SHACK TRAINING CLASSES

2 Days Cyber Security Trainings

Course Dates : 31 March - 1 April 2020
Closing Date : 4 March 2020
Location : To be confirmed

Code Title Instructor(s)
SH2021 iOS Device Secure Boot Chain Analysis and Exploitation Team Pangu



3 Days Cyber Security Trainings

Course Dates : 30 March - 1 April 2020
Closing Date : 4 March 2020
Location : To be confirmed

Code Title Instructor(s)
SH2031 Pentesting Industrial Control Systems Arnaud Soullie
SH2032 Attacking and Defending Containerized Apps and Serverless Tech Nithin Jois


4 Days Cyber Security Trainings

Course Dates : 29 March - 1 April 2020
Closing Date : 4 March 2020
Location : To be confirmed

Code Title Instructor(s)
SH2041 WebAssembly Security "From Reversing to Vulnerability Research" Patrick Ventuzelo
SH2042 Practical iOS 13 Kernel Exploitation Stefan Esser
SH2043 Full Stack Web Attack Steven Seeley
SH2044 Android Internals Jonathan Levin

SH2021 - iOS Device Secure Boot Chain Analysis and Exploitation

By Team Pangu


Training Dates

31st March - 1st April 2020


Description

We will focus on analyzing secure boot chain of iOS devices. The boot chain starts from SecureROM which is patterned in silicon and read only. It means Apple is not capable to fix any bugs found in it. After very detailed reverse engineering of SecureROM for different versions, we will move to the second stage of bootloader – iBoot. There are actually different images to be loaded for different boot mode, for example recovery mode. We will also analyze iBoot in very details and you will realize that iBoot/iLLB/iBSS/iBEC are actually shared the same code base (actually they are exactly same for new devices). Also, it turns out that SecureROM is a simplified version of iBoot.

After we understand the working flow of boot chain, we will focus on the attack surfaces of it. Then we should learn from the past, giving details of known bugs and exploits in history.

In the last part, we talk about the recently released exploit checkm8 (by axi0mX). We cover the root cause and exploitation strategy of it which includes how to do heap fengshui and how to control execution flow. Then we will try to do the exercise to add support for devices not included in the open sourced checkm8. Also, we will talk about the post exploitation at the end.


Class Content

Day 1

  • Introduction
  • Basic Knowledges
    • Secure Boot Chain
    • Extract Code Binary
    • IDA Script
    • libirecovery/idevicerestore
  • SecureROM
  • iBoot
  • Attack Surfaces
    • USB
    • Image Decoding
    • File System Driver

Day 2

  • Known Bugs
    • steaks4uce
    • alloc8
    • SHAtter
    • Limera1n
  • Checkm8
    • Root Cause
    • Heap Fengshui
    • Control PC
    • Exercise
    • Post Exploitation

Requirements

Student

  • Python language programming ability
  • Familiar with ARMv7/v8 reverse engineering
  • Knowledge of typical vulnerabilities and exploits
  • Understanding of secure boot chain concepts

Hardware

  • Mac laptop
  • Pre-A12 iPhone (4S/5/5C/5S/6/6S/7/8/X). Suggest bringing one 32bit and one 64bit devices

Software

  • IDA Pro (with Hex-Rays Decompiler)

Instructor

Team Pangu

Team Pangu consists of several senior security researchers and focuses on mobile security research. Team Pangu is known for the multiple releases of jailbreak tools for iOS 7, iOS 8, and iOS 9. Team Pangu actively shares knowledge with the community and presents the latest research at well-known security conferences including BlackHat, CanSecWest, SysCan, POC, and Ruxcon.

SH2031 - Pentesting Industrial Control Systems

By Arnaud Soullié


Training Dates

30th March - 1st April 2020


Description

On this intense 3 - day training, you will learn everything you need to start pentesting Industrial Control Systems . We will cover the basics to help you understand the most common ICS vulnerabilities. We will then spend some time learning and exploiting Windows & Active Directory weaknesses, as most ICS are controlled by Windows systems.

We will cover the most common ICS protoco ls (Modbus, S7, OPC - UA…), analyze packet captures and learn how to use these protocols to talk to Programmable Logic Controllers (PLCs). You will learn how to program a PLC, to better understand how to exploit them.

