DEF CON 24 Hacking Conference



Workshops are back! Workshops will be free to attendees on a first come, first served basis, on-site at DEF CON 24.

WHEN: Thursday 10:00-14:00 and 15:00-19:00; Friday & Saturday 10:00-14:00 and 14:00-18:00
WHERE: The 3rd floor of Bally's South tower, The Jubilee Tower. Las Vegas Ballrooms 1-7.
WHAT: Schedule and Descriptions below.


Workshops are free, first come, first served, and seats will fill up fast!

To register for a workshop, you will need to go to the Bally's side in front of the cafe arcade on Thursday between 07:00 and 15:00. We will have goons to pre-register you for the workshop(s) of your choosing.

If the workshop that you want has filled up before you got there, don't worry! Just like last year, if you come to the workshop area early the day of, you can wait in the standby line. If a seat opens up, it will be made available to the first person waiting to claim it.

Please Note: You will be issued a workshop "pass". It will be required for class admission. If you lose it we can't help you; your seat will be made available to those in standby.










Workshop Details:

Intro to Memory Forensics With Volatility

Miguel Antonio Guirao Aguilera Security Consultant, Futura - Open Solutions

Introduction to Memory Forensics with Volatility is a workshop for those who do not have a clue about forensics, memory forensics or the Volatility Framework. In order to get the most out of this workshop, you should feel comfortable using the command line interface (either Linux or Mac). In order to get a preview of the tool we will be using, visit

In this workshop, you will learn about memory forensics and how this is performed with one of the best open source frameworks for memory forensics, The Volatility Framework. You will learn how to analyze a memory image or dump, and look for artifacts that enable you, the forensics analyst, to rebuild the digital crime scene and to answer questions as to why, how and when.

You will learn to:

  • Identify rogue processes in memory, maybe from malware or backdoors.
  • Get details about these processes. When they were started, by whom, additional info.
  • Network connections. From where, at what time, what they launched, etc.
  • Files opened. With which user, link them with processes.
  • Find out the command history, in either Linux or Windows.
  • Check for Signs of a Rootkit
  • Analyze Process DLLs and Handles
  • Dump Suspicious Processes and Drivers

Miguel Guirao (aka Chicolinux) has been in the information security industry for around ten years. He is a freelance consultant at Futura - Open Solutions, where he has also been training professionals in Linux Management, Information Security and Programming. He has also been a professor since 2009 at the Anahuac Mayab University, where he teaches at the School of CS Engineering and at the School of Multimedia Design. He teaches Information Security in the Master of Information Technology Management.

Max Class Size: 55
Prerequisites for students: Students must feel comfortable using the CLI (Command Line Interface). Knowledge of the basic commands in Linux, like ls, cd, relative & absolute path, ps, and so on.
Materials or Equipment students will need to bring to participate: Although the Volatility tool is also available for the Windows OS, in order to get its full power we will be using GNU/Linux/UNIX, so either install it on your laptop or create a VM with your favorite virtualization software. Volatility requires Python, so in order to save time and get into what really matters, come with your OS fully loaded with the tool and all its prerequisites. More info at

Ninja level Infrastructure Monitoring: Defensive approach to Security Monitoring & Automation

Madhu Akula Automation Security Ninja, Appsecco

Riyaz Walikar Chief Offensive Security Officer, Appsecco

For most network engineers who monitor the perimeter for malicious content, it is very important to respond to an imminent threat originating from outside the boundaries of their network. Having to crunch through all the logs that the various devices (firewalls, routers, security appliances etc.) spit out, correlating that data and making the right choices in real time can prove to be a nightmare, even with the solutions already available in the market.

As I have experienced this myself, as part of the Internal DevOps and Incident Response Teams, in several cases, I would want to create a space for interested folks to design, build, customize and deploy their very own FOSS based centralized visual attack monitoring dashboard. This setup would be able to perform real time analysis using the trusted ELK stack and visually denote what popular attack hotspots exist on a network.

Madhu Akula is an Automation Security Ninja at Appsecco, a company that specializes in Web Application Security. His primary interests lie with application & cloud security, DevOps and Automation. He is a security and DevOps researcher with over 3+ years of experience in the industry. He has expertise in building scalable and secure infrastructure. He has implemented security solutions and worked with different clients across Govt, E-Commerce and IT industries.

His research has been selected for ToorCon, DefCamp, SkydogCon, NoloCon, etc. in the past. He has been a keynote speaker for the National Cyber Security conference in Dayananda Sagar College conducted by CompTIA.

Madhu Akula is also an active member with Bugcrowd, Hackerone, Synack etc. He has found vulnerabilities in open source products/platforms such as WordPress, Ntop, Opendocman etc. and is also a contributing bug hunter with Code Vigilant (a project to Secure Open Source Software). His research has identified many vulnerabilities in over 200 organizations including US Department of Homeland Security, Google, Microsoft, Yahoo, Adobe, LinkedIn, eBay, AT&T, Blackberry, Cisco, Barracuda etc.

Riyaz Walikar is the Chief Offensive Security Officer at Appsecco, a company that specializes in Web Application Security. His primary interests lie with application security, penetration testing and security evangelism. He is a security evangelist, offensive security expert and researcher with over 9 years of experience in the Internet and web application security industry. He has many years of experience providing web application security assessments, has led penetration testing engagements in many countries and performed numerous onsite reviews on infrastructure and system security.

He also leads the Bangalore chapters of OWASP and the null community, actively encouraging participation and mentoring newcomers in the industry.

Riyaz is also a frequent speaker at security events and conferences around the world including BlackHat, nullcon, c0c0n, xorconf, OWASP AppsecUSA.

He also dabbles in vulnerability research and has found bugs with several popular online services of major companies including Facebook, Twitter, Google, Cisco, Symantec, Mozilla, PayPal, and eBay.

Max Class Size: 55
Prerequisites for students: Comfortable with basic Linux commands
Materials or Equipment students will need to bring to participate: Students will need a laptop with admin privileges and at least 20GB of free space for virtual machines (students will need VirtualBox installed)

Embedded system design: from electronics to microkernel development

Rodrigo Maximiano Antunes de Almeida Professor, Federal University of Itajubá

The workshop consists of an introduction to embedded systems design. We'll start by building a simple electronic embedded system design. This will be used as the target platform. Later I intend to talk about the low level side of the C language, such as bit fields, arrays and bitwise operations, pointers to fixed memory addresses/registers, how to access the microcontroller peripherals etc. These will be the base to develop a full embedded microkernel using ISO-C without the standard libraries. Attendees will have a better understanding of the electronics-programming relationship and how these questions can impact kernel development. They'll also get a deep knowledge of the kernel's basic functions (process scheduling, i/o driver controller etc).

Rodrigo is a professor at Federal University of Itajubá. He has 9 years working with embedded systems, developing projects both in home and electro-medical appliances. He currently teaches classes on electronics, microcontrollers and embedded operating systems to electronic engineering students. His research includes topics on hardware development, RTOS security and embedded systems usability. Rodrigo has presented at DEF CON, ESC and BSides conferences, mostly talking about embedded development and related security issues.

Max Class Size: 40
Prerequisites for students: Basic/Intermediate C programming knowledge
Materials or Equipment students will need to bring to participate: Just laptops. The electronic material will be provided by me to everyone.

Windows Breakout and Privilege Escalation Workshop

Ruben Boonen Lead Security Consultant, Context Information Security

Francesco Mifsud Security Consultant, Context Information Security

This workshop, available to attendees of all levels, will provide the required knowledge to perform post-exploitation actions on locked down Windows machines. Tools, tips and techniques will be shared to break out of restrictive execution environments and escalate privileges from low level user to SYSTEM on modern Windows operating systems. Contrary to common perception, Windows machines can be really well locked down if they are configured with care. As such attackers will need to dig deep in order to break out of restrictive environments and escalate privileges.

The breakout portion of the workshop will cover fundamental techniques required to get a shell on applications which are deployed through Terminal Services and Citrix or in environments which have been locked down through Software Restriction Policies (SRPs) and Group Policy. Topics covered will include:

  • Abusing intended application functionality
  • Bypassing folder path / type restrictions
  • File protocol handlers
  • Evading black / white lists.

The Windows privilege escalation portion of the workshop aims to provide attendees with a solid understanding of the various steps required to escalate privileges from low level users to SYSTEM level privileges. Automated tools, such as meterpreter's "getsystem", have their place in this process; however, reliance on automation breeds weakness. Topics covered will include:

  • Enumeration of the target machine
  • Identification of common and uncommon configuration weaknesses
  • Permission analysis
  • Analysis of Windows privilege escalation vulnerabilities

Both portions of the workshop will have real-world examples that attendees can get their hands dirty with in order to solidify the theory. This workshop aims to provide hands-on knowledge which can be directly applied against locked down environments in the field. After taking this workshop you should always hide your smile when someone brags there is no way to compromise their locked down system!

My name is Ruben Boonen (sometimes known as b33f). I have been working in InfoSec since 2012, one year as part of the Offensive Security team, assisting students from around the world as they worked through Offsec's various certifications and a further three years as a security consultant. I have a well-rounded skill set, having taken on many web application, infrastructure and bespoke engagements. I have, however, developed a special interest for Windows exploitation: Domain hacking, exploit development, client-side attacks, restricted environments, privilege escalation, persistence and post-exploitation.

Not only do I enjoy breaking things but I also take great pleasure in helping others understand and replicate the attacker's methodology. I was previously an assistant trainer for Offensive Security's Advanced Windows Exploitation course at Black Hat. Since 2011 I have also been maintaining an InfoSec blog to share interesting research with a wider audience.

My name is Francesco Mifsud. I'm relatively new to the InfoSec Industry but I've spent my fair share of sleepless nights staring at debuggers and ASM. I've been working at Context Information Security for the past couple of years as a security consultant: Web applications, infrastructure jobs, mobile engagements, anything the company throws at me.

During my research on exploit-development I have realized that a lot of material is out there on how to get a shell on the box, but not much on how to proceed afterwards. What happens if you don't get Admin or Root? If the obtained shell is severely restricted can you really say you have successfully compromised a machine? Due to this, I have developed an interest in post-exploitation, namely Breakouts and Privilege Escalation. I have come a long way since then (or that's what I like to believe) and now it's time to pass this knowledge on to others!

Max Class Size: 55
Prerequisites for students: There are no special requirements to attend the workshop, everyone is welcome and can benefit from the theoretical parts covered in each section.
Materials or Equipment students will need to bring to participate: To participate in the hands-on portions, attendees will need to bring a laptop with 1GB RAM (2GB recommended) which can be dedicated to a Virtual Machine. Both VMware Player and VirtualBox can be downloaded for free.

