HYBRID HACKER SUMMER CAMP 2021 GUIDE — Part Three: Ring Zer0

42 min readJul 31, 2021

Welcome to the DCG 201 guide to Hybrid Hacker Summer Camp! This is part of a series where we are going to cover all the various hacker conventions and shenanigans at the end of July to the end of August both In Person & Digital! As more blog posts are uploaded, you will be able to jump through the guide via these links:

HYBRID HACKER SUMMER CAMP — Part One: Surviving Physical + Virtual Vegas
HYBRID HACKER SUMMER CAMP — Part Two: BSides Las Vegas
HYBRID HACKER SUMMER CAMP — Part Three: Ring Zer0
HYBRID HACKER SUMMER CAMP — Part Four: Black Hat USA
HYBRID HACKER SUMMER CAMP — Part Five: FuzzCON
HYBRID HACKER SUMMER CAMP — Part Six: DEFCON 29
HYBRID HACKER SUMMER CAMP — Part Seven: USENIX
HYBRID HACKER SUMMER CAMP — Part Eight: SIGS, EVENTS AND PARTIES

RINGZERO 2021 ONLINE TRAININGS

Date: Saturday, July 31st — Friday August 13th

Website: https://ringzer0.training/

Platform(s): Vimeo

Scheduel: https://ringzer0.training/workshops.html

Live Streams:

N/A

Chat: Discord (Invite N/A)

Accesability: Only registered attendees will be able to partake in the Training Labs and Discord. Video Workshops are FREE.

Tickets: https://ringzer0.training/index.html#buy-tickets

Code Of Conduct: N/A

Ringzer0 provides advanced, hands-on training designed for cybersecurity professionals. Our instructors are top industry experts who offer technical deep dives into a range of core issues, including vulnerability research, exploitation, malware writing, red teaming and practical attacks.

Each class is laser-focused on a specific topic, to pack in as much learning, hands-on experience and instructor face time as possible. Ringzer0 gets students past the learning curve in a 16 or 32 hour advanced course, using a hybrid live instructor-led and self-paced learning format to fit individual schedules and avoid screen fatigue and “Zoom burnout”.

COVID-19 isn’t done yet. All of Ringzer0’s 2021 events shall be held virtually. Train from the comfort and safety of your home with our top Ringzer0 instructors. Our practical and interactive classes are conveniently offered as a hybrid live instructor-led and self-paced learning format to accommodate time zone differences.

Ringzer0 is something new to Hacker Summer Camp, a series of high end professional training for the hacker that has the coin to pay for it. Black Hat Prices, DEF CON skills, these workshops take over the course of multiple days on one single subject. For those with deep pockets who are at an intermediary discipline level with a few certs/bounties under their belt and want to progress to uber advanced 1337, this is the hacking crucible for you!

The Ringzer0 VirtualVegas 2021 RiskRecon scholarship fund is designed to further opportunities for women in cybersecurity, support their professional development and educational goals, and help them thrive in the industry.

Join us in congratulating the winners of the 2021 #VirtualVegas Women In #Cybersecurity Scholarship:

@malumpalumpa, @priyachalakkal, @CarlotaBindner, Anna-Lena Marx and Melanie Niethammer!

Special thanks to Risk Recon for making this possible!

A Salute to Hedy Lamarr

Hedy Lamarr (1914–2000) — Actress, spy and inventor of the Secret Communication System that used frequency hopping to guide torpedoes in a way undetectable by the enemy. We have her to thank for Wi-Fi, Bluetooth and several other FHSS RF technologies.

Cancellation policy: 60+ days before the event 75% of fees refunded; 30–60 days before event 50% refunded, less than 30 days 0% refunded. Course changes are allowed up to 14 days before event start (some restrictions will apply). Attendee changes can be accommodated up to 14 days prior to the event.

DCG 201 RINGZER0 COURSE HILIGHTS

These are some of the multi-day course trainings that stood out to us. Space is limited and this is not the full list so RSVP ASAP and look at the full list of trainings on their website: https://ringzer0.training/#instructors

WEEK 1 — JULY 31-AUGUST 6

Windows Internals for Reverse Engineers

4 DAY u_long 32 CPE Hour Training: August 2021

WEEK 1: JUL 31-AUG 5 [click here for DETAILED SCHEDULE]

Windows Internals for Reverse Engineers

4 DAY u_long 32 CPE Hour Training: August 2021

Abstract

For the first time, join a purpose-built virtual edition of the class and learn the mysteries of Windows Internals from your own home. Take a deep dive into the internals of the Windows NT kernel architecture, covering the recently-shipped 20H2, and the upcoming 21H1 and 21H2 versions. Learn the dirty secrets behind both offensive and defensive work and see how rootkits and other kernel-mode malware abuse obscure mechanisms to persist and evade detection.

Topics covered

We will cover security features and changes in Windows 10, including

Virtualization Based Security (VBS)
Hypervisor Code Integrity (HVCI)
Kernel Data Protection (KDP)
eXtended Control Flow Guard (XFG)
and Intel Control-flow Enforcement Technology (CET).

These features, in addition to other mitigations covered in this class, make exploitation more difficult than ever before. With the addition of VBS, even gaining Ring 0 access is no longer enough to fully “own” a machine. We will also look into improvements made to past Windows features, such as expanding ASLR to the kernel and the secure kernel (KASLR and SKASLR), as well as adding KCFG to protect from kernel exploitation.

This class will also discuss Windows kernel tamper protection. PatchGuard is a well-known name, yet it is one of the most mysterious Windows features and barely any public research was done on it. We will understand the internal workings of this part of Windows and learn why it is so hard to get a definite answer to the eternal question “Does PatchGuard detect this?”. Afterwards, we will meet PatchGuard’s modern sibling – HyperGuard, which uses the benefits of VBS to add another layer of protection to the kernel. Finally, we’ll discuss how Secure Launch, DRTM, and System Guard Runtime Assertions attest the tampering state of modern Windows systems.

In addition to all of these, we will analyze capabilities that are meant for 3rd party security products. We will get to know features such as new ETW providers, which supply information previously available only through user-mode hooks, different callbacks that give drivers built-in detection and prevention abilities, and the Secure Pool, a unique feature that allows drivers to utilize VBS capabilities to protect their data from attacks. These different features all have their benefits and their limitations, and there are areas that are still blind spots for defenders but might already be used by attackers.

This class offers a lot of theory and knowledge, but also lots of hands-on experience: throughout the class you will use tools such as WinDbg, Sysinternals tools, WinObjEx64 and Process Hacker to view, analyze, trace, and edit kernel features. Attendees will get familiar with new debugger capabilities and gain scripting abilities that will significantly simplify complicated operations and allow insight into internal kernel mechanisms.

NOTE: Lectures shall NOT be recorded

Pre-requisites

IMPORTANT: It is helpful to understand x86/x64 assembly to take this course, but knowledge of obfuscation, packing, etc., is not required.

Basic knowledge of Windows, processor architecture, and operating systems is helpful — you should have some vague idea of what an interrupt is, and what is the difference between user and kernel mode (ring levels), a bit about virtual memory/paging, etc.

System Requirements

Note that a full class/software installation and preparation e-mail will be sent to you about 2 weeks before the class. That being said, in general, you should expect the following.

First, you should preferably have a Windows machine to attend, and you should have the Windows Driver Kit 10 release, which you can freely grab from the Windows Developer Center or MSDN.

A virtual machine (VirtualBox is strongly preferred — configured in UEFI + Hyper-V mode for best performance) is recommended with an installed version of Windows 10. You should install the Windows Driver Kit on your host — not the VM.

If you have a Linux or Mac device, that’s fine, and then you may either install the Windows Driver Kit on the VM itself, or, better yet, use two separate virtual machines.

