SEC-T - 0x0Beyond

September 13-14, 2018 – Stockholm, Sweden

Dark Side Ops: Custom Penetration Testing Workshop

Hackers penetrate enterprise networks in the flash of an eye, ravage endpoints for sensitive data, and
silently exfiltrate the keys to your kingdom without ever popping an alert. Dark Side Ops: Custom
Penetration Testing enables participants to “break through” to the next level by removing their
dependence on 3rd-party penetration testing tools, allowing for outside-the-box thinking and custom
tool development designed specifically for the target environment. Participants are provided with
hands-on experience into the black hat techniques currently used by hackers to bypass network-based
enterprise intrusion detection and prevention systems (IDS/IPS), layer 7 web proxies, and data loss
prevention (DLP) solutions. The custom approach doesn’t stop there. Participants learn advanced
evasion techniques of corporate host-based countermeasures including antivirus and application
whitelisting solutions by developing, compiling, and deploying custom backdoors, payloads, and
persistence deep into protected enterprise networks.

At the end of this course students will be able to:
• Build custom payload droppers, beaconing backdoors, and interactive shells.
• Conduct highly targeted and sophisticated custom client-side and social engineering attacks.
• Escalate workstation and network privileges without an exploit.
• Bypass defensive host and network countermeasures such as anti-virus applications, firewalls,
IDS, IPS, SIEMs, and strict egress filtering.
• Establish custom, stealthy persistence in a target network.
• Exfiltrate data from a target network using custom applications and network monitoring
evasion techniques.
• Compile and deploy an advanced, custom HTTP beaconing payload developed internally by the
trainers and used regularly on engagements to effectively infiltrate company networks.

Participants will receive source code to a variety of offensive tools, including custom shells, backdoors,
C2 listening posts, and social engineering exploitation techniques. To reinforce the knowledge provided
through instruction, participants will have realistic lab projects throughout the day, where the coding
skills, custom payload delivery, and advanced pivoting techniques from course instruction will all be
necessary.

Day 1
Lab 0 | Introduction | Review course topics
Lab 1 | Throwback | Learn about stage 1 malware | Build and deploy Throwback
Lab 2 | Client Side Exploitation | Client-side exploitation techniques | Build custom payloads
Lab 3 | Windows API | Windows API abuse and bypasses | Build and inject a reflective DLL
Lab 4 | Slingshot (RAT) | Learn about reflective DLL injection | Build Slingshot and convert to a reflective DLL
Lab 5 | Post-exploitation hashdump module | Learn about post-exploitation techniques | Add hashdump module to Slingshot
Lab 6 | Post-exploitation Mimikatz module | Learn about post-exploitation techniques | Add Mimikatz module to Slingshot
Day 2
Lab 7 | Covert operations | Learn about covert infrastructure and operational security | Configure SOHO IP tables as redirector
Lab 8 | Evading antivirus | Learn how to evade antivirus | Build dynamic APIs and in-memory PE loader
Lab 9 | Windows persistence | Learn about stealthy persistence techniques | Identify a DLL hijacking vulnerability for persistence
Lab 10 | In-memory PowerShell | Learn about PowerShell execution techniques | Run PowerShell completely in-memory
Lab 11 | Advanced Windows pivoting | Learn about named pipes and other pivoting techniques | Compile and execute SlingshotSMB
Lab 12 | In-memory keylogger | Learn Windows API keylogging techniques | Implement a keylogger into Slingshot
Lab 13 | Privilege escalation | Learn about privilege escalation techniques | Escalate privileges using DllHijacker
Bonus module | Screen-grabber | Learn additional post-exploitation tools | Take a screenshot through Slingshot

Hands-on SAP Hacking and Defense Workshop

SAP is a core part of the business-critical infrastructure of 95% of the biggest companies in the world. These companies rely on SAP to perform their most sensitive daily operations, such as processing employee payroll and benefits, managing logistics, managing suppliers and customers, material management, releasing payments to providers, credit card processing, business intelligence, etc.

This training provides the latest information on SAP specific attacks and remediation / protection activities.

This training starts with an introduction to SAP (no previous SAP knowledge is required). Through several hands-on exercises and demos, you will learn how to perform your own vulnerability assessments, audits and penetration tests on your SAP platform. You will be well equipped to understand the critical risks your SAP platform may be facing and how to assess them and, more importantly, you will know the best practices to effectively mitigate them, proactively protecting your business-critical platform.

We take pride in creating the most comprehensive SAP security agenda:

Day 1

Day 2

Network Forensics Workshop

The two-day Network Forensics class consists of a mix of theory and hands-on labs, where students will learn to analyze Full Packet Capture (FPC) files. The scenarios in the labs are primarily focused on network forensics for incident response, but are also relevant for law enforcement, internal security, etc., where the network traffic of a suspect or insider is being monitored.

