Developed from the materials of NYU Poly's old Penetration Testing and Vulnerability Analysis course, Hack Night is a sobering introduction to offensive security. A lot of complex technical content is covered very quickly as students are introduced to a wide variety of complex and immersive topics over thirteen weeks.

Hack Night culminates in a practical application of the skills and techniques taught, students complete a research project inspired by one of the lectures or exercise materials. By the end of the course, each student is expected to have a good understanding of all topics and a mastery of at least one topic.

Due to the involved nature of this course, we recommend students attend Hack Night in person.

If you have any questions, or would like to attend a Hack Night session, you can contact Evan Jensen or Marc Budofsky at [email protected] or you can file a ticket in Github.

Sign up for the Cyber Security Club mailing list to recieve weekly e-mails about seminars and training sessions brought to you by the ISIS Lab.

Hack Night is run every Wednesday during the regular semester at 6 PM in RH 219, check our calendar for updates.

ISIS Lab, RH 219
Six MetroTech Center
Brooklyn, NY 11201

In order to get the most out of Hack Night, you should be familiar with some basic security concepts.

1. PicoCTF Resources

1. Sun Certified Security Administrator for Solaris 9 & 10 Study Guide Chapter 1

1. OWASP Secure Coding Principles

1. Windows ISV Software Security Defenses

1. OWASP Top 10

1. Common Types of Network Attacks

1. University of Washington's The Hardware/Software Interface Currently Unavailable to New Students
2. University of London's Malicious Software and its Underground Economy: Two Sides to Every Story

1. OWASP Top 10

This is an introduction session to the Hack Night curriculum, this session tries to give an overview of what rest of Hack Night sessions is to be followed. More importantly, it also gives the ethics necessary to keep in mind when you learn something as powerful as your going to do now. Next, we will cover various types of disclosure that hackers have followed since its inception.

Before diving into the Hack Night semester, we recommend you take a look at the resources below and become familiar with some of the material.

1. Trends in Vulnerability Disclosure
2. Intrusion via Web Application Flaws
3. Intrusion via Client-Side Exploitation

1. IRC: #hacknight on isis.poly.edu port 6697 (ssl only)
2. ISIS Lab Blog
3. ISIS Lab Github
4. Project Ideas
5. Resources Wiki
6. CyFor
7. Cyber Security Club Mailing List
8. ISIS Lab Calendar

This session will cover Code Auditing. Code Auditing an application is the process of analyzing application code (in source or binary form) to uncover vulnerabilities that attackers might exploit. By going through this process, you can identify and close security holes that would otherwise put sensitive data and business resources at unnecessary risk. Topics that will be covered are Identifying Architectural, Implementation and Operational vulnerabilities.

1. Design & Operational Reviews [slides]
2. Code Auditing 101 [slides]

1. Client Request Access Protocol We believe this protocol to be severely flawed and require your assistance in identifying vulnerabilities in it. Your objective is to identify and informally describe as many of these issues that you can.

1. Source Code Analysis
2. Application Security
3. The Art of Software Security Assessment
4. Integer Overflows
5. Catching Integer Overflows
6. The Fortify Taxonomy of Software Security Flaws

This week we will continue with the final video on Code Auditing, and provide you with 2 more applications that are intentionally vulnerable. Your job is to audit the source code and find vulnerabilities in them. Test the skills that you have learned last week to efficiently go over the process of auditing applications.

1. Code Auditing 102 [slides]

1. News Paper Simple Usage This network service simulates a text-based terminal application. The general purpose of the application is to act as a "news server" or text file service. These are two types of users: regular and administrator. Administrators can add users and execute back-end system commands. Users can view and contribute articles (aka text files). Assume the application runs on Linux and is compiled with gcc.
2. Siberia Crimeware Pack (Password: infected) The Siberia kit contains live exploit code and will likely set off AV, however none of the exploit code is in a state where it would be harmful to your computer. In addition to all of the vulnerabilites have been patched years ago, the exploits in Siberia need to be interpreted by PHP and read by your browser for them to have any effect. You can safely disable or create exceptions in your AV for this exercise or place the Siberia files inside a VM.

