Training

By Net-Square

Trainer: Saumil Shah

Duration: 3 days, October 29-31, 2018

Course description:

ARM has emerged as the leading architecture in the Internet of Things (IoT) world. The ARM IoT Exploit Laboratory is a 3-day intermediate level class intended for students who want to take their exploit writing skills to the ARM platform. The class covers everything from an introduction to ARM assembly all the way to Return Oriented Programming (ROP) on ARM architectures. Our lab environment features hardware and virtual platforms for exploring exploit writing on ARM based Linux systems and IoT devices.

The class concludes with an end-to-end "Firmware-To-Shell" hack, where we extract the firmware from a popular SoHo router and an IP Camera, build a virtual environments to emulate and debug them, and then build exploits to gain a shell on the actual hardware devices.

Overview:

"There's an Intel on every desktop, but an ARM in every pocket."

The Internet of Things (IoT) universe comprises largely of ARM based systems. The ARM IoT Exploit Laboratory for 2018 brings you an intense 3-day course featuring a practical hands-on approach to exploit development on ARM based systems. This class is perfectly suited for students who are keen to dive into the world of modern ARM exploit development.

Our intermediate level class begins with an introduction to ARM architecture and ARM assembly language and moves quickly onto debugging techniques for ARM systems, exploiting buffer overflows on ARM devices running Linux, writing ARM shellcode from the ground up, and bypassing exploit mitigation techniques with ARM Return Oriented Programming (ROP). Our lab environment features both hardware and virtual machine targets.

The class concludes with an end-to-end "Firmware-To-Shell" hack, testing out ARM exploitation skills against commercial ARM based SoHo routers and IP Cameras. Students will extract the manufacturer's firmware, learn how to analyse and debug them in virtual environments, build exploits involving tight ROP chaining and ASLR bypass, and finally succeed in getting shells on the actual hardware.

As with the popular Exploit Laboratory, all topics are delivered in a down-to-earth, learn-by-example methodology. The same trainers who brought you The Exploit Laboratory for over 12 years have been working hard in putting together an all new class based on past feedback!

Learning objectives:

* Introduction to the ARM CPU architecture
* Exploring ARM assembly language
* Understanding how functions work in ARM
* Debugging on ARM systems
* Exploiting Stack Overflows on ARM
* Writing ARM Shellcode from the ground up
* Introduction to Return Oriented Programming
* Bypassing exploit mitigation using ROP
* Practical ARM ROP
* An Introduction to extracting firmware from devices
* Emulating and debugging a SoHo router's firmware in a virtual environment
* "Firmware-To-Shell" - exploiting an actual SoHo router
* "Firmware-To-Shell" - exploiting an actual IP camera
* The Lab environment is a mixture of physical ARM hardware and ARM virtual machines.

Target audience:

- Past x86 Exploit Laboratory students who want to take their elite exploitation skills to the ARM platform.
- Pentesters working on ARM embedded environments. (SoCs, IoT, etc)
- Red Team members, who want to pen-test custom binaries and exploit custom built applications.
- Bug Hunters, who want to write exploits for all the crashes they find.
- Members of military or government cyberwarfare units.
- Members of reverse engineering research teams.
- People frustrated at software to the point they want to break it!

Daily schedule:

Day 1

* Introduction to the ARM CPU architecture
* Exploring ARM assembly language
* EXERCISE - Examples in ARM Assembly Language
* Debugging on ARM systems
* Understanding how functions work in ARM
* Exploiting Stack Overflows on ARM
* EXERCISE - ARM Stack Overflows

Day 2

* Writing ARM Shellcode from the ground up
* EXERCISE - Embedded Web Server exploit
* Introduction to Exploit Mitigation Techniques (XN/DEP and ASLR)
* Introduction to ARM Return Oriented Programming
* Bypassing exploit mitigation on ARM using ROP
* ARM ROP Tools
* EXERCISE - Searching for ARM ROP Gadgets

