Certified in The Art of Hacking - Day 1
As part of my MSc, I have to take three "Professional Practice" courses. The course provider, QA.com, let me choose anything from their online catalogue. The first I'm doing is Certified in The Art of Hacking.
As regular readers will know, I'm pretty reasonable at hacking. I have received bug bounties from Google, Twitter, Samsung, and a bunch of others. I don't claim to be an expert - and I doubt I'll be on any top-10 lists - but I have a reasonable, albeit informal, background. It's that "informal" which is annoying me. I want a bit of paper which says that, yes, actually, I do know what I'm talking about.
Computer Science - and hackers especially - eschew formal qualifications. The earliest hackers and phreakers learned their craft on the mean streets of the early Infobahn. Geeks don't need qualifications! We're not nerds!
But, hey, a free qualification is not to be sniffed at. I know it probably won't be as rigorous as some other certifications - but it was all that was available to me.
Looking through the course agenda there were a few things I knew well - XSS, Port Scanning, Password Hashing - but it's always good to pick up a reminder. Some things I've heard of but not used - Burp, Heartbleed, Metasploit - so will be good to get a solid understanding. And some things way outside my experience - Windows stuff, Tomcat, XXE - yay new learning!
The thing that I'm looking forward to the least is the exam at the end. It's multiple choice and requires 50% correct - but I always find myself second-guessing those sorts of questions. Especially if there's lots of "well, technically" type questions. Also - concentrating for 70 minutes!!? And proctored? Does that mean I can't run to Wikipedia for help?!?
Anyway, I'm going to try and keep a diary of what I've learned. Hopefully that will let other learners know what the course is like, and if it is worthwhile.
Verdict
A bit more theory than I was expecting. Diving straight in to TCP flags was a bit alienating for some students - although I already knew about them. Similarly, lots of discussion of ports - but didn't actually explain the fundamentals of what they are.
Lots of terminology thrown at people - so probably not great for complete beginners.
Similarly, the nmap
discussion was a bit whistle-stop. It was mostly a case of following the PDF instructions without much explanation. Lots of people (me included!) got tripped up by the command line flags.
Some of the practical exercises were a bit copy-and-paste without much understanding of what was going on.
Not much feedback from students. No one was asked to prove they'd got the right answer.
Crucially - I have no idea what sort of questions are going to be on the exam! Is it the port numbers? The name of tools? The specific syntax?
Had to ask. Turns out will need to remember port numbers, nmap options, etc.
Day 1 Notes
Started on a poor note - had to use GoToMyPC which doesn't have a Linux client. The Linux option was use OpenVPN to connect to the provider's infrastructure, and then SSH into a Kali Linux image. Installing your own Kali would also be possible, but you still need to connect to the VPN to "attack" the provided vulnerabilities.
Would have been useful if they gave those instructions beforehand. Wasted half an hour while people worked out what to do.
Brief discussion of password cracking. Looking at HaveIBeenPwned and various top 10 lists.
Basics of the Cyber Kill Chain. Enumerate, identify vulnerabilities, exploit, post-exploit, use privileges, repeat. No real discussion of it, or its shortcomings.
Module 1 - port scanning
ARP - layer 2 of OSI. Below IPv4. ARP maps hardware MAC to IP. Note - only for IPv4. ARP broadcast can ask machines on a local network for the IP addresses.
arp-scan
to find the live hosts.
Basics of TCP. 3 way handshake. Flags. Segment Header format. SYN. SYN/ACK. ACK.
Use of Wireshark to examine TCP packets.
UDP - what it is, why it is unreliable, header formats.
Ports - what they are, reserved ports, port state. Basics of netstat
.
Basics of nmap
. 3 way handshake then RST
. Don't need special privileges - handy if you have compromised a machine. Plays by the rules, so less likely to trip firewalls. Slower than a half-open scan, so use -sS
for SYN, SYN/ACK, RST. Requires privileges, and might get picked up by Intrusion Detection Systems (IDS).
UDP scan -sU
. Requires privileges, sends empty UDP packet to every targeted port. Can send specific data --data
. Might be blocked by firewalls. Ports can be filtered. UDP is often used on VPN, NTP, DNS, SNMP.
Dump to file(s) for later ingestion into metasploit: nmap -sS -sV -nvv -O 192.168.3.0/24 -oA portscan_tcp
Module 2 - password attacks
Online and offline attacks. Sending repeated requests vs looking though a dumped file.
Enumerate users. What are lockout policies? Admins are often exempt from lockout. Throttle brute-force attempts. Often generates lots of log entries and / or alarms.
Intro to SNMP. UDP 161. 1 & 2c have no auth or encryption. Need to know the "community string" or use manufacturer's default. Public string vs Private string.
onesixtyone
can bruteforce common strings.
OID values. No real explanation of what they were.
snmpwalk -v 1 -c ???? 192.168.?.? <OID>
Need to learn that syntax.
Attacking MySQL
Old RCE. SQL Injection. Abusing phpMyAdmin. Brute force. Root user is almost always there and has no lockout.
hydra
to guess passwords
Once logged in, can use Select LOAD_FILE('/etc/passwd');
Or Select * from mysql.user;
to get all users.
Quite a good exercise, find a MySQL server via nmap
, use hydra
to try common passwords, log in, get credit card data and other password info.
Chaining
Using the above, use nmap
to find the ssh
port. Use one of the users found and brute force their password.
use ssh -t
to exfiltrate data. ssh -t user@192.168.3.123 -p 1234 "cat /etc/passwd"
Then brute the postgres user password and get shell using sqlmap -f -d postgres://postgres:password@192.168.3.123:5432/postgres --os-shell
Metasploit basics
Loading output of nmap
into it. msfconsole
. Most exploits can be detected by common anti-virus. Use show axillary
and show exploits
and show payloads
to get list.
bind - waits for a response. reverse shell - the machine connects directly to you. Useful for bypassing firewalls.
meterpreter
is the most advanced payload.
Grepping through metasploit. Getting reverse shell on an IRC (!) server.
Cracking Passwords
MD5, SHA1, LM/NTLM, Blowfish, SHA256, SHA512 hashing etc. Rainbow tables to use offline attacks. Salting etc.
Encoding, encrypting, hashing. Transforming clear text via a reversible algorithm eg Base64. Asymmetric encryption relying on public and private keys. Hashing is a one-way function - usually produces a fixed length string.
Salting - a way to obfuscate the hash.
openssl passwd -1 -salt 123 password
use MD5 password with salt.
Salt can be cached domain credentials like the username. Unix uses random salt.
LM (LanMan) is an insecure Windows hashing for XP and earlier.
John The Ripper - can brute force per character (slow) or a word list (faster). unshadow /etc/passwd /etc/shadow > hashes
john --single hashes
john -w=wordlist
Hashcat can use a GPU for password cracking.
What links here from around this blog?