Comprehensive Training (Nov 4-6, 2019)
Preceding the core conference, we run three days of intensive technical and management training. All content is delivered by some of the world’s most knowledgeable and influential IT security experts in private, public, and research sectors.
Applied Threat Analysis
INSTRUCTOR: Kyle O’Meara
Kyle O’Meara is a Senior Member of the Technical Staff at the Software Engineering Institute (SEI) CERT Coordination Center (CERT/CC) where he works on the Malware Analysis Reverse Engineering Team. Day to day his research focuses on malware and embedded devices. Kyle also teaches cyber security course as an Adjunct Faculty and Faculty Advisor at Carnegie Mellon University and Adjunct Faculty at Duquesne University. Kyle also develops content for and runs the annual BSidesPGH Capture the Flag event. He co-founded Lanesra.io to provide practical cyber security training. Past jobs include technical roles at FireEye and the National Security Agency. Kyle has spoken at national and international cyber security conferences to include DEF CON, Blackhat Arsenal, ShmooCon, FIRST Technical Colloquium, BSidesPGH, and Countermeasure.
Cyber Threat Analysts fuse several data types to provide industry and government with strategic analysis for decision makers. There is a strong need for students to develop the capability to examine cyber threats and provide that information to decision makers. This course deconstructs what governments and industry define as cyber threats by providing students with an understanding of vulnerabilities, exploits, malware, network communications, and actors. In addition to expanding the knowledge base of threats, the course expands the technical understanding of indicators of compromise. In order to understand the adversary, you have to think like the adversary.
- Analyze the vulnerability landscape, impact of bug bounties, and examine analyst tools in practice
- Assess exploit development and usage. Demonstrate knowledge of impacts of exploits upon operating systems and small to large sized networks
- Perform high-level static malware analysis in support of actionable information for decision makers
- Discover, synthesize, and expand network indicators provided from malware analysis
- Synthesize all above data points and produce actionable threat information by correlating and creating analytics
- Understand both offensive and defensive sides of being an analyst
PREREQUISITES AND TECHNICAL REQUIREMENTS:
Students must bring their own laptop with VMware Workstation, Server or Fusion installed (VMware Player is acceptable, but not recommended) running Kali Linux. Students are responsible to troubleshoot your own problems with virtual machine software, the distro itself, and any tools within the distro. Laptops should be able to run VMware smoothly.
Recommend having at minimum 8GB of memory. Students should build their Kali VM with at least 20GB of space. Students should have some working knowledge of Linux and know their way around the command line when applicable.
The ARM IoT Exploit Laboratory
INSTRUCTOR: Saumil Shah
Saumil Shah, is the founder and CEO of Net-Square, providing cutting edge information security services to clients worldwide. Saumil is an internationally recognized conference speaker and instructor for over 18 years. He is also the co-developer of the wildly successful “Exploit Laboratory” courses and authored two books titled “Web Hacking: Attacks and Defense” and “The Anti-Virus Book”.
Saumil holds an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. He spends his leisure time playing Pacman, flying kites, traveling around the world and taking pictures.
ARM has emerged as the leading architecture in the Internet of Things (IoT) world. The all new ARM IoT Exploit Laboratory is a 3-day intermediate level class intended for students who want to take their exploit writing skills to the ARM platform. The class covers everything from an introduction to ARM assembly all the way to Return Oriented Programming (ROP) on ARM architectures. Our lab environment features hardware and virtual platforms for exploring exploit writing on ARM based Linux systems and IoT devices.
The class concludes with an end-to-end “Firmware-To-Shell” hack, where we extract the firmware from a popular SoHo router and an IP Camera, build a virtual environments to emulate and debug them, and then build exploits to gain a shell on the actual hardware devices.
- Introduction to the ARM CPU architecture
- Exploring ARM assembly language
- Understanding how functions work in ARM
- Debugging on ARM systems
- Exploiting Stack Overflows on ARM
- Writing ARM Shellcode from the ground up
- Introduction to Return Oriented Programming
- Bypassing exploit mitigation using ROP
- Practical ARM ROP
- An Introduction to extracting firmware from devices
- Emulating and debugging a SoHo router’s firmware in a virtual environment
- “Firmware-To-Shell” – exploiting an actual SoHo router
- “Firmware-To-Shell” – exploiting an actual IP camera
- The Lab environment is a mixture of physical ARM hardware and ARM virtual machines.
- Past x86 Exploit Laboratory students who want to take their elite exploitation skills to the ARM platform.
- Pentesters working on ARM embedded environments. (SoCs, IoT, etc)
- Red Team members, who want to pen-test custom binaries and exploit custom built applications.
- Bug Hunters, who want to write exploits for all the crashes they find.
- Members of military or government cyberwarfare units.
- Members of reverse engineering research teams.
- People frustrated at software to the point they want to break it!
- A conceptual understanding of how functions work in C programming
- Knowledge of how a stack works, basic stack operations
- Familiarity with GDB
- Not be allergic to command line tools.
- Have a working knowledge of shell scripts, cmd scripts or Perl.
- If none of the above apply, then enough patience to go through the pre-class tutorials.
- SKILL LEVEL: INTERMEDIATE (leaning towards advanced)
- A working laptop (no Netbooks, no Tablets, no iPads)
- Intel Core i3 (equivalent or superior) required
- 8GB RAM required, at a minimum
- Wireless network card
- 40 GB free Hard disk space
- If you’re using a new Macbook or Macbook Pro, please bring your dongle-kit (especially for reading USB-A pen drives)
- Linux / Windows / Mac OS X desktop operating systems
- VMWare Player / VMWare Workstation / VMWare Fusion MANDATORY
- Administrator / root access MANDATORY
STUDENTS WILL BE PROVIDED WITH:
Students will be provided with all the lab images used in the class. The ARM IoT Exploit Laboratory uses a “Live Notes” system that provides a running transcript of the instructor’s system to all the students. Our lab environment, plus about 800MB of curated reading material, will be made available to all attendees to take with them and continue learning after the training ends.
