44CON 2012 Workshops

Have you ever been to a killer talk or heard a fantastic webcast and thought “If I could only get my hands on and try this stuff I’d be all over it?” Well, when planning out 44CON this year we decided to offer a unique chance to get some practical training sessions to you that will allow you to learn skills you’d pay a training company a small fortune for. Unlike the talks, the workshops will not be on the DVD, so your only chance to acquire this knowledge is in person, kitted out with laptop, tools, and a caffeine-fuelled intensity appropriate to a monk who just escaped from the monastery and found the high street coffee house for the first time.

We have some of the best in the industry sharing killer skills and techniques that will push you to the edge of your game and beyond. So, let’s step into the lab, and see what’s on the slab…


Creating Fake USB Devices

Presented by: Phil Polstra

USB sticks get handed out at conferences, coffee shops, concerts, train stations and even family parties these days. But how do you know what is on that device given to you by that friendly market researcher? USB devices can be used not only to inject attacks through mass storage but also by emulating and exploiting peripherals such as mice, keyboards and scanners. Phil will explain how these devices can be created and used by the penetration tester and what to look for in an incident response.

This workshop will get participants started on the path to creating their own USB devices.  The basics of how USB devices work and what has to be done to emulate them will be covered.  The FTDI Vinculum II chipset will be used for this workshop.  Participants will leave knowing how to build a fake mass storage device such as the USB write blocker Phil presented at Black Hat Europe 2012 or something similar and also knowing how to make a keyboard logger or similar HID device.

Workshop Requirements

Attendees should have their own laptop either running Windows or with Windows installed in a virtual box.

Ideally each attendee would have a V2DIP1-32 development board and an FTDI debug board to use for this workshop. The cost for these two items is about GBP20.

Burp Plugin Development for Java n00bs

Presented by: Mark Wickenden

Burp Suite stands out as the de-facto attack proxy for web application assessments. Part of its power lies in the Burp Extender interface, which allows “developers” to extend Burp’s functionality, including reading and modifying runtime data and configuration, triggering key actions such as Burp Scanner, or extending the Burp user interface itself with custom menus and windows.

That’s great, but I’m not a developer, I’m a webapp tester and I want the goodness too

This practical workshop will take you from zero to hero even if you’ve never coded a line of Java in your life. Through some basic hands-on examples I will guide you through the process of getting your machine ready for coding, the key features of Burp Extender and how to use it to solve some real world web application testing scenarios.

Topics covered:

  • The problem Burp Extender solves
  • Getting ready
  • Introduction to the Eclipse IDE
  • Burp Extender Hello World!
  • Manipulating runtime data
  • Decoding a custom encoding scheme
  • “Shelling out” to other scripts
  • Limitations of Burp Extender
  • Examples of really cool Burp plugins to fire your imagination

The workshop will involve the installation of the Eclipse IDE onto attendee laptops. My intention is to distribute via a file share over wifi to save time downloading over the Internet. Alternatively I may provide the software and sample code on USB sticks if people are ok about putting them into their machines!

All workshop notes and code will be made available to attendees on the day and on the Internet for wider consumption after the conference.


Don’t be just another average tester. Optimise your webapp testing and don’t freak out when your client is using the latest funky compression algorithm which Burp doesn’t understand. Attend this workshop and get with the “program”.

Workshop Requirements

Attendees will require:

  • Laptop running Windows 7 (or OSX/Linux but I won’t be demonstrating with/troubleshooting these) with WiFi capability. VM is fine, if not preferred as software installation from an untrusted source (ie, me) is required.
  • Java Runtime Environment 6 or above
  • Burp Suite 1.4 and above (Professional preferred but Free will be ok)
  • Administrator rights to the machine as they will need to install software

Some programming experience is assumed. My background is in Bash, Perl, PHP, Python and Ruby if that helps to gauge your own capabilities.

Advanced Wi-Fi Security Penetration Testing

Presented by: Vivek Ramachandran

We see your SSIDs. We have enough traffic to extract your key hashes. We can inject and fake our way in using discovered credentials. But once you have this, how do you take it to the next level? In this workshop, Vivek will show how Wi-Fi is not just a way into the wired heart of the corporation, but can be used to control key corporate information security assets and pwn the entire network.

This workshop will provide a highly technical and in-depth treatment of Wi-Fi security. The emphasis will be to provide the participants with a deep understanding of the principles behind various attacks and not just a quick how-to guide on publicly available tools. We will start our journey with the very basics by dissecting WLAN packet headers with Wireshark, then graduate to the next level by cracking WEP, WPA/WPA2 and then move on to real life challenges like orchestrating Man-in-the-Middle attacks and creating Wi-Fi backdoors for Fun and Profit!


