Skip to content

Category: Hacking

Thoughts on OSCP being ‘outdated’

Published by Will Chatham on 8/31/2019

In recent weeks I have been reading comments online about the Penetration Testing with Kali Linux (PWK) course and OSCP exam taking a lot of flak for being “tool old” and using “outdated exploits that don’t even work anymore.”

I believe most of these comments are directed at the lab environment and course materials. It is true that you won’t find many systems in modern pentesting engagements that are exploitable with older things such as EternalBlue (MS17-010).

But that is beside the point.

The PWK and OSCP exam are all about teaching you how to think, solve problems, persevere, and develop a pentesting methodology that works for you.

It is true that Hack The Box (HTB) and other modern online capture-the-flag frameworks are more leading-edge in that regard, which is great, and they can certainly be an excellent way to augment and prepare for the PWK/OSCP journey.

But the point is that it really doesn’t matter if you drive a 2019 Ferrari 488 Spider or a 1996 Honda Accord, it is whether or not you figure out how to get to the destination.

OWASP Attack Surface Detector Project

Published by Will Chatham on 3/8/2019

When I did a short work stint at Secure Decisions in 2018, one of the projects I got to work on was helping to create the Attack Surface Detector plugin for ZAP and Burp Suite. I left that position before the project got published, but I am happy to see that it was a success.

Here it is in all its glory.

From the OWASP description:

The Attack Surface Detector tool uncovers the endpoints of a web application, the parameters these endpoints accept, and the data type of those parameters. This includes the unlinked endpoints a spider won’t find in client-side code, or optional parameters totally unused in client-side code. It also has the capability to calculate the changes in attack surface between two versions of an application.

There is a video that demonstrates the plugin, and yes, that is me doing the voice-over.

I made some shirts

Published by Will Chatham on 11/18/2018

Over the years, I have kept a running list of t-shirt ideas in the back of my mind, thinking that someday “I should make a t-shirt out of that.”

I finally made the effort, and now I have a shop set up where you can buy some silly things I created. Not only are they available as shirts, but you can order them as hoodies, onesies, notebooks, stickers, coffee mugs, and more.

It’s a Festivus miracle!  

Check out the shop, or browse some of the available things below.

A few new resources for pentesting/OSCP/CTFs

Published by Will Chatham on 11/11/2018

Here are a few new resources I’ve run across in the last month or so. I’ve gone back to add these to some of my older posts, such as the Windows Privesc Resources, so hopefully you’ll find them, one way or another.

Windows-Privilege-Escalation-Guide
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

JSgen.py – bind and reverse shell JS code generator for SSJI in Node.js with filter bypass encodings
https://pentesterslife.blog/2018/06/28/jsgen/

So you want to be a security engineer?
https://medium.com/@niruragu/so-you-want-to-be-a-security-engineer-d8775976afb7

Local and Remote File Inclusion Cheat Sheet
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal

External XML Entity (XXE) Injection Payloads
https://gist.github.com/staaldraad/01415b990939494879b4

Enjoy!

The Unofficial OSCP FAQ

Published by Will Chatham on 10/4/2018

It has been close to a year since I took the Penetration Testing with Kali (PWK) course and subsequently obtained the Offensive Security Certified Professional (OSCP) certification. Since then, I have been hanging out in a lot of Slack, Discord, and MatterMost chat rooms for security professionals and enthusiasts (not to mention various subreddits). When discussing the topic of obtaining the OSCP certfication, I have noticed *a lot* of prospective PWK/OSCP students asking the same questions, over and over.

The OffSec website itself covers some of the answers to some of these questions, but whether its because people don’t read it, or that it wasn’t made very clear, these questions keep coming back. Here, I will attempt to answer them as best I can.

Disclaimer: I am not an OffSec employee, nor do I make the claim that anything that follows is OffSec’s official opinion about the matter. These are my opinions; use them at your own risk.

  1. Do I have enough experience to attempt this?
  2. How much lab time should I buy?
  3. Can I use tool X on the exam?
  4. What note keeping app should I use?
  5. How do I format my reports?
  6. Is the HackTheBox.eu lab similar to the OSCP/PWK lab?
  7. Are VulnHub VM’s similar to the OSCP/PWK lab?
  8. What other resources can I use to help me prepare for the PWK course?

According to the official OffSec FAQ you do need some foundational skills before you attempt this course. You should certainly know your way around the Linux command line before diving in, and having a little bash or python scripting under your belt is recommended. That said, it’s more important that you can read code and understand what it is doing than being able to sit down and write something from scratch.

