SHACK TRAINING CLASSES

All Classes
SH2021
SH2031
SH2032
SH2041
SH2042
SH2043
SH2044

2 Days Cyber Security Trainings

Course Dates	: 31 March - 1 April 2020
Closing Date	: 4 March 2020
Location	: Pan Pacific Singapore (map)

Code	Title	Instructor(s)
SH2021	iOS Device Secure Boot Chain Analysis and Exploitation	Team Pangu

3 Days Cyber Security Trainings

Course Dates	: 30 March - 1 April 2020
Closing Date	: 4 March 2020
Location	: Pan Pacific Singapore (map)

Code	Title	Instructor(s)
SH2031	Pentesting Industrial Control Systems	Arnaud Soullie
SH2032	Attacking and Defending Containerized Apps and Serverless Tech	Nithin Jois, Sharath Ramdas, Pavan Kumar

4 Days Cyber Security Trainings

Course Dates	: 29 March - 1 April 2020
Closing Date	: 4 March 2020
Location	: Pan Pacific Singapore (map)

Code	Title	Instructor(s)
SH2041	WebAssembly Security "From Reversing to Vulnerability Research"	Patrick Ventuzelo
SH2042	Practical iOS 13 Kernel Exploitation	Stefan Esser
SH2043	Full Stack Web Attack	Steven Seeley
SH2044	Android Internals	Jonathan Levin

SH2021 - iOS Device Secure Boot Chain Analysis and Exploitation

By Team Pangu

Training Dates

31st March - 1st April 2020

Description

We will focus on analyzing secure boot chain of iOS devices. The boot chain starts from SecureROM which is patterned in silicon and read only. It means Apple is not capable to fix any bugs found in it. After very detailed reverse engineering of SecureROM for different versions, we will move to the second stage of bootloader – iBoot. There are actually different images to be loaded for different boot mode, for example recovery mode. We will also analyze iBoot in very details and you will realize that iBoot/iLLB/iBSS/iBEC are actually shared the same code base (actually they are exactly same for new devices). Also, it turns out that SecureROM is a simplified version of iBoot.

After we understand the working flow of boot chain, we will focus on the attack surfaces of it. Then we should learn from the past, giving details of known bugs and exploits in history.

In the last part, we talk about the recently released exploit checkm8 (by axi0mX). We cover the root cause and exploitation strategy of it which includes how to do heap fengshui and how to control execution flow. Then we will try to do the exercise to add support for devices not included in the open sourced checkm8. Also, we will talk about the post exploitation at the end.

Class Content

Day 1

Introduction
Basic Knowledges

Secure Boot Chain
Extract Code Binary
IDA Script
libirecovery/idevicerestore

SecureROM
iBoot
Attack Surfaces

USB
Image Decoding
File System Driver

Day 2

Known Bugs

steaks4uce
alloc8
SHAtter
Limera1n

Checkm8

Root Cause
Heap Fengshui
Control PC
Exercise
Post Exploitation

Requirements

Student

Python language programming ability
Familiar with ARMv7/v8 reverse engineering
Knowledge of typical vulnerabilities and exploits
Understanding of secure boot chain concepts

Hardware

Mac laptop
Pre-A12 iPhone (4S/5/5C/5S/6/6S/7/8/X). Suggest bringing one 32bit and one 64bit devices

Software

IDA Pro (with Hex-Rays Decompiler)

Instructor

Team Pangu

Team Pangu consists of several senior security researchers and focuses on mobile security research. Team Pangu is known for the multiple releases of jailbreak tools for iOS 7, iOS 8, and iOS 9. Team Pangu actively shares knowledge with the community and presents the latest research at well-known security conferences including BlackHat, CanSecWest, SysCan, POC, and Ruxcon.

SH2031 - Pentesting Industrial Control Systems

By Arnaud Soullié

Training Dates

30th March - 1st April 2020

Description

On this intense 3 - day training, you will learn everything you need to start pentesting Industrial Control Systems . We will cover the basics to help you understand the most common ICS vulnerabilities. We will then spend some time learning and exploiting Windows & Active Directory weaknesses, as most ICS are controlled by Windows systems.

