SANS 542 – Winning the CTF Event – Coinage

SANS 542 – Winning the CTF Event

I just finished taking the SANS 542 vLive class on Web Application Penetration testing. During the last week (week 6) of the course, we have a CTF (Capture The Flag) event, where you team up with other classmates to exploit systems in a special SANS virtualized environment.

In our event, it started off being a bit unfair where the team I was on had 1 other person with me. While, the team on the other end had 4 members, so it was a 4 vs. 2 battle for most of the CTF. SANS has a similar environment as to one you would see at SANS Netwars. There is an area to create a team name, see your team rank and scores, as well as questions that are asked to you.

In the event our team thepentestninjas won the event leading the other team by over 100 points. We compromised all of the servers on the network, and completed the Level 3 mark. We however, got the very last system with 1 minute to spare.

SANS now has started a new program where they give out special SANS coins to winners of these types of events.

What is a SANS Pentest Coin?


Wappalyzer – Identify technology on websites

Wappalyzer – Identify technology on websites

During one of my SANS vLive courses I am currently taking part in. My instructor introduced us to a nifty tool called Wappalyzer. He said he does use it as “one” of his tools of arsenal for pentesting servers and websites. I decided to take a look for myself since it wasn’t part of our SANS course. And, when you have a SANS instructor discussing a tool they use… well you just can’t go wrong by checking it out for yourself.

Finding technologies on a website

One of the most important aspects of pen testing online is to conduct proper recon. You need information to be able to devise a plan to more forward with the pen test. Information gathering is key and Wappalyzer can definetly help with recon. I decided to use as an example to see what type of technologies would show up. (more…)

DNSTwist – Domain Phishing Enumeration

DNSTwist – A Look at Domain Phishing Enumeration

A few weeks ago, I happened to stumble upon a tool called DNSTwist. And, like every tool I ever encounter, I always like investigate more into a tools capabilities and what it can offer. After reading more about the tool through another blog I was reading at that time. I was pointed towards the official Github page for DNSTwist. The tool itself is great and something every company should at least look at on a yearly basis. Phishing attacks are on a rise, and the expectation is that they will continue to increase over time. So, I’ve decided to create a very quick tutorial on how to use DNSTwist, and what it can offer for anyone that wants to make use of it. This is a great tool for Pen Testers and Security Analysts!

What can DNSTwist do for me?

I found using this tool gave me great insight into major phishing attacks that could be conducted against users or companies. Now how is this a good thing? Well, if you know the type of attacks that can take place, or how a certain attack can take place. Then, you are better able to find ways to defend against this type of attack. At the minimum, you can at least detect this specific type of attack. In my experience there are more stats revealing that there is now a rise in phishing attacks against companies and users.

So how does this tool help me? (more…)