<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
> <channel><title>Offensive Security</title> <atom:link href="http://www.offensive-security.com/feed/" rel="self" type="application/rss+xml" /><link>http://www.offensive-security.com</link> <description>Offensive Security</description> <lastBuildDate>Tue, 31 Jan 2012 03:08:21 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <item><title>Live Training in St. Kitts and Nevis</title><link>http://www.offensive-security.com/offsec/live-training-in-st-kitts-and-nevis/</link> <comments>http://www.offensive-security.com/offsec/live-training-in-st-kitts-and-nevis/#comments</comments> <pubDate>Wed, 25 Jan 2012 18:19:15 +0000</pubDate> <dc:creator>admin</dc:creator> <category><![CDATA[Offensive Security]]></category> <guid
isPermaLink="false">http://www.offensive-security.com/?p=7673</guid> <description><![CDATA[Our recent Penetration Testing with BackTrack Live Training in St. Kitts was a great success. This was the first time that we have done the class in the Caribbean, and we were really curious to see how it would go &#8211; as there is no denying there are some obstacles to overcome. First off, there are many US companies that ...]]></description> <content:encoded><![CDATA[<p
style="text-align: justify;">Our recent Penetration Testing with BackTrack Live Training in St. Kitts was a great success.</p><p
style="text-align: justify;">This was the first time that we have done the class in the Caribbean, and we were really curious to see how it would go &#8211; as there is no denying there are some obstacles to overcome. First off, many US companies will not send employees to training outside the US. Second, when you are looking at training and you see a location in what amounts to paradise, you can’t help but wonder how much work is actually going to be done.</p><p><img
class="aligncenter" src="/images/offsec-home-ad.png" alt="" width="910" height="144" /></p><p
style="text-align: justify;">However, Offensive Security has a strong reputation for working our students hard, and that reputation allowed us to fill the class to capacity. Any thoughts of leisure time while class was in session were quickly dashed. You know a class is going well when, in a tropical paradise, the class is dismissed for the day and no one leaves the room because they are so engrossed in the work they have been doing.</p><p
style="text-align: center;"><a
href="/preregistration.php?cid=21&#038;lid=61" class="button_link hover_fade"><span>Sign-up for PWB Live Training</span></a> <a
href="/preregistration.php?cid=27&#038;lid=62" class="button_link hover_fade"><span>Sign-up for AWE Live Training</span></a></p><p><span
class="pullquote3 alignright">We had to literally kick some students out at the end of the day, so they would go get something to eat. This level of engagement is what we as trainers love to see.</span></p><p>This being our first class at this location, we had a few interesting lessons we learned:</p><ul
class="fancy_list"><li
class="arrow_list"><p
style="text-align: justify;">Far from being a distraction, the location turned out to be a huge asset to the success of the class. Students were far enough away from their employers to focus on the class while still being available for emergencies. One of the biggest problems in any live training is a student who can&#8217;t focus on the material because of employer interruptions, and the easier it is to get hold of the employee, the more likely that is to happen. By conducting the training in St. Kitts we saw far fewer interruptions of this sort than in any other class we have conducted.</p></li><li
class="arrow_list"><p
style="text-align: justify;">Offensive Security classes are known for requiring a lot from students in and out of the classroom. Evening distractions are a real issue, as we want students to be able to focus on the material so that they come to class prepared the next day. Compared to other popular training locations, St. Kitts was a great mix: a pleasant, peaceful location that is not a party destination full of evening distractions.</p></li><li
class="arrow_list"><p
style="text-align: justify;">The facilities gave us total control over the entire computing infrastructure. The computers that Offensive Security provided, together with the mini lab that we deployed in the environment, worked out great. With over 25 different systems for students to target during class while testing the techniques they were learning, students had every opportunity to put their new skills to the test.</p></li></ul><p
style="text-align: justify;">All of this led to a wonderful learning environment for everyone involved. We saw a great degree of teamwork and such positive attitudes from the students that the entire class should be proud of itself.</p><p
style="text-align: justify;">If that was not enough, we were also able to bring Johnny Long to the class as a surprise guest. Johnny contributed his many years of penetration testing experience and his unique perspective to the class. We are pleased that Johnny will be joining us in future trainings in St. Kitts. It was such a positive experience that we could not wait to do it again!</p><h4 style="text-align: center;">We are proud to announce that on December 3rd-7th, 2012, we will be conducting <a
href="/live-information-security-training/pentesting-with-backtrack/">Penetration Testing with BackTrack (PWB)</a> and <a
href="/live-information-security-training/advanced-windows-exploitation/">Advanced Windows Exploitation (AWE)</a>, live in the Caribbean!</h4><div
class="one_half"> <a
href="/preregistration.php?cid=21&amp;lid=61"><img
src="/wp-content/uploads/2012/01/stkitts.jpg" alt="Penetration Testing with BackTrack" title="Penetration Testing with BackTrack" width="540" height="256" class="aligncenter size-full wp-image-7768" /></a></div><div
class="one_half last"> <a
href="/preregistration.php?cid=27&amp;lid=62"><img
src="/wp-content/uploads/2012/01/stkitts-awe.jpg" alt="Advanced Windows Exploitation" title="Advanced Windows Exploitation" width="540" height="256" class="aligncenter size-full wp-image-7769" /></a></div><div
class="clearboth"></div><h5>A few student testimonials of the St. Kitts PWB course</h5><blockquote>The course itself was a humbling and enlightening experience. All the instructors were not only knowledgeable but also had no arrogant demeanor; on the contrary, everyone was extremely accessible, friendly and helpful. Asking a question was comfortable, and that is rare.</blockquote><blockquote>The location and facilities were amazing; the beach setting makes this really appealing, and the food, people and atmosphere were very welcoming. Hard to beat.</blockquote><blockquote>The classroom and systems were just great. I was expecting outages and interruptions due to the nature of the attendees, but I was surprised by the opposite. All systems seemed very stable, solid and reliable for the class.</blockquote><h2>Find out more</h2><p>Don&#8217;t wait to sign up, as both of these classes consistently sell out. And once word gets out about how well the first <a
title="Penetration Testing with BackTrack" href="/information-security-training/penetration-testing-with-backtrack/">PWB class</a> in St. Kitts went, we are sure this one will be at capacity very soon.</p><p>International direct flights are available from London, Toronto, New York, Atlanta, Charlotte, and Miami.</p><p>If you have any questions about the class, please <a
title="Contact Us" href="/contact-us/">contact us</a>.</p><p
style="text-align: center;"><a
href="/preregistration.php?cid=21&#038;lid=61" class="button_link hover_fade"><span>Sign-up for PWB Live Training</span></a> <a
href="/preregistration.php?cid=27&#038;lid=62" class="button_link hover_fade"><span>Sign-up for AWE Live Training</span></a></p> ]]></content:encoded> <wfw:commentRss>http://www.offensive-security.com/offsec/live-training-in-st-kitts-and-nevis/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Modern Warfare Students vs Trainers 0&#215;2</title><link>http://www.offensive-security.com/offsec/modern-warfare-students-vs-trainers-0x2/</link> <comments>http://www.offensive-security.com/offsec/modern-warfare-students-vs-trainers-0x2/#comments</comments> <pubDate>Wed, 18 Jan 2012 17:16:52 +0000</pubDate> <dc:creator>admin</dc:creator> <category><![CDATA[Offensive Security]]></category> <guid
isPermaLink="false">http://www.offensive-security.com/?p=6981</guid> <description><![CDATA[<p
style="text-align: justify;">Our first modern warfare tournament against our students was... humbling. Don't get me wrong, we had our victories, but all in all we left the grounds wounded and limping. Between getting blown up by RPGs, massacred by drones or carpet bombed by B52's we didn't have it easy. Unfortunately, this was all documented and very soon, the screenshots and youtube videos arrived. The ones voted the best, somehow involved me getting blown up, as you can see below.</p>]]></description> <content:encoded><![CDATA[<p
