Thursday, July 30, 2015

SANS SEC660: Day 6 review: CTF and NetWars

If you're on the fence of what training to attend that will maximize your time and money, SANS SEC 660 at a large SANS event would be a great choice.  While I'm not paid nor endorsed by SANS to continually promote the value and excellence of this class, it's a natural byproduct of the experience.  With that said and as the title of the post implies, this post will cover the last day and both NetWars events.

The last day of the class is a capture the flag event/Jeopardy style event.  There were four categories (one was Linux and another was Windows) that had four challenges with point values of 100, 200, 300 and 400.  We broke off into self formed teams to start solving challenges which seemed to cover mostly the last two days of material.  Many challenges had straight forward questions to solve that were explained, demo'ed or labs from the prior days.

It wouldn't be much fun to give away more of the questions, but the advice I can give is to do all of the bootcamp exercises and additional material if applicable.  While it may not necessarily be the same techniques to solve the challenges, it'll help you out regardless in many ways.  It also helped our team to divide and conquer based on what we felt we were strong at.  At the start, one person focused on the Linux challenges, I focused on the Windows challenges and another focused on another category.  But, it's also helpful (as we did) to switch it up and dig into another category.  Most people in the room were tired from the long week and staring at a problem for a relatively long time can get you lost in the weeds.

We ended the CTF about 2:30p and then reviewed the various challenges.  Of course, when you see the answers, it's all obvious what you should and shouldn't have done.  It was still a great learning experience that helps reinforce that the more you do it (like many things in life), the better you get at it.  Of course if you only did this, that and the other thing, you'd have solved that challenge in 5 minutes just like Stephen did to pick up a cool 400 points.  As an aside, I pretty much can't go through this entire review series and not mention "Ram Bro".  I never heard of it before this class, but I'm pretty much a better person for experiencing it.  You should check it out.

It's good to see that the knowledge you gain from the class is expected to be applied to other situations at SANS.  The classic example is through their NetWars challenges held at many SANS events.  In our case, we had the opportunity to play for three nights for the Core NetWars challenge and one night for the CyberCity NetWars challenge.  Prior to the event and from peers, I knew a little bit about the events, but had no real detail of what it was like.  The first day of the SANS class, the instructors kept on promoting the events and told us that it was free to us since we had the 6 day course.  There was nothing to lose and there would be free drinks and appetizers as well as a fun challenge to compete in.  Many people signed up during the first break and I'm pretty glad I did.

The first night felt like being the new kid in class in the Core NetWars challenge room.  They opened up two classrooms to make it a giant room for people to compete.  Not only were there students from all of the classes, but people specifically came to this event to just play NetWars.  There are five levels to progress through with varying categories of challenges.  This is to help it to be accessible to all students in the SANS courses so it doesn't feel like an upper level classes only event.  With it being accessible to all students, that also means it has challenges across all of the classes.

The first two levels were played with a supplied Linux image to solve the questions.  Thankfully, you could attempt up to two tries for an answer.  If you didn't answer the question right the second time, it was negative points.  While they said that there would be cake... no, wait.  While they said that there would be clues to help you, I didn't really find this on the Core challenges in levels 1 thru 3 (I only got up to level 3).  There were clues in the CyberCity challenge that were available to help you and your team out.  Being that the questions could be solved with a Linux VM, all of the questions in those challenges centered around a Linux environment.  It certainly showed the versatility of the questions to help students from the various courses (e.g. Forensics, Pen Testing) use their new knowledge to solve the questions.  

There were giant screens being projected with the current rankings of the first 35 people or so which made it more competitive.  While I didn't offhand know the answers to all of the questions, I certainly learned as fast as I could to help figure it out!  If you go through this class material and the prep material I list in the previous posts, it'd help you answer a fair set of questions for the first few levels.  I didn't get to the last two levels, but from what people said and what the SANS instructors hint at, it'd be a lot of fun!  There's always the option to do the continuos NetWars challenge to get months of access and that could return a lot of value to you as well.  It would be fun to go back through the challenge and see what I could do with more time.  While it was a competitive event, it was a relaxed atmosphere that promoted learning and having fun with other people in the room.  The free drinks and appetizers may have also been a factor and it was certainly a nice addition.

There was definitely a different feel for the Core NetWars versus the CyberCity NetWars.  It was a nice break to have a night off from the Core NetWars to throw in the CyberCity challenge.  The basic premise of CyberCity is that you're trying to control various "sections" of a fictitious city.  For instance, there's a residential area, a water treatment area, airport/military district and others.  We used the same big room as with the Core NetWars, but we were then sectioned off into various starting areas.  Our section was the water treatment section which had us start with a specific selection of questions.  Once our general area was sectioned off, it was about every two rows of tables were then set up to be a team.  That made it an interesting twist to work with people you may not necessarily know and try to work together as a team.  Our team did pretty good and we were able to solve all of our first area challenges to then move onto the rest of the area challenges.  Overall we did good and placed either second or third as a team.  It was fun and further helped me learn more about various topics I had read about and/or only had a little bit of hands-on exposure.

The bonus sessions offered by SANS are worth attending and can provide you value in many ways.  While it was nice to attend various SANS bonus sessions offered by teachers on specialized subjects, participating in the NetWars challenges was a lot of fun.  You can certainly do whatever you want after the class is over and it can be hard to do more learning/challenges at night.  Some sessions may or may not be applicable and/or interesting to you.  I would recommend that if NetWars is available, you should try it out for a night, especially since it could be free.  It may not click for you, but at least you tried it and gave it a shot.  But, it could open your eyes to a whole new set of interests and experiences you may not have had the time to explore.

