security.crudtastic.com

Hi kids!! It’s been a few weeks now since I resat the OSCP exam. GOOD NEWS!! I PASSED!! Now I guess I should chronicle the trials and tribulations of journey that was the Offensive-Security Pentesting with Backtrack course. Grab a drink, make yourself comfortable and read on!

The road to the OSCP certification is a long and intense one. I went into it after completing a few SANS courses that I really thought would have given me the basics for this cert, and to a point, they did .. but it was only the very basics. Now don’t get me wrong, the SANS courses are excellent, and I will always be a massive fan of the great work they have done, but this my friends, was something totally different!

Full of bravado I looked at the overview of the course and secretly thought to myself “pinch of piss” (thats an Australian term by the way – I’m not sure how I could translate it into other languages) and signed up for 4 weeks of lab access. That was the easiest part! I was about to have my ass handed to me in ways that I have never experienced before in my life! I was about to hear the term “try harder” more than I ever expected, at my most confused/annoyed/frustrated states, those 2 words can send you over the edge! Heading into the IRC channel to discuss things often resulted in someone typing !bob, this triggers the channel bot to message you with “Bob is laughing at you!” EFF BOB!!

But, these things, as annoying as they sound, are what in fact make you try harder, and understand things that little bit more. When you research something and work it out yourself, you stand a much better chance of remembering it. The basics in the lab book (which to most people aren’t really basic) gives you the foundation to do so much more. The basics, along with your own crazy imagination, are what will get you through the exam. Did I mention that the exam was 24 hours? Oh yeah .. it’s 24 hours!

I did all the course work, did most of the “Extra-mile” work (the extra-mile questions are the really good juicy questions that get you ready for the exam .. if you don’t do them, you won’t pass – I promise you), extended my lab time by another month and felt real good going into the exam. WRONG!! I spent 24 hours going around in circles. I went in with a game plan, got a rush of blood, put my game plan in another pair of pants, washed that pair of pants, and then lent said pants to a friend! My friend Chris has done an awesome write up of this event! Now, I did manage to get a root on a couple of servers, and shell access on a couple more, but it was never going to be a pass (my exam was actually just before Christmas, I was praying on the Christmas spirit to pass me hahaha).

I was never in the mindset of giving up anywhere along the line, after 24 hours with no sleep I was still really excited about how much I had achieved! Sure, I didn’t pass, but who would have thought that after 8 weeks I would be able to do what I was doing (I don’t want to tell you .. it’ll give away too much information). I was pumped and I was going to redo the exam and pass!! This is where poor Chris fell apart, it was ok, we sat him down, slapped him stupid and got him back on board! Getting Chris back on track was the best thing .. he really helped motivate me when I really couldn’t be assed to study. When I got stuck on stuff, he was there to try and explain stuff. Try and get a study buddy if you can, it makes a heap of difference!

We booked our exam again, and gave ourselves a bit of time off before getting back into it. This time we were a lot more focused. We knew what we had to do, and we had a great plan (that we wouldn’t blow away this time). We both did a lot of pre work for this second attempt (Chris probably did more than me, but who’s keeping track – hahaha). Then the big day came …

WE BOTH SMASHED IT!!!

It all paid off for! I managed to get quite a lot done in the first 45 mins (to the point where I could have passed), but I wanted to get the lot, I was going to get all the machines! The final machines were tough, tough because one was so blindingly easy that I missed that my exploit I did had actually worked (RETARD!!), I believe that I did the exact same thing on my first attempt and only realised about an hour before my exam was up hahaha. The other machine was just hard .. hard, hard, hard!

The end result is, I got all of the goals! I passed the exam, I am now an OSCP! The exam was the most rewarding thing I have done, and I am proud to say this is the first security related exam that I have EVER failed! This course has already given me opportunities I would have never had before, It was one of the best things I have done and I couldn’t be happier.

If you’re reading this and thinking about taking the course, DO IT! Leave yourself enough time to go through the material a few times, leave yourself enough time to try and get root on ALL the lab machines, have fun and don’t get too bogged down in things. When it’s all too hard, go and get some fresh air or move on to something else. I hope everyone enjoys the course as much as I did!! I actually enjoyed it so much, that I have just signed up for the WiFu course that is offered – but that’s a post for another time!

By no means is this information useful to many people at all! This is the insane ramblings going through my head that I want to keep handy for when I get a rush of blood and start going totally off course. There are probably a few mistakes in some of the stuff here (it was written in haste) – but I’m sure if you’re interested, or know about what is written here, then you’ll know the correct syntax for the commands (or be able to work it out).

