What You’ll Find in the SANS SEC760 Advanced Exploit Development for Penetration Testers Labs
SANS SEC760: Advanced Exploit Development for Penetration Testers Labs
Vulnerabilities in modern operating systems such as Microsoft Windows 10 and the latest Linux distributions are often very complex and subtle. When exploited by very skilled attackers, these vulnerabilities can undermine an organization’s defenses and expose it to significant damage. Few security professionals have the skillset to discover why a complex vulnerability exists and how to write an exploit to compromise it. Conversely, attackers must maintain this skillset regardless of the increased complexity. SEC760: Advanced Exploit Development for Penetration Testers teaches the skills required to reverse-engineer 32-bit and 64-bit applications to find vulnerabilities, perform remote user application and kernel debugging, analyze patches for one-day exploits, and write complex exploits such as use-after-free attacks against modern software and operating systems.
You Will Learn:
How to write modern exploits against the Windows 7/8/10 operating systems
How to perform complex attacks such as use-after-free, kernel and driver exploitation, one-day exploitation through patch analysis, and other advanced attacks
How to effectively utilize various debuggers and plug-ins to improve vulnerability research and speed
How to deal with modern exploit mitigation controls aimed at thwarting success
Course Syllabus
SEC760.1: Exploit Mitigations and Reversing with IDA
SEC760.2: Linux Application Exploitation
Overview
The ability to progress into more advanced reversing and exploitation requires an expert-level understanding of basic software vulnerabilities, such as those covered in SANS’ SEC660 course. Heap overflows serve as a rite of passage into modern exploitation techniques. This day is aimed at bridging this knowledge gap in order to encourage thinking in a more abstract manner, which is necessary to continue further with the course. Linux can often be an easier operating system on which to learn these techniques, serving as a productive gateway into Windows. Most courses on exploit development focus purely on the Windows OS, and it is important to have an understanding of vulnerability research on the Linux OS as well.
CPE/CMU Credit: 8
Topics
Linux heap management, constructs, and environment
Navigating the heap
Abusing macros such as unlink() and frontlink()
Function pointer overwrites
Format string exploitation
Defeating Linux exploit mitigation controls
Using IDA remote debugging for Linux application exploitation
Using format string bugs for ASLR bypass
Overview
Attackers often download patches as soon as they are distributed by vendors such as Microsoft in order to find newly patched vulnerabilities. Vulnerabilities are usually disclosed privately, or even discovered in-house, allowing the vendor to patch the vulnerability more silently. This also allows the vendor to release limited or even no details at all about a patched vulnerability. Attackers are aware of this and quickly work to find the patched vulnerability in order to take control of unpatched systems, as many organizations struggle with getting patches out quickly. Binary diffing and patch diffing are also performed by incident handlers, IDS administrators and vendors, vulnerability and penetration testing framework companies, government entities, and others. You will use the material covered on this day to identify bugs patched by Microsoft, taking some of them through to exploitation. We will also focus on using Return Oriented Programming (ROP) to string together gadgets that emulate shellcode.
CPE/CMU Credit: 8
Topics
The Microsoft patch management process and Patch Tuesday
Obtaining patches and patch extraction
Binary diffing with BinDiff 5
Visualizing code changes and identifying fixes
Reversing 32-bit and 64-bit applications and modules
Triggering patched vulnerabilities
Writing one-day exploits
Using ROP to compile shellcode on the fly (Return-Oriented Shellcode)
Overview
The Windows kernel is complex and intimidating, so this day aims to help you understand the Windows kernel and the various exploit mitigations added in recent versions. You will learn how the kernel works with drivers to communicate with devices and how some functionality can be exposed to user mode, often insecurely! You will perform kernel debugging on Windows 10 and learn to deal with its inherent complexities. Exercises will be performed to analyze Ring 0 driver vulnerabilities, look at exploitation techniques, and get working exploits.
CPE/CMU Credit: 8
Topics
Understanding the Windows kernel
Navigating the Windows kernel
Modern kernel protections
Debugging the Windows 10 kernel and drivers
WinDbg
Analyzing kernel vulnerabilities and vulnerability types
Kernel exploitation techniques
Token stealing and information disclosure vulnerabilities
Overview
The focus of this day is on the advanced exploitation of applications running on the Windows OS. For many years now memory corruption bugs have been the de facto standard when it comes to exploiting Windows applications. Examples include Use After Free (UAF) and Type Confusion bugs. Many of these vulnerabilities exist due to the complexities of large C++ applications, such as object tracking and dynamic memory management. In this section we focus on these types of application vulnerabilities on the Windows 7, 8, and 10 operating systems.
