Events

TROOPERS20 Training Teaser: Attack And Defence In AWS: Chaining Vulnerabilities To Go Beyond The OWASP Top 10

Attackers are everywhere. They are now in the cloud too! Attacking the most popular cloud provider, AWS, requires knowing how different services are set up, which defences need to be bypassed, which service attributes can be abused, where information can be leaked, how to escalate privileges, which monitoring solutions may be present in the environment, and so on. We try to answer these questions in our intense, hands-on, scenario-driven training on attacking AWS and subsequently defending against those attacks.

As an attacker or defender, if you have ever asked any of the following questions, this training is for you:

  • Is there a process to attacking the cloud or do we go after the services as and when they are discovered?
  • Is SSRF the only vulnerability to access the metadata service on EC2?
  • How do I use stolen AWS secret keys to attack further?
  • How do I cover my tracks in an AWS environment?
  • If I can’t see a service due to a security group, can I still attack it?
  • How do I create better wordlists to discover and exploit S3 buckets that have uncommon names?
  • Can I impersonate other users within AWS?
  • Is there a way to extract secrets from AWS Lambda?
  • How do I prevent credential compromise in AWS?
  • How can I be sure there is no attacker already within my cloud infrastructure?
  • How do I enumerate and move between accounts that are part of AWS organisations?

Events

TROOPERS20 Training Teaser: Hacking Node.js & Electron apps, shells, injections and fun!

Did you know that in the ever-evolving field of Web and Desktop apps, these can all now be powered by JavaScript? You read that right: JavaScript is now used to power both web apps (Node.js) and Desktop apps (Electron). What could possibly go wrong?

So, the burning question is: how does this affect Web and Desktop app security? If you want to find out, come to our training and you will experience this in a 100% hands-on fashion! 🙂

You will learn how to hack Web and Desktop apps, with a special focus on JavaScript attack vectors tailored for Node.js and Electron, but also on broader attack vectors that work against regular Web and Desktop apps.

What are the main attack vectors against Web and Desktop apps? How can apps defend against these? How do JavaScript frameworks change this? Come and find out!

Events

TROOPERS20 Training Teaser: Swim with the whales – Docker, DevOps & Security in Enterprise Environments

Containerization dominates the market nowadays. Fancy buzzwords like continuous integration/deployment/delivery, microservices, containers, DevOps are floating around, but what do they mean? What benefits do they offer compared to the old dogmas? You’re gonna find out in our training!

We are going to start with the basics of Docker, Containers and DevOps, but soon you’ll end up with your own applications running inside containers, with the images residing in your own registry and, of course, following the microservices approach. And by then the second day hasn’t even started. Once the fundamental topics of containerization are understood, you’re going to create and operate your own Kubernetes cluster. A lot of fun and challenging exercises lie ahead to give you hands-on experience with all the technologies.

We at ERNW not only have security written on our banner, it is a mindset we share. Therefore, be prepared to get knee-deep into security with regard to the discussed technologies. We will tackle the security aspects from the bottom up: what containerization tools can offer and how all of this can be enforced and enhanced with Kubernetes to secure your clusters. From there on you are ready for the final challenge. You will take on the role of an attacker who has compromised a Container in the cluster and escalate your privileges to Cluster Admin.

Attendees who complete the training will have a solid understanding of container technology, especially Docker and Kubernetes, and of course of the security challenges those technologies bring to the table.

So, if you’re up to a challenging training and want to get not only your feet wet with Docker and Kubernetes, you can reserve your spot for the training right here.

 

Thanks and kind regards,
Jan and Simon

Events

TROOPERS20 Training Teaser: Insight Into Windows Internals

Windows 10 is one of the most commonly deployed operating systems at this time. Knowledge about its components and internal working principles is highly beneficial. Among other things, such knowledge enables:

  • in-depth studies of undocumented, or poorly documented, system functionalities;
  • development of performant and compatible software to monitor or extend the activities of the operating system itself; and
  • analysis of security-related issues, such as persistent malware.
