Title: OSCP and Pentesting 101
Post by: sil on April 09, 2012, 03:21:35 PM

I wanted to take some time to give those taking the OSCP and similar exams, a bit of food for thought when taking these exams. The food will come via taking time to create a repeatable framework in order to perform necessary objectives on the road to "owning the box." Be it Windows, Linux, BSD, the flavor is irrelevant. I urge anyone taking the exam to go over the PTES (Penetration Testing Execution Standard) as it more detailed than what you will see here.

The OSCP exam seems to eat up a lot of time for a lot of individuals taking the exam. Time is crucial in this exam as you are going to be allotted 24 hours. In the real world, your SOW will also have a cut off time. So how can you maximize your time without having your work all over the place. The answer is to create
yourself a framework.

In the following mindmap (http://www.infiltrated.net/mgz/oscp.jpeg (http://www.infiltrated.net/mgz/oscp.jpeg)), I have a target and the tasks I would take in trying to exploit the target. In the enumeration/identification step, I will begin with, but not rely on, NMAP. I try to use p0f whenever possible since it offers a better mechanism of identifying a target.

I try to use p0f especially when identifying webservers, since I can use a proxy server to connect without triggering anything out of the ordinary. In the following snippet, I will connect from my desktop (FreeBSD 9.0) to a forensic workstation I created using Ubuntu, on port 80.

Code:

[root@kenji ~]# uname -a
FreeBSD kenji 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Mar 20 10:42:10 EDT 2012 root@kenji:/usr/obj/usr/src/sys/SARU i386
[root@kenji ~]# nmap -sS -P0 -sV -T2 -vvv 10.4.4.86

Starting Nmap 5.61TEST5 ( http://nmap.org ) at 2012-04-09 14:47 EDT
NSE: Loaded 16 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 14:47
Completed Parallel DNS resolution of 1 host. at 14:47, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 14:47
Scanning 10.4.4.86 [1000 ports]
Discovered open port 22/tcp on 10.4.4.86
Discovered open port 80/tcp on 10.4.4.86
Completed SYN Stealth Scan at 14:54, 401.81s elapsed (1000 total ports)
Initiating Service scan at 14:54
Scanning 2 services on 10.4.4.86
Completed Service scan at 14:54, 6.38s elapsed (2 services on 1 host)
NSE: Script scanning 10.4.4.86.
NSE: Starting runlevel 1 (of 1) scan.
Nmap scan report for 10.4.4.86
Host is up (0.00038s latency).
Scanned at 2012-04-09 14:47:38 EDT for 409s
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.8p1 Debian 7ubuntu1 (protocol 2.0)
80/tcp open http Apache httpd 2.2.20 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

Read data files from: /usr/local/share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 408.69 seconds
Raw packets sent: 1000 (44.000KB) | Rcvd: 1000 (40.008KB)

NMAP states this is Ubuntu, what does p0f state?

Code:

[root@kenji ~]# p0f -o /tmp/p0f.output

.-[ 10.4.4.72/16070 -> 10.4.4.86/80 (syn) ]-
|
| client = 10.4.4.72/16070
| os = FreeBSD 9.x
| dist = 0
| params = none
| raw_sig = 4:64+0:0:1460:65535,6:mss,nop,ws,sok,ts:df,id+:0
|
`----

.-[ 10.4.4.72/16070 -> 10.4.4.86/80 (mtu) ]-
|
| client = 10.4.4.72/16070
| link = Ethernet or modem
| raw_mtu = 1500
|
`----

.-[ 10.4.4.72/16070 -> 10.4.4.86/80 (uptime) ]-
|
| client = 10.4.4.72/16070
| uptime = 20 days 2 hrs 47 min (modulo 49 days)
| raw_freq = 999.93 Hz
|
`----

.-[ 10.4.4.72/16070 -> 10.4.4.86/80 (syn+ack) ]-
|
| server = 10.4.4.86/80
| os = Linux 3.x
| dist = 0
| params = none
| raw_sig = 4:64+0:0:1460:mss*10,4:mss,sok,ts,nop,ws:df:0
|
`----

.-[ 10.4.4.72/16070 -> 10.4.4.86/80 (mtu) ]-
|
| server = 10.4.4.86/80
| link = Ethernet or modem
| raw_mtu = 1500
|
`----

