(no subject)
Oct. 13th, 2018 09:30 pm
Tuesday Oct 2
Took the bus and metro to work
worked
at lunch took stuff to post office
worked
took the metro to the airport
flight delayed, got in later than planned which sucked and i was exhausted and confused and cranky
luckily partner got my badge
mom called and told me i needed to quit and come home and help
Wednesday Oct 3
Class like 8am to 5pm
I did NOT get enough sleep
got starbucks oatmeal and chai for breakfast
We got morning coffee break and afternoon snack break, coffee break ran out of black tea day 1 before i got any and continued that trend :(
Lunch was potbelly
i quit during lunch from work
Dinner was #HackerFoodies (hackerfoodies.com)- Against the Grain
Hung out at Sway in the Hyatt (event moved to Marriott but they were slow and grumpy and loud so many peeps stuck to hyatt, i even stayed at hyatt still)
Class info below
Application Security: For Hackers and Developers
Course name: Application Security: For Hackers and Developers
Trainer name(s): Michael Fowl and Greg Hatcher (VDA Labs)
Course description: Application Security: for Hackers and Developers, is designed for practitioners to learn about the tools and techniques used to prevent and find bugs in real world software. This class is great for anyone in software, testing, management, hacking/vulnerability research, and so much more.
We begin the class with a brief secure-by-design and strategy session. Next, understanding how and when to audit code is key for both developers and hackers. Students learn to zero in on the important components. Automated tools are employed, but auditing source manually is the key, since verifying results is a required skill even when using automated tools. Spotting and fixing bugs is the focus.
Dynamic investigation of web, mobile, and APIs requires skills with tools like Burp, while hunters for bugs in core code (C/C++) often use fuzzing: a runtime method for weeding out or finding exploitable bugs. Both techniques are used by a growing number of product and security organizations.
Another technique hackers use to uncover bugs is reversing software. Managed (.NET) and unmanaged code (C and C++) are covered. The IDA Pro tool is taught and used throughout. Other tools like Binary Ninja are shown as well. Calling conventions, Assembly-to-C, identifying and creating structures, RTTI reconstruction, etc. are covered. Students will see IDA’s more advanced features such as flirt/flare, scripting, and plug-ins.
Finally, students will walk out of this class knowing how to exploit discovered bugs. This is useful to both developers and hackers. The attack portion will teach students how to exploit common bugs such as: command injection, SQLi, IDOR, stack buffer overflows, function pointer overwrite, heap overflow, off-by-one, integer error, uninitialized variable, use-after-free, double fetch, and more. For the exploits, return overwrites, heap spraying, ROP, and gadget discovery are presented. Shellcode creation/pitfalls and other tips and tricks will all be rolled into the exciting, final component.
Course outline:
Day 1: Managed, C/C++, and Fuzzing
8am – 8:30am
Handout Material
Pass around Thumb drives for VM Setup
8:30am – 10am
Part 1 – Managed Code/Web Vulns
Lecture 1: SDL and Product Security Testing
Lab 1 – iSpyCentral Architecture Review and Reversing
Lab 2 – iSpyCentral Key Exploit
Lab 3 – SAST iSpy
10am – 10:15am
Break 1
10:15am – 12pm
Continue working on first 5 labs
Lab 4 – DAST iSpy
Lab 5 – iSpyCentral RCE
12pm – 1pm
Lunch
1pm – 3pm
Part 2 – Unmanaged/Native Code Vulnerabilities
Lecture 2: Auditing C and C++
Lab 6 – Basic C Bugs
Lab 7 – UV Investigation
Lab 8 – Warm up with C++
Lab 9 – Basic C++ Bugs
3pm – 3:15pm
Break 2
3:15pm – 5pm
Lecture 3: Fuzzing
Pydbg Demo
Lab 10 – Peach fuzzer (file fuzzing)
Lab 11 – In-memory fuzzing
Day 2: Finish Fuzzing, Reversing, and Native Exploits
8am – 8:30am
Work on anything from yesterday
Ask questions about specific things
8:30am – 10am
Lecture 3: Continue Fuzzing
Lab 12 – AFL
Lecture 4: Reversing C and C++
Lab 13 – Easy Crackme
10am – 10:15am
Break 1
10:15am – 12pm
Keep Reversing
Lab 14 – Med Crackme
Lab 15 – Patcher
Lab 16 – C++
12pm – 1pm
Lunch
1pm – 3pm
Last Reversing Lab
Lab 17 – Scripting
Lecture 5: Exploiting Native Programs
Lab 18 – Function Pointer Overwrite
3pm – 3:15pm
Break 2
3:15pm – 5pm
Lab 19 – Windows Server Exploit
Lab 20 – ROP
Student Requirements:
Students are required to provide a laptop for the course. Your laptop should have at least 30GB of free HD space, 4GB+ of RAM and VMware workstation/player for Windows or Fusion for the Mac installed ahead of time.
You will be given a Windows VM. Copy to your hard drive, and pass the portable Media to your neighbor. You will need a USB port and an OS that can read ExFat FileSystem to copy the data. (Most Mac and Windows have that, but with Linux, check for the driver) You may not share course media with non-students.