====== Sans 2008 ======

===== Audit 521 (Day 1 & 2) =====

[[http://www.archlinux.org/]]

Randy's cell phone 250-7618

jungledisk.com -- cheap storage.

ips -- intrusion protection system

metasploit -- pen testing tool.

tripwire

===== 514 (Day 3) =====

iftop, ntop, dnstop

honeywall -- installed on a box with 3 interfaces; can work as a tap.

block outbound 80,443 on web servers

===== 531 Windows Command-Line Kung Fu In-Depth (Day 4) =====

powershell is available for windows, but that is not what we are covering today.

pwd: ''cd''

command prompt location: ''c:\windows\system32\cmd.exe''

with colors: ''start /t:0a''

Windows File Protection: ''wfp''

service control query: ''sc query''

command line registry editor: ''reg''

  reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

network configuration: ''netsh''

starting control cpl's: [[http://www.vlaurie.com/computers2/Articles/control.htm]]

  netsh firewall set opmode disable

===== Security 601 Reverse-Engineering Malware (Day 5 & 6) =====

Behavioral analysis
  * controlled VMware "laboratory"
  * system monitor tools
    * Process Monitor
    * Process Explorer
  * snort
    snort -vd | tee /tmp/sniff.log

Code Analysis
  * disassembler
    * IDA Pro -- freeware version
  * debugger
    * OllyDbg (free)
      * F7 step into
      * F8 step over (skips calls)
      * F2 breakpoint
      * Ctrl-F9 run (execute until return)
      * Ctrl-N list symbolic names
  * eax is used for return values (for strings, a pointer to the string)

products to revert a system
  * [[http://www.coreprotect.com|CoreRestore hardware board $150]]
  * [[http://www.faronics.com|DeepFreeze]]
  * [[http://www.microsoft.com|Windows SteadyState]]
  * [[http://www.returnilvirtualsystem.com|Returnil]]

Rebuild PE headers: imprec

----

common passwords: infected, virus, malware

----

Windows diff command. This works on binaries!

  fc

----

Analyzing Malicious Sites

Use a text based browser: wget, lynx

  wget "http://malicious.com/" --user-agent="Mozilla/4.0...Page 4-29.."

lets you pose as another browser.

Javascript decoder, if encoded with the Microsoft encoder tool jscript.encode. Not used much since it is not compatible with other browsers.

  c:\>scrdec14.exe installer.htm decoded.htm

Now custom obfuscation techniques are used: print the script text to the page and don't execute it.

firebug for firefox

don't execute scripts: noscript

===== ARUBA Networks =====

[[http://www.willhackforsushi.com/Home/Home.html|willhackforsushi.com]]

airPwn, Karma, metasploit, Kismet newcore

[[http://labs.arubanetworks.com]]

WiFiDEnum -- wireless driver vulnerability assessment
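The Security 601 notes point out that the Windows ''fc'' command compares binaries (''fc /B''). The following Python script is an added example, not from the course or these notes, of what that comparison does under the hood: it walks two byte strings in lockstep, reports each differing offset in fc's ''offset: XX YY'' layout, and handles the case fc also handles, files of unequal length. The two inputs (''ORIGINAL'' and ''PATCHED'') are constructed in the script, not real binaries.

```python
"""fc /B-style byte comparison of two binaries (added example, not from the notes)."""


def binary_compare(first: bytes, second: bytes, max_diffs: int = 20) -> dict:
    """Compare two byte strings the way `fc /B` does.

    Returns the differing offsets (capped at max_diffs, as fc also stops
    listing after a while), the total number of mismatches over the common
    length, and which input is longer when the sizes differ.
    """
    diffs = [(off, x, y) for off, (x, y) in enumerate(zip(first, second)) if x != y]
    longer = None
    if len(first) != len(second):
        longer = "first" if len(first) > len(second) else "second"
    return {"diffs": diffs[:max_diffs], "total": len(diffs), "longer": longer}


def format_report(name_a: str, name_b: str, result: dict) -> list[str]:
    """Render the comparison in fc's `offset: XX YY` layout."""
    lines = [f"Comparing files {name_a} and {name_b}"]
    if not result["diffs"] and result["longer"] is None:
        lines.append("FC: no differences encountered")
        return lines
    lines += [f"{off:08X}: {x:02X} {y:02X}" for off, x, y in result["diffs"]]
    hidden = result["total"] - len(result["diffs"])
    if hidden:
        lines.append(f"... {hidden} more differences not shown")
    if result["longer"]:
        longer_name, other = (name_a, name_b) if result["longer"] == "first" else (name_b, name_a)
        lines.append(f"FC: {longer_name} longer than {other}")
    return lines


# Constructed sample (not real files): a 256-byte "original" and a copy in which
# two bytes were patched to 0x90 (NOP) and two 0xCC (INT3) bytes were appended.
ORIGINAL = bytes(range(256))
_patched = bytearray(ORIGINAL)
_patched[0x10:0x12] = b"\x90\x90"
_patched += b"\xCC\xCC"
PATCHED = bytes(_patched)

if __name__ == "__main__":
    for line in format_report("original.exe", "patched.exe", binary_compare(ORIGINAL, PATCHED)):
        print(line)
```

Running it prints the two patched offsets (0x10 and 0x11) and then flags that patched.exe is the longer file, which is the same information ''fc /B original.exe patched.exe'' would give.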
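The "Rebuild PE headers: imprec" note refers to repairing the headers and import table of an image dumped from memory. As an added example (mine, not the course's, and not ImpREC's own logic), the script below parses the DOS header, the NT headers and the section table using the field offsets from the PE/COFF format and reports the problems a dumped image typically shows: an empty import directory, section raw data that runs past the end of the file, or an entry point outside every section. ''build_sample_pe'' constructs a minimal, non-runnable PE32 image for the demonstration; it is not a real executable.

```python
"""Sanity-check PE headers of a dumped image (added example, not from the notes)."""
import struct

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
IMPORT_DIRECTORY = 1  # index into the optional header's data directory array


def check_pe_headers(data: bytes) -> dict:
    """Walk DOS header -> NT headers -> section table and collect findings.

    Never raises on damaged input: every problem is appended to findings so an
    analyst can see what a rebuild (e.g. with ImpREC) would have to repair.
    """
    findings = []
    info = {"findings": findings, "sections": []}
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        findings.append("no MZ header")
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):
        findings.append("e_lfanew points past end of file")
        return info
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        findings.append("PE signature missing at e_lfanew")
        return info
    fh = e_lfanew + 4  # IMAGE_FILE_HEADER
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    info.update(machine=machine, characteristics=chars)
    opt = fh + 20  # IMAGE_OPTIONAL_HEADER
    if opt_size < 2 or opt + opt_size > len(data):
        findings.append("optional header truncated")
        return info
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in OPT_MAGIC:
        findings.append(f"unknown optional header magic 0x{magic:x}")
        return info
    info["format"] = OPT_MAGIC[magic]
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    # Data directories begin at 96 (PE32) or 112 (PE32+); NumberOfRvaAndSizes sits 4 bytes before.
    dir_base = 96 if magic == 0x10B else 112
    n_dirs = struct.unpack_from("<I", data, opt + dir_base - 4)[0]
    if n_dirs > IMPORT_DIRECTORY:
        imp_rva, imp_size = struct.unpack_from("<II", data, opt + dir_base + 8 * IMPORT_DIRECTORY)
        info["import_dir"] = (imp_rva, imp_size)
        if imp_rva == 0 or imp_size == 0:
            findings.append("import directory is empty: imports need rebuilding")
    sec_table = opt + opt_size  # IMAGE_SECTION_HEADER array, 40 bytes each
    for i in range(nsec):
        off = sec_table + 40 * i
        if off + 40 > len(data):
            findings.append(f"section table truncated after {i} entries")
            break
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        info["sections"].append((name, va, vsize, raw_ptr, raw_size))
        if raw_ptr + raw_size > len(data):
            findings.append(f"section {name} raw data runs past end of file")
    if info["sections"] and not any(va <= entry < va + max(vsize, 1)
                                    for _, va, vsize, _, _ in info["sections"]):
        findings.append(f"entry point 0x{entry:x} lies outside every section")
    return info


def build_sample_pe(import_rva: int) -> bytes:
    """Constructed minimal PE32 image (not a runnable program): two sections,
    entry point inside .text, import directory at import_rva or empty if 0."""
    dos = DOS_MAGIC + b"\0" * 58 + struct.pack("<I", 0x40)             # 64-byte DOS header, no stub
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)   # i386, 2 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 92, 16)                                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMPORT_DIRECTORY, import_rva, 0x80 if import_rva else 0)

    def section(name: bytes, va: int, raw_ptr: int) -> bytes:
        return struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, raw_ptr, 0, 0, 0, 0, 0x60000020)

    header = (dos + PE_SIGNATURE + file_hdr + bytes(opt)
              + section(b".text", 0x1000, 0x200) + section(b".rdata", 0x2000, 0x400))
    return header.ljust(0x200, b"\0") + b"\xC3" * 0x200 + b"\0" * 0x200


if __name__ == "__main__":
    for label, image in [("intact", build_sample_pe(0x2000)), ("dumped", build_sample_pe(0))]:
        r = check_pe_headers(image)
        print(label, r["format"], [s[0] for s in r["sections"]], r["findings"])
```

The intact image produces no findings; the "dumped" variant, whose import directory RVA is zero, is reported as needing its imports rebuilt, and truncating the file makes the section-bounds check fire. The same checks apply unchanged to a real file read with ''open(path, "rb").read()''.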