Final thoughts before taking the SANS GSE lab

Well, this will be my last entry before the test. I have been studying for this test for quite a while, and hopefully all this preparation will pay off. If there is one parting thought to give it would be this: just because you read about a tool, technique or procedure does not mean you know what it does or how to do it. It’s a little bit like that line by Seraph in The Matrix Reloaded ‘You do not truly know someone until you fight them’. It sounds odd when applied to people, but it makes TOTAL SENSE when applied to computers:

One doesn’t really understand until one actually applies the knowledge; make it work, play around with it and break things, then get it working again. Once you’ve done that, only THEN do you really have an understanding of that tool, technique or procedure. Because hearing about a thing and being able to actually USE that thing are two, totally different. . . . . . things!


Oh, and don’t try to use Ettercap in VMWARE with NAT mode enabled. 😉


My parting gift (because I can’t do this after I take the test):

SANS GSE bring-along guide 2015-03-08

Ettercap, sslstrip, and Wireshark testing for SANS GSE study

Never actually played with ettercap and sslstrip until tonight. Grabbed everything in Wireshark and looked through it for IOCs after I was finished. ARP poisoning really sticks out if you know what to look for (because we all look, right? Yeaaahhhh). It also made the victim machine have some odd, slightly buggy network comms (especially web browsing). This may have been because all this was over wireless through VMware on a somewhat underpowered laptop. . . Either way, it worked and my notes have been updated with the technique and how to detect it.

I also went through a printed copy of the 100-page GSE document on google groups. Some information needed to be updated, including some variations of what a given command does. Overall it’s a great document that you should check out; however, don’t just print it out without going through the commands to understand what’s going on.


GSE study – writing incident reports

The one thing I just can’t seem to locate is a good sample computer security incident handling report. The closest thing I can find is documentation on what to include in a report and the write-ups for things like the SANS holiday challenge. What I’m going to go with is my own notes from the 6-step incident handling process from the SANS Hacker Techniques and Incident Handling class (504.1) and the report from the 2013 SANS holiday hack challenge.

Study progress – Windows Event logs and BRO commands

The SANS GSE lab is getting close now. Currently I’m trying to consolidate my notes and cheat-sheets. While looking for important Windows event IDs I came across a great, up to date (YEA!) cheat-sheet for Windows Indicators of Compromise at malwarearcheology. Also, some good Bro IDS log manipulation tips on the BRO website – I’m just looking for the basics here – top 10 talkers and stuff.

SANS GSE – testing against Mutillidae

Got Ubuntu server 15 installed. Looking at Mutillidae for testing things like SQL injection and XSS. There is a version bundled as a VM called Metasploitable, but there is an issue with the database name in a config (fixed, not horrible, but annoying). The big issue is that there is a newer version of Mutillidae out there and I’d rather use that. After installing it, finding and changing database name, user password, etc – it doesn’t really work with the database components. . . . blah. Maybe I’ll just install it on the Ubuntu server.

Work continues on flash cards, the nmap one keeps growing and I still need to add nmap scripting engine stuff. There is a great SANS reading room page on nmap windows scanning here: Besides that, running all the commands mentioned before and understanding how they work is the task for now. My understanding is that the SANS GSE is somewhat time sensitive, and not having to lookup command syntax will save a good amount of time. Just as long as there is no expectation of blurting out an esoteric tar command off the cuff, right?

I’ve been in touch with a few other candidates that will be sitting the same day. Most seem to be about as prepared as I am. There were a few candidates a year or two ago that built a 100-page-ish GSE study guide and posted it to the Google groups page. There is a lot of stuff in there.

SANS GSE study – current progress

Got an e-mail yesterday from SANS. They are switching from Fedora to Ubuntu and apparently Burp Suite is included in the lab. I know about Burp Suite, but hadn’t used it because there were no labs in any of the courses. The labs had used ZAP, but that was back in 2014 – they probably changed it since then. I DO know that it is extremely popular, so I’m glad about that part. [ZAP is still on Kali, so one could use either]

The studying is going somewhat slowly this week. I haven’t gotten much sleep, and the midnight schedule is causing me to nod off a lot. One thing I’ve noticed – even with 16G of RAM, having three VMs on a MacBook Pro laptop doesn’t do it any favors. It’s slow and prone to hanging for 30+ seconds while switching between windows. Using a tower PC with multiple drives (at least one for the host OS and another for guests) would have been the way to go.

SANS GSE study – you're sure it does what the notes say?

So, now making notecards for the commands and tools mentioned in the last post. Tonight was iptables and some nmap. Funny thing: the SANS 401.3 book (p2-37) says that the default run for a sweep would be -sP (probe scan), and that this is an ICMP ‘ping sweep’. Well, looking at the SANS nmap cheat sheet it says the default probe is TCP 80,443 and ICMP. Guess what it actually is? [For nmap version 6.40] ICMP type 8, code 0 (echo request), TCP SYN to 443 and TCP ACK to 80, and finally ICMP type 13, code 0 (timestamp request). There is also a reverse lookup (DNS) unless you use the -n switch. You get the same result for a host or a range. The exception is if you are scanning a host (or a range) on your local subnet. In that case you get ARP requests only (well, you also get a reverse name lookup unless you use the -n option). Sometimes you need to just play with this stuff and figure it out for yourself. . . I was a bit surprised at the ACK to 80, but I’m sure Fyodor has a good reason for that.

[update]  The nmap man page has this in detail.  I hadn’t bothered to look.  Note to self: Keep those man pages handy!
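As an added example (not from the original post, and not nmap's own code), here is a small Python checker that runs over a constructed list of packet summaries and flags any source that sends all four default discovery probes described above to one target within a short window, plus the ARP-only case for the local subnet. The packet summary format, the one-second window and the three-target ARP threshold are assumptions; a real run would fill the list from a pcap.

```python
from collections import defaultdict

# Constructed packet summaries (not a real capture): (time, src, dst, proto, detail).
# ICMP detail is the ICMP type; TCP detail is (flags, dst_port); ARP detail is the
# IP asked for in a who-has request.  A real checker would fill this from a pcap.
SAMPLE_PACKETS = [
    (0.000, "10.0.0.5", "10.0.1.20", "icmp", 8),            # echo request
    (0.001, "10.0.0.5", "10.0.1.20", "tcp", ("S", 443)),    # SYN to 443
    (0.002, "10.0.0.5", "10.0.1.20", "tcp", ("A", 80)),     # ACK to 80
    (0.003, "10.0.0.5", "10.0.1.20", "icmp", 13),           # timestamp request
    (0.010, "10.0.0.5", "10.0.1.21", "icmp", 8),            # same quartet, next host
    (0.011, "10.0.0.5", "10.0.1.21", "tcp", ("S", 443)),
    (0.012, "10.0.0.5", "10.0.1.21", "tcp", ("A", 80)),
    (0.013, "10.0.0.5", "10.0.1.21", "icmp", 13),
    (4.000, "10.0.0.9", "10.0.1.20", "tcp", ("S", 443)),    # ordinary HTTPS client
    (6.000, "10.0.0.5", "10.0.0.1", "arp", "10.0.0.1"),     # local subnet: ARP only
    (6.001, "10.0.0.5", "10.0.0.2", "arp", "10.0.0.2"),
    (6.002, "10.0.0.5", "10.0.0.3", "arp", "10.0.0.3"),
]

def probe_kind(proto, detail):
    """Map one packet to one of the four default discovery probes, or None."""
    if proto == "icmp":
        return {8: "icmp-echo", 13: "icmp-timestamp"}.get(detail)
    if proto == "tcp":
        flags, port = detail
        if flags == "S" and port == 443:
            return "syn-443"
        if flags == "A" and port == 80:
            return "ack-80"
    return None

def find_host_discovery(packets, window=1.0):
    """(src, dst) pairs that got all four probes within `window` seconds."""
    seen = defaultdict(dict)                 # (src, dst) -> {probe: first time seen}
    for t, src, dst, proto, detail in packets:
        kind = probe_kind(proto, detail)
        if kind:
            seen[(src, dst)].setdefault(kind, t)
    return sorted(pair for pair, kinds in seen.items()
                  if len(kinds) == 4 and max(kinds.values()) - min(kinds.values()) <= window)

def find_arp_sweeps(packets, min_targets=3):
    """Sources sending who-has for at least `min_targets` distinct IPs (the local-subnet case)."""
    asked = defaultdict(set)
    for _, src, _, proto, detail in packets:
        if proto == "arp":
            asked[src].add(detail)
    return {src: len(ips) for src, ips in asked.items() if len(ips) >= min_targets}
```

The lone SYN to 443 from 10.0.0.9 is not flagged, which is the point: one of the probes on its own looks like normal traffic, the set of four together is the signature.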

SANS GSE – tools to study up on

I feel like I have a better handle on the packet analysis stuff – enough for this exam at any rate. Either way, I need to move on and work on making sure I’m fresh on the various labs for GCIH and GSEC. The main SANS GSE page lists some tools specifically; it’s time to go over those.

There is specific mention of office LibreOffice – something I’m not terribly excited about. Don’t get me wrong, open source is great, I just have an issue with office applications that have a tendency of crashing while I’m trying to write a report in them.

So, it’s on to creating flash cards for the most common command tools and ones specifically mentioned on the SANS GSE page. The below are ones I’m not totally comfortable on – basic unix commands like cd, rm, chmod, useradd I’m totally skipping. Some are rather extensive. The windows ‘net’ and ‘netsh’ commands have tons of options. . . Then there is PowerShell. Anyway, in rough order of perceived importance:

  • nmap/nmapfe/zenmap
  • snort
  • GPG
  • iptables (probably only filter rules, not mangle or nat)
  • tcpdump / tshark
  • Putty / ssh
  • winscp (I’ll do scp too)
  • netcat (I’m good with the standard stuff, but the ns scan methods and backpipe pivot . . not so much. Also, very handy when copy/paste fails in VMs)

Others I’ll include:

  • p0f
  • net (use, user)
  • netsh (advfirewall firewall set rule, )
  • powershell (well, that narrows this down, amirite? Searching for events, process list)
  • wmic (probably not a big concern – they aren’t going to have a 20+ node windows domain to look for a process on)

And still others:

  • dumpsec
  • mbsa (Microsoft Baseline Security Analyzer)
  • enum
  • Cain
  • md5sum
  • dd
  • jtr
  • stools/stegdetect. . . ?
  • apt/yum

Work Stoppage!

Well, I was off to a great start, then basically shut down during the holidays. There was a little studying here and there, but nothing like there should have been. There are about eight weeks left till the test.


Just to see, I decided to try to tackle the SANS 2013 holiday hack challenge. I fired up the Linux VM from SANS 503 with wireshark, SNORT, etc and dug through the pcap. After spending about 6 hours on it I decided to look through the winning answer write-up.

Not good.

I missed basic stuff like ARP poisoning, malicious email, SQL injection. The good: I saw the scans (looked like nmap), SMB password guessing attack (hydra?), buffer overflow attempts, Metasploit use with PSEXEC and VNC. I spent a while trying to play back VNC using chaosreader, but no go. Some of the network was mapped well, but the initial malicious host was missed.

Not good. . . not horrific either.

Now I’m working on better organizing my method for going through a pcap.

  1. Look at Statistics -> Conversations, TCP tab. Sort the bytes column to see the top talker sessions. Check UDP too. (In the challenge, the top session was a video device – resolved by filtering that traffic out and re-saving the PCAP – made things much faster)
    1. Two-packet conversations likely indicate trying to connect to a closed port. (SYN -> RST/ACK)
    2. Three-packet conversations likely indicate a TCP SYN scan (half open) finding an open port (SYN -> SYN/ACK -> RST)
    3. More on detecting scans here:
  2. Look at Analyze -> Expert filter. Look at the Errors and Warnings tabs. The Warnings tab has indicators of ARP attacks.
  3. I’ll work on this more later. . .
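An added example, not part of the original notes, that works the first two triage rules above on constructed TCP packet records: it builds direction-independent conversations the way Wireshark's Conversations tab does, ranks them by bytes, and labels the two-packet (SYN -> RST/ACK) and three-packet (SYN -> SYN/ACK -> RST) patterns per initiating host. The record format and the tcpdump-style flag letters are assumptions.

```python
from collections import defaultdict

# Constructed TCP records (not a real capture), in capture order:
# (src, sport, dst, dport, tcp_flags as tcpdump letters, frame_bytes)
SAMPLE = [
    ("10.0.0.5", 40001, "10.0.0.20", 22, "S", 60),
    ("10.0.0.20", 22, "10.0.0.5", 40001, "RA", 54),     # SYN -> RST/ACK: closed port
    ("10.0.0.5", 40002, "10.0.0.20", 80, "S", 60),
    ("10.0.0.20", 80, "10.0.0.5", 40002, "SA", 60),
    ("10.0.0.5", 40002, "10.0.0.20", 80, "R", 54),      # SYN -> SYN/ACK -> RST: half-open
    ("10.0.0.7", 50000, "10.0.0.30", 5000, "S", 60),    # a normal session (the "video device")
    ("10.0.0.30", 5000, "10.0.0.7", 50000, "SA", 60),
    ("10.0.0.7", 50000, "10.0.0.30", 5000, "A", 54),
    ("10.0.0.30", 5000, "10.0.0.7", 50000, "PA", 1514),
]

def conv_key(src, sport, dst, dport):
    # Direction-independent key, like the Conversations tab's TCP rows.
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)

def conversations(records):
    # Group packets by conversation, keeping initiator, flag sequence and byte total.
    convs = defaultdict(lambda: {"initiator": None, "flags": [], "bytes": 0})
    for src, sport, dst, dport, flags, length in records:
        c = convs[conv_key(src, sport, dst, dport)]
        c["initiator"] = c["initiator"] or src
        c["flags"].append(flags)
        c["bytes"] += length
    return convs

def top_talkers(records, n=3):
    """Step 1: conversation keys sorted by bytes, largest first."""
    convs = conversations(records)
    return sorted(convs, key=lambda k: convs[k]["bytes"], reverse=True)[:n]

def classify(flags):
    # Steps 1.1 and 1.2: the two- and three-packet rules from the notes above.
    if flags == ["S", "RA"]:
        return "closed port"
    if flags == ["S", "SA", "R"]:
        return "half-open scan, open port"
    return "other"

def scan_summary(records):
    # Per initiating host: how many conversations matched each scan rule.
    counts = defaultdict(lambda: {"closed port": 0, "half-open scan, open port": 0})
    for c in conversations(records).values():
        label = classify(c["flags"])
        if label != "other":
            counts[c["initiator"]][label] += 1
    return dict(counts)
```

A host that racks up many "closed port" conversations against one target is the scan signature the notes describe; the big-byte session at the top of the talkers list is the one to filter out first, as the challenge's video device was.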

Starting study plan for GSE 2-day lab

I’ve slacked off the past two weeks after the written test. Between end of semester and taking the GSE written I felt like I had earned some time off. I may not get started this weekend, but I do want to formulate my plan of attack for the lab in March.

I have Kali 1.0, but needed Fedora 20 (torrent link HERE:

I’ve started trolling through the giac-study Google group e-mails I’ve collected for GSE lab tips and tricks – there is some good (dated, but good) stuff in there. A notable quote: “If you don’t do IR as a day job , then continuous hands-on practice is the only way to pass the two day exam. Practice all the hands-on labs until you can do them without the books”. Another suggests making sure you are especially familiar with Wireshark (including extended features, analysis and extraction abilities), Metasploit (including the tasks performed in the lab sessions of GCIH), and command line tools. Suggestions for practice from various sources; the below is mostly packet analysis/network forensics based, the topic I feel weakest on:

A big list of pcap files to look at/analyze from CTF events, honeypots, etc:

Cheat sheets:

Additional education training/videos:

Additional challenges, including walkthroughs (not free, don’t know much about this other than they run a contest at DefCon):

My first order of business is to improve my packet analysis skills. I can do some generic BPF filtering, but the additional features of wireshark and tshark I’m still fuzzy on. . . I also need to get SiLK and BRO better in my head – specifically when, where, and how to use them.
