Feb 27, 2017

Training Teaser - Windows AppLocker bypass

In this short teaser, we want to demonstate a simple AppLocker bypass. AppLocker, which will be the main focus of the ‘Windows Breakout’ (Day 1) section of the BruCON spring training, is the de-facto standard for locking down Windows machines in an enterprise environment.

It is the successor to SRP (Software Restriction Policies) and allows definition of fine-grained rules to allow or deny execution based on the path, file hash or publisher of the executable or script.
For this post, let us consider a scenario where the system administrator of a company has deployed the following AppLocker rules on all company machines through Group Policy:

The executable rules permit Administrators to run anything, while users which are part of the 'Employees' group are only allowed to run Microsoft signed binaries, with a few exceptions.

The explicitly-blocked binaries are the usual suspects; each of them would allow users to run arbitrary commands on their corporate machine if not blocked by AppLocker. The training course will go into detail on how to attaining code execution through regsvr32, rundll32 and InstallUtil.
The aim of this exercise is to run PowerShell and subsequently launch any binary on this box, such as a Meterpreter reverse shell.

Trying to run PowerShell directly is a no go:

Even though the publisher information matches an 'Allow' rule in AppLocker, it is explicitly denied by path. 'Explicit Deny' takes precedence over 'Explicitly Allow' in AppLocker. 

If we look closer at the rules, we can see that the offending rule is applied on the path of the binary and hence moving it to another location, such as the Desktop, would invalidate the rule and allow execution:

Easy right? The next step is to run any executable with the help of Powershell. At this point we could either beg Microsoft to sign our Meterpreter reverse shell or use the Invoke-ReflectivePEInjection PowerShell script, which is part of PowerSploit, to reflectively load our executable in memory and execute it that way. 

This time we'll go for the latter. Transfer the Meterpreter reverse shell to the box and run the following commands:

The result is a complete bypass of this AppLocker policy:

This is just a taste of what we'll be covering during the 'Windows Breakout' section of this 3-day training course. 

In addition to this we'll be going through Windows Privilege Escalation and UAC Bypasses. For a more complete overview as well as registration information, please visit this page

BruCON Spring Training is hosted on 19,20 and 21 April 2017 at the Novotel Ghent Centrum in Belgium.  http://2017.brucon.org

See you there!!

Feb 10, 2017

Training Feedback - What we have learned from you !

After each training, we invite our students to complete a feedback form and provide us some input and honest opinions on how we can further improve the BruCON training experience.

On average about 70% of student typically complete the survey and a majority of them go beyond the rating scale and provide us detailed feedback and areas with room for improvement.

So what have we learned so far ? 

There have been an number of issues in the past with the hotel wireless network. That being said, we aim to provide you a standard solid internet connection that allows you to do your research and check your emails and not for heavy downloading. The hotel has improved and upgraded the wireless network since last BruCON. During Spring Training 2017 in April, we'll evaluate the progress and if required we'll be deploying our own wireless (or even wired) network in October once again.

When it comes to food, there is no such thing as pleasing everybody. We've tried different approaches in the past, but as of this year, we'll be going back to a buffet format with cold starters and a choice of three warm main courses (meat, fish and vegetarian). To speed things up, the classes will again be split into two groups giving you more free time during the lunch break.

After a long day of absorbing the sweet security goodness (and possibly frustrations ;-) ) you get during your training, you deserve some time off. And what would be better then having a beer together with your fellow students, after all, BruCON's slogan is still "hacking for beer". After the second day of training, we will be inviting you for a drink in the hotel bar. The first one is on us ! 

Check out our Spring Training 2017 lineup (19-21 April) here
If you want to share with us some other feedback, you can contact us on Twitter or via email at training@brucon.org

Dec 23, 2016

BruCON 0x09 Spring Training open for registration

Right on time for Christmas, we bring you the BruCON 0x09 Spring training track (19-21 April). Early-bird registration till the 20th of January ! 

The line-up! : 
  • Malicious Documents for Blue and Red Teams by Didier Stevens (3-day training) - Our resident trainer Didier Stevens will teach you how to both analyse as well as create malicious files such as PDF, Word and Excel documents. You'll learn how to analyse malicious files as well as create your own for Red team testing ! 
  • Corelan Bootcamp by Peter Van Eeckhoutte (3-day training) - Once again we bring you Corelan ! One of the best exploit development courses available, now in our spring training track. Prepare yourself for 3 long days (+10 hours/day) of intensive exploit development ! Lunch and dinner are included and, as always enough coffee to keep you going! We will be hosting the Advanced course in October (2 - 4 October 2017) and you can now already register for both! (limited seating)
  • Mobile Application Exploitation (iOS and Android) by Prateek Gianchandani and Dinesh Shetty (3-day training) - A completely hands-on training on exploiting mobile applications for the iOS and Android platform. Even wondered how different attacking a Mobile application would be, from a traditional web application? Including iOS 10 and Android 7 Nougat, we are bringing you an updated version of this successful and very well received course !
  • Windows Breakout and Privilege Escalation by Jason Cook and Francesco Mifsud (3-day training) - This training will provide the required knowledge to perform post-exploitation actions on locked down Windows machines. Tools, tips and techniques will be shared to break out of restrictive execution environments and escalate privileges from a low level user to SYSTEM on modern Windows operating systems. Contrary to common perception, Windows machines can be really well locked down if they are configured with care. As such, attackers will need to dig deep in order to break out of restrictive environments and escalate privileges.
  • Open Source Defensive Security Training by Leszek Miś (3-day training) - Open Source Defensive Security Training is a 3-days long, advanced IT Security laboratory dedicated for professionals who need close the gaps in Linux & Open Source Security knowledge. Very detailed and up to date course content with focus especially on defensive vs offensive approach, based on real world scenarios gives you the best opportunity for making stronger defensive layers inside your Open Source network infrastructures or a Linux-based products. Check out a detailed agenda, find it interesting and register as soon as possible. May the packets be with U!

