OSCP and Pentesting 101

    • #7503
      sil
      Participant

      I wanted to take some time to give those taking the OSCP and similar exams a bit of food for thought when taking these exams. The food will come via taking time to create a repeatable framework in order to perform necessary objectives on the road to “owning the box.” Be it Windows, Linux, BSD, the flavor is irrelevant. I urge anyone taking the exam to go over the PTES (Penetration Testing Execution Standard) as it is more detailed than what you will see here.

      The OSCP exam seems to eat up a lot of time for a lot of individuals taking the exam. Time is crucial in this exam as you are going to be allotted 24 hours. In the real world, your SOW will also have a cut-off time. So how can you maximize your time without having your work all over the place? The answer is to create yourself a framework.

      In the following mindmap (http://www.infiltrated.net/mgz/oscp.jpeg), I have a target and the tasks I would take in trying to exploit the target. In the enumeration/identification step, I will begin with, but not rely on, NMAP. I try to use p0f whenever possible since it offers a better mechanism of identifying a target.

      I try to use p0f especially when identifying webservers, since I can use a proxy server to connect without triggering anything out of the ordinary. In the following snippet, I will connect from my desktop (FreeBSD 9.0) to a forensic workstation I created using Ubuntu, on port 80.


      [root@kenji ~]# uname -a
      FreeBSD kenji 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Mar 20 10:42:10 EDT 2012    root@kenji:/usr/obj/usr/src/sys/SARU  i386
      [root@kenji ~]# nmap -sS -P0 -sV -T2 -vvv 10.4.4.86

      Starting Nmap 5.61TEST5 ( http://nmap.org ) at 2012-04-09 14:47 EDT
      NSE: Loaded 16 scripts for scanning.
      Initiating Parallel DNS resolution of 1 host. at 14:47
      Completed Parallel DNS resolution of 1 host. at 14:47, 0.03s elapsed
      DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
      Initiating SYN Stealth Scan at 14:47
      Scanning 10.4.4.86 [1000 ports]
      Discovered open port 22/tcp on 10.4.4.86
      Discovered open port 80/tcp on 10.4.4.86
      Completed SYN Stealth Scan at 14:54, 401.81s elapsed (1000 total ports)
      Initiating Service scan at 14:54
      Scanning 2 services on 10.4.4.86
      Completed Service scan at 14:54, 6.38s elapsed (2 services on 1 host)
      NSE: Script scanning 10.4.4.86.
      NSE: Starting runlevel 1 (of 1) scan.
      Nmap scan report for 10.4.4.86
      Host is up (0.00038s latency).
      Scanned at 2012-04-09 14:47:38 EDT for 409s
      Not shown: 998 closed ports
      PORT  STATE SERVICE VERSION
      22/tcp open  ssh    OpenSSH 5.8p1 Debian 7ubuntu1 (protocol 2.0)
      80/tcp open  http    Apache httpd 2.2.20 ((Ubuntu))
      Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

      Read data files from: /usr/local/share/nmap
      Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
      Nmap done: 1 IP address (1 host up) scanned in 408.69 seconds
                Raw packets sent: 1000 (44.000KB) | Rcvd: 1000 (40.008KB)

      NMAP states this is Ubuntu, what does p0f state?


      [root@kenji ~]# p0f -o /tmp/p0f.output

      .-[ 10.4.4.72/16070 -> 10.4.4.86/80 (syn) ]-
      |
      | client  = 10.4.4.72/16070
      | os      = FreeBSD 9.x
      | dist    = 0
      | params  = none
      | raw_sig  = 4:64+0:0:1460:65535,6:mss,nop,ws,sok,ts:df,id+:0
      |
      `----

      .-[ 10.4.4.72/16070 -> 10.4.4.86/80 (mtu) ]-
      |
      | client  = 10.4.4.72/16070
      | link    = Ethernet or modem
      | raw_mtu  = 1500
      |
      `----

      .-[ 10.4.4.72/16070 -> 10.4.4.86/80 (uptime) ]-
      |
      | client  = 10.4.4.72/16070
      | uptime  = 20 days 2 hrs 47 min (modulo 49 days)
      | raw_freq = 999.93 Hz
      |
      `----

      .-[ 10.4.4.72/16070 -> 10.4.4.86/80 (syn+ack) ]-
      |
      | server  = 10.4.4.86/80
      | os      = Linux 3.x
      | dist    = 0
      | params  = none
      | raw_sig  = 4:64+0:0:1460:mss*10,4:mss,sok,ts,nop,ws:df:0
      |
      `----

      .-[ 10.4.4.72/16070 -> 10.4.4.86/80 (mtu) ]-
      |
      | server  = 10.4.4.86/80
      | link    = Ethernet or modem
      | raw_mtu  = 1500
      |
      `----

      .-[ 10.4.4.72/16070 -> 10.4.4.86/80 (http request) ]-
      |
      | client  = 10.4.4.72/16070
      | app      = ???
      | lang    = English
      | params  = none
      | raw_sig  = 1:Host,User-Agent,Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8],Accept-Language=[en-us,en;q=0.5],Accept-Encoding=[gzip,deflate],Accept-Charset=[ISO-8859-1,utf-8;q=0.7,*;q=0.7],Keep-Alive=[115],Proxy-Connection=[keep-alive],?If-Modified-Since,?If-None-Match:Connection:Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.9.2.27) Gecko/20120314 Firefox/3.6.27
      |
      `----

      .-[ 10.4.4.72/16070 -> 10.4.4.86/80 (http response) ]-
      |
      | server  = 10.4.4.86/80
      | app      = ???
      | lang    = none
      | params  = none
      | raw_sig  = 1:Date,Server,?ETag,?Vary:Content-Type,Connection,Keep-Alive,Accept-Ranges:Apache/2.2.20 (Ubuntu)
      |
      `----

      We can validate whether or not our nmap output is accurate, but we can also assess how long the server has been running and get an idea of the patch level of a machine. Now, in order to minimize time, I might sweep a subnet for specifics: HTTP, SMTP, POP and so forth. The reasoning for this is that when under time constraints, it allows me to focus specific attacks and probes against those specific targets that I know are running the service. This allows me to spend time elsewhere (running other nmap sweeps, etc.).

      For example, I can sweep a /24 for ONLY port 80 and begin launching more probes in the background, while I launch other scans and other probes at another service.


      #!/bin/sh
      printf "Enter host\n\n"
      read HOST

      # nmap -v prints "Discovered open port 80/tcp on <host>"; awk keeps field 2 ("open")
      WEB=`nmap -sS -p80 "$HOST" -v | awk '/open port/{print $2}' | grep -vi dis`

      if [ "$WEB" = open ]
      then
          nikto -host "$HOST"
      fi

      exit 0

      In any event, if you’re doing ONE thing and ONE THING only on the OSCP exam, you’re wasting time. There is nothing stopping you from opening a terminal and creating your own little framework for doing this exam:


      #!/bin/bash
      # brace expansion needs bash; on plain sh list the directories explicitly
      mkdir -p {HTTP-OUTPUT,HYDRA-RECON,NIKTO-OUTPUT,SNMP-OUTPUT}

      printf "Enter host\n\n"
      read HOST

      WEB=`nmap -sS -p80 "$HOST" -v | awk '/open port/{print $2}' | grep -vi dis`

      if [ "$WEB" = open ]
      then
          cd HTTP-OUTPUT
          nikto -host "$HOST" > "$HOST.nikto.output"
          # tell every logged-in terminal that the job finished
          echo "Completed Nikto" | wall
      fi

      exit 0

      Get the picture?

      1) Make relevant directories (way beforehand)
      2) Enter a target
      3) Go check if the target is running anything on port 80
      4) If it is, then run nikto against it
      5) When done, write it everywhere in case I am on 50 different terminals

      You can continue something like this to fire off dozens of tests, probes, and so on. What you do with your time is always going to be critical since time is irreplaceable. The same applies when performing real-world testing. You may be in a bind for time; if you’re waiting on the output of one tool, you’re wasting time. Moving back to the mindmap, take some time to think about a structured way to attack this exam. There is no reason you cannot fork off processes way before you even get started. Practice in your own environment:



      if $THIS_TARGET is running SNMP
      then run hydra
      else if $THIS_TARGET is running HTTP
      then use $TOOL_OF_CHOICE
      fi

      Same applies in the real world. When performing tests, it is critical not only that you perform the necessary testing, but also that you manage your time while doing so (time is money). Creativity goes a long way in this field (pentesting); however, it makes no sense to throw paint on a canvas and, once done, determine you are now going to start painting the Mona Lisa. Planning goes a long way.

      Food for thought.
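      Added example, not sil’s code and not part of p0f: a POSIX sh/awk summarizer for the p0f 3.x text layout shown in the post, so the passive OS and uptime findings per endpoint can be lined up against the active nmap result instead of re-reading every block. The log excerpt inside is constructed from the post’s output format.

```shell
#!/bin/sh
# Summarize a p0f 3.x text log (layout as in the post above) into one line per
# finding: "role endpoint block field=value". Example code added for this
# write-up, not sil's or p0f's own; the log excerpt is constructed.

P0F_LOG="${TMPDIR:-/tmp}/p0f.sample.$$"
trap 'rm -f "$P0F_LOG"' EXIT
cat > "$P0F_LOG" <<'EOF'
.-[ 10.4.4.72/16070 -> 10.4.4.86/80 (syn) ]-
|
| client  = 10.4.4.72/16070
| os      = FreeBSD 9.x
| dist    = 0
|
`----

.-[ 10.4.4.72/16070 -> 10.4.4.86/80 (uptime) ]-
|
| client  = 10.4.4.72/16070
| uptime  = 20 days 2 hrs 47 min (modulo 49 days)
|
`----

.-[ 10.4.4.72/16070 -> 10.4.4.86/80 (syn+ack) ]-
|
| server  = 10.4.4.86/80
| os      = Linux 3.x
| dist    = 0
|
`----
EOF

# p0f_summary FILE
# Prints "role endpoint block field=value" for every os= and uptime= line,
# taking role (client/server) and endpoint from the same block's header lines.
p0f_summary() {
    awk '
        /^\.-\[/ {                                   # block header line
            kind = $0
            sub(/.*\(/, "", kind); sub(/\).*/, "", kind)   # text inside (...)
            role = ""; ep = ""
            next
        }
        /^[|] (client|server) +=/ { role = $2; ep = $NF; next }
        /^[|] (os|uptime) +=/ {
            field = $2
            sub(/^[|] [a-z]+ += /, "")               # keep only the value
            printf "%s %s %s %s=%s\n", role, ep, kind, field, $0
        }
    ' "$1"
}

# Demo. The uptime is inferred from TCP timestamps and wraps every 49 days
# (the "modulo" in the log), so read it as a lower bound, not a fact.
p0f_summary "$P0F_LOG"
```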

    • #46793
      hayabusa
      Participant

      ++1

      Multitasking is essential, both in real-world pentesting, and in these courses.  You WILL NOT complete the exams in OSCP, if you remain single-threaded…

      sil’s advice is spot on.

    • #46794
      unicityd
      Participant

      Very nice write-up.

    • #46795
      sil
      Participant

      @hayabusa wrote:

      ++1

      Multitasking is essential, both in real-world pentesting, and in these courses.  You WILL NOT complete the exams in OSCP, if you remain single-threaded…

      sil’s advice is spot on.

      Real world is funny, and sometimes I fool around with the admins watching me perform my tests, thinking they’re going to do something stupid like stop me. Before I even start most tests, I fire off dozens of decoys (sometimes including their IP space) so they don’t turn around and block me. Once I’m running though, I usually blend right in since people will be so confused by the amount of stuff they’re seeing.

    • #46796
      j0rDy
      Participant

      Great post. I remember someone saying that pentesting consists for the most part of waiting. This is only true if you truly master the skill, and by that I mean automate, automate and automate… let the computer do the work for you and use the fact it can multitask like no other…

      Some other tips:
      Try to separate automated scans. Sometimes tools get in each other’s way. An example from my experience is that nmap and nessus can be working against each other during UDP scans.

      Talking about nikto, sometimes tools provide you with false positives (which is perfectly shown in the Ubuntu/FreeBSD example), so NEVER trust the output of tools blindly; always perform a manual check or use a second/third tool to confirm.

    • #46797
      impelse
      Participant

      This is a great post. Last night I was enumerating users in an SMTP service; during that time I was thinking, how can I increase the performance or do something else with this? And I remembered your post.

    • #46798
      sil
      Participant

      @impelse wrote:

      This is a great post. Last night I was enumerating users in an SMTP service; during that time I was thinking, how can I increase the performance or do something else with this? And I remembered your post.

      Another thing I do to cut time is distributed password cracking. I fortunately have access to quite a few machines. What I do is parse out my word lists and split them between machines. For example:


      [root@kenji ~/WORDLISTS]# wc -l MEGALIST.txt
        472567089 MEGALIST.txt

      I will split this into about 16 files and send them to 8 different machines. Since they’re sorted alphanumerically, it becomes divide and conquer. Whereas if I had one machine starting at, say, A, it would take N amount of time to reach Z. If each file consisted of, say, 3.5 letters of the alphabet, my time is shortened (File 1 = A – Ch, File 2 = Ch – Fa, File 3….). My wordlists are created using a bucketload of words and iterations on those words, and contain the MD5 and SHA1 of each instance. So I can just grep a word or a hash and see the other:


      [root@kenji ~/WORDLISTS]# grep 1361067 MHASHED.txt
      1361067 db402c6afef2cbe85da35ebe4e40cba3

      [root@kenji ~/WORDLISTS]# grep d3d0472e95296db8d01e401e7d8206d6 MHASHED.txt
      123098  d3d0472e95296db8d01e401e7d8206d6

      Rather than wait until the last second, these are little things anyone can lay out beforehand. Before I even go the cracking route, though, I will try out some stuff online so I waste even less time: http://www.md5decrypter.co.uk/

    • #46799
      DragonGorge
      Participant

      Quick question – I’ve read several OSCP reviews where the person states something to the effect: “I would have cracked that first box in half the time had I not [made a programming error].”

      This confuses me. Are the programs you create for the test the kind where you don’t get any feedback (i.e. find out you made a mistake) until they’re finished running?

    • #46800
      sil
      Participant

      @DragonGorge wrote:

      Quick question – I’ve read several OSCP reviews where the person states something to the effect: “I would have cracked that first box in half the time had I not [made a programming error].”

      This confuses me. Are the programs you create for the test the kind where you don’t get any feedback (i.e. find out you made a mistake) until they’re finished running?

      If you’re writing your own tool, it’s up to you to direct how the output appears to you. Think about that for a moment… YOU are the one writing the program; what is it you want your program to do? How should it connect, what should it do when it connects, what should it do if successful, if it fails?

    • #46801
      SephStorm
      Participant

      Sil, in those examples above, are those examples of scripting?

    • #46802
      sil
      Participant

      Some are, some aren’t. Scripting is nothing more than running successive commands. For example, I need to check if there is a shadow or master.passwd file on this machine, and if so, since I may not have privileges to copy or view it, let me see who in the sudoers group may have access to do what I need done (this helps since I can also attack that account as opposed to targeting root) and also who from the passwd file may have privs.


      # more ehnet-scripting-example
      if [ -e /etc/shadow ]
      then
          cp /etc/shadow /tmp
      else
          if [ -e /etc/master.passwd ]
          then
              printf "must be a BSD machine\nFinding out who has sudo privs\n"
              # sudoers entries that are neither comments nor blank, then UID-0 accounts
              awk '!/#/ && !/^$/' /usr/local/etc/sudoers | sort -u
              grep ":0:" /etc/passwd
          fi
      fi
      # sh ehnet-scripting-example
      must be a BSD machine
      Finding out who has sudo privs

      %wheel ALL=(ALL) NOPASSWD: ALL
      root ALL=(ALL) ALL
      root:*:0:0:Charlie &:/root:/usr/local/bin/bash
      toor:*:0:0:Bourne-again Superuser:/root:
      sil:*:1001:0:sil:/home/sil:/bin/sh

      As explained, scripting is nothing more than successive commands. I would run something like this as it gives me more targets to aim for as opposed to aiming for the holy grail. I wouldn’t need to, as I can also target the account “sil”, who is in group wheel, which has sudo privs without a password.

    • #46803
      dynamik
      Participant

      @sil wrote:

      Practice in your own environment:

      This is actually an excellent use of OffSec lab time as well. Instead of solely focusing on compromising systems, spend some time developing a game plan and attack methodology for the actual exam.

      I’m a fan of running smaller, quicker scans, so I can obtain information to start working with expeditiously.

      The following one-line script takes a start number, end number, and tcp/udp input, and returns a comma-separated list of ports from the nmap services file based on popularity.

      Code:
      sort -r -k3 /usr/local/share/nmap/nmap-services | grep "$3" | grep -v ^# | sed -n "$1,$2p" | cut -d"/" -f1 | cut -f2 | tr "\n" "," | sed s/.$//

      For example, the following command scans the top ten TCP ports (note: the start/end numbers are popularity rankings, not actual port numbers).

      Code:
      root@bt:~# nmap -p`./ports.sh 1 10 tcp` 192.168.1.1 -oA scan

      Reviewing the scan.nmap file shows the actual command that was run: nmap -p80,23,443,21,22,25,3389,110,445,139 -oA scan 192.168.1.1

      You could do the same thing with --top-ports 10 for this specific scan, but if you performed subsequent scans of 20, 30, etc., you’d be rescanning the same ports over and over instead of being able to increment by 10 (or whatever amount). Starting with popular ports will typically give you the most information in the shortest amount of time. Once you have enough to keep you busy for a while, you can expand the range and do 50, 100, etc. ports at a time.

      Much more functionality could obviously be included. For example, the nmap command could be included in the script and -sU added if UDP was chosen, the ports could be included in the output file name so you don’t accidentally overwrite previous scans, and so on.

    • #46804
      sil
      Participant

      @ajohnson wrote:

      Code:
      sort -r -k3 /usr/local/share/nmap/nmap-services | grep "$3" | grep -v ^# | sed -n "$1,$2p" | cut -d"/" -f1 | cut -f2 | tr "\n" "," | sed s/.$//

      Would never work in BSD or Solaris 😛

      awk '$3 >= .25{print}' /usr/local/share/nmap/nmap-services |
      awk -F "/" '!/^#/{print $1}' |
      awk '{print $2}' |
      perl -p -e 's:\n:,:g' |
      ruby -pe 'gsub(/,$/, "")'

      In action via FreeBSD:


      # nmap -p `awk '$3 >= .25{print}' /usr/local/share/nmap/nmap-services |
      awk -F "/" '!/^#/{print $1}' |
      awk '{print $2}' |
      perl -p -e 's:\n:,:g' |
      ruby -pe 'gsub(/,$/, "")'` 10.4.4.72

      Starting Nmap 5.61TEST5 ( http://nmap.org ) at 2012-04-11 10:29 EDT
      Nmap scan report for kenji.infiltrated.net (10.4.4.72)
      Host is up (0.000018s latency).
      PORT    STATE  SERVICE
      80/tcp  open  http
      123/tcp  closed ntp
      137/tcp  closed netbios-ns
      138/tcp  closed netbios-dgm
      161/tcp  closed snmp
      445/tcp  closed microsoft-ds
      631/tcp  closed ipp
      1434/tcp closed ms-sql-m

      Nmap done: 1 IP address (1 host up) scanned in 2.29 seconds
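      Added example, not dynamik’s or sil’s code: a version of the popularity-ranked port list that takes the same START END PROTO arguments but relies only on POSIX sh, awk, sort and sed, so it behaves the same on BSD, Solaris and Linux. By default it runs against a constructed excerpt of nmap-services so it can be tried offline; pass the real file path as a fourth argument.

```shell
#!/bin/sh
# Portable (POSIX sh + awk + sort + sed) "top ports by popularity" helper in
# the spirit of the one-liners in this thread. Example code added for this
# write-up, not the posters' own. The services excerpt below is constructed
# so the script runs offline; use the 4th argument for the real file.

SAMPLE_SERVICES="${TMPDIR:-/tmp}/nmap-services.sample.$$"
trap 'rm -f "$SAMPLE_SERVICES"' EXIT
cat > "$SAMPLE_SERVICES" <<'EOF'
# Constructed excerpt in nmap-services layout: service port/proto frequency
# (the real file is tab-separated; any whitespace works for the parser)
http        80/tcp    0.484143   # World Wide Web HTTP
telnet      23/tcp    0.221265
https       443/tcp   0.208669
ftp         21/tcp    0.197667
ssh         22/tcp    0.182286
smtp        25/tcp    0.131314
snmp        161/udp   0.433467
netbios-ns  137/udp   0.365163
ntp         123/udp   0.330879
domain      53/udp    0.213496
EOF

# top_ports START END PROTO [FILE]
# Prints the ports ranked START..END by frequency (ranks, not port numbers)
# for PROTO (tcp or udp) as a comma-separated list suitable for nmap -p.
# No trailing-comma trimming is needed, and END past the last entry is fine.
top_ports() {
    start=$1; end=$2; proto=$3; file=${4:-$SAMPLE_SERVICES}
    awk -v proto="$proto" '
        /^#/ { next }                               # skip comment lines
        split($2, pp, "/") && pp[2] == proto {      # keep only PROTO rows
            print $3, pp[1]                         # "frequency port"
        }' "$file" |
    sort -rn |                                      # most popular first
    sed -n "${start},${end}p" |                     # the requested ranks
    awk '{ list = list (NR > 1 ? "," : "") $2 } END { print list }'
}

# Demo: the five most popular TCP ports of the sample -> 80,23,443,21,22
top_ports 1 5 tcp
# Against the real file, e.g.:
#   nmap -p "$(top_ports 1 10 tcp /usr/local/share/nmap/nmap-services)" TARGET
```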

    • #46805
      sil
      Participant

      By the way, the reasoning for the mixture of awk, perl and ruby in my example is to get you guys to see other variations across different languages. Improvisation.

    • #46806
      dynamik
      Participant

      @sil wrote:

      By the way, the reasoning for the mixture of awk, perl and ruby in my example is to get you guys to see other variations across different languages. Improvisation.

      I knew I was setting myself to get schooled, yet I posted anyway… 😮

    • #46807
      sil
      Participant

      @ajohnson wrote:

      @sil wrote:

      By the way, the reasoning for the mixture of awk, perl and ruby in my example is to get you guys to see other variations across different languages. Improvisation.

      I knew I was setting myself to get schooled, yet I posted anyway… 😮

      Nah no way, not schooling at all, offering the same in an alternative form 😉

      I don’t really use -oA at all with nmap; here is how I would do it if using nmap with your one-liners, based off the crap in my office:


      [root@kenji ~]# nmap -sS -O --version-intensity 7 -sV -p `awk '$3 >= .25{print}' /usr/local/share/nmap/nmap-services |
      awk -F "/" '!/^#/{print $1}' |
      awk '{print $2}' |
      perl -p -e 's:\n:,:g' |
      ruby -pe 'gsub(/,$/, "")'` 10.4.4.1,55,72 | awk '!/closed|filtered/'

      Starting Nmap 5.61TEST5 ( http://nmap.org ) at 2012-04-11 10:49 EDT
      Nmap scan report for 10.4.4.1
      Host is up (0.00041s latency).
      PORT    STATE  SERVICE      VERSION
      MAC Address: 00:16:76:2F:A1:6E (Intel)
      Device type: firewall|general purpose
      Running: Genua OpenBSD 4.X, OpenBSD 4.X|5.X
      OS CPE: cpe:/o:genua:openbsd:4 cpe:/o:openbsd:openbsd:4.1 cpe:/o:openbsd:openbsd:5
      OS details: Genua GeNUGate Firewall 7.0 (OpenBSD 4.6), OpenBSD 4.1, OpenBSD 4.1 (x86), OpenBSD 4.1 - 4.3, OpenBSD 4.3, OpenBSD 4.5, OpenBSD 5.0 GENERIC
      Network Distance: 1 hop

      Nmap scan report for 10.4.4.55
      Host is up (0.00018s latency).
      PORT    STATE  SERVICE    VERSION
      80/tcp  open  http        Apache httpd 2.2.10 ((Linux/SUSE))
      445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: SHISEI)
      Device type: general purpose
      Running: Linux 2.6.X
      OS CPE: cpe:/o:linux:kernel:2.6
      OS details: Linux 2.6.13 - 2.6.32
      Network Distance: 1 hop

      Nmap scan report for kenji.infiltrated.net (10.4.4.72)
      Host is up (0.000017s latency).
      PORT    STATE  SERVICE      VERSION
      80/tcp  open  http        Apache httpd 2.2.22 ((FreeBSD) PHP/5.3.10 with Suhosin-Patch mod_ssl/2.2.22 OpenSSL/0.9.8q DAV/2)
      No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
      TCP/IP fingerprint:
      OS:SCAN(V=5.61TEST5%E=4%D=4/11%OT=80%CT=123%CU=35801%PV=Y%DS=0%DC=L%G=Y%TM=
      OS:4F859A3E%P=i386-portbld-freebsd9.0)SEQ(SP=101%GCD=2%ISR=10C%TI=I%CI=I%TS
      OS:=21)OPS(O1=M5B4NW6ST11%O2=M578NW6ST11%O3=M280NW6NNT11%O4=M3FD8NW6ST11%O5
      OS:=M218NW6ST11%O6=M109ST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=
      OS:FFFF)ECN(R=Y%DF=Y%T=41%W=FFFF%O=M5B4NW6SLL%CC=N%Q=)T1(R=Y%DF=Y%T=41%S=O%
      OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=41%W=FFFF%S=O%A=S+%F=AS%O=M109NW6
      OS:ST11%RD=0%Q=)T4(R=Y%DF=Y%T=41%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=4
      OS:1%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=41%W=0%S=A%A=Z%F=R%O=%RD=0%
      OS:Q=)T7(R=Y%DF=Y%T=41%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=41%IPL=38%
      OS:UN=0%RIPL=G%RID=G%RIPCK=Z%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=41%CD=S)

      Network Distance: 0 hops

      OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
      Nmap done: 3 IP addresses (3 hosts up) scanned in 39.06 seconds
      [root@kenji ~]#

      My scans tend to stay in SYN land 😉 and I always (without fail) go deep in versioning when possible.

Copyright ©2020 Caendra, Inc.
