[beardednose]

In a bit I will be attending a 2-day SANS wireless auditing class. Anyone taken it yet? If so, any comments?

Also interested in whether anyone has gone to any other SANS stuff and what they thought of it. Note the class topic, the length in days, and what you thought of it. Would you recommend it?

After I go to this class, I'll report back....

[swimmer116]

beardednose, on Nov 25 2004, 04:00 AM, said:

In a bit I will be attending a 2-day SANS wireless auditing class. Anyone taken it yet? If so, any comments?

Also interested in whether anyone has gone to any other SANS stuff and what they thought of it. Note the class topic, the length in days, and what you thought of it. Would you recommend it?

After I go to this class, I'll report back....

<{POST_SNAPBACK}>

I attended the Intrusion Detection Indepth course and I was very happy with the class/instructor/materials. It was 5 days in length, and very useful.

[beardednose]

Thanks. Who was the instructor? What city? Just curious. Not trying to track you down or anything.

[swimmer116]

The instructor was Mike Poor, in Denver last fall. He was one of the authors of the Snort 2.1 Intrusion Detection book (probably the best on the subject) by Syngress. The class moved at a pretty good pace, and the material is probably the most readable (for me at least) that I have seen on the topic. Overall I would say that SANS is some of the best training I have come across. I know some folks who have taken other courses with them and they all seem to have the same opinon of the instructors and the material for the courses that they attended. Enjoy the class.

[beardednose]

WOW! That's quite a testimony. Thanks. I feel better about SANS now.

[swimmer116]

If you have any other questions feel free to ask.

[Spookie]

I've taken several of the SANS courses Beardednose, this was some time ago back in 2001 and it wasn't as impressive as I had expected. Granted the instructors were notables and did have a good syllabus, and the information was good if the person was new to security or tasked with security responsibilities as a secondary duty. One problem was with the seating arrangements, which took place at a large conference.

When you have a large class, side discussions tend to break out amoungst the students and need to be squashed quite rapidly to avoid distracting the rest of the class. Unfortunately in our class that was not the case, and it was quite annoying. Maybe the instructor was new to teaching, maybe the class was larger then expected regardless the instructor should take charge of the class and not get distracted by questions that really have no bearing on the course topic.

That's just my opinion.

The one instructor I would say is in the top category of teaching at SANS would be Ed Skoudis. Outstanding instructor, ,very sharp mind and he has the unique talent of being able to "breadbox" complex issues so there understandable by the newest person.

Highly recommend Skoudis as an instructor, and if you get a chance to speak with him in person he is about the most down to earth "geek" who is extremely passionate about what he does.

In my opinion that is what seperates the true security practitioner from the do your 8 and hit the gate type of security admin.

The company he founded has been absorbed, and my understanding is they are swamped with projects and don't have enough people. I've heard nothing but good things about the company from several associates who are either employed by the company or have had dealings with them.

Spookie

[beardednose]

Spookie, please educate me on the following...elaborate....

Quote

do your 8 and hit the gate type of security admin.

The class was great. I'll have some comments on this soon as well as some great tools. The guy would wrote the cirruculum also wrote asleap and wpa_??? hack tools. WOW (I can remember the name of the wpa tool, I'll find it later).

Busy on vacation right now.

[Spookie]

Cool Beardednose, glad you had a good experience and I look forward to your review of the class.

What I mean by do your 8 and hit the gate is someone just counting time punching the clock looking for a paycheck.

This post has been edited by Spookie: 18 December 2004 - 06:33 AM

[beardednose]

Spookie, thanks. I knew I was missing something obvious. I wasn't thinking 8 hrs. Makes sense. A good phrase :D

As for the class, it was developed by Joshua Wright, who wrote the asleap tool for cracking LEAP authentication. Awesome. He has also written the only known WPA wireless cracking tool. The teacher was Matt Luallen, who was a wireless expert (among other subjects). He explained things fairly well and is a total geek. I'd recommend the class to you all, but I had a few issues with it, which I think SANS will remedy.

The class is calling Auditing Wireless Networks, but it is really should have been called "Everything You Ever Wanted to Know About Wireless and How to Hack it." Here's my long, play by play....

(see the next post for the GREAT open source tool collection)

1) It was a 3- or 4-day class crammed into 2 days. Most of the class was lecture with little time for labs. There's 8 labs, but we only did 4 of them and were encouraged to do 2 others. I did all six and will go back to do the other 2. This was only the second time the class was run, so they're still working out the kinks and stinks.