CPE/CMU Credit: 8
Topics
Windows heap management, constructs, and environment
Understanding the low fragmentation heap
Browser-based and client-side exploitation
Understanding C++ vftable/vtable behavior
Use-After-Free attacks and dangling pointers
Avoiding protections such as MemGC and Isolated Heap
Dealing with ASLR, DEP, and other common exploit mitigation controls
Overview
Day six will serve as a Capture-the-Flag event utilizing different types of challenges from material taught throughout the week. Test your reverse-engineering, bug discovery, and exploit-writing skills in a full day of Capture-the-Flag exercises!
CPE/CMU Credit: 6
Additional Information
Laptop Required
You will need to bring VMware to run multiple operating systems when performing class exercises. All necessary virtual machines with all necessary tools will be provided on the first day of the course, including Windows 10, various Linux distributions, and a 2-month license for IDA Pro with the option of purchasing it through Hex-Rays at a discounted price. There are some labs where the OS and application configuration are very specific. For these labs you will use RDP to connect to virtual machines residing on the in-class network. You will not be able to take these systems home, but you are given the details required to recreate them at home if you are able to obtain the specific OS and/or application builds.
Make sure that you have the administrative ability to disable all security software and protections, including antivirus and personal firewalls on your host OS, if they cause connectivity issues between virtual machine guests. You may not be able to complete the exercises without this level of control. In addition, make sure that you can install software that may be blocked by administrative or security controls due to its nature. You will need to be able to install the Windows debugging tools on your host OS for Windows kernel debugging over a network connection. A Windows 10 host is recommended. If your host is Mac OS or a Linux distribution you are required to bring a Windows 10 guest VM with you.
Adherence to the following requirements is mandatory:
A minimum of 16GB of RAM.
VMware Workstation, Fusion, or Player. A 30-day free trial is available at http://www.vmware.com. VMware will send you a time-limited serial number if you register for the trial on its website. VirtualBox is also acceptable, though not fully tested.
100 GB of free hard disk space to hold VMs.
64-bit Intel i5/i7 2.0+ GHz processor
A two-month license for IDA Pro is included with this course. During registration you must agree to the terms under which your name and an e-mail address are provided to Hex-Rays in order to obtain the license. If you choose to opt out, then you must bring a copy of IDA Pro 7.4 advanced or later.
If you have additional questions about the laptop specifications, please contact [email protected].
Senior network and system penetration testers with exploit development experience
Secure application developers (C and C++)
Reverse-engineering professionals
Senior incident handlers with exploit development experience
Senior threat analysts with exploit development experience
Vulnerability researchers
Security researchers
It is mandatory that students have previous exploit-writing experience using techniques such as those covered in SANS SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking. This includes experience with stack-based buffer overflows on both Linux and Windows, as well as experience defeating modern exploit mitigation controls such as Data Execution Prevention, Address Space Layout Randomization, canaries, and SafeSEH. Experience with, or an understanding of, fuzzing tools such as AFL, the Sulley Fuzzing Framework, and Peach is required. Programming experience is important, ideally with C/C++. At a minimum, scripting experience in a language such as Python, Perl, Ruby, or Lua is mandatory. Programming fundamentals such as functions, pointers, calling conventions, structures, polymorphism, and classes will be assumed knowledge. Experience with reverse-engineering vulnerable code is also required, as is the ability to read x86/x64 disassembly from within a debugger or disassembler. ARM and MIPS are not covered in this course. Experience with both Linux and Windows navigation is required. If you do not meet these requirements you may not be able to keep up with the pace of the course.
Courses that lead in to SEC760:
SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking
FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
Courses that are prerequisites for SEC760:
SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking
SEC760 is a very challenging course covering topics such as remote debugging with IDA, writing IDA Python and IDC scripts, Linux heap overflows, patch diffing, use-after-free attacks, Windows kernel debugging and exploitation, and much more. Please see the course syllabus for a detailed listing, and be sure to check the recommended prerequisites and laptop requirements. You are expected to already know how to write exploits for Windows and Linux applications, bypass exploit mitigation controls such as DEP and ASLR, and utilize return-oriented programming (ROP).
SANS gets a lot of questions about this course. Am I ready for SEC760? Should I take SEC660 first? I have taken SEC660, but am I definitely ready for SEC760? I have taken SEC560, so can I jump right to SEC760 if I only want the exploit development material? I have not taken any SANS pen testing courses, so which one should I start with? I have taken a course through Offensive Security or Corelan; is the material the same?
There is no “one size fits all” answer to these questions, as everyone has a different level of experience. SANS’ advice is to thoroughly read through the course syllabus and prerequisite statements for any course you are considering. Course co-author Stephen Sims is available to answer any questions you may have about the subject matter in order to help you make an informed decision. You can reach him at [email protected]
SANS has prepared a ten-question exam that will help you determine whether you are better suited for SEC660 or SEC760. Remember that this is purely from an exploit development perspective. SEC660 includes a two-day introduction to exploit development and bypassing exploit mitigation controls. Much of the other material in SEC660 covers a wide range of advanced penetration testing topics such as network device exploitation (routers, switches, network access control), pen testing cryptographic implementations, fuzzing, Python, network booting attacks, and escaping Linux and Windows restricted environments. Many SEC760 students have taken training from Offensive Security, Exodus Intelligence, Corelan, and others. Though there will certainly be overlap in some sections, there are many unique sections without overlap, and students often say the courses complement one another.
Perform labs to reverse-engineer Microsoft patches to identify the patched vulnerability and take the patches through to exploitation
Perform use-after-free exploit labs against popular web browsers
Remote-debug both Linux and Windows applications, and debug the Windows 10 kernel
Exploit Linux heap overflows
Bypass modern exploit mitigations
Write your own IDA Python scripts
Navigate the Windows front-end (LFH) and back-end heap allocators
Debug drivers
A two-month license for IDA Pro, which is provided by Hex-Rays, is included in this course. In order to obtain the license, you must agree to the terms, including providing your name and an e-mail address, so that Hex-Rays may assign the license. After the course ends, students may choose to extend the license at a discounted rate by contacting Hex-Rays. (If you choose to opt out, then you must bring a copy of IDA Pro 7.4 advanced or later.)
Various preconfigured virtual machines, such as Windows 10.
Various tools on a course USB that are required for use in class.
Access to the in-class Virtual Training Lab with many in-depth labs.
Access to recorded course audio to help hammer home important network penetration testing lessons.
Discover zero-day vulnerabilities in programs running on fully patched modern operating systems
Use the advanced features of IDA Pro and write your own IDA Python scripts
Perform remote debugging of Linux and Windows applications
Understand and exploit Linux heap overflows
Write Return-Oriented Shellcode
Perform patch diffing against programs, libraries, and drivers to find patched vulnerabilities
Perform Windows heap overflows and use-after-free attacks
Perform Windows kernel debugging up through Windows 10 64-bit Build 1903
Perform Windows driver and kernel exploitation
“SEC760 is a kind of training we could not get anywhere else. It is not theory, we got to implement and exploit everything we learned.” – Jenny Kitaichit, Intel
“I’ve taken many other advanced exploit dev classes and none of them break it down and step through the exploits like this class.” – Adam Logue, SecureWorks
Author Statement
“As a perpetual student of information security, I am excited to offer SEC760: Advanced Exploit Writing for Penetration Testers. Exploit development is a hot topic and will continue to increase in importance moving forward. With all of the modern exploit mitigation controls offered by operating systems such as Windows 10, the number of experts with the skills to produce working exploits is highly limited. More and more companies are looking to hire professionals with the ability to discover vulnerabilities, determine if those vulnerabilities are exploitable, and carry out general security research. This course was written to help you get into these highly sought-after positions and to teach you cutting-edge tricks to thoroughly evaluate a target, providing you with the skills to improve your exploit development.”
– Stephen Sims
“Teaching and helping author SEC760: Advanced Exploit Writing for Penetration Testers has given me the opportunity to distill my past experiences in exploit writing and technical systems knowledge into a format worth sharing. This course is meant to give you a look into a number of different exploitation techniques and serves as an amazing jumping-off point for exploitation of any modern application or system. Even if you don’t plan on having a career in exploit writing or vulnerability research, this course will be valuable in understanding the thought process that goes into constructing an exploit and what technologies exist to stop an exploit writer from being successful.”
– Jaime Geiger
Additional Resources
Take your learning beyond the classroom. Explore our website community for additional resources related to this course’s subject matter.