SEC-T - 0x10sion

Three new talks, trainings sold out

July 13th, 2019

All trainings for 2019 are sold out

We’re both happy and sad to announce that we for the first time have sold all seats to all trainings we have this year! We still have conference tickets left so make sure to grab one before they run out as well!

Three new talks accepted

We now have three more confirmed talks for this year:

• Zero to Millionaire in 60 minutes: Hacking Real Life Financial Applications – by Himanshu Sharma
• Battle in the Clouds: Attacker vs Defender on AWS – by Dani Goland & Mohsan Farid
• Crypto Cobra: Tales of the nation-state actor targeting crypto-exchanges – by Dani Goland & Ido Naor

Our Call for paper is still open so if you have something you want to talk about make sure to send it in before the 15th of August!

First five accepted speakers

July 2nd, 2019

We got a lot of good submissions for the first round of call for papers this year so it was no easy task to decide on the talks. Some were, for different reasons, pushed to a later round but four were accepted this round.

These are the talks we accepted in this first round:

• Cloudhopper – by Vesa
• Game Boy hacking – Making the Midnight Sun CTF Game Boy challenge from hardware to software – by Carl Svensso
• Quantum computing and its impact on the field of cryptology – by Martin Ekerå
• Pwning AWS Cloud services – by Mohammed Aldoub
• Modchips of the State: Hardware implants in the supply-chain – by Trammell Hudson

Our Call for paper is still open so if you have something you want to talk about make sure to send it in!

Dark side ops 2: Adversary simulation training

April 25th, 2019

Dark Side Ops 2: Adversary Simulation is the combination of sophisticated, red team trade craft and cutting-edge, offensive development to simulate real-world adversary activities. Challenge yourself to move beyond reliance on the typical “low-hanging exploitable fruit” from 1999 and start thinking, persisting, pivoting, and operating like a sophisticated adversary. Application whitelisting got you down? No problem. Can’t catch that callback? Been there. No touching disk? No worries. Dark Side Ops 2: Adversary Simulation helps participants up their offensive game by sharing the latest in initial access and post-exploitation, defensive countermeasure bypasses, and unique malware code execution techniques.

Dark Side Ops 2: Adversary Simulation builds on Silent Break Security’s Dark Side Ops: Custom Penetration Testing training by furthering participants’ abilities to think, operate, and develop tools just like sophisticated, real-world attackers. If you want to

1. build confidence in your offensive approach and capabilities,
2. learn about and implement the techniques of stealthy malware and backdoors, and
3. achieve the operational results of a sophisticated adversary, then Dark Side Ops 2: Adversary Simulation is for you.

Dark Side Ops 2: Adversary Simulation provides participants with hands-on labs over an intense, two-day course.

• Discover new external attack techniques to gain stealthy internal network access without social engineering
• Leverage configuration weaknesses to fully compromise database servers
• Reverse engineer .NET applications to identify 0-day vulnerabilities
• Bypass even the tightest of egress controls through custom code execution techniques
• Learn about and perform disk-less pivoting techniques
• Implement the latest in code and DLL injection techniques completely undetectable by AV
• Learn about and bypass the latest in application whitelisting
• Prevent and block defensive incident responders from analyzing your tools, payloads, and backdoors
• Build easy-to-use and versatile malware, backdoors, and loaders to diversify your toolset and capabilities
• As part of the course, participants will receive access to multiple virtual machines where their skills and proficiency will be challenged through a series of intense, hands-on lab exercises. Participants will also be provided with a LOT of custom code to facilitate their learning process and push them to consider improved attack techniques and new attack vectors.

Network forensics training

April 25th, 2019

The two-day Network Forensics class consists of a mix of theory and hands-on labs, where students will learn to analyze Full Packet Capture (FPC) files. The scenarios in the labs are primarily focused at network forensics for incident response, but are also relevant for law enforcement/internal security etc. where the network traffic of a suspect or insider is being monitored.

Day 1 – Theory and Practice using Open Source Tools

• Theory: Ethernet signaling
• Hardware: Network TAPs and Monitor ports / SPAN ports
• Sniffers: Recommendations for high-performance packet interception
• PCAP analysis: Extracting evidence and indicators of compromise using open source tools
• Defeating Big Data: Techniques for working with large data sets
• Whitelists: Learn how to detect 0-day exploit attacks without using IDS signatures
• Challenge Day 1: Find the needle in our haystack and win a honorable prize!

