Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

IUTGetRoot

advertisement 
2
root@labla/# whoami
The OWASP Foundation
http://www.owasp.org
Nahidul Kibria
Co-Leader, OWASP Bangladesh,
Senior Software Engineer, KAZ Software
Ltd.
Writing code for fun and food.
And security enthusiastic
Twitter:@nahidupa
What is the event all
about?
Computer security?
Information security?
Cyber Security?
Is it a game?
Are we going to learn hacking?
5
Capture The Flag(CTF)
In computer security, Capture the Flag
(CTF) is a computer security wargame.
Each team is given a machine (or small
network) to defend on an isolated
network.--wikipedia
6
Its not just a competition… more than it…
HOW?
7
8
9
The domain is giant
10
If you want to be a Penetration Tester
A penetration test, occasionally pentest, is a method of
evaluating the security of a computer system or network by
simulating an attack from malicious outsiders with authorize by
the owner of that system.
11
Prerequisites
1. Good understanding network
architecture.
2. How modern operating system work
and system administration.
3. Application/Database/Service how they
designed and work.
12
Penetration testing
Penetration testing methodology
• Information Gathering/Reconnaissance
• Scanning/Enumeration
• Vulnerability Identification
• Exploitation
• Report
13
Tools and tactics
• Do not reinvent the wheel…Use existing
tools
• But do not just depends on
Tools/Scripts…In some case you have
to write your own
14
Books
15
If you want to be a Malware Analyst
16
Kick start
Basic Static Analysis
Basic Dynamic Analysis
17
Lab Setup
18
Collect sample
Hashing: A Fingerprint for Malware
Look like-373e7a863a1a345c60edb9e20ec3231
http://www.kernelmode.info/forum/viewto
pic.php?f=16&t=308
19
Sysinternals tools
Tcpview.exe
Procexp.exe
Procmon.exe
20
Reverse engineering
ollydbg
Immunity debugger
Ida Pro
21
Books
22
If you want to be a Vulnerability Researcher
23
Common techniques
Fuzzing
Code review
Disassemblers
Debuggers
24
2
5
Books
26
If you want to be a Exploit Developer
27
Prerequisites
Programming
Assembly
Memory management
Windows/*nix internal
Kernel
28
Books
29
If you want to be a Forensic Analyst
30
Books
31
Coolest Jobs in Information Security
#1 Information Security Crime Investigator/Forensics Expert
#2 System, Network, and/or Web Penetration Tester
#3 Forensic Analyst
#4 Incident Responder
#5 Security Architect
#6 Malware Analyst
#7 Network Security Engineer
#8 Security Analyst
#9 Computer Crime Investigator
#10 CISO/ISO or Director of Security
#11 Application Penetration Tester
#12 Security Operations Center Analyst
#13 Prosecutor Specializing in Information Security Crime
#14 Technical Director and Deputy CISO
#15 Intrusion Analyst
#16 Vulnerability Researcher/ Exploit Developer
#17 Security Auditor
#18 Security-savvy Software Developer
#19 Security Maven in an Application Developer Organization
#20 Disaster Recovery/Business Continuity Analyst/Manager
32
But you have only one life
33
Just become a learning machine
34
Here comes community
Collaborative learning
35
36
About OWASP
OWASP’s mission is “to make application security visible, so
that people and organizations can make informed decisions
about true application”
Attacker not use black art to exploit your application
OWASP Bangladesh
• Bangladeshi community of Security professional
• Globally recognized
• Open for all
• Free for all
What do we have to offer?
• Monthly Meetings
• Mailing List
• Presentations & Groups
• Open Forums for Discussion
• Vendor Neutral Environments
220 Chapters
39
Our Successes
OWASP Tools and
Documentation:
•
~15,000 downloads (per
month)
•
~30,000 unique visitors
(per month)
•
~2 million website hits (per
month)
OWASP Chapters are
blossoming worldwide
•
1500+ OWASP Members in
active chapters worldwide
•
20,000+ participants
OWASP AppSec Conferences:
•
Chicago, New York, London,
Washington D.C, Brazil, China,
Germany, more…
Distributed content portal
•
100+ authors for tools,
projects, and chapters
OWASP and its materials are
used, recommended and
referenced by many
government, standards and
industry organizations.