Day 3

* Practical ROP Chains on ARM
* EXERCISE - Exploit featuring ARM ROP Chains
* Bypassing ASLR
* An Introduction to firmware extracting
* Discovering an IoT devices' serial pins and extracting actual firmware via serial console
* Emulating and debugging a SoHo router's firmware in a virtual environment
* EXERCISE - Attacking a DLINK DIR-880L ARM Router - from firmware to shell
* EXERCISE - Attacking a Trivision ARM IP Camera - from firmware to shell

Prerequisites:

* A conceptual understanding of how functions work in C programming
* Knowledge of how a stack works, basic stack operations
* Familiarity with debuggers (gdb, WinDBG, OllyDBG or equivalent)
* Not be allergic to command line tools.
* Have a working knowledge of shell scripts, cmd scripts or Perl or Python.
* If none of the above apply, then enough patience to go through the pre-class tutorials.
* SKILL LEVEL: INTERMEDIATE (leaning towards advanced)

Pre-class tutorials:

The following tutorials have been specially prepared to get students up to speed on essential concepts before coming to class.

a) Operating Systems - A Primer
http://www.slideshare.net/saumilshah/operating-systems-a-primer

b) How Functions Work
http://www.slideshare.net/saumilshah/how-functions-work-7776073

c) Introduction to Debuggers
http://www.slideshare.net/saumilshah/introduction-to-debuggers

If you have the time and want to get a bit of a headstart on ARM Basics, I highly recommend Azeria's ARM Basics Tutorials, especially the following:

https://azeria-labs.com/writing-arm-assembly-part-1/
https://azeria-labs.com/assembly-basics-cheatsheet/
https://azeria-labs.com/process-memory-and-memory-corruption/

Hardware requirements:

* A working laptop (no Netbooks, no Tablets, no iPads)
* Intel Core i3 (equivalent or superior) required
* 8GB RAM required, at a minimum
* Wireless network card
* 40 GB free Hard disk space
* If you're using a new Macbook or Macbook Pro, please bring your dongle-kit!

Software requirements:

* Linux / Windows / Mac OS X desktop operating systems
* VMWare Player / VMWare Workstation / VMWare Fusion MANDATORY
* Administrator / root access MANDATORY

The expoit lab blog: http://blog.exploitlab.net/
Our Twitter stream: @therealsaumil

Student will be provided with:

Students will be provided with all the lab images used in the class. The ARM IoT Exploit Laboratory uses a "Live Notes" system that provides a running transcript of the instructor's system to all the students. Our lab environment, plus about 700MB of curated reading material, will be made available to all attendees to take with them and continue learning after the training ends.

Recent News

October 9th 2018

Cloud security issues are a key focus at this year’s COUNTERMEASURE IT Security Conference, with in depth training as well as key presentation from industry leaders. Graham Thompson, who participated in our 2017 cloud security panel discussion, leads an intensive three day training course, Cloud Security Fundamentals & FedRAMP. IBM’s Jeff Crume will be giving a keynote presentation on Security in the Clouds, and Teri Radichel will present on Top Priorities for Cloud Application Security. For institutions with a cloud infrastructure, these sessions should not be missed.

September 20th 2018

Charlie Miller and Chris Valasek join our growing list of speakers at COUNTERMEASURE 2018.  Their presentation on Security Self-Driving Cars will explore the future security issues of this emerging sector. 

In the not too distant future, we'll live in a world where computers are driving our cars. Soon, cars may not even have steering wheels or brake pedals. But, in this scenario, should we be worried about cyber attack of these vehicles? In this talk, two researchers who have headed self-driving car security teams for multiple companies will discuss how self driving cars work, how they might be attacked, and how they can ultimately be secured.
 
You can view their presentations and those of our other speakers here.

Cancellation Policy

Substitutions can be made at any time. Unfortunately we cannot refund registration fees. Each course is subject to a minimum number of students. In the unlikely event that a course must be cancelled due to low enrolment, full refunds will be provided to registered students.

For more information on COUNTERMEASURE 2018, please contact us at This email address is being protected from spambots. You need JavaScript enabled to view it. or our office line at 613-725-2079.