Day 2 – Advanced Network Forensics using Netresec Tools

• NetworkMiner Professional: Learning to leverage the features available in the Pro version
• Port Independent Protocol Identification (PIPI)
• DNS Whitelisting
• NetworkMinerCLI: Automating content extraction with our command line tool
• CapLoader: Searching, sorting and drilling through large PCAP data sets
1. Super fast flow transcript (aka Follow TCP/UDP stream)
2. Filter PCAP files and export frames to other tools
3. Keyword search
• Challenge Day 2

The Scenario

The scenario used in the class involves a new progressive Bank, which provides exchange services for Bitcoin and Litecoin. We’ve set up clients and a server for this bank using REAL physical machines and a REAL internet connection. All traffic on the network is captured to PCAP files by a SecurityOnion sensor. In the scenario this bank gets into lots of trouble with hackers and malware, such as:

• Defacement of the Bank’s web server (see zone-h mirror)
• Man-on-the-Side (MOTS) attack (much like NSA/GCHQ’s QUANTUM INSERT)
• Backdoor infection through trojanized software
• Spear phishing
• Use of a popular RAT (njRAT) to access the victims machine and exfiltrate the wallet.dat files for Bitcoin and Litecoin
• Infection with real malware (Nemucod, Miuref / Boaxxe and more

Class attendees will learn to analyze captured network traffic from these events in order to:

• Investigate web server compromises and defacements
• Detect Man-on-the-Side attacks
• Identify covert backdoors
• Reassemble incoming emails and attachments
• Detect and decode RAT/backdoor traffic
• Detect malicious traffic without having to rely on blacklists, AV or third-party detection services

NetworkMiner CapLoader Professional software included FREE of charge

Each attendee will be provided with a free personal single user license of NetworkMiner Professional and CapLoader. These licenses will be valid for six months from the first training day.

Target Audience

Q: Who should attend?
A: Anyone who want to improve their skills at finding evil stuff in full content packet captures.

Q: Who should NOT attend?
A: Those who are afraid of using Linux command line tools.

Training Preparations

Laptop Required
Attendees will need to bring a laptop that fits the following specs:

• A PC running any 64 bit Windows OS (can be a Virtual Machine)
• At least 4GB RAM
• At least 40 GB free disk space
• VirtualBox (64 bit) installed (VMWare will not be supported in the training)

A VirtualBox VM will be provided on USB flash drives at the beginning of the training. Please note that having a 64-bit CPU and a 64-bit OS is not always enough to support 64-bit virtualization. You might need to enable features such as ”AMD-V”, ”VT-x” or ”Hyper-V” in BIOS in order to run virtual machines in 64-bit mode. You might also need to turn off “Intel Trusted Execution” in BIOS. One way to verify that your laptop supports 64-bit virtualization is to download the SecurityOnion ISO and see if it boots up in VirtualBox.

Basics of binary exploitation training

April 25th, 2019

Overview

Binary exploitation is the topic concerning the finding and exploitation of vulnerabilities in low-level code, particularly machine level code. It is usually considered one of the more complex areas of IT security and some of the exploits produced sometimes chain together dozens of moving parts in mind-boggling ways to cause programs to behave in a completely unintended manner. The field is the basis of high-severity exploits such as OS privilege escalation, jailbreaks and browser exploits.

Learning goals and expected outcomes

This two-day training aims to give the participant a deeper understanding of how programs execute and interact with the rest of the system, an understanding of the basic building blocks, terminology and anatomy of binary exploitation as well as hands on experience and creating some basics exploits of their own. It will also cover various protection mechanisms, how they work and how to deal with them. Throughout the course, techniques for finding vulnerabilities, analyzing and turning them into exploits will be covered and practiced in the form of hands on exercises.

After completing the training the student will have a solid foundation from which they can continue exploring the field of binary exploitation and allowing them to start learning advanced topics such as kernel exploitation, different architectures and exploiting real-world software such as browsers and phones. The student will also have a basic understanding of some of the various techniques used for working with analysis and exploitation of programs.

