You might be surprised to learn that there are accredited classes out there that will teach you how to break into computer systems and networks. I recently had the opportunity to attend the six-day SANS SEC560: Network Penetration Testing and Ethical Hacking class here in New York. Here is what I learned.
It’s important that security professionals see the world from the modern-day hacker’s perspective. Practicing with their techniques is referred to as “ethical hacking” or “white hat” penetration testing. The SANS SEC560 class is fantastic at explaining the patterns and mindset of an attacker. It teaches how an attacker can leverage information that might seem benign and then use it against you to get into a network, maintain a presence, and steal data. The course walked me through the steps of reconnaissance, scanning, exploitation, and post-exploitation. Each section of the six-day course also had several labs that allowed me to apply the material.
The first day started with reconnaissance. This is where we were taught how to look for potentially useful public information. The sources ranged from WHOIS domain-record lookups, to methods for retrieving directory listings from web servers, to Google “dorking” to locate office documents posted on an organization’s websites that leak potentially sensitive information.
We then moved to the scanning phase. This is the point in an attack when the hacker starts to focus on the infrastructure of the network. We did simple scans with Nmap (a free and open source utility for network mapping) to perform “ping sweeps” of IP address ranges in order to determine which machines were active. We also performed full vulnerability scans with Tenable’s Nessus to ascertain which vulnerable or outdated operating systems and applications were running on any of the discovered machines.
We then learned how to use the data gleaned in the first two phases to exploit a system and gain access through an open port or a vulnerable web application. Once we learned how to establish a foothold, we focused on post-exploitation. This is when an attacker moves around inside a network to harvest additional network accounts and to gain access to other internal systems. This is a critical aspect of an attack that organizations should understand in order to better deal with incidents. Too often organizations respond to a single incident, on a single asset, not realizing that many more user accounts or computer systems may have been compromised by the same attackers.
Once we were in the network, we learned how to maintain a presence and hide our tracks through the creation of backdoors and relays. These techniques allow me to maintain access even if my initial point of entry is discovered and removed. The final hacker technique I learned was how to exfiltrate, or remove, data from a network through different network protocols and applications. This is the goal of most malicious attackers.
All of this intense training led to a Capture the Flag (“CTF”) competition on the sixth day of the class. The goal of this CTF was to simulate a full penetration test in a real-world scenario. I used the techniques I learned to gain access to sensitive encrypted information stored on a protected server. I got past all the security measures, decrypted the data, got the hidden information, and won a SANS Security 560 Pen Test Coin.
The SANS SEC560 course was thorough. Even though I perform security assessments and penetration tests daily, I learned many new techniques. I also got a valuable look into the mindset of an attacker. System administrators, users, and business owners often think that the publicly discoverable information about them or their organization is benign and can’t be used against them. Once you learn the techniques and tricks of hackers, you can truly appreciate the attack lifecycle, from data gathering to data exfiltration, and take effective steps to mitigate the threats in your environment.