
Training classes offered during SyScan'10 Singapore:

| Course Code | Course Title | Trainer | Early Bird (By 30 April 2010) | Regular Fee |
|---|---|---|---|---|
| SyScan_10_01 | Windows Exploitation 101 | Brett Moore | SGD$2,000 | SGD$2,500 |
| SyScan_10_02 | Web Application (In)Security | Wade Alcorn | SGD$2,000 | SGD$2,500 |
| SyScan_10_03 | Advanced PHP Auditing at Source and Bytecode level | Stefan Esser | SGD$2,000 | SGD$2,500 |
| SyScan_10_04 | Building Secure Wireless Network | Cedric Blancher | SGD$2,000 | SGD$2,500 |
| SyScan_10_05 | Web Application Security - Threats and Countermeasures | Sheeraj Shah | SGD$2,000 | SGD$2,500 |
| SyScan_10_06 | Attacking and Securing IPv6 Infrastructure | Van Hauser | SGD$2,000 | SGD$2,500 |
| SyScan_10_07 | The Black Art of Blackberry Surveillance | Sheran Gunasekera | SGD$2,000 | SGD$2,500 |

SyScan_10_01 - Windows Exploitation 101

This is a hands-on course that teaches the basics of Windows stack and heap exploitation techniques for Windows 2000, Windows XP, and Windows 2003. The course covers a detailed analysis and explanation of Windows shellcodes and how they function, as well as step-by-step walkthroughs of multiple exploit examples. These examples will include file-based, network-based, and browser-based exploits. By the end of the session, attendees will be able to understand how exploits work, use a debugger to analyse an exploitable scenario, and write exploits for Windows 2K, XP and 2k3. This will include stack and heap exploits and bypassing DEP.

Requirements:

A laptop or suitable desktop that can load up a few Virtual Machines using vmplayer (or equivalent)

Prerequisites:

A laptop or suitable desktop that can load up a few Virtual Machines using vmplayer (or equivalent)

Instructor:

Brett Moore
Having conducted vulnerability assessments, network reviews, and penetration tests for the majority of the large companies in New Zealand, Insomnia founder Brett Moore brings with him over eight years' experience in information security. During this time, Brett has also worked with companies such as Sun Microsystems, Skype Limited and Microsoft Corporation by reporting and helping to fix security vulnerabilities in their products.

Brett has released numerous whitepapers and technical postings related to security issues and has spoken at security conferences both locally and overseas, including BlackHat, Defcon, Ruxcon, and the invitation-only Microsoft internal security conference called BlueHat.

SyScan_10_02 - Web Application (In)Security

This is a cutting-edge, hands-on course aimed at hackers who want to exploit web applications, and developers who want to know how to defend them. The course is presented by the authors of the critically-acclaimed Web Application Hacker's Handbook, and covers the entire process of hacking a web application, from initial mapping and analysis, probing for common vulnerabilities, through to advanced exploitation techniques.

Even the most capable hackers will be challenged and find plenty to take away. We will also demonstrate the very latest hacking techniques developed over the past year.

Some highlights include:
• Exploiting SQL injection using second-order attacks, filter bypasses, query chaining and fully blind exploitation
• Breaking authentication and access control mechanisms
• Reverse engineering Java, Flash and Silverlight to bypass client-side controls
• Exploiting cross-site scripting to log keystrokes, port scan the victim's computer and network, and execute custom payloads
• Exploiting LDAP, XPath and command injection; and
• Uncovering common logic flaws found in web applications.

The course concludes with a catch-the-flag contest. Attendees are expected to be familiar with core web technologies like HTTP and JavaScript.

Course Length:

Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.

What to bring:

Basic networking knowledge required. Understanding of programming languages (especially PHP, ASP and ASP.NET) preferred.

Participants are requested to bring their own laptops. No particular OS is required, but Windows, Linux or Mac is recommended.

Instructor:

Wade Alcorn
Wade Alcorn has experience in numerous aspects of offensive information security assessments. This ranges from Bluetooth, reverse engineering and web application assessments to managing large teams of security professionals. Prior to joining NGS, Wade had been responsible for cutting-edge PKI and VPN development using technologies including C/C++ and Java. He has presented at conferences including BlackHat and AusCERT.

Wade has received acclaim for publishing leading research papers and discovering vulnerabilities in numerous software products. He is the creator of the popular open source security tool BeEF (Browser Exploitation Framework).

