April 2, 2008 at 4:56 pm #2267
Yes, as Don mentioned, this was 6 days in Ed’s world of pure imagination. I have attended other pen testing courses and have a few certs, but this was by far the best course I have attended. To be fair, I thought I would just lay out a summary of each day.
The focus of this course is to exploit and gain access to a target by using tools and techniques that are native to different OSs by default. This is due to the fact that while doing a pen test, the rules of engagement do not allow installing software, modifying the configuration, modifying accounts or bringing down services on the target.
Day 1 – Planning, Scoping, and Recon
Almost three quarters of the day was spent on theory and building up methods of pen testing, developing the mindset a pen tester should have and setting up an infrastructure for pen testing. It also walked us through the business aspect of how to handle an RFP for pen testing services and formulate a contract with rules of engagement. We also discussed legal issues in various countries and how to report the results of a pen test, so that they are beneficial to all tiers of the corporate structure. There were numerous little tidbits a pen tester should avoid and the most common pitfalls. The rest of the day was spent on DNS recon tools (whois, nslookup, dig, BiLE) and finding vulnerabilities using public resources such as search engines and domain registrations. I would say this was the most beneficial day for me, because no other course deals with these important parts of pen tests.
Day 2 – Scanning
The focus of Day 2 was scanning the target and recon. Tools like Nmap, Amap, Nessus and Tcpdump were discussed in great detail, and, most importantly, the advantages and disadvantages of each. We also covered tips on when to use which tool. It also discussed how to fine-tune the VA scanners so that the false positives are reduced. I enjoyed the session on packet crafting with Hping3. Also, there was a great session on manual false positive reduction using some basic tools like Netcat, hping and others, so that the results are more accurate. This is another plus when compared to other courses.
Day 3 – Exploitation
We discussed in detail different categories of exploits (client-side, server-side and privilege escalation), the difference between simple shell access as compared to full-blown terminal access, and various techniques to gain each. There were lots of hands-on exercises on each. It covers Metasploit in great detail and the advanced Meterpreter shell. And finally, a very brief preview of the famous “Ed’s Windows command line kung fu”: making Windows run commands remotely using psexec, sc and wmic. This was very valuable to me and made me think that if I master this I would need fewer tools.
The only thing I felt was not covered here was how to modify the publicly available exploit code to suit your needs and OS (using the Metasploit opcode DB, a hex editor, etc.), though we did it in a certain impromptu exercise.
Day 4 – Password Attacks
This was all about John, Cain, Ophcrack, fgdump and THC Hydra, explaining the inner workings of each in detail. A detailed discussion on account lockouts and techniques to avoid them was also covered, as were the different types of password representation (LM, NTLM v1, v2, MD5, DES) and where they are stored in different OSs. There was a very valuable discussion on the formulation of rainbow tables, and on the different ways to use Cain (password cracking, sniffing password hashes, playing back VoIP captures), with very detailed hands-on exercises on the above tools. The best part of the day, which blew me away, was gaining access to a machine by passing the hash. With this technique you don’t even need to crack the password to gain access – you can do it by passing the hash representation of a password on Windows systems.
Day 5 – Wireless and Web Apps
These two topics were not covered in great detail, but I think there was enough information to learn what the different types of wireless encryption are (WEP, WPA, WPA2) and what the difference is between XSS and XSRF, or SQL injection and command injection. There was enough information to learn how various wireless attack tools worked. The web apps section had very cool and detailed hands-on exercises to illustrate the various concepts. The must-see technique here is gaining netcat functionality without netcat... a very cool technique.
Day 6 – Capture the Flag
And finally the task/game that brings all the concepts of the past five days together. All I can say here is that it was a very well engineered game bringing in all the concepts learned throughout the course, with emphasis on different techniques for achieving similar goals. Also, attention to detail was very well illustrated here. I bring this up because this was the very valuable lesson our team learned... which cost us the win!
All in all, I will say that this is another “MASTERPIECE from Ed Skoudis”: a very well designed course focusing on pen testing using the tools and techniques native to OSs and commands that are commonly available on the target systems. Tools used in this course are all available on the Internet, and most other courses will teach you the command line to perform certain tasks. This course teaches you how to use them better, and other options to get the same or better results without using them. I think even an experienced pen tester would learn a few tricks from this course.
My kudos to Ed and SANS for offering it. Also, kudos should go to all the invisible contributors, and every section should have dedicated slides on stories of Matt Carpenter and Mike Poor :)) ..
Finally, a word of caution: this is not a course for newbies and requires advanced knowledge of various OSs and TCP/IP. If I were you, to get the most out of this course, follow GSEC, GCIH and GPEN, and for completeness OSCP. Those are my thoughts...
Also, it was great meeting “the DON”... I hope I will see you again and we can talk over beers!!
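The Day 4 summary above mentions the "formulation of rainbow tables" without explaining what is actually precomputed and why salting defeats it. The following is an added example, not code from the poster or from the SANS course: a toy rainbow table over a constructed keyspace of 3-character lowercase passwords, using SHA-256 as the stand-in hash and a reduction function that mixes in the column index. All parameters (alphabet, chain length, start-point sampling, the salt value) are assumptions chosen for illustration only.

```python
import hashlib
import itertools
import string

# Constructed toy parameters (not from the course): 3-character lowercase
# passwords, SHA-256 as the hash function, chains of length 20.
ALPHABET = string.ascii_lowercase
PW_LEN = 3
CHAIN_LEN = 20
KEYSPACE = len(ALPHABET) ** PW_LEN  # 17576 possible passwords


def hash_pw(pw: str) -> bytes:
    """Unsalted hash: the case a precomputed table can attack."""
    return hashlib.sha256(pw.encode()).digest()


def salted_hash(pw: str, salt: bytes) -> bytes:
    """Salted hash: a table built for hash_pw() is useless against it."""
    return hashlib.sha256(salt + pw.encode()).digest()


def reduce_hash(h: bytes, step: int) -> str:
    """Map a digest back into the password space.

    The column index `step` is mixed in so that every column of a chain uses a
    different reduction function; that is what distinguishes a rainbow table
    from Hellman's original tables and makes chain merges much rarer."""
    n = (int.from_bytes(h[:8], "big") + step) % KEYSPACE
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def default_start_points():
    """Deterministic sample of start points: every 50th password in order."""
    all_pws = ("".join(p) for p in itertools.product(ALPHABET, repeat=PW_LEN))
    return list(itertools.islice(all_pws, 0, None, 50))


def build_table(start_points):
    """Precomputation: walk each chain, store only endpoint -> start points.

    Chains that merge share an endpoint; real tables usually discard those to
    save space, here every start is kept so that every chain stays searchable."""
    table = {}
    for start in start_points:
        pw = start
        for step in range(CHAIN_LEN):
            pw = reduce_hash(hash_pw(pw), step)
        table.setdefault(pw, []).append(start)
    return table


def covered_passwords(start_points):
    """Every password that appears in some chain, i.e. what the table can crack."""
    seen = set()
    for start in start_points:
        pw = start
        for step in range(CHAIN_LEN):
            seen.add(pw)
            pw = reduce_hash(hash_pw(pw), step)
    return seen


def lookup(table, target):
    """Recover a preimage of `target` from the table, or None.

    For each column i the target hash might sit in, finish the chain from that
    column to get a candidate endpoint. If the endpoint is stored, regenerate
    the stored chains from their start points and check every password in them.
    A stored endpoint can be a false alarm caused by a chain merge, which is why
    each candidate's hash is re-verified instead of trusted."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_hash(target, i)
        for step in range(i + 1, CHAIN_LEN):
            pw = reduce_hash(hash_pw(pw), step)
        if pw in table:
            for start in table[pw]:
                cand = start
                for step in range(CHAIN_LEN):
                    if hash_pw(cand) == target:
                        return cand
                    cand = reduce_hash(hash_pw(cand), step)
    return None


if __name__ == "__main__":
    starts = default_start_points()
    table = build_table(starts)
    covered = covered_passwords(starts)
    print(f"{len(table)} endpoints stored, {len(covered)} of {KEYSPACE} passwords covered")
    victim = reduce_hash(hash_pw("aaa"), 0)  # a password from inside a chain
    print("unsalted lookup:", lookup(table, hash_pw(victim)))
    print("salted lookup:  ", lookup(table, salted_hash(victim, b"constructed-salt")))
```

The point to take from running it is the storage trade-off the course discussion refers to: only the chain endpoints are kept, yet every password that occurs anywhere in a chain can be recovered by recomputing at most one chain per column. The salted lookup returns None because the table was built for unsalted hashes, which is exactly why per-user salts (and, on Windows, disabling LM hashes) take precomputed tables off the table.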
April 2, 2008 at 9:32 pm #17205 (BillV, Participant)
Thank you for the write-up and comments. Very much appreciated! This sounds like it was a great course and you had a lot of fun with it… I’ll certainly be looking into it in the future.
April 3, 2008 at 10:14 am #17206 (RoleReversal, Participant)
Thank you for the write-up, sounds like it was a great course. I was hoping that the course wasn’t going to be that good; guess I’ve got another course/cert to add to my to-do list 😉
April 3, 2008 at 9:21 pm #17207 (Anonymous, Participant)
Hey, good write-up!
April 4, 2008 at 2:05 pm #17208 (bbauer, Participant)
I also attended the course at Tyson’s.
To add to Vijay2’s comments –
Ed Skoudis has put together an excellent class for pen-testers, from technical “wannabes” to people who have been around the block doing it. (You do have to be intensely technical, though, or you will get lost after about the middle of Day 1 – this is NOT an entry level class, as at least one person discovered.) Ed covers everything from the initial statement of work to the writing of the report, giving tips and experiential comments on many “arcane” aspects of pen-testing. He covers not only the use of the tools and the concepts needed to actually do the work, but also customer relations and presentation – areas in which a lot of talented engineers can use help.
It was a pleasure to take the class… and meeting Don was a plus. 🙂
April 4, 2008 at 2:54 pm #17209
Welcome to the EH Net, nice to see you here 🙂
April 4, 2008 at 7:29 pm #17210
Even though you were brief, you emphasized the course being more hands-on. This is the same way it is described by Ed himself. It’s nice to know that this course is up to date, even though from its description it overlaps other training, as you did mention GCIH and OSCP. Your reference to BiLE had me stumble upon http://www.vulnerabilityassessment.co.uk and the rest of their tools, and their framework; nice work indeed. As for attacking Windows with the hashes, this is already in Chris Gates’ blog. How would you say the amount of hands-on compares to the theory? E.g. 60% theory / 40% hands-on!
Do you still have access to the practicals/lab if you need to?
April 4, 2008 at 10:17 pm #17211 (Dummy, Participant)
I’m currently looking for pentest training and after reading this thread, I got quite attracted by SANS GPEN.
Thanks for your summary!
Did you guys also sit for the GIAC test?
I do not really get how the training is combined with the test.
If I were to subscribe for the test, would it be right after the training (same day / same location)?
@Bill: What do you mean by “intensely technical”?
Do you think having basic knowledge about e.g. TCP vs. UDP, HUBs vs. Switches, SQL injection, XSS is sufficient or are you talking about detailed knowledge about routing protocols and suchlike?
Regarding the hints to the Windows attack using hashes, CoreSecurity apparently also has a nice toolset:
April 7, 2008 at 11:19 am #17212
No, we do not have access to the labs anymore. I would say the course was 50-50 on theory and labs. Hope this helps.
The GIAC GPEN is not available as yet; this was the first run of the course and the certification test will only be available after the Orlando conference.
April 7, 2008 at 4:12 pm #17213
Thanks. How do you feel regarding the labs coverage? Were the ones you had during the course enough? Do you feel that you needed to ask more questions, that there could be more possible scenarios to cover, or that not enough practicals were given?
April 7, 2008 at 4:26 pm #17214
Well, as I said earlier, this SANS course is more hands-on than any other course. As far as the time, I think there was enough time to complete the labs, and you had help from the instructor and the facilitators if you needed it. Some labs were just getting to know the command line and others were little challenges. After the course, of course, you have to build on all the concepts and tailor them to your environment.
April 8, 2008 at 7:28 pm #17215
Thank you once again for the informative feedback. I will have to allocate a budget and time for that course sometime in the future before the information becomes outdated :-
September 11, 2008 at 3:22 pm #17216
Finally, I passed the GPEN exam last week. All I can say is... between CEH and GPEN, for those who have CEH and are going for GPEN, there is no comparison; it is a tough exam.
September 11, 2008 at 4:37 pm #17217 (BillV, Participant)
Nice job. Congrats, VJ!
I’m hoping to take that exam sometime in the next couple weeks. I’m about 75% through the course (doing OnDemand version).
Thanks for the heads up and congrats again 🙂
September 11, 2008 at 4:57 pm #17218 (Anonymous, Participant)
Excellent summary. I have been planning to take this course with the assumption that since it was developed by Ed that it would be good. It is nice to have confirmation of that.
Thanks for posting!
September 11, 2008 at 7:55 pm #17219 (geekyone, Participant)
Congrats Vijay! Thanks for the review. I am taking the test Sept 30th, Challenge, so every little bit of information helps.
September 12, 2008 at 9:31 am #17220
September 20, 2008 at 2:18 am #17221 (gueb, Participant)
I am also doing the OnDemand SEC560; I just finished SEC504.
The GCIH certification helped me a lot to understand this course, so less time on Google to understand and more time focusing on this course.
Are you building your pen test methodology / how-to for your organization while doing the course?
November 8, 2008 at 6:18 pm #17222 (kcirtap, Participant)
Just received my certificate! hahaha
It looks professional. It’s in a wooden frame. 😀
So I guess this means that it’s not just a paper certificate?.. LOL, just kidding! ;D
I really enjoyed and learned a lot from this course! Like Ed mentions on the course MP3, it’s like a baseline for penetration testing 😀
BTW, I took this course last May and was lucky enough to be eligible to become one of the facilitators! Whoohoo! This was my first SANS course and what an experience! The instructors are awesome!
Highly recommended course for everyone who wants to go into IT security. The course doesn’t only focus on making you a consultant pentester but also an internal security guru. 😀
Well, I wish everyone good luck and always have fun! *** Always bring a get-out-of-jail card... LOL