This is my paper from the OPP module - where I can choose any subject. I picked Cybersecurity. You can read my Digital Leadership paper, my Data Analytics Paper, and my Business and Technology essay.

I've previously written about the Art of Hacking course. The middle two parts of this paper are about that - why I chose it and how I put it into practice. The first and fourth parts are, as far as I can tell, unrelated. We have to write about reflection in the workplace. I am not very introspective, and I don't really enjoy it. So it was somewhat tedious to churn out.

Nevertheless, I was happy with a mark of 64%. (In the English system 50% is a pass, 60% is a commendation, 70% is distinction.)

The main feedback was that I needed to do more reflection (ugh!) and write in more flowing paragraphs rather than staccato points. This is a consequence of my Assignment Writing Algorithm - which reverse engineers the marking scheme. But I'm only aiming for a pass, so I'm content to stick with that strategy.

Oh, and the other feedback was that my Personal Development Plan was a little "unorthodox"! Again, I've no real plans to change something which is working for me.

A few disclaimers:

• I don't claim it to be brilliant. I am not very good at academic-style writing.
• It is fairly inaccurate. Many of the concepts on reflection were not relevant to my workplace, so there is a lot of fudging.
• This isn't how I'd write a normal document for work - and the facts have not been independently verified.
• This isn't the policy of my employer, nor does it represent their opinions. It has only been assessed from an academic point of view.
• It has not been peer reviewed, nor are the data guaranteed to be an accurate reflection of reality. Cite at your own peril.
• I've quickly converted this from Google Docs + Zotero into MarkDown. Who knows what weird formatting that'll introduce!
• All references are clickable - going straight to the source. Reference list is at the end, most links converted using DOI2HT.ML.

And, once more, this is not official policy. It was not commissioned by anyone. It is an academic exercise. Adjust your expectations accordingly.

Abstract

This paper describes the author's experience with reflection in the workplace and how modern forms of reflection can be applied in their current workplace. It considers different models of reflection, and their comparative strengths and weaknesses.

It also discusses the selection and application of a cyber-security focussed piece of Continuing Professional Development. The author reflects on their experience and discusses how they will adjust their nascent Personal Development Plan based on what they have learned.

Finally, the author considers the topic of mentoring as a way to bring reflective practice into their workplace. What advantages does mentoring bring to employees and organisations? Are reverse mentors a suitable way to upskill senior leaders? Is the organisation ready to support a culture of mentoring and reflection?

1. A critical review of reflective activities as typically practised in your profession compared to two well-known reflective models used in academia

Reflective Activity At Work

In the author's 20 years of industry experience they have never experienced any form of formal reflective activity within an organisation. In their experience, reflection rarely occurs in delivery-led organisations and, when it does, it is sporadic and informal. Although annual appraisals have long been a feature of the UK Civil Service (Fletcher, 2008), they can be treated as a "tick box" exercise rather than formal periods of reflection.

Although the author believes that this could be an area for improvement, there has been very little study of whether reflective practises in digital organisations are effective (Dors et al., 2020). The author cannot tell if this is either a cause or a symptom of the unpopularity of reflective activity.

The author's current organisation uses a modified form of Agile product management modelled on a SCRUM (Schwaber, 2004). Teams produce estimates of what can be delivered in a "sprint" (Popli and Chauhan, 2019), i.e. a time-bound period of work. At the end of a sprint, a retrospective takes place. This is an opportunity for colleagues to reflect on what went well during the sprint and what could have been improved (Andriyani, Hoda and Amor, 2017). A retrospective is a lightweight tool to enable teams to refine their estimates for the future and it may also help the team discover "blockers" (Guckenbiehl and Theobald, 2020) - i.e. people, processes, and events which disrupted or delayed the planned work.

In the author's organisation, what is being delivered is neither computer code nor technological features. Rather it is guidance, presentations, publications, and stakeholder engagement. The measurement of success is not as well defined as it is in the engineering profession. This makes more structured reflection difficult.

Well-known Reflective Models

The author will consider Johns' model for structured reflection (Johns, 1995). Although designed for the nursing profession, it is occasionally used in other industries. It focuses on internal and external views of the self. It helps the user describe the situation, how they reacted to it, and what influenced them. There is a strong focus on emotions - which some users may find challenging (Croom and Svetina, 2021).

A different perspective is provided by Moon's "Levels of Learning" (Moon, 2013) - focusing on an weakly-defined concept of "common sense". It is designed for individuals undertaking a learning journey rather than teams engaged in delivery. Much like John's model, it also focuses on understanding emotions.

The author has considered these three models and made a brief assessment of them:

While the retrospective has limitations, it enjoys strong support in the author's current organisation. It may be possible to improve the quality of a retrospective sprint assessment by applying rigorous statistical techniques (Erdoğan, Pekkaya and Gök, 2018). By comprehensively analysing the team's estimates and how well they match up with delivery, more reliable estimates could be obtained.

John's model might be useful for individuals who decide to engage in reflective practice. But the author considers it unsuitable for team-based reflection. The author's organisation strongly believes that "The unit of delivery is the team" (Barabas, 2020). This means that any form of reflective practice needs to be focused on the team rather than any particular individual.

Similarly, Moon's model may work well for individuals engaged in learning, but it is unsuited to facilitating teams to reflect on how well they have met their delivery goals due to its focus on individuals.

2. A reflective discussion of the selection of CPD in relation to the wider technical area, the context within your organisation, and your specific role

I am a Senior Technology Policy Advisor with a background in technology. Although I have extensive experience in cybersecurity, I did not have any formal training or qualifications. An assessment was made of my team's skills and weaknesses. An opportunity was identified to improve the credibility of the team's guidance by gaining demonstrable qualifications - for example, in cybersecurity.

With my extensive knowledge of cybersecurity - and my team's need of qualified personnel - I concluded that this course would be a suitable way for me to upskill while also meeting organisational needs. Given my ability to put this learning into practice, I thought it would enhance my retention of the knowledge. In Continuing Professional Development (CPD), the learner learns through an experiential process, then interrogates their experience, recognises what has occurred, and then puts their learning into practice.

This is often a cyclic process (Osterman and Kottkamp, 1993) which allows the learner to experiment, experience, analyse, and abstract.

Figure 1 - Experiential Learning Cycle

(Osterman and Kottkamp, 1993)

As noted in my Personal Development Plan (See "Appendix: Professional Development Plan"), I am looking for interesting new career opportunities which may arise. Cybersecurity is currently an in-demand profession (Maurer et al., 2021) and I hope this certification will enable me to explore a wide range of roles in the future. I also hoped that this course would improve my knowledge of legal and ethical matters in the field.

Reflective Activities

In order to better reflect on the experience, I have written a series of blog posts. Some of these have been published on my personal blog (Eden, 2021). The resultant discussion from readers has highlighted that there were a number of outdated concepts and that some of the information taught was factually incorrect.

In order to improve my personal brand within the organisation, I have written a blog post for the Cabinet Office Intranet. Writing this has enabled me to reflect on how I want to be perceived in a formal and professional setting.

I was unsure if I wanted to be identified as an apprentice. I recognised there can be a negative perception around the academic rigour of apprenticeship degrees. I was concerned whether I could write honestly about my experience while still demonstrating value for money for taxpayers.

I was also nervous that discussion of "hacking" on a Government website could be seen as inappropriate. I sometimes struggle to write in the Government "House Style" and I was concerned that the technical discussion could be misinterpreted.

3. An overview of how the CPD has been applied within your own professional practice

3.1 An overview of the CPD

The CPD undertaken was "Certified in The Art of Hacking" (QA.com, 2021). For a full overview, see Appendix: CPD Course Description.

I will reflect on the experience using the DIEP model (Rogers, 2001):

Describe

A basic cybersecurity course. It covered an older version of the Open Web Application Security Project's "Top 10" issues (OWASP Foundation, 2017) - which is a list of common computer security vulnerabilities.

Interpret

While my background gives me confidence in cybersecurity, I wished to further develop my skills and gain formal recognition.

Evaluate effectiveness

I found the "rote learning" style of the class challenging. My preferred learning style is based around understanding concepts rather than memorising commands.

Through this experience, I gained confidence in my existing skills. I was also reminded that my expertise didn't expand beyond the Linux operating system. It was useful to see how other operating systems work.

Plan for the future

In future, I hope to encourage more cybersecurity awareness among my peers. However, early feedback from the wider cybersecurity community suggests that this CPD may not be relevant to the modern workplace.

Evaluation

I was delighted to pass the exam with a score of 80%. I was able to consolidate my learning by writing blog posts about what I learned, tutoring other students on the course, and building my own Kali Linux lab to experiment in.

