SANS SEC542/GWAPT Review

PLEASE DO NOT ASK FOR MATERIALS FROM THE COURSE OR INSIGHT INTO THE QUESTIONS ON THE EXAM.

TLDR

This course did an excellent job of building a solid foundation around how protocols/services are intended to work before showing how to exploit them manually. While this course is not designed to produce world-class, cutting-edge red-teamers, it does lay the groundwork to begin that journey if you want to pursue it further. Many of the techniques used are great for illustrating exploits/methodologies but require additional strategies to bypass modern defenses. This course will help me become a better defender after learning about the core tactics that attackers have at their disposal.


WHAT…. IS ANY OF THIS?

SEC542 is a course offered by SANS that covers Web App Penetration Testing and Ethical Hacking.
GIAC Web Application Penetration Tester (GWAPT) is the corresponding certification for the course.

AUDIENCE

This course was designed for a broad range of IT specialists:

  • Aspiring pen-testers wanting to build a solid foundation in web pen-testing
  • Defenders wanting to better understand the attacker’s perspective
  • Developers who want to visualize the impact of writing insecure code

In my opinion, the type of person who can stand to gain the most from the class is someone who is comfortable in the Linux CLI and has a decent networking foundation without much pen-testing experience.

To directly apply most of the tools and techniques in the real world, you’ll need to have a role/permission to launch attacks on web applications.

To better understand where I am coming from, I have worked on the blue side of the industry for all of my career but have recently wanted to learn more about the attacker's perspective. I have worked through most of the TryHackMe tutorials and have just started branching out to tackle hosts without walkthroughs. All said, not that much of a red background.

COURSE CONTENT

The content followed the latest OWASP Top 10 and mapped each course section to the OWASP Testing Guide (OTG). I believe that the 2021 version of the OWASP Top 10 is slated to come out in the fall. Based on how I understand this course to be designed/maintained, content changes to adopt the new list will quickly follow the official OWASP release.

The class approached each new section through a process I call “Learn -> Break -> Automate” that allowed you to jump in without much prior knowledge.

  1. Learn legitimate functionality of protocol/software
  2. Break intended functionality using manual exploitation
  3. Automate using exploitation tools

This progression allowed people of different backgrounds to gain a functional understanding of the exploitation tool without handwaving what is actually happening under the hood.

DAY 1 - INTRO AND INFORMATION GATHERING

The first day of this course was a refreshing departure from most SANS courses. Instead of talking about process or softer topics, it jumps right into recon and how to perform it with various approaches/protocols. The DNS recon methodologies were eye-opening as a defender of how easy it is for an attacker to find “hidden” hosts exposed to the public web. The Heartbleed lab was my favorite hands-on lab of the day and highlighted how damaging this relatively easy exploit could be.

DAY 2 - CONFIGURATION, IDENTITY, AND AUTHENTICATION TESTING

Day 2 continued the theme of recon and information gathering through exercises demonstrating the differences in spidering and forced browsing. The authentication portion went through the strengths and weaknesses of different authentication methods. The technique of username harvesting based on side-channel information was beneficial and has opened my eyes to less apparent methods for gaining info from a target.
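The username-harvesting side channel mentioned above comes down to a login handler that responds differently (in wording, or in the amount of work it does) depending on whether the username exists. The following is an added example, not course material: a constructed in-memory user store with a hypothetical leaky handler next to a hardened one that returns the same message and performs the same hashing work for unknown and known usernames.

```python
"""Username harvesting via login side channels: leaky handler vs. hardened handler.

Added example (not from the course). The user table is constructed inline and
the login functions are hypothetical stand-ins for an application's login code.
"""
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256, deliberately slow so the timing side channel is visible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: username -> (salt, stored hash)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Dummy record so that unknown usernames cost the same amount of work as known ones
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("placeholder", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> str:
    """Vulnerable: both the message and the work done reveal whether the user exists."""
    record = USERS.get(username)
    if record is None:
        return "Unknown username"           # side channel 1: distinct error text
    salt, stored = record                   # side channel 2: hashing only runs for real users
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return "Login OK"
    return "Wrong password"


def login_uniform(username: str, password: str) -> str:
    """Hardened: same message and same amount of work regardless of username."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash_password(password, salt), stored)
    # Succeed only when the user really exists AND the password matched;
    # the dummy record can never log anyone in.
    if matched and username in USERS:
        return "Login OK"
    return "Invalid username or password"


def responses_distinguish(handler) -> bool:
    """True if the handler's reply for an unknown user differs from a known user with a bad password.

    This is the check a reviewer or defender would run against a login endpoint:
    if it returns True, the endpoint can be used to enumerate valid usernames.
    """
    unknown = handler("nobody", "wrong")
    known_bad = handler("alice", "wrong")
    return unknown != known_bad


if __name__ == "__main__":
    print("leaky handler enumerable:  ", responses_distinguish(login_leaky))    # True
    print("uniform handler enumerable:", responses_distinguish(login_uniform))  # False
```

The message check above is the easy part; the hardened handler also hashes against a dummy record so that response time does not become the replacement side channel once the error text is made uniform.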

DAY 3 - INJECTION

This day starts with a look into how sessions are managed for web applications (HTTP protocol offers no help here) and, more importantly, how to leverage poor session management practices to gain access to restricted portions of a web application. The Command Injections and File Inclusion sections were brief and gave the class an intro to interacting with the underlying operating system via the web application.

The entire second half of this day covered SQL injection, which went well past the simple `' or 1=1; --`. True to the rest of this course, this section spent some time explaining the syntax of SQL before discussing how to exploit it to return unexpected data.
The content increased in complexity as it covered how to navigate blind injections (the attacker doesn't see direct output from the web application), interpret error messages to craft attacks, and use advanced injections to retrieve data from more sections of the database. After building a solid foundation, it covered how to automate these techniques using sqlmap.
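To make the "simple" case concrete for developers reading this, here is an added example (not course material) showing why the classic `' or 1=1 --` payload works against a query built by string concatenation, and why the same input is harmless once the query uses parameter placeholders. The sqlite database and the two lookup functions are constructed for the demo; real code would store password hashes rather than clear-text passwords.

```python
"""SQL injection: string-built query beside its parameterized fix.

Added example (not from the course). The tiny sqlite database is constructed
inline; the lookup functions are hypothetical stand-ins for an app's login code.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data. Clear-text passwords only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerable: input is pasted into the SQL text, so a quote in the input ends the
    string literal and the rest of the input becomes SQL syntax."""
    sql = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def find_user_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened: placeholders send the input as data, never as SQL. The same payload is
    just a username string that matches no row."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


# The classic payload from the text (without the semicolon, since sqlite3's
# execute() only runs one statement anyway; the comment marker swallows the
# rest of the original query, including the password check).
PAYLOAD = "' OR 1=1 -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal login:", find_user_vulnerable(db, "alice", "s3cret"))  # ['alice']
    print("vulnerable, payload:     ", find_user_vulnerable(db, PAYLOAD, "x"))       # ['alice', 'bob']
    print("safe, payload:           ", find_user_safe(db, PAYLOAD, "x"))             # []
```

The detection angle for defenders follows directly: a query whose WHERE clause suddenly matches every row, or whose text contains a comment marker originating from a request parameter, is the kind of thing database query logging or a WAF rule can flag, but the real fix is the parameterized version, which leaves nothing for the payload to break out of.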

DAY 4 - XXE AND XSS

The majority of this day focused on the different types of Cross-Site Scripting and how to find/exploit poorly implemented websites. The content spends some well-prioritized time covering how to show the true impact of XSS to a business which is much more helpful than showing an executive an alert popup. The BeEF lab near the end of the day was incredible and made the impact of these attacks much more tangible by allowing the student to launch various attacks at a “victim’s browser” easily. These attacks were so impactful because BeEF comes with many social engineering modules to simply pop up a convincing Gmail login page or other credential-stealing methods for the victim to fall for.

DAY 5 - CSRF, LOGIC FLAWS, AND ADVANCED TOOLS

The main point of this day was to highlight the importance of understanding exploits and the scripts that attempt to launch them. In this section, we tried to launch an exploit from Metasploit only to have it fail. After digging into the exploit and the Metasploit module, we modified it and relaunched it successfully.

The very last part covered the soft topics under the section "Business of Pentesting." If I'm honest, this was the perfect place for this content. After five days on the business end of a knowledge firehose, I welcomed the break from technical information. The info in this section was excellent for people who may not have the business perspective, as it focused on WHY companies get pen tests and the importance of communicating at the technical level of your audience.

DAY 6 - CAPSTONE CHALLENGE

COMPETITION OVERVIEW

The day 6 challenge revolved around a team-based Capture the Flag competition. In my class, the teams were determined early on (day 2), and an effort was made to split the teams evenly based on the number of students. Day 6 starts with the instructor giving the class instructions on connecting to the VPN and setting the rules of engagement for the day's competition.

The CTF started with some basic terminology questions in the first few sections but quickly escalated in difficulty. The bulk of the questions revolved around discovering and exploiting multiple virtual hosts on the VPN network. The first few technical sections have questions that guide you to some key steps, but as you work through the challenges, the training wheels come off, and you are expected to work your way through the exploitation without much guidance.

Everything you need to be successful in the CTF can be found in the preceding five days of content/instruction. Other than the suggested networking and Linux backgrounds, no other external knowledge is necessary.

SCORING/WIN CONDITION

The goal is to complete the challenges quickly and accurately. Your team can lose points in one of two ways:

  1. Answering a question incorrectly twice
  2. Taking a hint for a question

The team with the highest score (or, in the case of a tie, the fastest completion) will walk away as the victors and get to take home the coveted challenge coin for the course.

I was lucky enough to be on a highly talented team that communicated well, and we were able to secure the win!

LESSONS LEARNED

  • Building a workflow within ZAP or Burp Suite that takes you from Recon to Exploitation makes organization a breeze and allows easy pivoting between targets.
  • Working in pairs makes it easier to get a sanity check because someone has been following along with the process.
  • Swapping members of these groups can lead to breakthroughs because this allows for a new set of eyes to work with someone with the background/history on the problem.
  • Keeping hosts/work organized is challenging and much easier to do if you document things as you move through the process.

TIPS

  • Avoid the urge to try to bring a super awesome external script or hacking tool into the CTF. In my experience, this approach doesn’t provide a huge advantage and typically produces a bunch of extra data/red herrings without much to show for it. Worse than that, it takes time away from using the tools that the competition was designed for.
  • If attending this event virtually, use a tool like Discord or Slack to communicate using voice AND chat.
    • Voice allows for quick idea exchange and strategy discussions
    • Text chat allows for quick validation and exchange of commands/flags
  • Take the time to verify your findings with a teammate before submitting them to the CTF.

BIG PICTURE TAKEAWAYS

  • Most web-based attack vectors are concentrated on a few core concepts.
  • Documenting your process as you are doing it helps you understand what has worked and what your next steps are. It also makes report writing a breeze after the fact.
  • Exploitation tools love screaming about what they are. Learning how to modify/silence these indicators is key to getting past basic detection.
  • A critical part of a pen tester’s job is to demonstrate the impact of vulnerabilities to the business. Don’t expect leadership to extrapolate what damage an attacker could do by only showing them a basic XSS alert pop-up.