A few weeks ago I saw an ad for Thor’s Microsoft Security Bible: A Collection of Practical Security Techniques (TMSB) by Timothy “Thor” Mullen and thought, “Hey, that sounds like it could be useful.” I work for a Managed Services Provider (MSP) that supports tons of Microsoft servers, so any extra knowledge can always come in handy. Originally, I thought it might be over my head. I held off on buying it until I found some reviews. Fortunately (or unfortunately, depending on how you look at it) TMSB had just come out and no reviews could be found. I decided to go on Amazon and read the first chapter for free to see if it was something I could handle. After reading the intro and half of chapter one, I was hooked.
Before I get to the review and some thoughts, I thought I’d offer a couple quick hints. The first hint is to buy the hard copy. Online retailers are selling the electronic version for the same price as the hard copy, and there is media that comes with the book. Therefore, getting the hard copy gets you both for the same price. Second, having read through the book, I’d suggest having the following intermediate level skills: C#, T-SQL, and Server 2008 experience. On with the review!
The introduction for TMSB by Timothy “Thor” Mullen is one of the best I have read of any security related books. First, the author explains that he is going to convey the information with a first person style of writing. He keeps true to his word, making reading through the short 298-page book (not including appendixes) very quick, as I felt we were almost having a conversation. Second, the author speaks to three ideas that really struck a chord with me.
1. Feasibility of a hack – sure there is a way, but what is the likelihood of people actually doing it.
2. Motivation behind releasing holes found – less to improve security, more to improve ego/stature.
3. Looking at things from a defensive angle – this could be debated, of course, but you do see more and more that everyone is thinking offensively.
I highly recommend that, even if you don’t purchase the book, you read the introduction for free on Amazon. It is eye opening to say the least. On a final note in regards to the intro, the author focuses on two security domains that he feels remain the same in almost two decades of working in security: least privilege and security in-depth. You’ll find these two ideas to be the themes throughout the book.
Chapter 1 – Securely Writing Web Proxy Log Data to SQL Server and Programmatically Monitoring Web Traffic Data in Order to Automatically Inject Allow/Deny Rules into TMG
Boy, is that a mouthful. The first chapter covers using Threat Management Gateway (TMG) to monitor the sites that people are visiting and write it to an SQL database. On top of that, when the users go somewhere they should not, it adds them to a group that prevents them from accessing any other websites (on top of making fun of them for trying to get to a denied site). When I initially saw this chapter, I thought, “Isn’t this supposed to be a security bible? Where is the change this setting and turn off this service?” You’ll find that the author is teaching through example, and while you might not ever implement this system for monitoring web traffic, you can certainly use pieces of this project for other activities that could arise.
Throughout the chapter the author basically walks you step-by-step through the various settings for the security group, SQL, TMG, etc. There are included screenshots and code for everything the author does. Remember the media we spoke about? Well source code is found on it as well as two videos, which I will discuss later. Thor covers securing the data in transit, securing the user with least privilege (allowing it only to add/remove to the security group setup), and near real-time analysis of the logs to auto add users to the group when they go where they shouldn’t.
I really enjoyed the chapter, but there were a couple of issues. First, I believe this should not have been the first chapter. Thor points out that you should read chapter 5 when he begins discussing setting up the user. I would assume that could have been made the first chapter, since it is referenced so early. Second, for the log analysis he states near real-time (basically a process will analyze the logs every 2 minutes). Somehow giving a user two minutes to continue what they are doing doesn’t sit well with me. But there were some great aspects to it as well. The author’s humor makes a topic that could have been dull very enjoyable to read. He also goes through three ways of dealing with having SQL analyze the logs and add a user to the denied group. He addresses issues with each, from worst to best, and explains his reasoning. Finally, I loved that he discussed securing the data in transit. This isn’t always something people consider, but it is a great idea (maybe not for blocking web traffic, but practice like you play!).
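To make the monitoring idea in this chapter concrete, here is an added example (editor's illustration, not code from the book or its DVD) of the analysis step: a periodic scan of proxy log lines that finds users who reached a denied site, so their names can be handed to whatever adds them to the deny group. The log layout is a constructed, simplified W3C-style format and the domain list is made up; the `since` watermark stands in for the "every 2 minutes" polling the reviewer mentions.

```python
"""Added example: scan web-proxy log lines for visits to denied sites.

Not the book's code. Log format and domain list are constructed for
illustration; a real TMG deployment would read the proxy log table in SQL.
"""
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample, fields: date time client-ip username url status
SAMPLE_LOG = """\
2011-09-01 10:00:05 10.0.0.15 CORP\\alice http://intranet.example.local/home 200
2011-09-01 10:00:41 10.0.0.22 CORP\\bob http://games.badsite.example/play?id=7 200
2011-09-01 10:01:02 10.0.0.15 CORP\\alice https://www.notbadsite.example/ 200
2011-09-01 10:01:30 10.0.0.31 CORP\\carol http://cdn.badsite.example:8080/x.js 200
2011-09-01 10:01:55 10.0.0.22 CORP\\bob http://news.example.com/ 200
"""

DENIED_DOMAINS = {"badsite.example", "casino.example"}
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def host_is_denied(url, denied):
    """True if the URL's host is a denied domain or a subdomain of one.

    Compare DNS labels, not substrings: 'notbadsite.example' must not match
    'badsite.example', while 'cdn.badsite.example' must.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return any(".".join(labels[i:]) in denied for i in range(len(labels)))


def parse_line(line):
    """Split one constructed log line into typed fields."""
    date, time, client_ip, user, url, status = line.split()
    when = datetime.strptime(f"{date} {time}", TIME_FMT)
    return when, client_ip, user, url, int(status)


def find_violators(log_text, denied, since=None):
    """Return {username: first denied URL} for entries newer than `since`.

    `since` (a 'YYYY-MM-DD HH:MM:SS' string or None) mimics the periodic scan:
    only lines stamped after the previous run are considered.
    """
    cutoff = datetime.strptime(since, TIME_FMT) if since else None
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, _ip, user, url, _status = parse_line(line)
        if cutoff is not None and when <= cutoff:
            continue
        if host_is_denied(url, denied) and user not in hits:
            hits[user] = url
    return hits


if __name__ == "__main__":
    for user, url in find_violators(SAMPLE_LOG, DENIED_DOMAINS).items():
        print(f"add to deny group: {user}  (first hit: {url})")
```

The label-wise host comparison is the part worth copying: a naive substring match on the URL would flag `notbadsite.example` and could be dodged with a look-alike host, whereas matching on the registered domain and its subdomains catches `cdn.badsite.example:8080` without false positives.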
Chapter 2 – Internet Information Server Authentication and Authorization Models, and Locking Down File Access with EFS and WebDAV
In Chapter 2 the author discusses using a web server to allow users to access files on another server (internally) from anywhere (externally). He takes it a step further by discussing how to set up a mapped drive using HTTP securely (instead of connecting to a VPN), which I really enjoyed. Thor discusses a number of different technologies in this chapter, but I really enjoyed his coverage of Windows Encrypting File System (EFS). This is a feature that I feel is under-utilized, which is a shame. Playing to the security in-depth side of the house, he walks through various features (EFS, least privilege settings, and encryption of traffic) to give an attacker various layers to work through. He ultimately ends with the data being encrypted and the users not being able to view it if they wanted to.
I can honestly say that there was only one thing I didn’t like about this chapter, and it was that the author does a thorough job of scaring you from wanting to use EFS. Let me explain. Thor warns you with a story about what could happen if EFS isn’t setup properly. He goes through how it works (a great overview and explains that you should definitely look further into it), and then tells you how things can go wrong. After reading what could go wrong, I wasn’t too thrilled at the thought of trying to set it up in a production environment. I felt this might work against the author, but you can at least say he is just trying to warn you. Again, the author’s humor was great, and I really did find this chapter to be very interesting. Also, to see a great overview on not only EFS, but RSA encryption (that is easy to understand) was a huge plus for this chapter. The coverage of key encryption was one of the best I have read. Finally, I liked that he built off of the first chapter and chapter 5 (yet another reason why chapter 5 should have been first).
Chapter 3 – Analyzing and Blocking Malicious Traffic Based on Geolocation
This chapter title was pretty self-explanatory. Thor discusses blocking traffic based on the country from which it originated. This is something that, even the author will admit, could be an issue to set up on a network. He doesn’t know your business and states clearly that a lot of research should be done prior to deploying a solution of this type. That being said, having the ability could be a nice weapon to have on hand, even if you don’t turn it on until needed. Thor also cites places used for research, which is great for the reader.
My main issue with this chapter was really the amount of work that would go into setting it up. It appears that TMG does not store IPs in octet format, and the only way to convert it is with a little code. Now for someone who works with it on a daily basis, this could be no big deal. Also, you could easily go out and find the code already completed for you. I have trust issues, so I am not a huge fan of that idea. However, there is an article in the MSDN that has the code, so you are covered from that point. There are two shining points in this chapter, though. One, the author gives an excellent editorial on security policies for developers. His ultimate point is that you cannot simply tell your users what they can’t use (in this case sp_executesql) without giving them a viable alternative. Thor points out that more than likely they will attempt another solution that would just open a hole just about the same as the one found in sp_executesql. Two, I do like the idea of being able to block traffic based on location. In the MSP environment, we do have companies/small businesses like doctors’ offices that would not receive traffic from outside the US (perhaps even the state, but I wouldn’t make a blanket statement such as that). It’s always nice to have options if the need arises.
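The conversion the reviewer mentions is the hinge of any geolocation filter: country range databases are keyed on 32-bit integers, so a dotted address has to be turned into one before it can be compared. The following is an added example (editor's illustration, not the book's code nor the MSDN article's) of that conversion plus a binary-search lookup and a deny-by-default decision. The range table is constructed from documentation prefixes purely for illustration; a real deployment loads a vendor's country database.

```python
"""Added example: IP-to-integer conversion and country range lookup.

Not the book's code. RAW_RANGES is constructed test data; real tables come
from a GeoIP vendor and are far larger.
"""
import bisect
import ipaddress

# Constructed ranges: (first address, last address, country code)
RAW_RANGES = [
    ("203.0.113.0", "203.0.113.255", "AU"),
    ("198.51.100.0", "198.51.100.127", "US"),
    ("198.51.100.128", "198.51.100.255", "DE"),
    ("192.0.2.0", "192.0.2.255", "US"),
]


def ip_to_int(text):
    """Dotted quad -> unsigned 32-bit integer (the form range tables use)."""
    return int(ipaddress.IPv4Address(text))


def int_to_ip(value):
    """Inverse of ip_to_int, handy when reading integers back out of a table."""
    return str(ipaddress.IPv4Address(value))


def build_table(raw):
    """Sort ranges by start address and reject overlaps so lookups are exact.

    Returns (starts, rows): a parallel list of start integers for bisect and
    the sorted (start, end, country) rows.
    """
    rows = sorted((ip_to_int(a), ip_to_int(b), cc) for a, b, cc in raw)
    for (_, prev_end, _), (start, _, _) in zip(rows, rows[1:]):
        if start <= prev_end:
            raise ValueError("overlapping ranges in table")
    starts = [start for start, _, _ in rows]
    return starts, rows


def lookup_country(table, ip_text):
    """Return the country code covering an IP, or None if no range does."""
    starts, rows = table
    value = ip_to_int(ip_text)
    idx = bisect.bisect_right(starts, value) - 1
    if idx >= 0:
        start, end, cc = rows[idx]
        if start <= value <= end:
            return cc
    return None


def should_block(table, ip_text, allowed_countries):
    """Deny-by-default: block unless the source maps to an allowed country.

    Addresses absent from the table are blocked too; that is the safer
    failure mode for a geo filter, and a reason to test before enforcing.
    """
    return lookup_country(table, ip_text) not in allowed_countries


if __name__ == "__main__":
    table = build_table(RAW_RANGES)
    for ip in ("198.51.100.200", "192.0.2.77", "8.8.8.8"):
        print(ip, lookup_country(table, ip), "block" if should_block(table, ip, {"US"}) else "allow")
```

Two design points matter in practice: the overlap check in `build_table` catches a corrupted or badly merged vendor file before it silently misroutes lookups, and `should_block` treats an unknown address as blocked, which is why the reviewer's caution about researching your traffic before turning the filter on is well placed.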
Chapter 4 – Creating an Externally Accessible Authenticated Proxy in a Secure Manner
This chapter works to setup a proxy that users on the outside can use to browse the web while appearing to come from inside the network. Thor’s example speaks to allowing a friend to view programming that only those with a US based IP can see. We can skip the legality of this and just focus on the setup. Setting this up was something that I felt should definitely be done for the road warriors at an organization with company provided laptops. Combine it with setting up a mapped drive through http (as discussed in Chapter 2), and you have a one-two punch of awesomeness.
At this point, this was one of my favorite chapters. Thor goes as far as to discuss how to segment this traffic from the LAN, which plays into his security in-depth model. I had nothing bad to say about this chapter, and that could be because I found it applicable to my job (plus it was fairly cool all around). He covers a fair amount of topics from Hyper-V to port redirection. An interesting point he made was about security through obscurity. Like most of you (I make an assumption here), we’ve always heard that security through obscurity isn’t security. But Thor makes a valid point in that it can be security to a degree. The short and sweet of it is, it can be another layer of security (like an onion) albeit quickly uncovered. His example was having the user input 52011 as their port for the proxy and this forward to 8080. This in turn would require an attacker to scan the entire port range. So while they would probably quickly realize what was up, they’d still waste some time.
Chapter 5 – The Creation and Maintenance of Low-Privileged Service Users (with a Focus on SQL)
Finally, we reach the elusive Chapter 5. This chapter became my favorite chapter, as it played a little more to the security bible title. Least privilege is a major topic and is very important when you look at security in-depth. Thor specifically speaks on this topic in an example of setting up MS SQL Server with a Service User account. He discusses how, if the job only requires them to do two things, why give more access than is needed? More to the point, by doing this you can implement a number of GPOs on the group set up for these accounts (such as password policy and a lockout policy) that they otherwise would not get. Thor even speaks to taking it a step further and, through log analysis, locking the account if it gets compromised and attempts to access resources it has no business accessing.
My only gripe about this chapter? You got it, should have been chapter one. Can you tell this hit a nerve for me? If I ever get a chance to meet the author (highly doubt that would happen), I would shake his hand and then attempt to get the reasoning for this being Chapter 5. Again the walkthroughs in this chapter were great and the author points out when you should look to another resource to go deeper. Obviously, the book cannot cover everything, and it’s nice to see an author who acknowledges this fact. The other interesting topic covered in this chapter was the author’s idea of true password complexity. I dare not try to truly explain it, so I will leave it as it is very interesting, thought provoking, and if you decide to purchase should be read ASAP.
Chapter 6 – Remote Security Log Collection in a Least Privilege Environment
In Chapter 6 we cover remotely pulling the security logs from a server and placing those events into an SQL database. There is a ton of code for this chapter, so hopefully you have knowledge of T-SQL and C# (or some vague knowledge so you can follow it). The author makes use of RPC and the WMI for pulling his data. He sets up a secure method of connecting using authentication and then encrypts the data in transmission. This chapter builds off of the previous chapters, so a thorough understanding of the concepts covered to this point is needed.
This was a great chapter, but it is very code heavy. A lot of the pages in the chapter were code that the author wanted you to look at. Perhaps he was trying to get the page count of the book up, since he included the source on the DVD, and you could read that at any point. It was very interesting to see the uses of WMI, as from an MSP standpoint we use this for the monitoring of our servers. I do find the chapters that I can apply to what I do on a daily basis are the best and this chapter does get the ideas flowing. Be prepared for a depth of knowledge into the Windows Server 2008 OS!
Chapter 7 – Securing RDP
A chapter with a short title? Yes, I was just as shocked when I read it. In Chapter 7 the author walks through how to secure RDP. He starts off by explaining the various iterations of the naming of RDP, then covers the changes made to make it more secure. He actually answered a question I had in regards to the changes on 2008 Server vs 2003 Server. Thor provides several methods for securing access to the RDP from the Internet and provides a custom program for designating the source port. This chapter wasn’t as heavy in the code as Chapter 6, though he did take up a number of pages for the code itself.
This chapter is probably the most applicable to most Windows environments. Thor discusses his overall theory on RDP and DMZ setups in general, which I believe had many valid points. He offers several options for using RDP, all in a secure manner. Also, he explains how RDP works in general and the common misconceptions about its security. Again, security through obscurity is discussed, and I can side with the author’s opinion on RDP. He also went so far as to cite some data from a personal experiment that he performed. Obviously, not knowing all the factors we cannot give official credence to the study, but you can get the general idea and form your own conclusion.
Having completed the book I can honestly say that the only problems I had were really not with the content per se. I would have preferred that Chapter 5 be Chapter 1, as it would have been a better starting point. Including the code samples in the text itself when they are on the DVD made it feel like just page filler. There were a lot of screenshots, which isn’t a bad thing, but I felt as though the placement could have been better thought out. In basically every chapter you had to jump ahead a few pages to see what the author was referencing, and that can get confusing. Also, the placement of the included DVD was not correct. Generally, I am used to looking to the back of the book for the media and didn’t find it initially. I flipped through the pages and found it was in the middle, which didn’t make a whole lot of sense to me. Finally, I didn’t understand why there was no general conclusion written for the book. You have a solid introduction, great content, but then there’s the odd choice of just ending the book at Chapter 7. Perhaps I am being picky, but I was looking for a conclusion to give me that warm and fuzzy feeling. It’s like a movie that abruptly ended about 5 minutes before the credits. It didn’t take away from the story it was telling, it just felt disjointed.
Obviously, most of my issues are basically cosmetic. Earlier in my review, I said I was looking for the standard security bible (change this setting or that setting), and I did ultimately get that. Thor’s chosen delivery method does walk through the changing of settings, but does it in such a subtle way as to not make the content boring. This is a book that when you begin, you think “huh?” But once you complete it, you think “Ah ha!” Generally, security bibles can be dull, but the author’s humor, vast knowledge of securing Windows Server 2008, and ability to explain the topics to even a novice make this work shine. Anyone working in a Windows Server environment is doing themselves a disservice by not reading this book. The included video content was refreshing, as the author continues his dialogue with you. He walks through setting up Chapter 1 and Chapter 7 on the fly, so you will see any mistakes. It was nice to hear his voice, since, if you’re like me, it makes it easier when reading. TMSB is a great book, and for all you Windows Server 2008 administrators out there, I’d run, not walk, to get this book!
John R. Luko, Security+, CCENT, CEH
Mr. Luko graduated from Drexel University with a BS in Computing and Security Technology with a concentration in Computing Security in Dec of 2008. He began working as an IT Tech for a chemical company, where he did everything from server administration to troubleshooting and advising management on security concerns as they arose. From there he left for a position at a managed service provider. He is currently a NOC Analyst/Helpdesk engineer, where he does a little bit of everything. He is also charged with validating PCI Compliance Audits performed by third parties and remediating any issues.
Article source: http://www.ethicalhacker.net/content/view/386/2/
As most of you know, I do not have a college degree. I’m not alone… Bill Gates, Mark Zuckerberg, Richard Branson and countless others have had great success without this particular piece of paper. A common question in The Ethical Hacker Network Community Forums is whether someone should get a degree, gain experience or achieve certifications, to which I quickly respond by saying, “Yes!” All make for a better resume. Unfortunately, I only have 2 out of 3. In addition to sounding hypocritical, there are plenty of other reasons why I get that nagging feeling that I should get my degree: what if this online magazine thing goes kaput, what if I ever want to teach, or, the most pressing item at this point in my life, am I setting a good example for my kids? But even if I do want to pursue a degree, how do I find the time? An undergrad degree is no longer good enough, and that adds even more time and effort to reach for a master’s. So as always, I’ll put it on the back burner and let those voices continue in my head…
“You’ve got to kill yourself, Don, before it’s too late.”
“Why are you doing this to me?”
“I’m cursed to walk the Earth as the undead until the bloodline is severed. You have to get a degree, Don, or you’ll make others like me.”
This American hacker recently had the opportunity to travel to the UK to attend the launch of the latest update (version 5) of the Certified Security Testing Associate (CSTA) ethical hacking certification course by 7Safe. When looking at their website, every page of every course shows the MSc logo and the credits to be earned towards a Master’s Degree in Computer Security Forensics… that nagging corpse of an idea kept reappearing telling me, “Don… get your degree or people will die!” OK, so I’m not a werewolf from the classic horror film that inspired Thriller, and I’m not spawning a group of undead. It just seems as though every time someone asks me about a college degree, I feel like a new undead idea roams the netherworld of my brain. Will I forever be cursed with these visions?
So what’s the deal with this course, the certification and why should I consider this one over what seems to be a never ending choice of new security training providers? How does it compare with similar courses in areas of content, price, availability and acceptance in the industry? And what’s all the talk of college degrees? Get all the details after the break.
Argh!!!! I fat fingered it AGAIN!
I started my trip by spending a couple days in London to play tourist… uh, I mean… adjust to the time difference. Like a true hacker, even my choice of entertainment seems to be dictated by my desire to learn. And so it was that I found myself at the Shaftesbury Theatre the night before class seeing Svengali, the latest live stage show by the ultimate social engineer, Derren Brown. Of course the rest of the world sees him as a magician, mentalist and wildly charismatic television personality sharing airtime on the same channel that brought you The IT Crowd. It is my perception that he is the best hacker of the human mind, and thus, in my world, a reality. As it turns out, the reality of the evening was truly better than fiction. It was fun to use the powers of observation and a little social engineering to not only crash the after party but also have a conversation with the one and only conjurer himself. With the help of some new friends in the UK, we had a night that, in a word, was brilliant.
With thoughts of the previous evening running through my head, I boarded the train from London Liverpool Street Station and headed for Cambridge with a huge smile on my face. The enjoyment of a new culture continued, as it felt as though I had just left Platform 9 ¾ as the car was filled with uniformed students on their way to institutions so unknown to me that they might as well have been Hogwarts. This sense of wonder persisted throughout the trip including the course itself and not just because of the location or the destination lunches at pubs like The Slaughtered Lamb…
“Wait! You just can’t let them go,” pleads the innkeeper.
“Go!” yell the locals. “Stay on the road. Keep clear of the moors. Beware the moon.”
“What the hell was that all about?”
Soon after arriving at the 7Safe training facility, I see those slick posters for MSc wretchedly staring at me. Clearing my head with some coffee with the other students and reliving my night in the West End seems to do the trick. Before long, our instructor, Jerome Smith, called the class to order. Introductions were the obvious starting point for this 4-day course, and I must say that I was highly interested in getting to know more about Mr. Smith. Another common question in EH-Net’s Forums is how good a class will be, and the best answer is always that it depends on the instructor. I was informed of the instructor’s name and short bio before attending the course, but did not know of him personally. After my time with him, I’m glad I got to know him. He not only was a kind family man, experienced pen tester and a very good instructor but also developed the course and designed all of the hands-on exercises and intricate labs as well. All in all, a lovely chap.
Then it was straight into the courseware with Section 1: Introduction. This started with a quick look at what hacking is, what it is not, a little history… common items for a course with this focus. The time dedicated to this task was timed perfectly as to not be too long to bore the old guard but enough to get all of the students into the mindset of a hacking class. This was followed by a quick mention of the hacking methodology used in the course. Although it was a common set of bullet points, I thought it was odd to not even mention other methodologies like OSSTMM. It’s a small point, but I thought it was worth mentioning as many in the course were not pen testers, and it would be nice for them to know that there are accepted methodologies already out there and accepted by the industry. I think he did bring it around by making very clear that there is a big difference between the methodology that a real attack might have and one that is used by an authorized penetration tester. The Introduction Section came to a close after a quick overview of the lab environment and how the exercises utilized it.
Section 2: Networking Refresher was also a good choice, as this course was not meant to be on the basics of security or networking, yet his audience would consist not of advanced hackers but those with different levels of experience. This short, 11-slide section was just enough to make sure that students of varying backgrounds were now focused in a common direction. It covered the obligatory OSI Model followed by a quick progression down from covering the TCP/IP protocol suite to TCP/UDP to ports. This led right into the first of many well designed lab exercises. The Sniffing Traffic Exercise was a great toe-in-the-water type of lab for two reasons. The first reason is that the students were introduced to a technical exercise very early on in the very first day, and, secondly, it also gave a good indication of how the labs, quizzes and reviews would work throughout the course. This particular lab presented packet capture using Wireshark and Ettercap. The XP host machine had a copy of Outlook Express already set up to send and receive email, with Wireshark used for the capture. We also used the XP host to run VMware with a customized version of BackTrack running Ettercap. This combination allowed us to quickly get used to the lab setup, run both Windows and Linux tools, see common packets like those associated with the 3-way handshake, find the username and password of the email account as well as get used to common Linux commands. Notice that I did not mention the inclusion of a Linux primer. Intermixed in the exercise itself were enough steps to get those unfamiliar with Linux to learn as they went. There are also questions asked in the labs where the students are required to write the answers, since the information gathered even at this early stage is utilized in later labs. This cumulative concept also keeps the students focused on the fact that everything you do needs to be recorded and can be used later, just as in a real-world penetration test.
Being an ethical hacking course, this section, as all of the others, ends with a summary as well as a discussion of countermeasures.
Now would be a good time to make a few general observations about the exercises and lab environment as well as the choices made by Jerome in designing the class, because the following statements apply to the course as a whole. The most important thing to mention right off the bat is that the course is held in a classroom containing computers already setup including fully licensed copies of Windows. Many other courses require the students to bring their own laptops leading not only to wasted time in setting up the environment but also hampered learning due to the lack of a real corporate Windows environment in which to hack. Therefore, the entire custom lab environment was ready to go from the first keystroke with XP client machines containing common apps, a fully functioning domain controller with varying user accounts, a customized copy of Metasploitable serving up email, web apps, etc. and an updated, slightly modified version of Backtrack. With each of OSs being customized to maximize interactivity during the exercises, it was obvious that a lot of work, forethought and testing went into creating this course. Extra kudos go to Jerome and the crew, because all of the exercises worked flawlessly. For a first time run of a course, this was mightily impressive. And it went right along with their philosophy that the students would be learning by doing instead of listening to boring lectures. I can’t speak highly enough on how the design of the lab environment not only maximized time but also learning. And remember, this is only a 4-day course, and thus efficiency would be vastly important. In the end, the labs are what truly separate CSTA from other courses.
As it would in the methodology, the next section of the course was Section 3: Information Gathering. Nothing too complex was discussed in this section. All of the normal big picture ideas one would expect to find were discussed, such as technical vs. non-technical methods as well as active vs. passive information gathering. Specific tasks were also covered such as Google dorking, website crawling, metadata discovery, DNS enumeration and more. But the more important facets to mention are the way in which these methods are taught. First of all, the students will find that they are not overloaded with every tool under the sun, yet will concentrate on utilizing best-of-breed tools that are readily available and used by professionals every day. This is true for the entire course and not just this section. The second facet harkens back to my previous paragraph on the virtues of the lab environment. During the first exercise, the students use wget to copy the contents of the lab’s web server. While perusing the metadata, a username is found in the creator field of a document. Take a wild guess where that username will appear again? You got it… in a lab further down the course. The same thing happens during the second lab on DNS enumeration using both dig and fierce, where the students discover DNS records, IP addresses, email addresses and more from the live lab network, surely to be utilized later. In following the idea of exploring best-of-breed tools instead of every single one, I found that the extra time spent in the labs on fierce was very effective, especially using the built-in dictionary list and playing with the reverse lookups of neighboring IP addresses of found hosts. Good stuff.
My thoughts on Section 4: Target Scanning will follow the same pattern as the last section. It was efficient in its presentation, long on lab work and integrated into the entire course nicely. As you would expect, not every tool ever created is discussed, which allowed the students lots of time to get hands-on work with nmap, netdiscover and tcpdump. Also covered in this section was banner grabbing which included exercises with amap and netcat. Don’t let the length of this paragraph fool you. There was plenty of depth in this section not only on the tools but also the hows and whys of port scanning, leading us naturally to our next section.
Section 5: Vulnerability Assessment started with some short lectures on the nature of vulnerabilities, the difference between an assessment and a full penetration test, as well as some additional discussions on design flaws. Most impressive was Jerome’s discussion of buffer overflows. Having heard a number of instructors’ attempts to reach their students, this was perhaps one of the most effective. The chosen words, style of speaking and helpful animations made even some of the less technical students understand programming speak on the stack, remote code execution and return pointers. Although not necessary information to know for novice ethical hackers, it made it easier for them to understand what they were doing when it came time to play with Nikto and Nessus in the labs.
It is here that it becomes important to mention a fact about the CSTA course as stated by 7Safe themselves. “This 4-day ethical hacking training course is a hands-on journey into the hacking mindset, examining and practically applying the tools and techniques that hackers use to launch ‘infrastructure’ attacks.” So this is not a course on web application security, wireless security or reverse engineering. 7Safe has other courses dealing with these topics, and therefore barely touches on them in this course. In interviewing Jerome Smith as well as Alan Phillips, CEO of 7Safe, it was a conscious decision for 2 main reasons. In the first place, the last version of CSTA was only 3 days, and, in the current economy, every extra day means more expense for the student and/or their company. So they had to make important decisions about what can be included and what can’t in their compromise of deciding on a 4-day course. That naturally led to the second point. They wanted to make sure that the focus was on being an infrastructure course, which would allow them to include more lab time on the core ideas of network pen testing and leave the other topics for their other courses.
…Other courses? That would mean more credits towards an MSc. Their glossy brochures shine with the possibilities. Hmmm… according to their site, an MSc is worth 180 credits broken down into 12 modules of 15 credits each. Each 7Safe course (plus exam, where applicable) and associated written assignment constitutes a module. The independent study is a further module, and the MSc project is worth 60 credits (the remaining 4 modules). 7 security courses all with credit towards a masters, very interesting…
The focus of the course becomes more important as we move forward through the rest of the sections, as it makes clear what is and is not covered. But without getting into the details of everything in the course, let’s just say that the meat is contained in the next 4 sections on hacking Windows and Linux.
Although Section 6: Attacking Windows and Section 7: Privilege Escalation – Windows cover the obvious topics of Windows hacking, what stands out in these sections is the use of new technology and a lab that contains a working domain controller. For the sake of brevity, let me cover both of these sections in just a few sentences. Together these 2 sections have 15 labs, allowing for hours of hands-on work with the latest and greatest tools and techniques. Just a few of the highlights include Windows enumeration with lots of command line time, extensive use of Metasploit with Meterpreter (including one of the vulnerabilities used by the infamous Stuxnet malware), and thorough coverage of password attacks including Ophcrack, John the Ripper, Cain and rainbow tables; we even learned that Windows workstations salt the domain credentials they cache locally (the salt is the username), which is why generic rainbow tables don’t apply to them. There was also a great exercise on token stealing and the use of the Meterpreter module incognito, in addition to working with the latest technique for the ‘pass the hash’ attack. Oh, and that domain controller… it wasn’t just there to fill in a bullet point. It was actually utilized to show how a network looks and reacts when one is present. There was no single exercise dedicated to hacking domain controllers. Better yet, it was simply there as another integral part of the lab network with which the students had to deal.
The Linux portion of the course includes Section 8: Attacking Linux and Section 9: Privilege Escalation – Linux. As with the Windows sections, I’ll cover the Linux sections briefly. Sections 8 and 9 included nine more labs for your hacking pleasure: more work with Metasploit including pivoting, the differences in password attacks (salts again), OpenSSH/OpenSSL attacks, and exercises on exploiting sudo, SUID binaries and flawed scripts. There was some great work on shell script flaws, including command injection and PATH exploits, that was a lot of fun.
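To make the two shell-script flaws mentioned above concrete, here is an added example of my own (it is not 7Safe lab material): a PATH hijack and a command injection, each next to the hardened version of the same script. The script names, the fake whoami, and the payload string are all constructed for the illustration; the privileged context (a script run through sudo or a SUID wrapper) is assumed rather than reproduced, and everything runs unprivileged in a scratch directory.

```shell
#!/bin/sh
# Added example, not 7Safe courseware: a PATH hijack and a command injection in
# "privileged" shell scripts, each beside its hardened form. All names and the
# attacker payload below are constructed; the sudo/SUID context is assumed.
set -eu

WORKDIR=$(mktemp -d)
cleanup() { rm -rf "$WORKDIR"; }
trap cleanup EXIT

# --- Flaw 1: PATH hijack. report_flawed.sh trusts the caller's PATH when it
# resolves 'whoami', so an attacker drops a fake 'whoami' first on PATH.
mkdir -p "$WORKDIR/evil"
cat > "$WORKDIR/evil/whoami" <<'EOF'
#!/bin/sh
echo HIJACKED
EOF

cat > "$WORKDIR/report_flawed.sh" <<'EOF'
#!/bin/sh
echo "report by $(whoami)"
EOF

cat > "$WORKDIR/report_fixed.sh" <<'EOF'
#!/bin/sh
# Hardened: reset PATH to known-good directories before resolving anything.
PATH=/usr/bin:/bin
export PATH
echo "report by $(whoami)"
EOF
chmod 755 "$WORKDIR/evil/whoami" "$WORKDIR/report_flawed.sh" "$WORKDIR/report_fixed.sh"

# Both runs put the attacker's directory first on PATH, as a low-privileged
# caller of a SUID wrapper could arrange.
path_hijack_flawed() { PATH="$WORKDIR/evil:$PATH" "$WORKDIR/report_flawed.sh"; }
path_hijack_fixed()  { PATH="$WORKDIR/evil:$PATH" "$WORKDIR/report_fixed.sh"; }

# --- Flaw 2: command injection. show_flawed.sh splices a user-supplied file
# name into a command string for a second shell, so shell metacharacters in
# the argument become commands.
cat > "$WORKDIR/show_flawed.sh" <<'EOF'
#!/bin/sh
sh -c "cat $1" 2>/dev/null
EOF

cat > "$WORKDIR/show_fixed.sh" <<'EOF'
#!/bin/sh
# Hardened: no second shell, the argument stays one quoted word, and '--'
# stops option parsing so a name such as '-v' cannot turn into a flag.
cat -- "$1" 2>/dev/null || echo "no such file: $1"
EOF
chmod 755 "$WORKDIR/show_flawed.sh" "$WORKDIR/show_fixed.sh"

PAYLOAD='nonexistent; echo INJECTED'   # constructed attacker input
cmd_injection_flawed() { "$WORKDIR/show_flawed.sh" "$PAYLOAD"; }
cmd_injection_fixed()  { "$WORKDIR/show_fixed.sh" "$PAYLOAD"; }

echo "PATH hijack, flawed script : $(path_hijack_flawed)"
echo "PATH hijack, fixed script  : $(path_hijack_fixed)"
echo "injection,   flawed script : $(cmd_injection_flawed)"
echo "injection,   fixed script  : $(cmd_injection_fixed)"
```

Two caveats worth knowing before you go looking for this in the wild: sudo on distributions that set secure_path in sudoers already replaces PATH, so the hijack there needs a different vector (a relative path inside the script, or a script-invoked program that itself trusts the environment), whereas SUID wrappers and cron-driven scripts get no such help. And the injection fix only holds if every use of the argument stays quoted; one unquoted `$1` further down the script reopens the hole.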
Even while fun was had by all, the theme remained true. Everything we had found during the first few steps of the methodology and attacked in the last four sections was interconnected. Designing this into the course was not an easy task, yet it was done very well. The importance of each individual step was also not lost during the course itself, as Jerome was very quick to help someone who had difficulty in an exercise. He was always sure to stress the importance of paying attention and completing every step of every exercise, all while being polite and courteous, another feat for a tech guy.
…Speaking of feats, I haven’t even accomplished the goal of a bachelor’s degree. How in the world could I even consider a master’s degree? Wait a minute… Was it another vision or did Mr. Phillips tell me that the University of Bedfordshire would apply all of my experience towards the bachelor’s degree and allow me to enter the MSc program straight away? It’s true. It’s not a dream. Maybe breaking this curse is closer than I…
Now that the hacking was done, it was time for the rest of the methodology. Section 10: Retaining Access covered some nice discussions on the topic and then went into some additional exercises of its own, including some more fun with netcat as a backdoor and with the Bandook RAT. For those of you not familiar with the latter tool, it is a backdoor from NWC, and it was recommended that you visit their site at your own risk. Although this is something that would never be done during a real pen test, it was nonetheless nice to replicate such an attack. And it was done so thoroughly that we re-enacted the entire client-side attack: configuring the backdoor tool, starting a Bandook listener, creating a malicious PDF with a Meterpreter payload, sending it to the victim as an email attachment, opening the attachment and then watching the fun from the other VM. Simply put, this could not be done with a run of the mill lab running Metasploitable and BackTrack. This is yet another testament to the exceptional lab environment in the CSTA course.
It was time for some additional playing in the lab during Section 11: Covering Tracks. A little obfuscation, some rootkit time, a touch of log manipulation with a topping of TOR action, and this was a fun way to end our time in the lab. So the only thing left to do was to wrap things up in Section 12: Conclusion. The conclusion, like most of the lectures, was quick and to the point. Jerome wrapped things up with a reminder of the methodology, a quick overview of what we had accomplished during our 4 days, some trends for the future, additional reading recommendations and then finally a discussion of the certification exam to commence soon after the conclusion.
Let’s not forget that in addition to everything we learned and all the sleep we lost, there was still a very important task left to end the week. The CSTA exam is a 1 hour online exam of 50 multiple choice questions. It only takes 50% to pass, which I was told was a requirement for them to be able to count this certification towards a master’s degree. Because of this, they also have additional grades of ‘Merit’ at 66% and ‘Distinction’ at 80%. The exam was pretty straightforward, with the ability to mark questions and return to them later. I felt as though the questions were not difficult, and paying attention in class was enough to make the grade. I’m not sure how much this had to do with my prior knowledge, the class or the exam. Either way, I felt pretty confident when the exam was over. Unfortunately, it is 7Safe’s policy not to reveal the results immediately. So I had to wait until after I returned to the States to get my results from Jerome personally through email.
An argument could be made that an attack is an attack, and, as long as one knows the method of an attack, the age, effectiveness and current use of the attack is irrelevant. I think this is a bunch of BS and an excuse for not updating courseware. In the real world of real people spending real money to learn ethical hacking and advance their careers, learning in an environment with the latest OSs with the most recent types of attacks is the only way to show real value. I also feel that it indicates a vested interest by the training company in their students when it cares enough to make the investment in creating new courseware and labs to keep up with the times. 7Safe has accomplished this task in spades.
Each carefully plotted exercise in the well-designed lab not only had clearly marked starting points for which VMs had to be on and when, but also gave the exact step-by-step commands needed to accomplish a given task. Now I know what you’re thinking. This is simply spoon feeding the students. This is true to a certain extent. But for almost every exercise, there were “Extra Time” portions for those who were more advanced and/or finished the exercises ahead of the class. So Jerome even thought of that. In a post course interview, he was also quick to point out that this strict structure of the course made it easier to offer the course anywhere in the world, and eventually online, with a very similar outcome regardless of instructor. Either way, with Jerome’s forethought, his creation of the CSTA v5 felt more like a novel than a collection of short stories.
Although the course is clearly up-to-date with hands-on exercises second to none, I must mention another CSTA fact as I had done earlier in this review. 7Safe states, “The course is therefore suited to system administrators, IT security officers and budding penetration testers.” Therefore, it must be made clear that this is not an advanced pen testing course. The amount of coding presented in Section 5 is about all you’ll get. It’s not necessarily a good or a bad thing. It just helps determine the proper audience. But if you do fit into their descriptions as to the expected student, then you can’t do much better than 7Safe’s CSTA.
Everything isn’t rainbows and ponies, though. So here are some places where I feel that the CSTA v5 course can improve:
1. Making a Business Case for Ethical Hacking – I felt the class could have done a better job with emphasizing the business aspects of pen testing. This wouldn’t take much more than the editing of a few slides and a bookending of the course with the discussion and reiteration of the business side of things at mixed intervals during the course, but it doesn’t do that currently. Jerome makes a few comments here and there, but I felt it wasn’t a big enough commitment. We preach time and again how IT needs to embrace the business side to justify the expenses, and I feel strongly that this must also be true for security in general and ethical hacking more specifically.
2. CtF – Another addition that would have been nice in order to wrap up all of the newly learned skills would be to have a Capture-the-Flag exercise. I understand the time constraints in a four-day course, but a few extra hours could have been easily made up by maybe starting a little earlier and ending a little later each day.
3. Exam – The exam wasn’t too difficult, and the grading scale leaves room for criticism. Again, I understand the reasoning behind it, but it still leaves that room. At the time I took the course, there was no practical portion of the exam. This will be addressed with a new level of certification called CSTA+ which is currently in the works. I’m not sure when this will come to fruition, but this is definitely a step in the right direction not only for the credential itself, but also for the student looking for a degree. Aaaaaooooooooooouuuuu! I hear the werewolf crying out my name!
4. Not on the US DoD 8570 List – This is not a game changer, but if this credential is to really make inroads in the United States, this is a must. It still has the added benefit of being eligible for college credit. Editor’s Note: In a post course interview, I understand that qualifying for the 8570 is in the works. Good choice 7Safe.
5. Expanding (Good and Bad) – 7Safe is following the Microsoft model with the licensing of their courseware. So in addition to it currently being available in England, Ireland, Scotland, Cyprus and the US, ATPs from more countries are sure to join their growing family of training providers. This will be great, as the number of certified professionals will increase, making the credential more widely known and thus more valuable. The downside is that you’re going to run into an all too familiar situation, where you’re not sure who the instructor will be. As mentioned earlier, the core of the course, the lab and exercises, won’t vary between accredited training providers. Also, in the post course interview, 7Safe shared with me their selection and training process for new trainers, so it looks promising. But this is a question that only time can answer.
So I assume the question that most of you want to ask is how does it stack up against other courses? There are numerous courses out there of varying popularity utilizing different delivery mechanisms, so I’ll stick to comparing the CSTA course to 2 live, in-person, instructor-led courses offering a certification. CEH by EC-Council is the most widely known ethical hacking certification. I feel like the CEH course, even including the latest version 7 released earlier this year, is now behind the curve. Although they now have information on newer OSs and techniques, the course, by their own design, is meant to be encyclopedic. That’s all well and good if it is an actual encyclopedia you want, but the best-of-breed approach taken by pretty much all other training providers offers the best utilization of your time and thus your money. Hands down, CSTA is a far better course than the CEH. How about SANS GPEN? I’d say this is a tossup. Here’s how I see it. GPEN by Ed Skoudis is a very well done course. It deals more with the business aspects of pen testing and covers more of the overlapping topics of wireless and web app security. It also has a pretty cool CTF on the last day. On the other hand, it is 2 days longer, costs more and the exam is not included in the price nor is it taken during the 6 days of course time. With the CSTA at approximately $3000 per course, exam included and fewer days of travel and expenses, CSTA wins out on price. Using a boxing analogy, I think pound for pound CSTA is just as strong as GPEN, but with the 2 more days of the course, GPEN is in a heavier weight class. So if you’re looking for a more focused, inexpensive, shorter course, CSTA is for you.
And what about me and the corpses of ideas about college degrees come and gone? The trip was exciting, the course was memorable and the dreams will have to remain just that, dreams. But dreams can become reality, and one never knows what the future holds. Not having a degree has not held back numerous successful people around the globe, and neither does it affect my ability to pass CSTA with Distinction, write this review or become the creator and editor of an online magazine, not to mention husband and father. All I can say is that I’m glad it’s not a life or death situation, and I’m happy it’s just a story. I’ve offered up mine. Now the rest is up to you.
Then again… maybe it’s best to stay off the road, remain in the warm confines of your neighborhood pub with a firm eye on the candle-lit pentangle, and pray. Aaaaaaaooooooooouuuuuuuu!!!!
Donald C. Donzal
The Ethical Hacker Network
Article source: http://www.ethicalhacker.net/content/view/387/24/