Thursday, July 9, 2015

SANS SEC660 Review intro post

I was able to attend a SANS course, SEC 660: Adv. Pen Testing, Exploit Writing, and Ethical Hacking, at the Omni in Austin, TX in May.  It was a great event with lots of activity at night and various extra sessions that kept us pretty busy.  The days started at a standard 9am, had a class-elected shortened lunch, and went to around 5:15p.  This class also had a soft requirement of extended hours from 5:15p to 7:30p or so.  Most students elected to stay the entire extra time and then went on to the NetWars tournaments and sessions at night.  Those tournaments and sessions went to 9:30p and were pretty full of attendees from a fair majority of the other classes also being taught at the hotel.  It was an intense week that brought a lot of challenges and material in a short amount of time.

As these days were full of activity and covered lots of material, often requiring self-study to learn the additional material given, there will be a post for each day.  This will make it easier to discuss each day and its material, and it will help readers who elect to take the class understand what may be necessary.  This won't be a brain dump of the materials, but it will go over the publicly available syllabus and discuss those topics with brevity.  It will also discuss the material in a way that lets the reader be better prepared for each day.  This post covers the pre-class requirements and what the reader can read/study to better prepare for the class when they choose to take it on.

While the requirements for the class are helpfully listed as previous SANS courses, I had not taken those pre-reqs and I still felt I was adequately prepared for most of the material.  My background is a previous Windows engineer now doing security application assessment and evaluation of web sites, Windows/Linux environments and mobile applications.  As a result, my experience had not involved much networking beyond the regular OS and SAN necessities to interoperate in various network scenarios.  I'll list resources that'll help and things I did, but I'd also like to spend a little bit of time talking about what is listed as requirements versus what we did in the class.

There were hard and fast requirements if you were on a Mac to get VMware Fusion set up to do remote debugging from one Windows guest to another Windows guest.  The scenario looked to use WinDBG from one guest to remotely debug the other guest.  There were helpful instructions on the website as a downloadable document to help get this set up, and I eventually got both guests working on my Mac with VMware Fusion, but it did take some time.  Not fully understanding the correct order of how to test WinDBG to successfully do remote kernel debugging against another guest was a bit frustrating (hint: get the WinDBG 'server' ready to connect to the other guest and then reboot the other guest so you can hook into the 'client' guest when it boots up).  After spending a lot of time and learning more about this process, we didn't do anything in the class with WinDBG.  Just to clarify, there was no actual mention of using WinDBG or doing remote debugging; I had only hoped we would work with that process and with scenarios in that configuration, based on the prep for the class.  The document did mention it was used for the beta of the SEC 760 class.  Spending all of that time was disappointing, as I was looking forward to exploring this process and testing, but I did learn more about how to set up kernel debugging.  But there's no requirement to get this set up; you just need VMware Fusion/Workstation/something paid to enjoy the benefits of the class.  The Player and other free options will work to a point, but there are times when you should take snapshots of your VM before actions are done.  It is highly encouraged to have virtualization software that can take snapshots and let you configure networking per guest.

As this was a course on exploit writing, it is reasonable to expect that there would be assembly involved.  While x64 assembly is mentioned, there was hardly any work done with that.  All of it was x86 assembly, with most of it being basic mnemonics (e.g. mov, xor, jmp) that wouldn't be too hard to pick up if you had no prior experience.  I had no experience with that, and if you Google x86 assembly, there's a myriad of options to learn and pick up x86 assembly and endianness.  From previous exposure to other classes, I watched and went along with the Open Security Training Introductory x86 Assembly course by Xeno Kovah.  Doing a cursory glance at the site, some may feel it's old and not updated to be relevant.  However, it's a tremendous learning experience and helped me to break into assembly.  It's still relevant and a great learning resource.  I did most of the courses in the class as well as going through the examples.  Although I have a development background, which may have helped me to pick it up as well as I did, it's a highly recommended way to learn x86 assembly and understand why things work.  I've reviewed other resources and how they approach x86 assembly, but the way that Xeno breaks things down has helped me to learn it.  Going through this course and subsequent material has been easier since I did the course above.  It's all free material and they give you the course material that's needed to follow along.  You'll need to provide your own VM, and you can use the free Microsoft Visual Studio just fine to follow along.
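As an added illustration of the two points above (the basic mnemonics and endianness), here is a small Python script that decodes three common 32-bit x86 instruction forms straight from their machine-code bytes: `mov r32, imm32` (opcode B8+rd), `xor r32, r32` (opcode 31 with a ModRM byte) and `jmp rel8` (opcode EB). It is example code written for this post, not material from the SANS course or from the Open Security Training class, and the byte string it decodes is constructed here for the demonstration. Seeing the immediate `0x12345678` stored as `78 56 34 12` is exactly the little-endian detail you will be reading off a debugger's memory pane during the week.

```python
"""Minimal decoder for three 32-bit x86 instruction forms, written to show
how immediates are stored little-endian and how a few basic mnemonics are
encoded.  Example code for this post; not from the course material."""
import struct

# Register numbering used by the opcode low bits and the ModRM reg/rm fields.
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def le32(value: int) -> bytes:
    """Pack a 32-bit value the way x86 stores it in memory (little-endian)."""
    return struct.pack("<I", value)


def decode_one(code: bytes, offset: int = 0):
    """Decode the instruction at `offset`; return (mnemonic text, length)."""
    op = code[offset]

    if 0xB8 <= op <= 0xBF:
        # mov r32, imm32: opcode B8 + register number, then a 4-byte immediate
        # that appears byte-reversed in the code stream.
        imm = struct.unpack_from("<I", code, offset + 1)[0]
        return f"mov {REGS32[op - 0xB8]}, 0x{imm:08x}", 5

    if op == 0x31:
        # xor r/m32, r32: a ModRM byte follows.  mod=11 means register-direct,
        # reg selects the source register, rm the destination.
        modrm = code[offset + 1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod != 0b11:
            raise ValueError("only register-direct xor is handled here")
        return f"xor {REGS32[rm]}, {REGS32[reg]}", 2

    if op == 0xEB:
        # jmp rel8: signed 8-bit displacement relative to the *next* instruction.
        rel = struct.unpack_from("<b", code, offset + 1)[0]
        target = offset + 2 + rel
        return f"jmp 0x{target:x}", 2

    raise ValueError(f"unsupported opcode 0x{op:02x}")


def disassemble(code: bytes):
    """Walk a byte string and return a list of (offset, mnemonic) pairs."""
    listing = []
    off = 0
    while off < len(code):
        text, length = decode_one(code, off)
        listing.append((off, text))
        off += length
    return listing


# Constructed sample: mov eax, 0x12345678 ; xor eax, eax ; jmp $ (jump to self)
SAMPLE = b"\xb8\x78\x56\x34\x12" b"\x31\xc0" b"\xeb\xfe"

if __name__ == "__main__":
    print("0x12345678 in memory:", le32(0x12345678).hex(" "))
    for off, text in disassemble(SAMPLE):
        print(f"{off:04x}: {text}")
```

Running it prints the immediate as `78 56 34 12` and lists the three instructions, with the final `jmp` resolving to its own offset because its displacement is `0xfe` (-2). Extending the decoder to other opcodes is a useful exercise once you have worked through the assembly course.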

Another big topic throughout the course was Python and how it's used differently in various scenarios.  While one day specifically calls out Python and Scapy, it's also used in the Windows and Linux days.  You'll find out why in the class, but knowing how to do more than a mere "Hello World" program will be necessary.  They do spend time covering the basics, but it's a quick run through Python to get to the fun stuff.  I have used Python in various scenarios and have a pretty good grasp of its syntax and common usage.  Here it's hard to say what to use to get better acquainted with it.  There are many Code School type courses that are free to help you get going with that.  Doing those courses for as long as the free ones will go should get you far enough.  You don't need to be a Python expert to maximize your benefit from the course, but you need to be able to quickly modify scripts, add things to them, and know how to run scripts from the command line as well as from within the interpreter.  PowerShell is a great language, but as it's still just a Windows-focused language, there wasn't too much of a focus on it.  They dedicate a chapter to PowerShell and the awesome things you can do with it, but I think it's more of a gimmick/parlor-trick section to show off the offensive capabilities of PowerShell.  Don't get me wrong, I write a lot of PowerShell and think it's an amazing scripting language, but in this case it felt shoehorned in and more of a checkbox requirement.  But, as I inferred earlier, they have packed a lot of great content into this course.  I feel that this particular PowerShell section could have been put into the appendix of the day for further self-study.

I did have my Windows 7, Windows 8 and Windows 10 VMs ready to go, but I ended up using my Windows 7 x86 VM for most of the work.  There were issues with Immunity Debugger running in a Windows 8.1 x64 VM, so maybe avoid that if you can.  There was an additional appendix section that required Windows XP, but it wasn't necessary to have that up and running for the class.  There was so much other work to be done that it didn't leave you much time to mess around with that section.

As far as other requirements, have experience working in Linux (e.g. know how to move around the file system, unzip files, configure eth0 with an IP and bring it up, configure /etc/hosts with a nameserver) and Windows (basic Windows desktop administration).  There were a few times where just knowing various things (e.g. what you learned in the Intro to x86 class about how assembly works, as well as AT&T vs Intel syntax) will help you understand other things better.  Knowing how PE and ELF files are structured will help, and additional resources for those things will be listed in their day reviews.  As far as pre-reqs, if you have been working in security doing penetration testing and working with various operating systems, that should help you keep your head above water if you also do the recommended items I mention in the other day reviews.  It's a long week, especially if there are additional sessions at night and NetWars is also running.  Our event had additional sessions, Core NetWars and Cyber City NetWars.  It was a busy week, especially when the class ran right up to the time when the additional sessions and NetWars tournaments started.  Get sleep, hydrate, and be sure to eat, because you'll be breezing through tons of content with little breathing room during the lab time.  It's an intense class, and SEC 760 is also probably an intense and fast-paced course.  It's an amazing class, and if you have time to do NetWars at night (it should be free if you do this class), you'll walk away with additional experience and skills learned and honed from the week.

In the next posts, I'll talk more about those individual days and experiences, hopefully without talking about more of the class than I should.  I'll also link to various materials that you may want to review and work through before the class to help you better prepare for that specific day's material.

Course general prep:
- Have virtualization software ready to go as well as at least a Windows 7 x86 VM you can do snapshots on
- Have hard drive space on your laptop as they recommend on the site
- Be comfortable in Linux
- Be comfortable in Windows

1 comment:

  1. I really want to say thanks to you, for sharing this valuable content, please update more content on Ethical Hacking Online Course
