Open source software security

InfoSec Institute Ethical Hacking Day 3


Day three of ethical hacking didn't end until about 7 PM, and with the CPT exam scheduled for the end of day four I didn't get a chance to blog. Instead I went back to my room, studied for a bit, and fell asleep. The course is nothing if not exhausting. Day three was another whirlwind. We covered everything from buffer overflows to privilege escalation. The day's slides went from how to break into a server using tools like Metasploit or Canvas, to privilege escalation, to installing backdoors, trojans, and rootkits. The material was far-ranging and in-depth. The labs covered deploying a rootkit, using Metasploit, information leaking via SUID root bugs, and password cracking. While previous days had covered reconnaissance and information gathering, day three was definitely focused on active attack.

Day three was full of good information, but the pace was frenetic. Covering such a wide array of topics and platforms (we saw examples in Windows and Linux) was a bit dizzying. You could spend a full five-day course on almost any one of the topics we covered in day three. This meant the exposure was somewhat superficial, but it was a great introduction to the topics and provided enough information for further research.

With the examinations fast approaching, the class became increasingly concerned about the questions on the tests. This is one of the major downfalls of training of this sort, in my opinion. Students become fixated on passing the test and shift focus away from learning and absorbing information. Of course, this is a risk in any learning environment, but it's disheartening. The exams, by necessity, only ask a few targeted questions and never provide a very thorough gauge of a test taker's knowledge. I'm sure the exams will be fine, but there is a lot of great material being presented, and many students seem to be getting hung up on trying to figure out what material will be important to the exam rather than what material is important for operating in a security profession. Of course, people are paying money for this training, and the only tangible takeaway is the certification, so it's understandable that some people will feel that if they don't get their certification they didn't get a good return on their investment. In fact, the course material is much more valuable than the piece of paper will ever be in terms of actually working to protect assets in real life.

I spent the end of day three and the morning of day four re-reading the instructional material. This mainly consists of a large book of the slides used in class, which includes extensive sidebars and footnotes. There is also a lab book and a study guide. Both of these are also chock full of information. It's a lot to absorb in a short time, but they're all well written and documented and include screenshots for many of the instructions.