carnal0wnage [Shared Reader]

Thursday, November 15, 2012

Attack Research Training Release

All too often, we at Attack Research have found that students are not being taught, or are not allowed, to properly perform real-world scenarios. For example, they want to run vulnerability scanners on penetration tests! When we say they are not allowed to perform real-world scenarios, some would say it’s the government or the company that doesn't want the real-world scenario. This might be very true, but those governments and companies received the understanding somewhere that running vulnerability scanners on a penetration test was a good idea, and this understanding came through some form of education. Think of network security back in the late 90's to early 2000's: Real-world attacks really did combine scanning for a vulnerability and then exploiting it. Sasser came along and changed the game, and we then had firewalls, improvements in host configurations, etc. In the early 2000's, we started to see what we currently recognize as training in the industry. This training was based upon the attacks in that time period. Well, the evolution of attack has changed, and so has the defense.

Don't get me wrong; the training industry has also evolved, but not at the rate it did when it first started back in the late 90's and 2000's. Back then, there really wasn't a standard for delivering attack-based training. We have certainly had our fair share of standards since then, but when there is no set standard, it is easier to create a new one than it is to change the current one. Well, it’s time to change that!

Classes at Attack Research are designed to help students with real-world problems. We hope to work at a grass roots level and a management level to change the way governments and companies approach network security. This is why our classes are designed to teach technical-level, real-world content. Not only from an offensive perspective but a defensive one as well.  Students will come out of our classes ready to use the skills they learned. They will learn not only how a certain tool is used but the fundamentals behind it so that when they have differing results from the tools, they will know how to handle it or, better yet, they will not use the tool and write their own!

We are proud to announce that Attack Research will be at a number of conferences and locations in 2013. Last week, we announced our partnership with Trail of Bits to offer training in the New York City area in January, April, and June.

Along with our annual training at Black Hat Las Vegas, we have joined with Source Conference to provide training at all their conferences. At Source Boston, we will be offering a 2-day version of our Offensive Techniques training. We will also be at BruCON in September!

Attack Research can transport any of its classes around the world or at your own company. If you are interested in private trainings, please drop us a line at

Starting in 2013, we will hold trainings at Attack Research headquarters in New Mexico, where we will be offering reduced rates for all classes. The majority of our classes will be offered at this location, and they are scheduled to begin January 29-30. We will debut our brand new class, Operational Post Exploitation. You can register for this class here.

Our list of available classes is:

Offensive Techniques – Offensive Techniques offers students the opportunity to learn real offensive cyber-operation techniques. The focus is on recon, target profiling and modeling, and exploitation of trust relationships. The class will teach students non-traditional methods that follow closely what advanced adversaries do, rather than compliance-based penetration testing, and will also teach students how to break into computers without using exploits.

Operational Post-Exploitation – This class explores what to do after a successful penetration into a target, including introducing vulnerabilities rather than back doors for persistence. Operational Post-Exploitation covers such techniques as data acquisition, persistence, stealth, and password management on many different operating systems and using several scenarios.

Rapid Reverse Engineering Rapid Reverse Engineering is a must these days with APT-style attacks and advanced adversaries. This class combines deep reverse engineering subjects with basic rapid triage techniques to provide students with a broad capability when performing malware analysis. This course will take the student from 0 to 60, focusing on learning the tools and key techniques of the trade for rapidly reverse engineering files. Students will understand how to assess rapidly all types of files.

Attacking WindowsAttacking Windows is Attack Research’s unique approach to actually securing Windows. Students will become proficient in attacking Windows systems, learning the commands that are available to help move around systems and data, and examining and employing logging and detection. It will also cover authentication mechanisms, password storage and cracking, tokens, and the domain model. Once finished with this course, students will have a foundation on how attack models on Windows actually happen and how to secure against them.

Attacking UnixAttacking Unix is Attack Research’s unique approach to actually securing Unix. Students will become proficient in attacking Unix systems, focusing mostly on Linux, Solaris and FreeBSD. SSH, Kerberos, kernel modules, file sharing, privilege escalation, home directories, and logging all will be covered in depth. Once finished with this course, students will have a foundation on how attack models on Unix actually happen and how to secure against them.

Web Exploitation — The web is one of the most prevalent vectors of choice when attacking targets because websites reside outside the firewall. Web Exploitation will teach the basics in SQL injection, CGI exploits, content management systems, PHP, asp, and other back doors, as well as the mechanics of exploiting web servers.

MetaPhishingMetaPhishing is a class designed to teach the black arts for targeted phishing operations, file format reverse engineering and infection, and non-attributable command and control systems. Once completing this class, students will have a solid foundation for all situations of phishing.

Basic Exploit Development — In order to use the tools, one must have an understanding of the basics of how they work. Basic Exploit Development will cover the step-by-step basics, tools, and methods for utilizing buffer/heap overflows on Windows and Unix.

Advanced Exploitation - Reliable exploitation on newer Windows systems requires advanced techniques such as heap layout manipulation, return oriented programming, and ASLR information leaks. In addition, robust exploitation necessitates repairing the heap and continuing execution without crashing the process. Advanced Exploitation focuses on teaching the principles behind these advanced techniques and gives the students hands-on experience developing real-world exploits.

This full listing is available on our website as well under the services/training section. Along with each class, there is a place to allow for notification of when the class will be offered next, either at Attack Research HQ or at a different location.

I will be releasing some example modules from some of our classes over the next few weeks so you can get a feel for what we are offering. If you have any questions, please don't hesitate to contact us at


Anonymous said...


Great to learn about your training offerings, and I plan to do it when the time comes.

Just a suggestion/request if you could have some training back-to-back for overseas trainee like me.

It will be convenient, and of course cost savings. :-)

Anonymous said...

I think you are right. The use of vulnerability scanners is an old technique, but due to time and budget constraints, they are necessary. If an organization is willing to pay me for 6 months to do a pen test, then I would not use the vulnerability scanners. Right now my assessments average 3 to 5 days. The only real argument against using scanners is the fact that they are loud. Well, in the assessments that I have done, that does not matter. They already know my team and I are there so stealth is not really an issue.

Lance said...

Are you saying that no vulnerability testing should be done during a pentest? If that is true, I would say I disagree with you. If you are referring to red teaming/black box testing, then you are right. The purpose of those test is to attack without getting caught. I do not think that is an effective way of providing usable data to a client that wants to know the security holes that are on their network. Don't get me wrong, its cool and sexy, it may not be the best method of conducting pentests. All the assessments I do are time bound. All of them have objectives that align with the business objectives of the organizations I am assessing. If I were to go do a pentest, find one vulnerability and exploit it, then still all the data off the network without being caught, then I have failed as a pentester. What happens to my credibility if I don't find a critical vulnerability that is exploited by a an attacker after I report my findings to my client? I know if I were an executive and it happened to me, I would want my money back. I say all that to say, to be thorough and to meet the time constraints, vulnerability assessments are necessary for white/grey penetration testers.

Megan said...

I totally agree with you. Real-time, interactive test should be completed to give attendees of classes experience. It gives them the same sense of urgency and importance as when a real attacking is going down. Thanks for your insight.