We strongly recommend attendees download a free "Windows 10" evaluation version and bring it with them to the workshop. A pre-made 90-day trial image (VMWare/VirtualBox/Hyper-V) can be obtained from the following URL:

Exploit Development for Beginners

Sam Bowne Professor, City College San Francisco

Dylan James Smith

This workshop helps participants move beyond using attacks others have developed to understanding how programs work at the binary level and how to exploit their weaknesses. With these techniques, you can find new vulnerabilities and write proof-of-concept attack code, compete in cyber competitions, or earn bug bounties.

All materials, projects, and challenges are freely available at

Sam Bowne has been teaching computer networking and security classes at City College San Francisco since 2000. He has given talks and hands-on trainings at DEF CON, HOPE, B-Sides SF, B-Sides LV, and many other cons. He has a PhD and a CISSP and a lot of T-shirts.

Dylan James Smith assisted Sam Bowne with hands-on workshops last year at DEF CON and B-Sides LV. He's a Mac guru and skilled at fixing PC's, Linux problems, and network problems too.

Max Class Size: 55
Prerequisites for students: Familiarity with C, Python, and assembly code is helpful but not required.
Materials or Equipment students will need to bring to participate: Participants need a computer with Kali Linux running, either in a virtual machine or locally. I will have a few loaner computers for students who don't have a usable computer.

Hands-on Cryptography with Python

Sam Bowne Professor, City College San Francisco

Dylan James Smith

Learn essential concepts of cryptography as it is used on the modern Internet, including hashing, symmetric encryption, and asymmetric encryption. Then perform hands-on projects calculating hashes and encrypting secrets with RSA and AES, and compete to solve challenges including cracking Windows and Linux password hashes, short and poorly-chosen RSA public keys, and poorly-chosen AES keys.

All materials, projects, and challenges are freely available at

Sam Bowne has been teaching computer networking and security classes at City College San Francisco since 2000. He has given talks and hands-on trainings at DEF CON, HOPE, B-Sides SF, B-Sides LV, and many other cons. He has a PhD and a CISSP and a lot of T-shirts.

Dylan James Smith assisted Sam Bowne with hands-on workshops last year at DEF CON and B-Sides LV. He's a Mac guru and skilled at fixing PC's, Linux problems, and network problems too.

Max Class Size: 55
Prerequisites for students: None
Materials or Equipment students will need to bring to participate: Students need to bring a computer that can run Python; any version of Mac, Windows, or Linux will be fine. I will have a few loaner computers for students who don't have a usable computer.

Advanced Blind SQL Injection Exploitation

David Caissy Web App Penetration Tester, Albero Solutions Inc.

SQL Injection (SQLi) vulnerabilities are the most common injection flaws found in web applications today, ranking number one in the OWASP Top 10 most critical web application security risks. When an attacker is able to find and exploit such a vulnerability, the end result is often disastrous: complete database downloaded, application backdoor created or even remote code execution. Suffice it to say that penetration testers need to find these vulnerabilities before the bad guys do.

But vulnerability scanners and automated exploitation tools like sqlmap can only do so much when it comes to finding and exploiting SQLi vulnerabilities. While they do a good job for regular or error-based SQLi vulnerabilities, their success rate lowers drastically when blind SQLi is encountered, especially when time-based attacks are required. And if you need to be quiet on the network, most tools are just insanely noisy…

This course is designed to help penetration testers who have been using these tools to get to the next level, where finding and exploiting SQLi is no longer easy. When only a browser and notepad are available to you or when being quiet is critical, you will be glad you know this stuff.

  1. SQL crash course for hackers (15 min)
  2. Error-based SQL Injection (1h 15min)
    • Bypassing login (demo)
    • UNION exploitation techniques (exercise)
  3. Blind SQL Injection (2h 30min)
    • Splitting and Balancing
    • Boolean exploitation techniques (exercise)
    • Time-based exploitation techniques (exercise)

Bonus exercise: Exploiting error-based SQLi and blind SQLi using sqlmap

David Caissy, M. Sc., OSCP, GWAPT, GPEN, GSEC, CISSP, CEH is a web application penetration tester with in-depth developer and IT Security background spanning over 16 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other teaching engagements. He has worked for a central bank, the Department of National Defense, various government agencies and private companies. David has been teaching web application security in colleges, conferences and for many government agencies over the last 15 years.

Max Class Size: 55
Prerequisites for students: This course is for penetration testers who have used sqlmap and other automated tools before, but now want to go to the next level. Basic knowledge of the SQL language is required as well as a basic understanding of error-based SQL injection techniques.
Materials or Equipment students will need to bring to participate: Participants need to bring a laptop with VMWare Workstation/Player/Fusion or VirtualBox pre-installed. I will give them a virtual machine containing a vulnerable web application where they will be able to do the exercises.

Nmap NSE development for offense and defense

Paulino Calderon Co-founder, Websec

Tom Sellers Security Researcher

This workshop will teach participants how to use the Nmap Scripting Engine (NSE) to extend the power and capabilities of Nmap. It will cover the basics of Nmap usage, NSE, and the Lua programming language before diving into how to solve problems by writing custom scripts. By the end of the workshop you will have in-depth knowledge of the Nmap Scripting Engine and how to develop scripts for offensive and defensive tasks. Participants will be provided with a virtual machine that they can use during the training.

Paulino Calderon (@calderpwn) has been in Information Security for more than 10 years. He is the co-founder of Websec, a company offering information security consulting services based in Mexico and Canada. He loves learning new technologies, conducting big data experiments, and developing and destroying software.

In 2011 Paulino joined the Nmap team during the program Google Summer of Code to work on the project as an NSE developer. He focused on improving the web scanning capabilities of Nmap and has kept on contributing to the project since then. He has also published ‘Nmap 6: Network Exploration and Security Auditing Cookbook’ and ‘Mastering the Nmap Scripting Engine’ covering practical tasks with Nmap and NSE development. He loves attending information security conferences and has given talks and workshops in over 20 events in Canada, United States, Mexico, Colombia, Peru and Bolivia.

Tom Sellers (@TomSellers) is a Security Researcher in the Rapid7 Labs team. He has spent 20 years in IT, 10 of which in InfoSec. He has been responsible for defensive Information Security for companies in the finance, service provider, and security software industries. He started contributing to Nmap in 2007 with his contributions primarily focusing on service and operating system detection. He has also contributed multiple modules to the Metasploit Project.

Max Class Size: 35
Prerequisites for students: Participants should be familiar with basic TCP/IP networking, general security concepts, and basic Nmap usage. Previous programming experience would be helpful but isn’t required.
Materials or Equipment students will need to bring to participate: Participants will need a computer with VMware Player, VMware Fusion, or VirtualBox. USB thumbdrives with the target virtual machine images will be available.

Raspberry Pi and Kali Deluxe Spy workshop

Dallas Security Researcher

Sean Satterlee (ohm)

EventBrite Link: Required for Tickets and/or buying kits:

Back by popular demand. This year will be a tight 4 hour run through of lots of great information. There will be 2 classes (both the same) of 4 hours each – so pick the best one for you. This class is appropriate for ages 15 and above who want to learn more about Raspberry Pi hardware and the Kali security framework. Kali is a combination of operating system and hacker security tools used for security testing (spying as well). If you choose the kit, you will leave with an excellent starting point for hardware, robotics, spying, and security fun. Space is limited, so sign up quickly.

Cutoff is July 15-ish for kits. We will also be inviting guest speakers / hardware village / vendors (if available) to drop by and say hello during class who are key to the Raspberry Pi / Maker movement and Kali / Metasploit frameworks. You never know what new release or feature might show up. A Laptop is required. See sign-up information below for more information of pre-installed tools needed. We will also email this out to registered guests as well. In four hours we will cover the Raspberry Pi including:

  • History / hardware in kit
  • Installing the OS
  • Python Programming (Intro, Hello World, Hardware Interfacing options)
  • Controlling LED’s (Light up LED, Loops, timer)
  • Controlling Multi Color Led Strips (1000’s of colors) – Different type of LED
  • Distance and Motion Sensors (detecting motion / Distance) – Interface a sensor
  • Sensors (Advanced)
  • Controlling Relays (Controlling real world objects, motors, lights)
  • Interfacing to the outside world
  • Updating components of the OS
  • Introduction to Kali (Pen testing platform)
  • Updating Kali OS / Components
  • Kali command set tools on the Rpi
  • Using tools to spy on your target
  • Modules to install on Kali (discussion of Metasploit)
  • Networking (Discovery / Setup)
  • Wireless Networking
  • Social Media Spying
  • Sniffing Wi-fi and setting up multiple adapters
  • Penetration testing overview and discussion
  • Uses for Physical Security
  • Discussion of the Role of Rpi and Kali / Security
  • Discussion and kits provided for Kali also on your PC (Distro)
  • Optional (camera and vision)

We will have options for people who want to bring their own or just buy a kit. Keep in mind, if you bring your own and don't bring everything - it may not work. We won't have time to work around your specific configuration. This workshop is free; however, you need a ticket and a DEF CON badge to attend. The kits are not free. If something goes wrong and the conference is cancelled, then you will get the kit and documentation. If something bad happens during the workshop (lose power, kicked out, no wifi, whatever) - sorry, it's free (the workshop), but you will still have the kit if you bought that type of kit.

KIT OVERVIEW: (Not Complete listing)

  • Raspberry Pi 3
  • Case
  • Power Supply(2.5amp)
  • Display Screen (working on largest 5-7") - HDMI or Ribbon Based
  • Potential Display Powersupply and Cable (pending)
  • Relays
  • Sensors (Distance and Motion)
  • Bread Board
  • Jumper Wires (Matched to work with sensors and such)
  • MicroSD Card (OS)
  • MicroSD Card (Kali)
  • Additional Wi-fi Adapter (beyond the one included)
  • Keyboard w/ Touchpad
  • Power Strip (At least 3 outlet)
  • LEDs (Usual 2 wire type)
  • Resistors
  • Motor
  • Buttons
  • LED Strip
  • Arduino (Yep you get one of these as well)
  • Camera (Optional - see ticket add-on)

NOTE: We price the kit based on Electronics resellers such as MTM, Amazon, AdaFruit and trusted shipping companies in the US for bulk pricing. We are working on getting as large an LCD screen and other features as possible. If we get a good discount, you can expect more in your kit (surprise) and maybe some cash to roll at the tables. We won't know quantity until late June, then expected ship times until very late June (i.e. right before DEF CON). If we need to priority ship something, that costs more money. We price the kits to be standard, cost effective, and do not try to make money. Our main goal is to make them as standard as possible for the class to go smoothly in the time allowed, and ensure everything works together. Nothing's worse than getting everything in the kit but, say, the keyboard or the display, so we have to hedge our bets. Based on previous workshops, people wanted to pay more for a larger screen vs a small 4-inch screen. People wanted to have options (such as camera or cool LED strip) included vs parting it out [i.e. a new person didn’t know what the camera or other items are used for]. When we get the exact parts list (models and pn) we will list it here for someone bringing their own. Previous workshops have shown bring your own did not generally work out very well (takes more time to get yours to work vs ours) - with a few exceptions.


