I just returned from the training portion of in Las Vegas. This was my second Black Hat, and it was just as good as the first. I took the Combat edition of the Hacking By Numbers course, here is my review:
The Hacking By Numbers courses are a done by , a South African security company. The courses are presented as Cadet, Bootcamp, Web 2.0, Combat, and Chief of Staff editions. I had previously attended the Bootcamp edition (which reminds me, I need to write a review on that), which is the recommended pre-req for Combat edition.
Here is the overview found on the Black Hat website:
This course is the flagship course of the established Hacking by Numbers series. From the first hour to the final minutes students are placed in different attacker scenarios as they race the clock to “capture the flag”. In the SensePost tradition, the solutions lie much more in technique and an out-of-box thought process than in the use of scripts or tools. Each exercise is designed to teach a specific lesson and will be discussed in detail after it is completed. In this way you learn from your instructors, your colleagues and your own successes and failures. The “Capture the Flag” exercises have all been designed to replicate real-life scenarios with real-life-hacker stumbling blocks along the way. Students will have to deal with multiple firewalls, IDS devices and home spun red herrings in their quests to complete the challenge. During the exercises SensePost’s leading technical specialists will discuss possible attacks, possible alternatives and even possible defenses for thescenario in question. The exercises range from simple layer one attacks to more complex attacks requiring combinations of web application vulnerabilities and TCP/IP covert channels. All tools, documentation and required reading material will be provided to the students.
The course is two-days in length, and is completely hands on. The instructor, Marco, did a fantastic job as a guide, rather than a lecturer. The entire course is a series of “pracs”, in which a different pen testing technique is exercised. It is important to note that these “pracs” were created based on real world assessments. After a 20 minute intro which primarily included pearls of wisdom gleaned from SensePost’s experience, we were thrown straight into the fray; just as advertised, this course was all hack.
For each “prac” you are given three things: the Objective, Recommended tools, and Obscure hints. The objective gives you the endpoint, as well as the end goal. Most of the end goals was to place yourself on a Wall of Fame (typical of CTF challenges). The recommended tools portion is meant to be a very basic hint if you had no idea where to start. The obscure hints were just that. They served a valuable purpose in the end learning objective of the course. After the completion of the “prac”, a review of the hints would show a clear reverse thinking process that would serve you well on a pen test if you were to internalize it.
As a hurdle would be overcome during a “prac”, the instructor would start giving assistance to those struggling. In some cases he would give further clues, but mostly he would help describe the underlying technology being used for those unfamiliar with it. This ensured that you could get the most out of the exercise by not getting hung-up on step-one. Otherwise you might end up missing out on the rest of the fun.
After each “prac”, the instructor would then poll the class on the methods they used to achieve the objective. I was amazed at his ability to instantly recreate and model a student’s method on multiple platforms. Unlike many trainings in which you can get board waiting for a demo to work, the instructor was in complete sync with the pace of the students, not going too fast, nor dragging on the time.
The content was definitely the masterpiece of this training. Some trainings are simply over priced “script kiddie” tutorials that could be found on YouTube. However, HBN: Combat was nothing like this. Not once did I touch Nessus, Metasploit, or any other framework. I was pleasantly surprised at the small span of tools utilized during the whole process. Mostly it was a mixture of , , some sort of inline proxy, and your CLI.
While speaking with one of the SensePost testers, he explained to me that one of the issues within the industry is the limited “sight” of the testers. So many pen tests are conducted by running , , or some other vulnerability scanner, and dumping the report on their client. Even if they do go on to verify vulnerabilities, it is usually done using , or another exploitation framework. This obviously leaves many false positives, and even worse, false negatives. This is why HBN: Combat is so effective. The course is built upon the principle that no system is completely secure; you simply need to find the hole that takes real skill to discover.
In line with that principle, the exercises were highly technical, and very clever; they only required recognizing patterns and thinking outside the box. Some of my favorite practices involved doing:
Overall, I left the course feeling very well equipped and much better prepared.
This was a fantastic course! It was essentially two days of learning pen testing skills gleaned from real world assessments. I feel like I have a better understanding of the underlying technology in common (and uncommon) implementations. There were very few (if any) technical issues, and the instructor was friendly, and a true expert; he demonstrated an exhaustive understanding of all technologies used. I highly recommend that everyone take this course. It will definetly widen your “sight” in your pen tests, while also teaching you awesome little tricks.
Visit SensePost’s webiste !