Clean file – ROADMAP

8.Advanced Web Attacks and Exploitation *

Days:

Advanced web application source code auditing
Non-interaction XSS attacks and exotic payloads
Leveraging CSRF attacks to achieve virtually unassisted remote code execution
State of the art SQL injection attacks (time based blind)
Authentication weakness/bypass attacks
Bypassing character restrictions in payloads
Command injection attacks
Java deserialization of untrusted data exploitation
PHP Object injection (attacking PHP’s state machine)
Exotic file inclusion attacks (non PHP environments)
Multi-step, chained attacks making use of multiple vulnerabilities
Real world attacks on widely deployed network infrastructure applications.

9.OSINT Techniques and Methodology *

Days:

Conduct advanced search queries across dozens of resources simultaneously
Access content believed to be private on Facebook
Locate a target’s long forgotten Facebook activity
Access restricted information through cached results
Conduct thorough searches on all social networks
Monitor live content and communication on social networks
Recover Twitter posts from deleted and manipulated accounts
Identify users of private cellular telephone numbers from social networks
Retrieve subscriber information from any landline or cellular telephone number
Reverse-search photographs and videos for additional copies and details
Search historical deleted versions of websites
View multiple historic satellite images and street views of any location
Identify all social networks in use by target username
Use Android Emulators to exploit content only available in apps
Create custom operating systems to always have a clean investigation environment

12.Basic Infrastructure Hacking *

Day 1:

TCP/IP basics
The Art of Port scanning
Target Enumeration
Brute-forcing
Metasploit Basics
Hacking recent Unix Vulnerabilities
Hacking Databases
Hacking Application Servers

Day 2

Hacking third party applications (WordPress, Joomla, Drupal)
Windows Enumeration
Hacking recent Windows Vulnerabilities.
Hacking Third party software (browser, pdf, java)
Post Exploitation: Dumping Secrets.
Hacking Windows Domains.

14.Python Hacker Bootcamp: Zero to Hero *

Phase 1: Getting up to speed

Introduction and Environment Setup
Variables and data types
Decisions and loops
Functions, error handling, and imports

Phase 2: Data parsing and I/O

Parsing text files, CSV and XML
Handling networking connections and parsing pcaps
Multi-Threading vs Multi-Processing with Locks, Mutexes, and Semaphores
Parsing large log files quickly

Phase 3: Advanced data manipulation

Building regex
Scraping the web
Handling JSON
Working with APIs

Phase 4: Practical Application Projects

Automate malicious domain discovery from PCAPs with VirusTotal
Generate meaningful reports with a custom log parser
Create a multithreaded port scanner
Build a Pastebin scraping bot

16.Pentesting Enterprise Infrastructure *

Day One:
A quick review of key concepts and technologies
Perform reconnaissance on the Internet & your own internal lab (not shared with anyone else)
Footprinting and fingerprinting like a boss
Targeting Operating Systems (Windows and Linux)
Targeting Databases/App Servers
Vulnerability discovery
Exploiting known vulnerabilities

Day Two:
You’ve found a way in, now what?
Post-Exploitation with Metasploit and Empire
Bypassing common security technologies: sneaky lateral movement
Pivoting and abusing trust relationships
Attacking Microsoft Active Directory
Privilege escalation techniques
Obtaining the crown jewels of an organization
Data exfiltration: the who’s how’s and why’s

17.Advanced Infrastructure Hacking *

Day 1:

IPv4/IPv6 Basics
Host Discovery & Enumeration
Advanced OSINT & Asset Discovery
Mastering Metasploit
Hacking Application and CI Servers
Hacking Third party applications (WordPress, Joomla)
Hacking Databases
Windows Enumeration and Configuration Issues

Day 2

Windows Desktop ‘Breakout’ and AppLocker Bypass Techniques (Win 10)
Local Privilege Escalation
A/V & AMSI Bypass techniques
Offensive PowerShell Tools and Techniques
Post Exploitation Tips, Tools and Methodology
Active Directory Delegation Reviews and Pwnage (Win 2012 server)
Pass the Hash/Ticket.
Pivoting, Port Forwarding and Lateral Movement Techniques

Day 3:

Linux Vulnerabilities and Configuration Issues
User/Service Enumeration
File Share Hacks
SSH Hacks
X11 Vulnerabilities
TTY issues, SSH reverse tunneling
Restricted Shells Breakouts
Breaking Hardened Webservers
Local Privilege Escalation
Post Exploitation

Day 4:

