Time vs Effort vs Noise

Well, yesterday I spent some time reading up on the recon phase.

Again, take everything with a grain of salt and some Sherlock Holmesing ;).

First, I was thinking about this blog. I really like the vlog style of jw. But on the other hand, searching for a webcam in my electronics bin and uploading videos = EFFORT. Well, so I have a topic for today. And I will keep this rambling, straight out of my mind style. Just need to make sure that I don’t sound like Yoda too much.

AAAANNNDDDD back to the blog.

Recon is quite important. Ask any military person. But they will also tell you about the concept of the “fog of war”: https://en.wikipedia.org/wiki/Fog_of_war Most people will think back to Starcraft: yeah, just send a unit over there and the fog will be gone. But that concept falls short. The fog of war is caused by two factors. A leader without any information about the enemy is useless. A leader with detailed information about every fricking detail of the enemy is also useless.

Actually, if you haven’t read him … do it NOW! Read up on Sun Tzu (or any of the other transcriptions of his name), “The Art of War”: https://en.wikipedia.org/wiki/The_Art_of_War

There are so many great quotes to link here .. well, have some.

Managing the level of information is critical for military forces. That is the reason why there are “information management officers” etc …

So we learned that too much information is as bad as too little. First lesson of the day done.

Next up is our time problem. In the exam I will have 24h. A recon phase lasting 25h is useless. So every script and every action has to be quick. Again: “Move swift as the Wind and closely-formed as the Wood. Attack like the Fire and be still as the Mountain.” Sun Tzu. Great guy .. back in old China, around 2500 years ago, writing about recon in a pentest. Visionary guy, or what?

Well, if the quote is general enough you can hammer it in place 😉

Coming to the effort. Ever heard of the 80:20 rule? 20% of the effort netting 80% of the results? https://en.wikipedia.org/wiki/Pareto_principle I will spare you the nice formulas etc. (otherwise I would have to install a LaTeX plugin here or so .. EFFORT). In short, 20% of the work will usually net you 80% of the results. That is the reason why a smart student will not study blindly .. it is much smarter to identify which 20% of the course material will net you 80% of the answers (assuming you need 70% to pass the test).

Ok, now mix everything together and come back to our recon problem.

Have you ever tried nmap with all flags .. against the internet, on all ports? No, don’t do it. If you do, your result will be:

a) Depending on your country, a nice visit

b) A totally useless dataset

c) A really long scan, taking ages

d) all of the above

My goal is to identify the scan that gets me 80% of my NEEDED information in the minimal time with the minimal effort. You might ask: “What about this super duper hidden, hardened, ninja SPEC FORCES OPSEC MILITARY GRADE NSA SUPERCOMPUTER?”

Well, first: my Sherlock Holmes power tells me that the lab will try to mimic real life. And every family has the awkward cousin Steve. You know, that stinking dude you just have to invite because of family reasons. And every network has the unpatched Win XP machine (or equivalent). You can’t patch stupidity. And if you know what your “normal” network looks like you can find your super special SPEC FORCES. Yeah, even in the military the super duper secret guys will be easy to spot. If you have 5000 soldiers running around and this one guy being “TACTICOOL” with desert uniform etc., while all the other dudes wear woodland?? Let me guess what? SPEC OPS … being “special” will stand out as long as you know the baseline. Just look up special forces badges.

If you are “special” you will stand out.

Same for our hardened hosts, firewalls and honeypots. If I compare them to the awkward cousin Steve they will act differently. I have no clue how. But I know that I first want to meet Steve.

How do I get to meet him? Well, with the minimal nmap scan. Looking up the nmap documentation, the top 1000 ports will net me 93-95% (TCP or UDP). WOW .. compared to 65535 possible ports this is roughly 1/65 of the effort for over 90% of services.

Beat that, Pareto!!!

Nmap is also quite good at guessing the OS. Of course not perfect .. but everything better than 0% is good in my eyes.

So my plan for day 1 of the lab time and the course so far:

1) Connect to the lab

2) Start a stopwatch

3) Run an nmap scan netting me 90%+ of services against the “normal” hosts, saving that in every possible nmap output format (to test my nmap-to-LaTeX workflow, to make reporting easier)

4) Download the course material

5) Get an estimate of my bandwidth to the labs, and how long a scan in my VM takes

6) Start drawing my network graph with the basic info

7) Start reading

Looks like a minimal effort route. Because why should I start SCANNING EVERYTHING on day 1?? TOO MUCH INFORMATION .. I will not be able to understand half of the output of an nmap -FULL GIVE GIVE GIVE scan .. and it will take ages to read. Nice little information bites. 20% effort, 20% time, 80% information.

So far, ucki

First steps and more SOP

So today I had the first contact with the labs. Connection test done, VM image downloaded and fee paid.

Some little things I also did as an SOP.

1) I changed the passwords on the VM .. obvious.

2) I changed the background image on my host and on the VM. Might sound silly. But having a different color theme going on actually helps to differentiate the machines. While working I found it helpful to know which server my connection was on. Machine Red, Blue etc.

3) I worked a little bit on the post exploitation phase. Might seem silly. But I have a forensic background. So normally I don’t work on exploits. But I think I can look through files 😉 And I don’t want to look like these stupid criminals.

I mean there will be a situation where I will break into a server during this course. I mean that is the whole goal in that lab. So my list for after the fact is so far:

Of course I have to make this list for each OS I will encounter.

Assuming I have a root shell, what should I do?

1) Persistence

I want to stay .. so persistence is needed. Basically it is an admin task. Adding a new user with root, maybe installing some new programs or services. Basic admin stuff. I need to look up some of the commands. OS X etc …

2) The grab phase. What do I want? Let’s start on my normal forensic checklist.

- user list and hashes

- a list of all running processes, into a file

- a list of all open network connections

- all important config files, especially for all the running services

- look around for other interesting files, especially ssh keys or stuff left behind by an attacker

- timeline. Well, I will likely not need a timeline of my attack for a judge .. WELL I HOPE SO 😉

So that seems a nice start. Okay, I will not upload a bunch of forensic tools to the “victim”. So I will have to think about how to exfiltrate the files. But the basic procedure is clear:

1) Create a folder for each host

2) Copy the files into their “normal folders”

3) Look through them or just run a diff against the “normal” config files to find interesting parts.
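An added example of step 3 (not from the original post): the grabbed files sit under their normal paths inside a per-host folder, and each one is diffed against the same path in a baseline tree of “normal” configs, with files that have no baseline counterpart listed whole. The sshd_config contents, the host address and the cron entry are constructed sample data.

```python
import difflib
import tempfile
from pathlib import Path

# Constructed samples: the "normal" sshd_config and the copy grabbed from one host.
BASELINE_SSHD = "Port 22\n# default hardening\nPermitRootLogin no\nPasswordAuthentication no\n"
GRABBED_SSHD = "Port 22\nPermitRootLogin yes\nPasswordAuthentication no\nAllowUsers steve\n"

def config_lines(text):
    """Drop comments and blank lines so the diff shows settings, not cosmetics."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]

def diff_config(baseline, grabbed):
    """Setting lines (added, removed) in the grabbed file relative to the baseline."""
    added, removed = [], []
    for line in difflib.unified_diff(config_lines(baseline), config_lines(grabbed), lineterm="", n=0):
        if line.startswith(("---", "+++", "@@")):
            continue  # unified-diff headers and hunk markers; n=0 gives no context lines
        (added if line[0] == "+" else removed).append(line[1:])
    return added, removed

def review_host(host_dir, baseline_dir):
    """Walk the files grabbed from one host (stored under their normal paths, e.g.
    hosts/<ip>/etc/ssh/sshd_config) and diff each against the same path in the
    baseline tree. Files with no baseline counterpart are reported whole."""
    host_dir, baseline_dir = Path(host_dir), Path(baseline_dir)
    findings = {}
    for grabbed in sorted(p for p in host_dir.rglob("*") if p.is_file()):
        rel = grabbed.relative_to(host_dir)
        base = baseline_dir / rel
        if not base.is_file():
            findings[str(rel)] = ("no baseline", config_lines(grabbed.read_text()), [])
            continue
        added, removed = diff_config(base.read_text(), grabbed.read_text())
        if added or removed:
            findings[str(rel)] = ("changed", added, removed)
    return findings

def demo():
    """Build the per-host folder layout in a temp dir and review the constructed host."""
    with tempfile.TemporaryDirectory() as tmp:
        base, host = Path(tmp, "baseline"), Path(tmp, "hosts", "10.0.0.5")
        for root, cfg in ((base, BASELINE_SSHD), (host, GRABBED_SSHD)):
            (root / "etc" / "ssh").mkdir(parents=True)
            (root / "etc" / "ssh" / "sshd_config").write_text(cfg)
        (host / "etc" / "cron.d").mkdir()
        (host / "etc" / "cron.d" / "nightly").write_text("0 3 * * * steve /home/steve/sync.sh\n")
        return review_host(host, base)
```

Each finding is a tuple of (kind, added lines, removed lines), so a changed PermitRootLogin and a cron file the baseline never had both show up without reading the whole file.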

So far.

Preparing for OSCP: SOP

Okay, first off: I will not spoil anything about the actual lab in this blog. Well, easy at the moment, since I have never connected to it so far. But I can put on my Sherlock Holmes hat and DEDUCE some information, and this is the topic of this post.

Second point: I’m not a native English speaker. I write this to give back to the community, to help me get used to writing reports in English and to structure my thoughts. It might be a little bit less than perfect. You have to cope.

Right now I’m preparing for this challenge (should start 1st May). Most people I read about would start doing CTFs, searching for exploits etc … I will go a slightly different route. Because most people I saw didn’t fail on the exploiting part. You fail this challenge because you miss information and you can’t cope with the pressure.

So two key findings:

1) I need a way to calm down. Give my brain a rest and power it down. Only if I’m mentally relaxed can I come up with brilliant ideas. Well, I found a way while visiting a friend and his kids. Look at the blog address and guess 😉 RIGHT, LEGO!! It is quite relaxing to build toys for a 4 year old. Just put the bricks in place.

2) I need to work in a structured way.

So I will start to define procedures for myself, which will hopefully capture all information.

Back at university we had lab rules and notebooks. Time to go down memory lane and start building some checklists. So far I have 3 in mind: an SOP (Standard Operating Procedure), a Pre Flight List and a Post Flight List.

The SOP outlines:

1) Keep it SIMPLE!!! It is more realistic that going on TV with your passwords will ruin your day than a crazy 0day. http://arstechnica.com/security/2015/04/hacked-french-network-exposed-its-own-passwords-during-tv-interview/

KEEP IT SIMPLE AND STUPID. Every solution has to be the lowest energy one.

2) Write everything down. I have a great idea how to do X? Great, first write it down, then test it. I have to look something up? Good, first write down the question. Then find the answer and WRITE IT DOWN!!! Keep a notebook at hand at ALL TIMES!! I don’t want to lose the random genius idea in the bathroom.

3) Be as structured as possible. Even if it looks painful at first: 6xP: proper preparation prevents piss poor performance

4) Check your body fluids. Make sure you drink and eat enough.

5) Every found password will be added to a list of known passwords.

My note keeping approach so far:

I went and bought two A4 notebooks:

One will hold my lab notes (engineer’s notebook)

The second one is for more general stuff. Actually the idea is to make a condensed “cheat sheet” notebook. So every step I have to take to gain root on a Win XP, for example. Hopefully during the exam I won’t have to search for ideas, just flip to the page.

I grabbed some flip chart paper. The lab will not be too big to draw a nice network graph by hand. I mean, I could use MS Visio or so. But EFFORT. Most simple solution: PAPER. I learned to make lines on paper as a small kid. Why should I spend brain power on a computer tool?

I started to build my folder structure. The basic idea is I have an OSCP main folder. Under it is all the reference material etc. and a subfolder DATE. Every day in the morning I copy all the stuff from the day before into a new working folder and rename the working folder from the day before to <DATE (insert current date)>. So I always have a backup of my working files and I have no risk of overwriting a critical file with garbage only because I was too lazy with copy-pasting a command. I make stupid mistakes, better be prepared for them.

I started building a LaTeX file parsing nmap etc. for the report. I made a “reporting template” for hosts in the lab. Each host will have its own *.tex file with basic info, exploits etc. So if I find something new, I will put it on my flipchart, into my notebook and will fill in the *.tex file. So actually I will generate my final report while using the lab. Or at least have the information.
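As an added example (not the author’s own LaTeX tooling), here is one way to take the grepable output that nmap’s “save every format” option (-oA) writes next to the XML and normal files and turn it into one LaTeX tabular per host, which is what the day-1 scan step and the per-host *.tex templates above need. The scan sample, the addresses and the hostnames are constructed.

```python
import re

# Constructed sample of an nmap -oG file (two hosts); addresses and names are made up.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 10.0.0.5 (steve.lab.example)\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1/, 80/open/tcp//http//Apache httpd 2.2.8/"
    "\tIgnored State: closed (997)\tOS: Linux 2.6.X\n"
    "Host: 10.0.0.9 ()\tPorts: 139/filtered/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds//Microsoft Windows XP microsoft-ds/"
    "\tIgnored State: closed (998)\tOS: Microsoft Windows XP SP2\n"
)
HOST_RE = re.compile(r"Host:\s+(\S+)\s+\((.*?)\)")

def parse_gnmap(text):
    """{ip: {hostname, os, ports: [(port, proto, service, version)]}}, open ports only."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # "# Nmap ..." comment lines and blanks
        fields = line.split("\t")  # gnmap separates its sections with tabs
        host = hosts.setdefault(m.group(1), {"hostname": m.group(2), "os": "", "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "OS":
                host["os"] = value
            elif key == "Ports":
                for entry in value.split(", "):
                    # port/state/proto/owner/service/rpc/version/ ; take the version
                    # field whole so a '/' inside a banner cannot shift the columns
                    parts = entry.strip().split("/", 6)
                    if len(parts) == 7 and parts[1] == "open":
                        host["ports"].append((int(parts[0]), parts[2], parts[4], parts[6].rstrip("/")))
    return hosts

def latex_escape(s):
    """Escape the characters LaTeX treats specially (service names contain '_')."""
    return re.sub(r"([&%$#_{}])", r"\\\1", s)

def host_table(ip, info):
    """One tabular per host, ready to \\input from that host's own .tex file."""
    rows = [r"\begin{tabular}{l l l l}",
            r"\textbf{Port} & \textbf{Proto} & \textbf{Service} & \textbf{Version} \\ \hline"]
    for port, proto, service, version in sorted(info["ports"]):
        rows.append(f"{port} & {proto} & {latex_escape(service)} & {latex_escape(version)} \\\\")
    rows.append(r"\end{tabular}")
    title = f"{ip} ({info['hostname'] or 'no name'}) - {info['os'] or 'OS not guessed'}"
    return "% " + latex_escape(title) + "\n" + "\n".join(rows)
```

Filtered and closed ports are dropped on purpose: for the inventory only the open services matter, and the unescaped underscores in service names would otherwise break the LaTeX build.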

Preflight checklist (so far):

1) Boot both machines

2) Grab something to drink.

3) Read through your lab notes from the day before, maybe you get an idea

4) Look at your flipchart and identify your first area of operation

5) Start the bruteforcer on the big machine, using all your findings from the day before, or at least change the ruleset. With all the known password files and hashes you have. Maybe you find gold. Turn off the monitor of that machine again.

6) Copy your bash history to the working folder

7) Copy your working folder from yesterday into the archive

8) Copy your archive to your backup

9) Enter a comment into the bash history: Starting Date: XXXXXXXXXX (idea, maybe https://www.howtoforge.com/adding-date-and-time-to-your-bash-history, have to look more into it)

10) Start with the most stupid and easy attack you can think of. Don’t waste brainpower on some high level stuff if there is something stupid to do. Have you checked that the password is not empty or “password”?

11) Revert a machine where I have root and which I exploited. Make sure that the exploit is working reliably and I can reproduce my steps. Try to minimise the time needed for that exploit. Test the post exploitation SOP and check if I can make it more efficient. Try to minimise effort, raise reproducibility and minimise time. Train for the exam. The goal is to have a list of ways to attack a target with minimal effort.

Postflight checklist (so far):

1) Write down your final thoughts. Any loose ends?

2) Check the brute forcer. Write down the findings. Add found passwords to the list (assuming I didn’t look earlier). Power down that machine.

3) Check if there is any scan or so still running. Nmap doesn’t like being suspended.

And how about making SOPs for the actual lab?

If you look realistically at the course the challenge is:

1) Make a good network inventory (I can work on procedures for that right now)

2) Make some magic (aka exploit) (Well, I hope I will learn it in the course)

3) Do some admin tasks (aka post exploitation) (I can work on that)

4) Enumerate (aka find some files and info) (Again, this is actually basic forensics)

Well, I will look up something about all that, but that is for another blog post. I mean we are talking about basic admin stuff: finding config files, adding users and checking your network configuration. No need to make life harder than it should be.

So long, Ucki