SecTor Episode MMXXI: Return of The Hack Lab | The State of Security


I’m happy to announce that arrangements have now been finalized for the Tripwire team to return for the Tripwire VERT Hack Lab at the MTCC!

We will be bringing some new hardware devices as well as a new virtualized hack target. This new virtual target, an ASUS DSL modem with recent firmware, can be compromised by applying the tools & methods we’ve taught in the classroom and in the Hack Lab since day 1.

If you’ve previously visited the Hack Lab or taken one of my IoT classes, I would highly encourage visiting the booth again this year to complete this latest exercise. We will also be taking a closer look at hardware hacking/modification and software-defined radio attacks. Whether you have visited us before or not, please stop by and say hello to Tyler, Andrew, and me next month.

Don’t forget that the Hack Lab is strictly BYOL – Bring Your Own Laptop.

A Beginner’s Guide to Reversing with Ghidra

Registration is also open for A Beginner’s Guide to Reversing with Ghidra, which will be held virtually on account of my not wanting to miss Halloween in Atlanta with my kids. In this training, students will learn how to use Ghidra by solving a series of incremental challenges. As a final challenge, students will analyze an IoT malware sample (Mirai) and figure out how to statically identify and decrypt the CnC configuration from the sample.

Students taking this class should have, at a minimum, a basic understanding of programming and computer architecture, but they do not need prior reversing experience.

Concepts and processes covered in class include:

  • Ghidra UI conventions
  • Importing programs
  • Decompiling functions
  • Annotating code with variable names and comments
  • Defining data structures (automatically and manually)
  • Enumerating program strings
  • Navigating program references
  • Instruction patching (and program exporting)
  • Loading PDB symbols for Windows components
  • Program diffing
  • Automating Ghidra with Python REPL
  • Writing Ghidra scripts (Java & Python)

Students will learn how to make sense of disassembled or decompiled code and then apply that information toward achieving an objective.

On the first day, I will review some foundational concepts regarding computer architecture and reversing before walking through Ghidra’s major features. Throughout the day, students will perform lab exercises to experiment with these features. This will present students with the perfect opportunity to ask questions and clarify any confusion.

By the second day, a suitable foundation has been built to look more closely at the tricks developers can employ to frustrate software reversing efforts. The hands-on exercises on this day include investigating the techniques by which developers can hide data within code, code within data, or various combinations thereof.

In the final challenge, students will be given a (harmless) Mirai sample and tasked with recovering encrypted configuration values using Ghidra.

The class will be held online as part of the SecTor cybersecurity conference.

The Hack Lab will be held on November 1-2, 2021 at the Metro Toronto Convention Center in Toronto. Learn more here: https://sector.ca/pre-conference/

Read More about Ghidra

Ghidra 101: Cursor Text Highlighting

Ghidra 101: Slice Highlighting

Ghidra 101: Decoding Stack Strings

Ghidra 101: Loading Windows Symbols (PDB files)

Ghidra 101: Creating Structures in Ghidra

Ghidra 101: Loading Windows Symbols (PDB files) in Ghidra 10.x
