Blog: SANS Penetration Testing

Blog: SANS Penetration Testing

Dealing with the Many Stages of Pen Test Result Grief Part 1

By Ed Skoudis

If you've done penetration testing for any length of time, I'm sure you've encountered it. You perform a beautiful penetration test — technically rigorous, focused on real business risk, all wrapped up with a solid report. You don't wanna brag, but you feel pretty darned proud of completing a job well done.

And then.it happens. Target system personnel, the very people you've labored to help secure, blindside you with a barrage of criticisms of your findings in your draft report. Some penetration testers are shocked as target system personnel, both business decision makers and the technical people responsible for acting on the pen test findings, reject your results. It's almost as though they willfully don't understand your findings and the associated business risk. Your findings make perfect sense to you, yet they just don't get it despite your efforts to explain things as best you can. And, you still have to turn your draft report into a final

...

Winner and Official Answer to Easter Challenge

[Hello, Challenge fans! Last Friday, we posted a nifty holiday-themed crypto & stego challenge by Chris Andre Dale. We offer a special thanks to Chris for creating the challenge and for letting us host it. A whole bunch of people managed to work their way through the challenge and solve it. But, there were two answers that were particularly noteworthy, and will receive two T-shirts each: a NetWars T-Shirt plus our SANS Pen Test Curriculum T-shirt.

Our first-place winner, who had the entire correct answer in the shortest time, was Matt Giannetto! He provided some great code to decipher the message and save the bunny, winningthe two T-shirts. Additionally, we'll provide a bonus prize (of the two T-shirts) for oneof the

...

Easter Challenge - The Mystery of the Missing Easter Bunny

By Chris Andre Dale

The Easter Bunny has been kidnapped, and YOU have to save him! Quickly collect yourself and help save him. Put on your detective hat and start investigating the clues provided.

We managed to intercept a message from the kidnappers. Unfortunately it seems to be scrambled in some way. We also managed to intercept a ciphered message from one of the criminals and the cipher text below. The cipher text was once considered unbreakable, however newer techniques of cryptoanalysis have proven how to beat it. Listen to the intercepted message from the kidnappers, or attack the cipher message. Your choice.

The intercepted message can be played back here:

...

SANS Python Pen Testers | Exploit Heartbleed Vulnerabilities | SEC573

Pen Testers use Python to assess HeartBleed vulnerabilities.

By Mark Baggett

Unless you've been living in a cave without access to the outside world, you already know that OpenSSL 1.0.1 suffers from a serious vulnerability that allows a remote attacker to extract data from the memory of a target computer. The vulnerability was first made "public" (by varying definitions of the word "public") on April 7th. The events leading up to the disclosure are interesting. If you haven't reviewed them, the Sydney Morning Herald does a great job of outlining the events leading up to the disclosure. Check it out here:

http://www.smh.com.au/it-pro/security-it/heartbleed-disclosure-timeline-who-knew-what-and-when-20140415-zqurk.html

So while it is clear as mud who knew about the vulnerability and when, it is very clear what happened

...

Winners of the SANS Spectacular Pen Test Video Contest

Ladies and gentlemen, boys and girls, friends, Romans, and countryman,

I'm delighted to announce the winners to our SANS Spectacular Pen Test Video Contest. Back in January and February, we asked folks to channel their creativity to share some great tips, insights, techniques, and inspiration with other penetration testers. You can read the contest description here.

We got some FANTASTIC entries, and we'd like to thank all who participated. Entries included numerous great technical tips, interesting "acting", noble attempts at humor, and even one Rick Roll, naturally.

So, without further ado (thanks, Ted, for your gracious input), let's announce the winners (click on each picture to see the video). We'll announce the victors in our four categories first, and then select from among them for the GRAND prize winner.

First up, our

...