From BruCON 2015
Revision as of 17:49, 9 December 2013

Rapid Reverse Engineering by Russ Gideon

Course Description

This course combines a deep understanding of reverse engineering with rapid triage techniques to give students a broad capability to analyze malicious artifacts uncovered during incident response. By tailoring the instruction to rapid assessment of binaries, we equip students with the skills required to keep up with modern malware and to quickly extract the data most valuable and pertinent to their investigations, including Indicators of Compromise (IOCs). Rapid RE includes considerable lab time using replicated enterprise networks and attacks as observed in the wild. Students will leave with an understanding of:

  • How real world attacks are carried out
  • File triage processes and techniques
  • Intelligence extraction techniques from malware
  • How to deal with binary obfuscation techniques
  • How to get indicators from a file in a hurry

Course Outline

  • Rapid inspection of various file formats
    • Metadata extraction from PE, PDF, and Office docs
    • Finding buried artifacts in files
  • Assured Dynamic Analysis
    • Extracting Host IOCs from file formats with dynamic analysis
    • Working with DLLs
    • Splatter network IOC extraction and log file analysis
    • Memory Analysis
  • Process Tracing for Rapid File Assessments
    • Intro to Intel Pin
    • Code tracing with Pin
    • Shellcode analysis with Pin
  • IDA Efficiencies
    • Intro to IDA Scripting
    • x86 emulation
    • De-obfuscation techniques
  • Unpacking
    • Using IDA for unpacking assistance
    • Unpacking in-memory
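As an added example (not course material from Attack Research or the trainer), the following Python script does the kind of rapid file triage the outline lists for PE files: it parses the headers for compile timestamp and entry point, scores each section by Shannon entropy and writable-plus-executable flags as a packing heuristic, and pulls URL, IPv4 and Windows-path indicators out of the ASCII and UTF-16LE strings. The PE image it inspects is constructed in memory by build_sample_pe(): its timestamp, strings, section names and layout are invented so that the script runs offline, and the entry point is deliberately placed in a writable section so that the checks have something to flag.

```python
import hashlib
import math
import re
import struct
from collections import Counter
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
ENTROPY_THRESHOLD = 7.0  # bits per byte; above this a section is usually packed or encrypted
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
WINPATH_RE = re.compile(r"[A-Za-z]:\\[^\"'<>|*?]+")
# Constructed sample: the timestamp, strings and section layout below are invented for this example.
SAMPLE_TIMESTAMP = int(datetime(2013, 12, 9, 17, 49, tzinfo=timezone.utc).timestamp())

def _noise_bytes(n):
    """Deterministic high-entropy filler (SHA-256 in counter mode) standing in for a packed payload."""
    chunks = (hashlib.sha256(b"rapid-re-sample" + i.to_bytes(4, "little")).digest() for i in range(n // 32 + 1))
    return b"".join(chunks)[:n]

def build_sample_pe():
    """Minimal non-executable PE32 image: headers padded to 0x200, .text at 0x200, .data at 0x400."""
    text = (b"http://example.invalid/gate.php\0" b"192.0.2.10\0" b"C:\\Windows\\Temp\\svc.dll\0\0"
            + "Global\\RapidRE".encode("utf-16le") + b"\0\0").ljust(0x200, b"\0")
    data = _noise_bytes(0x400)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, SAMPLE_TIMESTAMP, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2010)  # AddressOfEntryPoint, deliberately inside .data
    struct.pack_into("<III", opt, 28, 0x00400000, 0x1000, 0x200)  # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes

    def section(name, va, raw, raw_ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), va, len(raw), raw_ptr, 0, 0, 0, 0, flags)

    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
               + section(b".text", 0x1000, text, 0x200, 0x60000020)   # CODE | EXECUTE | READ
               + section(b".data", 0x2000, data, 0x400, 0xE0000040))  # DATA | EXECUTE | READ | WRITE
    return headers.ljust(0x200, b"\0") + text + data

def shannon_entropy(buf):
    """Bits of entropy per byte (8.0 = uniformly random)."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def extract_strings(buf, min_len=6):
    """Printable ASCII and UTF-16LE runs, the raw material for indicators."""
    ascii_strs = [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, buf)]
    wide_strs = [m.group().decode("utf-16le") for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, buf)]
    return ascii_strs, wide_strs

def extract_iocs(strings):
    """Network and host indicators from extracted strings (heuristic regexes, expect some noise)."""
    urls, ips, paths = set(), set(), set()
    for s in strings:
        urls.update(URL_RE.findall(s))
        ips.update(ip for ip in IPV4_RE.findall(s) if all(int(o) <= 255 for o in ip.split(".")))
        paths.update(WINPATH_RE.findall(s))
    return {"urls": sorted(urls), "ipv4": sorted(ips), "paths": sorted(paths)}

def triage_pe(data):
    """Parse PE headers and sections; return metadata, suspicious findings and IOCs."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections, suspicious, entry_section = [], [], None
    for i in range(nsec):
        raw_name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        ent = shannon_entropy(data[rawptr:rawptr + rawsize])
        wx = bool(flags & IMAGE_SCN_MEM_WRITE) and bool(flags & IMAGE_SCN_MEM_EXECUTE)
        sections.append({"name": name, "va": va, "entropy": round(ent, 2), "write_exec": wx})
        if ent > ENTROPY_THRESHOLD:
            suspicious.append(f"{name}: entropy {ent:.2f} > {ENTROPY_THRESHOLD} (packed or encrypted?)")
        if wx:
            suspicious.append(f"{name}: writable and executable (in-memory unpacking stub?)")
        if va <= entry_rva < va + max(vsize, rawsize):
            entry_section = name
    if entry_section != ".text":
        suspicious.append(f"entry point 0x{entry_rva:x} lies in {entry_section!r}, not .text")
    ascii_strs, wide_strs = extract_strings(data)
    return {"machine": hex(machine), "pe32plus": magic == 0x20B,
            "compile_time": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
            "entry_rva": entry_rva, "entry_section": entry_section, "sections": sections,
            "suspicious": suspicious, "iocs": extract_iocs(ascii_strs + wide_strs), "wide_strings": wide_strs}

if __name__ == "__main__":
    print(triage_pe(build_sample_pe()))
```

On a real sample, call triage_pe(open(path, "rb").read()); the header parsing is deliberately minimal and covers only what the triage needs, so use a full parser such as pefile for imports, resources and PE32+ data directories. The entropy and W+X checks are heuristics, not proof of packing, and the regexes will pick up version strings and other noise, which is the usual trade-off when indicators are needed in a hurry.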

Student Requirements

Student machines must be able to run at least two virtual machines concurrently under VMware Workstation 8.0 or later (a demo license is available). Running multiple machines usually means at least 4 GB of memory is needed. Student laptops must be running OS X, Linux, or Windows, and students must have the administrative rights to disable all antivirus, sniff traffic, adjust firewalls, etc. We encourage students to have a copy of IDA Pro version 6.0 or greater. Students are responsible for bringing an XP or Windows 7 VMware virtual machine that can be instrumented and infected with malware; take a clean snapshot of it before class and keep its network adapter host-only, since it will be infected with live samples during the labs.

Students must have:

  • A concept of scripting languages such as Python/Perl/Ruby
  • A familiarity with Windows administration
  • A concept of malware analysis and reverse engineering malware processes
  • Programming in C and prior knowledge of assembly will help students, but are not a must

Trainer Biography

Russ Gideon has many years of experience in information security, fulfilling many diverse roles from being a core component of an Incident Response operation to managing an effective Red Team. Russ excels both at malware reverse engineering, which enables him to deeply understand how attackers do what they do, and at high-end Red Teaming, where he has to penetrate sophisticated and well-protected high-value systems. Russ currently serves as the Director of Malware Research at Attack Research, LLC.

More information is available on carnal0wnage

Twitter: @attackresearch

http://www.attackresearch.com

23 - 25 April (09:00 - 17:00)
