skip to main content

DEF CON 25 Hacking Conference

Workshops

Workshops

DEF CON 25 Workshops are Sold Out!

Linux Lockdown: ModSecurity and AppArmor

Friday, 10:30 to 14:30 in Octavius 1

Jay Beale Co-Founder and COO, InGuardians

Taught by Bastille Linux creator Jay Beale, this hands-on workshop will teach you to use AppArmor to contain an attack on any program running on the system and to use ModSecurity to protect a web application from compromise. You will be given a vulnerable command line program and a vulnerable web application to protect, via a virtual machine that you can download beforehand. You will first compromise the application, then build up a defense and attempt your attack again. This workshop is being taught for the first time and provides two topics from the long-running Black Hat class, "Aikido on the Command Line."

Prerequisites: Students should bring a working understanding of Linux.

Materials: Students should bring a laptop with VMware Player, Fusion or Workstation, with at least 8GB of RAM. The host operating system must be 64-bit. Students should also download the virtual machines and confirm that they run before the class begins.

Max students: 30 | Registration: https://dc25_beale.eventbrite.com (Sold out!)

Jay Beale
Jay Beale has created several defensive security tools, including Bastille Linux/UNIX and the CIS Linux Scoring Tool, both of which were used widely throughout industry and government. He has served as an invited speaker at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and a contributor to nine books, including those in his Open Source Security Series and the "Stealing the Network" series. He has been invited to speak at and chair conferences around the world. Jay is a founder and the Chief Operating Officer of the information security consulting company InGuardians.

Back to top



Building Application Security Automation with Python

Thursday, 10:30 to 14:30 in Octavius 5

Abhay Bhargav CTO, we45

In an age of rapid-release applications, DevOps and small application security teams, the only way application security can scale, is with automation. In this workshop, I will introduce some key automation practices and techniques using Python that students can use in their own application security programs for quick wins. These techniques will predominantly focus on developing automation scripts harnessing API from Open Source Web Vulnerability Scanners (like OWASP ZAP), Building fuzzers harnessing features of tools like mitmproxy with as little as a few lines of code and using NoSQL databases for easy search and to generate powerful application security analytics. The session will be entirely hands-on, with a lot of coding and very little theory.

Prerequisites:
Knowledge of Python basics preferred but not required ( Basic Python skills are good enough. Knowledge of variables, loops, modules, imports and data structures would suffice). Examples with complete source code would be given to participants to study further. Hands-on exercises will be "templatized" to ensure that people are up and running quickly, even if they are not familiar with Python.

Materials:
Laptop with 64bit CPU (Mac/Win/*nix) is good with 8GB+ RAM (Host Machine) preferred, and atleast 50GB of free HDD to import a Virtualbox VM
For Windows Laptops please ensure that Virtualization is enabled at the BIOS to run the VM. There have been issues where Virtualization being disabled at the BIOS has resulted in the VM not working. Please ensure that you have the necessary permissions to change BIOS settings if required (especially for work/corporate laptops)
64 bit CPU is required. we would be using Docker images and docker doesn't support 32bit systems
Please have the latest version of Virtualbox installed on the laptop.

Max students: 50 | Registration: https://dc25_bhargav.eventbrite.com (Sold out!)

Abhay Bhargav
Abhay Bhargav is the CTO of we45, a focused Application Security company. Abhay is the author of two international publications. “Secure Java for Web Application Development” and “PCI Compliance: A Definitive Guide”. Abhay is a builder and breaker of applications, and has authored multiple applications in Django and NodeJS. He is a passionate Pythonista and loves the idea of automation in security. This passion prompted him to author the world’s first hands-on Security in DevOps workshop that has been delivered in multiple locations, and recently as a highly successful workshop at the OWASP AppSecUSA 2016, OWASP AppSecEU 2017 and OWASP Appsec USA 2017. In addition , Abhay speaks regularly at industry events including OWASP, ISACA, Oracle OpenWorld, JavaOne, and others.

Back to top



Harnessing the Power of Docker and Kubernetes to Supercharge Your Hacking Tactics

Saturday, 14:30 to 18:30 in Octavius 7

Anshuman Bhartiya

Anthony Bislew Red Teamer, Intuit

Running reconnaissance on a target network is almost always time-consuming and cumbersome. For experienced hackers, the process of manually enumerating and scanning target networks comes to feel like a gratuitous journey through Mordor on our way to the glory of shells, pivoting, and pilfering. Even worse, most of the automated reconnaissance solutions out there are expensive, limited in their effectiveness, opaque in their functionality...or all of the above.

What if you could automate your own customized approach to reconnaissance and exploitation by leveraging an entirely free and open-source framework to
1. Integrate the tools you trust and
2. Build tools of your own to capture those tricks that are unique to the special snowflake that is you?

In this workshop, we'll introduce you to the power of Docker and Kubernetes to supercharge your hacking tactics. We'll walk you through the process of building your tools as Docker images, scheduling and launching those tools in a Kubernetes cluster, and storing your results in a way that's easy to analyze and act upon. We'll spawn and destroy some attack environments and show how easy it is to do your testing without stressing out on how to get started. We'll even use some of the recon results to automate running exploitation tools against them and getting to the keys of the kingdom! By the end of this workshop you should have all the tools you need to build and extend your own recon and exploitation framework, that is supercharged and hyper scalable, thanks to Kubernetes.

Prerequisites: Attendees should be:
Comfortable using a MacOS/Linux shell terminal
Comfortable enough with a common scripting language (preferably Python/Ruby) to write simple tools/scripts
Familiar with command-line tools common to security professionals (e.g. curl, Nmap, etc.)
Familiar with Docker (e.g. its purpose, the concepts of containers and images, etc.)
https://www.docker.com/

Familiar with Google Cloud Platform offerings (e.g Compute Engine, Container Engine, Storage, BigQuery, etc.)
https://cloud.google.com/

A basic knowledge of Kubernetes is extremely helpful but not required. https://kubernetes.io/

Materials:
• Laptop with a Linux-based OS (preferably Mac/Ubuntu)
• A Google Cloud Platform (GCP) account - You can use the GCP Free Tier to get one. They give $300 worth of free credits which is more than enough.
• https://cloud.google.com/free/
• A Slack account configured with an incoming webhook - https://api.slack.com/incoming-webhooks
• An IDE such as Atom or Visual Studio Code.
• We will walk through installation of any other tools/software necessary such as Docker, Minikube, Google SDK, Golang, Python, etc. so you don’t have to have these pre-installed but it would help if you do.

Max students: 60 | Registration: https://dc25_bhartiya.eventbrite.com (Sold out!)

Anshuman Bhartiya
Anshuman Bhartiya has been in the IT industry for about 10 years now and has had the opportunity to wear multiple hats. Anshuman has been a web developer, cloud consultant, systems engineer and security engineer to name a few. Anshuman has a varied skillset and he likes to tinker with the latest technology coming up with innovative solutions for difficult and challenging problems. Security, Automation and Innovation are some things he is really passionate about and he firmly believes in sharing knowledge and the Open Source community. You can find some of Anshuman's work at his Github here - https://github.com/anshumanbh

Anthony Bislew
Anthony Bislew is a red teamer for the Intuit security team, with 17 prior years of experience in the IT industry. He was the co-founder of two Infrastructure as a Service (IaaS) startups and architected multiple data centers from the ground up. He is a co-founder of SD Hackers, a San Diego-based group of security professionals that come together to learn from and collaborate with each other. He is also the creator of the public penetration testing lab Infoseclabs, which was recently converted into a private security research lab for local San Diego penetration testers and researchers.

Back to top



UAC 0day, all day!

Saturday, 10:30 to 14:30 in Octavius 4

Ruben Boonen

"This workshop is available to attendees of all levels, however, a basic familiarity with Process Monitor and the Windows API are recommended. The workshop will provide the required knowledge to find, analyze and exploit process workflows which allow an attacker to elevate their privileges from Medium to High integrity. The workshop is divided into the following sections.

Auto-Elevation:
- Identifying auto-elevating processes
- Analyzing process workflows
- Finding UAC bypass targets

Elevated File Operations:
- Using the IFileOperation COM object
- Tricking the Process Status API (PSAPI)

Getting UAC 0day (Pre Windows RS2):
- Analysis of known UAC bypasses
- Understanding the Windows Side-By-Side Assembly
- Creating proxy DLL's
- Using the Bypass-UAC framework (https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC)
- Dropping 0day(s)!

Triaging Windows RS2:
- Environment variables
- Registry abuse
- COM objects
- Process tokens

The workshop has intense hands-on labs where attendees will put the theory into practice. After attending, you will immediately be able to apply this knowledge in the field. The next time someone tells you the default UAC settings are sufficient you will be able to set them straight!

Prerequisites:

Materials: To participate in the hands-on sections, attendees need to bring a laptop with 2 GB RAM which can be dedicated to a virtual machine. Both VirtualBox and VMware player can be obtained for free. Two virtual machines and all necessary tools will be provided during the workshop!