Day 1 – Theory and Practice using Open Source Tools
* Theory: Ethernet signaling
* Hardware: Network TAPs and Monitor ports / SPAN ports
* Sniffers: Recommendations for high-performance packet interception
* PCAP analysis: Extracting evidence and indicators of compromise using open source tools
* Defeating Big Data: Techniques for working with large data sets
* Whitelists: Learn how to detect 0-day exploit attacks without using IDS signatures
* Challenge Day 1: Find the needle in our haystack and win an honorable prize!

Day 2 – Advanced Network Forensics using Netresec Tools
* NetworkMiner Professional: Learning to leverage the features available in the Pro version
** Port Independent Protocol Identification (PIPI)
** DNS Whitelisting
* NetworkMinerCLI: Automating content extraction with our command line tool
* CapLoader: Searching, sorting and drilling through large PCAP data sets
** Super fast flow transcript (aka Follow TCP/UDP stream)
** Filter PCAP files and export frames to other tools
** Keyword search
* Challenge Day 2

The Scenario
The scenario used in the class involves a new progressive Bank, which provides exchange services for Bitcoin and Litecoin. We’ve set up clients and a server for this bank using REAL physical machines and a REAL internet connection. All traffic on the network is captured to PCAP files by a SecurityOnion sensor. In the scenario this bank gets into lots of trouble with hackers and malware, such as:
* Defacement of the Bank’s web server (see zone-h mirror)
* Man-on-the-Side (MOTS) attack (much like NSA/GCHQ’s QUANTUM INSERT)
* Backdoor infection through trojanized software
* Spear phishing
* Use of a popular RAT (njRAT) to access the victim’s machine and exfiltrate the wallet.dat files for Bitcoin and Litecoin
* Infection with real malware (Nemucod, Miuref / Boaxxe and more)

Class attendees will learn to analyze captured network traffic from these events in order to:
* Investigate web server compromises and defacements
* Detect Man-on-the-Side attacks
* Identify covert backdoors
* Reassemble incoming emails and attachments
* Detect and decode RAT/backdoor traffic
* Detect malicious traffic without having to rely on blacklists, AV or third-party detection services

NetworkMiner CapLoader Professional software included FREE of charge
Each attendee will be provided with a free personal single user license of NetworkMiner Professional and CapLoader. These licenses will be valid for six months from the first training day.

Target Audience
Q: Who should attend?
A: Anyone who wants to improve their skills at finding evil stuff in full content packet captures.

Q: Who should NOT attend?
A: Those who are afraid of using Linux command line tools.

Training Preparations
Laptop Required
Attendees will need to bring a laptop that fits the following specs:
* A PC running any 64 bit Windows OS (can be a Virtual Machine)
* At least 4GB RAM
* At least 40 GB free disk space
* VirtualBox (64 bit) installed
(VMWare will not be supported in the training)

A VirtualBox VM will be provided on USB flash drives at the beginning of the training.
Please note that having a 64-bit CPU and a 64-bit OS is not always enough to support 64-bit virtualization. You might need to enable features such as “AMD-V”, “VT-x” or “Hyper-V” in BIOS in order to run virtual machines in 64-bit mode. You might also need to turn off “Intel Trusted Execution” in BIOS. One way to verify that your laptop supports 64-bit virtualization is to download the SecurityOnion ISO and see if it boots up in VirtualBox.

Spring Pub 2018

It might be difficult to imagine now with the snowy landscape and biting cold, but we are predicting this situation will eventually change. To nudge the process along we have decided it’s time to announce this year’s SEC-T Spring Pub Event, without which, as we know, spring cannot arrive.

This year we are again trying a new venue in the hope of eventually finding the perfect place to host this lovely annual event. This year we have decided to host the spring pub at Hilma on Torsgatan 10 by Norra Bantorget.

[SCHEDULE] 

Thursday, April 19th

17.00  Doors open

18.00 Welcome and general information from SEC-T

18.30 A lightning talk

19.15 Another lightning talk

20.00 A third lightning talk

If you are interested in giving a lightning talk or have other ideas you would like to share please send us an email to [email protected] and we will sort it out.

This event is free and requires no pre-registration.

Sincerely,

The SEC-T Organizers

0x0Anniversary Information

Welcome to the 10th annual SEC-T conference. We are very happy to be back at Nalen again, and even though it feels like we just left last year’s con it is already time for the next. This is basically how it has been feeling for the past 10 years for us. We come off one year having a thousand new ideas only to realize we could make a few of them reality when it’s all of a sudden time for SEC-T again. Of course when we look back we see the vast difference between what we are currently doing and how it all started back in 2008.

