Book Review: Instant Penetration Testing: Setting Up a Test Lab How-to

We’ve all been there before, we know what we want to do but don’t quite have the knowledge or skill to do more or move the plan forward.  Had I had a resource like the Instant Penetration Testing: Setting Up a Test Lab How-to by Vyacheslav Fadyushin, I probably could’ve saved myself a flame or two on the boards.

I really like the break out of the different types of labs that can be setup and even more important the note of “Must Know”, “Should Know”, and “Become and Expert”.  By providing this type of classification when setting up the labs helps guide anyone new to the field on where to start, even if they’ve got a technical background.

Something else that is very helpful starts on Page 17,” Choosing virtualization solutions – pros and cons”.  I’ve gotten many questions on where should I start, which VM is the best, should I pay for software, and where do I go to download.  This table gives a good breakdown of the Pros and Cons and the brand in my opinion.  So while the religious war of which is better rages on, this will help to at least level the playing field in the decision-making process.

The two labs that I really enjoyed seeing were the ones for setting up a Web App and the Wireless labs.  While the other network based ones are relevant and will continue to be relevant, it doesn’t seem that there is a whole of formalized and published information on the others.  For those in the “know” DVWA has been out and used by many to sharpen their Web App testing skills.  It’s nice to see this used for the purposes of the lab.  One thing I noticed was what it doesn’t go into much detail on where to download the package within the steps (could be an oversight on my part).  Not a big deal but for someone who’s new or may have been netsec focused they may need a little more guidance.

Overall this was a great resource and one I intend to use with some buddies that are interested in the security-testing field.  A big hats off to Vyacheslav on this one!  Finally, a lab resource for those needing more guidance on where to start.  I look forward to seeing more guides like this from Packt Publishing.

Here’s the link to the book:  http://www.packtpub.com/penetration-testing-to-setup-test-lab/book

Book Review: Metasploit Penetration Testing Cookbook

At the very beginning of getting into pentesting most users come across Metasploit as an embedded tool in Back Track.  And many times our first experience is this… cd /opt/framework3/msf/ ….  Scratching our heads wondering what’s next.  Well after some Google searches we come up with the answer “ah, yes! I must enter msfconsole or was it ./msfconsole” and this most glorious low-tech ascii picture comes up, sometime a cow, sometimes the word Metasploit, but it’s splendor lays in that blinking cursor preceded by ” msf >” it’s laying there waiting, wanting for a command to do it’s master’s bidding.  Then reality hits you over the head like Hacksaw Jim Duggan with a 2×4 – I don’t know what to do!  This is where Metasploit Penetration Testing Cookbook by Abhinav Singh comes in handy.

The book does a really good job of providing a beginning foundation with escalating use of difficulty.  It was not overly difficult to follow along but I think it’s strong point will be in providing reference for different areas in the use of Metasploit.

I really think the book was a stand out in a few areas:

– The quick walk through of what could go wrong during setup and how to potentially fix the issue.  The screen shots served as a good reference point of what to expect in that regard.  From memory I cannot recall very many technical security books that addressed what could go wrong and the fix(es).

– The use of SSH to help save on memory resources.  I think many like to use the Linux UI to get to the Metasploit framework and this is a great alternative to reach Metasploit and really exercise ones command line skillz. (yes, I actually used “z” instead of “s”… Gotta keep street cred Yo!)

– The inclusion of multiple OS’s for targeting against.  This was great run through as most will only have Windows XP SP2 and a Linux flavor listed.  This actually brought the exercises to feel more real.  Unfortunately though, it didn’t go into more depth on the OS exploitation and felt limited.

– The inclusion of Armitage was a nice surprise, but far to little in comparison to the rest of the Metasploit chapters.  The introduction to fast and easy hacking was far to little.

– The introduction to the Social Engineering Toolkit (SET) was nice as well.  Again in my opinion, it could’ve used a little more exposure along with Armitage.

