Secure Canberra 2020

You must bring VMware to run multiple operating systems when performing class exercises. Linux virtual machines with all necessary tools will be provided on the first day of the course. Tools needed for Windows will be issued in class, but you are required to build and bring the Windows virtual machines as listed below under Option 1 or Option 2. The virtual machines must be unpatched, as we will be installing and removing patches in class. If possible, please bring the English Language Pack versions of the designated Windows virtual machines so that everyone is running the same images. If you do not bring the specified OS and/or Service Pack versions, you may experience different outcomes during exercises.

Make sure that you have the administrative ability to disable all security software and protections, including antivirus and personal firewalls. You will likely not be able to complete the exercises without this level of control. In addition, make sure that you can install software that may be blocked by administrative or security controls due to its nature. You will be installing various debuggers and vulnerable applications onto the virtual machines.

Adherence to the following requirements is mandatory:

• A minimum of 4 GB+ of physical memory (RAM), preferably 8 GB to 16 GB+
• VMware Workstation, Fusion, or Player. A 30-day free trial is available at http://www.vmware.com. VMware will send you a time-limited serial number if you register for the trial on its website. VirtualBox is also acceptable, though not thoroughly tested.
• The following four (unpatched, base install) virtual machines, preferably not Enterprise Version. This is mandatory!
• Option 1: Windows XP SP3 (32-bit), Windows 7 32-bit (SP1), Windows 7 64-bit (SP1), and Windows 10 64-bit
• Option 2: Windows XP SP3, Windows 7 32-bit (SP1), Windows 8.0 64-bit - (No Windows 8.1), and Windows 10 64-bit
• Bring your own copy of Backtrack or Kali Linux
• Download Adobe Flex 4.6 SDK from the following link and bring it to class: http://www.adobe.com/devnet/flex/flex-sdk-download.html
• Download and install the Windows Software Development Kit (SDK) for Windows 7 or Windows 8. DO NOT USE THE SDK FOR Windows 8.1. You only have to install debugging tools for Windows when prompted. The kit is available at: http://msdn.microsoft.com/en-us/windows/desktop/hh852363.aspx
• 50 GB of free hard disk space.
• PIII 1Ghz CPU minimum/M Series 1.5 GHz or higher is recommended
• It is strongly recommended that you bring a licensed version of IDA Pro. A 20% discount is available to students signing up for SEC760. Please e-mail the course author, Stephen Sims at stephen@deadlisting.com. You may choose not to purchase a license and use only the trial and free versions; however, if you do that you will not be able to complete some of the exercises because these versions have limitations. You may also bring BinDiff for patch diffing exercises. It is available at http://www.zynamics.com/software.html and is now free. If you do not bring BinDiff, alternate tools will be provided.

***Attention Mac/OSX and Linux Users***

Due to various difficulties when performing Windows Kernel debugging between virtual machines using VMware Fusion, we strongly recommend that you bring a laptop option with a Windows host OS either as your only device, or in addition to your Mac. If you choose to bring only a Mac, or a Linux host, you are required to set up kernel debugging before attending class. Specifically, you must have fully tested your ability to successfully run a kernel debugging session from one Windows virtual machine in Fusion to another Windows virtual machine. You will need to be able to perform kernel debugging against all systems named in Option 1 or Option 2 from above. This also applies to Linux users running VMware.

For assistance you can go to the following link: http://deadlisting.com/files/Remote_Kernel_Debugging_Vmware_Fusion_and_Linux.docx

Note: Your experience with these instructions may vary, depending on your version of OSX, Fusion, and other factors. We will not have time in class to troubleshoot these issues.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

• Senior Network and System Penetration Testers
• Secure Application Developers (C and C++)
• Reverse-Engineering Professionals
• Senior Incident Handlers
• Senior Threat Analysts
• Vulnerability Researchers
• Security Researchers

It is mandatory that students have previous exploit-writing experience using techniques such as those covered in SANS SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking. This includes experience with stack-based buffer overflows on both Linux and Windows, as well as experience defeating modern exploit mitigation controls such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), canaries, and SafeSEH. Experience with or an understanding of fuzzing tools such as the Sulley Fuzzing Framework and Peach is required. Programming experience is important, preferably with C/C++. At a minimum, scripting experience in a language such as Python, Perl, Ruby, or LUA is mandatory. Programming fundamentals such as functions, pointers, calling conventions, structures, classes, etc. will be assumed knowledge. Experience with reverse-engineering vulnerable code is also required, as is the ability to read x86 disassembly from within a debugger or disassembler. Experience with both Linux and Windows navigation is required, as well as TCP/IP experience. If you do not meet these requirements you may not be able to keep up with the pace of the course.

