The past few years were a sort of lull for me. While I’ve continued to read and review books, watch and listen to webcasts and podcasts and do my best to stay ‘fresh’ on the pentesting front, I’ve not had a good opportunity to squeeze in any more ‘structured’ training courses. Ever since completing the OSCE course by Offensive Security (OffSec), I’d been feeling good about much of my repertoire but had been itching to get some solid web courses under my belt. I had contemplated OffSec’s OSWE, but as it’s only offered at BlackHat, has no self-study options and because my work and personal life haven’t offered me time to go down that road, I’d been itching for other options. Enter the eLearnSecurity WAPTX online course.
Rewind the clock to a couple of months ago. I’ve long been familiar with eLearnSecurity, having previously reviewed the eCPPT certification training here at The Ethical Hacker Network (EH-Net) and discussing their various offerings with CEO and Founder, Armando Romeo. Each time I’ve looked at their materials in the past, I’ve been pleased with both the materials presented and the overall ‘bang for the buck’ that they’ve provided. Most recently, I’d been looking at the web application courses they offer, specifically Web Application Penetration Testing – WAPT and Web Application Penetration Testing Extreme – WAPTX. On the one hand I knew that eLearnSecurity was soon to be releasing an updated version of the WAPT course. But the subject matter and descriptions of the WAPTX were really intriguing to me, so I decided to go to the extreme (pun intended). Suffice it to say, I have been very happy with that decision. This course has been outstanding, and I’ve learned a TON from the material in these past two months! Let’s take an in-depth look.
Earlier this year, I wrote of my long love affair with Ruby coming to an end and my desire to get back to python in order to build additional skills for the purposes of defense and response. That first step back into python resulted in the article, Book Review: Gray Hat Python by Justin Seitz. That book was one of the more interesting ones that I’ve reviewed, so when I had the opportunity to look at his latest work, Black Hat Python: Python Programming for Hackers and Pentesters, I was really excited.
Python has been the language of choice in the pen testing universe for a while now, and so having a good reference for building attack and analysis tools for use during attack exercises is really important. The back cover of the book ponders the question of how the magic of creating these tools happens and offers that, “…you’ll explore the darker side of Python’s capabilities—writing network sniffers, manipulating packets, infecting virtual machines, creating stealthy trojans, and more.” Sounds perfect. Let’s take a closer look and see if it delivers.
As a life-long learner, and someone who is passionate about both bettering myself and helping others to reach higher and achieve their goals, I’m constantly on the lookout for fresh educational materials particularly in the areas of IT Administration and Security. I’m always amazed at the breadth of knowledge that is available, albeit, often at a substantial cost. I’m even more amazed at the amount of free content available but can’t help but be anxious about the quality, validity and dubious characters claiming to be experts just because they have a YouTube Channel. I’ve recently had the opportunity to get an up-close look at Cybrary, a relatively new online training provider with some known instructors. Oh… And before I forget, I should mention – they’re FREE! Could this be the best of both worlds?
Cybrary’s goal is spelled out very clearly when they describe “Our Revolution” throughout their site. They state, “We believe IT and Cyber Security training should be free, for everyone, forever. We believe that everyone, everywhere, deserves the OPPORTUNITY to learn. What they do with the opportunity is up to them, but the opportunity should be available. Join us in demanding liberation, help us in forcing change.” That’s all well and good. But how’s the actual training?
eLearnSecurity has long been a trusted training provider with multiple courses on offer. They recently updated their Penetration Testing – Student (PTS) course. The eLearnSecurity PTSv3 course is tailored for beginners. In addition to a brand new version, they also made available a new pricing structure that includes an Elite Edition, a Standard Edition and a free Bare Bones Edition. The Bare Bones Edition includes lifetime access to the training materials as well as email tech support. For a full rundown of the difference between the editions, click here.
