Resources: Whitepapers

White Papers are an excellent source for information gathering, problem-solving and learning. Below is a list of White Papers written by penetration testing practitioners seeking certification. SANS attempts to ensure the accuracy of information, but papers are published "as is".

Errors or inconsistencies may exist or may be introduced over time. If you suspect a serious error, please contact webmaster@sans.org.

Featured Papers

This featured paper includes some really useful techniques that penetration testers should master. Read it, learn it, and live it, as you extend your skills.

Penetration Testing Whitepapers
Paper Author Certification
Let's face it, you are probably compromised. What next? Thyer, Jonathan GPEN
Secure Design with Exploit Infusion Wen Chinn, Yew GCIH
An Analysis of Meterpreter during Post-Exploitation Wadner, Kiel GCIH
Creating a Threat Profile for Your Organization Irwin, Stephen GCIH
Modeling Security Investments With Monte Carlo Simulations Lyon, Dan GWAPT
A Qradar Log Source Extension Walkthrough Stanton, Michael GCIH
Differences between HTML5 or AJAX web applications Thomassin, Sven GWAPT
H.O.T. | Security Rocha, Luis GCIH
Small devices need a large Firewall Mastad, Paul GCIH
Are there novel ways to mitigate credential theft attacks in Windows? Foster, James GCIH
Digital Certificate Revocation Vandeven, Sally GCIH
Incident Response in a Microsoft SQL Server Environment Walker, Juan GCIH
Web Application Penetration Testing for PCI Hoehl, Michael GWAPT
Securing Aviation Avionics Panet-Raymond, Marc GCIH
iPwn Apps: Pentesting iOS Applications Kliarsky, Adam GPEN
Incident Handling Annual Testing and Training Holland, Kurtis GCIH
Rapid Triage: Automated System Intrusion Discovery with Python Bond, Trenton GCIH
Using Open Source Reconnaissance Tools for Business Partner Vulnerability Assessment Young, Sue GCIH
An Approach to Detect Malware Call-Home Activities Cui, Tianqiang GCIH
Active Security Or: How I learned to stop worrying and use IPS with Incident handling Brown, Douglas GCIH
War Pi Christie, Scott GCIH
Getting Started with the Internet Storm Center Webhoneypot Pokladnik, Mason GWAPT
Home Field Advantage: Employing Active Detection Techniques Jackson, Benjamin GCIH
Introduction to the OWASP Mutillidae II Web Pen-Test Training Environment Druin, Jeremy GWAPT
Talking Out Both Sides of Your Mouth: Streamlining Communication via Metaphor More, Josh GCIH
SMS, iMessage and FaceTime security Khalil, George GCIH
Using DomainKeys Identified Mail (DKIM) to Protect your Email Reputation Murphy, Christopher GCIH
Detecting Security Incidents Using Windows Workstation Event Logs Anthony, Russell GCIH
Web Application Injection Vulnerabilities: A Web App's Security Nemesis? Couture, Erik GWAPT
Event Monitoring and Incident Response Boyle, Ryan GCIH
Website Security for Mobile Ho, Alan GWAPT
Web Log Analysis and Defense with Mod_Rewrite Wanner, Rick GCIH
How to identify malicious HTTP Requests Sarokaari, Niklas GWAPT
Exploiting Embedded Devices Jones, Neil GPEN
InfiniBand Fabric and Userland Attacks Warren, Aron GCIH
Incident Handling in the Healthcare Cloud: Liquid Data and the Need for Adaptive Patient Consent Management Filkins, Barbara GCIH
PDF Obfuscation - A Primer Robertson, Chad GPEN
