Instructor(s): 
Blessen Thomas

Description:

The Droid-Sec Exploitation training will enable attendees to master various android application penetration testing techniques and exploitation methods. With the rise of IoT devices, we have also included IoT smart watch wearable application penetration testing methodology and case studies.

This training focuses on practical hands-on exercises on several dedicated vulnerable apps, with the basic theory explained prior to the Do-It-Yourself mind-bending exercises - enabling the attendee to test his acquired skills during the training course.

This two-day fast-paced, brain-melting, revamped, custom-tailored, flag-ship training program will include subjects such as setting up Android pentest environments, identifying and exploiting application vulnerabilities in a variety of mobile application architectures, relevant mobile forensics, malware analysis concepts, and complementary subjects.

Key Learning Objectives:

• Understand the Android ecosystem and application architecture
• Identify specific threats and risks associated with the Android platform
• Perform a hands-on penetration test and reverse engineer an Android application
• Ability to find vulnerabilities in various real world applications for the Android platform
• Ability to audit an android application for client engagements

What not to expect:

• To become Android Ninja overnight.
• Although this training will help considerably to get to the next level in Android Security, continued learning and further research in Android Security would be expected.

PREREQUISITE WARNING Each class has prerequisites for software loads and a laptop is mandatory. These individual class guides will list material the students are expected have knowledge about coming in and software tools that need to be pre-installed before attending so you get the maximum benefit from the focused intermediate or advanced level course. Please pay particular attention to the prerequisites, as the material listed there will not be reviewed in the courses, and will be necessary to get the maximum benefit out of these educational programs.

Course Modules:

Day 1:

Module 1: Lab setup and in-depth analysis

• Introduction to Android security
• Lab environment setup for Android pentest
• Setting up Android emulator
• Android permission model and security architecture
• Android Debug Bridge (ADB) basics
• "OWASP Top 10 Mobile Risks" classification of vulnerabilities
• Android Lollipop security features
• Threat modelling mobile application

Module 2: Reverse engineering of Android application binaries (static analysis)

• Unpacking APKs
• The APK file package
• Application components activity intents services
• Decoding XML/resource files
• APK extraction - investigating layout, Android manifest, permissions
• Extracting the content of the classes.dex file
• De-compilation
• Using Smali for in-depth analysis
• Finding hard-coded secrets, like geolocation, passwords in code
• Detecting red flags in Android Manifest file
• Modifying Android applications to reveal sensitive info

Module 3: Insecure data storage

• Exploring installed application files at the /data/data directory
• The file system security model
• Insecure file system permissions
• Insecure storage of sensitive data in files
• Searching inside the SD card
• SQLite database storage & data dumping
• Sensitive data in application shared preferences
• Storage of sensitive data at the server side
• Hard-coded secrets in source code
• Sensitive data leakage via insecure log exposure
• Poor cryptography
• Lesser-known vulnerabilities

Module 4: Data interception and manipulation (dynamic analysis)

• Importing SSL certificates & trusted CA's
• Insecure session management
• Authorization
• Data interception for SSL applications
• Transmission of sensitive information
• Exposing insecure traffic
• SSL Pinning bypass techniques
• Labs

Day 2:

Module 5: Analyzing runtime analysis

• Attacking Android apps from Inside
• Memory dumping and analysis
• Analysing logs by parsing logcat and ddms
• Android Hacking 101: Banking Edition
• Real time case study analysis

Module 6: Exploiting logic and code flaws in applications

• Security flaws in debug mode-enabled apps
• Android Lint usage
• Local file inclusion/path traversal flaws
• SQL Injection in Android applications
• Labs

Module 7: Automated assessment with Introspy / & Drozer /Mobile Security Framework, Xposed Framework

• Introduction to Introspy and configuration
• Blackbox approach assessment using Introspy & Hooking
• Introduction to Drozer and configuration
• Introduction to Mobile Security Framework (MobSF) and configuration
• Automated security assessment using MobSF
• Introduction to Xposed Framework & modules