Unfortunately, this is available only to those with an invitation. Luckily, we scored 100 seats in the invite-only free version of the eLearnSecurity PTSv3 Course. And this time there are no gimmicks, no contests, no requirements. It is simply a first come, first served deal for EH-Netters. Read on for the code that gives you access as well as some more details on the new pentesting course. This is for a limited time, so HURRY!!
“Hacking and Penetration Testing with Low Power Devices” by Philip Polstra is an excellent read. The author bases this book on his experiences in both hardware, software and penetration testing and combines the various disciplines to both educate and enlighten the reader. Ultimately, the subject matter revolves around using the BeagleBone Black and a customized ARM penetration testing Linux distro, which Polstra’s dubbed ‘The Deck,’ to perform various types of hacking activities. It’s described as, “A practical guide to performing penetration tests from a distance with low-cost, battery-powered devices.” Oh yeah… just what the doctor ordered.
Let me open by saying that this book struck my “techie geek” nerve. Years and years ago, not too long after I became a computer guy, but far before becoming a professional penetration tester, I managed a Radio Shack store (sad to see they’re going away). I guess you could say I was a maker before it was called that. This book, while discussing pentesting, code, automation and stealth, offers the reader a great experience as he brings them into a world of hardware manipulation, discussions of power consumption, radio communication, and other really cool topics. It truly embraces the mindset of the hacker in a cross-disciplinary way and acts like a perfect bridge for those currently in the computer hacking arena into the exciting wider world of the maker movement. I’m excited to share this experience with you, so let’s get to it.
After a long love affair with Ruby, I was excited to get back into more Python in the new year. One of my main goals was to build additional skills with Python, and continue to build up skills in defense and response. When “Python Forensics: A workbench for inventing and sharing digital forensic technology“ by Chet Hosmer came out, I was excited about all of the possibilities. There are a number of books about using Python for attacking, but a strong book on building forensics tools is a nice change of pace.
Python Forensics target audience is “anyone who has a desire to learn how to leverage the Python language to forensic and digital investigation problems.” Hosmer hits the target audience well by both having introductory sections that go over some Python basics as well as a number of cookbook-style chapters that have programs to perform a number of different forensic functions. Let’s take a closer look at this Syngress Publishing title.
“Georgia, Georgia…” The tune “Georgia on My Mind” was spinning through my head when I was given the chance to review “Penetration Testing: A Hands-On Introduction to Hacking,” a book by Georgia Weidman from No Starch Press. Having watched some of her conference presentations online and knowing the work she’s put into the Smartphone Pentest Framework (SPF), I’ve been looking forward to the opportunity to dive into the book for a while now, and her enthusiasm and efforts made it a worthwhile wait. Amazon’s book description includes the following:
“In Penetration Testing, security expert, researcher, and trainer Georgia Weidman introduces you to the core skills and techniques that every pentester needs. Using a virtual machine-based lab that includes Kali Linux and vulnerable operating systems, you’ll run through a series of practical lessons with tools like Wireshark, Nmap, and Burp Suite. As you follow along with the labs and launch attacks, you’ll experience the key stages of an actual assessment – including information gathering, finding exploitable vulnerabilities, gaining access to systems, post exploitation, and more.”
So with the new year upon us, this gives everyone the opportunity to dive into a topic whether it be for advancing your current career, jumping into a new one or simply to amaze your friends and families. Hacking news both good and bad are everywhere these days. It’s time for you to get into the game. Find out how Ms. Weidman can help.
Dark Side Ops: Custom Penetration Testing enables participants to “break through” to the next level by removing their dependence on 3rd-party penetration testing tools, allowing for outside-the-box thinking and custom tool development designed specifically for the target environment.
Dark Side Ops (DSO) is a course on targeted attacks, evasion, and advanced post exploitation… with a twist. The thesis of DSO is this: if you want to credibly simulate a real world attacker, you need advanced capability. You can’t do this with unmodified open source tools. This course teaches students how to build and modify advanced capabilities. Let’s take a closer look.