Archive for March, 2016

Final thoughts before taking the SANS GSE lab

Well, this will be my last entry before the test. I have been studying for this test for quite a while, and hopefully all this preparation will pay off. If there is one parting thought to give it would be this: just because you read about a tool, technique or procedure does not mean you know what it does or how to do it. It’s a little bit like that line by Seraph in The Matrix Reloaded ‘You do not truly know someone until you fight them’. It sounds odd when applied to people, but it makes TOTAL SENSE when applied to computers:

One doesn’t really understand until one actually applies the knowledge; make it work, play around with it and break things, then get it working again. Once you’ve done that, only THEN do you really have an understanding of that tool, technique or procedure. Because hearing about a thing and being able to actually USE that thing are two, totally different. . . . . . things!


Oh, and don’t try to use Ettercap in VMware with NAT mode enabled. 😉


My parting gift (because I can’t do this after I take the test):

SANS GSE bring-along guide 2015-03-08

Ettercap, sslstrip, and Wireshark testing for SANS GSE study

Never actually played with ettercap and sslstrip until tonight. Grabbed everything in Wireshark and looked through it for IOCs after I was finished. ARP poisoning really sticks out if you know what to look for (because we all look, right? Yeaaahhhh). It also gave the victim machine some odd, slightly buggy network comms (especially web browsing). This may have been because all of this was over wireless through VMware on a somewhat underpowered laptop. . . Either way, it worked, and my notes have been updated with the technique and how to detect it.
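Since the post only says that ARP poisoning "sticks out if you know what to look for", here is an added example (mine, not the author's notes or any tool's code) of what to look for, applied to a constructed sequence of ARP frames rather than a real capture. The addresses and MACs are made up. It flags the three things a Wireshark pass over an ettercap session shows: replies that nobody asked for, an IP whose MAC suddenly changes, and one MAC claiming both the gateway and the victim, which is the man-in-the-middle signature.

```python
from collections import defaultdict

# Constructed ARP records (not a real capture):
#   (time_s, opcode, sender_ip, sender_mac, target_ip); opcode 1 = request, 2 = reply.
# Assumed layout: gateway 192.168.1.1 really is 00:11:22:33:44:01 and the victim
# 192.168.1.10 is 00:11:22:33:44:10. The attacker at 00:aa:bb:cc:dd:ee then claims
# both addresses and re-sends the poison every ~10 s, the way ettercap does.
SAMPLE_ARP = [
    (0.0,  1, "192.168.1.10", "00:11:22:33:44:10", "192.168.1.1"),   # legit request
    (0.1,  2, "192.168.1.1",  "00:11:22:33:44:01", "192.168.1.10"),  # legit reply
    (5.0,  2, "192.168.1.1",  "00:aa:bb:cc:dd:ee", "192.168.1.10"),  # unsolicited, MAC flips
    (5.0,  2, "192.168.1.10", "00:aa:bb:cc:dd:ee", "192.168.1.1"),   # same MAC claims victim too
    (15.0, 2, "192.168.1.1",  "00:aa:bb:cc:dd:ee", "192.168.1.10"),  # re-poison
    (15.0, 2, "192.168.1.10", "00:aa:bb:cc:dd:ee", "192.168.1.1"),
]


def detect_arp_poisoning(records, request_window=1.0):
    """Return a list of (kind, time, subject, detail) findings for ARP poisoning indicators."""
    findings = []
    ip_to_mac = {}                 # last MAC seen claiming each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    pending = {}                   # (answering_ip, asking_ip) -> time of the request

    for t, op, sip, smac, tip in records:
        if op == 1:
            # A request from sip for tip means a reply from tip to sip is expected.
            pending[(tip, sip)] = t
            continue
        if op != 2:
            continue

        # 1. Reply with no matching recent request: classic poisoning delivery.
        req_t = pending.pop((sip, tip), None)
        if req_t is None or t - req_t > request_window:
            findings.append(("unsolicited_reply", t, sip, smac))

        # 2. The IP-to-MAC binding changed: the victim's ARP cache is being rewritten.
        prev = ip_to_mac.get(sip)
        if prev is not None and prev != smac:
            findings.append(("mac_changed", t, sip, f"{prev}->{smac}"))
        ip_to_mac[sip] = smac

        # 3. One MAC answering for more than one IP: gateway and victim both point at the attacker.
        mac_to_ips[smac].add(sip)
        if len(mac_to_ips[smac]) > 1:
            findings.append(("mac_claims_multiple_ips", t, smac, sorted(mac_to_ips[smac])))

    return findings


def summarize(findings):
    """Count findings by kind."""
    counts = defaultdict(int)
    for kind, *_ in findings:
        counts[kind] += 1
    return dict(counts)


def suspect_macs(findings):
    """MACs that claimed more than one IP: the likely poisoner(s)."""
    return {subject for kind, _, subject, _ in findings if kind == "mac_claims_multiple_ips"}


if __name__ == "__main__":
    found = detect_arp_poisoning(SAMPLE_ARP)
    for f in found:
        print(f)
    print(summarize(found))
    print("suspects:", suspect_macs(found))
```

In a live capture the same three checks map onto Wireshark directly: the ARP dissector raises a "duplicate use of IP address" expert warning when a MAC changes for an IP, and filtering on `arp.duplicate-address-detected` pulls those frames out; replies that keep arriving on a fixed interval with no requests in between are the re-poisoning loop.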

I also went through a printed copy of the 100-page GSE document on Google Groups. Some information needed to be updated, including some variations of what a given command does. Overall it’s a great document that you should check out; however, don’t just print it out without going through the commands to understand what’s going on.

