{"$schema": "https://c3voc.de/schedule/schema.json", "generator": {"name": "pretalx", "version": "2025.2.2"}, "schedule": {"url": "https://cfp.pass-the-salt.org/pts2022/schedule/", "version": "0.4", "base_url": "https://cfp.pass-the-salt.org", "conference": {"acronym": "pts2022", "title": "PTS2022", "start": "2022-07-04", "end": "2022-07-06", "daysCount": 3, "timeslot_duration": "00:05", "time_zone_name": "Europe/Paris", "colors": {"primary": "#3aa57c"}, "rooms": [{"name": "Amphitheater", "slug": "2-amphitheater", "guid": "14eee11d-70b2-54af-a72a-f237cd8c17b5", "description": "The big room where talks will be given", "capacity": 300}, {"name": "Workshop Room", "slug": "3-workshop-room", "guid": "a0160d6c-3b60-5dd3-8e6e-af8d9c4dd81b", "description": null, "capacity": 30}], "tracks": [{"name": "Pentest", "slug": "1-pentest", "color": "#F111B2"}, {"name": "Secured Communications", "slug": "2-secured-communications", "color": "#3B8937"}, {"name": "OS", "slug": "3-os", "color": "#F6090F"}, {"name": "Network", "slug": "4-network", "color": "#F76B10"}, {"name": "Keynote", "slug": "5-keynote", "color": "#059490"}, {"name": "Hardware", "slug": "6-hardware", "color": "#791185"}, {"name": "Reverse & Binary", "slug": "7-reverse-binary", "color": "#290707"}, {"name": "Blue Teams", "slug": "8-blue-teams", "color": "#4C66F1"}], "days": [{"index": 1, "date": "2022-07-04", "day_start": "2022-07-04T04:00:00+02:00", "day_end": "2022-07-05T03:59:00+02:00", "rooms": {"Amphitheater": [{"guid": "4688cc31-9fa6-5284-be33-ab51723aa098", "code": "KTMCGR", "id": 68, "logo": "https://cfp.pass-the-salt.org/media/pts2022/submissions/KTMCGR/logo_sEcFHeq.png", "date": "2022-07-04T14:15:00+02:00", "start": "14:15", "duration": "00:35", "room": "Amphitheater", "slug": "pts2022-68-mattermost-end-to-end-encryption-plugin", "url": "https://cfp.pass-the-salt.org/pts2022/talk/KTMCGR/", "title": "Mattermost End-to-End Encryption plugin", "subtitle": "", "track": "Secured Communications", "type": "Talk", 
"language": "en", "abstract": "This talk will describe the internals of a Mattermost End-to-End Encryption plugin that has been developed at Quarkslab in 2021.", "description": "This talk will include:\r\n\r\n* the problems we are trying to solve, and the attack models considered\r\n* existing plugins / why make a new one\r\n* the underlying cryptography protocol and various tradeoff\r\n* maybe a small demo :)\r\n\r\nThe plugin is open source here: https://github.com/quarkslab/mattermost-plugin-e2ee . You can also read a blog post about it here: https://blog.quarkslab.com/mattermost-end-to-end-encryption-plugin.html .\r\n\r\nIt's been battle-tested and used (almost) seamlessly in production at Quarkslab since September 2021, within a team of around 100 people.\r\n\r\nSee also: [\ud83c\udfa5 video](https://passthesalt.ubicast.tv/videos/mattermost-end-to-end-encryption-plugin/)", "recording_license": "", "do_not_record": false, "persons": [{"code": "FXNPBJ", "name": "Adrien Guinet", "avatar": null, "biography": "Adrien Guinet is currently CTO at Quarkslab.", "public_name": "Adrien Guinet", "guid": "a625c478-90eb-507c-ac61-7509ee30ad8e", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/FXNPBJ/"}, {"code": "D89YGB", "name": "Ang\u00e8le Bossuat", "avatar": null, "biography": "R&D Engineer at Quarkslab, Cryptographer, Hippie", "public_name": "Ang\u00e8le Bossuat", "guid": "26404561-f92e-502d-b0e4-75c77b6914c9", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/D89YGB/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2022/talk/KTMCGR/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2022/talk/KTMCGR/", "attachments": [{"title": "slides", "url": "/media/pts2022/submissions/KTMCGR/resources/mattemorst_e2ee_slides_2YRAg7V.pdf", "type": "related"}]}, {"guid": "a305ad8d-a5da-5077-a833-1f873e2a8ed7", "code": "LPMHUA", "id": 62, "logo": "https://cfp.pass-the-salt.org/media/pts2022/submissions/LPMHUA/CryptPad_logo_text_cTakG1P.png", "date": 
"2022-07-04T14:50:00+02:00", "start": "14:50", "duration": "00:35", "room": "Amphitheater", "slug": "pts2022-62-cryptpad-a-zero-knowledge-collaboration-platform", "url": "https://cfp.pass-the-salt.org/pts2022/talk/LPMHUA/", "title": "CryptPad : a zero knowledge collaboration platform", "subtitle": "", "track": "Secured Communications", "type": "Talk", "language": "en", "abstract": "Presentation of the CryptPad.fr project, a 100% encrypted collaboration platform.", "description": "Cloud services are increasingly used and your data is increasingly exposed. Even though cloud services \"promise\" to ensure the security of your data, we do not actually control what is put in place to ensure the security of our data and our privacy. Many cloud services use our data to set up advertising-based business models that read our data and pass it on to advertising services. Others are more transparent, but struggle to effectively secure our data.\r\n\r\nYet another approach is possible!\r\n\r\nIn this presentation, we will present the CryptPad project (https://cryptpad.fr) which offers an end-to-end encrypted collaboration solution. CryptPad has been developed for more than 5 years now and is an end-to-end encrypted collaborative suite allowing the editing of multiple format documents in real time. This platform integrates more than 8 types of documents including Office formats with import and export, a kanban, an HTML editor, a Markdown editor, a drawing tool and a survey creation tool, as well as a Drive with shared folders . 
The tool also has a management infrastructure and key sharing between users, all end-to-end encrypted to guarantee the strictest possible data confidentiality.\r\n\r\nSee also: [\ud83c\udfa5 video](https://passthesalt.ubicast.tv/videos/cryptpad-a-zero-knowledge-collaboration-platform/)", "recording_license": "", "do_not_record": false, "persons": [{"code": "PDGVUT", "name": "Ludovic Dubost", "avatar": "https://cfp.pass-the-salt.org/media/avatars/ludo_97C2UVs.jpeg", "biography": "Creator of XWiki and CEO of XWiki SAS. \r\n\r\nXWiki SAS has been developing free software for 15 years. The XWiki software (xwiki.org) allows companies to better organize information. Since 2016, XWiki SAS has also created CryptPad (cryptpad.fr), an end-to-end encrypted real-time document editing software.", "public_name": "Ludovic Dubost", "guid": "8f6b6d34-2c3d-562f-9397-63bddb976d1b", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/PDGVUT/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2022/talk/LPMHUA/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2022/talk/LPMHUA/", "attachments": [{"title": "slides", "url": "/media/pts2022/submissions/LPMHUA/resources/Pass-The-Salt-2022---CryptPad-_-a-zero-knowledge-co_CNr9zq9.pdf", "type": "related"}]}, {"guid": "ae2f0ef0-692c-54d5-afc3-d6bbc60470dd", "code": "3EXX8R", "id": 54, "logo": null, "date": "2022-07-04T15:25:00+02:00", "start": "15:25", "duration": "00:20", "room": "Amphitheater", "slug": "pts2022-54-dataflow-tabular-charts-a-presentation-tool-for-security-architects", "url": "https://cfp.pass-the-salt.org/pts2022/talk/3EXX8R/", "title": "Dataflow tabular charts -- a presentation tool for security architects", "subtitle": "", "track": "Secured Communications", "type": "Short Talk", "language": "en", "abstract": "Security architects commonly have to represent drawings of complex systems to highlight the principles of their security architecture. 
Most drawings in common use are \"seen from above\", and do not allow a clear presentation of the protocol stacks and data processes along a dataflow.\r\n\r\nDataflow tabular charts are a new kind of drawings to show security boundaries crossed by functional dataflows. We will present the importance of those drawings for documenting security architectures, risk assessments, and penetration test results. We will then show a tool that can produce those charts automatically based on a textual description, similar to how `msggen` creates message charts.", "description": "See also: [\ud83c\udfa5 video](https://passthesalt.ubicast.tv/videos/dataflow-tabular-charts-a-presentation-tool-for-security-architects/)", "recording_license": "", "do_not_record": false, "persons": [{"code": "MVHYGV", "name": "Yves R\u00fctschl\u00e9 (Security architect, Airbus Protect)", "avatar": null, "biography": "After studying electronics and computer architecture, Yves spent a decade developing embedded software, first in a small business, then at Airbus. He then moved on to the Airbus A350 design office to work on its security. There, he practiced supplier management, systems engineering, and security requirements for systems with critical, safety-related impacts. 
