The Open Web Application Security Project (OWASP) Los Angeles Chapter has teamed up with the Orange County, Inland Empire, San Diego, and San Francisco Bay Area chapters to bring you another great AppSec California. Join us and your peers for amazing talks and networking on January 22-25, 2019!
Training
Tuesday, January 22
 

9:00am PST

Real World Red Team Attacks [Day 1 of 2]
Course Abstract

The days of exploiting MS08-067, encoding with Shikata Ga Nai, and blindly scanning are gone. Blackhat hackers and pentesters alike have shifted to using more advanced techniques to bypass AV, leave a smaller footprint to evade SIEM detection, and continually stay persistent to devastate enterprise networks. If you are looking to take your craft to the next level, this is the primer course for you.

This training course was custom developed to put you right in the action and simulate real world red team attacks. You'll take a red teamer's approach: social engineer your way into a company, gain information about the network, pivot to valuable resources, and gain access to all the company's secrets.

This isn't your average pentest course! We built the labs around what we are seeing as red teamers.

Training Syllabus

Day 1:

- Red Team Mindset
- Recon
- Creating Malware For Your Campaigns
- Setting Up C2 Servers
- Social Engineering
- Compromise Your Victims
- Living Off The Land
- Moving Laterally In Windows/Active Directory

Day 2:

- Pivoting/Lateral Movement in Linux
- Compromising Common Applications for Post Exploitation
- DNS C2 And Network Limitations
- Local Linux Privilege Escalation
- Creating Valuable Reports
- CTF

Upon Completion of this training, attendees will know:

- How to think like the bad guys do
- How to evade AV and network detection tools
- How to get around Windows protections
- How to live off the land
- How to write valuable reports to improve security

System Requirements:
  • Download the Custom Virtual Image prior to class: dl1.thehackerplaybook.com/THP-vm-class.zip
  • Must have Administrator Access (to disable host firewall)
  • Disable any 3rd party firewall/AV 
  • Bring all network connectivity dongles
  • Have capacity to run two virtual machines simultaneously using either VMware Workstation or Player or Fusion (for OS X).
  • 30GB of free disk space
  • And, a passion to learn!
Pre-check Guidelines
  • Install VMware Workstation or VMware Fusion
  • Unzip the Custom Virtual Image and double click on the .vmx file
  • Make sure the Custom Virtual Machine’s Network Adaptor is configured on Bridged Mode
  • Plug in an ethernet cable (disable wireless) and make sure the VMware image can get an IP (This is where most people have problems).  If you have problems:
    • Mac: go to settings on your image, Network Adapter, and change it from autodetect to your network adapter.
    • Windows: go to Edit -> Virtual Network Editor -> Change Settings -> and change the Bridge To to your network adapter.
  • Try to nmap your local network with the VMware image and make sure you get results (username root and password toor).
Additional Questions
  • Can I use Virtual Box?  Sure, people have used it in the class, but we don’t support Virtual Box.  We highly recommend VMware.  If you do use Virtual Box, please make sure you test prior to coming onsite and that your network adapter is in Bridged Mode.
  • Should I update the Virtual Image?  No, please do NOT update the image.  Everything has been tested and validated with the current version of the Virtual Image.
  • What should I prepare for the class? Other than the pre-check guidelines, there isn’t anything else to prepare. If you aren’t comfortable with basic Linux commands or have never used VMware, now would be a good time to brush up on them.

Pre-requisites for attendees:

- Familiarity with Metasploit and similar tools
- Basic understanding of penetration testing methodology and tools
- Basic GNU/Linux command line
- Basic understanding of Active Directory

Speakers
Peter Kim

CEO, Secure Planet
Peter Kim has been in the information security industry for the last 12 years and has been running red teams/penetration testing for the past 8 years. He has worked for multiple utility companies, Fortune 1000 entertainment companies, government agencies, and financial organizations. He...


Tuesday January 22, 2019 9:00am - 5:00pm PST
Terrace Lounge

9:00am PST

The Bug Hunter's Methodology [Day 1 of 2]
Course Abstract

The Bug Hunter's Methodology is a comprehensive two-day training on offensive web security testing. It is aimed primarily at web application security testers and bug bounty hunters. TBHM focuses on the newest tools and techniques for web application testers. The class goes over such topics as:

  • Advents in web recon
  • Prioritizing target testing areas by technology and features
  • Crash course on Burp Suite
  • Blind XSS
  • Server-side template injection
  • Server-side request forgery
  • Code injection (SQLi, PHP, ++)
  • XXE
  • Robbing misconfigured infrastructure (AWS)
  • git pillaging
  • GitHub robbing
  • CI/Code repositories exploitation
  • Subdomain takeover
  • and more!

