OSCP exam in 1 week – Advice?

    • #5467
      caissyd
      Participant

      Hi everyone,

      I am challenging the OSCP certification next Saturday (August 21st). I think I am ready now. I have done all exercises and practiced all techniques in the lab. I did many “extra mile” exercises. I have hacked into several servers in the lab and I now have many scripts to help me automate tasks. I should be done organizing my notes this afternoon.

      So, with only one week left, I was thinking of, in priority order:

      1) Review the exercises I have done a while ago, to refresh my memory

      2) Prepare a “game plan” and practice it on a few lab machines. What I mean by that is to, for example, pick 5 lab machines I haven’t exploited yet and act as if they were part of the real exam. So go through reconnaissance, scanning, etc.

      3) Relax and rest properly Thursday and Friday.

      So, any other ideas?

      Thanks

    • #34511
      Darktaurus
      Participant

      I have not taken it so I cannot give any helpful hints.  But I still wanted to wish you good luck.  And like you said, relax.  I did find these links for inspiration and recommendations:

      http://www.chris-mohan.com/2010/02/how-to-fail-the-offensive-security-101-exam/

      http://xyberpix.blogspot.com/2007/08/oscp-certification-challenge-most.html

      http://www.elwood.net/post/39599202/offensive-security-oscp

      OSCP (Offensive Security Certified Professional) Training and Challenge

    • #34512
      KrisTeason
      Participant

      Are you doing the report in the class? Before I ran out of lab time, I actually zipped up the vulnerable web application they had written for students to break (on your assigned XP machine), and stuck it on a VM of mine to practice on.

      About a week before the exam, I spent it going over owning some of the lab machines I had already penetrated but focusing mainly on the multi-step machines as opposed to the “launch a remote-root exploit and gain access” machines. I also spent it getting together the final lab report.

      Don’t know if this will help you prep but here’s my review of it:
      PWB v3.0 Review

    • #34513
      caissyd
      Participant

      Thanks guys, great reading.

      focusing mainly on the multi-step machines as opposed to the “launch a remote-root exploit and gain access” machines

      @xXxKrisxXx – Could you give me a few examples (in the lab, not the exam!) of multi-step exploitation? I have done many so far in the lab, but I want to know if I have missed some… (which is probably the case!)

    • #34514
      hayabusa
      Participant

      Two things I’d do, prior to the exam:

      1.)  As you’ll be tired after the exam (unless you get enough points, fairly early on, like I did, to pass), make sure your report is done, up to the point of adding the exam data into it, as you only get an additional 24 hours after the exam to submit it all.

      2.) Forget about any scripts you’ve currently got written…  (no kidding)  While the knowledge of HOW to script stuff comes in handy, and you might script a few things, most of the scripting I’d done during the labs ended up wasting time in the exam.  I won’t explain exactly why, as to not give anything away, but for the most part, very little extra scripting was needed when I sat the exam.  You could do a few minor things in an automated fashion, but aside from that, you’ll spend more time working on your attack vectors, etc., and less time on heavy scripting.  I saw someone else, not long ago, had said something similar…  All of the extra effort he put into automating and scripting up things before the exam ended up being a waste of time and he threw them out the window fairly early on, and what scripts he DID use, he wrote quickly, during the exam.

      My 2 cents, anyway…

    • #34515
      hayabusa
      Participant

      Oh yeah, and as I’d said before in a few of the other OSCP-related threads…

      Be prepared to take breaks, regain composure and focus, and relax!

    • #34516
      Dark_Knight
      Participant

      – Rest. Rest. Rest and more rest prior to sitting the exam.

    • #34517
      caissyd
      Participant

      Thanks hayabusa

      Man it is stressful to wait for this test… It’s difficult to know what to do to get ready for this exam…

      I guess I will continue working in the lab and hack into more machines…

    • #34518
      Dutchie
      Participant

      @xXxKrisxXx wrote:

      Don’t know if this will help you prep but here’s my review of it:
      PWB v3.0 Review

      Maybe it is a good idea to post the review also on this forum as a reference for further candidates of the PWB.

      I found it a very constructive article!

      Many thanks!!

    • #34519
      KrisTeason
      Participant

      @Dutchie – Thanks, took me awhile to write it up.

      @xXxKrisxXx – Could you give me a few examples (in the lab, not the exam!) of multi-step exploitation? I have done many so far in the lab, but I want to know if I have missed some… (which is probably the case!)

      H1t M0nk3y – Sure. These are the machines that have taken multiple steps to penetrate that you’ve gotten. For example, you had to social engineer a client to click a link to enumerate software versions on the machine, then social engineer them to open a malicious pdf file. Or even like step 1 – crack an ssh account, 2 – wget a privilege escalation exploit onto the machine, 3 – compile / chmod permissions, 4 – run the exploit and get root privs. This would be considered a multi-step process because it’s just not a “launch the remote exploit, get a shell” type thing. These are useful to practice because you can’t expect the exam to be a simple “launch an existing remote exploit against a machine and get root privileges on it”.

    • #34520
      zeroflaw
      Participant

      My exam seems still far away with about 12 days of lab time left. I’ve owned several machines now, including some linux boxes that took multiple steps to get root on. I still don’t feel ready for the exam at all. Though it feels like my “skills” are improving 😛

      I’ll make sure I have all the exercises completed etc, because I’ve heard it can help you pass the exam.

    • #34521
      j0rDy
      Participant

      Great advice guys! I will look into some of them tomorrow… I think you can all guess why you haven’t heard from me in a little while. I’m also in the last days of my lab time and I want to use every last minute of it. I think I feel the same way as zeroflaw: I have learned a lot these past 2 months, but I am really afraid I am not ready. I got through on about 50% of the systems (some root, some just a shell), which makes it even more exciting to see what’s coming at the exam. I must say I enjoyed every minute of it! Heck, you would almost intentionally fail the exam just to take the whole course again for the fun of it! Expect a new written part of the walkthrough soon!

    • #34522
      caissyd
      Participant

      i think i feel the same way as zeroflaw: i have learned a lot these past 2 months, but i am really afraid i am not ready

      I think we are all feeling the same about this test!!!

      @xXxKrisxXx – Thanks! Here is another example. Compromise a web server, sniff legitimate traffic and use a client-side attack (a variation of one of your examples)

      I am sooo humble right now. Regarding this exam, I feel like I am throwing dice…

    • #34523
      hayabusa
      Participant

      OK, next hint…

      Don’t over-stress yourself!  Believe me when I tell you, if you’ve honestly put in the hours on the lab machines, and have successfully exploited numerous different Windows AND Linux machines, you ARE capable of passing the exam.  That’s NOT to say it’s a simple thing, but if you understand how to enumerate services, how to find exploits on the exploitdb and other sites, and have some idea how to customize existing exploits, like the course teaches you, for differing OS service packs, etc, then you should be able to pass.

      Don’t underestimate yourselves, and remember, while you may or may not pass, with a perfect score or otherwise, even after OSCP, the world of pentesting is a never-ending learning stream.

      I’ll also tell you this.  There may be more than one way to ‘skin the cat’ against the exam machines, just as some of the lab machines had more than one way to attack / penetrate / exploit them, as you’d often find in real-world pentests.  I can tell you, based on discussions with others who have passed, that in a few cases we approached some of the exam machines VERY differently, yet we all still exploited / root’d them.  When you pass, you’ll enjoy talking to others, and learning from their experiences / methods.  I’ve already learned some new things, SINCE taking the test, from the others’ discussions.  Well worth the time, effort, and camaraderie that you’ll have put in, and received, in the end.

      So feel comfortable with what you’ve accomplished in the labs so far, and if you UNDERSTAND what you’ve done, and the logic and methods behind it, you’re well on your way to a passing score on the exam, already.  Don’t stress, relax, and just make sure that you get plenty of rest, prior to taking it.  In fact, someone else on here had mentioned that they’d only spent time on about 7 of the lab machines, before taking and passing OSCP.  Not to say it’s EASY, and that means that person has some wealth of knowledge and experience to draw from, obviously, but to say that the key behind the labs is to get you thinking like a hacker / pentester, and to teach you how to engineer your own methods / solutions to situations.  Not necessarily to hand you exact duplicates of exam machines, so that if you’ve beaten every lab box, you’ll definitely know how to accomplish root on every exam machine.  It’s all about learning and preparation for things to come.

      Good luck to all, and let us know, pass or fail, so that we can congratulate you, or encourage you to work harder and pass the next time!

    • #34524
      caissyd
      Participant

      if you understand how to enumerate services, how to find exploits on the exploitdb and other sites, and have some idea how to customize existing exploits, like the course teaches you, for differing OS service packs, etc, then you should be able to pass.

      Thanks for encouraging us hayabusa!

      I will definitely continue working in the lab this week. I will also make sure I revise all the course material before Saturday.

      Long week ahead of me, but I like this course so much! 🙂

    • #34525
      eternal_security
      Participant

      @H1t M0nk3y wrote:

      Hi everyone,

      I am challenging the OSCP certification next Saturday (August 21st). I think I am ready now. I have done all exercises and practiced all techniques in the lab. I did many “extra mile” exercises. I have hacked into several servers in the lab and I now have many scripts to help me automate tasks. I should be done organizing my notes this afternoon.

      So, with only one week left, I was thinking of, in priority order:

      1) Review the exercises I have done a while ago, to refresh my memory

      2) Prepare a “game plan” and practice it on a few lab machines. What I mean by that is to, for example, pick 5 lab machines I haven’t exploited yet and act as if they were part of the real exam. So go through reconnaissance, scanning, etc.

      3) Relax and rest properly Thursday and Friday.

      So, any other ideas?

      Thanks

      – Be well-rested before taking the exam.
      – Have food prepared ahead of time so it is easy to refuel without taking too much time away from the exam (I generally ate and worked at the same time)
      – Relax
      – Take breaks, frequently if necessary (you’d be really surprised at what you’ll see if you’ve been staring at a problem for an hour and simply walk away for 5 minutes)
      – Relax
      – Take breaks (ok, yeah, I repeated myself – means I think it’s important)
      – Don’t be afraid to take a short nap if you need to
      – Try Harder!

      That’s about it.  If you made it through the course and the “extra mile” exercises, you should be pretty well prepared.  Don’t forget, they expect you to actually think when you take this exam, just like you did for the labs.  If you did it in the labs, you should be able to do it on the exam.

      Good luck!

      eternal_security

    • #34526
      caissyd
      Participant

      Another question: I know we won’t be allowed to use some tools during the exam, like Core Impact or Ettercap.

      Do you guys know if we will be allowed to use Metasploit, since it is part of the course? If we aren’t, I will make sure I study some other stuff…

    • #34527
      eternal_security
      Participant

      @H1t M0nk3y wrote:

      Another question: I know we won’t be allowed to use some tools during the exam, like Core Impact or Ettercap.

      Do you guys know if we will be allowed to use Metasploit, since it is part of the course? If we aren’t, I will make sure I study some other stuff…

      I can’t necessarily tell you what tools you will or will not be able to use, as I believe that would be a breach of NDA; however, I will tell you, you are correct that there are some that will be off-limits.  Just be able to do what you learned in the class (i.e. hack “manually”) and you won’t need to worry about it.  Does that help?

      Kind regards,
      eternal_security

    • #34528
      caissyd
      Participant

      It does help, thanks!  🙂

    • #34529
      Dutchie
      Participant

      Good Luck tomorrow on the exam!!

    • #34530
      caissyd
      Participant

      Thanks Dutchie

      I will tell you, you are correct that there are some that will be off-limits.

      I talked to the guys at Offensive-Security and their answer was: “Metasploit is forbidden on some machines”.

      So it is good, they want to know if we can do without on some machines and if we know how to use it on others.

    • #34531
      eternal_security
      Participant

      @H1t M0nk3y wrote:

      Thanks Dutchie

      I will tell you, you are correct that there are some that will be off-limits.

      I talked to the guys at Offensive-Security and their answer was: “Metasploit is forbidden on some machines”.

      So it is good, they want to know if we can do without on some machines and if we know how to use it on others.

      Glad you were able to find out.  I just didn’t want to say anything out of place or that may have violated NDA.  Good luck on the exam!!!

      Kind regards,
      eternal_security

    • #34532
      caissyd
      Participant

      I understand eternal_security!
      I should have asked them first anyway…

    • #34533
      hayabusa
      Participant

      They’ll definitely challenge you, to show your mettle!  😉

      But seriously, get some rest, take your breaks during, and you should do fine, if you did well at all in the labs.

    • #34534
      impelse
      Participant

      how was the exam?

    • #34535
      dynamik
      Participant

      @impelse wrote:

      how was the exam?

      I’d assume it’s still going. It’s a 24-hour exam after all. I’m sure he’ll fill us in ASAP.

    • #34536
      impelse
      Participant

      Everything is going to be fine.

    • #34537
      caissyd
      Participant

      Thanks guys for your support.

      I am waiting for the official results before posting. I am kind of borderline…
      Hopefully, I will get an answer today and regardless of the result, I will be posting my experience soon!

      Stay tuned…

    • #34538
      j0rDy
      Participant

      i’m keeping my fingers crossed! cant wait to read about your experience!

    • #34539
      hayabusa
      Participant

      @H1t M0nk3y wrote:

      Thanks guys for your support.

      I am waiting for the official results before posting. I am kind of borderline…
      Hopefully, I will get an answer today and regardless of the result, I will be posting my experience soon!

      Stay tuned…

      Understood on that.  I KNEW I got past mine, but you always wonder if something eluded you, in the back of your mind.  I can say, for instance, that I achieved the goal on the one machine (without giving any specifics,) but wasn’t sure if my method / reasoning for that one machine was going to suffice for the final, and if it hadn’t, I would’ve fallen just shy of passing.  (It did suffice, though, so I was stoked!)

    • #34540
      caissyd
      Participant

      Ok, I finally got their answer: I failed.

      But, I take it with a smile. I needed 70 points and I got 60. Without saying too much about the exam, each machine is worth a different amount of points and you need to be root/admin/system to earn the max amount of points.

      I got root or admin on 2 boxes and only a shell on a third one. If I would have had admin privileges on the third box, I would have had 70 points total.

      The exam was tough but fair (and also fun actually). I took many little breaks, but I didn’t sleep at all (5 espressos and 3 red bulls keep you awake!) and I didn’t even have time for breakfast! So yes, it was tough…

      I started studying in IT security exactly a year ago. So I am still pretty happy with what I have learned since then!

      But come on, 2 days before the exam, I was asking on this forum how to achieve privilege escalation!!! In addition, I only hacked my way into 8 machines in the lab… So it is entirely my fault…

      But I enjoyed doing the exam. Call me a masochist, but I truly had fun doing it. Maybe my years in the infantry helped me stay awake all night, but it felt like 7 hours instead of 24. I had a big smile on my face at the end, and here is why:

      I learned many things during this exam. I rooted a box in the first 2 hours and then I had to work for a full 16 hours before getting a shell on the next one (at exactly 4:40 am). But then, things went much quicker. It is hard to explain, but it is like I said: “now I get it!”. After that, every 20 minutes or so, I was making important discoveries. I knew what to do! I changed my way of approaching the exam and things got “easier” for me: I got admin privileges, then another shell, then… I ran out of time!

      So my feeling after the exam was changing rapidly:

      1) I first hope they will consider all the exercises I have done and let me pass.

      2) Then I thought a bit more. I shouldn’t pass. I don’t deserve it. So if I end up passing, I would act as if I failed: buy more lab time until I feel I know what I am talking about! I wouldn’t feel very happy about the result. I am not doing it for a piece of paper, but to learn and gain experience!

      Then when I learned today that I have failed, it kind of felt right. In a sense, I am happy they failed me because it gives more credibility to the certification. They don’t give it to anyone. But I was very close to making it. Very close!  So I am not that hopeless… 😉

      Another thing, my VM at home froze at 7:30am. After restarting it, my leo file was corrupted!!!! I lost 30 minutes trying to rebuild it and as a result, I lost many scan results… That pissed me off big time!!! >:(

      Oh and by the way, because I had this technical issue and because I was very close to making it (I guess!), the Offensive Security team gave me a free exam! So kudos to them, they were fair to the others by not letting me go away with the cert but at the same time, they made me feel like I was someone, not just another student…  ;D

      So now what?

      I am waiting for my new exam date. I will buy more lab time and I will practice, practice and practice more! I need to practice mainly two things: my methodology and privilege escalation. I want to pwn at least 20 boxes before I write the exam again! I am close and I will not let this discourage me!!!  😉

      One of my favorite quotes is: “What does not kill you, makes you stronger!”

      So I will be stronger next time…  😉

      Thanks everyone for your encouragement, you are the only ones I know who really understand what I am going through right now… But I keep my morale up!!!  😀

    • #34541
      impelse
      Participant

      Sorry to hear that, BUT KEEP GOING. I failed some exams and after I passed I felt that I learnt more.

    • #34542
      dynamik
      Participant

      That sounds like a really beneficial experience for you. You’ve come a very long way in just a year, so it sounds like you did very well, all things considered. I need to upgrade my materials and take a shot at it later this year. I’m already getting anxious 😉

      That’s awesome you got a free retake. I’m sure you’ll slay it the next time around.

    • #34543
      ziggy_567
      Participant

      It sucks that you didn’t get the little piece of paper at the end of it all, but congratulations on making it through the process and being happy with the outcome! To me, that means you put in the level of effort and got as much out of it as you could. I know if I took the class/exam right now, I’d probably do much worse than 10 points from passing! But, believe it or not, your previous post makes me want to take the class….

      I guess I’m a masochist along with you…

    • #34544
      zeroflaw
      Participant

      That’s too bad 🙁 Well at least you learned something from it and were close to passing.

      I also have trouble escalating privileges usually. You spawn a shell and think you’re in, only to realise you have to hack it again to achieve the goal 😛

      Keep going and hopefully you will pass next time!

    • #34545
      rattis
      Participant

      Sorry you didn’t pass, but look at it this way. It was worth it to learn what you didn’t know. I loved the write up.

      Some how I have a feeling you’re going to blow the number 70 out of the water next time.

    • #34546
      caissyd
      Participant

      Thank you very much guys, I currently have a big smile on my face just by reading your posts!!!  ;D

      Next time will come pretty soon. Now it’s time to hack and hack and hack!!!

      Now I really know how to prepare myself!

    • #34547
      hayabusa
      Participant

      I think you’ll knock it out of the park, next attempt, H1tM0nk3y!  Having passed it, myself, and talked to others, some of whom have told me they’d taken it a couple of times to pass, I think you’ll be more confident on the second go ’round, and will get through it.

    • #34548
      j0rDy
      Participant

      First of all, too bad you didn’t pass, but second of all, that’s a hell of a score for someone as fresh as you! I am currently in the same boat (which got me scared a little bit right now) ’cause I have been in the security business for a year myself, but given the fact I had so much fun in the labs I would not call it a downside if you get the chance to play in it again! Just don’t give up ’cause I know you will pass it for sure! If I can help in any way just let me know!

    • #34549
      Anquilas
      Participant

      I’m just gonna go ahead and say ‘congratulations!’ anyway, since it seems that you really got a lot out of the whole experience!

      Go get ’em at the second try, that 70 will be perfectly achievable the second time around 🙂

      Thanks for keeping us updated so well, looking forward to the rest of the story!

    • #34550
      BillV
      Participant

      Nice post and sorry you didn’t pass this attempt. As you’ve mentioned, certainly nothing to worry or feel ashamed about, you’ve learned a whole lot along the way! 🙂 For that, job well done. Continue to press on and knock it out on your next attempt (pretty sweet that’s at no additional cost to you!).

      You haven’t failed, you just haven’t passed yet. My dad always kept a big sign hanging in our garage that always reminded me to keep going, no matter what it was: “You never fail until you stop trying.” Good luck on the next round.

      BillV

    • #34551
      caissyd
      Participant

      You never fail until you stop trying

      That’s a very good one! I will remember it, thanks!

    • #34552
      sil
      Participant

      Sorry you didn’t pass the exam. I know the feeling; I felt cheated for failing the CISM even after I tried to not think in technical terms this time around. Anyhow, so now that you know what it’s like, it’s time to think about strategies.

      1) You should have already learned about enumeration
      2) You should have already learned about mapping vulnerabilities to enumeration
      3) Who the hell said you can’t multitask

      I could be wrong, but when I read your post (description of the exam, your hours spent, etc.) I couldn’t help but wonder what kind of strategy you used. Compromising a machine is best when you have a strategy, and for the OSCP exam you need to create a form of strategy. No one at OSCP is telling you: “You must attack/compromise in this order.” This means you’re free to tackle the exam any way you want. Strategize for the exam. E.g.:

      cd ~
      mkdir {networkMaps,HostTypes,PasswordCracking,WebsiteHkng,SQLHkng}

      You now have a framework to work with. In your networkMaps folder, you don’t have to wait for the output of nmap to move on to the next task. Placing things in the background works wonders OR you can split it up. E.g.:

      nmap -sA -P0 -vvv --version-all -oG first.target.txt first.target &
      nmap -sA -P0 -vvv --version-all -oG second.target.txt second.target &

      Those scans are now in the background and you could move on to another or even another block if need be. The syntax may differ for what you’re doing as should the variables -T0 -T5 depending on your impatience.

      cd ~/PasswordCracking
      cp /path/to/your/wordlists .

      Prep your directories with whatever wordlists you’re going to use to get them ready. From here is where a few things should occur. 1) bruteforcing if that’s what you choose, hydra, crack, etc. e.g.:

      mkdir ~/PasswordCracking/{hydraoutput,john,etc}

      And so on and so forth. Be wise with your time. Remember, time is of the essence here and you should NEVER waste it waiting on nmap or some other process to finish before you move to another process. If you’re not doing something, you’re wasting your time!

      I haz shell now what?!

      Remember that post? So you have a shell account… Not the right privs, eh? Know something? Take a look at /etc/passwd, jot down the users and feed them into hydra, jot down the OS and place the information into a quick vi/nano $this.host.txt. Can you sniff the wire? So you rooted one box… Did you run a sniffer on that machine after it was owned? If not… why didn’t you? systemtools, systemtools, systemtools… grep is your friend (or awk ‘/regexp/’ or whatever you choose)…

      find / -type f -print0 2>/dev/null | xargs -0 grep -i passw 2>/dev/null > ~/PasswordCracking/hostname.passwds-found.txt

      Doesn’t matter that you will likely find a trove of garbage, you’d likely find something of interest as well. Same goes for configuration files: (.conf, cfg, etc)

      find | grep ".conf$"

      Why not view configs… Treasure trove of information… Strategize. Plot and plan instead of swinging wildly 😉 Now guess what? All the data you lost because of VMware is still around. You can take this data to create your presentation. Be descriptive about it.

      When I took the exam, (and I believe I mentioned it before), I actually scripted out a shell script just like this. I made my directories for the data I would accumulate, then shellscripted in commands (attacks) to run based on the output of what it was I was doing, e.g.:

      if [ -f /path/to/your/nmap/output/target ]; then
          # check vuln ports and versions and do something here
          :    # ':' is a no-op placeholder so the branch stays valid shell
      else
          # do something else here
          :
      fi

      Imagination + scripting + strategy … Strategy IS key though

    • #34553
      dynamik
      Participant

      I’m definitely going to work the phrase “a trove of garbage” into as many conversations as I can. That’s hilarious!

    • #34554
      sil
      Participant

      @dynamik wrote:

      I’m definitely going to work the phrase “a trove of garbage” into as many conversations as I can. That’s hilarious!

      trove of garbage 😉 kid ya not. Configuration files rock on pentests and many testers overlook this. E.g., webserver? I’d be the first to find /path/to/apache||http||www and make an entire list:

      find /var/www/htdocs > wwwdir.txt

      Then parse it out for stuff. Know how many times I’ve seen junior/inexperienced admins throw up some crazily misconfigured binary? E.g., I did an incident response on a VoIP company (one of Colombia’s (the country) biggest providers). Their admins had all sorts of personal wordpress, joomla directories in there. All with readable config.php files… DB = game over. Passwords were the same as their logins (ssh)… Logins all had sudo privs with NOPASSWD: ALL, which was funny as heck…

      ONE machine was all I needed to traverse their network between two continents (North and South America) spread throughout 1 /22 and about 3 /27’s. Sure most of their devices had ipfw/ipchains/Checkpoint rules to disallow X from untrusted sources… It was their admins who weren’t to be trusted.

      Config files for all their VoIP devices (ATA’s, PBX’s), since they had exposed autoprovisioning online… It was a seriously scary thing for them since they had so much exposed that they never even thought about. It’s one thing for silly admin joomla accounts, but another to have client configs in plain readable sight. I mopped up that pentest in no time. Userdata? Access to maybe 700k+ accounts.

      So let’s think about how easy it would have been for me to call and say: “Hi, I’m a client, this is my MAC, this is my account ID, this is my name, etc., what card do you have on file, I’d like to change it… ” Caller ID, no problem my company does VoIP, I could have mimicked the account holders Caller ID and make it more believable. (you’d be surprised how many ppl rely on CID as an identifier)

      When I disclosed this in a report to their CEO he was livid and sad. I explained to him about proper training, the need to create groups and roles and have oversight. I still do IR for them from time to time but it’s like FAAAAAAAAR and few between. After the pentest, OSSIM went in with OSSIM-AGENTS, OSSEC-AGENTS, sudo with strong passwords and a centralized logging system. Scripted OSSIM to be responsive to alarms… He decided to send two of his admins for OSCP training to handle system administration and security. (Unsure if they did it or not, this was about a year ago).

      Nowadays I still get emails to an account I created to monitor for events:

      OSSEC HIDS Notification.
      2010 Aug 24 19:16:39

      Received From: RADIUS12->/var/log/messages
      Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
      Portion of the log(s):

      Aug 24 19:16:38 RADIUS12 ast-rad-acc[2355]: RADIUS host '' ERROR

      --END OF NOTIFICATION

      Nothing major though… But yup… treasure trove of garbage I found on their machines 😉

    • #34555
      caissyd
      Participant

      I have read your comments and as usual, I am taking notes!

      Let me explain what I meant by a “change of strategy”. When I started the exam, I was more or less doing the following:

      1) Quick and basic scan of a host using nmap (10 sec)

      2) Then launch a longer scan, looking at all TCP ports (1-65535) and UDP ports. This takes quite a while (30 min)

      3) While the second scan was running, I was, for example, trying to connect to the FTP server, browsing to their web site and searching the internet for exploits matching the services installed. I would also try to enumerate users through SNMP, SMTP, FINGER, etc. Try to find a vulnerability on the web server using nikto, etc. I wouldn’t do much more…

      But I was so wrong!!!

      This is how I was proceeding at the end of the exam:

      1) Quick and basic scan of a host using nmap (10 sec)

      2) Adapt my second set of scans based on what I have found in step 1! For example, if TCP 80 was open, I would launch nikto against it. I would READ the scan results and dig. Again for example, if directory /admin/ was found on the web server, I would go see what is there. From there, I would go deeper…

      3) When I used, for example, telnet to connect to a service to see what is there, I was sniffing the connection with wireshark and learn from it!

      4) I was much, much more relaxed. I didn’t want to go fast. Instead, I was READING the scan outputs and test results slowly. This is when I started to understand that although you definitely don’t want to waste time (like sil mentioned!), you definitely don’t want to read scan results in diagonal! I missed many very important pieces of information by looking at scan results too fast…

      5) After a 5 min break, I would review all my findings in leo before deciding what to do next. I am quite structured in my notes, so this would only take a few minutes.

      6) I was no longer searching within the metasploit framework, exploit-db or SecurityFocus databases for ready-made exploits. I lost many hours doing so at the beginning of the exam…

      I know this is probably not the best approach, but it is much better than the first one…

      So basically, now:

      – I read slowly all scan results;
      – I stopped looking like crazy for exploits
      – I am a lot more relaxed
      – I adapt my search based on what I have found so far. This may seem obvious, but I was searching for complicated stuff right at the beginning instead of looking at the low hanging fruit…
      – Spend a lot more time on reconnaissance and learning what I am up against!!!

      Back in the lab last night, I was making faster progress by going… slower! It’s like riding a motorcycle on a racetrack: Getting into a turn slower will allow you to pick the proper line and get out of the turn faster!

    • #34556
      hayabusa
      Participant

      Yep, just make sure that, like a good motorcycle racer, you don’t decrease speed / brake WHILE in that corner.  You must maintain focus throughout, and continue at a constant pace, or you’ll either highside, or turn too abruptly and be thrown off course.

      (ie – by this I don’t mean you can’t stop and take a rest break, before returning to concentration.  Just that you don’t want to constantly change course / speed, while committed to one thing, until you’re confident you’re through it, or have made a full, conscious decision to go in another direction.)

      Trust me when I say, from what I’ve heard, your second go should progress a bit easier for you, based on what you’ve learned and experienced, thus far.  I can’t be more clear, without stepping on NDA.  Just make sure that when you realize what I’m saying, by that (during your next exam attempt,) that you don’t explain it to anyone else, any more clearly than this, either, who is planning on taking the test.  (NDA)

    • #34557
      caissyd
      Participant

      Oh yes, for sure hayabusa. In fact, I have changed many facts on purpose in my explanation! But you are right, I am getting borderline with my explanation… I will be more careful…

      I have another question: Would you guys go after one single machine for hours and then switch to the second one, or do you go in phases (1- scan them all, 2- Banner grabbing for all, etc)?

      I am personally erratic. I quick scan them all, then I focus on one until I get blocked, then I go after another one, then I come back later, etc. I am not sure this is the best approach…

    • #34558
      ziggy_567
      Participant

      I am not a professional pentester, so take what I say with a grain of salt. The answer about how to proceed is “it depends.”

      From my experience (which as I stated earlier is limited), you get a feel for what is going to be easy and what is going to be difficult. If in your initial scans there is an OS or a port/application that stands out as being easy to get a foothold on, then it might be a good idea to focus in on that first. If the environment is fairly heterogeneous, until your scans drill down into enough detail that the purpose of the box is more obvious, you need to focus on the network as a whole.

    • #34559
      sil
      Participant

      @H1t M0nk3y wrote:

      2) Then launch a longer scan, looking at all TCP ports (1-65535) and UDP ports. This takes quite a while (30 min)

      nmap -T5 is your friend when timing is crucial. It can also be your enemy because it can trigger an IPS, and if someone is using scripting to autoblock an attack, you’re screwed:

      # date ; nmap -T5 localhost ; date
      Wed Aug 25 10:20:55 EDT 2010

      Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2010-08-25 10:20 EDT
      Interesting ports on localhost.localdomain (127.0.0.1):
      (The 1656 ports scanned but not shown below are in state: closed)
      PORT    STATE SERVICE
      22/tcp  open  ssh
      25/tcp  open  smtp
      80/tcp  open  http

      Nmap run completed -- 1 IP address (1 host up) scanned in 0.232 seconds
      Wed Aug 25 10:20:55 EDT 2010

      # date ; nmap -T5 localhost -p 1-65535 ; date
      Wed Aug 25 10:21:17 EDT 2010

      Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2010-08-25 10:21 EDT
      Interesting ports on localhost.localdomain (127.0.0.1):
      (The 65529 ports scanned but not shown below are in state: closed)
      PORT    STATE SERVICE
      22/tcp  open  ssh
      25/tcp  open  smtp
      80/tcp  open  http
      5335/tcp open  unknown

      Nmap run completed -- 1 IP address (1 host up) scanned in 6.521 seconds
      Wed Aug 25 10:21:23 EDT 2010

      @H1t M0nk3y wrote:

      1) Quick and basic scan of an host using nmap (10 sec)

      Rule of thumb to remember from here on out: Never do quick scans. That is, unless you don’t care about what’s running on the machine. Make sense? The purpose of a scan is to determine if something is running. From an admin perspective, we do scans to confirm whether or not something is running on our network/host. From a pentester’s perspective, you need a way in no matter HOW you get in. Therefore EVERYTHING needs to be checked. “Treasure troves of garbage (@dynamik) are often found when doing a full scan” The key is to “get in where you fit in[1]” with your scanning techniques ([1]I’m in a hip hop mood today listening to Jedi Mind Tricks http://www.youtube.com/watch?v=7r0KpWMNxnM)

      date ; nmap -T5 -sSV -vvv localhost -p 5038 ; date
      Wed Aug 25 10:29:59 EDT 2010

      Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2010-08-25 10:29 EDT
      Initiating SYN Stealth Scan against localhost.localdomain (127.0.0.1) [1 port] at 10:29
      Discovered open port 5038/tcp on 127.0.0.1
      The SYN Stealth Scan took 0.01s to scan 1 total ports.
      Initiating service scan against 1 service on localhost.localdomain (127.0.0.1) at 10:29
      The service scan took 100.01s to scan 1 service on 1 host.
      Host localhost.localdomain (127.0.0.1) appears to be up … good.
      Interesting ports on localhost.localdomain (127.0.0.1):
      PORT    STATE SERVICE VERSION
      5038/tcp open  unknown
      1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
      SF-Port5038-TCP:V=3.70%D=8/25%Time=4C7528EC%P=i386-redhat-linux-gnu%r(NULL
      SF:,1B,"Asterisk\x20Call\x20Manager/1.0\r\n")%r(GenericLines,89,"Asterisk
      SF:\x20Call\x20Manager/1.0\r\nResponse:\x20Error\r\nMessage:\x20Missing\x
      SF:20action\x20in\x20request\r\n\r\nResponse:\x20Error\r\nMessage:\x20Miss
      SF:ing\x20action\x20in\x20request\r\n\r\n")%r(GetRequest,52,"Asterisk\x20C
      SF:all\x20Manager/1.0\r\nResponse:\x20Error\r\nMessage:\x20Missing\x20act
      SF:ion\x20in\x20request\r\n\r\n")%r(HTTPOptions,52,"Asterisk\x20Call\x20Ma
      SF:nager/1.0\r\nResponse:\x20Error\r\nMessage:\x20Missing\x20action\x20in
      SF:\x20request\r\n\r\n")%r(RTSPRequest,52,"Asterisk\x20Call\x20Manager/1.
      SF:0\r\nResponse:\x20Error\r\nMessage:\x20Missing\x20action\x20in\x20reque
      SF:st\r\n\r\n")%r(RPCCheck,1B,"Asterisk\x20Call\x20Manager/1.0\r\n")%r(DN
      SF:SVersionBindReq,1B,"Asterisk\x20Call\x20Manager/1.0\r\n")%r(DNSStatusR
      SF:equest,1B,"Asterisk\x20Call\x20Manager/1.0\r\n")%r(Help,1B,"Asterisk\x
      SF:20Call\x20Manager/1.0\r\n")%r(SSLSessionReq,1B,"Asterisk\x20Call\x20Ma
      SF:nager/1.0\r\n")%r(SMBProgNeg,1B,"Asterisk\x20Call\x20Manager/1.0\r\n"
      SF:)%r(X11Probe,1B,"Asterisk\x20Call\x20Manager/1.0\r\n")%r(LPDString,1B,
      SF:"Asterisk\x20Call\x20Manager/1.0\r\n")%r(LDAPBindReq,1B,"Asterisk\x20C
      SF:all\x20Manager/1.0\r\n")%r(LANDesk-RC,1B,"Asterisk\x20Call\x20Manager/
      SF:1.0\r\n")%r(TerminalServer,1B,"Asterisk\x20Call\x20Manager/1.0\r\n")%
      SF:r(NCP,1B,"Asterisk\x20Call\x20Manager/1.0\r\n")%r(NotesRPC,1B,"Asteris
      SF:k\x20Call\x20Manager/1.0\r\n")%r(WMSRequest,1B,"Asterisk\x20Call\x20Ma
      SF:nager/1.0\r\n")%r(oracle-tns,1B,"Asterisk\x20Call\x20Manager/1.0\r\n"
      SF:);

      Nmap run completed -- 1 IP address (1 host up) scanned in 100.115 seconds
      Wed Aug 25 10:31:39 EDT 2010

      So nmap reported this 5038 as unknown, however: 1) you can Google the port, or you can do a version scan and parse out the data. In the output you can see this is a PBX. So notes:

      1) Run FULL scans on ALL machines. Fiddle with your timing.
      2) Make a PLAN acting on the output of those scans. For example, web application attacking… If you took the time to scan all the targets, you’d be able to weed out which solely need web application testing:

      nmap -sS -p 80 this.network/24 >> webservers.txt

      V is your friend as well as timing which can be your friend, or enemy. Fragments work a long ways sometimes:

      # nmap -f -sSV -P0 --source_port 80 -p 1-65535 -n -T5 --min_parallelism 40 localhost

      Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2010-08-25 10:42 EDT
      Interesting ports on 127.0.0.1:
      (The 65529 ports scanned but not shown below are in state: closed)
      PORT    STATE SERVICE    VERSION
      22/tcp  open  ssh        OpenSSH 3.9p1 (protocol 1.99)
      25/tcp  open  smtp      Sendmail 8.13.1/8.13.1
      80/tcp  open  http-proxy Squid webproxy 2.5.STABLE11
      2000/tcp open  callbook?
      5038/tcp open  unknown
      5335/tcp open  unknown
      1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
      SF-Port5038-TCP:V=3.70%D=8/25%Time=4C752BF3%P=i386-redhat-linux-gnu%r(NULL
      SF:,1B,"Asterisk\x20Call\x20Manager/1.0\r\n")%r(GenericLines,89,"Asterisk
      SF:\x20Call\x20Manager/1.0\r\nResponse:\x20Error\r\nMessage:\x20Missing\x
      SF:20action\x20in\x20request\r\n\r\nResponse:\x20Error\r\nMessage:\x20Miss
      SF:ing\x20action\x20in\x20request\r\n\r\n")%r(GetRequest,52,"Asterisk\x20C
      SF:all\x20Manager/1.0\r\nResponse:\x20Error\r\nMessage:\x20Missing\x20act
      SF:ion\x20in\x20request\r\n\r\n")%r(HTTPOptions,52,"Asterisk\x20Call\x20Ma
      SF:nager/1.0\r\nResponse:\x20Error\r\nMessage:\x20Missing\x20action\x20in
      SF:\x20request\r\n\r\n")%r(RTSPRequest,52,"Asterisk\x20Call\x20Manager/1.
      SF:0\r\nResponse:\x20Error\r\nMessage:\x20Missing\x20action\x20in\x20reque
      SF:st\r\n\r\n")%r(RPCCheck,1B,"Asterisk\x20Call\x20Manager/1.0\r\n")%r(DN
      SF:SVersionBindReq,1B,"Asterisk\x20Call\x20Manager/1.0\r\n")%r(DNSStatusR
      SF:equest,1B,"Asterisk\x20Call\x20Manager/1.0\r\n")%r(Help,1B,"Asterisk\x
      SF:20Call\x20Manager/1.0\r\n")%r(SSLSessionReq,1B,"Asterisk\x20Call\x20Ma
      SF:nager/1.0\r\n")%r(SMBProgNeg,1B,"Asterisk\x20Call\x20Manager/1.0\r\n"
      SF:)%r(X11Probe,1B,"Asterisk\x20Call\x20Manager/1.0\r\n")%r(LPDString,1B,
      SF:"Asterisk\x20Call\x20Manager/1.0\r\n")%r(LDAPBindReq,1B,"Asterisk\x20C
      SF:all\x20Manager/1.0\r\n")%r(LANDesk-RC,1B,"Asterisk\x20Call\x20Manager/
      SF:1.0\r\n")%r(TerminalServer,1B,"Asterisk\x20Call\x20Manager/1.0\r\n")%
      SF:r(NCP,1B,"Asterisk\x20Call\x20Manager/1.0\r\n")%r(NotesRPC,1B,"Asteris
      SF:k\x20Call\x20Manager/1.0\r\n")%r(WMSRequest,1B,"Asterisk\x20Call\x20Ma
      SF:nager/1.0\r\n")%r(oracle-tns,1B,"Asterisk\x20Call\x20Manager/1.0\r\n"
      SF:);

      Nmap run completed -- 1 IP address (1 host up) scanned in 106.794 seconds

      So going back now: FULL SCANS from now on. You can fiddle with your timing to make them faster or slower. If you’re scanning netblocks: --randomize_hosts is your friend when you want to avoid incremental IP scans which often trigger stuff. You can also fiddle with min_parallelism and other options in nmap. Don’t be afraid to “man nmap” instead of just typing “nmap -h.” NMAP has some seriously cool stuff you know.

      @H1t M0nk3y wrote:

      6) I was no longer searching within the metasploit framework, exploit-db or securiotyfocus databases for ready made exploits. I lost many hours doing so at the beginning of the exam…

      Touche 😉 If I recall (it’s been I don’t know like 3 years now…) OSCP will test you on what you learn in the labs. It’s doubtful they’ll throw up some crazy brand shiny new 0day on a server without teaching you about it and/or explaining what it is or what it does. (Maybe not to that extreme). So… Think about this for a moment, you did your labs, so you should have an idea of what’s “targetable”, how about you create a dir and place as many local and remote exploits as you can find in that dir so you don’t have to go out and search for them 😉

      @H1t M0nk3y wrote:

      Back in the lab last night, I was making faster progress by going… slower! It’s like riding a motorcycle on a racetrack: Getting into a turn slower will allow you to pick the proper line and get out of the turn faster!

      It’s not necessarily that you’re going slower. Focused is the word you should use. You can do it, I believe most are capable of passing the exam however, I also know that many are impatient and I interpret this based on their posts: “What’s the fastest…” Stop. It’s not about the fastest. If you spend 2 hours banging away aimlessly at a keyboard, furiously paced without a focus/goal, you’re wasting time. Create a framework for YOURSELF:

      1) Figure out what the heck am I up against and take notes of what they are (nmap: OS, versions, ALL ports)
      2) Figure out via the versions and OS if there is anything I have in my toolchest (exploits you either coded or downloaded) and prepare to use them at some point
      3) While I’m here, I might as well keep tshark (or Wireshark) running. As a matter of fact, if I can maybe I’ll open an instance for EVERY single host I’m targeting:
      ip.src == target or ip.dst == target
      4) Figure out if I can enumerate users, hydra (snmp, smtp, http, etc.)
      5) Let me go back now and isolate programs (e.g., which are webservers, which aren’t) then target those programs based on what they are (nikto, other tools)
      6) Now that I have a full dossier on anything and everything via nmap… I’ll create a directory for each target…
      7) Ready to test target … cd /path/to/target && WHATEVER_I_RUN >> program_name.output.txt e.g.,

      hydra --options_here > this.target
      nmap -sSV this.target -oG this.target.nmapout.txt
      john --options_here > john_output_this.target.txt
      wikto --options_here > wikto_output.this.target.txt

      Why would you do this? Simple: 1) It helps with your LEO later on. 2) It ensures you didn’t get scattered and forget testing something 3) it simplifies and speeds things up believe it or not. I wonder how many have said during or after the exam… “Did I try…”

      It also helps that you can go back to a target’s directory and keep your token there, you could also store data/info you find on a machine there. So if you “pwn” say an apache server and you have uid=0 – as I posted before – you BETTER make sure you check history files, configs, passwd for usernames. You MAY find that one of those usernames can be used on another machine.

      You should ALSO if possible run a sniffer on the machine you compromised… How do you know there isn’t something as simple as an NFS share between the compromised host and another machine? It might be something as simple as that however, most won’t think about this. They’re often happy to say “yes! Got root?!” Leaving out crucial things on that machine… Scripting is your friend! Use it. Write yourself some down and dirty scripts to do most of the “low hanging fruit” grunt work. NMAP from the machine you compromised if possible 😉 How do you know another target is set to block ALL but the machine you pwnd… Creativity goes a long way.

      Also … There is nothing stopping you (from what I remember) from using 0day or known vulnerabilities as far as I recall. With that said, making directories of local 0day stuff and publicly available for escalation MAY also save you time. E.g.

      mkdir localsploits ; mkdir localsploits/{irix,linux,windows,aix}   # one subdirectory per platform, add more as needed

      cd localsploits/irix && wget http://yourfavorite/exploit/site/irix

    • #34560
      dynamik
      Participant

      Also, I believe UDP scans on Linux take one second per port. I can’t find a source for that at the moment, but that’s what I recall. Point of the story is, be careful when performing massive UDP scans (-PN -p1-65535 across a class C) because you might really tie yourself up.
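      As an added example (my own script, not sil’s or dynamik’s and not anything from the course), here is sil’s per-target layout from the post above, with dynamik’s UDP caveat, as a small POSIX shell script. It assumes nmap is installed; `WORKDIR` and `NMAP_TIMING` are variable names I made up, and the embedded fingerprint and .gnmap samples are constructed (the fingerprint is a shortened copy of the one quoted in the thread) so the two parsers can be tried without scanning anything:

```shell
#!/bin/sh
# Added example, not the thread's own scripts: one directory per target with
# every tool's output kept in it, plus parsers for two things nmap prints.
# Assumptions (mine): nmap is installed, WORKDIR is the root for per-target
# folders, NMAP_TIMING selects the -T template (default -T4).
set -u

# scan_target TARGET: full 1-65535 TCP range with version detection, written
# with -oA so the readable .nmap and the greppable .gnmap land in the folder.
scan_target() {
    target="$1"
    dir="${WORKDIR:-./targets}/$target"
    mkdir -p "$dir"
    nmap -sSV -p 1-65535 -n "${NMAP_TIMING:--T4}" -oA "$dir/tcp-full" "$target" \
        >> "$dir/nmap.tcp-full.output.txt" 2>&1
}

# scan_udp_top TARGET: UDP is slow (dynamik's caveat), so cover the common
# UDP ports first and leave a full UDP sweep for later (modern nmap).
scan_udp_top() {
    target="$1"
    dir="${WORKDIR:-./targets}/$target"
    mkdir -p "$dir"
    nmap -sU --top-ports 100 -n -oA "$dir/udp-top100" "$target" \
        >> "$dir/nmap.udp-top100.output.txt" 2>&1
}

# hosts_with_open_port PORT < scan.gnmap: hosts with PORT open, e.g. to build
# webservers.txt from one netblock scan instead of rescanning for port 80.
hosts_with_open_port() {
    awk -v port="$1" '
        /^Host:/ && /Ports:/ {
            split($0, parts, "Ports: ")
            n = split(parts[2], entry, ", ")
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")      # port/state/proto//service//version/
                if (f[1] == port && f[2] == "open") { print $2; break }
            }
        }'
}

# decode_fingerprint < nmap-output: join the SF: continuation lines of an
# "unrecognized service" fingerprint and decode \x20 and \r\n so the banner
# the service really sent is readable (the 5038 banner names Asterisk).
decode_fingerprint() {
    awk '
        /^SF-Port/ { fp = $0; next }
        /^SF:/     { fp = fp substr($0, 4); next }
        END {
            n = split(fp, r, "%r\\(")          # one element per probe response
            for (i = 2; i <= n; i++) {
                probe = r[i]; sub(/,.*/, "", probe)
                s = r[i]
                sub(/^[^"]*"/, "", s)           # drop probe name and length
                sub(/"\).*$/, "", s)            # drop closing quote and paren
                gsub(/\\x20/, " ", s)
                gsub(/\\r\\n/, " | ", s)        # show line breaks inline
                sub(/( [|] )+$/, "", s)
                print probe ": " s
            }
        }'
}

# Constructed samples for offline use (fingerprint shortened from the one
# quoted in the thread; the .gnmap lines are made up).
SAMPLE_FINGERPRINT='SF-Port5038-TCP:V=3.70%D=8/25%Time=4C7528EC%P=i386-redhat-linux-gnu%r(NULL
SF:,1B,"Asterisk\x20Call\x20Manager/1.0\r\n")%r(GenericLines,89,"Asterisk
SF:\x20Call\x20Manager/1.0\r\nResponse:\x20Error\r\nMessage:\x20Missing\x
SF:20action\x20in\x20request\r\n\r\n")%r(GetRequest,52,"Asterisk\x20C
SF:all\x20Manager/1.0\r\nResponse:\x20Error\r\nMessage:\x20Missing\x20act
SF:ion\x20in\x20request\r\n\r\n");'

SAMPLE_GNMAP='# Nmap scan (constructed sample, not a real scan)
Host: 10.11.1.5 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 1.99)/, 80/open/tcp//http-proxy//Squid webproxy 2.5.STABLE11/, 5038/open/tcp//unknown/// Ignored State: closed (65532)
Host: 10.11.1.6 () Ports: 25/open/tcp//smtp//Sendmail 8.13.1/8.13.1/, 80/closed/tcp//http/// Ignored State: closed (65533)
Host: 10.11.1.7 () Ports: 80/open/tcp//http//Apache httpd 2.2/, 443/open/tcp//https/// Ignored State: closed (65533)'

# Scan only when targets are given on the command line; with no arguments,
# just demonstrate the parsers on the samples.
if [ $# -gt 0 ]; then
    for t in "$@"; do scan_target "$t"; scan_udp_top "$t"; done
else
    printf '%s\n' "$SAMPLE_GNMAP" | hosts_with_open_port 80
    printf '%s\n' "$SAMPLE_FINGERPRINT" | decode_fingerprint
fi
```

      Run it as `sh scan.sh 10.11.1.5 10.11.1.6` to populate one folder per target, then `hosts_with_open_port 80 < targets/*/tcp-full.gnmap`-style queries answer “which of these need web testing” without another scan; the decoder is the “parse out the data” step sil mentions, applied to the fingerprint nmap prints when it cannot name a service.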

    • #34561
      caissyd
      Participant

      Sil, I have told you this before: You should write a book!!!  😉

      So going back now: FULL SCANS from now on. You can fiddle with your timing to make them faster or slower. If you’re scanning netblocks: --randomize_hosts is your friend when you want to avoid incremental IP scans which often trigger stuff. You can also fiddle with min_parallelism and other options in nmap. Don’t be afraid to “man nmap” instead of just typing “nmap -h.” NMAP has some seriously cool stuff you know.

      I can see why I was wrong doing quick scans first and very long ones after. I will start practicing that tonight…

      Write yourself some down and dirty scripts to do most of the “low hanging fruit” grunt work.

      I am starting to have a few now. My list of little scripts is growing every day!  🙂

      1) Figure out what the heck am I up against and take notes of what they are (nmap: OS, versions, ALL ports)
      2) Figure out via the versions and OS if there is anything I have in my toolchest (exploits you either coded or downloaded) and prepare to use them at some point
      3) While I’m here, I might as well keep tshark (or Wireshark) running. As a matter of fact, if I can maybe I’ll open an instance for EVERY single host I’m targeting:
      ip.src == target or ip.dst == target
      4) Figure out if I can enumerate users, hydra (snmp, smtp, http, etc.)
      5) Let me go back now and isolate programs (e.g., which are webservers, which aren’t) then target those programs based on what they are (nikto, other tools)
      6) Now that I have a full dossier on anything and everything via nmap… I’ll create a directory for each target…
      7) Ready to test target … cd /path/to/target && WHATEVER_I_RUN >> program_name.output.txt e.g.,

      I understand more and more what i should be doing. I will practice this too in the lab.

      Thanks Sil. I definitely need and appreciate help from guys like you.  ;D

    • #34562
      hayabusa
      Participant

      I started replying earlier, and yet again, because of the meds, wasn’t thinking, and did so outside of notepad, etc (so all my changes got lost, when the connection timed out, just before submitting.)

      In a nutshell, H1tM0nk3y, what I’d planned to say was, remember, too, to stick to the basics.  If you approach the ENTIRE exam with pentesting methodology in mind (OSSTMM, etc) and approach it in phases, you’ll do alright.  (Doesn’t mean you can’t progress to the next step on one machine, while the others are still in the info gathering stage…)

      With regards to your notes about taking too much time on one machine, etc, I would have to agree, that you should NOT let one machine tie you up for too long (especially on the timed exam,) if you’ve not already compromised enough to pass.  Now, if you get down to where you think you’ve gotten all of the easier ones done, and still have multiple LONG ones left to do, at that point, you’ll need to pick and choose.

      And follow sil’s advice, with regards to timing your scans, and such.  But make absolutely certain not to try to do basic / common port scans.  Do full scans, else you may / may not miss some things that make a target MUCH easier to attack.  Without giving any detail, even with a good, solid, DETAILED scan, I almost overlooked one that should’ve been an obvious one.  (Mainly because I was focusing on another box that had previously finished enumeration, and admittedly wasted a bit of time parsing its results looking for something that I could do, rather than attacking the simpler one.)

      Moral of the story is:  Just as in test taking, when you’re allowed to skip questions and come back, etc…  Knock out the quick ones / ones you know first, then come back to the ones that’ll take more time.  You might even be surprised at what those ‘easy’ machines might give you access to, or detail for, with regards to the tougher ones.

    • #34563
      caissyd
      Participant

      It’s good to know I wasn’t too far off regarding how much time to spend on each machine. Thanks hayabusa.

      Now I need more practice! So back to work… 

    • #34564
      ziggy_567
      Participant

      @sil

      Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2010-08-25 10:20 EDT

      Wow! I think it’s time to update!  😛 ;D

    • #34565
      sil
      Participant

      @ziggy_567 wrote:

      Wow! I think it’s time to update!  😛 ;D

      😉 Was a machine I had at term opened on at the time. E.g., 5 machines I’m on right now

      # nmap -V

      nmap version 3.70 ( http://www.insecure.org/nmap/ )

      # nmap -V

      Nmap version 4.11 ( http://www.insecure.org/nmap/ )

      # nmap -V

      Nmap version 4.11 ( http://www.insecure.org/nmap/ )

      # nmap -V

      nmap version 3.70 ( http://www.insecure.org/nmap/ )

      # nmap -V

      Nmap version 5.00 ( http://nmap.org )

      To be honest… I don’t use nmap as much as I should most of the times. I like doing things the hard way.

    • #34566
      j0rDy
      Participant

      great posts guys! i think this will help me a lot in a few weeks! comparing my knowledge to that of hit monkey i think we are at the same skill level, so i am preparing as much as possible. I’m working on the report now and will soon start on some extra exercises to keep it all fresh.

    • #34567
      Determ
      Participant

      Is metasploit banned at OSCP exam? I find metasploit auxiliary scanners quite useful.

    • #34568
      Anquilas
      Participant

      When I ever have a chance to start the OSCP course, I’m going to digg in to this thread like there is no tomorrow 🙂 You guys are writing gold here!

      Oh and Sil: you really, really should write that book indeed :p (or a couple of them)

    • #34569
      hayabusa
      Participant

      @Anquilas – That’s what EH-Net is for – encouragement, tutoring, or simply general explanation… doesn’t really matter, as long as others benefit and grow.  I’m glad our input is good for you, and yes, when you take the course, I’d encourage you to go back through this thread a few times, as it’ll likely come in handy.

    • #34570
      sil
      Participant

      @Anquilas wrote:

      Oh and Sil: you really, really should write that book indeed :p (or a couple of them)

      Nah… I wouldn’t know where to begin. My posts at times come across the wrong way to so many people, I think anyone who would buy the book would only do so to throw it at me.

    • #34571
      ziggy_567
      Participant

      @sil wrote:

      Nah… I wouldn’t know where to begin. My posts at times come across the wrong way to so many people, I think anyone who would buy the book would only do so to throw it at me.

      Make it a paperback then!!!  ;D

    • #34572
      sil
      Participant

      @ziggy_567 wrote:

      @sil wrote:

      Nah… I wouldn’t know where to begin. My posts at times come across the wrong way to so many people, I think anyone who would buy the book would only do so to throw it at me.

      Make it a paperback then!!!  ;D

      It’s flammable 😉 They’d firebomb me. Which brings me to funny news of the day…

      “WTF… No kill -9 bitch?! I got something for your ass”

      Drunken employee pops cap in server
      http://www.theregister.co.uk/2010/08/26/server_shooting/

      An employee of a Salt Lake City mortgage company allegedly got drunk and popped a cap in the firm’s $100k server, the Salt Lake Tribune reports. … Joshua Lee Campbell, 23, had apparently been enjoying a few liveners … later nipped back to work to shoot the server with a .45-calibre automatic. … he claimed he’d been “mugged, assaulted with his own firearm and drugged” by a “mystery assailant” who’d then carried out the execution at RANLife Home Loans.

    • #34573
      caissyd
      Participant

      @j0rDy: Nice to see I am not alone in my “knowledge area”.  🙂

      @Anquilas: I really feel like there are 20 people in my living room, waiting to see if I will pass. Very motivating…

      Just to follow up, I have practiced nmap yesterday in the lab.

      I compared my “old ways” of running scans with your “proposed ways”. I indeed saw a nice difference. It seems I am learning at a crazy rate right now!!!  ;D

      I hacked another machine in the lab yesterday and it felt good: I felt “organized” and not like “a hen without head” (translated a French expression). I will continue tonight! I want to go through as many machines as possible before my retake.

    • #34574
      hayabusa
      Participant

      @sil wrote:

      Which brings me to funny news of the day…

      “WTF… No kill -9 bitch?! I got something for your ass”

      Drunken employee pops cap in server
      http://www.theregister.co.uk/2010/08/26/server_shooting/

      An employee of a Salt Lake City mortgage company allegedly got drunk and popped a cap in the firm’s $100k server, the Salt Lake Tribune reports. … Joshua Lee Campbell, 23, had apparently been enjoying a few liveners … later nipped back to work to shoot the server with a .45-calibre automatic. … he claimed he’d been “mugged, assaulted with his own firearm and drugged” by a “mystery assailant” who’d then carried out the execution at RANLife Home Loans.

      Hahahahahaha!!!!  That one put a much needed smile on my face!  Thanks, sil!

    • #34575
      Anquilas
      Participant

      @hayabusa wrote:

      @Anquilas – That’s what EH-Net is for – encouragement, tutoring, or simply general explanation… doesn’t really matter, as long as others benefit and grow. 

      Perfectly said, and the exact reason why this place is so great. You guys are contributing in a fantastic way, and I’m sure to pay it back in kind when I’m further down the path.

      @sil wrote:

      Nah… I wouldn’t know where to begin. My posts at times come across the wrong way to so many people, I think anyone who would buy the book would only do so to throw it at me.

      Of course you are most entitled to your opinion 😉
      Still, if you ever feel like putting all that knowledge in a book, you can be certain that everyone here will be dying to get a copy.
      But by all means, keep writing like you do now, it’s incredibly educational for many of us.

      @H1t M0nk3y wrote:

      @Anquilas: I really feel like there are 20 people in my living room, waiting to see if I will pass. Very motivating…

      I can imagine 🙂
      Now just imagine us waving banners and cheering, and you get the whole picture m8 o/

    • #34576
      caissyd
      Participant

      Ok, here’s an update.

      I am taking the test again in 2 days (starting Friday). So I will be posting my results on this forum sometime this weekend. Stay tuned!

      I just wanted to say that, after reading all the good comments/suggestions you have written on this thread, I feel much more confident now. As I said a few times already, I feel like I finally got it. I wasn’t ready the first time around. I was missing a few key things…

      Before my first attempt, I felt like a boxer with 19 victories and no defeat going in the ring against another boxer having 17 victories and no defeat. You haven’t lost yet, but neither has your opponent! So I didn’t have a big confidence in my abilities. It was more of a 50/50 chance for me…

      But since then, mainly because of your very good advice, I feel a lot more confident! The main reason for this is:

      • I have compromised many more machines in the last 2 weeks and more importantly, I am much faster doing so!  ;D
      • I know more about privilege escalation (thanks again to you guys!!!!)
      • I know now that the exam is representative of the lab. It is like having another 5 lab machines to hack
      • I was able to work on my other weaknesses

      So I am a lot more relaxed this time around. Regardless if I pass or fail, I feel like I can finally “put it all together” now.

      So a thousand thanks to you guys!!!

    • #34577
      UNIX
      Participant

      Good luck, I’m sure you will do fine this time.

    • #34578
      dynamik
      Participant

      Sounds like you’re in pretty good shape. Good luck!

    • #34579
      hayabusa
      Participant

      Keep us posted, H1tM0nk3y.  I’m confident you’ll do well.

    • #34580
      munch137
      Participant

      Any update H1t M0nk3y? You’ve chronicled your journey well thus far.  Don’t leave us hanging!

    • #34581
      caissyd
      Participant

      I have been quite busy at work recently and I was forced to postpone the exam test. I have worked about 70 hours a week for the last three weeks!!!

      One of my clients got very late in providing me requirements, and since I had already signed another contract with another company, I am stuck working on two contracts at once… I should be over with the first contract next week… :-

      The new test date will be November 11 (Remembrance Day in Canada). That will give me enough time to study and get ready. At least, I know what to work on!

      Thanks to all my “fans”!!!  ;D

    • #34582
      impelse
      Participant

      Great. I remember that you were talking that the exam week you did not have a project ” you said bad/good luck”. Now you have TWO

Copyright ©2021 Caendra, Inc.