Since then he has worked on various topics related to security, from governance to formal proofs of security properties, in several industrial domains such as aeronautics, railway and automotive.\r\n\r\nUnsatisfied with the lack of coding in the professional life of a security architect, he finds any excuse he can to develop new tools.", "public_name": "Yves R\u00fctschl\u00e9 (Security architect, Airbus Protect)", "guid": "f4d81231-caee-5714-9079-4ba6d3d6a954", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/MVHYGV/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2022/talk/3EXX8R/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2022/talk/3EXX8R/", "attachments": [{"title": "Dataflow Tabular Charts White paper", "url": "/media/pts2022/submissions/3EXX8R/resources/dataflow_tabular_charts_5x8XWo7.pdf", "type": "related"}, {"title": "slides", "url": "/media/pts2022/submissions/3EXX8R/resources/PTS2022_--_DataFlow_Tabular_Charts_xe9UN3v.pdf", "type": "related"}]}, {"guid": "9da01c2e-7e2f-5630-af3c-4d62c3ad861f", "code": "BGQGZC", "id": 67, "logo": null, "date": "2022-07-04T16:15:00+02:00", "start": "16:15", "duration": "00:20", "room": "Amphitheater", "slug": "pts2022-67-sandboxing-your-application-with-landlock-illustration-with-the-p7zip-case", "url": "https://cfp.pass-the-salt.org/pts2022/talk/BGQGZC/", "title": "Sandboxing your application with Landlock, illustration with the p7zip case", "subtitle": "", "track": "OS", "type": "Short Talk", "language": "en", "abstract": "Landlock is the security sandboxing feature available since Linux 5.13. Its goal is to empower developers by letting them harden their applications. Indeed, it is assumed that with enough skill and time, most software could be compromised. Sandboxing adds a new layer of security to mitigate such attacks.\r\n\r\nThis talk quickly introduces the main Landlock properties, and we then explain how to sandbox your own application. 
We'll use p7zip, a C++ archive manager, as a practical example.", "description": "https://docs.kernel.org/userspace-api/landlock.html\r\n\r\nSee also: [\ud83c\udfa5 video](https://passthesalt.ubicast.tv/videos/sandboxing-your-application-with-landlock-illustration-with-the-p7zip-case/)", "recording_license": "", "do_not_record": false, "persons": [{"code": "NRHYC3", "name": "Micka\u00ebl Sala\u00fcn", "avatar": "https://cfp.pass-the-salt.org/media/avatars/mic_uusst7V.jpg", "biography": "Micka\u00ebl Sala\u00fcn is a security researcher and open source enthusiast. He is mostly interested in Linux-based operating systems, especially from a security point of view. He has built security sandboxes before hacking into the kernel on a new LSM called Landlock, of which he is now the maintainer. He previously worked for the French national cybersecurity agency (ANSSI) on systems hardening. He is currently employed by Microsoft to work on Linux-related security projects.", "public_name": "Micka\u00ebl Sala\u00fcn", "guid": "9c542be7-523d-5b12-8b85-12e03cc6bdd3", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/NRHYC3/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2022/talk/BGQGZC/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2022/talk/BGQGZC/", "attachments": [{"title": "slides", "url": "/media/pts2022/submissions/BGQGZC/resources/2022-07-04_PTS_-_Sandboxing_your_application_with_L_UeUODl0.pdf", "type": "related"}]}, {"guid": "bc15b11a-f7c3-599d-acd1-f4a0bee243e0", "code": "MTLGWL", "id": 61, "logo": null, "date": "2022-07-04T16:35:00+02:00", "start": "16:35", "duration": "00:35", "room": "Amphitheater", "slug": "pts2022-61-building-operating-systems-optimized-for-containers-from-iot-to-desktops-and-servers", "url": "https://cfp.pass-the-salt.org/pts2022/talk/MTLGWL/", "title": "Building operating systems optimized for containers, from IoT to desktops and servers", "subtitle": "", "track": "OS", "type": "Talk", "language": "en", 
"abstract": "Containers on Linux are a powerful abstraction that help isolate applications from one another. They are now available everywhere: to run applications from small IoT devices to large cloud servers, to easily setup development environments and to enable distribution independent packaging with Flatpak on desktops.\r\n\r\nIn this talk we will go over several variants of Fedora that are focused on containers: Fedora IoT, Fedora CoreOS and Fedora Silverblue/Kinoite. We will look at what makes them particularly well suited to host containers and how their design leads to increased security without compromising their usability.", "description": "See also: [\ud83c\udfa5 video](https://passthesalt.ubicast.tv/videos/building-operating-systems-optimized-for-containers-from-iot-to-desktops-and-servers/)", "recording_license": "", "do_not_record": false, "persons": [{"code": "9QJRWR", "name": "Timoth\u00e9e Ravier", "avatar": "https://cfp.pass-the-salt.org/media/avatars/profile_picture_cut2_wsUfNp3.jpg", "biography": "Timoth\u00e9e Ravier is a Linux system and security engineer interested in safe programming languages and container focused operating systems.\r\n\r\nHe is currently working at Red Hat as a CoreOS engineer. 
He also created and maintains Fedora Kinoite, a variant of Fedora Silverblue with the KDE Plasma desktop and is packaging KDE applications in Flatpaks for Flathub and Fedora.", "public_name": "Timoth\u00e9e Ravier", "guid": "d5fe5ad2-486e-5713-a56c-0756ed0000e9", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/9QJRWR/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2022/talk/MTLGWL/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2022/talk/MTLGWL/", "attachments": [{"title": "slides", "url": "/media/pts2022/submissions/MTLGWL/resources/Building_operating_systems_optimized_for_containers_ah68x4L.pdf", "type": "related"}]}], "Workshop Room": [{"guid": "cde1115c-2457-5c9a-a4e9-db30c9632f75", "code": "T8XSUV", "id": 70, "logo": "https://cfp.pass-the-salt.org/media/pts2022/submissions/T8XSUV/frida_WEuEWgt.png", "date": "2022-07-04T14:20:00+02:00", "start": "14:20", "duration": "03:00", "room": "Workshop Room", "slug": "pts2022-70-workshop-fida-reverse-engineering-introduction", "url": "https://cfp.pass-the-salt.org/pts2022/talk/T8XSUV/", "title": "[Workshop] F\u042fIDA Reverse Engineering Introduction", "subtitle": "", "track": "Reverse & Binary", "type": "Workshop", "language": "en", "abstract": "F\u042fIDA (frida.re) is a dynamic instrumentation tool that supports reverse engineering closed-source applications. Learning how to use this tool enables open-source contributors to build interfaces to closed-source or even re-implement protocols for compatibility.", "description": "Organization note: **registration to the workshop will be done directly on-site during the event**. Nothing to do on-line.\r\n\r\nIn this workshop, you will learn how to use F\u042fIDA on real-world targets. The only prerequisite are basic programming skills, you will learn everything else in the workshop. 
Depending on your prior knowledge, we will solve simple crackmes or analyze complex applications and daemons on mobile devices.\r\n\r\n**Prerequisites:** if you can, please bring a laptop and install Android Studio including an Android VM without Google Play Services for preparation (see resources attached below). Optionally, you can also bring other devices that support F\u042fIDA, such as rooted Android phones or jailbroken iPhones. This will save time that you can spend on solving challenges and learning F\u042fIDA instead.\r\n\r\nWhile this workshop is meant for beginners, feel free to join as advanced F\u042fIDA user. F\u042fIDA is a great tool to explore proprietary systems like iOS, there's always something new to learn about.\r\n\r\nMaximum of **15 students**.", "recording_license": "", "do_not_record": false, "persons": [{"code": "JPHUEY", "name": "jiska", "avatar": "https://cfp.pass-the-salt.org/media/avatars/IMG_E2423c_dbIUF5e.JPG", "biography": "Jiska is a security researcher at Secure Mobile Networking Lab, TU Darmstadt.", "public_name": "jiska", "guid": "3c860a18-c404-561d-8273-eb6ccd3237e1", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/JPHUEY/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2022/talk/T8XSUV/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2022/talk/T8XSUV/", "attachments": [{"title": "F\u042fIDA Cheat Sheet", "url": "/media/pts2022/submissions/T8XSUV/resources/cheatsheet_2_k58M8ig.pdf", "type": "related"}, {"title": "01 - Reverse Engineering Introduction: Ghidra and Frida", "url": "/media/pts2022/submissions/T8XSUV/resources/01_frida_ghidra_2qZNToe.pdf", "type": "related"}, {"title": "02 - Android VM Setup", "url": "/media/pts2022/submissions/T8XSUV/resources/02_vm_software_setup_pcdIAPh.pdf", "type": "related"}, {"title": "03 - Solving Java Crackmes with Smali, jadx, and Frida", "url": "/media/pts2022/submissions/T8XSUV/resources/03_frida_jadx_crackme_YhWtPf2.pdf", "type": "related"}, {"title": 
"04 - Syscall Fuzzer + Coverage with Stalker", "url": "/media/pts2022/submissions/T8XSUV/resources/04_frida_fuzzer_s4xgPWa.pdf", "type": "related"}]}]}}, {"index": 2, "date": "2022-07-05", "day_start": "2022-07-05T04:00:00+02:00", "day_end": "2022-07-06T03:59:00+02:00", "rooms": {"Amphitheater": [{"guid": "c4afc919-cb47-5e8e-a5ac-b884fab14419", "code": "XTBQ73", "id": 53, "logo": null, "date": "2022-07-05T09:30:00+02:00", "start": "09:30", "duration": "00:20", "room": "Amphitheater", "slug": "pts2022-53-sslh-an-applicative-level-protocol-multiplexer", "url": "https://cfp.pass-the-salt.org/pts2022/talk/XTBQ73/", "title": "sslh -- an applicative-level protocol multiplexer", "subtitle": "", "track": "Network", "type": "Short Talk", "language": "en", "abstract": "Once upon a time, corporate firewalls started to block port 22. But we could still `ssh` to port 443. `sslh` was originally written to listen to port 443, figure out the protocol between SSH and TLS, and forward it appropriately. 15 years in the making, `sslh` now supports many other protocols, including TLS SNI. We will cover the main functions and configuration of the tool, both for firewall evasion (its original, malicious use), service hiding and SNI frontend (its current, benign use).", "description": "See also: [\ud83c\udfa5 video](https://passthesalt.ubicast.tv/videos/sslh-an-applicative-level-protocol-multiplexer/)", "recording_license": "", "do_not_record": false, "persons": [{"code": "MVHYGV", "name": "Yves R\u00fctschl\u00e9 (Security architect, Airbus Protect)", "avatar": null, "biography": "After studying electronics and computer architecture, Yves spent a decade developing embedded software, first in a small business, then at Airbus. He then moved on to the Airbus A350 design office to work on its security. There, he practiced supplier management, systems engineering, and security requirements for systems with critical, safety-related impacts. 