Breaking and abusing Docker
Kubernetes vulnerabilities
Exploiting Insecure VPN Configuration
VLAN Hopping
Hacking VoIP
B33r 101

18.Social Engineering and Physical Security *

Phase One: Social Engineering

Terminology
Ethics
Legality
Building Rapport
Influence Techniques
Rapport and Influence Challenge
Body Language
Body Language Lab

Phase Two: Vishing

Scoping Vishing Assessments
Vishing OSINT
Vishing OSINT Challenge
Caller ID Spoofing
Vishing Goals
Vishing Techniques
Vishing Challenge

Phase Three: Phishing

Scoping Phishing Assessments
Phishing vs Spear Phishing
Phishing OSINT
Phishing OSINT Challenge
Setting up a phishing web server
Cloning websites
Creating email templates
Phishing campaign logistics
Phishing Lab

Phase Four: Physical Security

Scoping Physical Security Assessments
Physical Security OSINT
Physical OSINT Challenge
Pretext Development
Pretext Support Items
On-site Reconnaissance
Physical Security Assessment Goals
Non-Destructive Entry Tools
USB Drops
RFID Cloning
RFID Lab
Pentesting Automation Devices
Physical Security Kit
Physical Security assessment logistics

19.Advanced Wireless Exploitation *

Days:

Bypassing WLAN Authentication – Shared Key, MAC Filtering, Hidden SSIDs
Cracking WLAN Encryption – WEP, WPA/WPA2 Personal and Enterprise, Understanding encryption based flaws (WEP,TKIP,CCMP)
Attacking the WLAN Infrastructure – Rogues Devices, Evil Twins, DoS Attacks, MITM, Wi-Fi Protected Setup
Advanced Enterprise Attacks – 802.1x, EAP, LEAP, PEAP, EAP-TTLS
Attacking the Wireless Client – Honeypots and Hotspot attacks, Caffe-Latte, Hirte, Ad-Hoc Networks and Viral SSIDs, WiFishing
Breaking into the Client – Metasploit, SET, Social Engineering
Enterprise Wi-Fi Worms, Backdoors and Botnets
Scripting Wi-Fi Attack Tools with Python and Scapy (includes Attack Automation)
Custom Firmware Attacks – Reversing and Backdooring router firmware
Spectrum Analysis, Card Selection and Hardware theory (antenna, cables, calculating loss, etc)
How to generate complex wordlists for cracking
High performance cracking (Hashcat, Amazon GPU cloud mostly)
Wireless reconnaissance and WiFi direction finding
Pentesting IoT device Wi-Fi stacks
Extracting firmware from Wi-Fi routers using hardware techniques
Checklists and cheatsheets for conducting a Wi-Fi pentest

20.Adaptive Penetration Testing *

Day 1:

Effective Assessment Management
Network Footprinting
Network Enumeration
Vulnerability Identification
Gaining Access Through Network Exploitation
Password Cracking

Day 2:

Network Attacks
Gaining Situational Internal Awareness
Escalation of Access
Internal Lateral Movement
Impact Demonstration

21.Adversary Tactics: PowerShell *

Day 1:

Motivations/Goals
PowerShell Basics Refresher
PowerShell Remoting
PowerShell Without PowerShell
3rd party, alternate PowerShell hosts
Supported Microsoft PowerShell hosts
Unintended Microsoft PowerShell hosts
Command-line logging evasion

Day 2:

Windows Management Instrumentation (WMI)
Interacting with WMI
Querying WMI and discovery
Eventing
Attacks/defenses
Active Directory
Interacting with Active Directory
LDAP search filters
Active Directory ACLs
Command and control
PowerView “PowerUsage”

Day 3:

Reflection
Internal .NET member access/invocation
In-memory .NET assembly loading
Add-Type internals, host footprint, and evasion strategies
Dynamic code generation
Low-level, Win32 Interop
P/Invoke and Win32 API basics
Borrowing internal methods
PSReflect

Day 4:

PowerShell Prevention – Implementation, Auditing, and Bypasses
Constrained Language Mode
Just Enough Administration (JEA)
Downgrade attack mitigation
Anti-malware Scan Interface (AMSI)
Exploiting code injection vulnerabilities
Code signing and trust enforcement
PowerShell Detection – Implementation, Auditing, and Bypasses
Classic and modern event logs
Event Tracing for Windows (ETW)

