Archive for the Reviews Category

[Review] Pentesting Ninjitsu

Posted in Reviews on August 19, 2010 by Skyler

This is an older (2008) series of webcasts produced by Core Security. It features Ed Skoudis, from InGuardians, and a SANS Instructor.

This was an absolutely fantastic learning experience. If you are like me, when you first learned about hacking you figured that a “real” hacker could just sit down at any machine and do whatever he needed from a command shell; info gathering, scanning, exploitation, maintaining access, etc. After actually learning more about the field, I began to understand the near necessity of tools and the importance of having a nice arsenal.

In this podcast Ed Skoudis brings us back to the leetness of pure command line hacking. And to top it off, its primarily focused on cmd.exe; not what a pen tester would call their weapon of choice.

Skoudis goes over using cmd.exe as a port scanner, backdoor, wardriving tool, and more. I definetly recommend everybody check this out. I guarantee it will help you in your future assessments by overcoming scope issues, as well as post-assessment cleanup.

It reminded me of one of the CTFs at the HBN:Combat course I took at Black Hat this year. I had to capture some packets of a proprietary protocol, and then replay it brute-forcing some hundred different combinations. I ended up capturing it with wireshark, then doing some nasty loop and replace functionality with powershell. I then set up some capture filters on wireshark and was able to get my results. Not very sexy, yet worked. It was my white belt version of PenTesting Ninjitsu.

Anyway, check it out, and enjoy!

you can find it here!

Core Impact

Posted in Reviews, Tools on August 11, 2010 by Skyler

Most of you have probably heard of Core Impact before. If you havn’t then you probably should. Essentially, Impact is a tool created by a company called Core. It is most likely the premier commercial Pen Testing framework. I had often heard about Impact, but never had I really looked at how it worked or what it did specifically. I was looking through their site and a video demo that was pretty impressive! Check it out and start wishing you could afford it!

check out the video demo here!

[Tool] Bait and Switch Honeypot

Posted in Reviews, Tools on August 10, 2010 by Skyler

This is a pretty nifty tool Ive followed for some time.

For those unfamiliar with what a honeypot is, here is a brief definition. A honeypot is a system that is designed to mimic a real production environment. There are different types of honeypots, but they both share the same goal; effective observation and research of hackers and their behavior. By setting up a honeypot, researchers (or security personnel) can create an environment to distract, or in some cases draw in, hostile hackers. They can then observe the attackers activities and learn about his techniques. Most likely the hacker will eventually discover that the honeypot is not real (although there are a ton of honeypots with different functionality), but until then he has been effectively deterred.

Up until recently, Honeypots have really only served those purposes. Not really an active participant in system defense. Thats what ‘Bait and Switch’ does. This honeypot is configured to mimic a production server that is likely to be targeted by hackers. When an attack is detected, its traffic is routed to the ‘bait and switch’. Therefore, the attack has been successfully mitigated while leading the hacker to believe that he has been successful.

here is the definition of ‘Bait and Switch’ as found on its website:

The Bait and Switch Honeypot is a multifaceted attempt to take honeypots out of the shadows of the network security model and to make them an active participant in system defense. To do this, we are creating a system that reacts to hostile intrusion attempts by redirecting all hostile traffic to a honeypot that is partially mirroring your production system.  Once switched, the would-be hacker is unknowingly attacking your honeypot instead of the real data and your clients and/or users still safely accessing the real system. Life goes on, your data is safe, and you are learning about the bad guy as an added benefit. The system is based on snort, linux’s iproute2, netfilter, and custom code for now…

For more information on Bait and Switch, check out their sourceforge here!

for more information about honeypots, check out the honeynet project.

[Review] Hacking By Numbers: Combat Edition by SensePost

Posted in Certifications, Reviews on July 28, 2010 by Skyler

I just returned from the training portion of Black Hat in Las Vegas. This was my second Black Hat, and it was just as good as the first. I took the Combat edition of the Hacking By Numbers course, here is my review:

Review

The Hacking By Numbers courses are a series of trainings done by SensePost, a South African security company. The courses are presented as Cadet, Bootcamp, Web 2.0, Combat, and Chief of Staff editions. I had previously attended the Bootcamp edition (which reminds me, I need to write a review on that), which is the recommended pre-req for Combat edition.

Here is the overview found on the Black Hat website:

This course is the flagship course of the established Hacking by Numbers series. From the first hour to the final minutes students are placed in different attacker scenarios as they race the clock to “capture the flag”. In the SensePost tradition, the solutions lie much more in technique and an out-of-box thought process than in the use of scripts or tools. Each exercise is designed to teach a specific lesson and will be discussed in detail after it is completed. In this way you learn from your instructors, your colleagues and your own successes and failures.

The “Capture the Flag” exercises have all been designed to replicate real-life scenarios with real-life-hacker stumbling blocks along the way. Students will have to deal with multiple firewalls, IDS devices and home spun red herrings in their quests to complete the challenge. During the exercises SensePost’s leading technical specialists will discuss possible attacks, possible alternatives and even possible defenses for the scenario in question.

