SANS GSE study – your sure it does what the notes say?

So, now making notecards for the commands and tools mentioned in the last post. Tonight was iptables and some nmap. Funny thing; the SANS 401.3 book (p2-37) says that the default run for a sweep would be –sP (probe scan), and that this is an ICMP ‘ping sweep’. Well, looking at the SANS nmap cheat sheet it says the default probe is TCP 80,443 and ICMP. Guess what it actually is? [For nmap version 6.40] ICMP 8,0, TCP SYN to 443 and TCP ACK to 80, finally an ICMP 13,0 (timestamp request). There is also a reverse lookup (DNS) unless you use the -n switch.  You get the same result for a host or a range. The exception is if you are scanning a host (or a range) on your local subnet. In that case you get ARP requests only (well, you also get a reverse name lookup unless you use the –n option). Sometimes you need to just play with this stuff and figure it out for yourself. . . I was a bit surprised at the ACK to 80, but I’m sure Fyodor has a good reason for that.


SANS GSE – tools to study up on

I feel like I have a better handle on the packet analysis stuff – enough for this exam at any rate. Either way, I need to move on and work on making sure I’m fresh on the various labs for GCIH and GSEC. The main SANS GSE page lists some tools specifically; it’s time to go over those.

There is specific mention of office LibreOffice – something I’m not terribly excited about. Don’t get me wrong, open source is great, I just have an issue with office applications that have a tendency of crashing while I’m trying to write a report in them.

So, it’s on to creating flash cards for the most common command tools and ones specifically mentioned on the SANS GSE page. The below are ones I’m not totally comfortable on – basic unix commands like cd, rm, chmod, useradd I’m totally skipping. Some are rather extensive. The windows ‘net’ and ‘netsh’ commands have tons of options. . . Then there is PowerShell. Anyway, in rough order of perceived importance:

  • namp/nmapfe/zenmap
  • snort
  • GPG
  • iptables (probably only filter rules, not mangle or nat)
  • snort
  • tcpdump / tshark
  • Putty / ssh
  • winscp (I’ll do scp too)
  • netcat (I’m good with the standard stuff, but the ns scan methods and backpipe pivot . . not so much. Also, very handy when copy/paste fails in VMs)

Others I’ll include:

  • p0f
  • net (use, user)
  • netsh (advfirewall firewall set rule, )
  • powershell (well, that narrows this down, amirite? Searching for events, process list)
  • wmic (probably not a big concern – they aren’t going to have a 20+ node windows domain to look for a process on)

And still others:

  • dumpsec
  • mbsa (Microsoft Baseline Security Analyzer)
  • enum
  • Cain
  • md5sum
  • dd
  • jtr
  • stools/stegdetect. . . ?
  • apt/yum

Work Stoppage!

Well, I was off to a great start, then basically shut down during the holidays. There was a little studying here and there, but nothing like there should have been. There are about eight weeks left till the test.


Just to see, I decided to try to tackle the SANS 2013 holiday hack challenge. I fired up the Linux VM from SANS 503 with wireshark, SNORT, etc and dug through the pcap. After spending about 6 hours on it I decided to look through the winning answer write-up.

Not good.

I missed basic stuff like ARP poisoning, malicious email, SQL injection. The good: I saw the scans (looked like nmap), SMB password guessing attack (hyrda?), buffer overflow attempts. metasploit use with PSEXEC and VNC. I spent a while trying to playback VNC using chaosreader, but no go. Some of the network was mapped well, but the initial malicious host was missed.

Not good. . . not horrific either.

Now I’m working on better organizing my method for going through a pcap.

  1. Look at Statistics à Conversations, TCP tab. Sort bytes column to see top talker sessions. Check UDP too. (In the challenge, the top session was a video device – resolved by filtering that traffic out and re-saving the PCAP – made things much faster)
    1. Two-packet conversations likely indicate trying to connect to a closed port. (SYN –> RST/ACK)
    2. Three-packet conversations likely indicate a TCP SYN scan (half open) can finding an open port (SYN à SYN/ACK à RST)
    3. More on detecting scans here:
  2. Look at Analyze à Expert filter. Look at errors and warnings tabs. Warnings tab has indicators of ARP attacks.
  3. I’ll work on this more later. . .

Starting study plan for GSE 2-day lab

I’ve slacked off the past two weeks after the written test. Between end of semester and taking the GSE written I felt like I had earned some time off. I may not get started this weekend, but I do want to formulate my plan of attack for the lab in March.

I have Kali 1.0, but needed Fedora 20 (torrent link HERE:

I’ve started trolling through the giac-study Google group e-mails I’ve collected for GSE lab tips and tricks – there is some good (dated, but good) stuff in there. A notable quote: “If you don’t do IR as a day job , then continuous hands-on practice is the only way to pass the two day exam. Practice all the hands-on labs until you can do them without the books”. Another suggests making sure you are especially familiar with Wireshark (including extended features, analysis and extraction abilities), Metasploit (including the tasks performed in the lab sessions of GCIH), and command line tools. Suggestions for practice from various sources; the below is mostly packet analysis/network forensics based, the topic I feel weakest on:



A big list of pcap files to look at/ analyze from CTF events, honeypots, etc:


Cheat sheets:


additional education training/videos:


additional challenges, including walkthroughs (not free, don’t know much about this other than they run a contest at DefCon):



My first order of business is to improve my packet analysis skills. I can do some generic BPF filtering, but the additional features of wireshark and tshark I’m still fuzzy on. . . I also need to get SiLK and BRO better in my head – specifically when, where, and how to use them.