22.Software Defined Radio

Day 1

Introduction to Software Defined Radio
Exercise: Finding a Signal
Complex vs. Real Signals
Exercise: Working with Complex Signals (part 1)
Exercise: Working with Complex Signals (part 2)
Aliasing and Sampling Theory
Exercise: Transmission and Simulation
Exercise: Digital Filters
Bandwidth

Day 2

Exercise: Replay
Modulation
Exercise: Modulation Identification
Reverse Engineering
Exercise: Reverse Engineering
Decoding Digital Signals
Exercise: Decoding

23.Practical IoT Hacking

Attendees will be provided with:

1. Drona – an attack VM that has most of the required tools and features for IoT security analysis.
2. ExplIoT – Open Source IoT exploitation framework created by us specifically for IoT penetration testing.
3. DIVA–IoT – a vulnerable IoT sensor made in-house for hands-on exercises.
4. Practical IoT Hacking Lab Manual – with detailed and step by step information on each lab.

Course Layout
Software

IoT Architecture
IoT Attack Surface
IoT Security Testing process
ExplIot Framework architecture
Writing your own exploits/test cases using ExplIoT
IoT Protocol attacks – MQTT, CoAP…

Hardware

Radio IoT Protocol attacks – ZigBee, BLE
Conventional attacks on Sensors
Firmware analysis and Reverse engineering
External Storage Attacks
Hardware components and Reconnaissance
Identifying Debug ports
Interfacing with debug ports
Analyzing and extracting data from memory chips
Sniffing bus communication
Hardware protocol understanding – UART, I2C, SPI, JTAG…

25.Physical Penetration & Electronic Access Control Hacking

Physical Penetration video (3:30)

Credential Cloning video (1:00)

Protocol Sniffing video (2:00)

26.Assessing and Exploiting Control Systems and IoT

Day 1 Outline – Assessing and Exploiting Controllers
Understanding basic control system concepts, systems, and devices

Control system architectures
PLCs, RTUs, and IEDs
Understanding RTOS
Industrial and non-Industrial
What is IIoT and how it differs from IoT
Field devices, buses, and loops
DCS vs SCADA

Understanding controller logic

Velocio PLCs vs other PLCs
Hands-on exercise creating controller logic
Hands-on exercise programming a PLC
Hands-on exercise creating an HMI

Architecture Reviews of major ICS and smart grid systems

Supervisory control and data acquisition (SCADA)
Distribution Grid Management (DGM) and Substation Automation (SA)
Wide Area Management, Protection, and Control (WAMPAC)
Demand Response (DR)
Distributed Energy Resources (DER)
Advanced Metering Infrastructure (AMI)
Electric Vehicles (EV)

Introduction to Control Things Platform

Setting up the virtual machine
Walk through the tools and functionality
Introduction to the student hardware kits

Introduction to the NESCOR methodology for penetration testing

Preparing for a penetration test
Architecture reviews
Testing the master servers
Testing the user interfaces
Testing the network communications
Testing the embedded field devices
End-to-end assessment
Reporting

Types of ICS user interfaces

Traditional applications
Web applications
Terminal interfaces

Pentesting maintenance interfaces on ICS field and floor devices

Functional analysis of field technician interfaces
Hands-on exercise capturing USB communications to tech interfaces
Hands-on exercise analyzing captured USB communications
Impersonating endpoints in field tech interface communications
Hands-on exercises impersonating vendor endpoints with Python
Exploiting vulnerabilities found during analysis

Day 2 Outline – Assessing and Exploiting ICS Communication Protocols
Performing traditional network pentests on control systems

Overview of a traditional network penetration test methodology
Dangers of port and vulnerability scanning
Strategies to perform port and vulnerability scanning

Pentesting Different Communication Layers

Testing of communication mediums vs communication protocols
Where security defenses should be place …… and tested

Serial communications

RS-232, TIA-422, and TIA-485
Fieldbus Protocols and Protocol Families
Hands-on sniffing and injection of serial Modbus RTU

Pentesting TCP/IP based ICS protocols

Protocol capture and analysis
ModbusTCP, ProfiNet, EnternetIP/CIP, DNP3, IEC 104, IEC 61850, ICCP
Dealing with unknown protocols
Hands-on entropy analysis of network payloads
Reverse engineering unknown protocols
Hands-on ICS protocol fuzzing

Day 3 Outline – Assessing and Exploiting ICS RF Communications
Pentesting RF communications between master servers and field devices

Examples of where RF is used in ICS and IIoT
Overview of the RF Pentesting methodology

Capturing RF Signals

Hardware used for different RF protocols
SDR vs rfcat
Comparison of different SDR hardware
Finding the right frequencies
Using the right antenna
Hands-on RF spectrum analysis
Hands-on RF signal capture

