The course provides a comprehensive and progressive approach to advanced vulnerability and exploitation topics. Attendees are immersed in hands-on exercises that impart valuable skills, such as:

  • Zero-day vulnerability discovery
  • Reverse engineering
  • Advanced exploitation of a wide variety of targets

The course is designed to turn students into high-level security experts and to fully prepare them for work as vulnerability researchers. Participants will learn how to find critical vulnerabilities on different platforms and exploit them, and will gain practical skills in core subjects of cyber security. The course includes immersive hands-on exercises, via online labs, where participants practice what they have studied during each day.

The course targets participants with advanced knowledge and substantial field experience in cyber security, primarily:

  • Cyber security technical experts
  • Experienced penetration testers
  • Junior vulnerability researchers

Prerequisites:

  • Good knowledge and practical experience in penetration testing.
  • Good familiarity and experience with programming languages.
  • Background in Assembly.
  • The Red Team track provides a solid foundation of the knowledge and expertise required for this course.

Duration: 160 Hours

Category: Cyber Security


Certificate: No

Price: contact us for more details


Course Outline

Objectives

  • Discovering different levels of vulnerabilities, including zero-day vulnerabilities.
  • Learning to review, isolate, analyze and reverse-engineer malicious code to understand the nature of the threat.
  • Understanding attack methods against various targets and how to protect them.
  • Understanding infrastructure and system defense.
  • Becoming familiar with APT and attacks that have happened recently.
  • Investigating systems.
  • Staying on top of the “vulnerability landscape” and being up-to-date on current attacks or potential threats to prepare counter-measures where possible.
  • Understanding and implementing the best practices, tools and cyber-security management methodologies.

 

Note:

This course is directly followed by RT801 – Mobile Vulnerability Research and Exploit Development, to provide further techniques of vulnerability detection on mobile platforms.

  


Module 1: Vulnerability Research

The first module exposes students to the unknowns of discovering vulnerabilities and inspects those methods in depth. Participants will gain a comprehensive understanding of how all the layers involved work, what bugs are out there and how to exploit them. To lay the foundation, this module quickly goes over the components that are fundamental for every researcher.

  • Introduction:
        • Memory
        • Processors
        • Stack
        • Heap
        • Assembly
        • C
        • Compilers
        • Debuggers
  • Memory-based bugs:
        • Unchecked boundary values
        • “Off-by-one”
        • Type confusion
        • Integer sizing
        • Integer signedness
        • Format string
        • Use-after-free
        • Heap overflows
  • Reverse engineering:
        • Fault injection
        • Fuzzing
        • Binary diffing
        • Binary analysis
        • Crash binning
        • Crash analysis
        • Taint propagation
        • Code flow analysis
        • Deciphering file formats
  • Windows internals:
        • Components and basic architecture
        • Objects and handles
        • Processes and threads
        • Rings
        • Win32 API
        • Executable formats
        • Paging and segmentation
        • Structured exception handling
        • Windows memory management
        • Virtual address space
        • Memory pool and allocation
        • Kernel and user lands
        • Key data structures
        • Dynamic-link libraries
        • Drivers
        • Windows authorization model
        • Hardware Abstraction Layer (HAL)
  • Kernel vulnerabilities:
        • Uninitialized/unvalidated/corrupt pointer dereference
        • Race conditions
        • Logic bugs
        • Insufficient validation of user-mode addresses
        • Repurposing attacks
        • Shared object attacks
        • User mode vs. kernel
  • Hooking:
        • Soft and hard
        • IAT
        • Inline
        • DLL injection
        • Code injection
        • System call
  • Linux:
        • Architecture
        • Differences from Windows
        • User space vs. kernel space
        • Virtual memory management
        • Privilege model
        • SLUB, SLAB, SLOB
  • Building a basic OS
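
As an added illustration (example code written for this page, not course material), three of the memory-bug classes listed above that come down to a wrong length check, off-by-one, integer signedness and integer sizing, each shown as the vulnerable check beside its fix. The frame layout, the buffer size and the function names are this example's own assumptions; the guard byte stands in for whatever sits after the buffer on a real stack or heap, and the overflow is kept inside memory the program owns so the behaviour is well defined.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define BUF 8

/* Constructed frame: the buffer is followed by a guard so the stray write of
   an off-by-one lands in memory we own and can inspect, instead of in a
   saved return address or a heap header. 0xAA marks the guard as intact. */
typedef struct { char buf[BUF]; unsigned char guard[8]; } frame;

/* Off-by-one: "<=" admits len == BUF, and the terminator then goes to buf[BUF],
   which is guard[0]. Returns guard[0] afterwards: 0xAA intact, 0x00 clobbered. */
unsigned char off_by_one(const char *src, size_t len)
{
    frame f;
    memset(&f, 0xAA, sizeof f);
    if (len <= BUF) {                            /* bug: should be len < BUF */
        memcpy(f.buf, src, len);
        ((unsigned char *)&f)[len] = 0;          /* the byte that buf[len] = 0 writes */
    }
    return f.guard[0];
}

unsigned char off_by_one_fixed(const char *src, size_t len)
{
    frame f;
    memset(&f, 0xAA, sizeof f);
    if (len < BUF) {                             /* leaves room for the terminator */
        memcpy(f.buf, src, len);
        f.buf[len] = 0;
    }
    return f.guard[0];
}

/* Signedness: the length arrives as a signed int (a packet field, say). A
   signed "len > BUF" lets -1 through, and memcpy(buf, src, (size_t)len) then
   asks for SIZE_MAX bytes. Returns 1 if the check admits the length. */
int signed_check_admits(int len)
{
    return len > BUF ? 0 : 1;                    /* bug: -1 > 8 is false, so -1 is admitted */
}

int signed_check_admits_fixed(int len)
{
    return (len < 0 || (size_t)len > BUF) ? 0 : 1;
}

/* Sizing: the length is validated after being stored in a 16-bit header
   field, but the copy uses the original 32-bit value. 0x10004 truncates to 4,
   passes, and 65540 bytes get copied. Returns the length the copy would use,
   or 0 when rejected. */
uint32_t truncated_check(uint32_t wire_len)
{
    uint16_t hdr_len = (uint16_t)wire_len;
    if (hdr_len > BUF) return 0;                 /* bug: checks the truncated copy... */
    return wire_len;                             /* ...while the copy uses the full value */
}

uint32_t truncated_check_fixed(uint32_t wire_len)
{
    if (wire_len > BUF) return 0;                /* check the value that is actually used */
    return wire_len;
}
```

The pattern to look for when auditing is the same in all three cases: the value that is checked is not the value that is used (a different type, a different width, or one more than the bound). Each fixed variant checks exactly the quantity the copy consumes.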

 

Module 2: Advanced Reverse Engineering

Reverse engineering is the process of discovering how a target works by analyzing its structure, function and operation. It lets the analyst visualize the software’s structure, its operations and the features that drive its behavior, giving a reasonable method for comprehending the software’s complexity and uncovering what it really does.

  • Short introduction to building a Windows debugger
  • Recognizing C and C++ constructs in Assembly
  • Instruction set architectures:
        • x86
        • x64
        • ARM
        • MIPS
  • Static analysis:
        • Reconstructing type information
        • Recognizing data structures
        • Eliminating noise
  • Dynamic analysis:
        • User-mode debugging
        • Kernel debugging
        • Monitoring registry changes
  • Anti anti-debugging:
        • Obfuscation
        • Encryption
        • Breakpoint checks
        • API calls
        • Timing
        • Checksums
        • Self-debugging
        • Rogue instructions
        • System kernel debugger information
        • Confusing disassemblers
        • Control flow transformation
        • Data transformation
        • DLL scanning
        • Virtualization detection
  • Reversing UPX and other packers and protectors (VMProtect, Themida)
  • Anti anti-breaking:
        • Patching
        • SSL pinning
        • Keygenning
        • Cracking
  • Understanding portable executables:
        • PE file format
        • Terminology – IAT, exports, relocation table, etc.
        • PE loader workflow
  • Analyzing a portable executable:
        • Analyzing the flow of an executable
        • Understanding address spaces
        • DLL imports
        • Analyzing API calls
        • Software breakpoints
        • Hardware breakpoints
        • Changing execution flow
  • Digital rights management implementations
  • Hashing functions
  • Bytecode and decompilation
  • Virtual machines
  • Undocumented APIs
  • Reversing protocols
  • Automating debuggers
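
An added example, not part of the course or of any vendor tooling: a minimal PE32+ header parser of the kind the “Understanding portable executables” items above describe. It walks the DOS header, the NT signature, FILE_HEADER, OPTIONAL_HEADER and the section table, pulls out the entry point, image base and import directory, and translates an RVA to a file offset the way a loader does. The input is a constructed header image built in the code (not a real executable), and the function names are assumptions of this example. Every offset taken from the file is bounds-checked before use, which is where parsers of attacker-supplied files usually break; the last two steps of pe_demo feed it a hostile e_lfanew and section count to show the checks firing.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* The header fields a loader acts on first. */
typedef struct {
    uint16_t num_sections;
    uint32_t entry_rva, import_rva, import_size, sections_off;
    uint64_t image_base;
} pe_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* DOS header -> "PE\0\0" -> FILE_HEADER -> OPTIONAL_HEADER (PE32+) -> section table.
   Every offset read from the file is range-checked before it is dereferenced. */
int pe_parse(const uint8_t *img, size_t len, pe_info *out)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t nt = rd32(img + 0x3c);                          /* e_lfanew */
    if (nt > len || len - nt < 4 + 20 + 2) return -2;        /* signature + FILE_HEADER + Magic */
    if (memcmp(img + nt, "PE\0\0", 4) != 0) return -3;
    const uint8_t *fh = img + nt + 4, *opt = fh + 20;
    uint16_t nsec = rd16(fh + 2), opt_size = rd16(fh + 16);
    if (opt_size < 112 + 2 * 8 || len - nt - 24 < opt_size) return -4;
    if (rd16(opt) != 0x20b) return -5;                       /* PE32+ only in this example */
    uint32_t ndirs = rd32(opt + 108);                        /* NumberOfRvaAndSizes */
    if (ndirs < 2 || 112 + (uint64_t)ndirs * 8 > opt_size) return -6;
    uint64_t sec_off = (uint64_t)nt + 24 + opt_size;
    if (sec_off + (uint64_t)nsec * 40 > len) return -7;      /* section table must fit */
    out->num_sections = nsec;
    out->entry_rva    = rd32(opt + 16);
    out->image_base   = rd64(opt + 24);
    out->import_rva   = rd32(opt + 112 + 8);                 /* DataDirectory[1] = imports */
    out->import_size  = rd32(opt + 112 + 12);
    out->sections_off = (uint32_t)sec_off;
    return 0;
}

/* Loader-style RVA -> file offset via the section table. Only bytes inside
   SizeOfRawData exist on disk; anything else returns (uint32_t)-1. */
uint32_t pe_rva_to_off(const uint8_t *img, size_t len, const pe_info *pi, uint32_t rva)
{
    for (uint16_t i = 0; i < pi->num_sections; i++) {
        const uint8_t *sh = img + pi->sections_off + (size_t)i * 40;
        uint32_t va = rd32(sh + 12), rsize = rd32(sh + 16), raw = rd32(sh + 20);
        if (rva >= va && rva - va < rsize) {
            uint64_t off = (uint64_t)raw + (rva - va);
            return off < len ? (uint32_t)off : (uint32_t)-1;
        }
    }
    return (uint32_t)-1;
}

#define IMG_LEN 0x400
/* Constructed PE32+ header image (not a real executable): one ".text" section
   at RVA 0x1000 backed by file offset 0x200, imports at RVA 0x1100, entry 0x1040. */
size_t build_sample_pe(uint8_t *img)
{
    memset(img, 0, IMG_LEN);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3c, 0x80);                                  /* e_lfanew */
    memcpy(img + 0x80, "PE\0\0", 4);
    uint8_t *fh = img + 0x84, *opt = fh + 20, *sh = opt + 240;
    wr16(fh, 0x8664); wr16(fh + 2, 1); wr16(fh + 16, 240);   /* Machine, NumberOfSections, SizeOfOptionalHeader */
    wr16(opt, 0x20b);                                        /* Magic: PE32+ */
    wr32(opt + 16, 0x1040); wr64(opt + 24, 0x140000000ULL);  /* AddressOfEntryPoint, ImageBase */
    wr32(opt + 108, 16);                                     /* NumberOfRvaAndSizes */
    wr32(opt + 120, 0x1100); wr32(opt + 124, 0x28);          /* import directory RVA, size */
    memcpy(sh, ".text\0\0\0", 8);
    wr32(sh + 8, 0x200); wr32(sh + 12, 0x1000);              /* VirtualSize, VirtualAddress */
    wr32(sh + 16, 0x200); wr32(sh + 20, 0x200);              /* SizeOfRawData, PointerToRawData */
    return IMG_LEN;
}

/* Parses the sample, then feeds it two hostile headers. Returns 0 when every
   step behaves as expected, otherwise the number of the failing step. */
int pe_demo(void)
{
    uint8_t img[IMG_LEN]; pe_info pi;
    size_t n = build_sample_pe(img);
    if (pe_parse(img, n, &pi) != 0) return 1;
    if (pi.entry_rva != 0x1040 || pi.image_base != 0x140000000ULL) return 2;
    if (pi.num_sections != 1 || pi.import_rva != 0x1100 || pi.import_size != 0x28) return 3;
    if (pe_rva_to_off(img, n, &pi, 0x1100) != 0x300) return 4;       /* 0x200 + (0x1100 - 0x1000) */
    if (pe_rva_to_off(img, n, &pi, 0x5000) != (uint32_t)-1) return 5; /* RVA in no section */
    wr16(img + 0x84 + 2, 0xFFFF);                                     /* NumberOfSections past EOF */
    if (pe_parse(img, n, &pi) != -7) return 6;
    wr32(img + 0x3c, 0xFFFFFFF0u);                                    /* e_lfanew past EOF */
    if (pe_parse(img, n, &pi) != -2) return 7;
    return 0;
}
```

The import directory RVA that pe_parse returns is where IAT reconstruction starts: translate it with pe_rva_to_off, then walk the IMAGE_IMPORT_DESCRIPTOR entries at that file offset. The same range-check discipline applies to every RVA read from those descriptors.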

Module 3: Exploits

The third module builds on everything learned so far and takes participants to the “heart of the business” – taking over the target. Students will learn how to write shellcode, develop exploits and execute them using highly sophisticated techniques. The module will also show how malicious hackers use these techniques on a daily basis, helping participants prepare for the unknown.

  • Controlling EIP
  • Controlling the SEH chain
  • Writing shellcode:
        • System calls
        • Spawning shells
        • Syntax and filters
  • Using an exploit to get root
  • The address problem:
        • The NOP method
  • Defeating non-executable stacks
  • Attack execution:
        • Information gathering
        • Triggering the vulnerability
        • Placing the shellcode
        • Forging the shellcode
  • Remote vulnerability discovery:
        • Lack of information and control
  • Execution flow redirection
  • Writing arbitrary memory
  • Shellcode installation and execution
  • Heap spray exploits
  • AtomBombing
  • CPU-specific exploitable bugs:
        • Intel’s canonical addresses
  • OS-specific exploitable bugs:
        • Ret2usr
        • Ret2libc
        • Ret2ZP
  • Metasploit
  • Challenges of the Israeli Secret Services

         

Module 4: Protections and Bypasses

Many defense mechanisms stand in the way of a successful attack, each designed to do everything possible to stop it. During this module, participants will understand these mechanisms and learn how attackers defeat each and every one of them, despite their complexity.

  • GS (stack cookies)
  • SafeSEH
  • SEHOP
  • DEP
  • ASLR
  • EMET
  • SMEP
  • CET
  • File-based sandboxes
  • Anti-virus
  • Anti-ROP mitigations