x86 Assembly Language and Shellcoding on Linux Course Review

Most people interested in information security have likely visited before but for those who haven’t it’s a great aggregator for videos of tutorials, demonstrations and conferences. The site’s owner Vivek Ramachandran has produced a ton of free content and a few paid courses. Late last year he transitioned all of his premium courses to a new site at where you can access all of his courses for a monthly $39 fee.

I recently finished going through his “x86 Assembly Language and Shellcoding on Linux” course and wanted to share my thoughts on it. Before watching his videos I knew almost nothing about Assembly language or shellcode but I did know that I needed to have a good understanding of both in order to be any good at reverse engineering and exploit development.

The first seven or so videos cover a lot of system architecture and explain what the different registers are and how they’re used. This is a very tricky section because he’s explaining things that you’ll need to know for the rest of the course but they’re hard to visualize since he hasn’t started the demonstrations yet. I never felt lost during his explanations but once the demonstrations started in videos eight and nine you start applying the information from the first section of slides and it all falls into place.

Videos 8 through 21 walk the student through assembly language concepts like understanding and using the stack, loops, math, strings etc. At the end of those videos I wouldn’t say I was “good” at assembly language but I was at least getting comfortable with it. Before I started I would have looked at assembly language and had no clue what I was looking at. Now I can look at it and while I may not understand what the code is accomplishing I understand each of the little pieces and what they’re doing. Now when I look at the reverse engineering book I’m getting ready to read I don’t feel like I’m reading Klingon.

There is plenty of assembly in videos 22 through 37 but the main focus is on shellcode. Vivek explains what shellcode is, what changes you need to make in your assembly in order for your shellcode to work and writes some hello world shellcode using different techniques like JMP-CALL-POP. Once again I didn’t feel like an expert but I sure understand a lot more. Vivek then covers InfoSec specific content like encoders (both using others and making your own) and polymorphism. The series ends with a look at analyzing other’s shellcode and writing custom crypters.

I’ve gone through several of Vivek’s other videos but this is the first time I’ve gone through one of his courses start to finish. The course is exactly what I needed and I’ve already recommended to a friend who is working on learning reverse engineering but would like a better understanding of assembly. If you’re like me and hitting a point in your InfoSec studies where you realize that you need to understand some of the low level material in order to learn advanced topics this is a great resource. He really does start from square one so no prior knowledge is expected.

One of the reasons I initially signed up for was that I was a big fan of Vivek’s word on securitytube and wanted to support his efforts. I also seem to learn a lot better from video explanations and demonstrations that I do from books. I paid $99 for the first month and $39 a month after that but he occasionally runs specials where the first month is $39. He’s been adding a lot of new content to ongoing courses and coming up with new courses so I don’t think it’s possible to go through everything unless watching videos is your full time job. I think his web app hacking course alone is up to almost 70 videos and still going.

While I was in the arsenal room at Blackhat last month I looked over and saw Vivek checking things out. I went over to him and introduced myself, thanked him for everything he taught me and had a nice conversation with him. He was incredibly friendly, gracious and humble and thanked me for my support. I saw him again at Defcon and he approached me, said “Hi Matt” and asked how I was enjoying the conference. He is a genuinely nice guy.

Even with no bonus points for being a nice guy his site is an amazing training value. He has several free videos in each series so you can get a feel for his teaching style. He just started a free “Make Your Own Hacker Gadget” series that I’m going to follow along with.

If you like video instructionals and have things like “Learn assembly”, “Learn to write exploits” and “Improve my Python” on your to-do list then is well worth your time to check out.

On a completely unrelated topic, I had an absolute blast at Blackhat and Defcon and have already reserved a room at the Defcon site for next year. I did a write up on my experiences as a first timer which should appear on soon. I also grabbed several signed books there which I had already purchased copies of so I’ll probably do a giveaway here for my unsigned copies of those once the article hits.

Vegas Here I Come!

In a serious contender for the  “my favorite email of the year” award I was recently contacted by Don from and asked if I was interested in a free briefings pass for Black Hat this year. I’ve never been to Black Hat or Defcon so I jumped at the chance.

I’ll be attending Black Hat and Defcon so if anyone has any tips for a first-timer please let me know. The only thing I’m sure of so far is that I’ll keep my Wi-Fi off the entire time 🙂

I haven’t had a ton of time to study recently but what time I have had I’ve used on C and assembly language. I went through a small book on C programming to get more familiar with the language and am currently watching SecurityTube’s “x86 Assembly Language and Shellcoding on Linux” course.

