So You Want to be a Hacker? презентация

Содержание

A BRIEF INTRODUCTION GOTTA START SOMEWHERE

Слайд 1So You Want to be a Hacker?
THEN LET’S GET STARTED
October 16,

2014

Слайд 2A BRIEF INTRODUCTION
GOTTA START SOMEWHERE

Слайд 3Introduction

The necessary prerequisites

Immersing yourself

Educating yourself

Places to practice responsibly

Common tools

Making it count
THE

ROAD TO BRIGHTER PASTURES?

The Talk’s Agenda

Слайд 4DOWN IN FRONT
Who Am I?
Christopher Grayson
cgrayson@bishopfox.com
@_lavalamp
Senior Security Analyst at Bishop Fox

(Pen-Testing FTW)
MSCS, BSCM from GT
Former Research Scientist from GT
Former president, GT hacking club



Слайд 5I currently have my dream job
I’ve never had to choose between

education and safety
I had the good fortune of attending SkyDogCon in 2012
But the story continues…

LITTLE BIT OF LUCK, LITTLE BIT OF SKILL

Why am I Here Today?

Слайд 63 teams at SkyDogCon Duplicity CTF, got 2nd, 3rd and 4th

place
…out of 4 teams
Received tickets to Shmoocon 2013, Offensive Security training
Competed in TOOOL Master Keying competition
Received ticket to Shmoocon 2014

THE PLOT THICKENS…

Many Reasons

Слайд 7We work in the coolest industry. Period.
We need more talented individuals.
We

need safe places to hone our skills.

HOPEFULLY NOT BY ACCIDENT

Why are YOU Here?

Слайд 8Lots of debate around the term

Commonly used by the media to

refer to malicious people with technical skills

Used in the community to show reverence towards another’s capabilities

NOT TO START A DEBATE…

The Term “Hacker”

Слайд 9THREE CHEERS FOR THE MEDIA
What a Hacker Certainly Isn’t

Слайд 10THE APPROACH
COMFORT ZONES TO THE WIND

Слайд 11Patience

Enthusiasm

Perseverance

Interest
KEEPING IT ZEN
What Does it Take to Break?

Слайд 12
You will get frustrated.

You will not learn everything overnight.

You will get

ridiculed.

NOTHING WORTH DOING WAS EVER EASY

Be Wary…

Слайд 13Becoming a “hacker” is not so much a profession as it

is a way of life.

It requires mental fortitude and patience above all else.

Expertise comes slowly.

It’s entirely worth the journey.

STILL INTERESTED?

Takeaways

Слайд 14THE ENVIRONMENT
IN OVER Y(OUR) HEAD

Слайд 15Expertise requires a lot of technical knowledge.

This can’t be gained overnight.

The

first step is to listen to the lingo.

CARE TO GO FOR A SWIM?

The Word of the Day is Immersion

Слайд 16Powerful message board
Lots of infosec boards
/r/hacking
/r/netsec
/r/howtohack
/r/websec
/r/sysadmin
/r/blackhat

EVER HEARD OF IT BEFORE?
Reddit

Слайд 17Hang out on Freenode to talk through challenges and difficulties you

have trouble with.
#metasploit – Metasploit developers
#corelan – Folks from Corelan team
#vulnhub – Folks from Vulnhub team
#offsec – Folks from Offensive Security

NOT ALL THAT DISSIMILAR TO PIRATE SHIPS

Freenode

Слайд 18Good way to keep track of the industry’s pulse

Lots of mailing

lists for all skill levels and areas of interest

http://seclists.org/

#SPAMSPAMSPAM

Mailing Lists

Слайд 19Ghost in the Wires
The Art of Intrusion
The Art of Deception
Kingpin
The Cuckoo’s

Egg
Code
Hacking – The Art of Exploitation

WHAT ARE THOSE AGAIN?

Books

Слайд 20Sneakers
http://www.imdb.com/title/tt0105435/

Hackers
http://www.imdb.com/title/tt0113243/

War Games
http://www.imdb.com/title/tt0086567/


THE GOOD, THE BAD, AND THE UGLY
Movies

Слайд 21DEF CON
https://www.defcon.org/

Black Hat
https://www.blackhat.com/

Shmoocon
http://www.shmoocon.org/

MEET YOUR FELLOW NERDS
Conferences

Слайд 22Some of the venues listed previously are less friendly towards new-comers

than others.

General rule of thumb is to research any questions that you have prior to asking them.

Showing that you’ve done your own work before asking for the help of others goes a long way in this community.

ARMOR OF THICK SKIN+3

Disclaimer

Слайд 23LESSONS TO BE LEARNED
STRAIGHT EDUMACATED

Слайд 24The hardest part is having the gumption to stick with it.

