We learn Security!

Career Path Security Researcher & Bug Bounty

Security Researchers work in the field of bug bounties and exploitation, often they are independent but sometimes they also work as employees. I think that both paths are not easy, but of course it can be done. On both paths you can earn lots of $$$ but I also heard of people who came out disappointed. Some people starting this as a side job and then go independent. If you don’t know some basics look here and here.

The reason why I put both paths in one post is that for me you need a similar mindset. You have to be highly motivated, need to learn a lot before you gain some success (well, at least for most people) and if you go independent you work on your own. For both you need a plan or tactics, you can’t just start hacking and hope to find something.

When you want to participate in bug bounties normally you are using platforms like hackerone or bugcrowd, but lot’s of companies have their own bounty programs. Since most of these programs are public this makes starting easy.

On the other hand, when you want to start as a researcher and do exploit development, you also have some public resources like ZDI or zerodium. But what is more important than in bug bounty, is networking with other researchers and companies. One way is to go at conferences and trainings, have a look at the links section of this article.

Both paths might take months or even years until you get into it, so this article can only be a starting point that I hope is helpful.

Links

Bug Bounty

Blog Articles, programs

LevelUp 0x02 – Bug Bounty Hunter Methodology v3

Advanced Web Attacks and Exploitation (AWAE)

Probably interesting for both paths, but web hacking is more bug bounty for me…
https://www.offensive-security.com/information-security-training/advanced-web-attack-and-exploitation/

Exploiting

35C3 – From Zero to Zero Day

The Exploit tutorials from corelan

https://www.corelan.be/index.php/articles/
That said, I can highly recommend the trainings that you can book at several conferences:
https://www.corelan-training.com/

OSCE- Cracking the Perimeter (CTP)

Also mentioned here before, the Offensive Security course and certification:
https://www.offensive-security.com/information-security-training/cracking-the-perimeter/

OSEE – Advanced Windows Exploitation (AWE)

I also heard great things about the AWE (OSEE) for more in depth exploitation, but I don’t have personal experience here.

Even more links:
https://www.zerodayinitiative.com/
https://zerodium.com/
https://googleprojectzero.blogspot.com/
and especially this article from project zero:
https://googleprojectzero.blogspot.com/p/working-at-project-zero.html

Conferences

As said before, learning new things and networking is really important, so here are some conferences that seem good, you should also consider to take some trainings:

Books

Hands-On Bug Hunting for Penetration Testers
Author: Joseph Marshall
Content: Go through common bugs in Webapps and introduction to bug bounties
Career: Penetration Tester, Bug Bounty
Level: Beginner

The Shellcoder’s Handbook
Authors: Chris Anley, John Heasman, Felix “FX” Lindner, Gerardo Richarte
Content: Exploiting security holes for Windows, Solaris, MacOSX, Cisco. Although from 2007 still worth reading.
Career: Penetration Tester, Exploiter
Level: Intermediate, Experts

Hacking: The Art of Exploitation
Author: Jon Erickson
Content: Goes from the first steps in Bash and C to in depth exploitation and debugging on Linux.
Career: Penetration Tester, Exploit Developer
Level: Beginner, Intermediate, Expert

And here is a great free book:
Modern Windows Exploit Development
http://docs.alexomar.com/biblioteca/Modern%20Windows%20Exploit%20Development.pdf

Book review The Hacker Playbook 3

The Hacker Playbook 3
Authors: Peter Kim
Content: Main focus is on Red Teaming
Career: Penetration Tester
Level: Intermediate, Expert

This week I did read the great book The Hacker Playbook 3 by Peter Kim. The focus of the book lies on Red Teaming, it makes sense to read also the first two books if you do not have prior knowledge to penetration testing.

Content:

Difference between pentesting and red teaming
MITRE ATT&CK framework
Tools setup
Reconnaissance phase
optional lab setup & exercises
about web attacks like node.js, nosql injections, deserializiation attacks and more
hacking the (windows) network for example with responder, password spraying
privilege escalation with misconfigured services, exploit suggester and more
mimikatz magic of course
attacks on macs with empire
bloodhound and sharphound
lateral movement using different techniques
pivoting
social engineering campaings & physical attacks
recompile meterpreter dlls for avoiding detection
password cracking
write your own droppers

I highly recommend this book, especially if you are into Red Teaming it is a good resource. Maybe a report about owing the Cyber Space Kittens lab would have been nice, since reporting in Red Teaming is a non trivial task.

