
Posts

Showing posts from 2016

SLAE/SLAE64 Course Review

After recently finishing both the SLAE (http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/index.html) and SLAE64 (http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html) courses available through SecurityTube Training, and earning both certifications, I thought I would write a review of the training itself. Personally, I chose these courses as a way to learn Assembly in preparation for the Crack The Perimeter (CTP) course and OSCE certification. After taking the Pentesting With Kali (PWK) class and earning the OSCP, I knew I needed to fill some gaps in my knowledge, specifically in C and Assembly programming. Seeing that there aren't many training offerings that aim to teach Assembly specific to penetration testing and shellcoding, I gave SLAE a try.

If you don't care about the certification itself, you can obtain all of SecurityTube's videos for a small monthly fee through Pentes…

SLAE64 - Assignment 7

This post is a continuation of a seven (7) part blog series as part of the SLAE64 certification challenge. You can read the previous blog posts using the links below.

Previous Posts:
SLAE64 - Assignment 1
SLAE64 - Assignment 2
SLAE64 - Assignment 3
SLAE64 - Assignment 4
SLAE64 - Assignment 5
SLAE64 - Assignment 6

The requirements for Assignment 7 are as follows:
Create a custom crypter like the one shown in the "crypters" video
Free to use any existing encryption schema
Can use any programming language

SLAE64 - Assignment 6

This post is a continuation of a seven (7) part blog series as part of the SLAE64 certification challenge. You can read the previous blog posts using the links below.

Previous Posts:
SLAE64 - Assignment 1
SLAE64 - Assignment 2
SLAE64 - Assignment 3
SLAE64 - Assignment 4
SLAE64 - Assignment 5

The requirements for Assignment 6 are as follows:
Take up 3 shellcodes from shell-storm and create polymorphic versions of them to beat pattern matching
The polymorphic versions cannot be larger than 150% of the existing shellcode
Bonus points for making it shorter in length than the original

SLAE64 - Assignment 5

This post is a continuation of a seven (7) part blog series as part of the SLAE64 certification challenge. You can read the previous blog posts using the links below.

Previous Posts:
SLAE64 - Assignment 1
SLAE64 - Assignment 2
SLAE64 - Assignment 3
SLAE64 - Assignment 4

The requirements for Assignment 5 are as follows:
Take up at least 3 shellcode samples created using MSFPayload for linux/x86_64
Use GDB to dissect the functionality of the shellcode
Document your analysis

SLAE64 - Assignment 4

This post is a continuation of a seven (7) part blog series as part of the SLAE64 certification challenge. You can read the previous blog posts using the links below.

Previous Posts:
SLAE64 - Assignment 1
SLAE64 - Assignment 2
SLAE64 - Assignment 3

The requirements for Assignment 4 are as follows:
Create a custom encoding scheme like the "Insertion Encoder" we showed you
PoC with using execve-stack as the shellcode to encode with your schema and execute

The full scripts for this assignment can be found here: https://github.com/blu3gl0w13/SLAE64/tree/master/assignment-4.

Supplemental scripts for this assignment can be found here: https://github.com/blu3gl0w13/SLAE64/tree/master/scripts.

SLAE64 - Assignment 3

This post is a continuation of a seven (7) part series for the SLAE64 certification challenge. You can read the first two (2) posts by using the links below.

Previous Posts:

SLAE64 - Assignment 1
SLAE64 - Assignment 2

This was a good assignment. Like the SLAE32, I had to create an egg hunter. Here are this assignment's requirements:

Study Egg Hunter shellcode
Create working demo of Egg Hunter
Should be configurable for different payloads

SLAE64 - Assignment 2

This is the second blog post in the SLAE64 series, written as part of the certification challenge. If you want to read the previous post first, the link is below.

Previous Posts:
SLAE64 - Assignment 1

For this assignment, we had the following requirements:
Create a Shell_Reverse_TCP shellcode
Reverse connects to configured IP and Port
Needs a "Passcode"
If Passcode is correct then Execs Shell
Remove 0x00 from the Reverse TCP Shellcode discussed

SLAE64 - Assignment 1

Following completion of the SLAE32 course (http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/index.html), I decided to take advantage of the Pentester Academy account we have at work to continue the training with SLAE64 (http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html). So, as before, we'll delve into each assignment, since they are part of the certification challenge.

Assignment 1 requirements are as follows:

Create a Shell_Bind_TCP shellcode
Binds to a port
Needs a "Passcode"
If Passcode is correct then Execs Shell
Remove 0x00 from the Bind TCP Shellcode discussed

SLAE32 - Assignment 7

This is a continuation of a seven (7) part series for the SLAE32 Certification challenge. You can read the first six (6) parts here:

Part 1 - Assignment 1

Part 2 - Assignment 2

Part 3 - Assignment 3

Part 4 - Assignment 4

Part 5 - Assignment 5

Part 6 - Assignment 6

The requirements for this assignment are as follows:

Create a custom crypter like the one shown in the "crypters" video
Free to use any existing encryption schema
Can use any programming language

Full code can be found on GitHub here:
https://github.com/blu3gl0w13/SLAE32/tree/master/assignment-7

Supplemental scripts developed for this class can be found on GitHub here:
https://github.com/blu3gl0w13/SLAE32/tree/master/scripts

SLAE32 - Assignment 6

This is a continuation of a seven (7) part series for the SLAE32 Certification challenge. You can read the first five (5) parts here:

Part 1 - Assignment 1

Part 2 - Assignment 2

Part 3 - Assignment 3

Part 4 - Assignment 4

Part 5 - Assignment 5

The requirements for this assignment are as follows:

