Results 1 to 25 of 109
  1. Member
    Join Date
    Sep 2015
    Posts
    83

    Certifications
    Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #1

    Default OSCP for fun and entertainment.

    Welp I'm starting down the rabbit hole in 12 hours (Why the hell they won't send it to me till 8pm at night IDK)
    I'm not exactly prepared but have 20 years of random IT/Networking/Programming behind me. I'm not a Linux guy or a C programmer but I have no doubt I'll get thru it, it's just how long it will take. I've started by signing up for 90 days.

    The whole process just sounds fun to me, I love challenges and am very persistent. It's more like a video game to me. I haven't read any books in preparation, I prefer hands on and the motivation based learning of a problem at hand. I did work on setting up the vm and familiarizing myself with it a bit. And I did go ahead and work thru metasploit to practice an MS08-067 exploit on an XP box. I plan on trying both automated and manual exploits when I can. Ignorance of a tool, even disallowed on the exam, doesn't benefit me in any way.

    I'm planning on the usual approach, Keepnotes for example, and have read the forums of various people such as Jolly Frogs.

    A couple preparation things I've learned already, such as when you do your VPN check, you should SCAN the test network for the hell of it, but only the .200-254 address range. Doesn't hurt to scope it out in advance (I think Jollyfrog did it, or at least someone I read did). You can use it to identify likely windows and linux targets.

    Also your student login credentials for the VPN also get you into the OFFSEC forums on their site. You can start reading up in advance, and looking at any tips or info that's not a spoiler, depending on your mindset. Think of it as the non-invasive Enumeration/research of any pen test. Also you can log into the #OFFSEC Webchat and read what students are looking at, I also collated quite a few hints about boxes via the !Bob style message hints. Not having seen the course material I also documented box names to IP address from forum posts.

    I doubt I'll do a day by day log, but I'll try and post the resources I find and use as I go.

  3. Stayed at a Holiday Inn.. the_Grinch's Avatar
    Join Date
    May 2007
    Posts
    3,848

    Certifications
    BS-CST CISSP GMON MPSC Security+ XRY 1+2+3 XAMN AAA AA CMFF CCO CCPA
    #2
    Good luck! Doing this cert currently and it has been pretty awesome so far. I suspect by Wednesday I will have all of the videos and lab manual completed. Then it's time to play in the lab.
    WIP:
    MS in Legal Studies - Drexel University
    Mobile Forensics
    Kotlin
    Python

  4. Junior Member
    Join Date
    Sep 2015
    Location
    Sweden
    Posts
    29

    Certifications
    GCFA, GCFE
    #3
    Yes, good luck!
    I'm having my last full lab access day today and it has been one hell of a journey ;)

  5. Member
    Join Date
    Sep 2015
    Posts
    83

    Certifications
    Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #4
    Day 1, OFFSEC doesn't do Daylight Saving Time, everything arrived 1 hour early.

  6. Member
    Join Date
    Sep 2015
    Posts
    83

    Certifications
    Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #5
    Day 2

    Made 1/3-1/2 way thru the pdf and Videos. They're pretty concise and to the point, learned quite a few things from them about Linux, not so much a weak point for me, but a gaping hole. Still trying to find my rhythm for the documentation aspect, too much, too little, who knows.

    Got ADD at one point, I've been running some nmap scans in the background while I studied. Picked a target I was comfortable was an older 2000 machine. Hit it up with Metasploit MS08-067 and took it down. I'll follow up with the non-Meta attack later, but just wanted to try. Forgot to revert it and noticed it had been violated by numerous students. Utilities, proof and hashes just laying in the root. So I reverted it and did it clean again.

    Started a spreadsheet to organize Machine info/status, and a separate tab to track exploits vs OS versions for future/exam.

    Lessons learned:
    Check your Control Panel and confirm how long since last revert before beginning.
    Don't be a slob and clean up after yourself, preferably group your files in a sub directory when looting/uploading.
    Document everything.

  7. Stayed at a Holiday Inn.. the_Grinch's Avatar
    Join Date
    May 2007
    Posts
    3,848

    Certifications
    BS-CST CISSP GMON MPSC Security+ XRY 1+2+3 XAMN AAA AA CMFF CCO CCPA
    #6
    Nice! I think I know the box you are talking about. I've taken the track of going through all of the material first and then jumping into the lab. Either way works and it really does come down to the person. My thought on attacking machines is to go with the non-Metasploit option since your use of Metasploit on the exam is limited (I suspect it is allowed merely for the creation of shellcode). Practice like you play as it were. Look forward to your continued thoughts on the course!
    WIP:
    MS in Legal Studies - Drexel University
    Mobile Forensics
    Kotlin
    Python

  8. Member
    Join Date
    Sep 2015
    Posts
    83

    Certifications
    Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #7
    I agree without MSF is probably better, and that will be one of my requirements. But the reality is you need to know both ways in the real world, and I do think it's highly unlikely that MS08-067 will be on the exam, that's not low hanging fruit, that's on the ground, but I could be wrong.

    I also should point out the material provided, videos and pdf, should be reviewed at the same time / alternating. I started just by doing the pdf, thinking it would direct me to the videos. In reality they cover the same general material. But each has its own little additions, such as additional tools to use, and the exercises. So now I watch some chapters and then go read the PDF and do the exercises.

  9. Member
    Join Date
    Sep 2015
    Posts
    83

    Certifications
    Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #8
    Day 3.5

    Well I read/watched more of the study material, but also knocked off some low hanging fruit and did some exploring, up to 6 boxes rooted with MSF and then I went back this morning and did them manually with a different script. It's nothing to brag about, it was just repeating a similar exploit. I do a preliminary look around, but document that I need to come back and fully loot at a later date. I also haven't had to work at elevating any privileges yet, that will be a separate area of development. Like I said these are low hanging. Oh I did find a 2nd nic to another network, but I'll come back and pursue that later.

    Lesson Learned:
    Obviously each machine has an available exploit path, but some likely have more than one, plan on going back and reviewing the enumeration data and look for alternate exploits.
    Not all machines are there as a challenge, some appear to be staging for moving on to other machines. Looting will be key.
    OFFSEC has a sense of humor, I wouldn't call them Easter eggs but some items are funny.

  10. Member
    Join Date
    Sep 2015
    Posts
    83

    Certifications
    Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #9
    Day 4
    I'm a bit ADD this week, so I'm bouncing around between the material and playing in the lab. I ran into my first box requiring privilege escalation, I have a limited shell. Now I'm looking into what to do from here, interestingly enough I can see another student working on it, but he's taken a different approach to working on it than I have, it's the 2nd time I've seen artifacts from others on this type of box. I conclude there's another known exploit that I haven't run across but I need to find just for thoroughness. Oh I should clarify I've targeted Windows boxes as my 1st choice due to familiarity.

    Currently I have:
    MSF 7 Full
    Manually 5 Full 1 Limited

    Yeah shells aren't everything but it's a reasonable metric. And I ran into my first 'Hint' confirmation.

    I'm also going to take a page from previous students, and build an Exploit vs OS Spreadsheet. I believe it will be crucial to have a way to cross reference Tools/exploits vs OS versions (including SPs) as well as things like Open Port Requirements. Keepnote is great for keeping track but I'm very much spreadsheet oriented.

  11. Member
    Join Date
    Sep 2015
    Posts
    83

    Certifications
    Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #10
    Day 6
    I'll slow down the updates as the successes get fewer and farther between. I did manage to get Bob last night, taking my limited shell to full, it was a bit painful, but mostly just involved a lot of googling for different techniques. It did highlight the requirement to get comfortable with compiling published exploits under different platforms. One complaint I have is many published exploits are just code dumps, often without any identifier as to the language or compiling requirements. I guess that's one of those things you're just supposed to 'get' over time and experience.

    Some useful references I have found:

    Search for CVEs with CVE security vulnerability database. Security vulnerabilities, exploits, references and more, then once a CVE is identified use it to search one of the Vulnerability Databases such as https://www.exploit-db.com

    And no matter how well you think you know DOS commands, http://commandwindows.com/ has something to teach you, it proved very useful.
    Last edited by Jebjeb; 11-13-2015 at 03:03 PM.

  12. Stayed at a Holiday Inn.. the_Grinch's Avatar
    Join Date
    May 2007
    Posts
    3,848

    Certifications
    BS-CST CISSP GMON MPSC Security+ XRY 1+2+3 XAMN AAA AA CMFF CCO CCPA
    #11
    Ha, thanks for the info! This will prove useful as I've just completed the videos and was going to start attacking systems tonight.
    WIP:
    MS in Legal Studies - Drexel University
    Mobile Forensics
    Kotlin
    Python

  13. Member
    Join Date
    Sep 2015
    Posts
    83

    Certifications
    Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #12
    **Edit
    Day 6
    Forgot I got another web server on Friday via a Web Content system.

    Day 7/8
    Well that was long and full of self-inflicted suffering. I popped another box, a combination of abusing services and a modified MSF exploit. A few of the boxes are intended to be exploited via msf, but it doesn't mean you can't go back afterwards and work up a standalone scripted version. The self-inflicted part stemmed from accepting an nmap OS identification, which turned out to be incorrect. Thus everything I looked into was misleading, only after spending many hours researching options did I end up double checking via another method. 20 minutes later I was in. I did set a new personal record going thru 18 reverts on one machine, occasionally it wouldn't actually revert either. But even in frustration you're still learning things.

    I did some recon on another box, which due to a previous note led me back to a previously rooted machine. It seems apparent I'm going to have to use 1 machine to get to another. This is actually the 2nd pair of interconnected machines like this I've noticed.

    Web shells are very useful to know, and my ADD self still hasn't finished reading the material.

    Score
    9/7 now I think, total is actually 11, there's some overlap between MSF and Manually.

    Lessons learned:
    Double check your info via different tools sometimes
    Netstat every machine and take note of connections from other lab machines, you'll thank me later.


    Resources:
    Home | Offset-DB.com - This is sometimes helpful.
    Online Tools - RingZer0 CTF
    Last edited by Jebjeb; 11-16-2015 at 02:18 PM. Reason: forgot a day

  14. Member
    Join Date
    Sep 2015
    Posts
    83

    Certifications
    Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #13
    Day 9

    Well kinda just flailing around scouting machines, decided to go back and look at a machine I knew was dual homed. Used the same exploit as before and it connected, but went to test something and reverted it, but the exploit wouldn't work again! Came to realize after some more testing that the port wasn't open. Apparently I got a hold of it after someone had dropped the firewall. I didn't know it, but I had dumped the hashes so actually have a valid RDP capable password, so I can still get into it at will. But I really feel the need to figure out the method I was supposed to use.

    Didn't stop me from scouting what I presume is the IT network, I identified some of the addresses, and other dual homed machines. But I'll step away from exploiting it till I figure out the other methods.

    I've also seen instances of an FTP exploit that creates long random looking folder names. I don't know what it is, but I've seen evidence of others using it. So far I figured out other alternatives for those sites, but I also want to identify that vulnerability if anyone knows it.

  15. Member
    Join Date
    Sep 2015
    Posts
    83

    Certifications
    Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #14
    Day 10

    Well last night was rewarding, I went back to address the machine I 'cheated' on and tore it up. I identified the vulnerability and modified an exploit with the proper memory addresses and boom shell. One interesting twist is the shell died every x seconds. So it became a race condition to follow up quickly with a secondary approach to deal with that. Once resolved, I confirmed in the new state that the previous vulnerability also worked now.

    Seeing that the 2nd machine was dual homed I decided to start my scouting of the next network. Not sure if it's the machine or VMs or what but a couple standard approaches to access the other network remotely failed. MSF's Pivot crashed the shell, bridging the network cards crashed the entire machine, or at least made it inaccessible, and enabling IP forwarding appeared to do nothing. Ultimately I added a route, net enabled a proxy and was able to proxy chain nmap thru the machine. Went to bed leaving it scanning 6 identified targets via nmap. Haven't looked at the results yet.

    I've been focusing on only the windows machines for now, and am halfway through them in the initial network. I'm going to take some time and start reorganizing my documentation to clearly show exploit requirements in a searchable format. I have all next week off, so I have a little more time to work on things.

    Proxy Chains are SLOOOOOOW or at least how I'm doing it.

  16. Stayed at a Holiday Inn.. the_Grinch's Avatar
    Join Date
    May 2007
    Posts
    3,848

    Certifications
    BS-CST CISSP GMON MPSC Security+ XRY 1+2+3 XAMN AAA AA CMFF CCO CCPA
    #15
    Loving the daily updates! I've been having a consistent issue with OpenVAS (I got some new hardware today so maybe that will fix it), but I have enough of a report to go with to start. Hopefully pop at least one box tonight! Keep posting as I've been reading every day!
    WIP:
    MS in Legal Studies - Drexel University
    Mobile Forensics
    Kotlin
    Python

  17. Junior Member Registered Member
    Join Date
    Nov 2015
    Posts
    4
    #16
    Love the daily updates, good luck bro

  18. Member
    Join Date
    Sep 2015
    Posts
    83

    Certifications
    Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #17
    Day 12.5

    Not a ton of progress the last couple of days, I caught up on a little more of the video material, and went back and tried to re-exploit all the machines I had compromised so far, and do a little more looting. I'm taking special care to pull netstats among other things, I'm looking for connections between machines, as there's 100% indication that client side exploits are required.

    The Proxy chains experiment in scouting didn't work, not sure why but it was only showing the same 2 ports open on all the different targets. I obviously am missing a piece there.

    I moved on to a different target that I'm sure has access to the same network (IT I believe). It's a web target, and I accidentally figured out a password login, while trying to watch for cookies via Tamperdata I typed in a common application default we use at work just to trigger it. And it turned out to be right. I'd rather be lucky than good any day. As it was I did go back to figure out how you were supposed to figure that out, but it was hashed, which I haven't figured out how you were supposed to know the hash or just pass it.

    Regardless, it's moved me forward into the world of XSS and Beef. Very interesting, but I'm flailing around a bit after detecting an unexpected connection to it that I'm trying to exploit now. I've got 9 more days off work so I hope to start making more progress. I actually get to spend a lot more time than most people I believe, due to an understanding girlfriend and discretionary responsibilities at work (I work on what I want

  19. Junior Member
    Join Date
    Feb 2010
    Location
    UK
    Posts
    3

    Certifications
    OWSP, ITIL SO, VCP5, ITIL ITSM, Security+, Network+, MCSE+I, BSc (Hons)
    #18
    Enjoying your posts Jebjeb. I am working through my videos, pdf, mindmaps prior to going back on the labs next month.

  20. Junior Member
    Join Date
    Sep 2015
    Location
    Sweden
    Posts
    29

    Certifications
    GCFA, GCFE
    #19
    I also had big problems with OpenVAS, it timed out or crashed frequently.
    After a while I got fed up with it and installed and used Nessus instead, it worked flawlessly.
    Last edited by Janne4; 11-21-2015 at 06:49 PM.

  21. Stayed at a Holiday Inn.. the_Grinch's Avatar
    Join Date
    May 2007
    Posts
    3,848

    Certifications
    BS-CST CISSP GMON MPSC Security+ XRY 1+2+3 XAMN AAA AA CMFF CCO CCPA
    #20
    Yup OpenVAS has just been a real nightmare to deal with. I'll probably be jumping to Nessus as well.
    WIP:
    MS in Legal Studies - Drexel University
    Mobile Forensics
    Kotlin
    Python

  22. Member
    Join Date
    Sep 2015
    Posts
    83

    Certifications
    Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #21
    Day 13.5 (meaning my details bleed over from 2 different days of attempts)

    First I'd like to say thanks for the feedback/encouragement. It's what assures I should continue posting.

    Well this has been a frustrating couple of days. I haven't made a lot of progress in shelling things, but I'd like to believe I have learned multiple things. Beef was interesting but less than productive. While it was able to confirm remote connections, I could not keep the sessions open persistently. I assume it's due to the restart scripts they use. It did serve the function of confirming client side connections. I was able to trigger multiple client side download attempts from my own server, but could not get a shell. It's like they never ran.

    I was getting frustrated so I moved onto other targets. I'll mention one of my personal peeves, I wanted to go back to a previous target I wanted to further exploit, but in due diligence I checked the revert status. It was reverted an hour before! I will give it some time and monitor the status, I don't want to interfere with someone else's efforts.

    I chose another target, and within a short time I have some access, the Proof.txt was relatively easy to access, but I don't have a shell. That's what I'm going to work on going forward. Default logins are your friend, add it to your procedural checklist.


    Lesson of the day:

    I've been doing this for years but it may not be intuitive to others. Long directory names are a development of the last 10-15 years. But not all applications or command syntax support them. Older applications or some DOS commands support 8.3 naming conventions. What does this mean?

    Assume directory entries such as:

    10/25/2015 08:07 AM <DIR> Program Files
    11/11/2015 09:31 PM <DIR> Program Files (x86)

    can be accessed multiple ways:

    1) C:\>cd program Files - but only when it supports long filenames/paths
    2) C:\>cd progra~1 - this is how 8.3 is interpreted. The first program in the list resolves to ~1; in some cases ~2 will resolve to the 2nd entry. Use the first 6 characters and then ~# instance number
    3) cd Pr* will also work, this is my personal favorite, it's by far the fastest and works in Linux as well as windows, though it is case sensitive in Linux. Use however many significant characters are required to make it unique
    4) CD "Program Files"

    The versions can be used in multiple directory changes such as cd OS*/Tools.
    And as I just learned cd pro*2 will access the 2nd entry.

    I really like the * wildcard versions as it really helps ease of navigation.

    Hope this helps somewhat, though in the sense of full disclosure I AM on vacation and the following post was inspired by Jaegar and Johnny Cash.
    Last edited by Jebjeb; 11-22-2015 at 04:45 PM. Reason: Switched to Cruxshadows
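The 8.3 rule in the post, worked as an added Python example (not code from the thread or from OFFSEC): it generates the short alias for each entry of a directory listing in creation order, and shows why a cmd.exe wildcard such as `cd pro*2` lands on the second "Program Files" entry, because the pattern is matched against the 8.3 name as well as the long name. The NTFS behaviour of switching to a hashed stem after the fourth collision is not modelled; the listing names are the ones from the post plus a few constructed ones.

```python
"""Generate Windows-style 8.3 short names for a directory listing.

Simplified short-name rules: the long name is uppercased, spaces and
most punctuation are dropped, the base is cut to six characters and ~N
is appended, where N counts earlier entries (in creation order) with the
same six-character stem. Names that already fit 8.3 get no tilde alias.
Assumption: listings are given in creation order, as Windows would.
"""
import fnmatch
import re

# Characters Windows drops when building a short name
_STRIP = re.compile(r'[ .+,;=\[\]]')
# A name that is already a legal 8.3 name (checked on the uppercased form)
_VALID_83 = re.compile(
    r"^[A-Z0-9!#$%&'()\-@^_`{}~]{1,8}(\.[A-Z0-9!#$%&'()\-@^_`{}~]{1,3})?$")


def _split_ext(name):
    """Split on the last dot; a leading-dot or dotless name has no extension."""
    base, dot, ext = name.rpartition('.')
    if not dot or not base:
        return name, ''
    return base, ext


def is_valid_83(name):
    """True if the name needs no tilde alias (it already fits 8.3)."""
    return bool(_VALID_83.match(name.upper()))


def short_names(entries):
    """Map each long name to its 8.3 alias, honouring listing order.

    entries: iterable of long file/directory names in creation order.
    Returns a dict {long_name: short_name}; names that already fit 8.3
    map to their uppercased form (dir /x shows no separate alias).
    """
    result = {}
    stem_counts = {}            # six-character stem -> aliases issued so far
    for long_name in entries:
        if is_valid_83(long_name):
            result[long_name] = long_name.upper()
            continue
        base, ext = _split_ext(long_name)
        base = _STRIP.sub('', base).upper()
        ext = _STRIP.sub('', ext).upper()[:3]
        stem = base[:6]
        n = stem_counts.get(stem, 0) + 1
        stem_counts[stem] = n
        result[long_name] = '%s~%d%s' % (stem, n, '.' + ext if ext else '')
    return result


def cd_candidates(pattern, entries):
    """Entries a cmd.exe 'cd PATTERN' could resolve to.

    The wildcard is matched case-insensitively against both the long
    name and the 8.3 alias, which is why 'pro*2' selects the entry
    whose alias is PROGRA~2. More than one hit means the pattern is
    ambiguous and cmd.exe will simply take the first match.
    """
    aliases = short_names(entries)
    pat = pattern.upper()
    return [e for e in entries
            if fnmatch.fnmatchcase(e.upper(), pat)
            or fnmatch.fnmatchcase(aliases[e], pat)]


# Constructed listing: the two entries from the post plus a few extras
LISTING = ["Program Files", "Program Files (x86)", "Tools",
           "Documents and Settings", "notes.txt", "my notes.txt"]

if __name__ == '__main__':
    for long_name, alias in short_names(LISTING).items():
        print('%-14s %s' % (alias, long_name))
    print('cd pr*   ->', cd_candidates('pr*', LISTING))
    print('cd pro*2 ->', cd_candidates('pro*2', LISTING))
```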

  23. Member
    Join Date
    Sep 2015
    Posts
    83

    Certifications
    Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #22
    Day 14.5

    Yesterday was a long day, not very rewarding, ended up switching between a couple 3 hard targets (for me), but ended up with lost ground as various people would reset them.

    This morning was a bust until lunch when I figured out that somehow my NC.exe I was uploading for the last week was corrupt (from one of my web machines). I managed to work around it, but it certainly explained a few things. I then proceeded to trash the OTRS server and moved on.

    After that moment of clarity I succeeded in a client side exploit thru a proxy which took me to a machine in the IT network. This scored my first Network Secret, YAY! It also revealed another new network, not sure which yet. And in a twist of fate I turned right back around and mapped to the Web server I passed my client exploit thru, with discovered admin creds. I haven't finished looting it yet, or getting a shell, but the exposed creds let me just pillage the web services and file system, so it's only a matter of time.

    I haven't figured out the best way to exploit the new networks yet, whether it be proxy chaining or just exploiting victims and launching from them.

    I can certainly say I'll have to revisit some targets that I've been trying to get to with metasploit. Their shells are convenient, but I'm still using mostly a combination of techniques. Have I mentioned how frustrating the reset scripts are? The ones that make sure services are up? I've learned to build cut and paste lists to dump in everything quickly. I'm a big fan of a combined CMD statement to drop the firewall, enable RDP, and add a user, and promote him to admin in one paste. I should look at BASH scripts for metasploit sessions as well. Some of these attempts only give me 30 secs in which to take over.

    So the last 4 days have resulted in 2 fully shelled, 1 about to be, 1 new network, and 1 more I'm trying to piggy back thru.

  24. Member
    Join Date
    Sep 2015
    Posts
    83

    Certifications
    Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #23
    Day 15.5

    Short one today, I was overthinking the last one I had direct file/web access to. Trying to look thru exploits and LFI's and SQL inserts. But I mapped to the drive with the damn Admin creds. So I just RDPed to it. I've really been abusing RDP. Once I did that one I went back to scouting networks, I should have clarified, while I only received 1 Network Secret, the machine I compromised was dual homed, so I RDP chain thru to the next network, and installed NMAP. I've spent the morning scanning and documenting scans, ports, server names.

    So I have basic maps of 3 of the 4 networks, I'm not sure which the new one is. There is a network diagram on the OFFSEC site showing the IT department firewall to the Admin network. But I'm not sure if that takes into account the dual homed machines I've been running into. I may be in the Admin or I may be in the Dev Network. Either way I want to locate the subnet for the missing network, and that will give me an idea of what to look for.

    Score is 15 windows machines compromised (including the 2 dups in the lab network, 1 in the IT network), haven't even touched a linux box yet.

    One note, I've found a lot of password hashes just dropping them into Google. hashkiller.co.uk has been very successful. It's key for me to hash the Admin accounts, as it skips me from re-exploiting a machine to just RDPing thru it quickly.

  25. Senior Member Cyberscum's Avatar
    Join Date
    Oct 2014
    Location
    25.0000° N, 71.0000° W
    Posts
    738

    Certifications
    Certified Coccyx Inspector
    #24
    ^^^^^

    What main tools are you using? I plan on trying the exam in maybe 4-5 months from now and am getting familiar with the toolsets.

    From what I can gather you are using:

    OpenVAS
    Metasploit
    Nmap
    Nessus

    Are you using wireshark or any of the pass crackers?

    I want to really get a grasp on the toolset required for the test.

    Also, are all the tools you are using part of the Kali distro?


    Your posts really point out the fun in it all and I really am amped to try this cert! Thanks!

  26. Member
    Join Date
    Sep 2015
    Posts
    83

    Certifications
    Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #25
    Ironically I don't believe I'm doing a good job using the tools yet. I've brute forced my way thru a few things. But my skill set grows daily.

    Nmap is obviously the key tool for all recon. There's others that supplement it, but it all starts here.
    Metasploit - I've used it for about 6 vulnerabilities so far. And have manual methods for one or 2 of those attempts. I need to get back to checking for alternate scripts. Once I used it to show some/find some information I didn't know via a path scanner. And its Hashdump is very convenient. Twice I've had to edit payloads with new memory addresses.
    Beef I used once - and while it IDed a target for me, I didn't need it to compromise the target. But it did reveal a browser version number which helped a lot.
    Netcat or NC - key tool and exam friendly
    Wireshark - I use it weekly in real life, so it's my go-to status checker. ie is my XSS really trying to connect back?

    I've tried some of the snmp/dns/rps/etc scanners, but I tend to assess the low hanging fruit first. Then I look deeper as necessary.
    RDP and windows command line are my current bread and butter tools. I'll start over as I switch to linux targets.

    Couple things I recommend which I haven't organized yet. I've staged my vm as a web server, and keep tools and payloads on it. I recommend people organize and make available downloads. Arrange a couple of types of reverse shell scripts or exes. Start arranging web shell uploads, asp, perl, vbs, php. Store common tool downloads. Especially NC! I also used a Nmap installation package yesterday, rather than proxy thru machines, just installed it on the target.

    The basic tools can get you further than the kits. I have yet to use a vulnerability scanner other than nmap's vuln check. I started using Searchsploit yesterday, but found it of limited value at this time. I have Google, it may be less focused but I'm learning more along the way looking. Linux Locate command is great for locating my Metasploit syntax, I hate Case Sensitivity in file names/paths!

    Now does anyone know why the hell every time I use the Route command my scans (nmap) relayed thru a target only hit on 2 ports for every target, even when they're down? Obviously I'm hitting myself somehow, and have something configured wrong.

    Upcoming Tasks/wishlist include:
    Test payloads prepared in advance, what can and can't be used on the exam and prepare for them.
    Use an alternate Hashdump than Metasploits. Something exam friendly -- Forgot I had previously used FGDUMP.exe updated Tool Folder accordingly
    Organize my download directories
    Try and arrange an alternate script for every metasploit module used before the exam.
    A method to reverse connect an RDP session would be great (thru firewalls/proxies)

    My understanding is I can arrange metasploit payloads, just not use metasploit on the exam. I know not to use other automated vulnerability tools(nessus and openvas?) but what else is off limits?

    Also I'd like to point out I'm not trying to be stealthy, I'm LOUD. I hit machines 100 times if necessary. I'm sure at some point I'll have to slow it down a bit to avoid IDS and AV.

    This has been my best tool so far:
    "reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & netsh firewall set opmode DISABLE & net user joe password /add & net localgroup administrators joe /add"

    Why use outside tools when the target gives me a desktop and their tools.
    Last edited by Jebjeb; 11-25-2015 at 02:08 PM. Reason: forgot wireshark. and FGDUMP
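The one-liner in the post is also a textbook thing to alert on from the blue-team side: enabling RDP in the registry, disabling the firewall and creating a local admin, all on one host within seconds. The Python below is an added detection example (not code from the thread or from OFFSEC) that classifies process-creation command lines against those four actions and raises an alert when two or more of them occur on one host inside a short window, so the chain is caught even when it is pasted as separate commands. The log records are constructed for this example and only mimic the CommandLine/Computer fields of Sysmon Event ID 1.

```python
"""Detect the 'enable RDP, drop firewall, add local admin' command chain."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One rule per action in the chain; patterns run over the lower-cased command line
RULES = [
    ("rdp_enabled",
     re.compile(r'reg(?:\.exe)?\s+add\s+.*terminal server.*fdenytsconnections.*/d\s+0\b')),
    ("firewall_disabled",
     re.compile(r'netsh(?:\.exe)?\s+(?:firewall\s+set\s+opmode\s+disable'
                r'|advfirewall\s+set\s+\w+\s+state\s+off)')),
    ("local_user_added",
     re.compile(r'net1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b')),
    ("admin_group_change",
     re.compile(r'net1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b')),
]


def classify(command_line):
    """Return the set of rule names a single command line triggers.

    A '&'-chained one-liner trips several rules at once; split-up
    commands trip one rule each and are correlated by detect() below.
    """
    cl = command_line.lower()
    return {name for name, pat in RULES if pat.search(cl)}


def detect(records, window=timedelta(minutes=5), threshold=2):
    """Correlate hits per host inside a sliding time window.

    records: iterable of dicts with 'time' (ISO 8601), 'host', 'cmdline'.
    Returns a list of (host, first_hit_time, sorted action names) alerts,
    at most one per host, when at least `threshold` distinct actions
    fall within `window` of each other.
    """
    by_host = defaultdict(list)
    for r in records:
        hits = classify(r["cmdline"])
        if hits:
            by_host[r["host"]].append((datetime.fromisoformat(r["time"]), hits))
    alerts = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e[0])
        for i, (t0, _) in enumerate(events):
            seen = set()
            for t, hits in events[i:]:
                if t - t0 > window:
                    break
                seen |= hits
            if len(seen) >= threshold:
                alerts.append((host, t0.isoformat(), sorted(seen)))
                break
    return alerts


# Constructed sample records: WS01 shows the chain split into four commands,
# WS02 shows benign admin activity that must not alert.
SAMPLE = [
    {"time": "2015-11-25T14:01:05", "host": "WS01",
     "cmdline": 'reg add "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control'
                '\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"time": "2015-11-25T14:01:06", "host": "WS01",
     "cmdline": "netsh firewall set opmode DISABLE"},
    {"time": "2015-11-25T14:01:07", "host": "WS01",
     "cmdline": "net user joe password /add"},
    {"time": "2015-11-25T14:01:07", "host": "WS01",
     "cmdline": "net localgroup administrators joe /add"},
    {"time": "2015-11-25T09:30:00", "host": "WS02",
     "cmdline": "net user helpdesk /domain"},        # lookup only, no /add
    {"time": "2015-11-25T09:31:00", "host": "WS02",
     "cmdline": 'reg query "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server"'},
]

if __name__ == '__main__':
    for host, when, actions in detect(SAMPLE):
        print('ALERT %s at %s: %s' % (host, when, ', '.join(actions)))
```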
