Mar 12 to Mar 13

Droid-Sec Exploitation

Instructor(s): Blessen Thomas

Description:

The Droid-Sec Exploitation training will enable attendees to master a range of Android application penetration testing techniques and exploitation methods. With the rise of IoT devices, we have also included a penetration testing methodology and case studies for smart watch (wearable) applications.

This training focuses on practical hands-on exercises against several dedicated vulnerable apps. The basic theory is explained before each do-it-yourself exercise, so attendees can test the skills they have just acquired during the course.

This two-day, fast-paced, custom-tailored flagship training program covers setting up Android pentest environments, identifying and exploiting application vulnerabilities across a variety of mobile application architectures, relevant mobile forensics, malware analysis concepts, and complementary subjects.

Key Learning Objectives:

  • Understand the Android ecosystem and application architecture
  • Identify specific threats and risks associated with the Android platform
  • Perform a hands-on penetration test and reverse engineer an Android application
  • Find vulnerabilities in real-world applications for the Android platform
  • Audit an Android application for client engagements

What not to expect:

  • Becoming an Android ninja overnight.
  • This training will help considerably in getting to the next level in Android security, but continued learning and further research in Android security will be expected.

PREREQUISITE WARNING Each class has prerequisites for software loads, and a laptop is mandatory. These individual class guides list the material students are expected to have knowledge of coming in, and the software tools that need to be pre-installed before attending, so you get the maximum benefit from the focused intermediate- or advanced-level course. Please pay particular attention to the prerequisites: the material listed there will not be reviewed in the courses and is necessary to get the maximum benefit out of these educational programs.

Course Modules:

Day 1:

Module 1: Lab setup and in-depth analysis

  • Introduction to Android security
  • Lab environment setup for Android pentest
  • Setting up Android emulator
  • Android permission model and security architecture
  • Android Debug Bridge (ADB) basics
  • "OWASP Top 10 Mobile Risks" classification of vulnerabilities
  • Android Lollipop security features
  • Threat modelling a mobile application

Module 2: Reverse engineering of Android application binaries (static analysis)

  • Unpacking APKs
  • The APK file package
  • Application components: activities, intents, services
  • Decoding XML/resource files
  • APK extraction - investigating layout, Android manifest, permissions
  • Extracting the content of the classes.dex file
  • De-compilation
  • Using Smali for in-depth analysis
  • Finding hard-coded secrets in code, such as passwords and geolocation data
  • Detecting red flags in Android Manifest file
  • Modifying Android applications to reveal sensitive info
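The manifest review in this module, as an added example that is not part of the course material or the instructor's tooling: a Python check that parses a decoded AndroidManifest.xml (the file `apktool d app.apk` writes out) and flags the red flags named above, namely the debuggable, allowBackup and usesCleartextTraffic switches and any component exported to other apps without a permission gate. The sample manifest is constructed for illustration; the package com.example.vulnbank and its component names are invented.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample, not taken from any real application. Package and
# component names are invented; the shape matches apktool's decoded output.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vulnbank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:debuggable="true" android:allowBackup="true"
      android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.vulnbank.SYNC"/>
    <receiver android:name=".OtpReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".DataProvider"
        android:authorities="com.example.vulnbank.data"
        android:exported="false"/>
  </application>
</manifest>
"""


def android_attr(elem, name):
    """Read an attribute from the android: namespace, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_launcher(component):
    """True for the app's own launcher activity, which has to be exported."""
    for cat in component.iter("category"):
        if android_attr(cat, "name") == "android.intent.category.LAUNCHER":
            return True
    return False


def is_exported(component):
    """Effective export state. An explicit android:exported wins; without it,
    a component that declares an <intent-filter> is implicitly exported
    (the pre-Android 12 default)."""
    explicit = android_attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return a list of red-flag strings found in a decoded manifest."""
    findings = []
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return ["manifest has no <application> element"]

    # Application-wide switches that should be off in a release build.
    for flag in ("debuggable", "allowBackup", "usesCleartextTraffic"):
        if (android_attr(app, flag) or "").lower() == "true":
            findings.append('application android:%s="true"' % flag)

    # Components reachable from other apps with no permission gate.
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
            continue
        if comp.tag == "activity" and is_launcher(comp):
            continue
        if android_attr(comp, "permission"):
            continue  # exported, but callers must hold a permission
        how = ("explicitly" if android_attr(comp, "exported") is not None
               else "implicitly via intent-filter")
        findings.append("%s %s exported %s without android:permission"
                        % (comp.tag, android_attr(comp, "name"), how))
    return findings


if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST):
        print(line)
```

Run it against the AndroidManifest.xml in an apktool output directory instead of the sample. The implicit-export rule matters for older targets: from Android 12 onward a component with an intent-filter must declare android:exported explicitly, so on a modern target an implicitly exported entry is a build error rather than a finding, but apps decoded from older releases still show it.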

Module 3: Insecure data storage

  • Exploring installed application files under the /data/data directory
  • The file system security model
  • Insecure file system permissions
  • Insecure storage of sensitive data in files
  • Searching inside the SD card
  • SQLite database storage & data dumping
  • Sensitive data in application shared preferences
  • Storage of sensitive data at the server side
  • Hard-coded secrets in source code
  • Sensitive data leakage via insecure log exposure
  • Poor cryptography
  • Lesser-known vulnerabilities

Module 4: Data interception and manipulation (dynamic analysis)

  • Importing SSL certificates and trusted CAs
  • Insecure session management
  • Authorization
  • Intercepting traffic from SSL-protected applications
  • Transmission of sensitive information
  • Exposing insecure traffic
  • SSL Pinning bypass techniques
  • Labs

Day 2:

Module 5: Runtime analysis

  • Attacking Android apps from the inside
  • Memory dumping and analysis
  • Analysing logs with logcat and DDMS
  • Android Hacking 101: Banking Edition
  • Real-world case study analysis

Module 6: Exploiting logic and code flaws in applications

  • Security flaws in apps with debug mode enabled
  • Android Lint usage
  • Local file inclusion/path traversal flaws
  • SQL Injection in Android applications
  • Labs

Module 7: Automated assessment with Introspy, Drozer, Mobile Security Framework (MobSF) and Xposed Framework

  • Introduction to Introspy and configuration
  • Black-box assessment using Introspy and hooking
  • Introduction to Drozer and configuration
  • Introduction to Mobile Security Framework (MobSF) and configuration
  • Automated security assessment using MobSF
  • Introduction to Xposed Framework & modules

Module 8: Android forensics

  • Extracting hidden strings, messages, logs, and sensitive information

Module 9: Android Malware Analysis

  • Introduction to Android Malware Analysis

Module 10: Analysing HTML5 applications

  • Introduction to HTML5 mobile apps
  • Common vulnerabilities in HTML5 Android apps

Module 11: IoT smart watch wearable application penetration testing

  • Introduction to Android smart watch wearable application pentests
  • Common issues in applications
  • Testing methodologies & tools of the trade

Pre-requisites:

Familiarity with the following topics is helpful but not mandatory:

  • Common security concepts or common web security issues
  • Basic knowledge of the Linux OS and network security basics

Who Should Attend:

  • Android Developers
  • Information Security Professionals
  • Mobile application vulnerability analysts and auditors
  • Mobility, mobile security and operations teams
  • Pen testers and security professionals interested in getting into Android security

What you will need to bring:

Participants are required to bring their own laptop (no netbooks, no tablets and no corporate laptops, because of the restrictions those usually enforce) with Windows 7 64-bit installed as the host OS. A minimum of 500 GB free hard disk space and 8 GB RAM are preferred, with antivirus and firewall disabled and no VPN client installed. The free version of Genymotion (https://www.genymotion.com/#!/ ) and VirtualBox (https://www.virtualbox.org/) must be installed, with display drivers updated to the latest version. Attendees must have administrator privileges, a working USB port and Wi-Fi enabled.

No need for devices, as training will be done using emulator.

Mar 10 to Mar 11

Windows Kernel Exploitation Foundations

Overview

This is a fast-paced course designed to introduce attendees to Windows kernel exploitation. We will cover the basics of Windows kernel internals and hands-on fuzzing of Windows kernel-mode drivers, then deep-dive into developing an exploit for a pool-based buffer overflow vulnerability in a kernel-mode driver.

Key Learning Objectives

Upon completion of this training, participants will be able to:

  • Know the basics of Windows internals
  • Understand how the kernel and kernel-mode drivers work
  • Understand exploitation techniques in kernel mode
  • Understand how to fuzz Windows kernel-mode drivers to find vulnerabilities
  • Understand how the Windows pool allocator works in order to write reliable exploits for complex bugs such as pool overflows and use-after-frees
  • Learn to write your own exploits for vulnerabilities found in the kernel or in kernel-mode drivers

What Not to Expect:

  • Becoming an elite kernel hacker in two or three days
  • Basics of ASM/C/Python (not covered; see the prerequisites)

Course Content

Windows Internals

  • Windows NT Architecture
  • Executive and Kernel
  • Hardware Abstraction Layer (HAL)
  • Privilege Rings

Memory Management

  • Virtual Address Space
  • Memory Pool
  • Pool Allocator

Why Attack the Kernel?

  • User Mode vs. Privileged (Kernel) Mode
  • User Mode Exploit Mitigations

Windows Driver Basics

  • I/O Request Packet (IRP)
  • I/O Control Code (IOCTL)
  • Data Buffering

Fuzzing Windows Kernel

  • IOCTL Fuzzing
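As an added example that is not part of the course material: a Python helper for the IOCTL and data-buffering topics above. It encodes and decodes control codes the way the WDK CTL_CODE macro lays them out (the transfer-type bits tell you how the I/O manager hands the user buffers to the driver, and METHOD_NEITHER means raw user-mode pointers), enumerates the vendor-defined function range a fuzzer probes when a driver's IOCTL table is unknown, and generates boundary-length input buffers for one code. The control code 0x222003 and the device name \\.\ExampleDriver are assumptions for illustration; send_ioctl only works on Windows, the rest runs anywhere.

```python
import ctypes
import sys

# Field layout of a Windows I/O control code (the WDK CTL_CODE macro):
#   bits 31..16 DeviceType | 15..14 RequiredAccess | 13..2 Function | 1..0 Method
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
FILE_DEVICE_UNKNOWN = 0x22    # device type most third-party drivers use
VENDOR_FUNCTION_MIN = 0x800   # function numbers below 0x800 are reserved for Microsoft

# Assumed values for illustration only; substitute the real device and codes.
EXAMPLE_DEVICE = r"\\.\ExampleDriver"
EXAMPLE_IOCTL = 0x222003


def ctl_code(device_type, function, method, access=0):
    """Python equivalent of CTL_CODE(DeviceType, Function, Method, Access)."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    """Split a control code into its fields. METHOD_NEITHER is the one to
    look at first: the driver receives raw user pointers and must probe and
    capture them itself."""
    return {
        "device_type": code >> 16,
        "access": ACCESS_NAMES[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHOD_NAMES[code & 0x3],
    }


def vendor_ioctl_candidates(device_type=FILE_DEVICE_UNKNOWN, function_count=64):
    """Codes to probe when the driver's dispatch table is unknown: every
    transfer method for the first `function_count` vendor function numbers."""
    return [ctl_code(device_type, fn, method)
            for fn in range(VENDOR_FUNCTION_MIN, VENDOR_FUNCTION_MIN + function_count)
            for method in range(4)]


def mutation_cases(max_len=0x2000):
    """(input_buffer, output_length) pairs for one IOCTL: boundary sizes
    around common fixed-size request structures, a 0x41 fill that is easy
    to recognise in a crash dump, and an all-zero fill for NULL handling."""
    sizes = [0, 1, 7, 8, 16, 32, 64, 128, 256, 512, 1024, 2048, 4096,
             max_len, max_len + 1]
    cases = []
    for size in sizes:
        for fill in (b"\x00", b"A"):
            cases.append((fill * size, 0))      # no output buffer
            cases.append((fill * size, size))   # output as large as input
    return list(dict.fromkeys(cases))           # drop duplicates, keep order


def send_ioctl(device_path, code, in_buf, out_len):
    """Deliver one request with DeviceIoControl. Windows only; returns
    (success, output bytes). Run it under a kernel debugger so a crash
    in the driver is caught rather than just rebooting the target."""
    if sys.platform != "win32":
        raise OSError("DeviceIoControl is only available on Windows")
    k32 = ctypes.windll.kernel32
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.DeviceIoControl.argtypes = [
        ctypes.c_void_p, ctypes.c_ulong, ctypes.c_void_p, ctypes.c_ulong,
        ctypes.c_void_p, ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong),
        ctypes.c_void_p]
    GENERIC_READ, GENERIC_WRITE, OPEN_EXISTING = 0x80000000, 0x40000000, 3
    handle = k32.CreateFileW(device_path, GENERIC_READ | GENERIC_WRITE, 0, None,
                             OPEN_EXISTING, 0, None)
    if handle == ctypes.c_void_p(-1).value:   # INVALID_HANDLE_VALUE
        raise ctypes.WinError()
    out_buf = ctypes.create_string_buffer(max(out_len, 1))
    returned = ctypes.c_ulong(0)
    ok = k32.DeviceIoControl(handle, code, in_buf, len(in_buf), out_buf, out_len,
                             ctypes.byref(returned), None)
    k32.CloseHandle(handle)
    return bool(ok), out_buf.raw[:returned.value]


if __name__ == "__main__":
    print(decode_ioctl(EXAMPLE_IOCTL))
    if sys.platform == "win32":
        for in_buf, out_len in mutation_cases():
            print(hex(EXAMPLE_IOCTL), len(in_buf), out_len,
                  send_ioctl(EXAMPLE_DEVICE, EXAMPLE_IOCTL, in_buf, out_len)[0])
```

The decode step is worth doing before any fuzzing: the method field tells you whether a crash on an oversized buffer means a pool overflow in a METHOD_BUFFERED system buffer or an unprobed user pointer in a METHOD_NEITHER handler, which are different bug classes with different exploitation paths.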

Exploitation

  • Pool Overflow

Kernel Payload

  • Escalation of Privilege Payload
  • Kernel Recovery

Miscellaneous

  • Q/A and Feedback


Who should attend?

Information security professionals, anyone with an interest in understanding Windows kernel exploitation, and ethical hackers and penetration testers looking to upgrade their skill-set to the kernel level.

Prerequisites

  • Basics of User Mode Exploitation
  • Basics of x86 Assembly and C/Python
  • Familiarity with VMware/VirtualBox
  • Familiarity with WinDbg
  • Patience

Hardware & Software Requirement

A laptop capable of running two virtual machines simultaneously (8 GB of RAM) with 40 GB of free hard drive space. Everyone should have administrator privileges on their laptop.

Mar 10 to Mar 11

Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation

HackerOne's bug hunters had earned $20 million in bug bounties by 2017 and are expected to earn $100 million by the end of 2020. HackerOne's customers include the United States Department of Defense, General Motors, Uber, Twitter, and Yahoo. This clearly shows where the challenges and opportunities for bug hunters lie in the upcoming years. This course will provide you with solid technical training by one of the top 10 HackerOne bug hunters.

Modern web applications are complex, and it's all about full-stack nowadays. That's why we will dive into full-stack exploitation so that you can master web attacks and maximize your payouts. Say "No" to classical web application hacking, and instead join this unique hands-on training to become a full-stack exploitation master.

Key Learning Objectives:

After completing this training, you will have learned about:

  • REST API hacking
  • AngularJS-based application hacking
  • DOM-based exploitation
  • Bypassing Content Security Policy
  • Server-side request forgery
  • Browser-dependent exploitation
  • DB truncation attack
  • NoSQL injection
  • Type confusion vulnerability
  • Exploiting race conditions
  • Path-relative stylesheet import vulnerability
  • Reflected file download vulnerability
  • Subdomain takeover
  • and more...

Students will be provided with a VMware image containing a specially prepared testing environment to play with the bugs. This environment is self-contained, and when the training is over students can take it home, after signing a non-disclosure agreement, to keep hacking at their own pace.

Pre-requisites:

To get the most out of this training, an intermediate knowledge of web application security is recommended. Students should be familiar with common web application vulnerabilities and have experience in using a proxy, such as Burp Suite Proxy or similar, to analyse or modify the traffic.

What you will need to bring:

Students will need a laptop with a 64-bit operating system, at least 4 GB RAM (8 GB preferred), 35 GB of free hard drive space, a USB port (2.0 or 3.0), a wireless network adapter, administrative access, the ability to turn off AV/firewall, and VMware Player/Fusion (64-bit version) installed.

Prior to the training, make sure there are no problems with running 64-bit VMs (BIOS settings changes may be needed). Please also make sure that you have Internet Explorer 11 installed on your machine or bring an up-and-running VM with Internet Explorer 11 (you can get it here: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/).

Who Should Attend:

Penetration testers, bug hunters, security researchers/consultants.
