“Smart” Door Lock Drilled Open in 4 Seconds

The most striking (you locksmiths will get that joke) thing about this is that an expensive “smart” lock was made with little to no physical security features in mind. I like how the article points out the difficulty of physically compromising a good-ole-fashioned steel, “dumb” mortise lock.

Is it true that “smart” lock manufacturers are forgetting about physical security when designing locks? Isn’t that the point of a lock?

https://www.pentestpartners.com/security-blog/drilling-open-a-smart-door-lock-in-4-seconds/

Thoughts on OSCP being ‘outdated’

In recent weeks I have been reading comments online about the Penetration Testing with Kali Linux (PWK) course and OSCP exam taking a lot of flak for being “too old” and using “outdated exploits that don’t even work anymore.”

I believe most of these comments are directed at the lab environment and course materials. It is true that you won’t find many systems in modern pentesting engagements that are exploitable with older things such as EternalBlue (MS17-010).

But that is beside the point.

The PWK and OSCP exam are all about teaching you how to think, solve problems, persevere, and develop a pentesting methodology that works for you.

It is true that Hack The Box (HTB) and other modern online capture-the-flag frameworks are more leading-edge in that regard, which is great, and they can certainly be an excellent way to augment and prepare for the PWK/OSCP journey.

But the point is that it really doesn’t matter if you drive a 2019 Ferrari 488 Spider or a 1996 Honda Accord, it is whether or not you figure out how to get to the destination.

Music Updates

It’s been a while since I posted any musical updates here, and I don’t have a ton to share, but I did get a surprise email from the venerable Jason Lowenstein the other day, with a remastered set of Crain’s studio appearance on WMBR in Boston back in 1991 that he had made.

The previous version of this, mastered by Bob Weston, who initially recorded it in the studio late that evening way back when, is still here on my Music downloads page, and it is great, but I thought I’d add Jason’s version for you to download in one fell swoop.

Grab it here.

Enjoy it, and let me know what you think!

http://web.archive.org/web/20131220092546im_/http://crainspeed.com/images/crain2.jpg
Crain, circa 1991. Photo by John Kampschaefer.

Picking a Master Lock M5 Magnum

As you may or may not know, I was a locksmith for the better part of a decade, working on campus at Warren Wilson College as a student, learning the trade as I earned my BA in psychology, then being hired to work there and train other students after I graduated for about 4 years. I also ran my own business (Chatham’s Lock & Key) for about two years, and I did a stint at Willis Klein up in Louisville for a summer.

So it was interesting to me that once I started attending information security conferences, I saw how popular lock picking has become among that otherwise computer-based hacking crowd. They have “lock picking villages” where you can learn to pick locks, contests to pit your skills against others, and there are now loads of videos and tutorials online for “locksport” enthusiasts.

I was resistant to get into “locksport” for a while, perhaps because I had “been there, done that,” but also because the phrase “locksport” annoyed me.

However, I lost that battle when I found my old lock pick set from back in the day, and then found myself working a Master lock I had in the garage. Check out my first contribution to the Locksport community in this video.

Stay tuned for more.

OWASP Attack Surface Detector Project

When I did a short work stint at Secure Decisions in 2018, one of the projects I got to work on was helping to create the Attack Surface Detector plugin for ZAP and Burp Suite. I left that position before the project got published, but I am happy to see that it was a success.

Here it is in all its glory.

From the OWASP description:

The Attack Surface Detector tool uncovers the endpoints of a web application, the parameters these endpoints accept, and the data type of those parameters. This includes the unlinked endpoints a spider won’t find in client-side code, or optional parameters totally unused in client-side code. It also has the capability to calculate the changes in attack surface between two versions of an application.

There is a video that demonstrates the plugin, and yes, that is me doing the voice-over.
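To make the three ideas in that description concrete (enumerate endpoints, enumerate each endpoint’s parameters and their types, diff two versions), here is a toy attack-surface extractor written for this post. It is an added illustration, not the OWASP project’s code: the real plugin parses the server-side sources of several frameworks, while this one only understands a constructed Flask-style subset (@app.route decorators, <type:name> path parameters, request.args/request.form lookups). The two application versions it analyzes are made up for the example; note that nothing client-side links to /admin/export, which is exactly the kind of endpoint a spider never sees.

```python
"""Toy attack-surface extractor and differ (added example, not OWASP ASD code).

Understands only a constructed Flask-style subset so that the three ideas in
the Attack Surface Detector description run here: list endpoints, list each
endpoint's parameters with types, and diff two versions of the app.
"""
import re

ROUTE_RE = re.compile(r'@app\.route\(\s*"([^"]+)"(?:\s*,\s*methods=\[([^\]]*)\])?\s*\)')
PARAM_RE = re.compile(r'request\.(?:args|form)\.get\(\s*"([^"]+)"(?:\s*,[^)]*?type=(\w+))?')
PATH_PARAM_RE = re.compile(r"<(?:(\w+):)?(\w+)>")


def extract_endpoints(source):
    """Return {(method, path): {param_name: type}} for a Flask-style source string."""
    surface = {}
    routes = list(ROUTE_RE.finditer(source))
    for i, match in enumerate(routes):
        path = match.group(1)
        methods = (
            [m.strip(" \"'") for m in match.group(2).split(",")]
            if match.group(2) else ["GET"]
        )
        # Everything up to the next decorator is this endpoint's handler body.
        end = routes[i + 1].start() if i + 1 < len(routes) else len(source)
        body = source[match.end():end]
        params = {name: ptype or "str" for name, ptype in PARAM_RE.findall(body)}
        for conv, name in PATH_PARAM_RE.findall(path):
            params[name] = conv or "string"  # Flask's default path converter
        for method in methods:
            surface[(method, path)] = dict(params)
    return surface


def diff_surface(old, new):
    """Return (added_endpoints, removed_endpoints, changed) between two surfaces.

    changed maps an endpoint present in both versions to the parameters that
    appeared or disappeared, as (name, type) tuples.
    """
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for endpoint in set(old) & set(new):
        gained = sorted(set(new[endpoint].items()) - set(old[endpoint].items()))
        lost = sorted(set(old[endpoint].items()) - set(new[endpoint].items()))
        if gained or lost:
            changed[endpoint] = {"added": gained, "removed": lost}
    return added, removed, changed


# Constructed sources for two versions of a made-up app. Nothing client-side
# links to /admin/export, which is why a spider would miss it.
V1_SOURCE = '''
@app.route("/login", methods=["POST"])
def login():
    user = request.form.get("username")
    password = request.form.get("password")
    return do_login(user, password)

@app.route("/users/<int:uid>")
def user(uid):
    return show_user(uid)
'''

V2_SOURCE = V1_SOURCE.replace(
    "    return show_user(uid)\n",
    '    fmt = request.args.get("format", "html")\n    return show_user(uid, fmt)\n',
) + '''
@app.route("/admin/export", methods=["GET", "POST"])
def export():
    table = request.args.get("table")
    limit = request.args.get("limit", type=int)
    return dump(table, limit)
'''

if __name__ == "__main__":
    v1, v2 = extract_endpoints(V1_SOURCE), extract_endpoints(V2_SOURCE)
    for endpoint, params in sorted(v2.items()):
        print(endpoint, params)
    print(diff_surface(v1, v2))
```

Running it shows the second version gained two unlinked endpoints (GET and POST /admin/export, with a string `table` and an integer `limit` parameter) and that /users/<int:uid> picked up an optional `format` parameter that no page ever references; those are the places a pentester would want to look first.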

Kali Linux Dockerfile

Since recently discovering there is now an official Kali Linux docker image, I’ve been fiddling with it and tweaking my own setup to get it to how I like it for the things I use it for. I have a work version and a personal version. What follows is my personal version, used mostly for R&D, CTF challenges, and bug hunting in my free time.

My Kali Dockerfile (for Mac)

# The Kali linux base image
FROM kalilinux/kali-linux-docker

# Update all the things, then install my personal faves
RUN apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y && apt-get install -y \
    cadaver \
    dirb \
    exploitdb \
    exploitdb-bin-sploits \
    git \
    gdb \
    gobuster \
    hashcat \
    hydra \
    man-db \
    medusa \
    minicom \
    nasm \
    nikto \
    nmap \
    sqlmap \
    sslscan \
    webshells \
    wpscan \
    wordlists

# Create known_hosts for git cloning things I want
RUN mkdir /root/.ssh
RUN touch /root/.ssh/known_hosts

# Add host keys
RUN ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts
RUN ssh-keyscan github.com >> /root/.ssh/known_hosts

# Clone git repos
RUN git clone https://github.com/danielmiessler/SecLists.git /opt/seclists
RUN git clone https://github.com/PowerShellMafia/PowerSploit.git /opt/powersploit
RUN git clone https://github.com/hashcat/hashcat /opt/hashcat
RUN git clone https://github.com/rebootuser/LinEnum /opt/linenum
RUN git clone https://github.com/maurosoria/dirsearch /opt/dirsearch
RUN git clone https://github.com/sdushantha/sherlock.git /opt/sherlock

# Other installs of things I need
RUN apt-get install -y \
    python-pip
RUN pip install pwntools

# Update ENV
ENV PATH=$PATH:/opt/powersploit
ENV PATH=$PATH:/opt/hashcat
ENV PATH=$PATH:/opt/dirsearch
ENV PATH=$PATH:/opt/sherlock

# Set the working directory (Mac specific; no ENTRYPOINT is set, so the image's default shell is used)
WORKDIR /Users/wchatham/kali/

# Expose ports 80 and 443
EXPOSE 80/tcp 443/tcp
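One caveat on the “Add host keys” step: ssh-keyscan writes whatever key the network hands back at build time, so appending its output straight into known_hosts makes the first-contact trust decision for you, inside an unattended build. The script below is an added example (not from the original post) of vetting that output against fingerprints pinned out of band, e.g. from the provider’s published host-key page, before anything reaches known_hosts. The ed25519 key blob and the sample ssh-keyscan output are constructed for the example and are not any real host’s key.

```python
"""Pin SSH host-key fingerprints before trusting ssh-keyscan output.

Added example, not from the original post. The key blob below is CONSTRUCTED
and is not any real host's key.
"""
import base64
import hashlib


def parse_known_hosts_line(line):
    """Return (host, key_type, raw key blob) from one known_hosts/ssh-keyscan line."""
    host, key_type, b64 = line.split()[:3]
    return host, key_type, base64.b64decode(b64)


def fingerprint(key_blob):
    """OpenSSH 'SHA256:' fingerprint: unpadded base64 of sha256(wire-format key)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def vet_keyscan_output(keyscan_text, pinned):
    """Split ssh-keyscan output into lines safe to append and lines to reject.

    pinned maps (host, key_type) -> expected 'SHA256:...' fingerprint. Hosts or
    key types with no pin are rejected as well: an unpinned key is exactly the
    blind-trust case this is meant to prevent.
    Returns (accepted_lines, rejected) where rejected holds (host, key_type, reason).
    """
    accepted, rejected = [], []
    for line in keyscan_text.splitlines():
        if not line.strip() or line.startswith("#"):
            # ssh-keyscan sends its '# host:22 SSH-2.0-...' banners to stderr;
            # tolerate them anyway in case the output was captured with 2>&1.
            continue
        host, key_type, blob = parse_known_hosts_line(line)
        expected = pinned.get((host, key_type))
        actual = fingerprint(blob)
        if expected is None:
            rejected.append((host, key_type, "no pinned fingerprint"))
        elif actual != expected:
            rejected.append((host, key_type, "fingerprint mismatch: " + actual))
        else:
            accepted.append(line)
    return accepted, rejected


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length prefix + bytes."""
    return len(data).to_bytes(4, "big") + data


# Constructed example key: an ssh-ed25519 wire blob whose 32-byte public key is
# just 0x00..0x1f. Syntactically valid, deliberately not a real key.
FAKE_ED25519_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
FAKE_ED25519_B64 = base64.b64encode(FAKE_ED25519_BLOB).decode("ascii")

# Constructed stand-in for `ssh-keyscan github.com 2>&1` output.
SAMPLE_KEYSCAN = (
    "# github.com:22 SSH-2.0-example-banner\n"
    "github.com ssh-ed25519 " + FAKE_ED25519_B64 + "\n"
)


if __name__ == "__main__":
    # In real use the pin comes from documentation, not from the scan itself.
    pins = {("github.com", "ssh-ed25519"): fingerprint(FAKE_ED25519_BLOB)}
    ok, bad = vet_keyscan_output(SAMPLE_KEYSCAN, pins)
    print("append to known_hosts:", ok)
    print("rejected:", bad)
```

In practice you would run the scan on the host, feed its output through this check with pins taken from the provider’s documentation, and COPY only the accepted lines into the image, rather than letting the build record whatever key it was shown. `ssh-keygen -lf` on a known_hosts file prints the same SHA256 fingerprints, so the pins can be compared against that too.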

Build it

docker build -t yourname/imagename path/to/theDockerfile 

(the path is the directory that contains the Dockerfile, i.e. the build context; don’t actually put ‘Dockerfile’ itself in the path). Do change ‘imagename’ to something apropos, such as ‘kali’

Run it

docker run -ti -p 80:80 -p 443:443 -v /Users/yourname/Desktop:/root yourname/imagename

The above examples require you to replace ‘yourname’ with your Mac username

-ti
Indicates that we want a tty and to keep STDIN open for interactive processes

-p
Expose the listed ports

-v
Mount the defined folders to be shared from host to docker.

Hope that’s useful to someone!

Hat tip: https://www.pentestpartners.com/security-blog/docker-for-hackers-a-pen-testers-guide/

Music Updates

I just updated my My Music page, which was long overdue. There’s not a lot of new stuff to report just yet, but I am in a ska band that is practicing and trying to determine a name. Stay tuned for more about that.

Here is a Spotify playlist featuring my songs, or songs I played on over the years:

And here’s an open directory from which you can download a lot of these goodies:

https://www.willchatham.com/songs/

Lastly, here’s a crappy video I made of me playing with myself the other day:

The InfoSec World Has a Python 2.7 Problem

Welcome to 2019, everyone! The future is bright, and I am sure we will all experience a lot of fun and unexpected things in the world of security. So far this year, we haven’t seen anything along the lines of Spectre/Meltdown, which helped usher in 2018.

One thing I did realize is that the turning of the calendar to this new year, remarkably, means that there is less than one year until Python 2.7 is officially “unsupported.”

Just check the Python 2.7 Countdown clock if you don’t believe me. Everything should be well on the way to Python 3 by now. Or so you would hope.

I find it somewhat humorous (mildly) that the infosec community still relies so heavily on Python 2.7, given its impending doom. I still see new tools being actively developed in this version of Python crossing my news feed almost daily. So many things on Kali Linux rely on Python 2.7.

I have observed that longstanding, popular open source stalwarts of the trade have shown little interest in moving to 3.x.

I really have no idea what to do about this, other than encourage contributors to migrate, and to lend a hand if and where possible. But it’s getting really late, and I still have to use python2.7 far too much in my day-to-day pentesting and security research life.
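For anyone who does want to lend that hand, the breakage that stops most old exploit scripts dead on 3.x is a single idiom. Here is an added example (not code from the post) showing the Python 2.7-era payload construction beside the form that runs unchanged on both interpreters. The offset, return address and one-byte stand-in shellcode are made up for the demonstration.

```python
"""Added example (not from the post): why a 2.7-era exploit script breaks on
3.x, and the bytes-only form that runs on both.

Under Python 2, str is a byte string, so "A" * 64 + struct.pack("<I", addr)
silently builds a binary payload. Under 3.x, str is text and that expression
raises TypeError. Offsets, addresses and the stand-in shellcode are made up.
"""
import struct


def to_bytes(value):
    """Coerce text or bytes to bytes without altering raw byte values.

    latin-1 maps code points 0-255 to the same byte values, so a Python 2 style
    "\\x90\\xcc" string round-trips exactly; utf-8 would expand \\x90 to two bytes.
    """
    return value if isinstance(value, bytes) else value.encode("latin-1")


def build_overflow_payload(offset, ret_addr, shellcode, nop_count=16):
    """Return padding + little-endian 32-bit return address + NOP sled + shellcode.

    Every piece is bytes, never str, so the same code runs on 2.7 (where bytes
    is an alias for str) and on 3.x.
    """
    padding = b"A" * offset
    ret = struct.pack("<I", ret_addr)
    sled = b"\x90" * nop_count
    return padding + ret + sled + to_bytes(shellcode)


def legacy_payload(offset, ret_addr):
    """The 2.7-era idiom. Returns (payload, None) on 2.7 and (None, error) on 3.x."""
    try:
        return "A" * offset + struct.pack("<I", ret_addr), None
    except TypeError as exc:
        return None, str(exc)


if __name__ == "__main__":
    print(build_overflow_payload(4, 0x41424344, "\xcc", nop_count=2))
    print(legacy_payload(4, 0x41424344))
```

The same rule applies to the other end of the socket: `sock.recv()` returns bytes on 3.x, so comparisons against string banners and prompts need `b"..."` literals too. Fixing those two things moves a surprising number of old proof-of-concept scripts over.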

How about a New Year Resolution?

A few new resources for pentesting/OSCP/CTFs

Here are a few new resources I’ve run across in the last month or so. I’ve gone back to add these to some of my older posts, such as the Windows Privesc Resources, so hopefully you’ll find them, one way or another.

Windows-Privilege-Escalation-Guide
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

JSgen.py – bind and reverse shell JS code generator for SSJI in Node.js with filter bypass encodings
https://pentesterslife.blog/2018/06/28/jsgen/

So you want to be a security engineer?
https://medium.com/@niruragu/so-you-want-to-be-a-security-engineer-d8775976afb7

Local and Remote File Inclusion Cheat Sheet
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal

External XML Entity (XXE) Injection Payloads
https://gist.github.com/staaldraad/01415b990939494879b4

Enjoy!

The Unofficial OSCP FAQ

It has been close to a year since I took the Penetration Testing with Kali (PWK) course and subsequently obtained the Offensive Security Certified Professional (OSCP) certification. Since then, I have been hanging out in a lot of Slack, Discord, and MatterMost chat rooms for security professionals and enthusiasts (not to mention various subreddits). When discussing the topic of obtaining the OSCP certification, I have noticed *a lot* of prospective PWK/OSCP students asking the same questions, over and over.

The OffSec website itself covers some of the answers to some of these questions, but whether it’s because people don’t read it, or that it wasn’t made very clear, these questions keep coming back. Here, I will attempt to answer them as best I can.

Disclaimer: I am not an OffSec employee, nor do I make the claim that anything that follows is OffSec’s official opinion about the matter. These are my opinions; use them at your own risk.

  1. Do I have enough experience to attempt this?
  2. How much lab time should I buy?
  3. Can I use tool X on the exam?
  4. What note keeping app should I use?
  5. How do I format my reports?
  6. Is the HackTheBox.eu lab similar to the OSCP/PWK lab?
  7. Are VulnHub VM’s similar to the OSCP/PWK lab?
  8. What other resources can I use to help me prepare for the PWK course?

1. Do I have enough experience to attempt this?

According to the official OffSec FAQ you do need some foundational skills before you attempt this course. You should certainly know your way around the Linux command line before diving in, and having a little bash or python scripting under your belt is recommended. That said, it’s more important that you can read code and understand what it is doing than being able to sit down and write something from scratch.

I see many people asking about work experience, which isn’t really covered by OffSec. For example, people wondering if 3 years of networking and/or 1 year being a SOC analyst is “enough.” These questions are impossible to quantify and just as impossible to answer. What you should focus on is your skills as they relate to what is needed for the course.

To do that, head over to the PWK Syllabus page and go through each section. Take notes about things that you are not sure about, or know that you lack skills and expertise in.

Once you have a list made, start your research and find ways to learn about what you need to get up to speed on. For example, when I was preparing for PWK, I knew very little about buffer overflows. I spent a while watching various YouTube videos, reading up on the methods by which you can use a buffer overflow exploit, and taking notes for future reference. Once I started the course, I was able to dive into the exercises and understand what was going on, at least a little bit beyond the very basics, which helped me save time.

In the same boat? Check out this excellent blog post about buffer overflows for something similar to what you will see in the PWK course. Also, while I haven’t tried it yet, I hear that this is a good buffer overflow challenge you can practice on.

2. How much lab time should I buy?

Buy the 90 day course in order to get the most out of the experience and not feel crunched for time — especially if you work full time and/or have a family.

With 90 days, you can complete the exercises in the PWK courseware first, and still have plenty of time left for compromising lab machines.

3. Can I use tool X on the exam?

I see this question a lot, perhaps more than any other. People want to know if it is safe to use a specific tool on the exam, such as Sn1per. The official exam guide from OffSec enumerates the types of tools that are restricted on the exam. It is pretty clear that you cannot use commercial tools or automated exploit tools. Keep this statement in mind when wondering if you can use a certain tool:

The primary objective of the OSCP exam is to evaluate your skills in identifying and exploiting vulnerabilities, not in automating the process.

If a tool helps you enumerate a system (e.g., nmap, nikto, dirbuster), then it is OK to use.

If a tool automates the attacking and exploiting (sqlmap, Sn1per, *autopwn tools), then stay away from it.

Don’t forget the restrictions on Metasploit, too.

From what I have heard, even though OffSec states that they will not discuss anything about it further, people have successfully messaged the admins to ask about a certain tool and gotten replies. Try that if you are still unsure.

4. What note keeping app should I use?

I wrote a lot about this already, so be sure to check out that write-up. In short, these are the main takeaways:

  • Do not use KeepNote (which is actually recommended in the PWK course), because it is no longer updated or maintained. People have lost their work because it has crashed on them.
  • CherryTree is an excellent replacement for KeepNote and is easily installed on the OffSec PWK Kali VM (it is bundled by default on the latest/greatest version of Kali).
  • OneNote covers all the bases you might need, is available via the web on your Kali box, and has clients for Mac and Windows.
  • Other options boil down to personal choice: Evernote, markdown, etc.

5. How do I format my reports?

Check out the example reports that OffSec provides. From those, you can document your PWK exercises, your 10 lab machines (both of which contribute towards the 5 bonus points on the exam), and your exam notes.

I do not recommend skipping the exercise and 10 lab machine documentation, thus forfeiting your 5 extra exam points. I am a living example of someone who would not have passed the exam had I not provided that documentation. Yes, it is time consuming, but it prepares you for the exam documentation and helps you solidify what you have learned in the course.

6. Is the HackTheBox.eu lab similar to the OSCP/PWK lab?

There are definitely some worthy machines on Hack The Box (HTB) that can help you prepare for OSCP. The enumeration skills alone will help you work on the OSCP labs as you develop a methodology.

There are definitely some more “puzzle-ish” machines in HTB, similar to what you might find in a Capture The Flag event, but there are also plenty of OSCP-like boxes to be found. It is a good way to practice and prepare.

7. Are VulnHub VM’s similar to the OSCP/PWK lab?

See the above answer about Hack The Box, as much of it applies to the VulnHub machines too. I used VulnHub to help me pre-study for OSCP, and it was a big help. The famous post by Abatchy about OSCP-like VulnHub VM’s is a great resource. My favorites were:

  • All the Kioptrix machines
  • SickOS
  • FristiLeaks
  • Stapler

8. What other resources can I use to help me prepare for the PWK course?

There are a lot of resources that can help you pre-study before you dive into the course. I will post some here.

Books

Online Guides
