BlackHat Review and Advanced Infrastructure Hacking Course Review

I must say this is very late, but I wanted to post this. There are not enough reviews of these courses from BlackHat and DefCon and probably other conferences. I attended BlackHat in 2017 in Las Vegas.

Part 1: BlackHat review

BlackHat is a professional Security Conference composed of two main events. These two events are the Trainings and the Briefings.
Trainings is exactly what it sounds like. BlackHat offers training classes on everything from penetration testing, threat hunting, malware analysis, OSINT, Digital Forensics and more.
Each training class is 2-4 days and costs approx. 2100-3800 based on how early you register and well, the cost. Briefings is about the same as well so getting a briefings + trainings pass can be very expensive. The BlackHat event is held in the Mandalay Bay Conference center.
I did not attend the briefings so I can’t comment on the material very much but generally at least some of the videos will be online so feel free to check out some of the videos to see if the briefings are worthwhile.

Outside of the training however, your training pass will give you access to other events that go on during the blackhat conference. Remember that the first 2 days of training do not occur during the actual event and there won’t be much else to do during that time, however starting Monday, and continuing during the week, you will have access to the vendor area, Arsenal, Business Hall and other activities, including recruiting events. I will leave some of the descriptions to the BH website, however the vendor area is of note. The vendor area is a big room where you can walk around and see prominent and not so prominent companies in the security arena. Everyone from LogRhythm, to FireEye, and numerous others will be talking or presenting their products in demonstrations, and will be giving away free stuff, from t-shirts, to electronic gadgets, fidget spinners, and whatnot. It is important to note that some vendors may hold their goodies for people who stop to see their presentations. Almost all will require you to scan your BH badge.
Badge: The badge is obviously your ID for access to the event, however it is also important to note that it is also an RFID device which contains your registration info. When you register for BH you will have to give info like an email address, phone number, and your real name. While an opportunity is provided to have a handle on your badge and not have your company info or title on the badge, this info is on the RFID device and will be accessible to companies when they scan your badge. This info will be used primarily to send you promotional emails, and contact you after the event to see If they can sell or otherwise push their products.
Parties: Like Defcon, BlackHat likes its parties, though by nature they are different. There will be some advertised online and others you may find out about at vendor booths. You will likely need to provide info to attend, see above. I didn’t want to provide any info so I didn’t attend any, maybe next year I’ll get some fake info to provide to everyone. Popular parties may be put on by vendors like Rapid 7, CyberReason, Flashpoint, Optiv, ect. Some will be open to everyone, and some will require you to get some kind of pass from the vendor’s booth where only a limited amount may be provided. I would however suggest taking the time to sit for some of the presentations, I kind of regret not doing so myself.

Overall, I think BlackHat is definitely something to attend if you can afford it, or have your company pay for it. It is a “professional security conference” so it is a bit more corporate. But no one is going to criticize you for wearing pants and a t-shirt or what not. And I suspect if I were staying closer I would have attended a lot more of the events. Which brings me to the last topic

Special considerations: First and foremost you are in Vegas, it is not the cheapest place in the world (I didn’t find it insanely expensive either). One thing you are going to have to consider is where you will stay during your time there. If you are attending BH, you should understand that BH is held at the MB Hotel and Casino (technically conference center…). So that is the ideal option perhaps. But another option is the unique Luxor Hotel, not very far at all. If you are further away you are going to have to either get cabs to the event or walk. Walking down the strip more than a few blocks is not the easiest thing to do, especially during the day when the heat can surpass 100 degrees. And cabs get more expensive than you would think when you are traveling 2-4 times a day.

Also consider providing alternative information when you can when registering, and when offered the opportunity to do so at the event. A throwaway email (which you can access) and a phone number (Don’t need to access this), will be useful in avoiding unwanted communication.

That is all I have for the moment, if anyone has questions, I’ll answer what questions I can, and up next is the course review.

Find more posts tagged with

Comments

SephStorm

The training classes I would say are likely worth trying. The class I took was 2 day Advanced Infrastructure Hacking (AIH). While there were some issues with internet access (we were supposed to have wired access, I think but that did not happen, and then the three wireless networks all had issues at one point or another), We were able to get everyone connected and the classes mostly went off without any additional issues. The class I took, AIH was very interesting, very different from what I expected in many respects. While the syllabus of the class mentions topics as if they will be discussed as beginner level topics, they really aren’t.

You are being taught about how these topics apply in terms of an advanced penetration test. While I don’t feel a beginner would be totally lost in this class, it would present challenges. A benefit to this course however is that you get to see threats and attacks you would not have imagined. We covered topics like breaking out of applocker protected systems, as well as AV, how powershell can be used to devastating effect, and hacking application servers. Some of these topics were the first time I had seen these methods utilized.