LAPTOP (Recommend Windows 7 or Higher) with Wifi and Network ports
Suggest an extra power cord and outlet strip (not required, but we never know what the hotel will provide). We do a good job planning around this, but just in case.

OTHER Information:

If you buy a workshop BYOS ticket (i.e. you are bringing your own stuff), make sure you bring your own stuff. Anyone who does not have their gear will be asked to stand and make room for other people's laptops and Raspberry Pi kits. The cost on this ticket is only for the SD Cards to go through the workshop. We won't have a complete list of what to bring until mid/late July. Watch this space for more info on what to order/bring.

If you get the Free workshop ticket, then you will be asked to stand to make room for other attendees who bring their laptop and kits. If there is room, then a seat may be made available. We cannot guarantee seating for people who attend without a kit (just to watch) due to the space constraints in the room. However you can download the presentation after the conference.

Dallas is a presenter at DEF CON, going on for his 13th year for DEF CON 24. Volunteering as a Goon for the last 9 years, and generally found on the floor Friday – Sunday. He has presented at DEF CON, MakerFaire SF, Government Security workshops, the Internet Warfare Summit, and other training and security venues. When not at DEF CON he is involved in his local Makerspace, robotics and Red Dirt Hackers. Professionally (and occasionally for fun) Dallas works as a security sort of guy for a company that wishes to remain nameless spending most of his time in the true Midwest. He travels internationally, does consulting, volunteers for stuff, does other stuff and likes to help people. Sometimes when the moon is just right, his partner in crime “OHM” will join him for training, which often leads to all sorts of interesting knowledge, sometimes helpful. He has some certifications, and other awards and crap, none of which he thinks you would care about. But if you need some help or a point in the right direction, stop by and say hello.

Sean Satterlee (ohm) - current record holder for longest RFID hack. Founding Member of the DC405 and is an internal red teamer for a UK based investment firm. He has previously been a member of bastardlabs and snosoft. Currently lounging with the red.dirt.hackers and occasionally hanging out at the range.

Max Class Size: 40
Prerequisites for students: Being able to read, light programming and a basic understanding of networking. This will cater to all levels, no matter what most people will learn something from the class. If you are in security now, you will pick up new tricks with hardware and Kali, if you are just getting into security we will fill your head. If you are at DEF CON you have the pre-req out of the way.
Materials or Equipment students will need to bring to participate: There is a requirement for hardware. We offer a kit at cost, or the option to bring your own.

Introduction to x86 disassembly

Dazzle Cat Duo Security Engineers

Jumping into the world of disassembly can be incredibly intimidating and quite painful. This talk aims to introduce disassembly by walking through how to recognize basic logic flows and data structures in assembly. We’ll look at locating common flow controllers such as if/else/loops/switch cases, as well as memory access and data structures. The talk will specifically address static disassembly using IDA, looking at C compiled to x86_32, but the principles can be applied to any other language and assembly architecture. x86 is one of the most common assembly architectures, and incredibly useful for security engineers to understand. x86 is the assembly architecture running almost all Mac, Windows, and Linux computers.

The Dazzle Cat Duo are both security engineers who specialize in x86. In addition, both serve as adjunct faculty members where they teach C and x86.

Max Class Size: 55
Prerequisites for students: Students must have a basic coding knowledge, and understand what if/else/loops/switches logically do, in any coding language.
Materials or Equipment students will need to bring to participate: Please bring a laptop with VirtualBox (latest version) and at least 20 gigs of free disk space. VMs with examples and tools will be distributed in class via USB sticks.

The in’s and out’s of Steganography

Chuck Easttom Computer Scientist

The class will start with an overview of basic steganography and a history. Now this part is probably common knowledge to many attendees. But then we will delve into specific tools including hiding data in wav files. We will also explore forensic techniques to detect steganography. Then we will look at cutting edge new steganography techniques. One of my 6 patents is for distributed steganography so that will be one of the new techniques we will explore. Finally, the training will culminate with reviewing actual source code that does steganography. Attendees will get the working source code to take with them. The idea is to start with basics that probably over 3/4 of attendees know and then move deeper into topics most people don’t know. That way everyone can benefit from the workshop, both novices and experts.

Chuck Easttom has been in the IT industry for over 25 years and training for over 15. He has 2 masters degrees and holds 40 industry certifications. He is the author of 20 computer science books and inventor with 7 patented inventions (including a steganography invention). He travels around the world teaching computer security and speaking on security related topics. He has conducted computer security training for a wide range of law enforcement officers, various companies, and a variety of government agencies from around the world.

Max Class Size: 55
Prerequisites for students: None
Materials or Equipment students will need to bring to participate: If they bring a laptop they can do hands on.

C/C++ Boot Camp for Hackers

Eijah Founder, demonsaw

The C/C++ programming language is one of the most important programming languages ever created. Ever since Dennis Ritchie invented the language and Bjarne Stroustrup added object-oriented capabilities to it, C/C++ has been the standard by which all other languages are judged. C/C++ is considered the lingua franca of UNIX, Linux, BSD, and Windows as well as many software toolsets including GNU, Aircrack-ng, and the GCC compiler. And not only that, but C/C++ has influenced many other languages including C#, Java, Perl, PHP, and Python.

As hackers, we sometimes have to write code. And while there are more modern and higher-level languages available, C/C++ still plays a strong and prominent role in the hacking world due to its close ties to Linux and BSD. Whether we're writing shell scripts, Python programs, PHP websites, contributing to a FOSS project, reverse engineering a binary, or rebuilding/patching the OS kernel, having a familiarity with C/C++ gives us a tremendous advantage and adds a powerful tool to our hacker arsenal.

This workshop is a C/C++ boot camp for hackers. It's an intense hands-on experience designed to get you up-to-speed with the most important parts of the C/C++ programming language using the GCC/G++ compiler. You'll learn about variables, functions, pointers, operators, classes, libraries, threads, templates, data structures, algorithms, exception handling, memory management, and design patterns. Whether you're a professional programmer, find yourself a little rusty and simply want a refresher course, or even if you've never programmed in C/C++ before, this workshop is for you.

Please note that this is an intermediate-level, technical workshop and requires that attendees have prior experience in at least one programming language. Bring your laptop, a USB flash drive, and your favorite C/C++ 11 compiler (>= gcc/g++ 4.7 or msvc 2013).

Eijah is the founder of demonsaw, a secure and anonymous information sharing program. For the last 5 years he was also a Senior Programmer at Rockstar Games where he worked on Grand Theft Auto V for PS3, Xbox 360, PS4, Xbox One, and PC. Eijah has over 15 years of software development and IT Security experience. His career has covered a broad range of Internet and mid-range technologies, core security, and system architecture. Eijah has been a faculty member at multiple colleges, has spoken about security and development at DEF CON and Hack Miami conferences, and holds a master’s degree in Computer Science. Eijah is an active member of the hacking community and is an avid proponent of Internet freedom.

Max Class Size: 55
Prerequisites for students: Previous experience in at least one programming language is required, although it doesn't have to be in C/C++.
Materials or Equipment students will need to bring to participate: Laptop with Windows, Linux, or OSX. USB flash drive for saving their progress.

Operation Dark Tangent: The DEF CON Messaging Protocol (DCMP)

Eijah Founder, demonsaw

The war with the Machines has been brutal. We've suffered so many casualties. And now we're weak, and the Machines know it. New D.C. is the last remaining human stronghold. Right now the Machines are preparing for one final assault that, if successful, will mean the end of all humanity. But it gets even worse. We've just received word that our leader, the Dark Tangent, has been captured. Without him we'll be unable to defend ourselves or mount a counter strike.

Your mission is to lead a group of brave hackers to rescue the Dark Tangent. But before you can do that you'll need to work together to devise a secure messaging protocol that the Machines won't be able to break. This secure protocol is vital so that the troops can communicate in secret during the operation without the Machines figuring out what we're doing. It's all up to you now. Do you have what it takes to defeat the Machines? Will you save us all?

This is a completely different kind of workshop. I'll present a very specific infiltration scenario with attack vectors that we can expect the Machines to use, e.g. session hijacking, message poisoning, replay and MITM attacks, etc. As a group we'll then work through our mission objectives and design a messaging protocol that will allow us to communicate securely. Finally, we'll implement the protocol in C++ and use it to communicate with each other in real-time. If everything works as expected we'll be able to defeat the Machines and rescue the Dark Tangent. If not… then all of humanity is lost.

Please note that this is an intermediate-level, technical workshop and requires that attendees have a strong working knowledge of C/C++. Bring your laptop, a USB flash drive, and your favorite C/C++ 11 compiler (>= gcc/g++ 4.7 or msvc 2013).

Eijah is the founder of demonsaw, a secure and anonymous information sharing program. For the last 5 years he was also a Senior Programmer at Rockstar Games where he worked on Grand Theft Auto V for PS3, Xbox 360, PS4, Xbox One, and PC. Eijah has over 15 years of software development and IT Security experience. His career has covered a broad range of Internet and mid-range technologies, core security, and system architecture. Eijah has been a faculty member at multiple colleges, has spoken about security and development at DEF CON and Hack Miami conferences, and holds a master’s degree in Computer Science. Eijah is an active member of the hacking community and is an avid proponent of Internet freedom.

Max Class Size: 55
Prerequisites for students: Previous experience in C/C++ is required along with at least a basic understanding of cryptographic fundamentals.
Materials or Equipment students will need to bring to participate: Laptop with Windows, Linux, or OSX. USB flash drive for saving their progress.