The course did not cover the UK legislation relevant to the exploitation of computer vulnerability. The UK has strict laws which regulate how interactions with computers are governed (Computer Misuse Act, 1990). As such, I have made recommendations to the training provider, and have added a legal refresher to my CPD plan.

Similarly, there was no discussion of ethics. As a Member of the British Computer society - I am expected to follow a professional code of conduct (British Computer Society, 2021). This is also a requirement of my other professional memberships (The Institution of Engineering and Technology, 2019). The ethics of cybersecurity is not a new field (Denning, 1999) - and I consider it crucial that practitioners understand the ethical issues which may occur if they practice these skills outside of a tightly controlled laboratory environment.

3.2 Identification of specific projects for which this CPD has had or could have (had) an impact.

I am working with the National Cyber Security Centre (NCSC) to implement "security.txt" (Shafranovich, 2021). This is a new cybersecurity standard which provides easily-accessible metadata to cybersecurity researchers. This promotes "responsible disclosure" of security issues to the website owner (Mori and Goto, 2018) by providing metadata relating to encryption keys, disclosure programmes, and expiration dates of security policies.

Figure 2 - Example security.txt file

(Shafranovich and Foudil, 2021)

This CPD will allow me to better provide a security assessment of standards and how they are implemented. With an increased knowledge of common flaws and how they can be exploited, I will be able to help my team create guidance for the above standard which is more security focussed. This will lead to an increased awareness of cybersecurity issues throughout the organisation.

My team regularly provides input to international treaties and Memoranda of Understanding (MOU) as they relate to international open standards. Having a heightened security perspective will allow me to engage in higher level discussions about vulnerabilities and their potential for exploitation.

As our team creates the first comprehensive API Catalogue for Government, I am now able to discuss security issues with our developers, and to comprehensively identify misconfigurations which might lead to security issues on a sensitive government web server.

3.3 A discussion of how you have applied or will apply the new skills or knowledge gained

I have applied these new skills by obtaining consent from a number of administrators to run automated scanning tools against their servers. I made several discoveries which I responsibly disclosed. This has led to an increase of the security posture of our IT estate. While I am not at liberty to disclose the vulnerabilities found, these tools typically discover misconfigured servers, outdated software, and weak default passwords.

I will apply this new knowledge in several ways. As part of my work conducting Service Assessments, I will be able to query teams on their ability to defend against common threats and the steps they will take to secure new systems.

As I consult with developers on a regular basis, I will be able to make suggestions on how to properly sanitise user generated content and ensure that it does not pose a threat to our internal infrastructure. While these flaws can be detected using machine learning (Melicher et al., 2021) there are often simpler, framework-based methods of protection (Weinberger et al., 2011) - i.e. HTML escaping of supplied content.

I will discuss with stakeholders how we can assist the IETF ratification process for the proposed "security.txt" - and how we can use it to promote a culture of cybersecurity throughout the organisation. This should reduce the number of cybersecurity incidents and drive down the cost to the organisation of reacting to attacks.

3.4 A summary of next steps in your professional development based on your experience.

Having completed this short course, I can now evidence that I am familiar with modern cybersecurity issues and how they impact both the workplace and the government.

There is a concerted effort within the British Government to encourage people into cybersecurity related jobs (Dowden, 2020). With an increase in cybercrime during the COVID19 pandemic (Lallie et al., 2021) it is clear that there is high demand for people with professional cybersecurity qualifications and experience.

I am already recognised as a cybersecurity expert in the media (Seals, 2018) (O’Donnell, 2018) (Hayward, 2015). I've won bug bounties against Twitter (Vaas, 2018), Samsung (Whittaker, 2013), and most recently, Google (Eden, 2021).This certification gives me further credibility in the professional world.

I need to ensure a synergy between my organisation's goals and my personal development goals. I will achieve this by amending my CPD plan (see Appendix: Professional Development Plan to include:

• Completing the MSc and, by consulting with my manager and peers, ensuring my next module aligns with their goals.
• Undertaking further courses recommended by my peers
• Teaching others about cybersecurity. I find that explaining a subject is an excellent way to crystalise my understanding.
• Blogging about the experience for work. I think it is important to publicise the educational opportunities which exist in our organisation.

Reflective Activity

I approached the task of reflection by assessing several models of Retrospective Reflection (Gonçalves and Linders, 2014). Because of the nature of the event (CPD based training) I decided to reflect using the key questions identified for discrete events (Kerth, 2001).

4. A discussion on whether and how reflective practice could be integrated or further developed as a standard activity in an organisation like your own

The author considers that the most practical form of reflective practice in their workplace is likely to be reflective mentoring. Mentoring would allow more junior staff to learn - and receive support - from more senior staff.

Interdisciplinary mentoring in digital industries has a long history (Hamburg, 2021). There is a concerted effort within the author's organisation to encourage mentoring relationships between staff (Stevens, 2019).

In a typical mentoring situation, the mentee (the person being mentored) is usually a new starter to the organisation, or someone new to their job role. The mentor is usually someone who has been practising their craft for several years.

By pairing employees in this way, the organisation can facilitate knowledge sharing in both directions. That is, both mentoring and "reverse mentoring".

Reflective Mentoring

This allows mentees to reflect on their own experiences in the workplace, and encourages them to address any issues that they might be facing (Khamis, 2000).

It is important that the mentor / mentee relationship is that as of equals - rather than the outmoded master / apprentice relationship. Having a mentor who steps in to "fix" all the mentee's problems deprives the mentee of the experience of fixing their own problems in their own way. Without a mentee being able to develop their own way of working, there is a risk that they will imitate their mentor and thus perpetuate outdated practises (Hargreaves and Fullan, 2000).

Reverse Mentoring

Reverse mentoring is part of the two-way dialectic process which encourages the mentor to learn from the mentee.

This is how the modern workforce expects to learn and socialise. Millennials in the workplace place a great emphasis on being able to reflect their culture back to the organisation (Hershatter and Epstein, 2010).

This typically takes place in two distinct spheres - technical and cultural.

Technical

In the technical sphere, reverse mentors may choose to help their mentees to understand and use modern technical practice. Although our leaders have enough technical literacy to understand that printing out email is an "archaic strategy" (Robinson, 2012) - the pace of digital change in our sector means it is easy for an individual or team to overlook new ways of working.

This also extends to new productivity tools, and new ways of promoting work on social media.

Finally, the reverse mentor may bring valuable experiences from different employment sectors. Not only does this help "cross-pollinate" technologies - but it also brings in cultural changes.

Cultural

In the author's lifetime, there have been enormous changes in society and social norms. Where once any suggestion of homosexuality was enough to be banned from the Civil Service (Southern, 2017), nowadays the organisation openly welcomes people from across the LGBTQIA+ spectrum. With younger people increasingly likely to have a more tolerant attitude to the Trans community (Faye, 2021), it could be extremely useful for senior leaders to understand how a more diverse workforce could benefit the organisation.

Finding Mentors

It is common in the technology industry to find mentors who are experts in their field, but who lack any formal training in mentoring (Stelter, Kupersmidt and Stump, 2021). The author considers there to be a need to establish best practises around mentoring.

Creating a centre of excellence within the organisation would allow for a formal mentoring programme to model itself on best practice. It should be used to encourage traditionally excluded groups into participating at all levels of the programme.

Better diversity means the organisation is better able to reflect the population it serves.

Reflections on Reflection

The author is unsure whether there is an appetite for adopting a culture of reflection within their workplace. In conversations with teammates, they found that there was little understanding of why reflection was important to their day-to-day practice.

While some individual reflection undoubtedly occurs, wholesale cultural transformation is likely to be difficult to achieve - especially given the paucity of evidence that it would be useful.

Appendix

Professional Development Plan

History

In my 20+ year career I have never had, nor needed a PDP. My career thus far has consisted of waiting for interesting opportunities to arrive and then deciding whether I want to take them. In a world where the only constant is change, it strikes me as unnecessary and a little foolhardy to try and work out what the future looks like and how to fit in with it.

Current

I have reached a level of professional success which means that my material needs are more than satisfied, my intellectual curiosity is sated, and my reputation in the industry is well regarded.

Future

When considering my career so far, I think I have progressed as far as I want to. While a higher salary is always nice, I don't think it offsets the downsides of added work stress, more responsibilities, and management chores. I have no desire to pursue a management pathway - having previously managed people, I quickly realised that it was neither a good fit for my skills nor my interests.

Overarching Goals

Pursue interesting opportunities when they arise within a wide variety of industries, as bounded by my interests.

