I attended NorthSec in Montreal last week and weekend and had an awesome time.
NorthSec 2019 – Introduction
Note: First, I know this post is way back-dated, but I’m still trying to catch up. That said, if I leave anything or anyone out, then please let me know!
Since BrrCon wasn’t far enough north for my tastes, it was time to try out NorthSec.
If you’ve never been, NorthSec is a week long conference held every year in Montreal. There are 3-4 days of training, followed by 2 days of talks and workshops, and then another two separate days for the CTF competition!
I attended a training session, a few workshops, and several talks this year. This was not only my first time at NorthSec, but my first time in Montreal in general, so it was a fantastic opportunity.
I also got to meet a few people that I knew online (unexpectedly), so that was a fun surprise.
This post is getting finished and published a little late, so I apologize if some of the information is light on details. That said, trust me when I say this was easily worth the trip.
This was only my second time in Canada, and my first trip to Montreal. I was in town for a week counting the conference, so I had a little time to myself to explore.
The downtown Marriott was awesome, and I had a great view.
I also got a great welcome letter and gift, so I felt fancy already.
That said, the hotel was repairing the gym, so I did have to work out in the world’s strangest hallway.
Once I finally left the hotel, I went on an adventure including a brewery tour. The tour was awesome, and the final stop was a Benelux bar, which I loved.
During the brewery tour, we passed the haberdashery of Henri Henri, who allegedly invented the hat trick.
After the tour, I grabbed some dinner, and had my first helping of legit poutine. It was obviously amazing and would not be the last time that I had some on this trip.
I also spent most of one day/evening in my hotel room, relaxing before my intense training began.
NorthSec Training – Windows Kernel Exploitation
This course was awesome, and a perfect follow-up to my OSCE (review still coming) certification.
Before even starting the course, I got an e-mail listing the following as pre-requisites.
- C (Understanding of low level programming)
- Assembly (read/write/understand basic ASM)
- Windows Memory Management (https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/virtual-address-spaces)
- Driver basics (IRP/IOCTL/Data Buffering) (https://msdn.microsoft.com/en-us/library/windows/desktop/aa363219(v=vs.85).aspx, https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode , https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/i-o-request-packets, https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/using-buffered-i-o, https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/using-direct-i-o, https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/introduction-to-driver-objects)
- Access Tokens (https://msdn.microsoft.com/en-us/library/windows/desktop/aa374909(v=vs.85).aspx)
- Exploit development in user mode. Understanding of different types of software vulnerabilities like buffer overflow, use after frees, out of bound access, etc and also exploitation primitives.
- Complete the HEVD challenges on Windows 7 x86 (https://github.com/hacksysteam/HackSysExtremeVulnerableDriver)
That said, I had a vague understanding of most of these, and the rest were covered in the first day.
I haven’t done any kernel exposure before, so this was a great introduction and ramp up. It was difficult at times, but the material and instruction were there whenever I felt something was lacking. I do have to go back and refresh on some topics, especially stuff like pool grooming.
I’m hoping to have at least a few blogs to come out of the course, especially write-ups for the newest HEVD.
In addition to the learning, there was an ongoing CTF during the class. I ended up taking first, with a few flags right before it ended. The only challenge that I was unable to complete by the conclusion was a full privilege escalation exploit, but I’m hoping to still finish and blog about that as well.
Finally, we got an awesome BSoD shirt, that I’ve already got a few compliments on in various places!
After two days of training, the conference itself started.
The conference was hosted at the Montreal Science Centre, which was a sweet location. There was plenty of room for the talks and workshops, and there was a foodcourt right next door. Other than that, there were plenty of places within walking distance, including the St. Lawrence River.
Also, not to be outdone, the foodcourt had poutine at almost every option, including the Mexican food one!
As far as the conference itself was concerned, I actually made it to a few talks!
- The SOC Counter ATT&CK – this was another talk about the ATT&CK framework, but from a more defensive point-of-view. He covered detection, how to use it, why to use it, and which tools will detect what.
- The (Long) Journey To A Multi-Architecture Disassembler – this talk was a lot more in-depth than I expected, and a bit over my head. That said, I now understand just how difficult it is to build a single-architecture disassembler, let alone one for multiple architectures. JEB sounds super sweet, and you can check out their presentation here.
- DNS On Fire – this was a neat talk from the Talos group about some DNS hijacking attacks in the wild. Most of them revolved around the “Sea Turtle” campaign, which I had not heard about before. That said, these attackers went as far as hijacking DNS from the server/administrative level, which was awesome to see.
In addition to those three talks, I attended two (free) workshops during the conference.
Using angr to augment binary analysis workflow
I’ve never used angr before but read about it in plenty of binary CTF challenges especially.
They covered what angr might be used for, how it could be used, and any caveats to worry about. In addition to that, they demonstrated using it to solve an unsolved CTF challenge from NSec 2018.
My only real concern with this workshop is that they provide you with a pre-built Docker image. While it is great to have everything configured and ready to go, it’d be nice to know what issues might occur when trying to install it etc.
That said, by the end of the class, I completed one of the “extra challenge” exercises and solved a real CTF problem using angr!
[email protected]:~/hostcwd$ ./morph 34C3_M1GHTY_M0RPh1nG_g0 What are you waiting for, go submit that flag!
I’m sure I’ll have at least an introductory post for this tool, including the above solution. Let me know if you know of any other binaries to point it at for examples, or more practice.
Red Teaming Workshop
I also attended a Red Teaming workshop taught by Mr.Un1k0d3r.
This course covered a few different TTPs, with a big emphasis on phishing and post exploitation. The slides were great, but we did go through them a bit quickly.
I couldn’t get through the entire lab environment, but we ran out of time with everyone trying to get things setup. That said, I still learned a bit, and have a few more ideas for TTPs to blog about soon.
NorthSec 2019 – Conclusion
I know the actual publishing for this post was 4 months late, but I’m still trying to catch up!
That said, this was an awesome conference, and I’m hoping to be able to go back.
Stay on the lookout for at least one post about angr, and a ton about kernel exploitation/HEVD.
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.
This page contains links to products that I may receive compensation from at no additional cost to you. View my Affiliate Disclosure page here. As an Amazon Associate, I earn from qualifying purchases.