SANS Penetration Testing


TLS/SSL Failures and Some Thoughts on Cert Pinning (Part 1)

By Chris Crowley

It's going to happen sooner or later...sooner, probably. You're going to be asked about your company's mobile app, or about a mobile app your company wants to install across all of its mobile devices. They'll put the request in the "yet another duty as assigned" (YADAA) bucket. You look at the network traffic; it's using TLS, so you can't see the content. Cool, right? Maybe, maybe not. Can an attacker get into a man-in-the-middle position by tricking users, or by attacking the very root of trust (well, one of the 100 or so root CAs) used to sign a TLS server cert? It is a complicated situation, and addressing it requires a thorough understanding of several systems and protocols. I want you to be smart on the subject, so when that YADAA comes your way, you can answer the question knowledgeably and authoritatively. So here you go.

The first installment of this two-part blog post will provide some background on TLS (Transport Layer Security) certificates
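The scenario above (a cert that chains to a trusted root but was issued to an attacker) is exactly what certificate pinning is meant to catch. The following is an added example, not code from the post: it computes an SPKI pin (base64 of SHA-256 over the DER SubjectPublicKeyInfo, the format used by RFC 7469 HPKP and Android's Network Security Config) with only the Python standard library, and checks a leaf certificate against a pin set. The two certificates it checks are constructed in the code itself (placeholder key material and an unsigned, placeholder signature); they are not real certificates, but the parser and pin computation work unchanged on the DER that `ssl` hands back from a live connection.

```python
"""SPKI certificate pinning check over DER (added example; standard library only)."""
import base64
import hashlib
import socket
import ssl

SEQUENCE, SET, INTEGER, BIT_STRING, NULL, OID, UTF8STRING, UTCTIME = (
    0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17)
CTX0_EXPLICIT = 0xA0  # [0] EXPLICIT tag used for the optional X.509 version


def _encode_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value element (single-byte tag)."""
    return bytes([tag]) + _encode_len(len(body)) + body


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the element at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return tag, value, pos + length


def children(seq_body: bytes):
    """Yield (tag, value, raw_encoding) for each element of a SEQUENCE/SET body."""
    pos = 0
    while pos < len(seq_body):
        start = pos
        tag, value, pos = read_tlv(seq_body, pos)
        yield tag, value, seq_body[start:pos]


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    tag, cert_body, _ = read_tlv(cert_der)
    tbs_tag, tbs_body, _ = read_tlv(cert_body)
    if tag != SEQUENCE or tbs_tag != SEQUENCE:
        raise ValueError("not an X.509 Certificate")
    fields = list(children(tbs_body))
    if fields[0][0] == CTX0_EXPLICIT:  # version is OPTIONAL; skip it if present
        fields = fields[1:]
    # serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo
    spki_tag, _, spki_raw = fields[5]
    if spki_tag != SEQUENCE:
        raise ValueError("unexpected SPKI encoding")
    return spki_raw


def spki_pin(cert_der: bytes) -> str:
    """Pin in the RFC 7469 / Android NSC form: base64(SHA-256(DER SPKI))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def check_pin(cert_der: bytes, pins) -> bool:
    """True only if the leaf's key matches a pinned key; issuer trust is irrelevant."""
    return spki_pin(cert_der) in set(pins)


def check_live_host(host: str, pins, port: int = 443) -> bool:
    """Fetch the leaf from a real server and pin-check it (assumes network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return check_pin(tls.getpeercert(binary_form=True), pins)


# --- constructed demo certificates (NOT real certs: placeholder keys, no signature) ---
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")      # 1.2.840.113549.1.1.11
OID_COMMON_NAME = bytes.fromhex("550403")                 # 2.5.4.3


def _name(cn: str) -> bytes:
    rdn = tlv(SEQUENCE, tlv(OID, OID_COMMON_NAME) + tlv(UTF8STRING, cn.encode()))
    return tlv(SEQUENCE, tlv(SET, rdn))


def _placeholder_rsa_key(seed: bytes) -> bytes:
    """RSAPublicKey-shaped blob derived from a seed; not a usable RSA key."""
    modulus = b"\x00" + hashlib.sha256(seed).digest() * 2
    return tlv(SEQUENCE, tlv(INTEGER, modulus) + tlv(INTEGER, b"\x01\x00\x01"))


def build_demo_cert(subject_cn: str, pubkey_der: bytes) -> bytes:
    alg = tlv(SEQUENCE, tlv(OID, OID_SHA256_RSA) + tlv(NULL, b""))
    spki = tlv(SEQUENCE, tlv(SEQUENCE, tlv(OID, OID_RSA_ENCRYPTION) + tlv(NULL, b""))
               + tlv(BIT_STRING, b"\x00" + pubkey_der))
    tbs = tlv(SEQUENCE, tlv(CTX0_EXPLICIT, tlv(INTEGER, b"\x02")) + tlv(INTEGER, b"\x01")
              + alg + _name("Example Root CA")
              + tlv(SEQUENCE, tlv(UTCTIME, b"150101000000Z") + tlv(UTCTIME, b"250101000000Z"))
              + _name(subject_cn) + spki)
    return tlv(SEQUENCE, tbs + alg + tlv(BIT_STRING, b"\x00" + b"\x00" * 32))


# Same subject name, same issuer, different key: what a rogue-CA-issued cert looks like.
LEGIT_CERT = build_demo_cert("app.example.com", _placeholder_rsa_key(b"legitimate key"))
ROGUE_CERT = build_demo_cert("app.example.com", _placeholder_rsa_key(b"attacker key"))
PINNED = {spki_pin(LEGIT_CERT)}

if __name__ == "__main__":
    print("legit cert passes pin check:", check_pin(LEGIT_CERT, PINNED))
    print("rogue cert passes pin check:", check_pin(ROGUE_CERT, PINNED))
```

Note that `check_pin` deliberately ignores who signed the certificate: the rogue cert above has the same subject and issuer as the legitimate one and would sail through chain validation if its issuer were trusted, but its key hash is not in the pin set. In a real app you pin the SPKI hash (not the whole cert, so the server can renew without a key change) and keep a backup pin for the next key, or you lock yourself out on rotation.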


Using the SSH Konami Code (SSH Control Sequences)

By Jeff McJunkin

Are you familiar with the Konami code? The one popularized by the Contra video game?

Pictured above: Tangentially related to SSH

If not, let me fill you in. This code is a sequence of control actions for some video games that'll let you jump forward in the game (some call it a "cheat," but I'd rather not judge). The code itself is a series of button presses as follows (from Wikipedia):


What's the Deal with Mobile Device Passcodes and Biometrics? (Part 2 of 2)

By Lee Neely

In the first installment of this 2-parter, I discussed the use of mobile device fingerprint scanners to unlock the device. As a follow-up, I'd like to discuss how a developer can integrate the scanner into their applications. This discussion may provide some insights into how to secure mobile apps, or even inspire some hacking ideas (this is a pen-test-related blog, after all). At the end of the article below, I'll discuss some ideas for compromising this type of environment.

In part one, I introduced the secure environment used to manage fingerprints. This environment goes by a couple of names, depending on the platform: most commonly the Trusted Execution Environment (TEE) or the Secure Enclave. In both cases, the term describes a separate environment consisting of hardware and software, which performs


What's the Deal with Mobile Device Passcodes and Biometrics? (Part 1 of 2)

By Lee Neely


Mobile device administrators and end users need to be more cognizant of the risks of unauthorized access to their smartphones, and take steps to raise the bar for accessing those devices in order to mitigate those risks.

This is part one of two articles on securing mobile device access. In this article, I am going to focus on securing access to the physical device itself. In part two, I will discuss on-device security APIs and how one would know they are still in place.

The case for a strong passcode

When the first smartphones were introduced, they were corporate owned, managed, and secured to business standards. Device access was on par with accessing corporate laptop systems. The number and variety of applications, and the amount of personal or sensitive information stored on the device, were far less than we see on modern iOS, Android, Windows Mobile, and other devices. While there were


2015 SANS Pen Test HackFest Twitter Contest

Hey folks... check this out!

We're delighted to announce a Twitter-based contest here with a fantastic prize. And, participating in this one is really easy.

From November 16th through 23rd, SANS will be running our third annual Pen Test HackFest Summit and Training event in Washington DC. We throw everything we've got into this extra special event, including:

  • Two days of amazing, in-depth talks by leading minds of the industry, who will give you insight into the offensive tools and tactics being used today to discover an organization's vulnerabilities to potential adversaries.

  • Six days of training, with six different classes to choose from.

  • Three nights of NetWars Tournament challenges for hands-on fun and