Tuesday, July 28, 2015

SANS SEC660: Day 5 review: Exploiting Windows for Penetration Testers

The course and experience of going to the SANS SEC660 course has been amazing.  I previously attended a SANS course, but did it remotely through their online offering.  While it was simultaneously done as the in-person class, I felt a deep disconnect to the experience there.  I have done other online courses for various IT things and the SANS online course felt a lot like those.  Disconnected.  I couldn't really connect with the other classmates.  I didn't feel like if I had questions I would understand the answers as easily as if I were there in class.

Being at the SANS course in-person was a completely different experience.  Sure I could have done the class remotely as well as the bonus sessions like NetWars.  However, it just feels like a great time being around all of the other folks hacking away at the NetWars challenges in a giant room.  It was a great time meeting people, working with them on challenges, learning alongside them and having fun.  That is what it felt like being there at the conference.  Having fun.

The previous day and night were pretty stellar events.  The previous day was a crash course in Linux exploitation and stretching my mind to quickly understand a lot of new concepts and ideas.  At night, it was a special NetWars as SANS brought out their CyberCity challenge.  Previous NetWars nights were the Core NetWars challenge where you challenged everyone.  The CyberCity NetWars challenge was a random grouping of people to work on challenges together.  That was a pretty fun learning experience as well as fun in general.  But, more on that in another post!  Day 4 was a great day and night to be at the conference.  Let's get on with the Day 5 review.

Here are the events from the SANS website of the contents of this day:

- The state of Windows OS protections on Windows 7, 8, 10, Server 2008 and 2012
- Understanding common Windows constructs
- Stack exploitation on Windows
- Defeating OS protections added to Windows
- Creating a Metasploit module
- Advanced stack-smashing on Windows
- Using ROP
- Building ROP chains to defeat DEP and bypass ASLR
- Windows 7 and Windows 8 exploitation
- Porting Metasploit modules
- Client-side exploitation
- Windows Shellcode

The list above was a tall order of material to fit into one day.  We certainly felt the weight of the materials by the end of it.  Going through the previous day's materials did help prepare us for today and the techniques necessary to exploit Windows.  It was time to dig into Windows and learn more about the internals of Windows!

The day started with the internals of Windows, covering memory layout in the OS, PE file structure and linking.  It was a good refresher and it was good to dive a bit deeper in other parts as Steve relayed tidbits of information through various rabbit holes.  We covered Windows debuggers such as OllyDBG (briefly) and Immunity Debugger.  Immunity was the main debugger we used throughout the day for exercises such as going through a random binary to examine the various sections of a PE.  Going through materials like Ange Albertini's examinations of PE files (here and here) would be pretty helpful to pick up this module faster.  Each module has an additional reading/resource section as well to better learn the covered material, so it was good to see those things.  It was a crash course through the Windows Internals books to get us ready to exploit Windows.

We covered the various methods Windows uses to protect itself and how those methods evolved over the versions of Windows up to today.  It is interesting to see the methods that Windows borrowed and improved upon for its protection mechanisms.  Steve gave a talk about EMET and the various Windows mechanisms that were implemented over the years across operating systems.  There's certainly been no lack of trying, although it is seemingly hard to balance usability versus security.  You can certainly completely STIG a system and/or turn EMET to full protection lockdown, but then the OS isn't as usable as before.  Balancing that with system and business requirements to get the best possible protection is hard.  But that's not our story for today; our story is how to exploit them!  As a quick note, Steve did do a "preview" for the class talking about the things above in this webcast.  It was pretty good!

It's interesting how different people and tutorials approach Windows debugging and user land exploitation.  In some cases, like in the SANS training, Immunity Debugger was used.  In the OpenSecurity and Windows Exploit Dev courses, they use WinDBG.  The Corelan tutorial uses mainly WinDBG with some Immunity Debugger.  It is advantageous, though, to be familiar with both debuggers for Windows.  For the purposes of this class, knowing how to work in the various windows and menus in Immunity will help you out.  It's not necessarily an issue with the main screen, but knowing how to run mona.py, view its output and then go back to the main screen can be confusing at first.  The usage of Immunity is kept to the basics to help get the student familiar with the product and not bury them in the various sub-screens that Immunity provides.

We covered a lot of technical discussion on DEP, ASLR and using ROP gadgets.  It felt like most of the afternoon was spent working with ROP based exploitation techniques against our vulnerable software.  There were different exercises on using ROP gadgets which helped to absorb the information we were given.  Stephen would talk about the exploit technique, do a demo and then have us do the demos on our own.  If you're new to Windows exploitation, it would be a bit challenging to go through all of the exercises in time.  Luckily you can bring it all home to work on later.  You can of course copy and paste the answers from the book to proceed through the labs, but that may not help you fully understand what's going on unless you first try it without them.

The Metasploit module section was interesting and has applicability to pen testers and/or modifying exploits to fit your needs.  Many times, there are exploits in Metasploit that target a specific patch level and system architecture.  But there are opportunities to take that "shell", tweak it to your specific needs based on understanding how that exploit works, figure out the offsets for your target and then repackage the exploit.  Rather than being a user of Metasploit, you can go beyond that by taking what others have started for you and going further.  You would need to spend more time working with the class material to tweak exploits to your situation, but this class helps to get you going in that direction.  It was an overall short module, but a good example of how to use this class to suit your needs back in the world.

The last module before the bootcamp (where you refine your knowledge with more exercises) was Windows Shellcode.  I was looking forward to this class as it's been a fun topic to learn more about.  Stephen has been a great teacher, explaining everything with deep technical detail.  With that, going over shellcode and multi-stage shellcode were easier pills to swallow.  There were good labs and lots of links for further reading to know/learn more.  There's not enough time in a single day to cover all of this material, so it was good to see that they didn't leave it at only their materials to learn more from.  A lot of the topics (especially Day 4 and Day 5) had research links/books to learn from, which in some cases is where the techniques in the book came from.

Going into this day had been a bit tough from the week's activities.  There had been three nights of NetWars and other sessions at night.  But it had been a lot of fun and challenging.  We still had one more day left, but it was a challenge that took most of the day.  Stephen went through the categories of the challenge and it was set up in a Jeopardy style.  It was similar to the NetWars challenges where you enter an MD5 hash of the answer into an answer text box.  The class CTF looked like it would be a lot of fun, and the coin for SEC660, which would be awarded to the winning team, is pretty neat.  Stay tuned for the closing review post!

Day 5 prep:
- OpenSecurity Training: Exploits 2
- Windows Exploit Development Course
- Corelan Exploit Tutorial series
- Immunity Tutorials:  First, Second
