Archive for February, 2016

GSE study – writing incident reports

The one thing I just can’t seem to locate is a good sample computer security incident handling report. The closest thing I can find is documentation on what to include in a report and the write-ups for things like the SANS holiday challenge. What I’m going to go with is my own notes from the 6-step incident handling process from the SANS Hacker Techniques and Incident Handling class (504.1) and the report from the 2013 SANS holiday hack challenge.

Study progress – Windows Event logs and BRO commands

The SANS GSE lab is getting close now. Currently I’m trying to consolidate my notes and cheat-sheets. While looking for important Windows event IDs I came across a great, up to date (YEA!) cheat-sheet for Windows Indicators of Compromise at malwarearcheology. Also, some good Bro IDS log manipulation tips on the BRO website – I’m just looking for the basics here – top 10 talkers and stuff.

SANS GSE – testing against Mutillidae

Got Ubuntu server 15 installed. Looking at Mutillidae for testing things like SQL injection and XSS. There is a version bundled as a VM called Metasploitable, but there is an issue with the database name in a config (fixed, not horrible, but annoying). The big issue is that there is a newer version of Mutillidae out there and I’d rather use that. After installing it, finding and changing database name, user password, etc. – it doesn’t really work with the database components. . . . blah. Maybe I’ll just install it on the Ubuntu server.

Work continues on flash cards; the nmap one keeps growing and I still need to add nmap scripting engine stuff. There is a great SANS reading room page on nmap Windows scanning here. Besides that, running all the commands mentioned before and understanding how they work is the task for now. My understanding is that the SANS GSE is somewhat time sensitive, and not having to look up command syntax will save a good amount of time. Just as long as there is no expectation of blurting out an esoteric tar command off the cuff, right?

I’ve been in touch with a few other candidates that will be sitting the same day. Most seem to be about as prepared as I am. There were a few candidates a year or two ago that built a 100-page-ish GSE study guide and posted it to the Google groups page. There is a lot of stuff in there.

SANS GSE study – current progress

Got an e-mail yesterday from SANS. They are switching from Fedora to Ubuntu and apparently Burp Suite is included in the lab. I know about Burp Suite, but hadn’t used it because there were no labs in any of the courses. The labs had used ZAP, but that was back in 2014 – they probably changed it since then. I DO know that it is extremely popular, so I’m glad about that part. [ZAP is still on Kali, so one could use either]

The studying is going somewhat slowly this week. I haven’t gotten much sleep, and the midnight schedule is causing me to nod off a lot. One thing I’ve noticed – that even with 16G or RAM, having three VMs on a MacBook Pro laptop doesn’t do it any favors. It’s slow and prone to hanging for 30+ seconds while switching between windows. Using a tower PC with multiple drives (at least one for host OS and another for guests) would have been the way to go.

SANS GSE study – you’re sure it does what the notes say?

So, now making notecards for the commands and tools mentioned in the last post. Tonight was iptables and some nmap. Funny thing: the SANS 401.3 book (p2-37) says that the default run for a sweep would be -sP (probe scan), and that this is an ICMP ‘ping sweep’. Well, looking at the SANS nmap cheat sheet it says the default probe is TCP 80,443 and ICMP. Guess what it actually is? [For nmap version 6.40] ICMP 8,0 (echo request), TCP SYN to 443 and TCP ACK to 80, finally an ICMP 13,0 (timestamp request). There is also a reverse lookup (DNS) unless you use the -n switch. You get the same result for a host or a range. The exception is if you are scanning a host (or a range) on your local subnet. In that case you get ARP requests only (well, you also get a reverse name lookup unless you use the -n option). Sometimes you need to just play with this stuff and figure it out for yourself. . . I was a bit surprised at the ACK to 80, but I’m sure Fyodor has a good reason for that.

[update] The nmap man page has this in detail. I hadn’t bothered to look. Note to self: Keep those man pages handy!
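As an added example (not from the post) of how that default probe sequence looks from the defender's side: this Python parses constructed tcpdump-style lines and flags any source that sent at least three of nmap's four default host-discovery probes (ICMP echo, SYN to 443, ACK to 80, ICMP timestamp) to the same target. It only applies to off-subnet targets, since on the local subnet the post notes nmap falls back to ARP.

```python
"""Spot nmap's default host-discovery probe sequence in tcpdump -n output.
Added example; the log lines below are constructed, not a real capture."""
import re
from collections import defaultdict

# Constructed sample: 10.0.0.5 discovers 10.0.0.9 (all four probes) and
# 10.0.0.10 (timestamp request lost); 10.0.0.7 just opens a normal HTTPS connection.
SAMPLE = """\
10:00:01.000 IP 10.0.0.5 > 10.0.0.9: ICMP echo request, id 1, seq 0, length 8
10:00:01.001 IP 10.0.0.5.40000 > 10.0.0.9.443: Flags [S], seq 1, win 1024, length 0
10:00:01.002 IP 10.0.0.5.40000 > 10.0.0.9.80: Flags [.], ack 1, win 1024, length 0
10:00:01.003 IP 10.0.0.5 > 10.0.0.9: ICMP time stamp query id 1 seq 0, length 20
10:00:01.010 IP 10.0.0.5 > 10.0.0.10: ICMP echo request, id 1, seq 0, length 8
10:00:01.011 IP 10.0.0.5.40000 > 10.0.0.10.443: Flags [S], seq 1, win 1024, length 0
10:00:01.012 IP 10.0.0.5.40000 > 10.0.0.10.80: Flags [.], ack 1, win 1024, length 0
10:00:02.000 IP 10.0.0.7.51000 > 10.0.0.9.443: Flags [S], seq 5, win 64240, length 0
10:00:02.100 IP 10.0.0.9.443 > 10.0.0.7.51000: Flags [S.], seq 9, ack 6, win 65535, length 0
"""

TCP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP (echo request|time stamp query)")
PROBES = {"icmp_echo", "syn_443", "ack_80", "icmp_timestamp"}


def parse_probe(line):
    """Classify one tcpdump line as (src, dst, probe_kind), or None if it is
    not one of the four probes nmap -sP sends by default."""
    m = TCP_RE.search(line)
    if m:
        src, dst, dport, flags = m.group(1), m.group(3), int(m.group(4)), m.group(5)
        if flags == "S" and dport == 443:      # bare SYN to 443
            return src, dst, "syn_443"
        if flags == "." and dport == 80:       # bare ACK to 80 (no SYN first)
            return src, dst, "ack_80"
        return None
    m = ICMP_RE.search(line)
    if m:
        kind = "icmp_echo" if m.group(3).startswith("echo") else "icmp_timestamp"
        return m.group(1), m.group(2), kind
    return None


def find_discovery(text, min_probes=3):
    """Return {src: sorted targets} for sources that sent at least min_probes
    distinct probe kinds to a target. The default of 3 tolerates one dropped
    packet; that threshold is this example's assumption, not nmap's behaviour."""
    seen = defaultdict(set)
    for line in text.splitlines():
        hit = parse_probe(line)
        if hit:
            src, dst, kind = hit
            seen[(src, dst)].add(kind)
    result = defaultdict(list)
    for (src, dst), kinds in seen.items():
        if len(kinds & PROBES) >= min_probes:
            result[src].append(dst)
    return {src: sorted(targets) for src, targets in result.items()}
```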

SANS GSE – tools to study up on

I feel like I have a better handle on the packet analysis stuff – enough for this exam at any rate. Either way, I need to move on and work on making sure I’m fresh on the various labs for GCIH and GSEC. The main SANS GSE page lists some tools specifically; it’s time to go over those.

There is specific mention of LibreOffice – something I’m not terribly excited about. Don’t get me wrong, open source is great, I just have an issue with office applications that have a tendency of crashing while I’m trying to write a report in them.

So, it’s on to creating flash cards for the most common command tools and ones specifically mentioned on the SANS GSE page. The below are ones I’m not totally comfortable with – basic Unix commands like cd, rm, chmod, useradd I’m totally skipping. Some are rather extensive. The Windows ‘net’ and ‘netsh’ commands have tons of options. . . Then there is PowerShell. Anyway, in rough order of perceived importance:

  • nmap/nmapfe/zenmap
  • snort
  • GPG
  • iptables (probably only filter rules, not mangle or nat)
  • tcpdump / tshark
  • Putty / ssh
  • winscp (I’ll do scp too)
  • netcat (I’m good with the standard stuff, but the ns scan methods and backpipe pivot . . not so much. Also, very handy when copy/paste fails in VMs)

Others I’ll include:

  • p0f
  • net (use, user)
  • netsh (advfirewall firewall set rule)
  • powershell (well, that narrows this down, amirite? Searching for events, process list)
  • wmic (probably not a big concern – they aren’t going to have a 20+ node windows domain to look for a process on)

And still others:

  • dumpsec
  • mbsa (Microsoft Baseline Security Analyzer)
  • enum
  • Cain
  • md5sum
  • dd
  • jtr
  • stools/stegdetect. . . ?
  • apt/yum