I’m halfway through the course and Vivek has done an outstanding job of explaining and demonstrating the concepts of assembly language in a way that has made it easy for me to learn. I’ll probably do a more in depth review after I’ve watched more videos but I can say that at $39 a month is a great value for learning resources.

My Reluctant New Hobby of Bitcoin Mining

As I discussed in my previous post I recently started playing with GPU password cracking. After some modifications to my desktop system my machine was cracking passwords at a rate I was quite pleased with. After I put it through its paces on a few passwords I wondered how it would perform mining crypto-currency. I had zero experience in that area so I did some internet research to help me get started.

One of the first themes I started seeing was that if your main motivation for mining crypto-currency was profit than you should likely run away. The consensus was that if you were interested in crypto, alternative currencies or other similar topics then this maybe a nice hobby for you but if your main interest in crypto-currency was money then you would be better off spending your money buying them directly rather than mining them.

One of the next things I found out was that I was not going to be able to mine for Bitcoins using my new graphics card. When bitcoin mining was just starting people were using their computer’s CPUs for mining. The next step in the evolution was bitcoin mining using graphics cards. Just like with password cracking GPUs offer a huge speed advantaged compared to CPUs. Unfortunately for GPU miners there was one more evolution: the transition to application-specific integrated circuit, or ASICs. ASICs are specially made devices that can crack a specific algorithm at a much higher rate than a GPU and usually with much lower power consumption. The downside is that when the ASICs are no longer cost efficient to use for mining purposes they have none of the other uses that a video card has.

When I started doing research into this area I almost bought a Bitmain AntMiner S1 Asic which mines SHA256 (the algorithm used by Bitcoins) at a rate of 180 GHs which is FAR faster than even multiple GPUs can mine. When I crunched the numbers a month and a half ago the price was $240 and they would mine about $5 worth of bitcoin a day. I just checked at the price hasn’t come down but due to crypto currency’s getting harder to mine as they age (by design) the devices now mine about $3.20 worth of bitcoin each day. After you account for the cost of power it’s going to be a while before the cost is recouped.

While Bitcoin is by far the biggest of the crypto-currencies there are other currencies which are often referred to as “alt-coins”. Most of these coins use algorithms other than SHA256. Some of the most common are:

Scrypt (Used by popular alt-coins such as Litecoin and Dogecoin): Within the past two months Scrypt ASICs have been released which makes GPU mining for Scrypt based crypto-currencies inefficient.

N-Scrypt (Used by Vertcoin and a few other alt-coins): There are currently no ASICs for the N-Scrypt algorithm and the developers say that if any N-Scrypt ASICs are ever developed they will fork the algorithm to render them useless.

X-11, X-13 & X-15 (Used by a larger number of alt-coins including Darkcoin and Cryptocoin): X-11 and X-13 are very GPU friendly (low temperature and high efficiency) algorithms used by a larger number of recent alt-coins. As I type this a new algorithm (X-15) is just emerging.

Since I already had a good graphics card and wanted Bitcoins the logical choice seemed to be using my GPU to mine other crypto currencies and trade those for Bitcoins. With a full time job and other obligations I don’t have a lot of time to track trends, trade currencies etc. so my best option was to join a multi-pool where a large number of individuals work together to mine crypto-currencies which are automatically exchanged for bitcoins. I found exactly what I was looking for at The owner of the pool charges .05% to mine there but the pool automatically switches between whatever currency offers the best effort/value ratio for your algorithm of choice. For an extra 2% the pool will also automatically exchange all of the alt-coins you mine into bitcoins. I personally find the fees well worth the cost. The amount I earn every day can vary greatly and it’s definitely been slow lately but in the past month and a half I’ve earned around $40 worth of bitcoins. I’m not sure how much additional power I’m using by having the computer on when I otherwise wouldn’t but since I already had the equipment and I find the whole field interesting I’m more than happy with my results so far.


Getting started with GPU Password Cracking

Last year I decided to buy a desktop computer to keep in my home office to run VMs and eventually set up to crack passwords. I didn’t want to spend too much but I was able to find a new dell XPS on eBay with an i7 processor, 16GB of ram and 2TB of hard drive space for $700. I had used john the ripper to crack password hashes quite a few times but hadn’t messed with using a GPU to crack passwords.