Write-up hackthebox netmon

After the getting started article, here is a walkthrough for hackthebox netmon, to get an impression how to pwn machines. This was a nice one and I guess one of the the easier.

Portscan

Nmap 7.70 scan initiated Thu May 23 21:38:11 2019 as: nmap -A -oA netmon 10.10.10.152

Nmap scan report for 10.10.10.152

Host is up (0.043s latency).

Not shown: 995 closed ports

PORT    STATE SERVICE      VERSION

21/tcp  open  ftp          Microsoft ftpd

| ftp-anon: Anonymous FTP login allowed (FTP code 230)

| 02-03-19  12:18AM                 1024 .rnd

| 02-25-19  10:15PM                 inetpub

| 07-16-16  09:18AM                 PerfLogs

| 02-25-19  10:56PM                 Program Files

| 02-03-19  12:28AM                 Program Files (x86)

| 02-03-19  08:08AM                 Users

|02-25-19  11:49PM                 Windows
| ftp-syst:
|  SYST: Windows_NT

80/tcp  open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)

|_http-server-header: PRTG/18.1.37.13946

| http-title: Welcome | PRTG Network Monitor (NETMON)

|_Requested resource was /index.htm

|_http-trane-info: Problem with XML parsing of /evox/about

135/tcp open  msrpc        Microsoft Windows RPC

139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn

445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds

No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

TCP/IP fingerprint:

OS:SCAN(V=7.70%E=4%D=5/23%OT=21%CT=1%CU=30959%PV=Y%DS=2%DC=T%G=Y%TM=5CE6F6C

OS:0%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=108%CI=I%II=I%TS=A)SEQ(SP=1

OS:07%GCD=1%ISR=108%TS=A)SEQ(SP=107%GCD=1%ISR=108%II=I%TS=A)OPS(O1=M54DNW8S

OS:T11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54DNW8ST11%O6=M54D

OS:ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=

OS:80%W=2000%O=M54DNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2

OS:(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%

OS:F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%

OS:T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD

OS:=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL

OS:=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops

Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:

|clock-skew: mean: 11s, deviation: 0s, median: 10s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|  message_signing: disabled (dangerous, but default)

| smb2-security-mode:

|   2.02:

|_    Message signing enabled but not required

| smb2-time:

|   date: 2019-05-23 21:38:48

|_  start_date: 2019-05-23 21:34:54

TRACEROUTE (using port 1723/tcp)

HOP RTT      ADDRESS

1   54.00 ms 10.10.12.1

2   54.08 ms 10.10.10.152

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done at Thu May 23 21:38:40 2019 -- 1 IP address (1 host up) scanned in 29.10 seconds

Connect via FTP

The user hash is easily found:

Now we have a look at the running web server. A PRTG instance is running here. After some searching the web it was clear that this might be a vulnerable version of PRTG (https://www.codewatch.org/blog/?p=453). No login with std creds (prtgadmin/prtgadmin) possible…

But we have the FTP server, which gives us some infomation:Some interesting stuff in the windows dir:

Here the credentials are encrypted. Some research show that in older versions that might be a problem (TODO, link). So I spent some time in finding valid credentials.

Also in c:\windows:

c:\ProgrammData is hidden but can be seen if you access it directly:

Get netmon prtgadmin credentials:

Something interesting in PRTG Configuration.old.bak:

After some trying I found out that the new password was: PrTg@admin2019, so this is something you have sometimes in real life, finding some credentials but still need to try around a bit. Then I followed mostly this description of the vulnerability: https://www.codewatch.org/blog/?p=453

Add a notification:

Leave defaults and choose “Execute Program” with the following settings:

Success, we can now get the hash from the test,txt file:

Pwnd! What I liked on this machine was that you needed to combine vulnerabilities. First find the credentials, then alter them to the working credentials. After that you had RCE.