Analyzing the captured signal

Spread Spectrum types and strategies
Strategies for recovering frequency hopping
Modulation and Demodulation
Methods for identifying modulation type
Hands-on traffic demodulation with Universal Radio Hacker (URH)
Hands-on signal demodulation with GNU Radio

Data Extraction

Understanding how data streams are assembled
Hands-on analysis of data streams with URH
Hands-on packetization with URH

RF Transmission

Traffic transmission and exploitation
Hardware needed for transmission
Replaying attacks
Signal transmission with URH
Hands-on signal generation with rfcat and Great Scott Gadgets’ Yardstick

Day 4 Outline – Assessing and Exploiting ICS Embedded Electronics

Overview of pentesting embedded device circuits
Local attack through physically exposed devices
Expanding physical attacks to remote attacks
Cryptographic keys and firmware

Analysis of embedded electronics in ICS field and floor devices

Discussion of device disassembly
Component analysis on embedded circuits
Datasheet acquisition and analysis for target components

Dumping data at rest on embedded circuits

Using the Bus Pirate and other similar tools
Overview of I2C or two-wire serial protocol
Hands-on exercise dumping I2C EEPROMs

Overview of SPI serial protocol

Hands-on exercise dumping SPI EEPROMs
Overview of JTAG
Hands-on exercise interfacing with debug interfaces
Bus Snooping on embedded circuits

Overview of bus snooping

Hands-on exercise snooping busses
Analyzing data obtained from data dumping and bus snooping
Hands-on exercise doing string analysis of datasets
Hands-on exercise doing entropy analysis of datasets
Hands-on exercise doing systematic key searches through datasets
Hands-on exercise doing file carving from datasets

Analyzing field and floor device firmware

Obtaining field and floor device firmware
Hands-on exercise disassembling firmware
Hands-on exercise analyzing disassembled firmware
Exploiting firmware flaws

27.Malware Analysis Crash Course *

What You Will Learn:

Hands-on malware dissection
How to create a safe malware analysis environment
How to quickly extract network and host-based indicators
How to perform dynamic analysis using system monitoring utilities to capture the file system, registry, and network activity generated by malware
How to debug malware and modify control flow and logic of software
To analyze assembly code after a crash course in the Intel x86 assembly language
Windows internals and APIs
How to use key analysis tools like IDA Pro and OllyDbg
What to look for when analyzing a piece of malware
The art of malware analysis – not just running tools

28.Practical Vulnerability Discovery with Fuzzing *

Protocol and specification analysis
Mutational and grammar-based input generation
Target monitoring using custom developed test harnesses
Best practices in analyzing software exceptions
Tips and guidance in how to discover 0-day vulnerabilities

29.The Shellcode Lab *

Day 1:

Shellcode and Exploitation Introduction
Memory Management
Introduction to Assembly
32-bit and 64-bit Registers
Tiny Shellcode Techniques
Virtual Shellcode Development Environment
Shellcoding Tools
Disassembling Binaries
Assembly Layout
Linux Syscalls
Compiling and Extracting Shellcode
Techniques to Removing Bad Characters
Debugging Shellcode Using Various Debuggers
Linux Shellcode and File Descriptors
Locating and Manipulating Strings in Memory
Reusing Shellcode Blocks
Learn an Easier Way to Compile and Extract Shellcode
Linux Command Execution Shellcode
Mac OS X 64-bit Shellcode
Tools and techniques to compile 64-bit Shellcode for Mac OS X
64-bit Null Free Shellcode
Port Bind Shellcode
Write 64-bit portbind shellcode for OS X from scratch
Modify 64-bit OS X shellcode to be null free and small
Metasploit Shellcode Tools for Generation and Encoding

Day 2:

Windows 32-bit Memory Layout
Windows 64-bit Memory Layout and ASLR
Windows Library Layout – Real Limits
Windows Shellcoding Techniques
Windows Shellcoding – 32-bit vs 64-bit
Locating memory addresses of functions in Windows DLLs
Debugging Windows Shellcode using various debuggers
Windows Shellcode Function Call Techniques
Windows Shellcode to Dynamically Locate Kernel32.dll
Windows 64-bit Command Exec Shellcode
Converting 32-bit Shellcode to 64-bit Shellcode
Windows Shellcode Networking
Connect Back Shellcode
Develop Connect Back Shellcode
Egg Hunter Shellcode
Windows System Calls
Implement your own Egg Hunter
Reviewing Public Exploits for Malicious Shellcode
Modifying Shellcode to Fit Into Exploits
Encoding Shellcode to Work In Exploits
Exploitation Using Your Custom Shellcode
Creating Metasploit Payload Modules
Integrating Shellcode into Metasploit
Staged Loading Shellcode
Protocol Tunnelling Shellcode
Kernel Level Shellcode Concepts
Kernel Level Shellcode Walkthrough