The exercises range from simple layer one attacks to more complex attacks requiring combinations of web application vulnerabilities and TCP/IP covert channels. All tools, documentation and required reading material will be provided to the students.

Structure

The course is two-days in length, and is completely hands on. The instructor, Marco, did a fantastic job as a guide, rather than a lecturer. The entire course is a series of “pracs”, in which a different pen testing technique is exercised. It is important to note that these “pracs” were created based on real world assessments. After a 20 minute intro which primarily included pearls of wisdom gleaned from SensePost’s experience, we were thrown straight into the fray; just as advertised, this course was all hack.

For each “prac” you are given three things: the Objective, Recommended tools, and Obscure hints. The objective gives you the endpoint, as well as the end goal. Most of the end goals was to place yourself on a Wall of Fame (typical of CTF challenges). The recommended tools portion is meant to be a very basic hint if you had no idea where to start. The obscure hints were just that. They served a valuable purpose in the end learning objective of the course. After the completion of the “prac”, a review of the hints would show a clear reverse thinking process that would serve you well on a pen test if you were to internalize it.

As a hurdle would be overcome during a “prac”, the instructor would start giving assistance to those struggling. In some cases he would give further clues, but mostly he would help describe the underlying technology being used for those unfamiliar with it. This ensured that you could get the most out of the exercise by not getting hung-up on step-one. Otherwise you might end up missing out on the rest of the fun.

After each “prac”, the instructor would then poll the class on the methods they used to achieve the objective. I was amazed at his ability to instantly recreate and model a student’s method on multiple platforms. Unlike many trainings in which you can get board waiting for a demo to work, the instructor was in complete sync with the pace of the students, not going too fast, nor dragging on the time.

Content

The content was definitely the masterpiece of this training. Some trainings are simply over priced “script kiddie” tutorials that could be found on YouTube. However, HBN: Combat was nothing like this. Not once did I touch Nessus, Metasploit, or any other framework. I was pleasantly surprised at the small span of tools utilized during the whole process. Mostly it was a mixture of Wireshark, Nmap, some sort of inline proxy, and your CLI.

While speaking with one of the SensePost testers, he explained to me that one of the issues within the industry is the limited “sight” of the testers. So many pen tests are conducted by running Nessus, CANVAS, or some other vulnerability scanner, and dumping the report on their client. Even if they do go on to verify vulnerabilities, it is usually done using Metasploit, Impact or another exploitation framework. This obviously leaves many false positives, and even worse, false negatives. This is why HBN: Combat is so effective. The course is built upon the principle that no system is completely secure; you simply need to find the hole that takes real skill to discover.

In line with that principle, the exercises were highly technical, and very clever; they only required recognizing patterns and thinking outside the box. Some of my favorite practices involved doing:

  • IPS bypass
  • Protocol Reversing
  • Security measure bypassing
  • chained exploitation
  • system misconfiguration
  • Thick app attacks

Overall, I left the course feeling very well equipped and much better prepared.

Conclusion

This was a fantastic course! It was essentially two days of learning pen testing skills gleaned from real world assessments. I feel like I have a better understanding  of the underlying technology in common (and uncommon) implementations. There were very few (if any) technical issues, and the instructor was friendly, and a true expert; he demonstrated an exhaustive understanding of all technologies used. I highly recommend that everyone take this course. It will definetly widen your “sight” in your pen tests, while also teaching you awesome little tricks.

Visit SensePost’s webiste here!

Techtionary

Posted in Reviews on July 22, 2010 by Skyler

If you have ever needed a more visual example of a certain technology, there is now a place where you can find it. Techtionary is a web based visual dictionary. Containing a huge list of topics, you can view animated demonstrations on almost anything you are looking for. This makes the site perfect for those seeking a real understanding of some usual difficult concepts.The only downside is that it seems like it can go a little slower than preferred. A small price to pay for good information.

check it out here!

TCP/IP for Security Administrators

Posted in Reviews on July 21, 2010 by Skyler

A solid understanding of the TCP/IP model and its protocols is essential for penetration testing and incident handling. I stumbled across this old Microsoft video as I was studying for the ECSA. This video gives a good, reasonably quick, and fairly deep coverage of the protocols of the TCP/IP stack. Go ahead and check this one out if you have not yet seen it.

check it out here!

EDIT: This video no longer appears to be available from the current link. If anybody can find this clip, let me know and Ill update it. its definitely worth finding.

Review: Certified Ethical Hacker (312-50)

Posted in Certifications, Reviews on July 16, 2010 by Skyler

After 5 weeks of studying, I finally completed my CEH exam yesterday. I passed with a 90%. I am not permitted to go into too much detail about exact questions, but I can offer my thoughts. I have broken down my review into 3 categories meant to help security professionals decide on the certifications to take. The total score, or the individual scores can be used as a guide for selecting the correct certification for your career path.