XSS Remediation: All the questions you were wise enough to ask, but your security team is too afraid to answer

Mike Fauzy President & Principal Consultant, FauzyLogic LLC

Fixing XSS is much harder than the generic recommendation lets on. They say "validate inputs and encode outputs." Great. Thanks. What should be allowed in? What should be encoded? What shouldn't? What is canonicalization? What packages can help me? These aren't easy questions to answer and most people get the complicated cases wrong. The OWASP XSS Cheat Sheet lists 8 rules, a sub rule, a reference to more rules, and (I kid you not) 4 "bonus rules." Yet it barely touches nested contexts or the different validating and encoding options out there.

You will leave this class understanding how to approach complex XSS remediation scenarios.

This will be a very technical class, so a basic understanding of what XSS is as well as basic HTML, Java, and JSP syntax is highly recommended, but not absolutely required.

Mike Fauzy has been writing and hacking web applications for 17 years. Most of his work has been in the financial, healthcare, manufacturing and government sectors. He has helped write OWASP ESAPI, as well as minor contributions to Scrubbr, JavaSnoop, and other web app security projects. Experience in hacking contests includes taking second at the AppSecEU CTF, and winning Hack Fortress at DEF CON and ShmooCon as part of team Jolly And Friends a couple of times. His day job is building/expanding web application security teams.

Max Class Size: 55
Prerequisites for students: Experience developing Java web applications using JSP is highly recommended, but not absolutely necessary.
Materials or Equipment students will need to bring to participate: None

Applied Physical Attacks on Embedded Systems, Introductory Version

Joe FitzPatrick Instructor & Researcher, SecuringHardware

This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide attendees through the process of understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

Joe (@securelyfitz) is an Instructor and Researcher at SecuringHardware. Joe has spent over a decade working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He has spent the past 5 years developing and leading hardware security related training, instructing hundreds of security researchers, pen testers, and hardware validators worldwide. When not teaching Applied Physical Attacks on x86 or Embedded Systems, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.

Max Class Size: 48
Prerequisites for students: No hardware or electrical background is required. Computer architecture knowledge, Linux command-line familiarity, and low-level programming experience helpful but not required.
Materials or Equipment students will need to bring to participate: All equipment, including laptops, will be provided for use in the class. Students will be provided with a lab manual that includes an equipment list of all materials used for the class.

iOS Forensics

Prateek Gianchandani Security Researcher

This course will share the tools & techniques needed to perform forensic acquisition and analysis of iOS devices. We will start with explaining the iOS security model and the iOS file system. We will look at the directory structure of iOS devices and understand the locations where certain data is stored. We will then provide techniques to extract data from iCloud and iTunes backups, brute forcing encrypted backups, and subsequently analyzing the data in them. Some physical acquisition techniques will also be discussed. We will conclude with a brief walkthrough on reverse engineering iOS applications for malicious behaviour. In this course, we will demonstrate use of both commercial and open source tools used in real world situations.

Prateek Gianchandani, an OWASP member and contributor, has been working in the infosec industry for about 5 years. During his five years, he has performed a number of penetration tests on mobile and web applications and even developed a lot of applications for the App Store. His core focus area is iOS application pentesting and exploitation. He is also the author of the open source vulnerable application named Damn Vulnerable iOS app. He has presented and trained at conferences like DEF CON, Black Hat USA, BruCON, Hack in Paris, PHDays, etc.

Max Class Size: 55
Prerequisites for students: None
Materials or Equipment students will need to bring to participate: TBD

Vulnerability Assessment & Exploitation of Crypto-Systems : A Bottom up Approach

Ajit Hatti Security Researcher

This is a unique workshop on "Vulnerability Assessment & Exploitation of Crypto-Systems". In this course, instead of taking the regular flaws in crypto-implementations or popular attacks from the past, we will take a holistic approach. We will build a strong understanding of the crypto-subsystems, their inherent security issues and how to discover, exploit and remediate them, all in Flat-4-Hours.

This workshop takes the participants to the next level of practical crypto-assessment and exploitation. With deeper understanding of crypto-systems, plenty of hands-on vulnerability assessments and exploitation using OpenSSL, open source tools and my custom scripts, participants will learn the important concepts which they can apply in real world RedTeam Pentesting or BlueTeam Defending, assessments & audits of crypto implementations.

The workshop starts with a dive into the crypto systems present on the participant’s own (virtual) machine. Taking a bottom up approach, we start from Hardware Modules, Firmware, Crypto-Libraries, Network services & we will go all the way up to applications, trust/key stores, understanding the role of each layer in cryptography, test for quality + vulnerabilities and exploit them.

Some of the unique modules covered in the workshop are testing the quality of numbers generated from RNGs & PRNGs from various sources, extracting prime numbers from the Private keys, DH parameters, Secret keys and testing for backdoors (Number Fixation), quality of randomness, Safety parameters (like the Sophie Germain test). And as we go upwards we will search and steal the insecure keys for network hopping like APT/malwares, pin rogue certificates, bypass HSTS checks to steal cookies, exploit certificate switching, look for seeds used in PRNG functions, re-usage of keys and flaws in SCEP implementations. And we top it up with the popular named attacks from HEARTBLEED to LOGJAM and other popular CVEs.

I will be sharing numerous scripts written by me and open source tools which participants can use to test or automate the assessment of their own crypto-systems.

Workshop is best suited for pen-testers, developers, security engineers, auditors, compliance consultants in general but a must for those who deal with products or services involving cryptography and PKI implementations. The contents + flow of the workshop is well structured to accommodate participants from beginner to advanced level of competence.

Ajit is a founder of "SECURITY MONX" & author of LAMMA project, an Open Source Initiative to - improve security of Crypto Implementations & - better consume Cyber Threat Intelligence, which also is his primary area of research.

Currently Ajit is Principal consultant (Cryptography & System Security) with Payatu Technologies. He has worked as a Security Researcher with Symantec, Emerson, IBM, Bluelane Technologies in the past & has presented his research at BlackHat, Defcon-CnPV & Nullcon.

Ajit is also a co-founder of "null Open Security Community", a hardcore volunteer and contributor through the community efforts of Null, Nullcon, & BSidesLV. Ajit is also a Marathon Runner and Organizes "World Run By Hackers" during these conferences.

Max Class Size: 55
Prerequisites for students:

  • Basic understanding of Cryptographic schemes.
  • High level Knowledge of application, system security.
  • Basic understanding of Encryption, Hashing schemes, Digital Certificates.

Materials or Equipment students will need to bring to participate: Laptop with OpenSSL installed

Ready? Your Network is Being Pwned NOW!

Robin Jackson Senior Partner, WT Forensics

Ed Williams Senior Partner, WT Forensics

Students will experience four hours of simulated incident response. From alerting on the first malware detection on a workstation, to finding the lateral movement and web shells that actors quickly place to maintain access, users will get to experience the thought processes and tools used in an incident response scenario in a relaxed environment that will let them learn to think and react while a network is under attack. The scenario incorporates many of the Tools, Techniques and Processes used by advanced attackers today.

Robin Jackson and Ed Williams are Senior Partners of WT Forensics. Robin is also a Security Researcher for HPE Field Intelligence and Ed is a Senior Incident Responder for HPE Digital Investigation Services.

The duo were the Defense Cyber Crime Center (DC3) Forensics competition overall US winners and EC-Council International EC Commerce winners in 2010. They have worked together at HPE to successfully thwart a myriad of attacks against customers.

Max Class Size: 55
Prerequisites for students: None
Materials or Equipment students will need to bring to participate: A laptop that can play a virtual machine.

Fuzzing Android Devices

Anto Joseph Security Engineer, Intel

Droid-FF is the very first Android fuzzing framework which helps researchers find memory corruption bugs written in C/C++. In this workshop, all you need to start fuzzing mobile devices is presented as a VM which is ready to go and easy to work with. You will get hands-on experience fuzzing real devices, finding bugs, tracing them back to source and triaging them for exploitability.

Anto Joseph is a Security Engineer for Intel. He is enthusiastic about mobile security and IoT. He is very passionate about research and is currently researching mobile malware. He has developed custom tools and fuzzers for helping in PTs and vulnerability research. He has been a speaker/trainer at various security conferences including BruCon, HackInParis, HITB Amsterdam, NullCon, GroundZero, c0c0n, XorConf, etc. and has good expertise in practical security.

Max Class Size: 55
Prerequisites for students: Familiar with Android / iOS eco-system
Materials or Equipment students will need to bring to participate: Good enough laptop to host two virtual machines in VirtualBox.

Analyzing Internet Attacks with Honeypots

Ioannis Koniaris Security Engineer

In the field of computer security, honeypots are systems aimed at deceiving malicious users or software that launch attacks against the servers and network infrastructure of various organizations. They can be deployed as protection mechanisms for an organization’s real systems, or as research units to study and analyze the methods employed by human hackers or malware. In this workshop we will outline the operation of two research honeypots, by manual deployment and testing in real time. A honeypot system will undertake the role of a web trap for attackers who target the SSH service in order to gain illegal server access. Another one will undertake the role of a malware collector, usually deployed by malware analysts and anti-virus companies to gather and securely store malicious binary samples. We will also talk about post-capturing activities and further analysis techniques. As an example, we will see how to index all the captured information in a search engine like Elasticsearch and then utilize ElastAlert, an easy-to-use framework to set up meaningful alerting. Lastly, visualization tools will be presented for the aforementioned systems, plus a honeypot bundle Linux distribution that contains pre-configured versions of the above tools and many more related utilities, which can make the deployment of honeypots in small or large networks an easy task.

Ioannis is an Information Security engineer and researcher, working to protect company assets, data and operations. His general interests are programming, security, development operations (DevOps) and cloud computing while his academic interests include honeypots, honeyclients, botnet tracking, malware analysis, intrusion detection and security visualization. Ioannis has released a number of utilities to aid information security professionals using honeypots. Some of them are Kippo-Graph, Honeyd-Viz and HoneyDrive; a self-contained honeypot bundle Linux distribution. These tools are used by numerous university researchers, various CERT teams worldwide and have also been included in the “Proactive detection of security incidents II – Honeypots” report by ENISA (European Union Agency for Network and Information Security).

Max Class Size: 55
Prerequisites for students: Setup of VirtualBox for their OS
Materials or Equipment students will need to bring to participate: Only their laptops.

Car Hacking Workshop

Robert Leale President, CanBusHack

KC Johnson Security Researcher

Introduction to connecting to Vehicle Networks. In the workshop we'll connect and send data to vehicle simulators and use scripts to fuzz messages. We will learn about vehicle systems and how they are connected.

Robert Leale is the President of CanBusHack, a company specializing in vehicle network reverse engineering. He currently runs the DEF CON Car Hacking Village and is the trainer for Black Hat's Car Hacking Hands-On.

