
Reading Room


Penetration Testing

Featuring 67 Papers as of April 21, 2021

  • Pentest as a Service with Cobalt Analyst Paper (requires membership in community)
    by Matt Bromiley - March 16, 2021 

    What if organizations could turn external penetration testing into an interactive experience they could use to regularly evaluate and increase their security posture? It is possible. SANS instructor Matt Bromiley reviews Cobalt's "pentest as a service" platform, an experience he describes as "an information security experience unlike many others"--but in a good way. In this paper, Bromiley examines using Cobalt to schedule, perform, interact with, and act upon penetration testing results. And more.

  • Fear of the Unknown: A Meta-Analysis of Insecure Object Deserialization Vulnerabilities Graduate Student Research
    by Karim Lalji - October 28, 2020 

    Deserialization vulnerabilities have gained significant traction in the past few years, resulting in this category of weakness taking eighth place on the OWASP Top 10. Despite the severity, deserialization vulnerabilities tend to be among the less popular application exploits discussed (Bekerman, 2020) and frequently misunderstood by security consultants and penetration testers without a development background. This knowledge discrepancy leaves adversaries with an advantage and security professionals with a disadvantage. This research will aim to demonstrate exploitation techniques using insecure deserialization on multiple platforms, including Java, .NET, PHP, and Android, to obtain a meta-analysis of exploitation techniques and defensive strategies.

  • Remote Penetration Testing with Ninja Pi by Jeremy Druin - September 28, 2020 

    Remote penetration testing can have significant advantages over on-site tests, but some types of testing require a physical presence. However, having testers on-premises may increase costs, duration, and difficulty. Penetration testing "drop boxes" can provide the physical connectivity needed while allowing the testing team to work off-site. These drop boxes can be built with readily available hardware such as a Raspberry Pi. When paired with Kali Linux and a few helpful scripts, the drop box becomes a viable alternative to on-site testing for many use cases. Such drop boxes are available for purchase, but a pen tester can build their own in less than a day, one that connects to a cloud server for maximum flexibility. These custom boxes are less expensive, offer the opportunity to learn new skills, can be customized to get around challenging connectivity issues, and can be built to fit specific use cases.

  • Preventing Living off the Land Attacks Graduate Student Research
    by David Brown - March 5, 2020 

    Increasingly, attackers are relying on trusted Microsoft programs to carry out attacks against individuals and organizations (Symantec, 2017). The software typically comes installed by default in Windows and is often required for the essential functionality of the operating system. These types of attacks are called “living off the land,” and they can be challenging to detect and prevent. This paper examines the viability of using Microsoft AppLocker to thwart living off the land attacks without impacting the legitimate operating system and administrative use of the underlying Microsoft programs.

  • Unix-style approach to web application testing by Andras Veres-Szentkiralyi - February 27, 2020 

    Web application testers of our time have lots of tools at their disposal. Some of these offer the option to be extended in ways the original developers did not think of, thus making their tool more useful. However, developing extensions or plugins has entry barriers in the form of fixed costs, boilerplate, et cetera. At the same time, many problems already have a solution designed as a smaller standalone program, which could be combined in the Unix fashion to produce a useful complex tool quickly and easily. In this paper, a (meta)solution is introduced for this integration problem by lowering the entry barriers, and several examples are offered that demonstrate how it saved time in web application assessments.

  • Pass-the-Hash in Windows 10 Graduate Student Research
    by Lukasz Cyra - September 27, 2019 

    Attackers have used the Pass-the-Hash (PtH) attack for over two decades. Its effectiveness has led to several changes to the design of Windows. Those changes influenced the feasibility of the attack and the effectiveness of the tools used to execute it. At the same time, novel PtH attack strategies appeared. All this has led to confusion about what is still feasible and what configurations of Windows are vulnerable. This paper examines various methods of hash extraction and execution of the PtH attack. It identifies the prerequisites for the attack and suggests hardening options. Testing in Windows 10 v1903 supports the findings. Ultimately, this paper shows the level of risk posed by PtH to environments using the latest version of Windows 10.

