Posted in Penetration Testing, Thoughts

Don’t skip anything

I’ve been a Junior Security Tester for nearly a month now. It’s been really good.
It was scary to leave the comfort zone of being a hobbyist hacker, however, when opportunity knocks, you need to open the door. I’m learning new things every day, along with a few familiar things I saw in PWK that I have to go over again.


OSCP has become a strange word in my vocabulary. I am very proud to have achieved it, don’t get me wrong, however, I came out of that exam pass with an odd sense that I had climbed a very hard and long ladder (I did). Somehow I assumed that, at the top, the world I was about to head into would be easier to handle and I could learn anything the world put in front of me.

The last part is true. Instead of having weeks to learn something, I now have a day at best. It’s not a criticism, it’s pretty impressive to be able to do that, and if it wasn’t for OSCP, I’d probably have struggled. It has, however, made me think about how I approached the Penetration Testing with Kali Linux (PWK) course.

Many people have their own way of starting a learning process. Each is unique to them, and everyone will get something different out of it. I chose to set a time goal on my efforts. I needed to pass OSCP in a set time frame. Not because I had to, but it seemed like a good idea at the time. I think it’s fair to say I may have missed a few memos along the way. There were times I glanced over some of the material, or touched on something pretty cool and used it once, never to see it again.

I’m writing this to tell you not to do that.

PWK is a great platform to learn everything you want, or nothing. The goal is to root as much as you can, and yes, that might put you high up on the social ladder, but I can assure you now, it won’t help you later.

OK Paul, get to the point!!

I’ve had to learn a few things pretty fast. Obviously I can’t tell you what jobs I’ve been doing, because I not only value my position in the company, but I respect our clients’ anonymity and the hard work of my colleagues. What I can say is, you shouldn’t try to put time pressure on your journey through PWK. Obviously if financial pressure prevents your progress, I can only sympathise, and you should set your own goals.

You have a unique position. A controlled environment where you can do no real damage from your failures. Mess something up? Just revert the server and start again. Offensive Security play the genius card here by making sure you mess it up at least a few times. The learning process here is priceless.

Don’t skip over the small stuff. If you’re new to Linux, here’s some things you really shouldn’t glaze over.

  • File and folder permissions
  • Use of sudo and managing users
  • Learn the relationship between /etc/passwd & /etc/shadow
  • Identify which password hash algorithm is being used for the passwords in the shadow file
  • Using tools like cut, sed and awk to manipulate data in large files (very important)
  • Fix things that go wrong in Linux. Don’t just dump a new VM in place
  • Using MySQL would be a good one too.
  • Learn how to code a simple PHP web app and connect it to MySQL with users
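
As an added example (not from the original post), here is a small POSIX shell script that uses cut and awk to read shadow-format lines and classify each account’s password hash by its `$id$` prefix, the kind of check you would run to spot accounts still on md5crypt or legacy DES crypt. The shadow lines are constructed sample data, not real hashes.

```shell
#!/bin/sh
# Added example: audit a shadow-format file for the hash algorithm in use.
# Constructed sample data; the hash fields are placeholders, not real hashes.
SAMPLE_SHADOW='root:$6$saltsalt$placeholderhash0123456789abcdefghijklmnopqrstuvwxyz:19000:0:99999:7:::
alice:$1$abcdefgh$placeholdermd5hash0123:19000:0:99999:7:::
bob:*:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
legacy:abJnggxhB/yWI:19000:0:99999:7:::
carol:$y$j9T$saltsalt$placeholderyescrypt:19000:0:99999:7:::'

# hash_type <hash-field>: name the algorithm implied by the $id$ prefix.
hash_type() {
  case "$1" in
    '$1$'*)           echo md5crypt ;;
    '$2'[aby]'$'*)    echo bcrypt ;;
    '$5$'*)           echo sha256crypt ;;
    '$6$'*)           echo sha512crypt ;;
    '$y$'*)           echo yescrypt ;;
    ''|'*'|'!'*)      echo locked-or-empty ;;
    *)  # traditional DES crypt is exactly 13 characters with no prefix
        if [ "${#1}" -eq 13 ]; then echo descrypt; else echo unknown; fi ;;
  esac
}

# classify_shadow: read shadow lines on stdin, print "user algorithm" per line.
classify_shadow() {
  while IFS= read -r line; do
    user=$(printf '%s\n' "$line" | cut -d: -f1)
    hash=$(printf '%s\n' "$line" | cut -d: -f2)
    printf '%s %s\n' "$user" "$(hash_type "$hash")"
  done
}

# weak_accounts: from shadow lines on stdin, print users on md5crypt or descrypt.
weak_accounts() {
  classify_shadow | awk '$2 == "md5crypt" || $2 == "descrypt" { print $1 }'
}

printf '%s\n' "$SAMPLE_SHADOW" | classify_shadow
echo "Accounts with weak hashes:"
printf '%s\n' "$SAMPLE_SHADOW" | weak_accounts
```

On a real system you would feed it `sudo cat /etc/shadow` instead of the sample, and cross-check the user names against /etc/passwd.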

I probably have a few more, that I’ll add, but these were certainly the things I thought I could have spent more time on.

Being a Windows sysadmin for 10 years, I thought I knew a lot in that space. In my PWK journey, I learned more. Where the account hashes are stored, how to get to them, and using accesschk.exe to interrogate file permissions from the shell. You don’t need to do all that in Windows as you have a GUI to handle it all.

Always give yourself options. Learn the GUI side of things, but also learn how to do it all in a shell too. Sometimes all you have is a shell. You need to be able to feel your way around a system and fast.

Speed and Accuracy

Two words that when combined usually end in disaster. The faster you go, the more likely you are to make mistakes. If you try to be more accurate, you will be slower. When you start in a job, you need both. Accuracy is extremely important. You can’t rock up to a client on an external test launching an aggressive nmap scan. Chances are you’ll get rate limited and waste 7 hours of your day. But that worked in PWK? Sorry, but you need to become more stealthy. Sometimes the slowest scan can yield the fastest results. It’s crazy, but worth investigating. Have a read of the Timing & Performance notes on the site.

Nmap Timing & Performance

The same rule can apply to a lot of things you can do in PWK. Think about your enumeration techniques. I’m not an expert. I’m still learning my own, but you need to be accurate. Do you really trust what an output tells you about the Operating System? Is it accurate? There are a lot of false positives out there from automated scanning.

Nothing is there by mistake

Offensive Security should probably win an award for how they teach the course. It has a knack of accelerating keen individuals or killing off the people who like the badge of wanting to be a Pen Tester. I nearly died off a few times myself, but I “Tried Harder” (cries)

Nothing they include in the course is there by mistake. It’s not there to pad it out or be used as a filler. It’s important to make sure you go through the materials and enumerate the network and treat it for what it is. A living network. It’s not just vulnerable VMs with IP addresses that you pick off one at a time and bask in the glory of showing everyone a screenshot with the ID ROOT (guilty). You’ll be doing yourself a grave injustice if you attack it like that.

Vulnerabilities

The whole reason most of us are here. Everything is vulnerable to something. Someone has either found it or hasn’t yet. We live off the idea that we will find whatever the vulnerability is and exploit it (in PWK). This is where I feel a lot can be learned from the course. Normal practice for most is to find the vulnerability, exploit it, get shell and move on to Privilege Escalation. At no point did I ever go back and try to understand why a machine was vulnerable, or whether there were any other vulnerabilities. It’s a good idea to expand your vulnerability landscape. A company might be happy you found something for them to fix, but did you find anything else? Think about that as it can prove useful later. Get into the mindset of finding all that you can.

Reporting

My oh my, reporting! The single most important part of the process. The client deliverable. The single piece of evidence a client needs to support your claims and their requirement for more staff, funding, systems or whatever. Many people don’t do a Lab Report in PWK. I would stress that it is really important to get it done. It’s going to teach you some of the basics. Lots of companies do their reports in their own way, but if you miss this out, you not only lose points, but good experience in writing. Being able to write down everything you find is kind of a big deal. Don’t think for one second you’ll never be asked to do it.

WOW! that was big!

I’m not even sure I covered everything I wanted to talk about. I just started typing. In summary, I’d change my advice on how to approach PWK/OSCP. You’re going to need every ounce of data you can pull from that course. Use it as a platform for learning. Don’t just fly in there with an idea to root and loot everything you see. If you want a job as a Pen Tester, use PWK to expand your knowledge base and build confidence in your ability to spot vulnerabilities, navigate Linux and Windows with ease and trust your accuracy in any given task.

Of course, you can do all of that BEFORE you commit to PWK. One thing I wish I had done was use Ubuntu as a daily driver as a sysadmin. I wish I had Linux servers to work on. Web servers to administer and MySQL databases. You can learn all that now. Don’t skip anything!!

Thanks for reading the mindless ramblings of a madman 🙂