The training location will be Novotel Ghent Centrum.

All training details and registration links can be found on the BruCON training pages (link)

your BruCON team.

Nov 8, 2016

BruCON 0x09 Spring Training - Call for trainings

BruCON 0x08 is over and we had a great time hosting the trainings, workshops and conference ! Our 0x09 Spring Training edition will take place on 19, 20 and 21th of April 2017 and we are once again looking for some great training courses. 

We have the following guidelines for you: 
  • BruCON hosts predominantly offensive technical security training sessions. We don't have any specific focus areas for now, so please submit any training you deem interesting !
  • Training should be either 2 or 3 days with a preference for the latter.
  • You are allowed to submit multiple training suggestions, however please specify if they can be hosted simultaneously.
  • If you have additional hardware that need to be taken into account, please specify including the additional costs.
If you submit a training, please include, at minimum, the following information : 
  • Description
  • Course content
  • Target audience
  • Trainer biography
  • Hosted before ? If so, where and when
Our prices for trainings are :
  • 2-day trainings - 1100€ (Early-bird) / 1200€ (Regular) *
  • 3-day trainings - 1400€ (Early-bird) / 1500€ (Regular) *
* Not taking into account any additional hardware which might be included.
We have a 50% profit split in place between the trainer and us. If you have any particular question or you would like us to work out a concrete example, don't hesitate to reach out!

The deadline for you submissions is Monday 28 November COB (GMT+1). You can submit per mail to training@brucon.org. You will receive an acknowledgement that your submission has been well received. 

Please also use this address if you have any questions.

Kind regards

The BruCON Training crew

Oct 14, 2016

Raising the stakes with 3 CTFs at BruCON 0x08!

This year we will have three (3!) different CTF competitions at BruCON! All the CTFs are free to join!
  • Team CTF on Wednesday 26/10/2016 at Monasterium
  • Student CTF on Wednesday 26/10/2016
  • Individual CTF during the BruCON conference (27-28/10/2016) 

Team CTF

Level: Medium / Advanced
This contest will allow up to 10 teams to compete, solving challenges, creating exploits to attack opponents and defending their own infrastructure. In this CTF we will give you challenges related to exploitation of vulnerabilities, Web security, Databases Security, Reverse engineering and Cryptography.
Players will compete for 8 hours to get first place in the CTF.

Location and Timing

Location : Monasterium - Oude Houtlei 56 - 9000 Gent (http://monasterium.be/)
The CTF begins promptly at 10h00 and end around 18h00 . Out of consideration for your fellow CTF teams, please try to be there around 09h30

Student CTF

In a fully fledged CTF requires a specific set of skills, for this, BruCON will be organising a student CTF where we will guide students through a CTF competition! The student CTF covers 4 different topics each containing a number of challenges. After each topic you can try the challenges yourself and see how you can use your acquired skills! We will learn about SQL Injection attacks, Android reverse engineering, Traffic analysis with Wireshark and a number of CTF tips and tricks. This CTF is focused on beginning students, no prior knowledge is required since most of the CTF is seen as an introductory session.

Location and Timing

Location: BruCON venue - Volderstraat 9, Ghent
The CTF begins promptly at 9h30 and end around 17h00 . Out of consideration for your fellow students, please try to be there around 09h00

Individual CTF

This contest is played on a Jeopardy scheme with 20 different classic challenges such as categories: reverse engineering, cryptography, digital forensics, web security, vulnerability exploitation and perhaps some hardware hacking;)
The CTF will be open for 30 hours during the BruCON two-day event (27 and 28 October).
Participation in the CTF is free.
The expectation is that you can have a good time, playing and learning about different security issues.
Requirements: Register as an individual player for the CTF Bring your own equipment and tools
Level: Basic / Medium

For more information an registration:

Jun 28, 2016

BruCON 0x08 Trainings information

We are proud to present to you our program for the 2016 BruCON 0x08 Training (24-26 October)

The line-up! : 

