SANS SEC575 Mobile Device Security and Ethical Hacking Review

I recently attended the SANS SEC575 Mobile Device Security and Ethical Hacking class in Las Vegas and I wanted to post some of my thoughts on the course.

Day One: Architecture and Management

Day one started off with a quick overview of mobile device issues that would be addressed in the course and a lab which has the students extract sensitive data from a network capture file with mobile device traffic. After that there are four “what you need to know” sections about iOS, Android, Blackberry and Windows Phone devices. The sections cover technical specifications, key points, protection mechanisms etc. These sections are well done and provide a solid foundation for the rest of the class.

The next section in the book covers building your own lab using devices, emulators and simulators. There are two exercises where you configure an Android emulator and interact with it using ADB commands. The labs throughout the entire course were very well done and helped reinforce the topics being taught.

The next portion of the book discussed Mobile Device Management (MDM) systems used for enforcing device policy settings. This section included an exercise that had you take a policy for a company and create a profile enforcing the rules of that policy using the iPhone Configuration Utility.

Mobile Malware was next up and we started off covering some basics, progressed to examining specific historical malware attacks and finished by discussing preventative measures to protect your devices. That concluded the class portion of day one but the day one book also has an Appendix on policies and practices as well as a section on miscellaneous topics.

Day Two: Security Controls and Platform Access

Day two begins with a lengthy section on mitigating the threat from stolen devices and includes an exercise where the students recover the swipe pattern from a locked Android. Backups, fingerprints and passcodes were all discussed as well.
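As an added illustration of that lab (example code written for this review, not course material or a course lab): on the Android releases that stored the lock pattern in /data/system/gesture.key as an unsalted SHA-1 of the drawn cell indices, one byte per cell, the pattern can be recovered from a copy of that file by hashing every candidate sequence until one matches. The file format described here, the sample pattern and the 20-byte value built from it below are all assumptions made for the example; later Android versions changed the scheme, so it only applies where that file exists in that form.

```python
import hashlib
import itertools

# Lock-screen grid cells are numbered row-major, 0..8:
#   0 1 2
#   3 4 5
#   6 7 8
# Assumption for this example: gesture.key holds the raw, unsalted SHA-1 of
# the cell indices in draw order, one byte per cell, 20 bytes total.


def pattern_hash(cells):
    """SHA-1 over the pattern's cell indices, one byte per cell (assumed gesture.key format)."""
    return hashlib.sha1(bytes(cells)).digest()


def candidate_patterns(min_len=4, max_len=9):
    """Every ordered selection of distinct cells with length min_len..max_len.

    Android also refuses patterns that jump over an unvisited cell in a straight
    line, so this superset contains sequences the UI cannot draw; that only costs
    a little time (under a million SHA-1s for the whole space).
    """
    for length in range(min_len, max_len + 1):
        yield from itertools.permutations(range(9), length)


def crack_gesture_key(digest):
    """Return the first candidate pattern whose hash matches digest, or None."""
    for cells in candidate_patterns():
        if pattern_hash(cells) == digest:
            return list(cells)
    return None


def read_gesture_key(path):
    """Read a copied gesture.key and sanity-check that it is a single SHA-1."""
    with open(path, "rb") as f:
        data = f.read()
    if len(data) != 20:
        raise ValueError(f"expected a 20-byte SHA-1, got {len(data)} bytes")
    return data


# Constructed test input (no real device file): the L-shaped pattern 0-3-6-7-8,
# hashed the same way the phone is assumed to have stored it.
EXAMPLE_PATTERN = [0, 3, 6, 7, 8]
EXAMPLE_KEY = pattern_hash(EXAMPLE_PATTERN)

if __name__ == "__main__":
    print("gesture.key =", EXAMPLE_KEY.hex())
    print("recovered   =", crack_gesture_key(EXAMPLE_KEY))
```

On a real examination the digest would come from `read_gesture_key()` on a file pulled over ADB from a rooted device rather than from `EXAMPLE_KEY`; the search itself is unchanged.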

Next up was a section on unlocking, rooting and jailbreaking iOS and Android devices. The section started off with general topics and then covered a specific iOS jailbreak and a root for an Android Nexus 7.

The next section was small but packed with great information on data storage and filesystems. Plist, SQLite and XML were all covered as were locations within the filesystem which could contain sensitive data. This section concluded with a lab where the students searched an iPhone backup to look for key pieces of information.

Most of the remainder of day two was spent covering capturing and analyzing mobile application network activity using tools such as Burp Suite, NetworkMiner and Wireshark. There were two well-done exercises in the afternoon which gave the students a chance to utilize these tools.

Tacked on to the end of the day two book was a section on Blackberry classic PIN cracking and backup access as well as a few other miscellaneous topics.

Day Three: Application Analysis

Day three brought 280 pages of hardcore application analysis and I loved every minute of it. Before I give an overview of the day’s content I would like to state that a majority of the class had little to no programming experience and still got a lot out of this section. You don’t need to be a programmer to go through the exercises; you just need to understand the concepts taught and use analytical thinking.

The first section is on static application analysis (Android and iOS) and ends with an exercise analyzing an Android application.

The next section is on automating app analysis and has a lab where the student analyzes a piece of Android malware and then another where the student finds a vulnerability in an Android application that can be exploited.

Next up was a lengthy section on manipulating an application’s behavior which includes a lab on modifying Android applications.

The day ends with a short but awesome “App Analysis Walkthrough” where the author goes through the steps he took each day on a near real world analysis of an iOS application and a small section on filesystem monitoring.

By the end of the day your brain is cooked but you’ve learned quite a bit about analyzing mobile device applications in different ways.

Day Four: Penetration Testing Mobile – Part 1

Days four and five of this course are really interesting. Days one through three covered topics that were largely mobile device related, but there is obviously a lot of crossover between mobile device hacking and traditional hacking, and that is where days four and five come in.

Day four is a one day mini primer on wireless hacking and it is FANTASTIC. It starts off with a section on wireless network scanning where it discusses topics like using monitor mode on Linux, Windows and OS X and introduces a few basic tools. The first section ends with a lab where students use Kismet to figure out the SSID of a network which is hiding it.

Next up is a short but sweet section on mapping probe requests which includes a lab where the students generate a visual graph of client probe requests.

The next few sections progress through the different levels of encryption.

• On an open network with a captive portal? You’ll cover ways around it.
• On a WEP encrypted network? You’ll crack it in a lab.
• On a WPA-PSK encrypted network? You’ll discuss your options and you’ll crack one in a lab.
• Facing a WPA Enterprise network? You’ll discuss setting up your own modified RADIUS server to grab login credentials.

The day ends with a section and lab on mobile device fingerprinting.

I seriously couldn’t imagine a better one day walkthrough of wireless topics. For the small number of students who had attended the SANS SEC617 wireless or other in depth wireless courses it was a nice refresher but for everyone else it was a fantastic mini wireless course hidden within a course on Mobile Device Security.

Day Five: Penetration Testing Mobile – Part 2

What day four was to wireless, day five was to web application type attacks. Day five covers network manipulation attacks like ARP spoofing, sidejacking attacks, SSL/TLS attacks, client side injection attacks, HTTP parameter tampering, XSS attacks and SQL injection.

While the tools the students use are web application testing standards like Burp Suite and SQLmap, the labs have you attacking the transactions and infrastructure for mobile device applications you’re running in emulators.

Just like day four, they did a fantastic job of boiling down what would have been a week’s worth of content into a day’s worth of great overviews and hands-on experience.

Day Six: Hands-on Mobile Security Event (Capture The Flag)

The CTF for day 6 of the 575 course uses the Netwars scoring engine and is very well done. Every student in class got a chance to practice the skills they had been exposed to over the past five days and it really seemed to help add to the learning process. There were the moments of frustration found in any CTF but everyone seemed to really enjoy the day.

Summary

The 575 was a very enjoyable class. There were some topics which I was already a little bit familiar with but now have a much better understanding of after a week of hands on learning and instruction from a world class expert.

The class was taught by Chris Crowley who did a great job teaching and entertaining. He seemed sincerely interested in helping students get what they wanted out of the class, had many sidebar conversations with students at break and after hours and spent the better part of one lunch period going over the previous day’s labs for a few students who wanted to see a walk through. I would take a class from Chris again in a heartbeat.

Pentesteracademy.com x86 Assembly Language and Shellcoding on Linux Course Review

Most people interested in information security have likely visited SecurityTube.net before but for those who haven’t it’s a great aggregator for videos of tutorials, demonstrations and conferences. The site’s owner Vivek Ramachandran has produced a ton of free content and a few paid courses. Late last year he transitioned all of his premium courses to a new site at pentesteracademy.com where you can access all of his courses for a monthly $39 fee.

I recently finished going through his “x86 Assembly Language and Shellcoding on Linux” course and wanted to share my thoughts on it. Before watching his videos I knew almost nothing about Assembly language or shellcode but I did know that I needed to have a good understanding of both in order to be any good at reverse engineering and exploit development.

The first seven or so videos cover a lot of system architecture and explain what the different registers are and how they’re used. This is a very tricky section because he’s explaining things that you’ll need to know for the rest of the course but they’re hard to visualize since he hasn’t started the demonstrations yet. I never felt lost during his explanations but once the demonstrations started in videos eight and nine you start applying the information from the first section of slides and it all falls into place.

Videos 8 through 21 walk the student through assembly language concepts like understanding and using the stack, loops, math, strings etc. At the end of those videos I wouldn’t say I was “good” at assembly language but I was at least getting comfortable with it. Before I started I would have looked at assembly language and had no clue what I was looking at. Now I can look at it and while I may not understand what the code is accomplishing I understand each of the little pieces and what they’re doing. Now when I look at the reverse engineering book I’m getting ready to read I don’t feel like I’m reading Klingon.

There is plenty of assembly in videos 22 through 37 but the main focus is on shellcode. Vivek explains what shellcode is, what changes you need to make in your assembly in order for your shellcode to work and writes some hello world shellcode using different techniques like JMP-CALL-POP. Once again I didn’t feel like an expert but I sure understand a lot more. Vivek then covers InfoSec specific content like encoders (both using others and making your own) and polymorphism. The series ends with a look at analyzing others’ shellcode and writing custom crypters.

I’ve gone through several of Vivek’s other videos but this is the first time I’ve gone through one of his courses start to finish. The course is exactly what I needed and I’ve already recommended it to a friend who is working on learning reverse engineering but would like a better understanding of assembly. If you’re like me and hitting a point in your InfoSec studies where you realize that you need to understand some of the low level material in order to learn advanced topics this is a great resource. He really does start from square one so no prior knowledge is expected.

One of the reasons I initially signed up for pentesteracademy.com was that I was a big fan of Vivek’s work on securitytube and wanted to support his efforts. I also seem to learn a lot better from video explanations and demonstrations than I do from books. I paid $99 for the first month and $39 a month after that but he occasionally runs specials where the first month is $39. He’s been adding a lot of new content to ongoing courses and coming up with new courses so I don’t think it’s possible to go through everything unless watching videos is your full time job. I think his web app hacking course alone is up to almost 70 videos and still going.

While I was in the arsenal room at Blackhat last month I looked over and saw Vivek checking things out. I went over to him and introduced myself, thanked him for everything he taught me and had a nice conversation with him. He was incredibly friendly, gracious and humble and thanked me for my support. I saw him again at Defcon and he approached me, said “Hi Matt” and asked how I was enjoying the conference. He is a genuinely nice guy.

Even with no bonus points for being a nice guy his site is an amazing training value. He has several free videos in each series so you can get a feel for his teaching style. He just started a free “Make Your Own Hacker Gadget” series that I’m going to follow along with.

If you like video instructionals and have things like “Learn assembly”, “Learn to write exploits” and “Improve my Python” on your to-do list then pentesteracademy.com is well worth your time to check out.

On a completely unrelated topic, I had an absolute blast at Blackhat and Defcon and have already reserved a room at the Defcon site for next year. I did a write up on my experiences as a first timer which should appear on ethicalhacker.net soon. I also grabbed several signed books there which I had already purchased copies of so I’ll probably do a giveaway here for my unsigned copies of those once the article hits.

Thoughts on the SANS 560 at Cybercon

As some of you know I’ve been on a SANS binge over the past 18 months at a pace that seemed on the brink of unsustainable at times. Some of the classes like the FOR 408 and FOR 585 were topics very relevant to my duties and interests. Some of the classes covered material that I don’t use much in my current daily life but I knew were big holes in my overall skill set. The SEC 503 squared away my packet analysis skills like I doubt any other course could have. I’ve greatly enjoyed every class I’ve ever taken but the classes were always to learn or refine my skills.

So after 18 months of being mature and taking the appropriate classes I rewarded myself by going the opposite route. I took a class that I knew would absolutely teach me new skills and help refine skills I already possessed but I primarily picked the SANS SEC 560 Network Penetration Testing and Ethical Hacking course because it just sounded like a heck of a lot of fun.

I’ve already been asked one question about my experience and I’ve been involved with some SEC 560 vs. SEC 504 discussions in the past so there are a few topics I wanted to discuss before I do a course summary.

Q: How Was Cybercon compared to a live conference?

A: I talked a little bit about my previous Cybercon experience here http://digitalforensicstips.com/2013/04/early-thoughts-on-cybercon/ and everything I said there remains true. The software used was different this time out but it still had zero issues and felt smooth.

At the last Cybercon I took the 414 CISSP prep course and there were literally zero issues. Twice a day we would pause to go take the practice tests and meet back up afterwards; everything was flawless. This time there were still no issues with instructor interaction, but since students had to VPN into remote labs to perform the exercises a few of the students were having some issues. The SANS support staff were extremely friendly and helpful and even ended up remoting into two students’ machines to get them configured. I can’t say enough good things about those guys.

So there were issues, but when you have students with entirely different setups using VPN to connect to remote labs that’s not terribly surprising. Things change, so this advice probably has a shelf life worse than sour cream, but if I had a friend taking the next virtual 560 class I would advise them to set up the VPN connection on the Linux VM and a Windows system (for me it was my host OS) as soon as they get their disk. For me setup only took a few minutes each and I made sure that I could not only ping the target IP address SANS provided but also that my Windows host could ping my Linux VM (through the VPN) and vice versa (once I disabled my Windows firewall). I personally had zero connection issues during the class except for the occasional dropped connection on the Linux side, which always corrected itself.

Connection issues aside, the labs worked flawlessly 99% of the time. There was one lab where the second half required a Metasploit pivot from one box to another and for some reason the target box didn’t want to play nice. I haven’t checked to see if the issue is resolved yet but that was honestly the only issue we had the entire week. Once again kudos to the virtual support staff.

All of the above is necessary background but I haven’t actually answered the question yet so here goes.

If SANS was holding an event in my city and running an online course at the same time I would choose to go to the event in person. The opportunity to network on such a grand scale is well worth getting dressed each morning 🙂

If I had a choice between a fully funded trip to a SANS conference and taking a course online I would go to the conference. Free trip and a conference, come on!

Unfortunately for me neither of the above two scenarios is likely. What is far more likely is the exact scenario I faced this month. SANS is holding an event this week in Scottsdale a little over two hours north of me. I attended last year and had an absolute blast. I saw this year’s conference was going to have the 560 and I was stoked. Later I saw that the week before the conference (last week) was an online version of 560 at Cybercon and I had to make a decision. I ended up choosing Cybercon and saved the money I would have spent driving there, spending six nights in a hotel and eating out.

My situation was about as pure of a decision as possible. I had been to a SANS Scottsdale and a Cybercon and both of them were offering the course I wanted within one week of each other. I viewed the decision as travel expenses vs. personal networking and nothing more. The quality of learning didn’t factor into my decision nor should it have. After two Cybercon experiences I can say I’m very satisfied with the training I’ve received.

One more thing to mention is cost savings isn’t the only advantage online students get. I love the mp3s as much as anybody but I’m a huge fan of video learning and online students get access to video recordings from the course for four months. At one point while the instructor was giving a very detailed description of rainbow table creation I had to go to the front door to sign for a package. Later that afternoon I was able to go to the video to see what I had missed. That’s pretty darn cool.

Earlier I cited the VPN connection as an issue for some people but it’s also one of the biggest perks. Most of the 560 students in Phoenix this week will play around on one network for a few days performing labs and then on another network for a few hours during the CTF and that will be it. Online students get access to both networks for four full months. That’s pretty darn cool. There are a few things on the CTF network that I plan on going back and playing with this week and I like having that opportunity.

Hopefully that does a decent job comparing the pros and the cons of the multiple formats.

The other topic I wanted to discuss was the amount of overlap between SEC 504 and SEC 560.

When I took SEC 504 in September of 2012 there was a really nice guy in class who had commented to me that he was enjoying the class but his previous class was the 560 and there was a lot of overlap. I knew this was a topic of interest (SANS even has a FAQ page on the subject) so I wanted to give my thoughts on it.

SEC 504 was my first ever facilitating gig and honestly I think it was my sixth choice. I lucked out. Only the SEC 401 would have been more appropriate for me at that point in my journey. The 504 was awesome. It introduces you to all sorts of different attacks, explains how they work and then spends a little bit of time discussing how to identify and prevent them. In addition to being the first block on the pen testing course chart the 504 is now (rightfully so) listed as the first block on the forensics course chart as well. That speaks volumes about the course’s usefulness.

While the 504 was exactly what it claims to be (a great overview on hacker techniques and exploits) the 560 is also exactly what it claims to be, a great overview on pen testing.

One stark contrast between the two courses is the coverage of Metasploit. In the 504 students are introduced to Metasploit, start it up, and fire it at vulnerable servers. It’s a great introduction and the students get a chance to play with it more during the day six CTF. In the 560 students get the same intro but then go way more in depth looking at the various sorts of modules, at integrating Metasploit with a database so it can use nmap or Nessus results to identify useful exploits, at different ways they can pivot from one machine on a network to another one etc. I have used Metasploit in multiple courses and practicing on my own but I definitely have a better understanding of it now.

I loved the 560 for a lot of the same reasons I loved the 408 Windows forensics course. The courses were very systematic and well laid out. Day one covers a lot of the legalities, best practices and some recon. Day two provides GREAT coverage on scanning so you can map out targets. Day three is using Metasploit and some other tools to get a foot hold on the network and move around. Day four is a great look at password attacks and covers both attacks over the network using tools like hydra and offline attacks using John the Ripper and Ophcrack. Day five was a little different but enjoyable. The first half of the day was wireless and the second half was web applications. I’ve already taken the 617 wireless hacking class and the 542 web application attack class so I would have preferred different content but the content was very well done and enjoyable. Just like the 504 day 6 is a capture the flag event.

The 504 and 560 are both 500 level SANS courses designed by Ed Skoudis with “hack” in the title so there are going to be some similarities. Once again I lucked out in that I went to the classes in the correct order. The 504 exposed me to a lot of techniques and the 560 helped me refine my use of the techniques and develop a game plan. If I had gone to the classes in opposite order (like the gentleman I spoke to had) then I likely would have had similar thoughts. I would have gone from a course which covered tools in depth to a course which covered them with less detail but exposed me to other attacks and techniques.

If you’ve taken the 504 and are interested in the 560 then go for it. The overlap is headed in the right direction. If you’ve taken the 560 and are considering the 504 then it may indeed be an awesome class for you but I would take a good look at your options and what you could get from each of them. If I was recommending courses to a friend new to pen testing I would recommend both the 504 and the 560 but specify that they should be done in that order.

Kevin Fiscus is a great instructor with a gift for explaining difficult concepts in a way anyone can understand and I was able to take lessons learned from my 504 CTF (mainly to stay organized) and come in first in the 560 CTF. All in all it was a great week and I’m sure it won’t be my last online class or my last class with Kevin.

SANS 503 and GCIA Thoughts

I attended the SANS SEC 503 ‘Intrusion Detection In-Depth’ course at SANS Network Security two months ago and just took the GCIA certification exam yesterday so I thought I’d post a few thoughts on the class and the exam. It’s not a full review but if you have questions feel free to ask and I’ll do my best to answer them.

In the past people I respect greatly have told me that I should be able to look at raw tcpdump output and decipher what was going on. I thought this class would help me out quite a bit in this area and I was 100% correct. In fact, late in the exam yesterday I caught myself smiling as I worked through a somewhat complicated problem which presented me with a bunch of hex and asked me what was going on. I assure you that I would not have been smiling if I had to answer that question two months ago.

I may have very well been the only student in class who had never held a networking job so in addition to learning low level packet skills I picked up a lot of knowledge about filters, improved my familiarity with Wireshark quite a bit and got a more in depth look at a lot of correlation and analysis topics that I learned about in SEC 401.

I had a harder time studying for this exam than any of the previous GIAC exams I’ve taken as I often felt mentally exhausted. It’s tough for me to know what percentage of that was from the material itself and what percentage was the 17 certifications in under two years pace I’ve been on but I still wanted to mention it.

I had heard that the GCIA was one of the more difficult SANS exams, saw that the passing score was only 67% and was honestly a little worried about the test. The practice exams drained me mentally but my scores were well above passing so I scheduled my test. I started the exam with a good score but on a slower than acceptable pace. My pace got quicker and quicker and I ended up finishing with a score of 92 and an hour left.

A few tips for anyone taking the GCIA exam:

  • I know I’m Mr. Index and I had a good one for this exam too but I used my index less on this test than I ever have before. You still absolutely need to make one (and make sure you include the packet header spreadsheet included on the course VM and a common port cheat sheet) but a lot of the questions required you to understand and apply concepts and analyze hex in addition to the normal syntax questions. Use lots of tabs on the books for this one my friends.
  • On the cover of my index I put what question I should be on at the one hour mark, two hour mark and three hour mark. I would recommend you do the same if you’re at all worried about time but don’t overreact if you’re behind pace early. I was 5 or 6 questions off the pace at the one hour mark but like I said earlier I ended up having an hour left at the end. You’ll end up performing the same sort of packet analysis repeatedly and will likely speed up quite a bit.

The 503 doesn’t have the sexiness of the hacking courses or the forensics courses but I enjoyed the class and it was a very important one for me as I really needed to work on my packet analysis skills. Next up on my to-do list is assembly language for reverse engineering and exploit development.

Review of the new SANS 585 Smartphone Forensics Course

I recently had the opportunity to beta test the soon to be released SANS 585 Smartphone Forensics course and I wanted to share some thoughts about the course content and the labs.

The course page on the SANS website (http://www.sans.org/event/for585-advanced-smartphone-mobile-device-forensics/course/advanced-smartphone-mobile-device-forensics) provides an accurate overview of each day’s topics so I’ll focus more on thoughts and opinions than lists.

Overview

The course starts with an overview of cellular technology and networks and quickly moves on to explore advanced topics. The jump from the basics into topics like wear leveling, garbage collection and so on is a hallmark of a SANS forensics course, which is one of the reasons why I love these courses so much. The refresher of the basics is nice, but the integration of advanced issues – which is where many of us need the help – is nothing short of awesome. Throughout all five days, the course provides full-page examples that demonstrate the concepts explained within the content.

The initial section on parsing the contents of a SIM in hex is a smooth introduction into a course that delivers a healthy dose of hex each day. It’s important to understand that the emphasis on hex is never “hex for the sake of using hex.”

Hex is used to locate and parse artifacts that commercial programs will not automatically parse and for digging for deleted artifacts not present in the tools’ reporting mechanisms. One lab shows a tool reporting six entries in an application. Analyzing the underlying sqlite database confirms that the table does indeed have six entries. You can then look at the sqlite database in hex to uncover how many messages were not picked up in the report. This course is full of tricks of the trade that can make huge differences in efficacy in real world settings.
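To show what that lab is exercising, here is an added example written for this post (not a course lab, and using a constructed SQLite file rather than a device image). It builds a small chat table, deletes two rows the way an app would, and then compares what a SELECT-based tool reports with what a raw byte scan of the same file finds: the deleted records are still sitting in the page’s free space, so the file holds eight messages while the table only knows about six. The table layout, the messages and the `msgNNNN` tags used for carving are all made up for the example.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample rows (not from any real device). The 4-digit tag at the
# start of each body is only there to make every message easy to carve.
MESSAGES = [
    (1, "alice", "msg0001 lunch at noon?"),
    (2, "bob",   "msg0002 sure, usual place"),
    (3, "alice", "msg0003 bring the drive"),
    (4, "bob",   "msg0004 which one"),
    (5, "alice", "msg0005 the grey one"),
    (6, "bob",   "msg0006 ok got it"),
    (7, "alice", "msg0007 delete this thread"),
    (8, "bob",   "msg0008 done"),
]
TAG_RE = re.compile(rb"msg\d{4}")


def build_db(path, delete_ids=(3, 7)):
    """Create a chat-style table, then delete some rows the way an app would."""
    conn = sqlite3.connect(path)
    # Some SQLite builds enable secure_delete, which zeroes freed cells on
    # DELETE. Turning it off reproduces the usual on-device behaviour, where a
    # deleted record lingers in page free space until the space is reused
    # or the database is vacuumed.
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", MESSAGES)
    conn.commit()
    placeholders = ",".join("?" * len(delete_ids))
    conn.execute(f"DELETE FROM messages WHERE id IN ({placeholders})", delete_ids)
    conn.commit()
    conn.close()


def live_tags(path):
    """What a tool that simply runs SELECT against the table will report."""
    conn = sqlite3.connect(path)
    rows = conn.execute("SELECT body FROM messages").fetchall()
    conn.close()
    return {TAG_RE.search(body.encode()).group().decode() for (body,) in rows}


def carved_tags(path):
    """Scan the raw file bytes, ignoring the b-tree structure entirely."""
    with open(path, "rb") as f:
        raw = f.read()
    return {m.group().decode() for m in TAG_RE.finditer(raw)}


def orphan_records(path):
    """Tags present in the file bytes but absent from the live table."""
    return carved_tags(path) - live_tags(path)


def hex_context(path, tag, before=8, after=24):
    """Bytes around one carved hit, for eyeballing the freed cell in a hex viewer."""
    with open(path, "rb") as f:
        raw = f.read()
    i = raw.find(tag.encode())
    return raw[max(0, i - before): i + after].hex(" ")


def demo():
    """Build the sample database and return (live row count, orphan tags, hex around one orphan)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "chat.db")
        build_db(path)
        live = live_tags(path)
        orphans = sorted(orphan_records(path))
        return len(live), orphans, hex_context(path, orphans[0]) if orphans else ""


if __name__ == "__main__":
    n_live, orphans, ctx = demo()
    print(f"table reports {n_live} rows; carved but not in table: {orphans}")
    print("hex around first orphan:", ctx)
```

Only the first four bytes of a freed cell are overwritten by SQLite’s freeblock header, so the sender and body text survive intact; that is what the hex view shows. On a real handset the same scan should also cover the `-wal` and `-journal` files next to the database, since recently deleted pages often live there rather than in the main file.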

Also, the labs are all incredible and the ‘answers’ sections at the back of each lab are perfect. They don’t just give an answer; they give detailed walkthroughs with plenty of screenshots. It’s another testament as to how meticulous, knowledgeable and detail-oriented the course – and its designers – are.

Day One

The core concepts section covers the basics and continues with the overview of smartphone handling and acquisition and a tool overview. The course moves on to using FTK Imager to examine an SD card and to parsing SIM card data at the hex level. The first day ends with a section on general mobile device repair that provides an overview of resources, tools, and tips.

Day One’s appendix is a step-by-step guide to acquire data utilizing Cellebrite, XRY and Oxygen. Students who already perform mobile device forensics on a daily basis may not crack open this section of the book, but it contains great walkthroughs with plenty of pictures and is a great reference for those who are new to these tools.

Day Two

Day Two provides a detailed look at the Android file system, including where certain types of evidence may be located. While this section makes up the bulk of the day, the section at the end is where I’d like to share my observations.

The last part of Day Two starts off with a talk about malware and using Cellebrite PA to scan devices for malware. It also includes a few slides that introduce various Android spyware programs, available for purchase on the internet, and then show artifacts that these different applications could leave on a device. Mobile device spyware applications aren’t something that I look for on a regular basis, but this will be a fantastic resource for those times when I am in need of this information.

The appendix contains a guide to examining an image in Internet Evidence Finder and using XRY to parse a Samsung Kies backup.

Day Three

Day Three is for iOS devices and provides an in-depth look at the iOS file system and where certain types of evidence may be located. It also includes information on how to identify if a device has been jailbroken or wiped, how to recover data from third-party communication applications, and so on. In addition, there is some tool-specific content, including keyword searches and timeline generation.

Day Four

Day Four is split in half, with the first portion covering Blackberry devices and the second covering forensics on backup files.

The Blackberry device presentations are extremely in depth and include familiarization with Blackberry artifacts at the hex level.

Several of the 585 labs do a solid job of reinforcing the concept that an examiner should use multiple tools to examine a device. However, one of the Day Four labs takes it to the next level by having the student examine a Blackberry device using four different methods. The student is given a list of questions to answer, and every one of the four examination methods used in the lab will reveal artifacts that the other three do not.

Day Five

Day Five is a grab bag day that covers Windows Mobile, Nokia & Symbian, knock-off devices and third party applications.

The Nokia & Symbian section does a great job covering the file system and artifacts down to the hex level. The next time I have a question concerning a device running these operating systems, this book will be the first thing I reach for.

The Windows Mobile forensics section covers several topics including Windows Mobile registry analysis and usage artifacts.

The knockoff section provides both a good overview of dealing with clones and some specific guidance and examples for artifact parsing.

The final section discusses different types of third party applications on iOS and Android devices and parsing these types of applications.

The Day Five appendix gives a step-by-step walkthrough for using a Cellebrite PA with CHINEX to examine a clone phone.

Conclusion

I’ve taken multiple mobile device forensics courses, including the SANS 563, and can say with the utmost confidence that this course is phenomenal. The books will be an invaluable desk reference the next time I’m poking around inside a file system, and the labs do a great job reinforcing lessons taught in the course.

The topics covered in the course can be considered advanced but are also very practical. Topics such as parsing and searching devices not supported by commercial tools and digging in hex for deleted artifacts are extremely important and not at all intuitive to learn through trial and error.

In closing, this course is a much-needed and valuable addition to the SANS forensics course lineup.

Thoughts on SANS Network Security 2013

I had six weeks between passing my GWAPT exam and attending SEC 503 at SANS Network Security 2013, so for the first time in the past fourteen months I took a break from studying and certifications. I still spent some time setting up a VM and building a Python web scraping app, but nothing worth blogging about.

For the second year in a row I was able to attend SANS Network Security in Las Vegas and for the second year in a row it was well worth it. I got back home last week and thought I’d type up a few quick thoughts on the conference since it’s been over a month since I’ve posted here.

In addition to seeing people that I wish I got to see more often I also got to meet some great new people that I look forward to talking more with in the future.

I (of course) attended the DFIR talk put on by Alissa Torres, Chad Tilbury, Lenny Zeltser and Rob Lee. It was a great talk and gave a sneak preview of each class and a nice overview of how they all fit together. That talk was followed by Jason Fossen’s talk “Windows Exploratory Surgery with Process Hacker”. The two main takeaways from this talk were:

  • He knows more about Windows than I will ever know about anything
  • He is friggin hilarious

The only other night talk I got a chance to attend was John Strand’s talk covering tools on the ADHD distro including HoneyBadger and ReconNG. I’ve used ReconNG a few times but a few of the other tools were new to me and the talk as a whole was highly informative and obviously entertaining.

There were a few other night talks that I wanted to attend but Netwars was calling my name. I got a chance to play for about an hour last year and had a blast so I was looking forward to being able to play for two full nights. I did a lot better than I did last year but I also identified several areas where I need to improve my skills in 2014.

While all of the things above were awesome the main reason for attending any SANS conference is the class itself. This year I was in Mike Poor’s 503 class on intrusion detection and packet analysis.

I was excited to get a chance to attend Mike’s class as packet analysis is an area where I have a ton of room for improvement as I rarely deal with it on a day to day basis. I always put in a lot of after class studying and test prep but this class may set the record as there’s a lot for me to work on. I’ll definitely have another post or two on my study process.

Regarding the in-class experience, Mike Poor is a fantastic instructor. He’s mellow, friendly, seems genuinely interested in his students, and leaves a very good impression.

Our teaching assistant was Judy Novak. I heard several “the legend of Judy Novak” stories from John Strand last year during my 504 class so it was cool to get to meet her. She is knowledgeable, helpful, funny, sweet and just 100% awesome. She gave an extra session on “IDS evasion using Scapy” late one afternoon which was a cool bonus.

All in all it was a great experience and I can’t wait until I get a chance to go to another.

SANS 542 and GWAPT Review

I recently finished the OnDemand version of the SANS 542 Web App Penetration Testing and Ethical Hacking course and passed the GIAC Web Application Penetration Tester (GWAPT) exam so I thought I would post a few quick thoughts on the course and exam.

It’s more than a little redundant to say a SANS instructor did a great job but Kevin Johnson rocked. I was slightly biased coming in as I talked to him for about 90 seconds last year in Vegas and he was really friendly but even setting that massive amount of personal experience aside Kevin is both incredibly entertaining and a great teacher. I really want to take a class from him in person so I need to keep my eyes peeled for any 642 offerings out west.

Mr. Johnson is very upfront about what the class is and isn’t. While there is a full day devoted to exploitation the class is not a collection of “Here’s exploit A, now here’s exploit B…” but rather an overall look at web app pen testing methodology and best practices as a whole.

What this class won’t give you:  “If they’re using WordPress version 3.2 I’ll use exploit X but if they’ve upgraded to 3.3 I’ll use exploit Y”

What this class will give you: The ability to properly examine a website, determine the underlying technologies, give you an understanding of possible attack vectors based on your earlier findings and expose you to the tools to help you locate these vulnerabilities and attempt to exploit them.

It really boils down to the old give a man a fish vs. teach a man to fish thing and I’m extremely happy this class takes the approach it does. The SANS website course breakdown is accurate so there’s no need for me to give a play by play on what was covered, but you will learn concepts to test both specific types of technologies (AJAX, Flash, JavaScript etc.) and technology-independent design and logic flaws. The course also covers using Python scripts to help automate your testing.

I had played with a lot of these tools and been exposed to a lot of the concepts from earlier courses and practice but the 542 did a great job of providing a systematic approach and a barrel full of real world stories which tie concepts taught in class to practical applications. As penetration testing is a hobby rather than a daily job for me I greatly enjoyed and appreciated these.

Regarding the test, it’s short and I loved it! The test is 75 questions long and you have two hours to complete it. I finished with 30 minutes left and got a score in the low 90s so it’s very doable.

My GWAPT index was quite a bit shorter (7-8 pages) than a lot of my previous indexes but it honestly wasn’t a matter of laziness as much as it was the material didn’t seem to lend itself to a fat index as well as other courses have. During the test I never looked for a topic in my index and came up empty so mission accomplished.

There were definitely questions on the exam which required me to understand multiple concepts rather than just reference a particular page. I’m perfectly ok with that if the tradeoff is a two hour enjoyable test instead of a five hour exam that has me questioning my life choices towards the end. I hope more classes go to the shorter exam format.

In summary I enjoyed the course, learned a lot, passed the test and had a good time doing it all.

Passed My CISSP Exam

I’m back from my self-imposed month of silence and am happy to report that I passed my CISSP exam.

I allowed for a hair over three weeks from my CISSP boot camp to my test date which seemed very aggressive but doable. What I didn’t count on was an unforeseen incident causing me to miss a week of study time. 4-5 days before my exam I was seriously considering postponing my test but the next available date for the local testing center was over a month away and I didn’t want this test hanging over my head for another month. Thankfully I was able to pass my test with no extensions.

Here is a quick overview of how I studied for the exam.

Step 1: Bootcamp

I chose the SANS 414 course for my CISSP bootcamp. I can’t say how it compares to any other CISSP prep course since I haven’t taken any others, but I can say that I enjoyed the class and I passed the test. It’s redundant to say that a SANS instructor did a great job, but Eric Conrad and Eric Cole are two of the greatest instructors I’ve ever had the privilege to learn from.

One thing I think I could have done better was take a few of the cccure practice exams before I started the bootcamp. I think bombing a few practice tests would have probably forced me to pay a little more attention to some of the minutia in the more mind numbing sections.

One HUGE bonus of the SANS bootcamp is that you get the entire course on MP3. I spent nights and weekends barricaded in the guest room studying but still got a lot of value from listening to the MP3s on my commute to work and while working out. I even listened on my way to the exam and one of the questions Eric Cole discussed was on the test. I’ve always enjoyed having a different instructor for the live class and the pre-recorded content because you get the same content but from two different points of view, different teaching styles, different war stories etc.

Step 2: CISSP study guide

Right after the bootcamp I started reading Eric Conrad’s CISSP study guide. I would definitely recommend that you visit a bookstore and pick a book you’re comfortable with but for me this book would have been an easy choice even if it didn’t come with the class.

A lot of the CISSP books on the market are well over 1,000 pages. Eric’s books cover the exact same material in 500 pages. It’s actually a really quick read with a lot of charts and practice tests at the end of each domain. The fans of the larger books point out that they cover each topic in greater detail but Eric’s guide absolutely provides the level of knowledge you need to pass the exam. On the few occasions I was interested in a bit more detail I Googled the subject, spent a few minutes reading and happily moved on.

Step 3: Practice tests

This is probably the most important step of them all. Most of the people that have problems on the CISSP don’t say that the exam was too technically difficult; they say they had problems with questions being poorly worded, having multiple “correct” answers etc. Practice tests help prepare you for the style of questions asked and force you to come to terms with the fact that you can’t change the questions no matter how badly you want to. The question may frustrate you, you may think it’s stupid, but you still have to try to figure out which answer is correct in CISSP land.

I started off by taking practice exams from cccure with varying results. I only had a week until my test so I got a copy of the Exam Cram CISSP Practice Question book and spent three evenings taking all ten of the tests in the book. I used the scores of those tests to dictate which domains I should be taking cccure practice tests for during the next two days. I would recommend the exam cram practice questions book and a cccure subscription to anyone preparing for the CISSP.

Step 4: The day before my test

I spent the day before my exam curled up with Eric Conrad’s other book, his 11th hour CISSP study guide. The book is around 150 pages of extremely concise CISSP information. It did a great job providing a final walkthrough of each domain for the exam.

All of this wasn’t cheap and it took an entire month, but it accomplished the mission of passing the CISSP exam on the first attempt. The scariest part of all of this is how beat I felt after spending a month straight studying for this thing. It definitely makes me wonder how much of a recluse I’ll become when I attempt the OSCP at some point in the next twelve months.

Early thoughts on Cybercon

Anyone can look at my blog articles or my list of certifications and know that I’m a huge fan of SANS trainings. I’ve taken in person courses and OnDemand courses but what I had yet to take is a vlive or simulcast course. I’m currently on my lunch break from Day Three of the SANS 414 (CISSP prep) course at Cybercon and thought I would make a few observations about their online courses.

The cost savings are huge. Costs of hotel and travel can fluctuate wildly but free is always the best option. While I was able to keep the hotel and food costs of my Community course in Phoenix under $1,000 my week at Caesars last September for Network Security was probably closer to $2,000. At Caesars a sandwich wrap, bag of chips and soda for lunch was $20 which is far greater than what I pay my wife for similar fare.

The whole “attend class in your pajamas” thing does indeed rock.

Before the class I felt like “I won’t get to meet the instructor (Eric Conrad) face to face so it won’t feel as real”. There may be a tiny bit of that but the flip side of that coin is I have unparalleled access to the instructor to ask questions. Eric is teaching from an island off the coast of Maine while I’m in the middle of the desert yet somehow he does a remarkable job at creating an intimate feel.

Anytime I attend an in-person SANS training and a fellow student expresses concern about passing the associated certification exam, I always recommend that they acquire the OnDemand version of the course if at all possible. The MP3s are a great resource too, but there is just something about being able to see the instructor explain a concept on a whiteboard that I prefer. With any online course SANS gives you access to all of the course materials for six months after the course start date. The ability to go back and listen to your instructor explain a concept again once a course is done and you’re reviewing your material and compiling your index is invaluable.

The software is awesome. I’ve used it to attend a few small webinars but never for a prolonged period of time. It’s easy to use, balances the whiteboard and the chat window and does an unreal job at handling any lag. If you hit a phase where you’re having minor connection issues for whatever reason and your session freezes for a few seconds when you hear the instructor again you’ll hear him at a sped up pace similar to hitting the 1.5 speed button on an iPod. This will continue until you’re caught up when the instructor will seamlessly go back to normal speed again. I wish all online video content was done like this.

Quickie review of the SANS 508 course

I just finished the SANS FOR508: Advanced Computer Forensic Analysis and Incident Response course OnDemand version and I wanted to write up a quick review on the class.

The 2012 & 2013 version of the 508 course bears little resemblance to the version I took back in 2008. There is still a day on in depth filesystem analysis and a section on The Sleuth Kit tools but that is where the similarities end. In 2008 memory analysis consisted of “dump the RAM and run strings on it to see if you find anything interesting.” By contrast the current version of the course has an entire day on memory analysis using Volatility and Redline. There are some amazing people making some amazing advances in this industry.

In addition to the normal books that come with the class the students get a workbook to utilize with the practical exercises. The workbook not only possesses questions that the student should answer but also provides walkthroughs if a student needs a helping hand. Those walkthroughs can prove invaluable when a student is practicing their skills back home after the class is complete. The workbook is a great idea and a nice touch.

Day one is all filesystem talk all the time. If looking at hex makes you seasick then take a Dramamine before class 🙂 . Rob Lee tells a story of an organization’s forensic examiners having stacks of hard drives on their desks. When Rob asked what they were he was told those were the drives that they were unable to acquire data from. Rob said that while some of them were indeed shot, he was able to fix several of them by making manual hex modifications to the drive.

While corrupt master file tables aren’t a daily occurrence for most people, knowledge is never a bad thing, and when the time comes to do something like that it won’t be the first time you’ve seen it. Rob is very honest about his goal for 508: to turn students into the “go to people” in their respective organizations.

Day two is the memory analysis day. The main tools used are Mandiant’s Redline and the Volatility framework. I was aware of the capabilities of memory analysis and had dabbled with it a tiny bit but this was an excellent overview of the process from start to finish including hands on experience with both tools and a good explanation of the pros and cons of each.

While one day won’t give you the depth of knowledge I imagine one would get from the 526 course you will be comfortable with what memory can provide and how to obtain and analyze it.

Day three is timeline day. Those of you who have taken the 408 or read a review of the 408 will know that in that course students start a timeline on day one of the course and add entries to it throughout the week. As a result of this the student becomes familiar with each of the artifacts, what they can demonstrate and how they fit together. Day three of 508 assumes you understand what artifacts like MRU are and jumps straight into how to automatically generate these timelines. Rob jokes that when returning students see how to automate timelines they want to throw stuff at him for making them do them manually in the 408.

One ‘downside’ of the automated timeline approach is that it pulls A LOT of data, so the course spends time showing techniques to analyze and reduce the data. Rob includes a handy dandy Excel spreadsheet which automatically color-codes your timeline by the type of user activity it references.

You will finish the day comfortable with generating timelines but your comfort level in analyzing them will be largely dependent on the knowledge you brought into the course from the 408 or relevant experience.

Day four starts off by taking a quick look at obtaining information from the Restore Points in Windows XP and the Volume Shadow Copies in newer versions of Windows. It was more of a “here’s what can be done” than a full day deep dive on the topic, but it’s great information.

Day four then transitions to recovering data using The Sleuth Kit tools and some lesser known tools with some great capabilities. Some of these free tools really can rival and in some areas surpass what is available on the commercial market.

Day five is a two part day. The first part discusses finding malware. There is a little bit of overlap with the FOR610 Reverse Engineering Malware course in this section but it’s really unavoidable and doesn’t detract from either class in the slightest.

The focus of 508 is locating the malware while analyzing it is left to the 610. There’s also a section on investigating hackers. Like all SANS classes the combination of technical knowledge with actual war stories is tough to beat.

The second half of day five is a legal day where they talk about what’s legal, what’s not legal and some of the challenges in dealing with cross-border investigations. Not surprisingly this section is very well done.

Like a lot of SANS courses day six is the capture the flag day. The 508 version is the Intrusion Forensic Challenge where you get to put the skills you picked up in the previous five days to the test. If you go to a live class you split up into teams and the team with the best presentation earns SANS lethal forensicator coins. I cannot speak about these coins because I want one so badly that I cannot be rational. When the time comes and I finally earn one I will likely squeal and shake my fists uncontrollably for ten seconds.

The 508 is a great course and the only decision most prospective students have to make is whether or not to take the 408 first or go straight into the 508. I’ve written about this topic and given my thoughts twice previously but either way you’ll attend a great course and have a great time.

I attend my first ever online SANS class tomorrow (the 414 at Cybercon) so my next post will likely be some thoughts on that experience.