44CON 2014 Workshops

Some of the following workshops have specific requirements for items that attendees should bring along; full details can be found on the requirements page.

Advanced Excel Hacking

Presented By: Didier Stevens

This is a workshop on hacking Excel on Windows without exploits.

Visual Basic for Applications (VBA) is a powerful programming language, more powerful than VBScript, because it has access to the Windows API. What I teach in this workshop is applicable to all applications with VBA support (Word, Powerpoint, AutoCAD, …), but I choose Excel because of its prevalence and its tabular GUI that is particularly suited for inputting and outputting data.

I illustrate 2 major hacking techniques on Excel: pure VBA and VBA mixed with special shellcode and DLLs.

Creating A Security Awareness Program

Presented By: Valerie Thomas

Creating a security awareness program from scratch is no easy task. If you’re responsible for building a new program, modifying an existing program, or just want some educational resources for friends and family this workshop is for you. We’ll cover the basic components of an awareness program, training for budgets large and small, and bringing it all together to create a program that’s right for you.

The 100 Question InfoSec Quiz

Presented By: Jerry Gamblin

Do you love InfoSec? Do you like Trivia Questions? Do you like naturally ebullient Americans? If so this is the workshop for you. This will take place on the Wednesday Evening of 10th September.

No More Neck Beards: An Introduction to abusing the Android Kernel

Presented By: Josh Thomas

The Android / Linux kernel seems to still remain a magical place to a lot of us in the security industry. We understand exploitation fairly well, but when it comes to simple manipulation we find ourselves lost. In this workshop, I am hoping to change that paradigm.

We will focus on a guided exploration of some interesting and often overlooked portions of the kernel. We will analyze them, understand them, recompile them and see what happens on a real device. The primary focus will be on recreating the NandX project (hiding data on NAND Flash hardware) and Project Burner (manipulating power routing on device internals), but we will also walk through some other peculiar code that can be found hidden deep in the standard source tree.

The direct goal of this workshop is for all attendees to walk away with a deeper understanding and familiarity of the kernel itself and the ability to recreate and extend my specific kernel research.

Binary Protocol Analysis with CANAPE

Presented By: James Forshaw

CANAPE is an open source network proxy written in .NET. It has been developed to aid in the analysis and exploitation of unknown application network protocols using a similar use case to common HTTP proxies such as Burp or CAT.

This workshop will go through the basics of analysing an unknown application protocol with hands on training examples. By the end of the workshop candidates should be able to better understand CANAPE’s functionality and be able to apply that to other protocols they come across.

Incident Handling with CyberCPR

Presented By: Steve Armstrong & Mike Antcliffe & Ed Tredgett

In this workshop we will demonstrate the functionality of the new FREE Incident Response tool: Cyber Crisis Planning Room (CyberCPR) (www.crisisplanningroom.com). This new free tool has been designed to support Incident Handling. The tool has been written from the ground up by security cleared Incident Responders, so we added the sorts of features we wanted.

Playing the 44CON CTF

Presented By: Tim Pullen

If you’re interested in playing the 44CON CTF, this is the workshop for you. It will focus on my experience playing (and winning) the last 2 years of 44CON CTF, and give some advice on CTFs in general.

This will take place on the Wednesday Evening of 10th September

Switches Get Stitches

Presented By: Eireann Leverett & Matt Erasmus

This 2 hour workshop will introduce you to Industrial Ethernet Switches and their vulnerabilities. These are switches used in industrial environments, like substations, factories, refineries, ports, or other homes of industrial automation equipment. In other words, SCADA and ICS switches. You will gain familiarity with the basic usage of these switches, and do some very light traffic analysis and firmware reverse engineering.

Not only will vulnerabilities be disclosed for the first time (exclusively at 44CON), but the methods of finding those vulnerabilities will be shared. If you have never done any reverse engineering or firmware analysis, this might be a good place to start.

You will need to be familiar with a linux commandline, and the usage of tools such as BURP and wireshark. If you are an IDA Pro wizard we welcome your attendance, but we won’t be teaching you anything new. However, we will examine firmware and device embedded webservers with tools such as binwalk, strings, grep, xxd, python, scapy, and compression utilities.

All vulnerabilities taught/disclosed will be in the default configuration state of the devices. While these vulnerabilities have been responsibly disclosed to the vendors, SCADA/ICS patching in live environments tends to take 1-3 years. So this work will be fresh and useful for your penetration tests in the future.

You might even find new vulnerabilities with the chance to play with these devices (which are being brought to 44CON for this workshop)!

ARM Wrestling a Printer – How to Mod Firmware

Presented By: Michael Jordon

How secure is encrypted, embedded ARM firmware? This talk shows how an encrypted firmware image may be hijacked to run custom malware, demonstrated using a Canon printer. This talk will explain the full process, from breaking the encryption, identifying and understanding the flash file format, reverse engineering the binaries, bootloader, compression, and ARM instructions, patching the binary, development of an ARM backdoor, reversing the functionality to steal printed documents and scanned files, and finally rebuilding the firmware to create a malicious image which may be uploaded to the printer. The entire process is carried out without the need for authentication, and this work can be deployed simply by being on the same LAN/WLAN as the printer, or deployed via CSRF in the case of internet connected printers. All the above takes place on an ARM device which has no full OS, no debugger and no console. In the final demo I will show how far you really can take a printer.