IDA/Hexrays or Ghidra helpful, but not required.

Yarden Shafir

Yarden is a Software Engineer at Crowdstrike, working on EDR features, and a consultant and trainer for Winsider Seminars & Solutions Inc., co-teaching security trainings.

Previously, she worked at SentinelOne as a security researcher and QA engineer.

Outside of her primary work duties, Yarden writes articles and tools and gives talks about various topics such as CET internals, extension host hooking and kernel exploit mitigations.

Outside of infosec, Yarden is a circus artist, teaching and performing aerial arts.

The ARM IoT Exploit Laboratory

4 DAY u_long 32 CPE Hour Training: August 2021

Video Preview

Saumil’s Inside ARMX: Emulating IoT Firmware Workshop gives you an glimpse of the wide world of ARM IoT vulnerability research. Saumil uses ARMX extensively in his class.

Class Abstract

“There’s an Intel on every desktop, but an ARM in every pocket.”

“There’s an ARM on every desktop, and Intel in the iPhone baseband”

The world of ARM IoT devices is growing rapidly. Routers, IP cameras, Network video recorders, VoIP systems and several other “smart” appliances are now running on ARM SoCs. While the hardware is the latest and greatest, the software running on it is a different story.

The ARM IoT Exploit Laboratory is a brand new class. This class takes a closer look at the hardware and the firmware running on it. Students shall learn how to analyse, emulate and exploit the firmware on a variety of ARM IoT devices. The class starts with extracting the firmware directly from the devices, moves on to creating an emulated test environment for fuzzing and debugging, and writing end to end exploits for the devices. The class shall feature an array of hardware targets of varying complexity. Students shall have ample time for hands on exercises to sharpen their exploitation skills.

UPDATED CONTENT

Hardware level firmware extraction from IoT devices
ARMX: A new firmware emulation framework for accurate emulation of IoT devices, including nvram.
New hardware targets: Network video recorders, multiple IP cameras, multiple routers, and perhaps more.

Key Learning Objectives

A quick introduction to ARM architecture and assembly.
An introduction to ARM IoT devices.
Under the hood — circuit boards, pins, interfaces and flash chips.
Firmware Extraction via UART.
Firmware Extraction directly from flash memory.
Introducing the ARMX Firmware Emulation Framework.
How to emulate an IoT device in ARMX.
Exploiting vulnerabilities in the IoT device.
Bypassing exploit mitigation technologies — DEP and ASLR.
Practical ARM ROP chains.
Customised ARM shellcode.
Overcoming limitations — payload size, bad characters, encodings.
A deeper look into firmware emulation — emulating nvram, patching factory defaults.
Working around missing emulated hardware — tracing binaries, patching libraries.
Exercises, exercises and more exercises
The Lab environment is a mixture of physical ARM hardware and ARMX Docker images.

Who Should Attend

Past x86/ARM Exploit Laboratory students
Pentesters working on ARM embedded environments. (SoCs, IoT, etc)
Red Team members, who want to pen-test custom binaries and exploit custom built applications.
Bug Hunters, who want to write exploits for all the crashes they find.
Members of military or government cyberwarfare units.
Members of reverse engineering research teams.
People frustrated at IoT devices to the point they want to break ‘em!

Part 1 — Exploitation

A quick introduction to ARM architecture and assembly language.
EXERCISE — Learn ARM assembly by compiling and reverse engineering binaries.
EXERCISE — Using GDB for debugging ARM ELF binaries.
An introduction to ARM IoT devices.
Introducting the ARMX Firmware Emulation Framework.
Debugging the emulated IoT device.
Memory Corruption
Exploiting Stack Overflow conditions in ARM binaries.
Writing customised ARM shellcode.
EXERCISE — end to end stack overflow exploit.
Bypassing exploit mitigation technologies — DEP and ASLR.
Practical ARM ROP chains.
Attacking the actual hardware.
Overcoming cache coherency issues.
Overcoming limitations in the exploit payloads — size, bad characters and encodings.
EXERCISES — three hardware targets to emulate and exploit.
BONUS CHALLENGES — for those hungry for more.

Part 2 — Firmware Extraction & Emulation

Under the hood — a tour of the circuit boards, pins, interfaces and flash chips.
Obtaining the firmware via UART, bootloader or an EEPROM programmer.
Unpacking the firmware and static analysis.
How to emulate an IP camera in ARMX.
Matching the device — choosing the right CPU to emulate.
Matching the device — compiling a custom kernel.
EXERCISE — emulate a home router in ARMX.
Filling in the blanks — dealing with missing hardware in the emulator.
Working with nvram
Complexities in emulation — hotpatching and hooking functions.
EXERCISE — emulate a compilcated IoT device.

Pre-requisites

A conceptual understanding of how functions work in C programming
Knowledge of how a stack works, basic stack operations
Familiarity with GDB
Not be allergic to command line tools.
If none of the above apply, then enough patience to go through the pre-class tutorials.
SKILL LEVEL: INTERMEDIATE

Pre-class Tutorials

The following tutorials have been specially prepared to get students up to speed on essential concepts before coming to class.

Operating Systems — A Primer https://www.slideshare.net/saumilshah/operating-systems-a-primer
How Functions Work https://www.slideshare.net/saumilshah/how-functions-work-7776073
Introduction to Debuggers https://www.slideshare.net/saumilshah/introduction-to-debuggers

Hardware Requirements

A working laptop (no Netbooks, no Tablets, no iPads)
Intel Core i3 (equivalent or superior) required
8GB RAM required, at a minimum
Wireless network card
40 GB free Hard disk space

Software Requirements

Linux / Windows / Mac OS X desktop operating systems
Docker installed and working
Command line git client installed and working
Administrator / root access MANDATORY

Students will be provided with

Students will be provided with all the lab images used in the class. Students will also be provided with the fully loaded version of ARMX which is not available publicly.

The ARM IoT Exploit Laboratory uses a “Live Notes” system that provides a running transcript of the instructor’s system to all the students. Our lab environment, plus about 800MB of curated reading material, will be made available to all attendees to take with them and continue learning after the training ends.

Saumil Shah

Saumil Shah is the founder and CEO of Net-Square, providing cutting edge information security services to clients around the globe. Saumil is an internationally recognised speaker and instructor, having regularly presented at conferences like Blackhat, RSA, CanSecWest, PacSec, EUSecWest, Hack.lu, Hack-in-the-box and others. He has authored two books titled “Web Hacking: Attacks and Defense” and “The Anti-Virus Book”.

Saumil graduated with an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. He spends his leisure time breaking software, flying kites, traveling around the world and taking pictures.

Cryptography Attacks and Defenses, Reloaded

2 DAY u_short 16 CPE Hour Training: August 2021

Abstract

A freshly redesigned cryptography training covering all the crypto topics that matter in 2021, from cloud infrastructure to mobile and decentralized applications.

Cryptography is an indispensable tool for protecting information in computer systems, but choosing secure protocols and parameters can become quickly overwhelming. To help avoid common traps and failures, this course teaches participants how to reason about the security of crypto constructions, and how to choose secure, efficient, modern crypto components — be it algorithms, protocols, or libraries.

The training starts from the core knowledge and building blocks and gradually moves towards more advanced protocols and techniques used in modern systems, be it cloud infrastructure or decentralized applications. The class is practice-oriented, highly interactive, and includes many examples of real-world failures.

Agenda

1. Foundations:

randomness
hash functions
authenticated encryption
public-key cryptography (RSA, elliptic curves, Diffie-Hellman).

2. Secure Communication:

TLS client-server security
SSH
VPNs (WireGuard)
end-to-end secure messaging
password-based authentication (password hashing, PAKEs).

