XTREME WEB HACKING
AKASH MAHAJAN AND RIYAZ WALIKAR
Trainer Name: Akash Mahajan (left) and Riyaz Walikar (right)
Title: Xtreme Web Hacking
Duration: 1 Day
Date: 13th February 2014
What will you learn?
You will learn how to attack and compromise vulnerable web applications, how to gain access to the servers hosting them, and how to use that access to attack and compromise corporate networks. The learning is based on real-world attacks, carried out against a hypothetical network setup. Additionally, you will find out that there is a lot more to hacking than just doing VA/PT of web applications.
The training is 6 hours of hands-on hacking built around a hypothetical attack scenario. Each target will have vulnerabilities that can be exploited with web-based attacks. Based on the access gained, certain objectives will need to be accomplished. Scenarios will include uploading web shells, performing LFI/RFI, cracking password hashes, exfiltrating data using SQL injection and more.
Advances in modern ICS systems such as the energy sector's "Smart Grid" bring great benefits for electric utilities and customers alike; however, these benefits come at a cost from a security perspective. With increased functionality and additional inter-system communication, the smart grid brings with it a greater risk of compromise that both utilities and customers must accept to realize their desired business benefits. To minimize this risk, penetration testing in conjunction with other security assessment types must be performed to reduce vulnerabilities before attackers can exploit the critical infrastructures that exist in all countries around the world.
This training is for you if you are familiar with the following:
- Web Security Fundamentals including how HTTP works.
- You should be able to execute simple commands on shells in Windows and Linux.
- Server side web programming basics and database server systems like MySQL, MSSQL.
What will you need to bring?
- Bring your laptop with enough free space.
- You will need at least 20 GB of free space for all the virtual machines.
- The laptop should have a working wireless connection.
- Your laptop should be capable of running VirtualBox or VMware.
What to expect
- Fast-paced, intense training that will cover many different things in 8 hours.
- Complete hands-on work which you will need to complete on your own with guidance.
- An amazing sense of fulfillment at completing the training.
What not to expect
- A lot of hand holding about basic concepts already mentioned in the things you should be familiar with.
- Any theory about web application security testing.
- To become an accomplished hacker in a day.
About the Trainers
Akash Mahajan (@makash | akashm.com)
Akash is "That Web Application Security Guy". A Certified Ethical Hacker with more than 8 years of experience in Application and Network Security. Before becoming an expert security consultant he was a technical lead for one of the leading American commercial security software companies specialising in end point security. He started in security working on web infrastructure for the government of India.
Along with his day job, Akash is heavily involved in the wider global security community, ranging from his work with OWASP to being one of the founders of null The Open Security Group, India's foremost non-profit computer security organisation. He used to be actively involved with the Bangalore Barcamp Planners group, and has run events like App Jam and Mobile Camps all over India where he evangelized security to Small and Medium Enterprises. He is also the co-founder of Headstart Network Foundation, a Section 25 non-profit company.
Akash is currently one of the two OWASP chapter leads for Bangalore and the Community Manager for null at the India level. When not working or advising, you'll find Akash speaking at industry conferences on all things computer security related.
Riyaz Walikar (@riyazwalikar | www.riyazwalikar.com)
For food, shelter and fun, Riyaz is employed as a Senior Engineer at the world's largest auditing firm with the Core Security Group. He is a Certified Ethical Hacker (CEH) and has been active in the security community for the better part of the last 6 years. He has been an active member of the null Security Community for the last 3 years and is the moderator for the Bangalore Chapter.
He is actively involved in vulnerability research in popular web applications and network-aware services, and has disclosed several security issues in popular software such as Apache Archiva, Openfire, Joomla!, EJabberd and a .NET Script Injection Bypass. He has also had luck finding vulnerabilities in popular web applications such as Facebook, Twitter, Google, Cisco, Symantec, Mozilla, PayPal, Ebay, Apigee, Yahoo, Adobe, Tumblr, Pinterest etc., and is on the Hall of Fame of most of these services. He has also been a speaker at several security conferences including OWASP AppsecUSA 2012, BlackHat Abu Dhabi 2012, nullcon Delhi 2012 and c0c0n 2011.
His technical interests lie with programming, bug bounty, malware analysis, breaking web applications, playing CTFs and penetration testing networks exposed to the Internet. When he is not writing/breaking code, you can find him sleeping, playing football, reading or fishing.