OSCP: The chain to loot

piratSo you want to be a super evil pirate ninja leet hax0r ??

Well seems so, because even after I finished my oscp I still get some dm in the oscp forums and even direct email about “ Well my exam is tomorrow .. plz help”.


Well so you want the evil super s3crät l00t ? So you need to know the super s3cr3t sectret:


The Exploit chain.


The chain consist out of the following links:

The exploit

The recon

The delivery

The payload

The receiver


Let’s talk about the solitary pieces of the chain, shall we ?

The exploit

Well everybody is always crazed out about this super evil 0days.

So you are a super script kiddie who got a mad super s3crit exploit from his friends in this dark irc channel and owns now 1000 shells around the world. Great could you please step in this corner over there ? Great .. so you are this super pro nsa hacker with his pre packed ethernalblue exploit .. great step also in the corner … Ohh so you are one of this elitist guys from the offsec irc preaching that using metasploit is bad and only handcrafted manual exploits from your grandma are the real deal . .well you know where the corner is.

We don’t care about the exploit in this article .. because if you master the rest of the chain the exploit is the most unimportant piece of all. It is the weakest link of our chain. A exploit can and will fail, after all you are using a buffer overflow or some other bug in your targets software. So you are quite likely to crash or break something. If the rest of your chain is not secure well .. no shell for you.


The recon


Let’s use a Lego analogy again: You say you want a Lego brick. Great which of the 51k possible different types do you want ? https://www.bricklink.com/catalogTree.asp?itemType=P&itemBrand=1000  That is the reason why I made so much fun in the exploit part, imagine how much different configurations a international company with different offices around the globe has ? I bet more than a easy 51k possible versions 😉 So any more information you can get makes the job easier. So if you say a gray piece I could ask you wich type of gray https://www.bricklink.com/catalogColors.asp?utm_content=subnav Light bluish gray, Dark Gray, Light gray etc etc 😉 Any information about the age of the piece ? Because different years had different types of gray (like say Windows or Linux OS have a release date, so if you know the version of say IIS or Apache you can tell which OS will be the most likely one). PROTIP: Make a list of Apache, IIS , Windows and Linux Versions and their release date. Quite handy now and then.

You can get more precise of course, so if you say slope 2×1 with a 2/3 cutout in light bluish gray .. well we are in business. Same with a precise version number of a software. Makes finding the right exploit easier. Or finding all hidden pages on a webserver, or even the Tomcat administration interface with the default password. Good precise recon is the key to a good chain to a shell. Any information you can present in a structured way makes your chain stronger.


The delivery

What do I mean with delivery ? Well you might have a cool RFI thing on that server you are attacking but if you can’t debug your own webserver and make sure that that super evil payload is actually delivered to the target. Or if you don’t deactivate all scripting on your server you might get another shell than the one you expected. So make sure you can debug all ways you want to deliver you payload to the target. Make sure you go through the upload filter or that your payload has the right format to be working in the website etc. Or that you have the right url encoding for your sql payload etc . Or if you use a exploit script you might want to make sure with wireshark or tcpdump that the exploit actually send something to the target. Make sure that you can take the stuff you want on the target to the target. If you can’t insure that you can have the fanciest vulnerability on a server if you can’t reach it.

The payload

Well you have a fancy exploit but you let the default payload in it and now calc.exe is open on your target. Great work. You might want to be able to pick the right payload for the target. Know the difference between staged or unstaged payloads are in msfvenom. If you are in the labs it might be a good idea to spent time with a working exploit in metasploit and try every payload on the target. Make a list which payload works best on which os. What ports are working most of the time because they are open on most firewalls ? Knowing how to debug a payload or use the payload to ping all the open ports etc. Make sure you can verify that a payload is working. Juggling to many unknowns  is a disaster. Have you ever tried to solve a math problem with 5 unknowns ? It is harder than solving y=2. Just saying that you should also be able to make sure that you can pick the right payload, the right port to connect back to you and be generally able to debug your payload.

The receiver

Well the receiving part is a chain link which is often overlooked by many people. But think about it: It would be really shameful if your firewall kills the incoming shell … wouldn’t it be ? So you should be able to debug your end of the connection. Also it is common to try to catch a encrypted payload connection with nc. It can be done but not with the default settings you might expect. There is a reason why I set up msf/exploit/multi/handler for every payload. This way I can have one thing all the time I can practice and debug and have a proven method of handling my shells without fear of nc crashing on the first attempt and me forgetting of restarting it again etc.