For instance, one of the first activities in the class (at least in the PDF, excuse me some of this is being added a year after the course) is writing a bruteforce tool for SNMP. Then the class breaks into attacking an application delivery system called Jenkins. I hd never seen this app but most importantly I haven't seen discussion of attacking this type of system in order to gain access to an organization. This system allows companies to centralize application builds and deployments. But what if this system is compromised? We go from there to compromising MY SQL and Postgres. My previous experience with postgres was limited to starting it before starting metasploit.

The course then got into recent exploits like POODLE, Heartbleed, Shellshock. It covered enumerating domain users, something most courses don't address, they are targeted towards workgroup systems. As stated previously we address bypassing applocker, have you audited your policies? Are there any unintentional places where applications can run from? Are your service binaries in user writable locations?

One nice thing is that for this class, they provide access to the lab for 30 days after the con (access doesn't start until after the con so you don't have to worry about rushing during DefCon.)

There actually was more but I recognized I was out of my depth and skipped out of Day 2 to get more vendor stuff and prepare for DefCon. I haven't decided whether I will take a class this year, but I think I would like to, I have to decide what might be in my capability, but still provide a challenge.

JoJoCal19

Thanks for the write-up! It's been my goal for years to get to Black Hat but since neither my wife or I had been to Vegas, I'd held off. We are supposed to go in June to get our first trip to Vegas out of the way, so hopefully I can finally make it out there to BlackHat. I'm hoping to have at least on pentesting course under my belt so I can take a training there, but if not I'll just do the briefings pass.

SaSkiller

Going in June this year for BlackHat? BlackHat and DefCon are in August this year. 4-7th for BH.

Danielm7

Not sure if I'll be going this year yet, especially when they won't cover the training costs so the price for just the talks themselves is a hard sell most years. Between 2K+ for BH, Defon, flights, hotel and then add in a training course you can be out 10K for a week or so pretty fast.

636-555-3226

+1 and totally agree this place needs more Blackhat training reviews. I'll be going this year and will report back afterwards!

airzero

I'm thinking of signing up for the Specterops adversary tactics: red team ops this year. Anyone else considering this course?

JoJoCal19

SaSkiller wrote: »

Going in June this year for BlackHat? BlackHat and DefCon are in August this year. 4-7th for BH.

Shoot, editing post for clarification. My wife and I are going to Vegas in June, so that I can then go to Vegas for BlackHat and other conferences guilt free lol. She's one that ribs me for having fun while traveling to new places for work or training.

NetworkNewb

SephStorm wrote: »

First and foremost you are in Vegas, it is not the cheapest place in the world

Can't you just win some money at the casinos to pay for things though?

markulous

I'm debating which class to sign up for. The social engineering ones seem the most fun but it probably doesn't help the business too much. Saw this one but we don't do any pen testing in house so probably won't choose this one but it sounds fun.

yoba222

markulous wrote: »

I'm debating which class to sign up for. The social engineering ones seem the most fun but it probably doesn't help the business too much. Saw this one but we don't do any pen testing in house so probably won't choose this one but it sounds fun.

Might help the business. You could volunteer to give an informal training session to some of your job's employees so they know the latest techniques on what to watch out for. If you sell it right, it might justify attending the training.

jcundiff

the Luxor and Excaliber are 35-55 a night during BH if you register soon enough... you didnt mention the tram which runs between several of the hotels and the MB... I have been the last 2 years, 1st year stayed at the MGM and had to go through the MGM to the walkway to NYNY through it to the walkway to Excaliber to catch the tram... last year I registered and booked early enough to stay at MB... I want to say it averaged around 160 a night so no, Vegas is not that expensive... I took the Maltego training in 2016 and Practical Threat Intelligence last year. Its something every InfoSec professional should attend at least once just for the experience. I also attended a much (100 +/-) invite only conference in Dallas last year... I will be going back to it this year... BH, well, SANS FOR578 is a better option for me

SaSkiller

So heres my link to some reviews of courses:

http://www.techexams.net/forums/off-topic/125044-blackhat-training-reviews.html

I also found a few more reviews.

https://securityreliks.wordpress.com/2010/07/28/review-hacking-by-numbers-combat-edition-by-sensepost/

https://www.linkedin.com/pulse/black-hat-usa-2017-review-ops-hacking-pentesters-master-barnes

https://www.linkedin.com/pulse/black-hat-usa-2016-review-adaptive-red-team-tactics-veris-barnes

https://www.linkedin.com/pulse/my-experience-offensive-iot-exploitation-black-hat-2016-bahirwani

technogoat

interesting, monitoring this thread and will investigate

SaSkiller

https://h4ck.co/blackhat-2017-advanced-infrastructure-hacking-4-day-course-review/ - AIH course 4 day

SaSkiller

Here is what appears to be Greg Carson's original post that was mentioned in one of the other articles. It is a review of Adaptive Red Team Tactics

red|blue: Black Hat USA 2015 Course Review - Adaptive Red Team Tactics from Veris Group

SaSkiller

My review of the Pentesting Enterprise Infrastructure Journeyman level course at BlackHat 2018

Day 1

Class started off with a standard introduction and included an explanation of the company’s mindset on training. They made effort to stress that its not about the tools used, or even the end goal, but breaking down an attack into smaller more manageable questions.

