Monday, April 23, 2012

SEC560/GPEN Review

In December of 2011, Donald Donzai, founder of, awarded me the prize of the SANS560 course. In March of 2012, I attended the course using vLive, the online-based training from the SANS Institute. The training was attended by people who were at the SANS course in Orlando, Florida or connected through vLive (Virtual Training Lab). In addition, there were people who signed up through the OnDemand and Mentor programs. The SANS SEC560: Network Penetration and Ethical Hacking Course is set up to teach you the skills of an ethical penetration tester. It is a 6-day course that goes step-by-step through topics that mirror the popular pentesting methodologies. The course roadmap consists of "planning and recon", "scanning", "exploitation", "password attacks", "wireless attacks" and "web app attacks". There is also a Capture the Flag event on the last day of the course. In addition, the course is worth 36 CPE points towards security certifications such as the CISSP and the C|EH. The course started on Sunday and ended on Friday, running from 9 AM to 5:30 PM. One nice thing about the course is that it remains available online for 6 months after the course ends. That is a major plus if you miss any of the course material that is broadcast over the Internet. About 10 days before the course began, I received a SANS package in the mail. It contained 6 manuals of coursework, 2 small pamphlets and 1 SANS DVD full of software with VMware ISOs, cheat sheets and documents. We used most of the items in the SANS package during the course. The documents also included "Rules of Engagement" and "Scope" templates. In addition, a sample penetration test report is on the DVD.

Day 1 Sunday March 25th
Planning and Recon:

On day one, we were introduced to Ed Skoudis and his team. Ed, a well-known author and security expert, has over 15 years of offensive and defensive information security experience. He also had moderators who helped us if the sound or video went out during our vLive connection. We did have either sound or video problems every day, but it never lasted longer than 5 minutes and it did not take away from the experience of the course. The moderators usually kept us informed of what was going on even if we could not see it or hear it. We learned about the planning involved in being an effective ethical hacker and penetration tester. That includes creating a well-stocked lab and testing your tools. In addition, you should build a software toolbox and have the proper hardware and network infrastructure. Ed Skoudis spent some time on the format of a good penetration test report and on where a lot of testers have been failing in their pentest reports. Ed pointed out that the two weakest areas in most pentest reports are the executive summary (brief information meant for the company executives) and the methodology (which describes the process of the penetration test or ethical hacking engagement). That was very helpful, especially if it lets me avoid common mistakes in future pentest reports. Also, an email was sent by SANS to test our connection to the vLive video cast. I connected using Linux and had no problem running the Java applet to see the video and hear the audio from Orlando. We also talked about the "Rules of Engagement" and "Scope" when dealing with the customer. I really enjoyed this part of the day. We broke into teams to emulate the debriefing between a pentester and the client so we could practice choosing the right questions for a customer. It helps to determine if a client truly wants a pentest or a vulnerability assessment. It was a good lesson to learn that you should not assume the customer knows exactly what they want.

The rules of engagement were defined as how the penetration test will run and who should be involved in the whole testing process. The scope was described as the assets that you can target and which ones you cannot and should not attack. In addition, Ed explained that you should have a limitation of liability and appropriate insurance, especially if you are running your own security firm. The last point I want to mention is that you have to pay attention not only to US laws, but also to the laws of other countries. You may be breaking another country's laws during a penetration test if you are not careful, and Ed Skoudis put great effort into bringing out this point. Your target may be in another country, so you may have to consult your lawyer to make sure the attacks you send do not break the laws of your target's country AND the countries in between.

Day 2 Monday March 26th

On day two, the course focused on scanning a target environment. Ed illustrated the importance of having an inventory of assets and their vulnerabilities. I think every student knew how important this was, but it becomes very apparent at the end of the course. It is very frustrating when you are trying to exploit vulnerabilities and you do not have enough information to send an effective attack. The course also described the tools that can be used for quality network scanning. Some of the tools discussed were Nessus, nmap, tcpdump, traceroute/tracert, scapy and netcat. We went over some of the additional scripts that come with nmap. In addition, we got some insight into how Ed feels about Wireshark vs. tcpdump. He explained that tcpdump is lighter, faster and has a smaller attack surface than Wireshark; there seem to be more exploits, such as buffer overflows, designed for Wireshark. As a side note, I do want to mention that Ed spent time explaining that you want to use "safe" tools and scans for your penetration test. You do not want to be the cause of an inadvertent DoS because you were not aware of what your tools are doing. Know your tools. Also, he explained that you should have alternatives to your tools in case you cannot use them on the network you are testing. "What if netcat is not in that environment? What would you do?"

Day 3 Tuesday March 27th

On day three, we worked on exploitation and the infamous Metasploit. We went through the commands, exploits and payloads of the Metasploit console and Meterpreter. If you have taken the OSCP, you know a lot of this module already. It is still an enjoyable section in which you are bound to pick up something new. He walked us through setting up the database to connect with Metasploit so you can keep records of machines and their vulnerabilities. We also went through the auxiliary modules of Metasploit, which can be helpful for finding a vulnerability quickly across a network range of IP addresses. Also, a very important point Ed made during this section concerned the "portfwd" command in Metasploit. This is how you set up "pivot" points into an organization to gain further access to additional machines. It can help bypass blocked ports and firewalls by getting inside the organization through just one host. We also worked on Windows commands, since you may not have all your usual techniques/commands in the environment you find yourself in. The two commands we worked with were sc and wmic. We used the sc (service console) and wmic commands mostly to identify running services/processes and to stop them if they interfered with our progress.

Day 4 Wednesday March 28th
Password Attacks:

On day four, the topic was password attacks. The main points of password attacks are password guessing, password cracking and pass the hash. He split up the tools for password guessing and password cracking. For the former, he suggested hydra, Cain, xhydra and maybe your own personal scripts. For the latter, he demonstrated the use of pwdump, fgdump, Cain (again), John the Ripper (compiled for NT hashes with SSE2 support), and Ophcrack (rainbow tables). Some of these tools are just for extracting Microsoft password hashes to crack later. As a side note, Ed mentioned you have to be careful here. When using a password guessing technique, you want to check whether account lockout policies are enabled on the client network. You start by asking the client directly, but never just take their word for it. Imagine using hydra on 10,000 accounts and locking 10,000 users out of their accounts during your pentest. It is an easy way to get fired. Another idea that Ed Skoudis stressed was that you may have to use multiple password crackers to extract passwords from hashes. We learned that Windows and Linux store their passwords differently. Linux stores passwords as salted hashes. This adds another layer of defense, since two users with the same password do not end up with the same hash, unlike Windows hashes. Lastly, we learned how devastating "passing the hash" can be once you have even one "good" password hash. We used the psexec module in Metasploit to pass the password hashes. The whole time I was enjoying this SANS topic, I was wishing that I had built the box from "".
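As an added illustration of the salted-versus-unsalted point above (example code written for this review, not material from the course or the post), a small Python model of the two storage styles: in an unsalted store two users with the same password get byte-identical entries, which a defender can spot in an audit, while a per-user salt makes the entries differ even though logins still verify. The users and passwords are constructed; SHA-256 and PBKDF2 stand in for the real NT-hash and crypt(3) formats.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample credential set (not real accounts): alice and bob chose the same password.
USERS = {"alice": "Winter2012!", "bob": "Winter2012!", "carol": "correct horse battery"}


def unsalted_store(users):
    """Unsalted store, as the post describes for Windows: the hash depends only on the
    password, so two users with the same password get byte-identical entries.
    (Real NT hashes are MD4 over UTF-16LE; SHA-256 stands in here so this runs anywhere.)"""
    return {u: hashlib.sha256(p.encode("utf-8")).hexdigest() for u, p in users.items()}


def salted_store(users, rounds=100_000):
    """Salted store, as the post describes for Linux: a random per-user salt is mixed in,
    so identical passwords no longer produce identical hashes. PBKDF2 stands in for the
    crypt(3) formats used in /etc/shadow."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", p.encode("utf-8"), salt, rounds)
        store[u] = {"salt": salt.hex(), "hash": dk.hex()}
    return store


def shared_password_groups(hashes):
    """Defender's audit: group users whose stored hash values are identical.
    Takes a mapping user -> hash string; returns sorted groups of two or more users.
    Only an unsalted store can ever produce a non-empty result."""
    by_hash = defaultdict(list)
    for user, h in hashes.items():
        by_hash[h].append(user)
    return sorted(sorted(g) for g in by_hash.values() if len(g) > 1)


def verify_salted(store, user, password, rounds=100_000):
    """Check a login against the salted store: recompute with the stored salt and
    compare in constant time, so the salt costs the legitimate login nothing."""
    entry = store[user]
    salt = bytes.fromhex(entry["salt"])
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(dk.hex(), entry["hash"])


if __name__ == "__main__":
    print("unsalted duplicates:", shared_password_groups(unsalted_store(USERS)))
    salted = salted_store(USERS)
    print("salted duplicates:  ", shared_password_groups({u: e["hash"] for u, e in salted.items()}))
    print("alice login ok:", verify_salted(salted, "alice", "Winter2012!"))
```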

Day 5 Thursday March 29th
Wireless and Web Apps:

On day five, the course focused on two main topics, wireless attacks and web application attacks. With wireless attacks, you want to make sure you have the right tools: the right wireless adapter cards, drivers, antennas, cables, cable connectors, and GPS receivers. You may need multiple tools and apps as well. You want to start sniffing traffic with multiple apps such as Wireshark, tcpdump, aircrack-ng and Kismet. There are also commercial tools such as WildPackets' OmniPeek. In addition, you want to know how to put your wireless cards into managed/monitor mode. In monitor mode, your wireless card listens to all packets arriving on the interface. We also got a quick lesson in wireless: LISTEN TO JOSH WRIGHT. I caught a couple of his YouTube videos [], and he is definitely an expert in wireless penetration testing. He is also starting a SANS class called SANS575: Mobile Device Security and Ethical Hacking. It is definitely worth a look, IMO. There are wireless tools on both Windows and Linux, each with their own pluses and minuses. You have Cain, NetStumbler and inSSIDer on Windows. On Linux, you can use Kismet, Aircrack-ng, coWPAtty, Airpwn and AirJack, to name a few. You will probably have more luck if you use Linux as your wireless penetration testing OS. However, Ed Skoudis kept reinforcing the point that you will want to use as many tools, techniques and OSes as possible to get the job done. As Ed would say, just use both.

Finally, Ed also mentioned that you should attack not only the access point, but the clients as well. Here is where he mentioned Karma with the help of Metasploit. You can attack clients who are still sending out probe requests for their access points even though they are out of range of them. Karma will pretend to be their access point and hand them a DHCP lease. With Metasploit, it will serve up a series of exploits for various vulnerable clients when they try to connect to the "new" access point. When we moved on to web application attacks, we discussed Nikto, ZAP, XSS, XSRF, command injection and SQL injection. All of these tools and techniques take advantage of vulnerabilities in a company's web site, which is usually hosted on the company's network in the DMZ. Most attacks find flaws in 3 components and the way they interact with each other: the logic of the web application on the web server, the interaction between the web server and the web browser, and the interaction between the web server and the database. We started with Nikto and the various web tests it can perform. Ed demonstrated how Nikto used the TRACE method to discover XSS and directory indexing on a "web application" from the course.

In addition, we went through various proxies such as OWASP Zed Attack Proxy (ZAP), Burp Proxy, Fiddler, w3af and Paros. ZAP can intercept HTTP requests and responses to give a tester a better view of what is happening behind the scenes of a web application. In addition, it has web crawling capabilities so you can index the entire site to find more vulnerabilities that may not be visible at first glance. Of course, it can scan the site directly to find XSS and SQLi flaws, private IP disclosure, indexable directories, and obsolete files. It can also manipulate cookies to check whether the web application reacts differently. This was a very big day for learning more web attack techniques, including cross-site request forgery (XSRF). Today, IMO, was the longest and most insightful day, with the examples Ed gave for each technique. At the end of the day, SANS was hosting NetWars. I did not get a chance to see it, but I am sure I would have loved it. It seems to be a set of security challenges like capture the flag. I think this is the one drawback of attending the course through vLive: you are not present for some of the additional speakers and programs that happen after the course is over for the day. The students who were in Orlando were able to sign up for NetWars or at least view it. It would be nice in the future if you could get a recording of NetWars when you are connecting through vLive.

Day 6 Friday March 30th
Penetration Testing Workshop and Capture the Flag:

The last day of the course consisted of "Capture the Flag". This was my first CTF, by the way, so I was very excited for this last day. We were broken into teams of 5 people. However, we did not have enough people connected through vLive, so we joined up into one big team. Unfortunately, we did not capture the flag in time, but we were very close to coming in 2nd. The exercise required you to examine an environment, find the encryption keys/files of 4 users on the network and decrypt the files in order. We needed the last file decrypted by the time someone was declared a winner. I still had a great time, however. The CTF included all the techniques that were taught in the course. The CTF exercise shows you how much you have actually learned and how big an impact these techniques can have on an organization. The exercise made us understand that we need to go step by step: recon, scanning, exploitation and attacks. Without proper recon and scanning, you will not get anywhere when you try to exploit vulnerabilities and attack a system or organization. The game started at 9:00 AM and ended at around 3:00 PM. We were to treat the game as an actual pentest. It does create the atmosphere of a real pentest, just without the interaction with the client. I think there were 3 teams that captured the flag at the end. I think the award was a signed copy of the "Counter Hack" book. Also, I received the CPE certificate of completion, which amounted to 36 credits and helped me complete my CPE requirements for at least a year and a half.

I would recommend this course to anyone serious about becoming a pentester or any other security professional. It gives many lessons that a security professional would learn during his/her everyday responsibilities. To be totally honest, I would recommend that you take this course in addition to the OffSec OSCP course. I would not do them at the same time, of course, but I would take them both at some point. I think they complement each other well in their approach to teaching the technical and "soft" skills that are needed to be a professional penetration tester. You will understand how to engage the client, determine what kind of test you will perform, investigate the company along with its weaknesses, and present a high-quality report that the customer can use to make well-informed business decisions about the security of their assets. The major plus of the course is the fact that I can go back to the SANS website and log back into the course. Then I can watch each day's recording, and not only watch the videos again but also review what was discussed in the chat section between the vLive students and the moderators. The moderators also added information to the course, such as links to important material that was discussed by Ed Skoudis. One negative is that the missing audio or video will also be missing from these recordings. However, as I said before, it did not impact the overall success of the teaching in the course. In addition, I will be taking the GPEN exam in a few weeks. It is open book, so all the books from the GIAC course should come in handy.

UPDATE: I took the GPEN exam, and I think the books are great assets to have during the exam. I think people would have a little trouble with some of the questions without the books from the course. The exam is 4 hours long, and there are a lot of rules on what you can and cannot bring into the room with you. I think it would be a good idea for the GIAC group to talk to the companies proctoring the exam, so they are sure what is actually allowed. There is a lot of confusion there, from what I experienced. Do not take this exam for granted like I did. It is a complete representation of the course, and it will test all the skills that you have learned in the course. I think I just did not want to deal with multiple choice after taking OffSec courses. I did not even take the practice courses, which I probably should have.

Thanks again to Don and EthicalHacker.Net.