skip to main content

DEF CON 27 Hacking Conference

Workshops

Workshops

Breaking and Pwning Docker Containers and Kubernetes Clusters

Friday, 1430-1830 in Red Rock II

Madhu Akula

An organization using micro services or any other distributed architecture rely heavily on containers and orchestration engines like Kubernetes and as such its infrastructure security is paramount to its business operations. This workshop will focus on how attackers can break into docker container and Kubernetes clusters to gain access, escalate privileges to infrastructure by using misconfigurations and application security vulnerabilities. Trainer will share examples of real world security issues found in penetration testing engagements to showcase mapping of the attack usually happens in the real world.

By the end of the workshop participants will able to identify and exploit vulnerabilities in applications running on containers inside Kubernetes clusters. The key take away for audience will be learning from these scenarios how they can assess their environments and fix them before attackers gain control over their infrastructure.

By the end of workshop participants will be able to:
* Understand Docker and Kubernetes security architecture
* Attack & Audit containerised infrastructure for security vulnerabilities and misconfigurations
* Learning from these scenarios how they can assess their environments and fix them before attackers gain control over their modern infrastructure
* Learn commonly used tools, techniques and procedures (TTPs) for cloud native infrastructure

The participants will get the following:
* Ebooks of the training covering all hands-on in a step by step guide (HTML, PDF, EPub, Mobi)
* Automation scripts, code, playbooks, etc used during the workshop
* Virtual machines to learn & practice scenarios covered in the workshop
* Other references to learn more about topics covered in the workshop

Skill Level Beginner/Intermediate

Prerequisites:
* Basic knowledge of using the Linux command line
* System administration basics like servers, applications configuration and deployment
* Familiarity with container environments like Docker would be useful

Materials:
* GCP free trail account (https://cloud.google.com/free)
* A laptop with administrator privileges
* At least 8GB of RAM, 10GB of Disk space free on the system for VM
* Laptop should support hardware-based virtualization, Install Oracle VirtualBox 6.x and verify it can run a 64-bit operating system.
* Other virtualization software might work but we will not be able to provide support for that.
* USB Ports for copying VM and course content (docs, scripts, etc.)

Max students: 40

Registration: https://www.eventbrite.com/e/breaking-and-pwning-docker-containers-and-kubernetes-clusters-red-rock-ii-tickets-63997062938
(Opens 8-Jul-19)

Madhu Akula
Madhu Akula is a security ninja, published author and cloud native security researcher with an extensive experience. Also he is an active member of the international security, devops and cloud native communities. He holds industry certifications like CKA (Certified Kubernetes Administrator), OSCP (Offensive Security Certified Professional), etc.

Madhu frequently speaks and runs training sessions at security events and conferences around the world including DEFCON (24, 26), BlackHat USA (2018 & 2019), USENIX LISA 2018, O’Reilly Velocity EU 2019, Appsec EU 2018, All Day DevOps (2016, 2017, 2018, 2019), DevSecCon (London, Singapore, Boston), DevOpsDays India, c0c0n(2017, 2018), Nullcon 2019, SACON 2019, Serverless Summit, null and multiple others.

His research has identified vulnerabilities in over 200 companies and organisations including; Google, Microsoft, LinkedIn, eBay, AT&T, WordPress, NTOP and Adobe, etc. He is co-author of Security Automation with Ansible2 (ISBN-13: 978-1788394512), which is listed as a technical resource by Red Hat Ansible.

Back to top



Modern Debugging^HWarfare with WinDbg Preview

Saturday, 1430-1830 in Flamingo, Lake Mead II

Chris Alladoum Security Researcher, Sophos Labs

Axel Souchet Hacker

It's 2019 and yet too many Windows developers and hackers alike rely on (useful but rather) old school tools for debugging Windows binaries (OllyDbg, Immunity Debugger). What they don't realize is that they are missing out on invaluable tools and functionalities that come with Microsoft newest WinDbg Preview edition. This hands-on workshop will attempt to level the field, by practically showing how WinDbg has changed to a point where it should be the first tool to be installed on any Windows (10) for binary analysis machine: after a brief intro to the most basic (legacy) commands, this workshop will focus around debugging modern software (vulnerability exploitation, malware reversing, DKOM-based rootkit, JS engine) using modern techniques provided by WinDbg Preview (spoiler alert to name a few, JavaScript, LINQ, TTD). By the end of this workshop, trainees will have their WinDbg-fu skilled up.

Skill Level Intermediate

Prerequisites: familiarity with Windows platform and kernel debugging
basic knowledge of debuggers (pref. WinDbg)
basic knowledge of JavaScript

Materials: Any modern laptop with at least one Windows 10 VM guest (pref. 2 for kdnet remote debugging, but can work out with lkd). Also need Internet access.

Max students: 20

Registration: https://www.eventbrite.com/e/modern-debugginghwarfare-with-windbg-preview-lake-mead-ii-tickets-63998510267
(Opens 8-Jul-19)

Chris Alladoum
Chris is a security researcher and part of the Offensive Security team at Sophos Labs in Vancouver, Canada. His focus are around reverse-engineering and exploitation, Windows and Linux OS internals, writing code and CTFs.

Axel Souchet
Axel is a computer and security enthusiast _.

Back to top



Advanced Wireless Exploitation for Red Team and Blue Team

Thursday, 1430-1830 in Flamingo, Red Rock II

Besim Altinok Founder & CEO,Pentester Training

Bahtiyar Bircan Senior Consultant, Eurocontrol / EATM-CERT

In this workshop, participants will be informed about attacks and defense of the wireless networks. Attendees will learn how to attack and gain access to WPA2-PSK and WPA2-Enterprise wifi networks, bypass network access controls, and gain administrative control over an Active Directory environment.

In addition, Attendees will learn to fight against WiFi Pineapple, KARMA attack and fake access point opening techniques and will develop tools with Scapy. At the end of all this will be an award-winning CTF :)

Areas of focus include:
Basically communication for wifi networks
Understanding how monitor mode works
Collect WiFi data
Gain access to WPA2-PSK and WPA2-Enterprise networks
How can we fight against wifi hackers?
How can I improve the WiFi hacking tool?
CTF

Skill Level Intermediate/Advanced

Prerequisites: .-python scripting - be comfortable in Kali Linux

Materials: Students will need to bring a laptop with at least 8 gigs of RAM, a 64-bit operating system, at least 100 gigs of hard drive space (external drives are fine), and at least one free USB port. In addition, they will need to provide a network card that supports monitor mode and injection. - external - (example: TP-LINK WN722N, Alfa Card .. ) Students will also be required to download and install a virtual lab environment prior to participating in the workshop. Everything else will be provided by the instructor team.

Max students: 40

Registration: https://www.eventbrite.com/e/advanced-wireless-exploitation-for-red-team-and-blue-team-red-rock-ii-tickets-63606797644
(Opens 8-Jul-19)

Besim Altinok
Besim Altinok (@AltnokBesim) has been researching Wi-Fi security for over a decade. He created WiPi-Hunter project against Wi-Fi hackers. He is the author of a book on Wi-Fi security. Besim's work on wireless security has been published in ArkaKapi Magazine and others. He has also spoken at top conferences including BlackHat Europe, Blackhat ASIA, Defcon, and others.

Besim ALTINOK works currently at Barikat Internet Security in Turkey. Besim also founded Pentester Training project.

Bahtiyar Bircan
Bahtiyar Bircan is security enthusiastic with 17 years of experience attacking and securing enterprise IT systems. During his career, he worked on many governments, military and private sector IT security projects.

His experience includes penetration testing, security audit, secure system design, and implementation, virtualization and cloud security, incident response, exploit development, security research, system and network administration.

He is a regular speaker of national and international security conferences like BlackHat, IDC, NATO, OWASP-TR, NOPCon, Tübitak Bilgi Güvenliği Konferans, IstSec, AnkaSec.

Currently, he is a senior security consultant, trainer and managing partner for Barikat Akademi. Previously, he worked in several defense contractors and government agencies, like Tubitak Cyber Security Institute and Havelsan in Turkey. He was a part of numerous security projects for government, military, and public institutions. Also, he is an adjunct instructor teaching cybersecurity at TOBB University. He has authored and contributed to various public/internal tools, training courses, and methodologies.

Back to top



Pwning Serverless Applications

Thursday, 1000-1400 in Flamingo, Red Rock V

Abhay Bhargav Founder, we45

Nithin Jois

Tilak Thimmappa

Serverless Technology (Functions as a Service) is fast becoming the next "big thing" in the world of distributed applications. Especially with widespread support from cloud vendors, this technology is going to only become more influential. However, like everything else, Serverless apps are subject to a a wide variety of attack possibilities, ranging from attacks against access control tech like Function Event Injection, JWTs, to NoSQL Injection, to exploits against the apps themselves (deserialization, etc) escalating privileges to other cloud components.

This workshop is replete with hands-on labs and presents a red-team perspective of the various ways in which testers can discover and exploit serverless applications to compromise sensitive information, and gain a deeper foothold into cloud database services, IAM services and other other cloud components. The workshop also features real-world serverless implementations, specifically to highlight the lack of frameworks, tooling and security mechanisms that makes life much harder for developers to implement, therefore, easier for attackers to compromise

Skill Level Beginner

Prerequisites: None

Materials: Laptop with ability to access WiFi networks. Admin/Root access to an AWS Account. Free Tier works.

Max students: 50

Registration: https://www.eventbrite.com/e/pwning-serverless-applications-red-rock-v-tickets-63606059436
(Opens 8-Jul-19)

Abhay Bhargav
Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of "Orchestron", a leading Application Vulnerability Correlation and Orchestration Framework.

He has created some pioneering works in the area of DevSecOps and AppSec Automation, including the world's first hands-on training program on DevSecOps, focused on Application Security Automation. In addition to his work in Application Security Automation, he has created "ThreatPlaybook", a unique open-source framework that marries Threat-Modeling (as-Code) with Application Security Automation. In addition to this, Abhay is active in his research of new technologies and their impact on Application Security, namely Containers, Orchestration and Serverless Architectures.

Abhay is a speaker and trainer at major industry events including DEF CON 25 and 26, BlackHat, OWASP AppSecUSA, EU and AppSecCali. His trainings have been sold-out events at conferences like AppSecUSA, EU, AppSecDay Melbourne, CodeBlue (Japan) and so on. He will be training at BlackHat USA 2019. He writes on IT and IT Security-focused areas in his blog. Abhay is the author of two international publications "Secure Java: For Web Application Development" and "PCI Compliance: A Definitive Guide"

Nithin Jois

Tilak Thimmappa

Back to top



Reverse Engineering Android Apps

Friday, 1430-1830 in Flamingo, Red Rock III

Sam Bowne Proprietor, Bowne Consulting

Elizabeth Biddlecome Senior Researcher, Bowne Consulting

Practice finding flaws in real Android apps in this fun, CTF-style hands-on workshop, and you will be ready to avoid making security errors in your own apps.

Android apps are very easy to unpack, analyze, modify, and repack; partly because of the open nature of the system, and partly because most companies neglect basic security measures. In this workshop, participants will hack apps from Wells Fargo, Microsoft, Lyft, WhatsApp, Whole Foods, IBM, Harvard, Progressive, the Indian government, and other large organizations. We will find insecure network transmissions, broken cryptography, improper logging, and pervasive lack of binary protections. We will also analyze the way iOS apps use network transmissions, and observe serious vulnerabilities in iOS apps from major companies.

