Exploit Development for Beginners

HOPE Eleven, July 24, 2016, NYC

IEEE Orange County Cybersecurity SIG
Wed, July 27, 2016 Tustin, CA 6-8 PM

DEF CON: Friday, Aug 5, 2016
10 am - 2 pm, Las Vegas Ballroom 4

Sam Bowne

Workshop Description

This workshop helps participants move beyond using attacks others have developed to understanding how programs work at the binary level and how to exploit their weaknesses. These techniques help move you towards the skill levels needed to find new vulnerabilities, write proof-of-concept attack code, compete in cyber competitions, and earn bug bounties.


Prerequisites

The first few projects are easy, even for beginners. For the later projects, familiarity with C, Python, and assembly code is helpful but not required.

Equipment Students Will Need to Bring

Participants need a computer with Kali Linux or some other Linux, such as Ubuntu, either in a virtual machine or locally. I will have a few loaner computers for students who don't have a usable computer.

Projects

Easy

Command Injection Projects
1. Ping Form Winners
2. Buffer Overflow Winners
3. ImageMagick Winners

Intermediate

4. SQL Injection Winners 1 · Winners 2 · Winners 3

Hard

Linux Buffer Overflow Projects
5. Without Shellcode Practice
5a. 64-bit Overflow
5b. 64-bit PPT
6. Local Challenges
7. Remote Challenge Winners
8. Dash Shellcode Practice
9. Metasploit Shellcode Practice
10. Metasploit Shellcode Challenges Winners
Entire Exploit Development Course

Cloud Blockchain Voting Prototype

What's a Blockchain? · Vote (easy) · Join the Blockchain (harder)

Lectures

Real Hacking (key)
Data Breaches: Real and Imaginary (ppt)
Bitcoin (key)
Security at Colleges
NETLAB password insecurity

The lectures are in Keynote and HTML formats.
If you want them in PowerPoint, use the Cloud Convert site.


Other Projects

Basic SQL

Codecademy SQL Lesson

SQL Injection Attack and Defense

Installing SQLol
SQLi: Attacking with Havij and Defending with Input Filtering
Exploiting SQLi with sqlmap
Fixing MySQL with Parameterized Queries

Games and Cybercompetitions

Password Guessing Games
PicoCTF
Bandit Challenges
CTFTime

Posted 6-29-16 by Sam Bowne
Cleaned up 7-26-16
New Challenge 7 added 7-30-16
8-5-16