40
Conferences
41
Download
Get OWASP Books
Ok enough ! Can you please tell
me what I need to do today?
WE DO NOT HAVE ANY PREPARATION
Questions.
1. A question from cryptography. (300 points)
2. A question from malware analysis. (not that
much hardcore as it sound) (150 points)
3. A forensic analysis ( The easiest question of
the contest) (50 points)
45
Final Questions.
1. A server named GetRoot_v00t will be given. (500 points)
2. Another server named GetRoot_Drag0n will be given.
(1000 points)
Both server is taken down from live, because it is suspected as
compromised by attacker and the attacker changed its root
password. So your job is to recover the root access of those
server as well as create a report of what venerability those
server has to the judges.
46
Rules
•
You must run the given Virtual machine only in NATed mode.
•
Take Screenshots in each success steps include them to a document.
•
You can ask judge for clue to solve a problem with sacrificing some point(s). It's will be
totally depending on judge how much point he will deduct for the clue before he give the
clue he will tell you how much point will be deducted. This rule because this type contest
is new will not be available in future.
•
You are suppose to work with given machine(vmware), Any type of activity that might
be destructive for lab setup or host machine or any type of destructive activity using lab
internet is strictly forbidden. If any team do such activity, the team cannot continue the
contest anymore also IUT will take legal action about such activity.
•
You should stay around your work station until it not require to move.
47
We select the winner according the
following criteria (We will do partial
marking.)
1.How many points the participants has (scoring).
2.How complete the solutions are (quality).
3. Creativity, Geek Factor.
48
Not End! Open question
hands on
49
Related documents
Dangerous Wi-Fi Access Point: Attacks to Benign Smartphone
Dangerous Wi-Fi Access Point: Attacks to Benign Smartphone
Origins, Cookies and Security * Oh My!
Origins, Cookies and Security * Oh My!
Common Web Vulnerabilities
Common Web Vulnerabilities
PROPOSED ADVERTISEMENT
PROPOSED ADVERTISEMENT
Application Security 101
Application Security 101
Laboratory work 2 SEC
Laboratory work 2 SEC
WebSecurity_Commonsecuritythreats_and_hacking
WebSecurity_Commonsecuritythreats_and_hacking
Training_Instructor_Agreement
Training_Instructor_Agreement
What is an OWASP? Open Web Application Security Project 
What is an OWASP? Open Web Application Security Project 
Presentation Tagline - OWASP AppSec USA 2011
Presentation Tagline - OWASP AppSec USA 2011
Security Policies - Personal Web Pages
Security Policies - Personal Web Pages
Media: An_introduction_to_penetration_testing
Media: An_introduction_to_penetration_testing
OWASP Plan - Strawman - OWASP AppSec USA 2011
OWASP Plan - Strawman - OWASP AppSec USA 2011
Application Security Tools
Application Security Tools
OWASP's Ten Most Critical Web Application Security Vulnerabilities
OWASP's Ten Most Critical Web Application Security Vulnerabilities
OWASPIL-2014-06-16_OWASP-Top-10_-_Security
OWASPIL-2014-06-16_OWASP-Top-10_-_Security
The Secure SDLC Panel Real answers from real experience
The Secure SDLC Panel Real answers from real experience
Lulu Guide
Lulu Guide
Secure Coding Practices
Secure Coding Practices
Web Application Security
Web Application Security
OWASP_Flyer_Sep06
OWASP_Flyer_Sep06
OWASP Application Security Assessment Standards Project
OWASP Application Security Assessment Standards Project
Download
advertisement