Sunday, October 02, 2022

SANS SEC504: Hacker Tools, Techniques, and Incident Handling Course Review

Yesterday I finished up the SANS SEC504 Hacker Tools, Techniques, and Incident Handling training course. This was paid for by my employer as part of an internal cybersecurity training program that I'm in.

I first learned about the SANS Institute shortly after changing careers into IT. However, they've always been too expensive for me to take if I had to pay out of pocket. When I first learned of them a 5 or 6 day class cost around $2500. Nowadays, they are north of $8000 and it's another $949 if you want to take the related certification exam. Way too rich for my blood.

Anyway, the agenda for the course I took was as follows:

  • 9/26 - Incident Response
  • 9/27 - Recon, Scanning, and Enumeration Attacks
  • 9/28 - Password and Access Attacks
  • 9/29 - Public-Facing and Drive-By Attacks
  • 9/30 - Evasion and Post-Exploitation Attacks
  • 10/1 - Capture the Flag event capstone

On Monday class ran from 0830 to 1915 but I tapped out at 1830. By that point we were looking at bonus material related to Linux and PowerShell, both of which I'll go through again in preparation for the certification exam.

Tuesday through Friday class ran from 0900 through about 1730, and the CTF event on Saturday was 0900 to about 1500. Of course, we got breaks in the morning and afternoon, and for lunch.

Although the days were long and by Thursday I was feeling it, they went by quickly.

The session I took was presented live at SANS Baltimore made available for remote students via Zoom and Slack for text chatting. This approach worked extremely well except for an hour or so on Thursday afternoon when the hotel hosting the convention lost its Internet connection, and they had to fail over to a backup connection. Rather than losing any productive time, we just worked on labs.

I've been lucky enough to take a lot of training classes over the years, paid for by my employer. Vendors have included Nortel (yeah, I'm old), Alcatel, Red Hat, and Cisco, among others. I have to say this was probably the best out of all of them.

The instructor, Jon Gorenflow was knowledgeable and engaging. The material was well organized and interesting, and reinforced with a large number of labs.

Labs were done using one or both of two virtual machines. One was Slingshot Linux, which is a hacking-oriented distro based on Ubuntu 18.04. The other was a Windows 10 Enterprise VM for which SANS arranged a four-month product key.

I ran the VMs using VMware Fusion on my work MacBook Pro. You can use Fusion or VMware Workstation to run the VMs. My Mac had plenty of power to run both VMs simultaneously, even after I increased the RAM on the Windows VM to 6GB from the default 4GB.

Note that if you plan to take this or other SANS classes, you need a computer with an Intel CPU. I would not have been able to run the VMs on my personal MacBook Air which has an M1 ARM CPU, even though otherwise it has plenty of horsepower to do so.

If you take a SANS course, do not use a laptop with less than 16 GB of RAM, a 512 GB solid state drive, and an Intel i5 CPU with an i7 being better. (I'm sure an AMD processor would be fine but I can't speak to specs.) If you can get a larger SSD it would be better. The SANS VMs and course materials take up a lot of space.

Your laptop's host OS should be Windows, Linux, or macOS if you have an Intel Mac. You'll need administrative rights on the machine and be able to access the network. If you're taking the class remotely and can connect to Ethernet that's better than WiFi.

My original plan was to run the VMs on my Intel NUC which runs the free version of VMware ESXi 7U3, and access their graphical desktops via NoMachine and Remote Desktop Protocol. However, I ran into a problem with the Windows VM. Because they were built on VMware Workstation they wouldn't boot without first converting their virtual disks into ESXi format*. That's not a problem with Linux but on Windows it breaks Windows activation because it sees that the hardware changed. I probably could have run the Windows VM with the OS not activated but I did not want to chance having problems during the class, so I just ran them on my laptop.

However, I learned in the class that running the VMs on a headless ESXi box would not have been optimal anyway. The VMs are configured to use a private network for most of the class, so that they cannot access or be accessed from other hosts on your LAN. This is done because they are in deliberately insecure configurations, especially the Windows VM.

Saturday's capture the flag event was a lot of fun and helped tie everything together. We broke up the class into teams of four people and accessed the CTF environment through a VPN from the Slingshot Linux VM, which was reconfigured to access the network for Internet access.

After the CTF event completed the instructor did a walkthrough, taking a bit of a different approach to hacking into the systems than the CTF instructions presented.