.-[ 10.4.4.72/16070 -> 10.4.4.86/80 (http request) ]-
|
| client = 10.4.4.72/16070
| app = ???
| lang = English
| params = none
| raw_sig =
1:Host,User-Agent,Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8],Accept-Language=[en-us,en;q=0.5],Accept-Encoding=[gzip,deflate],Accept-Charset=[ISO-8859-1,utf-8;q=0.7,*;q=0.7],Keep-Alive=[115],Proxy-Connection=[keep-alive],?If-Modified-Since,?If-None-Match:Connection:Mozilla/5.0
(X11; U; FreeBSD i386; en-US; rv:1.9.2.27) Gecko/20120314 Firefox/3.6.27
|
`----

.-[ 10.4.4.72/16070 -> 10.4.4.86/80 (http response) ]-
|
| server = 10.4.4.86/80
| app = ???
| lang = none
| params = none
| raw_sig = 1:Date,Server,?ETag,?Vary:Content-Type,Connection,Keep-Alive,Accept-Ranges:Apache/2.2.20 (Ubuntu)
|
`----

We can validate whether or not out nmap output is accurate but we can assess how long the server has been running and get an idea of the patch level of a machine. Now, in order to minimize time, I might sweep a subnet for specifics: HTTP, SMTP, POP and so forth. The reasoning for this, is that when under time constraints, it allows me to focus specific attacks and probes against those specific targets that I know are running the service. This allows me to spend time elsewhere (running other nmap sweeps, etc)

For example, I can sweep a /24 for ONLY port 80, begin launching more probes in the background, while I launch other scans and other probes at another service.

Code:

printf "Enter host\n\n"
read HOST

WEB=`nmap -sS -p80 $HOST -v | awk '/open port/{print $2}' |grep -vi dis`

if [ "$WEB" == open ]

then

nikto -host $HOST

fi

exit 0

In any event, if you're doing ONE thing and ONE THING only on the OSCP exam, you're wasting time. There is nothing stopping you from opening a terminal and creating your own little framework for doing this exam:

Code:

mkdir {HTTP-OUTPUT,HYDRA-RECON,NIKTO-OUTPUT,SNMP-OUTPUT}

printf "Enter host\n\n"
read HOST

WEB=`nmap -sS -p80 $HOST -v | awk '/open port/{print $2}' |grep -vi dis`

if [ "$WEB" == open ]

then
cd HTTP-OUTPUT
nikto -host $HOST > $HOST.nikto,output
echo "Completed Nikto" | wall
fi

exit 0

Get the picture?

1) Make relevant directories (way beforehand)
2) Enter a target
3) Go check if the target is running anything on port 80
4) If it is, then run nikto against it
5) When done write it everywhere in case I am on 50 different terminals

You can continue something like this to fire off dozens of tests, probes, and so on. What you do with your time is always going to be critical since time is irreplaceable. Same applies when performing real world testing. You may be in a bind for time, if you're waiting on the output of one tool, you're wasting time. Moving back to the mindmap, take some time to think about a structured way to attack this exam. There is no reason you cannot fork off processes way before you even get started. Practice in your own environment:

Code:

if $THIS_TARGET is running SNMP
then run hydra
else if $THIS_TARGET is running HTTP
then use $TOOL_OF_CHOICE
fi

Same applies in the real world. When performing tests, it is critical that not only you perform necessary testing, but it is also critical you manage your time while doing so. (Time is money) Creativity goes a long way in this field (pentesting) however, it makes no sense to throw paint on a canvas and once done, determine you are now going to start painting the Mona Lisa. Planning goes a long way

Food for though

Title: Re: OSCP and Pentesting 101
Post by: hayabusa on April 09, 2012, 03:36:08 PM

++1

Multitasking is essential, both in real-world pentesting, and in these courses. You WILL NOT complete the exams in OSCP, if you remain single-threaded...

sil's advice is spot on.

Title: Re: OSCP and Pentesting 101
Post by: unicityd on April 09, 2012, 03:43:47 PM

Very nice write-up.

