Workshops 2024

Offensive Azure AD and hybrid AD security

3 days training, by Dirk-Jan Mollema
Dates: April 22nd, 23rd & 24th, 2024

This training will be given in ENGLISH

Normal price: CHF 3000.-
Student price: CHF 2250.- (limited availability)
 

DESCRIPTION

In the past few years, many companies have adopted Azure AD as the identity platform for their cloud services, often using their existing on-premises AD in a hybrid setup. Azure AD is vastly different from on-premises AD and requires a different security approach, whether you are attacking it or defending it.
This training explains how organizations use Azure AD to manage modern cloud-based or hybrid environments and what security challenges this brings. It is the result of many years of research into the protocols and internals of Azure AD. The training will give you the knowledge to analyze and attack Azure AD and hybrid setups, and to secure them against modern attacks.
The training is technical and dives deep into core protocols such as OAuth2 and into application concepts. It includes many hands-on exercises and labs, set up as challenges, in which you gain access to accounts and elevate privileges.


ABOUT THE TRAINER

Dirk-jan Mollema is a hacker and researcher of Active Directory and Azure AD security. In 2022 he started his own company, Outsider Security, where he performs penetration tests and reviews of enterprise networks and cloud environments. He blogs at dirkjanm.io, where he publishes his research and shares updates on the many open source security tools he has written over the years. He has presented talks at TROOPERS, DEF CON, Black Hat, BlueHat and Insomni’hack and has been named one of Microsoft’s Most Valuable Researchers multiple times.


COURSE OUTLINE
  • Introduction
    • What Azure is, and the differences between Azure IaaS, Azure AD and Microsoft 365
    • Terminology, components and their connection
    • The modern Microsoft workplace way of working
    • Identities: users, groups and devices
  • Azure AD components – Administrator roles and privileges
    • Different roles and role types
    • Privilege separation per role
    • Privilege escalation in Azure AD
  • Azure AD components – data interfaces
    • Data gathering in Azure AD
    • Portal, API, PowerShell modules and the differences
  • Azure AD components – applications
    • Apps and how they work
    • Privilege model
    • Apps and OAuth2 principles
    • Breaking and securing applications
  • Hybrid environments
    • Different integration types with on-premises AD
    • Access paths to the cloud from on-prem
    • Azure AD Connect abuse
  • Identity security – Conditional Access
    • CA policies and settings
    • CA best practices and bypasses
  • Primary refresh tokens and device identity
    • Interacting with primary refresh tokens via SSO
    • Stealing and using primary refresh tokens for lateral movement
    • Using device identities to comply with conditional access policies


COURSE REQUIREMENTS


Attendee requirements – skills
 

This course is meant for people with existing experience in Windows and AD security. While the course explains Azure AD concepts without requiring prior knowledge of them, general knowledge of HTTP, REST APIs, command line tools and other basic offensive techniques is required for the labs. The hybrid labs assume prior knowledge of common Active Directory attack techniques, since the focus is on Azure AD and not on on-premises Active Directory.
 

Attendee requirements – technical
 

For the training you will need to bring a laptop, ideally one that can run virtual machines. The recommended setup is to install VMware Workstation (free trial available) or VMware Player (free) and create a Windows- or Linux-based virtual machine. If you are unsure which to choose, I recommend going with a Windows virtual machine.
If you are using your corporate machine, make sure that you have admin rights to install tools and unrestricted internet access, so that you can set up a VPN to the lab and reach the training portals.


Windows Attack & Defense

2 days training, by Clément Labro and Julien Oberson
Dates: April 23rd & 24th, 2024

This training will be given in ENGLISH

Normal price: CHF 2000.-
Student price: CHF 1500.- (limited availability)
 

DESCRIPTION

This training will familiarize system administrators and security professionals with modern Windows attacks and the corresponding best security practices, covering Windows security components, network interception, Active Directory mapping, privilege escalation, lateral movement, credential theft and common persistence techniques. After a broad overview of the attacks, the course introduces the associated counter-measures, such as credential protection, and much more. After the workshop, participants will understand how to protect their infrastructure against modern attacks. Hands-on: this class is practice-oriented; the lectures present real-world attacks that participants then put into practice in various labs.


ABOUT THE TRAINERS

The course gives an idea of how pentesters and hackers think, and of the best way to defend against them. To that end, the training is given by a duo of pentesting engineers who together have more than 15 years of experience in offensive and defensive security.