  • Container-Based Networks: Lowering the TCO of the Modern Cyber Range Graduate Student Research
    by Bryan Scarbrough - August 26, 2019 

    The rapid pace and ever-changing environment of cybersecurity make it difficult for companies to find qualified individuals, and for those same individuals to receive the training and experience they need to succeed. Some are fortunate enough to use cyber ranges for training and proficiency testing, but access is often limited to company employees. Limited access to cyber ranges precludes outsiders or newcomers from learning the skills necessary to meet the ever-growing demand for cybersecurity professionals. There have been several open-source initiatives such as Japan's Cybersecurity Training and Operation Network Environment (CyTrONE) and the University of Rhode Island's Open Cyber Challenge Platform (OCCP), but they require significant hardware to support. The average security professional needs a cyber range environment that replicates real-world Internet topologies, networks, and services, but operates on affordable equipment.

  • Template Injection Attacks - Bypassing Security Controls by Living off the Land by Brian Wiltse - February 1, 2019 

    As adversary tactics continue to adapt and embrace the concept of living off the land by using legitimate company software instead of a virus or other malware (Rut15), their tactics, techniques, and procedures (TTPs) often leverage programs and features in target environments that are normal and expected. The adversaries leverage these features in a way that enables them to bypass security controls to complete their objective. In May of 2017, a suspected APT group began to leverage one such feature in Microsoft Office, utilizing a Template Injection attack to harvest credentials, or gain access to end users' computers at a US power plant operator, Wolf Creek Nuclear Operating Corp. In this Gold Paper, we will review in detail what the Template Injection attacks may have looked like against this target, and assess their ability to bypass security controls.

  • Learning CBC Bit-flipping Through Gamification by Jeremy Druin - April 24, 2018 

    Cryptanalysis concepts like CBC Bit-flipping can be difficult to grasp through study alone. Working through "hands-on" exercises is a common teaching technique intended to assist, but freely available training tools may not be readily available for advanced web application penetration testing practice. To this end, this paper will describe CBC bit-flipping and offer instruction on trying this cryptanalysis technique. Also, a CBC bit-flipping game will be provided within the OWASP Mutillidae II web application. Mutillidae is a large collection of deliberately vulnerable web application challenges designed to teach web security in a stand-alone, local environment.

  • Hacking Humans: The Evolving Paradigm with Virtual Reality Graduate Student Research
    by Andrew Andrasik - November 22, 2017 

    Virtual reality (VR) systems are evolving from high-end gaming and military applications to being used in day-to-day business operations and daily life. Cyber security professionals must begin now to prepare proactive threat analysis and incident handling plans that cover information systems and users. Previous compromises illustrate the devastating effects malware can have on the confidentiality, integrity, and availability of information systems. These disastrous consequences may be transferred directly to the user given his or her perception of events. Even in the early stages, VR represents a new paradigm within the information age. Today, users view information systems through a monitor that acts as a window into a virtual environment. Within VR, a user may become completely immersed while absorbing information from all five senses. VR represents a dichotomy that adds a potential human component to an information system compromise. This research project examines offensive tactics, techniques, and procedures, then exploits and extrapolates them to a compromised VR system and the user to illustrate the hazards associated with VR.

  • Tackling DoD Cyber Red Team Deficiencies Through Systems Engineering Graduate Student Research
    by John Schab - September 15, 2017 

    Red teaming is an essential capability in preparing and assessing the Department of Defense's (DoD) ability to execute their mission in a contested cyber environment. The identified deficiencies in DoD's overall red team capability resulting from their ad hoc implementation create unknown mission risk to the Combatant Commands and Services, leading to a significant threat to national security. Unfortunately, many senior DoD officials are citing a lack of resources as the reason for the deficiencies and believe an increase in funding will solve the issues. However, funding alone is not scalable to address DoD's gaps in red team capability, and throwing more money at the existing ad hoc process is quickly becoming a huge money pit for the DoD. This paper analyzes the deficiencies and concludes the primary cause to be a lack of a structured process needed to define, design, build, and sustain the required DoD red team capability. The solution presented is to treat the overall DoD cyber red team function as a complex system operating within a system of systems and apply the systems engineering process. Implementing a systems engineering process will eliminate some of the identified deficiencies through design and will identify feasible solutions or alternatives to the deficient areas which design cannot eliminate. The systems engineering process can help DoD build an effective and efficient red team capability, which is needed to ensure the military can successfully execute its missions in the contested cyber environment.

