Forum Replies Created
January 4, 2015 at 3:17 am #54066
However if I do the same and show 5 words I get this:
(gdb) x/5xw 0xbffff834
0xbffff834: 0x00000005 0xbffff898 0xb7eafebc 0x00000001
Here is what is going on. 4 words = 16 bytes. What you are seeing here is the 5 words, printing out 16 bytes at a time for readability. The first grouping of 16 bytes starts out at 0xbffff834; when you add 16 to it, it becomes 0xbffff844. Treat each line as a 16-byte array and it explains what you’re looking at:
00 00 00 05 bf ff f8 98 b7 ea fe bc 00 00 00 01
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
When you do 5xw at a memory address it will print 5 words (5*4 bytes) = 20 bytes. That’s why you have 16 on one line, then 4 on the next. It will continue to walk down the memory locations from there, 6xw would print 8 additional bytes on the next line.
Does this make sense ?
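As an added illustration of the grouping described in this reply (example code written for this page, not part of the original post): a small Python emulation of gdb's `x/Nxw` that decodes words from a constructed byte buffer, groups them four per line, and advances the line address by 16. The first four words are the ones quoted above; the fifth and sixth are made up so that `x/5xw` and `x/6xw` can both be shown. It also lists the raw bytes in memory order on a little-endian x86 host, where the low byte of each word comes first.

```python
import struct

# Constructed sample memory: six 32-bit words as they would sit on the stack of
# a little-endian x86 process starting at 0xbffff834. The first four values
# are the ones quoted in the post; the last two are made up for this example.
START_ADDR = 0xBFFFF834
WORDS = [0x00000005, 0xBFFFF898, 0xB7EAFEBC, 0x00000001, 0xBFFFF8A0, 0x00000000]
MEMORY = b"".join(struct.pack("<I", w) for w in WORDS)  # "<I" = little-endian u32

WORD_SIZE = 4       # the 'w' in x/5xw
WORDS_PER_LINE = 4  # gdb prints four words (16 bytes) per line


def examine_words(memory, start_addr, count):
    """Emulate gdb's x/<count>xw: decode `count` little-endian words from
    `memory` and group them four per line. Returns a list of
    (line_address, [word, ...]) tuples; each line address is the previous
    one plus 16 because a full line covers four 4-byte words."""
    if count * WORD_SIZE > len(memory):
        raise ValueError("not enough bytes in the sample for %d words" % count)
    lines = []
    for first in range(0, count, WORDS_PER_LINE):
        last = min(first + WORDS_PER_LINE, count)
        chunk = memory[first * WORD_SIZE:last * WORD_SIZE]
        words = list(struct.unpack("<%dI" % (last - first), chunk))
        lines.append((start_addr + first * WORD_SIZE, words))
    return lines


def format_like_gdb(lines):
    """Render the lines the way gdb does: '0xbffff834:<tab>0x00000005 ...'."""
    return ["0x%08x:\t%s" % (addr, "\t".join("0x%08x" % w for w in words))
            for addr, words in lines]


def bytes_with_offsets(memory, line_index):
    """Return the 16 raw bytes of one gdb line as (offset, byte) pairs, in
    memory order; on x86 the low byte of each word comes first, so the word
    0x00000005 is stored as 05 00 00 00."""
    start = line_index * WORDS_PER_LINE * WORD_SIZE
    return list(enumerate(memory[start:start + 16]))


if __name__ == "__main__":
    # x/5xw: four words on the first line, the fifth word alone on the second
    for line in format_like_gdb(examine_words(MEMORY, START_ADDR, 5)):
        print(line)
    print(" ".join("%02x" % b for _, b in bytes_with_offsets(MEMORY, 0)))
```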
July 9, 2012 at 10:24 pm #47995
I think we all agree that plain text passwords are not a good idea. And while this is “just a forum”, to me it’s a matter of practicing what you preach. However, in saying that, I don’t really know how much extra effort is required to go from plain text to hashed/encrypted so maybe this is a case where the cost isn’t worth the benefit.
Agreed. The real question is, with Don’s limited time, what is the level of importance? Between trying to make sure that the site stays up and dealing with getting contest rewards, publishing articles, deleting spam, updating the site, and everything else, what would it be best to let slip so that some serious time could be spent re-vamping the site to use hashed passwords?
I mean as such, if we’re going to do it right, using something simple and salted would be bad, so like SHA1 with a salt would be less optimal than something more sophisticated than that with time built into cracking passwords as well as generating them such as bcrypt.
There are tons of other things that should probably be done, ensuring that the linkages between the two systems are using SSL for instance. With that said, I think that if this is important to people, they should write up a synopsis of things that they think should be done to improve the security of the site, research what it would take, and propose doing a project with Don to get it done.
In the end, good resume builder, Don will owe you one, and people who help out with stuff on the site tend to get rewarded.
Just a thought.
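The point in this reply about building time into both generating and cracking a password hash, as an added example that is not part of the original post: the "simple and salted" scheme beside a stored-work-factor scheme. The slow hash uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt (the reply names bcrypt; PBKDF2 is used here only because it ships with Python), with a self-describing record format and a rehash flag that are this example's own conventions.

```python
import hashlib
import hmac
import os

# Work factor: PBKDF2 rounds. Raising it makes hashing one password and each
# guess an attacker makes proportionally slower; one SHA-1 round does not.
DEFAULT_ITERATIONS = 200_000
ALGO = "pbkdf2_sha256"


def salted_sha1(password, salt):
    """The 'simple and salted' scheme the reply argues against: the salt
    defeats precomputed tables, but each guess still costs one SHA-1 call."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return a record 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>' (a format
    made up for this example). A fresh 16-byte random salt is drawn per call;
    storing the iteration count lets it be raised later without a migration."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations), salt.hex(), digest.hex()])


def verify_password(password, record):
    """Recompute the hash with the stored salt and round count and compare in
    constant time. Returns (ok, needs_rehash); needs_rehash is True when the
    record's work factor is below the current default, so the caller can
    re-hash on the next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False, False
    iterations = int(parts[1])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(parts[2]), iterations)
    ok = hmac.compare_digest(digest.hex(), parts[3])
    return ok, ok and iterations < DEFAULT_ITERATIONS


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # (True, False)
    print(verify_password("wrong guess", record))                   # (False, False)
```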
July 1, 2012 at 5:26 pm #47891
If you’re doing this frequently, I’d take a look at hashcat (http://www.hashcat.net). It has the ability to do a mask attack, and you can easily set up brute lists with just numbers using the masks. This saves disk space when you want to enumerate over large groups in a static pattern.
June 30, 2012 at 4:48 am #47888
Just to be clear, Cobalt Strike leverages Metasploit for a lot of its attacks. It’s a further development of the Armitage front end, which acts as a Java-based front end for Metasploit, but Cobalt Strike has addressed a lot of the workflow, reporting, and other automation that isn’t easy from within Armitage, a Metasploit base install, or other tools that leverage Metasploit. Cobalt Strike is a step forward from just “using Metasploit” to letting a pen tester take advantage of the framework core functions, while allowing a lot of the things that become tedious to be made easy through the GUI interface. It is session aware, allows you to set easy pre-sets that are selectable, allows you to run exploits against groups of hosts, and other things that the other tools just don’t let you do as easily.
May 30, 2012 at 12:18 pm #47514
I’ve still got to read that. I’m a little disappointed there was no C/C++ or Assembler primer. Since I need help on those for the ElearnSec class. But still happy I have a copy. Maybe I’ll get to read it soon, like around October.
What sort of things would you like to see with c/c++/asm? I’m pretty sure we can build a whole ‘nother book out of that. The only things that I’ve been using c/c++ for lately are network tools that require serious speed (ettercap/skipfish). For asm, I can see some of that for exploit dev and for some minor speed enhancements, but I would be curious how deep you’d like to see something like that go. Assembly is one that we’d have to really have targeted, as what you want to do with it is kind of important. Especially if it’s exploit dev, there would have to be coverage of ROP and some of the other more complex aspects.
Hopefully when you get some time you can give the scripting a go, and let us know if there’s other stuff that people would like to see in there.
February 28, 2011 at 5:58 pm #38455
It does have a Metasploit module. Have you tried reading the source to figure out what’s going on?
There’s a whole set of info on bypassing NX protection in the comments, as well as information about the handle you have to bind to and the type of dcerpc call that triggers the vulnerability. I was curious what additional info was in the Metasploit module, and I just learned quite a bit about bypassing NX protection.
If you are going to be re-creating this in python, the Metasploit dcerpc library is pretty easy to decipher, so you can probably pull what you need from there. The RFCs are pretty helpful as well, but understanding how something works in theory and then looking at a protocol interaction in reality is often more helpful.
Hope this helps.
February 8, 2011 at 9:07 pm #37977
The thing that will help you most in OSCE is to verify you really understand each lesson as it is presented. For instance, you will be walked through an exercise, then you will have to complete it on your own. You should try this:
1) Do the exercise with the video
2) At end of chapter, re-create the exercise referencing the manual
3) Rinse and Repeat until you don’t need to reference the manual at all
This takes more time, but the worst time to figure out that you didn’t really get what was going on is during the exam. Also, don’t be afraid to reference other material. When I didn’t get the explanation of something, I hit up Google and on occasion found some complementary stuff which helped.
December 3, 2010 at 12:49 am #36744
Hehe.. NOP is a funny little cert. Immunity is still offering it, it seems, based on their site, but I think it started out as a marketing tool. The deal was, get a random vulnerable binary, and see if you can write a working sploit in 45 mins using Immunity Debugger and their drag-and-drop sploit creation tool. You end up having to understand how concepts like pattern offsets work to find offsets, and basically their tools help you a lot. Their drag-and-drop sploit creation tool is pretty neat, but of course, it’s all out of my personal price range.
In all, unless you wanna do it for fun, NOP isn’t going to teach you anything. Going the OSCE path will teach you stuff unless you’re already at a level where you think ASLR is a “cute defense” and laugh as you code around it or you don’t deal with conventional exploitation any more because ROP is the future.
I Reaaaaaalllly wanna take Advanced Windows Exploitation. I wish it were offered more places than Black Hat. I have heard some interesting things about SANS 660 and their 700 level exploit writing classes. They are way more expensive though, so will have to figure out how to do that.
December 2, 2010 at 6:53 pm #36742
MaXe is spot on. You don’t have to be able to write assembly, but you generally need to get binary math (bit shifting, OR, AND, XOR etc) and you should have a base understanding of registers from PWB. From there, if you have a good assembly reference you can look stuff up, but the more you’ve dealt with looking at assembly the faster you will pick stuff up.
I did pass the OSCE. I didn’t pass it anywhere near as quickly as I did the OSCP. OSCP took me between 6-8 hrs, OSCE took me 40 hrs total with a 4 hr nap, a 6 hr nap, and a few times taking the dog for 20 min walks cause I was frustrated 🙂
In retrospect, I followed along with the course manual too closely when I was doing labs on my own. Some of the things where I thought I understood them, I was wrong and then I figured it out on the test. One challenge, had I done a better job of doing labs in the course, I would have taken something that took me about 10 hrs down to probably about 4 hrs. Although, at this point, I REALLY understand it, in retrospect I wish I had done a better job of going through some of the labs.
November 8, 2010 at 5:24 pm #36217
Check out http://sourceforge.net/projects/laudanum/ . They have some things that will do what you want. There are also some cleansed versions of what the evil folks out there are using. They have some advanced functionality such as the ability to escalate privileges, deal with databases, etc.
Then, there’s a fun one. If you can turn it into a remote file injection, metasploit has a payload (exploit/unix/webapp/php_include) that will allow you to inject a php meterpreter. It may be injectable on its own, but you can then route traffic through that php file and do further enumeration, scanning, and ssh brute-force in order to get what you want. And of course, you will have a shell, so you can do most of what you’re looking for.
Hope this helps.
November 8, 2010 at 5:20 pm #36228
For the CCNA, you can use the y200emu emulator. Unless they have changed it substantially since I took it, most of the links required are serial, and most of the things you will have to do should work within the emulator, and most of all, no hardware required.
They even have sample virtual lab setups for CCNA.
November 4, 2010 at 8:09 pm #36145
NSEs are written in Lua. The biggest challenge when I was working on NSE devel is that Lua is missing some things I really wanted. Read a basic Lua tutorial, and then on the Nmap site in the docs there’s a section dedicated to working with NSEs. Once you understand the basics, you can look at the stock stuff to figure out more. The big thing is that the libraries are changing pretty quickly and growing. Make sure when you are doing devel, you are using the latest nmap release, otherwise you are going to be missing a ton of libraries and other examples.
Hope this helps.
November 4, 2010 at 8:06 pm #36153
So, their response isn’t business related, it’s emotional. So, in my opinion, you need to make an emotional case as well as a business case.
For instance, knowing that during an outage it cost you X, but it may have also meant that a manager had to explain him/herself to someone. Nobody wants to be at the helm when the ship hits the iceberg, so you may be able to play that card at the same time.
Figure out how your company makes money, create some scenarios, demonstrate the precursors for those scenarios to take place, and then talk about what could be lost and how much can be gained from some initially simple steps.
If they got every single box, figure out how to make that harder. My guess is you can probably improve things with some things starting simple, and then leverage those changes into having a “security specialist” and then work the specialist into a team over time.
November 2, 2010 at 11:45 am #36019
Good luck! OSCE was extremely challenging. Knowing what you do now, I’m sure it will help a lot on the next attempt. Let us know how you do!
H1t M0nk3y, that wasn’t my understanding, so thanks for sharing your experience.
November 1, 2010 at 1:18 pm #36016
There is another aspect to remember here in addition to the time management. Your bonus points from the class (I assume you did them, if you didn’t get started now) apply to your final score. So, you don’t have to get everything, you just have to get enough points to add up with your bonus points to pass. I would say don’t shoot for 100%, instead, evaluate what you are working with before you start concentrating on anything.
The points are important, but before you set out to own anything, get your recon done. Figure out what you are dealing with. Don’t spend more than the allotted time on any one box. Document everything you do, and then if you have extra time once you’ve gotten other objectives go back and finish. By getting as much info as you can about all the boxes, you have the opportunity for them to determine what amount of credit you get for each objective. If you haven’t done anything, there is no room to give you the benefit of the doubt.