From BruCON 2015
Jump to: navigation, search
(Assessing and Exploiting Web Apps with SamuraiWTF by John Sawyer)
m (Protected "Training Web" ([Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite)))
 
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
=Assessing and Exploiting Web Apps with SamuraiWTF by John Sawyer=
 
=Assessing and Exploiting Web Apps with SamuraiWTF by John Sawyer=
<!--In the professional information security world, there has yet to be a course which provides the
 
students the knowledge and skills to carry out a real world attack. Traditional penetration
 
testing courses impart only a limited view of the exposure and vulnerabilities companies suffer
 
from. Traditional classes are generally focused on standard scanner, framework and tool usage
 
as well as techniques for collecting “shells” on target systems. In contrast, this course is
 
designed to teach its students how to plan and execute a successful attack against a target,
 
using the same techniques and mindsets that real attackers use.
 
  
Attack Research will bring a unique approach to penetration testing, using deep system
+
=Course Abstract=
knowledge and lesser-known techniques that will arm the student with true offensive
+
Come take the official Samurai-WTF (Web Testing Framework) training course given by one of the founders
capabilities. This class is designed to help students think past the need for known exploits.
+
and lead developers of the project! You will learn the latest Samurai-WTF open source tools and the
Alternating between hands-on exercises and lectures the students will walk away with having
+
latest manual techniques to perform an end-to-end penetration test. After a quick overview of pen testing
been given the chance to utilize the new skills that they will learn. A virtual target network will
+
methodology, the instructors will lead you through the process of testing and exploiting web applications,
be provided, along with all of the software needed to participate in the labs.
+
including client side attacks using flaws within the application. We’ll introduce you to the best open source
 +
tools currently available, and teach you how these tools integrate with the manual testing techniques. One
 +
of the major goals in this course is teaching you the glue that keeps all these techniques and tools together to
 +
successfully perform a pentest from beginning to end, which is overlooked in most web pentesting courses.
  
The first day of the class will cover the basic, core skill sets, that are needed to be successful in
+
The majority of the course will be performing an instructor lead, hands-on penetration test. We don’t give
an offensive operation. These skills are the foundation for being able to handle and evade a
+
you a list of overly simplistic steps to go an do in the corner. Instead, at each stage of the test we present the
large array of technical defensive measures which the student may experience when attacking
+
goals that each testing task is to accomplish and perform pentest along with you on the projector while you
sophisticated environments. The Metasploit Framework will be used as a development
+
are doing it on your own machine. Primary emphasis of these instructor lead exercises is how to integrate
platform for building custom tools and launching specialized attacks.
+
these tools into your own manual testing procedures to improve your overall workflow. At the end of course,
 +
you will be challenged with a capture the flag event to apply your new skills and knowledge. We will also
 +
send you home with several additional vulnerable web apps to practice your new skills at your own pace and
 +
experiment with your favorite new tools. This experience will help you gain the confidence and knowledge
 +
necessary to perform web application assessments and expose you to the wealth of freely available, open
 +
source tools.
  
In the second day, our attention will turn to the initial target exploitation and lateral
+
==Course Objectives==
movement. The students will learn how to gain persistence and deep footholds into an
+
# Attendees will be able to explain the steps and methodology used in performing web application assessments and penetration tests.
organizations network. We will focus heavily on the persistence and post exploitation
+
# Attendees will be able to use the free and open source tools on the Samurai-WTF CD to discover and identify vulnerabilities in web applications.
techniques that have been perfected by the Attack Research team. At the end of this day
+
# Attendees will be able to exploit several client-side and server-side vulnerabilities.
students will have a strong understanding of how to get into a network and then stay in.
 
The third day will focus on deeply penetrating a Unix environment which is designed to emulate
 
common corporate setups. Many penetration testing classes focus on Windows based
 
methodologies and attacks, neglecting the wide array of Unix scenarios that may be
 
encountered in the real world. After the third day the students will not only be capable of
 
taking over a Windows domain, but they will also be able to compromise Unix domains as well.
 
Some of the techniques covered in the Unix domain are also applicable to mobile devices.
 
  
Students will test all of the skills they have gained in the course against a virtual network
+
==Course Prerequisites==
specially designed for the class. The labs will be interwoven into the lecture so that students
+
A basic understanding of web application vulnerabilities and attacks is assumed. This course will focus on use of the tools and their integration into your manual testing procedures, not the theories behind the attacks. This course is designed for novice to intermediate level security professionals, be they developers, managers, or penetration testers.
will receive a significant amount of time practically exercising these new skills as they learn. By
 
the end of the class students will have spent roughly 50% of the time in a lab environment.
 