Course contents

The course will cover the following topics will be covered in the course. Topics marked with “*” will be covered as part of the introduction/background without accompanying exercises. Topics marked with “**” are advanced topics covered as part of an introduction into how to proceed after the training.

• Stack based attacks
• Buffer overflow
• ROP
• Stack shifting
• Format string attacks
• Heap based attacks
• Buffer overflow
• Use-after-free
• Type confusion
• General concepts
• Memory layout*
• x86 basics*
• Writing exploits
• Function pointers (vtables)
• Program analysis
• Fuzzing
• Symbolic execution
• Debugging
• Tracing
• Exploit primitives
• Arbitrary read (absolute, relative)
• Arbitrary write (absolutely, relative)
• Protections
• Stack canaries
• NX/DEP
• ASLR + PIE
• CFG**
• PAC**

Outline

Below is a rough outline of the planned schedule for the training. This is preliminary and subject to change. A more definitive schedule will be posted prior to the training.

• Day 1
Intro
• Stack exploit basics
• Protection mechanisms
• Format string vulnerabilities
• Heap exploit basics
• Day 2
• Fuzzing
• Symbolic execution
• Debugging
• More exploit exercises

Tools used

We will be using mostly free and open source tools throughout the training. Programs will be debugged with gdb with the pwndbg addon. The exercises can be solved with a programming language of your choice but examples will be presented in Python with the pwntools framework.

The only commercial tool we will use is Binary Ninja which is a reverse engineering platform. A personal non-commercial license for Binary Ninja is included in the price of the training which you get to keep and can, if desired be upgraded to a commercial license. All tools and exercises will be available as a pre-packaged VM/container. Instructions on how to obtain and get it set up on your computer will be provided to all participants ahead of the training.

Prerequisites

The student is expected to have basic understanding of computers, programs and operating systems. Some basic programming skills are also required, particularly some basic Python knowledge is very helpful. Finally it is expected that the student can read simple C code and understand very basic concepts of assembler.

The instructor

Carl Svensson is a security professional and hobbyist currently working as the head of security at Swedish healthcare startup, KRY. He is a frequent CTF player for the Swedish top team HackingForSoju and an active member of the Swedish and international security community with a great fondness for a broad range of topics, reverse engineering being one of his favorites. If you have questions about the contents of this training, feel free to get in touch at [email protected].

Call for Speakers and Teachers!

January 16th, 2019

Click here if you are you interested in speaking at SEC-T 2021

Click here if you are interested in teaching a two day training program at SEC-T2ion 2021

Dark Side Ops: Custom Penetration Testing Workshop

April 19th, 2018

Hackers penetrate enterprise networks in the flash of an eye, ravage endpoints for sensitive data, and
silently exfiltrate the keys to your kingdom without ever popping an alert. Dark Side Ops: Custom
Penetration Testing enables participants to “break through” to the next level by removing their
dependence on 3rd-party penetration testing tools, allowing for outside-the-box thinking and custom
tool development designed specifically for the target environment. Participants are provided with
hands-on experience into the black hat techniques currently used by hackers to bypass network-based
enterprise intrusion detection and prevention systems (IDS/IPS), layer 7 web proxies, and data loss
prevention (DLP) solutions. The custom approach doesn’t stop there. Participants learn advanced
evasion techniques of corporate host-based countermeasures including antivirus and application
whitelisting solutions by developing, compiling, and deploying custom backdoors, payloads, and
persistence deep into protected enterprise networks.

At the end of this course students will be able to:
• Build custom payload droppers, beaconing backdoors, and interactive shells.
• Conduct highly targeted and sophisticated custom client-side and social engineering attacks.
• Escalate workstation and network privileges without an exploit.
• Bypass defensive host and network countermeasures such as anti-virus applications, firewalls,
IDS, IPS, SIEMs, and strict egress filtering.
• Establish custom, stealthy persistence in a target network.
• Exfiltrate data from a target networks using custom applications and network monitoring
evasion techniques.
• Compile and deploy an advanced, custom HTTP beaconing payload developed internally by the
trainers and used regularly on engagements to effectively infiltrate company networks.