style="text-align: justify;">Our first Modern Warfare tournament against our students was&#8230; humbling. Don&#8217;t get me wrong, we had our victories, but all in all we left the grounds wounded and limping. Between getting blown up by RPGs, massacred by drones or carpet bombed by B52s, we didn&#8217;t have it easy.</p><p
style="text-align: justify;">Unfortunately, this was all documented &#8230;and very soon, the screenshots and youtube videos arrived. The ones voted the best, somehow involved me getting blown up (as you can see below).</p><p
style="text-align: center;"><div
class='video_frame'><iframe
id='youtube_video_1' class='youtube_video' style='height:340px;width:560px' src='http://www.youtube.com/embed/ggCAT4Vw0Qw?autohide=2&amp;autoplay=0&amp;controls=1&amp;disablekb=0&amp;fs=0&amp;hd=0&amp;loop=0&amp;rel=1&amp;showinfo=1&amp;showsearch=1&amp;wmode=transparent&amp;enablejsapi=1' width='560' height='340' frameborder='0'></iframe></div><div
class="divider"></div></p><p
style="text-align: justify;">At first glance, there&#8217;s nothing really exciting in these videos. However, if you take some time to notice the characters involved&#8230; On the top video, you will see what seems to be a rocket-propelled grenade making its way to my face. On the bottom video, you will see me heroically walking into a claymore. In both cases, the ones responsible for my virtual demise are forever appreciated by past, present and future Offsec students.</p><p
style="text-align: center;"><div
class='video_frame'><iframe
id='youtube_video_2' class='youtube_video' style='height:340px;width:560px' src='http://www.youtube.com/embed/sbJhXMHrpPs?autohide=2&amp;autoplay=0&amp;controls=1&amp;disablekb=0&amp;fs=0&amp;hd=0&amp;loop=0&amp;rel=1&amp;showinfo=1&amp;showsearch=1&amp;wmode=transparent&amp;enablejsapi=1' width='560' height='340' frameborder='0'></iframe></div><div
class="divider"></div></p><p><span
class="pullquote4 aligncenter"><span>Needless to say, the event was a blast&#8230;and we will be holding our next event on Saturday, February 11th, 2:00 PM EST</span></span></p><p>We will announce the registration date in a future post. Stay tuned!</p> ]]></content:encoded> <wfw:commentRss>http://www.offensive-security.com/offsec/modern-warfare-students-vs-trainers-0x2/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Re-Discover Your Inner Pirate</title><link>http://www.offensive-security.com/offsec/re-discover-your-inner-pirate/</link> <comments>http://www.offensive-security.com/offsec/re-discover-your-inner-pirate/#comments</comments> <pubDate>Wed, 18 Jan 2012 15:45:59 +0000</pubDate> <dc:creator>johnny</dc:creator> <category><![CDATA[Offensive Security]]></category> <guid
isPermaLink="false">http://www.offensive-security.com/?p=6916</guid> <description><![CDATA[<p
style="text-align: justify;">Johnny here, again...I'm excited to announce that Muts and I will be co-presenting the second Pentesting With Backtrack course on December 3-7, 2012 in St. Kitts! I'm excited on a couple of different levels. First, I'm excited to get back to St. Kitts. Maybe it's the inner pirate calling me back to the Caribbean, or maybe it's just that the place is so exotic and beautiful. I enjoyed the breathtaking views with white beaches, mountains and electric blue water so much that on some days I wonder why I haven't just packed up and moved there.</p>]]></description> <content:encoded><![CDATA[<p
style="text-align: justify;">Johnny here, again&#8230;I&#8217;m excited to announce that Muts and I will be co-presenting the second <a
title="Pentesting with BackTrack" href="http://www.offensive-security.com/information-security-training/penetration-testing-with-backtrack/" target="_blank">Pentesting With Backtrack</a> course on December 3-7, 2012 in St. Kitts! [Matteo Memelli will be training Advanced Windows Exploitation (AWE) in St. Kitts too.]</p><blockquote><p>I&#8217;m excited on a couple of different levels.</p></blockquote><p
style="text-align: justify;">First, I&#8217;m excited to get back to St. Kitts. Maybe it&#8217;s the inner pirate calling me back to the Caribbean, or maybe it&#8217;s just that the place is so exotic and beautiful. I enjoyed the breathtaking views with white beaches, mountains, and electric blue water so much that on some days I wonder why I haven&#8217;t just packed up and moved there. It will be so great to see my Kittitian friends, enjoy another pig roast and lobster roast and take in the cool sea breeze on the deck of the Catamaran during the all-expense-paid cruise to Nevis marking the end of the course.</p><p
style="text-align: justify;">Second, I&#8217;m excited about the course itself. It was such a rush seeing the students just blossom before my eyes. They all came in at different levels of skill and experience, but each one of them came away stronger and more well-rounded pen testers with lots of new tricks up their sleeves. The CTF was especially thrilling as they put their skills to the test, conquered a few machines, and learned where their weaknesses were. At the end of the course, each student seemed to have gained confidence and everyone was excited to get into the Offsec labs to learn, play, and discover.</p><p
style="text-align: justify;">Third, I&#8217;m excited to do what I can to improve the course. In the past few months, I&#8217;ve been poring over the course material looking for ways to smooth out the presentation and fill in some of the gaps I picked up on. It&#8217;s my goal to up the ante as much as possible while keeping the amazing balance of the course intact. The students should always Try Harder™, but I want to be sure their foundation is a bit stronger before we push them over the edge to try out their wings. I also want to make sure the stronger students aren&#8217;t bored, so I&#8217;ll be working through the &#8220;extra mile&#8221; activities to keep them challenged.</p><p
style="text-align: justify;">I will admit to being a bit intimidated about the course, though. As you know from my previous posts, some of the material was new to me. So as I&#8217;m going over the course with a fine-toothed comb to improve it, I&#8217;ll also be digging in and doing some hardcore studying and playing to fill in the gaps in my own knowledge so that I know exactly what I&#8217;m doing. I also want to be able to field tough questions from the sharpshooters and be able to properly diagnose any problems the students might run into.</p><p
style="text-align: justify;">There is still time to register, although seats will fill up fast, so if you&#8217;re interested, now&#8217;s the time. Head on over to the <a
title="Pentesting with BackTrack" href="http://www.offensive-security.com/information-security-training/penetration-testing-with-backtrack/" target="_blank">Pentesting with BackTrack</a> course page and register. I&#8217;m looking forward to seeing you in the Caribbean in December!</p><p
style="text-align: center;"><a
href="http://www.offensive-security.com/preregistration.php?cid=21&#038;lid=61" class="button_link hover_fade"><span>SIGN UP TODAY</span></a></p> ]]></content:encoded> <wfw:commentRss>http://www.offensive-security.com/offsec/re-discover-your-inner-pirate/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Announcing the OSEE Certification</title><link>http://www.offensive-security.com/offsec/announcing-the-awe-osee-certification/</link> <comments>http://www.offensive-security.com/offsec/announcing-the-awe-osee-certification/#comments</comments> <pubDate>Mon, 16 Jan 2012 21:48:52 +0000</pubDate> <dc:creator>admin</dc:creator> <category><![CDATA[Offensive Security]]></category> <guid
isPermaLink="false">http://www.offensive-security.com/?p=6236</guid> <description><![CDATA[<p
style="text-align: justify;">Since the inception of our <a
title="Advanced Windows Exploitation" href="http://www.offensive-security.com/live-information-security-training/advanced-windows-exploitation/" target="_blank">Advanced Windows Exploitation</a> (AWE) course, our students (who are always searching for more pain) have been asking for an accompanying certification exam. We are very pleased to announce the launch of the Offensive Security Exploitation Expert (OSEE) certification.</p>]]></description> <content:encoded><![CDATA[<p
style="text-align: justify;">Since the inception of our <a
title="Advanced Windows Exploitation" href="http://www.offensive-security.com/live-information-security-training/advanced-windows-exploitation/" target="_blank">Advanced Windows Exploitation (AWE)</a> course, our students (who are always searching for more pain) have been asking for an accompanying certification exam. We are very pleased to announce the launch of the <a
href="http://www.offensive-security.com/information-security-certifications/osee-offensive-security-exploitation-expert/" title="Offensive Security Exploitation Expert">Offensive Security Exploitation Expert (OSEE)</a> certification.</p><p