  • Cracking Active Directory Passwords or "How to Cook AD Crack" by Martin Boller - August 23, 2017 

    It is too early to write the obituary on passwords, and they are still the most prevalent form of authentication for most corporations. You may be using Multi-Factor Authentication for some users, but there's still a password in use somewhere. Many end-users and IT Pros do not understand the art of creating and maintaining good passwords, and most organizations utilize Active Directory, which stores unsalted passwords using a weak hashing algorithm, further weakening their security. This paper discusses several methods to acquire the password hashes from Active Directory, how to use them in Pass the Hash attacks, and how to crack them, revealing the clear text passwords they represent. It ends with a short discussion on how to report on the password security of the organization tested.

  • Using Docker to Create Multi-Container Environments for Research and Sharing Lateral Movement Graduate Student Research
    by Shaun McCullough - July 3, 2017 

    Docker, a program for running applications in containers, can be used to create multi-container infrastructures that mimic a more sophisticated network for research in penetration techniques. This paper will demonstrate how Docker can be used by information security researchers to build and share complex environments for recreation by anyone. The scenarios in this paper recreate previous research done in SSH tunneling, pivoting, and other lateral movement operations. By using Docker to build sharable and reusable test infrastructure, information security researchers can help readers recreate the research in their own environments, enhancing learning with a more immersive and hands-on research project.

  • Attack and Defend: Linux Privilege Escalation Techniques of 2016 Graduate Student Research
    by Michael Long II - January 30, 2017 

    Recent kernel exploits such as Dirty COW show that despite continuous improvements in Linux security, privilege escalation vectors are still in widespread use and remain a problem for the Linux community. Linux system administrators are generally cognizant of the importance of hardening their Linux systems against privilege escalation attacks; however, they often lack the knowledge, skill, and resources to effectively safeguard their systems against such threats. This paper will examine Linux privilege escalation techniques used throughout 2016 in detail, highlighting how these techniques work and how adversaries are using them. Additionally, this paper will offer remediation procedures in order to inform system administrators on methods to mitigate the impact of Linux privilege escalation attacks.

  • Triaging the Enterprise for Application Security Assessments Graduate Student Research
    by Rebecca Deck - November 4, 2016 

    Conducting a full array of security tests on all applications in an enterprise may be infeasible due to both time and cost. According to the Center for Internet Security, the purpose of application specific and penetration testing is to discover previously unknown vulnerabilities and security gaps within the enterprise. These activities are only warranted after an organization attains significant security maturity, which results in a large backlog of systems that need testing. When organizations finally undertake the efforts of penetration testing and application security, it can be difficult to choose where to begin. Computing environments are often filled with hundreds or thousands of different systems to test and each test can be long and costly. At this point in the testing process, little information is available about an application beyond the computers involved, the owners, data classification, and the extent to which the system is exposed. With so few variables, many systems are likely to have equal priority. This paper suggests a battery of technical checks that testers can quickly perform to stratify the vast array of applications that exist in the enterprise ecosystem. This process allows the security team to focus efforts on the riskiest systems first.

