Samurai Skills Update #5

While I still haven’t been able to devote nearly as much time as I would like to play in the student labs I still wanted to post another update on how the Samurai Skills course is going for me.

I’ve now watched all of the videos except for the last one on windows exploit development. I’m looking forward to watching it but I want to wait until I have a full day or two to devote to practicing the techniques covered.

On the lab front, it’s a very weird dynamic. I still go long periods of time with little to no progress which is frustrating and leads to a lot of doubt but I also tell myself that I’m light-years ahead of where I was before I started the class.

The student lab network recently got modified so I had to duplicate the enumeration and scanning phase. Before I started the attack-secure course I had already been exposed to Nmap, Nessus, Nikto and Enum from my SANS 504 course. I had run all of these tools on the student network previously and now it was time to run them again. The difference was this time I felt a lot more confident and I ran the scans much more efficiently.

My first step was running an Nmap scan across the entire subnet. That scan identified 20 targets which I then piped into Nessus to start that scan. As soon as the Nessus scan started I cranked out the following quick little bash script to check all of the targets with Nikto.

#!/bin/bash
# Run Nikto against every address in the lab range, one report file per host.
for i in {129..164}
do (cd /pentest/web/nikto/ ; ./nikto.pl -host 172.16.222.$i -output /pentest/web/nikto/student_remix/172_16_222_$i.txt)
done

And a similar script for enum4linux

#!/bin/bash
# Run enum4linux with -M (machine list) against every address in the lab range.
for i in {129..164}
do /root/enum4linux-0.8.8/enum4linux.pl -M 172.16.222.$i
done

These are about the simplest shell scripts imaginable but three months ago I had never written a shell script in my life so I’m proud of them 🙂 Even basic scripts like this can make your Linux life much easier.

I’ve also started being able to spot the low hanging fruit of the ethical hacking world. If Nikto shows that HTTP PUT is allowed, I’ll throw a php web shell or backdoor if the box runs php or use the IIS webdav upload exploit in Metasploit if it’s an IIS box. Once again, about as simple as it gets but it’s still information I didn’t know a few months ago.
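A defender's view of the HTTP PUT finding above, as an added example that is not part of the original post: it scans web access logs for a successful PUT of a server-side script and counts later requests to the same path. The combined log format, the extension list and the sample lines are assumptions constructed for illustration.

```python
import re

# Apache/nginx "combined" access-log line (assumed log format).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Extensions treated as server-side scripts (assumed list; tune per server).
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp")


def find_put_uploads(lines):
    """Return one finding per successful PUT of a server-side script,
    with a count of later successful GET/POST requests to that path."""
    findings = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not parse
        path = m["path"].split("?", 1)[0]  # ignore the query string
        status = int(m["status"])
        if (m["method"] == "PUT" and 200 <= status < 300
                and path.lower().endswith(SCRIPT_EXT)):
            findings[path] = {"path": path, "uploader": m["ip"],
                              "time": m["ts"], "later_hits": 0}
        elif (path in findings and m["method"] in ("GET", "POST")
                and status == 200):
            findings[path]["later_hits"] += 1
    return list(findings.values())


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [12/Nov/2012:10:01:02 +0000] "OPTIONS / HTTP/1.1" 200 0 "-" "-"',
    '192.0.2.10 - - [12/Nov/2012:10:01:09 +0000] "PUT /uploads/test.php HTTP/1.1" 201 0 "-" "-"',
    '192.0.2.10 - - [12/Nov/2012:10:01:15 +0000] "GET /uploads/test.php?x=1 HTTP/1.1" 200 312 "-" "-"',
    '192.0.2.44 - - [12/Nov/2012:10:02:00 +0000] "PUT /uploads/notes.txt HTTP/1.1" 201 0 "-" "-"',
    '192.0.2.45 - - [12/Nov/2012:10:03:00 +0000] "PUT /admin/x.php HTTP/1.1" 405 0 "-" "-"',
]

if __name__ == "__main__":
    for f in find_put_uploads(SAMPLE):
        print(f"{f['time']} {f['uploader']} PUT {f['path']} "
              f"(requested {f['later_hits']} time(s) afterwards)")
```

A finding with a non-zero `later_hits` is the one to triage first, since it means the uploaded script was requested after it landed.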

I’ve also been able to acquire shell on several boxes where a CMS allows me to upload a file (perhaps as part of a comment or post) or modify a file (a little php backdoor code in a WordPress theme never hurt).

I’m still not great at popping shells but even when I do get a shell I’m horrible at Linux privilege escalation. Most exploits you stumble across on the internet require you to modify them to get them to work on your machine and I don’t have enough knowledge in that area to determine what to modify yet.

I have started running ‘ps aux’ on any Linux shell I get to see what programs are running as root but I only know how to exploit a few of them if I find them like MySQL. I understand the basics of why SUID is important but not quite enough to make it work for me yet.

As I stated earlier it’s a weird feeling when you aren’t making much progress but deep down you know you’re learning. I keep failing, but I’m failing better and better every day.

I’m Now Network+ Certified

The news is a few weeks late (I’ve been swamped with a few projects) but I’m now Network+ certified. The cert was a little anti-climactic after the GCIH exam but it’s one of the baseline certs that I wanted to get out of the way.

I’ve had several people ask me why I bothered to get certs like A+ and Net+ after possessing higher level certs such as GCFA and GCIH. My answer was that I got started late and I skipped over a lot of the “basics”.

I’ve been messing with computers my whole life and for several years the duties at my job revolved around programming, data mining from SQL databases etc. Despite this I was never a systems administrator or network technician and while I’ve developed and run simple databases I was never a real DBA.

I’ve found that when taking “higher level” courses, a lot of the knowledge one would acquire from doing jobs such as a systems administrator is assumed. I haven’t run into any problems yet but I wanted to be proactive in trying to fill in any knowledge holes. I’m planning on taking my GSEC and SEC+ early in 2013 to try to round out what I feel I need for a “knowledge baseline”.

Violent Python Quick Thoughts

I eagerly pre-ordered the book Violent Python and while I’ve only had a chance to go completely through chapter 1 and pick through chapter 6, I wanted to write a quick post with my thoughts on the book.

Chapter one is called introduction to Python and while the author starts off showing an example of a list, of a dictionary etc. the content quickly escalates into projects it has you work on. I’ve done a tiny bit of python coding in the past but my python was extremely rusty. Chapter one definitely helped shake the rust off.

What chapter one would not be good for is teaching someone python that has no programming experience whatsoever. One perfect example is that the indentation that is such a fundamental part of python is never addressed. That could be awfully confusing to someone with zero experience. I understand people with zero programming experience are not the target demographic for a book like this; it’s just one caveat to consider before recommending the book. I’ve already recommended the book to multiple people but there are a few I haven’t recommended it to because I think they would experience some frustration due to their lack of experience.

The old recommendation would be to get an introduction to python book first but I’m not sure that’s necessary anymore. There are enough websites out there with free “learn python” courses out there that do a fantastic job on getting people started. Spending a few hours with one of those courses getting comfortable with python syntax, loops, basic libraries etc. would prepare someone to start Violent Python.

If you’re at all interested in the content contained in Violent Python the book is a must read. I had a blast creating and then modifying the projects in chapter one and then I jumped to chapter 6 to help me with a web scraping project I needed to write. The book has been fantastic and I’ll be making several more posts about it but I wanted to get some quick thoughts “down on paper”.