Try Harder
OR GO HOME
Disclaimer
Cha-HA is a "Red Team" social and training group.
Organizers and teachers of Cha-HA are not compensated financially for their time. They do this simply because they enjoy the topic and like to share.
Some of the skills and tools taught at Cha-HA meetings can be used for malicious purposes.
Cha-HA organizers and teachers only condone and encourage responsible and lawful use of such skills and tools.
Code of Conduct
I will treat all other members respectfully during Cha-HA events.
I will not use tools and skills shared at Cha-HA for unlawful purposes.
If I ignore the previous point and get caught in an unlawful act then it is nobody's fault but my own.
Whoami
● Jared Haight
● Former Sysadmin
● Current Security Engineer
● OSCP as of August 13th
● @jaredhaight
● https://words.photosandtext.com
What am I talking about?
● What I already knew that helped me with the OSCP
● Stuff I learned while studying for the OSCP
● Things you should focus on if you want to take the OSCP
○ Without getting too specific as to ruin the fun (or get in trouble with Offensive Security)
What makes a hacker?
My Background
● Using computers for 17 years
○ Started using Linux about 14 years ago
● Sysadmin for 10 years
○ Covered everything from Firewalls down to the desktop
○ Administered both Windows and Linux environments
● Hobbyist Web dev for 4 years
○ Started learning Python in 2011, still suck at it.
○ Currently learning Javascript, really suck at it.
What makes an effective hacker
● Learn quickly and be able to intuit how things work
● Constantly think about how you can abuse your current position
○ Focus on your long term goals but not to the point that it distracts you from what’s in front of you
● Understand your opponent
○ In the OSCP lab it’s a lot of stupid and lazy admins
Recon
NMAP
● Scan ALL of the ports
○ TCP (1 - 65000)
○ UDP (--top-ports 200 or whatever)
● Read the scan output, not just the overview
○ That's where all the NSE output is!
● Zenmap is really great
Dirbuster
● Invaluable tool for finding directories/files on webserver
● List in /usr/share/wordlists/dirbuster
○ Use the big one
● Set threads to like 100
Other Enumerators
● SMBEnum
○ Old and/or misconfigured Windows boxes give TONs of info through SMB
● SNMPwalk
○ Can be great for identifying OS
○ Misconfigured OSes will give a lot of info over SNMP
● Probably more...
Misc
● Save EVERYTHING
○ Notes, NMAP output, Enum Output, etc
● Make sure you can find everything
● My structure:
○ ~/recon/192.168.13/
■ 68/ (host ip)
● notes
● nikto.log
● smbenum.log
● misc loot..
Exploitation
Searchsploit
Why you’d use it:
● You need an exploit
● Searching exploit-db.com is really slow
How you’d use it:
● searchsploit <switches> <terms>
● Example: searchsploit -w windows exec
○ By default lists out exploit name and location on disk
○ -w lists exploit-db url instead of location on disk
Metasploit
Why you’d use it
● Cause it’s fucking metasploit
How you’d use it
● Very carefully if you’re taking the exam
○ Usage is limited to multi handler, meterpreter and msfvenom
○ You can use Auxiliary, Exploit and Post modules against ONE allowed machine.
○ Double check the rules before you do something stupid on your exam
Meterpreter
Why you’d use it:
● It’s like normal shell but with special sauce.
How you’d use it:
● Very carefully if you’re taking your exam
○ Usage is restricted to File System, Network and a subset of System commands
○ All other usage is only allowed on the one machine you use Metasploit on.
How do I know what I’m allowed to do?
Metasploit
● If you’re in msfconsole, you can use exploit/multi/handler
○ That’s it. If you want to use more of the metasploit console you can do it only once and only on an allowed box
● No restrictions on msfvenom
Meterpreter
● If you’re in a meterpreter session run “help”
○ It will list out all meterpreter commands, categorized by section.
Buffer Overflows
Why you’d want to learn this
● You’re a hacker, you want to know how things work.
○ Buffer overflows are core to the fun stuff we get to do
● You want to be able to edit (or even find) exploits
How you’d learn this
● Go over the documentation provided by Offensive Security
○ Keep going over it until it makes sense
○ Do the exercises provided by Offensive Security
○ Go find more stuff to exploit (plenty of resources on the internet)
Exploits in the lab environment
● Lots of finding and editing existing exploits
● Build up a collection of scripts and tools that hit common exploits
○ MS08-067, Linux Kernel Priv Esc, etc
● Learn how to read basic C, it’ll help.
● Some of the servers are old, your compiled code won’t run on them
○ Download an ISO of the old OS and spin it up in a VM
○ Google “Debootstrap” to set up builds of old Debian/Ubuntu installs on your Kali box.
■ Once set up you can use “chroot” to switch into them
■ Note that Debian changed their file hashes from MD5 to SHA a while back. You may need to find an old version of debootstrap to work on really old OSes.
Tips and Tricks
● If you have a root shell on a box but don’t know the root password, echo your SSH key to /root/.ssh/authorized_keys
○ Boom. Passwordless login.
● Exploit chains can get complicated and VMs get reset often. Script out exploits that you find yourself doing over and over again.
● The documentation walks you through writing a script that generates a “wget” script for Windows. Do that, it comes in handy.
○ Actually, just do all the exercises that they walk you through.
● Do a report on the lab and do it as you go along
○ The lab is big, there’s a lot of stuff to document. Don’t put it off.
○ The lab report can help to sway whether you pass the OSCP or not
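The authorized_keys trick above is also exactly what a defender on the receiving end should be watching for. As an added example (not from the talk), this script parses a constructed authorized_keys file, fingerprints each key the way `ssh-keygen -lf` does, and flags keys outside an allow-list, keys with no `from=` restriction, and entries that do not decode; the keys, allow-list and sample file are all constructed.

```python
"""Audit an OpenSSH authorized_keys file against an allow-list of fingerprints.
Added example, not from the talk; every key and line below is constructed."""
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _ssh_string(data: bytes) -> bytes:
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(pub: bytes) -> str:
    """Base64 key blob for a constructed (not cryptographically valid) ed25519 key."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(pub)).decode()


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the same form that `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def split_options(line: str):
    """Split an entry into (options, rest). Options may hold quoted strings that
    contain spaces or commas, e.g. from="10.0.0.0/8,192.168.0.0/16",no-pty."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def parse_line(raw: str):
    """Return None for blank/comment lines, {"error": ...} for bad entries,
    else the entry's type, fingerprint, comment and option string."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    options, rest = split_options(line)
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return {"error": "malformed entry"}
    ktype, blob_b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(blob_b64, validate=True)
        (tlen,) = struct.unpack(">I", blob[:4])
        embedded = blob[4:4 + tlen].decode()
    except (ValueError, struct.error, UnicodeDecodeError):
        return {"error": "undecodable key blob"}
    if embedded != ktype:  # sshd rejects these too; flag rather than silently skip
        return {"error": f"declared {ktype} but blob contains {embedded}"}
    return {"type": ktype, "fingerprint": fingerprint(blob_b64),
            "comment": comment, "options": options}


def audit(text: str, allowed: set) -> list:
    """Return (line number, reason, key comment) for every entry worth a look."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_line(raw)
        if entry is None:
            continue
        if "error" in entry:
            findings.append((lineno, entry["error"], ""))
            continue
        if entry["fingerprint"] not in allowed:
            findings.append((lineno, "key not in allow-list", entry["comment"]))
        if "from=" not in entry["options"]:
            findings.append((lineno, "no from= source restriction", entry["comment"]))
    return findings


# Constructed data: the "known" key is allow-listed, the "kali" key is not.
KNOWN_BLOB = make_ed25519_blob(bytes(range(32)))
ROGUE_BLOB = make_ed25519_blob(bytes(range(32, 64)))
ALLOWED = {fingerprint(KNOWN_BLOB)}
SAMPLE = f"""# constructed sample of /root/.ssh/authorized_keys
from="10.0.0.0/8",no-pty ssh-ed25519 {KNOWN_BLOB} backup@jumphost
ssh-ed25519 {ROGUE_BLOB} kali
ssh-rsa not-base64!! stray
"""

if __name__ == "__main__":
    for lineno, reason, comment in audit(SAMPLE, ALLOWED):
        print(f"line {lineno}: {reason} ({comment or 'no comment'})")
```

Feeding it the real file and a fingerprint list taken from a known-good host turns the talk's "passwordless login" into a single diff-style finding.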
Tips and Tricks Part 2: Too fast too tricky
● Sometimes the easiest way to get shell on a box is to create a new account.
○ If you have privileged code execution on a box, why not just create a new account?
● Pillage
○ Check every single box you get into for loot. There are some boxes in the labs that you can only get into with info gleaned elsewhere
○ Think. Where would the good stuff be?
■ /home
■ /etc
■ /var/log
■ C:\
■ C:\Users (C:\Documents and Settings)
○ Use scp, meterpreter or existing services (http, ftp) to get files off a box
Pivoting
Pivoting is Fun
● There are three networks in the OSCP lab
○ You start out with access to one
○ Be on the lookout for dual-homed boxes
● How do you pivot
○ SSH
■ Forward Proxy: ssh -D [Port Number] [user]@[Remote IP]
● Example: ssh -D 9995 root@192.168.1.10
■ Reverse Proxy: ssh -R [Remote Port]:localhost:[Local Port] [user]@[Remote IP]
● Example: ssh -R 8081:localhost:3000 root@192.168.1.10
● Note: Requires “GatewayPorts Yes” in remote sshd_config
○ ProxyChains
■ Routes any TCP network traffic over proxy
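The note above that ssh -R needs GatewayPorts is the flip side of a hardening check: a box only works as a pivot if its sshd lets it. As an added example (not from the talk), this script works out the AllowTcpForwarding, GatewayPorts and PermitTunnel values a given user and source address would get from a constructed sshd_config, honouring Match blocks (only User and Address criteria are modelled), and lists the settings that enable -D / -R style pivoting.

```python
"""Work out which SSH forwarding settings a given client gets from sshd_config,
honouring Match blocks, and report the ones that make a host usable as a pivot.
Added example, not from the talk; the config text is constructed."""
import ipaddress

# sshd's defaults for the directives that govern -D / -R style forwarding
DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no", "permittunnel": "no"}


def _parse(text: str):
    """Return (global directives, [(match criteria, directives), ...]) in file order."""
    global_section, blocks = [], []
    current = global_section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) == 2 else ""
        if key == "match":
            tokens = value.split()
            criteria = dict(zip((t.lower() for t in tokens[::2]), tokens[1::2]))
            current = []
            blocks.append((criteria, current))
        else:
            current.append((key, value))
    return global_section, blocks


def _matches(criteria: dict, user: str, addr: str) -> bool:
    """Only User (exact names) and Address (CIDR lists) are modelled; any other
    criterion is treated as not matching so the check stays conservative."""
    for crit, pattern in criteria.items():
        if crit == "user":
            if user not in pattern.split(","):
                return False
        elif crit == "address":
            ip = ipaddress.ip_address(addr)
            if not any(ip in ipaddress.ip_network(n, strict=False)
                       for n in pattern.split(",")):
                return False
        else:
            return False
    return True


def _first_values(directives) -> dict:
    """sshd keeps the first value it obtains for a keyword."""
    seen = {}
    for key, value in directives:
        if key in DEFAULTS and key not in seen:
            seen[key] = value.lower()
    return seen


def effective(text: str, user: str, addr: str) -> dict:
    """Settings for a client: global first-values, overridden by the first
    matching Match block that sets each keyword."""
    global_section, blocks = _parse(text)
    settings = dict(DEFAULTS)
    settings.update(_first_values(global_section))
    matched = [kv for crit, block in blocks if _matches(crit, user, addr) for kv in block]
    settings.update(_first_values(matched))
    return settings


def pivot_risks(settings: dict) -> list:
    """Human-readable findings; an empty list means forwarding is fully off."""
    risks = []
    if settings["allowtcpforwarding"] != "no":
        risks.append(f"AllowTcpForwarding {settings['allowtcpforwarding']}: "
                     "ssh -D / -R can route traffic through this host")
    if settings["gatewayports"] != "no":
        risks.append(f"GatewayPorts {settings['gatewayports']}: "
                     "ssh -R listeners may bind non-loopback interfaces")
    if settings["permittunnel"] != "no":
        risks.append(f"PermitTunnel {settings['permittunnel']}: tun device forwarding allowed")
    return risks


# Constructed sample: forwarding on globally (as the talk's ssh -R example
# needs), switched off for the backup account.
SAMPLE_SSHD_CONFIG = """
Port 22
GatewayPorts yes
AllowTcpForwarding yes

Match User backup
    AllowTcpForwarding no
    GatewayPorts no

Match Address 10.0.0.0/8
    GatewayPorts clientspecified
"""

if __name__ == "__main__":
    for user, addr in (("root", "192.168.1.10"), ("backup", "10.1.2.3")):
        print(user, addr, pivot_risks(effective(SAMPLE_SSHD_CONFIG, user, addr)) or "no forwarding")
```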
Wrap Up
Recap
● Don’t be afraid to learn
● Be aggressive in your scanning
● Keep notes, be organized
● Do your lab report
● Don’t use metasploit
● Be really comfortable with basic Buffer Overflows
● Pillage everything
● Hack the planet
Questions?
● @jaredhaight
● jaredhaight@protonmail.com


Editor's Notes

  1. Twitter - I specialize in retweeting people much smarter than myself.
  2. How many people are taking/studying for the OSCP now?
  3. I love hacker stock images
  4. This kid is wearing two pairs of glasses.
  5. All of this helped out
  6. Learn Quickly: I picked up real basic PHP and C while studying. Learned how Coldfusion and Tomcat worked. Multi chain exploits