Great penetration testers, by their very nature, are a creative bunch. Our jobs involve finding flaws, tearing them apart carefully, and artfully explaining our results so an organization can better understand its risk and defend itself.
To provide an outlet for this creativity and to share tips, tools, techniques, and inspiration, SANS is excited to announce:
The SANS Spectacular Pen Test Video Contest
Also known as the SANS SPTVC (rolls off the tongue, now, doesn't it?), the idea here is to share some penetration testing insight, tip, trick, or technique that you've learned on your own or perhaps from a SANS Pen Test Course. Or, you could make an inspirational video about the importance of penetration testing done properly. Record it in video format, edit as you see fit, send it in, and we'll pick the best to win a fine prize. We'll have winners in each of the following categories:
1) Most useful tip
2) Highest production values (with a
by Ed Skoudis
Hope you had a great holiday! I got an unexpected nice gift for the holidays on one of my blogs. Below, you'll see a comment that was submitted to the SANS Pen Test Blog, which I run. As you can see, it is one of those lame pseudo-comments sent in as link-bait for Search Engines and other nefarious purposes. I get a few of this kind of thing a week, and our anti-blog-spam filter catches most of them.
What makes this one special is that the automated tool that barfed it into my blog didn't choose from each grouping of different options; instead, it shot up ALL options for every variation of this blog spam. You can see, by selecting at random from each grouping, untold thousands of combinations are possible. But, with this errant blog spam shot, I've got all potential combinations here. It's almost silly how many different combinations there are, and how each one tries to be super polite. You gotta read through them for a little
[Editor's Note: Here is our final installment of tips from the SANS Pen Test Poster, this time focussed on Pulling It All Together in your pen tests. If youare interested in this type of information, you should know that I'm going to be teaching my SANS SEC 560 course on network penetration testing & ethical hacking in New Orleans in January 2014. From January 20 to 25, we'll cover in-depth technical approaches for penetration testing, plus tons of tips for maximizing your effectiveness as a pen tester. If you are looking to take a SANS course where the student-to-instructor ratio is fairly low so we can have more detailed and personalized discussions, this is a great one to register for. Plus, New Orleans is a fantastic town, with lotsa wonderful restaurants and fascinating history. It's gonna be a GREAT time. Registration details are
[Editor's Note: Here is the fifth in our series of penetrating testing tips drawn from the UltimateSANS Pen Test Poster. This time, our focus is on specific recommendations from Kevin Johnson about web app pen test tips, tools, resources, and other recommendations. Really helpful stuff. Thanks, Kevin!
For earlier posts in this series, feel free to check out:
John Strand's tips for network pen testing.
Steve Sims' tips for exploit development.
Josh Wright's tips for mobile device pen
[Editor's note: In this blog post, Raul Siles goes in-depth exploring how to attack a vulnerability in the way Android device lock works. Although a patch was released last week for this flaw, the slow (or nonexistent) update cycle for many users means this attack mechanism will be valid for quite some time to come. The best part of Raul's write-up is his use of both static and dynamic analysis techniques and a variety of tools to tease apart the flaw. Raul ends by showing how you can test that the newly released fixes for Android block exploitation of the flaw. Nice stuff! --Ed.]
By Raul Siles
Shameless plug: I will be teaching the 6-day SANS SEC 575: Mobile Device Security and Ethical Hacking course in Abu Dhabi, UAE (Apr 26, 2014 - May 1, 2014) and