Try harder or go home

Date posted: 23-Jan-2018
Category: Technology
Transcript of Try harder or go home

  1. Try Harder OR GO HOME
  2. Disclaimer: Cha-HA is a "Red Team" social and training group. Organizers and teachers of Cha-HA are not compensated financially for their time. They do this simply because they enjoy the topic and like to share. Some of the skills and tools taught at Cha-HA meetings can be used for malicious purposes. Cha-HA organizers and teachers only condone and encourage responsible and lawful use of such skills and tools.
  3. Code of Conduct: I will treat all other members respectfully during Cha-HA events. I will not use tools and skills shared at Cha-HA for unlawful purposes. If I ignore the previous point and get caught in an unlawful act then it is nobody's fault but my own.
  4. Whoami
     - Jared Haight
     - Former Sysadmin
     - Current Security Engineer
     - OSCP as of August 13th
     - @jaredhaight
     - https://words.photosandtext.com
  5. What am I talking about?
     - What I already knew that helped me with the OSCP
     - Stuff I learned while studying for the OSCP
     - Things you should focus on if you want to take the OSCP
     - Without getting too specific as to ruin the fun (or get in trouble with Offensive Security)
  6. What makes a hacker?
  7. My Background
     - Using computers for 17 years
     - Started using Linux about 14 years ago
     - Sysadmin for 10 years; covered everything from firewalls down to the desktop
     - Administered both Windows and Linux environments
     - Hobbyist web dev for 4 years
     - Started learning Python in 2011, still suck at it.
     - Currently learning Javascript, really suck at it.
  8. What makes an effective hacker
     - Learn quickly and be able to intuit how things work
     - Constantly think about how you can abuse your current position
     - Focus on your long term goals, but not to the point that it distracts you from what's in front of you
     - Understand your opponent. In the OSCP lab it's a lot of stupid and lazy admins
  9. Recon
  10. NMAP
      - Scan ALL of the ports: TCP (1 - 65000), UDP (--top 200 or whatever)
      - Read the scan output, not just the overview. That's where all the NSE output is!
      - Zenmap is really great
  11. Dirbuster
      - Invaluable tool for finding directories/files on a webserver
      - Lists are in /usr/share/wordlists/dirbuster. Use the big one
      - Set threads to like 100
  12. Other Enumerators
      - SMBEnum: old and/or misconfigured Windows boxes give TONs of info through SMB
      - SNMPwalk: can be great for identifying the OS; misconfigured OSs will give a lot of info over SNMP
      - Probably more..
  13. Misc
      - Save EVERYTHING: notes, NMAP output, enum output, etc.
      - Make sure you can find everything
      - My structure: ~/recon/192.168.13/68/ (host ip), holding
        - notes
        - nikto.log
        - smbenum.log
        - misc loot..
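The recon slides say to read the full scan output, not just the overview, and to keep it organized per host. As an added example (not from the talk), this Python parses nmap's grepable output (-oG) into the open ports per host and maps each host onto the ~/recon/<network>/<last octet>/ layout from slide 13; the scan text below is constructed, not a real scan.

```python
import os
from typing import Dict, List, Tuple

# Constructed sample of nmap grepable (-oG) output for two lab hosts; not real scan data.
SAMPLE_GNMAP = (
    "# Nmap 7.70 scan initiated as: nmap -p- -sV -oG full.gnmap 192.168.13.68 192.168.13.70\n"
    "Host: 192.168.13.68 ()\tStatus: Up\n"
    "Host: 192.168.13.68 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.7p1/, "
    "80/open/tcp//http//Apache httpd 2.2.8 ((Ubuntu) DAV|2)/, "
    "139/filtered/tcp//netbios-ssn///\tIgnored State: closed (65532)\n"
    "Host: 192.168.13.70 ()\tStatus: Up\n"
    "Host: 192.168.13.70 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (65534)\n"
)

OpenPort = Tuple[int, str, str, str]  # (port, proto, service, version)

def parse_gnmap(text: str) -> Dict[str, List[OpenPort]]:
    """Return {ip: [open ports]} from grepable output, dropping filtered/closed entries."""
    hosts: Dict[str, List[OpenPort]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        hosts.setdefault(ip, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                # Layout: port/state/proto/owner/service/rpc/version/ (nmap writes "|" for "/" inside a field)
                parts = entry.strip().split("/")
                if len(parts) < 7 or parts[1] != "open":
                    continue
                hosts[ip].append((int(parts[0]), parts[2], parts[4], parts[6].replace("|", "/")))
    return hosts

def host_dir(base: str, ip: str) -> str:
    """Map 192.168.13.68 onto <base>/192.168.13/68, the per-host layout from slide 13."""
    net, last = ip.rsplit(".", 1)
    return os.path.join(base, net, last)

def summary_lines(hosts: Dict[str, List[OpenPort]]) -> List[str]:
    """One sorted line per open port, ready to drop into the host's notes file."""
    out = []
    for ip in sorted(hosts, key=lambda a: tuple(int(o) for o in a.split("."))):
        for port, proto, svc, ver in sorted(hosts[ip]):
            out.append(f"{ip} {port}/{proto} {svc} {ver}".rstrip())
    return out
```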
  14. Exploitation
  15. Searchsploit
      - Why you'd use it: you need an exploit, and searching exploit-db.com is really slow
      - How you'd use it: searchsploit
      - Example: searchsploit -w windows exec
      - By default it lists out the exploit name and location on disk; -w lists the exploit-db URL instead of the location on disk
  16. Metasploit
      - Why you'd use it: cause it's fucking metasploit
      - How you'd use it: very carefully if you're taking the exam
      - Usage is limited to multi handler, meterpreter and msfvenom
      - You can use Auxiliary, Exploit and Post modules against ONE allowed machine
      - Double check the rules before you do something stupid on your exam
  17. Meterpreter
      - Why you'd use it: it's like a normal shell but with special sauce.
      - How you'd use it: very carefully if you're taking your exam
      - Usage is restricted to File System, Network and a subset of System commands
      - All other usage is only allowed on the one machine you use Metasploit on.
  18. How do I know what I'm allowed to do?
      - Metasploit: if you're in msfconsole, you can use exploit/multi/handler. That's it. If you want to use more of the metasploit console you can do it only once and only on an allowed box. No restrictions on msfvenom.
      - Meterpreter: if you're in a meterpreter session, run help. It will list out all meterpreter commands, categorized by section.
  19. Buffer Overflows
      - Why you'd want to learn this
        - You're a hacker, you want to know how things work. Buffer overflows are core to the fun stuff we get to do
        - You want to be able to edit (or even find) exploits
      - How you'd learn this
        - Go over the documentation provided by Offensive Security. Keep going over it until it makes sense
        - Do the exercises provided by Offensive Security
        - Go find more stuff to exploit (plenty of resources on the internet)
  20. Exploits in the lab environment
      - Lots of finding and editing existing exploits
      - Build up a collection of scripts and tools that hit common exploits: MS08-067, Linux kernel priv esc, etc.
      - Learn how to read basic C, it'll help.
      - Some of the servers are old, your compiled code won't run on them
        - Download an ISO of the old OS and spin it up in a VM
        - Google Debootstrap to set up builds of old Debian/Ubuntu installs on your Kali box. Once set up you can use chroot to switch into them
        - Note that Debian changed their file hashes from MD5 to SHA a while back. You may need to find an old version of debootstrap to work on really old OSs.
  21. Tips and Tricks
      - If you have a root shell on a box but don't know the root password, echo your SSH key to /root/.ssh/authorized_keys. Boom. Passwordless login.
      - Exploit chains can get complicated and VMs get reset often. Script out exploits that you find yourself doing over and over again.
      - The documentation walks you through writing a script that generates a wget script for Windows. Do that, it comes in handy. Actually, just do all the exercises that they walk you through.
      - Do a report on the lab and do it as you go along. The lab is big, there's a lot of stuff to document. Don't put it off. The lab report can help to sway whether you pass the OSCP or not.
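The authorized_keys trick on slide 21 is also exactly what a defender should be watching for on their own hosts. Added example, not from the talk: this Python parses an authorized_keys file (options prefix included), fingerprints each key the way ssh-keygen -lf does (SHA256 of the decoded blob, base64 without padding) and reports entries missing from an allowlist. The file contents and key blobs are constructed placeholders, not real keys.

```python
import base64
import hashlib
from typing import Dict, List, Set

def _fake_blob(label: bytes) -> str:
    """Constructed stand-in for a public key blob; not a usable key, just distinct bytes."""
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + label).decode()

ADMIN_KEY = _fake_blob(b"admin-laptop")
UNKNOWN_KEY = _fake_blob(b"unexpected")

# Constructed authorized_keys file: two entries for the admin key (one with options), one stranger.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys for root",
    f"ssh-rsa {ADMIN_KEY} admin@jumphost",
    "",
    f'command="/usr/bin/uptime",no-pty ssh-rsa {ADMIN_KEY} monitoring',
    f"ssh-rsa {UNKNOWN_KEY} root@kali",
])

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint as ssh-keygen -lf prints it: base64 of the digest, no padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str) -> List[Dict[str, str]]:
    """Split entries into options/type/fingerprint/comment; the options prefix is optional."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # The key type is the first token that looks like one; anything before it is options.
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line; sshd ignores these as well
        entries.append({
            "options": " ".join(tokens[:idx]),
            "type": tokens[idx],
            "fingerprint": fingerprint(tokens[idx + 1]),
            "comment": " ".join(tokens[idx + 2:]),
        })
    return entries

def unexpected_keys(text: str, allowed: Set[str]) -> List[Dict[str, str]]:
    """Entries whose fingerprint is not on the allowlist: the ones to investigate."""
    return [e for e in parse_authorized_keys(text) if e["fingerprint"] not in allowed]
```

Running this from a cron job or file-integrity check over /root/.ssh/authorized_keys and every user's authorized_keys turns the slide's persistence trick into an alert.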
  22. Tips and Tricks Part 2: Too fast too tricky
      - Sometimes the easiest way to get a shell on a box is to create a new account. If you have privileged code execution on a box, why not just create a new account?
      - Pillage: check every single box you get into for loot. There are some boxes in the labs that you can only get into with info gleaned elsewhere
      - Think. Where would the good stuff be? /home, /etc, /var/log, C:\, C:\Users (C:\Documents and Settings)
      - Use scp, meterpreter or existing services (http, ftp) to get files off a box
  23. Pivoting
  24. Pivoting is Fun
      - There are three networks in the OSCP lab. You start out with access to one. Be on the lookout for dual-homed boxes.
      - How do you pivot?
        - SSH forward proxy: ssh -D [Port Number] [user]@[Remote IP]. Example: ssh -D 9995 root@192.168.1.10
        - SSH reverse proxy: ssh -R [Remote Port]:localhost:[Local Port] [user]@[Remote IP]. Example: ssh -R 8081:localhost:3000 root@192.168.1.10. Note: requires GatewayPorts yes in the remote sshd_config
        - ProxyChains: routes any TCP network traffic over the proxy
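Slide 24 notes that the reverse proxy only works when the remote sshd has GatewayPorts yes; both directions also depend on AllowTcpForwarding, which sshd enables by default. Added example, not from the talk: a check of the sshd_config keywords that make a host usable as an SSH pivot, applying sshd's rule that the first value read for a keyword wins and that Match blocks apply only conditionally. The config fragment is constructed, and "hardened" here means forwarding turned off on hosts that have no business doing it.

```python
import re
from typing import Dict, List

# Constructed sshd_config fragment (not from a real host). sshd uses the FIRST value it reads
# for a keyword, so the second GatewayPorts line below is dead, and settings inside Match
# blocks apply only to matching sessions, so the check stops at the first Match line.
SAMPLE_SSHD_CONFIG = """\
Port 22
AllowTcpForwarding yes
GatewayPorts yes
GatewayPorts no   # never takes effect: first value wins
Match User backup
    AllowTcpForwarding no
"""

# sshd's defaults when the keyword is absent, and the values that close the pivot paths.
DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no", "permittunnel": "no"}
HARDENED = {"allowtcpforwarding": "no", "gatewayports": "no", "permittunnel": "no"}

def effective_settings(text: str) -> Dict[str, str]:
    """Global-section settings under the first-value-wins rule; keywords are case-insensitive."""
    seen: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]  # "Key value" or "Key=value"
        keyword = keyword.lower()
        if keyword == "match":
            break
        seen.setdefault(keyword, value.lower())
    return seen

def pivot_enablers(text: str) -> List[str]:
    """Keywords whose effective value still lets this host be used as an SSH pivot."""
    cfg = effective_settings(text)
    return [k for k, want in HARDENED.items() if cfg.get(k, DEFAULTS[k]) != want]
```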
  25. Wrap Up
  26. Recap
      - Don't be afraid to learn
      - Be aggressive in your scanning
      - Keep notes, be organized
      - Do your lab report
      - Don't use metasploit
      - Be really comfortable with basic Buffer Overflows
      - Pillage everything
      - Hack the planet
  27. Questions? @jaredhaight jaredhaight@protonmail.com