Open source software security

InfoSec Institute Ethical Hacking Day 1


I've just finished the first day of InfoSec Institute's Ethical Hacking class. I'm going to try and write a blog entry each day to keep up with what is going on and provide an overview - if I'm able. This may turn out to be a Sisyphean task, however. Tomorrow is election day and I'm going to stay up and watch the results even if it kills me, because I think this election will be as much a defining moment as 9/11 was in my life - but I digress. I'm also challenged with taking CIT 591 at the University of Pennsylvania, which includes weekly assignments, from which I've been given no respite despite my training, so I'm literally doing all computers all the time. Added to which my carpal tunnel is acting up and, well, you get the idea.

Jeremy Martin is teaching the course and we got underway promptly at 8:30 this morning. We had received a somewhat mammoth (550+ pages) course guide in the mail prior to the class. This covered the slides that are presented, along with a lot of extra interesting information. As we sat down at class we each got a study guide for the exams, a lab notebook with exercises, and a CD. Additionally we each got a laptop that had VMware installed on it so we could run through labs using either our host operating system (Windows XP) or target OSes (Windows 2003 and Linux, a BackTrack 3 based VM). The class launched right into the material with little precursor. I did notice the course laptops were running Windows XP SP1, and despite being on a protected LAN I quickly downloaded Firefox 3 and the NoScript, Flash Block, and Web Developer plugins to minimize my risk of p0wn4g3 via web surfing.

Today we covered quite a plethora of information. The day started with an introduction to the class. We quickly moved on to Ethical Hacking, what it is and various methodologies, frameworks and models. This material included not only an overview of pen tests (penetration testing) but also various pen test models (white box, gray box, black box) and approaches (white team, red team, blue team). There was a heavy emphasis on consistent methodology and documentation - a clear sign that the field is maturing past so-called testers running canned tools and forking over reports. Jeremy did a great job of supplementing the material with anecdotes and insights that kept the material interesting. Additionally he did a great job of fielding questions from the class, even when they fell far afield of the material in the slides.

After a quick introduction to the VMware images, the command line, and Linux, we moved into passive intelligence gathering. This included DNS querying, passive reconnaissance through sources like ARIN, WHOIS and EDGAR as well as website interrogation (things like robots.txt, directory guessing, and source code inspection). From there we moved deeper into DNS, covering things like zone transfers and the type of information that DNS can reveal. DNS is an oft overlooked source of information and it was refreshing to see a course cover it in detail given its ongoing relevance and relative obscurity.

Next we skimmed through SNMP, just covering the basics. Given a lot of the recent work with SNMP that folks like GNU Citizen have done, I would have liked to delve into it a little further, but we covered enough for me to get started on my own research.

Finally we covered a "hacker's" introduction to networking protocols: the obligatory run-through of TCP/UDP/ICMP that most introductory classes cover. This section was interesting because it was fairly targeted and is obviously foundation material for later things. I did have to make a note to go back and (re)memorize the OSI model (again!).

The day finished up with a simple capture the flag involving SNMP and DNS queries. Unfortunately the CTF server was DOA, but Jeremy reacted quickly and brought up a VMware image we could run the exercise on.

Throughout the day there were food, snacks and soda provided. The room was comfortable and the class size was relatively small (around two dozen people), which made question and answer sessions possible. The demonstrations and slides were informative and wide ranging enough to hold folks' attention. The material was in-depth enough to keep the experienced students involved but didn't seem to be so technical that the more novice folks were getting lost. All in all my first day exceeded my expectations and I'm really looking forward to the rest of the class.