Secure Payments, PCI DSS, Regulatory Compliance Blog

Review - InfoSec Institute Advanced Ethical Hacking: Expert Penetration Testing

May 7th, 2007 by chitchcock Posted in Vendors

I just returned from attending InfoSec Institute’s AEH course. Given the relevance of penetration testing to PCI, I thought that it would be worthwhile to post a review for anyone who’s considering attending.

Vendor:
InfoSec Institute
I hadn’t heard much about InfoSec Institute previous to doing research into pen-testing training. What ultimately helped to make my decision was my familiarity with The Shellcoder’s Handbook and that its lead author was going to be teaching the particular session that I was considering attending.
Course:
Advanced Ethical Hacking: Expert Penetration Testing
The course is styled for those who have an interest in moving beyond simply launching exploits at a target, as the meat of the course is in vulnerability discovery and exploitation. This is a 5-day/40-hour training session.
Prerequisites:
In addition to the prerequisites noted on the webpage, the instructor stated that some knowledge of C/C++, knowledge of basic assembly/memory management, and familiarity with the first five chapters of The Shellcoder’s Handbook were required to get the most out of the course.
Instructor:
Jack Koziol
Jack was certainly one of the most knowledgeable instructors that I’ve had. The great part about him was his ability to manifest that knowledge in the form of a concise and self-assured teaching style. Not only did he readily provide clarification with regard to the course material, but he had plenty of real-world information and anecdotes from his various pen-testing engagements.
Course Materials:
I found the course materials to be very good overall. Each student received a copy of The Shellcoder’s Handbook, a high-quality lab manual, a CD containing PDF copies of the instructor’s PowerPoint slides and a CD containing a number of “ethical hacking” tools. The book and lab manual were the best resources by far; the CDs were lacking, however. The slides merely provided speaking points for the instructor, and so were void of much in the way of detailed information. The hacking tools — while useful — were certainly outdated (e.g. nmap 3.75, circa 2004).
Certification:
Certified Expert Penetration Tester (CEPT). I’ve been known to assert that certifications that don’t include practical exams are worthless. I’m quite happy to report that the CEPT has gone from a simple 100-question multiple-choice exam to a 50-question multiple-choice exam with a practical. I found the multiple-choice portion to be not unlike other certifications — exceedingly easy. Though we had 2 hours allotted to us, I was able to finish within 15 minutes with a 98%. However, a passing grade on the multiple-choice means that the student receives an e-mail within a week that contains instructions for the practical exam. According to the instructor, the practical consists of finding vulnerabilities in 2 binaries, writing exploits for them, and reverse-engineering a 3rd binary.
Daily summary:
Day 1: The first day was somewhat disappointing, as it was much more tool-centric than I had anticipated. We looked at “advanced” recon and stealth techniques such as idle scanning, moon-bouncing, IDS blinding, and so forth. I’m not — by trade — a pen-tester, but nothing presented here was very novel or surprising. Still, going through the lab exercises and actually using the tools was a nice confidence builder. The day ended with a capture-the-flag exercise that was somewhat glitch-prone (network/target stability issues), so it wasn’t all that fun.
Days 2-3: Days 2-3 blended together somewhat and were definitely the core of the course. Topics included buffer overflows, fuzzing for vulnerabilities, writing exploits with Metasploit, writing shellcode, and format string bugs. Jack was able to simplify these complex ideas and — at least on a basic level — make them accessible to the class. The capture-the-flag exercises on each day went much more smoothly than the first day; both centering around finding vulnerabilities and writing exploits for them. Whee!
Day 4: Though I learned a great deal from the day 4 modules, the material was only tangentially related to penetration testing. Cracking binaries, CDROM protections, cracking with SoftICE, cracking with IDAPro and detecting debuggers/disassemblers. The capture-the-flag exercise involved cracking a couple crackmes.
Day 5: This was the short day, as the goal was to end the class by 3pm. Unfortunately, trying to stick to this time-table meant that the quality of the course suffered a bit. We were supposed to study web application penetration testing — SQL Injection, proxy poisoning, and the like — but were only able to get through 2 of the 5 modules.
Critiques:

