Back to top

Important Notice: Workshops are limited to 15 participants, first come first served at the registration desk on the 10th. Check the requirements so you're prepared.


IntelMQ - The full processment of a threat (11:00)

André Garrido

The excess or absence of information available today combined with the lack of automation makes incident handling a huge challenge. IntelMQ was created for a constant improvement of feed processing so it can support the work of incident response teams.
IntelMQ was developed by FCCN (Fundação para a Computação Científica Nacional) and was later supported by other European CSIRTs with the aim of speeding up the treatment of information and improve the tool through shared development.
Through the collection and processing of feeds it is possible to filter molded data for the desired purpose.

This workshop intends to provide the trainees with the following skills:
[+]Understanding the IntelMQ framework
[+]Installing and configuring IntelMQ
[+]Understanding the structure of a bot
[+]Feed IntelMQ with Kippo SSH Honeypot


Students are expected to bring their own laptop with Virtualbox installed.

Static analysis of a RAT campaign (14:00)

Ricardo Dias

This workshop is a deep-dive into a remote access tool (RAT) distribution campaign. We will do static analysis all the way through, from the weaponised attachment, second stage downloaders, to the RAT config extraction in the end.

What you will learn:

- The workflow of static analysis
- Extract valuable information from a wide range of file formats
- Decompile .NET and Java
- Defeat encoding/encryption puzzles
- Develop python scripts for automation
- Extracting the RAT configuration file


Students are expected to bring their own laptop with VMWare or Virtualbox installed, and a running instance of REMnux. So be sure to download your version from, prior to the workshop, so that we can spend more time with the fun stuff. Workshop deliverables will be available either online or via USB sticks in class.

Web application testing with SWAG (Susceptible Web App Generator) (16:30)

Colin McLean

SWAG (Susceptible Web App Generator) is a new application designed for people learning Web Application testing. The application itself has a web front-end and allows the user to generate a unique vulnerable web application. There are 12 different basic types of web application that SWAG generates e.g. different on-line store, file sharing application, member management etc). Each application created is injected with random vulnerabilities (e.g. SQL injection, file upload vulnerabilities, file injection etc). The SWAG user can then perform a security test of the generated application. SWAG will also generate a report of the injected vulnerabilities for feedback purposes (i.e. the answers). The following video shows the application

The workshop will cover:
- The basic use of SWAG.
- Information gathering techniques.
- Enumeration techniques.
- SQL injection.
- Local File Inclusion vulnerabilities.
- File upload vulnerabilities.


Participants should have a laptop with at least 4Gb RAM and have either VirtualBox or VMWare installed. The SWAG virtual machine will be distributed via a USB memory stick. For information, the virtual machine is based on Tiny Core linux and has the main hacking tools installed (e.g. OWASP ZAP, nmap, OWASP Mantra, sqlmap etc).