Training will be held on October 3rd and 4th, 2018.

  • Cost for Training is $1,200 per class.
  • Training ticket includes admission to the conference.
  • You do NOT need to purchase another ticket for admission.
  • Note that all tickets are non-refundable. No exceptions.
  • All training tickets are sold out.

Be sure to read the training course and ticket FAQ.

Training tickets are sold out. Thanks to everyone who makes DerbyCon successful!


Course name: Practical Web Application Penetration Testing (PWAPT)

Trainer name(s): Tim (@lanmaster53) Tomes

Course description: PWAPT provides comprehensive training on the latest open source tools and manual techniques for performing end-to-end web application penetration testing engagements. After a quick overview of the penetration testing methodology, the instructor will lead students through the process of testing and exploiting a target web application using the techniques and approaches developed from a career of real world application penetration testing experiences. Students will be introduced to the best tools currently available for the specific steps of the methodology, including Burp Suite Pro, and taught how to integrate these tools with manual testing techniques to maximize effectiveness. A major goal of this course is teaching students the glue that brings the tools and techniques together to successfully perform a web application penetration test from beginning to end. The end result is an individual with the confidence and skill set to conduct consultative web application penetration testing engagements.

The majority of the course will be spent performing an instructor led, hands-on web application penetration test against a target application built specifically for this class using a modern technology stack (Python Flask and React) and including real vulnerabilities as encountered in the wild. No old-school vanilla PHP stuff here folks. Students won’t be given overly simplistic steps to execute independently. Rather, at each stage of the test, the instructor will present the goals that each testing task is to accomplish and perform the penetration test in front of the class while students do it on their own machine. Primary emphasis of these instructor led exercises will be placed on how to integrate the tools with manual testing procedures to improve the overall work flow. This experience will help students gain the confidence and knowledge necessary to perform web application penetration tests as an application security professional.

PWAPT is a PortSwigger preferred Burp Suite Training course ( PWAPT students will learn basic and advanced usage techniques for Burp Suite Pro, as well as discover obscure functionality hidden within the vast capabilities of the tool. Students will also receive a ~2 week trial license for Burp Suite Pro to use during and after the course.

More info and testimonials can be found at

Course outline:

Day 1:

* Methodology

* Reconnaissance

* Mapping

* Automated Discovery

Day 2:

* Manual Discovery

* Exploitation

Student Requirements:

* Laptop with at least one (1) USB port.
* Latest VMware Player, VMware Workstation, or VWware Fusion installed. Other virtualization software such as Parallels or VirtualBox will probably work if the attendee is familiar with its functionality. However, VMware Player should be prepared as a backup.
* Ability to disable all security software on their laptop such as Antivirus and/or firewalls (Administrator).
* At least twenty (20) GB of hard drive space.
* At least four (4) GB of RAM.

Course name: Modern Windows Attacks and Defense

Trainer name(s): Jared Haight and Sean Metcalf

Course description:  In this two day course, students will learn how to leverage built in Windows features and technologies to secure their environment from common (and uncommon) attacks. We’ll cover topics such as hindering lateral account movement, how to manage your environment without leaving your credentials all over the place, and how to detect and respond to malicious activity on your network.

The hands-on course starts out with protecting against very simple attacks and ramps up to more advanced attacks and solutions.  At each stage students will practice the attacks that are used in the wild and then implement security controls to stop them giving them an in-depth understanding of how to leverage and protect against a variety of attacks.

Course outline:

Day 1:

Protecting your privileged accounts

– Local Admin Password Management (including LAPS)

– Developing a Least Privilege Model

– Monitoring Privileged Groups

– Reviewing Role Access

Monitoring the Network

– Monitoring What Matters

– Monitoring PowerShell & Command Line Activity

– Sysmon

– Active Directory Event Auditing

– Detecting Attacks

– Windows Event Forwarding

Day 2:

Protecting the Network

– Attacking Legacy Protocols with Responder & Friends

– Hardening Windows Effectively

– Stopping Malicious Recon

– Windows Firewall

– Controlling Administrative Logon

– Protecting Credentials

– Application Whitelisting

– Windows 10 & Server 2016 Security Enhancements

Secure Administration: from PTH to PAW

– Common System Exploit Methods

– Disrupting the Attacker Playbook

– Credential Exposure

– Privileged Access Workstations (Admin Workstations)

