I’ve been working to build up a good quality reference library of security books for about 2 years now, ever since I left my job as a Server Administrator to begin learning about security. Some books have been a bit of a letdown (like the Hacking VoIP Exposed book) and others have been a great addition to the collection (like XSS Attacks, or The Web Application Hacker’s Handbook). Moving this small home reference library between home and work has started to become a real problem though. You never have the right book in the right place at the right time. It’s Murphy’s law. So, I’ve begun the quest to set up a comprehensive reference library at work for all those special occasions when you just have to know that obscure Python syntax.
With this in mind I’ve started the list of desired titles. Obviously there’s no way I can add every possible title to this list, and some good books are just not suitable for a reference library. With that said, I hope this is at least a good start .:
- Applied Cryptography
- Web-Application Hackers Handbook
- Database Hackers Handbook / Oracle Hackers Handbook
- XSS Attacks
- NMAP Network Scanning
- Learning Python (3rd Edition)
- A Book on C (for those Code Review moments)
- TCP/IP Illustrated (vol.1-3)
To add to these titles, a subscription to the Safari online bookshelf seems like a good idea. Being able to directly search books for specific parameters, configuration options and commands is a great thing. If this is beyond budget, then limited use of Google Books would be a possible solution.
There are some good titles that I’ve not listed here, mostly because once they’ve been read I don’t see them as a source of reference that I’ll use on a regular basis.
This list is far from complete, so if you have suggestions then feel free to post a comment. Without discussion, things will never move forward.
This post is in response to “Fraudulent Security Experts” as posted on the SNOsoft Research Team Blog.
Like a lot of other security professionals (and I use the term loosely), I subscribe to a range of mailing lists to keep my finger on the pulse, so to speak. Amongst the usual posts to the Nessus mailing list (followed normally by a rude, or at the very least rudely worded, response from Tenable & Co.), and the informative posts on PaulDotCom and the SANS mailing lists, there lies the PenTest mailing list. I tend to prefer lurking on this list, as a lot of what I see makes me cringe. However, I’ve never taken the time to comment on the mailing list before. That is, until I saw the blog post from Adriel T. Desautels on the SNOsoft Research Team blog.
If you’ve not had a chance to read the blog, then I’ll summarise. His gripe (and rightfully so) is about so-called security professionals selling a service (and we’ll use a penetration test here as an example) and then not being qualified to finish the job. I’ve seen it on the mailing list before, but the latest post regarding SQL injection.
Now I want to clarify something before we move forward. I have no problem with people asking questions. I like to help people out where I can, and if people want to learn then asking questions is a must. However, when people start their question with something like “I’m doing a pentest for a customer and…” I start to get worried. After all, if you have a customer then you should know enough to cover the basics. Sure, some of the questions are real brain teasers, but a lot fall into the “security 101” arena. So many people seem to think that penetration testing is about running nmap and nessus and walking away. There will always be people looking to make a quick buck, and penetration testing will be no exception.
The problem is that there is no easy solution. Certification (as was discussed in the PenTest mailing list recently) is no indication of a person’s true knowledge. Also at fault here are the Human Resources people who think a CISSP means everything in security. Anyway, that’s an argument for another day. There is a lack of regulation and accreditation in the security industry as a whole. What accreditation does exist (i.e. CREST, the Council of Registered Ethical Security Testers in the UK) lacks pull, and is restricted to government contracts. However, the problem really lies with the customers. I know it’s hard to say, but the average customer will take the lowest and quickest quote. If I say I can do it $100 cheaper and in 2 days less, then I win, no questions asked. Instead the customers need to be asking why you’re better suited to do this test. How many have you done before, can you give sample reports, can you give references for previous work, and can we see the CV of the staff doing the test? Maybe it’s time for a list of questions the customer needs to ask; after all, right now it’s the penetration testers doing the asking.
We just got the news that Core Impact 8 (with XSS and Blind SQL injection) has been released by Core Technologies. You can read the full press release for the new version here.
Main features .:
- XSS and Blind SQL Injection Checks
- Comparing Test Results Over Time
- Scheduling Regular Testing
- Managing Large-Scale Testing
The Blog over at blog.portswigger.net has been buzzing for the last month about the new version of Burp Suite. After a short time in beta testing (with users of the professional version) it’s been released for those using the free version. I’ve had a quick look over the features and think that version 1.2 is a big step in the right direction.
I’ve flitted back and forth between using OWASP’s WebScarab and Burp Suite. As much as I’ve always wanted to go the free route and use WebScarab, something kept pulling me back to Burp. I guess it just makes things easier. The new version seems to fill in some gaps, and I’ll be looking at the pro license soon to really get the full benefit.
The professional version includes the new Burp Scanner (passive and active scanning), which seems to fill a void a lot of people have been looking for: an affordable web-application scanner that actually works. No automated scan will find everything, but users of Burp Suite already know that, so the addition of a scanner just seems to make sense at this point. One thing I wish was in the free version, however, is the save/restore session function. Then again, I can see why this is held back for the paying customers.
Some of the new features include .:
- Site map showing information accumulated about target applications in tree and table form
- Fully fledged web vulnerability scanner [Pro version only]
- Suite-level target scope configuration, driving numerous individual tool actions
- Display filters on site map and Proxy request history
- Ability to save and restore state [Pro version only]
- Suite-wide search function
- Support for invisible proxying
Check out the full details at www.portswigger.net
SANS SEC:709 – Developing Exploits for Penetration Testers – Day 2
I didn’t get a chance to post up my thoughts on the second day of the SEC:709 class before leaving London, so here’s a quick recap of the second day.
Today we began looking at the Windows side of exploit writing. Although in theory things are slightly harder with Windows exploitation than with Linux (at least at the level we were working at), things seemed to click on the second day. Whereas the first day was new concepts mixed with exercises to show how things work, the second day looked at the same points made in day 1 from a Windows standpoint. The examples were a chance to review some points from day 1 in a new light, and to introduce some new points. The day was finished off with a Capture the Flag. Most people managed to get a couple of flags at least, but with the limited time, and a raging brain ache from “drinking from the fire-hose” so to speak, it was slow going. One person managed to get almost all the flags, which was impressive given the time spent learning these points. I guess with some more reviewing of the topics and some practice, I’ll be able to get the hang of this mystical side of penetration testing and security research.
Overall the course was very fun. As it’s a 700 level course (from my understanding SANS does 400, 500, 600 and now 700 level courses, 400 being the basics, through to 700, which is more than a little advanced) you get what you ask for. It’s high-tech from moment 1, and the pace is fast and furious. It’s not one of those courses where you can get into class 10 minutes late from lunch and still catch up. If you miss a concept, then everything that follows will be that much harder to grasp. Stephen Sims (the class author and the teacher for the London class) is looking to take the class to 4 days. I think this would make the concepts easier to grasp, as more time could be spent in labs to drill the concepts into your head. One of the other facilitators (class helpers, of which I was lucky enough to be one) said that the 4-day course should be the contents from days 1 and 2 repeated twice. Still, Stephen said he wants to put more into the 4-day course. So keep your eyes peeled for that in the near future.
Overall my time in London was great. I managed to meet some really smart people, and the SANS Christmas dinner was really fun. Working as a facilitator for a SANS conference is fun, but a lot of work. If you’re thinking of trying it out, expect a lot of >12 hour days, and bleeding fingers. Still, from my experience it’s 100% worth it. Just getting a chance to work with the SANS instructors and staff is reward enough. If anybody will be attending the upcoming SANS Munich 2009 (June/July time) then look for a stressed and tired-looking facilitator; it’ll probably be me…
SANS SEC:709 – Developing Exploits for Penetration Testers – Day 1
Day 1 of the SEC:709 course is finished. Before I give some points on the course, I want to say that I’m not a coder, and to be honest, scripting is enough of a challenge for me. So, when I said I’d facilitate for the course, I knew things would be above my head. Still, 50% through and I’m surprised at how much clearer things seem.
Day 1 covered the Linux side of exploit writing, as well as covering the basic points needed for tomorrow’s trip into the world of Windows. The pace is hectic and fast. Then again, with the amount to cover and the topics being highly technical (this is a SANS 700 level course), the exercises will need to be redone, and redone, and then once more to be sure. These are not the kind of labs you can GET in one try. Sure, some of the basics fit together without too much brain ache, but the more advanced (well, advanced for me) stuff will need some more work.
If you’re a penetration tester who wants to move beyond Metasploit and into the world of custom proof of concepts, then this is a great introduction. No 2-day course will take you from A to Z, but this one will give you the foundation to build on. I’ll let you know how day 2 goes tomorrow… that is, if I survive.
SANS Web App Penetration Testing and Ethical Hacking Class – DAY 4
DAY 4:
Today was a long day… my hint for a SANS conference in Europe is never to go drinking with Terry Neal. No, seriously, save yourself before it’s too late.
Still, it’s amazing what you can accomplish on 4 hours of sleep.
Today was finally the Exploitation day… and as we know, exploitation is always the fun part (insert evil laugh here). The coverage of a WordPress vulnerability from last year was interesting, but needed a little bit more in-depth explanation of how it functions. Due to the limitation of the class running time though, I think that wasn’t really a possibility. Still, consider it homework.
Although this was a lab designed to cover blind SQL injection, the use of a pre-written script for the lab was a little disappointing. I’d like to have seen something with SQLBF or SQLmap personally.
The section on advanced script injection covered a lot of what I came to the course for. If I had a choice, the whole 4 days would have been at this level. At the very end of the day we looked at a couple of exploitation frameworks (Attack API, BeEF and XSS Proxy). I’ve not had a chance to play with these much before, so it was good to get some hands-on time with the tools, although I would have liked to look more at the Attack API setup and configuration. BeEF looks good, but lacks some functions that would make it more useful. Given the chance I’ll write up some modules to fill the gap.
Overall the course was enjoyable, although a little basic for people already doing web-app testing on a regular basis. I’m looking forward to seeing how the SEC:542 course changes when it goes to 6 days (see next year’s conference lists). I’m expecting something special from the InGuardians guys.
SANS Web App Penetration Testing and Ethical Hacking Class – DAY 3
DAY 3:
Well, day 3 has begun, and we’ve passed the half-way mark. I’m expecting some serious in-depth parts over the next 2 days. The presentations last night were really interesting. Raul covered Bluetooth attacks, which was interesting on a number of levels. Some people attending didn’t seem to get it from a business point of view. The opinion of one person was that the manufacturers won’t make a more secure version of these devices because it would cost more, and therefore not get enough market share to be effective. A typical argument against security. What he failed to understand was that this is a business problem. As nasty as it is to have your conversations listened to, the real return on investment for attackers lies with attacking businesses. Therefore businesses need to demand the extra level of security for their Bluetooth devices, even if it costs €5 more than a normal device. This will filter down to the cheaper handsets, headsets and other devices after a while, and secure even the lowest end of the market. The second presentation covered NIC and graphics card firmware, and what can be done to attack and control the firmware in these devices. An eye opener indeed, especially when you learn that an infected firmware can use PCI-to-PCI communications to bypass your firewall entirely. It’s still a little beyond today’s attackers to use this avenue, but it’s something well within the boundaries of a large government or well-financed crime syndicate. Something to look out for in the future…
The day kicked off with some basics on user enumeration. The Burp Suite byte/word level page comparison is interesting, and something I’ve used before for cookies, but not for comparing 2 server responses. Then came coverage of the usual suspects: SQL injection (including blind SQL injection), Cross-Site Scripting and Cross-Site Request Forgery. The coverage of Web Services was a little sparse for my liking. We’re going to start seeing more of these in the wild during tests, and an in-depth overview with examples would have been nice. Still, you can’t have it all. I think we could have done with some more hands-on today, but hopefully we’ll cover some of that in tomorrow’s Exploitation day.
SANS Web App Penetration Testing and Ethical Hacking Class – DAY 2
DAY 2:
Well, after an evening drinking on a Thames riverboat, it’s time for day 2 of the Web App course. We begin by covering the usual suspects in recon. A few slides on Google hacking (even stuff I’ve not seen on G groups hacking) and then onto whois, DNS and fingerprinting the remote server. This is all pretty much basic stuff. It seems these topics end up in every class on penetration testing, as the content was covered in SEC:560 as well.
The afternoon covered a little more in-depth stuff, including the use of transparent proxies, and the comparison between the various proxy tools available. Some more information on ratproxy would have been nice, but I guess we can’t cover them all. It’s the small gems that make the course worthwhile for me though. The w3m tool, for example. Using it with the -dump option allows you to strip out the HTML tags from a page. This is great for forming wordlists from spidered sites.
w3m -dump index.html > index.txt
Second gem for the day: Wireshark display filters for HTTP content. I’ve not had much call to play with these in the past; another thing on the list, as always. Things like http.content_type contains "jpeg", http.response.code == 404 and http.user_agent contains Wget are great (in case you wondered, jpeg is a reserved word in Wireshark, so it needs to be in quotes). If you’re using the contains option though, it’s case sensitive. To make things easier you can use lower(http.user_agent) contains wget to make everything lowercase for the matching process. This kind of thing makes me want to play with Wireshark and tcpdump filters some more. Sad, but true….
This kind of display filtering would come in handy for large captures, like those you make when performing a penetration test. After all, we all capture all traffic while we’re doing a penetration test, right?
A quick look at the session and cookie analysis of WebScarab and day 2 is over. I’d like to have seen Burp Suite as the analysis tool of choice personally. The Burp analysis of cookie values is so much more in-depth than the single spread chart provided by WebScarab. Still, each to their own.
Things are warming up. Start slow and end fast, that’s what I say.
SANS Web App Penetration Testing and Ethical Hacking Class – DAY 1
DAY 1:
The first day on most classes of this type seems to be a basic outline day. As usual, everybody needs to be at the same level for the remaining 3 days of the course; this is a must. Overall the first day covered things that most people who work as a penetration tester will already know. Then again, there are others moving into this area that need the review. A review of the HTTP methods was interesting, especially the section on the CONNECT method. The real benefit for me though was the detailed run-through of the authentication options. I managed to get a few minutes to read through the RFC on Digest Authentication and re-enact the challenge-response process at the command line (using openssl with the MD5 option). It’s always good to understand how it works behind the scenes.
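The Digest Authentication challenge-response mentioned above, worked through in Python instead of openssl at the command line. This is an added example, not part of the original post or the course material; the challenge header is constructed from the sample values in RFC 2617 section 3.5 (user "Mufasa", password "Circle Of Life", qop=auth, algorithm MD5), and both the client calculation and the server-side check are shown.

```python
import hashlib
import hmac
import re

# Constructed WWW-Authenticate challenge, using the sample values from RFC 2617 section 3.5
CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
             'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

def h(data: str) -> str:
    """H(data) in RFC 2617 terms: lowercase hex MD5 (the same digest 'openssl md5' prints)."""
    return hashlib.md5(data.encode()).hexdigest()

def parse_challenge(header: str) -> dict:
    """Split a 'Digest k="v", k2=v2' header into its parameters (quotes stripped)."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)
    return {k: v.strip('"') for k, v in pairs}

def ha1(username: str, realm: str, password: str) -> str:
    """H(A1). This is all a server needs to store (e.g. an htdigest file), not the password."""
    return h(f"{username}:{realm}:{password}")

def digest_response(a1: str, method: str, uri: str, nonce: str,
                    qop: str = "auth", nc: str = "00000001", cnonce: str = "") -> str:
    """request-digest for algorithm=MD5; qop=auth binds only the method and URI, not the body."""
    ha2 = h(f"{method}:{uri}")
    if qop == "auth":
        return h(f"{a1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    # qop absent: the older RFC 2069 form, with no client nonce or request counter
    return h(f"{a1}:{nonce}:{ha2}")

def client_authorize(username, password, method, uri, challenge, cnonce, nc="00000001"):
    """Client side: select qop=auth from the challenge and compute the response value."""
    c = parse_challenge(challenge)
    if "auth" not in c.get("qop", "").split(","):
        raise ValueError("server did not offer qop=auth")
    a1 = ha1(username, c["realm"], password)
    return digest_response(a1, method, uri, c["nonce"], "auth", nc, cnonce)

def server_verify(stored_a1, method, uri, nonce, nc, cnonce, response):
    """Server side: recompute from the stored H(A1) and compare in constant time."""
    expected = digest_response(stored_a1, method, uri, nonce, "auth", nc, cnonce)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    resp = client_authorize("Mufasa", "Circle Of Life", "GET", "/dir/index.html",
                            CHALLENGE, cnonce="0a4f113b")
    print(resp)  # 6629fae49393a05397450978507c4ef1, the response value in the RFC example
```

Note that the nonce, nc and cnonce travel in the clear, so the scheme protects the password from disclosure but still has to be combined with TLS to protect the request itself.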
Raul Siles has a good teaching style (as I learned in the VoIP Security class) so I’m looking forward to the next 3 days. I’m hoping for a couple of nuggets of pure gold from the course. We’ll see how days 2,3 and 4 go.
Update: From comments on Twitter it looks like Ed Skoudis is working on an update to the class. From what I’ve heard it looks like it will be a 6-day class in the future, so it should cover some more in-depth topics in later versions of the class.