Archive for the workshop Category

Securely connecting through several hosts to a remote server and obfuscating the local configuration will also be part of the workshop. If there is time, we will also look at the server side of things and work through a few possible improvements. This workshop targets beginner to intermediate SSH users. As long as you have a fairly recent command-line OpenSSH client, you are welcome no matter what operating system you are using. Basic knowledge of the Linux or BSD command line is required (navigating the file system, editing files, …). OpenSSH 7.4 or higher is recommended!

Attendees should have basic knowledge of shell commands and a recent version of OpenSSH installed on their laptops. If you bring a (long) network cable, you could use our demo-environment to follow the workshop.

@maclemon: Sysadmin by trade, strong supporter of anonymity and privacy, that odd person doing strange things with Macs. Hackspace and community affiliations: Metalab; Chaos Computer Club Wien; BSidesVienna; Cocoaheads
@leyrer: Providing advanced IT wizardry for over 20 years by now. Boldly managing systems where angels fear to tread. Hackspace and community affiliations: Metalab; Chaos Computer Club Wien; BSidesVienna

Shellcode Lab (Marco Lux)

February 17th, 2017

Before you ask: No, I won’t fix your shellscript! %$^&@&!!!!@!@

It seems like in times of msfvenom and the like everyone has forgotten that there was once a way to write your shellcode on your own. Even worse, nowadays people mix up shellcoding with shellscripting.
As you are still reading, you are interested in what shellcoding is, or in improving the skill set you already have.
Shellcoding is the fine art of crafting bytes of opcodes, placed in your exploit payload, to gain a remote or privileged shell. While shellcode can be used for other tasks as well, the name has stuck. So we will learn and write assembly, looking into the basics of CPU architecture and learning about Linux syscalls and how to use them to create our own payloads. This class focuses on 32-bit shellcoding.

The workshop syllabus:

  • 0x1 Intro to the 32-bit Intel CPU
  • 0x2 Intro to GDB
  • 0x3 Shellcoding Syscall Basics
  • 0x4 Shellcoding Network Shells

Marco Lux has 15 years of experience in the IT security field. He has spoken at other security conferences such as CCC, Easteregg, BSI, Berlinsides and BSides Hamburg.
He has given security trainings to the community and industry and is a strong believer in open source and open source security software. He is passionate about coding. While nowadays he prefers Python, back in the day assembly and C were his favourites. Marco is also the host of the yearly hacker conference “hack4”, which will see its 4th edition this year – yes, you are invited 😀

On the business side he runs his own security company, which conducts technical IT security work. You know, the guys who break your stuff rather than stating on paper that it is secure.

A typical mistake repeatedly seen in many SOCs is that they collect such a large amount of events that in the end they suffocate their SIEM solution. “Collect all the events!!!” sounds nice in theory, but in practice less is often more, and security teams must select and focus on events that have an actual use case and provide real value from a security perspective. But what if we do not even have a SIEM and cannot afford one? Luckily, in a Microsoft Windows environment we have built-in and free tools at our disposal to get started quickly with security monitoring and hunting using Windows Event Logs.

In this workshop, we will see how to collect events with Windows Event Forwarding (WEF) and go through some of the most important and valuable Windows events worth collecting, such as AppLocker, EMET or LAPS events, user and service creation events, PowerShell commands, etc. We will discuss how to properly configure Security Audit Policy settings and how to set up Sysmon for advanced application monitoring.

Once we have the events we need, we will slice and dice them with PowerShell commands like Get-WinEvent (or with Get-EventLog in case of older Windows/PowerShell versions) and see a few simple PowerShell scripts and modules that can help us as well as some tools that are specifically made for monitoring and detection. Finally, we will use the free Power BI Desktop to build some nice dashboards to give us a better overview of the data we are collecting.

Attendees need to bring their laptop to follow the hands-on parts:

  • A laptop with at least 4 GB of RAM and more than 20 GB of free disk space
  • Windows 7/8/8.1/10 or Windows Server 2008/2012/2016 installed (on the laptop or in a virtual machine) with PowerShell 4.0 or higher

David Szili is a freelance IT security consultant with a penetration testing, security monitoring and incident response background, previously working for companies such as POST Telecom PSF, Dimension Data, Deloitte and Balabit.

David has two Master’s degrees in Computer Engineering and in Networks and Telecommunication and a Bachelor’s degree in Electrical Engineering. He also holds several IT security certifications such as GSEC, GCED, GCIA, GCIH, GMON, GMOB, OSCP, OSWP and CEH.

In his spare time, David likes working on hobby electronics projects, developing new IT security tools and sharpening his skills with CTFs and bug bounty programs.