Final Course and Exam Review: Pen Testing with BackTrack

March 1, 2010

Ryan Linn continues his insider’s look at Offensive Security’s online training course, ‘Pentesting with BackTrack.’ In Parts 1 – 4, he presented the reader with details of the training as he did it. Now in this final review (Part 5), he compiles his thoughts on the course in its entirety and then gives you an extended look at the process of preparing for and taking the Offensive Security Certified Professional (OSCP) exam.  PWB is described by Offensive Security as, "An online course designed for network administrators and security professionals who need to get acquainted with the world of offensive security. This penetration testing course introduces the latest hacking tools and techniques, and includes remote live labs for exercising the material presented to the students. This course gives a solid understanding of the penetration testing process, and is equally important for those wanting to either defend or attack their network. The course can be taken from your home, as long as you have a modern computer with high speed internet."

Visit Ryan Linn’s Column Page for Parts 1 – 4 as well as several other contributions to The Ethical Hacker Network and our community of security professionals.


When I was presented with the opportunity to review the Pentesting with BackTrack (PWB) course by Offensive Security I was excited as this course has a reputation for being a skills and technique-based course as opposed to some of the other courses that focus on methods and memorization.  This final review will detail my overall thoughts on the course, a comparison of this course with the SANS Network Penetration Testing and Ethical Hacking course, and my experience with the Offensive Security Certified Professional (OSCP) exam.

The Pentesting with BackTrack course was originally released as Offensive Security 101 and consists of 3 separate training segments.  The core of the course is the course manual where all of the information in the course is presented.  The manual consists of content, exercises, and bonus questions which will earn additional bonus points towards the OSCP certification.  The second portion of the course offers flash videos that cover all of the core modules of the course.  These are viewable on any platform with a flash viewer and cover the same material in the manual.  The third portion of the course is delivered via a remote lab environment.

The remote lab environment is accessed via a set of VPN files that are delivered with the course content.  The files are installed into your choice of a BackTrack distribution, which you must install prior to taking the course.  I took the course on BackTrack 4 Pre-Final on my MacBook with 2G of memory using VMWare Fusion.  The course is designed for BackTrack 3, but, depending on your familiarity with Linux, more recent distributions can be used. The only drawback is that some of the exercises may look slightly different from the manual.  Once BackTrack is installed, the VPN setup is quick and easy.  There is even a connectivity test that is delivered prior to the course material to ensure that there are no connectivity issues.

The course itself is laid out into 8 basic concepts: Introduction, Discovery/Enumeration, Exploitation, Post Exploitation, Web Exploitation, Bonus Information, and Labs.  The concepts themselves are not explicitly laid out; instead, the tools that make up each concept are explained and enumerated.  There is one further area that is only generally outlined in the manual but is focused on heavily in both the exercises and the OSCP exam, and that is documentation.  A documentation file of bonus questions is built up throughout the course, and it is that documentation that is submitted for the bonus points on the OSCP exam.

The Introduction section consists of 1 module broken down into 5 chapters.  This module starts off by helping set up all of the services in BackTrack that will be needed for the course, ensuring that networking is set up properly, and then introducing some of the core tools that will be necessary for every part of the course: Bash, Netcat, and Wireshark.   Each tool or set of tools is backed up with both video tutorials and exercises to get the student accustomed to the environment and the basic tools that will be needed for the course.  This section also acts as an intermediate introduction to Linux skills, so those with basic Linux skills should be able to get up to speed with a small amount of additional research.

The Discovery/Enumeration section consists of 3 modules broken down into 11 chapters.  The course starts off with non-invasive techniques such as Google Hacking and the utilization of other web resources designed to provide profiling information about a target.  From there each module becomes more invasive, working into concepts such as DNS recon, SNMP recon, and Netbios recon where individual services are queried for information about the host.  The third module is the most invasive in this section and discusses port scanning in-depth using Nmap and other tools.