Title: Re: OSCP and Pentesting 101
Post by: sil on April 09, 2012, 03:45:27 PM

Quote from: hayabusa on April 09, 2012, 03:36:08 PM

++1

Multitasking is essential, both in real-world pentesting, and in these courses. You WILL NOT complete the exams in OSCP, if you remain single-threaded...

sil's advice is spot on.

Real world is funny and sometimes fool around with the admins watching me perform my tests thinking they're going to do something stupid like stop me. Before I even start most tests, I fire off dozens of decoys (sometimes including their IP space) so they don't turn around and block me. Once I'm running though, I usually blend right since people will be so confused by the amount of stuff they're seeing.

Title: Re: OSCP and Pentesting 101
Post by: j0rDy on April 10, 2012, 07:50:12 AM

great post, i remember someone saying that pentesting consists for the most part of waiting. This is only true if you truly master the skill, and by that i mean automate, automate and automate...let the computer do the work for you and use the fact it can multitask like no other...

some other tips:
try to separate automated scans. Sometimes tools get in eachother way. An example from my experience is that nmap and nessus can be working against each other during UDP-scans.

Talking about nikto, sometimes tools provide you with false positives (which is perfectly shown in the ubuntu/freebsd example) so NEVER trust the output of tools blind, always perform a manual check or use a second/third tool to confirm.

Title: Re: OSCP and Pentesting 101
Post by: impelse on April 10, 2012, 10:27:24 AM

This is a great post, last night I was enumerating users in a smtp service, during that time I was thinking how can I increase the performance or do something else with this? and I remember your post.

Title: Re: OSCP and Pentesting 101
Post by: sil on April 10, 2012, 01:07:30 PM

Quote from: impelse on April 10, 2012, 10:27:24 AM

Another thing I do to cut time, is distributed password cracking. I fortunately have access to quite a few machines. What I do is parse out my word lists and split it between machines. For example:

Code:

[root@kenji ~/WORDLISTS]# wc -l MEGALIST.txt
472567089 MEGALIST.txt

I will split this into about 16 files, and send them to 8 different machines. Since they're sorted alphanumerically, it becomes a divide and conquer. Where as if I had one machine starting at say A, it would take N amount of time to reach Z. If each file consisted of say 3.5 of the alphabet, my time is shortened. (File 1 = A - Ch, File 2 = Ch - Fa, File 3....). My wordlists are created using a buckload of words, iterations on those words and contain the MD5 and SHA1's of each instance. So I can just grep a word or a hash and see one another:

Code:

[root@kenji ~/WORDLISTS]# grep 1361067 MHASHED.txt
1361067 db402c6afef2cbe85da35ebe4e40cba3

[root@kenji ~/WORDLISTS]# grep d3d0472e95296db8d01e401e7d8206d6 MHASHED.txt
123098 d3d0472e95296db8d01e401e7d8206d6

Rather than wait until the last second, these are little things anyone can lay out beforehand. Before I even go the cracking route though I will try out some stuff online so I waste even less time: http://www.md5decrypter.co.uk/

Title: Re: OSCP and Pentesting 101
Post by: DragonGorge on April 10, 2012, 02:52:56 PM

Quick question - I've read several OSCP reviews where the person states something to the effect: "I would have cracked that first box in half the time had I not [made a programming error]."

This confuses me. Are the programs you create for the test the kind where you don't get any feedback (i.e. find out you made a mistake) until they're finished running?

Title: Re: OSCP and Pentesting 101
Post by: sil on April 10, 2012, 03:23:14 PM

Quote from: DragonGorge on April 10, 2012, 02:52:56 PM

If you're writing your own tool, its up to you to direct how the output appears to you. Think about that for a moment... YOU are the one writing the program, what is it you want you're program to do. How should it connect, what should it do when it connects, what should it do if successful, if it fails.

Title: Re: OSCP and Pentesting 101
Post by: SephStorm on April 11, 2012, 06:03:55 AM

Sil, in thouse examples above, are those examples of scripting?

