HeartBleed Shows How to Quickly Assess Vulnerabilities


Ahead of Pen Test Berlin 2014, Europe’s largest dedicated educational event for penetration testers and ethical hackers, course author Mark Baggett suggests system admins and defenders can also benefit from coding knowledge.

In response to HeartBleed, a serious vulnerability in OpenSSL 1.0.1 that allows a remote attacker to extract data from the memory of a target computer, a number of new tools that exploit the vulnerability have been released into the InfoSec community within just a few weeks of the flaw's discovery.

Tools such as SSLTEST, HB-TEST and HEARTBEAT_SCANNER have quickly gone into wider circulation to develop exploits that demonstrate the seriousness of the vulnerability. “The thing these tools all have in common is that they were written in Python,” says Mark Baggett, SANS Certified Instructor. “Why? Because Python is a ‘rapid deployment’, ‘batteries included’ language that includes the core set of libraries and everything that you need to perform a wide variety of tasks, including developing exploits, with most exploit tools only requiring a few lines of code.”

Baggett is also the course author of SANS SEC573: Python for Penetration Testers, a course designed to help penetration testers customise existing open source code or develop their own tools. As course instructor Tim Medin explains, “You know, I’ve been a little surprised by the number of systems administrators and network defenders that attend SEC573. It was written with the penetration tester in mind but it is clear that the skills are relevant across a wider group.”

This course is designed to meet students at their current skill level, appealing to a wide variety of backgrounds ranging from people without a drop of coding experience all the way up to skilled Python developers looking to increase their expertise and map their capabilities to penetration testing. The course includes language essentials and the development of a SQL Injection tool, a password guesser, a custom backdoor and a network reconnaissance tool. “These are certainly tools that every penetration tester needs, while most security professionals find the skills required to develop those tools are easily applied to all kinds of situations. In short, everyone can easily benefit from the Python skills that are certainly developed in this course,” says Medin.

The upcoming SANS Pen Test Berlin 2014 is the largest dedicated training event for ethical hackers in Europe and runs at the Radisson Blu Hotel in Berlin from the 15th to the 21st of June. Across 6 days, attendees will participate in advanced penetration testing and ethical hacking courses led by SANS’ globally renowned, expert instructors. Each evening, SANS will host a series of @Night talks and social functions across a wide range of subject areas.

Alongside SANS SEC573: Python for Penetration Testers, Pen Test Berlin 2014 will also host:

SANS SEC760: Advanced Exploit Development for Penetration Testers with Stephen Sims
SEC542: Web App Penetration Testing and Ethical Hacking with Pieter Danhieux
SEC560: Network Penetration Testing and Ethical Hacking with James Lyne
SEC575: Mobile Device Security and Ethical Hacking with Raul Siles

The courses provide essential preparation for a number of Global Information Assurance Certification (GIAC) exams including GIAC Penetration Tester (GPEN), GIAC Assessing and Auditing Wireless Networks (GAWN) and GIAC Exploit Researcher and Advanced Penetration Tester (GXPN). For more information or to register, please visit: http://www.sans.org/info/160430
