FRIDAY, NOVEMBER 8, 2024
The Unlock your brain workshops
NATURAL LANGUAGE PROCESSING (NLP) FOR THREAT INTELLIGENCE
Pauline BOURMEAU
Natural language processing (NLP) is a subfield of AI and sits at the core of large language models. In this workshop you learn how to break AI down into concrete tools and build your first NLP program, using natural language processing to extract knowledge and uncover patterns in text data. The workshop provides practical knowledge and skills that you can apply in your daily practice as a security professional. It is designed for beginners: you will be introduced to the foundations of NLP and gain hands-on experience with text pre-processing, representation, and classification.
Goals:
- Learn how to leverage natural language processing for Threat Intelligence and investigation in cybersecurity.
- Acquire practical skills to allow you to build your own pipelines.
- Guide you to an intuitive path for learning NLP and integrate it progressively to your daily tasks.
Program:
- Building a sentiment analysis pipeline using pre-trained models and industry-standard libraries.
- Learn the essential steps of text pre-processing by practicing on a real dataset.
- Explore different methods of representing text data.
- Build a simple text classifier using popular techniques.
- Learn to measure accuracy of your model.
- Discussions and resources to go further.
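The pipeline the program describes (pre-processing, a bag-of-words representation, a classifier, and an accuracy measurement), as an added example that is not the workshop's own material: it uses only the Python standard library rather than the industry-standard libraries the workshop will use, and the sentences, labels (1 = adversary activity worth an analyst's attention, 0 = routine office text) and stop-word list are constructed here for illustration, not real reports.

```python
"""Threat-intel text triage: pre-processing -> bag of words -> Naive Bayes -> accuracy.

Added example for this page (not the workshop's material), standard library only.
The corpus below is constructed for illustration and is not real threat data.
"""
import math
import re
from collections import Counter

# Constructed corpus. Label 1 = describes adversary activity, label 0 = routine text.
TRAIN = [
    ("Phishing email with macro-enabled attachment drops Emotet loader", 1),
    ("Threat actor uses credential dumping via lsass memory access", 1),
    ("Ransomware encrypts file shares after lateral movement over SMB", 1),
    ("C2 beaconing observed to newly registered domain over HTTPS", 1),
    ("Exploit for unpatched VPN appliance used for initial access", 1),
    ("Attackers exfiltrate data using cloud storage as staging", 1),
    ("Scheduled maintenance window for the mail server this weekend", 0),
    ("Please submit your timesheet before Friday afternoon", 0),
    ("New printer installed on the third floor near the kitchen", 0),
    ("Quarterly budget review meeting moved to conference room B", 0),
    ("The cafeteria menu for next week has been published", 0),
    ("Reminder to update your desk phone voicemail greeting", 0),
]
TEST = [  # held-out sentences, also constructed
    ("Phishing attachment drops ransomware loader on file shares", 1),
    ("Credential dumping and lateral movement after initial access", 1),
    ("Attackers exfiltrate credential data from the mail server", 1),
    ("Budget meeting moved to the conference room near the kitchen", 0),
    ("Reminder to submit your timesheet before the weekend", 0),
]
STOPWORDS = {"a", "an", "the", "and", "for", "to", "of", "with", "via", "on", "over",
             "after", "is", "has", "been", "this", "your", "as", "in", "from", "by", "at"}


def preprocess(text):
    """Lower-case, split on non-alphanumerics ('macro-enabled' -> macro, enabled), drop stop words."""
    return [t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOPWORDS]


def bag_of_words(tokens):
    """Sparse term-frequency representation of one document: {term: count}."""
    return Counter(tokens)


class MultinomialNB:
    """Multinomial Naive Bayes with add-alpha (Laplace) smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha

    def fit(self, docs, labels):
        self.classes = sorted(set(labels))
        self.log_prior = {c: math.log(labels.count(c) / len(labels)) for c in self.classes}
        self.term_counts = {c: Counter() for c in self.classes}
        for doc, y in zip(docs, labels):
            self.term_counts[y].update(doc)          # Counter + Counter adds counts
        self.vocab = {t for doc in docs for t in doc}
        self.total_terms = {c: sum(self.term_counts[c].values()) for c in self.classes}
        return self

    def log_posterior(self, doc, c):
        """log P(c) + sum over terms of n_t * log P(t | c), smoothed over the vocabulary."""
        denom = self.total_terms[c] + self.alpha * len(self.vocab)
        return self.log_prior[c] + sum(
            n * math.log((self.term_counts[c][t] + self.alpha) / denom) for t, n in doc.items())

    def predict(self, doc):
        return max(self.classes, key=lambda c: self.log_posterior(doc, c))

    def indicative_terms(self, c, k=5):
        """Terms with the highest likelihood ratio P(t|c) / P(t|other): what the model keyed on."""
        others = [o for o in self.classes if o != c]
        smooth = self.alpha * len(self.vocab)

        def ratio(t):
            p = (self.term_counts[c][t] + self.alpha) / (self.total_terms[c] + smooth)
            q = (sum(self.term_counts[o][t] + self.alpha for o in others)
                 / sum(self.total_terms[o] + smooth for o in others))
            return p / q
        return sorted(self.vocab, key=ratio, reverse=True)[:k]


def accuracy(model, data):
    hits = sum(model.predict(bag_of_words(preprocess(text))) == y for text, y in data)
    return hits / len(data)


def train_and_evaluate(train=TRAIN, test=TEST):
    """Run the whole pipeline; returns (model, held-out accuracy)."""
    docs = [bag_of_words(preprocess(text)) for text, _ in train]
    model = MultinomialNB().fit(docs, [y for _, y in train])
    return model, accuracy(model, test)


if __name__ == "__main__":
    model, acc = train_and_evaluate()
    print(f"held-out accuracy: {acc:.2f}")
    print("terms most indicative of adversary activity:", model.indicative_terms(1))
```

Swapping the bag-of-words `Counter` for TF-IDF weights or embeddings, and the hand-written classifier for a library model, changes only `bag_of_words` and `MultinomialNB`; `preprocess`, `accuracy` and the held-out split stay the same, which is the point of structuring the work as a pipeline.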
Conclusion:
We briefly discuss the diverse range of applications of NLP, including Open-Source Intelligence (OSINT), security research and incident response, and finally highlight the significance of working with both structured and unstructured data.
Requirements: Knowledge in Python, no prior experience in AI is required.
_______________
About the speaker:
Pauline Bourmeau (Cookie): Pauline focuses on offensive cybersecurity, artificial intelligence, hacker culture, cognition, and the human aspects of cybersecurity.
She has a diverse background with experience in various fields, including linguistics, criminology, cybersecurity, computer engineering, and education. Using a cross-disciplinary approach, she draws on both humanistic and technical perspectives to provide a comprehensive understanding of cyber threats and their evolution. She also dedicates part of her work to information sharing.
Detecting and exploiting prototype pollution in JavaScript applications
BitK
Prototype pollution is a critical vulnerability class in JavaScript applications: by abusing prototype inheritance, an attacker who controls object keys (for example a `__proto__` key reaching a recursive merge) can add properties to a shared prototype such as `Object.prototype`, so that every object in the application inherits them. How far that can be pushed depends on the gadgets present in the code base. This workshop will provide an in-depth, hands-on experience to help participants understand, identify, and mitigate prototype pollution vulnerabilities.
Workshop Objectives:
- Understand JavaScript prototypes and prototype pollution attacks.
- Learn to identify prototype pollution vulnerabilities in JavaScript codebases.
- Use our custom-developed tool to assist in identifying gadgets and vulnerabilities.
- Perform a live demo targeting popular JavaScript libraries to showcase the tool's effectiveness.
- Equip researchers and developers with practical skills to secure JavaScript applications against prototype pollution.
Workshop Outline:
1. Introduction to JavaScript Prototypes and Prototype Pollution
- Overview of JavaScript prototype inheritance
- Explanation of prototype pollution
- Real-world impacts of prototype pollution vulnerabilities
2. Identifying Prototype Pollution Vulnerabilities
- Common patterns and indicators of prototype pollution
- Manual techniques for detecting vulnerabilities in code
3. Introducing pp-finder for Gadget Identification
- Overview of the tool's features and capabilities
- Instrumentation techniques used in the tool
- Benefits of using the tool for whitebox audits
4. Using the tool
- Setting up the tool in a development environment
- Instrumenting a sample codebase
- Identifying and analyzing potential gadgets and vulnerabilities
5. Targeting Popular JavaScript Libraries
- Demonstration of the tool on well-known JavaScript libraries
- Step-by-step walkthrough of identifying and exploiting a vulnerability
Prerequisites:
- Basic understanding of JavaScript
- Familiarity with JavaScript objects and inheritance
- Laptop with a development environment set up (Node.js, preferred text editor/IDE)
__________
About the speaker:
Lucas, also known as BitK, is 28 years old. He is French and lives in Lyon. If you play CTFs, you have probably already met him at an on-site event, as he plays a lot of them with the French team Hexpresso.
Before joining YesWeHack, he wrote and reverse-engineered software for power plants.
He is also a bug hunter and has been among the top 10 hackers on the YesWeHack bug bounty platform since its launch.
GO FIGUR by yourself
Darcosion
It all starts with a small spam campaign to sell fake drugs on Facebook. And it ends with a multinational infrastructure of spam, account creation farms, identity theft, and black SEO.
On the agenda: OSINT, web infrastructure analysis, SOCMINT, GEOINT, FININT, IMINT, and plenty of bonus content specific to this field.
This ‘workshop’ isn’t really a workshop in the sense that you won’t be doing any hands-on work on your computer. It’s more of a deep dive into the world of OSINT in all its forms, even the most unexpected ones. Buckle up. 😉
__________
About the speaker:
A cybersecurity integrator, OSINT enthusiast, and CTF competitor, Darcosion has been practicing hacking for about ten years and gives talks related to OSINT, CTI, and cybersecurity in general. Through the OSINT-FR community, Darcosion has participated in several major OSINT-based investigations and has also created his own OSINT CTF, the 'FullDebilosCTF', which gathered over 200 participants over more than two weeks, with a total of 70 challenges.
Zeek and Destroy with Python and Machine Learning
Eva SZILAGYI
Zeek is an open-source network security monitor (NSM) and analytics platform that has been around for quite some time (since the mid-90s). It is used at large university campuses and research labs, but in the past few years, more and more security professionals in the industry have turned their attention to this fantastic tool.
But Zeek is so much more than just a NIDS generating alerts (notices) and log files! Zeek's scripting language allows security analysts to perform arbitrary analysis tasks such as extracting files from sessions, detecting brute-force attacks, or, most importantly, interfacing with external tools such as Python. The Zeek Python bindings allow us, the analysts, to use powerful Python libraries such as NumPy, pandas, and TensorFlow and apply machine-learning-based detection to network traffic.
During this four-hour workshop, we will learn about the following topics:
- Super fast introduction to Zeek (architecture, events, logs, signatures, etc.)
- Using machine learning and data science tools on Zeek logs (as an example, we will use Fourier Analysis to detect C2 beaconing)
- Super fast crash course in Zeek scripting (just enough to understand how to create new logs)
- Connecting Zeek and Python via the Zeek Broker Communication Framework
- Using machine learning tools in Python on the data we receive from Zeek for detection (as an example, we will use convolutional neural network and random forest models to compare them, and then use them to find unknown malware in live network traffic)
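The Fourier-analysis idea from the second topic above, as an added example that is not the workshop's code: a stand-alone Python script that parses Zeek conn.log-style records, bins the connections of each source/destination pair into a one-second time series, and looks for a dominant spectral peak. It uses only the standard library (a small mixed-radix DFT stands in for NumPy); the conn.log records, hosts, beacon period and the SNR threshold are synthesized or chosen here for illustration and are not from the workshop.

```python
"""Spotting periodic C2 beaconing in Zeek conn.log data with a discrete Fourier transform.

Added example (not the workshop's code), standard library only. The conn.log
records are synthesized below; hosts use documentation address ranges.
"""
import cmath
import math
import random
from collections import defaultdict

# Subset of the standard conn.log columns, in Zeek's tab-separated layout.
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "duration", "orig_bytes", "resp_bytes"]


def synth_conn_log(seed=7, start=1_700_000_000.0, period_s=60, jitter_s=2.0):
    """Constructed conn.log lines: 10.0.0.5 beacons to 203.0.113.10 every
    period_s seconds (+/- jitter); 10.0.0.7 makes 200 connections at random times."""
    rnd = random.Random(seed)
    rows = []
    for i in range(3600 // period_s):                     # one hour of beacons
        rows.append((start + i * period_s + rnd.uniform(-jitter_s, jitter_s),
                     "10.0.0.5", "203.0.113.10"))
    for _ in range(200):                                   # background browsing
        rows.append((rnd.uniform(start, start + 3600), "10.0.0.7", "198.51.100.20"))
    rows.sort()
    lines = ["#fields\t" + "\t".join(FIELDS)]
    for i, (ts, src, dst) in enumerate(rows):
        lines.append("\t".join([f"{ts:.6f}", f"Cuid{i:05d}", src, str(49152 + i % 16000),
                                dst, "443", "tcp", "ssl", "0.120000", "128", "352"]))
    return lines


def parse_conn_log(lines):
    """Yield one dict per record, keyed by the #fields header; other '#' lines are skipped."""
    fields = None
    for line in lines:
        if line.startswith("#fields"):
            fields = line.rstrip("\n").split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            yield dict(zip(fields, line.rstrip("\n").split("\t")))


def fft(x):
    """Recursive mixed-radix DFT: correct for any length, fast for smooth lengths (3600 = 2^4*3^2*5^2)."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    p = next(f for f in range(2, n + 1) if n % f == 0)    # smallest prime factor of n
    m = n // p
    subs = [fft(x[r::p]) for r in range(p)]                # p interleaved sub-transforms
    out = []
    for k in range(n):
        tw = cmath.exp(-2j * math.pi * k / n)
        out.append(sum(subs[r][k % m] * tw ** r for r in range(p)))
    return out


def beacon_score(timestamps, t0, window_s=3600, bin_s=1.0):
    """Bin timestamps within [t0, t0+window_s), remove the DC term and return
    (period of the strongest frequency in seconds, peak power / mean power)."""
    n = int(window_s / bin_s)
    counts = [0.0] * n
    for ts in timestamps:
        b = int((ts - t0) / bin_s)
        if 0 <= b < n:
            counts[b] += 1
    mean = sum(counts) / n
    spec = fft([c - mean for c in counts])
    power = [abs(v) ** 2 for v in spec[1:n // 2]]          # positive frequencies, DC excluded
    k = max(range(len(power)), key=power.__getitem__) + 1   # index k = k cycles per window
    return window_s / k, power[k - 1] / (sum(power) / len(power))


def find_beacons(lines, threshold=20.0):
    """Score every (orig_h, resp_h) pair. A white-noise spectrum of this size has a
    peak-to-mean ratio around 8, so 20 (a chosen value) leaves a wide margin."""
    by_pair = defaultdict(list)
    for rec in parse_conn_log(lines):
        by_pair[(rec["id.orig_h"], rec["id.resp_h"])].append(float(rec["ts"]))
    t0 = math.floor(min(ts for tss in by_pair.values() for ts in tss))
    return {pair: (*beacon_score(tss, t0), beacon_score(tss, t0)[1] >= threshold)
            for pair, tss in by_pair.items()}


if __name__ == "__main__":
    for (src, dst), (period, snr, flagged) in find_beacons(synth_conn_log()).items():
        print(f"{src} -> {dst}: period={period:.1f}s snr={snr:.1f} {'BEACON' if flagged else 'ok'}")
```

Two caveats worth keeping in mind when moving this to real conn.log data: a jittered beacon also puts energy into harmonics (30 s, 20 s, ...), so report the lowest frequency among the strong peaks rather than trusting the single maximum, and a busy pair such as a proxy will have a high absolute peak without being periodic, which is why the score is normalised by the mean power rather than used raw.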
Requirements for the workshop:
- A laptop with at least 16 GB of RAM and more than 50 GB of free disk space (VT-x support must be enabled on the host system)
- Application to run Virtual Images (type-2 hypervisor): VMWare Workstation Pro (recommended), VMWare Workstation Player, VMWare Fusion, or VirtualBox
- Only 64-bit Intel-compatible (Intel or AMD) processors are supported.
WARNING: ARM-based (like Apple Silicon, Qualcomm Snapdragon, some Microsoft Surface laptops) devices cannot perform the necessary virtualization and therefore cannot be used for the workshop.
________
About the speaker:
Eva is a principal consultant at Alzette Information Security, an information security consulting company based in Europe. She has more than ten years of professional experience in various areas like penetration testing, security source code review, vulnerability management, digital forensics, IT auditing, telecommunication networks, and security research. Eva has two master's degrees in electrical engineering and in networks and telecommunication. She holds several IT security certifications, such as GSEC, GICSP, GCFE, GCIH, GCFA, GMON, GRID, GSSP-JAVA, GWAPT, GDSA, GCDA, GMOB, GMLE, CDP, CCSK, eCIR, eWPT, and eJPT.
Eva regularly speaks at international conferences like BruCON, Hack.lu, Nuit du Hack, Hacktivity, Black Alps, BlackHoodie, BSides London, BSides Munich, BSidesBUD, BSides Stuttgart, Pass the SALT, Security Session, SANS @Night Talks, and she is a former member of the organizer team of the Security BSides Luxembourg conference.
Deserialization attacks: exploit research and development
Vincent MICHEL
Gaëtan CARABETTA
Deserialization attacks can enable remote code execution on a system. During this workshop, participants will have the opportunity to try out this type of attack on vulnerable applications and develop their own exploit.
Unsafe deserialization is one way to achieve remote code execution on a system. One could say that deserialization exploits are the application-layer equivalent of ROP chains: instead of chaining machine-code gadgets, the attacker chains existing classes of the application (through the methods that run automatically on unserialization and destruction) into a gadget chain.
This type of vulnerability is often identified during source code audits, but also during vulnerability research in open-source applications. When a public gadget chain exists for the application or its dependencies, it can be used directly. But what if that's not the case, or the public gadget chain doesn't work?
During this workshop, participants will:
- Understand the unserialization mechanisms applied to the PHP language
- Learn the methodology for researching and building a gadget chain
- Perform a basic attack on a demo application using a simple gadget chain
- Use the phpggc tool
- Tackle challenges on applications of increasing difficulty
Prerequisites for participants:
- Basic knowledge of object-oriented development (ideally in PHP)
- Workstation
- VM or Linux host (e.g., Debian) with Docker installed
About the speakers:
Vincent works as a pentester in a cybersecurity company. He runs a blog (https://darkpills.com/) aimed at sharing his thoughts and experiences on various topics, hoping to help others: web and internal penetration tests, vulnerability research, write-ups, exploit development, security best practices, tooling, etc. He previously worked as a senior software developer before transitioning to this wonderful field of security. 🙂
Gaëtan, naturally curious, began his professional career in construction before transitioning to the digital field, specifically into infosec within a pure-player cybersecurity firm. A consultant by day, game hacker by night, he isn't afraid to tackle hexadecimal instructions and enjoys the company of debuggers and disassemblers during his learning sessions. Always seeking new challenges, 'impossible' is not a word in his vocabulary.
Exploring OpenSSH: Hands-On Workshop for Beginners
William ROBINET
During this workshop, you will learn how to use the various tools from the OpenSSH suite. We will start with a presentation of the problems that are solved by OpenSSH, then we will dive into the details of its most important and useful features.
Among the topics covered, we will go through remote host authentication, password and public key client authentication, key generation, local and remote port forwarding, forward and reverse SOCKS proxying, X11 forwarding, jump hosts, connecting to legacy systems, and more.
Hands-on exercises will be proposed throughout the exploration of the tool suite using real-life scenarios. There will be space for questions and discussion.
This workshop is intended for beginners who want to improve their practical knowledge of and experience with OpenSSH.
Basic networking and Linux shell knowledge are required in order to follow this workshop. Each participant will need a Linux machine (on which they have root access) with Docker pre-installed and Internet access.
Workshop's outline:
- Workshop author presentation
- Illustration of the confidentiality, authenticity, and integrity issues related to the use of network communications with traditional tools such as telnet
- Lab: Generate traffic with *telnet* or *netcat* and dump it with Wireshark/tcpdump
- SSH & OpenSSH history
- Presentation of the OpenSSH tool suite
- Remote machine authentication
- Client authentication methods: password & public key
- Lab: Login using a password, generate a keypair, configure it, and use it
- SOCKS proxying (forward & reverse)
- Lab: Reach an internal web application (via its DNS name) through a SOCKS proxy on the remote machine
- Lab: Provide Internet access to a remote isolated machine
- Local port forwarding
- Lab: Reach an internal web application via a local port forwarding (-L)
- Remote port forwarding
- Lab: Reach a local *netcat* server from the remote machine through a remote port forwarding (-R)
- Jumphost
- Lab: Reach the shell of an internal machine with a single command (-J)
And if time permits, we will discuss some other points:
- Graphical application forwarding
- Lab: Start a graphical application remotely (-X)
- Legacy systems
- Lab: Show how to connect to legacy SSH implementations
- Honeypot
- Lab: Demonstrate the use of an SSH honeypot
- Quick introduction to *tmux*
- Lab: Demonstrate the use of *tmux*
A Linux machine (VM or physical) with root access and Docker pre-installed is required for the labs. This machine will need Internet access with at least TCP port 22 being open to the outside.
__________
About the speaker:
William manages the technical team behind AS197692 at Conostix S.A. in Luxembourg. He has been working with free and open-source software on a daily basis for more than 25 years. Recently, he presented his ASN.1 templating tool at Pass The SALT 2023 in Lille, and his OpenSSH workshop at Hacktivity 2023 in Budapest and CONFidence 2024 in Krakow. He contributed to the recent cleanup and enhancement efforts on ssldump. He particularly enjoys tinkering with ML and open (and not so open) hardware.