Since then he has worked on various topics related to security, from governance to formal proofs of security properties, in several industrial domains such as aeronautics, railway and automotive.\r\n\r\nUnsatisfied with the lack of coding in the professional life of a security architect, he finds any excuse he can to develop new tools.", "public_name": "Yves R\u00fctschl\u00e9 (Security architect, Airbus Protect)", "guid": "f4d81231-caee-5714-9079-4ba6d3d6a954", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/MVHYGV/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2022/talk/XTBQ73/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2022/talk/XTBQ73/", "attachments": [{"title": "slides", "url": "/media/pts2022/submissions/XTBQ73/resources/PTS2022_--_sslh_9aP6rPe.pdf", "type": "related"}]}, {"guid": "e79439e4-21f4-5a02-a4cd-54ce30ca4869", "code": "AGLDYH", "id": 50, "logo": null, "date": "2022-07-05T09:50:00+02:00", "start": "09:50", "duration": "00:35", "room": "Amphitheater", "slug": "pts2022-50-write-faster-suricata-signatures-easier-with-suricata-language-server", "url": "https://cfp.pass-the-salt.org/pts2022/talk/AGLDYH/", "title": "Write faster Suricata signatures easier with Suricata Language Server", "subtitle": "", "track": "Network", "type": "Talk", "language": "en", "abstract": "Writing signatures for Suricata and other intrusion detection systems (IDS) is considered by many to be a form of art. One of the main reasons is that the rule writer needs to start by examining a network trace to identify patterns that are representative to a threat/behavior without being too broad (to avoid false positives) or too narrow (to avoid being escaped at the first change of a bit in the attack). But the language used to write signatures is the second reason. It is not really expressive and doesn\u2019t have advanced constructs. As a result signatures require complex writing to do things that could appear simple. 
And there are implicit conventions and structures that must be followed to guarantee correct integration in the detection engine.\r\n\r\nThe open-source Suricata Language Server (SLS) has been developed to solve these problems. SLS is a Language Server Protocol implementation that allows the user to benefit from built-in Suricata diagnostic capabilities when editing rules. SLS provides advanced diagnostics as well as auto-completion. In this talk, you will see how SLS can be used and how to make sense of the error messages and learn about some of the optimizations inside the detection engine. You will also discover what Suricata features are used behind the scene to make this possible.", "description": "See also: [\ud83c\udfa5 video](https://passthesalt.ubicast.tv/videos/write-faster-suricata-signatures-easier-with-suricata-language-server/)", "recording_license": "", "do_not_record": false, "persons": [{"code": "KLRNEJ", "name": "\u00c9ric Leblond", "avatar": "https://cfp.pass-the-salt.org/media/avatars/Stamus_Eric_small_W2BJKAY.jpeg", "biography": "\u00c9ric Leblond is the Co-Founder and Chief Technology Officer (CTO) of Stamus Networks and a member of the executive team at Open Network Security Foundation (OISF). Leblond has more than 15 years of experience as co-founder and technologist of cybersecurity software companies and is an active member of the security and open source communities. He has worked on the development of Suricata, the open source network threat detection engine, since 2009 and is part of the Netfilter Core team who is in charge of the Linux kernel's firewall layer. E. 
Leblond is a well-respected expert and speaker on all things network security.", "public_name": "\u00c9ric Leblond", "guid": "a2fc1a01-ec14-5b94-8e43-a8b74250f3d3", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/KLRNEJ/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2022/talk/AGLDYH/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2022/talk/AGLDYH/", "attachments": [{"title": "slides", "url": "/media/pts2022/submissions/AGLDYH/resources/PTS2022-Talk-07-Write-faster-Suricata-signatures-ea_PCfmdRx.pdf", "type": "related"}]}, {"guid": "167cc0cc-8892-58df-8362-d9e796fabe5b", "code": "NAZGWD", "id": 59, "logo": null, "date": "2022-07-05T10:25:00+02:00", "start": "10:25", "duration": "00:20", "room": "Amphitheater", "slug": "pts2022-59-building-on-top-of-scapy-what-could-possibly-go-wrong", "url": "https://cfp.pass-the-salt.org/pts2022/talk/NAZGWD/", "title": "Building on top of Scapy: what could possibly go wrong?", "subtitle": "", "track": "Network", "type": "Short Talk", "language": "en", "abstract": "A while ago, we decided to use Scapy's packet manipulation capabilities as a basis for our own industrial network protocols' attack framework in Python. At first, it seemed like the best idea ever: there is nothing better than Scapy for handling network protocols. But it was not as easy as we thought it would be, because of the gap between our own specifications and Scapy internals. We wanted users of our framework be able to manipulate valid and invalid packets, as a set of separate type-independent fields. But this is not how Scapy works, so we had to find workarounds. We ended up wrapping Scapy packets inside our own packet objects, using Python tricks and weird adaptations to translate from our framework's syntax to Scapy's mode of operation. And it works fine (as long as we don't touch anything). 
This is the story of our struggle to make both our tool and Scapy match and what we learned along the way.", "description": "See also: [\ud83c\udfa5 video](https://passthesalt.ubicast.tv/videos/building-on-top-of-scapy-what-could-possibly-go-wrong/)", "recording_license": "", "do_not_record": false, "persons": [{"code": "FMASCV", "name": "Claire Vacherot", "avatar": "https://cfp.pass-the-salt.org/media/avatars/pandaroux_N9Qp14v.jpg", "biography": "Claire\u202fVacherot\u202fis a senior\u202fpentester\u202fat Orange\u202fCyberdefense. She likes to test systems and devices that interact with the real world and is particularly interested in industrial and embedded device cybersecurity. As a former software developer, she never misses a chance to write scripts and tools.", "public_name": "Claire Vacherot", "guid": "854755ce-4c13-5d30-8af6-7193bb2479fc", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/FMASCV/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2022/talk/NAZGWD/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2022/talk/NAZGWD/", "attachments": [{"title": "slides", "url": "/media/pts2022/submissions/NAZGWD/resources/PTS2022-Talk-08-Building-on-top-of-Scapy_3sjcbWo.pdf", "type": "related"}]}, {"guid": "23cbecba-fd6c-555c-9d2d-edffc50634ad", "code": "ZFF89E", "id": 64, "logo": null, "date": "2022-07-05T11:15:00+02:00", "start": "11:15", "duration": "00:35", "room": "Amphitheater", "slug": "pts2022-64-use-of-machine-and-deep-learning-on-rf-signals", "url": "https://cfp.pass-the-salt.org/pts2022/talk/ZFF89E/", "title": "Use of Machine and Deep Learning on RF Signals", "subtitle": "", "track": "Hardware", "type": "Talk", "language": "en", "abstract": "An RF Signal is an element that a human cannot see nor hear, but could be measured with many means today. 
In particular, Software-Defined Radio allows even people with a low budget to observe radio frequencies in real time, and so lets them capture different types of communications: AM/FM, Mobile & LPWAN communications, etc. There are many ways to classify all the technologies depending on the used frequency, used bandwidth, duty cycle, and patterns, but it is sometimes hard and/or time-consuming to recognize these technologies.\r\nTo resolve these types of challenges, we thought about using Machine & Deep Learning tools to optimize our classification, and we wanted to share with you our successes, mistakes, and other feedback. In addition to proper classification, RF emanations are also permanent in the air, and we will see that the same techniques can be applied to match harmonics, and to side-channel attacks as well.", "description": "In this presentation, we will go through the steps of observing a signal, capturing it, discussing the challenges of classifying the signal, and showing techniques for using ML & DL, from making a model to using algorithms and available functions. \r\n\r\nThis will be an opportunity to talk about our infrastructure, today's results, failures, and future improvements.\r\n\r\nSee also: [\ud83c\udfa5 video](https://passthesalt.ubicast.tv/videos/use-of-machine-and-deep-learning-on-rf-signals/)", "recording_license": "", "do_not_record": false, "persons": [{"code": "EPHKZY", "name": "S\u00e9bastien Dudek", "avatar": "https://cfp.pass-the-salt.org/media/avatars/sebastien_dudek_Igzg5ph.jpg", "biography": "S\u00e9bastien Dudek is a security researcher at Trend Micro and is also the founder of the PentHertz consulting company specialized in wireless and hardware security. 
