Reading Room

Featuring 15 Papers as of October 25, 2016

  • The Information We Seek by Jose Ramos - October 25, 2016 

    Whether you are performing a penetration test, conducting an investigation, or are skilled attackers closing in on a target, information gathering is the foundation that is needed to carry out the assessment. Having the right information paves the way for proper enumeration and simplifies attack strategies against a given target. Throughout this paper, we will walk through some strategies used to identify information on both people and networks. Some people claim that all data can be found using Google's search engine; but can third party tools found in Linux security distributions such as Kali Linux outperform the search engine giant? Maltego and The Harvester yield a wealth of information, but will the results be enough to identify a target? The right tool for the right job is essential when working with any project in life. Let's take a journey through the information gathering process to determine if there is a one size fits all tool, or if a multi-tool approach is needed to gather the essential information on a given target. We will compare and contrast many of the industry tools to determine the proper tool or tools needed to perform an adequate information gathering assessment.

  • Keys to Effective Anomaly Detection by Matt Bromiley - October 25, 2016 

    Simply put, an anomaly is something that seems abnormal or doesn’t fit within an environment. A car with five driving wheels would be an anomaly. In the context of an enterprise network, an anomaly is very much the same: something that does not fit or is out of place. While anomalies in an enterprise network may be indicative of a configuration fault, they are often evidence of something much more worrisome: a malicious presence on the network.

  • Finding the Advanced Persistent Adversary by Fayyaz Rajpari - October 10, 2014 

    The Advanced Persistent Threat was born long before the days of computers. However, the security industry has brought more emphasis to this “scare-word”. Its first real use as the term APT came from the US Air Force in 2006 due to the sole fact that nation state and government backed espionage turned to significantly more advanced attacks.

  • The Hacker Always Gets Through by TJ O'Connor - April 15, 2014 

    In early 2010, security analysts started noticing something really interesting.

  • Profiling Hackers by Larisa Long - February 7, 2012 

    Hacking without permission and authorization is considered illegal. But let's face it, that's why the subject of hacking is so appealing. But for much of the population, hacking is an elusive subject.

  • The User Agent Field: Analyzing and Detecting the Abnormal or Malicious in your Organization by Darren Manners - February 7, 2012 

    In the early days of the Internet, users had to type in text commands to navigate. Tools were later developed, e.g. early browsers, to be the "user's agent" so that commands did not have to be typed in to navigate - the user could simply click to navigate.

  • Using Windows Script Host and COM to Hack Windows by Alex Ginos - January 3, 2011 

    During the exploitation phase of penetration testing, the attacker may establish a “beachhead” on a target machine by running an exploit against a vulnerable network service. Often this results in a command prompt. At this point, the question becomes: “How can the command line be used to advantage to access sensitive information, escalate privileges and find and attack other hosts?” There are numerous useful hacking tools that can help with this but initially they are unlikely to be present on the compromised system. The attacker needs to bootstrap the process of further discovery and exploitation using only the limited tools and privileges available at the command prompt. In some cases, it may be necessary to evade detection by avoiding suspicious executables that may be flagged by anti-malware software running on the target. This paper explores the possibilities of using command line scripting tools and software components that are likely to be present on most Microsoft Windows systems to facilitate penetration testing.

  • Attack vs. Defense on an Organizational Scale by Omar Fink - December 11, 2007 

    Historically, the motivation behind most cyber attacks was similar to graffiti, in that the main purpose was to make a mark on somebody else’s territory, to demonstrate technical skill by compromising a web server and defacing the main page, with the primary goal seeming to be simply to make a statement of existence. In recent years, this has evolved to being more concerned about making a profit or creating a political impact.

  • Three Different Shades of Ethical Hacking: Black, White and Gray by David Hafele - May 2, 2004 

    Corporations and other entities are faced with the unenviable task of trying to defend their networks against various types of intrusive attacks.

  • Crossing the Line: Ethics for the Security Professional by Scott Carle - March 21, 2003 

    This paper briefly talks about several systems of ethics and then we will apply them to situations that we as IT security personnel face.

  • Can Hackers Turn Your Lights Off? The Vulnerability of the US Power Grid to Electronic Attack by Jonathan Stidham - September 26, 2001 

    This paper addresses specific areas of vulnerabilities within the U.S. power grid, and suggests an overall strategy and some specific actions appropriate for these vulnerabilities.

  • The Brazilian Connection: Brazilian Defacement Groups Stake their Claim by Michael Poor - July 16, 2001 

    This paper takes a look at three separate Brazilian hacker groups, two of whom were interviewed by the author of this paper.

  • Corporate LAN Intranet Server Compromise by Jason DePriest - May 22, 2001 

    A detailed account of how one company's Intranet server administrator tested his organization's server security by successfully hacking into the server.

  • Hacking: The Basics by Zachary Wilson - April 4, 2001 

    The basics of IT security for less security conscious IT professionals and end-users on exactly who is out there and what they are doing to get in.

  • The Fundamentals Of Computer HACKING by Ida Boyd - December 3, 2000 

    This paper outlines the steps that a hacker must follow to make a foot print of an organization.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted. Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.