The course gives an idea of how pentesters and hackers think, and the best way to defend against them. To do so, this training is given by a duo of Red Team / Blue Team engineers. Both trainers have in combination more than 15 years of experience in offensive and defensive security.

Day 1

• Windows Security Models (Authentication, Kerberos, NTLM, Active Directory)
• Windows Network Discovery (Network Scan, Active Directory Discovery, PingCastle)
• Metasploit in a nutshell (Modules, Exploit, Meterpreter)
• Lateral Movements (Pass-the-hash, Pass-the-ticket, Kerberoast, GPP, Bloodhound)
• Physical Attacks (Coldboot attack, DMA, Bitlocker, Secureboot)
• Vulnerability Exploitation & Protections (ASLR, MS17-010)

Day 2

• Windows Monitoring & Log Management (Windows event forwarding, Sysmon)
• Understanding Protection Techniques
• Privileged Access Management (Logon Types, GPP, Restricted Admin, Powershell Remoting, DSC, JEA, GMSA)
• Advanced Authentication Systems (vSmartCard, Windows Hello, MFA)
• Credential Protections (LSA Protection, VSM, Credential Guard)
• Active Directory Auditing tools
• Monitoring System Activity (Sysinternals tools)
• Anti-virus evasion (Windows Defender, AppLocker, Device Guard, Software restriction policy, Attack Surface Reduction)

CLASS REQUIREMENTS

Participants should have some familiarity with Windows Domains. A notebook capable of running an SSH/RDP client in order to connect to the infrastructure containing the exercises. The training will be given in French.

Nicolas Grégoire (aka @Agarri_FR) has nearly 20 years of experience in penetration testing and auditing of networks and (mostly Web) applications. He is an official Burp Suite Pro trainer since 2015, and trained hundreds of people since then, either privately or during infosec events. Outside of that, he runs Agarri, an one-guy company where he finds security bugs for customers and for fun. His public security research (that mostly deals with XML, XSLT and SSRF) was presented at numerous conferences around the world (HackInTheBox, ZeroNights, HackInParis, Nullcon, ...). He was also thanked by numerous vendors for responsibly disclosing vulnerabilities in their products and services, directly or through bug bounty programs.

Every trainee goes through the main track, composed of nearly 100 challenges. Plenty of additional ones are available, depending on your speed, taste, skills and professional needs. No way to get bored! Among the available challenges: complex brute-force, data extraction, support of custom formats, automatic management of anti-CSRF tokens, WebSockets, weak cryptography, webhooks, NoSQL injections, authorizations bugs, aggressive disconnection, JWT-authenticated APIs, arbitrary Java deserialization, blind stored XSS, instrumented Java applications, strict workflows, ...

Day 1
After an introduction to the training platform and its challenges, this day is spent on well defined tasks where the goal is to find flags, like in CTF contests. We practice basic automation using tools like Proxy, Repeater and Intruder. The goal is to improve the speed of our interactions with the tool, while monitoring and self-assessing our attacks.

• Introduction: rules and advice, connecting to the network, description of the training platform and its challenges
• Getting started: navigating the GUI, loading custom options, using hotkeys, sorting and filtering data
• Match & Replace: well-known examples, live traffic modifications
  Repeater: keyboard-only usage, replaying WebSockets traffic, dealing with streamed data
• Intruder: coverage of all attack types and most payload types, automatic processing of results with “Grep – Match” and “Grep - Extract”, data extraction, managing CSRF-tokens without session handling rules, atypical injection points, frobbing and fuzzing.

Day 2

On the second day, challenges get more realistic: solving them requires a good understanding of the underlying application and the usage of multiple Burp Suite tools, possibly including extensions. Additionally, we keep working on the efficiency of the testing workflow (using shortcuts or extensions) and on self-monitoring (now with Logger++). The latter skill will prove itself invaluable when working on session handling rules.