Participants will receive source code to a variety of offensive tools, including custom shells, backdoors,
C2 listening posts, and social engineering exploitation techniques. To reinforce the knowledge provided
through instruction, participants will have realistic lab projects throughout the day, where the coding
skills, custom payload delivery, and advanced pivoting techniques from course instruction will all be
necessary.

Day 1
Lab 0	Introduction	Review course topics
Lab 1	Throwback	Learn about stage 1 malware	Build and deploy Throwback
Lab 2	Client Side Exploitation	Client-side exploitation techniques	Build custom payloads
Lab 3	Windows API	Windows API abuse and bypasses	Build and inject a reflective DLL
Lab 4	Slingshot (RAT)	Learn about reflective DLL injection	Build Slingshot and convert to a reflective DLL
Lab 5	Post-exploitation hashdump module	Learn about post-exploitation techniques	Add hashdump module to Slingshot
Lab 6	Post-exploitation Mimikatz module	Learn about post-exploitation techniques	Add Mimikatz module to Slingshot
Day 2
Lab 7	Covert operations	Learn about covert infrastructure and operational security	Configure SOHO IP tables as redirector
Lab 8	Evading antivirus	Learn how to evade antivirus	Build dynamic APIs and in-memory PE loader
Lab 9	Windows persistence	Learn about persistence stealthy techniques	Identify a DLL hijacking vulnerability for persistence
Lab 10	In-memory Powershell	Learn about Powershell execution techniques	Run Powershell completely in-memory
Lab 11	Advanced Windows pivoting	Learn about named pipes and other pivoting techniques	Compile and execute SlingshotSMB
Lab 12	In-memory keylogger	Learn Windows API keylogging techniques	Implement a keylogger into Slingshot
Lab 13	Privilege escalation	Learn about privilege escalation techniques	Escalate privileges using DllHijacker
Bonus module	Screen-grabber	Learn addition post-exploitation tools	Take a screenshot through Slingshot

Hands-on SAP Hacking and Defense Workshop

April 19th, 2018

SAP is a core part of the business-critical infrastructure of 95% of the biggest companies in the world, these companies rely on SAP to perform their most sensitive daily operations such as processing employees payroll and benefits, managing logistics, managing suppliers / customers, material management, releasing payments to providers, credit cards processing, business intelligence, etc.

This training provides the latest information on SAP specific attacks and remediation / protection activities.

This training starts with an introduction to SAP (No previous SAP knowledge is required), you will learn through several hands-on exercises and demos, how to perform your own vulnerability assessments, audits and penetration tests on your SAP platform,  you will be very well equipped to understand the critical risks your SAP platform may be facing, how to assess them and more importantly, you will know which are the best-practices to effectively mitigate them, pro-actively protecting your business-critical platform.

We take proud in creating the most comprehensive SAP security agenda:

Day 1

• Introduction to SAP
• What SAP security used to be in the past
• What SAP security is nowadays
• Introduction to SAP security tools (the open-source way)
• Securing the SAP Infrastructure
• SAP Router
• SAP Web-dispatcher
• The role of a firewall
• How to attack and secure: SAP & Windows
• How to attack and secure: SAP & Unix
• How to attack and secure: SAP & Oracle
• How to attack and secure: SAP & HANA
• Authentication mechanisms
• User Security
• Password Policy
• Authorizations
• SAP Gateway & RFC
• SAP Message Server
• SAP Management Console

Day 2

• SAP Solution Manager
• SAP System Landscape Directory
• ABAP Security
• SAP Back-doors
• SAP Updates
• Encryption

• SAP ICM (Continued)
• SAP J2EE
• Understanding the J2EE Framework
• Different SAP Web J2EE Applications
• J2EE Authentication Mechanisms
• SAP JCO
• SAP Security Audit Trail
• How to react in case of an SAP Intrusion
• SAP Lab – Packet wars! (Game subject to time constrains)

Network Forensics Workshop

April 19th, 2018

The two-day Network Forensics class consists of a mix of theory and hands-on labs, where students will learn to analyze Full Packet Capture (FPC) files. The scenarios in the labs are primarily focused at network forensics for incident response, but are also relevant for law enforcement/internal security etc. where the network traffic of a suspect or insider is being monitored.

