December 8, 2008
SANS SEC:709 – Developing Exploits for Penetration Testers – Day 1
Day 1 of the SEC:709 course is finished. Before I give some points on the course, I want to say that I’m not a coder, and to be honest, scripting is enough of a challenge for me. So, when I said I’d facilitate for the course, I knew things would be above my head. Still, 50% through and I’m surprised at how much clearer things seem.
Day 1 covered the Linux side of exploit writing, as well as covering the basic points needed for tomorrow’s trip into the world of Windows. The pace is hectic and fast paced. Then again, with the amount to cover and the topics being highly technical (this is a SANS 700 level course), the exercises will need to be redone, and redone, and then once more to be sure. These are not the kind of labs you can GET in one try. Sure, some of the basics fit together without too much brain ache, but the more advanced (well, advanced for me) stuff will need some more work.
If you’re a penetration tester who wants to move beyond Metasploit and into the world of custom proof of concepts, then this is a great introduction. No 2 day course will take you from A to Z, but this one will give you the foundation to build on. I’ll let you know how day 2 does tomorrow… that is, if I survive 😉
December 6, 2008
SANS Web App Penetration Testing and Ethical Hacking Class – DAY 4
Today was a long day… my hint for a SANS conference in Europe is never to go drinking with Terry Neal. No, seriously, save yourself before it’s too late 😉 Still, it’s amazing what you can accomplish on 4 hours of sleep.
Today was finally the Exploitation day… and as we know exploitation is always the fun part (insert evil laugh here). The coverage of a WordPress vulnerability from last year was interesting, but needed a little bit more in-depth explanation of how it functions. Due to the limitation of the class running time though, I think that wasn’t really a possibility. Still, consider it as homework 😉 Although this was a lab designed to cover blind SQL injection, the use of a pre-written script for the lab was a little disappointing. I’d like to have seen something with SQLBF or SQLmap personally.
The section on advanced script injection covered a lot of what I came to the course for. If I had a choice the whole 4 days would have been at this level. At the very end of the day we looked at a couple of exploitation frameworks (Attack API, BeEF and XSS Proxy). I’ve not had a chance to play with these much before, so it was good to get some hands-on time with the tool. Although I would have liked to look more at the Attack API setup and configuration. BeEF looks good, but lacks some functions that would improve the functionality. Given the chance I’ll write up some modules to fill the gap.
Overall the course was enjoyable, although a little basic for people already doing web-app testing on a regular basis. I’m looking forward to seeing how the SEC:542 course changes when it goes 6 days (see next year’s conference lists). I’m expecting something special from the InGuardian guys.
September 19, 2008
I’ve recently passed the big 6 month mark as a penetration tester. It doesn’t seem like much in the scheme of things, and it certainly doesn’t give me the right to preach to you. It has however made me think about what I’ve really learned since starting work as a full-time penetration tester. In the true style of incident responders, I’ve entered the “lessons learned” phase, and here’s what I came up with (in no particular order):
- The report is the most important part of a test.
- Exploits are only a small piece of what a penetration test is all about.
- If you don’t understand the protocols, all is lost. RFCs are your friend here.
- Testing your tools and exploits before a test is more than just a good idea.
- Writing testing notes in a notebook may seem old fashioned, but it really helps.
- Charts and Screenshots make people go “Ooooh” when they read the report.
- No matter what you say in the final report, someone will always disagree on some point or another.
- Linux is your friend. Windows is also your friend, albeit a slightly slower friend that annoys you at times.
- When you test something and can’t find a weakness, this is not a bad thing… and yes the good parts should also be in the report.
- No one person can know everything (except Ed Skoudis) so knowing where to find the facts, and who to ask is an important skill to possess.
With the above said, I’ll try and expand on a few of these points in the coming weeks.
August 29, 2008
So I never did have a chance to update my blog after my GPEN exam. As you can see by the title I passed the exam, so all is good with the world. I’m talking to SANS at the moment about working as part of their Mentor team and doing some training (or Mentoring) in Vienna at some point. I’ll hopefully flesh out the details on this at some point in December as I’m in London at the SANS London ’08 training sessions helping out with the Sec:540 VOIP and Sec:542 Web-Application Penetration testing courses.
If you’re headed to London for the SANS classes let me know….