Advanced Infrastructure Security Assessment Training @nullcon with Abhisek and Omair
Avkash Kathiriya
Cyber Security Leader, Research and Innovation at Cyware, Ex- HDFC Bank, Ex- Symantec, Startup Advisor
It’s another nullcon year in Goa with an awesome new venue, and with some more beautiful memories, friends, learnings and community gathering. This time I got a chance to attend the training on Advanced Infrastructure Security Assessment by Abhisek and Omair, who are known in the security industry for their vulnerability exploitation skills.
Though the nullcon website provides a brief trainer profile and introduction, you don’t need one if you are well enough immersed in the InfoSec industry.
Nullcon Website Reference: https://nullcon.net/website/nullcon-bang-2016/training/infrastructure_security_assessment_training.php
Last year I dived into the web application security world with Akash and Riyaz; this year it was time to get my hands dirty with infrastructure assessment with Abhisek and Omair. I came with a mindset prefilled by last year’s experience, but as usual nullcon has lots of surprises for you, and when you have trainers with such a rich technical background it is always fun. Belonging to the defensive side of InfoSec, I am always curious to learn the offensive side of it. And that was exactly the point put forth by Abhisek at the start of the training: “Without knowing the actual attacking side you are only half prepared to defend against one.” You should always walk the path of an attacker first to defend against any ‘good attack’; the rest is already sold in the market as security products to defend against the ‘attacks’ (No offense please ;)).
As expected, Abhisek and Omair started with presentation slides on day 1, but wait, unexpected things have to happen when you are with such technocrats. The slides hardly lasted a few minutes and the actual fun started with the hands-on session. As Abhisek had already clarified, we were attending “Advanced” infrastructure assessment and not a normal security assessment training, so we should not expect any tutorials on the tools or the basics of vulnerability assessment.
Our Day 1 covered the phases of a security assessment and the importance of each phase.
Then we started hands-on with the topics below, followed by an understanding of the Metasploit framework, types of exploits / payloads, payload handlers, etc.
- Discovery using nmap / arping / nbtscan
- Port scanning and service fingerprinting
- OS fingerprinting
- Host discovery and fingerprinting
- Auxiliary scanner modules
The idea of the training was to throw real-time challenges at the participants to make them develop a methodology to identify the vulnerabilities in a system and try exploiting them using different methods. In these challenges we learned the topics below.
- Exploitation
  - Remote exploitation
  - Client side exploitation
  - Local exploitation
- Post exploitation (Meterpreter)
- Pivoting
- Meterpreter SOCKS4 Proxy
- Proxy chaining
- Payloads
  - Payload generation
  - Payload handlers
  - Payload encoders
  - Multiple payload output formats
Day 2 and Day 3 were filled with different challenges in the form of hosted vulnerable systems to pwn: identifying the vulnerabilities in the given systems and finding the best possible way to exploit them to get the highest privilege access. The range of systems varied widely and effectively covered the major types of systems / exploits. It was not the case in all scenarios that readily available Metasploit exploits worked; we needed to hunt for various unique methods to pwn the systems.
The last day was packed with an exciting CTF, where all the participants formed groups and competed with each other by applying the skills they had developed over the 3 days of training. A CTF scoreboard was published for all the participating teams; you needed to get the highest privilege on the given systems and find the hidden flag inside, which you then submitted to earn points on the scoreboard. All the teams fought hard against each other; overall it was a fun-mixed learning session on the last day of the training.
Target infrastructure and exploits:
Within these 3 days of training we were thrown into scenarios covering various types of infrastructure and exploits, a few of which I have listed below for your reference.
Takeaway from the training:
:) Approach towards infrastructure assessment
:) Identification of vulnerabilities
:) Identifying methods of exploitation
:) Metasploit framework and its modules
:) Vulnerability Exploitation with and without Metasploit
:) Developing attacker mindset
Conclusion:
I love talking about the new buzzword in the cyber world, i.e. “Cyber Range”, and that is exactly what this 3-day training reflected to me. Just as we have shooting ranges in the real world to train shooters to attack targets efficiently, it is the need of the hour to build cyber ranges to train security teams doing offensive penetration testing and defending critical infrastructure from external attacks. In this training our trainers had put a lot of effort into building a cyber range where we could apply our thought process to crack into the targets with / without readily available exploits. I will stop here on that topic; otherwise it will go on and on.
Last but not least, the best part of the training was the trainers, who hardly spoke out after throwing us into the challenges and wanted us to explore the multiple ways on our own rather than waiting for them to tell us the way out.
Director, Offensive Security at Krash Consulting
That's a very nice write-up. Thanks for the kind words.