Attributes of Malicious Files Yonts, Joel GCIH
Exploiting Financial Information Exchange (FIX) Protocol? DeMarco, Darren GCIH
Covert Channels Over Social Networks Selvi, Jose GCIH
Robots.txt Lehman, Jim GWAPT
Penetration Testing Of A Web Application Using Dangerous HTTP Methods Kim, Issac GWAPT
Shedding Light on Security Incidents Using Network Flows Gennuso, Kevin GCIH
In-house Penetration Testing for PCI DSS Koster, Jeremy GPEN
Remote Access Point/IDS Kee, Jared GCIH
Post Exploitation using Metasploit pivot & port forward Dodd, David GPEN
Quick and Effective Windows System Baselining and Comparative Analysis for Troubleshooting and Incident Response Fuller, Kevin GCIH
iPhone Backup Files. A Penetration Tester's Treasure Manners, Darren GPEN
Mitigating Browser Based Exploits through Behavior Based Defenses and Hardware Virtualization Faust, Joseph GCIH
Securely deploying Android devices Alonso-Parrizas, Angel GCIH
Responding to Zero Day Threats Kliarsky, Adam GCIH
Practical OSSEC Robertson, Chad GCIH
Creating Your Own SIEM and Incident Response Toolkit Using Open Source Tools Sweeny, Jonny GCIH
An Overview Of The Casper RFI Bot O'Connor, Dan GCIH
Animal Farm: Protection From Client-side Attacks by Rendering Content With Python and Squid. OConnor, Terrence GCIH
Pass-the-hash attacks: Tools and Mitigation Ewaida, Bashar GCIH
Solution Architecture for Cyber Deterrence Mowbray, Thomas GPEN
Malicious Android Applications: Risks and Exploitation Boutet, Joany GPEN
Security Incident Handling in High Availability Environments Kibirkstis, Algis GCIH
Using Windows Script Host and COM to Hack Windows Ginos, Alexander GPEN
Effective Use Case Modeling for Security Information & Event Management Frye, Daniel GCIH
Penetration Testing in the Financial Services Industry Olson, Christopher GPEN
Which Disney© Princess are YOU? Brower, Joshua GCIH
Why Crack When You Can Pass the Hash? Hummel, Christopher GCIH
One Admin's Documentation is their Hacker's Pentest Vandenbrink, Robert GPEN
IOSTrojan: Who really owns your router? Santander Pelaez, Manuel Humberto GCIH
Visualizing the Hosting Patterns of Modern Cybercriminals Hunt, Drew GCIH
PCI DSS and Incident Handling: What is required before, during and after an incident Moldes, Christian GCIH
A Fuzzing Approach to Credentials Discovery using Burp Intruder Dawson, Karl GPEN
Incident Handlers Guide to SQL Injection Worms Folkerts, Justin GCIH
IOScat - a Port of Netcat's TCP functions to Cisco IOS Vandenbrink, Robert GCIH
Bypassing Malware Defenses Christiansen, Morton GPEN
Investigative Tree Models Caudle, Rodney GCIH
A Guide to Encrypted Storage Incident Handling Shanks, Wylie GCIH
The SirEG Toolkit Begin, Francois GCIH
Using GUPI to Create A Null Box Comella, Robert GCIH
Incident Handling as a Service Lundell, Michel GCIH
Zombie profiling with SMTP greylisting Koster, Jeremy GCIH
Using OSSEC with NETinVM Allen, Jon Mark GCIH
Detecting Hydan: Statistical Methods For Classifying The Use Of Hydan Based Steganography In Executable Files Wright, Craig GCIH
Document Metadata, the Silent Killer... Pesce, Larry GCIH
Espionage - Utilizing Web 2.0, SSH Tunneling and a Trusted Insider Abdel-Aziz, Ahmed GCIH
Following Incidents into the Cloud Reed, Jeffrey GCIH
Covering the Tracks on Mac OS X Leopard Scott, Charles GCIH