Tuesday, July 28, 2015

SANS SEC660: Day 5 review: Exploiting Windows for Penetration Testers

The course and experience of going to the SANS SEC660 course has been amazing.  I previously attended a SANS course, but did it remotely through their online offering.  While it was simultaneously done as the in-person class, I felt a deep disconnect to the experience there.  I have done other online courses for various IT things and the SANS online course felt a lot like those.  Disconnected.  I couldn't really connect with the other classmates.  I didn't feel like if I had questions I would as easily understand it as if I was there in class.  

Being at the SANS course in-person was a completely different experience.  Sure I could have done the class remotely as well as the bonus sessions like NetWars.  However, it just feels like a great time being around all of the other folks hacking away at the NetWars challenges in a giant room.  It was a great time meeting people, working with them on challenges, learning alongside them and having fun.  That is what it felt like being there at the conference.  Having fun.

The previous day and night were pretty stellar events.  The previous day was a crash course in Linux exploitation and stretching my mind to quickly understand a lot of new concepts and ideas.  At night, it was a special NetWars as SANS brought out their CyberCity challenge.  Previous NetWars nights were the Core NetWars challenge where you challenged everyone.  The CyberCity NetWars challenge was a random grouping of people to work on challenges together.  That was a pretty fun learning experience as well as fun in general.  But, more on that in another post!  Day 4 was a great day and night to be at the conference.  Let's get on with the Day 5 review.

Here are the events from the SANS website of the contents of this day:

- The state of Windows OS protections on Windows 7, 8, 10, Server 2008 and 2012
- Understanding common Windows constructs
- Stack exploitation on Windows
- Defeating OS protections added to Windows
- Creating a MetaSploit module
- Advanced stack-smashing on Windows
- Using ROP
- Building ROP chains to defeat DEP and bypass ASLR
- Windows 7 and Windows 8 exploitation
- Porting MetaSploit modules
- Client-side exploitation
- Windows Shellcode

The list above was a tall order of material to fit into one day.  We certainly felt the weight of the materials by the end of it.  Going through the previous day's materials did help prepare us for today and the techniques necessary to exploit Windows.  It was time to dig into Windows and learn more about the internals of Windows!

The day started with the internals of Windows covering memory layout in the OS, PE file structure and linking.  It was a good refresher and it was good to dive a bit deeper in other parts as Steve relayed various tidbits of information through various rabbit holes.  We covered Windows debuggers such as OllyDBG (briefly) and Immunity Debugger.  Immunity was the main debugger we used throughout the day for various exercises such as going through a random binary to examine various sections of a PE.  Going through materials like Ange Albertini's examinations of PE files (here and here) would be pretty helpful to pick up this module faster.  Each module has an additional reading/resource section as well to better learn the covered material, so it was good to see those things.  It was a crash course through the Windows Internals books to get us ready to exploit Windows.

We covered the various methods Windows uses to protect Windows and how those methods evolved over the versions of Windows to today.  It is interesting to see the methods that Windows borrowed and improved upon for their protection methods.  Steve gave a talk about EMET and the various Windows mechanisms that were implemented over the years across Operating Systems.  There's certainly been no lack of trying, although it is seemingly hard how to balance usability versus security.  You can certainly completely STIG and/or turn EMET to full protection lockdown, but then the OS isn't as useable as before.  Balancing that with system and business requirements to the best possible protection is hard.  But, that's not our story for today, but how to exploit them!  As a quick note, Steve did do a "preview" for the class talking about these things above in this webcast.  It was pretty good!

It's interesting how different people and tutorials approach Windows debugging and user land exploitation.  In some cases like in the SANS training, Immunity Debugger was used.  In the OpenSecurity and Windows Exploit Dev course, they use WinDBG.  The Corelan tutorial uses mainly WinDBG with some Immunity Debugger.  It is advantageous though to be familiar with both debuggers for Windows.  For the purposes of this class, knowing how to work in the various windows and menus in Immunity will help you out.  It's not necessarily an issue with the main screen, but knowing how to run, see that output to then go back to the main screen can be confusing at first.  The usage of Immunity is kept to the basics to help get the student familiar with the product and not bury them in various sub-screens that Immunity provides.

We covered a lot of technical discussion on DEP, ASLR and using ROP gadgets.  It felt like most of the afternoon was spent working with ROP based exploitation techniques against our vulnerable software.  There were different exercises on using ROP gadgets which helped to absorb the information we were given.  Stephen would talk about the exploit technique, do a demo and then have us do the demos on our own.  If you're new to Windows exploitation, it would be a bit challenging to go through all of the exercises in time.  Luckily you can bring it all home to work on later.  You can of course copy and paste the answers from the book to proceed through the labs, but it may not help you fully understand what's going on without trying without it.

The MetaSploit module section was interesting and has applicability to pen testers and/or modifying exploits to fit your needs.  Many times, there's exploits in MetaSploit that target a specific patch level and system architecture.  But, there are opportunities to take that "shell", tweak it to your specific needs based on understanding how that exploit works, figuring out the offsets for your target and then repackaging up the exploit.  Rather than being a user of MetaSploit, you can go beyond that by taking what other's have started for you and go further.  You would need to spend more time working with the class material to tweak exploits to your situation, but this class helps to get you going in that direction.  It was an overall short module, but a good example of how to use this class to suit your needs back in the world.