– The New Standard for Domain Admins

– Tiered Model for the Real World

Implementation Guidance

– Supporting Legacy Applications

– Selling People on Security

– Building a Roll Out Plan

Student Requirements:

Students will be required to bring their own laptops for the class. Laptops should have an updated installation of Microsoft’s Remote Desktop Client software. MacOS users should install the client from the app store, Linux users should install Remmina or another RDP client that supports NLA.

Course name: Introduction to Malware Analysis

Trainer name(s): Tyler Hudak

Course description: Due to the prevalence and business impact of malware, security professionals increasingly need the skills necessary to analyze ransomware, trojan horses and other computer viruses. This two day course teaches attendees the proven concepts, techniques and processes for analyzing malware. Students will take multiple “from-the-wild” malware samples in a hands-on environment and learn how to analyze their characteristics and behavior to determine what they do and what risk they present. The course culminates in an analysis that utilizes all of the tools and techniques that have been learned.

No previous malware analysis experience is necessary as this course is designed for those who have never performed malware analysis before.

Course outline:

Day 1:

– Introduction to Malware Analysis

– Setting up a Lab

– Static Analysis

– File Identification

– Hashing

– Header Analysis

– Embedded Strings Analysis

– .NET Malware Analysis

– Packers

Day 2:

– Dynamic Analysis

– System Integrity Monitoring

– System Activity Monitoring

– Baselining

– Process Analysis

– Network Analysis and Monitoring

– Sandnets and Automation

– Advanced Malware Analysis Topics (Document analysis, advanced unpacking techniques, etc.)

Student Requirements:

Technical Skills: No previous experience in malware analysis is necessary as this course is designed for those who have never performed it before.  High-level understanding of malware is recommended, and students must be experienced with a virtual machine (e.g. Taking snapshots, etc.)
Tools: Students will be required to bring their own laptops for the class.  Laptops will need a VMWare Workstation or VirtualBox installation with an install of Windows (7 or higher) as the guest OS prior to the class. All other tools will be provided.

Course name: Dark Side Ops 2: Adversary Simulation

Trainer name(s): Nick Landers

Course description: Sophisticated adversaries are constantly setting and raising the bar for what are considered advanced attacks. Stealthy persistence, log and disk-less pivoting, advanced malware, custom exploitation, and unrelenting privilege escalation are just a few traits that comprise advanced adversarial trade craft. Adversary simulation is the next step in red team operations to better mimic the stealth, sophistication, and persistence of real-world adversaries. Challenge yourself to Dark Side Dev: Adversary Simulation, and move beyond reliance on the “”low-hanging exploitable fruit”” of unpatched systems, local admin privileges, clear-text passwords, and easy egress.

Dark Side Ops II: Adversary Simulation builds on Silent Break Security’s Dark Side Ops: Custom Penetration Testing training by furthering participants’ abilities to think, operate, and develop tools just like sophisticated, real-world attackers. If you want to 1) build confidence in your offensive approach and capabilities, 2) learn about and implement the techniques of stealthy malware and backdoors, and 3) achieve the operational results of a sophisticated adversary, then Dark Side Ops II: Adversary Simulation is for you.

Dark Side Ops II: Adversary Simulation provides participants with hands-on labs over an intense, two-day course.

– Discover new external attack techniques to gain stealthy internal network access without social engineering

– Leverage configuration weaknesses to fully compromise database servers

– Reverse engineer .NET applications to identify 0-day vulnerabilities

– Bypass even the tightest of egress controls through custom code execution techniques

– Learn about and perform disk-less pivoting techniques

– Implement the latest in code and DLL injection techniques completely undetectable by AV

– Learn about and bypass the latest in application whitelisting

– Prevent and block defensive incident responders from analyzing your tools, payloads, and backdoors

– Build easy-to-use and versatile malware, backdoors, and loaders to diversify your toolset and capabilities

As part of the course, participants will receive access to multiple virtual machines where their skills and proficiency will be challenged through a series of intense, hands-on lab exercises. Participants will also be provided with a LOT of custom code to facilitate their learning process and push them to consider improved attack techniques and new attack vectors.