I know we said last year was “the big squeeze” and we managed to fit nearly 400 people into this room. Well this year there are 440 seats and that’s the amount of tickets circulating.

We have 9 sponsors this year instead of 8, so you’ll have one more sponsor to thank for making this event happen. But most importantly, we have 15 speakers this year. Now you will already have met 5 of them if you attended Community Night last night or if you attended our premiere SEC-T2ion (pronounced “dissection”) Training, and some of them are also doing a talk during the conference. Never before did we get so many high quality submissions, maybe it’s a sign that SEC-T is becoming known, or maybe it’s just because we are paying our speakers. 😉

This year more than ever the schedule is tightly packed, and since you are too I hope you will keep being an awesome audience and help us keep the schedule running.

When we started streaming SEC-T we were a bit worried that maybe people would not come to the venue, maybe it would be just as fun to stay in the office and watch YouTube all day. But obviously this does not impact the participation in the least. Which makes us happy, because there are undoubtedly people sitting out there that want and need this information but do not have an employer that will pay for them. It also hit us that since we can take questions for our speakers from the audience via email, audience participation from the internet isn’t really a problem. We have the IRC channel #SEC-T on EFNET and we have the [email protected] email. So if anyone is running a hackspace or organizing an event in their office or living room anywhere, that place, that space, could be just as much part of SEC-T as this main hall is. To try this out we have an extra room this year: downstairs, or more correctly, around the corner, is the entrance to Stacken. In Stacken you will find the stream running, you’ll find some cinema seating like in this room, some tables to sit by if you’re playing CTF or need a place to put your laptop, a lounge area, an ice cream machine, our gadget sales. Lunch will also be served down there to make it less tight, there is a bar and… there is also a SEC-T Anniversary T-shirt waiting for you if you bring your ticket QR-code. We have a T-shirt for everyone so take it at your leisure.

I mentioned the CTF, the CTF has actually been up and running since yesterday afternoon, the scoreboard should be visible, so register to play now at http://sec-t.ctf.rocks and may the people with the most time on their hands win. 😛

There is also something else about the stream this year that might be interesting. We have säkerhetspodcasten here in the audience, and they have promised to try to interview every speaker after their presentation, on video, and deliver the video to the streaming guys in the back so that people watching the stream can see them while you guys are on a coffee or lunch break. The interviews will of course be available on YouTube later when you’re back in the office on Monday.

Our tradition at SEC-T is that I come on stage after every talk and try to come up with smart sounding questions for the speakers. I have never written any questions in advance so far and sometimes it’s a bit of a challenge, but I think it’s a good tradition and something we will continue doing. However, when I’m on stage I will not be reading the IRC channel, and we do not have enough goons to do this, so I would appreciate if anyone could keep an eye on the channel and proxy the questions to our speaker (please only do this with SFW questions). And if you are shy, email the question to [email protected] BEFORE the QnA and I can ask the question for you. But as you can see there is a stack of presents on stage, and those presents are for our speakers to hand out to those asking questions. We used to have books for the speaker to choose from, and we still do. The presents are books, mostly, but to add some surprise to the game Hanna was kind enough to play Christmas and wrap them all. So it’s worth being brave, first audience question for each talk gets a present.

This is also the first year we have a decent voting system for the speakers. As you know we are paying our speakers to perform, but the speaker that has performed the best according to you, the audience, will also be paid double. The webpage you got your ticket on has a voting system where you can vote on each speaker. You can’t vote in advance, but please remember to vote and the best way is if you do it directly after each talk.

I think there are still some Lightning Talk slots available this afternoon and we have been hoping for lightning talks to become something more spontaneous. So please, if you have something you want to share, let me or any organizer know and we’ll fit you into the schedule.

We hope you will have two awesome days!

Time for the first talk.

Birthday coming soon

As most of you might have seen we are sold out earlier than previous years. To be sure we have mixed feelings about this, we are very happy that so many see the value in what we are doing. But at the same time we are getting flooded with emails and tweets asking how to get a ticket. Currently if you visit our ticket system there is only the option to buy Training tickets (which includes a conference ticket), but we are going through our system to find if there are in fact more spaces to fill this year. Should there be any tickets left we will announce this.

The ticketing system wasn’t really designed with training in mind so that’s why it can look slightly confusing. We are sorry for the inconvenience this causes. We feel your pain.

It is also currently two weeks to the event this year and we got overwhelmed by the number of quality submissions we received this year, many of which said they would be willing to speak at the Community Night (Wednesday the 13th). Therefore we decided to expand the Community Night event to have 5 talks. As always the Community Night is a free event with no registration required so we hope to see those missing a ticket there. And we would suggest being on time (17.00) as the room might get full.

The video stream will be up sometime during the Community Night as well and run through the entire event for those who want to follow us on YouTube.