The last module before the bootcamp (where you refine your knowledge with more exercises) was Windows Shellcode.  I was looking pretty forward to this class as it's been a fun topic to learn more about.  Stephen has been a great teacher and explaining everything with deep technical detail.  With that, going over shellcode and multi-stage shellcode were easier pills to swallow.  There were good labs and lots of links for further reading to know/learn more.  There's not enough time in a single day to cover all of this material so it was good to see that they didn't leave it at only their materials to learn more from.  A lot of the topics (especially Day 4 and Day 5) had research links/books to learn from that had been where these techniques in the book came from in some cases.

Going into this day had been a bit tough from the week's activities.  There had been three nights of NetWars and other sessions at night.  But, it had been a lot of fun and challenging.  We still had one more day left, but it was a most of the day challenge.  Steven went through the categories of the challenge and it was set up in a Jeopardy style challenge.  It was similar to the NetWars challenges where you enter a md5 hash of the answer into an answer text box.  The class CTF looked like it would be a lot of fun and the coin for SEC660 is pretty neat which would be awarded to the winning team.  Stay tuned for the closing review post!

Day 5 prep:
- OpenSecurity Training: Exploits 2
- Windows Exploit Development Course
- Corelan Exploit Tutorial series
- Immunity Tutorials:  First, Second

Thursday, July 23, 2015

SANS SEC660: Day 4 review: Exploiting Linux for Penetration Testers

One of the main reasons I wanted to attend the SANS SEC660 course was to better learn Linux and Windows exploitation.  I had done work on my own, but sometimes an issue would come up, or I would get curious about a subject, follow some rabbit holes and get to a point where I had to stop for the time being (e.g. sleep).  Going to a training event like this was very exciting as not only would I learn more about Linux/Windows exploitation and various methods to accomplish that, but I would also learn more about fuzzing and being at a SANS event for NetWars.  As expected based on the course so far, these two days would be the biggest and most intense.  Both subjects have their own nuances and ways of going about exploitation to privilege escalation.

As we have done previously, let's list and go through the day's agenda from the course's page:

- Stack and dynamic memory management and allocation on the Linux OS
- Disassembling a binary and analyzing x86 assembly code
- Performing symbol resolution on the Linux OS
- Identifying vulnerable programs
- Code execution redirection and memory leaks
- Identifying and analyzing stack-based overflows on the Linux OS
- Performing return-to-libc (ret2libc) attacks on the stack
- Return-oriented programming
- Defeating stack protection on the Linux OS
- Defeating ASLR on the Linux OS

The class started off with an introduction to memory layout and registers.  It was a quick introduction to the topic though and while I had already been familiar with these concepts, the fast pace could potentially leave some students behind.  Going through basic x86 assembly was good as well, but that also went fast.  Prior to the class, I went through the Intro to x86 course and didn't have any issues with the content, but I have no idea about the other people.  Some knew what was going on, but it seemed that there were others who were being exposed to subjects like a function prologue and epilogue sequence.  Definitely having exposure to x86 like in the class above would greatly help you pick up the topics first introduced today.  Not knowing what the EIP was and it's importance, to suddenly being introduced to the topic and keeping track of EIP, ESP, EBP, ECX and everything else could potentially be confusing if you've never really dug into it.

I would have been even better prepared for the class had I have done the Intro to Software Exploits class as well.  The topics of stack smashing, format strings exploiting, bypassing ASLR, defeating stack canaries can be daunting at first, especially when you're going fast.  I'm not trying to imply that we moved too fast to understand the material, but we only had so much time allocated to the material and labs where we had to continue moving on.  Steve did stop a bit to take questions, make sure we understood what was going on, but again, there's more content than time.

Even if you didn't go through the Intro to Software Exploits class, this course was still good and prepared you for the exploit techniques you would immediately begin practicing after learning.  There definitely is value though of doing the prep work as above and still going to this class.  Steve went into a lot of detail and rabbit holes about various low level topics relevant to the material.  Again, having exposure to that prior to the class, a person could better appreciate the material and information and use it to better their understanding.  Hearing about the TLB and random information about it without knowing anything about it can make it a bit harder to understand before knowing what it even means.

If you're going to talk about Linux exploitation, you'll probably run into the GNU debugger at some point in time.  Many people prefer to look at information in a GUI rather than staring at a command line.  If you are in that camp and never really got into gdb, WinDBG, etc it could be a little bit daunting when you fire up gdb for the first few times.  GDB is a great and free Linux debugger that is a staple for many people when they take apart code.  While there are many great extensions to gdb (e.g. Zach Riggle's PEDA regular PEDA, gef) to make it more friendly/useable for exploitation, we just stuck to the basic gdb version.  There was some hand-holding, but not much time was spent in one place for too long before moving on.  Along with working with gdb, you may also use objdump to check out ELF files.

Based on other resources on the same subject, smashing the stack, going over return-orientated programming (ROP) and performing return-to-libc attacks are common courseware topics.  If you haven't had much hands-on experience, it may be a little intimidating at first especially as you need to quickly pick up certain concepts.  Steve and the courseware go into good detail of the how and why, but there isn't much time given to digest and fully absorb the material.  You move from one topic to the next and build upon the topics to more elaborate exploitation scenarios.  Steve went through the progression of stack protection mechanisms and how they continued to adapt such as with stack canaries.  Evading stack canaries was covered and we had the opportunity to put that knowledge of exploitation into practice with labs.

