SANS 508 Compared to 408 Part Two plus a Side of 610

I’ve now had a chance to go through the OnDemand SANS FOR 508 Advanced Computer Forensic Analysis and Incident Response course and feel a little more comfortable comparing it to FOR 408 Computer Forensic Investigations – Windows In-Depth course. I’ve also recently been exposed to the FOR 610 Reverse-Engineering Malware: Malware Analysis Tools and Techniques course content so while this post won’t cover much of the 610 I will talk about how the three courses fit together.

SANS has done a remarkable job of designing the 408, 508 and 610 as courses that stand fine on their own but fit together like pieces of a puzzle. There is virtually no overlap between the 408 and 508 (maybe a very tiny bit in the file system section) and a very small amount of overlap between the 508 and 610 in the memory analysis using Volatility section.

The following hypothetical scenario is my attempt to classify the 408, 508 and 610 to help give others an idea of what each course covers.

You’re a security analyst working for El Paso Widgets LLC and have been asked to examine Bob’s computer for evidence of inappropriate behavior and intellectual property theft. NOW is when you want to have taken the 408. You’ll cover web history analysis, program execution analysis, file activity analysis etc. If I went down to the mall right now and asked 100 people what they thought computer forensics people did they would likely all describe scenarios that the 408 covers.

You find evidence that Bob accessed proprietary information and exfiltrated the data (using a USB drive) in violation of company policy. You also found evidence of inappropriate web browsing and deleted chat history where Bob discusses his actions. Thank you 408!!!! Bob’s employment is terminated and all is right with the world.

Flash forward six months and unbeknownst to you Bob has spent the last six months turning himself into a computer hacker. He knows enough about the company’s personnel, culture and lingo to craft a brilliant spear fishing attempt. He also knows what anti-virus software El Paso Widgets LLC uses and he knows how easy it is to tweak malware in order to keep it hidden from anti-virus. One email and one misguided click later Bob now has a foothold on El Paso Widgets LLC’s network and nobody has a clue.

Over the next four months El Paso Widgets LLC bids on ten contracts and loses every one of them because their competition always bids 2-3% under their sealed bid. This obviously has a huge impact on their business and management starts to suspect an insider threat is revealing sensitive data from their bidding process.

You are approached by management and asked to examine the network in excruciating detail looking for malware which is avoiding detection from anti-virus. NOW is when you want to have taken 508. You examine several memory dumps and on one system you find a process which is actively hiding itself from normal system monitoring utilities. You perform timeline analysis and determine that the system became infected four months earlier. 508 just made you look like a genius!! El Paso Widgets LLC has no idea why you’re working for them instead of some mega company making triple what they pay you. You go home, brag to your spouse about your insane skills and sleep like a baby.

Your hero status is short lived however as the next morning management asks you to examine the malware to find out what it does and how to defend against it. NOW is when you need 610. 610 will teach you how to analyze the malware’s behavior and code to figure out what it does and help you determine how to locate it and defend against it.

That is an honest assessment on how I see the three courses fitting together. The 508 is not a more advanced version of the 408, it’s a completely different course with completely different objectives.

In the first post on this topic there were some great comments where we discussed if someone would feel lost taking 508 if they didn’t take 408. As I said back then if you’ve been doing forensics on Windows boxes for a few years and know MRU, Prefetch, LNK files and the registry like the back of your hand than 508 may very well be the course for you. You would probably learn some great tips from the 408 course (and get a write blocker) but the course would likely be rounding out your knowledge rather than giving the true SANS ‘drinking from a fire hose’ experience.

If the above paragraph doesn’t apply to do but you still REALLY want to take 508 than go for it but here’s what may be in store for you.

Day one is a seriously in depth look at file systems. 408 would help you a bit in this section but when the hard core hex starts it will hurt no matter what.

Day two is the memory analysis day. Not having 408 wouldn’t hurt you too bad here but the instructor may talk about acquiring some things that you’re not familiar with.

