Windows dla pentesterów

• Krzysztof '_0kami' Marciniak - Poznań Security Meetup

OSINT - wprowadzenie do informatyki śledczej

• Monika Sadlok - xcaliber

Two boys, one router (no CVE yet)

• Adam Haertle & Adam Lange - Zaufana 3 strona

Podatność SSRF - warta czapki gruszek czy miliona dolarów?

• Michał Sajdak - Sekurak

Podmiana treści wcześniej wysłanych SMSów i zabawy z WAP

• Artur Czyż - Sekurak

Security analysis of < portal > element - including SOP bypass and file read in Chrome Canary

• Michał Bentkowski - Sekurak

Live demo kabla USB, który nagle staje się klawiaturą i przejmuje komputer

• Marek Rzepecki - Sekurak

Breaking real-world OAuth 2.0 implementations with state machines

• Marcin Hoppe - Sekurak

Attacking AWS

This workshop shows how tiny misconfigurations in AWS can lead to complete takeover of cloud resources. During the workshop the audience will learn how to detect and exploit the misconfigurations as well as how to defend against such attacks. The workshop consists of 2 parts with hands-on, scenario-based labs. The first part will be focused on privilege escalation scenario: from little vulnerability in the web application to administrator in AWS. The second part will be about finding and exploiting issues related with AWS S3 service: how to detect company resources in cloud and how to automatically scan them in search of valuable information.

The workshop is focused on 2 the most common misconfigurations in AWS, which are: improper permissions and data leaks over misconfigured S3 service. During the first part I’ll explain how to escalate the privileges using the AWS exploitation framework - Pacu. By exploiting the SSRF vulnerability in web application the attendees will reach meta data and gain access key and STS token to assigned IAM profile. Then, I’ll show how, using only permissions to EC2 service is possible to laverege permissions to administrator.

During the second part the attendees will learn how to detect various S3 misconfigurations and how to automatically scan the leaked content in search of keys and passwords using the DumpsterDiver tool based on the KrkAnalytica scenario (a CTF which I’ve prepared for CONFidence 2018).

After all I'll go through the same scenarios, but this time from defender perspective, focused on hardening the AWS resources.

All the attendees are required to have a valid AWS account (can be a free tier account) and a computer with Internet access and SSH client. The labs and machines with test tools will be provided via AWS snapshots so the attendees will mount them under their own accounts.

• Paweł Rzepa

Lab Guide – Threat Hunting Workshop

Welcome to the Threat Hunting Workshop - Get your hands dirty to keep your organization clean In order for your businesses to continually innovate and transform, it must remain secure. To do this, you need a comprehensive security strategy that will enable you to gain visibility and control into all endpoint devices. Join Cisco’s Advanced Threat Solutions Specialists for this hands-on threat hunting workshop to learn:
- How to identify advanced threats that lurk in your environment
- What is your exposure to emerging threats and how should you respond
- How to regain resources and minutes by reducing time to remediate
This workshop complements the Cyber Threat Response Clinic, there is no overlap in the content covered in both.

• Senad Aruc

A quick introduction to radio hacking.

During the workshop we will cover topics such as the basics of radio communication, using Software Defined Radios (SDRs) and analysis of a custom radio protocol. A brief introduction to Bluetooth Low Energy "under the hood" will be covered as well.

• Krzysztof Marciniak