SANS Web App Penetration Testing and Ethical Hacking Class – DAY 4
DAY 4:
Today was a long day… my hint for a SANS conference in Europe: never go drinking with Terry Neal. No, seriously, save yourself before it’s too late.
Still, it’s amazing what you can accomplish on 4 hours of sleep.
Today was finally the Exploitation day… and as we know, exploitation is always the fun part (insert evil laugh here). The coverage of a WordPress vulnerability from last year was interesting, but needed a little more in-depth explanation of how it functions. Given the limited running time of the class, though, I don’t think that was really a possibility. Still, consider it homework.
Although this was a lab designed to cover blind SQL injection, the use of a pre-written script for the lab was a little disappointing. I’d like to have seen something with SQLBF or SQLmap personally.
The section on advanced script injection covered a lot of what I came to the course for. If I had a choice, the whole 4 days would have been at this level. At the very end of the day we looked at a couple of exploitation frameworks (Attack API, BeEF and XSS Proxy). I’ve not had a chance to play with these much before, so it was good to get some hands-on time with the tools, although I would have liked to look more at the Attack API setup and configuration. BeEF looks good, but lacks some functions that would round it out. Given the chance I’ll write up some modules to fill the gap.
Overall the course was enjoyable, although a little basic for people already doing web-app testing on a regular basis. I’m looking forward to seeing how the SEC:542 course changes when it goes to 6 days (see next year’s conference lists). I’m expecting something special from the InGuardians guys.
SANS Web App Penetration Testing and Ethical Hacking Class – DAY 3
DAY 3:
Well, day 3 has begun, and we’ve passed the halfway mark. I’m expecting some serious in-depth parts over the next 2 days. The presentations last night were really interesting. Raul covered Bluetooth attacks, which was interesting on a number of levels. Some people attending didn’t seem to get it from a business point of view. The opinion of one person was that the manufacturers won’t make a more secure version of these devices because it would cost more, and therefore not get enough market share to be effective. A typical argument against security. What he failed to understand was that this is a business problem. As nasty as it is to have your conversations listened to, the real return on investment for attackers lies with attacking businesses. Therefore businesses need to demand the extra level of security for their Bluetooth devices, even if it costs €5 more than a normal device. This will filter down to the cheaper handsets, headsets and other devices after a while, and secure even the lowest end of the market.
The second presentation covered NIC and graphics card firmware, and what can be done to attack and control the firmware in these devices. An eye opener indeed, especially when you learn that infected firmware can use PCI-to-PCI communications to bypass your firewall entirely. It’s still a little beyond today’s attackers to use this avenue, but it’s well within the means of a large government or well-financed crime syndicate. Something to look out for in the future…
The day kicked off with some basics on user enumeration. The Burp Suite byte/word-level page comparison is interesting, and something I’ve used before for cookies, but not for comparing 2 server responses. Then came coverage of the usual suspects: SQL Injection (including blind SQL injection), Cross-Site Scripting and Cross-Site Request Forgery. The coverage of Web Services was a little sparse for my liking. We’re going to start seeing more of these in the wild during tests, and an in-depth overview with examples would have been nice. Still, you can’t have it all. I think we could have done with some more hands-on today, but hopefully we’ll cover some of that in tomorrow’s Exploitation day.
SANS Web App Penetration Testing and Ethical Hacking Class – DAY 2
DAY 2:
Well, after an evening drinking on a Thames riverboat, it’s time for day 2 of the Web App course. We begin by covering the usual suspects in recon. A few slides on Google hacking (even stuff I’ve not seen on Google Groups hacking) and then on to whois, DNS and fingerprinting the remote server. This is all pretty much basic stuff. It seems these topics end up in every class on penetration testing, as the content was covered in SEC:560 as well.
The afternoon covered a little more in-depth stuff, including the use of transparent proxies, and a comparison between the various proxy tools available. Some more information on RATPROXY would have been nice, but I guess we can’t cover them all. It’s the small gems that make the course worthwhile for me though. The w3m tool, for example. Using it with the -dump option allows you to strip out the HTML tags from a page. This is great for forming wordlists from spidered sites.
w3m -dump index.html > index.txt
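The dump is only the first step towards a wordlist. The script below is an added example, not from the original post: dump_text calls w3m -dump exactly as above when the tool is installed and otherwise falls back to a simple sed tag-strip (my assumption, so the pipeline still runs without w3m), and make_wordlist lowercases, tokenises, drops anything under 4 characters and de-duplicates. The sample page is constructed inline.

```shell
#!/bin/sh
# Added example: turn a spidered HTML page into a candidate wordlist.
# w3m -dump (as in the post) does the tag stripping; the sed fallback is an
# assumption added here so the script still runs where w3m is not installed.

dump_text() {
    # Render one saved HTML file to plain text.
    if command -v w3m >/dev/null 2>&1; then
        w3m -dump -T text/html "$1"
    else
        sed -e 's/<[^>]*>/ /g' "$1"
    fi
}

make_wordlist() {
    # stdin: plain text. stdout: unique lowercase tokens of 4 or more characters,
    # one per line. LC_ALL=C keeps the character ranges predictable.
    LC_ALL=C tr 'A-Z' 'a-z' |
        LC_ALL=C tr -cs 'a-z0-9' '\n' |
        awk 'length($0) >= 4' |
        LC_ALL=C sort -u
}

wordlist_from_file() {
    # Full pipeline for one saved page.
    dump_text "$1" | make_wordlist
}

sample_page() {
    # Constructed sample page standing in for a spidered site; prints its path.
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
<html><body>
<h1>Acme Widgets</h1>
<p>Welcome to Acme portal. Contact: support@acme.example</p>
</body></html>
EOF
    printf '%s\n' "$tmp"
}

page=$(sample_page)
wordlist_from_file "$page"
rm -f "$page"
```

Run it over every page saved by the spider and feed the merged output to your password-policy checks; words that appear on a site’s own pages are exactly the ones a policy should be rejecting.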
Second gem for the day: Wireshark display filters for HTTP content. I’ve not had much call to play with these in the past; another thing on the list, as always. Things like http.content_type contains "jpeg", http.response.code == 404 and http.user_agent contains Wget are great (in case you wondered, jpeg is a reserved word in Wireshark, so it needs to be in quotes). If you’re using the contains operator though, it’s case sensitive. To make things easier you can use lower(http.user_agent) contains wget to lowercase the field before matching. This kind of thing makes me want to play with Wireshark and TCPDUMP filters some more. Sad, but true….
This kind of display filtering comes in handy for large captures, like those you make when performing a penetration test. After all, we all capture all traffic while we’re doing a penetration test, right?
A quick look at the session and cookie analysis of WebScarab and day 2 is over. I’d like to have seen Burp Suite as the analysis tool of choice personally. The Burp analysis of cookie values is so much more in-depth than the single spread chart provided by WebScarab. Still, each to their own.
Things are warming up. Start slow and end fast, that’s what I say.
SANS Web App Penetration Testing and Ethical Hacking Class – DAY 1
DAY 1:
The first day of most classes of this type seems to be a basic outline day. Everybody needs to be at the same level for the remaining 3 days of the course, so this is a must. Overall the first day covered things that most people who work as penetration testers will already know. Then again, there are others moving into this area who need the review. The review of the HTTP methods was interesting, especially the section on the CONNECT method. The real benefit for me though was the detailed run-through of the authentication options. I managed to get a few minutes to read through the RFC on Digest Authentication and re-enact the challenge/response process at the command line (using openssl with the MD5 option). It’s always good to understand how it works behind the scenes.
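For anyone who wants to repeat that exercise, here is an added example (mine, not course material) of the RFC 2617 Digest computation done with openssl’s MD5 digest at the command line. The md5sum fallback is an assumption added so the script runs where openssl is missing; the input values are the worked example from the RFC 2617 text itself (section 3.5), so the result can be checked against the response= value printed there.

```shell
#!/bin/sh
# Added example: re-create the RFC 2617 Digest challenge/response maths with
# openssl's MD5 digest. md5sum is only a fallback when openssl is absent (an
# assumption added here, not something the post describes).

md5hex() {
    # MD5 of stdin as 32 lowercase hex characters.
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst -md5 | awk '{print $NF}'
    else
        md5sum | awk '{print $1}'
    fi
}

digest_response() {
    # Arguments: user realm password method uri nonce nc cnonce qop
    # HA1 = MD5(user:realm:password), HA2 = MD5(method:uri)
    # response = MD5(HA1:nonce:nc:cnonce:qop:HA2) when qop is given;
    # with qop empty the older RFC 2069 form MD5(HA1:nonce:HA2) is used.
    user=$1; realm=$2; pass=$3; method=$4; uri=$5
    nonce=$6; nc=$7; cnonce=$8; qop=$9
    ha1=$(printf '%s:%s:%s' "$user" "$realm" "$pass" | md5hex)
    ha2=$(printf '%s:%s' "$method" "$uri" | md5hex)
    if [ -n "$qop" ]; then
        printf '%s:%s:%s:%s:%s:%s' "$ha1" "$nonce" "$nc" "$cnonce" "$qop" "$ha2" | md5hex
    else
        printf '%s:%s:%s' "$ha1" "$nonce" "$ha2" | md5hex
    fi
}

# Worked example with the values from RFC 2617 section 3.5; the RFC lists
# response="6629fae49393a05397450978507c4ef1" for this exchange.
digest_response Mufasa testrealm@host.com 'Circle Of Life' GET /dir/index.html \
    dcd98b7102dd2f0e8b11d0f600bfb0c093 00000001 0a4f113b auth
```

Seeing the pieces laid out like this makes two things obvious from the defender’s side: the password itself never crosses the wire, and the only things stopping a captured Authorization header from being replayed are the server’s own nonce and nc checks, so a server that accepts a stale nonce or a repeated nc has undone most of the scheme.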
Raul Siles has a good teaching style (as I learned in the VoIP Security class), so I’m looking forward to the next 3 days. I’m hoping for a couple of nuggets of pure gold from the course. We’ll see how days 2, 3 and 4 go.
Update: From comments on Twitter it looks like Ed Skoudis is working on an update to the class. From what I’ve heard it looks like it will be a 6 day class in the future, so should cover some more in-depth topics in later versions of the class.
While at the SANS London conference I attended the VoIP Security class held by Raul Siles. VoIP is not a small topic, and the field is still in flux when it comes to security. We had 2 days to cover a range of topics, and to fit it all into the 2 days the course was run bootcamp style (9am to 8pm). Overall I got a lot out of the course, in particular the lab exercises and the review of the underlying protocols (SIP and RTSP).
The first day lays the foundation by reviewing the protocols and learning the networking side of VoIP security. The second day concentrates more on attacks against the environment and, where possible, remediation to defend against these attacks. As the VoIP arena is in flux and growing day by day, the solutions are not 100%. However, the majority of issues are covered from both attack and defence viewpoints.
Overall I thought the course was well formed, although it could do with a little less theory and more hands-on work. After all, we can all read a book on the theory side, but not everyone has the facilities to do the hands-on exercises. This is the first time the VoIP course has been run in Europe, so I hope they take our comments back and streamline the course for future attendees.
Next is the Web App Penetration Testing and Ethical Hacking class (SEC:542).
I finally had the chance to catch up on a couple of the OWASP videos over the past few days. Of all the presentations, the one from Chris Eng entitled “Cryptography for Penetration Testers” jumped out at me as a good watch. The information contained in the 45-minute presentation is something that I know will be very useful to me personally as a penetration tester. I would encourage anybody interested in web-application penetration testing, but not so much into the maths behind encryption, to take the time to watch it. It’s a lot to take in at once, but a couple of pauses and a copy of the slides make things a lot easier to understand.
Video / Slides (HQ)
In preparation for the upcoming SANS London VOIP Security course, I’ve been reading through the Hacking Exposed: VOIP book. I finally got the chance to finish the book over the weekend and must say I came out the other end feeling a little disappointed. I’d skimmed the book before, and at first glance the contents seem really in-depth. However, after reading the book cover to cover, the amount of repetition really began to become tiring. I found myself actually skipping sections, as the tests discussed seemed to be repeats from earlier sections of the book, together with the same suggestions for blocking attacks. I understand the reasoning for this, as there are only so many protections against Denial of Service floods, spoofing or Man in the Middle attacks. That said, the solutions could easily have been grouped together as a separate chapter to prevent the repetition.
VOIP has come a long way in the last few years, and the attacks mentioned in the book have probably been overtaken by newer exploits and attack vectors. Maybe this was simply a case of too little content to fill the book with new and exciting attack types. Here’s hoping that the second edition will be reformatted to make the most of the information held within.
I’ve recently re-discovered the wonderfully named shell-fu website. If you use Linux a lot then some of the tips and tricks here are certainly going to come in handy. Sure, some of them are wild and wacky, and some are even older than I am (don’t ask), but there are still some nice little tricks that every real Linux user should appreciate.
My favourite, which I’ve been using with great success over the past few months, is the shortcut to run a follow-up command with the same arguments as your previous command. You can simply use !* to repeat all arguments from the previous command, or !:x where x is the argument number you want to repeat. You can also use !! to repeat the whole command (useful if you need to sudo a command). An example is in order, I think.
mkdir /etc/configuration/really_long_and_hard_to_remember_directory_name
cd !:1
This uses the first argument from the previous command line (!:1 is argument 1, with the command itself being word 0) and passes it to the cd command. Saves valuable seconds that you could be using surfing for lolcats or browsing the FAIL blog.
Check out the site for some more great time saving hints…
I’ve recently passed the big 6-month mark as a penetration tester. It doesn’t seem like much in the scheme of things, and it certainly doesn’t give me the right to preach to you. It has, however, made me think about what I’ve really learned since starting work as a full-time penetration tester. In the true style of incident responders, I’ve entered the “lessons learned” phase, and here’s what I came up with (in no particular order):
- The report is the most important part of a test.
- Exploits are only a small piece of what a penetration test is all about.
- If you don’t understand the protocols, all is lost. RFC’s are your friend here.
- Testing your tools and exploits before a test is more than just a good idea.
- Writing testing notes in a notebook may seem old fashioned, but it really helps.
- Charts and Screenshots make people go “Ooooh” when they read the report.
- No matter what you say in the final report, someone will always disagree on some point or another.
- Linux is your friend. Windows is also your friend, albeit a slightly slower friend that annoys you at times.
- When you test something and can’t find a weakness, this is not a bad thing… and yes the good parts should also be in the report.
- No one person can know everything (except Ed Skoudis) so knowing where to find the facts, and who to ask is an important skill to possess.
With the above said, I’ll try and expand on a few of these points in the coming weeks.
Happy hunting…
Over the last 6 months EC-Council have been implementing their new ECE points system for retaining your qualifications (ISC² style). Now, I’ve blogged a few times before on the C|EH, ECSA and L|PT qualifications, so I don’t want to re-hash those views. However, the whole ECE points rollout has been one disaster after another. Although the system was meant to be released at New Year, nothing appeared. When the members on the forums asked questions, nobody answered. Emails were pretty much the same, with an occasional mindless response that made no attempt to even answer the question at all. However, we (the forum members) persevered, and were rewarded a few months late with the brand new ECE portal in all its glory. It was buggy, badly designed and the points were wildly disproportionate. If you did a course with EC-Council, or talked at an EC-Council event, you’d get 4 times the points you’d get for talking at something like DefCon. A truly WTF moment if I’ve ever had one. Anyway, things got better. To EC-Council’s credit, they took some of the comments from the forum users and actually made some changes to the points system. They added security-related podcasts to the list, and changed the points allocations. Things were on the upturn.

ECE DELTA
Fast forward a few months and I’ve added a few things to the points list. After all, no matter what I think of the quality of the qualification, it seems a waste not to spend 5 minutes filling out the form to retain it. Well, maybe it is a waste, but that’s something I’ll consider in the future. Added to the points list are a number of security-related books I’ve read, as well as the SANS GPEN course/exam and an article I’ve written for Linux Magazine about Snort IDS. No problems so far; everything is fine and dandy. That is, until I write an article for Hakin9 magazine about security training. I added it to the ECE system yesterday while I was taking a 5-minute break from breaking a web app.
I thought nothing of it… that is, until I got an email asking for a copy of the article. Suddenly EC-Council wants to see proof that I’ve written an article. They don’t want proof of the Linux Magazine article, the SANS course, or anything else I’ve done. However, an article on security training is something different, it appears. I’m not so worried about losing my C|EH/ECSA status (I never bothered paying for the L|PT) if EC-Council dislike my article, but it seems they’re not big fans of criticism when it comes to their courses.
I’ve replied asking them for clarification of why they need proof for only this item and not the others. We’ll see what they give as a reason. Maybe they’re just getting their act together on checking these things, but I doubt it. If the article were about something else, I doubt they’d care to check. Things smell a little fishy to me.