Hey, KC Johnson is really good at car hacking, no really! I saw him hack a car so that its blinkers turned on. True Story. He can also connect things to cars, like, really fast. Also, he is like totally good at volleyball. OMG.

Max Class Size: 50
Prerequisites for students: None
Materials or Equipment students will need to bring to participate: A laptop with Windows

Pragmatic Cloud Security: Hands-On Turbocharged Edition

Rich Mogull (Crash) Analyst & CEO, Securosis

This workshop takes the very best of our Black Hat cloud security defensive training classes and crams them into a high-speed, 4-hour DEF CON session. If you work in cloud, or are just cloud-curious, we’ll get you up to speed on the latest and greatest practical techniques for securing Amazon Web Services. We are cutting out all the theory to focus exclusively on the technical implementation.

Before coming to the session you should know what AWS is and be able to launch and connect to an instance (we’ll provide instructions ahead of time just to be safe). You should also be comfortable with a Linux command line and basic scripting. That’s all you need walking in, but by the time you leave we will have shown you:

  • How to build complex AWS virtual networks with cross-account and VPC connectivity.
  • How to leverage auto scale groups for building immutable infrastructure. What’s that? Servers that are impossible to log into and replaced every few hours with 0 downtime.
  • Techniques for advanced IAM policies in AWS. For example, using tags or other conditionals for dynamic, fine-grained access.
  • Building serverless infrastructure for automating security. You can, and we sh*t you not, create actual self-healing infrastructure in AWS without any running servers.
  • Automation techniques to play with the AWS APIs like a boss. Sure, we’ll focus on the defensive side, but let’s just say you offensive types might pick up a thing or two.
  • How to build an automated deployment pipeline using Git, Jenkins, Packer, and Ansible to push new images to AWS. (We’ll use a scripted build for time, but you’ll see how it all pieces together).
  • If we have time, we’ll show you how to use Amazon’s Key Management Service to encrypt… everything. Plus cover how to make things subpoena proof, if you are into that sort of thing.

The focus of the workshop is on defense, and how to best use the tools in AWS for security. We can’t cover everything in four hours, so we will focus on the technical techniques you can use to most-quickly build up your skills.

Rich has twenty years of experience in information security, physical security, and risk management. He specializes in cloud security, data security, application security, emerging security technologies, and security management. He is also the principal course designer of the Cloud Security Alliance training class and actively works on developing hands-on cloud security techniques. Prior to founding Securosis, Rich was a Research Vice President at Gartner on the security team. Prior to his seven years at Gartner, Rich worked as an independent consultant, web application developer, software development manager at the University of Colorado, and systems and network administrator.


Rich is the Security Editor of TidBITS and a frequent contributor to publications ranging from Information Security Magazine to Macworld. He is a frequent industry speaker at events including the RSA Security Conference, Black Hat, and DEF CON, and has spoken on every continent except Antarctica (where he's happy to speak for free -- assuming travel is covered).

Max Class Size: 55
Prerequisites for students: Comfortable with some flavor of Linux and command lines. Ideally basic scripting skills in bash/python/and/or/ruby
Materials or Equipment students will need to bring to participate: Laptop or tablet that can connect to Amazon Web Services. An AWS account (labs will be mostly on the free tier, so total costs will be less than a beer). Ability to make SSH connections to arbitrary AWS instances. Instructions for setting up your account will be made available before the workshop.

Guaranteed Security

Vivek Notani PhD Student, University of Verona

Dr. Roberto Giacobazzi Senior Professor, University of Verona

Can you guarantee that the software you created does not contain any runtime errors or data races and would not be susceptible to buffer overflow or floating point errors? Can you create a program that can take any arbitrary program as an input and certify it as free from such errors or alert you of possible avenues of errors? Is such a thing even possible? Turns out, yes you can, or at least after this training you will be able to.

Recent advances in the field of formal program analysis have led to development of theories and tools that can, given a program as input, either guarantee absence of certain types of errors or raise alarms to alert of possible weaknesses in the given program. Sounds like black magic? The goal of this training is to de-mystify the science behind automated program analysis and build a solid foundation for attendees to start building their own tools that can automatically analyze and certify code correctness.

The workshop will cover the challenges in automated program analysis, what is possible and what is not possible, and why. We will focus on using Abstract Interpretation, a widely used formal framework, for describing sound by construction program analysis algorithms as approximations of semantics of the language. Finally, in the hands-on session, we will build our own code analyzer for a simple language that can analyze any program written in that language and issue certificates of correctness.

Vivek Notani is a PhD student at University of Verona, under Dr. Roberto Giacobazzi. Previously, Vivek used to work as a research scholar at University of Louisiana at Lafayette (USA) focusing on dynamic methods of malware analysis and machine learning applications to malware analysis and reverse engineering. His research at UL Lafayette led to the creation of Virusbattle, an automated malware analysis system that harvests intelligence from large malware repositories which was presented at BlackHat last year. VirusBattle has since been commercialized by Cythereal LLC. USA. Early on in his career, Vivek used to work in humanoid robotics and helped create Acyut, series of India's first indigenously developed humanoid robot which created a world record in humanoid weightlifting at FIRA-2010.

Roberto Giacobazzi is a senior professor of computer science at University of Verona and the Scientific Leader of the SPY-Lab. He received his Ph.D. in Computer Science in 1993 from the University of Pisa. From 1993 to 1995 he had a Post Doctoral Research position at Laboratoire d'Informatique (LIX), Ecole Polytechnique (Paris) in the equipe Cousot, the creator of the theory of Abstract Interpretation. His research interests include abstract interpretation, static program analysis, semantics of programming languages, program verification, abstract model-checking, program transformation and optimization, digital asset protection, code obfuscation, software watermarking and lattice theory. He is author of more than 100 publications in international journals and conferences and he is involved in national (Italian) and international (European) research projects in the field of static program analysis. His main current research interest is in formal methods for systematic design of domains and transfer functions or abstract interpretation, with application in security, digital asset protection, code obfuscation, watermarking, malware analysis, semantics, program analysis, and abstract model-checking. In the past, he gave a declarative semantics for Prolog control features and he studied new methodologies to design static program analyzers and optimization techniques for logic and constraint-based languages by abstract interpretation. In lattice theory he contributed to understanding of the structure of the lattice of closure operators and complete congruence relations on complete lattices. He is in the Steering Committee of the Static Analysis Symposium and of the ACM Conference on Principles of Programming Languages, POPL. Dr. Giacobazzi's research in abstract interpretation led to the creation of Julia in 2006, which has since been acquired by the Corvallis Group, a leading firm in software development and assurance in the banking market.

Max Class Size: 55
Prerequisites for students:

  • Programming background in C++
  • Understanding of Software development and testing methods
  • Basic understanding of these theories will be helpful but is not required: static analysis, dynamic analysis, lattice theory, FixPoint Theory and, abstract interpretation.

Materials or Equipment students will need to bring to participate: Laptop with Linux. Instructors will be using Ubuntu.
Please install IKOS library. Download from:
Installation instructions available here:

Writing Your First Exploit

Rob Olson Instructor, State University of New York at Fredonia

DEF CON isn’t just for hardened hackers with 5up3r 3l173 hacking skills. As DEF CON has grown, more and more attendees are looking for knowledge that will help them get started in the world of hacking. If that’s what you’re looking for, this training workshop is for you!

This training will teach students how to discover and exploit their first buffer overflow vulnerability. This is not a class in how to use the tool of the day; students will be writing their own tools in Python every step of the way. Students will learn how to configure their virtual lab environment, how to write a fuzzer that can produce a crash in a network service, how to take control of a crash, and how to embed a customized payload in order to complete the exploit. As time permits, there will also be a discussion of writing Windows payloads by hand in shellcode.

Understanding exploit development is good. Understanding how to prevent exploits is better. In addition to examining the offensive techniques involved in exploiting buffer overflow vulnerabilities, students will dig through C source code to understand these vulnerabilities and how they could be mitigated. As time permits, there will also be a discussion of host-based mitigation strategies such as DEP and ASLR.

Rob Olson (@nerdprof) is an instructor in the Department of Computer and Information Sciences at the State University of New York at Fredonia where he teaches courses including Computer Security and Ethics, Ethical Hacking, and many more traditional computer science courses. His philosophy is that students ought to learn how to write many of their own security tools before using existing ones. He holds several graduate degrees (but no Ph.D.) and along the way, he also picked up CEH, CISSP, and OSCP certifications.

Max Class Size: 55
Prerequisites for students: None
Materials or Equipment students will need to bring to participate: One laptop capable of running a Kali Linux 2 virtual machine and a Windows (any version) virtual machine. Students should come with these virtual machines set up. Students will need to download and install several pieces of free software on their Windows virtual machine during the training workshop.

VoIP Wars: The Live Workshop

Fatih Ozavci Managing Consultant, Context Information Security

VoIP attacks have evolved, and are targeting Unified Communications (UC), commercial services, hosted environment and call centers, using major vendor specific and protocol vulnerabilities. This workshop is designed to experience these cutting edge VoIP attacks, and improve the VoIP skills of the incident response teams, penetration testers and network engineers. Modern attack vectors and broad threats against the VoIP ecosystem will be discussed and analyzed for major vendor and protocol vulnerabilities with references to their targets.

In this hands-on workshop, the participants will learn about Unified Communications security fundamentals and testing with practical attacks to improve their skills. Attack scenarios will be discussed for various types of UC implementations to cover business services such as call centers, service operator networks and cloud services. In addition, participants will be provided with the workshop and exercise notes as well as a USB stick that includes virtual machines and software to be used during the workshop. The workshop exercises will be conducted using open source tools and the Viproy VoIP penetration testing kit developed by the trainer.

Fatih Ozavci is a Managing Consultant with Context Information Security and the author of the Viproy VoIP Pen-Test Kit, Viproxy MITM analyser and the VoIP Wars research series. He has fifteen years of extensive experience in the field of information security as a leading security consultant, researcher and instructor.

His current research is focused on securing IMS and UC services, IPTV systems, mobile applications, mobility security testing, hardware hacking and BYOD/MDM analysis. He has discovered previously unknown (zero-day) security vulnerabilities and design flaws in IMS, Unified Communications, Embedded Devices, MDM, Mobility and SAP integrated environments and has published several security advisories for SAP Netweaver, Clicksoft Mobile, Cisco CUCM/CUCDM and Microsoft Skype for Business platforms.

