44CON 2018 Workshops

For a full list of 44CON 2018’s confirmed speakers, please click here.

Bug Bounties: An introduction and path way to winning at bug bounties

Presented by: Shubham Shah and Nathan Wakelam

Today we finally live in a world where we can hack into a diverse range of companies, legally, whenever we want, and get paid for it!

This workshop is primarily for pentesters wanting to learn about the entire process of participating in bug bounties and how to do it well. This workshop will help participants with the following:

  • Which company do I hack, and which platform or program is right for me?
  • How do I (better) discover assets owned by an organisation to maximise attack surface?
  • How does bug bounty hunting differ from pentesting? (while they share similarities, the methodologies for finding bugs can be vastly different)
  • How do I write a good bug bounty report? (including platform specific tips and many examples)
  • How far do I go when I find a security issue to prove its severity? (mostly based off my experience in this tricky area)
  • What should I expect from a bounty and what do they expect from me? (maintaining good relationships with bounty programs)

(60 minute workshop)

Windows Internals and Local Attack Surface Analysis using Powershell

Presented by: James Forshaw

Inspecting the internals of Microsoft Windows and discovering interesting attack surfaces for local privilege escalation can be a dark art. Outside of trivial enumeration and fuzzing of drivers there’s little documentation about how you’d find interesting privileged attack surfaces such as brokers, internal RPC/DCOM services and badly configured applications to escape sandboxes and get administrator privileges.

In this workshop we’ll go through how to use a number of PowerShell tools such as NtObjectManager (https://www.powershellgallery.com/packages/NtObjectManager) that I’ve written to help identify interesting attack surfaces and from that extracting information through reverse engineering to discover how they can be exploited. The workshop will also contain an overview of important areas of Windows internals as they relate to privilege escalation and how PowerShell can give you more a better understanding of how these internal features work together.

Note this will be a 4 hr workshop rather than a 2 hr one.

Orange is the new Hack: Introduction to Machine Learning with Orange

Presented by: Philippe Arteau

Analyzing large number of security alerts can be repetitive and tedious. To help cope with the growing complexity of systems, analysts can use machine learning algorithms and other data analysis concepts. By doing prediction, machine learning algorithm can help prioritize and even reduce the amount of manual work needed. Data analysis can also help gain a better understanding of our data.
The workshop will introduce participants to the world of machine learning using the software Orange. A security-related scenario will be used for the hand-on exercises. For this scenario, a large dataset of vulnerabilities from web applications reported by a static analysis tool will be used. The dataset of vulnerabilities was enriched with key metadata that will help the algorithms. Some metadata will need transformation. Based on issues that were classified, it will be possible to predict which unclassified issues are likely to be actual vulnerabilities.
The attendants will be able to apply the same principles to the dataset in other contexts such as malware classification, system alert classification, vulnerability management, etc.

Breaking (All) Applications With Frida

Presented by: Jay Harris

Frida is a framework which allows us to inject JavaScript into running applications. This has made reverse engineering and modifying applications easier than ever. Although Frida has a large following amongst mobile application testers, Frida also supports desktop applications and with not much effort it is possible to profile, debug and patch code.

This 2 hour workshop will go though the basics of using Frida on Linux and Android and through exercises and walkthroughs show how Frida can be used to rapidly reverse engineer applications to understand logic flow, dump secrets and bypass security controls.

Although what we look at here is relevant to mobile applications, this is not a mobile hacking workshop (in fact, most exercises will take place on Linux binaries) but might be useful to mobile testers looking to take their security testing to the next level.

Advanced Wireless Attacks Against Enterprise Networks

Presented by: Gabriel Ryan

This workshop will instruct attendees on how to carry out sophisticated wireless attacks against corporate infrastructure. Attendees will learn how to attack and gain access to WPA2-Enterprise networks, bypass network access controls, and perform replay attacks to gain administrative control over an Active Directory environment. External wireless adapters and networking hardware will be provided to all workshop attendees, and material learned in the lectures will be practiced within a realistic lab environment.

Areas of focus include:

  • Wireless reconnaissance and target identification within a red team environment
  • Attacking and gaining entry to WPA2-EAP wireless networks
  • LLMNR/NBT-NS Poisoning
  • Firewall and NAC Evasion Using Indirect Wireless Pivots
  • MITM and SMB Relay Attacks
  • Downgrading modern SSL/TLS implementations using partial HSTS bypasses

ARM IoT Firmware Emulation Workshop

Presented by: Saumil Shah

Learn how to build your own testing and debugging environment for analysing IoT firmware images. Bug hunting in IoT firmware requires access to debugging, instrumentation and reverse engineering tools.

In this workshop, we shall learn how to extract firmware from a few ARM IoT devices, deploy the extracted filesystems on an ARM QEMU environment, and emulate the firmware as close to the original hardware environment as possible. We shall also learn how to intercept and emulate NVRAM access to faithfully reproduce the exact configuration available on the actual device. Participants are required to bring a laptop capable of running VMware Workstation/Fusion/Player. We shall distribute a virtual machine with ARM QEMU along with firmware images extracted on the spot from a few SoHo routers and IP Cameras.