We will analyze Android internals in details, using the Drozer attack framework to inspect and manipulate intents to exploit insecure activities and content providers. We will perform a protection level downgrade attack on an Android 4.3 device, removing security protections from the Twitter app.

All class materials are freely available on the Web, and will remain available after the workshop. All vulnerabilities were reported to the affected companies long ago, where appropriate.

Equipment: participants must bring a laptop that can run VirtualBox machines. The host system can use Mac OS (best), Linux (OK) or Windows (usable but limited). We will use free Android emulators and a Kali virtual machine. They will be available as free downloads, and also locally on USB sticks.

Skill Level Intermediate

Prerequisites: Familiarity with basic networking and security concepts.

Materials: A laptop capable of running VirtualBox.

Max students: 90

Registration: https://www.eventbrite.com/e/reverse-engineering-android-apps-red-rock-iii-tickets-63609248976
(Opens 8-Jul-19)

Sam Bowne
Sam Bowne is the proprietor of Bowne Consulting and an instructor at City College San Francisco, and has been teaching hacking and security classes for ten years. He has presented talks and workshops at Defcon, HOPE, RSA, BSidesLV, BSidesSF, and many other conferences. He has a CISSP and a PhD and is a DEF CON Black Badge co-winner.

Elizabeth Biddlecome
Elizabeth Biddlecome is a senior researcher at Bowne Consulting, an independent consultant, and a part-time instructor at City College San Francisco, delivering technical training and mentorship to students and professionals. She leverages her enthusiasm for architecture, security, and code to design and implement comprehensive information security solutions for business needs. Elizabeth enjoys wielding everything from soldering irons to scripting languages in cybersecurity competitions, hackathons, and CTFs.

Back to top



Purple Team CTF

Thursday, 1430-1830 in Flamingo, Red Rock III

Sam Bowne Proprietor, Bowne Consulting

Elizabeth Biddlecome Senior Researcher, Bowne Consulting

Practice red and blue team skills in this fun, CTF-style workshop. Attendees will configure free Linux servers in the Google cloud to detect intrusions using Suricata, log files, and Splunk, and attack them with a Linux cloud server using Metasploit, Ruby, and Python scripts. They will also use Splunk to analyze ransomware and brute-force attacks and perform attribution, using archived event data from a realistic multi-server Windows corporate domain.

All workshop materials are freely available on the Web, and will remain available after the workshop. All required software and cloud resources are free to use.

Skill Level Intermediate

Prerequisites: Familiarity with basic networking and security concepts.

Materials: A computer with a Web browser and a credit card (the credit card won't be charged). All the systems used are free and in the cloud.

Max students: 90

Registration: https://www.eventbrite.com/e/purple-team-ctf-red-rock-iii-tickets-63606850803
(Opens 8-Jul-19)

Sam Bowne
Sam Bowne is the proprietor of Bowne Consulting and an instructor at City College San Francisco, and has been teaching hacking and security classes for ten years. He has presented talks and workshops at Defcon, HOPE, RSA, BSidesLV, BSidesSF, and many other conferences. He has a CISSP and a PhD and is a DEF CON Black Badge co-winner.

Elizabeth Biddlecome
Elizabeth Biddlecome is a senior researcher at Bowne Consulting, an independent consultant, and a part-time instructor at City College San Francisco, delivering technical training and mentorship to students and professionals. She leverages her enthusiasm for architecture, security, and code to design and implement comprehensive information security solutions for business needs. Elizabeth enjoys wielding everything from soldering irons to scripting languages in cybersecurity competitions, hackathons, and CTFs.

Back to top



Exploit Development for Beginners

Friday, 1000-1400 in Flamingo, Red Rock VII

Sam Bowne Proprietor, Bowne Consulting

Elizabeth Biddlecome Senior Researcher, Bowne Consulting

Learn how to take control of Windows and Linux servers running vulnerable software, in a hands-on CTF-style workshop. We begin with easy command injections and SQL injections, and proceed through binary exploits incuding buffer overflows on the stack and the heap, format string vulnerabilities, and race conditions.

After this workshop, you will understand how memory is used by software, and why computers are so easily tricked into executing bytes as code that entered the system as data.

We will exploit 32-bit and 64-bit Intel systems, and also ARM-based systems. We will examine modern Windows defenses in detail and learn how to defeat them, including ASLR, DEP, stack cookies, and SEHOP.

Previous experience with C and assembly language is helpful but not required. Participants will need a laptop that can run VMware or VirtualBox virtual machines.

All materials and challenges are freely available at samsclass.info, and will remain available after the workshop ends.

Skill Level Intermediate

Prerequisites: Familiarity with C programming and assembly language is helpful, but not essential.

Materials: A laptop capable of running a virtual machine in VMware or VirtualBox.

Max students: 70

Registration: https://www.eventbrite.com/e/exploit-development-for-beginners-red-rock-vii-tickets-63608704347
(Opens 8-Jul-19)

Sam Bowne
Sam Bowne is the proprietor of Bowne Consulting and an instructor at City College San Francisco, and has been teaching hacking and security classes for ten years. He has presented talks and workshops at Defcon, HOPE, RSA, BSidesLV, BSidesSF, and many other conferences. He has a CISSP and a PhD and is a DEF CON Black Badge co-winner.

Elizabeth Biddlecome
Elizabeth Biddlecome is a senior researcher at Bowne Consulting, an independent consultant, and a part-time instructor at City College San Francisco, delivering technical training and mentorship to students and professionals. She leverages her enthusiasm for architecture, security, and code to design and implement comprehensive information security solutions for business needs. Elizabeth enjoys wielding everything from soldering irons to scripting languages in cybersecurity competitions, hackathons, and CTFs.

Back to top



Understanding and Analyzing Weaponized Carrier Files

Friday, 1000-1400 in Flamingo, Red Rock III

Ryan Chapman Incident Response Analyst

Weaponized carrier files, such as PDF and Office docs, are used in various attack campaigns in order to compromise victims. In this workshop, we'll cover the file formats, associated weaponization methods, and analysis techniques of the attack code used with these types of files. We'll pull apart PDF object streams, deobfuscate JavaScript code, and analyze PDf-based attacks. For Office docs, we'll review the OLE file format; take a gander at VBA-based macros; extract, deobufscate, and debug the VBA code; and identify indicators of compromise. We'll be using a Windows-based malware VM along with tools such as oledump, PDFStreamDumper, the MS VBA Editor, and more!

Skill Level Intermediate

Prerequisites: This workshop will cover the file formats for both PDF and Office (e.g. docx) files. If you've never analyzed such a file for maliciousness, fear not! We'll be covering the basics. If you have programming/scripting experience, great. If not, don't worry. If you have worked to deobfuscate code, fantastic. If not, meh.

Materials: You will want to bring a laptop equipped with the following: - The laptop will probably need at least 4GB of RAM, as you'll need to be able to run your host OS (doesn't matter which, I and my room proctors can help with any of them) along with a Windows 10 VM.
- Please try to have a USB port available. I will have USB 3.0 drives with me the day of the workshop. These drives will be FAT-formatted (nothing fancy) and contain the files required for the workshop. I will also pop the files on to a cloud-based file sharing service well ahead of the workshop for folks whom like to setup early. - VM software! You'll need software to run a VM, such as VMware or VirtualBox. Doesn't matter if you're on a Mac with VMware Fusion, Windows, Linux, whatever. As long as you can run a VM (and take at least one snapshot), we're solid!
- If you do not have a Windows 10 malware analysis machine, please check out https://www.microsoft.com/en-us/evalcenter/evaluate-windows, as you can grab a trial of Windows that will work just fine for this workshop
- Speaking of MS products, you're going to want (in order to follow along with VBA file debugging), a copy (evaluation version works fine) of MS Office. Version doesn't really matter, but the more recent the better. Again, check out the MS Evaluation center for a copy of Office that you can use: https://www.microsoft.com/en-us/evalcenter/evaluate-office-365-proplus
- Python! You'll want to have Python installed (2.7.x preferred). I'll have an offline installer available should you need it (make sure you have that USB port available!)
-- I'll be providing some Python-based scripts for analysis, along with some tools such as PDFStreamDumper ahead of the workshop. I will provide direct links to the files as provided by the developers. I will also be providing carrier file samples ahead of time and on the workshop USB.

Max students: 90

Registration: https://www.eventbrite.com/e/understanding-and-analyzing-weaponized-carrier-files-red-rock-iii-tickets-63608133640
(Opens 8-Jul-19)

Ryan Chapman
Ryan Chapman is an incident response (IR) analyst with a background in host and network forensic analysis; malware analysis; threat intelligence; and all the other fun facets of the blue team realm. Prior to working in IR, Ryan worked as a technical trainer for many years. Outside of work, Ryan spends time with his family, gets tapped on the jiu jitsu mats, and plays plenty of Street Fighter. Hadouken!

Back to top



Introduction to Cryptographic Attacks

Thursday, 1000-1400 in Flamingo, Red Rock VIII

Matt Cheung Hacker

Using cryptography is often a subtle practice and mistakes can result in significant vulnerabilities. This workshop will cover many of these vulnerabilities which have shown up in the real world. This will be a hands-on workshop where you will implement the attacks after each one is explained. I will provide a VM with Python dependencies and skeleton code included so you can focus on implementing the attack. A good way to determine if this workshop is for you is to look at the challenges at cryptopals.com and see if those look interesting, but you could use in person help understanding the attacks. While not a strict subset of those challenges, there is significant overlap.

Skill Level Intermediate

Prerequisites: Students should be comfortable with modular arithmetic and the properties of XOR. Experience in Python or other similar language will be a plus.

Materials: A laptop with VMWare or VirtualBox installed and capable of running a VM.

Max students: 30

Registration: https://www.eventbrite.com/e/introduction-to-cryptographic-attacks-red-rock-viii-tickets-63607132646
(Opens 8-Jul-19)

Matt Cheung
Matt Cheung started developing his interest in cryptography during an internship in 2011. He worked on implementation of a secure multi-party protocol by adding elliptic curve support to an existing secure text pattern matching protocol. Implementation weaknesses were not a priority and this concerned Matt. This concern prompted him to learn about cryptographic attacks from Dan Boneh's crypto 1 course offered on Coursera and the Matasano/cryptopals challenges. From this experience he has given talks and workshops at the Boston Application Security Conference and the DEF CON Crypto and Privacy Village.

Back to top



Hack to Basics - x86 Windows Based Buffer Overflows, an introduction to buffer overflows.

Saturday, 1430-1830 in Flamingo, Valley of Fire I

Dino Covotsos Founder & CEO, Telspace Systems

Want to learn about exploit development but feeling overwhelmed at all the latest technologies and buzzwords?

Hack to basics is a course which will provide you with foundational level exploit development skills with real world exploitation techniques. This will range from "Vanilla" EIP overwrites through to Structured Exception Handler(SEH) exploitation and how egg hunters work with practical examples.

