Course Review: Offensive Security AWE (Advanced Windows Exploitation)

February 21, 2014 | 3 Comments

Offensive Security AWE - Logo Box

In terms of training, Offensive Security is best known for their Pentesting with BackTrack/Kali (PWK) and Cracking the Perimeter (CTP) courses. While PWK and CTP have reputations for being intense, grueling courses that require months of sacrifice and dedication, the word “Advanced” is conspicuously absent from their titles. This fact alone should emphasize where Offensive Security AWE falls in relation to these other courses.

After registering for the course, the student must complete a reversing challenge to ensure he or she has a basic understanding of the foundation concepts that are required to digest the course content. The material in the course is far more advanced than the challenge, and successfully completing the challenge is no guarantee that the student is fully prepared for the course. However, if the student is unable to complete this challenge, or has extreme difficulty with it, there is a significant gap in requisite knowledge, and it is recommended to pursue the course at a later date after additional preparation. Did I mention “Advanced?”

Offensive Security AWE – The Course

I had the misfortune pleasure of taking the Offensive Security AWE course in-person at Black Hat USA 2013. There are two important caveats when considering taking the course directly from Offensive Security or through Black Hat. First, what is normally a five-day course is compacted into four days to accommodate Black Hat’s training schedule. While content isn’t omitted, the accelerated schedule definitely increases the overall intensity of the course. Second, Black Hat only allows printed materials to be distributed. Therefore, the convenient watermarked PDF that is customarily included with online OffSec courses is not provided through this venue (however, a PDF of the slide deck was provided).

The course was delivered by its creators, Matteo Memelli and Devon Kearns. Matteo handled all of the speaking responsibilities, and Devon apparently participated solely to increase the intimidation factor for us victims students (he actually provided excellent guidance throughout the course for exploitation exercises and other activities). Alexandru Uifalvi was also present and served as a teacher’s assistant (TA). Alexandru not only assisted with basic support issues related to virtual machines and networking, but he also had a firm grasp of the course material and could run circles around the students in terms of exploit development. Welcome to OffSec live training, where even the TAs are terrifying!

While everyone was getting settled in the first day, I paged through the book and started researching the vulnerabilities and exploits that we’d be covering throughout the course. The gravity of the situation that I’d gotten myself into truly became apparent when I discovered that the course authors were the original authors of the MS11-080 kernel exploit which currently has over 23,000 downloads on ExploitDB. The course was created and delivered by those at the forefront of exploit development, and it was an amazing opportunity to interact with these gifted individuals. With equal parts excitement and fear, I prepared for a turbulent ride.

The course syllabus can be found on the Offensive Security AWE official course page, and a brief excerpt of the main topics is included below for easy reference:

  1. Egghunters
  2. Bypassing NX
  3. Custom Shellcode
  4. Venetian Shellcode
  5. Kernel Driver Exploitation
  6. 64-bit Kernel Driver Exploitation
  7. Heap Spraying

The course began by covering Egghunters. This will be a review for students who have taken CTP, and will lull them into a false sense of security by creating the illusion that the rest of the course will be as easy to assimilate. The difficulty skyrockets as additional topics are introduced, and it peaks with 64-bit kernel driver exploitation. The following graph depicts the WTH levels that students will experience as they progress through the course.

Offensive Security AWE - WTH Graph

I personally made the mistake of assuming Heap Spraying on the final day would be a relatively painless way to conclude the course since that was one of the topics I was more familiar with at the time. We were immediately taken down a rabbit hole of reverse engineering with IDA and source code analysis that demonstrated why only specific memory addresses could be used to successfully exploit the heap-based vulnerability. Absolutely nothing in this course was easy, simple, or straightforward (in a good way, if you’re a masochist).

One of my favorite aspects of OffSec training is that none of the topics are presented in a vacuum. Any given topic is presented along with a host of challenges and problems that must simultaneously be overcome in order to ultimately achieve success. In this case, the course authors scoured the available vulnerabilities and exploits for a given topic to ensure every activity was an unrelentingly challenging experience. Additionally, many of the modules included alternative techniques and approaches which significantly increased the overall breadth of content delivered by the course.

A number of preconfigured virtual machines were provided for the exploitation exercises; there was not a corresponding remote lab as there is for PWK and CTP. Those virtual machines were only intended to be used for the duration of the course, but nearly every configuration is trivial to recreate if the student wishes to review the course exercises at a later date.

