Tuesday, March 18, 2008

SANS Security 504: Hacker Techniques, Exploits and Incident Handling

When people ask me what my focus area in information security is, I usually answer with "upper-tactical to mid-strategic levels" if it is someone with a business background, or "just about anything non-technical" when it is someone with a technical background. At the moment, my focus seems to be mainly in four areas: policy development, business continuity & disaster recovery, user awareness and incident management. In the past, I have done architectural work (mostly related to SIM/SIEM, NIDS/NIPS, HIPS, etc.) and lots of hands-on things (sysadmin, some packet analysis, vulnerability scanning, etc.).

The last year-and-a-half or so, I have been (too) far away from operational things, which is why I was very happy when I was given the opportunity to take some additional training. Not only does it keep me in touch with "real work", it also gives me a good refresher on what the bad guys are up to, and more specifically, HOW they do it.

For the last few days, I have been really enjoying the SANS SEC504: Hacker Techniques, Exploits and Incident Handling course, which I follow via the SANS OnDemand program. Very interesting material, and I enjoy Ed Skoudis's presentation style a lot. I learned some new things (nifty stuff, that idle scanning), and also some scary things (Windows NULL sessions giving out system information to someone without a username, without a password, without a domain and without knowing where they are coming from?!).
The SANS Institute is also very good about giving feedback on comments that I sent them, or questions that I asked. Typos get fixed almost immediately, and certain comments that I made are countered with well-argued reasons.
While I haven't made up my mind yet if I'm going to shell out the $500 to do a certification attempt at the end of the road, I feel that the course fee is worth the expense.
Interestingly enough, with the course fee comes a CD with Bad Stuff on it. Since I more or less expected it, I made sure that my machine was not connected to the network before I put it in. Good thing I did; Symantec Antivirus must have popped up at least three or four times to warn me about bad things on the disc :-)
Also included on the disc is a VMware image (compressed with the RAR archiver) that contains a RedHat OS. Unfortunately, I either missed the required username/password, or it was not provided with the CD (my books have not arrived yet), so I had to 'gain entry' to the image another way. Most likely, the easiest way is as follows:

  1. Boot the VMware image. Right after the VMware splash screen disappears, hit ESC. That should take you right to the GRUB menu.
  2. Highlight the entry you want to boot, and hit the e-key.
  3. At the end of the first line (the one that boots the kernel), add the word 'single' (no quotes) and hit ENTER.
  4. Hit the b-key to boot the system. After the usual overly elaborate RedHat boot chatter, you should now be sitting at a root prompt. Just give the command 'passwd student' and pick a nice new password for that user.
  5. Give the command 'shutdown -r now' and wait until your virtual machine reboots. You can now log in with username student and your new password. Best practice dictates that you do not log on using the (privileged) root account.
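
The flip side of the recovery steps above is that anyone with console access to an unprotected GRUB-legacy menu can do the same thing. The following is an added example (not part of the course material or the SANS image) that checks whether a grub.conf locks interactive editing: GRUB legacy only disables the entry editor and command line when a 'password' directive sits in the global section, before the first 'title'. The sample menus and the md5 hash are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample of a RedHat-era /boot/grub/grub.conf with no password:
# at the menu, 'e' and appending 'single' boot straight to a root shell.
GRUB_OPEN='default=0
timeout=10
title Red Hat Linux (2.4.20-8)
        root (hd0,0)
        kernel /vmlinuz-2.4.20-8 ro root=LABEL=/
        initrd /initrd-2.4.20-8.img'

# Same menu with a global "password --md5" line placed before the first
# title; GRUB then asks for the password before allowing any editing.
# (Placeholder hash; generate a real one with grub-md5-crypt.)
GRUB_LOCKED='default=0
timeout=10
password --md5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
title Red Hat Linux (2.4.20-8)
        root (hd0,0)
        kernel /vmlinuz-2.4.20-8 ro root=LABEL=/
        initrd /initrd-2.4.20-8.img'

# Common mistake: the password line is inside an entry.  That only gates
# booting that one entry; the editor and command line stay wide open.
GRUB_MISPLACED='default=0
timeout=10
title Red Hat Linux (2.4.20-8)
        password --md5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
        root (hd0,0)
        kernel /vmlinuz-2.4.20-8 ro root=LABEL=/
        initrd /initrd-2.4.20-8.img'

# grub_menu_locked CONFIG_TEXT -> prints "locked" or "open".
# Scans only the global section: stops at the first 'title' line.
grub_menu_locked() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*title[[:space:]]/    { exit }
    /^[[:space:]]*password[[:space:]]/ { found = 1 }
    END { print (found ? "locked" : "open") }'
}

# Usage on a live system: grub_menu_locked "$(cat /boot/grub/grub.conf)"
```

Locking the menu does not help if the VM's BIOS lets an attacker boot other media, so treat it as one layer, not a complete fix.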

Oh, another thing that you might want to do: in the VMware settings, change the properties of the network card from Bridged to Host-only. A Bridged network card will appear directly on your (corporate) network with a newly generated MAC address. More often than not, this is NOT what you want.
Not that I do not trust Ed, but... you know :) Just to be sure, you might also want to run packet-capturing software (e.g. Wireshark) on your host OS's host-only interface to figure out what other goodness is there.
