2 days to save $500 for SANS San Diego 2013

Golden Gate 2013

San Francisco, CA | Mon Dec 16 - Sat Dec 21, 2013
 

SEC760: Advanced Exploit Development for Penetration Testers

Vulnerabilities in modern operating systems such as Microsoft Windows 7/8, Server 2012, and the latest Linux distributions are often very complex and subtle. Yet, they could expose organizations to significant attacks, undermining their defenses when wielded by very skilled attackers. Few security professionals have the skillset to discover let alone even understand at a fundamental level why the vulnerability exists and how to write an exploit to compromise it. Conversely, attackers must maintain this skillset regardless of the increased complexity. SANS SEC760: Advanced Exploit Development for Penetration Testers teaches the skills required to reverse engineer 32-bit and 64-bit applications, perform remote user application and kernel debugging, analyze patches for 1-day exploits, and write complex exploits, such as use-after-free attacks, against modern software and operating systems.

More

You Will Learn:

  • How to write modern exploits against the Windows 7 and 8 operating systems.
  • How to perform complex attacks such as use-after-free, Kernel exploit techniques, one-day exploitation through patch analysis, and other advanced topics.
  • The importance of utilizing a Security Development Lifecycle (SDL) or Secure SDLC, along with Threat Modeling.
  • How to effectively utilize various debuggers and plug-ins to improve vulnerability research and speed.
  • How to deal with modern exploit mitigation controls aimed at thwarting success and defeating determination.

Hide
Course Syllabus
Course Contents InstructorsSchedule
  SEC760.1: Threat Modeling, Reversing and Debugging with IDA Stephen Sims Mon Dec 16th, 2013
9:00 AM - 5:00 PM
Overview

Definition: Many penetration testers, incident handlers, developers, and other relative professionals lack reverse engineering and debugging skills. This is a different skill than reverse engineering malicious software. As part of the Security Development Lifecycle (SDL) and Secure-SDLC, developers and exploit writers should have experience using IDA Pro to debug and reverse their code when finding bugs or when identifying potential risks after static code analysis or fuzzing.

CPE/CMU Credits: 6

Topics
  • Security Development Lifecycle (SDL)
  • Threat Modeling
  • Why IDA is the #1 tool for reverse engineering
  • IDA Navigation
  • IDA Python and the IDA IDC
  • IDA Plug-ins and extensibility
  • Local application debugging with IDA
  • Remote application debugging with IDA
 
  SEC760.2: Advanced Linux Exploitaiton Stephen Sims Tue Dec 17th, 2013
9:00 AM - 5:00 PM
Overview

The ability to progress into more advanced reversing and exploitation requires an expert-level understanding of basic software vulnerabilities, such as those covered in SANS SEC660. Heap overflows serve as a rite of passage into modern exploitation techniques. This day is aimed at bridging this gap of knowledge in order to inspire thinking in a more abstract manner, necessary for continuing further with the course. Linux can sometimes be an easier operating system to learn these techniques, serving as a productive gateway into Windows.

CPE/CMU Credits: 6

Topics
  • Linux heap management, constructs, and environment
  • Navigating the heap
  • Abusing macros such as unlink() and frontlink()
  • Function pointer overwrites
  • Format string exploitation
  • Abusing custom doubly-linked lists
  • Defeating Linux exploit mitigation controls
  • Using IDA for Linux application exploitation
 
  SEC760.3: Patch Diffing, One-Day Exploits, and Return Oriented Shellcode Stephen Sims Wed Dec 18th, 2013
9:00 AM - 5:00 PM
Overview

It is well known that attackers download patches as soon as they are distributed by vendors such as Microsoft in order to find newly patched vulnerabilities. Often, vulnerabilities are disclosed privately, or even discovered in-house, allowing the vendor to more silently patch the vulnerability. This also allows the vendor to release limited or even no details at all about a patched vulnerability. Attackers are well aware of this and quickly work to find the patched vulnerability in order to take control of unpatched systems. This technique is also performed by incident handlers, IDS administrators and vendors, vulnerability and penetration testing framework companies, government entities, and others.

