Tuesday, July 14, 2015

SANS SEC660: Day 1 review: Network Attacks for Penetration Testers

This was my first SANS conference and I wasn't sure what to expect from the course.  I had not done the SEC 560 course but felt I had adequate experience to jump right in.  Thankfully, this course didn't start off with the "Hello World" type scenario where everyone talks about who they are, where they come from, why they came, etc.  While those things are helpful to a point, there's so much material that the time could be better spent doing coursework.  The instructor and primary course author, Stephen Sims, gave an introduction about himself and the class.  There is literally more content than class time available, so we went right into coursework.  With that, we received our USB sticks with files, VMs and other necessary class material that would be needed for the oncoming mountain of material that week.

As the title implies, the first class day covered penetration testing from a network perspective.  This day, I feel, is a good "getting your feet wet" day and mildly prepared us for the continual barrage of information spun our way.  Since it was penetration testing at the network layer, it wasn't material I was too familiar with.  I had used the software we were about to exploit, but from an administrator's perspective, not from an attacker's point of view.

Referencing the SANS website for the course, this day brings:

- Bypassing NAC
- Impersonating devices with admissions control policy exceptions
- Exploiting EAP-MD5 authentication
- Custom network protocol manipulation with Ettercap and custom filters
- Manipulating techniques to get MitM network access
- IPv6 for penetration testers
- Exploiting OSPF authentication to inject malicious routing updates
- Using Evilgrade to attack software updates
- Overcoming SSL transport encryption security with SSLstrip
- Remote Cisco router configuration file retrieval

The above material was covered with custom scenarios as well as scenarios that you can expect to see in the Core NetWars tournaments.  A scenario you now see more often than not is dealing with NAC protection in various settings.  For instance, at my work, there's a NAC solution for the public wireless service.  If you want Internet for your phone/tablet/laptop and want to use the free public wireless service, you'll need to agree to the terms at the NAC nag screen.  But this scenario also extended to the class's custom exercise of bypassing a NAC authentication page in order to play a game.  The game was nothing fancy (a simple MUD), but it was an interesting scenario.  This could be relatable to bypassing a hotel's NAC window for paid Internet access in order to get free wireless service.  They advocate NOT doing that, and if you got a hotel room at the conference under the SANS block of rooms, you get free Internet.  That was super helpful to know, as I was considering getting Internet access for my room but hadn't taken the plunge yet to fork over $10 or so for 24 hours of access.  As I had a SANS room, it wouldn't have mattered anyway, as there was no special process to use that benefit, but it would have been nice to know ahead of time.

The Ettercap section on performing MitM attacks was fairly interesting.  I had heard of Ettercap, but never really had a reason to use it.  Sure, it would have been fun to replace all the pictures with lolcats for a person caught in the MitM trap, but that's a novelty.  Ettercap, though, is hardly a novelty tool in the hands of a person who knows its capabilities.  Without giving away any of the class material, there were very applicable reasons why you would use Ettercap and how it could be leveraged.  In my work, I wouldn't really have a reason to use this particular tool and what it can do.  If I were a consultant or in some scenario where I had to do a complete top-to-bottom test of an environment, this could be pretty handy.

The other material listed above dealt with attacking various parts of a network and how they could be exploited.  While some of the attacks rely upon specific scenarios and may seem contrived, not all networks are built to best practices.  It's important to note how you could leverage IPv6 attacks to circumvent network controls that were only written for IPv4, by carrying traffic over IPv6 and translating it back and forth to IPv4.  As networks slowly converge to IPv6-only (or mostly IPv6) networks, it becomes more and more relevant to know how IPv6 attacks work.  The material on this topic was informative and helps to explain the relative "newness" of IPv6 and how people work with it.  Many times, people just leave the IPv6 settings at the default (dual-stack enabled on every host) and continue to work with IPv4, so firewall rules and ACLs that only cover IPv4 leave the IPv6 path open.  Learning from the examples of what you can do with IPv6 and how people overlook that attack vector was pretty neat.

A seemingly more common method of exploitation is to exploit an application's mechanism for doing updates.  This can go bad pretty quickly depending on how an application (or mechanism in general) retrieves and validates (or not) its update: if the client fetches the update over plaintext, or trusts the server's answer without checking a signature from a key it already holds, anyone on the path can hand it a different binary.  This scenario was explored in the lab with a common application and how it could be exploited to deliver an unexpected payload to compromise a machine.  Leaving it at that, as a software developer, it is important to ensure that even this seemingly simple process is well protected and tested.
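As an added example (written for this review in Go; it is not Evilgrade's code, nor the class's lab material, nor any real application's updater), here is the weak update check that Evilgrade-style attacks succeed against, beside a hardened one.  The manifest layout, the version numbers, the vendor key and the sample payloads are all constructed for the example.  The hardened client pins the vendor's Ed25519 public key in the binary, requires the manifest (version plus payload digest) to verify under that key, checks the payload against the signed digest, and refuses downgrades.  A man-in-the-middle who serves a self-signed manifest fails the signature check; one who keeps the genuine manifest but swaps the payload fails the hash check; one who replays an old, vulnerable release fails the downgrade check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the update metadata the client fetches before the payload.
// The layout is an assumption for this example, not any real updater's format.
type Manifest struct {
	Version int    // monotonically increasing release number
	SHA256  string // hex SHA-256 of the payload this manifest describes
	Sig     []byte // vendor's Ed25519 signature over signedBytes()
}

// signedBytes is the exact byte string the vendor signs and the client verifies.
// Version and digest are bound together so neither can be swapped on its own.
func signedBytes(version int, sha string) []byte {
	return []byte(fmt.Sprintf("update-manifest:v%d:%s", version, sha))
}

// SignManifest is the vendor side: hash the payload, then sign version+hash.
func SignManifest(priv ed25519.PrivateKey, version int, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	sha := hex.EncodeToString(sum[:])
	return Manifest{Version: version, SHA256: sha, Sig: ed25519.Sign(priv, signedBytes(version, sha))}
}

// NaiveUpdate models the updater that spoofed-update attacks succeed against:
// whatever the "update server" answers is believed. A true result means the
// client would write the payload to disk and run it, with no origin, hash or
// signature check.
func NaiveUpdate(current int, m Manifest, payload []byte) bool {
	return m.Version > current
}

var (
	ErrDowngrade    = errors.New("manifest version is older than the installed version")
	ErrBadSignature = errors.New("manifest signature does not verify under the pinned vendor key")
	ErrHashMismatch = errors.New("payload digest does not match the signed manifest")
)

// VerifiedUpdate is the hardened form. pub is the vendor key pinned in the
// client at build time; it is never fetched from the network. A true result
// means the payload is authentic and newer and may be installed.
func VerifiedUpdate(current int, pub ed25519.PublicKey, m Manifest, payload []byte) (bool, error) {
	if m.Version < current {
		return false, ErrDowngrade // a MitM replaying an old, vulnerable release
	}
	if m.Version == current {
		return false, nil // already up to date, nothing to do
	}
	if !ed25519.Verify(pub, signedBytes(m.Version, m.SHA256), m.Sig) {
		return false, ErrBadSignature // manifest not issued by the vendor
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return false, ErrHashMismatch // genuine manifest, but the payload was swapped
	}
	return true, nil
}

// Scenario plays both clients against an attacker on the path who answers the
// update request with its own manifest and payload (all data constructed here).
// It returns whether the naive client installed the attacker's payload, the
// error the verified client raised for it, and whether the verified client
// accepted the vendor's genuine release.
func Scenario() (naiveInstalled bool, verifiedErr error, genuineInstalled bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor key pair (assumed pinned in the client)
	if err != nil {
		panic(err)
	}
	const installed = 3
	genuine := []byte("application v4 binary (constructed sample)")
	legit := SignManifest(priv, 4, genuine)

	malicious := []byte("attacker payload (constructed sample)")
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignManifest(attackerPriv, 5, malicious) // well-formed, but signed with the wrong key

	naiveInstalled = NaiveUpdate(installed, forged, malicious)
	_, verifiedErr = VerifiedUpdate(installed, pub, forged, malicious)
	genuineInstalled, _ = VerifiedUpdate(installed, pub, legit, genuine)
	return
}

func main() {
	n, e, g := Scenario()
	fmt.Printf("naive client installed attacker payload: %v\n", n)
	fmt.Printf("verified client rejected it with: %v\n", e)
	fmt.Printf("verified client accepted genuine release: %v\n", g)
}
```

Two things the example deliberately does not rely on: TLS on the transport (useful, but a client that silently falls back to HTTP, or that does not pin the server, gains nothing from it against an on-path attacker), and the update server's own claim about what the latest version is, which is why the version number is inside the signed bytes rather than taken from the response headers.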

There were additional parts of the day that focused on more network-layer attacks against Cisco devices and routing protocols.  While interesting, again, I don't really do anything with this at work for a variety of reasons, so I wasn't too interested in this portion.  It definitely had applicability to various attack vectors and testing scenarios, but I was already digesting other parts of the day.

By the end of the day, I was immersed in the course and felt like I had consumed a lot of new information.  It was good they chose to cover these subjects on day 1 to break people in to the pace and amount of content covered in a day.  It was a firehose, but fun and well paced.  Steve and Jim did a great job of going around to see if people needed help and were knowledgeable of the content and how to resolve issues.  The books for the other days were pretty big and covered some pretty awesome content.  While I was excited for the days to come, it was definitely like drinking from a firehose.

This SANS conference had multiple nights with multiple activities, and this night was no exception.  If going an extra two hours for this class wasn't enough, there were bonus sessions available at night.  Fortunately, one of them was offered by Steve and talked about the effectiveness of Microsoft's EMET.  It was a good session on the defenses of the Windows platform and how EMET builds upon those defenses in a standalone package.  He then demonstrated the effectiveness of EMET against a vulnerability and showed how EMET is a great addition to any organization, big or small.  It definitely is a great tool; it just takes care and feeding with all of the applications and scenarios in an organization.  But once deployed in an effective configuration for the organization, it is a great value add.  There was another session after Steve's, but by this time I wanted to head back to my room, review the material and get ready for another day at it.
