Sunday, March 25, 2012

Passed OSCE "Cracking the Perimeter"

First, I want to start by saying that I enjoyed the OffSec "Cracking the Perimeter" course and exam a lot. It was difficult, frustrating, time consuming, sleep depriving, exciting and very, very informative. It is a little different from the OffSec "Pentesting with Backtrack" (PwB). Ok, well, it is very different.  There are specific hacks that are to be learned and performed in the OSCE course. You learn about a variety of buffer overflow and web application exploits. You will also learn about 0day hunting thru the use of fuzzing and how it leads to computer, and later, network compromise. I found that the OSCE is shorter than the OSCP course. I think anyone trying to take the CTP course should do 60 days. That should be enough time to get all the concepts down and to practice in the OffSec lab environment.  The OSCP course was a lot longer as far as time for me. But with both courses, it was worth the time and effort. If you take a look at the course outline, you will see that you have 9 very tough modules.  All I can say is take your time. This course is all about the concepts. Make sure that you understand them, and you will do fine on the exam. Of course, practice, practice, practice.

Ok, you have looked at the syllabus and you are very excited. Ok, but first you have to take the prerequisite.  I know, lol.  This course is tough so what better way to find out if you are ready, then to take a pre-exam.  You start at http://www.fc4.me/. You need to find the "code" and final key.  Now, I took this prereq right after I passed the OSCP just to see if I could do it. I was able to do it in a day and a half. That was in April of last year. I took a break to relax and to save money for the OSCE.  I took the prereq again in November-December. This time, there was a new wrinkle. I do not want to give it away but be prepared to do some research and think. Once you get past that, and sign up, you will get the OffSec PDF(s) and the OffSec videos. I did the pdfs first and then the videos. Then, I went into the lab to practice.  That has always worked for me during the OffSec courses.  Why change now I guess. 

I'm just going to say that the 8th module, is by far, the hardest. I spent maybe two weeks just on that one module. It was worth it however, to understand manually encoding shellcode with bitwise operations. By the end of the course, you will be amazed by how much you have learned. From fuzzing, to exploit development to exploit writing.  You can manually encode executables to bypass an antivirus and can get a shell from misconfigured web applications. The course came to an end with me learning more about scapy for packet creation and manipulation. 

I took the exam after three weeks of the course ending. In that time, I studied from a number of resources besides the coursework. I would suggest to anyone about to take the exam, to practice from the exploitdb.com site. Practice using egghunters and OllyDBG/Immunity. Then, read:

http://grey-corner.blogspot.com
http://resources.infosecinstitute.com/author/lupin/
http://www.corelan.be/


Those three weeks really help me understand each module.  It helps that I had VMware Workstation on my laptop so I could practice no matter where I was. Barnes and Noble, library, dinner, etc. The family understood. :) I also loaded the laptop with 16 GB of memory just so I could use multiple VM's going.  It helped me.  Anyway, the exam email came and it was time.  I was able to get most of the exam done in the first day. I had one problem that held me up. It took me literally 21 hours to finally figure it out for the most part.  Of course, that meant I had 3 hours left to really exploit it. You have to love it. After the clock ran out, I decided to give myself a two hour break before the write up.  The write up took longer than I thought but it was on time. :) I did not have to wait the full 3 days which was cool. You are always nervous until you get that email telling you how you did. After about a day, I got the email saying I passed!

I got congrats from the fam and all of my co-workers. I had a lot of support since they knew I worked really hard on the course. You get what you put in from the offsec courses so when you get that pass email, it makes it so much sweeter.  Of course, I have the SANS560 course a week later but that is another post. For now, the OSCE is done and loved every minute of it.

Friday, March 9, 2012

Practice: OSCE


DVD X Player 5.5 Pro (SEH) Buffer Overflow Exploit
Preparing for the Offensive Security Certified Expert (OSCE) exam, I hopped on exploitdb.com to find vulnerable software to exploit buffer overflows.  Now, for the exam, I wanted to pick one, then ignore the exploit file, download the application and find out how to exploit it myself.  I think this would be the best way to simulate finding a 0day (besides finding a 0day), and exploiting it. I found the DVD X Player 5.5 software.  It is a computer media player that can run on Windows.  I am installing the software on Windows XP SP3 and Windows Vista.  Let start with Windows XP.




After the install it looks like it uses a playlist like WinAmp. The file extensions are PLF and SLS.  That goes with the original exploit for the software. Well, let's open up the FileFuzzer script and create a file with the buffer of 1000. Why not start small. We need to first open the DVD X Player app and then, open up OllyDbg. We will then attach the application running so we can catch the application's reaction to the buffer. 