Module 8: Android forensics

• Extracting hidden strings, messages, logs, and sensitive information

Module 9: Android Malware Analysis

• Introduction to Android Malware Analysis

Module 10: Analysing HTML5 applications

• Introduction to HTML5 mobile apps
• Common vulnerabilities in HTML5 Android apps

Module 11: IoT smart watch wearable application penetration testing

• Introduction to Android smart watch wearable application pentests
• Common issues in applications
• Testing methodologies & tools of the trade

Pre-requisites:

Students could be familiar with below topics but not mandatory:

• Common security concepts or common web security issues
• Basic knowledge of the Linux OS and network security basics

Who Should Attend:

• Android Developers
• Information Security Professionals
• Mobile Application Vulnerability Analyst /Auditors
• Mobility, Mobile Security & Operations Team
• Pen testers and Security professionals interested to get into Android Security

What you will need to bring:

Participants are required to bring their own laptop (no Netbooks, no tablets, no corporate laptop due to the restrictions enabled) with Windows 7 64 bit in Host machine installed. Min 500 GB free Hard disk space and 8 GB RAM preferred, with antivirus and firewall disabled. Genymotion free version installed (https://www.genymotion.com/#!/ ), Virtual box installed (https://www.virtualbox.org/), with no VPN installed. Attendees must have administrator privilege, orking USB port and wi-fi enabled. Updated to the latest display drivers.

No need for devices, as training will be done using emulator.

Pentesting and Exploiting Highly Secured Enterprise Networks is an action-packed, hands-on class, giving attendees a chance to perform real-world exploitation on Enterprise network scenarios, accompanied with practical lab exercises in a CTF-style format. The course goes far beyond simple exploitation of low-hanging fruit, and shows pentesters how to perform the abilities of an advanced attacker; finding flaws in a secured networks and calculating the business risk associated with these flaws.

This training is intended for senior/experienced pentesters. Just running a vulnerability scanner and submitting it as your report provides no real benefit to a company. This course goes far beyond your traditional pentesting courses. Real-world Enterprise networks are much more complex in nature, needing your special attention in choosing the techniques and tools that you use in order to infiltrate. A senior penetration tester must succeed where others fail. A senior pentester doesn't give up when a particular exploit is not working - they try to analyse the exploit and make modifications as necessary. They should think outside-of-the-box and come up with solutions to complex problems. They must have knowledge of all domains, and skills that range from network attacks, web attacks, scripting to system exploitation.

This training is a result of years of pentesting experience compromising some of the most highly secured networks, combined into one practical and hands-on class. This course provides in-depth knowledge of the most powerful attack vectors and provides labs to perform these attacks in numerous hands-on scenarios.

Because automation of tools is essential due to time constraints, we have included a module on Python to automate the testing of systems, services, and applications. Multiple python Modules, libraries, and debugging tools have already been written to help simplify and automate fuzzing and research. In order to reach the next level in penetration testing, one must embrace the idea of adding programming into their penetration testing toolkit. Once this power is obtained, tools can be written and shared, allowing you to build up an arsenal for reconnaissance, scanning, fuzzing, and exploitation.

Metasploit and other 3rd party tools are easily detectable by modern security solutions and they have fingerprinted quite well, so it is not possible to have an emulate modern powerful adversary using these tools - there is need for custom code. When we are using custom code that is target specific, there is no mass deployment so antivirus vendors doesn't have signature for those. Building custom scripts will also help in bypassing firewall, IDS/IPS and to evade AV. Custom script will help in post exploitation such as list patches, list users, list AD accounts in active directory, pull passwords with mimikatz, bypass UAC etc. When you are attacking, it is useful to load code into remote process and have it execute within that process' context. So for this we will use DLL injection and we will write DLL injector using Python and this will help us to evade firewalls.

As a pentester you need to be familiar with how to edit, modify and execute shellcodes and be able to understand how exploits work. There are a few scripts online which can cause harm to your system, so you need to how that script works. Metasploit's XOR, shikata_ga_gai encoders are quite well detectable by AntiVirus so we will write our own custom encoders to evade Antivirus and we will use polymorphic engines which is quite difficult to detect and fingerprint.