Previous Steps

• Started an MSc - with a view to engaging with the academic mindset to see if it would be a good fit for me in the future.
• Identified a qualification gap with regard to Cyber Security skills - attended CPD to rectify.
• Attended "Policy School" - to better understand policy making decisions.

Next Steps

• Continue this MSc - with a view to exposing myself to a variety of new concepts.
• Improve my understanding of legal and ethical issues - with a view to instilling more ethical behaviour in those I work with.
• Become more involved with Trade Union training - with a view to improving the lives of those I work with.
• Attend mentoring workshops - with a view to increasing the diversity of the organisation.

Career

• Look for interesting opportunities in my current department which keep me roughly at the same level of work and responsibilities.
• Once my MSc is completed, consider opportunities outside my current department.

References

Andriyani, Yanti & Hoda, Rashina & Amor, Robert Reflection in Agile Retrospectives (2017) Springer International Publishing. doi:10.1007/978-3-319-57633-6_1

Barabas, E. (2020) 10 years since Genesys | Computer Science | The University of Sheffield. Available at: https://www.sheffield.ac.uk/dcs/blog/10-years-genesys (Accessed: 21 October 2021).

British Computer Society (2021) BCS Code of Conduct | BCS. Available at: https://www.bcs.org/membership/become-a-member/bcs-code-of-conduct/ (Accessed: 14 November 2021).

Computer Misuse Act (1990). Statute Law Database. Available at: https://www.legislation.gov.uk/ukpga/1990/18/contents (Accessed: 9 November 2021).

Croom, Simon & Svetina, Marko Psychometric properties of the psychopathic personality inventory: Application to high-functioning business population (2021) Springer Science and Business Media LLC. doi:10.1007/s12144-021-01413-3

Denning, D. E. R. (1999) Information warfare and security. New York : Reading, Ma: ACM Press ; Addison-Wesley.

Dingwall, Gavin & Hillier, Tim Blamestorming, Blamemongers and Scapegoats (2015) Bristol University Press. doi:10.2307/j.ctt1sq5vnt

Dors, Tania Mara & Van Amstel, Frederick M. C. & Binder, Fabio & Reinehr, Sheila & Malucelli, Andreia Reflective Practice in Software Development Studios: Findings from an Ethnographic Study (2020) IEEE. doi:10.1109/cseet49119.2020.9206217

Dowden, O. (2020) ‘To those tweeting re #Fatima This is not something from @DCMS & I agree it was crass This was a partner campaign encouraging people from all walks of life to think about a career in cyber security I want to save jobs in the arts which is why we are investing £1.57bn’, @OliverDowden, 12 October. Available at: https://twitter.com/OliverDowden/status/1315586209415073793 (Accessed: 17 October 2021).

Eden, T. (2021) 1242315 - Security: Manifest.json can display overlay on non-origin tabs - chromium, Chromium Bugs. Available at: https://bugs.chromium.org/p/chromium/issues/detail?id=1242315 (Accessed: 8 December 2021).

Eden, T. (2021) Certified in The Art of Hacking, Terence Eden’s Blog. Available at: https://shkspr.mobi/blog/tag/certified-in-the-art-of-hacking/ (Accessed: 28 November 2021).

Erdoğan, Onur & Pekkaya, Muhammed Emre & Gök, Halime More effective sprint retrospective with statistical analysis (2018) Wiley. doi:10.1002/smr.1933

Faye, S. (2021) The transgender issue: an argument for justice.

Fletcher, C. (2008) Appraisal, feedback and development: making performance review work. 4th ed. London ; New York: Routledge.

Gonçalves, L. and Linders, B. (2014) Getting value out of agile retrospectives: a toolbox of retrospective exercises.

Guckenbiehl, Pascal & Theobald, Sven Impediment Management of Agile Software Development Teams (2020) Springer International Publishing. doi:10.1007/978-3-030-64148-1_4

Hamburg, Ileana Interdisciplinary Training and Mentoring for Cyber Security in Companies (2021) IGI Global. doi:10.4018/978-1-7998-5728-0.ch018

Hargreaves, A. and Fullan, M. (2000) ‘Mentoring in the New Millennium’, Theory Into Practice, 39(1), pp. 50–56. Available at: https://www.jstor.org/stable/1477441 (Accessed: 10 October 2021).

Hayward, S. (2015) Criminals are selling Viagra and diet pills from hacked NHS websites, mirror. Available at: http://www.mirror.co.uk/news/technology-science/technology/hacked-nhs-websites-used-criminals-5935415 (Accessed: 17 October 2021).

Hershatter, A. and Epstein, M. (2010) ‘Millennials and the World of Work: An Organization and Management Perspective’, Journal of Business and Psychology, 25(2), pp. 211–223. Available at: https://www.jstor.org/stable/40605780 (Accessed: 10 October 2021).

Johns, Christopher Framing learning through reflection within Carper's fundamental ways of knowing in nursing (1995) Wiley. doi:10.1046/j.1365-2648.1995.22020226.x

Kerth, N. L. (2001) Project retrospectives: a handbook for team reviews. New York: Dorset House. Available at: https://dl.acm.org/doi/book/10.5555/367065.

Khamis, M. (2000) ‘The beginning teacher’, Teaching in context.

Lallie, Harjinder Singh & Shepherd, Lynsay A. & Nurse, Jason R.C. & Erola, Arnau & Epiphaniou, Gregory & Maple, Carsten & Bellekens, Xavier Cyber security in the age of COVID-19: A timeline and analysis of cyber-crime and cyber-attacks during the pandemic (2021) Elsevier BV. doi:10.1016/j.cose.2021.102248

Maurer, Chris & Sumner, Mary & Mazzola, Dan & Pearlson, Keri & Jacks, Tim The Cybersecurity Skills Survey: Response to the 2020 SIM IT Trends Study (2021) ACM. doi:10.1145/3458026.3462153

Melicher, William & Fung, Clement & Bauer, Lujo & Jia, Limin Towards a Lightweight, Hybrid Approach for Detecting DOM XSS Vulnerabilities with Machine Learning (2021) ACM. doi:10.1145/3442381.3450062

Moon, Jennifer A. Reflection in Learning and Professional Development (2013) Routledge. doi:10.4324/9780203822296

Mori, S. and Goto, A. (2018) ‘Review of National Cybersecurity Policies’, p. 9.

O’Donnell, L. (2018) Twitter Fixes Bugs That Expose Data. Available at: https://threatpost.com/twitter-data-privacy-bugs/140007/ (Accessed: 17 October 2021).

Osterman, K. F. and Kottkamp, R. B. (1993) Reflective practice for educators: improving schooling through professional development. Newbury Park, Calif: Corwin Press.

OWASP Foundation (2017) 2017 Top 10 | OWASP. Available at: https://owasp.org/www-project-top-ten/2017/Top_10.html (Accessed: 14 November 2021).

Popli, Rashmi & Chauhan, Naresh A Sprint Point Based Tool for Agile Estimation (2019) Springer Singapore. doi:10.1007/978-981-10-8848-3_6

QA.com (2021) qa.com | Certified in The Art of Hacking (QATAOH). Available at: https://www.qa.com/course-catalogue/courses/certified-in-the-art-of-hacking-qataoh/ (Accessed: 17 October 2021).

Robinson, H. M. (2012) Emergent computer literacy: a developmental perspective. London: Routledge.

Rogers, Russell R.(2001) Springer Science and Business Media LLC. doi:10.1023/a:1010986404527

Schwaber, K. (2004) Agile project management with Scrum. Redmond, Wash: Microsoft Press.

Seals, T. (2018) MailChimp Found Leaking Email Addresses, Infosecurity Magazine. Available at: https://www.infosecurity-magazine.com/news/mailchimp-found-leaking-email/ (Accessed: 17 October 2021).

Shafranovich, Y. (2021) security.txt, security.txt. Available at: https://securitytxt.org/ (Accessed: 17 October 2021).

Shafranovich, Y. and Foudil, E. (2021) ‘A File Format to Aid in Security Vulnerability Disclosure’. IETF. Available at: https://www.ietf.org/id/draft-foudil-securitytxt-12.txt (Accessed: 8 December 2021).

Southern, J. (2017) Homosexuality at the FCO, 1967-1991. Available at: https://issuu.com/fcohistorians/docs/homosexuality_and_the_fco (Accessed: 14 November 2021).

Stelter, Rebecca L. & Kupersmidt, Janis B. & Stump, Kathryn N. Establishing effective STEM mentoring relationships through mentor training (2021) Wiley. doi:10.1111/nyas.14470

Stevens, K. (2019) Learn more about the new mentoring scheme from the GDS Women’s Network - Government Digital Service. Available at: https://gds.blog.gov.uk/2019/03/08/learn-more-about-the-new-mentoring-scheme-from-the-gds-womens-network/ (Accessed: 14 November 2021).

