Skip to main content

SLAE/SLAE64 Course Review

  After recently finishing both the SLAE (http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/index.html) and SLAE64 (http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html) courses available through SecurityTube Training, and earning both certifications, I thought I would write a review of the training itself. Personally, I chose these course as a way to learn Assembly in preparation for the Crack The Perimeter (CTP) course and OSCE certification. After taking the Pentesting With Kali (PWK) class and earning the OSCP, I knew I needed to fill some gaps in my knowledge, and specifically with C and Assembly programming. Seeing that there aren't many training offerings that aim to teach Assembly specific to penetration testing and shellcoding, I gave SLAE a try.

  If you don't care about the certification itself, you can obtain all of SecurityTube's videos for a small monthly fee through Pentester Academy http://www.pentesteracademy.com/. We have a subscription where I work, so following the SLAE course, I jumped right into the videos for SLAE64 to learn the differences between ia-32 and x86_64 Assembly. After quickly identifying the main differences as it pertains to shellcode and system calls, I skimmed the remaining videos and signed up for the class and certification attempt. A week later, I was writing the scripts and blogging for the certification challenge. I also reused whatever code I could from the SLAE course and reworked those scripts to be compatible on x86_64. There were enough similarities between the two that this technique worked really well. Ok, enough of an intro, let's dive into the meat of each course. We'll start with the ia-32 SLAE course.

SLAE Course


SLAE Logo
This course starts with the very basics of ia-32 Assembly with a brief introduction and definition of Assembly language and its purpose, an explanation of the various parts of a processor, how it interacts with memory, a brief history of Assembly, General Purpose Registers, and some of the expanded features of a modern Intel processor such as the Floating Point Unit (FPU), and MMX registers. Once the student is familiar with these concepts, Vivek Ramachandran walks the student through the various general purpose registers, basic Assembly programming, how to compile Assembly programs, how to link them, and how to execute them. GDB is also covered in depth and a benefit to registering for the class, as opposed to Pentester Academy subscription, is the Student will also get the full GDB course. I found this helpful to extract little useful nuggets and commands within GDB to help with debugging the Assembly scripts during the SLAE course. As the class progresses, the student is introduced to System Calls on Linux, and taught how to execute system calls directly in Assembly. From here, concepts like the Stack and Heap are introduced, as well as specific purposes for some of the General Purpose registers. Memory models are covered as in depth as possible without losing the student, and a few helpful Linux commands for discovering information about the current processor on the system.

  The student is then walked through how to code a typical "Hello World" program in Assembly, compile and link it, and finally debug the program in GDB. As the course continues, the level of difficulty is increased at what I thought was a good pace. Stack interaction, system calls, how to use specific sections of an Assembly program (.text, .data, etc...), Data Types, Loops, Jumps, commonly used instructions, each with an example exercise for the student to complete follows suit. All exercises are then debugged in GDB so the student becomes familiar with debugging his/her code. I thought this was probably one of the more helpful parts of the course to understand how to troubleshoot your code not executing properly (segfaults!). As the class continues, some of the more complex instructions are taught along with homework exercises for the student to practice what they learned. Dynamically assigning addresses using a JMP CALL POP technique is introduced, as well as polymorphism and how to handle unknown shellcode. The class recommends using a 32-bit Ubuntu Desktop VM but I found using a 32-bit version of Kali Linux the most helpful, especially towards the end of the course when tools like Libemu, and NDISASM are taught to help figure out what unknown shellcode does. It's also important to get familiar with these tools because they are required for one of the certification challenges. Additional topics are taught throughout the course such as how to dump the actual shellcode from each program the student writes. Once Module Two (2) is reached, there is a ton of hands on practice with each video and section of slides. The difficulty gradually increases up through the end of the course when encoders, crypters, and polymorphism is covered in a bit more depth.

  The certification challenges are probably the best part about this course and even if you don't care about certifications, I encourage you to try them anyways and here's why. The course itself gives the student the tools for being able to perform the certification challenges but the challenges themselves take the class to a whole other level! I found myself quite challenged when doing the certification challenges, even more so than the challenge I encountered during the class itself. It was really riveting and well worth it. Think about how you feel on Christmas when you get something you forgot to put on your Christmas list that you really always wanted. That's what the certification challenges felt like. You can see my solutions if you want here: https://infoseccafe.blogspot.com/2016/10/slae32-assignment-1.html. Overall, I feel this course and certification challenge has prepared me for the CTP and OSCE very well. I can only hope Vivek makes a class to teach C programming as it pertains to Penetration Testing and Exploit Development. Until then, I'll brush up on C elsewhere.