We will build Command and Control (C2), because network intrusion may be detected and the compromised system can be patched, or some exploits only work once, to survive the reboot. C2 will be Stealth to avoid detection by IDS, persistence to survive reboot, encryption for secure communication and minimising possibility of firewall interference.

This training has been taken by 1000+ security professionals and red team members worldwide to advance their pentesting and exploitation skills, and we have received extremely positive feedback.

The lab has real-world remote Enterprise networks, including different flavours of operating system such as windows and linux. The lab contains real world Firewalls, IDP/IPS, DMZ, Load Balancers, Web Application Firewalls, Active Directory etc. This course is for you if you want to pentest and exploit highly secured Enterprise networks using cutting edge techniques. The training includes 50+ labs and 30+ challenges inspired by real world vulnerabilities and case studies. After the training, attendees will get 1-month remote lab access free, with an additional 20 challenges, 5+ hours of HD videos of training walkthrough, and pre-access to videos on basic Assembly Language and Python Scripting which will help them in class.

Key Learning Objectives:

• Python programming for Scanning, Fuzzing, Keylogging, Sandbox detection etc
• Learn to use custom code in post exploitation to bypass firewall, IDS/IPS and to evade Anti Virus
• Write your own custom encoders using shellcoding
• Learn to write Python DLL Injector which will allow us to load code into remote process and have it execute within process' context to evade firewall
• Read, edit, modify, execute scripts / shellcode downloaded from internet
• Learn how to port exploit using Powershell
• Build Command and Control (C2) infrastructure using different payload delivery methods such as VBA, Client-side exploits, HTML etc.

Training Outline:

Day 1:

• Advanced Information Gathering, Network Scanning, Enumeration, Stealth Scanning Strategies
• Adding custom Nmap scripts to your arsenal
• Assessing Routers - Router scanning analysis, iptables network analysis
• Evaluating switches - VLAN Hopping attacks, GARP attacks, Layer two attacks
• Working with Virtual Switches Evasion
• Attacking the Thin Clients
• Capturing Traffic to uncover network secrets
• Mimikatz to recover clear text passwords
• Faster and smarter password cracking

Day 2:

• Detecting Honeypot
• Bypassing DMZ
• Exploit routing protocol implementations
• Bypass different types of Network Access Control (NAC) implementations
• Firewalls - Mapping beyond firewall, Firewall identification, Evading Firewalls
• Intrusion Detection System / Intrusion Prevention System (IDS/IPS) - IDS/IPS identification, Evading IDS/IPS
• Antivirus - Bypassing Antivirus using different framework, Evading detection and blocks from the different endpoint protection mechanisms that may encounter during your testing, Generating compiled python executable from the raw the shellcode from Veil framework
• Identification and Enumeration of internal network hosts
• Detection of Web Application Firewall and Load Balancers
• Bypassing Web Application Firewalls (WAF) - Tricks to Penetrate Firewall

Day 3:

• Client Side Exploitation - Backdooring Executable Files, Attacking a System using Hostile Scripts
• Advanced client side exploitation with BeEF
• DLL Injection
• Python programming - Extending Burp Proxy, Scanning, Fuzzing, Keylogging, Sandbox detection
• Bypass Linux service lockdown - AppArmor
• Bypass Windows service lockdown - AppLocker
• Windows Domain Attacks - Modern Enumeration of Windows Environments, Controlling the Domain, Authentication Protocol Downgrade Attacks, Breaking from Restricted Desktops
• Active Directory Domain Enumeration
• Active Directory Exploitation
• Kerberos Vulnerabilities - Golden tickets, Silver tickets, Pass-The-Ticket and more

Day 4:

