ＨｉｄｅＺｅｒｏＯｎｅ

The NSA spent years developing Ghidra as its own internal reverse engineering suite. Now, thanks to the Technology Transfer Program, these powerful capabilities are readily available to the world. With support for dozens of architectures, Ghidra is rapidly gaining popularity as a tool of choice for analyzing compiled code. Ghidra’s extensibility through Java and Python scripting make it ideal for malware analysis and vulnerability research tasks. This class is a hands-on, example-driven introduction to reverse engineering with Ghidra. Attendees will learn the basics of using Ghidra to analyze executables before diving into examples of progressively more sophisticated reverse engineering countermeasures. As topics are introduced, students will reinforce what they’ve learned by solving reverse engineering challenges. Students may work independently or in groups to solve any of the introduced Capture the Flag style challenges. On the first day of this course, students will get familiar with Ghidra and how to create projects and import files. Students will learn how to analyze a program, follow its execution flow, and start customizing the disassembly and associated pseudocode. New for 2022, students will also get hands on time using the Ghidra’s debugger integration as well as newly updated support for binary patching. As we analyze more complicated examples, students will learn about basic tricks malware developers use to obscure functionality. We’ll look at how to identify strings being crafted within code, as well as dealing with code hidden in data sections to escape analysis. These examples will help illustrate how different options and built-in tools are used to improve analysis results. The second day brings more complicated challenges, including layered obfuscation and encryption. The lessons on this day will review in greater detail how to use the Python interpreter in Ghidra. Students will ultimately design and use custom Python scripts to analyze real malware.

BHEU21 – Reverse Engineering with Ghidra (2021)

Whether you are penetration testing, Red Teaming or trying to get a better understanding of managing vulnerabilities in your environment, understanding advanced hacking techniques is critical. This course covers a wide variety of neat, new and ridiculous techniques to compromise modern Operating Systems and networking devices. This lab also provides a view of logging and monitoring setup in a classic organization giving a birds eye view of how defenders see the attack. While prior pentest experience is not a strict requirement, familiarity with both Linux and Windows command line syntax will be greatly beneficial.

This is a hand-on practical concentrated course on securing and attacking web and cloud APIs. APIs are everywhere nowadays: In web apps, embedded systems, enterprise apps, cloud environments and even IoT, and it is becoming increasingly necessary to learn how to defend, secure and attack API implementation and infrastructure. This training aims to engage you in creating secure modern APIs, while showing you both new and old attack vectors.

Syllabus

Defending and attacking Web APIs (REST, GraphQL..etc)
Attacking and securing AWS APIs and infrastructure.
Launching and mitigating modern Injection attacks (SSTI, RCE, SQLi, NoSQLi, Deserialization & object injection)
Deploying practical cryptography.
Securing passwords and secrets in APIs.
API authentication and authorization.
Targeting and defending API architectures (Serverless, web services, web APIs)
Securing development environments.

Attacking and Securing APIS (2021)

To achieve maximum stealth and obtain unabated access to the system, rootkits execute in kernel mode. This course focuses on the kernel interfaces (APIs), data structures and mechanisms that are exploited by rootkits to achieve their goals at every stage of their execution. Kernel security enhancements that have been progressively added from Windows 7 to the latest version of Windows are discussed along with some circumvention techniques. This advanced course provides a comprehensive end-to-end view of the modus-operandi of rootkits by taking an in-depth look at behind the scenes working of the Windows kernel and how these mechanisms are exploited by malware through hands-on labs and real-world case studies. Kernel security enhancements that have been progressively added to Windows are discussed along with some circumvention techniques. Attendees will study key techniques used by rootkits to understand the real-world applicability of these concepts for offensive and defensive purposes. This training is beneficial to anyone responsible for developing, detecting, analyzing, and defending against rootkits and other Windows kernel post-exploitation techniques including EPP/EDR software developers, anti-malware engineers, security researchers, red/blue/purple teamers. A special version of this training is also available for malware, rootkit forensics analysts where the focus is not on implementing rootkit functionality but rather on investigating rootkits using tools such as WinDBG and Volatility. This analyst version does not require attendees to have a programming background and contains topics related to rootkit detection and case studies.

User mode malware on Windows is ubiquitous and custom user mode implants are used regularly in red-team engagements. Knowledge of the latest malware techniques helps red teamers improve their custom tooling, malware analysts in taking apart malware, and anti-malware solution developers in designing behavioral solutions to detect malicious activity. The common theme amongst all Windows malware and implants is that they abuse the facilities provided by the Windows platform to achieve their objectives. Knowledge of the rich set of Windows APIs, understanding their usage in various stages of an implant, and leveraging them to detect and bypass various defenses in the system is essential for red and blue teamers. This training course takes attendees through a practical journey with a hands-on approach to teach them about the post-exploitation techniques used by PE file-based implants at every stage of their execution. Beneficial to both the offensive and the defensive side of the camp, the knowledge and hands-on experience gained in this training will help attendees with real-world red teaming engagements and in defending against both custom advanced persistent threat (APT) tooling and common-off-the-shelf (COTS) malware. Attendees will learn about how malware and implants interact with the latest version of Windows and how the different stages of malware abuse and exploit various components of Windows OS to achieve their goals and evade defenses.