– The “How it works…” sections were nice as well.  I know some just want to get it working but there are those of us who want to go deeper into the rabbit hole to understand how and why it works, but alas it seems like there can never be enough information.

Even though the book didn’t go as in-depth, the reality is you can’t otherwise we’d all be toting 10 lbs. book that could go on for days and days.  But I do think that a few of the subjects like Armitage and SET could’ve been expanded upon a little more as they’re are becoming more and more important tools in the security professionals toolkit for finding vulnerabilities and exploiting them.  Overall, there are quite a few good book on this subject out there and this is one that should be included on your reference shelf.

Free Gift from Packt Publishing!!

All, if you like getting free info sec materials as much as I do have a look at Packt Publishing’s website.  It seems that they are getting ready to publish their 1000th title and will have gifts to registered users.

Here’s a blurb from their press release:

Birmingham-based IT publisher Packt Publishing is about to publish its 1000th title. Packt books are
renowned among developers for being uniquely practical and focused. Packt books cover highly specific
tools and technologies which IT professionals might not expect to see a high quality book on.

Packt would like you to join them in celebrating this milestone with a surprise gift – to get involved you
just need to have already registered, or sign up for a free Packt account before 30 th September 2012.

……..

Packt supports many of the Open Source projects covered by its books through a project royalty
donation, which has contributed over £300,000 to Open Source projects up to now. As part of the
celebration Packt is allocating $30,000 to share between projects and authors in a genuinely unique
way, soon to be disclosed on their website.

The part I really like about his publisher is that they do contribute to open source projects!!  So, if you’re looking for another good tech book publisher to buy from I would recommend these guys.  The books I have so far are easy to read and serve as good references as well.

Go to PacktPub to register for some great giveaways!

BOOK REVIEW: Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide by Lee Allen

Alright, alright already… Another Pen Testing book… Many, if not all of us have purchased or downloaded purchased *cough, cough* copies of Pen Testing books in its many forms and have gone through them only to find it was fairly similar to the last one purchased.  Does it lay out the phases of a pen test? Check. Does it mention the scanners we all know and love?  Check.  Does it mention and give examples of using Metasploit?  Check.  Well, for all the experienced testers out there and for us noobs alike there is a new Sheriff-in-Town and he, or she, is looking really promising!  The book is called Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide by Lee Allen.

I know you’re probably thinking, “what another book on pen testing?, whatever…”, but I think that this one picks up where the others have left off or left out.  I’m not going to go chapter by chapter but highlight areas that I think are great to read and with methods to use.  So away we go!

It’s quite refreshing that it is assumed the reader is somewhat technical and doesn’t need to be fully hand held through the lab setup process so not a lot is wasted on setting up your VMs or debating what flavor is the best.  It can also be said that the information is also great for getting the noob up and running.  The one part that I really appreciated reading was on setting up BackTrack and the snippets of commands used to get it up and running, installed, and updated (for all us noobs it shortens the amount of time spent in the forums, but doesn’t alleviate the need to “TRY HARDER!!”).

This book is also great in introducing tools that I hadn’t had much exposure to and the thought of using Magic Tree as a means to help create your report is great!  I know that we’ve all muddled through results trying to ensure that our text files are somewhat organized.  Having Magic Tree help to collect your information and then format into a report is invaluable.  I also like that Dradis is introduced as a means to gather all of you information into one place that can be shared.  This would be very helpful when working on a team test.

One thing that I’ve enjoyed through the book is the use of the Metasploit framework and the Social Engineering  (SET) Toolkit.  I know that Metasploit has been covered in-depth within other books but I think it’s the presentation of use and updating that makes it really refreshing!  I also really like that a small part of SET is discussed and walked through.  Those two tools have become di rigueur in the pen tester’s bag of tricks!  Even though it’s not deep it gives enough for the reader to get started down the path.

One chapter that I haven’t really seen anywhere else is on Post Exploitation.  To read about and try some of the methods in the chapter has been fun.  More so it has the old brain-housing group really thinking about how to positively perform post exploitation that gives the customer or client a solid feel for what can be had in their environment.

