WORKSHOPS

Reverse engineering under Windows 10 with malware analysis

by David Baptiste & Plumerault Francois

WORKSHOP OBJECTIVE

Being able to write programs by ourselves is a good thing. But being able to understand how is written one program, made by someone else, is a better thing. For instance, in the case of a malware, it allows us to understand how this one behaves and how we can potentially counter it. In addition, it helps us to understand how the underlying operating system works, the technology used by software, vulnerabilities inside, who can be the author, etc...

At a time where the technology is day after day increasingly diverse and more and more complex, being able to check how it works and understand internals behind the stage has never been as important.

This is the aim of this workshop: give you back the power to master the technology and stop to be mastered by the technology… From operating system internals to malware’s behavior stepping by security and programming consideration (which could lead to vulnerabilities), here is the agenda of the workshop. If you are curious and you have always believed that mysteries in computer science should not stay mysteries and close source software is far to be enough to protect secrets, this workshop should be made for you.

By the end of workshop, participants will be able to:

• Understand assembly language x86 and x64.
• Understand several key components under Windows operating system
• Use IDA software to perform static analysis (and more)
• Use Windbg debugger (new version!) to perform dynamic analysis (and more)
• Have practice about different and real examples on malware and operating system
• Be able to search autonomously something in a program by yourself.

The participants will get the following:

• Several demo samples used for practice
• Slides from the presentation
• Other references to learn more about topics covered in the workshop
• Practice, practice and practice

COURSE CONTENT (it can change, depending to attendee level and interactions during the workshop)

1. General introduction: How program works under operating system
• What a program is?
• How it interacts with operating system?
• How to rule them with simple technics (Sysinternals tools).
• Practice
2. What reverse engineering is about?
• Laws in world about reverse.
• General considerations.
• Static and dynamic analysis.
• Different tools for different purposes.
• Demo & practice.
3. At the end, we all speak assembly.
• Intel assembly language (x86 mainly, x64 about main differences when it matters).
• Most important instructions.
• Different calling conventions.
• Operating system interactions and considerations (under windows).
• Practice: Write your first assembly program.
• Practice: Debug with Windbg.
• Bonus if time: Secure programming and vulnerabilities from weak implementation in software.
4. Operating system internals.
• Presentation of main components under Windows (both user and kernel land).
  • System Architecture
  • Processes and Jobs
  • Threads
  • Memory Management
• Presentation of important changes and security considerations starting from Windows 10.
• Demo: Using reverse engineering to understand how to interact with undocumented functions (and how they work!) under Windows.
• Practice: Do it yourself with IDA.
• Practice: How are corrected flows in software? Differential view between versions.
5. From theory to real world.
• What a malware is?
• How do they work and the different shape they can use (stealth, anti-debug, file-less, lateral movement, etc.)?
• How to protect a software and how to bypass protections for reverse engineering?
• Practice: Analyzing a ransomware.
• Practice: Challenge with a hardened “crack-me” with strong anti-reverse-engineering protections.

PREREQUISITE

1. Hardware:
1. A laptop with enough memory in RAM to be efficient and disk space.
2. Intel or AMD processors (x86 or x64).
2. Software (ideally pre-installed):
1. Windows 10 operating system (downgraded mode with Windows 7).
2. IDA software (free version or a commercial one for a better use).
3. Visual studio community (or others) 2017.
4. Windows Driver Kit for Windows 10.

PARTICIPANTS REQUIREMENTS

There is no real requirement here; basic level in computer science would be enough since we expect that attendees are starting from zero. Nonetheless, in case of doubts:

• With basics in programming (mastering C would be perfect).
• It could be better (but not mandatory) with basic knowledge in assembly or operating system (even if we will do as if you would not have).

WHO SHOULD ATTEND

1. Students in IT and most especially in security.
2. Security and software engineers.
3. Malware analysts.
4. Anyone curious about how operating system and malware analysis is welcome.

WHAT TO EXPECT

1. Get a good knowledge about how things works in Windows and more generally in operating system world.
2. Get practice by reversing software.
3. Get practice by debugging regular software and assembly development.
4. Get practice by performing static and dynamic analysis.
5. Understand the purpose of both static and dynamic analysis.
6. Understand better how tedious bugs in software can lead to real and high consequences.
7. Understand how malware can try to prevent reverse engineering and how to bypass these protections.
8. Good stories and culture about Windows (history, code, architecture, security and internals).
9. Practice, practice and practice… This is the only way to progress in reverse engineering and in IT in general ;-).

