BruCON 0x0B has ended
Thursday, October 10
 

10:30 CEST

Beautifying Binaries
Limited Capacity filling up

Analyzing a binary or firmware often starts from a more or less blank page of assembly code. Decompilers such as the Hex-Rays or Ghidra decompiler can make assembly code more readable, but if symbol information such as function names, user-defined structures or class information is missing, it can still be a mess to work through.

Enriching your project with symbol information is a lot of work, but in the end it can make the difference in achieving your reversing/bug-finding goals.

In this workshop I will present various approaches and open source tools to add symbol information to a real-world firmware, and then practise using them with the attendees inside a prebuilt virtual machine.

Speakers
Benedikt Schmotzle

After having worked in the infosec field for many years, Benedikt is currently employed as an offensive security researcher for a small German firm. He likes to figure out easier ways to tackle hard problems, which he also enjoys doing while rock climbing.


Thursday October 10, 2019 10:30 - 12:30 CEST
03. Chimay Novotel

10:30 CEST

Elastic Stack for Security Monitoring in a Nutshell
Limited Capacity full

Elastic Stack is one of the most commonly used open source data analysis and management platforms today. It quickly became popular among security professionals too, and it is also the building block of many open source and commercial SIEMs. Elastic Stack is designed for speed and ease of use; it indexes data as it is ingested (write once read many, or "WORM", storage) and it is extremely scalable and powerful, making ad-hoc queries and real-time visualization very easy.

The components in the Elastic Stack are designed to be used together and releases are synchronized to simplify the installation and upgrade process. The stack consists of:
- Beats, which is the platform for single-purpose data shippers;
- Logstash, which is a server-side data processing pipeline that ingests data from multiple sources, transforms it, and then sends it to one or more outputs ("stash");
- Elasticsearch, which is a distributed, RESTful search and analytics engine;
- Kibana, which lets users visualize data with charts, graphs, and dashboards.

During this two-hour workshop, we will see how to use Elastic Stack for security monitoring and cover the following topics:
- Beats (filebeat, winlogbeat, auditbeat, etc.)
- Logstash (input, filter, and output plugins)
- Elasticsearch (cluster, node, index, shard, mapping, search, aggregation, etc.)
- Kibana (index patterns, searches, visualizations, dashboards, etc.)
- Elastic Stack Alerting and Security (X-Pack, ElastAlert, Search Guard, ReadonlyREST, etc.)

Technical requirements for the workshop:
- A laptop with at least 8 GB of RAM and 30-50 GB of free disk space;
- VMware Workstation, VMware Fusion or VMware Player installed.

Speakers
David Szili

David Szili is managing partner and CTO of Alzette Information Security, a consulting company based in Luxembourg. David is also an instructor at SANS Institute, teaching FOR572: Advanced Network Forensics. He has more than eight years of professional experience in penetration testing...

Eva Szilagyi

Eva Szilagyi is managing partner and CEO of Alzette Information Security, a consulting company based in Luxembourg. She has more than eight years of professional experience in penetration testing, security source code review, vulnerability management, digital forensics, IT auditing...


Thursday October 10, 2019 10:30 - 12:30 CEST
05. La Trappe Novotel

10:30 CEST

Malicious RTF Document Analysis
Limited Capacity full

Rich Text Format (RTF) documents are also used to deliver a malicious payload. Unlike Word documents, they cannot contain VBA macros. To achieve code execution, malware authors have to exploit vulnerabilities, or social-engineer the recipient into executing an embedded payload.

Microsoft Equation Editor vulnerabilities are being widely exploited, and this is reflected in the increased popularity of the RTF format with malware authors.

The RTF format also lends itself to many obfuscation tricks, making the task of the analyst much harder.

In this workshop, Didier Stevens will teach you analysis of malicious RTF documents in his typical workshop style: this means hands-on, many exercises, and just a few slides.

Speakers
Didier Stevens

Didier Stevens (Microsoft MVP Consumer Security, SANS ISC Handler, Wireshark Certified Network Analyst, ...) is a Senior Analyst working at NVISO (https://www.nviso.be). Didier has developed and published more than 100 tools, several of them popular in the security community. You...


Thursday October 10, 2019 10:30 - 12:30 CEST
04. Orval Novotel

13:30 CEST

Hands on BloodHound - Intro to Cypher
Limited Capacity full

BloodHound is an open-source Active Directory object relationship graphing tool.
Initially designed for offensive purposes, it has lately become a tool of choice for defenders as well as regular admins wanting to have a clearer picture of their domains/forests.
In this session, attendees will learn the core BloodHound concepts and UI navigation, before diving into Cypher, the Neo4j database query language.

Understanding the basic Cypher syntax is important for users who want to start writing custom queries, including 'metric' queries that cannot be performed in the UI.

