
Training classes offered during SyScan'08 Singapore:
| Course Code | Course Title | Instructor | Course Fee |
| --- | --- | --- | --- |
| 07-01 | Securing your Oracle Database from hackers | Alexander Kornbrust | SGD$2,000 |
| 07-02 | Web Application (In) Security | NGS Software | SGD$2,000 |
| 07-03 | Designing a Secured VoIP Network | Hendrik Scholz | SGD$2,000 |
| 07-04 | Practical WiFi (In)Security | Cédric Blancher | SGD$2,000 |
| 07-05 | Penetration Testing VoIP Network | The Grugq | SGD$1,000 |
| 07-06 | Network Storage Security Training | iSEC Partners | SGD$2,000 |
| 07-07 | Building Secure ASP.NET Applications | CORSAIRE | SGD$2,000 |
07-01 - Securing your Oracle Database from hackers
The attendees will learn the latest techniques in Oracle security (finding vulnerabilities, insecure configurations and passwords), how to analyze (custom) PL/SQL applications for vulnerabilities, and how to harden Oracle databases. Common attack techniques (Oracle rootkits and backdoors, Oracle Client attacks) and the appropriate countermeasures are also part of this training.
Pre-requisite:
Students should have at least a basic knowledge of the Oracle database.
Class Outline:
Day 1
• Introduction
• Oracle Basics (Oracle Architecture, Oracle Products, Oracle Features)
• Passwords
• SQL-Injection (Database, Web, C/S)
• Hacking mod_plsql
• Google Hacking for Oracle Techniques
• Hardening Oracle Databases
• Hardening Oracle 10g R2
• Checking databases with Repscan
Day 2
• PL/SQL Programming Basics (Execute programs, read/write files)
• PL/SQL-Source-Code Analysis
• Oracle Client attacks
• IDS Evasion
• Oracle Encryption
• Oracle Rootkits & Backdoors
Instructor:
ALEXANDER KORNBRUST
Alexander Kornbrust is the founder of Red-Database-Security GmbH, a company specialised in Oracle security.
He is responsible for Oracle security audits and Oracle Antihacker training. Before that he worked for several years for Oracle Germany, Oracle Switzerland and IBM Global Services as a consultant. He has been working with Oracle products as a DBA and developer since 1992.
During the last 6 years he has found over 200 security bugs in various Oracle products such as the database or application server.
07-02 - WEB APPLICATION (IN)SECURITY
NGS performs penetration tests against some of the most high-profile sites on the internet, and has published the seminal papers in SQL Injection, Oracle Application Server, and many advisories on Web Application Software. This course will demonstrate the full NGS methodology for finding vulnerabilities in web applications, sharing techniques, tools, tips and tricks, and revealing the breakdown of vulnerabilities found on assessment by NGS.
With much of Web Application security now common knowledge, NGS pushes this subject to its new limits, sharing the techniques which make the difference between most methodologies and a deep hack. As well as the conventional attacks covered in this field, delegates will be able to try their hand at some more unique, in-depth attacks:
• Exploiting Cross Site Scripting to log keystrokes, port scan the victim’s computer and network, and execute custom payloads
• Exploiting SQL Injection by bypassing filters, using second-order attacks, chaining queries and fully blind exploitation, using techniques from NGS’ papers as well as some newer ones from the NGS research labs.
• Exploiting LDAP Injection and Command Injection.
• Reverse engineering ActiveX and Java applets to bypass client controls (similar to those currently found in online games)
• See how Authentication and Authorisation are commonly broken
• View the common logic flaws found in web applications, and how these can be exploited with examples.
The course is backed up by a comprehensive manual covering vulnerabilities, hacking methodology, and corresponding security advice. NGS will provide a toolset for delegates in all of the demonstrations, and move on from labs to a final web application where delegates participate in a “capture the flag” contest.
Pre-requisite:
The ideal delegate will have some familiarity with web application security, being familiar with terms such as Cross Site Scripting and SQL Injection even if they haven’t had the chance to exploit these fully. This course has a heavy lab content, so familiarity with common web application tools and vulnerabilities is required for full appreciation of the course. Understanding of programming languages (especially PHP, ASP and ASP.NET) preferred.
