This past weekend, I was at the Women in Cybersecurity Summit in Dallas, TX, both recruiting for my company and copresenting a workshop on web application penetration testing. It was a real eye-opening event for me, mostly because it was the first security event I’ve attended where the bulk of the attendees were students or faculty. I had a great time and met a lot of interesting people, and it’s a very small event, which is something I’m not terribly used to, since I usually go to bigger events.

Talking with undergraduates was particularly inspiring – when I was an undergraduate, there weren’t programs at major universities focusing on information security like there are today. (Even if they insist on calling it “cybersecurity” for marketing reasons.) So many of the undergraduates (and graduates!) had a passion that you don’t see even in a lot of working progressionals, whose cynicism dominates their view of the industry. Also amazing is the level of research and innovation being done by undergraduates. I did some research as an undergraduate, and I know how exciting that can be, so I’m glad to hear of the undergraduates who are getting that opportunity. One student told me about her projects involving machine learning and insider threats, which just blew my mind. I was ecstatic to hear when other students mentioned doing research into censorship and mass surveillance – it’s critical that we get more people, especially upcoming professionals, thinking and working about these key issues.

I’m also hopeful to see more diversity in the security industry: diversity helps prevent group think, helps innovation, and ultimately brings more to the table. Though this conference was definitely light on the tech (compared to what I normally attend), I’m glad to see it succeeding and I hope to see the fruits of its labor next time I’m at another conference.

This weekend, I attempted what might possibly be my hardest academic feat ever: to pass the Offensive Security Certified Expert exam, the culmination of OffSec’s Cracking the Perimeter course. 48 hours of being pushed to my limits, followed by 24 hours of time to write a report detailing my exploits. I expected quite a challenge, but it really pushed me to my limits. The worst part of all, however, was the 50 hours or so that passed between the time I submitted my exam report and the time I got my response.

For obvious reasons (and to comply with their student code of conduct), I can’t reveal details of the exam nor the exact contents of the course, but I did want to review a few things about it.

The Course

The course covers a variety of topics ranging from web exploitation to bypassing anti-virus to custom shellcoding with egghunters and restricted character sets. The combination of different techniques to exploit services is also covered. While there are web topics that will obviously apply to all operating systems, all of the memory corruption exploits and anti-virus bypass are targeting Windows systems, though the techniques discussed mostly apply to any operating system. (There is discussion of SEH exploits, which is obviously Windows-specific.)

Compared to PWK, there’s a number of differences. PWK focuses mostly on identifying, assessing, and exploiting publicly-known vulnerabilities in a network in the setting of a penetration test. CTP focuses on identifying and exploiting newly-discovered vulnerabilties (i.e., 0-days) as well as bypassing limited protections. While PWK has a massive lab environment for you to compromise, the CTP lab environment is much smaller and you have access to all the systems in there. The CTP lab, rather than being a target environment, is essentially a lab for creating proofs-of-concept.

My biggest disappointment with the CTP lab is the lack of novel targets or exercises compared to the material presented in the coursebook and videos. For the most part, you’re recreating the coursebook material and experiencing it for yourself, but I almost felt a bit spoonfed by the availability of information from the coursebook when performing the labs. I would have liked more exercises to practice the described techniques on targets that were not described in the course materials.

Depending on how many hours a day you can spend on it and your previous experience, you may only need 30 days of lab time. I bought 60, but I think I would’ve been fine with 30. (On the other hand, I appreciated having 60 days for the PWK lab.)

The Exam

If you’ve successfully completed (and understood) all of the lab material, you’ll be well-prepared for the exam. The course material prepares you well, and the exam focuses on the core concepts from the course.

The exam has a total of 90 points of challenges, and 75 points are required to pass. I don’t know if everyone’s exam has the same number and point value of challenges (though I suspect they do), but I’ll point out that more than one of my challenges on the exam was worth more than the 15 points you’re allowed to miss. Put another way, some of the challenges are mandatory to complete on the exam.

The exam is difficult, but not overly so if you’re well prepared. I began at about 0800 on Friday, and went until 0100 Saturday morning, then slept for about 5 hours, then put in another 3 or 4 hours of effort. At that point, I had managed the core of all of the objectives and felt I had refined my techniques and exploits as far as I could. Though there was a point or two where it could have gotten better, I wasn’t sure I could do that in even 24 hours, so I moved on to the report – I figured I’d rather get a good report and have access to the lab to get any last minute data, screenshots, or fix anything I realized I screwed up. About noon, I had my report done and emailed, and began waiting for results. The fact that my F5 key is now worn down is purely coincidence. :)

Tips:

• Be well rested when you begin.
• Don’t think you’ll power through the full 48 hours. At a certain energy level, you’ve hit a point of diminishing returns and will start even working backwards by making more mistakes than you can make headway.
• You’ll want caffeine, but moderate your intake. Jumpy and jittery isn’t clear-headed either.
• Take good notes. You’ll thank yourself when you write the report.

