CircleCityCon 2022 Workshops

Workshop Structure

These workshops are structured as Capture-The-Flag competitions, so each participant can proceed at their own pace. The techniques will be briefly demonstrated, and we will provide tips and help as needed to make sure everyone is solving challenges.

All the software used is freely available, and all the projects are copyright-free and available freely on the Web, ready to be used in your classes in any way you wish.

What Participants Need

Participants will need a laptop with a Web browser. The capacity to run local VMware machines is helpful but not necessary. We will provide cloud servers for participants who prefer not to run the machines locally.


Sam Bowne

Sam Bowne has been teaching computer networking and security classes at City College San Francisco since 2000. He has given talks and hands-on trainings at DEF CON, DEF CON China, Black Hat, HOPE, BSidesSF, BSidesLV, RSA, and many other conferences and colleges. He founded Infosec Decoded, Inc., and does corporate training and consulting for several Fortune 100 companies, on topics including Incident Response and Secure Coding.

Formal education: B.S. and Ph.D. in Physics

Industry credentials:

  • Infosec: CISSP, Certified Ethical Hacker, Security+, Defcon Black Badge, Splunk Core Certified User
  • Networking: Network+, Certified Fiber Optic Technician, HE IPv6 Sage, CCENT, IPv6 Forum Silver & Gold, Juniper JN0-101, Wireshark WCNA
  • Microsoft: MCP, MCDST, MCTS: Vista

Elizabeth Biddlecome

Elizabeth Biddlecome is a consultant and a part-time instructor at City College San Francisco, delivering technical training and mentorship to students and professionals. She leverages her enthusiasm for architecture, security, and code to design and implement comprehensive information security solutions for business needs. Elizabeth enjoys wielding everything from soldering irons to scripting languages in cybersecurity competitions, hackathons, and CTFs.

Kaitlyn Handelman

Kaitlyn Handelman is a security engineer and consultant, defending high-value networks professionally. She has extensive experience in aerospace, radio, and hardware hacking.

Industry credentials:


Full-Stack Incident Response (1 day)

Level: Beginner to Intermediate

Learn the entire process of attacks and defenses, from attacker tools, techniques and procedures from the MITRE ATT&CK knowledge base through networking monitoring, forensics, malware analysis, and Windows internals.

We will cover these topics:


We will begin with a high-level view of attacks: Groups, Tactics and Techniques in the ATT&CK matrix, and attribution. We will use Caldera or a similar product to simulate the stages of an attack and test defenses.

Network Security Monitoring

We will cover centralized security monitoring in detail, using Splunk and Suricata to find and analyze attacks.

We will use a pre-installed Splunk server with archived attack data to find and analyze attacks including vulnerability scans, brute force attacks, ransomware, Web site defacement.

Then we will analyze network traffic with Wireshark, Virus Total, and Packet Total to find suspicious traffic, reconstruct the attacker's actions, and recover downloaded files. We will generate attack traffic with Scapy and monitor traffic with simple Python scripts.

We will practice using Zeek, the powerful network security monitor formerly called Bro. We'll practice writing simple code to customize Zeek, using it to analyze captured traffic, and then install it on a cloud server and use it to detect live attacks.

Defending Windows

We will use many techniques to defend Windows systems, including detecting ransomware with Sysmon and Splunk, RAM analysis, detecting known malware with yara, and prefetch forensics.

We will use Velociraptor extensively for threat hunting on Windows systems, finding malware and persistence mechanisms, scanning for indicators of compromise, and capturing traffic remotely.

Windows Internals and Malware Analysis

We'll use many techniques to analyze the behavior of malware to find indicators of compromise and understand the harm it does. We'll use simple static analysis with strings, PE file analysis tools, and packers. Then we'll perform dynamic analysis with debuggers, disassembly with IDA Pro, and decompiling with Ghidra.

We will explore the structure of Windows executable files and the operating system itself, to better understand programs, services, malware, and defenses. We will explore the import table, perform DLL injection and DLL proxying, and examine Windows API calls in userland and the kernel in detail.

Projects include: cheating at games, building malicious DLL libraries, stealing passwords from the API, building a keylogger, debugging a driver, and writing custom shellcode. Tools used include pestudio, API Monitor, Visual Studio, OllyDbg, IDA Pro, Ghidra, WinDbg, and the Keystone Engine.