Slides: As previously mentioned, the slides lacked detailed content. I would have preferred either better slides or supplementary MP3s.
Tools: The free toolkit seriously needs updating.
Thoroughness: Due to the amount and depth of material that we needed to cover, several modules were glossed over or skipped altogether. IMHO, InfoSec needs to either re-focus on the core (days 2 and 3) material or extend the course to 7 days. It should also be noted that the course — minus the capture-the-flag exercises — was supposed to be 40 hours in length, but the shortened final day meant that we only went through 3 hours of material vs. 8 hours in previous days.
Content: The web-app modules were obviously an after-thought and their presence didn’t make as much sense as the other modules. Again, there needs to be a re-focus on the core material.
Prerequisites: Unfortunately, there were a few people in the class who not only lacked the extended prerequisites mentioned above, but the base prerequisites mentioned on the website. This meant that the instructor was tied up with basic/mundane questions, rather than spending more time with questions on the course content. Somewhat along these lines, several students — myself included — had their copies of The Shellcoder’s Handbook shipped to them late (distributor error). InfoSec’s operations manager stated that “it will not hurt you in any way with the progression of class”, which was in direct contradiction to the instructor’s assertions.
Class size: The InfoSec website states “Guaranteed small class size (less than 10-16 Students)”; I counted at least 22 students in my class. While not a deal breaker, I believe that we could have gotten through more content had there been fewer students.
Conclusion:
My expectation wasn’t to become an expert vulnerability researcher, but simply to further my knowledge a bit. Despite my critiques, I was quite happy with the course overall, as well as the support that I got from the sales team. I wouldn’t hesitate to recommend the AEH course to anyone with a technical bent who is interested in progressing beyond point-and-click pen-testing.

Update - 2007.07.31:
Based on the critiques of the course, I am attempting to take advantage of their free re-sit policy. On 05.08, I was “confirmed” for a re-sit of the August class in Las Vegas and was told that the details (e.g., times, location, etc) would be forwarded on. After no contact for a month, I e-mailed again on 07.08, 07.13 and again today…still no response.

Update - 2007.08.02:
After CC’ing another InfoSec Institute employee and posting an update to this blog, I finally received a response to my 07.31 e-mail. It looks like I’ll be at the Las Vegas class later this month. I’ll continue to post updates and any critiques of the class.

Update - 2007.09.27:
Unfortunately, my re-sit was pushed back by my employer (too busy). I’ll add another update if/when I eventually do the re-sit. On the positive side, I was contacted by InfoSec and was told that I had passed the practical portion of my CEPT. One odd thing about it — when I completed the multiple-choice test, the screen clearly stated that I passed with a 98%. When I got my CEPT certification — which included a breakdown of grades — it stated that I had received an 86% on the multiple-choice portion. I didn’t address it with anyone however; a pass is a pass, and I don’t care enough to pursue it.

6 Responses to “Review - InfoSec Institute Advanced Ethical Hacking: Expert Penetration Testing”

By Michael Dahn on May 8, 2007

    Thanks for the review.

    I’d like to comment that many people ask the question, “is there a PCI approved penetration testing methodology?” Everyone seems to know what a pen test is, but they want clarification on where to draw the boundaries.

    I’ve commented that the emphasis is on (1) network-level and (2) application-level testing, and referenced the OSSTM but people still ask for more.

By Moe W. on Aug 9, 2007

    I hope to hear more about your resit. I am about to take this with the CEH course they offer; I’m hoping it will give me good grounding to enter the world of pen testing…. Would you say it accomplishes this, or is there another course you would recommend?

By chitchcock on Aug 9, 2007

    I can’t speak to the EH class since I never took it.

    The real issue is background…unless you have a solid understanding of systems, networking, and the like, you’ll end up being able to run the tools without knowing why/how they work.

    As for the AEH class, I’d recommend against taking it without a decent understanding of programming/systems. At the very least, read the first 5 chapters of The Shellcoder’s Handbook. If you’re completely lost, then wait to take the AEH class.

By Moe W. on Aug 9, 2007

    I believe I have a good understanding of networking, but I’ll try reading the first five chapters and see how far I get… I have some time; the class I plan to take is in Nov/Dec.

By Moe W. on Sep 11, 2007

    So how did you find the class to be the 2nd time around?

1 Trackback(s)

May 8, 2007: www.andrewhay.ca » Suggested Blog Reading - Tuesday May 8th, 2007