2 root@labla/# whoami the owasp foundation nahidul kibria co-leader, owasp bangladesh, senior...
Post on 15-Jan-2016
227 Views
Preview:
TRANSCRIPT
2
root@labla/# whoami
The OWASP Foundationhttp://www.owasp.org
Nahidul Kibria
Co-Leader, OWASP Bangladesh,Senior Software Engineer, KAZ
Software Ltd.
Writing code for fun and food.And security enthusiastic
Twitter:@nahidupa
5
What is the event all about?
Computer security?
Information security?
Cyber Security?
Is it a game?
Are we going to learn hacking?
6
Capture The Flag(CTF)
In computer security, Capture the Flag (CTF) is a computer security wargame. Each team is given a machine (or small network) to defend on an isolated network.--wikipedia
7
Its not just a competition… more than it…
HOW?
8
9
10
The domain is giant
11
If you want to be a Penetration Tester
A penetration test, occasionally pentest, is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders with authorize by the owner of that system.
12
Prerequisites
1. Good understanding network architecture.
2. How modern operating system work and system administration.
3. Application/Database/Service how they designed and work.
13
Penetration testingPenetration testing methodology
• Information Gathering/Reconnaissance
• Scanning/Enumeration
• Vulnerability Identification
• Exploitation
• Report
14
Tools and tactics
• Do not reinvent the wheel…Use existing tools
• But do not just depends on Tools/Scripts…In some case you have to write your own
15
Books
16
If you want to be a Malware Analyst
17
Kick startBasic Static Analysis
Basic Dynamic Analysis
18
Lab Setup
19
Collect sampleHashing: A Fingerprint for Malware
Look like--373e7a863a1a345c60edb9e20ec3231
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=308
20
Sysinternals tools
Tcpview.exe Procexp.exe
Procmon.exe
21
Reverse engineering ollydbg
Immunity debugger
Ida Pro
22
Books
23
If you want to be a Vulnerability Researcher
24
Common techniquesFuzzing
Code review
Disassemblers
Debuggers
25
26
Books
27
If you want to be a Exploit Developer
28
PrerequisitesProgramming
Assembly
Memory management
Windows/*nix internal
Kernel
29
Books
30
If you want to be a Forensic Analyst
31
Books
32
Coolest Jobs in Information Security
#1 Information Security Crime Investigator/Forensics Expert#2 System, Network, and/or Web Penetration Tester#3 Forensic Analyst#4 Incident Responder#5 Security Architect#6 Malware Analyst#7 Network Security Engineer#8 Security Analyst#9 Computer Crime Investigator#10 CISO/ISO or Director of Security#11 Application Penetration Tester#12 Security Operations Center Analyst#13 Prosecutor Specializing in Information Security Crime#14 Technical Director and Deputy CISO#15 Intrusion Analyst#16 Vulnerability Researcher/ Exploit Developer#17 Security Auditor#18 Security-savvy Software Developer#19 Security Maven in an Application Developer Organization#20 Disaster Recovery/Business Continuity Analyst/Manager
33
But you have only one life
34
Just become a learning machine
35
Here comes communityCollaborative learning
36
About OWASPOWASP’s mission is “to make application security
visible, so that people and organizations can make informed decisions about true application”
Attacker not use black art to exploit your application
OWASP Bangladesh• Bangladeshi community of Security professional
• Globally recognized
• Open for all
• Free for all
What do we have to offer?
• Monthly Meetings
• Mailing List
• Presentations & Groups
• Open Forums for Discussion
• Vendor Neutral Environments
220 Chapters
39
40
Our SuccessesOWASP Tools and
Documentation:
• ~15,000 downloads (per month)
• ~30,000 unique visitors (per month)
• ~2 million website hits (per month)
OWASP Chapters are blossoming worldwide
• 1500+ OWASP Members in active chapters worldwide
• 20,000+ participants
OWASP AppSec Conferences:
• Chicago, New York, London, Washington D.C, Brazil, China, Germany, more…
Distributed content portal
• 100+ authors for tools, projects, and chapters
OWASP and its materials are used, recommended and referenced by many government, standards and industry organizations.
Conferences
41
Ok enough ! Can you please tell me what I need to do
today?
WE DO NOT HAVE ANY PREPARATION
45
Questions.1. A question from cryptography. (300
points)
2. A question from malware analysis. (not that much hardcore as it sound) (150 points)
3. A forensic analysis ( The easiest question of the contest) (50 points)
46
Final Questions.
1. A server named GetRoot_v00t will be given. (500 points)
2. Another server named GetRoot_Drag0n will be given. (1000 points)
Both server is taken down from live, because it is suspected as compromised by attacker and the attacker changed its root password. So your job is to recover the root access of those server as well as create a report of what venerability those server has to the judges.
47
Rules• You must run the given Virtual machine only in NATed mode.
• Take Screenshots in each success steps include them to a document.
• You can ask judge for clue to solve a problem with sacrificing some point(s). It's will be totally depending on judge how much point he will deduct for the clue before he give the clue he will tell you how much point will be deducted. This rule because this type contest is new will not be available in future.
• You are suppose to work with given machine(vmware), Any type of activity that might be destructive for lab setup or host machine or any type of destructive activity using lab internet is strictly forbidden. If any team do such activity, the team cannot continue the contest anymore also IUT will take legal action about such activity.
• You should stay around your work station until it not require to move.
48
We select the winner according the following criteria (We will do partial marking.)
1.How many points the participants has (scoring).
2.How complete the solutions are (quality).
3. Creativity, Geek Factor.
49
Not End! Open question hands on
top related