We will cover the most common ICS protoco ls (Modbus, S7, OPC - UA…), analyze packet captures and learn how to use these protocols to talk to Programmable Logic Controllers (PLCs). You will learn how to program a PLC, to better understand how to exploit them.

The training will end with a challenging hands - on exercise: The first CTF in which you capture a real flag! Using your newly acquired skills, you will try to compromise a Windows Active Directory, pivot to an ICS setup to take control of a model train and robotic arms.

Class Content

Day 1

Module 1: Introduction to ICS
Module 2: Pentesting Basics & tools
Module 3: Windows basics and pentesting Windows
Module 4: Common ICS vulnerabilities

Day 2

Module 5: ICS protocols
Module 6: Introduction to safety for security pros
Module 7: Programming PLCs
Module 8: Pentesting ICS

Day 3

Module 9: Securing ICS
Module 10: Case study
Module 11: Capture The Flag

Requirements

Student

This class is suited for security people wanting to discover the world of Industrial Control Systems or automation engineers that want to understand in-depth what are the ICS security issues. An understanding of TCP/IP networking, the ability to work with virtual machines and a command line is required.
No previous pentesting or industrial control systems experience is required.

Hardware

Students must bring a laptop capable of running 64-bit VMs (8gb RAM, 50gb free disk space)

Software

All required software is provided in 3 VMs that each attendee will receive on a USB drive

Instructor

Arnaud Soullié

Arnaud Soullié is a manager at Wavestone, performing security audits for more 10 years and in charge cybersecurity R&D projects. He has a specific interest in ICS security, and has performed ICS security audits & pentests in all kinds of industries (pharmaceutical, energy, manufacturing, food processing...) He teaches ICS security and pentests workshops at security conferences (BlackHat Europe 2014, BSides Las Vegas 2015/2016, Brucon 2015/2017, DEFCON 24/26/27) as well as full trainings (Hack In Paris 2015/2018/2019, CS3STHLM 2018/2019, BlackHat Asia 2019)

SH2032 - Attacking and Defending Containerized Apps and Serverless Tech

By Nithin Jois

Training Dates

30th March - 1st April 2020

Description

Organizations are rapidly moving towards microservice style architectures for their applications which has led to container and serverless technology being implemented and taking over at a rapid rate with a few organizations even leapfrogging containers by implementing serverless technology for scalability.

Containers have risen in popularity and has been widely used because they help package and deploy consistent-state applications across multiple environments, and are also extremely scalable especially when they’re complemented with orchestration technologies.

Serverless on the other hand, seems to be taking over at a rapid rate with increased usage of micro-services and polyglot development of applications and services across organizations. Leading container technologies like Docker have risen in popularity and have been widely used because they have helped package and deploy consistent-state applications across multiple environments. Serverless and container orchestration technologies like Kubernetes help these deployments massively scale which can potentially increase the overall attack-surface to a massive extent, if security is not given the attention required.

Security continues to remain a key challenge that both Organizations and security practitioners face with containerized and serverless deployments.While containers continue to be vulnerable to security threats that plague any typical application deployment, they also face specific security threats related to the containerization daemon, the shared kernel and other shared resources like network, process and the filesystem. Serverless deployments face risks such as insecure deployment configurations, inadequate monitoring and logging of functions, broken authentication, function event data injection, insecure secret storage, and many more. Attacking applications leveraging container and serverless technology requires specific skill set and a deep understanding of their underlying architecture.

This 3-day training is a practical approach with both Offensive and Defensive flavours making it ideal for security engineers, red-teammers, devops engineers and developers with a plethora of hands-on exercises that have been designed from real-world attacks and the security-specific challenges that we faced while implementing these technologies, helping them test and implement security in a scalable manner.