The Discovery/Enumeration section contained a number of tools that I was not familiar with but found to be incredibly useful both in the labs and in the real world.  This section did a good job of providing a useful outline for discovering services, configurations, and users from exposed services.  These tools aren’t explicitly used after this section, but as the course progresses they are critical to many of the exercises, as portions of the lab exercises require that information be discovered before boxes can be exploited.  After discussing the course with other individuals who have taken it, it seems that many of the difficulties that people have with the course come back to this section.  Understanding the enumeration and discovery of services is critical for success in the labs and for passing the OSCP exam.

With 3 information packed modules, the Exploitation section is one of the areas where PWB shines.  This section begins with ARP spoofing, and the course does a good job of explaining the theory, the potential problems, and the potential information that can be gathered from successful exploitation.  This module isn’t loaded with exercises like many of the other modules due to the potential impact on the network.

The second module of the Exploitation section is the Buffer Overflow module.  This module sets this course apart more than any of the others, as it helps the student understand how buffer overflow exploits work from concept to execution.  The module begins by discussing how to look for bugs and find a basic overflow, and then walks the student step by step through creating a working buffer overflow exploit.  Each step progresses through the process and provides in-depth demonstrations and explanations of what is happening on the system.  There are even bonus exercises to practice these skills further, so that a better understanding is formed.

Once the student understands how to create exploits, the final module in this section focuses on how to find exploits that have already been written.  The focus is on taking exploits from Milw0rm and Security Focus and understanding how to compile both Linux and Windows exploits on BackTrack for use in the labs.  This section also discusses how to build Windows executables within BackTrack, so that they can be used for privilege escalation on other systems.

The exploitation section of the course is incredibly strong and covers why many of the exploits work in addition to how to apply them.  The information in the course won’t create an expert exploit developer, but if a student masters these concepts then he/she should have skills that will set him/her apart from many of the entry and mid-level penetration testers in the industry.  These aren’t skills that will frequently be used in penetration tests themselves, but for specialized assessments they may be useful.  The use of Milw0rm and Security Focus, however, is important, and the exploit building background helps in understanding some basic fundamentals about what is happening in the third party scripts.

The Post-Exploitation section begins with an explanation of transferring files once a basic shell has been established on a machine, and then moves into discussing two exploitation frameworks: Metasploit and Core Impact.  These frameworks are discussed at this point as they both have capabilities for exploitation, but, more importantly, they have advanced payloads which facilitate post exploitation.  After the frameworks are discussed, port redirection and tunneling are covered in order to facilitate other attacks using the compromised host as a pivot point.

The final post exploitation module is on passwords.  This module is very in-depth and covers everything from brute forcing services, to cracking captured passwords, to physical attacks on devices to allow resetting passwords.  This module is full of different tools and provides some good exercises to practice the skills involved.

The post exploitation section does a good job of covering the different exercises that may be performed once access has been gained to a machine.  The introduction of both the open source Metasploit and commercial Core Impact frameworks helps the student understand what advanced payloads can be deployed and introduces some of the basic features.  These features are further reinforced by standalone solutions which do some of the same things.  This section is another area that applies strongly to real world network penetration testing, and the skills involved will make the student a strong penetration tester.

The final section which has both video and book exercises is the web exploitation section.  This section focuses on SQL injection attacks but also covers command injection and has some basic application to any type of attack on input validation.  This is probably the weakest section of the course: while the SQL injection attacks are covered very well, there are tons of other web attacks which aren’t even addressed.  This is most likely because the course focuses on getting access to the box and less on gaining access to data, and so SQL injection is used to gain access to the shell through the web application and database.  Overall it is not an incredibly strong section, but it does give some additional techniques to get onto a machine.

The bonus sections are only in the manual and they consist of modules for Trojan horses, Windows Oddities, and rootkits.  The Trojan horses module focuses on some of the features of Trojans that are available and gives usage scenarios for each Trojan described.  The Windows Oddities module covers Windows Alternate Data Streams (ADS) and registry tricks.  The rootkit module covers a number of rootkits and even provides actual rootkits to play with in the lab environment.  Most of this information isn’t overly useful for penetration testing, but does have a lot of impact on incident response.  It was a good opportunity to play with some of these tools in a safe environment and it provided some exposure that most people don’t get on a daily basis.