Class Outline:
COURSE INTRODUCTION
• Course Abstract
• Course Objectives
• Course Instructors
• Course Delegates
• Course Domestics & Timetable
AN INTRODUCTION TO WEB APPLICATIONS
• The Advantages of a Web Application
• Common Uses and Configurations
• The Core Security Issue
APPLICATION STRUCTURE
• Sample Application Overview
• Input Validation
• Authentication
• Session Checking
• Privilege Management
• Administration
• Auditing and Logging
• Error Handling
TECHNOLOGIES
• J2EE
• ASP.Net
• PHP
MAPPING THE APPLICATION
• Profiling
• Determining Technologies in Use
• Dissecting a Request
• Learning the Behaviour of the Application
• Content discovery
BYPASSING CLIENT CONTROLS
• Bypassing HTML Controls
• JavaScript and VbScript
• Java
• ActiveX
• Securing Client-Side Content
AUTHENTICATION VULNERABILITIES
• Design flaws in authentication mechanisms
• Implementation flaws in authentication
• Securing authentication
VULNERABLE SESSION MANAGEMENT
• Background to session management
• Weaknesses in session token generation
• Weaknesses in session token handling
• Securing session management
BROKEN ACCESS CONTROLS
• Common vulnerabilities
• Attacking access controls
• Securing access controls
VULNERABILITIES - INJECTION
• Interpreted Languages
• SQL Injection
• LDAP Injection
• Command Injection
• XML Injection
VULNERABILITIES - LOGIC FLAWS
• Forced Browsing
• Case Study 1: Registration Bug
• Case Study 2: AOL Password Handling
• Case Study 3: Multi-Stage Login
• Case Study 4: The Memorable Word Bypass
• Case Study 5: Text Searches
• Case Study 6: Race Condition During Authentication
• Beating a Business Limit
PATH TRAVERSAL
• Common vulnerabilities
• Detecting and exploiting path traversal vulnerabilities
• Avoiding path traversal vulnerabilities
INFORMATION DISCLOSURE
• Common vulnerabilities
• Preventing information leakage
• Google Hacking
ATTACKING OTHER USERS
• Cross-Site Scripting
• Redirection attacks
• HTTP header injection
• Frame injection
• Cross-site request forgery (XSRF)
• Session fixation
• Attacking ActiveX controls
• Advanced exploitation techniques
CLASSIC VULNERABILITIES
• Classic vulnerabilities in web applications
• Buffer overflows
• Integer vulnerabilities
• Format String Bugs
FLAWS IN WEB APPLICATION ARCHITECTURE
• The Tiered Architecture
• Shared Hosting Environments
• Application Service Providers (ASPs)
• Third Party Systems
WEB SERVER FLAWS
• (Mis)Configuration
• Web Server Vulnerabilities
• Oracle Application Server
A WEB APPLICATION ASSESSMENT TOOLKIT
• Web Browsers
• Site Spiders
• Vulnerability Scanners
• Local Proxies
• Brute Forcing Tools
• Custom Toolkits
• Programming for Pentesters
BRUTE FORCING TECHNIQUES
• Targets for Brute Forcing
• Performing a brute force attack
SECURITY DEVICES
• Module Overview
• Intrusion Detection
• Application Firewalls
IDENTIFYING VULNERABILITIES IN SOURCE CODE
• Approaches to code review
• Signatures of common vulnerabilities
• Java
• ASP.NET
• PHP
• Perl
• SQL
Instructors:
MARCUS PINTO
Principal Information Security Consultant, NGSS
WADE ALCORN
Principal Information Security Consultant, NGSS
07-03 - DESIGNING A SECURED VOIP
The purpose of this course is to provide in-depth information on how to set up a stable and secure VoIP network based on the common SIP protocol. Rather than taking a blackhat approach and attacking preexisting infrastructure, participants will learn how to design a VoIP network from the ground up with security in mind. Application scenarios and pitfalls will be shown. One of the goals is to provide students with a set of powerful tools to further analyze, tune and test their installations.
Pre-requisite:
Participants will learn how to debug SIP signalling, but basic SIP knowledge, i.e. common call scenarios (call flows) and error codes, is a strong plus for understanding the course. A good primer can be found at http://old.iptel.org/sip/siptutorial.pdf.
Students will be provided with a qemu image (Open Source VMware-Clone, http://www.qemu.org) to run hands-on tasks on. Administrative access to the laptop is needed in order to properly run qemu.