So that was my introduction to the magic chain to the loot.


As usual feel free to give me feedback.


Greetings ucki


Scripting my way through the OSCP labs …

My way through the PWK course was, in retrospect, clearly divided in 3 phases.

In this blog I will gve a ovierview over all my scripts and tools I build during the course and I will give some information about my progress through the labs. My time in the labs was dominated by a 7 month break (because of a new job).


Phase 1: Keeping my Boat afloat and scripting all the things …

My first phase (2 months roughly) was dedicated by my own hubris. I had enough experience in the IT-Sec field .. boy was I wrong 😉 I had my little boat and everything was dandy. I had to many targets so scripting my enumeration was a logical step.I looked into different enumeration scripts.

My absolute faforite was this:


Second place was sparta (also written by a student during the oscp course by the way).

But both of them were not modular enough for me. So I build my own recon pack.

Version 1 was this: https://github.com/ucki/URP It worked quite fine (Explanation for the pack is here: https://0daylego.wordpress.com/2016/05/08/when-reality-clashes-with-ideas-another-blog-post-about-enumeration-presenting-urp/

After using it for a while I found the naming etc not perfect so I build https://github.com/ucki/URP-T-v.01

Well I failed the exam and started my new job .. so I had a 7 month break. And followed by phase 2:


Phase 2: Making the boat better and working on details.

In my second round I found a little private community (join up techexams and then you will find it) and it helped a lot to have other persons struggle with you. Sounds silly but you keep sane this way because you learn that you are not stupid and other persons have also trouble. Most persons don’t blog about failing the OSCP. You read more storys like “yeah I did it in 4h, was a breeze” than “OMG I FAILED SO HARD”.

I had a smaller target pool so I tried more to learn more about manual scanning and a more thoughtfull way on doing things. Slowly and deliberate so to say. While I still built stupid little scripts like that to list all win local exploits in metasploit https://github.com/ucki/lazypentest and everybody was joking about my bad scripts, I was actually doing most of the stuff by hand. Only if I always forgot the parameters etc for a tool I would write a little wrapper to make my life a little bit easier and more comfortable. Like this one here https://github.com/ucki/multipass to generate a folderstructure with exploits with only giving your local host ip. The basic Idea came from unfo (greetings mate) but I took the laziness a step further and also included a variable for the ip and some php stuff. So setting up shop with a new ip was easy. I also wrote some set up notes, they grew over time to a little cheat sheet and command reference: https://github.com/ucki/umpf


Phase 3: Getting down all the TECHNICs

My 3rd phase was dominated by redoing a lot of my older hosts, and actually learning a lot from other persons. Just by picking up new ideas from our shared link list etc. While I only did a bit around 60% of the lab machines (around +-10% or so .. ) and skipped all of the BIG NAMES I think I learned more in my last machines because I thought a lot about red herrings, false positive detection and reporting than on a lot of the easier ones were you just fire and get your root.

During that time I finished my lab exercise report (ok technical while in phase 2) and I practiced reporting with EVERY machine I rooted. During that phase I also learned that my skills in note taking were less than optimal. So I started to write the report and notes right into my reporting framework. https://github.com/ucki/zauberfeder Even if that meant to clean up 100 pages of notes and to cut it down to a 2 page report on some of the more deeper rabbit holes …. My cheat sheet also grew during that time and I finished my multipass multi payload msfvenom encoder. This gave rise to the name “uckivenom” and the chat always trolled me with my scripts. But that escalated in a different way and is a total different blog post. 😉

As a bonus I include a list of stupid mistakes. Not including the idea to write a blog in the first place 😉

Snip from a forum post of mine:

So here is a collection of stupid errors I did .. if I remember more I will post more.

1) Meterpreter shells are cool .. but just give you gibberisch if you try to catch them with a nc listener

2) Staged payloads also require a next stage and not nc

3) Never assume anything

4) Trust your guts

5) Don’t trust your feelings enumerate better

6) If you want to wget something from your machine first make sure that apache is running

7) If you want to load a php webshell from your server make sure that php is not running on your box .. or you found a complicated way to your local root .. congratulations

8) If you want to transfer a file make sure that the folders are the right one

9) If you transfer stuff you might have to check permissions .. that includes your own box

10) Don’t switch up LHOST and RHOST

11) If you work on exercises and something is not working .. REDO EVERY step .. might be that you just skipped a step earlier and reskipping doesn’t improve the situation

12) When scripting stuff / coding exploits etc always put out intermediate results etc in the command line or echo it into a file so you can see where your script breaks

13) Check your path in your scripts .. might be that you are to stupid for backslashes etc

14) The offsec pdf is great for copy pasting commands ..exept for the moments were the stupid encoding screws you over

15) Build your own copy paste command list and cheat sheet .. just to have pdf encoding screwing you over again

16) Copy your commands from the source of the pdf .. till your comments in the source screw you over.

