Category Archives: hacking

How to prepare for PWK/OSCP, a noob-friendly guide

A few months ago, I didn’t know what Bash was and had only heard of SSH tunneling, with no practical knowledge. I also didn’t like the idea of paying for PWK lab time without using it, so I went through a number of resources until I felt ready to start the course.

Warning: Don’t expect to be spoon-fed if you’re doing OSCP. You’ll need to spend a lot of time researching; neither the admins nor the other students will give you answers easily.

1. PWK Syllabus
1.1 *nix and Bash
1.2 Basic tools
1.3 Passive Recon
1.4 Active Recon
1.5 Buffer Overflow
1.6 Using public exploits
1.7 File Transfer
1.8 Privilege Escalation
1.9 Client-Side Attacks
1.10 Web Application Attacks
1.11 Password Attacks
1.12 Port Redirection/Tunneling
1.13 Metasploit Framework
1.14 Antivirus Bypassing
2. Wargames
2.1 Over The Wire: Bandit
2.2 Over The Wire: Natas
2.3 Root-me.org
3. Vulnerable VMs

1. PWK Syllabus:

Simply the most important reference in the list: it shows the course modules in detail, and my entire preparation was based on it. It can be found here.

1.1 *nix and Bash:

You don’t need to use Kali Linux right away; Ubuntu is a good alternative until you get comfortable with Linux.

1. Bash for Beginners: Best Bash reference IMO.
2. Bandit on Over The Wire: Great start for people who aren’t used to a terminal and aren’t familiar with Bash or *nix in general. Each challenge gives you hints on which commands you can use; you need to research them yourself.
3. Explainshell: Does NOT replace man pages, but breaks commands down for newcomers.

1.2 Basic tools:

You will use these tools a lot. Make sure you understand what they do and how you can utilize them.

Netcat: The most important tool in the entire course. Understand what it does, what options you have, and the difference between a reverse shell and a bind shell. Experiment a lot with it.
Ncat: Netcat’s more mature sibling; supports SSL and ships with Nmap.
Wireshark: Network analysis tool. Play with it while browsing the internet or connecting to FTP, and practise reading and writing PCAP files.
tcpdump: Not every machine has that cute GUI; you could be stuck with a terminal.

1.3 Passive Recon:

Read about the following tools and techniques and experiment as much as possible.

1. Google dorks
2. Whois
3. Netcraft
4. Recon-ng: Make sure you check the Usage guide to know how it works.

1.4 Active Recon:

  • Understand what DNS is, how it works, how to perform forward and reverse lookups, and what zone transfers are and how to perform them. Great resource here.
  • Nmap: One of the most used tools during the course (if not the most). I’d recommend starting by reading the man page, then understanding the different scanning techniques and its other capabilities (scripts, OS detection, service detection, …).
  • Service enumeration: SMTP, SNMP, SMB and many others. Don’t just enumerate them; understand what they’re used for and how they work.
  • Great list of enumeration techniques and tools.

1.5 Buffer Overflow:

The most fun part in my opinion. There are countless resources on how to get started; I’d recommend Corelan’s series. You probably only need the first part for PWK.

1.6 Using public exploits:

Occasionally you’ll need to use a public exploit, and maybe even modify the shellcode or other parts. Just go to Exploit-DB and pick one of the older, more reliable exploits (FTP ones, for example). The vulnerable software version is usually listed with the exploit code.

1.7 File Transfer:

Not every machine has netcat installed; you’ll need to find another way to upload exploits or other tools you need. There is a great post on this here.

1.8 Privilege Escalation:

A never-ending topic; there are a lot of techniques, ranging from having an admin password to kernel exploits. A great way to practise is with VulnHub VMs. Check my OSCP-like VMs list here.

Windows: Elevating privileges by exploiting weak folder permissions
Windows: Privilege Escalation Fundamentals
Windows: Windows-Exploit-Suggester
Windows: Privilege Escalation Commands
Linux: Basic Linux Privilege Escalation
Linux: linuxprivchecker.py
Linux: LinEnum
Practical Windows Privilege Escalation
MySQL Root to System Root with UDF

1.9 Client Side Attacks:

Try out the techniques provided in Metasploit Unleashed or an IE client side exploit.

1.10 Web Application Attacks:

Another lengthy subject: understand what XSS, SQL injection, LFI, RFI and directory traversal are, and how to use a proxy like Burp Suite. Solve as much as you can of Natas on Over The Wire; it has great examples of code injection, session hijacking and other web vulnerabilities.

The key is to research until you feel comfortable.

1.11 Password Attacks:

Understand the basics of password attacks and the difference between online and offline attacks: how to use Hydra, JTR and Medusa, what rainbow tables are, and so on. Excellent post on this topic here.

1.12 Port redirection/tunneling:

Not all machines are directly accessible; some are dual-homed and connected to an internal network. You’ll use such techniques a lot in non-public networks. This post does a great job of explaining it.

1.13 Metasploit Framework:

I decided to skip this part, but if you still want to study it, check out the Metasploit Unleashed course.

1.14 Antivirus Bypassing:

I skipped this part too.

2. Wargames

Use them as preparation for vulnerable machines.

2.1 Over The Wire: Bandit

Great start for people who aren’t familiar with Linux or Bash.

2.2 Over The Wire: Natas

Focused on web applications. Many of the challenges aren’t required for OSCP, but it helps for sure.

2.3 Root-me.org

Has great challenges on privilege escalation, SQL injection, JavaScript obfuscation, password cracking and analyzing PCAP files.

3. Vulnerable Machines

Boot-to-root VMs are excellent pentesting practice: you import a VM, run it and start enumerating from your attacking machine. Most of them end in getting root access. Check the post on which machines are the closest to OSCP; there is also https://lab.pentestit.ru/.

Blog posts regarding my journey through Pentestit.ru:

Pentestit Lab v10 – Introduction & Setup
Pentestit Lab v10 – The Mail Token
Pentestit Lab v10 – The Site Token

Vault 7: CIA Hacking Tools – Press Release

On Tuesday 7 March 2017, WikiLeaks began its new series of leaks on the U.S. Central Intelligence Agency. Code-named “Vault 7” by WikiLeaks, it’s the largest ever publication of confidential documents on the agency.

The first full part of the series, “Year Zero”, comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virginia. It follows an introductory disclosure last month of CIA targeting of French political parties and candidates in the lead-up to the 2012 presidential election.

Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

“Year Zero” introduces the scope and direction of the CIA’s global covert hacking program, its malware arsenal and dozens of “zero day” weaponized exploits against a wide range of U.S. and European company products, including Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are turned into covert microphones.

Since 2001 the CIA has gained political and budgetary preeminence over the U.S. National Security Agency (NSA). The CIA found itself building not just its now infamous drone fleet, but a very different type of covert, globe-spanning force — its own substantial fleet of hackers. The agency’s hacking division freed it from having to disclose its often controversial operations to the NSA (its primary bureaucratic rival) in order to draw on the NSA’s hacking capacities.

By the end of 2016, the CIA’s hacking division, which formally falls under the agency’s Center for Cyber Intelligence (CCI), had over 5000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other “weaponized” malware. Such is the scale of the CIA’s undertaking that by 2016, its hackers had utilized more code than that used to run Facebook. The CIA had created, in effect, its “own NSA” with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified.

In a statement to WikiLeaks the source details policy questions that they say urgently need to be debated in public, including whether the CIA’s hacking capabilities exceed its mandated powers and the problem of public oversight of the agency. The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.

Once a single cyber ‘weapon’ is ‘loose’ it can spread around the world in seconds, to be used by rival states, cyber mafia and teenage hackers alike.

Julian Assange, WikiLeaks editor stated that “There is an extreme proliferation risk in the development of cyber ‘weapons’. Comparisons can be drawn between the uncontrolled proliferation of such ‘weapons’, which results from the inability to contain them combined with their high market value, and the global arms trade. But the significance of “Year Zero” goes well beyond the choice between cyberwar and cyberpeace. The disclosure is also exceptional from a political, legal and forensic perspective.”

WikiLeaks has carefully reviewed the “Year Zero” disclosure and published substantive CIA documentation while avoiding the distribution of ‘armed’ cyberweapons until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should be analyzed, disarmed and published.

WikiLeaks has also decided to redact and anonymise some identifying information in “Year Zero” for in-depth analysis. These redactions include tens of thousands of CIA targets and attack machines throughout Latin America, Europe and the United States. While we are aware of the imperfect results of any approach chosen, we remain committed to our publishing model and note that the quantity of published pages in “Vault 7” part one (“Year Zero”) already eclipses the total number of pages published over the first three years of the Edward Snowden NSA leaks.

Pentestit Lab v10 – Introduction & Setup

Ever wondered what it feels like to hack a company? To breach their systems, traverse their network, and gain complete and total control of their domain – all within the bounds of legality? Well, look no further!

I’ve been scouring the inter-webs looking for decent resources that I can use to practise and hone my hacking skills. Although VulnHub was great, it didn’t provide me with a sense of realism. I wanted something more, something similar to the OSCP labs and exam… something with a “real world” structure, a real network that I can compromise, domain and all. All in all, I needed a company-style setup to test and practise on without breaking the bank.

After many an hour of searching, I came across a site called Pentestit Labs. It is a unique Russian “Corporate Laboratory” set up and run by the Pentestit information security firm, allowing security professionals to test their penetration testing skills.

I decided to dig deeper into the site and was generally amazed by how well everything was put together and how realistic the lab felt. I decided to give the lab a shot and completed it with a 100% success rate. I will be posting my write-ups for the lab and how I successfully “hacked” the “real life” lab in the upcoming days.

But before I post my write-ups, let’s go over the basics of what the lab is, what it consists of, and what is to be done.

About the “Test Lab”:

The Test lab contains penetration testing laboratories that emulate the IT infrastructure of real companies and are created for legal pentesting and improving penetration testing skills. Laboratories are always unique and include the most recent and known vulnerabilities.

The Test lab is presented as a computer network of virtual companies containing a wide range of misconfigurations and vulnerabilities. Participants, playing a pentester role, try to exploit them – and in case of success, gain access to particular lab nodes which contain a token. The winner is the one who collects all tokens.

Penetration testing in the labs is based on a “grey box” methodology: participants have network infrastructure information in the form of a schema and a text description. Participants can use different methods of penetration – exploiting network services, the web, social engineering, buffer overflows, etc.

During development of the labs, we try to cover almost all IT areas: network security, security of OSs and applications. Participants are supposed to exploit a variety of vulnerabilities in the network components and cryptographic mechanisms, in configurations and code, and also the human factor. The outstanding feature of “Test lab” is the unique story and overall scenario which links tasks with each other. For example, one can use already found mail credentials to attack other services and machines (Active Directory, for example). This is more realistic than standalone tasks in CTF contests, which can be done separately.

The Network:

Before you are able to access the Network Information and VPN Connection to the lab – you have to register. Once you are registered and verified you will be able to access the “Test Lab V.10” Main Screen.

From here you will be able to access the Network Diagram, Forums, Chat and also be allowed to enter any “Tokens” found during your pentest.

When you click on the Network Diagram link, you will be presented with the layout of the lab – in other words, the company’s network layout for your grey-box pentest.

From the initial image, we can see that we will have access to the lab via VPN (Virtual Private Network).

Once in the network, we will only have access to one public-facing host called “gw” – possibly sitting in the DMZ. From the small fire graphic, it also seems that the system is running a firewall to prevent attacks from reaching the Internal Network.

Our objective would be to compromise that host, get remote access, and then pivot into the Internal Network to continue our pentest.

Our “main” objective would be to compromise the WIN-DC0 host as that is the Domain Controller for the network. If we can compromise that, then we will have the keys to the kingdom. Overall, that is also the goal in any Network Pentest, to see if we can get access to the Domain.

Connecting to the Lab:

Once you are registered and at the main “Test Lab” screen, if you look at the top right corner of your screen, you will see a “HOW TO CONNECT” button, right next to your Progress Meter.

Once you click on “HOW TO CONNECT” you will be redirected to the Instructions Screen.

You can connect using either Linux or Windows. I used my Kali Linux distribution along with OpenVPN and Pentestit’s OpenVPN config file.

If you want, you can download their custom Kali 2 VirtualBox OVA Image, but I preferred to use my own custom setup… plus I didn’t know what else they might have installed/not installed on there, and I didn’t want any headaches during testing.

Once you log in to the website, get your VPN credentials and download the OpenVPN config file to your Kali box, you can go ahead and connect to the lab.

This is simply done by running the openvpn command with the Pentestit config file as the argument, like so:

root@kali:~# openvpn lab.pentestit.ru.conf 
Sat Mar 13 22:15:43 2017 OpenVPN 2.3.11 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on May 23 2016
Sat Mar 13 22:15:43 2017 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.08
Enter Auth Username: ******
Enter Auth Password: ********
---snip---
Sat Mar 13 22:15:53 2017 /sbin/ip route add 192.168.101.0/24 via 10.10.200.121
Sat Mar 13 22:15:53 2017 /sbin/ip route add 10.10.0.1/32 via 10.10.200.121
Sat Mar 13 22:15:53 2017 Initialization Sequence Completed

Once you see “Initialization Sequence Completed”, you are in the lab and can start pentesting! You can test this by pinging 192.168.101.9; you should get a reply.
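As an added check that is not part of the original post: the Pentestit profile is a third-party OpenVPN config, and any OpenVPN profile can push routes to your machine, so before pentesting it is worth confirming that only the lab networks shown in the log above are sent through the tunnel. The sample log below is constructed from that output plus one route a lab profile should not push; the lab networks and tunnel gateway come from the log, and `live_tunnel_routes` assumes Linux iproute2.

```shell
#!/bin/sh
# Added example, not part of the original post: check which routes an OpenVPN
# session installed, so a third-party lab profile only steers the lab networks
# through the tunnel and never your default route.
# Assumptions: the log format shown above ("/sbin/ip route add <net> via <gw>");
# the lab networks are the two from that log. The sample log is constructed.

LAB_ROUTES="192.168.101.0/24 10.10.0.1/32"

# Constructed log excerpt. The third route is NOT something a lab profile
# should push: 0.0.0.0/1 (with 128.0.0.0/1) is how "redirect-gateway"
# captures all IPv4 traffic, which would send your whole machine via the lab.
SAMPLE_LOG='Sat Mar 13 22:15:53 2017 /sbin/ip route add 192.168.101.0/24 via 10.10.200.121
Sat Mar 13 22:15:53 2017 /sbin/ip route add 10.10.0.1/32 via 10.10.200.121
Sat Mar 13 22:15:53 2017 /sbin/ip route add 0.0.0.0/1 via 10.10.200.121
Sat Mar 13 22:15:53 2017 Initialization Sequence Completed'

# Print the destination of every "ip route add" line found on stdin.
added_routes() {
    sed -n 's/.*ip route add \([^ ]*\) via .*/\1/p'
}

# Succeed only if every route in the log ($2) is in the allowlist ($1);
# any other route is reported on stderr.
check_routes() {
    allow="$1"
    bad=0
    for r in $(printf '%s\n' "$2" | added_routes); do
        case " $allow " in
            *" $r "*) ;;
            *) echo "unexpected route pushed by VPN: $r" >&2; bad=1 ;;
        esac
    done
    return "$bad"
}

# Succeed only if the log shows the tunnel actually came up.
session_completed() {
    printf '%s\n' "$1" | grep -q 'Initialization Sequence Completed'
}

# Live check on the running box (assumes Linux iproute2): show every route
# currently pointing at the tunnel gateway named in the log.
live_tunnel_routes() {
    gw=$(printf '%s\n' "$1" | sed -n 's/.*ip route add [^ ]* via \([^ ]*\).*/\1/p' | head -n 1)
    [ -n "$gw" ] && ip route show | grep "via $gw"
}

if session_completed "$SAMPLE_LOG" && check_routes "$LAB_ROUTES" "$SAMPLE_LOG"; then
    echo "VPN is up and only lab routes were added; safe to start pinging 192.168.101.9"
else
    echo "VPN profile pushed routes outside the lab; review it before continuing"
fi
```

To check a real session, pipe the openvpn output to a file and pass its contents in place of `SAMPLE_LOG`; a route like 0.0.0.0/1 means the profile is tunnelling more than the lab.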

Alright, that’s all for today! Stay tuned for more posts in the upcoming days on how to compromise the lab!

The WikiLeaks Just Keep on Dripping (Vault7)

This past Tuesday (March 7, 2017), the internet’s online library of cool stuff, WikiLeaks, published the first of what it promises will be many more materials related to the CIA’s cyberspying arsenal (or should that be “cyber spying?”). The site has dubbed this treasure trove of purloined materials “Vault 7.” The outward dismay and deep concern this dump has caused is probably only the tip of the dismay and concern iceberg. One can only imagine the wailing and gnashing of teeth currently in progress behind closed doors in Langley, VA.

There are a whole lot of goodies bundled with this info dump and I’m not just referring to the leaked docs. The docs are really secondary to the many teachable moments offered up to us Cybrarians relating to a wide range of courses here on Cybrary.

What’s in the vault?

The materials that were published on WikiLeaks are the first part of a series comprising 8,761 documents. WikiLeaks has dubbed this first release, “Year Zero.” WikiLeaks states that the CIA recently lost control of the majority of its hacking arsenal, which includes such nice stuff like malware, viruses, Trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation developed by a CIA-entity known as the Engineering Development Group. Sounds like Christmas morning in Hackerville. It’s best to go directly to the source for the details, which is WikiLeaks, rather than getting your news secondhand. I drifted off to sleep last night reading the WikiLeaks “Vault 7” article.

WikiLeaks claims that this trove already eclipses the total number of pages published over the first three years of the Edward Snowden NSA leaks. Competitive much? And the competition doesn’t end there. It seems the NSA and CIA have an on-going competition in the cyber warfare arena. Again, according to WikiLeaks, the CIA bristled that they had to get hand-me-downs from the NSA. Eventually, the CIA’s budget for cyberwarfare development increased and they were able to finally go their own way, possibly out-pacing the NSA’s efforts.

Hacking the endpoint is where it’s at

Many consider the zero day exploits to be the most interesting as well as the most frightening revelation in all this. It appears that there was an agreement forged between the U.S. technology industry and the Obama administration that the government would disclose – on an on-going basis – “serious vulnerabilities, exploits, bugs, or ‘zero days’” to Apple, Google, Microsoft, and other US-based manufacturers. However, like 19th century peace treaties with Native Americans, Uncle Sam apparently had his fingers crossed when making the deal. It now seems that the CIA held back dozens of zero day exploits for its own use.

This brings us to a hacking trend that’s gaining a lot of momentum and one discussed frequently in courses here on Cybrary.it: hacking the endpoint. Malicious activity on endpoints such as mobile devices and laptops often presents itself to detection methods as typical end-user stupidity, and thus evades detection. Attacking from the perimeter allows an adversary to gradually work its way further into the network, escalating privileges and working its way up the access chain as it goes. It was zero day exploits in Apple, Google, and Microsoft products that allowed CIA hackers to circumvent the encryption feature in WhatsApp, Signal, and Telegram to read users’ encrypted text messages.

And let’s not get started on the cursed IoT fiasco. The CIA devised a nifty little piece of malware that produces a “fake off” mode in Samsung internet-connected TVs, effectively turning them into good old-fashioned bugs. “Get Smart”, anyone? If you’re old enough to remember. Paging George Orwell: Big Brother has finally arrived. A talking head on the NBC Nightly News said that to protect yourself you should simply unplug your TV when you’re done watching. Sure, OK.

Who done it?

It’s little consolation that the docs containing code for these cyber tools apparently haven’t been released in their entirety. The fact that the world has been alerted to their existence is enough to undermine much of the effectiveness of both the tools and the tactics. And you can bet CIA brass is scrambling to find out who is responsible for the leak, which appears to be massive. Two possibilities exist: a disgruntled or whistle-blowing insider, or could it be… the Russians! Who better to blame than those scary Russian hackers?

My money is on a CIA insider. Neither the NSA nor the CIA has been successfully hacked to my knowledge, other than their websites and some email accounts. A full-on data breach like the Target or GAO breach has yet to occur, and if it did, well, shame on them. Data exfiltration executed by an insider is really tough to prevent, let alone discover. It’s only when the data is leaked, as in this case, or held for ransom that the victim is even aware that the exfiltration occurred.

Ethical Issues

Even less consolation comes from knowing that these tools were used in support of cyberespionage campaigns directed at Europe and South America. Having them fall into the wrong hands could easily turn the tables and have them pointed at U.S. citizens and government agencies. Perhaps it’s a false equivalency to compare these tools to chemical and biological weapons, but the potential for unintended infection exists, and ethical concerns arise. Some argue that “enhanced interrogation” techniques such as waterboarding are justified to protect the homeland from terrorist attack. It seems a similar argument can be made for tools that are dangerous and vile when directed at innocent victims but justified when applied against America’s enemies.

And lastly, there’s a political angle to this story: it seems the CIA has curated a suite of malware created in Russia, with all the signatures of having originated in Russia. The potential to use these tools to create a “false flag” incident is available to anyone so inclined. Regardless of whether anyone in the U.S. government directed the CIA to conduct such a campaign, the timing of this release by WikiLeaks, as the drumbeat grows louder for a special prosecutor to investigate Russian government interference in the 2016 U.S. election, is curious. Let that one sink in for a millisecond while you tally up the Easter eggs I left for you.

Demystifying Modern Sorcery (Coding)

90s kids thought that this was what programming looked like…
Coding (or programming/black magic/delete as appropriate) is one of those things everyone talks about, acknowledges that everyone needs to know something about, but barely anyone actually does. Coders have this weirdly conflicting aura; they are the kingmakers, modern day sorcerers who, with seemingly an incomprehensible wave of the hand, can conjure a piece of software out of thin air, and in many cases, a billion dollar IPO at the blink of an eye. Yet at the same time, there persists the stigma of a loner nerd with dark rings under his eyes, eliciting vast worlds from his fingertips yet barely able to keep a conversation going after the first sentence. Is this image problem accurate in these days of teenage billionaires?
Some time ago, I started thinking that I should learn how to code, because one thing is clear in 2016: much of how the modern world works depends on lines of code and people with the ability to create it. Unfortunately, perhaps the combination of its seemingly high barrier to entry (do I need to be brilliant at maths? Do I have to be a savant? Those numbers and symbols and colons look scary) coupled with the aforementioned image problem might be a little off-putting for many, despite the almost limitless job prospects and high salaries.
I have no problem being around nerds since I am one myself, so that poindexter cliché never mattered to me anyway. Coding, though, was something I always presumed was forever out of my reach. It just looked so alien, like descending into an ancient cave and stumbling upon some lost civilisation’s hieroglyphics. Code is a pure kind of distillation of logic, and our common spoken/written languages rarely adhere to logic because they’ve been devised, deconstructed, remodelled and butchered according to our needs over thousands of years. Coding languages do not undergo this process of entanglement; they iterate based on what might make them work better or more elegantly, always with their end game in mind (i.e. whatever they were designed to work with, whether that’s an ugly database or a lovely piece of software with a beautiful GUI).
…and this was what a hacker looked like
It was this article from Lifehacker that made me want to give it a go, so I took its advice and plunged headfirst into Zed Shaw’s freely available book, deceptively titled ‘Learn Python the Hard Way’. Shaw’s withering, no-nonsense approach to the fundamentals of code has allowed me to drop all the fear and magical thinking I had built up about what is essentially an exercise in learning to apply logic, solve problems, and become adept at proofreading my own work. Yes, it gets increasingly difficult and complex the deeper you go, as with any new skill, but Shaw manages to be both a reassuring and a strict master, telling us not to worry if a piece of code makes no sense right now, but reserving no sympathy for anyone who tries to shortcut their way through it either.
I can look at a clump of Python code and at least have a grasp of what it’s trying to achieve. I mightn’t be quite ready to churn out the next Windows, but I’ve moved past that sticky point where it all seemed crazy hard and confusing to feeling like I actually know what I’m doing. I remember watching this video about why people should learn to code, in which Gabe Newell recalls the first time he ran a piece of code that produced the words ‘Hello World’ on a console. That tiny spark of creation is the magic inside code at work, and if you want to think of it that way then I would recommend reading this article on why coding is so often compared with magic, which hints that computer code may provide more clues as to the nature of reality than we think.
Here are some great resources for fearful coding n00bs like me:
  • ‘Learn Python the Hard Way’ by Zed Shaw, available for free here
  • Code Academy, which offers free courses on many languages with an easy to follow, gamified learning system.
  • Google’s Python Class
  • Github – a repository for programmers to store and share their open source code with the world. Worth a rummage to find beginners’ projects, figure out what others are up to, or just see what kinds of things are possible
It might take years to become a whizz kid programmer extraordinaire (at which point I’ll more likely be nicknamed something like ‘that old whizz man’), but my point is that learning enough to at least know what the hell is making everything happen is nowhere near as abstract as you had built it up to be.