SANS Pen Test Hackfest Twitter Contest

We’re delighted to announce a new Twitter-based contest here with a fantastic prize.  And, participating in this one is really easy.  Check it out.

On November 13 through 20, SANS will be running our second annual Pen Test Hackfest training event in Washington DC.  We throw everything we’ve got into this extra special event, including:

  • Two days of amazing, in-depth talks by leading minds of the industry, including the authors of some of the best pen test tools on the planet, including SET, Armitage, and more.
  • Six days of training, with five different classes to choose from.
  • Three nights of NetWars Tournament challenges for hands-on fun and learning.
  • One night of CyberCity missions, where you’ll be defending critical infrastructures against attacks, preventing city-wide mayhem.
  • Coin-a-palooza: A chance to earn up to FOUR SANS Pen Test coins for your collection.
  • One Super Secret Special Evening: On Nov 14, we’ll be taking a mind-blowing trip.

The prize for our new Twitter contest is free admission to the two-day session at the start of the Hackfest on Nov 13-14.  You’ll experience some great talks, learn super useful information, participate in a NetWars evening Nov 13, and join us on the Super Secret Special Evening Nov 14.

How do you enter?  It’s easy — just snap a picture of yourself with one of the items listed below and tweet the photo to  @pentesttips  with the hashtag  #SANSHackfest.  Contest runs August 1st – 15th, 2014:

– Photo of yourself holding a SANS Pen Test Challenge Coin (Just the front!!! Not the back with its sooper sekret cipher) or Coin Sticker
– Photo of yourself wearing a SANS Pen Test T-shirt or NetWars shirt
– Photo of yourself wearing the glowing NetWars T-shirts from last year’s SANS Pen Test Hackfest
– Photo of yourself with any SANS item (book, shirt, etc.)
– Photo of yourself with this SANS pen test website visible (in a browser, on a screen, or even printed out on paper)

Each person that tweets a photo will be entered into a drawing to win a FREE seat at the Pen Test Hackfest Summit Nov 13-14.  The contest ends on August 15th, 2014 and we will announce the winner on August 18, 2014. The more creative the photo, the better…anything goes, just keep it clean and family friendly.  Some more detailed rules follow below.

Have fun & good luck!

–Ed Skoudis.

Rules:
1. Entry: Contest begins on Friday, August 1st, 2014 and ends Friday, August 15th, 2014. Responses must be submitted by 9:00 pm EDT on August 15th.  Each participant may enter an arbitrary number of times for the challenge.

2. Prize: Each person that correctly submits a photo including the hashtag #SANSHackfest will be entered into a drawing to win a FREE seat at the Pen Test Hackfest Summit this November. SANS will choose only one winner.  The seat is transferable to another in the same organization/company. The winner will be chosen on August 18th and will be notified via Twitter.

3. Odds of Winning: The odds of winning the contest depend upon the total number of all eligible entries received in the contest period, regardless of method of participation.

4. Release of Liability: SANS is not responsible for lost, late, or unintelligible entries, lost connections, miscommunications, failed transmissions, other technical difficulties or failures.

Security ADD – Offense, Defense, Or What?

[Editor’s Note: In this post, the unparalleled Seth Misenar tackles the question of whether it’s OK for a security professional to walk the line between offense and defense, or whether someone should take the plunge on one of these two sides. He lays bare his very soul as he debates the options before us all.]

By Seth Misenar

I was recently asked by Ed Skoudis and Mike Poor to serve on a panel discussion at SANS Security West 2014.  The panel topic is Offense Informs Defense, and is kind of a face off wherein SANS Pen Test instructors shoot out a bunch of new techniques and SANS Cyber Defense instructors discuss practical ways of handling the onslaught.

Sounds fun, so I immediately confirmed.  Only later did it occur to me, that I wasn’t sure which side I was supposed to rep.  Hmm…my security ADD seems to rear its ugly head again.

I often joke with students that I appear to suffer a bit from an undiagnosed case of ADD because I seem to flit from topic to topic within security.  One month I’m all about hardcore NSM practices, the next I’m focused on playing with weaponizing XSS and CSRF vulnerabilities, and the next… something completely different.  I routinely get a bit distracted and only later realize that I have refocused my time and efforts.  SQUIRREL!  See… I did it again.  This shifting seems normal to me, but is at odds with what most professionals do at my point in their careers?

So now, back to the question about the panel: which side am I supposed to rep, offense or defense?  Got it, I will just check the schedule for  http://www.sans.org/event/sans-security-west-2014  to see which curriculum I am teaching under at that conference, and I’ll “bet” that guy.  No joy. I’m teaching 504 which actually makes matters worse since that course logically seems to fit under Pen Test, Cyber Defense, and Digital Forensics too.  No obvious answer there… where to go from here?

Maybe I am just a generalist?  That doesn’t sound very desirable, even though most folks that I meet who work in security are expected to be some kind of generalist.  An often-quoted phrase comes to mind, “Jack of All Trades Master of None”.  Am I forsaking my true potential in offense OR defense, because I choose offense AND defense?  While it doesn’t seem to have been a career-limiting move, I could certainly have sharper offensive or defensive skills if I neglected the other side of the coin, or could I?

Then I come back to the Skoudis mantra, “Offense Informs Defense.”

I honestly think, and maybe this is simply rationalizing my own inherent behavior, that cyber/information security is better served as a whole by having both the single-minded, laser beam focused, offensive OR defensive experts as well as the security ADD encumb^H^H^H^H^H^Hmpowered offense AND defense professionals.  Those of us who play on both sides can help synthesize and match offense to practical defenses, and can also think of new ways around the defenses we deployed.  I don’t mean to take anything away from those who have chosen to focus on one side such as our panel leads Ed (offense) and Mike (defense).  But, those of us with InfoSec ADD are an important piece of the puzzle in constructing effective enterprise security programs.

Anyway, that is how I will justify answering for both the offensive and defensive curricula on the panel, if Ed and Mike let me get away with it.

So, feel free to point to this blog entry next time you start feeling a little disloyal to Pen Testing by moonlighting in Cyber Defense (or by taking <shameless plug> the soon-to-be-released SANS SEC511: Continuous Monitoring and Security Operations 😉 ) even though you are, by trade, a penetration tester.  Or, if you are a Cyber Defense person, point your boss this way when you feel like you are stepping out of line by taking a hand in helping your organization with its next penetration test.

Remember Defense Informs Offense Informs Defense after all.

Come check out the panel on 5/11/2014 if you happen to be at SANS Security West, and then stick around for Eric Conrad and me giving our Continuous Ownage: Why You Need Continuous Monitoring talk.

-Seth Misenar
@sethmisenar

Mission Impossible? Thwarting Cheating in an Advanced Pen Test Class CtF: The SANS SEC660 Experience

[Editor’s Note: The SANS course on advanced pen testing (SEC660) teaches a lot of great, in-depth topics, including exploit development, network manipulation (NAC bypass, Scapy packet crafting, man-in-the-middle attacks, and more), and Python for pen testers with tons of hands-on exercises.  The whole class culminates in a full-day, intense capture the flag event, where the winners earn a 660 challenge coin (which includes a cool cipher, natch).

But, when you teach a bunch of skills like that and hold a CtF on the last day, sometimes, a few students get a little too  rambunctious in applying their new-found skills.  At the risk of being indelicate, I’ll come out and say it — they try to cheat.  By using their Python skills along with their MiTM capabilities, they try to snarf flags from other teams attempting to send them to the score server.  What’s an enterprising course author to do?  Well, Steve Sims has some clever things up his sleeve, turning the tables on such shenanigans using the concepts taught in the course with a little Python magic of his own.  

I recommend you read through Steve Sims’ script to see how he uses Python with Scapy to call Nmap, call the underlying OS, formulate HTTP requests, and more.  Check it out! –Ed.]

By Stephen Sims

Here is a short blog article about an attack that students were attempting to pull off in some of the Capture the Flag (CtF) events as part of SANS SEC660: Advanced Penetration Testing, Exploits, and Ethical Hacking.  To thwart their attempts, I wrote a Python script.  In this article, I’d like to review the skills and techniques students use to try to undermine the CtF, and tell you my technical approach to address it in class.

The Source

During Day 1 of class, which is focused mostly on network attacks, we spend a lot of time looking at various ways to pull off a Man-in-the-Middle (MitM) attack, and then what you can accomplish by having that position. We cover techniques such as attacking SSL, routers, switches, and Network Access Control (NAC) solutions. During Day 3 of class, we spend a lot of time on Python, and various Python-based tools such as Scapy (by Philippe Biondi) and the Sulley Fuzzing Framework (by Pedram Amini / Aaron Portnoy  / Ryan Sears).

The Attack

Armed with this information taught in class, every so often a CtF team attempts to steal key submissions from other teams. Now, one could certainly argue that there is technically no cheating in a CtF; however, this does not mean it should be really easy to pull the attack off. To score in the SEC660 CtF, SHA-1 hashes, which act as keys, are submitted into the scoring system by each team. If a hash/key matches a challenge, points are awarded to the team. Regardless of whether SSL or simple HTTP is being used as the transport protocol to the scoring server, the aforementioned teams were attempting, sometimes successfully, to perform ARP cache poisoning and SSL stripping. This would allow the teams performing the attack to potentially read valid key submissions from other teams and get the points without completing the challenge.  Ouch.

The Solution

The script you are about to read was written in about 90 minutes during a live CtF, so please forgive the stylistic issues and cut corners, such as not putting in the full paths to binaries when using the system() function. One of the solutions I designed to thwart this type of attack, and note that I am sharing only one of them, was to create a script that would make a lot of noise on the wire. The script is not well-commented (again with the quick turnaround during the game), but it’s easy to read as it’s in Python. I decided to use Scapy together with Python to do the following:

  • Scan the student subnets to look for inactive IP addresses within the valid range assigned during class, using Nmap. This way it doesn’t stand out as an IP address that is obviously part of the script.
  • Use one of these addresses very briefly and also use a random MAC address in the VMware OUI range.
  • Automatically configure my interface with these addresses and perform a valid TCP_HTTP session to the scoring server.
  • Submit a pseudo-random SHA-1 hash as a key submission and use a pseudo-random PHP session ID.
  • Loop through this script until terminated.

The bottom line here is that my script injects false flags into the network, so anyone looking to steal a flag will likely get a non-valid flag delivered by my script.  Instead of stealing a valid flag from a legitimate student, they will have stolen a false flag from my script, netting them  NOTHING, except some wasted time.

Getting an automated script like this working with Scapy, that shows no errors when sniffing with a tool like Wireshark, can sometimes be challenging.  There are multiple ways to get it working. Feel free to read through the script and use it to improve your Scapy skills, or even better, improve it and send it to me at stephen@deadlisting.com. I will totally buy you a beer! Don’t forget to change the interface listed in the script if necessary.

–Stephen Sims

p.s. Josh Wright, Jake Williams, and I will be teaching SEC 660 using SANS on-line training system, vLive, from March 4 through April 17.  No travel is required, as you can take the class from the comfort of your home or office.  We meet twice a week, and we’ll be sharing our best tips and tricks for advanced pen testing.  Details are here: http://www.sans.org/vlive/details/sec660-04mar2014-joshua-wright.

from scapy.all import *
from time import sleep
from hashlib import sha1
from random import random, sample, randint
import string
import os
from os import system
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
conf.verb=0
os.system("clear")
print("\nPlease stand by while NMAP results are collected... This could take a minute...\n")
f = os.popen("nmap -n -PA -p0 10.10.75,76,77,78.1-254 | grep 'scan report for'") #Grab IP Addr from student range
z = [] #Active IP addresses found by NMAP

for lines in f:
    z.append(lines.split()[-1]) #With -n the IP ADDR is the last field of each "scan report for" line

print("Collected %d IP Addresses... Standby..." % len(z))
while True:
    print("Spoofing process started...")
    sp = RandNum(1025,65535) #Random number for ephemeral port assignment.
    char_set = string.ascii_lowercase + string.digits #Character set for the random PHPSESSID
    w = "10.10."+str(randint(75,78))+"."+str(randint(1,254))

    while w in z: #Re-draw until the address is not one NMAP saw as active
        w = "10.10."+str(randint(75,78))+"."+str(randint(1,254))

    system("ifconfig eth1 down") #You may have to change interface number...
    sleep(.5)
    system("ifconfig eth1 hw ether " + str(RandMAC("00:0c:29:*:*:*"))) #Random MAC in the VMware OUI range
    sleep(.5)
    system("ifconfig eth1 " + w + " " + "netmask 255.255.0.0")
    sleep(.5)
    system("ifconfig eth1 up")
    sleep(.1)
    #Drop the kernel's outbound RSTs to the scoring server; the OS knows nothing about the
    #Scapy-built connection and would otherwise reset it. A rule is appended on every pass.
    system("iptables -A OUTPUT -p tcp --destination-port 80 --tcp-flags RST RST -s " + str(w) + " -d 10.10.10.100 -j DROP")
    sleep(1)
    mac_lines = os.popen("ifconfig eth1 | grep 00:0c:29") #Grab the MAC addr now set on the interface
    for lines in mac_lines:
        ah = lines.split("\n")[0]
        print("Using MAC Address: " + ah[-19:])

    p = IP(src=w,dst="10.10.10.100") #Random IP from student subnets.
    saveip = p[IP].src
    print("Saved IP IS: " + str(saveip))
    key = sha1(str(random()).encode()).hexdigest() #Pseudo-random SHA-1 hash used as the false key
    print("Using key: " + key)
    myseq = 1000
    q = TCP(sport=sp, dport=80, flags="S", seq=myseq)
    SYNACK = sr1(p/q) #Three-way handshake: send SYN, wait for SYN/ACK
    sleep(.1)

    SPORT2 = SYNACK.dport #The source port Scapy actually picked for the SYN
    my_seq = myseq+1
    my_ack = SYNACK.seq+1
    ACK = TCP(sport=SPORT2, dport = 80, flags="A", seq=my_seq, ack=my_ack)
    derp = send(p/ACK)

    ACK = TCP(sport=SPORT2, dport = 80, flags="PA", seq=my_seq, ack=my_ack)
    b = ''.join(sample(char_set,26)) #Joining 26 random chars from char_set for SESSID.
    #Each header line ends in CRLF; a blank line ends the request.
    spoof = " HTTP/1.1\r\nHost: 10.10.10.100\r\n"+\
    "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) "+\
    "Gecko/2009102814 Ubuntu/8.10 (intrepid) Firefox/3.0.15\r\n"+\
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"+\
    "Accept-Language: en-us,en;q=0.5\r\n"+\
    "Accept-Encoding: gzip,deflate\r\n"+\
    "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"+\
    "Keep-Alive: 300\r\n"+\
    "Connection: keep-alive\r\n"+\
    "Referer: http://10.10.10.100/board.php\r\n"+\
    "Cookie: PHPSESSID="

    r = "GET /checkscore.php?key=" + key + spoof + b + "\r\n\r\n"

    getReq = sr1(p/ACK/r)

    my_seq = myseq+1+len(r) #The SYN used one sequence number, the request used len(r)
    ACK = TCP(sport=SPORT2, dport = 80, flags="FA", seq=my_seq, ack=my_ack)
    derp = sr1(p/ACK)
    ACK = TCP(sport=SPORT2, dport = 80, flags="A", seq=my_seq+1, ack=my_ack+1)

    derp = send(p/ACK)
    print("Successfully spoofed packet, no errors...")
    sleep(3)
    os.system("clear")
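
A score-server-side counterpart to the false-flag idea in the SEC660 post above, as an added example that is not part of Stephen Sims' script or the SEC660 scoring system: a decoy key is random and only ever sent by the generator, so a team that submits one must have read it off the wire. It assumes the generator records each decoy key with the spoofed address it used and that the server logs (time, source IP, key); the function names, the FAST_FOLLOW heuristic with its 10-second window, and the sample log are constructed for illustration.

```python
from collections import namedtuple
from hashlib import sha1

Submission = namedtuple("Submission", "ts src_ip key")  # one scoring-server log entry
Finding = namedtuple("Finding", "ts team verdict key")

def fake_key(label):
    """Constructed 40-hex-digit key for the sample data (not a real CtF key)."""
    return sha1(label.encode()).hexdigest()

def team_for_ip(src_ip, team_ips):
    """Return the team that owns src_ip, or None for an unassigned address."""
    for team, ips in team_ips.items():
        if src_ip in ips:
            return team
    return None

def triage(submissions, valid_keys, decoys, team_ips, window=10):
    """Flag submissions that suggest a team is reading other hosts' traffic.

    decoys maps each decoy key to the spoofed IP the generator sent it from.
    DECOY_REPLAY: a decoy key arrives from any address other than that one.
    FAST_FOLLOW:  a team's first submission of a valid key lands within
                  `window` seconds of another team's first submission of it
                  (a reason to look closer, not proof).
    """
    first_by_team = {}  # valid key -> {team: time of that team's first submission}
    findings = []
    for s in sorted(submissions):  # namedtuples sort by ts first
        team = team_for_ip(s.src_ip, team_ips)
        if s.key in decoys:
            if s.src_ip != decoys[s.key]:  # the generator's own traffic is expected
                findings.append(Finding(s.ts, team, "DECOY_REPLAY", s.key))
        elif s.key in valid_keys:
            teams = first_by_team.setdefault(s.key, {})
            if team not in teams:  # a team re-sending its own key is ignored
                if any(s.ts - ts <= window for ts in teams.values()):
                    findings.append(Finding(s.ts, team, "FAST_FOLLOW", s.key))
                teams[team] = s.ts
    return findings

# Constructed sample data: three teams, one real key, one decoy key.
DECOY_1 = fake_key("constructed-decoy-1")
VALID_1 = fake_key("constructed-challenge-1")
TEAM_IPS = {"red": {"10.10.75.11"}, "blue": {"10.10.76.20"}, "green": {"10.10.77.5"}}
VALID_KEYS = {VALID_1}
DECOYS = {DECOY_1: "10.10.78.201"}
LOG = [
    Submission(100, "10.10.78.201", DECOY_1),  # the decoy generator itself
    Submission(130, "10.10.76.20", DECOY_1),   # blue submits a key only the wire carried
    Submission(200, "10.10.75.11", VALID_1),   # red solves the challenge
    Submission(203, "10.10.77.5", VALID_1),    # green sends the same key 3 s later
    Submission(900, "10.10.76.20", VALID_1),   # blue solves it much later
    Submission(905, "10.10.75.11", VALID_1),   # red re-sends its own key
]

def run_sample():
    return triage(LOG, VALID_KEYS, DECOYS, TEAM_IPS)

if __name__ == "__main__":
    for f in run_sample():
        print("%d %-5s %-12s %s" % (f.ts, f.team, f.verdict, f.key))
```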

Getting the Most Out of DEF CON: Some Tips for First Timers

by Ed Skoudis

Are ya going to DEF CON?  Thousands of hackers, infosec pros, security researchers, curious newbies, reporters, and countless others will.  I’ve had the honor of attending the world’s biggest hacker conference for 13 of the past 14 years (I missed in 2011 because my wife needed big-time surgery… she’s doing great now, thankfully!).  I thoroughly enjoy the conference and bring my whole team there each year.  I have always been amazed at its ability to attract first-timers to the conference.  During the closing ceremony, The Dark Tangent, DEF CON’s venerable founder and fearless leader, asks for a show of hands: Raise your hand if this is your first DEF CON.  On my completely unscientific guestimate of the number of hands raised among the several thousand people in the ginormous room, about 30 to 40% are brand new to the DEF CON experience.

This year, two of my closest friends will be embarking on their first trip to the ultimate hacker mecca, and we’ve been chatting about it for the past several weeks.  I’ve written up a couple of tips below for them, and I thought others might find them interesting as well.  Please note that I’m neither an organizer nor in the leadership of DEF CON.  I’m just a little hacker, a happy DEF CON attendee, wanting to share some tips that I’ve found useful over the years.

Tickets: You don’t register or pay in advance for DEF CON tickets. Just show up and pay cash for them at the door.  The lines get kinda long, so bring some water and a snack, as well as a friend, to help pass the time while waiting.

Badges: DEF CON typically has amazing badges chock full of electrical gadgetry and ciphers, but they often run out of the super cool ones early, leaving paper or cardboard badges for everyone else.  If you want one of the best badges, get in line early on Thursday.  The most common kind of badge is the “human” badge, which is for general attendees.  Other badges include speaker, goon, press, and the much coveted uber black badge for top conference leaders and winners of the most prestigious contests.

Hotel: The conference is an all-encompassing experience which may tie up 14 to 20 hours a day of your time.  Don’t spend a lot of money on a hotel, because you won’t be there much.  You can find cheap hotels within walking distance for Thursday night and Sunday night, likely in the $49/night or less range.  Friday and Saturday get more expensive, as tourists flock to Vegas, but if you hunt around and sweet talk some hotel reservation lines, you may be able to find something in the $59 to $109 range.  Early in my career, I’d share a room with two or three other attendees to split the costs, getting our average per night room rate to about $30 or so.  It was great fun, and quite affordable.

When to Get There?  The con runs from Thursday to Sunday.  A lot of the activities get underway on Friday, so many people show up then.  But, I recommend making sure you get there on Thursday.  There are some amazing vendor parties on Thursday night for people staying over from the Black Hat conference to attend DEF CON.  Plus, there’s a much better chance you’ll get a cool badge if you are there on Thursday.

When to Go Home?  Around 5:30 PM on Sunday, the conference quickly becomes a ghost town.  I am always filled with sadness as the conference winds down and disappears.  You could leave Sunday night, just like almost everyone else.  But, I started a little ritual about 8 years ago that helps assuage my post-con blues. I go out for a nice meal with a bunch of my closest friends, and then fly back on Monday morning.  You may want to try something similar.

Goons: The folks who do crowd control at DEF CON are known as Goons.  They are all volunteers and work diligently to make the conference flow.  The Goons may sometimes sound gruff or pushy, but treat them well, respect them, and do what they say.  I know that one of the themes of DEF CON is questioning authority, but the Goons really have the conference goers’ best interests in mind.  Be good to them, and they’ll be good to you.

Sleep:  Don’t plan on getting much sleep at the conference.  Sleep in advance.  Sleep afterward.  Many of us get 4 hours or less per day of sleep during conference time.  Priest (the head goon at DEF CON) said to me years ago at the conference, “Sleep? You’ll have plenty of time to sleep when you’re DEAD!”  Whenever I grow weary at DEF CON, I can actually hear Priest’s voice in my head saying that, which helps get me going again, for more DEF CON learning, fun, and mayhem.

Parties: Some of the best attractions at DEF CON are the plentiful parties hosted by several different hacker groups.  Some of the parties are open attendance, while others are invite only.  I’ll often go to three or four parties each night, just to make the rounds, see old friends, meet new people, and have fun.  Make sure you take in some parties.  Even if you aren’t the partying type, these events are a great way to network and learn.  I typically learn more during the parties than I do at the talks themselves.  If you are the shy type, look around for other shy people just standing around at the party and engage in a conversation.  “Is this your first DEF CON?” “Where are ya from?” “What was the coolest talk you saw today?” are decent conversation starters.  Various groups post a list of DEF CON parties online, so make sure you check them out regularly, as they are frequently updated during the con itself.  Simply searching for “DEF CON parties” and the year will get you a good list.

Talks: Try and attend at least a few talks on a variety of topics.  Some of the most popular talks, though, are a mad house, with long lines, overflow crowds, and room size restrictions so some people are turned away.  Early on in the con, pick a few must-go-to talks that you really want to see, but always have a backup alternative, just in case your first pick’s room is maxed out.

Hardware Village: Stop by the hardware village at least once, check out all the electrical gizmos, and pick a lock.  Don’t know how to pick?  No problem.  There will be coaches there to help you, and it’s super fun.  In fact, it is surprisingly easy to pick most locks, and it’s a great thrill to pop your first lock. You’ve gotta check it out.

On the Topic of Drinking: Vegas lies in the middle of a big honkin’ desert.  Daytime temps often surpass 107 degrees Fahrenheit.  Even if you stay indoors, the air itself will vacuum water out of your body and your very soul.  Drink lots of water, double or triple what you’d normally consume.  And, if you plan on imbibing some alcohol while at the conference, have even more water, perhaps a glass in between each alcoholic beverage you enjoy.  Otherwise, your colossal headache the next morning will prevent your full enjoyment of the con.

Chill: DEF CON is so full of different activities, it can be overwhelming. Make sure you get some down time to relax.  There is typically a large breakout room for just hanging out and resting.  Use it.  If there’s not enough stimulation in that room for you, take a stroll through the big Capture the Flag room and watch some of the crazy videos played on the big wall.

Con Network: DEF CON has a big wireless network that is free for anyone at the conference to use. That’s the good news.  But, I have had many friends and associates get hacked big-time while on this network, their systems laced with malware and other nasty stuff.  I recommend staying off of the conference network entirely.  In fact, I recommend disabling Wifi and Bluetooth on your laptops and mobile devices at the conference.  I carry only a cell phone, which I use for text messaging friends to meet at the conference, and to review the conference agenda and party list, but NEVER via Wifi.  Also, it’s probably wise to avoid any ATMs for getting cash at the conference.  In past years, cash machines have mysteriously appeared and later disappeared at the conference, likely there to dupe unsuspecting users into providing a mag stripe and a PIN.

The Closing Ceremony: At the end of DEF CON on Sunday, the whole DEF CON crew stages a multi-hour closing extravaganza.  This event includes some great conference memories, applause for all the organizers of various events, and the announcement of winners for various contests held during the conference, including the awarding of the black badges.   Although it is always too long, the closing ceremony is an excellent way to wind down the conference.  I wouldn’t miss the closing ceremony for the world.

Well, I hope those tips serve you well.  Have fun at the con!

–Ed Skoudis.
SANS Fellow
SANS Penetration Testing Curriculum Lead