The training consists of, but not limited to the following focus areas in Container Security and Serverless Deployment:

Introduction to Container Technology
Containerized Deployments and Container Orchestration Technologies
Container Threat-Model
Attacking Containers and Security deep-dive
Introduction to Kubernetes
Threat-Model of Orchestration technologies
Attacking Kubernetes
Kubernetes Defense-in-Depth
Logging & Monitoring Orchestrated deployments
Introduction to Serverless
Deploying Application to AWS Lambda
Serverless Threat-Model
Attacking a Serverless Stack
Serverless Security Deep-dive

Class Content

Day 1

Evolution to Container Technology and Container Tech Deep-Dive

Introduction to Container Technology

Namespace
Cgroups
Mount

Hands-on Lab: Setting up a Minimal Container with nothing but Namespaces and CGroups

Introduction to Containerized Deployments - Understanding and getting comfortable using Docker

An Introduction to containers

LXC and Linux Containers
Introducing Docker Images and Containers

Deep-dive into Docker

Docker Commands and Cheatsheet
Hands-on:

Docker commands
Dockerfile
Images

Introduction to Basic Container Orchestration with Docker-Compose

Docker Compose

Introduction to docker-compose
Hands-on:

Docker-compose commands

Docker Compose Deep-Dive
Application Deployment Using docker

Hands-on

Containerize an application
Deploying a containerized application
Deploy a containerized application using docker-compose

Threat Landscape- An Introduction to possible threats and attack surface when using Containers for Deployments

Threat Model for Containerized Deployments

Daemon-related Threats
Network related Threats
OS and Kernel Threats
Threats with Application Libraries
Threats from Containerized Applications

Traditional Threat-Modelling for Containers with STRIDE

Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of privileges

Attacking Containers and Containerized Deployments

Attacking Containers and Containerized Deployments

Hands-on

Container Breakout
Exploiting Insecure Docker Configurations
OS and Kernel level exploits
Trojanized Docker images

Securing Containers and Container Deployments

Container Security Deep-Dive

Hands-on

AppArmor/SecComp
Restricting Capabilities
Analysing Docker images

Hands-on: KataContainers
Container Security Mitigations
Hands-on: Container Vulnerability Assessment

Clair
Dagda
Anchore
Docker-bench

Security Specific CI for containers

Hands-on: Setting up a security pipeline to build, scan and push images

Day 2

Introduction to Scalable Container Orchestrators

Introduction to Container Orchestrators
Getting started with Kubernetes
Understanding Kubernetes Architecture and Components
Hands-on:

Exploring Kubernetes Cluster
Deploying application to Kubernetes

Attacking Kubernetes Cluster

Kubernetes Threat Model
Attack Surface for a Kubernetes Cluster
Hands on:

Attacking application deployed on Kubernetes
Exploiting a Vulnerable Kubernetes cluster
Maintaining Persistent Access and Pivoting in the K8s Cluster

Dissecting the K8s Attack and identifying Security Missteps
Attacking kubelet and gaining access to all configurations and secrets on the cluster

Kubernetes Security Deep-Dive

K8s Threat Model and its counterpoint in Security Practices
Hands-on: Ideal Security Journey: Kubernetes

Pod Security
Access Control
Secret Management

Hands-on: Kubernetes Vulnerability Assessment

Kube-sec
Kube-hunter
Kube-bench

Hands-on: Logging and Monitoring

Logging and Monitoring specific Parameters within the K8s Cluster
Identifying anomalies (especially security) with the K8s Cluster

Hands-on: K8s Secret management

Integrating Vault on a K8s cluster
Storing secrets securely on Kamus

Hands-on: Kubernetes Network Security Implementation

Network Security Policy
Service Mesh - Istio/Envoy

Security Specific CI/CD for kubernetes

Setting up a security pipeline to securely deploy on a k8s cluster

Day 3

Serverless Introduction

Understanding Serverless and FAAS(Function-As-A-Service)
Quick tour of FAAS(Function-As-A-Service) and BAAS(Backend-As-A-Service)
Introduction to AWS Lambda, S3, Open-FAAS and other Serverless options

Serverless Deep-Dive

Introduction to the Architecture of Serverless Deployments
Hands-on: Deploying a Serverless application

Attacking Serverless applications

Serverless Architectures Security Top 10 - A Project similar to OWASP Top 10 for Serverless Apps
Function Data Event Injection Attacks against FaaS Implementations:

Hands-on Labs - Function Data Event Injection (Multiple Sources)
Other Injection and Remote Code Execution attacks against Serverless Apps

Broken Access Control

Hands-on: Attacking Stateless Authentication and Authorization (JSON Web Tokens)

Algorithm Confusion
Inherent JWT flaws - none signed token, etc
Attacks based on JWK and JWT Claims

Attacking Identity and Access Management through Serverless Implementations

Hands-on: View of IAM Sprawl and Permissions
Hands-on: Attacking with DynamoDB Injection + IAM Permissions creep

Other Serverless Attacks

Hands-on: Extracting Secrets from FaaS Implementations
Hands-on: Leveraging Vulnerabilities like ReDOS to perform Resource Exhaustion Attacks
Hands-on: Exploiting Function Execution Order for fun and profit!