Technical

skills can be learned (even if learned slowly).

Technical skills are required, and typically the more the better.

PERHAPS, PERHAPS, PERHAPS

So Now we Get Into the Difficult Stuff?

Слайд 25Incredibly-thorough course on Computer Science

https://www.edx.org/course/harvardx/harvardx-cs50x-introduction-computer-1022

LEARN FROM THE BEST OF THEM
Harvard Introduction

to CS

Слайд 26Fundamental understanding of networking is important

https://www.coursera.org/course/comnetworks

ONE BYTES TWO BYTES THREE BYTES

FOUR

Computer Networks on Coursera

Слайд 27The ability to write code greatly helps in this field.

https://www.coursera.org/course/pythonlearn


FROM SCRIPT

KIDDIE TO SCRIPT MASTER

Programming for Everybody on Coursera

Слайд 28OpenSecurityTraining can be found online
http://opensecuritytraining.info/
“Is dedicated to sharing training material for

computer security classes, on any topic, that are at least one day long.”
Has free, professional courses on all matters hacking
Even has course outlines and pre-requisites!

HARDLY KNOWN BUT HUGELY HELPFUL

OpenSecurityTraining.info

Слайд 29SecurityTube can be found online
http://www.securitytube.net/
Large amounts of free videos created by

the site’s founder
Aggregation of conference videos and lectures
Full primers on lots of different hacking areas

AGGREGATE THOSE VIDEOS!

SecurityTube.net

Слайд 30Corelan can be found online
https://www.corelan.be/
In-depth tutorials detailing exploit-writing and binary exploitation
Tons

of other educational resources, primarily focused on binary and RE topics


WRITE YOURSELF SOME EXPLOITS

Corelan.be

Слайд 31Offensive Security can be found online
http://www.offensive-security.com/
The group that created Backtrack and

Kali Linux distributions
Training is not free, but the training you get from their courses is top-notch and well-managed.
Has an IRC channel that you can hang out in!


THE AUTHORS OF KALI, BACKTRACK

Offensive Security

Слайд 32Has a number of certifications for security training

Not free, must pay

to maintain certifications

http://www.sans.org/

GETTING CERTIFIED

SANS Institute

Слайд 33Cisco has a number of certifications in the security space.

Not free,

must pay to maintain certifications

https://learningnetwork.cisco.com/community/certifications/security

MOAR CERTIFICATIONS?!

Cisco Certifications

Слайд 34GO TO WORK
GETTING YOUR HANDS NOT-SO-DIRTY

Слайд 35VulnHub can be found online:
http://vulnhub.com/
A large repository of software images that

are created solely to be vulnerable
Great place to get software packages to hack on
Has an IRC channel you can hang out in!

STAND UP YOUR OWN LAB

Vulnerable Images

Слайд 36Web application that is built specifically to have lots of vulnerabilities

Great

starting place for beginning to hack Web applications

http://www.dvwa.co.uk/

EMPHASIS ON THE D

DVWA

Слайд 37CTF365 can be found online:
http://ctf365.com/
Touts a massive online, persistent CTF
CTFTime can

be found online:
https://ctftime.org/
Keeps track of CTF competitions worldwide, maintains scores for teams across different CTFs

BRUTAL TRAINING GROUNDS

Ongoing Competitions

Слайд 38We Chall can be found online:
https://www.wechall.net/
Is an aggregation site for individual

challenges
Advertises a total of 133 challenges available

SHORT, SWEET, AND TO THE POINT

Stand-Alone Challenges

Слайд 39Managed service provider that consolidates bug bounty programs

Go and hack things

in real life and get $$$

https://bugcrowd.com/



INDUSTRY EXPERIENCE

Bugcrowd

Слайд 40TOOLS OF THE TRADE
AN AWFULLY FULL BAG OF TRICKS

Слайд 41Used for monitoring local network traffic

Great way to learn more about

network protocols

https://www.wireshark.org/

NETWORKS ARE CHATTIER THAN YOU MAY THINK

Wireshark

Слайд 42An HTTP proxy with lots of hacky bells and whistles

Used universally

across the professional security industry

http://portswigger.net/burp/

WEB APP HACKER’S SWISS ARMY KNIFE

Burp Suite

Слайд 43Packaged in with all modern browsers

Used mostly by developers for testing

functionality during the development process

REPURPOSING TOOLS FOR FUN AND PROFIT!