Day 1 – Theory and Practice using Open Source Tools
* Theory: Ethernet signaling
* Hardware: Network TAPs and Monitor ports / SPAN ports
* Sniffers: Recommendations for high-performance packet interception
* PCAP analysis: Extracting evidence and indicators of compromise using open source tools
* Defeating Big Data: Techniques for working with large data sets
* Whitelists: Learn how to detect 0-day exploit attacks without using IDS signatures
* Challenge Day 1: Find the needle in our haystack and win a honorable prize!

Day 2 – Advanced Network Forensics using Netresec Tools
* NetworkMiner Professional: Learning to leverage the features available in the Pro version
** Port Independent Protocol Identification (PIPI)
** DNS Whitelisting
* NetworkMinerCLI: Automating content extraction with our command line tool
* CapLoader: Searching, sorting and drilling through large PCAP data sets
** Super fast flow transcript (aka Follow TCP/UDP stream)
** Filter PCAP files and export frames to other tools
** Keyword search
* Challenge Day 2

The Scenario
The scenario used in the class involves a new progressive Bank, which provides exchange services for Bitcoin and Litecoin. We’ve set up clients and a server for this bank using REAL physical machines and a REAL internet connection. All traffic on the network is captured to PCAP files by a SecurityOnion sensor. In the scenario this bank gets into lots of trouble with hackers and malware, such as:
* Defacement of the Bank’s web server (see zone-h mirror)
* Man-on-the-Side (MOTS) attack (much like NSA/GCHQ’s QUANTUM INSERT)
* Backdoor infection through trojanized software
* Spear phishing
* Use of a popular RAT (njRAT) to access the victims machine and exfiltrate the wallet.dat files for Bitcoin and Litecoin
* Infection with real malware (Nemucod, Miuref / Boaxxe and more

Class attendees will learn to analyze captured network traffic from these events in order to:
* Investigate web server compromises and defacements
* Detect Man-on-the-Side attacks
* Identify covert backdoors
* Reassemble incoming emails and attachments
* Detect and decode RAT/backdoor traffic
* Detect malicious traffic without having to rely on blacklists, AV or third-party detection services

NetworkMiner CapLoader Professional software included FREE of charge
Each attendee will be provided with a free personal single user license of NetworkMiner Professional and CapLoader. These licenses will be valid for six months from the first training day.

Target Audience
Q: Who should attend?
A: Anyone who want to improve their skills at finding evil stuff in full content packet captures.

Q: Who should NOT attend?
A: Those who are afraid of using Linux command line tools.

Training Preparations
Laptop Required
Attendees will need to bring a laptop that fits the following specs:
* A PC running any 64 bit Windows OS (can be a Virtual Machine)
* At least 4GB RAM
* At least 40 GB free disk space
* VirtualBox (64 bit) installed
(VMWare will not be supported in the training)

A VirtualBox VM will be provided on USB flash drives at the beginning of the training.
Please note that having a 64-bit CPU and a 64-bit OS is not always enough to support 64-bit virtualization. You might need to enable features such as ”AMD-V”, ”VT-x” or ”Hyper-V” in BIOS in order to run virtual machines in 64-bit mode. You might also need to turn off “Intel Trusted Execution” in BIOS. One way to verify that your laptop supports 64-bit virtualization is to download the SecurityOnion ISO and see if it boots up in VirtualBox.

Spring Pub 2018

February 27th, 2018

It might be difficult to imagine now with the snowy landscape and biting cold but we are predicting this situation will eventually change. To nudge the process along we have decided it’s time to announce this years SEC-T Spring Pub Event, without which, as we know, spring cannot arrive.

This year we are again trying a new venue in the hope of eventually find the perfect place to host this lovely annual event. This year we have decided to host the spring pub at Hilma on Torsgatan 10 by Norra Bantorget.

[SCHEDULE] 

Thursday April 19:th 

17.00  Doors open

18.00 Welcome and general information from SEC-T

18.30 A lightning talk

19.15 Another lightning talk

20.00 A third lightning talk

If you are interested in giving a lightning talk or have other ideas you would like to share please send us an email to [email protected] and we will sort it out.

This event is free and requires no pre-registration.

Sincerely,

The SEC-T Organizers