Something else that I’ve really enjoyed seeing is that there are progressively harder challenges through the use of Kioptrix.  The reader has the chance to start at level one and move up to more advanced techniques, which the user can use to practice against.  Reminds me a lot of Web Goat and hacking challenges from Astalavista in that you have progressively harder challenges to get through.

There are so many good qualities to this book that I’ve enjoyed that I would recommend this to my friends and colleagues, even if it were only for a reference.  The pacing of the read and the examples were good enough to keep me from saying “WTF how did he set that up?” and actually kept me engaged in the content.  If you’re in the market for a good book that is not only a great primer on the subject but also an excellent reference, this is one I would recommend considering.

Off the grid…. and on to the cons!

Just like any good spook it’s time to come in out of the cold and back into the warmth of HQ. It’s been quite a while since my last post and I need to just make the time to do it. I will get better….  As many of you can recite from memory, “Do or Do not, there is no try!” – Yoda

So begins the summer of the Cons!! There are many good one coming up and I was going to try to get to Security B-sides Detroit. The Rust Belt, the Midwest, West Virginia, and Northern Kentucy and the robustness of security cons is not to be trifled with. Here’s a list (I’ve probably missed a few so I apologize in advance!):

– Notacon up in Cleveland just happened
– Thotcon in Chi-town back in April
– 2 Security B-Sides in June/July (Detroit/Cleveland)
– Not in the region but DefCon and BlackHat is the summer biggie
– DerbyCon in Louisville, KY in September
– GrrCON in Grand Rapids, MI in September
– Hack3rcon in Charleston, WV in October

So there is virtually no shortage of quality conferences to go to and pick up a bit of knowledge. In fact, for someone living in the Midwest they can get to quite a few conferences, not boondoggles (well okay a little bit because Hackers love Hooch!), for the same cost of hitting the major July out west event. This may be the right amount of cost savings for any company wanting to keep their security pogues happy and brains filled with teh knowledge.

Why conferences? It is truly amazing how much you actually can learn, if you can break thru the booze haze and hangover! It’s also a great opportunity to see old friends and make new ones. For us poor saps cloistered in the buildings we call offices or home offices it’s a welcome reprieve to let our hair down, or in my case last year cut off for Mowhawks-for-Charity. The look on the CISO’s face was awesome when he saw me walking into the office. It sparked a great conversation of what is a hacker and what the security rank-and-file will look like in 5-10 years. It is always great to have those “educational” conversations with senior management!

The networking portion is also a good time and it’s great to meet others in the same profession but in different industries to hear about this issues. The conversations may be different but the content is common… “OWASP Top 10 is what we’re focusing on”, “Access is a huge security headache”, and my favorite “the users in our company have no regard for security”. The nice thing is that even with that commonality there is a lot of ways to address the problem.

If we should ever have a chance to meet, please don’t take it wrong if I don’t say much at first. I’m the type of guy that will listen a lot, digest the information, and begin to ask you a ton of questions. I’m not asking so many questions to be a jerk, I just have a genuine interest in learning. I like adventuring into rabbit holes and going deep until my brain hurts.

For those reading; yes I’m back, yes will be more diligent in posting, and yes I may rant a time or two!

0ddj0b

The Derby Rolls On

Ok, second day not quite down, but wanted to get this out before the evening festivities begin.  So many great talks and too little time…  A few of the highlights:

– Tactical Post Exploitation with Carlos Perez (darkoperator).  This is is a topic that I’d like to see gather some really good steam.  This was a great subject to go over as many of the talks focus on the post exploitation pieces of pentesting.  It’s always great to show how you got in, but for me the meat and potatoes is showing what you got and could do with it.  As management and many Information Security Officers become more complacent with their networks becoming more secure through penetration testing and vulnerability scanning, they’ll become even more lax with the data security pieces.  As we all know they like a good show and tell because they tend not to believe what their security team has been telling them for years.  Oh, and because firewalls make an impenetrable wall of steel to keep out the huns, H4x0rs, and baddies.  After the talk it further enamored me with the idea of becoming a modern day James Bond and getting the goods, the girl, and the getaway all with a smile and a martini; shaken, not stirred.  This talk just solidifies my thought of all of the standard OS tools that we tend to ignore as security/pentest professionals to get more information on the target outside of what is normally presented (e.g. IP addresses, database names….).