• Traffic interception: HTTP exchanges and WebSocket messages are intercepted and modified on the fly, in order to bypass client-side protections or to subvert the logic of (emulated) mobile apps. That’s the only section where “Intercept is On” isn’t a problem
• Macros and session handling rules for Web applications: terminology, basic setups, common use-cases (like managing CSRF tokens or logging-in automatically), applying session handling rules to third-party tools like sqlmap. Note that dealing with Web services (either SOAP or REST) is quite different and is covered in the separate section, on the third day
• Extensions: review and testing of the most useful and/or popular extensions (Logger++, Hackvertor, JSON Beautifier, Paramalyzer, Turbo Intruder, ...)

Day 3
The third day is used to dig deeper in advanced subjects. That covers authorization testing, custom active scanning, Web Services and much more! Built-in features are pushed to their limits, and extra ones provided by extensions are commonly used.

• Authorization testing: from quick tests w/o specific configuration to deep tests requiring business-specific knowledge (extensions “Authz”, AutoRepeater”, “SessionAuth” and “AuthMatrix” are covered)
• REST and SOAP WebServices: why is a specific toolbox needed, generating requests from definition files (WSDL, OpenAPI, ...), using session handling rules to manage authentication in cookie-less environments
• Two-way communication with the target: deploying and using a private Collaborator instance, patching the target byte-code with Infiltrator in order to receive additional details (filename, line number, ...), running an Infiltrator-only active scan
• Scans and live tasks: differences between v1 and v2 (terminology, GUI, usage), using the scanner like in v1, description and testing of the much-improved crawler, configuring and running specialized scans, observing the oriented-graphs generated during crawling, using these graphs with “Crawl and Audit” (in order to audit CSRF-protected forms without macros)
• Headless usage: driving Burp Suite Pro via a REST API (provided by 3^rd-party extensions)
• Vuln-specific tooling: Blind XSS, from builtin features to 3^rd-party tools like Sleepy Puppy

Adrien Stoffel (@__awe) is a full stack pwner at Bugscale SA, where he focuses on security research. He's been involved in the CTF community for more than 6 years and he currently leads the 0daysober team. While he focuses on Linux exploits he also loves to tackle some Windows challenges. He has also created the W3Challs hacking platform, hosting challenges in categories including web, crypto, and userland/kernel pwnables.

Topics for the first part of the course include:

• Review of the current state of Linux userland security
• ROP and JOP techniques on Intel x86 and x86_64 architectures
• SSP bypasses
• Other vulnerability classes
• Miscellaneous tips and tricks relevant to both real life exploits and CTFs
• Improving exploit reliability
• C++ exploitation (vftables, corruption of std objects...)

Then we will dive into heap-based exploitation and detail the inner workings of the glibc heap allocator so that you can finally understand the magic behind ptmalloc and how it can be abused to achieve remote code execution. Once you have made sense out of the allocator, we'll move onto exploitation, with step-by-step practice labs:

• manipulate allocations to put the heap in a deterministic state
• concepts behind heap overflow and Use After Free vulnerabilities
• discover the memory layout using some heap-fu to defeat Full-ASLR
• abuse heap data to get code execution or arbitrary read/write primitives
• achieve the same results with metadata-only techniques
• find the best suitable target to get code execution

Both trainers hold PhDs in cryptography and have in combination more than 20 years of experience in designing cryptosystems and in finding vulnerabilities in real-world applications. The trainers are also experienced speakers, regularly presenting at leading industry and research conferences all around the world.

JP Aumasson

Jean-Philippe (JP) Aumasson is the founder and managing director of Teserakt, a Swiss-based company specialised in IoT security and offering an end-to-end encryption solution. He is an expert in cryptography and the author of the reference book Serious Cryptography (No Starch Press, 2017). He designed the widely used cryptographic algorithms BLAKE2 and SipHash, which he developed after a PhD from EPFL (Switzerland, 2009). He regularly speaks at leading security conferences about topics such as applied cryptography, quantum computing, or blockchain security. JP also holds advisory roles in Kudelski Security and Taurus Group.