Go custom or go home!

Course outline:

Day 1:

1 Open source recon/research – Intro to Slingshot

2 Automating infrastructure deployment – Ansible

3 Initial access techniques – OLE and HTA

4 Sandbox evasion – HTA and in-memory malware

5 App whitelisting bypasses – InstallUtil and .NET

6 User profiling

Day 2:

7 Introduction to rootkits – Process hiding

8 Hooking the network – Filtering packets

9 Triggerable implants – ICMP packet to rootkit filter to payload execution

10 Advanced Windows persistence – COM hijacking

11 Advanced Windows Privilege Escalation – Custom service exploitation

Student Requirements:

A Laptop with the following capabilities:
– Administrator access to allow for modifying network configuration, sniffing traffic, etc.
– Wireless connection
– Capable of running two virtual machines simultaneously using either VMware Workstation or Player
– 80GB of free disk space

Course name: Advanced Security: For Hackers And Developers

Trainer name(s): Dr. Jared DeMott and Nick Defoe (VDA Labs)

Course description: As we learned in our first class (Application Security: for Hackers and Developers), there are almost always bugs in code.  We found them by static/auditing, dynamic/fuzzing, reversing code, and more.  Then we crafted exploits.  To counter this reality, vendors have developed a variety of protections.

In this class we continue the battle.  We describe a number of modern day protections: things like EMET, Isolated Heap, and CFG.  We then perform hands-on lab work to show how bypasses can be constructed.  This build-and-break teaching style provides the tools for vulnerability researchers, security engineers, and developers to perform cutting edge work.  The second half of the class is all about the kernel.  You will learn how to debug, audit, fuzz, and exploit kernel code.  The class is fast pasted, but low stress and fun.  Prepare to learn!

Course outline:

Day 1: Exploiting Browsers on Modern Systems

8am – 8:30am

Handout Material

  • Pass around Thumb drives for VM Setup

8:30am – 10am

ROP in Client Side Exploits

  • Dig deep into a complicated IE UaF exploit
  • Learn advanced WinDbg skills for HTML/DOM/JS investigations

10am – 10:15am

Break 1

10:15am – 12pm

EMET includes 5 ROP protections

  • We discuss how they work, and how they could be bypassed
  • Bypass EMET by upgrading existing working exploit

12pm – 1pm


1pm – 3pm


  • Browser vendors have added UaF protections
  • Bypass Isolated Heap and Deferred Free

Control Flow Integrity

  • Describe new-ish feature in Windows/Visual Studio
  • Bypass Microsoft’s Control Flow Guard

3pm – 3:15pm

Break 2

3:15pm – 5pm

Browser Extension Exploitation

  • Discuss Flash and describe an exploit that was disclosed as part of the Hacking Team fiasco
  • Understand and work with the exploit

Day 2: Kernel Vulnerabilities

8am – 8:30am

Work on anything from yesterday

Ask questions about specific things

8:30am – 10am

Kernel Debugging

  • Discuss the Windows Architecture, including the principles and components of the Kernel
  • Learn how to debug system code

10am – 10:15am

Break 1

10:15am – 12pm

Kernel Auditing

  • Windows drivers: how they work and how to find bugs in them
  • Find bugs in the provided driver code

12pm – 1pm


1pm – 3pm

Kernel Fuzzing

  • Syscalls, IOCTLs, User/GDI, Networking/IO stacks, etc.
  • Perform GDI/Font fuzzing

3pm – 3:15pm

Break 2

3:15pm – 5pm

Kernel Exploitation

  • Teach kernel exploits and defenses
  • Examine details kernel exploits: how kernel ROP and elevation works

Student Requirements:

Students are required to provide a laptop for the course. Your computer should have 100GB of free HD space and should have 8GB of RAM. Install ahead of time either VMware workstation/player or Fusion.  You will need a USB port and an OS that can read ExFat FileSystem to copy the data. (Most Mac and Windows have that, but with Linux, check for the driver.) You may not share course media with non-students.

