SANS is bringing world-class training to Queensland for SANS Brisbane 2010 on 24-29 May! (http://www.sans.org/info/54773) Why not choose the beauty of the city along the Brisbane River as the backdrop for your training? Register by 14 April to receive the best savings on the following courses:

- Security 401: SANS Security Essentials Bootcamp Style (GSEC) taught by Mark Hofman, SANS Certified Instructor

- Security 560: Network Penetration Testing and Ethical Hacking (GPEN) taught by Eric Conrad, SANS Certified Instructor

Below is a brief snapshot of what each course covers. For complete course descriptions see: http://www.sans.org/info/54774

- SEC 401: Security 401: SANS Security Essentials Bootcamp Style (GSEC).
In this course you will learn the language and underlying theory of computer security. At the same time you will learn the essential, up-to-the-minute knowledge and skills required for effective performance if you are given the responsibility for securing systems and/or organizations. This course meets both of the key promises SANS makes to our students: (1) You will gain up-to-the-minute knowledge you can put into practice immediately upon returning to work; and, (2) You will be
taught by the best security instructors in the industry.

Maximize your training time and turbo-charge your career in information security by learning the full SANS Security Essentials curriculum needed to qualify for the GSEC certification.

- SEC 560: Network Penetration Testing and Ethical Hacking (GPEN) covers the ingredients for successful network penetration testing to help attendees improve their enterprise’s security stance.

FIND SECURITY FLAWS BEFORE THE BAD GUYS DO! We address detailed pre-test planning, including setting up an effective penetration testing infrastructure and establishing ground rules with the target organization to avoid surprises and misunderstanding. Then, we discuss a time-tested methodology for penetration and ethical hacking across the network, evaluating the security of network services and the operating systems behind them.

Both courses are associated with a GIAC Certification (GSEC and GPEN). Put the skills you’ll learn to practical use and more than GIAC certified professionals who make the info sec industry safe!  Visit http://www.giac.org/info/54779 for more information and register for your certification attempt today!

SANS training is well-known for being relevant and pragmatic. All SANS instructors are industry leaders and experts who understand the challenges you face on a daily basis.  Their real-world experience increases the practical value of the course material.  Here are some comments from recent alumni:

“The SANS class (SEC401) stands out above the rest because of the subject matter experts who teach the classes and labs.” – Shirlee Eitel-Birgham, State of Nevada

“Anyone who is in the network penetration testing field should take this course (SEC560) to improve your current skills and learn new ones.” - Nick Ramser, Ohio State University

“This is the way you need to learn: roll up your sleeves, dig in to the fundamentals and the nitty-gritty technical details, and then go ’hands-on’ to practice and reinforce what you’ve been taught.” – Joseph Price, DoD

Classes will be held at the Marque Brisbane Hotel, which is located in the heart of the city and just a minute walk to the Brisbane River. The central location is the ideal base from which to explore some of Brisbane’s best attractions. Cruise the river, shop along Queen Street, enjoy the Treasury Casino or the South Bank Parklands. A special discount rate of AUS $179 S/D will be honored based on space availability. This discount is only available through 22 April, so take advantage of this special offer and make your reservations today! For more information see http://www.sans.org/info/54784

To follow or tweet about this event, use hashtag #sansbrisbane. Follow SANS at http://twitter.com/SANSInstitute

Get the training you need to advance your career.  Start making your training and travel plans now to join us for SANS Brisbane 2010! (http://www.sans.org/info/54773)

Hi kids!! It’s been a few weeks now since I resat the OSCP exam. GOOD NEWS!! I PASSED!! Now I guess I should chronicle the trials and tribulations of journey that was the Offensive-Security Pentesting with Backtrack course. Grab a drink, make yourself comfortable and read on!

The road to the OSCP certification is a long and intense one. I went into it after completing a few SANS courses that I really thought would have given me the basics for this cert, and to a point, they did .. but it was only the very basics. Now don’t get me wrong, the SANS courses are excellent, and I will always be a massive fan of the great work they have done, but this my friends, was something totally different!

