SANS Penetration Testing: Category - Presentations

SANS Penetration Testing:

Pen Test Hackfest Talks - Some GREAT Reads

A couple weeks ago, we held our annual SANS Pen Test Hackfest, a really wonderful event where we run 3 nights of NetWars challenges, 1 night of CyberCity missions, Coin-a-palooza (where attendees can earn SANS Pen Test Coins for classes they've taken before), and much more. This year, we even went on a field trip to the National Cryptologic Museum, where we enjoyed my wife's fresh-baked cookies, an ice cream sundae station, and an open bar. Yes... at the museum, which was chock-full of cryptographic treasures including Enigma machines and more. The museum trip was incredible, sharing such amazing history with over one hundred great friends.


How Not to Fail at a Pen Test: Slides and Stream

Earlier this week, John Strand presented a fantastic webcast that was chock full of pen test tips. This post contains the slides as well as a link to the streaming slides and webcast audio.

Here's the description of the talk:

In this presentation, John and Ed will cover some key components that many penetration tests lack, including why it is important to get caught, why it is important to learn from real attackers, and how to gain access to organizations without sending a single exploit.

One of my favorite slides in the presentation is John's concluding Code of Ethics. Click on the image below to download all of John's slides.

Demanding MOAR From Your Vulnerability Assessments and Pen Tests - Slides and Link

A few weeks ago, I did a presentation on Demanding MOAR from Your Vulnerability Assessments & Pen Tests. I'd like to share the slides with you now. The presentation is full of tips, some easy and others more complex, for providing extra value in vuln assessment and pen test work.

Here's the official description of the talk:

You pay good money for your vulnerability assessments and penetration tests, right? But are you getting real business value from these projects? Do you ever get the sense that your assessors and pen testers are just phoning it in, checking off boxes, and not really properly helping you improve your security stance? In this lively presentation, Ed Skoudis will provide hugely valuable tips for getting the maximum business value out of your vulnerability assessments and pen tests. With specific recommendations for people procuring such projects as well as for testers themselves, this webcast is chock full of insights for effective scoping,


Pen-Test-A-Go-Go: Integrating Mobile and Network Attacks for In-Depth Pwnage

Josh Wright and I presented a webcast a few months back that is chock full of useful pen testing techniques from the mobile and network arenas. Based on the new SANS course, SEC561: Intense Hands-on Skill Development for Pen Testers, this webcast covers numerous useful techniques, such as:

  • Exploiting and automating data harvesting from iOS devices

  • Extracting stored secrets from iTunes backups

  • Effective Anti Virus evasion with Veil

  • Windows host compromise and privilege escalation, along with UAC bypass

The slides below cover all the tools and techniques for doing all that great stuff, and more.

The SANS SEC 561 course is 80% hands-on skill development, showing how security personnel such as penetration testers, vulnerability assessment personnel, and auditors can leverage in-depth techniques to


DerbyCon Keynote Presentation - Kinetic Pwnage

by Ed Skoudis

This morning, I had the honor of presenting at DerbyCon. My talk focused on the ability to cause physical impact through hacking computers and networks. I call it "Kinetic Pwnage". The slides are available below, and the talk touches on several themes of the recent work my team and I have focused on, including CyberCity, a miniature city with a real power grid and other computer controlled components used to build capabilities of cyber warriors.

By the way, right after the talk, lotsa people asked me how they could do CyberCity missions. If you are interested in participating in CyberCity missions hands-on, we'll be running our first ever CyberCity missions at a public conference event during the SANS Pen Test Hackfest Summit & Training event, in Washington DC on November 7-14. If you take a full six-day class there, you can join us for one whole evening of CyberCity missions hands-on, plus four evenings devoted to NetWars. Oh,