determine the source of infection.

Network Security & monitoring for Cloud Infrastructure

  • Understanding network flow in a cloud environment.
  • Quick introduction to VPCs, subnets and security groups.
  • Using VPC flow logs to discover network threats.
  • VPC traffic mirroring to detect malware command & control.

Forensic acquisition, analysis and intelligence gathering of cloud AMIs

  • Analysis of an infected VM instance.
  • Building an IR 'flight simulator' in the cloud.
  • Creating a Step Functions rulebook for instance isolation and volume snapshots.
  • Lambda functions to perform instance isolation and status alerts.
  • Building a forensic analysis playbook to extract key artifacts, run Volatility and build case tracking.
  • Automated timeline generation and memory dump.
  • Storing the artifacts in an S3 bucket.
  • On-demand execution of a Sleuth Kit instance for detailed forensic analysis.
  • Enforcing security measures and policies to avoid instance compromise.

COURSE REQUIREMENTS

  • Laptop with internet access.
  • Basic understanding of cloud services.
  • System administration and the Linux CLI.
  • Ability to write basic programs in Python.
  • Familiarity with SQL and KQL queries will be a plus.
  • Free tier AWS account. You will be provided access to our training platform containing labs and exercises.

Students will be provided with:

  • PDF versions of the slides used during the training.
  • Complete course guide of 200+ pages in PDF format, containing step-by-step guidelines for all the exercises and labs and detailed explanations of the concepts discussed during the training.
  • Slack channel to continue the discussion and keep access even after the training ends.
  • Infrastructure-as-code templates to deploy the test environments & simulations for continued practice after the class ends.
  • Access to a GitHub account with custom-built source code and tools.
  • Collection of test malware samples, forensic images, detection rules and queries.

Deep Dive into Fuzzing

2 days training, by Dhiraj Mishra and Zubin Devnani

This workshop has been CANCELLED

Dates: March 21st & 22nd 2022

This training will be given in ENGLISH

Normal price: CHF 1500.-
Student price: CHF 1125.- (Limited availability)

DESCRIPTION

Fuzzing is a technique for identifying software vulnerabilities through the automated generation of test inputs (a corpus).
It has produced immense results and attracted a lot of visibility from security researchers and professionals in the industry.
Today fuzzing can be used in various ways and incorporated into your secure SDLC to discover vulnerabilities early and fix them.

ABOUT THE TRAINERS

Dhiraj Mishra is an active speaker and open-source contributor who has discovered multiple zero-days in modern web browsers.
He is a trainer at Black Hat and BruCON, and has presented at conferences such as Ekoparty, NorthSec, Hacktivity, PHDays & HITB.
In his free time, he blogs at www.inputzero.io and tweets as @RandomDhiraj.

Zubin Devnani is a red teamer by trade who has identified multiple vulnerabilities in commonly used software.
He is a trainer at Black Hat, BruCON and OWASP and has delivered multiple workshops, including at PHDays and Hacktivity.
He uses his fuzzing skills in his day-to-day trade to identify new ways of breaking into enterprises! He blogs at devtty0.io and tweets as @p1ngfl0yd.

COURSE OUTLINE

Finding vulnerabilities in software requires in-depth knowledge of different technology stacks. Modern software has huge codebases and may contain vulnerabilities. Manually verifying such vulnerabilities is a tedious task and may not be possible in all cases. This training is designed to introduce the concept of fuzzing and vulnerability discovery in software across multiple platforms, such as Linux & Windows, together with triage analysis of the vulnerabilities found.

During this training, attendees will practise techniques that provide a comprehensive understanding of the "Crash, Detect & Triage" cycle for fuzzed binaries or software. In "Deep Dive into Fuzzing" we will cover a detailed overview of fuzzing and how it can benefit professionals in uncovering security vulnerabilities, with a hands-on approach focused on labs.

