Thursday, 27 May 2010

Training courses - Nerd steroids

A few years ago when I was trying to break free of the more mundane trappings of IT, I decided to take some certifications. I began with CompTIA and took my Network+ and Security+ exams. Imagine my surprise when these certification exams took me no more than 15 minutes apiece to ACE. They were so easy it became embarrassing to tell people that I had bothered to take them. I have considered many times going for my CCNA and CCSP but never gotten around to it. I am now in the process of taking a 10-day course from infosecinstitute. This course is actually comprised of two courses jammed together into a single bootcamp. I am doing the online version of the course, unable to get my company to buy in for the additional costs of actually attending a physical class. These courses are centered around the CEH, CPT, and CEPT certifications. I am not very far into the first week of material and I am starting to get that sinking feeling again.

I don't want to bad-mouth infosecinstitute, at least not yet. However, the entire first day was essentially an introduction to using VMware and Linux. They do this because they want to be able to cater to people who might not have experience in those areas. My question is, what are such people doing taking courses on pentesting? If you don't know how to set up a VM, or how to kill a process in Linux, you've got a long way to go before you can be a pentester, and it is going to take a lot longer than two weeks. This is where the steroid analogy comes in. People seem to approach these classes as a quick fix, rather like steroids. "If I take this class, I will learn to be a 1337 h4x0r".

DarkNet has a post about training courses right now too. In it he talks about how the CEH is pathetic (I am inclined to agree so far) and then talks about a few other courses/certs. Frankly speaking, these look much the same as every other one I've looked at. They seem tantalizing at first, then you realize it's the same recap bullshit and you learn nothing new.

Let's give up on steroids, guys, and start thinking about some workout regimens. I want to see training courses out there that say outright "If you don't know what the different kinds of vulnerabilities are, or if you don't know how to find SQL injection, XSS etc... don't take this class". Let's have some classes that start with "So you know how to find some vulnerabilities, let's talk about advanced techniques, and things you never thought to try before". Let's talk about how you maximize your extraction from a SQL injection, or what things work in Oracle or in MSSQL, or U2, or Sybase etc. Let's talk about some advanced encoding tricks, and how to pack JavaScript to get around filters. Let's talk about writing shellcode to try and exploit in a buffer overflow.

I am tired of having to rehash the same crap over and over again. Then I read what RSnake or someone else is up to. I stop and think "Hrm, what are they doing differently than me? What do they do better than me? Why?" I want to see training courses that answer those questions. I want something that says "Okay, you're a pentester. Now let me show you how the big boys do it".

Anyways, that is my rant for the day. Stay tuned as I am going to be working on putting together a bit of a SQL Injection cheat sheet in the coming weeks. I hope to have something comparable to RSnake's XSS cheat sheet and a lot better than the other ones I've seen.


  1. The tool authors are usually the best pen-testers. If you want to learn web app pen-testing, learn from Portswigger (or his book with Marcus Pinto) because he wrote the best tool in the biz -- Burp Suite Professional. They are teaching a class at Blackhat US.

    If you want to learn network pen-testing, learn from the Metasploit Express dev team (hdm, jduck, et al). Rapid7 will likely provide training on Metasploit, but for now Offensive-Security appears to be the top brass, followed by the attackresearch guys such as Chris Gates.

    I suggest picking a focus area and mastering it once you've got the basics down (and it seems that you do). A few of the Gotham guys specialized in a few topics such as WCF, Flex, Oracle ADF Faces, etc. Most of these languages have a few things in common: they are new, they are being used by Enterprises, and they have the potential for a lot of new or exciting vulnerabilities.

    If you don't have access to apps or network to pen-test, then build your own apps and networks. Then break them. This is the best way to learn. Build a Java Enterprise REST service and make it wickedly complex. Then learn how to poke at it until it falls over or coughs up some stolen data. Then write your own tools that make breaking it more fun and easier.

  2. dre,
    I just worry that classes taught by tool authors are just going to be "here's how you use our tools". I don't need classes on Burp Suite; I use it every day. I don't need classes on Metasploit, or BackTrack etc. I am just looking to mature the skills I have already developed. Learning how to use a tool doesn't really help imho, it just makes you a skiddie.

  3. Hello Mr. Cosine. I'm Keatron Evans, the person conducting the training you're taking. First of all, let me say thanks for taking the course, glad to have you! I just wanted to see if I'm able to shed any light on the content of the pentesting course you're taking. The first lab deals with VMware and Linux, because we too have been surprised over the years at the number of people who take the course without any VMware or Linux experience. So the position we take is to give them a basic intro to both, then really teach it to them by using it throughout the course. I must say that in this field I've met some people who are extremely sharp when it comes to .NET, other such languages and hacking Windows from Windows. But they just sometimes need a little push in the right direction concerning Linux and virtualization. I have no doubt you'll be satisfied by the end of the first week. Let me know if I can be of any more help!

    Keatron Evans, Director of Training Services
    Infosec Institute