17) If using wordlists check the encoding before running it .. the german wordlist as example is worthless if ö is encoded as ~3 or so ..

18) Check your encoding from your hashes .. if you forget one part of the hash you GAINED a lot of brute force time …

19) Safe your vm .. really I have used up 5 vm images during my time

20) make a list of all installed tools etc to have easier time reinstalling

21) Learn how to take USEFUL notes .. Tip: A Page with a big WIN across the page captures the feeling of a local root perfectly but might be hard to redo it afterwards if that is your only note …

OSCP and SPACESHIP – The final Review

Finally: SPAAAACCCEEESHIIIPP ahh yes and OSCP -Final Thoughts and review.

Ok guys finally after sitting on my shelf and collecting dust in the box for nearly 9 months it was finally time for the SPACESHIP SPACESHIP SPACESHIP !!! I bought it shortly before I did my first exam try (left over stock .. quite rare) to motivate me. You know saying to myself I will build it next week when I have my OSCP. Well didn’t work out that way. So last week finally I had the chance to build it.


So finally I have my certification. Lets do the final review on the course. This will be a series of two blog posts. In this post I do the review and in the next one in the following days I will give an overview over my tools and cheat sheets I produced during my time in the labs.


So to the review:

First off this certification is the one I’m most proud of. Not getting the naval officer qualifications to navigate warships (ok was a cool one) or my firefighter cert and other professional certifications. This cert is also the cert were I hated the experience most.

spaceship-1The point is OffSec is not a teaching company. They are a pentesting company offering some pentesting training. If you pay a teaching company you will get persons teaching you stuff, answering your questions and with a bit of luck you will leave the course with a cert and maybe you will learn some valuable lessons.

To paint a different picture: If offsec would offer swimming courses, they would drop you into a cold pool. In my first review I used the diving licence as a picture.

While I hate this type of teaching I value the lab so much. The cold pool so to say is a very nice one .

And for the teaching you have to learn for yourself. And I can only recommend to get some friends or other people around you (be it in real live or via the internet) to turn you in the right direction now and then. It might sound stupid but my new job helped. In our it sec department we have one guy with oscp and a bunch of people having failed to get it. This helps with the morale, after two failed attempts I was doubting myself. But realising that this cert is hard it helped a lot.

Overall I LOVE THE LABS !!! will resubscribe in the future to test and learn a bit more. And thanks to all the people chearing me up in real live and in the dark back rooms of the internet. Thanks a lot !!

Thanks offsec (and also thank you to give me the nice chance to troll you back with a nice aprils fools joke 😉 )


And if you go into the labs . .remember here be dragons


Attack on Fort Clara

So a while back I wrote about a Lego Fort:  https://0daylego.wordpress.com/2016/04/14/spoiler-free-spoilers-what-lego-tought-me-about-it-security/


Now today we go through a way how some pirates could attack the fort. This is a spoilerfree spoiler to a real machine I wrote a report on it .. if you see how it works you might have done the same machine. Because some of my pictures are more a riddle than a spoiler 😉 So here we go.


First our pirates do a little recon on the fort.


With all their informations they go to the wise island magician who knows all the good tricks. From him they get a all seeing telescope …

With that telescope they can see everything on that fort ….


With that information it is easy to find some stupid soldier ….


as wich they can disguise …


to deliver their evil dynamite ..


but unfortunatly dynamite is not allowed on the fort …


so they need a flimsy disguise for the payload .. so they can put it on the fort to trigger it later with another method ..

and game over …attackonfortclarie-9

OSCP: The travel to local privilege escalation

So I wanted to write another “standard operations procedure” blog. And then it hit me .. the whole process of hacking host was familiar to me. As you might know I spent a year travellingand the whole thing is like traveling. Bear with me:

First you pick your target, read a bit about it etc .. then you try to cross the border. Have some nice chat with the immigration officers, duty & customs etc etc. Try to convince the security that you can have indeed a knife in your hand luggage etc .. You know the most annoying part of the whole thing. You spent most of your time just crossing that damn security measurements. You know all that circus we all know stopping nobody trying really hard.

