Book Giveaway #2

Congratulations to book giveaway #1 winner Matt Williams (@mattwilliams31) who won a paperback copy of Richard Bejtlich’s “The Practice of Network Security Monitoring: Understanding Incident Detection and Response”.

Book Giveaway #2 is for a paperback copy of “Hacking Exposed 7: Network Security Secrets & Solutions”.

Once again I’m limiting the book giveaways to U.S. residents only to keep the shipping costs down but I will do a giveaway later this year that will be open to everyone.

The drawing is open until 10/26/2014 so good luck!


Book Review: Blue Team Handbook: Incident Response Edition

Earlier this year I wrote an extremely short post discussing the Red Team Field Manual (RTFM) book. I’m currently on my third copy of the book (I’ve given the first two away) and I have a copy in my backpack at all times. I recently saw some traffic on a SANS mailing list about a similar book geared towards blue teamers and had to check it out.

Like the RTFM, “Blue Team Handbook: Incident Response Edition” is small, affordable and is more of a collection of steps and command examples than a traditional book meant to be read from start to finish. The Blue Team Handbook covers topics such as Windows and Linux volatile data system investigation, network traffic analysis techniques, suspicious network traffic patterns and Snort configuration and usage. Amazon now lists an updated version 2.0 of the book with 20 new pages including information on database incident response.

The book is currently listed for under $14 on Amazon and is perfect to keep with the RTFM in my backpack. If having a printed collection of incident response methodology and commands is something you’d like to have, the Blue Team Handbook is worth checking out. When I inevitably give my current copy away I’ll have an excuse to get the new version with the database coverage 🙂

Blackhat and Defcon Article Posted on EthicalHacker.net and Book Giveaway #1

My “A First-Timer’s Experience at Black Hat and DEFCON” article I talked about in my last post is now live on the front page of ethicalhacker.net along with a picture of Kevin Mitnick and me. When the article went live earlier this week I couldn’t help inserting a mental caption of “A hacker & a hack” when I saw the picture 🙂

Even though it wasn’t a technical article I’m still quite honored to have an article on the front page of ethicalhacker.net and it’s a nice reminder of the progress I’ve made over the past two and a half years. To spread around a little of the good fortune I’m going to give away some books that I already had copies of but got additional copies of at Blackhat.

I’m limiting the book giveaways to U.S. residents only to keep the shipping costs down but after all the books are given away I’ll think of a small giveaway that I’ll open up for everyone.

Giveaway #1 is for one paperback copy of “The Practice of Network Security Monitoring” by Richard Bejtlich. It’s a phenomenal book that I’m sure the winner will enjoy. I’ve set this giveaway up to run between 9/21 and 10/11 so good luck to all.


Vegas Here I Come!

In a serious contender for the “my favorite email of the year” award I was recently contacted by Don from ethicalhacker.net and asked if I was interested in a free briefings pass for Black Hat this year. I’ve never been to Black Hat or Defcon so I jumped at the chance.

I’ll be attending Black Hat and Defcon so if anyone has any tips for a first-timer please let me know. The only thing I’m sure of so far is that I’ll keep my Wi-Fi off the entire time 🙂

I haven’t had a ton of time to study recently but what time I have had I’ve used on C and assembly language. I went through a small book on C programming to get more familiar with the language and am currently watching SecurityTube’s “x86 Assembly Language and Shellcoding on Linux” course.

I’m halfway through the course and Vivek has done an outstanding job of explaining and demonstrating the concepts of assembly language in a way that has made it easy for me to learn. I’ll probably do a more in-depth review after I’ve watched more videos but I can say that at $39 a month pentesteracademy.com is a great value for learning resources.

My Reluctant New Hobby of Bitcoin Mining

As I discussed in my previous post I recently started playing with GPU password cracking. After some modifications to my desktop system my machine was cracking passwords at a rate I was quite pleased with. After I put it through its paces on a few passwords I wondered how it would perform mining crypto-currency. I had zero experience in that area so I did some internet research to help me get started.

One of the first themes I started seeing was that if your main motivation for mining crypto-currency was profit then you should likely run away. The consensus was that if you were interested in crypto, alternative currencies or other similar topics then this may be a nice hobby for you but if your main interest in crypto-currency was money then you would be better off spending your money buying them directly rather than mining them.

One of the next things I found out was that I was not going to be able to mine for Bitcoins using my new graphics card. When bitcoin mining was just starting people were using their computer’s CPUs for mining. The next step in the evolution was bitcoin mining using graphics cards. Just like with password cracking, GPUs offer a huge speed advantage compared to CPUs. Unfortunately for GPU miners there was one more evolution: the transition to application-specific integrated circuits, or ASICs. ASICs are specially made devices that can crack a specific algorithm at a much higher rate than a GPU and usually with much lower power consumption. The downside is that when the ASICs are no longer cost efficient to use for mining purposes they have none of the other uses that a video card has.

