2

root@labla/# whoami

The OWASP Foundationhttp://www.owasp.org

Nahidul Kibria

Co-Leader, OWASP Bangladesh,Senior Software Engineer, KAZ

Software Ltd.  

Writing code for fun and food.And security enthusiastic

  Twitter:@nahidupa

5

What is the event all about?

Computer security? Information security?Cyber Security?Is it a game? Are we going to learn hacking?

6

Capture The Flag(CTF)

In computer security, Capture the Flag (CTF) is a computer security wargame. Each team is given a machine (or small network) to defend on an isolated network.--wikipedia

7

Its not just a competition… more than it…

HOW?

8

9

10

The domain is giant

11

If you want to be a Penetration Tester

A penetration test, occasionally pentest, is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders with authorize by the owner of that system.

12

Prerequisites1. Good understanding network

architecture.2. How modern operating system

work and system administration.3. Application/Database/Service how

they designed and work.

13

Penetration testingPenetration testing methodology

• Information Gathering/Reconnaissance• Scanning/Enumeration• Vulnerability Identification• Exploitation• Report

14

Tools and tactics • Do not reinvent the wheel…Use

existing tools• But do not just depends on

Tools/Scripts…In some case you have to write your own

15

Books

16

If you want to be a Malware Analyst

17

Kick startBasic Static AnalysisBasic Dynamic Analysis

18

Lab Setup

19

Collect sampleHashing: A Fingerprint for MalwareLook like--

373e7a863a1a345c60edb9e20ec3231

http://www.kernelmode.info/forum/viewtopic.php?f=16&t=308

20

Sysinternals toolsTcpview.exe Procexp.ex

eProcmon.exe

21

Reverse engineering ollydbg Immunity

debuggerIda Pro

22

Books

23

If you want to be a Vulnerability Researcher

24

Common techniquesFuzzingCode review

DisassemblersDebuggers

25

26

Books

27

If you want to be a Exploit Developer

28

PrerequisitesProgrammingAssemblyMemory management Windows/*nix internalKernel

29

Books

30

If you want to be a Forensic Analyst

31

Books

32

Coolest Jobs in Information Security

#1 Information Security Crime Investigator/Forensics Expert#2 System, Network, and/or Web Penetration Tester#3 Forensic Analyst#4 Incident Responder#5 Security Architect#6 Malware Analyst#7 Network Security Engineer#8 Security Analyst#9 Computer Crime Investigator#10 CISO/ISO or Director of Security#11 Application Penetration Tester#12 Security Operations Center Analyst#13 Prosecutor Specializing in Information Security Crime#14 Technical Director and Deputy CISO#15 Intrusion Analyst#16 Vulnerability Researcher/ Exploit Developer#17 Security Auditor#18 Security-savvy Software Developer#19 Security Maven in an Application Developer Organization#20 Disaster Recovery/Business Continuity Analyst/Manager

33

But you have only one life

34

Just become a learning machine

35

Here comes communityCollaborative learning

36

About OWASPOWASP’s mission is “to make application security

visible, so that people and organizations can make informed decisions about true application”

Attacker not use black art to exploit your application

OWASP Bangladesh• Bangladeshi community of Security professional• Globally recognized• Open for all• Free for allWhat do we have to offer?• Monthly Meetings• Mailing List• Presentations & Groups• Open Forums for Discussion• Vendor Neutral Environments

220 Chapters

39

40

Our SuccessesOWASP Tools and

Documentation:• ~15,000 downloads

(per month)• ~30,000 unique visitors

(per month)• ~2 million website hits

(per month)OWASP Chapters are

blossoming worldwide• 1500+ OWASP Members

in active chapters worldwide

• 20,000+ participants

OWASP AppSec Conferences:• Chicago, New York,

London, Washington D.C, Brazil, China, Germany, more…

Distributed content portal• 100+ authors for tools,

projects, and chaptersOWASP and its materials are

used, recommended and referenced by many government, standards and industry organizations.

Conferences

41

Download Get OWASP Books

Ok enough ! Can you please tell me what I need to do

today?

WE DO NOT HAVE ANY PREPARATION

45

Questions.1. A question from cryptography.  (300

points)2. A question from malware analysis. (not

that much hardcore as it sound) (150 points) 

3. A forensic analysis ( The easiest question of the contest) (50 points)

46

Final Questions.1. A server named GetRoot_v00t  will be given. (500 points)

2. Another server named GetRoot_Drag0n will be given. (1000 points)

Both server is taken down from live, because it is suspected as compromised by attacker and the attacker changed its root password. So your job is to recover the root access of those server as well as create a report of what venerability those server has to the judges.

47

Rules• You must run the given Virtual machine only in NATed mode.

• Take Screenshots in each success steps include them to a document.

• You can ask judge for clue to solve a problem with sacrificing some point(s). It's will be totally depending on judge how much point he will deduct for the clue before he give the clue he will tell you how much point will be deducted. This rule because this type contest is new will not be available in future.

•  You are suppose to work with given machine(vmware), Any type of activity that might be destructive for lab setup or host machine or any type of  destructive activity using lab internet is strictly forbidden. If any team do such activity, the team  cannot continue the contest anymore also IUT will take legal action about such activity.

• You should stay around your work station until it not require to move.

48

We select the winner according the following criteria (We will do partial marking.)

1.How many points the participants has (scoring).

2.How complete the solutions are (quality).3. Creativity, Geek Factor.

49

Not End! Open question hands on