ＨｉｄｅＺｅｒｏＯｎｅ

In this four-day course, the attendees will walk through the Purple Team Exercise Framework, learning each role that plays a part in purple team engagements. Students will learn to collect Cyber Threat Intelligence (CTI), develop and conduct Adversary Emulation plans based on gathered intelligence, then dive into detection engineering to identify and resolve missed detection opportunities. Each day is a dive into one of the roles, and the course will conclude with a capstone that puts it all together in a purple team engagement. This intermediate-level course aims to broaden the students’ understanding of purple team engagements’ different roles and responsibilities and is geared towards red teamers, blue teamers, intelligence analysts, and managers looking to expand their purple team capabilities.

This 4-day course cuts through the mystery of Cloud Services (including AWS, Azure, and G-Cloud) to uncover the vulnerabilities that lie beneath. We will cover a number of popular services and delve into both what makes them different, and what makes them the same, as compared to hacking and securing traditional network infrastructure. Whether you are an Architect, Developer, Pentester, Security or DevOps Engineer, or anyone with a need to understand and manage vulnerabilities in a Cloud environment, understanding relevant hacking techniques, and knowing how to protect yourself from them is critical. This course covers both the theory as well as a number of modern techniques that may be used to compromise various Cloud services and infrastructure. Prior pentest/security experience is not a strict requirement, however, some knowledge of Cloud Services and familiarity with common Unix command-line syntax will be beneficial.

After a sold-out course last year at Blackhat, we are back with an updated version of our course with additional coverage of ARM64, mobile browser security, and more in-depth coverage of Mobile apps and operating system security. The class starts with a basic introduction to the ARM instruction set and calling conventions followed by some reverse engineering exercises.  We then learn how to write simple exploits for the ARM64 environment. Next, we move to Mobile browser security, understand some of the browser mitigations followed by writing some simple exploits for the mobile browser. We then cover iOS and Android internals in further detail. We then discuss some of the exploitation techniques using real-world vulnerabilities (e.g., voucher_swap, checkm8, etc) followed by a walkthrough of how jailbreaks are written. We also discuss some of the common vulnerability types (Heap Overflows, Use-after-free, Uninitialized Stack variable, Race conditions). We will also look at how to build the Android kernel, customize it using Kernel tunables and then use a 1-day vulnerability to gain kernel r/w access. The training then moves on to application security based on exploiting the Damn Vulnerable iOS app, Android-lnsecureBankv2, and lnsecurePass application written by the authors of this course in addition to a broad range of other real-world applications. We then cover a variety of mitigations deployed in real-world apps and discuss how to bypass them. Slides, videos and detailed documentation on the labs will be provided to the students for practice after the class. Corellium access will be provided to students during the duration of the training course.

Syllabus

• Introduction to ARM64 and Mobile Browser Security [2 modules]
• iOS Exploitation
• Android Exploitation

Offensive Mobile Reversing And Exploitation (2021)

The NSA spent years developing Ghidra as its own internal reverse engineering suite. Now, thanks to the Technology Transfer Program, these powerful capabilities are readily available to the world. With support for dozens of architectures, Ghidra is rapidly gaining popularity as a tool of choice for analyzing compiled code. Ghidra’s extensibility through Java and Python scripting make it ideal for malware analysis and vulnerability research tasks. This class is a hands-on, example-driven introduction to reverse engineering with Ghidra. Attendees will learn the basics of using Ghidra to analyze executables before diving into examples of progressively more sophisticated reverse engineering countermeasures. As topics are introduced, students will reinforce what they’ve learned by solving reverse engineering challenges. Students may work independently or in groups to solve any of the introduced Capture the Flag style challenges. On the first day of this course, students will get familiar with Ghidra and how to create projects and import files. Students will learn how to analyze a program, follow its execution flow, and start customizing the disassembly and associated pseudocode. New for 2022, students will also get hands on time using the Ghidra’s debugger integration as well as newly updated support for binary patching. As we analyze more complicated examples, students will learn about basic tricks malware developers use to obscure functionality. We’ll look at how to identify strings being crafted within code, as well as dealing with code hidden in data sections to escape analysis. These examples will help illustrate how different options and built-in tools are used to improve analysis results. The second day brings more complicated challenges, including layered obfuscation and encryption. The lessons on this day will review in greater detail how to use the Python interpreter in Ghidra. Students will ultimately design and use custom Python scripts to analyze real malware.

BHEU21 – Reverse Engineering with Ghidra (2021)

Whether you are penetration testing, Red Teaming or trying to get a better understanding of managing vulnerabilities in your environment, understanding advanced hacking techniques is critical. This course covers a wide variety of neat, new and ridiculous techniques to compromise modern Operating Systems and networking devices. This lab also provides a view of logging and monitoring setup in a classic organization giving a birds eye view of how defenders see the attack. While prior pentest experience is not a strict requirement, familiarity with both Linux and Windows command line syntax will be greatly beneficial.