If you do find some of this information of any use to you … AWESOME!! Otherwise, move along, there’s nothing to see here.

These notes are just brain jerkers for my OFFSEC101 / OSCP exam that I will be taking on Monday the 21st December. It’s a 24hr lab challenge where you are meant to be hack 5 separate machines and gain root/admin/system access. All in all I feel ok about it .. I’m more worried about the unknown factor in these types of exams (it’s not a learn and repeat type thing) where you’re thinking outside of your normal boundaries, there’s also the fact that it goes for 24hrs and fatigue can make people do silly things!

I’ll let you all know how I go after the event! Now, back to the notes …

Notes

Use Leo and make a new child entry for each IP. Keep ALL information related to testing of that machine in that child entry. Create child entries within the IP entry for each type of scan/information gathering. Create a totally separate child entry for username/password combinations, general notes etc. Leo/good record keeping is what will win the game.

Scan network for live hosts

(nmap/zenmap)

For NMAP –

nmap -vv -sP 192.168.0.1-254 -oG hosts_up.txt

cat hosts_up.txt | grep -i “up”

nmap -PN 192.168.9.200-254

(this will also show open ports for each host)

Identify OS

(nmap/zenmap)

For NMAP –

nmap -O 192.168.0.100 (just OS fingerprint)

nmap -A 192.168.9.201 (runs an “aggressive” scan – scan,OS fingerprint, version scan, scripts and traeroute)

Check hosts for services

(nmap/zenmap)

For NMAP

- nmap -sS 192.168.9.254 (TCP)

- nmap -sU 192.168.9.254 (UDP)

(Could be better to do this in zenmap and group servers by services)

FOR SNMP

-  snmpwalk -c public -v1 192.168.9.254 1 |grep hrSWRunName|cut -d” ” -f

For a known port

- nmap – p 139 192.168.9.254

DNS Lookups/Hostnames

host -l <domain> <dns server>

e.g. host -l acme.local 192.168.0.220

Banner grab/Version services

(nmap/zenmap/SNMP)

Check versions of software/services against milw0rm and security focus)

For NMAP

- nmap -sV 192.168.9.254

For SNMP

snmpenum -t 192.168.0.100 (displays all snmp informations for that server)

For SMTP

nc -v <mailserver> 25

- Will give mailserver version. Can also VRFY to find valid usernames/email accounts

Netbios/SMB

- smb4k (graphical interface – lists shares)

- smbserverscan

- metasploit auxiliary scanner

./msfconsole

show

use scanner/smb/version

set RHOSTS 192.168.0.1-192.168.0.254

run

Enumerate Usernames

(SNMP/SMTP/SMB[NETBIOS]/Add others here)

For SMB

- nmap -sT -p 445 192.168.9.200-254 -oG smb_results.txt (then grep open sessions)

(on my machine /root/offsec) ./samrdump.py 192.168.9.201 (results from above)

For SNMP

- nmap -sT -p 161 192.168.9.200/254 -oG snmp_results.txt (then grep)

- snmpwalk public -v1 192.168.9.201 1 |grep 77.1.2.25 |cut -d” “ -f4

For SMTP – (/pentest/enumeration/vrfy)

- ./smtp_VRFY.py <mailserver IP>

** NEED TO MAKE THREADED – VERY SLOW **

SAMRDUMP.PY – (/pentest/python/impacket-examples/samrdump.py)

- ./samrdump.py SNMP server

*** NAMES.TXT – /pentest/enumeration/vrfy/names.txt ***

*** OR /pentest/web/wfuzz/wordlists/others/names.txt ***

Crack Passwords

(hydra/THC bruter)

(need mil-dict.txt from Milw0rm – cracked hashs)

FTP – hydra -l <username> -P mil-dic.txt -f <FTP SERVER> ftp -V

POP3 – hydra -l <username> -P mil-dict.txt -f <MAIL SERVER> pop3 -V (may need to use -t 15 to limit concurrent connections)

SNMP – hydra -P mil-dict.txt -f <SNMP SERVER> -V

MS VPN – dos2unix words (whatever word list)

cat words | thc-pptp-bruter VPN server

Look for known vulnerable services

(refer nmap/zenmap output)

Check versions of software (by either snmp enumeration or nmap/zenmap) against http://www.milw0rm.com/search.php or http://www.securityfocus.com/vulnerabilities or http://www.exploit-db.com

Compile exploit code if possible

(milw0rm archive)

cd /pentest/exploits/milw0rm

cat sploitlist.txt | grep -i [exploit]

Some exploits may be written for compilation under Windows, while others for Linux.