Full of bravado I looked at the overview of the course and secretly thought to myself “pinch of piss” (thats an Australian term by the way – I’m not sure how I could translate it into other languages) and signed up for 4 weeks of lab access. That was the easiest part! I was about to have my ass handed to me in ways that I have never experienced before in my life! I was about to hear the term “try harder” more than I ever expected, at my most confused/annoyed/frustrated states, those 2 words can send you over the edge! Heading into the IRC channel to discuss things often resulted in someone typing !bob, this triggers the channel bot to message you with “Bob is laughing at you!” EFF BOB!!

But, these things, as annoying as they sound, are what in fact make you try harder, and understand things that little bit more. When you research something and work it out yourself, you stand a much better chance of remembering it. The basics in the lab book (which to most people aren’t really basic) gives you the foundation to do so much more. The basics, along with your own crazy imagination, are what will get you through the exam. Did I mention that the exam was 24 hours? Oh yeah .. it’s 24 hours!

I did all the course work, did most of the “Extra-mile” work (the extra-mile questions are the really good juicy questions that get you ready for the exam .. if you don’t do them, you won’t pass – I promise you), extended my lab time by another month and felt real good going into the exam. WRONG!! I spent 24 hours going around in circles. I went in with a game plan, got a rush of blood, put my game plan in another pair of pants, washed that pair of pants, and then lent said pants to a friend! My friend Chris has done an awesome write up of this event! Now, I did manage to get a root on a couple of servers, and shell access on a couple more, but it was never going to be a pass (my exam was actually just before Christmas, I was praying on the Christmas spirit to pass me hahaha).

I was never in the mindset of giving up anywhere along the line, after 24 hours with no sleep I was still really excited about how much I had achieved! Sure, I didn’t pass, but who would have thought that after 8 weeks I would be able to do what I was doing (I don’t want to tell you .. it’ll give away too much information). I was pumped and I was going to redo the exam and pass!! This is where poor Chris fell apart, it was ok, we sat him down, slapped him stupid and got him back on board! Getting Chris back on track was the best thing .. he really helped motivate me when I really couldn’t be assed to study. When I got stuck on stuff, he was there to try and explain stuff. Try and get a study buddy if you can, it makes a heap of difference!

We booked our exam again, and gave ourselves a bit of time off before getting back into it. This time we were a lot more focused. We knew what we had to do, and we had a great plan (that we wouldn’t blow away this time). We both did a lot of pre work for this second attempt (Chris probably did more than me, but who’s keeping track – hahaha). Then the big day came …

WE BOTH SMASHED IT!!!

It all paid off for! I managed to get quite a lot done in the first 45 mins (to the point where I could have passed), but I wanted to get the lot, I was going to get all the machines! The final machines were tough, tough because one was so blindingly easy that I missed that my exploit I did had actually worked (RETARD!!), I believe that I did the exact same thing on my first attempt and only realised about an hour before my exam was up hahaha. The other machine was just hard .. hard, hard, hard!

The end result is, I got all of the goals! I passed the exam, I am now an OSCP! The exam was the most rewarding thing I have done, and I am proud to say this is the first security related exam that I have EVER failed! This course has already given me opportunities I would have never had before, It was one of the best things I have done and I couldn’t be happier.

If you’re reading this and thinking about taking the course, DO IT! Leave yourself enough time to go through the material a few times, leave yourself enough time to try and get root on ALL the lab machines, have fun and don’t get too bogged down in things. When it’s all too hard, go and get some fresh air or move on to something else. I hope everyone enjoys the course as much as I did!! I actually enjoyed it so much, that I have just signed up for the WiFu course that is offered – but that’s a post for another time!

So it’s time to build a bit of a test lab at home. There’s time when you want to test an exploit .. or just have a hack at a few things. You can’t just get out on the internet and have a crack at other peoples machines now can you!

So I decided that I was going to knock something together real quick (after all  .. I have to go back to work in a few days). So this is my first version of my test lab (if you’re interested). I’m thinking of it more as a work in progress than anything else, I’m sure it will evolve as time goes by.

