While at ToorCon X, I had the opportunity to attend the ‘Crash Course In Penetration Testing’ workshop by Joe McCray and Chris Gates. I had heard of them before; Chris from the Carnal0wnage blog, and Joe from Learn Security Online. But how much of a crash course in penetration testing could actually be taught in two days?

This course will cover some of the newer aspects of pen-testing, covering: Open Source Intelligence Gathering with Maltego and other Open Source tools, Scanning, Enumeration, Exploitation (both remote and client-side) and Post-Exploitation, relying heavily on the features included in the Metasploit Framework. We’ll discuss our activities from both the Whitebox and Blackbox approach, keeping stealth in mind for our Blackbox activities.

Web Application penetration testing will be covered as well with focus on practical exploitation of cross-site scripting (XSS), cross-site request forgery (CSRF), local/remote file includes, and SQL Injection.

The course will come with a complimentary USB hard drive loaded with the lab Virtual Machine images for you to play with, so you can continue to hone your skills and learn new techniques even after the course is finished. Attendees will walk away with a current knowledge of how to pen-test both a network and a web application, all of the basic tools needed, and a set of practice exercises that they can use to improve their skills.

To me, the title of the course is misleading. If I read only the title, I would think the course covered all aspects of penetration testing, and not just the technical testing part. But okay, the description changes my expectations quite a bit.

What type of background is needed for this class?

Because this was more of an introductory class, I think anyone interested in penetration testing could take this class. But there were twelve people in the class, and everyone was in some sort of role that was related to information security. A few of the job roles were development, security consulting, network security, and CISO.

What was actually covered and taught at the course?

The first day was mainly lecture, and they pretty much covered all the topics from the first paragraph of their description. But all of that was discussion only, and not labs. They did have pre-built VM images to go along with the lecture, but because of the short time, it was lecture only. The second day was mostly labs. Joe built a vulnerable bookstore application so everyone could get hands-on experience with XSS and SQL Injection attacks.

How was the class?

I had a lot of fun in the class. Getting the time to talk to Chris and Joe was great. Lots of ideas and advice were thrown around between the three of us. I picked up several things to take home and do further research on.

How were the speakers?

Both Joe and Chris do penetration testing for their day job, and they know their stuff. They are great speakers and I really enjoyed the various stories that they shared with us. This was their second time teaching the course, and they did a good job of covering the majority of topics from the course description.

Any suggestions for improvement?

  • Based on everyone’s feedback at the end of the class, there should be more labs and less discussion.
  • Extend the course to more days. They covered a lot of topics in two days, but people need to try and do those things for it to click in their heads.
  • Don’t require attendees to bring their own computers for labs. Have computers set up with the labs all ready to go, because the time it takes for everyone to get set up is time lost.

Would you suggest this course to others?

Joe and Chris are very knowledgeable, and their content was accurate and up to date. If the course was longer, I would definitely recommend the course for people interested in the field. With two days and a packaged agenda, some material was glossed over, or not talked about at all. I am not sure how this course compares to the competition like Foundstone, SANS, and SensePost.