Day three would probably be the day you would miss 408 the most. Throughout 408 you do a timeline by hand where you learn about each of the artifacts in great detail. In 508 you spend all day pouring over automated timelines looking for anomalies. It would be nice to have a firm grasp of what each of the artifacts means and what a normal looks like before you try to identify anomalies.

Day four and day five would have a similar downside of day two. You wouldn’t lose out on any of the “how” that 508 covers but you might not have the “why” understanding that a lot of your classmates possess.

Hopefully this post helps somebody make an informed decision on deciding between 408 and 508. My next post will likely be a short 508 review but if you have any questions about anything I talked about here ask away and I’ll do my best to answer.

Should I take SANS 408 or 508? (part 1)

I recently got asked a question in a comment that I was planning to answer in about 45 days but I don’t want to wait that long so I’ll give half of an answer now.

The question was a common one: “Should I take SANS 408 or 508?”

First let me provide one HUGE caveat and explanation of why I was already planning on answering this in 45 days. I have taken the 508 (I’m even a proud holder of a GCFA) but I took the course back in 2008.I was completely unprepared but it was still a fantastic learning experience and it taught me concepts that I use to this day. The 508 exam of today has very little in common with the 508 from 2008. The course has been completely re-designed from the ground up and I have yet to take the new version.

I’m taking my GSEC exam at the end of this month but after that I’ll have a narrow window to watch the 508 OnDemand content for a much needed refresher. The new 508 books are actually sitting in a spare room in my house and in an unbelievable act of discipline I haven’t touched them yet as I wanted to knock out my GCFE and GSEC first. Once I’ve gone through the new 508 material I’ll write a post about my thoughts on how 408 and 508 fit together but until then I wanted to share the thoughts from others on the subject.

I’ve been told by individuals far more qualified to speak on the subject than I that there is a fair amount of knowledge taught in 408 that is assumed in 508. One of the best examples is timelines. As I talked about in my 408 review you start the 408 course off by creating a very small timeline of events and build onto that timeline throughout the course by examining every sort of artifact that you can think of. All of the artifacts are examined “manually” and you write your entries into a spreadsheet. Not the quickest process in the world but it gives you a great understanding of both the artifacts themselves and how they relate to one another.

A quick look at the 508 course shows that day three is all about timelines. With a quick glace you would think that it was redundant with 408 but I’ve been told there is little overlap between the two courses. The 508 timeline section is about automating timeline creation so that instead of doing them manually (as is done in 408) you use tools to create them for you. The knowledge from 408 comes into play in several areas:

  1. Understanding what the data means. 508 assumes you have a level of understanding of artifacts and timestamps that one acquires in the 408
  2. Validating the results from the tools used in 508
  3. Performing the process manually when the tools utilized in 508 don’t work correctly for whatever reason

The timeline topic is only one example of how 408 and 508 complement each other and I’m sure I’ll have some more after I go through the updated 508 content next month.

SANS instructor Mike Pilkington (great teacher and even better human being) told our class that in his opinion SANS 408 was an intermediate class since “it teaches the basics, but then goes into some pretty advanced topics”. I couldn’t agree more.

Anyone who’s ever taken a SANS class has probably hit a point where your brain feels like it hit a short circuit. Where the material for a topic takes a complicated turn or where it’s day six and your brain is overflowing but the content keeps coming. In the OnDemand version of 408 Rob Lee is discussing a topic and he realizes it’s probably a “wait, what???” moment for a lot of students. He says something along the lines of “I know a lot of you are thinking that you thought you signed up for basic class and you’re not sure what’s going on…” .

A lot of forensics courses have students leave thinking “I can look at the internet browsing history, I can check for inappropriate pictures, I can run a dirty words list to find relevant documents etc.” . This is all really good stuff and the 408 teaches all of that. The 408 also goes MUCH further and teaches a student what’s going on behind the scenes and how instead of relying on “I ran tool X and it shows Y” the student can transition to “I ran tool X, it shows Y. We can also demonstrate Y by looking at Q, R, S, T…”.