  
===Technical Requirements and prerequisites===
+
==Resources You Are Responsible to Bring==
Student machines must be able to run at least 2 virtual machines utilizing either: VMWare
+
# Latest VMware Player, VMware Workstation, VWware Fusion installed. (Other virtualization software such as Parallels or VirtualBox will probably work if the attendee is familiar with its functionality, however VMware Player should be prepared as a backup just in case.)
Workstation (which can be obtained through a demo license) or Virtual Box. This usually means
+
# Ability to disable all security software on their laptop such as Antivirus and/or firewalls
at least 4 gig’s of memory is needed.
+
# At least twenty (20) GB of hard drive space
 +
# At least four (4) GB of RAM
  
Student laptops must be running either OSX, Linux, or Windows and they must have the ability
+
==Resources Provided at the Course==
to disable all antivirus on the machine. You must have administrative access on your machine as
+
# Power for your laptop
well for sniffing traffic, adjusting firewalls, etc, etc.
+
# Internet connectivity may or may not be available depending on the facility hosting the course
 +
# ISO of the latest Samurai-WTF release
 +
# PDF version of the course slide deck
  
Students must have:
+
==Concepts and Tools Covered==
* a concept of scripting languages such as Python/Perl/Ruby
+
* Samurai-WTF project and distribution
* A medium level of systems administration on a Windows or Linux machine (Windows preferable but not a must)
+
** About the project
* Student’s laptop must be capable of running the Metasploit software
+
** Using the Live-DVD
 +
** Joining the project
 +
* Testing methodology overview
 +
* Introduction to our testing targets
 +
* Reconnaissance techniques and tools
 +
* Hands-on WHOIS and DNS techniques
 +
** Google hacking and social networks
 +
** Next Generation Recon
 +
** Hands-on Recon-ng usage and tricks
 +
* Mapping web applications techniques and tools
 +
** Hands-on nmap basic and NSE scans for web apps
 +
** Hands-on nmap optimization for web apps on large networks
 +
** Hands-on Zenmap usage
 +
** Hands-on interception proxy usage (Zed Attack Proxy)
 +
** Hands-on browser proxy and SSL configurations for ZAP
 +
** Hands-on request/response mapping and baseline techniques
 +
** Hands-on technology fingerprinting techniques
 +
** Hands-on functional analysis techniques
 +
** Hands-on process flow modeling techniques
 +
** Hands-on FireFox extensions (Wappalyzer, FoxyProxy, Firebug)
 +
* Vulnerability Discovery Techniques and Tools
 +
** Hands-on default configuration testing techniques
 +
** Hands-on default configuration scanning (Nikto, ZAP Scan)
 +
** Hands-on unlinked resource fuzzing (ZAP Force Browse, Raft)
 +
** Hands-on useragent fuzzing (User Agent Switcher, ZAP Fuzzer)
 +
** Hands-on unlinked resource fuzzing (DirBuster)
 +
** Hands-on authentication testing techniques
 +
** Hands-on account lockout testing (iMacro)
 +
** Hands-on password fuzzing (ZAP Fuzzer, CeWL)
 +
** Hands-on session management testing techniques
 +
** Hands-on session token testing (ZAP TokenGen)
 +
** Hands-on session token testing (Burp Sequencer)
 +
** Hands-on authorization testing techniques
 +
** Hands-on injection testing techniques
 +
** Hands-on automated vulnerability scanning (ZAP Scanner)
 +
** Hands-on automated vulnerability scanning (w3af)
 +
** Business logic testing techniques
 +
** Denial of service (DOS) testing techniques
 +
** Hands-on client-side code testing techniques
 +
** Hands-on flash disassembly (flare)
 +
* Exploitation Techniques and Tools
 +
** Hands-on session hijacking
 +
** Hands-on dumping databases via SQL Injection (sqlmap)
 +
** Hands-on shells via RFI vulnerabilities (Laudanum)
 +
** Hands-on client side attacks via XSS (BeEF)
 +
* Testing Web Services
 +
** Hands-on SOAP testing techniques
 +
** Hands-on reading WSDLs and making SOAP requests (SoapUI)
 +
** Hands-on fuzzing SOAP requests (ZAP Fuzzer)
 +
* Student Challenge (aka Capture the Flag)
 +
** Finding flags during mapping
 +
** Finding flags during discovery
 +
** Finding flags during exploitation
 +
* Conclusions
  