style="text-align: justify;">The <a
href="http://www.offensive-security.com/information-security-certifications/osee-offensive-security-exploitation-expert/" title="Offensive Security Exploitation Expert">OSEE</a> joins our <a
href="http://www.offensive-security.com/information-security-certifications/oswp-offensive-security-wireless-professional/" title="Offensive Security Wireless Professional">OSWP</a>, <a
href="http://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/" title="Offensive Security Certified Professional">OSCP</a>, and <a
href="http://www.offensive-security.com/information-security-certifications/osce-offensive-security-certified-expert/" title="Offensive Security Certified Expert">OSCE</a> certifications and fully adheres to the Offensive Security &#8220;lack of sleep&#8221; standards, with its grueling 72-hour time frame in which candidates must develop exploits for specific unknown vulnerabilities in our dedicated certification exam lab.</p><p
style="text-align: justify;">As our AWE students know all too well, this certification, in keeping with <a
title="Try Harder" href="http://www.offensive-security.com/when-things-get-tough/" target="_blank">Offensive Security tradition</a>, will not be a walk in the park, but the pain and agony will be well worth it in earning this most difficult of certifications. The OSEE certification exam thoroughly assesses not only the student&#8217;s understanding of the <a
title="AWE Syllabus" href="http://www.offensive-security.com/documentation/advanced-windows-exploitation.pdf" target="_blank">course content</a>, but also their ability to think laterally and adapt to new challenges.</p><h5>New Certification</h5><div
class="one_half"><p
style="text-align: justify;">All former AWE students are eligible to take the OSEE exam free of charge up until July 30th, 2012. To receive a scheduling link to experience the OSEE challenge, email orders with your OSID.</p><p
style="text-align: justify;">For those who have not had the pleasure of experiencing AWE, the course covers advanced exploitation techniques such as:</p></div><div
class="one_half last"><ul
class="fancy_list"><li
class="star_list">Egghunters</li><li
class="star_list">DEP and ASLR Bypass</li><li
class="star_list">Custom Shellcode Creation</li><li
class="star_list">Unicode Exploitation</li><li
class="star_list">Windows Kernel Driver Exploitation</li><li
class="star_list">Precision Heap Spraying</li></ul></div><div
class="clearboth"></div><p
style="text-align: justify;">For more information, please see the <a
title="Advanced Windows Exploitation (AWE) Syllabus" href="http://www.offensive-security.com/documentation/advanced-windows-exploitation.pdf" target="_blank">Advanced Windows Exploitation (AWE) Syllabus</a>. If you&#8217;d like to take your exploitation skills to the next level and have the opportunity to &#8220;enjoy&#8221; the unique experience of the <a
href="http://www.offensive-security.com/information-security-certifications/osee-offensive-security-exploitation-expert/" title="Offensive Security Exploitation Expert">OSEE</a> challenge, our next AWE course will be held in <a
title="Live Training in St. Kitts" href="http://www.offensive-security.com/information-security-training/advanced-windows-exploitation/">St. Kitts</a> this March, and seats are still available, so <a
title="Offsec Course Registration" href="http://www.offensive-security.com/preregistration.php">Sign-Up</a> today.</p> ]]></content:encoded> <wfw:commentRss>http://www.offensive-security.com/offsec/announcing-the-awe-osee-certification/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>MW3 Staff vs Students 0x1</title><link>http://www.offensive-security.com/offsec/mw3-staff-vs-students-0x1/</link> <comments>http://www.offensive-security.com/offsec/mw3-staff-vs-students-0x1/#comments</comments> <pubDate>Tue, 10 Jan 2012 09:57:22 +0000</pubDate> <dc:creator>dookie</dc:creator> <category><![CDATA[Offensive Security]]></category> <guid
isPermaLink="false">http://www.offensive-security.com/?p=4887</guid> <description><![CDATA[<p
style="text-align: justify;">Want a chance to get even? For years we have been running classes that take great joy in torturing our students. We ask a lot of you, and the classes and certifications prove it. However, there is no way around it: sometimes we can drive you nuts. Here’s your chance to get even, MW3-style.</p>]]></description> <content:encoded><![CDATA[<h3 style="color: #990000; text-align: center;">Want a chance to get even?</h3><p
style="text-align: justify;">For years we have been running classes that take great joy in torturing our students. We ask a lot of you, and the classes and certifications prove it. However, there is no way around it: sometimes we can drive you nuts. Here’s your chance to get even, MW3-style.</p><p
style="text-align: justify;">Of course, we take great pride in driving you crazy. Sometimes it&#8217;s the highlight of our day. When you come up with a question and we say Try Harder™, it&#8217;s because we not only want to turn you into a better person but also love that look of despair on your face.</p><p>But we understand. Sometimes you would love to just get even.</p><h3 style="color: #990000; text-align: center;">Well, now you can.</h3><p
style="text-align: justify;">This Friday, January 13th, starting at 6PM EST, we will be running a students vs instructors match on <a
title="Modern Warfare 3" href="http://www.callofduty.com/mw3" target="_blank">Call of Duty Modern Warfare 3</a> on Xbox Live. If you&#8217;ve ever wanted to shoot us, stab us, frag us, or noob-tube us, this is your chance.</p><p>This will be a private match with the bloodbath open to registered students, past and present, and you will need to &#8220;register&#8221; first. In order to take part, you will need to have a copy of Modern Warfare 3 for the Xbox, be on <a
title="Xbox Live" href="http://www.xbox.com/en-US/live" target="_blank">Xbox Live</a>, and have a decent Internet connection (no lag!). Let us know your LiveID and be online Friday the 13th at 6PM EST. (PS3 and PC players, sorry!)</p><p
style="text-align: justify;">Due to size limitations, <span
style="color: #ff0000;">we will only be able to accept the first 9 students along with 4 alternates</span>. So sign up soon using the form at the bottom of this post. If you don&#8217;t get in on this match, don&#8217;t despair. If this works well, we will do another of these in February. There is no prize, just the satisfaction of getting even. This is the first one of these we are doing, so come with a bag of patience as we figure out what works best.</p><p>If you have not played Modern Warfare before, be sure to watch this before you consider starting: <a
href="http://youtu.be/zuzaxlddWbk" target="_blank">http://youtu.be/zuzaxlddWbk</a></p><p
style="text-align: justify;">To sign up for the Offsec MW3 0x1 Tournament, please fill out the form below. <span
style="color: #ff0000;">We will not use this information for anything other than our MW3 Tournaments</span> and only Offsec students with an OSID may apply.</p><p>PLEASE verify that you will be available at <a
href="http://timeanddate.com/worldclock/converter.html" target="_blank">6:00PM EST</a> on Friday, Jan 13 2012 before submitting!</p> ]]></content:encoded> <wfw:commentRss>http://www.offensive-security.com/offsec/mw3-staff-vs-students-0x1/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>PWB in the Caribbean, Part 5</title><link>http://www.offensive-security.com/offsec/pwb-in-the-caribbean-part-5/</link> <comments>http://www.offensive-security.com/offsec/pwb-in-the-caribbean-part-5/#comments</comments> <pubDate>Wed, 04 Jan 2012 00:01:01 +0000</pubDate> <dc:creator>dookie</dc:creator> <category><![CDATA[Offensive Security]]></category> <guid
isPermaLink="false">http://www.offensive-security.com/?p=4860</guid> <description><![CDATA[<p
style="text-align: justify;">In this final post of our <a
href="http://www.offensive-security.com/live-information-security-training/live-training-in-the-caribbean/" target="_blank">PWB in the Caribbean</a> series, Johnny picks up from where he left off in <a
href="http://www.offensive-security.com/offsec/pwb-in-the-caribbean-part-4/" title="PWB in the Caribbean Part 4" target="_blank">Part 4</a>, reflecting on his experiences during the week and the impact it has had on him personally. Without further delay, we'll let Johnny wrap up the series.</p>]]></description> <content:encoded><![CDATA[<p
style="text-align: justify;">In this final post of our PWB in the Caribbean series, Johnny picks up from where he left off in <a
