OSCP- The Deep Dive – A sort of review

Well, I’m coming to the end of my lab time. Ten more days to go. So this post will be both a rant and also a sort of review on my experience so far.

Well, to not spoil something I will use another metaphor. Let's talk about diving 😉

There are several ways to get your diving license. You could join the seals or just do a 2 day course in some holiday resort. One of the two options will maybe teach you something more about the limits of diving, dry suits, diving in limited visibility, technical diving and how to use a re-breather, while the other just gets you under water. But both will get you into diving.


Most tech certs I did were in the holiday pool category. Just do some courses in the path to MCSE with a major provider. It will be a week of PowerPoint warfare and after that you get a multiple choice test and you are a pro diver .. ehhh Microsoft expert.

On the other hand I did some quality courses with hpm (if you ever need a German forensics course: http://www.4n6.de/ ). While it was just about some tools, these courses were on the spot and just around the tools, with a lot of examples and practice.

Like when I did my dry suit brevet. I trained with my dry diving suit and got a lot of theory about dry suit diving. Deep diving course? A lot about the effects of pressure on your brain (hint: not too positive). A lot about funny ways to die with funky stuff in your pressure bottles etc. etc. And of course a lot of practice. And after that I got the tools and knowledge to dive deeper than most recreational scuba divers. And the insight that a lot of nice wrecks and diving spots are in a spot where I gladly would stay in the safe zones.

If you look into diving forums, everybody will give you tips (okay, if you are honest, some are just better ways to die) and banter with you.

How does the OSCP course compare to diving?

Well, imagine you sign up for a diving course. You are flown to one of the most beautiful diving spots in the world. Nice hotel, in the middle of the reefs. On the first day you are shown the facility, all the best diving gear of the world. You name the brand, they have it. Sounds cool, or?

Well, only problem: they show you how to use some parts of the gear (not enough for a proper training) and then say: “Well, here you go, enjoy”.

In my two months in the labs, I ENJOYED THE LABS, but if I’m honest I learned about the amount of stuff a good course would cover in a week. It could be a better experience with a little bit more guidance for the beginning of the labs.


Right now you just have a bunch of exercises with your personal VM, then you are in the wild. So basically going from the hotel pool into a seal course, where the instructor just dumps some guns and equipment in front of you and just says “see you in two months for your final exercise”.

This is actually not the problem of Offensive Security. It is a general problem of the IT security branch. Just have a look at these two essays: https://danielmiessler.com/blog/fixing-the-culture-of-infosec-presentations/ & http://grugq.github.io/blog/2014/05/11/the-episode-17/

Here we have the wiki page on the scuba training: https://en.wikipedia.org/wiki/Recreational_diver_training

A wiki page on pentesting training or on digital forensic training ? NOPE .. sorry .. it is still in the magic phase ….

How could you make the OSCP course better?? Well, just imagine that the course material would focus more on methodology .. and you would have a kiddie pool. So let's say 10 hosts or so where each vector etc. is described in the course material. And how to get to the attack vector from your recon output. Then a section with “good” exploits of the last years, and WHY they are good exploits from a pentester perspective.

Right now I will go to the certification test, knowing that I will fail without luck. After that I will do 1-2 months of vul hubs and redefining my tool chains, pre-compiling exploits etc. And after that, round 2 of lab time.

Because if you have pentesting experience you will love the lab, but if you are from the IT security management side, with your last pentesting experience a while back, well, you will get better mileage out of a good book first.

Greetings Ucki

The LEGO Hacking News Vol 1. 14.06.2016


Hello, good evening, welcome to the LEGO Hacking News, where we cover LEGO and IT security news. Because we can …


As you can see the LEGO people in the park set is finally here.

Other news: There will be a VW Beetle set coming soon. http://brickset.com/article/22070/10252-vw-beetle-press-release It is a nice contrast to the Porsche set released earlier this month: http://brickset.com/sets/42056-1/Porsche-911-GT3-RS

Hacking & IT Security news and thoughts:

Microsoft bought LinkedIn http://www.theregister.co.uk/2016/06/14/welcome_to_the_microsoftlinkedin_apocalypse/

While that piece from The Register is troubling enough, there is other news.


There was a nice leak of a lot of LinkedIn passwords. And Microsoft wants to make LinkedIn a central feature of their “services”. Think about it. Maybe we now sit on 30something million passwords for computer systems. Just look up who is the CEO of a company, suddenly domain admin. Troubling idea.

Also this will mean that the statistical insights in passwords we have due to the LinkedIn breach will maybe transfer into domain passwords.

Also concerning Microsoft: In my previous blog I wrote about combining forensics and pentesting. After thinking a while over Win 10. Well, where is the difference between Locky and Win 10? Well, with Locky you get at least a nice GUI for getting the key for your files back.

Ok folks so far for the first installment of my random thoughts about the last days.

Greetings Ucki

OSCP: Forensics and Pentesting combined: Dark mad science.


While sitting in the lab and helping a friend with some forensics, I had a bad idea. I mean seriously troubling.

First off, let's start with EVE ONLINE, this nice cozy game. In the lore they use human cadavers to build empty human clones; when you die in game your brain is transferred to an empty shell and you go again. https://community.eveonline.com/backstory/scientific-articles/cloning/

Second thing: In the world of police, government and forensics there are methods to acquire a machine for forensics and evidence etc. Normally you would use a format called EWF. But some tools also just do a dd dump. And it is not unheard of that you use a network to send or acquire this evidence. In the world of forensics there is this nice tool called xmount. This nice thing allows you to mount an EWF or dd image as a vmdk and then boot it with your favorite virtualisation solution. Normal day work in forensics. (Side note: with qemu-img convert -O raw source.vmdk /target/drive/image.dd you can make a dd out of a vmdk.)

Now let us think about pentesting. During phishing etc. you clone a website. But think about it for a second. With phishing etc. you clone the website of a target. Well, how about just taking the complete network of the customer and just virtualising their stuff. You know, suck them totally into the matrix. Even the website admin could log in and just everything would feel more or less normal.

If you get a system shell on a victim you could run the normal forensic tools and just look for files not being the unmodified system files (there are databases for this). Grab all of them and then just put them on an empty shell clone of the victim. Or just grab everything and build your VM from there.

Just a troubling thought .. steal the enemy cloud installation, put them on your own and then redirect them to you … just mad science …

Greetings ucki

OSCP: Shorty: Easy VPN

Just a quick thing: you can edit the connection file of the lab VPN to include your password, so you can automate the system and VPN startup. Just a little less typing …

Include the line auth-user-pass auth.txt in the .ovpn config file. The auth.txt file is the username on one line and the pass on the next one. Easy peasy. Not super secure, but well … effort and such ^^
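
The setup above as a small script, with the credentials file kept owner-only since it holds the password in clear text. This is an added example, not part of the original post; lab.ovpn, the remote host and the credentials are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. lab.ovpn, auth.txt and the
# credentials below are constructed placeholders.

# Write the two-line credentials file (username, then password), owner-only.
write_auth_file() {            # $1=path  $2=username  $3=password
    ( umask 077 && printf '%s\n%s\n' "$2" "$3" > "$1" ) && chmod 600 "$1"
}

# Put "auth-user-pass <file>" into the config exactly once, replacing a
# bare "auth-user-pass" (interactive prompt) or an older file reference.
set_auth_directive() {         # $1=.ovpn config  $2=credentials file
    [ -f "$1" ] || return 1
    tmp="$1.tmp.$$"
    grep -Ev '^[[:space:]]*auth-user-pass([[:space:]]|$)' "$1" > "$tmp" || true
    printf 'auth-user-pass %s\n' "$2" >> "$tmp"
    mv "$tmp" "$1"
}

# Succeed only if group and others have no permission bits on the file.
auth_file_is_private() {       # $1=credentials file
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Demo in a throwaway directory with a constructed config.
demo() {
    d=$(mktemp -d) || return 1
    printf 'client\ndev tun\nremote vpn.example.invalid 1194\nauth-user-pass\n' > "$d/lab.ovpn"
    write_auth_file "$d/auth.txt" 'labuser' 'constructed-password'
    set_auth_directive "$d/lab.ovpn" auth.txt
    grep '^auth-user-pass' "$d/lab.ovpn"
    auth_file_is_private "$d/auth.txt" && echo "auth.txt is owner-only"
    rm -rf "$d"
}
demo
```

OpenVPN resolves a relative auth.txt against its working directory, so start it from the directory holding both files or use an absolute path in the directive.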