Last night's OWASP Long Island Meeting
I hosted the local Long Island chapter of OWASP last night at my place of work for a hands-on evening of playing around in a bring-your-own-laptop lab environment. I had set up a virtual infrastructure that was so vulnerable to attack that it almost looked like a real workplace.
For this session, the OWASP guys provided bootable BackTrack 5 RC1 DVDs, and I provided the virtual machines, a switch, power, networking cables, etc. After a brief introduction, we got started right away.
We went through a number of hands-on exercises, ranging from quick exercises with the Metasploit Framework and w3af to ARP poisoning and dsniff. After having identified some credentials on the wire, we did some hands-on exploitation of a SQL injection flaw, and we mucked around a bit more with other "features" in this custom-developed web app. All in all, we managed to cover about 6 examples of the OWASP Top 10. Around 10:30pm, we called it quits and wrapped up for the night, but not before having agreed to a to-be-continued session some time in January.
As a firm believer in hands-on learning (in addition to studying texts), it was very satisfying to see how quickly participants who may never even have used a Linux distribution took to "breaking stuff". As everything was running on a virtual infrastructure, participants did not have to be afraid of causing accidental damage, and that showed ;)
All-in-all, I think we had a good time. Next time, I'll make a few more tweaks and bring a slightly more powerful server for the VM infrastructure, but that's about all that needs to happen to take this show on the road.