Hands-On Exploit Development for Beginners

Sam Bowne


Workshop Description

Participants will hack into a series of vulnerable servers and get onto Winners boards. Instead of using tools, you will create your own attacks. The easier challenges require nothing but a Web browser: command injection and SQL injection. The harder challenges require a Kali Linux virtual machine and exploit buffer overflows at the binary level.

Prerequisites

The first few projects are easy, even for beginners. For the later projects, familiarity with C, Python, and assembly code is helpful but not required.

Equipment Students Will Need to Bring

Participants need a computer with Kali Linux or some other Linux, such as Ubuntu, either in a virtual machine or locally. I will have a few loaner computers for students who don't have a usable computer.

Reference Book

"The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q Buy from Amazon

Projects

Easy

Command Injection Projects
1. Ping Form Winners
2. Buffer Overflow Winners
3. ImageMagick Winners

Intermediate

4. SQL Injection Winners 1
Winners 2
Winners 3

Hard

Linux Buffer Overflow Projects
5. Without Shellcode Practice
5a. 64-bit Overflow
5b. 64-bit PPT
6. Local Challenges
7. Remote Challenge Winners
8. Dash Shellcode Practice
9. Metasploit Shellcode Practice
10. Metasploit Shellcode Challenges Winners
Entire Exploit Development Course

Lectures

Real Hacking (key)
Data Breaches: Real and Imaginary (ppt)
Bitcoin (key)
Security at Colleges
NETLAB password insecurity

The lectures are in Keynote and HTML formats.
If you want them in PowerPoint, use the Cloud Convert site.


Other Projects

Basic SQL

CodeCademy SQL Lesson

SQL Injection Attack and Defense

Installing SQLol
SQLi: Attacking with Havij and Defending with Input Filtering
Exploiting SQLi with sqlmap
Fixing MySQL with Parameterized Queries

Games and Cybercompetitions

Password Guessing Games
PicoCTF
Bandit Challenges
CTFTime

Posted 10-20-16 by Sam Bowne