30.Tactical Exploitation: Attacking Unix *
Introductory Concepts and Thinking Like an Attacker
Host Recon
Leveraging Trusts & Lateral Movement
Kerberos Inherent Weaknesses
SSH Abuse
LD_PRELOAD Tricks
PAM Trojaning
X11 Attacks

31.AWS & Azure Exploitation

In this course you will:

Exploit serverless (e.g. Lambda) applications for initial access into targets.
Pivot between data and control planes to expand access (e.g. secrets, snapshots).
Evade and disrupt cloud logging platforms (e.g. CloudTrail) to remain undetected.
Breach and backdoor boundaries (e.g. VPCs) to access hard to reach systems.
Leverage stealthy persistence techniques to ensure long-term access (e.g. session tokens).

The Course Syllabus includes…

Day 1:

Recon for AWS Services of Interest (e.g. Subdomain Takeovers)
Hunting for Secrets to the AWS Control Plane (e.g. S3 buckets)
Obtaining Secrets via Web App Vulnerabilities (e.g. XXE, LFI)
Surveying & Persisting Access within the AWS (e.g. Session Tokens)
Pivoting from the AWS Control Plane to the Data Plane (e.g. Snapshots)
Gaining RCE via Web App Vulnerabilities (e.g. SSTI, RFI)
Post Exploitation within AWS EC2 Instances (e.g. User Data Scripts, DynamoDB)

Day 2:

Serverless Exploitation w/ Lambda (e.g. Keeping it Hot, Exfiltrating via Services)
Breaching Boundaries: Bypassing VPCs (e.g. API Gateway + Lambda Bypass)
Logging Disruption within AWS (e.g. Cleaning CloudTrail Logs w/ Lambda)
Pivoting from Azure Control Plane to the Data Plane (e.g. Storage Manipulation)
Expanding Access via PaaS Specific Azure Attacks (e.g. RDP “debug”)
Stealthy Azure Persistence Techniques (e.g. Offline Minting of SAS Keys)
Overview of Defensive Countermeasures (e.g. MFA, Logging, Alerting, etc…)

32.In-depth code injection for attackers *

Day 1: Introduction to the Windows API, code injection, and detection/forensics techniques
Introduction to our toolset:

Visual Studio, x32/x64dbg, IDA Pro (freeware edition), and Volatility
Lab: Tool familiarity/installation
Introduction to virtual memory, cross process injection, and hooking
Lab: Investigating cross process injection with Process Hacker
Building code injection tools with CreateRemoteThread – the OG of code injection
Lab: Building and using CreateRemoteThread code injection tools
Memory forensics topics in code injection
Lab: Investigating code injection using memory forensics
Investigating code injection tools that use CreateRemoteThread
Lab: Investigating CreateRemoteThread code injection tool artifacts
DLL Sideloading and path abuse
Constructing DLL sideloading attacks and how to detect/investigate them

Day 2 – Reflective injection and process hollowing

Reflective code injection – code injection that never touches disk
Building reflective injection code and investigating how it works
Lab: Building and deploying reflective injection code
Detecting reflective injection code and investigating attacks that use it
Lab: Detecting and investigating reflective injection attacks
Process hollowing – what is it, why does it exist, and how can we use it
Lab: Building and deploying process hollowing code injection tools
Detecting process hollowing code and investigating attacks that use it
Lab: Detecting and investigating process hollowing code injection attacks

Day 3: Bam – Crank it up another notch!

Hollowing processes that are already running to bypass AV
Lab: Building and deploying running process hollowing tools
Putting it together like a nation state – chaining code injection techniques like Stuxnet
Lab: Build your own Stuxnet
Detecting and investigating chained code injection techniques
Lab: Investigate your own Stuxnet
Hooking to inject code
Lab: Building and detecting code injection using hooking

Day 4: The good, the bad, and the WTF was that?!