For hardware I just went and got a cheap Dell tower machine. It’s nothing special, Core 2 quad, at the moment it only has 4gig of ram in it, but I’ll bump it up to 8 next week. My base OS is Windows 7 (I’m hoping the I can end up using it for more than just a test lab, having said that I’m already wishing I’d built it on 2003) and I’m using VMware Server for the virtual machines. As for the virtual machines I’m running

• de-ice.net scenario 1 & 2 (get them by registering for the forums at http://forums.heorot.net)
• pWnOS (also get it by registering at http://forums.heorot.net)
• Damn Vulnerable Linux 1.4 (http://www.damnvulnerablelinux.org or google)
• Fedora Core 4 – current (google that one – the old versions are unsupported now)
• Windows Server 2000 SP4
• Multiple Windows XP (Vanilla through to SP3)
• Backtrack 3 & 4 (get it from http://www.remote-exploit.org/backtrack.html)
• and a few other bits and bobs

This is all great .. but only a few of those are purpose built with exploits right? So what we want to do is be able to build something with an exploitable service or application .. thats when we go to sites like http://www.crackmes.de/ & https://www.securinfos.info/old-softwares-vulnerable.php & http://www.oldapps.com/ etc. With a bit of research on sites such as milw0rm and exploit-db you should be able to create something that will be a bit of fun.

When I set my lab up I also set up a VPN server so I could remote into the lab rom work, or allow friends of mine to remote in and have a bang at getting some of these boxes as well.

This lab is far from perfect, in fact, it’s been quite rushed and there’s a lot of things I would already like to change about it (which I will do when I get time to play), but for now it’s going just fine!

I hope this offers some form of help to you guys out there that are wanting to start up a quick lab somewhere, the media used here as the basis of my lab is a great and easy start.

By no means is this information useful to many people at all! This is the insane ramblings going through my head that I want to keep handy for when I get a rush of blood and start going totally off course. There are probably a few mistakes in some of the stuff here (it was written in haste) – but I’m sure if you’re interested, or know about what is written here, then you’ll know the correct syntax for the commands (or be able to work it out).

If you do find some of this information of any use to you … AWESOME!! Otherwise, move along, there’s nothing to see here.

These notes are just brain jerkers for my OFFSEC101 / OSCP exam that I will be taking on Monday the 21st December. It’s a 24hr lab challenge where you are meant to be hack 5 separate machines and gain root/admin/system access. All in all I feel ok about it .. I’m more worried about the unknown factor in these types of exams (it’s not a learn and repeat type thing) where you’re thinking outside of your normal boundaries, there’s also the fact that it goes for 24hrs and fatigue can make people do silly things!

I’ll let you all know how I go after the event! Now, back to the notes …

Notes

Use Leo and make a new child entry for each IP. Keep ALL information related to testing of that machine in that child entry. Create child entries within the IP entry for each type of scan/information gathering. Create a totally separate child entry for username/password combinations, general notes etc. Leo/good record keeping is what will win the game.

Scan network for live hosts

(nmap/zenmap)

For NMAP –

nmap -vv -sP 192.168.0.1-254 -oG hosts_up.txt

cat hosts_up.txt | grep -i “up”

nmap -PN 192.168.9.200-254

(this will also show open ports for each host)

Identify OS

(nmap/zenmap)

For NMAP –

nmap -O 192.168.0.100 (just OS fingerprint)

nmap -A 192.168.9.201 (runs an “aggressive” scan – scan,OS fingerprint, version scan, scripts and traeroute)

Check hosts for services

(nmap/zenmap)

For NMAP

- nmap -sS 192.168.9.254 (TCP)

- nmap -sU 192.168.9.254 (UDP)

(Could be better to do this in zenmap and group servers by services)

FOR SNMP

-  snmpwalk -c public -v1 192.168.9.254 1 |grep hrSWRunName|cut -d” ” -f

For a known port

- nmap – p 139 192.168.9.254

DNS Lookups/Hostnames

host -l <domain> <dns server>

e.g. host -l acme.local 192.168.0.220

Banner grab/Version services

(nmap/zenmap/SNMP)

Check versions of software/services against milw0rm and security focus)

For NMAP

- nmap -sV 192.168.9.254

For SNMP

snmpenum -t 192.168.0.100 (displays all snmp informations for that server)

For SMTP

nc -v <mailserver> 25

- Will give mailserver version. Can also VRFY to find valid usernames/email accounts

Netbios/SMB

- smb4k (graphical interface – lists shares)