A few weeks ago I decided to finally get the machine setup to use the GPU to crack passwords. I knew that ATI graphics cards tended to perform better than NVIDA cards but I had hoped that since the machine was a XPS the NVIDA graphics card in it would at least do a passable job. As I started doing some research I quickly realized that the NVIDA GX 620 currently in the machine wasn’t going to be able to crack passwords at a rate anywhere near that found in higher end cards so an upgrade was in order.

I did a little bit of reading and the ATI 7950 ($230 with a $20 rebate at seemed like a good option for the price. Unfortunately I knew the card would be quite a bit larger and need more power than the stock card so a new case and power supply were in order as well. I ended up grabbing an Azza 9000 case and 600 watt Corsair power supply. The total cost for the graphics card, case and power supply were just under $500 and hopefully I get back the $50 in rebates I sent off.

When the video card arrived it was instantly obvious that I made the right call by getting the bigger case as the 7950 dwarfed the gx 620.


If I thought the video card was a big increase in size that was nothing compared to the monster that was the Azza 9000 case that arrived the next day. I wasn’t sure if that thing would fit through the door. I spent a few hours transferring the motherboard and installing all of the components into the new case but the process was relatively painless. When everything was said and done this is how it looked.


Once it was up and running I updated the video card drivers and installed the latest version of the password cracking program hashcat. I ran hashcat in benchmark mode to see what speeds I could expect for different password hash formats and was quite pleased with the results. AES and RIPEMD-160 TrueCrypt passwords were just under 78,000 guess a second and WPA/WPA2 handshake captures were cracked at a rate of 111,000 guesses a second. I tested a few different files and the real world results were very close to the listed benchmarks.


I’ll probably do a more in depth post on hashcat usage in the near future but right now I’m using the 15GB wordlist from crackstation ( Hashcat also has some brute force and hybrid options.

If I had to do it all over again the only change I would make is getting a bigger power supply. The one I have now is perfect for the setup I have but if I ever decide to expand to a multi GPU motherboard in the future I’ll need more then 600 watts.

One unexpected side effect to this upgrade was that I backdoored myself into a new hobby. As soon as I was done testing the password cracking capabilities and the machine was sitting idle I wondered how it would perform mining crypto currencies. I’ve had a lot of fun researching the topic and trying different things and will probably write about that in my next post.

Some Basic Options When Dealing with TrueCrypt (aka Finally a Forensics Post)

I’ve recently been working on a presentation I’ll be giving in a few weeks on the topic of memory forensics. I’ve learned a ton while working on it and the old adage of “The best way to understand something is to teach in to others” has proven extremely beneficial to me.

One of the topics that required me to do some digging was on the subject of memory analysis as it relates to TrueCrypt. A few years ago I was asked to examine a system within an extremely short time frame. I looked at the software installed on the system and saw TrueCrypt. I didn’t know a ton back then but I knew enough to know that there was nothing quick about dealing with TrueCrypt.

I’m writing the post that I wish I would have had on that day a few years back. If you see TrueCrypt installed on a system and aren’t quite sure what to do with that bit of information, hopefully this quick overview and some of the resources I’ll mention help. I’m not going to cover using artifacts like prefetch files to determine if TrueCrypt is installed and how frequently it’s been used, we’ll just cover hunting for and dealing with the containers.

Locating TrueCrypt:

One of the things that makes locating TrueCrypt files difficult is their lack of a standard file signature that one would normally use to locate all of a particular file format. There is a free tool called “TCHunt” that will scan a drive or directory and look for files that may be TrueCrypt containers. TCHunt looks for miles that meet specific size requirements (file size divisible by 512 and at least a minimum size), doesn’t have the file header of a known common type and appears to contain a higher than average randomness of data which is a key indicator that the contents may be encrypted.





For everything that TCHunt does it’s also amazingly quick. I ran it against a 750GB Hard drive which had over 500GB of data and the complete scan took around three minutes. The tool correctly identified all four TrueCrypt containers on the drive.

Cracking TrueCrypt:

Using Memory:

Ideally you have a memory dump which was acquired while the TrueCrypt container was mounted. In lieu of that the hiberfil.sys may have been written while the container was mounted. TrueCrypt no longer stores it’s password in memory but it does store encryption keys in memory while the container is mounted so the password doesn’t need to be re-entered every time a file is accessed. These keys can be located using tools like bulk extractor and are the key to unlocking the container.

