44CON 2017 Workshops

ARM Assembly and Shellcode Basics

Presented by: Saumil Shah

A two hour workshop on writing ARM Shellcode from scratch. This workshop will cover some simple ARM assembly, and then two shellcode examples: A simple execve() shell and a fully working Reverse Shell. The shellcode will be tested in an ARM QEMU Emulator as well as on actual ARM hardware.

Participants will be provided with ARM images running on QEMU for testing their shellcode. A shared Raspberry Pi-2 cluster will be made available for testing the shellcode on proper ARM hardware. Participants are encouraged to also bring their own Raspberry Pi-2 devices to the workshop.

Introduction to Windows Logical Privilege Escalation

Presented by: James Forshaw

This workshop will go through an introduction to finding and exploiting logical privilege escalation vulnerabilities on Windows. More and more code running on Windows is done inside sandboxes or as non-administrators. This makes privilege escalation more important than ever. Memory corruptions are a common way of gaining higher privileges but Windows has been introducing more mitigations making exploitation harder. Logical vulnerabilities on the other hand are typically not affected by mitigations such as ASLR or DEP, but they’re generally more difficult to find. As an added complication they cannot be easily discovered through typical fuzzing approaches. Some of the topics to be presented will be:

  • Windows Internals as relevant to privilege escalation
    • Types of sandboxes, restricted and low box tokens
    • Under the hood
  • Attack surface analysis:
    • Probing the sandbox and the system
    • COM services
    • Exposed device drivers
  • File and registry vulnerabilities
    • How to find them and what to look for
    • Exploitation
  • Token vulnerabilities
    • How to find them and what to look for
    • Exploitation
  • UAC and unusual unfixed vulnerabilities
  • Working examples based on previous vulnerabilities

Attendees are welcome to participate throughout the workshop by bringing a Windows 10 32-bit VM installation. Access to all tools and examples demonstrated on the day will be provided.

UAC 0day, all day!

Presented by: Ruben Boonen

This workshop is available to attendees of all levels; however, a basic familiarity with Process Monitor and the Windows API is recommended. The workshop will provide the required knowledge to find, analyze and exploit process workflows which allow an attacker to elevate their privileges from Medium to High integrity. The workshop is divided into the following sections.

  • Identifying auto-elevating processes
  • Analyzing process workflows
  • Finding UAC bypass targets

Elevated File Operations:

  • Using the IFileOperation COM object
  • Tricking the Process Status API (PSAPI)

Getting UAC 0day (Pre RS2):

Looking forward:

  • Triaging Windows 10 Redstone 2
  • Leaving IFileOperation behind
  • COM objects & Fileless elevation

The workshop has intense hands-on labs where attendees will put the theory into practice. After attending you will immediately be able to apply this knowledge in the field. The next time someone tells you the default UAC settings are sufficient you will be able to set them straight!

Breaking Crypto the Easy Way With FeatherDuster

Presented by: Daniel Crowley

While there is a very large and rich body of academic work in cryptography, there is a comparatively small body of work regarding practical cryptographic issues. While it’s useful, possible, interesting, and even easy at times to apply 10 year old attacks to modern applications and systems, it doesn’t make for a good thesis paper. There’s also a general reluctance from application security folk to learn cryptography.

FeatherDuster is a tool which attempts to bridge the gap between cryptographers and application security professionals by making crypto review and exploitation as simple as possible, like Metasploit for crypto. In some cases, FeatherDuster can identify and exploit practical crypto flaws given nothing other than a series of encrypted messages.

This workshop will show attendees how to use FeatherDuster, from the easy-mode button that is FeatherDuster’s autopwn feature, all the way to writing your own FeatherModules and Python scripts which leverage FeatherDuster’s cryptanalysis module, Cryptanalib.

Developing Burp Suite Extensions

Presented by: Luca Carettoni

This workshop covers building Burp Suite extensions from start to finish. Starting with an introduction to Burp Suite, the Burp Extender and the Burp Suite APIs, the workshop will then cover setting up the IDE and generating a basic “Hello Burp” extension, and then move on to how to build a simple Burp Scanner extension.

The workshop is suitable for both web application security specialists and developers. Attendees are expected to have a rudimentary understanding of Burp Suite as well as basic Object-Oriented Programming experience. While Burp extensions are developed live in Java, attendees can work in Python or Ruby since all exercises are also provided in those languages.

Attendees should bring their own laptop with the latest Java JDK installed, and a working IDE. While we develop in NetBeans, Eclipse and IDEA are also good alternatives.

Reverse Engineering Windows Malware 101 Workshop

Presented by: Amanda Rousseau

Reverse engineering already sounds like black magic, when in reality it’s just lots of practice and strong foundations in computer science concepts. You might not always remember what you learned in computer science classes, or understood it well enough to actually apply it to the real world. The best way to learn is by getting hands-on practice. In this workshop, the main takeaway is learning how to set analysis goals. By using tools and computer science concepts you can work step by step towards those analysis goals. This workshop provides the fundamentals of reverse engineering (RE) Windows malware using a hands-on experience with RE tools and techniques. Attendees will be introduced to RE terms and processes, followed by creating a basic x86 assembly program, and reviewing RE tools and malware techniques. The workshop will conclude with attendees performing hands-on malware analysis that consists of Triage, Static, and Dynamic analysis.