Looks like we have a winner. The EIP and SE Handler was over-written.  Now, I increased the buffer size to 2000 once I saw where in the buffer overwrote the SEH. I figured that out by using the ruby script pattern_create.rb by MetaSploit. That will create a specific pattern of characters so we can find where EIP is.  Once we find what is located in the SEH, we can use another MetaSploit script called pattern_offset to find out how many characters(bytes) are before the SEH.  We put in the value for SEH and put it as a parameter for the script. It gives a value of 612.  So, after 612 "A" characters, you can control EIP and thus, execution flow. Sweet.


























Alright, next, we want to start making a exploit file now that we know the necessary buffer length. This will help us ensure that we have the right length of the buffer and how much space we have remaining to inject shellcode. That is easy enough.  We create 612 "A"s and 4 "B"s and the rest "C"s. Hopefully, our buffer gets to one of the registers, (if we are lucky). It looks like this is like most SEH exploits. It looks like our "C"s are after the exception handler so if we can find an address to get to a "POP POP RETN", we can land there. We go to 'View -> Executable Modules'.  Now, we have to avoid any ASLR enabled dll's and executables. We have one at #603022B8 in the "Configurations.dll".






































We want to follow the flow by creating a breakpoint(F2) on our "POP POP RETN" at the address just mentioned. Then, by pressing F7, we can step thru execution one step at a time. After the "POP POP RETN", we land exactly 4 bytes behind our SEH.  Now, it looks like we have the option to either to make a jump forward or backwards. We have a space of roughly 608 bytes going back and approxiamately 1300 bytes ahead. I chose to jump ahead since it is a larger space.  If you  want to learn more about jumping, please go to CORELAN (https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/).








































Now, to jump ahead, we want to make sure we jump at least 6 bytes over to avoid overwriting our SEH jump. We want to land in 'NOP' AKA '\x90' commands to slide into the actual shellcode. Let's leave 10 'NOP' commands to slide into so we can go straight into our shellcode. Using MetaSploit, I generate a shellcode that will send a reverse shell to my local IP address on port 4444. We want to make sure that the size of our shellcode does not exceed our buffer. It is only 314 bytes so we are very safe from that. We just need to remember to subtract that from our remaining buffer size. We are looking at 1374 - 314 = 1060 which should be the remaining 'C's for our buffer.































Lastly, before creating our new PLF file, we want to create a listener to catch the new network connection coming from our 'victim'.  Bring on netcat! The command, 'nc -lvvp 4444' should do it. Now, run our new file to create the final PLF file. Run it on our victim, without the debugger and see what we get.






Wonderful.  We can do changes to the file to see how it would work.  We can jump backwards instead of forwards from the SEH. We could add an egghunter which I think I will do later. Hopefully, this helps another student of infosec besides myself. 


Tuesday, March 6, 2012

SEC560/EthicalHacker.Net

At the end of March, I will be experiencing my first SAN class, SEC560! I was awarded this chance by ETHICALHACKER.NET.  On the site, they hold monthly prizes for their registered users. I have been on the site since 2009 I do believe.  They have had discussions on Google, LulzSec, Anonymous, Breaches, FBI, etc.  It is where you can find and discuss IT security issues currently happening today.  It is a very informative site with some of the top security professionals posting articles from time to time.  If you want more information, check out this link (http://www.ethicalhacker.net/content/view/405/8/).  It was definitely a surprise since I usually do not win anything.  I guess it points out even further, that everyone has a chance to win the monthly prizes hosted at EthicalHacker.net. If you have time, try to check out the DIY Career article from Don Donzal if anything else (http://www.ethicalhacker.net/content/view/236/24/). 

Well, I just wanted to give a shot-out to the site before I take the SANS course. The SANS course will be all online which works out well for me.  It will be instructed by Ed Skoudis which I have heard is a great instructor by security professionals.  It will focus on network security and pen testing.  I like the fact that it will include the soft skills needs to be an effective penetration tester.  I have heard Mike Murray press on the fact that a pentester should have equally strong soft and technical skills to be beneficial to the client that you are pentesting.  WIN! The web application scanning looks good but I wonder how far they go.  Also, it looks like it has a CTF event too which I have never been in either.  I think this course (and the OSCE exam) will give me a good gauge to my progress in InfoSec. 

Once I am done, I want to do a review of the SANS course compared to the three Offsec security courses I have taken, OSWP, OSCP and OSCE.  I think the Offensive Security team are on their way to making courses that will set the standard for information security education.  Right now, C|EH by EC-Council, seems to be the standard, (at least for HR) which does not seem right to me.  When I did the self study for the C|EH course, and then, passed the exam, I had never even used netcat.  Uh, yeah that will not fly when you take a OffSec course.  I am not saying that they are perfect, but I would suggest to anyone that is serious about their security career, find a way to start taking the offsec courses.  Soon,  I will know if I need to include the SANS courses as well to that last statement.  From what I hear already, I should.  I will have the review by the end of April hopefully.   