WHAT NOT TO EXPECT

1. 1. Disclosure about vulnerabilities not corrected, patents or cracking protection of commercial software. It is not legal in addition not to be moral.
2. 2. Reverse engineering of software written in C# or C++ (it is out of scope even if tools would be presented to proceed if attendee desires to do it). We suppose that software are compiled as if they would have been written in C.

SPEAKERS

Attacking & Auditing Docker Containers

by Madhu Akula

WORKSHOP ABSTRACT

Developers and Operations teams (DevOps) have moved towards containers and modern technologies. Attackers are catching up with these technologies and finding security flaws in them. In this workshop, we will look at how we can test for security issues and vulnerabilities in Dockerised environments. Throughout the workshop we will learn how we can find security misconfigurations, insecure defaults and container escape techniques to gain access to host operating system (or) clusters. In the workshop, we will look at real world scenarios where attackers compromised containers to gain the access to applications, data and other assets.

By the end of workshop participants will be able to:

• Understand Docker security architecture
• Audit containerised environments
• Perform container escapes to get access to host environments

The participants will get the following:

• A Gitbook(pdf, epub, mobi) with complete workshop content
• Virtual machines to learn & practice
• Other references to learn more about topics covered in the workshop

COURSE CONTENT (ToC)

1. Introduction to docker (Quick Primer)
   1. Why & What is Docker
   2. Docker commands
   3. Docker components & concepts
2. Understanding docker architecture
   1. Namespaces
   2. Capabilities
   3. Control Groups
   4. LSM
3. Auditing Docker Containers
   1. CIS Benchmarks (docker bench security audit)
   2. Docker Runtime & API
   3. Docker Images & containersDocker Images & containers
   4. Docker Networks & Volumes
4. Scenarios for Docker Escapes
   1. Capability Escape
   2. Insecure Volume & Socket Mounts
   3. Insecure API & Misconfigurations
   4. Playing a fun game with container capabilities
5. Advanced scenarios
   1. Docker-Compose environments
   2. Docker-Swarm environments
   3. Attacks around clusters
   4. Twisted attack scenarios (Demo-Only)
6. Security Best practices & Take Away
   1. Docker configurations and deployments security checks
   2. Security checks for Docker files and docker-compose files
   3. Security checks for events using Docker events
   4. Logging and Monitoring for events

Pre-Requisite

1. A laptop with administrator privileges
2. 10 GB of free Hard Disk Space
3. Ideally 8 GB of RAM but minimum 4 GB
4. Laptop should support hardware-based virtualization
5. If your laptop can run a 64-bit virtual machine in Oracle VirtualBox it should work
6. Other virtualization software might work but we will not be able to provide support for that

Participants Requirements

1. Able to run linux cli commands
2. Basics of system administration
3. Understanding about virutalization would be useful

Who should attend

1. Penetration Testers
2. Security Engineers/Analysts
3. IT and System Administrators
4. DevOps and Security Teams

What to expect

1. Completely hands-on, intense, fast paced learning using a combination of scenarios, case studies, hacker tools
2. Attacking applications and services hosted in containerised environments. Complete documentation of the attacks and virtual machines

What not to expect

1. A lot of hand holding about basic concepts already mentioned in the things you should be familiar with
2. A lot of theory. This is meant to be a completely hands-on training!!

Speakers

Attacking weak Crypto Implementations

by Ajit Hatti

WORKSHOP ABSTRACT

The aim of the workshop will be to build Solid Understanding of the basic primitives of cryptography and building blocks of PKI. How these different blocks come together and try to provide you end to end security and still there are many ways you can get around and exploit these Implementations.

We will use OpenSSL as our Swiss Army Knife and practically understand how the cryptography, benchmarking, cryptoassessment, back door detection is done. We will see how the balance between security requirements and the performance & compliance is achieved by choosing the right set of primitives.

And One day entirely hands on to attack, bypass or exploit the SSL / TLS implementations in N different ways.

