February 13, 2019
SEC660, GXPN, and the NetWars Tournament of Champions
A Brief Introduction
I prefer to keep a low profile. I’ve always avoided security conferences, I don’t have a Twitter account, and I certainly don’t blog. Prior to joining Datto in 2017, I was entirely self-taught. I only opted to obtain my OSCP because I thought it would make getting a job easier, not necessarily because I thought I would learn anything. As it turns out, I was wildly mistaken, but that’s a story for another time.
After my first year at Datto, the company’s CISO Ryan Weeks challenged me to find an outlet for my inspiration. Simply put, he offered me the opportunity to attend any conference or earn any accreditation within the world of information security, so long as it may benefit the company. I spent time combing through the usual suspects – Black Hat, Def Con, ShmooCon, etc. – until I stumbled onto something I’d never even heard of: SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking, available during SANSFIRE 2018 in Washington, DC. Just reading the course syllabus made my stomach turn:
Exploiting OSPF authentication to inject malicious routing updates…
Using Taof for quick protocol mutation fuzzing…
Now, I have a personal rule for situations like this. When I want to do something, but fear creeps into my gut, then I know I have to do it. Trying and failing will hurt for a while, but quitting out of fear will hurt for a lifetime.
Looks like I’m headed to Washington.
The conference was held in downtown Washington at the Marriott Wardman Park Hotel. I was surprised by the sheer number of attendees. There must’ve been at least a thousand people from all over the world packed in this one hotel. Most of them were here to learn or teach, but some of the attendees would admit they were just here to socialize.
I’ll admit that I assumed the worst about the kinds of people I would meet. I expected less hygiene and more awkward behavior. In truth, I met a lot of brilliant people who were equally fun to be around, particularly during late night at the lobby bar. It’s a pretty unique thing to strike up a conversation with some strangers, only to find that one of them is the creator of CrackMapExec as well as the writer of my favorite NTLM Relaying guide ever. I don’t know if many other conferences are capable of attracting that kind of talent without them being inaccessibly washed away in a sea of endless attendees. I was happy to buy him a drink as we discussed the subtleties of Russian versus Romanian botnets.
Walking into the classroom and feeling like I’d need all the help I could get, I grabbed an empty seat next to the course assistant Jaime Geiger, and made an effort to take notes on everything I thought could possibly make it onto an exam. In fact, consider those my first two words of advice: sit by the course assistant, and take good, clean notes.
The amount of raw material in this course was like nothing I’d imagined. From Monday to Friday, participants of SEC660 would spend 9am to 7pm in a classroom learning everything from escaping captive portals and sandboxes, to hash length extension attacks, to bypassing DEP with a ROP chain. All of this would culminate in a classwide CTF on Saturday.
The exact syllabus was as follows:
Day 1: Network Attacks for Penetration Testers
Day 2: Crypto and Post Exploitation
Day 3: Python, Scapy, and Fuzzing
Day 4: Exploiting Linux for Penetration Testers
Day 5: Exploiting Windows for Penetration Testers
Day 6: Capture the Flag Challenge
The speed at which the class moved was blinding. Just when you thought you kinda, sorta understood something, you were moving onto an entirely new topic. I was very lucky to have Tim Medin as my instructor, and I would highly recommend him to anyone else attempting this course. He has a way of explaining the material in practical terms that makes you feel like you’re in the right place. He also maintains his humility in spite of having earned every right not to. He’s an all around great guy.
One thing I didn’t realize until the course was over is that the most valuable thing isn’t the class lessons themselves. The real value of the course is the access to the people. You can learn most of the material from the books and exercises, but there are some concepts which are best taught by another human being.
This brings me to my next tip: Make the effort to ask your instructors and classmates questions about the material that will help you understand it in your own way. Take advantage of being surrounded by experts for an entire week.
When I’d first checked into the conference to receive my badge, a staff member asked me if I would like to participate in a NetWars tournament. As it turns out, there are several types of NetWars tournaments and I knew nothing about any of them. Our conversation went a bit like this:
“Will you be participating in a NetWars tournament?”
“Okay, which one?”
“Uhh… the main one.”
“Core? Or Cyber Defense? Or DFIR?”
“So Core then?”
The Core NetWars tournament took place toward the end of the week. It’s a two day event, three hours a day, in which participants race against the clock to score as many points as possible. A USB drive with a VMware virtual machine is provided that contains everything you need to play (although it’s perfectly OK to bring your own tools).
The game itself is a piece of art. When it begins, you’re presented with a story that takes place in the Star Wars universe; an R2 droid holds evidence of an imperial hacker’s evil doings, and the rebels need you to run an investigation. The actual efforts involve things such as “figure out where the backdoor was stashed”, or “decode the hidden message inside of this ransom note”. Other activities include packet capture analysis, password cracking, and good ol’ SQL injection.
