Honeypots, Cybercompetitions, and Bug Bounties

  1. Honeypots, Cybercompetitions, and Bug Bounties • Oct 1, 2016 • Sam Bowne • City College San Francisco • All materials available at
  2. Violent Python • Step-by-step project • Challenges • No instructions • Increasing difficulty • ty @mqaissaunee
  3. April 2014: Heartbleed
  4. Vulnerable Android Devices
  5. A Job from One Tweet
  6. Exploit Development Class
  7. CNIT 127: Exploit Development
  8. Buffer Overflow Vulnerability • Input of more than 1024 bytes will overflow the buffer
  9. DoS Exploit
  10. Nonrepeating Pattern
  11. Gnu Debugger
  12. Generate Shellcode with msfvenom
  13. Construct Exploit
  14. The Stack Frame • The last word is the return value • Must jump into the NOP sled
  15. Listening Shell
  16. Pwnage Remote Code Execution
  17. PHP Shell
  18. Tripwire
  19. Complete Report
  20. Simple Violations Log
  21. Vulnerability Disclosure
  22. • ty @bugcrowd
  23. Hacked by Anonsec
  24. XSS
  25. Rooted My Server
  26. Rooted Twice the Same Way • My first attempt to patch the vulnerability failed • With the help of a student, I got my kernel updated after this
  27. Stealing My Password • Shoulder surfing • samspw
  28. CTFs
  29. How to Start 1. PicoCTF 2. EasyCTF 3. CTFTime
  30. • Many levels, from very easy to very hard • Complete walkthroughs
  31. Graphical Gameboard
  32. • 1 week long • Many easy problems, but also hard ones • Sign up to hear about other easy CTFs
  33. Write-Ups
  34. Find CTFs
  35. Walk-Throughs!
  36. Hacking Club
  37. Remote Speakers • Projector, webcam, Skype, speakers • Two talks from professional penetration testers
  38. Student Contributions • Cleaning up the lab to make an inviting hangout space • Bridging to the CCSF_Coders club • Technical expertise from Google vuln labs • Hacker contacts from Defcon, etc.
  39. Hacking Lab Free Fire Zone
  40. Signs on Wall
  41. Keylogger • One student wrote a Python keylogger and installed it on the lab machines
  42. Internships
  43. Employers • OpenDNS • NASA Ames • Lawrence Berkeley Lab • San Francisco Housing Authority • UCSF Medical Center
  44. Job Fair • Students bring resumes at first (and only) class meeting • Employers describe jobs and grab applicants on the spot • Everyone welcome, including ex-students, students from the Computer Science department, students not enrolled in the internship class
  45. Administrative Resistance • CCSF administrators cancelled the entire program in Spring 2015 • I only saved it by appealing directly to the Chancellor and threatening to resign • However, the person who cancelled it is now the Chancellor
  46. Administrative Resistance • The new curriculum review process doesn't allow any class without lectures, textbook, final exam, etc. • This blocks seminar classes and Internship classes • The solution is to just break the rules--this is what tenure is for
  47. Guest Speakers • At least one per class per semester • "Careers" class consisting of visiting industry speakers