  • In but not Out: Protecting Confidentiality during Penetration Testing Graduate Student Research
    by Andrew Andrasik - August 22, 2016 

    Penetration testing is imperative for organizations committed to security. However, independent penetration testers are rarely greeted with open arms when initiating an assessment. As firms implement the Critical Security Controls or the Risk Management Framework, independent penetration testing will likely become standard practice as opposed to supplemental exercises. Ethical hacking is a common tactic to view a company's network from an attacker's perspective, but inviting external personnel into a network may increase risk. Penetration testers strive to gain superuser privileges wherever possible and utilize thousands of open-source tools and scripts, many of which do not originate from validated sources. Penetration testers may gain access to all compartmented sections of a network and document how to repeat successful exploits while saving restricted data to their laptops. This paper illustrates secure Tactics, Techniques, and Procedures (TTPs) to enable ethical hackers to complete their tests within scope while reducing managerial stress regarding confidentiality. A properly conducted independent penetration test should provide essential intelligence about a network without jeopardizing the confidentiality of proprietary data.

  • Using Sulley to Protocol Fuzz for Linux Software Vulnerabilities Graduate Student Research
    by Aron Warren - April 25, 2016 

    Fuzzers are useful for discovering vulnerabilities in software services. Sulley is a common fuzzer with an ability to fuzz network protocols. This paper will describe the process for using Sulley to fuzz for a vulnerability in an implementation of the unencrypted telnet protocol. Specifically, Sulley will be used to detect the vulnerability that was found in CVE-2011-4862 as implemented on the Red Hat Enterprise Linux 3 distribution.

  • Intrusion Detection and Prevention Systems Cheat Sheet: Choosing the Best Solution, Common Misconfigurations, Evasion Techniques, and Recommendations. Graduate Student Research
    by Phillip Bosco - January 25, 2016 

    There are many decisions a company must make while choosing an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) for their infrastructure. Pricing questions will arise to determine if it will fit into their budget.

  • Testing stateful web application workflows by András Veres-Szentkirályi - January 14, 2016 

    When technology made it possible for web servers to return dynamic content, web applications started out simple. As the development of more and more applications shifted from desktop operating systems to the web, complexity grew.

  • Clickbait: Owning SSL via Heartbleed, POODLE, and Superfish Graduate Student Research
    by Matthew Toussain - December 23, 2015 

    SSL is dead. Security researchers have now broken nearly every method of implementing the Secure Socket Layer (SSL). Unfortunately, the Internet is struggling to catch up to the new world order. SSL version 3.0 is still supported by 31.5% of public web servers (Kario, 2015). As a result, attackers can gain access to key confidential information.

  • Web Application File Upload Vulnerabilities Graduate Student Research
    by Matthew Koch - December 7, 2015 

    File upload vulnerabilities are a devastating category of web application vulnerabilities. Without secure coding and configuration, an attacker can quickly compromise an affected system. This paper will discuss types of file upload vulnerabilities and how to discover, exploit, and maintain persistence using upload vulnerabilities.

  • Cloud Assessment Survival Guide Graduate Student Research
    by Edward Zamora - November 10, 2015 

    The time has come when society at large is living in the cloud. Many have questioned the security of information in the cloud, and many have been told that information is safe there. But how can one be sure that information is indeed safe in the cloud? In this day and age, where there is an increased dependence on such complex technology as cloud systems, there is a need for methodologies to test cloud deployments. For organizations that have or seek to implement cloud technology in their environment, this paper will present a brief background on cloud technology and a methodology for assessing the security of their cloud implementation based on penetration testing principles.

  • Tunneling, Pivoting, and Web Application Penetration Testing Graduate Student Research
    by Gordon Fraser - August 3, 2015 

    When conducting a web application penetration test, there are times when you want to be able to pivot through a system to which you have gained access to other systems in order to continue testing. There are many channels that can be used as avenues for pivoting. This paper examines five commonly used channels for pivoting: Netcat relays, SSH local port forwarding, SSH dynamic port forwarding (SOCKS proxy), Meterpreter sessions, and Ncat HTTP proxy, within the context of using them with key tools in the penetration tester's arsenal, including Nmap, the Burp Suite, w3af, Nikto, Iceweasel, and Metasploit.

  • Automated Security Testing of Oracle Forms Applications by Balint Varga-Perke - May 26, 2015 

    To keep up with the increasing rate of web application attacks (Imperva, 2014) a wide variety of automated security testing tools have been developed (OWASP, 2014).