href="http://www.offensive-security.com/offsec/pwb-in-the-caribbean-part-4/" title="PWB in the Caribbean Part 4" target="_blank">Part 4</a>, reflecting on his experiences during the week and the impact it has had on him personally. Without further delay, we&#8217;ll let Johnny wrap up the series.</p><h3 style="color:#990000;">“This is tough. There’s a lot going on. This connecting to that.. all over the place. If you need help, tough luck.” -Muts</h3><p
style="text-align: justify;">The astute reader may be asking an interesting question: “Why in the world is Johnny Long taking a <a
href="http://www.offensive-security.com/information-security-training/penetration-testing-with-backtrack/" title="PWB Live" target="_blank">PWB</a> course in the Caribbean?”</p><p>Itʼs a fair question. After all, I spent more than ten years in the field of security as my sole profession. Iʼve performed hundreds of penetration tests and physical assessments for scores of government, military and Fortune-100 clients with a nearly flawless kill ratio. It stands to reason that I would have little to learn from a class like this. Well, Iʼve already outlined pretty clearly how the course filled in a lot of gaps for me, despite a spectacular career in the industry. Itʼs clear that anyone at any level can benefit from the course.</p><p
style="text-align: justify;">But the question still stands. After all, Iʼm “semi-retired”. I ran off to Africa to run <a
href="http://www.hackersforcharity.org/" title="Hackers for Charity" target="_blank">Hackers for Charity</a> and Iʼve been living off a shoestring budget for the past couple of years, on the periphery of the industry in a developing country where I suffer technical atrophy each and every day. So why in the world did I invest in a jaunt to the Caribbean to sit in the PWB course? It doesnʼt seem to map properly to my current career tangent, and it certainly begs the question of where, exactly, as a self-employed charity hacker, I came up with the funds.</p><p
style="text-align: justify;">In an effort to properly answer these questions, I must employ a bit of full disclosure. Muts and the entire Offensive Security organization have been long-time friends of mine and big supporters of my work with Hackers For Charity. Weʼve been connected at the hip through many joint podcasts, fund-raising events, and conference activities. Through the years, weʼve gotten to be a bit like family, we share a mutual respect for each other, and get along famously.</p><p>Muts and I have had several lengthy discussions through the years about “whatʼs next” not only for Hackers for Charity but also for <a
href="http://www.backtrack-linux.org/" title="BackTrack Linux" target="_blank">BackTrack</a> and Offensive Security. Most of our discussions would end tangentially, with both of us retreating to our separate corners to unravel some heady, tangled webs of ideas. Some of those ideas bore fruit (such as the fundraisers for the BT4 release and <a
href="http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training" title="Metasploit Unleashed" target="_blank">Metasploit Unleashed</a> and the migration of the <a
href="http://www.exploit-db.com/google-dorks/" title="Google Hacking Database" target="_blank">Google Hacking Database</a> into <a
href="http://www.exploit-db.com/" title="Exploit Database" target="_blank">Exploit DB</a>) while too many others were put on hold thanks in no small part to our mutually busy schedules.</p><p
style="text-align: justify;">Since this past <a
href="http://defcon.org/" title="Defcon" target="_blank">Defcon</a>, and more specifically since <a
href="http://www.derbycon.com/" title="DerbyCon" target="_blank">DerbyCon</a>, a few of our discussion points started to converge and bubble back to the surface.<br
/> For example, I would whine to Muts that I missed the industry, missed doing pen tests and hated the technical atrophy that I felt in Uganda. I told him on more than one occasion that even though the <a
href="http://www.hackersforcharity.org/what-weve-done/" title="Hackers for Charity Projects" target="_blank">work in Uganda</a> was worthwhile, “I felt like a piece of me was dying.” Muts would scratch his head, and ask how he could help and I would reply with a pathetic, “I dunno, whatcha got?”</p><p>Or, I would ask Muts why the highly-regarded <a
href="http://www.offensive-security.com/" title="Offensive Security" target="_blank">Offsec training</a> doesnʼt expand and he would reply, “We need more great instructors,” followed by an all-too-knowing response of, “Know of anyone who might be interested?”</p><p
style="text-align: justify;">At some point, Muts and I realized that there were too many unexplored possibilities in our relationship and it was time to see if there was any potential in a partnership. (Ehh.. Be good. You know what I mean.)</p><p>With the PWB course around the corner, Muts offered to fly me from Uganda to check out the course. He paid for all my expenses and admittedly it was a risky business proposition for him, but this wasnʼt really like business at all. Rather, it was the logical next step. He was in essence saying, “Hereʼs what we do.” He did ask one thing of me. He asked if I would audit the class, keep an honest record of my experience, and provide the class with “war stories” as I saw fit.</p><h3 style="color:#990000;">What you have read over these past few posts is my honest account.</h3><p
style="text-align: justify;">My glowing review is in no part due to Offsec funding my trip. If my review had been negative, Offsec would have likely used it to improve the course and not blogged about it.</p><p>As youʼve read, my experience was well beyond every expectation. The instructors are top-notch. The material is well-thought-out, balanced, relevant and challenging. My bond with this team strengthened and on so many levels, I realized I wanted to be a part of the magic that is Offensive Security.<br
/> Since the course, Muts and I have had more focused discussions. Muts was genuinely surprised when I asked if there was a part-time slot on the Offsec team for me.</p><p
style="text-align: justify;">So this will serve as my official announcement. Beginning in mid-December, I began working with Offensive Security on a part-time basis. My work with Hackers for Charity will continue, but for twenty hours a week I will do what I can to forward the goals of Backtrack and Offensive Security. Iʼm thrilled to be a part of such an amazing team and I look forward to working with a group Iʼve come to think of as family.<br
/> Initially, I will be focused on the PWB course. I will be reviewing the content, updating the course and lab manual, digging deep into the material to solidify my knowledge in each discipline we cover, and eventually Iʼll be stepping in as an instructor.</p><p
style="text-align: justify;">So like I said, PWB was quite literally a transformative course. Iʼm excited to have been a part of it, and I hope youʼll <a
href="http://www.offensive-security.com/preregistration.php" title="Offsec Course Registration" target="_blank">join us</a> for the next one in the Caribbean in March 2012.</p> ]]></content:encoded> <wfw:commentRss>http://www.offensive-security.com/offsec/pwb-in-the-caribbean-part-5/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>PWB in the Caribbean, Part 4</title><link>http://www.offensive-security.com/offsec/pwb-in-the-caribbean-part-4/</link> <comments>http://www.offensive-security.com/offsec/pwb-in-the-caribbean-part-4/#comments</comments> <pubDate>Fri, 30 Dec 2011 00:07:09 +0000</pubDate> <dc:creator>dookie</dc:creator> <category><![CDATA[Offensive Security]]></category> <guid
isPermaLink="false">http://www.offensive-security.com/?p=4811</guid> <description><![CDATA[<p
style="text-align: justify;">When we last left off in <a
href="http://www.offensive-security.com/offsec/pwb-in-the-caribbean-part-3/" title="PWB in the Caribbean Part 3" target="_blank">Part 3</a> of our series of posts on Johnny's experience at our recent <a
href="http://www.offensive-security.com/live-information-security-training/live-training-in-the-caribbean/" title="Offsec Training St Kitts" target="_blank">PWB in the Caribbean</a> course, he was experiencing the highs and lows of exploit development, emerging triumphantly in the end. Part 4 picks up where we left off last time so we'll let Johnny take it from here.</p>]]></description> <content:encoded><![CDATA[<p
style="text-align: justify;">When we last left off in <a
href="http://www.offensive-security.com/offsec/pwb-in-the-caribbean-part-3/" title="PWB in the Caribbean Part 3" target="_blank">Part 3</a> of our series of posts on Johnny&#8217;s experience at our recent <a
href="http://www.offensive-security.com/information-security-training/penetration-testing-with-backtrack/" title="Pentesting with BackTrack" target="_blank">PWB</a> in the Caribbean course, he was experiencing the highs and lows of exploit development, emerging triumphantly in the end. Part 4 picks up where we left off last time so we&#8217;ll let Johnny take it from here.</p><h3 style="color:#990000;">“I donʼt care about eating. I want shell.” &#8211; Student</h3><p