• Attacking Domain Controller
• Abusing Cross Domain Trusts
• Bypassing Windows User Account Control (UAC)
• WMI Attacks - Lateral Movement, Backdoors, persistence etc.
• Powershell - Client Side Attacks, porting exploits to powershell, privilege escalation, getting system secrets
• Pentester's guide to Pivoting
• Advanced methods for privilege escalation
• Shellcoding
  • Writing your own shellcode for Bind and Reverse TCP, Egg Hunter etc.
  • Use and modify 3rd party shellcode for fun and profit
  • Write your own Encoders, Decoders, Crypters to evade AntiVirus
• Create Polymorphic and Mutation code
• Buid Command and Control (C2) infrastructure for stealth, Remote File Access, Remote Command Execution

Attendee requirements for this training:

• Modern laptop with wireless networking capabilities and have admin/root access on it. (64-bit Machine)
• Minimum 4 GB RAM installed
• At least 40 GB HD Free
• VMware Workstation / Fusion installed

Pre-requisites:

• Basic Networking knowledge
• Basic Windows and Linux command-line Skills
• Penetration Testing Experience
• Basic Assembly Language knowledge (Videos will be provided 1 month before the training)
• Scripting knowledge in Python (Videos will be provided 1 month before the training)

Who should attend this training:

• Pentesters who want to take their skills to the next level
• Security Professionals and Red teamers
• Blue teamers who want to defend their environment
• Network / System Admins

This class is designed to introduce students to the best tools and technology available for automating vulnerability discovery and crash triage with a focus on delivering a practical approach to applying this technology in real deployments at any scale.

Through an applied understanding of introductory program analysis and binary translation, techniques for finding various bug classes and methods for improved crash debugging will be discussed. We will analyse the properties of memory corruption from integer overflows, uninitialized variables, use-after-free and look at applying tools such as compiler plugins, binary instrumentation frameworks, memory debuggers, and fuzzers to discovering each one.

Next take a deep dive into fuzzing, covering all aspects of this practical approach to finding bugs. As the most approachable and versatile of the available tools, the student will apply various fuzzing techniques to several real-world pieces of software. Students will learn strategies for analysing attack surface, writing grammars, and generating effective corpus. We will explore in detail the latest innovations such as harnessing code coverage for guided evolutionary fuzzing and symbolic reasoning for concolic fuzzing.

We approach crash analysis through the lens of scriptable debuggers and program analysis. We will once again look at properties of how memory corruption manifests in a crashing condition. We will apply tools like reverse debugging and memory debugging scripts to assist in interactively diagnosing root cause of crashes. Then we will leverage the power of dynamic taint tracking and graph slicing to help isolate the path of user controlled input in the program and identify the exact input bytes influencing a crash. Lastly, we will look at possible ways to aid in determining severity of a vulnerability.

This class will focus on x86/x64 architecture and target Windows and Linux environments, however some discussion regarding applications to ARM and mobile platforms will also be included and all of the concepts if not the direct tools will be useful in other environments.

Key Learning Objectives:

• Learn an effective strategy for using the latest tools & technology to discover vulnerabilities
• Understand applications of static analysis for bug hunting
• Learn how to decompose programs and analyze them with powerful frameworks
• Learn how to write basic clang-analyzer plugins
• Introduction to intermediate languages for program analysis
• Introduction to graph search, transformation, and slicing
• Leverage dynamic binary translation for efficient tracing and deep program inspection
• Master the latest fuzzing techniques and strategies for file and network fuzzing
• Learn grammar fuzzing, evolutionary fuzzing, in-memory fuzzing, and symbolic fuzzing
• Best practices for corpus generation, fuzzer deployment, and targeting
• Apply powerful techniques like taint analysis and graph slicing towards crash analysis

PREREQUISITE WARNING Each class has prerequisites for software loads and a laptop is mandatory. These individual class guides will list material the students are expected have knowledge about coming in and software tools that need to be pre-installed before attending so you get the maximum benefit from the focused intermediate or advanced level course. Please pay particular attention to the prerequisites, as the material listed there will not be reviewed in the courses, and will be necessary to get the maximum benefit out of these educational programs.