Max students: 72 | Registration: https://dc25_boonen.eventbrite.com (Sold out!)

Ruben Boonen
Ruben Boonen (@FuzzySec) has been working in InfoSec since 2012. He has a well-rounded skill set, having taken on many application, infrastructure and bespoke engagements. _He has, however, developed a special interest for Windows: Domains, exploit development, client-side attacks, restricted environments, privilege escalation, persistence, post-exploitation and of course PowerShell!

He loves breaking stuff, but finds it is equally important to him to share that knowledge with the wider community. He has previously been a trainer at Black Hat, Def Con and various BSides events in the UK. Additionally, he maintains an InfoSec blog (http://www.fuzzysecurity.com/) and GitHub account (https://github.com/FuzzySecurity) where he publishes research on a variety of topics!

Back to top



Practical Malware Analysis: Hands-On

Saturday, 10:30 to 14:30 in Octavius 7

Sam Bowne

Devin Duffy-Halseth

Dylan James Smith

Learn how to analyze Windows malware samples, with a hands-on series of projects in a fun, CTF-style environment. There are four levels of analysis challenges.

1. Basic static analysis with file, strings, PEiD, PEview, Dependency Walker, and VirusTotal
2. Basic dynamic analysis with Process Monitor, Process Explorer, RegShot, and Wireshark
3. Advanced static analysis with IDA Pro Free and Hopper
4. Advanced dynamic analysis with Ollydbg and Windbg

The first challenges are easy enough for beginners, and the later ones get difficult enough to interest intermediate security professionals. We will demonstrate the challenges, discuss the technologies and techniques, and help participants get through them as needed.

These challenges use harmless malware samples from the "Practice Malware Analysis" book by Michael Sikorski and Andrew Honig.

All materials and challenges are freely available at samsclass.info, including slide decks, video lectures, and hands-on project instructions. They will remain available after the workshop ends.

Prerequisites: Participant should be familiar with basic C programming. Experience with developing Windows applications, assembly language, and debuggers is helpful but not necessary.

Materials: Participants must bring a laptop (any OS) with VMware or VirtualBox installed on it. Each participant will need a 32-bit Windows virtual machine to run malware samples. USB sticks with a Windows Server 2008 VM will be available for students to copy. Some projects also use a Kali Linux VM to simulate the Internet, but that's not required.

Max students: 80 | Registration: https://dc25_bowne.eventbrite.com (Sold out!)

Sam Bowne
Sam Bowne has been teaching computer networking and security classes at City College San Francisco since 2000. He has given talks and hands-on trainings at DEFCON, HOPE, RSA, B-Sides SF, B-Sides LV, and many other cons. He has a PhD and a CISSP and a lot of T-shirts.

Devin Duffy-Halseth:
I really love hearing about different malware attack vectors and APT campaigns. I'm currently seeking a junior pentesting position.

Dylan James Smith
Dylan James Smith has assisted Sam Bowne with hands-on workshops at DEF CON, RSA, B-Sides LV and other conferences. He has worked in and around the computer support industry since adolescence. Now he’s old(er.) Currently focused on learning and teaching "the cybers."

Back to top



Introduction to Cryptographic Attacks

Thursday, 10:30 to 14:30 in Octavius 6

Matt Cheung

Cryptography can seem like a mysterious black box making attacks even more mysterious. Introduction to Cryptographic Attacks is for those who have no experience with cryptographic attacks and how they work. In this workshop you will learn how simple some of these attacks are, and you will build a foundation in cryptographic primitives and potential weak points of real world systems.

The workshop will lead attendees through CTF style crypto challenges that illustrate critical cryptographic weaknesses. I recommend coming prepared with a Python environment and the following modules: cryptography or PyCrypto, gmpy2 (requires installing gmp), and requests.

Prerequisites: None, though some moderate math and programming experience is useful.

Materials: Laptop installed with Python as I will have some code snippets to help with the exercises.

Max students: 30 | Registration: https://dc25_cheung.eventbrite.com (Sold out!)

Matt Cheung
Matt Cheung started developing his interest in cryptography during an internship in 2011. He worked on implementation of a secure multi-party protocol by adding elliptic curve support to an existing secure text pattern matching protocol. Implementation weaknesses were not a priority and this concerned Matt. This concern prompted him to learn about cryptographic attacks from Dan Boneh's crypto 1 course offered on Coursera and the Matasano/cryptopals challenges. From this experience he has given talks and workshops at the Boston Application Security Conference and the DEF CON Crypto and Privacy Village.

Back to top



Pwning machine learning systems

Saturday, 14:30 to 18:30 in Octavius 6

Clarence Chio Security Researcher

Anto Joseph Security Engineer, Intel

Pwning machine learning systems is an offensive-focused workshop that gives attendees a whirlwind introduction to the world of adversarial machine learning. This three-hour workshop will not be your run-of-the-mill introduction to machine learning course, (are you kidding? you can get that from a thousand different places online!) but will focus on hands-on examples, and actually attacking these systems. Every concept covered in this workshop will be backed-up with either a worked example or a challenge activity, (done in groups of 1 to 3) with minimal lecturing and maximum "doing". By the end of the workshop, students will be able to confidently pwn machine-learning-powered malware classifiers, intrusion detectors, and WAFs. We will cover the three major kinds of attacks on machine learning and deep learning systems - model poisoning, adversarial generation, and reinforcement learning attacks. As a bonus, attendees will emerge from the session with a fully-upgraded machine learning B.S. detector, giving them the ability to call B.S. on any "next-generation system" that claims to be impenetrable because of machine learning. This is an intermediate technical class suitable for attendees with some ability to read and write basic Python code. To get the most out of this workshop, surface-level understanding of machine learning is good. (be able to give a one-line answer to the question "What is machine learning?")

Prerequisites: Basic familiarity with Linux Python scripting knowledge is a plus, but not essential

Materials: latest version of virtualbox Installed administrative access on your laptop with external USB allowed at least 20 GB free hard disk space at least 4 GB RAM (the more the merrier)

Max students: 36 | Registration: https://dc25_chio.eventbrite.com (Sold out!)

Clarence Chio
Clarence Chio @cchio graduated with a B.S. and M.S. in Computer Science from Stanford within 4 years, specializing in data mining and artificial intelligence. He is in the process of co-authoring the O'Reilly book "Machine Learning and Security", and currently works as a Security Researcher and Data Scientist. Clarence spoke on Machine Learning and Security at DEF CON 24, GeekPwn Shanghai, PHDays Moscow, BSides Las Vegas and NYC, Code Blue Tokyo, SecTor Toronto, GrrCon Michigan, Hack in Paris, QCon San Francisco, and DeepSec Vienna (2015-2016). He had been a community speaker with Intel, and is also the founder and organizer of the"Data Mining for Cyber Security" meetup group, the largest gathering of security data scientists in the San Francisco Bay Area.

He has been/will be giving trainings/workshops in on machine learning and security at TROOPERS 17 (Heidelberg), HITB Amsterdam 2017, VXCON (Hong Kong), HITB GSEC (Singapore), and AppSec EU (Belfast).

Anto Joseph
Anto Joseph @antojosep007 is a Security Engineer for Intel. He has 4 years of corporate experience in developing and advocating security in machine learning and systems in mobile and web platforms. He is very passionate about exploring new ideas in these areas and has been a presenter and trainer at various security conferences including BH USA 2016, DEF CON 24, BruCon, Hack in Paris, HITB Amsterdam, NullCon, GroundZero, c0c0n, XorConf and more. He is an active contributor to many open-source projects and some of his work is available at https://github.com/antojoseph.

Back to top



A B C of Hunting

Thursday, 10:30 to 14:30 in Octavius 1

Julian Dana Mandiant / FireEye

We heard it all before. The old school SOC/CIRTs is not enough to fight the sophisticated attacks we see these days; being reactive to alerts and the known BAD model is not cutting it anymore. We need to move forward -> the CDC (Cyber Security Center) or the SOC/CIRT 2.0+, extra, super, plus! And, that means making the changes to become: Proactive, Predictive and Reactive too. And for that you need to start the HUNTING! .... BUT what is that? How do I do it? Where do I start? Which is the simplest for me as an analyst? Logs? Intelligence?

Let's start from the ABC... We will cover the theory and a few practical LABs. How to map the active Hunting to the Attack LyfeCycle. We will talk about the IOCs, Frequency Analysis (stacking). Intel driven LAB. And lastly ask you to use your imagination to create your own Hunting case.

Please get ready to talk, as it is going to be interactive (I'm not expecting to be the only one talking).

Prerequisites: Basic Incident Response knowledge. Basic security architecture knowledge. Basic log review knowledge. Basic OS knowledge.

Materials: The attendees should bring a laptop or a VM running Windows 7 or above with 2GB of RAM (4+ GB would be better) with connection to the Internet (the one provided by DEF CON works perfectly). Software: Spreadsheet editor, favorite text editor or log viewer. Admin rights to be able to install software if required.

Max students: 36 | Registration: https://dc25_dana.eventbrite.com (Sold out!)

