More free Pentesting resources

While I wrote the articles about how to start a pentesting career I came accross more great resources that I did not mention before, so here they are. Most of it is hands-on :).

The Complete Beginner Network Penetration Testing Course for 2019

CTP/OSCE Prep – Wrapping Up Our Prep
Article with OSCE resources.
https://h0mbre.github.io/CTP_Summary/#

Web Application Exploits and Defenses
Online Webapp hacking.
https://google-gruyere.appspot.com/

XSS challenges
Online XSS challenges.
http://xss-quiz.int21h.jp/

XXE Lab
XXE Lab for downloading and hacking.
https://github.com/jbarone/xxelab

Root Me
Hacking challenges online.
https://www.root-me.org/

Cryptopals
Crypto hacking CTF.
https://cryptopals.com/

RingZer0 CTF
https://ringzer0ctf.com/challenges

Damn Vulnerable Web Application (DVWA)
Vulnerable weeb hacking VM (download).
http://www.dvwa.co.uk/

Pentesterlab
List of the free Webapp hacking excercises.
https://pentesterlab.com/exercises?dir=desc&only=free&sort=published_at

Link List with more CTFs and excercises
https://wheresmykeyboard.com/2016/07/hacking-sites-ctfs-wargames-practice-hacking-skills/

Kali Training
https://kali.training/

Vulnhub
Loads of challenges and VMs (downloads).
https://www.vulnhub.com/

Book review The Hacker Playbook 3

The Hacker Playbook 3
Authors: Peter Kim
Content: Main focus is on Red Teaming
Career: Penetration Tester
Level: Intermediate, Expert
Buy at Amazon U.S.
Buy at Amazon Germany

This week I did read the great book The Hacker Playbook 3 by Peter Kim. The focus of the book lies on Red Teaming, it makes sense to read also the first two books if you do not have prior knowledge to penetration testing.


Content:

  • Difference between pentesting and red teaming
  • MITRE ATT&CK framework
  • Tools setup
  • Reconnaissance phase
  • optional lab setup & exercises
  • about web attacks like node.js, nosql injections, deserializiation attacks and more
  • hacking the (windows) network for example with responder, password spraying
  • privilege escalation with misconfigured services, exploit suggester and more
  • mimikatz magic of course
  • attacks on macs with empire
  • bloodhound and sharphound
  • lateral movement using different techniques
  • pivoting
  • social engineering campaings & physical attacks
  • recompile meterpreter dlls for avoiding detection
  • password cracking
  • write your own droppers

I highly recommend this book, especially if you are into Red Teaming it is a good resource. Maybe a report about owing the Cyber Space Kittens lab would have been nice, since reporting in Red Teaming is a non trivial task.

Write-up hackthebox netmon

After the getting started article, here is a walkthrough for hackthebox netmon, to get an impression how to pwn machines. This was a nice one and I guess one of the the easier.

Portscan

Nmap 7.70 scan initiated Thu May 23 21:38:11 2019 as: nmap -A -oA netmon 10.10.10.152
Nmap scan report for 10.10.10.152
Host is up (0.043s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19 12:18AM 1024 .rnd
| 02-25-19 10:15PM inetpub
| 07-16-16 09:18AM PerfLogs
| 02-25-19 10:56PM Program Files
| 02-03-19 12:28AM Program Files (x86)
| 02-03-19 08:08AM Users
|02-25-19 11:49PM Windows | ftp-syst: | SYST: Windows_NT
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=5/23%OT=21%CT=1%CU=30959%PV=Y%DS=2%DC=T%G=Y%TM=5CE6F6C
OS:0%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=108%CI=I%II=I%TS=A)SEQ(SP=1
OS:07%GCD=1%ISR=108%TS=A)SEQ(SP=107%GCD=1%ISR=108%II=I%TS=A)OPS(O1=M54DNW8S
OS:T11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54DNW8ST11%O6=M54D
OS:ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=
OS:80%W=2000%O=M54DNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2
OS:(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%
OS:F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%
OS:T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD
OS:=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL
OS:=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|clock-skew: mean: 11s, deviation: 0s, median: 10s | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported | message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-05-23 21:38:48
|_ start_date: 2019-05-23 21:34:54
TRACEROUTE (using port 1723/tcp)
HOP RTT ADDRESS
1 54.00 ms 10.10.12.1
2 54.08 ms 10.10.10.152
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Thu May 23 21:38:40 2019 -- 1 IP address (1 host up) scanned in 29.10 seconds

