In terms of training, Offensive Security is best known for their Pentesting with BackTrack/Kali (PWK) and Cracking the Perimeter (CTP) courses. While PWK and CTP have reputations for being intense, grueling courses that require months of sacrifice and dedication, the word “Advanced” is conspicuously absent from their titles. This fact alone should emphasize where Offensive Security AWE falls in relation to these other courses.
After registering for the course, the student must complete a reversing challenge to ensure he or she has a basic understanding of the foundation concepts that are required to digest the course content. The material in the course is far more advanced than the challenge, and successfully completing the challenge is no guarantee that the student is fully prepared for the course. However, if the student is unable to complete this challenge, or has extreme difficulty with it, there is a significant gap in requisite knowledge, and it is recommended to pursue the course at a later date after additional preparation. Did I mention “Advanced?”
Offensive Security AWE – The Course
I had the
misfortune pleasure of taking the Offensive Security AWE course in-person at Black Hat USA 2013. There are two important caveats when considering taking the course directly from Offensive Security or through Black Hat. First, what is normally a five-day course is compacted into four days to accommodate Black Hat’s training schedule. While content isn’t omitted, the accelerated schedule definitely increases the overall intensity of the course. Second, Black Hat only allows printed materials to be distributed. Therefore, the convenient watermarked PDF that is customarily included with online OffSec courses is not provided through this venue (however, a PDF of the slide deck was provided).
The course was delivered by its creators, Matteo Memelli and Devon Kearns. Matteo handled all of the speaking responsibilities, and Devon apparently participated solely to increase the intimidation factor for us
victims students (he actually provided excellent guidance throughout the course for exploitation exercises and other activities). Alexandru Uifalvi was also present and served as a teacher’s assistant (TA). Alexandru not only assisted with basic support issues related to virtual machines and networking, but he also had a firm grasp of the course material and could run circles around the students in terms of exploit development. Welcome to OffSec live training, where even the TAs are terrifying!
While everyone was getting settled in the first day, I paged through the book and started researching the vulnerabilities and exploits that we’d be covering throughout the course. The gravity of the situation that I’d gotten myself into truly became apparent when I discovered that the course authors were the original authors of the MS11-080 kernel exploit which currently has over 23,000 downloads on ExploitDB. The course was created and delivered by those at the forefront of exploit development, and it was an amazing opportunity to interact with these gifted individuals. With equal parts excitement and fear, I prepared for a turbulent ride.
The course syllabus can be found on the Offensive Security AWE official course page, and a brief excerpt of the main topics is included below for easy reference:
- Bypassing NX
- Custom Shellcode
- Venetian Shellcode
- Kernel Driver Exploitation
- 64-bit Kernel Driver Exploitation
- Heap Spraying
The course began by covering Egghunters. This will be a review for students who have taken CTP, and will lull them into a false sense of security by creating the illusion that the rest of the course will be as easy to assimilate. The difficulty skyrockets as additional topics are introduced, and it peaks with 64-bit kernel driver exploitation. The following graph depicts the WTH levels that students will experience as they progress through the course.
I personally made the mistake of assuming Heap Spraying on the final day would be a relatively painless way to conclude the course since that was one of the topics I was more familiar with at the time. We were immediately taken down a rabbit hole of reverse engineering with IDA and source code analysis that demonstrated why only specific memory addresses could be used to successfully exploit the heap-based vulnerability. Absolutely nothing in this course was easy, simple, or straight-forward (in a good way, if you’re a masochist).
One of my favorite aspects of OffSec training is that none of the topics are presented in a vacuum. Any given topic is presented along with a host of challenges and problems that must simultaneously be overcome in order to ultimately achieve success. In this case, the course authors scoured the available vulnerabilities and exploits for a given topic to ensure every activity was an unrelentingly challenging experience. Additionally, many of the modules included alternative techniques and approaches which significantly increased the overall breadth of content delivered by the course.
A number of preconfigured virtual machines were provided for the exploitation exercises; there was not a corresponding remote lab as there is for PWK and CTP. Those virtual machines were only intended to be used for the duration of the course, but nearly every configuration is trivial to recreate if the student wishes to review the course exercises at a later date.
The student is required to bring a laptop that is capable of running several virtual machines simultaneously on a supported operating system and virtualization platform. It is imperative to only use recommended configurations, since the course requires very specific configurations such as the ability to perform kernel debugging in one virtual machine through another via a virtual serial connection. The Black Hat 2013 course requirements were:
- 60 GB of free usable storage
- VMware Workstation installed version >= 6.0 on Windows/Linux
- VMWare Fusion version >= 3.0.2 on Mac OS X
- Modern system with a 64-bit CPU supporting NX functionalities
- Minimum of 4GB of RAM
Offensive Security is notorious for issuing cold, dispassionate “Try Harder” responses to students seeking guidance. While there were plenty of “jokes” about taking pleasure in the students’ suffering, and a wall of shame for those that resorted to hints, at no point did any of the OffSec team simply tell a student to try harder. Matteo, Devon, and Alexandru were all immensely helpful during exercises, breaks, and after class. There was so much material being covered so fast, that it would have been extremely difficult to get caught up once fallen behind, and they all went well out of their way to ensure everyone was on the same page before proceeding.
That said, there was certainly no shortage of trying harder throughout the course. A bullet point in one of the introductory slides discouraged attending Vegas parties because of homework. The course materials number a dense 341 pages with 221 footnotes. Those who are serious about the course should expect to dedicate the majority of their day to the course during its duration, including time outside of normal classroom hours. The student will likely need to perform some review and/or additional research prior to moving on to new material the following day, and it is the student’s responsibility to cover this ground on his or her own.