Michael Hale Ligh wrote a great blog post on Volatility Labs earlier this year discussing identifying and acquiring these keys. In the post he references a 2011 blog post by Michael Weissbacher  where he outlines patching TrueCrypt to allow an examiner to use acquired AES keys to mount a TrueCrypt container without knowing the password. There are commercial tools such as passware and elcomsoft which will also allow an examiner to access a TrueCrypt container using keys acquired from a memory dump.

Without Memory:

If no useable memory dump is available and you still want to access a locked TrueCrypt container you’re hoping for quite a few things.

• The user used a short password
• The user stuck to the default settings (RIPEMD-160 and AES) when creating the TrueCrypt container
• You have access to a system with a powerful graphics card

Modern graphics cards (GPUs) can crack passwords at a MUCH faster rate than a computer processor (CPU) can. I recently upgraded to an ATI 7950 3GB model ($230 at Newegg) and I’m able to crack passwords on a TrueCrypt container created with default settings at a rate of 77,000 guesses per second. That sounds like a lot and it’s great for wordlists (I can go through the entire 14,000,000 word rockyou list in under three minutes) but when you start crunching the numbers on a brute forcing attempt you’ll quickly become discouraged.

If standard wordlists don’t crack the password there could be multiple causes. The user could have changed the default settings when creating the container or could have used a password not in your word lists. You could try generating custom wordlists or using your wordlists with different encryption options.

I threw one of the TrueCrypt containers TCHunt found at oclHashcat to try to crack the password. oclHashcat has multiple TrueCrypt encryption options but I tried the default RipeMD160 and AES option first.


It turns out that the password (123mango) was in the rockyou wordlist I was using so the password was cracked in under a minute.








I can’t overstate the value of having some good wordlists for times like these. Brute forcing a password 8 characters or longer is a road nobody wants to go down.

I’ve been using john the ripper for a few years but am just now starting to seriously delve into GPU password cracking so I’d love to hear any tips, techniques or stories you have on these topics.

Bash Script to Help With base64 and echo File Transfers

Recently I had remote access to a Linux terminal with an extremely limited command set and I wanted to place a full featured web shell on the box. My usual methods of netcat and wget weren’t available but someone much smarter than I (Craig Swan at SensePost) suggested I use base64 to encode the shell (to avoid any issues with foreign characters) copy each line, and paste each line on the target box as part of an echo statement which builds a copy of the file on the target box.

I thought the idea was great and it worked like a champ. I figured that this likely wasn’t the last time I would use this technique so I wrote a bash script to automate the process as much as possible.

base64 $1 > based.tmp
[ -f based_output.txt ] && rm based_output.txt
prevar=’echo “‘
postvar='” >> ‘
cat based.tmp | while read line; do
echo $prevar$line$postvar$file_name >> based_output.txt

The code takes an input file and prepares that file for transfer. The command “ webshell.php” would take the contents of webshell.php, encode it with base64, copy the encoded data to a temp file, go through that file line by line and  copy the contents of each line to an output file where it is turned into an echo >> webshell.php command. Below is a screenshot of the process.



The script speeds up the process a little bit and helps avoid typing errors. The contents of the based_output.txt file are ready to be pasted into the target’s terminal window. Once each of the echo commands has been run on the target machine the resulting file can be decoded with base64 and the webshell will have been successfully transferred.

It’s a very short and simple script but it was a good excuse for me to work on my bash.

Book Review: Red Team Field Manual

rtfmIt feels kind of weird to call this a “book review” when the book is under 100 pages and costs $9 on Amazon but the Red Team Field Manual is worth sharing.

I first heard about the book on a SANS mailing list a few weeks ago when a poster said that the book was awesome and not to be scared off by the Amazon reviews which are joke reviews written by the author’s friends. I went to read the reviews (some of them were pretty darn funny) and since the book was only $9 I ordered it. It may very well go down as the handiest $9 I’ve ever spent.

The book’s author originally wrote the book as a reference for members of his penetration testing red team and got permission from his employer to publish it. The book is just under 100 pages and is nothing but a well-organized list of handy pen-testing commands for Linux, Windows, networking, pen testing tools, databases etc.

  • Looking for some Linux commands to cover your tracks? Page 7
  • A little fuzzy on the exact netsh command to forward a port in Windows? Page 18 has you covered.
  • Want to use Powershell to run a command every four hours? Page 23

I’ve kept my copy in my backpack since the day it arrived and it will probably stay there for many years. If you’re at all interested in pen testing and the book sounds like something you could use it’s definitely worth the $9 to check it out.