Connect via FTP

The user hash is easily found:

Now we have a look at the running web server. A PRTG instance is running here. After some searching the web it was clear that this might be a vulnerable version of PRTG (https://www.codewatch.org/blog/?p=453). No login with std creds (prtgadmin/prtgadmin) possible…

But we have the FTP server, which gives us some infomation:Some interesting stuff in the windows dir:

Here the credentials are encrypted. Some research show that in older versions that might be a problem (TODO, link). So I spent some time in finding valid credentials.

Also in c:\windows:

c:\ProgrammData is hidden but can be seen if you access it directly:

Get netmon prtgadmin credentials:

Something interesting in PRTG Configuration.old.bak:

After some trying I found out that the new password was: PrTg@admin2019, so this is something you have sometimes in real life, finding some credentials but still need to try around a bit. Then I followed mostly this description of the vulnerability: https://www.codewatch.org/blog/?p=453

Add a notification:

Leave defaults and choose “Execute Program” with the following settings:

Success, we can now get the hash from the test,txt file:

Pwnd! What I liked on this machine was that you needed to combine vulnerabilities. First find the credentials, then alter them to the working credentials. After that you had RCE.

Career Path Penetration Testing Basics

Penetration Testing – “A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.” (From wikipedia)

The scope of the article is to help to get your first job as a penetration tester. If you have more great links or recommendations please add them in the comments section. Becoming a good penetration tester requires much more skills than described here. It also means that you never stop learning.

If you don’t know the IT- and IT security basics yet, please have a look here. When you want to start a career in Penetration Testing you should know that most of the penetration tests performed today are Web Application tests. Therefore this article is focusing on this topic. Later I will add new posts with Specializiation Paths for more advanced topics like exploitation, red teaming and so on.

As already mentioned in the article Career Path Security Basics, I strongly suggest that you make a plan what goal you want to reach. For example playing CTF all the time might be fun for some people, but if you need the OSCP it might not be helpful to waste too much time.

Web App Penetration Testing

Port Swigger: Web Security Academy
Content: Teaches the basics of Web Application Security, so far SQL Injection, XSS, OS command injection and File Path traversal. Comes with small labs.
Career: Penetration Test but I recommend it also for everyone interested in security
Level: Beginner
Price: Free

Recommended Link about Web App Hacking:

 

General

OSCP
If you want to start a career in Penetration Testing you might consider to make the OSCP certification. But you should have in mind that the OSCP is extremely time consuming and it is not a must have, but definitely a door opener. Therefore I recommend to do the OSCP certification. Here is an article about pros & cons of certifications.

Hands On

Here are some hands on for labs and learning. Some of them are online, others have to be installed and run by yourself.

Books

The Web Application Hackers Handbook
Authors: Daffy Stuttard, Marcus Pinto
Content: The standard book about hacking Web Applications, goes into depth about the most important topics. Authors also created the BurpSuit.
Career: Penetration Tester
Level: Good for beginners, but also useful for experienced penetration testers
Buy at Amazon U.S.
Buy at Amazon Germany

Penetration Testing: A Hands-On Introduction to Hacking
Author: Georgia Weidman
Content: A great introduction into penetration testing.
Career: Penetration Tester
Level: Beginner
Buy at Amazon U.S.
Buy at Amazon Germany