Conclusion

The Cracking the Perimeter class is totally worth the experience. Before this class, I’d never implemented an egghunter, and I’d barely even touched Win32 exploitation. Though some people have complained that the material is dated, I believe it’s a case of “you have to walk before you can run”, and I definitely feel the material is still relevant. (That’s not to say it couldn’t use a bit of an update, but it’s definitely useful.) Now I have to find my next course. (Too bad AWE and AWAE are always all full-up at Black Hat!)

I’ve been having a lot of trouble lately, feeling like I’m not doing the things I need to do to move towards my personal goals or ensure that I continue to do interesting work. As one of several things I’m trying to do, I’m trying to catalog things that have inspired me recently, or whose work I aspire to imitate. This is a no-particular-order list of classes, presentations, videos, papers, and other that remind me why I love working in Information Security, in hopes that it will help me find my mojo and enthusiasm for what I do again.

• Reverse engineering hardware for software reversers: studying an encrypted external HDD
• jtagsploitation
• RPISEC Modern Binary Exploitation
• RPISEC Malware Analysis
• Planning Effective Red Team Exercises
• Tales of a Bug Bounty Hunter
• IOActive Labs Research: Got 15 minutes to kill? Why not root your Christmas gift?
• CVE-2016-1562: Unauthenticated “filter” parameter leads to customer information leak in the DTE Energy Insight app – jeffq, published
• jhaddix/tbhm: The Bug Hunters Methodology
• An Introduction to radare2 – sushant94
• XSS via PNG Content Types
• Encoding Web Shells in PNG IDAT chunks
• Uber Bug Bounty: Turning Self-XSS into Good-XSS – fin1te

There’s a lot of debate going on right now about banning encryption. Now, some people might refer to this as a backdoor or “providing government access” or whatever term they’d like to use to discuss it, but as a security professional, I see only one thing as encryption: the kind that’s completely unbreakable, even by the FBI or the NSA or the Chinese government or anyone else. Anything else is simply not encryption, as it does not guarantee your confidentiality. So, I’m going to talk about banning encryption as equivalent to providing a government backdoor or any of the other clever ways it’s being spun.

First, I want to talk about why banning encryption will fail. Encryption software is a Pandora’s Box, and it’s already open. Attempting to ban all encryption would work about as well as banning nuclear weapons, banning guns, or banning drugs. The war on drugs alone is enough evidence that government bans do not have meaningful impact, and that the people who are affected the most are the innocent bystanders. Strong cryptosystems already exist, and attempting to ban them will result in insecurity for the masses, but criminals will continue to use the existing systems, resulting in no improvement in the ability to fight crime.

Further, so long as any government supports liberty and freedom, there will be other places to get their strong crypto. Even if companies in the United States and the United Kingdom are prohibited from distributing strong cryptography, there are nearly 200 other countries in the world where such software might come from. So, we can assume that criminals will continue to have access to these tools, while the legitimate users are deprived of their use.

So, if the US demands a back door in a previously-secure system, and the author complies, then China comes along and demands a back door, we end up with a swiss cheese of backdoors waiting to fall over. We know that governments can’t secure their own data, so what makes us think they’ll be able to secure their keys for these systems?

America’s constitution is based on foundations of freedom and liberty, and it seems we’ve been scared by our own politicans into giving up these freedoms. Anonymity and privacy are critical to democracy – they allow minorities to express their viewpoint without fear of retribution, they allow groups to organize, and they allow whistleblowers to do so safely. Cases like the breach of the Democrat donor database show how strong encryption could have protected privacy in the political process.

According to Human Rights Watch, “Strong encryption and anonymity are critical for protecting human rights defenders, journalists, and ordinary users in the digital age,” and the United Nations Commission on Human Rights states:

Encryption and anonymity, and the security concepts behind them, provide the privacy and security necessary for the exercise of the right to freedom of opinion and expression in the digital age. Such security may be essential for the exercise of other rights, including economic rights, privacy, due process, freedom of peaceful assembly and association, and the right to life and bodily integrity. Because of their importance to the rights to freedom of opinion and expression, restrictions on encryption and anonymity must be strictly limited according to principles of legality, necessity, proportionality and legitimacy in objective.

We’ve hit upon a critical era for society, and it’s important we don’t lose sight of the freedoms and liberties that have built what we have and have made America great. It’s because I believe in personal liberties that I support the EFF and the ACLU, and consider privacy my single most important issue in the 2016 election cycle.

Just a quick note to go with something I dropped on Github recently: pwnpattern is a python library and stand-alone script that replicates most of the functionality of Metasploit Framework’s pattern_create.rb and pattern_offset.rb. The patterns created are identical to those from Metasploit, so you can even mix and match tools.

There are several reasons I wrote this:

• You don’t need a full copy of metasploit installed for creating patterns for e.g., wargames, CTFs, etc.
• It loads much more quickly: on my machine, Metasploit’s pattern_create.rb takes 2.29s, my script takes 0.01s. This is due, of course, to dependencies (MSF’s requires the entire Rex library to be loaded) but it is kind of nice to not wait for things.
• It can be embedded in python scripts (just like Rex can be embedded in Ruby scripts).