INFILTRATE 2019 TRAINING COURSES
Event Information
Description
28 (ISC)2 CPE CREDITS
Immunity's Web Hacking class has a heavy emphasis with hands-on-learning, going in-depth on XSS, SQLi, XXE and Web Crypto. The token system has been improved from previous years, which allows us to track how each individual student is performing in class and indicates if a student could use extra help with a particular subject. The token system also allows for students to compete for the top score (often for fabulous prizes). Come to Web Hacking and receive instruction from members of Immunity's senior consulting team!
Syllabus (subject to change):
DAY 1 - INTRODUCTION TO XSS
- Reflected XSS
- Stealing cookies
- Stealing the DOM
- Persistent XSS
- DOM based XSS
- CSRF
- Filter evasion
- XSS via Flash
- Crossdomain.xml issues
- Client side template injection
DAY 2 - COMMAND INJECTION AND XXE/XSLT ATTACKS
- Command injection into the Linux shell
- Command injection into modern Windows
- Blind command injection
- Sighted XXE attacks
- Blind / Out-of-band data retrieval with XXE
- XSLT Injection
DAY 3 - SQL INJECTION
- Sighted SQL Injection
- Error based blind SQL Injection
- Time based blind SQL Injection
- Authoring SQL Injection automation tools
DAY 4 - WEB CRYPTO
- ECB
- CBC
- Padding Oracles
Immunity Java Exploitation - April 29 - May 1, 2019
21 (ISC)2 CPE CREDITS
This class will cover auditing modern Java applications, exploiting vulnerabilities from a wide variety of vulnerability classes. From the home desktop, to the enterprise, Java is consistently present in ways you would not expect it to be. This class will teach you how to take advantage of the insidious layer of Java bubbling through the cracks of the modern enterprise attack surface.
Syllabus (subject to change):
DAY 1
- Java Classes 101
- Class member access
- Classes hierarchy & interfaces
- Important keywords and modifers
- Introduction to Java Security & Sandbx
- Bytecode Verifier
- Security Manager & Access Controller
- Security Manager in Application Servers
- Secure Coding Guidelines
- Environment Setup
- Java Web Applications Introduction
- Information Disclosure
- Input Validation
- Cross Site Scripting
- SQL Injection
- Command Injection
- Logical Bugs
- Path Traversal
- File Disclosure
- File Overwrite
- Privilege Escalation
DAY 2
- Request Forgery
- Client Side Request Forgery
- Server Side Request Forgery
- Dangerous Parsing
- XML
- XSLT
- Deserialization
- JSON
- El Injection
DAY 3
- JNDI/LDAP Manipulation
- Frameworks & Services
- WebServices
- REST APIs
- Vulnerabilities in Popular Frameworks
- Crypto
- Padding Oracle
- PRNGs (Random & RandomStringUtils)
- Exploitation
Immunity Click Here For Ring0 - April 28 - May 1, 2019
28 (ISC)2 CPE CREDITS
Immunity's Click Here for Ring0 class teaches both Windows clientside exploitation, as well as Windows kernel exploitation. These two combined courses complement each other perfectly through hands-on exploitation that takes the student from gaining remote access to elevating privileges on modern Windows systems. This is an intermediate class that requires a solid grasp of userland and kernel debugging on Windows platforms.
Syllabus (subject to change):
DAY 1
- Memory layout analysis
- Client side vectors of explotation
- Memory corruption vulnerabilities
- Use After Free vulnerabilities in practice
- Exploiting browser plugins
DAY 2
- Modern day browser protections
- Information disclosures
- Improving exploit reliability
- Hunting for client-side bugs
- From client to kernel
DAY 3
- Debugging environment setup
- Kernel debugging principles
- Windows kernel architecture
- Kernel-land vs user-land
- Kernel shell coding
- Kernel structures
- Token stealing
DAY 4
- Past vulnerabilities & how to find them
- Protocols
- IOCTL & FSCTL
- Window management
- Arbitrary overwrite exploitation
- Recent techniques
- Hands-on Exploitation
- Custom vulnerable driver
- Real vulnerabilities
Immunity Applied Cryptanalysis - April 28 - May 1, 2019
28 (ISC)2 CPE CREDITS
The Immunity Cryptanalysis class takes traditionally dense Academic cryptanalytic theory and presents it in a practical way. The course relates each topic to practical examples. As students progress through the course they will take away real world cryptanalytic skills they can start employing immediately. Students learn to effectively recognize and exploit weakly implemented cryptography based on real world examples. More importantly, students will learn a methodology for expanding their own cryptanalytic prowess by learning to use a practical cryptanalytic tool chain. This course sets experienced vulnerability researchers up with the base they need to expand into the world of flawed cryptography.