The training will end with a challenging hands - on exercise: The first CTF in which you capture a real flag! Using your newly acquired skills, you will try to compromise a Windows Active Directory, pivot to an ICS setup to take control of a model train and robotic arms.


Class Content

Day 1

  • Module 1: Introduction to ICS
  • Module 2: Pentesting Basics & tools
  • Module 3: Windows basics and pentesting Windows
  • Module 4: Common ICS vulnerabilities

Day 2

  • Module 5: ICS protocols
  • Module 6: Introduction to safety for security pros
  • Module 7: Programming PLCs
  • Module 8: Pentesting ICS

Day 3

  • Module 9: Securing ICS
  • Module 10: Case study
  • Module 11: Capture The Flag

Requirements

Student

  • This class is suited for security people wanting to discover the world of Industrial Control Systems or automation engineers that want to understand in-depth what are the ICS security issues. An understanding of TCP/IP networking, the ability to work with virtual machines and a command line is required.
  • No previous pentesting or industrial control systems experience is required.

Hardware

  • Students must bring a laptop capable of running 64-bit VMs (8gb RAM, 50gb free disk space)

Software

  • All required software is provided in 3 VMs that each attendee will receive on a USB drive

Instructor

Arnaud Soullié

Arnaud Soullié is a manager at Wavestone, performing security audits for more 10 years and in charge cybersecurity R&D projects. He has a specific interest in ICS security, and has performed ICS security audits & pentests in all kinds of industries (pharmaceutical, energy, manufacturing, food processing...) He teaches ICS security and pentests workshops at security conferences (BlackHat Europe 2014, BSides Las Vegas 2015/2016, Brucon 2015/2017, DEFCON 24/26/27) as well as full trainings (Hack In Paris 2015/2018/2019, CS3STHLM 2018/2019, BlackHat Asia 2019)

SH2032 - Attacking and Defending Containerized Apps and Serverless Tech

By Nithin Jois


Training Dates

30th March - 1st April 2020


Description

Organizations are rapidly moving towards microservice style architectures for their applications which has led to container and serverless technology being implemented and taking over at a rapid rate with a few organizations even leapfrogging containers by implementing serverless technology for scalability.

Containers have risen in popularity and has been widely used because they help package and deploy consistent-state applications across multiple environments, and are also extremely scalable especially when they’re complemented with orchestration technologies.

Serverless on the other hand, seems to be taking over at a rapid rate with increased usage of micro-services and polyglot development of applications and services across organizations. Leading container technologies like Docker have risen in popularity and have been widely used because they have helped package and deploy consistent-state applications across multiple environments. Serverless and container orchestration technologies like Kubernetes help these deployments massively scale which can potentially increase the overall attack-surface to a massive extent, if security is not given the attention required.

Security continues to remain a key challenge that both Organizations and security practitioners face with containerized and serverless deployments.While containers continue to be vulnerable to security threats that plague any typical application deployment, they also face specific security threats related to the containerization daemon, the shared kernel and other shared resources like network, process and the filesystem. Serverless deployments face risks such as insecure deployment configurations, inadequate monitoring and logging of functions, broken authentication, function event data injection, insecure secret storage, and many more. Attacking applications leveraging container and serverless technology requires specific skill set and a deep understanding of their underlying architecture.

This 3-day training is a practical approach with both Offensive and Defensive flavours making it ideal for security engineers, red-teammers, devops engineers and developers with a plethora of hands-on exercises that have been designed from real-world attacks and the security-specific challenges that we faced while implementing these technologies, helping them test and implement security in a scalable manner.

The training consists of, but not limited to the following focus areas in Container Security and Serverless Deployment:

  • Introduction to Container Technology
  • Containerized Deployments and Container Orchestration Technologies
  • Container Threat-Model
  • Attacking Containers and Security deep-dive
  • Introduction to Kubernetes
  • Threat-Model of Orchestration technologies
  • Attacking Kubernetes
  • Kubernetes Defense-in-Depth
  • Logging & Monitoring Orchestrated deployments
  • Introduction to Serverless
  • Deploying Application to AWS Lambda
  • Serverless Threat-Model
  • Attacking a Serverless Stack
  • Serverless Security Deep-dive