By the end of the course, Students can expect to know the basics of x86 assembly, including some real world examples of exploiting vanilla EIP overwrites, SEH exploitation and using egg hunters. This will provide an entry to the world of exploit development and a strong foundation to work off in order to make it easier to transition to the newer, more advanced technologies which are in place today.

To get the most out of this training, the following should be studied beforehand:

FuzzySecurity:

http://www.fuzzysecurity.com/tutorials/expDev/1.html
http://www.fuzzysecurity.com/tutorials/expDev/2.html
http://www.fuzzysecurity.com/tutorials/expDev/3.html
http://www.fuzzysecurity.com/tutorials/expDev/4.html

Corelan:

https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/
https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/

We will be using Python to construct our exploits, combined with a debugger such as Immunity or OllyDBG, it it is recommended to be familiar with both.

Skill Level Intermediate/Advanced

Prerequisites: Basic experience in assembly and a debugger, preferably Immunity or Olly.
2-3 years of penetration testing experience would be beneficial.
Experience in Kali linux, as this will be used as the primary operating system.

Materials: Laptops with the following specs or greater:

Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz (or AMD equivalent)
8GB RAM
Kali Linux installed (x86 is fine)
Wireless Network Adapter + Ethernet Adapter
Virtualbox or equivalent installed

Max students: 35

Registration: https://www.eventbrite.com/e/hack-to-basics-x86-windows-based-buffer-overflows-an-introduction-to-buffer-overflows-valley-of-tickets-63998523306
(Opens 8-Jul-19)

Dino Covotsos
Dino Covotsos is the founder and CEO of Telspace Systems. With over 20 years of experience, he leads the research and technical team at Telspace. Covotsos has many years of experience in the information security sector and has been involved in hundreds of information security projects worldwide. He is also a well-known presenter at international conferences, including Hack In the Box, Sector, H2HC, DEF CON and many more. Covotsos is also passionate about the information security community and is involved various community based projects. Covotsos has several industry certifications, such as the OSCE, OSCP, OSWP and CREST CRT.

Back to top



An Introduction to Deploying Red Team Infrastructure

Thursday, 1430-1830 in Flamingo, Red Rock I

Troy Defty Hacker

Erik Dul Hacker

The use of remote-access malware has never been more prevalent, and in order to replicate or mitigate this threat, an understanding as to how the infrastructure supporting such an attack operates is crucial. From accounting for outbound network filtering controls, to building resilience with redundant inbound proxies, deploying an implant blindly into a target is more complex than 'msf > exploit'.

This workshop aims to build an understanding around how malware Command and Control (C2) infrastructure is designed, built, and configured, and to provide attendees with experience in deploying malware within a realistic network environment. This will include:

- A run-through of a basic red team campaign
- The properties of a solid malware implant
- Spinning-up Command and Control (C2) infrastructure, including burner inbound proxies, etc.
- Configuring an implant to find and utilise outbound routes from a realistic corporate network, and to call back to our new infrastructure
- Basic delivery of malware via common delivery routes
- Gaining a persistent presence, and identifying routes to the campaign objectives

We will be using Meterpreter and the Metasploit framework as the implant supported by Kali Linux, alongside Apache as a reverse proxy; all of which will be cloud-hosted. We will be using a variety of post-exploitation techniques to help attendees get to grips with some of the potential nuances of remote malware interaction (long RTTs, blind command execution, etc.).

Reading list:

https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Gaining_the_Advantage_Cyber_Kill_Chain.pdf
https://ionize.com.au/reverse-https-meterpreter-and-empire-behind-nginx/
https://medium.com/@truekonrads/reverse-https-meterpreter-behind-apache-or-any-other-reverse-ssl-proxy-e898f9dfff54

Skill Level Intermediate

Prerequisites: Basic knowledge of networking, Meterpreter/Metasploit Framework, basic Linux administration, knowledge of basic Windows privilege escalation

Materials: Laptop, 8GB RAM, Kali as a base or a VM, with all updates applied Ethernet cable

Max students: 24

Registration: https://www.eventbrite.com/e/an-introduction-to-deploying-red-team-infrastructure-red-rock-i-tickets-63439433052
(Opens 8-Jul-19)

Troy Defty
Having worked in the UK InfoSec industry for around five and a half years at Deloitte and later Context Information Security, Troy abandoned a dreary sun-less London and has been working in the Australian industry out of Sydney for nearly a year with PS+C Pure Hacking. His interest and experience is largely in bespoke penetration testing engagements (red teaming, scenario-based assessments, etc.), with broad coverage across the penetration testing spectrum. Other interests include music, electronics, the outdoors, travel, rugby, CTF, and being bad at golf.

Erik Dul
Erik's first encounter with IT security was when he discovered the fascinating internals and configurability of ISDN NT boxes. Since then he has worked in various network security roles, spending the last few years as a penetration tester in the UK and Australia. He is currently heading up the offensive security team of PS+C Pure Hacking in Sydney. His main professional focus is scenario based and bespoke engagements, with particular interest in network and embedded device security. When not hard at work, you can find him somewhere close to the water, or playing tennis.

Back to top



Hacking Wifi

Thursday, 1430-1830 in Flamingo, Red Rock VIII

Philippe Delteil Computer Science Engineer

Victor Faraggi Student, University of Chile

Ilana Mergudich Thal Student, University of Chile

Wireless Networks (Wifi) are the most used type of network nowadays and most people don't know really how vulnerable they are, even WPA/WPA2 Enterprise.

In this workshop we will cover most wifi encryptions being used today, how they work behind the scenes and the theory of the cracking process. Also, you will be able to apply this knowledge on the spot with some real-life-scenario wifi networks.

Some encryptions are mathematically difficult to crack, where the cracking process could take lifetimes. But not to worry, there still are ways to get around this with an attack called Man-in-the-middle (MITM). Be wary! You never know to whom's Internet Access Point you're connecting and who's eavesdropping on you.

Ever wondered how to get somebody's passwords of a website? After this workshop you will be able to supplant a website without the victim ever knowing it with Wifiphishing or DNS Spoofing the client's router.

What to know before
Linux commands (sed, awk, grep and the basic ones)
Basic shell scripting
Basic knowledge about WEP/WPA/WPA2/WPS

What you will learn
How wifi security works
How to audit a wireless network
How to perform and automate Wifi attacks (WEP/WPA/WPA2 (personal & enterprise)/WPS)
How to use the cloud to crack passwords (GpuHash.me, AWS EC2)
How to use your own GPU to crack passwords. (in case you have one)

How technical is the class
40% theory and concepts
60% writing and testing commands/scripts and attacking wifis.

What tools are we going to use
aircrack-ng (ifconfig, iwconfig, airmon-ng, airodump-ng, aireplay-ng, aircrack-ng, airbase-ng, airdecap-ng)
Reaver (reaver, wash)
Radius Servers (radiusd)
Pyrit
tshark/Wireshark/tcpdump
Ettercap

What to read in advance Vivek Ramachandran & Cameron Buchanan, 2015, Kali Linux Wireless Penetration Testing Beginner's Guide, Birmingham B3 2PB, United Kingdom.

Skill Level Beginner

Prerequisites: Shell scripting basic skills Basic Linux Commands Basic networks knowledge

Materials: Laptop with Kali Linux (native or virtual machine). Wireless network card adapter (ALFA models, AWUS036NHA or similar) that allows packet injection. (NOTE: STUDENTS WILL NEED TO BRING THEIR OWN ADAPTER)

Max students: 60

Registration: https://www.eventbrite.com/e/hacking-wifi-red-rock-viii-tickets-63607346285
(Opens 8-Jul-19)

Philippe Delteil
Philippe Delteil is Computer Science Engineer from the University of Chile, he gave his first talk at Defcon 26 Skytalks, called "Macabre stories of a hacker in the public health sector", his country's government sent 3 officials to record the talk, over 3 Ministries shut down all their information systems afraid that Philippe would reveal some serious bugs and that Defcon attendees would hack the government, but the systems only were down from friday to monday, the only days hackers work. While living in Brazil he hacked over 3,000 wifi routers of the biggest ISP. Most of the time, he gives classes for free in various topics: CTF, pentesting, programming, Basic computer knowledge. He's been working with Wifi hacking during the last 3 months. He has a company with a very clever name: Info-sec.

Victor Faraggi
Victor Faraggi is a student of Computer Science Engineering at the University of Chile. He has developed an interest for Mobile Development, Privacy and, of course, Computer Security. This year, he has been working as a mobile developer in his University Campus. His free time is spent between analog photography, family, friends and HTB. He's also a former student of Philippe's workshop 'Introduction to Pentesting and CTF's'. That's how they met. Now, together with Ilana Mergudich, they bring Wifi Hacking workshop that has already been done in this year's first Defcon China. He remembers dearly the little boy of 15 years old that played OverTheWire wargame's, coming to Defcon 27 is another step in his life.

Ilana Mergudich Thal
Ilana Mergudich Thal is a Computer Science student at Universidad de Chile. She spent a semester in Sweden studying computer security and is currently specializing in cryptography. Trainee at Info-Sec doing Wifi hacking research. Works as a teaching assistant for mathematical and theoretical computer science courses and teaches computational thinking/programming to young children in schools. She became the first woman to represent her university internationally in competitive programming.

Back to top



Attacking Layer 2 Network Protocols

Friday, 1430-1830 in Flamingo, Red Rock I

Erik Dul Hacker

Troy Defty Hacker

Layer 2 can be a lesser-known attack surface; the techniques have been known for a while, have well-documented mitigations, and are often thought of as so old, they _can't possibly still be around, right?_

But this under-represented attack surface is also of great value to an attacker. Network segregation on a typical internal network is commonplace, and often heavily relied upon to segregate, isolate, and limit the spread of a compromise. A misconfigured switch or switch port can be the difference between an attacker compromising the desk phones, and core business server infrastructure. And when the misconfiguration can be a single two-word line in a ten-thousand line switch configuration file, it's easy to see how the basic hardening controls can be missed.

This workshop will run through analysing Layer 2 network traffic, identifying protocols and information of interest within network traffic, launching DTP attacks to pivot within a misconfigured network, and man-in-the-middling traffic via this pivot to compromise a target host (including using various tools in conjunction with virtual network interfaces). In terms of tooling, we will be looking to utilise the likes of Wireshark, Yersinia and Bettercap to launch the various network attacks, with standard Kali tooling/normal Linux functionality to exploit and escalate privileges on the target host.

Reading list (not required, but can be of interest):

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_arp/configuration/15-mt/arp-15-mt-book/arp-config-arp.html
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_53_se/configuration/guide/2960scg/swvlan.html
https://www.computernetworkingnotes.com/ccna-study-guide/vlan-tagging-explained-with-dtp-protocol.html
https://www.blackhat.com/presentations/bh-usa-02/bh-us-02-convery-switches.pdf
https://digi.ninja/blog/abusing_dtp.php

Skill Level Beginner

Prerequisites: Basic knowledge of networking particularly with Linux, knowledge of basic Linux exploitation and privilege escalation.

Materials: Laptop, 8GB RAM, Kali as a base or a VM with all updates applied, a network card/interface which supports VLAN tagging (this is usually the case with most kit nowadays by default, but just in case!)

