Samurai Skills Update #4

Between work, the holiday and other demands on my time (I’ve got another cert test coming up this week) I haven’t had a ton of time to play around in the attack-secure student labs but I wanted to give a quick update.

Video seven (there are eight total) is a five hour monster which I’m about two hours into so I’m getting close to the end of the videos.

My wife had to work on a late night project Thanksgiving evening so I had a few ‘free’ hours which I spent playing around in the lab. I decided to go SQL injection hunting and ended up finding a box which looked promising. I fired up the command line tool ‘sqlmap’ and fed it a tasty looking URL. Within a minute sqlmap came back and confirmed that the web app was indeed vulnerable to a SQL injection attack.

I was able to use sqlmap to enumerate the databases, to dump the content and even crack a password hash found in one of the databases.

NOTE: The initial password cracking attempt of sqlmap only takes a minute or so but when sqlmap asks you if you want to try common suffixes for the passwords and warns you that it will be slow, it means S L O W. I sat there for an hour wishing I had not pressed yes but not wanting to cancel the process.

I took the file grabbing options of sqlmap for a test drive and downloaded the /etc/passwd and /etc/hosts files. I tried to grab the /etc/shadow file but didn’t have rights to the file.

I ran into a hiccup trying to obtain shell using sqlmap and haven’t had a chance to go play on the box more but hopefully I can parlay progress on that box into shell and root.

As usual, the videos were quite helpful on this one. The penetration testing field requires a ton of Google searching and there are a lot of free video resources on sites like security tube but it’s still nice to have a course like this which is laid out in logical manor and lets you watch the tool being used while you listen to the author explain what’s happening.

I’ve learned a ton from the videos (with a ton more to learn) but the labs have remained the big draw for me. Having a student network to play in and work on my skills has been awesome.

There is a huge difference in knowing what an attack or a process is and actually trying to get it to work on a box. I’m not where I want to be yet but I’m very happy with the progress I’m making.

SANS Index How To Guide with Pictures

I got some great advice recently on creating an index for SANS exams and I wanted to write a blog post to share it with others.

I took the SANS FOR 508 Computer Forensics course in 2008. It was way over my head but I had a great time and learned a ton. A few months ago I finally decided to go for my GCFA certification. I had four year old material from a course that had been completely revamped and no index. I passed the exam with a score in the 80s but it was a grueling experience. I had to rush on the last part of the exam and never felt comfortable.

A few months after my GCFA exam I got an opportunity to attend a SANS SEC 504 class. I really wanted to prepare for my GCIH exam the right way so while I was at the conference I asked several individuals how they prepared their index.

Most people told me that their indexes were 8-10 pages. A lot of these people had more SANS certs than I have friends so their methods obviously worked for them. My class had a teaching assistant (also SANS mentor) named Neal Bridges who gave me some slightly different advice. Neal said that he tells his students that a 10 page index is a recipe for failure unless you’re a super genius. A bit tongue in cheek? Probably, but I’m so far from being a super genius that I needed all the help I can get.

When I asked Neal how long he thought an index should be he replied “fifty pages” without blinking. I followed up with a question on how he formatted his indexes and he offered to have his wife bring one of his when she came into town the next day.

The next day he showed me a copy of his GSEC index and I was impressed. It was close to 50 pages and had been professionally bound at Kinkos. I promised myself that I would put together an index like that for my GCIH exam.

Putting together a comprehensive index proved to be an incredible time investment but as I was going book by book putting it together I was also learning.

I went through the course via On Demand from Ed Skoudis and in person from John Strand. Even after double exposure from two of the best instructors in the world that third exposure to the material (from the books) really helped solidify a few of the concepts. At first I thought that was weird but when you look at the sheer volume of information covered in the course it makes sense. Also, since a lot of the material was new to me my learning went from exposure to concepts to specifics.

I ended up getting a 94 on my GCIH exam which I was obviously thrilled with and I think the index (both preparation and usage) was a big reason why.

My index ended up being 31 pages I created plus a few pages I copied (IvP4 breakdown etc. type stuff) tacked onto the end in a “misc.” section. My created content was broken down into two big sections (main and tools) and two small sections (windows commands and Linux commands).

The main section consisted of both items and concepts. If something wasn’t a tool or a windows or Linux command, it went in this section.

The tools section is self-explanatory. Any tool mentioned in a book went in here. If they mention a functionality and then listed 7 tools, all 7 tools went into this section.

The windows commands and Linux commands are also self-explanatory. I listed the commands, a brief description and sometimes a command line example. Any examples I made bold.

Getting a quick look at someone else’s SANS index (even though it was for a different course) really helped me out so here are a few pictures of mine.

Front:

SANS index cover example

Side:

side of SANS GCIH index

Main:

GIAC index example

Tools:

SANS tool index

Linux commands:

GSEC or GCIH index example

If you’ve taken a few GIAC tests and have had good results, then by all means keep doing what you’re doing. But if you have your first SANS/GIAC exam coming up and feel like you could use a little extra help, I would seriously consider taking the time to make a comprehensive index. You’ll be glad you did for many reasons.

NOTE: I am unable to provide copies of this index so please do not ask. This post is meant solely to help students who have never seen an in-depth index get a feel for how they could design one of their own.

