Category Archives: Pentesting

No comments

OSCP Achieved – Offensive Security Certified Professional

  By , , , ,

For the past 10 months, I have been entrenched in studying to pass the OSCP exam — a goal that, one year ago, I thought was a distant dream.

What the heck is OSCP? This is from the OffSec description:

The Offensive Security Certified Professional (OSCP) is … the world’s first completely hands-on offensive information security certification. The OSCP challenges the students to prove they have a clear and practical understanding of the penetration testing process and life-cycle through an arduous twenty-four (24) hour certification exam.

An OSCP has demonstrated their ability to be presented with an unknown network, enumerate the targets within their scope, exploit them, and clearly document their results in a penetration test report.

In other words, it means you are pretty good at hacking into computers through various means.

Preparation

I did 6 months of “pre-studying” by reading, researching, learning, and hacking away at vulnerable Virtual Machines offered by vulnhub.com. You may have seen some of my walk-through write-ups on this blog.

Three months ago, the Pentesting With Kali Linux (PWK) course began, which is the immersive, self-guided course offered by Offensive Security in preparation for the OSCP exam. This course consumed me, as it required a lot of time and effort to complete. If you are married and have kids, I cannot stress strongly enough the need to get their buy-in before you take this endeavor. You will not be available much during this process!

Not only do you need to get through the 375 page lessons and exercise workbook, you have to do the 8 hours of training videos that go with it. On top of that, you are given access to a virtual lab filled with 50+ computers for you to practice your hacking skills on.

The lab is designed to emulate a real-world corporation, and you are playing the role of the adversary, attempting to compromise your way into each and every machine you can find. In the end, you have to provide documentation of your efforts and successes as if you were a real-world security penetration testing professional hired to find the weaknesses in the company’s network and systems.

Needless to say, all of this takes a lot of time, effort, research, and patience. The oft-repeated mantra of the OSCP course is, “TRY HARDER!”

The Exam

This past weekend, I took the exam. The exam is a grueling 48 hour test in which you are given 5 computers that you must hack into as far as you can within the first 24 hours. The second 24 hours is for writing up your reports and documenting your efforts with detailed, step-by-step instructions and screenshots on how you did what you did.

Sleep is optional. Sustenance is highly recommended.

I opted to start the exam at 3pm Friday, based on what I had read from others who have taken the test. This gave me enough time that day to gather my thoughts, my notes, and to practice buffer overflow attacks. More importantly, it gave me a chance to nap from about 2am to 5am, which proved to be a much-needed recharge for my brain.

I hacked away for a solid 21 hours with that 3 hour nap in the middle. By the end, I had rooted 3 systems, and had a low-privilege shell on a fourth. I had enumerated the fifth system pretty well, including discovery of some valuable information. Still, I wasn’t entirely sure I had achieved the requisite 70 points (out of 100) to pass the exam.

At 3pm I went back to sleep for a few hours. I woke up about 6, then got to work on the documentation, which I completed around midnight.

Documentation

All in all, my documentation consisted of:

  • All exercises from the PWK course.
  • Documentation of 10 compromised machines from the Lab. I ended up compromising a total of 25 machines, but 10 are required to be documented.
  • Documentation of the exam machines.

All of this ended up being about 230 pages long!

I submitted everything, then spent most of Sunday snoozing and worrying about whether or not I had passed. I felt like a truck had run over me, backed up over me, then ran over me again. Plus, the anticipation was terrible. Thinking that I might have to go through all of that again was not very pleasant.

I woke up this morning (Monday) to find out that they had reviewed everything, and that I had passed!

Lessons Learned

A topic of constant debate on the NetSecFocus Slack channel is whether or not people should do the Exercise and Lab documentation, which earns you 5 points on the Exam, or if they should just skip it and go right into the Labs, do the exam, and hope to get more than 70 points.

I am a shining example of why you should submit that documentation. You might need those 5 points to pass the exam, and you are doing yourself a disservice if you skip all that valuable materials in the course anyway. It really teaches you a lot even though it can get rather dry at times.

Resources

At some point soon, I will update this blog post with resources and tips for those of you thinking about doing this certification course. It was one of the hardest things I have ever done, but also one of the most rewarding.

No comments

BSides Asheville – 2nd Place CTF

  By , , , ,

I attended BSides Asheville today, the “other” hacker conference for IT security folks. This was Asheville’s fourth such conference (they happen in cities all over the world), and it was my first chance to go to one.

I wasn’t disappointed. I ended up spending most of my time in the “Lockpick Village” and working on the Capture The Flag competition.

The Lockpick Village was a challenge, even for someone who used to be a professional locksmith. It turns out that working under the pressure of an 8-minute timer, with people surrounding you to jeer and cheer you on does not make it easy to operate.

I was able to get out of the handcuffs rather quickly (about 1 minute), and then I picked the first lock relatively soon therafter (2 minute mark). However, my crucial mistake was that I picked it in the wrong direction, so I had to start over, and it took me much longer.

By the time I made it to the second lock, I only had about 2 minutes left, and it proved to be too much for me to conquer. It didn’t help that I’m used to using rake picks on pin tumbler locks, and they didn’t have any for me to use.

I ventured into the Capture The Flag contest after that, where I was able to put into practice all of the penetration testing skills I’ve been working diligently on since January. The Penetration Testing with Kali Linux course I’m enrolled in helped too.

I was the first person to root a Windows 2008 server and gain enough points on other servers to get into the top-three.

This turned out to be a positive affirmation that my hard work has paid off, as I took home the Second Place prize, a brand new Raspberry Pi 3 with the Canakit add-ons.