Julian Dana
Julian is a Professional Services Director at Mandiant (a FireEye company). He has experience teaching IR, Network Investigations and other trainings. During his carrier, he has developed SOC/CIRTs, performed many penetration tests, responded to security breaches and worked on strategical security engagements for International Companies and Government institutions.

Back to top



Introduction to x86 disassembly

Friday, 10:30 to 14:30 in Octavius 5

DazzleCatDuo

Jumping into the world of disassembly can be incredibly intimidating and quite painful. This talk aims to introduce disassembly by walking through how to recognize basic logic flows and data structures in assembly. We'll look at locating common flow controllers such as if/else/loops/switch cases, as well as data structures. The talk will specifically address static disassembly using IDA, looking at c compiled to x86_32, but the principles can be applied to any other language and assembly architecture. x86, is one of the most common assembly architectures, and incredibly useful for security engineers to understand. x86 is the assembly architecture running almost all Mac, Windows, and Linux computers.

Prerequisites: Students must have a basic coding knowledge, and understand what if/else/loops/switches logically do, in any coding language.

Materials: Please bring a laptop with Virtual Box (latest version) and at least 20 gigs of free disk space. VM's with examples and tools will be distributed in class via USB sticks.

Max students: 90 | Registration: https://dc25_dazzlecatduo.eventbrite.com (Sold out!)

DazzleCatDuo
The DazzleCatDuo are both security engineers who specialize in x86 research.

Back to top



Exploitation/Malware Forward Engineering

Saturday, 14:30 to 18:30 in Octavius 5

Sean Dillon Senior Security Analyst, RiskSense, Inc.

Zachary Harding Senior Security Analyst, RiskSense, Inc.

Windows post-exploitation is the penetrating step of every penetration test if you're on a Windows network. You're obviously swimming in shells (it's Windows after all), but you aren't in full control yet. Your best account is Network Service and you want Enterprise Admin.

Elevating privileges, either through bypassing UAC or finding local exploits, stealing tokens, pivoting to other systems, scanning the local network, dumping credentials. There are few open source tools available, such as PowerShell Empire, Koadic C3, and Metasploit's Meterpreter. We will go through the low-level code that makes it all work.

The training will explore shellcode, COM, WMI, Windows API, and .NET, and how these open source tools bring it all together. You will walk away with the knowledge to write your own plugins for these systems, as well as your own custom malware. An in-depth understanding of antivirus detection and evasion will be included. This workshop is a focus on the code, not just the tactics.

Prerequisites: Programming knowledge, one or all of the following: x86/x64, Python, JavaScript, PowerShell, Ruby, C Pentesting knowledge: Basic Windows post-exploitation

Materials: Bring favorite OS and code editor, Windows VMs, WiFi.

Max students: 90 | Registration: https://dc25_dillon.eventbrite.com (Sold out!)

Sean Dillon
Sean Dillon is a senior security analyst at RiskSense, Inc. He has an established research focus on attacking the Windows kernel, and was the first to reverse engineer the DOUBLEPULSAR SMB backdoor. He is a co-author of the ETERNALBLUE Metasploit module and other contributions to the project. He has previously been a software engineer in the avionics and insurance industries, and his favorite IDE is still GW-Basic on DOS.

Zachary Harding
Zach Harding is a senior security analyst at RiskSense, Inc. Zach formerly served in the US Army as a combat medic. He, along with Sean Dillon and others, improved leaked NSA code to release the "ExtraBacon 2.0" Cisco ASA exploit package. He is an avid tester of every penetration tool he can get a hold of. You know the guy who's always looking for available public WiFi, or fiddling with a kiosk machine? That's Zach.

Back to top



Windows - The Undiscovered country

Friday, 14:30 to 18:30 in Octavius 4

Chuck Easttom

This workshop will explore new ways to use little known or undocumented programming techniques in a Windows system. The focus will be on methods that can be used to subvert the security of the system. For example api calls that can be used in manipulating the system or even in creating spyware. There will also be coverage of important SQL stored procedures that can be used in the same manner, for example there is an undocumented stored procedure that will blank the System Administrator password.

Prerequisites: Some knowledge of a C like programming language

Materials: Bring a laptop with some version of Windows (even on a VM is fine). A c++ compiler and or a copy of Visual C#

Max students: 72 | Registration: https://dc25_easttom.eventbrite.com (Sold out!)

Chuck Easttom
Chuck has been in the IT industry for over 25 years, he has authored 21 books, including many on computer security, forensics, and cryptography. Chuck has also authored a number of research articles related to cyber security including a few on spyware creation techniques. Mr Easttom is a frequent speaker at many security events including presenting a workshop at DefCon 2016 but also: SecureWorld Dallas, SecureWorld Houston,ISC2 Security Congress, HakonIndia, Secure Jordan, and many others.

Back to top



Subverting Privacy Exploitation Using HTTP

Friday, 14:30 to 18:30 in Octavius 5

Eijah Founder, Demonsaw

The world has become an increasingly dangerous place. Governments and corporations spend hundreds of millions of dollars each year to create new and cutting-edge technology designed for one purpose: the exploitation of our private communications. How did we let this happen? And what are we going to do about it? Are we willing to stand idly by and live in a state of fear while our freedom of speech is silently revoked? Or is there something we can do to challenge the status quo and use our skills to protect our privacy and the privacy of others?

The Hypertext Transfer Protocol (HTTP) is an application-layer protocol that's the foundation of the modern Internet. Initially created by Tim Berners-Lee in 1989, HTTP is still the most popular protocol in use today. One of the core strengths of HTTP is that it's flexible enough to transmit any type of data. HTTP is also everywhere - it's in use on desktops, mobile devices, and even IoT. Due to the ubiquitous nature of HTTP, firewalls and proxies are configured by default to allow this type of traffic through. Could HTTP be used to communicate securely while completely bypassing network management rules?

This workshop challenges the assumption that HTTP cannot guarantee confidentiality of data. It will introduce you to the HTTP protocol and demonstrate how it can be used to send data securely. We'll create command-line applications in C/C++ on Linux that will use HTTP to securely send messages across the Internet, while bypassing firewall and proxy rules. We'll use a variety of ciphers, hashes, and other cryptographic routines that are part of open-source libraries. Whether you're a professional programmer, find yourself a little rusty and want a refresher course, or even if you'd never created a secure application in C/C++ before; this workshop is for you.

Please note that this is a medium-level, technical workshop and requires that attendees have prior experience in at least one programming language, preferably C or C++. Bring your laptop, a USB flash drive, and your favorite C/C++ 11 compiler (>= gcc/g++ 4.9.2 or msvc 2015).

Prerequisites: Previous experience in at least one programming language is required. Previous experience with C/C++ and cryptography is helpful, but not required.

Materials: Laptop with Windows, Linux, or OSX. USB flash drive for saving their progress.

Max students: 90 | Registration: https://dc25_eijah.eventbrite.com (Sold out!)

Eijah
Eijah is the founder of Demonsaw, a secure and anonymous information sharing program. For the last 5 years he was also a Senior Programmer at Rockstar Games where he worked on Grand Theft Auto V. Eijah has over 15 years of software development and IT Security experience. His career has covered a broad range of Internet and mid-range technologies, core security, and system architecture. Eijah has been a faculty member at multiple colleges, has spoken about security and development at DEF CON and Hack Miami conferences, and holds a master's degree in Computer Science. Eijah is an active member of the hacking community and is an avid proponent of Internet freedom.

Back to top



Applied Physical Attacks on Embedded Systems, Introductory Version

Friday, 10:30 to 14:30 in Octavius 7

Joe FitzPatrick Instructor & Researcher, Securing Hardware

Syler Clayton Security Engineer

Chris Castellano Senior Enterprise Windows Sysadmin

This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi development board. After a brief architectural overview of each interface, hands-on labs will guide through the process understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

Prerequisites: No hardware or electrical background is required. Computer architecture knowledge, Linux internals, command-line familiarity, and low-level programming experience all very helpful but not actually required.

Materials: All equipment, including laptops, will be provided for use in the class. Students will be provided with a lab manual that includes an equipment list of all materials used for the class.

Max students: 60 | Registration: https://dc25_fitzpatrick.eventbrite.com (Sold out!)

Joe FitzPatrick
Joe (@securelyfitz) is an Instructor and Researcher at https://SecuringHardware.com (@securinghw). Joe has spent over a decade working on low-level silicon debug, security validation, and penetration testing of CPUS, SOCs, and microcontrollers. He has spent the past 5 years developing and leading hardware security related training, instructing hundreds of security researchers, pen testers, hardware validators worldwide. When not teaching Applied Physical Attacks training, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.

Syler Clayton
Syler Clayton (@SylerClayton) is known in the homebrew scene for his work reverse engineering and developing exploits for the Nintendo 3DS and Wii U. Professionally, he has spent the past 5 years as a Security Engineer doing reverse engineering, exploit development, penetration testing & software development. Since 2015, Syler has led the Red Team for the Collegiate Cyber Defense Competition At-Large regional. In his free time, Syler enjoys hacking on embedded systems in the form of video games, racing drones, virtual reality & electric longboards.