CPE/CMU Credits: 6

Topics
  • The Microsoft patch management process and Patch Tuesday
  • Obtaining patches and patch extraction
  • Binary diffing with BinDiff, patchdiff2, turbodiff, and darungrim3
  • Visualizing code changes and identifying fixes
  • Reversing 32-bit and 64-bit applications and modules
  • Triggering patched vulnerabilities
  • Writing one-day exploits
  • Handling modern exploit mitigation controls
 
  SEC760.4: Windows Kernel Debugging and Exploitation Stephen Sims Thu Dec 19th, 2013
9:00 AM - 5:00 PM
Overview

The Windows Kernel is very complex and intimidating. This day aims to help you understand the Windows kernel and the various exploit mitigations added into recent versions. You will perform Kernel debugging on various versions of the Windows OS, such as Windows 7 and 8, and learn to deal with its inherent complexities. Exercises will be performed to analyze vulnerabilities, look at exploitation techniques, and get a working exploit.

CPE/CMU Credits: 6

Topics
  • Understanding theWindows Kernel
  • Navigating the Windows Kernel
  • Modern Kernel protections
  • Debugging the Windows Kernel
  • WinDbg
  • Analyzing Kernel vulnerabilities and Kernel vulnerability types
  • Kernel exploitation techniques
 
  SEC760.5: Windows Heap Overflows and Client-Side Exploitation Stephen Sims Fri Dec 20th, 2013
9:00 AM - 5:00 PM
Overview

The focus of this section is primarily on Windows browser and client-side exploitation. You will learn to analyze C++ vftable overflows, one of the most common mechanisms used to compromise a modern Windows system. Many of these vulnerabilities are discovered in the browser and therefore, browser techniques will be taught, such as modern heap spraying to deal with IE 8/9/10 and other browsers such as FireFox and Chrome. You will work towards writing exploits in the Use-After-Free/Dangling Pointer vulnerability class.

CPE/CMU Credits: 6

Topics
  • Windows heap management, constructs, and environment
  • Browser-based and client-side exploitation
  • Remedial heap spraying
  • Understanding C++ vftable/vtable behavior
  • Modern heap spraying to determine address predictability
  • Use-After-Free attacks and dangling pointers
  • Determining exploitability
  • Defeating ASLR, DEP, and other common exploit mitigation controls
 
  SEC760.6: Capture the Flag Stephen Sims Sat Dec 21st, 2013
9:00 AM - 5:00 PM
Overview

Day 6 will serve as a capture the flag day with different types of challenges from material taught throughout the week.

CPE/CMU Credits: 6

Topics
  • Test your reverse engineering, bug discovery, and expoit-writing skills in a full day of capture the flag exercises!
 
Additional Information
 
  Laptop Required

You must bring and will use VMware to run multiple operating systems when performing class exercises. Linux VM's with all necessary tools will be provided on a DVD on the first day. Tools needed for Windows will be issued in class; however, you are required to build and bring the Windows virtual machines as listed below under Option 1 or Option 2. The VMs must be unpatched as we will be installing and removing patches in class. If possible, please ensure you bring the English Language Pack versions of the designated Windows VMs so that everyone is running the same images. If you choose to, or are unable to bring the specified OS and/or Service Pack versions, you may experience different outcomes during exercises.

Ensure that you have the administrative ability to disable all security software and protections, including antivirus and personal firewalls. You will not be able to complete the exercises without this level of control. Also ensure that you can install software that may be blocked by administrative or security controls due to their nature. You will be installing various debuggers and vulnerable applications onto the VM's. Please adhere to the following:

  • 4GB+ of Physical Memory (RAM), preferably 8GB 16GB.
  • VMware Workstation, Fusion, or Player. A 30-day free trial is available at http://www.vmware.com. VirtualBox is also acceptable, though not thoroughly tested.

  • The following three (Unpatched, base install) virtual machines. This is mandatory!

    • Option 1:

      • Windows XP SP3, Windows 7 32-bit (SP0 or SP1), and Windows 7 64-bit (SP0 or SP1)

    • Option 2:

      • Windows XP SP3, Windows 7 32-bit (SP0 or SP1, and Windows 8 64-bit (SP0)
  • 50GB of free hard disk space.
  • PIII 1Ghz CPU Minimum / M Series 1.5 GHz or higher is recommended
  • It is strongly recommended that you bring a licensed version of IDA Pro. A 20% discount is available to students signing up for SEC760. Please e-mail the course author, Stephen Sims, at stephen@deadlisting.com. You may choose not to purchase a license and use only the trial and free versions; however, you will not be able to complete some of the exercises as these versions have limitations.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.
 