Same with a host. You know you will likely find a way around every firewall with enough time.

After you arrived at your destination, still annoyed from all the hurdles you had to take you will find a place to make yourself a home. Nothing fancy just a little spot to rest and take a look around.

You might not have all the best things you might want.

So you look around and search for a better place, get some more infos … and after a while you learn the local language, find the best spots .. and finally own that place ..

Same in the pentesting world:

-First you get in

-Find a folder with write permissions

-Look around if your place has some execute restrictions (mount)

-Get your tools in place and enumerate locally


You see it is all about the journey 😉

Greeting Ucki



Spoiler Free Spoilers: What LEGO tought me about IT-Security

After watching unfos last vlog https://localhost.exposed/2016/04/12/path-to-oscp-appendix-a-how-to-ask-for-help/ I decided that I need a blogpost to help people without bringing myself in the danger of making OS angry. So here it is. A spoiler free spoiler page. Remember kids, I have no materials from OffSec, I have no clue how the lab looks like. So I CAN’T help you with SERVER X. And this blog is just about LEGO, if somebody gets a nice idea for the labs. Well this is your idea congratulation. I’m talking about LEGO here. Just to be clear. No lab discussion here. JUST LEGO !

So lets assume I give you a LEGO Set number. What can you do with it, without any knowledge at all ?

Here it is: LEGO 70412

Well lets google it ….


What did we learn ??

Its the Soldiers Fort. The last bastion of the brave Imperials against the scurvy Pirates.

bild11 cannon and one small stud shooter, armed guards jada jada.

Did we learn more … lets have a look here. It seems there is a website listing all the nitty gritty details of every LEGO set.


Number of pieces, ohhh it is from 2015 and out of production. MMM

bild3Seems like LEGO doesn’t support it any further.

Lets dig a little bit deeper on that website.

Oh here we have product reviews.


It seems that there are some older folks, who think that this new version of that pirate theme is just a money grab and just flashy and the old version is better. I guess there are people around still displaying the old version and being proud with doing it so. Lets write that fact down. And of course all the other nice little details we found. Like that you can discover the old sets, because the Imperial Soldiers had Red Shoulder pieces, well except for that short period with red uniforms.


badaboomAnd that this new cannons pack a better punch then the old versions. So the old version seems to be a easier target. But we are just interested in this set for the moment. But anyways good little details to know. Just in chase.

Lets see what the manufacture has to say to that set.


Well a bunch of measurements.



Every little detail about this product in a handy pdf. How every brick fits into its place. How helpful. Lets have a look at this pdf .. well looks nice, building building. Well that steps looks weird. I bet a lot of folks get that wrong. How handy that wall from the prison cell can be pulled out. So a backdoor for the prison. How handy. What could possible go wronig the bad guys know about it ?? Hey there are no backwalls. So our mighty fort is totally open from a attack from behind. How handy.


So we figured out some ways to attack it. We identified some possible misconfigurations of that set. And this without even touching it. Nice or ?

And as always in lego, you just could tear everything apart and try to build it in a slightly different way. Or just look at every piece for itself. Like the arches in that set. They are the new version ..



so there are some differences compared to the “classic” version. Will it help us .. maybe.

Just saying. Sometimes just looking at one piece of the puzzle help a lot. Just make sure that THIS ONE PIECE is the right one for your set. If I use the old one or wrong one the whole set will not work.

So much for LEGO Post 1

Greetings ucki

(guess which set I build yesterday)

The right mindset: Pirate Ninja

Yesterday I joined the irc channel to the OSCP course the first time. And I noted one thing. Maybe all the recommended books are wrong. I mean “the red team field manual” is a cool book for example. But one thing I missing in all the book recommendations: the right mindset. I actually somehow got my first shell, without being in the lab. But my talking about the book I was talking about got someone the right idea …

That course is about hacking .. but what is hacking ?

Entrance of the PIRATE NINJA !!!


I’m talking about https://en.wikipedia.org/wiki/The_Martian_%28Weir_novel%29 the martian.

It is one of the best hacking novels in the last time. Hacking is about solving a problem in a unusual way. And heck in that novel are some pretty dam nice hacks.

Just think about it, it is all about solving a problem .. I can teach a person some nice 0days .. but to be honest they are tools, like a hammer or a screwdriver. It is the mindset which solves the problem.