COURSE CONTENT (ToC)

• Understanding the Basic Building Blocks of Cryptography & PKI
  • Using Trustable Crypto Source & Libraries
  • OpenSSL: Swiss Army knife of Cryptography [Lots of hands on assessment here]

• Defining & Testing Secure Communications
  • Configuring an HTTPS server
  • Understanding SSL / TLS communication & Flaws
  • Attacks on SSL / TLS protocols using web Proxies
  • Undocumented Attacks & Bypasses for SSL / TLS
  • Perfect Forward Secrecy

• Storing and Retrieval / Archiving of the Sensitive Data
  • Basic Cryptographic algorithms
  • Understanding the Limitations & attacks on cryptographic algorithms
  • Malware precaution & protection
  • Storing & Securing sensitive Data in Cloud

• Processing Sensitive Data
  • In memory processing of sensitive data
  • Securing data processing in Cloud
  • Browser Hacks on sensitive data caching

• Recent & Popular attacks
  • Heart Bleed to SSL Sniff / Strip
  • Back-dooring the (P)RNG & other crypto algorithms
  • Hashes & Collisions

• Exploitation in Post Quantum Scenario
  • Post Quantum & Contemporaneity Cryptography
  • Quantum Key Generation & Distribution
  • Post Quantum Crypto Systems

• More Attacks
  • Timing Attacks
  • OCSP stappeling
  • HSTS time stamps
  • PRNG Functions
  • Crypt Analysis
  • Side Channel Attacks

• Miscellaneous
  • Quantum CryptoGraphy
  • Quantum Key Distribution
  • Quantum Resist crypto premitives
  • Attacks on Quantum Computing
  • Few Practical tips on Privacy and security

Pre-requisite

• Mac or a A laptop with a Linux of your choice is must
• Openssl any version, C / C++ compilers
• Browser, web proxy & any Web Server instance on your machine

Participants Requirements

Understanding of basic concept of Information Security

Who should attend

Security Professionals responsible for Testing, Developing, Designing, Auditing critical systems with Cryptographic implementations.

WHAT TO EXPECT

• Walk away with the pratical knowledge of
• Working use and abuse of PKI systems using Openssl Toolkit
• Know how to test and exploit secure protocols, encrypted networks, few crypt analysis techniques
• Where to look for flaws in systems secured by cryptography
• What are the latest attacks in the Cryptographic world and how do they work Know end to end use and abuse of Browser to Web server secure channels
• Know few advanced standards and theoretical attacks

WHAT NOT TO EXPECT

• A to Z of the Mathematics Behind the Cryptographic standards
• Breaking Google, FB, Banks secure communication by successful cryptanalysis
• This course tries to gives you basic but essential knowledge of cryptography to be an effective Pen-testers, auditors, to become a Cryptographer Lets join a PHD course

Speakers

Building a Real-World Attack Monitoring Solution by leveraging the ELK Stack

by Himanshu Kumar Das & Prajal Kulkarni

COURSE CONTENT

The 2 day training course outlines defense in depth on Network and Application Layer attacks using Elastic stack. During the 2 day training programme, we would conduct hands-on exercise on simulating, correlating, analyzing and mitigating multiple attacks from Layer 4 - Layer 7. We would also cover various case-studies on day-day security requirements on cloud as well as enterprise networks. The course would end with a CTF exercise to participants on visualizing security facts using Elastic stack.

Detailed Course Abstract

With growing trend of Big data, companies tend to rely on high cost SIEM solutions. Continuous Security Monitoring/Alerting of medium and big enterprise is a large challenge in hand today. Logs from thousands of endpoints, servers and perimeter devices is difficult to aggregate, analyze and correlate in real time that can enable better security incident response & event handling. Organization usually end up with massive data breaches due to lack of visibility in their network activities across the infrastructure. Our course would expose you to take control of enterprise wide logs, analyze them in real time using the ELK frameworks. During our course, you would learn to scale the Elastic Stack and generate powerful visualization & data modeling using kibana making analysis of data and decision making simple.

The training will also cover simulating real-world attack scenarios, alerts customisation necessary to respond to a real world attacks/anomalies. With growing cloud based offerings it becomes crucial to understand systems for detecting and responding to attacks. With tools like osquery we will show how a scalable solution for system level anomaly detection can be build.

This training is meant for security enthusiast, DevOps, and startups trying to build an in-house solution. This will be a great learning to set-up one's own an affordable Security Analytics Platform.