We were receiving a lot of awesome information, but it was a torrential downpour of information.  Last, but not least, we talked about ASLR on Linux and how to defeat it.  A lot of topics that we covered in Linux also have similar mechanisms on Windows.  Learning how to defeat ASLR on Linux also helped us for the next day when we talked about it in the Windows day.  Without going into too much more detail of how it was presented and how we better cemented the knowledge into our brains, I will say that it was well done.  Regardless of how much (or little) time we had, it never felt like we moved on from a point where we were lost.  It felt like everyone got to a "good enough" state where they grasped the concept.  We could implement the exploit given to us and comprehend the lesson behind the lab.  While we weren't experts at fully knowing completely why certain things worked as they did, it was meant to get you headed in the right direction.

This day was certainly packed full of information and it was also the last night for the Core NetWars.  Many topics covered today though had applicability to the next day with Windows, so it wouldn't be another day full of new topics.  Going full steam for four days for around 9 to 10 hours of class, doing bonus sessions/NetWars at night, talking with the family, staying up beyond that with reading/learning more while working on the NetWars challenges was starting to wear down on me.  There were still two days to go, but it was a good feeling knowing that I was definitely learning and growing rapidly with all of this new knowledge.  While I mention in this article and others of resources outside of SANS, there still is a lot of great value in still doing those other resources and going to this class.  I think that by doing the prep work mentioned and other resources you may find will help you have a greater foundation to build upon for this class.

Day 4 prep:
- Intro to x86
- Intro to Software Exploits

Tuesday, July 21, 2015

SANS SEC660: Day 3 review: Python, Scapy and Fuzzing

Up to this point, the SEC660 course had been manageable and not too bad.  The additional bonus sessions and the first night of Core NetWars made for quite a day and night.  Free beverages and appetizers at night certainly helped and it was an enjoyable, but long set of days.  But, there were still 3 days of instruction and a day of CTF to do yet as well as continued competition with NetWars.  This day though focused on a more enjoyable aspect of InfoSec (at least for me!) of scripting and fuzzing!  While it wasn't PowerShell scripting, it was working with Python and a popular Python library called Scapy.  Fuzzing has always been an interest of mine to further pursue, but I had yet up to that point really done any amount of meaningful work with any fuzzer.

To further set the frame of mind for this article, here are the topics for the third day from the course website:

- Becoming familiar with Python types
- Leveraging Python modules for real-world pen tester tasks
- Manipulating stateful protocols with Scapy
- Using Scapy to create a custom wireless data leakage tool
- Product security testing
- Using Taof for quick protocol mutation fuzzing
- Optimizing your fuzzing time with smart target selection
- Automating target monitoring while fuzzing with Sulley
- Leveraging Microsoft Word macros for fuzzing .docx files
- Block-based code coverage techniques using Paimei

While it wasn't (and still isn't) mentioned on the SANS site, there has been an addition of lcamtuf's afl fuzzer.  But, I'm getting ahead of myself of the day's events!  Back to more of an order of the day, as the list above implies, we covered the basics of Python and how it works.  While I don't feel it was a long module, doing the basics of Python and how it can be leveraged in an offense-based setting was interesting.  However, I think there could have been a better usage of our time by making an intro to Python and some work to be done a course pre-req.  Not necessarily shove this back into 560, but make it a "prior to class you need to accomplish" requirement.  That way there can be maybe a short refresher of Python and basics to then dive into the more technical usage of Python for our class.  But, going into the class without Python experience and then diving into Python heavy exercises may leave you at a disadvantage.  You don't necessarily need to be writing complex Python scripts, but knowing how to read, create, edit and run scripts would help you have a running start on getting through the labs.  Knowing how to work with Python IDLE is also helpful to quickly run scripts for various fuzzing, exploitation or other needs.

Python is one of the industry standard scripting tools used in InfoSec.  With that, it has many, many libraries for all kinds of needs.  One of those needs is doing network packet manipulation with the popular Scapy library.  While I have heard of this library from various sources, it's fun to read about it, make a packet, send it along and move on from there.  Without any pressing need to really use it, it's hard to better appreciate the versatility and use of the library.  The module for Python and Scapy was well done and helped to better appreciate the tool with a need to use it.  Also, it is very helpful in a problem in the Core NetWars challenge.

Moving onto fuzzing in the day made it a bit confusing why we would do Python first and then move onto fuzzing.  Looking back on the course as a whole, it does make sense to combine the two to help cement ideas and when/where to use tools.  But, we first went onto fuzzing techniques and using Taof.  In previous reading/exploration, I heard of Taof, but hadn't heard of anyone actually using it.  The scenario that we tested Taof in was a good practice of how to use the tool and the value of fuzzing.  For me, it's helpful to have an introduction to various ways to tackle a situation before choosing one way that better fits for me.  Fuzzing in this day was much like that as we were introduced to Taof, PaiMei, Sulley and afl.  Knowing how to use those tools and when/where to use them is pretty helpful when you want to do fuzzing.  Some tools (e.g. afl) are good for Linux binaries and when you have the source.  But, when you want a gentle introduction to fuzzing, Taof was a good start.

One of the more common ways to get into fuzzing would be to use Sulley.  Again, having a reason to use Sulley and work with it is a good motivator to get it working and fuzzing.  The class gave a good approach of how to use it on a single workstation as well as distributed if you were going to have it in a more production like environment.  Seeing this approach and setting it up was pretty helpful to better appreciate the fuzzing process and how to get it up and running.  Working with Sully was fun and it didn't feel like boring work to do with getting it up and running.  Once it was set up and running, it was a rewarding experience seeing it try various permutations to fuzz the web input to our target application.

