Samurai Skills Update #6 – Review

After popping shell on almost every box in the Attack-Secure student lab I finally got shell on the computer which held the key.txt file which had the hash I needed to earn my Attack-Secure Penetration Tester (AS|PT) certificate.  I went to bed with a smile that was still plastered on my face when I woke up 🙂

I still have a bit of unfinished business in the lab that I’d like to clean up and I still haven’t watched the 8th and final video of the series (exploit development) but I can give my opinion on what I have seen and experienced.

Attack-Secure.com is relatively new to the penetration tester training market but the instructor Mohamed Ramadan has proven his skills by collecting several valuable “bug bounties” including finding a flaw in the Facebook app on the iPhone.

Before I give my thoughts about the course, let me answer two questions that I’ve been asked about the course.

Q: Is the AS|PT certification recognized by employers?

A: Probably not at this time but I wouldn’t be surprised if it is more recognized in the near future as more and more people are exposed to the course.

If you already have penetration testing skills and are just looking for a certificate to help you get a job, then the CEH is probably the way to go. I didn’t have those skills and wanted to learn them so this course was perfect for me.

As a result of taking this course, I don’t think I’ll have any problems passing the CEH exam. Most importantly, as a result of taking this course I now kind of know what I’m doing.

Q: How is the English in the instructional videos?

A: It never bothered me but you don’t have to take my word for it, you can check it out for yourself for free. Mohamed has a one hour YouTube video of him hacking the Kioptrix 4 distro at http://www.youtube.com/watch?feature=player_embedded&v=SR7tmgDloIA .

I watched a good chunk of the video before I signed up for the course and it gave me an idea of what to expect in the course videos. The videos have a “live and unedited” feel which I personally love. I really felt like I was sitting behind Mohamed and looking over his shoulder as he demonstrated these techniques. Because the videos show the tools running in real time instead of just cutting to the results I was able to get a feel for how long tools take and what results I could expect.

With those two questions out of the way, here are my thoughts on the course: it rocks!

The Attack-Secure Samurai Skills course is the best value I’ve ever received for any technical training. I bought the course during one of the 50% off sales so for a little under $400 I got 17 hours of instructional videos, corresponding PDFs AND 90 days of lab time to run all of the tools I needed to learn and practice the techniques I needed to practice. That is a ridiculously good value.

Speaking of the 90 days of lab time... When I saw the 50% off sale I decided that it was a no risk opportunity and worst case, I was out $400. I had some other stuff going on in my life (all positive) so when I signed up I asked Mohamed if I could please receive the materials now but delay my 90 days of lab time until I had time to utilize it. He responded right away with “Absolutely, just shoot me an email when you’d like me to start your lab time.”

That experience was the first of many times that I found Mohamed knowledgeable, responsive, friendly and helpful. Not “Run exploit XXX” helpful, just “keep trying, you’ll get it” helpful. When I sent emails asking for boxes in the lab to be reset, I would sometimes get a response within minutes. It took a bit longer sometimes but we’re on opposite sides of the earth and the man needs to sleep sometime 🙂

I had a blast doing this course, learned a ton and will be at the front of the line to get the upcoming “Ninja Skills” course.

If you’re in the same situation I was (heavy on desire, light on skills) then watch the video I linked above. If you like that style of demonstration then do yourself a favor and sign up. You’ll get a lot more videos and a place to work on your new found samurai skills.

I’ll post an update of the exploit development section as soon as I watch them. If you have any specific questions about my experience with the course, feel free to ask them here and I’ll do my best to answer them.

Telling sqlmap to Try Harder

When I first started learning about penetration testing sqlmap quickly became one of my favorite tools. For those who haven’t used it, sqlmap is a command line tool which automates the detection and exploitation of SQL injection flaws.

I started by feeding sqlmap URLs which contain a variable in the query string. The command for a URL like this is:

./sqlmap.py -u "http://172.16.222.100/gallery/gallery.php?id=null"

Once the command is run sqlmap will automatically try a variety of SQL injection techniques to find vulnerabilities. If it finds a vulnerability it will ask you if it can stop. Once you say yes, you can rerun sqlmap with a variety of different options which can do everything from attempting to use the injection vulnerability to give you a shell to using the vulnerability to dump all of the information from the database. If you’re dumping a database and sqlmap recognizes password hashes it will even ask you if you’d like it to try to crack the passwords.

After I had already fallen in love with sqlmap I started to notice that quite a few websites didn’t have the variables in the URL as they were using POST instead of GET. That forced me to slightly broaden my repertoire and insert Burp Suite into the mix.

Burp Suite has a ton of functions (most of which I’m not familiar with yet) but its main function is acting as an intercepting proxy between your web browser and the website it’s viewing. By starting up Burp Suite and telling your web browser to send all traffic through Burp Suite (usually done by pointing the browser’s proxy settings at port 8080) Burp Suite will then act as a middle man and capture all of the traffic routed through it, including traffic that would otherwise not be seen in the URL, such as the body of an HTTP POST request.

Once you have the data from the POST request then you can incorporate that information into your sqlmap request with the --data option like this:

./sqlmap.py -u http://172.16.222.200 --data="uname=admin&psw=adminuser&btnLogin=Login"
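To show what sqlmap is actually probing for behind a login form like the one in that POST body, here is an added example that is not part of the original post or of sqlmap: a toy login check written two ways, once with the form values pasted straight into the SQL string and once with bound parameters. The users table, the column names (taken from the uname and psw form fields above) and the credentials are constructed; it uses an in-memory SQLite database in place of the lab’s MySQL server, but the parameterization point is the same for both.

```python
import sqlite3


def build_db():
    """Constructed in-memory users table standing in for the lab's login backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uname TEXT, psw TEXT)")
    # Plaintext password kept only so the row matches the form fields on the page;
    # a real application would store a salted hash.
    conn.execute("INSERT INTO users VALUES ('admin', 'adminuser')")
    conn.commit()
    return conn


def login_vulnerable(conn, uname, psw):
    """Builds the query by string formatting, so the form values are parsed as SQL.

    This is the flaw sqlmap is looking for: a quote in either field changes the
    query's structure instead of being compared as data.
    """
    sql = "SELECT uname FROM users WHERE uname = '%s' AND psw = '%s'" % (uname, psw)
    row = conn.execute(sql).fetchone()
    return row is not None


def login_parameterized(conn, uname, psw):
    """Same query with bound parameters; the driver sends the values separately
    from the SQL text, so they can never alter the statement."""
    sql = "SELECT uname FROM users WHERE uname = ? AND psw = ?"
    row = conn.execute(sql, (uname, psw)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = build_db()
    # Constructed boolean-style probe: a value that turns the WHERE clause into a tautology.
    probe = "' OR '1'='1"
    print("vulnerable, real password:   ", login_vulnerable(db, "admin", "adminuser"))
    print("vulnerable, tautology probe: ", login_vulnerable(db, "admin", probe))
    print("parameterized, real password:", login_parameterized(db, "admin", "adminuser"))
    print("parameterized, same probe:   ", login_parameterized(db, "admin", probe))
```

The vulnerable function returns True for the probe value because the statement becomes `... AND psw = '' OR '1'='1'`, which matches every row; the parameterized version compares the literal string `' OR '1'='1` against the stored password and returns False. When sqlmap reports a boolean-based injection on a login form, this difference in behaviour between a true and a false condition is what it has detected, and moving to bound parameters is the fix.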

If sqlmap finds a SQL injection vulnerability from this command, great, but mine did not. The first thing I tacked on was to specify which database the web application is using with the --dbms option like this:

./sqlmap.py -u http://172.16.222.200 --data="uname=admin&psw=adminuser&btnLogin=Login" --dbms=mysql

Sqlmap then knows to A: not waste its time with payloads designed for other database systems and B: format generic payloads to be MySQL specific.

How would you know what database a web application was using? Methods I’ve been able to use so far are:

  • Forcing a bunch of junk data into an input field to get an error. The error will usually give away which database system is being used.
  • Check the nmap scan results to see which services were identified as it will often discover the database server.
  • Make an educated guess based upon OS fingerprinting.

Even with me specifying that the database was MySQL sqlmap still wasn’t able to find an SQL injection vulnerability.

My next option was to tell sqlmap (to borrow a phrase from Offensive Security) to “try harder” by adding a level argument:

./sqlmap.py -u http://172.16.222.200 --data="uname=admin&psw=adminuser&btnLogin=Login" --dbms=mysql --level=5

This literally makes sqlmap try harder. For example, by default sqlmap checks for MySQL UNION queries with 1-10 columns. By adding --level=5 sqlmap goes all the way to 50 columns. I’ve already found one database that wasn’t compromised until the 40-50 column scan.

Even after all of this sqlmap STILL didn’t find a SQL injection vulnerability. I ended up trying one last thing: I used the --risk option to tell sqlmap to go ahead and run “riskier” payloads in an attempt to find vulnerabilities. The option is used just like --level:

./sqlmap.py -u http://172.16.222.200 --data="uname=admin&psw=adminuser&btnLogin=Login" --dbms=mysql --level=5 --risk=3

FINALLY after a lengthy scan sqlmap found a sql injection vulnerability on this system and I was up and running. The level and risk arguments can make the scan take A LOT longer but if you have the time they’re well worth trying. They don’t work every time but they’ve worked often enough for me to keep on using them.
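The flip side of those lengthy --level/--risk scans is that they leave a very visible trail on the server. As an added example that is not part of the original post or of sqlmap, here is a small log review script that walks Apache-style access log lines, URL-decodes each request, and flags clients that send repeated UNION ... SELECT probes with a growing NULL column count (the column-walking behaviour described above) or that identify themselves with a scanner User-Agent. The log lines, IP addresses, timestamps and the User-Agent string are all constructed approximations of what such traffic looks like, not a capture of sqlmap’s real requests. Note that a standard access log only records the URL, so injection sent in a POST body (the --data case above) will not show up here; you would need request-body logging or a proxy in front of the application to see that.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines (sample data, not captured from the lab).
# 172.16.222.50 walks UNION column counts with a scanner-style User-Agent;
# 172.16.222.1 is ordinary browsing.
SAMPLE_LOG = """\
172.16.222.1 - - [10/Oct/2013:10:00:01 -0500] "GET /gallery/gallery.php?id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
172.16.222.50 - - [10/Oct/2013:10:00:02 -0500] "GET /gallery/gallery.php?id=null%20UNION%20ALL%20SELECT%20NULL-- HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
172.16.222.50 - - [10/Oct/2013:10:00:03 -0500] "GET /gallery/gallery.php?id=null%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
172.16.222.50 - - [10/Oct/2013:10:00:04 -0500] "GET /gallery/gallery.php?id=null%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL-- HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
172.16.222.1 - - [10/Oct/2013:10:00:05 -0500] "GET /gallery/gallery.php?id=4 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
UNION_RE = re.compile(r'\bUNION\b.*?\bSELECT\b', re.IGNORECASE)


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def union_column_count(path):
    """Number of NULL placeholders after a UNION ... SELECT in the decoded request,
    or 0 when the request carries no such probe."""
    decoded = unquote_plus(path)
    m = UNION_RE.search(decoded)
    if not m:
        return 0
    return len(re.findall(r'\bNULL\b', decoded[m.end():], re.IGNORECASE))


def summarize(log_text):
    """Per-client counters: total requests, UNION probes seen, widest probe, scanner UA."""
    per_ip = defaultdict(lambda: {"requests": 0, "union_probes": 0,
                                  "max_columns": 0, "scanner_ua": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        cols = union_column_count(rec["path"])
        if cols:
            s["union_probes"] += 1
            s["max_columns"] = max(s["max_columns"], cols)
        if "sqlmap" in rec["ua"].lower():
            s["scanner_ua"] = True
    return dict(per_ip)


def suspicious_ips(summary, min_probes=2):
    """Clients worth a closer look: repeated UNION probes or a scanner User-Agent."""
    return sorted(ip for ip, s in summary.items()
                  if s["union_probes"] >= min_probes or s["scanner_ua"])


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, s in summary.items():
        print(ip, s)
    print("suspicious:", suspicious_ips(summary))
```

Matching on the User-Agent alone is weak, since it is trivially changed on the client side; the column-count signal (many near-identical requests from one client that differ only in the number of NULLs) is the more durable indicator of the level 5 column walk, and the same per-client counting can be pointed at other payload families if you extend UNION_RE.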