Class Content

Day 1

Evolution to Container Technology and Container Tech Deep-Dive
  • Introduction to Container Technology
    • Namespace
    • Cgroups
    • Mount
  • Hands-on Lab: Setting up a Minimal Container with nothing but Namespaces and CGroups
Introduction to Containerized Deployments - Understanding and getting comfortable using Docker
  • An Introduction to containers
    • LXC and Linux Containers
    • Introducing Docker Images and Containers
  • Deep-dive into Docker
    • Docker Commands and Cheatsheet
    • Hands-on:
      • Docker commands
      • Dockerfile
      • Images
Introduction to Basic Container Orchestration with Docker-Compose
  • Docker Compose
    • Introduction to docker-compose
    • Hands-on:
      • Docker-compose commands
  • Docker Compose Deep-Dive
  • Application Deployment Using docker
    • Hands-on
      • Containerize an application
      • Deploying a containerized application
      • Deploy a containerized application using docker-compose
Threat Landscape- An Introduction to possible threats and attack surface when using Containers for Deployments
  • Threat Model for Containerized Deployments
    • Daemon-related Threats
    • Network related Threats
    • OS and Kernel Threats
    • Threats with Application Libraries
    • Threats from Containerized Applications
  • Traditional Threat-Modelling for Containers with STRIDE
    • Spoofing
    • Tampering
    • Repudiation
    • Information Disclosure
    • Denial of Service
    • Elevation of privileges
Attacking Containers and Containerized Deployments
  • Attacking Containers and Containerized Deployments
    • Hands-on
      • Container Breakout
      • Exploiting Insecure Docker Configurations
      • OS and Kernel level exploits
      • Trojanized Docker images
Securing Containers and Container Deployments
  • Container Security Deep-Dive
    • Hands-on
      • AppArmor/SecComp
      • Restricting Capabilities
      • Analysing Docker images
    • Hands-on: KataContainers
    • Container Security Mitigations
    • Hands-on: Container Vulnerability Assessment
      • Clair
      • Dagda
      • Anchore
      • Docker-bench
  • Security Specific CI for containers
    • Hands-on: Setting up a security pipeline to build, scan and push images

Day 2

Introduction to Scalable Container Orchestrators
  • Introduction to Container Orchestrators
  • Getting started with Kubernetes
  • Understanding Kubernetes Architecture and Components
  • Hands-on:
    • Exploring Kubernetes Cluster
    • Deploying application to Kubernetes
Attacking Kubernetes Cluster
  • Kubernetes Threat Model
  • Attack Surface for a Kubernetes Cluster
  • Hands on:
    • Attacking application deployed on Kubernetes
    • Exploiting a Vulnerable Kubernetes cluster
    • Maintaining Persistent Access and Pivoting in the K8s Cluster
  • Dissecting the K8s Attack and identifying Security Missteps
  • Attacking kubelet and gaining access to all configurations and secrets on the cluster
Kubernetes Security Deep-Dive
  • K8s Threat Model and its counterpoint in Security Practices
  • Hands-on: Ideal Security Journey: Kubernetes
    • Pod Security
    • Access Control
    • Secret Management
  • Hands-on: Kubernetes Vulnerability Assessment
    • Kube-sec
    • Kube-hunter
    • Kube-bench
  • Hands-on: Logging and Monitoring
    • Logging and Monitoring specific Parameters within the K8s Cluster
    • Identifying anomalies (especially security) with the K8s Cluster
  • Hands-on: K8s Secret management
    • Integrating Vault on a K8s cluster
    • Storing secrets securely on Kamus
  • Hands-on: Kubernetes Network Security Implementation
    • Network Security Policy
    • Service Mesh - Istio/Envoy
  • Security Specific CI/CD for kubernetes
    • Setting up a security pipeline to securely deploy on a k8s cluster

