
Training classes offered during SyScan'10 Taipei:
| Course Code | Course Title | Instructor | Course Fee (Individual) |
|---|---|---|---|
| SyScan_10_TP_01 | Windows Physical Memory Acquisition And Analysis | Matthieu Suiche | NT$20,000 |
| SyScan_10_TP_02 | Web Application Security - Threats and Countermeasures | Shreeraj Shah | NT$20,000 |
| SyScan_10_TP_03 | Weaponizing PHP Application Exploits | Stefan Esser | NT$20,000 |
| SyScan_10_TP_04 | Java Security | Marc Schoenefeld | NT$20,000 |
SyScan_10_TP_01 - Windows Physical Memory Acquisition And Analysis
In this live incident response and forensics course, students will learn software-based acquisition methods (using free utilities like win32dd and win64dd, and even Windows itself) and the different full memory dump file formats (Microsoft hibernation file, Microsoft crash dump, and raw dump). Students will learn the difference between hardware and software acquisition methods. Building on this, they will learn how to perform advanced analysis of these dumps, such as the hibernation file, using the free Microsoft debugger WinDbg. The analysis part of the training will cover the basics of processor memory management, Windows memory and process management internals, the WinDbg SDK and scripting, and how to retrieve suspicious applications.
Student Prerequisite:
Some scripting basics, and knowing that physical memory is the RAM.
Knowing the difference between user-land and kernel-land.
Knowing Microsoft WinDbg a tiny bit.
Software Requirements:
Windd and the MoonSols Windows Memory Toolkit (Training Edition), provided by the teacher.
Microsoft Windbg
Hexadecimal Editor
Visual Studio C++ (Express or Pro) (optional)
Hardware Requirements:
A laptop (x86 or x64) using Windows as operating system.
Course Outline (daily basis):
Acquisition: The first part (first day) covers how to obtain memory dumps and how acquisition works.
• Description of the main memory dump file formats
• Raw dump
• Full memory crash dump
• Hibernation file
• Usage and internals of the Win32dd and Win64dd utilities.
• Introduction to and usage of the MoonSols memory toolkit (provided by the teacher), illustrating the previous points by converting a Microsoft hibernation file into a Microsoft crash dump loadable by WinDbg.
Analysis: The second part (second day) covers analysis using WinDbg.
• Processor Memory Translation (translation of virtual addresses into physical addresses on both x86 and x64 architectures)
• Windows Memory Manager internals
• Windows Process Manager internals
• Identification of active, hidden and exited processes.
• Dynamic Libraries (Dlls)
• Files, Handles, Objects
• Registry in memory
• Brief introduction to WinDbg SDK and scripting.
Instructor:
Matthieu Suiche
Matthieu Suiche is a security researcher who focuses on reverse code engineering and volatile memory analysis. His previous research and utilities cover the Windows hibernation file, Windows physical memory acquisition (Win32dd/Win64dd) and Mac OS X physical memory analysis.
Matthieu has spoken at various security conferences such as PacSec, BlackHat USA, the EUROPOL High Tech Crime Meeting and Shakacon. Prior to founding MoonSols, a computer security and kernel code consulting and software company, in 2010, Matthieu worked for companies such as E.A.D.S. (European Aeronautic Defence and Space Company) and the Netherlands Forensic Institute of the Dutch Ministry of Justice.
SyScan_10_TP_02 - Web Application Security - Threats and Countermeasures
The introduction and adoption of new technologies like Ajax, Rich Internet Applications and Web Services has changed the dimensions of application hacking. We are witnessing new ways of hacking web-based applications, and securing them requires a better understanding of these technologies. The only constant in this space is change. In this rapidly changing Web 2.0 era it is important to understand the new threats that emerge in order to build constructive strategies to protect corporate application assets. Application layers are evolving and many client-side attack vectors are on the rise, such as Ajax-based XSS, CSRF, widget injections, RSS exploits, mashup manipulations and client-side logic exploitation. At the same time, new attack vectors are evolving around SOA, targeting SOAP, XML-RPC and REST. It is time to understand these advanced attack vectors and the corresponding defense strategies.
The course is designed by the author of "Web Hacking: Attacks and Defense", "Hacking Web Services" and "Web 2.0 Security - Defending Ajax, RIA and SOA", who brings his experience in application security and research into the curriculum to address these new challenges. This is a hands-on class. It features real-life cases, hands-on exercises, new scanning tools and defense mechanisms. Participants are methodically exposed to a range of attack vectors and exploits. In the class the instructor will explain new tools like wsScanner, scanweb2.0, AppMap and AppCodeScan for better pen-testing and application audits.