Winquisitor: Windows Information Gathering Tool Cardosa, Michael GCIH
An approach to the ultimate in-depth security event management framework Pachis, Nicolas GCIH
Exploitation Kits Revealed - Mpack Martin, Andrew GCIH
Scareware Traversing the World via a Web App Exploit Hillick, Mark GCIH
Mining for Malware - There's Gold in Them Thar Proxy Logs! Griffin, Joe GCIH
Detecting and Preventing Unauthorized Outbound Traffic Wippich, Brian GCIH
Virtual Rapid Response Systems Mohan, Chris GCIH
Computer Security Education The Tool for Today Burke, Ian GCIH
Preventing Incidents with a Hardened Web Browser Crowley, Chris GCIH
Baselines and Incident Handling Christianson, Chris GCIH
Stack Based Overflows: Detect & Exploit Christiansen, Morton GCIH
Application Whitelisting: Panacea or Propaganda Beechey, Jim GCIH
Multi-Tool DVD Sets: An important addition to the Incident Handler/ Pen Tester's toolkit Bandukwala, Jamal GCIH
Expanding Response: Deeper Analysis for Incident Handlers McRee, Russ GCIH
Pros and Cons of using Linux and Windows Live CDs in Incident Handling and Forensics Smith, Ricky GCIH
Inside-Out Vulnerabilities, Reverse Shells Hammer, Richard GCIH
DNS Sinkhole Bruneau, Guy GCIH
The December Storm of WMF: Preparation, Identification, and Containment of Exploits Voorhees, James GCIH
Cisco Security Agent and Incident Handling Farnham, Greg GCIH
A Practical Application of SIM/SEM/SIEM Automating Threat Identification Swift, David GCIH
Effectiveness of Antivirus in Detecting Metasploit Payloads Baggett, Mark GCIH
Network Covert Channels: Subversive Secrecy Sbrusch, Raymond GCIH
Utilizing "AutoRuns" To Catch Malware McMillan, Jim GCIH
Exploiting BlackICE When a Security Product has a Security Flaw Gara-Tarnoczi, Peter GCIH
Remote installation of VMware GSX and a virtual machine Condon, Ed GCIH
Valentine's Surprise Firedragging in Action de Nie, Paula GCIH
Microsoft Windows Cursor and Icon Format Handling Vulnerability Perkins, Matthew GCIH
IBM AIX invscout Local Command Execution Vulnerability - HONORS Horwath, Jim GCIH
An Analysis of the Remote Code Execution Vulnerability as Described in Microsoft's MS05-002 Security Bulletin Rose, Jerome GCIH
Identity Theft Made Easy Huber, Eric GCIH
0day targeted malware attack Villatte, Nicolas GCIH
Exploiting Microsoft Internet Explorer Cursor and Icon File Handling Vulnerability Chen, Jerry GCIH
Windows Internet Naming Service - An Exploit Waiting to Happen Berger, Jeremy GCIH
Exploiting Samba Buffer Overflow Vulnerability via MetaSploit Framework Ko, James GCIH
Local Privilege Escalation in Solaris 8 and Solaris 9 via Buffer Overflow in passwd(1) McAdams, Shaun GCIH
rLogin Buffer Overflow Vulnerability - Solaris Corredor, Juan GCIH
A Case Study in Solaris Sadmind Exploitation Nathoo, Karim GCIH
What is Santy bringing you this year? HONORS Danhieux, Pieter GCIH
Fun with Batch Files: The Muma Worm Mackey, David GCIH
Microsoft Internet Explorer SP2 Fully Automated Remote Compromise Davies, Alan GCIH
A Picture is Worth 500 Malicious Dwords Hall, Timothy GCIH
Remote Exploitation of Icecast 2.0.1 Server Pittner, Jakub GCIH
Freezing Icecast in its Tracks McLaren, Jared GCIH
Exploiting PHP code injection: phpMyAdmin Multiple Input Validation Vulnerabilities Kah, Fabrice GCIH
Exploiting Internet Explorer via IFRAME Becher, Jim GCIH
