Monday, December 18, 2017

Try Harder

Well, it happened.  I finally passed the OSCP exam!  It was, without a doubt, the most challenging and rewarding single endeavor of my career.

I know that when I was working on it, I was hungry for any insight those who had gone before me could provide.  So I thought I would share a few things I came across during the process.

Offensive Security, PWK And The OSCP


For those who aren't familiar with either the OSCP, PWK or Offensive Security ... Offensive Security (https://www.offensive-security.com/) is the company which brings us the Kali Linux distribution, the exploit-db (https://www.exploit-db.com/), and the free training course on Metasploit, Metasploit Unleashed (https://www.offensive-security.com/metasploit-unleashed/).

More to the point here, they also provide a variety of training opportunities in computer security, focusing on the offense side of security.

One of the classes they provide is "Penetration Testing With Kali", otherwise known as "PWK".  The PWK course focuses on how to do penetration testing (using Kali Linux) and prepares you to take the exam for the "Offensive Security Certified Professional" certification, commonly called the "OSCP".

Unlike most security certifications, the OSCP is exclusively hands-on.  There is no written exam, no test of some knowledge base ... being good at memorizing will do you no good here.  The exam consists of you being given access for 24 hours to a network with some computers on it.  If you compromise enough of those computers, you pass (you then have another 24 hours to write up the required report on your efforts).

Who Is The OSCP For?


One of the things I've learned while working on the OSCP is that there are a variety of folks working on it.
  • There are some folks who already work as experienced penetration testers - for them PWK and the OSCP are a validation of what they already know.  Dare I say it, the OSCP is something of a check-box for them.  They might have their sights set on the more advanced OSCE certification (https://www.offensive-security.com/information-security-training/cracking-the-perimeter/), which the OSCP is a stepping stone to.
  • There are security neophytes taking the course as well. Maybe they're making a move from some other IT discipline, maybe they're completely new to IT and security.  You have to admire their courage, jumping into the deep end like that.  I suspect however that a good number of these folks do well.  I say that because I believe that PWK and the OSCP reward hard work and motivation more than they reward book knowledge.
  • Finally, there are folks who work in security, but not as penetration testers.  I fall into that category: I've worked in many areas of security, and I like to think I have a good handle on the fundamentals.  While I've done lots of assessments with automated tools, and occasionally poke at things manually, I've never worked as a professional pentester.

I've tried to orient this post towards the second and third group.

BTW, although I don't work as a pentester, I'm of the opinion that earning the OSCP doesn't make you an 31337 security pentester.  There are many parts of an enterprise's potential attack surface which the PWK course doesn't have time to get into.  In my opinion, an OSCP would make a very strong junior pentester.  If you want to get in on the ground floor as a pentester, I can't think of a better certification than the OSCP.  Not only has an OSCP demonstrated a clear understanding of the fundamental skills required for serious pentesting, but he/she has demonstrated a tenacity which is a huge asset.

I also think the OSCP is a fantastic certification for other security folks.  For example, my day-to-day job doesn't involve pentesting - but what I've learned in the PWK and in earning the OSCP gives me a tremendous insight and "toolset" that I bring to my job every day.

What Is The PWK Class Like?


There are three main components to the PWK, and then a couple of extra resources you should be aware of:

  • The primary "reference" is the instructional document they provide.  The version I received was a .pdf document which is over 370 pages long.  This document is intended to teach you the skills and tools you'll need to compromise machines in the lab.  It's a well written and comprehensive tutorial which takes you from very basic things such as how to boot Kali through writing your own buffer overflow exploits.  Check out the PWK syllabus here, which follows the document's table of contents: https://www.offensive-security.com/documentation/penetration-testing-with-kali.pdf
  • The manual also includes exercises to work through.  These are hands-on exercises which give you experience with the techniques and tools you'll need to use in the lab.  When you take the OSCP, you can get a few points by handing in the completed exercises.
  • In addition to the written document, Offensive Security also provides a series of videos.  Each video is a lecture which typically demos a procedure or tool.  The videos pretty much correspond 1:1 to the sections in the written document.  Sometimes the video will show some detail not in the written document, or vice versa.  But essentially each video is a live presentation of a section in the written document.  This can be very handy when there's some aspect of using a tool which eludes you ... seeing a demo of somebody running it can make all the difference.  And of course, some folks are visual learners and some folks do better reading; Offensive Security has got you covered either way.
  • The third, and by far the most important, part of the course is the lab.  This is what separates PWK from most other classes.  As part of the course, you get access via a VPN to a network which hosts some 50+ machines spread across several networks.  The machines are all different, and each machine has some vulnerabilities which can be exploited to fully compromise the machine.  The network is modeled after a real corporate network, with a variety of different types of workstations, servers, and other corporate networks you can pivot to.  One of the things I like about the network is that the vulnerabilities are all "real world" vulnerabilities.  This isn't some Capture The Flag (CTF) exercise where you'll find some cute vulnerability that you would never see in the real world.  The vulnerabilities you'll find here are the types of mistakes, bugs and oversights you might find on a real corporate network (perhaps one with sloppy admins, but still real world).  Lab time is a valuable commodity.  When you sign up for PWK, you sign up for a certain number of days you'll have access to the lab.  If necessary, you can buy more lab time.

There are a couple of other resources that you'll want to be aware of:
  • As a student, you'll have access to a set of forums maintained by Offensive Security.  This is where Offensive Security will notify you of issues you need to be aware of.  However, the primary focus of the forums is for students to discuss both the lessons and the machines in the lab.  If you have a question about something in the course materials, this is a good place to ask.  Other students and Offensive Security instructors can respond to you here.  This is also where you'll find a forum dedicated to every machine in the lab.  When you get stuck on a machine (and you will, trust me) this is the place where you can seek a hint to get you unstuck.
  • There is also a private chat facility where you can connect to an Offensive Security instructor.  This is where you can get help if you're having a technical issue, such as problems connecting to the VPN.  It's also another resource if you're stuck on a machine.

Hints

Especially in the forums, you'll quickly encounter what I call the PWK "Code of Silence".  In the forums, and when you're interacting with instructors, there's a very strong tradition of not giving away how to compromise a machine.  Almost every forum post about a machine is edited to avoid hints which give away too much about how to compromise it.

The whole culture of PWK is oriented towards encouraging you to "Try Harder" and figure out for yourself how to compromise a machine.  Permitted hints are mostly encouragement, or perhaps something cryptic which will only mean something to you if you're already on the right path.  The same thing will happen if you contact an instructor via chat: if you're on the right path, he/she may toss you a few crumbs of encouragement.  But you'll never get something like "try CVE-1234-567".

OK, so those are the resources.  How do you use them to maximize what you get from PWK and earn the cherished OSCP? :-)

Some Lessons Learned

The Lab

The first lesson I'll mention is one I learned the hard way: the essence of the course is working through the machines in the lab.  The reason for this is that the limiting factor in the course is access to the lab, i.e., how much lab time you have purchased.  If you're lucky, you'll have the resources to buy more lab time as you need it, but it can get pricey.  If your employer is paying for the class, you may have a very hard limit on lab time (unless you can fund lab extensions on your own).

Why is this a hard-earned lesson?  The first (of many) mistakes I made with the PWK was assuming it was like other technical classes I had taken.  I started the course planning to study the manual, watch the videos, do the exercises and then, at the end, spend time practicing what was in the manual using the lab.  WRONG!  I ended up wasting a significant part of the lab time I purchased with the course, studiously working through the manual.  If there was an exercise, not only did I do it, I played with it, doing it different ways or writing a program I would never use again to do it.  I had a lot of fun, but when I was done and turned my attention to the lab I was horrified (and thrilled) to discover that while I needed to use the techniques and tools from the manual, each machine in the lab presented a different challenge which was new to me and wasn't simply a matter of applying by rote what was in the class lessons.  Not only that, but the lab was huge.  When I finally did a host scan to see how many hosts were in the lab, I was surprised to discover that there were 30+ machines immediately visible (plus more on networks I couldn't see yet).

This is a core thing to understand about PWK.  What PWK teaches you isn't a catalog of tricks you can use to compromise machines.  Rather, PWK teaches you how to bang your head against a machine, fighting, persisting, cursing, praying, clawing at it, until you finally find a chink in the machine's armor and can work your way past its defenses.

