SANS SEC575 Mobile Device Security and Ethical Hacking Review

IMG_1654I recently attended the SANS SEC575 Mobile Device Security and Ethical Hacking class in Las Vegas and I wanted to post some of my thoughts on the course.

Day One: Architecture and Management

Day one started off with a quick overview of mobile device issues that would be addressed in the course and a lab which has the students extract sensitive data from a network capture file with mobile device traffic. After that there are four “what you need to know” sections about iOS, Android, Blackberry and Windows Phone devices. The sections cover technical specifications, key points, protection mechanisms etc. These sections are well done and provide a solid foundation for the rest of the class.

The next section in the book covers building your own lab using devices, emulators and simulators. There are two exercises where you configure an Android emulator and interact with it using ADB commands. The labs throughout the entire course were very well done and helped reinforce the topics being taught.

The next portion of the book discussed Mobile Device Management (MDM) systems used for enforcing device policy settings. This section included an exercise that had you take a policy for a company and create a profile enforcing the rules of that policy using the iPhone Configuration Utility.

Mobile Malware was next up and we started off covering some basics, progressed to examining specific historical malware attacks and finished by discussing preventative measures to protect your devices. That concluded the class portion of day one but the day one book also has an Appendix on policies and practices as well as a section on miscellaneous topics.

Day Two: Security Controls and Platform Access

Day two begins with a lengthy section on mitigating the threat from stolen devices and includes an exercise where the students recover the swipe pattern from a locked Android. Backups, fingerprints and passcodes were all discussed as well.

Next up was a section on unlocking, rooting and jailbreaking iOS and Android devices. The section started off with general topics and then covered a specific iOS jailbreak and a root for an Android Nexus 7.

The next section was small but packed with great information on data storage and filesystems. Plist, SQLite and XML were all covered as were locations within the filesystem which could contain sensitive data. This section concluded with a lab where the students searched an iPhone backup to look for key pieces of information.

Most of the remainder of day two was spent covering capturing and analyzing mobile application network activity using tools such as Burp Suite, NetworkMiner and Wireshark. There were two well-done exercises in the afternoon which gave the students a chance to utilize these tools.

Tacked on to the end of the day two book was a section on Blackberry classic PIN cracking and backup access as well as a few other miscellaneous topics.

Day Three: Application Analysis

Day three brought 280 pages of hardcore application analysis and I loved every minute of it. Before I give an overview of the day’s content I would like to state that a majority of the class had little to no programming experience and still got a lot out of this section. You don’t need to be a programmer to go through the exercises you just need to understand the concepts taught and use analytical thinking.

The first section is on static application analysis (Android and iOS) and ends with an exercise analyzing an Android application.

The next section is on automating app analysis and has a lab where the student analyzes a piece of Android malware and then another where the student finds a vulnerability in an Android application that can be exploited.

Next up was a lengthy section on manipulating an application’s behavior which includes a lab on modifying Android applications.

The day ends with a short but awesome “App Analysis Walkthrough” where the author goes through the steps he took each day on a near real world analysis of an iOS application and a small section on filesystem monitoring.

By the end of the day your brain is cooked but you’ve learned quite a bit about analyzing mobile device applications in different ways.

Day Four: Penetration Testing Mobile – Part 1

Day’s four and five of this course are really interesting. Day’s one through three covered topics that were largely mobile device related but there is obviously a lot of crossover between mobile device hacking and traditional hacking and that is where day’s 4 and 5 come in.

Day four is a one day mini primer on Wireless hacking and it is FANTASTIC. It starts off with a section on wireless network scanning where it discusses topics like using monitor mode on Linux, Windows and OS X and intros a few basic tools. The first section ends with a lab where students use Kismet to figure out the SSID of a network which is hiding it.

Next up is a short but sweet section on mapping probe requests which includes a lab where the students generate a visual graph of client probe requests.

The next few sections progress through the different levels of encryption.

• On an open network with a captive portal? You’ll cover ways around it.
• On a WEP encrypted network? You’ll crack it in a lab.
• On a WPA-PSK encrypted network? You’ll discusses your options and you’ll crack one in a lab.
• Facing a WPA Enterprise network? You’ll discuss setting up your own modified RADIUS server to grab login credentials.

The day ends with a section and lab on mobile device fingerprinting.