3. Real World Cryptography:

common coding errors
timing attacks
essential libraries/APIs/utilities
hardware security modules
key management.

4. Advanced Constructions:

zero-knowledge
secret sharing
multi-party computation
post-quantum cryptography
decentralized randomness
consensus protocols.

JP Aumasson

Dr. Jean-Philippe (JP) Aumasson is the Chief Security Officer and co-founder of Taurus, a Swiss financial tech company specializing in digital assets infrastructure. Since 2006, he has authored more than 60 research articles in the field of cryptography and designed the widely used hash functions BLAKE2 and SipHash.

The author of the acclaimed books Serious Cryptography (2017) and Crypto Dictionary (2020), he has been giving crypto training since 2013, and talked at leading crypto and security conferences.

Philipp Jovanovic

Dr. Philipp Jovanovic is an Associate Professor in Information Security at University College London. Before joining UCL in 2020, he worked as a postdoctoral researcher at the Swiss Federal Institute of Technology Lausanne (EPFL), Switzerland. He obtained his PhD from the University of Passau, Germany, in 2015 and received the university’s dissertation award in Mathematics and Computer Science in 2016. He has been giving cryptography trainings since 2016 and is a scientific advisor at cLabs, the organization building the Celo blockchain, since 2019. His research interests broadly include cryptography, decentralized systems security, and privacy-enhancing technologies. Lately he has been working on scalability and interoperability aspects of distributed ledger platforms, public randomness generation, secure multi-party computation, and consensus mechanisms.

WebAssembly Security from Reversing to Vulnerability Research

4 DAY u_long 32 CPE Hour Training: August 2021

Abstract

WebAssembly (WASM) is a new binary format currently developed and supported by all major web-browsers including Firefox, Chrome, Webkit/Safari and Microsoft Edge. This format has been designed to be “Efficient and fast”, “Debuggable” and “Safe” and is often called the game changer for the web.

WebAssembly is beginning to be used everywhere and for everything

Web-browsers (Desktop & Mobile)
Servers/Website (Nodejs, React, Qt, Electron, Cloudflare workers)
Video games (Unity, UE4)
Blockchain platforms (EOS, Ethereum, Dfinity)
Cryptojacking (Coinhive, Cryptoloot)
Linux Kernel (Cervus, Nebulet)
… and more

This course will give you all the prerequisites to understand what is a WebAssembly module and its associated runtime virtual machine. At the end of four intensive days, you will be able to statically and dynamically reverse a WebAssembly module, analyze its behavior, create specific detection rules and search for vulnerabilities. You will discover which security measures are implemented by the WebAssembly VM to validate and handle exceptions. Finally, you will search for vulnerabilities inside WebAssembly VMs (web browsers, standalone VM) using mutation and generation based fuzzing techniques. Students shall be presented with lots of hands-on exercises allowing them to internalize concepts and techniques taught in class.

Key Learning Objectives

Learn what is WebAssembly and what’s inside a WebAssembly module.
Discover the architecture of the WebAssembly virtual machine.
Learn how to analyze statically and dynamically real-life WASM modules.
Discover how to hack video games running on your browsers using WebAssembly.
Learn how to find vulnerabilities inside WebAssembly module and how to exploit them.
Study and analyze the module validation mechanism to bypass it.
Learn how to apply mutation, grammar and evolutionary fuzzing on WebAssembly VM.
Discover how WebAssembly can help you in your day-to-day security work.

Who Should Attend

This class is meant for everyone that want to understand deeper how WebAssembly works such as: malware analysts dealing with cryptominers, professional pentester planning to audit WebAssembly module, developers or students looking to add WebAssembly in their skill-sets, blockchain auditors auditing EOS or Ethereum 2.0 smart contracts and finally vulnerability researchers looking for new targets (like web-browsers) will benefit from this course.

Agenda

Session 1: WebAssembly Reversing

Introduction to WebAssembly
WebAssembly VM architecture and toolchains
Writing examples in C/C++/Rust/C#
Module debugging
WASM binary format (header, sections, etc.)
WebAssembly Text Format (wat/wast)
WebAssembly Instructions set
Writing examples using WASM Text format
Reversing WebAssembly module
CFG and CallGraph reconstruction
DataFlowGraph analysis

Session 2: Analysis of real-life WASM modules

Modules Instructions analytics/metrics
WebAssembly cryptominers analysis
Pattern detection signatures (YARA rules, etc.)
Taint Tracking
Dynamic Binary Instrumentation
Bytecode (De)-Obfuscation techniques
Static Single Assignment and Decompilation
Real-life WASM module analysis
WebAssembly video game hacking

Session 3: WebAssembly Modules Vulnerabilities

Traps and Exception handling
WebAssembly module vulnerabilities
Integer/Stack/Heap Overflows
Advanced vulnerabilities (UaF, TOCTOU)
CFI Hijacking
Emscripten vulnerabilities
Exploiting NodeJS server running WASM module
Vulnerability detection (Static and Dynamic)
Lifting WASM bytecode
Fuzzing WebAssembly modules

Session 4: Vulnerability Research inside WebAssembly VM

Web-Browsers vulnerabilities analysis (CVEs PoC)
WebAssembly VM and Interpreter vulnerabilities
WebAssembly JS APIs generation
Fuzzing Web-Browsers (Chrome, Firefox, WebKit)
WASM module validation mechanism
Writing edge case modules
WAT, WAST & WASM generation using grammars
Interesting VM targets (kernel, blockchain, etc.)
Fuzzing C/C++/Rust/Go based WebAssembly projects
WebAssembly applied for Security Researcher toolings
In-memory fuzzing everything using WebAssembly and Frida

Prerequisites

Basic reverse engineering skills.
Familiarity with scripting (Python, Bash).
Familiarity with C/C++ or Rust programming.
SKILL LEVEL: BEGINNER / INTERMEDIATE

Laptop Requirements

A working laptop capable of running virtual machines
8GB RAM required, at a minimum
40 GB free Hard disk space
VirtualBox
Administrator / root access MANDATORY
IDA Pro would be helpful but not required

Patrick Ventuzelo

Patrick Ventuzelo is a French Independent Security Researcher specialized in vulnerability research, reverse engineering and program analysis. He is the creator of two trainings namely “WebAssembly Security” and “Rust Security”. Patrick is also the author of Octopus, an open-source security analysis tool supporting WebAssembly and multiple blockchain smart contract to help researchers perform closed-source bytecode analysis.

Previously, he worked for Quoscient GmbH, P1Security, the French Department Of Defense and Airbus D&S Cybersecurity.

Patrick has been speaker and trainer at various international conferences such as REcon Montreal/Brussels, Toorcon, hack.lu, NorthSec, FIRST, Microsoft DCC, SSTIC, BlackAlps, Devcon, etc.

Advanced Malware Analysis and Reverse Engineering

4 DAY u_long 32 CPE Hour Training: August 2021

Video Preview

Josh’s Hands-On Malware Analysis: UNPACKING MALWARE USING REVERSING TOOLS AND DEBUGGERS takes you on a 2-hour journey through the art and craft of unpacking Windows malware. This workshop gives you a peek into Josh’s Advanced Malware Analysis training offered at VirtualVegas 2021.

Abstract

Obfuscation, packing and other forms of anti-analysis are commonly used by malware authors to prevent or disrupt deep technical analysis. This helps the threat actors to avoid detection by even the most advanced security products deployed in your enterprise.

In this course, you will get hands on reverse engineering modern native code malware. Using tools such as IDA Pro, Ghidra, x32/x64dbg, PE Studio and more, you will learn how to perform deep technical analysis of today’s most prevalent threats. You will develop effective strategies for reverse engineering using both static and dynamic techniques and tools.

