Monthly Archives: March 2011

Elearnsecuity BETA Testing of new labs

Elearn Security Online Labs and Challenges BETA Review

I was lucky enough to be asked to join in with a small team of beta testers to experience firsthand the latest developments by Elearnsecurity. The new online labs that are dedicated sandboxed cloud based environment for each student, accessible from the main learning material interface/portal.

On the 29 March 2011 at 8PM GMT; I eagerly await access to get a look at the concepts and ideas that up to then had only read about in discussions and suggestions by Armando in the forums.

The whole process I should add came off the back of consultation with the existing student community, so good to see a provider listening to the demands of the customer.

Reading the text in the forums, I could tell that Armando was excited about this project as it would bring yet another perspective to the learning model on offer from Elearnsecurity and ultimately would enhance the learner’s experience.

My experience I would have to say lived up to anticipated hype!

Perhaps partly due to having another chance to log in with equal minded folks keen to get their hands on the latest information and experience they could.

I need to mention, matugm who pretty much pwnd it before we really got off and running, last time I seen him posting he was trying to get a shell!

4 hours flashed passed in a blink of an eye.

Roughly about 30 mins after the agreed meet up time; we were off and running. The only real reason for this late start in my mind was due to getting some testers initial technical issues resolved and giving us group instruction via text based chat. (A head ache I would imagine if you’re on the supporting side)

The test itself involved what appeared to be at the outset a simple enough challenge for anyone who has experience in this field or perhaps has recently studied a course like ecppt.

Though as we attacked the challenge set out in front of us, I started to realise how this setup could give me an advantage to expand my inner working knowledge of both SQLi and of the popular tool sqlmap.

Most of what I have read or the guides I have seen up to now focus in on GET method via URL vulnerable parameters. I struggled to see many discussions around other input channels or POST method choices while studying for ecppt.

This challenge was exactly what I wanted to see, exactly what I wanted to try out and lucky for me gave me a chance to yet again apply what I had learnt up to know. Having developed new skills you are keen to try to keep them sharp, in hacking as we know only really achievable if you have labs if you want to stay on the side of the good.

As well as the actual objective of retrieving information from a database and inserting data into a database, I found I was starting to think “you know what I am going to try this from different angles from the point of view of learning more about the use of Sqlmap, from a burp log, from config file and straight off the CLI”. Giving me a chance to work with the tool in the different ways I wanted, so I could feel I was making progress towards being comfortable with the options that up to now I had really only read from the manual.

I collected a whole bunch of data that I plan to look at from the tool and study/research a bit further to understand as much as I can from the SQL used and look to ways to refine  and focus my attacks.

All of this from a single login page, I could hardly believe it, now I was wishing I had more time and energy left in me to keep chatting and testing with some very experienced specialists in the field. Alas work beckoned in the morning and the lure of sleep forced me to concede, well at least to go to bed and leave my laptop cracking the hashes I had obtained from the dump (not actually an objective but fun none the less, there was talk of removing this as I don’t think it was intended but I suggest leave it in)

As far as other enhancements are concerned; my understanding is there is a plan to have more exercises with step by step walkthrough examples to get those needing extra assistance off the ground, which in turn will help them pass the cert/gain skills.

More challenges are to be released to keep the more experienced students coming back for more; this in turn should in my view build on what is already showing signs of growing as a community.

The challenges do come with hints, but I know from chat with Armando and the team that these hints will affect the participants scores and plans of giving away goodies for challenge winners will probably keep the hardcore away from these but still give others at least a good learning tool until they build up their skills and experience.

Details of the goodies and prices for access have yet to be disclosed.

In my humble view a good addition to give us who are interested in researching security the hands on approach that is needed to close in on a sector that needs more good guys/gals on side.

Lets face it so far the bad guys/gals appear to be winning.

Advertisements

eCPPT – Review and Passed

I am pleased to be able to report I am now a proud holder of eCPPT.

From my own background and perspective the course and exam was a very enjoyable experience. I would recommend this to anyone interested in security and perhaps on a limited budget.

I had done CEH prior to this course and personally found CEH useful in giving me a good foundation to approach this course. My day-to-day working life is not at the moment centred on security.

From my initial contact with eLearn security, I was impressed by the way I was handled as a potential customer and supported in terms of believing that I could achieve.

I did ponder long and hard before I parted with my own hard-earned cash.

After making my decision to join the course, I initially did feel a bit unsure in what I had bought into, mainly due to my concerns that perhaps I could not do this on my own in a distance learning fashion.

My fears where quickly put to rest, once I seen responses to my questions and I had read every post in the forums to make sure I was not adding posts already answered and just creating a general nuisance of myself.

The responses I received gave me matters to think about and pointers as to where to head to next, which is useful when you’re learning; building on my understanding was a combination of taking in the good advice and information in the slides/videos and asking appropriate questions.

I never felt at any time that if I had tried on my own and had to request for more info that I would not be given some sort of support, be it from someone experienced on the course or Armando the creator himself.

I would also say that experience from network+ and CCNA came in useful, as did some of my previous studies in relation to web technology including HTML, CSS (limited PHP and SQL), a basic understanding of Linux is also helpful.

The challenge of the exam really does focus on expecting you to apply what you learn; I believe this to be an excellent approach. No exam cram sessions on this one I am afraid, if you’re really only looking for another CV filler.

I had good fun and I believe that Armando is building on its success and looking to provide new and interesting experiences for current and potential new students. I look forward to this and hope to continue on as a student/contributor as I learn and have more fun.

If like me you wondered if you had what it took to perform a manual web application penetration test, then this is the one for you!

Details of the course content can be found at http://www.elearnsecurity.com/

Tagged ,

The Blog effort

These days I find most of my time is spent spinning plates.

The constant juggle of work, study and trying to make sure I’m also taking in a film, meal or just general distraction away from technology is a fine balance. I am guilty of allowing the balance to sway toward technology, it’s hard not too, there is so much going on.

From the beginning of my role and current source of income as a tutor, I find that the more I’m looking at trying to convey what I know about technology, the more I feel I need to also learn.

Been a busy time from when I decided to concentrate more on security. Each question answered opening up more questions to look into further.

My hope for my blog is I may use it as I feel needed to reflect and learn. Anything you read here, you may wish to check and double check for accuracy!

Tagged