Securing Serverless applications

Securing Serverless applications

Identity and Access Management
Secret management

Hands-on Secrets Management with AWS Secret Manager + Rotation

Logging and Monitoring Functions

Hands-on: Security Practices for Logging Serverless Functions
Hands-on Using AWS X-Ray/Zipkin to leverage tracing for security

Hands-on: Serverless Vulnerability Assessment

Static Code Analysis[SCA]
Static Application Security Testing[SAST]
Dynamic Analysis Security Testing[DAST]

CI/CD for Serverless Functions - With Security specific pipeline

Capture The Flag

Attacking a Serverless Application - mini CTF Segment

Requirements

Student

Working knowledge of Application Security concepts and vulnerabilities (OWASP Top 10, Application Security concepts)
Basic knowledge of Linux command line
Basic knowledge of some (any) programming language
Basic/Rudimentary understanding of Cloud concepts and service

Hardware and Software

A laptop or a tablet(with keyboard) with a browser installed
AWS account with root/admin privileges - Free tier works
We have a very powerful (per-user) cloud environment that we use for labs that has been widely appreciated by students at BlackHat and elsewhere. Please read more about our cloud labs here:
https://drive.google.com/file/d/1YKmaHfx9PqIQX-s0cEI9-iWD3_EstIE-/view?usp =sharing

Instructor

Nithin Jois

Nithin Jois is a Solutions engineer at we45 - a focused Application Security company. He has helped build ‘Orchestron’ - A leading Application Vulnerability Correlation and Orchestration Framework. He is experienced in Orchestrating containerized deployments securely to Production. Nithin and his team have extensively used Docker APIs as a cornerstone to most of we45 developed security platforms and he has also helped clients of we45 deploy their Applications securely. Nithin is a passionate Open Source enthusiast and is the co-lead-developer of ThreatPlaybook - An Open Source framework that facilitates Threat Modeling as Code married with Application Security Automation on a single Fabric. He has also written multiple libraries that complement ThreatPlaybook.

Nithin is an automation junkie who has built Scalable Scanner Integrations that leverage containers to the hilt and is passionate about Security, Containers and Serverless technology. He speaks at meetup groups, webinars and training sessions. He participates in multiple CTF events and has worked on creating Intentionally Vulnerable Applications for CTF competitions and Secure Code Training. Nithin was a trainer and speaker at events like AppSecDC-2019, AppSecUS-2018, LasCon-2018, SHACK-2019, AppSecCali-2019 and CodeBlue-Japan. In his spare time, he loves reading about personal finance, leadership, fitness, cryptocurrency, and other such topics. Nithin is an avid traveler and loves sharing stories over a cup of hot coffee.

Sharath Kumar Ramdas

Sharath Kumar is the Lead Solutions Engineer at we45. He has architected and developed multiple solutions around security engineering, including an Application Vulnerability Correlation tool called Orchestron. As part of his experience with Application Security, Sharath has developed integrations for multiple security products including DAST, SAST, SCA and Cloud environments.

Sharath has extensive experience with Cloud Deployments and Container Native Deployments. As part of his role in a security organization, he has led teams that have created intentionally vulnerable apps for CTF competitions both inside and outside we45.

Sharath is a speaker at multiple meetups around Cloud, Containers, Python, DevOps and DevSecOps. He is also the co-author of the Container Security Training Program from we45.

Pavan Kumar

Pavan Kumar works at an Application security company(we45) as Senior Security Lead. He has worked and led multiple Penetration testing projects of web, mobile applications and Infrastructure pentests for some fortune 500 companies in different domains such as Data storage, manufacturing and E-commerce. He has done in depth research on AWS cloud services and is an expert in identifying vulnerabilities related to AWS cloud.