- smbserverscan

- metasploit auxiliary scanner

./msfconsole

show

use scanner/smb/version

set RHOSTS 192.168.0.1-192.168.0.254

run

Enumerate Usernames

(SNMP/SMTP/SMB[NETBIOS]/Add others here)

For SMB

- nmap -sT -p 445 192.168.9.200-254 -oG smb_results.txt (then grep open sessions)

(on my machine /root/offsec) ./samrdump.py 192.168.9.201 (results from above)

For SNMP

- nmap -sT -p 161 192.168.9.200/254 -oG snmp_results.txt (then grep)

- snmpwalk public -v1 192.168.9.201 1 |grep 77.1.2.25 |cut -d” “ -f4

For SMTP – (/pentest/enumeration/vrfy)

- ./smtp_VRFY.py <mailserver IP>

** NEED TO MAKE THREADED – VERY SLOW **

SAMRDUMP.PY – (/pentest/python/impacket-examples/samrdump.py)

- ./samrdump.py SNMP server

*** NAMES.TXT – /pentest/enumeration/vrfy/names.txt ***

*** OR /pentest/web/wfuzz/wordlists/others/names.txt ***

Crack Passwords

(hydra/THC bruter)

(need mil-dict.txt from Milw0rm – cracked hashs)

FTP – hydra -l <username> -P mil-dic.txt -f <FTP SERVER> ftp -V

POP3 – hydra -l <username> -P mil-dict.txt -f <MAIL SERVER> pop3 -V (may need to use -t 15 to limit concurrent connections)

SNMP – hydra -P mil-dict.txt -f <SNMP SERVER> -V

MS VPN – dos2unix words (whatever word list)

cat words | thc-pptp-bruter VPN server

Look for known vulnerable services

(refer nmap/zenmap output)

Check versions of software (by either snmp enumeration or nmap/zenmap) against http://www.milw0rm.com/search.php or http://www.securityfocus.com/vulnerabilities or http://www.exploit-db.com

Compile exploit code if possible

(milw0rm archive)

cd /pentest/exploits/milw0rm

cat sploitlist.txt | grep -i [exploit]

Some exploits may be written for compilation under Windows, while others for Linux.

You can identify the environment by inspecting the headers.

cat exploit | grep “#include”

Windows:  process.h, string.h, winbase.h, windows.h, winsock2.h

Linux:   arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/sockt.h, sys/types.h, unistd.h

Grep out Windows headers, to leave only Linux based exploits:

cat sploitlist.txt | grep -i exploit | cut -d ” ” -f1 | xargs grep sys | cut -d “:” -f1 | sort -u

LINUX

Well it’s just a little over a week before I sit the OffSec PWB exam. To be brutally honest I am shitting myself! This has been one of the most fun, yet difficult courses that I have done to date.

I have purposely left a couple of sections to complete in the last week of my lab time before the exam, I get the feeling that I will need to know a lot about fuzzing and writing exploits. I’m hoping that by leaving them to the end (I’ve already done them before, but I want to spend some serious time on them) that these sections will be fresh in my mind.

Having said that, I got one of my big final challenges this weekend. I successfully got root on the lab Fedora Core 4 machine. I’d like to give you details in here, but it would give it away for future students, and I really don’t want to do that. All I will say is that it’s not a point and shoot exploit. There was a lot of thinking outside of the square here .. and I’m not all that great at that It was a hard challenge, and I’m very happy that I got through that one.

To anyone doing the course (or potentially doing it in the future) I still have Bob’s machine to get. I am very close to getting his machine. There has been a lot of work and frustration to get to the point I’m at now .. and I still don’t have it. That is my final goal that I need to get before my exam. I’ll spend a little time on it later on this week .. but it may have to wait till the very last minute for me to try and get it (and I may not even get it in the end).

All in all .. whether I pass or fail the final exam, this is one of the greatest courses I’ve done yet. I want you all to go and do it. You can find a million links to the Offensive Security guys and the course in some of my previous posts.

You probably won’t be hearing from me until after the exam! Be prepared for tears!! hahahahaah

(oh yeah – two things you need to get used to “Try Harder” & “Bob is laughing at you!”. Don’t forget to talk to the guys in the irc channel, they’re all really cool and helpful guys.)