Philipp Jovanovic

Philipp Jovanovic is a post-doctoral researcher at EPFL’s Decentralized and Distributed Systems (DEDIS) Lab, Switzerland. In 2015, he obtained his PhD in cryptography from the University of Passau, Germany and in 2020 he will join the Information Security Research Group (ISRG) at the University College London (UCL) as an Associate Professor. Philipp has worked on a broad set of topics in cryptography, security, privacy, and systems design, including encryption algorithms like NORX and OPP/MRO, and distributed security protocols like ByzCoin, RandHound, OmniLedger or drand. Philipp's research is regularly published at top-tier academic crypto/security venues and you can find him frequently speaking at conferences around the globe.

DAY 1, morning

• Randomness (40min)
• Randomness notion and applications in cryptography
• How to safely generate randomness on Linux, Windows, and macOS
• Examples of real bugs caused by randomness failures
• Break (15min)
• Symmetric cryptography (50min)
• Hash functions: how (not) to use them, which one to choose?
• Ciphers: AES or not AES? What are the good modes of operations?
• Authenticated encryption, or how to encrypt and authenticate at once
• Break (15min)
• Public-key cryptography (50min)
• Fundamental differences with symmetric crypto
• Elliptic curves and ECDH key agreement, ECDSA signatures
• Which curves to use? Curve25519 or NIST curves?
• Security concerns: unsafe curves, timing attacks, randomness
• Performance concern, why using ECC vs RSA

DAY 1 afternoon

• Hands-on exercise session (~3h)
• Post-quantum cryptography (40min)
• Quantum computing basics, myths, and reality
• Real risk for public-key and symmetric cryptography
• Classes of post-quantum cryptography, focus on hash-based signatures

DAY 2 morning

• Cryptography libraries and APIs (40min)
• Overview of existing libraries (OpenSSL, Sodium, BouncyCastle, NSS, etc.)
• Difference between low-level libraries and "crypto boxes"
• How to choose a library? In terms of security, performance, license, etc.
• Recommendations of safe design approaches
• Attacking and defending crypto software (40min)
• Notion of side-channel and info leak in cryptography
• Example of timing and cache-timing attacks
• Examples of oracle attacks on symmetric and asymmetric crypto
• Example of bugs caused by programmer error or compiler behavior
• Transport Layer Security (TLS) (30min)
• History and design goals of CSS
• TLS' security features and limitations
• TLS 1.3 and its benefits compared to earlier version
• Securing your client and server TLS configuration

DAY 2 afternoon

• Hands-on exercise session (~3h)
• Passwords (40min)
• How to protect hashed password databases
• Password-based key derivation and hash algorithms
• Password-based authentication (SRP, OPAQUE)

The exercise sessions will include the following challenges, and potentially others created specifically for the event based on recent vulnerabilities:

• Find bugs in weak pseudo-random generators, and fix them
• Decrypt messages encrypted using RSA without the private key
• Break a bad implementation of AES-based encryption
• Implementing the logic of elliptic curve-crypto schemes (DH, DSA, ElGamal)
• Exploit CBC padding oracles to decrypt messages without the AES key
• Break the authenticated encryption in the open smart grid protocol
• Cryptanalyze hash functions to find colliding messages
• Recover ECDSA private keys by exploiting a flawed randomness generator

Roland Sako is a security researcher based in Geneva, Switzerland, working as part of the Kaspersky ICS CERT team. He is particularly interested in embedded devices security and gamification for security related subjects. He previously worked as a security consultant as well as part of the education team of Kaspersky Lab. Roland graduated from the University of Lausanne in Legal Issues, Crimes and IT Security.

