Review of Black Hat Advanced Infrastructure Hacking Training (2 day edition)

August 8th at 9:57pm

I had the chance to attend Black Hat this year and attend a 2 day of my choice. This year I took the Advanced Infrastructure Hacking - 2018 Edition: 2 Day session sponsored by NOTSOSECURE. It can be hard to find reviews of these trainings so I think it's worthwhile to post my thoughts here.

Overview

It was clear from the start that the instructor was a qualified subject matter expert, well versed in the majority of the domains covered. One thing I should have paid more attention to is this note at the top of the 'Overview' section for the course:

Note: This is a fast paced version of the original 4 day class, 
cut down to 2 days. To fit the entire training material within 2 days, 
some of the exercises have been replaced by demos which will be 
shown by the instructor.

They were NOT kidding whey they say the class is fast paced! I maybe got a chance to complete 3 of the dozen or so labs that come along with the course material.

Pro Tip 1: If you want to glean the most value out of this course, take the 4 day version.

Pro Tip 2: When they say 'Advanced', they genuinely mean Advanced. You should be proficient at any topic you want to get more out of from the course.

Agenda & Topics

There were a lot of topics covered. Below I've listed the topics along with my rating as to how quickly or comprehensively the training materials and exercises/demos were:

Day 1:

  • [Quick] IPv4/IPv6 Basics
  • [Quick] Host Discovery & Enumeration
  • [Medium] OSINT & Asset Discovery
  • [Comprehensive] Hacking Application and CI Servers
  • [Quick] Oracle Database Exploitation
  • [Comprehensive] Windows Vulnerabilities and Configuration Issues
  • [Comprehensive] Windows Desktop 'Breakout' and AppLocker Bypass Techniques
  • [Comprehensive] A/V & AMSI Bypass Techniques
  • [Comprehensive] Offensive PowerShell Tools and Techniques
  • [Comprehensive] Local Privilege Escalation
  • [Comprehensive] Post Exploitation Tips, Tools and Methodology
  • [Comprehensive] An Introduction into Active Directory Delegation
  • [Comprehensive] Pivoting, Port Forwarding and Lateral Movement Techniques

Day 2:

  • [Comprehensive] Linux Vulnerabilities and Configuration Issues
  • [Comprehensive] User/Service Enumeration
  • [Comprehensive] File Share Hacks
  • [Comprehensive] SSH Hacks
  • [Comprehensive] Restricted Shells Breakouts
  • [Comprehensive] Breaking Hardened Webservers
  • [Medium] Local Privilege Escalation
  • [Quick] MongoDB, TTY, Reverse tunneling
  • [Quick] Post Exploitation
  • [Quick] VLAN Hopping
  • [Super Quick] Docker breakout
  • [Super Quick] Kubernetes vulnerabilities
  • [Quick] Hacking VoIP
  • [Quick] Exploiting Insecure VPN Configurations

It was a little disappointing for me- the focus I had on taking this course was Kubernetes... but there is very little material there. In talking with the instructor after class he said they are working on a more comprehensive training (It's just not ready yet).

Course Material

Instead of being given a VM you can run locally, all the work is done remotely in the 'cloud'. You do get a 1 month subscription to play around in their lab... but I prefer something local that doesn't require a VPN connection.

There is a student resource pack that includes the slide deck and a set of labs/exercises to accomplish. These are pretty light on information and 'connecting the dots', so the instructor feedback is essential to get value or learn any new concepts. Alongside this material there are a set of encrypted PDFs that contain the answer keys for each of the sections. Periodically, the instructor would dole out the decryption passwords for the PDFs after a section or 2 were completed.

On the Cloud kali instance they give you, there are some tools and resources included in the home directory. These tools and scripts are rarely mentioned in the coursework. I zipped and SCP'd the entire contents of the root user directory to my local machine to have as an offline resource in case I want to root around and examine the goodies (hundreds of megabytes of stuff).

The instructor shared a google doc of class notes that he periodically copy/pasted in working (or mostly working) sample code and scripts. I haven't had a chance to do a detailed review of this as compared to the answer key PDFs, but it was helpful during class.

Pacing and Presentation

NOTSOSECURE ran several sessions of this course: A couple of 2 day sessions and a 4 day. My instructor was enthusiastic, engaged and very personable. He overcame the potential dryness of the material and kept class energy high for the duration of course. With that said, there were some issues with the pacing:

Note: Since I did take the 2 day course, it's likely that many of these issues are resolved by taking the 4 day edition

  • Excessive time was given to 'simple' labs like connecting via SSH or RDP
  • Almost zero time was given on what felt like most of the harder labs (byproduct of it being a RUSHED/Accelerated session), but given the amount of time allocated to the basics I feel like there could have been some more availability here
  • Since the slides themselves are not complete informational resources (The answer key pdfs are useful- I just need more of the 'why' to gain real value)
  • An excessive amount of time was given to letting the class 'figure out what they can do'. Nothing wrong with figuring things out, but when I pay nearly $4k for a training class I expect resources to help me figure out how to connect the dots. The people who were popping shells in the short time window available to us would have likely been able to do that anyway, without the class.

And on to the positives:

  • The high quality instructor had real world anecdotes to share about many of the domains we covered. These comments helped connect the dots and bring the material to life
  • Aside from a weak Kubernetes showing, the rest of the material feels pretty current for 2018
  • Many tools and informational resources (websites, blogs, twitter feeds, github repos, etc...) were shared that help augment and build my library

Rating and Recommendation

I would not hesitate to work with NOTSOSECURE in the future, given the opportunity to do so. They are clearly more than competent and it seems like the quality of their work would be high. For trainings, I give them a 4 star out of 5 rating. One star removed for the issues listed above. Just be careful when they say fast paced they mean in!