Donald Dick 1.55 with Last Updated GUI Component from Version 1.53 Maglich, Ryan GCIH
A Heap o' Trouble: Heap-based flag insertion buffer overflow in CVS Conrad, Eric GCIH
Mutated Code Kopczynski, Tyson GCIH
Windows Shell Document Viewer shdocvw.dll Feature or Trojan Horse? Fenwick, Wynn GCIH
A J0k3r Takes Over Larrieu, Heather GCIH
Dsniff and Switched Network Switching Bowers, Brad GCIH
Exploiting the Microsoft Windows Task Scheduler ".job" Stack Overflow Vulnerability Wenchel, Kevin GCIH
Neptune.c the Birth of SYN Flood Attacks Cardinal, Steven GCIH
Apache Web Server Chunk Handling Vulnerability: An Exploit In Action Walker, Martin GCIH
My First Incident Handling Experience Kohli, Karmendra GCIH
Incident Illustration - Corporate Compromise Hall, Russell GCIH
Johnny and the Metasploit - "MICROSOFT LSASS MS04-011 OVERFLOW" ATTACK Greene, Richard GCIH
Lotus Notes Penetration Rademacher, Karl GCIH
System infiltration through Mercur Mail Server 4.2 Ben Alluch Ben Amar, Jamil GCIH
Session stealing with WebMin Murdoch, Don GCIH
Incident Illustration - Missing Files White, Scott GCIH
The Cisco IPv4 Blocked Interface Exploit Johnson, Cortez GCIH
Phone Phreaking and Social Engineering Tuey, Richard GCIH
SMTP Loop Moderate Denial of Service: InterScan VirusWall NT & Lotus Domino Environment Roberts, Brian GCIH
Nachi to the Rescue? Griffith, Russ GCIH
Incident Illustration - Mstream Gallo, Kenneth GCIH
Incident Handling Without Guidelines McKellar, Neil GCIH
Attack of Slammer worm - A practical case study Huang, Dongmei GCIH
Combating the Nachia Worm in Enterprise Environments Johnson, Brad GCIH
Catch the culprit! Perez, David GCIH
Anna Kournikova Worm Ashworth, Robert GCIH
Exploiting the SSH CRC32 Compensation Attack Detector Vulnerability Williams, R. Michael GCIH
Traveling Through the OpenSSL Door Murphy, Keven GCIH
All Your Base Are Belong To Someone Else: An Analysis Of The Windows Messenger Service Buffer Overflow Vulnerability Hewitt, Peter GCIH
Illustration of VS.SST@mm Virus Incident Smith, Kevin GCIH
In Support of the Cyber Defense Initiative Kohlenberg, Toby GCIH
Incident Analysis in a Mid-Sized Company Garvin, Pete GCIH
Author Intruder Alert: Why Internal Security must not take a back seat. Hendrick, Jim GCIH
Incident Illustration Black, Ronald GCIH
BackGate Kit: The Joy of "Experts" DePriest, Paul GCIH
A Management Guide to Penetration Testing Shinberg, David GCIH
GIAC GCIH Assignment - Pass Harrison, Daniel GCIH
A Buffer Overflow Exploit Against the DameWare Remote Control Software Strubinger, Ray GCIH
MS IIS CGI Filename Decode Error Vulnerability Shenk, Jerry GCIH
The t0rn Rootkit Craveiro, Paulo GCIH
At hacker's mercy while surfing the web - A cross-zone scripting exploit for Internet Explorer Leibenzeder, Florian GCIH
Discovering a Local SUID Exploit Pike, Jeff GCIH
Microsoft IIS Superfluous Decoding Vulnerability Orkin, Kevin GCIH
A Security Analysis of the Gnutella Peer-to-Peer Protocol Cheney, Kirk GCIH
SMTP - Always a victim of a good time Lock, James GCIH
A Two Stage Attack Using One-Way Shellcode Mathezer, Stephen GCIH
Once Bitten Twice Sly - Common Exploits Fueled by Common Mishap Melvin, John GCIH
KaZaA Media Desktop Virus: W32/kwbot Will, Rita GCIH
Real World ARP Spoofing Siles, Raul GCIH
Relative Shell Path Vulnerability Evans, Earl GCIH