You will also learn how to identify and unravel prevalent packing techniques, anti-analysis techniques and other forms of obfuscation such as control-flow obfuscation and hiding string and API calls.

We will get hands on reversing native code malware, malware that uses interpreters such as AutoIT scripts and analyze shellcode.

By the end of this course you will have the insight to understand and anticipate where malware authors will employ these techniques to disrupt your analysis and how to unravel their obfuscation. These skills ultimately allow you to generate valuable threat intelligence to aid in your efforts to defend your organization or respond to an incident.

This is a fast-paced course designed to take you deep into malware reverse engineering! Each day will end with comprehensive analysis activities and exercises to test and reaffirm key learning objectives. This course is designed to not just simply be 4 days of lecture, but an immersive and interactive learning experience. This is an ideal course for security analysts, malware analysts/researchers and blue teams that need to get hands-on diving deep into malicious software.

Key Learning Objectives

Understand different attack methods used by malicious actors and how they map to attack frameworks such as MITRE ATTACK
Perform exhaustive analysis on native code binaries (PE files) and shellcode
Learn how to reverse engineering unconventional malware such as malware created with AutoIT scripts.
Become proficient in utilizing reversing tools to identify and defeat obfuscation, packing and anti-analysis techniques.
Learn how malware authors dynamically construct import tables for function calls
Gain a deeper understanding of binary file formats and how to analyze them to learn more about malware behavior (PE file format)
Learn how to use reversing tools to identify and defeat obfuscation, packing and anti-analysis techniques.
Leverage static and dynamic tools to develop a hybrid approach for effectively analyzing malware including assembly level debuggers, disassemblers, decompilers and sandboxes

Who Should Attend

This course will take students through key phases of malware operations, providing deep technical analysis and hands-on labs to gain experience detecting, analyzing and reverse engineering malware. This is an ideal course for security analysts, threat researchers, malware researchers and anyone tasked with defending an organization to get hands-on diving deep into malware.

Agenda

Session 1: Reverse Engineering Malware

Identifying signs of packing and obfuscation in native code formats (PE files)
Developing strategies for detecting known and custom packers
Unpacking malware using reversing tools and debuggers

Session 2: Reversing Interpreted Malware and Finding Anti-Analysis

Reversing malware that uses AutoIt
Identifying anti-analysis techniques and developing mitigations
Process hollowing and other code injection techniques

Session 3: Reversing Shellcode and the PE File Format

Malware use of shellcode — extracting and analyzing
Digging deep into the PE file format
Dynamically constructing import tables and other methods for calling Windows APIs
Identifying string obfuscation through hashes, encryption and other techniques

Session 4: Finding Malware Configs and C2

Dissecting modular malware such as TrickBot
Identifying malware configurations
Identifying malware C2 patterns

Pre-requisites

The primary requirement for this course is a desire to learn and the determination to tackle challenging problems. In addition, having some familiarization with the following topics will help students maximize their time in this course:

Basic malware analysis
An understanding of programming languages such as control structures (IF statements, loops and functions), data structures (objects, structures, arrays) and variable usage
Ability to read assembly for Intel 32 and 64 bit architectures
Proficiency with a Windows-based debugger such as WinDbg, x64dbg or Immunity

Pre-class Tutorials

To help prepare for this course, it is recommended that students be familiar with information from the following sources:

A brief overview of malicious office documents
Hack-in-the-Box CommSec Track 2018
Assembly and Intel’s 32/64-bit architecture
Specifically concepts from chapters 1 − 5
Getting started with reverse engineering

System Requirements

Linux/Windows/Mac desktop environment
A laptop with the ability to run virtualization software such as VMWare or VirtualBox
Access to the system BIOS to enable virtualization, if disabled via the chipset
Ability to temporarily disable anti-virus or white-list folders/files associated with lab material
A laptop that the attendee is comfortable handling live malware on
Enough disk space to store at least a single 40 GB VM, although multiple VMs may be used

Students will be provided with

Students will be provided with all of the lab material used throughout the course in a digital format. This includes all lab material, lab guides and virtual machines used for training. This course will also utilize several live classroom sharing resources, such as chat and notes to ensure that students have access to all material discussed throughout the training. Comprehensive lab guides will also be provided to ensure that students have the ability to continue learning after the course ends and maximize the knowledge gained from this course.

Dr. Josh Stroschein

Dr. Josh Stroschein is an Assistant Professor at Dakota State University where he teaches malware analysis, software exploitation, reverse engineering, and penetration testing. Josh also works as a malware analyst for Bromium, an end-point security company and is the Director of Training for the Open Information Security Foundation (OISF). Josh has spent years developing security-related courses and is passionate about sharing that knowledge with others all over the world. Josh lives in South Dakota with his wife Janice and three children.

WEEK 2 — AUGUST 7–13

Embedded Automotive Security: A Hands-on Introduction

4 DAY u_long 32 CPE Hour Training: August 2021

Abstract

This training is geared towards offensive security researchers, penetration testers or red teamers who want to dip their toes into the field of automotive security. The basis of this training are developments boards that give the attendees a practical introduction to bus systems such as CAN, LIN and FlexRay. After the students have learned about common ECU classes, protocols and the AUTOSAR standards we will write some parts of an ECU ourselves to put us in the position of a developer. We then switch to an offensive security perspective and take apart and analyse an ECU image step by step until we will have (a) working exploit(s) against that system at the end of the week.

In contrast to other trainings, we will not look into infotainment units as we see them as too similar to other embedded and mobile systems. Rather we will concentrate on the specifics of automotive embedded systems. To help with this process we will show the attendees how to snapshot and emulate systems to be faster in assessing them.

This hands-on training requires additional hardware. We intend to empower you not just with the know-how, but also with properly vetted tools for continued research and analysis.

Please refer to the SHOPPING LIST at the bottom for details.

Key Learning Objectives

Develop an understanding of the AUTomotive Open System ARchitecture (AUTOSAR) architecture and development processes
Be able to independently evaluate the security of ECUs and find vulnerabilities in them.
Rate the technical depth of automotive security assessments.

Agenda

Session 0:

Classes of ECUs in cars
Protocols in use in cars
Exercise #0: Hypothesising potential vulnerabilities by reading standards
Automotive network topologies
Exercise #1: Test communications with an ECU
Q&A / Wrap-up Session 0

Session 1:

AUTomotive Open System ARchitecture (AUTOSAR) Basics
Exercise #2: Build your own ECU firmware (using S32 Design Studio)
Obtaining ECU firmware and memory
Exercise #3: Use JTAG to snapshot a device for emulation
Speeding up your analysis using emulation
Exercise #4: Disassemble and emulate an ECU flash image
Q&A / Wrap-up Session 1

Session 2:

Detailed explanation of CAN, CAN-FD and LIN buses
Exercise #5: Reverse engineering functionality and finding bugs
Automotive Ethernet, Gateways and Ethernet switches as isolators
Exercises #6: Mapping and understanding attack surface
Q&A / Wrap-up Session 2

Session 3:

Attack planning/Chaining vulnerabilities
Exercises #7: Reverse engineering functionality and finding bugs (continued)
FlexRay
Exercise #8: FlexRay
Q&A / Wrap-up Session 3

Session 4:

Real-world car hacking: How to source parts, how not to tear apart your car, where to find documentation and tools
Exercise #9: Understanding and doodling schematics
Building benches and labs
Exercise #10: Exploiting the bugs you found (or didn’t find, we’ll share and compare)
Q&A / Final Wrap-up

Who should take this course?

