November to Remember

Today is a day we remember those who gave their lives in the first world war. As we remember their sacrifice, we must also remember that we have a meeting and workshop this week. Please scroll down to the next post for details on the workshop as this post will cover the meeting details.

Our rough agenda is as follows:
19:00 – Announcements with Louai
19:05 – News Roundup with Nick and Adam
19:25 – Rick’s Random Repo Rundown
19:35 – Feature Story with Adam and Louai
19:55 – Guest Speakers Tas and Avneet on LOLBAS
20:25 – Wrap up and refreshments (across the street at the pub)

We have ISSessions on Friday (as well as a workshop this coming Wednesday!). We’ll be doing our usual script followed by a feature story with Adam and Louai and a sweet presentation on LOLBAS by our guest speakers Tas and Avneet!

As attackers, you know it’s hard to bring all the scripts and tools from the outside to the victim network. Modern networks often protected with numbers of (working) security solutions. IDS/IPS, 24/7 Security Analysts, and Advanced Endpoint Protection are some of the example. One of the solutions for this particular problem is to use what is already there, LOLBAS!

LOLBAS or Living Off the Land Binaries And Scripts is numbers of Windows binaries and scripts that can be leveraged by adversary and red team to perform certain tasks, for example code execution or downloading files. These LOLBAS are signed by Microsoft and often whitelisted! This talks will cover LOLBAS in general and we will also try to create a full chain of attack using mostly LOLBAS!

Avneet and Tas are Threat Hunters for Bell Canada Security Operation Center (SOC). They are both located in Mississauga. Their daily tasks, which is hunting, involved researching the use of offensive tools, trying it against on their network while also creating documentations and detections for it. Their team also often involved in major incident response operation and providing training for other team within SOC. Besides their daily job, Avneet and Tas both have strong interest in Malware Analysis and CTF. Tas is also alumni of Sheridan College ISS program graduated in 2018.

We hope to see you all there.

Workshop 3: Malware Analysis and Meeting

Good morning everyone. There will be a Malware Analysis workshop on Wednesday and an ISSessions meeting on Friday. Workshop details are below. Meeting details for Friday are still in progress. Another post will be provided for the ISSessions time and agenda.

Workshop Details
Location: Room S302
Time: Wednesday, November 13, 2019 – 7:00-9:30PM

On Wednesday in S302, we will have the first of a series of workshops on Malware Analsysis and Reverse Engineering. The workshop are designed to follow selected elements of RPISEC’s Malware Analysis course (https://github.com/RPISEC/Malware). Jason Hong and Ken Onuralp will give out take-home exercises and do reviews.

Session 01
The first workshop will be an introductory session into the world of malware analysis and reverse engineering. The coordinators will talk about their experiences in MA/RE, walk you through a couple of FLARE CTF challenges, the mindset required, and then dive into a gentle introduction by teaching basis static and dynamic analysis. A Windows image will be provided (see below).

Prerequisites
– C (or another higher-level programming language)
– Some assembly required (if you do not know assembly, do not worry, we’ll be going over some basic disassembly)
– Linux (basic command-line knowledge, how to install software on your distro)

Requirements
– VirtualBox (will NOT work on VMWare)
Please download the following pre-setup VM at https://drive.google.com/open?id=1BwDWB3WkB3Qj7B5SEq-9P_RN2IjO3gBG

Disclaimer
During some of the workshops, you will be working with live malware. Please act responsibly. Make sure you are taking precautions when running your virtual machines (we will go through set up instructions when we do dynamic analysis). We are not responsible for the things you decide to do on your own time. Do not be evil. Do not be stupid.

Again to reiterate, our workshop is on Wednesday and we have a ISS meeting this Friday.

Workshop 2: SQL Injection & Cross-Site Scripting

As we return back to Standard Time in Canada, our next workshop is slowly approaching on Friday, November 8th.

Smashing the Web is our next workshop being led by Spencer Lee on Friday November 8. This workshop will cover SQL injection (SQLi) and cross site scripting (XSS), spanning introductory examples to complex real world problems.

Software and Hardware:

You will need the following ready and running for the workshop:

  • A laptop with Linux running natively or in a virtual machine
    • The Linux host or VM will also need to have docker and docker-compose installed as well as any web browser (Firefox, Chrome, etc.)

For simplicity, we’ve created the following VMWare Virtual Machine image. It is pre-loaded with all the tools you need. Please download it BEFORE the workshop (it’s ~ 3.9G!). We will be going over how to load it into VMWare during the workshop (so please make sure you have VMWare Player or VMWare Workstation installed by then).

Download Link to Virtual Machine: https://drive.google.com/file/d/1g9y8fhZ5a-Qsz7HHxsAcDRNNRqCl-MWE/view?usp=sharing

Our rough guide for the entire workshop is as follows:
First half – SQL
Intro to basic SQL
Minimal PHP syntax coverage
Overview of injecting SQL into <input> tags
four login examples
two search bar examples
Second half – XSS
Installing local website with docker (github link will be provided)
Overview of XSS scripting
Introduction to Basic Javascript
XSS demonstration
Using local the local web server
– we’ll practice many different XSS attacks in partners

Last but not least here so take home resources to read up on both before and after the workshop.
Take Home Resources:
https://portswigger.net/web-security/sql-injection
https://portswigger.net/web-security/cross-site-scripting