Course Outline

Day 1

• Elastic 5
  • Overview & Architecture of Elastic Stack
  • Capacity Planning of Elastic Stack
  • Overview of ElasticSearch API’s
  • Dumping data into ElasticSearch
  • Extending Elastic capabilities using X-Pack
• Logstash 5
  • Introduction to Logstash 5
  • Exercise - Various use cases(webservers,syslog,etc)
  • Introduction to GROK filters
  • Pattern matching using GROK filters
  • Exercise – Normalizing Logs using GROK Filters (firewall, webserver,syslog,etc)
• Elastic Stack on Cloud & Enterprise Network
  • Introduction to Data shippers
  • Shipping & Correlating logs from heterogeneous sources
  • Exercise – Collect and correlate logs (filebeat, packetbeat)
• Scaling Elastic Stack for High Availability Architectural
  • Overview of Scaling Elastic Stack using HAproxy & Redis
• Interpolation of Security Events into Elastic Stack
  • Exercise – Correlating Layer 4 and Layer 7 attacks (SYN Flood, HTTP Verb Flood)

Day 2

• Kibana 5
  • Overview of Kibana Dashboard
  • Setting up Visualizations in Kibana
  • Setting up multiple dashboards in Kibana
  • Exercise - Kibana Visualizations(Area, Pie,Line,etc)
• Alerting Attacks
  • History on alerting – Evolving from script to automation
  • Overview Of ElastAlerts
  • Exercise – Writing Elastalert rules
• Case Studies on Elastic Stack
  • NMAP with Elastic Stack
  • Burp with Elastic Stack
  • Threat Intel with Elastic Stack
• Approaching Internal Security on Cloud & Enterprise Network
  • Overview and architecture of osquery
  • Understanding tables & packs in osquery
  • Integration of osquery with Elastic Stack
• Capture the Flag on Elastic Stack

What to Expect

Over the duration of 2 day workshop, you would get a detailed knowledge on how to build a no cost attack monitoring solution as one stop solution for external as well as internal security both on cloud as well as enterprise network. We will have various classroom exercise to engage participants on real world security use-cases as well as scaling the entire Elastic Stack for large scale networks. Labs will include all necessary tools and configs necessary to run a full functional stack for attack monitoring. The workshop would have a mega challenge at the end of the course on a pre-populated data to get a hands-on experience on production grade Elastic Stack.

What Not to Expect

Elasticsearch programming Writing Plugins for Logstash Any exercise/demo on a physical network device.

Pre-requisite of Training

• A laptop with administrator privileges.
• 30 GB of free Hard Disk Space.
• Ideally 8 GB of RAM but minimum 4 GB
• Laptop should have a working wireless and wired/Ethernet connection
• Latest Oracle Virtualbox(preferred) or VMWare Workstation or VMWare Fusion installed Other virtualization software might work but we will not be able to provide support for that.

**Note: We do not support Windows XP

What you will get

• Tools and software provided for the training
• Completely documented script and programs
• A simple to follow step by step walkthrough of the entire training in a PDF file
• Virtual machines with code used during the training so that you can even practice after the training is over

Speakers

Burp Suite for Web and Mobile Security Testing

by Riddhi Shree

WORKSHOP ABSTRACT

If you care about application security, the one tool that you must absolutely be familiar with is an “Interception proxy”. Although there are several interception proxies in existence, depending on the intensity of penetration tests that need to be performed, a penetration tester might choose a simple or an advanced tool with advanced features. Burp Suite is a collection of several simple-yet-powerful tools. It not only works as an 'interception proxy' but also gives users the ability to automate attacks, attack multiple parameters, generate PoCs, statically detect vulnerabilities, perform out of band exploitation, manage sessions across authorization levels, transform data across multiple types, save and export session data between users, and much more! This completely hands-on workshop is meant for web and mobile security testers, penetration testers and security enthusiasts who want to eliminate the grunt work involved in manual analysis of server traffic, and who want to craft customized and effective attacks against web applications to discover high risk security vulnerabilities.