The next fuzzer was PaiMei and from what I had read, it was good, but difficult to get it setup and working.  Luckily, we were provided with scripts to help spin up PaiMei into a ready state.  This is one of the times when having snapshots was very handy.  If you somehow messed up PaiMei or whatever, you could revert your VM back to when you had PaiMei fresh and good to go.  The script proved to be pretty helpful, reduce downtime with getting it built and let us dive in quickly.  This was also one of the more fascinating modules as well with code block based testing with IDA Pro.  It just sounds cool talking about it!  Working through the disassembly through IDA, using the PaiMei tools and doing analysis was a lot of fun.  It was amazing seeing the fuzzing going through various code paths, verifying the blocks being tested in IDA and retesting it to hit different code blocks.  Pretty fun stuff.

As I talked about earlier, afl is a new and already producing immediate results fuzzer.  It's written by lcamtuf of Google fame and proving to be an amazing fuzzer.  He gives a pretty good description for his fuzzer with, "American fuzzy lop is a security-oriented fuzzer that employs a novel type of compile-time instrumentation and genetic algorithms to automatically discover clean, interesting test cases that trigger new internal states in the targeted binary."  Neat.  His wall of fame (or shame?) shows some interesting ways the fuzzer has found various bugs.  Well worth using when you can and there's been work the Cisco Talos team has been doing (here and here) to get that over to Windows.  Fuzz all the things!

This class like the previous ones had a treasure trove of material and less time to go through it all.  Plus, what we have learned up to that point wasn't academic use only with no real world possibilities.  What we learned could be leveraged in so many other ways with our specific work use cases and wherever else.  Even with the additional two hours of time for class and labs, we still didn't have time to fully explore all of the material.  Again, the teachers made it abundantly clear that they were available to help you out and do what they could to help you out.  It was also a night full of activities and learning.  This night was the second day of the Core NetWars and two bonus SANS sessions.  Many people stayed in the classroom working on materials and then went into the Core NetWars to continue competing/learning there for a few more hours.  The firehouse of knowledge didn't let down nor the opportunity to continue to learn and grow.  Two more days of instruction awaited and I was getting pretty excited for those two days of Linux and Windows exploitation.

Day 3 prep:
- Python and Fuzzing
- Scapy

Thursday, July 16, 2015

SANS SEC660: Day 2 review: Crypto, Network Booting Attacks, and Escaping Restricted Environments

There was a lot of excitement for the second day and the fun to be had in the day of SEC660.  It seemed that people had survived the completely booked class and were back for more.  If the pace and content for day 1 was "manageable" and didn't seem too crushing, then why wouldn't the rest of the days be the same?  Based on my time with SANS SEC542: Web App Pen Testing, the other days are about the same as the others.  In that course, I didn't have too much trouble with any day in particular and had idle time during the labs after they were quickly accomplished.  That was a 500 level course and this is a 600 level course.

Let's quickly list the items of Day 2 from the SANS SEC660 website:

- Pen testing cryptographic implementations
- Exploiting CBC bit flipping vulnerabilities
- Exploiting hash length extension vulnerabilities
- Delivering malicious operating systems to devices using network booting and PXE
- PowerShell essentials
- Enterprise PowerShell
- Post Exploitation with PowerShell and MetaSploit
- Escaping Software Restrictions
- Two-hour evening Capture the Flag exercise using PXE, network attacks and local privilege escalation

The first item has the scary "C" word of cryptographic.  Sounds like math and scary.  Sure enough, right out of the gate first thing in the morning is cryptography.  If you studied the CISSP domain of cryptography, it was sort of a refresher.  As the first two items imply, it's about CBC and how to take advantage of them.  As mentioned earlier, it wasn't too bad if you remember your cryptography information from the CISSP study material (in reference to the Shon Harris book).  But, it's still early in the morning before coffee has settled in and got you ready to take on the day.

However, Steve and Jim did a great job of presenting the material and showing examples where doing bit flips in web sites needing authentication can be helpful.  The material covering the hash length extensions was also helpful and it seems to be reminiscent of material covered in the SEC542 Web App Pen Testing course I took back in December.  While it didn't appear to cover the exact same material, it seemed to be a little bit of overlap.  But, this course in general is focused on advanced pen testing across multiple domains, so covering web attacks seemed appropriate, even with slight overlap.  This was a more scenario to take advantage of a web site with these attacks.

Again, as mentioned in the previous day material, I don't do much with network based attacks at work nor have much interest to delve too far into this topic off-hours.  But, the PXE based attacks were interesting and definitely have usage in the real world depending on the organization.  Some organizations use PXE a lot to deliver images to various people across the network.  Leveraging that same deliver system to perform attacks and privilege escalation was actually interesting.

The next sections of the day dealt with PowerShell and how to leverage it to an attacking scenario.  There was an obligatory "Intro to PowerShell" module which had to be done to make sure everyone was on at least a familiar level with PowerShell.  This module should have been sidelined to a "pre-req" module or something to get it out of the way from the valuable class time.  Granted, I know not everyone is at the same level with PowerShell (or Python), but the intro for this could have been a pre-req that everyone needs to accomplish prior to the class.  I wrote this down as a suggestion in the lab evaluation, so maybe something will come of it.  But, it was good to see PowerShell getting more recognition as a more versatile tool beyond scripting administrative tasks and as an attack vector.  These modules covered decent scenarios with PowerShell and if you've written a few scripts in PowerShell or Python, these modules would probably be considered easy.