Book Review Hands-on Bug Hunting for Penetration Testers

The main audience of Bug Hunting for Penetration Testers are coders and penetration testers interested in bug bounties. The book goes through bug bounty programs, penetration testing and the usual web security vulnerabilites like XSS, SQL injections, XEE and so on.

As the title sais, the book was written for people with prior knowledge in penetration testing. So the vulnerabtilies are not explained in depth, but nevertheless it is suitable also for beginners if they are willing to go deeper later and using other sources, after each chapter there are some recommendations for it.

For me the perspective as a bug hunter is pretty interesting, and the book is going into automatisation of some tasks and which vulnerabilites are usually interesting for bug bounty programs and how to report them. For getting an impression about the coding have a look here, unfortunatelly the code base is for python 2.7 and not python 3. The books is also informing about information gathering and bug bounty strategies. What I also like are the end-to-end examples, from finding and exploiting a vulnerability to a short example report. Later reporting is explained into more detail.

If you are interested in Bug Bounty programs you should have a look into this book.

Career Path Penetration Testing Basics

Penetration Testing – “A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.” (From wikipedia)

The scope of the article is to help to get your first job as a penetration tester. If you have more great links or recommendations please add them in the comments section. Becoming a good penetration tester requires much more skills than described here. It also means that you never stop learning.

If you don’t know the IT- and IT security basics yet, please have a look here. When you want to start a career in Penetration Testing you should know that most of the penetration tests performed today are Web Application tests. Therefore this article is focusing on this topic. Later I will add new posts with Specializiation Paths for more advanced topics like exploitation, red teaming and so on.

As already mentioned in the article Career Path Security Basics, I strongly suggest that you make a plan what goal you want to reach. For example playing CTF all the time might be fun for some people, but if you need the OSCP it might not be helpful to waste too much time.

Web App Penetration Testing

Port Swigger: Web Security Academy
Content: Teaches the basics of Web Application Security, so far SQL Injection, XSS, OS command injection and File Path traversal. Comes with small labs.
Career: Penetration Test but I recommend it also for everyone interested in security
Level: Beginner
Price: Free

Review Portswigger Web Security Academy

Update 2020/08

The materials and labs exloded over the last months:
Web cache poisoning
Information disclosure vulnerabilities
Insecure deserialization
Authentication
SQL injection
Cross-site scripting
Cross-site request forgery (CSRF)
XML external entity (XXE) injection
Clickjacking (UI redressing)
Cross-origin resource sharing (CORS)
Server-side request forgery (SSRF)
HTTP request smuggling
OS command injection
Server-side template injection
Directory traversal
Access control vulnerabilities and privilege escalation
Testing for WebSockets security vulnerabilities
DOM-based vulnerabilities

The full list of labs is not included here, it is simply too long!

Link: Web Security Academy
Content: Teaches the basics of Web Application Security, so far SQL Injection, XSS, OS command injection and File Path traversal. Comes with small labs.
Career: Penetration Tester but I recommend it also for everyone interested in security
Level: Beginner
Price: Free

The description from the originial website:
“Welcome to the Web Security Academy. This is a brand new learning resource providing free training on web security vulnerabilities, techniques for finding and exploiting bugs, and defensive measures for avoiding them.
The Web Security Academy contains high-quality learning materials, interactive vulnerability labs, and video tutorials. You can learn at your own pace, wherever and whenever suits you. Best of all, everything is free!”

For tracking and doing the labs you need to create an accout.

I found the explanations and the labs very suitable for beginners and I think it is a great starting point for web application security.

The team behind it is the same that is behind the Burpsuite and the famous Web Application Hackers Handbook (consider buying it if you want to go deeper into the topic):

The Web Application Hackers Handbook
Authors: Daffy Stuttard, Marcus Pinto
Content: The standard book about hacking Web Applications, goes into depth about the most important topics. Authors also created the BurpSuit.
Career: Penetration Tester
Level: Good for beginners, but also useful for experienced penetration testers

Career Path Security Basics

Most people starting a career in IT security have a huge interest in topics like hacking, programming, system administration, networking and so on. When you apply for a junior position, employers normally expect basic skills and huge motivation. In this article you can find some useful resources for learning the basic skills that are useful for all career paths in IT security. More specific articles for specialized career paths like penetration tester, DFIR expert, malware expert and so on, are about to follow.