When I started doing research into this area I almost bought a Bitmain AntMiner S1 ASIC which mines SHA256 (the algorithm used by Bitcoin) at a rate of 180 GH/s, which is FAR faster than even multiple GPUs can mine. When I crunched the numbers a month and a half ago the price was $240 and they would mine about $5 worth of bitcoin a day. I just checked and the price hasn’t come down but due to crypto-currencies getting harder to mine as they age (by design) the devices now mine about $3.20 worth of bitcoin each day. After you account for the cost of power it’s going to be a while before the cost is recouped.

While Bitcoin is by far the biggest of the crypto-currencies there are other currencies which are often referred to as “alt-coins”. Most of these coins use algorithms other than SHA256. Some of the most common are:

  • Scrypt (used by popular alt-coins such as Litecoin and Dogecoin): Within the past two months Scrypt ASICs have been released which makes GPU mining for Scrypt based crypto-currencies inefficient.
  • N-Scrypt (used by Vertcoin and a few other alt-coins): There are currently no ASICs for the N-Scrypt algorithm and the developers say that if any N-Scrypt ASICs are ever developed they will fork the algorithm to render them useless.
  • X-11, X-13 & X-15 (used by a larger number of alt-coins including Darkcoin and Cryptocoin): X-11 and X-13 are very GPU friendly (low temperature and high efficiency) algorithms used by a larger number of recent alt-coins. As I type this a new algorithm (X-15) is just emerging.

Since I already had a good graphics card and wanted Bitcoins the logical choice seemed to be using my GPU to mine other crypto-currencies and trade those for Bitcoins. With a full time job and other obligations I don’t have a lot of time to track trends, trade currencies etc. so my best option was to join a multi-pool where a large number of individuals work together to mine crypto-currencies which are automatically exchanged for bitcoins. I found exactly what I was looking for at trademybit.com. The owner of the pool charges 0.05% to mine there but the pool automatically switches between whatever currency offers the best effort/value ratio for your algorithm of choice. For an extra 2% the pool will also automatically exchange all of the alt-coins you mine into bitcoins. I personally find the fees well worth the cost. The amount I earn every day can vary greatly and it’s definitely been slow lately but in the past month and a half I’ve earned around $40 worth of bitcoins. I’m not sure how much additional power I’m using by having the computer on when I otherwise wouldn’t but since I already had the equipment and I find the whole field interesting I’m more than happy with my results so far.


Getting started with GPU Password Cracking

Last year I decided to buy a desktop computer to keep in my home office to run VMs and eventually set up to crack passwords. I didn’t want to spend too much but I was able to find a new Dell XPS on eBay with an i7 processor, 16GB of RAM and 2TB of hard drive space for $700. I had used John the Ripper to crack password hashes quite a few times but hadn’t messed with using a GPU to crack passwords.

A few weeks ago I decided to finally get the machine set up to use the GPU to crack passwords. I knew that ATI graphics cards tended to perform better than NVIDIA cards but I had hoped that since the machine was an XPS the NVIDIA graphics card in it would at least do a passable job. As I started doing some research I quickly realized that the NVIDIA GX 620 currently in the machine wasn’t going to be able to crack passwords at a rate anywhere near that found in higher end cards so an upgrade was in order.

I did a little bit of reading and the ATI 7950 ($230 with a $20 rebate at newegg.com) seemed like a good option for the price. Unfortunately I knew the card would be quite a bit larger and need more power than the stock card so a new case and power supply were in order as well. I ended up grabbing an Azza 9000 case and 600 watt Corsair power supply. The total cost for the graphics card, case and power supply was just under $500 and hopefully I get back the $50 in rebates I sent off.

When the video card arrived it was instantly obvious that I made the right call by getting the bigger case as the 7950 dwarfed the GX 620.


If I thought the video card was a big increase in size that was nothing compared to the monster that was the Azza 9000 case that arrived the next day. I wasn’t sure if that thing would fit through the door. I spent a few hours transferring the motherboard and installing all of the components into the new case but the process was relatively painless. When everything was said and done this is how it looked.


Once it was up and running I updated the video card drivers and installed the latest version of the password cracking program hashcat. I ran hashcat in benchmark mode to see what speeds I could expect for different password hash formats and was quite pleased with the results. AES and RIPEMD-160 TrueCrypt passwords were just under 78,000 guesses a second and WPA/WPA2 handshake captures were cracked at a rate of 111,000 guesses a second. I tested a few different files and the real world results were very close to the listed benchmarks.


I’ll probably do a more in-depth post on hashcat usage in the near future but right now I’m using the 15GB wordlist from crackstation (https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm). Hashcat also has some brute force and hybrid options.

