0.3 ringzer0-bootstrap24-austin 2024-02-23 2024-02-24 2 00:05 https://cfp.ringzer0.training https://cfp.ringzer0.training/media/ringzer0-bootstrap24-austin/img/ringzer0_bootstrap_white_gold_FXdfJAK.png US/Central Bootloader 📍Under The Oaks Workshop 2024-02-23T18:30:00-06:00 18:30 00:45 Ever wondered how compiler mitigations are built? Or how a sophisticated build chain attack can target a compiler to place backdoors and other miscreants? Wonder no more, this hands-on workshop shows you how to build your own compiler pass, which can any source code you build to your liking. We'll learn how source code makes its way through the different stages of a compiler into its final binary form, how compilers perform modifications and optimizations of the code, and how they translate their view of the code to a given architecture's binary representation. Students will get a glimpse how some mitigations everybody knows and loves are actually implemented in a compiler. They'll work hands on with LLVM Clang, following along theoretical chapters of the workshop, and eventually they'll implement a Clang plugin themselves to sneak a backdoor into otherwise perfectly secure code. Prerequisites: Linux computer or virtual machine or cloud instance ringzer0-bootstrap24-austin-39524-compiler-backdooring-for-beginners Marion Marschalek en Start of workshop: Download and build your own LLVM clone Introduction to compiler architecture - Frontends, Backends, and Intermediate Languages - Basic compiler passes - GCC and LLVM Clang in a nutshell Compiler plugins - Passes vs. plugins, pros and cons - Exercise: "Hello World" as a Clang pass Compiler mitigations walkthrough - How DOES a compiler build canaries? - (AddressSanitizer at 10.000ft if time allows) Lab: Homemade Backdoors Description: We'll be working on a specially crafted application, which contains a function reading data into a buffer in a safe way. The exercise will be to remove sanitization checks and to modify the buffer so that memory corruption becomes possible. Students will receive a skeleton Clang plugin, and will be walked through code constructs needed to locate the target function, the checks and the buffer, and to perform the requested modifications. The students themselves will complete the plugin and verify its efficacy. false https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/7HFFHD/ https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/7HFFHD/feedback/ Bootloader 📍Under The Oaks Talk 2024-02-23T19:30:00-06:00 19:30 00:45 This talk looks at some of the best of the worst examples of disclosing bugs to vendors. We'll go behind the scenes to show the sometimes gory details and laughable farces of bug disclosure. Finally, we'll offer some advice to those who may be on the receiving end of disclosure to help them ensure they don't end up in version 2.0 of this talk. ringzer0-bootstrap24-austin-44619-best-of-the-worst-misadventures-in-bug-disclosure Brian GorencDustin Childs en Founded by TippingPoint in 2005, the Zero Day Initiative (ZDI) program rewards security researchers for responsibly disclosing vulnerabilities. Since that time, the ZDI has grown to be the world's largest vendor-agnostic bug bounty program. Being vendor agnostic means we purchase bug reports from independent security researchers around the world in Microsoft applications, Adobe, Cisco, Apple, IBM, Dell, Trend Micro, SCADA systems, etc... We don't buy every bug report submitted, but we buy a lot of bugs. Of course, this means we disclose a lot of bugs. And not every disclosure goes according to plan. This talk looks at some of the best of the worst examples of disclosing bugs to vendors. Disclosing bugs can get contentious. It can also be confusing when a vendor doesn't have a mature response process. Some reports are frustrating. Some reports are comical. And some are absolutely wild. All of them resulted in face palms at multiple levels. We'll go behind the scenes to show the sometimes gory details and laughable farces of bug disclosure. Finally, we'll offer some advice to those who may be on the receiving end of disclosure to help them ensure they don't end up in version 2.0 of this talk. Finding, disclosing, and fixing bugs are three different processes, and none of those processes are inconsequential. Here at the ZDI, we try to improve all three areas wherever we can. false https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/3KT8RD/ https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/3KT8RD/feedback/ Bootloader 📍Under The Oaks Talk 2024-02-23T20:30:00-06:00 20:30 00:45 Increasingly threat actors are moving off of Windows endpoints and into places less visible like appliances. An analysis of CISA’s Known Exploited Vulnerabilities from 2023, and recent years, reveals that threat actors are targeting and exploiting appliances with both known vulnerabilities and 0-days of their own. This talk covers the vulnerability research process used to discover 16 vulnerabilities across three different security appliances in the Fortinet product line. From command injection, SQLi, file reads, and more, this journey started what I dubbed the “Forti Forty”, a goal (cut short) to find 40 CVE’s in Fortinet appliances. Attendees can expect to walk away with a general overview of how to approach reverse engineering security appliances, methodology used in reviewing large systems and code bases, and the common pitfalls that developers make in these complex systems. ringzer0-bootstrap24-austin-39516-rust-won-t-save-us-finding-and-exploiting-0-days-in-security-appliances Zach Hanley en - **Who Am I** (1 min) - Security researcher with many years of experience in vulnerability research, implant development, and attacker TTPs across the commercial and government sector.  - **Overview** (1 min) - **A Shift In Tactics** (2 min) - CISA KEV Breakdown - 2023’s Most Targeted Devices by Device Type - Initial Access via Border / Security Appliance - Why is this thing on the internet? - **The Vulnerabilities** (38 min) - Target Selection - Fortinet falls squarely in the type of device’s routinely targeted and exploited by threat actors in CISA KEV - Fortinet has many security devices that have not received recent CVEs - FortiSIEM was acquired via Fortinet acquiring a company, possibly meaning more room for error or a difference in security stack - Vulnerability Research Process - Attack Surface Analysis - Control Flow Analysis - Web Routing Framework - Unauthenticated and Authenticated Handlers - Non-Web Backed Services - Communication Protocol - Authentication - Business Logic - Controllable Inputs - Fortinet FortiSIEM - Appliance Overview - Discovering the Service - Fortinet FortiNAC variant analysis - developers often make the same mistakes - Investigating the license upload functionality in Web UI revealed it communicated with a “backend” service, phMonitor, via TCP socket - “Backend” service is listening on all interfaces - not so backend… - Developing a Service Client - Reversing the Java Web UI class reveals its a custom messaging scheme over TCP sockets with message format: - 1\. Command Type - The integer enum mapped to specific function handlers inside the phMonitor service - 2\. Payload Length - The length of the payload in the message - 3\. Send ID - An arbitrary integer value passed in the message - 4\. Sequence ID - The sequence number of this message - 5\. Payload - The specific data the function handler within phMonitor will operate on - Test client with “LicenseInfo” request returns success! - Reversing the Service - What is the phMonitor service? - At a high-level, it monitors different services across different roles, and exposes an API interface for performing many of the system functions that would be accomplished in the administrative web interface.  - It is the authoritative service when it comes to managing deployment configuration, licensing, and administrative functions of itself and remote roles. - With a working service client, now starts the process of analyzing control flow of the service, and any potential mistakes in command handlers - 100 different command handlers - Change storage configurations - Often calls to a utility “doSystem”, a system() wrapper - interesting! - Write system settings - Passwords, backup servers, etc - Initiate reverse SSH tunnels with integrated servers - FortiSIEM often deployed with SIEM in located in MSP and “Collectors” in client environments - Pivot into client environments! - Developing the Exploit - Determining the Expected XML Format - Command Injection in XML Field - Post-Exploitation possibilities - pivoting, reading integration secrets, clearing logs - Fortinet FortiWLM - Appliance Overview - Attack Surface - Web Service backed by Python and Perl - Django Authentication Middleware - Several Unauthenticated Endpoints - Command Injections - SQL Injections - File Reads - Fortinet FortiWeb Manager - Appliance Overview - Attack Surface - Web Service backed by Python - Authenticated Command Execution - Authenticated Arbitrary File Write - Authenticated Arbitrary File Read - Common Developer Pitfalls and Areas of Improvement - Focusing on the Happy Path - Developers, intuitively, focus most of their time and effort in validating the most common user journeys in their applications - Often, along a products lifetime, new features are added for customers - and sometimes in critical areas like authentication - Developing in a Vacuum - Applications and systems often reach enormous levels of complexity, hard to single engineers to know the in-and-outs to safely add a feature - Architecture and code reviews are necessary and critical to spot missteps - Paired programming with a senior can help juniors understand the design and security aspects of features to up-level them - Defense In Depth - Often, weaponized exploits combine several vulnerabilities to reach system compromise - Auditing the authenticated attack surface for simple primitives can limit the blast radius of these chains - Run services as least privilege - **Future Outlook** (1 min) - Security isn’t just for infosec - involve developers more in our community - “Memory-safe” languages like Rust won’t save us, but they can help - We and threat actors will continue to find vulnerabilities from the 90s, adjust security programs to be as wholistic as possible - **Q\&A** (2 min) - **References** - Fortinet PSIRTs - FortiSIEM -  ****<https://www.fortiguard.com/psirt/FG-IR-23-130> - FortiWLM - <https://www.fortiguard.com/psirt/FG-IR-23-140> - <https://www.fortiguard.com/psirt/FG-IR-23-143> - <https://www.fortiguard.com/psirt/FG-IR-23-142> - FortiWeb Manager - Awaiting patches false https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/EAXQYM/ https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/EAXQYM/feedback/ BlackHoodie 📍Room 1.124 Workshop 2024-02-23T09:00:00-06:00 09:00 08:00 Ever wanted to know what a binary looks like from the inside? Wonder no more, binary insides is all you will see in this class. We’ll go from 0 to yo there’s a bug in your application in just one day. This training is very busy, from file formats, loaders and process execution, disassemblers and debuggers, to bug hunting of the special kind. But don’t worry, we’ll arm you with all the necessary skills! The target will be x86-64 Linux ELF executables. ringzer0-bootstrap24-austin-44621-blackhoodie-training-introduction-to-software-reverse-engineering Marion Marschalek en Ever wanted to know what a binary looks like from the inside? Wonder no more, binary insides is all you will see in this class. We’ll go from 0 to yo there’s a bug in your application in just one day. This training is very busy, from file formats, loaders and process execution, disassemblers and debuggers, to bug hunting of the special kind. But don’t worry, we’ll arm you with all the necessary skills! The target will be x86-64 Linux ELF executables. false https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/QQWFQU/ https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/QQWFQU/feedback/ Track 1 📍 Auditorium 1.110 Talk 2024-02-24T09:00:00-06:00 09:00 00:45 In 2017, I gave a keynote at ZeroNights Moscow about the role of AI in security, both on the offensive and the defensive side. This keynote will revisit the topics of 2017, and discuss how the changing landscape of AI and security has affected and changed, and which parts remain unchanged. ringzer0-bootstrap24-austin-44620-revisiting-2017-ai-and-security-7-years-later Thomas Dullien en In 2017, I gave a keynote at ZeroNights Moscow about the role of AI in security, both on the offensive and the defensive side. This keynote will revisit the topics of 2017, and discuss how the changing landscape of AI and security has affected and changed, and which parts remain unchanged. false https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/BJF77N/ https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/BJF77N/feedback/ Track 1 📍 Auditorium 1.110 Talk 2024-02-24T10:00:00-06:00 10:00 00:45 The world is awash in large-language model (LLM) AI (e.g., ChatGPT) news, predictions, and of course, content (all for good and ill). This talk takes a step back from the posturing and hype to look at how these models work, and how to detect the content they produce. We will look at the fundamentals of LLM-generated text detection, compare the best in breed: GPTZero, Roberta, etc. detector with a novel detector, ZipPy. ZipPy is a new, open-source LLM text detector (and attribution tool!) developed by Thinkst Labs that is 60-100x faster than the competition, over 1000x smaller (< 200KB), and for many types of content, more accurate. We will explain the intuition behind ZipPy, show how it works, and they types of content it struggles with. Finally we look at where LLMs can improve their stealth, and fundamental shortcomings in their designs that enable detection long-term. ringzer0-bootstrap24-austin-38844-exploring-the-lay-of-the-llm-detection-landscape Jacob Torrey en Are LLMs going to upend, or just end the world? Will malevolent AIs spread disinformation and FUD to enslave humanity in a world of fear? Will Roko's Basilisk come to pass? In order to help stay these dramatic end-times, LLM content detectors are here! We can build safe, AI-free zones to limit the digital "noise" that these models can blast out at scale, if only we can reliably detect and classify a content's origin. This talk does a deep dive into the leading LLM text detectors, both open-source and commercial, and compares them against a number of different datasets. Next, we throw into the mix ZipPy, a novel open-source detector based on code written in the mid-1980s that outperforms the state-of-the-art in a number of dimensions. ZipPy is simple (less than 200 lines of Python), and it codifies the intuition about a core difference between LLMs and humans that no additional amount of data or training cores can overcome--being unique! Using ZipPy we can walk through the features used to differentiate a text's origins and how with a simple, embedded detector we can build a human-centric world where LLMs are used only to help us rather than subvert us. false https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/NXCUE3/ https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/NXCUE3/feedback/ Track 1 📍 Auditorium 1.110 Talk 2024-02-24T11:30:00-06:00 11:30 00:45 Advances in embedded device security features have led to more and more researchers utilizing fault injection techniques to bypass