SANS SEC542 + GIAC GWAPT Review

In February 2017 I participated in the SANS course SEC542 (Web App Penetration Testing and Ethical Hacking), held by Spanish instructor Raul Siles in Oslo, which I followed up by taking the certification attempt for GIAC GWAPT. Here is my feedback on it.

Class Environment

The course was held in the Radisson Blu Plaza Hotel, which was really amazing. The class room was clean, big and everything you would expect from a premium hotel. Everything from coffee, smoothies, cookies, fruits and other fancy small dishes was available throughout each day right outside the class room. In the first days we were disappointed by the lunch, because there was too little food. We were just given a single plate with some grams of fancy food on it. This was quickly changed and we got a free-for-all buffet with tenderloin and other premium tasty food for the rest of the course.

Class Content

The course material is of really high quality and seems to be updated and polished by feedback after each held course. I wish we also got the material as PDFs and not just on paper, but the reasoning is that PDFs would be subject to pirating. The amount of theory and practice seems perfect, but overall the material is rushed through. The reason is that there is so much content and so little time. Be aware that if you lack general Linux and web skills you will fall behind very quickly. I would never suggest going to this class without the prerequisites described in the course details. On the other hand I think you will learn a lot from this course even if you know 90% of the content beforehand, because you will relearn everything from another angle, and it makes you think differently about things. The capture the flag contest was really fun and a perfect ending for the course!

Each day lasted from 9:00 a.m. to 5:00 p.m and the content was structured over the week like this:

  • Introduction and Information Gathering
  • Configuration, Identity, and Authentication Testing
  • Injection
  • JavaScript and XSS
  • CSRF, Logic Flaws, and Advanced Tools
  • Capture the Flag

I wish each day started earlier and/or lasted longer to get through the content at a more peaceful pace.

The Instructor

The instructor, Raul Siles, who works as a pentester outside of holding SANS courses, seems highly technically talented and always keeps up with the scene. The only issue I have with him is that his English is far from perfect, pronouncing words quite differently from the way they are meant; mix this with his really fast way of talking and you have a bad combo. He is also a mastermind at referencing The Matrix, which I value as an important skill.

The GIAC GWAPT Certification

Some time after the course I started a practice exam without rereading the content to see where I was standing. I passed the exam, which is built up of 75 multiple-choice questions, with ease. I can’t stress enough how bad this concept is, because this is the worst form of an exam there is. A certificate should be practical and hard, to reward talented people and not be available to anyone with money. Not only are the questions stupid, but there are questions that try to trick you, which doesn’t prove anything at all. Questions like “How do you write a comment in programming language X?” are worthless. I took my other included practice test the day before the actual exam and I passed both. I would say about 20-30% of the questions from the practice exams show up in the final exam, and if you really want to I bet there are braindumps all around on the Internet, which will improve your chances of passing even more, but I doubt anyone will need them. I gave feedback on a lot of questions and we will see if they will do anything about them.

I really hope no employer takes this certificate seriously, because this is pure pay to get. I will probably write another blog post about how rotten the certificate industry is and compare each one.

Pricing

The total price for the whole course, including two online practice exams and an actual formal exam on location, was 6509 Euro. I was lucky enough to live nearby so I didn’t have to rent a hotel room, which would up the price even more. Although the course is quite expensive, I honestly think you get more from this one week than from multiple classes at a university. 5645 Euro is a lot of money and feels like a robbery when you compare it to OSCP, where you get 30 days of lab time, course material and a certification attempt for $800. This does not take into account the class environment with food, snacks and peers to form connections with, though.

Disclaimer

This is only my subjective personal view and should not be affiliated with my employer.


Riddles in the Dark - Blue Eyes

This riddle, or rather puzzle or whatever you want to call it, got famous from xkcd and you can read the challenge there, but I and others got confused by the wording. Here I will present my own version, which I think is simpler and clearer. The “official” answer is very beautiful, but I will also present my alternative solution here.

My Wording of the Puzzle

On an island there are 100 blue-eyed and 100 brown-eyed men. The men are all very intelligent and, to quote the xkcd wording, “if a conclusion can be logically deduced, they will do it instantly”. They don’t know their own eye color, and if they find out, they will magically be teleported to paradise at midnight, but they need to be 100% sure of their color. They can not communicate with each other in any form. They can just observe. One day an angel comes down from the sky and says in front of them all: “I see someone with blue eyes”, then the angel leaves and never returns.

Who will leave the island and on which day?

Here are some other pointers:

  • They can not see the reflection of their eye color in the water or anything of the kind.
  • It’s not relevant how long they have been on the island.
  • There is no stupid answer. The answer is pure logic and really amazing.
  • The angel is not relevant. They could just as well have found a note on the ground stating the same thing.
  • Remember that every blue-eyed person sees 100 brown-eyed and 99 blue-eyed, and it’s tempting for every blue-eyed person to assume there are 100 of each and that way know their color, but there might be 101 brown-eyed and 99 blue-eyed. And it’s of course vice versa for the brown-eyed.
  • What do you mean by “which day”? Well, there is only one reference point: the day the angel speaks.

My Problems with the Original Wording

  • Introducing a “guru” with green eye color. Useless information that pollutes the puzzle.
  • Mentioning a ferry might indicate that there is a captain that they need to submit their eye color to. What if anyone is listening when a person submits his answer? And is there a restriction on how many times they can try to leave with the ferry? Can a person try “blue” one day and “brown” the next?

The “Official” Answer

You can read the answer on xkcd, but I will try with my own wording here.

If we start with only one blue-eyed and one brown-eyed man, the answer is simple. After the angel speaks, the blue-eyed man will look at the brown-eyed man and instantly know that he himself must have blue eyes, and he will leave on day 1.

Notice that this answer also applies if there were 1000 brown-eyed and 1 blue-eyed.

If there were two blue-eyed and one brown-eyed on the island, each blue-eyed man can think like this: “If I have brown eyes, then this dude with blue eyes will know for certain that he has blue eyes, because he sees two brown-eyed men, and will leave today. If he doesn’t leave today, then I must also have blue eyes”. They both think like this, because they are equally intelligent; they will both observe that the other guy didn’t leave on the first day and they will both leave on day 2. Notice also that we can introduce 1000 brown-eyed and there will be no difference, so we can conclude that the brown-eyed are irrelevant and will never leave.

If there were three blue-eyed, then each of them sees two other blue-eyed and thinks “If I have brown eyes, these two blue-eyed will leave on day 2”. Now, if the other two don’t leave on day 2, each person knows they have blue eyes and leaves on day 3.

See a pattern now? The 100 blue-eyed will leave the island on day 100. Every person must use the same logic and think “I see 99 blue-eyed; if no one leaves on day 99, then I must have blue eyes as well and leave the next day”.
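The induction above can be run as a possible-worlds simulation: a “world” is the true number of blue-eyed men, the angel removes the world with zero blue-eyed from common knowledge, and every uneventful midnight removes one more. This is an added example, not code from the original post; the function names and the `max_days` guard are my own.

```python
# Added example (not from the original post): possible-worlds simulation of
# the "official" answer. A world is the true number of blue-eyed islanders;
# the islanders eliminate worlds from common knowledge one per midnight.

def blue_eyed_departure_day(blue: int, brown: int, max_days: int = 10_000):
    """Return the day on which every blue-eyed islander leaves (None if never).

    A blue-eyed islander sees `blue - 1` blue-eyed people, so the only worlds
    they can personally distinguish are {blue - 1, blue}; they leave as soon
    as common knowledge narrows that pair down to one world. `brown` only
    sets the upper bound on how many people could be blue-eyed and never
    changes the answer, which is the post's point that brown-eyed are
    irrelevant. Brown-eyed men learn at most that they are *not* blue-eyed,
    which is not knowing their colour, so they are never modelled as leaving.
    """
    # Worlds nobody has ruled out yet, labelled by the number of blue-eyed.
    common = set(range(blue + brown + 1))
    common.discard(0)  # the angel's sentence: "nobody is blue-eyed" is out
    for day in range(1, max_days + 1):
        if blue > 0 and len({blue - 1, blue} & common) == 1:
            return day
        # Midnight passes with no departure. In the world with exactly `day`
        # blue-eyed people they would all have left tonight, so that world is
        # now commonly known to be impossible.
        common.discard(day)
    return None


def reasoning_trace(blue: int, brown: int):
    """Day-by-day list of the worlds a blue-eyed islander still considers."""
    common = set(range(1, blue + brown + 1))  # world 0 already ruled out
    trace = []
    for day in range(1, blue + 1):
        trace.append((day, sorted({blue - 1, blue} & common)))
        common.discard(day)
    return trace


if __name__ == "__main__":
    print(blue_eyed_departure_day(100, 100))  # the 100 blue-eyed leave on day 100
    print(reasoning_trace(3, 1))              # [(1, [2, 3]), (2, [2, 3]), (3, [3])]
```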

If you think you get the answer you can try asking yourself these questions quoted from the xkcd answer:

  • What is the quantified piece of information that the Guru/angel provides that each person did not already have?
  • Each person knows, from the beginning, that there are no less than 99 blue-eyed people on the island. How, then, is considering the 1 and 2-person cases relevant, if they can all rule them out immediately as possibilities?
  • Why do they have to wait 99 nights if, on the first 98 or so of these nights, they’re simply verifying something that they already know?

My Alternative Answer

It starts with one guy just standing up. Then another guy will stand beside him. Let’s say one has blue and one has brown eyes. They have now formed this row: B/b (B being blue and b brown)

The third person will see the colors of these guys and he will place himself in the middle. It doesn’t matter which color his eyes are, but let’s say they are brown. Updated row: B/b/b

If the two initial guys both have the same color, the third guy will just move to one of the two ends.

The fourth guy comes and he will place himself in the middle where the blue-eyed and brown-eyed are separated. His goal is to have only blue-eyed on one side and only brown-eyed on the other. Let’s say he has blue eyes, which makes the row like this: B/B/b/b

The next guy will do the same and so on, until everyone is standing in the row, where the 100 men on the left are blue-eyed and the 100 men on the right are brown-eyed.

Now everyone will know their eye color just by looking around, except the two guys in the middle. They don’t know where the distinction between blue and brown is. They will see only blue eyes in one direction and only brown in the other, but they can’t know their own color. The other 198 men, however, can leave the island on day 1.
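The row protocol can be simulated to check the claim that exactly the two men at the boundary stay behind. This is an added example, not part of the original post; the arrival order is constructed, and where the post lets a newcomer facing a single-colour row pick either end, the code always picks the right end (an assumption).

```python
# Added example (not from the original post): simulation of the row protocol
# from the alternative answer. Newcomers use only what they can see.

def form_row(arrivals: list[str]) -> list[str]:
    """Build the row one person at a time.

    Invariant: the row is two contiguous same-colour blocks. A newcomer stands
    at the boundary between them, so the invariant survives whatever the
    newcomer's own (unknown) colour turns out to be. If the row shows only
    one colour, the newcomer goes to the right end (assumption; the post says
    either end works).
    """
    row: list[str] = []
    for colour in arrivals:
        boundary = next((k for k in range(1, len(row)) if row[k - 1] != row[k]),
                        len(row))
        row.insert(boundary, colour)  # the newcomer does not use `colour` here
    return row


def deduce(row: list[str], p: int):
    """What the person at position p can conclude about their own eyes."""
    left, right = row[:p], row[p + 1:]
    if len(set(right)) == 2:   # boundary is to my right: I am in my right neighbour's block
        return right[0]
    if len(set(left)) == 2:    # boundary is to my left: I am in my left neighbour's block
        return left[-1]
    return None                # one colour on each side: I am at the boundary


def run_protocol(arrivals: list[str]):
    """Return (final row, per-position deduction) for a constructed arrival order."""
    row = form_row(arrivals)
    return row, [deduce(row, p) for p in range(len(row))]


if __name__ == "__main__":
    row, deductions = run_protocol(["blue", "brown"] * 100)  # constructed order
    print(deductions.count(None), "men cannot deduce their colour")  # 2
```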

I submitted this answer to Randall (the creator of xkcd), but he claimed this answer was not valid because there was too much communication between the men :’(


Coherent Knowledge-based Operations (CKO)

I was introduced to CKO in the class Information Warfare at my university (NTNU). I couldn’t gather much information about it online, so I decided to share some notes on my understanding of it.
