TECH TRAINING 5 – THE SHELLCODE LAB

OVERVIEW

So you have found a vulnerable target. You throw your exploit at it with its default shellcode. You sit there with high hopes of compromising the system, but you don’t get a shell. So what happened? There is a good chance the victim machine failed to connect back to you with the pre-packaged shellcode. Wouldn’t it be great if you could write your own shellcode to bypass security controls such as firewalls and authenticated proxies to increase your exploitation success rate?

Well now you can! You will be provided with a “Virtual Shellcode Development Environment” that is designed to enable shellcode development across multiple platforms. Students will learn how to write shellcode for Linux, Mac 64-bit OSX and Windows. The development of the shellcode is presented using easy to learn techniques. Starting off with an introduction to different shellcoding techniques on each platform, an introduction to basic memory management and assembly, followed by creating simple shellcode to write to stdout and call functions.

This gives students a base understanding and practical experience to develop simple shellcode. The complexity is then increased to more useful shellcode such as command execution, dynamic Windows shellcode, setting up backdoor listeners using sockets, shellcode networking to remotely gain a command shell, and egg hunter shellcode to search through memory for our payload. All of this is done whilst holding your hand so that you don’t miss a beat. Students will also learn about staged-loading shellcode to bypass security controls such as firewalls and authenticated proxies, and kernel level shellcode to perform privilege escalation.

Students are taught how to encode their shellcode using the Metasploit Exploit Framework (MSF), and insert it into exploits that will be used to show that their shellcode was successfully executed. They will learn how to use MSF to generate shellcode for a variety of platforms, as well as how to integrate their shellcode into MSF so that it is available to all Metasploit exploits.

WHO SHOULD ATTEND

• Penetration Testers, Security Officers, Security Auditors, System Administrators and anyone else who wants to tune their elite security skills.

• Anyone who is interested in shellcoding, exploitation, vulnerabilities or Metasploit are prime candidates for this course. Students will be taught from scratch everything they need to know to complete this course successfully and walk away with a thorough knowledge and practical skills on how to create shellcode.

• This class is a great follow on course to “The Exploit Laboratory” and “The Exploit Laboratory: Black Belt”. These students will have learned a lot about exploitation, but are still limited to pre-packaged shellcode. This course lets you create custom shellcode to maximize exploitation success rates.

• Developers who want to learn low-level security development skills with shellcoding and assembly.

• Managers who want to gain a more in depth understanding of how systems can be compromised, how security controls can be bypassed both at the operating system level and network level, and how network access controls and intrusion prevention systems play a big part in preventing shellcode successfully connecting back to the attacker, and the general risks associated with your network security.

WHAT TO BRING:

A working laptop with the following hardware/software requirements:

Hardware Requirements

• Intel 64-bit machine.

  Hardware must be able to run a 64-bit VM

  If you can only get an Intel 32-bit machine you will still be able to do 85% of the labs, so don’t fret.

• MINIMUM 2048 MB RAM required.

  If you can only get 1GB then you will get by but just slowly.

• Wireless network card – no wired network provided

• 20 GB free Hard disk space

• USB 2.0 port to copy lab VMs

Operating Systems (one of the following)

• Windows XP SP2/SP3 or Windows 7 (I don’t trust Vista so you are on your own, but go for it)

• Administrator access mandatory

• If it’s a company laptop with user access only, get your administrator to allow USB and install the latest version of VMWare Player

  • Ability to disable Anti-virus / Anti-spyware programs

  • Ability to disable Windows Firewall or personal firewalls

  • An SSH client, such as PuTTY

  • OR

  • Linux kernel 2.4 or 2.6

  • Kernel 2.4 or 2.6 required

  • Root access mandatory

  • Ability to use an X-windows based GUI environment

  • SSH should be available

NOT SUPPORTED: Macs

Up to you if you want to take the risk. As long as you can run VMWare machines in fusion you should be ok, but there are no guarantees and if you find you can’t boot the VMs up then you will be watching over someone else’s shoulder whilst they give you the evil eye.

PRE REQUISITES:

• Ability to work your way around Windows. If you don’t know how to “double-click” then you probably won’t find your way to the course anyway.

• Ability to work your way around Linux. Just the basic command line navigation.

• Ability to use a Linux text editor, such as vi, pico, joe, etc.

• Understand how to run a shell script.

• Understanding of basic assembly programming would be a huge bonus. If not don’t worry. The course is structured to hold your hand.

ABOUT THE TRAINER

Ty Miller (Chief Technology Officer, Pure Hacking)

Ty Miller is the Chief Technology Officer at Pure Hacking in Sydney Australia. He leads their specialist security team to ensure that his team is at the forefront of specialist information security services. Ty performs independent security research and presented at Black Hat 2008 in Las Vegas USA on his development of Reverse DNS Tunneling Shellcode. He is also a co-author of the book Hacking Exposed Linux 3rd Edition. Ty runs the popular shellcoding site Project Shellcode and was also involved in the design of the bootable CHAOS Linux cluster distribution. Ty has been in the IT security area for around ten years and has run numerous training courses to clients around the world and at various security conferences. These courses include web application penetration testing, web application secure coding, and infrastructure penetration testing. These have been run both face-to-face and online.