  • Powercat by Mick Douglas - March 4, 2015 

    Powercat started as a proof-of-concept tool that I initially developed.

  • Penetration Testing: Alternative to Password Cracking by Maxim Catanoi - February 2, 2015 

    Penetration testing success directly depends on the skills, knowledge and resources available to each member of the penetration testing team (Wilhelm).

  • AIX for penetration testers by Zoltan Panczel - January 8, 2015 

    AIX (Advanced Interactive eXecutive) is a series of UNIX operating systems developed by IBM. AIX is based on System V UNIX with 4.2 BSD extensions. Nowadays it supports only RISC based machines. The operating system is widely used by banks, governments, hospitals and power plants.

  • H.O.T. | Security by Luis Rocha - August 21, 2014 

    The information security industry will continue to grow in size, density and specialization (Tipton, 2010). The demand for qualified security professionals who possess relevant knowledge and required skills is growing and will increase substantially (Miller, 2012) (Suby, 2013).

  • Web Application Penetration Testing for PCI Graduate Student Research
    by Michael Hoehl - June 26, 2014 

    The Verizon 2014 Data Breach Investigations Report reported 3,937 total web application related incidents, with 490 confirmed unauthorized data disclosures (Verizon, 2014).

  • iPwn Apps: Pentesting iOS Applications by Adam Kliarsky - May 12, 2014 

    The growth of mobile device usage in both personal and professional environments continues to grow.

  • Introduction to the OWASP Mutillidae II Web Pen-Test Training Environment by Jeremy Druin - October 22, 2013 

    Web application security has become increasingly important to organizations.

  • Implementing Redmine for Secure Project Management Graduate Student Research
    by Russ McRee - March 12, 2013 

    One of the core tenets of a good project management practice is the safekeeping of project information in a readily available, secure resource.

  • Exploiting Embedded Devices by Neil Jones - October 25, 2012 

    The majority of routers operate using a form of embedded Linux OS. This is an advantage to the majority of penetration testers, as Linux is likely to be a familiar platform to work with; however, the distributions that routers tend to run are very optimised, and as such the entire firmware for a router is generally only a few megabytes in size.

  • Exploiting Financial Information Exchange (FIX) Protocol? by Darren DeMarco - July 3, 2012 

    The FIX Protocol website defines The Financial Information eXchange ("FIX") Protocol as “a series of messaging specifications for the electronic communication of trade-related messages” (FIX Protocol Ltd, 2012).

  • Penetration Testing Of A Web Application Using Dangerous HTTP Methods by Issac Kim - May 22, 2012 

    HTTP methods are functions that a web server provides to process a request. For example, the "GET" method is used to retrieve the web page from the server.

  • Post Exploitation using Metasploit pivot & port forward by David Dodd - March 29, 2012 

    The Metasploit Project is an open-source, computer security project which provides information about security vulnerabilities that assist in performing a penetration test.

  • iPhone Backup Files. A Penetration Tester's Treasure by Darren Manners - February 7, 2012 

    One of the noticeable changes in recent technology history is the emergence of the smart phone. Technological advances in these fields have created devices that have almost the equivalent power and functionality of desktop computers.

  • OS fingerprinting with IPv6 by Christoph Eckstein - September 21, 2011 

    In real life, human fingerprints are used as a method of identification. As of today, no two fingerprints have been found to be alike; hence fingerprints are an excellent way to positively identify a person beyond reasonable doubt.

  • Mass SQL Injection for Malware Distribution by Larry Wichman - April 20, 2011 

    Cybercriminals have made alarming improvements to their infrastructure over the last few years. One reason for this expansion is thousands of websites vulnerable to SQL injection. Malicious code writers have exploited these vulnerabilities to distribute malware.