Max students: 24

Registration: https://www.eventbrite.com/e/attacking-layer-2-network-protocols-red-rock-i-tickets-63439506271
(Opens 8-Jul-19)

Erik Dul
Erik's first encounter with IT security was when he discovered the fascinating internals and configurability of ISDN NT boxes. Since then he has worked in various network security roles, spending the last few years as a penetration tester in the UK and Australia. He is currently heading up the offensive security team of PS+C Pure Hacking in Sydney. His main professional focus is scenario based and bespoke engagements, with particular interest in network and embedded device security. When not hard at work, you can find him somewhere close to the water, or playing tennis.

Troy Defty
Having worked in the UK InfoSec industry for around five and a half years at Deloitte and later Context Information Security, Troy abandoned a dreary sun-less London and has been working in the Australian industry out of Sydney for nearly a year with PS+C Pure Hacking. His interest and experience is largely in bespoke penetration testing engagements (red teaming, scenario-based assessments, etc.), with broad coverage across the penetration testing spectrum. Other interests include music, electronics, the outdoors, travel, rugby, CTF, and being bad at golf.

Back to top



Functional Programming for the Blue Team

Saturday, 1000-1400 in Flamingo, Valley of Fire II

eigentourist Software Engineer, Data Scientist

This is an introduction to functional programming concepts. It's not an intro to a language or a tool, but to a set of ideas. It's a powerful one for any hacker to learn, but especially for blue teamers who find themselves writing or maintaining increasingly complex code. Practicing it can help defenders write safer code that scales well.

Why speak particularly toward blue team?

Defenders are often unsung heros today. Blue teamers, like system admins, may find themselves writing code to glue things together, fill in the gaps between existing tools, or make up for lack of tools altogether. If your codebase evolves into a critical system, the work of managing its rising complexity can become a serious challenge. Defense is hard, and studying the esoterics of software architecture can be a rare luxury (or an exercise in frustration, depending on your situation.) This workshop aims to hand you the distilled, demystified truth, sans the cryptic terminology. We will collectively build some code that illustrates the philosophy of the functional paradigm, and has a good chance of being useful in your work.

Why functional programming?

This is a paradigm from the days of Lisp and the original generation of MIT hackers. After decades of obscurity, it is moving into the mainstream because it answers two serious problems particularly well: rising code complexity, and the need to support parallelism. Any parts of it that you take away from this workshop are likely to improve your quality of life as a software engineer.

For this workshop, we will choose two programming languages to work with: one for comfort, and one for stretching. Python will be the comfort language, because of its widespread use in many fields. Haskell will be the stretch language, and no one is expected to try it if they're not comfortable. What we want is for you to get a sense of how the functional approach looks, not just in a mainstream language like Python, but also in a language built especially with the functional style in mind.

Skill Level Intermediate

Prerequisites: Some CS fundamentals are helpful, but anyone who has written code as part of their job should be able to walk away with something of value. We won't be using the arcane vocabulary associated with this field, except in the tiniest of amounts, until we begin to talk theory at the end. We don't do theory until everyone has had experience of success writing code based on the concepts.

Materials: .- A laptop that can last A good three hours on battery under light/medium workload (or else the good fortune to sit near A power outlet.) - Your operating system of choice with Your preferred text editor ready to go

Max students: 35

Registration: https://www.eventbrite.com/e/functional-programming-for-the-blue-team-valley-of-fire-ii-tickets-63998222406
(Opens 8-Jul-19)

eigentourist
eigentourist is a programmer turned data scientist, with 20 years in application development, and three years in the world of big data and machine learning. He began formal education in computer science when the height of software engineering discipline meant avoiding the use of GOTO statements. Over the course of his career, he has created code of beautiful simplicity and elegance, and of horrific complexity and unpredictability. Sometimes, it's hard to tell which was which. Today, he works on predictive models and computing clusters in the health care industry.

Back to top



Finding Vulnerabilities at Ecosystem-Scale

Friday, 1000-1400 in Flamingo, Red Rock IV

Isaac Evans Hacker

r2c is writing and helping others write tools to exploit and eradicate entire vulnerability classes at scale. In this workshop, we'll show how to develop program analysis tools that can be depended on in analysis pipelines and quickly run at massive scale. If you've ever wondered "but surely, no programmer would upload something that does that do NPM" this is the place to be! Our command line tool for local analyzer development is freely available and publicly documented—we'll show you how to get started and invite you to collaborate with us on to build pipelines that use pre-computed intermediary representations that we already have. We'll also show how to use our collaborative triage tools with impact prioritization that can quickly allow turning these analysis results into bug-bounty submissions. No program (static/dynamic) analysis background required (though it is helpful!) Motivated developers should be able to make at least one bug bounty submission by the end of the workshop.

Skill Level Intermediate

Prerequisites: Basic programming knowledge (what is a function call?), able to run docker hello-world as user, able to write and run small programs, very comfortable with command line interfaces

Materials: Laptop with network access, OSX or Linux available (Windows ok with WSL installed)

Max students: 80

Registration: https://www.eventbrite.com/e/finding-vulnerabilities-at-ecosystem-scale-red-rock-iv-tickets-63608247982
(Opens 8-Jul-19)

Isaac Evans
Isaac Evans is the leader of a small startup working on giving security tools directly to developers. Previously, he conducted research into binary exploitation bypasses for techniques like control-flow integrity and novel hardware defenses on new architectures like RISC-V as a researcher at the US Defense Department under a SFS program and at MIT Lincoln Laboratory. Isaac received his BS/MS degrees in EECS from MIT. Other interests include next-generation programming languages, secure-by-design frameworks, software-defined radio, and the intersection of cryptography and public policy.

Back to top



Malware Triage - Analyzing The Modern Malware Delivery Chain

Friday, 1000-1400 in Flamingo, Red Rock II

Sergei Frankoff Co-Founder, Open Analysis

Sean Wilson Co-Founder, Open Analysis

Malspam with an attached malicious document has now become the standard delivery vector for most criminal malware. In order to evade detection it is not uncommon for these malicious documents to execute a long chain of scripts involving macros, Javascript, and PowerShell before downloading the final payload. As a result incident responders and malware analysts need to be comfortable analyzing different document formats, and script languages to make sense of these delivery chains.

In this workshop you will work through the triage of a live malware delivery chain that includes a malicious document, malicious scripts, and a final malware payload. During this process you will be exposed to different document formats, and malscripts while you practice the skills required to manually analyze these delivery chains. This workshop focuses on the fundamental analysis techniques used when identifying, deobfuscating, and analyzing maldocs and malscripts. However, we will also provide an introduction to some free and open source tools that can be used to speed up the analysis process.

This workshop is aimed at junior incident responders, hobby malware analysts, and general security or IT practitioners who are interested in learning more about the malware triage process. If you have no experience with malware analysis but you have a good understanding of scripting languages like VBScript, and Javascript, and you are familiar with windows internals you should have no problem completing the workshop.

You will be provided with a VirtualMachine to use during the workshop, please make sure to bring a laptop that meets the following requirements. Your laptop must have VirtualBox or VMWare installed and working prior to the start of the course. Your laptop must have at least 60GB of disk space free, preferably 100GB. Your laptop must also be able to mount USB storage devices. Make sure you have the appropriate dongle if you need one.

Skill Level Beginner

Prerequisites: None

Materials: Students will be provided with a VirtualMachine to use during the workshop. They will need to bring a laptop that meets the following requirements: - The laptop must have VirtualBox or VMWare installed and working prior to class. - The laptop must have at least 60GB of disk space free, preferably 100GB. - The laptop must be able to mount USB storage devices (ensure you have the appropriate dongle if you need one).

Max students: 35

Registration: https://www.eventbrite.com/e/malware-triage-analyzing-the-modern-malware-delivery-chain-red-rock-ii-tickets-63609242958
(Opens 8-Jul-19)

Sergei Frankoff
Sergei is a co-founder of Open Analysis, and volunteers as a malware researcher. When he is not reverse engineering malware Sergei is focused on building automation tools for malware analysis. Sergei is a strong believer in taking an open, community approach to combating cyber crime. He actively contributes to open source tools and tries to publish as much analysis as possible. With over a decade of experience Sergei has held roles both as the manager of an incident response team, and as a malware researcher.

Sean Wilson
Sean is a co-founder of Open Analysis, and volunteers as a malware researcher. He splits his time between reverse engineering malware and building automation tools for incident response. He is an active contributor to open source security tools focused on incident response and analysis. Sean brings over a decade of experience working in a number of incident response and application security roles with a focus on security testing and threat modelling. In his free time Sean loves fly fishing.

Back to top



Mind the Gap Between Attacking Windows and Mac: Breaking In and Out of Protected MacOS environments

Saturday, 1000-1400 in Flamingo, Lake Mead I

Richard Gold Hacker

MacOS has a strong reputation for security and comes with many restrictions such as the usage of an App Store to prevent malicious code being installed. However, we have found that since MacOS is the minority platform for many software packages and security platforms, it rarely gets the same attention from security vendors as Windows. This workshop will teach you to exploit that lack of attention from software like Microsoft Office and security platforms like a leading EDR solution to break in and out of a MacOS estate. The principles also apply to other *nix environments like Linux.

We will walk you through how to use open source tools, both unmodified and customized, can be used to take advantage of the difference in capability, e.g., script detection, between Windows and non-Windows platforms. We will show you how to map out an environment, how to gain code execution in multiple ways, grab credentials, find files, collect screenshots and webcam shots and exfiltrate the loot while remaining undetected.

The key takeaway is that despite the myriad of operating system security features present in MacOS and Linux, and the addition of EDR, protected MacOS or Linux environments can still be compromised by a diligent attacker using open source tooling. This workshop will show you how!

[Unfortunately we cannot provide an EDR system for you to play with, so please bring your own or practice the techniques without that particular opponent.]

Skill Level Intermediate

Prerequisites: Intermediate command line skills with *nix-style environments like MacOS or Linux

Materials: Their own MacOS laptop. Preferably with an EDR solution in place, but the principals will still be valid without one. Microsoft Office is strongly recommended for the client-side attacks.

Max students: 40

Registration: https://www.eventbrite.com/e/mind-the-gap-between-attacking-windows-and-mac-breaking-in-and-out-of-protected-macos-environments-tickets-63608046379
(Opens 8-Jul-19)

Richard Gold
Richard Gold is a hands-on information security professional, who has over a decade's worth of experience in understanding and securing computer networks. With his background as a Certified SCADA Security Architect and a Ph.D. in Computer Networking, Richard uses knowledge he's gained from breaking into systems to better detect and protect networks, as well as build custom tooling. He regularly speaks on these topics at industry events, universities, and in the media.

Back to top



Hacking Wi-Fi for Beginners

Thursday, 1000-1400 in Flamingo, Red Rock III

Alex Hammer Hacker

Penelope 'Pip' Pinkerton

Wi-Fi attack capability is an important part of any hacker's toolbox. Wi-Fi extends the perimeter of a supposedly-secure network to sidewalks, parking lots, and trendy coffee shops. But many hackers don't know how Wi-Fi is simultaneously both easy and difficult to attack. To understand this duality, hackers must get hands-on time attacking all kinds of networks. You really need to see both success and failure, both self-inflicted and environmental, to fully understand how to compromise Wi-Fi networks.