Pavan Kumar has identified several critical P1 flaws in private Bug bounty programs. He has also written custom scripts to automate multiple reconnaissance activities done during audits of applications. He has also conducted trainings and spoken in multiple meetup events on his research associated with new vulnerability discovery and exploits. He participates in multiple CTF events (Defcon, HacktheBox, etc.) and has worked on creating Intentionally Vulnerable Applications for CTF competitions and Secure Code Training.

SH2041 - WebAssembly Security "From Reversing to Vulnerability Research"

By Patrick Ventuzelo

Training Dates

29th March - 1st April 2020

Description

WebAssembly (WASM) is a new binary format currently developed and supported by all major browsers including Firefox, Chrome, WebKit /Safari and Microsoft Edge through the W3C. This new format have been designed to be “Efficient and fast“, “Debuggable“ and “Safe” that why it is often called as the “game changer for the web”.

WebAssembly is used everywhere (not exhaustive):

Web-browsers (Desktop & Mobile)
Cryptojacking (Coinhive, Cryptoloot)
Servers (Nodejs, React, Cloudflare workers)
Video games (Unity, UE4)
Blockchain platforms (EOS/Ethereum/Dfinity)
Linux Kernel (Cervus, Nebulet)
Etc.

This courses will give you all the prerequisites to understand what’s a WebAssembly module and its associated virtual machine. At the end of this intensive 4 days, you will be able to reverse statically and dynamically a WebAssembly module, analyze its behavior, create detection rule and search for vulnerabilities & security issues. You will learn which security measures are implemented by the WebAssembly VM to validate and handle exceptions. Finally, you will discover how to find vulnerabilities inside WebAssembly VMs (Web-browsers, Standalone VM) using differents fuzzing techniques.

Along this training, students will deal with a lots of hands-on exercises allowing them to internalize concepts and techniques taught in class.

Class content

Day 1 – WebAssembly Reversing

Introduction to WebAssembly
WebAssembly VM architecture
WebAssembly toolchain
Writing examples in C/C++/Rust/C#
Debugging WebAssembly module
WASM binary format (header, sections, …)
WebAssembly Text Format (wat/wast)
WebAssembly Instructions set
Writing examples using WASM Text format
Reversing WebAssembly module
CFG & CallGraph reconstruction
DataFlowGraph analysis
Browser Addons reversing

Day 2 – Real-life Modules Analysis

Modules Instructions analytics/metrics
WASM cryptominers analysis
Pattern detection signatures (YARA rules, …)
Taint Tracking
Dynamic Binary Instrumentation
Bytecode (De)-Obfuscation techniques
Static Single Assignment & Decompilation
Real-life WASM module analysis
WebAssembly video game hacking

Day 3 – Wasm Modules Vulnerabilities

Traps & Exception handling
WebAssembly module vulnerabilities
Integer/Buffer/Heap Overflows
Advanced vulnerabilities (UaF, TOCTOU…)
CFI Hijacking
Emscripten vulnerabilities
Exploitation NodeJS server running wasm module
Vulnerability detection (Static & Dynamic)
Lifting WASM bytecode
Fuzzing WebAssembly modules

Day 4 – Vulnerability Research inside Wasm VM

Web-Browsers CVEs analysis (PoC)
WebAssembly VM & Interpreter vulnerabilities
WebAssembly JS APIs generation
Fuzzing Web-Browsers (Chrome, Firefox, WebKit)
WASM module validation mechanism
Writing edge case module
WAT, WAST & WASM grammar generation
Interesting VM targets (kernel, blockchain, …)
Fuzzing C/C++/Rust/Go based WASM project
WebAssembly for Security Researcher

Requirements

Student

Basic reverse engineering skills.
Familiarity with scripting languages (Python, Bash, …).
Familiarity with C/C++ or Rust programming.

Hardware

A notebook capable of running virtual machines.
Enough hard disk space to run VM

Software

Virtual machine (VirtualBox preferred)
Administrator / root access required.

Instructor

Patrick Ventuzelo

Patrick Ventuzelo is a French Independent Security Researcher specialized in vulnerability research, reverse engineering and program analysis. He is trainer of the two training respectively about "WebAssembly Security" and "RUST Security". Patrick is also the author of Octopus, an open-source security analysis tool supporting WebAssembly and multiple blockchain smart contract to help researchers perform closed-source bytecode analysis.