We will examine the MBR and a simple bootkit.

Prior Knowledge and Equipment Requirements

Previous experience with C and assembly language is helpful but not required. Participants will need a laptop with a Web browser and two monitors. We will provide cloud servers for participants who don't want to run the machines locally.

Key Takeaways

  • Understanding of threat actors and the ATT&CK matrix
  • Experience with network monitoring tools and Splunk
  • Thorough understanding of Windows internals and malware analysis

Who Should Take This Course

Analysts and executives responsible for protecting enterprises who wish to understand threat groups, defenses in overview, and the granular details of Windows exploits and defenses.

Cryptography and Blockchain Security (4 hours)

Level: Beginner

Learn how blockchains, cryptocurrency, coin offerings, and smart contracts work in a series of challenges. We will also cover the underlying cryptography: hashes, symmetric encryption, and asymmetric encryption. We will configure wallets, servers, and vulnerable smart contracts, and exploit them.

We will configure systems using Bitcoin, Ethereum, Hyperledger, Multichain, Stellar, and more. We will perform exploits including double-spend, reentrancy, integer underflow, and logic flaws.

No previous experience with coding or blockchains is required.

Detailed Outline


The workshop is structured in a CTF format, so each participant can work at their own pace. The techniques will be demonstrated, with complete step-by-step instructions to lead beginners through the easy challenges. There are also harder challenges for more experienced participants. We will help participants as needed, to ensure that everyone learns new techniques.

Participants need a credit card and a few dollars to rent Cloud servers, or a host machine that can run virtual machines. We will use Linux and Windows systems. All the tools we will use are freely available, and all the training materials will remain available to everyone after the workshop ends.

The challenges include:

1. Basic blockchain concepts
   a. Simple conceptual blockchain on Github
   b. Hashes, collisions, and Pollard's Rho method
2. Wallets
   a. MetaMask and Ethereum
   b. Prepraring an Android emulator
   c. MetaMask mobile wallet
3. Smart Contracts
   a. Making a Solidity Contract
   b. Making a Coin with Solidity
   c. Exploiting a contract with a reentrancy attack
   d. Winning an auction by exploiting a logic flaw
   e. Hacking PoWHCoin with an underflow
   f. Performing a double-spend (51%) attack on Bitcoin
4. Servers
   a. Preparing a Linux cloud machine
   b. Making a private Ethereum blockchain
   c. Making a Node on the Kovan Proof-of-Authority Testnet
   d. MetaMask with Local Testnet
   e. Hyperledger IROHA (from IBM)
   f. Using Multichain
5. Essential Cryptography
   a. Symmetric encryption
      i. Substitution ciphers
      ii. One-time pad and Two-time pad
      iii. AES in ECB and CBC modes
      iv. AES-GCM with Libsodium
   b. Asymmetric encryption
      i. RSA
      b. Elliptic-curve cryptography with Libsodium
6. Cryptographic attacks
   a. Padding oracle attack
   b. Existential forgery
   c. Finding large primes
   d. Factoring large numbers
   e. Baby-step, giant-step attack on the Discrete Logarithm Problem (DLP)
   f. Pollard-Rho attack on the DLP
7. Madness
   a. Quantum computing
   b. Homomorphic encryption with Microsoft's SEAL
   c. IBM's homomorphic encryption

Introduction to Exploit Development (4 hours)

Level: Intermediate

Learn how to take control of Windows and Linux servers running vulnerable software, in a hands-on CTF-style workshop. We begin with easy command injections and SQL injections, and proceed through binary exploits incuding buffer overflows on the stack and the heap, format string vulnerabilities, and race conditions.

After this workshop, you will understand how memory is used by software, and why computers are so easily tricked into executing bytes as code that entered the system as data.

We will exploit 32-bit and 64-bit Intel systems, and also ARM-based systems. We will examine modern Windows defenses in detail and how to defeat them, including ASLR, DEP, stack cookies, and SEHOP. We will also design custom shellcode with the Keystone Engine.

Previous experience with C and assembly language is helpful but not required.

Posted 4-20-22