security features and gain increased access to systems. While some open-source tools exist to perform these types of attacks, there are still many hurdles that researchers must overcome when conducting their power analysis of a device that they wish to perform a fault injection attack. While vulnerable to voltage glitching attacks, sudden voltage drops at specific timings can cause permanent damage to devices. We will begin this talk by describing our power analysis research that led us to an RDP bypass on the STM32F4 via voltage glitching. Despite being able to bypass RDP protections with a traditional voltage glitch, the attack would occasionally permanently damage the device. As a result of this, we developed a more reliable EMFI attack. This talk describes utilizing open-source tools to perform an EMFI attack on an STM32F4 microcontroller, allowing for a full RDP (read-out-protection) bypass via a targeted EMP. This research will release the open-source tooling used to instrument a generic 3D printer and examples of how we integrated it into the workflow utilizing the ChipWhisperer Husky and PicoEMP. ringzer0-bootstrap24-austin-39464-glitching-in-3d-low-cost-emfi-attacks /media/ringzer0-bootstrap24-austin/submissions/8FM8V3/EMFI_4vbWVM2.jpeg Matthew Alt (wrongbaud) en This work describes the process of performing a new fault injection attack. We begin with the test firmware we used to dial in the physical glitch parameters such as location, placement, etc. After dialing in these glitch parameters for maximum consistency, we target the boot ROM of the STM32F4. To determine **where** to place the glitch, we review the power trace of the boot ROM and an extracted boot ROM in ghidra. The first section of the talk will focus on traditional voltage glitching and power trace analysis. After demonstrating that a readout protection bypass is possible via voltage glitching, we will discuss the risk of these attacks and how they can permanently damage devices. Given this risk, we attempted to trigger the same glitch with an EMP instead of a traditional voltage glitch. Performing an EMFI attack introduces new variables, probe shape, placement, and pulse shape, to name a few. While some tools exist to help instrument and perform EMFI attacks, they are prohibitively expensive and require bespoke training and extensive experience. We wanted to complete one of these attacks as cheaply as possible and utilize open-source hardware for the instrumentation of the EMP probe, leading us to use the PicoEMP to generate the EMP and a 3D printer to automate the positioning and placement of the probe. After 3D printing a custom bracket for the EMP and developing software to control the printer, we could automate glitch data collection while instrumenting the X/Y/Z coordinates of the probe. We determined the optimal probe placement for performing our previously discovered RDP bypass using the resulting data. A portion of this talk will review that data and some of the tools we developed to help visualize the data collection results to determine optimal probe placement. Using the probe placement data generated from our testing, we developed a consistent RDP bypass for the STM32F4 via a targeted EMP using the power trace analysis from our first glitch. This attack allowed for flash readout capabilities on locked STM32F4 processors. We also will discuss how we've used these tools and resulting workflows to target other microcontrollers, such as the Nuvoton M032 series. After this talk, we will release the Jupyter notebooks, libraries, tools used to instrument the 3D printer, and the ChipWhisperer Husky and PicoEMP. We will also publish a long-form write-up (blog post) describing the process. false Glitch Graph Glitch Graph 2 Glitching Rig https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/8FM8V3/ https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/8FM8V3/feedback/ Workshop Track 1 📍Room 1.124 Workshop 2024-02-24T11:00:00-06:00 11:00 01:30 Emulation and fuzzing are among the many techniques that can be used to improve cybersecurity; however, utilizing these efficiently can be tricky. This workshop will help you understanding how these powerful tools and techniques work. Using a couple of real-world use cases and practical examples, this talk will help you grasp the fundamental concepts of fuzzing and emulation along with advanced vulnerability research, providing you with the tools and skills needed to find security flaws in your software. The workshop will showcase the QEMU Course, were we move among different architectures and harnesses. We will show famous tools such as American Fuzzy Lop (AFL) and its improved version, AFL++. You’ll learn how to combine these powerful tools to create your own emulation and fuzzing environment and then use it to discover vulnerabilities in various systems, such as iOS, Android, and Samsung’s Mobile Baseband software, Shannon. ringzer0-bootstrap24-austin-38467-qemu-for-fuzz-and-profit-emulation-fuzzing-deep-dive-into-cybersecurity-techniques /media/ringzer0-bootstrap24-austin/submissions/JEETKU/emu_Uird1ft.jpg Antonio Nappa en "Emulation & Fuzzing: Deep Dive into Cybersecurity