After going through the course and subsequently going through the books while creating my index I really do feel like I can intelligently work my way through a detailed analysis of a Windows machine and not only validate what my tools are telling me but dig deeper in some areas for information that isn’t covered.

When I took the 408 course there were individuals in the class who had been performing analysis on Windows machines daily for the past decade. They both told me that they enjoyed the class and picked up some good tips but they absolutely could have skipped 408 and gone straight to 508. If that’s you and you don’t have the budget for both classes then that’s a tough decision.

If you’re where I was and you understand forensics basics, file systems, prefetch files etc. but don’t feel like you have a truly deep understanding that comes from dealing with things like jump lists, shortcut files and registry artifacts on a daily basis than I think you would love 408.

On the in person vs. OnDemand, you really can’t go wrong with either. The in person experience is always incredible and you get to meet people with similar interests but the great part about OnDemand is the ability to pause, research, practice and then come back to the content. I know it’s a crazy time commitment but for some classes (504 included) I try to watch the on demand videos in addition to the live class. The 504 on demand videos really opened my eyes to how high quality the OnDemand learning experience was. I had a slight preconceived bias that OnDemand was inferior to a live conference but it’s absolutely not and there are some serious pros to each.

Quickie SANS Forensics 408 Review

In January I was able to attend the SANS FOR408: Computer Forensic Investigations – Windows In-Depth course. When choosing what course to take it would be easy to focus on the fact that this is a “400 level” course and assume it’s a beginner class. What shouldn’t be overlooked is the “Windows In-Depth” part of the course title. SANS absolutely delivers on the “in-depth” part.

The course is six days of wholesome forensic goodness with five days of instruction and a day six “forensic challenge” where you examine an image from a case and compile a report of what happened. The course also comes with a hardware write blocker for every student which you get to keep. That’s one heck of a freebie.

Rather than just spending a few minutes over-viewing what a particular type of Windows artifact does, the 408 course covers each artifact in detail, explains the differences across various Windows platforms and has labs throughout the course where the students get a hands on feel for examining a disk image.

What makes the 408 course really special isn’t just the detail in which the various artifacts and registry values are covered, but the methodology provided.

At the start of the course the students are given a disk image from what appears to be an intellectual property case. You examine the first set of artifacts that you learn about to start assembling a timeline of what activity occurred, when it occurred and what artifact demonstrates that it occurred. Throughout the rest of the week you use each of the artifacts, registry settings etc. that you learn about to add details to your timeline. By the end of the week you have a detailed step by step overview of what happened down to the second. There are usually multiple artifacts which prove that an action occurred and you actually know what they all mean.

The SANS course provides other bonuses throughout the course-ware including checklists of step by step things an examiner could look at when examining a specific category of artifacts.

Overall I was extremely pleased with the course. Not only are the students taught forensic concepts, how to use popular forensic tools (commercial and free) etc. but they’re also given a fantastic methodology and given the knowledge to perform a “deep dive” by digging into the artifacts to truly understand what occurred on a system.

Samurai Skills Update #6 – Review

After popping shell on almost every box in the Attack-Secure student lab I finally got shell on the computer which held the key.txt file which had the hash I needed to earn my Attack-Secure Penetration Tester (AS|PT) certificate.  I went to bed with a smile that was still plastered on my face when I woke up 🙂

I still have a bit of unfinished business in the lab that I’d like to clean up and I still haven’t watched the 8th and final video of the series (exploit development) but I can give my opinion on what I have seen and experienced.

Attack-Secure.com is relatively new  to the penetration tester training market but the instructor Mohamed Ramadan has proven his skills by collecting several valuable “bug bounties”  including finding a flaw in the Facebook app on the iPhone.

Before I give me thoughts about the course, let me answer two questions that I’ve been asked about the course.

Q: Is the AS|PT certification recognized by employers?

A: Probably not at this time but I wouldn’t be surprised if it is more recognized in the near future as more and more people are exposed to the course.

If you already have penetration skills and are just looking for a certificate to help you get a job, then the CEH is probably the way to go. I didn’t have those skills and wanted to learn them so this course was perfect for me.