Syllabus (subject to change):
DAY 1
- Academia vs Real World Cryptanalysis
- Performing Crypto Algebra with Sage (Finite Groups, Elliptic Curves, Boolean Polynomial Ring)
- Hands on problem solving with Sage
- The state of PRNG and associated issues
- The state of Hash Functions
- Statistical and Algebraic attacks against Symmetric ciphers
- A focus on Groebner Bases and SAT
DAY 2
- The state of RSA (common mistakes & factorization)
- Solving (EC)DLP (Pollard RHO, Index calculus)
- Elliptic Curves specifics
DAY 3
- Real World Implementation issues
- Symmetric/Asymmetric primitives
- Source / Compilation / Languages / Platform specific issues
- Local timing attacks
- Improvement of an attack using filtering
DAY 4
- Cache attacks
- Padding Oracle
- Remote timing attacks
Immunity Linux Kernel Exploitation - April 28 - May 1, 2019
28 (ISC)2 CPE CREDITS
The Immunity Kernel Exploitation Master Track focuses on modern exploit development and vulnerability discovery techniques. Intermediate to advanced exploit development skills are recommended for students wishing to this class.
Syllabus (subject to change):
DAY 1
* User Land vs Kernel Land
* Introduction to the Kernel Land
* Kernel Debugging Environment
* Kernel Internals
DAY 2
* Memory Models and the Address Space
* Kernel Shellcodes
* Taxonomy of Kernel Vulnerabilities
* Arbitrary Kernel Read/Write
DAY 3
* Kernel Heap Allocators (SLAB/SLUB)
* Kernel Pool Overflows and Use-After-Free
* Race Conditions
DAY 4
* Logical and HW-related Bugs
* Kernel and Hardware Protections
* Bypassing Protections
* The Future of Kernel Vulnerabilities
3rd Party Training:
INFILTRATE 2019 now offers 3rd pary training courses in addition to the IMMUNITY training courses. None of the 3rd party classes offer CPE credits. All students of the 3rd party classes are required to bring their own laptop to use during the class. Technical specifications will be provided. All 3rd party classes are eligible for the the Conference Bundle Discount ticket. All 3rd party classes include breakfast and lunch for the registered student on class days.
Azeria's ARM-based IoT Exploit Development - April 29 - May 1, 2019
*Laptops Not Provided, Students Must Bring Own Laptop*
This course starts with a comprehensive overview of the ARM 32-bit architecture. To give the students more context, advanced concepts like TrustZone and privileged modes will also be part of this introduction. The ARM Assembly part of the course includes all relevant concept needed to reverse engineer ARM-based binaries and write elaborate ROP chains. Writing shellcode gives students practice in assembly and teaches them concepts such as leveraging the “literal pool” to reference strings and struct values. The “reverse engineering” part of this course introduces students to the process of RE and debugging ARM binaries, followed by a lab in which they will reverse engineer their first binary and understand how function flow works on ARM. Students will be introduced to memory-corruption vulnerabilities on the first day. After understanding what is needed to corrupt the stack, students will trigger a stack-based vulnerability and write an exploit allowing them to execute their own shellcode from the stack. After this lab, the concept of NX and Return Oriented Programming will be introduced, followed by a more complex challenge that will require the students to build a ROP chain where the ideal ROP gadgets are not available in the target library. The second day of this course will be 80% lab time. After a quick introduction into NX mitigation bypasses and different ways of bypassing ASLR, students will start exploiting their first real-world target. For each new target, we will start with an overview of the hardware-hacking and firmware-emulation process. Students will write exploits to bypass all of the mitigations on two different IoT targets and learn how to overcome common restrictions encountered during the debugging process. After obtaining a shell through a ROP chain that leverages the system() api, students will then learn an alternative way of gaining access to the target system that is far less noisy. The labs will also teach them how to bypass common memory read and write issues when taking control over the Program Counter register, as well as how to debug real-world vulnerabilities, and how to write elaborate ROP chains to bypass all mitigations on the chosen real-world targets. On the third day, students will be introduced to information leak vulnerabilities by exploiting a buffer overflow coupled with a format string vulnerability and write an exploit to bypass NX and ASLR. Students will then be introduced to Heap exploitation and will write an exploit for a heap overflow vulnerability.