Thoughts on the SANS 560 at Cybercon

woo hoo!!!

woo hoo!!!

As some of you know I’ve been on a SANS binge over the past 18 months at a pace that seemed on the brink of unsustainable at times. Some of the classes like the FOR 408 and FOR 585 were topics very relevant to my duties and interests. Some of the classes covered material that I don’t use much in my current daily life but I knew were big holes in my overall skill set. The SEC 503 squared away my packet analysis skills like I doubt any other course could have. I’ve greatly enjoyed every class I’ve ever taken but the classes were always to learn or refine my skills.

So after 18 months of being mature and taking the appropriate classes I rewarded myself by going the opposite route. I took a class that I knew would absolutely teach me new skills and help refine skills I already possessed but I primarily picked the SANS SEC 560 Network Penetration Testing and Ethical Hacking course because it just sounded like a heck of a lot of fun.

I’ve already been asked one question about my experience and I’ve been involved with some SEC 560 vs. SEC 504 discussions in the past so there are a few topics I wanted to discuss before I do a course summary.

Q: How Was Cybercon compared to a live conference?

A: I talked a little bit about my previous Cybercon experience here and everything I said there remains true. The software used was different this time out but it still had zero issues and felt smooth.

At the last Cybercon I took the 414 CISSP prep course and there were literally zero issues. Twice a day we would pause to go take the practice tests and meet back up afterwards, everything was flawless. This time there were still no issues with instructor interaction but since students had to VPN into remote labs to perform the exercises a few of the students we’re having some issues. The SANS support stuff was extremely friendly and helpful and even ended up remoting into two students machines to get them configured. I can’t say enough good things about those guys.

So there were issues but when you have students with entirely different setups using VPN to connect to remote labs that’s not terribly surprising. Things change so this advice probably has a shelf life worse than sour cream but if I had a friend taking the next virtual 560 class I would advise them to setup the VPN connection on the Linux VM and a Windows system (for me it was my host OS) as soon as they get their disk. For me setup only took a few minutes each and I made sure that I could not only ping the target IP address SANS provided but also that my Windows host could ping my Linux VM (through the VPN) and vice versa (once I disabled my Windows firewall). I personally had zero connection issues during the class except for the occasional dropped connection on the Linux side which always corrected itself.

Connection issues aside the labs worked flawlessly 99% of the time. There was one lab where the second half required a Metasploit pivot from one box to another and for some reason the target box didn’t want to play nice. I haven’t checked to see if the issue is resolved yet but that was honestly the only issue we had the entire week. Once again kudos to the virtual support staff.

All of the above is necessary background but I haven’t actually answered the question yet so here goes.

If SANS was holding an event in my city and running an online course at the same time I would choose to go to the event in person. The opportunity to network on such a grand scale is well worth getting dressed each morning 🙂

If had had a choice to go to a fully funded trip to a SANS conference or take a course online I would go to the conference. Free trip and a conference, come on!

Unfortunately for me neither of the above two scenarios is likely. What is far more likely is the exact scenario I faced this month. SANS is holding an event this week in Scottsdale a little over two hours north of me. I attended last year and had an absolute blast. I saw this year’s conference was going to have the 560 and I was stoked. Later I saw that the week before the conference (last week) was an online version of 560 at Cybercon and I had to make a decision. I ended up choosing Cybercon and saved the money I would have spent driving there, spending six nights in a hotel and eating out.

My situation was about as pure of a decision as possible. I had been to a SANS Scottsdale and a Cybercon and both of them were offering the course I wanted within one week of each other. I viewed the decision as travel expenses vs. personal networking and nothing more. The quality of learning didn’t factor into my decision nor should it have. After two Cybercon experiences I can say I’m very satisfied with the training I’ve received.

One more thing to mention is cost savings isn’t the only advantage online students get. I love the mp3s as much as anybody but I’m a huge fan of video learning and online students get access to video recordings from the course for four months. At one point while the instructor was giving a very detailed description of rainbow table creation I had to go to the front door to sign for a package. Later that afternoon I was able to go to the video to see what I had missed. That’s pretty darn cool.

Earlier I cited the VPN connection as an issue for some people but it’s also one of the biggest perks. Most of the 560 students in Phoenix this week will play around on one network for a few days performing labs and then on another network for a few hours during the CTF and that will be it. Online students get access to both networks for four full months. That’s pretty darn cool. There are a few things on the CTF network that I plan on going back and playing with this week and I like having that opportunity.