  • Using Windows Script Host and COM to Hack Windows by Alex Ginos - January 3, 2011 

    During the exploitation phase of penetration testing, the attacker may establish a "beachhead" on a target machine by running an exploit against a vulnerable network service. Often this results in a command prompt. At this point, the question becomes: "How can the command line be used to advantage to access sensitive information, escalate privileges, and find and attack other hosts?" There are numerous useful hacking tools that can help with this, but initially they are unlikely to be present on the compromised system. The attacker needs to bootstrap the process of further discovery and exploitation using only the limited tools and privileges available at the command prompt. In some cases, it may be necessary to evade detection by avoiding suspicious executables that may be flagged by anti-malware software running on the target. This paper explores the possibilities of using command line scripting tools and software components that are likely to be present on most Microsoft Windows systems to facilitate penetration testing.

  • About Face: Defending Your Organization Against Penetration Testing Teams Graduate Student Research
    by Terrence OConnor - December 6, 2010 

    In the following paper, we outline several methods for obscuring your network from attack during an external penetration test. Understanding how a penetration testing team performs a test and the tools in their arsenal is essential to defense. The penetration testing cycle is described in the next section. Following that, we discuss defeating recon and enumeration efforts, how to exhaust the penetration testing team's time and effort, how to properly scrub outbound and inbound traffic, and finally, we present some obscure methods for preventing a successful penetration test.

  • Client Fingerprinting via Analysis of Browser Scripting Environment by Mark Fioravanti - September 22, 2010 

    During a Web Application Penetration Test, it is important to test the security of the clients that are interacting with the application. Although not all Web Application Penetration Testing engagements include this activity, when it is performed it is essential to properly identify the client that is being exploited. Beyond simply identifying the browser, it is also important to identify the operating system (O/S) before attempting to manipulate or exploit the client. An accurate assessment of the characteristics of the client allows for the execution of optimized scripts and/or executing a few exploits instead of executing all of the available exploits and hoping the client does not notice or crash.

  • Bypassing Malware Defenses by Morton Christiansen - June 3, 2010 

    Western societies increasingly rely upon information as the foundation for their social, political, financial and military success. Much of this information is transmitted through the Internet, or is handled in intranets using the Internet protocols. Often these internal networks even engage in some sort of (in)direct communication with the Internet itself. Examples of such mostly internal systems include Supervisory Control and Data Acquisition (SCADA) at times controlling nuclear reactors, civil defense sirens and air traffic control or the electricity/water/oil supply for entire nations. Other examples of sensitive internal systems include databases of large banks, of the police and of the military containing financial or intelligence information.

  • Writing a Penetration Testing Report by Mansour Alharbi - April 29, 2010 

    A lot of currently available penetration testing resources lack report writing methodology and approach, which leads to a very big gap in the penetration testing cycle. A report, by definition, is a statement of the results of an investigation or of any matter on which definite information is required (Oxford English Dictionary). A penetration test is useless without something tangible to give to a client or executive officer. A report should detail the outcome of the test and, if you are making recommendations, document the recommendations to secure any high-risk systems (Whitaker & Newman, 2005). Report writing is a crucial part for any service provider, especially IT service/advisory providers. In pen-testing, the final result is a report that shows the services provided, the methodology adopted, as well as testing results and recommendations. As one of the project managers at a major electronics firm said, "We don't actually manufacture anything. Most of the time, the tangible products of this department [engineering] are reports." There is an old saying in the consulting business: "If you do not document it, it did not happen." (Smith, LeBlanc & Lam, 2004)

  • Solution Architecture for Cyber Deterrence by Thomas Mowbray - April 29, 2010 

    The mission of cyber deterrence is to prevent an enemy from conducting future attacks by changing their minds, by attacking their technology, or by more palpable means. This definition is derived from influential policy papers including Libicki (2009), Beidleman (2009), Alexander (2007), and Kugler (2009). The goal of cyber deterrence is to deny enemies "freedom of action in cyberspace" (Alexander, 2007). In response to a cyber attack, retaliation is possible, but it is not limited to the cyber domain. For example, in the late '90s the Russian government declared that it could respond to a cyber attack with any of its strategic weapons, including nuclear (Libicki, 2009). McAfee estimates that about 120 countries are using the Internet for state-sponsored information operations, primarily espionage (McAfee, 2009).