Understanding how code injection attacks can use scripting languages like PowerShell
Lab: Deploying and investigating PowerShell code injection
Data Execution Prevention (DEP) and Return Oriented Programming (ROP) fundamentals
Atom Bombing (no, not the Manhattan Project) – learning about Desktops, Atoms, and other Windows objects
Lab: Building and deploying Atom Bombing code
Investigating artifacts left by Atom Bombing attacks
Lab: Detecting and investigating Atom Bombing attacks
Evading memory forensics detection using Gargoyle (another ROP based technique)
Building Gargoyle code to avoid detection by traditional antivirus

33.Dark Side Ops-Custom Penetration Testing *
Execute PowerShell scripts covertly through in-memory only execution techniques.
Compile custom code to keylog target workstations, take screenshots, execute Mimikatz, and much more…all while running in memory!
Build custom payload droppers, beaconing backdoors, and interactive shells.
Conduct highly targeted and sophisticated custom client-side and social engineering attacks.
Escalate workstation and network privileges without an exploit.
Bypass defensive host and network defense countermeasures such as anti-virus applications, firewalls, IDS, IPS, SIEMs, and strict egress filtering.
Establish custom, stealthy persistence in a target network.
Pivot undetected throughout a network like a pro using SMB named pipes and other new and novel techniques.
Exfiltrate data from a target network using custom applications and network monitoring evasion techniques.
Compile and deploy an advanced, custom HTTP beaconing payload developed internally by the trainers and used regularly on engagements to effectively infiltrate company networks.

34.Hacking Firmware & Hardware *

Some skills taught include:

Bus spying, tampering, spoofing, injection on simple serial interfaces like UART, SPI, I2C and others
Finding, identifying, analyzing, and interfacing with JTAG, Serial, and other interfaces
Configuring, Interfacing, Using, Misusing, and Abusing JTAG for reverse engineering, manipulation, and exploitation
Non-destructively extracting firmware via software, JTAG and serial interfaces
Invasively extracting firmware by directly accessing or physically removing flash storage
Parsing, extracting, and analyzing firmware images
Manipulating firmware images to embed backdoors or other functionality
Binary analysis of executables on firmware to enable software exploitation

Students will get hands-on experience with tools like:

USB serial cables
Bus Pirate
Various JTAG Adapters
Logic Analyzers
Multimeters
JTAGULATOR
OpenOCD
UrJtag
GDB
IDA

35.Windows Kernel Primer *

Windows Kernel Primer – Day 1
The Restaurant
Virtual Memory
Privilege Levels
Crash Dumps
LAB Assignment
Symbols
Windbg
Lab Assignment
Windows Kernel Overview
System Calls
Live Kernel Debugging
Lab Assignment
Object and Handles
Linked Lists
Lab Assignment
Processes and Threads
Access Tokens
ActiveProcessLinks
Lab Assignment
DKOM
Lab Assignment

Windows Kernel Primer – Day 2
Interrupts and Exceptions
IRQLs
User Land
Lab Assignment
Pools
Devices and Drivers
Lab Assignment
IRPs
LiveKD
Lab Assignment
PCR / PRCB
Damn Vulnerable Windows Driver
Lab Assignment
Kernel Security Controls
Kernel CVEs
Lab Assignment

36.Windows Kernel Rootkit Techniques *

Kernel Architecture

Kernel Execution Contexts
Key Kernel Data Structures
Kernel Address Space Layout
Memory Protection Mechanisms
Objects and Pool Layout
X64 Calling Convention and Stack Layout

Kernel Security Mitigations and Bypasses

Kernel mode code signing (KMCS)
Kernel patch protection (PatchGuard)
Supervisor Mode Execution Prevention (SMEP)
No-Execute (NX) Pools
Pool Safe Unlinking and Integrity Checks
Control Flow Guard (CFG)
Secure, Measured and Trusted Boot

Kernel Mode Shellcode Techniques

Kernel Exploitation Phases
Kernel Execution Vectors
Shellcode Injection
64-bit Shellcode Considerations
Leveraging Special Purpose CPU Registers
Multi-Processor Safe Patching

Hooking Techniques

Types of Hooking
Code Flow Subversion
Function Hooking
Common Pitfalls
Hook Detection

Filtering Mechanisms

IRP Filters
Image Load Notifications
Process and Thread Callbacks
Object Callbacks
Registry Callbacks
File System Mini-Filters
Early Load Anti-Malware Drivers (ELAM)
Forensic Footprint of Filters

Covert Communications

Net Buffer Lists (NBL) and Net Buffers (NB)
Windows Filtering Platform (WFP)
NDIS Intermediate Drivers
NDIS Lightweight Filters (LWF)
NDIS Internal Data Structures & Hooking
Host Firewall Bypass