Techniques" Join us for a comprehensive 90-minute workshop where we delve into cutting-edge techniques of emulation and fuzzing, drawing insights from Fuzzing Against the Machine. This immersive session promises to equip you with both foundational knowledge and advanced practices in the realm of cybersecurity. Workshop Highlights: Setting the Stage: Get acquainted with the prerequisites and tools vital to grasp the nuances of this workshop, ensuring you can make the most of the content ahead. Journey Through Time: Embark on a historical exploration of emulation, understanding its evolution, nuances, and its paramount role in the ever-evolving landscape of cybersecurity. QEMU - The Emulator Spotlight: Get an in-depth understanding of QEMU - our system emulator of choice, learning about its internals, capabilities, and previous success stories. Fuzzing with QEMU: Dive into the intricacies of QEMU's execution modes and the dynamic world of fuzzing. Understand static versus dynamic fuzzing and their practical applications. Case Studies Galore: Relive the discovery of a 2011 vulnerability in VLC through the synergy of QEMU and AFL. Understand the real-world implications with a look into the vulnerability found in modern Samsung phones. Venture into full-system fuzzing with studies on OpenWRT, diving into nuances when targeting different architectures such as ARM. Witness the marvel of iOS full-system fuzzing, understanding the unique challenges and solutions involved. Explore the world of Android libraries and their vulnerabilities, leveraging the open-source project Sloth. Concluding Thoughts: Summarize the wealth of knowledge, emphasizing the significance of the research and future directions in this critical domain of cybersecurity. This workshop promises a holistic understanding, from basics to advanced techniques, ensuring participants can apply these insights to real-world challenges. Whether you're a novice in cybersecurity or a seasoned practitioner, this session has something valuable for everyone. Join us in this engaging journey, drawing from the extensive research and practical examples from Fuzzing Against the Machine. false https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/JEETKU/ https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/JEETKU/feedback/ Workshop Track 1 📍Room 1.124 Workshop 2024-02-24T13:30:00-06:00 13:30 01:30 Most of you have likely heard about hardware *Fault Injection*. Actually, it's likely some of you have experience injecting glitches into chips. However, many of you are likely still unaware of the full potential of the faults you are, sort of randomly, bringing to life. In this workshop, you will conduct a hands-on *Fault Injection* experiment and model your faults systemically. This understanding allows you to envision, and potentially devise, powerful *Fault Injection* exploits. ringzer0-bootstrap24-austin-39515-fault-injection-characterization tieknimmers en In this Fault Injection workshop you will be doing the following: - Build a Fault Injection setup using NewAE Husky - Perform Fault Injection Characterization experiments - Describe the faults you are creating by injecting glitches Note, the activities performed in this workshop are also part of our 'The Art of Fault Injection' training. false https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/97FX9D/ https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/97FX9D/feedback/ Workshop Track 1 📍Room 1.124 Workshop 2024-02-24T15:30:00-06:00 15:30 01:30 The goal of this workshop is to teach participants how to use patch diffing techniques to analyze real-world vulnerabilities in Microsoft Windows via (CVE-2023-28308) and Android via (CVE-2022-36934). The main point of the workshop is to help researchers understand that they already have the information and tools needed to understand complex vulnerabilities. By learning to patch diff "in the dark", a researcher can progress from knowing about a vulnerability to actually understanding its root cause. ringzer0-bootstrap24-austin-38297-patch-diffing-in-the-dark /media/ringzer0-bootstrap24-austin/submissions/3XSPQZ/_b1034b85-ebb0-4c2b-9717-21b31ae1a6e5_vnOJpXO.jpg John McIntosh en The workshop will cover the following topics: 1. Introduction (15 minutes) - Explain what patch diffing is and why it is useful for vulnerability research - Give an overview of both CVE vulnerabilities and their impact - Introduce the tools and data sets that will be used in the workshop (Ghidra, patched and unpatched binaries, updates files, etc.) - Exercise: - Check participants can run required tools and have access to provided resources 2. Patch Analysis (40 minutes) - Learn the different methods to obtain the binaries needed for patch diffing across Windows and Android - Demonstrate how to use Ghidra to compare the patched and unpatched binaries and identify the changes - Explain how to interpret the diff results and locate the vulnerable function - Exercise: - Have participants import and analyze binaries, and perform patch diff 3. Vulnerability Analysis (40 minutes) - Teach a method to determine how to reach the identified vulnerable function - Explain how