The rest of the day was spent on sandboxed/restricted environments and how to circumvent those restrictions.  It was an interesting amount of material for this scenario.  While at the time it seemed like an almost trivial bit of information to cover, it was actually very appropriate for the Day 2 CTF!

As if these courses with extended hours along with the bonus sessions, Core NetWars, CyberCity NetWars and Day 6 cumulative course CTF weren't enough, we had the option to play in a PXE network attack based CTF challenge!  To maximize the potential to win this CTF, you would have had to done well with the Day 1 and Day 2 material.  Since they just covered the Day 2 material, reading ahead would have been beneficial.  But, it wasn't just a once offered two hour challenge.  Knowing that this material would be a lot to cover, they made this challenge available all week.  As people had time after the class and/or during the class (e.g. during the labs), you were free to work on cracking the CTF.  It was reasonably tough and not a walk in the park.  I believe that it was finally cracked either Thursday or Friday.  The instructor went through the challenge after it was solved to explain what was needed and how to get it solved.  It was a pretty sweet challenge though!

This night was the first night for the Core NetWars challenge.  It was the start of a three night event which was then broken up by a special one night only CyberCity NetWars challenge.  But, that's another post for another day!  There's a lot to cover in those four nights that would be better served with their own post.  Also of note, it's good to see the course authors/co-authors continuing to update and tweak content on the course.  A great example is when Josh Wright (a course co-author) posted on Twitter how he's updating the course by covering the POODLE attack.  It's great to see the relevant and always changing landscape of InfoSec reflected in SANS training materials.

Day 2 prep material:
- CBC bit flipping
- CBC bit flipping with Mutillidae
CBC bit flipping with the Matasano challenges
- PXE attacks
- PowerShell resources here and here

Tuesday, July 14, 2015

SANS SEC660: Day 1 review: Network Attacks for Penetration Testers

This was my first SANS conference and I wasn't sure what to expect from the course.  I had not done the SEC 560 course but felt I had adequate experience to jump right in.  Thankfully, this course didn't start off with the "Hello World" type scenario where everyone talks about who they are, where they come from, why they came, etc questions.  While those things are helpful to a point, there's so much material that it could be better spent doing coursework.  The instructor and primary course author, Stephen Sims, gave an introduction about himself and the class.  There is literally more content than class time available so we went right into coursework.  With that, we received our USB sticks with files, VMs and other necessary class material that would be needed for our week of the on-coming mountain of material.

As the title implies, the first class day covered penetration testing from a network perspective.  This I day I feel is a good "getting your feet wet" day and mildly prepared us for the continual barrage of information spun our way.  Since it was doing networking penetration testing at more of the network layer, it wasn't material I was too familiar with.  I had used the software we were about to exploit, but from an administrator perspective, not from an attacker's point of view.  

Referencing the SANS website of the course, this day brings:

- Bypassing NAC
- Impersonating devices with admissions control policy exceptions
- Exploiting EAP-MD5 authentication
- Custom network protocol manipulation with Ettercap and custom filters
- Manipulating techniques to get MitM network access
- IPv6 for penetration testers
- Exploiting OSPF authentication to inject malicious routing updates
- Using Evilgrade to attack software updates
- Overcoming SSL transport encryption security with SSLstrip
- Remote Cisco router configuration file retrieval

The above material was covered with custom scenarios as well as scenarios that you can expect to see in the Core NetWars tournaments.  A now more often than not scenario is dealing with NAC protection in various settings.  For instance, at my work, there's a NAC solution for the public wireless service.  If you want Internet for your phone/tablet/laptop and want to use the free public wireless service, you'll need to agree to the terms at the NAC nag screen.  But, this scenario also extended to the class's custom solution of bypassing a NAC authentication page in order to play a game.  The game was nothing fancy (a simple MUD), but it was an interesting scenario.  This could be relatable to bypassing a hotel's NAC window for paid Internet access in order to get free wireless service.  They advocate to NOT do that and if you got a hotel room at the conference as well as did it under the SANS block of rooms, you get free Internet.  That was super helpful to know as I was considering getting Internet access for my room, but hadn't taken the plunge yet to fork over $10 or so for 24 hours of access.  As I had a SANS room, it wouldn't have mattered anyway as there was no special process to use that benefit, but knowing ahead of time would have been nice to know.

The Ettercap section to perform MitM attacks was fairly interesting.  I had heard of Ettercap, but never really had a reason to use it.  Sure it would have been fun to replace all pictures of lolcats of a person caught in the MitM trap, but it's a novelty.  Ettercap though is hardly a novelty tool with a person knowledgeable of the capability of the tool.  Without giving away any of the class material, there were very applicable reasons why you would use Ettercap and how it could be leveraged.  In my work, I wouldn't really have a reason to use this particular tool and what it can do.  If I were a consultant or some scenario where I had to do a complete top to bottom test of an environment, this could be pretty handy. 

The other material as suggested above dealt with attacking various parts of a network and how it could be exploited.  While some of the attacks rely upon specific scenarios, you may think it could be contrived, but not all networks are organized to best practices.  It's important to note how you could leverage IPv6 type attacks to circumvent network controls by translating IPv4 back and forth from IPv6.  As networks slowly converge to an only IPv6 (or mostly IPv6) network, it becomes more and more relevant to knowing more about how IPv6 attacks work.  The material going over this topic was informative and helps to explain the relative "newness" of IPv6 and how people work with it.  Many times, people just leave the IPv6 settings as the default and continue to work with IPv4.  Learning from the examples of what you can do with IPv6 and how people overlook that attack vector was pretty neat.

