Security West 2018

Students are required to bring their own laptop so that they can connect directly to the workshop network we will create, and thus get the most value out of the course. It is the students' responsibility to make sure that the system is properly configured with all drivers necessary to connect to an Ethernet network.

Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion, along with a Windows guest virtual machine. All of the VMWare products are available at www.vmware.com.

Windows

You are required to bring Windows 10 (Professional), Windows 8.1 (Professional), Windows 8 (Professional), Windows 7 (Professional, Enterprise, or Ultimate) or Windows Vista (Business, Enterprise, or Ultimate) either on a real system or a virtual machine. You will need administrative access to your Windows computer and the ability to install various software packages, including Python, on that computer.

IMPORTANT NOTE: You may also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that Administrator password for your anti-virus tool.

The course includes a VMware image file of a guest Linux system that is larger than 15 GB. Therefore, you need a file system with the ability to read and write files that are larger than 15 GB, such as NTFS on a Windows machine.

Enterprise VPN clients may interfere with the network configuration required to participate in the class. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in class.

VMware

You will use VMware to run Windows and Linux operating systems simultaneously when performing exercises in class. You must have either the free VMware Player or later or the commercial VMware Workstation 8 or later installed on your system prior to coming to class. You can download VMware Workstation Player for free https://my.vmware.com/en/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/12_0.

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation here. VMware will send you a time- limited license number for VMware Workstation if you register for the trial on its website. No license number is required for VMware Player.

Linux

You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware Workstation or VMware Player. The class does not support VirtualPC or other non-VMware virtualization products.

Mandatory Laptop Hardware Requirements

• x86- or x64-compatible 2.0 GHz CPU minimum or higher.
• An available USB port.
• 4 GB or higher recommended.
• Ethernet adapter: A wired connection is required in class. If your laptop supports only wireless, please make sure to bring a USB Ethernet adapter with you.
• 15 GB available hard drive space.

During the workshop, you will be connecting to one of the most hostile networks on planet earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it in the workshop.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn - and have a lot of fun doing it!

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

• Security professionals who benefit from automating routine tasks so they can focus on what's most important
• Forensics Analysts who can no longer wait on someone else to develop a commercial tool to analyze artifacts
• Network Defenders who sift through mountains of logs and packets to find evildoers in their networks
• Penetration testers who are ready to advance from script kiddie to professional offensive computer operations operator
• Security professionals who want to evolve from security tool consumer to security solution provider

A basic understanding of any programming or scripting language is highly recommended but not required for this class.

Other Courses People Have Taken

Courses that lead in to SEC573:

• SEC504
• SEC560
• SEC660
• SEC542
• SEC642

Courses that are good follow-ups to SEC573:

• SEC560
• SEC660
• SEC542
• SEC642

• A virtual machine with sample code and working examples.
• A copy of Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers, T.J. O'Connor's critically-praised book that shows readers how to forge their own weapons using the Python programming language.
• MP3 audio files of the complete course lecture.

• Develop forensics tool to carve artifacts from forensics evidence for which no other tool exists or use third party modules for well-known artifacts to hidden evidence relevant to your investigations.
• Create defensive tools to automate the analysis of log file and network packets using hunt team techniques to track down attackers in your network. Implement custom whitelisting, blacklisting, signature detection, long tail and short tail analysis, and other data analysis techniques to find attacks overlooked by conventional methods.
• Write penetration testing tools including a several backdoors with features like process execution, upload and download payloads, port scanning and more. Build essential tools that evade antivirus software and allow you to establish that required foothold inside your target.
• Understand Python coding fundamentals required to automate common information security tasks. Language essentials like variables, loops, if then else, logic, file operations, command line arguments, debugging are all covered assuming no prerequisite knowledge.
• Tap into the wealth of existing Python modules to complete tasks using Regular Expressions, Database interactions with SQL, IP Networking, Exception handling, Interact with websites using Requests, Packet Analysis, Packet reassembly techniques and much more.

The Python Essentials Workshop labs - Variables, functions, modules, if/elif/else, for, while, list, dictionaries, sets and more

pyWars labs - An online programming competition that runs the first five days of class with additional hands on labs for beginners and expert challenges. Challenges include reverse engineering malware, malware covert channels, cryptography essentials, advanced regular expressions, advanced network communications and more.

Practical application labs - The application of coding concept are applied to build tools for defenders, forensicators and penetration testers. The labs cover Parsing logs files to identify hackers, Long Tail/Short Tail analysis of logs, Capturing and Parsing Network Packets, Carving forensics artifacts from binary data, Retrieving SQL data, Interacting with Websites, Process execution, Exception handling, synchronous and asynchronous network communications and more. The Python modules and concepts covered in these labs include: File Operations, Python Sets, Regular Expressions, gzip, collections module, freq.py, Geolite, scapy, reassembler.py, struct, sockets, select, Python Objects, argument packing and unpacking, sqlite3 , urllib,urllib2, cookielib, requests, StringIO, and more.

Capture the flag - Test your ability to apply your new tools and coding skills

"SEC573 is vital for anyone who considers themselves to be a pen tester." - Jeff Turner, Lexis Nexis Risk Solutions

"So far the content of Python for Penetration Testers has been great. I have learned several things, even as an advanced user." - Matthew Garfinkle, ManTech International Corporation