Syllabus (subject to change):
DAY 1
ARM 32-bit Architecture
- Difference between Architecture and Microarchitecture
- ARM processor types
- RISC CPU features
- Privilege Modes
- TrustZone Extension
- Memory model, memory types, memory segments
ARM Assembly Language
- Syntax of Assembly programs
- User mode registers and privileged banked registers
- Exception handling process
- Status registers (CPSR and SPSR)
- Conditional execution
- Thumb mode
- Most common instructions
- Data processing instructions
- Load immediate restrictions
- Literal pool
- Load and store instructions
- Load and store addressing modes and offset modes
- Load and store multiple register processing
- Function calls and subroutines (function prologue and epilogue)
- Preserving runtime environment via stack
Writing ARM Shellcode
- Overview of Shellcode writing process
- Tracing system calls and determining Syscall number
- Mapping out function parameters
- Translation to assembly
- Checking for null-bytes and avoiding them
- Converting assembly into hex string
Lab: Reverse Shell
Students will translate the following function calls into assembly: socket, connect, execve, dup2. This exercise teaches them how system functions are being invoked in assembly and how to make use of the literal pool when trying to reference strings and values like IP addresses.
Reverse Engineering
- Introduction to ELF binaries
- Process of gathering information about the binary
- Static analysis of ARM functions
- Understanding function flow
- Debugging with GDB, useful commands
- Dynamic analysis of function flow
Lab: Debugging with GDB
Debugging an ARM binary with GDB and analyzing the function flow with guidance of a workbook in which students will answer questions about the binary and learn the process of static and dynamic analysis. This exercise will familiarize the students with the debugging process and prepare them for the exercises that follow.
Memory corruption vulnerabilities
- Stack frames
- Examples of vulnerable functions
- Visualization of a vulnerable function call
- Stack corruption
- Executing Shellcode on the stack with a simple gadget
- Introduction to gadget hunting
Lab: Exploiting BoF
In this exercise students will corrupt the stack by exploiting a vulnerable function and create their first exploit in which they identify the offset for the PC crash and leverage a simple gadget to jump to their Shellcode on the stack.
Exploit mitigations
- Introduction to the NX bit which makes the stack non-executable
- Ways around this restriction
- Introduction to Return Oriented Programming
- invoking system() via ROP to execute a command - the traditional way
Lab: Bypassing NX
In this exercise, students can’t use the traditional way of invoking system(“/bin/sh”), which is only possible with old libraries containing the ideal gadget. This challenge uses a newer Libc library, in which the ideal gadget is not present. This lab challenges students to creatively think about a restriction and come up with a workaround.
DAY 2
Return Oriented Programming
- More detailed explanation of ROP
- Gadgets that break your ROP chain
- Workaround through register initialization
- Noisy vs stealth ways of exploitation
Mprotect ROP chains
- Technique of making a stack region executable through ROP
- Building mprotect ROP chains
- How to avoid null-bytes when trying to fill a register with a small value
- How to make stack addresses page aligned
First target: D-Link DIR890
- Process of gaining access to the device via UART and getting shell access to the device
- Process of extracting and emulation the firmware
- The vulnerable service
Lab: Bypassing memory-write issue to take over PC
Taking control over the Program Counter is not always as trivial as supplying a long string of A’s. Our first target crashes before reaching the PC overwrite. Students need to identify the issue, understand why it occurred, and find a way to bypass this issue in order to continue execution until the PC crash.