I seriously couldn’t imagine a better one day walkthrough of wireless topics. For the small number of students who had attended the SANS SEC617 wireless or other in depth wireless courses it was a nice refresher but for everyone else it was a fantastic mini wireless course hidden within a course on Mobile Device Security.

Day Five: Penetration Testing Mobile – Part 2

What day four was to wireless day five was to web application type attacks. Day five covers network manipulation attacks like ARP spoofing, sidejacking attacks, SSL/TLS attacks, client side injection attacks, HTTP parameter tampering, XSS attacks and SQL injection.

While the tools the students use are web application testing standards like Burp Suite and SQLmap the labs have you attacking the transactions and infrastructure for mobile device applications you’re running in emulators.

Just like day four they did a fantastic job of boiling down what would have been a week’s worth of content into a day worth great overviews and hands on experience.

Day Six: Hand-on Mobile Security Event (Capture The Flag)

The CTF for day 6 of the 575 course uses the Netwars scoring engine and is very well done. Every student in class got a chance to practice the skills they had been exposed to over the past five days and it really seemed to help add to the learning process. There were the moments of frustration found in any CTF but everyone seemed to really enjoy the day.

Summary

The 575 was a very enjoyable class. There were some topics which I was already a little bit familiar with but now have a much better understanding of after a week of hands on learning and instruction from a world class expert.

The class was taught by Chris Crowley who did a great job teaching and entertaining. He seemed sincerely interested in helping students get what they wanted out of the class, had many sidebar conversations with students at break and after hours and spent the better part of one lunch period going over the previous day’s labs for a few students who wanted to see a walk through. I would take a class from Chris again in a heartbeat.

Comments

Post a Comment

Popular posts from this blog

SANS Index How To Guide with Pictures

Image
I got some great advice recently on creating an index for SANS exams and I wanted to write a blog post to share it with others. I took the SANS FOR 508 Computer Forensics course in 2008. It was way over my head but I had a great time and learned a ton. A few months ago I finally decided to go for my GCFA certification. I had four year old material from a course that had been completely revamped and no index. I passed the exam with a score in the 80s but it was a grueling experience. I had to rush on the last part of the exam and never felt comfortable. A few months after my GCFA exam I got an opportunity to attend a SANS SEC 504 class. I really wanted to prepare for my GCIH exam the right way so while I was at the conference I asked several individuals how they prepared their index. Most people told me that their indexes were 8-10 pages. A lot of these people had more SANS certs than I have friends so their methods obviously worked for them. My class had a teaching assistant (also SANS
Read more

Introducing FaviconLocator: The Eazy Button to Searching by Favicon

Image
  Favicons (short for favorite icons) are the cute little pixelated images that appear next to the site name in web browser tabs, bookmarks, etc. In the image below we can see the iconic GitHub logo on their site and the KFC logo on a bucket of chicken on their site. Originally, favicons were designed to add a touch of professionalism and branding, but for anyone who is like me and has over a dozen tabs open at any time, favicons are the only thing displayed and how I navigate tabs. Most of us rely on favicons on a daily basis but many never think of them as a tool we can use in OSINT and CTI investigations. That’s what we’re doing to talk about here as well as introduce a new tool. In addition to branding and aiding in navigation between tabs, favicons can serve as unique identifiers for websites. These unique identifiers can help us: Trace the online presence of organizations and discover obscure digital assets Map the online infrastructure of potential threats Potentially de-ano
Read more

Automating Domain Squatting Detection with DNSTwist and Python

Image
  There’s a good chance that, at some point, you’ve received a spam email with a link that looked close to the name of a popular domain but was just a little off. Payapl.com instead of Paypal.com or similar. Domain squatting is a malicious activity where attackers register domain names similar to legitimate ones. Attackers may use these domains to deceive users into believing they are visiting a legitimate website, which can lead to phishing and other attacks. DNSTwist (available here: https://github.com/elceef/dnstwist ) is a popular tool that helps identify domain names that are similar to a given domain name. It generates a list of potential domain names by applying various fuzzing techniques to the given domain name and then checks if these domains are registered. Check out the list of Bank Of America copycat domains: DNSTwist is an amazing tool that should likely be a part of every organization's Cyber Threat Intelligence monitoring efforts, and I wanted to automate it
Read more