44CON 2014 Workshops

Some of the following workshops have specific requirements for items that attendees should bring along; full details will be published on the requirements page closer to the event.

Advanced Excel Hacking

Presented By: Didier Stevens

This is a workshop on hacking Excel on Windows without exploits.

Visual Basic for Applications (VBA) is a powerful programming language, more powerful than VBScript, because it has access to the Windows API. What I teach in this workshop is applicable to all applications with VBA support (Word, PowerPoint, AutoCAD, …), but I choose Excel because of its prevalence and its tabular GUI, which is particularly suited for inputting and outputting data.

I illustrate 2 major hacking techniques on Excel: pure VBA and VBA mixed with special shellcode and DLLs.

Creating A Security Awareness Program

Presented By: Valerie Thomas

Creating a security awareness program from scratch is no easy task. If you’re responsible for building a new program, modifying an existing program, or just want some educational resources for friends and family this workshop is for you. We’ll cover the basic components of an awareness program, training for budgets large and small, and bringing it all together to create a program that’s right for you.

The 100 Question InfoSec Quiz

Presented By: Jerry Gamblin

Do you love InfoSec? Do you like Trivia Questions? Do you like naturally ebullient Americans? If so this is the workshop for you.

No More Neck Beards: An Introduction to abusing the Android Kernel

Presented By: Josh Thomas

The Android / Linux kernel seems to still remain a magical place to a lot of us in the security industry. We understand exploitation fairly well, but when it comes to simple manipulation we find ourselves lost. In this workshop, I am hoping to change that paradigm.

We will focus on a guided exploration of some interesting and often overlooked portions of the kernel. We will analyze them, understand them, recompile them and see what happens on a real device. The primary focus will be on recreating the NandX project (hiding data on NAND Flash hardware) and Project Burner (manipulating power routing on device internals), but we will also walk through some other peculiar code that can be found hidden deep in the standard source tree.

The direct goal of this workshop is for all attendees to walk away with a deeper understanding of and familiarity with the kernel itself, and the ability to recreate and extend my specific kernel research.

Binary Protocol Analysis with CANAPE

Presented By: James Forshaw

CANAPE is an open source network proxy written in .NET. It has been developed to aid in the analysis and exploitation of unknown application network protocols, with a workflow similar to that of common HTTP proxies such as Burp or CAT.

This workshop will go through the basics of analysing an unknown application protocol with hands on training examples. By the end of the workshop candidates should be able to better understand CANAPE’s functionality and be able to apply that to other protocols they come across.

Incident Handling with CyberCPR

Presented By: Steve Armstrong, Mike Antcliffe & Ed Tredgett

In this workshop we will demonstrate the functionality of the new FREE Incident Response tool: Cyber Crisis Planning Room (CyberCPR) (www.crisisplanningroom.com). This new free tool has been designed to support Incident Handling. The tool has been written from the ground up by security-cleared Incident Responders, so we added the sorts of features we wanted.

Playing the 44CON CTF

Presented By: Tim Pullen

If you’re interested in playing the 44CON CTF, this is the workshop for you. It will focus on my experience playing (and winning) the last 2 years of 44CON CTF, and give some advice on CTFs in general.

Switches Get Stitches

Presented By: Eireann Leverett & Colin Cassidy

We introduce two industrial Ethernet switches used in ICS deployments: the GE Multilink ML800 and the Siemens Scalance X200. I will bring these switches to the venue and wire them up. I can bring a few other ICS switches if desired, but I have vulns for these two so far.

We hand out a pcap file of the Multilink ML800 firmware upload. This comprises a mix of HTTPS and FTP traffic. We use tcptrace to pull the firmware out of the FTP session, and then begin some light firmware analysis. This involves using strings to learn that part of the firmware is a deflate-compressed blob. We do some file carving with dd to pull the compressed blob out, and then extract it by concatenating the gzip magic bytes onto the front. Once we have the firmware we extract some hardcoded RSA private keys. One of those keys can be used to decrypt the HTTPS session and recover the switch username and password from the very same pcap file. We discuss key management in ICS devices, and any other vulns found between now and the workshop. This key has been reported to GE Energy, but no fix is available yet (exclusive vuln for 44CON). It affects not only this switch but 7 of the 9 switches in the family, and since it is made by GarrettCom, it impacts their switches too.

There is a second RSA private key, protected by a password that I am currently brute-forcing. I expect to have more to say about that by the workshop date. (Exclusive vuln for 44CON.)
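The ML800 carving steps described above (strings to spot the compressed blob, dd to carve it, the gzip magic bytes concatenated onto the front, then harvesting the RSA keys from the inflated image) reproduced as an added Python example that is not part of the workshop materials. The firmware image it scans is constructed inline, the PEM bodies are placeholders rather than real keys, and the function names are my own. Instead of carving at a hand-picked dd offset it tries every offset and lets zlib's gzip-trailer check confirm a genuine stream, and it flags the OpenSSL Proc-Type: 4,ENCRYPTED header that marks a password-protected key like the second one mentioned above.

```python
"""Carve a headerless gzip body out of a firmware image and pull PEM private keys from it.

Added example mirroring the ML800 workflow above. The firmware image is
constructed below; it is not the GE ML800 image from the workshop, and the
PEM bodies are placeholders, not real keys.
"""
from __future__ import annotations

import gzip
import re
import zlib

# Minimal 10-byte gzip member header: magic 1f 8b, CM=8 (deflate), no flags,
# MTIME=0, XFL=0, OS=3 (Unix). Prepending it to a carved body rebuilds a
# gunzip-able file; this is the "concatenate the gzip magic bytes" step.
GZIP_HEADER = b"\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x03"

# PEM armour for private keys; the backreference forces BEGIN/END labels to match.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)


def printable_strings(data: bytes, min_len: int = 8) -> list[str]:
    """Equivalent of `strings -n 8`: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def carve_gzip_bodies(image: bytes, min_out: int = 64) -> list[tuple[int, int, bytes]]:
    """Try each offset as the start of a headerless gzip body (deflate + CRC32 + ISIZE).

    zlib with wbits=31 parses the rebuilt gzip header, inflates, and verifies the
    trailer, so a hit means a complete stream whose CRC matches, not a lucky
    partial decode of garbage. Returns (offset, length_in_image, inflated) per hit.
    """
    found = []
    off = 0
    while off < len(image):
        d = zlib.decompressobj(wbits=31)
        try:
            out = d.decompress(GZIP_HEADER + image[off:])
        except zlib.error:           # bad block type, bad lengths, CRC mismatch ...
            off += 1
            continue
        if d.eof and len(out) >= min_out:
            consumed = len(image) - off - len(d.unused_data)
            found.append((off, consumed, out))
            off += consumed          # skip past the stream we just recovered
        else:
            off += 1                 # decoded something but never hit end-of-stream
    return found


def extract_pem_keys(blob: bytes) -> list[dict]:
    """Return every PEM private key in blob, flagging password-protected ones
    (an OpenSSL 'Proc-Type: 4,ENCRYPTED' header makes the key a brute-forcing
    target rather than an immediately usable one)."""
    keys = []
    for m in PEM_RE.finditer(blob):
        keys.append({
            "type": m.group(1).decode("ascii"),
            "encrypted": b"Proc-Type: 4,ENCRYPTED" in m.group(2),
            "pem": m.group(0),
        })
    return keys


def analyse(image: bytes):
    """Whole pipeline: zlib hint from strings, carve, inflate, harvest keys."""
    hints = [s for s in printable_strings(image) if "inflate" in s.lower()]
    streams = carve_gzip_bodies(image)
    keys = [k for _, _, body in streams for k in extract_pem_keys(body)]
    return hints, streams, keys


def build_sample_image() -> tuple[bytes, int]:
    """Constructed stand-in for the firmware: a boot header, the zlib banner that
    `strings` surfaces, filler, then a rootfs fragment compressed with gzip and
    its 10-byte header stripped. Returns the image and the body's true offset."""
    rootfs = (
        b"/etc/ssl/server.key\n"
        b"-----BEGIN RSA PRIVATE KEY-----\n"
        b"MIIBOgIBAAJBAK...constructed placeholder, not a real key...\n"
        b"-----END RSA PRIVATE KEY-----\n"
        b"/etc/ssl/backup.key\n"
        b"-----BEGIN RSA PRIVATE KEY-----\n"
        b"Proc-Type: 4,ENCRYPTED\n"
        b"DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"
        b"\n"
        b"...constructed placeholder, not a real key...\n"
        b"-----END RSA PRIVATE KEY-----\n"
    ) + bytes(range(256)) * 4  # filler so the stream is non-trivial
    prefix = (
        b"BOOT\x00\x01\x02\x03"
        + b"inflate 1.2.8 Copyright 1995-2013 Mark Adler\x00"
        + b"\xff" * 32
    )
    body = gzip.compress(rootfs, mtime=0)[10:]  # drop the header, keep deflate + trailer
    return prefix + body + b"\x00" * 16, len(prefix)


SAMPLE_IMAGE, SAMPLE_OFFSET = build_sample_image()

if __name__ == "__main__":
    hints, streams, keys = analyse(SAMPLE_IMAGE)
    print("strings hint:", hints)
    for off, length, body in streams:
        print(f"gzip body at 0x{off:x}, {length} bytes -> {len(body)} bytes inflated")
    for k in keys:
        print(k["type"], "(encrypted)" if k["encrypted"] else "(cleartext)")
```

The recovered cleartext key only decrypts the HTTPS session if the capture used an RSA key-exchange cipher suite, where the client encrypts the pre-master secret under the server's key; with (EC)DHE suites the key buys you impersonation of the switch but not passive decryption. In Wireshark the key is loaded through the TLS (formerly SSL) protocol preferences as an RSA keys list entry.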

We present 3 older vulnerabilities in the Siemens Scalance X200 family: session hijacking, brute-forcing of MD5+nonce, and last but not least an auth bypass for firmware, configuration and log-file upload/download. These vulns are hilariously bad, but they show the audience the art of session ID analysis, cracking, and light firmware analysis in embedded/ICS devices. Lastly, while these vulns are old, they will be present in the wild for another 2-5 years because of ICS lifecycles. We finish with a brand new vulnerability in Siemens' newest firmware: a hardcoded private key once again (exclusive vuln for 44CON).

We close with a discussion of key management in industrial Ethernet switches, and of how MITM is effective in ICS because of poor protocol security. We also explain how MITM is sometimes hindered by the real-time constraints of an ICS system.