style="text-align: justify;">The day continued and the content became increasingly more technical and the exercises became more difficult. A demonstration of the <a
href="http://www.offensive-security.com/pwbonline/ani.html" title="ANI Exploit" target="_blank">ANI exploit</a> involved an EIP overwrite, several NOP sleds and a couple of pointer redirects that produced a trampoline effect that eventually landed on our payload and executed a shell. It was like poetry in motion, explosive yet graceful. The class was in awe. It was as if the exploit writer had assembled a complex puzzle by expertly placing lit firecrackers into a box full of pieces.</p><p>The demonstrations were impressive, but they werenʼt designed to impress us with the allure of the magicianʼs talent. Instead, through follow-on exercises, the magician took us back-stage, taught us his secrets and put us confidently on stage in our own show.</p><p
style="text-align: justify;">But even though it seemed like magic, this was no illusion and these werenʼt mere parlor tricks. This was the heart and soul of what defines a hacker, the truest definition, devoid of morality and ethics. And by extension, this was the essence of our profession, a perfect example of the art that is true penetration testing. More holistic than just “hacking”, we had been taught a critical, reproducible process that eventually landed us here, perched precariously on the sharpest of edges, manipulating the system at its lowest level, one byte at a time.</p><p>Through demonstration, intense hands-on exercises executed under the watchful eye of some of the finest instructors I have ever encountered, each and every student, regardless of their level of experience, was empowered. Sure we learned, but more than that we were thrilled and excited; our eyes opened. Each student left changed.</p><h3 style="color:#990000;">This was transformative technical training at its very best.</h3><p
style="text-align: justify;">Iʼve described PWB as “transformative technical training at its very best”, and I meant that.<br
/> I spoke to many students about the course and each one shared the excitement I felt. Most of them were excited to get out of class and play in the lab.<br
/> Each student gains access to the Offensive Security labs, which are stocked with dozens of virtual machines, multiple subnets, and routers all stood up with real-world configurations that simulate a wide range of challenges youʼll face in a real pen test. However, the Offsec staff have taken pride in creating several mind-bending situations within the labs that will fray even the most hardened professional. The virtual walls of the Offsec lab are spattered with the blood, sweat, and tears of more than one security expert. Just the thought of attacking these beastly machines is intimidating, but each and every student was anxious for their login so they could sharpen their skills and claim the most relevant and challenging <a
href="http://www.offensive-security.com/information-security-certifications/" title="Offensive Security Certifications" target="_blank">security certifications</a> in the industry.</p><p
style="text-align: justify;">I canʼt speak for every student in the class. But I can speak for my experience and I can definitely say that I left the <a
href="http://www.offensive-security.com/live-information-security-training/pentesting-with-backtrack/" title="PWB in the Caribbean" target="_blank">PWB</a> class changed in more than one way.<br
/> I left the class with a clear view of where my weaknesses lie. It was a humbling experience. So for the past few weeks, Iʼve been consumed by a hunger to learn more, to fill in those personal weaknesses I discovered. Iʼm heads down in a debugger and working my way through several books on Metasploit, Assembly and shellcode. And Iʼm learning fast. Not too shabby for an old dog who was convinced he couldnʼt learn new tricks. I left the course encouraged and excited to get to work building my knowledge. More than that, I have a clear plan, the tools I need, access to a massive virtual lab to play in, and a knowledge foundation that will propel me to the next level. I also have access to the best instructors in the business and thought-leaders in the industry as well as a solid community of past Offsec students who are just as excited as I am.</p><p>Something else has changed as well&#8230;</p><p
style="text-align: justify;">Stay tuned for our next installment of &#8220;Memoirs of a Cyber Pirate&#8221;. If you want to experience <a
href="http://www.offensive-security.com/information-security-training/penetration-testing-with-backtrack/" title="Pentesting with BackTrack" target="_blank">Pentesting with BackTrack</a> or <a
href="http://www.offensive-security.com/information-security-training/advanced-windows-exploitation/" title="Advanced Windows Exploitation" target="_blank">Advanced Windows Exploitation</a> yourself, we are running both courses this March in St. Kitts so <a
href="http://www.offensive-security.com/preregistration.php" title="Offsec Course Registration" target="_blank">Sign-up</a> today while there are still some seats available.</p> ]]></content:encoded> <wfw:commentRss>http://www.offensive-security.com/offsec/pwb-in-the-caribbean-part-4/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>PWB in the Caribbean, Part 3</title><link>http://www.offensive-security.com/backtrack/pwb-in-the-caribbean-part-3/</link> <comments>http://www.offensive-security.com/backtrack/pwb-in-the-caribbean-part-3/#comments</comments> <pubDate>Wed, 28 Dec 2011 05:58:07 +0000</pubDate> <dc:creator>dookie</dc:creator> <category><![CDATA[BackTrack Linux]]></category> <guid
isPermaLink="false">http://www.offensive-security.com/?p=4769</guid> <description><![CDATA[In <a
href="http://www.offensive-security.com/offsec/pwb-in-the-caribbean-part-2/" title="PWB in the Caribbean Part 2" target="_blank">Part 2</a> of our series of posts on the recent <a
href="http://www.offensive-security.com/live-information-security-training/live-training-in-the-caribbean/" title="Pentesting with BackTrack Live Training" target="_blank">PWB in the Caribbean</a> course, Johnny was desperately seeking an exit from the upcoming pain that is exploit development. However, he didn't come up with an escape plan quickly enough and his tale continues in this latest diary entry.</p>]]></description> <content:encoded><![CDATA[<p>In <a
href="http://www.offensive-security.com/offsec/pwb-in-the-caribbean-part-2/" title="PWB in the Caribbean Part 2" target="_blank">Part 2</a> of our series of posts on the recent <a
href="http://www.offensive-security.com/information-security-training/penetration-testing-with-backtrack/" title="Pentesting with BackTrack" target="_blank">PWB</a> in the Caribbean course, Johnny was desperately seeking an exit from the upcoming pain that is exploit development. However, he didn&#8217;t come up with an escape plan quickly enough and his tale continues in this latest diary entry.</p><h3 style="color:#990000;">“Let me not hack myself for a sec&#8230;” Muts</h3><p
style="text-align: justify;">Within minutes, he was tracing through some code. He clicked a few buttons in Immunity Debugger, changed one JMP instruction to a JNZ and bypassed a registration screen in a piece of windows software. (He also explained that he had purchased the software, and explained the ethical dilemma caused by this type of activity). Muts made it look so simple and I was stunned to realize that I actually understood what he was doing. He unfolded the demo with such finesse that even a noob like me understood the concepts. It was like magic.</p><p
style="text-align: justify;">Muts whisked us over to the <a
href="http://www.exploit-db.com/" title="Exploit Database" target="_blank">Exploit Database</a> and pointed out a Windows remote overflow exploit. With the vulnerable service already loaded on our student VM, he walked through the serviceʼs code in the debugger, explaining how it worked and then directed us to a very basic python script that connected to the service and fed it data. He was fuzzing the application, searching for the vulnerable input vector. It was new stuff for me and it was relatively advanced, but like the simple JMP-turned-JNZ from the previous exercise, I understood what was going on. Muts had this way of making advanced topics actually make sense.</p><p
style="text-align: justify;">Eventually, the service barfed and Muts flipped back to the debugger. He stepped through the code, revealing exactly what had happened when the buffer finally overflowed. There were familiar terms like “stack” and “EIP” and “NOP sled”. I knew the terms, but I had never actually seen them put to use. Muts flipped over to <a