  • Identifying Load Balancers in Penetration Testing by Curt Shaffer - March 9, 2010 

    More and more applications are moving to a web-based platform because there is a need to have applications that can run on multiple platforms without the need to write different code for each. People are using different operating systems and CPU architectures, such as 32- or 64-bit. Being able to write code one time to support all of these platforms is invaluable. Businesses are becoming more reliant on their web presence to offer 24-hour access to their services and goods. Thus, it is becoming more important that these applications are highly available. Over the past several years, companies have dedicated substantial resources to achieve this flexibility and to use the increased ability to become more productive. One of the first methods used to achieve this was DNS load balancing. Using DNS to achieve redundancy is probably the easiest way to give an appearance of load balancing. It then became apparent that a better way to load balance was needed, because this method has some serious limitations. The major limitation of this type of load balancing was that the DNS servers do not know whether a host that a resource record points to is up and ready to receive requests or not. If someone attempts to connect to a server in this case, the request will not be successful, giving the user an error or not responding properly. Another issue with this is that DNS servers tend to cache requests. If a person's DNS server has cached the record of the server that is down, the request will again fail.

  • Penetration Testing in the Financial Services Industry by Christopher Olson - March 9, 2010 

    The financial services industry is under attack from numerous and significant cybercriminal threats. Recent breach data numbers reveal that hackers have successfully compromised many financial institutions with the trend being that more records containing personally identifiable information (PII) are being stolen each year. In many cases where systems were breached the method of compromise was attributed to simple errors that gave rise to significant vulnerability. Given the ever present competitive pressure and the current economic strain to operate more efficiently banks are allocating resources with added care and may miss the opportunity to rally and mitigate existing deficiencies in basic operational and process controls. In lieu of allocating resources to implement appropriate preventative controls, penetration testing is one alternative detective control that can highlight areas of risk created when overburdened system administrators inadvertently create vulnerabilities.

  • Pass-the-hash attacks: Tools and Mitigation by Bashar Ewaida - February 23, 2010 

    Passwords are the most commonly used security tool in the world today (Skoudis & Liston, 2006). Strong passwords are the single most important aspect of information security, and weak passwords are the single greatest failure (Burnett, 2006). Password attacks, such as password guessing or password cracking, are time-consuming attacks. Tools that make use of precomputed hashes reduce the time needed to obtain passwords greatly. However, there is storage cost and time consumption related to the generation of those precompiled tables; this is especially true if the algorithm used to generate these passwords is relatively strong, and the passwords are complex and long (greater than 10 characters). In a pass-the-hash attack, the goal is to use the hash directly without cracking it; this makes time-consuming password attacks less needed.

  • A Taste of Scapy by Judy Novak - December 24, 2009 

    Have you ever envisioned that there may be an easy way to craft a TCP session beginning with the TCP three-way handshake so that you can emulate a client side of a TCP connection?

  • Why Crack When You Can Pass the Hash? by Christopher Hummel - November 3, 2009 

    While the concept of passing a Windows password hash has been around for some time, the release of publicly available tools has taken the first major step towards harnessing the true power of this attack. Although such tools have not yet targeted Microsoft’s implementation of Kerberos, all organizations are strongly encouraged to move towards pure Kerberos deployments in preparation for PKI integration. The evolving nature of this attack puts under pressure the issue of passwords as a valid identifier thus requiring organizations to use an alternate credential form such as digital certificates.

  • A Fuzzing Approach to Credentials Discovery using Burp Intruder by Karl Dawson - October 29, 2009 

    A general overview of the components of Burp that are used to crack a password. This is followed by an analysis of usernames; a step that is often overlooked in the rush to crack a password.

  • Scanning Windows Deeper With the Nmap Scanning Engine by Ron Bowes - June 22, 2009 

    This paper will look at how SMB and Microsoft RPC services work, how the Nmap scripts take advantage of the services, what checks the scripts are able to do, and what can be done to prevent them.