There's a reason the motto for the class is "Try Harder".  What Offensive Security is trying to teach you is to find ways to keep trying.  This is an insanely valuable lesson.  A good pentester can't just use the same exploits every day; he/she needs to be able to successfully compromise a machine with vulnerabilities they've never seen before.

That's why the lab is the core of the class.  The only way you'll develop the experience to have a chance at the OSCP is to work your way through the different machines in the lab.  It's what will turn "book" learning into an actual ability to compromise machines.  It's also what will force you to develop the mental toughness to keep trying 19 hours into the 24-hour OSCP exam and not give up.


Forums

So here's where I get to talk about another mistake I made.  Even though the forums are heavily edited to avoid giving away too much, they're not content-free either.  Typically, if you're on the right path to solving a machine, there might be a comment which will confirm that you're going in the right direction.  For example (and I'm making this up), let's say you found a directory traversal attack against an application.  If somebody in the forum for that machine says "enumerate the file system", that tells you that maybe if you keep using the directory traversal attack, you'll find something useful.

The mistake I made was that I got lazy and started to rely on these hints.  I got pretty good at using these hints to validate that I was on the right track (or not).  But developing a sense of when you're on the right track is part of what the lab should teach you.  Remember, there are no forums for the machines in the OSCP exam.  So if you become too used to using the forums to nudge you in the right direction, you'll be handicapped when you take the OSCP exam.  Having said that, sometimes it's important to just get a little bit of encouragement.  Several times I reached the point where it seemed like a machine was impossible.  At times like that, seeing that somebody else had finally figured it out was just the encouragement I needed to go back and try again (harder).

So, plan to use the forums as a resource.  But be careful not to over-use them.  If you're planning to take the OSCP exam, try to treat every machine you attack in the lab like it's part of the OSCP exam and try to use only the resources you would have during the exam.  If you go to the forums or instructors for a hint, do so with the intent of learning something when you're really stuck, not just to save time on that machine.

Notes

Here's something I did right!  One of the things I quickly learned while working on the PWK lab is the incredible importance of taking good notes.  I can't over-emphasize this: you've got to develop good note-taking skills while working in the lab.

When taking the OSCP exam, after your 24 hours to attack the exam machines, you have another 24 hours to write up a lab report.  This report is required, and it must meet certain standards.  No report, no OSCP.  The report requires you to be able to describe the vulnerabilities found and the successful attack used for each machine.  The quality of your report will be a direct function of the quality of your notes.  If you left something out of your notes, it may not make it into your report.  And don't forget, after your 24 hours of access to the exam network are up, and you're writing the report, you can't go back to the exam network because you forgot a screenshot or because you forgot how you did something.

Also, taking good notes while you work on a machine in the lab can be very helpful while trying to compromise it.  On occasion "life" would intrude on my working in the lab, and I would find myself coming back to a machine after being away from the lab for a while.  Having notes to remind me what I'd already tried, and what I still needed to do, was very handy.

Finally, there may arise occasions where a machine you've compromised in the lab later serves a useful purpose in attacking some other machines.  You can't take advantage of a machine you compromised weeks ago if your notes about that machine are incomplete or illegible.

In my opinion, there are two requirements for good note-taking software.  The first is to be able to easily impose structure on your notes.  You will need to refer back to your notes, and without structure, finding information in what will literally become thousands of pages of notes would become impossible.

The second requirement is to be able to quickly and easily incorporate screenshots into your notes.  Screenshots are critical because Offensive Security requires them as proof that you've done something.  In the exam report, you are required to provide screenshots showing every step required to compromise a machine (along with the contents of a trophy file).

You're allowed to use whatever program you want for notes.  However, Kali Linux comes with an open-source note-taking program called "keepnote", which I would strongly recommend, unless you already have a good program you're familiar with (such as OneNote, Evernote, ...).

How to Prepare

So here's the really good news.  While the amount of time you have in the lab is limited, there's no limit on how much preparation you can do prior to starting the course.  And there's a ton of resources available to help you prepare ahead of time for the PWK.  Again, having learned my lesson by doing the opposite, I would strongly encourage you to embark on a pre-PWK course of study.

What to study?  Well of course, it really depends on what your strengths and weaknesses are.  I would say that the goal of preparing for the PWK is to make sure you're in a position to immediately absorb what the PWK gives you, without having to back up and learn some "fundamentals."  Here are a few suggestions to cover the most likely gaps.