Chris Castellano
Chris Castellano (@StealthyC) is a Senior Enterprise Windows Sysadmin, with a high focus in defensive security. Pew Pew.

Back to top



Malware Triage: Malscripts Are The New Exploit Kit

Thursday, 14:30 to 18:30 in Octavius 1

Sergei Frankoff Co-Founder, Open Analysis

Sean Wilson Co-Founder, Open Analysis

Malware triage is an important function in any mature incident response program; the process of quickly analyzing potentially malicious files or URLs to determine if your organization has exposure. Traditionally malware triage has focused on exploit kits which were the initial infection vector of choice, but this is changing. In recent years malscripts and file based exploits have become an equally common initial infection vector. Often delivered via email, malscripts can take many different forms, WScript, Javascript, or embedded macros. However, the goal is always the same; obtain code execution and deliver a malicious payload.

In this workshop you will work through the triage of a live malscript sample. During this process you will identify and extract malscripts from Office documents, manually deobfuscate the malscripts, circumvent anti-analysis techniques, and finally determine the purpose of the scripts and payload in order to develop countermeasures. The focus of this process will be the intersection between the techniques used to analyze malscripts and the larger incident response process.

This workshop is aimed at junior incident responders, hobby malware analysts, and general security or IT practitioners who are interested in learning more about the malware triage process. If you have no experience with malware analysis but you have a good understanding of scripting languages like VBScript, and Javascript, and you are familiar with windows internals you should have no problem completing the workshop. Please make sure to bring a laptop that you are able to analyze malware on (we recommend using a VM). We also recommend that you have Google Chrome installed, no other tools are required to be installed prior to the workshop.

Prerequisites: None

Materials: Students must bring a laptop that they are able to analyze malware on. We strongly recommend a VM with all anti-virus software disabled.

Max students: 35 | Registration: https://dc25_frankof.eventbrite.com (Sold out!)

Sergei Frankoff
Sergei is a co-founder of Open Analysis, and volunteers as a malware researcher. When he is not reverse engineering malware Sergei is focused on building automation tools for malware analysis. Sergei is a strong believer in taking an open, community approach to combating cyber crime. He actively contributes to open source tools and tries to publish as much analysis as possible. With almost a decade of experience Sergei has held roles both, as the manager of an incident response team, and as a malware researcher.

Twitter: @herrcore
GitHub: https://github.com/herrcore and https://github.com/OALabs
Video Tutorials: https://vimeo.com/album/4455336

Sean Wilson
Sean is a co-founder of Open Analysis, and volunteers as a malware researcher. He splits his time between reverse engineering malware and building automation tools for incident response. He is an active contributor to open source security tools focused on incident response and analysis. Sean brings over a decade of experience working in a number of incident response and application security roles with a focus on security testing and threat modelling. In his free time Sean loves fly fishing.

Twitter: @seanmw
GitHub: https://github.com/idiom and https://github.com/OALabs
Video Tutorials: https://vimeo.com/album/4561104

Back to top



Practical BLE Exploitation for Internet of Things

Saturday, 10:30 to 14:30 in Octavius 1

Aditya Gupta Founder, Attify

Dinesh Shetty Security Innovation

The Practical BLE Exploitation for Internet of Things is a new training class focusing on exploiting the numerous IoT devices using BLE as the medium.

Bluetooth Low Energy (or BLE) is found in most of the popular IoT and smart devices - be it smart home automation, retail, medical devices and more. This class will go through the internals of BLE from a security perspective, and then jump right into how you could interact with BLE devices all the way to taking control over a complete IoT devices using BLE exploitation techniques.

At the end, we will also look at some of the automation tools and scripts you can use/write in order to make the process much faster - as it's required in a pentest.

Prerequisites: [+] Basic Linux knowledge [+] Interest in IoT security

Materials:- Laptop with 2 available USB ports
- 2 Ubuntu 16.04 VM instances (either one as host and one in a VM, or both inside separate VMs)
- Instructor will provide additional tools and devices to use during the workshop

Max students: 35 | Registration: https://dc25_gupta.eventbrite.com (Sold out!)

Aditya Gupta
Aditya Gupta (@adi1391) is the founder and principal consultant of Attify, a specialized IoT and mobile security firm, and a leading mobile security expert and evangelist.

He has done a lot of in-depth research on mobile application security and IoT device exploitation. He is also the creator and lead instructor for the popular training course "Offensive Internet of Things Exploitation," which has been sold out at numerous places including Black Hat US 2015, Black Hat US 2016, Brucon etc.

He is also the author of the popular Android security book "Learning Pentesting for Android Devices" that sold over 15,000 copies, since it was published in March 2014. He has also discovered serious web application security flaws in websites such as Google, Facebook, PayPal, Apple, Microsoft, Adobe and many more.

He has also published a research paper on ARM Exploitation titled "A Short Guide on ARM Exploitation." In his previous roles, he has worked on mobile security, application security, network penetration testing, developing automated internal tools to prevent fraud, finding and exploiting vulnerabilities and so on.

He is also a frequent speaker and trainer at numerous international security conferences including Black Hat, DefCon, Syscan, OWASP AppSec, PhDays, Brucon, Toorcon, Clubhack amongst others, and also provides private and customized training programmes for organizations.

Dinesh Shetty
Dinesh leads the Mobile Security Testing Center of Excellence at Security Innovation. He has performed innumerable penetration tests on Web, Mobile and IoT technologies - however his core area of expertise is Mobile and Embedded application pentesting and exploitation. He is an accomplished author and speaker, and his research has been published in multiple security zines and sites.

Dinesh Shetty has previously presented his work at security conferences around Europe, Boston, New York, Australia, India and a bunch of Middle East and South East Asia countries. He continues to enhance his knowledge by undergoing security trainings and certifications around the world.

Back to top



Scanning the Airwaves: building a cheap trunked radio/pager scanning system

Friday, 10:30 to 14:30 in Octavius 4

Richard Henderson

Bryan Passifiume

Every second of every day, radio communications are flying through the air: many cities around the world have implemented multi-million dollar trunked radio systems for their transit, municipal, public safety, police, fire and EMS radio networks. Have you ever wondered what's being said over the air? Many of these systems are easily listenable with some basic software and very inexpensive hardware dongles originally designed for capturing over-the-air television broadcasts. This workshop will walk you through the basics of trunked radio systems, how they work, and how you can set up a listening post to decode these systems and listen in. We'll also cover the legalities of listening in, and where to find information online about your local radio systems. This workshop will cover setting up and using the Trunk88 scanning software, and how to scan other conventional (non-trunked) radio systems. A free SDR USB stick will be provided to the first 35 attendees. If time permits, we will also quickly walk through scanning popular archaic pager systems like POCSAG

Prerequisites: No prerequisites required - only a desire to want to listen in on the radio systems around you, a basic understanding of radio might help, but is not essential.

Materials: Laptop with Windows installed (no guarantees a VM will work with the hardware, so set up proper dual boot on your MacBooks and Linux machines, please) Notepad, pen. The first 35 participants will be given a free SDR/DVB-T USB stick in order to participate in the practical portion of the workshop. Any attendees beyond that will need to purchase their own SDR stick at the vendor village. There should be multiple vendors selling them. No fees are required. A small capacity USB drive with all the class notes/handouts, frequency lists, and software will also be provided.

Max students: 50 | Registration: https://dc25_henderson.eventbrite.com (Sold out!)

Richard Henderson
Richard Henderson is a writer, researcher, and ham radio/electronics nerd who has worked in infosec and technology for well over a decade. Richard is currently co-authoring a book on cybersecurity for ICS/Scada systems.

Bryan Passifiume
Bryan Passifiume is a journalist, writer and photographer who covers the crime/police beat at Calgary's biggest daily newspaper. A co-founder of the alt-amateur radio group Hamsexy, he's been involved in the monitoring and radio hacking scene for nearly twenty years.

Back to top



Industrial Control System Security 101 and 201

Friday, 14:30 to 18:30 in Octavius 6

Matthew E. Luallen Executive Inventor, CYBATI

Nadav Erez Senior Researcher, Claroty's Research team

This 4-hour session is designed to arm incident response teams and security researchers with vital skills needed to monitor, analyze and respond to attacks against the unique networks that make up the backbone of the world's critical infrastructure. With recent attacks on critical infrastructure demonstrating the real and present danger to ICS networks, it is more important than ever to hone these skills and reduce the blind spots that exist for security teams. Understanding the inner workings of these networks, their unique protocols and the methods adversaries will employ to disrupt (including using legitimate commands to ICS network components) is of paramount importance as we witness an increasingly active threat landscape unfolding.

The workshop is composed of two, 2-hour sessions of ICS Fundamentals 101 and ICS Advanced 201. The two sessions step both the novice and intermediate skilled participant through the risks and mitigations of critical infrastructure and control system security.

