Come on guys, I've been studying this training for the last 2 /12 weeks and I am still beginning the smtp (My record show me 19 hours)
How fast do you move with the material? I am trying to assimilate all the info and do all the labs and extra miles but I am not sure if 90 days will be enough.
Here is something I will give a tip on concerning the OCSP and others like it: If you're machine is doing only one thing, and your focused on one thing... You're doing it wrong.
You're capable of opening up the amount of terminals allowed by the amount of memory on your machine to perform functions. If you're doing the exam or others like it using a Unix based system, I suggest creating desktops for specific tasks, e.g:
Desktop 1 - Scanning and Enumeration
Desktop 2 - brute forcing / password cracking
Desktop 3 - Web applications
etc
etc
This allows you to go back and forth and perform multiple tasks without getting lost. Scripting helps, e.g.:
nmap -sS -sV -O this.block/24 -oX this.block-scan.xml ; printf "\n\nDone"|wall
You don't necessarily have to wait for nmap to finish to perform another task. You can move on and do what you need to do. Let's better this example:
[root@kenji ~]# uname -a
FreeBSD kenji 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Mar 20 10:42:10 EDT 2012 root@kenji:/usr/obj/usr/src/sys/SARU i386
[root@kenji ~]# nmap -sS -sV -p 80 -v 10.4.64.89
Starting Nmap 5.61TEST5 ( http://nmap.org ) at 2012-04-05 08:47 EDT
NSE: Loaded 16 scripts for scanning.
Initiating Ping Scan at 08:47
Scanning 10.4.64.89 [4 ports]
Completed Ping Scan at 08:47, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:47
Completed Parallel DNS resolution of 1 host. at 08:47, 0.08s elapsed
Initiating SYN Stealth Scan at 08:47
Scanning 89.64.4.10.in-addr.arpa (10.4.64.89) [1 port]
Discovered open port 80/tcp on 10.4.64.89
Completed SYN Stealth Scan at 08:47, 0.21s elapsed (1 total ports)
Initiating Service scan at 08:47
Scanning 1 service on 89.64.4.10.in-addr.arpa (10.4.64.89)
Completed Service scan at 08:47, 6.00s elapsed (1 service on 1 host)
NSE: Script scanning 10.4.64.89.
Nmap scan report for 89.64.4.10.in-addr.arpa (10.4.64.89)
Host is up (0.0010s latency).
PORT STATE SERVICE VERSION
80/tcp open http VMware Server 2 http config
Service Info: Host: 89.vonworldwide.com
Read data files from: /usr/local/share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.72 seconds
Raw packets sent: 6 (240B) | Rcvd: 2 (72B)
This is fine, but a waste of time. My goal is to find whether or not this host was running a webserver. Simply because I needed to enumerate it after the fact. Maybe with dirbuster or Nikto. I know that I need to do something AFTER the fact, and I don't want to sit around waiting for this to finish to get to the next stage.
[root@kenji ~]# uname -a
FreeBSD kenji 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Mar 20 10:42:10 EDT 2012 root@kenji:/usr/obj/usr/src/sys/SARU i386
[root@kenji ~]# nmap -sS -sV -p 80 -v 10.4.64.89 | awk '/open/ {
> print a[NR%2] "\n" a[(NR+1)%2]
> print;getline;print;getline;exit
> }
> {a[NR%2]=$0}
> '|awk '/open port/{print $6}'
10.4.64.89
[root@kenji ~]#
Now that this solves one problem, I can create a script that does something like:
if [ this server runs http ]
then
run nikto using this directory list I created
fi
Let's see it in action:
[root@kenji ~]# nmap -sS -sV -p 80 -v 10.4.64.89 | awk '/open/ {
print a[NR%2] "\n" a[(NR+1)%2]
print;getline;print;getline;exit
}
{a[NR%2]=$0}
'|awk '/open port/{print "nikto -host "$6}'|sh
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP: 10.4.64.89
+ Target Hostname: 10.4.64.89
+ Target Port: 80
+ Start Time: 2012-04-06 08:53:41
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ Root page / redirects to: https://10.4.64.89/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
^C[root@kenji ~]#
I killed it as it was only an example. In exams like this where time is a factor, don't get bogged down with waiting on anything. There is nothing stopping you from automating a lot of tasks to narrow down the information you will need. This applies in the REAL world of penetration testing. Most times, I have automated scripts ready to roll the minute I pop a sessions. The reason for this is to allow me to get in and out and get as much data as quickly and silently as possible. When I say silent, if you've read any of my posts before, I use a LOT of decoys
I also tend to use alternative means for extracting data. E.g., I will use DNS, ICMP UDP, SSL tunnels at a rate limited speed. I will throw data into comments on a webpage, then view the webpage and parse out the comments. Think outside the box. For some of these exams, its not always about an 0day either. There is escalation and so forth. Config files, sniffing the wire from one machine to another. I would add: "Try DIFFERENTLY" to their Try Harder motto
News Items and General Discussion About EH-Net : ÌÀÃÀÇÈÍ ÌÎÄÍÎÉ ÎÄÅÆÄÛ APPLE-FASHION!