Offensive Security Researchers/Pentesters/Red-teamers starting to work on automotive embedded systems
Ex. technical roles that are now managing teams doing automotive embedded work and need to guide projects and/or assess results

Required Skills

Written/Read code on at least one CPU Instruction Set (ARM or PowerPC knowledge is a plus).
Know how to do some basic reversing tasks like loading a plain file into a common “mainstream” Disassembler (IDA, Ghidra, Binja, Radare, etc.) navigating basic blocks etc.
Have used a debugger before. (GDB knowledge is a plus).
SKILL LEVEL: INTERMEDIATE

System Requirements

1x Computer capable of running VMware (Workstation or Fusion) with Ethernet, 40G disk space, 6GB of free RAM for VM
A decent Internet connection in order to access exercises and material

Shopping List

We will need 2 development boards for secure gateway applications. Here are the tools that you need, and sources from where you can purchase them.

2x DEVKIT-MPC5748G (approximate price: EUR 100/each + VAT) Yes, you need TWO units. You can purchase them from Amazon / NXP / DigiKey / Mouser / Arrow / Farnell or anywhere else you can find them.
2x 12V 1amp DC Power adapters to power up the DEVKIT-MPC5748G boards. These have a 2.1/5.5mm inner/outer diameter jack, and are available from several sources. Here are a few references: Amazon US / Amazon EU / Amazon UK
20 jumper cables male ↔ male Amazon US / Amazon EU / Amazon UK
1x Ethernet cable
(optional) Digital Oscilloscope (for example Siglent SDS1104X-E/SDS1202X-E or Rigol DS1054Z). While the digital oscilloscope is optional, it is a worthwhile investment if you are serious about getting into embedded automotive testing.

Dr. Andrew Blyth

Dr. Andrew Blyth is Co-Founder Merimetso, a boutique cyber security training company. As a former Professor of Computer Forensics he has more than twenty years of experience in education/training and hardware hacking/forensics. He is passionate about working with, and mentoring, students to help them develop new skills that are relevant to the needs of industry.

Campbell Murray

Campbell Murray has been established in information security for over 20 years and was the founder of Encription Limited before coming the Global Head of Cybersecurity for Blackberry. Founding Merimetso in 2020, Campbell brings his knowledge of penetration testing, IoT and security engineering with him.

Inside RISC-V: Analysis and Exploitation

4 DAY u_long 32 CPE Hour Training: August 2021

CLASS RESCHEDULED TO SEPTEMBER 7, 2021

Abstract

This training is designed to give students the knowledge and skills required to analyze, identify, target, and exploit flaws in both RISC-V processors, and applications and kernels written for the architecture. Not only will RISC-V application level exploitation be a focus of the training session, processor exploitation will also be a focus, providing students with insights into architectural design choices that make RISC-V more resilient to side channel attacks, “trustzone” escapes, and privilege “ring” escalation attacks.

Students will complete the class with a full understanding of the RISC-V architecture and its variants, how to identify/analyze a RISC-V processor, and how to target and exploit an application or kernel running on a RISC-V CPU. Students will learn how the architecture’s formal definition differs from implementations of the processor specification, and will learn how to target subtleties in the specification that grant implementors the flexibility to introduce potential architecture flaws that can be exploited in order to cross privilege boundaries or leak/exfil privileged data.

Variations of RISC-V technology will be discussed, such as the “unhackable” Morpheus microarchitecture, production variants such as SiFive’s product line, and security focused chips such as HexFive and LowRISC.

Agenda

Cluster 1

RISC-V Architecture Specification
RISC-V Architecture Variants and Extensions
RISC-V Peripheral Integration Model (Bus Architecture)
RISC-V Debugging and Testing

Cluster 2

Application Development Environment
Toolchains and Soft Debugging
Privilege Layers from a Kernel and App Perspective
Exploiting Kernels
Exploiting Applications

Cluster 3

Tagged Memory
Side channel attacks
Privilege escalation
Privileged data leakage
TrustZone Analogs
Exploiting Privilege Boundary Flaws

Cluster 4

Secure Core Implementations and their Weaknesses
Errata: Hacking Implementations versus Specifications
Exploiting Secure Cores

Tools Used

QEMU
Linux
gdb / llvm / gcc
Python
JTAG / SWD

Required Skills

Basic assembly knowledge with any RISC architecture CPU
Basic low-level programming (C, assembly)
Basic Python
Familiarity with the Linux command line and its common tools

System Requirements:

A working computer
Virtual machine(s) running Linux
The ability for your Linux system to run virtual machines (QEMU)
Python installed (2 and 3)
Basic development toolchain installed: gcc/llvm, gdb, vim, make/automake/autoconf, OpenOCD, telnet/nc

Don Andrew Bailey

Don A. Bailey is an 18 year veteran of the information security space. His groundbreaking research has shaped information security and has been featured in news agencies from NPR and Reuters, to Fox News and CNN. Don was the first to break Apple’s MFi security architecture, demonstrate car hacking, to remotely compromise GPS systems, “broke the Internet” with a critical and wide-spread compression algorithm exploit, and the first to find and develop a working exploit for the RISC-V privilege model security flaw, among other firsts.

Previously the Director of Research at the prestigious iSEC Partners think tank, Don founded his own consulting firm in 2012 with a research grant from DARPA. Don went on to help shape the vulnerability, exploit acquisitions, and response ecosystem, becoming a “top 10 hacker” at HackerOne and a Bugcrowd affiliate. During this time, Mr. Bailey consulted with startups on building secure technology from the ground up, and assisted corporations on integrating vulnerability response programs into their engineering process. Don currently leads a startup, Lab Mouse Inc., focused on using secure RISC-V technology to solve social problems in underfunded communities. Mr. Bailey is currently the Chair of the RISC-V Security Response Team, which coordinates vulnerability disclosure between researchers and the RISC-V Foundation.

iOS 14 Userspace Exploitation

4 DAY u_long 32 CPE Hour Training: August 2021

Abstract

The iOS 14 Userspace Exploitation Training course is a new addition to our syllabus since 2019. It is meant to complement our set of iOS related training courses and extend them into the userland field.

In this course we will discuss how to attack not only applications and daemons but also Apple’s iMessage, which on the one hand has become a favorite target of nation states and on the other hand a place where Apple added new mitigations.

In this four day training participants will take a deep dive into topics related to iOS 14 userpace level exploitation. This starts with an introduction into the specifics of the iOS platform so that trainees with or without deep knowledge of iOS are on the same track. The following days will then concentrate on real world vulnerabilities in applications, daemons, services, and Apple’s iMessage.

This 4 day course is an enhanced version of the course we did in 2020 and is targeted at intermediate to advanced exploit developers that want to switch over to iOS or learn how to deal with modern iOS user space targets. To improve on our 2020 course we have selected a number of previously disclosed real world vulnerabilities so that students can learn from real examples and not only via mockup bugs. We have also added more material regarding Swift targets.

Throughout the course we will discuss possible avenues for fuzzing the attack surface of discussed targets. However this is not an iOS fuzzing training course and therefore for full coverage of iOS fuzzing we suggest signing up for another of our courses.

The training excercises will be performed on devices running on 14.x. Students are required to bring their own devices on iOS 14 as long they are supported by the public checkra1n jailbreaks.

The goal of this training is to enable trainees to find and exploit new vulnerabilities in iOS userpace programs despite newest mitigations.

