A SANS Review Trifecta: SEC642, NetWars & Facilitating

Greenwolf, published in Greenwolf Security, Mar 20, 2019

I’ve always wanted to try a SANS course, as after doing my OSCP and OSCE, I figured it might actually be quite pleasant to have my hand held a little bit and any gaps in my knowledge be addressed instead of skipped under the ‘try harder’ mantra. Now don’t get me wrong, I love the challenge of an Offensive Security course, but while there are some great benefits about their methods, their lack of formal instruction is not one of them.

Initially I had written off SANS; my company is going through a bit of a training drought and €6,275+€1255(VAT) is a pretty hefty sum to pay yourself. However, I recently learned about the SANS work study program, which allows you to apply for a reduced rate of €1300+€260(VAT) in return for help setting up and tearing down the event, along with some other minor duties and early mornings. They also include a free GIAC certification attempt if the course has a corresponding exam.

Due to my existing background in penetration testing I was only interested in the SEC642 (Advanced Web Application Testing) and SEC660 (Advanced Penetration Testing & Exploit Development) courses, so I applied for these. Then a few weeks ago, I was accepted to facilitate at an event, letting me attend the SEC642 course and take part in the NetWars CTF. So here are my reviews for all three.

SEC642 — Advanced Web App Penetration Testing

I was initially sceptical of the SEC642 course, as unlike its Advanced Penetration Testing sibling SEC660, which has the GXPN, it does not have a corresponding certification. However, after taking the course I can safely say these fears were unfounded. While there was no certification, the skills I’ve gained will be invaluable when working on application security assessments and the course really helped patch some holes I had in my knowledge.

Day 1 was the ‘Advanced Attacks’ module. It started with a warm-up covering where we were told 542 finishes off. I was instantly relieved I had chosen the advanced course as 542 seems to be too basic for anyone who performs application security assessments regularly. The meat of this day was centred around some interesting ways to get RCE via Local File Inclusion (which would have been helpful on my OSCE!), advanced SQL injection, attacking NoSQL implementations and bypassing CSRF tokens with custom JavaScript.

Day 2 covered PHP type juggling (did you know that “string” == 0 evaluates as True?) and how it can be used to bypass authentication. It also went over attacking Java implementations via deserialization flaws.

Day 3 was of particular interest to me, as ‘Web Cryptography’ was definitely an area where I didn’t have much prior experience. It covered multiple attacks against cryptography implementations such as how to attack encryption keys, stream ciphers, ECB shuffling, CBC Bit Flipping and the Padding Oracle Attack.

Day 4 covered ‘Alternative Web Interfaces’, such as Flash, REST, SOAP, WebSockets, HTTP/2 and Wireshark HTTP extraction for non-proxy aware clients. It also covered XPath Injection and XML External Entity Injection.

Day 5 wrapped up the course content by focusing on ‘Web Application Firewall and Filter Bypass’. It was primarily focused on ModSecurity, but what I found interesting was that it didn’t focus on a specific bypass, but on how to enumerate your own based on the rulesets of the target. To do this we were taught how to fuzz the WAFs with wordlists to find which phrases, functions and characters we could use in an attack.

Day 6 was dedicated entirely to a CTF which hammered home the concepts taught in the course. I’m happy to say I ‘managed’ to lead my hand-picked team ‘Management’ to victory and came back with a 642 Samurai & Dragon coin to show for it!

Somehow our team name ‘Management’ was still the most creative!

Overall, this was an excellent course and Moses Frost was a fantastic instructor. In addition to being useful in my day job as a penetration tester when working on application tests, I feel the course content will also be useful when undertaking the upcoming OSWE Certification that Offensive Security plans to release later this year to complement their AWAE course.

However, if you are after a certification, either to help get a job or secure a promotion, you might be better served with another course.

Facilitating

As I mentioned earlier, I would never have been able to justify the full price of a SANS course on my own dime. However, with the SANS work study program, I was able to get a fantastic discounted rate of around 20% of the cost of the full priced course. SANS also throws in online recordings of the classes for 4 months following the event, as a free perk to their work study facilitators. As the saying goes though, there are no free lunches!

I first applied for the work study program a few months before the event, filling in the relevant forms on the SANS site. I only heard back from them 2 days before the event on a Thursday evening, asking if I was available to help set up the conference on Saturday. I was sceptical as it was such short notice, but decided to jump in and booked holiday for the following week off work to do the course. I replied to a few emails, signed some forms and paid my €1560 for the course.

I arrived at the venue at 10am on the Saturday to meet the other facilitators and the event organisers. We started with a quick overview of our duties, which would be: setting up the conference, arriving early to open our rooms each day, lunchtime guard duty, evaluations and tearing down the conference.

Saturday and Sunday were spent unloading the delivery van, unpacking boxes, setting classrooms and networking certain rooms. These were the most intensive days (6–8 hours) and really worked up a sweat.

The rest of the event was much easier. I went in thinking that I would be called out of the classroom all the time and that I would be missing sections of the class due to having the online version. However, SANS made it clear that this was not the case, and that I was there primarily as a student. All that was required were the following duties:

1. To arrive an hour early each day to open the classrooms and bring across the laptops holding the class’s virtual machines for exercises.

2. To guard the corridor outside your own and a fellow facilitator’s classroom for half your lunch break, swapping with the other facilitator so you could go to lunch.

3. To give out a daily evaluation sheet to each student in class, collect their response and organise and read the results to the event organisers.

Following these, on the final Saturday afternoon after the event had closed, we helped tear everything down for shipping to the next event. This took a fraction of the time that setup did and we were done around 4pm.

Overall, facilitating was a fantastic experience. I got a free workout, an 80% discount on my SANS course and free access to the online version of the course for 4 months. All the facilitators were also given a free SANS swag bag with a woolly hat, hoodie and socks.

Oh, they also make you wear one of these sexy little red aprons for the entire event:

NetWars

As part of the training event, SANS ran their complimentary Capture the Flag (CTF) NetWars tournament, which took place over two evenings after class. This is a really interesting CTF covering many aspects of security, including areas I didn’t have much experience in such as forensics. It also has an awesome Star Wars theme; from debugging a HK-47 Hunter-Killer assassin droid to exploiting your way through the Stormtrooper academy website. It was very engaging and fun.

The only problem with the event was that it was designed to be played multiple times, with you getting further along as your skills grow. This unfortunately means that new players are at a huge disadvantage. There were a number of players who attended that just plugged in all of their saved answers from the last event, completely distorting the leader boards and putting off many of the new players. I was told this isn’t usually a problem at US events, as they split the first-time players off onto a separate scoreboard, however for some reason it’s not standard policy to do this outside of the US.

This upset a large number of players at the event, but in turn actually highlighted how responsive SANS was to the feedback from their attendees. By the following afternoon, following numerous complaints, they had separated the players into first timers and veterans, and it became an action-packed evening with everything to play for. The excitement in the classes when it was announced towards the end of the day was palpable.

I even managed to walk away with 3rd place in the first-timers’ category, earning a coveted NetWars challenge coin!

3rd place!

So, to summarise, all of the above were fantastic experiences, and I would recommend SANS training to anyone who wants to up-skill or even get started in the security industry. SANS work study programs are an excellent way to afford a world class training course when you don’t have an employer willing to sponsor your development.
