Yesterday I finished up the SANS SEC504 Hacker Tools, Techniques, and Incident Handling training course. This was paid for by my employer as part of an internal cybersecurity training program that I'm in.
I first learned about the SANS Institute shortly after changing careers into IT. However, they've always been too expensive for me to take if I had to pay out of pocket. When I first learned of them a 5 or 6 day class cost around $2500. Nowadays, they are north of $8000 and it's another $949 if you want to take the related certification exam. Way too rich for my blood.
Anyway, the agenda for the course I took was as follows:
- 9/26 - Incident Response
- 9/27 - Recon, Scanning, and Enumeration Attacks
- 9/28 - Password and Access Attacks
- 9/29 - Public-Facing and Drive-By Attacks
- 9/30 - Evasion and Post-Exploitation Attacks
- 10/1 - Capture the Flag event capstone
On Monday class ran from 0830 to 1915 but I tapped out at 1830. By that point we were looking at bonus material related to Linux and PowerShell, both of which I'll go through again in preparation for the certification exam.
Tuesday through Friday class ran from 0900 through about 1730, and the CTF event on Saturday was 0900 to about 1500. Of course, we got breaks in the morning and afternoon, and for lunch.
Although the days were long and by Thursday I was feeling it, they went by quickly.
The session I took was presented live at SANS Baltimore and made available for remote students via Zoom, with Slack for text chatting. This approach worked extremely well except for an hour or so on Thursday afternoon when the hotel hosting the convention lost its Internet connection, and they had to fail over to a backup connection. Rather than losing any productive time, we just worked on labs.
I've been lucky enough to take a lot of training classes over the years, paid for by my employer. Vendors have included Nortel (yeah, I'm old), Alcatel, Red Hat, and Cisco, among others. I have to say this was probably the best out of all of them.
The instructor, Jon Gorenflow, was knowledgeable and engaging. The material was well organized and interesting, and reinforced with a large number of labs.
Labs were done using one or both of two virtual machines. One was Slingshot Linux, which is a hacking-oriented distro based on Ubuntu 18.04. The other was a Windows 10 Enterprise VM for which SANS arranged a four-month product key.
I ran the VMs using VMware Fusion on my work MacBook Pro. You can use Fusion or VMware Workstation to run the VMs. My Mac had plenty of power to run both VMs simultaneously, even after I increased the RAM on the Windows VM to 6GB from the default 4GB.
Note that if you plan to take this or other SANS classes, you need a computer with an Intel CPU. I would not have been able to run the VMs on my personal MacBook Air which has an M1 ARM CPU, even though otherwise it has plenty of horsepower to do so.
If you take a SANS course, do not use a laptop with less than 16 GB of RAM, a 512 GB solid state drive, and an Intel i5 CPU with an i7 being better. (I'm sure an AMD processor would be fine but I can't speak to specs.) If you can get a larger SSD it would be better. The SANS VMs and course materials take up a lot of space.
Your laptop's host OS should be Windows, Linux, or macOS if you have an Intel Mac. You'll need administrative rights on the machine and be able to access the network. If you're taking the class remotely and can connect to Ethernet that's better than WiFi.
My original plan was to run the VMs on my Intel NUC which runs the free version of VMware ESXi 7U3, and access their graphical desktops via NoMachine and Remote Desktop Protocol. However, I ran into a problem with the Windows VM. Because they were built on VMware Workstation they wouldn't boot without first converting their virtual disks into ESXi format*. That's not a problem with Linux but on Windows it breaks Windows activation because it sees that the hardware changed. I probably could have run the Windows VM with the OS not activated but I did not want to chance having problems during the class, so I just ran them on my laptop.
However, I learned in the class that running the VMs on a headless ESXi box would not have been optimal anyway. The VMs are configured to use a private network for most of the class, so that they cannot access or be accessed from other hosts on your LAN. This is done because they are in deliberately insecure configurations, especially the Windows VM.
Saturday's capture the flag event was a lot of fun and helped tie everything together. We broke up the class into teams of four people and accessed the CTF environment through a VPN from the Slingshot Linux VM, which was reconfigured to access the network for Internet access.
After the CTF event completed the instructor did a walkthrough, taking a bit of a different approach to hacking into the systems than the CTF instructions presented.
Two of the tools we learned about during the course that I plan to do deeper dives into were Metasploit and netcat. I've used the latter just a little but have only scratched the surface.
As you'd expect, we used nmap quite a bit. This is another tool I use regularly whether to do ping sweeps or for port scanning.
Another tool which we got exposure to is an old school UNIX/Linux utility: awk. We used it a few times in the class to extract useful fields such as email addresses and user names from text files and .csv files. I decided it would be good for me to get a copy of O'Reilly's sed & awk Pocket Reference.
As a long time Linux user, I'm familiar with programs that can display the contents of a text file, such as less, more, and cat. The instructor showed us a way to use cat that I've never seen before.
Here's a demonstration done on my MacBook Air, which includes cat as a command line utility (macOS is UNIX under the hood). First, I'll create an empty file using touch, then add text to it using cat and a shell redirect:
Davids-Air:Documents dave$ touch foo.txt
Davids-Air:Documents dave$ cat > foo.txt
Hello
Hello
Hello
^C
Davids-Air:Documents dave$
Davids-Air:Documents dave$
Davids-Air:Documents dave$ cat foo.txt
Hello
Hello
Hello
Note how by issuing the cat command and immediately using the redirect ( > ), it presents you with a way to input text until you hit CTRL-C. I then used cat to show the contents of foo.txt on STDOUT.
Neat!
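As an added example (my own, not material from the course), here is the same cat-and-redirect idea combined with the kind of awk field extraction mentioned above. The CSV and the free-text notes are constructed sample data, and the names, addresses and function names are made up for the demonstration. The here-document form of cat writes a file without the interactive CTRL-C step, and the awk one-liners pull the username and email columns out of the CSV and scan unstructured text for anything that looks like an address.

```shell
#!/bin/sh
# Write a constructed CSV with cat and a here-document. This is the
# non-interactive cousin of `cat > foo.txt`: input ends at the EOF marker
# instead of CTRL-C. Sample data only; the names and addresses are invented.
make_sample_csv() {
  cat > "$1" <<'EOF'
username,email,role
alice,alice@example.com,admin
bob,bob@example.com,user
carol,carol@example.org,user
EOF
}

# Write a constructed block of free text that happens to contain addresses,
# the sort of thing you might pull out of a scraped web page or a mail archive.
make_sample_notes() {
  cat > "$1" <<'EOF'
Contact alice@example.com for access requests.
The on-call rotation is bob@example.com then carol@example.org.
No addresses on this line.
EOF
}

# Print the email column (field 2) of a comma-separated file, skipping the header row.
extract_emails() {
  awk -F',' 'NR > 1 { print $2 }' "$1"
}

# Print the username column (field 1), skipping the header row.
extract_usernames() {
  awk -F',' 'NR > 1 { print $1 }' "$1"
}

# Count distinct email domains in the CSV: split field 2 on '@' and tally the
# part after it. Output is "domain count", one line per domain.
count_domains() {
  awk -F',' 'NR > 1 { split($2, parts, "@"); domains[parts[2]]++ }
             END { for (d in domains) print d, domains[d] }' "$1" | sort
}

# Pull email-like tokens out of unstructured text: walk every whitespace-separated
# field, keep the ones containing '@', and strip trailing punctuation.
extract_emails_from_text() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /@/) { sub(/[.,;:]+$/, "", $i); print $i } }' "$1"
}

# Stand-alone demo: build both files in a temp dir and run each extractor.
demo() {
  dir=$(mktemp -d)
  make_sample_csv "$dir/users.csv"
  make_sample_notes "$dir/notes.txt"
  echo "== usernames =="; extract_usernames "$dir/users.csv"
  echo "== emails =="; extract_emails "$dir/users.csv"
  echo "== domains =="; count_domains "$dir/users.csv"
  echo "== emails in free text =="; extract_emails_from_text "$dir/notes.txt"
  rm -rf "$dir"
}
```

Call `demo` to run it end to end. The `-F','` switch sets the field separator, `NR > 1` skips the header, and `$N` refers to the Nth field; those three pieces cover most of the ad hoc CSV extraction from the labs, and the free-text variant is the one to reach for when the input has no columns at all.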
Another tool we learned about was RITA from Active Countermeasures for analyzing network traffic logs collected by Zeek. When used properly, this combination should help you spot network traffic indicating naughty behavior.
I've experimented with Zeek a bit and it's a part of Security Onion, which I've used on the job. To learn more about RITA I built a Debian 11 VM** on my NUC running both of them. I may get this running on the networks I help to support.
To continue my learning I grabbed a copy of Metasploitable, another deliberately vulnerable Linux VM. As with the class VMs, it was built on VMware Workstation so you'll need to convert the disk to ESXi format if you want to run it on that platform.
For the past few years cybersecurity has been an increasingly important part of my job. It's also a rapidly growing field. I'm looking forward to immediately putting to use much of the info I learned in SEC504.
* For this you need to ssh into your ESXi host and use vmkfstools to clone the disk. An overview of how to do so can be found here: https://thunderysteak.github.io/workstation-vmdk-2-esxi
** Most of the VMs I've built in the current iteration of my home lab have been based on Debian Linux 11. I find it easy to create a stripped-down VM and the dependency resolution is excellent. Ubuntu Linux is based on Debian but for my use it doesn't really add much value, so I go right to the source, so to speak.