Course Topics

Introduction

How to set up your Mac and Device for Vuln Research/Exploit Development
iOS Userspace Memory Layout
Dynamic Loading Frameworks, Libraries and ASLR
iOS Sandboxing and Inter Process Communication
Userspace Exploit Mitigations
Userspace Attack Surface

Objective-C and SWIFT

Exploitation strategies for Objective-C targets
Exploitation strategies for Swift targets

iOS Userland Debugging

Using the iOS Userland Debugger for vulnerability research
How to deal with iOS Anti Debugging Tricks

iOS Userland Heap

Discussion of the iOS Userland Heap implementation
Discussion of other heap implementations in our targets
Introduction of new iOS userland heap visualization toolset

MIG and other forms of IPC

Introduction to MIG/IPC
Understanding the MIG/IPC architecture and its attach surface
Mach messages
Fuzzing and Exploitation of MIG services

XPC services

Introduction to XPC services
Understanding the XPC architecture and attack surface
Understanding target specific mitigations
XPC serialization / deserialization
Fuzzing XPC services
Exploiting XPC services

iMessage Exploitation

Introduction to iMessage and its architecture
Understanding the attack surface
Understanding target specific mitigations
Introspection and instrumentation
Fuzzing iMessage
Exploiting iMessage

What is new in iOS 14

New mitigations in iOS 14 will be covered

Prerequisites

The course will start with an introduction to the specialities of the iOS platform and is therefore suited for trainees with and without iOS userspace exploitation basics
This course is an advanced exploitation course it is therefore assumed that all students are familiar with ARM64 exploitation or reverse engineering.

Hardware Requirements

An Apple Mac Notebook/Desktop is required in order to run MacOS and XCode
We strongly recommend using an M1 based Mac
A device running iOS 14 up to iPhone X, that can be used for testing.
For the best experience please use a jailbroken device. You may use the checkra1n jailbreak.
[optional] In addition to the iOS test device, you may also bring an iOS device newer than the iPhone X for some PAC hands-on. However this is entirely optional.

Software Requirements

IDA Pro 7.x or IDA Home license (ARM64 support required)
Alternatively Ghidra can be used and is fully supported
Hexrays for ARM64 helpful, but not required
BinDiff for IDA helpful, but not required
Hopper / Binary Ninja or other tools might work but are not officially supported
Mac OS X 11, with latest XCode and iOS 14.x SDK (or newer)
Additional Software will be made available during the training

Training Takeaways

The whole training material (multiple hundred slides) will be handed to the students in digital form.

Students will get a license for the Antid0te software and scripts that are used during the training that allows usage but not redistribution of said software. This software is currently going through a complete cleanup and modernization to ensure compatibility with all new devices.

Stefan Esser (Antid0te UG)

Stefan Esser is best known in the security community as the PHP security guy. Since he became a PHP core developer in 2002 he devoted a lot of time to PHP and PHP application vulnerability research. However in his early days he released lots of advisories about vulnerabilities in software like CVS, Samba, OpenBSD or Internet Explorer.

In 2003 he was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he works as head of research and development for the German web application company SektionEins GmbH that he co-founded.

In 2010 he did his own ASLR implementation for Apple’s iOS and shifted his focus to the security of the iOS kernel and iPhones in general. Since then he has spoken about the topic of iOS security at various information security conferences around the globe. In 2012 he co-authored the book the iOS Hackers Handbook. In 2013 he founded Antid0te UG a company that focuses on iOS security research and consulting.

Electron Security

Threat Modeling, Vulnerability Research and Exploitation

Overview

With the increasing popularity of the ElectronJs Framework, Doyensec has developed a unique workshop to teach students how to perform hands-on threat modeling and vulnerability research against modern desktop applications.

Doyensec was the first security company to publish a comprehensive security overview of the Electron framework during BlackHat USA 2017. Since then, we have reported dozens of vulnerabilities in the framework itself and popular Electron-based applications. This training is the result of several years of applied security research and will provide a condensed lesson in Electron security to all attendees.

The class is hands-on with many live examples and labs, enabling participants to not only understand how Electron applications work, but also how to find and exploit vulnerabilities in a matter of hours. Attendees will get a clear picture of Electron’s security model and risk exposure. We will review the ecosystem, attack surface, unexpected navigation attacks, isolation, sandboxing, and many other interesting topics. Doyensec tutors will also demonstrate real-life vulnerabilities which have affected popular software. The class will be highly interactive to answer all questions attendees might have and potentially review attendees’ code.

Key Learning Objectives

Understand the anatomy and lifecycle of Electron-based applications
Examine the attack surface and standard threat model of Electron-based applications
Identify the most common design flaws which lead to vulnerabilities
Explore implementation misconfigurations and security anti-patterns
Hands-on exploitation of bugs in the framework and custom code
Learn Electron security best practices and hardening

Agenda

Session 1: Electron Overview, Internals and Security Model

Electron Overview
Electron Internals
Codebase, building Electron
Anatomy of Electron-based Desktop applications
Security settings (nodeIntegration, sandbox, contextIsolation)
InternalIPC (IpcMain, ipcRenderer)
Packaging (executables, asar file format)
Testing tools
Governance and versioning
Security Model
Browser vs Electron
Full chain exploit steps
Attack surface

Session 2: Attacking the Application Iceberg

Vulnerable foundation
Subverting the framework (Part I)
Taking control of the DOM
External navigation
Loading remote resources
MITM and certificate pinning
Protocol handlers
Cross-Site Scripting (XSS)
Drag&Drop attacks
Middle-click attacks
Bypassing isolation
History of nodeIntegration bypasses
Framework “Glorified” APIs
Deviations from browser standards
SameOriginPolicy enforcement
Security and privacynotifications
Local handlers (e.g. file://)

Session 3: Attacking the Application Iceberg

Subverting the Framework (Part II)
Prototype pollution against ElectronJS
Exploits for contextIsolation
Software updates
Vulnerable dependencies

Session 4: Attacking Custom Code

Insecure webPreferences settings
nodeIntegration, nodeIntegrationInWorker and nodeIntegrationInSubFrames
Missing sandbox or nativeWindowOpen
Missing contextIsolation
Disabling webSecurity
Allowing webViewTag
Insecure preload scripts
Functionalities that can be abused
Native APIs (e.g. openPath)
Custom functions
Sandbox bypass
Prototype pollution attacks against preload
Dangerous custom protocol handlers
Exposed functionalities

Session 5: Electronegativity and Security Automation

Electronegativity
Origins, Design and Internals
Installation and usage
Developing a new atomic check
Developing a new global check
Electronegativity on CI
Programmatically
Github Action
Simulation of a real-world AppSec review using Electronegativity
Automated vulnerability discovery
Findings review and code annotations
Q&A
Conclusion

Who should take this course?

Security engineers, auditors, researchers, pentesters, and those in similar roles
JavaScript and Node.js developers

We will provide details on how to both find and fix security vulnerabilities, which makes this class suitable for both blue and red teams.

If you enjoy the write-ups in https://github.com/doyensec/awesome-electronjs-hacking, you’re likely going to love our class!

We expect all students to have:

Basic JavaScript development experience
Basic understanding of web application security (e.g. XSS, ClickJacking, …)

Requirements

A laptop and the possibility to install software. We will provide all necessary tools
A decent Internet connection is also required in order to access exercises and material

What attendees will be provided with

Attendees will receive all necessary material, including:

Workshop slides (over 250 pages)
Code and artifacts of all exercises
Our custom DamnVulnerableElectronApp
Most recent release of Electronegativity (Private Beta)

Luca Carettoni

With over 15 years of experience in the application security field, Luca Carettoni is a respected application security expert. Throughout his career, he worked on security problems across multiple industries and companies of different size. He is the co- founder of Doyensec, an application security consultancy working at the intersection of offensive engineering and software development. At LinkedIn, he led a team responsible for identifying new security vulnerabilities in applications, infrastructure and open source components. Prior to that, Luca worked as the Director of Information Security at Addepar, a startup that is reinventing global wealth management. Proud to be a Matasano Security alumni, he helped bootstrapping the Silicon Valley office by delivering high-quality security assessments to software vendors and startups. As a security researcher, he discovered numerous vulnerabilities in software products of multiple vendors including 3com, Apple, Barracuda, Cisco, Citrix, HP, IBM, Oracle, Sun, Siemens, VMware, Zend and many others. Since the beginning of his career, he has been an active participant in the security community and a member of the Open Web Application Security Project (OWASP). Luca holds a Master’s Degree in Computer Engineering from the Politecnico di Milano University.