href="http://metasploit.com/" title="Metasploit" target="_blank">Metasploit</a>, generated shellcode, encoded it and stuffed it into the ever-growing python fuzzer script.</p><p>He launched the script and just like that, he had shell, and much to my surprise, I understood exactly how it happened.</p><p
style="text-align: justify;">The demo took about a half hour and my posture gradually improved as he rolled through it. I wasnʼt slumped in my chair on the brink of despair anymore. I was sitting upright on the edge of my seat, hungry for more. The rest of the class was fully engaged as well. Then Muts spoke up. “Now, itʼs your turn.” I was thrilled. I so wanted to do this.<br
/> Muts was still talking, probably giving us advice, but I didnʼt hear a word he said. I was firing up my debugger, launching the vulnerable service and fuzzing my way through the exercise. I knew this feeling well, but after years of pen testing and years of semi-retirement, I had almost forgotten how this felt. It was amazing. With my environment set up and my adrenaline pumping, I flipped over to the debugger and froze.</p><h3 style="color:#990000;">“What button did he click in the debugger to set a breakpoint?” I thought.</h3><p
style="text-align: justify;">The details were in the lab guide, so I started flipping through the pages to figure out the finer details I had already forgotten from the demo. At first, it was a color-by-numbers affair, but after a while, things started making more sense as I gained confidence with not only the applied concepts, but the syntaxes and mechanisms of the tools.<br
/> Iʼd like to say that everything worked out perfectly for me during this exercise. Iʼd really like to say that. But eventually I hit a brick wall. No matter what I did, I couldnʼt get my shellcode to execute. I double-checked my offsets and stepped through my exploit in the debugger. Everything looked great until my shellcode began to execute and then.. nothing.</p><p
style="text-align: justify;">No one else seemed to be having this problem and most of the other students already had shell. I should have asked for help, but pride got the better of me and I feverishly worked through the break to sort out the problem. This was a mistake. My frustration was mounting and the clock was ticking. With the break nearing an end, I let out the faintest squeak of a plea for help and the instructors immediately started tag-teaming the problem to get me through the exercise. I was amazed at their competence. They flew through the debugger and tore through my code and came up with a consensus: I had an “<a
href="http://en.wikipedia.org/wiki/Off-by-one_error" title="Off by One Error" target="_blank">off by one</a>” issue and to make matters worse, Metasploit was, for some unknown reason, producing bad shellcode. It was reproducible and only happened on my machine. After a few tweaks to the work environment, my code executed without modification. My own code produced a shell. Needless to say, I was thrilled!</p><p
style="text-align: justify;">The instructors were a great encouragement, telling me that “off-by-ones are common” and that they, “hadnʼt seen Metasploit do that before,” and that, “I had done really well.” I came away with a great deal of respect for the instructors. They took the time to help one struggling student so that no one would be left behind. They did this time and time again, not just for the “celebrity student” but for anyone that ran into a problem. During each exercise, the full staff was out of their seats, moving through the class looking for opportunities to help.<br
/> In my case, their diligence helped me turn a corner. I was really in the pit of despair when I eventually let on that I was struggling, but that didnʼt diminish the excitement I felt when I got that shell, because I knew, for the first time, every detail that made that shell possible. This was not at all like the thousands of shells I had popped thanks to someone elseʼs exploit.</p><p
style="text-align: justify;">And just like that, all my experience in the field was amplified and became crystalized. I was envious of the students in the class that were just beginning their careers in pentesting because their perspectives on security would have a clarity that mine had been lacking for far too long.</p><p
style="text-align: justify;">If you would like to experience the thrill of developing your first exploit or are looking to take your exploit skills to the next level, we are running both the <a
href="http://www.offensive-security.com/information-security-training/penetration-testing-with-backtrack/" title="Pentesting with BackTrack Live Training" target="_blank">Pentesting with BackTrack</a> and <a
href="http://www.offensive-security.com/information-security-training/advanced-windows-exploitation/" title="Advanced Windows Exploitation Live" target="_blank">Advanced Windows Exploitation</a> courses in beautiful St. Kitts in March. <a
href="http://www.offensive-security.com/preregistration.php" title="Offsec Course Registration" target="_blank">Sign-up</a> today while there are still seats left. No whining later!</p> ]]></content:encoded> <wfw:commentRss>http://www.offensive-security.com/backtrack/pwb-in-the-caribbean-part-3/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>PWB in the Caribbean, Part 2</title><link>http://www.offensive-security.com/backtrack/pwb-in-the-caribbean-part-2/</link> <comments>http://www.offensive-security.com/backtrack/pwb-in-the-caribbean-part-2/#comments</comments> <pubDate>Wed, 21 Dec 2011 13:30:26 +0000</pubDate> <dc:creator>dookie</dc:creator> <category><![CDATA[BackTrack Linux]]></category> <guid
isPermaLink="false">http://www.offensive-security.com/?p=4748</guid> <description><![CDATA[<p
style="text-align: justify;">In our ongoing series covering our most recent live <a
href="http://www.offensive-security.com/live-information-security-training/live-training-in-the-caribbean/" title="PWB Live Training" target="_blank">PWB in the Caribbean</a> course, Johnny picks up from <a
href="http://www.offensive-security.com/offsec/pwb-in-the-caribbean-part-1/" title="PWB in the Caribbean Part 1" target="_blank">Part 1</a> and provides an inside and personal look at the course as it picks up speed and increases in difficulty.</p>]]></description> <content:encoded><![CDATA[<p
style="text-align: justify;">In our ongoing series covering our most recent live <a
href="http://www.offensive-security.com/information-security-training/penetration-testing-with-backtrack/" title="Pentesting with BackTrack" target="_blank">PWB</a> in the Caribbean course, Johnny picks up from <a
href="http://www.offensive-security.com/offsec/pwb-in-the-caribbean-part-1/" title="PWB in the Caribbean Part 1" target="_blank">Part 1</a> and provides an inside and personal look at the course as it picks up speed and increases in difficulty.</p><h3 style="color:#990000;">The Pain Begins</h3><p
style="text-align: justify;">Day three brings some pretty heavy discussion about <a
href="http://metasploit.com/" title="Metasploit" target="_blank">Metasploit</a>. My experience with Metasploit is dated by at least two major revisions, which means I have a lot of catching up to do. Jim picks up a portion of the instruction on day three, and one thing that strikes me is his proficiency with the framework. Muts frequently turns to Jim for esoteric-sounding advice and when Jim takes the podium, his confidence encourages us. Thereʼs so much to know about Metasploit; there are so many features and utilities, so many facets, and so many usage possibilities that it can be overwhelming. How in the world can anybody know so much about it?</p><p
style="text-align: justify;">Then I remember: Jim and Muts along with Devon Kearns and Dave Kennedy literally wrote the book on Metasploit. Their experience and efforts culminated in the recent release of <a
href="http://nostarch.com/metasploit" title="Metasploit: The Penetration Tester's Guide" target="_blank">Metasploit: The Penetration Testerʼs Guide</a>, the best and only “sanctioned” book on the subject, authorized and assisted by none other than H.D. Moore and the Metasploit development team. Needless to say, their knowledge on the subject runs deep.</p><p
style="text-align: justify;">This is also evident in the teamʼs knowledge of <a
href="http://www.backtrack-linux.org/" title="BackTrack Linux" target="_blank">BackTrack</a>, the de-facto standard toolset for professional penetration testers. After all, the instructors are not only core developers and hardcore power users of BackTrack, but also career penetration testers.<br
/> In an industry awash in technical, security, and “hacking” training, there are very few courses developed, taught, and supported by such hardened, recognized experts in the field. As if thatʼs not rare enough, each of them is humble and approachable and can bring highly-technical material down to earth.<br
/> The more I work with this team, the more amazed I am by them.</p><h3 style="color:#990000;">“When you start slapping yourself for me, I know I’ve done a good job.” -Muts</h3><p