Clément is an IT security professional with 8 years of experience. He started as a network engineer and then switched to a career as a security engineer. After working 5 years in the field, he joined SCRT in 2020, for a total of 6 years of experience in IT security. Aside from regular audit activities, he has a strong interest in vulnerability research and exploit development, especially in Windows environments, and publishes his findings and tools on his personal blog and on GitHub. Most notably, he is the maintainer of PrivescCheck, a Windows privilege escalation enumeration tool that helps penetration testers and system administrators identify vulnerabilities and weaknesses on Windows machines.

Julien is an IT security professional with 8 years of experience. He started his career in 2013 as a scientific collaborator at the Fribourg Engineering College, where he worked on various projects related to critical infrastructure security. He joined the SCRT pentesting team in 2015 and is now Deputy Head of the Audit Division. Over the years he has performed engagements on a wide range of technologies, including Windows, Linux, mobile and web applications, and social engineering. He specializes in Windows environments and has organized many Red Team audits. Besides his pentesting activity, he is also a trainer for several courses given by SCRT and a forensic analyst.


COURSE OUTLINE

Network access to initial account

  • Windows network protocol poisoning (LLMNR, NetBIOS, DHCPv6)
  • Initial network discovery (nmap port scan)

Active Directory mapping

  • Active directory enumeration (Bloodhound, PingCastle)
  • Kerberos authentication
  • Common domain password extraction techniques (GPP passwords, Kerberoast, ASREPRoast)

Lateral movement

  • Kerberos delegation (unconstrained, constrained, resource-based)
  • NTLM authentication and cross-protocol relay attacks
  • Ways to coerce machine-account NTLM authentication and abuse it (Printer Bug, PetitPotam, ntlmrelayx)

Windows credentials dumping

  • Windows credentials storage (SAM, LSA secrets, LSASS, etc.)

Getting access to a key asset

  • From RDP access to administrator
  • Abusing impersonation privileges in Windows services

Domain compromise and persistence

  • Domain credentials storage
  • Kerberos Silver/Golden tickets

Bonus

  • Physical device security (BitLocker and known attacks)
  • LSA protection (how it works and how it can be bypassed)
  • Credential Guard (how it works and how it can be bypassed)


COURSE REQUIREMENTS

A laptop with an SSH, RDP and VNC client.

Web Application Security

2 days training, by Alain Mowat
Dates: April 23rd & 24th, 2024

This training will be given in ENGLISH

Normal price: CHF 2000.-
Student price: CHF 1500.- (limited availability)
 

DESCRIPTION

This is a hands-on training which covers a broad scope of vulnerabilities that can be found in web applications. The objective is to provide participants with the methodology and tools required to assess a web application. It is tailored for developers or junior security engineers who want to start their journey in attacking and compromising web applications. It does not dive deeply into specific vulnerabilities but rather covers a broad spectrum of issues, giving participants a basic understanding of all the relevant topics.
 

ABOUT THE TRAINER

Alain Mowat joined SCRT in 2008 as a penetration tester and now leads the pentesting team in the same company. While still performing various engagements throughout the year, Alain is also dedicated to exploring new approaches the offensive security industry can use to better secure client infrastructures.
Aside from these activities, Alain was an active member of the 0daysober CTF team, which finished 3rd at DEF CON CTF in 2015, and has responsibly disclosed vulnerabilities in multiple products such as Citrix NetScaler, SonicWall SRA & SMA, Barracuda, Twitter and McAfee’s ePolicy Orchestrator.
Alain is also responsible for giving Web and general security awareness trainings at SCRT and has presented at several Swiss conferences, such as Insomni’hack, Secure IT VS and CyberSecurity Alliance.
 

COURSE OUTLINE

# Introduction
 * Overview of technologies in use
 * Encodings
 * Introduction to BurpSuite

# Information gathering
 * Generic information gathering
 * Specific information gathering

# Entry point analysis
 * Identifying entry points
 * Analysing entry points
 * Fuzzing entry points

# Authentication & Authorisation
 * Session issues
 * Authentication issues
 * Delegating authentication
 - SAML
 - OAuth2/OIDC
 - JWT
 * Access control
 - Function
 - Resource-based

# Server-side attacks
 * Injections
 * XML
 * Path traversal
 * Server-Side Request Forgery
 * Deserialization
 * Race conditions

# Client-side attacks
 * Same Origin Policy
 * Cross-Origin Resource Sharing
 * PostMessage API
 * JSONP
 * Cross-Site Scripting
 * Cross-Site Request Forgery
 * Websockets

# Infrastructure attacks
 * Attacking encryption mechanisms
 * Request smuggling
 * Cache poisoning
 

COURSE REQUIREMENTS

Basic knowledge of Web technologies

Attacking Mobile Applications

2 days training, by Dylan Iffrig-Bourfa & Fabrice Caralinda
Dates: April 23rd & 24th, 2024

This training will be given in ENGLISH

Normal price: CHF 2000.-
Student price: CHF 1500.- (limited availability)
 

DESCRIPTION

This mobile training covers common vulnerabilities that can be discovered in Android and iOS mobile applications. Participants will discover the methodology and the tools used to attack and exploit mobile applications. The workshop focuses on practical learning, demonstrating real-world attacks that participants apply in diverse lab scenarios, including reverse engineering vulnerable applications and crafting malicious applications that exploit security vulnerabilities. This training is designed specifically for mobile developers or security engineers who want to start or deepen their knowledge of attacking mobile applications.


