Ed Skoudis and the Pen Testing Factory

May 29, 2008
“Inside this [class]room, all of my dreams become realities; and some of my realities become dreams.”

Student: Ed Skoudis’s opening his factory. He’s gonna let people in!
Teacher: You sure?
Student: It’s all over the net, and he’s giving truckloads of ethical hacking secrets away.
Teacher: Class dismissed.
Student: No, no. The first one’s only for 25 people.
Teacher: Class undismissed.
Student: He’s making available 25 golden tickets, and the people who buy them will win the big prize.
Teacher: Where’s he hidden the tickets?
Student: They’re not really hidden. They’re inside SANS Events. You have to buy SANS courses to get them.
Teacher: Class re-dismissed.

The terms “Ethical Hacking” and “Ethical Hacker” have now become accepted industry terms. But many companies and government agencies were hesitant to support a credential with the word “hacker” in it. There have been many factors leading to the acceptance of ethical hacking such as:

* Regulations such as HIPAA, SOX, GLBA and numerous others.
* PCI DSS Section 11 and its clarification differentiating penetration testing from vulnerability assessment.
* Many courses and certifications using the term in their titles and official descriptions.
* Cisco Press, the Dummies Series and a plethora of book titles are beginning to use the positive connotation of the word hacking. Even Webster’s New World Dictionary has an edition specifically dedicated to hacking.
* A groundswell of professionals using the phrase and showing great interest in this new and maturing field.

Now add to this grass-roots movement a push by one of the most respected names in security training, SANS. The SANS Institute has long been known as a big player in the government sector. And one of its heavy hitters, who has even testified in front of Congress, Ed Skoudis, is the author of a new course with the exact phrase in its title. All of this validates what many of us had hoped for years. Hacking for a living is now a respected profession.

News Anchor: And now details on the sudden announcement that has captured the attention of the entire security world. Hidden among the countless billions of SANS courses are 25 gold tickets to the very first offering of an ethical hacking course by one of its most respected practitioners. And to the 25 people who find them will come the most fabulous prize one could wish for:  A lifetime supply of knowledge. And as if this were not enough, each winner before he receives his prize will be personally escorted through the top secret pen testing factory by the mythical Ed Skoudis himself.

This is what it felt like when news hit the streets that Mr. Skoudis was not only working on a new 6-day course entitled Network Penetration Testing and Ethical Hacking (SANS Course #560) for the SANS Institute, but was also the lead instructor. GIAC, SANS’s certification wing, is also preparing a new credential named GPEN to accompany this new class. Excitement filled the air with people registering like mad for the first few available courses, even before they knew what the course entailed. Why? The enigmatic Ed Skoudis is why. His reputation for quality work, enthusiasm for the topic and practical knowledge is well known.

Ed Skoudis normally instructs at least 150 students, but he felt very strongly that it would be invaluable to this course’s long-term success to have a beta period to allow for tweaking before ramping up to his normal class size. So the very first offering was for only 25 students and the second only 50. Needless to say, those first two classes sold out in no time. And many of us were left feeling like Charlie Bucket with no hope of ever getting into the factory once the fifth and final golden ticket to Willy Wonka’s Chocolate Factory had been found. We all know that Charlie eventually got into the factory, but imagine what would have happened if he didn’t. Now imagine even further how special he would feel if Willy Wonka himself called Charlie and invited him as the 6th winner! That’s exactly how I felt when Ed Skoudis called me and asked if I would be willing to review his course. In short, that is how I came to be known as Student 26.

The excitement of being in the very first class was daunting enough as I am just a lowly Editor-in-Chief of an online magazine and by no means mentioned in the same breath as Ed Skoudis. Add to it the fact that SANS, EH-Net and the security community at large would be looking to me to reveal in words what they could expect from this new course, and the pressure was on.

Mr. Skoudis, amongst other professional activities, performs penetration tests on a regular basis and hires security professionals at the highest levels. The intention of this class is two-fold. First is to teach the hands-on skills necessary to perform this job task, and secondly to share the fruits of his labors. As Ed states, “When I interview pen testers, I would expect you to know the material in this course.” So if I were to wrap the entire course in one phrase, it would be that Ed Skoudis has opened the doors to his own company and shares with you the needed skills to make pen testing a successful career. An ancillary benefit is that, even if you have no plans on making pen testing a full-time career, the course will also help verse enterprises in the ways of evaluating third-party pen testing companies and their services. Ed warns, “There are charlatans in this business who rip folks off… we want people who take the course to be able to evaluate the value that they are getting from their testers, and, if their jobs require it, do the testing themselves.”

Day 1 – Planning, Scoping, and Recon

“Little surprises around every corner, but nothing dangerous.”

With the giddiness of a child, Ed Skoudis welcomes the early birds to class with the start of what he calls the classroom soundtrack. His enthusiasm is infectious as you could feel the energy in the room start to build. But before he unleashes his secrets, he wants to make certain that the foundation is set. This led to a first day of very little technical content, but a lot of detail about the process and methodology of penetration testing.

In starting, he lays the foundation for what “Ethical Hacking” is and what is expected of a professional pen tester. I happen to agree with his definition that ethical hacking is a broad term used to encompass many areas of security testing for which network pen testing is one of them. Wireless hacking, web application testing, social engineering et al are all part of the wider concept of ethical hacking. Although he touches on these other areas in his new course, the focus, as the title spells out, is on network penetration testing.

Although most students in this course are not professional pen testers, all in attendance have some technical skills. This is why the first day is dedicated not to throwing you in the deep end of the pool but rather to setting the stage with discussions of the mindset of an ethical hacker, the types of pen tests (each with its own limitations), methodologies, and the business processes behind what you are being tasked to do by an organization. He feels strongly that one should not be sent out into the world with an arsenal of tools and little to no knowledge of how to wield them properly for a client in need of security services. In fact, the flow of the entire course closely matches the steps one would take on a real pen testing job. So, before you ever lay a finger on the keyboard and the client’s network, you must have an actual meeting with the client to discuss your abilities, their needs, the Rules of Engagement, the scope of the project, setting up lines of communication, as well as the who, what, when, where and why that will be included in the final report. Because when it comes down to it, the client is not paying you to simply showcase your ability to break into a system with a thousand tools, but rather to identify the business impacts and support them in mitigating the risks brought to light by your work.

This led into our first of many practical exercises in this six day course, Scoping a Project with a Client. The room was split into multiple teams on each side of the business, clients and testers. Each side was handed mystery envelopes describing their company. The contents of the client’s envelope included who they are, the industry in which they work, their main concerns, goals of the desired pen test and the scope of the project (what devices were included in the test, which ones were not, how far the testers could go, what information was given to them in advance, etc.). The tester’s envelope included details on their pen testing company such as how much experience they have, what are their areas of expertise, size of their staff, geographic location of their company and travel abilities. Then the testers were welcomed into the boardroom of the client for a face-to-face meeting.

This exercise has great potential. Being the first time it had ever been attempted, it had its share of wrinkles. Each group had their own agenda and was told to wait for certain items to be addressed by the other side without divulging too much info. I understand the concept of wanting to teach each side that it is just as important to ask the right questions as it is to offer your own thoughts, but without a little more direction as to setting the groundwork for this meeting, it seemed to stunt communication rather than encourage it. This can be easily fixed (and in subsequent conversations with Ed, it has been). But the potential far outweighs the shortcomings of a new idea. On the plus side, it served two great additional purposes. First of all, it set the stage for the rest of the week that this is a course for becoming a professional pen tester and not just a hacking class. Secondly, being held on the first day, it allowed many of the students to become acquainted with each other. In a class of only 25 students, this is needed less. But with the normal size of Ed’s courses of 100+ students, I can see this as a great ice breaker.

Immediately following the exercise was a discussion of the importance of reporting your findings and recommendations to the client. As techies, we often want to show how thorough we are by throwing everything but the kitchen sink into our reports. But mastering an Executive Summary can be an art form worth learning, especially when dealing with a non-technical person who is in charge of signing the check. We closed the Planning and Scoping Section with a quick review of the domestic and international laws governing the activities of a pen tester. Not terribly sexy, but clearly essential information to have when a company is placing their business in your hands.

Now that the stage is set, it is time to get into the beginning stages of an actual pen test with recon. Reconnaissance is the very first step in any project after the legalities and logistics are completed. We covered the obligatory Google searches, WHOIS lookups, zone transfers and other ways of mining for data with DNS. And although there were some nice tricks shared on how to best go about gleaning information from these resources without ever touching the client’s systems, the real gems were the recon tools by SensePost. BiLE (Bi-directional Link Extractor) is a suite of tools used to combine the data retrieved from Google searches, DNS lookups and web crawling to find very interesting connections between your customer and other systems outside of their organization that could reveal interesting ways to achieve your ethical hacking goals.

The day ended with a review of what was contained on the course DVD, setting up your laptop for interaction with the classroom network, overview of the target environment for which the rest of our exercises would be aimed (including Virtual Machines on your own systems), and finally the Ground Rules for interaction with the target machines and your fellow students. Being an “Ethical” Hacking course and understanding that your classmates’ machines were not in scope helped make the rest of the week go smoothly. Although not as much fun as some other courses I’ve attended where we regularly launched attacks and counter hacks on the other students, it nonetheless continued the philosophy that this is not a hacking course but a highly technical, professional development course that just so happens to feature lots of great hacking.

While actually going through the first day, I was disappointed by the lack of technical activities. But as they say, hindsight is 20/20. Knowing the intention of the course is to help launch a career as a network pen tester, having a solid foundation in the non-technical, business aspects of the field is invaluable. And I’d be willing to bet that most of our scales dip heavily toward the technical side, so a direct connection between ethical hacking and business success was welcomed. Plus, planning and scoping are essential steps in the real world, and they were great examples for the class as well. And even Willy Wonka made the 5 lucky children go through the formalities of introductions and contracts (and even slight misdirection) before a world of pure imagination was shown to them.

Day 1 – Special Evening Session on the Fundamentals of Linux

“I am now telling the computer exactly what he can do with a lifetime supply of chocolate!”

Like it or not, Windows dominates the operating system world, and many long-time IT professionals get frustrated when it comes to starting in Linux much less getting it to do what you want. But for those only fluent in the language of Microsoft technologies, your career aspirations in a security field will be greatly limited as well as your ability to participate in the exercises in many of the courses. Luckily SANS provides a primer at nearly every training event it hosts, and this one was instructed by someone adept at making the seemingly inaccessible seem easy to grasp.

In Ed Skoudis’ book, Counter Hack Reloaded, he gives a wonderful introduction to Linux. As a special bonus on the evening of the first day, Ed himself does a live rendition of everything you need to know about Linux in order to complete the course. And since many courses at this SANS event, not just 560, rely on the ability to navigate through Linux, this bonus session was open to everyone.

This evening session gets my praises for many reasons. First of all, many in the security field can be off-putting when it comes to new Linux users with comments like, “If you don’t know it, you shouldn’t be here,” or, “Google it before you bother me with simple, noobie questions,” or even the simple brush-off of “RTFMan Pages.” Kudos to SANS for taking the high road with an emphasis on learning. Secondly, it never hurts to hear someone else’s take on a subject, even if you use it every day. You may learn a new trick or two. Thirdly, if you are taking either GCIH 504 or GPEN 560, Ed drops hints for the different Capture the Flag exercises included in each of those classes. That alone is worth an extra hour of your time.

Day 2 – Scanning

“My dear friends, you are now about to enter the nerve center to the entire Wonka Factory.”

With a solid foundation beneath our feet and a desire to sink our teeth into the gooey center of a Wonka treat, we begin our second day. And as the standard next step in the pen testing process, it is time that we learn about scanning the target environment. This is the first time that the tester actually begins to touch client systems.

One thing I found particularly interesting is the actual number of tools used during this day of scanning or rather the lack thereof. Although there are several steps to the scanning process and numerous available tools both free and commercial, the total number of tools that most professional pen testers use is actually quite small in comparison. This was not only an intentional approach of the 560 course but also a welcomed one. All too often, we are inundated with tools, tools and more tools, yet when all is said and done, a fraction of those are permanent additions to our toolbox. Perhaps it is a good idea to learn every hacking tool ever created, just as we all had to learn our multiplication tables during grade school. But there comes a time when one must graduate and get down to work. Ed does mention other tools, but he is sharing the deep, dark secrets of the nerve center of the pen testing factory. In fact, Ed continues this approach throughout the course by selecting best-of-breed tools for a more efficient use of time, allowing the students to become more proficient with a given toolset. You’ll quickly understand why I appreciate this approach and mention it as one of the highlights of the entire course.

The steps of scanning the target environment include network sweeps, network tracing, port scans, operating system fingerprinting, version scanning and vulnerability scanning. And when it comes to scanning, Ed has basically broken it down to only five tools, and one of them is a sniffer. Tcpdump and its Windows counterpart, windump, are packet capture tools, AKA sniffers. As a professional pen tester, you need to make sure that your interactions with the target are doing what you intended. Remember, we are no longer just playing around with some hacking tools as a hobby. We are training to do this as a profession, and companies are footing the bill. We want to make absolutely certain that we don’t unintentionally bring down services or machines. If we do, then we need to know right away, so we can communicate with the point of contact stipulated by our contract, right? It’s also a good practice to see the packets in their raw form. After a while, it almost becomes second nature, like Tank watching the code of The Matrix.

Although the order of the steps is usually done as listed above, we are taught in class to be flexible and able to think on our feet. Therefore, the order can be easily manipulated for each case. We are also taught that we may even want to go back and perform a step again based on newfound data later in the process. That being said, the first step should be to find out what is actually there by performing a network sweep. Ed’s tool of choice for this step is Hping with the latest version being Hping3. As with most tools, each version adds functionality that takes it beyond its originally intended purpose. But for simply finding out what is out there, Hping3 does this job quite nicely.

Network tracing is our next step. This is usually done by built-in tools such as traceroute or tracert. Ed goes through a number of cool tools that even include mapping features to figure out the actual physical route a packet can take to get to our target. These are all mentioned very briefly in class not only because most people at this level are familiar with traceroute, but also because Hping can perform this task.

Speaking of tools that can perform many tasks in the scanning process, we could literally do the previous 2 steps as well as the next 3 (Port Scanning, OS Fingerprinting and Version Scanning) all with a single tool, Nmap. Nmap, continually developed by our friend Fyodor of insecure.org, is rightfully one of the most popular tools. Instead of going through all of the awesome things we did in class, let’s simply mention one of the new features of this wonderful piece of software, the Nmap Scripting Engine (NSE). In the course, we performed a hands-on exercise in which we reviewed various NSE scripts and used them to gather information and find vulnerabilities in the target lab environment. Still in the very early stages, the NSE project has a number of lofty goals. As you can tell from what we did in the exercise, those goals include moving into the next step of the scanning process, vulnerability assessment.

The current king of the vulnerability scanning hill is Nessus, and this probably won’t change any time soon. Add to that the fact that this tool has its roots in the open source community and has a very large user base, and it is no surprise that Ed covers it heavily at this point. Nessus has many options and a multitude of plug-ins that add functionality to the base product. The hands-on exercises for Nessus take you through the setup of the Nessus environment as well as a scan of the target network. We also reviewed a number of ways to view the scanning results, culminating in report generation that helps greatly in producing that all-important executive summary. All in all, Nessus is a quality tool, but since its developers are moving more towards a commercial application, this may leave the door open for the Nmap Scripting Engine. Only time will tell.

We have officially completed the scanning process, but there are a couple more items that we must cover before continuing into the Exploitation and Password Attacking Phases on Days 3 and 4 respectively. First, user accounts must be enumerated, and this is handled quickly and adeptly by Ed. Secondly, Netcat, the Swiss army knife of networking tools, must be understood by all students if they plan on keeping pace for the rest of the week, and the exercises in class bore that out. Knowing that a client can’t have downtime due to our testing, Ed created a lab exercise where we all created live heartbeats in class from a Netcat session to a target machine from our laptops. If something we do is fatal, the heartbeat stops, and we know to immediately call our technical contact for the client organization. All I can say is, “Wow.” Netcat, for as simple as it is, is truly only limited by your own imagination.
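The heartbeat idea from that lab, as an added example that is not from the original review or from the SANS 560 course material: the class used a Netcat session, and this reproduces the same logic with Python’s socket module, with a constructed loopback listener standing in for the target. The event a tester acts on is the UP-to-LOST transition; that is the cue to stop and phone the client’s technical contact.

```python
"""Heartbeat monitor: notice at once if testing knocks a service over.

Added example, not from the original review or the SANS 560 lab. The class used
a Netcat session as its heartbeat; this reproduces the idea with Python's socket
module. The event worth acting on is the UP -> LOST transition: stop testing and
call the client's technical contact named in the Rules of Engagement.
"""
import socket
import time
from typing import Callable, List, Optional, Tuple


def probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """One heartbeat: does the service still complete a TCP handshake?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify(prev: Optional[bool], cur: bool) -> str:
    """Turn two consecutive probe results into an event."""
    if prev is None:
        return "UP" if cur else "DOWN"      # baseline before any testing
    if prev and not cur:
        return "LOST"                       # service just died
    if not prev and cur:
        return "RECOVERED"
    return "steady"


def monitor(host: str, port: int, beats: int = 5, interval: float = 0.5,
            stop_on_loss: bool = True,
            probe_fn: Callable[[str, int], bool] = probe
            ) -> List[Tuple[str, str]]:
    """Run up to `beats` heartbeats and return timestamped events.
    `probe_fn` is injectable so the logic can be exercised without a network."""
    events: List[Tuple[str, str]] = []
    prev: Optional[bool] = None
    for _ in range(beats):
        cur = probe_fn(host, port)
        event = classify(prev, cur)
        events.append((time.strftime("%H:%M:%S"), event))
        if event == "LOST" and stop_on_loss:
            break                           # go make the phone call
        prev = cur
        if interval:
            time.sleep(interval)
    return events


def start_local_listener() -> Tuple[int, Callable[[], None]]:
    """Constructed stand-in target: a loopback TCP listener on an ephemeral
    port. The kernel completes handshakes for it without any accept() loop.
    Returns (port, stop); calling stop() simulates the service dying."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(64)
    return srv.getsockname()[1], srv.close


def demo_crash() -> List[str]:
    """Two healthy beats, then the 'service' dies on the third probe.
    Returns just the event names: ['UP', 'steady', 'LOST']."""
    port, stop = start_local_listener()
    calls = [0]

    def probe_then_kill(host: str, p: int) -> bool:
        calls[0] += 1
        if calls[0] == 3:
            stop()                          # our "test" just crashed the target
        return probe(host, p)

    events = monitor("127.0.0.1", port, beats=5, interval=0,
                     probe_fn=probe_then_kill)
    return [name for _, name in events]


if __name__ == "__main__":
    for name in demo_crash():
        print(name)
```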

Ed’s imagination and practical needs as a professional pen tester led to a perfect ending to the day. With laptops beating in an unmistakable electronic cadence to the delight of their owners, our fearless leader could only look on with joy knowing that his vision is truly becoming reality. My disappointment the prior day was now turning to excitement as we had plenty of hands-on technical exercises under our belts. It was the perfect transition from a less technical first day to what is sure to be a mind-blowing third day of exploitation.

Day 3 – Exploitation

“Oh, you should never, never doubt what nobody is sure about.”

One of the basic philosophies of this course is to make the processes and technology used in the course available to the masses. There are plenty of fantastic commercial products out there, but the price points put them out of the reach of most budding ethical hackers. Once Ed’s pen testing factory produces the next crop of great security professionals, organizations with large budgets can pay for you to play with those polished products. Until then, when it comes to exploit frameworks, Metasploit is the only choice we have and thus dominates this day of the course.

As before, I won’t spend loads of time explaining the inner workings of Metasploit or some of the other common tools. I will however touch on many of the tips and tricks shared in the course. One such feature of Metasploit we explored in-depth was the Meterpreter, short for Metasploit Interpreter. In short, the Meterpreter is a payload installed into memory on the target machine after being exploited that in essence has its own command shell environment. Why is this so cool? Well first of all, there is nothing copied on the hard drive of the target machine. Secondly, you really don’t have to know the command line features or options of the various target machines, but only the shell environment of the Meterpreter itself in order to make the target machine do what you want. The Meterpreter represents a command shell fine-tuned for exploitation purposes – just what a professional penetration tester needs.

This may become important as the dilemma of the differences between simply having a command shell and having full terminal access is presented to you. Ed explored this dilemma in detail. I found this part of the lecture to be fascinating as yet another area of real world pen testing that is not often discussed. Then again, having the Meterpreter may not be the fix you need for this dilemma. Remember, not every vulnerability has an exploit, not every exploit has accompanying Metasploit code and not every exploit works consistently. This is the crux of the problem facing the entire exploitation phase of pen testing, and why it is best described as an art rather than a science. Many times we found in class (and you may find in reality) that if you try an exploit once, it doesn’t work. There is a certain probabilistic measure to most exploits’ successfully functioning. Try it again using the same exact steps, and amazingly it now works. Thank goodness there are plenty of other ways to not only get exploit code, but also other methods used to take advantage of lax security in given systems. And once a machine is owned, that is only the beginning.

A common question for those new at ethical hacking is, “I have a shell. Now what?” The answer can be vastly different depending on whom you ask. Considering that we are on the white hat side of the equation, that answer starts very basically, “What is in your project scope?” That being said, what is your next goal? Are you simply looking to search the machine you compromised or do you plan to use it as a hopping point to another system? Either way, the final three sections of the day answer that question. We start with moving files with exploits, whether that be a data file from the target that was determined to be your goal at the start of the engagement or sending the target copies of Netcat to use as relays into other machines. This is a skill worth learning. The third area, Making Windows Run Commands, is actually covered in the next day before diving into Password Attacks.

So that leaves us with the fruits of Ed’s labor over the last two to three years as the curtain call for our day of exploitation, Windows Command Line Kung Fu for Penetration Testers. In talking to Ed about this topic, his goal was to be able to do everything he needed to with a compromised Windows box without having to move files over to the machine. The only way to do this was to utilize the Windows Command Line and all of the built-in tools to their fullest extent. A shortened version of this session was presented during a Core Security Webcast and also presented by Matt Carpenter at ChicagoCon 2008s. Don’t tell anyone (wink wink nod nod), but rumor also has it that Ed is creating a book solely on this topic! That alone says that this portion of the course is extensive and highly valuable. So without giving away the farm, let me offer up just a few of the highlights of what can be accomplished by simply utilizing the Windows Command Line:

* Ping Sweep
* Enumerating Users including Administrative Accounts
* Password Guessing

Speaking of password attacks…

Day 4 – Password Attacks

“A little nonsense now and then is relished by the wisest men.”

It seems like nonsense to dedicate the better part of a day to passwords, but when we take an honest look at the weakest link in the security chain, humans, and the main form of authentication, passwords, this simple method should be relished by wise pen testers.

But before jumping head first into password attacks, there is one module left to finish from the Exploitation Day, and that is getting Windows machines to do your bidding by running remote commands on your behalf. Once again, we start off with some tried and true methods and tools, but what Ed does so well is take his passion for research and turn it into unique ways of using standard tools to almost do the hard work for him. Three such examples are the Service Controller, WMIC commands and scheduling jobs using the ‘at’ and ‘schtasks’ commands. Very simple yet very powerful. So much so that most of us completely overlooked it, but not Ed.

Prior to the actual process of attacking an organization through their passwords, Ed again lays the foundation with definitions, tips on making your attacks more efficient and faster as well as account lockout, probably the most overlooked aspect of password guessing. This is not much of a concern when it comes to attacking passwords from the black hat side of the equation. But keeping with the professional theme of the course, most companies will not allow an account to be locked out, as this could be considered a Denial of Service (DoS) attack on an individual or service. This was stressed quite adamantly in class, as almost everything during our day of password attacks came back to this point. And since most systems should (strong hint to admins) now have account lockout set, this is a true and real concern.

Ed’s overall philosophy of the course was also shining through on this day. When it comes down to it, there may be plenty of password guessing and cracking tools, but why be forced to learn 100 tools when just a handful will suffice? And for fear of sounding like a broken record myself, I’ll forgo the extensive review of every detail of the day as well as the parts most would know, and hit a few highlights.

Although THC Hydra is looked upon favorably by Ed and still used in upwards of 80% of the tests he performs, its use can become limited during certain real-world pen tests due to the strong possibility that it could cause account lockout. For this reason, the best thing to do is to try to capture the password representation, and then perform password attacks on a different system dedicated to cracking.

Seeing as how the structure of Linux is based on files, grabbing usernames and password representations is as simple as knowing where to find them and having the appropriate privileges. On Windows machines, it’s a little more complicated, but can be done. Pwdump has been the tool of choice for many years for dumping password hashes from Windows systems. Many iterations have been introduced, and the one most used now is Fgdump by Fizzgig of the Foofus Hacking Group. Once you have the password representations, it’s now time to crack them. Since we retrieved them from the target systems and are attempting to crack them remotely, there is no chance for account lockout.

A good general rule of thumb I gathered during the Password Attack phase of pen testing is prioritizing your attack based on the OS. Although John the Ripper is a great tool for Linux passwords, when compared to a tool that uses Rainbow Tables for Windows passwords, it’s not as effective. Same for the other direction. Linux passwords are salted and therefore can’t be broken efficiently with Rainbow Tables, so use John. Now, which tool to use with your Rainbow Tables? Ed makes a great recommendation in Ophcrack, which has versions for both Linux and Windows. It also has a bootable CD that uses a Linux environment, but it can be loaded into a virtual machine using either platform. You can also use the Windows-only tool, Cain, with your Rainbow Tables. This is not to say that you should use only one tool to crack passwords, but simply use the best tool for the given job first.
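Why the salt makes the difference, as an added example that is not from the original review or the course: a tiny precomputed lookup table (a stand-in for a rainbow table) is built over a constructed wordlist, and SHA-256 stands in for the OS-specific hash (LM/NTLM on Windows, crypt on Linux). The unsalted digest falls to one table lookup; the salted one does not, and only per-target guessing of the kind John the Ripper does recovers it.

```python
"""Why salts make precomputed (rainbow) tables a poor fit for Linux hashes.

Added example, not from the original review. A tiny precomputed lookup table
stands in for a rainbow table, built over a constructed wordlist. SHA-256 is a
stand-in for the OS-specific hash (LM/NTLM, crypt); the effect is the same: an
unsalted hash is found by one lookup, a salted one is not, and the table would
have to grow by a factor of 2**salt_bits to cover every salt value.
"""
import hashlib
import os
from typing import Dict, Iterable, Optional

# Constructed wordlist standing in for the dictionary a table is built from.
WORDLIST = ["password", "letmein", "Wonka2008", "golden", "factory", "ticket"]


def unsalted_hash(password: str) -> str:
    """Same password -> same digest everywhere, which is what a precomputed
    table relies on (the Windows case on the page)."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user salt mixed in before hashing (the Linux case)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute digest -> plaintext once; reusable against every target."""
    return {unsalted_hash(w): w for w in words}


def lookup(table: Dict[str, str], digest: str) -> Optional[str]:
    """The rainbow-table step: a single dictionary hit or miss."""
    return table.get(digest)


def guess_salted(words: Iterable[str], digest: str, salt: bytes) -> Optional[str]:
    """John the Ripper's approach: re-hash every guess with this user's salt,
    so the work is repeated per hash instead of done once up front."""
    for w in words:
        if salted_hash(w, salt) == digest:
            return w
    return None


def table_entries_needed(n_words: int, salt_bits: int) -> int:
    """Entries a precomputed table needs to cover every (word, salt) pair."""
    return n_words * (2 ** salt_bits)


def demo():
    """Returns (table hit on unsalted, table miss on salted, guessing hit)."""
    table = build_table(WORDLIST)
    pw = "Wonka2008"
    hit = lookup(table, unsalted_hash(pw))          # found instantly
    salt = os.urandom(16)                           # per-user random salt
    salted = salted_hash(pw, salt)
    miss = lookup(table, salted)                    # table knows nothing
    recovered = guess_salted(WORDLIST, salted, salt)  # still weak password
    return hit, miss, recovered


if __name__ == "__main__":
    print(demo())
    print("table entries for 6 words x 12-bit salt:", table_entries_needed(6, 12))
```

Classic crypt(3) used a 12-bit salt, so a table covering it needs 4096 entries per word; the longer salts of modern hash schemes push that multiplier far beyond what any table can store, which is why John’s per-hash guessing is the right tool there.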

Now what if you can’t grab the password representations and thus are unable to use all of those great tools? Well, how about sniffing them right off the wire? Many tools can do this, and Cain is among them. And if you’re using Cain for other purposes, why not use it for more? Cain is an anomaly in the pen testing world. Not only, as mentioned above, is it a Windows-only tool, but it has so many tools built into it that it can’t be classified in one category. Bottom line… get it, use it, love it.

As promised, here are a few items shown to us during our day of Password Attacks that you may not get anywhere else:

* More fun with Netcat
  * Get your password dumps from a Windows box into your Ophcrack LiveCD virtual machine or over to your Linux box running John the Ripper
  * Capture password dumps from a target using a third compromised machine as a relay
* Pass the Hash – Utilize a password in its hashed form without ever cracking it.

The only negative comment I can make about this day concerns the amount of time spent on the theory and construction of Rainbow Tables. Exciting and interesting as it may be, I think it is a perfect candidate for further exploration on your own outside of this course. This was the only part of the entire 6-day course that seemed to drag. Barring that, I think it is safe to assume that none of the students thought spending the better part of a day on password attacks was nonsense, and all were firmly on the side of Ed’s wisdom.

Day 5 – Wireless and Web Apps

“Where is fancy bred? In the heart, or in the head? Shall we roll on?”

The medical field in its infancy was solely focused on the general practitioner. InfoSec, and ethical hacking in particular, is no different. As our industry continues to mature, professionals will begin to specialize. We are starting to see this already with groups of individuals, each with expertise in a given area, coming together in what are called tiger teams, blue teams and red teams. But as we begin to specialize, we still must be able to understand the broad concepts handled by our fellow team members. So even though this course is titled Network Penetration Testing, we at least need to cover the basics of wireless infrastructures as well as web applications. How else will we recognize when to call in another expert, let alone communicate our needs or understand their findings? So even though you may fancy network pen testing as a passion in your heart, your head dictates that you must roll on into other areas.

For the wireless portion of the day, which took only a couple of hours, we actually had a welcome break from the hands-on technical labs. Because of the added infrastructure needed to set up wireless, hands-on sessions were understandably omitted. In short, we covered the discovery and sniffing of wireless LANs as well as crypto and client attacks. Again, I won’t go into too much detail on this portion of the course, as it was only meant as a primer to allow better communication with the wireless experts on your team. This is not to say that Ed didn’t include what we’ve come to expect: some practical advice. A question often posed is which wireless card is best for ethical hacking. While none is perfect, Ed recommends cards built on Atheros chipsets. He also threw in some very helpful advice on GPS receivers and antennas.

But for web application pen testing, it was right back to more labs. This one too was less detailed than the dedicated web app courses from SANS and many other training companies that spend 5 – 6 days on the topic, but it nonetheless occupied the better part of day five. Just as with the other topics covered during the course, Ed methodically pulls you along the process of actually performing this type of pen test: from defining what a web app really is to vulnerability scanning with Nikto, from analyzing the app with Paros Proxy to launching the attack phase. Once in the attack phase, we covered most of what you would expect in a one-day course on web app pen testing, such as XSS and SQL Injection. But in true Ed style, he even threw in a few up-and-coming attack vectors like Cross-Site Request Forgery (XSRF, also written CSRF) and Command Injection that may not be included in other dedicated courses. The XSRF lab was pretty detailed and showed precisely what this attack can accomplish and how it differs from XSS. The Command Injection labs were nicely done and foreshadow some of Ed’s latest research on “Netcat without Netcat.” Go Google it. It’s really cool fu.
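Because the XSRF lab is the one item above most readers will not have seen elsewhere, here is an added example of the mechanism and its fix, written for this review and not taken from the course. It models a money-transfer endpoint as a plain function over a request dict: the vulnerable handler trusts the session cookie alone, the hardened one also demands a token that only a page served from the site’s own origin can carry. The endpoint, cookie and token names, the server key and the sessions are all assumptions, and the HMAC-of-session-id token is one of several valid token designs, not the course’s.

```python
"""Added example (not from the course labs): a state-changing request with the
vulnerable handler beside a hardened one. Requests are dicts standing in for an
HTTP request; the bank endpoint, cookie/token names, server key and sessions are
constructed assumptions."""
import hashlib
import hmac

SERVER_KEY = b"constructed-server-secret"       # assumption: per-deployment secret
SESSIONS = {"sess-victim": "alice"}              # session cookie value -> logged-in user
BALANCES = {"alice": 1000, "mallory": 0}         # constructed account state

def csrf_token(session_id: str) -> str:
    """Token bound to the session: HMAC over the session id under the server key.
    It is embedded in forms served from our origin, never sent as a cookie."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def _do_transfer(user, form):
    amount, to = int(form["amount"]), form["to"]
    if BALANCES[user] < amount:
        return 400, "insufficient funds"
    BALANCES[user] -= amount
    BALANCES[to] = BALANCES.get(to, 0) + amount
    return 200, f"moved {amount} from {user} to {to}"

def transfer_vulnerable(req):
    """Authenticates by session cookie alone. The browser attaches that cookie to
    any request aimed at this origin, including one an attacker's page forged."""
    user = SESSIONS.get(req["cookies"].get("session"))
    if not user:
        return 403, "not logged in"
    return _do_transfer(user, req["form"])

def transfer_hardened(req):
    """Same handler, plus a check the attacker cannot satisfy: the form must carry
    the session's token, which another origin can neither read nor compute."""
    sid = req["cookies"].get("session")
    user = SESSIONS.get(sid)
    if not user:
        return 403, "not logged in"
    supplied = req["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(sid)):   # constant-time compare
        return 403, "missing or bad CSRF token"
    return _do_transfer(user, req["form"])

def forged_request():
    """What the victim's browser sends after loading the attacker's auto-submitting
    form: the attacker chose the body, the browser added the victim's cookie. No
    script ran on the bank's origin and the attacker never sees the response; that
    is the difference from XSS, which executes inside the target origin."""
    return {"method": "POST", "origin": "http://attacker.example",
            "cookies": {"session": "sess-victim"},
            "form": {"to": "mallory", "amount": "500"}}

def legitimate_request():
    """A transfer submitted from the bank's own page, which carried the token."""
    return {"method": "POST", "origin": "http://bank.example",
            "cookies": {"session": "sess-victim"},
            "form": {"to": "mallory", "amount": "100",
                     "csrf_token": csrf_token("sess-victim")}}

def demo():
    """Replay the three cases against fresh balances; returns status codes and state."""
    BALANCES.update({"alice": 1000, "mallory": 0})
    forged_vs_vuln = transfer_vulnerable(forged_request())[0]   # 200: money moved
    forged_vs_hard = transfer_hardened(forged_request())[0]     # 403: rejected
    real_vs_hard = transfer_hardened(legitimate_request())[0]   # 200: still works
    return forged_vs_vuln, forged_vs_hard, real_vs_hard, dict(BALANCES)
```

Checking the Origin or Referer header is a reasonable second layer, but the token is the check that does not depend on what the browser chose to send.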

And with that came the end of our lecture and lab time for SANS 560. It is now time to put it all together. And in that, I mean not only your skills with the tools, but also your ability as a member of a team. The overriding theme of the course thus far has been pen testing as a career, and there is no reason to believe that this theme will disappear during the Capture the Flag exercise.

Day 6 – Capture the Flag Event

Fax mentis incendium gloriae. "The torch of glory kindles the mind."

It’s one thing to learn by reading or listening to lectures. It’s another to get hands-on exercises tailor-made for the specific topic covered in class. But it’s a whole different animal when you must combine all you have learned into a single, practical pen test with scope, objectives and time limits. This is the lofty goal of the Capture the Flag event on the last day of the course. And even though this is meant to be an educational exercise, who are we kidding? We want to win!

In an effort to continue the spirit of the entire course and treat this exercise as a real project, Ed recommended that each team schedule regular meetings to report progress. Our team agreed to go even further, with assigned duties, checklists and detailed organization. We had a well-balanced team of five, each member with strengths and weaknesses. As it turns out, my main strength was management, so my task was to talk briefly with each member of the team and assign duties. One of our members is great at shell scripting and exploitation, another is great with Linux, the third gentleman and I are proficient in Windows, and the fifth was pretty new to pen testing. The makeup of our team was very similar to a real-world pen testing team. To train newer employees, they are often made members of the team, albeit billed at a much lower rate, and the senior members will hopefully teach the junior member the tools, techniques and proper procedures. In the rush to compete with other teams, I hope we accomplished that unassigned task for the sake of our junior member. I fear we were inadequate.

I won’t go into details of the CtF, because I don’t want future 560 students to be able to grab any clues that I may inadvertently leak. I will report, however, that the team worked very well together. Scanning and vulnerability assessment were done in no time. The Linux and Windows targets were assigned. I happened to have a pretty decked-out laptop, so I also volunteered to be the password cracking station for the group. As each target was compromised and accounts were collected, off they went to me for cracking. When done, a list of accounts (now with passwords) was shared with the group to hop onto other machines that had no exploitable vulnerability other than the same passwords being reused across systems. We kept great notes, which allowed us to communicate clearly and quickly with each other and do a more efficient job. This also made it very easy when the flags were captured and the exercise was complete. Keeping with the theme, the requirement of the exercise was not only to capture the flags, but then to report your findings and discuss exactly the process taken to accomplish the tasks with the client (played by Ed).

So did all this planning and communication work? Yes and no. We captured all the flags, but unfortunately came in second by about 5 minutes.

Some of my teammates had taken SANS 504, Ed’s other class on Incident Handling, and made some comments on the 560 CtF exercise on the final day. The attention to detail and the business aspects of the 560 CtF were very apparent to them. The constraints of working as a team hired by a company to perform specific tasks within a given scope made 560 seem more practical. Since this new course is meant not simply for hacking or stopping hackers, but to make a new breed of professional pen tester, I personally believe it fit 560 like a glove.

Conclusion

“We are the music makers, and we are the dreamers of dreams.”

While going through the week, I was completely taken in by Ed’s teaching style. So much so, that after completing the course, I thought it was not as technically challenging as I had thought it would be. But it wasn’t until after I had reviewed the material and my notes while writing this review article, that I realized two very important points. First of all, it not only was highly technical but very well paced and constructed. The first day was less technical for now obvious reasons, and the labs throughout the course were very well done and detailed. Secondly, Ed’s instructing ability, with his ultimate confidence in the material, excitement for the topic, and ability to start simple and quickly bring the students up to speed, made it all seem easy to understand. I found myself often thinking, “Well of course it works that way. That’s easy.” When in reality, I had never done it before Ed showed me how.

An aspect of ethical hacking that is hotly debated is whether programming is required. The direction of this debate depends on exactly how the question is posed. If you want to be a professional pen tester, then it is recommended but not required. If you want to be an Uber Haxor, then yes, it is required. I also completely understand that training on this scale is a business, and getting too focused limits your target audience. So with this, I am torn and will thus leave you simply with this fact. There is no programming in SANS 560 other than some Windows batch (.bat) scripting and some pre-written bash scripts that you get to tweak. It would have been nice to have an “Intro to Programming” for an hour or two somewhere in the mix, very similar to the treatment of wireless. Would something need to be cut to fit it in? Probably (Rainbow Table theory is a candidate ;-) ). Could it be an optional evening session provided by SANS like the “Fundamentals of Linux?” Certainly. Does it take away from the value of the course? Not at all!

One other important realization is the difference between an instructor who teaches a course developed by someone else, and one that is written and taught by the same individual. The insights into the thought processes, the understanding of the direction of the entire course and many other benefits come from the latter. Wrap it all up with an individual who can delve into both sides of his brain with aplomb, and it makes for one unforgettable experience. My concern is that as 560 grows in importance in the industry, other SANS instructors won’t be as effective. Knowing some of the other SANS instructors as I do, that is less of a concern than with other organizations, but a concern nonetheless.

So let’s take a look at a quick outline of my thoughts on SANS 560, Network Penetration Testing & Ethical Hacking:

Positives
1. Amount of practical exercises
2. Focus on specific, best-of-breed tools
3. Concentration of the business and career aspects of pen testing
4. Ed Skoudis!

Negatives
1. Slightly flawed first day Scoping Exercise
2. Too much on the theory behind rainbow tables
3. A little on programming would be nice, even if only a primer like wireless or web app
4. Ed can’t possibly teach every course

As a reviewer, it is my job to point out at least a few negatives, and the shortcomings are minor indeed. But please don’t let too much light blind you and not see the forest for the trees. Overall, this course is not only one of the best technical courses I’ve ever taken, but also one of the most helpful professional development courses. It is unique in so many ways, that it should without a doubt be on your short list of courses regardless of the provider. And if your technical chops are not up to snuff, put this on your long-term career plan. As an aspiring professional pen tester, this course has everything you need and then some.

When I look back on the week I spent exploring the pen testing factory through the eyes of its creator, I can’t help but think how different it would be if it were given by a tour guide. No matter how effective or knowledgeable that tour guide may be, there’s nothing like learning the chocolate business directly from Willy Wonka. And in his now immortal words…

“Don’t forget what happened to the man who suddenly got everything he always wanted. He lived happily ever after.”

Donald C. Donzal
Editor-in-Chief
The Ethical Hacker Network

Additional Resources:

“So shines a good deed in a weary world.”

Atheros
Cain
fgdump
Hping
John the Ripper
Metasploit
Nmap, Nmap SE
Nessus
Netcat
Nikto
Ophcrack
Paros Proxy
SensePost
tcpdump / windump
THC Hydra
WMIC

Quotes and themes used throughout this article are from the 1977 film, Willy Wonka & the Chocolate Factory by Warner Bros Entertainment, Inc. All rights reserved.

Additional Resources:

EH-Net Page on GPEN
EH-Net Forum Discussion on GPEN

SANS 560 – Network Pen Testing & Ethical Hacking
SANS What Works in Penetration Testing Summit