The student is required to bring a laptop that is capable of running several virtual machines simultaneously on a supported operating system and virtualization platform. It is imperative to only use recommended configurations, since the course requires very specific configurations such as the ability to perform kernel debugging in one virtual machine through another via a virtual serial connection. The Black Hat 2013 course requirements were:

  • 60 GB of free usable storage
  • VMware Workstation installed version >= 6.0 on Windows/Linux
  • VMWare Fusion version >= 3.0.2 on Mac OS X
  • Modern system with a 64-bit CPU supporting NX functionalities
  • Minimum of 4GB of RAM

Offensive Security AWE - Try Harder Image

Offensive Security is notorious for issuing cold, dispassionate “Try Harder” responses to students seeking guidance. While there were plenty of “jokes” about taking pleasure in the students’ suffering, and a wall of shame for those that resorted to hints, at no point did any of the OffSec team simply tell a student to try harder. Matteo, Devon, and Alexandru were all immensely helpful during exercises, breaks, and after class. There was so much material being covered so fast, that it would have been extremely difficult to get caught up once fallen behind, and they all went well out of their way to ensure everyone was on the same page before proceeding.

That said, there was certainly no shortage of trying harder throughout the course. A bullet point in one of the introductory slides discouraged attending Vegas parties because of homework. The course materials number a dense 341 pages with 221 footnotes. Those who are serious about the course should expect to dedicate the majority of their day to the course during its duration, including time outside of normal classroom hours. The student will likely need to perform some review and/or additional research prior to moving on to new material the following day, and it is the student’s responsibility to cover this ground on his or her own.

The prerequisites for the course are unexpectedly enormous. For example, the following list enumerates the programming languages that the student should be proficient with in order to fully understand the course contents:

  • x86 Assembly
  • x64 Assembly
  • Python (Especially Ctypes)
  • C/C++
  • JavaScript

Unlike the PWK and CTP courses, which integrate varying degrees of exploit development into the broader penetration testing process, AWE focuses exclusively on exploit development. Those that are coming from a network/systems penetration testing background, such as myself, may struggle with some of the concepts related to Windows development and internal Windows operations.

Therefore, I’ve assembled the following list of supplemental resources that can help bring those people up to speed. It’s not necessary to master the material in every resource listed below, but the more prepared the student is, the easier it will be to assimilate the course material. The last thing a student would want is to struggle performing basic IDA or WinDBG tasks instead of being able to focus on the course material itself.

In conclusion, Offensive Security AWE is unquestionably one of the most cutting-edge and intense courses available, and it is highly recommended for anyone who is serious about Windows exploit development. The content is extremely relevant and consistently challenging, and the courseware is exceptionally detailed and polished, to the point where it could easily be a stand-alone book. Despite being sadistic industry leaders with remarkable levels of knowledge and experience, all the Offensive Security personnel were laid-back, easily approachable, and a genuine pleasure to interact with. In all regards, Advanced Windows Exploitation is another amazing offering from Offensive Security.

Offensive Security Exploitation Expert (OSEE) – The Certification

The Advanced Windows Exploitation course has a corresponding certification known as the Offensive Security Exploitation Expert (OSEE). Certificates of completion were provided to students at the end of the course, but these basically amounted to verifications of attendance. While these certificates can provide the student with CPEs, a true sense of accomplishment and mastery of the course material is only available through the OSEE certification exam.

Offensive Security AWE - StudentsHunter

It’s not possible to say much about this certification without ruining it for future challengers, so the details provided here will be brief and vague. In order to obtain the OSEE, the student must successfully exploit custom executables within 72 hours, as well as provide the exploits and supporting documentation within an additional 24 hours. The challenge was interesting in that it was significantly more difficult than either the OSCP or OSCE challenges (as expected) while simultaneously being much more straightforward.

There wasn’t any need to research vulnerable third-party software, recreate the target in a local VM for analysis, or go beyond what was provided in any other way. Additionally, all the necessary techniques were thoroughly detailed in the course materials. The challenge simply revolved around whether the student could successfully identify how to exploit the vulnerabilities and creatively apply the knowledge delivered by the course.

Due to time constraints, the challenge does not comprehensively cover every technique that was detailed in the course. Instead, it focuses on some of the most intense material, and it’s safe to assume that students who successfully complete these challenges also have a good handle on the material that was omitted from the exam.

The OSCP and OSCE challenges have a larger number of targets and do not require all of them to be fully compromised in order to pass the exam. However, since the OSEE is more focused, the student should plan on successfully compromising all targets to guarantee a pass. Points for some targets can fluctuate slightly based on techniques used, and the higher point values for these targets may allow for a pass in a risky partial-credit scenario if the others aren’t fully compromised. However, since scores and scoring methodology are not disclosed, it’s strongly recommended to strive for full compromises of all targets. Otherwise, much of the student’s fate will be left to chance, and we all know what can happen when one leaves the decision in the hands of the judges.