The Institution of Engineering and Technology (2019) Rules of Conduct. Available at: https://www.theiet.org/about/governance/rules-of-conduct/ (Accessed: 14 November 2021).

Vaas, L. (2018) ‘Twitter fixes bug that lets unauthorized apps get access to DMs’, Naked Security, 18 December. Available at: https://news.sophos.com/en-us/2018/12/18/twitter-fixes-bug-that-lets-unauthorized-apps-get-access-to-dms/ (Accessed: 8 December 2021).

Weinberger, Joel & Saxena, Prateek & Akhawe, Devdatta & Finifter, Matthew & Shin, Richard & Song, Dawn A Systematic Analysis of XSS Sanitization in Web Application Frameworks (2011) Springer Berlin Heidelberg. doi:10.1007/978-3-642-23822-2_9

Whittaker, Z. (2013) Samsung flaw allows attackers to bypass Android lock screen, ZDNet. Available at: https://www.zdnet.com/article/samsung-flaw-allows-attackers-to-bypass-android-lock-screen/ (Accessed: 8 December 2021).

Copyright and Copyleft

This document is 🄯 Terence Eden CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/

It may not be used or retained in electronic systems for the detection of plagiarism. No part of it may be used for commercial purposes without prior permission.

Any source code is under the MIT Licence

This document contains public sector information licensed under the Open Government Licence v3.0. https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/

I'm delighted to say that the examiners - APMG - were understanding about my plight. They were aware of ProctorU's limitations and had a workaround.

They had me install Beyond Trust's "bomgar" Linux client - which is a simple Remote Desktop app. It was preconfigured with my invigilator's details and they were able to remotely see my screen and control my keyboard & mouse. The app didn't run as root, thankfully! Once I closed the app, it automatically deleted itself - and I couldn't find any trace of it. As it happens, I'm paranoid so I had made a separate user account on a freshly installed Linux partition, which was wiped immediately afterwards.

The Remote Desktop didn't have access to my webcam, so we jumped on a Microsoft Teams call in the browser. There the invigilator (a nice guy called Dave) had me point my webcam around my room to make sure I didn't have any notes visible, or a person crouching behind my desk feeding me answers. Dave then spent an hour watching me pick my nose scrunching up my face as I tried to remember arcane security trivia. He also got to listen to me mutter to myself. Fun! The invigilator was also there in case I had any technical problems with the exam. But, luckily, it all went well.

Sadly, the exam wasn't keyboard accessible. The buttons for marking your multiple choice answers couldn't be selected by the keyboard. And, annoyingly, they are presented horizontally while the questions are vertical.

(Taken from their practice papers)

Quite why that couldn't be a normal radio button next to each answer, I don't know!

The testing platform was a little slow - which made going back over my answers a little annoying.

All that notwithstanding, I passed!

70 questions, 35 correct needed for a pass. So I was delighted with a score of 80%.

I reckon it was just about possible to pass the exam using only the slides. But there were questions on there about, say, FREAK and POODLE. They were mentioned in the lectures - but not in enough detail to successfully answer the questions.

Similarly, some of the questions were very much "it depends". Here's one taken from my memory:

How would you find hidden directories in a web app?

1. Look at `robots.txt`
2. Examine the source code
3. Use a web spider
4. Run a brute force scan

In the class, we learned DirBuster. Which is a brute-force tool. So I put that. But I also think it is totally legitimate to use robots.txt; it's a great source of finding directories that the owner doesn't want you scurrying around in. Similarly, commented out bits in source code is a valuable intelligence tool. A spider will show you all the directories which are publicly linked to.

I've no idea if "Brute Force" is the correct answer. And that's kinda the limitation of multiple-choice exams. If the question had been "describe the advantages and disadvantages of each of these techniques" then I think that would show the student had understood the material. But, of course, that takes longer to mark and is more expensive to run.

I don't think I've taken an exam since I was at university the first time around. And, to be quite honest, I've no desire to repeat the experience. It was a stressful time leading up to it and, frankly, a little demeaning to have to go through so much rigmarole to prove I wasn't cheating. And I'm not convinced that multiple choice questions about pub trivia is the best way to test knowledge.

I have two more training sessions coming up and I'm going to pick ones with a better attitude to testing.

Verdicts

Some of the lab tasks were impossible without looking at the cheat sheet. I got stuck on one because the question told me to go to one URl, but I had to guess the one which was vulnerable. Felt like a bit of a "gotcha" moment. Perhaps in a proper lab environment it might have made more sense - but because we're mostly just learning how to use tools, I wasn't really prepared to use my critical thinking skills!

Only a half day, again. Good discussion of XSS and CSRF - but only a surface discussion of what they can do and how to prevent them. That's the problem with these sorts of courses - they can only say "sanitise user input", they can't explain how to do it for every environment.

SQL Injection. Good length of session. The standard Little Bobby Tables joke. And quite focused on Burp Suite and SQLMAP. A small bit on preventing them with parametrised queries.

CIA triad was briefly mentioned - but not really discussed. I would have expected more on that as it is fairly fundamental.

XXE. Malicious XML files. Billion Laughs Attack was (very) briefly covered.

Web shells from insecure file upload. A few tricks on how to fool UGC checkers. But not too much on defending.

The object serialisation stuff seemed a bit obscure. Not sure how relevant that is to the real world - but interesting none the less.

In the end, my overall verdict is that this is a good practical course. But because it covers so much, and spends so long setting up environments, it only gives a brief overview. It's rather geared towards specific tools - and that means lots of syntax memorisation for the exam.

The Exam

I fucking hate exams. There are very few times in life where you have a hard deadline, no one to help, and no ability to consult external sources.

Because of the intrusive spyware used on their proctoring system (more on that tomorrow), I'm going to have to go to a test centre to take the exam.

The exam gives 70 minutes to complete 50 multiple choice questions. 50% needed for a pass mark. That seems achievable. But it really depends on how many Windows questions there are, and how many ask me to precisely remember command line options.

Practice questions

The first time I scored 10/10. I know this stuff ☺

1. John has run dirbuster against a target website looking for possible pages to investigate and receives the following results. What does the 401 response mean?
   • HTTP 401 response means that the page is not available
   • HTTP 401 response means that the server has returned an internal error
   • HTTP 401 response means that the client should use the version in its cache
   • HTTP 401 response means that the resource is available, but requires authentication credentials to be able to be accessed
2. What port does BurpSuite use by default?
   • 80
   • 4444
   • 8888
   • 8080
3. What file is commonly used to inform search engines about the folders/files they are forbidden to index?
   • robots.txt
   • index.html
   • search.csv
   • spider.txt
4. Sally wishes to retrieve all the pdf documents from targetsite.com. Which of the following Google Dorks would satisfy that demand?
   • intitle:index_of *.pdf location:targetsite.com
   • site:targetsite.com filetype:pdf
   • pdf domain:targetsite.com
   • targetsite.com filetype:pdf
5. Connor is experimenting with a XSS vulnerability on a website. He uploads the following script but gets no response. What is the issue here? <script>alert(XSS);</script>
   • The syntax should be <script>alert("XSS");</script>
   • The syntax should be <script alert("XSS); />
   • syntax should be <script>alert="XSS";</script>
   • syntax should be <script>display.alert("XSS");</script>
6. Fiona has identified a vulnerable web app that allows her to perform SQLi. She wants to identify what database is behind the web app. What SQLi command would allow Fiona to get this data?
   • SELECT @@information_schema --
   • @@version --
   • @@database --
   • @@schema--
7. Jonas has identified a vulnerable web app that allows SQLi. He is using SQLMap to explore the system. What command should Jonas use to enumerate the available databases on the server?
   • --database
   • --layout
   • --dbs
   • --db
8. Which of the following file uploads should you prohibit if you wanted to ensure no-one can upload malicious files to your webserver?
   • file.asp:.jpg
   • file.php.jpg
   • php%00.jpg
   • All of them
9. True or False, SSL v3.0 offers better encryption than TLS v1.2
   • True
   • False
10. Complete the sentence... HTTP is classed as a ________ protocol
    • secure
    • stateless
    • web 2.0
    • dynamic

Notes

XSS. Recap. Can be from HTTP headers, cookies, and other weird things - not just GET. Can persist on the server.

Impact - phishing, hijack cookies, use browser exploitation, BitCoin mining.

Bug bounties available.

How not to prevent. Don't use blacklist regex - easy to bypass. XSS can work without script tags, eg onmouseover. UTF-7 encoding, URL encoding.