Course Modules:

Day 1: Program Analysis

Morning:

• Strategies for automating vulnerability discovery
  • Analyze properties of memory corruption vulnerabilities
  • Understand capabilities and applications of program analysis
• Programmatic analysis of C/C++ source code
  • Introduction to advanced pattern matching and AST search
  • Introduction to using dataflow analysis for bug detection

Afternoon:

• Clang based programmatic analysis of C/C++ source code
  • Introduction to writing clang plugins
  • Exercises: writing clang plugins

Day 2: Dynamic Binary Instrumentation

Morning

• Introduction to Dynamic Binary Translation
  • Effectively instrument Linux and Windows with binary translation
  • Introduction to Valgrind and Dr. Memory
• Dynamic Binary Translation APIs
  • Introduction to PIN, DynamoRIO, and Dyninst internals
  • Exercises: code coverage plugin development

Afternoon

• Dynamic memory analysis for vulnerability detection
  • Heap overflow detection
  • Use-after-free detection
  • Exercises: memory debugging plugin development
• Taint analysis
  • Introduction to Dynamic Taint Analysis
  • Introduction to dynamic taint analysis with BAP
  • Exercises: using and processing taint traces

Day 3: Fuzzing & Triage I

Morning:

• Attack surface analysis for blackbox vulnerability research
  • Enumerating trust boundaries
  • Enumerating inputs
  • Leveraging graph reachability analysis
  • Exercises: reachability analysis
  • Best practices for generational and mutational fuzzing
  • Triggering vulnerabilities through fuzzing
  • Effective mutation engines
  • Effective corpus generation
  • Creating protocol and file format grammars
  • Crash detection
  • Exercises: generational fuzzing

Afternoon:

• Evolutionary fuzzing
  • Code coverage driven fuzzing
  • Modifying targets for optimal evolutionary fuzzing
  • Best practices for high performance
  • Exercises: evolutionary fuzzing binary and source targets
• Interactive and scripted crash debugging
  • Root cause identification for memory corruption bug classes
  • Memory debuggers and code coverage
  • Debugger plugins and scripting APIs
  • Reverse debugging
  • Exercises: debugger scripting

Day 3: Fuzzing & Triage II

Morning:

• Advanced fuzzing
  • Fuzzing kernels and other architectures with QEMU
  • Hybrid fuzzing with concolic execution
  • Browser and language interpreter fuzzing
  • Exercises: concolic, browser, and interpreter fuzzing

Afternoon:

• Advanced crash analysis
  • Dynamic taint analysis and graph slicing
  • Forward symbolic execution for exploitability analysis
  • Exercises: debugging with taint slicing and symbolic execution

Pre-requisites:

Students should be prepared to tackle challenging and diverse subject matter and be comfortable writing functions in in C/C++ and python to complete exercises involving completing plugins for the discussed platforms. Attendees should have basic experience with debugging native x86/x64 memory corruption vulnerabilities on Linux or Windows.

What you will need to bring:

Students should have the latest VMware Player, Workstation, or Fusion working on their machine.

Who Should Attend:

This class is meant for professional developers or security researchers looking to add an automation component to their software security analysis. Students wanting to learn a programmatic and tool driven approach to analysing software vulnerabilities and crash triage will benefit from this course.

Overview

This is a fast paced course designed to introduce attendees to Windows Kernel Exploitation. We will cover the basics of Windows Kernel Internals and hands-on fuzzing of Windows Kernel Mode drivers. We will deep-dive into exploit development of Pool based buffer overflow vulnerability in Kernel driver.

PREREQUISITE WARNING Each class has prerequisites for software loads and a laptop is mandatory. These individual class guides will list material the students are expected have knowledge about coming in and software tools that need to be pre-installed before attending so you get the maximum benefit from the focused intermediate or advanced level course. Please pay particular attention to the prerequisites, as the material listed there will not be reviewed in the courses, and will be necessary to get the maximum benefit out of these educational programs.