ABOUT THE TRAINERS

Dylan Iffrig-Bourfa is an IT security engineer with 6 years of experience. He started his career at Airbus and Thales, initially working in the fields of avionics and aerospace security. He later shifted domains and specialized in security assessments of mobile banking applications and, more broadly, in penetration testing. In 2019 he joined SCRT as a security engineer, where he continued his mobile audit activities. Aside from these responsibilities, he is also involved in the Insomni'hack organization, contributing Capture The Flag (CTF) challenges every year for both the Teaser and Finale editions.

Fabrice Caralinda is an IT security professional with 9 years of experience. He started his career in 2014 as a scientific collaborator at the School of Engineering and Management Vaud, where he was in charge of the students’ hacking laboratories. He joined the SCRT team in 2016 as a penetration tester and is now one of the team leaders of the ethical hacking team. Specialized in mobile pentesting, he has conducted more than a hundred projects for customers in various sectors during his career. Next to his pentest activities, Fabrice is also a trainer for several courses given by SCRT and has been a lecturer at Swiss universities. In addition, he is involved in the organisation of Insomni'hack, helping to create the Capture The Flag competition.


COURSE OUTLINE

Day 1 Focus on Android

## Module 01 - Android testing methodology

- Part 1: Creating an Android application testing environment
- Part 2: Attack surface and testing methodology

## Module 02 - Exploiting vulnerabilities in Mobile Applications

- Part 1: High-level IPC issues
- Part 2: Common permission issues
- Part 3: Accessing Content Providers
- Part 4: Attacking WebViews

## Bonus 1: Memory corruption bugs

Day 2 Focus on iOS

## Module 03 - iOS testing methodology

- Part 1: Creating an iOS application testing environment
- Part 2: Attack surface and testing methodology

## Module 04 - Exploiting vulnerabilities in Mobile Applications

- Part 1: Local Data Storage
- Part 2: Broken Cryptography
- Part 3: Local Authentication
- Part 4: iOS Platform

## Bonus 2: Mobile resilience


COURSE REQUIREMENTS

Pre-Requisites

- Basic knowledge in *nix ecosystems
- Basic reverse engineering experience (Java, ASM)

Software requirements

- A working laptop with SSH and RDP


Modern Wi-Fi Hacking

CANCELLED

2 days training, by Michael Kruger
Dates: April 23rd & 24th, 2024

This training will be given in ENGLISH

Normal price: CHF 2000.-
Student price: CHF 1500.- (limited availability)
 

DESCRIPTION

If you want to really understand what’s going on and master Wi-Fi attacks in such a way that you can vary them when you encounter real world complexities, this course will teach you what you need to know.

This course is highly practical: concepts are taught through theory delivered while your hands are on the keyboard, with semi-self-directed practicals at the end of each section to reinforce the learning. The course is hosted in a “Wi-Fi in the cloud” environment we invented several years ago, which means no more fiddling with faulty hardware or turning the classroom into a microwave. It was designed, developed and is delivered by the team behind some of the most commonly used Wi-Fi hacking tools, such as hostapd-mana, berate_ap and wpa_sycophant. The course aims to expose you to the Wi-Fi hacking methodologies that active penetration testers use day to day with clients and on assessments.


ABOUT THE TRAINER

Michael Kruger is a senior security analyst at SensePost and previously completed an honours degree in Computer Science at Rhodes University. He spends most of his time procrastinating writing reports, and in between manages to persist at Wi-Fi hacks others told him would never work.

SensePost Training is a division of Orange Cyberdefense South Africa focused on the creation and delivery of world-class ethical hacking trainings. Its trainings are derived from real-world work performed for clients and are practical and lab-driven. SensePost has trained thousands of students over the last two decades.


COURSE OUTLINE

## Module 1 – Introduction
- How & Why
- When and why to use Wi-Fi attacks
- Physical & Low Level
- Understanding spectrum, signals and propagation
- Peculiarities of crowded Wi-Fi spectrum & resulting behaviour in Tx & Rx
- Understanding hardware - cards, antennas. Practical recommendations
- Specifics of Wi-Fi signalling

## Module 2 – Monitor Mode
- How it works. What you get. Why it isn't promiscuous.
- Prism/Radiotap headers & how driver implementations differ.
- Investigating different frequencies such as 5GHz and 6GHz.