Previously, he worked for Quoscient GmbH, P1Security, the French Department Of Defense and Airbus D&S Cybersecurity.

Patrick has been speaker and trainer at various international conferences such as REcon Montreal/Brussels, Toorcon, hack.lu, NorthSec, FIRST, Microsoft DCC, SSTIC, BlackAlps, etc.

SH2042 - Practical iOS 13 Kernel Exploitation

By Stefan Esser

Training Dates

29th March - 1st April 2020

Description

For the last six years Antid0te has been teaching iOS Kernel Exploitation to a wide variety of students interested in the iOS kernel. Many of our former students have ended up finding and exploiting iOS kernel vulnerabilities since then and have practically demonstrated that by contributing to public jailbreaks of reporting vulnerabilities to Apple. Teaching iOS exploitation during this time has often be hard due to the lack of access to devices running the most current iOS version. This has dramatically changed in the last weeks with the release of the checkm8 bootrom exploit for iOS devices. This opens up a whole new world of opportunities regarding training practical iOS kernel exploitation to students. For the first time in history we will be able to perform actual hands-on kernel exploitation tasks on devices running the latest firmware. In this fully redesigned course we will use this to our advantage and will teach students how they can make use of the bootrom exploit to jailbreak current and future iOS versions on demand and how they can disable certain security mitigations to slowly ramp up the difficulty when performing training exercises. In comparison to our previous courses this course will provide more exercises at different difficulty levels.

Class content

Day 1

Setting up your Mac for iOS kernel research/vulnerability development
Using checkm8 to boot own kernels
How to patch old vulnerabilities back for training exercises
How to debug the iOS kernel with own code
Loading kernel modules

Day 2

The iOS Kernel Heap
Modern iOS Kernel Heap Feng Shui
Software based iOS Mitigations and their Weaknesses
Hardware based iOS Mitigations and their Weaknesses

Day 3

Exploitation of different types of heap memory corruptions by example (UAF, reference counting issues, heap overflows, out of bounds writes, …)
Exploitation Strategies for different bug types

Day 4

Understanding and attacking the iOS sandbox
Understanding and attacking iOS codesigning
Subverting and abusing iOS security for arbitrary code execution
Other jailbreaking related questions

Requirements

Student

This course will not give an introduction to ARM assembly basics. The trainee is required to understand basic ARM64 assembly. It is not required to have previous lowe level experience with ARM64 cpus, because the necessary information is discussed within the training. Low level ARM64 CPU knowledge will be helpful, but is not required for this course - all necessary parts will be explained within the course.
This course will not give basic introduction to exploitation or ROP. Trainees are required to know concepts like ROP or buffer overflows, integer overflows, etc...

Hardware

An Apple Mac Notebook is required in order to run MacOS and XCode.
Students are encouraged to bring their own iOS devices (that are supported by checkm8 (iPhone X or lower) on the latest OS version
For students who cannot bring their own device we will provide some devices for usage throughout the course

Software

IDA Pro 6.x/7.x license (ARM64 support required)
Alternatively Ghidra/Hopper/Binary Ninja can be used but script support varies by tool
Hexrays for ARM64 helpful, but not required
BinDiff for IDA helpful, but not required 
Mac OS X 10.14/15, with latest XCode and iOS 12.x SDK (or newer)
Additional Software will be made available during the training

Instructor

Stefan Esser

Stefan Esser is best known in the security community as the PHP security guy. Since he became a PHP core developer in 2002 he devoted a lot of time to PHP and PHP application vulnerability research. However in his early days he released lots of advisories about vulnerabilities in software like CVS, Samba, OpenBSD or Internet Explorer. In 2003 he was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he works as head of research and development for the German security company SektionEins GmbH that he co-founded. In 2010 he did his own ASLR implementation for Apple’s iOS and shifted his focus to the security of the iOS kernel and iPhones in general. Since then he has spoken about the topic of iOS security at various information security conferences around the globe. In 2012 he co-authored the book the iOS Hackers Handbook.

SH2043 - Full Stack Web Attack

By Steven Seeley

Training Dates

29th March - 1st April 2020

Description

In today’s society, web technologies are incredibly complex and play a vital role to online security. As a result, many security professionals are specializing in a particular niche within the web application hacking realm.