Various Cypher input techniques will be demonstrated, as well as a custom PowerShell tool built to interact with the BloodHound database.

## What is BloodHound?
- Intro to BloodHound & relational databases
- BloodHound node types and relationships
*Break (15 min)*
- SharpHound: harvesting and ingesting AD data
- Initial setup & sample DB
- Self discovery & UI secrets

## What is Cypher?
- Intro to the Neo4j Cypher language
- BloodHound Cypher 101
- Custom Cypher queries (UI/browser)
- Cypher over REST API
- Manipulating the BH DB with Cypher
- Advanced Neo4j syntax tricks
- Pulling AD metrics from the BH DB
- Tool demo: CypherDog

Speakers

Thursday October 10, 2019 13:30 - 17:00 CEST
06. Rochefort Novotel

13:30 CEST

Active Directory security: 8 (very) low hanging fruits and how to smash those attack paths
Limited Capacity filling up

Welcome to PacFirm, the most insecure network ever: we have a very large Active Directory environment and we do no security at all. So far, no ghost has ever hacked our corporate network (at least we hope), but our new CISO requires us to perform a security assessment.

Your mission, should you choose to accept it, is to evaluate our security level and fix the issues.

In this fully hands-on workshop, we'll guide you through 8 of the lowest-hanging-fruit weaknesses that we have witnessed during numerous penetration tests. You'll learn how to:

- Spot passwords inside user descriptions
- Find passwords on shared folders
- Spray passwords over accounts
- Quickly detect obsolete workstations and servers
- Get free password hashes by kerberoasting
- Pivot from machine to machine by reusing local credentials
- Spot machines where Domain Admins are connected
- Retrieve Domain Admins credentials in memory

CrackMapExec, PowerView, Rubeus and Mimikatz will be your best friends during this workshop.

Hands-on exercises will be performed in our lab environment with more than twenty virtual machines. For each attack, we will also discuss mitigation techniques.

This training is aimed at sysadmins or security professionals willing to start with Active Directory security and hands-on sessions. There is no specific requirement for attendees except a basic IS and infosec culture.

All attendees will need to bring a laptop capable of running virtual machines (4GB of RAM is a minimum) and an up-to-date RDP client. Each attendee will be given a USB key with a Windows virtual machine with the necessary pentesting tools to perform the lab sessions.

Speakers
Remi Escourrou

Rémi Escourrou (@remiescourrou) and Nicolas Daubresse (@nicolas_dbresse) are security consultants at Wavestone. For 4 years, they have been developing their skills as pentesters of IT infrastructure and more specifically Active Directory environments. They are also involved in...

Nicolas Daubresse


Thursday October 10, 2019 13:30 - 17:30 CEST
05. La Trappe Novotel

13:30 CEST

Malware Triage - Analyzing The Modern Malware Delivery Chain
Limited Capacity full

Speakers
Sergei Frankoff

Twitter: @herrcore
YouTube: https://www.youtube.com/oalabs
Sergei is a co-founder of Open Analysis, and volunteers as a malware researcher. When he is not reverse engineering malware, Sergei is focused on building automation tools for malware analysis. Sergei is a strong...

Sean Wilson

Twitter: @seanmw
YouTube: https://www.youtube.com/oalabs
Sean is a co-founder of Open Analysis, and volunteers as a malware researcher. He splits his time between reverse engineering malware and building automation tools for incident response. He is an active contributor...


Thursday October 10, 2019 13:30 - 17:30 CEST
04. Orval Novotel

13:30 CEST

Offensive Whiteboard Hacking for Penetration Testers
Limited Capacity full

In this 4-hour workshop we will teach you how to use threat modeling as an offensive weapon. Traditional threat modeling looks at the attacker, the asset and the system.

With offensive threat modeling we look at the defender to understand their tactics and expose weaknesses.
The workshop uses a real-world use case provided by Toreon.

The students will be challenged to perform practical threat modeling in groups of 3 to 4 people, covering the different stages of offensive threat modeling. They will analyse the weaknesses of an Internet of Things (IoT) smart home deployment. This will enable the student to better perform a penetration test, red team engagement or bug bounty.

Speakers
Sebastien Deleersnyder

Seba Deleersnyder is co-founder and CEO of Toreon and a proponent of application security as a holistic endeavor. He started the Belgian OWASP chapter, was a member of the OWASP Foundation Board and has given several public presentations on application security. Seba also co-organized...

Steven Wierckx

Steven Wierckx is a software and security tester with 15 years of experience in programming, security testing, source code review, test automation, functional and technical analysis, development, and database design. Steven shares his passion for web application security through writing...


Thursday October 10, 2019 13:30 - 17:30 CEST
03. Chimay Novotel
 
Friday, October 11
 

10:30 CEST

Digital Forensic Investigations with Tsurugi Linux
Limited Capacity full

During this workshop we will introduce the new Tsurugi Linux open source project and perform several DFIR investigations.

