Re: Immunity Certified Network Offense Professional

["val smith" <valsmith () offensivecomputing net>]

So I spend a chunk of of my time breaking into computers using old
fashioned techniques (see Tactical Exploitation last years BH
shameless plug) or via web apps. Another chunk of my time reversing
malware in Olly, IDA (starting to look at Immunity Debugger). I
wouldn't call myself an expert exploit developer at the level of some
of the people on this list but I realized a few years ago that being
able to write simple buffer overflows would greatly help me to
understand what all was going on when I broke into a computer.

The skills I gained writing some overflows; like how to use gdb,
windbg, watch network traffic to see what was getting sent, looking at
memory to find my AAAAA's or shellcode, were invaluable in just
getting a feel for how computers and bugs work in general.

Many times I'll download an exploit and find out that it doesn't work,
or isn't reliable and have to port it to metasploit for use on a pen
test. If I didn't have some skills to do this my pen test would be
less successful.

I guess the point of all this rambling is that while not being an
expert in exploit dev, the more you know in general about diverse
subjects in security, the more effective you'll be at your infosec
job, whatever it may be. Like I suspect a lot of people on here, I
don't really have much respect for certifications, but Dave's new
thing might at least spice things up a bit and provide some fun. I
might need a blond, some tequila and a gun to my head to succeed, then
maybe I'll play too :)

V.



On Sun, Jul 13, 2008 at 1:03 PM, Thomas Ptacek <tqbf () matasano com> wrote:
> > The problem I see with this is that people that can't write a simple
> >  exploit also cannot to other very important tasks such as:
> >  - Decide if a crash is exploitable at all
>
> Plenty of people who can't write X86 assembly can discern whether a
> flaw allowed them to corrupt memory. Plenty of people who can write
> X86 assembly, like myself, are content to leave it at that: memory
> corruption bad. MUSTFIX.
>
> >  - Make a judgement about the reliability of any exploits written
>
> This is circular. Sure, if you write exploits, knowing how to do so
> reliably will in fact improve the quality of the checks you write for
> your company's scanner.
>
> >  - Debug the crash to see what input caused the crash in a reasonable time limit
>
> This isn't true. Basic investigative skills, of the sort possessed by
> many 2nd tier call center operators, coupled with the ability to
> generate malicious outputs, and you've got this one nailed. I agree
> it's important, so test for it.
>
> >  - Discuss possible fixes intellegently
>
> What does ret-to-libc have to do with knowing how to manage sign bits,
> check multiplications, or bound copies?
>
> >  - Apply knowledge of the crash to other areas of the program to ensure
> >  that the bug isn't repeated and that the fix is in fact complete
>
> It really sounds like you want to test people's ability to write
> fuzzers. Amen to that. I'm not sure where the shellcode comes in to
> it, though.
>
> --
> ---
> Thomas H. Ptacek // matasano security
> read us on the web: http://www.matasano.com/log
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave



-- 
******************************************
* Val Smith
* CTO Offensive Computing, LLC
* http://www.offensivecomputing.net
*******************************************
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave