PWB in the Caribbean, Part 1

Quite often, people wonder what it’s like to experience an Offensive Security live training course. At our most recent live Pentesting with BackTrack course in St. Kitts, Johnny Long of Hackers for Charity was in attendance, and he kept a journal of his experiences during the course. In this series of blog posts, we hope to give you a glimpse into what it is like to experience our live training, and we hope that you will join us for our next course in the Caribbean!

We’ll let Johnny take it from here:

Day One

“There is a reality behind these tools. There are stories. Stories of security, vulnerabilities, and weaknesses. Stories of real machines with real data on real networks run by and serving real people. It’s easy to begin to believe that this is a game when you’re fooling around with these tools, but this course brings the reality of security into sharp focus.

For years, I have relied on which and find on my Linux systems to find things I needed. I was introduced to locate and its companion updatedb, which works much better and much faster than find. I’ve been using Linux for over ten years and I don’t consider myself an expert, but it was refreshing to learn a few new Linux tricks within the first hour of the course.

Muts is teaching about bash scripting, imploring the benefits of strong “bash-fu” and knowledge of five helpful UNIX commands: sed, awk, grep, cut and paste. As a long-time Linux user, this is a pleasant surprise. These tools are the foundation for most of the work we do as pentesters. I read way too much forum jabber from frustrated users trying to do something highly technical only to be stymied by a misunderstanding of these fundamentals.

This is fact. But is it accepted fact? Well, for anyone that might be on the fence about this, let me break it down as simply as I can. There are at least six solid reasons you should take the time to learn shell scripting and the “big five”:

  1. Shell syntax can be a stumbling block when you’re learning the ropes. If you’re working through a tutorial and running commands you’re barely familiar with, you’re faced with many variables that can kill the learning process. Eliminate at least one of them by learning shell syntax. Most of us will notice the difference between “cd ..” and “cd..”, but when an HTML-hungry blog post turns “cat << EOF” into “cat EOF”, a solid understanding of shell syntax will flatten your learning curve and ease your frustration.
  2. Shell pipelines glue together strings of commands, feeding the output from one command to the input of another. This is necessary since there is hardly ever one tool that gives you exactly what you’re looking for. Most often, you’ll need to run several commands in sequence, feeding bits and pieces of your output into another command. Some graphical tools are nice, but command-line tools allow for more depth. Real power exists in chaining command-line tools together, even manually. Strong bash-fu allows you to channel this power into speed, and time is of the essence on a pen test.
  3. Compound commands (like for, select, case and others) allow you to run commands iteratively. This is especially useful when you need a quick and dirty way to run a command with a variety of inputs. Many command-line security tools allow for this type of iteration through the use of parameters but it’s important to remember that there will be situations when you’ll need to use a tool in a way the developer never intended. Isn’t this hacking?
  4. The “big five” (sed, awk, grep, cut and paste) are indispensable for too many reasons to list. Personally, I find them indispensable for data mining. In my days of pen testing, one skill that set me apart as an expert was my ability to properly wrangle large quantities of data to get to the information I was after. I always relied on these tools along with bash scripting to accomplish this very quickly. Too often, I see seasoned security experts wrestling with a specialized tool when awk would accomplish their needs just fine.
  5. Chaining tools together and parsing the output for useful information will enhance your understanding of the individual tools and will also expand your understanding of the underlying technologies that make the tools so effective. Along the way, you will get a real feel for the underpinnings of the process of pen testing and will inevitably discover ways to improve and expand the process, which leads to mastery. There is no real shortcutting this with graphical tools.
  6. Once you’ve gained some confidence with these tools and techniques, you’ll begin to create specialized shell scripts that harness the speed and power gains into your own customized, flexible, and reusable toolsets. These toolsets will serve you well and will grow with you as your skills improve. I’ve lost a lot of things through the years thanks to pathetic discipline with backups and a penchant for fiddling too much with my machines. Of all the things I’ve lost, I miss my mind the most. Of all the things I’ve lost, I miss my collection of shell scripts the second-most. Tools can always be downloaded again, and operating systems can be rebuilt. But my shell scripts represented months of personal time investment and contained the distilled output of my years of experience in the field. Start your own collection, and back them up.

Take my advice and Mati’s as well: Begin with at least a few days of study in bash scripting and never stop learning more. Learn grep, sed and awk. Learn cut and paste, and memorize the bash built-ins. Start building your own collection of self-made bash scripts for the functions you perform most often. They will serve you well.

There simply is no substitute for strong bash-fu.
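As an added example (not from the post or the course materials), here is a short bash script that puts the “big five” and a for loop to work on a constructed, grepable-style scan log of the kind the journal describes wading through; the hosts, ports and services are invented for illustration.

```shell
#!/bin/bash
# Constructed sample in the style of grepable scan output; hosts, ports and
# services are invented for illustration, not real scan results.
SCAN_LOG='Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///
Host: 10.0.0.7 ()  Ports: 25/open/tcp//smtp///, 80/open/tcp//http///
Host: 10.0.0.9 ()  Ports: 22/open/tcp//ssh///, 3306/open/tcp//mysql///'

# grep + cut: hosts exposing a given service on an open port, one per line.
hosts_with_service() {
    printf '%s\n' "$SCAN_LOG" \
      | grep -E "[0-9]+/open/tcp//$1///" \
      | cut -d' ' -f2
}

# sed + awk + paste: each host followed by its open ports, e.g. "10.0.0.5 22,80".
open_ports_by_host() {
    printf '%s\n' "$SCAN_LOG" | while IFS= read -r line; do
        host=$(printf '%s\n' "$line" | cut -d' ' -f2)
        ports=$(printf '%s\n' "$line" \
          | sed 's/^.*Ports: //' \
          | tr ',' '\n' \
          | sed 's/^ *//' \
          | awk -F/ '$2 == "open" { print $1 }' \
          | paste -s -d , -)
        printf '%s %s\n' "$host" "$ports"
    done
}

# awk as a quick counter: how many hosts expose each open service,
# most common first ("http 2", "ssh 2", ...).
service_counts() {
    printf '%s\n' "$SCAN_LOG" \
      | grep -oE '[0-9]+/open/tcp//[a-z0-9-]+' \
      | awk -F/ '{ n[$5]++ } END { for (s in n) print s, n[s] }' \
      | sort -k2,2nr -k1,1
}

# Compound command: ask the same question for several inputs in one go.
report() {
    for svc in ssh http mysql; do
        printf '%s: %s\n' "$svc" "$(hosts_with_service "$svc" | paste -s -d , -)"
    done
}

report
```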

Muts is talking about wireshark. He made a mention of a goofy sniffer back in the day that had all these crazy dashboards and was confusing to say the least. I remember sniffers like this. When I was getting my start in IT, sniffers were dedicated hardware devices for hardcore geeks. They were bulky, confusing and kludgey. Looking back, I realize that the device itself kept me from learning more about networking. It seemed “too hard” and way too close to electrical engineering to make any sense to me.

Then came tcpdump, followed by ethereal, followed by wireshark. Now, sniffers are apps. Yes, there are still hardware sniffers that can hang with terabit, but it doesn’t take much to learn about networking these days. You fire up your sniffer app (wireshark is the de-facto standard today), you generate network traffic and you check it out.

This is another one of those exercises I think is shortcutted far too often. With sniffers being easily accessible (and bundled with BackTrack of course), there’s no reason not to dig into networking. You can (and should) read books on the subject, but if you’re at all like me, it’s easier to learn when you can see the subject in action.

A solid understanding of networking is critical to success in this field. Jump in, get messy. And when you think it’s too hard, just be thankful you’re not wrangling with dedicated hardware like we did back in the day. You youngsters have it so easy.

We’ve spent an entire day of class learning manual techniques for reconnaissance and enumeration. I’m pleasantly surprised at this.

I’ve lost years of my life doing the digital doggy paddle through a sea of enumeration logs searching for elusive targets on sprawling networks. To this day, I get twitchy when I hear the word dig regardless of the context. But I know these are critical concepts to learn. It’s generally difficult to hack targets you can’t find. It’s just not fun. It’s time consuming and ugly.

As a result, by the end of day one, the students were a bit burned out. I felt a bit sorry for Muts at this point because I knew there was no better way to explain the concepts other than to drag us through the mud a bit. At the top of the last hour, I had begun to long for a slick tool that would help with all this stuff. I wanted something sexy and smart, something a bit less .. blah.

My old friend Roelof Temmingh was about to come to the rescue.

I met Roelof in 2004 at the Blackhat conference in Las Vegas. I was scheduled to give my first talk on Google hacking and I was nervous because my talk was “clever” but only lightly technical. Roelof, an industry rockstar, encouraged me. He told me how cool “clever” recon and enumeration could be and gave me a private demo of his BiLE tool as well as a predecessor to something he called BiDiBLAH. He was fanatical and brilliant and I caught his excitement. Thanks in no small part to this conversation, I went on to write the Google Hacking book and ever since I’ve had a much better understanding of the importance of the gray area between recon and enumeration. Roelof’s passion and brilliance was fully realized years later when he founded Paterva and released the Maltego tool set. Just like that, recon and enum was on its way to becoming sexy.

I had nearly forgotten about my old friend Roelof until Jim O’Gorman took the stage and launched Maltego on his Mac. I was shocked. Roelof had done it. The interface was gorgeous. The transforms list had exploded. Maltego was sexy.

Jim led the class out of the desert and miraculously parted the sea of information with Roelof’s staff. Dramatic? Hardly. It was an expert stroke. The class understood the concepts and the more astute students realized the power behind Maltego’s gorgeous, shiny interface. The class came away with the answers to both the “How?” and the often-elusive “Why?” and as a result Offensive Security spawned exactly zero tool monkeys on this day.

Well done, Roelof. And thanks to the crew at Offensive Security for dragging us through the desert so we could better appreciate the miracle of the parting sea.”

Quotes of the Day

  • “Anyone who claims to teach you any profession in five days is .. lying.” -Muts
  • “This defensive security ninja could be outsmarted by a twelve-year old who had no clue what he was doing. We need to bridge the gap. How on earth can you defend if you don’t know how to attack?” -Muts
  • “If you don’t leave here more paranoid than when you came in, we haven’t done our job.” -Muts

Hopefully, this in-depth account of Day 1 of Pentesting with BackTrack has given you some insight into what we have to offer. If we have piqued your interest, our next live training in St. Kitts will have not one, but two courses. In addition to Pentesting with BackTrack, we will also be offering the very demanding Advanced Windows Exploitation so SIGN-UP today and join us in the Caribbean.