Tuesday, December 29, 2015

Wide Open to Interpretation: Java

Duke has gotten a lot more hard-core lately - I'm worried he's a Trump supporter.

We do private classes sometimes, and the most requested class by far is the Java class, which we are also giving at INFILTRATE 2016. But just because something is "Java" doesn't make it easy. I did a re-read of the whole Wide Open: Java class today. In many slides we suggest using "mature frameworks", but of course, in the last section of the talk there is a note about the bugs in so-called "mature frameworks".

Here's the thing about maturity: It makes you more complex. That line makes me feel like I'm writing an entry on my dating blog, but the reality is that when I learned Java, a class was a class and XXE was not a thing. Ah, the good ol' days, when "Beans" were a brand new, hip technology and you were probably using Solaris.

Your modern Enterprise web application runs in a very different way, and is audited in a very different way, and is being attacked by much more modern adversaries, some of which we've hired to do commercial services for you, and of course, teach you this class.

We knew you liked templates so we put an expressive templating system into your templates!

To sum up, "Mature Frameworks" are one small step from being "Legacy Frameworks", which are widely known to not be up to security standards. What this class does is go through modern Java, and how it's built today, from the standpoint of Immunity's professional auditing team. This is the exact same class we make our new consultants take, and it's excellent, and you can sign up today while there are still spots.

Monday, December 28, 2015

Wide Open to Interpretation: PHP

We're teaching a 2 day class at INFILTRATE this year on PHP and another one on Java. Both of them are linked, but in fact cover very different concepts. My main point is this: Just because you don't use PHP at your company doesn't mean you don't use PHP-like technologies. The deserialization issues PHP had last year, Java has this year. Getting ahead in software security means cross-training where possible.

It's also true that auditing PHP apps never goes out of style. Everyone uses PHP apps, just as everyone eats fries, no matter how vegan.

So what are you going to learn if you come to INFILTRATE and take the class? Here are some slides.

We've of course cut our sample target code down to show basic concepts but each is pulled from an impactful vulnerability.

PHP bugs can be deceptively simple at first.

One hint that the researcher was wrong is that we include them in our slides. :)

In any case - you should sign up for the class before it fills up, as it invariably does RIGHT BEFORE EVERYONE WANTS TO SIGN UP. But we cannot add more seats last minute. So a little prep-time is all I'm asking for this year. :)

Monday, November 16, 2015

Teaching Crypto without the Sandworms

Patterns are bad for fictional characters and our web cryptography

The Immunity ethos for education is that learning only comes from struggle and suffering. But suffering is always better as a team.

We’re constantly trying to balance not coddling our students with making the content achievable by most. Another key thing to understand is that at Immunity a critical part of our consulting output is exploits, so we expect our students to solve most of the exercises with PoCs. At Immunity there’s a heavy internal emphasis on each member of the technical team teaching one of our courses, and we also ensure our own team goes through each course.

Of course, the primary activity of any security consultant is web security assessments. Because of that, we've worked hard tuning our Web Hacking class.

Web Hacking is a three day course with 21 hours of hands on instruction. Unlike many classes in this area, we dedicate the entire last day to nothing but crypto. The most important element of successfully teaching this kind of material is the following rule: There cannot be more than 20 minutes of lecture before the students are doing an exercise.
"I have talked all I can talk, and now it is your turn."

The culminating exercise of each section is usually the students working independently for over an hour. Thinking in terms of constraints for crypto: we have 7 hours of classroom time to teach cryptographic attacks to an extremely varied audience. A brief pause here to acknowledge my coworker Matias Soler (@gnuler) who wrote this portion of the class - it’s the most difficult content we cover and it’s also the content we get the most positive feedback about. There's a lot of work in-between "How do I do this?" and "How do I teach this?" when it comes to some of these attacks, and we've built quite a lot of infrastructure to help us in class, from games, to sample bugs, to automation.

This is not a slide. It's a fully dynamic website to help you understand the attack.

So why learn the alphabet crypto soup that is ECB, CBC and padding oracles? It makes more sense to work backwards from padding oracle vulnerabilities, which are something we see a lot in consulting. ECB gets you blocks and padding. CBC gets you IVs and IMVs. You need all of that to understand padding oracle attacks. So how do we teach that?

Each topic is covered separately, so we have two exercises on ECB, two for CBC and two for padding oracle. Students tend to get very nervous about the math but there really isn’t anything more complex than algebra in the content we cover. The only mathematical operation students probably didn’t cover in high school is xor. Since we’ve been teaching this we haven’t had any student say they got stuck on the math. Much more problematic is thinking through the CBC algorithm; I think students immediately start imagining how impossible it would be to keep all the state in your head when processing more than a handful of blocks.

We put a lot of effort into diagramming the algorithms, and we wrote a pretty extensive suite of ‘helper’ web applications where students can plug values into different parts of the process and see how it affects everything else. If a student comes into our class with 0 programming experience I can be pretty satisfied as a teacher if they can solve the exercise with the helpers. We tend to throw multi-step problems at students but we’ve built up optional content that breaks the problems down into their component steps and solutions so that if someone is REALLY struggling we can inch them forward. At least once per class a student comes up to the front and we whiteboard a problem with them.
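As an added example (not one of the class's helper applications), here is a small CBC/PKCS#7 walkthrough you can step through the way the helpers let students plug in values: it shows that flipping one byte of ciphertext block n-1 flips the same byte of plaintext block n while garbling block n-1, and that a server whose padding failure is distinguishable from any other failure is the oracle, next to the encrypt-then-MAC pattern that removes it. The block cipher is a keyed Feistel toy constructed so the script runs with only the standard library; the keys and IV are constructed sample values.

```python
import hashlib
import hmac
BLOCK = 16
KEY = b"constructed-demo-key-not-a-secret"   # constructed; the toy cipher is NOT secure
MAC_KEY = b"constructed-demo-mac-key"        # constructed; used by the hardened server only
IV = bytes(range(BLOCK))                     # fixed so the walkthrough is reproducible

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def toy_block(block: bytes, decrypt: bool = False) -> bytes:  # 4-round Feistel standing in for AES
    f = lambda half, rnd: hmac.new(KEY, bytes([rnd]) + half, hashlib.sha256).digest()[:8]
    l, r = block[:8], block[8:]              # a Feistel network is a bijection, like a real block cipher
    for rnd in (reversed(range(4)) if decrypt else range(4)):
        l, r = (xor(r, f(l, rnd)), l) if decrypt else (r, xor(l, f(r, rnd)))
    return l + r
def pad(data: bytes) -> bytes:               # PKCS#7: n bytes, each of value n
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n
def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(pt: bytes) -> bytes:         # C[n] = E(P[n] xor C[n-1]), C[-1] = IV
    out, prev = b"", IV
    for i in range(0, len(pt), BLOCK):
        prev = toy_block(xor(pt[i:i + BLOCK], prev))
        out += prev
    return out
def cbc_decrypt(ct: bytes) -> bytes:         # P[n] = D(C[n]) xor C[n-1]: one ciphertext byte touches two blocks
    out, prev = b"", IV
    for i in range(0, len(ct), BLOCK):
        out += xor(toy_block(ct[i:i + BLOCK], decrypt=True), prev)
        prev = ct[i:i + BLOCK]
    return out

def leaky_server(ct: bytes) -> str:          # vulnerable: a padding failure is distinguishable
    try:
        unpad(cbc_decrypt(ct))
        return "ok"
    except ValueError:
        return "bad padding"                 # this distinct answer is the oracle
def mac_tag(ct: bytes) -> bytes:             # encrypt-then-MAC tag over IV and ciphertext
    return hmac.new(MAC_KEY, IV + ct, hashlib.sha256).digest()
def mac_server(ct: bytes, tag: bytes) -> str:  # hardened: verify the tag before decrypting
    if not hmac.compare_digest(mac_tag(ct), tag):
        return "rejected"                    # one answer for every tampered input
    unpad(cbc_decrypt(ct))
    return "ok"
```

Flipping the last byte of block 0 with 0x01 turns the trailing 0x02 0x02 pad into 0x02 0x03 and the leaky server says so, while 0x03 turns it into a valid 0x01 pad and the leaky server says "ok"; the MAC server answers "rejected" to both.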

There is a vast wealth of crypto content that is relevant to penetration testers that we could cover. ECB, CBC and padding oracle fit together neatly and within the time we have available. Internally we’ve been talking about what we might add to it, what will be covered in master class and so on. Since we make a real effort to make the content modular it’s not impossible that we may offer a course that only covers crypto at some point in the future. And of course, there's even more cryptographic work happening in the INFILTRATE Master Class, but that's something for another post. :)

Thursday, June 11, 2015

Paddington Oracle Bear

Immunity does a lot of commercial consulting, and one thing I make sure to do is follow up on essentially every gig. I think it's important to know what we're getting into customers with, and why. This is the major benefit of any services arm - you get a ground truth for how all this stuff applies in the wild.

For example: Does training affect phishing? What do people build web applications with? What vulnerabilities are in .Net applications these days? Is Java on the Server still vulnerable to the same things it used to be, or have new frameworks made it better?

This is different than the sorts of data you get from web application scanners. You can only reach so deeply with a scanner, which means that applications can, over time, appear to be getting MORE secure. But what they MIGHT be doing is getting more secure from the kinds of things scanners can find!

The Paddington Oracle: "I see something over there! IT IS BAD CRYPTOGRAPHY IN YOUR SESSION ID!"

For example: in the past year, we've found more Padding Oracle cryptographic attacks than SQL Injections. This introduces another problem: Development teams are well prepared to understand certain classes of vulnerabilities. I find SQL Injection and File Include are something you can easily explain, but CSRF and XSS are a lot harder. Imagine the fun we have on a consulting readout when we hand over ten pages of explanation of the cryptographic differences between what they did, and what they should do to defeat a complex attack that while hard to explain, still "got a shell".

Good consulting is more TRAINING than services. If you don't teach them how to do padding oracle attacks, then they'll just re-code the bug into something else. And failing that, you have to at least teach them it is important to get right, and to test it before they ship it. Sometimes that alone is the win of the engagement.

Thursday, January 22, 2015

INFILTRATE 2015 Training Redux: Let us info(s)t(r)ain you!

So as is tradition, we've completely overhauled our training curriculum for Infiltrate 2015. Here's a rundown of what the new options are, what they entail, and how they might suit you and your team.

Keep in mind, as always, we only run these courses once a year, and only during INFILTRATE.


4 days, Apr 20-23, $4,500 USD

Our flagship class is revamped for 2015 with the return of the Linux Kernel exploitation component. This section is taught by one of the authors of "Attacking the core", which set the industry standard for Kernel exploitation books. The class was rewritten to include new exploitation and bypass paradigms and will boost your Linux Kernel exploit skills into the modern era where SMEP is a thing, and NULL dereferences are (sort of, sometimes) VOID.

To prevent burnout and keep peak brain momentum we have made the masterclass 4 days long, as opposed to 5 days. This means you get an extra Friday to roam the beach and meditate on your newly acquired skills and whether to use them for good or evil (or some morally ambiguous combination of both).

For the first 2 days of masterclass you'll be running through the 2015 edition of the Immunity SMT class, which will be even more hands on and exercise oriented this year, to ensure you go home with practical and applicable SMT solving skills.

As with previous editions, the Immunity masterclass is intended for people that are already very comfortable with exploit development and general computer science theory. If you want to push further into the cutting edge of offensive theory and methodology, the Masterclass is for you.

Wide open to Interpretation 

4 days, Apr 20-23, $4,500 USD

New in the 2015 Infiltrate Training line up is the Wide open to Interpretation class. In this class we take two widely used interpreted serverside web application languages, and run through advanced exploitation and vulnerability analysis scenarios for both.

The idea behind the Wide Open class is to get the student thinking in terms of primitives and concepts that may translate into any interpreted language with exposed remote surface. For the first 2 days of the class we take a deep dive tour of PHP based exploitation, and for the second half of class we get into the nooks and crannies of Java based serverside exploitation.

We consider this class to be a great follow up to our Websploitation (AKA Webhacking) class. If you've taken our Webhacking class previously, you may want to consider signing up for the Wide Open class this year.

Click here for ring 0 

4 days, Apr 12-15, $4,500 USD

Another new addition to our training lineup for 2015 is the "click here for ring 0" course. This class is all about hands on exploitation and we consider it the follow up to our infamous (and now retired) "unethical hacking" class. 

In this class you will go through the process of writing a clientside exploit as well as a local privilege escalation attack against a modern Windows system. This gives you the workflow and methodology used by many modern APT-style teams to gain access to your infrastructure.

If you are a penetration tester with a knack for exploit development interested in goal based hacking, then this is the class for you. It gets right to the point, and you'll walk out of it with practical exploit development skills you can start using immediately to build and improve your arsenal of clientside and privilege escalation attacks.

Wait, no Unethical Hacking this year? Serio?

Yep, serio. Even though we know people love the unethical class, and it always sells out, we wanted to rejuvenate our curriculum with a more refreshed and updated look at the modern vulnerability and exploitation landscape. Having said that, if you reeeeeaaaaallllly want to take the unethical class, we might consider flying out to your location to come teach it, provided you have a large enough group of students (20 minimum). If you're interested in setting something like that up, just contact us at admin (at) immunityinc.com or give us a call at +1-786-220-0600 (ask for Dave, Dave loves phonecalls).


3 days, Apr 13-15, $3,300 USD

Our always popular webhacking class is back leaner and stronger than ever in the 2015 Websploitation curriculum. We've trimmed the fat to ensure you get the absolute most bang for buck in this 3 day hands on web application hacking class.

This class teaches you how to tackle many common web application attacks in a CTF style token grabbing format that builds a fun, friendly, yet competitive environment for the student.

The Websploitation class is fantastic for both the modern penetration tester as well as the memory corruption dinosaur looking to refresh and update their Web 2.0 hacking ability.

If you've never taken one of our courses, and you want to get down to the hacking part of the puzzle without having to stare at a debugger for days, we highly recommend the Websploitation class as your introduction to the INFILTRATE training lineup.

Sold! I want to sign up! Now what?

Awesome. If you have any questions about group discounts, incentives and pricing feel free to contact us at admin (at) immunityinc.com, or give us a call at +1-786-220-0600.

For a more detailed overview of what is and isn't covered in each course, please visit us at: http://infiltratecon.org/training.html

Monday, January 12, 2015

Infiltrate 2015 - Free Ticket Challenge #1 (Solved)

Infiltrate 2015 is right around the corner! Only three short months until we can all enjoy two days of highly technical offense focused conference goodness in sunny South Beach.

As we get closer to the conference we decided to give away some free tickets to Infiltrate by way of puzzle challenges. And what better first challenge for a Miami Beach based con than a Cuban Number Station?

So we put out the following audio file for people to analyze and decode. Gaston, our winner, was the first to submit a correct solution, and an elegant one at that.

The audio consists of a female voice reading a list of numbers. The numbers represent nibbles of a PNG file. You could solve this by hand with Google translate, but this process is very error prone. If you miss one number you are basically up that one creek without a paddle.

Gaston produced this clever script to extract the bytes from the audio:

If everything adds up correctly you end up with the following image (md5: d4549b09612ade7e8459ddd7c16f95f7):

The final part of the first Infiltrate 2015 Ticket Challenge was to extract the secret message embedded in this image. We used a very simple LSB steganographic algorithm hiding bits in RGB bytes. This graph from DFI News (http://www.dfinews.com/articles/2009/06/find-incriminating-contraband-images) explains the algo in a nutshell:
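As an added example (not the winner's script from this post), here is the LSB scheme in both directions: the message bits go into the low bit of consecutive RGB bytes, so recovery is just collecting those low bits eight at a time. The carrier is a constructed raw RGB buffer so the script runs without an image library; with a real PNG you would feed it the decoded RGB bytes in the same order. The zero-byte terminator is my assumption, not something the post states.

```python
def lsb_embed(rgb: bytes, message: bytes) -> bytes:
    """Write message bits MSB-first into the LSB of consecutive carrier bytes.
    A zero byte marks the end (assumed convention); no byte changes by more than 1."""
    payload = message + b"\x00"
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    if len(bits) > len(rgb):
        raise ValueError("carrier too small for message")
    out = bytearray(rgb)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def lsb_extract(rgb: bytes) -> bytes:
    """Collect LSBs eight at a time until the zero terminator or the carrier ends."""
    out = bytearray()
    for i in range(0, len(rgb) - 7, 8):
        byte = 0
        for b in rgb[i:i + 8]:
            byte = (byte << 1) | (b & 1)
        if byte == 0:
            break
        out.append(byte)
    return bytes(out)

def lsb_changed_bytes(original: bytes, stego: bytes) -> int:
    """Number of carrier bytes that differ: at most one per hidden bit."""
    return sum(1 for a, b in zip(original, stego) if a != b)

# constructed 16x16 RGB carrier (768 bytes); the real challenge used a PNG
CARRIER = bytes((i * 37 + 11) & 0xFF for i in range(16 * 16 * 3))
```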

Our winner then extracted the bits with the following script:

After extracting the bits you quickly discover that the secret message is:


I wonder who could have left that? All indicators currently point at Immunity's Lord of Attribution and Prime Minister of remote sensing, our very own CEO, Dave Aitel.

So that's it for the first Infiltrate 2015 Ticket Challenge. We plan on doing a few more, so stay tuned to your local number stations, and congrats to Gaston for his free Infiltrate ticket!