
PWB/OSCP course related question


blueaxis

Newbie

Posts: 44

Joined: Fri Sep 09, 2011 9:20 am

Post Mon Apr 23, 2012 1:50 pm

PWB/OSCP course related question

The PWB course discourages using tools like Nessus and Metasploit for exploiting the lab machines. I am fine with it. My question is what the approach should be to find the vulnerabilities. Do you follow any pattern or just go through each service and test them manually? I'd appreciate it if someone could give insights on how much time to spend on each host. The course examples use FTP fuzzing, but I am not sure how to apply that technique to other services/ports that are open. Please share your thoughts.

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Apr 23, 2012 3:00 pm

Re: PWB/OSCP course related question

Nmap version scanning would give you the most info the quickest. Then just research on exploit-db or the other vuln sites. If you run into problems with the results, you may need to dig a little deeper manually. For example, maybe the banner was changed and that's all nmap reviewed. In the case of a web server, try HTTPrint in addition to nmap.

Also, see if you can find another service that discloses information (e.g. SNMP may show ports / processes).

Some may require manual review. Instead of there being a vuln with the web server, maybe you have to explore the web app (view source, etc.) to find the version of the app and see if it has any associated vulnerabilities with that.

I don't think you need to do any fuzzing unless you do the Extra Mile exercises in the exploitation module.
The day you stop learning is the day you start becoming obsolete.

blueaxis

Newbie

Posts: 44

Joined: Fri Sep 09, 2011 9:20 am

Post Mon Apr 23, 2012 6:04 pm

Re: PWB/OSCP course related question

Thanks for posting your inputs. I like your views on the port 80 stuff.

impelse

Hero Member

Posts: 585

Joined: Mon Feb 16, 2009 3:40 pm

Post Mon Apr 23, 2012 6:34 pm

Re: PWB/OSCP course related question

I haven't arrived at the lab yet, but I think the fuzzing is good. I am doing the extra mile, and you begin to understand how to manage the exploit and modify it. This is giving me a good understanding of how to attack machines, not just copy-and-paste tools.
CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/

TheXero

Full Member

Posts: 112

Joined: Tue Dec 07, 2010 12:24 pm

Post Tue Apr 24, 2012 3:59 am

Re: PWB/OSCP course related question

An important lesson I learnt was to make sure you check UDP ports as well as TCP.

Only checking the TCP could mean that you miss a critical vulnerability :)

j0rDy

Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Tue Apr 24, 2012 7:07 am

Re: PWB/OSCP course related question

TheXero wrote:An important lesson I learnt was to make sure you check UDP ports as well as TCP.

Only checking the TCP could mean that you miss a critical vulnerability :)


If you only check TCP you are doing half a penetration test. ALWAYS check UDP!
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Tue Apr 24, 2012 2:19 pm

Re: PWB/OSCP course related question

Hint: TFTP and especially SNMP can be quite big sinners on any network.

j0rDy wrote:
TheXero wrote:An important lesson I learnt was to make sure you check UDP ports as well as TCP.

Only checking the TCP could mean that you miss a critical vulnerability :)


if you only check TCP you are doing a half penetration test. ALWAYS check UDP!


I agree  ;D
I'm an InterN0T'er
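An added example, not code from the thread, the PWB course or nmap itself, that ties together dynamik's advice (version scan first, then research on exploit-db, and dig manually where nmap only had a port-table name), the TheXero/j0rDy point about UDP, and MaXe's SNMP/TFTP hint. It parses an nmap XML report into a prioritised to-do list and warns when the report contains no UDP results. The XML report below is constructed to look like `nmap -oX` output; its host, ports and version strings are made up, and the service lists are the author's own shortlist, not anything from the course:

```python
"""Turn an nmap -sV XML report into a prioritised enumeration to-do list.

Added example: the report below is constructed (hosts, ports and version
strings are made up); the service categories are an illustrative shortlist.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Services where a blank, default or guessable credential is the first thing to try.
AUTH_SERVICES = {"ftp", "ssh", "telnet", "mysql", "ms-sql-s", "postgresql",
                 "vnc", "microsoft-ds", "netbios-ssn"}
# UDP services that routinely hand out configuration, process lists or files.
INFO_DISCLOSURE = {
    "snmp": "info disclosure: walk the MIB with community strings such as public/private",
    "tftp": "info disclosure: try fetching config files (no authentication needed)",
}
# Web services where the server banner is rarely the whole story.
WEB_SERVICES = {"http", "https", "http-proxy", "http-alt"}

# Constructed sample report: one host, TCP and UDP ports, mixed nmap confidence.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oX scan.xml 10.11.1.5">
<host><status state="up"/><address addr="10.11.1.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open"/>
  <service name="ftp" product="ProFTPD" version="1.3.1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="22"><state state="open"/>
  <service name="ssh" product="OpenSSH" version="4.7p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open"/>
  <service name="http" product="Apache httpd" version="2.2.8" method="probed" conf="10"/></port>
<port protocol="tcp" portid="8080"><state state="open"/>
  <service name="http-proxy" method="table" conf="3"/></port>
<port protocol="tcp" portid="3306"><state state="filtered"/>
  <service name="mysql" method="table" conf="3"/></port>
<port protocol="udp" portid="161"><state state="open"/>
  <service name="snmp" product="SNMPv1 server" method="probed" conf="10"/></port>
<port protocol="udp" portid="69"><state state="open|filtered"/>
  <service name="tftp" method="table" conf="3"/></port>
</ports></host>
</nmaprun>
"""
# The same report as it would look if only TCP had been scanned (no -sU, no UDP ports).
TCP_ONLY_XML = re.sub(r'<port protocol="udp".*?</port>\n', "",
                      SAMPLE_XML.replace("-sU ", ""), flags=re.S)


@dataclass(order=True)
class Finding:
    priority: int   # 1 = look at this first
    host: str
    proto: str
    port: int
    service: str
    action: str


def _is_open(state):
    # UDP ports that never answer come back as "open|filtered"; they still need a probe.
    return state in ("open", "open|filtered")


def triage_nmap_xml(xml_text):
    """Return (findings sorted by priority, warnings) for one nmap XML report."""
    root = ET.fromstring(xml_text)
    args = root.get("args", "")
    findings, warnings, saw_udp = [], [], False
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if not _is_open(port.find("state").get("state")):
                continue
            proto, portid = port.get("protocol"), int(port.get("portid"))
            saw_udp = saw_udp or proto == "udp"
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            product = svc.get("product") if svc is not None else None
            version = svc.get("version") if svc is not None else None

            def add(prio, action):
                findings.append(Finding(prio, addr, proto, portid, name, action))

            if product and version:
                add(1, f"search exploit-db for '{product} {version}'")
            elif svc is None or svc.get("method") != "probed":
                # Name came from nmap's port table, not from a probe: the banner may be
                # missing or altered, so fingerprint by hand (nc/telnet; httprint for web).
                add(3, "no probed version: fingerprint the service manually")
            if name in INFO_DISCLOSURE:
                add(1, INFO_DISCLOSURE[name])
            if name in AUTH_SERVICES:
                add(2, "try blank/default/guessable credentials")
            if name in WEB_SERVICES:
                add(2, "browse the app itself: view source, find the app name/version")
    # -sU, -sSU, -sTU ... all enable UDP; otherwise the report is only half the picture.
    if not saw_udp and not re.search(r"-s\w*U\b", args):
        warnings.append("no UDP results in this report: run nmap -sU "
                        "(at least --top-ports) before calling a host done")
    return sorted(findings), warnings


if __name__ == "__main__":
    for report in (SAMPLE_XML, TCP_ONLY_XML):
        found, warns = triage_nmap_xml(report)
        for f in found:
            print(f"[{f.priority}] {f.host} {f.proto}/{f.port} {f.service}: {f.action}")
        for w in warns:
            print("WARNING:", w)
        print("-" * 60)
```

The filtered 3306/tcp entry is dropped, the UDP `open|filtered` TFTP port is kept because it has not been disproved, and 8080/tcp lands at the bottom because nmap only guessed "http-proxy" from its port table, which is exactly the case where the banner may have been changed and a manual look is needed.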

blueaxis

Newbie

Posts: 44

Joined: Fri Sep 09, 2011 9:20 am

Post Tue Apr 24, 2012 4:31 pm

Re: PWB/OSCP course related question

Thanks for sharing your views. I have seen people using the term "Low Hanging Fruit". Any tips on how to identify these?

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Apr 24, 2012 8:43 pm

Re: PWB/OSCP course related question

blueaxis wrote:Thanks for sharing your views. I have seen people using the term "Low Hanging Fruit". Any tips how to identify these?


You're going to have to rely on your intuition and experience here. Think about what *obvious* problems could be present with a given service. Does it require authentication? Maybe blank, default, or easily-guessable credentials are being used. Does it disclose its name and version? Check Exploit DB; maybe you can get a root shell by simply providing a script with the target IP address.
The day you stop learning is the day you start becoming obsolete.

blueaxis

Newbie

Posts: 44

Joined: Fri Sep 09, 2011 9:20 am

Post Tue Apr 24, 2012 9:01 pm

Re: PWB/OSCP course related question

Thanks very much!

j0rDy

Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Wed Apr 25, 2012 3:08 am

Re: PWB/OSCP course related question

Low hanging fruit refers to easily hackable hosts. Often these hosts can be hacked using automated attacks like DBautopwn or simple password guessing (root/toor), for example. Other hosts that require more skills are considered harder. My advice is to look for the low hanging fruit in the labs first; do not worry about skipping a few hosts because they seem too hard. Go for the hosts that seem fun/challenging and have a crack at those.
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
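An added example for the low-hanging-fruit replies from dynamik (does the service require authentication? try blank or default credentials) and j0rDy (simple password guessing such as root/toor), not code from the thread or the course. It tries a short list of obvious FTP credentials, one fresh connection per attempt, using only the standard library. The FTP server in the block is a loopback stand-in that only speaks USER/PASS/QUIT so the check runs offline; the credential list is a constructed sample, not a real wordlist:

```python
"""Default-credential check against an FTP service, with a loopback stand-in server.

Added example: the fake server exists only so the check runs offline, and
DEFAULT_CREDS is a constructed sample rather than a real wordlist.
"""
import ftplib
import socket
import threading

# Constructed sample of "obvious" pairs to try first. A real run would use a
# service-specific list and stop well short of any account-lockout threshold.
DEFAULT_CREDS = [
    ("anonymous", "anonymous@"),
    ("ftp", "ftp"),
    ("admin", "admin"),
    ("admin", ""),
    ("root", "toor"),
    ("root", "root"),
]


def start_fake_ftp(valid_creds):
    """Start a minimal FTP server on 127.0.0.1 that knows only USER, PASS and QUIT.

    valid_creds is a set of (user, password) pairs that are accepted.
    Returns the port it is listening on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        user = None
        with conn, conn.makefile("r", encoding="latin-1") as lines:
            conn.sendall(b"220 (fake ftpd 0.1)\r\n")   # the banner a version scan would read
            for line in lines:
                cmd, _, arg = line.rstrip("\r\n").partition(" ")
                cmd = cmd.upper()
                if cmd == "USER":
                    user = arg
                    conn.sendall(b"331 Please specify the password.\r\n")
                elif cmd == "PASS":
                    if (user, arg) in valid_creds:
                        conn.sendall(b"230 Login successful.\r\n")
                    else:
                        conn.sendall(b"530 Login incorrect.\r\n")
                elif cmd == "QUIT":
                    conn.sendall(b"221 Goodbye.\r\n")
                    return
                else:
                    conn.sendall(b"502 Command not implemented.\r\n")

    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def guess_ftp_credentials(host, port, candidates=DEFAULT_CREDS, timeout=5):
    """Try each (user, password) pair on a fresh connection; return the pairs that log in."""
    working = []
    for user, password in candidates:
        ftp = ftplib.FTP()
        try:
            ftp.connect(host, port, timeout=timeout)
            ftp.login(user, password)      # sends USER then PASS; a 5xx reply raises error_perm
            working.append((user, password))
        except ftplib.error_perm:
            pass                           # 530: wrong pair, try the next one
        except (OSError, ftplib.Error):
            break                          # connection-level failure: stop rather than hammer it
        finally:
            try:
                ftp.quit()
            except Exception:
                ftp.close()
    return working


if __name__ == "__main__":
    port = start_fake_ftp({("root", "toor")})
    print("working credentials:", guess_ftp_credentials("127.0.0.1", port))
```

Each attempt reconnects rather than reusing one session, because many FTP daemons drop the connection after a few failed logins, and the loop stops on any connection-level error instead of retrying so that a rate-limited or crashing service is noticed rather than hammered. Against a real lab host the same function is pointed at the target IP and port 21 with a list chosen for that service.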

amol_d

Newbie

Posts: 12

Joined: Tue Apr 10, 2012 8:49 am

Post Sat Apr 28, 2012 9:24 am

Re: PWB/OSCP course related question

When I was stuck and did not know how to proceed, I found it useful to look at videos on YouTube and securitytube.net to see how others had approached similar problems. g0tmi1k.blogspot.com has a lot of videos as well. Although the machines being hacked are totally different, when you see the videos you understand the approach that is taken, from info gathering to validating possible vulnerabilities to getting a shell and the final privilege escalation. Once you understand the approach, it should help you progress faster.
OSCP CISSP CSSLP CISA