Target Audience:
Security Managers, Security Consultants and Auditors, Administrators, Developers, QA team and Code reviewers
Hands-on:
All concepts taught in this class are punctuated with hands-on exercises based on situations observed in real life. The class ends with a challenge exercise. Working within a limited time period, participants are expected to analyze the code, identify loopholes, exploit vulnerabilities present in the applications and suggest appropriate defense strategies.
Application Security Fundamentals and Principles - The evolution of applications, threats to an application, application security trends, the spectrum of application security attacks
Application Components and Protocols - Understanding multi-layered application architecture, programming languages used in applications – J2EE, .NET, PHP, etc., inside HTTP, HTML forms and browser interaction, introduction to tools useful for testing applications, Web Server configuration, web server vulnerabilities, fingerprinting web servers and application servers, security controls pertaining to web servers and their deployment
Application Footprinting, discovery and profiling applications - Host and Domain discovery, discovering web applications and interfaces, discovering the functional structure of applications – the hacker's viewpoint, Advanced techniques, Discovering Web services and Web applications, Profiling Web services and applications, Ajax fingerprinting, Profiling Ajax applications and Server-side entry point detection
Application Attack Vectors - Mapping assets to attacks, sifting through HTML source, forcing application layer errors, information leakage through error messages, source code disclosure, input tampering and input validation attacks, SQL injection and attacks on the database, injecting malicious code and remote command exec, accessing the underlying file system, brute forcing HTTP authentication, Brute Forcing HTML form authentication, Session Hijacking, Cross Site Scripting (XSS) attacks, Cross Site Request Forgery (XSRF) attacks
Threat Modeling - Threat analysis, Architecture review, Technologies and Source Code, Threat matrix, Security controls for code, Design analysis and review
Assessment methods - Blackbox, Whitebox, analyzing configuration and deployment issues, Reconnaissance and Vulnerability Assessment, Fingerprinting Web servers and Architectures, Defense strategies - Minimizing the window of opportunity, Leveraging Web mashups and search APIs
Application Attack countermeasures - Security by design, The importance of application security controls in the software development life cycle, Secure coding practices, Protecting data at rest and data in transit, Client side security
An Introduction to Advanced Application Architectures - Refreshing classic application security threats and vulnerabilities, Evolution of application architectures, Web services, SOAP and AJAX, Security model for next generation application architectures, Web Services and SOAP, XML-RPC, AJAX enriched clients, New tools and techniques for attacking advanced application architectures
Advanced Web attacks - XPATH injection, XML and Schema poisoning, Blind SQL injection, XSS proxy attacks, Browser hijacking, Intranet scanning, Javascript exploitation
Whitebox Analysis - Entry points detection, Tracing and Digging, Function and Component dissecting, Threat and Impact analysis
Securing Code & Defense - Fundamentals, Controls and Strategies, Input validation, Error handling, Session hardening, Logs and Tracing, Traps for hackers, Assembly hardening, Guarding application code
XML and Web Services - SOAP, XML-RPC and REST-based attacks and security.
Web Fuzzing & Exploits - Web application entry points, the art of fault injection, Exploit framework – Metasploit, Exploiting SQL injection points, Building exploits and launching them effectively
Client side coding - Ajax and JavaScript analysis, Flash based application reviews and Browser security.
Instructor:
Shreeraj Shah
Shreeraj Shah, B.E., MSCS, MBA, is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was a founder and board member at Net Square. He has also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in the security space. He is the author of popular books including Web 2.0 Security (Thomson 07), Hacking Web Services (Thomson 06) and Web Hacking: Attacks and Defense (Addison-Wesley 03). In addition, he has published several advisories, tools and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan and ISACA. His articles are regularly published on SecurityFocus, InformIT, DevX, O'Reilly and HNS. He has been quoted as an expert by the BBC, Dark Reading and Bank Technology.
SyScan_10_TP_03 - Weaponizing PHP Application Exploits
In this PHP security course, students will learn about PHP application exploitation from the attacker's point of view. The course will teach advanced exploitation techniques which are usually found in weaponized PHP application exploits used for targeted web attacks. Students will learn how to write stealthy weaponized exploits that still work when web application firewalls or other countermeasures are in place. The list of discussed topics includes stealthiness (filter bypass, log evasion), information theft, application backdoors, advanced multi-stage payloads, backchannel communication and local PHP exploits.
While this course mainly concentrates on exploit development, it starts with an introduction that presents a collection of auditing tips and tricks that help to find PHP application vulnerabilities.
Throughout the course, several real-world PHP application vulnerabilities and their exploitation will be discussed. Students will be able to try out working exploits, and will also learn to write their own weaponized exploits as part of the hands-on training that accompanies every topic.
