Workshops

With @sambowne, @djhardb, @KaitlynGuru, and @infosecirvin.

Structure

All these workshops are structured in a CTF format. Each participant works at their own pace. The techniques will be demonstrated, with complete step-by-step instructions to lead beginners through the easy challenges. There are also harder challenges for more experienced participants. We will help participants as needed, to ensure that everyone learns new techniques.

Participants need a credit card and a few dollars to rent Google Cloud servers. We will use Debian Linux and Windows Server 2016 systems. All the tools we will use are freely available, and all the training materials will remain available to everyone after the workshop ends.

Introduction to Attack Techniques

Level: Beginner

Learn fundamental tools and techniques used to attack and defend Windows and Linux systems. Topics include Linux and Windows command-line, command injection and SQL injection, network scanning, traffic analysis, and cryptography. Tools used include Nmap, Metasploit, PowerShell, Splunk, and Python.

No previous experience with programming or attacking is required.

Violent Python 3

Level: Beginner

Even if you have never programmed before, you can quickly and easily learn how to make custom hacking tools in Python. We build tools that perform port scanning, brute-force attacks, password-hash cracking, and XOR encryption. Python is among the top three programming languages in the world, for good reason: it's the easiest language to use for general purposes.

This workshop is structured as a CTF, so each participant can proceed at their own pace. The techniques will be briefly demonstrated, and we will provide tips and help as needed to make sure everyone is able to solve at least some of the challenges.

Participants need only a computer and a Web browser.

Securing Web Apps

Level: Intermediate

Participants will attack Web applications with: command injection; SQL injection; Cross-Site Request Forgery; Cross-Site Scripting; cookie manipulation; and Server-Side Template Injection. We will also exploit Drupal and SAML. We will then implement network defenses and monitoring agents. We will use Burp, Splunk, and Suricata. Prerequisites: participants should know basic security and networking. Experience with Web development is helpful but not necessary.

Threat Hunting with Splunk

Level: Beginner

Splunk is "Google for log data" and it is the leader in network security monitoring. Learn how to find attackers, identify malware, and attribute attackers to real-world APT groups. We will use cloud servers running the free version of Splunk, with open-source network data from Splunk's "Boss of the SOC" contest.

This workshop is structured as a CTF, so each participant can proceed at their own pace. The techniques will be briefly demonstrated, and we will provide tips and help as needed to make sure everyone is able to solve at least some of the challenges.

Participants need only a computer with a Web browser.

Incident Response and the ATT&CK Matrix

Level: Beginner

Use modern techniques to detect, analyze and respond to intrusions. In this workshop, you will build vulnerable systems in the cloud, attack them, and respond to the attacks. Tools used include Splunk, GRR, Zeek, and the ATT&CK matrix.

This workshop is structured as a CTF, so each participant can proceed at their own pace. The techniques will be briefly demonstrated, and we will provide tips and help as needed to make sure everyone is able to solve at least some of the challenges.

Session Details

We will construct targets and attackers on the Google cloud, and send attacks using Metasploit and Caldera to emulate APT attackers. We will monitor and analyze the attacks using Splunk, Suricata, Sysmon, Wireshark, Yara, GRR, Zeek, osquery and online analysis tools including PacketTotal and VirusTotal.

We will cover the ATT&CK Matrix in detail, which enumerates threat actors, tactics and techniques, so red and blue teams can better communicate and work together to secure networks.

This is not a 30-minute talk, but a CTF which should run for hours, or the whole conference duration. We will host the challenges and scoring engine on our own servers, and provide a Zoom session for demonstrations and to help participants with questions.

This is a learning CTF, not a hard-core serious competition. The intention is not to identify the strongest competitor, but to ensure that everyone finds challenges at their level so they learn something new.

All materials are free, and will remain available online after the conference ends.


