Pen Test Hackfest Europe #PenTestHackfestEU

Transcription

1 2 2 n d J U LY BERLIN Pen Test Hackfest Europe 2019 #PenTestHackfestEU

2 Agenda We strive to present the most relevant, timely and valuable content. As a result, this Agenda is subject to change. Please check back frequently for changes and updates. Sunday 21 st July :00 20:00 Pre-Summit Meet and Greet This optional session offers the opportunity to meet and network with your fellow attendees the night before the Summit kicks off. We highly recommend you attend if possible. Monday 22 nd July :30 09:30 Registration and Coffee This is another great opportunity to meet, greet and interact with your peers so come down early. 09:30 09:45 Welcome and Introduction by Summit Chair Erik Van Buggenhout, Certified Instructor & Author, SANS 09:45 10:30 Keynote Speech James Lyne, Head of Research & Development, SANS 10:30 11:05 Blame Wars - How to Attribute Responsibility In November 2018, Austrian security consultancy SEC Consult published a security advisory concerning a vendor of ID solutions using the German national ID card. Authenticating with a real ID card, the researchers had been able to trick a web app into believing they were Johann Wolfgang von Goethe. Technically the bug leading to the vulnerability is easy to describe and reproduce (it is a well-known mishandling of the complex SAML authentication mechanism). Still, a fierce debate between researchers, vendor and circles of German government contractors erupted - not so much about the impact of the vulnerability itself, but more about where to place blame. Since the bug was contained in an accompanying SDK, it could be both the vendor's as well as users' fault. Others blamed SAML itself - and therefore either the standards authors or the German government for picking the standard. In the presentation, I will track the origin of the bug both technically and historically/"politically" to generate some insights into the question who should be to blame for vulnerabilities and security incidents: a sketch for a theory of attribution. David Fuhr, Head of Research, HiSolutions AG 11:05-11:35 Networking Break: Drinks and snacks will be served

3 Monday 22nd July :35 12:10 Pillaging Modern Windows User Profiles Sure, dumping hashes, grabbing user tokens and BloodHound-ing your way to domain admin is great but, there are all kinds of juicy postexploitation morsels helpfully left behind by users if you know where to look for them. This talk explores these avenues and will give you a newfound appreciation for Outlook data, command history, temp files and more! Jason Nickola, Director of Technical Services, Pulsar Security 12:10 12:45 A Journey Through Adversary Emulation During this talk, NVISO will take you on a journey through adversary emulation, from its inception to its adoption and application. They will show you how they integrated adversary emulation into their red teaming approach using MITRE s ATT&CK framework. Next to the more classic red teaming assessments, other adversary emulation flavors such as purple teaming and integration with the TIBER framework will be covered as well. To top things off, concrete examples from recent assessments and lessons learned will be shared. After this talk, you will have a structured overview of everything adversary emulation and enough inspiration to tackle every adversary emulation challenge coming your way. Jonas Bauters, Senior Security Consultant, NVISO 12:45-13:45 Networking Luncheon Lunch is served onsite to maximize interaction and networking among attendees. 13:45 14:20 Well, that escalated quickly! - A Local Privilege Escalation Approach Companies engage security experts to penetrate their infrastructures and systems in order to find vulnerabilities before malicious users do. During these penetration tests, security experts often encounter Windows endpoints or systems and gain low privileged access to these. To fully compromise the system, privileges have to be escalated. Windows contains a great number of security concepts and mechanisms. These render privilege escalation attacks difficult. Penetration testers should have a sound knowledge base about Windows components and security mechanisms in order to understand privilege escalation concepts profoundly and apply these. This talk imparts knowledge on Windows required to understand privilege escalation attacks. It describes the most relevant privilege escalation methods, techniques and names suitable tools and commands. These methods and techniques have been categorised, included into an attack tree and were tested and verified in a realistic lab environment. Based upon these results, a systematic and practical approach for security experts on how to escalate privileges was developed. Khalil Bijjou, Senior Security Consultant, SEC Consultant

4 Monday 22nd July :20 14:55 Pentesting Cars Given the increasing popularity of automotive hacking, more and more bug bounty programs are setup by vehicle manufacturers, enabling researchers to collect a nice reward for reporting new vulnerabilities they find in their cars. A car pentesting apprentice will inevitably raise the question: How can I be part of this and how do I start doing some research on my own car? In this presentation, we will provide a quick walk-through of our penetration testing methodology for embedded systems, specifically tailored to automobiles. The interested audience will get to know a framework they can utilize to perform a full blown penetration test, starting on individual control units, i.e. the computers that are the basic building blocks of a car's electronics system, and from there work the way up to analysing the car as a whole. The methodology, will of course touch on the vehicle s backend communication, as connected features are an integral and especially from a pentester s perspective - very attractive part of the modern vehicle s extras. Practical examples will be used to demonstrate how the methodology can be put to work in real life scenarios. With the framework at hand, attendees will have the necessary tool to get started with car security research in a structured and comprehensive manner. Oliver Nettinger, R&D, NVISO 14:55 15:30 With Just a Search Engine & Cup of Coffee: Hunting Vulnerabilities on the Web Our security team conducted several security studies in 2018, intended to discover vulnerabilities and weaknesses in web servers in the Czech Republic (or in the.cz cctld and on IPs located in Czech Republic, to be more specific). Two of these studies (1. Identification of servers with open/ browsable directories and sensitive files and 2. Search for open redirection vulnerabilities) were conducted with not much more than a search engine. Given how simple it is (at least in theory) to identify and remove these vulnerabilities, one might assume they wouldn't be too common. Yet the results proved otherwise - in a quite interesting turn, we've managed to identify sensitive data and open redirection vulnerabilities on more that 250 servers, number of which were running fairly high-profile sites or belonged to a critical service providers. In the end, although we weren't looking for them, we found some interesting vulnerable servers outside the Czech Republic as well. The presentation would cover our methodology for conducting both of the studies, discussion of what we found/what was the impact of what we found, and how well (or less so) things went when we informed the subjects responsible for the impacted servers. Jan Kopriva, CSIRT Team Leader, Alef Nula a.s. 15:30-16:00 Networking Break Drinks and snacks will be served

5 Monday 22nd July :30 17:05 Erik Van Buggenhout, Certified Instructor & Author, SANS 17:05 17:20 Closing Remarks by Summit Chair Erik Van Buggenhout, Certified Instructor & Author, SANS Social events and informal networking activities are hosted after the Summit.

6