The final section in the manual is the labs.  The labs consist of bonus questions where the skills learned in all of the modules of the course are used to attack real boxes.  These questions are designed to be the training and prep for the OSCP exam.  The lab network is extremely well set up and almost everything is attackable.  There are boxes in the environment which range in difficulty from easy all the way to extremely difficult.  The scenarios were good, a variety of different types of boxes were provided for hacking, and the different scenarios required good usage of the skills laid out throughout the course in order to successfully exploit the target servers.

PWB is a great skill-based course that will help everyone from those interested in simply helping the security posture of their own environments to those who desire to become an actual penetration tester.  Novice and intermediate penetration testers will improve skills that can be applied to real-world penetration tests.  The course has good reinforcement of the skills as they are learned and revisits all of the skills as part of bonus exercises at the end of the course where the skills must be applied for a successful exploitation of target machines.

There have been many questions in the community about how the various courses compare to each other and who should take each course.  At the time of taking this course, I already had the GIAC Certified Penetration Tester (GPEN) and GIAC Web Application Penetration Tester (GWAPT) certifications, so these are the certifications that I will compare the PWB course to.  The GPEN certification covers some of the same tools presented in PWB such as Netcat, Nmap, Metasploit, and some other basic exploitation, but the GPEN is set apart as the GIAC certification which covers the business side of penetration testing.  Obtaining the GPEN certification means that you have some basic penetration testing skills and understand the sensitivity and business concerns of the penetration testing process.

The GWAPT exam covers almost strictly web penetration testing.  There is very little overlap with the exception of SQL Injection.  So if you are looking specifically for web application penetration testing knowledge, PWB probably isn’t the course for you.

Overall, the course that you should take first depends on what your goal is.  If you are just starting with security and penetration testing, then starting with GPEN first may be ideal, as it will help you understand why you are going through the process to begin with.  If you already have experience as a penetration tester, but want to improve your skills, taking PWB will definitely improve your ability to perform network penetration tests.  Finally, if you want to focus on web attacks, then the GWAPT path is where you should start.

The certification associated with this course is the OSCP, Offensive Security Certified Professional.  The exam is similar to the course in that you supply your own copy of BackTrack and a VPN file is supplied that allows you to connect to a lab environment.  The exam lasts 24 hours, and requires you to submit documentation of all of the bonus points from the PWB course as well as documentation from your exam at the end of the examination to be graded.  Once the documentation is reviewed an email is sent with the exam results.

The exam mirrors the labs very well.  My exam had 5 boxes which ranged from very easy to hard.  I began the exam at 7pm on a Saturday and worked into Sunday until about 3am, when I finally completed the exam.  The documentation takes a long time, but, as it’s required, it is important to manage the documentation as you go along.  Each box that you are required to compromise has a point value, and you are required to achieve a total of 70 points to pass.  With that in mind, you should have a good idea of your score when you hand in the exam.  The bonus points from the PWB class are added to the exam score in order to determine the final score, so doing all of the bonus exercises in the PWB course can definitely help you.

There have been a number of questions regarding how much lab time students need.  I only did 30 days of lab time as I had already done some of this material before.  If you are new to this type of material, then 60 days would probably be appropriate. But in my opinion, anyone who has penetration testing skills and who has some moderate time to apply to the course should be able to do the material in 30 days.  If you cannot complete at least half of the boxes in the final exercises, you should then sign up for additional lab time.

Overall I highly enjoyed the PWB course.  I left the course feeling like I had gained some valuable skills that will apply directly to any penetration testing that I do.  I passed the OSCP certification and received the paper certificate within 3 weeks.  I have since used a number of these tools at work and in my lab, and I feel like I am a stronger penetration tester due to this course.


Ryan Linn, CISSP, MCSE, GPEN – Ryan is currently an Information Security Engineer at SAS Institute. Employed in the computer industry since 1997, he has held positions ranging from web developer to Unix Systems Programmer at a large university to his current position in Information Security. Ryan has been responsible for working with large scale deployments of various flavors of *nix, high availability web and database clusters, as well as for application programming in high availability environments. In the past few years, Ryan has incorporated Windows security into his responsibilities, and is now part of the team responsible for information security globally in one of the largest privately held software companies in the world.
