PLAY,LEARN AND HACK
Presented by
Heba Hamdy Farahat
Information Security Consultant, SecureMisr
IFSEC Global Influencer in Security & Fire 2019 - #3 in the Young Professionals category
WHOAMI
• Information Security Consultant, SecureMisr
• One of three finalists in the Women in Cybersecurity Awards, “New Comers” category, ISW
Conference’19, Vienna
• “Top Influencers in Security & Fire” for 2019. Ranked #3 in the Young Professionals /
Ones-to-Watch category
• Recent certifications: OSCP and eWPT
• https://www.linkedin.com/in/heba-hamdy-farahat-5501595b/
AGENDA
• Introduction to cybersecurity
• Famous data breaches
• How to start in cybersecurity
• What is a CTF
• CTF types
• CTF resources
• CTF demo “Let’s play CTF together ;)”
HOW MANY WAYS CAN A THIEF
STEAL THIS CAR?
EVERYTHING & EVERYONE CAN BE HACKED
DATA BREACHES
FACEBOOK ADMITS CYBER ATTACK MAY
HAVE EXPOSED INFO FROM 50 MILLION
ACCOUNTS
A vulnerability in Facebook’s code that impacted “View As”.
This allowed attackers to steal Facebook access tokens which they could then use to take over
people’s accounts![*]
[*] Reference:
https://newsroom.fb.com/news/2018/09/security-update/
TWITTER CEO AND CO-FOUNDER JACK DORSEY
HAS ACCOUNT HACKED[*]
[*]Reference: https://www.wired.com/story/jack-dorsey-twitter-hacked/
IOT ATTACKS
THE MIRAI BOTNET (AKA DYN ATTACK)
The largest DDoS attack ever was launched on service provider Dyn
Reference: https://www.youtube.com/watch?v=UMTTaMPJ8fc
HUMAN HEART CAN BE HACKED
What can hackers do?
Gain access
Disable some functions
Or even stop the device!
Reference: https://www.newsmax.com/Health/health-news/heart-pacemaker-device-hack/2018/03/15/id/848918/
Have you been hacked also?
WHAT ABOUT YOU?
https://haveibeenpwned.com/
HOW TO START IN CYBERSECURITY ?
CYBERSECURITY FUNDAMENTALS
• Programming:
  • JavaScript, HTML, PHP, C, Python, etc.
• Network Fundamentals:
  • CCNA Routing & Switching
• Database Fundamentals
• Operating Systems Fundamentals
• Linux and Windows Administration
CORE COURSES
• Security Fundamentals
  • CEH course (no need to get certified), Security+
• Network Security Fundamentals
  • CCNA Security/CCNP Security
  • VPN, firewall, network security concepts, IPS, IDS, etc.
Information Security
Offensive security which covers all penetration testing aspects (network, web, IOT,
etc...)
Malware Analysis and Reverse Engineering
Incident handling and Digital forensics
WEB APPLICATION PENETRATION
TESTING
• How does web work? Protocols used?
• Learn about web attacks
• Practice on web attacks and make sure you understand them well
• Useful Resources:
• OWASP TOP 10
• https://www.cybrary.it/course/web-application-pen-testing/
• https://www.hacker101.com/videos
WEB APPLICATION PENETRATION
TESTING
• Resources to practice from:
• Vulnerable machines dedicated to web attacks, such as:
Web for Pentester machine
https://www.vulnhub.com/entry/pentester-lab-web-for-pentester,71/
• DVWA (Damn Vulnerable Web Application)
• CTF websites: covered in detail later
NETWORK PENETRATION TESTING
• Hackthebox
• Vulnhub
• Certification: OSCP ( has market value)
DIGITAL FORENSICS AND INCIDENT
RESPONSE
• Reference: SANS 500 & 504 & 508
• Note: digital forensics in the real world is quite different from CTFs
REVERSE ENGINEERING
• Prerequisites before starting to study reverse engineering:
Basic programming knowledge (preferably C++) - Basic understanding of data
structures (stack)
• Malware unicorn – Reverse Engineer at Facebook:
https://malwareunicorn.org/workshops/re101.html#1
https://malwareunicorn.org/workshops/re102.html#0
• References: Practical Malware Analysis (Great start)
• CTF:
• http://reversing.kr/
• http://flare-on.com/
WHAT IS A CTF?
• CTF (Capture The Flag)
• A kind of information security competition that challenges contestants to solve a
variety of tasks with different difficulty levels (easy → hard)
CTFS(CAPTURE THE FLAG)
• “Knowing is not enough; we must apply. Willing is not enough; we must do.” -
Johann Wolfgang von Goethe
CTF TYPES
1. Jeopardy style CTFs
2. Attack/Defense style CTFs
JEOPARDY STYLE CTFS
Jeopardy style CTFs challenges are typically divided into categories:
• Cryptography - Typically involves decrypting or encrypting a piece of data
• Forensics - Consists of investigating and analyzing some type of data, such as network
captures (.pcap), core dumps or hard drives.
• Steganography - Tasked with finding information hidden in files or images
References:
https://dev.to/atan/what-is-ctf-and-how-to-get-started-3f04
https://www.sothis.tech/en/ctf-learn-hacking-by-playing/
JEOPARDY STYLE CTFS
• Web - This type of challenge is focused on finding and exploiting vulnerabilities in the web
application such as: SQL Injection, Cross-Site Scripting (XSS), brute force, CRLF, CSRF….
• Pwn - Exploiting a server to find the flag
• Reverse Engineering - An executable binary file (BIN, EXE, ELF, APK…) is usually analyzed.
Participants must find the flag or key by decompiling the file.
• Web - Exploiting web pages to find the flag
ATTACK/DEFENSE STYLE CTFS
• These focus on either attacking an opponent's servers or defending one's own.
LEARN HACKING BY PLAYING=CTF
CTF RESOURCES& LINKS
• https://ctftime.org/ - Announces upcoming CTFs worldwide
• https://ctftime.org/writeups - CTF writeups
• There are also many CTFs that are online 24/7 and can be used as practice and
learning tools. Here are some of them:
• https://overthewire.org/wargames/bandit/ - To get familiar with Linux commands
• https://2019game.picoctf.com/problems - Yearly time-limited CTF, now available to use
as practice (my favorite one)
CTF RESOURCES& LINKS
• Root Me https://www.root-me.org/?lang=en - Site with many different types of
challenges, classified by levels.
• NACTF https://www.nactf.com/
• https://ctflearn.com - A collection of various user-submitted challenges aimed
towards newcomers
• https://github.com/apsdehal/awesome-ctf - Comprehensive list of tools and more
CTF RESOURCES& LINKS
- These aren’t really CTF-style like the other ones. They are vulnerable machines
with multiple vulnerabilities; some of these vulnerabilities are related to web
applications and others to any other vulnerable running service. They combine the
knowledge gained in web with the skills required for network penetration testing.
• Hack The Box: One of the most famous and fashionable hacking laboratories in the
world, they have machines with all kinds of operating systems and challenges with
different themes.
• VulnHub: Vulnerable virtual machines (.OVA) to download and mount on your own
computer.
THE MOST IMPORTANT RESOURCE
Hacking is about learning something on the fly and CTFs give you this skill
LET’S START GAINING MONEY
BUG BOUNTY
• Hackerone
• Hacker101 CTF to start receiving invitations to private programs
• Intigriti
• Cesppa
• Bugcrowd
• Yogosha
• Synack
HACKING CONFERENCES
• DEF CON, Las Vegas, USA
• BSides Delhi, India
• NULLCON, India
• HITB Security Conference, Amsterdam
• OWASP Seasides, India
CTF DEMO
• Let’s play CTF together ;)
• I will choose my favorite one – PICOCTF
https://2019game.picoctf.com/
CRYPTO-WARMUP
• The numbers
The flag format of PICOCTF is picoCTF{}
THE NUMBERS SOLUTION
• We see that there are exactly 7 numbers before {, so each number represents one
letter (‘P’ -> 16, ‘I’ -> 9, ‘C’ -> 3, etc.).
Aha, the rule is easy!
The letter ‘P’ is in the 16th position in the alphabet, the letter ‘I’ in the 9th, and so on.
THE NUMBERS SOLUTION
16 9 3 15 3 20 6 { 20 8 5 14 21 13 2 5 18 19 13 1 19 15 14}
P I C O C T F {T H E N U M B E R S M A S O N}
PICOCTF{THENUMBERSMASON}
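The letter-position rule from the slides, written out as an added example (not part of the original deck). The function names are hypothetical; the ciphertext is the one shown on the slide, and the decoder rejects numbers outside 1-26 instead of guessing.

```python
import re
import string

# Ciphertext exactly as shown on the slide.
CIPHERTEXT = "16 9 3 15 3 20 6 { 20 8 5 14 21 13 2 5 18 19 13 1 19 15 14}"

# A token is either a run of digits or a single non-space symbol such as { or }.
_TOKEN = re.compile(r"\d+|[^\d\s]", re.ASCII)
# Flag format stated on the slide: picoCTF{...}. Case is ignored because the
# decoded letters come out upper-case.
_FLAG = re.compile(r"picoCTF\{[^{}]+\}", re.IGNORECASE)


def decode_a1z26(ciphertext: str) -> str:
    """Map each number to the letter at that alphabet position (1 -> A, 26 -> Z).

    Symbols such as braces are copied through unchanged. A number outside
    1..26 means the text is not this encoding, so it raises ValueError.
    """
    out = []
    for tok in _TOKEN.findall(ciphertext):
        if tok.isdigit():
            n = int(tok)
            if not 1 <= n <= 26:
                raise ValueError(f"{n} is not an alphabet position")
            out.append(string.ascii_uppercase[n - 1])
        else:
            out.append(tok)
    return "".join(out)


def encode_a1z26(plaintext: str) -> str:
    """Inverse mapping, useful for checking a decode by round trip."""
    parts = []
    for ch in plaintext:
        if ch.isascii() and ch.isalpha():
            parts.append(str(ord(ch.upper()) - ord("A") + 1))
        elif not ch.isspace():
            parts.append(ch)
    return " ".join(parts)


def is_pico_flag(candidate: str) -> bool:
    """True when the whole string matches the picoCTF{...} flag format."""
    return _FLAG.fullmatch(candidate) is not None


if __name__ == "__main__":
    flag = decode_a1z26(CIPHERTEXT)
    print(flag, is_pico_flag(flag))
```
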
WEB CHALLENGES
• First of all, what is burp suite?
https://2019shell1.picoctf.com/problem/9509/
WEB CHALLENGES
How to configure burp proxy?
https://2019shell1.picoctf.com/problem/9509/
INSP3CT0R-WEB CHALLENGE
https://2019shell1.picoctf.com/problem/9509/
INSP3CT0R-WEB CHALLENGE
• Solution:
• wget -r https://2019shell1.picoctf.com/problem/9509/
OPEN TO ADMINS-WEB CHALLENGE
GOOD LUCK IN YOUR CTF :)
• Feel free to contact me through LinkedIn
https://www.linkedin.com/in/heba-hamdy-farahat-5501595b

BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
 
A Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in EducationA Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in Education
 
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
 
A Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptxA Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptx
 

Play, Learn and Hack - CTF Training

  • 1. PLAY,LEARN AND HACK Presented by Heba Hamdy Farahat Information Security Consultant, SecureMisr IFSEC Global Influencer in Security & Fire 2019- #3 in Young Professionals category-
  • 2. WHOAMI • Information Security Consultant, SecureMisr • One of three finalists, Women in Cybersecurity Awards “New Comers”, ISW Conference’19, Vienna • “Top Influencers in Security & Fire” for 2019. Ranked #3 in the Young Professionals / Ones-to-Watch category • Recent certifications: OSCP and eWPT • https://www.linkedin.com/in/heba-hamdy-farahat-5501595b/
  • 3. AGENDA • Introduction to cybersecurity • Famous data breaches • How to start in cybersecurity • What is a CTF • CTF types • CTF resources • CTF demo “Let’s play CTF together ;)”
  • 4. HOW MANY WAYS CAN A THIEF STEAL THIS CAR?
  • 5. EVERYTHING & EVERYONE CAN BE HACKED
  • 7. FACEBOOK ADMITS CYBER ATTACK MAY HAVE EXPOSED INFO FROM 50 MILLION ACCOUNTS A vulnerability in Facebook’s code that impacted “View As”. This allowed attackers to steal Facebook access tokens which they could then use to take over people’s accounts![*] [*] Reference: https://newsroom.fb.com/news/2018/09/security-update/
  • 8. TWITTER CEO AND CO-FOUNDER JACK DORSEY HAS ACCOUNT HACKED[*] [*]Reference: https://www.wired.com/story/jack-dorsey-twitter-hacked/
  • 10. THE MIRAI BOTNET (AKA DYN ATTACK) The largest DDoS attack ever was launched on service provider Dyn Reference: https://www.youtube.com/watch?v=UMTTaMPJ8fc
  • 11.
  • 12. HUMAN HEART CAN BE HACKED What can hackers do? • Gain access • Disable some functions • Or even stop the device! Reference: https://www.newsmax.com/Health/health-news/heart-pacemaker-device-hack/2018/03/15/id/848918/
  • 13. Have you been hacked also? WHAT ABOUT YOU? https://haveibeenpwned.com/
  • 14. HOW TO START IN CYBERSECURITY ?
  • 15. CYBERSECURITY FUNDAMENTALS • Programming: JavaScript, HTML, PHP, C, Python, etc. • Network Fundamentals: CCNA routing & switching • Database Fundamentals • Operating Systems Fundamentals • Linux and Windows Administration
  • 16. CORE COURSES • Security Fundamentals: CEH course (no need to get certified), Security+ • Network Security Fundamentals: CCNA Security/CCNP Security, VPN, firewall, network security concepts, IPS, IDS, etc. • Information Security • Offensive security, which covers all penetration testing aspects (network, web, IoT, etc.) • Malware Analysis and Reverse Engineering • Incident handling and Digital forensics
  • 17. WEB APPLICATION PENETRATION TESTING • How does web work? Protocols used? • Learn about web attacks • Practice on web attacks and make sure you understand them well • Useful Resources: • OWASP TOP 10 • https://www.cybrary.it/course/web-application-pen-testing/ • https://www.hacker101.com/videos
  • 18. WEB APPLICATION PENETRATION TESTING • Resources to practice from: • Vulnerable machines dedicated to web attacks, such as the Web for Pentester machine: https://www.vulnhub.com/entry/pentester-lab-web-for-pentester,71/ • DVWA (Damn Vulnerable Web Application) • CTF websites: will be mentioned in detail later
  • 19. NETWORK PENETRATION TESTING • Hackthebox • Vulnhub • Certification: OSCP (has market value)
  • 20. DIGITAL FORENSICS AND INCIDENT RESPONSE • Reference: SANS 500 & 504 & 508 • Note: digital forensics in the real world is quite different from CTFs
  • 21. REVERSE ENGINEERING • Prerequisites before starting to study reverse engineering: basic programming knowledge (preferably C++) and a basic understanding of data structures (stack) • Malware Unicorn – Reverse Engineer at Facebook: https://malwareunicorn.org/workshops/re101.html#1 https://malwareunicorn.org/workshops/re102.html#0 • References: Practical Malware Analysis (great start) • CTF: • http://reversing.kr/ • http://flare-on.com/
  • 22. WHAT IS A CTF? • CTF (Capture The Flag) • A kind of information security competition that challenges contestants to solve a variety of tasks with different difficulty levels (easy → hard)
  • 23. CTFS(CAPTURE THE FLAG) • “Knowing is not enough; we must apply. Willing is not enough; we must do.” - Johann Wolfgang von Goethe
  • 24. CTF TYPES 1. Jeopardy style CTFs 2. Attack/Defense style CTFs
  • 25. JEOPARDY STYLE CTFS Jeopardy style CTF challenges are typically divided into categories: • Cryptography - Typically involves decrypting or encrypting a piece of data • Forensics - This consists of investigating and analyzing some type of data, such as network captures (.pcap), core dumps or hard drives. • Steganography - Tasked with finding information hidden in files or images References: https://dev.to/atan/what-is-ctf-and-how-to-get-started-3f04 https://www.sothis.tech/en/ctf-learn-hacking-by-playing/
  • 26. JEOPARDY STYLE CTFS • Web - Exploiting web pages to find the flag. This type of challenge is focused on finding and exploiting vulnerabilities in the web application, such as SQL Injection, Cross-Site Scripting (XSS), brute force, CRLF, CSRF… • Pwn - Exploiting a server to find the flag • Reverse Engineering - An executable binary file (BIN, EXE, ELF, APK…) is usually analyzed. Participants must find the flag or key by decompiling the file. References: https://dev.to/atan/what-is-ctf-and-how-to-get-started-3f04 https://www.sothis.tech/en/ctf-learn-hacking-by-playing/
  • 27. ATTACK/DEFENSE STYLE CTFS • It focuses on either attacking an opponent's servers or defending one's own. References: https://dev.to/atan/what-is-ctf-and-how-to-get-started-3f04 https://www.sothis.tech/en/ctf-learn-hacking-by-playing/
  • 28. LEARN HACKING BY PLAYING=CTF
  • 30. CTF RESOURCES & LINKS • https://ctftime.org/ - Announces upcoming CTFs worldwide • https://ctftime.org/writeups - CTF writeups • There are many CTFs, however, that are online 24/7 and can be used as practice and learning tools. Here are some of them: • https://overthewire.org/wargames/bandit/ - To get familiar with Linux commands • https://2019game.picoctf.com/problems - Yearly time-limited CTF now available to use as practice (my favorite one) References: https://dev.to/atan/what-is-ctf-and-how-to-get-started-3f04 https://www.sothis.tech/en/ctf-learn-hacking-by-playing/
  • 31. CTF RESOURCES & LINKS • Root me https://www.root-me.org/?lang=en - Site with many different types of challenges, classified by levels. • NACTF https://www.nactf.com/ • https://ctflearn.com - A collection of various user-submitted challenges aimed towards newcomers • https://github.com/apsdehal/awesome-ctf - Comprehensive list of tools and more References: https://dev.to/atan/what-is-ctf-and-how-to-get-started-3f04 https://www.sothis.tech/en/ctf-learn-hacking-by-playing/
  • 32. CTF RESOURCES & LINKS - These aren’t really in a CTF style like the other ones. They are vulnerable machines with multiple vulnerabilities, some of which are related to web and others to any other vulnerable running service. This combines knowledge gained in web with the skills required to do network penetration testing. • Hack The Box: One of the most famous and fashionable hacking laboratories in the world; they have machines with all kinds of operating systems and challenges with different themes. • VulnHub: Vulnerable virtual machines (.OVA) to download and mount on your own computer. References: https://dev.to/atan/what-is-ctf-and-how-to-get-started-3f04 https://www.sothis.tech/en/ctf-learn-hacking-by-playing/
  • 33. THE MOST IMPORTANT RESOURCE Hacking is about learning something on the fly and CTFs give you this skill
  • 35. BUG BOUNTY • Hackerone • Hacker101 CTF to start receiving invitations to private programs • Intigriti • Cesppa • Bugcrowd • Yogosha • Synack
  • 36. HACKING CONFERENCES • Defcon, Las Vegas, USA • Bsides Delhi, India • NULLCON, India • HITB Security Conference, Amsterdam • OWASP Seasides, India
  • 37. CTF DEMO • Let’s play CTF together ;) • I will choose my favorite one – PICOCTF https://2019game.picoctf.com/
  • 38. CRYPTO-WARMUP • The numbers: flag format of PICOCTF is picoCTF{}
  • 39. THE NUMBERS SOLUTION • We see that there are exactly 7 numbers before {, so each number represents one letter (‘P’ -> 16, ‘I’ -> 9, ‘C’ -> 3, etc.). Aha, the rule is easy! The letter ‘P’ is in the 16th position in the alphabet, the letter ‘I’ in the 9th, and so on.
  • 40. THE NUMBERS SOLUTION 16 9 3 15 3 20 6 { 20 8 5 14 21 13 2 5 18 19 13 1 19 15 14}
  • 41. THE NUMBERS SOLUTION 16 9 3 15 3 20 6 { 20 8 5 14 21 13 2 5 18 19 13 1 19 15 14} P I C O C T F {T H E N U M B E R S M A S O N} PICOCTF{THENUMBERSMASON}
  • 42. WEB CHALLENGES • First of all, what is Burp Suite? https://2019shell1.picoctf.com/problem/9509/
  • 43. WEB CHALLENGES How to configure the Burp proxy? https://2019shell1.picoctf.com/problem/9509/
  • 45. INSP3CT0R-WEB CHALLENGE • Solution: • wget -r https://2019shell1.picoctf.com/problem/9509/
  • 46. OPEN TO ADMINS-WEB CHALLENGE
  • 47. OPEN TO ADMINS-WEB CHALLENGE
  • 48. GOOD LUCK IN YOUR CTF :) • Feel free to contact me through LinkedIn https://www.linkedin.com/in/heba-hamdy-farahat-5501595b
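
The letter-position rule worked out by hand on slides 39 to 41 can be checked mechanically. The following Python is an added example, not part of the original slides; the function names are hypothetical, and the input string is the number sequence copied from slide 40. It rejects values outside 1..26 instead of silently producing a wrong flag.

```python
import re

# Number sequence exactly as shown on slide 40 (copied here as sample input).
SLIDE_CIPHERTEXT = "16 9 3 15 3 20 6 { 20 8 5 14 21 13 2 5 18 19 13 1 19 15 14}"

# A token is a run of digits, a brace, or any other non-space character.
_TOKEN = re.compile(r"(?P<num>[0-9]+)|(?P<brace>[{}])|(?P<bad>\S)")


def decode_numbers(ciphertext: str) -> str:
    """Map each number 1..26 to its alphabet letter; braces pass through."""
    out = []
    for match in _TOKEN.finditer(ciphertext):
        kind, token = match.lastgroup, match.group()
        if kind == "brace":
            out.append(token)
        elif kind == "num":
            value = int(token)
            if not 1 <= value <= 26:
                raise ValueError(f"{value} at offset {match.start()} is not in 1..26")
            out.append(chr(ord("A") + value - 1))
        else:
            raise ValueError(f"unexpected {token!r} at offset {match.start()}")
    return "".join(out)


def encode_numbers(plaintext: str) -> str:
    """Inverse mapping, used to round-trip check a decoded flag."""
    parts = []
    for ch in plaintext.upper():
        if ch in "{}":
            parts.append(ch)
        elif "A" <= ch <= "Z":
            parts.append(str(ord(ch) - ord("A") + 1))
        else:
            raise ValueError(f"cannot encode {ch!r}")
    return " ".join(parts)


if __name__ == "__main__":
    flag = decode_numbers(SLIDE_CIPHERTEXT)
    print(flag)
    # Round trip: re-encoding and decoding must give the same flag back.
    print(decode_numbers(encode_numbers(flag)) == flag)
```
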

Editor's Notes

  1. Why do data breaches occur? “Data breaches occur through weak credentials, poor password policies, lack of multi-factor authentication, unnecessary exposure of systems and services to the internet or unpatched vulnerabilities,” said Alex Hinchliffe, threat intelligence analyst at Unit 42 - a threat research team at American cybersecurity firm Palo Alto Networks.
  2. https://newsroom.fb.com/news/2018/09/security-update/ https://9to5mac.com/2018/09/28/facebook-admits-cyber-attack-may-have-exposed-info-from-50-million-accounts-to-hackers/ Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.
  3. https://www.wired.com/story/jack-dorsey-twitter-hacked/
  4. Back in October of 2016, the largest DDoS attack ever was launched on service provider Dyn using an IoT botnet. This led to huge portions of the internet going down, including Twitter, the Guardian, Netflix, Reddit, and CNN. This IoT botnet was made possible by malware called Mirai. Once infected with Mirai, computers continually search the internet for vulnerable IoT devices and then use known default usernames and passwords to log in, infecting them with malware. The infected devices were household devices like printers, baby monitors, cameras, smart refrigerators, digital cameras and DVR players, etc. [mainly smart devices]
     It targets the smart devices within your home network. Mirai has been used in some of the largest cyber attacks ever recorded. In October 2016, attackers managed to infect thousands and thousands of household connected devices like printers, baby monitors, cameras and smart refrigerators, just like those you may have around in your home. They took control of smart devices and used them to flood the servers of an important internet infrastructure company with malicious traffic appearing to come from millions of internet locations. Many major websites became unavailable to users in Europe and North America. In this DDoS attack, the servers were flooded with tons of lookup requests for web addresses; they couldn’t cope with all this traffic, so they stopped working, and the websites they were supposed to send traffic to became unavailable. Mirai’s job is to create a botnet, where a group of computers (in this case smart devices), once infected, act like a zombie army. Owners remain unaware that their smart devices have been turned into zombies that receive instructions to launch malicious attacks. That’s why it is so important to protect your smart devices. https://www.youtube.com/watch?v=UMTTaMPJ8fc
  5. Massive DDoS attack – many companies went offline
  6. Heart Devices Vulnerable to Hacking: Here's How to Protect Yourself | Newsmax.com. Someone who wants to physically harm the patient can gain remote access to the person’s implanted device by using a computer with an Internet connection. The hacker could disrupt the functioning of the device or deactivate certain features. These hacks aren’t just limited to pacemakers, but could also include cardioverter defibrillators. As many as 465,000 pacemakers made by Abbott (formerly St. Jude Medical) may be vulnerable to hacking, according to the U.S. Food and Drug Administration. https://www.newsmax.com/Health/health-news/heart-pacemaker-device-hack/2018/03/15/id/848918/
  7. Networks: https://www.youtube.com/watch?v=0Rb0L6A5VnY&list=PLCIJjtzQPZJ8YwgQp5MgyROUrNjTZSWax Web Application penetration testing https://www.cybrary.it/course/web-application-pen-testing/ https://www.youtube.com/user/Zigoo0/videos [ Arabic course]
  8. Web for pentester: https://pentesterlab.com/exercises/web_for_pentester/course
  9. https://www.youtube.com/watch?v=ZUqzcQc_syE
  10. https://dev.to/atan/what-is-ctf-and-how-to-get-started-3f04
  11. https://dev.to/atan/what-is-ctf-and-how-to-get-started-3f04 https://www.sothis.tech/en/ctf-learn-hacking-by-playing/
  12. https://dev.to/atan/what-is-ctf-and-how-to-get-started-3f04
  13. PicoCTF: https://2019game.picoctf.com/problems – Bandit – OverTheWire: Great for starting out in the hacking world and getting familiar with Linux commands.
  14. https://www.sothis.tech/en/ctf-learn-hacking-by-playing/