This niche, is commonly client-side web security which focuses on attacking or tricking the user. Yet, a server-side remote code execution vulnerability is sitting right in front of their eyes and has a significantly higher impact.

Over time, we have witnessed excellent techniques getting buried within past advisories and exploits whilst innovative techniques are being discovered frequently, however they are not reaching a wider audience.

Have you ever been on an engagement and found an interesting attack surface, yet haven’t had enough time for additional research?

Full Stack Web Attack is NOT an entry-level course. It's designed to push you beyond what you thought was capable and set you on the path to develop your own workflow for zero-day offensive web research.

This course is designed for web penetration testers and developers that want to make a switch to web security research or see how serious adversaries will attack their web based code.

Students are expected to know how to use proxy tools such as Burp Suite and have a basic understanding of common web attacks as well as perform moderate scripting tasks using common languages such as Ruby, Python, PHP and JavaScript. A basic understanding of Object Oriented programming will significantly help.

Some vulnerabilities have been mirrored from real zero-day while others are in fact zero-day/n-day vulnerabilities that have been discovered by the author. Using this as a base, your instructor will focus on not just on the exploitation, but also on the discovery.

So if you want to learn how to exploit web technologies without client interaction for maximum impact, that is, remote code execution then this is the course for you. Leave your XSS at the door.

Each of the techniques and vulnerability classes have been especially picked because they have been used in real, targeted environments. Additionally many of the techniques and exploitation primitives in this course are either poorly documented or not documented at all

Key Learning Objectives

Feel comfortable reading code (looking for vulnerabilities)
Feel comfortable writing code (developing exploits)
Debug complex web applications using source code debuggers
Attack complex object oriented vulnerability patterns
Chain multiple vulnerabilities to achieve remote code execution
Bypass authentication systems without client side vulnerabilities
Leverage information disclosure for remote code execution

Class content

Day 1

Introduction

PHP & Java language fundamentals
Debugging PHP & Java applications
Module overview and required background knowledge
Auditing for zero-day vulnerabilities

PHP

Loose typing
Logic authentication bypasses
Code injection
Filter bypass via code reuse
Patch bypass

Day 2

Java

Java Remote Method Invocation (RMI)

Java Remote Method Protocol (JRMP)

Java naming and directory interface (JNDI) injection

Remote class loading
Deserialization 101 (using existing gadget chains)

PHP

Introduction to object instantiation
Introduction to wrappers
External entity (XXE) injection

Regular file disclosure
Blind out-of-band attacks

Error based exfiltration using entity overwrites
Exfiltration using protocols

Day 3

Patch analysis and bypass
Introduction to object injection
- Magic methods
- Customized serialization
- Phar deserialization
- Property oriented programming (POP)
- Custom gadget chain creation
Information disclosure
Phar planting
Building a 7 stage exploit chain for Remote Code Execution

Day 4

PHP

Blacklist bypasses (zero-day vulnerability)

Java

Introduction to reflection
Expression language injection
Bypassing URI filters
URI forward authentication bypasses (zero-day technique)
Deserialization 102 (custom gadget chains)

Trampoline gadgets
Exploiting reflection
Whitelist (ab)use

A zero-day bug hunt in a real target

Requirements

Student

At least moderate scripting skills using common languages such as Bash, Python, Ruby, PHP and JavaScript.
At least a basic understanding of various web technologies such as HTTP(S), proxies and browsers.

Hardware

A 64bit Host operating system
16 Gb RAM minimum
VMWare Workstation/Fusion
100 Gb Hard disk free minimum
Wired and Wireless network support
USB 3.0 support

Instructor

Steven Seeley

Steven is an independent security researcher with a focus on the discovery of high impact vulnerabilities affecting products used by thousands of companies and individuals.

Starting out as a Java developer, Steven discovered his passion for security after switching to penetration testing.

Previously, Steven was also the lead developer of the Advanced Web Attacks and Exploitation (AWAE) course held by Offensive Security and taught the course multiple times at Black Hat USA and ASIA. He has spoken numerous security conferences such as HITB, Ruxcon, Bluehat and BSides Mexico.