After upgrading a Sophos Antivirus solution there was an issue where you could not install the new Sophos Console 4 on a Windows 7 machine. This was a bit of a pain in the butt as the user needed to either have access to another XP/Vista machine to install a remote console or to log into the server and run the console from there. I personally wasn’t a big fan of either.

After looking up another issue on the Sophos knowledgebase I noticed a new link that happened to go off to Sophos’ brand new shiny forums. As with most forums I often feel a little let down and underwhelmed at the amout and quality of responses. As I looked through the posts (there weren’t too many as the forums had only been officialy open for a week or so) I noticed someone posting about installing the console on Windows 7. Can you imagine how happy I was to not only see a response .. but a resonse that was a working solution!

Here my friends, is how to install Console 4 on Windows 7 (if you need to know)

The more supported way:

Install Windows XP Mode if your Windows 7 licence permits. It is available here:

http://www.microsoft.com/windows/virtual-pc/download.aspx

You can then install the Enterprise Console role only on the virtual XP machine.

On the Windows 7 machine, you can then launch Enterprise Console from Start – All Programs – Windows Virtual PC – Windows XP Mode Applications – Sophos – Enterprise Console (XP Mode).

For information, the shortcut to the application becomes something like:

%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\VMCPropertyHandler.dll,LaunchVMSal "Windows XP Mode" "||325d262f" "Enterprise Console "

The unsupported way

Please note, this is performed at your own risk as it is currently untested to run this version of the console on Windows 7. Please take any necessary system backups/restore points prior to continuing. Upgrading to a future version may also not work when employing this method.

1. Copy the unpacked “sec_40” directory (as generated by the SFX download) to the Windows 7 machine. E.g. "C:\sec_40".

2. Open a command prompt (cmd.exe) running as Administrator (This is important otherwise the installation will fail). To do so, search for cmd.exe in the “Search programs and files” search field in the Start menu. When it appears above, you can right click and choose “Run as administrator”.

3. In the command prompt, change directory to C:\sec_40\ServerInstaller\.

CD C:\sec_40\ServerInstaller\

4. Run: "Sophos Enterprise Console.msi" OVERRIDECHECKS=TRUE

5. At the “Setup Type” page, choose “Custom” and then ensure just the “Management console” feature is selected. Do not choose a “Complete” installation or choose to install any other components.

6. On the “Management Server” page choose the IP, or hostname of the machine where the Sophos Management Service is installed and then continue with the install.

7. Before launching Enterprise Console, ensure that your account is a member of the necessary groups, namely “Sophos Console Administrators” and if the user hasn’t be granted specific access through RBA then also “Sophos Full Administrators".

8. From the Start menu you should be able to launch "Enterprise Console".

So, I’m sure anyone who reads this site knows that I am currently studying this Pentesting with Bactrack course from the Offensive Security guys. Well, it seems it is a little harder than I first thought!!

I’ve done quite a few security certs over the last few years (CISSP, CISA, CISM, GSEC, GCIH) but nothing has really come close to what this course has to offer. The SANS stuff is by far the closest .. and I think that if I had done the SANS SEC560 – Network Penetration and Ethical Hacking I would be in a much better position than what I am now. The stuff I’ve done with SANS has all been at live events, so you get the added comfort of being able to ask questions of actual people when you don’t understand something (as well as the whole classroom type of thing where everyone seems to help each other out). The Offensive Security course doesn’t really give you that luxury .. you have the ability to ask questions of people in their IRC chatroom, but if like me, you’re in an odd timezone, sometimes you can sit there for hours without a single thing happening. Having said that, there is nothing like researching and finding the information out for yourself (it just takes a little longer).

Anyway, I have succumbed to the pressures and extended my labs for another 30 days. I really want to make sure I’m totally on top of this course as much as I can be, I’d really like to pass it first go if I can (I hate having to re-sit exams). I’m going to try and sit the exam before Christmas (fingers crossed).

Now, for all you kids following the bouncing ball, over the next 30 days I’ll probably be sharing ALL the information that I get out of the exercises from this course! For some of you this will all be old hat and trivial, for some of you it will hopefully be enlightening (and possibly somewhat boring). I’ll try not to give anything away to other people sitting the PWB course, I want people to think and learn for themselves .. just like me!

Until next time …

(I really need to have more pictures in my posts .. everyone likes pictures and popup books right?)