One of the main reasons I wanted to attend the SANS SEC660 course was to better learn Linux and Windows exploitation. I had done work on my own, but sometimes an issue would come up, or I would get curious about a subject, follow some rabbit holes and get to a point where I had to stop for the time being (e.g. sleep). Going to a training event like this was very exciting as not only would I learn more about Linux/Windows exploitation and various methods to accomplish that, but I would also learn more about fuzzing and being at a SANS event for NetWars. As expected based on the course so far, these two days would be the biggest and most intense. Both subjects have their own nuances and ways of going about exploitation to privilege escalation.
As we have done previously, let's list and go through the day's agenda from the course's page:
- Stack and dynamic memory management and allocation on the Linux OS
- Disassembling a binary and analyzing x86 assembly code
- Performing symbol resolution on the Linux OS
- Identifying vulnerable programs
- Code execution redirection and memory leaks
- Identifying and analyzing stack-based overflows on the Linux OS
- Performing return-to-libc (ret2libc) attacks on the stack
- Return-oriented programming
- Defeating stack protection on the Linux OS
- Defeating ASLR on the Linux OS
The class started off with an introduction to memory layout and registers. It was a quick introduction to the topic though and while I had already been familiar with these concepts, the fast pace could potentially leave some students behind. Going through basic x86 assembly was good as well, but that also went fast. Prior to the class, I went through the Intro to x86 course and didn't have any issues with the content, but I have no idea about the other people. Some knew what was going on, but it seemed that there were others who were being exposed to subjects like a function prologue and epilogue sequence. Definitely having exposure to x86 like in the class above would greatly help you pick up the topics first introduced today. Not knowing what the EIP was and it's importance, to suddenly being introduced to the topic and keeping track of EIP, ESP, EBP, ECX and everything else could potentially be confusing if you've never really dug into it.
I would have been even better prepared for the class had I have done the Intro to Software Exploits class as well. The topics of stack smashing, format strings exploiting, bypassing ASLR, defeating stack canaries can be daunting at first, especially when you're going fast. I'm not trying to imply that we moved too fast to understand the material, but we only had so much time allocated to the material and labs where we had to continue moving on. Steve did stop a bit to take questions, make sure we understood what was going on, but again, there's more content than time.
Even if you didn't go through the Intro to Software Exploits class, this course was still good and prepared you for the exploit techniques you would immediately begin practicing after learning. There definitely is value though of doing the prep work as above and still going to this class. Steve went into a lot of detail and rabbit holes about various low level topics relevant to the material. Again, having exposure to that prior to the class, a person could better appreciate the material and information and use it to better their understanding. Hearing about the TLB and random information about it without knowing anything about it can make it a bit harder to understand before knowing what it even means.
If you're going to talk about Linux exploitation, you'll probably run into the GNU debugger at some point in time. Many people prefer to look at information in a GUI rather than staring at a command line. If you are in that camp and never really got into gdb, WinDBG, etc it could be a little bit daunting when you fire up gdb for the first few times. GDB is a great and free Linux debugger that is a staple for many people when they take apart code. While there are many great extensions to gdb (e.g. Zach Riggle's PEDA regular PEDA, gef) to make it more friendly/useable for exploitation, we just stuck to the basic gdb version. There was some hand-holding, but not much time was spent in one place for too long before moving on. Along with working with gdb, you may also use objdump to check out ELF files.
Based on other resources on the same subject, smashing the stack, going over return-orientated programming (ROP) and performing return-to-libc attacks are common courseware topics. If you haven't had much hands-on experience, it may be a little intimidating at first especially as you need to quickly pick up certain concepts. Steve and the courseware go into good detail of the how and why, but there isn't much time given to digest and fully absorb the material. You move from one topic to the next and build upon the topics to more elaborate exploitation scenarios. Steve went through the progression of stack protection mechanisms and how they continued to adapt such as with stack canaries. Evading stack canaries was covered and we had the opportunity to put that knowledge of exploitation into practice with labs.
We were receiving a lot of awesome information, but it was a torrential downpour of information. Last, but not least, we talked about ASLR on Linux and how to defeat it. A lot of topics that we covered in Linux also have similar mechanisms on Windows. Learning how to defeat ASLR on Linux also helped us for the next day when we talked about it in the Windows day. Without going into too much more detail of how it was presented and how we better cemented the knowledge into our brains, I will say that it was well done. Regardless of how much (or little) time we had, it never felt like we moved on from a point where we were lost. It felt like everyone got to a "good enough" state where they grasped the concept. We could implement the exploit given to us and comprehend the lesson behind the lab. While we weren't experts at fully knowing completely why certain things worked as they did, it was meant to get you headed in the right direction.
This day was certainly packed full of information and it was also the last night for the Core NetWars. Many topics covered today though had applicability to the next day with Windows, so it wouldn't be another day full of new topics. Going full steam for four days for around 9 to 10 hours of class, doing bonus sessions/NetWars at night, talking with the family, staying up beyond that with reading/learning more while working on the NetWars challenges was starting to wear down on me. There were still two days to go, but it was a good feeling knowing that I was definitely learning and growing rapidly with all of this new knowledge. While I mention in this article and others of resources outside of SANS, there still is a lot of great value in still doing those other resources and going to this class. I think that by doing the prep work mentioned and other resources you may find will help you have a greater foundation to build upon for this class.
Day 4 prep:
- Intro to x86
- Intro to Software Exploits
- ELF
No comments:
Post a Comment