The participant will use open source and trial editions of RexDraw, PeakHMI, NRL Core, Kali Linux, Python and Raspberry PIs.

The instructors will also perform demonstrations using real industrial devices. Participants will learn the ICS fundamentals and the value of technical, operational and physical security controls within ICS environments.

ICS 101 will guide the participants through the elements of ICS technical components (hardware, software, logic and protocols) through reversing engineering a bottling facility and a traffic light. The participants will learn about physical I/O, functional logic, industrial protocols and user interface design using the philosophy of build, break and secure. The participants will reverse a pre-built HMI user interface, OPC tag server and functional logic; break using industrial protocols overrides, MitM modifications and logic manipulations; secure using social, communication, application/os, firmware and hardware controls.

ICS 201 will teach students how to understand the content of network packet captures across a wide variety of proprietary ICS protocols. Using this understanding, we will explore in-depth the attacks and defenses demonstrated in ICS 101 to associate the value of active defense.

Participants will learn how to utilize WireShark to perform a deep packet analysis on multiple PCAPs ranging from simple to complex. Students will be taught the fundamental skills necessary for performing blind protocol analysis on proprietary ICS protocols, and learn how to create custom rules for specific addresses within the packets as well as ICS vendor specific commands. This analysis will give insight into the attacks performed, the elements manipulated and valuable tools available to actively defend the environment. Participants will gain in-depth understanding of industrial protocols and their complexity as well as detailed explanation of "behind the scenes" of ICS operations. When leaving this workshop, participants will be able to capture, and analyse industrial communication flows originating from different network segments using open source tooling (e.g. Snort, Wireshark, etc), and how to identify potential anomalous network traffic.

Prerequisites: Experience with Linux and Windows operating system administration. Experience with TCP/IP networking. Experience with Kali Linux.

Materials: A laptop with at least one USB port, 40GB of unused hard disk space, minimum of Intel i3 processor, most recent VMWare Player or equivalent VMWare product. Local administrator rights on the laptop, ability to turn off anti-virus software.

Max students: 36 | Registration: https://dc25_luallen.eventbrite.com (Sold out!)

Matthew E. Luallen
Matthew Luallen is the Executive Inventor at CYBATI, a cybersecurity education company. Mr. Luallen has provided hands-on cybersecurity consulting and education within critical infrastructure for over 20 years. During this time he has owned and sold 3 companies, developed and educated upon cybersecurity products and technical assessment methodologies, maintained CISSP and CCIE status for 16 years. Mr. Luallen's passion is education and to expand knowledge through building, breaking, securing and making.

Nadav Erez
Nadav Erez is a Senior Researcher at Claroty's Research team, leading OT protocol analysis, reverse engineering and blind protocol reconstruction. Prior to joining Claroty, Nadav served in an elite cyber unit in the Israel Defense Forces (IDF) Intelligence corps, where he led a team of cybersecurity researchers in various operations.

Back to top



Penetration Testing in Hostile Environments: Client & Tester Security

Friday, 14:30 to 18:30 in Octavius 1

Wesley McGrew Director of Cyber Operations, HORNE Cyber Solutions

Brad Pierce Director of Network Security For HORNE Cyber

Penetration testers can have the tables turned on them by attackers, to the detriment of client and tester security. Vulnerabilities exist in widely-used penetration testing tools and procedures. Testing often takes place in hostile environments: across the public Internet, over wireless, and on client networks where attackers may already have a foothold. In these environments, common penetration testing practices can be targeted by third-party attackers. This can compromise testing teams in the style of “ihuntpineapples”, or worse: quietly and over a long period of time. The confidentiality, integrity, and availability of client networks is also put at risk by "sloppy" testing techniques.

In this workshop, we present a comprehensive set of recommendations that can be used to build secure penetration testing operations. This includes technical recommendations, policies, procedures, and guidance on how to communicate and work with client organizations about the risks and mitigations. The goal is to develop testing practices that:
- ...are more professionally sound
- ...protect client organizations
- ...protect penetration testers' infrastructure, and
- ...avoid a negative impact on speed, agility, and creativity of testers

The recommendations are illustrated with entertaining and informative hands-on exercises. These include:
- Vulnerability analysis of a penetration testing device's firmware
- Quick and dirty code audits of high-risk testing tools
- Monitoring and hijacking post-exploitation command and control
- Layering security around otherwise insecure tools.

After this workshop, you will walk away with actionable recommendations for improving the maturity and security of your penetration testing operations, as well as an exposure to the technical aspects of protecting the confidentiality of sensitive client data. You will participate in hands-on exercises that illustrate the importance of analyzing your own tools for vulnerabilities, and learn how to think like an attacker that hunts attackers. You'll hear about the challenges that are inherent in performing penetration tests on sensitive client networks, and learn how to layer security around your practices to reduce the risks.

Prerequisites: To get the most out of this class, students should have the ability to read/follow code in many programming languages (C/C++, Python, PHP, etc.). Students should also be familiar with navigation and use of the Linux command line. Experience with penetration testing will be useful, but those new to penetration testing should not be discouraged. The entire point is to pick up good operational security habits.

Materials: Students who wish to participate in the hands-on exercises should bring a laptop with at least 8GB of RAM, the operating system of their choice, and VMware Workstation or Fusion installed (sign up for a trial license from VMware just before the conference, if necessary). Virtual machines will be provided on USB sneakernet, so you may prefer to bring/configure a burner laptop. One exercise uses Wi-Fi. Apart from that, everything takes place within the virtual machines, and you will be able to disconnect all of your physical networking interfaces.

Max students: 36 | Registration: https://dc25_mcgrew.eventbrite.com (Sold out!)

Wesley McGrew
Wesley McGrew oversees and participates in penetration testing in his role of Director of Cyber Operations for HORNE Cyber Solutions. He has presented on topics of penetration testing, vulnerabilities, and malware analysis at DEF CON and Black Hat USA. He teaches a self-designed course on reverse engineering to students at Mississippi State University, using real-world, high-profile malware samples. Wesley graduated from Mississippi State University's Department of Computer Science and Engineering and previously worked at the Distributed Analytics and Security Institute. He holds a Ph.D. in computer science for his research in vulnerability analysis of SCADA HMI systems.

Brad Pierce
Brad Pierce manages penetration testing engagements and network infrastructure as Director of Network Security For HORNE Cyber. He brings more than 10 years of experience in network deployment, management, support and internal customer technology support. Brad served eight years in the United States Marine Corps receiving an Honorable Discharge in 2003. Brad is a graduate of The University of Southern Mississippi with a Bachelor of Science in Business Administration with an emphasis in management information systems.

Back to top



Introduction to Practical Network Signature Development for Open Source IDS

Thursday, 14:30 to 18:30 in Octavius 6

Jack Mott Researcher, Proofpoint

Jason Williams Researcher, Proofpoint

"In "Introduction to Practical Network Signature Development for Open Source IDS" we will teach expert methods and techniques for writing network signatures to efficiently detect the greatest threats facing organizations today. This class is designed for an analyst who spends their days investigating and responding to network IDS alerts and has something everyone can take back with them-- entry level or expert. Students will gain invaluable information and knowledge including usage, theory, malware traffic analysis fundamentals, and enhanced signature writing, for Open Source IDS such as Suricata and Snort. Student will be given handouts to help them develop and read with IDS signatures. Lab exercises will train students how to analyze and interpret hostile network traffic into agile IDS rules for detecting threats, including but not limited to: Exploit Kits, Ransomware, Phishing Attacks, Crimeware Backdoors, Targeted Threats, and more. Students will leave the class armed with the knowledge of how to write quality IDS signatures for their environment, enhancing their organization's ability to respond and detect threats.

Prerequisites: Familiarity with TCP/IP, familiarity with packet analysis tools (Wireshark, etc), Basic Malware Analysis fundamentals.

Materials: Nothing required, but if the student wishes, they may bring a computer capable of analyzing PCAPs and running Snort or Suricata to follow along with the presentation. Labs are provided for after class / take home practice.

Max students: 30 | Registration: https://dc25_mott.eventbrite.com (Sold out!)

Jack Mott
Jack is a Security Researcher on the Emerging Threats Research team at Proofpoint where he spends all day long in packet-land playing with malware and writing comprehensive IDS rules for the ETPRO and OPEN ruleset. In addition to IDS sigs, writes sigs for ClamAV and Yara to hunt, detect, and analyze internet-borne threats. Jack loves analyzing exploit kits, malicious docs, and ransomware. Jack is a core member and trainer with the non-profit Open Information Security Foundation (OISF) and works closely with the developers of Suricata. Additionally, Jack has spoken at various educational institutions and information security conferences on malware related topics.