This workshop isn't targeted at Faraday-level attendees. We assume that you know what a laptop and Wi-Fi is and continue from there. What you'll be doing in this workshop is:

0. Determining your desired result of the attack
1. Reconnoitering Wi-Fi networks and RF spectrum
2. Identifying and prioritizing network and station targets
3. Determining the best attack type for identified targets
4. Hacking the bejeezus out of the target while avoiding detection
You'll do all of these amazing things with your laptop and Kali Linux. Kali has an exceptional set of Wi-Fi hacking tools built right in that you'll become much more familiar with during this session. You'll use a variety of tools to identify networks and connected stations, conduct broadcast denial of service attacks, capture authentication handshakes, and crack session keys.

Pip and Alex will demonstrate some techniques using different hardware like spectrum analyzers and noise generators so you can decide whether those are tools you want to add to your toolbox as well. However, none of those tools are necessary for the workshop, and many hackers never need anything beyond a laptop, Kali, a good wordlist, and practice.

We'll tweet any last minute workshop updates or preparation steps from @alexhammeratt.

Skill Level Beginner

Prerequisites: Basic familiarity with Kali Linux and a basic understanding of Wi-Fi

Materials: A laptop running Kali Linux (NO virtual machines) and a Wi-Fi adapter that supports monitor mode (either a built-in or external USB WNIC is fine). Attendees should arrive with their laptop fully charged and their Kali fully updated.

Max students: 90

Registration: https://www.eventbrite.com/e/hacking-wi-fi-for-beginners-red-rock-iii-tickets-63605681305
(Opens 8-Jul-19)

Alex Hammer
Alex Hammer started hacking as a phreak using a Blue Box and running his own BBS. He's been hacking networks and computers for his entire career. Alex has worked as a computer forensic investigator, a penetration tester, and a security software architect. He has also written books and taught numerous classes on penetration testing, ethical hacking, and network defense. His specialties are PKI, Wi-Fi cracking, and teasing Pip when an 802.11 standard totally ignores standard security practices.

Penelope 'Pip' Pinkerton is a veritable Goddess of Wi-Fi and all things RF. She is an expert in radio design, RF behavior, and IEEE standards, and holds an Extra level ham radio license. Pip has taught countless corporate IT staff Wi-Fi topics including security, site survey, RF coverage, and Wi-Fi configuration and management. She has worked at or with many of the large Wi-Fi chipset and device manufacturers and has provided input on standards. Her specialties are knowing pretty much every field defined in every 802.11 standard and making fun of Alex when he doesn't know one.

Back to top



Learning to Hack Bluetooth Low Energy with BLE CTF

Thursday, 1000-1400 in Flamingo, Red Rock IV

Ryan Holeman Global Security Overlord, Atlassian

BLE CTF is a series of Bluetooth low energy challenges in a capture the flag format. It was created to teach the fundamentals of interacting with and hacking Bluetooth Low Energy services. Each exercise, or flag, aims to interactively teach a new concept to the user. For this workshop, we will step through a series of exercises to teach beginner students new concepts and allow more seasoned users to try new tools and techniques. After completing this workshop, you should have a good solid understanding of how to interact with and hack on BLE devices in the wild.

If you have done BLE CTF in the past, this class is still valuable. This class will be based off of a complete rewrite of BLE CTF which is being released as version 2.0. It will still have many of the challenges from 1.0, but restructured, where every flag is hosted in a completely separate GATT service. Along with the v1.0 flags, new new version allows for more advanced challenges which were not possible in the past.

To prepare for the workshop, please follow the the setup documentation located at https://github.com/hackgnar/ble_ctf/blob/master/docs/workshop_setup.md

Skill Level All

Prerequisites: None

Materials: Preferably a Linux box with a bluetooth controller or a bluetooth usb dongle. An OSX or Windows machine with a Linux VM and usb passthough works as well but should be setup and tested before the workshop. The workshop exercises run on a relatively cheap piece of hardware (ESP32). If attendees want to bring their own to get flashed, we can assist. If they want to buy one, I sell them pre-flashed for $20.

Max students: 80

Registration: https://www.eventbrite.com/e/learning-to-hack-bluetooth-low-energy-with-ble-ctf-red-rock-iv-tickets-63605954121
(Opens 8-Jul-19)

Ryan Holeman
Ryan Holeman resides in Austin Texas where he works as the Global Security Overlord on Atlassian's Security team. He is also an advisor for the endpoint security software company Ziften Technologies. He received a Masters of Science in Software Engineering from Kent State University. His graduate research and masters thesis focused on C++ template metaprograming. He has spoken at many respected venues such as Black Hat, DEF CON, Lockdown, BSides, Ruxcon, Notacon, and Shmoocon. He has also published papers though venues such as ICSM and ICPC . You can keep up with his current activity, open source contributions and general news on his blog. His spare time is mostly spent digging into various network protocols, random hacking, creating art, and shredding local skateparks.

Back to top



Hacking the Android APK

Thursday, 1430-1830 in Flamingo, Red Rock V

Ben Hughes Hacker

Liana Parakesyan Hacker

Mattia Campagnano Hacker

This cross-discipline, hands-on training will walk participants through Android application testing and APK reversing basics. The tools and techniques imparted in this training will help guide APK analysis, mobile threat research, and mobile application penetration testing. Free and open source tools will be emphasized, while recognizing the potential role of commercial tools in static and dynamic analysis of APKs. The training will conclude with a CTF-style competition requiring participants to use their new skills to dissect actual Android applications including malicious APKs, vulnerable APKs, and custom APKs. A VM with the necessary tools and APKs will be provided.

Skill Level Beginner/Intermediate

Prerequisites: Previous mobile development or general pen testing experience is helpful, but not required.

Materials: Students will need to bring to participate: Students will need to bring their own Windows/Linux/macOS laptop with 8+ GB RAM, WiFi, USB, and VirtualBox or VMware installed. A VM will be made available to students for download beforehand, as well as available on USB flash drives at the start of the workshop. A LIMITED number of physical, rooted Android devices will be available for students to share during the workshop; students are also welcome to bring their own physical, rooted Android devices for use during the workshop.

Max students: 40

Registration: https://www.eventbrite.com/e/hacking-the-android-apk-red-rock-v-tickets-63607020310
(Opens 8-Jul-19)

Ben Hughes
Ben (@CyberPraesidium) brings over 12 years of diverse experience in cyber security, IT, and law. He leads Polito's commercial services including vulnerability assessments, penetration testing, incident response, forensics, and threat hunting. Prior to joining Polito, Ben worked on APT hunt teams at federal and commercial clients. He holds CISSP, GCFA, GWAPT, and Splunk Power User certifications.

Liana Parakesyan
Liana has a wide range of experience in cybersecurity. She has created tailored cybersecurity frameworks for companies and federal agencies. She has a background in building cybersecurity labs for clients, consulting on Defense-in-Depth strategies based on threat modeling, and performing penetration testing. She holds a Master's degree in Cybersecurity and has earned the Security+, CEH, and CISSP certifications.

Mattia Campagnano
Mattia brings a wide range of experience in IT and cybersecurity, including as Desktop Support with the Italian agency for foreign trade and as a SOC analyst with a major US cybersecurity company. He has worked with SIEMs and conducted penetration testing. He has two Associate's of Applied Science degrees from Stark State College (Cyber Security & Forensics and Network Security, Linux Database Admin). He also has an MBA from Università di Napoli Federico II (Italy) and Security+ certification.

Back to top



Introduction to Reverse Engineering With Ghidra

Friday, 1430-1830 in Flamingo, Red Rock V

Wesley McGrew Hacker

Tyler Holland Operator-Analyst, HORNE Cyber

The open-source release of the NSA's Ghidra disassembler gives software reverse engineers a free option for high-capability interactive analysis of binary code. Many software reverse engineering (SRE) practitioners have been spending time since the release learning about Ghidra and bringing it into their workflow. It also gives those new to SRE a toolset to learn with that is not restricted by commercial license costs or "demo" limitations.

The purpose of this workshop is to teach beginners, with no prior experience in software reverse engineering, about the analysis of software in the Ghidra disassembler. We'll cover the following major topics, with high degree of interaction between the instructors and students:

- Defining software reverse engineering terms
- Setting up an environment for Ghidra
- Ghidra configuration and usage
- Linking and Loading
- Data types
- C data types and constructs in assembly
- Simple anti-RE tricks and how to analyze them
- Methodology for approaching unknown programs (prioritization, analysis)
- Analysis exercise with a malware sample

Skill Level Beginner

Prerequisites: Students should have experience with at least one high-level programming language. C is preferred, but experience with any other language should provide you with the experience necessary to at least read C code. You will not be required to *write* code. No prior software reverse engineering experience is required.

Materials: Students that wish to "follow along" in Ghidra and participate in hands-on exercises should bring a laptop. Laptops should be running a 64-bit operating system (macOS, Windows, or Linux), and have at least 4GB RAM (more preferred, especially if you're using virtual machines). Before the workshop, please download and install OpenJDK and Ghidra as described in the instructions at https://ghidra-sre.org/ . We can troubleshoot installation problems in-class, but don't count on reliable/fast network access, so try to get it set up ahead of time.

We will be analyzing *live malware* provided to you on USB. You will need to have administrative capability on your laptop in order to disable or set exclusions on your AV software. While we will not be intentionally executing code (this course is limited to static analysis), you are expected to take whatever measures necessary to protect yourself, to include: bringing a "burner" laptop, having backups, virtualization, and/or common sense.

If you do not bring a laptop, you can still get some good exposure to reverse engineering with Ghidra! I'll be working in Ghidra most of the time on the projector, and you may coordinate with another student to collaboratively discuss what you're looking at on a shared laptop.

Max students: 50

Registration: https://www.eventbrite.com/e/introduction-to-reverse-engineering-with-ghidra-red-rock-v-tickets-63609250982
(Opens 8-Jul-19)

Wesley McGrew
As Director of Cyber Operations at HORNE Cyber, Wesley McGrew oversees and participates in offense-oriented services for clients in many areas, including finance, healthcare, manufacturing, and national critical infrastructure. He has presented on topics of penetration testing and and malware analysis at DEF CON and Black Hat USA. He teaches a self-designed course on reverse engineering to students at Mississippi State University, using real-world, high-profile malware samples. Wesley has a Ph.D. in Computer Science from Mississippi State University for his research in vulnerability analysis of SCADA HMI systems.

Tyler Holland
Tyler Holland is an Operative-Analyst at HORNE Cyber, where he conducts penetration testing, red teaming, and application security engagements. Tyler is an expert in reverse engineering malicious software in support of incident handling engagements.

Back to top



Hands on Adversarial Machine Learning

Friday, 1000-1400 in Flamingo, Red Rock VI

Yacin Nadji Engineer, Security Scorecard

Machine learning has become commonplace in software engineering and will continue to grow in importance. Currently, most work focuses on improving classifier accuracy. However, as more and more models interact with the real world, practitioners must consider how resilient their models are against adversarial manipulation. Successful attacks can have serious implications, like crashing a car, misclassifying malicious code, or enabling fraud.