Hopefully that does a decent job comparing the pros and the cons of the multiple formats.

The other topic I wanted to discuss was the amount of overlap between SEC 504 and SEC 560.

When I took SEC 504 in September of 2012 there was a really nice guy in class who had commented to me that he was enjoying the class but his previous class was the 560 and there was a lot of overlap. I knew this was a topic of interest (SANS even has a FAQ page on the subject) so I wanted to give my thoughts on it.

SEC 504 was my first ever facilitating gig and honestly I think it was my sixth choice. I lucked out. Only the SEC 401 would have been more appropriate for me at that point in my journey. The 504 was awesome. It introduces you to all sorts of different attacks, explains how they work and then spends a little bit of time discussing how to identify and prevent them. In addition to being the first block on the pen testing course chart the 504 is now (rightfully so) listed as the first block on the forensics course chart as well. That speaks volumes about the course’s usefulness.

While the 504 was exactly what it claims to be (a great overview on hacker techniques and exploits) the 560 is also exactly what it claims to be, a great overview on pen testing.

One stark contrast between the two courses is the coverage of Metasploit. In the 504 students are introduced to Metasploit, start it up, and fire it at vulnerable servers. It’s a great introduction and the students get a chance to play with it more during the day six CTF. In the 560 students get the same intro but then go way more in depth looking at the various sorts of modules, at integrating Metasploit with a database so it can use nmap or Nessus results to identify useful exploits, at different ways they can pivot from one machine on a network to another one etc. I have used Metasploit in multiple courses and practicing on my own but I definitely have a better understanding of it now.

I loved the 560 for a lot of the same reasons I loved the 408 Windows forensics course. The courses were very systematic and well laid out. Day one covers a lot of the legalities, best practices and some recon. Day two provides GREAT coverage on scanning so you can map out targets. Day three is using Metasploit and some other tools to get a foot hold on the network and move around. Day four is a great look at password attacks and covers both attacks over the network using tools like hydra and offline attacks using John the Ripper and Ophcrack. Day five was a little different but enjoyable. The first half of the day was wireless and the second half was web applications. I’ve already taken the 617 wireless hacking class and the 542 web application attack class so I would have preferred different content but the content was very well done and enjoyable. Just like the 504 day 6 is a capture the flag event.

The 504 and 560 are both 500 level SANS courses designed by Ed Skoudis with “hack” in the title so there are going to be some similarities. Once again I lucked out in that I went to the classes in the correct order. The 504 exposed me to a lot of techniques and the 560 helped me refine my use of the techniques and develop a game plan. If I had gone to the classes in opposite order (like the gentleman I spoke to had) then I likely would have had similar thoughts. I would have gone from a course which covered tools in depth to a course which covered them with less detail but exposed me to other attacks and techniques.

If you’ve taken the 504 and are interested in the 560 then go for it. The overlap is headed in the right direction. If you’ve taken the 560 and are considering the 504 then it may indeed be an awesome class for you but I would take a good look at your options and what you could get from each of them. If I was  recommending courses to a friend new to pen testing I would recommend both the 504 and the 560 but specify that they should be done in that order.

Kevin Fiscus is a great instructor with a gift for explaining difficult concepts in a way anyone can understand and I was able to take lessons learned from my 504 CTF (mainly to stay organized) and come in first in the 560 CTF. All in all it was a great week and I’m sure it won’t be my last online class or my last class with Kevin.

2014 Cybercon Here I Come


My box of books and swag for the 2014 SANS Cybercon showed up today so I’m pretty much like a kid on Christmas morning flipping through my new books. I signed up for the SEC 560 class (taught by Kevin Fiscus) and am looking forward to a great week.

SANS 2013 Holiday Hacking Challenge, 2013 Review and 2014 Goals

I just submitted my report for the SANS 2013 Holiday Hacking Challenge ( ) and it was a great way to end the year. I started my infosec studies in mid-2012 and while I was aware of the 2012 holiday challenge I was swamped with other obligations and didn’t have the time to participate. Every time I saw an update on twitter talking about the challenge I promised myself that I would give it a go in 2013.

The challenge this year requires the user to analyze a pcap file with over 170,000 records in it determine what attacks were leveraged, what defensive techniques were used, etc. It was a lot of fun to start sifting through the records reconstructing what occurred.

