localhost exposed


Path to OSCP - Part 6, Day 2 and 3

https://www.youtube.com/watch?v=Hncq0NwSMh8

After 8 more hours of studying, I have progressed +50 pages and +1:40h in video material. Most of my time has been spent running scans or fiddling around in hexadecimal trying to get exploits working.

Yesterday I was severely overwhelmed by how much data I am already beginning to gather -- open ftp servers, Samba shares, public SNMP enumeration etc.

I decided that I'll gather the raw data in KeepNote for further reading, but I am beginning to collect the main bits -- IP, hostname, domain/workgroup, OS etc. -- into a simple Excel spreadsheet that I am evolving as needed.

So far I have seen so many different Windows versions that this Wikipedia page came in handy since I haven't been in touch with the Windows world and forgot the version numbers :)

I also learned how you can resume nmap scans if needed!

nmap -oN your-results.nmap $HOST
# press Ctrl-C here to interrupt the running scan
# then later
nmap --resume your-results.nmap

And done! But as I learned, this does not work over VM suspends since it somehow relies on mmap() in the background -- I got an error when I tried...

Also, just some info on why progress with exercises takes longer than watching the relevant video:

# Single target scan that took ~2 hours
Completed SYN Stealth Scan at 18:02, 6768.89s elapsed (42000 total ports)

# The scan that wouldn't end:
NSE Timing: About 6.96% done; ETC: 00:21 (5:37:21 remaining)
NSE Timing: About 6.96% done; ETC: 00:41 (5:56:04 remaining)
NSE Timing: About 6.96% done; ETC: 01:02 (6:15:28 remaining)
NSE Timing: About 6.96% done; ETC: 01:24 (6:36:12 remaining)
NSE Timing: About 9.43% done; ETC: 23:39 (4:50:17 remaining)
NSE Timing: About 33.08% done; ETC: 19:51 (1:02:09 remaining)
NSE Timing: About 62.16% done; ETC: 19:08 (0:19:00 remaining)
NSE Timing: About 91.44% done; ETC: 18:53 (0:02:58 remaining)
Stats: 1:39:38 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE: Active NSE Script Threads: 1 (1 waiting)
NSE Timing: About 99.92% done; ETC: 19:57 (0:00:04 remaining)
Stats: 1:43:19 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE: Active NSE Script Threads: 1 (0 waiting)
...
NSE: Active NSE Script Threads: 1 (1 waiting)
NSE Timing: About 99.92% done; ETC: 20:32 (0:00:06 remaining)

Yeah... that's from a single nmap scan of a single host! It was stuck at 99.92% for 1.5 hours before I went to sleep last night.
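As an added example that is not from the original post: a small Python parser for the runtime-status lines nmap prints (the format shown above), which flags a scan as stalled when the same completion percentage is reported again and again while its ETC keeps slipping. The sample log is constructed from the lines above; the function names are my own.

```python
import re
from datetime import timedelta

# Constructed sample of nmap's runtime status lines (printed on a keypress or
# with --stats-every), reproducing the stuck-at-99.92% pattern from the post.
SAMPLE_LOG = """\
NSE Timing: About 6.96% done; ETC: 00:21 (5:37:21 remaining)
NSE Timing: About 6.96% done; ETC: 00:41 (5:56:04 remaining)
NSE Timing: About 6.96% done; ETC: 01:02 (6:15:28 remaining)
NSE Timing: About 6.96% done; ETC: 01:24 (6:36:12 remaining)
NSE Timing: About 9.43% done; ETC: 23:39 (4:50:17 remaining)
NSE Timing: About 99.92% done; ETC: 19:57 (0:00:04 remaining)
Stats: 1:43:19 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE: Active NSE Script Threads: 1 (0 waiting)
NSE Timing: About 99.92% done; ETC: 20:32 (0:00:06 remaining)
"""

TIMING_RE = re.compile(r"NSE Timing: About ([\d.]+)% done; ETC: (\d{2}):(\d{2})")
STATS_RE = re.compile(r"Stats: (\d+):(\d{2}):(\d{2}) elapsed")

def parse_timing(text):
    """(percent, ETC as minutes since midnight) for every 'NSE Timing' line."""
    return [(float(p), int(h) * 60 + int(m)) for p, h, m in TIMING_RE.findall(text)]

def detect_stalls(text, min_repeats=2):
    """Runs of an identical percentage whose wall-clock ETC keeps slipping;
    returns [(percent, repeats, etc_drift_minutes), ...]."""
    stalls, run = [], []
    for pct, etc in parse_timing(text) + [(None, None)]:  # sentinel flushes last run
        if run and pct != run[0][0]:
            drift = (run[-1][1] - run[0][1]) % (24 * 60)  # tolerate midnight wrap
            if len(run) >= min_repeats and drift > 0:
                stalls.append((run[0][0], len(run), drift))
            run = []
        run.append((pct, etc))
    return stalls

def last_elapsed(text):
    """Elapsed time from the most recent 'Stats:' line, or None if absent."""
    found = STATS_RE.findall(text)
    if not found:
        return None
    h, m, s = (int(x) for x in found[-1])
    return timedelta(hours=h, minutes=m, seconds=s)

if __name__ == "__main__":
    for pct, n, drift in detect_stalls(SAMPLE_LOG):
        print(f"stalled at {pct}% across {n} reports; ETC slipped {drift} min")
    print("elapsed so far:", last_elapsed(SAMPLE_LOG))
```

Feeding it a saved terminal log (or the output of a scan run with --stats-every) tells you quickly whether a long scan is still making progress or has been sitting on one script for hours.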

Another snippet of interest to anyone going to work with Kali:

alias ss='import ~/ss-$(date +%F_%H%M_%S).png'

It'll capture a screenshot of the area you select (using ImageMagick's import) and save it as a timestamped PNG in your home directory.

I'm really happy I've now had actual dealings with OllyDbg, Immunity Debugger and edb (Evan's Debugger) -- these will come in handy when I start focusing on reverse engineering after my OSCP course :)

Big thanks to anyone watching and especially leaving feedback of any form!