Memory dumps, network behaviour, malware analysis, disk image investigations and much more will be covered in the time slot.

Attendees need to download and install a Tsurugi Linux VM for this workshop. They can download the required files from: https://tsurugi-linux.org/downloads.php

Speakers
Giovanni Rattaro

Giovanni is a senior cyber security expert and manager based in Paris, a former Italian BackTrack Linux ambassador/staff member and ex DEFT Linux developer, and now the Tsurugi Linux core developer. A DFIR instructor in his free time, he has spoken at several security conferences and is passionate...

Marco Giorgi

Marco is a digital forensics examiner and computer forensics analyst. A digital forensics expert with interests in mobile forensics, malware analysis, security and the deep/dark web, he teaches forensic trainings for law enforcement and professionals. Core team member of Tsurugi Linux and...


Friday October 11, 2019 10:30 - 12:30 CEST
04. Orval Novotel

10:30 CEST

Introduction to Osquery
Limited Capacity filling up

Maintaining real-time insight into the current state of your endpoint infrastructure is crucial. It is very important from an operational, continuous security monitoring, and incident response perspective. Created by Facebook in 2014, osquery is an open-source instrumentation framework for the Windows, OS X (macOS), Linux, and FreeBSD operating systems.

Osquery exposes the operating system as a relational database and allows you to write SQL queries to explore system data. The generic SQL tables represent running processes, loaded kernel modules, open network connections, browser plugins, hardware events, file hashes, etc. These SQL tables are implemented via an easy-to-extend API; several tables already exist and more are being written. The main advantage of osquery is that it allows you to use one platform for monitoring complex operating system state across an entire infrastructure. It has a high-performance, low-footprint distributed host monitoring daemon, osqueryd, and also an interactive query console, osqueryi.

During this two-hour workshop, we will learn about osquery's capabilities and cover the following topics:
- Osquery basics (installation, osqueryi, osqueryd, osquery schema);
- SQL refresher (SELECT, FROM, WHERE, LIKE, JOIN, etc.);
- Osquery configuration (flagfile, packs, schedule, logging, file integrity monitoring, etc.);
- Fleet management (Kolide Fleet, Doorman, SGT, etc.);
- Osquery extensions.

Technical requirements for the workshop:
- A laptop with at least 8 GB of RAM and 30-50 GB of free disk space;
- VMware Workstation, VMware Fusion or VMware Player installed.

Speakers
David Szili

David Szili is managing partner and CTO of Alzette Information Security, a consulting company based in Luxembourg. David is also an instructor at SANS Institute, teaching FOR572: Advanced Network Forensics. He has more than eight years of professional experience in penetration testing...


Friday October 11, 2019 10:30 - 12:30 CEST
03. Chimay Novotel

10:30 CEST

Privilege Escalation in AWS
Limited Capacity filling up

This workshop will help users with some AWS experience to understand how to exploit AWS IAM (Identity and Access Management) configuration weaknesses in order to obtain elevated privileges. During this hands-on workshop, we will cover:

- Overview of AWS security model and how IAM works
- How users, roles, groups and policies are used by organisations to give permissions to AWS resources
- Common security weaknesses and misconfigurations that could allow privilege escalation
- How to identify and exploit these weaknesses
- Tools and resources to assist with the process

Speakers
Jay Kalsi

Jay Kalsi is a Principal Security Consultant at one of Asia Pacific's biggest financial organisations, who has focused on penetration testing of Cloud, Containerisation and Big Data deployments.


Friday October 11, 2019 10:30 - 13:30 CEST
05. La Trappe Novotel

13:30 CEST

RFID Workshop
Limited Capacity full

During this workshop we will discuss RFID implementations such as access cards and badges. We will start with some theory (about 20 minutes) describing different RFID-based products and security solutions and their inherent problems. To demonstrate the workings of RFID badges and dongles, each student will receive a package containing an Arduino clone, an RFID reader/writer and several badges to play around with.

We will help the students set up their environment and show them different ways to read and write RFID badges (13.56 MHz). Several exercises will be performed; each student will be able to try while we (myself and 1 colleague) help them out. For each exercise we will of course also provide a sample solution. Each exercise is preceded by some extra theory so that each student understands what he is trying to achieve.

We are going to show demos using RFID shields (125 kHz and 13.56 MHz) with an Arduino and/or Raspberry Pi, as well as at least one ready-made product to clone 13.56 MHz badges.

