Friday, December 19, 2014

Notes from the OSCP

This information is here more for me to learn...but feel free to learn as well. :-)

1. If there is phpMyAdmin on the box, check for webdav. There's a good chance if it's a Windows box, that it's running XAMPP, and the webdav creds haven't been changed from wampp/xampp.

2. MS11-080 doesn't work on everything. Heh.

3. Ditto #2 for MS08-067.

4. Always pick the low hanging fruit first, don't wait, because you may run out of time.

5. Screenshot EVERYTHING.

6. Learn how to make the Linux Terminal log EVERYTHING. It's the best way to keep track of how you did that thing you did.

7. Precompile as many exploits as you can.

8. Learn how Python works with PyWin and PyInstaller so that your exploits fire off right.

9. Once you're inside the box, look for other avenues to do privesc besides kernel exploitation. Kernel exploitation won't always work, even on Windows.

10. Check the patch level on every box you can.

11. If you can, build out servers as much of an exact replica as you can.

12. Learn how to privesc when you have EXTREMELY reduced privileges. (LMGTFY: "Bypassing Group Policy Restrictions")

13. Learn how to reboot a server when you can't reboot a server.

14. Always check the services running on a box.

15. mingw32 doesn't have ALL needed Windows libraries.

16. Learn how to use msfvenom properly. Ugh. (-t != -f ...so much wasted time)

17. Write your report as you go.

18. Add to that document all the PrivEsc exploits you can find...then see #7.

19. Prepare yourself that you may not be prepared for what's coming.

20. See #19.

21. Set up a Windows dev environment. Learn how to use it to fix/compile code quickly.

22. Probably still better to run Kali in a VM unless you just absolutely need the computing power to crack passwords. If you do need that, set up a separate cracking machine.

23. Learn how to code in Python better.

24. Learn how to fix broken exploits faster.

25. nmap -sS -p 1-65535 -iL IP_range_filename (the file of target IPs is the argument to -iL; save the output to a file with -oA so you can refer back to it)

26. After 25, nmap -A the ports and IPs you found.

27. Run nikto and dirb on all webservers...you can't hurt the servers on the test...this may not apply to real-world scenarios.

28. VNCInject payloads can be your friend, just remember, they are INCREDIBLY SLOW.

29. Nmap's scripting engine is there for a reason. Use it.

30. Take your time, take breaks, take a powernap. 4 Rockstars in a row are not good for your body.

31. Metasploit doesn't always work on things you think it will. Especially if the version number isn't mentioned in the sploit.

32. BACKUP EVERYTHING. If there's not a log or a screenshot of it, it didn't happen.

33. Read everything you can get your hands on. If you're going to be good at this, you need to be as good as you can be.

**UPDATE** -- After doing some research, I realized that one of my exploits probably would have worked, if I hadn't already screwed up the machine with other failed exploits...sooooooooooooooo...

34. (This applies to the exam and labs only, not real life...) ALWAYS REVERT THE MACHINE AFTER A FAILED EXPLOIT.
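An added example, not from the original post, tying together tips 6 and 32 (log everything) and tips 25 and 26 (full-port sweep, then nmap -A on what you found): a POSIX shell wrapper that records every command and its output with a UTC timestamp, plus the glue that parses nmap's grepable output into per-host open-port lists so the second-stage scan only touches ports that were actually open. The file names engagement.log, targets.txt and stage1.gnmap are assumptions, and the grepable output is a constructed sample, not a real scan.

```shell
#!/bin/sh
# Added example, not from the original post. Two helpers for the notes above:
#  - logged(): tips 6 and 32, a timestamped record of every command and its output
#  - stage1_cmd()/open_ports_from_gnmap()/stage2_cmds(): tips 25 and 26, the glue
#    between the full-port sweep and the follow-up "nmap -A" on what was found
# Assumed (hypothetical) file names: engagement.log, targets.txt, stage1.gnmap.

OSCP_LOG="${OSCP_LOG:-engagement.log}"   # assumed log file name

# Run a command, appending a UTC-stamped copy of the command line and all of its
# output to $OSCP_LOG while still showing the output on the terminal.
logged() {
    printf '[%s] $ %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >> "$OSCP_LOG"
    "$@" 2>&1 | tee -a "$OSCP_LOG"
}

# Tip 25 as a working command line: -iL takes the file of targets, -oG saves
# grepable output that the stage-2 helpers below can parse.
stage1_cmd() {
    printf 'nmap -sS -p 1-65535 -iL %s -oG %s\n' "$1" "$2"
}

# Parse nmap grepable output (-oG) into one line per host: "<ip> <open ports>".
# Only ports whose state is "open" are kept; hosts without any are skipped.
open_ports_from_gnmap() {
    awk '
        /^Host:/ && /Ports:/ {
            ip = $2
            sub(/.*Ports: /, "")           # keep only the port list
            n = split($0, entries, ", ")   # entries look like 22/open/tcp//ssh///
            ports = ""
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")  # f[1] = port, f[2] = state
                if (f[2] == "open")
                    ports = ports (ports == "" ? "" : ",") f[1]
            }
            if (ports != "") print ip, ports
        }' "$1"
}

# Tip 26: one "nmap -A" per host, restricted to the ports stage 1 found open.
# Prints the command lines (second arg is the -oA output prefix) rather than
# running them, so you can review them and run each one through logged().
stage2_cmds() {
    open_ports_from_gnmap "$1" | while read -r ip ports; do
        printf 'nmap -A -p %s -oA %s_%s %s\n' "$ports" "$2" "$ip" "$ip"
    done
}

# Constructed sample of -oG output (not a real scan), written to the given
# path so the parser can be tried without running nmap at all.
write_sample_gnmap() {
    {
        printf '# Nmap scan initiated (constructed sample)\n'
        printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
        printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (65532)\n'
        printf 'Host: 10.0.0.9 ()\tStatus: Up\n'
        printf 'Host: 10.0.0.9 ()\tPorts: 3306/open/tcp//mysql///\tIgnored State: closed (65534)\n'
        printf 'Host: 10.0.0.12 ()\tPorts: 135/filtered/tcp//msrpc///\tIgnored State: closed (65534)\n'
    } > "$1"
}

# Usage (uncomment to try it against the constructed sample):
#   write_sample_gnmap stage1.gnmap
#   stage2_cmds stage1.gnmap stage2                      # one nmap -A line per host
#   stage2_cmds stage1.gnmap stage2 | while read -r cmd; do logged $cmd; done
```

For a whole-session record rather than per-command logging, the standard script(1) utility captures everything the terminal shows; the wrapper above is handy when you also want the exact command line and a timestamp next to each piece of output, which is what the report needs.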


Monday, May 26, 2014

This is why we can't have nice things...

Spotted on Hack In The Box, the reason I don't have ANY wireless access set up as guest, and you shouldn't either. I barely even give people my wireless password, for this reason, among others.

Someone near San Francisco, CA got onto their "friend's" (I use this term loosely) wireless network, and started downloading child pornography. The thought of it makes me sick actually, being that I have 4 kids of my own, and if I caught someone doing that here...well...they probably wouldn't make it to the police. That's all I'm saying.

Anyway, from HITB:

"Case in point: Marin County, California, just north of San Francisco's Golden Gate Bridge. Local police in Marin communities like Novato are members of the regional Internet Crimes Against Children (ICAC) task force, and as such they participate in the common law enforcement practice of monitoring peer-to-peer file-sharing networks for possible child pornography files. In September 2013, Novato detective Amy Yardley was looking for such files being traded from Marin County IP addresses, and she scored a hit on the Ares network with a suspicious file downloaded by a Sausalito Internet subscriber."

Scary, no? Good thing that there are people out there watching for this kind of thing though. I guess the biggest problem is knowing who your "friends" really are.


QUICK POST - SANS SEC401 Mentor Style in Tulsa starting next week

Ok, last call for anyone in the Tulsa area who's looking to earn their GIAC GSEC certification, PLEASE sign up. This is from the SANS Institute, the most trusted name in Network Security.

Here's the link: http://www.sans.org/mentor/class/sec401-tulsa-03jun2014-aaron-moss

This is for the SANS Security Essentials - Mentor class, that I will be teaching, starting June 3rd. I have one more seat available for over 30% off, just ask me!

This class is a 10 week course, 2-3 hours a night, where we will go over key aspects of the course, including the labs. Please contact me with any questions. Thanks and...

PASS THIS ON!

Sunday, May 25, 2014

Jailbreaking the AppleTV 2 with 5.3 and Seas0nPass...and iFaith

My AppleTV has been flaking out lately. Netflix has been really slow to buffer, XBMC was getting to a point that I had to listen to the button clicks when I changed something to make sure that it was working correctly, or the video would be REALLY choppy. Not fun when you're trying to enjoy The Simpsons with the kids, and they're yelling at you to fix it (that's another issue...:-D).

So, I decided it was time to upgrade the AppleTV to the latest firmware that could be jailbroken (5.3) and after a little research, I found Seas0nPass seemed to be the way to go...

I was....semi-right.

I found pretty keen instructions on a couple different blogs, but the ones at iDownloadBlog seemed to be pretty simple and straight to the point...except I was working on a Windows box, but it's all good, I know how to convert between Win/Mac (hint: if you don't know how, just download the Windows version, run it, and follow the instructions :) )

So, I downloaded the 5.3 version of the software from here, and put it on the desktop. Well, once you open Seas0nPass, it will automatically download the software for you, and put it in your Documents folder under Seas0nPass\Downloads. No big deal.

After clicking on Create IPSW, letting it download the software, and patch it all, it goes to install it. I enter the ATV into DFU mode, it tries to install, and I wait. And wait. Annnnnnddddd.....wait.

Then the error pops up. "Firmware restore failed."

Ugh.

So, while Googling the error, I came across many different forums that had ALL KINDS of different fixes...but nothing was working.

Enter iFaith.

After a bit more research, I came across a post (#6) that said to use Seas0nPass to create the custom IPSW, but to use iFaith/iReb to get the ATV into DFU mode, then use iTunes to update the firmware by holding Shift when clicking Restore, and using the custom firmware built at the aforementioned Documents location ending with "SP_restore.ipsw". It WORKED!!!!

So, the AppleTV has XBMC added again, I've got my video sources added back, and the Movies/TV Shows are getting all the databases updated as I write this.

Damn it feels good to be a gangsta. ;-)

EDIT: I wanna give a BIG SHOUTOUT to all those iOS hackers out there, the XBMC hackers and the guys on the XBMC forums...you guys make the world a better place. :-)

--Aaron

Starting anew...

Ok, so I'm starting anew. It's been a bit since I've blogged ANYTHING (other than the occasional FB/Twitter post)...so I've decided to start all over. Here goes nothing. Enjoy.