Browser Developer Tools

Слайд 44Good tool for generating password lists

Made by yours truly ☺

https://github.com/lavalamp-/LavaPasswordFactory

A GOOD

PASSWORD LIST IS NICE TO HAVE

LavaPasswordFactory

Слайд 45Where LavaPasswordFactory generates password lists, John the Ripper cracks them!

http://www.openwall.com/john/

CRACK GOES

THE PASSWORD

John the Ripper

Слайд 46The de facto standard penetration testing Linux distribution

Comes with all of

the bells and whistles at installation

http://www.kali.org/

BELLS AND WHISTLES GALORE

Kali Linux

Слайд 47Great platform for virtualization

If you don’t know what virtualization, check it

out!

http://www.vmware.com/

VIRTUALIZATION IS YOUR FRIEND

VMWare Fusion / Workstation

Слайд 48MAKING IT COUNT
WHAT NEXT?

Слайд 49Penetration testing

Security analyst

Security engineer

All the technical things!
HACKING FOR GOOD
Positions in the

Field

Слайд 50Doing this stuff maliciously is a bad idea

Far too many opportunities

to help others and the community

Don’t let it go to waste

WE’VE ALREADY GOT ENOUGH BAD GUYS

Don’t Let it go to Waste

Слайд 51REFERENCES
A CENTRALIZED STORY

Слайд 52The Electronic Frontier Foundation on the Computer Fraud and Abuse Act
https://ilt.eff.org/index.php/Computer_Fraud_and_Abuse_Act_(CFAA)
Wikipedia

on Aaron Swartz
http://en.wikipedia.org/wiki/Aaron_Swartz
H3 at Georgia Tech Research Institute
http://h3.gatech.edu/
The UCSB iCTF
http://ictf.cs.ucsb.edu/
SECCDC
http://www.seccdc.org/


TAKE ONE

References

Слайд 53VulnHub – Vulnerable by Design
http://vulnhub.com/
CTF365
http://ctf365.com/
CTF Time!
https://ctftime.org/
WeChall – A Challenge Aggregation Site
http://www.wechall.net/


TAKE

TWO

References

Слайд 54Atlanta OWASP
https://www.owasp.org/index.php/Atlanta_Georgia
Security Mailing Lists
http://seclists.org/
Sneakers movie on IMDB
http://www.imdb.com/title/tt0105435/
Hackers movie on IMDB
http://www.imdb.com/title/tt0113243/


TAKE THREE
References

Слайд 55War Games movie on IMDB
http://www.imdb.com/title/tt0086567/
Hacking movies list on IMDB
http://www.imdb.com/list/ls055167700/
DEF CON
https://www.defcon.org/
Black Hat
https://www.blackhat.com/


TAKE

FOUR

References

Слайд 56Shmoocon
http://www.shmoocon.org/
Harvard Introduction to Computer Science
https://www.edx.org/course/harvardx/harvardx-cs50x-introduction-computer-1022
Computer Networks on Coursera
https://www.coursera.org/course/comnetworks
Programming for Everybody on

Coursera
https://www.coursera.org/course/pythonlearn


TAKE FIVE

References

Слайд 57OpenSecurityTraining
http://opensecuritytraining.info/
Security Tube
http://www.securitytube.net/
Corelan.be
http://corelan.be/
Offensive Security
http://www.offensive-security.com/


TAKE SIX
References

Слайд 58SANS Security Training
http://www.sans.org/
Cisco Security Training
https://learningnetwork.cisco.com/community/certifications/security
DVWA
http://www.dvwa.co.uk/
BugCrowd
https://bugcrowd.com/


TAKE SEVEN
References

Слайд 59Wireshark
https://www.wireshark.org/
Burp Suite
http://portswigger.net/burp/
Reddit
http://www.reddit.com/
Freenode IRC
http://freenode.net/


TAKE EIGHT
References

Слайд 60QUESTIONS?
HOPEFULLY YOU’VE GOT A FEW

Слайд 61THANK YOU
@_LAVALAMP

Похожие презентации

Региональный этап Всероссийского фестиваля Российская студенческая весна 247
Challenges, Benefits and Best Practices of Performance Focused DevOps  0
Дополнительное образование детей как элемент региональной системы образования 221
Факультет кібернетики КНУ 220
Первый межрегиональный форум Школьные библиотеки нового поколения 305
Обзор современных технологий обучения 221

Обратная связь

Если не удалось найти и скачать презентацию, Вы можете заказать его на нашем сайте. Мы постараемся найти нужный Вам материал и отправим по электронной почте. Не стесняйтесь обращаться к нам, если у вас возникли вопросы или пожелания:

Email: Нажмите что бы посмотреть 

Что такое ThePresentation.ru?

Это сайт презентаций, докладов, проектов, шаблонов в формате PowerPoint. Мы помогаем школьникам, студентам, учителям, преподавателям хранить и обмениваться учебными материалами с другими пользователями.

Для правообладателей

Яндекс.Метрика