Fatih has previously presented at major security conferences such as Blackhat Europe’15, HITB Singapore 2015, BlackHat USA’14, DEF CON 22 and 21, Troopers’15, Cluecon 2013 and Ruxcon 2013. He has provided VoIP and Mobility Security training at DEF CON 23, AustCert 2014 and 2016, Kiwicon 2015 and Troopers’15.

Max Class Size: 55
Prerequisites for students: None
Materials or Equipment students will need to bring to participate: For the live exercises, the participants should have a laptop which can run 2 VMware Virtual Machines at the same time. The exercises VMs may require at least 2GB memory. (The VM images will be provided by the tutor).

Taking a bite out of Apple

John Poulin Principal Application Security Consultant, nVisium

This workshop will provide a solid introduction to the concepts of iOS application security from a black-box perspective. Students will learn concepts relating to assessing the security of iOS applications. In this course we will use real-world examples from the Apple App Store in contrast with several intentionally vulnerable examples. Students are expected to have little to no experience.

John Poulin is a principal application security consultant for nVisium who specializes in web and mobile application security. He worked previously as a web developer and software engineer. When he's not hacking on apps, John spends his time building tools to help him hack on web apps!

Max Class Size: 55
Prerequisites for students: None
Materials or Equipment students will need to bring to participate: Mac OS X w/ XCode. Jailbroken physical devices are recommended.

Mobile App Attack : Taming the evil app!

Sneha Rajguru Security Consultant, Payatu Technologies Pvt.Ltd.

This full-fledged hands-on workshop will get the attendees familiar with the various Android as well as iOS application analysis techniques and bypassing the existing security models in both the platforms. The main objective of this workshop is to provide a proper guide on how the mobile applications can be attacked and provide an overview of how some of the most important security checks for the applications are applied and get an in-depth understanding of these security checks. The workshop will also include a CTF challenge designed by the trainer in the end where the attendees will use their skills learnt during the workshop to solve this challenge.

This workshop will mainly focus on the following :

  1. Reverse engineer Dex code for security analysis.
  2. Jailbreaking/Rooting of the device and also various techniques to detect Jailbreak/Root.
  3. Runtime analysis of the apps by active debugging.
  4. Modifying parts of the code, where any part can be specified as some functions or classes. To perform this check or to identify the modification, we will learn how to find and calculate the checksum of the code. Our objective in this section will be to learn how to reverse engineer an application, get its executable binaries, modify these binaries accordingly, and re-sign the application.
  5. Runtime modification of code. The objective is to learn how programs/code can be changed or modified at runtime. We will learn how to perform introspection or override the default behavior of methods during runtime, and then we will learn how to identify if the methods have been changed. For iOS we can make use of tools such as Cycript, snoop-it etc.
  6. Hooking an application and learning to perform program/code modification.
  7. By the end of the workshop, CTF challenges written by the trainer and based on the course content will be launched, where the attendees will use the skills learnt in the workshop to solve the CTF challenges.

The workshop will begin with a quick overview of the architecture, file system, permissions and security model of both the iOS and Android platforms.

Sneha works as a Security Consultant with Payatu Technologies Pvt.Ltd. and holds C.E.H and E.C.S.A certifications. Her area of interest lies in Web application and mobile application security and fuzzing. She has discovered various serious application flaws within open source applications such as PDFLite, Jobberbase, Lucidchart and more. She is also an active member of Null – The open security community in India, and a contributor to regular meetups at the Pune chapter. She has spoken and provided training at GNUnify, FUDCon, Defcamp #6 and Nullcon 2016.

Max Class Size: 25
Prerequisites for students: The participants are expected to have a basic knowledge of Mobile Operating Systems. Knowledge of programming languages (Java and C, and Python for scripting) will be an added advantage to grasp things quickly.
Materials or Equipment students will need to bring to participate: Students will need the following:

  • Laptop with a minimum 4GB RAM and more than 20 GB Free Hard Disk Space
  • Android device (>= 2.3) or iPhone/iPad (preferably rooted/jailbroken)

Laptops will need to meet the following software requirements:

  • Windows 7/8, Mac OS X 10.5, or *Nix
  • Administrative privileges on your machines
  • Virtualbox or VMPlayer
  • SSH Client
  • Xcode 6 or higher
  • ADB
  • Android Studio 1.3 or higher
  • Android SDK

Use Microsoft Free Security Tools as a Ninja

Simon Roses CEO, Vulnex

Microsoft has published a great deal of free security tools for developers and IT Pros that are widely unknown. This hands-on lab will introduce you to some of these tools and how they can be used to improve your end game: better security for your products and enterprise.

For developers we have all kinds of security tools that can be used across the entire SDLC to create secure software, and for IT Pros we have a bunch of tools to analyze and secure desktops and servers easily and faster.

This hands-on workshop contains a lot of demos covering topics such as:

  • Threat Modeling
  • Static analysis of C/C++ and .NET code
  • Binary analysis
  • Fuzzing applications
  • System Attack Surface analysis
  • Insecure configurations and vulnerabilities scanning
  • Malware Scanning
  • Desktop and Server hardening

Some of the tools are Windows focused, but others are technology agnostic so they can be used for other technologies as well.

Whether you are a developer, a sysadmin or an infosec guy, there is something for you! By the end of the workshop, you will have learned some free and cool tools you can use right away.

It is time to step up your security game!

Simon Roses holds a B.S. from Suffolk University (Boston), Postgraduate in E-Commerce from Harvard University (Boston) and Executive MBA from IE Business School (IE, Madrid).

He is currently the CEO at VULNEX, driving security innovation. He was formerly at Microsoft, PriceWaterhouseCoopers and @Stake.

Simon has authored and cooperated in several security Open Source projects like OWASP Pantera and LibExploit. He has also published security advisories in commercial products.

He was awarded a DARPA Cyber Fast Track (CFT) grant to research on software security.

He is a frequent speaker at security industry events including BLACK HAT, RSA, HITB, OWASP, AppSec, SOURCE, DeepSec and Microsoft Security Technets. CISSP, CEH & CSSLP.

Max Class Size: 55
Prerequisites for students: Basic Windows skills
Materials or Equipment students will need to bring to participate: Students must bring a laptop with a Windows 7 virtual image (recommended) or later (Windows 10). Note: Administrator permission is required to install some of the tools.

Practical Android Application Exploitation

Dinesh Shetty Lead of Mobile Security, Testing Center of Excellence at Security Innovation

Aditya Gupta Founder and Principal Consultant, Attify

Ever wonder how different attacking a Mobile application would be, from a traditional web application? Gone are the days when knowledge of just SQL Injection or XSS could help you land a lucrative high-paying infoSec job.

This will be a detailed course with extensive hands-on exercises on exploiting Android applications. The training will be based on exploiting Android-InsecureBankv2 and other vulnerable applications that are written by the trainer in order to give in-depth knowledge about the different kinds of vulnerabilities in Android applications. This course will also discuss how an attacker can compromise a mobile application. After the workshop, the students will be able to successfully pentest and secure applications running on the various operating systems.

The training will also include a CTF challenge in the end where the attendees will use their skills learnt in the training to solve the CTF challenges.

Dinesh leads the Mobile Security Testing Center of Excellence at Security Innovation. He has performed innumerable penetration tests on Web, Mobile and VoIP technologies - however his core area of expertise is Mobile and Embedded application pentesting and exploitation. He is an accomplished author and speaker, and his research has been published in multiple security zines and sites like Packet Storm, Exploit-DB, PenTest Magazine, SecurityXploded, ClubHACK Magazine, and Exploit-Id amongst others. Dinesh is a Hall of Fame member of Apple, Adobe, and Barracuda Networks for his identification and responsible disclosure of critical security vulnerabilities in their products, web sites, and web services.

Aditya Gupta (@adi1391) is the founder and principal consultant of Attify, an IoT and Mobile security firm, and a leading mobile security expert and evangelist. He has done a lot of in-depth research on Mobile application security and IoT device Exploitation. He is also the author of the popular Android security book "Learning Pentesting for Android Devices" selling over 10000+ copies, since the time of launch in March 2014. He is also a frequent speaker and trainer at numerous international security conferences including Black Hat, Syscan, OWASP AppSec, PhDays, Brucon, Toorcon, Clubhack etc, and also provides private training for organisations for developers and red teams all over the world.

Max Class Size: 55
Prerequisites for students: None
Materials or Equipment students will need to bring to participate:

  • Laptop with Genymotion installed.
  • 20+ GB free hard disk space
  • 3+ GB RAM
  • Android Studio installed on the machine.

Open Source Malware Lab

Robert Simmons Director of Research Innovation, ThreatConnect, Inc.

The landscape of open source malware analysis tools improves every day. A malware analysis lab can be thought of as a set of entry points into a tool chain. The main entry points are a file, a URL, a network traffic capture, and a memory image. This talk is an examination of the major open source tools that satisfy the analysis requirements for each of these entry points. Each tool’s output can potentially feed into another tool for further analysis. The linking of one tool to the next in a tool chain allows one to build a comprehensive automated malware analysis lab using open source software.

For file analysis, the three major versions of Cuckoo Sandbox will be examined. To analyze a potentially malicious URL, the low-interaction honeyclient, Thug, will be covered. Next, if one has a network capture (PCAP) to analyze, the Bro Network Security Monitor is a great option, and will be covered. Finally, if the analysis target is a memory image, the Volatility Framework will be examined. Each of the inputs and outputs of the tools will be reviewed to expose ways that they can be chained together for the purpose of automation. For each tool covered, the class will log in to live instances of each and learn the basics of malware analysis using each one.

Robert Simmons is the Director of Research Innovation at ThreatConnect, Inc. With an expertise in building automated malware analysis systems based on open source tools, he has been tracking malware and phishing attacks and picking them apart for years. Robert is also the author of PlagueScanner, an open source virus scanner framework.

Robert, also known as Utkonos, has a background in biology, linguistics, and Russian area studies. He has lived extensively in Russia and Ukraine and has been known to swear profusely and constantly in Russian.

Max Class Size: 55
Prerequisites for students: None
Materials or Equipment students will need to bring to participate: Bring a laptop with the current version of Chrome installed and a tested and working network connection (provide your own internet, please - only rely on the conference network if absolutely needed). Everything is remote and connected to via web browser - no malware will be worked on your equipment. Everything is remote.

Pentesting ICS 101

Arnaud Soullie Senior Consultant, Solucom

There is a lot of talk about ICS, SCADA and such nowadays, but only a few people have the opportunity to get their hands dirty and understand how it works. The goal of this workshop is to give the knowledge required to start attacking SCADA networks and PLCs, and give hands-on experience on real devices and have fun hacking a model train!