If you have any ideas or suggestions for additional useful courses, please feel free to leave a reply in the comment section below or just add them to your personal training list.

I suggest to look for suitable courses or certifications, to set yourself a goal and make a plan how to reach your goal.

If you want to read how I started my career in IT security have a look here.

Programming

Depending on your career, you should have knowledge in various programming languages. As a penetration tester, these could be assembly, C, javascript, HTML, python and bash for the beginning. Programming skills are not only useful for penetration testers, but also for other career paths. For example in a blue team, programming skills are very useful for automatization.

In this section you can find some examples for learning basic programming, more specialized examples follow in the career path sections.

HTML

Html & JavaScript

Learn Basics by building your own Computer

Build a Modern Computer from First Principles: From Nand to Tetris
Content: Teaches the basics of computer sience by building a computer from ground up. There is also a great TED talk about the course.
Career: All
Level: Beginner
Price: Free or with certificate

Programming Python

Python might be the most important language to learn as a starter.

Programming for Everybody (Getting Started with Python)
Content: Python Basics
Career: All
Level: Beginner
Price: Free or with certificate

There is a ton of free resources on the web, this also looks useful:
https://www.python.org/about/gettingstarted/
https://www.learnpython.org/

More EDX courses: https://www.edx.org/learn/computer-programming

More coursera courses: https://www.coursera.org/browse/computer-science/software-development

Programming Bash, Learning Linux

For all career paths, you will need Linux skills.

https://www.bash.academy/
https://www.learnshell.org/
http://tldp.org/HOWTO/Bash-Prog-Intro-HOWTO.html

If you lack of basics in Hardware, OS and so on consider this one:
https://www.professormesser.com/free-a-plus-training/220-901/comptia-220-900-course/

Networking

Professor Messer’s CompTIA N10-007 Network+ Course
Content: Great and free video course for preparing the CompTIA Network+ exam, I recommend to add a book nevertheless.
Career: All
Level: Beginner
Price: Videos are free

All in One CompTIA Network+
Author: Mike Meyers
Content: Coverage of the CompTIA Network+ certification exam objectives, goes into the topics in depth. I liked the questions after each chapter. Came with a CD with an exam simulator long ago, now the content is online.
Career: All
Level: Beginner
Buy at Amazon U.S.
Buy at Amazon Germany

You may consider to do the certification for the CV.

More Coursera courses: https://www.coursera.org/browse/computer-science/computer-security-and-networks

Learn about http:
https://developer.mozilla.org/en-US/docs/Web/HTTP
https://www.tutorialspoint.com/http/

Basis Security

The Cuckoo’s Egg Decompiled Course
Content: Highly recommended course by Chris Sanders, teaching the basics of attacking and defending networks through the lens of the famous “The cuckoos Egg” book by Clifford Stoll.
Career: All
Level: Beginner
Price: Free

Professor Messer’s CompTIA SY0-501 Security+ Course
Content: Same as the Network+ course for Security+, I also recommend to read a book additional for preparation.
Career: All
Level: Beginner
Price: Videos are free

Mike Meyers’ CompTIA Security+ Certification Passport
Author: Dawn Dunkerley
Content: For preparing the CompTIA Security+ Certification this book is recommended. It covers every topic from the exam and also includes review questions as well as a practice exam.
Career: All
Level: Beginner

You may consider to do the certification for the CV.

Introducion to Cybersecurity
Content: Short non technical introduction course for everyone who is curious about cybersecurity. Explains the basic concepts from a higher level.
Career: All
Level: Beginner
Price: Free or with certificate

More EDX courses: https://www.edx.org/learn/cybersecurity

More Coursera courses: https://www.coursera.org/browse/computer-science/computer-security-and-networks

Stay tuned, my next article will be about the career path for penetration testers.

Links

Thanks @SparkyS04 for proofreading.