DAY 1

  • Understanding fuzzing fundamentals
  • AFL Internals
  • Setting up the environment
  • Selecting fuzzing targets
  • Spinning up the fuzzer effectively
  • Corpus generation
  • Address/Memory Sanitizers
  • Hooking custom mutators
  • “Not so pro” tips while fuzzing
  • Parallel fuzzing
  • Improving code coverage with grammar
  • Plotting difference in code coverage
  • Enhancing your fuzzing approach

DAY 2

  • Setting up persistent mode
  • Introduction to QEMU
  • AFL internals for QEMU
  • Targeting blackbox binaries
  • Cross-platform architecture fuzzing
  • Setting up QEMU persistent
  • Introduction to network fuzzing
  • WinAFL Internals
  • Analyzing your target with debuggers
  • Improving code coverage
  • Capture the crash

COURSE REQUIREMENTS

Basic understanding of Linux & Windows fundamentals.
Understanding of basic programming concepts, familiarity with C/C++ and common data types.
Attendees are required to have a system with root/admin privileges, at least 8 GB of RAM and 100 GB of disk space, with VirtualBox or VMware installed.

Students will be provided with:

  • Walkthrough of lab exercises
  • Local lab setup (OVA of Ubuntu and Windows) loaded with all the course exercises and material including solutions
  • A private dedicated channel where trainers will be available to answer your queries after the training.

Mobile Hacking

3 days training, by Guillaume Lopes and Davy Douhine

This workshop has been CANCELLED

Dates: March 21st to 23rd 2022

This training will be given in ENGLISH

Normal price: CHF 2250.-
Student price: CHF 1687.- (Limited availability)

DESCRIPTION

Guillaume Lopes and Davy Douhine, senior pentesters, will share many techniques, tips and tricks in a 100% “hands-on” mobile workshop aimed at pentesters, bug bounty researchers or the simply curious.
The goal is to introduce the OWASP Mobile Security Testing Guide along with a few tools (Adb, Apktool, JADX, Frida, Hopper, Objection, and Rvictl)
and techniques to help you work faster and more efficiently in the mobile (Android and iOS) ecosystem.
This is the exact training you would have liked to have before wasting your precious time trying and failing while testing.

ABOUT THE TRAINERS

Guillaume Lopes is a pentester with 10 years of experience in different fields (Active Directory, Windows, Linux, Web applications, Wifi, Android).
Currently working as a Senior Penetration Tester at RandoriSec.
He also likes to play CTFs (Hackthebox, Insomni'hack, Nuit du Hack, BSides Lisbon, etc.) and gives a hand to the Tipi'hack team.

Founder of RandoriSec (https://randorisec.fr/), a security-focused IT firm, Davy has worked in the IT security field for almost fifteen years.
He has mainly worked for financial, banking and defense key accounts, doing pentests and trainings to help them improve their security.
He enjoys climbing rocks in Fontainebleau or in the Bourgogne vineyards and practising Brazilian jiu-jitsu.

COURSE OUTLINE
  • Introduce the OWASP MSTG (Mobile Security Testing Guide) and the MASVS (Mobile Application Security Verification Standard)
  • Learn Android and iOS security basics
  • Know how to build an Android and iOS pentest toolset
  • Learn how to review the codebase of a mobile application (aka static analysis)
  • Run the mobile application on a rooted device (to check data security issues)
  • Inspect the app via instrumentation and manipulate the runtime (aka runtime analysis)
  • Man-in-the-Middle all network communications (aka inspect the traffic)

COURSE REQUIREMENTS

Network and Linux basics

A laptop with:

  • 8 GB of RAM at least, ideally 16 GB
  • 50 GB of free space (to install a Kali-based VM that we’ll provide)
  • Administrative privileges on your laptop + a way to deactivate anti-virus, HIPS and firewall
  • VMware Player (ideally VMware Workstation)
  • A PDF reader

Slides of the training will be provided.

The labs (exercises) will be done using a custom VM + Corellium access (to virtualise iOS).

Mastering Burp Suite Pro

Fast & Furious Edition

1 day training, by Nicolas Grégoire
Dates: March 23rd 2022

This training will be given in ENGLISH

Normal price: CHF 750.-
Student price: CHF 562.- (Limited availability)

DESCRIPTION

As nicely said in PoC||GTFO Volume II, « This is not a book about astronomy; rather, this is a book about telescopes ». In the same spirit, this training isn’t about Web hacking. Instead, this training is for Web hackers who want to master their toolbox. Mastering Burp Suite Pro, including its newest features, will indeed allow testers to get the most out of the tool, optimizing time spent auditing and testing. Work will be faster (thanks to hotkeys) and much more efficient (more tools, more possibilities). Fasten your seat belt for this exceptional 1-day long "Fast & Furious" edition of this popular training!

