General informationGreHack 2015 will propose four workshops/tutorials during the CTF. They will start between 8:00pm and 10:00pm and last about one hour, depending on the workshop. Conference tickets and CTF-only tickets both give access to workshops.
Registration to workhops is now open. Register at firstname.lastname@example.org, and please give the following details:
- your name,
- the workshop you want to attend to.
Please note that:
- Workshops capacity is (very) limited, so be quick to register
- You can only attend to one workshop
- It is highly possible (and even advised) to attend to both a workshop and the CTF
- There will be no breakthrough bonus for CTF challenges (so no excuse for not attending to a workshop)
This Miasm workshop will focus on a real world shellcode study through three main steps:
- Symbolic execution for information retrieving;
- PE reconstruction for setting a "soft and cozy binary" for tools;
- Shellcode analysis in an emulated Windows environment for highlighting relevant information (C&C, ...) and automation.
- Running a Linux environment (Host or VM)
- Having Miasm installed, with regression tests running (ie, tests/test_all.py fully working)
- Basic knowledge in reverse engineering field (this is not an intro to reverse, but an intro to Miasm for resolving common reverse engineering issues)
Desclaux Fabrice and Mougey Camille are the main Miasm developers.
They both work as infosec engineer at CEA/DAM, mainly working on reverse engineering topics.
Desclaux Fabrice previous talks include a presentation on reverse engineering Skype at BlackHat EU 2006 and another one on Miasm at SSTIC 2013 and 2015.
Mougey Camille previous talks include a presentation on execution trace for disobfuscation
at SSTIC 2014 and another one on DRM analysis at ReCON 2014.
IVRE - Large Scale Network Recon
This workshop covers the tools used for network recon (Nmap, Zmap, Masscan) and the challenges to address to (efficiently) run country-, AS- or Internet-wide scans, depending on the scan objectives. While it focuses on the open source network recon framework IVRE, the concepts discussed can be applied using other tools.
- IVRE - network recon framework
- IVRE - source code, issues
- Scanning Internet-exposed Modbus devices for fun & fun
- Mining public keys with IVRE
- A basic knowledge of network protocols (IP, TCP, UDP and most common applications: HTTP, DNS, etc.), Nmap and Linux is required.
- Come with a (recent enough) laptop running Linux with
- recent versions of Docker and Vagrant installed and IVRE's Docker
images downloaded (just run
for i in agent base client db web; do docker pull ivre/$i; done)
- or IVRE properly installed (we will not deal with installation issues during the workshop)
- if you have troubles getting IVRE installed on your computer, contact the developers or open an issue on Github
- recent versions of Docker and Vagrant installed and IVRE's Docker images downloaded (just run
- Bring a USB flash drive (to exchange results with other participants).
- A remote Linux host to run scans (no scan can be run from the Internet access provided during the workshop) would be really great even if not absolutely necessary. Linode provides cheap servers you can use for that purpose; their hardware and prices are good, their staff is great and they accept network scans from their hosts provided you handle quickly abuse e-mails.
IT security research engineer at CEA/DAM, pentester, intrusion hunter, Unix & network enthusiast.
IRMA - an Incident Response & Malware Analysis plateform
In this workshop, we will briefly introduce you to IRMA concepts and goals, then you will install and customize it to build your own Malware Analysis plateform. We will:
- Recall our major motivations to build such a system,
- Present the overall architecture of IRMA which has been designed as a 3 part system,
- Guide you to setup your own system, running in virtual machines, in less than 30 minutes,
- Develop together a new analyser and include it to your own IRMA setup,
- Discuss the mechanics under the hood for people willing to contribute to or to reuse this project.
- VirtualBox Virtual Machine Manager
- The laptop should preferably have at least 4 GB of RAM, capable processor (i5 or i7), and more than 20 GB of free HD space.
- Vagrant version 1.5 or higher
- Ansible, version 1.6 or higher (see http://docs.ansible.com/intro_installation.html)
Guillaume Dedrie is a software developer at Quarkslab, specialized in full-stack
development. He likes to automate everything and try to evangelize firms
around the world with the emerging DevOps culture. If you’re looking for
him, you’ll probably find him in a Meetup in Paris.
Drone - and they shall fall from the sky
We will briefly introduce you to the basics of drone system and how they are controled. Then, we will show you how to detect AR-DRONE 2 and how to inject traffic to take over a legitimate user. We will:
- explain how to detect drone,
- show how to inject traffic,
- guide you to improve the security.
Cedric Lauradoux is a junior researcher at Inria Grenoble Rhône-Alpes. He is also the undisputed and beloved chair of GreHack 2015. He enjoys working on algorithms and data structures and applying his knowledge to security and privacy problem. He also enjoys bench pressing, lift weight and tackling: it is a major mistake to try to steal his food.