The exercises with the students will be on 13.56 MHz only, but we provide the hardware for them to use (they can keep it afterwards). We will first show them how to read the cards, then break any protection / encryption present and write a new card that can be used. For some exercises we will look at Salto locks, some custom implementations we have encountered during red teaming, and the ISO standards 14443 (on which MIFARE is built) and 15693 (on which the HID products are built). We will try to stay away from theory since that would take us too long. We had the idea to focus on MIFARE since we encounter it the most, but since we operate mostly in Belgium this might be different for an international audience; in that case, we are more than willing to change our focus.

Some of the exercises are:
- installing the development environment
- reading a badge
- writing data to a badge
- cloning a badge
- cracking a MIFARE implementation

Speakers
Steven Wierckx

Steven Wierckx is a software and security tester with 15 years of experience in programming, security testing, source code review, test automation, functional and technical analysis, development, and database design. Steven shares his passion for web application security through writing...
Alexander Hensels

Alexander Hensels is a young Security Consultant with experience as a pentester for customers in the public and private sector. He performed external intrusion tests for hosting and managed service providers and has expertise in testing the security of IoT devices for an international...


Friday October 11, 2019 13:30 - 17:30 CEST
05. La Trappe Novotel

13:30 CEST

scapy_dojo_v1
Limited Capacity full

The workshop aims to make beginners aware of and comfortable with the various facets of Scapy and its real-world uses in the various tasks of penetration testing.

The flow of the workshop will be as follows:
1. Scapy basics
2. TCP Basics
3. DHCP server
4. DHCP server flooder || DNS/MDNS
5. Crafting a layer using Scapy
6. Fuzzing protocols with Scapy
7. Covert channel using Scapy
8. Scapy-radio

Key takeaways for attendees:
- sending/receiving/displaying/modifying packets with Scapy
- implementing custom layers in Scapy
- implementing AnsweringMachines in Scapy
- constructing tools that implement some real-life examples
- simple fuzzing through Scapy and generators
- decoding live traffic with an implemented protocol

By working in Scapy, attendees will consequently also learn:
- TCP basics
- DHCP/DNS/MDNS basics
- AJP13 protocol
- fuzzing
- Scapy-radio

A prebuilt VM containing all scripts and dependencies is provided.
A work-in-progress ISO can be found at:
https://drive.google.com/open?id=1wJ9OQOAnew3upyoFdMUz1hlo0WEuogJW
(/root contains install script. /src contains scripts. python-netaddr dependency needs to be installed manually as of now with apt.)

Speakers
Rushikesh D. Nandedkar

Rushikesh is a security analyst. With more than six years of experience under his belt, his assignments have always been aimed at reducing the state of insecurity of information. His research papers were accepted at BruCON 2018, Blackhat Arsenal 2018, DEFCON 26, x33fcon...
Hugo Trovao

A researcher by passion, consultant by job, and a penetration tester by heart. Hugo finds himself at peace while poking holes in applications/networks/systems, while writing security tools tailored to the assessment's requirements, and indeed while meditating.


Friday October 11, 2019 13:30 - 17:30 CEST
03. Chimay Novotel

13:30 CEST

Wavestone ICS pentesting workshop
Limited Capacity full

ICS cybersecurity has been a "new" subject for years now, especially since Stuxnet. Has the security level of ICS improved?

Well, even if ICS are more and more interconnected, we can probably say yes for network segmentation, as well as patching. And it is mostly true for critical infrastructures that must comply with multiple laws around the world. But what about the most critical components, such as PLCs?

In this workshop, you will learn how to attack PLCs by attacking ICS protocols: a well-known legacy protocol, Modbus, as well as an open standard protocol considered the future of ICS communications, OPC-UA. And to do so, what could be better than giving you hands-on experience on real devices by hacking our model train?

We will start by defining industrial control systems and their main components, as well as explaining the key risks and vulnerabilities that affect them. We will then focus on their key assets, Programmable Logic Controllers (PLCs), and discover how they work, how they communicate and how they can be programmed, in order to learn the methods and tools you can use to p*wn them.

Then we will move on to the real world by attacking real PLCs from two major manufacturers on a dedicated setup featuring robot arms and a model train! And to conclude, probably the most difficult part: let's discuss how to secure ICS communications.

Prerequisites: a computer with 4 GB of RAM, 30 GB of disk space and VirtualBox. We will provide a virtual machine for attendees.

Speakers
Antoine Guillot

Antoine Guillot is a consultant at Wavestone, where he conducts security audits, including on ICS environments. He worked on several PLCs to test their vulnerability and developed a dedicated tool to scan and interact with OPC-UA servers. In addition, he has carried out several risk...
Arnaud Soullié

Arnaud Soullié is a manager at Wavestone, performing security audits and leading R&D projects. He has a specific interest in Active Directory security as well as ICS, two subjects that tend to collide nowadays. He teaches ICS security and pentest workshops at security conferences...


Friday October 11, 2019 13:30 - 17:30 CEST
04. Orval Novotel
 