Granted, the first place winner forfeited and the team ahead of me was three professionals working together. Still, I took 2nd place after all that, and it was my first CTF.

The BSides team and volunteers put on a great day of fun. I am already looking forward to next year’s conference.

No comments

4 External USB Wifi Adapters for Kali Linux Pentesting

  By , , , , , , ,

If you are like me, you have been working with Kali Linux, the Linux distribution for penetration testing and ethical hacking, and have been running it as a virtual machine on your 2015 Macbook Pro. And, you have been having issues with sniffing packets because your 2015 Macbook’s built-in wifi adapter is not going into true promiscuous mode — only a limited version that doesn’t give you everything you need. Sadly, other versions of the Macbook don’t seem to have this problem at all, so you may be finding yourself in need of an additional interface.

Or, perhaps you are not like me, and the chipset driving your PC’s Wifi adapter doesn’t let you do much at all, and you just want an external USB Wifi adapter that will make it easy to use tools such as Aircrack-ng for ethical hacking jobs.

Whatever the case, I’ve done some research and will present a few options that don’t break the bank and should provide you with a quick and easy way to do all the proper packet sniffing you deserve.

TP-Link N150

The first option on this list is the $13.45 TP-Link N150 dongle. A small USB device that sports a detachable antenna, it should get the job done if you prefer portability over power. This device uses the Atheros AR9271 chipset, which is known to work smoothly in Kali Linux (and probably most other distros).

USB Rt3070

The cheapest USB adapter, at a paltry $11.99, is the generic USB Rt3070, another dongle style device that is also the smallest you will find here. With similar specs as the TP-Link device, this one is even easier to conceal, and probably won’t raise any suspicions if you have it plugged into your laptop in a crowded place. While not the most powerful device by any means, if you are near the router you want to connect to, it shouldn’t be a problem.

Alfa AWUS051NH

Taking a big step up in everything, including features, power, and profile, we have the Alfa AWUS051NH. This one has been sitting on my Amazon wishlist for quite a while, and I think it’s about time I pick it up. It even has a holster with suction cups to stick to a window, and it will pick signals up from long range.

If you are needing to physically stay away from the target you are testing, while still being able to test it, try this sucker.

Alfa AWUS036NHA

Lastly, we have another Alfa device, both of which get really good reviews for Kali Linux in particular. At only $6 more than the AWUS051NH, the Alfa AWUS036NHA looks cooler and has a boost in power to let it pick up signals from even farther away. It also comes with the holster and suction cups for the windows of your vehicle, office, or home. According to its description, what sets it apart is the “High Transmitter Power of 28dBm – for Long-Rang and High Gain Wi-Fi.”

 

Are there others?

Have you tried any of these? What did you think? Know of any others that do a good job?

No comments

Tool Sharpening

  By , , , , ,

As honest Abe Lincoln said, “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.”

For the last six months, I have been playing the part of Hey Blinkin, getting the tools in my toolbox sharpened, honed, configured, and ready as I am inches away from starting the PWK/OSCP course. As soon as some paperwork clears, I’ll be signing up, hopefully to start in mid-July. You may have seen me posting things I’ve learned so far here on my blog. I intend to keep it up, as finding other OSCP adventurer blogs, tips, and tools along my journey has been invaluable. I hope to pay it forward here.

That said, here are a few very sharp tools I’ve come to love (as recently as this evening):

iTerm 2 – http://iterm2.com/ – a better Terminal app for Mac. Highly configurable, integrative, and versatile. Not exactly a pentesting tool, but something anyone doing command line work on a Mac should check out.

Sn1per – https://github.com/1N3/Sn1per – a super-thorough and invasive reconnaissance tool. It is very noisy and not recommended for actual pentesting, but it is great for working on CTF and Vulnhub VMs.

OSINT Framework – http://osintframework.com/ – a hefty, well-organized set of free tools for gathering all kinds of information. Originally geared towards security, it includes a lot of other fields as well. Follow it on GitHub here.

 

No comments

Metasploit Tidbits

  By , , , , ,

I’ve been working through Metasploit Unleashed in preparation for the PWK course and the ensuing OSCP exam. Looks like I’ll be signing up for that in early July. While you can’t use Metasploit on the OSCP exam, they do teach it in the PWK course itself, and it’s a very powerful tool anyway, so learning it now seemed like a good idea.

I’ve been taking a lot of notes in OneNote as I progress on all things OSCP, but I thought I’d share some of the handier Metasploit tricks that I might find myself using from day to day. Additionally, writing all this out and thinking about it as I do so helps me commit it to memory, so this blog post isn’t an entirely selfless effort 😉

Find Hosts on Your Network

The arp_sweep auxiliary module comes in handy to find hosts on your network. In the below example, you select the arp_sweep tool, show its options, then set the RHOSTS variable accordingly for you your network range.

Running the above will return some output that looks something like this:

If you want to be sneaky when you do this (and why would you need to be sneaky on your home network? 😉 ) you can spoof the source host (you) and the source MAC address so that it doesn’t look like you have been scanning anything. Typically, you might set this to appear to be coming from your router.

Scan a Host

Metasploit lets you scan hosts that you discover.

You can set THREADS (10) and CONCURRENCY (20) too, to help speed things up without getting too crazy.

You can even use nmap from within Metasploit, and store the results in the database, or import normal nmap results (saved as xml) into the Metasploit database. The advantage of doing this is that you can save your work and results in workspaces in Metasploit. Workspaces let you create projects and keep things organized, which is useful when working on many targets, or with a team.

I will provide some examples of this soon. Stay tuned. For now, here’s what looks like a great reference for this.