  • WLAN Protocol Basics using Wireshark
  • Bypassing WLAN Authentication – Shared Key, MAC Filtering, Hidden SSIDs
  • Cracking WLAN Encryption – WEP, WPA/WPA2 Personal and Enterprise, Understanding encryption based flaws (WEP, TKIP, CCMP)
  • Attacking the WLAN Infrastructure – Rogue Devices, Evil Twins, DoS Attacks, MITM
  • Advanced Enterprise Attacks – 802.1x, EAP, LEAP, PEAP, IPSec over WLAN
  • Attacking the Wireless Client – Honeypots and Hotspot attacks, Caffe-Latte, Hirte, Ad-Hoc Networks and Viral SSIDs, WiFishing
  • Breaking into the Client – Metasploit, SET, Social Engineering
  • Enterprise Wi-Fi Worms, Backdoors and Botnets
  • Wireshark as a Wireless Forensics Tool
  • Programming and Scripting Wireless packet sniffers and Injectors for fun and profit


  1. Trainer is author of the book – “Backtrack 5 Wireless Penetration Testing” which is now used as a guide to teach Wi-Fi pentesting and has discovered multiple attacks on Wi-Fi such as Caffe Latte attack, WEP cloaking cracking and Wi-Fi backdoors on Windows 7.
  2. Workshop is an advanced look into Wi-Fi pentesting in the enterprise on mechanisms such as PEAP, EAP-TTLS etc. which very few people know and understand well
  3. Every attack in the workshop will be shown as a live practical demo or a video – so participants will get a feel for how it is actually done, rather than death by PPT

Workshop Requirements

  • Internet connection

If you want to try some examples with Vivek using pcap files which will be provided, then you will need to have a BT5 R1/R2 installation, though this is not mandatory to follow the class.

OpenCL on .Net

Presented by: Bob Weiss

Ben utilized OpenCL for .Net for our software for the Enigma. This has broader applications for other crypto and computationally intensive applications. In this workshop we explore how the OpenCL library can be used to penetrate cryptographic protection systems and expose secrets that were thought impregnable!

Malware Analysis 101: Malware Analysis with Cuckoo Sandbox

Presented by: Michael Boman

To analyze malware at speed you need an automated system that does all the hard work for you, the skills to interpret the results from the tool, and the knowledge to enhance the tool to perform tasks it doesn’t yet know how to perform. This workshop will teach you how to install and configure Cuckoo Sandbox, how to analyze samples and interpret the results, and how to enhance Cuckoo Sandbox.

Workshop Content:

  1. Installation and configuration of Cuckoo Sandbox
  2. Analysis of samples
  3. Review of sample reports
  4. Extending and enhancing Cuckoo Sandbox

Malware Analysis 102: Manual Reversing of Malware

Presented by: Siavosh Zarrasvand

This workshop will teach you how to reverse basic malware, understand the malware at assembly level and debug it. You will also learn how packers work and some anti-debugging techniques.

Workshop Content:

  1. Introduction to Assembly for reversers (means you won’t be able to write assembly, only read and understand it)
       • Instructions, registers, flags, memory segments, etc
  2. Introduction to debugging
       • Will go a bit deep into breakpoints: soft, hard, memory
       • Short stop at patching
  3. Group exercise
  4. Packers, how they work
  5. Basic anti debugging techniques
  6. Group exercise on how to bypass basic anti debugging techniques. (Can be executed individually, depending on the will of the audience)

Using relationship data to unseat undetected persistent malware

Presented by: Michael Viscuso

Most defenders claim that digital defenders are at a serious disadvantage to attackers. The defender must be perfect. If he makes a single mistake, or leaves one door open, he will lose. The attacker on the other hand just has to be correct once, and can try, and try, and try again until he is. What’s worse, says the defender, is that when the attacker is successful, it’s incredibly difficult for the defender to find him. More often than not he has to make a mistake or fall behind the curve in order for the defender to find his presence.

Today we are going to turn the tables. After learning the techniques presented in this workshop, you will finally be able to leverage new research findings against historical data to identify morphing malware and advanced persistent threats.

NIPS and Tatties

Presented by: Arron Finnon

The ‘Network Intrusion Detection/Prevention Systems’ (NIDS/NIPS) market can be a complicated place, even for a seasoned security professional. People in reality could think themselves more than justified in saying “they’re useless”, especially in the wake of countless network compromises. It’s hard to avoid a situation, past or present, where total network compromise has come to light even though NIDS/NIPS had been in place. Their purpose by name alone is clear: they’re there to prevent and/or detect intrusions.

Depending on how you look at it, I have been fortunate or unfortunate enough to be involved with NIDS/NIPS for some time – although my involvement hasn’t been within the world of vendors and products, but detection and mitigation. NIDS/NIPS devices have, and rightly so, faced a lot of criticism over the years. NIDS/NIPS have been “dead for a number of years” some have said, which has always amazed me. Especially as they’re deployed in large numbers since those obituaries were written. In some cases they’re deployed to satisfy compliance, and in other cases they’re there to actually defend. Still the facts are as follows:

– They do have a place and a purpose

– They don’t always do what they claim

– The security community will continue to moan about them not being a “silver-bullet” solution.

