Workshops

With @sambowne, @djhardb, @KaitlynGuru, and @infosecirvin.

Beginners

Cryptography and Blockchain Security
Wireshark CTF
Violent Python 3
Securing Web Apps
Go the Wrong Way
COBOL CTF

Intermediate

Full-Stack Incident Response
Introduction to Attack Techniques
Threat Hunting with Splunk

Advanced

Windows Internals
Malware Analysis
Introduction to Exploit Development
Security Auditing Android and iOS Apps

Structure

All these workshops are structured in a CTF format. Each participant works at their own pace. The techniques will be demonstrated, with complete step-by-step instructions to lead beginners through the easy challenges. There are also harder challenges for more experienced participants. We will help participants as needed, to ensure that everyone learns new techniques.

Participants need a computer that can run virtual machines, or a credit card and a few dollars to rent cloud servers. We will use Linux and Windows systems. All the tools we will use are freely available, and all the training materials will remain available to everyone after the workshop ends.

Full-Stack Incident Response

OVERVIEW

Class structure: A live CTF scoreboard is running so participants can compete to solve challenges. The instructor will briefly explain the principles and demonstrate the attacks, but workshop participants will spend most of their time performing hands-on projects. Complete instructions guide participants through beginning projects, and a series of challenges of escalating difficulty are presented to encourage each participant to progress to their appropriate level of accomplishment. This way, novices can gain awareness of the tools, techniques, and results of each activity, and more advanced participants can delve deeply into the details. Our goal is to make sure each participant learns useful, new things in their area of interest. We will have several instructors available to tutor participants one-on-one as needed.

We will cover these topics:

MITRE ATT&CK

We will begin with a high-level view of attacks: Groups, Tactics and Techniques in the ATT&CK matrix, and attribution. We will use Caldera to simulate all the stages of an attack and test defenses.

Network Security Monitoring

We will cover centralized security monitoring in detail, using Splunk and Suricata to find and analyze attacks.

We will use a pre-installed Splunk server with archived attack data to find and analyze attacks, including vulnerability scans, brute-force attacks, ransomware, and Web site defacement.

Then we will analyze network traffic with Wireshark, VirusTotal, and PacketTotal to find suspicious traffic, reconstruct the attacker's actions, and recover downloaded files. We will generate attack traffic with Scapy and monitor traffic with simple Python scripts.
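The traffic-monitoring scripts mentioned above can be quite small. The following is an added example written for this page, not part of the workshop materials and not Scapy code: it builds a tiny pcap in memory from constructed Ethernet/IPv4/TCP frames (one host sending bare SYNs to 30 ports, another completing a normal three-way handshake), parses the capture with only the standard library, and flags any source that sent SYN-only segments to at least a threshold number of distinct ports. The addresses, ports and threshold are assumptions chosen for the sample.

```python
import struct
from collections import defaultdict

TCP_SYN, TCP_ACK = 0x02, 0x10


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_frame(src_ip, dst_ip, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame for the sample capture (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return header + b"".join(records)


def parse_pcap(data: bytes):
    """Yield (src_ip, dst_ip, sport, dport, tcp_flags) for every IPv4/TCP packet in a pcap."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24                                             # skip the global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                     # not IPv4
        ihl = (frame[14] & 0x0F) * 4                     # IP header length in bytes
        if frame[23] != 6:
            continue                                     # not TCP
        ip_hdr = frame[14:14 + ihl]
        tcp = frame[14 + ihl:14 + ihl + 20]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield bytes_to_ip(ip_hdr[12:16]), bytes_to_ip(ip_hdr[16:20]), sport, dport, tcp[13]


def syn_scanners(packets, threshold=20):
    """Return {src_ip: n} for sources whose bare SYNs (SYN set, ACK clear) hit >= threshold distinct (dst, port) pairs."""
    targets = defaultdict(set)
    for src, dst, _sport, dport, flags in packets:
        if flags & (TCP_SYN | TCP_ACK) == TCP_SYN:
            targets[src].add((dst, dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


# Constructed sample capture (assumed addresses): 10.0.0.5 probes 30 ports on 10.0.0.10,
# while 10.0.0.6 completes an ordinary handshake to port 80.
SAMPLE_FRAMES = [build_frame("10.0.0.5", "10.0.0.10", 40000 + i, i + 1, TCP_SYN) for i in range(30)]
SAMPLE_FRAMES += [
    build_frame("10.0.0.6", "10.0.0.10", 51000, 80, TCP_SYN),
    build_frame("10.0.0.10", "10.0.0.6", 80, 51000, TCP_SYN | TCP_ACK),
    build_frame("10.0.0.6", "10.0.0.10", 51000, 80, TCP_ACK),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    print(syn_scanners(parse_pcap(SAMPLE_PCAP)))        # {'10.0.0.5': 30}
```

Real captures contain VLAN tags, IP options, fragments and checksums that this parser deliberately ignores; the SYN-without-ACK test itself is the same heuristic that Suricata and Zeek scan detectors apply at scale, and the threshold is what separates a port scan from a busy client.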

We will practice using Zeek, the powerful network security monitor formerly called Bro. We'll practice writing simple code to customize Zeek, using it to analyze captured traffic, and then install it on a cloud server and use it to detect live attacks.

Defending Windows

We will use many techniques to defend Windows systems, including detecting ransomware with Sysmon and Splunk, RAM analysis, detecting known malware with yara, and prefetch forensics.

We will use Velociraptor extensively for threat hunting on Windows systems, finding malware and persistence mechanisms, scanning for indicators of compromise, and capturing traffic remotely.

Analyzing Malware

We'll use many techniques to analyze the behavior of malware to find indicators of compromise and understand the harm it does. We'll use simple static analysis with strings, PE file analysis tools, and packers. Then we'll perform dynamic analysis with debuggers, disassembly with IDA Pro, and decompiling with Ghidra.

We will explore the structure of Windows executables in detail, including using assembly code, exploring the import table, performing DLL injection and DLL proxying, and examining Windows API calls in userland and the kernel in detail.

We will examine the MBR and a simple bootkit.

Prior Knowledge and Equipment Requirements

Previous experience with C and assembly language is helpful but not required. Participants will need a laptop with a Web browser and two monitors. We will provide cloud servers for participants who don't want to run the machines locally.

KEY TAKEAWAYS

Understanding of threat actors and the ATT&CK matrix
Experience with network monitoring tools and Splunk
Thorough understanding of the Windows API and malware analysis methods

WHO SHOULD TAKE THIS COURSE

Analysts and executives responsible for protecting enterprises who wish to understand threat groups, defenses in overview, and the granular details of Windows exploits and defenses.

AUDIENCE SKILL LEVEL

Beginner/Intermediate

WHAT PARTICIPANTS NEED

Participants will need a laptop with a Web browser and two monitors. We will provide cloud servers for participants who prefer not to run the machines locally.

WHAT STUDENTS WILL BE PROVIDED WITH

Access to the challenges, complete instructions, and a live running scoreboard. They will remain available after the workshop concludes, and they are all free to use with a Creative Commons license.

Cryptography and Blockchain Security

Level: Beginner

Learn how blockchains, cryptocurrency, coin offerings, and smart contracts work in a series of challenges. We will also cover the underlying cryptography: hashes, symmetric encryption, and asymmetric encryption. We will configure wallets, servers, and vulnerable smart contracts, and exploit them.

We will configure systems using Bitcoin, Ethereum, Hyperledger, Multichain, Stellar, and more. We will perform exploits including double-spend, reentrancy, integer underflow, and logic flaws.

No previous experience with coding or blockchains is required.

Detailed Outline

Format

The workshop is structured in a CTF format, so each participant can work at their own pace. The techniques will be demonstrated, with complete step-by-step instructions to lead beginners through the easy challenges. There are also harder challenges for more experienced participants. We will help participants as needed, to ensure that everyone learns new techniques.

Participants need a credit card and a few dollars to rent Cloud servers, or a host machine that can run virtual machines. We will use Linux and Windows systems. All the tools we will use are freely available, and all the training materials will remain available to everyone after the workshop ends.

The challenges include:

1. Basic blockchain concepts
   a. Simple conceptual blockchain on Github
   b. Hashes, collisions, and Pollard's Rho method
2. Wallets
   a. MetaMask and Ethereum
   b. Preparing an Android emulator
   c. MetaMask mobile wallet
3. Smart Contracts
   a. Making a Solidity Contract
   b. Making a Coin with Solidity
   c. Exploiting a contract with a reentrancy attack
   d. Winning an auction by exploiting a logic flaw
   e. Hacking PoWHCoin with an underflow
   f. Performing a double-spend (51%) attack on Bitcoin
4. Servers
   a. Preparing a Linux cloud machine
   b. Making a private Ethereum blockchain
   c. Making a Node on the Kovan Proof-of-Authority Testnet
   d. MetaMask with Local Testnet
   e. Hyperledger IROHA (from IBM)
   f. Using Multichain
5. Essential Cryptography
   a. Symmetric encryption
      i. Substitution ciphers
      ii. One-time pad and Two-time pad
      iii. AES in ECB and CBC modes
      iv. AES-GCM with Libsodium
   b. Asymmetric encryption
      i. RSA
      ii. Elliptic-curve cryptography with Libsodium
6. Cryptographic attacks
   a. Padding oracle attack
   b. Existential forgery
   c. Finding large primes
   d. Factoring large numbers
   e. Baby-step, giant-step attack on the Discrete Logarithm Problem (DLP)
   f. Pollard-Rho attack on the DLP
7. Madness
   a. Quantum computing
   b. Homomorphic encryption with Microsoft's SEAL
   c. IBM's homomorphic encryption
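As an added illustration of item 6e, written for this page and not taken from the workshop challenges: baby-step giant-step solves g^x = h (mod p) with about sqrt(p) multiplications and sqrt(p) table entries, where a brute-force search needs up to p steps. The prime, generator and exponent in the sample run are arbitrary assumptions; the brute-force function is included only so the two answers can be compared on a small modulus.

```python
from math import isqrt


def baby_step_giant_step(g: int, h: int, p: int):
    """Return the smallest x >= 0 with pow(g, x, p) == h, or None if there is no solution.

    Time and memory are O(sqrt(p)).  g must be invertible mod p (true for any g in 1..p-1 when p is prime).
    """
    n = p - 1                          # order of the multiplicative group when p is prime
    m = isqrt(n) + 1                   # m*m > n, so every x < n can be written as i*m + j
    baby = {}                          # baby steps: g^j -> j, keeping the smallest j
    e = 1
    for j in range(m):
        baby.setdefault(e, j)
        e = e * g % p
    giant_factor = pow(g, -m, p)       # g^(-m); negative exponent = modular inverse (Python 3.8+)
    gamma = h % p
    for i in range(m):                 # giant steps: gamma = h * g^(-i*m)
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant_factor % p
    return None


def brute_force_dlp(g: int, h: int, p: int):
    """Reference solver: try every exponent in turn.  Fine for p around 1000, hopeless beyond that."""
    e = 1
    for x in range(p - 1):
        if e == h % p:
            return x
        e = e * g % p
    return None


if __name__ == "__main__":
    p, g, secret = 1000003, 2, 123456           # assumed sample parameters
    h = pow(g, secret, p)
    x = baby_step_giant_step(g, h, p)
    print(x, pow(g, x, p) == h)                 # 123456 True
```

The square-root cost is the reason real discrete-log parameters use groups with on the order of 2^256 elements or more: a group of a million elements, as in the sample run, falls instantly, and a 2^40 group falls in about a million table lookups.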

Wireshark CTF

Level: Beginner

Analyze packet captures to identify protocols, recover passwords and files, identify malicious traffic, and more.

No previous experience with Wireshark is required.

Windows Internals

Level: Beginner

Abstract

Explore the structure of Windows executable files and the operating system itself, to better understand programs, services, malware, and defenses. Projects include: cheating at games, building malicious DLL libraries, stealing passwords from the API, building a keylogger, and debugging a driver. Tools used include FLARE-VM, pestudio, API Monitor, Visual Studio, OllyDbg, IDA Pro, Ghidra, and WinDbg.

No previous experience with programming is required.

Details

Format

The workshop is structured in a CTF format, so each participant can work at their own pace. The techniques will be demonstrated, with complete step-by-step instructions to lead beginners through the easy challenges. There are also harder challenges for more experienced participants. We will help participants as needed, to ensure that everyone learns new techniques.

Participants need a credit card and a few dollars to rent Cloud servers, or a host machine that can run virtual machines. We will use Linux and Windows systems. All the tools we will use are freely available, and all the training materials will remain available to everyone after the workshop ends.

We will provide a prebuilt FLARE-VM virtual machine based on Windows 10 for participants to use.

The challenges include:

1. Basic static analysis of malware
   a. Using VirusTotal for an overview of its function
   b. Using PEview to see the structure of a PE file
   c. Identifying the development language with PEiD
   d. Identifying packers
   e. Extracting strings with BinText
   f. Identifying library usage with Dependency Walker
2. Packed code
   a. Using UPX to unpack a packed executable
   b. Building a custom version of UPX
   c. Manual unpacking with OllyDbg and pestudio
3. Disassembly
   a. Using assembly language in the Jasmin emulator
   b. Disassembling with IDA Pro
   c. Recognizing C constructs in assembly code
   d. Disassembling and decompiling code with Ghidra
4. Windows libraries
   a. Examining the Import Address Table (IAT)
   b. Repairing and rebuilding the IAT
   c. DLL hijacking with companion trojans 
   d. Building a keylogger with Visual Studio
   e. Building a DLL proxy
   f. Stealing passwords with API Monitor
5. Debugging in user-land
   a. Modifying a Windows EXE with OllyDbg
   b. Hacking minesweeper
   c. Source-level debugging
6. Debugging the kernel
   a. Examining Kernel structures with a single computer
   b. Kernel debugging with breakpoints and two machines
   c. Debugging a device driver
7. Bootkits
   a. Bootkit analysis with Bochs
   b. Understanding the MBR and a malicious MBR
8. The .NET Framework
   a. Common Language Runtime
   b. Building .NET Apps in Visual Studio
   c. Reversing .NET apps with .NET Reflector and other tools 
9. Assembly language coding
   a. Basic coding
   b. Printing and simple debugging
   c. Using ASCII
   d. Debugging with gdb
   e. Using files
   f. Encryption with the Caesar cipher
   g. XOR encoding 

Introduction to Attack Techniques

Level: Beginner

Learn fundamental tools and techniques used to attack and defend Windows and Linux systems. Topics include Linux and Windows command-line, command injection and SQL injection, network scanning, traffic analysis, and cryptography. Tools used include Nmap, Metasploit, PowerShell, Splunk, and Python.

No previous experience with programming or attacking is required.

Violent Python 3

Level: Beginner

Even if you have never programmed before, you can quickly learn how to make custom hacking tools in Python. We build tools that perform port scanning and brute-force attacks, crack password hashes, and implement XOR encryption. Python is among the most widely used programming languages in the world, for good reason: it is the easiest language to use for general purposes.
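Two of those tools, as an added example written for this page rather than code from the workshop: a repeating-key XOR routine with brute-force key recovery, and a dictionary attack on an unsalted password hash. The plaintext, key and wordlist are constructed sample data, and the scoring function assumes English-language plaintext.

```python
import hashlib
import string

# Letters ordered by rough English frequency; earlier letters score higher.
_FREQ = "etaoinshrdlucmfwypvbgkjqxz"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR.  XOR is its own inverse, so the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def english_score(text: bytes) -> float:
    """Higher means more English-looking: spaces and common letters reward, junk bytes penalise."""
    score = 0.0
    for b in text:
        if b == 0x20:
            score += 15
        elif 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A:
            score += 26 - _FREQ.index(chr(b).lower())
        elif chr(b) in string.digits + ".,'!?\n":
            score += 2
        elif b < 0x20 or b >= 0x7F:
            score -= 30                  # control or non-ASCII byte: almost certainly a wrong key
    return score


def crack_single_byte_xor(ct: bytes):
    """Try all 256 one-byte keys and keep the most English-looking plaintext."""
    key = max(range(256), key=lambda k: english_score(xor_bytes(ct, bytes([k]))))
    return key, xor_bytes(ct, bytes([key]))


def crack_repeating_xor(ct: bytes, key_len: int):
    """With the key length known, every key_len-th byte was XORed with the same key byte,
    so each column is an independent single-byte problem."""
    key = bytes(crack_single_byte_xor(ct[i::key_len])[0] for i in range(key_len))
    return key, xor_bytes(ct, key)


def hash_hex(word: bytes, algo: str = "sha256") -> str:
    return hashlib.new(algo, word).hexdigest()


def crack_hash(target_hex: str, wordlist, algo: str = "sha256"):
    """Dictionary attack on an unsalted hash: hash each candidate and compare.  None if not found."""
    target_hex = target_hex.lower()
    for word in wordlist:
        if hash_hex(word.encode(), algo) == target_hex:
            return word
    return None


# Constructed sample data (not from the workshop).
PLAINTEXT = (b"Python is among the most widely used languages for writing small attack tools. "
             b"A port scanner, a brute force login script, and a hash cracker each fit in a "
             b"few dozen lines, which is why beginners can build all three in one afternoon.")
KEY = b"ICE"
CIPHERTEXT = xor_bytes(PLAINTEXT, KEY)
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon"]

if __name__ == "__main__":
    print(crack_repeating_xor(CIPHERTEXT, len(KEY))[0])         # b'ICE'
    print(crack_hash(hash_hex(b"letmein"), WORDLIST))          # letmein
```

crack_repeating_xor takes the key length as given; guessing it, usually from the normalized Hamming distance between ciphertext blocks, is the natural next step. The hash cracker is only this short because the hash is unsalted and fast; a per-user salt forces one wordlist pass per target, and a slow KDF such as bcrypt or Argon2 makes each pass expensive.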

This workshop is structured as a CTF, so each participant can proceed at their own pace. The techniques will be briefly demonstrated, and we will provide tips and help as needed to make sure everyone is able to solve at least some of the challenges.

Participants need only a computer and a Web browser.

Securing Web Apps

Level: Intermediate

Participants will attack Web applications with: command injection; SQL injection; Cross-Site Request Forgery; Cross-Site Scripting; cookie manipulation; and Server-Side Template Injection. We will also exploit Drupal and SAML. We will then implement network defenses and monitoring agents. We will use Burp, Splunk, and Suricata. Prerequisites: participants should know basic security and networking. Experience with Web development is helpful but not necessary.

Threat Hunting with Splunk

Level: Beginner

Splunk is "Google for log data" and a leading platform for security monitoring. Learn how to find attackers, identify malware, and attribute attacks to real-world APT groups. We will use cloud servers running the free version of Splunk, with the publicly released dataset from Splunk's "Boss of the SOC" contest.

This workshop is structured as a CTF, so each participant can proceed at their own pace. The techniques will be briefly demonstrated, and we will provide tips and help as needed to make sure everyone is able to solve at least some of the challenges.

Participants need only a computer with a Web browser.

Incident Response and the ATT&CK Matrix

Level: Beginner

Use modern techniques to detect, analyze and respond to intrusions. In this workshop, you will build vulnerable systems in the cloud, attack them, and respond to the attacks. Tools used include Splunk, GRR, Zeek, and the ATT&CK matrix.

This workshop is structured as a CTF, so each participant can proceed at their own pace. The techniques will be briefly demonstrated, and we will provide tips and help as needed to make sure everyone is able to solve at least some of the challenges.

Session Details

We will construct targets and attackers on the Google cloud, and send attacks using Metasploit and Caldera to emulate APT attackers. We will monitor and analyze the attacks using Splunk, Suricata, Sysmon, Wireshark, Yara, GRR, Zeek, osquery and online analysis tools including PacketTotal and VirusTotal.

We will cover the ATT&CK Matrix in detail, which enumerates threat actors, tactics and techniques, so red and blue teams can better communicate and work together to secure networks.

This is not a 30-minute talk, but a CTF which should run for hours, or the whole conference duration. We will host the challenges and scoring engine on our own servers, and provide a Zoom session for demonstrations and to help participants with questions.

This is a learning CTF, not a hard-core serious competition. The intention is not to identify the strongest competitor, but to ensure that everyone finds challenges at their level so they learn something new.

All materials are free, and will remain available online after the conference ends.

Challenges include:

Defending Linux Servers
   Google Cloud Linux Server
   Splunk & Suricata
   Metasploit & Drupalgeddon
   osquery
   Using Bash: Linux Journey
   Bandit Challenges 

Preparing a Windows Server
   Essential PowerShell

Defending Windows Servers
   Installing Splunk on a Windows Server
   Detecting Ransomware with Splunk and Sysmon
   Capturing RAM from a Process
   VirusTotal & Wireshark
   PacketTotal
   Yara
   Prefetch Forensics
   GRR Rapid Response
   Zeek

ATT&CK Matrix
   ATT&CK Tactics 
   ATT&CK Techniques  
   ATT&CK Groups
   ATT&CK Navigator
   Caldera

Metasploit
   Metasploit v. ActiveMQ
   Adding a Custom Exploit to Metasploit
   Writing a Custom Metasploit Module
   Creating a Trojan with Metasploit

Networking
   Nmap
   Wireshark
   Scapy
   Threat Hunting with Splunk Boss of the SOC

Malware Analysis

Analyze malware to find indicators of compromise using static and dynamic techniques. We will use PEstudio, IDA Pro, Ghidra, OllyDbg and other tools. Familiarity with programming in C and assembler is helpful but not necessary.

We will use Windows 2016, FLARE-VM, and harmless malware samples. Some projects can be done on free cloud servers, but for the best experience, participants should prepare a FLARE-VM in advance as explained here:

https://samsclass.info/126/proj/PMA40.htm

Introduction to Exploit Development

Level: Intermediate

Learn how to take control of Windows and Linux servers running vulnerable software, in a hands-on CTF-style workshop. We begin with easy command injections and SQL injections, and proceed through binary exploits including buffer overflows on the stack and the heap, format string vulnerabilities, and race conditions.

After this workshop, you will understand how memory is used by software, and why computers are so easily tricked into executing bytes as code that entered the system as data.

We will exploit 32-bit and 64-bit Intel systems, and also ARM-based systems. We will examine modern Windows defenses in detail and how to defeat them, including ASLR, DEP, stack cookies, and SEHOP.

Previous experience with C and assembly language is helpful but not required. Participants will need a computer with two monitors. We will provide cloud servers for participants who don't want to run the machines locally.

Go the Wrong Way

Level: Beginner

Good developers study documentation carefully and thoroughly understand their language. However, some people just want to code fast, break into things, and skip over the details. This CTF is for them.

Even if you've never programmed before, you can make simple attack tools in Go. We'll perform port scans, HTTP requests, brute-force logins, crack password hashes, and perform encryption using XOR and AES.

COBOL CTF

Level: Beginner

The world runs on COBOL! 95% of ATM swipes rely on COBOL, but few people know how to use it. Let's fix that!

In this workshop, participants will learn basic COBOL programming and solve challenges including building HTTP requests, processing strings, file I/O, ASCII encoding, modular arithmetic and RSA encryption. We will use free Google cloud servers and a real public IBM mainframe.

The workshop is structured in a CTF format. Each participant works at their own pace. The techniques will be demonstrated, with complete step-by-step instructions to lead beginners through the easy challenges. There are also harder challenges for more experienced participants. We will help participants as needed, to ensure that everyone learns something new.

Participants need a Debian Linux virtual machine, or a few dollars to rent a cloud server. All the tools we will use are freely available, and all the training materials will remain available to everyone after the workshop ends.

Party like it's 1959! COBOL will never die!

Security Auditing Android and iOS Apps

Level: Intermediate

Practice finding flaws in real Android and iOS apps in this workshop, and you will be ready to avoid making similar security errors in your own apps.

Android apps are very easy to unpack, analyze, modify, and repack; partly because of the open nature of the system, and partly because most companies neglect basic security measures. In this workshop, participants will hack apps from Bank of America, IBM, Harvard, Home Depot, the Indian government, and other large organizations. We will find insecure network transmissions, broken cryptography, improper logging, and a pervasive lack of binary protections. We will also analyze the way iOS apps use network transmissions, and observe serious vulnerabilities in iOS apps from major companies.

Participants need a laptop that can run VirtualBox to run Android emulators. To audit iOS apps, participants will need a Mac laptop. We will bring some loaner iPhones to use.

Crypto Hero

Learn essential concepts of modern cryptography, including hashing, symmetric encryption, and asymmetric encryption. Compete to solve challenges. No previous programming experience required.

Most challenges require only a computer with Python. Some of them require a Windows machine.

Updated 8-30-21