Participants are awarded points for correct answers, and deducted points for too many incorrect guesses. Hints can be taken without penalty, and will only be used against you in the event of a tie.
The competition is divided into four separate divisions:
- Individual First-Timers
- Individual Veterans
- Team First-Timers
- Team Veterans
Although the competition was stiff, the atmosphere was very laid back, with plenty of booze and conversation flowing at every table.
You unlock new levels as you earn points, with each level progressing the story into a new chapter and presenting new challenges:
Level 1: Local Linux image without root
Level 2: Local Linux image with root
Level 3: Attack a DMZ
Level 4: Pivot to intranet
Level 5: Castle versus castle (players face each other “king of the hill” style)
In the end I placed 4th in the Individual First-Timers division, which earned me a NetWars coin and an invitation to the Tournament of Champions.
Final Scores for Core NetWars at #SANSFIRE 2018
Total Players = 279
* New = 245
* Veteran = 34
Teams = 40
Solo = 146
Great job to all the NetWars players! pic.twitter.com/kM3WsrL9DC
— SANS Pen Test (@SANSPenTest) July 23, 2018
The Tournament of Champions wouldn’t take place for another five months. In the meantime, I had an exam to prepare for.
Taking the GXPN
After my time in Washington had ended, I returned to Connecticut and spent the following four months studying the books, building an index, and completing the lab exercises until I knew them inside and out. I would say that 90% of what I learned came to me during this time. Make no mistake, the course was great, but some of the material can take a very long time to digest, and I wanted to truly master the exercises so that I could apply them in real life – not just pass an exam.
For every section of each book, I wrote at least one sentence that briefly explained the purpose of the tool or technique being featured, as well as notes about any special values, use cases, version information, tricks, caveats, etc. I also made sure to create “walkthroughs” for every exercise and bootcamp in the books as I encountered them. Preparing this index was exhausting, but paramount to my exam efforts.
As an example, my index was filled with lots of notes like this:
cpscam ("Captive Portal Scam")
Book 1, Page 45
Builds a list of MACs / IPs that are useful for client impersonation. Also tells idle time. Similar to the "pul" tool.
Since I’d never taken a GIAC exam before, I also purchased and completed three practice exams. I’m happy I did, as I later came to find that GIAC questions tend to be… tricky. They’re often presented in a way that requires you to pay very close attention to their wording, else you’ll foolishly choose a similar but incorrect answer. The exam is open book, but this hardly feels like it helps.
My exam had 55 multiple choice questions and 5 practical ones in which I was provided a virtual machine that required me to utilize my lab skills. I found the multiple choice questions to be much harder than the practical questions, as they required a deep and thorough understanding of the material. The practical questions were very simplistic as long as you knew which tools and techniques you were supposed to be using.
I had my doubts during the exam, especially since they hit me with some painfully difficult crypto questions right at the start. In the end, I was ecstatic to submit the final answer and immediately receive notification that I’d passed, scoring a 93%. This achievement would later be legitimized by a very nicely framed certificate and an invitation to join the GIAC Advisory Board.
The NetWars Tournament of Champions
Less than one month after my exam, I would return to Washington along with dozens of others to be greeted by Jason Blanchard and Ed Skoudis in the champions’ reception hall. This was a time for us to form teams, receive our complimentary T-shirt and jacket, and learn how this tournament would differ from the one that got us here.
After the reception was over, participants headed down to the ballroom to take their seats in a reserved area.
Both to my comfort and chagrin, the champions’ tournament was exactly the same as the previous one – same questions, same answers. If you were smart enough to save your answers from last time, you could just plug them in and pick up where you left off. As a result, the majority of players catapulted to Levels 4 and 5 within the first 30 minutes of the game’s start.
For me, this was disheartening. I hadn’t saved any of my answers from the last tournament, and so I was starting all over from scratch. I honestly considered just getting up and heading to the local bar as others in my situation already had.
But then I remembered why I was here.
The only reason I’d even stumbled on this tournament in the first place was because I wanted to challenge myself. I decided I would stick around, if only to top my own high score.
In the end, I’d reached Level 4 again, but this time with 322 points – a solid 61 points higher than before.
There’s something addictive about passing a course or earning a certificate that makes you want to come back for more. By the time I was home from Washington, I was already tempted to jump right into the OSCE. Ultimately, I decided it would be best to let my new skills marinate for a while and see how they apply to my daily life’s work at Datto.
In the meantime, I’ll try to be more open-minded about security conferences and blogs. Who knows... maybe I’ll even make that Twitter account.