BEGIN:VCALENDAR
VERSION:2.0
PRODID:Data::ICal 0.24
BEGIN:VEVENT
DESCRIPTION:   'Title: Defeating VPN Always-On\n   When: Saturday\, Aug 12\
 , 10:00 - 10:45 PDT\n   Where: Caesars Forum - Academy - 407-410 - Track 4
  - [1]Map\n\n   SpeakerBio:Maxime Clementz \, Cybersecurity Senior Manager
  at PwC\n   Luxembourg\n   Maxime Clementz is a Senior Manager within the 
 Cybersecurity Advisory\n   team of PwC Luxembourg. He develops his ethical
  hacker skills by\n   committing himself to various assignments for big co
 mpanies\, banks and\n   European institutions. As a technical specialist\,
  he leads penetration\n   tests\, red-teaming\, digital forensics and inci
 dent response missions.\n\n   He contributes to the development of the tea
 m’s hacking capabilities\n   by sharing the results of his technology wa
 tch and R&D and is now\n   leading the CSIRT and Threat Intelligence initi
 atives of PwC\n   Luxembourg. He especially enjoys sharing knowledge by pr
 esenting the\n   results of each mission or by giving talks (Hack.lu 2012\
 , 2015\, 2017)\n   and training courses. Maxime teaches IT security at a F
 rench\n   engineering school and organizes a Capture the Flag event for th
 e\n   students.\n\n   Twitter: [2]@maxime_tz\n\n   Description:\n   VPN Al
 ways-On is a security control that can be deployed to mobile\n   endpoints
  that remotely access corporate resources through VPN. It is\n   designed 
 to prevent data leaks and narrow the attack surface of enrolled\n   end-user e
 quipment connected to untrusted networks. When it is\n   enforced\, the mo
 bile device can only reach the VPN gateway and all\n   connections are tun
 neled.\n\n   We will review the relevant Windows API\, the practicalities 
 of this\n   feature\, look at popular VPN software\; we will then consider
 \n   ridiculously complex exfil methods and... finally bypass it with\n   
 unexpectedly trivial tricks. We will exploit design\, implementation\n   a
 nd configuration issues to circumvent this control in offensive\n   scenar
 ios. We will then learn how to fix or harden VPN Always-On\n   deployment 
 to further limit the risks posed by untrusted networks.\n\n   REFERENCES\n
 \n   VPN on untrusted networks\, captive portals: - ANSSI (France)\n   Rec
 ommandations sur le nomadisme numérique ("3.4.3 Maîtrise des flux\n   rése
 aux sur le poste de travail"): [3]https://www.ssi.gouv.fr/uploads/2018/10/
 guide_nomadisme_anssi_pa_054_v1.pdf\n   (I will translate the relevant par
 t in my slide)\n\n   Understanding "Windows Filtering Platform": - Microso
 ft documentation\n   : [4]https://learn.microsoft.com/en-us/windows/win32/
 fwp/windows-filtering-platform-start-page\n   - Pavel Yosifovich : [5]http
 s://scorpiosoftware.net/2022/12/25/introduction-to-the-windows-filtering-p
 latform/\n   - Pavel Yosifovich : [6]https://github.com/zodiacon/WFPExplor
 er -\n   Sagie Dulce : [7]https://github.com/zeronetworks/wtf-wfp\n\n   Re
 verse Engineering of Windows Filtering Platform and its\n   implementation
  in Windows VPN agents: - Ole André V. Ravnas - [8]https://frida.re/\n   -
  James Forshaw - [9]https://github.com/googleprojectzero/sandbox-attacksur
 face-analysis-tools/tree/main/NtObjectManager\n\n   '\n\n   1. #CaesarsAca
 demyBR\n   2. https://twitter.com/maxime_tz\n   3. https://www.ssi.gouv.fr
 /uploads/2018/10/guide_nomadisme_anssi_pa_054_v1.pdf\n   4. https://learn.
 microsoft.com/en-us/windows/win32/fwp/windows-filtering-platform-start-pag
 e\n   5. https://scorpiosoftware.net/2022/12/25/introduction-to-the-window
 s-filtering-platform/\n   6. https://github.com/zodiacon/WFPExplorer\n   7
 . https://github.com/zeronetworks/wtf-wfp\n   8. https://frida.re/\n   9. 
 https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/
 tree/main/NtObjectManager\n\n\n
DTEND:20230812T174500Z
DTSTART:20230812T170000Z
LOCATION:DC - Caesars Forum - Academy - 407-410 - Track 4
SUMMARY:Defeating VPN Always-On
END:VEVENT
END:VCALENDAR