Key Learning Objectives

Upon completion of this training, participants will be able to:

• Know the basics of Windows Internals
• Understand how kernel and kernel mode driver works
• Understand exploitation techniques in kernel mode
• Understand how to fuzz Windows Kernel mode drivers to find vulnerabilities
• Understand how Windows Pool Allocator works in order to write reliable exploit for complex
• Deal with bugs like Pool Overflow(s) and Use After Free(s)
• Learn to write your own exploits for the found vulnerabilities in Kernel or Kernel mode drivers

What Not to Expect:

• Becoming an elite Kernel Hacker in two/three day(s)
• Basics of ASM/C/Python

Course Content

Windows Internals

• Windows NT Architecture
• Executive and Kernel
• Hardware Abstraction Layer (HAL)
• Privilege Rings

Memory Management

• Virtual Address Space
• Memory Pool
• Pool Allocator

Why to Attack Kernel?

• User Mode vs Privileged Mode
• User Mode Exploit Mitigations

Windows Driver Basics

• I/O Request Packet (IRP)
• I/O Control Code (IOCTL)
• Data Buffering

Fuzzing Windows Kernel

• IOCTL Fuzzing

Exploitation

• Pool Overflow

Kernel Payload

• Escalation of Privilege Payload
• Kernel Recovery

Miscellaneous

• Q/A and Feedback

Who should attend? Information Security Professionals, anyone with an interest in understanding Windows Kernel exploitation, Ethical Hackers and Penetration Testers looking to upgrade their skill-set to the kernel level. 

Prerequisites

• Basics of User Mode Exploitation
• Basics of x86 Assembly and C/Python
• Familiarity with Vmware/VirtualBox
• Familiarity with WinDbg
• Patience

Hardware & Software Requirement

A laptop capable of running two virtual machines simultaneously (8 GB of RAM) and 40 GB free hard drive space. Everyone should have Administrator privilege on their laptop.

HackerOne's bug hunters have earned $20-Million in bug bounties by 2017, and are expected to earn $100-Million by the end of 2020. Some of HackerOne's customers include the United States Department of Defense, General Motors, Uber, Twitter, and Yahoo. This clearly shows where the challenges and opportunities are for bug hunters in the upcoming years. This course will provide you with a solid technical training by one of the Top 10 HackerOne bug hunters.

Modern web applications are complex, and it's all about full-stack nowadays. That's why we will dive into full-stack exploitation so that you can master web attacks and maximize your payouts. Say "No" to classical web application hacking, and instead join this unique hands-on training to become a full-stack exploitation master.

Key Learning Objectives:

After completing this training, you will have learned about:

• REST API hacking
• AngularJS-based application hacking
• DOM-based exploitation
• Bypassing Content Security Policy
• Server-side request forgery
• Browser-dependent exploitation
• DB truncation attack
• NoSQL injection
• Type confusion vulnerability
• Exploiting race conditions
• Path-relative stylesheet import vulnerability
• Reflected file download vulnerability
• Subdomain takeover
• and more...

Students will be provided with a VMware image with a specially prepared testing environment to play with the bugs. This environment will be self-contained, and when the training is over students can take it home to hack again at their own pace, after signing a Non-disclosure Agreement.

PREREQUISITE WARNING Each class has prerequisites for software loads and a laptop is mandatory. These individual class guides will list material the students are expected have knowledge about coming in and software tools that need to be pre-installed before attending so you get the maximum benefit from the focused intermediate or advanced level course. Please pay particular attention to the prerequisites, as the material listed there will not be reviewed in the courses, and will be necessary to get the maximum benefit out of these educational programs.

Pre-requisites:

To get the most out of this training, an intermediate knowledge of web application security is recommended. Students should be familiar with common web application vulnerabilities and have experience in using a proxy, such as Burp Suite Proxy or similar, to analyse or modify the traffic.

What you will need to bring:

Students will need a laptop with a 64-bit operating system, at least 4 GB RAM (8 GB preferred), 35 GB free hard drive space, USB port (2.0 or 3.0), wireless network adapter, administrative access, ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version).

Prior to the training, make sure there are no problems with running 64-bit VMs (BIOS settings changes may be needed). Please also make sure that you have Internet Explorer 11 installed on your machine or bring an up-and-running VM with Internet Explorer 11 (you can get it here: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/).