===Detailed Agenda===
+
''Wed. 23 - Fri. 25 April (09:00 - 17:00)''
 
 
'''Day 1'''
 
* intros
 
* schedule & venue
 
* class setup
 
* class overview / philosophy
 
* Metasploit Tutorial
 
** msf background / history
 
** core components/meterpreter
 
** Multihandler
 
** auxiliary modules / scanners
 
** exploits & payloads
 
* recon activities
 
 
 
'''Day 2'''
 
* Initial Penetration
 
** Web / sqli
 
** Social Engineering
 
** File format attacks
 
** Java applet
 
** Physical & Hardware
 
* Post Exploitation
 
** Command & Control
 
** Persistence
 
** Stealth
 
** PSP Evasion
 
** Cleanup
 
** Data Exfiltration Strategies
 
 
 
'''Day 3'''
 
* Unix Domain Takeover
 
** Unix Intro
 
** NFS
 
** Authentication Systems
 
** Kerberos
 
** SSH
 
* Windows Domain Takeover
 
** Lateral Movement
 
** SMB
 
*** WPAD
 
*** SMBRELAY
 
* Insecure Services
 
* Privilege Escalation
 
* RDP/VNC/Sethc
 
* Authentication Abuse
 
** Hashes and Passwords
 
** Token Hijacking
 
* Domain Enumeration
 
 
 
=Trainer Biography=
 
[[File:Attack-Research-Logo.jpg|190px|thumb|left]] '''Russ Gideon''' has many years of experience in information security fulfilling many diverse roles from
 
being a core component of an Incident Response operation to managing an effective Red Team.
 
Russ excels both at malware reverse engineering, which enables him to deeply understand how
 
the attackers do what they do, as well as at high end Red Teaming where he has to penetrate
 
sophisticated and well protected high value systems. Russ currently serves as the Director of
 
Malware Research at Attack Research, LLC.
 
 
 
More information is available on [http://carnal0wnage.attackresearch.com carnal0wnage]
 
 
 
[[Image:300px-twitter-icon.jpg|17px]] [https://twitter.com/#!/attackresearch @attackresearch]
 
 
 
[http://www.attackresearch.com http://www.attackresearch.com]
 
 
 
[[File:Attack-Research-Logo.jpg|190px|thumb|left]] '''Dave Sayre''' has worked in the computer security area for the past ten years. He has specialized in reverse engineering, malware research, and penetration testing. He is currently a researcher at Attack Research.  Dave specializes on *nix systems and enjoys figuring out how to abuse various trust relations between *nix systems.-->
 
 
 
<br><br><br><br><br><br><br><br><br><br><br>
 
''23 - 25 April (09:00 - 17:00)''
 
  
 
[[File:Register.jpg||link=https://registration.brucon.org/training-registration/]]
 
[[File:Register.jpg||link=https://registration.brucon.org/training-registration/]]
  
 
[[Training|Back to Training Overview]]
 
[[Training|Back to Training Overview]]

Latest revision as of 08:18, 28 January 2014

Assessing and Exploiting Web Apps with SamuraiWTF by John Sawyer

Course Abstract

Come take the official Samurai-WTF (Web Testing Framework) training course given by one of the founders and lead developers of the project! You will learn the latest Samurai-WTF open source tools and the latest manual techniques to perform an end-to-end penetration test. After a quick overview of pen testing methodology, the instructors will lead you through the process of testing and exploiting web applications, including client side attacks using flaws within the application. We’ll introduce you to the best open source tools currently available, and teach you how these tools integrate with the manual testing techniques. One of the major goals in this course is teaching you the glue that keeps all these techniques and tools together to successfully perform a pentest from beginning to end, which is overlooked in most web pentesting courses.

The majority of the course will be performing an instructor lead, hands-on penetration test. We don’t give you a list of overly simplistic steps to go an do in the corner. Instead, at each stage of the test we present the goals that each testing task is to accomplish and perform pentest along with you on the projector while you are doing it on your own machine. Primary emphasis of these instructor lead exercises is how to integrate these tools into your own manual testing procedures to improve your overall workflow. At the end of course, you will be challenged with a capture the flag event to apply your new skills and knowledge. We will also send you home with several additional vulnerable web apps to practice your new skills at your own pace and experiment with your favorite new tools. This experience will help you gain the confidence and knowledge necessary to perform web application assessments and expose you to the wealth of freely available, open source tools.

