Blog: SANS Penetration Testing

Security ADD - Offense, Defense, Or What?

[Editor's Note: In this post, the unparalleled Seth Misenar tackles the question of whether it's OK for a security professional to walk the line between offense and defense, or whether someone should take the plunge on one of these two sides. He lays bare his very soul as he debates the options before us all.]

By Seth Misenar

I was recently asked by Ed Skoudis and Mike Poor to serve on a panel discussion at SANS Security West 2014. The panel topic is Offense Informs Defense, and is kind of a face-off wherein SANS Pen Test instructors shoot out a bunch of new techniques and SANS Cyber Defense instructors discuss practical ways of handling the onslaught.

Sounds fun, so I immediately confirmed. Only later did it occur to me that I wasn't sure which side I was supposed to rep. Security ADD seems to rear its ugly head again.

I often joke with students that I appear to


Mission Impossible? Thwarting Cheating in an Advanced Pen Test Class CtF: The SANS SEC660 Experience

[Editor's Note: SANS course on advanced pen testing (SEC660) teaches a lot of great, in-depth topics, including exploit development, network manipulation (NAC bypass, Scapy packet crafting, man-in-the-middle attacks, and more), and Python for pen testers with tons of hands-on exercises. The whole class culminates in a full-day, intense capture the flag event, where the winners earn a 660 challenge coin (which includes a cool cipher, natch).

But, when you teach a bunch of skills like that and hold a CtF on the last day, sometimes, a few students get a little too rambunctious in applying their new-found skills. At the risk of being indelicate, I'll come out and say it -- they try to cheat. By using their Python skills along with their MiTM capabilities, they try to snarf flags from other teams


Pen-Test-A-Go-Go: Integrating Mobile and Network Attacks for In-Depth Pwnage

Josh Wright and I presented a webcast a few months back that is chock full of useful pen testing techniques from the mobile and network arenas. Based on the new SANS course, SEC561: Intense Hands-on Skill Development for Pen Testers, this webcast covers numerous useful techniques, such as:

  • Exploiting and automating data harvesting from iOS devices

  • Extracting stored secrets from iTunes backups

  • Effective Anti-Virus evasion with Veil

  • Windows host compromise and privilege escalation, along with UAC bypass

The slides below cover all the tools and techniques for doing all that great stuff, and more.

The SANS SEC 561 course is 80% hands-on skill development, showing how security personnel such as penetration testers, vulnerability assessment personnel, and auditors can leverage in-depth techniques to


Holiday Challenge 2013: Winners and Answers

And now, after nearly two weeks of intense analysis, detailed deliberation, and outright hand-to-hand combat, our esteemed judges emerge from their bunker, slightly bruised and battered, holding a single sheet of paper upon which, scrawled in blood, are the names of the winning entries to our annual Holiday Hacking Challenge.

In the background, a trumpet fanfare begins boldly proclaiming the announcement, with a scene that looks something like this:

Click here for the full video of the ceremony:

Go ahead and watch that video. It's brilliantly cut and really fun. Don't worry, we'll wait until you are finished with it. OK? Now that you've seen it, we'd


Announcing the SANS Spectacular Pen Test Video Contest!

Great penetration testers, by their very nature, are a creative bunch. Our jobs involve finding flaws, tearing them apart carefully, and artfully explaining our results so an organization can better understand its risk and defend itself.

To provide an outlet for this creativity and to share tips, tools, techniques, and inspiration, SANS is excited to announce:

The SANS Spectacular Pen Test Video Contest

Also known as the SANS SPTVC (rolls off the tongue, now, doesn't it?), the idea here is to share some penetration testing insight, tip, trick, or technique that you've learned on your own or perhaps from a SANS Pen Test Course. Or, you could make an inspirational video about the importance of penetration testing done properly. Record it in video format, edit as you see fit, send it in, and we'll pick the best to win a fine prize. We'll have winners in each of the following categories:

1) Most useful tip

2) Highest production values (with a