A Good Textbook

My first suggestion is that you definitely look at the book "Penetration Testing: A Hands-On Introduction to Hacking" by Georgia Weidman.

By the time you're done with her book, you'll have a Kali machine set up, you'll have learned the basics of getting around, and you'll have learned how to use the most commonly used tools in Kali.  Better yet, you also will have tasted the sweet, forbidden, addictive fruit of breaking into a machine and started to develop a feel for how that process works.  In fact, you'll have touched on many of the primary subjects covered by the PWK.

The only warning I would give you about her book is that several of the exploits she walks you through are against Windows XP, and it's getting harder and harder to find a Windows XP VM you can use, let alone one which is vulnerable to some of the exploits she shows.  But the Linux stuff is still available, and even if you just read about the Windows XP exploits you'll still get something out of it.

There are some other books which are also good, such as "The Hacker Playbook" by Peter Kim, but none of the ones I'm familiar with track the PWK as closely as Weidman's book.

Linux

Kali is a Linux distribution, and at its core PWK is partially about learning how to use Kali.  So being able to work in a Linux environment is pretty important.  There are a ton of online resources for learning Linux.  Just google something like "Intro to Linux", and pick one that looks good to you.

A great resource for getting started with Kali is "Kali Linux Revealed", available for free at: https://www.kali.org/download-kali-linux-revealed-book/.  Chapter 3 will give you a great introduction to using Linux.

If you want to have some fun with basic Linux commands, check out this CTF, which is an intro CTF using basic Linux commands: http://overthewire.org/wargames/bandit/.  If you've never tried to break into a computer before, this is a chance to dip your toes in and sample the thrill.

When it comes out, this book looks like it will be the go-to resource for getting up to speed with Linux for the PWK: https://www.nostarch.com/linuxbasicsforhackers

Networking

Networks are the media a pentester uses to communicate with his/her target, so PWK teaches you to understand how networking works, and the tools used to manipulate network traffic.  For example, PWK shows you how to use sniffers like Wireshark and tcpdump, tools you'll need to debug your attacks.

But in order to understand what these tools are telling you, you'll need to understand some networking basics.  If the terms "ARP", "UDP", and "three-way handshake" mean something to you, you shouldn't have any problems with PWK.  If not, you probably want to find an introductory lesson on TCP/IP.

There are tons of these lessons on the Internet, although many of them go into much more detail than you need to start.  For example, you don't need to understand the OSI model, routing, NAT, IPv6, subnetting, or how networking hardware works.

Find one you like.  Networking is critical to almost any endeavor in security, so in a way you can't learn too much.  But for the PWK, avoid getting too far into the weeds.

Programming Skilz

You will need to have some basic programming ability.  Part of what you need to be able to do in PWK is download an exploit's source code, review it for safety and applicability, and perhaps make some changes.  Most of the exploits you'll encounter are written in either Python or C.  If you can already load a Python program into vi, maneuver around, maybe change the value of a variable (and exit from vi!) then you're good to go.  Kali does have a notepad-like editor, so even being able to use vi is optional.

If you're new to programming, I would focus on learning some Python.  If you can get around in Python, the minimal amount of C code you'll need to modify should not be a big deal.

Frankly, there are so many "Intro to Python" resources, it's hard to find just one to recommend.  Find one you like, and just work through it.  Just as an example, here's one that Google makes available: https://developers.google.com/edu/python/?hl=en

If you prefer to learn from a book, here's a book that I like (you just need Part 1), although it might be a bit of overkill: https://www.nostarch.com/pythoncrashcourse

Buffer Overflows and Hacking in Binary (OK, Hex)

Related to basic programming, the PWK spends some time showing you how to write a classic buffer-overflow exploit.  It's really fun stuff, and they keep it at an approachable level.  To follow these modules you'll need an understanding of:
  • How a program uses memory
  • What a stack is and how it's related to calling a procedure
  • What the instruction pointer is
  • What hex is
  • You'll also need to be comfortable learning how to use a debugger.

Those things sound scarier than they are.  But if you've seen them before you'll find the buffer overflow part of PWK easier.

Weidman's book devotes 3 chapters to writing buffer-overflow exploits, or there are a bunch of buffer-overflow tutorials on the Internet.