As a result of taking this course, I don’t think I’ll have any problems passing the CEH exam.  Most importantly, as a result of taking this course I now kind of know what I’m doing.

Q: How is the English in the instructional videos?

A: It never bothered me but you don’t have to take my word for it, you can check it out for yourself for free. Mohamed has a one hour YouTube video of him hacking the Kioptrix 4 distro at http://www.youtube.com/watch?feature=player_embedded&v=SR7tmgDloIA .

I watched a good chunk of the video before I signed up for the course and it gave me an idea of what to expect in the course videos. The videos have a “live and unedited” feel which I personally love.  I really felt like I was sitting behind Mohamed and looking over his shoulder as he demonstrated these techniques.  Because the videos show the tools running in real time instead of just cutting to the results I was able to get a feel for how long tools take and what results I could expect.

With those two questions out of the way, here are my thoughts on the course: it rocks!

The Attack-Secure Samurai Skills course is the best value I’ve ever received for any technical training. I bought the course during one of the 50% off sales so for a little under $400 I got 17 hours of instructional videos, corresponding PDFs AND 90 days of lab time to run all of the tools I needed to learn and practice the techniques I needed to practice. That is a ridiculously good value.

Speaking of the 90 days of lab time….. When I saw the 50% off sale I decided that it was a no risk opportunity and worst case, I was out $400. I had some other stuff going on in my life (all positive) so when I signed up I asked Mohamed if I could please receive the materials now but delay my 90 days of lab time until I had time to utilize it. He responded right away with “Absolutely, just shoot me an email when you’d like me to start your lab time.”

That experience was the first of many times that I found Mohamed knowledgeable, responsive, friendly and helpful. Not “Run exploit XXX” helpful, just “keep trying, you’ll get it” helpful. When I sent emails asking for boxes in the lab to be reset, I would sometimes get a response within minutes. It took a bit longer sometimes but we’re on opposite sides of the earth and the man needs to sleep sometime 🙂

I had a blast doing this course, learned a ton and will be at the front of the line to get the upcoming “Ninja Skills” course.

If you’re in the same situation I was (heavy on desire, light on skills) then watch the video I linked above. If you like that style of demonstration then do yourself a favor and sign up. You’ll get a lot more videos and a place to work on your new found samurai skills.

I’ll post an update of the exploit development section as soon as I watch them. If you have any specific questions about my experience with the course, feel free to ask them here and I’ll do my best to answer them.

Samurai Skills Update #5

While I still haven’t been able to devout nearly as much time as I would like to play in the student labs I still wanted to post another update on how the Samurai Skills course is going for me.

I’ve now watched all of the videos except for the last one on windows exploit development. I’m looking forward to watching it but I want to wait until I have a full day or two to devote to practicing the techniques covered.

On the lab front, it’s a very weird dynamic. I still go long periods of time with little to no progress which is frustrating and leads to a lot of doubt but I also tell myself that I’m light-years ahead of where I was before I started the class.

The student lab network recently got modified so I had to duplicate the enumeration and scanning phase. Before I started the attack-secure course I had already been exposed to Nmap, Nessus, Nikto and Enum from my SANS 504 course. I had ran all of these tools on the student network previously and now it was time to run them again. The difference was this time I felt a lot more confident and I ran the scans much more efficiently.

My first step was running an Nmap scan across the entire subnet. That scan identified 20 targets which I then piped into Nessus to start that scan. As soon as the Nessus scan started I cranked out the following quick little bash script to check all of the targets with Nikto.

#!/bin/bash
for i in {129..164}
do (cd /pentest/web/nikto/ ; ./nikto.pl -host 172.16.222.$i - output /pentest/web/nikto/student_remix/172_16_222_$i.txt)
Done

And a similar script for enum4linux

#!/bin/bash
for i in {129..164}
do /root/enum4linux-0.8.8/enum4linux.pl -M 172.16.222.$i
Done

These are about the simplest shell scripts imaginable but three months ago I had never written a shell script in my life so I’m proud of them 🙂 Even basic scripts like this can make your Linux life much easier.