Who Should Attend:

Penetration testers, bug hunters, security researchers/consultants.

"There's an Intel on every desktop, but an ARM in every pocket." ARM has emerged as the leading architecture in the Internet of Things (IoT) world. The ARM IoT Exploit Laboratory is a 4-day intermediate (approaching advanced) level class intended for students who want to take their exploit writing skills to the ARM platform. The class covers everything from an introduction to ARM assembly all the way to Return Oriented Programming (ROP) on ARM architectures. Our lab environment features hardware and virtual platforms for exploring exploit writing on ARM based Linux systems and IoT devices. The class concludes with an end-to-end "Firmware-To-Shell" hack, where we extract the firmware from a popular SoHo router and an IP Camera, build a virtual environment to emulate and debug them, and then build exploits to gain a shell on the actual hardware devices. The 4-day format features lots of hands-on exercises allowing students to internalise concepts taught in class.

This class is perfectly suited for students who are keen to dive into the world of modern ARM exploit development. As with the popular Exploit Laboratory, all topics are delivered in a down-to-earth, learn-by-example methodology. The same trainers who brought you The Exploit Laboratory for over 12 years, have been working hard in putting together an all new class based on past feedback!

PREREQUISITE WARNING Each class has prerequisites for software loads and a laptop is mandatory. These individual class guides will list material the students are expected have knowledge about coming in and software tools that need to be pre-installed before attending so you get the maximum benefit from the focused intermediate or advanced level course. Please pay particular attention to the prerequisites, as the material listed there will not be reviewed in the courses, and will be necessary to get the maximum benefit out of these educational programs.

Learning Objectives

• Introduction to the ARM CPU architecture
• Exploring ARM assembly language
• Understanding how functions work in ARM
• Debugging on ARM systems
• Exploiting Stack Overflows on ARM
• Writing ARM Shellcode from the ground up
• Introduction to Return Oriented Programming
• Bypassing exploit mitigation using ROP
• Practical ARM ROP
• An Introduction to firmware extracting
• Emulating and debugging a SoHo router's firmware in a virtual environment
• "Firmware-To-Shell" - exploiting an actual SoHo router
• "Firmware-To-Shell" - exploiting an actual IP camera
• The Lab environment is a mixture of physical ARM hardware and ARM virtual machines.

Students will be provided with all the lab images used in the class. The ARM IoT Exploit Laboratory uses a "Live Notes" system that provides a running transcript of the instructor's system to all the students. Our lab environment, plus about 700MB of curated reading material, will be made available to all attendees to take with them and continue learning after the training ends.

TARGET AUDIENCE

• Past x86 Exploit Laboratory students who want to take their elite exploitation skills to the ARM platform
• Pentesters working on ARM embedded environments. (SoCs, IoT, etc)
• Red Team members, who want to pen-test custom binaries and exploit custom built applications
• Bug Hunters, who want to write exploits for all the crashes they find
• Members of military or government cyberwarfare units
• Members of reverse engineering research teams. - People frustrated at software to the point they want to break it!

PREREQUISITES

• A conceptual understanding of how functions work in C programming
• Knowledge of how a stack works, basic stack operations
• Familiarity with debuggers (gdb, WinDBG, OllyDBG or equivalent)
• Not be allergic to command line tools
• Have a working knowledge of shell scripts, cmd scripts or Perl
• If none of the above apply, then enough patience to go through the pre-class tutorials.