Stealth Behavior

Kernel Structure Manipulation
Rootkit Self-Defense
Persistence Methods
Anti-Debugging & Anti-VM
Detection Bypass
Forensic Analysis

Detection Tools & Case Studies

Memory Acquisition
Volatility Framework
Live Rootkit Detection
Endpoint Security Products
Rootkit Analysis

37.Dark Side Ops 2-Adversary Simulation *
Discover new external attack techniques to gain stealthy internal network access without social engineering
Leverage configuration weaknesses to fully compromise database servers
Reverse engineer .NET applications to identify 0-day vulnerabilities
Bypass even the tightest of egress controls through custom code execution techniques
Learn about and perform disk-less pivoting techniques
Implement the latest in code and DLL injection techniques completely undetectable by AV
Learn about and bypass the latest in application whitelisting
Prevent and block defensive incident responders from analyzing your tools, payloads, and backdoors
Build easy-to-use and versatile malware, backdoors, and loaders to diversify your toolset and capabilities

38.ARM Iot Exploit Laboratory: Intro *

LEARNING OBJECTIVES:
——————-
* Introduction to the ARM CPU architecture
* Exploring ARM assembly language
* Understanding how functions work in ARM
* Debugging on ARM systems
* Exploiting Stack Overflows on ARM
* Writing ARM Shellcode from the ground up
* Exercises: Putting together practical end-to-end ARM/Linux exploits
* The Lab environment is a mixture of physical ARM hardware and ARM virtual machines.

DAILY SCHEDULE:
—————
DAY 1
* Introduction to the ARM CPU architecture
* Understanding ARM assembly language
* EXERCISE – Examples in ARM Assembly Language
* Debugging on ARM systems
* Understanding how functions work in ARM
* Exploiting Stack Overflows on ARM
* EXERCISE – ARM Stack Overflows

DAY 2
* Writing ARM Shellcode from the ground up
* Simple ARM Shellcode
* Complex ARM Shellcode
* Shellcode optimization, avoiding NULL bytes and bad characters
* EXERCISE – Embedded Web Server exploit

39.Offensive Mobile Exploitation & Reversing *

Course Outline
———————
Part 1 – iOS Exploitation
Module 1 : Getting Started with iOS Pentesting

iOS security model
App Signing, Sandboxing and Provisioning
Setting up XCode 8
Changes in iOS 11
Primer to iOS 11 security
Exploring the iOS filesystem
Intro to Objective-C and Swift4
What’s new in Swift 4 ?
Setting up the pentesting environment
Jailbreaking your device
Cydia, Mobile Substrate
Getting started with Damn Vulnerable iOS app
Binary analysis
Finding shared libraries
Checking for PIE, ARC
Decrypting ipa files
Self signing IPA files

Module 2: iOS exploitation basics

How jailbreak exploits are written ?
Diffing for Patches
Intro to ARM assembly
ROP, KASLR and KPP
Use after free, Heap overflow basics
Reversing the Kernel
Code signing bypass techniques
Sanbox bypass techniques
Exploiting Mach Ports
Chaining exploits
Patching the Kernel
Achieving persistence

Module 3 : Static and Dynamic Analysis of iOS Apps

Static Analysis of iOS applications
Dumping class information
Insecure local data storage
Dumping Keychain
Finding url schemes
Dynamic Analysis of iOS applications
Cycript basics
Advanced Runtime Manipulation using Cycript
Method Swizzling
GDB basic usage
Modifying ARM registers
Basic App Exploitation techniques using Frida
Advance App Exploitation techniques using Frida

Module 4 : iOS application vulnerabilities

Exploiting iOS applications
Broken Cryptography
Side channel data leakage
Sensitive information disclosure
Exploiting URL schemes
Client side injection
Bypassing jailbreak, piracy checks
Inspecting Network traffic
Traffic interception over HTTP, HTTPs
Manipulating network traffic
Bypassing SSL pinning

Module 5 : Reversing iOS Apps

Introduction to Hopper
Disassembling methods
Modifying assembly instructions
Patching App Binary
Logify

Module 6 : Securing iOS Apps

Securing iOS applications
Where to look for vulnerabilities in code?
Code obfuscation techniques
Piracy/Jailbreak checks
iMAS, Encrypted Core Data

Part 2 – Android Exploitation

Module 1

Why Android
Intro to Android
Android Security Architecture
Android application structure
Signing Android applications
ADB – Non Root
Rooting Android devices
ADB – Rooted
Understanding Android file system
Permission Model Flaws
Attack Surfaces for Android applications

