Monday, August 5, 2019

So You Want to be a Hacker

This post has been on my mind for a while now, but its length, and my laziness about searching my archives and bookmarks, have deterred its publication. But alas! It is here now. Since 2014, I have encountered lots of materials here and there that I keep track of and revisit to update my knowledge. This list of resources also includes Twitter accounts, but I have excluded that category from this post. There are various sub-domains in cyber security. Hopefully, this post can give you a place to start in your field of interest. This is a non-exhaustive list.

In early 2017, I did a seminar with an old friend on the topic. At that time, I was trying to get students to enroll in my new club on Computer and Network Security. Unfortunately, the club was terminated after I graduated in 2018, but it may be resurrected soon (hopefully). I cringe every time I see a snippet of that video. I don't know why I kept smiling the whole time, but that's a story for a different day. I never watched the full video, so I may have said some b.s., but oh well.

In the same year, I was privileged to be a teaching assistant for CSCD27H3 - Computer and Network Security under Prof. Thierry Sans. At the end of the course, I made a final post for the students in case anyone wanted to continue their studies in the field. The content of the original post is in the Appendix section.

This post is an updated take on the original: links have been updated, and newer or more useful materials have been added. These are marked as [UPDATE] and [NEW] respectively. The marker [NU] means no updates at this time, most likely because I haven't done much in this domain since the original post. Another reason could be that the materials from the original post are still the authority in the field. Feel free to suggest

DISCLAIMER:
As much as I try to stay in the loop with most aspects of Computer and Information Security, I have a strong bias towards certain sub-domains. You can expect that my knowledge of materials and resources will be skewed in favor of these areas. If you have a resource that you can vouch for, mention it in the comments and I'll add it to the list and credit your mention.

Also, I have not visited or used every resource there is, so if something is missing from this list, it does not in any way imply that the material is subpar; I've just not looked into it. Also, I do not rate content. If I have used a resource and it was beneficial to me in any way (or it was recommended in the comments), it will be on this list.

Appendix 

Hi Mallories,

This post is in response to <redacted>

Hopefully, for most of you, this course has sparked an interest in Computer and Network Security! And now, for those of you interested in pursuing this interest, it's never too late to start. Security hasn't been the most publicly available knowledge, but that has changed in recent years given the rise in breaches and the shortage of grey hats.

I'll attempt to provide a list of resources related to the topics covered in this course and more, so you can explore your curiosity! You'll learn by doing, so I'll provide books and challenge sites. This is a non-exhaustive list and the list is unordered.


Combining it all together:
  • Penetration Testing
    • Hack The Box
      Site: https://www.hackthebox.eu/
      About: You're required to hack the invite process before you can register. The platform has a variety of Windows and Linux servers available for compromise over VPN.
      Hackers are ranked by the number of system accounts hacked (NT\AUTHORITY and root) and regular user accounts. You start as a n00b. This hacker rank also comes with some perks. There are also job postings, and you can only apply to jobs whose hacker rank requirement includes your rank.

      Access to servers is completely free, but while attacking a server you may get kicked out, or the server may be reset by another hacker if you don't cancel the reset request in time. I usually have to wait for off hours to work.
      There's also an in-house community, allowing you to chat with other hackers in case you're stuck. Your questions have to be smart though; no one will give you the direct answer. If you think Prof. Thierry's answers were usually indirect, you haven't met these folks. This is why people there know everyone has earned their stripes. That being said, in this field, talking to someone is better than Google.

      There are also regular challenges on forensics, crypto, exploitation, etc. You also cannot find write-ups online because that would ruin the fun. My handle on this platform is n33trix. I haven't been active since May, but I'll probably spend my holiday on here. If you stop by, hit me up :-)
    • Pentestit Labs
      Site: https://lab.pentestit.ru/
      About: Registration is free. The platform simulates a corporate environment and runs for about six months before a new simulation is up. Hacker progress is also publicly announced on their site and Twitter. Since the lab simulates a corporate environment, there is a sense of accomplishment when you own the Admin servers/boxes.

      You start as an external attacker over VPN. Starting from the external gateway (the only box you initially have access to), you are required to make it into the Admin network, owning as many machines as possible. This is a sample network map. Connectivity is more stable. There's a community as well, and the same applies as for the community mentioned above. Hackers aren't ranked. Write-ups are posted about 3 months in.
  • Malware Design and Analysis
    • Malware Design: Not many books or resources exist on the design of malware (how to make/write it). However, there's this (possibly dated) book that does a good job. You'll need to brush up on your assembly skills and knowledge of OS internals to read this book. The good thing is, if you can analyze malware, then you can find the recipe for how it works :-). I also haven't researched a lot on this, so there may be some resources I'm not aware of. Be curious, but don't let that land you in the wrong place.
    • Malware Analysis: Shout out to all the reverse engineers reading binaries on a daily basis, much respect. Reverse engineering is not for the faint of heart, so you'll need to be good with that first. After which, you can explore the following from OpenSecurityTraining. These courses might have prerequisites; I find it's better to complete the prerequisite courses first.
      1. Malware Dynamic Analysis
      2. Reverse Engineering Malware
      3. RPISEC on Malware
      Books:
      1. Practical Malware Analysis
  • Bug bounty
    • Introduction to bug bounty: This is a new step towards better security. Essentially, companies release their software or service for hacking, and the successful hacker gets rewarded. You will need to report the bug to the company and probably work with them to fix it. Hackers are registered; no foul play. This book will enlighten you further. HackerOne and Bugcrowd are example bounty platforms. Companies like Google also have standalone bounty programs.
  • CTFs
    After you have trained like a pro, go out there and join a team! All of this is too much work for one person: find a niche you love the most, specialize in it, and play CTF games for fun and profit. For more about CTFs, read this and check out CTFtime.org to join a team and play.


Best of luck!

The Old Bytes

In case you've ever wondered about the meaning of my blog title, this post will serve as some context! The name of this blog is inspired by the idiomatic expression 'chip off the old block', which means 'likeness in character ...'.

There are many individuals whose knowledge, influence and inspiration have contributed to, and still contribute to, who I have become in this field. Since we are in the digital/hacker world, I refer to these individuals as the old bytes, and I believe they deserve an honorable mention.

1. Harold Kim
    I e-met Harold in 2014 on Facebook. His photo from a CTF event got me intrigued about this field. He gave me the initial pointers: books to read and websites to visit. Interestingly, Harold and I have been trying to meet for the last 5 years to no avail.

2. Harold Rodriguez
    I met Harold in 2017 through the DC416 community, a Defcon chapter in Toronto. Harold lent a helping hand when I was starting out in actual exploit development. He answered and explained everything I couldn't Google or found difficult to understand. I look up to him when it comes to exploit development and penetration testing.

3. Nick Aleks
   I met Nick in 2017 through the DC416 community. It was a very interesting encounter. He pressured me (in a good way, of course) to go up on stage and participate in the ongoing CTF. I have never been so anxious! I was visibly shivering, but it was one of my best experiences in that community, and I made some new friends after. Some of the best advice I have received with regard to career development came from Nick. He also has a wealth of knowledge in Security and Software Engineering, and there is still a tonne I'm looking to learn. Nick was my manager for about 2 years; if you get to have him too, consider your life blessed!

4. Thierry Sans
   Professor Thierry Sans is the best thing that happened to me during university. He's a renowned professor in Software Engineering and Computer Security. I was privileged to be in the first set of students he taught when he moved to the University of Toronto. I was even more privileged to teach for him. He was more than a professor; he cared about my growth in the field and shared knowledge and experience with me. In the ranks of relationships I value, his is way up there.

5. Eugine Yevgeny
   I don't know of many advanced members of the community who would put up with naive individuals like myself; no, for real. I met Eugine through the DC416 community as well, I believe in 2018. Eugine once gave a talk on Malware Analysis. I remember asking Dolev, about 6 months later, who that speaker was. Once Dolev responded, I was in his inbox. If you've been on Twitter, it's very easy to be left on read simply because you're unknown, so I'm pretty used to it. Eugine, however, responded. During this time, I was going over Practical Malware Analysis, and Eugine readily clarified confusions. Fast-forward to now, we work on side projects together. I have learned a lot from him: technical, career advice, you name it. Thank you for accepting to work with me despite my n00b status. I look forward to more projects with you.

6. Dolev Farhi
    I met Dolev in 2017 through the DC416 community. I remember always bugging him with computer networking and web application questions, and he would readily respond and clear up confusions. I also remember the countless times we tried to meet, but our schedules would not let us until the DC416 community meetings. At the time of writing, I haven't seen Dolev in a while, but I'm going to fix that. I don't intend to lose touch with such a great mind.

7. John Simpson
    John is my team lead at Trend Micro's VRS. He's a great, patient and very knowledgeable guy. Recently, he introduced me to Java security research by walking me through an Oracle deserialization vulnerability. That one session sparked a level of curiosity, and since then I have studied a variety of materials, from papers to YouTube videos, on the subject of Java security. If John hadn't introduced me to Java security when he did, I probably would have never looked into CVE-2019-0230.
   
8. Pengsu Cheng
    Pengsu is a senior colleague at Trend Micro's VRS. Pengsu showed me a couple of tips and tricks that I have consistently found invaluable any time I venture into Windows binary patch diffing. Like John and the rest of the squad on this team, he's a patient, knowledgeable and all-round awesome guy. I'm happy to be working with these guys!

There are also the online humans who freely share awesome knowledge. There are very many of them, but below are the online accounts I frequent.

1. Live Overflow
   If I started writing about this guy, the chances of 'overflowing' this text box and probably some server somewhere are pretty high. I hope you know him already, but if you don't, check out his website. He posts very well explained, no-bullshit instructional videos. He tries to be funny on Twitter too. He's an awesome dude, but I've never met him before. He virtually held my hand in an introduction to browser exploitation with his newest series (at the time of writing) on the topic.

2. Ippsec
   Although I spend a fair chunk of my research and practice time on the binary, vulnerability and exploitation side of life, I'm also into penetration testing. IppSec is like a gold mine without the mining part when it comes to red teaming/penetration testing. I've also never met him in person, but his instructional videos are one of a kind. He always looks for opportunities to share something new, even with the simplest of challenges. Again, I hope you already know him; if not, please visit his link.

3. Matthias Kaiser
   Soon after the introduction to Java security by John, I began gathering and studying materials already available. That's when this name started popping up in every corner. I watched all his videos, and boy did I feel uber enlightened. As CVE-2019-0230 made the rounds on the internet, mainly due to fake PoCs, I decided to look at the vulnerability. He was the original discoverer, and just knowing this, I was certain he had submitted an actual RCE PoC to Apache. I was challenged and determined to find it. Of course, my environment was right: John had gotten rid of the external pressure, offloaded some of his Java research techniques to me and let me take my time. I learned a tonne, and in the end, after ZDI published the research, Matthias reached out, we connected, and it was a really special day. I look forward to meeting him in person in the future!

This post will be updated frequently. Stay tuned!

Saturday, July 6, 2019

SpiderMonkey Research - The Beginning

For a while now, I have been really interested in getting into browser exploitation, but the thought alone has been daunting. I checked out the Browser Hacker's Handbook briefly, but that scared me too. I then decided to contribute to Mozilla to get my hands dirty. Although I have not contributed as much as I would love to, I have been fortunate to e-meet Matthew Gaudet. Matthew is a really friendly, smart and helpful dude. I also stumbled across his blog while scouting for resources on SpiderMonkey.

A few days ago, while checking in on LiveOverflow, I saw he had just begun his browser exploitation journey! This was amazing; his first video spoke to me on a personal level. As a young researcher, it is easy to see what other known researchers are up to and feel like you'll never get there, because time waits for no one and the industry is rapidly changing. Seeing LiveOverflow explain his own challenges and his take on them re-inspired me. I thought to myself: I can start with him; with discipline, by the time he has become advanced, I will have too! Maybe not as good, but I will be somewhere better than where I am now.

Fortunately, I already had Mozilla's Firefox repo since I was contributing to it. I decided to use SpiderMonkey as the research engine, on Windows. This is pretty different from LiveOverflow's setup, but that's the fun part!

Approach

My goal is to mirror his research closely: discover the (near) equivalences or differences between both engines, pick a bug similar to his, walk through it and share my part of the story like he is doing. I'm excited and scared at the same time, but this is gonna be fun. This blog will help keep me accountable and responsible.

Every post on this topic will contain an "Into the weeds" section where I hope to elaborately describe my challenges and mistakes. It will typically be at the end of the post, and the intention is to make the posts less magical and more realistic.

Honourable Mentions

Stanko Jankovic, a Bugcrowd researcher, is also doing similar work with V8 and WinDbg. Check it out!

Conclusion

LiveOverflow, I'm just one of the many people you inspire and teach indirectly. Once again, thank you for what you are doing in and for the community. Shout out to other researchers bringing knowledge that once rested among gods to the average man, encouraging and inspiring us to work hard and consistently. I look forward to contributing more than I have received/been given.

Finally, if you see anything wrong, weird, etc., feel free to correct me. Without further ado, let's get to it!


SpiderMonkey Research - 0x01 - Setup & Debug

Does anyone else find setup of any sort to be somewhat always complicated? Whether it's setting up a dev environment, going through documented installation steps, etc. For me, most things just would not work like they have been documented to. Maybe it's just me. Well, this was one of those. Check out the "Into the Weeds" section at the end of the post for more details on mistakes, frustrations, challenges, general lolz and facepalm moments, and troubleshooting tips.

Obligatory Environment Details

1. Windows 10 Enterprise Evaluation v1809

Setup & Debug
In each step, where applicable, the bracketed numbers reference the official Mozilla documentation listed under Resources. This should help with troubleshooting when required.

1. Getting SpiderMonkey Source
  • Get the latest MozillaBuild [1]. Use the default installation settings.
  • Run the start-shell.bat file in C:\mozilla-build
  • From within the new shell, navigate to a location where you want the source to reside
  • Fetch the source using Mercurial:
    hg clone https://hg.mozilla.org/mozilla-central
    This is going to take some time.

2. Compiling SpiderMonkey [2]
  SpiderMonkey requires some prerequisites, as mentioned in the Mozilla build docs.
  1. Follow the instructions from Getting Ready up to Required Tools. During the Visual Studio setup, also select clang for Windows in the individual components.
  2. Download and install Microsoft Visual C++ Compiler for Python
  3. Install .NET Framework 3.5 from "Turn Windows features on or off"
  4. Launch the start-shell.bat script and navigate to your repo location
  5. Execute the following command to properly configure your environment and catch any missing deps:
     mozilla-central$ ./mach bootstrap
  6. In the js/src folder, create a build directory. Mine is called BUILD_DBG.OBJ (as recommended by Mozilla):
     mozilla-central/js/src$ mkdir BUILD_DBG.OBJ
  7. From within the new directory, run the following commands:
     mozilla-central/js/src/BUILD_DBG.OBJ$ autoconf-2.13   # the official docs say autoconf2.13, but checking C:\mozilla-build\msys\local\bin shows the correct command is autoconf-2.13
     mozilla-central/js/src/BUILD_DBG.OBJ$ ../configure --enable-debug --disable-optimize --enable-nspr-build
     mozilla-central/js/src/BUILD_DBG.OBJ$ mozmake -j4 -s

3. Debugging
  We want to be able to instrument the JS engine from within the debugger and break into it to examine memory. We will be using WinDbg.
  1. Install the WinDbg Preview app from the Windows Store. You can find it by searching for WinDbg in the Cortana search box. If you prefer, you can install WinDbg by following the instructions from Download Debugging Tools for Windows.
  2. Configure WinDbg as a postmortem debugger by following these instructions from Microsoft.
  3. Configure the symbol path in the debugger:
     .sympath srv*c:\symbols*https://msdl.microsoft.com/download/symbols
     .sympath+ srv*C:\symbols*https://symbols.mozilla.org/
  4. Next, we will be using a tool by @0vercl0k. Follow the installation guide on GitHub.
     Note that to use the command interface in the debugger, you have to be attached to a process. You can start and attach to the JS shell at
     /path/to/debug/build/dist/bin/js.exe
  5. Install Python 3.7 from Python
  6. Two notable functions only available in the debug build of the JS shell are dumpObject() and objectAddress().
  7. Now we should be set to start our journey.
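As an added example (my own addition, not part of this post or of any Mozilla tooling), here are the build steps above wrapped in a small POSIX shell script meant to be run from the MozillaBuild start-shell. It checks that the needed tools are on PATH, keeps the configure flags from step 7 (including --enable-nspr-build, which the "Into the Weeds" section explains is needed to avoid the 'prinit.h' not found failure), and has a dry-run switch so you can see the commands before running them. The function names and the SM_ROOT, BUILD_DIR, DRY_RUN and RUN_BUILD variables are my own conventions and are not part of the Mozilla build system.

```shell
#!/bin/sh
# Added example: wraps the SpiderMonkey debug-shell build steps from the post.
# Run from the MozillaBuild start-shell, e.g.:
#   RUN_BUILD=1 DRY_RUN=1 SM_ROOT=./mozilla-central sh build_js_shell.sh
# Assumed conventions (mine, not Mozilla's): SM_ROOT, BUILD_DIR, DRY_RUN, RUN_BUILD.

# Return 0 if every named tool is on PATH, 1 otherwise (listing the missing ones).
# This is a cheap pre-check; ./mach bootstrap (step 5) is still the real one.
require_tools() {
    missing=""
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    if [ -n "$missing" ]; then
        echo "missing tools:$missing" >&2
        return 1
    fi
    return 0
}

# The configure flags from step 7. --enable-nspr-build is kept on purpose:
# without it mozmake later fails with 'prinit.h' not found.
configure_flags() {
    echo "--enable-debug --disable-optimize --enable-nspr-build"
}

# Run a command, or only echo it prefixed with "+ " when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Configure and build the JS shell in js/src/<builddir> under the checkout root.
# Args: $1 = mozilla-central checkout, $2 = build dir (default BUILD_DBG.OBJ).
build_js_shell() {
    root="$1"
    builddir="${2:-BUILD_DBG.OBJ}"
    [ -d "$root/js/src" ] || { echo "no js/src under $root" >&2; return 1; }
    mkdir -p "$root/js/src/$builddir"
    # Subshell so the cd does not leak into the caller's working directory.
    ( cd "$root/js/src/$builddir" &&
      run autoconf-2.13 &&
      run ../configure $(configure_flags) &&
      run mozmake -j4 -s )
}

# Path of the debug shell that WinDbg attaches to (step 4 of Debugging).
js_shell_path() {
    echo "$1/js/src/${2:-BUILD_DBG.OBJ}/dist/bin/js.exe"
}

# Only act when explicitly asked, so sourcing this file just defines the functions.
if [ "${RUN_BUILD:-0}" = "1" ]; then
    root="${SM_ROOT:-./mozilla-central}"
    builddir="${BUILD_DIR:-BUILD_DBG.OBJ}"
    require_tools hg autoconf-2.13 mozmake || exit 1
    build_js_shell "$root" "$builddir" || exit 1
    echo "attach WinDbg to: $(js_shell_path "$root" "$builddir")"
fi
```

With DRY_RUN=1 the script only echoes the autoconf, configure and mozmake commands it would run inside the build directory, which is a quick way to confirm the flags before committing to a long build.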

    Resources

    1. https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Build_Instructions/Windows_Prerequisites
    2. https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/Build_Documentation
    3. https://doar-e.github.io/blog/2018/11/19/introduction-to-spidermonkey-exploitation/#setting-it-up


    Into the Weeds
    I originally tried to use the source from GitHub using the following command.
    git clone --depth 1 https://github.com/mozilla/gecko-dev.git
    The build time using this method was supposed to be significantly faster. However, I ran into problems running step 7 using that source. The major reason was that ./mach bootstrap, which is supposed to help with dependencies, only works with the Mercurial source. Technically, I could go through the code, see what it does and validate the environment myself, but that would be way too much work (I think).

    Now, there's definitely a way to use Mercurial and still get cloning to complete in a significantly shorter time, but I did not explore this option. Feel free to share your quick clone/build tips in the comments below.

    Oh, I almost forgot. Steps 2 and 3 were written after multiple fails in step 5. So you may have more fails, but that means step 5 is really doing its job. Just make the fixes to your environment as it suggests. Also, it does take some time.

    I also ran into problems using the following options for configure: --host=x86_64-pc-mingw32 --target=x86_64-pc-mingw32. If you have some advice regarding this, please share in the comments! But I don't think we need this.

    I ran configure without the --enable-nspr-build option and mozmake failed with 'prinit.h' not found. This was frustrating because I thought I had done everything right. A quick check on my configure, and I returned here to update step 7!

    In the debugging stage, setting the symbol path: at this point of writing, I'm not sure if that step is required. I seemed to be able to find symbols without specifying the symbol path. This is probably a result of the debug build.

    Special thanks to 0vercl0k; his blog post Introduction to SpiderMonkey Exploitation [3] is a useful reference as I compare and contrast with LiveOverflow's work on WebKit. It has really helped fast-track my progress.