Day 3

Serverless Introduction
  • Understanding Serverless and FAAS(Function-As-A-Service)
  • Quick tour of FAAS(Function-As-A-Service) and BAAS(Backend-As-A-Service)
  • Introduction to AWS Lambda, S3, Open-FAAS and other Serverless options
Serverless Deep-Dive
  • Introduction to the Architecture of Serverless Deployments
  • Hands-on: Deploying a Serverless application
Attacking Serverless applications
  • Serverless Architectures Security Top 10 - A Project similar to OWASP Top 10 for Serverless Apps
  • Function Data Event Injection Attacks against FaaS Implementations:
    • Hands-on Labs - Function Data Event Injection (Multiple Sources)
    • Other Injection and Remote Code Execution attacks against Serverless Apps
  • Broken Access Control
    • Hands-on: Attacking Stateless Authentication and Authorization (JSON Web Tokens)
      • Algorithm Confusion
      • Inherent JWT flaws - none signed token, etc
      • Attacks based on JWK and JWT Claims
    • Attacking Identity and Access Management through Serverless Implementations
      • Hands-on: View of IAM Sprawl and Permissions
      • Hands-on: Attacking with DynamoDB Injection + IAM Permissions creep
  • Other Serverless Attacks
    • Hands-on: Extracting Secrets from FaaS Implementations
    • Hands-on: Leveraging Vulnerabilities like ReDOS to perform Resource Exhaustion Attacks
    • Hands-on: Exploiting Function Execution Order for fun and profit!
Securing Serverless applications
  • Securing Serverless applications
    • Identity and Access Management
    • Secret management
      • Hands-on Secrets Management with AWS Secret Manager + Rotation
    • Logging and Monitoring Functions
      • Hands-on: Security Practices for Logging Serverless Functions
      • Hands-on Using AWS X-Ray/Zipkin to leverage tracing for security
  • Hands-on: Serverless Vulnerability Assessment
    • Static Code Analysis[SCA]
    • Static Application Security Testing[SAST]
    • Dynamic Analysis Security Testing[DAST]
  • CI/CD for Serverless Functions - With Security specific pipeline
Capture The Flag
  • Attacking a Serverless Application - mini CTF Segment

Requirements

Student

  • Working knowledge of Application Security concepts and vulnerabilities (OWASP Top 10, Application Security concepts)
  • Basic knowledge of Linux command line
  • Basic knowledge of some (any) programming language
  • Basic/Rudimentary understanding of Cloud concepts and service

Hardware and Software

  • A laptop or a tablet(with keyboard) with a browser installed
  • AWS account with root/admin privileges - Free tier works
  • We have a very powerful (per-user) cloud environment that we use for labs that has been widely appreciated by students at BlackHat and elsewhere. Please read more about our cloud labs here:
    https://drive.google.com/file/d/1YKmaHfx9PqIQX-s0cEI9-iWD3_EstIE-/view?usp =sharing

Instructor

Nithin Jois

Nithin Jois is a Solutions engineer at we45 - a focused Application Security company. He has helped build ‘Orchestron’ - A leading Application Vulnerability Correlation and Orchestration Framework. He is experienced in Orchestrating containerized deployments securely to Production. Nithin and his team have extensively used Docker APIs as a cornerstone to most of we45 developed security platforms and he has also helped clients of we45 deploy their Applications securely. Nithin is a passionate Open Source enthusiast and is the co-lead-developer of ThreatPlaybook - An Open Source framework that facilitates Threat Modeling as Code married with Application Security Automation on a single Fabric. He has also written multiple libraries that complement ThreatPlaybook.

Nithin is an automation junkie who has built Scalable Scanner Integrations that leverage containers to the hilt and is passionate about Security, Containers and Serverless technology. He speaks at meetup groups, webinars and training sessions. He participates in multiple CTF events and has worked on creating Intentionally Vulnerable Applications for CTF competitions and Secure Code Training. Nithin was a trainer and speaker at events like AppSecDC-2019, AppSecUS-2018, LasCon-2018, SHACK-2019, AppSecCali-2019 and CodeBlue-Japan. In his spare time, he loves reading about personal finance, leadership, fitness, cryptocurrency, and other such topics. Nithin is an avid traveler and loves sharing stories over a cup of hot coffee.

SH2041 - WebAssembly Security "From Reversing to Vulnerability Research"

By Patrick Ventuzelo


Training Dates

29th March - 1st April 2020


Description

WebAssembly (WASM) is a new binary format currently developed and supported by all major browsers including Firefox, Chrome, WebKit /Safari and Microsoft Edge through the W3C. This new format have been designed to be “Efficient and fast“, “Debuggable“ and “Safe” that why it is often called as the “game changer for the web”.

WebAssembly is used everywhere (not exhaustive):

  • Web-browsers (Desktop & Mobile)
  • Cryptojacking (Coinhive, Cryptoloot)
  • Servers (Nodejs, React, Cloudflare workers)
  • Video games (Unity, UE4)
  • Blockchain platforms (EOS/Ethereum/Dfinity)
  • Linux Kernel (Cervus, Nebulet)
  • Etc.