– The Dirty Little Secrets They Didn’t Teach You in Pentesting Class with Chris Gates and Rob Fuller (carnal0wnage, mubix).  Both of these guys were awesome and covered quite a bit of material in a very short amount of time.  Again this talk had a bit more focus on the post exploitation aspect of the test rather than on how to exploit.  The fact that they did talk about the extension of the current toolset within Meterpreter and some of the other tools and techniques that they use was extremely valuable.  Again, the extensibility of the tools to provide additional information on the targets versus just obtaining the information of what was compromised and how is going to become more important to prove out that the soft chewy center needs to be hardened just as much as the perimeter.  It’s like that old Tootsie Roll Tootsie Pop commercial with the owl:

Boy: Mr. Owl, how many licks does it take to get to the center of a Tootsie Roll Tootsie Pop?
Owl: I’m not sure, let find out… A one, A two, A three, crrruuuunch! A three.
Boy: *Scowls*

Now put management into the role of the boy and security as the owl.  Hmmmm….. eerily it fits all to well.  Okay enough on that tangent.

– I spent sometime in the Lock Picking Village and Hardware hacking room as well.  The 3D printer was incredible and so was the robotic pony!!!  It’s amazing to see what happens with art meets technology.  I spent the majority of my time learning how to pick locks.  All I can say is that the movies make it all to easy.  I spent a fair amount of time trying to unlock some of the locks at the table in the middle of the room.  After reading the directions selecting my lock, positioning the tensioner and inserting the rake, I went to work.  Applying that tension ever so slightly and operating the rake so that the pins would align and lock in the down position was a bit difficult at first but the more I jiggled and moved the rake back and forth the pins started to fall.  Alas, the final pin the back was not complying!  I kept at it for quite a while before moving onto a much easier set of locks to gain some confidence back that I could to it.  Once I did those I went back to the original lock that I started with, the same one that many others had even said was tough.  Just like the beginning of that song “Rock and Roll Fantasy”… I feel the pins drop, one, two three… and that’s where the song ends.  While I did keep at it for quite a while I still couldn’t “pop the lock”.  With head held high and with what pride I had left, I told everyone good bye and promptly sought out a barley pop.

With day two coming to a close, I”m going to attend a few more talks for the day and then head out for dinner.  If you didn’t make it out for DerbyCon all I’ve got to say, “you missed out sucka!”.

M, I’m coming in.  Have Q get the Astin Martin ready for the evening operation. Thanks, J.

DerbyCon the beginning…

I have to say without a doubt that the first day at DerbyCon was tremendous!  Everything seemed very well run from the beginning and organized.  The Hyatt Regency has very nice conference facilities that are easy to access; literally just through the main entrance.  It’s also nice having the track rooms and other activities (Lock Picking village, Hardware Hacking, Vendors) on the same floor and accessible within an extremely short walk.  Some of the sponsors of the event such as Accuvant, fishnet security, Rapid7, No Starch Press, and Syngress were onsite.  Enjoy the venue for now, I suspect as it continues to grow in popularity a much bigger space will need to be found.

Even though Black Hat and DefCon were just last month the presenters had fresh and new material that had not been seen (at least that I can recall).  It was also nice only having the one track to choose from to ease one into the cornucopia of security goodness that will occur over the next few days.  A few notable moments and observations:

  • Those attending the con seem to be much more of the Black Hat crowd, the 30-something security professionals (there were a few mohawks out there but not many).
  • Dave Kennedy, Adrian Crenshaw, Martin Bos have pulled together the “who’s who” in information security for this event.  There’s not a talk on schedule that doesn’t pique my interest!
  • The venue is excellent for the inaugural event.  The audio/visual was excellent and there were no technical mishaps or outages during the technical presentations.
  • Seeing the Adaptive Penetration Testing session with Dave Kennedy and Kevin Mitnick may have been the icing on any Fanboy’s proverbial cake.  To see both present and then Dave reveal the new changes in the SET by performing a demo was awesome and I know made many anxious for the updated release this weekend.

