Security Courses & Windows XP

DragonGorge

Jr. Member

Posts: 89

Joined: Wed Feb 08, 2012 6:30 pm

Post Mon May 19, 2014 11:53 am

Security Courses & Windows XP

I recently took a SANS course at SANS West. Overall, I was really happy with the course content and delivery. Yeah, it's expensive, probably prohibitively so for a lot of people, but there is a lot of great material in there. SANS seems to make an active effort to keep their stuff current, e.g. the VM we got was Windows 8. I remember being somewhat dismayed at the number of XP machines in the OSCP lab, but at that time XP still had a significant share of the computing market despite being a 12+ year old OS. Add to that, OSCP is/was technically a 101 course.

However, when my SANS instructor showed a demo of an exploit on an XP, I felt a little disappointed. Yes, I know it (XP) was just a vehicle to demonstrate the exploit but in the back of my mind I thought, "XP pssfth, ANYTHING can crack an XP machine." IMHO, using XP implies a) you haven't updated your slides in a while or b) you're demonstrating something that is only vulnerable on XP. More to the point, XP makes any slide or demo appear dated and in my mind, for any non-101 course to make the claim "current", they need to eliminate XP from their material. Even for a 101 course - show how vulnerable XP is and move on (Win 7, 8, etc). The rest of the world is moving off XP, it's time security courses do too.

SephStorm

Hero Member

Posts: 621

Joined: Sat Apr 17, 2010 12:12 pm

Post Sat Nov 01, 2014 5:32 am

Re: Security Courses & Windows XP

I know this is an old post, but I agree. It's often used because it's repeatable, but the problem is that it does not indicate advanced techniques. They aren't demonstrating how to bypass ASLR, UAC, Windows Firewall, etc. These are things a pentester needs to understand, and they aren't being taught. I find myself turning off firewalls and UAC in my labs because I don't know how to get past them except with SET.
sectestanalysis.blogspot.com/

Grendel

Sr. Member

Posts: 257

Joined: Thu Aug 28, 2008 8:48 am

Location: Colorado Springs, CO

Post Sat Nov 01, 2014 2:31 pm

Re: Security Courses & Windows XP

So here's the deal, and I think you're missing the point -

There are multiple attack vectors we (as instructors) want to provide our students. One attack vector is the process we use as pentesters to exploit known vulnerabilities with exploitable code, which can seem simplistic - find a vulnerable system, run Metasploit, own the box. This is true for older systems and new OSes with zero-days. So when we teach students this technique it's easier to demonstrate against a box with multiple exploits on it.

Let me say this another way. Would you rather learn about a single known exploit against a new OS, or learn about 20 different exploits that behave differently (language packs, injection techniques, etc.) on an older system? By learning multiple exploits on older systems, you learn some of the specifics surrounding each type of exploit and why some work better than others. Showing you a new system with a small number of exploits is actually a worse instructional tool than one with a lot of exploits - not only do you learn different types of attacks (against different services), you learn the history of attacks and which services tend to be more exploitable as time progresses.

Using Windows XP as a target is definitely a good way to teach people how to exploit systems. It shouldn't be the final step in teaching pentesting techniques, but there is a lot to learn from older, exploitable systems during your journey.

SephStorm

Hero Member

Posts: 621

Joined: Sat Apr 17, 2010 12:12 pm

Post Wed Nov 05, 2014 9:54 am

Re: Security Courses & Windows XP

I don't disagree, Grendel; my issue is that there appears to be little that connects the training we get with how it can be applied to the modern world. For instance, in the MSFE course, we see the instructor using a few exploits to own a WXP system; his point is to demonstrate the principles of exploitation and showcase use of Metasploit. IIRC, he continues to utilize the same exploit through the rest of the course when possible. What would be more useful would be to show the WXP exploit, then showcase a different exploit on a different OS, say W7, to show the student that indeed the same principles apply. Oftentimes services are exploited, which is fine, but there aren't many workable remote service exploits available for workstation OSes. So a person can complete a course having utilized one or two exploits and having no idea what to do when they encounter a system with no service vulnerabilities.

I speak from my experience. Most of my recent time has been spent learning to push beyond what I was taught, learning how to use SET to attack software vulnerabilities, but I still have gaps in my knowledge. We really need training that covers a good baseline that a person can build upon.
sectestanalysis.blogspot.com/
