Path to OSCP - Part 21, some Qs and As
July 21, 2016
You asked and I ans-- ramble-answered!
Q Hey, do you have any interesting links or guides about pivoting, or interesting recon tools to recommend?
A Unfortunately most recon tools are already well-known and by themselves are not 'interesting' -- e.g. nmap, enum4linux etc. I just learned of unicornscan and onetwopunch.sh
Pivoting -- check out sshuttle, proxychains and msf module autoroute. I mostly just run the scans from meterp.
Q Is it possible to re-take the exam, for instance two months later, without renting lab time?
A Yes, an exam re-take does not require lab time; lab time does however include an exam re-take! There are some time limits, but a few months should be fine -- check your student panel to be sure.
Q Why did you get only 30d and then 30d?
A Initial queue + IRL booked holidays; any project I do takes up all the time I give it
Q What is your time management like / How much time do you put in daily?
A 1st month 4-5 hrs per day, weekends 11-12; 2nd month: on-keyboard 2-3 hrs, thinking 2 hrs; weekends 8 + 2;
Tricky situation of having done most of the easy-to-me machines I have found.
Q Do you need to know Assembly for the BOF?
A No. You need to know how to google 'site:exploit-db.com software version'
Q Do you need a fast internet connection for the labs?
A No, but a *stable* one is much more useful. 100/100 Mbps is not a significant advantage over 1/1. 99.9% of the time, you are the weakest/slowest link and bottleneck, not how fast you can send your exploit.
Q Have you found the darkc0de pw list?
A Yes! Found it in the seclists github repo, but I've yet to use it
Q What kind of Linux distros do you face at OSCP? I mean Ubuntus or Debians or CentOS?
A Yes. All of them. ALL THE DISTROS
Q Has your CISSP prepared you for your OSCP at all?
A CISSP itself probably didn't prep me, but CISSP opened up work opportunities to do this thing at work => experience => helped :)
There are common misunderstandings and mistreatments of the cert, and just recently I saw a buddy describe CISSP very concisely on IRC:
CISSP means you know a little about a lot and can (usually) have a (semi) intelligent conversation with different IT groups and understand risk from a business perspective
CISSP is a generalist cert not a specialist one. CISSP is the elementary school of infosec -- you learn a bit of everything so you know where you want to focus.
CISSP mostly taught me about the things I didn't know that well before -- physical security, disaster recovery etc. I paid less attention to the software security chapters since I was quite familiar with them at the depth required in CISSP.
On the other hand a devops background helps a LOT.
Q What sort of support structure do you have (tech / social)?
A I have a very supportive wife who lets me curse and cheer to my heart's content and even made sure I took breaks during my exam. My company is paying for my certification as it directly ties into what I am doing and will help the company win more bids.
I also have some peers in tech / security with whom I can have a level playing field discussion of difficult/complex subjects.
Short status update to the end: managed to get the CTF machine + PAIN(!!!) + another (for me) difficult machine that had been taunting me already in March. Feeling quite a bit better about the exam again.
Although there might be a heavy workload on my plate for the 2 weeks prior to exam so I am hoping it does not interfere.
And ending on a useful set of tips and links:
Remember to always run very light port scans first to get a list of any ports that are open. Only then do any sort of probing / version guessing. Your probes might actually crash the service, and if you try to do it all in one go, you might just miss critical services because you just crashed them.
Also crashing services is very very noisy and would be bad in a real encounter.
Remember always to revert the machine before any recon. As g0tmi1k pointed out in an excellent writeup: Recon is the thing that all of your next steps rely on. If you mess it up you cannot win! So be careful and pay attention!
Do not attempt to run full 65k port scans of the entire subnet, you will fail. Machines will be in inconsistent states of being exploited, reverted or crashing. Some might have firewalls turned off for a student's own purposes and you might see ports that are not publicly visible -- or ports that are tied to a student's exfil / exploitation toolset.
Revert. Check ports. Check versions. Probe for service specific information. Repeat.
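A small added example of the "check ports, then check versions" staging above (my own illustration, not code from the post or from Offensive Security): a light nmap scan is saved in grepable format, only the ports reported as open are extracted, and the heavier version probe (-sV) is then pointed at exactly those ports instead of the whole range. The grepable output embedded below is a constructed sample for a made-up lab host 10.11.1.5, not a real scan; the nmap flags used (-sS, --top-ports, -oG, -sV, -p) are real nmap options.

```shell
#!/bin/sh
# Staged port discovery: light scan first, then version probes on open ports only.
# Constructed sample of nmap grepable (-oG) output for one lab host; not real scan data.
SAMPLE_GNMAP='# Nmap 7.70 scan initiated as: nmap -sS --top-ports 1000 -oG - 10.11.1.5
Host: 10.11.1.5 ()  Status: Up
Host: 10.11.1.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///  Ignored State: closed (996)
# Nmap done at ... -- 1 IP address (1 host up) scanned'

# Read grepable output on stdin; print the open TCP ports as a comma-separated list.
# Filtered/closed ports are dropped so the next stage never probes them.
open_ports_from_gnmap() {
  grep '^Host:.*Ports:' \
    | sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//' \
    | awk -F/ '$2 == "open" && $3 == "tcp" { out = out (out == "" ? "" : ",") $1 } END { print out }'
}

# Stage 2 command: version detection restricted to the ports stage 1 found open.
# Usage: build_probe_command HOST PORTLIST
build_probe_command() {
  printf 'nmap -sV -p %s %s\n' "$2" "$1"
}

# Stage 1 in the lab would be:  nmap -sS --top-ports 1000 -oG light.gnmap 10.11.1.5
# Here the constructed sample stands in for light.gnmap.
PORTS=$(printf '%s\n' "$SAMPLE_GNMAP" | open_ports_from_gnmap)
echo "open tcp ports: $PORTS"            # open tcp ports: 22,80,445
build_probe_command 10.11.1.5 "$PORTS"   # nmap -sV -p 22,80,445 10.11.1.5
```

Run the script after reverting the machine, as the post says; if a port you expected does not appear in stage 1, that is the moment to notice it, before any probe has had a chance to crash the service. Note that the filtered 139/tcp in the sample is deliberately excluded from the -sV stage.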
Other cool links:
Yes. Yes that is multiple links to g0tm1k. Yes I am a fanboi, thanks for asking ;)