This workshop looks at the current situation that surrounds the murky world of vendor spin and Intrusion Detection/Prevention Systems, discussing the potential avenues that as a security community we can take to gain some control over a lost situation. The ability to deploy simple and effective tests to gauge your own reactions to attempts to subvert your detection system is beneficial in its own right. Adopting an approach where detection rates outweigh network performance figures may also give a better understanding of signs of attack.

However either way, having your own facts and figures to discuss issues with vendors is priceless.

If NIDS/NIPS are a “no silver bullet solution” then a more hands on approach is required. By no means is this workshop going to secure your network overnight, and it is no guarantee that some blackhat will fail or succeed. The aim of this workshop is to plant a seed, allowing people to walk away finding that more questions need to be asked of their detection systems, and so we must find a better way of asking them. Hopefully, attendees will leave with at least one major question niggling at their sub-consciousness: “What questions would an IPS hacker ask a vendor?”

Get More From Your Pentest The Tiger Scheme Way

Presented by: Steve Lord

This is an interactive 90 minute workshop for end users of penetration testing from the day to day security ops guy up to the CSO on how to get more from your security test. Lots of people get security tests done and have a fairly ingrained workflow at their end. Often this means copying and pasting from a PDF into a document into a spreadsheet and a whole load of other mundane tasks while the report sits on the shelf. As a customer, you deserve better from us pentesters.

Over the course of the workshop we’ll start with the penetration test cycle, including developing actionable intelligence and integration with your forensic readiness capabilities. I’ll take you through a typical Internet-facing penetration test from start to finish from the provider view, walking through actual pentest output, our small and big methodology documents and a real report. This will be followed by an open discussion on things that we as pentesters can do to make things better.

If you’re a penetration tester please do feel free to come along, but bear in mind that if it’s fairly busy in the workshop I might ask you to leave so that more end users of penetration testing can come in.


The workshop is interactive. It’s part classroom format but do ask questions and the second half is fully interactive, so if you don’t ask questions I might accidentally Nerf you. As expected, I will be strict on time as I’m sure people will try to Nerf me if I run over, and rightly so! The topics covered in the workshop include:

  • Penetration testing and other related processes
  • Integrating processes with your penetration testing
  • Actionable intelligence
  • Setting goals
  • Scope and rules of engagement
  • Schemes, badges and certifications
  • Methodologies
  • A typical penetration test
  • Threat ratings, traffic lights and voodoo
  • The wash-up
  • Handling findings (snog, marry, avoid)
  • Information sharing and intelligence management
  • The known knowns we can help with
  • The known unknowns we might be able to help with
  • The unknown unknowns (or over to you)

Shamelessly stealing from Stephen Bonner I will be handing out sweets/choccies to people that ask questions or have confessions to make. As such, this workshop will most definitely not be filmed, and will operate under the Chatham House rule.


I’ve been a penetration tester for over a decade as well as a customer in the past. I also invigilate QSTM exams and occasionally review reports by other testers. I interact with security teams across various sectors around the world with budgets ranging from a chalk outline of a shoestring to millions of pounds on a daily basis. As such I get a lot of sight of the things people do, the things that work and the things that fail and even worse, the things that fail so hard the organisation has to migrate to the ostrich paradigm and work around the problem rather than admit fault and fix it. If you’re someone that uses penetration test reports and you find you have a keyboard or desk-edge shaped wedge in your forehead from dealing with either processes or fallout, this is probably a good workshop to attend.

Attendees will need to bring

The ability to interact (i.e. no major restrictions on sharing anonymised anecdotes about their experiences with attendees)

SecBiz Workshop – Bridging the Security/Business Gap

Presented by: Rafal Los

Too many security professionals struggle for relevance in their organizations. The primary reason for much of this struggle is the significant disconnect between the goals of protecting the business, and actually conducting business. After countless conversations with security professionals in organizations large and small, it has become apparent that the security community needs a course on aligning security and business values, and understanding exactly what you’re protecting before you can answer how. If you’re frustrated, and feel disconnected from the business you serve as a security professional you need to be in this workshop. In a collaborative environment we will work through your organization’s goals, your actual security objectives and give you the tools and perspective to be a better agent of change, and to allow you to understand what it is you’re protecting before you start to formulate a strategy of how. In the spirit of Security BSides, there will be no spectators so if you sign up, please be ready to participate, and have as much of the pre-work ready as possible.

Requirements before the workshop:

Attain (through interview, or other information gathering) the following information:

  • Corporate mission statement
  • The organization’s yearly, and quarterly goals (as accurate as possible)
  • Your Information Security strategic goals for the current & next Fiscal Year (FY)
  • Your information security budget (doesn’t need to be specific dollar amounts, or vendor names… only ‘what do you spend money on?’)
  • The business’s top 3 “gripes about security”
  • 3 recent relevant business events in your industry (product recall of a competitor, industry buzz, etc)
  • 3 recent relevant information security events in your industry