CSAW-CTF Python sandbox write-up

This weekend past, my colleague Alex Evans and I took a trip up to Scotland to go see a bunch of the Abertay Hackers crew. Alex was delivering a talk on password generation and storage, which was very well received. If you’re interested, John Steven’s delivery of the talk can be found here: OWASP AppSecUSA 2012 - Analyzing and Fixing Password Protection Schemes. Whilst we were hanging out with the students, they mentioned that a bunch of them were getting together in the University on the Saturday to tackle the CSAW 2014 Capture The Flag event. »

Reflection - University of Abertay

A month or so ago I travelled back up to sunny, sunny, Scotland to visit my friends at Abertay University. I arranged to go deliver our vulnerability assessment workshop on the back of my then-recent delivery to the University of Surrey. It’s always good to hang out with the @AbertayHackers crew and it’s great to see the level of passion that’s continuously growing throughout the group. The delivery of the workshop went unbelievably smoothly thanks to the volume of feedback from the Surrey students. »

Exporting pseudo code from Hopper

Introduction: First off I want to start by saying that if any of you are interested in binary analysis, reverse engineering, or iOS/OSX thick client pen-testing then I recommend you pick up a copy of Hopper Disassembler. It’s only £50 and it’s awesome. It’s got everything you need to get started, it’s affordable and it has a Python API to plug in your own scripts. I’ve been using Hopper as part of my assessments for the past while and the more I use it the more I love it. »

Reflection - University of Surrey

Overview: As mentioned in my previous post, a colleague and myself took the train down to Surrey (Guildford) on Saturday to deliver a vulnerability assessment workshop to some Computing Science students @UniOfSurrey. We spent a full day with the students and all of them stayed right until the end, so that is one positive, right? The most impressive and awesome take home from the day was that several groups of students managed to get system access on the server yet had no prior vulnerability assessment knowledge. »

Vulnerability Assessment Workshop

So I’ve been working on something pretty cool lately and I wanted to share some thoughts on it. TL;DR - I’m currently delivering a vulnerability assessment workshop at multiple UK universities with the aim of providing a realistic full day workshop on finding vulnerabilities, engaging with clients, and explaining the issues & guidance in a way that can be easily understood by the client. If you have contacts with, or you represent a university, please do get in touch with me at wiresharkGD@gmail. »