You can identify the environment by inspecting the headers.

cat exploit | grep “#include”

Windows:  process.h, string.h, winbase.h, windows.h, winsock2.h

Linux:   arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/sockt.h, sys/types.h, unistd.h

Grep out Windows headers, to leave only Linux based exploits:

cat sploitlist.txt | grep -i exploit | cut -d ” ” -f1 | xargs grep sys | cut -d “:” -f1 | sort -u

LINUX

Move along .. nothing to see here!!

If you know what these are .. you’re probably happy to see them here. Damn you Metasploit for getting rid of the opcode DB!!

This is really just for me

English Windows XP SP 2 User32.dll JMP ESP 0x77db41bc
English Windows XP SP 1 User32.dll JMP ESP 0x77d718fc
English Windows 2003 SP0 and SP1 User32.dll JMP ESP 0x77d74adc
English Windows 2000 SP 4 User32.dll JMP ESP 0x77e3c256
French Windows XP Pro SP2 JMP ESP 0x77d8519f
German/Italian/Dutch/Polish Windows XP SP2 JMP ESP 0x77d873a0
Spainish Windows XP Pro SP2 JMP ESP 0x77d9932f
French/Italian/German/Polish/Dutch Windows 2000 Pro SP4 JMP ESP 0x77e04c29
French/Italian/Chineese Windows 2000 Server SP4 JMP ESP 0x77df4c29

I’m also absolutely stoked that I found an international opcode database (here) – much thanks to secureinfos.info for their work with this (it really fills the void left by the closure of the metasploit opcode db)
PS – WordPress and it’s so called “Code” tags are craptastic! (sorry for all the updates to everyone on the RSS feeds)

UPDATE – Exam is over and done with. I got 91% so I was really happy. Even though the SANS exams are open book exams, unless you know what you’re talking about and understand it you really aren’t going to do too brilliantly. I indexed the hell out of the 504 books which really helped, but there aren’t really too many questions that say What is XYZ where you can go and look up XYZ directly. The other thing is that the exams go for 4 hours (5 for the GSEC exam) and that in itself can be quite daunting! It really pays to use your 2 practice tests before hand to get into the groove (I did mine on the 2 days before the exam). The practice tests will give you a fair indication of how you will perform in final exam, at the end it gives you a print out of each section and how well you did, it makes it easy to know where to target to gain some extra marks. All in all though, as long as you make sure you do enough work before hand and know what you’re doing you should be fine. Make sure to take it easy during the exam, don’t rush (I have a tendency to do that – I did this exam in less than 2 hours, I did my CISA exam in 90 mins), and read all the questions carefully! My final words about taking this SANS course as well would be that the On Demand bundle was absolutely brilliant! This is the first time i’ve had access to a SANS On Demand course (and only because I was a facilitator at the Canberra 2009 event), and I was really impressed with it. There’s a series of MP3 files that have been recorded during an actual class, and they are shown along the slides used for the actual courses. At the end of each section there’s a mini quiz that you must get 80% on to move on to the next section, this ensures that you really do understand what you just watched before you move on. All in all, I really enjoyed this course, probably more than any of the other ones i’ve done (even non SANS ones) and I really felt like I got some seriously useful hands on knowledge that I can use in my daily job. Hopefully these notes will help anyone looking to do a GIAC GCIH .. or any other similar SANS or GIAC exam. Feel free to email me or post a comment if you need any other information about any of this stuff .. I’m more than happy to help!

So like last year, my lead up to sit my latest SANS exam has been a very last minute decision You can read about my follies last year HERE. Basically last year (for those who can’t be bothered reading my old post) I only had a week to study for the GIAC GSEC certification (SANS SEC401 Security Essentials Course). So I posted a few notes abotu how I was going to try and attack it and hopefully pass it. Well, I passed it and was pretty pleased with my results (you always know you can do better). Well, this year I’m getting ready to sit the GCIH (SANS SEC504) .. and guess what .. I have a week and a half to study!! hahhaha

So my crazy scheme is pretty much the same as last year, except I have an ace up my sleeve this year .. I have 4 full days in a row to study before the exam! I think I’ll be fine on this exam though. A lot of the content is tasks I do all the time in the office (and also a few good things I play around with at home). So let’s have a recap of how I’m going to attack this