SyScan_10_03 - Advanced PHP Auditing at Source and Bytecode level

This course will teach students advanced methods and techniques for PHP application audits at source code and bytecode level. The students will get to know the most common PHP security problems and how to find them at both levels. Throughout the course, several free and open source software tools will be introduced and used to visualize application structure, to find security problems with static and dynamic analysis at source code and bytecode level, and to break PHP bytecode encryption.

Student Pre-requisite:

Ability to read, understand and develop PHP code.

Software Requirement:

Required software will be delivered in the form of a VMware Ubuntu Linux installation.

Hardware Requirement:

Laptop Computer

Course Outline:

Source Code Auditing
--------------------
Introduction to PHP Source Code Audits
 • What to look for
 • How to look for it

Common and lesser known Vulnerabilities
 • What they look like
 • How to find them

Visualization Techniques
 • Code Coverage
 • Callgraphs
 • Classgraphs
 • Function Traces

Static vs. Dynamic Analysis

Tools
 • Grep + regular expressions
 • Xdebug
 • Bytesuite
 • Dot / yEd

Bytecode Level Auditing
-----------------------

Introduction to the Zend Engine

Instruction Set of the Zend Engine/PHP Bytecode
 • Important PHP Bytecode instructions
 • How PHP Vulnerabilities look at Bytecode Level

PHP Bytecode Visualization
 • Code Coverage at Bytecode level
 • Callgraphs
 • Code Flow Graphs
 • Classgraphs

PHP Bytecode Encryptors
 • How they work
 • Weaknesses
 • Decryption

PHP Bytecode Decompilation

Static and Dynamic Analysis
 • Collecting variable types
 • PHP Tainted Mode
 • Data flow analysis

Tools
 • Dot / yEd
 • Xdebug
 • Vld
 • Bytekit
 • Bytesuite
 • PHPDecompiler

Instructor:

Stefan Esser
Stefan Esser is best known in the security community as the PHP security guy. Since he became a PHP core developer in 2002, he has devoted a lot of time to PHP and PHP application vulnerability research. However, in his early days he released lots of advisories about vulnerabilities in software like CVS, Samba, OpenBSD or Internet Explorer. In 2003 he was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he has worked as head of research and development for the German web application company SektionEins GmbH, which he co-founded.

SyScan_10_04 - Building Secure Wireless Network

Wireless LANs are now widely deployed and have often introduced an explosion of security issues and unique vulnerabilities. Despite the current state of the art in wireless security, many Wi-Fi networks still appear not to be properly secured. Intended for both network administrators and auditors, this training will bring them up to date with state-of-the-art Wi-Fi security technologies, providing detailed background and practical hands-on exercises. At the end of this course, they will be able to integrate secure wireless environments into their existing infrastructure, and assess and maintain their security level.

Pre-requisite:

 • Ethernet and TCP/IP knowledge, and experience
 • 802.11 experience is a plus

This training features practical exercises that need specific prerequisites. In order to get the most out of them, students will need a laptop running the Backtrack v2 Stable Release live CDROM[1] properly[2], with an injection-capable wireless adapter[3] (Atheros-based adapter strongly advised).
 • [1] http://www.remote-exploit.org/backtrack.html
 • [2] http://backtrack.offensive-security.com/index.php?title=HCL:Laptops
 • [3] http://backtrack.offensive-security.com/index.php?title=HCL:Wireless

Class Outline:

 • Quick Wi-Fi basics wrap-up
 • Wi-Fi networks security assessment
 • Wi-Fi security consideration through examples
 • Wi-Fi networks enumeration techniques and tools
 • Wi-Fi weaknesses
 • Intrinsic weaknesses
 • Bypassing basic security features
 • WEP flaws and cracking techniques
 • Applied malicious traffic injection
 • Wi-Fi stations exposure
 • Wireless networks assessment methodology
 • From discovery to security evaluation
 • Building secure Wi-Fi networks
 • Wi-Fi security features
 • 802.1x authentication
 • Wi-Fi Protected Access
 • IEEE 802.11i/WPA2
 • Wi-Fi Protected Setup
 • Integrating Wi-Fi within existing infrastructures
 • Possible interactions
 • Use cases study
 • Roadmap and key points

Instructor:

Cedric Blancher
Cedric has been working for 7 years in the network security field, performing audits and penetration tests. In 2004, he joined EADS Innovation Works and now runs the Computer Security Research Lab in Suresnes, France. His research focuses on network security and on the security of wireless links and protocols, Wi-Fi in particular. He is an active member of the Rstack team and the French Honeynet Project, with studies on honeynet containment, honeypot farms and network traffic analysis. He has delivered technical presentations and trainings worldwide, written papers and articles on network security, and wrote the Wi-Fi traffic injection tool Wifitap. Cedric's website: http://sid.rstack.org/

