Welcome to The Professional Security Testers Warehouse for the GPEN GSEC GCIH GREM CEH QISP Q/ISP OPST CPTS

Resume of the CEH Webcast I attended yesterday
Posted on Thursday, 28 January 2010 @ 11:56:42 EST
Contributed by cdupuis | Topic: CEH

The theme of the webcast was:  First look featuring the brand new

I must admit that the title of this webcast is what really attracted me and made me register. I was also pleased to see it would be a FULL three hours, which is plenty of time to present on brand new topics. Usually one-hour webcasts are too short to really get into detailed content.

The webcast consisted of an introduction,  then they showed two modules of the CEH on web application testing and vulnerability assessment,  the last portion was a presentation by Core Security showing the use and features of Core Impact. 

As you know, some of the modules within the CEH are fairly large in size; attempting to go through two full modules in such a short time frame made this a challenge for the presenter. The presenter demonstrated good knowledge of the subject matter presented but was bound to stay within the slides presented.

The first module presented was most certainly disappointing and there was nothing elite or "BRAND NEW".

Within the module there was a slide on IIS7 but this was mostly skipped and covered in about 15 seconds. I would have liked to see a lot more about the latest version of web servers such as IIS and others as well. Instead we were taken on a tour of IIS 4.0 and 5.0 vulnerabilities and the demonstrations were all against a target that was a Windows 2000 server (this is not a typo) without any service pack applied. Not what I was expecting from a presentation with "Brand New" in the title.

The first module showed us COOL directory traversal attacks that were done on older versions of IIS using a series of cut and paste strings. I doubt any of this would work against modern platforms that have been properly hardened and configured. This was a bit disappointing. It is COOL but not very useful in real life today against well maintained targets.

The first module also showed some aging in its description of Metasploit, where it is still being referenced as a PERL tool.

Dave Aitel would have been disappointed to see the coverage of CANVAS within this module. It was mostly mentioned as a name and very quickly pushed aside. I think that even though CANVAS is not as well integrated or polished as CORE IMPACT, it should have been covered in more depth as it is a VERY powerful tool as well. Immunity has been doing lots of great work in the security testing community.

Another sign of aging is Nessus being listed as an open source tool. It has not been Open Source and Free for quite a while. This would need to be updated.

The modules themselves still have numerous slides showing TOOLS.  Only the leading tools should be covered and the long list should be included in the student manual.  Powerpoint is not a high content tool,  a page in the student book can cover easily a list of 25 tools with description instead of one slide per tool.  That would be a lot better.

Some basic SQL injection using the good old buggy login form was demonstrated and well explained. It would have been great to have more web exploitation demonstrations or some advanced and brand new SQL injection techniques demonstrated.

As far as applications are concerned, showing how drive-by installs, trojan and backdoor installation, and other forms of social engineering attacks are really done today would have been great. The people behind the technology are the target of many organized criminal groups.

By far the last portion of the presentation was the best. The engineer from Core concentrated on today's hacker playground, which is Layer 7 within the OSI model or application security. Once again they clearly showed and demonstrated that you could have layers of firewalls, IDS, and other protection mechanisms but the weak link is the person sitting behind the technology.

IMPROVEMENT

The instructor did a great job in module two where he just went on his own instead of staying only within the slide content.   He attempted to explain things using the Whiteboard in Webex but the tool is not easy to use.  I would recommend adding a few slides on the subjects that he covered.

I would also cover less in future webcasts but cover it with more depth. The whole webcast talked about LOTS of things but did not show those things. People do not want to be told about things; they want to be educated on how things happen and how people take advantage of their systems and networks.

As far as the Core presentation is concerned, I think it was done a bit too quickly for people who have never seen or used the interface. A slide introducing and showing the systems involved in the attacks to be demonstrated would have made it easier to grasp for some of the attendees. The demos were good and all worked as expected but the speed at which it was done made it a bit hard to follow for people that are not used to the product. In fact it went so fast that the moderator was not back yet to take over when they finished.

BEING ETHICAL

A live web site on the internet was demonstrated with Hidden Form Fields being used. Even though it is very stupid to use Hidden Form Fields for sensitive information such as pricing, I think that ethically it was not OK to use such a web site. Even if the instructor claimed that the owner of the website knows about it, that does not make it OK to show it on a webcast. It would be like knowing how to steal money from a bank and showing it live on a webcast. That should be avoided in the future.

I understand that the Actualtests.com website did not work as expected but it would have been better to simply explain it and not show a live website as far as I am concerned. You always expose yourself when you show such a vulnerability to a public audience. It was even mentioned that the web site has been used for the past 5 years within live classes.

It could have been great to mention Server Side validation instead of only Client Side validation.


CONCLUSION

The two most commonly used words throughout the presentation were TOOLS and COOL. Myself, I strongly believe that you do not need 300 tools to be a good pen tester. A good brain and a browser would probably take you a lot further.

Doing testing in real life is NOT always cool; there are times you are scratching your head and you could be hitting a wall for days before you can make it to the other side of the wall. Such is reality.

Overall it was a good presentation but definitely not what I expected. I expected to get a presentation on web application vulnerabilities that we face today on a day to day basis. Instead I was presented with very basic and older vulnerabilities that are well documented on the Internet.

Unfortunately the two websites that were to be used for demo purposes did not seem to work as expected and they could not be used. That would have made the instructor's presentation a lot easier and a better presentation overall.

In the future, I would at least expect the demo to be done against a modern operating system with service packs and patches applied.  Or at least a Windows 2003 as a platform with some patches missing but not Windows 2000 with no service packs. 

Best regards

Clement
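
The hidden-form-field pricing issue and the server-side validation point raised under BEING ETHICAL above, shown as an added example that is not part of the original post or the webcast. It contrasts a handler that trusts a hidden `price` field with one that takes the price from the server's own catalogue; the SKUs, prices, field names and function names are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed catalogue: the server's own record of prices (hypothetical SKUs).
CATALOG = {"sku-100": Decimal("49.99"), "sku-200": Decimal("199.00")}

# Constructed POST bodies: the form as rendered, and the same form after the
# hidden "price" field was changed in the browser before submission.
HONEST_BODY = "sku=sku-100&qty=2&price=49.99"
TAMPERED_BODY = "sku=sku-100&qty=2&price=0.01"

def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def total_trusting_client(form: dict) -> Decimal:
    """Weak pattern: the price is whatever the hidden field sends back."""
    return Decimal(form["price"]) * int(form["qty"])

def total_server_side(form: dict) -> Decimal:
    """Hardened pattern: only SKU and quantity are accepted from the client;
    the price is looked up server-side and any submitted price is ignored."""
    sku = form.get("sku", "")
    if sku not in CATALOG:
        raise ValueError("unknown SKU")
    qty = form.get("qty", "")
    if not (qty.isascii() and qty.isdigit()) or not 1 <= int(qty) <= 100:
        raise ValueError("quantity out of range")
    return CATALOG[sku] * int(qty)

def price_mismatch(form: dict) -> bool:
    """Detection hook: True when the submitted price differs from the
    catalogue (or is missing or unparsable), which is worth logging."""
    try:
        return Decimal(form["price"]) != CATALOG[form["sku"]]
    except (KeyError, InvalidOperation):
        return True

if __name__ == "__main__":
    for label, body in (("honest", HONEST_BODY), ("tampered", TAMPERED_BODY)):
        form = parse_form(body)
        print(label, total_trusting_client(form), total_server_side(form),
              "mismatch" if price_mismatch(form) else "ok")
```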

 

 



Re: Resume of the CEH Webcast I attended yesterday (Score: 1)
by Thanos on Thursday, 28 January 2010 @ 14:56:05 EST

Clement, I too have seen this and your review is dead on. Good Job.






All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © 2003-2008 by Clement Dupuis and Nathalie Lambert (Site Maintainers).

 


 

 

