SANS 617 so far

docricedocrice Member Posts: 1,706 ■■■■■■■■■■
For the last few weeks I've been doing OnDemand for SANS 617 (Wireless Ethical Hacking, Penetration Testing, and Defenses) and man is this course a mouthful. It's interesting in that it covers the crypto details much more in-depth than Offensive Security's Wireless Attacks course ever did. I think OffSec's offering is more "fun" with all the videos, but I feel so far that overall 617 is much more complete.

However, it's not an apples-to-apples comparison since one is designed as a short course with a very low price point while the other is a six-day SANS class. 617 also covers 802.1X as well as other non-Wi-Fi technologies which makes it much more relevant to someone who has to approach an enterprise network rather than home or SOHO networks with consumer-grade access points.

I'm still on Day 4 and the labs have been good so far as they get the subject matter across. I wish there was a way to mash up the teaching style of OffSec with SANS' slide / lab workflow.

I have the course materials for both the older BackTrack Wifu as well as the newer 3.0 version (which I haven't had time to go through). While skimming through some of the videos in the new version as well as the updated lab guide, WPA attacks are covered much better. In the previous BackTrack Wifu, it was reviewed only briefly. However, 617 hits you with a lot more on how TKIP works, for example. It has helped fill in a lot of gaps for me as well as leaving me with a deer-in-the-headlights stare. I have to review some of this material a few more times to grok it.
Hopefully-useful stuff I've written:


  • azmattazmatt Member Posts: 114
    Very cool docrice, thanks for the quckie review!
  • YFZbluYFZblu Member Posts: 1,462 ■■■■■■■■□□
    It sounds like you are really experienced with the OnDemand material - When you're listening to MP3's, are you completing large chunks at a time? I feel like on a good day during my work week two hours is about it for me. At that rate it would take me a month to get through everything for a long course.

    What are your thoughts on this?
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    I generally listen to the MP3s during my commutes, which means about an hour's worth a day. My personal approach generally involves three phases: 1) go through the OnDemand slides and labs to replicate the "live" instructor experience; this takes anywhere from a couple of weeks to months depending on my work schedule, then 2) listening to the MP3s for a while during the morning / evening drives, and finally 3) going through the course books and work on my exam index.

    This ends up becoming a three-step reinforcement process to help ingrain the material into my head. It also helps if I happen to be doing a project at work along the same subject matter area.

    When going through a SANS course and figuring out how long it'll take you, I think it's important to factor in several things - how familiar you already are with the subject, how quickly you can pick it up, and your schedule. I used to be able to bang through a course and finish the exam with a few weeks. For SANS 542 and the GWAPT, I had to take the entire four months due to the subject difficulty for me as well as a grueling work schedule. And for 542, I had to go through the entire MP3 set at least four times.
    Hopefully-useful stuff I've written:
  • YFZbluYFZblu Member Posts: 1,462 ■■■■■■■■□□
    Thanks for the insight - I tried to 'rep' for that, but apparently you were the last person I gave rep points to and I cannot do that twice in a row.
  • JDMurrayJDMurray Certification Invigilator Surf City, USAAdmin Posts: 11,525 Admin
    For the GSEC, I did pretty much what docrise said. I listened to the OnDemand A/V and took the module quizzes at work, and I listened to the MP3s on my cell phone any other time I could. I would read/highlight/index at the library or Starbucks for several hours on the weekends. I also copy-pasted the quizzes and practice exams and used them for review material as well.
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    I also want to mention that unlike my previous OnDemand enrollments, this time around I've been providing feedback for all the module quiz questions which I found issues with (grammar mistakes, questions which I thought the answers were too obvious, etc.). I tried to be very nitipicky in order to help improve the SANS experience for future students. So far I've submitted maybe fifteen or more comments.

    The folks at SANS are very responsive, seemingly always by next business day. They usually agree with my assessment and retire questions that we both felt were way too easy or flag questions which may require further clarification. For issues with the labs, the virtual mentor has been also very responsive, even replying via email over Thanksgiving weekend.
    Hopefully-useful stuff I've written:
  • JDMurrayJDMurray Certification Invigilator Surf City, USAAdmin Posts: 11,525 Admin
    Oh yes, I forgot to mention that I submitted comments on the OnDemand module quiz items and the actual GSEC exam items too. (I don't remember if the practice exams also have a "submit comments" feature.) GIAC was prompt with acking my comment submissions and even gave me some personal feedback too.
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    So my original estimation of being able to get through SEC-617 within a couple of weeks was a bit too optimistic and didn't pan out so well. I started the OnDemand back at the end of October but it's now mid-January. This was mostly due to a work schedule and a set of project timelines that didn't accommodate off-hours study. It has taken me quite a while, but I'm finally at the point where I'm finishing up. Overall, 617's consistent in general student experience with the other OnDemand courses I've taken. Based on a practice exam I got last year (which someone freely gave me) and attaining a score that was close to the passing mark, already being a holder of the OSWP, and considering that I've occasionally worked with 802.1X networks and EAP auth ever since 2002, I figured 617 would be a relative piece of cake.