Course Content

Day-1: Getting Started

1. Burp Suite Features:
   • Target
   • Proxy
   • Spider
   • Scanner
   • Intruder
   • Repeater
   • Sequencer
   • Decoder
   • Comparer
   • Project Options
   • User Options
   • Alerts
2. Attacking with Intruder (Hands-On):
   • Attack Types
   • Sniper
   • Battering Ram
   • Pitch Fork
   • Cluster Bomb
   • Payload Types
   • Simple list
   • Runtime file
   • Custom iterator
   • Character substitution
   • Case modification
   • Recursive grep
   • Illegal Unicode
   • Character blocks
   • Numbers
   • Dates
   • Brute Force
   • Null Payloads
   • Character Frobber
   • Bit flipper
   • Username generator
   • ECB Block Shuffler
   • Extension-generated
   • Copy other payload

Day-2: Tools of the Trade

1. Setting-up the Web and Mobile Application Security Testing Environment:
   • Memory allocation to avoid crashing of Burp
   • Exclusive Firefox profile setup
   • Defining the 'Target Scope'
   • Setting up the 'Proxy Listeners'
   • Hot-keys setup
   • Upstream proxies and SOCKS proxies
   • SSH tunneling
   • Installing Burp Certificate
   • Mozilla Firefox
   • Microsoft IE and Google Chrome
   • iOS or Android
   • SSL pass-through
   • Invisible proxy
2. Attacking web applications using Burp Suite tool: Hands-on

Pre-Requisite

1. Laptop with administrator access (mandatory)
2. Minimum 4 GB RAM
3. At least 10 GB of free hard disk space
4. Oracle VirtualBox 5.x or later installed
5. Burp Suite Community Edition installed (https://portswigger.net/burp/communitydownload)
6. Make sure Burp Suite can start
7. Firefox browser with FoxyProxy Standard add-on installed (https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/)
8. Familiarity with HTTP Request and Response Structure

Who should attend

Anyone who is getting started with Web Application Security Testing and who would want to use Burp Suite powerfully should attend this training. Folks who are seasoned security testers would also benefit from the advanced usage of Burp Suite during the training.

WHAT TO EXPECT

Gain confidence in customizing your Web Application Security Testing approach to suit application-specific pentesting needs, by gaining clarity on the powerful features provided by the Burp Suite tool.

WHAT NOT TO EXPECT

As this is a hands-on training, do not expect a lot of theory

Speakers

JavaScript for Pentesting the Modern Application Stack

by Bharath Kumar & Subash SN

WORKSHOP ABSTRACT

JavaScript is everywhere! JS is on the client side, JavaScript is on the server side (Node.js), there are way too many JavaScript frameworks both on client and server side. Understanding JavaScript is not optional anymore for Web Security testers. JavaScript is not just one of those things a tester needs to know just so he/she can write XSS payloads. Understanding JavaScript is one of the most fundamental and crucial skills a Web Application security tester can have. Knowledge of Javascript makes you a better security tester and it makes an immense difference in the way someone looks/test applications.

In this workshop, we will start with absolute basics of JavaScript and how JavaScript fits into the web ecosystem. We'll take a deep dive and look at all the essential JavaScript concepts that a security tester must know. We'll look at JavaScript both from client side and server side. You'll gain hands-on practice with real-world vulnerabilities in JavaScript based applications/frameworks. We'll wrap up the training with a Capture The Flag on an application that resembles a real life application.

Learning outcomes

1. You'll learn the essentials of JavaScript both on client side and server side
2. You'll understand the importance of JavaScript in the web ecosystem and importance in web security
3. You'll gain hands-on experience with multiple attacks both on client side and server side
4. You'll have hands-on practice on how to test for vulnerabilities in JavaScript based applications and also utilizing JavaScript to exploit other vulnerabilities for maximum impact (like script injection attacks)

Course Content (ToC)

The training will more or less adhere to the following outline

1. Essentials of JavaScript
   • JavaScript Language Fundamentals
   • Intro to DevTools(Chrome/Firefox)
   • Manipulating DOM & Events
   • Local & Session Storage
   • Asynchronous JavaScript, Ajax & Fetch API
2. Client-side attacks
   • DevTools(Chrome/Firefox) for security testing
   • Bypassing client-side restrictions using DevTools
   • Advanced Cross Site Scripting (XSS) attacks
     • o XSS in modern JS frameworks
     • o Advanced XSS payloads - going beyond alert('xss')
     • o Esoteric XSS payload - bypassing XSS filters
   • Understanding SOP & CORS(using JS)
   • JSON hijacking
   • Client Side Template Injection(CSTI)
     • o CSTI in AngularJS
   • Attacking Single-Page Applications (SPAs)
3. Server side attacks
   • OWASP Top 10 on a Node.js application
   • Server Side JavaScript Injection(SSJI)
   • Server Side Template Injection(SSTI)
4. Extras
   • Attacking Token Based Authentication
   • Attacking JSON Web Token (JWT)
   • Remote Code Execution in JavaScript applications
   • Performing JavaScript static analysis to find security vulnerabilities
5. Custom Capture The Flag (CTF)