A Google search for "intro buffer overflow" will give you a starting point.  Remember though, you don't need to learn assembly language, or how to reverse engineer a program.  Just go with one of the resources which demo a simple buffer overflow.

Metasploit

Metasploit is a "framework" for writing and running exploits.  What that means is that Metasploit provides a bunch of tools which simplify writing and then running exploits.  There's a huge community which has grown up around Metasploit, with the result that for a lot of known vulnerabilities, somebody has written an exploit in Metasploit which "just works".  Put another way, Metasploit makes it trivial to exploit a large number of vulnerabilities without knowing a thing about how the exploit works.

Metasploit is an important tool for pentesters to know.  But it's somewhat antithetical to what PWK is all about, namely learning how to compromise a machine with your own two hands.  PWK devotes some time to learning how to use Metasploit, and on the OSCP exam you're allowed to use Metasploit on one machine if you want, so it's not a bad idea to study Metasploit before taking the PWK.  As with most aspects of the PWK, Weidman's book covers how to use Metasploit.

Although it goes into more detail than you need for the PWK, Offensive Security makes available a great resource on using Metasploit, Metasploit Unleashed: https://www.offensive-security.com/metasploit-unleashed/.  If you want to play with Metasploit in more detail, grab a copy of the latest version of "Metasploitable", which is a VM running software specifically designed to be vulnerable to exploits in Metasploit.  You can then use Metasploit to attack the vulnerabilities on this VM.

Finally, one warning about Metasploit.  When working in the PWK lab, it's possible to become too dependent on using Metasploit.  There's nothing to stop you from using Metasploit against every machine in the lab, but if you do you'll be completely lost during the OSCP exam, where your use of Metasploit is severely limited.

Machines to Attack

The key activity in the PWK class is to attack the machines in the lab.  Although I wouldn't describe it as a requirement, it's clearly beneficial to get practice actually attacking machines before starting the class.  Fortunately, there are a lot of opportunities to legally attack something.  The hard part is knowing ahead of time that a particular target is a good match for the machines in the PWK.

To address that, an excellent resource is the list of PWK-like machines put together by "abatchy": http://www.abatchy.com/2017/02/oscp-like-vulnhub-vms.html

The site vulnhub.com serves as a repository of vulnerable VMs.  In general, a lot of the machines at vulnhub can teach you something, even if they're not all aligned with what the machines in the PWK lab teach you: https://www.vulnhub.com/

Final Thoughts

If you're "new" to security, keep in mind that almost everything is documented for free somewhere on the Internet.  That means that if you're willing to dig a lot, and work hard, you can learn everything you need to do well in the PWK before going into it.  Coincidentally, those skills (digging and working hard) are among the ones you'll need once you start actually doing the PWK.

When working in the PWK lab, learn to stay focused and try to dispatch machines as quickly and efficiently as possible.  This is a critical skill for professional pentesters, and is one of the skills that the OSCP mercilessly measures during the exam.

Finally, preparing ahead of time can make the difference between success and failure.  Do not underestimate the PWK (but don't be afraid of it either).

Resources

In addition to references sprinkled above, here's a list of some resources on preparing for the OSCP that I came across during my OSCP journey:

http://www.securitysift.com/offsec-pwb-oscp/
https://www.keiththome.com/oscp-course-review/
https://theslickgeek.com/oscp/
http://netsec.ws/?p=398
https://leonjza.github.io/blog/2014/11/22/trying-harder-oscp-and-me/
http://www.en-lightn.com/?p=941
https://medium.com/@rubyroobs/offensive-security-s-penetration-testing-with-kali-linux-course-and-why-it-s-possibly-the-best-9142092d13d1
http://www.techexams.net/forums/security-certifications/110760-oscp-jollyfrogs-tale-2.html
https://securism.wordpress.com/oscp-notes-password-attacks/
https://backdoorshell.gitbooks.io/oscp-useful-links/content/
https://www.peerlyst.com/posts/the-how-to-get-the-oscp-certification-wiki-peerlyst
https://blog.mallardlabs.com/zero-to-oscp-in-292-days-or-how-i-accidentally-the-whole-thing-part-2/

Update 3/2020 - Best resource yet! (This is an update of what was here before.)
https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=0
