Sense of Security will have 2 tutorials and 3 presentations at AusCERT 2014, details are accessible at the tutorials and the presentations pages of the event.
Nathaniel Carew, Nadeem Ahmed Salim and I have prepared a penetration testing tutorial for mobile applications, registration link is accessible from here. We're planning to explain test procedures of the mobile pen-test, testing tools and the cutting-edge techniques. We will cover iOS and Android platforms for the tutorial, the demonstrations prepared for these platforms as well. They will be based on sample vulnerable applications and real applications from the application stores. The followings are the headlines of the mobile pen-test tutorial.
Penetration Testing for Mobile Applications and Web Services
- Mobile Applications 101
- Preparing a mobile pen-test lab
- Auditing platform integration
- Compile options, Encryption, Storage, Caching, Logs
- Reverse engineering
- Unpacking, Deobfuscating, Permission Management
- Source code analysis, Protection bypass, Sandbox Issues
- Runtime manipulation, Debugging
- Transport and communication features
- Certificate pinning, MITM, Fake services
Moreover, Shawn Thompson and I have prepared an another tutorial as well, Next Generation Attacks and Countermeasures for VoIP. Registration link is accessible from here and the major tool of the tutorial, Viproy, is accessible from here. We're planning to demonstrate next generation VoIP attacks starting from the LAN attacks to the SIP, Skinny, Trust and Proxy attacks. The beta versions of the new Viproy modules will be in these demonstrations as well such as Skinny signalling protocol attacks, CDP support, Cisco vendor support for SIP, TCP and SSL support for SIP. We will prepare a test lab for the tutorial which includes different SIP servers, VLAN supported switch, Cisco SIP and Skinny services. The followings are the headlines of the mobile pen-test tutorial.
Next Generation Attacks and Countermeasures for VoIP
- Network Infrastructure Analysis
- WAN/LAN/VLAN analysis, Service discovery
- IP Telephony Server Security
- Weak configuration, Management issues
- SIP, Skinny and RTP Analysis
- Discovery, Authentication, Call tests, VAS
- Enumeration, Eavesdropping, Call Spoofing
- VoIP Clients’ Security
- Advanced Attacks
- Trust hacking, Proxy hacking, DoS, Fuzzing