CSRF - cross site request forgery. Not stealing cookies and credentials. Force the user's browser to connect to a previously authorised site. Session Riding or Confused Deputy. Eg craft a link which forces the user to change their password on a different site. Relies on predictable patterns. Use of random tokens per request - which are then verified. Tokens shouldn't be reusable.

SQL injection. Can take input from the user, no filtering, pass requests directly to the DB. Good way to exfiltrate data - or even destroy it. Use of single quotes, boolean operators, balancing syntax.

Error based SQLi - see the stack trace etc from error messages. UNION operator - concatenate multiple queries - first legit, 2nd malicious. Blind - you can't see the results. Time Based - if my request is OK, sleep for 5 seconds. Out of Band - rare, depends of privileges being enabled when they shouldn't be.

String vs integer.

Select X from Y where Z UNION SELECT @@version--

Metadata table - information_schema

Pentest Monkey cheat sheets.

Concatenate results.

UDF - user defined functions to run code on machine. Local File Access. Create web shell by browsing to maliciously uploaded code.

Use of ASCII values rather than quoted strings. Blind injection - observe the difference in what is returned by a true or false query.

Principle of least privilege. Make sure the website can only read. A separate trusted process to write. root and sa(?) shouldn't be enabled from the web.

SQLMAP tool. Use of, find vulns, get tables, set up proxy to Burp.

Defend using input validation - blocklists not enough. Paramatise the SQL. ORM(?) Object-relational-mapping Frameworks. Principle of Least Privilege. Don't roll your own!

CIA (Confidentiality, Integrity, Availability)

XXE to get /etc/passwd - weakly configured XML parser. Anything which accepts user-created XML could be vulnerable. Very common on SOAP.

Insecure file upload. Get Web Shell. Filenames can have XSS. Distribute malware or warez.

%00 null byte to avoid extension check file.php%00.jpg

Change content type header - send a .php file as image/jpg. Fiddle with magic bytes. malicious.asp;jpg on IIS. Or file.php.jpg

WebDAV and Put might be available.

WebShell provides a web interface to the OS level commands. What context are you running in? Might not be root. Upload and download. Execute SQL. Kali stores them in /usr/share/webshells

C99 Shell - and other tools. Hacking tools are often backdoored. The creator has access to the shell you've created.

EICAR test to see if anti-malware is running. Change MiMe type when uploading. Is JS checking for file types?

Validate headers and MIME. Check file size. Don't rely on client side - always server side. Only upload to web root. Rename files after upload. Upload to temporary, then virus scan. Change the extension. Restrict folder permissions.

Serialise / Deserialise.

Take PHP, serialise it to an object. PHP warms of passing untrusted user input to unserialize. JSON is better than serialised objects. Must use magic method to attack (??) eg __construct() Trying to force the server to gadget chain??

pickle.load in Python. Marshal.load() in Ruby. Allow list for the things you want to serealised. Some firewalls

Use !ENTITY (variables). Inject external XML files. Calls to SMB servers to get NTLM hashes. Then SMBRelay to pass the hash. Using PSexec. Back to Windows ☹. Disable XXE in the parser - or have very strict allow-lists.

The penultimate day. Try not to worry about the upcoming exam!

Today was lots of HTTP, TLS, and other low-ish level stuff like that. But mostly focussed on common website attacks.

Verdict

Bit of a repeat of yesterday's Windows session to make up for the broken labs. The exam requires 50% right answers to pass - so I feel quite relaxed if I fail the Windows portion. I reckon I should be about to get a few correct questions either by guesswork or memorising metasploit commands. With a bit of luck, I'll never have to interact with Windows in my professional life!

Painful start trying to get half-a-dozen students to correctly configure Burp suite. Sort of thing which either needs to be built into the labs, or have fool-proof instructions.

Discussion of OWASP - but only up to 2017. Lots of the stuff is a bit outdated. Tutor seemed to think the 2021 Top 10 was only in draft...

There was a good demo website to attack NotSoSecureApp.com - lots of playing around with Burp and DirBuster.

Again, only a short bit on mitigation. I think that would have been more useful for the target audience.

And, again, lots of trivia. There was one slide on Certificate Authorities. What could have been an interesting discussion on how they work and their weaknesses, was reduced to "they exist".

Similarly - there's an attack called POODLE. What is it? How does it work? Can it be defended against? Nothing.

But, overall, good. It was really focussed on Burp and SSLscan - just learning the tools rather than the underlying problems.

Practice Questions

From the Windows session. Through guesswork, I got 7/10.

1. What Windows service typically uses UDP port 5353? (This question was wrong. Should be 5355.)
   • Kerberos
   • LLMNBR
   • NBTNS
   • NetBIOS
2. Responder is often used with the -f switch, but what does that switch do?
   • Perform DNS lookups
   • Enables fast mode
   • Responds with false answers to DNS lookups
   • Enables fingerprinting of hosts that issue LLMNR queries
3. James has run the nbtstat command against a device and receives a code 1C. what does this code denote?
   • The machine is a File Server Service
   • The machine is a Domain Master Browser
   • machine is a Workgroup member
   • machine is a Domain Controller
4. What does the RID value 502 denote?
   • The account is an administrator account
   • The account is a guest account
   • The account is a bespoke user account
   • The account is a Kerberos Key Distribution service
5. A common command when using PowerShell is the IEX command. What does IEX stand for?
   • IEX is an alias for Invoke-Expression
   • IEX stands for Import Executable
   • IEX stands for Interactive Executable
   • IEX is an alias for Import-External module
6. Simon has PowerShell capabilities on a Windows 10 device and wants to record details about the default program installation paths, etc. What command should Simon use?
   • Get-ChildItem env:
   • ComputerInfo
   • System
   • AppvStatus
7. Carl has attempted to run enum4linux against a Windows host device and has received the following error message: Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible. What is the most likely cause of this error message?
   • The host isn't a Windows host
   • Carl needs to run enum4linux with the -NT switch
   • RestrictAnonymous registry key on the host is most likely set to 1
   • RestrictAnonymous registry key on the host is most likely set to 0
8. Sandra has access via PowerShell to a Windows 10 host and wants to enumerate the machine to try to identify those users who are members of the Domain Admins group. What does she need to do to do in order to get this information?
   • Import the Microsoft.ActiveDirectory,Management.dll and then run Get-ADGroupMember -identity "Domain Admins"
   • Import the Microsoft.ActiveDirectory,Management.dll and then run Get-ADGroup -identity "Domain Admins"
   • Use the Get-SmbShare command to access the $IPC share on the domain controller and then run Get-GroupMember -Identity "Domain Admins"
   • Run the Get-DomainAdmins command
9. Vernon has downloaded a ps1 file he wrote from his server to a Windows Server device, and now wishes to execute the file. What should he check before attempting to run the script?
   • The ExecutionPolicy should be checked to allow Vernon to run the unsigned script which has been downloaded from the Internet
   • That the PowerShell service has been started
   • That windows bitlocker is disabled
   • That he is an administrator
10. James has gained access to a Windows network and has enumerated a device for SIDs. He has received the following 4 SIDs: S-1-5-21-2000478354-1708537768-1957994488-500 S-1-5-21-2000478354-1708537768-1957994488-502 S-1-5-21-2000478354-1708537768-1957994488-1000 S-1-5-21-2000478354-1708537768-1957994488-1001
    • Which of the SIDs is identified as the default admin account?

Notes

HOSTS file manipulation

Basics of HTTP. Statelessness. Requests. Headers. User Agents.

curl -v -X TRACE http://www.example.com

Intro to Burp. Would have been better off watching https://www.youtube.com/embed/nECt-0zW0O4

DirBuster. Automated finding of common directories

Passive Scanning with Google.

Bug Bounties (!)

Useful info - defaults, directories, plugins, cms, server version, error messages. Extra methods like WebDAV being enabled.

Google "Dorks" - search for filetypes and common patterns.

2FA, authentication, OAuth.

GitHub info leakage.

OWASP cheat sheet.

Base64 basic auth. Digest MD5. NTLM.

Username enumeration. Login error messages can leak info.

Burp intruder - generates lots of server side logs. Intruder to iterate through usernames and passwords.

Password strength, HaveIBeenPwned. Password recovery. Stored hashed and salted. Poor account recovery questions like Mother's Maiden Name,

Increase security means reduced usability.

Use of sslscan to look for SSL/TLS errors.

Hash collisions. Store above SHA1. Token expiration times and reuse.

Don't store sensitive info in logs etc.

TLS to encrypt in transit. How to share keys? Diffie-Helman!

AES for symmetrical.

TLS stages - asym to start, then sym. Certificate authorities issue certs and validate them.

SSL is obsolete. TLS1.1 also obsolete. Disable old ones. Cupers > 128 bit.