Jason Williams
Jason is a Security Researcher on the Emerging Threats Research team at Proofpoint where he flops around in a metaphorical ball pit of network packets all day and night. He works on the ETPRO and OPEN rulesets, having written over four thousand signatures. He loves turning malware inside out and fights phishers and scammers 24/7. Seriously. He hates em. I once saw him 360 noscope 3 at once. I'm getting off topic. Outside of his work automating phishing research, he also works on Red Onion - a Centos/Redhat centric NSM solution combining Suricata, Bro, and Moloch. Jason is a core member and trainer with the non-profit Open Information Security Foundation (OISF) and works closely with the developers of Suricata. Jason has trained at Derbycon and spoken at Thotcon as well as various educational institutes on forensic and malware related topics.

Back to top



Free and Easy DFIR Triage for Everyone: From Collection to Analysis

Saturday, 10:30 to 14:30 in Octavius 6

Alan Orlikoski

Dan M.

The hardest part of Digital Forensics and Incident Response (DFIR) is getting a meaningful look at "the goods". The digital artifact collection and parsing process usually requires a lot of time, money, or both. Wouldn't it be nice if there was a way to do this with a straightforward tool chain that was 100% free*, easy to setup, didn't require a PHD in coding, GitHub command mastery, and endless hours of "Where the @%^@$ did that dependency come from and how do I get it?" This course is a tutorial to the CyLR, CDQR, Forensics Virtual Machine (CCF-VM) where attendees will learn how to establish a working collection, data processing, and analysis solution for any size environment.

Attendees will setup and learn to use their own CCF-VM that includes: secure data collection from Windows and Linux Hosts, automated processing, and meaningful presentation of the data. After the data has been collected and processed, attendees will learn how to optimize dashboards for common kill chain analysis and Data Stacking.

*Your time must be worthless and your hardware free flowing

Prerequisites: Functional knowledge of Digital Forensics and Incident Response (DFIR) fundamentals including; the IR life-cycle, artifact collection and preservation, Timeline analysis, and modern threat kill chains. Attendee should have a working knowledge of network fundamentals, Windows and Linux configurations, and virtualization. Familiarization with VMWare / VirtualBox, Python, ElasticSearch, Kibana, and Plaso is ideal but not required.

Materials: A laptop capable of running either VirtualBox or VMWare software with 100GB Free HD space and; 8Gb Ram and an i5 equivalent processor (minimum), 16Gb Ram and i7 equivalent processor (preferred). All software is available from GitHub while virtual machines and data files will be available at the course. A 32Gb USB3.0 flash drive with the software, virtual machines, and data files will be made available for the attendees at a cost of $20 (materials fee).

Max students: 30 | Registration: https://dc25_orlikoski.eventbrite.com (Sold out!)

Alan Orlikoski
Alan has over 17 years of experience in both private and public sectors of the IT industry, with over 11 years of experience leading cyber security related projects. He has an extensive forensics background, written multiple open source forensic tools, profiled on the SQRRL Threat Hunter Blog, and presented at multiple security conferences. Alan has been a leader in some of the largest incident response and security operations center development programs in the history of multiple Fortune 100 companies. He also teaches Historical European Martial Arts (yup, he knows how to fight with a sword, poleaxe, spear...you get the picture)

Dan M.
Dan is a broad-spectrum technology professional with 18 years of experience, 13 in direct performance of Digital Forensics and Incident Response (DFIR). Dan has served as a contributor, Technical Lead, and Practice Lead for a Fortune 10 Incident Response service. In this role, Dan provided oversight to the goals and delivery of the service as well as a functioning as a senior incident handler and critical incident lead. Dan's investigation experience includes support for basic forensic analysis up through responses to complete enterprise breach scenarios. During this work Dan contributed to the patent development of enterprise threat intelligence sharing technologies. Dan has also been a presenter at events such as FIRST, Evanta, HTCIA, APWG, IEEE and many customer engagements.

Back to top



SDR Crash Course: Hacking your way to fun and profit

Thursday, 14:30 to 18:30 in Octavius 7

Neel Pandeya Sr. Software Engineer & Manager, Ettus Research

Nate Temple Support/Software Engineer, Ettus Research

Wireless devices and wireless systems are increasingly becoming a fundamental and integral part of our world, and are becoming more of interest to security research professionals and hobbyists alike. Software Defined Radio (SDR) is rapidly becoming the tool of choice and a necessary skill for exploring and analyzing the wireless world. There has been significant innovation and development over the past several years, and SDR hardware and software has become much more capable and accessible than at any time before.

This workshop will provide a thorough introduction to SDR and will build a solid foundation for getting started in wireless security research. We will first cover the fundamental building blocks of digital signal processing, wireless communications and SDR hardware/software. We will then walk through various hands-on interactive exercises. We will then conclude with live demonstrations of a variety of applications utilizing SDR technology.

The workshop is based on USRP hardware and GNU Radio, an open-source SDR/DSP software framework, as well as other open-source tools. Attendees do not need to pre-install anything before coming to the workshop, and will use a customized Live Linux USB image to boot from.

The workshop will consist of three sections.

In Part One, we will review the theoretical background and fundamentals of wireless communications, DSP, RF and SDR. We will then discuss in detail the software and hardware used in SDR. Next, we will provide an overview of analog and digital modulation schemes, spectrum monitoring, and the identification and analysis of signals using all open-source software.

In Part Two, attendees will be guided step-by-step in the implementation of transmitters and receivers for a variety of analog and digital wireless systems. We will then analyze, inspect and visualize real-world wireless signals such as ASK, FSK, PSK, OFDM, LTE, 802.11.

In Part Three, we will perform a live demonstration of Radio Direction Finding and a wireless Replay Attack. We will then show a demonstration of receiving and demodulating recorded GPS signals, and other satellite signals such as Outernet, APT, LRPT. We will conclude with passively detecting and identifying on-air LTE networks with SDR hardware.

Prerequisites: Attendees should have some previous experience with Linux, the Linux command line, and a programming language such as C, C++, or Python. Basic familiarity with DSP and RF fundamentals would be helpful but is not required.

Materials: Attendees should bring a laptop with at least 4 GB RAM and two USB ports, where at least one port is USB 3.0. It is recommended that you bring the most powerful laptop that you can, and in general laptops over five years old may not be suitable for the workshop. Attendees should also bring a blank USB 3.0 flash drive, with minimum capacity of 16 GB. Attendees will also be provided USRP SDR hardware to use during the workshop. Optionally, attendees are welcome to bring their own SDR hardware.

Max students: 50 | Registration: https://dc25_pandeya.eventbrite.com (Sold out!)

Neel Pandeya
Neel is a Senior Software Engineer and Manager of the Technical Support Group at Ettus Research. His background and interests are in open-source software development, Linux kernel and embedded software development, wireless and cellular communications, DSP and signal processing, and software-defined radio (SDR). He holds a Bachelor's Degree in electrical engineering (BSEE) from Worcester Polytechnic Institute (WPI), and a Master's Degree in electrical engineering (MSEE) from Northeastern University. He has an Amateur Radio License, and is aspiring to obtain a private pilot license.

Nate Temple
Nate is a Support Engineer/Software Engineer at Ettus Research working in the areas of product support and software development. His background is in Embedded Linux Development, Micro-controller Development, Web Application Development and Security. He is passionate about SDR technology and is active within the community. His general interests are programming, wireless security, amateur radio, radio direction finding, and SATCOM hunting/hacking. He has contributed to many open-source SDR software projects over the years.

Back to top



Principals on Leveraging PowerShell for Red Teams

Saturday, 14:30 to 18:30 in Octavius 4

Carlos Perez Director of Reverse Engineering

Workshop will focus on the fundamentals on how PowerShell is leveraged by an attacker in code execution and post-exploitation. We will also cover how depending the leverage of maturity of a target organization affects the techniques used and way to operate around some of the controls.

Prerequisites: Basic Windows sysadmin knowledge, basic scripting knowledge and a understanding of PowerShell Basics:

- What is PowerShell
- Cmdlets and Modules
- Using help and documentation
- Pipeline basics

Materials: Laptop with a Win10 Ent VM with Office trial (they can download the 90day demos from MS) and Sysinternals Sysmon installed.

Max students: 72 | Registration: https://dc25_perez.eventbrite.com (Sold out!)

Carlos Perez
Carlos Perez is the Director of Reverse Engineering at a security vendor and also worked as a Sr Solution Architect for a large IT Integrator in the areas of Security. He has won the Microsoft MVP award several years for his work on PowerShell and Enterprise Security. He is mostly known for his contributions to the Metasploit Framework and co-host in the Security Weekly podcast.

Back to top



Edge cases in web hacking

Saturday, 10:30 to 14:30 in Octavius 5

John Poulin Principal Application Security Consultant, nVisium

Learn how to identify, exploit, and chain web-app vulnerabilities that you don't see every day. These vulnerabilities will include Server-Side Template Injection, Serialization vulnerabilities and more. We will identify how common protection mechanisms in languages such as Ruby on Rails, Django and PHP can be bypassed/exploited.

Prerequisites: Basic experience with common web hacking, including Cross-Site Scripting, SQL Injection, Remote Code Execution and more.

Materials: Laptop with VMWare or Virtualbox.

Max students: 90 | Registration: https://dc25_poulin.eventbrite.com (Sold out!)

