From BruCON 2015
Previous revision (this page formerly described the course below; the current text follows under "Latest revision"):

=Offensive Techniques by Russ Gideon=

In the professional information security world, there has yet to be a course which provides students the knowledge and skills to carry out a real-world attack. Traditional penetration testing courses impart only a limited view of the exposure and vulnerabilities companies suffer from. Traditional classes are generally focused on standard scanner, framework and tool usage as well as techniques for collecting "shells" on target systems. In contrast, this course is designed to teach its students how to plan and execute a successful attack against a target, using the same techniques and mindsets that real attackers use.

Attack Research will bring a unique approach to penetration testing, using deep system knowledge and lesser-known techniques that will arm the student with true offensive capabilities. This class is designed to help students think past the need for known exploits. Alternating between hands-on exercises and lectures, the students will walk away having had the chance to use the new skills they learn. A virtual target network will be provided, along with all of the software needed to participate in the labs.

The first day of the class will cover the basic core skill sets that are needed to be successful in an offensive operation. These skills are the foundation for being able to handle and evade the large array of technical defensive measures which the student may encounter when attacking sophisticated environments. The Metasploit Framework will be used as a development platform for building custom tools and launching specialized attacks.

On the second day, our attention will turn to initial target exploitation and lateral movement. The students will learn how to gain persistence and deep footholds into an organization's network. We will focus heavily on the persistence and post-exploitation techniques that have been perfected by the Attack Research team. At the end of this day students will have a strong understanding of how to get into a network and then stay in.

The third day will focus on deeply penetrating a Unix environment designed to emulate common corporate setups. Many penetration testing classes focus on Windows-based methodologies and attacks, neglecting the wide array of Unix scenarios that may be encountered in the real world. After the third day the students will not only be capable of taking over a Windows domain, but will also be able to compromise Unix domains. Some of the techniques covered in the Unix domain are also applicable to mobile devices.

Students will test all of the skills they have gained in the course against a virtual network specially designed for the class. The labs will be interwoven into the lecture so that students receive a significant amount of time practically exercising these new skills as they learn. By the end of the class students will have spent roughly 50% of the time in a lab environment.

===Who Should Attend===

This training is for technical IT security professionals like pentesters, but also for interested hackers.

===Technical Requirements and prerequisites===

Student machines must be able to run at least 2 virtual machines using either VMware Workstation (which can be obtained through a demo license) or VirtualBox. This usually means at least 4 GB of memory is needed.

Student laptops must be running either OSX, Linux, or Windows, and students must be able to disable all antivirus on the machine. You must also have administrative access on your machine for sniffing traffic, adjusting firewalls, etc.

Students must have:

* a concept of scripting languages such as Python/Perl/Ruby
* a medium level of systems administration on a Windows or Linux machine (Windows preferable but not a must)
* a laptop capable of running the Metasploit software

===Detailed Agenda===

'''Day 1'''

* intros
* schedule & venue
* class setup
* class overview / philosophy
* Metasploit Tutorial
** msf background / history
** core components / meterpreter
** Multihandler
** auxiliary modules / scanners
** exploits & payloads
* recon activities

'''Day 2'''

* Initial Penetration
** Web / sqli
** Social Engineering
** File format attacks
** Java applet
** Physical & Hardware
* Post Exploitation
** Command & Control
** Persistence
** Stealth
** PSP Evasion
** Cleanup
** Data Exfiltration Strategies

'''Day 3'''

* Unix Domain Takeover
** Unix Intro
** NFS
** Authentication Systems
** Kerberos
** SSH
* Windows Domain Takeover
** Lateral Movement
** SMB
*** WPAD
*** SMBRELAY
* Insecure Services
* Privilege Escalation
* RDP/VNC/Sethc
* Authentication Abuse
** Hashes and Passwords
** Token Hijacking
* Domain Enumeration

=Trainer Biography=

[[File:Attack-Research-Logo.jpg|190px|thumb|left]] '''Russ Gideon''' has many years of experience in information security, fulfilling many diverse roles from being a core component of an Incident Response operation to managing an effective Red Team. Russ excels both at malware reverse engineering, which enables him to deeply understand how attackers do what they do, and at high-end Red Teaming, where he has to penetrate sophisticated and well-protected high-value systems. Russ currently serves as the Director of Malware Research at Attack Research, LLC.

More information is available on [http://carnal0wnage.attackresearch.com carnal0wnage]

[[Image:300px-twitter-icon.jpg|17px]] [https://twitter.com/#!/attackresearch @attackresearch]

[http://www.attackresearch.com http://www.attackresearch.com]

''24 & 25 September (09:00 - 17:00)''

Latest revision as of 08:09, 23 January 2014

Offensive HTML, SVG, CSS and other Browser-Evil by Mario Heiderich

(or How to make sure your Pentest Report is never empty)

Course Description

This workshop was formerly held in closed environments for government contractors, companies and other organizations and is now available at conferences and the like. This comprehensive hands-on no-bullshit guide through the crazy world of HTML and its satellite technologies will give a very detailed overview of the current attack landscape.

  • Did you know that CSS3 can function as an XSS filter and steal session tokens?
  • Did you know that copy & paste from an Office document is completely unsafe?
  • Did you know that you have a SOP violation whenever you can control the first byte of an HTML document?

The focus of this workshop will be on the offensive parts of HTML: the nasty and undocumented stuff, dozens of new attack techniques straight from the laboratory of horrors of those maintaining the HTML5 Security Cheatsheet... and it will even cover the defence parts necessary to protect one's fine web-applications.

We'll learn how to attack any web-application with either legacy madness - or the half-baked results coming to your browser from the meth-labs of W3C and WHATWG without you even knowing it. Whether you want to attack classic web-apps or shiny Chrome Packaged Apps - you'll not be disappointed. Whoever likes crazy HTML, CSS and JavaScript will enjoy and benefit from this workshop. A bit of knowledge of either of those is required; rocket scientists and adepts will be satisfied equally.

Wed. 23 - Fri. 25 April (09:00 - 17:00)