Class Outline:
1. VoIP Network Design
   1. SIP Infrastructure Components
      1. SIP Proxies, REGISTRARs, Gateways
      2. CPEs (End User Devices)
      3. Media Gateways
      4. Application Servers (i.e. Asterisk for Voicemail, Click-to-Dial, ...)
      5. Accounting/Billing
      6. Lawful Interception
   2. IP Multimedia Subsystem (IMS)
   3. Network Design
      1. Sizing guidelines
      2. Impact of Security on design
2. SIP Server Setup
   1. SIP Express Router (SER) Configuration (in-depth, hands-on)
   2. Participants will install their own SIP proxy
3. Choosing End Devices wisely
   1. Debugging End User Devices
4. SIP Peering/Transit
   1. Hands-on peering between participants
   2. Trust Domains
5. Encryption
   1. Signalling: TLS, DTLS
   2. Media: SRTP, ZRTP
6. SIP testing tools
   1. How to automate tests (in-depth, hands-on)
7. SIP Attacks and Countermeasures
   1. Hands-on SIP attack writing
   2. Hands-on Defense
   3. Attack Detection
8. Non-SIP Protocols
   1. MGCP/SS7
9. Legal Issues around the VoIP Universe
Instructor:
HENDRIK SCHOLZ
Hendrik Scholz is a VoIP developer and systems engineer at Freenet Cityline GmbH in Kiel, Germany. He joined Freenet more than two years ago after studying and working around the world in Australia and the United States. He has spent of his time working in the security and network field around Linux and *BSD. Nowadays the average work day consists of a healthy mix of design, development and debugging of SIP-based infrastructure equipment. Having access to all sorts of VoIP devices, hacking on those became a spare-time passion, as did hacking the SIP Express Router. Hendrik is also a regular speaker and attendee at security conferences around the globe (i.e. CanSecWest, Black Hat, Syscan, CCC). Slides from previous presentations are available at: http://www.wormulon.net/publications
07-04 - PRACTICAL WIFI (IN)SECURITY
This training aims to deliver a complete WiFi security overview from both the attacker's and the administrator's point of view. It provides intensive hands-on sessions.
Class Outline:
Day 1
• 802.11 introduction
• Physical consideration
• Frame format
• Basis and functionalities
• 802.11 Insecurity
• Intrinsic flaws
• Jamming
• Enumeration/identification (wardriving)
• Management traffic injection + HANDS-ON
• RogueAPs
• WEP
• Crypto/RC4 reminder
• WEP data encryption and authentication
• WEP flaws identification
• WEP flaws exploitation and cracking + HANDS-ON
• Traffic injection based attacks
• Open & WEP infrastructure abuse
• Captive portal bypass + HANDS-ON
• Clients attacks and isolation bypass + HANDS-ON
• Ad hoc mesh networks attacks
Day 2
• 802.11 Exploits Quick Development
• Requirements
• Wifitap source code study
• Case study and exploit development
• 802.11 Security
• Flaws to address identification
• Solutions
• 802.1x and EAP
• WPA
• 802.11i/WPA2
• Configuration guidelines
• WPA/WPA2 support for AP, adapters and OS
• Tricks : PSK vs. EAP, WPA vs. WPA2, TKIP vs. AES
• Architecture thoughts
• Conclusions
• Kiss and goodbye :)
Instructor:
Cedric Blancher
Cédric has spent the last 6 years working in the network and Unix systems security field, performing audits and penetration tests. In 2004, he joined EADS Corporate Research Center in France to carry out R&D in the network security field, including wireless links. He is an active member of the Rstack team and the French Honeynet Project, with studies on honeynet containment, honeypot farms and network traffic analysis. He has been specializing in WiFi security, with technical presentations (SyScAN, SSTIC, Cansecwest, Recon, Pacsec etc.), articles (MISC, etc.) and trainings (Eusecwest/core06, Cansecwest/core06, Syscan'06, Pacsec/core06).
Specifically regarding WiFi security, Cédric has authored two articles for MISC, the leading French IT security magazine:
• Attacks against 802.11 networks (MISC issue #6)
• WPA/802.11i aspects (MISC issue #12)
He also authored 10 other articles for MISC and Linux Magazine France, most of them related to network security:
• Playing with ARP (MISC issue #3), see http://www.arp-sk.org/
• Netfilter in depth (Linux Magazine SI #12)
• Personal firewalls principles (Linux Magazine SI #13)
• Network discovery techniques (MISC issue #9)
• Linux kernel patching (Linux Magazine SI #16)
• Linux network capabilities (Linux Magazine SI #17)
• EAP authentication (MISC issue #11)
• Layer 2 filtering (MISC issue #13)
• Web and email clients protection (MISC issue #17)
• Anonymization (MISC issue #18)
07-05 - PENETRATION TESTING VOIP NETWORK
Conducting security assessments of VoIP platforms is frustrating without the right tools. During this course, you will learn how to utilize the Tactical VoIP toolkit effectively for VoIP penetration tests. You will also learn how to extend the core toolset to create custom attack scripts to better exploit unique environments.