There was one talk that really stood out and that was Johnny Long’s Hackers for Charity update.  It’s interesting and refreshing to see the community aspect of the Con.  With so much individual projects and presentations, to actually see what the Security and H4x0r community can accomplish for a great cause is very inspiring.  This is not the only Con to have this type of presentation for a need in the community but again, to hear of the scale and difference that people are trying to make with their skills, time, and resources is truly astounding!  I’m also impressed that regardless of the religious beliefs of Johnny that individuals can see that what he’s doing is much more than a calling for him.  Providing the Ugandans with food and a valuable skill, they are not only giving them a lively hood, they are giving them hope for a better life which they are realizing with Johnny’s non-proft and others that are linked with his group.  Another extension of what he’s doing can be found at InfoSec Without Borders.  This is an initiative to help charities and non-profits with their information security needs.  I hadn’t given it much thought in the past or even realized that non-profits don’t have the staff or ability to help secure their assets and data.  This struck me just as hard as what Johnny’s non-profit is doing in Uganda.  Both of these really have me wanting to give back both in time and money and I will definitely be reaching out to see what I can do to help.  I hope that others step-up and consider volunteering or donating to these worthy causes.

Great first day!  Heading off to the Accuvant party at the Maker’s Mark Lounge on 4th Street for some frosty adult beverages and a chill night.

Get ready for the ride, the next two days are gonna be off the hook!

DerbyCon is the Shizzle Bizzle!!

How many times do we as security professionals, nerds, and H4x0rs get to participate in a ground breaking industry event?  Not many, and this is one not to be missed!!  Better than the Shamwow and more versatile than the Magic Bullet DerbyCon is poised to give many other security conferences  a run for their money.  The schedule for the event reads like the “who’s who” in information security and is poised to be just as good as DefCon, ShmooCon, and ToorCon.

Interested?  Good, then click the image above!!

I’m thinking that this will the Sean Connery James Bond of Security Conferences to come.  I hope to see you there!

Certifiably certified certification

Outside of the normal security stuff from Dark Reading I came across an article on Security Certifications. I’ve had some great conversations with different risk and security individuals on this topic and while most agree that it shows you’re competent in the discipline it also has a dark side.  A side that hopefully the security certifications are not heading toward but I’ve seen evidence to the contrary.  I’ll keep from naming certs that, in my estimation, are being abused or at the very least misrepresented by some who have them but I’m fairly confident that you know what certifications.

REWIND… back to the late 90’s early 2k’s.  Radio ads blasting about the shortage of IT professionals  an the promise of a great salary after you obtain the latest and hottest certifications.  Take the test online to see if you have the aptitude and ability to get yours in 6 months!  What certification can you earn?  MCSE (Microsoft Certified System Engineer), CNA (Certified Novell Administrator), CCNA (Cisco Certified Network Administrator) among other top tier certifications…

Listener1:  Wow!  I can become certified in less than 6 months and they guarantee that I’ll pass!

Listener2:  And we can start making real money!!!!  Did you hear that?  Companies are paying more than 60k for someone with those!!!!

Listener1:  Yeah, let’s go and blow the 7k it’s gonna cost us to get certified!  We’ll be able to pay back the loan in no time once we get the job.