Vertical attack - standard user elevating themselve. Horizontal - accessing someone else's info. Business logic attacks.

Parameter tampering.

WebScarab to check entropy of cookies. Session fixation - copy cookies to get access. Session ID in URl. Can be resused to get access. Use POST for those requests.

Basics of XSS. Reflected (sent by user). Stored (on server). Header manipulation.

Day 3 - the day I was dreading most of all… Windows!

I've been avoiding M$ WinDoze (LOL!!!) since long before it was fashionable. Even at my earliest jobs, I'd find a way to convince the IT department to let me run Linux on their kit. I'm penguin-powered, baby!

So, what can an Ubuntu toting geek learn about the gentle art of cracking Windows wide open?

Not much. It was mostly a whistle-stop tour of various Linux tools and a brief explanation of Windows security models.

Verdict

The demo Windows network wasn't working, so all a bit theoretical to start. Once it was up, we had another "script kiddie" day. Run nmap, run enum4linux, run metasploit. Vaguely interesting, but not sure what parts we need to remember for the exam.

Some of the tasks weren't possible unless you had a Windows machine. Most people had a "GoToMyPC" instance they could use - but those of us on Linux machines were basically stuck watching the tutor run some demos. Lots of memorising of Windows Powershell commands. But, again, no idea if they'll be on the exam.

Some team exercises which was a nice change. I hosted an exploit, another student executed it. But, in the end, the code didn't work. The labs are a bit broken.

Afternoon descended into farce because GoToMyPC went down and lots of students couldn't get back in. Combined with yesterday's inexplicable half-day, meant a lot of confused and frustrated students.

The course description was:

Unlike [Certified Ethical Hacker], where the focus is to run a tool to achieve an objective which helps attendees pass the exam, we focus on the underlying principles on which tools work and provide attendees an understanding on what is the root cause of the vulnerability and how does the tool work to exploit it. We also talk about how the vulnerability should be mitigated.

But, at the moment, it is just running metasploit and a few other tools. Nothing much about the principles. And only a passing comment on how to defend against things.

Similarly, it says:

we do not talk about hacking windows XP and 2003 servers (unlike CEH) but talk about circumventing controls in Modern OS such as Windows 2012 / 16 servers. High impact vulnerabilities such and or mass compromise vulnerabilities are taught in the class.

Yet there was lots of discussion of Windows 7 and outdated versions of Chrome. Not quite what was advertised.

Turns out the exam isn't on Friday. We have a voucher and we can book the exam in the next 12 months. Think I'll take it sooner rather than later - but will give myself enough time to cram and memorise every command line option in existence.

Practice Questions - Linux Hacking

Here are the test questions from yesterday. Once again, it's mostly "can you remember the exact command line without running --help - which I'm not sure is useful. I got 6/10. This really needs a practical exam. A CTF or similar. Sure, with a bunch of hackers, it could turn into the "Kobayashi Maru" exercise. But that's better than trying to rote learn the command line.

1. Which of the following is NOT an attack against SSL?
   • Heartbleed
   • POODLE
   • FREAK
   • RowHammer
2. What is the maximum amount of data retrievable by each Heartbleed heartbeat?
   • 64kb
   • 1Mb
   • 512kb
   • 256kb
3. True of false, Shellshock affects BASH v 4.4
   • True
   • False
4. Which command allows you to display the full kernel version on a Linux system?
   • cat /etc/kernel
   • uname -a
   • echo version
   • cat /env/kernel
5. Jenkins is a popular continuous integration service, often run on Linux servers. What port does Jenkins listen on by default?
   • 80
   • 443
   • 666
   • 8080
6. True or false - The Jenkins web console is vulnerable to a deserialization attack?
   • True
   • False
7. Simon has managed to obtain a meterpreter shell on a remote Linux machine by exploiting a weak implementation of WordPress. What command should he run to see what user-instance he is using?
   • sysinfo
   • ps
   • whoami
   • getuid
8. Rebecca has managed to get a meterpreter payload on a victim machine which is configured with a reverse TCP setting which will attempt to connect to ker Kali machine on 80.17.222.34:4444. She needs to set up a netcat listener on her Kali machine to receive any TCP sessions from the victim machine when the payload is executed. Which of the following commands would do this?
   • nc --listen 4444
   • nc -nlp 4444
   • nc -tup 4444
   • nc -nl 4444
9. James has obtained a meterpreter shell on a remote machine but only has restricted user access. He decides to try using a post-exploitation command to try to elevate his privilege level, but he needs to return to his msfconsole prompt to load an auxiliary tool. What command should James use to keep the meterpreter session alive, but allow him to return the msfconsole prompt
   • back
   • exit
   • suspend
   • background
10. James has identified a suitable auxiliary command to use in conjunction with an existing meterpreter instance. How can James identify which meterpreter instance to use?
    • session -i
    • session -l
    • sessions -l
    • meterpreter -l

Notes

netbios - old and unused, should probably be disabled. LLMNR useful is DNS resolution has failed. Generates a lot of sniffable traffic. Can force Windows machines to give up data. Set up a fake server to received the LLMR broadcasts.

Some services are blocked on IPv4 but open on IPv6.

If DNS fails to resolve a host, LLMNR and NBT-NS will ask other hosts in the network if they know the IP address. Net NTLMv2 Challenge response hash is sent by the victim, the fake machine intercepts the hash and can start to crack it. Tell john the --format=netntlmv2 to crack it.

If SMB signing is disabled on the target, you can relay the original hash to a new target.

NetBT is netbios over TCP/IP. It does IP to name resolution. A legacy protocol, should probably be disabled.

EPM is End Point Mapping (?). RPC is Remote Procedure Call (an API?). Bunch of other random acronyms and port numbers.

nbtstat on Window, nmblookup on Linux.

1c for domain controllers.

Windows enumeration usually on 135, 137 (UDP), 139, 445. Harder to detect attacks on 135 as it gets lots of traffic. 139 is obsolete from Vista.

Used to be able to connect to InterProcess Communication shares using anon / null session. rpcclient -U "" -N 192.168...

Relative Identified - RID. Unique but sequentially assigned. Can cycle through them, RID also identifies role of the user.

SID is the security ID. Primary key for objects in active directory. Unique. Has relative level, top level authority, the domain, the RID.

RID 500 is Admin, 501 Guest, 502 Kerberos. Everything else 1000+.

RPC can do user to SID and SID to user. ridenum and enum4linux both good tools for this.

Registry key has restrict anonymous usernames. Can be set to default, don't allow enumeration, no access.

RID cycling over NULL doesn't work on Win 2008+. If you can do RID cycling with a valid domain user it might leak interesting information.

Use of hash-identifier to see what sort of hash it is. Online services to check weak MD5 hashes.

Once into a Windows machine, use PowerShell as it runs in memory and isn't detected by antivirus. Use GetExecution Policy to change policies. Powershell is case insensitive. Variables start with $. There are per-user preferences. Can declare arrays $a = 1,2,3 etc.

To execute Import-Module .\scriptname.ext

IEX (iwr 'url') to execute a URL??

Get-ComputerInfo and Get-ChildIntem env to find out about the target. Get-ADDomainControler to find other stuff.

Open Shares an issue - can allow us to read and write.

Default installations of web apps are often insecure.

Printers are highly trusted, they receive all the hashes, so if you can get in with default credentials you can sniff everything. Printers have LDAP - can start malicious LDAP services.

Use of client side attacks. Use metasploit (again) to host the exploit - get the target to access the metasploit server. Can host malicious web pages, documents with macros. Use Metasploit handler to listen to what's going on. Chrome 72-73 are vulnerable to Array.map, buffer overflow, read arbitrary memory. Chrome must be in --no-sandbox

Electron - a shell around Chromium rendering and Node.js runtime - basically a web browser specifically for cross platform apps. Multiple processes.

Joplin, also built on Electron. Can POST to the /notes API to deploy a payload. Can use JS to exec() a local .exe

Looks for Kernel exploits, weak permissions, DLL hijacking etc with post/multi/recon/local_exploit_suggester. Look for PATH environment variable, and place DLLs earlier in the enumeration.

Look for credentials using things like findstr or reg query. Or User Access Controls.

Windows 7 issues. Cleartext creds in memory. No default antivirus. All apps are trusted.

Win10 security features. Device guard - hard and software, locks down device, code integrity, prevents malicious code. Cred guard. Virtualised, isolates LSASS secrets. Enabled via the registry. Returns encrypted strings rather than NTLM hash.

Local Security Authority (LSA). Prevents memory access to creds.

AMSI - anti malware scan interface. In memory scans for malicious powershell script execution.

whoami /priv to see privileges.

winpeas to automate searching.