Prerequisites: Basic understanding of programming in C/C++, Python, or Java
Requirements: Laptop with an OS that supports VirtualBox, and a wifi connection
Provided: A virtual machine and tools will be provided

Cracking HiTag2 Crypto – Detailed Look at the Academic Attacks

Presented by: Kevin Sheldrake

NOTE: The corresponding talk “Cracking HiTag2 Crypto – Weaponising Academic Attacks for Breaking and Entering” is a pre-requisite for this workshop. You must attend the talk if you plan to attend the workshop.

HiTag2 is an RFID technology operating at 125 kHz. It is distinguished from many others in the same field by its use of 2-way communications for authentication and its use of encryption to protect the data transmissions; the majority of RFID technologies at 125 kHz feature no authentication or encryption at all. As a result it has been widely used to provide secure building access and has also been used as the technology that implements car immobilisers.

In 2012, academic researchers Roel Verdult, Flavio D. Garcia and Josep Balasch published the seminal paper, ‘Gone in 360 Seconds: Hijacking with Hitag2’, that presented three attacks on the encryption system used in HiTag2. They implemented their attacks on the Proxmark 3 device (an RFID research and hacking tool) and gave several high-profile demonstrations, but didn’t release any of their code or tools. Since then, the forums supporting Proxmark 3 and RFIDler (another RFID hacking tool) have received many requests for implementations of these attacks, but so far none have been forthcoming.

In this workshop I will explain how HiTag2 RFID works in detail, including the PRNG and the authentication and encryption protocols, and will present my own implementations of the attacks, written for RFIDler and supported by desktop computers. The first attack uses a nonce replay to misuse the integrity protection of the comms in order to allow access to the readable RFID tag pages without needing to know the key. The second and third attacks use time/memory trade-off brute force and cryptanalytic attacks to recover the key, such that the contents of the read-protected pages can also be accessed. The attacks are weaponised and permit cloning of tags, which I will demonstrate.

All tools will be publicly released.

A Hands On Introduction To Software Defined Radio

Presented by: Didier Stevens

Software Defined Radio is a fascinating playfield for hackers. But the learning curve is steep, and SDR devices are expensive. This two hour hands on workshop introduces SDR via a gentle learning curve, and with cheap devices, so that everyone can participate. Operating SDRs via the open source software GNU Radio offers a wealth of possibilities, but it is hard for beginners to start with GNU Radio. You need a good grasp of the radio concepts to find your way through the software. SDR is quite different from analogue radio, and for most attendees, even analogue radio is quite mysterious.

With GNU Radio and GNU Radio Companion, I will guide the attendees through a set of exercises (specially designed for this workshop) intended to familiarize them with radio technology, SDR, GNU Radio and GNU Radio Companion. Each attendee should bring their own laptop; Didier will supply 20 cheap SDR devices (RTL2832U USB digital TV receivers) and a couple of higher-performance devices, such as the HackRF One, a WiSpy, and a handheld digital spectrum analyzer. We will boot from a Live CD and start with simple exercises to understand SDR. Because only 20 devices are available, the workshop is limited to 20 attendees. Attendees can, however, bring their own RTL2832U.

How to Hack Radios: Hands-On with RF Physical Layers

Presented by: Matt Knight and Marc Newlin

The Age of the Radio is upon us: wireless protocols are a dime a dozen thanks to the explosion of mobile devices and the Internet of Things. While proprietary wireless solutions may offer performance benefits and cost savings over standards like 802.11 or Bluetooth, their security features are rarely well-exercised due to a lack of access to these interfaces. The adoption of Software Defined Radio (SDR) by the security research community has helped shift this balance; however, SDR remains a boutique skillset. Join us as we lift the veil on SDR and show that a PhD is not needed to pwn the Internet of Things’ radios.

This workshop offers an applied tutorial on how to apply Software Defined Radio, with an emphasis on the “Radio” part. Rather than glossing over RF basics, we will frame our entire discussion about reverse engineering wireless systems around digital radio fundamentals.

We begin with an offensively short crash course in digital signal processing and RF communication, covering just enough to be dangerous, before introducing a reverse engineering workflow that can be applied to just about any IoT wireless system. The bulk of this session will demonstrate how this workflow can be applied to recover and inject packets from/into a variety of devices with proprietary modulations by walking through it, live and in detail, with attendees actively contributing to reverse-engineered solutions and working along in parallel.

Attendees should expect to walk away with practical knowledge of how to apply SDR to examine and deconstruct proprietary wireless protocols. We encourage attendees to bring along their own SDR hardware, though we’ll provide a handful of RTL-SDRs and live USB images for those who lack equipment. Finally, we will release all GNU Radio flowgraph templates and shell scripts for further hacking and development.

Capture-The-Flag 101

Presented by: Olivier Bilodeau

This workshop is a deep-dive into Capture-The-Flag (CTF) competitions for CTF first-timers. It will introduce CTFs and then help both teams and individuals prepare for them, evolving their applied cybersecurity skills in the process.

The workshop will have various levels (easy, medium, hard) of CTF challenges in several categories (binaries, Web, crypto) and hints and solutions will be provided during the workshop.