BruCON 0x10

In this 2 hour workshop, Didier will guide you through XOR Cryptanalysis exercises using several open source tools (several of these tools are created and maintained by Didier).

After an introduction to the XOR operator and its use in cryptography, we will work through several exercises that will familiarize you with tools like:

• CyberChef
• translate.py
• XOR 010 Editor script
• XORSearch
• xor-kpa.py 

And we will end with exercises using custom ransomware decryption tools that Didier developed for a particular ransomware strain with flawed crypto. 

Code obfuscation is fast becoming a normal part of modern Windows malware. Pioneered by Emotet and popularized by the Conti ransomware leaks, we now see even simple credential stealers using cracked versions of commercial grade code virtualization! The solution… if you can’t reverse it, just run it!

In this workshop we will cover different tracing techniques that can be used to bypass and extract information from protected code. The workshop is divided into modules covering tracing with x64dbg, dynamic binary instrumentation with PIN, and API tracing with DTrace. A challenge binary is provided with each module for students to practice and the final challenge is a real world malware sample that has been virtualized.

This workshop is aimed at reverse engineers and malware analysts who have experience analyzing malware and are comfortable with debugging in userland. If you don’t have experience with malware but you do have a few hours behind the debugger you should have no problem completing the workshop.

Requirements:

1. Students must bring a laptop/workstation capable of running a Windows Virtual Machine (VM)
2. A preinstalled Windows 10 (64bit) 20H1(or later) VM with at least 50G of free space.
   You will be provided with detailed tools installation and setup instructions prior to the workshop

With more and more organizations moving away from traditional on-prem infrastructures towards hybrid or full cloud environments, the need for breaching the network perimeter as an attacker becomes increasingly redundant to cause any impact. The primary identity solutions for companies are shifting from Active Directory towards Microsoft Entra ID, on-prem SMB shares are replaced by OneDrive and SharePoint Online, and Exchange Servers are decommissioned in favor of Exchange Online.

With the most sensitive information of an organization now being stored in the cloud, penetration testers and red teamers need to adapt their techniques and focus on this shifted attack surface. This led to the creation of GraphSpy, the Swiss Army Knife for attacking Microsoft 365 & Entra. In this workshop, you will be able to play with some of the most powerful capabilities of the tool to compromise and move laterally inside a realistic lab environment created by the author of GraphSpy.

Requirements:

1. This workshop requires a laptop or virtual machine on which python3 is installed (any OS should work). 

The workshop will be accessible for beginners, while also being fun and challenging for the more advanced participants. Both red and blue team backgrounds are welcome!