## Module 3 - Probing, Tracking & Deanonymisation
- Management frames - beacons & probes
- Device probing behaviour

## Module 4 - WPA/2/3 PSK
- What it is
- IEEE & WEP history
- 4-way handshake crypto
- Handshakes, Capturing & Deauthing
- Broken handshake debugging
- PMKID attacks
- WPS attacks
- Advanced attacks
- Approaches and methodologies for the real world
- WPA3
- The Dragonfly handshake
- Other WPA3 improvements/defences
- Opportunistic Wireless Encryption (OWE) overview

## Module 5 - EAP
- What it is
- Generic EAP flow
- Specific EAP types and how they work
- PEAP
- Deep inside the second tunnel
- CVE-2019-6203
- EAP-GTC downgrade attack (LootyBooty)

## Module 6 - EAP-TLS
- What it is
- Understanding/breaking cert validation

## Bonus Module (If time permits) - Tunnelled EAP Relays
- What it is
- Understanding defences

Practical exercises per module and to be completed throughout.


COURSE REQUIREMENTS

Pre-Requisites

- Familiarity with the Linux command line
- Understanding of computer networking

Software requirements

- A working laptop with a modern browser (Firefox/Chrome preferred)


Exploring all the INT's

CANCELLED

2 days training, by Jason Spencer & Ulrich Swart
Dates: April 23rd & 24th, 2024

This training will be given in ENGLISH

Normal price: CHF 2000.-
Student price: CHF 1500.- (limited availability)
 

DESCRIPTION

The world is full of data; people and organizations share, expose and divulge an immense amount of information on a daily basis. With the right skills, knowledge and mindset all this information can become useful for targeted attacks and compromise.

In this course we’ll expose you to the gathering of actionable intelligence across all realms of Open Source Intelligence, including HUMINT (Human Intelligence) and SOCMINT (Social Media Intelligence), in order to facilitate and position attacks against individuals and organizations through various operations.
This course will teach you techniques to distinguish valuable information from worthless information, where to gather it, and the lifecycle of information intelligence.


ABOUT THE TRAINERS

Jason Spencer is a senior security analyst at SensePost. He found his passion for information security during his honours year at Rhodes University, where he studied computer science and information systems. Over the years he has delivered public talks, provided various trainings internationally and shared his hacking knowledge with hundreds of organisations. When he is not busy hacking into the night, he often breaks company signs.

Ulrich Swart is the training manager at SensePost - Orange Cyberdefense. Given his years of experience as a penetration tester, he naturally fell into the hacking training realm, wanting to share his knowledge with others. He has given training all over the world and has delivered public talks. He has a passion for information security and business, but he usually approaches non-infosec topics from a weird angle, so try not to get lost in his philosophical ramblings.

SensePost Training is a division of Orange Cyberdefense South Africa focused on the creation and delivery of world-class ethical hacking trainings. Its trainings are derived from real-world work performed for clients and are practical and lab-driven. SensePost has trained thousands of students over the last two decades.


COURSE OUTLINE

## Introductions

## Intelligence landscape
- Defining Information
- Different INTs (HUMINT, SIGINT, SOCMINT)
- How it can be used in attacks (SOCENG & INTRUSION) - Actionable Information

## Operational Security
- Anonymity
- Hiding Identity
- Personas & Sock Puppets (How to create the ideal puppet)
- Building Legitimacy / Repertoire (Using AI to create content/context)

## Search Engine Operators and Sources Of Information
- Valuable information
- Where to find information online
- OSINT Framework / Similar Tools
- Search Engines

## Intelligence Operations Fundamentals
- Phases/Methodology of an INTOP
- How it can go wrong
- Planning for what you need in your op

## Deep/Dark Web
- Tor/Forums

## Targeting Organisations
- General Information
- Physical Information
- Digital Information
- Social Information

## Gathering Human Intelligence
- General Information
- Physical Information
- Digital Information
- Social Information

## Geolocation and Tracking
- Positioning, tracking and identification
- Meta data and identifiable data points

## Social Engineering Techniques
- Types of SOCENG
- What information will be required
- AI in SOCENG

## Discreet Information Dissemination
- Comms Channels
- Steganography
- Newer techniques

## Conclusion
- Why this is all important


COURSE REQUIREMENTS

Pre-Requisites

- Basic knowledge of the Linux command line
- Basic information technology understanding

Software requirements

- A working laptop with a modern browser (Firefox/Chrome preferred)