I took notes, created a timeline and wrote a report which answered all four questions. I absolutely would not have been able to do as thorough as job a few months ago so it was a great feeling to see how much I’ve improved my skills.

2013 Review

My 2013 goal was to cram in as much information as I possibly could an attempt to make sure that I had a good general overview of infosec. I ended up knocking out the following in chronological order.

  • Finishing up the Attack-Secure Penetration Testing Course
  • Taking the SANS SEC 401 and passing the GSEC
  • Taking the SANS FOR 408 and passing the GCFE
  • Reviewed the new course material for the FOR 508
  • Taking the SANS MGT 414 and passing the CISSP and GISP
  • Passed the CEH
  • Wrote a Python tool to analyze the iPhone application “Burner”
  • Taking the SANS SEC 542 and passing the GWAPT
  • Beta tested the new SANS FOR 585 Smart Phone Forensics Course (huge honor)
  • Taking SANS SEC 503 and passing the GCIA
  • Almost done reviewing the course material for the SEC 617

It was expensive, it was mentally draining and it was TOTALLY AWESOME. The experience was absolutely worth every penny and every hour.

I’m able to listen to the pauldotcom podcast and understand what’s being talked about, able to look at network flow reports and diagnose issues, able to fire up Linux and navigate around, able to quickly develop Python apps to solve problems and even able to look at network traffic at the packet level and know what I’m looking at. I know I’ve got a long way to go but I’m proud of the progress I’ve made.

I would also be remiss if I didn’t mention the fact that every time I’ve attended a conference I’ve met some amazing people that I keep in contact and I’ve also made some virtual friends online that I can’t wait to meet in person. My stable of security friends is growing monthly.

2014 Goals

While 2013 was packed full of classes and certs 2014 will be more about specific skills and projects. There will absolutely still be some classes (I’m already signed up for the SANS Penetration Testing SEC 560 course in February) but I’m more focused on a few particular topics.

Numbers 1 & 2:  Learning C and Assembly Language.

A lot of C looks very familiar from other languages that I’ve coded in (namely Python and PHP) but I never learned to program in C. I’m currently using some online tutorials and a book to work on my C and once I feel like I’ve got a good grasp on that then it’s moving on to assembly language.

Why oh why do I plan on subjecting myself to such pain? Because I know I need to in order to work on numbers 3 & 4.

Number 3: Learn Reverse Engineering

After I’m decent at C and Assembly I’m planning on going through the Practical Malware analysis book. I may try to attend a SANS FOR 610 course later in the year but I’d really like to good a good grasp on the subject first.

Number 4: Learn Exploit Development

There are a lot of great online tutorials for exploit dev (inc. Corelan) but after my C and ASM I’m going to try to start off by signing up for a Joe McCray exploit dev course. I’ve watched a few of his YouTube videos on the subject ( and ) and I really enjoyed his teaching style.

Number 5: Continue Improving my Python

I’ve gotten very comfortable with Python and have written multiple tools with it but I want to continue improving it. I’ve signed up for Vivek’s  site and am currently working my way through his Python for Pentesting class. I will also make time to finally finish Violent Python. I love the book but it kept getting pushed aside for my courses and certs. I’d love to take the SANS 573 course at some point but we shall see.

Number 6: Continue to Improve my Linux skills

In 2013 I got comfortable in Linux. I can move around in it, run programs, solve basic problems etc. I even find myself using vi instead of gedit for simple tasks. I’ve still got A LOT of work to do on my Linux. I need to get more comfortable using sed, awk and other tools, making SSH second nature etc.

I know that I’ll never get my Linux skills to level of someone who is a sys admin for Linux boxes every day but I know I need to get better.

Number 7: Improve my Macintosh skills

This one is easy since they’re pretty much nonexistent 🙂 I don’t really have a specific plan for this one other than I recently purchased a Mac Mini and I’m going to make an effort to use that more instead of my Windows laptop.

Number 8: Get my CTF on

This is the only one on the list that isn’t my idea. I discussed my 2014 to-do list with someone MUCH more skilled than I and he loved my list but suggested that I try to work in some CTFs to reinforce my skills and have some fun.

The only CTF type activity I’ve done have been NetWars at a SANS conference but I’m going to keep an eye out for opportunities this year.

I have a few other minor ones but those are the big ones. I’d love to hear any thoughts or suggestions.