Pwn.college (opens in new tab)

(pwn.college)

339 pointsthrowaway_77186y ago35 comments

35 comments

fybe6y ago

Looks good but if I may add a suggestion is to remove the slides from google docs. Maybe let us download them locally?

1. Corp VPN's will block google docs very regularly 2. Some people refuse to use google services 3. It shouldn't take you to a different domain to read the learning material

deevnullx6y ago

Great job getting this in front of people as soon as possible, this is a very polished product for a beta. Nothing worse than sitting on something waiting for it to be perfect or "complete". Excited to see where you go with this!

_8j506y ago

Another software exploit thing that appears to be entirely Linux centered. Nothing against it but this doesn't even touch "core cybersecurity concepts". As crappy as it is, a security+ will teach you more infosec than knowing how to write kernel rootkits and create rop gadgets in your sleep. Case in point: most "advanced" attackers (except the "equation group" lol) very very rarely use a zero day, A majority of attacks by these guys does not even see new exploits out of known public vulns. As easy and comfy as Linux is to hacker, try doing this in Windows land. You will gain a broader perspective. Just my $0.02c ,I am still glad to see more content like this.

carom6y ago

We must have a different definition of advanced attackers because I can think of numerous countries that use zero days. A handful more that use COTS malware (i.e. NSO) that employs zero days.

_8j506y ago

Yes a few, very few compared to the rest. You will note I said most of them don't use 0 days and even 1 days. A lot attempt exploitation in some form of another, typically for vulns older than a few months.

It's simply too easy to use other means of delivery.

Look at drive by: https://attack.mitre.org/techniques/T1189/

In most cases the only thing exploited is the sites hosting their malware (typical joomla/wp sites).

Spear phishing attachment: https://attack.mitre.org/techniques/T1193

I see about 3 examples out of 40 that use exploits.

Spearphishing link: https://attack.mitre.org/techniques/T1192/

2/20

https://attack.mitre.org/techniques/T1190/ only 5 examples for public facing asset exploit,mostly sql injection.

Mitre is not a complete list but they do a good job of keeping up with APT techniques. The most famous ones indeed use 0days and that is one of the reasons they're famous. But the end of the day they should be noteworthy based on damage done not "coolness" of the hack.

Software exploitation is a thing but not only is it seen less and less, modern mitigations are making a lot of the techniques obsolete. Look at the fall of exploit kits as an example.

TACIXAT6y ago

I do not consider spear phishing an advanced attack (despite many governments doing it). Credential theft definitely is not. Malicious docs generally are not (as they are typically just macros that the user has to run).

Watering holes can be depending on how the malware is delivered once the user visits the site. If it just tries to download it and hope they click, that is not advanced IMO.

I do agree that this is what most organizations face as threats though. Resources like these are for people who want to eventually sell exploits, hunt for bugs, or learn enough to analyze them effectively. I do not think these are for teaching someone to teach corp users to not run docms.

1 more reply

stedaniels6y ago

There are far more advanced hacking groups than there are nation states. There are likely more criminal hacking groups in each individual country than there are nation states.

TACIXAT6y ago

There are many criminal groups, but few are advanced. It takes investment and large teams to get full chain zero days. Most criminal groups will implement n days, but they are not coming up with Eternal Blue, you know? They are just grabbing it and hitting unpatched machines. It is skilled for sure, but it is not my definition of advanced threats.

If you have some examples of criminal groups using zero days in hard targets, I'm very interested. From what I see, no one's mobile phones are getting hit with ransomware via fresh vulns. That behavior is generally reserved for nation states with the ability (financial and legal) to purchase the exploits.

gyanchawdhary6y ago

spot on !!

gyanchawdhary6y ago

Check out:

https://blog.ret2.io/2018/09/11/scalable-security-education/ These guys have built an epic b0f research education platform - could be also sold as a cloud-based research platform for vuln developers

Another one is https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/vid... for mostly C/C++ overflow type education

movedx6y ago

> could be also sold as a cloud-based research platform for vuln developers

You'd have a tough time getting any public Cloud provider to allow you to run known vulnerable software, on purpose, on their network and then exposing it to the Internet.

If you kept it under a decent amount of network security and heavily restricted access it might work.

I would suspect you'd need permission to set this up, though.

gyanchawdhary6y ago

True. I think the biggest buyer of this would be gov institutions that are constantly looking for building their offensive capabilities (mainly around exploit dev) but find it hard to get new recruits trained up. The alternatives are mostly instructor-led training which is good but combined with this type of platform + remote assistance via chat etc could scale things up.

movedx6y ago

Yeah.

I'm just in the beginning phases of learning pen testing. I want to move from DevOps to DevSecOps to PT.

I'm keen to see what labs exist out there already and how I can build my own complex labs (consisting of complete virtual networks) that I can hack against. A real wargame.

joshschreuder6y ago

35 comments

fybe6y ago

Looks good but if I may add a suggestion is to remove the slides from google docs. Maybe let us download them locally?

1. Corp VPN's will block google docs very regularly 2. Some people refuse to use google services 3. It shouldn't take you to a different domain to read the learning material

deevnullx6y ago

_8j506y ago

carom6y ago

We must have a different definition of advanced attackers because I can think of numerous countries that use zero days. A handful more that use COTS malware (i.e. NSO) that employs zero days.

_8j506y ago

It's simply too easy to use other means of delivery.

Look at drive by: https://attack.mitre.org/techniques/T1189/

In most cases the only thing exploited is the sites hosting their malware (typical joomla/wp sites).

Spear phishing attachment: https://attack.mitre.org/techniques/T1193

I see about 3 examples out of 40 that use exploits.

Spearphishing link: https://attack.mitre.org/techniques/T1192/

2/20

https://attack.mitre.org/techniques/T1190/ only 5 examples for public facing asset exploit,mostly sql injection.

Software exploitation is a thing but not only is it seen less and less, modern mitigations are making a lot of the techniques obsolete. Look at the fall of exploit kits as an example.

TACIXAT6y ago

Watering holes can be depending on how the malware is delivered once the user visits the site. If it just tries to download it and hope they click, that is not advanced IMO.

1 more reply

stedaniels6y ago

There are far more advanced hacking groups than there are nation states. There are likely more criminal hacking groups in each individual country than there are nation states.

TACIXAT6y ago

gyanchawdhary6y ago

spot on !!

gyanchawdhary6y ago

Check out:

https://blog.ret2.io/2018/09/11/scalable-security-education/ These guys have built an epic b0f research education platform - could be also sold as a cloud-based research platform for vuln developers

Another one is https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/vid... for mostly C/C++ overflow type education

movedx6y ago

> could be also sold as a cloud-based research platform for vuln developers

You'd have a tough time getting any public Cloud provider to allow you to run known vulnerable software, on purpose, on their network and then exposing it to the Internet.

If you kept it under a decent amount of network security and heavily restricted access it might work.

I would suspect you'd need permission to set this up, though.

gyanchawdhary6y ago

movedx6y ago

Yeah.

I'm just in the beginning phases of learning pen testing. I want to move from DevOps to DevSecOps to PT.

I'm keen to see what labs exist out there already and how I can build my own complex labs (consisting of complete virtual networks) that I can hack against. A real wargame.

joshschreuder6y ago