John Poulin
John is a Principal Application Security Consultant who specializes in web application security. John has over 9 years of experience in development, management, and code analysis of web applications. John specializes in Ruby on Rails applications, but is happy to work in any MVC framework. John is leading the development of a tool called Httpillage, which provides the ability to perform distributed attacks against web applications. He also plays a role in developing and maintaining nVisium's internal security services. John graduated from the University of Maine with a degree in Computer Science and a minor in German.

Back to top



Mobile App Attack 2.0

Friday, 10:30 to 14:30 in Octavius 6

Sneha Rajguru Security Consultant, Payatu Software Labs LLP

Mobiles Apps are the most preferred way of delivering the attacks today. Understanding the finer details of Mobile App attacks is soon becoming an essential skill for penetration testers as well as for the app developers & testers.

So, if you are an Android or an iOS User, a developer, a security analyst, a mobile pen-tester or just a mobile security enthusiast then the 'Mobile App Attack 2.0’ is of definite interest to you, as the Mobile App Attack 2.0 workshop familiarizes attendees with in-depth technical explanation of some of the most notorious mobile (Android and iOS) based vulnerabilities, ways to verify and exploit them. Along with the various Android, iOS application analysis techniques, inbuilt security schemes and teaches how to bypass those security models on both the platforms.

With live demos using intentionally crafted real-world vulnerable Android and iOS apps by the author, we shall look into the some of the common ways as to how the malicious apps bypass the security mechanisms or misuse the given permissions.

Apart from that we shall have a brief understanding of what is so special with the latest Android 7 and iOS 10 security and the relating flaws.

Prerequisites: The participants are expected to have a basic knowledge of Mobile Operating Systems. Knowledge of programming languages (Java and C, and Python for scripting) will be an added advantage to grasp things quickly.

Materials: Hardware Requirements
Minimum 4GB RAM and more than 20 GB Free Hard Disk Space
Android device ( >=2.3)
iPhone/iPad >= 7.1.2
(preferable Rooted/Jailbreak)

Software Requirements
Windows 7/8
*Nix
Mac OS X 10.5
Administrative privileges on your machines Virtualbox or VMPlayer
SSH Client
Xcode 6 or higher
ADB
Android Studio 1.3 or higher
Android SDK

Max students: 25 | Registration: https://dc25_rajguru.eventbrite.com (Sold out!)

Sneha Rajguru
Sneha works as a Senior Security Consultant with Payatu Technologies Pvt.Ltd. and holds C.E.H and E.C.S.A certifications. Her area of interest lies in Web application and mobile application security and fuzzing. She has discovered various serious application flaws within open source applications such as PDFLite.Jobberbase, Lucidchart and more. She is also an active member of Null – The open security community in India, and a contributor to regular meetups at the Pune chapter. She has spoken and provided training at GNUnify, FUDCon, Defcamp #6, DEF CON 24, BSidesLV and Nullcon 2017.

Back to top



Attacking and Defending 802.11ac Networks

Thursday, 14:30 to 18:30 in Octavius 5

Vivek Ramachandran Founder, Pentester Academy

Thomas d'Otreppe Wireless Security Researcher

802.11ac networks pose a significant challenge to existing Wi-Fi hacking tools and techniques. Unlike the previous generation of 802.11 networks, AC brings about significant complexities with features such as multi-user MIMO, advanced beamforming, up to 8 spatial streams, extremely high speeds (Gbps) and wide channel bandwidths 80-160. This workshop will help you "upgrade" your existing tools and techniques for both attacking and defending these networks. After this workshop, you will be able to create your own 802.11ac monitoring and attack platform.

Prerequisites: Working knowledge of Wi-Fi and Linux

Materials: We will be providing files which can downloaded to follow the class. Wireshark needs to be installed.

Max students: 90 | Registration: https://dc25_ramachandran.eventbrite.com (Sold out!)

Vivek Ramachandran
Vivek Ramachandran is the Founder and Chief Trainer at Pentester Academy. He discovered the Caffe Latte attack, broke WEP Cloaking, conceptualized enterprise Wi-Fi Backdoors, created Chellam - the world's first Wi-Fi Firewall and Chigula - a Wi-Fi data mining and IDS framework. He is also the author of multiple five star rated books which have together sold over 13,000+ copies worldwide and have been translated to multiple languages. Vivek started"SecurityTube.net"in 2007, a YouTube for security which current aggregates the largest collection of security research videos on the web. SecurityTube Training and Pentester Academy now serve thousands of customers from over 90 countries worldwide. Vivek's work on wireless security has been quoted in BBC online, InfoWorld, MacWorld, The Register, IT World Canada etc. places. He has spoken/trained at top conferences around the world including Black Hat USA, Europe and Abu Dhabi, Defcon, Hacktivity, Brucon and others

Thomas d'Otreppe
Thomas D'Otreppe is a wireless security researcher and author of Aircrack-ng, the most popular and complete suite of tools for WiFi network security assessments. He also created OpenWIPS-ng, an open source Wireless Intrusion Prevention System. Thomas is a contributor to the WiFi stack and toolset in Backtrack Linux, which has now become Kali Linux, the de facto top choice Linux distribution for penetration testing and vulnerability assessment across multiple technology domains. He is also known as an author of a pro-active wireless security course which has been delivered to large numbers of IT Security professionals worldwide. Thomas speaks and teaches in the Americas and Europe and is a well-known speaker at DefCon, BlackHat, DerbyCon, SharkFest, Mundo Hacker Day, BruCON and other venues

Back to top



Advanced Wireless Attacks Against Enterprise Networks

Friday, 14:30 to 18:30 in Octavius 7

Gabriel Ryan Security Consultant, Gotham Digital Science

This workshop will instruct attendees on how to carry out sophisticated wireless attacks against corporate infrastructure. Students will learn how to attack and gain access to WPA2-Enterprise networks, bypass network access controls, and explore how wireless can be leveraged as a powerful means of lateral movement through an Active Directory environment.

Topics of interest include:

- Wireless Reconnaissance and Target Identification Within A Red Team Environment
- Attacking and Gaining Entry to WPA2-EAP wireless networks
- SMB Relay Attacks and LLMNR/NBT-NS Poisoning
- Data Manipulation and Browser Exploitation Using Wireless MITM Attacks
- Downgrading Modern SSL/TLS Implementations Using Partial HSTS Bypasses
- Firewall and NAC Evasion Using Indirect Wireless Pivots

Each student will receive a course package containing a comprehensive course guide and preconfigured virtual machines. External wireless adapters and other wireless networking hardware will be provided by the instructor, and material learned in the lectures will be practiced within a realistic lab environment. The instructor will make himself available via email for questions and guidance in the weeks leading up to and following the workshop.

Prerequisites: A previous wireless security background is helpful but not required.

Materials: Students will be required to bring their own laptops capable of running virtualization software such as VMWare or VirtualBox. Other than that, I plan on providing the necessary hardware to complete the workshop. Hardware that will be provided to students includes:

- 1 TP-Link WN722N external wireless interface per student
- wireless access points

Max students: 85 | Registration: https://dc25_ryan.eventbrite.com/ (Sold out!)

Gabriel Ryan
Gabriel Ryan is a security consultant and researcher with a passion for wireless and infrastructure testing. He currently works for Gotham Digital Science at their New York office, where he provides full scope red team penetration testing capabilities for a diverse range of clients. He also contributes heavily to his company's research division, GDS labs. Previously, Gabriel has worked as a penetration tester and researcher for the Virginia-based defense contractor OGSystems, and as a systems programmer for Rutgers University. He also is a member of the BSides Las Vegas senior staff, coordinating wireless security for the event. In his spare time, he enjoys live music, exploring the outdoors, and riding motorcycles.

Back to top



Attacking Active Directory and Advanced Methods of Defense

Thursday, 10:30 to 14:30 in Octavius 4

Adam Steed Associate Director, Protiviti

Andrew Allen Senior Consultant, Protiviti

This hands on workshop teaches you how to both attack and defend Active Directory. We will start by deploying an Active Directory environment using the typical security settings found in most medium to large organizations. Participants will then learn current common methods and tools used to exploit Active Directory against their test environments. Participants will create a hardened Active Directory environment using advanced methods to secure domain controllers from attack and then try to compromise their hardened environments.

Prerequisites: A basic to intermediate understanding of how Active Directory works including day to day administration of users and implementing group policy.

Materials: All participants will need be bring a laptop to the workshop that can be used to spin up virtual machines or have access to a personal AWS or Azure instance.

Max students: 72 | Registration: https://dc25_steed.eventbrite.com/ (Sold out!)

Adam Steed
Adam Steed prides himself in not just being an Information Security professional, but has been part of the culture that has defined Defcon for the last two decades. He has over 20 years of experience in working for Financial, Websites and Healthcare organizations. Currently Adam an Associate Director at Protiviti as part of the Security and Privacy practice. He has also spoken at Bsides and other events across the United States.

