news || headlines || arhcives || search
Where do I begin?
So, I just got another e-mail from someone asking where to begin in terms of training for oCTF. The person did so in a very good way, asking for sources of information. Since this is a common question (and probably increasingly so as the desire of hacking grows). So I thought I'd share my advice with more than just one person (now both readers of our news section will also know).
My reply, in part:
As for learning about this sort of thing, there are some books that people I respect have highly recommended such as "the art of exploitation", "the shell coders handbook" and a few others.
I learned the majority of what I know by doing it. For guides on that, there are little challenges which people put out. Onces that come to mind are: http://reverse.israeltorres.org/ http://www.decoderclub.org/ http://learnsecurityonline.com (I know less about this last one than the previous two). These sites all seem to be a good overview and give some hands on experience.
http://www.astalavista.com/ used to be a good resource, and a quick glance at their site leads me to believe this is still the case.
Also, Israel Torres gives out a crypto challenge every month which has a cash prize. Here's the archive: http://crypto101.israeltorres.org/crypto-challenge-archive.txt
Get of the Irvine Underground mailing list if you want to be included when they're released. He's also at IVU meetings every month, and once in a while he makes it to our meetings (which are a bit further away from him).
hackin9 and 2600 are two 'zines which I know are good.
Getting on some security warning mailing lists will help get you on the pulse of what's new and exciting. Then you can look up all the things which they mention that you don't understand. If "CERT" doesn't mean anything to you, then you should go to a search engine and start searching.
Knowing how to code in C and ASM isn't required, but if you want to learn about buffer overflows, stack corruption/smashing, debugging release binaries, how viruses work (at a low level), and things like this... you'll learn them one way or the other. I suggest taking the proactive approach.
If you don't know SQL, you won't be very good at SQL injection. mysql.org gives you an SQL engine you can play with (on windows/mac/linux/bsd/etc.) as well as very good documentation.
If you know Javascript and a little bit about the HTTP protocol, you'll have have a leg up on XSS attacks. Knowing web-based languages (such as PHP, ASM, PERL, Ruby, Python, Coldfusion...) would also be a bonus.
Learning about the topics covered by oCTF isn't something you're going to pick up overnight. We make sure to cover all sorts of things of various difficulties. I'd suggest taking them on one at a time instead of trying to learn about everything all at once (not to say there isn't any overlap, there's actually a lot of it).
I expect all of the dc949 members to chime in on the comments with additional resources, suggestions, and so on.
My reply, in part:
As for learning about this sort of thing, there are some books that people I respect have highly recommended such as "the art of exploitation", "the shell coders handbook" and a few others.
I learned the majority of what I know by doing it. For guides on that, there are little challenges which people put out. Onces that come to mind are: http://reverse.israeltorres.org/ http://www.decoderclub.org/ http://learnsecurityonline.com (I know less about this last one than the previous two). These sites all seem to be a good overview and give some hands on experience.
http://www.astalavista.com/ used to be a good resource, and a quick glance at their site leads me to believe this is still the case.
Also, Israel Torres gives out a crypto challenge every month which has a cash prize. Here's the archive: http://crypto101.israeltorres.org/crypto-challenge-archive.txt
Get of the Irvine Underground mailing list if you want to be included when they're released. He's also at IVU meetings every month, and once in a while he makes it to our meetings (which are a bit further away from him).
hackin9 and 2600 are two 'zines which I know are good.
Getting on some security warning mailing lists will help get you on the pulse of what's new and exciting. Then you can look up all the things which they mention that you don't understand. If "CERT" doesn't mean anything to you, then you should go to a search engine and start searching.
Knowing how to code in C and ASM isn't required, but if you want to learn about buffer overflows, stack corruption/smashing, debugging release binaries, how viruses work (at a low level), and things like this... you'll learn them one way or the other. I suggest taking the proactive approach.
If you don't know SQL, you won't be very good at SQL injection. mysql.org gives you an SQL engine you can play with (on windows/mac/linux/bsd/etc.) as well as very good documentation.
If you know Javascript and a little bit about the HTTP protocol, you'll have have a leg up on XSS attacks. Knowing web-based languages (such as PHP, ASM, PERL, Ruby, Python, Coldfusion...) would also be a bonus.
Learning about the topics covered by oCTF isn't something you're going to pick up overnight. We make sure to cover all sorts of things of various difficulties. I'd suggest taking them on one at a time instead of trying to learn about everything all at once (not to say there isn't any overlap, there's actually a lot of it).
I expect all of the dc949 members to chime in on the comments with additional resources, suggestions, and so on.
Recovery Mode
As with every year, we're now in recovery mode. There's a meeting tonight for anyone who is able and willing to show up. Topics will include: website move/redesign (posting oCTF IV things, pictures, releasing source, etc), sushi development, skynet development, the posibility of putting these on a public SVN server (sourceforge?), and of course next years oCTF (yeah, we live for this).
For any of the teams who played oCTF and are watching our site, just so you know, we'll be talking about having a section for you to post your solutions to our stuff, honorable mentions, and so on. XS's "physical access hack" was great, and the XSS was another thing we didn't expect. If your boot sector has been customized by us, all we can say is... you should have known better!
For any of the teams who played oCTF and are watching our site, just so you know, we'll be talking about having a section for you to post your solutions to our stuff, honorable mentions, and so on. XS's "physical access hack" was great, and the XSS was another thing we didn't expect. If your boot sector has been customized by us, all we can say is... you should have known better!
Content Management Powered by CuteNews