This courses will give you all the prerequisites to understand what’s a WebAssembly module and its associated virtual machine. At the end of this intensive 4 days, you will be able to reverse statically and dynamically a WebAssembly module, analyze its behavior, create detection rule and search for vulnerabilities & security issues. You will learn which security measures are implemented by the WebAssembly VM to validate and handle exceptions. Finally, you will discover how to find vulnerabilities inside WebAssembly VMs (Web-browsers, Standalone VM) using differents fuzzing techniques.

Along this training, students will deal with a lots of hands-on exercises allowing them to internalize concepts and techniques taught in class.


Class content

Day 1 – WebAssembly Reversing

  • Introduction to WebAssembly
  • WebAssembly VM architecture
  • WebAssembly toolchain
  • Writing examples in C/C++/Rust/C#
  • Debugging WebAssembly module
  • WASM binary format (header, sections, …)
  • WebAssembly Text Format (wat/wast)
  • WebAssembly Instructions set
  • Writing examples using WASM Text format
  • Reversing WebAssembly module
  • CFG & CallGraph reconstruction
  • DataFlowGraph analysis
  • Browser Addons reversing

Day 2 – Real-life Modules Analysis

  • Modules Instructions analytics/metrics
  • WASM cryptominers analysis
  • Pattern detection signatures (YARA rules, …)
  • Taint Tracking
  • Dynamic Binary Instrumentation
  • Bytecode (De)-Obfuscation techniques
  • Static Single Assignment & Decompilation
  • Real-life WASM module analysis
  • WebAssembly video game hacking

Day 3 – Wasm Modules Vulnerabilities

  • Traps & Exception handling
  • WebAssembly module vulnerabilities
  • Integer/Buffer/Heap Overflows
  • Advanced vulnerabilities (UaF, TOCTOU…)
  • CFI Hijacking
  • Emscripten vulnerabilities
  • Exploitation NodeJS server running wasm module
  • Vulnerability detection (Static & Dynamic)
  • Lifting WASM bytecode
  • Fuzzing WebAssembly modules

Day 4 – Vulnerability Research inside Wasm VM

  • Web-Browsers CVEs analysis (PoC)
  • WebAssembly VM & Interpreter vulnerabilities
  • WebAssembly JS APIs generation
  • Fuzzing Web-Browsers (Chrome, Firefox, WebKit)
  • WASM module validation mechanism
  • Writing edge case module
  • WAT, WAST & WASM grammar generation
  • Interesting VM targets (kernel, blockchain, …)
  • Fuzzing C/C++/Rust/Go based WASM project
  • WebAssembly for Security Researcher

Requirements

Student

  • Basic reverse engineering skills.
  • Familiarity with scripting languages (Python, Bash, …).
  • Familiarity with C/C++ or Rust programming.

Hardware

  • A notebook capable of running virtual machines.
  • Enough hard disk space to run VM

Software

  • Virtual machine (VirtualBox preferred)
  • Administrator / root access required.

Instructor

Patrick Ventuzelo

Patrick Ventuzelo is a French Independent Security Researcher specialized in vulnerability research, reverse engineering and program analysis. He is trainer of the two training respectively about "WebAssembly Security" and "RUST Security". Patrick is also the author of Octopus, an open-source security analysis tool supporting WebAssembly and multiple blockchain smart contract to help researchers perform closed-source bytecode analysis.

Previously, he worked for Quoscient GmbH, P1Security, the French Department Of Defense and Airbus D&S Cybersecurity.

Patrick has been speaker and trainer at various international conferences such as REcon Montreal/Brussels, Toorcon, ​hack.lu​, NorthSec, FIRST, Microsoft DCC, SSTIC, BlackAlps, etc.

SH2042 - Practical iOS 13 Kernel Exploitation

By Stefan Esser


Training Dates

29th March - 1st April 2020


Description

For the last six years Antid0te has been teaching iOS Kernel Exploitation to a wide variety of students interested in the iOS kernel. Many of our former students have ended up finding and exploiting iOS kernel vulnerabilities since then and have practically demonstrated that by contributing to public jailbreaks of reporting vulnerabilities to Apple. Teaching iOS exploitation during this time has often be hard due to the lack of access to devices running the most current iOS version. This has dramatically changed in the last weeks with the release of the checkm8 bootrom exploit for iOS devices. This opens up a whole new world of opportunities regarding training practical iOS kernel exploitation to students. For the first time in history we will be able to perform actual hands-on kernel exploitation tasks on devices running the latest firmware. In this fully redesigned course we will use this to our advantage and will teach students how they can make use of the bootrom exploit to jailbreak current and future iOS versions on demand and how they can disable certain security mitigations to slowly ramp up the difficulty when performing training exercises. In comparison to our previous courses this course will provide more exercises at different difficulty levels.


Class content

Day 1

  • Setting up your Mac for iOS kernel research/vulnerability development
  • Using checkm8 to boot own kernels
  • How to patch old vulnerabilities back for training exercises
  • How to debug the iOS kernel with own code
  • Loading kernel modules

Day 2

  • The iOS Kernel Heap
  • Modern iOS Kernel Heap Feng Shui
  • Software based iOS Mitigations and their Weaknesses
  • Hardware based iOS Mitigations and their Weaknesses

Day 3

  • Exploitation of different types of heap memory corruptions by example (UAF, reference counting issues, heap overflows, out of bounds writes, …)
  • Exploitation Strategies for different bug types

Day 4

  • Understanding and attacking the iOS sandbox
  • Understanding and attacking iOS codesigning
  • Subverting and abusing iOS security for arbitrary code execution
  • Other jailbreaking related questions

Requirements

Student

  • This course will not give an introduction to ARM assembly basics. The trainee is required to understand basic ARM64 assembly. It is not required to have previous lowe level experience with ARM64 cpus, because the necessary information is discussed within the training. Low level ARM64 CPU knowledge will be helpful, but is not required for this course - all necessary parts will be explained within the course.
  • This course will not give basic introduction to exploitation or ROP. Trainees are required to know concepts like ROP or buffer overflows, integer overflows, etc...

Hardware

  • An Apple Mac Notebook is required in order to run MacOS and XCode.
  • Students are encouraged to bring their own iOS devices (that are supported by checkm8 (iPhone X or lower) on the latest OS version
  • For students who cannot bring their own device we will provide some devices for usage throughout the course

Software

  • IDA Pro 6.x/7.x license (ARM64 support required)
  • Alternatively Ghidra/Hopper/Binary Ninja can be used but script support varies by tool
  • Hexrays for ARM64 helpful, but not required
  • BinDiff for IDA helpful, but not required

  • Mac OS X 10.14/15, with latest XCode and iOS 12.x SDK (or newer)
  • Additional Software will be made available during the training

Instructor

Stefan Esser

Stefan Esser is best known in the security community as the PHP security guy. Since he became a PHP core developer in 2002 he devoted a lot of time to PHP and PHP application vulnerability research. However in his early days he released lots of advisories about vulnerabilities in software like CVS, Samba, OpenBSD or Internet Explorer. In 2003 he was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he works as head of research and development for the German security company SektionEins GmbH that he co-founded. In 2010 he did his own ASLR implementation for Apple’s iOS and shifted his focus to the security of the iOS kernel and iPhones in general. Since then he has spoken about the topic of iOS security at various information security conferences around the globe. In 2012 he co-authored the book the iOS Hackers Handbook.

SH2043 - Full Stack Web Attack

By Steven Seeley


Training Dates

29th March - 1st April 2020


Description

In today’s society, web technologies are incredibly complex and play a vital role to online security. As a result, many security professionals are specializing in a particular niche within the web application hacking realm.

This niche, is commonly client-side web security which focuses on attacking or tricking the user. Yet, a server-side remote code execution vulnerability is sitting right in front of their eyes and has a significantly higher impact.

Over time, we have witnessed excellent techniques getting buried within past advisories and exploits whilst innovative techniques are being discovered frequently, however they are not reaching a wider audience.

Have you ever been on an engagement and found an interesting attack surface, yet haven’t had enough time for additional research?

Full Stack Web Attack is NOT an entry-level course. It's designed to push you beyond what you thought was capable and set you on the path to develop your own workflow for zero-day offensive web research.

This course is designed for web penetration testers and developers that want to make a switch to web security research or see how serious adversaries will attack their web based code.