He has been particularly passionate about flaws in radio-communication systems and published research on mobile security (baseband fuzzing, interception, mapping, etc.), and on data, transmission using the power-line (Power-Line Communication, HomePlug AV) like domestic PLC plugs, as well as electric cars and charging stations. He also focuses on practical attacks with various technologies such as Wi-Fi, RFID, and other systems that involve wireless communications.", "public_name": "S\u00e9bastien Dudek", "guid": "7953cfe2-8c05-5593-8a35-609d89cc8cbb", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/EPHKZY/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2022/talk/ZFF89E/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2022/talk/ZFF89E/", "attachments": [{"title": "Slides of the talk", "url": "/media/pts2022/submissions/ZFF89E/resources/RF_signal_Hunting-w-MLDL-Sebastien_Dudek_s0SWxAf.pdf", "type": "related"}]}, {"guid": "5bd64bd9-5c37-5ecc-8d7c-f1d5f13f70bd", "code": "LXHHPG", "id": 57, "logo": "https://cfp.pass-the-salt.org/media/pts2022/submissions/LXHHPG/why-follow-ethics_JZT8w1S.jpg", "date": "2022-07-05T11:50:00+02:00", "start": "11:50", "duration": "00:35", "room": "Amphitheater", "slug": "pts2022-57-ethics-in-cyberwar-times", "url": "https://cfp.pass-the-salt.org/pts2022/talk/LXHHPG/", "title": "Ethics in cyberwar times", "subtitle": "", "track": "Keynote", "type": "Talk", "language": "en", "abstract": "Despite not getting a lot of attention, questions of ethics and morality are everywhere in the cybersecurity field. As our community concentrates more and more political power through the giant technology companies ruling the digital realm, a discussion on acceptable practices is needed more than ever.\r\nIn this talk, I want to bring forward new security dilemmas that have surfaced in the recent years and that practitioners face every day. 
My hope is to foster a much-needed reflection about our role in the cybersecurity world, especially as it is being transformed by its first military conflict ever.", "description": "The aim is not to be patronizing and distribute brownie points, or shame people or companies that are not behaving ethically (well, maybe NSO). Instead, I would like to use these 20 minutes to recognize the very real and complex problems that we face, mostly in isolation. The list below contains a few of the topics I intend to address:\r\n- The morality of open-source security software\r\n- Threat intelligence's function as an *intelligence* broker\r\n- Is it possible to remain neutral in a cyber-war?\r\n- The morality of cyberattacks in the context of the war in Ukraine\r\n\r\nSee also: [\ud83c\udfa5 video](https://passthesalt.ubicast.tv/videos/ethics-in-cyberwar-times/)", "recording_license": "", "do_not_record": false, "persons": [{"code": "BNDFWU", "name": "Ivan Kwiatkowski", "avatar": null, "biography": "Ivan Kwiatkowski is an OSCP and OSCE-certified penetration tester and malware analyst who has been working as a Senior Security Researcher in the Global Research & Analysis Team at Kaspersky since 2018. He maintains an open-source dissection tool for Windows executables and his research has been presented during several cybersecurity conferences. As a digital privacy activist, he operates an exit node of the Tor network. 
Kwiatkowski also delivers Kaspersky\u2019s reverse-engineering training in Europe.", "public_name": "Ivan Kwiatkowski", "guid": "d3296c77-838a-5f20-9715-d4839a766291", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/BNDFWU/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2022/talk/LXHHPG/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2022/talk/LXHHPG/", "attachments": [{"title": "slides", "url": "/media/pts2022/submissions/LXHHPG/resources/ivan_pts_slides_9YY1Syf.pdf", "type": "related"}]}, {"guid": "1552b5c8-38ce-515b-92b9-d0e3749f6e9c", "code": "JPRTLR", "id": 35, "logo": null, "date": "2022-07-05T14:00:00+02:00", "start": "14:00", "duration": "00:35", "room": "Amphitheater", "slug": "pts2022-35-abusing-archive-based-file-formats", "url": "https://cfp.pass-the-salt.org/pts2022/talk/JPRTLR/", "title": "Abusing archive-based file formats", "subtitle": "", "track": "Reverse & Binary", "type": "Talk", "language": "en", "abstract": "If a format structure isn't vulnerable, can that change once wrapped in an archive ?", "description": "File formats abuses depend on specific structure characteristics, which makes some file formats not vulnerable. 
It's however quite common to wrap some formats in specific archive formats.\r\nCombining a format structure with an archive structure may change the outcome, making the result vulnerable by exploiting outside of the box.\r\n\r\nSee also: [\ud83c\udfa5 video](https://passthesalt.ubicast.tv/videos/abusing-archive-based-file-formats/)", "recording_license": "", "do_not_record": false, "persons": [{"code": "D9PG33", "name": "Ange Albertini", "avatar": null, "biography": "Reverse engineer passionate for file formats.\r\nCurrently infosec engineer at Google.", "public_name": "Ange Albertini", "guid": "819d6c8e-5ad8-55f1-ab9a-b16e7ba3ec4e", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/D9PG33/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2022/talk/JPRTLR/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2022/talk/JPRTLR/", "attachments": [{"title": "slides", "url": "/media/pts2022/submissions/JPRTLR/resources/PTS2022-Talk-11-Inside_out__Abusing_archive_file_fo_WxrDxEX.pdf", "type": "related"}]}, {"guid": "7cf5a731-114d-5f0e-a351-c4a807d2c3ae", "code": "VXNE8H", "id": 66, "logo": null, "date": "2022-07-05T14:35:00+02:00", "start": "14:35", "duration": "00:35", "room": "Amphitheater", "slug": "pts2022-66-binbloom-reloaded", "url": "https://cfp.pass-the-salt.org/pts2022/talk/VXNE8H/", "title": "Binbloom reloaded", "subtitle": "", "track": "Reverse & Binary", "type": "Talk", "language": "en", "abstract": "Reverse-engineering hardware devices usually requires extracting data from\r\nmemory, be it from an internal Flash of a SoC, an external NAND or SPI\r\nflash chip. 
Extracting memory content is part of the job, but once done we still\r\nneed to analyze it and face the inevitable truth : we may be in front of an\r\nunknown memory dump or just have no idea of how information is stored in it,\r\nor even how it is loaded into the SoC or MCU memory.\r\nIn this talk we will introduce Binbloom version 2, a tool able to identify the base address of any firmware code and also some specific structures such as UDS databases (often encountered in ECUs), no matter what the architecture (32 or 64 bits).", "description": "Detailed outline\r\n============\r\n\r\nI. Introduction (5 minutes)\r\n---------------------------\r\n\r\nI.1. Quick introduction and demo of the tool\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\nI will start the talk by introducing the main reason why this new version of Binbloom has been developed and will show it live on various firmwares (on 32-bit and 64-bit firmwares). I will also insist on the fact this tool implements a new method that will be detailed in this talk, and that other tools exist too.\r\n\r\nI.3. How existing tools work\r\n~~~~~~~~~~~~~~~~~~~~~\r\n\r\nI then talk about how I came to improve Binbloom, the fact that other tools do exist that are able to guess a firmware base address (like *rbasefind* for instance), and I will detail their internals (basically, they try every possible base address and compute a score based on some heuristics).\r\n\r\n\r\nI.4. Actual limitations (64-bit architecture)\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nI will then talk about the actual limitations of these existing tools, the lack of support for 64-bit architecture.\r\n\r\nII. Bruteforce vs. Inference (7 minutes)\r\n----------------------------------------\r\n\r\nIn this part of the talk, I will detail the algorithm implemented in Binbloom v2, which does not rely on bruteforce but try to infer the base address based on data found in the firmware.\r\n\r\nII.1. 
Entropy\r\n~~~~~~~~~\r\n\r\nI present the first interesting metric other tools are lacking: entropy. Firmware entropy can be useful to tell code and data apart, based on thresholds that have to be determined.\r\n\r\n\r\nII.2. Introducing Binbloom v2 internals\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\nIt is time to go into the details with a focus on the inference mechanism implemented in Binbloom v2. This mechanism allows Binbloom to deduce a set of potential base address rather than bruteforcing any possible values, that is more efficient on 64-bit architecture firmware files but also backward-compatible with 32-bit architectures.\r\n\r\nII.3. Implementation constraints (memory usage, performances and firmware file size)\r\n\r\nI will then talk about some technical constraints I faced during the development of Binbloom, especially memory usage issues or how I had to deal with a huge number of candidate addresses. I will also talk about performances issues and code optimization.\r\n\r\nII.4. 32-bit and 64-bit architectures support\r\n\r\nAgain, I will insist in this part of the talk on the fact that this method is generic and may be used for 32-bit and 64-bit based firmware files, with the same efficiency. \r\n\r\nIII. Binbloom v2 (3 minutes)\r\n----------------------------\r\n\r\nIII.1. Comparison between Binbloom v2, rbasefind and Binbloom v1\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nI will present in this section the result of a comparative analysis performed on Binbloom v1 and v2 and rbasefind, aiming at evaluating the efficiency of these three toos on a set of firmware files gathered on Internet (thanks Twitter !) and internally at Quarkslab. \r\n\r\nIII.2. Improvements\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\nI will then present some improvements (in our todo list) for Binbloom v2, and what they may bring to the tool. It is also a good time to ask the audience to contribute to this project ! 