A seemingly more common method of exploitation is to exploit an applications mechanism to do updates.  This can go bad pretty quickly depending on how an application (or mechanism in general) retrieves and validates (or not) it's update.  This scenario was explored in the lab with a common application and how it could be exploited to deliver an unexpected payload to compromise a machine.  Leaving it at that, as a software developer, it is important to ensure that even this seemingly simple process is well protected and tested.

There were additional parts of the day that focused on more network layer attacks focusing on Cisco and routing protocols.  While interesting, again, I don't really do anything with this at work for a variety of reasons so I wasn't too interested with this portion.  It definitely had applicability to various attack vectors and testing scenarios, but I was already digesting other parts of the day.

By the end of the day, I was immersed in the course and felt like I had consumed a lot of new information.  Luckily, it was good they chose to talk about these subjects on day 1 to break in people to the pace and amount of content to cover in a day.  It was a firehouse, but fun and well paced.  Steve and Jim did a great job of going around to see if people needed help and were knowledgeable of the content and how to resolve issues.  But, those other days and books were pretty big and covered some pretty awesome content.  While I was excited for the days to come, it was definitely like drinking from a firehose.

This SANS conference had multiple nights with multiple activities and this night was no exception.  If going an extra two hours for this class wasn't enough, there were bonus sessions available at night.  Fortunately, one of them was offered by Steve which talked about the effectiveness of Microsoft's EMET.  It was a good session talking about the defenses of the Windows platform and how EMET builds upon those defenses in a standalone package.  He then demonstrated the effectiveness of EMET against a vulnerability and showed how EMET is a great addition to any organization big or small.  It definitely is a great tool, it just takes care and feeding with all of the applications and scenarios in an organization.  But, once deployed in an effective scenario for the organization, it's is a great value add.  There was another session after Steve's, but by this time, I wanted to head back to my room, review the material and get ready for another day at it.

Thursday, July 9, 2015

SANS SEC660 Review intro post

I was able to attend a SANS course, SEC 660: Adv. Pen Testing, Exploit Writing, and Ethical Hacking at the Omni in Austin, TX in May.  It was a great event with lots of activity at night with various extra sessions that kept us pretty busy.  The days started at a standard 9am, had a class elected shortened lunch, and went to around 5:15p.  This class also had a soft requirement of extended hours from 5:15p to 7:30p or so.  Most students elected to stay the entire extra time and then went onto the NetWars tournaments and sessions at night.  Those tournaments and sessions went to 9:30p and were pretty full of attendees from a fair majority of the other classes also being taught at the hotel.  It was an intense week that brought upon a lot of challenges and material in a short amount of time.

As these days were full of activity and covered lots of material often times requiring self study to learn additional material given, there will be posts for each day.  This will help to better discuss the days and material as well as help the reader if they elect to take the class and what may be necessary.  This won't be a brain dump of the materials, but it will go over the publicly available syllabus and discussing those topics with brevity.  It will also discuss the material in a way that the reader can be better prepared for each day.  This post will discuss pre-class requirements and what the reader can read/study to better prepare for the class when they choose to take it on.  

While the requirements for the class are helpfully listed as previous SANS courses, I had not taken those pre-reqs and I still felt I was adequately prepared for most of the material.  My background is a previous Windows engineer now doing security application assessment and evaluation of web sites, Windows/Linux environments and mobile applications.  With that, my experience didn't have me touch networking too much beyond the regular OS and SAN necessities to interoperate in various network scenarios.  I'll list resources that'll help and things I did, but I'd also like to spend a little bit of time talking about what is listed as requirements versus what we did in the class.

There were hard and fast requirements if you were on a Mac to get VMware Fusion set up to do remote debugging from one Windows guest to another Windows guest.  The scenario looked to use WinDBG from one guest to remotely debug the other guest.  There were helpful instructions on the website as a downloadable document to help get this set up and I eventually got both guests working on my Mac with VMware Fusion, but it did take some time.  Not fully understanding the correct order of how to test WinDBG to successfully remotely do kernel debugging against another guest was a bit frustrating (hint: Get the WinDBG 'server' ready to connect to the other guest and then reboot the other guest so you can hook into the 'client' guest when it boots up).  After spending a lot of time and learning more about this process, we didn't do anything in the class with WinDBG.  Just to clarify, there was no actual mention of using WinDBG or doing remote debugging.  Just hopeful wishing of that process and working with scenarios in that configuration based on the prep for the class.  The document did mention it was used for the beta of the SEC 760 class.  Spending all of that time was disappointing as I was looking forward to exploring this process and testing, but I did learn more about how to set up kernel debugging.  But, there's no requirement to get this set up and you just need VMware Fusion/Workstation/something paid to enjoy the benefits of the class.  The Player and other free options will work to a point, but there are times when you should take snapshots of your VM before actions are done.  It is highly encouraged to have virtualization software that can take snapshots and let you configure networking per guest.