1. Source Code Analysis
2. Application Security
3. The Art of Software Security Assessment
4. Integer Overflows
5. Catching Integer Overflows
6. The Fortify Taxonomy of Software Security Flaws

1. Source Navigator
2. Scitools Understand
3. List of tools for static code analysis

This session will cover web hacking. This session is about getting familiarity with various vulnerabilities commonly found in web applications. You will be able to identify and exploit web application vulnerabilities. Topics to be covered are web application primer, Vuln. commonly found in web apps. (OWASP Top 10) and Basic web testing methodologies.

1. Web Hacking 101 [slides]

1. Google Gruyere

1. Web Security
2. The Tangled Web
3. OWASP Top 10
4. OWASP Top 10 Tools and Tactics

In this session, we will continue with the second video on Web Hacking. We will then be using some more intentionally vulnerable web applications to identify and analyze the top ten vulnerabilities commonly found in the web applications You will be going through the steps of busticating a real site and throwing a fire sale using freely available tools.

1. Web Hacking 102 [slides]

1. OWASP WebGoat
2. Damn Vulnerable Web Application

1. Web Security
2. The Tangled Web
3. OWASP Top 10
4. OWASP Top 10 Tools and Tactics

This session is about Reverse Engineering. Most of the software we use everyday is closed source. You don't have the liberty to look at the source code, at this point we need to analyze the available compiled binary. Reversing a binary is no easy task but can be done with the proper methodology and the right tools. This is exactly what two of world's best reverse engineers are going to teach you.

1. Reverse Engineering 101
2. Reverse Engineering 102 [slides]

In this section we will go through the basic idea of a binary and how your source code is converted into an executable form. We will then look at the assembly language used by executable programs and develop our own low level programs. We will write simple assembly language programs and teach the basic skills needed to understand more complex assembly language uses.

1. Assembly Programming Exercises

1. Reverse Engineering
2. Application Security
3. IDA Demo
4. x86 Win32 Reverse Engineering Cheatsheet
5. IDA Pro Shortcuts
6. All Materials for Introductory Intel x86
7. Reverse Engineering
8. nasm
9. x86 Intel Manuals

Picking up from previous session, we will watch the last video on Reverse Engineering, and present you with an application which has no source code. Your job is to understand what the application is doing and figure out any loopholes present in that application. You'll use static analysis tools like IDA and varied dynamic analysis to analyze the binary and get a complete understanding of the application.

1. Dynamic Reverse Engineering [slides]

1. Challenge Application 1
2. Challenge Application 2

1. Reverse Engineering
2. Application Security
3. IDA Demo
4. x86 Win32 Reverse Engineering Cheatsheet
5. IDA Pro Shortcuts
6. All Materials for Introductory Intel x86
7. Reverse Engineering
8. nasm
9. x86 Intel Manuals

In this session we will cover Introductory Intel x86: Architecture, Assembly, Applications, and Alliteration by Xeno Kovah from OpenSecurityTraining. Intel processors have been a major force in personal computing for more than 30 years. An understanding of low level computing mechanisms used in Intel chips as taught in this course serves as a foundation upon which to better understand other hardware, as well as many technical specialties such as reverse engineering, compiler design, operating system design, code optimization, and vulnerability exploitation. 50% of the time will be spent learning Windows/Linux tools and analysis of "simple" programs.

1. Introductory Intel x86 Lectures

1. CMU Bomb Lab (Linux/IA32 binary)

1. Reverse Engineering
2. Application Security
3. IDA Demo
4. x86 Win32 Reverse Engineering Cheatsheet
5. IDA Pro Shortcuts
6. All Materials for Introductory Intel x86
7. Reverse Engineering
8. nasm
9. x86 Intel Manuals

Picking up from the last week's session, we will continue to explore the world of x86. This is going to be a workshop were we will write programs at assembly level. Once, we get familiar to basic x86 instructions we will switch to analyzing a real application and try to get high level understanding of what the application is doing. The goal would be to get familiar with calling conventions, stack and stack frames.