2) As I noted above, there was too much lecture and not enough labs and practical exercises. I also thought that the class went way too far into details, such as dissecting an 802.11 frame header (what each field is, all the options, etc.). Most of it was useful, but you didn't need to understand all that to use the tools. I know I'm sounding like a skiddie saying that---I found the details interesting, but it's kinda like a buddy describing his new techno toy--who cares, just let me try it. I'd rather have a summary, play with the tools, and then dig in (my learning style).

Others there told me that's how all SANS classes are, crammed with details on everything. Well, it was a 500-level class, so I guess you could expect that. A few others were a bit lost in the class, but most of them seemed more advanced and lapped it all up.

3) We did do an exercise one night where SANS had hid 3 rogue access points throughout the hotel and you had to find them. I only found one, came close to the second one, and detected, but couldn't find the third one. I deduced that the third one was in the hotel room of the seminar organizer (the person who makes sure everything works and runs special errands and takes care of equipment failures, etc.), but I couldn't find out which one (I tried to social eng the front desk and tried to bride the organizer to no avail :P ). I knew it was either one or two floors directly above my room, but I was too tired to attempt to track it down.

Only 3 guys in the class of 20 found 2 APs, so I didn't feel too bad. One guy won a linksys AP as a prize and the other two won wireless books.

The reason no one found the third one was because it died during the first day and the non-technical organizer simply replaced it with another AP, but didn't realize it was supposed to be config'd a certain way. We were given the SSID of the first two and only the first 5 sets of numbers of the MAC address of the third (which wasn't broadcasting it's SSID like the other two). The "replaced" third one was broadcasting it's SSID, so we all ignored it (I still tried to locate it, wondering if it was a trick).

I felt bad that I did so poorly. If I can't find rogues in class, how am I going to do it back at the office? :angry: :o :ph34r:

4) Another small-time beef I had was that at the beginning, they didn't have us tell the class our name, company, and position. I always find that useful as I then key in on certain folks on breaks and at lunch, finding people who do the same thing I do at companies similiar to mine. I gathered most of the folks are not THE SECURITY GUY like myself.

5) Of course the class was all Linux. We did not Windows stuff, which was refreshing to a windowpane guy like myself. We did a lot of terminal cmd line stuff and I feel a lot more comfortable with Linux now.

6) The class started at 9 and went to 5 or 6. I told the instructor to start at 7. When I travel and meet with my business folks, we never start later than 7:30. If you've been drinking all night, tough. Also, there were 3 (tres!) breaks again INCLUDING lunch. With such tech material you need to break every 1.5 hours IMHO.

The food was great and the service excellent.

[beardednose]

The class description is at http://www.sans.org/...ion.php?tid=108

Note the equipment that you get. The yagi antenna looks like a 6-inch tube with a 2-inch radius. It sucks the waves out of the air at a good distance. We used it to locate rogues. There's a program in the collection that calculates how strong the signal is by sampling the signal for 30 seconds. Based on that info and a couple other samples, you can tell which direction provides the strongest signal. The gps is used with kismet to pinpoint the range of the wireless net and draw them on maps from terra server (cool!).

p.s. The class was about $1600 plus hotel and food.

As for the tools, the linux bootable disk is the Auditor. Download for free with no registration at http://www.remote-ex...nt/mirrors.html.

Go back to the homepage and follow the Auditor links for more info.

Just download the iso and burn it to a CD (when you boot, there's an option to save it to your hard drive to boot permanently).

When you boot, you better watch it as you have to choose the screen resolution AND THE KEYBOARD. If you're not watching the keyboard defaults to Belgium or something like that and the slashes will be pluses, etc.. If that happens, just start over.

It works with most wireless cards (my cisco 350 works and all the cards the folks in the class brought worked - WITHOUT LOADING DRIVERS AND CONFIG!

What's in the collection and why is it special?

No other collection has all the tools and EVERYTHING you need loaded and ready to attack like this one. It also includes documentation for almost every tool. (I couldn't figure out how to capture a screen shot due to my junior status in linux--Somebody grab a screenshoot of the GO tab expanded, showing all the tools and drool with pour from your mouth!)