Course Outline

DAY 1

• Introduction to the ARM CPU architecture
• Exploring ARM assembly language
• EXERCISE - Examples in ARM Assembly Language
• Debugging on ARM systems
• Understanding how functions work in ARM
• Exploiting Stack Overflows on ARM
• EXERCISE - ARM Stack Overflows

DAY 2

• Writing ARM Shellcode from the ground up
• Simple ARM Shellcode
• Complex ARM Shellcode
• Shellcode optimization and avoiding NULL bytes
• EXERCISE - Embedded Web Server exploit
• Introduction to Exploit Mitigation Techniques (XN/DEP and ASLR)
• Introduction to ARM Return Oriented Programming
• Bypassing exploit mitigation on ARM using ROP
• ARM ROP Tools
• EXERCISE - Searching for ARM ROP Gadgets

DAY 3

• Practical ROP Chains on ARM
• EXERCISE - Exploit featuring ARM ROP Chains
• Bypassing ASLR
• EXERCISE - End to end exploit with ASLR and XN/DEP bypass

DAY 4

• An Introduction to firmware extracting
• Emulating and debugging a SoHo router's firmware in a virtual environment
• "Firmware-To-Shell" - exploiting an actual SoHo router
• EXERCISE - Attacking a DLINK DIR-880L ARM Router - from firmware to shell
• EXERCISE - Attacking a Trivision ARM IP Camera - from firmware to shell

REQUIREMENTS

The following tutorials have been specially prepared to get students up to speed on essential concepts before coming to class. 
a) Operating Systems - A Primer b) How Functions Work c) Introduction to Debuggers

HARDWARE REQUIREMENTS:

• A working laptop (no Netbooks, no Tablets, no iPads)
• Intel Core i3 (equivalent or superior) required
• 8GB RAM required, at a minimum
• Wireless network card
• 40 GB free Hard disk space
• If you're using a new Macbook or Macbook Pro, please bring your dongle-kit

SOFTWARE REQUIREMENTS:

• Linux / Windows / Mac OS X desktop operating systems
• VMWare Player / VMWare Workstation / VMWare Fusion MANDATORY
• Administrator / root access MANDATORY

For the last few years we have taught iOS and OS X kernel exploitation to a wide variety of students. As Apple keeps adding new security mitigations into the kernel or changes how security relevant implementations like how the kernel heap works, we have continued to update our course curriculum. For 2018 we went a step further, and for the first time in the history of our courses, we are offering an advanced version of our kernel exploitation course that builds on top of our previous courses.

In this advanced course, we will focus less on what security features were added by what iOS version, and more on questions and topics that arise during the development of kernel exploits for real kernel vulnerabilities that were made public in 2017.

During the training we will make available devices on iOS 11.0 to perform the hand on tasks, because they can only be performed on devices having vulnerabilities.

PREREQUISITE WARNING Each class has prerequisites for software loads and a laptop is mandatory. These individual class guides will list material the students are expected have knowledge about coming in and software tools that need to be pre-installed before attending so you get the maximum benefit from the focused intermediate or advanced level course. Please pay particular attention to the prerequisites, as the material listed there will not be reviewed in the courses, and will be necessary to get the maximum benefit out of these educational programs.

Topics

Introduction:

• How to set up your Mac and iOS Device for Vuln Research/Exploit Development
• How to load own kernel modules into the iOS kernel
• How to write Code for your iDevice

Low Level ARM64:

• Low level ARM64 features required for exploitation
• Hardware Assisted Security Mitigations (iPhone 7+)

iOS Kernel Debugging:

• Panic Dumps
• Working around the lack of KDP Kernel Debugging
• Kernel Heap Debugging/Visualization

iOS Kernel Vulnerability Types

• Discussion of different kernel vulnerability types
• Exploitation strategies for different types

iOS Kernel Heap Exploitation:

• How the iOS 11 Kernel Heap works
• Controlling the Kernel Heap on iOS 11
• Exploitation of Kernel Heap Vulnerabilities on iOS 11

iOS Kernel Exploit Mitigations

• Discussion of Mitigations and how to bypass them in exploits
• Discussion of Kernel Patch Protection

iOS Kernel Vulnerabilities

• Discussion and exploitation of several Kernel Vulnerabilities from (end) 2016 - (beginning) 2018

iOS Kernel Jailbreaking

• What was patched in earlier jailbreaks
• Data-only workarounds for previous patches

Pre-requisites

Students must have prior knowledge in exploitation (basics will not be taught) and must be capable of understanding/programming exploits in C. Students will get an introduction into low level ARM/ARM64 as part of the course.