    Well, no ... not really. It seems no matter how much I think I already know about the subject, I'll still get a drink-from-the-firehose experience with SANS. Joshua Wright is simply the right person to author and teach the class. He knows the subject very well, has experience working at wireless solutions vendors, and also developed techniques as well as quite a few open source tools that many wireless pentesters use.

    When most people think about wireless network security, 802.11, WEP, and WPA are what comes to mind. 617 goes further, covering Bluetooth, ZigBee, DECT, GSM, and other technologies, although Wi-Fi is clearly the lion's share of the content. While the material probably isn't as in-depth about wireless in regards to RF and complete low-level protocol specifics like what the CWNA / CWSP would examine, this class is probably the best wireless pentesting class out there in terms of breadth. OSWP doesn't really come close to it. As mentioned previously, 617 and OSWP are marketed for different audiences and OffSec has their own approach which I highly enjoyed (and highly recommend for the price, although you have to buy your own equipment).

    If you want to look at wireless offense / defense from an enterprise security perspective, 617 is the better choice. There are lots of tools covered, lots of detail on wireless encryption (which I didn't expect and made my head dizzy), and you get a SWAT package (SANS Wireless Auditing Toolkit) that includes a shrink-wrapped Linksys WRT54GL, Alpha Networks AWUS051NH (which I had always wanted to get anyway), GlobalSat BU-353 GPS navigation receiver, and a Sena UD100 Bluetooth adapter ... all for the various labs with the supplied BackTrack 5-based VMware virtual machine.

    There's enough in 617 that I feel overwhelmed like a n00b. This isn't just about using coWPAtty or aircrack-ng to break into home networks, but also looks at issues with wireless pentesting (for example, be mindful about accidentally pentesting an AP that seems to belong to your client but is really owned by another business across the hallway in the same building), access point deployment, intrusion detection, enterprise client configuration, rogue access points, fuzzing, EAP selection, 802.11 header interpretation, etc.. All of a sudden I feel very unworthy to configure my own AP.

    There are quite a few labs in this course as one would expect. There's no capture-the-flag though, even for the live instructor-led version of the class, which is unfortunate but also understandable due to the difficulty in creating a reliable environment which also has to share the same air-space with other networks. The OnDemand section quizzes were relatively thin in quality like all the other OnDemand SANS courses I've taken. This is considering the low number of questions (usually ten to twenty) as well as occasional difficulty (or lack thereof). Some questions had very, VERY obvious answers and I left feedback for each one of them. I think an offering like OnDemand should gruel students for maximum value in the learning experience, especially considering the costs of SEC-617 ($4,410 as of this writing, and that doesn't include the $549 GAWN certification attempt).

    That said, there are quite a few takeaways that I could immediately use at work when auditing my company's own wireless network. Wireless assessment is a huge task in and of itself and it's something that I'll have to further incorporate while I do my daily gig as a network security engineer. It can be a daunting task to manage the wired side itself, but to then also understand and perform due diligence on the wireless part with all its own nuances is an additional challenge, one which is probably overlooked frequently at most organizations.

    The only minor complaint I have is that the instructor has a certain habit of speech that I found a bit distracting, namely his consistent ending of sentences with, "...okay?" Everyone has their own habit though, and I've certainly experienced this to some degree with just about every instructor I've dealt with. Other than that, he no doubt extended my perception of wireless technologies and the careful scrutiny requiring it.

    I realize that this is a 600-level course. I wasn't sure how different it would be from the 500-level offerings I've previously gone through. I think what really hit me hard is all the crypto topics. It doesn't get into hardcore math, but it does make you look more in-depth at how the wireless security we take for granted actually works. In order to understand the deficiencies of their security, you need to understand these details under the cover, at least in layman's terms.

    If you're thinking of taking this course, I'd recommend reading through a basic primer on 802.1X. It's not really needed since Joshua Wright covers it, but at the same time I think it's a technology that many people don't implement and making sense of it will take time. Absorbing it all during the course might prove to be a bit difficult for some.

    Once I finish up one more OnDemand section and then go through a few labs again, it's time to study for the GAWN certification. Before starting 617 I thought I might be able to attain this easily. Looks like I was wrong and I'll have to really fight for it.
    Hopefully-useful stuff I've written:
  • azmattazmatt Member Posts: 114
    Once again, awesome review.
Sign In or Register to comment.