Certifications Pro & Con

A lot has been written about certifications and whether you should have them or not. For me it is pretty simple, certifications helped me finding jobs and improving my career.

As a penetration tester I made OSCP and OSCE, for getting a bit more into DFIR I made the CHFI certification. At the beginning of my career I did CompTIA Network+ and Security+ for learning and prooving my skills. At some companies it is simply a door opener. I know enough people who never certified and are great at their jobs and also don’t have problems making a good career.

But of course there are other ways to show your motivation:

have projects or a blog that are showing your skills
have you found vulnerabilites? write them down in your CV
found something great? consider to give a talk at a conference
maybe you are a great CTF player?
don’t forget your personal network

Besides that, what certification you want to do strongly depends on your career path and the budget. SANS courses & certs cost a ton if you have to pay for yourself and are mainly useful if you want to go into DFIR.

On the other end there are certifications from EDX or coursera that are cheap but of course not that recognized. Certifications from securitytube are also worth a look.

After all it is the mix of certifiations, courses, experience, personality, connections and so on that enables your career.

Review Wargames Over the Wire

URL: http://overthewire.org/wargames/
Career Path: Pentesters, Beginners in Security
Level: All, good for beginners

The wargames are free & fun, I tested two games so far, Bandit and Natas, but there are much more that include also crypto and explotation wargames.

Bandit

From the website:

aimed to absolute beginners
connection over ssh with given credentials, no registration needed
for learning linux commands/hacking
in each level you have to find the password for the next level
exercides are for example search for the password in hidden files, files with special characters, learning commands
Reading the exercise makes absolute sense here 😉

Example:
The password for the next level is stored somewhere on the server and has all of the following properties:* owned by user bandit7* owned by group bandit6* 33 bytes in size

For starting you get your first credentials and then hack on:

Natas
Natas is for learning webserver security. You can just start right away and log into the first exercise:

http://natas0.natas.labs.overthewire.org/

Read the source code
Use a proxy like Burpsuite might be useful
starting simple, but you should read a bit about html and http before starting
first find tokens in code, files, change cookies and so on

I hope I will have some time to write about the other wargames too.

Hack on!

Getting started with hackthebox

Career Path, Labs: Penetration Tester
Challenges: Penetration Tester, Forensics, Malware
Level: All

Until now I never realized that hackthebox also offers free accounts, so I decided to test it and write a short post.

After a challenge here you can create your login. With the connection pack for openvpn it is possible to connect to the labs with a Kali machine (or any other Linux I guess), easy.

With the free account you can solve challenges and active machines.

Active machines
For owning systems and users there are flags that are stored in files on the machines, for example:

The labs remind me about the OSCP labs, and lots of people are using them for training before the OSCP certification (which might be a good idea, though I did not) or to get an impression about the labs and the exam.

For more information and getting an impression about owning boxes look here, lot’s of walkthoughs for retired boxes.

At the time of this writing 20 machines were online, with different OS versions (Linux, Windows, BSD) and different scenarios. I had a closer look at some boxes and solved one so far in a couple of hours.

The lab looks really fun, and I would recommend it for everyone who wants to train and learn hacking.

Challenges
The challenges also look quite good, i had a look but honestly, I am much more into owning. Here are the categories for the challenges:

For solving for example the Stego challenges, you download a file with a hidden message and have to find it. I was surprised that there are also some Forensics challenges, I will defilnetly have a look into those too.

Conclusion
This is definetly a great playground for everyone who is into solving challenges and pwn boxes. I am not sure if hackthebox is good for total beginners, there are no big explanations or tutorials for the machines or what is to do. There are the official forums with hints and some websites offering more in depth explanations, although the rules say that this should not be done, and somehow as an OSCP taker (“Try harder”) this feels like cheating. With the VIP membership you also have the retired machines with walkthroughs.

For your career hands-on and solving challenges is a very important part, so I recommend: sign up.

Links:
https://www.secjuice.com/hack-the-box-starter-pack-edit/
https://veteransec.com/category/hack-the-box-write-ups/
https://resources.infosecinstitute.com/hack-the-box-htb-machines-walkthrough-series-jerry/#gref