Title: Re: OSCP and Pentesting 101
Post by: sil on April 11, 2012, 07:48:41 AM

Some are, some aren't. Scripting is nothing more than running successive commands. For example, I need to check if there is a shadow or master.passwd file on this machine, and if so, I since I may not have privileges to copy or view it, let me see who in the sudoers group may have access to do what I need done (this helps since I can also attack that account as opposed to targeting root) and also who from the passwd file may have privs

Code:

# more ehnet-scripting-example
if [ -e /etc/shadow ]

then cp /etc/shadow /tmp

else

if [ -e /etc/master.passwd ]

then

printf "must be a BSD machine\nFinding out who has sudo privs\n"

awk '!/#/ && !/\n/' /usr/local/etc/sudoers | sort -u
grep ":0:" /etc/passwd
fi

fi
# sh ehnet-scripting-example
must be a BSD machine
Finding out who has sudo privs

%wheel ALL=(ALL) NOPASSWD: ALL
root ALL=(ALL) ALL
root:*:0:0:Charlie &:/root:/usr/local/bin/bash
toor:*:0:0:Bourne-again Superuser:/root:
sil:*:1001:0:sil:/home/sil:/bin/sh

As explained, scripting is nothing more than successive commands. I would run something like this as it gives me more targets to aim for as opposed to aiming for the holy grail. I wouldn't need to as I can also target the account "sil" who is in group wheel, who has sudo privs without a password.

Title: Re: OSCP and Pentesting 101
Post by: ajohnson on April 11, 2012, 08:47:44 AM

Quote from: sil on April 09, 2012, 03:21:35 PM

Practice in your own environment:

This is actually an excellent use of OffSec lab time as well. Instead of solely focusing on compromising systems, spend some time developing a game plan and attack methodology for the actual exam.

I'm a fan of running smaller, quicker scans, so I can obtain information to start working with expeditiously.

The following one-line script takes a start number, end number, and tcp/udp input, and returns a comma-separated list of ports from the nmap services file based on popularity

Code: ("ports.sh")

For example, the following command scans the top ten TCP ports (note: the start/end numbers are popularity rankings, not actual port numbers).

Code: ("Sample Usage")

root@bt:~# nmap -p`./ports.sh 1 10 tcp` 192.168.1.1 -oA scan

Reviewing the scan.nmap file shows the actual command that was run: nmap -p80,23,443,21,22,25,3389,110,445,139 -oA scan 192.168.1.1

You could do the same thing with --top-ports 10 for this specific scan, but if you performed subsequent scans of 20, 30, etc., you'd be rescanning the same ports over and over instead of being able to increment by 10 (or whatever amount). Starting with popular ports will typically give you the most information in the shortest amount of time. Once you have enough to keep you busy for awhile, you can expand the range and do 50, 100, etc. ports at a time.

Much more functionality could obviously be included. For example, the nmap command could be included in the script and add -sU if UDP was chosen, the ports could be included in the output file name so you don't accidentally overwrite previous scans, and so on.

Title: Re: OSCP and Pentesting 101
Post by: sil on April 11, 2012, 09:29:04 AM

Quote from: ajohnson on April 11, 2012, 08:47:44 AM

Code: ("ports.sh")

Would never work in BSD or Solaris :P

Code:

awk '$3 >= .25{print}' /usr/local/share/nmap/nmap-services |\
awk -F "/" '!/^#/{print $1}' |\
awk '{print $2}'|\
perl -p -e 's:\n:,:g'|\
ruby -pe 'gsub(/,$/, "")'

In action via FreeBSD:

Code:

# nmap -p `awk '$3 >= .25{print}' /usr/local/share/nmap/nmap-services |\
awk -F "/" '!/^#/{print $1}' |\
awk '{print $2}'|\
perl -p -e 's:\n:,:g'|\
ruby -pe 'gsub(/,$/, "")'` 10.4.4.72

Starting Nmap 5.61TEST5 ( http://nmap.org ) at 2012-04-11 10:29 EDT
Nmap scan report for kenji.infiltrated.net (10.4.4.72)
Host is up (0.000018s latency).
PORT STATE SERVICE
80/tcp open http
123/tcp closed ntp
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
161/tcp closed snmp
445/tcp closed microsoft-ds
631/tcp closed ipp
1434/tcp closed ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 2.29 seconds

Title: Re: OSCP and Pentesting 101
Post by: sil on April 11, 2012, 09:30:52 AM

By the way, the reasoning for the mixture in awk, perl and ruby in my example, is to get you guys to see other variations across different languages. Improvisation

