
Offensive Security Exploitation

T_Bone

Full Member

Posts: 199

Joined: Sat Feb 21, 2009 7:11 am

Post Wed Feb 29, 2012 1:35 pm

Offensive Security Exploitation

Are all of the exploits for the course available in exploit-db and if so are they sanity checked for malicious code? That might sound like a dumb question as I am sure it is likely to be the case, however the reason I ask is because a number of forums explain that exploits in the course will need to be compiled and in some cases "adjusted to fit" in order for them to work.

I am very sceptical about using code from third party sites and wouldn't have thought that the course would encourage downloading code/scripts from these sites? I am aware that any exploit code should be reviewed for any backdoors etc., but you are likely to get people doing the course who have no idea how to review code and therefore will just use the exploits as they are, or is this incorrect?

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Wed Feb 29, 2012 2:34 pm

Re: Offensive Security Exploitation

Well, 'compiled' and 'adjusted to fit' are both because you have different target OS's or Service Packs, in many cases, and need to adjust them, accordingly.

Not sure if ALL are there, that the course needs.  I know I pulled some from outside of there, to use, when I took the course, but may or may not have had to.  Additionally, if you're testing exploits, specifically in their labs, then you can always revert, if you blow up a target, or your attacking machine.  No harm, no foul.  

I'm saying that because IF some nasty ones got in, which may or may not be the case, it shouldn't matter, in terms of completing the course.  Remember, these are to be used against THEIR target machines, not run on YOUR lab, in 99.999% of cases.  Everything you need to run code for, in the labs and exam, can be done from their VM's.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Wed Feb 29, 2012 2:36 pm

Re: Offensive Security Exploitation

For the CTP (Cracking the Perimeter) course, most if not all of the exploits are available at the Exploit-DB or Metasploit, and yes all of them are manually added, some are verified, and therefore it's hard for backdoors to slip by the EDB Crew.  :)

Those that are verified are almost guaranteed to contain no backdoors. In general, using code from The Exploit Database is safe, compared to other sites where malicious script kiddies and blackhats operate, where the actual site could host exploit kits, and the actual exploits, tools, etc., could contain backdoors / trojans.

Keep in mind The Exploit Database is hosted by (kind of like a subsidiary of) Offensive Security, so it's professionals, freelancers and enthusiasts with good intentions that host the database, check the submitted exploits, etc., so you won't find many other sites like that, where you know you can trust the people behind it.

You are right that some exploitation vectors, including proof of concepts (actual exploit code), may need to be adjusted to fit the scenario(s), just like a real pentest, but when you use e.g. PoCs with premade shellcode, always check what it does with e.g. disassembly, before running it.

Most PoCs use Metasploit shellcode, and eventually, if not already, you'll be able to spot a Metasploit payload from miles away just by looking at the beginning of the shellcode. Keep in mind that even the Metasploit project could at some point get infected (unlikely but not impossible), and whenever someone used the program they could potentially become victims of backdoors. This site you're browsing could get compromised too and host unknown exploit kits that use 0-days, so trust is quite relative on the Internet  :)

Therefore, always be careful with what you run, especially from sites you don't know if you can trust. If the PoCs are only available in executable format (PE or ELF), you should of course always be careful  ;) When the source is available, try to read through the source and identify any bad code, or introduced errors meant to prevent abuse by e.g. script kiddies. (This is quite common in some PoCs.)

As you say, you're sceptical about using code from third party sites and you wouldn't have thought the course would encourage using these, but the thing is, The Exploit Database, BackTrack, and Offensive Security, are under the same roof, so none of them are third party to each other. They are in essence, one.

You are right that some students may not be able to review and fully understand the exploit code / PoC they are using during e.g. PWB, but CTP students should be able to.

I've never heard of a student from Offensive Security having any malware problems with the PoCs they've used from e.g. The Exploit Database though, so if people stick to this site, I think they'll be safe for the moment. The PoCs on Exploit-DB that work with the OffSec labs have probably been reviewed by themselves, so they know that yes, there's a PoC on Exploit-DB and it works as intended.  :)


I hope my feedback helped answer your questions  ;)
I'm an InterN0T'er
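As an added illustration of the "read through the source and check what the shellcode does before running it" advice in the post above (example code written here, not anything from the thread, Exploit-DB or Offensive Security; the PoC skeleton, the addresses and the list of flagged calls are constructed), this is a small static triage pass over a downloaded PoC: it lists calls the exploit itself rarely needs, any IPv4 address other than the declared target, and the embedded `\x..` shellcode buffers with their length, printable strings and a Metasploit-style `cld; call` prologue check.

```python
"""Static triage of a downloaded PoC before anyone runs it (constructed example)."""
import re

# Calls a PoC rarely needs; each hit deserves a look before the code is run.
SUSPICIOUS_CALLS = ("os.system", "subprocess", "eval(", "exec(",
                    "base64.b64decode", "urllib", "requests.get", "curl ", "wget ")
SHELLCODE_RE = re.compile(r'"((?:\\x[0-9a-fA-F]{2})+)"')   # "\xfc\xe8..." literals
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def extract_shellcode(src):
    """Decode every contiguous \\xNN string literal in the PoC source."""
    return [bytes.fromhex(m.replace("\\x", "")) for m in SHELLCODE_RE.findall(src)]

def printable_strings(blob, min_len=4):
    """Printable ASCII runs inside a buffer (paths, hostnames, commands)."""
    pattern = rb"[ -~]{%d,}" % min_len
    return [s.decode("ascii") for s in re.findall(pattern, blob)]

def triage(src, declared_targets=()):
    """Report what the PoC does besides delivering the exploit.

    declared_targets: hosts the PoC is documented to talk to; any other
    IPv4 address in the file is reported as an undeclared host.
    """
    report = {"calls": [], "hosts": [], "shellcode": []}
    for line_no, line in enumerate(src.splitlines(), 1):
        report["calls"] += [(line_no, n) for n in SUSPICIOUS_CALLS if n in line]
    report["hosts"] = sorted(set(IPV4_RE.findall(src)) - set(declared_targets))
    for blob in extract_shellcode(src):
        report["shellcode"].append({
            "length": len(blob),
            "strings": printable_strings(blob),
            # cld; call <offset> is how Metasploit's x86 Windows block_api stub opens
            "msf_like_prologue": blob.startswith(b"\xfc\xe8"),
        })
    return report

# Constructed PoC skeleton: the target is declared, but the script also
# names a second address and exec()s a decoded blob unrelated to the exploit.
SAMPLE_POC = r'''
import socket, base64
TARGET = "192.168.10.5"
CALLBACK = "203.0.113.7"
buf = "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5" + "A" * 100
s = socket.socket(); s.connect((TARGET, 21)); s.send(buf)
exec(base64.b64decode("cHJpbnQoJ2hpJyk="))   # nothing to do with the exploit
'''

if __name__ == "__main__":
    print(triage(SAMPLE_POC, declared_targets=("192.168.10.5",)))
```

The report is a starting point for the manual read-through, not a verdict: a clean report still leaves the shellcode itself to be disassembled, and a hit only says where to look first.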

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Feb 29, 2012 3:51 pm

Re: Offensive Security Exploitation

Your concerns can be easily quelled:

  • Disconnect non-test systems from your network
  • Disconnect any drives or other media from your testing system that are not required for the exam
  • Perform a clean installation of whatever attack platform you're going to use (probably BT) on empty media
  • Apply any available updates and perform any desired customizations
  • Pass exam
  • Securely wipe the media used for the testing OS and reinstall a clean OS; reconnect other devices to your network
The day you stop learning is the day you start becoming obsolete.

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Wed Feb 29, 2012 4:51 pm

Re: Offensive Security Exploitation

ajohnson wrote:Your concerns can be easily quelled:

  • Disconnect non-test systems from your network
  • Disconnect any drives or other media from your testing system that are not required for the exam
  • Perform a clean installation of whatever attack platform you're going to use (probably BT) on empty media
  • Apply any available updates and perform any desired customizations
  • Pass exam
  • Securely wipe the media used for the testing OS and reinstall a clean OS; reconnect other devices to your network


If there was a +rep or "like" button here I would've clicked it, even though hayabusa was on the same page and I should've quoted him too  ;D I fully agree on using this vector; it will eliminate most of your worries  :)
I'm an InterN0T'er

T_Bone

Full Member

Posts: 199

Joined: Sat Feb 21, 2009 7:11 am

Post Wed Feb 29, 2012 5:59 pm

Re: Offensive Security Exploitation

That makes sense, and I am actually intending to do just those steps. Guess I was curious and wanted to see what you guys thought :)

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Wed Feb 29, 2012 6:42 pm

Re: Offensive Security Exploitation

Yep...  If all remains 'self-contained' for purposes of the course and exam, you really shouldn't be concerned.  And if you're worried about time, snapshot and backup your attack VM, so you can quickly dive back in.

Sounds like you fully get the idea, so I'm sure you'll be fine.  ;)
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