the vulnerabilities can be triggered by sending a specially crafted input - Show how to use a debugger (WinDbg / adb) to attach to a process and set breakpoints on the vulnerable function - Demonstrate how to craft a malicious input to trigger the CVE - Exercise: - Have participants try to identify the vulnerable function and provide guidance. - Have participants step through the vulnerable function 4. Conclusion (15 minutes) - Summarize the main points and learning outcomes of the workshop - Provide some tips and resources for further learning and practice on patch diffing and vulnerability analysis - Answer any questions from the participants and collect feedback Requirements for the Workshop: - Laptop with Ghidra installed or ability to run workshop VM - Internet access to download workshop resources false https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/3XSPQZ/ https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/3XSPQZ/feedback/ Workshop Track 2 📍Room 1.126 Workshop 2024-02-24T13:30:00-06:00 13:30 01:30 Diffing is used in reverse-engineer, to analyze two variants or versions of a same software whether its a legit executable or a malware. It is useful to transfer information from a program to another, for anti-plagiarism or for patch analysis and thus vulnerability research. While multiple diffing tools exists little has been done to perform it at scale on numerous binaries. This workshop introduces a variety of tools to both analyze binaries by working on their representation extracted from a disassembler and also tools to automate diffing with Bindiff. All these tools have been open-sourced very recently and documentation is available at https://diffing.quarkslab.com. ringzer0-bootstrap24-austin-38729-binary-reversing-and-whole-firmware-diffing Robin David en This workshop is targeting tech savy eager to know more about reverse-engineering up to experienced red teamers. Anyone will be able to take advantage of this workshop and to take away practical knowledge, get familiar with various tools and to get an overview of various use-cases where it can be applied. The outline of the workshop is given below. First, the workshop will recall basics about reverse-engineering, x86_64 assembly, ELF format, and how to get familiar with IDA Pro or Ghidra for analyzing programs at binary level. Once everyone is back on the same basis we will move to scripting some analyzes. Then, we will introduce the concept of binary exporters which aims at dumping the whole Ghidra/IDA Pro disassembly into a file that can then be manipulated without having to keep the disassembler open. We will present [python-binexport](https://github.com/quarkslab/python-binexport), a wrapper around Binexport (Google's exporter) to automated the export and the processing of exported files. Then we will present [Quokka](https://github.com/quarkslab/quokka) that we developed which is better than Binexport by being more exhaustive and more compact. From there, we will start manipulating executable files exported with binexport or quokka to start digging into the binary. Multiple exercises will be given to get familiar with the API, and to search for various information in the binary e.g: which function is using a specific string ? What are the parameters given to a specific function call. Various binaries will be used as examples including some malware code. We will also write scripts that can be batched on multiple executables. Thenafter, we will move to the binary diffing use-case and to show how to analyze an update by comparing the two programs in order to understand what has been patched. First, an introduction to [Bindiff](https://www.zynamics.com/bindiff.html) will be done to show how to do manual diffing. Then we will introduce [python-bindiff](https://github.com/quarkslab/python-bindiff/) to show how to automate the diffing process and how to manipulate the result seamlessly. No existing utilities or libraries enables manipulating a diff programatically to perform security analyzes. We will give a glimpse of how this can be done using our collection of tools with some exercises aiming at finding the key modifications between two binaries. We will conclude with a practical to perform a diff between two firmware versions used at Pwn2own 2022. The goal of the practical is identifying key changes in order to understand what has been updated by performing **whole firmware diffing**. This practical will also leverage another tool [Pyrrha](https://github.com/quarkslab/pyrrha) that we developped for firmware cartography. false https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/HCTCHK/ https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/HCTCHK/feedback/ Workshop Track 2 📍Room 1.126 Workshop 2024-02-24T15:30:00-06:00 15:30 01:30 Hooking is a powerful method employed to monitor, intercept and manipulate the flow of data and control within an application. It involves injecting custom code inside a target process to alter, or enhance its functionality. Hooking plays a pivotal role in anti-game cheats, fortifying security controls, gathering valuable telemetry data, and empowering Endpoint Detection and