Course name: Application Security: For Hackers and Developers

Trainer name(s): Michael Fowl and Greg Hatcher (VDA Labs)

Course description: Application Security: for Hackers and Developers, is designed for practitioners to learn about the tools and techniques used to prevent and find bugs in real world software.  This class is great for anyone in software, testing, management, hacking/vulnerability research, and so much more.

We begin the class with a brief secure-by-design and strategy session.  Next, understanding how and when to audit code is key for both developers and hackers.  Students learn to zero in on the important components. Automated tools are employed, but auditing source manually is the key, since verifying results is a required skill even when using automated tools.  Spotting and fixing bugs is the focus.

Dynamic investigation of web, mobile, and APIs requires skills with tools like burp.  While hunters for bugs in core code (C/C++), often use fuzzing: a runtime method for weeding out or finding exploitable bugs.  Both techniques are used by a growing number of product and security organizations.

Another technique hackers use to uncover bugs is reverse software.  Managed (.net) and unmanaged code (C and C++) are covered. The IDA pro tool is taught and used throughout.  Other tools like Binary Ninja are shown as well. Calling conventions, Assembly-to-C, identifying and creating structures, RTTI reconstruction, etc. are covered. Students will see IDA’s more advanced features such as flirt/flare, scripting, and plug-ins.

Finally, students will walk out of this class knowing how to exploit discovered bugs.  This is useful to both developers and hackers. The attack portion will teach students how to exploit common bugs such as: command injection, SQLi, IDOR, stack buffer overflows, function pointer overwrite, heap overflow, off-by-one, integer error, uninitialized variable, use-after-free, double fetch, and more.  For the exploits, return overwrites, heap spraying, ROP, and gadget discovery are presented. Shellcode creation/pitfalls and other tips and tricks will all be rolled into the exciting, final component.

Course outline:

Day 1: Managed, C/C++, and Fuzzing

8am – 8:30am

Handout Material

  • Pass around Thumb drives for VM Setup

8:30am – 10am

Part 1 – Managed Code/Web Vulns

Lecture 1: SDL and Product Security Testing

  • Lab 1 – iSpyCentral Architecture Review and Reversing
  • Lab 2 – iSpyCentral Key Exploit
  • Lab 3 – SAST iSpy

10am – 10:15am

Break 1

10:15am – 12pm

Continue working on first 5 labs

  • Lab 4 – DAST iSpy
  • Lab 5 – iSpyCentral RCE

12pm – 1pm


1pm – 3pm

Part 2 – Unmanaged/Native Code Vulnerabilities

Lecture 2: Auditing C and C++

  • Lab 6 – Basic C Bugs
  • Lab 7 – UV Investigation
  • Lab 8 – Warm up with C++
  • Lab 9 – Basic C++ Bugs

3pm – 3:15pm

Break 2

3:15pm – 5pm

Lecture 3: Fuzzing

  • Pydbg Demo
  • Lab 10 – Peach fuzzer (file fuzzing)
  • Lab 11 – In-memory fuzzing

Day 2: Finish Fuzzing, Reversing, and Native Exploits

8am – 8:30am

Work on anything from yesterday

Ask questions about specific things

8:30am – 10am

Lecture 3: Continue Fuzzing

  • Lab 12 – AFL

Lecture 4: Reversing C and C++

  • Lab 13 – Easy Crackme

10am – 10:15am

Break 1

10:15am – 12pm

Keep Reversing

  • Lab 14 – Med Crackme
  • Lab 15 – Patcher
  • Lab 16 – C++

12pm – 1pm


1pm – 3pm

Last Reversing Lab

  • Lab 17 – Scripting

Lecture 5: Exploiting Native Programs

  • Lab 18 – Function Pointer Overwrite

3pm – 3:15pm

Break 2

3:15pm – 5pm

  • Lab 19 – Windows Server Exploit
  • Lab 20 – ROP

Student Requirements:

Students are required to provide a laptop for the course. Your laptop should have at least 30GB of free HD space, 4GB+ of RAM and VMware workstation/player for Windows or Fusion for the Mac installed ahead of time.
You will be given a Windows VM. Copy to your hard drive, and pass the portable Media to your neighbor.  You will need a USB port and an OS that can read ExFat FileSystem to copy the data. (Most Mac and Windows have that, but with Linux, check for the driver) You may not share course media with non-students.