If I had to do it all over again the only change I would make is getting a bigger power supply. The one I have now is perfect for the setup I have but if I ever decide to expand to a multi-GPU motherboard in the future I’ll need more than 600 watts.

One unexpected side effect of this upgrade was that I backdoored myself into a new hobby. As soon as I was done testing the password cracking capabilities and the machine was sitting idle I wondered how it would perform mining crypto-currencies. I’ve had a lot of fun researching the topic and trying different things and will probably write about that in my next post.

2014 Cybercon Here I Come


My box of books and swag for the 2014 SANS Cybercon showed up today so I’m pretty much like a kid on Christmas morning flipping through my new books. I signed up for the SEC 560 class (taught by Kevin Fiscus) and am looking forward to a great week.

SANS 2013 Holiday Hacking Challenge, 2013 Review and 2014 Goals

I just submitted my report for the SANS 2013 Holiday Hacking Challenge (http://pen-testing.sans.org/holiday-challenge/2013) and it was a great way to end the year. I started my infosec studies in mid-2012 and while I was aware of the 2012 holiday challenge I was swamped with other obligations and didn’t have the time to participate. Every time I saw an update on twitter talking about the challenge I promised myself that I would give it a go in 2013.

The challenge this year requires the user to analyze a pcap file with over 170,000 records in it and determine what attacks were leveraged, what defensive techniques were used, etc. It was a lot of fun to start sifting through the records reconstructing what occurred.

I took notes, created a timeline and wrote a report which answered all four questions. I absolutely would not have been able to do as thorough a job a few months ago so it was a great feeling to see how much I’ve improved my skills.

2013 Review

My 2013 goal was to cram in as much information as I possibly could in an attempt to make sure that I had a good general overview of infosec. I ended up knocking out the following in chronological order.

  • Finishing up the Attack-Secure Penetration Testing Course
  • Taking the SANS SEC 401 and passing the GSEC
  • Taking the SANS FOR 408 and passing the GCFE
  • Reviewed the new course material for the FOR 508
  • Taking the SANS MGT 414 and passing the CISSP and GISP
  • Passed the CEH
  • Wrote a Python tool to analyze the iPhone application “Burner”
  • Taking the SANS SEC 542 and passing the GWAPT
  • Beta tested the new SANS FOR 585 Smart Phone Forensics Course (huge honor)
  • Taking SANS SEC 503 and passing the GCIA
  • Almost done reviewing the course material for the SEC 617

It was expensive, it was mentally draining and it was TOTALLY AWESOME. The experience was absolutely worth every penny and every hour.

I’m able to listen to the pauldotcom podcast and understand what’s being talked about, able to look at network flow reports and diagnose issues, able to fire up Linux and navigate around, able to quickly develop Python apps to solve problems and even able to look at network traffic at the packet level and know what I’m looking at. I know I’ve got a long way to go but I’m proud of the progress I’ve made.

I would also be remiss if I didn’t mention the fact that every time I’ve attended a conference I’ve met some amazing people that I keep in contact with and I’ve also made some virtual friends online that I can’t wait to meet in person. My stable of security friends is growing monthly.

2014 Goals

While 2013 was packed full of classes and certs 2014 will be more about specific skills and projects. There will absolutely still be some classes (I’m already signed up for the SANS Penetration Testing SEC 560 course in February) but I’m more focused on a few particular topics.

Numbers 1 & 2: Learning C and Assembly Language.

A lot of C looks very familiar from other languages that I’ve coded in (namely Python and PHP) but I never learned to program in C. I’m currently using some online tutorials and a book to work on my C and once I feel like I’ve got a good grasp on that then it’s moving on to assembly language.

Why oh why do I plan on subjecting myself to such pain? Because I know I need to in order to work on numbers 3 & 4.

Number 3: Learn Reverse Engineering

After I’m decent at C and Assembly I’m planning on going through the Practical Malware Analysis book. I may try to attend a SANS FOR 610 course later in the year but I’d really like to get a good grasp on the subject first.

Number 4: Learn Exploit Development

There are a lot of great online tutorials for exploit dev (inc. Corelan) but after my C and ASM I’m going to try to start off by signing up for a Joe McCray exploit dev course. I’ve watched a few of his YouTube videos on the subject (http://www.youtube.com/watch?v=eNSWUAVxbzk and http://www.youtube.com/watch?v=uPaJHT0Vv7E) and I really enjoyed his teaching style.

Number 5: Continue Improving my Python

I’ve gotten very comfortable with Python and have written multiple tools with it but I want to continue improving it. I’ve signed up for Vivek’s http://www.pentesteracademy.com site and am currently working my way through his Python for Pentesting class. I will also make time to finally finish Violent Python. I love the book but it kept getting pushed aside for my courses and certs. I’d love to take the SANS 573 course at some point but we shall see.