Lab: invoking system to get a reverse shell connection
After bypassing the restriction in the previous lab and gaining control over PC, students are introduced to the easy but noisy way of exploitation. Students will learn how to craft a quick Proof of Concept exploit and learn how to get a back connect without the possibility to execute reverse Shellcode from the stack.
Lab: D-Link mprotect ROP chain
The goal of this lab is to write an entire mprotect ROP chain. This type of exploit usually Involves writing around 60-80 lines of code, 80% of which is the mprotect ROP chain itself. Students will get a deep understanding of building ROP chains of any kind. The exploit is then launched against the vulnerable service to get a shell.
Lab: Bypassing memory-read issue to take over PC
The goal of the following two labs is to take control over the Tenda router using similar. This lab is yet another example of real world restrictions when attempting to crash the application and take over PC. Students will debug a Tenda buffer overflow and find a way around a memory read issue that prevents the service from crashing in PC.
Day 3
Lab: Tenda mprotect ROP chain
This lab is for students who managed to finish the previous labs ahead of time. The mprotect ROP chain of this target is similar to the previous one, however there are two problems: one part of the D-Link mprotect ROP chain needs to be modified to fit the new target, and the Shellcode needs to be modified to avoid certain characters that would cut off the payload. These characters are returns which pose a problem when exploiting a buffer overflow in a cookie header. Students learn how to think outside the box and adopt their exploit to the new target.
Address Space Layout Randomization
Techniques for bypassing ASLR:
- Brute-Force
- Partial PC overwrite
- Information leaks via string format vulnerabilities
Lab: Exploit to bypass ASLR with format string vulnerability
Students will exploit a buffer overflow and a format string vulnerability. The goal of this lab is to write an exploit that takes advantage of a buffer overflow to get a shell and calculates the Libc base address from an information leak to bypass ASLR.
Introduction to Heap Exploitation
- Introduction to the heap
- Heap layout
- Vulnerability types affecting the heap
- Categories of heap vulnerabilities
- Concepts and exploitation techniques
- Use-after-free
Lab: Writing an exploit for a heap-based buffer overflow vulnerability
Vector 35's Reverse Engineering with Binary Ninja - April 30 - May 1, 2019
*Laptops Not Provided, Students Must Bring Own Laptop*
Ready to be more efficient with the time you spend reverse engineering? Reverse Engineering with Binary Ninja covers everything you need to be faster with your manual RE tasks and also build automation using Binary Ninja's API for both RE and VR. Students will also learn how to extend CPU architectures and create their own binary views for custom file formats. You'll become immersed in the type system, all the layers of Binary Ninja's Intermediate Languages (BNIL), and come out with the ability to write concise powerful scripts to solve a wide variety of RE and VR challenges. A free student license to Binary Ninja is included with each registration -- if you already have a license, feel free to gift it to a friend!
Students should already be familiar with reverse engineering concepts such as memory, stack, registers, calling conventions and at least one low-level assembly language (multiple architectures will be used throughout the course but in-depth knowledge in them is not required). Familiarity with python is strongly recommended as most of the samples will be written in python though very few advanced python features are required.
Students are required to bring their own laptop to use in class. Any laptop capable of running both Binary Ninja and an Ubuntu 18.04 virtual machine (VMWare or VirtualBox) is acceptable. A commercial license for Binary Ninja is recommended for multithreading and headless processing, but students will receive a redemption code for a free personal license in the course. Students may opt to pay the difference for a commercial license separately from course registration. Recent MacOS, Linux, and Windows (x64 versions of Win10) are all supported though please test your Linux build if it is not Ubuntu LTS or most recent stable.
*CANCELLATION INFORMATION *
-
Conference Briefings and Training Session fees are non-refundable after April 5th, 2019.
-
Registrants who must cancel may substitute another person. Substitutions are allowed with the written permission of the original registrant.
-
All cancellation and substitution requests shall be made in writing and sent to infiltrate@immunityinc.com from original registrant.
-
Paid registrants who do not cancel by April 5th, 2019, fail to send a substitute or do not attend the conference and/or training forfeit their entire registration fee.
For more information on Cancellation/Substitution policy, please click HERE.