
Introduction to Exploitation

How to get started in learning offensive security. An opinionated selection of self-learning tools.

Published in: Technology

  1. Intro to Exploitation
     September 12th, 2018
  2. Get Involved
     ● Discord - discord.gg/kuejt8p
     ● Fire Talks - October 24th, 2018
     ● Live Stream - Whenever you want*
     ● CSG CTF - ctf.utdcsg.club
  3. Events
     ● Hardware Hacking Hangout - Friday @ 7 pm in ECSS 4.619
     ● CSAW CTF - Saturday @ 1 pm to 5 pm in ECSS 4.619
     ● Elastic - Next Wednesday @ 7 pm in MC 2.410
  4. Goal for tonight: Answer the question “How do I get started?”
  5. Getting started in Computer Security
     ● Plenty of resources exist to get started with different areas of security
     ● You get out what you put into it
  6. Intro to Exploitation
     ● General Goals:
       ○ Lateral Movement
       ○ Command and Control
       ○ Data Exfiltration
  7. General Tools
     ● Kali Linux - contains many exploitation tools pre-installed
     ● FLARE VM - contains many security tools for use in a Windows environment
  8. “Fields” of Exploitation
     ● Network
     ● System
       ○ Linux
       ○ Windows
       ○ Other
     ● Cryptography
     ● Web
     ● Binary
  9. Network
     Attacking the network and network services, often to access machines on said network.
     Examples:
     ● Attacking Windows domains
     ● Attacking cloud infrastructure
     Tools:
     ● nmap
     Practice:
     ● HackTheBox
     ● CloudGoat
  10. Linux
     Escalating privileges, exfiltrating data, establishing persistence, and more.
     Examples:
     ● Hacking Linux?
     Tools:
     ● bash
     ● Metasploit
     ● Linux Knowledge
     Practice:
     ● OverTheWire - Bandit
     ● HackTheBox
     ● Metasploitable 2
  11. Windows
     Escalating privileges, exfiltrating data, establishing persistence, and more.
     Examples:
     ● Hacking Windows?
     Tools:
     ● PowerShell
     ● Metasploit
     ● Windows Knowledge
     Practice:
     ● HackTheBox
     ● Metasploitable 3
     ● Immersive Labs (PowerShell)
  12. Cryptography
     Breaking ciphers, forging signatures, doing magic(?)
     Examples:
     ● Forging authentication tokens
     ● Breaking encryption
     Tools:
     ● SAGE
     ● Python
     ● Patience
     Practice:
     ● CryptoPals
     ● id0-rsa
  13. Web
     Dumping databases, gaining code execution, breaking webscale, learning too many frameworks
     Examples:
     ● SQL Injection
     ● Code Execution
     ● Local File Includes
     Tools:
     ● Burp Suite
     ● Browser Developer Tools
     Practice:
     ● HackTheBox
     ● OverTheWire - Natas
     ● WebGoat
  14. Binary
     Exploiting flaws in a program to do “fun” things
     Example:
     ● Bypassing authentication
     ● Gaining code execution
     Tools:
     ● gdb (Debuggers)
     ● IDA Pro (Disassemblers)
     Practice:
     ● pwnable.kr
     ● Protostar
     ● The Assembly Group
  15. Overall
     Being well “read” can give you a significant edge in security
     YouTube - Tutorials:
     ● LiveOverflow
     ● GynvaelEN
     YouTube - Talks:
     ● DefCon
     ● BlackHat
     ● media.ccc.de (34C3)
     News/Blogs:
     ● /r/NetSec
     ● HackerNews
  16. Demo
     Physical access attacks with Tiny Core Linux
     ● Replacing Magnify.exe with cmd.exe
