One of the odd things about working in an OS that you hardly ever use is there’s no “where is everything and how do I use it” button. Google brings up fifty ways to do the same thing, yet the syntax doesn’t quite work. I’m pretty sure most of the learned *Nix folks would be shaking their heads at the blundering of a Windows Admin in their home turf.

Thank goodness for the “revert to snapshot” button on in VMware workstation for when I download every piece of software for no real reason and stuff up a perfectly working environment.

Let me give you an example.

One of the objectives in the GSE is a simple netcat relay followed by lots of weird and twisted relays, then shove shell back to you with the lovely # prompt.

Normally this is easy, jump on to the final box type in nc –l –p 80 –e /bin/sh. Not on Fedora, which doen’t like the -l and –p being run together. So nc –l 80 –e /bin/sh then?

No – Fedora’s default installed out of the box netcat stops the evil shenanigans of the –e excution command. Oops, so you have to go and get then install another version of netcat, such as the original written by the Hobbit (make netcat, as along as long as there’s a complier on the box) which is on all Ed Skoudis’ SANS course materials or pulled download socat or one its friends.

Then using –e to shove a shell works tricks works fine.

Okay, so different OS have different versions of applications, but surely we could keep command syntax similar? Apparently not.

I decided to reach out for a bit of help and guidance, in the form of what books to read. The two I settled on were both recommendations by people in the know:

A Practical Guide to Fedora and Red Hat Enterprise Linux – Fifth Edition by Mark G. Sobell.

It’s all about Fedora 12, which is the subject of the current GSE Linux tests. Very solid and clear layout, comprehensively covering the features of Fedora and its syntax proving excellent examples

Unix and Linux System Administration Handbook – Forth Edition by Evi Nemeth, Garth Snyder, Trent Hein and Ben Whaley.

This one was recommended by Hal_Pomeranz, who wrote the SANS Linux 506 track, after I hassled him on twitter. This one goes covers many flavours of Linux and Unix, but it’s a marvelous journey through a SysAdmin approach to using *nix, making it a surprisingly easy read.

I don’t expect either book will make me a super admin over the next few weeks, but they go a great way to make me feel somewhat more at home and relaxed in Linux, rather than feeling like I just broken in to someone’s place and set fire to it.

The 18th of September is D-Day and I have to make it through to some point in the evening of the 19th, surviving what ever the fiendish SANS team have to throw at me at Caesars Palace in Las Vegas.

I still have a giant pile of books next to my bed read through and plenty of hands of exercises to drill tools, techniques and best practices in to what ever space I have left in my brain.

Just when the GSE exam ends, the main event of SANS Network Security 2010 kicks off on the 20th. 41 different SANS tracks are running, meaning a huge number of security professionals there to learn, understand and have a great time. Seems so unfair, so much to learn and so little time.

Steve Sims has just posted up two YouTube videos on brute-forcing Address Space Layout Randomization (ASLR) on Linux straight out of the 709 courseware. Excellent timing.

Part 1: http://www.youtube.com/watch?v=DcaVyy4yu88
Part 2: http://www.youtube.com/watch?v=LRjsv5zAHjQ

Plus here is his article in Hackin9 on Hacking ASLR & Stack Canaries on Modern Linux http://hakin9.org/magazine/918-21st-century-hacking-technique

Mike Poor has created:

www.packetstan.com 

for all things packet-like.

It’s all about packets and crazy things people do to them.

If that wasn’t enough the first article has been written by Judy Novak. Judy is a rock star of the analyst world and recent received a lifetime achievement award from SANS for her work in this field, plus was one of the authors of the Intrusion Detection In-Depth SANS 503 course. 

If you have no idea what I’m on about, or why I think this is amazing for network/security professionals sign up for Intrusion Detection In-Depth immediately. Do it now, right now. I’ll still be here once you’ve taken a magical trip in to the core of the Internet’s communication DNA and peeked in to a world full of Hex, binary and payloads.

I can only hope Mike convinces Judy to spill some more of her secrets and tips, plus get  many more people to chime in with articles, as this would be an utterly amazing resources for anyone that has to deal with analysing packets on or off the wire.

Since passing the GSE written exam, I’ve been building up a lab, practical practice examples and a stock of reading reference materials. I’ll blab on about the books and what they are at some later point. An interesting aside, some of the operating systems used in the GSE exam have been updated. Backtrack 1 now becomes Backtrack 4 and Fedora 4 becomes Fedora 12 so a great time to master more current OS’s.