In this workshop, you will learn how to think like an adversary so that you can build more resilient machine learning systems. You'll discover how to use free and open source tools to construct attacks against and defenses for machine learning models, as well as how to holistically identify potential points of attack an adversary could exploit. You'll leave able to critically examine a machine learning system for weaknesses, mount attacks to surface problems, and implement and evaluate practical defenses.

Skill Level Intermediate

Prerequisites: Familiarity with Python (or similar programming language) and basic Machine Learning. For the latter, students that have preprocessed data and trained & evaluated a model will be in good shape to tackle the material.

Materials: Laptop capable of running Docker or Jupyter notebooks.

Max students: 70

Registration: https://www.eventbrite.com/e/hands-on-adversarial-machine-learning-red-rock-vi-tickets-63608585993
(Opens 8-Jul-19)

Yacin Nadji
Yacin Nadji is an engineer at Security Scorecard where he applies machine learning to identify companies' infrastructure and understand their security risk. He received his Ph.D. from the School of Computer Science at Georgia Institute of Technology with a focus in Computer Security. He has published 20 academic papers with hundreds of citations, many focused on applying ML to solve security problems.

Back to top



Advanced Custom Network Protocol Fuzzing

Friday, 1430-1830 in Flamingo, Red Rock VI

Joshua Pereyda Software Engineer

Carl Pearson Security Analyst

Get hands on experience writing custom network protocol fuzzers. This class will cover the basics of network protocol "smart fuzzing." Exercises will utilize the open source network protocol fuzzing framework, boofuzz.

Attendees will gain practice reverse engineering a network protocol, implementing and iterating on a custom fuzzer, and identifying vulnerabilities.

After:

1. You will know the basics of fuzzing.
2. You will know how to write custom network protocol fuzzers using state of the art open source tools.
3. You will have hands on experience with this widely-discussed but still largely mysterious test method.

Before (Prerequisites): You should:

1. Be comfortable doing some basic programming in Python.
2. Understand basic network protocol concepts (e.g. what is a protocol and what is a network layer).
3. Be familiar with WireShark and how to use it.
4. Have a laptop with at least 8 GB of RAM (16 GB recommended).

What you won't learn:

1. Exploit development.
2. Python programming. Because you can already do that (see above). ;)

Fuzzing is a wide and deep field with a wide array of technologies. This class is a beginner-friendly deep dive into one niche of the fuzzing world.

Skill Level Intermediate

Prerequisites: 1. Some basic Python programming experience (some programming ability is REQUIRED). 2. Basic understanding of network protocols. 3. Basic familiarity with Wireshark. 4. Optional: Fuzzing experience.

Materials: 1. Laptop with at least 8 GB of RAM (16 GB recommended). 2. Have a recent version of VMWare Player installed. 3. Strongly recommended: configure for Defcon secure Wi-Fi access beforehand.

Max students: 70

Registration: https://www.eventbrite.com/e/advanced-custom-network-protocol-fuzzing-red-rock-vi-tickets-63609251985
(Opens 8-Jul-19)

Joshua Pereyda
Joshua is a software engineer specializing in information and network security. He has worked in the critical infrastructure and cloud computing industries with employers heavily invested in software and hardware security. Among his passions are hacking, teaching kids to program, attending orchestral concerts with his wife, and figuring out how he can get paid to do it all... legally.

Joshua is the maintainer of the boofuzz network protocol fuzzing framework.

Carl Pearson
Carl is a security analyst with a passion for network and application security. He works as a blue team member in the higher education field by day and an independent red team researcher by night. His interests include poking around inside software and systems, figuring out what makes them tick. When he's not hunting bugs or writing code, you can find him exploring the great outdoors.

Back to top



Hacking Medical Devices

Thursday, 1000-1400 in Flamingo, Red Rock II

Jay Radcliffe Hacker

Fotios Chantzis Principal Information Security Engineer, Mayo Clinic

In the world of connected devices some are more dangerous than others. Devices that connect our bodies to a network are especially intriguing. These devices are often fraught with vulnerabilities and security concerns. In this workshop participants will have an opportunity to learn about different medical devices and explore their attack surfaces. There will be a collection of connected medical devices on-premise that we will scan, take-apart, and explore. Some of the topics in the course will include: network scanning for medical devices, firmware analysis, vulnerability hunting, Wireless/RF analysis, and hardware analysis and assessment.

We will cover vulnerabilities on the insecure DICOM protocol. We are going to showcase how to leverage pynetdicom to write python scripts for attacking DICOM and exploit insecurely configured PACS servers leading to the extraction of sensitive PHI (Protected Health Information). DICOM, being a highly complex protocol, can also allow for other attack vectors such as embedding PE malware. Another aspect of the training will cover vulnerabilities found in IoT infrastructure with a focus on IP cameras and video management servers. These often run insecure protocols like zeroconf and have web portals that are easily authentication brute-forceable and poorly configured. We are specifically going to examine the WS-Discovery protocol which provides some interesting attack vectors by putting too much trust on the local network.

Hands-on exercises will be conducted by the students throughout the training for each section under the guidance of the instructors.

Skill Level Intermediate

Prerequisites: None

Materials: Laptop with Wired Ethernet connection (NOT Wireless)

Max students: 40

Registration: https://www.eventbrite.com/e/hacking-medical-devices-red-rock-ii-tickets-63605552921
(Opens 8-Jul-19)

Jay Radcliffe
Jay Radcliffe (CISSP) has been working in the computer security field for over 20 years. Coming from the managed security services industry as well as the security consultation field, Jay has helped organizations of every size and vertical secure their networks and data. Jay presented ground-breaking research on security vulnerabilities in multiple medical devices and was featured on national television as an expert on medical device cyber-security. As a Type I diabetic, Jay brings a lifetime of being a patient to helping medical facilities secure their critical data without compromising patient care. Not only is Jay a prolific public speaker, but also works with legal firms on expert witness consultation related to IoT and cyber security issues. Jay holds a Master's degree in Information Security Engineering from SANS Technology Institute, as well as a Bachelor's degree in Criminal Justice/Pre-Law from Wayne State University. SC Magazine named him one of the Top Influential IT Security Thinkers in 2013.

Fotios Chantzis
Fotios (Fotis) Chantzis is a principal information security engineer at Mayo Clinic, where he manages and conducts technical security assessments on medical devices and clinical support systems as well as engaging in penetration tests and red team exercises. Fotis has over 10 years of experience in the information security industry, which includes time spent researching network protocol vulnerabilities and developing security tools. He has been a contributor to the Nmap project since 2009, when he wrote the Ncrack network authentication cracking tool and has published a video course on "Mastering Nmap". His research on network security includes exploiting the TCP Persist Timer (Phrack #66) and inventing a stealthy port scanning technique by abusing XMPP. He is a regular speaker in conferences of the information security industry and has been lately leading the technical segment of the Defcon Biohacking Village. His most recent research focus has been on medical device & IoT security.

Back to top



From EK to DEK: Analyzing Document Exploit Kits

Thursday, 1000-1400 in Flamingo, Red Rock I

Josh Reynolds Senior Security Researcher, Crowdstrike

Exploit Kits haven't disappeared, they've simply moved to Microsoft Office. Traditional Exploit Kits (EKs) have the ability to fingerprint and compromise web browser environments, but with the advent of sandboxing and advanced security measures, there has been a shift toward using the Microsoft Office environment as a primary attack surface. Document Exploit Kits (DEKs) leverage DCOM, ActiveX controls, and logic bugs to compromise machines by packing multiple exploits into a single file.

In this workshop you will learn how to analyze exploits, shellcode, and infection chains produced by modern Document Exploit Kits such as ThreadKit and VenomKit.

This workshop is aimed at security professionals who are interested in gaining experience with reverse engineering, malware analysis and exploit development. Previous experience in any of these areas will assist the attendee in completing the workshop successfully in a timely fashion. The skills learned in this workshop are most applicable to those who work or are interested in blue team areas, such as those in security operations centers (SOCs), incident responders, intel analysts, and reverse engineers. Those who work or are interested in red team areas will find the content applicable for re-implementation for use in offensive exercises.

The following tools will be used in this workshop:

- rtfobj for OLE object extraction
- x64dbg for dynamic analysis of exploits, shellcode, and infection chains
- procmon and procexp for dynamic analysis of infection chains
- IDA Pro for static analysis of vulnerable applications and shellcode
- ffdec for static analysis of Adobe Flash exploits
- FakeNet-NG and Wireshark for network traffic analysis

Skill Level Intermediate

Prerequisites: .- A basic understanding of Microsoft Windows operating system internals
- A basic understanding of exploit development
- A programming background with C/C++ and/or x86 assembly
- Experience with debugging binary applications
- Optional: Experience with reverse engineering and/or malware analysis on Microsoft Windows

Materials: Students will be provided with a virtual machine to use during the workshop. They will need to bring a laptop that meets the following requirements:
- The laptop must have VirtualBox installed and working (VMWare is not supported).
- The laptop must be able to allocate 2GB of RAM to a guest OS, and provide a stable amount of RAM to the host OS.
- The laptop must have at least 60GB of disk space free but 100GB of free space is preferred.
- The laptop must be able to mount USB storage devices (please ensure that you have the appropriate adapter if needed).

Max students: 24

Registration: https://www.eventbrite.com/e/from-ek-to-dek-analyzing-document-exploit-kits-red-rock-i-tickets-63438831252
(Opens 8-Jul-19)

Josh Reynolds
Joshua Reynolds is a Senior Security Researcher with CrowdStrike, where he performs malware reverse engineering and intelligence analysis. Joshua has presented at BSides Calgary, BSides Edmonton and RSAC focusing on Ransomware, malicious document analysis and cryptojacking malware. He is also the co-author of the SAIT Polytechnic Information Systems Security diploma malware analysis course.

Back to top



Introduction to Sandbox Evasion and AMSI Bypasses

Friday, 1430-1830 in Flamingo, Red Rock IV

Anthony Rose Co-founder, Blockchain Security

Jacob "Hubble" Krasnov Co-founder, Blockchain Security

Vincent "Halycon" Rose Software Engineer

Microsoft is constantly adapting their security to counter new threats. Specifically, the introduction of the Microsoft Antimalware Scripting Interface (AMSI) and its integration with Windows Defender has significantly raised the bar. In this hands-on class, we will learn the methodology behind obfuscating malware and avoiding detection. Students will explore the inner workings of Windows Defender and learn to employ AMSI bypass techniques and obfuscate malware using Visual Basic (VB) and Powershell. Then identify and evade sandbox environments to ensure the payloads are masked when arriving at the intended target. The final capstone will be tying all the concepts together.

In this workshop we will:

1. Introduce AMSI and explain its importance
2. Learn to analyze malware scripts before and after execution
3. Understand how obfuscate code to avoid AMSI and Windows Defender
4. Detect and avoid sandbox environments

Skill Level Beginner

Prerequisites: None

Materials: Students will need a laptop with VMWare or Virtualbox (installed and working).

Max students: 80

Registration: https://www.eventbrite.com/e/introduction-to-sandbox-evasion-and-amsi-bypasses-red-rock-iv-tickets-63609241955
(Opens 8-Jul-19)

Anthony Rose
Anthony 'C01_' Rose, CISSP, is the Co-founder of BC Security and Lead Pentester at Merculite Security. He has more than a decade's worth of experience as an Electrical Engineer, managing Red and Blue teams, and hacking buffoonery. His work focuses on wireless network penetration and non-IP based system security with an emphasis on embedded systems security. He has presented at DEF CON 24 and RSA 2017.