When you arrive on Thursday morning be sure to bring your ticket. You should have gotten a link to where you can download your ticket containing a QR code that we must scan for you to get access to the event. We have currently expanded the event as much as we believe it is possible at this venue and we hope for your help making it run as smoothly as possible.

We will release more information in the days to come.

Sincerely,

The SEC-T Organizers

News at Spring Pub

The SEC-T Spring Pub is just kicking off in Stockholm, and for those of you who are not able to be there, here is the information being presented.

First of all we’ve made an invitation video for the SEC-T 2017 Anniversary! Share and enjoy!

If it’s still early enough and you’re planning to show up at the Spring Pub at 19.00 you can still catch all of the evening’s lightning talks. At present time there are four registered speakers, of which one is a short live recording of the new Podcast “Säkerhetssnack”.

As is tradition, the ticket sales to this year’s SEC-T Conference are also open now so if you need an Early Bird ticket you should probably hurry up before they are gone.

Announcements

There are also a few announcements regarding this year’s SEC-T, namely:

 

Spring Pub 2017

The ice is slowly melting outside and it’s almost that time of the year again.

When we started SEC-T we realized how far it was in between the conferences and that we were not alone dreading the long haul until we get to socialize again. Thus we created the spring pub event.

This year the spring pub event takes place on Thursday, April 27th and we are again trying out a new pub in search of the perfect venue for our particular style of event. The location this year is Torsgatan, Bonnierhuset (Entry Lokstallsgatan 1) and we will open the doors at 17.00.

The first 150 people to arrive can expect wraps and drink tickets as usual, but our sponsors will of course have more tickets to hand out during the evening.

As always there will be some talks on stage and we will make this year’s announcements about the Anniversary edition of SEC-T so make sure you don’t miss out on the fun.

Make sure to register below so we know you are coming!

Wanna speak? There will be four smalltalk/lightning talk slots available for those who feel like they have something interesting to share. Some slots are already taken but if you know you want to give a talk (5-30min) please send an email to [email protected].

 

Planning for SEC-T 2017

It is now a cold early February and it is hard to imagine what the end of the summer will look like. But we organizers are already hard at work with planning and preparing for this year’s SEC-T conference.

Last year was an awesome event and as you may already have heard, we have decided that changing venues would be tantamount to changing a winning concept. (Also it would probably end up generating a lot of unnecessary costs from having such a large new arena to make mistakes in.) So we will be staying at Anrika Nalen for this year’s conference as well.

This year however is something special for us, as this year marks the 10 year anniversary of the SEC-T conference. Ten years ago some of us decided that traveling far and wide for a decent con was, not only one of the highlights of the year, but also a frustration over how poor the Swedish conference selection was. And a lot of hard labor, sweat and silly, but costly mistakes later, we believe to have constructed a pretty decent floating ship. Something that our faithful and well behaved audience as well as returning top speakers can attest to.

So how can we make this year something special, I hear you ask. Well, apart from the obvious and increasing the audience with another 50 seats (yes it will be tight) we have resolved to embrace a larger portion of the venue to provide a community and lounge area. We also realize that we made a blunder with last year’s video recording and this year we will not only be streaming live 24×7, providing interviews with the speakers between talks, making sure everything is properly recorded, but also make sure we have proper interaction with those watching the stream.

We have also frequently gotten requests for organized training sessions, so we will give this concept a serious go this year as well. The days leading up to the conference there will be a few two-day, in-depth training sessions for a small number of students who want to learn about specific topics. We are going to keep the classes small to ensure every student gets proper time for questions and guidance. We will announce when the sessions and the tickets are available.

The ticket sales for this year’s SEC-T will start during the annual Spring Pub Event on April 27th. Venue will be announced shortly, but if you already know you have a lightning talk you want to present, please send us an email and we’ll jot you down for a slot. (As always lightning talks are a maximum of 15 minutes and as always may not be used for marketing commercial organizations or products.)

If you are interested in helping out or being a part of making this year’s conference something extraordinary, or if you have a project, are a part of a hack space, run a security related interest group or anything else that could be interesting to collaborate around, please contact us at [email protected].

After all this year will be something very special, for this year is…

0x0Anniversary

 

Getting started 2017

The cold is still gripping here in Sweden and still no sign of spring. But our minds are already on SEC-T 2017 this September and we are eager to find this year’s speakers and trainers.

So if you think your research will be finished by September and you would love to come present it, or if you just have lots of awesome material and always wanted to come to Stockholm, Sweden, now is your time to act! Read our Call for Papers for more information.

If you are a trainer / teacher with a one or two day training course and would like to perform it in Stockholm in conjunction with this year’s SEC-T, we would be delighted if you sent us your material too. See our Call for Teachers for more information.