The first exercise involved a limited shell which you had to escape on the system and gain command execution. A rough exercise, I think only one person really got it at first and it took a lot of hints. But as the instructor noted it wasn’t about the answer, as much as it was introducing people to the frustrations a tester encounters, as well as introducing input validation.

We then got into the concepts of the hackers process, starting with recon Our exercise was to gain as much data as we could about a giving organization. It included an introduction to using bing for some fuctions, google dorking, discussion about leaks, gathering email addresses, looking at WHOIS data (including how GDPR is affecting the ability to use that.) One interesting note was we were given a South African business to research and the whois data was a lot more… useful than with many examples in the US, so it was interesting to see.

One thing I liked about this section is they discussed intermediate targets between you and the target.

We discussed gathering intel on the target organization as well as other businesses they do business with, so it may be worthwhile, if you plan to compromise target A with a phishing attack, rather than sending them an email straight up, why not compromise organization B they do business with, then send an email from a legitimate source within B to A. So not only have you demonstrated phishing vulnerabilities, but you are also abusing trust relationships. We also discussed how this can affect companies from they network blue team prospective. How often do blue teams inspect data from trusted partners? I know in the past I have made the mistake of doing so. “That IP belongs to a business we work with, ignore that alert.” I’m going to have to rethink that. I may have to talk to the people at the blue team village at DefCon and see what they suggest.

We utilized DNS to gather additional data as well as looked at a way to see recent domain and certificate registration. Again we used some search engines to gather additional data, see if we can find error pages or files related to the company. I have seen cases where an organization published guides on using their portals online, which from an attackers prospective meant they could understand the site, how it likely worked, how to navigate it, and possible points of vulnerability before even gaining access to the organization.

We talked about footprinting and had an overview of utilizing nmap and a quick TCP/IP overview. In this section we discussed some particular targets of interest including fining OWA portals, VPN endpoints, and discussed issues with shared hosting.

We did a series of exercises with nmap, and discussed fingerprinting active services. I liked that the instructors mentioned UDP scanning and discussed the issues with it as well as possible workarounds.

We then discussed vulnerabilities. Not just talking about vulnerabilities in code, but configuration errors, business logic errors, ect. Which can be vulnerabilities as well. Covering the normal information, databases for vulnerabilities, as well as a brief coverage of some scanners to include fuzzers. We covered nmap scripts (NSE) which I liked. The instructor noted that it is rarely a situation where we can find a 1-1 mapping of technical vulnerability to an exploit. I would have liked to have seen a lab on downloading an exploit and recognizing the broken code or otherwise modifying it to work against a host. We did discuss the weaknesses of automated scanners.

I wasn’t a big fan of the exercise for this section, the point was to take advantage of a configuration weakness, but we were left to try to learn how to utilize a unknown program (redis) while also learning how to use ssh keys and do things through redis. Long story short we spent at least an hour or two working with this, as well as re-walking through it after class, and I’m not sure it was needed to get the point across. I think that the exercise in adding SSH keys to a host to allow us to login was a useful exercise in and of itself, but yeah…

Day 1 ended with a start to our discussion of exploits. We discusses that sometimes it is useful not just to try to get a shell on a system but sometimes we want to do something different, whether it be sending an implant, modifying the application or OS, or delivering shellcode.

Day 2

Our first practical of the day was utilizing Nmap to find a host vulnerable to EternalBlue and to use Metasploit to exploit the vulnerability. For me this was a refresher, I have mostly been doing web app testing, so getting back into MSF was fun, they covered details on using MSF for new people.

We then exploited some additional vulnerabilities on the same server as well as another system that we were able to discover by doing some post exploitation on one of the servers. We were going back and forth between using nmap as well as MSF, using auxilary and scanner modules as well as exploits and payloads.

We discussed privilege escalation, then talked about SMB, password cracking, where the instructors did a live demo of hashcat and discussed how to use the tool effectively.

Discussed Active Directory including trust relationships. We discussed impersonating users and moved onto our final challenges, pivoting, and compromising the domain.

All in all this was a really good course with good instructors. If you are looking to brush up on pentesting skills with modern systems this is a good course.

SaSkiller

Wanted to add this to the list:

http://theevilbit.blogspot.com/2016/09/offensive-security-advanced-web-attacks.html