The focus of this course is to exploit and gain access to a target using tools and techniques that are native to the different OSs by default. The reason is that during a pen test the rules of engagement do not allow installing software, modifying the configuration, modifying accounts or bringing down services on the target.
Day 1 - Planning, Scoping, and Recon
Almost three quarters of the day was spent on theory: building up methods of pen testing, developing the mindset a pen tester should have, and setting up an infrastructure for pen testing. It also walked us through the business aspect of how to handle an RFP for pen testing services and formulate a contract with rules of engagement. We also discussed legal issues in various countries and how to report the results of a pen test so that they are beneficial to all tiers of the corporate structure. There were numerous little tidbits on what a pen tester should avoid and the most common pitfalls. The rest of the day was spent on DNS recon tools (whois, nslookup, dig, BiLE) and finding vulnerabilities using public resources such as search engines and domain registrations. I would say this was the most beneficial day for me, because no other course deals with these important parts of pen tests.
Day 2 - Scanning
The focus of Day 2 was scanning the target and recon. Tools like Nmap, Amap, Nessus and Tcpdump were discussed in great detail and, most importantly, the advantages and disadvantages of each. We also covered tips on when to use which tool. It also covered how to fine-tune the VA scanners so that false positives are reduced. I enjoyed the session on packet crafting with Hping3. Also, there was a great session on manual false positive reduction using some basic tools like Netcat, hping and others, so that the results are more accurate. This is another plus when compared to other courses.
Day 3 - Exploitation
We discussed in detail the different categories of exploits (client-side, server-side and privilege escalation), the difference between simple shell access and full-blown terminal access, and various techniques to gain each. There are lots of hands-on exercises on each. It covers Metasploit in great detail, including the advanced Meterpreter shell. And finally there was a very brief preview of the famous "Ed's Windows command line kung fu": making Windows run commands remotely using psexec, sc and wmic. This was very valuable to me and made me think that if I master this I would need fewer tools.
The only thing I felt was not covered here was how to modify publicly available exploit code to suit your needs and OS (using the Metasploit opcode DB, a hex editor, etc.), though we did it in a certain impromptu exercise.
Day 4 - Password Attacks
This was all about John, Cain, Ophcrack, fgdump and THC Hydra, explaining the inner workings of each in detail. Account lockouts and techniques to avoid them were also covered in detail, as were the different types of password representation (LM, NTLM v1, v2, MD5, DES) and where they are stored in different OSs. There was a very valuable discussion on the formulation of rainbow tables, and on the different ways to use Cain (password cracker, sniffing password hashes, playing back VoIP captures). There were very detailed hands-on exercises on all of the above tools. The best part of the day, which blew me away, was gaining access to a machine by passing the hash. With this technique you don't even need to crack the password to gain access: you can do it by passing the hash representation of a password on Windows systems.
Day 5 - Wireless and Web Apps
These 2 topics were not covered in great detail, but I think there was enough information to learn the different types of wireless encryption (WEP, WPA, WPA2) and the difference between XSS and XSRF, or between SQL injection and command injection. There was enough information to learn how the various wireless attack tools work. The web apps section had very cool and detailed hands-on exercises to illustrate the various concepts. The must-see technique here is gaining netcat functionality without netcat... a very cool technique.
Day 6 - Capture the Flag
And finally the task/game that brings all the concepts of the past 5 days together. All I can say here is that it was a very well engineered game, bringing in all the concepts learned throughout the course with emphasis on different techniques for achieving similar goals. Paying attention to details was also very well illustrated here. I bring this up because it was the very valuable lesson our team learned ... which cost us the win!
All in all I will say that this is another "MASTERPIECE from Ed Skoudis": a very well designed course focusing on pen testing using the tools and techniques native to OSs and commands that are commonly available on the target systems. The tools used in this course are all available on the Internet, and most other courses will teach you the command line to perform certain tasks. This course teaches you how to use them better, and other options to get the same or better results without using them. I think even an experienced pen tester would learn a few tricks from this course.
My kudos to Ed and SANS for offering it. Kudos should also go to all the invisible contributors, and every section should have dedicated slides on the stories of Matt Carpenter and Mike Poor.
Finally a word of caution: this is not a course for newbies, and it requires advanced knowledge of various OSs and TCP/IP. If I were you, to get the most out of this course, follow GSEC, GCIH and GPEN, and for completeness OSCP. Those are my thoughts.
Also, it was great meeting "the DON" ... I hope I will see you again and we can talk over beers!