Course name: Advanced Open Source Intelligence for Social Engineers

Trainer name(s): Ryan MacDougall

Course description: Information is the lifeblood of the social engineer. But there is now so much information available that it can be overwhelming. How can we dial in and narrow your focus in ways that will enhance your social engineering abilities? This course will show you the techniques, tricks, and tips used by the professional social engineering penetration testers of Social-Engineer, LLC. This two-day course is not a laundry list of tools. We will also share the methodology, processes, and our own experiences that allow us to successfully apply information to plan and launch realistic SE scenarios for our clientele. Having the information is only half of what you need.

Lots of tools are nice, but we find that just 3-4 can get the job done 100% of the time. This class is designed with a live practical certification as part of the class that you will get a chance to put your skills to applicable use – live and in person.

Course outline:

Day 1:

Non-Technical OSINT

Observational Skills


Google Hacking

Day 2:


Social Media Recon

Practical Certification

Student Requirements:

Laptop with NIC card, Some knowledge of OSINT, Willingness to learn new things, Willingness to work as part of a team

Course name: Memory-Resident Code: Analysis, Detection, and Development

Trainer name(s): Matt “scriptjunkie” Weeks

Course description: This two-day class introduces students to Windows memory-resident malware techniques, analysis, and defenses. Students will learn how memory-resident malware is created and operates invisible to many defenses, with real-world examples and context. Students will also gain understanding of how the Windows operating system manages memory and active defense techniques to detect and eradicate memory resident malware.

Course outline:

Day 1:

– Introduction

– Windows Memory Basics – Allocations, Paging, Permissions, and Mapping

– Powershell Basics

– Scanning Methodologies

– Live analysis tools

– Memory dump analysis tools

– Signs of Malware in Memory

– Case studies; memory-resident code, packers, rootkits

– Malicious memory contents; signs of loaded code

– Assembly basics and opcodes

– Shellcode structure

– Day 1 final exercise

Day 2:

– Development environment setup and shellcode harness

– General development strategies

– API lookup; hash vs name

– Function tables

– Reflective loading

– Injection techniques and exercises

– Remote allocation and thread spawning

– DLL loading

– Asynchronous procedure calls

– Process hollowing

– Write-only method

– Section mapping

– Combined techniques

Student Requirements:

0. Students should have basic familiarity with at least one scripting or programming language, ideally able to create a “”Hello World”” program in C on Windows.
1. A laptop with a 64-bit operating system and hardware virtualization supported and enabled (you may need to enable this in the BIOS). Note: I do not recommend using government-owned or employer-owned equipment for this malware class in general, especially if you are unable to turn off the antivirus software.
2. VirtualBox installed: (note: VMWare workstation will also work)
3. Download and set up a Kali Linux Virtual Machine as one VM (
4. Download the 64-bit USGCB Win7 VHD as a second VM, create a virtual machine using it as a hard disk, and make sure they can boot it and log in: Attach the VHD to the IDE controller instead of the default SATA controller when setting up the VM, or you will get a blue screen. To do that, after creating the VM, click on it in VirtualBox, then click the Settings gear button, then click Storage, then remove any hard drives from the SATA controller and add the “USGCB Windows7 SP1 x64 Enterprise – 20111014.vhd” hard drive to the IDE controller. Then start the VM.
5. Download the Debugging Tools for Windows (windbg) and install it on the Windows 7 VM:
6. Download and install Visual Studio community edition in the Windows VM