Metasploit: A Penetration Tester’s Guide
Authors: David Kennedy, Jim O’Gorman, Devon Kearns, Mati Aharoni
Content: Introduction to Metasploit and penetration testing
Career: Penetration Tester
Level: Beginner, Intermediate
Buy at Amazon U.S.
Buy at Amazon Germany

The Hacker Playbook 2
Author: Peter Kim
Content: Book for penetration testing, hands on hacking, pivoting, evasion and so on. 
Career: Penetration Tester
Level: All
Buy at Amazon U.S.
Buy at Amazon Germany

Network Security Assessment
Author: Chris McNab
Content: Assessment of various network services.
Career: Penetration Tester
Level: All
Buy at Amazon U.S.
Buy at Amazon Germany

German Book: Hacking mit Metasploit
Author: Michael Messner
Content: Great introduction to penetration testing and metasploit.
Career: Penetration Tester 
Level: Beginner/Intermediate
Buy at Amazon U.S.
Buy at Amazon Germany

Links

Thanks @SparkyS04 for proofreading.

Review Wargames Over the Wire

URL: http://overthewire.org/wargames/
Career Path: Pentesters, Beginners in Security
Level: All, good for beginners

The wargames are free & fun, I tested two games so far, Bandit and Natas, but there are much more that include also crypto and explotation wargames.

Bandit

From the website:

  • aimed to absolute beginners
  • connection over ssh with given credentials, no registration needed
  • for learning linux commands/hacking
  • in each level you have to find the password for the next level
  • exercides are for example search for the password in hidden files, files with special characters, learning commands
  • Reading the exercise makes absolute sense here 😉

Example:
The password for the next level is stored somewhere on the server and has all of the following properties:* owned by user bandit7* owned by group bandit6* 33 bytes in size

For starting you get your first credentials and then hack on:

http://overthewire.org/wargames/bandit/

Natas
Natas is for learning webserver security. You can just start right away and log into the first exercise:

http://natas0.natas.labs.overthewire.org/
  • Read the source code
  • Use a proxy like Burpsuite might be useful
  • starting simple, but you should read a bit about html and http before starting
  • first find tokens in code, files, change cookies and so on

I hope I will have some time to write about the other wargames too.

Hack on!

Getting started with hackthebox

Career Path, Labs: Penetration Tester
Challenges: Penetration Tester, Forensics, Malware
Level: All

Until now I never realized that hackthebox also offers free accounts, so I decided to test it and write a short post. 

After a challenge here you can create your login. With the connection pack for openvpn it is possible to connect to the labs with a Kali machine (or any other Linux I guess), easy.

With the free account you can solve challenges and active machines.

Active machines
For owning systems and users there are flags that are stored in files on the machines, for example:

The labs remind me about the OSCP labs, and lots of people are using them for training before the OSCP certification (which might be a good idea, though I did not) or to get an impression about the labs and the exam.

For more information and getting an impression about owning boxes look here, lot’s of walkthoughs for retired boxes.

At the time of this writing 20 machines were online, with different OS versions (Linux, Windows, BSD) and different scenarios. I had a closer look at some boxes and solved one so far in a couple of hours. 

The lab looks really fun, and I would recommend it for everyone who wants to train and learn hacking.

Challenges
The challenges also look quite good, i had a look but honestly, I am much more into owning. Here are the categories for the challenges:

For solving for example the Stego challenges, you download a file with a hidden message and have to find it. I was surprised that there are also some Forensics challenges, I will defilnetly have a look into those too.

Conclusion
This is definetly a great playground for everyone who is into solving challenges and pwn boxes. I am not sure if hackthebox is good for total beginners, there are no big explanations or tutorials for the machines or what is to do. There are the official forums with hints and some websites offering more in depth explanations, although the rules say that this should not be done, and somehow as an OSCP taker (“Try harder”) this feels like cheating. With the VIP membership you also have the retired machines with walkthroughs.

For your career hands-on and solving challenges is a very important part, so I recommend: sign up.

