Blog: SANS Penetration Testing

Blog: SANS Penetration Testing

Winners of the SANS Spectacular Pen Test Video Contest

Ladies and gentlemen, boys and girls, friends, Romans, and countryman,

I'm delighted to announce the winners to our SANS Spectacular Pen Test Video Contest. Back in January and February, we asked folks to channel their creativity to share some great tips, insights, techniques, and inspiration with other penetration testers. You can read the contest description here.

We got some FANTASTIC entries, and we'd like to thank all who participated. Entries included numerous great technical tips, interesting "acting", noble attempts at humor, and even one Rick Roll, naturally.

So, without further ado (thanks, Ted, for your gracious input), let's announce the winners (click on each picture to see the video). We'll announce the victors in our four categories first, and then select from among them for the GRAND prize winner.

First up, our

...

SANS Checklist for Securing Mobile Devices in the Enterprise

[Editor's Note: Lee Neely has developed a very useful spreadsheet checklist to help organizations better plan and mitigate security risks associated with mobile devices, including phones and tablets. It's really handy stuff, and I strongly recommend you check it out! --Ed.]

By Lee Neely

To help organizations better understand, manage, and mitigate risks associated with mobile devices and their infrastructures, we've released an updated SANS SCORE Mobile Device Checklist.This checklist is designed to provide a repeatable approach to adding mobile devices to your environment in a secure fashion. The intent is to be device agnostic, to support long-lasting results, and to provide a basis for making consistent decisions around having these devices in your environment, as well as proper protection of the information on and around them. Too often, I've seen instances where mobile devices were

...

Tor-nonymous - Using Tor for Pen Testing

[Editor's Note: In this article, Chris Crowley provides some really useful tips for using Tor to anonymize your penetration testing. He provides details on strategy and tactics, along with some helpful configuration settings and scripts. His discussion of Privoxy is especially useful. Thanks, Chris! --Ed.]

By Chris Crowley

Pen testing derives its value from being able to emulate the behavior of real world attackers. We pen testers need to train ourselves to behave like those with malicious intent, but simultaneously maintain appropriate decorum and sensitivity to the operations of the networks we're trying to improve. Malicious attackers have no such restrictions.

This post is to share a method I use for obscuring the source IP address of my computer. Pen testers have two basic reasons for obscuring their source IP address. First, is to connect to malicious (or suspected malicious) resources when we perform research. Second, is to obscure the

...

Building a Pen Test Lab - Hardware for Hacking at Home on the Cheap

[Editor's Note: Jeff McJunkin shares some insight into building a good virtualization infrastructure for practicing your pen test skills, evaluating tools, and just plain becoming a better penetration tester, all without breaking the bank. Nice! --Ed.]

By Jeff McJunkin

Practical, hands-on experience is a good thing, right? As good as it is though, it doesn't excuse accidentally taking down your employer's production environment while doing some testing.

While NetWars (obligatory plug for my new employer) is great for getting this experience, it doesn't fit every situation. For example, if one of your servers crashed while being scanned by Nessus, you might want to isolate exactly which plugin is causing the crash, while avoiding future production outages.

Having a home lab with a trial version of the software creates a safe environment for otherwise disruptive testing and facilitates fast

...

Security ADD - Offense, Defense, Or What?

[Editor's Note: In this post, theunparalleledSeth Misenar tackles the question of whether it's OK for a security professional to walk the line between offense and defense, or whether someone should take the plunge on one of these two sides. He lays bare hisverysoul as he debates the options before us all.]


By Seth Misenar

I was recently asked by Ed Skoudis and Mike Poor to serve on a panel discussion at SANS Security West 2014. The panel topic is Offense Informs Defense, and is kind of a face off wherein SANS Pen Test instructors shoot out a bunch of new techniques and SANS Cyber Defense instructors discuss practical ways of handling the onslaught.

Sounds fun, so I immediately confirmed. Only later did it occur to me, that I wasn't sure which side I was supposed to rep. Hmm...my security ADD seems to rear its ugly head again.

I often joke with students that I appear to

...