The two day practical part of the GSE exam takes place in Las Vegas on the 18th and 19th of September. This means I’ll finish two days of examination hell just in time for the SANS Network Security 2010 conference

As I’m in Las Vegas and SANS is running on of its biggest conferences of the year, I’d be remiss to not try to squeeze in a bit more training.

I’ve applied to be a volunteer as part of SANS work study program and crossing my fingers to be accepted. With forty courses on offer, my number one choice is Steve Sim’s Developing Exploits for Penetration Testers and Security Researchers.

This course is really out of my comfort zone and a huge challenge in itself, nevermind the GSE study that I’m doing. I’ve only really played with the skills the course has taught while studying for OffSec’s PWB exam, but the topic is compelling and will help lift the shroud of script kiddie tools that I use. With both Steve Sims and Jim Shewmaker teaching the course it, should be absolutely brilliant to be able to learn from both these guys and mature my understanding this complex piece of IT security.

I’ve noticed that some very smart cookies are taking this course, including Wesley McGrew. Great, real security researchers, coding gurus and me. Well,  at least I know I asking the person sitting next to me what this all means  should get a sensible answer 

While stuck on a bus, I was idly sifting through Apple’s app store when I found Packet Decode. Some what intrigued, I have a look at it and noticed it was made by my old SANS instructor. Hoping this wasn’t some wacky joke by Chris, I bought the app and had a play. The simple description is that is it a IP/ICMP/TCP & UDP (v4 and v6) cheetsheet on steroids.

This is pretty darn helpful as Chris has written clear description of each field within the packet and has some nifty filters for wireshark and TCPdump. Some though on how the info is displayed means this isn’t cumbersome to navigate, making it a function and useful portable reference. Now if only he added DNS section and my paper SANS TCP/IP cheetsheet could rest happy.

Great as a quick reference, memory jogger or, as I intend to unleash at the next geek pub crawl, away to torture those around me with random facts and demands to know the tcpdump filter syntax for detecting tcp packets with windows size of less than 100. Hours of fun!

Mr Brenton’s web site http://www.chrisbrenton.org/ has some great articles and a number of packet challenges well worth taking the time to work through.

Four six day courses of security goodness:

Security 401: SANS Security Essentials Bootcamp Style (GSEC) taught by Mark Hofman

Security 503: Intrusion Detection In-Depth (GCIA) taught by Johannes Ullrich, Ph.D.

Audit 507: Auditing Networks, Perimeters, and Systems (GSNA) taught by James Tarala

Forensics 610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques (GREM) taught by Michael Murr

Plus the two day Security 577: Virtualization Security Fundamentals, taught by James Tarala, on its first appearance in Oz!

Get in early to save those dollars and get early bird savings: http://www.sans.org/info/57274

I hope to sneak in to Michael Murr’s Reverse-Engineering Malware course, should all the stars align… If I do get there, let’s hope the convention centre doesn’t catch fire this time

For any of you out there thinking about the GSE, Intrusion Detection In-Depth is one of the core exams. Book it now and I know Johannes will knock your socks off.

Sadly, I’m not taking either of the two excellent courses, but I will be in town for that week. I may pop my delightful face in on the proceedings once or twice and keep and eye on Ash, who on the Network Penetration Testing and Ethical Hacking (SANS 560) course  being taught by Eric Conrad, SANS Certified Instructor.

The most excellent Mark Hofman is teaching SANS Security Essentials Bootcamp Style (SANS 401) so get along there and soak up all that security goodness.

Eric’s a GSE, so I’ll be attempting to convince him it’s a great idea to help me out with my GSE study. Some, Alot Massive quantities of alcohol may be required to persuade him this is something he wants to do. This may make me the first SANS GSE stalker…. Moving on swiftly, see you in Sunny BrisVegas.

The exam was very fair and tested knowledge and skills from all three courses. Had a few sweaty palm moments and a couple of “Doh!” when picking the wrong answer.

Now for the hard work and study to get ready for the two day practical. Will be charting the progress on the other blog to avoid insanity slip in here.

- Security 401: SANS Security Essentials Bootcamp Style (GSEC) taught by Mark Hofman, SANS Certified Instructor

- Security 560: Network Penetration Testing and Ethical Hacking (GPEN) taught by Eric Conrad, SANS Certified Instructor