Day Two: SANS Network Security 2008

Today was day two of SANS' Web App Penetration Testing In-Depth. The focus of day two was information gathering.

Scouting your client is an essential part of the process and the course presents methods and tools for accomplishing this. Google is your friend. Johnny Long's Google Hacking For Penetration Testers will be a trusted companion. Some less well-known, but highly useful methods were covered. If you've studied pen testing, you may have knowledge of these. If it seems I'm being vague, that's because I am. I respect the work that Kevin has put into developing the course and I'm not going to give it all away.

I do wish the course had more hands-on with some of the tools that are presented. I know from talking to Kevin that the course is going to be expanded. Perhaps the expanded version will include more exercises with some of these tools.

After gathering useful info about the company, we drill down and gather details about the technologies that are being used. The usual tools for gathering information about systems are covered, but there were a few that I have not used including RSnake's Fierce.

There was a discussion of some issues relating to web application server architecture and some of the caveats that can throw off a pen tester and ways to work around those obstacles.

We continued to drill down, from the servers to the apps on those servers and ways to gather useful information about those applications. Most of the tools discussed were ones I'd had experience with before. One exception was OWASP's DirBuster. I'd seen it before, but never bothered to try it out. Now I have and will incorporate it into my testing.

All in all, another good day in class and I'm really looking forward to tomorrow when we enter the discovery phase where we will uncover weaknesses in the app.