Monday, March 5, 2012

FileFuzzer

While going through the OSCE course, I have created a number of fuzzing templates and files.  One that comes in handy, the python file fuzzer I made.  It is not mind blowing, but I have found some overflows with so it is nice to have for me at least.


#!/usr/bin/python

# File  Fuzzer
# By Agoonie
# Dated created 2/26/2012
# Kind of basic and wordy, but hey it works for me....

print "--------------------------------------------------------------------------------"
print "                                      Fuzzer Template                                   "
print "                                      Agoonie FileFuzz                                 "
print "--------------------------------------------------------------------------------"




fuzzchoice = raw_input('Do you want to create one file with a specific buffer size? yes or no. ')
if (fuzzchoice == 'y') or (fuzzchoice =='yes') or (fuzzchoice == 'Yes') or (fuzzchoice == 'Y'):
buff = raw_input('What is the buffer size for the file you want? ')
newextension = raw_input('What is the extension for the file you want? ')
print "Next, think of the character(s) you want to use in the buffer.  For example, A, B, C, %, *, X, &, ), (, #, @, !, etc. "
bchar= raw_input('What is the character(s) that will file the buffer in the file? ')
print "The filename will be: "
filename = "stest."+newextension
print filename
newbuff = int(buff)
if (newextension == 'm3u'):
junkchar = "#EXTM3U\n"
  junkchar += "#EXTINF:123,Agoonie - A goonie was here\n"
junkchar += bchar*newbuff
else:
junkchar = bchar*newbuff
bigbang = junkchar
bangcount = len(bigbang)
print "Just a reminder, this is the number of characters you have in your buffer: "
print bangcount
textfile = open(filename,"w")
textfile.write(bigbang)
textfile.close()
elif (fuzzchoice == 'n') or (fuzzchoice =='no') or (fuzzchoice == 'No') or (fuzzchoice == 'N'):
print "Buffer starts at 200 bytes and increments by 200 bytes "
buffsize = raw_input('What is the MAX buffer size for the file you want? ')
mbuffsize = int(buffsize)
cbuff = 200   # Current buffer size; starts at 200
num = 1
extension = raw_input('What is the extension for the file you want? ')
print "Next, think of the character(s) you want to use in the buffer.  For example, A, B, C, %, *, X, &, ), (, #, @, !, etc. "
bcharacter= raw_input('What is the character(s) that will file the buffer in the file? ')
while (cbuff <= mbuffsize):
print "The buffer size for the file is: "
print cbuff
snum = str(num)
filenames = snum+"_test."+extension
print filenames
junk = bcharacter*cbuff
num = num + 1
cbuff = cbuff + 200
exploit = junk
textfile = open(filenames,"w")
textfile.write(exploit)
textfile.close()
else:
print "I didn't understand your answer. Please run again. ./filefuzzer.py "






Sunday, March 4, 2012

Laptop Rebuild

I am taking the OSCE course.  The first thing I did, besides saving major capital was to get some new hardware.  I built a new desktop and bought a new laptop.  I wanted to make my desktop a cheaper version of the computer here [http://pauldotcom.com/2010/10/your-password-cracking-system.html].  However, the desktop as of this moment needs to be redone.  I need a motherboard that can handle 4-way SLI with better video cards.  I want to use the desktop for password cracking using the GPUs' and SSD drives.  That is going to take some serious cash so it may take me a minute.  Moving on.  I got the ASUS G74SX RH71 laptop.  I grabbed another 4GB RAM stick and my 2 SSD hard drives from my older laptop.  I setup the usual dual-boot of Windows 7 and Backtrack 5 R1.  (And yes, I know Backtrack 5 R2 is officially going to be released in a few days.  I am sure I am going to have to do this whole process again.  Meh, I would have done it again anyway at some point).  Both installed were x64 bit since I wanted to use all of the RAM without any issues.  It worked out great in the long run. I was able to add addition programs to help with every work too. I was able to save my bookmarks and shortcuts from old Chrome and Firefox clients along with the usual addons. However, I did run into the usual problems that I found solutions for, for the most part anyway.