The methodology discussed in this workshop is put together from the author’s own beats. While we use ARM as the base platform, the same methodology can also work for MIPS or other embedded architectures.

Length: 2 hours
Skill level: Intermediate

Developing Exploits with Scratch Workshop

Presented by: Kevin Sheldrake and Tim Todd

Scratch is a programming language and IDE targeted at teaching young children how to code. The environment is sprite-based with all code residing behind each of the sprites and the stage (background). It is particularly good at developing games not unlike the flash-based games of the 90s/00s. Typically, the Scratch environment is a sandbox limiting all actions to objects within its own world. With the offline version of Scratch v2, however, it is possible to load ‘experimental HTTP extensions’ that can introduce new blocks linked to python functions via a web service API.

Using the experimental extensions, I have implemented a set of blocks that allow access to TCP/IP functions. With these blocks it is possible to fuzz and exploit vulnerable services on a network-accessible victim machine. As a demonstration I have developed a PoC for the web server running on Saumil Shah’s tinysploit (stack smash) plus PoCs for two echo servers I have added to it (stack smash and format string vulnerability).

The aim of the workshop is for students to fuzz and develop exploits against (simple) vulnerable network services. Students will be provided with a Scratch environment (VM or bootable USB stick) plus a vulnerable VM to attack. Together we will fuzz and exploit two echo servers (stack smash and format string vulnerability) through interactive investigation in gdb and interactive development in Scratch. Students will then be encouraged to fuzz and develop an exploit against the vulnerable web server provided by tinysploit.

Upon completion of the Scratch exploits, we will quickly cover how to achieve similar results directly with python.

If you are new to penetration testing or have been around a while but have never developed your own exploit (maybe you don’t code so well in python or C, or maybe you aren’t comfortable with debugging in gdb) then this workshop will give you the skills to build exploits in Scratch and python and see how to apply this knowledge to more complicated environments.

Sys Mon! Why yu nuh logging dat?

Presented by: Charl van der WaltWillem Mouton, Carl Morris and Wicus Ross

Sysmon from Microsoft is a very powerful host-level tracing tool, which can assist in detecting advanced threats on your network. Its free with Windows and a native extension of the Windows stack. Sysmon performs system activity deep monitoring and logs high-confidence indicators of attacks and compromise, but in contrast to common Antivirus / HIDS solutions … its stable, mature, simple and FREE!

  • Sysmon can monitor lots of interesting activities, including:
  • Process creation (with full command line and hashes)
  • Process termination
  • Network connections
  • File creation timestamps changes
  • Driver/image loading
  • Remote thread creation
  • Raw disk access
  • Process memory access

and more.

Another cool technology – Windows Event Forwarding (WEF) – can then used to read the event log on a device and forward selected events to a Windows Event Collector (WEC) server.

Put these two together, dump it into the SIEM, database or Elastic Stack of your choice, and you have yourself a pretty fine Windows Event monitoring and Threat Hunting platform.

In this presentation we will introduce these powerful tools and show you how to implement WEF and deploy Sysmon using your existing AD infrastructure and Group Policy so there is minimal impact on resources, and how to remotely tune and improve the configuration as necessary.

Win!

So what then?

We will then move on to explore how to extract ‘actionable’ intelligence from these logs – what to look for, how to spot it and what to do when you do find the mythical needle in the haystack, using real, practical examples from our own day-to-day operations.

Finally, we will share in detail some of our experiment (failed and successful) with extracting even more value from these logs, for example:

  • Using Windows Event Logs via Sysmon to detect attacks on Web Applications
  • Performing Event Correlation by pulling Sysmon into MiSP
  • Using Python and scikit-learn to implement a semi supervised learning algorithm using a Markov chain random walk classifier to highlight anomalous events from large volumes of benign ones.

Security module for php7 – Killing bugclasses and virtual-patching the rest!

Presented by: Julien Voisin and Thibault Koechlin

Suhosin is a great PHP module, but unfortunately, it’s getting old, new ways have been found to compromise PHP applications, and some aren’t working anymore; and it doesn’t play well with the shiny new PHP 7. As a secure web-hosting company, we needed a reliable and future-proof solution to address the flow of new vulnerabilities that are published every day. This is why we developed Snuffleupagus, a new (and open-source!) PHP security module, that provides several features that we needed: passively killing several PHP-specific bug classes, but also implementing virtual-patching at the PHP level, allowing to patch vulnerabilities in a precise, false-positive-free, ultra-low overhead way, without even touching the applications’ code.

Source code: https://github.com/nbs-system/snuffleupagus

Website: https://snuffleupagus.readthedocs.io/

Twitter: https://twitter.com/sp_php

Also check our list of Talks for 44CON 2018.