CVE against things like IE, AppX, allow you to elevate privs.

CVE against cryptoAPI - crypt32.dll allows you to self sign a malicious executable.

RDP vulns.

EternalBlue (ancient!) and Fuzzbunch.

Microsoft COM RCE with device deserialisation flaws.

AMSI can be bypassed via signatures? And ScanBuffer? and C# version? WHAT?

Mimikatz can register a malicious DLL for a Security Support Provider and get creds. Can also bypass LSA.

ColdFusion - lots of exploits. Directory traversal, misconfiguration, default password, FCK Editor - doesn't sanitise input so can upload and execute.

Metasploit web server can bypass AV.

Post exploitation is vital. Once you're in, what can be done? Dump users, password hashes, escalate, pivot (use as a staging post to get further into the network), replay credentials to masquerade as someone else, persistent access, permanent backdoor.

Windows credential vault can store web passwords in plaintext. LSA has logged in user's passwords.

Security Accounts Manager (SAM) - can't be accessed while system is running. Might be able to grab a backup snapshot. Can be accessed on the Domain Controller.

Meterpreter can run hashdump in memory - so AV isn't triggered.

Previous 10 unique logins are cached if DC not available. This is to allow the user to login to the system. Salted hashs. Salt is the username. Encrypted with LSA NL$KM account (??) cachedump can do this.

LSA protected storage for passwords for users and tasks. System privs needed to extract.

LSASS process memory - cleartext passwords for RDP login.

Mimikatz is the main tool for this.

Adding new accounts to Domain Admin group is very noisy - great way to get noticed.

NTLM challenge response. 16 bit challenge, hashed with the user??

Pass the hash

Day 1 was all about password cracking and metasploit. Today? Linux Hacking! Sadly, we aren't learning anything to do with distributing 1337 cracks for warez (so 1998!).

One point to note is that the questions we're set are extremely vague. Here's a sample:

Exploit the HeartBleed vulnerability on 192.168.123.123 to get administrative access to the login interface on the server

That doesn't tell me anything about what HeartBleed is, what tools I should be using, or - importantly - what exactly I'll be tested on. Do I need to know the exact sequence of bit to fire at a server? The name of a tool? How it could be defended against? The teaching slides we have are OK - but make large logical leaps. For example, telling us to run a curl command against a specific path without telling us how we would know about that specific URl.

Practice Questions

Got a bit more info about the sort of questions. Mostly trivia really. Some of the topics weren't really discussed yesterday.

Here are the Port Scanning questions. I was a bit narked to get 50% (a barely passing grade). How well would you do?

1. Sam has scanned a device in his network with nmap, and has identified a service running on port 22. What service should Sam assume this is?
   • FTP
   • SSH
   • HTTP
   • SNMP
2. Jackie wants to scan all TCP ports with her nmap scan. What switch will enable Jackie to scan all ports?
   • -P
   • -p
   • -p-
   • -A
3. Simon wants to scan a number of devices in his network with a half-connect scan. What switch should Simon use to accomplish this?
   • -sU
   • -sT
   • -oA
   • -sS
4. If an nmap scan is executed with the -F (fast) switch set, how many ports does nmap scan?
   • The 1st 1000 ports
   • The first 100 ports
   • The top 1000 most common ports
   • The top 100 most common ports
5. Which timing switch is more commonly known as the insane mode?
   • -T1
   • -T5
   • -T0
   • -T9
6. James wants to scan the SSH service on his device. Which of the following will allow James to do this?
   • -p 22
   • -p ssh
   • -p T:22
7. Sandra has run the following scan; what does it do? nmap -Pn -O -sV -oA scan_results 192.168.0.1
   • Performs a ping scan, OS enumeration, Service enumeration, and outputs data to a file called scan_results
   • Performs a scan of all ports, performs OS enumeration, performs a half-connect scan and outputs results to a file called scan_results
   • Does not perform any nmap discovery scans, performs an overt scan, a verbose scan and outputs results to a file called scan_results
   • Does not perform any nmap discovery scans, performs an OS scan, a service enumeration scan, and outputs results to a file called scan_results
8. Which of the following outputs is NOT a nmap file output type
   • Normal
   • Grepable
   • XML
   • HTML
9. True or False, performing a TCP Half-Connect (-sS) scan required privleges on the scanning computer?
   • True
   • False
10. How many TCP ports does nmap scan by default unless told otherwise?
    • 100
    • 1,024
    • 1,000
    • 10,000

Mostly convinced me that most UNIX tools need a better CLI UI!

A DB quiz. Again, mostly trivia. And some stuff not covered. I got 7/9.

Art of Hacking - Database hacking

1. Sarah has scanned a server and has identified a service running on port 3306. What is this service likely to be?
   • MySQL
   • Postgresql
   • Microsoft SQL
   • Mongo DB
2. When attacking a MySQL server, which common account should you try to attack that is normally not configured to lockout?
   • Admin
   • User1
   • MySQL
   • Root
3. Gary has identified a weakness in a MySQL database installation and has managed to use the database to extract the contents of the /etc/passwd file from the underlying server. what command would Gary have used to do this?
   • select LOAD_FILE('/etc/passwd');
   • select READ_FILE('etc/passwd');
   • select * from /etc/passwd
   • select all from FILE('/etc/passwd');
4. What is the default port for a postgres SQL database?
   • 1234
   • 5544
   • 2345
   • 5432
5. What is the default user for a postgres SQL database?
   • root
   • admin
   • postgres
   • user0
6. James has recovered a set of credentials for a MySQL database running on IP address 192.168.0.43. The credentials he has discovered are: user = root password = P@55w0rd. What syntax should James use to gain access to the database?
   • mysql -u root -p P@55w0rd -h 192.168.0.43
   • mysql -u root -p -h 192.168.0.43
   • mysql -a root -p -u 192.168.0.43
   • mysql -u root --password -h 192.168.0.43
7. David has managed to locate a vulnerable Microsoft SQL database application and wants to find out the version of database in use. What syntax should David use to obtain the version data?
   • UNION SELECT @@version --
   • SELECT * FROM DB_VERSION #
   • VERSION FROM TB_DATABASE WHERE V >1 --
   • SELECT * FROM @@version #
8. What is the name of the file that all databases have that describes the database structure, including database names, table names, column names, and data types, amongst others?
   • DB_STRUCTURE
   • db_schema
   • data_definitions
   • information_schema
9. What sqlmap switch would you use to retrieve all the contents from a targeted database table?
   • --ALL
   • --download
   • --dump
   • --loot

Password questions - again, trivia. I got 7/10 with a few guesses.

1. Kali Linux comes with some pre-installed word lists for use when conducting password attacks. What is the location of these files?
   • /usr/share/wordlists
   • /var/temp/wordlists
   • /usr/wordlists
   • /etc/wordlists
2. What switch should Carl use to provide hydra with a single username to try in an online password attack?
   • -L
   • -D
   • -p
   • -l
3. Denise is trying to use hydra to attack an ftp server which is running on the non-standard port (2121) - what syntax should Denise use when configuring hydra to target this service?
   • :2121
   • -p 2121
   • -s 2121
   • p:2121
4. Joanne has extracted the following data from a Linux server; What hashing algorithm is the system using to generate the password hash? root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
   • SHA-512
   • Blowfish
   • SHA-256
   • MD5
5. What encryption standard did Windows LanMan use to secure its hashes?
   • DES
   • AES
   • 3DES
   • RSA
6. In order for John-the-Ripper to process Linux passwd & shadow files, they have to be unshadowed first and the results placed into a new file. What is the correct syntax to achieve this?
   • unshadow /etc/passwd /etc/shadow > hashfile
   • unshadow /etc/shadow /etc/passwd > hashfile
   • /etc/passwd /etc/shadow unshadow | hashfile
   • unshadow /etc/passwd /etc/shadow | hashfile
7. What does the "-a0" switch denote when using hashcat?
   • To use only 1 core of the CPU for processing
   • To output all results to the screen
   • To use a brute-force attack
   • To use a dictionary attack
8. Which password hashes does Windows salt
   • The SAM file
   • NTLM hashes
   • Cached domain hashes
   • The NTDS.dit file
9. Which of the following is not a hash function
   • MD5
   • Blowfish
   • SHA-1
   • RIPEMD-160
10. What is the maximum length of a LanMan password
    • 14 charters
    • 20 characters
    • 7 characters
    • 32 characters

Verdict

Lots of students hadn't been exposed to Linux or these tools before. Concern expressed about lots of rote memorisation. All the above questions could be answered with -h - but not able to do that one a proctored exam.

Quite a "script kiddie" day. Lots of loading up metasploit and just guessing until things work. A few infrastructure problems - broken test servers made things quite frustrating.