Aside from the actual exploitation, one of the most difficult aspects of the challenge was staying motivated for its entire duration. Lack of sleep and mental fatigue compound frustration as time goes on, and it becomes increasingly difficult to resist raising the white flag. There were many instances of hours disappearing in the blink of an eye without any apparent progress being made, and I sincerely lost count of how many times I was at the brink of giving up.

My personal run lasted 68 hours and consisted of only a few short breaks and very, very little sleep. The entire experience was excruciating, and an innocent bystander would have thought screaming obscenities at my monitor and cursing everyone I have ever met from Offensive Security were key components of a winning strategy. However, the feeling when the shells rolled in was indescribable. Out of all the professional credentials and designations I’ve obtained, the OSEE was undoubtedly the most arduous and difficult as well as the one I am the most proud of earning.


Andrew Johnson (OSEE, OSCE, OSCP, OSWP, Red and Blue Team Cyber Guardian, GSE, GXPN, GWAPT, GPEN, GCFA, GCIA, GCIH, GPPA, GSEC, CISSP, et al) has over a decade of experience in information technology and security and delivers penetration testing, customized training, and a variety of other professional services as a Senior Security Consultant at GuidePoint Security. He has extensive consulting experience and has provided a multitude of information assurance services to hundreds of Fortune 500 companies, financial institutions, healthcare providers, Web 2.0 start-ups, retail businesses, and various other organizations across several countries. He has also served as the Information Security Manager for the US operations of a global financial services ASP, servicing over 650 financial institutions and safeguarding over 40 million sensitive records. Andrew is a perpetual learner and enjoys sharing knowledge with others. He is a member of OWASP, InfraGard, and American MENSA and can be followed @acjsec.



Comments (3)


  1. UNIX says:

    Nice review, dynamic, thanks for the write-up! Although AWE covers some different topics than corelan’s training, could you give a comparison of these two courses?

    Again, congrats on the pass! :)

  2. dynamik says:

    Good question. Someone else asked me this on LinkedIn, so I’m sure others are curious as well.

    The Corelan course is designed to be a boot camp that’ll take someone from a complete novice to being competent with many common exploitation techniques. I personally think it’d be best if someone had a basic understanding of assembly and CPU/memory operations prior to taking the course since that is A LOT of material to understand and retain over two days. However, the course will indeed start with the absolute basics, and there are technically no prerequisites. AWE is, of course, the polar opposite, and has an enormous amount of prerequisites.

    There are several other key differences. The Corelan course is 32-bit only, and it focuses on userland exploitation. Therefore, 64-bit and kernel exploitation will be new in AWE. Corelan also revolves largely around the use of Mona.py (which is awesome). This mimics real-world exploit development in that you’d want to automate as many tedious and repetitive tasks as possible. Note: the concepts behind each technique are thoroughly explained, so it’s not like you’re just running a command that magically gives you an exploit. You still learn how everything works behind the scenes. However, per typical OffSec style, nothing in AWE is automated; they make you suffer through everything manually to truly ingrain the concepts and techniques. Actually, they do give you one ROP script that helps you find bricks. Unfortunately, it’s partially broken, and they literally make you find the error and fix it yourself :o

    As I mentioned in the review, OffSec went way out of their way to find convoluted vulnerabilities that not only covered a given technique but also brought tears to your eyes in the process. Therefore, heap spraying on the Corelan course focuses largely on that technique itself, while in the AWE course, you have to disassemble the binary with IDA and review the source code on top of that.

    Comparing these two courses is really comparing apples and oranges. They each focus on unique areas and target different skill levels, and there’s no point in trying to determine which one is "better". I think they complement each other well, and it makes a lot of sense to do Corelan first and then move to an advanced course like AWE. I absolutely loved the Corelan course, and I would do things in the same order if I had to do everything again. It was undeniably a critical component of my AWE preparation.

    Also, like the OffSec team, it was absolutely a privilege to spend that time with Peter. Despite being another leader in the field, he was completely humble and awesome to interact with. I picked up a lot of neat tips and tricks just from chatting with him during breaks and asking random questions during the course. Even if you think you have a good handle on the boot camp material, you’ll probably still get a lot out of the overall experience.

    Finally, Corelan might have OffSec beat in terms of per-day intensity. He covers an insane amount of material in two days, and we went 14-16 hours each day (bring Red Bull, for both you and Peter). Peter is an absolute beast, and he was still energetic and wanting to do exercises at 10PM the second day, despite having a 6AM flight back to Belgium the next morning. Unfortunately, he had succeeded in reducing our brains to pudding at that point, and we had to draw the line there :)

  3. Congrats on this great achievement!