This will be a 1-day class and will be conducted on 4th July 2007.
Instructor:
THE GRUGQ
07-06 - NETWORK STORAGE SECURITY TRAINING
The storage security class targets storage or security professionals interested in learning more about the security weaknesses in storage networks (SANs and NAS). The training course will analyze storage security concerns, perform attacks on storage networks, and show students how to secure their storage environment.
Class Outline:
Day 1:
Storage Analysis
• Authentication
- CHAP, DH-CHAP, None
• Authorization
- WWN, iQNs, UID/GID, SIDs
• Encryption
• Denial of Service
- Data Destruction and unavailability
• Protocol Analysis
- Fibre Channel, iSCSI, CIFS/NFS
Storage Attacks (Part I)
• iSCSI SANs
- CHAP Attacks
- iQN Spoofing (Authorization Bypass)
- SNS Man-in-the-Middle
- iGroup/Domain and Zone Hopping
Day 2:
Storage Attacks (Part II)
• NAS
- Enumeration
- Authentication Attacks
- CIFS File Permission bypass
• Fibre Channel SANs
- WWN Spoofing
- Zone Hopping
- DH-CHAP Attacks
- LUN Masking Bypass
Securing Storage
• NAS Devices (NetApp Filers)
• Fibre Channel Switches
• iSNS Servers
• iSCSI/Fibre Channel Storage Controllers
• CIFS/NFS clients
Instructor:
ISEC PARTNERS
iSEC Partners, LLC is an information security firm that specializes in application, network, host, and product security. iSEC training courses are specialized classes designed to instruct individuals on security testing and defenses. Attack classes, techniques, mitigation procedures and secure guidelines are the primary focus of iSEC Partners’ training curriculum.
07-07 - BUILDING SECURE ASP.NET APPLICATIONS
Courses provide a valuable insight into how attackers target applications, expose the pitfalls of web application design and provide practical solutions to prevent web based attacks. Delegates learn how to create secure web applications, how to identify common security vulnerabilities, and how to test their applications for weaknesses.
Pre-requisite:
A working knowledge of web application design and implementation, and some basic familiarity with Visual Studio is required.
Class Outline:
Day 1:
Introduction
• Why we need secure web applications
• Legal and policy requirements
The OWASP Web Application Vulnerabilities
• Explaining the Top 10
Threat Modeling Web Applications
• What is threat modeling and why should you use it?
• Finding vulnerabilities
• Using STRIDE and SRS during development
User Management
• Secure registration methods
• Password management
• Account management (including lockout)
• Password complexity and expiration design
• Correct methods to authenticate users
Authentication
• Designing a secure authentication scheme
• ASP.NET or J2EE impersonation
• Available methods of authentication
• Identity flow
• Login pitfalls and solutions
• Exposing credentials
Authorisation
• Examples of authorisation weaknesses
• Choosing the correct authentication mechanism
• Designing an access control matrix
• Leveraging ASP.NET or J2EE built-in functions
Day 2:
Session Management
• Problems with session management
• Attacks on session management functions
• What constitutes secure session management
• Generating a secure session ID
• Storing the session ID
• Available options present in ASP.NET or J2EE
• Dangers of storing state client-side
Data Validation
• Common data validation attacks
• Dangers of poorly validated code
• Creating trust boundaries between components/apps
• Deep validation
• Character encoding techniques and solutions
• Available validation routines in ASP.NET or J2EE
• Preventing validation attacks
Cryptography
• Using HTTPS and SSL
• Key storage and generation
• ASP.NET or J2EE crypto functions
Error Handling & Event Logging
• Correct method for handling application errors
• ASP.NET or J2EE error handling functions
• Why event logging is important
• What should be logged and when
Web Application Penetration Test
• Thinking like an attacker
• Performing web application penetration tests
• Understanding the vulnerabilities
• Applying a risk threat guide to vulnerabilities
Instructor:
CORSAIRE











