Blog: SANS Penetration Testing: Category - Presentations

Blog: SANS Penetration Testing:

Demanding MOAR From Your Vulnerability Assessments and Pen Tests - Slides and Link

A few weeks ago, I did a presentation on Demanding MOAR from Your Vulnerability Assessments & Pen Tests. I'd like to share the slides with you now. The presentation is full of tips, some easy and others more complex, for providing extra value in vuln assessment and pen test work.

Here's the official description of the talk:

You pay good money for your vulnerability assessments and penetration tests, right? But are you getting real business value from these projects? Do you ever get the sense that your assessors and pen testers are just phoning it in, checking off boxes, and not really properly helping you improve your security stance? In this lively presentation, Ed Skoudis will provide hugely valuable tips for getting the maximum business value out of your vulnerability assessments and pen tests. With specific recommendations for people procuring such projects as well as for testers themselves, this webcast is chock full of insights for effective scoping,


Pen-Test-A-Go-Go: Integrating Mobile and Network Attacks for In-Depth Pwnage

Josh Wright and I presented a webcast a few months back that is chock full of useful pen testing techniques from the mobile and network arenas. Based on the new SANS course, SEC561: Intense Hands-on Skill Development for Pen Testers, this webcast covers numerous useful techniques, such as:

  • Exploiting and automating data harvesting from iOS devices

  • Extracting stored secrets from iTunes backups

  • Effective Anti Virus evasion with Veil

  • Windows host compromise and privilege escalation, along with UAC bypass

The slides below cover all the tools and techniques for doing all that great stuff, and more.

The SANS SEC 561 course is 80% hands-on skill development, showing how security personnel such as penetration testers, vulnerability assessment personnel, and auditors can leverage in-depth techniques to


DerbyCon Keynote Presentation - Kinetic Pwnage

by Ed Skoudis

This morning, I had the honor of presenting at DerbyCon. My talk focused on the ability to cause physical impact through hacking computers and networks. I call it "Kinetic Pwnage". The slides are available below, and the talk touches on several themes of the recent work my team and I have focused on, including CyberCity, a miniature city with a real power grid and other computer controlled components used to build capabilities of cyber warriors.

By the way, right after the talk, lotsa people asked me how they could do CyberCity missions. If you are interested in participating in CyberCity missions hands-on, we'll be running our first ever CyberCity missions at a public conference event during the SANS Pen Test Hackfest Summit & Training event, in Washington DC on November 7-14. If you take a full six-day class there, you can join us for one whole evening of CyberCity missions hands-on, plus four evenings devoted to NetWars. Oh,


The Bad Guys Are Winning, So Now What? Slides

By Ed Skoudis

Below are the slides for my talk called "The Bad Guys Are Winning, So Now What?" It's my most requested talk ever.

In my job, I write two or three new presentations per year, and deliver each of them two or three times at various conferences before retiring the talk and moving onto another topic. My butterfly attention span doesn't let me stay on a particular topic for longer than that. In the past year, I've written talks titled "Please Keep Your Brain Juice Off My Enigma" (Debuted at SANS in Sept 2012 and posted here), "Unleashing the Dogs of Cyber War" (Debuted at BruCON in Sept 2012), and "Kinetic Pwnage: Obliterating the Line Between Computers and the Physical World" (Debuted at SOURCE Boston in April 2013 a week and a half ago).

But, of all the talks I've ever written, there is one that I get more requests for than ever: my talk titled "The Bad Guys Are Winning, So Now What". I originally wrote the talk a couple of years ago, and have


Invasion of the Mobile Phone Snatchers - Part 1

[Editor's Note: Last Friday, Josh Wright did an awesome webcast on how penetration testers can extract sensitive information from mobile devices during an ethical hacking project, simulating what could happen if a bad guy snags a device and uses it to gather info to attack an organization. Josh provides some commentary as well as his slides below. These slides are a sampling of Josh's brand-new 575 course on Mobile Device Security and Ethical Hacking. I have to say -- the new course is completely amazing! It gives folks the knowledge they need to help protect their organizations against the onslaught of new mobile devices popping up everywhere -- iPhones, iPads, Android devices, RIM Blackberries, and Windows Phone are all covered. The course is selling out wherever SANS offers it, usually a month or two in advance. Course details are available