Automated Program Analysis using Machine Learning

4 DAY u_long 32 CPE Hour Training: August 2021

Video Preview

Hahna’s Hands-On Machine Learning for Automated Program Analysis gives you an introduction to ML concepts and how they can be used to detect malware or malicious code in binaries. This workshop gives you a peek into Hahna’s Automated Program Analysis using Machine Learning training offered at VirtualVegas 2021.

Abstract

This 4-day 32h course features a practical hands-on approach to automated program analysis using machine learning. Given the increasing pervasiveness of IoT devices and malware, there is a great need to perform automated reverse engineering at scale, especially since reverse engineering software and firmware can often be a manual, labor-intensive, and time-intensive process. This class is perfectly suited for students who are new to machine learning and want to learn how to leverage it to automate their program analysis and reverse engineering efforts.

This class kicks off with performing advanced program analysis to automatically identify shared code relationships between applications using different binary features, compute code sharing similarity over a data set to determine binary groupings, and then determine a new binary’s similarity to previously seen samples based on code sharing patterns. We will also cover intermediate representations of binaries and how they can be used for advanced program analysis.

Next, we will introduce machine learning concepts and their applications to automated reverse engineering. We will first use unsupervised machine learning algorithms to find data patterns and features which can be useful for categorization. Then we will develop supervised machine learning models to classify binaries and make certain predictions about them. Lastly, we will apply deep learning to automate program analysis by building and evaluating neural networks. Throughout the class, labs will be conducted in a virtual environment. Students will leave the course with the necessary hands-on experience, knowledge, and confidence to conduct automated program analysis at scale using machine learning.

Key Learning Objectives

Performing Shared Code Analysis
Leveraging intermediate representations for advanced program analysis
Introduction to Machine Learning
Exploring Unsupervised ML algorithms
Developing Supervised ML models
Building Neural Networks
Evaluating and measuring the effectiveness of ML systems

Who Should Attend

Reverse engineers, security researchers, and analysts with little to no experience with machine learning
Analysts, security researchers, and reverse engineers who want to automate and scale their program analysis and reverse engineering process

Agenda

Session 1:

Introduction to advanced program analysis
Identifying and extracting program features
EXERCISE: Similarities Lab
Leveraging N-Grams for program analysis
EXERCISE: N-Grams Lab
Performing agnostic program analysis
EXERCISE: Architecture and Compiler Agnostic Analysis Lab
Introduction to intermediate representations
EXERCISE — IR Lab

Session 2:

Introduction to Machine Learning
Evaluating ML systems
Unsupervised ML algorithm: K-Means Clustering
EXERCISE: K-Means Lab
Unsupervised ML algorithm: Agglomerative Hierarchical Clustering
EXERCISE: Agglomerative Analysis Lab
Unsupervised ML algorithm: Divisive Hierarchical Clustering
EXERCISE: Divisive Analysis Lab

Session 3:

Introduction to Supervised Machine Learning
Supervised ML algorithm: Logistic Regression
EXERCISE: Logistic Regression Lab
Supervised ML algorithm: Decision Tree
EXERCISE: Decision Tree Lab
Supervised ML algorithm: Random Forest
EXERCISE: Random Forest Lab
Supervised ML algorithm: K Nearest Neighbors
EXERCISE: KNN Lab
Supervised ML algorithm: Support Vector Machines
EXERCISE: SVM Lab

Session 4:

Introduction to Neural Networks
Building Neural Networks for Program Analysis
EXERCISE: Neural Networks Development Lab
Evaluating Neural Networks
EXERCISE: Neural Networks Performance Lab

Pre-requisites

Knowledge of Python 3 programming
Knowledge of computer architecture concepts
Knowledge of an assembly language (e.g., x86/x64, ARM, etc.)
Familiarity with navigating Linux environments and command line knowledge

Hardware Requirements

A working laptop or desktop (no Netbooks, no Tablets, no iPads)
Intel Core i3 (equivalent or superior) required
8GB RAM required, at a minimum
10 GB free hard disk space, at a minimum

Software Requirements

The following software needs to be installed on each student laptop prior to the workshop:

Linux / Windows / Mac OS X desktop operating systems
VMware Workstation or Fusion. The free 30-day trial is sufficient and can be downloaded here: https://www.vmware.com/try-vmware.html
Administrator / root access MANDATORY

Students will be provided with

Students will be provided with access to course slides, sample code, and lab exercises which attendees can keep to continue their learning and practicing after the training ends.

Hahna Kane Latonick

For the past 15 years of her engineering career, Hahna Kane Latonick has worked throughout the defense industry specializing in cybersecurity as a security researcher for the Department of Defense and other defense contracting companies. She has been featured as a cybersecurity subject matter expert on Fox Business News, ABC, U.S. News and World Report, and other national media outlets. She has led three tech startups, serving as CTO of two of them and Director of R&D. She has trained and developed security researchers at one of the top five aerospace and defense industry companies. Over the years, she has also taught at different conferences, such as Ringzer0 and Security BSides Orlando. In 2014, she became a DEFCON CTF finalist, placing in 6th and ranking in the top 1.5% of ethical hackers worldwide. She also holds a CISSP and CEH certification. Latonick attended Swarthmore College and Drexel University where she earned her B.S. and M.S. in Computer Engineering along with a Mathematics minor.

Reverse Engineering of Modern Android Malware

2 DAY u_short 16 CPE Hour Training: August 2021

Abstract

In this workshop, you will learn how to analyze Android malware and understand what they are doing. The workshop consists in a majority of hands-on lab sessions, with demo and many exercises on real, and recent, Android malware. Of course, you also learn how to deal with those malware safely ;-)

Malware Samples covered during the training

Android/Alien
Android/Bread (Joker)
Android/EventBot
Android/Ghimob
Android/SpyNote
Android/Sandr (Sandro RAT)

Agenda

Session 1: Android background and first steps

Introduction / Welcome
Android malware trends
Google Play Protect
Contents of Android application: manifest, assets, native libraries…
Certificates and application signature
Presentation of Reverse Engineering tools
Setup of tools. A dedicated Docker container is provided to attendees
3 Labs: compiling an Android app, disassembling it and patching.

Session 2: Reverse engineering of Android Malware

Demo of reverse engineering of Android/SpyNote
Exercises on other samples
Using Quark Engine to spot malicious behaviour
Writing custom rules for Quark Engine
Using MobSF for an overview and quick analysis of a sample

Session 3: Dynamic loading and obfuscation

Dynamically loaded classes
Unpacking packed malware with Dexcalibur
Decrypting obfuscating string with Frida

Session 4: Advanced reverse engineering

De-obfuscation like a Pro
Using House
Implementing a JEB script
Malware abusing Accessibility Services
Anti-debug/VM tricks and solutions based
Detection with APKiD
Modifying default Dexcalibur hooks
SSdeep and dexofuzzy to find similar samples

Session 5: Malicious network activity

Locating the CnC of a malware
Reversing the contents of an obfuscated HTTP Post
Searching through classes with Smalisca
Re-activating debug messages with a Frida hook
Dealing with native libraries

Tools used during the training

Androguard
Android Studio
APKiD
Apksigner
APKTool
Baksmali / Smali
Dexcalibur
Frida
House
JADX
JD-GUI
JEB
MobSF
Quark
Smalisca
Pithus

Required Skills

Familiarity with Unix command-line tools
Basic understanding of Java programming concepts (classes, methods, inheritance, etc.)
Be able to write scripts or small programs in a language of your choice (e.g. Python, Java, etc.)
OPTIONAL: Familiarity with Docker: pull images, run containers, configure ports and shared directories. This is not strictly mandatory knowledge for the training, but it will help.