Students are expected to know how to use proxy tools such as Burp Suite and have a basic understanding of common web attacks as well as perform moderate scripting tasks using common languages such as Ruby, Python, PHP and JavaScript. A basic understanding of Object Oriented programming will significantly help.

Some vulnerabilities have been mirrored from real zero-day while others are in fact zero-day/n-day vulnerabilities that have been discovered by the author. Using this as a base, your instructor will focus on not just on the exploitation, but also on the discovery.

So if you want to learn how to exploit web technologies without client interaction for maximum impact, that is, remote code execution then this is the course for you. Leave your XSS at the door.

Each of the techniques and vulnerability classes have been especially picked because they have been used in real, targeted environments. Additionally many of the techniques and exploitation primitives in this course are either poorly documented or not documented at all

Key Learning Objectives

  • Feel comfortable reading code (looking for vulnerabilities)
  • Feel comfortable writing code (developing exploits)
  • Debug complex web applications using source code debuggers
  • Attack complex object oriented vulnerability patterns
  • Chain multiple vulnerabilities to achieve remote code execution
  • Bypass authentication systems without client side vulnerabilities
  • Leverage information disclosure for remote code execution

Class content

Day 1

Introduction
  • PHP & Java language fundamentals
  • Debugging PHP & Java applications
  • Module overview and required background knowledge
  • Auditing for zero-day vulnerabilities
PHP
  • Loose typing
  • Logic authentication bypasses
  • Code injection
  • Filter bypass via code reuse
  • Patch bypass

Day 2

Java
  • Java Remote Method Invocation (RMI)
    • Java Remote Method Protocol (JRMP)
  • Java naming and directory interface (JNDI) injection
    • Remote class loading
    • Deserialization 101 (using existing gadget chains)
PHP
  • Introduction to object instantiation
  • Introduction to wrappers
  • External entity (XXE) injection
    • Regular file disclosure
    • Blind out-of-band attacks
      • Error based exfiltration using entity overwrites
      • Exfiltration using protocols

Day 3

  • Patch analysis and bypass
  • Introduction to object injection
    • Magic methods
    • Customized serialization
    • Phar deserialization
    • Property oriented programming (POP)
    • Custom gadget chain creation
  • Information disclosure
  • Phar planting
  • Building a 7 stage exploit chain for Remote Code Execution

Day 4

PHP
  • Blacklist bypasses (zero-day vulnerability)
Java
  • Introduction to reflection
  • Expression language injection
  • Bypassing URI filters
  • URI forward authentication bypasses (zero-day technique)
  • Deserialization 102 (custom gadget chains)
    • Trampoline gadgets
    • Exploiting reflection
    • Whitelist (ab)use
  • A zero-day bug hunt in a real target

Requirements

Student

  • At least moderate scripting skills using common languages such as Bash, Python, Ruby, PHP and JavaScript.
  • At least a basic understanding of various web technologies such as HTTP(S), proxies and browsers.

Hardware

  • A 64bit Host operating system
  • 16 Gb RAM minimum
  • VMWare Workstation/Fusion
  • 100 Gb Hard disk free minimum
  • Wired and Wireless network support
  • USB 3.0 support

Instructor

Steven Seeley

Steven is an independent security researcher with a focus on the discovery of high impact vulnerabilities affecting products used by thousands of companies and individuals.

Starting out as a Java developer, Steven discovered his passion for security after switching to penetration testing.

Previously, Steven was also the lead developer of the Advanced Web Attacks and Exploitation (AWAE) course held by Offensive Security and taught the course multiple times at Black Hat USA and ASIA. He has spoken numerous security conferences such as HITB, Ruxcon, Bluehat and BSides Mexico.