Rating:

  1. Technicality (4/5) – The course requires a bit of knowledge regarding the underlying functions of networks, etc. Being able to read code, understand hex dumps/packet captures, and such is a definite must for truly understanding the content. The exam and course is aimed at professionals fairly new to security. Considering that, the amount of technical knowledge gleaned was quite good. I wouldn’t necessarily say fire hose in intensity, (although for some it could easily be that way), but more like a garden-hose-on-full-blast. Most of this is relating to the amount of tools you learn. However, much of the technical knowledge was still quite theoretical, since it was in general more focused on identifying/recognizing attacks or tools, rather than hands-on usage of the such. I give it a 4 our of 5 in technicality in context of its intended audience, yet its lack in more hands-on usage of the tools.
  2. Managerial (2/5) – The CEH is definitely directed to those looking to do the more technical aspect of Penetration Testing and security. However, it still does teach some managerial skills. Mostly they are just short rants about NDAs, Get-out-of-jail-free cards, and staying within scope. There is some policy creation that is emphasized when talking about social-engineering, but only because they test it from that aspect. I give it a 2 because there is some important information gleaned, although they never truly test or prepare on the actual Management topic; it simply occurs as a byproduct of everything else.
  3. Prestige (3/5) – This is the controversy! It comes down to this: DoD 8570 vs TestKing. Yes, the Department of Defense directorate 8570 includes the CEH as one of its recognized certifications. This makes it quite valuable! I dont think I need to say much about it. Its nice because the exam is so cheap, while most of the other 8570 certifications (save the CompTIA ones) are quite costly. Therefore, the CEH is nice because it enables unfunded individuals the opportunity to get a well recognized certification. Just for that I would give it a 5… except for one thing…Test Prep Questions. I used some test prep questions for my final preparation of the test. If I had just taken 5 weeks to memorize all of the answers in those prep questions, i probably would have gotten the same score. Thats right, probably 70-80% of the actual test questions were verbatim to those within test prep questions. What does this mean? well it means that if you are legitimately prepared for the test, this will give you the leg up to guarantee you pass! If you prepared well you will blast through the questions pretty easily. However, this also means that any schmo off the street can memorize the answers and pass the test with flying colors. Unfortunately the only real defense EC-Council has against this is it’s approval process for those wanting to take the test (self-testers need a waiver to take the test w/o attending a course). Some people dont think this is such a big deal. I consider it a big deal since one day I might find an employer who discounts my CEH as being worthless due to a bad experience with some idiot who passed the CEH without learning a thing. For this reason alone I would have given a rating of 1, or 2, except for whole DoD 8570 thing.

total: (9/15)

The Exam:

The examination was pretty good. It is 150 questions, and you are given 4 hours. I completed mine in in 2 hours. The reason it took so long was the length of some of the questions. A majority of the questions are paragraphs long in description, and many have diagrams/dumps to look at.There were some easy questions, and some hard ones; just like every other certification. However, I was surprised that I was not asked questions on certain things. For instance, nmap, virus/backdoors, and ICMP codes/types were strongly emphasized within my prep-material, however I did not have a single question relating to either of them. The reason for this is most likely the dynamic nature of how they generate your exam question set, as well as the huge scope of the course. The course covers so much information that it would require a much lengthier exam to cover it all. There were also a  few control questions. Control questions are very difficult questions, sometimes beyond the scope of the exam, that are scattered throughout the exam. Some say that they are ungraded and used for statistical analysis; I believe they are there to slow you down 😉 The test seemed to do well at addressing the different questions from the angle of the hacker, as well as the administrator/investigator. This makes it a little tricky, but forces you to have a good understanding of the content.

I have broken down my review into 3 categories meant to help security professionals decide on the certifications to take. The total score, or the individual scores can be used as a guide for selecting the correct certification for your career path.

Comparison:

In comparison to the Security+, I would have to say that I enjoyed the CEH more. I tend to be a more technically oriented, and really enjoyed learning the PenTesting methodology and tools. However, the Security+ offered a great deal of managerial and policy information. I would definitely  say that the Security+ was easier than the CEH , simply because there was relatively less technical know-how required for it. The Security+ did serve as a great foundation for the CEH and made passing the CEH much much easier. I would recommend you attain both. Some topics covered in depth in the Security+ and not in the CEH include: Encryption, Access Control models, and policy creation. Another cert on this same level is the mile2 CPTEngineer. The course is advertised as being comparable to the CEH, but more hands-on. I have not taken that course, so I cant say much on it. If anyone has some input, I would be happy to include it.

Conclusion:

Im glad I got the CEH. However, immediately  after completing the test I felt the need to attain the next level of knowledge. I feel a whole lot more knowledgeable because of the CEH, but I still feel miles away from the end goal. A good certification as a starter.