Ben Sadeghipour & Olivier Beg - Attack Surface Management & Reconnaissance
Latest details, requirements, description, cost: https://defcontrainings.myshopify.co...reconnaissance
Training description:
Attack Surface Management has become a hot topic in today’s digital world. With organizations growing their presence online, it is harder to track and have visibility into an organization's digital footprint. Whether you are on the defensive or offensive side, this course will help you learn different techniques on how to approach an organization and create an inventory of all their digital assets including web, mobile, code/open source projects, as well as their cloud storage and contributors. In addition to understanding a company's digital assets, we’ll demonstrate some of the easiest ways to find vulnerabilities within these digital assets.
Course overview:
Day 1
What is Attack Surface Management?
Defining different types of Assets
Domains
Subdomains
What are Autonomous System Numbers (ASN)
Mobile Apps
Online Code Repository
Cloud Storage / CDN
Cloud environment
Defining asset permutations
What are permutations?
What are different environments?
Autonomous System Numbers (ASN)
What are Autonomous System Numbers (ASN)?
Finding and mapping a company's ASN
Automation
Passive Reconnaissance
Using SSL certificates to map out an organization's online presence
Certificate Transparency
What is CT?
Crt.sh
Facebook CT
Google CT
Automating Certificate Transparency Data
Using Different Data Sources
Shodan
Censys
Tooling for Passive Reconnaissance
subfinder
amass
Active Reconnaissance
Subdomain brute forcing
Using DNS resolvers
Automation
Code Repository Recon (GitHub/GitLab/etc)
Looking for leaked API key information
Automation via TruffleHog
Day 2
Extending your attack surface via permutations
Identifying publicly accessible vs internal assets
Fingerprinting and identifying technology stacks
Understanding fingerprinting
Fingerprinting examples
Automation
Port scanning and discovering more assets
Data collection
Identifying and prioritizing assets based on collected data
Exploitation examples:
Identifying patterns of vulnerability across an entire organization
Weak or easily guessable passwords
Information leakage to escalate access to internal network
Approaching APIs and discovering API documentation
Student skill level:
Beginner.
Basic understanding of web and networking technologies. Basic knowledge of the Linux operating system to install tools and run them from the command line, as well as manipulate text via scripting languages such as Bash.
What should students bring to the Training?:
- Laptop with a Linux operating system (Ubuntu preferred).
- Working Python and Go environment.
Bios:
Ben is the VP of Research & Community at Hadrian by day, and a hacker and content creator by night. He has helped identify over 1000 security vulnerabilities across hundreds of web and mobile applications for companies such as Verizon Media, Red Bull, Apple, Airbnb, Snapchat, The US Department of Defense, Lyft, and more. One of the world’s top ethical hackers, he has invested time back into the security community by creating a community of 1000+ active hackers and hosting international conferences dedicated to hacker education and collaboration. He has also held free workshops and training to teach others about security and web application hacking.
Trainer(s) social media links:
Twitter.com/NahamSec
Twitter.com/smiegles
Previous Trainings:
https://usa.globalappsec.org/trainers/
https://hackfest.ca/en/trainings/web/
I have also created a Udemy course with really good ratings (16,000+ students):
https://www.udemy.com/course/intro-t...y-by-nahamsec/
DATE: Aug 15th to 16th 2022
TIME: 9am to 5pm PDT
VENUE: Caesars Forum Ballroom
TRAINERS: Ben Sadeghipour & Olivier Beg
CERTIFICATE TEST AVAILABLE (after class) Please purchase Certificate test
- 16 hours of training with a certificate of completion for some classes
- COVID safety: Masks required for indoor training
- Note: Classes that do not meet their minimum class size by July 15 will be canceled, please register early
- Note: Food is NOT included