Title: Re: OSCP and Pentesting 101
Post by: ajohnson on April 11, 2012, 09:37:05 AM

Quote from: sil on April 11, 2012, 09:30:52 AM

By the way, the reasoning for the mixture in awk, perl and ruby in my example, is to get you guys to see other variations across different languages. Improvisation

I knew I was setting myself to get schooled, yet I posted anyway... :o

Title: Re: OSCP and Pentesting 101
Post by: sil on April 11, 2012, 09:51:04 AM

Quote from: ajohnson on April 11, 2012, 09:37:05 AM

Quote from: sil on April 11, 2012, 09:30:52 AM

By the way, the reasoning for the mixture in awk, perl and ruby in my example, is to get you guys to see other variations across different languages. Improvisation

I knew I was setting myself to get schooled, yet I posted anyway... :o

Nah no way, not schooling at all, offering the same in an alternative form ;)

I don't really use oA at all with nmap, here is how I would do it if using nmap with your one liners based off the crap in my office:

Code:

[root@kenji ~]# nmap -sS -O --version-intensity 7 -sV -p `awk '$3 >= .25{print}' /usr/local/share/nmap/nmap-services |\
awk -F "/" '!/^#/{print $1}' |\
awk '{print $2}'|\
perl -p -e 's:\n:,:g'|\
ruby -pe 'gsub(/,$/, "")'` 10.4.4.1,55,72 |awk '!/closed|filtered/'

Starting Nmap 5.61TEST5 ( http://nmap.org ) at 2012-04-11 10:49 EDT
Nmap scan report for 10.4.4.1
Host is up (0.00041s latency).
PORT STATE SERVICE VERSION
MAC Address: 00:16:76:2F:A1:6E (Intel)
Device type: firewall|general purpose
Running: Genua OpenBSD 4.X, OpenBSD 4.X|5.X
OS CPE: cpe:/o:genua:openbsd:4 cpe:/o:openbsd:openbsd:4.1 cpe:/o:openbsd:openbsd:5
OS details: Genua GeNUGate Firewall 7.0 (OpenBSD 4.6), OpenBSD 4.1, OpenBSD 4.1 (x86), OpenBSD 4.1 - 4.3, OpenBSD 4.3, OpenBSD 4.5, OpenBSD 5.0 GENERIC
Network Distance: 1 hop

Nmap scan report for 10.4.4.55
Host is up (0.00018s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.10 ((Linux/SUSE))
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: SHISEI)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6
OS details: Linux 2.6.13 - 2.6.32
Network Distance: 1 hop

Nmap scan report for kenji.infiltrated.net (10.4.4.72)
Host is up (0.000017s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.22 ((FreeBSD) PHP/5.3.10 with Suhosin-Patch mod_ssl/2.2.22 OpenSSL/0.9.8q DAV/2)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.61TEST5%E=4%D=4/11%OT=80%CT=123%CU=35801%PV=Y%DS=0%DC=L%G=Y%TM=
OS:4F859A3E%P=i386-portbld-freebsd9.0)SEQ(SP=101%GCD=2%ISR=10C%TI=I%CI=I%TS
OS:=21)OPS(O1=M5B4NW6ST11%O2=M578NW6ST11%O3=M280NW6NNT11%O4=M3FD8NW6ST11%O5
OS:=M218NW6ST11%O6=M109ST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=
OS:FFFF)ECN(R=Y%DF=Y%T=41%W=FFFF%O=M5B4NW6SLL%CC=N%Q=)T1(R=Y%DF=Y%T=41%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=41%W=FFFF%S=O%A=S+%F=AS%O=M109NW6
OS:ST11%RD=0%Q=)T4(R=Y%DF=Y%T=41%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=4
OS:1%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=41%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T7(R=Y%DF=Y%T=41%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=41%IPL=38%
OS:UN=0%RIPL=G%RID=G%RIPCK=Z%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=41%CD=S)

Network Distance: 0 hops

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 3 IP addresses (3 hosts up) scanned in 39.06 seconds
[root@kenji ~]#

My scans tend to stay in SYN land ;) and I always (without fail) go deep in versioning when possible.

EH-Net

Ethical Hacking Discussions and Related Certifications => General Certification => Topic started by: sil on April 09, 2012, 03:21:35 PM