Courses that lead in to SEC760:

• SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking
• FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

Courses that are prerequisites for SEC760:

• SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking

SEC760 is a very challenging course covering topics such as remote debugging with IDA, writing IDA Python and IDC scripts, SDL and threat modeling, Linux heap overflows, patch diffing, use-after-free attacks, Windows Kernel debugging and exploitation, and much more. Please see the course syllabus for a detailed listing, and be sure to take a look at the recommended prerequisites and laptop requirements. You are expected to already know how to write exploits for Windows and Linux applications, bypass exploit mitigation controls such as DEP and ASLR, utilize return-oriented shellcode (ROP), etc.

SANS gets a lot of questions about this course. Am I ready for SEC760? Should I take SEC660 first? I have taken SEC660 but am I definitely ready for SEC760? I have taken SEC560, so can I jump right to SEC760 if I only want the exploit development material? I have not taken any SANS pen testing courses, so which one should I start with? I have taken a course through Offensive Security or Corelan, is the material the same?

There is no "one size fits all" reply to these types of questions, as everyone has a different level of experience. SANS's recommendation is to thoroughly read through the course syllabus and prerequisite statements for any course you are considering. The course author, Stephen Sims, is available to answer any questions you may have about the subject matter in order to help you make an informed decision. You can reach Stephen Sims at stephen@deadlisting.com

SANS has prepared written a 10 question exam that will help you determine if you are better suited for SEC660 or SEC760. Remember that this is purely from an exploit development perspective. SEC660 includes two days of material on introduction to exploit development and bypassing exploit mitigation controls. Much of the other material in SEC660 is on a wide range of advanced penetration testing topics such as network device exploitation (routers, switches, network access control), pentesting cryptographic implementations, fuzzing, Python, network booting attacks, escaping Linux and Windows restricted environments, etc. Many students of SEC760 have taken training from Offensive Security, Exodus Intelligence, Corelan, and others. Though there will certainly be overlap in some sections, there are many unique sections without overlap.

• Various preconfigured *NIX virtual machines; however, you are required to bring the Windows virtual machines discussed in the Laptop Requirements section.
• Various tools on a course USB that are required for use in class.
• Access to the in-class Virtual Training Lab with many in-depth labs.
• Access to recorded course audio to help hammer home important network penetration testing lessons.

• Discover zero-day vulnerabilities in programs running on fully-patched modern operating systems.
• Create exploits to take advantage of vulnerabilities through a detailed penetration testing process.
• Use the advanced features of IDA Pro and write your own IDC and IDA Python scripts.
• Perform remote debugging of Linux and Windows applications.
• Understand and exploit Linux heap overflows.
• Write Return-Oriented Shellcode.
• Perform patch diffing against programs, libraries, and drivers to find patched vulnerabilities.
• Perform Windows heap overflows and use-after-free attacks.
• Use precision heap sprays to improve exploitability.
• Perform Windows Kernel debugging up through Windows 8 64-bit.
• Jump into Windows kernel exploitation.

• Perform labs to reverse-engineer Microsoft patches from 2007-2014 to identify the patched vulnerability and take them through exploitation.
• Perform use-after-free exploit labs against popular web browsers such as Internet Explorer.
• Bypass ASLR through the creation of custom Flash objects and UAF bugs.
• Remote-debug both Linux and Windows applications, and remote-debug the Windows 7 and 8 Kernels.
• Exploit Linux heap overflows.
• Perform threat modeling against applications.
• Bypass modern exploit mitigations.
• Write your own IDA Python scripts.
• Navigate the Windows front-end (LFH) and back-end heap allocators.
• Debug drivers.

"SEC760 is a kind of training we could not get anywhere else. It is not a theory, we got to implement and to exploit everything we learned." - Jenny Kitaichit, Intel