I will give the repository URL and invite attendees to give it a try (and report issues as well) =)\r\n\r\nSee also: [\ud83c\udfa5 video](https://passthesalt.ubicast.tv/videos/binbloom-reloaded/)", "recording_license": "", "do_not_record": false, "persons": [{"code": "TNZWVD", "name": "Damien Cauquil (R&D Engineer at Quarkslab)", "avatar": null, "biography": "Damien Cauquil is a Security Researcher at Quarkslab who loves reverse-engineering hardware devices, firmwares and protocols.", "public_name": "Damien Cauquil (R&D Engineer at Quarkslab)", "guid": "b50d3796-ed38-53cf-b380-b977f71804b2", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/TNZWVD/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2022/talk/VXNE8H/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2022/talk/VXNE8H/", "attachments": [{"title": "slides", "url": "/media/pts2022/submissions/VXNE8H/resources/pts2022_damien-cauquil_binbloom-reloaded_2DjCYfa.pdf", "type": "related"}]}, {"guid": "26f78edc-51e5-5bb9-bce7-95602ce95b3a", "code": "HSBGXM", "id": 56, "logo": null, "date": "2022-07-05T15:40:00+02:00", "start": "15:40", "duration": "00:35", "room": "Amphitheater", "slug": "pts2022-56-gnu-poke-the-extensible-editor-for-structured-binary-data", "url": "https://cfp.pass-the-salt.org/pts2022/talk/HSBGXM/", "title": "GNU poke, the extensible editor for structured binary data", "subtitle": "", "track": "Reverse & Binary", "type": "Talk", "language": "en", "abstract": "GNU poke is an interactive editor for binary data. Not limited to editing basic entities such as bits and bytes, it provides a full-fledged procedural, interactive programming language designed to describe data structures and to operate on them. 
Once a user has defined a structure for binary data (usually matching some file format) she can search, inspect, create, shuffle and modify abstract entities such as ELF relocations, MP3 tags, DWARF expressions, partition table entries, and so on, with primitives resembling simple editing of bits and bytes. The program comes with a library of already written descriptions (or \"pickles\" in poke parlance) for many binary formats.", "description": "See also: [\ud83c\udfa5 video](https://passthesalt.ubicast.tv/videos/gnu-poke-the-extensible-editor-for-structured-binary-data/)", "recording_license": "", "do_not_record": false, "persons": [{"code": "3W3KMZ", "name": "Jose E. Marchesi", "avatar": "https://cfp.pass-the-salt.org/media/avatars/jemarch-t_z3qvxBy.png", "biography": "Jose E. Marchesi is a GNU hacker and maintainer. Currently employed by Oracle as the Tech Lead of their Toolchain/Compilers team.", "public_name": "Jose E. Marchesi", "guid": "9ef127be-d49d-5ed1-ad7d-9950047c5558", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/3W3KMZ/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2022/talk/HSBGXM/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2022/talk/HSBGXM/", "attachments": [{"title": "Slides", "url": "/media/pts2022/submissions/HSBGXM/resources/poke_acyJfBE.pdf", "type": "related"}]}, {"guid": "0c3bb649-a093-5dd5-9669-d6df851484bf", "code": "RJCGBC", "id": 52, "logo": "https://cfp.pass-the-salt.org/media/pts2022/submissions/RJCGBC/featured_FbDh2BN.png", "date": "2022-07-05T16:15:00+02:00", "start": "16:15", "duration": "00:35", "room": "Amphitheater", "slug": "pts2022-52-the-poor-man-s-obfuscator", "url": "https://cfp.pass-the-salt.org/pts2022/talk/RJCGBC/", "title": "The Poor Man's Obfuscator", "subtitle": "", "track": "Reverse & Binary", "type": "Talk", "language": "en", "abstract": "The purpose of this lightning talk is to present executable files formats tricks (ELF and Mach-O)\r\nto prevent static analysis tools 
(like IDA, BinaryNinja, ...) from working correctly.\r\n\r\nWhile these tricks do not break the execution of the original binary, when they are opened in IDA, BinaryNinja and, Radare2\r\nthe code looks obfuscated while only the file format is modified (not the instructions)\r\n\r\nThese modifications are leveraged by LIEF and the scripts will be published at the end\r\nof the conference with an associated blog post.", "description": "See also: [\ud83c\udfa5 video](https://passthesalt.ubicast.tv/videos/the-poor-mans-obfuscator/)", "recording_license": "", "do_not_record": false, "persons": [{"code": "3CPJ3Y", "name": "Romain Thomas", "avatar": "https://cfp.pass-the-salt.org/media/avatars/picture_OYH59kO.jpg", "biography": "Romain Thomas is a security engineer working on mobile applications and obfuscated code. \r\n\r\nAuthor of LIEF, a library to parse and manipulate executable file formats (ELF, PE, Mach-O), \r\nhe enjoys going back and forth between reverse engineering and tool development to see which part of the process can be automated.\r\n\r\nRomain is also interested in iOS, whitebox cryptography and reverse engineering app protocols. 
\r\nHe contributed in the past to the Triton project, especially on de-obfuscation based on symbolic execution.", "public_name": "Romain Thomas", "guid": "7cb07139-b888-5555-b724-d3d13fb6e1ef", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/3CPJ3Y/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2022/talk/RJCGBC/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2022/talk/RJCGBC/", "attachments": [{"title": "slides", "url": "/media/pts2022/submissions/RJCGBC/resources/PTS2022-Talk-14-The-Poor-Man-s-Obfuscator_APMnn3I.pdf", "type": "related"}, {"title": "whitepaper", "url": "/media/pts2022/submissions/RJCGBC/resources/PTS2022-Talk-14-The-Poor-Man-s-Obfuscator-WHITEPAPE_2rWoxDn.pdf", "type": "related"}]}], "Workshop Room": [{"guid": "6644c3dd-d762-5194-bdca-87d346b26f7e", "code": "EWYSJ7", "id": 58, "logo": null, "date": "2022-07-05T09:30:00+02:00", "start": "09:30", "duration": "03:00", "room": "Workshop Room", "slug": "pts2022-58-workshop-malware-analysis-with-ghidra-x64dbg", "url": "https://cfp.pass-the-salt.org/pts2022/talk/EWYSJ7/", "title": "[Workshop] Malware analysis with Ghidra & x64dbg", "subtitle": "", "track": "Reverse & Binary", "type": "Workshop", "language": "en", "abstract": "This workshop is designed to the beginner who want to discover the malware analysis and the reverse engineering.", "description": "Organization note: **registration to the workshop will be done directly on-site during the event**. Nothing to do on-line.\r\n\r\nWe will start by explaining the x86 assembly language. Once we have discovered the basic instructions, we will directly reverser our first malware: a ransomware. We will work statically with Ghidra and dynamically with x32dbg two open-source software. The purpose will be to be acquainted with the tools and reply to a couple of questions: what is the encryption algorithm? Can I restore the encrypted file? 
Where is stored the ransom note?\r\n\r\n**Prerequisites:** for the attendees who would like to work dynamically, a virtual machine running Windows must be configured before the workshop. The free Windows virtual machines provided by Microsoft works perfectly for this workshop: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/\r\n\r\nMaximum of **10 participants**.", "recording_license": "", "do_not_record": false, "persons": [{"code": "LQDQBN", "name": "Paul Rascagn\u00e8res", "avatar": null, "biography": "Paul Rascagneres is a threat researcher within Volexity. As a researcher, he performs investigations to identify new threats and presents his findings as publications and at international security conferences throughout the world. He has been involved in security research for ten years, mainly focusing on malware analysis, malware hunting and more specially on advanced persistent threat (APT) campaigns and rootkit capabilities. He previously worked for several incident response teams within the private and public sectors.", "public_name": "Paul Rascagn\u00e8res", "guid": "c6be116b-009b-5d50-ab01-345ab8fcb1d0", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/LQDQBN/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2022/talk/EWYSJ7/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2022/talk/EWYSJ7/", "attachments": []}, {"guid": "e583429e-d943-571e-ac8e-1d8eac8ba912", "code": "SJJZDE", "id": 47, "logo": "https://cfp.pass-the-salt.org/media/pts2022/submissions/SJJZDE/logo_NfnTtbY.png", "date": "2022-07-05T14:00:00+02:00", "start": "14:00", "duration": "03:00", "room": "Workshop Room", "slug": "pts2022-47-workshop-mi-lxc-mini-internet-testbed-for-network-security-training-and-security-tools-demonstration", "url": "https://cfp.pass-the-salt.org/pts2022/talk/SJJZDE/", "title": "[Workshop] MI-LXC (Mini-Internet testbed) for network security training and security tools demonstration", "subtitle": "", "track": "Network", 
"type": "Workshop", "language": "en", "abstract": "MI-LXC is a platform to simulate an internet-like environment (BGP routing, DNS hierarchy, several organizations, pre-configured services such as mail with graphical clients, ...), currently composed of 28 hosts distributed in 10 AS. It can be used for network security training and can also serve as a substrate to deploy and demonstrate network security tools. It is based on LXC using the infrastructure-as-code principle and runs as a VM on a standard laptop.", "description": "Organization note: **registration to the workshop will be done directly on-site during the event**. Nothing to do on-line.\r\n\r\nDuring this workshop, we will explore the MI-LXC platform. First, we will see how to use it to illustrate MitM attacks such as BGP or DNS attacks, to deploy a global ACME Certification Authority (Smallstep), to simulate a phishing and intrusion scenario (reverse-shell, nmap, ...) or to deploy IDS sensors (Suricata, OSSEC, Prelude SIEM). Second, we will study how to extend this skeleton architecture to deploy, demonstrate and train in other network security tools by adding new hosts or AS or modifying existing ones.\r\n\r\nMI-LXC is available at https://github.com/flesueur/mi-lxc/ and this workshop will be more-or-less based on the tutorial : https://github.com/flesueur/mi-lxc/blob/master/doc/TUTORIAL.md\r\n\r\n**Prerequisites for this workshop**\r\n\r\nThe workshop will run on a pre-configured Virtual Machine of MI-LXC v1.4.2. 