SLAE64 Course


Like the SLAE course the SLAE64 course begins along the same lines with slight differences. Obviously it covers the new labels for the 64-bit registers along with the additional 64-bit registers not found in ia-32 processors. System calls are different, some of the gotchas associated with some of the legacy registers are covered with references straight out of the ia32-64 developer's manual. The stack is covered again, polymorphism, encoders, decoders, crypters, and additional cool features within GDB (--tui mode). Unlike the SLAE course though, the SLAE64 class covers changes to SOCKET system calls (and they are a big deal). RIP relative addressing is covered along with JMP CALL POP again. Throughout the course, the student will have hands on examples after each video, the GDB course is given to those who register for the class, as opposed to a Pentester Academy subscription, each video exercise is also debugged in GDB so the student becomes familiar with using GDB to troubleshoot code issues. Segfaults are a normal occurrence through out this class and I found them to be both frustrating and extremely rewarding when the issue causing the segfault was overcome.

  My favorite part of this course was learning the difference between ia-32 and x86_64 and working through the hands on exercises. It was helpful to go through these thoroughly so that I could overcome my thinking that I could apply the same tactics in x86_64 as I did in ia-32. Don't get me wrong, you'll learn there are similarities but the differences are drastic enough that you'll be forced to learn them and remember them to reduce the likelihood of a coding mistake. This was the biggest lesson for me personally.

  The certification challenges were nearly identical to those of the SLAE class with a few modifications, outside of the expected ia-32 and x86_64 differences. Still, I found myself reusing some of my code from the SLAE certification challenge for this class and only had to modify it slightly. And, as expected, offered quite a bit more challenge than the course exercises. The student really has to apply what they learn which I prefer for certification challenges. You can read about the certification challenges here: https://infoseccafe.blogspot.com/2016/11/slae64-assignment-1.html

Final Thoughts


  If you're thinking about taking this class, don't wait any longer. The price is relatively inexpensive compared to other similar training courses out there. Vivek Ramachandran is well respected in the InfoSec community as it is and I think he does a great job breaking down the concepts into digestible pieces and ramping up the difficulty gradually throughout the course. I also had the chance to meet him at DefCon 22 and he's a super humble guy which is great to see. Both courses are really well laid out and progress very logically and the student will be appropriately challenged when coding the certification challenges. I can tell you that after taking this course, I can actually write Assembly and pull out the shellcode. Co-workers have come to me with requests and its fun to actually be able to help them. I've also recently built a vulnerable VM for our work lab encouraging my teammates to get into GDB and Assembly.

  If you're preparing for either the OSCP or the OSCE by Offensive Security, I highly recommend diving into the SLAE and SLAE64 courses. Yes, I know, SLAE and SLAE64 is specific to Linux and that is correct, however, and this is a big however, the foundations of Assembly are the same on both Windows and Linux. What I mean is, XOR RAX, RAX will accomplish the same thing on Linux as it will Windows. The differences lie in System Calls on Linux vs. Win32 API but the normal Assembly language is relatively the same. Once you have the Assembly down, you can easily translate it to Windows and start focusing on Windows specific nuances.

  I didn't give away all of the each course's details because I don't want to spoil some of the more fun exercises during each course but hopefully you have enough information to make an effective decision whether to spend time on these courses or not. Until next time, hack responsibly!

Comments

Post a Comment

Please leave a comment. Keep it on topic and appropriate for all audiences.

Popular posts from this blog

SLAE64 - Assignment 1

Following completion of the SLAE32 course (http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/index.html), I decided to take advantage of the Pentester Academy account we have at work to continue the training with SLAE64 (http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html). So, we'll delve into each assignment like we did before and because it's part of the certification challenge.

Assignment 1 requirements are as follows:

Create a Shell_Bind_TCP shellcodeBinds to a portNeeds a "Passcode"If Passcode is correct then Execs ShellRemove 0x00 from the Bind TCP Shellcode discussed

PWK and the OSCP Review

Back in 2014 I started down the Pentesting With Kali (PWK) course about a month after passing the CISSP exam, for which I self studied for about 4 months. What can I say, I was a glutton for punishment but it was well worth it. I started off with 90 days, but due to a crazy work schedule, wound up extending it another 30 for a total of 120 days of lab access. I'm not as young as I would like to think I am and have other important responsibilities as Dad and Husband which I consider "Priority 1". So, my time to study, perform the homework assignments, go through the modules, videos, and lab work were limited to 2 hours in the morning before work (typically 5am until 7am), and then again for a few hours after everyone was asleep in the house (typically 9pm until 11pm or Midnight). Weekends I could usually spend up to 6 hours on Saturdays and Sundays studying which helped tremendously.

Other people have already done a great job at reviewing the PWK course and the OSCP chall…