  • Stack Based Overflows: Detect & Exploit by Morton Christiansen - November 6, 2007 

    Buffer overflows remain some of the most serious and widespread vulnerabilities that exist, often giving an attacker complete control over the compromised system. Thus, in depth knowledge of how these vulnerabilities and exploits work is of utmost importance to penetration testers and incident handlers. This report provides the reader with a basic understanding of how stack based overflows work in practice. This is illustrated, while at the same time uncovering new vulnerabilities in the latest version of Windows XP.

  • Penetration Testing: Assessing Your Overall Security Before Attackers Do Analyst Paper (requires membership in community)
    by Stephen Northcutt, Jerry Shenk, Dave Shackleford, Tim Rosenberg, Raul Sile, Steve Mancini - November 17, 2006 

    CORE IMPACT provides a stable, quality-assured testing tool that can be used to accurately assess systems by penetrating existing vulnerabilities.

  • War Dialing by Michael Gunn - June 22, 2006 

    This paper will give the reader general information on war dialing, war dialing tools and general steps you can take to protect your network from unwanted intruders who may try to gain access to your network via unauthorized or poorly managed modems.

  • Penetration Testing: The Third Party Hacker by Pieter Danhieux - May 17, 2006 

    This paper is intended to help managers decide on a penetration testing firm by providing them with some essential points of attention and critical questions to ask the prospective service providers.

  • An Overview of Remote Operating System Fingerprinting by Chris Trowbridge - October 31, 2003 

    This paper presents an overview of the various approaches to OS fingerprinting, some current tools available on the Internet together with their features, the underlying techniques they use, and suggestions for defeating these tools.

  • Battle for the Internet: The War is On! by Kevin Owens - June 3, 2003 

    There is a battle raging between security professionals and hackers. By placing people into the shoes of a hacker, and teaching them the skills to gain access to a system, one is better able to defend against them.

  • Penetration Studies - A Technical Overview by Timothy Layton - May 30, 2002 

    This paper builds on Jessica Lowery's research paper, Penetration Testing: The Third Party Hacker, by drilling down on some of the most common tools and applications used to perform penetration tests. This paper is divided into two parts: "Tools of the Trade" that identifies various tools for penetration testing and the second part is the technical breakdown and "how-to" of reconnaissance, scanning, and vulnerability testing.

  • Penetration 101 - Introduction to becoming a Penetration Tester by Dave Burrows - May 9, 2002 

    The purpose of this paper is to give you a brief and basic overview of what to look for when starting out in penetration testing and to build up an internal penetration test kit to aid you in performing both internal and external penetration tests on your company network. It also aims to make you aware of the problems with new network technology like wireless networks, and remote access devices that can circumvent network perimeter security devices like firewalls and IDS.

  • Penetration Testing - Is it right for you? by Jimmy Braden - March 20, 2002 

    This paper will review the steps involved in preparing for and performing a penetration test.

  • A Model for Peer Vulnerability Assessment by Patricia Payne - December 17, 2001 

    This paper proposes a model for ongoing assessment to be performed by the system administrators that includes testing and assessment in a non-threatening environment that provides added value of education for those performing the assessments.

  • Finding dsniff on Your Network by Richard Duffy - November 28, 2001 

    This paper covers some ways to detect dsniff and two of its utilities, arpspoof and macof, on a network.

  • Instruments of the Information Security Trade by Mark Graff - November 27, 2001 

    This paper examines how penetration testing, if done properly, will benefit your organization's information security.

  • Security Life Cycle - 1. DIY Assessment by Lee Wai - November 13, 2001 

    This paper describes a simplified and comprehensive way to accomplish vulnerability assessment, one phase of the Security Life Cycle.

  • Guidelines for Developing Penetration Rules of Behavior by Nancy Simpson - August 14, 2001 

    This paper examines how, if planned and executed appropriately, penetration testing can be a very useful tool for determining the current security posture of an organization.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted. Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.