Pre-requisite

• Laptop with administrator access (mandatory)
• Minimum 2 GB RAM and 5 GB free hard disk space.(More the better)
• Preferably running Linux as primary OS but Windows/Mac is permissible
• Oracle VirtualBox 5.x or later installed. (VMWare users are on their own)
• An SSH client on the host OS. (Most Linux distributions have SSH client by default, Windows user can use putty)
• Your own Internet connectivity (Internet is needed for few exercises and also for additional reading)

Participants Requirements

• Little bit of programming experience in some language but not necessarily JavaScript is preferable. (Enough to know what is a variable, 'if' conditonal, 'for' loop etc.)
• Some exposure to Web application penetration testing is expected. We don't expect audience to be proficient at pentesting but we will expect that you know the basics of web application penetration testing especially OWASP Top 10
• Able to use at least any one command line and one graphical text editor (nano, vim, gedit, Sublime, VS Code etc)

Who should attend

• Pentesters and Security Testers
• Security Professionals
• Web Application Developers(JavaScript) who are interested in understanding the security aspects

WHAT TO EXPECT

• - Everything in the training will be hands-on, fast paced training
• - Lab-driven approach (You'll get to practice every attack we discuss)
• - Attacker focused, although there will be mitigation discussion when applicable this class is focused towards testers

WHAT NOT TO EXPECT

• Lots of theory
• This workshop is geared towards Web Application Security professionals so don't expect more development related discussion

Speakers

Secure code Audit

by Manoj Kumar & Ranjith Menon

Pre-requisite

Training will be hands on so you need to bring your own laptop to perform different types of attacks on web based applications.

System Requirements

1. Windows/Linux/OsX Installed machine
2. RAM – 8GB
3. Free space in your machine – 10GB
4. Installed VMware Player in your machine
5. Visual Studio installed
6. Notepad++

Who should attend

1. Having knowledge to develop web application in Java & .Net
2. Understanding of server client architecture
3. Those having development background
4. Eager to learn secure source code practices

WHAT TO EXPECT

• Exposure to different tools used for performing attacks
• Demo application to perform secure coding practices

WHAT NOT TO EXPECT

• Any professional tools

DURATION

2 Days

The course covers relevant web application issues to subsequently demonstrate how to design and develop code defenses into an application.

1-Day: Secure Source Code Practices

Module 1: Introduction to Secure Source Code Practices (SSCP)

• What is SSCP
• Need for SSCP security solution

Module 2: Parameter manipulation attack and Defenses

• Bypassing client-side validation
• Variable manipulation attacks
• Input validation types
• Black list vs White list filters
• File Upload attacks and best practices
• Exploit CSV based export features using formula injection
• Best practices and guidelines to avoid these Attacks
• Demo

Module 3: SQL- Injection

• Blind & Second Order SQL injection
• Enumerating database tables and columns
• Demo

Module 4: Cross Site Scripting (XSS)

• Reflected, Stored and DOM based XSS
• Same domain Policy in browsers
• Best practices and guidelines to avoid Cross Site Scripting Attack
• Demo

Module 5: Cryptography

• Encryption & Decryption
• Encoding
• Hashing
• Demo

2-Day: Secure Source Code Practices

Module 1: Client Side Attacks and Defenses

• Back-refresh attack
• Insecure caching
• Sensitive data in History
• Insecure Local Storage issues
• Demo

Module 2: Broken Authentication and Session Management

• Session expiry
• Session fixation
• Secure attribute for Cookies
• Best practices to manage session
• Demo

Module 3: Error Handling and Logging

• Proper implementation of log
• Proper error handling
• Demo

Module 4: Code quality

• Hard coded information
• Critical information in comment
• Client side hardcoded information
• Demo

Module 5: Backend storage Information

• Password storage
• Salted hash technique
• Storage of critical information in backend side
• Demo

Module 6: Insecure Direct Object References

Module 7: Cross Site Request Forgery (CSRF)

Module 8: Hands-on practice on vulnerable source code application for attendees

Speakers

Mobile App Exploitation

by Arun.S & Karthik Lalan

Workshop Abstract

Mobile App Exploitation is a unique training which covers security and exploitation on mobile platforms on both Android and iOS. The entire class will be based on intentionally crafted real-world vulnerable Android and iOS apps. The training will take the attendees from the ground level upwards to be able to audit any real world applications on the platforms. This is a 2 days fast paced training with full of hands-on Labs & challenges for both Android and iOS environment.