Some my greatest hacking heroes never used a computer.

Ernest Shackleton https://en.wikipedia.org/wiki/Ernest_Shackleton used his great skills to keep his crew alive .. just read it up. Great problem solving and team leading.

Right now I’m watching again the Mythbusters.

So much tinkering and great problem solving.

And so much great quotes: “Everything worth doing is worth overdoing” “When in doubt C4” etc.

Just think about it .. maybe it is worth more to have the right mindset then to have read that batch scripting book.

Hera a little list of “getting in the moode stuff”:

-The oceans eleven triologie



-The martian

-Iron man 1


Greetings ucki


EDIT: http://blog.codinghorror.com/separating-programming-sheep-from-non-programming-goats/

Prepwork: Latex reporting.

So a little update for my preparations.

I try to get into the old hacker mode … Right now watching some episodes of mythbusters. That glee of destruction of exploration.

I started reading other persons blogs and found some of their old recon scrips etc.

To be honest I don’t like the idea of scripting my basic recon.

A nmap OS-Discoveryscan is nothing I would run so often that making a script would save me much time (I mean nmap -arguments is not to hard to type).

You might know the xkcd comics:





But a place were automation helps me: Latex …

My report setup is right now:

OSCP Mainfolder (aka workingfolder)

→Report Subfolder


→Subfolder for each host (Folder Names 1 till n)

→Screenshots (in each host subfolder)

My reportfile sits in the Report Subfolder. Each Server etc gets its own folder were I document all my findings in a *.tex template. Host 1 gets folder 1 with host1.tex. Simple.

A Script in my report pulls the “hostreports” into the report.

Sample code would be :

\foreach \c in {1,…,2}{\input{\c/host\c.tex} }

That pulls the file 1/host1.tex into the report. I just have to set the number of the host I found and need to report on.

Inside the Hosttemplate I now have the “reporting template from OS” .. well also the screenshots are imported automatically.

Sample code:

\foreach \x in {1,….,13}

(minimal image import, will do it a little bit more flashy)

You know each screenshot takes 5 seconds to import into Office. Then maybe 5 second to resize. This makes 10 seconds per screenshot. 10 seconds x number required screenshots x number hosts = worth the time.

Caveats right now:

-I have to set the number of reports

-I have to set the folder in each host*.tex for the graphics. So the number of screenshots and the foldernr.

After all not to bad for the first time using a complicated latex multi part document. Right now I’m thinking about using the subfile packet (which would allow easier writing) or not .. well we will see.

Greetings Ucki

Time vs Effort vs Noise

Well yesterday I spent some time reading up on the recon phase.

Again everything with a grain of salt and some Sherlock Holming ;).

First, I was thinking about this blog. I really like the vlog style of jw. But on the other side searching for a webcam in my electronics bin and uploading videos = EFFORT. Well so I have a topic for today. And I will keep this rambling, direct out of my mind style. Just need to make sure that I don’t sound like yoda to much.


AAAANNNDDDD back to the blog.

Recon is quite important. Ask any military person. But they will tell you also about the concept of the “fog of war”. https://en.wikipedia.org/wiki/Fog_of_war Most people will think back to Starcraft, and yeah just send a unit over there and the fog will be gone. But that concept falls short. The fog of war is caused by two factors. A leader without any information about the enemy is useless. A leader with detailed information about every fricking detail of the enemy is also useless.

Actually if you didn’t read him … do it NOW ! read up Sun Tzu (or all the other transcriptions of his name) “The Art of War” https://en.wikipedia.org/wiki/The_Art_of_War

There are so many great quotes to link here .. well have some.


Managing the level of information is critical for military forces. That is the reason why there are “Information management officers” etc …

So we learned that too much informations are as bad as too few. First lesson of the day done.

Next up is our time problem. In the exam I will have 24h. A recon phase lasting 25h is useless. So ever script and every action has to be quick. Again “Move swift as the Wind and closely-formed as the Wood. Attack like the Fire and be still as the Mountain.” Sun Tzu. Great guy .. back in the old china, around 2500 years ago writing about recon in a pentest. Visionary guy or ?

