Posted in Penetration Testing, Thoughts

Don’t skip anything

I’ve been a Junior Security Tester for nearly a month now. It’s been really good.
It was scary to leave the comfort zone of being a hobbyist hacker, however, when opportunity knocks, you need to open the door. Learning new things every day, and a few familiar things I’ve seen in PWK that I have to go over again.

oscp-certs

OSCP has become a strange word in my vocabulary. I am very proud to have achieved it, don’t get me wrong, however, I came out of that exam pass with an odd sense that I had climbed a very hard and long ladder (I did). Somehow at the top, the world I was about to head into would be easier to handle and I could learn anything the world put in front of me.

The last part is true. Instead of having weeks to learn something, I now have a day at best. It’s not a criticism, it’s pretty impressive to be able to do that, and I doubt if it wasn’t for OSCP, I’d probably have struggled. It has, however, made me think about how I approached the Penetration Testing with Kali Linux (PWK) course.

Many people have their own way of starting a learning process. Each is unique to them, and everyone will get something different out of it. I chose to set a time goal on my efforts. I needed to pass OSCP in a set time frame. Not because I had to, but it seemed like a good idea at the time. I think it’s fair to say, I may have missed a few memos along the way. There were times I glanced over some of the material or touched on something pretty cool and used it once, never to see it again.

I’m writing this to tell you, not to do that.

PWK is a great platform to learn everything you want, or nothing. The goal is to root as much as you can, and yes, that might put you high up on the social ladder, but I can assure you now, it won’t help you later.

OK Paul, get to the point!!

I’ve had to learn a few things pretty fast. Obviously I can’t tell you what jobs I’ve been doing because I not only value my position in the company, but I respect our clients’ anonymity and the hard work of my colleagues. What I can say is, you shouldn’t try to put a time pressure on your journey through PWK. Obviously if financial pressure prevents your progress, I can only sympathise and you should set your own goals.

You have a unique position. A controlled environment where you can do no real damage from your failures. Mess something up? Just revert the server and start again. Offensive Security play the genius card here by making sure you mess it up at least a few times. The learning process here is priceless.

Don’t skip over the small stuff. If you’re new to Linux, here’s some things you really shouldn’t glaze over.

  • File and folder permissions
  • Use of sudo and managing users
  • Learn the relationship between /etc/passwd & /etc/shadow
  • Identify which password hash is being used to protect passwords in the shadow file
  • Using tools like cut, sed and awk to manipulate data in large files (very important)
  • Fix things that go wrong in Linux. Don’t just dump a new VM in place
  • Using MySQL would be a good one too.
  • Learn how to code a simple PHP web app and connect it to MySQL with users
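The /etc/passwd and /etc/shadow bullets above are the sort of thing cut, sed and awk are for. The script below is an added example, not code from the original post: it works on constructed passwd and shadow lines (the hash strings are placeholders, not real password hashes), uses awk and cut to pull the fields apart, identifies the crypt(3) hash algorithm from the `$id$` prefix, and flags the two misconfigurations a sysadmin or tester should notice: an account with an empty password field, and an account whose hash still sits in the world-readable /etc/passwd instead of /etc/shadow. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the post). Constructed sample data; hashes are placeholders.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/sh
svc:x:999:999::/var/lib/svc:/usr/sbin/nologin
guest:x:1002:1002::/home/guest:/bin/sh
legacy:$1$saltsalt$PLACEHOLDERHASH:1003:1003::/home/legacy:/bin/sh'

SAMPLE_SHADOW='root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
alice:$y$j9T$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
bob:$1$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
svc:*:19000:0:99999:7:::
guest::19000:0:99999:7:::'

# Map the $id$ prefix of a crypt(3) hash (second field of a shadow line) to its algorithm.
# An "x" in /etc/passwd means "look in /etc/shadow"; "*" or a leading "!" means the
# account is locked; an empty field means no password is required at all.
hash_algo() {
  case "$1" in
    '$1$'*)                  echo "MD5-crypt" ;;
    '$2a$'*|'$2b$'*|'$2y$'*) echo "bcrypt" ;;
    '$5$'*)                  echo "SHA-256-crypt" ;;
    '$6$'*)                  echo "SHA-512-crypt" ;;
    '$7$'*)                  echo "scrypt" ;;
    '$y$'*)                  echo "yescrypt" ;;
    '*'|'!'*)                echo "locked (no password login)" ;;
    '')                      echo "EMPTY (no password required)" ;;
    *)                       echo "unknown" ;;
  esac
}

# Second field of the shadow entry for one user, extracted with awk.
shadow_hash_for_user() {
  printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$1" '$1 == u { print $2 }'
}

# Algorithm name for one user's stored password.
algo_for_user() {
  hash_algo "$(shadow_hash_for_user "$1")"
}

# Number of shadow entries with an empty password field (passwordless login).
count_passwordless() {
  printf '%s\n' "$SAMPLE_SHADOW" | awk -F: '$2 == "" { n++ } END { print n + 0 }'
}

# Number of passwd entries that still carry a hash (or anything other than "x")
# in the world-readable file; on a modern system this should be 0.
count_hash_in_passwd() {
  printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$2 != "x" && $2 != "*" && $2 != "" { n++ } END { print n + 0 }'
}

# Human-readable report: user, algorithm, login shell (cut pulls field 7 of passwd).
shadow_report() {
  printf '%s\n' "$SAMPLE_SHADOW" | cut -d: -f1 | while read -r user; do
    shell=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$user" '$1 == u { print $7 }')
    printf '%-8s %-28s %s\n' "$user" "$(algo_for_user "$user")" "$shell"
  done
  echo "passwordless accounts in shadow : $(count_passwordless)"
  echo "hashes left in passwd           : $(count_hash_in_passwd)"
}

shadow_report
```

On a real host you would replace the two sample variables with `cat /etc/passwd` and `sudo cat /etc/shadow` (shadow is root-readable only, which is the whole point of the split). The prefixes above are the ones libxcrypt documents; anything else the script reports as unknown rather than guessing.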

I probably have a few more, that I’ll add, but these were certainly the things I thought I could have spent more time on.

Being a Windows sysadmin for 10 years, I thought I knew a lot in that space. In my PWK journey, I learned more. Where the account hashes are stored, how to get to them, and using accesschk.exe to interrogate file permissions from the shell. You don’t need to do all that in Windows as you have a GUI to handle it all.

Always give yourself options. Learn the GUI side of things, but also learn how to do it all in a shell too. Sometimes all you have is a shell. You need to be able to feel your way around a system and fast.

Speed and Accuracy

Two words that when combined usually end in disaster. The faster you go, the more likely you are to make mistakes. If you try to be more accurate, you will be slower. When you start in a job, you need both. Accuracy is extremely important. You can’t rock up to a client on an external test launching an aggressive nmap scan. Chances are you’ll get rate limited, and waste 7 hours of your day. But that worked in PWK? Sorry, but you need to become more stealthy. Sometimes the slowest scan can yield the fastest results. It’s crazy, but worth investigating. Have a read at the Timing & Performance notes on the site.

Nmap Timing & Performance

The same rule can apply to a lot of things you can do in PWK. Think about your enumeration techniques. I’m not an expert. I’m still learning my own, but you need to be accurate. Do you really trust what an output tells you about the Operating System? Is it accurate? There’s a lot of false positives out there from automated scanning.

Nothing is there by mistake

Offensive Security should probably win an award for how they teach the course. It has a knack of accelerating keen individuals or killing off the people who like the badge of wanting to be a Pen Tester. I nearly died off a few times myself, but I “Tried Harder” (cries)

Nothing they include in the course is there by mistake. It’s not there to pad it out or be used as a filler. It’s important to make sure you go through the materials and enumerate the network and treat it for what it is. A living network. It’s not just vulnerable VM’s with IP addresses that you pick off one at a time and bask in the glory of showing everyone a screenshot with the ID ROOT (guilty). You’ll be doing yourself a grave injustice if you attack it like that.

Vulnerabilities

The whole reason most of us are here. Everything is vulnerable to something. Someone has either found it or hasn’t yet. We live off the idea that we will find whatever the vulnerability is and exploit it (in PWK). This is where I feel a lot can be learned from the course. Normal practice for most is to find the vulnerability, exploit it, get shell and move on to Privilege Escalation. At no point did I ever go back and try to understand why a machine was vulnerable, or whether there were any other vulnerabilities. It’s a good idea to expand your vulnerability landscape. A company might be happy you found something for them to fix, but did you find anything else? Think about that as it can prove useful later. Get into the mindset of finding all that you can.

Reporting

My oh my, reporting! The single most important part of the process. The client deliverable. The single piece of evidence a client needs to support your claims and their requirement for more staff, funding, systems or whatever. Many people don’t do a Lab Report in PWK. I would stress that it is really important to get it done. It’s going to teach you some of the basics. Lots of companies do their reports in their own way but if you miss this out, you not only lose points, but good experience in writing. Being able to write down everything you find is kind of a big deal. Don’t think for one second you’ll never be asked to do it.

WOW! that was big!

I’m not even sure I covered everything I wanted to talk about. I just started typing. In summary I’d change my advice on how to approach PWK/OSCP. You’re going to need every ounce of data you can pull from that course. Use it as a platform for learning. Don’t just fly in there with an idea to root and loot everything you see. If you want a job as a Pen Tester, use PWK to expand your knowledge base and build confidence in your ability to spot vulnerabilities, navigate Linux and Windows with ease and trust your accuracy in any given task.

Of course, you can do all of that BEFORE you commit to PWK. One thing I wish I had done was use Ubuntu as a daily driver as a sysadmin. I wish I had Linux servers to work on. Web servers to administer and MySQL databases. You can learn all that now. Don’t skip anything!!

Thanks for reading the mindless ramblings of a madman 🙂


Posted in Thoughts, Uncategorized

What I would do differently – PWK

training

Giving back to the InfoSec community is something I’ve always strived towards. Other professionals have always had time for me and it’s only right that if I can, I would relay my experiences to other people.

Penetration Testing with Kali Linux

Some may know that I took up this monumental challenge around 200 days ago. I say monumental because I was a lost lamb with limited knowledge of Pen Testing before I enrolled in PWK.

Like many, I had such a fear of the course. I read so many stories, reviews and some scare mongering from various online resources. I’m a “into the deep end” type of guy and I needed something to focus on. PWK was that focus. It wasn’t plain sailing at the start so to help ease the stress or preconceived ideas about PWK that would otherwise put you off, I’ve put together a few things to help you out.

I’ll break it down into parts.

  • Kali Tips
  • Lab Tips
  • Reporting
  • If you get stuck

This is based on my own experience of what I would do differently, having been on the course for 200 days (I know, I’m a slow burner at times). Your experience may differ.

Kali Tips

  • Create directories for each target. Dump all exploit scripts, enumeration files and anything related to that target in that directory.
  • Use symbolic names for your exploit code or document it in your notes. For example, 3456.c doesn’t mean anything at a glance. Months later you’ll come across it in your file system and if you didn’t document its use or change its name, it is useless to you.
  • Create a directory for your ‘fixed’ exploits. Find your own way of doing this. You could use CVE numbers, exploit name or anything that you can call on later. Remember to document any change made to the code and name of the file.
  • Work on your speed of execution and how you can utilise your hardware to execute a task faster. For example, using more threads while using Dirbuster.
  • Don’t be foolish and neglect the use of Metasploit. It’s an amazing tool, and can build confidence.

Lab Tips

  • Don’t jump into the labs instantly if you are new. Read the course materials and watch the videos. The information is extremely useful.
  • Revert each machine before you enumerate it.
  • If a machine was reverted in the last few hours, someone may be working on it. Be kind, and move on.
  • Check the forums for the machine in question to see if it requires frequent reverts.
  • Run the fullest enumeration scan possible, full TCP scan, and UDP scan
  • DO NOT shy away from anything in the labs. Despite any rumours you may have heard about certain targets, try your hand at everything to have a better shot at the challenge.

Reporting

  • Read G0tmilk’s tutorial on Alpha on the forums. It gives a great insight into how to report. It can also give a great entry point and feel for how it’s done.
  • Read through the Offsec dummy report –> https://www.offensive-security.com/reports/sample-penetration-testing-report.pdf
  • Use the Reporting template from Offsec. It’s a good baseline. No point in reinventing the wheel.
  • I will add that using something like Keepnote is essential. Even more important to that step is keeping good notes. If you don’t, you will have nothing to report. Remember, you will need to explain these steps to someone who can follow them exactly as you did.

If you get stuck

  • Offsec Forums are fantastic for tips
  • Offsec chat function has been really helpful for me at times. Cleverly delivered tips that sometimes show you an answer without even giving you a hint. Great resource.
  • There’s the IRC channel too. Personally I never used it.
  • Refer to the course materials, and videos.

Summary

I could likely add more into this post as time goes on. No matter what stage you are at, you are always learning. Despite me failing the exam challenge twice and rooting 30 of the lab machines, I still have a lot to learn from PWK. The learning never stops. Enjoy the time you have in the labs. It’s an amazing experience.

Posted in Penetration Testing, Thoughts

Good enough?

nature-sky-sunset-man

Writing gives me space to offload things that could be swirling around in my mind. Almost like a program caught in RAM, this blog serves as a Task Manager to clean out any unwanted processes in my head.

One particular annoyance lately, has been an echoing thought of meeting the grade. I have thrown myself into the lions den so to speak, or in a less aggressive manner, thrown myself into the deep end. Training in OSCP has been a challenge, and I feel that with 23 boxes rooted, it’s a modest number for someone who didn’t know anything about hacking only 12 months ago.

OSCP can have you living in a protected bubble. It can lure you into a false sense of security. It’s not a criticism of the course or certification, but merely an observation. You can become so captivated by the lab environment that you lose track of everything else around you. There are other aspects to Penetration Testing, however, your mind is focussed on the task of hacking lab machines. This is great for learning, however, when you speak to other professionals, it can leave you feeling distant if the conversation isn’t about OSCP.

Do you belong here?

I ask myself this question quite regularly. I see amazing things happen on a daily basis in the industry. That’s just from the people I follow on Twitter. Am I putting enough effort in to expand my knowledge past that of the OSCP? Where else should I turn for information?

OSCP hasn’t been a walk in the park for me. It’s often classed as an entry level certification in Penetration Testing. Entry level? Really? I’ll either need to put overtime in or readdress my goals. Don’t be fooled by the notion that this is an entry level certification if you are new to Penetration Testing. I can understand why they say it’s entry level, because it’s such a vast space, however, entry level doesn’t mean easy.

False sense of security

Finding your flow in OSCP can take some time. There is a lot of material to go through and when you start hacking the labs it can be a slow and frustrating process. Once you get more confident with identifying vulnerable services and exploits related to those services, you slowly and surely start believing in your ability. If for some reason you get ahead of yourself, there are some machines in the lab that can bring you back down to earth. This constant fluctuation in feelings can be unnerving at times. One day you’re full of confidence, and other days you just feel like a fake. Training yourself to look past failure and turn it into success can take some time. The lab teaches you more about yourself than the vulnerabilities you uncover.

So what now?

I’ve broken past the point where training in Penetration Testing is a hobby for me. It’s not a matter of whether I’d like to do this as a career. It will be my career at some point. I love the art of enumeration and the craft of transparently learning everything about your target. There is always room for improvement. OSCP helps engineer your mind into learning. It’s not there to teach you how to hack. Its function is to show people that you have the ability to learn and apply complex procedures in practice. How that translates to real world testing remains to be seen. Not everything in the world is vulnerable.

Ready, Set, GO!

I was fearful of moving away from my job in IT because of the job security. I knew my bubble and it was safe, but now I feel more confident that I can learn anything. That’s what OSCP teaches you. Work hard, learn, work harder, learn and apply in practice with confidence. It’s a genius concept once it sinks in.

You can do anything in life. Set goals, and if you want it bad enough it will fall into place.

Posted in Thoughts

OSCP // PWK – So far

man-notebook-notes-macbook

30 days to go out of the 90 days of PWK lab time I purchased with Offensive Security.

Mixed emotions really, because due to (helping) to plan my wedding, having a really busy time in my work and other life things I’ve felt that I’ve hardly had great use out of my 60 days so far.

In the time I’ve been in the labs, I feel a sense of accelerated learning has been required. Your brain resists the input until one day it cracks and allows it all in. Normally after you smash your first box without using Metasploit. I had some serious issues with self doubt though.

I’ll never be able to do this. It looks really hard

I was utterly lost in the first 20 days. I’m big enough to admit my own failings and in hindsight I should have worked harder to get into the labs earlier, however, hindsight is what it is and I can’t really be too angry about it.

Personal battles

The task of hacking machines in a lab of varying difficulty might seem easy to some people, and hard to others. You won’t know how hard it is until you try. Here’s the kicker though: your success is based around a high level of confidence in your ability to enumerate a target. If you are lacking skills in this department, you will spend a long time staring at an nmap output not knowing where to go next. Hence why I wasted 20 days in the beginning.

PWK teaches you more about yourself than any other life experience. In the face of growing opposition what are you going to do? Turn and run, or keep pushing through the barrier?

Try Harder

The OffSec motto that can either spur you on to greatness, or have you crumbling into a pile of your own disappointment (depending on how you feel that day). You will experience both emotions at some point, trust me.

There is, however, an air of disappointment to have gained shell or rooted a box based off a tip from someone. It’s almost tainted glory. Something you can’t really celebrate. True glory and elation comes from totally owning a box from nothing to root all by yourself. It’s one of the best feelings in PWK. For me the reward is equal to the effort put in. Only problem is, that, you can’t tell anyone how you did it, only that you did. The only proof that you have the determination, skill and mental ability is when you have that OSCP certification. Until then, it’s just hearsay.

What is the best way to approach PWK?

I’d say that the most important part of any engagement is to get your enumeration skills down to a fine art. Exhaust every possibility, however, don’t waste time on tools not fit for the task at hand. I’ve seen people asking why enum4linux doesn’t work when it’s clear ports 139 & 445 are closed. Learn what the switches in the tools do. They can save time. Time is your enemy in PWK. You might think that 90 days is a long time, but it’s not. A lot of people advise new people about what to expect from PWK and it’s all pretty generic but I’d work on enumeration because the information you gather determines your next move.

  • Learn about Windows and Linux, and mostly where things live.
  • Learn how to get the most out of nmap and NSE scripts
  • When you think you’ve enumerated a box, you’ll have missed something.

More time

I’ll be adding more time to my labs for sure, as it’s taken me a while to get a fire going, but now the flame has started it’s easy enough to keep it alight.

My learning process can be annoying. I can’t just run an exploit, get root and be happy. I have to know why so I read the blurbs of exploits, and any associated information. Who knows, it may stick, and you never know when you’ll need to use it again.

A great course

I must admit. PWK is one of the best and worst courses I’ve ever done. It’s great because it’s freeroam to do as you wish to computers. You can learn a lot from failure, and you do fail a lot. That’s ok. This brings me to why it’s the worst. You’re on your own. There’s no two ways about it. There is some help, but it goes back to that tainted glory thing. They never talk about the human qualities needed for PWK:

  • Natural curiosity
  • Stubbornness
  • Being able to think outside the box
  • Being inventive
  • Pre-visualisation
  • Willpower

All of which shine through in the labs as your mental dexterity is tested to the max.

I don’t have anything else to add without giving too much away, however, I would just say that enjoy your time in the labs. Don’t chase the exam or the cert. Do it in your own time. You’ll learn more that way.

Also, documentation is a must. Whatever method you choose is up to you, however, just make sure you document everything you’ve tried because you may have to leave boxes if you’re spending too much time on them. Mental exhaustion can kick in fast, so it’s best to move off to another box, and come back. Sometimes this is days or weeks, so your notes need to be on point.

Have Fun


Posted in Thoughts, web app testing

Where did that come from?

road-clouds-street-path

The scene above is one every person, new to InfoSec, should get used to. A vast empty road that rolls on for miles and miles with what looks like, no end.

I feel I’ve reached a pivotal point in my journey. I haven’t written anything in my blog for a few weeks, because I’ve been so immersed in learning. Attacking the Vulnhub VM’s was a great step in the ladder on my road to OSCP, however, I feel I was neglecting my real passion for Web Application Pen Testing so I switched up the format a little in the last few weeks.

The Journey is long

This industry will take you to your limit and beyond. It will test you until you break. Unfortunately I feel I’ve stalled a little in the last few days. When that happens I tend to write about it to iron out the creases.

In the next few days I start the OSCP journey. I would like to have entered into it with more confidence and ability, however, lately things haven’t been going to plan. I felt I was walking the road no problem until I stalled for no reason.

Web Application Pen Testing (WAPT)

On every CTF I gravitated to the Web App challenges. Excitement filled the air. The reality of WAPT is very different to CTF’s and I guess it was something I wasn’t really prepared for. Websites aren’t designed to be vulnerable. Sometimes they just are, sometimes they aren’t. The key is to find the vulnerabilities by way of utilising every skill you have at your disposal.

There lies the problem. A true test of what you think you know comes from entering the world of Bug Hunting on Bug Bounty websites. There is no introductory medium.

Vulnerable beginner Apps —————————–> Live site testing

There’s no medium. One minute you’re pushing the same XSS payloads to different vulnerable web apps, and likewise with SQLi. One day you just have to jump into the real world.

Sucking it up

You get down about failing. It’s human nature. You feel embarrassed. You want to crawl into a cupboard and let the storm blow over, however, get over it.

There are teenagers that know more than I do about WAPT. It’s depressing to read disclosure reports and not know one thing about what’s in them. Your silly little XSS payloads that worked so well in your vulnerable web app won’t work here. You’re going to need to come up with something more special to fool decades of experience in web development.

I’ve been told I need a solid grounding in WAPT experience to get by in OSCP. Of course that was a kick in the groin. I had a difficult last few days trying out Bug Hunting getting my rear end handed to me on a plate. I’ve learned a lot in two days, and that’s important.

Moving On…

I expect a lot from myself. Sometimes it causes greater crashes, however, I don’t walk the road. I run it. I just need to train harder, give myself a slap and use my time more effectively.

Soon new roads won’t seem so daunting. You won’t fear the journey. You’ll get excited about what you’ll learn on the way. Writing about how you feel can make a massive difference. Even if no one reads it, it can help you clear the cobwebs and confusion.

Seize the Day!!

P.S. – This was me trying to kick my own ass today. I sat with my head in my hands wondering where the hell I was going and what I was doing. That won’t happen again.

Posted in Thoughts

You’re not good enough

pexels-photo-48566

Training in Penetration Testing can be a very difficult and frustrating experience. It’s filled with coma inducing highs and equally worrying lows. There’s no rule or routine to it. Grabbing a Domain Admin account using an exploit found 8 years ago can leave you feeling both sets of feelings when it sinks in that you managed it using something that has either been patched since then or never enabled on default server builds.

To prevent the damaging lows, we try our best to progress every day or at least have learned something new every few days. When you hit a wall it can have quite devastating effects. Much like every other journey, there are pathways. When training in Infosec you hit many crossroads and forks with no signs to tell you where they lead. You just have to trust your gut. Experience helps over time, however, at the beginning there is a lot of direction changing as you jump from one subject to another with no real direction.

You’re not good enough!

Something you tell yourself every other day. You read a tweet, view a job advertisement or watch a video from 6 years ago and have no idea what they are talking about. You want to cry out for a mentor. Someone to say “It’s ok, here’s where you need to be” however, sometimes you’re too proud to ask. Sometimes a snippet of information can open up a whole world of new information. This can also lead you to feel very behind as it seems like it’s already been done before.

You are good enough!!

It’s difficult to see how far we’ve come when we’re always looking ahead. Remember when you couldn’t understand Nmap? Or when you just inserted ‘ OR 1=1 — on every login prompt because you thought it worked on everything? What about the time you couldn’t recognise a Caesar Cipher in a CTF, or when a password was base64 encoded and you closed down the window?

The things that get you down now may well be the thing you excel at later. I’ve seen a few give up already, and while it’s a difficult industry, not only to get a job in, but to stand out in, it’s a worthwhile adventure. If you can learn your breaking points, how to move past them or when to actually take a break, you will achieve more.

Stop worrying

Having a job in infosec is of course, the ultimate aim. However, you cannot let that focus derail you. You need to bring something to the table when someone invites you for dinner.

  • Enthusiasm
  • Professionalism
  • Willingness to learn

All qualities that can’t be taught in a course or online. You’re either keen as a fox or you’re not. More often than not people see the work involved and give up. For those who continue to climb that mountain with no real view of the top: well done! Keep going. For me, I’ll continue trusting my gut and seek out the information online. After all, what kind of Pen Tester would I be if I kept asking questions of people all the time? If you can’t find the information for yourself, you’re not going to be a very good Pen Tester.

Peace


Posted in Thoughts

You can’t help all the time

writing-notes-idea-conference

Training in Penetration Testing is as rewarding as it is difficult. A massive soul searching path that can teach you a lot about yourself, how you think and react to different environments.

I try my best to help others if my expertise supports it. Sometimes it’s better for the person asking, if you did not help. There’s a few reasons for that.

  1. They may ask far too many questions
  2. The things they ask can be found easily on searches
  3. There seems to be no effort on their part

It’s not easily identifiable at first, however, shortly after you open yourself up to helping some people, the questions come flooding in, and fast.

The Journey

pexels-photo-47415

This is what your view is like when you start Penetration Testing training. You know there’s a path but where do you start? What if you go the wrong way?

If you go the wrong way you just need to find yourself a new route. You don’t know if it’s a sound path, however, you give it a shot because you are determined to find the path. Some people don’t want to find the path. They want you to tell them where the path is, skipping that crucial learning experience of being able to find a way through the mess.

Testing yourself, knowing your limits and reaching your breaking points are key to learning as much about yourself as the test itself. Catching sight of your goal through the trees will do wonders for your confidence. Even better if you find it on your own.

Some helpful souls will recognise your efforts and leave little arrow signs on the trees to help you on your way. It’s a measure of their faith in you so keep going.

For those who find frustration with receiving no answers to questions on forums. Those who feel like giving up because “No one ever helps me” or those who want the title of a Pen Tester but are work shy, I can offer this advice.

Beat yourself to achieve your goals. Set yourself realistic goals. Kill self doubt and learn to find what you are looking for. Talk face to face with other InfoSec people and jump into the deep end whenever you feel scared.