I’ve also started being able to spot the low hanging fruit of the ethical hacking world. If Nikto shows that HTTP PUT is allowed, I’ll throw a php web shell or backdoor if the box runs php or use the IIS webdav upload exploit in Metasploit if it’s an IIS box. Once again, about as simple as it gets but it’s still information I didn’t know a few months ago.

I’ve also been able to acquire shell on several boxes where a CMS allows me to upload a file (perhaps as part of a comment or post) or modify a file (a little php backdoor code in a WordPress theme never hurt).

I’m still not great at popping shells but even when I do get a shell I’m horrible at Linux privilege escalation. Most exploits you stumble across on the internet require you to modify them to get them to work on your machine and I don’t have enough knowledge in that area to determine what to modify yet.

I have started running ‘ps aux’ on any Linux shell I get to see what programs are running as root but I only know how to exploit a few of them if I find them like MySQL. I understand the basics of why SUID is important but not quite enough to make it work for me yet.

As I stated earlier it’s a weird feeling when you aren’t making much progress but deep down you know you’re learning. I keep failing, but I’m failing better and better every day.

Samurai Skills Update #4

Between work, the holiday and other demands on my time (I’ve got another cert test coming up this week) I haven’t had a ton of time to play around in the attack-secure student labs but I wanted to give a quick update.

Video seven (there are eight total) is a five hour monster which I’m about two hours into so I’m getting close to the end of the videos.

My wife had to work on a late night project Thanksgiving evening so I had a few ‘free’ hours which I spent playing around in the lab. I decided to go SQL injection hunting and ended up finding a box which looked promising. I fired up the command line tool ‘sqlmap’ and fed it a tasty looking URL. Within a minute sqlmap came back and confirmed that the web app was indeed vulnerable to a SQL injection attack.

I was able to use sqlmap to enumerate the databases, to dump the content and even crack a password hash found in one of the databases.

NOTE: The initial password cracking attempt of sqlmap only takes a minute or so but when sqlmap asks you if you want to try common suffixes for the passwords and warns you that it will be slow, it means S L O W. I sat there for an hour wishing I had not pressed yes but not wanting to cancel the process.

I took the file grabbing options of sqlmap for a test drive and downloaded the /etc/passwd and /etc/hosts files. I tried to grab the /etc/shadow file but didn’t have rights to the file.

I ran into a hiccup trying to obtain shell using sqlmap and haven’t had a chance to go play on the box more but hopefully I can parlay progress on that box into shell and root.

As usual, the videos were quite helpful on this one. The penetration testing field requires a ton of Google searching and there are a lot of free video resources on sites like security tube but it’s still nice to have a course like this which is laid out in logical manor and lets you watch the tool being used while you listen to the author explain what’s happening.

I’ve learned a ton from the videos (with a ton more to learn) but the labs have remained the big draw for me. Having a student network to play in and work on my skills has been awesome.

There is a huge difference in knowing what an attack or a process is and actually trying to get it to work on a box. I’m not where I want to be yet but I’m very happy with the progress I’m making.

Samurai Skills Update #2

I’ve now had a few days to ‘play’ with the Samurai Skills course online hacking lab and I wanted to post some early thoughts.

I’ve found the labs both awesome and frustrating. Awesome because it’s nice to have a network to test all of my new-found ethical hacking knowledge on. Frustrating because my knowledge isn’t where I want it to be yet so I found myself spinning my wheels for a few hours this afternoon trying to get various privilege escalations running on a Linux box.

My first act upon receiving access to the “student network” (the easiest of the three networks in the lab) was to run an Nmap scan. The scan showed about two dozen machines running a mix of operating systems.

My next step was to run a Nessus scan to look for vulnerabilities on the machines Nmap found. There were quite a few exploits found on some of the systems so I picked a juicy looking windows box and decided it would be target number one.