Well if the quote is general enough you can hammer it in place 😉

Coming to the effort. Ever heard from the 80:20 rule ? 20% of the effort netting 80% of the results ? https://en.wikipedia.org/wiki/Pareto_principle I will spare some nice formulas etc (otherwise I had to install a LateX plugin here or so .. EFFORT). In short 20% of th work will usually net you 80% of the results. That is the reason why a smart student will not study blindly .. it is much smarter to identify which 20% of the material of the course will net you 80% of the answers (assuming you need 70% to pass the test).

Ok now mix everything together and come back to our recon problem.

Do you ever tried nmap with all flags .. against the internet, on all ports. No don’t do it. If you do it your result will be :

a) Depending on your country, a nice visit

b) A totally useless dataset

c) A really long scan, taking ages

d) all of the above

My goal is to identify the scan, with 80% of my NEEDED informations, in the minimal time with the minimal effort. You might ask : “What about this super duper hidden, hardened, ninja SPEC FORCES OPSEC MILITARY GRADE NSA SUPERCOMPUTER”

Well first: My Sherlock Holems power tells me that the lab will try to mimick the real life. And every family has the akward cousin Steve. You know that stinking dude you just have to invite because of family reasons. And every network has the unpatched Win XP machine (or equivalent). You can’t patch stupidity. And if you know what your “normal” network looks like you can find your super special SPEC FORCES. Yeah even if the military the super douper secret guys will be easy to spot. If you have 5000 soldiers running around and this one guy being “TACTICOOL” with desert uniform etc, while all the other dudes wear woodland ?? Let me guess what ? SPEC OPS … being “special” will stand out as long as you know the baseline. Just look up special forces badges





If you are “special” you will stand out.


Same for our hardened host, firewalls and honeypots. If I compare them to the akward cousin Steve they will act different. I have no clue how. But I know that I first want to meet Steve.

How do I get to meet him ? Well with the minimal nmap scan. Looking up the nmap documentation the top 1000 ports will net me 93-95% (TCP or UDP) . WOW .. compared to 65535 possible ports this is roughly 1/65 of the effort for over 90% of services.


Beat that Pareto !!!

Nmap is also quite good in guessing the OS. Of course not perfect .. but everything better than 0% is good in my eyes.

So my plan for day 1 of the lab time and the course so far:

1) Connect to the lab

2) Start a stopwatch

3) run a nmap scan netting me 90%+ services against the “normal” host, saving that in every possible format of nmap output (to test my nmap to latex workflow, to make reporting easier)

4) Download the course material

5) Get a estimate of my bandwidth to the labs, and how long a scan in my vm takes

6) Start drawing my network graph with the basic infos

7) Start reading

Looks like a minimal effort route. Because why should I start SCANNING EVERYTHING on day 1 ?? TO MUCH INFORMATION .. I will not be able to understand half of the output with a nmap -FULL GIVE GIVE GIVE scan .. .and it will take ages to read. Nice little information bites. 20% effort, 20% time, 80% information.

So far ucki

First steps and more SOP

So today I had the first contact with the labs. Connection test done, VM image downloaded and fee paid.

Little small things I also did as a SOP.

1) I changed the passwords on the VM .. obvious.

2) I changed the Background Image on my Host and on the VM. Might sound silly. But having a different colortheme going on helps actually to differentiate the different machines. While working I found it helpful to know on which server your connection was. Machine Red, Blue etc.

3) I worked a little bit on the post exploitation phase. Might seem silly. But I have a forensic background. So normally I don’t work on exploits. But I think I can look through files 😉 And I don’t want to look like these stupid criminals.



I mean there will be a situation were I will break into a server during this course. I mean that is the whole goal in that lab. So my list for after the fact is so far:


Of course I have to make this list for each OS I will encounter.

Assuming I have a root shell what should I do ?

1) Persistence

I want to stay .. so persistence is needed. Basically it is a admin task. Adding a new user with root, maybe install some new programs or services. Basic admin stuff. I need to look up some of the commands. OS X etc …

2) The grab phase. What do I want. Lets start on my normal forensic checklist.

-userlist and hashes

-a list of all running processes into a file

-a list of all open network connections

-all important config files, especially for all the running services

-look around for other interesting files, especially ssh keys or stuff left behind from a attacker

-timeline Well I will likely not need a timeline of my attack for a judge .. WELL I HOPE SO 😉



So seems a nice start. Okay I will not upload a bunch of forensic tools to the “victim”. So I will have to think about how to exfiltrate the files. But the basic procedure is clear.

1) create a folder for each host

2) copy the files into their “normal folders”

3) Look through them or just run a dif against the “normal” config files to find interesting parts.

So far.