Attendees thus need :\r\n\r\n* A personal laptop with 4GB of RAM (8GB recommended) and 10GB of free hard-drive space (15GB recommended)\r\n* VirtualBox or VMWare Player\r\n* Having downloaded and imported the VM archive (2.5GB, v1.4.2) : https://flesueur.irisa.fr/mi-lxc/images/milxc-debian-amd64-1.4.2.ova\r\n\r\nMaximum of **15 participants**.", "recording_license": "", "do_not_record": false, "persons": [{"code": "NJVADP", "name": "Fran\u00e7ois Lesueur", "avatar": "https://cfp.pass-the-salt.org/media/avatars/FLE_DLXLV9y.jpg", "biography": "Fran\u00e7ois Lesueur is an Associate Professor at Universit\u00e9 Bretagne Sud (Vannes, France) where he teaches network and digital security. He is particularly interested in security of distributed/federated systems and fights for an empowering security rather than an enslaving one.", "public_name": "Fran\u00e7ois Lesueur", "guid": "857b1473-0bf4-5c09-bc48-fe583bbbbc19", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/NJVADP/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2022/talk/SJJZDE/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2022/talk/SJJZDE/", "attachments": [{"title": "slides", "url": "/media/pts2022/submissions/SJJZDE/resources/PTS22_milxc_o4afCEo.pdf", "type": "related"}]}]}}, {"index": 3, "date": "2022-07-06", "day_start": "2022-07-06T04:00:00+02:00", "day_end": "2022-07-07T03:59:00+02:00", "rooms": {"Amphitheater": [{"guid": "1319fca5-b60a-5d86-8293-6a5aa7cd26db", "code": "ER89BJ", "id": 45, "logo": null, "date": "2022-07-06T10:00:00+02:00", "start": "10:00", "duration": "00:35", "room": "Amphitheater", "slug": "pts2022-45-sudo-logs-for-blue-teamers", "url": "https://cfp.pass-the-salt.org/pts2022/talk/ER89BJ/", "title": "Sudo logs for Blue Teamers", "subtitle": "", "track": "Blue Teams", "type": "Talk", "language": "en", "abstract": "Using sudo, you can control and log administrative access to your hosts. 
Recent sudo versions allow you to send log messages in JSON format, while the latest sudo features also allow you to watch and control previously blind spots.", "description": "What does this mean for your Blue Team? You have more control in defining both the people who can access your system, and the actions they can perform in it. The resulting log messages contain a lot more information in an easy to process format. This way you do not just collect more logs, but it becomes easier to detect and react to important sudo events.\r\n\r\nFrom my talk, you can learn about JSON-formatted logging in sudo and how to work with those logs in syslog-ng. I will introduce you to some of the latest sudo features, like chroot and cwd support, and logging and intercepting sub-commands. I will also show you how to work with these logs within syslog-ng: for example, how to parse JSON-formatted log messages and working with name-value pairs to create alerts on critical sudo events.\r\n\r\nSee also: [\ud83c\udfa5 video](https://passthesalt.ubicast.tv/videos/sudo-logs-for-blue-teamers/)", "recording_license": "", "do_not_record": false, "persons": [{"code": "RRBVLJ", "name": "Peter Czanik, One Identity", "avatar": "https://cfp.pass-the-salt.org/media/avatars/czp_uj_balabit_crop_36wP6Rd.jpg", "biography": "Peter is an engineer working as open source evangelist at Balabit (a One Identity business), the company that developed syslog-ng. He assists distributions to maintain the syslog-ng package, follows bug trackers, helps users and talks regularly about sudo and syslog-ng at conferences (SCALE, All Things Open, FOSDEM, LOADays, and others). In his limited free time he is interested in non-x86 architectures, and works on one of his PPC or ARM machines.Note to recruiters to save time for both of us: even with 20+ years of Linux & FreeBSD sysadmin/engineer/architect/whatever experience I am NOT looking for my next sysadmin job. 
Peter is an engineer working as open source evangelist at Balabit (a One Identity business), the company that developed syslog-ng. He assists distributions to maintain the syslog-ng package, follows bug trackers, helps users and talks regularly about sudo and syslog-ng at conferences (SCALE, All Things Open, FOSDEM, LOADays, and others). In his limited free time he is interested in non-x86 architectures, and works on one of his PPC or ARM machines.", "public_name": "Peter Czanik, One Identity", "guid": "4ebe43d9-92da-56e9-b538-7535b68c3101", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/RRBVLJ/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2022/talk/ER89BJ/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2022/talk/ER89BJ/", "attachments": [{"title": "Slides", "url": "/media/pts2022/submissions/ER89BJ/resources/czp_pts2022_sudo_v2_tKdIU1f.pdf", "type": "related"}]}, {"guid": "55caabfe-d499-5ca1-850f-518f851fce42", "code": "9TPFEL", "id": 46, "logo": "https://cfp.pass-the-salt.org/media/pts2022/submissions/9TPFEL/95911680_B4NoVer.png", "date": "2022-07-06T10:35:00+02:00", "start": "10:35", "duration": "00:20", "room": "Amphitheater", "slug": "pts2022-46-dfir-iris-collaborative-incident-response-platform", "url": "https://cfp.pass-the-salt.org/pts2022/talk/9TPFEL/", "title": "DFIR-IRIS - collaborative incident response platform", "subtitle": "", "track": "Blue Teams", "type": "Short Talk", "language": "en", "abstract": "DFIR-IRIS is a collaborative incident response platform recently published in open-source. It provides operational and efficient features to respond to IR challenges. Information sharing, real-time collaboration, timeline creation, forensic evidence ingestion, task logging, daily reports for customers... These are all necessary steps in an investigation that need to be simplified in order to reduce analysts' workload. 
From this statement was born DFIR-IRIS.", "description": "See also: [\ud83c\udfa5 video](https://passthesalt.ubicast.tv/videos/dfir-iris-collaborative-incident-response-platform/)", "recording_license": "", "do_not_record": false, "persons": [{"code": "GFYTKE", "name": "Th\u00e9o Letailleur", "avatar": null, "biography": "Th\u00e9o Letailleur is an incident response analyst. He worked at Airbus Cybersecurity CSIRT for 4 years where DFIR-IRIS was born and will join the incident response team at Synacktiv. Th\u00e9o is interested in software reverse-engineering and malware analysis.", "public_name": "Th\u00e9o Letailleur", "guid": "3250fa21-2e09-53af-a8f6-35418aef5585", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/GFYTKE/"}, {"code": "DJCXYK", "name": "Paul Amicelli", "avatar": null, "biography": "Incident responder", "public_name": "Paul Amicelli", "guid": "9d3b1bb2-a189-5e79-88ec-108a6ed15f33", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/DJCXYK/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2022/talk/9TPFEL/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2022/talk/9TPFEL/", "attachments": [{"title": "slides", "url": "/media/pts2022/submissions/9TPFEL/resources/PTS2022-Talk-16-DFIR-IRIS_IRiGFZW.pdf", "type": "related"}]}, {"guid": "b9042f2b-ddd8-5d76-bc6e-794356ce9943", "code": "DQPJCB", "id": 51, "logo": null, "date": "2022-07-06T11:25:00+02:00", "start": "11:25", "duration": "00:20", "room": "Amphitheater", "slug": "pts2022-51-tapir-trustable-artifact-parser-for-incident-response", "url": "https://cfp.pass-the-salt.org/pts2022/talk/DQPJCB/", "title": "TAPIR : Trustable Artifact Parser for Incident Response", "subtitle": "", "track": "Blue Teams", "type": "Short Talk", "language": "en", "abstract": "This talk will present two new open-source incident response tools and a new rust library dedicated to Incident Response.\r\nbin2json a tool to extract metadata from multiple file formats to json and TapIR a 
collaborative server for incident response accessible through a REST API, a web ui, and python command line tools.", "description": "This talk is about two new incident response tools: TapIr and bin2json, and the Tap rust library they are based on. \r\n\r\nThose two tools are based on the TAP (Trustable Artifact Parser) rust library, which comes with different plugins to parse specific artefacts (NTFS, MTF, registry, evtx, prefetch, ...),\r\nand includes a search engine that lets you create complex queries. \r\n\r\n- bin2json can take different kinds of input, such as a disk image, a partition, or a collection of artifacts, and automatically generate a json file containing metadata extracted from those inputs.\r\nIt can also generate the json file as a timeline. The generated file can then be analyzed via tools like jq or sent to elastic search or splunk for further analysis. \r\n\r\n- TapIR is a service that can ingest the same kind of file as bin2json, then lets you access extracted data and metadata through a rest API. 