As this was a course on exploit writing, it would be an adequate belief that there could be assembly involved.  While x64 assembly is mentioned, there was hardly any work done with that.  All of it was x86 assembly with most of them being basic mnemonics (e.g. mov, xor, jmp) that wouldn't be too hard to pick up if you had no prior experience.  However, I had no experience with that and if you Google x86 assembly, there's a myriad of options to learn and pick up x86 assembly and endian-ness.  From previous exposure to other classes, I watched and went along with the Open Security Training Introductory X86 Assembly course by Xeno Kovah.  Doing a cursory glance at the site, some may feel it's old and not updated to be relevant.  However, it's a tremendous learning experience and helped me to break into assembly.  It's still relevant and a great learning resource.  I did do most of the courses in the class as well as go through the examples.  Although, I have a development background which may have helped me to pick it up as well as I did.  But, it's a highly recommended way to learn x86 assembly and understand why things work.  I've reviewed other resources and how they approach x86 assembly, but the way that Xeno breaks things down has helped me to learn it.  Going through this course and subsequent material has been easier since I did this course above.  It's all free material and they give you the course material that's needed to follow along.  You'll need to provide your own VM and you can use the free Microsoft Visual Studio just fine to follow along.

Another big topic was Python throughout the course and how it's used differently in various scenarios.  While one day specifically calls out Python and Scapy, it's also used in the Windows and Linux days.  You'll find out why in the class, but knowing how to do more than a mere "Hello World" program will be necessary.  They do spend time covering the basics, but it's a quick run through Python to get to the fun stuff.  I used Python in various scenarios and have a pretty good grasp on various syntax/scenarios of Python.  For here, it's hard to say what to use to get better acquainted to use it.  There's many Code School type courses that are free to help you get going with that.  Doing those courses for as long as the free ones will go should get you far enough.  You don't need to be a Python expert to maximize your benefit from the course, but you need to be able to quickly modify scripts, add things to them, and know how to run scripts from the command line as well as from within the interpreter.  PowerShell is a great language, but as it's still just a Windows focused language, there wasn't too much of a focus.  They dedicate a chapter to PowerShell and the awesome things you can do with it, but I think it's more of a gimmick/parlor trick section to show off the offensive capabilities of PowerShell.  Don't get me wrong, I write a lot of PowerShell and think it's an amazing scripting language, but in this case, it felt shoe horned and more of a checkbox requirement.  But, as I inferred earlier, they have packed a lot of great content into this course.  I feel that this particular PowerShell section could have been stuck into the appendix of the day for further self study.

I did have my Windows 7, Windows 8 and Windows 10 VMs ready to go, but I ended up using my Windows 7 x86 VM for most of the work.  There were issues with Immunity Debugger running in a Windows 8.1 x64 VM, so maybe avoid that if you can.  There was an additional appendix section that required Windows XP, but it wasn't necessary to have that up and running for the class.  There was plenty of other work to be done that it didn't leave you much time to mess around with that work.

As far as other requirements, have experience working in Linux (e.g. know how to move around the file system, unzip files, configure eth0 with an IP and bring it up, configure /etc/hosts with a nameserver) and Windows (basic Windows desktop administration).  There were a few times where just from knowing various things (e.g. what you learned in the Intro to X86 class for how assembly works and as well as ATT vs Intel syntax) that'll help you understand other things better.  Knowing how a PE and ELF file are structured will help and additional resource for those things will be listed in their day reviews.  As far as pre-reqs if you have been working in security doing penetration testing and working with various operating systems, that should help you keep your head above water if you also do the recommended items I mention in the other day reviews.  It's a long week, especially if there's additional sessions at night and NetWars is also running.  Our event had additional sessions, Core NetWars and Cyber City NetWars.  It was a busy week, especially when the class ran right up to the time when the additional sessions and NetWar tournaments started.  Get sleep, hydrate, and be sure to eat because you'll be breezing through tons of content with little breathing room during the lab time.  It's an intense class and SEC 760 is also probably an intense and fast paced course.  It's an amazing class and if you have time to do NetWars at night (it should be free if you do this class), you'll walk away with additional experience and skill learned and honed from the week.

In the next posts, I'll talk more about those individual days and experiences without hopefully talking about more of the class than I should.  I'll also make links to various materials that you may want to review and do before the class to help you better prepare for that specific day's material.

Course general prep:
- Have virtualization software ready to go as well as at least a Windows 7 x86 VM you can do snapshots on
- Have hard drive space on your laptop as they recommend on the site
- Be comfortable in Linux
- Be comfortable in Windows

Tuesday, July 7, 2015

BSides Iowa 2015 - Intro to Web App Pen Testing with Mutilldae

Welcome to my INFOSEC encyclopedia site!  As I continue to learn and grow as an InfoSec professional, I find it helpful to transfer what I learn to this site for future reference (for myself as well as others!).  My intent is to create a reserve of IT security topics as well as any interesting crossover topics that I find.  I will stockpile up info and links for topics on web app pen testing, CTF challenges and more!

The BSides Iowa 2015 security conference in April was a worthwhile event to attend and hear a lot of great talks.  There were great talks such as an assessment of malware analysis network appliances, malware analysis of an exploit kit and integrating a vulnerability scanner into the SDLC process.  I was fortunate enough to be selected during the CFP (call for papers) to do my talk titled, "Intro to Web App Pen Testing with Mutillidae".  This talk was an introduction to web app penetration testing.   I recommend Mutillidae to anyone currently working with web app pen testing or anyone who is interested in it and wants to know how to do it.

Mutillidae is an OWASP project that aims to help testers break into a web app/site and exploit various intentional vulnerabilities.  As the testers get better at exploiting the low hanging fruit, they can harden the app to be like a production ready system with varying levels in between.  This helps the tester learn from a more contrived system to something they would more than likely see closer to in the field.  Mutillidae is also a great resource as it's a system that teaches the tester in various ways with hints, tutorials and easy to test pages.