Training Syllabus

Day 1:

Emergent web recon (Large Module, LIVE labs)
- IP enumeration (ASNs and Cloud)
- Brand Enumeration (Acquisitions, RevWHOIS, Reverse tracker Analysis)
- Subdomain Enumeration (Scraping and Bruteforcing)
- Effective Port Scanning
- Version based vulnerability analysis
- Directory Bruteforcing / Content Discovery best practices
- Prioritizing target testing areas by technology and features

Crash course on Burp Suite
- Burp Setup and helpers
- Burp proxy and scope
- Burp Intruder
- Burp Repeater and configuration setting
- Getting to know Burp through use-cases: LABS

Blind XSS
- An introduction to BXSS
- Available BXSS frameworks
- LABS

Server-side template injection
- An introduction to SSTI
- SSTI Identification
- SSTI Tooling
- SSTI LABS

Day 2:

Server-side request forgery
- An introduction to SSRF
- SSRF Identification
- SSRF Tooling
- SSRF LABS

Code injection (SQLi, ++)
- Common (still available today) types of code injection
- SQLmap crash course
- SQLi common areas
- LABS

XML External Entity Injection
- An introduction to XXE
- XXE Identification
- XXE Tooling / payloads
- XXE LABS

Access Control Testing
- The ever-giving IDOR and MFLAC
- Examples
- LABS

Robbing misconfigured infrastructure
- Introduction to AWS S3 permissions
-- Labs
- git pillaging
-- Labs
- GitHub robbing
-- Live exercise
- CI/Code repositories exploitation (no lab)
- Subdomain takeover
-- Labs

Upon Completion of this training, attendees will know:

At the end of this course, students should have some solid fundamentals in web testing for vulnerabilities that are more likely to show up in the wild TODAY. The course aims to arm the student not only with the techniques, tools, and labs, but also with a contextual and data-driven methodology on where and how to look for each vulnerability.

Attendees should bring:

Laptop, Burp Suite (PRO preferably), VM or equivalent access to *nix command line.

Pre-requisites for attendees:

General Web application security testing knowledge required.
Some topics will assume some knowledge of OWASP Top Ten type vulnerabilities.

Speakers
Jason Haddix

Director, Speaker
Father, hacker, educator, gamer, & nerd. I am passionate about information security. Not only is security my career focus but it’s my hobby. I absolutely love my job. In my previous role as Director of Penetration Testing I led efforts on matters of information security consulting...


Tuesday January 22, 2019 9:00am - 5:00pm PST
Sand and Sea Room
 
Wednesday, January 23
 

9:00am PST

Real World Red Team Attacks [Day 2 of 2]
Course Abstract

The days of exploiting MS08-067, encoding with Shikata Ga Nai, and blindly scanning are gone. Blackhat hackers and pentesters alike have shifted to using more advanced techniques to bypass AV, leave a smaller footprint to evade SIEM detection, and continually stay persistent to devastate enterprise networks. If you are looking to take your craft to the next level, this is the primer course for you.

This training course was custom developed to put you right in the action and simulate real world red team attacks. You'll take a red teamer's approach: social engineer your way into a company, gain information about the network, pivot to valuable resources, and gain access to all the company's secrets.

This isn't your average pentest course! We built the labs around what we are seeing as red teamers.

Training Syllabus

Day 1:

- Red Team Mindset
- Recon
- Creating Malware For Your Campaigns
- Setting Up C2 Servers
- Social Engineering
- Compromise Your Victims
- Living Off The Land
- Moving Laterally In Windows/Active Directory

Day 2:

- Pivoting/Lateral Movement in Linux
- Compromising Common Applications for Post Exploitation
- DNS C2 And Network Limitations
- Local Linux Privilege Escalation
- Creating Valuable Reports
- CTF

Upon Completion of this training, attendees will know:

- How to think like the bad guys do
- How to evade AV and network detection tools
- How to get around Windows protections
- How to live off the land
- How to write valuable reports to improve security