I combed through the Nessus report on that box looking for vulnerabilities which had exploits available in Metasploit. I tried a few different exploits which all failed but finally hit on one which after a few seconds popped up the prompt every penetration tester dreams of, meterpreter.

For those new to ethical hacking & penetration testing, meterpreter is a payload in Metasploit which gives you a ton of great options (dumping password hashes in Windows, obtaining shell etc.). My first meterpreter command was dumping the password hashes on the target machine and then firing up John the Ripper on my computer while I obtained shell on the target machine and poked around.

My first hacking session ended on an incredible high note.

Last night I decided to target a Linux box. After trying (and failing) to get several exploits to work I finally picked one which targeted a vulnerable web application hosted on the machine and was able to get meterpreter running on that machine. All was well in hacking land, or so I thought…..

My first act was grabbing the contents of the “passwd” file. The file showed quite a few accounts. I didn’t expect to be able to view the contents of the shadow file but I had to try. That didn’t work. Why? The application I exploited wasn’t running as root so when broke out of that application and into shell, I was running as that user and not root. I went to bed last night figuring I would wake up in the morning and get my privilege escalation on.

After a nice breakfast out with my wife I came back to watch football and try to get root on that Linux box. While I was half paying attention to the football games on TV, I was also going through exploit-db.com and trying to find some privilege escalation code (mostly c) which I could get running on the machine. I tried around a dozen different attacks, all appropriate for the kernel version my target machine was running but I couldn’t get any of them to work.

A few wouldn’t compile, a few needed services which weren’t on the target machine and a few just plain didn’t work. It was very frustrating to spend several hours trying to accomplish something and finally stop (due to other obligations, not frustration) without having made any progress.

The only good thing about my experience this afternoon was that I knew exactly what needed to be done, I researched correctly, had no problems getting the code onto my target machine, was able to compile several of the exploits (no small achievement for a lifelong Windows guy).

While I take all of this for granted now, I would have had no idea what to do several months ago. I feel like I’ve learned so much and I’m only getting started. Still, I’m in the same situation I was in last night. I have a funny feeling I may be skipping ahead to the privilege exploitation video of the course very soon 🙂

Early Impressions of the attack-secure.com Samurai Skills Course

I’ve been in the process of studying for my GCIH cert test and have had a feeling that I could benefit from some hands on experience testing some of the tools and tactics covered in the SANS SEC 504 course.

I saw a post on ethicalhacker.net about ninja-sec.com (now attack-secure.com) having a 50% off sale on their course. The course had some fairly favorable reviews and most importantly for me came with 90 days of lab time. A full instructional course along with 90 days of lab time for under $400 seemed like a good deal so I decided to grab a copy.

While I’ve only watched the first part of the course material, I wanted to give me early impressions.

The Samurai Skills course is quite different from other online instructional content I’ve viewed. As opposed to the common “mostly lecture with a few demonstrations thrown in” courses the Samurai Skills course is almost all demonstration as the instructor is explaining what the tool is doing. It is true “over the shoulder” training as you’re basically sitting next to the instructor watching his screen while he’s explaining what’s going on.

While I personally love that style of instruction, I know it’s not for everybody. I think the main reason I enjoy the style is while it’s one thing to read about a tool and know what it’s used for, it’s another to actually see it in action. This style gives me a better idea of what to expect when I go to use a tool myself.

There is a demo video on the website that I would definitely encourage people watch before they purchase the course. There is also a free trial video available if you provide your email address. The video is a great way to get a feel for the instructor’s style of teaching. The audio can be a tiny bit hard to understand at times but it hasn’t bothered me or detracted from my learning experience.

The 90 day of lab time was a huge draw. The lab consists of three networks with increasing levels of difficultly. The only way to progress from one network to the next is to hack into all of the machines until you find a machine which is on both networks at which point you need to pivot to the more difficult network. If it sounds like I’m speaking from experience, I’m not J I’m only 2 days into my lab time but I’ve only scratched the surface on two boxes so far.

I’ll be doing a lot more posts about my experience with this course but so far so good and I think it represents an excellent value.