June 25, 2016

Classes Now Available For Sale & Preorder

Here at Hack All The Things, our development team has been working around the clock for more than 18 months to bring you the best professional training for zero-day exploit development and mitigation available on the market. We're proud to present Dr. Owen Redwood's completely revamped Offensive Computer Security Course, as well as our entirely new and innovative SQL injection workshop. In addition to the course and workshop, we've developed various tools, some of which are publicly available on GitHub, with the remainder available privately for our pre-launch customers. For pricing or questions about these offers, you can reach out by emailing sales [at] hackallthethings.com or through Twitter or Reddit. Interested parties may also simply comment on this blog post, and we will respond via email without publishing your comment. For news and updates, follow our Twitter and subscribe to /r/hackallthethings.

Pre-Launch Specials

Exclusive Prelaunch Order Bonuses

  • "Hack All The Things" T-shirt
  • Waived final exam fee (where applicable - a $500 value)
  • Operating System Security Guide (a $250 value)
  • Exclusive discounts after launch

As we will be launching very soon, we've decided to offer pre-launch specials (including exclusive pre-launch discounts and add-ons) on two of our products: the interactive SQL injection workshop (available for pre-order), and Dr. Redwood's Offensive Computer Security 2.0 (available for immediate access). As well as receiving the normal pre-launch order bonuses, each course offers its own exclusive pre-launch benefits.

Pre-launch offers are subject to bulk and/or academic pricing with competitive discounts.

Offensive Computer Security 2.0's Pre-launch Sale Benefits

Bonus Workshop Videos

  • C/C++ vulnerability fundamentals
    • Stack & heap vulnerabilities
    • Integer bugs
    • Pointer bugs
    • Format string vulnerabilities
  • UAF exploitation workshop
  • ROP exploit development workshop
  • Web exploitation workshop

All pre-launch purchases of the OCS courseware exclusively include individualized instructor feedback and grading by Dr. Redwood, and access to the Hack All The Things academic "CTF Summer Sessions" workshop videos. These workshop videos are currently offered exclusively to university students (.edu) over the course of 2016, and are hosted live for the 3-time CCDC champions, HackUCF. The CTF Summer Session workshop videos start by covering the fundamental offensive cybersecurity topics, then dive in deep with hands-on walkthroughs of real CTF exploitation challenges. Seats for this pre-launch special are limited because individualized instruction and manual grading are time-intensive. Enroll now to secure your seat!

SQL Injection Workshop Pre-order Benefits

PoC Features

  • Automated testing for SQL injection vulnerabilities
  • Automated exploitation for multiple types of injection:
    • In-band injection
    • Error-based injection
    • Second-order injection
    • Partial-blind injection
    • Full-blind injection
  • An interactive SQL shell for post-exploitation

The SQL injection workshop pre-orders will provide exclusive pre-release access to our feature-rich SQL injection proof-of-concept script (video demo). When watching the video, keep a keen eye out for visibility notices, which it prints as it retrieves multiple bits per request from blind injections!

Pre-orders will also grant immediate access to our innovative SQL injection sandbox, which allows the user to choose from in-band, error-based, second-order, partial-blind, and full-blind vulnerability types. The vulnerability sandbox also provides an interface to configure the vulnerable input's data type, and multiple types of bareword and character filters (as well as the way these are filtered). It also contains a debug panel showing the user the application-generated SQL query and any SQL errors it may have caused.

All features of the proof-of-concept script are fully documented in the workshop, along with the basics of SQL and the anatomy of a SQL injection. Additionally, the workshop explains countermeasures to SQL injection and methods of circumventing several of them. The workshop also details the ways in which multi-byte characters can defeat the sanitizing applied to an input.

Offensive Computer Security 2.0

Prerequisites

  • Familiarity with C/C++
  • Comprehension of Assembly
  • Basic understanding of security concepts
  • Capability to set up and use a Virtual Machine

This course is for anyone who wants to become an incident responder, penetration tester, security professional, forensics professional, or vulnerability researcher. It includes ten assignments, two tests, and a final exam. Upon successful completion of the course, students will have found their own 0-day vulnerability and obtained a CVE for it. Books that will be used throughout the course are Hacking: The Art of Exploitation (2nd edition - Jon Erickson), and The Web Application Hacker's Handbook (2nd edition - Dafydd Stuttard).

Lecture Videos

  • Secure C Programming 101, 102, and 103
  • Auditing C code for vulnerabilities
  • Linux OS Overview and the permissions spectrum
  • Windows OS & API overview
  • Rootkit design for Linux & Windows
  • Reverse Engineering x86 101 & 102
  • Fuzzing binaries for vulnerabilities 101, 102, and 103
  • Exploit Development 101, 102, 103, 104, 105, and 106
  • Use-After-Free exploit development
  • Networking 101 & 102
  • Web Exploitation 101, 102, 103, and 104
  • Forensics
  • Social Engineering
  • Physical Security
  • Post-exploitation techniques

Graduates will be able to identify, classify, exploit, and mitigate a variety of vulnerability types, including:

  • Stack and heap buffer overflows
  • Integer overflows/underflows
  • Use-after-free vulnerabilities
  • Format string vulnerabilities
  • Pointer-based vulnerabilities
  • SQLi vulnerabilities
  • XSS vulnerabilities
  • XSRF vulnerabilities
  • Metacharacter injection vulnerabilities
  • Network protocol vulnerabilities

Dr. Redwood's Offensive Computer Security course materials are currently being taught at multiple universities across the world. The courseware has been used by CTF clubs to improve the skills of their members, and professors have utilized the course as an additional elective towards information security degrees.

The Interactive SQL Injection Workshop

Course Overview

  • Introduction to the web and SQL
  • How web applications interact with SQL services
  • Problems with SQL oriented code
  • The anatomy of an injection
  • Obstacles & countermeasures to SQL injection
  • Advanced testing for SQL injection vulnerabilities
  • Testing with timing functions
  • Remote type checking
  • Information gathering
  • Determining the currently executing SQL query
  • Remote DBMS identification and fingerprinting
  • In-band and error-based data retrieval
  • Second-order injections
  • Four techniques for out-of-band data retrieval
  • Mitigating SQL injection vulnerabilities

This workshop is for anyone who wants to become a better defender, incident responder, security professional or vulnerability researcher regardless of experience level. It also provides explanations of SQL injection techniques in MySQL, PostgreSQL, Microsoft SQL Server, and Oracle environments. Each segment provides interactive examples of the techniques provided in the workshop through the SQL injection sandbox. The student is provided with interactive CTF-style skill assessments and quizzes through the sandbox between sections. This ensures they are learning and retaining the material as they proceed through the various segments of the course.

This workshop fully explains the methods in which out-of-band vulnerabilities can allow the attacker to retrieve multiple bits per request, both with partial blind injections and fully blind (timing-based) injections.

The proof of concept video shows these techniques in action. Combined with the interactive sandbox and the proof of concept, this workshop takes education on SQL injection to the next level!

June 23, 2016

Using Multi-byte Characters To Nullify SQL Injection Sanitizing

Using multiple character sets, and multi-byte character sets in particular, exposes web applications to a number of hazards. This article examines the usual method of sanitizing strings in SQL statements, presents research into multi-byte character sets, and describes the hazards they can introduce.

SQL Injection and Sanitizing

Web applications sanitize the apostrophe (') character in user-supplied strings that are passed to SQL statements by prefixing it with an escape character (\). The hex code of the escape character is 0x5c. When an attacker puts an apostrophe into a user input, the ' is turned into \' during sanitizing. The DBMS does not treat \' as a string delimiter, so under normal circumstances the attacker is prevented from terminating the string and injecting SQL into the statement.

If a multi-byte character supported by the server ends in the byte 0x5c, an attacker can insert that character's prefix (lead) byte before the apostrophe. The escape byte then combines with the prefix into a different character altogether, and the single quote passes through the string input unscathed. While this idea isn't new, finding research online that includes a complete list of affected character sets and characters is cumbersome at best. This article attempts to put all of the research and tools in one place.

Researching Multi-byte Character Sets

A small Python script was devised to determine which character sets contain multi-byte characters ending in 0x5c, and which characters those are. The script iterates over all installed character sets and inspects the hexadecimal encoding of each character. The character sets found to contain valid multi-byte characters ending in 0x5c are listed in Figure A. Additionally, a video of the script running is provided in Figure B to show what the output should look like.

Figure A: Character sets containing valid multi-byte characters ending in 0x5c

  • Big5 - Used in Taiwan, Hong Kong, and Macau for "Traditional Chinese"
  • HKSCS - Hong Kong's Big5 Supplementary Character Set
  • CP932 - Windows-31J (Japanese)
  • CP950 - Microsoft's implementation of Big5
  • GB18030 - Chinese National Character Set
  • GBK - Simplified Chinese
  • JOHAB - Korean Legacy Encoding
  • SHIFT_JIS - Shift Japanese Industrial Standards

Figure B: Multi-byte Inspection Script Video
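The following Python script is an added example, not the article's own inspection script, and it covers two parts of the article at once: the scan for multi-byte characters whose encoding ends in 0x5c (the research behind Figure A), and the sanitizing failure described in the previous section, shown next to a charset-aware alternative. The hostile input bytes are constructed for the demonstration; the charset names are Python codec names (big5, cp932, gbk, shift_jis, and so on), and the "DBMS view" is a simplified model that decodes the escaped bytes in the server's charset and looks for an apostrophe that no backslash protects.

```python
import codecs

ESCAPE_BYTE = 0x5C  # the backslash the sanitizer inserts before an apostrophe


def trail_5c_chars(charset: str) -> list:
    """Return every BMP character whose encoding in `charset` is longer than
    one byte and ends in 0x5c.  This is the same property the article's
    research script looks for: a preceding lead byte can absorb the escape."""
    codecs.lookup(charset)  # fail early on an unknown charset name
    found = []
    for cp in range(0x80, 0x10000):  # 0x00-0x7F are single bytes everywhere
        try:
            enc = chr(cp).encode(charset)
        except UnicodeEncodeError:
            continue  # unmapped code point or surrogate: not in this charset
        if len(enc) > 1 and enc[-1] == ESCAPE_BYTE:
            found.append(chr(cp))
    return found


def naive_escape(raw: bytes) -> bytes:
    """Byte-oriented sanitizer of the kind described in the article: prefixes
    each backslash and apostrophe with 0x5c without knowing the charset."""
    return raw.replace(b"\\", b"\\\\").replace(b"'", b"\\'")


def unescaped_quote_present(escaped: bytes, charset: str) -> bool:
    """Decode the escaped bytes the way a DBMS using `charset` would (simplified
    model) and report whether an apostrophe survives as an unescaped delimiter."""
    text = escaped.decode(charset, errors="replace")
    i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # a backslash escapes whatever character follows it
        elif text[i] == "'":
            return True
        else:
            i += 1
    return False


def charset_aware_escape(raw: bytes, charset: str) -> str:
    """Decode strictly in the connection charset *before* escaping, so the
    escape is applied to characters rather than bytes.  A lead byte that is
    not followed by a valid trail byte is malformed and raises
    UnicodeDecodeError instead of reaching the query."""
    text = raw.decode(charset)
    return text.replace("\\", "\\\\").replace("'", "\\'")


if __name__ == "__main__":
    # Constructed input: a GBK lead byte 0xbf immediately followed by an apostrophe.
    hostile = b"\xbf'"
    escaped = naive_escape(hostile)  # bytes bf 5c 27
    print("naive escape, DBMS in GBK:     quote survives =",
          unescaped_quote_present(escaped, "gbk"))      # True
    print("naive escape, DBMS in latin-1: quote survives =",
          unescaped_quote_present(escaped, "latin-1"))  # False
    try:
        charset_aware_escape(hostile, "gbk")
    except UnicodeDecodeError as err:
        print("charset-aware escape rejected malformed input:", err.reason)
    for cs in ("big5", "cp932", "gbk", "shift_jis", "utf-8"):
        print(f"{cs}: {len(trail_5c_chars(cs))} multi-byte chars ending in 0x5c")
```

Two things are worth noting from the output. First, the escape only fails when the application escapes bytes under one charset and the server interprets them under another, which is the condition the article's conclusion identifies; decoding strictly in the connection charset before escaping closes the gap because the orphaned lead byte is malformed and is rejected. Second, UTF-8 never appears in the scan, since its trail bytes are always 0x80 or higher. Parameterized queries, which keep user data out of the SQL text entirely, remain the preferable defense over any escaping scheme.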

Conclusion

There are hundreds of multi-byte characters that could potentially allow attackers to bypass sanitizing and perform SQL injection. It is interesting to note that these character sets are intended for use in specific regions of the world. The fix is to force both the web server and the SQL server to use the same character set, since this vulnerability only occurs when multiple (and different) character sets are in use. Those looking to do so may find this research interesting.