System Requirements:
  • Download the Custom Virtual Image prior to class: dl1.thehackerplaybook.com/THP-vm-class.zip
  • Must have Administrator Access (to disable host firewall)
  • Disable any 3rd party firewall/AV 
  • Bring all network connectivity dongles
  • Have capacity to run two virtual machines simultaneously using either VMware Workstation or Player or Fusion (for OS X).
  • 30GB of free disk space
  • And, a passion to learn!
Pre-check Guidelines
  • Install VMware Workstation or VMware Fusion
  • Unzip the Custom Virtual Image and double click on the .vmx file
  • Make sure the Custom Virtual Machine’s Network Adaptor is configured on Bridged Mode
  • Plug in an ethernet cable (disable wireless) and make sure the VMware image can get an IP (This is where most people have problems).  If you have problems:
    • Mac: go to settings on your image, Network Adapter, and change it from autodetect to your network adapter.
    • Windows: go to Edit -> Virtual Network Editor -> Change Settings -> and change the Bridge To to your network adapter.
  • Try to nmap your local network with the VMware image and make sure you get results (username root and password toor).
Additional Questions
  • Can I use Virtual Box?  Sure, people have used it in the class, but we don’t support Virtual Box.  We highly recommend VMware.  If you do use Virtual Box, please make sure you test prior to coming onsite and that your network adapter is in Bridged Mode.
  • Should I update the Virtual Image?  No, please do NOT update the image.  Everything has been tested and validated with the current version of the Virtual Image.
  • What should I prepare for the class? Other than the pre-check guidelines, there isn’t anything else to prepare. If you aren’t comfortable with basic Linux commands or have never used VMware, now would be a good time to brush up on them.

Pre-requisites for attendees:

- Familiarity with Metasploit and similar tools
- Basic understanding of penetration testing methodology and tools
- Basic GNU/Linux command line
- Basic understanding of Active Directory

Speakers
Peter Kim

CEO, Secure Planet
Peter Kim has been in the information security industry for the last 12 years and has been running red teams/penetration testing for the past 8 years. He has worked for multiple utility companies, Fortune 1000 entertainment companies, government agencies, and financial organizations. He...


Wednesday January 23, 2019 9:00am - 5:00pm PST
Terrace Lounge

9:00am PST

The Bug Hunter's Methodology [Day 2 of 2]
Course Abstract

The Bug Hunter's Methodology is a comprehensive two-day training on offensive web security testing. It is aimed primarily at web application security testers and bug bounty hunters. TBHM focuses on the newest tools and techniques for web application testers. The class goes over such topics as:

  • Advents in web recon
  • Prioritizing target testing areas by technology and features
  • Crash course on Burp Suite
  • Blind XSS
  • Server-side template injection
  • Server-side request forgery
  • Code injection (SQLi, PHP, ++)
  • XXE
  • Robbing misconfigured infrastructure (AWS)
  • git pillaging
  • GitHub robbing
  • CI/Code repositories exploitation
  • Subdomain takeover
  • and more!

Training Syllabus

Day 1:

Emergent web recon (Large Module, LIVE labs)
- IP enumeration (ASNs and Cloud)
- Brand Enumeration (Acquisitions, RevWHOIS, Reverse tracker Analysis)
- Subdomain Enumeration (Scraping and Bruteforcing)
- Effective Port Scanning
- Version based vulnerability analysis
- Directory Bruteforcing / Content Discovery best practices
- Prioritizing target testing areas by technology and features

Crash course on Burp Suite
- Burp Setup and helpers
- Burp proxy and scope
- Burp Intruder
- Burp Repeater and configuration setting
- Getting to know Burp through use-cases: LABS

Blind XSS
- An introduction to BXSS
- Available BXSS frameworks
- LABS

Server-side template injection
- An introduction to SSTI
- SSTI Identification
- SSTI Tooling
- SSTI LABS

Day 2:

Server-side request forgery
- An introduction to SSRF
- SSRF Identification
- SSRF Tooling
- SSRF LABS

Code injection (SQLi, ++)
- Common (still available today) types of code injection
- SQLmap crash course
- SQLi common areas
- LABS

XML External Entity Injection
- An introduction to XXE
- XXE Identification
- XXE Tooling / payloads
- XXE LABS

Access Control Testing
- The ever-giving IDOR and MFLAC
- Examples
- LABS

Robbing misconfigured infrastructure
- Introduction to AWS S3 permissions
-- Labs
- git pillaging
-- Labs
- GitHub robbing
-- Live exercise
- CI/Code repositories exploitation (no lab)
- Subdomain takeover
-- Labs

Upon Completion of this training, attendees will know:

At the end of this course, students should have some solid fundamentals in web testing for vulnerabilities that are more likely to show up in the wild TODAY. The course aims to arm the student not only with the techniques, tools, and labs, but also with a contextual and data-driven methodology on where and how to look for each vulnerability.

Attendees should bring:

Laptop, Burp Suite (PRO preferably), VM or equivalent access to *nix command line.

Pre-requisites for attendees:

General Web application security testing knowledge required.
Some topics will assume some knowledge of OWASP Top Ten type vulnerabilities.

Speakers
Jason Haddix

Director, Speaker
Father, hacker, educator, gamer, & nerd. I am passionate about information security. Not only is security my career focus but it’s my hobby. I absolutely love my job. In my previous role as Director of Penetration Testing I led efforts on matters of information security consulting...


Wednesday January 23, 2019 9:00am - 5:00pm PST
Sand and Sea Room
 