I see many people asking about work experience, which isn’t really covered by OffSec. For example, people wondering if 3 years of networking and/or 1 year being a SOC analyst is “enough.” These questions are impossible to quantify and just as impossible to answer. What you should focus on is your skills as they relate to what is needed for the course.

To do that, head over to the PWK Syllabus page and go through each section. Take notes about things that you are not sure about, or know that you lack skills and expertise in.

Once you have a list made, start your research and find ways to learn about what you need to get up to speed on. For example, when I was preparing for PWK, I knew very little about buffer overflows. I spent a while watching various YouTube videos, reading up on the methods by which you can use a buffer overflow exploit, and taking notes for future reference. Once I started the course, I was able to dive into the exercises and understand what was going on, at least a little bit beyond the very basics, which helped me save time.

In the same boat? Check out this excellent blog post about buffer overflows for something similar to what you will see in the PWK course. Also, while I haven’t tried it yet, I hear that this is a good buffer overflow challenge you can practice on.

Buy the 90 day course in order to get the most out of the experience and not feel crunched for time — especially if you work full time and/or have a family.

With 90 days, you can complete the exercises in the PWK courseware first, and still have plenty of time left for compromising lab machines.

I see this question a lot, perhaps more than any other. People want to know if it is safe to use a specific tool on the exam, such as Sn1per. The official exam guide from OffSec enumerates the types of tools that are restricted on the exam. It is pretty clear that you cannot use commercial tools or automated exploit tools. Keep this statement in mind when wondering if you can use a certain tool:

The primary objective of the OSCP exam is to evaluate your skills in identifying and exploiting vulnerabilities, not in automating the process.

If a tools helps you enumerate a system (nmap, nikto, dirbuster, e.g.), then it is OK to use.

If a tool automates the attacking and exploiting (sqlmap, Sn1per, *autopwn tools), then stay away from it.

Don’t forget the restrictions on Metasploit, too.

From what I have heard, even though OffSec states that they will not discuss anything about it further, people have successfully messaged the admins to ask about a certain tool and gotten replies. Try that if you are still unsure.

I wrote a lot about this already, so be sure to check out that write-up. In short, these are the main takeaways:

  • Do not use KeepNote (which is actually recommended in the PWK course), because it is no longer updated or maintained. People have lost their work because it has crashed on them.
  • CherryTree is an excellent replacement for KeepNote and is easily installed on the OffSec PWK Kali VM (it is bundled by default on the latest/greatest version of Kali).
  • OneNote covers all the bases you might need, is available via the web on your Kali box, and has clients for Mac and Windows.
  • Other options boil down to personal choice: Evernote, markdown, etc.

Check out the example reports that OffSec provides. From those, you can document your PWK exercises, your 10 lab machines (both of which contribute towards the 5 bonus points on the exam), and your exam notes.

I do not recommend skipping the exercise and 10 lab machine documentation, thus forfeiting your 5 extra exam points. I am a living example of someone who would not have passed the exam had I not provided that documentation. Yes, it is time consuming, but it prepares you for the exam documentation and helps you solidify what you have learned in the course.

There are definitely some worthy machine on Hack The Box (HTB) that can help you prepare for OSCP. The enumeration skills alone will help you work on the OSCP labs as you develop a methodology.

There are definitely some more “puzzle-ish” machines in HTB, similar to what you might find in a Capture The Flag event, but there are also plenty of OSCP-like boxes to be found. It is a good way to practice and prepare.

See the above answer about Hack The Box, as much of it applies to the VulnHub machines too. I used VulnHub to help me pre-study for OSCP, and it was a big help. The famous post by Abatchy about OSCP-like VulnHub VM’s is a great resource. My favorites were:

  • All the Kioptrix machines
  • SickOS
  • FrisitLeaks
  • Stapler

There are a lot of resources that can help you pre-study before you dive into the course. I will post some here.

Books

Online Guides

Captured The Flag

Published by Will Chatham on 6/23/2018

Along with my friend eth3real (and some pitching in from our new friend Brian), we teamed up as DefCon828 and won the Capture the Flag contest at BSides Asheville today. The loot was some cool WiFi Pineapple gear.

Last month, Jess and I won 1st and 2nd place respectively at BlueRidgeCon. I do feel bad about missing out on the lectures, talks, and socialization at these awesome conferences, but I can’t stay away from the CTFs. It’s bad.