SyScan_10_05 - Web Application Security - Threats and Countermeasures

The introduction and adoption of new technologies like Ajax, Rich Internet Applications and Web Services has changed the dimension of application hacking. We are witnessing new ways of hacking web-based applications, and securing applications requires a better understanding of these technologies. The only constant in this space is change. In this dynamically changing scenario in the era of Web 2.0, it is important to understand the new threats that emerge in order to build constructive strategies to protect corporate application assets. Application layers are evolving and a lot of client-side attack vectors are on the rise, like Ajax-based XSS, CSRF, widget injections, RSS exploits, mashup manipulations and client-side logic exploitation. At the same time, various new attack vectors are evolving around SOA by attacking SOAP, XML-RPC and REST. It is time to understand these advanced attack vectors and defense strategies.

The course is designed by the author of "Web Hacking: Attacks and Defense", "Hacking Web Services" and "Web 2.0 Security - Defending Ajax, RIA and SOA", bringing his experience in application security and research into the curriculum to address new challenges. Application Security is a hands-on class. The class features real-life cases, hands-on exercises, new scanning tools and defense mechanisms. Participants will be methodically exposed to various attack vectors and exploits. In the class, the instructor will explain new tools like wsScanner, scanweb2.0, AppMap, AppCodeScan etc. for better pen-testing and application audits.

Target Audience:

Security Managers, Security Consultants and Auditors, Administrators, Developers, QA team and Code reviewers

Hands-on:

All concepts taught in this class are punctuated with hands-on exercises based on situations observed in real life. The class ends with a challenge exercise. Working within a limited time period, participants are expected to analyze the code, identify loopholes, exploit vulnerabilities present in the applications and suggest appropriate defense strategies.

Application Security Fundamentals and Principles - The evolution of applications, threats to an application, application security trends, the spectrum of application security attacks

Application Components and Protocols - Understanding multi-layered application architecture, programming languages used in applications – J2EE, .NET, PHP, etc., inside HTTP, HTML forms and browser interaction, introduction to tools useful for testing applications, Web Server configuration, web server vulnerabilities, fingerprinting web servers and application servers, security controls pertaining to web servers and their deployment

Application Footprinting, discovery and profiling applications - Host and Domain discovery, discovering web applications and interfaces, discovering the functional structure of applications – the hacker's viewpoint, Advanced techniques, Discovering Web services and Web applications, Profiling Web services and applications, Ajax fingerprinting, Profiling Ajax applications and Server-side entry point detection

Application Attack Vectors - Mapping assets to attacks, sifting through HTML source, forcing application layer errors, information leakage through error messages, source code disclosure, input tampering and input validation attacks, SQL injection and attacks on the database, injecting malicious code and remote command exec, accessing the underlying file system, brute forcing HTTP authentication, Brute Forcing HTML form authentication, Session Hijacking, Cross Site Scripting (XSS) attacks, Cross Site Request Forgery (XSRF) attacks

Threat Modeling - Threat analysis, Architecture review, Technologies and Source Code, Threat matrix, Security controls for code, Design analysis and review

Assessment methods - Blackbox, Whitebox, analyzing configuration and deployment issues, Reconnaissance and Vulnerability Assessment, Fingerprinting Web servers and Architectures, Defense strategies - Minimizing the window of opportunity, Leveraging Web mashups and search APIs

Application Attack countermeasures - Security by design, The importance of application security controls in the software development life cycle, Secure coding practices, Protecting data at rest and data in transit, Client side security

An Introduction to Advanced Application Architectures - Refreshing classic application security threats and vulnerabilities, Evolution of application architectures, Web services, SOAP and AJAX, Security model for next generation application architectures, Web Services and SOAP, XML-RPC, AJAX enriched clients, New tools and techniques for attacking advanced application architectures

Advanced Web attacks - XPATH injection, XML and Schema poisoning, Blind SQL injection, XSS proxy attacks, Browser hijacking, Intranet scanning, Javascript exploitation

Whitebox Analysis - Entry points detection, Tracing and Digging, Function and Component dissecting, Threat and Impact analysis

Securing Code & Defense - Fundamentals, Controls and Strategies, Input validations, Error handling, Session hardening, Logs and Tracing, Traps for hackers, Assembly hardening, Guarding application code, Fundamentals, Controls and Strategies

XML and Web Services - SOAP, XML-RPC and REST-based attacks and security.