  • Offensive PowerShell for Red and Blue Teams by Nikhil Mittal (3-day training) - In this course, you'll learn how to attack Windows network using PowerShell, based on real world penetration tests. The course runs on a lab network to which attendees will have Free access for one month after the training. The class consists of hands-on, challenges and demonstrations.
  • Windows Kernel Exploitation by Ashfaq Ansari (3-day training) - In this 3-day training course, you'll learn to fuzz Windows Kernel Mode driver and find vulnerabilities. You'll be taken from basics of Windows Architecture, it's Kernel and introduction to different software vulnerabilities along with their exploitation in Kernel mode. These 3 days will be full of hands-on, kernel debugging and WinDbg-Fu.
  • Assessing and Exploiting Control Systems by Justin Searle (3-day training) - This is not your traditional SCADA/ICS/IoT security course! How many courses send you home with your own PLC and a set of hardware/RF hacking tools?!? In this 3-day version of the course, you will receive all six days worth of slides.
  • Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more by Dawid Czagan (2-day training) - Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning security bugs identified in some of the greatest companies? If that sounds interesting, join this unique two-day hands-on training!
  • Attacking with Excel by Didier Stevens (2-day training) - In this training, our resident trainer Didier will teach you how to use Microsoft Office for offensive security. Performing a port scan, injecting and execute shellcode or even loading your own DLL's without touching the disk, only by using the Excel process !
  • Hardware hacking training with Hardsploit by Julien Moinard (2-day training) - Tired of watching hardware products getting hacked every day without having your part of fun ? Don't worry it will not be the case anymore! This training teaches you hardware hacking in its most pragmatic aspects by using both theory and practice (hands-on). It follows a simple (but efficient) training methodology based on a "Discover / Analyze / Attack & Protect" guideline that can be applied to any kind of hardware product (Internet of Insecure Things included). Each student will receive a Hardsploit hardware hacking tool, with a value of 250 euros.

Registrations will be opened on the 1st of July. Early-bird registration till the 1st of August!
The training location will be Novotel Ghent Centrum.

All training details and registration links can be found on the BruCON training pages (link)

your BruCON team.

Jun 21, 2016

Brucon 0x08 Talks and Workshops

It's taken us a bit of time and some hard deliberation, but here are your talks and workshops for Brucon 0x08 !!

Firstly we'd like to thank everyone who took the time to submit. We had some truly awesome talks and workshops submitted and it was difficult to whittle it down to the final list.

So without further ado...


  • "Building a Successful Internal Adversarial Simulation Team" - Chris Nickerson and Chris Gates
  • "What Does the Perfect Door or Padlock Look Like?" - Deviant Ollam
  • "New Adventures in Active Defense, Offensive Countermeasures and Hacking Back" - John Strand
  • "NO EASY BREACH:Challenges and Lessons Learned from an Epic Investigation" - Matthew Dunwoody and Nicholas Carr
  • "Decepticon The Rise and Evolution of an Intelligent Evil Twin…!!!" - Rushikesh Nandedkar, Amrita Iyer and Krishnakant Patil
  • "Hello to the Dark Side: Understanding YOUR Adversaries without All Those Expensive Threat Intel Tools" - L. Grecs
  • "Security through design - Making security better by designing for people" - Jelle Niemantsverdriet
  • "Esoteric Web Application Vulnerabilities" - Andres Riancho
  • "Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To) D""e`Tec`T 'Th'+'em'" - Daniel Bohannon
  • "Virtual Terminals, POS Security and becoming a billionaire overnight" - Grigorios Fragkos
  • "Hacking KPN: Lessons from the trenches" - Jeremy Goldstein and Bouke van Laethem
  • "Scraping leaky browsers for fun and passwords" - Stefaan Truijen, Adrian Toma and Arne Swinnen
  • "Smart Sheriff, Dumb Idea. The wild west of government assisted parenting" - Abraham Aranguren, Fabian Fäßler and Abraham Aranguren
  • Talk title incoming...listen to "Last Writes" at full volume in the mean time - Dual Core


  • "The Control Things Workshop" - Justin Searle
  • "Hacking The Enterprise" - Eden Froemming and Wim Remes
  • "Hello Friend: Creating a Threat Intelligence Capability" - Rebekah Brown and Scott J Roberts
  • "Brewcon" - Chris Lytle
  • "Hunting Malware with osquery at scale" - Nick Anderson, Sereyvathana Ty and Javier Marcos
  • "Analyzing Malicious Office Documents" - Didier Stevens
  • "Incident Response Workshop" - Maxim Deweerdt and Erik Van Buggenhout
  • "Crowdsourced Malware Triage: Making Sense of Malware With a Browser and a Notepad" - Sergei Frankoff and Sean Wilson
  • "How to securely build your own IoT enabling embedded systems: from design to execution and assessment" - Jens Devloo, Jean-Georges Valle and Vito Rallo
  • "802.11 Leakage: How passive interception leads to active exploitation: I now know where you live, work, and play, and oh btw, I have also MiTM'd your smart phone and laptop" - Solomon Sonya and Solomon Sonya
  • "Putting a lock around your containers with Docker Security Primitives" - Nils De Moor
  • "Visual Network and File Forensics using Rudra" - Ankur Tyagi

We will be publishing more detailed information on each of the talks in the coming weeks.
The training program will be announced soon ! 

In the mean time, we will be working on getting tickets ready for purchase.

Looking forward to seeing everyone in Ghent in October !!

BruCON Crew