black hat home / abu dhabi home / briefings / training / schedule / sponsors / venue / press

+ EMAIL
+ RSS
+ TWITTER
+ FACEBOOK
+ LINKED.IN

Advanced PHP Hacking

TEHTRI-Security

---

Overview:

PHP is a general-purpose scripting language used worldwide on infrastructures of many governments and companies (Facebook, etc). Unfortunately, behind the power and the ease of this environment, real technical threats exist. Many vulnerabilities can be exploited remotely, which allows attackers to steal or destroy data from sources involved in the targeted infrastructure (SQL databases, emails, files, etc).

During this training, we will focus on advanced PHP hacking techniques, that might be used by attackers in order to penetrate and compromise remote networks, systems, services, applications, code... Thanks to this training, you will learn every needed concept to become a master at PHP Security thanks to the lectures, and you'll also master practical issues thanks to the hands-on exercises in our local information warfare laboratory.

After this session with hacking experts from TEHTRI-Security, you will really know how cyber invaders work and move through PHP attacks so that they can jump down to your networks and commit evil cyber-crimes.

COURSE SYLLABUS:

Phase 1: Compromise the target

• Reminder and introduction about PHP, web servers, SQL technologies, etc
• Preparing an attack, by gathering information with direct or indirect methods
• Full description of vulnerabilities: LFI, RFI, SQL injection, execution, disclosure, etc
• Learn how to find vulnerabilities and 0days through code analysis, fuzzing, dynamic tests, etc
• And then exploit the targets to get different kind of accesses

Phase 2: Post-Intrusion Activities

• Keeping the control with backdoors
• Escalating privileges
• Exploring a compromised target
• Bouncing on other targets (in-depth hacking, anonymous hacking)
• Abusing incoming web clients (clients-side and fishing attacks)
• Cleaning fingerprints with stealth behaviors

Phase 3: Defense through all layers (networks, systems, applications)

• Protection & Containment
• Deception (Honeypots) & Detection of evil PHP activities

Phase 4: Live InfoWar Hacking Simulation

• Final training through a step by step Hacking Session, with in-depth infiltrations on live PHP targets
• This will help students at coming back to previous hands-on exercises and concepts learnt with us

WHO SHOULD TAKE THIS COURSE

• Pentesters and other IT security staff will be able to improve their tools and methods to detect vulnerabilities or attackers
• Sysadmins and network staff will learn how to improve their protections against skilled attackers
• Developers and project managers will learn how to avoid errors that might cost a lot in PHP projects

STUDENT REQUIREMENTS:

• Basic experience with web technologies: PHP, SQL and HTTP
• No stress: Minimum needed knowledge will be reminded and explained at the beginning of the training
• Experience of Windows or Unix-like operating systems, networking, and at least basic hacking knowledge

WHAT TO BRING:

• Please bring a laptop with at least 2 GB RAM and network support to connect to the hands-on lab
• Use your favorite Operating System, but please be sure to come with Vmplayer, Vmware workstation, or Vmware Fusion. Virtual machines will be provided, but you're welcome to use your own custom system (e.g. BackTrack Linux)

WHAT YOU GET:

• Book of whole materials.
• Package of highly offensive tools and methods used in the underground (caught on honeypots, etc)
• Exploits + 0days about products currently running on real servers on earth

TRAINERS:

Laurent OUDOT is a senior IT Security consultant, CEO and founder of TEHTRI-Security. Last 15 years, he has been hired as a security expert to protect and pentest networks and systems of highly sensitive places like: French Nuclear Warhead Program, Ministry of Defense, United Nations, etc.
He has been doing research on defensive technologies and underground activities with numerous security projects handled (Steering Committee of the Honeynet Research Alliance, creator of RstAck, etc). Laurent has been a frequent presenter or instructor at computer security and academic conferences like BlackHat, Cansecwest, Pacsec, Defcon, HITB, US DoD/DoE, Hope, Honeynet, PH-Neutral, Hack.LU, as well as a contributor to several research papers for SecurityFocus, MISC Magazine, IEEE, etc.

Laurent ESTIEUX is a senior IT Security consultant, CTO of TEHTRI-Security, and has over 10 years of experience in security audit, penetration testing and vulnerability research. He graduated from Telecom ParisTech with a French engineer degree (master degree).
Before joining TEHTRI-Security, he has been working in various French ministries or European institutions, as a senior security expert at the French IT security Agency (ANSSI). His main research interests are web technologies security and applied security in large environments. Laurent was a member of team RstAck and contributed to MISC Magazine. He has been a regular instructor in computer security lectures dedicated to governmental or business attendance, including top ranking management sessions.

---

Best: Ends August 15	Early: Ends October 17	Late: Ends December 12
$2000	$2200	$2400