\r\nYou can install it and make it accessible on a local network, a remote host or  on the cloud, thus leveraging remote collaborative analysis.\r\n\r\nTapIR come with web UI and a python client as command lines tools that lets you automate your IR task via scripting.\r\n\r\n- The two aforementioned tools take advantage of the TAP library, written in RUST that make parsing secure and fast by leveraging heavy multithreading \r\n\r\nDuring the presentation we will go through the architecture of the TAP library, when and how to use TapIR and bin2json,  and finally we will make a demonstration of the different tools.\r\n\r\nSee also: [\ud83c\udfa5 video](https://passthesalt.ubicast.tv/videos/tapir-trustable-artifact-parser-for-incident-response/)", "recording_license": "", "do_not_record": false, "persons": [{"code": "393PQW", "name": "Solal Jacob", "avatar": null, "biography": "Solal Jacob is an incident responder but also a contributor and developer of open source tools. He is the creator of DFF (Digital Forensics Framework),  and other tools related to forensics and memory analysis.", "public_name": "Solal Jacob", "guid": "8b547002-af40-57a7-a095-4612db6e9bcf", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/393PQW/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2022/talk/DQPJCB/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2022/talk/DQPJCB/", "attachments": [{"title": "Slides", "url": "/media/pts2022/submissions/DQPJCB/resources/tapir-pts2022_RNN2loo.pdf", "type": "related"}]}, {"guid": "0103aa50-db8f-55d6-89e2-73cb709b7a81", "code": "8NDEN8", "id": 44, "logo": null, "date": "2022-07-06T11:45:00+02:00", "start": "11:45", "duration": "00:35", "room": "Amphitheater", "slug": "pts2022-44-improve-your-malware-recipes-with-cyberchef", "url": "https://cfp.pass-the-salt.org/pts2022/talk/8NDEN8/", "title": "Improve your Malware Recipes with Cyberchef", "subtitle": "", "track": "Blue Teams", "type": "Talk", "language": "en", 
"abstract": "Cyberchef is an awesome tool developed by GCIH (the UK Intelligence Services). Easy to deploy and maintain, it offers a complete toolbox to manipulate data. This talk will briefly introduce the core features of Cyberchef and, on a second part, we will discuss how to speed up the analysis of data in the context of malware analysis (decoding C2 traffic, decoding configuration files and many more examples)", "description": "See also: [\ud83c\udfa5 video](https://passthesalt.ubicast.tv/videos/improve-your-malware-recipes-with-cyberchef/)", "recording_license": "", "do_not_record": false, "persons": [{"code": "RU9UTJ", "name": "Xavier Mertens", "avatar": "https://cfp.pass-the-salt.org/media/avatars/Photo_Xavier_800_Bl1BSrp.jpg", "biography": "Xavier Mertens is a freelance security consultant based in Belgium. With 12+ years of experience in information security, his job focuses on protecting his customers' assets by providing services like incident handling, investigations, log management, security visualization, OSINT). 
Xavier is also a Senior Handler at the SANS Internet Storm Center, SANS FOR610 instructor, a security blogger  and co-organizer of the BruCON security conference.", "public_name": "Xavier Mertens", "guid": "56915001-aa85-5973-ad1f-3b14a2df40ab", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/RU9UTJ/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2022/talk/8NDEN8/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2022/talk/8NDEN8/", "attachments": [{"title": "slides", "url": "/media/pts2022/submissions/8NDEN8/resources/Introduction-to-Cyberchef-PTS_88AfAzp.pdf", "type": "related"}]}, {"guid": "6630c3c9-2be1-548a-a0a2-b95d4d25beb3", "code": "778XUY", "id": 63, "logo": null, "date": "2022-07-06T14:00:00+02:00", "start": "14:00", "duration": "00:20", "room": "Amphitheater", "slug": "pts2022-63-mobsf-for-penetration-testers", "url": "https://cfp.pass-the-salt.org/pts2022/talk/778XUY/", "title": "MobSF for penetration testers", "subtitle": "", "track": "Pentest", "type": "Short Talk", "language": "en", "abstract": "MobSF is a free and OpenSource security scanner for mobile application.\r\n\r\nFirst, this talk will introduce MobSF and its different features. Then, the talk will present how MobSF can be used during a penetration test or a red team. \r\n\r\nAfter presenting how to setup the tool for penetration testing, different use cases will be presented, regarding two different points of view:\r\n- a security review of a mobile application (or an SDK), in this case, the mobile application or the specific SDK is the target.\r\n- an assessment where the mobile application is not directly the target, in this case, the mobile application is used for recon (and more).\r\n- a quick use case of usage for every penetration tester who don't want to dig into complex android methods\r\n\r\nThese use cases will also point MobSF limits and how to handle them by using the API and homemade scripts. 
For some cases, a comparison with other tools (such as apkleaks) will be done.\r\n\r\nAt last, a quick review of how bug report and feature requests are handled by the MobSF team.", "description": "See also: [\ud83c\udfa5 video](https://passthesalt.ubicast.tv/videos/mobsf-for-penetration-testers/)", "recording_license": "", "do_not_record": false, "persons": [{"code": "EKA73F", "name": "Antoine Cervoise", "avatar": null, "biography": "Antoine is a penetration tester at Synacktiv. He enjoys computer science, electronics and D.I.Y., beers (drinking and making) by night\u2026 and he\u2019s fond of cigars!", "public_name": "Antoine Cervoise", "guid": "41d2ab36-e89e-5241-97f2-06b8968fcbff", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/EKA73F/"}, {"code": "VYF3XL", "name": "Mickael Benassouli", "avatar": null, "biography": "Pentester at Synacktiv", "public_name": "Mickael Benassouli", "guid": "b9005de6-2bd4-50b7-b715-0007cd05b135", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/VYF3XL/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2022/talk/778XUY/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2022/talk/778XUY/", "attachments": [{"title": "slides", "url": "/media/pts2022/submissions/778XUY/resources/202206_mobsf_for_pentester_auVLbVV.pdf", "type": "related"}]}, {"guid": "c20b72dd-08df-5566-a729-29c5a101d1e9", "code": "CQ98BD", "id": 60, "logo": null, "date": "2022-07-06T14:20:00+02:00", "start": "14:20", "duration": "00:35", "room": "Amphitheater", "slug": "pts2022-60-finding-java-deserialization-gadgets-with-codeql", "url": "https://cfp.pass-the-salt.org/pts2022/talk/CQ98BD/", "title": "Finding Java deserialization gadgets with CodeQL", "subtitle": "", "track": "Pentest", "type": "Talk", "language": "en", "abstract": "Arbitrary object deserialisation vulnerability in Java applications can be really dangerous, but also worthless if you are not able to find a gadget chain.\r\n\r\nSome gadgets chains are known and can be 
used without much consideration, but most of them don't work anymore.\r\n\r\nIndeed, most known gadgets are 3 or 5 year olds. This can be explained by the fact that finding such chains is hard and few tools exist to automate this process. In this talk I want to present a new technique to easily find new gadgets by leveraging the power of CodeQL. CodeQL is a very powerful static code analyzer that provides a way to analyze code by querying it like a data store. It's open source and can work on open source projects as it requires the source code of the analysed application. CodeQL can find paths between different methods and calls inside an application. This is really useful for gadget chain as we need to look for code paths from a deserialization method to a dangerous one which can lead to arbitrary code execution.", "description": "I'll first describe what a deserialization vulnerability is and how gadgets are constructed / found to perform malicious actions. Then I'll introduce CodeQL and the different possibility of this tool and finally I'll present a new technique to automate the process of finding Java gadget chains with CodeQL.\r\n\r\nSee also: [\ud83c\udfa5 video](https://passthesalt.ubicast.tv/videos/finding-java-deserialization-gadgets-with-codeql/)", "recording_license": "", "do_not_record": false, "persons": [{"code": "TWQU7E", "name": "Hugo Vincent", "avatar": null, "biography": "I'm a pentester at Synacktiv", "public_name": "Hugo Vincent", "guid": "f28198dc-adfe-5123-9d8a-c7c7ee78681c", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/TWQU7E/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2022/talk/CQ98BD/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2022/talk/CQ98BD/", "attachments": [{"title": "slides", "url": "/media/pts2022/submissions/CQ98BD/resources/codeql_wVJ8iVu.pdf", "type": "related"}]}, {"guid": "20fe484e-308e-5b0b-80a9-26eb7732e0fb", "code": "NEYFDV", "id": 69, "logo": 
"https://cfp.pass-the-salt.org/media/pts2022/submissions/NEYFDV/passthesalt_fZbrqiP.jpg", "date": "2022-07-06T14:55:00+02:00", "start": "14:55", "duration": "00:20", "room": "Amphitheater", "slug": "pts2022-69-dissecting-ntlm-epa-building-a-mitm-proxy", "url": "https://cfp.pass-the-salt.org/pts2022/talk/NEYFDV/", "title": "Dissecting NTLM EPA & building a MitM proxy", "subtitle": "", "track": "Pentest", "type": "Short Talk", "language": "en", "abstract": "Have you ever come across a website that used NTLM-based authentication, and you just could not authenticate with your browser nor BurpSuite even though you knew your credentials were correct? NTLM Extended Protection for Authentication (EPA) might be the culprit... Indeed, Firefox, among others, does not support the NTLM EPA mechanism and fails to authenticate.\r\n\r\nThis new protection was implemented to prevent relay attacks on webservers. With the rise of the powerful attack chain that involves ADCS, Petit Potam and NTLM relay, this protection has proven to be very useful!\r\n\r\nWhat can we do then?! How are we going to use all our favorite tools? By creating a proxy of course! This implied multiple problematics, such as TLS interception, HTTP parsing, NTLM authentication, EPA implementation, and so on.", "description": "In the first part of this talk, I will give a short overview of the NTLM protocol over HTTP. Then I will explain how EPA fits into all this, and how it impacts NTLM relay over HTTPs. 