ABOUT THE TRAINERS

Nicolas Grégoire (aka @Agarri_FR) has more than 20 years of experience in penetration testing and auditing of (mostly Web) applications. He has been an official Burp Suite Pro trainer since 2015, and has trained hundreds of people since then, either privately or during infosec events. Outside of that, he runs Agarri, a one-man company where he finds security bugs for customers and for fun. His public security research (mostly dealing with XML, XSLT and SSRF) has been presented at numerous conferences around the world (HackInTheBox, ZeroNights, HackInParis, Nullcon, ...). He has also been thanked by numerous vendors for responsibly disclosing vulnerabilities in their products and services, directly or through bug bounty programs.

COURSE OUTLINE

The usual "Mastering Burp Suite Pro" training lasts 4 days and goes deep and wide. This exceptional 1-day version will be packed with some of the most useful tricks up Nicolas' sleeve. We will go fast and cover a variety of subjects, from CSRF tokens (with and without macros) to point-and-click identification of tricky DOM XSS vulnerabilities. A large share of the time will be allocated to extensions, both generic (like Hackvertor and Logger++) and specialized ones (like Auth Analyzer). Turbo Intruder and Stepper will probably be covered too, depending on the group's pace.

COURSE REQUIREMENTS

  • Working knowledge of common Web vulnerabilities (like XSS and SQLi)
  • Basic knowledge of Burp Suite (Proxy + Repeater) - No upper limit, the more you know the better you'll enjoy the session
  • Decent laptop (no Netbooks, no Tablets, no iPads)
  • Wireless connectivity (either built-in or via an external card)
  • 64-bit OS supported by Burp Suite Pro (a temporary Pro license is provided)
  • Administrative privileges (in order to configure network settings)

Modern Windows Debugging

3 days training, by Yarden Shafir

This workshop has been CANCELLED

Dates: March 21st to 23rd 2022

This training will be given in ENGLISH

Normal price: CHF 2250.-
Student price: CHF 1687.- (Limited availability)

DESCRIPTION

For the first time, join a hands-on Windows Internals and Debugging class and learn the mysteries of Windows Internals while acquiring practical debugging and analysis skills.
Take a deep dive into the internals of the Windows NT kernel architecture, covering the recently-shipped 20H2, and the upcoming 21H1 and 21H2 versions.
Learn the dirty secrets behind both offensive and defensive work and see how rootkits and other kernel-mode malware abuse obscure mechanisms to persist and evade detection.

We will cover security features and changes in Windows 10, including Virtualization Based Security (VBS), Hypervisor Code Integrity (HVCI), Kernel Data Protection (KDP), eXtended Control Flow Guard (XFG), and Intel Control-flow Enforcement Technology (CET).
These features, in addition to other mitigations covered in this class, make exploitation more difficult than ever before.
With the addition of VBS, even gaining Ring 0 access is no longer enough to fully “own” a machine. We will also look into improvements made to past Windows features, such as expanding ASLR to the kernel and the secure kernel (KASLR and SKASLR), as well as adding KCFG to protect from kernel exploitation.
In addition to all of these, we will analyze capabilities that are meant for third-party security products. We will get to know features such as new ETW providers, which supply information previously available only through user-mode hooks, different callbacks that give drivers built-in detection and prevention abilities, and the Secure Pool, a unique feature that allows drivers to utilize VBS capabilities to protect their data from attacks. These different features all have their benefits and their limitations, and there are areas that are still blind spots for defenders but might already be used by attackers.
This class offers a lot of theory and knowledge, but also lots of hands-on experience: throughout the class you will use tools such as WinDbg, Sysinternals tools, WinObjEx64 and Process Hacker to view, analyze, trace, and edit kernel features. Attendees will get familiar with new debugger capabilities and gain scripting abilities that will significantly simplify complicated operations and allow insight into internal kernel mechanisms.

Attendees will receive a physical handout of the entire course materials for future reference, access to a live chat channel with sharing of all live commands and demo output, plus a zip file containing the course logs and over 50 different sample scripts and extensions.

ABOUT THE TRAINERS

Yarden is a Software Engineer at CrowdStrike, working on EDR features, and a consultant for Winsider Seminars & Solutions Inc., co-teaching security trainings.
Previously, she worked at SentinelOne as a security researcher and QA engineer.
Outside of her primary work duties, Yarden writes articles and tools and gives talks about various topics such as CET internals, extension host hooking and kernel exploit mitigations.
Outside of infosec, Yarden is a circus artist, teaching and performing aerial arts.

