
OSCP and Pentesting 101

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon Apr 09, 2012 3:21 pm

OSCP and Pentesting 101

I wanted to take some time to give those taking the OSCP and similar exams a bit of food for thought when taking these exams. The food will come via taking time to create a repeatable framework in order to perform necessary objectives on the road to "owning the box." Be it Windows, Linux, BSD, the flavor is irrelevant. I urge anyone taking the exam to go over the PTES (Penetration Testing Execution Standard) as it is more detailed than what you will see here.

The OSCP exam seems to eat up a lot of time for a lot of individuals taking the exam. Time is crucial in this exam as you are going to be allotted 24 hours. In the real world, your SOW will also have a cut-off time. So how can you maximize your time without having your work all over the place? The answer is to create yourself a framework.

In the following mindmap (http://www.infiltrated.net/mgz/oscp.jpeg), I have a target and the tasks I would take in trying to exploit the target. In the enumeration/identification step, I will begin with, but not rely on, NMAP. I try to use p0f whenever possible since it offers a better mechanism of identifying a target.

I try to use p0f especially when identifying webservers, since I can use a proxy server to connect without triggering anything out of the ordinary. In the following snippet, I will connect from my desktop (FreeBSD 9.0) to a forensic workstation I created using Ubuntu, on port 80.

  Code:
[root@kenji ~]# uname -a
FreeBSD kenji 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Mar 20 10:42:10 EDT 2012     root@kenji:/usr/obj/usr/src/sys/SARU  i386
[root@kenji ~]# nmap -sS -P0 -sV -T2 -vvv 10.4.4.86

Starting Nmap 5.61TEST5 ( http://nmap.org ) at 2012-04-09 14:47 EDT
NSE: Loaded 16 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 14:47
Completed Parallel DNS resolution of 1 host. at 14:47, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 14:47
Scanning 10.4.4.86 [1000 ports]
Discovered open port 22/tcp on 10.4.4.86
Discovered open port 80/tcp on 10.4.4.86
Completed SYN Stealth Scan at 14:54, 401.81s elapsed (1000 total ports)
Initiating Service scan at 14:54
Scanning 2 services on 10.4.4.86
Completed Service scan at 14:54, 6.38s elapsed (2 services on 1 host)
NSE: Script scanning 10.4.4.86.
NSE: Starting runlevel 1 (of 1) scan.
Nmap scan report for 10.4.4.86
Host is up (0.00038s latency).
Scanned at 2012-04-09 14:47:38 EDT for 409s
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.8p1 Debian 7ubuntu1 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.20 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

Read data files from: /usr/local/share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 408.69 seconds
           Raw packets sent: 1000 (44.000KB) | Rcvd: 1000 (40.008KB)



NMAP states this is Ubuntu, what does p0f state?

  Code:
[root@kenji ~]# p0f -o /tmp/p0f.output

.-[ 10.4.4.72/16070 -> 10.4.4.86/80 (syn) ]-
|
| client   = 10.4.4.72/16070
| os       = FreeBSD 9.x
| dist     = 0
| params   = none
| raw_sig  = 4:64+0:0:1460:65535,6:mss,nop,ws,sok,ts:df,id+:0
|
`----

.-[ 10.4.4.72/16070 -> 10.4.4.86/80 (mtu) ]-
|
| client   = 10.4.4.72/16070
| link     = Ethernet or modem
| raw_mtu  = 1500
|
`----

.-[ 10.4.4.72/16070 -> 10.4.4.86/80 (uptime) ]-
|
| client   = 10.4.4.72/16070
| uptime   = 20 days 2 hrs 47 min (modulo 49 days)
| raw_freq = 999.93 Hz
|
`----

.-[ 10.4.4.72/16070 -> 10.4.4.86/80 (syn+ack) ]-
|
| server   = 10.4.4.86/80
| os       = Linux 3.x
| dist     = 0
| params   = none
| raw_sig  = 4:64+0:0:1460:mss*10,4:mss,sok,ts,nop,ws:df:0
|
`----

.-[ 10.4.4.72/16070 -> 10.4.4.86/80 (mtu) ]-
|
| server   = 10.4.4.86/80
| link     = Ethernet or modem
| raw_mtu  = 1500
|
`----

.-[ 10.4.4.72/16070 -> 10.4.4.86/80 (http request) ]-
|
| client   = 10.4.4.72/16070
| app      = ???
| lang     = English
| params   = none
| raw_sig  =
1:Host,User-Agent,Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8],Accept-Language=[en-us,en;q=0.5],Accept-Encoding=[gzip,deflate],Accept-Charset=[ISO-8859-1,utf-8;q=0.7,*;q=0.7],Keep-Alive=[115],Proxy-Connection=[keep-alive],?If-Modified-Since,?If-None-Match:Connection:Mozilla/5.0
(X11; U; FreeBSD i386; en-US; rv:1.9.2.27) Gecko/20120314 Firefox/3.6.27
|
`----

.-[ 10.4.4.72/16070 -> 10.4.4.86/80 (http response) ]-
|
| server   = 10.4.4.86/80
| app      = ???
| lang     = none
| params   = none
| raw_sig  = 1:Date,Server,?ETag,?Vary:Content-Type,Connection,Keep-Alive,Accept-Ranges:Apache/2.2.20 (Ubuntu)
|
`----


We can validate whether or not our nmap output is accurate, but we can also assess how long the server has been running and get an idea of the patch level of a machine. Now, in order to minimize time, I might sweep a subnet for specifics: HTTP, SMTP, POP and so forth. The reasoning for this is that when under time constraints, it allows me to focus specific attacks and probes against those specific targets that I know are running the service. This allows me to spend time elsewhere (running other nmap sweeps, etc.).

For example, I can sweep a /24 for ONLY port 80, begin launching more probes in the background, while I launch other scans and other probes at another service.

  Code:
#!/bin/sh
printf "Enter host\n\n"
read HOST

# nmap -v prints "Discovered open port 80/tcp on <host>"; field 2 is the word "open"
WEB=`nmap -sS -p80 $HOST -v | awk '/open port/{print $2}' | grep -vi dis`

if [ "$WEB" = open ]
then
   nikto -host $HOST
fi

exit 0


In any event, if you're doing ONE thing and ONE THING only on the OSCP exam, you're wasting time. There is nothing stopping you from opening a terminal and creating your own little framework for doing this exam:

  Code:
#!/bin/sh
# brace expansion is bash-only; list the directories so /bin/sh creates them too
mkdir -p HTTP-OUTPUT HYDRA-RECON NIKTO-OUTPUT SNMP-OUTPUT

printf "Enter host\n\n"
read HOST

WEB=`nmap -sS -p80 $HOST -v | awk '/open port/{print $2}' | grep -vi dis`

if [ "$WEB" = open ]
then
   cd HTTP-OUTPUT
   nikto -host $HOST > $HOST.nikto.output
   echo "Completed Nikto" | wall
fi

exit 0


Get the picture?

1) Make relevant directories (way beforehand)
2) Enter a target
3) Go check if the target is running anything on port 80
4) If it is, then run nikto against it
5) When done write it everywhere in case I am on 50 different terminals

You can continue something like this to fire off dozens of tests, probes, and so on. What you do with your time is always going to be critical since time is irreplaceable. Same applies when performing real world testing. You may be in a bind for time, if you're waiting on the output of one tool, you're wasting time. Moving back to the mindmap, take some time to think about a structured way to attack this exam. There is no reason you cannot fork off processes way before you even get started. Practice in your own environment:

  Code:

if $THIS_TARGET is running SNMP
then run hydra
elif $THIS_TARGET is running HTTP
then use $TOOL_OF_CHOICE
fi



Same applies in the real world. When performing tests, it is critical that not only you perform necessary testing, but it is also critical you manage your time while doing so (time is money). Creativity goes a long way in this field (pentesting); however, it makes no sense to throw paint on a canvas and, once done, determine you are now going to start painting the Mona Lisa. Planning goes a long way.

Food for thought.
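The two scripts above (check one port, fire the tool, announce completion) and the SNMP/HTTP pseudocode can be folded into a single dispatcher. The following POSIX sh script is an added example, not sil's code and not anything from the OSCP material: it reads an nmap grepable file (the -oG output) instead of scraping -v output, maps every open service to a follow-up tool and forks those jobs into per-service output directories, announcing completion with wall as the post does. The port-to-tool mapping, the tool names (nikto, onesixtyone), the function names and the DRY_RUN/OUTDIR variables are assumptions for illustration, and the scan file it reads is a constructed sample.

```shell
#!/bin/sh
# Added example (not sil's code): dispatch follow-up tools from an nmap -oG file.
# DRY_RUN=1 (the default) only prints the planned commands, so it runs offline.
# The port-to-tool mapping below is an assumption; adjust it to your toolset.

DRY_RUN="${DRY_RUN:-1}"
OUTDIR="${OUTDIR:-./recon}"

# Constructed sample of nmap -oG output for one host (not a real scan).
SAMPLE_GREPABLE="${TMPDIR:-/tmp}/sample.$$.gnmap"
cat > "$SAMPLE_GREPABLE" <<'EOF'
# Nmap 5.61TEST5 scan initiated (constructed sample)
Host: 10.4.4.86 ()  Status: Up
Host: 10.4.4.86 ()  Ports: 22/open/tcp//ssh//OpenSSH 5.8p1/, 80/open/tcp//http//Apache httpd 2.2.20/, 161/open/udp//snmp///, 123/open|filtered/udp//ntp///  Ignored State: closed (996)
EOF

# open_ports FILE: print port/proto for every port whose state is exactly
# "open" (UDP "open|filtered" guesses are deliberately left out)
open_ports() {
    awk -F 'Ports: ' '/Ports:/ {
        n = split($2, entry, ", ")
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")        # port/state/proto/owner/service/...
            if (f[2] == "open") print f[1] "/" f[3]
        }
    }' "$1"
}

# tool_for PORT/PROTO: the follow-up tool for a service (assumed mapping);
# returns non-zero for services that get no automated follow-up
tool_for() {
    case "$1" in
        80/tcp|8080/tcp) echo "nikto -host" ;;
        161/udp)         echo "onesixtyone" ;;
        *)               return 1 ;;
    esac
}

# plan HOST FILE: one "tool host > outfile" line per dispatchable service
plan() {
    for pp in $(open_ports "$2"); do
        tool=$(tool_for "$pp") || continue
        echo "$tool $1 > $OUTDIR/$(echo "$pp" | tr '/' '_')/$1.out"
    done
}

# dispatch HOST FILE: fork every planned job in the background (or just print it),
# and tell every terminal when a job finishes, as in the post
dispatch() {
    plan "$1" "$2" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "would run: $cmd"
        else
            mkdir -p "$(dirname "${cmd##*> }")"
            ( sh -c "$cmd" 2>&1; echo "finished: $cmd" | wall ) &
        fi
    done
}

dispatch 10.4.4.86 "$SAMPLE_GREPABLE"
```

With DRY_RUN=0 and a real scan file (nmap -oG scan.gnmap target) the same call forks nikto and onesixtyone in the background and returns immediately, which is the "never wait on one tool" point of the post; the per-service directories mean later runs against other hosts never overwrite each other.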
hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Apr 09, 2012 3:36 pm

Re: OSCP and Pentesting 101

++1

Multitasking is essential, both in real-world pentesting, and in these courses.  You WILL NOT complete the exams in OSCP, if you remain single-threaded...

sil's advice is spot on.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Mon Apr 09, 2012 3:43 pm

Re: OSCP and Pentesting 101

Very nice write-up.
BS in IT, CISSP, MS in IS Management (in progress)
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon Apr 09, 2012 3:45 pm

Re: OSCP and Pentesting 101

hayabusa wrote:++1

Multitasking is essential, both in real-world pentesting, and in these courses.  You WILL NOT complete the exams in OSCP, if you remain single-threaded...

sil's advice is spot on.


Real world is funny, and sometimes I fool around with the admins watching me perform my tests, thinking they're going to do something stupid like stop me. Before I even start most tests, I fire off dozens of decoys (sometimes including their IP space) so they don't turn around and block me. Once I'm running though, I usually blend right in since people will be so confused by the amount of stuff they're seeing.
j0rDy

Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Tue Apr 10, 2012 7:50 am

Re: OSCP and Pentesting 101

Great post. I remember someone saying that pentesting consists for the most part of waiting. This is only true if you truly master the skill, and by that I mean automate, automate and automate... let the computer do the work for you and use the fact it can multitask like no other...

some other tips:
Try to separate automated scans. Sometimes tools get in each other's way. An example from my experience is that nmap and nessus can be working against each other during UDP scans.

Talking about nikto, sometimes tools provide you with false positives (which is perfectly shown in the ubuntu/freebsd example), so NEVER trust the output of tools blindly; always perform a manual check or use a second/third tool to confirm.
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
impelse

Hero Member

Posts: 585

Joined: Mon Feb 16, 2009 3:40 pm

Post Tue Apr 10, 2012 10:27 am

Re: OSCP and Pentesting 101

This is a great post. Last night I was enumerating users in an SMTP service, and during that time I was thinking, how can I increase the performance or do something else with this? And I remembered your post.
CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Tue Apr 10, 2012 1:07 pm

Re: OSCP and Pentesting 101

impelse wrote:This is a great post, last night I was enumerating users in a smtp service, during that time I was thinking how can I increase the performance or do something else with this? and I remember your post.


Another thing I do to cut time, is distributed password cracking. I fortunately have access to quite a few machines. What I do is parse out my word lists and split it between machines. For example:


  Code:
[root@kenji ~/WORDLISTS]# wc -l MEGALIST.txt
  472567089 MEGALIST.txt


I will split this into about 16 files and send them to 8 different machines. Since they're sorted alphanumerically, it becomes divide and conquer. Whereas if I had one machine starting at say A, it would take N amount of time to reach Z. If each file consisted of say 3.5 of the alphabet, my time is shortened (File 1 = A - Ch, File 2 = Ch - Fa, File 3....). My wordlists are created using a bucketload of words, iterations on those words, and contain the MD5 and SHA1's of each instance. So I can just grep a word or a hash and see the other:

  Code:
[root@kenji ~/WORDLISTS]# grep 1361067 MHASHED.txt
1361067 db402c6afef2cbe85da35ebe4e40cba3

[root@kenji ~/WORDLISTS]# grep d3d0472e95296db8d01e401e7d8206d6 MHASHED.txt
123098  d3d0472e95296db8d01e401e7d8206d6


Rather than wait until the last second, these are little things anyone can lay out beforehand. Before I even go the cracking route though I will try out some stuff online so I waste even less time: http://www.md5decrypter.co.uk/
DragonGorge

Jr. Member

Posts: 86

Joined: Wed Feb 08, 2012 6:30 pm

Post Tue Apr 10, 2012 2:52 pm

Re: OSCP and Pentesting 101

Quick question - I've read several OSCP reviews where the person states something to the effect: "I would have cracked that first box in half the time had I not [made a programming error]."

This confuses me. Are the programs you create for the test the kind where you don't get any feedback (i.e. find out you made a mistake) until they're finished running?
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Tue Apr 10, 2012 3:23 pm

Re: OSCP and Pentesting 101

DragonGorge wrote:Quick question - I've read several OSCP reviews where the person states something to the effect: "I would have cracked that first box in half the time had I not [made a programming error]."

This confuses me. Are the programs you create for the test the kind where you don't get any feedback (i.e. find out you made a mistake) until they're finished running?


If you're writing your own tool, it's up to you to direct how the output appears to you. Think about that for a moment... YOU are the one writing the program; what is it you want your program to do? How should it connect, what should it do when it connects, what should it do if successful, if it fails?
SephStorm

Hero Member

Posts: 570

Joined: Sat Apr 17, 2010 12:12 pm

Post Wed Apr 11, 2012 6:03 am

Re: OSCP and Pentesting 101

Sil, in those examples above, are those examples of scripting?
sectestanalysis.blogspot.com/‎
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Apr 11, 2012 7:48 am

Re: OSCP and Pentesting 101

Some are, some aren't. Scripting is nothing more than running successive commands. For example, I need to check if there is a shadow or master.passwd file on this machine, and if so, since I may not have privileges to copy or view it, let me see who in the sudoers group may have access to do what I need done (this helps since I can also attack that account as opposed to targeting root) and also who from the passwd file may have privs:

  Code:
# more ehnet-scripting-example
if [ -e /etc/shadow ]

then cp /etc/shadow /tmp

else

if [ -e /etc/master.passwd ]

then

printf "must be a BSD machine\nFinding out who has sudo privs\n"

awk '!/#/ && !/\n/' /usr/local/etc/sudoers | sort -u
grep ":0:" /etc/passwd
fi

fi
# sh ehnet-scripting-example
must be a BSD machine
Finding out who has sudo privs

%wheel ALL=(ALL) NOPASSWD: ALL
root ALL=(ALL) ALL
root:*:0:0:Charlie &:/root:/usr/local/bin/bash
toor:*:0:0:Bourne-again Superuser:/root:
sil:*:1001:0:sil:/home/sil:/bin/sh



As explained, scripting is nothing more than successive commands. I would run something like this as it gives me more targets to aim for as opposed to aiming for the holy grail. I wouldn't need to as I can also target the account "sil" who is in group wheel, who has sudo privs without a password.
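As an added example (not sil's script and not part of the original thread), here is the same pair of checks written as functions that take the sudoers and passwd files as arguments, so one piece of code audits a BSD host (/usr/local/etc/sudoers) or a Linux host (/etc/sudoers), and an administrator can run it over copies of the files to see the same thing a tester would: every UID 0 account, every account whose primary group is 0, and every rule that grants sudo without a password. The sample files it writes are constructed for illustration; the function names and the line-level NOPASSWD heuristic (it skips comments, blank lines and Defaults entries, and does not follow includes) are mine.

```shell
#!/bin/sh
# Added example (not sil's code): audit passwordless sudo and UID/GID 0 accounts.
# Pass real files for real use; the ones written here are constructed samples.

SAMPLE_DIR="${TMPDIR:-/tmp}/privaudit.$$"
mkdir -p "$SAMPLE_DIR"
cat > "$SAMPLE_DIR/sudoers" <<'EOF'
# constructed sample sudoers
Defaults    env_reset
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(ALL) NOPASSWD: /usr/local/bin/restart-app
EOF
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/usr/local/bin/bash
toor:*:0:0:Bourne-again Superuser:/root:
sil:*:1001:0:sil:/home/sil:/bin/sh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
EOF

# nopasswd_specs SUDOERS: user or %group specs on rules that carry NOPASSWD
# (heuristic: comment, blank and Defaults lines are skipped, includes are not followed)
nopasswd_specs() {
    awk '!/^[ \t]*(#|$)/ && $1 != "Defaults" && /NOPASSWD:/ {print $1}' "$1" | sort -u
}

# uid0_accounts PASSWD: every account with UID 0, not just "root"
uid0_accounts() {
    awk -F: '$3 == 0 {print $1}' "$1"
}

# gid0_members PASSWD: non-root accounts whose primary group is GID 0
# (wheel on BSD), i.e. the group the sample sudoers rule grants NOPASSWD to
gid0_members() {
    awk -F: '$4 == 0 && $3 != 0 {print $1}' "$1"
}

# audit SUDOERS PASSWD: one finding per line
audit() {
    for spec in $(nopasswd_specs "$1"); do echo "NOPASSWD rule for $spec"; done
    for u in $(uid0_accounts "$2"); do echo "UID 0 account: $u"; done
    for u in $(gid0_members "$2"); do echo "primary group 0: $u"; done
}

audit "$SAMPLE_DIR/sudoers" "$SAMPLE_DIR/passwd"
```

On the sample this reports the %wheel and deploy NOPASSWD rules, root and toor as UID 0, and sil as a GID 0 member, which is exactly the chain the post describes (a wheel member with passwordless sudo is as good as root); the defensive fix is to drop NOPASSWD from the group rule and take ordinary users out of group 0.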
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Apr 11, 2012 8:47 am

Re: OSCP and Pentesting 101

sil wrote:Practice in your own environment:

This is actually an excellent use of OffSec lab time as well. Instead of solely focusing on compromising systems, spend some time developing a game plan and attack methodology for the actual exam.

I'm a fan of running smaller, quicker scans, so I can obtain information to start working with expeditiously.

The following one-line script takes a start number, end number, and tcp/udp input, and returns a comma-separated list of ports from the nmap services file based on popularity

  Code:
# ports.sh
sort -r -k3 /usr/local/share/nmap/nmap-services | grep "$3" | grep -v ^# | sed -n "$1,$2p" | cut -d"/" -f1 | cut -f2 | tr "\n" "," | sed s/.$//

For example, the following command scans the top ten TCP ports (note: the start/end numbers are popularity rankings, not actual port numbers).

  Code:
root@bt:~# nmap -p`./ports.sh 1 10 tcp` 192.168.1.1 -oA scan

Reviewing the scan.nmap file shows the actual command that was run: nmap -p80,23,443,21,22,25,3389,110,445,139 -oA scan 192.168.1.1

You could do the same thing with --top-ports 10 for this specific scan, but if you performed subsequent scans of 20, 30, etc., you'd be rescanning the same ports over and over instead of being able to increment by 10 (or whatever amount). Starting with popular ports will typically give you the most information in the shortest amount of time. Once you have enough to keep you busy for awhile, you can expand the range and do 50, 100, etc. ports at a time.

Much more functionality could obviously be included. For example, the nmap command could be included in the script and add -sU if UDP was chosen, the ports could be included in the output file name so you don't accidentally overwrite previous scans, and so on.
The day you stop learning is the day you start becoming obsolete.
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Apr 11, 2012 9:29 am

Re: OSCP and Pentesting 101

ajohnson wrote:
  Code:
# ports.sh
sort -r -k3 /usr/local/share/nmap/nmap-services | grep $3 | grep -v ^# | sed -n "$1,$2p" | cut -d"/" -f1 | cut -f2 | tr "\n" "," | sed s/.$//


Would never work in BSD or Solaris :P

  Code:
awk '$3 >= .25{print}' /usr/local/share/nmap/nmap-services |\
awk -F "/" '!/^#/{print $1}' |\
awk '{print $2}'|\
perl -p -e 's:\n:,:g'|\
ruby -pe 'gsub(/,$/, "")'


In action via FreeBSD:

  Code:
# nmap -p `awk '$3 >= .25{print}' /usr/local/share/nmap/nmap-services |\
awk -F "/" '!/^#/{print $1}' |\
awk '{print $2}'|\
perl -p -e 's:\n:,:g'|\
ruby -pe 'gsub(/,$/, "")'` 10.4.4.72

Starting Nmap 5.61TEST5 ( http://nmap.org ) at 2012-04-11 10:29 EDT
Nmap scan report for kenji.infiltrated.net (10.4.4.72)
Host is up (0.000018s latency).
PORT     STATE  SERVICE
80/tcp   open   http
123/tcp  closed ntp
137/tcp  closed netbios-ns
138/tcp  closed netbios-dgm
161/tcp  closed snmp
445/tcp  closed microsoft-ds
631/tcp  closed ipp
1434/tcp closed ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 2.29 seconds
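The thread now has a GNU-flavoured and a BSD-flavoured version of the same idea, so here is one that needs only POSIX awk, sort, sed and paste, written as an added example (it is neither dynamik's ports.sh nor sil's pipeline): top_ports takes the same START END PROTO arguments as ports.sh, so ranks 1-10, 11-20 and so on can be scanned in turn without rescanning, and the proto argument makes it work for udp as well. The nmap-services excerpt it writes is a constructed sample so the example runs without nmap installed; the function name and the optional fourth argument are assumptions.

```shell
#!/bin/sh
# Added example (not dynamik's or sil's script): top-N ports by nmap popularity
# using only POSIX tools. Usage: top_ports START END PROTO [SERVICES_FILE]
# START and END are popularity ranks, not port numbers, as in the post.
# nmap-services lines look like "http  80/tcp  0.484143  # comment".

SAMPLE_SERVICES="${TMPDIR:-/tmp}/nmap-services.sample.$$"
cat > "$SAMPLE_SERVICES" <<'EOF'
# constructed sample in nmap-services format: name port/proto frequency
http    80/tcp   0.484143   # World Wide Web HTTP
telnet  23/tcp   0.221265
https   443/tcp  0.208669
ftp     21/tcp   0.197667
ssh     22/tcp   0.182286
domain  53/udp   0.501981
snmp    161/udp  0.433467
ntp     123/udp  0.330879
EOF

top_ports() {
    start="$1"; end="$2"; proto="$3"
    # nmap's install path on FreeBSD (as in the post); Debian-based systems
    # usually have it at /usr/share/nmap/nmap-services
    file="${4:-/usr/local/share/nmap/nmap-services}"
    awk -v proto="$proto" '!/^#/ && $2 ~ ("/" proto "$") {
        split($2, f, "/"); print $3, f[1]   # "frequency port"
    }' "$file" |
    sort -rn |                   # numeric sort on the frequency column
    sed -n "${start},${end}p" |  # keep ranks START..END
    awk '{print $2}' |
    paste -s -d, -               # join with commas, nothing trailing to strip
}

# e.g. nmap -p "$(top_ports 1 10 tcp)" target, then 11 20, 21 50, ...
# and nmap -sU -p "$(top_ports 1 10 udp)" target for the UDP side
top_ports 1 3 tcp "$SAMPLE_SERVICES"
```

Because the port list is a function rather than a one-liner, the nmap call, the -sU switch for udp and an output file name that includes the rank range (so successive scans never overwrite each other) can be added around it, which is the extension dynamik suggests.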

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Apr 11, 2012 9:30 am

Re: OSCP and Pentesting 101

By the way, the reasoning for the mixture in awk, perl and ruby in my example, is to get you guys to see other variations across different languages. Improvisation
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Apr 11, 2012 9:37 am

Re: OSCP and Pentesting 101

sil wrote:By the way, the reasoning for the mixture in awk, perl and ruby in my example, is to get you guys to see other variations across different languages. Improvisation


I knew I was setting myself up to get schooled, yet I posted anyway... :o
The day you stop learning is the day you start becoming obsolete.