Topics covered in the class include:

• IoT vulnerability research
• Methodology
• A few cases
• Overview of our final target (smart home)
• Information gathering Lab :
• Hardware reconnaissanc
• Firmware analysis
• Intro to different types of firmware
• Obtaining the firmware
• Basic firmware analysis – Labs :
• Firmware static analysis
• Firmware emulation
• Hardware Interfaces and protocols
• Reading datasheets
• Getting familiar with the hardware tools
• Passive and active interaction with interfaces – Labs :
• Identifying pins manually
• Reading from and writing to an EEPROM with SPI
• Sniffing I2C buses
• Gaining root shell, debugging and dumping memory through UART
• Debugging the target and dumping memory over JTAG
• Enumerating and interacting with BLE device
• Analyzing resources
• Hunting for interesting resources – Labs
• Finding backdoors and hardcoded secret
• Binary analysis
• Intro to reversing ARM binaries using r2 – Labs
• Automating the process
• Responsible disclosure
• Conclusion
• Final Lab
• Attacking a smart home

Abhinav Singh is an information security researcher for Netskope, Inc. He is the author of Metasploit Penetration Testing Cookbook (first, second & third editions) and Instant Wireshark Starter, by Packt. He is an active contributor to the security community in the form of paper publications, articles, and blogs. His work has been quoted in several security and privacy magazines, and digital portals. He is a frequent speaker at eminent international conferences like Black Hat, RSA & Defcon. His areas of expertise include malware research, reverse engineering, enterprise security, forensics, and cloud security.

Day 1

1. Introduction

• Introduction to cloud services
• Basic terminologies: IAM, VPC, AMI, serverless, containers etc.
• Introduction to Logging services in cloud.
• Introduction to shared responsibility model.
• Setting up your free tier account.
• Setting up AWS command-line interface.

2. Detecting and monitoring against IAM attacks

• Detecting and responding to user account brute force attempts.
• Detecting compromised credentials of IAM user.
• Detecting privilege escalation and access permission flaw using aws_escalate.
• Attacking and defending against user role enumeration.
• Brute force attack detection using cloudTrail.
• PagerDuty notification for alarms and notifications.

3. Malware detection and investigation on/for cloud infrastructure

• Quick introduction to static and dynamic malware analysis
• Building clamAV based static scanner for S3 buckets using AWS lambda.
• Integrating serverless scanning of S3 buckets with yara engine.
• Building signature update pipelines using static storage buckets to detect recent threats.
• Malware alert notification through SNS and slack channel.
• Adding advanced context to slack notification for quick remediation.
• Detecting malware command and control through VPC traffic mirroring and GuardDuty.

Day 2

4. Threat Response & Intelligence analysis techniques on/for Cloud infrastructure

• Auto remediation of malware files through event notifiers and object tags.
• Building highly scalable heuristic feature extractor using docker containers.
• Optimizing the workload with malware file-type identification and hash calculations.
• Integrating playbooks for threat feed ingestion and Virustotal lookups.
• Advance alerting and threat intelligence gathering using AWS Elasticsearch and Athena.
• Building dashboards and queries for real-time monitoring and analytics.
• Advance Dynamic analysis using cuckoo sandbox on AWS EC2 instance and using DynamoDB.

5. Forensic Acquisition, analysis and intelligence gathering of cloud AMI's.

• Analysis of an infected EC2 instance.
• Building an IR 'flight simulator' in the cloud.
• Creating a step function rulebook for instance isolation and volume snapshots.
• lambda functions to perform instance isolation and status alerts.
• Building forensic analysis playbook to extract key artifacts, run volatility and build case tracking.
• Automated timeline generation and memory dump.
• Storing the artifacts to S3 bucket.
• On-demand execution of Sleuthkit instance for detailed forensic analysis.
• Enforcing security measures and policies to avoid instance compromise.

6. Security Assessment Automation for cloud infrastructure

• Introduction to cloud infrastructure security assessment.
• Using scout for automated security assessment.
• Analyzing report and plugging the holes.