Passed SANS GSE written!

Just got back from taking the test. Scored a 94.6% with 20 min left. Test was 150 questions with a 3-ish hour time limit (I forget if it was 3 or 3.5 hr). The study plan was to get a 91%, so I’m pleasantly surprised. The minimum passing score is somewhere in the mid 70’s, but I wanted plenty of wiggle room with the lab portion of the exam, and what GSE would want to pass with the bare minimum? The first half hour of the test was the most stressful. After that, I hit my stride and methodically worked through it, checking my time remaining at every checkpoint to make sure I wasn’t taking too long looking up items to verify my answers. If you have ever taken a GIAC test, you know that you get checkpoint scores every so often. . .

At any rate, you now know the materials I used to study, what I brought with me and how I created my index for the written portion of the SANS GSE.  Good luck to you!

Now the real preparation begins – for the GSE lab, hopefully in March :)


Final preparations for SANS GSE written test

Getting a little nervous I haven’t studied enough for the GSE written – you know, 20+ hours a week for 3 months and change. Looked at a few sites dealing with the multiple choice portion here: (yes, it’s from almost 5 years ago) and here ( – the ‘official word’ on the matter). There is also a helpful post from Courtney Imbert to the giac-study google groups e-mail list (dated 10/15/13? I don’t tend to delete e-mails very often.), although it seems directed more to the lab portion of the exam. For those who don’t know, Courtney is the GIAC tech director and has a GSE, so her advice merits close attention on two counts.


Oh, and I caved and started printing man pages. Couldn’t find a good one online, so I went into the SANS 503 virtual machine, did a ‘man snort | col –b > snort.txt’, then used netcat to move it to my OSX box (repeated for syslog, tcpdump and nc). Pro-tip: if you do this, use narrow margins to prevent occasional wordwrap in MS word.

SANS GSE certification progress – indexes, colored tabs, and verify what you’ve done!

[had a post for Nov 26 – lost it due to a computer crash while watching a youtube video on Clash of Clans. . . CURSE YOU GAME ADDICTION!!!!!]


Completed indexes, including SANS GCIA (503) workbook (that thing is a monster). Saved them, made a copy, sorted them, verified the term, page number, and any notes all line up. This may sound goofy, but one thing to double-check before going to a SANS test: verify your index is correct before you take any GIAC test! Why make such a silly statement? Because I happen to know someone who didn’t verify their index before they went to the test. On Question 2 they realized that something was horribly wrong; when they sorted the index, they only sorted the term and page columns, not the book column. Sucks right? Yeaahhh, ok – it was me. . . That was on the GPEN exam I took last year. Thankfully, I knew the material well, had tabs in the books for major topics, and still managed a good grade.

Oh, and tabs – put tabs in your books for major topics. I also sometimes put tabs along the top for major tools. Yes, I go through colored tabs frequently.


Anyway – the final index is 150+ pages, so I put that in a three-ring binder. Yes, I made an index with over 6500 entries for SANS 504, 503, and 401. Also going in there: the various cheat sheets, and all those pretty header diagrams from SANS 503.


Oh, and I just pillaged the GSE Google docs repository. Some good stuff in there, but I’m not going to print off the 50+ manpage references. . . now that I say that. . . maybe I shoul. . .NO!!! I’m not gonna do it. . . nooooooo.


This is getting a little sad at this point – I’m listening to SANS recordings instead of music. Hour long drive to work? You can fit a session in each way. Going to the grocery store? That’s 15min. Putting the final index together? You should really re-listen to GCIH 504 Day 2 (currently on hour 3, Maltego – and reconnaissance. You did the lab, right?).


Oh. . format string vulnerabilities – I still don’t get that. (504.3 p164-180)

SANS GSE test study update – getting everything organized and in one place

Felt pretty crappy today, so I stayed home to rest. One of the things I’ve saved till last is the SANS 503 Intrusion Detection In-Depth workbook. It’s big.

The only non-workbook. . . book I have left is SANS Security Essentials 401.5 (The Windows day). Now to start getting all the indexes in one place. The question is – do I combine them into one master index of SANS 401, 503 & 504 or keep them all separate? Probably both, just to be safe. I’ll be bringing a stack of books over a foot high to the testing center. . .what’s another ¼ inch?

One other thing – I need to get organized. I’ve left various SANS books, CDs and cheat-sheets here and there. Now getting everything organized and figuring out what’s the newest version has taken over an hour to do.   Ugh.

SANS GSE progress – what order to study/outline books

I’ve taken one day off every other week to try to get ahead, but there is also a holiday in there, that’s helping me out. Yea! Currently I’m a little ahead, with only three books left (one is the massive 503 GCIA lab book). I’ve found indexing the 401 material to be somewhat basic – I’m wishing I had done that first to get it out of the way and have the more difficult material fresh in mind.

So far, it seems that I’m on track to take the test the first week of December as planned. IF all goes well, I’ll have four months or so to study for the practical part of the exam.

Need more time to study for SANS GSE test

Thinking of taking one day off / week from work until test day. If I take one day off every other week, I won’t be burning too much vacation time. . .

Return top