style="text-align: justify;">Muts warned us. He told us that the class would increase in intensity and difficulty as the week progressed. I made it through the first modules relatively unscathed. My experience in the field kept me afloat as I adjusted to the challenges of student life (I never was a good student). Then, my worst nightmares were realized as Muts casually announced the beginning of a section on buffer overflows.</p><p
style="text-align: justify;">In my days of pentesting, I served as an unofficial team leader (or mascot, Iʼm not sure which). This role(s) suited me well. I was able to remain conversational across different disciplines and recruit team members to serve as specialists in each discipline. After time, I became a jack-of-all-trades but unfortunately this meant that I was also a master of none. Because of this, I never took the time to learn Assembly. I was conversational about buffer overflow techniques. I could regurgitate definitions and techniques and hold an intelligent conversation on the subject. I could execute tools that exploited buffer overflows and more appropriately, I knew when to execute them. After a while, I convinced myself that Assembly was unnecessarily obtuse, a language relegated to the most hardcore geeks. Buffer overflows and other low-level software vulnerabilities by extension, were for the geekiest of the geeks. Members of my team loved that stuff, so I let them concentrate on it to the exclusion of all else. Because of this, I eventually convinced myself that I didnʼt really need to know much more about what was under the covers of my favorite exploits. So, I skipped over “all that low-level stuff” but secretly I dreaded the day when I would be forced to admit that I didnʼt know Assembly and that by extension, I wasnʼt a real hacker.<br
/> Mutsʼ words hung in the air. “Weʼll look at buffer overflows today,” he began. The room dipped as he fired off a string of dreaded nouns. “Disassembler. Assembly. Debugger. Fuzzer.”</p><h3 style="color:#990000;">I was so screwed, and I knew it.</h3><p
style="text-align: justify;">I needed months, not hours, to absorb this stuff. There was no possible way I was going to be able to follow this. My survival instinct began to kick in and I found myself concocting a complex plan to bail without drawing any undue attention to myself, but it was too late. Muts had jumped right in&#8230;</p><p
style="text-align: justify;">Stay tuned for Johnny&#8217;s next installment coming soon. Want to experience <a
href="http://www.offensive-security.com/information-security-training/penetration-testing-with-backtrack/" title="PWB Live" target="_blank">Pentesting with BackTrack</a> yourself? We still have seats available for both PWB and <a
href="http://www.offensive-security.com/information-security-training/advanced-windows-exploitation/" title="AWE Live" target="_blank">Advanced Windows Exploitation</a> in beautiful St. Kitts so <a
href="http://www.offensive-security.com/preregistration.php" title="Offsec Course Registration" target="_blank">Sign-Up</a> now before they run out.</p> ]]></content:encoded> <wfw:commentRss>http://www.offensive-security.com/backtrack/pwb-in-the-caribbean-part-2/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>PWB in the Caribbean, Part 1</title><link>http://www.offensive-security.com/offsec/pwb-in-the-caribbean-part-1/</link> <comments>http://www.offensive-security.com/offsec/pwb-in-the-caribbean-part-1/#comments</comments> <pubDate>Thu, 15 Dec 2011 10:57:48 +0000</pubDate> <dc:creator>muts</dc:creator> <category><![CDATA[Offensive Security]]></category> <guid
isPermaLink="false">http://www.offensive-security.com/?p=4692</guid> <description><![CDATA[<p
style="text-align: justify;">Quite often, people tend to wonder what it's like to experience an Offensive Security live training course. At our most recent live <a
title="PWB" href="http://www.offensive-security.com/live-information-security-training/pentesting-with-backtrack/" target="_blank">Pentesting with BackTrack</a> course in <a
title="PWB" href="http://www.offensive-security.com/live-information-security-training/live-training-in-the-caribbean/" target="_blank">St. Kitts</a>, we had in attendance, Johnny Long of <a
title="PWB" href="http://www.hackersforcharity.org/" target="_blank">Hackers for Charity</a> and he was good enough to keep a journal of his experiences during the course.</p>]]></description> <content:encoded><![CDATA[<p
style="text-align: justify;">Quite often, people tend to wonder what it&#8217;s like to experience an Offensive Security live training course. At our most recent live <a
title="PWB" href="http://www.offensive-security.com/information-security-training/penetration-testing-with-backtrack/" target="_blank">Pentesting with BackTrack</a> course in St. Kitts, we had in attendance, Johnny Long of <a
title="PWB" href="http://www.hackersforcharity.org/" target="_blank">Hackers for Charity</a> and he kept a journal of his experiences during the course. In this series of blog posts, we hope to give you a glimpse into what it is like to experience our live training and hope that you will <a
title="PWB" href="http://www.offensive-security.com/preregistration.php?cid=21&amp;lid=0" target="_blank">join us</a> for our next course in the Caribbean!</p><p>We&#8217;ll let Johnny take it from here:</p><h3 style="color: #990000;">Day One</h3><p><img
style="float: right; margin: 0 0 0 10px;" src="http://www.offensive-security.com/wp-content/uploads/2011/12/class-small-1.png" alt="st.kitts pwb class" /><br
/> There is a reality behind these tools. There are stories. Stories of security, vulnerabilities, and weaknesses. Stories of real machines with real data on real networks run by and serving real people. It&#8217;s easy to begin to believe that this is a game when you&#8217;re fooling around with these tools, but this course brings the reality of security into sharp focus.</p><p
style="text-align: justify;">For years, I have relied on <em>which</em> and <em>find</em> on my Linux systems to find things I needed. I was introduced to <em>locate</em> and its companion <em>updatedb</em>, which works much better and much faster than <em>find</em>. I&#8217;ve been using Linux for over ten years and I don&#8217;t consider myself an expert, but it was refreshing to learn a few new Linux tricks within the first hour of the course.</p><p
style="text-align: justify;">Muts is teaching about bash scripting, imploring the benefits of strong &#8220;bash-fu&#8221; and knowledge of five helpful UNIX commands: <em>sed</em>, <em>awk</em>, <em>grep</em>, <em>cut</em> and <em>paste</em>. As a long-time Linux user, this is a pleasant surprise. These tools are the foundation for most of the work we do as pentesters. I read way too much forum jabber from frustrated users trying to do something highly technical only to be stymied by a misunderstanding of these fundamentals.</p><p
style="text-align: justify;">This is fact. But is it accepted fact? Well, for anyone that might be on the fence about this, let me break it down as simply as I can. There are at least six solid reasons you should take the time to learn shell scripting and the &#8220;big five&#8221;:</p><ol><li>Shell syntax can be a stumbling block when you&#8217;re learning the ropes. If you&#8217;re working through a tutorial and running commands you&#8217;re barely familiar with, you&#8217;re faced with many variables that can kill the learning process. Eliminate at least one of them by learning shell syntax. Most of us will notice the difference between &#8220;cd ..&#8221; and &#8220;cd..&#8221;, but when an HTML-hungry blog post turns &#8220;cat &lt;&lt; EOF&#8221; into &#8220;cat EOF&#8221;, a solid understanding of shell syntax will flatten your learning curve and ease your frustration.</li><li>Shell pipelines glue together strings of commands, feeding the output from one command to the input of another. This is necessary since there is hardly ever one tool that gives you exactly what you&#8217;re looking for. Most often, you&#8217;ll need to run several commands in sequence, feeding bits and pieces of your output into another command. Some graphical tools are nice, but command-line tools allow for more depth. Real power exists in chaining command-line tools together, even manually. Strong bash-fu allows you to channel this power into speed, and time is of the essence on a pen test.</li><li>Compound commands (like <em>for</em>, <em>select</em>, <em>case</em> and others) allow you to run commands iteratively. This is especially useful when you need a quick and dirty way to run a command with a variety of inputs. Many command-line security tools allow for this type of iteration through the use of parameters but it&#8217;s important to remember that there will be situations when you&#8217;ll need to use a tool in a way the developer never intended. 