GCIH Passed

I’m a few days late in posting this but last Monday I passed my GCIH exam with a 94. SANS advisory board here I come!!!

I watched the course in the On Demand format taught by Ed Skoudis and attended the live training taught by John Strand. It was very time consuming but well worth it to get the material from two world class instructors with different points of view.

The key to my high score was taking some great advice from a SANS teaching assistant & mentor named Neal Bridges who encouraged me to make a detailed (mine ended up around 30 pages) index and was kind enough to show me his GSEC index so I had an idea on how to format mine. I’ll write up a blog post soon where I’ll discuss my index and show a few samples.

 

 

Samurai Skills Update #3

I’m in the final stages of studying for a certification test so I haven’t had a chance to watch many of the attack-secure videos yet but on the advice of the course creator I did make time to go watch the section on exploiting Unix systems to look for tips to get into my problem box and I ended up finding exactly what I needed to get root on that system.

Also, Mohamed THANK YOU for putting “prepare to be frustrated” on the slide talking about trying to get privilege escalation running on a Linux box. I’m glad to know I’m not the only one who’s spent hours trying to acquire root only to end the day unsuccessful.

While I’ve been unable (so far) to escalate my privileges locally on the box from shell, I was able to use another exploit to remotely provide me a root shell. The answer was to take a more holistic approach to examining vulnerabilities.

A Nessus scan report of the box in question revealed a samba weakness on port 445. The report was also kind enough to tell me which Metasploit exploit to use on the server. I tried that exploit multiple times and was greeted with a message notifying me that the system I was trying to hack into wasn’t susceptible to that exploit. After that I chalked up that exploit as “not working” and moved on to the next listed vulnerability. BIG mistake.

Now that I’ve told you what I did (aka, the wrong way), I’ll tell you what I should have done.

I was right to run Nessus. I was right to try the exploit that it recommended. I was wrong to move on after that didn’t work. What I should have done was remind myself that the box DID have a samba service running on that port, and realize that it was probably worth my time to type “search samba” into Metasploit and look for other samba exploits to try. There was a multi-platform exploit listed as excellent that dropped me straight into a root shell first try.

A small part of my felt like a chump for not thinking of that on my own, a bigger part of me was happy that I’m learning. After spending all of those hours earlier, that is a lesson I won’t soon forget.

So far I’m very happy with the course content, the support and the practice network. They’re providing a great value for the price.

Samurai Skills Update #2

I’ve now had a few days to ‘play’ with the Samurai Skills course online hacking lab and I wanted to post some early thoughts.

I’ve found the labs both awesome and frustrating. Awesome because it’s nice to have a network to test all of my new-found ethical hacking knowledge on. Frustrating because my knowledge isn’t where I want it to be yet so I found myself spinning my wheels for a few hours this afternoon trying to get various privilege escalations running on a Linux box.

My first act upon receiving access to the “student network” (the easiest of the three networks in the lab) was to run an Nmap scan. The scan showed about two dozen machines running a mix of operating systems.

My next step was to run a Nessus scan to look for vulnerabilities on the machines Nmap found. There were quite a few exploits found on some of the systems so I picked a juicy looking windows box and decided it would be target number one.

I combed through the Nessus report on that box looking for vulnerabilities which had exploits available in Metasploit. I tried a few different exploits which all failed but finally hit on one which after a few seconds popped up the prompt every penetration tester dreams of, meterpreter.

For those new to ethical hacking & penetration testing, meterpreter is a payload in Metasploit which gives you a ton of great options (dumping password hashes in Windows, obtaining shell etc.). My first meterpreter command was dumping the password hashes on the target machine and then firing up John the Ripper on my computer while I obtained shell on the target machine and poked around.

My first hacking session ended on an incredible high note.

Last night I decided to target a Linux box. After trying (and failing) to get several exploits to work I finally picked one which targeted a vulnerable web application hosted on the machine and was able to get meterpreter running on that machine. All was well in hacking land, or so I thought…..

My first act was grabbing the contents of the “passwd” file. The file showed quite a few accounts. I didn’t expect to be able to view the contents of the shadow file but I had to try. That didn’t work. Why? The application I exploited wasn’t running as root so when broke out of that application and into shell, I was running as that user and not root. I went to bed last night figuring I would wake up in the morning and get my privilege escalation on.

After a nice breakfast out with my wife I came back to watch football and try to get root on that Linux box. While I was half paying attention to the football games on TV, I was also going through exploit-db.com and trying to find some privilege escalation code (mostly c) which I could get running on the machine. I tried around a dozen different attacks, all appropriate for the kernel version my target machine was running but I couldn’t get any of them to work.

A few wouldn’t compile, a few needed services which weren’t on the target machine and a few just plain didn’t work. It was very frustrating to spend several hours trying to accomplish something and finally stop (due to other obligations, not frustration) without having made any progress.

The only good thing about my experience this afternoon was that I knew exactly what needed to be done, I researched correctly, had no problems getting the code onto my target machine, was able to compile several of the exploits (no small achievement for a lifelong Windows guy).

While I take all of this for granted now, I would have had no idea what to do several months ago. I feel like I’ve learned so much and I’m only getting started. Still, I’m in the same situation I was in last night. I have a funny feeling I may be skipping ahead to the privilege exploitation video of the course very soon 🙂