The short version of this posting is that I completely recommend them, they're awesome!
The first class, Penetration Testing with Metasploit is exactly what the title promises. It's the perfect class for someone who, like me, is fairly familiar with the tools of our trade, but has never taken the time to learn how to use Metasploit. Yes, you can just read a book or the user docs, but learning how to use it by attacking realistic targets is a much better way to learn. (And much more fun!)
Even if you're relatively new to security, I think you can still get a lot from the class. Here's a test: If I say "Port 80 on localhost", or "cracking hashes from /etc/shadow", does that mean anything to you? Do you think you can stand up a pre-configured virtual machine using VMware player or VirtualBox? If your answer to these is "yes", I think you'll be able to participate in this class. The focus is on using Metasploit, and a few other tools ... so if you can follow directions, you should be able to keep up. Keep in mind, the point of Metasploit is to package exploits so that you can use them without knowing the details of how they work. Even if you don't completely understand the exploits being demonstrated, seeing them in action is extremely valuable.
The class is entirely hands on. Prior to the class, Georgia sends you two virtual machines, one running Windows XP and one running Ubuntu Linux. She also instructs you to grab a copy of the Kali virtual machine (Kali, nee BackTrack, is a collection of pentesting tools.) You'll be shocked to hear that both of the virtual machines she provides have some vulnerabilities. :-)
Georgia runs the class using an on-line webinar system that lets her talk to everyone while she shares her screen. She also gives out a set of slides, which provide a written backup to what she's showing. The basic flow of the class is that you use the Kali VM to attack the XP and Ubuntu "victim" virtual machines. On the screen she's sharing, Georgia is running the same exploit you are, discussing it while she demonstrates it. This is not some instructor reading from a power-point deck, it's more like watching reality TV for hackers ... except you get to play along! Finally, the webinar system allows students to submit questions, which Georgia is good about answering quickly and clearly.
Of course, the class is not without glitches. As an instructor, you can't spin up a bunch of virtual machines on your laptop, interactively run malicious exploits against them and share the entire mess via a webinar/screen-sharing service from your home, without something breaking. In both classes, some time was lost dealing with glitches, resulting in the class running 9 hours long instead of the scheduled 8. Even with a few breaks thrown in, 9 hours is a long time. By the end of each class I was a quivering bowl of Jello ... I have no idea how Georgia was able to keep going for 9 hours. But each time, while I was pretty fried by the end I was also grinning like a mad man.
After the class is over, Georgia provides access to a video of the class. She also will be granting students access to a lab network which contains additional machines to practice on.
So here's the best part ... the class costs only $100!
<Rant> I've gotten very frustrated at the cost of decent training these days. For example, I'm a huge fan of some of the SANS courses, but there's no way I can afford them personally, and many employers simply can't afford to drop that kind of money on training. I'm fully aware of, and OK with, the profit motive. But it feels like the best and biggest training organizations are heavy on "what the market will bear", and light on "what's best for the industry". Thank goodness for events like DEFCON, BSides or SNOWFROC ... without those there would be nothing for those of us who make up the "middle class" of security.</Rant>
In summary, this class is by far the best training deal I've ever encountered. I learned some valuable skills taught by a real pro, I had a total blast and I didn't have to max out the credit card to do it.
I'm not sure when it'll be offered next, but check out: http://www.bulbsecurity.com/online-security-training/penetration-testing-with-metasploit/ for more information.
The second class, Penetration Testing Level 2, is very much a continuation of the first. It's assumed you're familiar with the material from the first class, and goes into detail about more sophisticated attacks. In addition to the VMs from the first class, an additional Windows-7 VM is provided. Metasploit is still the primary tool, but other tools are also used for more sophisticated attacks. For example msfvenom, the Social Engineering Toolkit and Hyperion are all used to package exploits. In another exercise, one of the virtual machines is compromised and then used to pivot and attack a second machine. These are still "elementary" pentesting techniques, but the hands-on nature of the class really takes it beyond the purely academic and makes it a valuable learning experience.
Penetration Testing Level 2 costs a whopping $200, and is worth every penny. Again, I'm not sure when it's going to be offered again, check out: http://www.bulbsecurity.com/online-security-training/penetration-testing-level-2/
A couple of recommendations if you take one of these classes:
- Grab the virtual machines ahead of time and make sure you've got them running well. If you're building your environment the morning of the class, you're already behind the curve.
- If possible, use a two monitor setup. Having Georgia's shared screen on one monitor, and running Kali on the second monitor, is the trick setup for these classes.
It sounds like Georgia may create an entire series of classes along these lines ... at this sort of price point, given the high quality (and fun quotient) of the first two classes, I think that the entire series would be a pretty interesting training option.