Number 6: Continue to Improve my Linux skills

In 2013 I got comfortable in Linux. I can move around in it, run programs, solve basic problems etc. I even find myself using vi instead of gedit for simple tasks. I’ve still got A LOT of work to do on my Linux. I need to get more comfortable using sed, awk and other tools, making SSH second nature etc.

I know that I’ll never get my Linux skills to the level of someone who is a sys admin for Linux boxes every day but I know I need to get better.

Number 7: Improve my Macintosh skills

This one is easy since they’re pretty much nonexistent 🙂 I don’t really have a specific plan for this one other than I recently purchased a Mac Mini and I’m going to make an effort to use that more instead of my Windows laptop.

Number 8: Get my CTF on

This is the only one on the list that isn’t my idea. I discussed my 2014 to-do list with someone MUCH more skilled than I and he loved my list but suggested that I try to work in some CTFs to reinforce my skills and have some fun.

The only CTF-type activity I’ve done has been NetWars at a SANS conference but I’m going to keep an eye out for opportunities this year.

I have a few other minor ones but those are the big ones. I’d love to hear any thoughts or suggestions.

GSEC passed and my 2012-2013 Security-Cert-A-Palooza

I passed the GSEC exam early last week and got my certificate in the mail today. It made me stop and think what a crazy eleven months it’s been.

Last May I was fortunate enough to attend a computer forensics course in Phoenix where we took the CHFI and CCFE tests at the end of the week. Those were my first two computer security certificates and I was hooked. I hadn’t seen my wife in a week and we met up at the Phoenix Comicon (yes my wife and I are that big of nerds) and my wife said that I was “glowing” and that she had never seen me so happy. I realized that I had spent the previous six days either in class or in my room studying yet I was unbelievably happy. It’s amazing how smooth things feel when you’re doing what you should be doing.

I had taken the SANS 508 course back in 2008 but never had a chance to put those skills to use but now that I had knocked the dust off my forensics skills I was anxious to put myself to the test and try my hand at the GCFA. I passed that last summer and felt fantastic. It was by far my greatest achievement in the field. The week after I took the Access Data ACE exam to round out my forensic skillset.

I decided to start filling in my many knowledge gaps by going through the certificate gauntlet. I knocked out my A+ first and while I was studying for the Net+ I got an opportunity to attend the SANS 504 course. The course was amazing and I studied for that thing like I had never studied before. I passed the test with a 94 and had a much better test experience than I had on the GCFA since I knew how to properly prepare.

I knocked out my Net+ real quick and then decided that I wanted to supplement my GCIH knowledge with some more hands on hacking knowledge so I signed up for the attack-secure.com “samurai skills” penetration testing course. In addition to some good videos the course came with 90 days of access to a student network of over two dozen boxes to try to hack. I learned a ton and a lot of the concepts from GCIH made a lot more sense when I was forced to put them to use. A great side benefit to this course was giving me a decent understanding of Linux command line usage.

When I got shell on the final box on the network and got access to the file that I needed to earn my “Attack Secure | Penetration Tester” cert I was very proud. I know the cert is very much an unknown and I’ve got a lot more to learn but it was a step in the right direction.

I went straight from my online hacking course to the SANS 408 Windows Forensic Course in Phoenix and learned a ton about examining Windows systems. Four weeks after that class I attended the 401 course and had a great week, learned a lot and met some great people. Now that I’ve knocked out my GCFE and GSEC certificates I’ve set my sights on the CISSP. I’ll be taking the SANS 414 course in a few weeks and I’ve scheduled my CISSP exam in late May.

In eleven months I obtained a CCFE, CHFI, GCFA, A+, GCIH, Net+, AS|PT, GCFE and GSEC and hopefully I can add a tenth cert in twelve months by passing my CISSP.

It hasn’t been cheap or easy and there are absolutely times when I feel mentally drained but the feeling I get from knowing what I’m talking about is well worth it.

An update and a useful link

I wanted to post a quick update to let everyone know why the posts have been few and far between these last few weeks. The quickie version is long hours at work combined with two SANS conferences since my last post in January. Yes, two conferences in two months.

I took the FOR 408 Windows Computer Forensics course in January and the SEC 401 Security Essentials Bootcamp in February. Reviews of both will be coming soon but I loved them both. I’ve also been reviewing some other course content which I may be able to write about soon.

One thing I want to share before I go back to my GCFE studies is a great site I saw a few weeks ago.

One of the most useful parts of my attack-secure.com penetration testing course was the online lab of machines to try to hack. Vulnhub.com is a repository of images that a user can download and practice their hacking skills on. Right now there are five pages of images including some that can be difficult to find. After I’m past my current glut of SANS material I will definitely spend some time with a few of these distros.