Response (EDR) systems. This workshop delves deep into advanced hooking techniques, and provides a unique opportunity for participants to master this intricate art. Whether you're a seasoned malware researcher seeking to dissect threats or a red teamer looking to uncover defense blind spots, this workshop will equip you with the skills and knowledge needed to excel in your security endeavors. ringzer0-bootstrap24-austin-38416-mastering-offensive-hooking-and-unhooking Soumyadeep BasuArun Nair en Section 1 – The first section of the workshop will focus on basics concepts of Portable executable, PE file formats, introduction to windows APIs and foundation setting for advanced concepts and hands on in later sections. - PE basics - Students will understand the program execution lifecycle in windows, PE file structure - imports,exports etc - Windows API - Students will learn about inner working of windows and how various GUI components interact with the kernel via APIs and syscalls. This will include hands on labs that will require participants to use Windows APIs via code (C++) to perform simple operations like process creation, file creation etc. - NT API & Syscalls – Students will be introduced to NT APIs present in ntdll. These APIs will be later hooked to monitor API calls transitioning from user to kernel mode via syscalls Section 2 – Focus on this session will be to get started with hooking windows API, via manual methods as well as tools like Frida. Through these exercises, students will be made accustomed to hook windows application and monitor API arguments. - Introduction to hooking – Students will be introduced to basics of hooking. Both manual as well as automated hooking techniques (using tools like Frida, Detour) will be demonstrated - Hooking native windows and commercial applications - Students will be given live demonstration of hooking on few windows applications and how to identify correct APIs on which hooks need to be placed - Simple keylogger Section 3 – Focus of this section will be to demonstrate legitimate usage of hooking in windows systems by EDRs. Unhooking(removing existing hooks) as a concept will also be introduced as a means to bypass security controls present on a host - EDRs - Students will receive a primer on Endpoint Detection and Response systems and how they use hooks to gather telemetry and obtain visibility inside individual processes. Decisions to resume or kill the process are formulate based on the telemetry. - Introduction to unhooking (NTDLL/IAT) – Students will be introduced to IAT (Import Address Table) and NTDLL unhooking techniques as one of the means to evade EDR systems. Section 4 – The final section will focus on dissecting various unhooking techniques and how evolution of these techniques happened over time as and when EDR's caught up with them - Hells gate and Halos gate - Students will use the knowledge acquired in the previous section to understand different unhooking strategies employed in diverse scenarios to bypass EDR solutions - Review / Key Takeaways / Q&A – The workshop will wrap up with a review of the material covered, key takeaways and answer any student questions. In addition to the presentation material, students will be provided with a virtual machine (VM) that includes a fully functional development environment and all the necessary code samples for replicating the demonstrations showcased during the presentation. false https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/DNUPPY/ https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/DNUPPY/feedback/ Workshop Track 3 📍Under The Oaks Workshop 2024-02-24T13:30:00-06:00 13:30 03:00 The Dark Wolf "Hack Our Drone" workshop provides participants the ability to learn hands-on cybersecurity testing techniques for evaluating Unmanned Autonomous Systems. The workshop includes a full Unmanned Autonomous System test target composed of a BeagleBone Blue Flight Vehicle (UAV), a Ground Control System (GCS), and a MAVLink over 802.11 WiFi Communications system. The workshop includes both instructor assistance and detailed lab manuals to guide participants through a series of tasks to discover and exploit cybersecurity weaknesses in the UAS. Tasks include firmware analysis, network service exploitation, password cracking, elevation of privilege, and UAV over-the-air hijacks. Participants are expected to bring a laptop with either Kali Linux installed or one that can boot a Kali Linux Live USB drive. ringzer0-bootstrap24-austin-38828-hack-our-drone Ronald Broberg en This workshop is divided into three hands-on modules: 1. Ground Control System 2. Uncrewed Aerial Vehicle 3. Radio Communications Each module includes tasks involved in describing the component, collecting software, analyzing for security vulnerabilities, and demonstrating exploits against those vulnerabilities. These tasks are drawn from our real-world experiences as cyber professionals providing security analysis of Uncrewed Aerial Systems in both commercial and governmental sectors. false https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/FYRSRA/ https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/FYRSRA/feedback/