SH2044 - Android Internals

By Jonathan Levin


Training Dates

29th March - 1st April 2020


Description

This course, modeled after Jonathan's Levin's seminal works of the same name, discusses the architecture of Android - covering both its design and its implementation. We examine the features of the Android Operating System, and highlight exactly what it inherits from its Linux core, as well as how it diverges with its idiosyncrasies and "Android-isms". Every nook and cranny of the architecture is explored, with modules discussing specific subsystems, such as the Dalvik Virtual Machine, Android RunTime (ART), the Binder IPC mechanism, Hardware Abstraction Layer (HAL), the Media Framework and Android Power Management

Objectives

  • Describe the architecture of the Android operating system
  • Describe the similarities between Linux and Android
  • Describe the differences between Linux and Android
  • Understand core architectural differences from Froyo (2.2) to Oreo (8.1), Pie (9.0) and the latest Android 10!
  • Describe the functions and architecture of the Android Kernel
  • Reverse Engineer Android Apps
  • Understand Android Security, its evolution over history, and its weaknesses
  • Monitor, trace and intercept inter process communication on Android
  • Understand the frameworks of Android, and interception points
  • Understand both the framework layers and the native layer of Android
  • Gain deep knowledge of the DEX, ART and OAT formats
  • Learn to use innovative free tools, such as Dextra, bindump, and jtrace

Class content

Day 1

Introduction - The Android Architecture
  • Android features
  • Android vs. Linux vs. Embedded Linux
  • Filesystem layout and directories
  • The Runtime Environment
  • The Frameworks
  • Dalvik (Java)
  • Version differences - 1.5 through L (5.0) to Pie (9.0)
  • User-Mode and Kernel-Mode Architecture
  • Android Kernel modifications
  • Recompiling the Kernel

Android's Hardware Abstraction Layer
  • The need for a hardware abstraction layer
  • The basic devices
    • Camera
    • Flashlight
    • GPS
    • Leds
    • Sensors
    • Vibrator
  • The User Event Daemon
  • HAL stubs
  • The last stretch - from HAL to the driver
  • Android O HAL modifications ("Project Treble")

Day 2

Booting
  • The Boot loader, and FastBoot
  • Samsung Odin
  • ARM TrustZone (32-bit) and ELx (64-bit)
  • Kernel Startup
  • User mode init - /init and /init.rc
  • Boot-to-root: Rooting techniques by unlocking the bootloader

Native Services
  • adbd
  • servicemanager
  • healthd (K +)
  • logd (L +)
  • lmkd (L +)
  • keystore
  • keymaster (M +)
  • zygote/app_process
  • debuggerd

Day 3

Android IPC
  • IPC and RPC basics
  • The servicemanager
  • Binder by layers
    • Java: AIDL
    • Frameworks: android.os.Binder
    • Native level: libBinder, BBinder, BpBinder
    • Kernel interface: ProcessState and IPCThreadState
    • Kernel implementation: ioctl(2) codes and protocol
    • hwbinder, vnbinder and other O improvements
  • Other communication mechanisms: Sockets and socketpairs

The Input Architecture
  • The Linux Kernel Input Model
  • The EventHub
  • The InputReader
  • The InputDispatcher
  • The Activity Views

Day 4

Dalvik
  • The Dalvik VM architecture
  • The DEX file format
  • The DEX OpCode and instruction format
  • Optimizing DEX
  • Reversing DEX
  • Obfuscating DEX
  • The JNI model

ART
  • The concepts behind ART
  • Advantages over Dalvik
  • the ART and OAT file format
    • L: ART 009/012, OAT: 039/045
    • M: ART 017, OAT: 064
    • N: ART 030, OAT: 083
    • O: ART 039, OAT: 117
  • Reversing ART
  • ART Memory Management
  • Return of the (profiled) JIT
  • The JNI implementation

Security
  • Java level modifiers: Private and Public
  • Java level Permissions
  • UNIX/native level Permissions
  • Digital Signatures (code signing, etc)
  • Key storage and encryption
  • Service Hooks
  • Protected APIs
  • Kernel mode security
    • The Linux Capabilities model
    • Linux Security Modules (LSM) and SELinux
    • Kernel buffer overflow protection - ExecShield and randomization
  • Extensions and improvements in Oreo and Pie (e.g. seccomp-bpf, Webview-Zygote)
  • Why it all fails - Android Exploitation

Requirements

Student

  • None

Hardware

  • Though you can get by with an emulator, we strongly recommend bringing a rooted device, of at least Lollipop or higher. You will also need a Linux host - though we will gladly supply a VM

Software

  • The Android SDK, NDK, and full sources of Android - all of which freely obtainable, from developer.android.com and android.googlesource.com, respectively

Instructor

Jonathan Levin

Author of "*OS Internals" and "Android Internals", CTO of Technologeeks.com, long time specializing in the internals of Linux and Darwin variants. Spoke at all major conferences save BlackHat.




Contact Us