System Requirements

A working laptop capable of running virtual machines
15 GB free Hard disk space
Docker and docker-compose: https://docs.docker.com
Training container: ‘docker pull cryptax/android-re:latest’
SSH, SCP and/or VNC client
Recent Java Development Kit (JDK)
Android Studio: https://developer.android.com/studio/
Python 3.x
A programming environment of your choice — Vim, Emacs, Sublime, etc.
A build environment
Discord

Axelle Apvrille

Axelle is Principal Security Researcher at Fortinet, where she focuses on malware analysis for smartphones and other smart devices (IoT). She has presented at numerous conferences such as Virus Bulletin, Black Hat Europe, RSA, Troopers, typically on mobile malware, medical malware and IoT hacking. She enjoyed giving several workshops at Hack.Lu, Nuit du Hack and Insomni’hack.

Axelle is also the lead organizer for Ph0wn CTF, an on-site Capture The Flag event dedicated to smart devices. She enjoys both creating challenges for Ph0wn, or playing other CTFs.

Before joining Fortinet (12 years ago!), Axelle worked for 10 years on the implementation of cryptographic algorithms and security protocols. This is probably where her handle “cryptax” (twitter) or “cryptogirl” comes from. In those ancient days, she was a lecturer in French engineering schools.

A complete list of her talks and papers can be found at http://wikisec.free.fr/papers/papers.html

Low Level Android for Researchers and Red Teamers

4 DAY u_long 32 CPE Hour Training: August 202

Abstract

This course teaches you the tools and techniques used to work with low-level Android features and native code. It is a practical class aimed at researchers and developers who want to better understand the native Android environment or start developing their own red-teaming tools.

Students will begin by learning the architecture of Android including how APKs and native code interface, moving on to building and debugging standalone native binaries with NDK toolchains. Students will learn how to replicate the system calls of an APK from native code by working directly with Binder, the underlying information broker of Android. Students will gain experience in instrumenting and debugging native binaries with Frida and GDB, and an introduction to working with AOSP to aid research into system components. This course features a deep dive into how security is enforced in Android from sandboxed APKs to protected system services in an SELinux locked environment. The course will be a combination of practical and lecture-based sessions with examples provided throughout.

Course Topics

Setting up your Android device and PC for native research
How Android runs native code and how it fits into the Android architecture
Using ADB to look under-the-hood and explore Android processes
How to build, deploy, execute and debug your own native code on Android, both
launched from within an APK, and
from a (simulated) exploit.
How to use the NDK toolchain to target different architectures
How to communicate between the native and Java environments using JNI
The differences between developing for emulators and real devices
Accessing device data from native code
Android’s security measures and how they limit what you can do
How to use common Android reverse engineering tools to investigate and instrument native code

Detailed Agenda

Session 1 — Introduction to Android

Android eco-system
Android architecture and boot process
Looking under the hood
Emulators v Devices

Session 2 — Building and Debugging native code in APKs

APK form and format
Native code in APKs
Debugging in Android Studio

Session 3 — Building and Debugging code without Android Studio

What is the NDK
Building native code with the NDK
Debugging native code outside APKs
Debugging native code inside APKs

Session 4 — Interacting with the Android OS

How to get data from different places on a device
Introduction to Binder
Working with Binder
Working with intents

Session 5 — Android Security Measures

SELinux
App signing
Partitions
App sandboxing

Session 6 — Reverse Engineering

Working with Frida
Researching into AOSP
Editing AOSP

Session 7 — Wrap-up and final exercise

Open Q&A
End exercise

Who Should Attend

Red teamers looking to build their own Android toolsets
Researchers interested in analysing and interfacing directly with platform subsystems
Penetration testers looking to expand their low-level Android knowledge
Developers interested in understanding more about the internals of Android

Prerequisites

Some experience in working with Android, development, research or penetration testing.
Some experience in C/C++ and basic development skills.
Basic Linux knowledge, able to carry out basic commands.

System Requirements

Course specifics will be distributed 2 weeks prior to the course however, the following will be helpful:

A Windows or Linux device with root/administrator rights.
Android Studio and AVD
Docker

Whilst most of the course will be taught using AVD virtual machines, students are encouraged to bring a physical Android phone to gain experience working with real devices.

Cam Buchanan

Cam is a director of Foundry Zero, a cyber security consultancy and training company.

With 10 years of experience in Cyber Security, Cam has had multiple roles from Penetration Tester to Software engineer with a focus on research. He has performed large scale penetration testing exercises and written multiple books about the subject.

Having worked with Android across his entire career with a focus on low-level research into native vulnerabilities, Cam is experienced in taking apart Android libraries and investigating deep into the Android OS.

Tim P

Tim has worked in cyber security for over 18 years, and is now a director of Foundry Zero — a specialised consultancy delivering low-level cyber research and training.

Most of Tim’s career has involved taking things apart to see how they work — starting as a software developer he built a lot of experience in low-level and kernel-mode Windows, then moved into a research role where he’s done detailed work on iOS, Android, and a selection of niche operating systems.

Tim has written and delivered a range of training courses and presentations on technical security matters, and would one day love to get back to playing CTFs as well as running them.

Q DIVISION: Hardware Tools for Close Quarter Hacking

2 DAY u_short 16 CPE Hour Training: August 2021

Abstract

“Q Division: Hardware tools for close quarter hacking” is a two day course bringing together the theory and practical operation of a bunch of cool hardware tools that can be used when you can gain physical access or nearby access to an environment. Things like Ethernet Person in the Middle techniques, HID attacks (from Rubber Duckies to WHID, P4wnP1 A.L.O.A and O.MG cable), RF peripheral hacks from MouseJacking to LOGITacker, and covert channel devices (like USaBUSe).

Course Contents

Close quarters attack surface, and the gadgets you need to exploit it:

Ethernet

Drop boxes
Avoiding detection
Transparent proxying of intercepted devices
Dealing with 802.1x
Connection interception and tampering
WiFi, GSM and other remote access techniques

USB Attacks

Class Driver basics
HID Attacks
Typed payload basics
Minimising on-screen time
Target runtimes: power shell, C#, more …
Mouse jiggling
Payloads (traditional, advanced)
HID over RF
Targeting specific devices (MAC addresses, antennas)
Mouse Jacking
Covert channels
USaBUSe
LOGITacker
Other types of devices
Network interfaces
Mass storage
Disguising malicious devices
O.MG Cable
Implanting in innocent carriers

Students will be provided with

A bunch of neat hardware and the knowledge to use it.

Hardware Requirements

Laptop — powerful enough to run VMs
8GB RAM minimum
35GB free HDD space minimum
USB-A slot or dongle to copy VM

Software Requirements

Windows / Linux / macOS
One of the following virtualization suites:
VMWare Player
VMWare Workstation
VMWare Fusion
VirtualBox

Rogan Dawes, Orange Cyber Defence

Rogan Dawes is a senior researcher at Orange Cyber Defence and has been hacking since 1998, which, coincidentally, is also the time he settled on a final wardrobe. He used the time he saved on choosing outfits to live up to his colleague’s frequent joke that he has an offline copy of the Internet in his head. Rogan spent many years building web application assessment tools, and is credited as having built one of the first and most widely used intercepting proxies; WebScarab. In recent years, Rogan has turned his attentions towards hardware hacking; and these days many suspect him to be at least part cyborg. A good conversation starter is to ask him where he keeps his JTAG header.

CONTINUE TO: HYBRID HACKER SUMMER CAMP — Part Four: Black Hat USA