Course name: Achieving Security Awareness Through Social Engineering Attacks

Trainer name(s): Jayson E. Street and April Wright

Course description: The ability to “think like an attacker” is the best way to defend against attacks. Your employees are your biggest asset, but also at the biggest risk for social engineering (SE). Awareness is the best defense against SE threats. Through hands-on exercises, SE risks will be discussed and evaluated with an emphasis on developing awareness programs. Class activities will introduce students to profiling the online presence of employees and enterprises, as well as performing attacks against WiFi and computers. After successful completion of this course, students will have a better understanding of how to detect and/or prevent to SE events by looking at their defenses from a different perspective. Students will gain insight into how to educate others and create greater awareness about the various dangers that can occur. The primary goal of this course is to substantially increase the security posture of an organization by implementing changes to better handle malicious SE attacks. This 2-day course will introduce students to current Red Team strategies to develop a better understanding of how attackers use SE, as well as provide methods to prevent and detect these attacks via awareness programs and “teachable moments”.

Course outline:

Day One:

Intro to Social Engineering

– Methods

– How does it work

– Why does it work

Recon Phase


– Social Media opportunities

– Other sources of value

– Browser recon

– Case Study

– Exercise

Attack Phase: No-tech

– Pretexting basics, methods

– Phishing and Spearphishing

– Case Study

– Exercise

Attack Phase: Technical

– Wired Networks

– Wireless Networks

– Physical Attacks

– Payloads

Day 2:

Attack Phase: Technical (continued)

– Methods and exercises

Building Awareness Programs

– Steps and Strategy

– Getting Buy-in

– Creating Effective Policy

– Exercise

– Ways to Engage Users

– Practical tips, everyday activities

– Testing Goals, Scenarios

– Example Checklists and User Guides

Student Requirements:

A laptop with WiFi capability, A phone or a tablet with WiFi capability (A 2nd laptop would also work), If required for their laptop (e.g. newer Macbooks), an adapter so the student is able to connect a USB-A cable (e.g. USB-C to USB-A adapter)

Course name: Adversarial Attacks and Hunt Teaming (Red Team vs. Blue Team) Hands-On

Trainer name(s): Larry Spohn and Ben Ten

Course description: This course is completely hands-on, focusing on the latest attack techniques and building a defense strategy around them. This workshop will cover both red and blue team efforts and provide methods for understanding how to best detect threats in an enterprise. It will give penetration testers the ability to learn the newest techniques, as well as teach blue teamers how to defend against them.

This course is completely hands on!

This course applies real-world offense and defense capabilities to truly paint the full picture of understanding how attacks happen today and how to best prevent them.

This is a new course and is completely fresh. It contains all of the latest pentester methods as well as unreleased methods for detecting attacks.

Students can have a penetration testing background, or someone that focuses on defense.

Course outline:

Day 1

  • Introduction to Attacker Techniques
  • Common Methods for Exploitation
  • Methods for Persistence and Evasion
  • Lateral Movement and Pivoting
  • Circumventing Security Defenses
  • Understanding Attacker Mindsets
  • Performing an adversarial simulation
  • Simulated Attack Scenario on Live Network

Day 2

  • Social Engineering and physical attacks
  • Developing a Common Defense
  • Introduction to Hunt Teaming
  • Performing a hunt team exercise
  • Tools, tricks, and free scripts!
  • Identifying threats on the network
  • Identifying threats on the endpoint
  • Using existing technology in the network

Student Requirements:

Laptop with VMWare/Fusion or similar (VirtualBox is not recommended).
 Kali Linux in a virtual machine (or primary OS) or Ubuntu (LTS) with PenTesters Framework already loaded and up-to-date (

Course name: Practical Signature Development for Open Source IDS

Trainer name(s): Jason Williams and Jack Mott

Course description: In Practical Signature Development for Open Source IDS we will teach expert methods and techniques for writing network signatures to efficiently detect the greatest threats facing organizations today. Students will gain invaluable information and knowledge including the configuration, usage, architecture, traffic analysis fundamentals, signature writing, and testing of an Open Source IDS like Suricata and Snort. Students will be given handouts to help them understand and develop their own network signatures. Updated lab exercises featuring current threats will train students how to analyze and interpret hostile network traffic into agile rules for detecting threats, including but not limited to: Exploit Kits, Ransomware, Cryptocurrency Miners, Phishing Attacks, Malicious Documents, Crimeware Backdoors, and Targeted Threats. Students will leave the class armed with the knowledge of how to write quality signatures for their environment, enhancing their organization’s ability to respond and detect threats. The class is very hands-on with a robust workbook featuring exercise walkthroughs/explanations and a physical copy of the material presented. The class exercises feature paths for those that are brand new to writing signatures and signature experts who dream in pcre. The class has been updated for Derbycon 8 with new exercises and the latest Suricata functionality such as the SMB2/3 protocol, whitespace transforms, and new detection buffers.