Jacob "Hubble" Krasnov
Jake "Hubble" Krasnov is the Co-founder of BC Security. He has spent most of his career as an Astronautical Engineer but has transitioned to cybersecurity. He has spent the last three years developing embedded system cyber testing tools and as a member and Red Team Lead.

Vincent "Halycon" Rose
Vincent "Halcyon" Rose is a software engineer with experience in cloud services. He has a decade of experience in software development and networking. Recently, his focus has been on building ad-serving technologies, web and ad-tracking applications.

Back to top



Defending environments and hunting malware with osquery

Friday, 1430-1830 in Flamingo, Red Rock VII

Guillaume Ross Hacker

In this workshop, you will learn how to defend Linux and Windows environments with osquery, using techniques that could easily be adapted to Mac and containerized environments. Then, we will look at how we can leverage osquery to hunt for malware and attackers, as well as how we could use osquery in a controlled environment to do some basic malware analysis.

We will cover osquery deployment scenarios and configurations as well as ways we can implement it to improve the security of servers and workstations.

Specifically, we will use osquery to monitor specific security configurations, detect lateral movement, detect malware, and even see how we can use it in lab environments to analyze malware.

If you have never used osquery before, this workshop will get you started. If you have used osquery before, this workshop will help you get the most out of it, by allowing you to develop queries and an understanding of the schema and how it can be applied to protect environments and detect attacks.

The topics covered will include:

* Setup, configuration and flags
* Logging results
* Building simple to complex queries
* Monitoring for lateral movement
* Tracking important security configurations on Windows and Linux
* Detecting malware
* Performing basic malware analysis on a VM with osquery

Skill Level Beginner

Prerequisites: Basic understanding of Linux and Windows. Mac and Docker optional. No knowledge of osquery itself is needed.

Materials: A computer with a SSH and RDP client. Linux and Windows systems in the cloud will be provided. Local Linux and Windows VMs are welcome as well, but not necessary.

Max students: 60

Registration: https://www.eventbrite.com/e/defending-environments-and-hunting-malware-with-osquery-red-rock-vii-tickets-63606251009
(Opens 8-Jul-19)

Guillaume Ross
Guillaume has worked as a security engineer and consultant, as a manager of blue teams, and way before that, as an enterprise IT person focused on endpoints. Guillaume is currently the Principal Security Researcher at Uptycs, finding new ways to defend systems using the power of osquery. He is also a trainer for Pluralsight, producing training content around topics such as network security monitoring.

Having worked for startups as well as Fortune50 companies, he knows how to build a security program, but having had to do the work, he also dislikes doing meaningless "best practices" work that has no practical value, and really enjoys leveraging the great open source software available to all of us.

Guillaume has spoken and given workshops at various conferences like BSidesLV, Thotcon and Northsec on many topics, including mobile security, endpoint security, logging and monitoring and much more.

Back to top



Constructing Kerberos Attacks with Delegation Primitives

Thursday, 1000-1400 in Flamingo, Red Rock VII

Elad Shamir Managing Security Consultant, The Missing Link Security.

Matt Bush Security Consultant, The Missing Link Security

Kerberos delegation is a dangerously powerful feature that allows services to impersonate users. Due to the complexity of Kerberos delegation attacks, they are often overlooked or left unexplored. However, the introduction of Resource-based Constrained Delegation substantially widens the Kerberos attack surface, making it more important than ever for security professionals to engage with this challenge. This workshop will offer security professionals a deep dive into Kerberos delegation and demonstrate how it can be abused for privilege escalation and lateral movement.

We will open with a crash-course in Microsoft's Kerberos implementation and its delegation features, from the fundamentals of Kerberos authentication, through legacy unconstrained delegation, to classic constrained delegation. We will offer demos and hands-on labs to experiment with abusing these features.

In the second half of the workshop, we will cover resource-based constrained delegation, explain the differences between classic constrained delegation and resource-based constrained delegation, and explore novel attack primitives including:

- Compromising hosts by modifying Active Directory computer objects
- Bypassing restrictions on protocol transition to impersonate arbitrary users
- Compromising a host by abusing the ticket-granting-ticket of a computer account
- Performing local privilege escalation on Windows 10 and Windows Server 2016/2019 hosts by abusing account profile pictures
- Performing remote code execution on SQL Servers through directory listing abuse
- Achieving hostless domain persistence

Participants will get an opportunity to try the above attacks in a lab environment.

We will also explore mitigating controls, as well as detection opportunities.

Skill Level Intermediate

Prerequisites: Basic familiarity of Windows and Active Directory environments

Materials: A laptop with the ability to connect to a VPN and establish an RDP connection with a remote host.

Max students: 70

Registration: https://www.eventbrite.com/e/constructing-kerberos-attacks-with-delegation-primitives-red-rock-vii-tickets-63606378390
(Opens 8-Jul-19)

Elad Shamir
Elad Shamir leads a team of talented security consultants and operators as the Managing Security Consultant at The Missing Link Security. Elad has a passion for red teaming, and extensive experience in identifying security design flaws in complex systems. He enjoys abusing intended functionality in novel attack techniques and chaining seemingly innocuous security issues in elaborate scenarios.

Matt Bush
Matt Bush is a security consultant and operator at The Missing Link Security. Matt's current research focuses on developing and weaponizing novel tradecraft for advanced threat simulation.

Back to top



Evil Mainframe Jr: Mainframe hacking from recon to privesc

Friday, 1000-1400 in Flamingo, Red Rock I

Soldier of Fortran Hacker

Big Endian Smalls Director of North American Operations for RSM Partners

Mainframes power every industry you care about. Yet hackers have no idea how to even begin approaching this these big iron beasts. Where do you even start? VTAM? CICS? TSO? This workshop aims to give you the tools and language you can use to hack a mainframe. Starting with reconnaissance and ending with privilege escalation this workshop will walk you through all the tools and techniques you can use to hack a mainframe in 2019. Students will be introduced to the platform by being allowed to explore the operating system and allowing students to understand the weaknesses within. Students will also get introduced to open source tools and libraries available for all the steps of a penetration test including Nmap, metasploit, python scripts, REXX scripts and even HLASM. The majority of the workshop will be spent performing instructor led hands on mainframe testing with the tools available. Goals for each segment will be laid out with appropriate time afforded to students to allow them the ability to gain a deep understanding of how a test could and should be performed. Exercises will be based on real world attack scenarios developed by the trainers. This training specifically focuses on z/OS.

Skill Level Intermediate

Prerequisites: Background in penetration testing/red team and knowledge of tools like nmap, metasploit and scripting languages like Python/Ruby

Materials: Laptop capable of running a VM, power for their laptop.

Max students: 24

Registration: https://www.eventbrite.com/e/evil-mainframe-jr-mainframe-hacking-from-recon-to-privesc-red-rock-i-tickets-63439560433
(Opens 8-Jul-19)

Soldier of Fortran
Philip Young, aka Soldier of FORTRAN, is a leading expert in all things mainframe hacking. Having spoken and taught at conferences around the world, including DEFCON, RSA, BlackHat and keynoting at both SHARE and GSE Europe, he has established himself as the thought leader in mainframe penetration testing. Since 2013 Philip has released tools to aid in the testing of mainframe security and contributed to multiple opensource projects including Nmap, allowing those with little mainframe capabilities the chance to test their mainframes. His hope is that through raising awareness about mainframe security more organizations will take their risk profile seriously.

Big Endian Smalls
Chad Rikansrud, aka Big Endian Smalls, is the Director of North American Operations for RSM Partners - a world leader in IBM mainframe security consulting services. Chad is a nationally recognized security industry speaker, with appearances at: DEF CON, RSA2017, SHARE, and other regional conferences. Most of Chad's 20-year career has been in technology leadership for the financial services industry where he has held various senior leadership positions, including worldwide datacenter operations, infrastructure and recovery responsibility, as well as enterprise-wide system z storage

Back to top



Advanced Wireless Attacks Against Enterprise Networks

Thursday, 1430-1830 in Flamingo, Red Rock VII

Gabriel "solstice" Ryan

This workshop will instruct attendees on how to carry out sophisticated wireless attacks against corporate infrastructure. Attendees will learn how to attack and gain access to WPA2-Enterprise networks, bypass network access controls, and perform replay attacks to gain administrative control over an Active Directory environment. External wireless adapters and preconfigured live USBs will be provided to all workshop attendees, and material learned in the lectures will be practiced within a realistic lab environment.

Skill Level Intermediate

Prerequisites: A previous wireless security background is helpful but certainly not required.

Materials: Students will be required to provide their own laptops. Student laptops must be capable of running virtualization software such as VMWare or VirtualBox, and must have at least one free USB port. The instructor will provide each student with a single external wireless interface for use within the lab environment. Students will be responsible for downloading and installing the lab environment before the start of the workshop.

Max students: 70

Registration: https://www.eventbrite.com/e/advanced-wireless-attacks-against-enterprise-networks-red-rock-vii-tickets-63607316195
(Opens 8-Jul-19)

Gabriel "solstice" Ryan
Gabriel Ryan is an offensive security R&D and consultant at SpecterOps. He is the author of EAPHammer, a toolkit for performing targeted rogue access point attacks against enterprise wireless networks. Gabriel has presented at DEF CON, DerbyCon, Hackfest, and several Security BSides conferences on topics ranging from infrastructure security to access control protocols and red team tradecraft. His professional interests include wireless security, systems internals, low-level programming, and infrastructure automation.

Back to top



Hacking ICS: From Open Source Tools to Custom Scripts

Friday, 1000-1400 in Flamingo, Red Rock V

Valerie Thomas Technical Lead, Securicon

Harry Regan Technical Lead, Securicon

Harry Thomas Technical Lead, Securicon

Recently, Industrial Control System (ICS) attacks have gained popularity in the media. However there are many misconceptions on what exactly ICS systems are and how they function. Although there are similarities to IT systems, there are a multitude of differences that an attacker needs to understand in order to properly assess this type of equipment. In this course, students will be introduced to what ICS is and isn't in terms of technology and functionality. Protocols such as Ethernet/IP, Modbus, and DNP3 will be discussed and illustrated in order for students to have a foundation to build their arsenal. Students will then explore openly available open source tools and examine the functionality of the protocols. After dissection of protocol commands and activities, the students will be led to create their own custom scripts that interact with ICS devices in the classroom.

Skill Level Beginner

Prerequisites: An understanding of basic networking concepts.

Materials: For those who want to participate in the hands-on portion of the workshop, a laptop with Kali Linux installed on the host or as a virtual machine.

Max students: 50

Registration: https://www.eventbrite.com/e/hacking-ics-from-open-source-tools-to-custom-scripts-red-rock-v-tickets-63608296126
(Opens 8-Jul-19)

Valerie Thomas
Valerie Thomas is the Technical Director and utilizes her Electrical Engineering education and security consulting background to incorporate a variety of evaluation techniques specific to ICS.