Buffer overflow in BIND 8.2 via NXT records Talianek, Chris GCIH
Incident Report for a Rootkit attack on a Fedora workstation Norman, Bonita GCIH
M@STER@GENTS: Masters of "SPAM" Ashland, Joanne GCIH
Support for the Cyber Defense Initiative Fresen, Lars GCIH
Penetration Testing of a Secure Network Pakala, Sangita GCIH
ICQ URL Remote Exploitable Buffer Overflow de Beaupre, Adrien GCIH
PHP-Nuke: From SQL Injection to System Compromise Paynter, Eric GCIH
Employees Are Crackers Too Stapleton, Curt GCIH
Apache Web Server Chunk Handling Apache-nosejob.c Sarrazyn, Dieter GCIH
The Tactical Use of Rainbow Crack to Exploit Windows Authentication in a Hybrid Physical-Electronic Attack Mahurin, Mike GCIH
Cisco IOS Type 7 Password Vulnerability Massey, Lee GCIH
DreamFTP - The Nightmare Begins! Sorensen, Robert Peter GCIH
WU-FTPD Heap Corruption Vulnerability - HONORS Allen, Jennifer GCIH
Solaris in.lpd Remote Command Execution Vulnerability Seah, Meng Kuang GCIH
When Script-kiddies become the target, as well as the menace: A variant of the WU-FTPD File Globbing Heap Corruption Vulnerability Hall, Stephen GCIH
Testing Web Applications for Malicious Input Attack Vulnerabilities Grill, Robert GCIH
Exploiting the Microsoft Internet Explorer Malformed IFRAME Vulnerability Tu, Alan GCIH
What to do when you break WEP Wireless Security and the LAN Poer, Geoffrey GCIH
SMBdie'em All - Kill That Server Kirby, Craig GCIH
A Study of the o_wks.c Exploit for MS03-049 Arnoth, Eric GCIH
WebDAV Buffer Overflow Vulnerability Beckley, Peter GCIH
Incident Illustration - Firewall Attack Reed, Bill GCIH
Sub Seven: A Risk to Your Internet Security Ostrowski, Paul GCIH
Network Printers: Whose friend are they? Hutcheson, Lorna GCIH
The enemy within: Handling the Insider Threat posed by Shatter Attacks Layton, Meg GCIH
Open Shares Vulnerability Hill, Siegfried GCIH
Simple Network Management Protocol: Now More than a "Default" Vulnerability Fluharty, Daniel GCIH
The Microsoft IIS 5.0 Internet Printing ISAPI Extension Buffer Overflow Clemenson, Christopher GCIH
Multithreaded, Dictionary-Based, Brute Force Password Attack on Linksys BEFSR41 With Remote Management Enabled Using A Modified THC-Hydra Tool Kirch, Joel GCIH
IP Masquerading Vulnerability for Linux 2.2.x - CVE-2000-0289 Baccam, Tanya GCIH
IIS 5 In-Process Table Privilege Escalation Vulnerability Fatnani, Kishin GCIH
Hijacked Server Serves Up Foreign Bootlegged Pornography Meyer, Russell GCIH
Stay Alert While Browsing the Internet LaValley, Jim GCIH
The fascinating tale of a lame hacker, a Linux Box, and how I received permission to deploy my IDS Markham, George GCIH
Sun snmpXdmi Overflow Miller, Kevin GCIH
0x333hate.c: Samba Remote Root Exploit Embrich, Mark GCIH
Robbing the Bank with ITS/MHTML Protocol Handler Balcik, James GCIH
Exploit Analysis Jenkinson, John GCIH
FTP Port 21 "Friend or Foe" Support for the Cyber Defense Initiative Karrick, Stephen GCIH
Port 1433 Georgas, Mark GCIH
eMule Exploit Renna, Scott GCIH
Reverse Engineering Srvcp.exe Zeltser, Lenny GCIH
Widespread SNMP Vulnerabilities Brooks, Greg GCIH
A Weak Password And A Windows Rootkit: A Recipe For Trouble Ives, John GCIH
Pass - Questions Stackhouse, Brent GCIH
Phishing Attack in Organizations: Incident Handlers Perspective Ong, Leonard GCIH
