Thursday, July 16, 2015

SANS SEC660: Day 2 review: Crypto, Network Booting Attacks, and Escaping Restricted Environments

There was a lot of excitement for the second day of SEC660 and the fun to be had in it.  It seemed that people had survived the first day of the completely booked class and were back for more.  If the pace and content for Day 1 were "manageable" and didn't seem too crushing, then why wouldn't the rest of the days be the same?  Based on my time with SANS SEC542: Web App Pen Testing, the remaining days are about the same as the first.  In that course, I didn't have too much trouble with any day in particular and had idle time during the labs after they were quickly accomplished.  That was a 500 level course and this is a 600 level course.

Let's quickly list the items of Day 2 from the SANS SEC660 website:

- Pen testing cryptographic implementations
- Exploiting CBC bit flipping vulnerabilities
- Exploiting hash length extension vulnerabilities
- Delivering malicious operating systems to devices using network booting and PXE
- PowerShell essentials
- Enterprise PowerShell
- Post Exploitation with PowerShell and MetaSploit
- Escaping Software Restrictions
- Two-hour evening Capture the Flag exercise using PXE, network attacks and local privilege escalation

The first item has the scary "C" word: cryptographic.  Sounds like math, and scary.  Sure enough, right out of the gate first thing in the morning is cryptography.  If you studied the CISSP domain of cryptography, it was sort of a refresher.  As the first two items imply, it's about CBC bit flipping and hash length extension and how to take advantage of them.  As mentioned earlier, it wasn't too bad if you remember your cryptography information from the CISSP study material (in reference to the Shon Harris book).  But it's still early in the morning, before coffee has settled in and got you ready to take on the day.

However, Steve and Jim did a great job of presenting the material and showing examples where doing bit flips on web sites needing authentication can be helpful.  The material covering hash length extensions was also helpful and seemed reminiscent of material covered in the SEC542 Web App Pen Testing course I took back in December.  While it didn't appear to cover the exact same material, there seemed to be a little bit of overlap.  But this course in general is focused on advanced pen testing across multiple domains, so covering web attacks seemed appropriate, even with slight overlap.  This was more of a scenario-based walkthrough of taking advantage of a web site with these attacks.
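As an added illustration of the CBC malleability the course covers (example code written for this review, not SANS course material): a toy Feistel block cipher stands in for AES, flipping one bit of ciphertext block i-1 flips the same bit of plaintext block i with no decryption error, and an encrypt-then-MAC check rejects the change before anything is decrypted. The key, IV and plaintext values are constructed samples and the toy cipher is for illustration only.

```python
import hashlib
import hmac

BLOCK, HALF = 16, 8   # toy 128-bit block made of two 8-byte Feistel halves

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def _round(key: bytes, half: bytes, i: int) -> bytes:
    # Keyed round function (SHA-256 truncated); toy cipher for illustration only.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:HALF]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:HALF], block[HALF:]
    for i in range(4):                      # four Feistel rounds
        l, r = r, _xor(l, _round(key, r, i))
    return r + l

def block_decrypt(key: bytes, block: bytes) -> bytes:
    r, l = block[:HALF], block[HALF:]       # undo the final swap
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):      # C_i = E(P_i XOR C_{i-1})
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):      # P_i = D(C_i) XOR C_{i-1}
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def flip_bit(data: bytes, offset: int, mask: int) -> bytes:
    buf = bytearray(data)
    buf[offset] ^= mask   # a flipped bit in C_{i-1} shows up as the same flipped bit in P_i
    return bytes(buf)
def seal(key: bytes, mac_key: bytes, iv: bytes, pt: bytes) -> bytes:
    ct = cbc_encrypt(key, iv, pt)           # encrypt-then-MAC over IV and ciphertext
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, mac_key: bytes, token: bytes):
    body, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        return None                         # tampering detected before any decryption
    return cbc_decrypt(key, body[:BLOCK], body[BLOCK:])
```

Without the MAC, cbc_decrypt happily returns a plaintext whose block 1 has been altered by a single flipped ciphertext bit (block 0 is garbled, which is why the attack targets a field in a later block); with the MAC, open_sealed returns None instead.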

Again, as mentioned in the previous day's material, I don't do much with network-based attacks at work nor have much interest to delve too far into this topic off-hours.  But the PXE-based attacks were interesting and definitely have usage in the real world depending on the organization.  Some organizations use PXE a lot to deliver images to various people across the network.  Leveraging that same delivery system to perform attacks and privilege escalation was actually interesting.

The next sections of the day dealt with PowerShell and how to leverage it in an attacking scenario.  There was an obligatory "Intro to PowerShell" module which had to be done to make sure everyone was at least at a familiar level with PowerShell.  This module should have been sidelined to a "pre-req" module or something to get it out of the way of the valuable class time.  Granted, I know not everyone is at the same level with PowerShell (or Python), but the intro for this could have been a pre-req that everyone needs to accomplish prior to the class.  I wrote this down as a suggestion in the lab evaluation, so maybe something will come of it.  But it was good to see PowerShell getting more recognition as a more versatile tool beyond scripting administrative tasks and as an attack vector.  These modules covered decent scenarios with PowerShell, and if you've written a few scripts in PowerShell or Python, these modules would probably be considered easy.

The rest of the day was spent on sandboxed/restricted environments and how to circumvent those restrictions.  It was an interesting amount of material for this scenario.  While at the time it seemed like an almost trivial bit of information to cover, it was actually very appropriate for the Day 2 CTF!

As if these courses with extended hours along with the bonus sessions, Core NetWars, CyberCity NetWars and the Day 6 cumulative course CTF weren't enough, we had the option to play in a PXE network attack based CTF challenge!  To maximize the potential to win this CTF, you would have had to do well with the Day 1 and Day 2 material.  Since they had just covered the Day 2 material, reading ahead would have been beneficial.  But it wasn't just a one-time, two-hour challenge.  Knowing that this material would be a lot to cover, they made this challenge available all week.  As people had time after the class and/or during the class (e.g. during the labs), you were free to work on cracking the CTF.  It was reasonably tough and not a walk in the park.  I believe that it was finally cracked either Thursday or Friday.  The instructor went through the challenge after it was solved to explain what was needed and how to get it solved.  It was a pretty sweet challenge though!

This night was the first night for the Core NetWars challenge.  It was the start of a three-night event which was then broken up by a special one-night-only CyberCity NetWars challenge.  But that's another post for another day!  There's a lot to cover in those four nights that would be better served with their own post.  Also of note, it's good to see the course authors/co-authors continuing to update and tweak content on the course.  A great example is when Josh Wright (a course co-author) posted on Twitter how he's updating the course by covering the POODLE attack.  It's great to see the relevant and always changing landscape of InfoSec reflected in SANS training materials.

Day 2 prep material:
- CBC bit flipping
- CBC bit flipping with Mutillidae
- CBC bit flipping with the Matasano challenges
- PXE attacks
- PowerShell resources here and here
