Difference between revisions of "Ctf-evenings"
Line 104: | Line 104: | ||
* [https://github.com/longld/peda Python Exploit Development Assistance] | * [https://github.com/longld/peda Python Exploit Development Assistance] | ||
* [http://www.onlinedisassembler.com/odaweb/ Online Dissassembler] | * [http://www.onlinedisassembler.com/odaweb/ Online Dissassembler] | ||
+ | * [http://ropshell.com] | ||
Tools: objdump, readelf, gdb, ktrace/kdump | Tools: objdump, readelf, gdb, ktrace/kdump |
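Review bot: the added entry `[http://ropshell.com]` has no link text, unlike the two labelled entries above it (`Python Exploit Development Assistance`, `Online Dissassembler`). MediaWiki renders an unlabelled bracketed external link as a bare numbered reference, so readers cannot tell what the link is for. Give it a label in the same style as its neighbours, or drop the brackets so the URL itself is shown.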
Revision as of 22:46, 22 February 2014
Projects | |
---|---|
Participants | MRieback |
Skills | Hacking, forensics, problem solving |
Status | Active |
Niche | Software |
Purpose | Fun |
Welcome to the Tech Inc Capture the Flag (CTF) training event series!
The format of this series is likely to evolve over time, but I currently assume that these evenings will feature a combination of web-based challenges, online competitions, and general-purpose learning/workshop evenings covering a variety of computer security (i.e. hacking, defensive) topics. Everyone of all skill levels is welcome!!!!
Past Activities
Training evenings
- 3 February, 2014 - Burp Suite and SQLmap
- 27 January, 2014 - PhDays retrospective + walkthroughs
- 13 January, 2014 - Intro to web hacking + Certified Secure
- 6 January, 2014 - Wireshark Jumpstart 101 + GitS teaser (Armorall - VNC pcap)
- 23 December, 2013 - Intro to x86 disassembly + I/O Smash the Stack war-game
- 9 December, 2013 - UNIX + Bandit wargame
Competitions
- We compete occasionally as Team Knuffelhackers!
- And we occasionally partner w/ team VUBAR
Upcoming
- Codegate Preliminaries - 22-23 February, 2014 (Team Knuffelhackers)
Past
- Olympic CTF Sochi - 7-9 February, 2014 (w/ Team VUBAR)
- Positive Hack Days Qualifiers 2014 - 25-27 January, 2014 (Team Knuffelhackers)
- RuCTFe 2013 - 14 December, 2013 (w/ Team VUBAR)
- UCSB iCTF 2013 - 6-7 December, 2013 (w/ Team VUBAR)
Write-ups
CTF:Writeup-Olympic-CTF-Sochi-2014
About the CTF Training Evenings
Types of evenings
I envision the following 3 kinds of CTF training evenings:
- 1 - Workshop/learning evenings - network analysis/forensics (Wireshark), filesystem forensics, reversing (OllyDbg, etc.)/pwnables, code deobfuscation, pen testing (Kali-Backtrack/Metasploit/buffer overflows), cryptanalysis, web security (XSS, SQL injection, etc.), steganography, command-line kung-fu, recon/trivia, etc.
- Example: I've got a whole slew of Wireshark training videos - we can watch them together!
- We could also occasionally screen Defcon/CCC/Other videos on fun topics!
- 2 - Challenge website evenings
- I set up a Scoreboard, so we can keep track of who's done which challenges
- 3 - Actual CTF events
- There's a bunch of them on CTF Time - we participate occasionally!
Other things that we can do
- Set up a vulnerable server (Damn Vulnerable Linux, Metasploitable, etc.) and attack it
- Other examples: http://exploit-exercises.com/
- Preparing for competitions
- Set up Etherpad (or another online "multiplayer notepad") so people can make notes and work together for each challenge
- We're currently using: Riseup Pad
- Preparing tools (Backtrack VM, other VM images with different tools)
- Being able to emulate weird architectures for binaries
- Being able to test shellcode on our own system
- Maybe we can do something with hardware in the space (I have no idea what the status is of the VMware cluster in the space, but I think we have one)
- Brainsmoke could talk about binary exploitation
- We can also look at gdb / objdump / IDA / Hex-Rays
Challenge websites
Link to the Tech Inc Challenge Website Scoreboard: TechInc-CTF-Scoreboard
- http://captf.com/practice-ctf/
- http://ctf.forgottensec.com/wiki/
- http://www.overthewire.org/wargames/ (Bandit is good for beginners)
- https://www.certifiedsecure.com
- http://io.smashthestack.org
- http://ismellpackets.com/
- http://www.kroosec.com/?m=1
- http://exploit-exercises.com/fusion
- http://exploit-exercises.com/protostar
- http://opensecuritytraining.info/Training.html
- http://www.securitytreasurehunt.com/
- http://forensicscontest.com/
- http://ebctf.nl/challenges
- http://sourceforge.net/projects/owaspshepherd/files/ - VM
- http://www.hackthissite.org
- https://microcorruption.com/ - Embedded hacking
- http://www.bright-shadows.net
- http://www.matasano.com/articles/crypto-challenges/ - crypto challenges
Reversing and Exploitation
- GDB Tips - Some beginning tips for how to use GDB
- https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Coding+Standard - Helpful for finding C constructs that can be exploited
- http://sourceware.org/gdb/current/onlinedocs/gdb/index.html - GDB manual
- http://sourceware.org/binutils/docs-2.24/binutils/index.html - GNU Binutils manual
- http://www.youtube.com/watch?v=gYOy7CGpPIU - The Making of Atlas: from Script Kiddie to Hacker in 5 Sleepless Nights (video)
- Hacking: The Art of Exploitation (book)
- Reversing: Secrets of Reverse Engineering (book)
- http://www.woodmann.com/fravia/howto1.htm
- http://www.woodmann.com/crackz/Orc.htm
- Python Exploit Development Assistance
- Online Disassembler
- http://ropshell.com
Tools: objdump, readelf, gdb, ktrace/kdump
Windows binaries
- http://innounp.sourceforge.net - Inno Setup Unpacker
- OllyDbg
- Ida Free
UNIX hacking
Web hacking
- https://www.owasp.org/index.php/Category:Attack
- https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
- http://w3schools.com
- http://yehg.net/lab/#toolbox
- https://hackvertor.co.uk/public
- Burp Suite
- fuzzdb
- Nikto
- http://www.irongeek.com/i.php?page=videos/web-pen-testing-workshop - Nice series of videos
Network challenges
- For VNC: rfbproxy / Rfbplayer
- chaosreader
Steganography
- http://www.jjtc.com/Steganography/tools.html
- http://www.slideshare.net/null0x00/nullcon-2010-steganography-stegananalysis-a-technical-psychological-perspective
- http://sox.sourceforge.net - Sound eXchange (audio "swiss army knife")
- http://spek.cc - Spek spectrum analyzer
- Audacity
- SDRsharp
Forensics
- File Signatures Table, File Signatures.net, DF Magic Numbers - File format signatures
Crypto
Cryptanalysis
- http://www.simonsingh.net/The_Black_Chamber/chamberguide.html
- http://www.cryptool-online.org/index.php?option=com_content&view=article&id=55&Itemid=53&lang=en
- http://luizfirmino.blogspot.nl/2011/10/cryptanalysis-tools.html
Cracking
- http://hashcat.net/oclhashcat/ - Hashcat
Setting up a CTF
Other stuff
- http://ctftime.org/ - Event listings and write-ups
- http://hackflag.org/forum/
- http://sysexit.wordpress.com/category/writeups/
- http://www.hackers.nl/about/introduktie/
- http://www.enigmagroup.org/pages/basics/
- http://shell-storm.org/repo/CTF/ - Archive of previous CTFs
- http://mitrecyberacademy.org/stem/moodle/course/view.php?id=13
- http://opensecuritytraining.info/Training.html
- http://www.irongeek.com/i.php?page=security/hackingillustrated