# Syllabus To Learn Security

## Web

* Create a secure Django website ([AltSci Blog](https://www.altsci.com/blog/), [CryptoML](https://www.altsci.com/crypto/), [42](https://www.altsci.com/42/), [J4va](https://j4va.com/), or similar).
  * Output: One website finished and published; send patch.
  * Work with [a web developer] to finish the necessary features for the website.
  * See [Education Websites](/Education-Websites)
* Put all [OWASP top 10](https://www.owasp.org/index.php/Top_10_2013-Top_10) into two websites (not the above) written in two languages.
  * Output: Two websites in different languages.
  * Use your knowledge of programming to make two websites but leave out all security mechanisms. See how easy it is to screw up.
  * Hint: Any website that has all 10 is acceptable; pick two that have 9 and add one.
* Exploit all vulnerabilities in the two websites, leaving no stone unturned.
  * Output: A list of repros.
  * Exploit every vulnerability. If you leave any unfound it will make it difficult to solve the previous task. If the patch you provide fixes holes you didn't exploit, you'll be forced to go back and do them. If you don't document what you did you won't understand why you missed a vulnerability.
  * Hint: Use [Burp](https://portswigger.net/burp/) effectively to kill two birds with one stone.
* Fix all vulnerabilities in the two websites.
  * Output: Git commits for all fixes.
  * Since you know how you added the bugs, you should be able to fix them, right?
  * Hint: Use Git effectively to kill two birds with one stone.
* Learn to use [Burp Suite](https://portswigger.net/burp/) or similar to automate the above process.
  * Output: Be able to show [a hacker] how a web pentest goes.
  * Use the free version. Create a handful of custom payloads that work well against your website. It's unfortunate that the free version doesn't allow saving. Copy and paste for now.
* Find and fix one bug in the [AltSci website](https://www.altsci.com/).
  * Output: A vulnerability report and a patch.
  * Find a vulnerability in AltSci (it shouldn't be hard). Ask [Javantea](/Javantea) for the code, fix the code and submit the patch.
* Find a vulnerability in a website not owned by AltSci.
  * Output: A vulnerability report.
  * Find a vulnerability in a website used by more than just you and your friends. Don't violate obvious rules of politeness. If the website owner doesn't want to fix it or doesn't want you to publish, let them know your intention to publish full disclosure.
* Publish the above vulnerability as full disclosure with proof of concept.
  * Output: A vulnerability report and CVE.
  * Teach the website owner a valuable lesson by releasing it to the [full-disclosure mailing list](http://seclists.org/fulldisclosure/) as soon as they receive it in their inbox.
  * [Request a CVE ID](http://cve.mitre.org/cve/request_id.html).
* Solve as many [Natas challenges](https://overthewire.org/wargames/natas/) as possible and record all your progress.
  * Output: A list of Natas passwords.
  * Natas isn't perfect, but it's about as good as a challenge website can get. Much better than Hack This Site.
  * Hint: When you get stuck early on, search for solutions but don't read ahead. Only get unstuck. Why did your tools fail you? Because you don't know every web trick.
* Create a (private or public) wiki which describes your security knowledge.
  * Output: A private or public wiki which can be given to someone when they ask you what you can do.
  * Keep daily notes. Don't forget. Make this available to [a hacker you trust].
* Secure the above wiki from spammers (like [Javantea](/Javantea)) without disabling anonymous access.
  * Output: A patch for the wiki which solves the spam problem.
  * [A hacker] may decide to relentlessly spam the wiki. Make it possible for a system to deal with spammers that can get past Recaptcha and who can type in a web browser. This can be done through moderation. See [ifixit.com](https://www.ifixit.com/). Javantea wrote a patch to Realms Wiki to do this and it is currently being used for [this wiki](https://neg9.altsci.com/) and others.

## Code

* Make a significant contribution to a [Python](https://pypi.python.org/) project.
  * Output: A patch which expands the value of a project significantly.
  * Commit a complete feature, fix a huge bug, take a product from dev to release, or take a released product and maintain it for the first month of its release.
* Write two chapters of a "Learning Programming in 28 Days" book.
  * Output: Two chapters of a book.
  * Day 1: Hello World
  * Day 2: Input
  * Day 3: Dots and Loops
  * Day 4: Strings, Length, and Matching
  * Day 5: Files
  * Day 6: Functions
  * Day 7: The Big Program
  * Day 8: GUIs
  * Day 9: Audio
  * Day 10: Images
  * Day 11: Network
  * Day 12: HTTP
  * Day 13: SSL
  * Day 14: Trivial Web Browser
  * Day 15: Math Problems
  * Day 16: Physics Problems
  * Day 17: Biology Problems
  * Day 18: Engineering Problems
  * Day 19: Computer Problems
  * Day 20: Other Fields
  * Day 21: Science App
  * Day 22: Economics
  * Day 23: Security
  * Day 24: Breaking Code
  * Day 25: Projects
  * Day 26: Standards
  * Day 27: Core Values
  * Day 28: HC S & I
  * As you can see, many projects are ripe. If you need help, ask [Javantea](/Javantea) for Days 1-8 of his book.
* Successfully describe every program in a "Learning Programming in 28 Days" book.
  * Output: Explain what is going on in each function.
  * Hint: Write it down.
* Document one non-trivial open source function that does not document itself.
  * Output: Release-quality documentation for one function.
  * Pick a function in a project that you use. Decide whether it is documented properly. If it is not, document it and submit it to [a hacker].
  * If the function documents itself using variable names, don't attempt to submit it.
* Research and implement one exotic programming topic.
  * Output: A function, a program, or a patch that can easily be demoed.
  * Understand a topic that isn't easily solved. Do a bit of research to find hard problems and exotic solutions.
* Use [git](https://git-scm.com/) effectively.
  * Output: A git repository that has been properly committed to.
  * Use branches effectively, and use cleanup techniques to make it easy for someone to read. Sign all commits with a PGP key. Put that PGP key on the keyserver with at least one signature that isn't yours.
* Use a mailing list to submit patches.
  * Output: A handful of e-mails sent to a mailing list containing valid patches to a project.
  * Hint: Subscribe to a mailing list weeks before submitting a patch and read what people say.
* Contribute one non-trivial patch to an open source project.
  * Output: One patch to an open source project.
  * The patch doesn't have to be accepted, but its quality has to be high enough that it would normally be accepted.
* Understand complexity and be able to quantify it.
  * Output: Defend yourself in an argument about complexity with [a hacker].
  * Complexity is a big and serious topic in programming. You won't get it if you are lackadaisical with your research.
  * Hint: Read [Complexity](https://seattle.bibliocommons.com/item/show/2574490030_complexity) or [Gödel Escher Bach](https://seattle.bibliocommons.com/item/show/2045204030_g%C3%B6del,_escher,_bach) for further understanding.

## Hacking

* Learn two critical operations in x86-64 assembly (not `call`).
  * Output: One simple assembly function that has a purpose and doesn't crash.
  * Hint: Use [JavRE](https://www.altsci.com/concepts/javre/) or objdump to find a good one.
* Learn two critical operations in a RISC assembly (not `bl`).
  * Output: One simple assembly function that has a purpose and doesn't crash.
  * Hint: Use an ARM toolchain.
  * Hint: Use an ARM system or an ARM emulator.
* Use [Wireshark](https://www.wireshark.org/) effectively to pull a password out of thin air.
  * Ask [a hacker] to saturate a wireless network with HTTP traffic (downloading the internet).
  * At some point, have [the hacker] send a flag in the clear. Be ready and don't run out of HDD space.
  * Output: One flag.
* Exploit a buffer overflow.
  * Do the easiest one from the leaderboard. For example, [vortex3](http://overthewire.org/wargames/vortex/vortex3.html).
* Correctly handle a virus without being infected.
  * Ask [a hacker] for a pair of viruses. Each will phone home and format your hard drive if it gets the chance. Don't execute either. Run objdump or [JavRE](https://www.altsci.com/concepts/javre/) on both and find the flag. Return the flag.
* Read 40 CVEs.
  * Output: A list of the top 4 CVEs and the list of CVEs you read.
  * Hint: [All CVEs gzipped (.gz)](https://cve.mitre.org/data/downloads/index.html)
* Read a full month of [full-disclosure](http://seclists.org/fulldisclosure/).
  * Output: A list of the top 4 posts and the month of full-disclosure you read.
* Read a python exploit and describe it in detail.
  * Output: [Class of vulnerability](https://cwe.mitre.org/) being exploited, rough [CVSS](https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator) approximation, human interpretation of severity, efficacy of the code, reliability, protocols.
* Read the [SANS Top 25](https://www.sans.org/top25-software-errors/) and be able to describe any entry.
  * Describe 4 random inane entries from the SANS Top 25 to [a hacker].
* Read [Art of Software Security](https://www.amazon.com/Art-Software-Security-Assessment-Vulnerabilities/dp/0321444426).
  * Output: Be able to discuss a topic from the book.
  * Hint: Many hackers have this book sitting idly on their shelf; borrow it.
* Write a python TCP client for a serious service (e.g. BitTorrent).
  * Output: A python TCP client for a serious service.
  * Use the [Sushi source](https://barrebas.github.io/blog/2015/03/18/bsides-vancouver-ctf-sushi/) to connect to a service.
  * Don't use any libraries that abstract the socket part.
  * Don't use any libraries that do the rest for you once you give them a socket.
  * Use Wireshark and the [French Cafe technique](https://download.samba.org/pub/tridge/misc/french_cafe.txt). Use an RFC if you need to.
* Write a python UDP client for a serious service (e.g. BitTorrent).
  * Output: A python UDP client for a serious service.
  * Use the DNS client, IAX client, SIP client or something similar to connect to a service.
  * Don't use any libraries, as with the TCP client above.
  * Use Wireshark and the [French Cafe technique](https://download.samba.org/pub/tridge/misc/french_cafe.txt). Use an RFC if you need to.
* Use [NMap](https://nmap.org/) effectively to find all open ports on 500 systems from a list of bad actors.
  * Output: gnmap file with all open and closed ports for all hosts.
  * This is a very slow process. Deal with it. 99.9% will be waiting for results. Learn to use flags appropriate for targets. Don't get Amazon or other hosts mad at you. These may be bad actors but their hosts may not be.
* Use [Metasploit](https://metasploit.com/) ineffectively once.
  * Output: Script showing the use of Metasploit to "exploit" one system.
  * Metasploit is a beast; use it once so you know what you're doing.
  * Don't put Metasploit on your resume. You are a hacker, not an auditor.
* Social engineer five people.
  * Output: Deliverable information about five targets.
  * Hint: Everything is deliverable.
  * Promising something in return is absolutely acceptable.
* Encourage at least one person to work on an AltSci project who was otherwise not interested.
  * Output: As long as you try.
  * Many people could help out AltSci but they don't know how cool AltSci is. Tell them how cool AltSci is and how they can be saved.
* Crack a weak password hash.
  * Output: Password.
  * Get hashes from the [Crack Me If You Can Contest](http://contest.korelogic.com/). Use [John the Ripper](http://www.openwall.com/john/), [HashCat](https://hashcat.net/hashcat/), or another effective tool to crack it.
* Read one article from [PoC||GTFO](https://www.alchemistowl.org/pocorgtfo/) and reproduce it.
  * Output: Script showing the repro.
  * Hint: PoC||GTFO 0x7 is a good one. A local wrote one of the articles to be friendly to the community.
* Pick a hacking topic and become well versed in it.
  * Output: Be able to argue why a certain topic is important.
  * Too many topics exist for everyone to be an expert on everything. You will not be an expert in everything. Pick one thing and make it cry.
* Write a simple thesis and be prepared to defend it.
  * Output: Defend the thesis in an argument.
  * A thesis is a true statement that you wish to argue. Papers are written to defend theses, but you don't need to write a paper on the topic.
  * Hint: Specificity is important; don't be as broad as "privacy is desirable". Don't be too specific either: arguing about one bug will of course get tedious after seconds.
* Use knowledge of complexity to explain why passwords exist and why software is difficult to vet.
  * Output: Describe these two complex issues and be prepared to reject false statements.
  * Passwords exist for a reason. Complexity gives you a reason.
  * Software is difficult to vet. Why is that true? Complexity gives you a reason.
  * Hint: How long does it take for you to vet hello world?
* Reject invalid statements.
  * Output: Do not make false statements. Do not let important people in the community make false statements.
  * Undefended statements are allowed. Uncited statements are allowed. Opinionated statements are allowed. False statements are not.
  * Hint: People are more likely to accept your contradiction to their thesis if you have published a PoC or an exploit.
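As a worked illustration of the "python UDP client, no protocol libraries" exercise above, here is an added example (not Javantea's code nor any AltSci project's): a DNS A-record lookup built on `struct` and `socket` alone, with the query encoder and the reply parser kept separate so each can be checked byte-for-byte against a Wireshark capture. The resolver address 9.9.9.9 and the fixed transaction id are assumed defaults; the parser handles RFC 1035 name compression, which is where hand-rolled DNS clients usually break.

```python
import socket
import struct
# Added example, not the syllabus author's code: minimal DNS A-record client on raw UDP.

def build_query(name, txid=0x1234):
    """Encode a standard recursive A query (RFC 1035, section 4.1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer (RFC 1035, section 4.1.4)
            end = end or off + 2     # the pointer ends the name at this level
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode())
            off += 1 + msg[off]
    return ".".join(labels), (off + 1 if end is None else end)

def parse_a_records(msg, txid):
    """Return the IPv4 strings in the answer section; raise on a bad reply."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000 or flags & 0xF:  # wrong id, not a reply, or RCODE
        raise ValueError("bad reply: id=%#x flags=%#x" % (rid, flags))
    off = 12
    for _ in range(qd):  # skip the echoed question entries
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve(name, server="9.9.9.9", timeout=3.0):
    """Send the query over a plain UDP socket (assumed resolver) and parse the reply."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_a_records(data, txid)
```

`resolve("example.com")` needs network access; `build_query` and `parse_a_records` can be exercised offline against bytes copied straight out of a capture.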
## Public Speaking

* Give a lightning talk at a local event (Batman's Kitchen, Ignite, [Ada's](http://www.seattletechnicalbooks.com/), [Toorcon Seattle](https://toorcon.net/), [BSides](http://www.securitybsides.com), [AltSci](https://www.altsci.com/concepts/), [2600](http://www.wa2600.org/), [CitySec](https://www.reddit.com/r/netsec/wiki/meetups/citysec), etc).
  * Output: A 5 minute talk given at a small event.
  * Research a topic. Schedule your talk. Give the talk.
  * Hint: Test the projector beforehand, because many people with experience have trouble.
* Promote your talk beforehand to get at least 3 interested listeners.
  * Output: 3 interested listeners at your talk.
  * Talk with people beforehand about stuff. Use social engineering to get them excited enough to understand what you're talking about.
* Prepare meticulously so as not to bore the listeners.
  * Output: An exciting talk.
  * Spend hours preparing.
  * Hint: Be overprepared or have a good exploit.
* Explain 20 vulnerabilities to someone who doesn't have technical experience.
  * Output: One enlightened person.
  * Technical people know some stuff about computers. Non-technical people don't understand computers well enough to get to the first step. Talk at the level of the person you're talking to so that they understand each issue. Target the vulnerabilities to keep the person interested.
  * Hint: Use a person who has asked for help as a victim. Use a captive audience.
  * Hint: Caffeine or alcohol sometimes helps loosen the tongue. Use with discretion.

[Javantea](/Javantea) has done all of these. If you need help, ask someone you trust.