1. Introductory Intel x86 Lectures

1. RPI Bomb Lab
2. Write readFile.c in x86 by hand

1. Reverse Engineering
2. Application Security
3. IDA Demo
4. x86 Win32 Reverse Engineering Cheatsheet
5. IDA Pro Shortcuts
6. All Materials for Introductory Intel x86
7. nasm
8. x86 Intel Manuals

In this week's session, we will go over some advanced concepts related to computer security. Dino Dai Zovi will go over various memory errors that an application can cause often leading to catastrophic results. Topics that will be covered are various memory errors like buffer overflows, uninitialized variables, use after free etc. and how we can use them to take control of an application. We will also look at exploitation mitigation that your current OS implements, it's not 1988 anymore. Finally, we will look at some techniques used to bypass modern mitigations.

1. Memory Corruption 101 [slides]

1. Vulnerable Application

1. Exploitation
2. VMWare Player
3. Linux Machine (preferably, Ubuntu)
4. IDA Demo
5. Windbg

Picking up from the last session, we will finish watching Dino Dai Zovi's lecture and do a live exploitation of a vulnerable program. We will go through all the steps that Dino explained in his lecture to write a control flow hijacking exploit and take over the program. Once we are done with 1990's style exploitation, we will re-compile the program with modern mitigation technologies and look at various techniques used to bypass these mitigation's.

1. Memory Corruption 101 [slides]

1 CSAW 2013 Exploitation 2

1. Exploitation
2. VMWare Player
3. Linux Machine (preferably, Ubuntu)
4. IDA Demo
5. Windbg

1. Gera's Insecure Programming by Example
2. Exploit-Exercises

In this week, we will cover post-exploitation. Post-exploitation is the stage in the intrusion kill chain wherein the attacker uses persistence techniques after the victim's system is compromised to maintain his/her presence on the machine. In addition the attacker also wants his presence to be hidden, this includes evading antivirus software, covering his/her tracks, etc. We will look at various techniques used by attackers to achieve the aforementioned goals.

1. Post Exploitation

As shown in the lecture video, setup two VM’s. One VM will have metasploit running, backtrack is preferred and the other machine will be a Windows box. Preferred, win xp professional or win 7 professional. Use the psexec module available in metasploit to gain access to the Windows box. Once, you have a meterpreter session available, apply different techniques demonstrated in the lecture like getting the password hash of Administrator, so that you can re-login as Administrator which gives you elevated privileges.

Having a meterpreter session open isn’t necessarily good enough. For instance, run cmd.exe in windows box; get back to your meterpreter session and find the pid of cmd.exe using “ps” command. Once you are able to figure out the pid, use the migrate command to switch to that process. Now, close the command prompt in the windows box. Do you still have the session open? What do you think a stable process might be to migrate?

If you have found the stable process that you as an attacker want to migrate to, chances are your persistence is good. Although, this may not be the case if the victim restarts his machine. What do you think a better approach would be to keep your connection persistent, even after several reboots? Try to use this method and see for yourself, if you have a persistent connection or not.

1. Symantec Stuxnet Dossier

In this, the last session of Hack Night. We will be going over Fuzzing and later have a short discussion on what you can do to continue improving your skills. Fuzzing is a black box software testing technique, which consists of finding implementation bugs by manipulating input data sent to an application automatically. We will go over different types of fuzzing, various methods used for fuzzing, and finally the process of "smart" fuzzing.

1. Fuzzing

1. fuzz.py
2. HaikuSyscallFuzzer

1. Fuzzing

Hack Night is designed to culminate in each student developing some kind of deliverable related to computer security, the goal being that everyone leaves the program with more knowledge about security.

1. Project Ideas
2. Project Ideas Wiki