REALITY… The market became flooded with these paper tigers who had no practical experience but they had a certification!  Like any good multi-level marketing scheme those who got in first realized the gain and got out while the rest rode out the trend without no realization on the salary claims being made.  Wah, wah, wahhhhhhh….. Thanks for playing!!!  I saw that time and time again with these guys coming in and not even being able to perform basic troubleshooting because it wasn’t something they learned how to fix or do in their class.  Or better yet, I’ve got some idiot telling me that what I’m doing is wrong, even if it corrects their mistake!  Sounds to me like the certification mills have churned out a true disparity of certified to practical skills.  I haven’t heard much about those lately, maybe my economics class was correct in saying the market will correct itself!

I’m not against certification at all.  I have a few myself, but they are in things that I actually have experience in that is backed up by my resume and a list of people that are willing to provide recommendations.  I also, don’t have any issue with the testing centers.  My issue is in how they’re marketing their services for certifications.  There are many which are reputable and have been used for those in the field who are looking to expand their repertoire.  My fear is that we have people with security certifications, because they’re the hottest, most sexy thing on the market that will make them beau-coup greenbacks.  In reality, all it is doing is detracting from the legitimate security professionals who’ve put the time into the profession and realize that the certifications are just another step in their career and not just a payday.  It’s also potentially promoting a false sense of comfort that the individual a company is hiring is fully competent.  To me this is the most disturbing part is we’ve not got people proselytizing security and not being able to practically help protect the company that’s hired them.  How many times have we been in meetings where a self-professed, certified, security guy starts spouting off “we need to secure…”, “if we don’t we’ll be hacked” and other self serving comments to instill FUD in those in the meeting.  In my mind, not only did they diminish the certification but they made the rest of us look like a bunch of Chicken Little’s.  Why?  Because they used emotion and passion to invoke a response from something they’ve read about rather than having the practical experience and data to back up the request or argument.

So you’re probably asking well what certifications would I select and why.  Here’ a small subset of my list:

  • If you’re going to be in Management then the CISSP (Certified Information Systems Security Professional) and CISM (Certified Information Security Manager) are good.  As a bit of  a disclaimer, do not expect someone with a CISSP to be extremely technical.  The CISM is a bit more technically focused but not as in-depth technically as it could be.  Again, from the Management perspective I would expect a Manager to have one of these as the breadth of knowledge is required versus a certification that is more technically focused.
  • If you’re going to be a security assessment/pentester type, again this is my opinion, the OSCP (Offensive Security Certified Professional) is one of the more technically in-depth certifications.  Based on my experiences with those who have this certification, they really know how to get in and perform manual and tool based pentesting.  After learning that Dave Kennedy (ReL1k) has even gone through the testing has put the Offensive Security certifications even higher on my legitimacy radar.
  • There are also vendor certifications like Cisco’s which I think are valid but for my own path more of a way to get deeper into their technology.

I’ve ranted enough on this for the evening….  Paper tigers are a pet peeve and only serve to over saturate an already tough profession with their inexperience and inability to provide solid recommendations that actually make a company more secure.

Oddjob, grab your bowler and sharpen the new ceramic blade we bought… Time to go hunting!

Security is no guarantee, vigilance is!

Going through one of many portable drives I came across this video I made.  The company shall remain nameless but it was probably made around 2005 in a vacant office within the building.  I remember that we wanted to create an educational and fun video around the physical aspect of cabled laptops and the false sense of security they provide.  During that time there were a rash of thefts and the response to the thefts were to buy the cables and mandate that they be used.  Alas, the tools of our security became another challenge to the “Gone in 60 Seconds” crew.  Forget the fact that you can pop the top of the work surface and most of the cubical prairie dog population will ignore or have their iPod full blast.  This was much more subtle and effective.  During lunch or before/after hours, it was the perfect physical exploit.  Now Oddjob and Jaws had a physical asset to resell with the potential for access to valuable data that could be sold and resold in secondary markets.

The funny thing is that this is still as relevant today as it was back then…  Security is no guarantee, vigilance is!

  • July 2020
    M T W T F S S
     12345
    6789101112
    13141516171819
    20212223242526
    2728293031  
  • Categories

  • oddjob

  • Enter your email address to follow this blog and receive notifications of new posts by email.

    Join 61 other followers