Two of the tools we learned about during the course that I plan to do deeper dives into were Metasploit and netcat. I've used the latter just a little but have only scratched the surface.

As you'd expect, we used nmap quite a bit. This is another tool I use regularly whether to do ping sweeps or for port scanning.

Another tool which we got exposure to is an old school UNIX/Linux utility: awk. We used it a few times in the class to extract useful fields such as email addresses and user names from text files and .csv files. I decided it would be good for me to get a copy of O'Reilly's sed & awk Pocket Reference.

As a long time Linux user, I'm familiar programs that can display the contents of a text file, such as less, more, and cat. The instructor showed us a way to use cat that I've never seen before.

Here's a demonstation done on my MacBook Air, which includes cat as a command line utility (macOS is UNIX under the hood). First, I'll create an empty file using touch, then add text to it using cat and a shell redirect:

Davids-Air:Documents dave$ touch foo.txt

Davids-Air:Documents dave$ cat > foo.txt





Davids-Air:Documents dave$ 

Davids-Air:Documents dave$ 

Davids-Air:Documents dave$ cat foo.txt




Note how by issuing the cat command and immediately using the redirect ( > ), it presents you with a way to input text until you hit CTRL-C. I then used cat to show the contents of foo.txt on STDOUT.


Another tool we learned about was RITA from Active Countermeasures for analyzing network traffic logs collected by Zeek. When used properly, this combination should help you spot network traffic indicating naughty behavior.

I've experimented with Zeek a bit and it's a part of Security Onion, which I've used on the job. To learn more about RITA I built a Debian 11 VM** on my Nuc running both of them. I may get this running on the networks I help to support.

To continue my learning I grabbed a copy of Metasploitable, another deliberately vulnerable Linux VM. As with the class VMs, it was built on VMware Workstation so you'll need to convert the disk to ESXi format if you want to run it on that platform.

For the past few years cybersecurity has been an increasingly important part of my job. It's also a rapidly growing field. I'm looking forward to immediately putting to use much of the info I learned SEC504.

* For this you need to ssh into your ESXi host and use vmkfstools to clone the disk. An overview of how to do so can be found here:

** Most of the VMs I've built in the current iteration of my home lab have been based on Debian Linux 11. I find it easy to create a stripped-down VM and the dependency resolution is excellent. Ubuntu Linux is based on Debian but for my use it doesn't really add much value, so I go right to the source, so to speak.

Friday, September 30, 2022

Nice Little Pliers

The mailman brought this to me today (US quarter for scale).

It's from White Elk Trading in Utah. It's the large size, about 4.7" long. I wanted a small pair of pliers for my shooting pouch but wanted something that looked like it might have been used in the 18th or 19th Century, not something from Lowe's.

I might grind the ends to be screwdrivers, we'll see.

Saturday, September 24, 2022

Made a Short Starter and a Leather Capper

 I was feeling crafty so I made these today. The antler is from a buck I shot last year. The other parts are a length of 3/8" poplar dowel, a short length of 3/8" brass rod, and a .38 Special case with the end turned down. All parts are glued and pinned together with brass pins I cut from brass rod.

The capper was made from a piece of scrap leather. The top right hole is to tie it to my shooting bag. The row of holes all have a slit going to the edge of the leather. It's sized for #11 caps.

Friday, September 23, 2022

Sent the Broken Lock Out for Repair

As mentioned in my last post, at this point I’ve decided to have a professional repair the canoe gun's lock, so I shipped the lock today Brad Emig at Cabin Creek Muzzleloading, which is just East of York, PA.  For lock repair he came highly recommended on the Muzzleloading Forum, and it’s nice that he’s relatively close.

Another reason I went with CCM is that I got a reply and a phone call very shortly after emailing him. I still haven't heard back from Jim Chambers Flintlocks. I called CCM this morning to confirm his shipping address and to ask whether I should include payment and Emig picked up the phone and was very friendly. He'll call me when it's done with the final cost and I can then either pay via a credit card or send him a check.

His base price for a lock tune is $95 + any parts he might need + return shipping.

It should get there Monday.

I’ve seen Emig’s guns at the Dixon’s Gunmakers Fair and they are gorgeous, absolute works of art (and priced commensurately).

And since the lock is a Siler, the other day I ordered from the Log Cabin Shop a large Siler flint and a vent liner to match the drum’s threads. Hope to get that next week.

