7 Things you didn't know about passing the OSCP!

Every time I teach a class, there is always a lot of talk about the Offensive Security Certified Professional (OSCP) test and the Pentesting with Kali (PWK) class. I passed my OSCP a couple of years ago and still think it's a pretty good cert. I asked a bunch of other OSCP-certified folks about tips and tricks for passing the test, not for doing well in the labs or doing the classwork! There are lots of details about the test out there: how many systems there are, points, etc. I'm not going to talk about all that; I just want to talk about how to maximize your chances of passing the exam the first time out, getting your money's worth, and being an efficient pentester. Also, this is just to the best of my knowledge. No guarantees!

7 tricks to passing the OSCP!

1. Get root/admin on every box in the lab. Don't do the classwork.

This is probably a pretty big shock, I know, and maybe it's too black and white. If you are a complete newbie, the videos and PDF are helpful. If you know what Metasploit is, basic nmap, and what Exploit-DB is, you should be fine without them. Know that you will have to exploit systems without Metasploit in the test, so don't get used to it in the labs!

Why ignore the class/PDF? First, the classwork is not going to be on the test. Second, you will learn far more by going through all the systems in the labs and making good notes on how you hacked each box and how you figured it out. Third, I know you can get extra points for doing the classwork, but it is barely relevant because it's only a tie breaker if you are close; if you do the math, it almost never makes a difference. Finally, it takes a huge amount of time to do the things in the class vs. hacking stuff in the lab. Since this is a practical test where you hack stuff, I say practice hacking!

Bottom line, hack stuff in the lab and go flip through the pdf and watch videos when you get stuck.

2. K.I.S.S (Keep It Simple Stupid), a.k.a. it's probably more straightforward than you think

I see folks overcomplicating basic exploitation a lot, and privilege escalation like crazy. Most of the time, the answer is pretty vanilla. This excludes some sneaky stuff they pull in the lab that isn't on the test, as far as I know.

3. Post-exploitation is a waste of time

While post-exploitation is a critical skill in real-world penetration testing, the lab systems aren't interconnected and neither are the test systems. So data mining, recovering hashes, passwords, etc. doesn't help much unless you are working on privilege escalation, in which case it may be handy!

4. Get good at privilege escalation

You will do it on the test, and this is where I see folks get stuck really often. Know how to use the command line on the target; it's a critical skill for finding the information you need to escalate privileges. This is more than patch-based vulnerabilities! You need to know how to identify system misconfigurations and use them to gain additional access.

5. Automated tools won't get you there

This is the other thing I see all the time. People run exploit-suggester, privilege-escalation-suggester, etc. and expect that this will get them root/admin. I'm sure that OffSec is aware of these tools and makes sure they don't work very well. This is no surprise, because they want to see that you understand the problem and aren't just running someone else's tools. There are no shortcuts here.

6. Do ALL of the exploit development stuff in the course

I know I said don't do the classwork, but this is the exception. You will have to do exploit development to pass the test. The good news is there is likely nothing exotic about it, and it is pretty likely to be a Windows-based system. I would also recommend that you do the Windows-based exploit development tutorials that Corelan has. If you can do the basic ones on your own, you should be OK on the test.

7. They won't test you on something they didn't teach

This is pretty basic, but if they didn't teach it, talk about it, or make you do it in the lab, you probably don't have to know it. This is stuff like ROP or ASLR bypass, and other stuff like antivirus bypasses. See #2 :)

 

GOOD LUCK ON THE TEST!

- Exumbra

EXUMBRA's Hands-on Hacking: Essential Attack Techniques Bootcamp (Weekend Training)

Join us for a 2 day weekend workshop in the LA area!

Course Description

This 2-day hands-on, focused course is designed to get you started with penetration testing/red teaming and then take your attack skills to the next level, with guidance from an experienced full-time penetration tester. It features a multi-level network with more than 30 vulnerable systems, incorporating multiple Windows domains, Unix variants, and OSI layer 2 & 3 (Cisco switch) exploitation, and each student takes home a video of the class and walkthroughs for each target. Students will be guided through the phases of exploitation using lecture, demonstrations, and practical exercises for each topic. Covering practical exploitation strategies, Metasploit, antivirus evasion, privilege escalation, and Windows domain exploitation, this course is a “must have” for anyone in the information security industry.

Student Prerequisites

In order to be successful, students should have a basic understanding of IP networking as well as the Linux and Windows command line. Students will need a 64-bit system capable of booting from an external USB drive, with a working Ethernet port supported by Kali Linux.

Course Objectives

The course will teach students the fundamentals of exploitation and the practical approaches to attacking a system or group of systems using lecture, visual, and hands-on learning. At the end of the course the student will have a solid understanding of the penetration testing cycle and will be able to conduct all phases independently. 

Training Outline

This course focuses on a practical approach to penetration testing and exploitation. The course is progressive and starts by giving the student a solid understanding of the fundamentals of exploitation. It will then go on to more advanced exploitation where multiple vulnerabilities are combined to gain access. It guides students through various reconnaissance and attack techniques using lecture, demonstrations, and practical exercises in a live environment. 

Day 1

  • Review 
    • Shells, IP/networking
    • Penetration testing methodology/exploitation cycle
    • Reconnaissance with nmap
    • Identifying vulnerabilities
    • Exploitation without exploits, Metasploit basics, and using public exploit code
  • Exploitation hands-on lab 1 (Apprentice Level)
  • Exploitation hands-on lab 2 (Apprentice Level)
  • Exploitation hands-on lab 3 (Journeyman Level)

Day 2

  • Exploitation hands-on lab 4 (Journeyman Level)
  • Post exploitation (Metasploit, lateral movement, reusing credentials, password cracking, pass the hash)
  • Elevating privileges in Unix and Windows 
  • Evading antivirus
  • Attacking Windows domains (Kerberos abuse, pass the ticket, golden & silver tickets, responder)
  • Attacking Cisco switches (layer 2/3 attacks)
  • Exploitation hands-on lab 5 (Journeyman Level)
  • Exploitation hands-on challenge labs (4 networks & 30+ targets)

Student take-home items

  • Video of the class
  • Slides from the class
  • Cheat sheets

Interested? Sign up!

Kerberos Party Tricks: Weaponizing Kerberos Protocol Flaws

This is a quick run-down for anyone who missed my talk at LayerOne this year

Background

The vulnerabilities and techniques are based on abuse of the Kerberos v5 protocol, but all of this should work on earlier versions too. In my mind, these kinds of bugs are better than memory corruption exploits because they are unlikely to get fixed and are hard to patch out. As a bonus, Kerberos is the underlying mechanism for all of the multi-factor authentication schemes in Windows (e.g. RSA SecurID, smart cards, biometrics), and once we get a Kerberos ticket for the user, we can bypass all of that other stuff. We also never send any packets to the target systems to do this, only to the domain controller, so these techniques are very stealthy and are unlikely to ever be identified by an IDS, IPS, or other attack detection tool.

I tested against Windows Server 2008 and 2012, but all of these attacks are likely to apply to other implementations too (MIT, Heimdal, Centrify, etc.).

Kerberos party tricks toolkit capabilities

  • Enumerate/brute force domain users
  • Get Kerberos TGS-REP and AS-REPs interactively
  • Parse PCAPs for Kerberos tickets
  • Identify accounts with weak pre-auth configurations
  • Crack account passwords
  • Enumerate services on the domain (SPN scan)

So how do we do all of these things?

User enumeration

We brute force usernames by sending legacy Kerberos V4 Authentication Requests (AS-REQ) and examining the error codes to determine whether a user exists, whether they are locked out, and whether they have "Do not use Kerberos pre-authentication" set. If the user has that flag set, we recover a Kerberos AS-REP encrypted with a key derived from the user's password (RC4-HMAC), and we can attempt to crack this ticket offline. As a bonus, this does not trigger Microsoft's account lockout policy.

Recover Kerberos tickets interactively and from packet captures

Just like before, if we know a user has "Do not use Kerberos pre-authentication" set, we can recover a Kerberos AS-REP encrypted with a key derived from the user's password (RC4-HMAC). With authentication, we can request "Service Tickets" (TGS-REP). As with the AS-REPs, these are encrypted with the service account's password, and any user can request a ticket for any service, even if they are not authorized to use it. This is because the service is responsible for determining who is authorized to access it; the Key Distribution Center (KDC), typically the domain controller, is only responsible for creating and controlling the tickets, not for determining access levels.

We can also parse PCAP style packet captures for encrypted AS-REPs and TGS-REPs.

Identify accounts with weak pre-auth configurations

If we have domain authentication, we can search the LDAP directory for accounts with a specific account setting and then request AS-REPs for those accounts.

Crack passwords offline

Because all of these tickets are encrypted with a key derived from the account's password (RC4-HMAC), we can take a wordlist, run each candidate through the same key derivation, and compare the values. If they match, we know the password!

We can do this with any of the tickets we have recovered, either directly through interaction or from packet captures.

Enumerate services on the domain (SPN scan)

Active Directory uses “Service Principal Names” (SPNs) to register user accounts with “services”. An SPN looks something like:

  • Service Type/host.domain.com:port

For example, the SPN below represents a Microsoft SQL Server instance running on port 1433 on a system named domainw7.onlyfor.hax.

  • MSSQLSvc/domainw7.onlyfor.hax:1433

We can use LDAP to look up all of the SPNs in a domain and determine the username of the service account, the groups that account is in, the type of service, the host it is running on, and the port we need to connect to in order to reach the service.
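The SPN inventory just described, together with the weak pre-auth check from the previous section, as an added example written from the defender's side; it is not code from the Exumbra toolkit or the talk. It takes LDAP-style account records (constructed inline here; a real run would page them out of the directory, and the filter string shows the documented bitwise-AND matching rule you would use for that), flags accounts whose userAccountControl carries the documented "do not require Kerberos preauthentication" bit, parses each SPN, and lists user accounts that hold SPNs. It handles the general class/host[:port][/servicename] syntax, of which the page's MSSQLSvc example is one instance.

```python
"""Kerberos exposure audit over Active Directory account records.

Added example (not code from the Exumbra toolkit or the talk). The account
records below are constructed to look like LDAP results; the attribute names
are the standard AD ones and the userAccountControl bit values are the
documented Windows constants.
"""
from dataclasses import dataclass
from typing import Optional

# Documented userAccountControl flags (ADS_USER_FLAG_ENUM).
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Filter for a real directory query (LDAP bitwise-AND matching rule). The
# query itself is out of scope here; records are supplied inline instead.
PREAUTH_DISABLED_FILTER = (
    f"(userAccountControl:1.2.840.113556.1.4.803:={UF_DONT_REQUIRE_PREAUTH})"
)

# Constructed sample records, not taken from any real domain.
SAMPLE_RECORDS = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/domainw7.onlyfor.hax:1433"],
     "memberOf": ["CN=Domain Admins,CN=Users,DC=onlyfor,DC=hax"]},
    {"sAMAccountName": "legacyapp", "userAccountControl": 0x400200,
     "servicePrincipalName": [], "memberOf": []},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200,
     "servicePrincipalName": [],
     "memberOf": ["CN=Staff,CN=Users,DC=onlyfor,DC=hax"]},
    {"sAMAccountName": "DOMAINW7$", "userAccountControl": 0x1000,
     "servicePrincipalName": ["HOST/domainw7.onlyfor.hax", "HOST/DOMAINW7"],
     "memberOf": []},
]


@dataclass(frozen=True)
class SPN:
    service_class: str            # e.g. MSSQLSvc, HOST
    host: str                     # host part, lower-cased for comparison
    port: Optional[int]           # None when the SPN carries no port
    service_name: Optional[str]   # optional third component of the SPN


def parse_spn(spn: str) -> SPN:
    """Split 'class/host[:port][/servicename]' into its parts.

    The page shows the 'class/host:port' form; the optional third component
    is part of the general SPN syntax and is accepted here too.
    """
    parts = spn.split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"malformed SPN: {spn!r}")
    host, sep, port_text = parts[1].partition(":")
    port = None
    if sep:
        if not port_text.isdigit():
            raise ValueError(f"non-numeric port in SPN: {spn!r}")
        port = int(port_text)
    service_name = "/".join(parts[2:]) or None
    return SPN(parts[0], host.lower(), port, service_name)


def is_machine_account(record: dict) -> bool:
    """Computer and DC accounts carry a trust-account bit; their keys are random."""
    uac = int(record.get("userAccountControl", 0))
    return bool(uac & (UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT))


def find_preauth_disabled(records) -> list:
    """Accounts whose AS-REP can be obtained without proving the password."""
    return [r["sAMAccountName"] for r in records
            if int(r.get("userAccountControl", 0)) & UF_DONT_REQUIRE_PREAUTH]


def spn_inventory(records) -> list:
    """The per-SPN view the page describes: which account, groups, service, host, port."""
    rows = []
    for r in records:
        for raw in r.get("servicePrincipalName", []):
            spn = parse_spn(raw)
            rows.append({
                "account": r["sAMAccountName"],
                "machine_account": is_machine_account(r),
                "groups": list(r.get("memberOf", [])),
                "service_class": spn.service_class,
                "host": spn.host,
                "port": spn.port,
            })
    return rows


def risky_service_accounts(records, privileged_group_cns=("Domain Admins",)) -> list:
    """User (non-machine) accounts carrying SPNs: a service ticket for them is
    encrypted under a human-chosen password. Privileged group membership raises
    the impact, so it is reported alongside as (account, is_privileged)."""
    findings = []
    for r in records:
        if is_machine_account(r) or not r.get("servicePrincipalName"):
            continue
        privileged = any(dn.split(",")[0] == f"CN={cn}"
                         for dn in r.get("memberOf", [])
                         for cn in privileged_group_cns)
        findings.append((r["sAMAccountName"], privileged))
    return findings


if __name__ == "__main__":
    print("pre-auth disabled:", find_preauth_disabled(SAMPLE_RECORDS))
    for row in spn_inventory(SAMPLE_RECORDS):
        print(row)
    print("user accounts with SPNs:", risky_service_accounts(SAMPLE_RECORDS))
```

Read as a fix list, the output is what a domain owner acts on: re-enable pre-authentication on every account the first check names, move SPNs off accounts with human-chosen passwords (or give those accounts long random passwords), and take service accounts out of privileged groups so that a recovered service key does not also hand over domain administration.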

You may be asking why all of this is in Active Directory. It is because it allows “Single Sign-On” (SSO) for domain services. For example, when a user wants to connect to service X, they request a ticket for it from the Key Distribution Center (KDC), typically the Domain Controller.

Once you have the account name and password for a service, you can generate a Silver Ticket with Mimikatz and impersonate any user to that service, since the key is a shared secret between the service account and the KDC. We can't create a legitimate Privilege Attribute Certificate (PAC), but we don't have to, because services never validate the PAC with the KDC, for performance reasons. If they did, they would have to send every ticket for every request to the KDC and wait for it to validate the connection, creating a huge amount of work for both the service and the KDC.

If you happen to recover the password for a domain admin, you can use Mimikatz to inject a ticket into your current session, impersonate another domain controller, and ask it to synchronize the account database with you. You end up with the encrypted versions of the passwords for every domain user without ever getting a shell, and it all happens over RPC!

Slides and toolkit are here.

Join EXUMBRA @ ISSA Ventura

Join us at ISSA Ventura on June 25th for a Penetration Testing 101 and live demos.

We will be demonstrating methods to find and exploit:

  • Misconfigurations
  • Missing patches
  • Plain-text Credentials 
  • File Permissions
  • Local Services
  • Network Services

Date: Saturday June 25th 9am to 5pm
Location: 
Cal Lutheran University
60 West Olsen Road : Ullman 101
Thousand Oaks, CA 91360

Don't forget to install the extra tools, instructions are here.

Penetration Testing training Dec 14-18 2015

We are running a 5 day penetration testing course in the Los Angeles area starting December 14th.  

Contact us to schedule!

Course Outline

Day 1

  • Introduction & Setup
  • Methodology
  • Reconnaissance
  • Exploitation
  • Metasploit Basics part 1

Day 2

  • Metasploit Basics part 2
  • Unix Privilege Escalation

Day 3

  • Windows Privilege Escalation
  • Metasploit Post Exploitation
  • Windows Domain Exploitation

Day 4

  • Post exploitation w/o Metasploit
  • Pivoting
  • Layer 2/3 attacks, combo attacks

Day 5

  • Network Tradecraft
  • Web Exploitation

 

One Team. Two Team. Red Team. Blue Team.

Like many areas in the tech industry, a lot of jargon gets used in Information Security.  You may have heard the terms ‘Red Team’ or ‘Blue Team’ or maybe even ‘Purple Team’ get thrown around, but what do they actually mean? 

Well, first some background: the terms originate with the military, where they do exercises all of the time and have, not surprisingly, lots of jargon to go along with them. In this scenario, the ‘Blue Force’ is your military and the ‘Red Force’ is the opposing military. We then borrow those colors to identify which side you are modeling in a penetration test, so a ‘Red Team’ assessment is conducted from the perspective of a potential attacker.

‘Red Team’ assessments typically include areas that go well beyond a network penetration test, with techniques like social engineering, lock and access control bypass, tailgating, creating fake badges, and covert data exfiltration, in addition to the live exploitation executed during a network penetration test. This type of assessment models an aggressive first-world intelligence service and leverages everything they can throw at you. Ultimately, the team will attempt to exercise all of an organization's defenses. It is an intense, thorough, and eye-opening experience for many organizations.

Conversely, a ‘Blue Team’ assessment is conducted as a friendly insider with access to engineers, designs, and documentation. This allows the ‘Blue Team’ to cover a much larger number of potential vulnerabilities, but it will not exercise the defenses of an organization and will not give an outside perspective on the security posture. These types of assessments are also typically more driven by documentation and process, whereas a ‘Red Team’ is solely practically focused.

A ‘Purple Team’ is, not surprisingly, a mix of the two, with some exploitation as would be conducted by a ‘Red Team’ and an open look at process and design as conducted by a ‘Blue Team’.

What is right for you