inside the man

Thursday, December 15, 2005

SANS Hacker Techniques report - day 3

Day 3 entered the dark realm of exploiting systems. While we dealt with a wide variety of fascinating material, the balance between lecture and exercise was off today. There was a lot of lecturing about topics that, let's face it, are difficult to lecture about, like buffer overflows. First off, it is difficult material that cannot be explained quickly. It would be great to step through some actual running software, walking and jumping down the stack, but this is not an assembly language class. Somebody should, and maybe already has, come up with a way to visualize the process of a buffer overflow in an animated form.

The two main exercises were very interesting, involving remote command execution using netcat. However, both exercises were about, well, netcat, one on Windows and one on Linux. This was a bit of a letdown when there are so many other cool tools under discussion. I was itching to take the Metasploit framework for a ride, or to man-in-the-middle my neighbor's TLS session with the DSniff webmitm tool, but alas, it was not to be.

Here is a fun and safe format string attack to try out from the Windows command line:

C:\> sort %x%x%x
7c812ca900The system cannot find the file specified.

Now try adding a few more percent x's and watch the hex grow!
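The bug behind that sort demo, as an added example in C that is not from the post or the SANS course: the untrusted file name reaches snprintf once as the format and once as plain data, and a small directive counter flags such input during review. The function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the file name supplied by the user becomes the
   FORMAT for an error message, so any %x it contains is interpreted and
   prints whatever sits in the argument slots, as the sort demo shows.
   Kept only for contrast; the tests never call it.
   gcc -Wformat-security warns here: format not a string literal. */
int report_missing_vuln(char *out, size_t cap, const char *name) {
    return snprintf(out, cap, name);
}

/* Fixed pattern: the format is a constant and the name is only data,
   so "%x%x%x" is printed back verbatim instead of being interpreted. */
int report_missing_safe(char *out, size_t cap, const char *name) {
    return snprintf(out, cap,
                    "%s: The system cannot find the file specified.", name);
}

/* Count conversion directives in a string. A non-zero count in data that
   is about to be used as a format is the thing a code review should flag.
   "%%" is an escaped literal percent and is not counted; a lone trailing
   '%' is ignored. */
int count_format_directives(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* literal percent */
        if (p[1] == '\0') break;              /* trailing lone '%' */
        n++;
    }
    return n;
}
```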

Summary
  • Day: Day 3
  • Topics: Exploiting systems, IP spoofing, sniffing, session hijacking, DNS cache poisoning, backdoors, buffer overflows, protocol and parser problems, hiding payloads, steganography
  • Tools: ethereal, snort, Sniffit, Dsniff, hunt, TTYWatcher, IP-Watcher, Ettercap, jizz, Zodiac, netcat*, Metasploit, inetd, tftp, ADMutate, Hydan, printf format strings*
  • Overall value: 3 out of 5
  • Coolness: 4 out of 5

* Starred items were part of hands-on exercises.

About Me

Edmonton, Alberta, Canada
Returned to working as a Management Consultant, specializing in risk, security, and regulatory compliance, with Fujitsu Canada after running the IT shop in the largest library in the South Pacific.

CC Developing Nations
This work is licensed under a Creative Commons Developing Nations license.