SH2044 - Android Internals

By Jonathan Levin

Training Dates

29th March - 1st April 2020

Description

This course, modeled after Jonathan's Levin's seminal works of the same name, discusses the architecture of Android - covering both its design and its implementation. We examine the features of the Android Operating System, and highlight exactly what it inherits from its Linux core, as well as how it diverges with its idiosyncrasies and "Android-isms". Every nook and cranny of the architecture is explored, with modules discussing specific subsystems, such as the Dalvik Virtual Machine, Android RunTime (ART), the Binder IPC mechanism, Hardware Abstraction Layer (HAL), the Media Framework and Android Power Management

Objectives

Describe the architecture of the Android operating system
Describe the similarities between Linux and Android
Describe the differences between Linux and Android
Understand core architectural differences from Froyo (2.2) to Oreo (8.1), Pie (9.0) and the latest Android 10!
Describe the functions and architecture of the Android Kernel
Reverse Engineer Android Apps
Understand Android Security, its evolution over history, and its weaknesses
Monitor, trace and intercept inter process communication on Android
Understand the frameworks of Android, and interception points
Understand both the framework layers and the native layer of Android
Gain deep knowledge of the DEX, ART and OAT formats
Learn to use innovative free tools, such as Dextra, bindump, and jtrace

Class content

Day 1

Introduction - The Android Architecture

Android features
Android vs. Linux vs. Embedded Linux
Filesystem layout and directories
The Runtime Environment
The Frameworks
Dalvik (Java)
Version differences - 1.5 through L (5.0) to Pie (9.0)
User-Mode and Kernel-Mode Architecture
Android Kernel modifications
Recompiling the Kernel

Android's Hardware Abstraction Layer

The need for a hardware abstraction layer
The basic devices

Camera
Flashlight
GPS
Leds
Sensors
Vibrator

The User Event Daemon
HAL stubs
The last stretch - from HAL to the driver
Android O HAL modifications ("Project Treble")

Day 2

Booting

The Boot loader, and FastBoot
Samsung Odin
ARM TrustZone (32-bit) and ELx (64-bit)
Kernel Startup
User mode init - /init and /init.rc
Boot-to-root: Rooting techniques by unlocking the bootloader

Native Services

adbd
servicemanager
healthd (K +)
logd (L +)
lmkd (L +)
keystore
keymaster (M +)
zygote/app_process
debuggerd

Day 3

Android IPC

IPC and RPC basics
The servicemanager
Binder by layers

Java: AIDL
Frameworks: android.os.Binder
Native level: libBinder, BBinder, BpBinder
Kernel interface: ProcessState and IPCThreadState
Kernel implementation: ioctl(2) codes and protocol
hwbinder, vnbinder and other O improvements

Other communication mechanisms: Sockets and socketpairs

The Input Architecture

The Linux Kernel Input Model
The EventHub
The InputReader
The InputDispatcher
The Activity Views

Day 4

Dalvik

The Dalvik VM architecture
The DEX file format
The DEX OpCode and instruction format
Optimizing DEX
Reversing DEX
Obfuscating DEX
The JNI model

ART

The concepts behind ART
Advantages over Dalvik
the ART and OAT file format

L: ART 009/012, OAT: 039/045
M: ART 017, OAT: 064
N: ART 030, OAT: 083
O: ART 039, OAT: 117

Reversing ART
ART Memory Management
Return of the (profiled) JIT
The JNI implementation

Security

Java level modifiers: Private and Public
Java level Permissions
UNIX/native level Permissions
Digital Signatures (code signing, etc)
Key storage and encryption
Service Hooks
Protected APIs
Kernel mode security

The Linux Capabilities model
Linux Security Modules (LSM) and SELinux
Kernel buffer overflow protection - ExecShield and randomization

Extensions and improvements in Oreo and Pie (e.g. seccomp-bpf, Webview-Zygote)
Why it all fails - Android Exploitation

Requirements

Student

None

Hardware

Though you can get by with an emulator, we strongly recommend bringing a rooted device, of at least Lollipop or higher. You will also need a Linux host - though we will gladly supply a VM

Software

The Android SDK, NDK, and full sources of Android - all of which freely obtainable, from developer.android.com and android.googlesource.com, respectively

Instructor

Jonathan Levin

Author of "*OS Internals" and "Android Internals", CTO of Technologeeks.com, long time specializing in the internals of Linux and Darwin variants. Spoke at all major conferences save BlackHat.