Binary Ninja Boot Camp
INSTRUCTOR: Josh Watson
Josh Watson is a Senior Security Engineer with Trail of Bits. An acknowledged Binary Ninja expert, he taught “Binary Ninja Bootcamp” at the Pacific Hackers conference in 2018; after its success, he was invited to offer the course for both HackMiami in 2019 and corporate clients. In his spare time, he hosts a Twitch stream in which he reverse engineers binaries with Binary Ninja for a live audience.
This comprehensive 3-day course will teach novice reverse engineers, as well as those looking to enhance their existing skills, to leverage Binary Ninja’s features to reverse engineer binary applications. Students will review the basics of reverse engineering on the first day, including assembly; local, static, and dynamic variables; function calls; and structures, while also gaining experience in navigating the Binary Ninja interface to perform basic reverse engineering tasks. The second day will be spent diving into the Python API to understand how the previous day’s tasks can be enhanced and automated with snippets of Python. We will also cover both the Low Level IL and Medium Level IL, and why they are superior to native assembly for program analysis. Finally, on the third day, students will work to extend the Binary Ninja interface by writing custom plugins to automate repeatable tasks and analyses. At the end of the course, students will not only be able to reverse engineer binary software without source, but also create reusable tools to aid them in their reverse engineering.
- A walk-through of the UI and the different views
- Introduction to automating Binary Ninja with the Python API
- Low Level and Medium Level IL, and why it is better for automated analysis
- Building automation tools on top of both LLIL and MLIL
- Advanced analysis with the ILs’ SSA forms
- Automating string deobfuscation using the Medium Level IL
- Custom Transforms, and how to automate binary encoding/decoding
- Extending Binary Ninja’s functionality with PluginCommands
- Building better plugins with BackgroundTasks and analysis callbacks
- Automating structure recovery to speed up reverse engineering
- Automating bug hunting and exploit generation
- Writing shellcode in C with the shellcode compiler
PREREQUISITES AND TECHNICAL REQUIREMENTS
Students are required to bring a laptop with both Binary Ninja (Personal or Commercial, not Demo) and VMware Workstation/Fusion installed. Some experience with Python and C is necessary; knowledge of C++ or assembly is useful but not strictly necessary.
Hacking and Securing Cloud Infrastructure
INSTRUCTOR: Anthony Webb
Anthony Webb has been a committed tech geek ever since first learning to code on a BBC Micro at around 6 years old. He has worked in IT security specifically for the past 5 years, specializing in both traditional and Cloud infrastructure and is a Principle Senior Consultant at NotSoSecure. Anthony currently holds industry recognised accreditations including CREST CRT and OSCP as well as a number of Amazon Web Services certifications. He is also a trainer for NotSoSecure’s Advanced Infrastructure Hacking
(AIH) class, which he delivers both to classroom-style audiences and large conferences such as Black Hat.
Anthony Webb has previously spoken at :
Black Hat USA Vegas / EU London / Asia Singapore / Trainings Chicago
CheckPoint CPX 360 USA Vegas / EU Vienna
Brand new for 2019, this 3-day course cuts through the mystery of Cloud Services (including AWS, Azure and G-Cloud) to uncover the vulnerabilities that lie beneath. We will cover a number of popular services and delve into both what makes them different, and what makes them the same, as compared to hacking and securing a traditional network infrastructure.
Whether you are an Architect, Developer, Pentester, Security or DevOps Engineer, or anyone with a need to understand and manage vulnerabilities in a Cloud environment, understanding relevant hacking techniques, and how to protect yourself from them, is critical. This course covers both the theory a well as a number of modern techniques that may be used to compromise various Cloud services and infrastructure.
Prior pentest / security experience is not a strict requirement, however, some knowledge of Cloud Services and a familiarity with common Unix command line syntax will be beneficial.
- Introduction to Cloud Computing
- Why cloud matters
- How cloud security differs from conventional security
- Types of cloud services
- Legalities around attacking / pentesting cloud services.
- Understanding the Attack Surfaces of various Cloud offerings, such as IaaS, PaaS, SaaS, FaaS
- Exploiting serverless applications
- Owning cloud machines
- Attacking cloud services such as storage service or database services
- Examples and case studies of various cloud hacks
- Privilege escalation (horizontal and vertical) and pivoting techniques in cloud
- Obtaining persistence in cloud
- Exploiting dormant assets : Id’s, services, resources groups, security groups or more
- Cloud Infrastructure Defence
- Monitoring and logging
- Auditing Cloud Infrastructure (Manual and automated approach)
- Base Images / Golden Image auditing for Virtual Machine / Container Infrastructure
- Preventive measures against cloud attacks
- Host-based Defence
- Using Cloud services to perform defence
- Ending CTF to reinforce the learning
PREREQUISITES AND TECHNICAL REQUIREMENTS
Prior pen test experience is not a strict requirement, however, some knowledge of Cloud Services and a familiarity with common command line syntax will be greatly beneficial.
Students must bring their own laptop and must either be able to launch a Docker Container provided by us, which includes all tools required for the class, or have root/admin access and be comfortable installing command line tools and downloading and building tools from source on GitHub, such as AWS CLI and Nimbostratus and more tools.