Take up 3 shellcodes from Shell-Storm and create polymorphic versions of them to beat pattern matching
The polymorphic versions cannot be larger than 150% of the existing shellcode
Bonus points for making it shorter in length than the original

Full code can be found on GitHub here:

https://github.com/blu3gl0w13/SLAE32/tree/master/assignment-6

Supplemental scripts developed for this class can be found on GitHub here:

https://github.com/blu3gl0w13/SLAE32/tree/master/scripts

SLAE32 - Assignment 5

This is a continuation of a seven (7) part series for the SLAE32 Certification challenge. You can read the first four (4) parts here:

Part 1 - Assignment 1

Part 2 - Assignment 2

Part 3 - Assignment 3

Part 4 - Assignment 4

The requirements for this assignment are as follows:

Take up at least 3 shellcode samples created using Msfpayload (msfvenom) for linux/x86
Use GDB/Ndisasm/Libemu to dissect the functionality of the shellcode
Present your analysis

Full code can be found on GitHub here:
https://github.com/blu3gl0w13/SLAE32/tree/master/assignment-5

Supplemental scripts developed for this class can be found on GitHub here:
https://github.com/blu3gl0w13/SLAE32/tree/master/scripts

SLAE32 - Assignment 4

This is a continuation of a seven (7) part series for the SLAE32 Certification challenge. You can read the first three (3) parts here:

Part 1 - Assignment 1

Part 2 - Assignment 2

Part 3 - Assignment 3

The requirements for this assignment are as follows:

Create a custom encoding scheme like the "Insertion Encoder" we showed you
PoC with using execve-stack as the shellcode to encode with your schema and execute

The code for this assignment can be found on GitHub here:

https://github.com/blu3gl0w13/SLAE32/tree/master/assignment-4

Supplemental scripts I developed for this course can be found on GitHub here:

https://github.com/blu3gl0w13/SLAE32/tree/master/scripts

SLAE32 - Assignment 3

This is part three (3) in a seven (7) part series for the SecurityTube Linux Assembly Expert 32-bit certification challenge. You can find part one (1) here: Part 1 - Assignment 1.

You can read part two (2) here: Part 2 - Assignment 2.

In assignment three (3), we were given the following instructions:

Study about the Egg Hunter shellcode
Create a working demo of the Egg Hunter
Should be configurable for different payloads

The full code for this assignment can be found here:
https://github.com/blu3gl0w13/SLAE32/tree/master/assignment-3.

Supplemental scripts can be found here:
https://github.com/blu3gl0w13/SLAE32/tree/master/scripts

I must say, I really enjoyed this assignment. I had some experience with Egg Hunters during the Pentesting with Kali (PWK) course offered by Offensive Security. With my newfound assembly skills, though, this offered a chance to really understand some of the assembly instructions being used. For this assignment I relied heavily on the following articles:

http://ww…

SLAE32 - Assignment 2

Welcome to part two (2) in our seven (7) part series for the SecurityTube Linux Assembly Expert 32-bit certification challenge. This blog represents the second assignment out of seven (7) and the requirements for assignment two (2) are as follows:

Create a Shell_Reverse_TCP shellcode
Reverse connects to a configured IP and PORT
Execs shell upon connection
The IP and PORT should be easily configurable

Part one (1) can be found here: https://infoseccafe.blogspot.com/2016/10/slae32-assignment-1.html

The code for this assignment can be found on GitHub at the following location: https://github.com/blu3gl0w13/SLAE32/tree/master/assignment-2

Supplemental scripts that I developed for this class can be found on GitHub at the following location: https://github.com/blu3gl0w13/SLAE32/tree/master/scripts

Compared to assignment one (1), this code was actually a lot shorter, and if we think about this a little bit, it makes a lot of sense. Instead of using four (4) different SOCKET system calls (SOCKET,…

SLAE32 - Assignment 1

In preparation for the next Offensive Security certification class and challenge (CTP and OSCE), I decided to invest some time and energy into the Security Tube Linux Assembly Expert 32-bit class, so that I would have a solid foundation in understanding the finer workings of Assembly. This was especially important since the focus of my second Bachelor's degree was more along the lines of system administration and back-end web development rather than the programming focus of Computer Science. Still, I never stop learning and barely slow down at times.

This was the first assignment out of seven (7) and the requirements for assignment one (1) were as follows:

Create a Shell_Bind_TCP shellcode
Binds to a port
Execs shell upon connection
The PORT number should be easily configurable

This is a pretty standard request but I must admit the process was only somewhat familiar. I knew I could write the code pretty easily once I understood the process. For this, I had to fall back on my love for Python to un…

PWK and the OSCP Review

Back in 2014 I started down the Pentesting With Kali (PWK) course about a month after passing the CISSP exam, for which I self-studied for about 4 months. What can I say, I was a glutton for punishment, but it was well worth it. I started off with 90 days, but due to a crazy work schedule, wound up extending it another 30 for a total of 120 days of lab access. I'm not as young as I would like to think I am and have other important responsibilities as Dad and Husband, which I consider "Priority 1". So, my time to study, perform the homework assignments, go through the modules, videos, and lab work was limited to 2 hours in the morning before work (typically 5am until 7am), and then again for a few hours after everyone was asleep in the house (typically 9pm until 11pm or Midnight). On weekends I could usually spend up to 6 hours on Saturdays and Sundays studying, which helped tremendously.

Other people have already done a great job at reviewing the PWK course and the OSCP chall…