Post on 23-Mar-2016
description
2
root@labla/# whoami
The OWASP Foundationhttp://www.owasp.org
Nahidul Kibria
Co-Leader, OWASP Bangladesh,Senior Software Engineer, KAZ
Software Ltd.
Writing code for fun and food.And security enthusiastic
Twitter:@nahidupa
5
What is the event all about?
Computer security? Information security?Cyber Security?Is it a game? Are we going to learn hacking?
6
Capture The Flag(CTF)
In computer security, Capture the Flag (CTF) is a computer security wargame. Each team is given a machine (or small network) to defend on an isolated network.--wikipedia
7
Its not just a competition… more than it…
HOW?
8
9
10
The domain is giant
11
If you want to be a Penetration Tester
A penetration test, occasionally pentest, is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders with authorize by the owner of that system.
12
Prerequisites1. Good understanding network
architecture.2. How modern operating system
work and system administration.3. Application/Database/Service how
they designed and work.
13
Penetration testingPenetration testing methodology
• Information Gathering/Reconnaissance• Scanning/Enumeration• Vulnerability Identification• Exploitation• Report
14
Tools and tactics • Do not reinvent the wheel…Use
existing tools• But do not just depends on
Tools/Scripts…In some case you have to write your own
15
Books
16
If you want to be a Malware Analyst
17
Kick startBasic Static AnalysisBasic Dynamic Analysis
18
Lab Setup
19
Collect sampleHashing: A Fingerprint for MalwareLook like--
373e7a863a1a345c60edb9e20ec3231
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=308
20
Sysinternals toolsTcpview.exe Procexp.ex
eProcmon.exe
21
Reverse engineering ollydbg Immunity
debuggerIda Pro
22
Books
23
If you want to be a Vulnerability Researcher
24
Common techniquesFuzzingCode review
DisassemblersDebuggers
25
26
Books
27
If you want to be a Exploit Developer
28
PrerequisitesProgrammingAssemblyMemory management Windows/*nix internalKernel
29
Books
30
If you want to be a Forensic Analyst
31
Books
32
Coolest Jobs in Information Security
#1 Information Security Crime Investigator/Forensics Expert#2 System, Network, and/or Web Penetration Tester#3 Forensic Analyst#4 Incident Responder#5 Security Architect#6 Malware Analyst#7 Network Security Engineer#8 Security Analyst#9 Computer Crime Investigator#10 CISO/ISO or Director of Security#11 Application Penetration Tester#12 Security Operations Center Analyst#13 Prosecutor Specializing in Information Security Crime#14 Technical Director and Deputy CISO#15 Intrusion Analyst#16 Vulnerability Researcher/ Exploit Developer#17 Security Auditor#18 Security-savvy Software Developer#19 Security Maven in an Application Developer Organization#20 Disaster Recovery/Business Continuity Analyst/Manager
33
But you have only one life
34
Just become a learning machine
35
Here comes communityCollaborative learning
36
About OWASPOWASP’s mission is “to make application security
visible, so that people and organizations can make informed decisions about true application”
Attacker not use black art to exploit your application
OWASP Bangladesh• Bangladeshi community of Security professional• Globally recognized• Open for all• Free for allWhat do we have to offer?• Monthly Meetings• Mailing List• Presentations & Groups• Open Forums for Discussion• Vendor Neutral Environments
220 Chapters
39
40
Our SuccessesOWASP Tools and
Documentation:• ~15,000 downloads
(per month)• ~30,000 unique visitors
(per month)• ~2 million website hits
(per month)OWASP Chapters are
blossoming worldwide• 1500+ OWASP Members
in active chapters worldwide
• 20,000+ participants
OWASP AppSec Conferences:• Chicago, New York,
London, Washington D.C, Brazil, China, Germany, more…
Distributed content portal• 100+ authors for tools,
projects, and chaptersOWASP and its materials are
used, recommended and referenced by many government, standards and industry organizations.
Conferences
41
Ok enough ! Can you please tell me what I need to do
today?
WE DO NOT HAVE ANY PREPARATION
45
Questions.1. A question from cryptography. (300
points)2. A question from malware analysis. (not
that much hardcore as it sound) (150 points)
3. A forensic analysis ( The easiest question of the contest) (50 points)
46
Final Questions.1. A server named GetRoot_v00t will be given. (500 points)
2. Another server named GetRoot_Drag0n will be given. (1000 points)
Both server is taken down from live, because it is suspected as compromised by attacker and the attacker changed its root password. So your job is to recover the root access of those server as well as create a report of what venerability those server has to the judges.
47
Rules• You must run the given Virtual machine only in NATed mode.
• Take Screenshots in each success steps include them to a document.
• You can ask judge for clue to solve a problem with sacrificing some point(s). It's will be totally depending on judge how much point he will deduct for the clue before he give the clue he will tell you how much point will be deducted. This rule because this type contest is new will not be available in future.
• You are suppose to work with given machine(vmware), Any type of activity that might be destructive for lab setup or host machine or any type of destructive activity using lab internet is strictly forbidden. If any team do such activity, the team cannot continue the contest anymore also IUT will take legal action about such activity.
• You should stay around your work station until it not require to move.
48
We select the winner according the following criteria (We will do partial marking.)
1.How many points the participants has (scoring).
2.How complete the solutions are (quality).3. Creativity, Geek Factor.
49
Not End! Open question hands on