Web Fuzzing & Exploits - Web application entry points, the art of fault injection, Exploit framework – Metasploit, Exploiting SQL injection points, Building exploits and launching them effectively

Client side coding - Ajax and JavaScript analysis, Flash based application reviews and Browser security.

Instructor:

Sheeraj Shah
B.E., MSCS, MBA, is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in the security space. He is also the author of popular books like Web 2.0 Security (Thomson 07), Hacking Web Services (Thomson 06) and Web Hacking: Attacks and Defense (Addison-Wesley 03). In addition, he has published several advisories, tools, and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan, ISACA etc. His articles are regularly published on Securityfocus, InformIT, DevX, O'Reilly and HNS. He has been quoted as an expert by BBC, Dark Reading and Bank Technology.

SyScan_10_06 - Attacking and Securing IPv6 Infrastructure

Today IPv6 is available on every desktop and every server, as all operating systems since Windows XP and Linux Kernel 2.2 support IPv6. Hosting providers start to offer IPv6 addresses and networking. IPv6 is already available in corporations, e.g. all major mobile providers already support it on their backbone.

This training explains IPv6, concentrating on the security vulnerabilities inherent in the protocol. All vulnerabilities known so far are presented, and students will be able to try them all out themselves with supplied tools. Switching sides, the training then explains how to secure IPv6 systems (Windows, Solaris, Linux) and especially large networks, including routing, and how to solve the difficult firewalling questions which arise with IPv6. New advances like SEND, new DHCP6 developments and ISATAP etc. are included.

Student Prerequisite:

Trainees must have basic knowledge in Linux, TCP/IP and IT security - the more the better.

Software Requirements:

Trainees should have a Laptop with WLAN and Linux (2.6 kernel) installed. If no Linux is available for a trainee, I will provide them with a live boot CD/DVD.

Hardware Requirements:

Internet connection, with a cable connection to my Laptop and a WLAN for the trainees and me.

Course Outline (daily basis):

Day 1
Introduction to IPv6 (the mindset behind IPv6, how does it work, what is different to IPv4, new features)

Vulnerabilities in IPv6 (problems in IP6, problems in ICMP6, mobile IPv6 vulnerabilities, tunnel and migration issues (e.g. 6to4, Teredo, ISATAP))

Hands-on time (scanning local and remote networks, performing various man-in-the-middle attacks based on ICMP6, attacking dual stack systems, mobile IPv6, etc.)

Day 2
Securing IPv6 in systems (Windows, Solaris, Linux)
Firewalling and filtering IPv6 networks
Routing in IPv6 networks
IPSEC in IPv6
Securely migrating to IPv6
DNS and IPv6

Instructor:

Van Hauser
My pseudonym is van Hauser, founder of the Hacker group The Hacker's Choice in 1995, and working as a security professional since 1997.

Tool publications: THC-Scan, hydra, amap, ipv6-attack-toolkit, secure_delete, and many more

Article publications: Attacking the IPv6 Protocol Suite, Anonymizing Unix Systems, Placing Backdoors through Firewalls, How to cover your tracks, and many more

Conference speaking engagements:
 • "Attacking the IPv6 Protocol Suite": Pacsec 2005, Tokyo;
 • CCC Congress 2005, Berlin; Eusecwest 2006, London;
 • Cansecwest 2006, Vancouver;
 • Hack in the Box 2006, Kuala Lumpur;
 • Hack LU 2006, Luxemburg;
 • VNSec 2007, Saigon
 • IDC - Security Conference 2003: "Continuous Measuring of IT security in Corporations"
 • Information Systems Security Society of the Philippines 2003: "Global Intrusion Tracing"
 • Fraunhofer Institute: CAST Forum 2003: "Firewalls and Infrastructures",
 • CAST Forum 2002: "Secure Operating Systems"
 • MiS - Superstrategies 2000, London, "Critical Risks in Unix"
 • Chaos Computer Club Congress 1999, Berlin, "Finding security vulnerabilities in source code"

Additionally numerous training engagements in (Anti-)Hacking, forensic, secure development etc. trainings, always with very high ratings from the attendees.