Challenges include:

Defending Linux Servers
   Google Cloud Linux Server
   Splunk & Suricata
   Metasploit & Drupalgeddon
   osquery
   Using Bash: Linux Journey
   Bandit Challenges 

Preparing a Windows Server
   Essential PowerShell

Defending Windows Servers
   Installing Splunk on a Windows Server
   Detecting Ransomware with Splunk and Sysmon
   Capturing RAM from a Process
   VirusTotal & Wireshark
   PacketTotal
   Yara
   Prefetch Forensics
   GRR Rapid Response
   Zeek

ATT&CK Matrix
   ATT&CK Tactics 
   ATT&CK Techniques  
   ATT&CK Groups
   ATT&CK Navigator
   Caldera

Metasploit
   Metasploit v. ActiveMQ
   Adding a Custom Exploit to Metasploit
   Writing a Custom Metasploit Module
   Creating a Trojan with Metasploit

Networking
   Nmap
   Wireshark
   Scapy
   Threat Hunting with Splunk Boss of the SOC

Malware Analysis

Analyze malware to find indicators of compromise using static and dynamic techniques. We will use PEstudio, IDA Pro, Ghidra, OllyDbg and other tools. Familiarity with programming in C and assembler is helpful but not necessary.

We will use Windows 2016, FLARE-VM, and harmless malware samples. Some projects can be done on free cloud servers, but for the best experience, participants should prepare a FLARE-VM in advance as explained here:

https://samsclass.info/126/proj/PMA40.htm

Introduction to Exploit Development

Level: Intermediate

Learn how to take control of Windows and Linux servers running vulnerable software, in a hands-on CTF-style workshop. We begin with easy command injections and SQL injections, and proceed through binary exploits including buffer overflows on the stack and the heap, format string vulnerabilities, and race conditions.

After this workshop, you will understand how memory is used by software, and why computers are so easily tricked into executing bytes as code that entered the system as data.

We will exploit 32-bit and 64-bit Intel systems, and also ARM-based systems. We will examine modern Windows defenses in detail and how to defeat them, including ASLR, DEP, stack cookies, and SEHOP.

Previous experience with C and assembly language is helpful but not required. Participants will need a laptop that can run VMware or VirtualBox virtual machines, and a credit card to register for free Google Cloud machines.

Go the Wrong Way

Level: Beginner

Good developers study documentation carefully and thoroughly understand their language. However, some people just want to code fast, break into things, and skip over the details. This CTF is for them.

Even if you've never programmed before, you can make simple attack tools in Go. We'll perform port scans, HTTP requests, brute-force logins, crack password hashes, and perform encryption using XOR and AES.

COBOL CTF

Level: Beginner

The world runs on COBOL, but few people remember it: "an elegant weapon for a more civilized age." Learn COBOL programming in a fun CTF-style workshop. Challenges include building Web requests, brute-forcing logins, number theory, classical encryption, and RSA. We will use Open COBOL on free Debian Google cloud servers. Participants need a credit card, which won't be charged. Familiarity with coding (in any language) is helpful but not required.

Come party like it's 1959! COBOL will never die!

Security Auditing Android and iOS Apps

Level: Intermediate

Practice finding flaws in real Android and iOS apps in this workshop, and you will be ready to avoid making similar security errors in your own apps.

Android apps are very easy to unpack, analyze, modify, and repack, partly because of the open nature of the system, and partly because most companies neglect basic security measures. In this workshop, participants will hack apps from the Bank of America, IBM, Harvard, Home Depot, the Indian government, and other large organizations. We will find insecure network transmissions, broken cryptography, improper logging, and pervasive lack of binary protections. We will also analyze the way iOS apps use network transmissions, and observe serious vulnerabilities in iOS apps from major companies.

Participants need a laptop that can run VirtualBox to run Android emulators. To audit iOS apps, participants will need a Mac laptop. We will bring some loaner iPhones to use.

Crypto Hero

Learn essential concepts of modern cryptography, including hashing, symmetric encryption, and asymmetric encryption. Compete to solve challenges. No previous programming experience required.

Most challenges require only a computer with Python. Some of them require a Windows machine.

Updated 11-2-2020