1. Create an index of all the books for easy reference during the exam
2. Also mark the sections in the book with page tags (those little sticky notes)
3. Read through all the slides again
4. Sit a practice exam
5. Read through the book again, picking up on parts that I did poorly on
6. Sit a final practice exam (you only get 2)
7. Repeat step 5
8. Sit exam and do well/pass
9. Celebrate
10. Prepare for next certification/course

I won’t lie to you, there’s a lot of work to accomplish in a short amount of time. I really need to knuckle down and get into it (instead of writing a blog post about what I’m going to do). I feel really confident that I will pass this GIAC GCIH and hopefull even hit the magic marker to be a part of the GIAC Advisory Board.

I’ll let all you kids know how I go in a few weeks!

I can now add CISA to my resume!

I got my results emailed to me during the night. For some reason the first thing I did when I woke up this morning was to check my email, and it said I had passed!

So I’m pretty much certified out now .. I still have to sit my GIAC GCIH exam from SANS Canberra this year (which I’m trying to get sorted out now).

Anyway .. if anyone is planning on sitting their CISM or CISA exams at the end of the year have a look through some of my old study notes for a few tips etc. If you have any more specific questions feel free to leave me a comment or send me an email.

So, tomorrow I will sit the ISACA CISA exam.

I’m feeling fairly well prepared .. I had a fair bit of time to study leading up to the exam. Here’s a few things I noted while getting ready for the exam.

1. Don’t bother with testkings or braindump or any of those sites. I spent a few hundred dollars on sims/practice exams .. all pretty well worthless in my eyes.
2. Only use the ISACA CISA review manual .. they’re the ones writing the questions from THEIR manual .. all the answers are in there
3. Make sure you actually have some working experience for this exam. Although your job may not cover all of the subject areas, you are likely to have touched on a few, and that makes life a lot easier
4. The exam was written with the company in mind. A lot of things boil back to “what’s best for the company”
5. Try and get along to some review courses before the exam date. this year there were none in my area .. but luckily SANS put on a free 3hr review session (it was good too)

So today has been a day of very light review, it was time to relax. What I don’t know now .. well .. I probably won’t remember anyway! I’ll have a nice dinner tonight, watch a bit of TV, and then head off to bed nice and early.

Hopefully in 6-8 weeks you’ll be seeing a post here saying that I’ve passed

Good luck to anyone else sitting their exam tomorrow

** UPDATE **

I just thought I’d add a little more information in here (just to keep in the back of your mind). The exam weightings .. you should have probably taken note of those before now (if you haven’t .. I’m sure you’ll be fine) are as follows

• Ch1 – IS Audit Process – 10%
• Ch2 – IT Governance – 15%
• Ch3 – Systems and Inf Life Cycle Management – 16%
• Ch4 – IT Service Delivery – 14%
• Ch5 – Protection of Info Assets – 31%
• Ch6 – BCP & DR – 14%

So, Chapter 5 is the big one – Protection of Information Assets. If you have a working technical knowledge, most of this stuff you will know, If you’re a Financial auditor wanting to get your CISA, this could be a bit more of a challenge. The other dark horse here is Chapter 3, it’s a big section of the book that not a lot of places do (or at least do it well) .. keep that one in your mind

Now everyone relax, take some time out .. and make sure you’re ready for tomorrow. Make sure you know where you’re going and how to get there (don’t get caught in traffic – give yourselves plenty of time to travel). Have a nice breakfast, nothing too big that will put you to sleep, take a light jacket to keep yourself warm (in case the air con is a bit cold), take some water and some snacks (and not the annoying loud one in wrappers – damn you guy from my CISM exam!!).

Hey security chums!!

The ISACA CISA certification exam is coming up (June 13th if memory serves me correctly). So for those of you who haven’t started studying yet, it’s time to get crackin!

I’m publishing some of my study notes as I go along through all my material .. this information is more so for myself to keep my brain bombarded with all this knowledge in preparation, but it could be of some use to someone (who knows). You can find it HERE. As usual I have used the trusty ZOHO.COM for this

If you’re registered for the CISA exam in Brisbane Australia, there is a review course about to start every Wednesday night that goes until the exam date. If you need any more details drop me a line or leave me a comment.

EDIT – Seems the Zoho link was a bit screwed .. try this one instead – https://notebook.zoho.com/nb/public/crudtastic/book/174509000000015001