Links:
https://www.secjuice.com/hack-the-box-starter-pack-edit/
https://veteransec.com/category/hack-the-box-write-ups/
https://resources.infosecinstitute.com/hack-the-box-htb-machines-walkthrough-series-jerry/#gref

From Beginner to Expert as Penetration Tester

This article is part of an article series about my personal experience and career in the penetration testing and security field.
Part 1: Start a Penetration Tester Career
Part 2: From Beginner to Expert as Penetration Tester (this part)
Part 3: Working at a CERT and shifting to Technical Lead

My first job
The first job as a penetration tester was pretty exciting for me. I was lucky to have many collegues that engaged very much with the newcomers, and for the beginning everyone got at least three workshops lasting 2-4 days, if I remember correctly. The OSCP prepared me pretty well to the thinking of solving the day to day problems on the job. The job was at a consultancy company that mainly is doing penetration testing engagements in Germany. During that time I also started researching about antivirus evasion (in my free time btw). I most consultant jobs time on the job is short. For me that was a huge advantage, I was able to do web app testing in short time. Besides learning from colleagues I also read some books like The Web Application Hackers Handbook, The Shellcoder’s Handbook and Network Security Assessment.
I had my first presentation (in German at the Backtrack Day 2013) about antivirus evasion, which made me very proud of course. 
During the first job that lasted 18 months I also visited the CCC Congress twice, had several chances to conduct interesting pentests (mostly web and mobile) and did an interesting online course (Malicious Software and its Underground Economy: Two Sides to Every Story). Because I liked the hole exploitation topics I made the SLAE certification, which was a lot of fun and I highly recommend, also for preparing the OSCE. Now there is also a 64 Bit version.

My second job
I learned a lot and had great colleagues, but for me it was time to move on to my second job as a penetration tester, where I had the chance to travel more and to work for clients on site. Further I had the chance to do some Digital Forensics and Indident Response (DFIR) under the condition I do any certification, so I choosed the one the looked easiest for me, that was the CHFI (Certified Hacking Forensics Investigator). I would not necessarily recommend it, but at this time it helped me improving my career and also to do some forensics and incident response work. For the preparations I bought “The Official CHFI Exam Study Guide”. For gaining more in depth knowledge about forensics I attended a course at the University of Applied Sciences Albstadt-Sigmaringen about data storage forensics.
Besides the work I continued my research on antivirus evasion and gave a talk at the Deepsec conference 2014 (“Why Antivirus Software fails“).
Also I had the chance to speak at public and closed events from my employer and started to visit the OWASP chapter Cologne. For education and to get from professional to expert level I decided to make the OSCE certification. That was a blast for me. I never had such a challenging time in my career and I fell through the first test and had to take a second shot. The OSCE is highly recognized especially in the Red Team and Exploitation community. Like the OSCP for me it is not about teaching certain techniques, but training the right attitude you need for breaking stuff (Try harder). I was glad when I got the famous mail from offensive security after the second exam.
After 17 months on that job I took my chance and hired at a CERT, this will be the story for part 3.


Conclusion & some notes

  • be grateful for the knowledge and support of friends and colleagues – sometimes I forget to say this… so to everyone who helped me during my career: thank you!
  • when it is time to move on, move on, after all it is about business and your personal development
  • Giving talks gave me the great opportunity to network in the community and also to improve self esteem and public speaking
  • Be flexible, I moved for each job in the IT security field
  • for more networking I started to use twitter
  • Don’t give up, “Try harder”, the motto by offensive security also applies to searching for jobs and many more lessons in life, this attitude helped me also with my research
  • Working at a consultancy company is helpful, since it teaches you to be effective (time and costs), you learn to deal with pressure

Further reading:
https://danielmiessler.com/study/infosec_interview_questions/
https://netsec.ws/?p=517
https://coffeegist.com/security/my-osce-review/
https://master-digitale-forensik.de/