Andrew Allen
Andrew Allen is a senior consultant in the IT Security and Privacy Management Practice at Protiviti. He served as an Information Assurance Security Officer in the United States Army before receiving a B.S. in Information Science and Technology from Temple University. His career has centered on penetration testing and is an offensive PowerShell enthusiast.

Back to top



Build your stack with Scapy, for fun and profit

Thursday, 10:30 to 14:30 in Octavius 7

stryngs

Jack64

zero-x

802.11 is still the Wild West in 2017. It has been around since the 90's, yet as most things with the Internet, security has always been a bolt-on addition. Through passive and active observations over the past couple years, it occurred to us that a workshop on how to abuse wifi would be interesting. This in and of itself is a spiderweb. There are so many ways to approach it; jam it, DOS it, crack it, so forth and so on.

We decided on the "ride the wave" approach. Take the existing infrastructure, and use it to your advantage by molding custom frames as you see fit. We feel this is under utilized and thus: demonstrations, beatings and examples should be given. ARP, ARP, ARP, who let the ARPs out. That is typically the battle cry for anything "LAN" these days. Pop the network, hop on the network, do your ARP, grab your MITM and go. Tried and true, it works, but it's outdated, oldskool and quite frankly, boring. Any hacker worth their salt should be able to arpspoof and ettercap. Any WIDS/WIPS should instantly lock on to what's going on and ban or alert accordingly. What we need, is a new approach.

Enter, Scapy. Without spending an hour on the wonders of Scapy and what it can do for you as a Pentester in this briefing, we'd quite frankly rather cut down to the nuts and bolts, and just, show you.

This workshop is going to center around Scapy and how you as a Pentester can use it to your advantage. Take the 802.11 and bend it to your will. Make it do your bidding and leave the SysAdmins scratching

Prerequisites: Familiarity with RFC 1149

Materials: - Laptop with bootable Linux of some variety
- Debian based is preferred
- apt is way easier than yum...
- WiFi NIC with Monitor Mode capability
- Curiosity

Max students: 85 | Registration: https://dc25_stryngs.eventbrite.com/ (Sold out!)

stryngs
stryngs has been into the scene since 2006 when he first discovered wifi. Since then he has learned and absorbed all he can. He has bothered many a person on the IRC. Though he might have perturbed you with his questions, he is grateful for the knowledge you bestowed upon him. Without the community, stryngs wouldn't be where he is today. As such, hopefully with this workshop, he is truly giving back to the community which brought him to where he is at today.

Jack64
João Pena Gil (Jack64) is a computer security researcher from Portugal, working in the field since 2015. Currently working at Checkmarx as the AppSec Analysis Team Leader by day and a Cobalt Core Researcher by night, Jack64's interests are broad in information security, ranging from networking protocols to application security and cryptography. Stryngs had a big influence in Jack64's interest in information security, sharing with him his proof-of-concept for airpwn-ng, which prompted Jack64 to learn more about 802.11 and the rest of the networking stack in general, leveraging the powerful capabilities of scapy and python. This is some of the knowledge he hopes to share in this workshop.

zero-x
Bio Coming Soon

Back to top



Hacking Network Protocols using Kali

Saturday, 14:30 to 18:30 in Octavius 1

Thomas Wilhelm Security Solutions Expert, HP Inc.

John Spearing

There are a lot of hacking tutorials on how to compromise servers, but what about network devices? In this workshop, we will demonstrate how to conduct penetration tests against a number of different network protocols, specifically those at layer 2 and 3 of the OSI model, in order to assess and circumvent the security of an organization. Participants will be able to watch a demonstration on how to leverage insecurities in different protocols, and replicate the attacks themselves in a lab environment at the workshop. In addition, we will discuss what steps network engineers can do to limit the insecurities.
This workshop will contain network devices in which participants will be able to connect to and perform the demonstrated attacks. Participation will be reduced since network equipment resources are limited, unless additional lab equipment can be procured.

Prerequisites: Since the subject matter discusses network protocols, it is required for students to understand the OSI model and specifics of well-known network protocols, particularly those found at layer 2 and layer 3 of the OSI model.

Materials: Since this is an advanced penetration testing subject, participants should have a laptop that contains an up to date Kali Linux image. In addition, if they want to participate in actual network protocol attacks, they should bring CAT5 cables for connectivity. This class will not spend time getting students online - participants should already be familiar with configuring static IP addresses and/or DHCP for their systems. Because participants will be able to connect to a lab environment with active exploits, it is suggested that students use a computer system that can be easily re-imaged at the end of the workshop.

Max students: 32 | Registration: https://dc25_wilhelm.eventbrite.com/ (Sold out!)

Thomas Wilhelm
Thomas Wilhelm has been an associate professor at an NSACAE university, who has taught information assurance for many years at both the masters and undergraduate level. He has been a penetration tester and team lead for fortune 100 companies, and spent the last 20+ years involved in information security. Thomas has written and authored numerous articles and books over the years on hacking; the latest is titled "Professional Penetration Testing (vol 2)," published by Syngress, which has been printed in multiple languages. Thomas holds two masters degrees (MSCS, MSM) and maintains the following certifications: ISSMP, CISSP, CCNP Security, SCSECA, SCNA, SCSA, IEM, IAM

John Spearing
John Spearing works in the field of network and physical security, and has obtained a Masters Degree in both Computer Science and Organizational Behavior. John is the co-founder and Operations Manager of the MSSP company known as Crystal Defense Network Information Security, located in central Colorado. John's specialty within the Information Security realm is centralized around network intrusion detection and prevention, as well as endpoint security.

Back to top



Brainwashing Embedded Systems

Thursday, 14:30 to 18:30 in Octavius 4

Craig Young Security Researcher, Tripwire

Lane Thames Security Researcher, Tripwire

JivaSecurity Research Engineer, Tripwire

Learning the secret incantations to make embedded systems carry out your will is not as hard as one might think. In the world of IoT, the hardened system is rare and most times a firmware image is more than enough to find and exploit weakness. This session explains in detail a process for going from zero-knowledge to zero-day on real-world devices without breaking a sweat. Attendees to this tutorial session will learn the ropes of firmware dissection, app decompilation, and manual fuzz testing in a hands-on hack lab. Participants will be provided with a customized Kali Linux virtual appliance and given access to several consumer devices for analysis. These techniques have been successfully employed by the author to identify over 100 CVEs on embedded/IoT devices as well as to win the 0-day and CTF tracks in the DEF CON 22 SOHOpelessly Broken router hacking competition.

Prerequisites: Intermediate *nix knowledge; proficiency with a shell (including writing BASH or similar scripts); strong understanding of HTTP. Familiarity with tools for working with HTTP is a big plus (i.e. cURL, Burp, urllib, etc)

Materials: Nothing is required but in order to make the most out of the workshop, students will want to have a laptop with an 802.11 adapter and virtualization software capable of running an x86_64 virtual machine from an OVA/OVF (e.g. VirtualBox or VMWare). Virtual machine files will be made available for download from the Internet before the workshop and it is best for participants to load the content in advance. The material will also be available on USB and a local file server.

Max students: 72 | Registration: https://dc25_young.eventbrite.com/ (Sold out!)

Craig Young
Craig Young is a computer security researcher with Tripwire's Vulnerability and Exposures Research Team (VERT). He has identified and responsibly disclosed dozens of vulnerabilities in products from Google, Amazon, IBM, NETGEAR, Adobe, HP, Apple, and others. His research has resulted in numerous CVE assignments and repeated recognition in the Google Application Security Hall of Fame. Craig's presentations on Google authentication weaknesses have led to considerable security improvements for all Google users. Craig won in track 0 and track 1 of the first ever SOHOpelessly Broken contest at DEF CON 22 by demonstrating 10 0-day flaws in SOHO wireless routers. His research into iOS WiFi problems more recently exposed CVE-2015-3728 that could allow devices to inadvertently connect to malicious hot spots. Craig has also successfully employed fuzzing techniques to find flaws in a variety of open source software including a memory corruption in MatrixSSL that could be used to achieve code execution on at least 100,000 Internet gateways.

Lane Thames
Lane Thames is a software development engineer and security researcher with Tripwire's Vulnerability and Exposure Research Team (VERT). As a member of VERT, Lane develops software that detects applications, devices, and operating systems along with vulnerability detection and management software. He also spends time looking for new vulnerabilities, contributing to the Tripwire State of Security blog, and understanding emerging cybersecurity threats. Lane received his PhD in Electrical and Computer Engineering from the Georgia Institute of Technology and has spent over 10 years working in information technology and software/hardware development. Lane worked for nCircle prior to their acquisition, and continues his research work now for Tripwire.

Jiva
Jiva is a Security Research Engineer on the Vulnerability and Exposures Research Team (VERT) at Tripwire. Prior to Tripwire, Jiva worked at Coalfire doing consulting/penetration testing, Dell SecureWorks as a network security analyst, and worked at UGA doing penetration testing on departmental web applications. Jiva went to school at the University of Georgia for a Bachelor's and Master's degree in Computer Science, and is a long time member of the CTF teams disekt and SecDawgs.

Back to top