SyScan_10_07 - The Black Art of Blackberry Surveillance

Little is known about how BlackBerry surveillance works and yet a small number of companies sell their commercial surveillance software to anyone willing to part with a couple of hundred dollars. Whether you are part of an organization that wishes to retain full supervision on your employee smartphone usage habits or are a part of law enforcement looking to fast-track your surveillance activities, knowing exactly how to monitor information on a handheld is invaluable. Given how the convergence of technology has rapidly escalated, handhelds see a significant increase in usage and with it, a large amount of confidential information is stored on them. Because of its dynamic, users typically tend to believe that a smartphone is still a phone and do not pay much attention to the fact that most of the data on a handheld is the same as what is found on the typical office computer. Learning how to monitor this information is the first step in Information Risk Management.

This course is designed by the author of PhoneSnoop, the proof-of-concept phone monitoring software, bringing his experience and knowledge in BlackBerry surveillance and countersurveillance to address this emerging concern for information privacy and data loss prevention. While the software is not inherently malicious, a malicious person may target an unsuspecting user’s BlackBerry and effectively turn the smartphone into a remote “bug” allowing the interception of ambient sounds. This prompted The Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) to issue a warning to all BlackBerry users regarding PhoneSnoop. This course will feature the analysis and workings of PhoneSnoop along with other popular surveillance software. It will also teach students how to develop similar applications for use within their organizations and will provide them with an insight into how common spyware software works.

At the conclusion of the course, the students will be able to develop their own surveillance software for execution on the BlackBerry handheld and will have an in-depth understanding of which BlackBerry APIs are most useful in achieving their goals.

The class will be taught in a hands-on lab style with practical work being done at least 60% of the time. Pre-prepared development environments will be provided to minimize setup time. While in-depth knowledge of Java is not required, students will benefit most if they are already familiar with Java and Object Oriented programming concepts.

Target Audience:

 • Security Consultants
 • Security Software Developers
 • Security & Software Architects
 • Security Administrators

Student Pre-requisites:

 • Laptop is essential
 • Students should have a fundamental understanding of software development concepts
 • Students should have a basic understanding of the Java and Object Oriented programming languages
 • Knowledge of Java Micro Edition or Mobile Development is an advantage

Software Requirements:

For running native:
Windows XP, Vista or 7
Otherwise, a VMWare image containing a pre-prepared development environment will be provided

Hardware Requirements:

For running a VMWare Image:
 • Minimum 1GB of RAM
 • Minimum 5GB free storage space

For running native:
 • Minimum 1GB RAM
 • Minimum 700MB storage space

Course Outline:

Day 1
 • Fundamentals of Mobile Application Development
 • Overview of developing for the BlackBerry smartphone
 • The BlackBerry API
 • Writing your first BlackBerry "Hello World" application
 • Developing your first Client / Server framework
 • Decompilation and Analysis of the "Etisalat Spyware"
 • Things not to do when designing surveillance applications for mobiles
 • Types of data that can be monitored
 • APIs and code to monitor email messages
 • Safely transporting captured data to a remote server

Day 2
 • APIs and code to monitor SMS messages
 • APIs and code to track a GPS equipped phone
 • APIs and code to track call log data
 • Analysis of PhoneSnoop - Remote Bugging Application
 • How to turn the BlackBerry into a remote listening device or "bug"
 • Poor man's phone-taps; how to listen in on a phone conversation
 • Techniques for deploying onto the client handheld
 • Tying in to corporate policy
 • Typical corporate solution architecture
 • Legal implications and admissibility in court

Instructor:

Sheran Gunasekera
Sheran A. Gunasekera is the Founder and Director of Research & Development for ZenConsult Pte. Ltd. Before founding ZenConsult, Sheran was the Principal Consultant for Scanit Middle East in Dubai and Technical Advisor to the ISP services section of Emirates Telecommunications Corporation (ETISALAT) in the UAE. Gunasekera has extensive experience in web application security. He has developed tools and methodologies to improve results of security assessments and has trained consultants based on these methodologies. More recently, he focuses on mobile platforms and conducts research into BlackBerry handheld security. He has spoken at the 2009 Hack In The Box conference in Malaysia where he presented results of his research into BlackBerry lawful interception and spyware. He will also speak at the Troopers 2010 security conference in Germany on the same topic. His work has been quoted in online publications like Wired News, The Register, PC World, CNET News and Dark Reading. He maintains a website for application security, reverse engineering and mobile platform security. He has been credited with discovering security vulnerabilities in commercial applications and has also discovered several critical vulnerabilities in core banking and Internet banking applications from companies like Oracle Financial Services (previously iFlex), Polaris, ebWorx and SilverLake.