Course outline:

Day 1:

Network and Malware Analysis Fundamentals

IDS Engine Fundamentals

Rule Writing Fundamentals

Writing Signatures for DNS

Writing Signatures for HTTP

Writing Signatures for SMB

Day 2:

Advanced Rule Features

Writing Signatures for SSL / TOR

Detecting Cryptocurrency Miners

Detecting Phishing Communications

Detecting Ransomware Communications

Detecting Exploit Kits

Detecting Malicious Documents

Detecting Targeted Threats

Student Requirements:

Basic knowledge of *nix and the command line
Basic knowledge of Wireshark
Basic TCP/IP knowledge
Laptop with at least:
    4 GB RAM
    VMware Player or Latest Virtualbox
    VMware Workstation/Fusion
    Available for free 30-day trial at
    Administrative rights
    No AV / Ability to temporarily disable
    Please do not bring a company laptop containing sensitive materials or that you cannot modify

Course name: PowerShell for Blue/Red Teams

Trainer name(s): Carlos Perez and Jose Quinones

Course description: This course will cover from basics to advance use of Windows PowerShell for the the security professional that works either in a Blue or Red Teams.

Course outline:

–  PowerShell Login

–  Logging per version of PS

–  Bypass of PowerShell Logging

–  Obfuscation

–  Mitigations

–  PowerShell Execution

–  Using PowerShell.exe

–  General considerations

–  Macros

–  HTA files

–  Using the PowerShell Engine

–  .Net Executable using System.Management.Automation.dll

–  WMI win32_process

–  PowerShell in Post Exploitation

–  Enumeration

–  AD via ADSI

–  WMI Basics

–  Persistence

–  Scheduled Task

–  WMI Permanent Events

–  Mitigations

And much much more.

Student Requirements:

Laptop with a Win10 Ent VM with Office trial (they can download the 90day demos from MS) and Sysinternals Sysmon installed.

Course name: Advanced Attack Infrastructure

Trainer name(s): Jason Lang

Course description: Still sending shells directly to your private C2 server? This course will teach you how to proxy your traffic through the cloud (AWS), ensuring your C2 endpoints are protected at all times. We will cover dealing with incoming sandbox connections, domain categorization, and complete infrastructure buildout start to phish. 🙂

Students will come away with full knowledge of how to build out a red team infrastructure capable of handling the demands of modern red teaming, including supporting multiple team members and clients simultaneously while ensuring your C2 servers are protected from prying defenders.

Course outline:

Day 1:

Infrastructure Design

Proxying vs Redirecting

Apache & Apache Modules

Proxy Cloud Buildout

Automation & Security

Domain Categorization & URL Filtering

Day 2:

C2 Endpoint Design & Installation

Proxying DNS Channels

Domain Fronting

Handing Sandboxes

Payload Crafting

Putting It Together

Student Requirements:

Students will need a laptop capable of running Windows 7/10 (at least 40GB free space) in a VM via Fusion/Workstation. Materials and VMs will be provided upon arrival. Additionally, students will be required to register for a free AWS account *prior* to coming to class.
It would be extremely helpful if students were familiar with the process of standing up and logging in to free-tier Ubuntu servers.

Course name: Evil Mainframe Penetration Testing

Trainer name(s): Philip “Soldier of FORTRAN” Young and Chad “Big Endian Smalls” Rikansrud

Course description: Have you ever been mid pentest with mainframe credentials and thought ‘now what?’ Or were you ever asked to do a mainframe pentest and didn’t even know where to start? Maybe you’re a sysprog and think your systems are impenetrable. No matter your background this course is for you!

