Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: SANS

SANS EMEA Webcasts 2011

In a break from what seems to have become a yearly tradition for me, I won’t be able to make it to the SANS London event this year. As sad as it is not to catch up with old friends and make new ones, I’m taking on another challenge this year (more on that another time) and there just wasn’t enough time to make both happen. However, that doesn’t mean that you readers get off without my regular post on what the great SANS EMEA team are up to in the build-up to the conference taking place in December.

As is customary for the month or so prior to the conference, SANS EMEA have arranged a number of regular Tuesday webcasts to talk about interesting and topical themes that might be interesting for readers of the blog. As much as the webcasts are designed to enthuse about the SANS classes, they also have great content and I feel stand alone even for people who don’t/can’t attend the training themselves. Another plus is that as these are EMEA-focused webcasts, you don’t have to stay up till 2AM to watch/listen live (like the US-based webcasts).

I’ll leave it up to you, the reader, whether or not you find them interesting… This year is a good mix of technical and audit content, with a little Social Engineering thrown in for good measure. Enjoy!

Tuesday October 4th 2pm BST 3pm CEST
Defending Against APT: IT Audit Techniques In Action with David Hoelzer

Are you already compromised? It can be really hard to know unless you really know your systems. Sign up and tune in for a one-hour, fast-paced discussion of how to merge some simple continuous monitoring controls together to identify signs of Advanced Persistent Threat malware for which there are no signatures. David Hoelzer, faculty fellow and well-known security lecturer, will give you actionable techniques that you can put into practice immediately following the webcast!

Tuesday October 11th 3pm BST 4pm CEST
Attacking the Human: A Look at Client and Customer-side Attack Vectors with Stephen Sims

During this one-hour talk, live client-side hacking techniques will be performed, demonstrating the impact of using such attack vectors. How easy or common is it to incorporate social engineering into a client-side attack? We will look at scenarios where this is applicable, as well as some social engineering techniques used on a grander scale. How are attackers stealing money these days? We’ll look at some real-world examples. The low-hanging fruit has dwindled in many instances, forcing attackers to become more clever, or to attack with more traditional techniques like physical theft. Gone are the days of simple remote exploits, and the number of web-based attack vectors is lessening. There are only so many 0-day exploits available…

Tuesday October 18th 2pm BST 3pm CEST
The Intersection of Cool Mobility and Corporate Protection: Practical Steps for Assessing the Security of Mobile Devices with James Tarala

Cool Mobility in business terms is mobile productivity. It enables a workforce to have instant access to information through mobile applications anywhere, anytime. People are fundamentally changing the way they work, and in order to remain competitive, organizations are making enterprise applications accessible through mobile devices. But what about the confidential data? How do we audit those mobile devices? This presentation will provide a streamlined approach to auditing endpoint security on mobile devices.

Tuesday October 25th 2pm BST 3pm CEST
Scapy, Packets, Fun: IPv4 and other dead protocols with Johannes Ullrich PhD

IPv4 has been around the block a few times, and attackers have poked at it whenever it passed them along the way. Needless to say, the IPv4 of today isn’t the same protocol we got to know and love 30 years ago. Since conception and birth, IPv4 has had its good and bad times, and all of it is visible in the conglomeration of standards defining a protocol that is now a lot more saggy and heavy than the slick and slim streaker defined initially. We will go over some of the realities of modern IP networking. Why did it change? What are some of the issues you may not know about? How do real networks affect how the protocol actually works vs. how it was supposed to work? Buffering, Layer 9 switches, ubiquitous proxies and non-compliant firewalls can have interesting effects on network performance, intrusion detection and security controls. We will use Scapy as a tool to experiment with these effects.

SANS SEC580: Metasploit Kung Fu for Enterprise Pen Testing – Post Mortem

At the end of my time in London I had the chance to sit in on the new SANS SEC580 class (Metasploit Kung Fu for Enterprise Pen Testing).

This 2-day class is designed to “show students how to apply the incredible capabilities of the Metasploit Framework in a comprehensive penetration testing and vulnerability assessment regimen, according to a thorough methodology for performing effective tests”. With Ed Skoudis and John Strand behind the class I had high hopes for something that really goes into the depths of Metasploit.

Day One


The first day started off with a gentle introduction to Metasploit and the MSF project in general, before diving into msfconsole and covering the required commands and options. Even though I’ve taught a few Metasploit workshops, there were a few gems here that I’ve not played with before. Small things (like the connect feature, for example), but still gems nonetheless.

After covering the “basics” the class focuses on using Metasploit in a 4-phase penetration test (Recon, Scanning, Exploitation, and Post-Exploitation).

By using the Recon phase as the basis for the afternoon’s labs, a number of the Metasploit auxiliary modules are discussed, with labs on dns_enum, port scanning, databases and db_autopwn.

The obligatory meterpreter overview was given, as well as some more detailed discussion about meterpreter scripts and their uses.

Day Two

Day two concluded the scanning section from the previous day (demo of a NeXpose scan and import), before moving on to the exploitation phase.

To provide a complete overview of exploitation, everything from client-side (file format, and browser_autopwn) through to the Social Engineering Toolkit (SET) and remote network exploitation was covered in varying detail. Coverage of some of the additional Metasploit command-line tools (msfpayload, msfencode) was included, but wasn’t explored in too much detail outside of a few specific examples.

The labs in this section of the book are well written and really give a good feel as to how specific protections can be bypassed. It was also good to play with SET and sqlmap using MSF payloads. Surprisingly the File Format lab wasn’t on Adobe PDF exploitation, but on Office macros… which makes a change 😉

Moving into the final stages of the class we covered some of the inner workings of Post-Exploitation with meterpreter scripts and some irb scripting. Although the labs gave the chance to write a simple meterpreter script and interact with the irb shell, I would have liked to spend some more time covering Ruby basics and going a little more in-depth. Still, you can’t have it all!

To finish things off a number of sniffer and database modules were used to demonstrate Metasploit’s password sniffing/extracting capabilities.

Wrapping things up was a short discussion of Karmetasploit and the Metasploit web integration.


Overall I really enjoyed this class, even if it wasn’t quite at the “kung-fu” level the name hints at. I was a little disappointed that the Metasploit version used for the class (3.4.0) was so outdated, but I understand the problems of keeping a course like this up to date, so I fully understand the choices.

This class is certainly a winner if Metasploit isn’t your daily driver! If you get up everyday and pentest using Metasploit, then you’re not going to get the full effect of this class. Then again, there are some real gems in here if you take the time to look for them. I’ve taken a few hints and tips that I’ll be using in the future, so I’m sure there’s something for almost everybody here.

If I had my way, I’d slim down some of the “introduction to…” stuff, and spend a little more time covering Ruby basics and bring in some of the more advanced topics, like module writing (simple modules naturally) and maybe something on Railgun / Racket.

This class certainly motivated me to get moving on some of my (long standing) Metasploit projects. Since getting back I’ve finished up my adduser payload modifications as well as a number of SAP auxiliary modules I had waiting to be finished. So I guess that makes it a resounding success!

If you attend the class in 2011 please let me know what you think… I’m interested to see the transformation of the class over time, as Metasploit is ever changing!

Quote of the class: “Shine on you crazy diamond!”

SANS SEC660: Advanced Penetration Testing, Exploits, and Ethical Hacking – Post Mortem

I’d like to say that I’ve been rushed off my feet since getting back from SANS London 2010… but to tell you the truth I haven’t. This review is a little late mostly because I’ve lacked motivation over the past few weeks to write anything. That’s nothing to do with the class, as you’ll read, but sometimes you just have to take a few days and say “what the heck!”. Anyway, on with the action….

SANS SEC660: Advanced Penetration Testing, Exploits, and Ethical Hacking is a new class that was run for the first time at SANS London 2010. The class is designed to cover the ground between the SEC560 Network Penetration Testing class and the SEC709/710 that Stephen Sims has been running for a while now (Exploit development).

Day One (Advanced Penetration Testing Essentials)

Day one started off hot and heavy with some discussion of what the authors consider “advanced” penetration testing really is. Unlike some of the penetration testing we’re used to, this class seems to come at things from a slightly different viewpoint at times. “Product Penetration Testing” is an area that maybe not all testers are currently involved in, but it’s certainly something that larger internal penetration testing teams are starting to build into their testing regimes.


The first morning was spent laying the foundations of knowledge required to understand the topics coming in days three through six. This included a lot of theory on OS protections, compilers, shellcode and an (all too brief) introduction to Scapy. The final segment of day one was spent looking at the Sulley fuzzing framework and running through a number of fuzzing labs.

Comments: Although this day was a little heavy on the theory, it was needed. With that said though, I’m not sure throwing these concepts in on day one was needed. I’d also like to have seen a longer Scapy discussion with at least one lab, but we can’t have everything now, can we 😉

Day Two (Network Attacks for Penetration Testers)

Day two was certainly a step back from day one. At the pace of the first day, I could imagine the second day being much more complex, but to be honest that wasn’t the case at all. Day two discussed network based attacks on technologies like NAC, VLANs and routing protocols. The fun here was actually getting to perform some of the attacks in a lab environment. Normally these attacks are discussed but not done due to hardware limitations. Although not everything was possible, it was certainly fun playing with VLAN hopping instead of just covering the theory.


Day two also introduced some discussions of MITM attacks (ettercap) and the use of tools like Evilgrade in penetration testing. The final bootcamp lab was back to the day one topics to perform file format fuzzing with WinDBG / CDB.

Comments: Although it was fun to play with some VLAN hopping exercises, I would have liked to have seen a Cisco router or two (nothing too flashy/expensive) for some live demos/labs on the routing protocol material.

Day Three (Attacking the Domain)

Day three was somewhat of an oddity for me. Although I enjoyed it, I thought the material covered was more akin to a 500 level class for the most part. That’s not to say it wasn’t useful, but the difficulty level was certainly lower than the rest of the course (maybe this should be day one!).


Day three centered around attacking Windows Domains and Database systems and ran through the phases of testing from enumeration through to attacking systems. Although some of the concepts were simple ones, the information and techniques shown were interesting and maybe not as well-known to all testers. Labs included RDP MITM attacks with Cain as well as attacks on MS-SQL.

The day finished up with some information on Restricted Desktops, and a short CTF style bootcamp.

Comments: As I mentioned I’m not sure the difficulty was really there when compared to the other days… it was certainly the calm before the storm!

Day Four (Exploiting Linux for Penetration Testers)

Day four was the day most people in class were looking forward to, and dreading at the same time. Linux exploitation… the start of the really technical stuff.


Kicking things off gently we covered a quick introduction to memory and Dynamic Linux Memory before getting stuck in to smashing the stack both with and without Linux OS protections (Stack Canaries, ASLR) in place.

The bootcamp was used to go back and try out some of the exploitation we’d covered during the day. Starting off with a bit of simple fuzzing to trigger the exploit, and working through a simple (yeah right) exploit.

Comments: This day made my head hurt… I’d have loved more time to play with the concepts and more labs, but you can only do so much in one day.
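As an added illustration of the stack-canary material from Day Four (example code written for this page, not part of the SEC660 course or the original post): the frame is modelled as a struct so the overwrite stays inside one object and the program is well-defined C, with the buffer followed by a guard word and a stand-in saved return address, mirroring the layout a stack protector produces. The canary value, buffer size and addresses are assumptions chosen for the demo. A blind overflow with a wrong canary guess trips the epilogue check, a canary recovered through an info leak passes it and leaves the return address controlled, and a bounded copy never reaches the guard at all.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16
/* Fixed for the demo only (assumption). A real canary is random per process and
 * usually carries a zero byte so strcpy()-style overflows cannot reproduce it. */
#define CANARY       0x0a2b3c4d5e6f7788ULL
#define ORIGINAL_RET 0x0000000000401136ULL  /* arbitrary stand-in return address */

/* Frame layout modelled as a struct: buffer, guard word, saved return address.
 * No padding: 16 + 8 + 8 = 32 bytes. */
struct frame {
    char     buf[BUF_LEN];
    uint64_t canary;
    uint64_t saved_ret;
};

enum result { RET_INTACT = 0, CANARY_TRIPPED = 1, RET_HIJACKED = 2 };

/* The bug: copies len bytes starting at buf[] with no bound (the strcpy()
 * pattern), then runs the epilogue check the compiler inserts. */
static enum result run_vulnerable(const unsigned char *input, size_t len)
{
    struct frame f;
    memset(f.buf, 0, sizeof f.buf);
    f.canary = CANARY;
    f.saved_ret = ORIGINAL_RET;

    if (len > sizeof f)               /* keep the demo inside the object */
        len = sizeof f;
    memcpy(&f, input, len);           /* unbounded relative to buf[] */

    if (f.canary != CANARY)
        return CANARY_TRIPPED;        /* __stack_chk_fail(): abort, never return */
    if (f.saved_ret != ORIGINAL_RET)
        return RET_HIJACKED;          /* check passed, yet control flow is gone */
    return RET_INTACT;
}

/* Hardened variant: the copy is bounded by the buffer, so neither the guard
 * word nor the return address is reachable. */
static enum result run_fixed(const unsigned char *input, size_t len)
{
    struct frame f;
    memset(f.buf, 0, sizeof f.buf);
    f.canary = CANARY;
    f.saved_ret = ORIGINAL_RET;

    memcpy(f.buf, input, len < sizeof f.buf ? len : sizeof f.buf);

    if (f.canary != CANARY)
        return CANARY_TRIPPED;
    if (f.saved_ret != ORIGINAL_RET)
        return RET_HIJACKED;
    return RET_INTACT;
}

/* Attacker input (constructed): padding to fill buf[], a canary guess, then a
 * forged return address. Returns the payload length, sizeof(struct frame). */
static size_t build_payload(unsigned char *out, uint64_t canary_guess,
                            uint64_t new_ret)
{
    memset(out, 'A', BUF_LEN);
    memcpy(out + BUF_LEN, &canary_guess, sizeof canary_guess);
    memcpy(out + BUF_LEN + sizeof canary_guess, &new_ret, sizeof new_ret);
    return BUF_LEN + sizeof canary_guess + sizeof new_ret;
}

/* Scenario 1: blind overflow, canary guessed wrong -> detected. */
int demo_wrong_guess(void)
{
    unsigned char p[sizeof(struct frame)];
    size_t n = build_payload(p, 0x4141414141414141ULL, 0xdeadbeefULL);
    return run_vulnerable(p, n);
}

/* Scenario 2: canary known (e.g. read back through an info leak) -> the check
 * passes and the return address is attacker-controlled. */
int demo_leaked_canary(void)
{
    unsigned char p[sizeof(struct frame)];
    size_t n = build_payload(p, CANARY, 0xdeadbeefULL);
    return run_vulnerable(p, n);
}

/* Scenario 3: the same leaked-canary payload against the bounded copy. */
int demo_bounded_copy(void)
{
    unsigned char p[sizeof(struct frame)];
    size_t n = build_payload(p, CANARY, 0xdeadbeefULL);
    return run_fixed(p, n);
}

int main(void)
{
    printf("wrong canary guess : %d (1 = canary tripped)\n", demo_wrong_guess());
    printf("leaked canary      : %d (2 = return address hijacked)\n", demo_leaked_canary());
    printf("bounded copy       : %d (0 = frame intact)\n", demo_bounded_copy());
    return 0;
}
```

The point the second scenario makes is the one that matters in practice: a canary only protects against an attacker who cannot read it, which is why a format-string bug or any other stack read in the same process turns a "protected" overflow back into a plain one. ASLR plays the same role for the forged return address, which here is a fixed value only because the demo never randomises anything.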

Day Five (Exploiting Windows for Penetration Testers)

Continuing on from where we left off on day four, we moved into exploitation on Windows platforms.


After a quick introduction on the differences between Linux and Windows platforms and executables, we moved into a lab-heavy day using WarFTP for the majority of the exploit labs. Working through the day we covered basic exploitation, as well as bypassing DEP, and discussed heap exploitation briefly (not full coverage). The day finished up with some shellcode basics and the bootcamp section.

Comments: And I thought the Linux day was hard! Even after running through all the labs I’m not sure I took everything in… Certainly one to look at again when I have time!

Day Six (Capture the Flag)

Day six, along with most of the SANS penetration testing classes, is a CTF style event. Although I can see the point of this, I’d have loved to dig more into some of the harder topics from days 4 and 5 instead of fumbling around in a CTF style day 6. Still, overall it was fun, and I’m sure our team would have done well if I’d not spent the whole time trying to exploit one of the Windows challenges (despite being warned that nobody ever does them).

Final Opinions

Overall I think I got a lot out of the class, even if I never will be one of the premier exploit developers. There were a number of points I can take and use in my testing, and that’s the real point, isn’t it. If this stuff isn’t useful, then why bother!


Even though the class is not 100% exploit writing, I can see people who are interested in getting into this area being drawn to the SEC660 class. It’s a quick and wild ride, but a good grounding for further learning. If you expect to come out being the next HD Moore however, then you’d better think twice… this kind of thing takes years of dedication and study to master… no 6-day class will ever offer that!

Even though programming knowledge isn’t needed for the class, I would highly recommend anybody looking to take the class to at least have some scripting experience. The labs do include Python scripting, and although it’s nothing too technical, some experience with it really allows you to concentrate on the real goals of the class and not get distracted by Python syntax.

Considering this was the first run for SEC660, I think the class was very well put together. With a few tweaks and alterations I can see SEC660 being a great extension to the SEC560 class.

SANS European Webcasts

In the buildup to the SANS London conference, the nice folks over at SANS Europe are running a few interesting Webcasts especially for us EU folks. It’s nice to have some interesting content that doesn’t involve staying up till midnight to watch 😉

Some of the content sounds interesting… If you’re headed to SANS London make sure to say hi (I’ll be attending the SEC660 and SEC580 classes).