I'll try a text description of the Auditor tool collection.............
From the GO button (similar to START), there's 5 categories:
- Auditor (all the hacking tools)
- Applications (browser, term serv client, ftp client, graphics, editors)
- Utilities (sound, filemanager, rdesktop, vnc, calculator, pdf viewer, xkill)
- Configuration (configure your USB, NIC, Wireless Nic, Install Auditor on HDD)
- Documentation (on ALL tools - sweet)

Under the Auditor section, you'll tools for:
- Footprinting
- Scanning (security scanner: Nessus, metasploit & more; webserver scanner, network scanner: Nmapfe, ike-scan, & more; protocol scanner; application scanner; smb scanner; router scanner)
- Analyzing (network analyzers: ethereal, etherape, ettercap, hunt, iptraf: password analzers: dsniff; application analyzers: mailsnarf, urlsnarf, interception proxies;
- Spoofing (are you drooling yet? if not, check for a heartbeat)
- Bluetooth (btscanner)
- Wireless (where we spent most of our time--tools for analyzing & breaking wep, wpa, leap, plus more!)
- Bruteforce (for smb, ldap, snmp, vnc, http, ssh, including password lists ** by the way, the best place for wordlists is thepurdue website)
- Password cracker (john, rainbowcrack, bkhive, samdump2, zipfileracker)
- Digital forensics
- Honeypot

Notice that these categories are listed in the order that you'd do an "audit"

If you haven't stopped and downloaded this iso yet, you're on the wrong board -- go back to AOL ;)

On the wireless stuff, remember to put your card in monitor mode:
# iwconfig wlan0 mode monitor

If you use Auditor from CD and go to crack WEP using wep_crack, you better have at least 512 MBs ram or more. I couldn't do this on my laptop with only 256, hence I've order 1 GIG. Once you capture 200,000 initialization vectors with this tool, a crack is almost guaranteed, but that takes hefty ram and lots of traffic and time.

If enough of you beg me (and send me CHRISTmas gifts), I might just write a mini tutorial for all you folks like me that are too lazy to read the documentation for all the tools we learned.

[Spookie]

Sounds like a pretty interesting class Beardednose. The comment

Quote

As I noted above, there was too much lecture and not enough labs and practical exercises

Is somewhat typical of SANS from what I encountered. But being it's a new class/course the kinks will be worked out and they'll try and even out lecture and hands on time.

That was evident by going indepth. Most times what you find is someone who has a unique "niche" in the NetSec field and is so full of knowledge they try to push everything to you as much as possible. There passion for what they due comes across and at times the class can be over whelmed by information that though is relevant, just doesn't needed to be given to the class because most will not be either at that level of expertise, or will get to that level because the job does not require them.

I had that problem also when I first started, and as time went on I have learned to ease up on certain areas. Now when I give a class I do it via the lecture method supplemented by visual aids, handouts, and hands on time.

This helps me break the class up into sections and it also helps me keep track of the time. If I go a little to in depth in a certain area I can readjust during the visual aids or handouts, and move into the hands on without "stealing" from the student. I am also a firm believer that the mind can only retain what the butt can tolerate. So breaks should be given when the instructor notices he/she is losing the class.

Quote

I felt bad that I did so poorly. If I can't find rogues in class, how am I going to do it back at the office?

No need to feel bad, thats why you went to the class, to learn. If you knew everything before hand why take the class right.

Thanks for the input on the class, much appreciated. I've been contemplating taking the Intense Bootcamp class Wireless Networking and Security now from your response I'll look into the SANS course also before I send any money.

Spookie

[beardednose]

I took the cissp boot camp with intense, which was great, but the folks doing the scheduling and taking your "order" were horrible. No followup. Had to pester them to do anything or provide info. I had to reschedule my boot camp, and while that's a lot of work for them, they should just do it. Plus the hotel we were in for 7 days had no broadband to the hotel. Can you imagine?

They don't use that hotel anymore, but that really soured me on intense. the class itself, the materials, the instructor, etc., were exceptional. No one else I've talked to had a similar experience.

And yes, I passed. :P

[Spookie]

Congrats on obtaining the CISSP. I'll let you know how things go for me after January.

Who was the instructor? I hear good things about Shon Harris.Any feedback?

Yeah I've heard good and bad things about intense "sales". We've had decent luck so far with them as several have gone through the Forensics class and a few others. I'll see how things go after I take the course right now I'm knee deep in another class, non it related, and it's pretty cool. Next up after this will be ITIL.

I think after March I may be classed out for awhile, mind can only retain what the butt can tolerate so sitting down for long periods of time just drives me bonkers.

[beardednose]

I had Larry Greenblatt, who's an expert in too many things. Yikes. He's also a 7th or so degree blackbel in tai chi. Boy, that guy can teach. Made some really tough stuff really easy to understand. Also really good sense of humor.

Our class was really cool as we have a guy that runs DOD IT in Columbia and a guy from the NSA. They had some guarded stories to tell.

the only reference I could find on the internet to larry was a critique of another intense class he taught....