In this workshop, you will learn the specifics of performing a penetration test on industrial control systems, and especially on Programmable Logic Controllers (PLCs). We will cover the main components and the commonly associated security flaws of industrial control systems, aka SCADA systems. We will discover how they work, how they communicate with the SCADA systems, to learn the methods and tools you can use to p*wn them.

Then we will move on to the real world by attacking real PLCs from two major manufacturers on a dedicated setup featuring a robot arm and a model train!

Arnaud Soullié is a senior consultant at Solucom, where he performed 120+ security audits and pentests. He has a specific interest in Active Directory security as well as ICS, two subjects that tend to collide nowadays. He teaches ICS security and pentests workshops at security conferences (BlackHat Europe 2014, BSides Las Vegas 2015, Brucon 2015) as well as full trainings (Hack In Paris 2015).

Max Class Size: 20
Prerequisites for students: A knowledge of penetration testing is a plus, but I try to make it work for newbies as well.
Materials or Equipment students will need to bring to participate: Each student should come with a laptop capable of running VMs and WiFi. 4GB of RAM recommended, as well as 50GB disk space.

Cyber Deception: Hunting advanced attacks with MazeRunner

Dean Sysman CTO and co-founder @ Cymmetria

Detecting advanced threats is now under the assumption of impossibility or unlikeliness. One of the main waves in cyber security promising to enable that ability is cyber deception, a field that has garnered much attention and investment in the last couple of years. Based on the same concepts as honeypots, but on a different technology, cyber deception promises to create decoys and other assets to make attackers expose themselves and allow its users to not only detect them, but collect forensics that can be used for immediate mitigation.

During this workshop, attendees will learn about MazeRunner, Cymmetria's cyber deception solution which is being released for the first time as the first cyber deception free general use tool. Along with it they will be able to set up deception across environments that will be composed of decoys - real virtual machines that can be linux/windows systems. Configure these machines with different network protocols and content to make them look like anything to deceive a hacker, and lastly creating the connections and credentials to these configurations to deploy to the endpoints, thereby creating a complete layer of deception to lead an attacker. Next we will show how to use the alerts and forensics gathered in order to enable automatic mitigation of threats and enrich your threat intel efforts.

Dean Sysman is CTO and co-founder of Cymmetria, an Israeli cyber deception start-up. A unit 8200 veteran, Dean started his military intelligence career first as a low-level security researcher, later on promoted to the rank of Captain to lead high level security research, earning multiple awards for his service. Already when he was 15, he won first place in the prestigious Robotics Olympiad, and by the age of 19 earned his B.Sc. in computer sciences. Before joining Cymmetria, Dean was involved in the development of cross platform translation compiler for embedded processors.

Max Class Size: 55
Prerequisites for students: None
Materials or Equipment students will need to bring to participate: Laptop with these software requirements: web browser, Metasploit framework is optional.

Hunting Malware at Scale with osquery

Sereyvathana Ty Security Engineer, Facebook

Nick Anderson Security Engineer, Facebook

Javier Marcos de Prado Security Engineer, Uber

Teddy Reed Security Engineer, Facebook

Matt Moran Security Engineer, Facebook

This workshop is an introduction to osquery, an open source SQL-powered operating system for instrumentation and analytics. osquery is developed and used by Facebook to proactively hunt for abnormalities. Since osquery allows us to easily ask questions about our infrastructure, it provides powerful capabilities, such as finding malware persistence techniques and scanning IOCs across our fleets of machines. This workshop is a very hands-on training and we expect participants to be comfortable with CLI. The workshop is broken into three components:

Part I - hunting malware with osquery (1.5 hours): The first section of the workshop will make use of the interactive osquery command line tool (osqueryi) to hunt for characteristics of malware residing on a local system. The goal of this section is to get students familiar with writing SQL statements and to understand how osquery makes use of core tables to abstract operating system artifacts.

Part II - osquery at scale (1.5 hours): The second part of the workshop will focus on automation and deployment of osquery at a larger scale. You will learn how to write “query packs” which are utilized to collect and analyze the results from various endpoints in an enterprise. We will demonstrate this concept with the use of virtual machines, however the methodologies can be extrapolated to larger enterprises.

Part III - osquery development (optional - 0.5 to 1 hours): The last part of the workshop focuses on osquery development. We will walk you through some of the core components of osquery so you can have a deeper understanding of this application. The goal is to give the student sufficient information to hack on the osquery project. This segment is largely optional and designed for people who want to get familiar with how osquery works under the hood.

Who should attend?

This workshop is designed for information security professionals who defend small to large scale enterprise networks.

What you need to know?

  • Linux/Mac operating systems and CLI environments
  • Comfortable writing and operating in SQLite
  • Knowledge of ELK stack or Splunk deployment/functionality is helpful
  • Some programming experience is helpful

What do you need to bring?

  • General knowledge of malware TTP is helpful
  • A laptop capable of running two virtual machines (2 cores +, 8GB RAM, and 40GB Free disk space)
  • Pre-installed VMWare client

Sereyvathana Ty is a member of Detection Infrastructure at Facebook working on network security monitoring instrumentations. Before joining Facebook, he was a malware researcher for Palo Alto Networks where he was researching new techniques for detecting malware and developing mitigation strategies for WildFire, a malware analysis platform. He enjoys malware analysis, and he has a strong passion for developing security applications using machine learning techniques.

Javier Marcos is a Security Engineer at Uber with experience working on both offensive and defensive teams. He is currently a member of Uber's Platform Security team and he created the Facebook CTF platform.

Nick Anderson is a Security Engineer at Facebook working in the Detection Infrastructure team on the osquery project. He came to Facebook after working at Sandia National Laboratories as a Cybersecurity Engineer and enjoys malware analysis and reverse engineering in his free time.

Teddy Reed is a Security Engineer at Facebook developing production security tools. He is very passionate about trustworthy, safe, and secure code development. He loves open source and collaborative engineering when scale, resiliency, and performance enable defensive and protective software design. Teddy has published at security conferences on trusted computing, hardware trusted systems, UAVs, competition game theory, and other security-related research.

Matt Moran is a security engineer at Facebook working on building and improving network security monitoring tools. In the past, Matt worked as a system administrator deploying and maintaining scalable services for both Facebook and Yahoo. Matt has a bachelor’s degree in Information Technology from Mount Saint Mary college in New York.

Max Class Size: 55
Prerequisites for students: None
Materials or Equipment students will need to bring to participate: A laptop capable of running two virtual machines (2 cores +, 8GB RAM, and 40GB Free disk space). Pre-installed VMWare client.

You CAN haz fun with cars!

Javier Vazquez Vidal Product Security Engineer, Code White GmbH

Ferdinand Noelscher Security Researcher

So you already know that you can hack cars and do nasty remote stuff, right? But what about all the underlying data transfers that are going on in it? Do you want to learn how a target is approached, what info can you get out of each ECU, or what Security measures are in place to prevent you from doing so on a protocol level? We want to show you how all this stuff works, and what can you do about it! And for this, we will have the help of the CANBadger. Come and learn about protocols used over CAN, and use a CANBadger connected to real ECUs to learn what you can do with it. Oh, and you can assemble your own CANBadger board too!

Javier Vazquez Vidal is passionate about technology and specializes in hardware and embedded systems security. He studied Electromechanics and Telecommunications, developing a passion for electronics and technology since his youth. He has been part of several projects that involved well-known hardware, but his first public work was presented at DEF CON 21, the ECU tool. He developed the CHT, a tool to take over the CAN network, and had some fun with the "paella country" smart meters. He is currently working as a Product Security Engineer at Code White GmbH, and has worked at companies such as Tesla, Daimler, Airbus Military and Visteon.

Ferdinand Noelscher is an information security researcher from Germany. He has been working in Information Security for several years now. Ferdinand is very passionate about Offensive Security research and has been working on numerous embedded security projects, and some lasers too. Furthermore, he gave a training together with Javier at He is currently a Security Researcher at Code White.

Max Class Size: 50
Prerequisites for students: Basic understanding of how in-vehicle communications work is an advantage.
Materials or Equipment students will need to bring to participate: No materials are required to participate, but if you want to build a fully working CANBadger, you should bring an mBed LPC1768 board or a LPCXpresso LPC1769 evaluation board and a laptop with LPCXPRESSO installed.

PCB Design Crash Course: A primer to designing your own hacking tools

Seth Wahle Electronics Engineer & Hardware Hacker

Have you ever seen a system that you knew you could hack, if you could only find a way to connect to its ridiculously exotic interface? What about that idea for an awesome hacking tool you imagined but didn't know how to build? If the massive learning curve to hardware design is holding back your plans to hack the world, then this is the workshop for you!

In this workshop, you will design your own basic LAN tap (based on the throwing star LAN tap from Great Scott Gadgets). We will go from the very basics all the way to a full set of design documentation that you could use to get your hardware design mass produced.

Seth Wahle is an electronics engineer and hardware hacker. He was featured in Forbes and BBC for hacking android phones using an implanted NFC chip in 2015. Seth has developed hardware that allows for 4k streaming video, produced a device that detects and eliminates enemy I.E.D.’s, and developed radio communications equipment for the next generation of fighter jets. Now as the lead engineer for Cyberdonix, Seth is developing next-gen I.O.T. based security appliances.

Max Class Size: 55
Prerequisites for students: None
Materials or Equipment students will need to bring to participate:

Introduction to Penetration Testing with Metasploit

Georgia Weidman CEO & Founder, Shevirah

This class will be conducted using Kali Linux against Windows and Linux target virtual machines. Students will become familiar with the phases of the Penetration Testing Execution Standard (PTES) and the common tools of the trade such as Metasploit, Nmap, Nessus, Maltego and others. Beginning with using Kali Linux and the Metasploit Framework, this course will then simulate each phase of penetration testing with the target virtual machines. Students will learn how to gather information about a target organization using open source reconnaissance, discover and verify vulnerabilities on targets, and use tools, public exploits, and manual techniques to exploit issues. In post exploitation we will gather information, pivot onto additional networks, perform privilege escalation, etc. Due to the short time, this course is a great kick starter into completing additional material on penetration testing, including an additional penetration testing target from the instructor's book and an online lab of additional targets of varying difficulty which will be made available to students at the end of the course.