Harry Regan
Harry Regan serves as the Vice President of Consulting Services and has over 40 years of experience in IT and ICS security environments.

Harry Thomas
Harry Thomas is the Lead ICS Security Consultant and performs risk, vulnerability, and penetration tests and assessments for a multitude of ICS organizations. He's developed countless IT and ICS indicators of compromise to help protect the ICS industries against threats. He utilized both offensive and defensive skills to create, design, and implement safe ICS security practices.

Back to top



Red Teaming Techniques for Electronic Physical Security Systems

Saturday, 1000-1400 in Flamingo, Valley of Fire I

Valerie Thomas Technical Lead, Securicon

Terry Gold Founder, D6 Research

Organizations spend millions of dollars to keep their assets safe with physical security systems, but these are not without flaw. This course is designed to help you assess, strategize, and navigate your way through the complex electronic physical access control systems and into the largest enterprise organizations. In this course, we will cover enterprise architecture, access control systems, wiring, protocols, controllers, door readers, RFID technologies and techniques, magnetic stripe and PIN attacks, as well as blending social engineering attacks. With our complete physical access lab you'll get hands on experience analyzing and programming multiple RFID card formats.

Skill Level Beginner

Prerequisites: None. Previous experience is not required

Materials: For students who wish to participate in the hands-on portion, a laptop (Windows, Linux, or OSX) with at least one available USB port. Students will need local administrative privileges for software installation.

Max students: 40

Registration: https://www.eventbrite.com/e/red-teaming-techniques-for-electronic-physical-security-systems-valley-of-fire-i-tickets-63606408480
(Opens 8-Jul-19)

Valerie Thomas
Valerie Thomas is the Technical Director and utilizes her Electrical Engineering education and security consulting background to incorporate a variety of evaluation techniques specific to ICS.

Terry Gold
Terry is the founder of D6 Research, an independent security analyst firm specializing in identity credentialing, authentication and access control. Terry has spent the last 15 years specializing in large scale enterprise assessments, strategy and remediation for both information and physical security. Terry is a trusted advisor to the enterprise information security, audit, and white hat communities. He is a frequent speaker and trainer to private industry and law enforcement, and is engaged with specialized red teams and active investigations for assistance with situations that involve identity and fraud related crime and attacks.

Back to top



Pentesting ICS 102

Saturday, 1430-1830 in Flamingo, Valley of Fire II

Alexandrine Torrents Consultant, Wavestone

Arnaud Soullié Manager, Wavestone

ICS cybersecurity has been a new subject for years now, especially since Stuxnet. Has the security level of ICS improved?

Well, even if ICS are more and more interconnected, we can probably say yes for network segmentation, as well as patching. And it is mostly true for critical infrastructures that must comply with multiple laws around the world. But what about the most critical components such as PLCs?

In this workshop, you will learn how to attack PLCs, by attacking ICS protocols: a well-known legacy protocol, Modbus, as well as an open source protocol considered as the future of ICS communications, OPC-UA. And to do so, what could be better than giving you hands-on experience on real devices by hacking our model train?

We will start by defining industrial control systems and its main components, as well as explaining the key risks and vulnerabilities that affect them. We will then focus on their key assets, Programmable Logic Controllers (PLCs), and discover how they work, how they communicate, how they can be programmed to learn the methods and tools you can use to p*wn them.

Then we will move on to real-world by attacking real PLCs from two major manufacturers on a dedicated setup featuring robot arms and a model train! And to conclude, probably the most difficult, let's discuss how to secure ICS communications.

Skill Level Beginner

Prerequisites: A knowledge of penetration testing is a plus, but we try to make it work for newbies as well.

Materials: A computer with 4gb of RAM, 30GB disk space and Virtualbox. We will provide a Virtual Machine for attendees.

Max students: 40

Registration: https://www.eventbrite.com/e/pentesting-ics-102-valley-of-fire-ii-tickets-64797701670
(Opens 8-Jul-19)

Alexandrine Torrents
Alexandrine Torrents is a cybersecurity consultant at Wavestone, a French consulting company. She is specialized in penetration testing, and performed several security assessment on ICS. She worked on a few ICS models to demonstrate attacks on PLCs and she developed a particular tool to request Siemens PLCs. Moreover, she is also working at securing ICS, in the scope of the French military law, enforcing companies offering a vital service to the nation to comply to security rules.

Arnaud Soullié
Arnaud Soullié is a manager at Wavestone, performing security audits and leading R&D projects. He has a specific interest in Active Directory security as well as ICS, two subjects that tend to collide nowadays. He teaches ICS security and pentests workshops at security conferences (BlackHat Europe 2014, BSides Las Vegas 2015/2016, Brucon 2015/2017, DEFCON 24, DEFCON 26) as well as full trainings (Hack In Paris 2015 and 2018, BlackHat Asia 2019).

Back to top



scapy_dojo_v_1

Saturday, 1430-1830 in Flamingo, Lake Mead I

Hugo Trovao Hacker

Rushikesh D. Nandedkar Hacker

The workshop aims towards making beginners aware and comfortable with various facets of Scapy and its real time usages in various task of penetration testing.

The flow of workshop will be as under:
1. Scapy basics
2. TCP Basics
3. DHCP server
4. DHCP server flooder || DNS/MDNS
5. Crafting a layer using Scapy
6. Fuzzing protocols with Scapy
7. Covert channel using Scapy
8. Scapy-radio

Added value to the workshop:

What attendees will learn:
- sending/receiving/displaying/modifying packets with Scapy
- implementing custom layers in Scapy
- implement answerMachines in Scapy
- to construct tools implementing some real life examples
- simple fuzzing through Scapy and generators
- to decode live traffic with an implemented protocol

Working in Scapy consequently attendees will learn:
- TCP basics
- DHCP/DNS/MDNS basics
- AJP13 protocol
- fuzzing
- Scapy-radio
+
Prebuilt VM containing all scripts and dependencies in place.

An ISO in progress can be found at: https://drive.google.com/open?id=1wJ9OQOAnew3upyoFdMUz1hlo0WEuogJW (/root contains install script. /src contains scripts. python-netaddr dependency needs to be installed manually as of now with apt.)

Skill Level Beginner

Prerequisites: Basics of Python scripting and networks.

Materials: For Windows users:
1. Virtualbox installed
2. Administrator privileges
3. 4GB+ RAM
4. 50 GB free space

For *nix users:
1. Virtaulbox installed (optional)
2. Root privileges
3. 4GB+ RAM
4. 50 GB free space
(In case *nix users do not want to use Virtualbox, they can run scripts directly on their boxes, provided Python and Scapy is installed there.)

Max students: 26

Registration: https://www.eventbrite.com/e/scapy-dojo-v-1-lake-mead-i-tickets-63439609580
(Opens 8-Jul-19)

Hugo Trovao
Hugo is a computer enthusiast since he was a kid and always curious to know how things worked. He liked everything related to computers. He's a researcher by passion, consultant by job and penetration tester by heart. He finds himself at peace while poking holes in applications/networks/systems, while writing security tools tailored to the assessments requirement and indeed while meditating. Always wants to known a better more efficient way of doing things.

Rushikesh D. Nandedkar
He is a security analyst. Having more than six years of experience under his belt, his assignments have always been pointed towards reducing the state of insecurity for information. His research papers were accepted at NCACNS 2013, nullcon '14 & '18, HITCON '14, Defcamp '14, BruCON '15 '16 '17 '18, DEFCON 24, x33fcon '17 & '18, c0c0n-X '17, Bsides Delhi '17, BlackHat USA '18, DEFCON 26 + Co-author of "DECEPTICON," an intelligent evil-twin. Being an avid CTF player, for him, solace is messing up with packets, frames, and shellcodes.

Back to top



Writing custom backdoor payloads using C#

Saturday, 1000-1400 in Flamingo, Lake Mead II

Mauricio Velazco Threat Management Team Lead

Olindo Verrillo Hacker

This workshop aims to provide attendees hands-on experience on writing custom backdoor payloads using C# for the most common command and control frameworks including Metasploit, Powershell Empire and Cobalt Strike. The workshop consists in 7 lab exercises; each of the exercises goes over a different technique that leverages C# and .NET capabilities to obtain a reverse shell on a victim Windows host. The covered techniques include raw shellcode injection, process injection, process hollowing, runtime compilation, parent pid spoofing, antivirus bypassing, etc. At the end of this workshop attendees will have a clear understanding of these techniques both from an attack and defense perspective.

Skill Level Intermediate

Prerequisites: Basic to intermediate programming/scripting skills. Prior experience with C# helps bot not required.

Materials: Laptop with virtualization software. A Windows virtual machine A Kali Linux Virtual Machine.

Max students: 40

Registration: https://www.eventbrite.com/e/writing-custom-backdoor-payloads-using-c-lake-mead-ii-tickets-63439591526
(Opens 8-Jul-19)

Mauricio Velazco
Mauricio Velazco (@mvelazco) is a Peruvian, Infosec geek who started his career as a penetration tester and jumped to the blue team 7 years ago. He currently leads the Threat Management team at a financial services organization in New York where he focuses on threat detection/hunting and adversary simulation. Mauricio has presented and hosted workshops at conferences like Defcon, Derbycon and BSides. He also holds certifications like OSCP and OSCE.

Olindo Verrillo
Olindo Verrillo is a Senior Security Engineer who straddles the line between blue and red. He currently focuses most of his attention on purple teaming and detection engineering. Olindo has worked as Senior consultant, performing both offensive and defensive engagements for numerous Fortune 500 companies.

Back to top



Analysis 101 for Hackers and Incident Responders

Thursday, 1430-1830 in Flamingo, Red Rock IV

Kristy Westphal Hacker

You have a theory about something you have found while roaming the network or conducting your own hackfest, but how do you go about proving it? This workshop will be a hands-on journey deep into the world of analysis. While analysis is a bit of an art form, there are methods that can be applied to make it less of a gut feeling and more of a scientific approach to support your hypothesis. From network forensics to log analysis to endpoint forensics and malware analysis, we will review numerous quick methods to gain context over the data you have gathered and apply critical thinking in an attempt to find the answers. Sometimes, the answers weren't meant to be found, but we'll also discuss how to make the best of any conclusion that you reach.

Skill Level Beginner/Intermediate

Prerequisites: Security Operations Center background helpful, but not required. Operating Systems and Network basics helpful. A curiosity to figure out stuff is mandatory!

Materials:Bring a laptop with OS of your choice. You will need the Kali Linux (suggest VM or Virtual Box) and free Splunk (Splunk Light) installed ahead of time. You will also need to download sample files from this link: https://drive.google.com/drive/folders/1wimiz_aEHQxqQIxhBeTrePICnvR5r6b6?usp=sharing

Max students: 80

Registration: https://www.eventbrite.com/e/analysis-101-for-hackers-and-incident-responders-red-rock-iv-tickets-63606992226
(Opens 8-Jul-19)

Kristy Westphal
Kristy Westphal is a versatile information technology professional with specific experience in providing advisory and management services in the area of information security and risk. She currently runs an incident response team at a large organization in Tempe, AZ. Specializing in leadership and program development, specific expertise in security areas includes: process analysis, risk assessments, security awareness programs, operating system security, network security, incident handling, vulnerability analysis and policy development.

Back to top