  Who Should Attend
  • Senior Network and System Penetration Testers
  • Secure Application Developers (C & C++)
  • Reverse Engineering Professionals
  • Senior Incident Handlers
  • Senior Threat Analysts
  • Vulnerability Researchers
  • Security Researchers
 
  Prerequisites

Previous exploit-writing experience is required, such as those techniques covered in SANS SEC660: Advanced Penetration Testing, Exploits, and Ethical Hacking. This includes experience with stack-based buffer overflows on both Linux and Windows, as well as experience defeating modern exploit mitigation controls such as DEP, ASLR, canaries, and SafeSEH. Experience with various fuzzing tools such as the Sulley Fuzzing Framework is required. Programming experience is important, preferably with C/C++. At a minimum, scripting experience in a language such as Python, Perl, Ruby, or LUA is mandatory. Programming fundamentals such as functions, pointers, calling conventions, structures, etc is mandatory and will be assumed knowledge. Experience with reverse engineering vulnerable code is also required, as is the ability to read x86 disassembly from within a debugger or disassembler. Experience with both Linux and Windows navigation is required, as well as TCP/IP experience. Failure to meet these requirements may result in the inability to keep up with the pace of the course.

Courses that Lead-in:

  • SEC660 Advanced Penetration Testing, Exploits, and Ethical Hacking
  • FOR610 Reverse Engineering Malware
  • FOR526 Windows Memory Forensics In-Depth

Courses that are Pre-reqs:

  • SEC660 Advanced Penetration Testing, Exploits, and Ethical Hacking
 
  What You Will Receive
  • You will receive various preconfigured *NIX virtual machines; however, you are required to bring the aforementioned Windows VMs.
  • You will receive various tools on a course DVD that are required for use in class.

 
  You Will Be Able To
  • How to how to discover zero-day vulnerabilities in programs running on fully-patched modern operating systems.
  • How to create exploits to take advantage of vulnerabilities through a detailed penetration testing process.
  • How to use the advanced features of IDA Pro and write your own IDC and IDA Python scripts.
  • How to perform remote debugging of Linux and Windows applications.
  • How to understand and exploit Linux heap overflows.
  • How to write Return Oriented Shellcode.
  • How to perform patch diffing against programs, libraries, and drivers to find patched vulnerabilities.
  • How to perform Windows heap overflows and use-after-free attacks.
  • How to use precision heap sprays to improve exploitability.
  • How to perform Windows Kernel debugging up through Windows 8 64-bit.
  • Jump into Windows kernel exploitation.
 
  Hands-on Training
  • You will be performing labls to reverse engineer several Microsoft patches from 2013 to identify the patched vulnerability, as well as take them through exploitation.
  • You will perform use-after-free exploit labs against popular web browsers such as Internet Explorer.
  • You will be remote-debugging both Linux and Windows applications, as well as remote-debugging the Windows 7 and 8 Kernels.
 

Author Statement

As a perpetual student of information security, I am excited to offer this course on advanced Exploit Writing for Penetration Testers. Exploit development is a hot topic as of late and will continue to grow moving forward. With all of the modern exploit mitigation controls offered by operating systems such as Windows 7 and 8, the number of experts with the skills to produce working exploits is highly limited. More and more companies are hiring to fill experts with the ability to aid in a Secure-SDLC process, perform threat modeling, determine if vulnerabilities are exploitable, and perform security research. This course was written to help you get into these highly sought after positions and to teach you cutting edge tricks to thoroughly evaluate a target, providing you with the skills to improve your exploit development. Contact me at stephen@deadlisting.com if you have any questions about the course! -Stephen Sims

Pricing
Price Options
$3,735
Event starts in 76 Days
 
Downloads
Share

SANS training is like a catalyst. It not only boosts your knowledge but also inspires you to learn more.
Tan Koon Yaw

Latest Whitepapers

Building and Maintaining a "Certifiable" Workforce
By Robert J. Mavretich

How Can You Build and Leverage SNORT IDS Metrics to Reduce Risk?
By Tim Proffitt

Daisy Chain Authentication
By Courtney Imbert

Last 25 Papers »

Latest Tweets @SANSInstitute

NEW #SANS Survey: Security Analytics & Intelligence 2nd [...]
October 1, 2013 - 6:30 PM

Tips on how to convince your boss to let you train online wi [...]
October 1, 2013 - 6:23 PM

#2 Tip on how 2 convince your boss 2 let u train online: Fle [...]
October 1, 2013 - 3:00 PM

Contact Us

(301) 654-SANS (7267)
Mon-Fri 9am - 8pm EST/EDT
info@sans.org

"This has been a great way to get working knowledge that would have taken years of experience to learn."
- Josh Carlson, Nelnet

"Because of the use of real-world examples it's easier to apply what you learn."
- Danny Hill, Friedkin Companies, Inc.

"Just amazing content and instruction, it's really a 'must do' for any info sec professional."
- Mark Austin, PHH Mortgage