This course provides training on mainframe penetration testing using the most recent and up to date attack vectors. Walking through techniques for gaining system access, performing end-to-end penetration tests, and teaching you to ‘own’ the mainframe.

After a quick overview of how z/OS works and how to translate from Windows/Linux to “z/OS” the instructors will lead students through multiple real world scenarios and labs against a real live target mainframe brought on site for the training. The areas explored in this course include VTAM, CICS, TSO, Unix and Web. Students will be given access to this mainframe environment for the duration of the course where they will learn to navigate the operating system, learn some of the misconfiguration targets and privilege escalation techniques. They will get introduced to the open source tools and libraries available for all the steps of a penetration test including Nmap, python, kali, and metasploit as well as being able to write their own tools on the mainframe using REXX, JCL, C and CLISTs.

The majority of the course will be spent performing instructor led hands on mainframe testing with tools provided by the instructors. Goals for each segment will be laid out with appropriate time afforded to students to allow them the ability to gain a deep understanding of how a mainframe pentest could and should be performed. Exercises will be based on real world attack scenarios.

While this class is outlined as a beginner class to mainframe hacking the attendee should have knowledge of IT security, penetration testing and very basic Python.

Course outline:

Day One: Mainframe Basics, User Interaction, Scripting, Network Protocols & Security

– About us and the course

– Mainframes: A *brief* History

– z/OS Basics


– Unix



LAB: Creating a folder on a mainframe. Copy/Pasting to that folder. Writing JCL, submitting the job and viewing the output.

– Patching

– System Startup Understanding the boot process

– Storage (Memory)

– Security: How security is handled on mainframes and what to look for

LAB: RACF commands, accessing dataset in warning mode. Submitting JCL with ‘SURROGAT’ authority

– Writing *real* JCL

– Writing REXX

– Writing CLISTs

– Writing and compiling C

LAB: Write REXX script to create a reverse shell. Compile C program to create reverse shell.

– Writing HLASM

– CICS: Understanding how CICS works and used in the enterprise

LAB: Connecting to CICS, accessing a transaction and gathering information

– TN3270: How the major mainframe protocol works and how to use it to our advantage

LAB: Using TN3270 python script to hack poorly coded TN3270 apps


Day Two: Let’s Hack a Mainframe!

– Reconnaissance

– OSINT and the Mainframe

– Using Nmaps *new* tn3270 library

– Writing your own Nmap scripts to target mainframe applications

LAB: Using Nmap enumerate LU names, VTAM Application IDs, CICS transactions.

– System Interaction/Shells

– Breaking in through TSO, CICS, Web

– Using Python for infil/exfil

– Using x3270 & s3270 scripting

LAB: Using Python and Tn3270 to automate

– CICS Security Bypass

– Using CICS to get a shell

LAB: CICSPwn reverse shell

– FTP and JCL

LAB: Using FTP and JCL to run a job & get a shell.

– Automating it all with metasploit

– System Enumeration

– Gathering system information

– SuperC

– Memory storage locations

– Enum (rexx script)

– SETRCVT (rexx script)

LAB: Identify all APF authorized libraries

– Offline Cracking

– How passwords are stored

– Where they are stored

– Understanding the hashing algorithm

– Cracking the passwords with John/Hashcat

– Privilege Escalation


– Warnmode

– BPX.Superuser

– SURROGAT authority

– Search/SuperC

– APF Authorized

LAB: Using ELV.APF (rexx script) to escalate privileges

– Review

– Cover any questions/remaining items


– The last hour is a mainframe CTF which uses everything learned in the class to ‘own’ a mainframe.

– Students attack the in-house mainframe to gain points. First team to get the highest wins!

Student Requirements:

Students must bring their own laptop to class. This device should be capable of running VMware player/Fusion or Virtualbox. A virtual machine image will be provided prior to class.
If students wish to build their own here’s the required software:
– Linux (Ubuntu, CentOS, Arch)
– Nmap – current SVN version
– Metasploit – Current nightly
– X3270 Compiled from source
– BIRP – with x3270 patches installed
– SSH Client
– Python 2.7+
– Git client (to install tools discussed in the class, the virtual image has these tools pre-installed)