Finally, I will present our interception proxy Prox-Ez and the obstacles we encountered during the development.\r\n\r\nSee also: [\ud83c\udfa5 video](https://passthesalt.ubicast.tv/videos/dissecting-ntlm-epa-building-a-mitm-proxy/)", "recording_license": "", "do_not_record": false, "persons": [{"code": "V9YUBX", "name": "Pierre Milioni", "avatar": null, "biography": "Security Ninja @ Synacktiv", "public_name": "Pierre Milioni", "guid": "15a5c733-86ac-5533-8601-4452d827a73f", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/V9YUBX/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2022/talk/NEYFDV/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2022/talk/NEYFDV/", "attachments": [{"title": "slides", "url": "/media/pts2022/submissions/NEYFDV/resources/ntlm_epa_ii5RVAD.pdf", "type": "related"}]}, {"guid": "dbf795bd-caea-504a-955c-f0d35885f821", "code": "EQ8QFD", "id": 72, "logo": "https://cfp.pass-the-salt.org/media/pts2022/submissions/EQ8QFD/kdigger_d5RH8S1.jpeg", "date": "2022-07-06T15:15:00+02:00", "start": "15:15", "duration": "00:20", "room": "Amphitheater", "slug": "pts2022-72-kdigger-a-context-discovery-tool-for-kubernetes-penetration-testing", "url": "https://cfp.pass-the-salt.org/pts2022/talk/EQ8QFD/", "title": "kdigger: A Context Discovery Tool for Kubernetes Penetration Testing", "subtitle": "", "track": "Pentest", "type": "Short Talk", "language": "en", "abstract": "kdigger, short for \"Kubernetes digger\", is a context discovery tool for Kubernetes penetration testing. This tool is a compilation of various plugins called buckets to facilitate pentesting Kubernetes from inside a pod.", "description": "During this short session, I'll demonstrate a scenario of a multi-tenant attack in a Kubernetes cluster. 
I will explain the risks, see how to prevent this kind of attack and show how kdigger can speed up the discovery process of the environment.\r\n\r\nOn top of discovering a new tool, this presentation will give you an idea of how pentesters generally try to pivot in typical Kubernetes clusters\r\n\r\nSee also: [\ud83c\udfa5 video](https://passthesalt.ubicast.tv/videos/kdigger-a-context-discovery-tool-for-kubernetes-penetration-testing/)", "recording_license": "", "do_not_record": false, "persons": [{"code": "JBAK9X", "name": "Mah\u00e9 Tardy", "avatar": null, "biography": "Mah\u00e9 Tardy is a Security R&D Engineer at Quarkslab specializing in Kubernetes security and enjoying any new tech a bit too much.", "public_name": "Mah\u00e9 Tardy", "guid": "64b4e81f-f445-57d4-a701-66eb9b804fef", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/JBAK9X/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2022/talk/EQ8QFD/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2022/talk/EQ8QFD/", "attachments": [{"title": "slides", "url": "/media/pts2022/submissions/EQ8QFD/resources/pts-kdigger_MRQhYqI.pdf", "type": "related"}]}], "Workshop Room": [{"guid": "fb76a79b-8a43-5a30-bc7e-ebc4c56cb342", "code": "M7ZQC3", "id": 65, "logo": null, "date": "2022-07-06T09:30:00+02:00", "start": "09:30", "duration": "03:00", "room": "Workshop Room", "slug": "pts2022-65-workshop-rfid-nfc-rise-of-proxmark3-hands-on", "url": "https://cfp.pass-the-salt.org/pts2022/talk/M7ZQC3/", "title": "[Workshop] RFID/NFC: Rise of Proxmark3, hands on", "subtitle": "", "track": "Hardware", "type": "Workshop", "language": "en", "abstract": "You will enjoy hacking with RFID/NFC cards and devices by means of open source.\r\nYou will have plenty of time to get familiar with the Proxmark3 RDV4 and operate it by yourself in various conditions and challenges.", "description": "Organization note: **registration to the workshop will be done directly on-site during the event**. 
Nothing to do on-line.\r\n\r\nYou will enjoy hacking with RFID/NFC cards and devices by means of open source. The primary tool being used in this workshop is the Proxmark3 RDV4, the latest and most featured of the Proxmark3 generations (additional onboard storage, SIM interface, swappable antennas, etc).\r\nYou will have plenty of time to get familiar with the Proxmark3 RDV4 and operate it by yourself in various conditions and challenges.\r\nYou will deal with different types of the most common transponders that can be found in the wild (aka tags, tokens, etc.), guided by Doegox, who will make sure you have a pleasant and instructive time.\r\n\r\nThe workshop covers RFID from the Low Frequency band (mainly used for individual physical access to buildings, garages, hotels, etc.) to the High Frequency band, where credit cards, passports, but also NFC come into play.\r\nYou will understand which type of access cards can be emulated or even cloned.\r\n\r\nTo set up your development environment, there are guides on the Proxmark3 RDV4 github repo which are essential to follow. 
If everyone comes prepared we can have better focus during the workshop on using / compiling / flashing / jtaging the proxmark3 device.\r\n\r\nIf you already have a Proxmark3 device, bring it with you and we show you how to use it with new firmware as well.\r\n\r\n**Requirements:**\r\n\r\nBring your laptop with a configured development environment already installed:\r\n\r\nIf you are under Linux (preferred), please [follow these instructions ](https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/md/Installation_Instructions/Linux-Installation-Instructions.md) and make sure ModemManager is removed;\r\n\r\nIf you are under Windows, please [follow these instructions](https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/md/Installation_Instructions/Windows-Installation-Instructions.md) (we recommend WSL or Proxspace v3.2);\r\n\r\nIf you are under OS X / Homebrew users, please [follow these instructions](https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/md/Installation_Instructions/Mac-OS-X-Homebrew-Installation-Instructions.md).\r\n\r\nMaximum of **15 students**.", "recording_license": "", "do_not_record": false, "persons": [{"code": "PWE377", "name": "Philippe Teuwen", "avatar": null, "biography": "Philippe Teuwen (@doegox) is Security Researcher at Quarkslab.\r\nHe\u2019s one of the libnfc and Proxmark3 RDV4 maintainers and gave about 20+ workshops on RFID & NFC security and privacy issues at Troopers, Hack.lu, Brucon, RFIDsec, Hackito Ergo Sum, RMLL, etc. 
along with talks on other security topics such as Wi-Fi Protected Setup, eBanking, eVoting, reverse-engineering, Side-channel and fault injection, White-Box cryptanalysis etc.\r\n\r\nHe\u2019s in the editorial team of the International Journal of PoC/GTFO and makes hardware-oriented CTFs.", "public_name": "Philippe Teuwen", "guid": "ff1bb2e7-bdae-5ecc-b2b5-b0d45b032c8a", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/PWE377/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2022/talk/M7ZQC3/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2022/talk/M7ZQC3/", "attachments": []}, {"guid": "cafd5819-b6ce-55cd-87bc-6e3ad2977ab1", "code": "BNNNQX", "id": 55, "logo": null, "date": "2022-07-06T14:00:00+02:00", "start": "14:00", "duration": "03:00", "room": "Workshop Room", "slug": "pts2022-55-workshop-threat-hunting-with-selks-and-suricata-6", "url": "https://cfp.pass-the-salt.org/pts2022/talk/BNNNQX/", "title": "[Workshop] Threat Hunting with SELKS and Suricata 6", "subtitle": "", "track": "Blue Teams", "type": "Workshop", "language": "en", "abstract": "Threat hunting with network data can be done with Suricata that combines a signature based IDS with network security monitoring capabilities. In this workshop we will show through SELKS usage. SELKS is a complete network threat hunting stack based on Suricata and Elasticsearch. We will use some of the recent capabilities of Suricata like dataset to show that it goes far beyond the traditional role of an IDS.", "description": "Organization note: **registration to the workshop will be done directly on-site during the event**. Nothing to do on-line.\r\n\r\nWith this workshop, attendees will get a good understanding of Suricata generated data and of some of its main features. 
By working on a network trace, we will see how it is possible to understand a network, discover threats and deploy detection at the organization level.\r\n\r\n**Prerequisites:** hardware requirements for the attendees is a computer with at least 2 cores and 9 Gb of memory running preferably under Linux but Windows or MacOS X should work.\r\n\r\nMaximum of **15 participants**.", "recording_license": "", "do_not_record": false, "persons": [{"code": "KLRNEJ", "name": "\u00c9ric Leblond", "avatar": "https://cfp.pass-the-salt.org/media/avatars/Stamus_Eric_small_W2BJKAY.jpeg", "biography": "\u00c9ric Leblond is the Co-Founder and Chief Technology Officer (CTO) of Stamus Networks and a member of the executive team at Open Network Security Foundation (OISF). Leblond has more than 15 years of experience as co-founder and technologist of cybersecurity software companies and is an active member of the security and open source communities. He has worked on the development of Suricata, the open source network threat detection engine, since 2009 and is part of the Netfilter Core team who is in charge of the Linux kernel's firewall layer. E. Leblond is a well-respected expert and speaker on all things network security.", "public_name": "\u00c9ric Leblond", "guid": "a2fc1a01-ec14-5b94-8e43-a8b74250f3d3", "url": "https://cfp.pass-the-salt.org/pts2022/speaker/KLRNEJ/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2022/talk/BNNNQX/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2022/talk/BNNNQX/", "attachments": [{"title": "slides", "url": "/media/pts2022/submissions/BNNNQX/resources/SELKS-Suricata-6-Workshop_Z7l0FBD.pdf", "type": "related"}]}]}}]}}}