Shevirah founder and CEO Georgia Weidman is a serial entrepreneur, penetration tester, security researcher, speaker, trainer, and author. She holds a MS in computer science as well as holding CISSP, CEH, and OSCP certifications. Her work in the field of smartphone exploitation has been featured internationally in print and on television. She has spoken on her research at venues such as the NSA, West Point, and top security conferences. She has provided technical training such as exploit development and penetration testing at conferences such as Blackhat USA, Brucon, and CanSecWest. Georgia founded Bulb Security LLC, a security consulting firm specializing in security assessments/penetration testing, security training, and research/development. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security culminating in the release of the open source project the Smartphone Pentest Framework (SPF). She founded Shevirah Inc. to create product solutions for assessing and managing the risk of mobile devices in the enterprise and testing the effectiveness of enterprise mobility management solutions and is a graduate of the Mach37 cybersecurity accelerator. She is the author of Penetration Testing: A Hands-On Introduction to Hacking from No Starch Press, “On edge graceful labelings of disjoint unions of 2r-regular edge graceful graphs” in the Journal of the Institute of Combinatorics and its Applications, and the principal investigator on pending patent "METHOD AND SYSTEM FOR ASSESSING DATA SECURITY". She was the recipient of the 2015 Women’s Society of CyberJutsu Pentest Ninja award. She is on the board of advisors of the angel backed security training startup Cybrary and the nonprofit Digital Citizens Alliance.

Max Class Size: 55
Prerequisites for students: None
Materials or Equipment students will need to bring to participate: If students wish to follow along hands-on, materials to be downloaded will be made available online a week before the course. Since this is first come, first served, people who do not make it into the workshop may of course download the materials and work through my book with them if they so choose. Additional targets and exercises will be available for after class, so even those who prefer to watch and listen during class are encouraged to download the materials for practice later.

Physical Security for Computing Systems, a Look at Design, Attacks and Defenses

Steve Weingart Security Researcher

Physical security for computing systems is a topic that usually gets left to FIPS 140 and tamper labels, but it is a much broader and more interesting subject. As the value of data on computing systems increases and operating systems become more secure, physical attacks on computing systems to steal or modify assets become more likely. At the low end are locks and tamper labels, at the high end are complex mechanisms to detect and respond to tampering and intrusion from the box level all the way down to the chip level. All of this technology requires constant review and improvement, just as other competitive technologies need review to stay at the leading edge. The bar is ever rising.

Physical security is an interdisciplinary field. The materials and chemistry are as important as the electronics, circuits and physics. A tamper label can be defeated by application of the right solvent. A cover switch can be defeated by piping super glue in through an air vent or a slightly bent cover. Hard epoxies can be removed with drain cleaner and a tamper detection circuit can be defeated by setting the supply voltage to a critical value or a microprocessor's start up tests bypassed by manipulating the width of the reset pulse.

This training session will show many of the known attack and defense methods from the basic to the exotic. It will include easy and low tech ways of performing high tech attacks, as well as descriptions of the highest tech methods.

Design examples will be shown with examples of the tools, devices, circuits and materials used to implement both attack and defense systems. Demonstrations will be included.

Steve Weingart has been active in the Security Standards and Physical Security communities since the 1980's. He was on the NIST panel that wrote FIPS 140-1 and has been a continuing contributor to both FIPS 140 and Common Criteria development. At the IBM Thomas J. Watson Research Center, he was the lead engineer for the IBM 4758 secure coprocessor which was the first cryptographic module validated at Security Level 4 under FIPS 140-1. He has continued to work in the security field as a developer of secure cryptographic modules, a consultant, a standards test lab engineer and as a standards test lab manager. Steve now coordinates security standard certifications for Aruba and continues to consult, contribute to the standards community and trains others in security standards and physical security.

Max Class Size: 55
Prerequisites for students: Some knowledge of analog and digital electronic circuits would be very helpful. Knowledge of materials and some chemistry is handy too.
Materials or Equipment students will need to bring to participate: None, I will supply any needed.

Hacking Network Protocols using Kali

Thomas Wilhelm Associate Professor, NSACAE University

Todd Kendall Security Consultant

There are a lot of hacking tutorials on how to compromise servers, but what about network devices?

In this workshop, we will demonstrate how to conduct penetration tests against a number of different network protocols, specifically those at layer 2 and 3 of the OSI model, in order to assess and circumvent the security of an organization. Participants will be able to watch a demonstration on how to leverage insecurities in different protocols, and replicate the attacks themselves in a lab environment at the workshop. In addition, we will discuss what steps network engineers can take to limit the insecurities.

This workshop will contain network devices to which participants will be able to connect and perform the demonstrated attacks. Participation will be reduced since network equipment resources are limited, unless additional lab equipment can be procured.

Thomas Wilhelm has been an associate professor at an NSACAE university, where he has taught information assurance for many years at both the master's and undergraduate levels. He has been a penetration tester and team lead for Fortune 100 companies, and has spent the last 20+ years involved in information security.

Thomas has authored numerous articles and books over the years on hacking; the latest, titled “Professional Penetration Testing (vol 2),” was published by Syngress and has been printed in multiple languages. Thomas holds two master's degrees (MSCS, MSM) and maintains the following certifications: ISSMP, CISSP, CCNP Security, SCSECA, SCNA, SCSA, IEM, IAM.

Todd Kendall is a security consultant with extensive experience in both the commercial and government security world. Todd is currently responsible for performing vulnerability assessments on operational networks to Fortune 100 companies, and has been heavily involved in incident response and management for finance, healthcare, and utility industries. Todd has expe

Max Class Size: 32
Prerequisites for students: It is required for students to understand the OSI model and specifics of well-known network protocols, particularly those found at layer 2 and layer 3 of the OSI model.
Materials or Equipment students will need to bring to participate: Participants should have a laptop that contains an up-to-date Kali Linux image. In addition, if they want to participate in actual network protocol attacks, they should bring CAT5 cables for connectivity. This class will not spend time getting students online - participants should already be familiar with configuring static IP addresses and/or DHCP for their systems. Because participants will be able to connect to a lab environment with active exploits, it is suggested that students use a computer system that can be easily re-imaged at the end of the workshop.

Intrusion Prevention System (IPS) Evasion Techniques

Thomas Wilhelm

John Spearing Co-founder and Operations Manager, Crystal Defense Network Information Security

In most professional penetration tests, the pentester is given unrestricted, unfettered access to a network. However, this does not provide an effective evaluation of all preventative measures available to an organization that prevent and identify ongoing attacks. As a result, more businesses now require pentesters to confront Intrusion Detection / Prevention Systems aimed at limiting attacks in their network. The ability to understand how IDS/IPS systems work and effective techniques to circumvent their efforts to restrict your activities within the network is becoming essential for pentesters.

In this workshop, we will build an IPS system and examine its inherent limitations. We will then perform attacks within a test lab environment to see how effective the IPS is against our typical attacks. Once we understand how IPS systems limit our ability to pentest, we will then look at ways to exploit IPS limitations to be more effective in our professional penetration tests.

Thomas Wilhelm has been an associate professor at an NSACAE university, where he has taught information assurance for many years at both the master's and undergraduate levels. He has been a penetration tester and team lead for Fortune 100 companies, and has spent the last 20+ years involved in information security.

Thomas has authored numerous articles and books over the years on hacking; the latest, titled “Professional Penetration Testing (vol 2),” was published by Syngress and has been printed in multiple languages. Thomas holds two master's degrees (MSCS, MSM) and maintains the following certifications: ISSMP, CISSP, CCNP Security, SCSECA, SCNA, SCSA, IEM, IAM.

John Spearing works in the field of network and physical security, and has obtained a master's degree in both Computer Science and Organizational Behavior. John is the co-founder and Operations Manager of the MSSP company known as Crystal Defense Network Information Security, located in central Colorado. John's specialty within the Information Security realm centers on network intrusion detection and prevention, as well as endpoint security.

Max Class Size: 55
Prerequisites for students: Students should already be familiar with penetration testing techniques and tools (and their flags). The use of proxies will be required to participate, so knowledge of how to configure your hacking platform to intercept packets, and the ability to modify them, is essential.
Materials or Equipment students will need to bring to participate: Since this is an advanced penetration testing subject, participants should have a laptop with the ability to host virtual images, which also contains an up-to-date Kali Linux image. In addition, if they want to participate in actual attacks within the lab, they should bring CAT5 cables for connectivity. This class will not spend time getting students online - participants should already be familiar with configuring static IP addresses and/or DHCP for their systems. Because participants will be able to connect to a lab environment with active exploits, it is suggested that students use a computer system that can be easily re-imaged at the end of the workshop.

Brainwashing Embedded Systems

Craig Young Security Researcher, Tripwire

Learning the secret incantations to make embedded systems carry out your will is not as hard as one might think. In the world of IoT, the hardened system is rare and most times a firmware image is more than enough to find and exploit weaknesses. This session explains in detail a process for going from zero-knowledge to zero-day on real-world devices without breaking a sweat. Attendees of this tutorial session will learn the ropes of firmware dissection, app decompilation, and manual fuzz testing in a hands-on hack lab. Participants will be provided with a customized Kali Linux virtual appliance and given access to several consumer devices for analysis. These techniques have been successfully employed by the author to identify over 100 CVEs on embedded/IoT devices as well as to win the 0-day and CTF tracks in the DEF CON 22 SOHOpelessly Broken router hacking competition.

Craig Young is a computer security researcher with Tripwire's Vulnerability and Exposures Research Team (VERT). He has identified and responsibly disclosed dozens of vulnerabilities in products from Google, Amazon, IBM, NETGEAR, Adobe, HP, Apple, and others. His research has resulted in numerous CVE assignments and repeated recognition in the Google Application Security Hall of Fame. Craig's presentations on Google authentication weaknesses have led to considerable security improvements for all Google users. Craig won in track 0 and track 1 of the first ever SOHOpelessly Broken contest at DEF CON 22 by demonstrating 10 0-day flaws in SOHO wireless routers. His research into iOS WiFi problems more recently exposed CVE-2015-3728, which could allow devices to inadvertently connect to malicious hot spots. Craig has more recently turned his attention to a different part of the wireless spectrum with research into home automation products as well as RFID/NFC technology.

Max Class Size: 55
Prerequisites for students: Basic *nix knowledge; comfort with a shell; understanding of HTTP
Materials or Equipment students will need to bring to participate:

Nothing is required, but in order to make the most out of the workshop, students will want to have a laptop with an 802.11 adapter and virtualization software capable of running an x86_64 virtual machine from an OVA/OVF (e.g. VirtualBox or VMware). Virtual machine files will be made available on USB, so an open USB port is preferred.