Isn&#8217;t this hacking?</li><li>The &#8220;big five&#8221; (<em>sed</em>, <em>awk</em>, <em>grep</em>, <em>cut</em> and <em>paste</em>) are indispensable for too many reasons to list. Personally, I find them indispensable for data mining. In my days of pen testing, one skill that set me apart as an expert was my ability to properly wrangle large quantities of data to get to the information I was after. I always relied on these tools along with bash scripting to accomplish this very quickly. Too often, I see seasoned security experts wrestling with a specialized tool when <em>awk</em> would accomplish their needs just fine.</li><li>Chaining tools together and parsing the output for useful information will enhance your understanding of the individual tools and will also expand your understanding of the underlying technologies that make the tools so effective. Along the way, you will get a real feel for the underpinnings of the process of pen testing and will inevitably discover ways to improve and expand the process, which leads to mastery. There is no real shortcutting this with graphical tools.</li><li>Once you&#8217;ve gained some confidence with these tools and techniques, you&#8217;ll begin to create specialized shell scripts that harness the speed and power gains into your own customized, flexible, and reusable toolsets. These toolsets will serve you well and will grow with you as your skills improve. I&#8217;ve lost a lot of things through the years thanks to pathetic discipline with backups and a penchant for fiddling too much with my machines. Of all the things I&#8217;ve lost, I miss my mind the most. Of all the things I&#8217;ve lost, I miss my collection of shell scripts the second-most. Tools can always be downloaded again, and operating systems can be rebuilt. But my shell scripts represented months of personal time investment and contained the distilled output of my years of experience in the field. 
Start your own collection, and back them up.</li></ol><p
style="text-align: justify;">Take my advice and Mati&#8217;s as well: Begin with at least a few days of study in bash scripting and never stop learning more. Learn <em>grep</em>, <em>sed</em> and <em>awk</em>. Learn <em>cut</em> and <em>paste</em>, and memorize the bash built-ins. Start building your own collection of self-made bash scripts for the functions you perform most often. They will serve you well.</p><blockquote><p><span
style="color: #990000; font-size: 20px;">There simply is no substitute for strong bash-fu.</span></p></blockquote><p
style="text-align: justify;">Muts is talking about wireshark. He made a mention of a goofy sniffer back in the day that had all these crazy dashboards and was confusing to say the least. I remember sniffers like this. When I was getting my start in IT, sniffers were dedicated hardware devices for hardcore geeks. They were bulky, confusing and kludgey. Looking back, I realize that the device itself kept me from learning more about networking. It seemed &#8220;too hard&#8221; and way too close to electrical engineering to make any sense to me.</p><p>Then came tcpdump, followed by ethereal, followed by wireshark. Now, sniffers are apps. Yes, there are still hardware sniffers that can hang with terabit, but it doesn&#8217;t take much to learn about networking these days. You fire up your sniffer app (wireshark is the de-facto standard today), you generate network traffic and you check it out.</p><p>This is another one of those exercises I think is shortcutted far too often. With sniffers being easily accessible (and bundled with BackTrack of course), there&#8217;s no reason not to dig into networking. You can (and should) read books on the subject, but if you&#8217;re at all like me, it&#8217;s easier to learn when you can see the subject in action.</p><p>A solid understanding of networking is critical to success in this field. Jump in, get messy. And when you think it&#8217;s too hard, just be thankful you&#8217;re not wrangling with dedicated hardware like we did back in the day. You youngsters have it so easy.</p><p
style="text-align: justify;">We&#8217;ve spent an entire day of class learning manual techniques for reconnaissance and enumeration. I&#8217;m pleasantly surprised at this.</p><p>I&#8217;ve lost years of my life doing the digital doggy paddle through a sea of enumeration logs searching for elusive targets on sprawling networks. To this day, I get twitchy when I hear the word <em>dig</em> regardless of the context. But I know these are critical concepts to learn. It&#8217;s generally difficult to hack targets you can&#8217;t find. It&#8217;s just not fun. It&#8217;s time consuming and ugly.</p><p><img
style="float: right; margin: 0 0 0 10px;" src="http://www.offensive-security.com/wp-content/uploads/2011/12/class-small-2.png" alt="st.kitts pwb beaches" /><br
/> As a result, by the end of day one, the students were a bit burned out. I felt a bit sorry for Muts at this point because I knew there was no better way to explain the concepts other than to drag us through the mud a bit. At the top of the last hour, I had begun to long for a slick tool that would help with all this stuff. I wanted something sexy and smart, something a bit less .. blah.</p><h3 style="color: #990000;">My old friend Roelof Temmingh was about to come to the rescue.</h3><p>I met Roelof in 2004 at the Blackhat conference in Las Vegas. I was scheduled to give my first talk on <a
href="http://blackhat.com/html/bh-usa-04/bh-usa-04-speakers.html#Long" target="_blank">Google hacking</a> and I was nervous because my talk was &#8220;clever&#8221; but only lightly technical. Roelof, an industry rockstar, encouraged me. He told me how cool &#8220;clever&#8221; recon and enumeration could be and gave me a private demo of his BiLE tool as well as a predecessor to something he called BiDiBLAH. He was fanatical and brilliant and I caught his excitement. Thanks in no small part to this conversation, I went on to write the <a
href="http://www.amazon.com/Google-Hacking-Penetration-Testers-1/dp/1931836361" target="_blank">Google Hacking book</a> and ever since I&#8217;ve had a much better understanding of the importance of the gray area between recon and enumeration. Roelof&#8217;s passion and brilliance was fully realized years later when he founded Paterva and released the <a
title="Maltego" href="http://www.paterva.com/web5/" target="_blank">Maltego</a> tool set. Just like that, recon and enum was on its way to becoming sexy.</p><p>I had nearly forgotten about my old friend Roelof until Jim O&#8217;Gorman took the stage and launched Maltego on his Mac. I was shocked. Roelof had done it. The interface was gorgeous. The transforms list had exploded. Maltego was sexy.</p><p>Jim led the class out of the desert and miraculously parted the sea of information with Roelof&#8217;s staff. Dramatic? Hardly. It was an expert stroke. The class understood the concepts and the more astute students realized the power behind Maltego&#8217;s gorgeous, shiny interface. The class came away with the answers to both the &#8220;How?&#8221; and the often-elusive &#8220;Why?&#8221; and as a result Offensive Security spawned exactly zero tool monkeys on this day.</p><p>Well done, Roelof. And thanks to the crew at Offensive Security for dragging us through the desert so we could better appreciate the miracle of the parting sea.&#8221;</p><h3 style="color: #990000;">Quotes of the Day</h3><ul><li>&#8220;Anyone who claims to teach you any profession in five days is .. lying.&#8221; -Muts</li><li>&#8220;This defensive security ninja could be outsmarted by a twelve-year old who had no clue what he was doing. We need to bridge the gap. How on earth can you defend if you don&#8217;t know how to attack?&#8221; -Muts</li><li>&#8220;If you don&#8217;t leave here more paranoid than when you came in, we haven&#8217;t done our job.&#8221; -Muts</li></ul><p
style="text-align: justify;">Hopefully, this in-depth account of Day 1 of Pentesting with BackTrack has given you some insight into what we have to offer. If we have piqued your interest, our next live training in St. Kitts will have not one, but two courses. In addition to <a
href="http://www.offensive-security.com/information-security-training/penetration-testing-with-backtrack/" target="_blank">Pentesting with BackTrack</a>, we will also be offering the very demanding <a
href="http://www.offensive-security.com/information-security-training/advanced-windows-exploitation/" target="_blank">Advanced Windows Exploitation</a> so <a
href="http://www.offensive-security.com/preregistration.php" target="_blank">SIGN-UP</a> today and join us in the Caribbean.</p><p><a
href="http://www.offensive-security.com/preregistration.php?cid=21&#038;lid=0" class="button_link hover_fade"><span>SIGN UP TODAY</span></a></p> ]]></content:encoded> <wfw:commentRss>http://www.offensive-security.com/offsec/pwb-in-the-caribbean-part-1/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> </channel> </rss>