Course Objectives

  1. Attendees will be able to explain the steps and methodology used in performing web application assessments and penetration tests.
  2. Attendees will be able to use the free and open source tools on the Samurai-WTF CD to discover and identify vulnerabilities in web applications.
  3. Attendees will be able to exploit several client-side and server-side vulnerabilities.

Course Prerequisites

A basic understanding of web application vulnerabilities and attacks is assumed. This course will focus on use of the tools and their integration into your manual testing procedures, not the theories behind the attacks. This course is designed for novice to intermediate level security professionals, be they developers, managers, or penetration testers.

Resources You Are Responsible to Bring

  1. Latest VMware Player, VMware Workstation, VWware Fusion installed. (Other virtualization software such as Parallels or VirtualBox will probably work if the attendee is familiar with its functionality, however VMware Player should be prepared as a backup just in case.)
  2. Ability to disable all security software on their laptop such as Antivirus and/or firewalls
  3. At least twenty (20) GB of hard drive space
  4. At least four (4) GB of RAM

Resources Provided at the Course

  1. Power for your laptop
  2. Internet connectivity may or may not be available depending on the facility hosting the course
  3. ISO of the latest Samurai-WTF release
  4. PDF version of the course slide deck

Concepts and Tools Covered

  • Samurai-WTF project and distribution
    • About the project
    • Using the Live-DVD
    • Joining the project
  • Testing methodology overview
  • Introduction to our testing targets
  • Reconnaissance techniques and tools
  • Hands-on WHOIS and DNS techniques
    • Google hacking and social networks
    • Next Generation Recon
    • Hands-on Recon-ng usage and tricks
  • Mapping web applications techniques and tools
    • Hands-on nmap basic and NSE scans for web apps
    • Hands-on nmap optimization for web apps on large networks
    • Hands-on Zenmap usage
    • Hands-on interception proxy usage (Zed Attack Proxy)
    • Hands-on browser proxy and SSL configurations for ZAP
    • Hands-on request/response mapping and baseline techniques
    • Hands-on technology fingerprinting techniques
    • Hands-on functional analysis techniques
    • Hands-on process flow modeling techniques
    • Hands-on FireFox extensions (Wappalyzer, FoxyProxy, Firebug)
  • Vulnerability Discovery Techniques and Tools
    • Hands-on default configuration testing techniques
    • Hands-on default configuration scanning (Nikto, ZAP Scan)
    • Hands-on unlinked resource fuzzing (ZAP Force Browse, Raft)
    • Hands-on useragent fuzzing (User Agent Switcher, ZAP Fuzzer)
    • Hands-on unlinked resource fuzzing (DirBuster)
    • Hands-on authentication testing techniques
    • Hands-on account lockout testing (iMacro)
    • Hands-on password fuzzing (ZAP Fuzzer, CeWL)
    • Hands-on session management testing techniques
    • Hands-on session token testing (ZAP TokenGen)
    • Hands-on session token testing (Burp Sequencer)
    • Hands-on authorization testing techniques
    • Hands-on injection testing techniques
    • Hands-on automated vulnerability scanning (ZAP Scanner)
    • Hands-on automated vulnerability scanning (w3af)
    • Business logic testing techniques
    • Denial of service (DOS) testing techniques
    • Hands-on client-side code testing techniques
    • Hands-on flash disassembly (flare)
  • Exploitation Techniques and Tools
    • Hands-on session hijacking
    • Hands-on dumping databases via SQL Injection (sqlmap)
    • Hands-on shells via RFI vulnerabilities (Laudanum)
    • Hands-on client side attacks via XSS (BeEF)
  • Testing Web Services
    • Hands-on SOAP testing techniques
    • Hands-on reading WSDLs and making SOAP requests (SoapUI)
    • Hands-on fuzzing SOAP requests (ZAP Fuzzer)
  • Student Challenge (aka Capture the Flag)
    • Finding flags during mapping
    • Finding flags during discovery
    • Finding flags during exploitation
  • Conclusions

Wed. 23 - Fri. 25 April (09:00 - 17:00)

Register.jpg

Back to Training Overview