Revisiting the Code Red Worm White, Ravila GCIH
Linux NTPD Buffer Overflow Stadler, Philipp GCIH
The Blind Leading The Blind - Sadmind/IIS Worm Barger, Richard GCIH
BIND 8.2 NXT Remote Buffer Overflow Exploit Mcmahon, Robert GCIH
Local Exploit: dtprintinfo for Solaris 2.6 and 7 Sipes, Steven GCIH
BruteSSH2 - 21st Century War Dialer Thompson, Bill GCIH
Exploiting Vulnerabilities in Squirrelmail Bong, Kevin GCIH
Port 80 (HTTP) - Apache Web Server Chunk Handling Vulnerability Oksanen, Scott GCIH
Breaking Windows 2000 Passwords via LDAP Password Crackers Hamby, Charles GCIH
Incident Illustration - SGI Penetration Roth, Jeffrey GCIH
Exploiting the LSASS Buffer Overflow Wohlberg, Jon GCIH
Code Red and the Unix Impact Mcguire, David GCIH
Port 443 and Openssl-too-open Lee, Chia-Ling GCIH
Hacker Techniques, Exploits, and Incident Handling Brooker, Denis GCIH
Deep Throat 3.1 Analysis Prue, Patrick GCIH
phpMyAdmin 2.5.7 - Input Validation Vulnerability Thurston, Tracy GCIH
FTP Security and the WU-FTP File Globbing Heap Corruption Vulnerability Webb, Warwick GCIH
Port 1433 Vulnerability: Unchecked Buffer in Password Encryption Procedure Bryner, Jeff GCIH
Windows Media Services NSIISLOG.DLL Remote Buffer Overflow Smith, Steve GCIH
Jolt2 or "IP Fragment Re-assembly" Beciragic, Jasmir GCIH
Importance of a Minor Incident: W32/Goner@MM Legary, Michael GCIH
Nimda - Surviving the Hydra Schmelzel, Paul GCIH
GIAC Certified Incident Handling Practical Yachera, Stanley GCIH
An Attacker On RPC Compromised Remote VPN Host Runs Arbitrary Code on Microsoft Exchange Server 2000 Ho, Wai-Kit GCIH
Ramen Worm Ives, Millie GCIH
Buffer Overflow in /bin/login Puusaari, Matthew GCIH
SQL Server Resolution Service Exploit in Action Hoover, Jim GCIH
Welchia Worm vs. Policy Makers Fighting Malware with Policy, not with Fire Corll, Benjamin GCIH
The Search for "Kozirog" Weaver, Greg GCIH
How to Gain Control of a Windows 2000 Server Using the In-Process Table Privilege Escalation Exploit Stidham, Jonathan GCIH
SQL Slammer Worm Hayden, Chris GCIH
Microsoft RPC-DCOM Buffer Overflow Attack using Dcom.c Farrington, Dean GCIH
Incident Illustration Chervenka, Dan GCIH
Tracking the Back Orifice Trojan on a University Network Knudsen, Kent GCIH
First Response: An incident handling team learns a few lessons the hard way Cragg, David GCIH
Bad ESMTP Verb Usage Equals Bad Times for Exchange Smith, Aaron GCIH
Automated Execution of Arbitrary Code Using Forged MIME Headers in Microsoft Internet Explorer Winters, Scott GCIH
False Alarm...Or Was It? Lessons Learned from a Badly Handled Incident Graesser Williams, Dana GCIH
SQL Slammer and Other UDP Port 1434 Threats In support of the Cyber Defense Initiative Ray, Edward GCIH
Real Network's Remote Server Remote Root Exploit Lastor, Michael GCIH
Wireless LAN Honeypots to Catch IEEE 802.11 Intrusions Mitchell, Gordon GCIH
Netscape Enterprise Server Denial of Service Exploit Smith, Tony GCIH
Back-Door'ed by the Slammer Hally, John GCIH
Eradicating the Masses & Round 1 with Phatbot? Fulton, Lora GCIH
FreeBSD 4.x local root vulnerability -- exec() of shared signal handler Durkee, Ralph GCIH
Identifying and Handling a PHP Exploit Edelson, Eve GCIH
Exploiting Samba's SMBTrans2 Vulnerability Darrah, Byron GCIH
Incident Illustration - LoveLetter VBS Gerber, John GCIH