Practice for OSCP

There are several excellent places online where you can practice for the PWK/OSCP course and certification. In no particular order, they include: OverTheWire, HackThisSite, VulnHub, HackSplaining, CTF365, Root-Me, Hacking Lab, and Pentester Lab. [Read More]

Learning remote enumeration (Part 2)

In Part 1, I introduced some sound methodology for approaching remote enumeration, which I now realize needs a bit of revision. It's not that it's a bad approach, it's just too aggressive and would potentially miss certain aspects of the target that may prove useful or time-saving.

Act like a user, not a hacker

The first thing I've learned is that it's best to act like a user, not an attacker. [Read More]

We are doing networking all wrong

For years now – decades, really – the idea of whitelisting, in one form or another, has pervaded the infosec community’s thinking as to what constitutes a best practice. We use firewalls to allow only those ports and protocols we have approved. We use email whitelists to only accept email from vetted sources. We deploy 802.1X to ensure only those devices we’ve blessed can connect to an Ethernet port. We have MAC address whitelists on wireless access points. [Read More]

Walking through a basic buffer overflow

I’m learning about buffer overflows in preparation for the PWK course and OSCP exam. I haven’t touched assembly language in more than 20 years, and the protections present in modern OSes just didn’t exist back when I first learned all this (let alone the fact that I was working on 680x0 and 650x assembly at the time). After trying desperately to make the mental leap from the 1990s to modern operating systems and following along in Aleph One’s Smashing The Stack For Fun And Profit, I decided to use the material from Chapter 16 of Georgia Weidman’s excellent Penetration Testing: A Hands-On Introduction to Hacking, and write this to ensure I understand exactly what I’m doing and what’s going on in that chapter. [Read More]

Quick tips for linux screenshots from the shell

As part of your workflow, you may need to take multiple screenshots quickly. There are several methods to do this within Linux, but the easiest and most efficient I've found is called import. The manpage details all the options, but my most typical usage is simply:

import foo.png

(substituting the actual name I want to use for "foo", of course) This will cause your cursor to change to crosshairs. You can then position the crosshairs and draw a bounding box around the area you want to capture by pressing and holding the left mouse button. [Read More]

My OSCP workflow

Taking the Offensive Security PWK class and their OSCP exam while working a full-time job presents several challenges, the greatest of which is time management. To make effective use of my available time, I need to ensure I can work wherever and whenever I have a spare few moments. This means a few things:

I need to have access to my notes from everywhere
I need to have access to all collected lab information from everywhere
I need to be able to access the labs from everywhere

All of these boil down to personal preference. [Read More]

Remote enumeration script

In preparation for taking the PWK class and OSCP exam, I've been working on a remote enumeration script. It's not finished yet, but what I've got so far is available in GitHub. You can grab it (and a few other things I've stashed away) by running:

git clone https://github.com/treebuilder/scripts.git

The work is based heavily on this script by Kevin Ostrin. His approach mirrored the one I've been taking with an earlier attempt to write an enumeration script which I called remenum.py. [Read More]

Learning remote enumeration (Part 1)

When many people hear the term "enumeration", they think "port scanning." But enumeration is so much more than that. There are two major categories of enumeration:

Remote enumeration
Local enumeration

To properly perform remote enumeration on an unknown target, I prefer the following steps:

Quickly determine what hosts are on the network
Quickly port scan the discovered hosts for low-hanging fruit
Perform a more thorough port scan of the discovered hosts
Begin enumerating the hosts via the various available services
Start looking for possible remote vulnerabilities

[Read More]

Converting pcap files to network flow data

Pcap data is a wonderful resource; indispensable when doing certain kinds of analyses. Sometimes, however, you want to be able to use network flow data instead. Flow is much more compact, and allows you to more easily explore the relationships among hosts on a network before digging into the nuts and bolts with pcap. It also allows you to archive months or years of data in a much more efficient manner than you can with pcap. [Read More]