Ahead of SANS London 2012, Europe’s largest IT security training event, a top security expert and trainer is warning that a big challenge and knowledge gap for penetration testers is the growth of operating systems that include new anti-exploitation defences, “Although developers and operators still make coding and configuration mistakes, discovering or adapting an exploit to handle modern-day defences is more difficult than ever,” comments Stephen Sims, the author of SANS’ only 700-level course, SEC710: Advanced Exploit Development.
According to Sims, with operating systems becoming more and more secure, attackers look for any opportunity to compromise a target. “This could range from common client-side attacks against well-known browsers, to attacking network devices containing vulnerabilities in the IPv6 protocol stack.”
In his view, a good penetration tester should have many techniques and skill-sets available, “Gone are the days where we can simply run vulnerability scans and perform generic testing. The attackers are much smarter in this day and age,” and Sims points to skills like reverse engineering, scripting, and patch diffing to identify code changes that can help a security team understand how to identify vulnerabilities and validate fixes.
With the arrival of new versions of Windows and the previously “closed” mobile operating systems becoming more accessible and mainstream, the ability to develop penetration techniques across these platforms is a key part of what clients are looking for in an experienced penetration tester.
“When I hire a penetration tester, one of the first things I have them do is take a Metasploit script written for a vulnerability on one version of Windows and have them fix it to get it working on a different, but still vulnerable, version of Windows,” explains Sims, “Those with this skill can do it in less than five minutes and I consider this a test to determine if the candidate is someone who will solve a problem where others will likely fail.”
The SEC710: Advanced Exploit Development course will be offered in Europe for the first time at SANS London this November. The two-day course on exploit development requires students to know their way around a debugger and have prior experience exploiting basic stack overflows on both Windows and Linux
Sims will be teaching SEC660: Advanced Penetration Testing, Exploits, and Ethical Hacking in London with a syllabus that has been updated considerably since it was offered in Amsterdam earlier in the year. “SEC660 has evolved into a course that helps a senior pen-tester work through and around deficiencies in tools combined with the exploit development skills necessary to adapt old attacks to bypass new defences.”
“Even if you’re not going to be writing 0-days for a living, a seasoned pen-tester should know how to modify broken exploit code to get it working, port an exploit module to Metasploit, and understand exploit mitigation controls. If you can’t someone else will,” Sims warns. SEC660 dives into network booting attacks and escaping restricted environments, return oriented programming (ROP), Windows 7 and 8 attacks and exploitation, IPv6, and many other pertinent areas.