Monday, September 19, 2022

Ugh, Canoe Gun NOT Fixed, and Other Stuff

Last weekend I was upstate at my friend's cabin. We had a good trip and I got to shoot the canoe gun a little. Unfortunately it is not fixed. The hammer stopped holding at full cock so I’m looking at sending it out for repair before I completely screw it up. Today I reached out to Jim Chambers Flintlocks, who is the current maker of Siler locks, to see if they'll service it. It's an older lock that may have been built from a kit so I'm not expecting a freebie. <grrr>

While it was still working, I patterned a load of 1-1/8 oz. of #5 shot on top of 70 grains of Goex 2Fg. This is a square load. I used a 1/8” lubed over powder wad, the shot inside a paper shot cup made from a Post-It note, and a thin over shot card. The target was at 15 yards and POA was center hold.

The SR-1 target I shot at has an 8" bullseye. Here's a closer pic:

I’m happy with the pattern.

I also put 150 rounds thru my Ruger LCP .22.
  • 50 rounds of CCI Mini Mag solids were flawless although the slide failed to lock back after the 50th shot.
  • 50 rounds of Federal 550 bulk pack had a couple failures to fire. Both rounds fired when struck on another spot on the rim. This is par for the course with that ammo in other guns.
  • 50 rounds of Federal Punch, which is a 29 grain nickel plated flat point in an extended, nickeled case. This had several failures to eject. I’m not writing this off yet because the gun was pretty dirty by the time I got to it.

I’m at the point where I’d be comfortable carrying it loaded with Mini Mag solids as long as it’s cleaned and lubed.

I also put 50 rounds of .38 full charge wadcutters through my S&W Model 15. I shot about half at the man-sized silhouette we have about 70 yards out. My hit ratio was probably around 50%, and except for 6 shots was all fired double action. I'm pretty sure that the Model 15 would be the absolute last gun I ever sell.

And here’s a doe that stood looking at me for a minute or two Friday afternoon, downrange near the silhouette.

The other major activity was a trip to Zett's Fish Farm to pick up some fish for my friend's quarter-acre pond. He bought some minnows, shiners, and large mouth bass. We're hoping that in a couple years he'll have a balanced ecosystem in the pond with not only those fish, but bluegills, catfish, and frogs (those last three are already in it).

We have our next trip planned for late October when the early antlerless deer season is open, along with small game and upland birds.

Wednesday, September 14, 2022

Fixed the Canoe Gun

My order with the replacement Siler tumbler from Track of the Wolf arrived today. It took me about a half hour after work to fit the hammer to the tumbler. I think the lock may have been assembled from a Siler kit based on the shape of the square hole in the hammer which slides over the end of the tumbler. Anyway, it now functions correctly, locking securely into the half and full cock notches.

If I get upstate this coming weekend I hope to be able to shoot it on paper to check point of impact with ball loads, and patterns with shot.

Sunday, September 11, 2022

Shot the Canoe Gun Today, and Broke It

I got a chance to shoot the canoe gun today over at a friend's place. He has some land and we can shoot safely in his yard. Unfortunately it was raining and the only place I could load while under overhead cover was his patio. I'd then step out to shoot and some tin cans we placed on a hillside.

My load of 1 oz. of #5 shot on top of 65 grains of Scheutzen 3Fg black powder penetrated both side of a #10 can from about 20 yards, so it's got enough power for hunting.

I also tried a couple varieties of ball loads. I shot a half dozen .570 balls loaded in paper cartridges on top of 65 grains of powder. I also tried a few shots with .575 balls loaded on top of a tow wad, with another tow wad over the ball to hold it in place. The balls loads shot high with how I was holding the gun.

I absolutely need to put both shot and ball loads on paper.

Everything went mostly well until the gun fell over onto the brick patio, landing on the hammer which was on half cock. That broke the half cock notch on the tumbler. (Insert vast amounts of profanity here.)

When I was done I used tow wrapped around a worm to scrub the bore. This was the first time I've tried using tow for cleaning and it works pretty well, much like a bore brush. I'll be using it at least for my smoothbores in the future.

Tonight I ordered a replacement tumbler from Track of the Wolf and I paid extra for 2 day delivery. I may be going upstate next weekend and if so I'd really like to bring the gun with me to pattern shot loads and figure out how to hold it when shooting ball.