Module 2

Understanding Android Components
Introducing Android Emulator
Introducing Android AVD

Module 3

Proxying Android Traffic
Reverse Engineering for Android Apps
Smali Learning Labs
Smali vs Java
Dex Analysis and Obfuscation
Android App Hooking

Module 4

Exploiting Local Storage
Exploiting Weak Cryptography
Exploiting Side Channel Data Leakage
Manual and Automated Root Detection and Bypass
Exploiting Weak Authorization mechanism
Identifying and Exploiting flawed Broadcast Receivers
Identifying and Exploiting flawed Intents
Identifying and Exploiting Vulnerable Activity Components
Exploiting Backup and Debuggable apps
Analysing Proguard, DexGuard and other Obfuscation Techniques
Exploiting Android NDK
Manual and Automated SSL Pinning Bypass techniques

Module 5

App Exploitation using Drozer
Basic App Exploitation techniques using Frida
Advance App Exploitation techniques using Frida
App Exploitation using AppMon
Automated source code analysis
Detecting Leaks in Android Apps

40.The Security Automation Lab *

Automating the collection and analysis of internal and external intelligence data
Automating targeted attacks to more frequently and efficiently identify security weaknesses and attack techniques
Automating security testing of applications to enforce a continuous security baseline
Automating incident response processes, data collection, analysis and response to efficiently contain security breaches
Automating preventative and responsive controls through integration with security devices and infrastructure
Automating the generation of real-time security visualization dashboards, threat reports, and alerts for critical operational security team actions
Automating the orchestration of end-to-end intelligence and security controls and analysis for immediate capability enhancements

Day 1:

Introductions
What is the demand for security automation?
Other Industries’ Automation Achievements
Security Automation and Orchestration Introduction
Difference between Automation and Orchestration
Business Benefits from Security Automation
Automation in Different Organizations
Automatable Security Operations Areas

Lab 1 – Virtual Security Automation Environment
Lab 2 – Security Automation Tools

Automated Intelligence Collection and Analysis
External Intelligence Types and Sources
Internal Intelligence Types and Sources
Intelligence Collection Techniques
Transformation of Intelligence Data
Aggregation, Correlation and Analysis of Intelligence Data

Lab 3 – Orchestration and Automation of External Intelligence Collection and Transformation
Lab 4 – Orchestration and Automation of Internal Intelligence Collection and Transformation
Lab 5 – Automated Correlation of Intelligence Data

Automated Penetration Testing as Intelligence Collection
Orchestrating Repeatable Penetration Testing
Automating the Prioritization of Vulnerability Mitigation
Integrating Penetration Test Results with Ticketing Systems
Integrating Automated Security Testing into CI/CD Systems

Lab 6 – Automated Exploit Identification for Vulnerability Prioritization
Lab 7 – Automated Internal Penetration Testing
Lab 8 – Orchestrating Automated CI/CD Security Testing

Day 2:

Automated Incident Detection Techniques
Incident Detection through Intelligence Correlation
Automated Incident Investigation Intelligence Collection
Types of Incident Investigation Data
Automated Incident Investigation Intelligence Analysis
Automatically Extracting Indicators of Compromise
Automatically Searching for Indicators of Compromise
Automated Incident Response Actions

Lab 9 – Automated Incident Detection
Lab 10 – Automated Incident Data Collection
Lab 11 – Automated Extraction of IoCs
Lab 12 – Automated Incident Response Actions

Automated Security Infrastructure Orchestration
Types of Intelligence and Security Infrastructure
Automating Integration of Intelligence Data into Security Infrastructure

Lab 13 – Automated Security and Intelligence Infrastructure Orchestration

Operational Security Team Communication Types (Slack, Jira, etc)
Automating Security Alerts into Communication Channels
Automating Real-Time Charts and Visualizations
Automating Real-Time Tables
Automating Real-Time Dashboards
Automating Security Reporting – Intelligence
Automating Security Reporting – Vulnerability Tracking
Automating Security Reporting – Incident Response
Automating Security Reporting – Infrastructure Events
Automating Security Reporting – Automation Events

Lab 14 – Automating Security Alerts to Chat Channels
Lab 15 – Orchestrating Real-Time Dashboards
Lab 16 – Automated Security Reporting

Automated Security Operations Orchestration
Chaining Workflows for Repeatable Security Orchestration

Bonus Lab 17 – Chaining Workflows for Orchestrating Automation