Added Apps:
VLC
Hexeditor
OpenOffice
Synaptic
UFW/GUFW
WireShark
KCalc
TouchPad Indicator
NoteCase
Compiz
Gimp
Evince
Tsclient
Xchat
Elinks
xscreensaver-gl
rss-glx

KeyPad issues:
sudo add-apt-repository ppa:atareao/atareao && sudo apt-get update   
sudo apt-get install touchpad-indicator

Gnome: waiting for audio system to respond
Go to System->Preferences -> Startup Applications
Make sure you’re in the tab ‘Startup programs’
-> Click on "Add"
Name: Pulseaudio daemon
Command:/usr/bin/pulseaudio
Comment: Start the sound daemon
Now logout, then login again.

System Beep:
In the terminal:
run 'alsamixer'
move to PC Beep
press m to mute
press escape

Disable ASUS touchpad:
sudo add-apt-repository ppa:atareao/atareao
sudo apt-get update
sudo apt-get install touchpad-indicator
******xinput needs to be installed.

VMware 7.1:
chmod +x VMware-*.bundle
./VMware-*.bundle

mkdir /tmp/vmware && cd /tmp/vmware
cp -R /usr/lib/vmware/modules/source/ .
cd /tmp/vmware/source
for i in ./*.tar; do tar -xf $i; done
for i in ./*.tar; do mv $i $i.orginal; done
patch -t -f -p1 < /root/vmware2.6.39fixed.patch
tar cf vmblock.tar vmblock-only
tar cf vmci.tar vmci-only
tar cf vmmon.tar vmmon-only
tar cf vmnet.tar vmnet-only
tar cf vsock.tar vsock-only
cp -vf *.tar /usr/lib/vmware/modules/source/

Give me CHROME!!:
Installing and running Google Chrome
Download chrome from http://google.com/chrome 
and then do:
dpkg -i ./google-chrome-stable_current_amd64.deb
You may get a complaint about running this as root, so either create an account for browsing, or start the browser with the following command:
/opt/google/chrome/google-chrome %U --user-data-dir
**** I just added a shortcut with the parameters already set. 

FLASH:
wget http://samiux.volospin.com/flash/install_flash_player_10_linux.tar.gz
tar xvfz install_flash_player_10_linux.tar.gz
mkdir ~/.mozilla/plugins
mv -f libflashplayer.so ~/.mozilla/plugins/

Credit Due:
Now, I did not create these instructions, I just kept a list for an easier rebuild when I needed it.  Here are all the links I have on trying to make the rebuild quick and painless.  If I did not list it, my apologies, I was not trying to go all Zuckerberg on people:

http://rog.asus.com/forum/showthread.php?3220-Asus-G74SX-A1-Keypad-Problem/page6&s=5d5ad2019d4b8ffffaa73c10b18c66f3
http://www.backtrack-linux.org/forums/backtrack-5-fixes/44739-fix-vmware-workstation-vmware-player-compiling-2-6-39-x-kernel.html
http://insidetrust.blogspot.com/2011/08/backtrack-5-r1-some-things-fixed-some.html
http://www.backtrack-linux.org/forums/showthread.php?t=43954
http://www.backtrack-linux.org/forums/showthread.php?t=44739
http://www.backtrack-linux.org/forums/showthread.php?t=45100
http://www.backtrack-linux.org/forums/showthread.php?t=45314
http://www.backtrack-linux.org/forums/showthread.php?t=40271

I have not added these programs yet, but I still thought it was worth noting here, but I will update later if they are not working out too well.  I found these will searching for fuzzers and web application vulnerability hunters:

http://code.google.com/p/pyrats/
http://code.google.com/p/sprillis/
http://google-gruyere.appspot.com/


I cannot forget to add:
apt-get update
apt-get dist-upgrade

Friday, March 2, 2012

Agoonie Update

I have not posted anything in four months, but I have been busy in my defense.  Not only was I trying to manage my OffSec knowledge intake, but also trying to give my full effort to my family and job.  I have been doing my best so far. I have to come out and say it: I put off the CCNA again but I could not put off the OSCE.  The chance to learn more about fuzzing and debugging was too much. Come on, who could blame me. I will add individual posts later this weekend but I wanted to make a post that was a short rundown of my progress:




October
Passing the OSWP exam.
Amazon + OffSec books: Nuff Said






November
Rebuild Laptop (Backtrack 5 R1)
Amazon + OffSec books: Nuff Said
Practice Egghunters and MetaSploit Fuzzing







December
Amazon + OffSec books: Nuff Said
Signed up for the Cracking the Perimeter!
Time off (Star Wars: The Old Republic)
Studying the CTP material
Won SAN560 course from EthicalHacker.Net







January
Rebuild Laptop (ASUS)
Studying the CTP material
Time off (Star Wars: The Old Republic)











February
Scheduling the OSCE exam for March
Studying the CTP material
Creating Fuzzing files/scripts in Spike and Python
Practice Egghunters and Fuzzing