Try Harder or Go Home
Disclaimer
Cha-HA is a "Red Team" social and training group.
Organizers and teachers of Cha-HA are not compensated financially for their time. They do this simply because they enjoy the topic and like to share.
Some of the skills and tools taught at Cha-HA meetings can be used for malicious purposes.
Cha-HA organizers and teachers only condone and encourage responsible and lawful use of such skills and tools.
Code of Conduct
I will treat all other members respectfully during Cha-HA events.
I will not use tools and skills shared at Cha-HA for unlawful purposes.
If I ignore the previous point and get caught in an unlawful act then it is nobody's fault but my own.
Whoami
● Jared Haight
● Former Sysadmin
● Current Security Engineer
● OSCP as of August 13th
● @jaredhaight
● https://words.photosandtext.com
What am I talking about?
● What I already knew that helped me with the OSCP
● Stuff I learned while studying for the OSCP
● Things you should focus on if you want to take the OSCP
○ Without getting so specific that it ruins the fun (or gets me in trouble with Offensive Security)
What makes a hacker?
My Background
● Using computers for 17 years
○ Started using Linux about 14 years ago
● Sysadmin for 10 years
○ Covered everything from firewalls down to the desktop
○ Administered both Windows and Linux environments
● Hobbyist web dev for 4 years
○ Started learning Python in 2011, still suck at it.
○ Currently learning Javascript, really suck at it.
What makes an effective hacker
● Learn quickly and be able to intuit how things work
● Constantly think about how you can abuse your current position
○ Focus on your long-term goals, but not to the point that it distracts you from what's in front of you
● Understand your opponent
○ In the OSCP lab it's a lot of stupid and lazy admins
Recon
NMAP
● Scan ALL of the ports
○ TCP (1 - 65000)
○ UDP (--top-ports 200 or whatever)
● Read the full scan output, not just the overview
○ That's where all the NSE output is!
● Zenmap is really great
Dirbuster
● Invaluable tool for finding directories/files on a webserver
● Lists are in /usr/share/wordlists/dirbuster
○ Use the big one
● Set threads to like 100
Other Enumerators
● SMBEnum
○ Old and/or misconfigured Windows boxes give TONs of info through SMB
● SNMPwalk
○ Can be great for identifying the OS
○ Misconfigured OSes will give a lot of info over SNMP
● Probably more..
Misc
● Save EVERYTHING
○ Notes, NMAP output, enum output, etc.
● Make sure you can find everything
● My structure:
○ ~/recon/192.168.13/68/ (subnet directory, then one directory per host IP), containing:
■ notes
■ nikto.log
■ smbenum.log
■ misc loot..
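An added example, not from the talk, that ties the NMAP slide to the note structure above: it reads nmap's XML report (the -oX output) so the per-port NSE script output is kept rather than just the open-port summary, and files the result under the ~/recon/<subnet>/<host>/ layout. The XML below is a constructed sample, not a real scan, and the file names nmap.xml and notes are my choice.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed `nmap -oX` output for one host (NOT a real scan). Port 445 carries
# NSE script output that a "ports only" summary would hide.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.168.13.68" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds"/>
        <script id="smb-os-discovery" output="OS: Windows 2000&#10;Computer name: LABBOX"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="closed"/>
        <service name="http"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: [port entries]} for open ports, each entry carrying its NSE output."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        entries = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are noise in the notes
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(p for p in (svc.get("product"), svc.get("version")) if p)
            entries.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "?") if svc is not None else "?",
                "product": product,
                # script elements are direct children of <port> in nmap's XML
                "scripts": {s.get("id"): s.get("output", "") for s in port.findall("script")},
            })
        hosts[addr.get("addr")] = sorted(entries, key=lambda e: (e["proto"], e["port"]))
    return hosts


def recon_dir(base, ip):
    """~/recon/192.168.13/68/ style path: subnet directory, then last-octet directory."""
    subnet, host = ip.rsplit(".", 1)
    return Path(base) / "recon" / subnet / host


def render_notes(ip, entries):
    """Plain-text notes: one line per open port, NSE output indented under it."""
    lines = [f"# {ip}", ""]
    for e in entries:
        lines.append(f"{e['port']}/{e['proto']} {e['service']} {e['product']}".rstrip())
        for script_id, output in e["scripts"].items():
            lines.append(f"  [{script_id}]")
            lines.extend("    " + l for l in output.splitlines())
    return "\n".join(lines) + "\n"


def save_scan(base, xml_text):
    """Write the raw XML and a rendered notes file into each host's recon directory."""
    written = []
    for ip, entries in parse_nmap_xml(xml_text).items():
        d = recon_dir(base, ip)
        d.mkdir(parents=True, exist_ok=True)
        (d / "nmap.xml").write_text(xml_text)  # keep the raw output, never only the summary
        (d / "notes").write_text(render_notes(ip, entries))
        written.append(d)
    return written


def demo():
    """Run the sample through a temporary tree; returns {host_dir_name: notes_text}."""
    with tempfile.TemporaryDirectory() as tmp:
        return {d.name: (d / "notes").read_text() for d in save_scan(tmp, SAMPLE_XML)}


if __name__ == "__main__":
    for host, notes in demo().items():
        print(host, notes, sep="\n")
```

Run it against a real report with save_scan(Path.home(), open("scan.xml").read()) and the notes land next to nikto.log and the rest of the loot for that host.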
Exploitation
Searchsploit
Why you'd use it:
● You need an exploit
● Searching exploit-db.com is really slow
How you'd use it:
● searchsploit <switches> <terms>
● Example: searchsploit -w windows exec
○ By default lists out exploit name and location on disk
○ -w lists exploit-db url instead of location on disk
Metasploit
Why you'd use it
● Cause it's fucking metasploit
How you'd use it
● Very carefully if you're taking the exam
○ Usage is limited to multi handler, meterpreter and msfvenom
○ You can use Auxiliary, Exploit and Post modules against ONE allowed machine.
○ Double check the rules before you do something stupid on your exam
Meterpreter
Why you'd use it:
● It's like a normal shell but with special sauce.
How you'd use it:
● Very carefully if you're taking your exam
○ Usage is restricted to File System, Network and a subset of System commands
○ All other usage is only allowed the one machine you use Metasploit on.
How do I know what I'm allowed to do?
Metasploit
● If you're in msfconsole, you can use exploit/multi/handler
○ That's it. If you want to use more of the metasploit console you can do it only once and only on an allowed box
● No restrictions on msfvenom
Meterpreter
● If you're in a meterpreter session run "help"
○ It will list out all meterpreter commands, categorized by section.
Buffer Overflows
Why you'd want to learn this
● You're a hacker, you want to know how things work.
○ Buffer overflows are core to the fun stuff we get to do
● You want to be able to edit (or even find) exploits
How you'd learn this
● Go over the documentation provided by Offensive Security
○ Keep going over it until it makes sense
○ Do the exercises provided by Offensive Security
○ Go find more stuff to exploit (plenty of resources on the internet)
Exploits in the lab environment
● Lots of finding and editing existing exploits
● Build up a collection of scripts and tools that hit common exploits
○ MS08-067, Linux kernel priv esc, etc.
● Learn how to read basic C, it'll help.
● Some of the servers are old, your compiled code won't run on them
○ Download an ISO of the old OS and spin it up in a VM
○ Google "Debootstrap" to set up builds of old Debian/Ubuntu installs on your Kali box.
■ Once set up you can use "chroot" to switch into them
■ Note that Debian changed their file hashes from MD5 to SHA a while back. You may need to find an old version of debootstrap to work on really old OSes.
Tips and Tricks
● If you have a root shell on a box but don’t know the root password, echo your SSH key to /root/.ssh/authorized_keys
○ Boom. Passwordless login.
● Exploit chains can get complicated and VMs get reset often. Script out exploits that you find yourself doing over and over again.
● The documentation walks you through writing a script that generates a "wget script" for Windows. Do that, it comes in handy.
○ Actually, just do all the exercises that they walk you through.
● Do a report on the lab and do it as you go along
○ The lab is big, there's a lot of stuff to document. Don't put it off.
○ The lab report can help to sway whether you pass the OSCP or not
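The first tip above (dropping your own key into /root/.ssh/authorized_keys) is also exactly what a defender should be watching for. The audit below is an added example, mine rather than the talk's: it parses an authorized_keys file, computes each key's SHA256 fingerprint the way ssh-keygen -l prints it, and flags keys that are not on an approved list, keys with no from= source restriction, and entries whose declared type does not match the blob. The keys and the file are constructed for the example and are not real keys.

```python
import base64
import hashlib
import re

# options (may contain quoted strings), key type, base64 blob, optional comment
KEY_LINE_RE = re.compile(
    r"(?P<options>.*?)\s*\b(?P<type>ssh-(?:rsa|ed25519|dss)"
    r"|ecdsa-sha2-nistp(?:256|384|521)"
    r"|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com)"
    r"\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$"
)


def fake_blob(key_type, seed):
    """Constructed key blob, NOT a real key: SSH wire format is a length-prefixed
    type string followed by the key material; 32 filler bytes stand in for it."""
    body = (len(key_type).to_bytes(4, "big") + key_type.encode()
            + (32).to_bytes(4, "big") + bytes([seed]) * 32)
    return base64.b64encode(body).decode()


ADMIN_KEY = fake_blob("ssh-ed25519", 1)     # the one key that belongs there
DROPPED_KEY = fake_blob("ssh-ed25519", 2)   # the "echo my key into authorized_keys" case
MISMATCH_KEY = fake_blob("ssh-ed25519", 3)  # declared as ssh-rsa below

# Constructed /root/.ssh/authorized_keys for the example
SAMPLE_AUTHORIZED_KEYS = f"""# root's keys
from="10.0.0.5",no-port-forwarding ssh-ed25519 {ADMIN_KEY} admin@bastion
ssh-ed25519 {DROPPED_KEY} kali
ssh-rsa {MISMATCH_KEY} build@ci
"""


def fingerprint(blob_b64):
    """SHA256 fingerprint in the ssh-keygen -l format (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def wire_type(raw):
    """First length-prefixed string of the blob; it must repeat the declared key type."""
    n = int.from_bytes(raw[:4], "big")
    return raw[4:4 + n].decode("ascii", "replace")


def audit_authorized_keys(text, approved_fingerprints):
    """Return one finding per suspicious entry: line, type, fingerprint, comment, reasons."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE_RE.match(line)
        if not m:
            findings.append({"line": lineno, "reasons": ["unparseable entry"]})
            continue
        try:
            raw = base64.b64decode(m["blob"], validate=True)
        except ValueError:
            findings.append({"line": lineno, "reasons": ["blob is not valid base64"]})
            continue
        fp = fingerprint(m["blob"])
        reasons = []
        if fp not in approved_fingerprints:
            reasons.append("unapproved key")
        if wire_type(raw) != m["type"]:
            reasons.append("blob type does not match declared type")
        if not re.search(r'\bfrom="', m["options"]):
            reasons.append("no from= restriction")
        if reasons:
            findings.append({"line": lineno, "type": m["type"], "fingerprint": fp,
                             "comment": m["comment"] or "", "reasons": reasons})
    return findings


APPROVED = {fingerprint(ADMIN_KEY)}

if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED):
        print(f["line"], f.get("fingerprint", ""), f.get("comment", ""), "; ".join(f["reasons"]))
```

Build the approved set from fingerprints you already know (ssh-keygen -lf on the keys you issued) and run the audit over every authorized_keys file a backup or file-integrity job turns up; a key that appears with a stranger's comment and no restrictions is the footprint the tip above leaves behind.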
Tips and Tricks Part 2: Too fast too tricky
● Sometimes the easiest way to get a shell on a box is to create a new account.
○ If you have privileged code execution on a box, why not just create a new account?
● Pillage
○ Check every single box you get into for loot. There are some boxes in the labs that you can only get into with info gleaned elsewhere
○ Think. Where would the good stuff be?
■ /home
■ /etc
■ /var/log
■ C:\
■ C:\Users (C:\Documents and Settings)
○ Use scp, meterpreter or existing services (http, ftp) to get files off a box
Pivoting
Pivoting is Fun
● There are three networks in the OSCP lab
○ You start out with access to one
○ Be on the lookout for dual-homed boxes
● How do you pivot
○ SSH
■ Forward Proxy (a SOCKS listener on your local port): ssh -D [Port Number] [user]@[Remote IP]
● Example: ssh -D 9995 [user]@[Remote IP]
■ Reverse Proxy: ssh -R [Remote Port]:localhost:[Local Port] [user]@[Remote IP]
● Example: ssh -R 8081:localhost:3000 [user]@[Remote IP]
● Note: Requires "GatewayPorts yes" in the remote sshd_config
○ ProxyChains
■ Routes any TCP network traffic over the proxy
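The GatewayPorts note deserves a closer look, because it is also the switch that decides how exposed a box is as a pivot. With the default GatewayPorts no, a reverse forward like -R 8081:localhost:3000 listens only on the remote host's loopback; GatewayPorts yes binds it on every interface so the whole network can reach it; clientspecified lets the client pick a bind address. AllowTcpForwarding no (or local) refuses -R forwards outright. The checker below is an added example of mine, not from the talk: it reads an sshd_config fragment the way sshd does (case-insensitive keywords, first occurrence wins, nothing after the first Match line is global) and reports where a reverse forward would end up listening. The two config fragments are constructed for the example.

```python
import re

# Constructed sshd_config fragments: the permissive setting the slide asks for,
# and the default/hardened alternative a box that should not be a pivot would carry.
WEAK_SSHD_CONFIG = """
# reverse forwards become reachable from the whole network
GatewayPorts yes
AllowTcpForwarding yes
"""

HARDENED_SSHD_CONFIG = """
GatewayPorts no
AllowTcpForwarding no
Match User deploy
    AllowTcpForwarding yes
"""

# sshd's own defaults for the two keywords this check cares about
DEFAULTS = {"gatewayports": "no", "allowtcpforwarding": "yes"}


def effective_settings(config_text):
    """Global values as sshd resolves them: keywords are case-insensitive, '=' may
    separate keyword and value, the first occurrence of a keyword wins, and
    directives after the first Match line only apply conditionally."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if key in settings and key not in seen and len(parts) == 2:
            settings[key] = parts[1].strip().lower()
            seen.add(key)
    return settings


def reverse_forward_binds_to(settings, requested_bind=None):
    """Where `ssh -R [bind_address:]port:localhost:lport` would listen on the remote host."""
    if settings["allowtcpforwarding"] in ("no", "local"):
        return "refused (AllowTcpForwarding forbids remote forwards)"
    gp = settings["gatewayports"]
    if gp == "yes":
        return "all interfaces (0.0.0.0 / ::)"
    if gp == "clientspecified":
        return requested_bind or "loopback only (127.0.0.1)"
    return "loopback only (127.0.0.1)"


def dynamic_forward_allowed(settings):
    """Whether `ssh -D` (a local forward) would be accepted at all."""
    return settings["allowtcpforwarding"] in ("yes", "all", "local")


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        s = effective_settings(cfg)
        print(name, s, "-R listens on:", reverse_forward_binds_to(s),
              "| -D allowed:", dynamic_forward_allowed(s))
```

Run effective_settings over a real /etc/ssh/sshd_config to see which of the lab's dual-homed boxes would actually honour the reverse proxy from the slide, and note that the hardened fragment's Match block grants forwarding to one user only, which is why the global answer stays "refused".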
Wrap Up
Recap
● Don't be afraid to learn
● Be aggressive in your scanning
● Keep notes, be organized
● Do your lab report
● Don't use metasploit
● Be really comfortable with basic Buffer Overflows
● Pillage everything
● Hack the planet
Questions?
● @jaredhaight
● [email protected]