2
root@labla/# whoami
The OWASP Foundation
http://www.owasp.org
Nahidul Kibria
Co-Leader, OWASP Bangladesh,
Senior Software Engineer, KAZ Software
Ltd.
Writing code for fun and food.
And security enthusiastic
Twitter:@nahidupa
What is the event all
about?
Computer security?
Information security?
Cyber Security?
Is it a game?
Are we going to learn hacking?
5
Capture The Flag(CTF)
In computer security, Capture the Flag
(CTF) is a computer security wargame.
Each team is given a machine (or small
network) to defend on an isolated
network.--wikipedia
6
Its not just a competition… more than it…
HOW?
7
8
9
The domain is giant
10
If you want to be a Penetration Tester
A penetration test, occasionally pentest, is a method of
evaluating the security of a computer system or network by
simulating an attack from malicious outsiders with authorize by
the owner of that system.
11
Prerequisites
1. Good understanding network
architecture.
2. How modern operating system work
and system administration.
3. Application/Database/Service how they
designed and work.
12
Penetration testing
Penetration testing methodology
• Information Gathering/Reconnaissance
• Scanning/Enumeration
• Vulnerability Identification
• Exploitation
• Report
13
Tools and tactics
• Do not reinvent the wheel…Use existing
tools
• But do not just depends on
Tools/Scripts…In some case you have
to write your own
14
Books
15
If you want to be a Malware Analyst
16
Kick start
Basic Static Analysis
Basic Dynamic Analysis
17
Lab Setup
18
Collect sample
Hashing: A Fingerprint for Malware
Look like-373e7a863a1a345c60edb9e20ec3231
http://www.kernelmode.info/forum/viewto
pic.php?f=16&t=308
19
Sysinternals tools
Tcpview.exe
Procexp.exe
Procmon.exe
20
Reverse engineering
ollydbg
Immunity debugger
Ida Pro
21
Books
22
If you want to be a Vulnerability Researcher
23
Common techniques
Fuzzing
Code review
Disassemblers
Debuggers
24
2
5
Books
26
If you want to be a Exploit Developer
27
Prerequisites
Programming
Assembly
Memory management
Windows/*nix internal
Kernel
28
Books
29
If you want to be a Forensic Analyst
30
Books
31
Coolest Jobs in Information Security
#1 Information Security Crime Investigator/Forensics Expert
#2 System, Network, and/or Web Penetration Tester
#3 Forensic Analyst
#4 Incident Responder
#5 Security Architect
#6 Malware Analyst
#7 Network Security Engineer
#8 Security Analyst
#9 Computer Crime Investigator
#10 CISO/ISO or Director of Security
#11 Application Penetration Tester
#12 Security Operations Center Analyst
#13 Prosecutor Specializing in Information Security Crime
#14 Technical Director and Deputy CISO
#15 Intrusion Analyst
#16 Vulnerability Researcher/ Exploit Developer
#17 Security Auditor
#18 Security-savvy Software Developer
#19 Security Maven in an Application Developer Organization
#20 Disaster Recovery/Business Continuity Analyst/Manager
32
But you have only one life
33
Just become a learning machine
34
Here comes community
Collaborative learning
35
36
About OWASP
OWASP’s mission is “to make application security visible, so
that people and organizations can make informed decisions
about true application”
Attacker not use black art to exploit your application
OWASP Bangladesh
• Bangladeshi community of Security professional
• Globally recognized
• Open for all
• Free for all
What do we have to offer?
• Monthly Meetings
• Mailing List
• Presentations & Groups
• Open Forums for Discussion
• Vendor Neutral Environments
220 Chapters
39
Our Successes
OWASP Tools and
Documentation:
•
~15,000 downloads (per
month)
•
~30,000 unique visitors
(per month)
•
~2 million website hits (per
month)
OWASP Chapters are
blossoming worldwide
•
1500+ OWASP Members in
active chapters worldwide
•
20,000+ participants
OWASP AppSec Conferences:
•
Chicago, New York, London,
Washington D.C, Brazil, China,
Germany, more…
Distributed content portal
•
100+ authors for tools,
projects, and chapters
OWASP and its materials are
used, recommended and
referenced by many
government, standards and
industry organizations.
40
Conferences
41
Download
Get OWASP Books
Ok enough ! Can you please tell
me what I need to do today?
WE DO NOT HAVE ANY PREPARATION
Questions.
1. A question from cryptography. (300 points)
2. A question from malware analysis. (not that
much hardcore as it sound) (150 points)
3. A forensic analysis ( The easiest question of
the contest) (50 points)
45
Final Questions.
1. A server named GetRoot_v00t will be given. (500 points)
2. Another server named GetRoot_Drag0n will be given.
(1000 points)
Both server is taken down from live, because it is suspected as
compromised by attacker and the attacker changed its root
password. So your job is to recover the root access of those
server as well as create a report of what venerability those
server has to the judges.
46
Rules
•
You must run the given Virtual machine only in NATed mode.
•
Take Screenshots in each success steps include them to a document.
•
You can ask judge for clue to solve a problem with sacrificing some point(s). It's will be
totally depending on judge how much point he will deduct for the clue before he give the
clue he will tell you how much point will be deducted. This rule because this type contest
is new will not be available in future.
•
You are suppose to work with given machine(vmware), Any type of activity that might
be destructive for lab setup or host machine or any type of destructive activity using lab
internet is strictly forbidden. If any team do such activity, the team cannot continue the
contest anymore also IUT will take legal action about such activity.
•
You should stay around your work station until it not require to move.
47
We select the winner according the
following criteria (We will do partial
marking.)
1.How many points the participants has (scoring).
2.How complete the solutions are (quality).
3. Creativity, Geek Factor.
48
Not End! Open question
hands on
49