PWK/OSCP – Stack Buffer Overflow Practice

When I started PWK, I initially only signed up for 1 month access. I was putting in a huge amount of time in the labs, learning what I thought would be enough to get through the exam, without completing the buffer overflow section of the exam.

I was scared of buffer overflows, all that hex and assembly, shellcode, memory addresses, endianness… I tried to skip it.


OSCP Exam – Preparation, Exam Day & Report Day

In December 2016 I set the goal of achieving the OSCP certification by the end of June 2017. I have been in a development role at my current employer for 8 years – they’ve been incredibly good to me and I love working there – but I want to move into more of a security-focussed role, so I figured I would need a serious certification to achieve this. I’d love to stay with the employer I am with, and our current security team has said my skillset is such that I complement their skills, and would be great to assist our other developers with security.

This week I achieved that goal!


Try Harder. No, harder! Keep going… TRY HARDER!

Try Harder! It sounds like an annoying catch phrase, doesn’t it? I thought the same, when I started PWK in January.

I thought that you do, or you do not. There is no try.

Well, having now completed my OSCP exam and lab report and having been granted the OSCP certification, I now know there is no do – there is only TRY HARDER!

“Try Harder” is a hard concept to explain. It’s probably even a very individual concept to each person who does the certification – but I know for certain that the PWK labs and the OSCP certification exam challenged me more in a short period of time than just about anything else in my professional career!

I’ve done some challenging things as a developer. Designing a secure solution for single sign-on from a custom mobile application into another custom application was challenging. Designing a protocol to allow a staff member to emulate student access to a major system in an afternoon was challenging. But, these were challenging in a different way. At 3pm in the afternoon after documenting the protocol for HMAC data validation in a custom mobile application, if I get tired, and assuming I have managed my time correctly, I can task-switch to something else for the rest of the day to give the grey matter a break.

That’s challenging. Putting yourself in the mindset of an attacker for hours on end, considering what they could see on the wire, what the protocols in use are, what known weaknesses the protocols have and how they can be mitigated – that’s all pretty challenging stuff. It’s also a place I thrive in!

Then 5pm comes along – and off to the pub you go. It simmers in the back of your mind over the weekend, but not much more thought is given than that.

But PWK and the OSCP exam take the concept of challenging to a whole other level. 24 hour exam. 5 hosts. 70 points required. Metasploit on one host only. No commercial tools. But, then it’s not over. Not by a long shot. You then have 24 hours to prepare and submit your lab & exam report. This in itself is a tough challenge, and if you’re also submitting your 10 lab hosts you’d better make sure they’re finished BEFORE you need to document your 5 lab hosts!

The OSCP exam itself isn’t just a penetration testing challenge, it’s a test of your stamina. It’s a test of your preparation. It’s a test of your time management skills.

It is a test of YOU.

It gets tough.

It gets really tough.

But, if your preparation is right, if your skills are on, and if the luck is with you – it all falls into place.

But. Here’s the thing. It only falls into place if you…

TRY HARDER!

It’s kind of intangible. It’s hard to explain.

If you’re considering doing PWK, you’ll just have to jump in and find out for yourself.


Running Keepnote on OS-X/macOS.

I sat down tonight to work on my PWK/OSCP lab report (Yeah, I’ve been doing PWK!) before my upcoming exam, and intended to use Microsoft Word on my Mac to write it up in, just because I’m familiar with it. But, of course, all my notes are in Keepnote which runs on Kali.

Sure, I can run Kali in a VM on my laptop, and I actually already do, but I don’t at all fancy wrangling with cross-VM copy/paste etc. Sure, my data is stored in a synced cloud service, so it’s actually already even available on my macOS drive anyway, but, it would be nice to just use Keepnote natively to access the notes.

Turned out there are a couple of hoops to jump through, to be expected I suppose – as unfortunately Keepnote appears to be all but abandoned, given the latest version is from 2012.

I found some details at highon.coffee, which were a good start. Unfortunately, there was perhaps already a dependency installed on the laptop used there, or perhaps Brew has just changed that much, that the dependencies suggested didn’t work for me.

I used the first couple of suggestions, but needed to work out an issue with Glade missing from pygtk. A couple of Googles later, I had it worked out. The updated pygtk install command required is:

brew install --verbose pygtk --with-libglade

Possibly the .dmg installed on highon.coffee provided glade, but brew doesn’t. Not sure… Anyway, Keepnote works on macOS 🙂

I’m intending to blog once a week once I’m done with OSCP, but we’ll see how that goes. Hopefully I will be certified OSCP by July, which was my goal when I signed up at the start of the year 🙂


SecTalks 0x05 – December Meeting – Modern Honey Net

I did a short presentation at SecTalks Adelaide 0x05 on December 7th.

It honestly wasn’t anything too groundbreaking, but I have enjoyed running an SSH honeypot so far; I really enjoy the fact I’m collecting malware and submitting it to VirusTotal. So far I have about 35 malware samples that VT didn’t know about that I have submitted! Every little bit helps!

Here are my slides: ModernHoneyNet

Google Dork; WordPress debug.log

This is an epic sigh, failure moment.


According to the documentation, WordPress allows the setup of debugging to a file, when issues are encountered inside the software. All well and good, I’d expect that. What I wouldn’t expect is for the file it dumps the data into – wp-content/debug.log, sitting inside the web root and served like any other file – to be WORLD READABLE!

But I suppose this is WordPress, and they’re well known for doing dumb shit like this constantly.

Google Dork: https://google.com/search?q=inurl:wp-content/debug.log

If you run WordPress, please make sure this file is not world-readable – please protect it with your Apache/Nginx/IIS config – don’t rely on it not being visible in a directory list!

I’ve submitted this to exploit-db and their Google Hacking database.
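As an added example (not part of the original post, and not WordPress’s own tooling), here is a small POSIX shell audit of the situation described above: it checks whether wp-config.php enables WP_DEBUG_LOG, whether wp-content/debug.log is actually present, and whether wp-content/.htaccess already blocks it, and it can append an Apache 2.4 `<Files>` rule that refuses every request for the log. The install path and .htaccess layout are assumptions (an Apache setup that honours .htaccess); nginx/IIS users need the equivalent location or request-filtering rule in their server config instead.

```shell
#!/bin/sh
# Added example: audit a WordPress install for an exposed wp-content/debug.log.
# Assumption: Apache with .htaccess enabled; $1 is the WordPress root directory.

# Does wp-config.php turn on logging to wp-content/debug.log?
# Returns 0 when WP_DEBUG_LOG is defined as true, 1 otherwise.
wp_debug_log_enabled() {
    wp_root="$1"
    grep -Eq "define\\([[:space:]]*['\"]WP_DEBUG_LOG['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\\)" \
        "$wp_root/wp-config.php"
}

# Is there already an .htaccess rule in wp-content mentioning debug.log?
# Returns 0 when a rule exists, 1 otherwise.
debug_log_blocked() {
    ht="$1/wp-content/.htaccess"
    [ -f "$ht" ] && grep -q 'debug\.log' "$ht"
}

# Verdict: 0 = the log file exists and nothing blocks it (exposed), 1 = fine.
debug_log_exposed() {
    wp_root="$1"
    if [ -f "$wp_root/wp-content/debug.log" ] && ! debug_log_blocked "$wp_root"; then
        return 0
    fi
    return 1
}

# Append an Apache 2.4 block that denies every request for debug.log.
# (On Apache 2.2 the equivalent is "Order allow,deny" / "Deny from all".)
block_debug_log() {
    ht="$1/wp-content/.htaccess"
    cat >> "$ht" <<'EOF'
# Block direct access to the WordPress debug log (added by audit script)
<Files "debug.log">
    Require all denied
</Files>
EOF
}

# Usage: ./wp-debuglog-audit.sh /var/www/html [--fix]
# Only acts when a path is given, so sourcing the file defines the functions only.
if [ -n "${1:-}" ]; then
    if wp_debug_log_enabled "$1"; then
        echo "WP_DEBUG_LOG is enabled in $1/wp-config.php"
    fi
    if debug_log_exposed "$1"; then
        echo "EXPOSED: $1/wp-content/debug.log exists and is not blocked"
        if [ "${2:-}" = "--fix" ]; then
            block_debug_log "$1" && echo "added deny rule to $1/wp-content/.htaccess"
        fi
    else
        echo "OK: no unprotected debug.log found under $1/wp-content"
    fi
fi
```

The .htaccess check is deliberately loose (any mention of debug.log counts), so treat a "blocked" verdict as a prompt to read the rule, not as proof; the reliable test remains requesting /wp-content/debug.log from outside and expecting a 403 or 404.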

Belgian Saison, with Brettanomyces

After really enjoying the last “vanilla”(i.e. Saison yeast only) Belgian Saison I brewed, I took more of a dive into the commercial beers available in this style. There are a range of reasonably common Belgian Saisons available here; De Ranke and Dupont to name a couple, and a few from American breweries like Golden Road can be found occasionally along side Australian breweries like Bridge Road Brewers who are now also dabbling in the funkier end of the spectrum.

Unfortunately I’ve not yet had the guts to spend $35+ AUD on the bottles of Jester King that are available here, though I’m sure they will be awesome.


Sentraq S60x – Massdrop

Picked up this awesome little keyboard recently via Massdrop. Typically it took a while to get here, but it’s everything I wanted 😀


I wanted clicky keys so I picked Cherry Blues. Yep. It’s clicky! Very clicky! Such a pleasurable experience typing on it. Anyway it’s billed as ‘entry level’ but Massdrop unfortunately don’t provide anything in the way of instructions or anything to assist in building or flashing firmware.

Luckily I found some images on geekhack which helped with the mounting of the stabilisers. The key is to do these FIRST, before you start soldering, or you’re in trouble… Also, make sure you click the wire bit into the plastic bit (if you build the kit, you’ll see what I mean) or you’ll be in a world of pain.

Next… Flashing. If you’re like me and use Linux at home, you’ll need to do this – especially if you use ‘vi’ – as the default firmware doesn’t have an ‘esc’ key mapped! That makes exiting vi, err, tricky.

To flash a new layout on Linux:
Install dfu-programmer via your favourite package manager.
Connect keyboard. Hold button for 5 seconds.
‘lsusb’ should show the keyboard in DFU bootloader mode: Bus 003 Device 020: ID 03eb:2ff4 Atmel Corp. atmega32u4 DFU bootloader
sudo dfu-programmer atmega32u4 erase
sudo dfu-programmer atmega32u4 flash <your .hex file>
sudo dfu-programmer atmega32u4 reset (or, unplug and replug – worked ok for me)
Done
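The flashing steps above, as an added example script (mine, not from the post or from Massdrop/Sentraq): it refuses to erase the chip unless lsusb actually lists the atmega32u4 DFU bootloader (ID 03eb:2ff4, from the lsusb line above) and the supplied firmware looks like an Intel HEX file, which stops an accidental erase with a wrong or missing .hex. It assumes dfu-programmer and lsusb are installed on the Linux box, and the script name and argument order are my own.

```shell
#!/bin/sh
# Added example: the dfu-programmer flashing procedure with sanity checks.
# Assumes dfu-programmer and lsusb are installed (Linux, as in the post).

DFU_ID="03eb:2ff4"   # Atmel atmega32u4 DFU bootloader, per the lsusb line in the post

# Given lsusb output as $1, succeed (0) if the DFU bootloader is listed.
in_dfu_mode() {
    printf '%s\n' "$1" | grep -q "ID $DFU_ID"
}

# The firmware must exist, be non-empty and look like Intel HEX:
# every non-blank line starts with ':'.
valid_hex_file() {
    [ -f "$1" ] && [ -s "$1" ] && ! grep -Eqv '^(:|$)' "$1"
}

# Erase, flash and reset, but only after both checks pass.
flash_keyboard() {
    hex="$1"
    if ! valid_hex_file "$hex"; then
        echo "refusing to flash: '$hex' is not an Intel HEX file" >&2
        return 1
    fi
    if ! in_dfu_mode "$(lsusb)"; then
        echo "keyboard not in DFU mode: hold the button ~5 s and retry" >&2
        return 1
    fi
    sudo dfu-programmer atmega32u4 erase &&
    sudo dfu-programmer atmega32u4 flash "$hex" &&
    sudo dfu-programmer atmega32u4 reset   # or unplug/replug, as in the post
}

# Usage: ./flash-s60x.sh layout.hex
# Only acts when a file is given, so the functions can be sourced safely.
if [ -n "${1:-}" ]; then
    flash_keyboard "$1"
fi
```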

DEFCON 2017

Yes, I said 2017. DEFCON 2016 hasn’t even happened as yet, but the Mrs has given approval for me to attend DEFCON 2017!

So, now to commence saving and researching flights, transfers and accommodation.

I’d like to fly over a few days before and spend some time in San Francisco, then drive down to Las Vegas over the course of a day and a bit for DEFCON. After the conference I’m likely to be pretty tired – so will probably fly from Las Vegas to Los Angeles, then home again.

Lots of flying… But I’m sure it’ll be awesome!

Bellini Supercook Yumi Wi-Fi. The (in)security Perspective.

Oh, IoT. Internet of Things. How promising you are. Like most geeks I’ve dreamed of having everything electronic I own connected to the Internet. Ever since seeing the NetBSD Toaster online in 2005, my own mind and that of other developers, has clearly wandered into areas we never thought possible previously.

But, as anyone with any interest in Security will already be acutely aware of, the actual security of the software running on many of these things is, to put it lightly, COMPLETELY AND ABSOLUTELY TERRIBLE!

We were provided a beta device for assessment of the operation, and one of the things we said to the manufacturer at the time was that we would perform a security assessment of the device and provide our findings to them.

We did that. They went silent. I have no idea if any of this is resolved, or will ever be. We have reached out to the vendor to find out if they have resolved these issues. At the time of writing, we are running the same firmware version as the latest available on Supercook.me.

Read on for my full assessment of the Supercook Wi-Fi Yumi security.