The prerequisites for the course are unexpectedly enormous. For example, the following list enumerates the programming languages that the student should be proficient with in order to fully understand the course contents:
- x86 Assembly
- x64 Assembly
- Python (Especially Ctypes)
Unlike the PWK and CTP courses, which integrate varying degrees of exploit development into the broader penetration testing process, AWE focuses exclusively on exploit development. Those that are coming from a network/systems penetration testing background, such as myself, may struggle with some of the concepts related to Windows development and internal Windows operations.
Therefore, I’ve assembled the following list of supplemental resources that can help bring those people up to speed. It’s not necessary to master the material in every resource listed below, but the more prepared the student is, the easier it will be to assimilate the course material. The last thing a student would want is to struggle performing basic IDA or WinDBG tasks instead of being able to focus on the course material itself.
- Open Security Training (Assembly, Exploitation, and Reversing material)
- A Guide to Kernel Exploitation
- Windows System Programming (4th Edition)
- Windows via C/C++
- Windows Internals Part 1
- Windows Internals Part 2
- Advanced Windows Debugging
- The IDA Pro Book
- Reversing: Secrets of Reverse Engineering
In conclusion, Offensive Security AWE is unquestionably one of the most cutting-edge and intense courses available, and it is highly recommended for anyone who is serious about Windows exploit development. The content is extremely relevant and consistently challenging, and the courseware is exceptionally detailed and polished, to the point where it could easily be a stand-alone book. Despite being sadistic industry leaders with remarkable levels of knowledge and experience, all the Offensive Security personnel were laid-back, easily approachable, and a genuine pleasure to interact with. In all regards, Advanced Windows Exploitation is another amazing offering from Offensive Security.
Offensive Security Exploitation Expert (OSEE) – The Certification
The Advanced Windows Exploitation course has a corresponding certification known as the Offensive Security Exploitation Expert (OSEE). Certificates of completion were provided to students at the end of the course, but these basically amounted to verifications of attendance. While these certificates can provide the student with CPEs, a true sense of accomplishment and mastery of the course material is only available through the OSEE certification exam.
It’s not possible to say much about this certification without ruining it for future challengers, so the details provided here will be brief and vague. In order to obtain the OSEE, the student must successfully exploit custom executables within 72 hours, as well as provide the exploits and supporting documentation within an additional 24 hours. The challenge was interesting in that it was significantly more difficult than either the OSCP and OSCE challenges (as expected) while simultaneously being much more straight-forward.
There wasn’t any need to research vulnerable third-party software, recreate the target in a local VM for analysis, or go beyond what was provided in any other way. Additionally, all the necessary techniques were thoroughly detailed in the course materials. The challenge simply revolved around whether the student could successfully identify how to exploit the vulnerabilities and creatively apply the knowledge delivered by the course.
Due to time constraints, the challenge does not comprehensively cover every technique that was detailed in the course. Instead, it focuses on some of the most intense material, and it’s safe to assume that students who successfully complete these challenges also have a good handle on the material that was omitted from the exam.
The OSCP and OSCE challenges have a larger number of targets and do not require all of them to be fully compromised in order to pass the exam. However, since the OSEE is more focused, the student should plan on successfully compromising all targets to guarantee a pass. Points for some targets can fluctuate slightly based on techniques used, and the higher point values for these targets may allow for a pass in a risky partial-credit scenario if the others aren’t fully compromised. However, since scores and scoring methodology are not disclosed, it’s strongly recommended to strive for full compromises of all targets. Otherwise, much of the student’s fate will be left to chance, and we all know what can happen when one leaves the decision in the hands of the judges.
Aside from the actual exploitation, one of the most difficult aspects of the challenge was staying motivated for its entire duration. Lack of sleep and mental fatigue compounds frustration as time goes on, and it becomes increasingly difficult to resist raising the white flag. There were many instances of hours disappearing in a blink of an eye without any apparent progress being made, and I sincerely lost count of how many times I was at the brink of giving up.
My personal run lasted 68 hours and consisted of only a few short breaks and very, very little sleep. The entire experience was excruciating, and an innocent bystander would have thought screaming obscenities at my monitor and cursing everyone I have ever met from Offensive Security were key components of a winning strategy. However, the feeling when the shells rolled in was indescribable. Out of all the professional credentials and designations I’ve obtained, the OSEE was undoubtedly the most arduous and difficult as well as the one I am the most proud of earning.
Andrew Johnson (OSEE, OSCE, OSCP, OSWP, Red and Blue Team Cyber Guardian, GSE, GXPN, GWAPT, GPEN, GCFA, GCIA, GCIH, GPPA, GSEC, CISSP, et al) has over a decade of experience in information technology and security and delivers penetration testing, customized training, and a variety of other professional services as a Senior Security Consultant at GuidePoint Security. He has extensive consulting experience and has provided a multitude of information assurance services to hundreds of Fortune 500 companies, financial institutions, healthcare providers, Web 2.0 start-ups, retail businesses, and various other organizations across several countries. He has also served as the Information Security Manager for the US operations of a global financial services ASP, servicing over 650 financial institutions and safeguarding over 40 million sensitive records. Andrew is a perpetual learner and enjoys sharing knowledge with others. He is a member of OWASP, InfraGard, and American MENSA and can be followed @acjsec. Tags: certification course review exploit dev offensive security windows