Vulnerability Assessment Course – Spring 2023

We are pleased to announce that the researchers of Exodus Intelligence will be providing publicly available training in person on March 28 2023 in Austin, TX.

The intermediate course, titled the Vulnerability Assessment Class, covers a wide range of vulnerability and exploitation related topics and is intended for the beginner to intermediate level practitioner. This course is intended to prepare the student to fully defend the modern enterprise by being aware and equipped to assess the impact of vulnerabilities across the breadth of the application space.

Attendees should plan to travel and arrive prior to Tuesday, March 28th. The course work will conclude on Friday, March 31st, 2023.

Seating is limited. Since this training will be in person, there are a limited number of seats available.

**Later this year we will also be offering an updated version of our popular Vulnerability Development Master Class. This course will cover advanced topics such as dynamic reverse engineering, kernel exploitation concepts, browser exploitation, mitigation bypasses, and other topics. Later this year we will also be offering our Mobile Vulnerability Exploitation Class. This class will cover advanced topics concerning mobile platforms.

Vulnerability Assessment Class

This 4 day course is designed to provide students with a comprehensive and progressive approach to understanding vulnerability and exploitation topics on both the Linux and Windows platforms. Attendees will be immersed in hands-on exercises that impart valuable skills including a deep dive into the various types of vulnerabilities exploited today, static and dynamic reverse engineering, vulnerability discovery, and exploitation of widely deployed server and client-side applications. This class will cover a lot of material and move very quickly.

Prerequisites

      • Computer with ability to run a virtual machines (recommended 16GB+ memory)

      • Some familiarity with debuggers, Python, C/C++, x86 ASM. IDA Pro or Ghidra experience a plus.

    • No prior vulnerability discovery experience is necessary

    Pricing and Registration

    The cost for the 4-day course is $4000 USD per student. You may register and pay below, or you can e-mail training@exodusintel.com to register and we will supply a purchase order.

     

    Syllabus

    Vulnerability and risk assessment

    • NDay risk and patching timelines
    • Vulnerability terminology: CVE, CVSS, CWE, Mitre Attack, Impact, Category
    • Risk assessment
    • Vulnerability mitigation

    Web-based vulnerabilities

    • Basics of HTTP
      • Format of HTTP request and response, URI
      • Command Injection and Directory Traversal attacks
      • Cross-site scripting and cross-site request forgery
    • XML External Entity attacks
    • Request Smuggling
    • SQL Injection
    • Deserialization

    Modules include examples of affected CVEs and practicals.

    Binary exploitation

    • Basics of binaries
      • Platformns: Linux and Windows
      • x86 assembly, PE, and ELF formats
      • Stack, Heap, Dynamic modules
      • PIE, ASLR, DEP
    • Tools
      • Ghidra, WinDBG, and gdb
    • Stack buffer overflow
      • OS/Theme: Linux
      • Return to shellcode, Return to libc, Stack pivot, etc.
      • Linux-based practical and demo
    • Use after free
      • OS/Theme: Windows
      • Overview of NT Heap, LFH
      • Practical and demo