Lots of technical jargon without any explanation. Jenkins, Groovy, Sandbox, Metaprogramming. What are they? What definitions are needed for the exam?

Nothing so far about law and ethics… Which is a bit worrying. We're only working on a restricted demo lab, and all the exploits are ancient.

There's still no checking if students have done the tasks. It would be helpful if each student had to, say, retrieve a specific file or string from the target and present it back to the tutor. I know a couple of students who are a bit bewildered but a bit nervous to ask for help.

A short day - so off to Cloud Academy to brush up on my skills.

Notes

Heartbleed - get up to 64KB data from memory. Ask for specific length, bounds aren't checked. Only on old versions of TLS. Can also check key length - under 128bit may be vulnerable.

Heartbleed to find username / password. Log in via the web. View source to find .cgi path.

Metasploit - use the right module and configure. Exploit and then cat the /etc/passwd file.

Shellshock - as above. Copy and paste commands.

LD_PRELOAD need to ensure you keep privileges.

Use of nc to get remote machine to connect to your machine in order to get a shell on it.

Use of history to check for entered passwords and other interesting bits.

Weak Linux permissions. Can you overwrite a command run by root?

cron jobs a good source of this.

Use of local Python server to transfer files across. linpeas.sh

Always compile exploits on target machine to ensure architecture compatibility.

Basic use of wget and chmod

Exploiting other Linux things like JBoss, Tomcat, Jenkins. What is our attack surface? Weak defaults. Outdated versions with CVE.

Data Serialisation. Can be weaponised into a payload which will be parsed and executed. Tools like CommonsCollections1.

CMS targets like Joomla, Drupal, WordPress. Lots of complexity leads to misconfiguration. Vulnerable plugins and add-ons. Version leakage.

joomscan and wpscan both useful automated tools. As are DroopeScan and DruPwn for Drupal

Injection of serialised objects into HTTP_HEADER. Chain with x-forward-for to trigger the payload.

Basics of scanning for unknown ports then running droopescan and wpscan.

EXIF metadata can also be used to hide information - old WP plugins particularly vulnerable.

Use of dirb to find directories on remote webservers.

As regular readers will know, I'm pretty reasonable at hacking. I have received bug bounties from Google, Twitter, Samsung, and a bunch of others. I don't claim to be an expert - and I doubt I'll be on any top-10 lists - but I have a reasonable, albeit informal, background. It's that "informal" which is annoying me. I want a bit of paper which says that, yes, actually, I do know what I'm talking about.

Computer Science - and hackers especially - eschew formal qualifications. The earliest hackers and phreakers learned their craft on the mean streets of the early Infobahn. Geeks don't need qualifications! We're not nerds!

But, hey, a free qualification is not to be sniffed at. I know it probably won't be as rigorous as some other certifications - but it was all that was available to me.

Looking through the course agenda there were a few things I knew well - XSS, Port Scanning, Password Hashing - but it's always good to pick up a reminder. Some things I've heard of but not used - Burp, Heartbleed, Metasploit - so will be good to get a solid understanding. And some things way outside my experience - Windows stuff, Tomcat, XXE - yay new learning!

The thing that I'm looking forward to the least is the exam at the end. It's multiple choice and requires 50% correct - but I always find myself second-guessing those sorts of questions. Especially if there's lots of "well, technically" type questions. Also - concentrating for 70 minutes!!? And proctored? Does that mean I can't run to Wikipedia for help?!?

Anyway, I'm going to try and keep a diary of what I've learned. Hopefully that will let other learners know what the course is like, and if it is worthwhile.

Verdict

A bit more theory than I was expecting. Diving straight in to TCP flags was a bit alienating for some students - although I already knew about them. Similarly, lots of discussion of ports - but didn't actually explain the fundamentals of what they are.

Lots of terminology thrown at people - so probably not great for complete beginners.

Similarly, the nmap discussion was a bit whistle-stop. It was mostly a case of following the PDF instructions without much explanation. Lots of people (me included!) got tripped up by the command line flags.

Some of the practical exercises were a bit copy-and-paste without much understanding of what was going on.

Not much feedback from students. No one was asked to prove they'd got the right answer.

Crucially - I have no idea what sort of questions are going to be on the exam! Is it the port numbers? The name of tools? The specific syntax?

Had to ask. Turns out will need to remember port numbers, nmap options, etc.

Day 1 Notes

Started on a poor note - had to use GoToMyPC which doesn't have a Linux client. The Linux option was use OpenVPN to connect to the provider's infrastructure, and then SSH into a Kali Linux image. Installing your own Kali would also be possible, but you still need to connect to the VPN to "attack" the provided vulnerabilities.

Would have been useful if they gave those instructions beforehand. Wasted half an hour while people worked out what to do.

Brief discussion of password cracking. Looking at HaveIBeenPwned and various top 10 lists.

Basics of the Cyber Kill Chain. Enumerate, identify vulnerabilities, exploit, post-exploit, use privileges, repeat. No real discussion of it, or its shortcomings.

Module 1 - port scanning

ARP - layer 2 of OSI. Below IPv4. ARP maps hardware MAC to IP. Note - only for IPv4. ARP broadcast can ask machines on a local network for the IP addresses.

arp-scan to find the live hosts.

Basics of TCP. 3 way handshake. Flags. Segment Header format. SYN. SYN/ACK. ACK.

Use of Wireshark to examine TCP packets.

UDP - what it is, why it is unreliable, header formats.

Ports - what they are, reserved ports, port state. Basics of netstat.

Basics of nmap. 3 way handshake then RST. Don't need special privileges - handy if you have compromised a machine. Plays by the rules, so less likely to trip firewalls. Slower than a half-open scan, so use -sS for SYN, SYN/ACK, RST. Requires privileges, and might get picked up by Intrusion Detection Systems (IDS).

UDP scan -sU. Requires privileges, sends empty UDP packet to every targeted port. Can send specific data --data. Might be blocked by firewalls. Ports can be filtered. UDP is often used on VPN, NTP, DNS, SNMP.

Dump to file(s) for later ingestion into metasploit: nmap -sS -sV -nvv -O 192.168.3.0/24 -oA portscan_tcp

Module 2 - password attacks

Online and offline attacks. Sending repeated requests vs looking though a dumped file.

Enumerate users. What are lockout policies? Admins are often exempt from lockout. Throttle brute-force attempts. Often generates lots of log entries and / or alarms.

Intro to SNMP. UDP 161. 1 & 2c have no auth or encryption. Need to know the "community string" or use manufacturer's default. Public string vs Private string.

onesixtyone can bruteforce common strings.

OID values. No real explanation of what they were.

snmpwalk -v 1 -c ???? 192.168.?.? <OID> Need to learn that syntax.

Attacking MySQL

Old RCE. SQL Injection. Abusing phpMyAdmin. Brute force. Root user is almost always there and has no lockout.

hydra to guess passwords

Once logged in, can use Select LOAD_FILE('/etc/passwd'); Or Select * from mysql.user; to get all users.

Quite a good exercise, find a MySQL server via nmap, use hydra to try common passwords, log in, get credit card data and other password info.

Chaining

Using the above, use nmap to find the ssh port. Use one of the users found and brute force their password.

use ssh -t to exfiltrate data. ssh -t user@192.168.3.123 -p 1234 "cat /etc/passwd"

Then brute the postgres user password and get shell using sqlmap -f -d postgres://postgres:password@192.168.3.123:5432/postgres --os-shell

Metasploit basics

Loading output of nmap into it. msfconsole. Most exploits can be detected by common anti-virus. Use show axillary and show exploits and show payloads to get list.

bind - waits for a response. reverse shell - the machine connects directly to you. Useful for bypassing firewalls.

meterpreter is the most advanced payload.

Grepping through metasploit. Getting reverse shell on an IRC (!) server.

Cracking Passwords

MD5, SHA1, LM/NTLM, Blowfish, SHA256, SHA512 hashing etc. Rainbow tables to use offline attacks. Salting etc.

Encoding, encrypting, hashing. Transforming clear text via a reversible algorithm eg Base64. Asymmetric encryption relying on public and private keys. Hashing is a one-way function - usually produces a fixed length string.

Salting - a way to obfuscate the hash.

openssl passwd -1 -salt 123 password use MD5 password with salt.

Salt can be cached domain credentials like the username. Unix uses random salt.

LM (LanMan) is an insecure Windows hashing for XP and earlier.

John The Ripper - can brute force per character (slow) or a word list (faster). unshadow /etc/passwd /etc/shadow > hashes john --single hashes john -w=wordlist

Hashcat can use a GPU for password cracking.