COURSE OUTLINE

N/A

COURSE REQUIREMENTS

You must have a Windows machine to attend, and you should have the Windows Driver Kit 11 release for 21H2 or later (22000 / 2009), which you can freely grab from MSDN.
A virtual machine (VirtualBox or Hyper-V are strongly preferred – configured in UEFI + Hyper-V mode for best performance) is recommended with an installed version of Windows 11.
Locally, any version of Windows 7 or above, 32-bit or 64-bit is fine – but it’s strongly preferred you bring a Windows 10 or 11 box.
You should install the Windows Driver Kit on your host – not the VM.
If you have a Linux or Mac device, then you may either install the Windows Driver Kit on the VM itself, or, better yet, use two separate virtual machines.

The instructors will use a 64-bit Windows 11 device, with 32-bit VMs.

GHIDRA/IDA/HexRays helpful, but not required.

Windows Attack & Defense

2 days training, by Clément Labro and Julien Oberson
Dates: March 21st & 22nd 2022

This training will be given in ENGLISH

Normal price: CHF 1500.-
Student price: CHF 1125.- (Limited availability)

DESCRIPTION

This training will familiarize system administrators and security professionals with modern Windows attacks and best security practices, covering Windows security components, network interception, Active Directory mapping, privilege escalation, lateral movement, credential theft and common persistence techniques. After giving a broad overview of attacks, the course introduces the associated counter-measures, such as credential protection and much more. After the workshop, participants will understand how to protect their infrastructure against modern attacks. Hands-on: this class is practice-oriented; lectures present real-world attacks that participants then put into practice in various labs.

ABOUT THE TRAINERS

The course gives an idea of how pentesters and hackers think, and the best way to defend against them. To do so, the training is given by a duo of pentesting engineers. Together, the two trainers have more than 15 years of experience in offensive and defensive security.

Clément is an IT security professional with 8 years of experience. He started as a network engineer and then switched to a security engineer career. After working 5 years in the field, he eventually joined SCRT in 2020, thus totaling 6 years of experience in IT security. Aside from the regular audit activities, he also has a strong interest in vulnerability research and exploit development, especially in Windows environments. In this regard, he also publishes his findings and tools on his personal blog and on GitHub. Most notably, he is the maintainer of a Windows privilege escalation enumeration tool called PrivescCheck that helps penetration testers and system administrators identify vulnerabilities and weaknesses on Windows machines.

Julien is an IT security professional with 8 years of experience. He started his career in 2013 as a scientific collaborator at the Fribourg Engineering College, where he worked on various projects related to critical infrastructure security. He joined the SCRT Pentesting team in 2015 and is now Deputy Head of the Audit Division. Over the years, he has performed missions on a wide range of technologies including Windows, Linux, mobile/web applications, and social engineering. He specializes in Windows environments and has organized many Red Team audits. Besides the pentesting activity, he is also a trainer for multiple courses given by SCRT and a forensic analyst.

COURSE OUTLINE

Network access to initial account

  • Windows network protocols poisoning (LLMNR, NetBIOS, DHCPv6)
  • Initial network discovery (nmap port scan)

Active Directory mapping

  • Active directory enumeration (Bloodhound, PingCastle)
  • Kerberos authentication
  • Common domain password extraction techniques (GPP passwords, Kerberoast, ASREPRoast)

Lateral movement

  • Kerberos delegation (unconstrained, constrained, resource-based)
  • NTLM authentication and cross-protocol relay attacks
  • Ways to coerce a machine account NTLM authentication and abuse it (Printer Bug, PetitPotam, ntlmrelayx)

Windows credentials dumping

  • Windows credentials storage (SAM, LSA secrets, LSASS, etc.)

Getting access to a key asset

  • From RDP access to administrator
  • Abusing impersonation privileges in Windows services

Domain compromise and persistence

  • Domain credentials storage
  • Kerberos Silver/Golden tickets

Bonus

  • Physical device security (BitLocker and known attacks)
  • LSA protection (how it works and how it can be bypassed)
  • Credential Guard (how it works and how it can be bypassed)

COURSE REQUIREMENTS

A laptop with an SSH client