Pre-Requisites

• Passion to Learn New Things
• Basic Knowledge of HTTP Protocol & Basic programming fundamentals (any language)
• Basic Knowledge on how to Install & use Mobile Apps & VirtualBox

What to expect

• Hands-on Training
• Fast Paced Learning
• Real World Case Studies & Scenarios

WHAT NOT TO EXPECT

• A lot of Theory
• To become a Mobile App Pentester Overnight

What Should Participants Bring

• A jailbroken iPhone / iPad for iOS testing is must for hands-on.
• Laptop with 40+ GB free hard disk space & 8 GB RAM.
• Android Training - Windows/Macbook is required & for iOS Training - Macbook with Xcode (8.2 or above) Installed.
• Install Android Studio latest, Oracle Virtual Box 5.2.x & above, Install Android Virtual Device Images – OS Version 5/6/8.
• Root/Administrative access on your laptop with external USB allowed.
• Make sure Intel / AMD Hardware Virtualization enabled in OS.
• Google Drive link for other tools & resources
  • https://drive.google.com/open?id=0B7EvnEyvoZxsQlB5N0FxdkhBM2c

Takeaways For Participants

• Mobile App Concepts & Reference
• Bug Bounty Approaches & Methodologies
• Get in touch with the trainer's even after the training via a Whatsapp Group for a month Course Duration

16 hours of Training in 2 days (8 Hours Daily).hours of Training in 2 days (8 Hours Daily).

Course Outline

Day 1: Android Pentesting

Android Basics

• Android Security Model
• Application Signing & Sandboxing
• Android Permission Model
• Basics of Android Rooting
• Understanding Android File System
• Application Components and Structure

Setting up the Pentesting Environment

• Setting up Android Debug Bridge(ADB)
• Setting up the Android Studio Emulators
• Setting up Intercepting proxy – BurpSuite
• Setting up Automated Tools like – MobSF, Qark,Drozer etc.,

Reverse Engineering

• Manifest File Analysis
• Runtime Manipulation & Code Patching
• Decompiling & Recompiling the APK
• Code Signing.
• Code Obfuscation using Proguard & Dexguard
• Root Detection techniques and bypass via Reverse Engineering

Static & Dynamic Analysis

• Exploiting Application Components & Security
• Exploiting Local Storage
• Exploiting Side Channel Data Leakage
• Exploitation Using Drozer
• Automated Static Code Analysis using MobSF, Qark etc
• Exploiting apps on non-rooted device
• Run time analysis using JDB / Frida

Network Analysis & Data Manipulation

• Certificate Validation
• Bypassing SSL Pinning
• Insecure communication
• WebViews & JavaScript Interfaces
• Analyzing Network based weaknesses

Day 2 : iOS Pentesting

Getting started with iOS Pentesting

• iOS Security Model
• App Sandboxing
• App Provisioning
• Changes in iOS 10/11 Security
• Exploring the iOS Filesystem
• Code Obfuscation Techniques
• App Signing

Setting up the Pentesting Environment

• Setting up iOS Simulators
• Jailbreaking Basics (iOS 10.x - 11.x)
• Setting up iPhones & iPads
• Working on Test Flight Builds. Cydia, Mobile Substrate

Reverse Engineering & Binary Analysis

• Reversing AppStore Binaries
• Checking for PIE, ARC
• Finding Shared libraries
• Reversing un-encrypted binaries
• Disassembling using hopper
• Binary Analysis
• Patching, Repackaging, and Re-Signing IPA Files

Static & Dynamic Analysis

• Exploiting Local Data Storage Flaws
• Dynamic Analyis on Non-Jailbroken Devices
• Keychain Storage
• Data Storage in SQLite,Core Data, Realm & YAP DB
• NSUserDeafaults
• Dumping Keychain Storage
• Cycript Basics
• Side Channel Data Leakage
• Sensitive information disclosure

Analyzing iOS Network Traffic

• Intercepting HTTP/HTTPS Traffic
• Attacking Weak Server Side Controls
• Client Side Injection
• Inspecting & Manipulating Network Traffic
• Bypassing SSL pinning using Frida

Speakers