Student Prerequisite:
• Decent PHP knowledge
• Knowledge of C or Python is optional
Hardware / Software Pre-Requisite:
• Own notebook capable of running VMware
• VMware Player, VMware Workstation or VMware Fusion installed, to use the supplied Ubuntu Linux VMware images
Topics:
Finding your own 0-day
• Collection of tips and tricks for auditing PHP applications
Filter-/Detection-Bypass
• Bypassing web application firewalls and intrusion detection systems
• Obfuscating executable PHP code
• Exploiting hard-filtered SQL injections
Local PHP Exploits
• Bypassing common protections
• Stealing interesting information from PHP's own memory
• Taking over the webserver
Logging and Logfiles
• Understanding possible log trails
• How to be more stealthy - keeping the log trail to a minimum
• Cleaning of logfiles
Exploit Staging / Backchannel Communication
• How to download more payload
• How to communicate with the payload
Placing permanent Backdoors in applications
• PHP level backdoors
• Application level backdoors
• Database level backdoors
Targeted payloads to steal specific pieces of information
• Creating application specific payloads
Instructor:
Stefan Esser
Stefan Esser is best known in the security community as the PHP security guy. Since he became a PHP core developer in 2002 he has devoted a lot of time to PHP and PHP application vulnerability research. However, in his early days he released lots of advisories about vulnerabilities in software like CVS, Samba, OpenBSD and Internet Explorer. In 2003 he was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he has worked as head of research and development for the German web application company SektionEins GmbH, which he co-founded.
SyScan_10_TP_04 - Java Security
JEE is known as a framework for building Java business applications. Vulnerabilities in these applications are introduced on the one hand by the framework software itself, and on the other hand, and more commonly, by the application developers. For a complete JEE security audit it is therefore more important to build up the skill to "feel" the attack surface than to simply apply pre-built exploits that only expose framework bugs. This class starts by describing the important parameters that define the attack surface, such as dangerous code patterns, configuration settings and reasonable secure defaults. Examples of real-life vulnerabilities are used to show participants how simple bugs can create holes; we cover both perspectives, the bug and the fix. The curriculum goes on to present and train the use of the tool set needed to spot vulnerable code, with techniques such as code skim reading, binary scanning, reverse engineering and interpreting the hidden security message of harmless-looking heap, thread and stack dumps. The trainer has been involved with the deeper details of Java security for about seven years and has demonstrated the success of the presented method by finding a large range of CVE-relevant vulnerabilities. This class does not require prior knowledge of the Java bytecode set, but a deeper understanding of how JVMs work, mixed with creativity, is very helpful for turning the presented techniques into personal success. The examples and exercises shown in this class cover Apache Tomcat, Apache Geronimo, JBoss and Sun GlassFish.
Prerequisite Knowledge:
• Working knowledge of distributed Java concepts
• No specific OS knowledge required
• Be able to work easily with Java developer tools (command line, Eclipse/NetBeans IDE)
• Understanding of Java (secure) programming and JEE concepts would be a bonus (boosts your mileage)
Student Pre-Requisite:
• Decent Java knowledge
• Bring your own Laptop (C2D or better)
• Install Virtual Box (I'll bring a project image we will work on)
The topics presented are:
• The Java architecture, JVMs and bytecode
• The java security model
• Secure programming in a nutshell
• Java vulnerabilities, how they differ from C-type bugs
• The JEE architecture
• Open holes in JEE, how to spot them
• How to harden a JEE server
• Tools and toys to prepare and conduct JEE pentests
• Writing self-assessment clients
• Short excursion to web security, xss and xsrf, how to spot and prevent in JEE
Individual plus of this training:
In-depth training: the author has a track record of giving Java security talks since 2002 and acquired a PhD on this topic; the author has researched various Java vulnerabilities in recent years; real-life examples.
Remarks:
Training participants also get a signed copy of Marc's book as a free gift: (link)
Instructor:
Marc Schoenefeld
Marc Schoenefeld graduated with a Dr. rer. nat. degree in Computer Science in 2010 with his night-time dissertation on "Security Antipatterns in Distributed Java Components"; during the day he works for Red Hat. Since 2002 he has been a regular speaker at security conferences (Blackhat, SyScan, HITB, RSA and others) and has shown many vendors and open source projects that their software has security holes. Among others he found serious flaws in the JDK, OpenOffice, Tomcat, Apache ODE, Apache JackRabbit, Geronimo, HP SOA Registry, TeX and Pango (highlights of the last 12 months). He is also the author of the undx tool, which transforms Dalvik bytecode back into Java bytecode for reverse engineering purposes (decompilation, static analysis).