EH-Net
  Show Posts
Pages: 1 ... 3 4 [5] 6 7 ... 37
61  Ethical Hacking Discussions and Related Certifications / General Certification / Re: OSCP and Pentesting 101 on: April 09, 2012, 03:45:27 PM
++1

Multitasking is essential, both in real-world pentesting and in these courses. You WILL NOT complete the exams in OSCP if you remain single-threaded...

sil's advice is spot on.

The real world is funny, and sometimes I fool around with the admins watching me perform my tests, thinking they're going to do something stupid like stop me. Before I even start most tests, I fire off dozens of decoys (sometimes including their IP space) so they don't turn around and block me. Once I'm running, though, I usually blend right in, since people will be so confused by the amount of stuff they're seeing.
62  Ethical Hacking Discussions and Related Certifications / General Certification / OSCP and Pentesting 101 on: April 09, 2012, 03:21:35 PM
I wanted to take some time to give those taking the OSCP and similar exams a bit of food for thought when taking these exams. The food will come via taking time to create a repeatable framework in order to perform necessary objectives on the road to "owning the box." Be it Windows, Linux, BSD, the flavor is irrelevant. I urge anyone taking the exam to go over the PTES (Penetration Testing Execution Standard), as it is more detailed than what you will see here.

The OSCP exam seems to eat up a lot of time for a lot of individuals taking it. Time is crucial in this exam, as you are going to be allotted 24 hours. In the real world, your SOW will also have a cut-off time. So how can you maximize your time without having your work all over the place? The answer is to create yourself a framework.

In the following mindmap (http://www.infiltrated.net/mgz/oscp.jpeg), I have a target and the tasks I would take in trying to exploit the target. In the enumeration/identification step, I will begin with, but not rely on, NMAP. I try to use p0f whenever possible since it offers a better mechanism of identifying a target.

I try to use p0f especially when identifying webservers, since I can use a proxy server to connect without triggering anything out of the ordinary. In the following snippet, I will connect from my desktop (FreeBSD 9.0) to a forensic workstation I created using Ubuntu, on port 80.

Code:
[root@kenji ~]# uname -a
FreeBSD kenji 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Mar 20 10:42:10 EDT 2012     root@kenji:/usr/obj/usr/src/sys/SARU  i386
[root@kenji ~]# nmap -sS -P0 -sV -T2 -vvv 10.4.4.86

Starting Nmap 5.61TEST5 ( http://nmap.org ) at 2012-04-09 14:47 EDT
NSE: Loaded 16 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 14:47
Completed Parallel DNS resolution of 1 host. at 14:47, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 14:47
Scanning 10.4.4.86 [1000 ports]
Discovered open port 22/tcp on 10.4.4.86
Discovered open port 80/tcp on 10.4.4.86
Completed SYN Stealth Scan at 14:54, 401.81s elapsed (1000 total ports)
Initiating Service scan at 14:54
Scanning 2 services on 10.4.4.86
Completed Service scan at 14:54, 6.38s elapsed (2 services on 1 host)
NSE: Script scanning 10.4.4.86.
NSE: Starting runlevel 1 (of 1) scan.
Nmap scan report for 10.4.4.86
Host is up (0.00038s latency).
Scanned at 2012-04-09 14:47:38 EDT for 409s
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.8p1 Debian 7ubuntu1 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.20 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

Read data files from: /usr/local/share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 408.69 seconds
           Raw packets sent: 1000 (44.000KB) | Rcvd: 1000 (40.008KB)


NMAP states this is Ubuntu; what does p0f state?

Code:
[root@kenji ~]# p0f -o /tmp/p0f.output

.-[ 10.4.4.72/16070 -> 10.4.4.86/80 (syn) ]-
|
| client   = 10.4.4.72/16070
| os       = FreeBSD 9.x
| dist     = 0
| params   = none
| raw_sig  = 4:64+0:0:1460:65535,6:mss,nop,ws,sok,ts:df,id+:0
|
`----

.-[ 10.4.4.72/16070 -> 10.4.4.86/80 (mtu) ]-
|
| client   = 10.4.4.72/16070
| link     = Ethernet or modem
| raw_mtu  = 1500
|
`----

.-[ 10.4.4.72/16070 -> 10.4.4.86/80 (uptime) ]-
|
| client   = 10.4.4.72/16070
| uptime   = 20 days 2 hrs 47 min (modulo 49 days)
| raw_freq = 999.93 Hz
|
`----

.-[ 10.4.4.72/16070 -> 10.4.4.86/80 (syn+ack) ]-
|
| server   = 10.4.4.86/80
| os       = Linux 3.x
| dist     = 0
| params   = none
| raw_sig  = 4:64+0:0:1460:mss*10,4:mss,sok,ts,nop,ws:df:0
|
`----

.-[ 10.4.4.72/16070 -> 10.4.4.86/80 (mtu) ]-
|
| server   = 10.4.4.86/80
| link     = Ethernet or modem
| raw_mtu  = 1500
|
`----

.-[ 10.4.4.72/16070 -> 10.4.4.86/80 (http request) ]-
|
| client   = 10.4.4.72/16070
| app      = ???
| lang     = English
| params   = none
| raw_sig  =
1:Host,User-Agent,Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8],Accept-Language=[en-us,en;q=0.5],Accept-Encoding=[gzip,deflate],Accept-Charset=[ISO-8859-1,utf-8;q=0.7,*;q=0.7],Keep-Alive=[115],Proxy-Connection=[keep-alive],?If-Modified-Since,?If-None-Match:Connection:Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.9.2.27) Gecko/20120314 Firefox/3.6.27
|
`----

.-[ 10.4.4.72/16070 -> 10.4.4.86/80 (http response) ]-
|
| server   = 10.4.4.86/80
| app      = ???
| lang     = none
| params   = none
| raw_sig  = 1:Date,Server,?ETag,?Vary:Content-Type,Connection,Keep-Alive,Accept-Ranges:Apache/2.2.20 (Ubuntu)
|
`----

We can validate whether or not our nmap output is accurate, and we can assess how long the server has been running and get an idea of the patch level of a machine. Now, in order to minimize time, I might sweep a subnet for specifics: HTTP, SMTP, POP and so forth. The reasoning for this is that when under time constraints, it allows me to focus specific attacks and probes against those specific targets that I know are running the service. This allows me to spend time elsewhere (running other nmap sweeps, etc.).

For example, I can sweep a /24 for ONLY port 80, begin launching more probes in the background, while I launch other scans and other probes at another service.

Code:
#!/bin/sh
# Ask for a target, check whether TCP/80 is open, and if so run nikto against it.
printf "Enter host\n\n"
read HOST

# With -v, nmap prints "Discovered open port 80/tcp on <host>" for each open
# port; field 2 of that line is the word "open".
WEB=`nmap -sS -p80 "$HOST" -v | awk '/open port/{print $2}' | grep -vi dis`

# Plain sh: a single = for string comparison (== is a bash extension).
if [ "$WEB" = open ]
then
    nikto -host "$HOST"
fi

exit 0

In any event, if you're doing ONE thing and ONE THING only on the OSCP exam, you're wasting time. There is nothing stopping you from opening a terminal and creating your own little framework for doing this exam:

Code:
#!/bin/sh
# Create the output directories up front (-p so reruns don't fail), probe
# port 80 and, if it is open, run nikto and announce completion on every
# terminal with wall.
mkdir -p HTTP-OUTPUT HYDRA-RECON NIKTO-OUTPUT SNMP-OUTPUT

printf "Enter host\n\n"
read HOST

WEB=`nmap -sS -p80 "$HOST" -v | awk '/open port/{print $2}' | grep -vi dis`

if [ "$WEB" = open ]
then
    cd HTTP-OUTPUT
    nikto -host "$HOST" > "$HOST.nikto.output"
    echo "Completed Nikto" | wall
fi

exit 0

Get the picture?

1) Make relevant directories (way beforehand)
2) Enter a target
3) Go check if the target is running anything on port 80
4) If it is, then run nikto against it
5) When done write it everywhere in case I am on 50 different terminals

You can continue something like this to fire off dozens of tests, probes, and so on. What you do with your time is always going to be critical, since time is irreplaceable. The same applies when performing real-world testing. You may be in a bind for time; if you're waiting on the output of one tool, you're wasting time. Moving back to the mindmap, take some time to think about a structured way to attack this exam. There is no reason you cannot fork off processes way before you even get started. Practice in your own environment:

Code:

# Sketch of the branching; $THIS_TARGET, $WORDLIST and $TOOL_OF_CHOICE are
# placeholders to fill in for your own environment.
if nmap -sU -p161 "$THIS_TARGET" -oG - | grep -q '161/open'
then
    hydra -P "$WORDLIST" snmp://"$THIS_TARGET"
elif nmap -sS -p80 "$THIS_TARGET" -oG - | grep -q '80/open'
then
    "$TOOL_OF_CHOICE" "$THIS_TARGET"
fi


The same applies in the real world. When performing tests, it is critical not only that you perform the necessary testing, but also that you manage your time while doing so (time is money). Creativity goes a long way in this field (pentesting); however, it makes no sense to throw paint on a canvas and, once done, determine you are now going to start painting the Mona Lisa. Planning goes a long way.

Food for thought.
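The p0f blocks quoted in the post above are dense, and it helps to know what each field of a raw_sig means before trusting the os= verdict. What follows is an added example, not code from the post or from p0f itself: a small sh/awk decoder that takes a p0f v3 raw_sig in the layout p0f documents (ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass) and prints its fields. The two signatures it decodes are the client SYN and server SYN+ACK signatures copied from the p0f output above. The TTL-to-OS-family table is a common rule of thumb added here, not p0f's fingerprint database (p0f matches the whole signature, not just the TTL), and ts_wrap_days only shows where the "modulo 49 days" caveat on the uptime line comes from.

```sh
#!/bin/sh
# Added example: decode a p0f v3 raw_sig into named fields. Signature layout
# (from p0f's documentation): ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass
# The two signatures below are copied from the p0f output in the post.
CLIENT_SIG='4:64+0:0:1460:65535,6:mss,nop,ws,sok,ts:df,id+:0'
SERVER_SIG='4:64+0:0:1460:mss*10,4:mss,sok,ts,nop,ws:df:0'

# Print one "field=value" line per signature field; return 1 on a malformed sig.
decode_p0f_sig() {
    printf '%s\n' "$1" | awk -F: '
        NF != 8 { print "error=expected 8 colon-separated fields, got " NF; exit 1 }
        {
            print "ip_version=" $1
            split($2, ttl, "+")          # ittl is "initial TTL + hops observed"
            print "initial_ttl=" ttl[1]
            print "hops=" (ttl[2] == "" ? "?" : ttl[2])
            print "ip_options_len=" $3
            print "mss=" $4
            split($5, win, ",")          # window size, window scale
            if (win[1] ~ /^mss\*[0-9]+$/ && $4 ~ /^[0-9]+$/) {
                # p0f writes the window as mss*N when it is an exact multiple
                # of the MSS (the Linux 3.x server above); resolve it here.
                print "window=" ($4 * substr(win[1], 5)) " (" win[1] ")"
            } else {
                print "window=" win[1]
            }
            print "window_scale=" win[2]
            print "option_layout=" $6    # TCP option order, a strong OS tell
            print "quirks=" $7           # df, id+ ...: unusual header details
            print "payload_class=" $8
        }'
}

# Rule-of-thumb initial-TTL to OS family mapping (common kernel defaults);
# only a first sanity check, p0f matches the whole signature.
ttl_family() {
    case "$1" in
        64)  echo "Linux/BSD/macOS family" ;;
        128) echo "Windows family" ;;
        255) echo "Solaris/Cisco IOS family" ;;
        *)   echo "unknown" ;;
    esac
}

# Days after which a 32-bit TCP timestamp counter ticking at $1 Hz wraps;
# with raw_freq = 999.93 Hz this is the "modulo 49 days" on the uptime line.
ts_wrap_days() {
    awk -v f="$1" 'BEGIN { printf "%.1f\n", 4294967296 / f / 86400 }'
}

# Stand-alone use: decode a signature given as $1, or the two from the post.
if [ -n "${1:-}" ]; then
    decode_p0f_sig "$1"
else
    for sig in "$CLIENT_SIG" "$SERVER_SIG"; do
        echo "== $sig"
        decode_p0f_sig "$sig"
    done
    echo "TCP timestamp wraps every $(ts_wrap_days 999.93) days at 999.93 Hz"
fi
```

Run it with no arguments to see both signatures side by side: same initial TTL (64) and MSS (1460) on both ends, but the FreeBSD client advertises a fixed 65535 window with scale 6 and the option order mss,nop,ws,sok,ts, while the Linux server advertises mss*10 with scale 4 and mss,sok,ts,nop,ws. That option order and window choice, not the TTL, is what separates the two verdicts.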
63  Ethical Hacking Discussions and Related Certifications / General Certification / Re: guidence on: April 09, 2012, 07:40:31 AM
Here is a starting point:

http://infiltrated.net/TechnicalSecurityRoadmap.html
64  Ethical Hacking Discussions and Related Certifications / General Certification / Armando / ELearn Security staff on: April 06, 2012, 07:25:31 AM
Shoot me a message with any and all certs and what area of security they're in. So far I've solely found eCPPT; I want to add it correctly to the security certification roadmap I'm making.
65  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: Windows 2008 SP1 - Ways to exploit? on: April 05, 2012, 03:47:07 PM
...trunkspotting (you read it here first from me ;) )

Indeed.  Never heard the term before and Google only has one result for "trunkspotting vlan": this thread haha

I make crap up as I go along. VLANSPOTTING to me is the ability to determine the VLANs used in a network, and which machines in the network are trunked into other VLANs. ;) Those are the ones I like... Trunked VLAN access, especially when there is no port security or filtering ;)
66  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: Windows 2008 SP1 - Ways to exploit? on: April 05, 2012, 11:19:44 AM
Depends on what they're using for NAC. If it's something stupid like MAC addresses, I may try to fire something on the wire to check for someone else's MAC if possible, and spoof that; it all depends. To fiddle around and tamper with NAC, it all depends on what I'm doing, what they're using for NAC and so forth. I have PacketFence lying around on a VM and have fiddled with it a bit, but have never had to attack this head on... I look for workarounds all the time though ;) Same applies for VLANs (VLAN hopping, trunkspotting (you read it here first from me ;) )).
67  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: Windows 2008 SP1 - Ways to exploit? on: April 05, 2012, 09:36:47 AM
Do you ever find yourself testing on networks that have NAC? Most decoy / noise activities typically get you shut down quickly. Beyond low-and-slow, do you have alternate strategies for those situations?

Client sides. I am a stickler for spelling things out from the jump. When we meet with clients, I often take the time to explain to them the differences in attacks and attackers. I always explain to them the realities and costs associated with an attack because there is a cost for an attacker, and there are different types of attackers.

Once a client understands the differences (an INTENT attacker: someone who wants in no matter what the cost), they almost always allow me to try anything and everything. So most of the time I perform 4 types of tests. I've documented those different tests in the document I wrote for the RWSP (outside attacker, outside attacker w/creds, insider, insider w/creds). By insider, it does not solely mean "Joe who works for the IT department"; it extends to the social engineer who'll find a way onto the environment and work blindly, as well as that same social engineer who managed to get credentials.

It all boils down to your SOW and your presentation way beforehand to get your client to agree to full-blown testing.
68  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: Windows 2008 SP1 - Ways to exploit? on: April 05, 2012, 09:04:18 AM
When I did my exam, I literally created a script to do the entire thing, and at the last minute many of my machines were firewalled, Bastille Linux'd, etc., so I had to modify it and parse out sections on the fly. I submitted the script to them as well and explained what it was I did and why. Unsure if that gave me brownie points heh....

So an approach would be something like:

if [ this scan shows http ]
then
    run these http based tools against those
elif [ this scan shows snmp ]
then
    run these snmp based tools
elif [ this scan shows http login forms ]
then
    run hydra using this wordlist and dictionary list
fi

I would throw in walls after each command so you'll know step X was finished.
69  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: Windows 2008 SP1 - Ways to exploit? on: April 05, 2012, 07:59:41 AM
Come on guys, I've been studying this training for the last 2 1/2 weeks and I am still beginning the SMTP (my record shows me 19 hours).

How fast do you move with the material? I am trying to assimilate all the info and do all the labs and extra miles, but I am not sure if 90 days will be enough.



Here is something I will give a tip on concerning the OSCP and others like it: if your machine is doing only one thing, and you're focused on one thing... you're doing it wrong.

You're capable of opening up as many terminals as the memory on your machine allows to perform functions. If you're doing the exam or others like it using a Unix-based system, I suggest creating desktops for specific tasks, e.g.:

Desktop 1 - Scanning and Enumeration
Desktop 2 - brute forcing / password cracking
Desktop 3 - Web applications
etc
etc

This allows you to go back and forth and perform multiple tasks without getting lost. Scripting helps, e.g.:

nmap -sS -sV -O this.block/24 -oX this.block-scan.xml ; printf "\n\nDone"|wall

You don't necessarily have to wait for nmap to finish to perform another task. You can move on and do what you need to do. Let's better this example:

Code:
[root@kenji ~]# uname -a
FreeBSD kenji 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Mar 20 10:42:10 EDT 2012     root@kenji:/usr/obj/usr/src/sys/SARU  i386
[root@kenji ~]# nmap -sS -sV -p 80 -v 10.4.64.89

Starting Nmap 5.61TEST5 ( http://nmap.org ) at 2012-04-05 08:47 EDT
NSE: Loaded 16 scripts for scanning.
Initiating Ping Scan at 08:47
Scanning 10.4.64.89 [4 ports]
Completed Ping Scan at 08:47, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:47
Completed Parallel DNS resolution of 1 host. at 08:47, 0.08s elapsed
Initiating SYN Stealth Scan at 08:47
Scanning 89.64.4.10.in-addr.arpa (10.4.64.89) [1 port]
Discovered open port 80/tcp on 10.4.64.89
Completed SYN Stealth Scan at 08:47, 0.21s elapsed (1 total ports)
Initiating Service scan at 08:47
Scanning 1 service on 89.64.4.10.in-addr.arpa (10.4.64.89)
Completed Service scan at 08:47, 6.00s elapsed (1 service on 1 host)
NSE: Script scanning 10.4.64.89.
Nmap scan report for 89.64.4.10.in-addr.arpa (10.4.64.89)
Host is up (0.0010s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    VMware Server 2 http config
Service Info: Host: 89.vonworldwide.com

Read data files from: /usr/local/share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.72 seconds
           Raw packets sent: 6 (240B) | Rcvd: 2 (72B)

This is fine, but a waste of time. My goal was to find whether or not this host was running a webserver, simply because I needed to enumerate it after the fact, maybe with dirbuster or Nikto. I know that I need to do something AFTER the fact, and I don't want to sit around waiting for this to finish to get to the next stage.

Code:
[root@kenji ~]# uname -a
FreeBSD kenji 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Mar 20 10:42:10 EDT 2012     root@kenji:/usr/obj/usr/src/sys/SARU  i386
[root@kenji ~]# nmap -sS -sV -p 80 -v 10.4.64.89 | awk '/open/ {
>   print a[NR%2] "\n" a[(NR+1)%2]
>   print;getline;print;getline;exit
> }
> {a[NR%2]=$0}
> '|awk '/open port/{print $6}'
10.4.64.89
[root@kenji ~]#

Now that this solves one problem, I can create a script that does something like:

if [ this server runs http ]
then
    run nikto using this directory list I created
fi

Let's see it in action:

Code:
[root@kenji ~]# nmap -sS -sV -p 80 -v 10.4.64.89 | awk '/open/ {
  print a[NR%2] "\n" a[(NR+1)%2]
  print;getline;print;getline;exit
}
{a[NR%2]=$0}
'|awk '/open port/{print "nikto -host "$6}'|sh
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          10.4.64.89
+ Target Hostname:    10.4.64.89
+ Target Port:        80
+ Start Time:         2012-04-06 08:53:41
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ Root page / redirects to: https://10.4.64.89/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
^C[root@kenji ~]#

I killed it as it was only an example. In exams like this where time is a factor, don't get bogged down waiting on anything. There is nothing stopping you from automating a lot of tasks to narrow down the information you will need. This applies in the REAL world of penetration testing. Most times, I have automated scripts ready to roll the minute I pop a session. The reason for this is to allow me to get in and out and get as much data as quickly and silently as possible.

When I say silent: if you've read any of my posts before, I use a LOT of decoys ;) I also tend to use alternative means for extracting data. E.g., I will use DNS, ICMP, UDP, SSL tunnels at a rate-limited speed. I will throw data into comments on a webpage, then view the webpage and parse out the comments. Think outside the box. For some of these exams, it's not always about an 0day either. There is escalation and so forth. Config files, sniffing the wire from one machine to another. I would add "Try DIFFERENTLY" to their Try Harder motto.
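The scripts in the "OSCP and Pentesting 101" post above, the if/elif sketches in the two replies above, and the nmap | awk | nikto pipeline in this post all do the same job: parse one scan, branch on what is open, fire the follow-up tool and let wall report when it finishes. The following is an added example that puts those pieces together; it is not code from the posts or from any of the tools. It parses nmap's grepable output (-oG) rather than the verbose "Discovered open port" lines, because the -oG format puts each host on one line and its wording does not drift between nmap releases the way the human-readable text does. Everything below the parser is an assumption for illustration: the nikto and hydra command lines, the wordlist names (users.txt, passwords.txt, communities.txt), the output directory names, and the sample -oG text, which is constructed in nmap's format (the first host mirrors the 22/80 host from the post; the other two are made up).

```sh
#!/bin/sh
# Added example: a small follow-up framework driven by one nmap -oG sweep.
# Assumptions (not from the page): nikto and hydra on PATH, wordlists
# users.txt / passwords.txt / communities.txt in the working directory, and
# the output directories created in advance:
#   mkdir -p HTTP-OUTPUT HYDRA-RECON SNMP-OUTPUT
# Live use against a range you are authorised to test:
#   nmap -sS -sU -sV -p T:22,80,U:161 -oG sweep.gnmap 10.4.4.0/24
#   sh framework.sh sweep.gnmap          # print the job plan, touch nothing
#   RUN=1 sh framework.sh sweep.gnmap    # launch the jobs in the background

# Ports we follow up on; each needs a case in job_for_port.
FOLLOWUP_PORTS="22 80 161"

# Read -oG text on stdin; print the IPs that have port $1 in state "open".
hosts_with_port() {
    awk -v port="$1" '
        /^Host:/ {
            host = $2                            # "Host: 10.4.4.86 ()" -> IP
            n = split($0, cols, "\t")            # Host / Ports / Ignored State
            for (c = 1; c <= n; c++) {
                if (cols[c] !~ /^Ports: /) continue
                sub(/^Ports: /, "", cols[c])
                m = split(cols[c], entry, /, /)  # one entry per scanned port
                for (i = 1; i <= m; i++) {
                    split(entry[i], f, "/")      # port/state/proto//service//version/
                    if (f[1] == port && f[2] == "open") print host
                }
            }
        }'
}

# Print the shell command for the follow-up job on host $2, port $1;
# return 1 for ports we have no job for (assumed tool invocations).
job_for_port() {
    port="$1"; host="$2"
    case "$port" in
        22)  echo "hydra -L users.txt -P passwords.txt ssh://$host > HYDRA-RECON/$host-ssh.txt" ;;
        80)  echo "nikto -host $host -port 80 > HTTP-OUTPUT/$host-80.nikto" ;;
        161) echo "hydra -P communities.txt snmp://$host > SNMP-OUTPUT/$host-snmp.txt" ;;
        *)   return 1 ;;
    esac
}

# Read -oG text on stdin; print one job command per (port, open host) pair.
plan_jobs() {
    gnmap=$(cat)                                 # buffer so each port can rescan it
    for port in $FOLLOWUP_PORTS; do
        printf '%s\n' "$gnmap" | hosts_with_port "$port" | while read -r host; do
            job_for_port "$port" "$host"
        done
    done
}

# Read job commands on stdin; run each in the background and have wall announce
# it when done, so progress is visible from whichever terminal you are in.
run_jobs() {
    while read -r job; do
        ( sh -c "$job"; printf 'Done: %s\n' "$job" | wall ) &
    done
    wait
}

# Constructed -oG sample in nmap's format (not real scan output): the first
# host mirrors the one in the post (22 and 80 open); the others are made up.
sample_gnmap() {
    printf '%s\n' '# Nmap 5.61TEST5 scan initiated as: nmap -sS -sU -sV -oG - 10.4.4.0/24'
    printf '%s\t%s\n' 'Host: 10.4.4.86 ()' 'Status: Up'
    printf '%s\t%s\t%s\n' 'Host: 10.4.4.86 ()' \
        'Ports: 22/open/tcp//ssh//OpenSSH 5.8p1 Debian 7ubuntu1 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.20 ((Ubuntu))/, 161/closed/udp//snmp///' \
        'Ignored State: closed (1997)'
    printf '%s\t%s\t%s\n' 'Host: 10.4.4.90 ()' \
        'Ports: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 161/open/udp//snmp///' \
        'Ignored State: filtered (1997)'
    printf '%s\t%s\n' 'Host: 10.4.4.91 ()' 'Ports: 22/closed/tcp//ssh///, 80/closed/tcp//http///, 161/closed/udp//snmp///'
    printf '%s\n' '# Nmap done: 3 IP addresses (3 hosts up) scanned'
}

# Stand-alone use: plan (or, with RUN=1, run) the jobs for a saved -oG file.
if [ -n "${1:-}" ]; then
    if [ "${RUN:-0}" = 1 ]; then
        plan_jobs < "$1" | run_jobs
    else
        plan_jobs < "$1"
    fi
fi
```

The plan step is deliberately separate from the run step: `plan_jobs` only prints the commands, so you can eyeball what is about to be launched (and against which hosts) before `run_jobs` backgrounds them. Each job runs in its own subshell with `&`, so the terminal is free for the next task, and the `wall` after it is the "write it everywhere" signal from the post.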
70  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Security Certification Roadmap on: April 04, 2012, 03:02:46 PM
Now in a situation like this (mile2, SU, SecurityCertified) I don't even wanna pull a trump card, because they have their place in the industry that I don't want to get involved in. None of the three map to any DoD 8750, so the reality is, I won't bother. Aside from that, I wouldn't want anyone coming around to me saying: "man that really sucked", "they robbed me blind", etc., etc., etc. Bad enough I threw ECC up there.
71  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Security Certification Roadmap on: April 04, 2012, 01:30:04 PM
I have mile2 CSWAE and truly it's not even worth mentioning (even if it is padding my sig)

:) I was trying to be politically nice ;)
72  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Security Certification Roadmap on: April 04, 2012, 11:31:03 AM
Don't forget the Security University and Mile2 certs, depending on how full you want to have the tree.

also the International Association of Computer Investigative Specialists (IACIS) cert for forensics.

Not willing to bother with Mile2 and this is why:

* Certified Penetration Testing Engineer (formerly CPTS)
* Certified Penetration Testing Consultant (formerly old CPTE)

Which would you perceive I should post? CPTC

They are a bit too scattered for me to browse through their information. I will go over Security University's offerings, but they too are a bit scattered for me. I will check out IACIS; however, my list is based on a few criteria: I have heard about it, read about it, it is in demand (visible in, say, a Dice.com or Monster.com search) and it makes sense to me. There should be no reason why I would have to go to a "certification" giver and try to make sense of what they're offering. Under http://mile2.com/mile2-courses.html they state one thing, then on the other page they state another: "Course: CPTE" followed by... "formerly old CPTE". Which is it? Let them sort it out.
73  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Security Certification Roadmap on: April 03, 2012, 03:16:07 PM
I would place it (likely going to) under Incident Response and Forensics, as that's where it belongs ;) I haven't started on Network Security yet because I am likely going to do something NO ONE WILL LIKE, and that is to post information relevant to CCNA/CCDP, which teaches A LOT about networking from the protocol on up and includes security. While it is vendor specific, those two courses will teach you more about NETWORK security than the GCIA would. A network to me is OSI layers 1 - 4 and functions outside of Windows/Linux, etc. Networking will also be forked into specifics, likely Firewalls, IDS/IPS and "Broad" for other certs like SANS' GCED, etc. Still working on it.
74  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Security Certification Roadmap on: April 03, 2012, 02:32:13 PM
As much as I write, I hate writing. A book from me would be incoherent, since I come from different areas of security. I actually started a book two years ago, but it was so scattered I gave up. ;) Besides, the things I would write about would likely get me put on watchlists or some other form of trouble.

ADDED (forgot to mention):
Updated the page with links... Still working on it
75  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Security Certification Roadmap on: April 03, 2012, 01:43:28 PM
Working on the others when time allows; like I said, I just started... I will likely add links directly from a cert to the proctor's site, then tree it to suggested reading, etc.
© 2013 The Ethical Hacker Network