training and learning plans for the rest of 2017

I made a post back in November about some future learning plans. Of that list, I’ve “finished” building my lab for the moment which allows me to put time into vulnhub boxes and other lab work. I successfully finished the PWK/OSCP course (whew!). I’ve started getting back to attending local meet-ups and events (SecDSM, BSidesIowa, ISSA). I also have a Pluralsight subscription where I fill some free time with courses hosted there; they proved very helpful in preparing for the PWK/OSCP.

Moving forward over the next 6 months…

I’ve added and also started to pursue other online labs/CTF styled efforts such as hackthebox.gr. I hope to make HTB my larger time spend for geek stuff over the summer months. Add this to Vulnhub lab efforts and I should have my puzzle-solving itch taken care of for at least the summer. Also, doing these hits some sub-goals of organization and learning a few new tools.

Work is footing access to the LinuxAcademy course site for 6 months with the goal that I will be completing one of a few 20-ish hour tracks in Linux. Obviously, I’ll take advantage of more courses than just that. My own goal is to shore up some of my Linux exposure. I’m comfortable in Linux day-to-day and command line operation, but I still have lots to learn and I do plenty of administration-by-Google. I’d love to eventually just add in a Red Hat or Linux Foundation or Linux+/LPIC certification under my belt. Probably one of the former two by end of 2017 or early 2018.

I am also impatiently waiting for the online release of the Offensive Security web application course, AWAE/OSWE. This isn’t live yet, but once it opens, I plan to get in on this to further my web application security assessment skills as a priority. I could also pursue self study on the syllabus or using books like the Web Application Hacker’s Handbook in the meantime. Failing that one coming out any time soon, I’m also open to looking at other web app security/assessment courses or certifications. Examples include eLearnSecurity’s eWAPT course, or maybe the CSSLP from ISC2.

For possible other directions later this year, the next Offensive Security offering CTP/OSCE is an experience I’d like to have finished by the end of 2018. But having done OSCP, I know this will be another time suck. I’d like to look into the SLAE from SecurityTube as a precursor.

Also, the CompTIA CASP has appeared on my radar of something to pursue, and seems to be getting good exposure and reviews. Other possibilities are the CCNA as a way to get into the deeper Cisco security stuff or doing some other vendor-specific stuff like Palo Alto, Fortinet, VMware, AWS Cloud Security, and so on.

My lab does still need to have a plan implemented for standing up (and re-standing up efficiently) an AD environment that I can use for testing. I’d like to package some additional PowerShell and maybe even Ansible/DevOps concepts into this effort, but that might be too big of a scope.

And a bit further down the priority list would be something like the ISACA CISA/CISM or much deeper study into Python.

There’s an endless amount of learning to do!

local file inclusion testing from hakin9

Ever since Hakin9 stopped being carried at Barnes & Noble, it’s been pretty persona non grata to me (I would read it for free over lunches spent at B&N). But I see it’s still alive with an article titled, “Web Application Penetration Testing: Local File Inclusion (LFI) Testing.” Is this the definitive guide? No, but it’s surprisingly useful and covers plenty of bases. Also uses DVWA for examples, meaning you can do some follow-alongs.

I do want to point out the php://filter/convert.base64-encode/resource=/etc/passwd section. This is highly useful if output of files isn’t very pretty, usually meaning carriage returns are not displayed properly. Outputting into base64 and then decoding it means things like long config files aren’t hell to read.

cloud security case study from threatsim

Everyone is at least thinking about cloud computing and security to some degree. Few people know what to look for, and fewer still know how to do it. A multi-part article has been posted by Stratum//Security about building and using ThreatSim in the AWS cloud for several years. Part 1 is largely marketing fluff and context (though the security controls bullet list is very good to steal!), but the latter two parts start going down a bullet point list of things to keep in mind for cloud security.

This is certainly not all-inclusive, but every little bit added to the body of cloud security knowledge is for the better. Cloud security includes pretty much everything from more traditional security, and then nearly doubles it in order to cover the things abstracted out into a whole new layer of cloud platform tooling.

pwk and oscp advice to my younger self

This is part 2 of a 2-part post. The previous post was more about me, while this post is more about advice for others. (There’s also a part 3.)

Success in this course comes from two things: experience and knowledge brought to the course up front, and how much quality time is put into the course while taking it. This makes it extremely difficult to gauge what someone needs to do to prepare or how one should approach and study. Some students will fly through the labs due to their large amount of free time or pre-existing skillsets, while others will take a few months to get the ball rolling up their steep learning curve. Every step of the course and the lab discovery and pwnage is a separate journey; even researching things that turn out to be false leads takes time and energy. The goal is to get the most out of the course, and that is often about putting the time into it.

Some Basic Foundation

Try to become familiar with Kali Linux, the tools it ships with, and its layout. This will be your home base for the course, and it has pretty much everything you’ll need.

For those newer to Linux, start using a distro on a day-to-day system and find some online courses on Linux security and administration and shell scripting/commands. Linux+ level skills are good, anything beyond is great.

For those newer to Windows, find some courses on Windows security and OS administration. This includes hosting server-type applications (e.g. web platforms).

Learn some Metasploit. It’s worth it and it’ll get used, whether in the course or beyond as a pen tester. Off Sec has a free Metasploit Unleashed course.

Learn some basic, free, staple tools and get comfortable with working various switches: nmap, unicornscan, curl. Google the top 100 security tools.

To get familiar with some of the big issues over the past 15 years, grab a copy of Hacking Exposed (McClure, Scambray, Kurtz).

For pen testing theory, check Penetration Testing: A Hands-On Introduction to Hacking (Weidman) or the slightly more up-to-date The Hacker’s Playbook 2 (Kim).

Have a decent enough grasp of networking to know how TCP/IP works in general, use and read some Wireshark/tcpdump output, and understand IP addressing, firewalls, and ports.

Have a decent grasp of how web technology works, from configuring web servers, to looking at simple HTML/PHP/ASP code, to how browsers interact with the web server.

Install some security-related browser add-ons and poke around the Developer tools in place in every major browser these days (F12).

Dive into Python or Perl enough to get into socket programming. Very useful to start swimming in the ocean of editing or making exploit code or enumeration scripts. Having had a course or class in basic programming is great, as you can start to consume any language if you know the logic.

Start thinking like an attacker. This often comes with experience, but start thinking of ways you can get to Goal X or Access Y. What mistakes do you look for? What isn’t default?

Lastly, know that OSCP/PWK comes with course materials and videos that teach you everything you need. So don’t think you are going into this being tested from day 1. You’re going to be learning from day 1 until day X.

To Be a Successful Student…

For most students, this will be the very first taste of anything to do with pen testing beyond reading a pen testing report someone else produced. As such, think about what pen testers do with their jobs: scan and attack systems, keep and organize and protect notes, create client reports, research, and learn. Students should be going into this course looking to hone and taste and practice every piece of that job role.

This is an entry level course and certification for an IT discipline that is not itself entry level. Security combines everything and a little more from other IT disciplines. Pen testing touches them all, and is certainly not an entry level route into general IT. That said, the PWK/OSCP is, by necessity, still only a small taste. As such, students should have some exposure to Linux, Windows, networking, coding, web technologies, Metasploit, shell scripting, and Python, among other more specific experience. In general, the more enterprise level troubleshooting done in these topics, the better.

Find a support group somewhere to turn to, even if it’s the spoiler-free IRC channel. Be ready to put some time into this as well, from a social standpoint. Help others out and befriend a few peers. Don’t be that person who just wants to leech answers. Give something back and grow your network. Plan on this taking several hours out of each week to maintain relations. To be fair, this is the biggest difference in the course today from my previous experience; the social opportunities and other learning services are amazing today. Don’t ask for answers; don’t give answers away; help yourself and others learn by doing and figuring things out.

The course isn’t teaching anything brand new to the world. Be ready to consume resource material quickly, efficiently, and effectively. Sometimes there is the need to read manuals for tools or apps, or even find them first! Be good about using Google and analyzing search hits efficiently and effectively.

Rely on Metasploit exploits as little as possible. When source code is found, try to run the attacks manually. This is largely to help understanding, but also test prep since Metasploit use is explicitly limited. When time is available, put in some research and effort into manual attacks, even up to porting Metasploit ruby modules into standalone Python/Perl/Shell exploits.

It’s ok to find something obvious and focus on just that thing, but the better bang for the buck involves taking notes on ideas, but moving on and making sure to at least lightly touch everything available. There might be something even easier to exploit, especially since so many lab machines have multiple routes to root. This means going fast isn’t a great measure; it’s about being thorough and finding all the lessons offsec has prepared in the labs. When looking at the whole lab, it is known that every system has an issue. But it is not known if every system has more than 1 route to root. This adds realistic uncertainty to methods and time spent.

Figure out how to keep notes. Think about how to document vulnerabilities and exploits enough that allow a client or future pen tester to recreate the steps and validate the results or the fixes. Test the notes in a few weeks by re-rooting boxes from the notes.

Do the course exercises and lab report, and be aware these two items will eat up 2-3 weeks of time (that’s what it took for me with a full time job and other responsibilities).

Words to My Younger Self (of 3 months)
Clearly, what I brought to the labs and what I did in them helped me pass the exam, but I feel like I could have done even better had I changed some things. I had more than several takeaways from my lab and exam experience that I would pass on to my own self of 3 months ago:

Rely on the forums less. This is really a balance that is going to be very personal and different for everyone. For me, I think I relied upon the forums too much for hints that led to answers. I’m very good with puzzles like that, but I think I should have found more things on my own. It’s a balance between money spent for time on the course, against one’s own knowledge, against one’s own background and familiarity with the OS versions, against being able to troubleshoot the clear issues. I think I used the forums too much on my quest to get x roots in y days. The quality of the learning, methodology, and accuracy is more important than speeding through and tallying up pwned systems. I learned this way too late.

Just to reiterate: Do not put so much emphasis on the quest to get x roots in y days!

Even when rooting a box with hints, troubleshoot and fully understand the opening used. Do all payloads work? Do other characters work? What limitations are there or requirements? Can I leave off the null character or does it need it? Can I play around with various sqli bypasses or does only one work? This sort of curiosity helps go faster and more confidently on subsequent similar boxes. Don’t just get root, loot the box, and move on. Absorb and analyze the holes for full understanding.

Get better at knowing what is normal on a Linux system for various distros. What are the default services and their runlevel? What are the default SGID and SUID files? What are the default cron jobs?
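As an added example (mine, not from the course or the labs): the set-uid/set-gid comparison I wish I had scripted earlier. It parses `ls -l` lines produced by a find for set-id files, drops anything present in a baseline captured from a clean install of the same distro, and says why each leftover matters (set-uid to which owner, set-gid to which group, a binary with a known shell escape, or a location outside packaged paths). The baseline, the find output and the sizes and dates are all constructed for illustration; record a real baseline per distro and version you meet, using the same find command.

```python
import sys

# Constructed output of: find / -perm /6000 -type f -exec ls -l {} + 2>/dev/null
# on a hypothetical lab box; none of the sizes or dates are real.
CONSTRUCTED_LS = (
    "-rwsr-xr-x 1 root root    54256 Mar 13  2016 /usr/bin/passwd\n"
    "-rwsr-xr-x 1 root root    40432 Mar 13  2016 /usr/bin/chsh\n"
    "-rwxr-sr-x 1 root shadow  35632 Mar 13  2016 /usr/bin/chage\n"
    "-rwsr-xr-x 1 root root  2746312 Nov  2  2016 /usr/bin/nmap\n"
    "-rwsr-sr-x 1 root root    18048 Jan  9  2017 /opt/backup/rootsh\n"
)

# Hypothetical baseline recorded from a clean install of the same distro with
# the same find command. This list is illustrative only and is not a claim
# about what any real distro ships; build your own per distro and version.
BASELINE = {"/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chage"}

# Classic privesc candidates when set-uid: older nmap's --interactive mode,
# and editors, pagers and interpreters that can spawn a shell.
KNOWN_ABUSABLE = {"nmap", "find", "vim", "vi", "bash", "sh", "python",
                  "perl", "less", "more", "cp", "awk"}


def parse_ls_line(line):
    """Turn one `ls -l` line into a record. The path is the 9th field, so
    splitting at most 8 times keeps names containing spaces intact."""
    mode, _links, owner, group, _size, _mon, _day, _time, path = line.split(None, 8)
    return {
        "path": path,
        "owner": owner,
        "group": group,
        "suid": mode[3] in "sS",  # set-uid bit lives in the owner-execute slot
        "sgid": mode[6] in "sS",  # set-gid bit lives in the group-execute slot
    }


def review_setid(ls_output, baseline=BASELINE):
    """Return every set-id file not in the baseline, each tagged with the
    reasons it deserves a closer look."""
    findings = []
    for line in ls_output.splitlines():
        if not line.strip():
            continue
        entry = parse_ls_line(line)
        if entry["path"] in baseline:
            continue
        reasons = []
        if entry["suid"]:
            reasons.append(f"setuid {entry['owner']}")
        if entry["sgid"]:
            reasons.append(f"setgid {entry['group']}")
        if entry["path"].rsplit("/", 1)[-1] in KNOWN_ABUSABLE:
            reasons.append("known shell-escape binary")
        if not entry["path"].startswith(("/bin/", "/sbin/", "/usr/")):
            reasons.append("outside packaged paths")
        entry["reasons"] = reasons
        findings.append(entry)
    return findings


if __name__ == "__main__":
    # Pipe real find output in, or run with no input for the constructed demo.
    data = sys.stdin.read() if not sys.stdin.isatty() else CONSTRUCTED_LS
    for f in review_setid(data):
        print(f"{f['path']}: {', '.join(f['reasons'])}")
```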

Once comfortable doing these manually, script out the very basics of the initial enumeration scanning. Unicornscan->nmap-> maybe a nikto or dirb or enum4linux scan immediately. Those are time consuming to wait through. I may as well throw in a few curl gets since I do those every time I see a web server/port. Taking this too far snowballs into huge scripts that steal away learning from doing things manually, though. The real goal: to be able to kick off a scan of x boxes while working on a different one without interruptions. This will help on the exam, but also in the field. But don’t take this so far that manual tests and results are missed.
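Here is an added example of the kind of triage script that paragraph describes; it is mine, not Offensive Security’s or the course’s. It parses nmap grepable (-oG) output, queues the slow follow-ups per service (curl, nikto and dirb on web ports, enum4linux once per SMB host, a full-port nmap on every host), prints the argv lines for a dry run, and with --run launches them in the background with each scan writing to its own log so you can move on to the next box. The host, ports and version strings are constructed, not a real lab scan; the tool flags are the everyday ones (nikto -h/-output, dirb -o, enum4linux -a).

```python
import shlex
import subprocess
import sys
from pathlib import Path

# Constructed nmap -oG output for a hypothetical lab host; not a real scan.
CONSTRUCTED_GNMAP = (
    "# Nmap 7.40 scan initiated as: nmap -sV -oG - 10.11.1.5\n"
    "Host: 10.11.1.5 ()\tStatus: Up\n"
    "Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.2.15/, "
    "139/open/tcp//netbios-ssn//Samba smbd 3.X/, "
    "445/open/tcp//netbios-ssn//Samba smbd 3.X/, "
    "3306/filtered/tcp//mysql///\tIgnored State: closed (995)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds\n"
)

HTTP_PORTS = {80, 443, 8000, 8080, 8443}
SMB_PORTS = {139, 445}


def parse_open_ports(gnmap):
    """Return (host, port, proto, service) for every open port in -oG output.
    Each entry is port/state/proto/owner/service/rpc/version/; nmap replaces
    any '/' inside the version string with '|', so splitting on '/' is safe."""
    found = []
    for line in gnmap.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = next(f for f in line.split("\t") if f.startswith("Ports: "))
        for entry in ports_field[len("Ports: "):].split(", "):
            port, state, proto, _owner, service = entry.split("/")[:5]
            if state == "open":
                found.append((host, int(port), proto, service))
    return found


def follow_up_commands(open_ports, outdir="enum"):
    """Pick the slow scans worth queueing for each service found.
    Commands are argv lists so they can be launched without a shell."""
    cmds = []
    for host in sorted({h for h, _, _, _ in open_ports}):
        cmds.append(["nmap", "-sS", "-p-", "-oA", f"{outdir}/{host}_allports", host])
    smb_done = set()
    for host, port, proto, service in open_ports:
        if proto != "tcp":
            continue
        if port in HTTP_PORTS or "http" in service:
            scheme = "https" if port in (443, 8443) or "ssl" in service else "http"
            url = f"{scheme}://{host}:{port}/"
            cmds.append(["curl", "-sSik", url])
            cmds.append(["nikto", "-h", url, "-output", f"{outdir}/{host}_{port}_nikto.txt"])
            cmds.append(["dirb", url, "-o", f"{outdir}/{host}_{port}_dirb.txt"])
        elif port in SMB_PORTS and host not in smb_done:
            cmds.append(["enum4linux", "-a", host])  # once per host, not per port
            smb_done.add(host)
        elif port == 21:
            cmds.append(["nmap", "-p21", "--script", "ftp-anon,ftp-syst", host])
    return cmds


def render(cmds):
    """Shell-quoted, one command per line: the dry run, and what goes in the notes."""
    return "\n".join(" ".join(shlex.quote(a) for a in c) for c in cmds)


def launch_in_background(cmds, outdir="enum"):
    """Start every command with its output in its own log and return the
    Popen handles, so the scans run while you work a different box."""
    Path(outdir).mkdir(parents=True, exist_ok=True)
    procs = []
    for i, cmd in enumerate(cmds):
        log = open(Path(outdir) / f"{i:02d}_{cmd[0]}.log", "w")
        procs.append(subprocess.Popen(cmd, stdout=log, stderr=subprocess.STDOUT))
    return procs


if __name__ == "__main__":
    # python3 triage.py scan.gnmap [--run]; no file -> constructed demo, dry run
    args = [a for a in sys.argv[1:] if a != "--run"]
    gnmap = open(args[0]).read() if args else CONSTRUCTED_GNMAP
    cmds = follow_up_commands(parse_open_ports(gnmap))
    print(render(cmds))
    if "--run" in sys.argv:
        for p in launch_in_background(cmds):
            p.wait()
```

Nothing is queued for ssh on purpose: brute forcing is a decision, not a reflex, and the filtered mysql port is ignored because only open ports reach the decision table.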

The methodology is king, but the vulnerability trivia and experience in the labs is a close runner-up. But still, make the methodology the main key. I’m a big believer in checklists, and I have enumeration checklists that I continued to update and maintain from even my early lab wins. Learn from others and continue to build what works for me.

With every rooting look back at my process and ask: What can I do to find things like this quicker? Am I missing steps? What clues led me to this answer and how do I make sure not to miss them? Always review your process after each box and update your process/checklist. I did this, but not enough for my taste.

Make a list of lessons learned from each box. Try to keep them in one location so you can review later and make sure you do know those things. Incorporate every experience into your full body of knowledge and skill. I also did this, but again I should have slowed down and done it more.

Train a bit for the exam. 5 boxes, 24 hours. Sit down some day and tell yourself “I will spend 3-4 hours on this box and be done.” See how that goes. See how your work space and notes look when you hit your cutoff. Move to another box and spend 4-5 hours again. Any success? Weaknesses? Fatigue? Did the break from the first box spark some ideas? During my time in the labs, I sat down on a box and stuck with that one box until rooted (30 minutes to 16 hours) with only 2 exceptions where I had to walk away for a while. This didn’t prepare me for the exam.

Do not be afraid of the exam! For me, I learned almost as much about myself and my knowledge during 48 hours of exam time and cooldown as I did in about a month of lab time. Failure is not embarrassing on this exam! It’s a chance to figure out what needs to be done to succeed further. I should have been ready for the basics of it and taken a crack earlier. If I had failed my first attempt when I took it at 90+ days, I would have had to look elsewhere beyond the labs to improve myself for subsequent attempts.

Figure out a way to stay organized on the desktop. After the exam, I had about 30 terminal windows, 4 firefox windows (with several tabs each), and 10 unsaved text files hanging out. Doing 3-4 systems at one time means being organized, not just inside your mind, but also on the desktop. Get better at tmux or other terminal helpers like screen or get dual screens going. I did fine when doing one box at a time, which is how I tackled the labs, but this got out of hand during the exam with 5 boxes at once.

Figure out a way to automatically record commands issued and/or terminal output. It’s a waste of time to do this manually. asciinema and screen.

Get better at DLL sideloading and windows executable payloads. I just didn’t find as many opportunities in the labs to do this as I thought I would, but that likely means I just missed them.

I still have lab time this month, and I plan to tackle a few of the last items on this list while I have that time available.

reflections on passing the pwk lab and oscp exam

This is part 1 of a 2-part post. This post is more about me, and the next post more for advice for others. (And part 3.)

Passed the Exam
Over this past holiday weekend, I took and passed my OSCP exam. I started this course back in 2008 as detailed previously, but nothing I did back then really carried over to my knowledge base today other than knowing how the course works. I became interested in completing this unfinished task in November 2016 and I signed up for 90 days as March 2017 rolled in. My initial goal was to get about half the boxes over my 90 days of lab time, but I exceeded that pace and adjusted my goals as I went along. After 66 out of 90 days, I had rooted every target system in the labs at least one way (many systems have multiple avenues of success, and I by no means found close to all of them). I extended my lab time 30 days just before taking the exam (for further research regardless of pass/fail), and took the exam on day 90+3.

The point of this and the next post is to give my insight into the course and exam experience. There are dozens upon dozens of exam reviews and stories out there, so I’ll try to keep this somewhat different from the many others. There won’t be a litany of links to cover topics to study (which is a bit ironic considering my links menu on the side). To be honest, others have proctored far better lists than I would provide. Go search them up!

My Background
I have 17+ years casual own-time interest in security. 14 years of IT technical work, mostly systems and networking plus security defense management. I am comfortable with scripting and coding principles, comfortable in PowerShell, novice-to-intermediate in Linux administration and working inside it, good with general networking, and extremely knowledgeable about Windows and systems/servers.

This means I bring a pretty decent history of knowledge and exposure to security concepts, even if I’m not always actively utilizing those skills and putting off-sec-style boots on the ground. My professional IT jobs have included doing things with security in mind. I use Linux Ubuntu as a day-to-day desktop at home. I’ve used BackTrack and Kali, and I’ve rooted a handful of boxes in the past using Metasploit or very simple tricks. I’m pretty learned over the years and understand technical concepts, but would still consider myself a bit of a neophyte to the deeper workings of hands-on pen testing.

My Pre-Course Activities
I did a bunch of things to lead up to my PWK/OSCP sign up, but the most important was simply reading other OSCP reviews and feedback and study lists on blogs, reddit, forums, youtube, etc. In doing so, I made an absolutely unattainable list of things to reference and check out, and I sort of tried to prioritize and tackle that list.

I checked out vulnhub and built a better lab environment at home for further study.

I slowly found some of the new and old places that students hang out and socialize, notably a private Discord server off the TechExams.net forum, a Slack off the netsec sub-Reddit, and the #offsec IRC channel.

I signed up for Cybrary and Pluralsight to take some courses to shore up some of my weaknesses and areas I’ve not been heavily exposed to: shell scripting basics, python basics, linux administration, kali and enumeration basics. To be honest, those Pluralsight courses were overall very helpful!

Being a previous student, I was allowed to upgrade my course materials for a small upgrade fee and download them without having to purchase more lab time. This proved to be awesome, as it allowed me to start studying the material without having it happen while my lab clock counts down.

I installed and started getting used to Kali Linux again as both a VM and a dedicated laptop, plus incorporated KeepNote into those installations and my normal Desktops and synced using Dropbox. (Note: In the actual PWK labs I only used my Kali VM that was downloaded as part of the student lab signup and never did an update to it nor had to ever revert it. I also switched away from KeepNote to CherryTree about 2 weeks into my lab time due to issues.)

Importantly, I made sure that I could sign up for the labs during a time where me, my job, and my loved ones were ready to accommodate the time-suck that is required for this course.

labs halfway complete for the oscp

Just to keep myself accountable, I wanted to make mention that this last weekend I passed the 45-day mark of my 90-day lab access time. I’ve rooted 41 systems with maybe a dozen-ish more to go, and have gained access to all networks. My rate of success slowed down in the past week, but that’s partly a function of having fewer targets to choose from, but also taking some days off to reset myself. I’ve had a few boxes here recently that I felt pretty burnt out while doing, and my performance suffered for it. However, the lessons being learned, even when not successful, have been wonderful and help build out my knowledge and experience.

At this point, I need to start looking forward to scheduling an exam time, and efficiently mapping out the rest of my lab time and/or time leading up to the exam date. I’ve over-achieved what I had as a soft goal early on (getting 50% of the lab machines done 50% of the way through my lab time), which is a good thing. This means I can have a shot at actually clearing the labs and still have some time to prepare for the exam specifically. I may still not meet that goal, as I have some tough systems ahead yet, but should be a healthy goal to shoot for.

Other tasks I have to accomplish yet: Finish the exercises in the PDF for bonus points on the exam and CPE credits. Master the Buffer Overflow concepts. Run through the lab systems again while tightening up my processes, documentation, and reinforce exposure to the vulnerabilities and exploits I’ve leveraged. Tighten up my quick reference notes and checklists.

the pwk (oscp) course take two, or where my free time has gone

Back in 2008 I signed up for the Pentesting with BackTrack course and Offensive Security Certified Professional exam put on by the folks at Offensive Security. I even blogged about enrolling and getting started on it. Just to put this into perspective, this was back in 2008…when BackTrack 3 was still in beta! I also have a 4 digit OS-ID number…old school!

As alluded to in those old posts, I ended up getting immediately swamped with unexpected work at the exact same time I signed up for the course. And while I was able to slowly consume the videos and PDF materials over small moments, I was never able to really get much going in the labs. I was pretty mentally spent in those days after work. My lab time expired with no exam attempt made.

But I’ve never wavered in my interest in the certification itself and in finishing the cert out.

So last year I renewed my course materials for a small upgrade fee, and near the end of February renewed my lab time.

I’ve had 20+ days in the labs out of 90 so far and have rooted 28 out of the 50-ish systems that exist. I’m pretty happy and stoked with the experience and learning that is happening this time around. And while I do like my progress, I still have plenty of room to grow. I need to get faster and more practiced with my process if I want to feel good going into the exam. I also have avoided some of the known harder systems in favor of “easier” wins and gradual escalation in difficulty. At least as much as I can with otherwise blindly picking targets. I’m at least happy that I’ve been able to make progress and not have to walk away from any targets yet due to lack of success; if I’ve targeted a system to take down, it has always eventually gone down.

I do have other sub-goals as well to accomplish during my 90 days of access that go beyond just preparing for the exam. I want to get every box in the labs down, and then I want to do them again with only minimal assistance from my past notes; I want to make sure I know the clues to look for, why they’re clues, why certain things work, and maybe even find new avenues of attack as many boxes have additional issues. I want to also run OpenVAS against as many as I can get credentials to, to see if I can find things I missed. I also want to make sure that I can run through as much of the labs as I can with Metasploit and without the automated tools. The exam will limit usage of automated tools, but the real world of pen testing will not, and I’d like to take advantage of the excellent lab environment while I have access to it.

So far it’s been a blast, and while things might slow as I hit harder systems, I hope to continue my success over the next few months!

central iowa security geeking out rundown

You’re moving to Iowa and you’re a security geek. Or you’re new to the profession and looking to get on with your career. Where do you go to hobnob with your people? Here’s a quick 2017 rundown of what I know about the central Iowa/Des Moines security scene.

SecDSM – Probably the most informal of the groups here and stays vendor-neutral. Has a Slack that I’ve not visited. No registration, so just show up! Meetings are after working hours.
ISSA – 4th Monday of every month, meetings should usually be open to the public.
ISACA – third Tuesday of every month, meetings do often have a door fee attached, with discount for ISACA members.
Infragard – most meetings require pre-vetted membership, so inquire before attending. Background check is part of the vetting process.
ISEAGE Red Team events – get yourself on the mailing list for invites to be part of the red or blue (green?) teams for regular events every year hosted in Ames (usually) for high school and college level competitions.

BSidesIowa conference – April 22, 2017 (Saturday)
SecureIowa conference – October 3, 2017 (Tuesday)
DataConnectors – traveling tour of security presentations and marketers, which just visited Des Moines earlier this month.

And here are some local-ish businesses and friends that make for great places to check into for upcoming events beyond things listed up above. I know I particularly love seeing a major geeky movie at Flix Brewhouse for free with my friends and co-workers!
AOS
Integrity
IPPathways
OneNeck
Cisco West Des Moines Office (I don’t actually know how to track this one. I usually hear this through the grapevines…) If you’re a purchaser of Cisco products, check with your local rep/seller to get on this mailing list!

What else is sort of nearby? Typically, events in Cedar Rapids, Iowa City, Ames, Omaha (NE), and Kansas City (MO) are attendable if you don’t mind the various drive distances. Chicago (IL) and Minneapolis/St. Paul (MN) regions are also doable.

And, if nothing else, there are tons of places to hang out, have fun, or eat sushi (or anything else) and drink away some security frustrations with small groups and friends.

it is still not time for pci dss to die

Saw an article saying that Arby’s has reports of a mid-January data breach of more than 350,000 credit and debit cards. This echoes a breach from 2016 by Wendy’s. I would link to this article, but it’s not necessarily a source I usually look at. If I find this mentioned elsewhere, I’ll add the link. If true, I’m at least interested in the short gestation time for that malware being present and someone noticing it! (Just like every breach, I’d love the full, un-redacted story from infection to discovery so I can gauge how truly impressed I may or may not be.)

One comment I noticed was asking if it’s time to ditch the useless PCI framework and get back to real security.

That’s a good question, and an easy answer for any company that is already enlightened about digital security.

But many are not, and PCI has been the only driver for any type of interest in security. Granted, those companies may still just be filling the checkboxes of the PCI requirements and not really doing much of anything of real ongoing value, but it does do a few things.

First, it mandates pen tests and third party examinations of an environment. You’re still only getting what you pay for, but this could at least expose some low hanging fruit.

Second, it gets a few extra tools in place that a company may normally not even bother with, such as IDS/IPS and code reviews or a WAF or firewall rule reviews. How many SMB environments run any sort of vulnerability assessment internally if they’re not asked to by a regulation? Very few. And those reports expose many small and large issues that can be fixed for little effort and high value.

Third, some of these checkboxes are in part driving the UTM market and other conglomerated boxes that combine many tools into one pane of glass and management umbrella. This is (arguably) good for everyone, and especially so as prices go down (a little) and quality goes up (a little), especially in comparison to an environment that just has outdated Antivirus, an old firewall, and nothing else.

Security efforts (and even things like making sure backups are successfully created) are things that almost always fall into second place behind revenue-generating events or tasks that support revenue generation. They just get done “tomorrow.”

We also need to remember that PCI DSS was created more to cover the butts of the card processors than it was to protect merchants and end-users. It’s also not the ultimate answer to security; it’s a framework that needs to be implemented properly for an environment and continuously effective. So maybe crying about the state of PCI isn’t even the correct place to be looking.

And no discussion of this topic would be complete without diving into the world of cyber/data breach insurance. If we don’t want to abide by rules, maybe we’ll just start eating the costs and call it part of business lumped into the insurance payments.

And lastly, it’s our duty in security to accept the axiom that breaches are inevitable. Even if you have a great security team or follow PCI DSS to the letter, you still have to assume a breach will occur. Hopefully many are prevented and the successful ones are detected and mitigated quickly.

If someone wants to say PCI DSS is useless, I’d really want them to offer up alternative solutions that can be applied to enterprises in many industries and or many sizes. Don’t just say, “Do *real* security now.”

security warrior 2.0 by kim jones

Kim Jones recently had a wonderful article talking about Building Security Warrior 2.0. I really liked his points and bullet items. I don’t think this is the whole answer, but it’s a very good one.

1. Defense Alone Is Not Enough – I’m not sure this is a really new point, but he does tie this in later on with how we’re shifting from governance and programmatic defense over to being able to think like an attacker on a technical level. It’s one thing to just play defense, but another to start anticipating the moves and weaknesses. That said, he’s also correct to walk this back a bit; it’s not about a security team attacking attackers (or would-be attackers), but it’s about thinking like them. And maybe, if you have a large enough organization that is a big enough target, to actually keep a finger near the pulse of parts of the attacker industry.

2. Security Is An Interdisciplinary Problem. – This times ten, although I do think he left off a bullet item in the list: Systems administration fundamentals. He lists network and app disciplines, but leaves out the system level. Anyway, it’s true otherwise. Some roles in security really are high level communication and leadership positions, while others are in-the-trenches technical ones. But there is almost always some level of upwards tendencies for all security people these days. You may be helping on a project with other teams at or above your pay grade or assisting with an incident that involves people *way* above your pay grade, and the ability to communicate and understand a wide range of security topics is important. This is why I find it harder to coach brand new employees out of college looking to get into security; often (not always) people should get some other sort of IT experience under their belt before sliding over into security, in my opinion. I suppose there are entry level SOC/NOC types of positions, but for anything above that, having some other fundamental skill specialties is really awesome.

3. We Need To Bring Back Critical Thinking. – This sort of goes without saying. Security professionals are fighting a game of innovation and discovery, and doing so across all functions of IT and across other non-IT functions. This means you need critical thinking skills that put you in and out of the box at all times. Often, security can be brought into project planning or operations incidents largely due to their wide and deep expertise and critical thinking skills, even if the issue at hand is not strictly a security one.

4. You Do Not Have The Option Not To Communicate. – Pretty much echoes points made above, but it’s nice to separate this out. As a security person, you’ll *have* to communicate to some degree, since security is (almost) always about making things a little harder (but more secure) for users and data and customers internal or external. Now, this doesn’t mean everyone in security needs to be able to talk and play golf with the CEO or be buddy-buddy with executive leadership. You just need to be able to talk to your audience, technical and non-technical, to get things done and understood. (Honestly, this is a key point for any level of IT support these days. You get every level of employee or boss that may come to you on any given day…)

5. Reality Matters. – Definitely this. Theory and book smarts and unrealistic research only goes so far. I definitely encourage anyone new in security to get their hands dirty, whether it’s with security topics, network/systems/app work, or sitting along for capture the flag competitions or shadowing current professionals. Security is not just technical, but it’s also part creativity and part gut feeling.

6. Information Assurance (IA) and Cybersecurity are Neither Synonymous nor Mutually Exclusive. – Jones starts to get into some terminology here and this is where we tie back into the very first bullet point about programmatic governance and technical aptitude for attacks. I really like this line, “Part of that [pendulum swing towards IA] result…has been the increased volume and severity of data exposures, combined with the erroneous labeling of such attacks as ‘sophisticated.'” Too many of these attacks are not sophisticated. Now, that’s a huge topic in itself…

Jones finishes the article with a list of attributes for the Security Warrior 2.0, and they really read like any security job description should start out. I think this is a really good foundational goal for anyone coming into security or looking to square their shoulders up again to where we’re headed.

putting money back into myself – 1-3 year plan

Now that I’ve gently pivoted my career, I have a chance to identify and work on some of my knowledge gaps and desires over the next couple years. This is especially important to me, as over the past 4 years or so, I’d a) gotten comfortable where I was, b) been really busy with business-critical work, and c) drifted away from learning a ton. While work was busy, I had a few new hobbies/people show up after hours that took away time as well. That’s partly the point of the gentle pivot from doing systems *and* security work to doing full time security work. It should free up some energy to get my learning back on track. I also hadn’t put much money back into myself as far as training, but then again, neither did my previous employer. Sure, I was always offered it verbally, but there was really very little follow-through on proposed options if they weren’t immediately in line with devices or projects we already had on the books. And security for security itself was not a priority.

This is partly why I posted several weeks ago about the various security roles that exist. It not only helps me decide what I want to do for my career, but also what I want to continue to study and strive for over the next 3-5 years. I test and study well, and sponge up information all the time.

This is certainly not all-inclusive for my interests, skills, and what I want to do on the job today and tomorrow. This is simply a small guide for myself on what to do next, if I’m ever looking towards the professional horizon and wondering what’s next on a quiet winter day. Obviously, this is also ever-changing.

PWK/OSCP from Offensive Security – Not prohibitively expensive, well-regarded, satisfying, self-paced study and a cert to show for it after.

CTP/OSCE from Offensive Security – Not prohibitively expensive, well-regarded, satisfying, self-paced study and a cert to show for it after.

CCNA – Not expensive, satisfying, but might be a bit below me and require some extra effort to utilize some labs.

Linux – local class? – night class during the summer, not expensive, quality might be hard to know beforehand.

Linux – other (further research required) – There are plenty of other accessible options from SUSE/Red Hat specific all the way down to Linux+ for the heck of it.

Certified Ethical Hacker from EC Council – Not prohibitively expensive, popular even if much maligned, doable and something to add on the resume. (You’re allowed to hate on this; I get it.)

python, powershell, .net self study for coding knowledge (even C++/assembly) – This is less structured, but I could acquire books or online learning goals to help with them.

OSWP from Offensive Security and CWNA (wireless) into CWSP from CWNP – These are wireless specific goals of mine. Attainable, not terribly expensive self-paced study.

web app sec self study or other certs (further research required) – In a really quick search, I was surprised to not find any useful web app sec related certs.

get other small gadgets or toys (hackerwarehouse type stuff, Great Scott Gadgets…) – A bullet item reminder about this.

get a Mac – This is really to broaden my horizons with a new platform/tool investment for myself.

Arduino learning – Hey, I have an Arduino learning kit I can make use of.

cons and local groups – A bullet item reminder that these exist!

other specific tools self study – A bullet item reminder that I can look at any other specific tool in depth and will.

further lab building – Maybe purchase more hardware for the lab and build it out further. I was really thinking hardware, but even trying to admin it better could be a useful project.

SEC560 (GPEN) – Network Penetration Testing and Ethical Hacking – Just time and cost prohibitive, but if I had the sudden bonus budget, this is where I’d start right now.

forensics and reversing self study or other certs – Further research required; most of these are expensive or product specific.

ISACA offerings (CISA/CISM) – Book cost, self-study webinars, exam cost and trip make this somewhat prohibitive.

CSSLP from ISC2 (web app) – An app sec certification for SDLC work and experience. Not expensive, but annual ISC2 maintenance, of course.

Other SANS/GIAC – Basically just cost and time prohibitive. Will look into it on my own personal dime when budgets allow.

10 gadgets every hacker should have according to eset

I am usually snarky about lists, yet I can’t help but love this list from ESET’s WeLiveSecurity site, 10 gadgets every white hat hacker needs in their toolkit. I am actually woefully behind on this list, and need to fix that! Is there anything amiss with this list? Well, if I wanted to be picky, all of these tools are useful to the hacker with physical or wireless proximity access. Then again, we’re talking about physical gadgets, aren’t we? And it does underline an often missed part of corporate security: do physical walk-thrus to check for rogue hardware! This list is also a sort of training/shopping list for anyone wanting to do wireless or physical pen testing or defense.

Raspberry Pi 3
Wifi Pineapple
Alfa Network Board
Rubber Ducky
LAN Turtle
HackRF One
Ubertooth One
Proxmark3 Kit
Lockpicks
Keylogger

building a pen testing lab – questions and concerns

It’s been years since I had a working lab at home, and I’m finding myself ready to build a new one. Building and maintaining your security lab is less about being a security expert and more about wearing your Systems Administrator hat. Maybe even your shiny new devops hat! It takes work, and you better get used to it and get efficient about it. You want to spend your time doing security magicks, not wrestling with your VMs.

Developers already have a leg up in this regard if they are already using devops-y tools like Docker or Vagrant to quickly rebuild and share development environments as a VM. Modern Sysadmins also are learning these techniques. It’s worth getting a taste for it as a security professional as well. Don’t discredit blogs and articles from developers in this field.

The simplest lab will be installing a virtual hypervisor on your local workstation right now, and carving out a VM or two. You can always use your local system as the attacking box, and the VM guests as victims by allowing the host and guests to talk to each other. That’s all quick and dirty, but most of us don’t want to screw up our main box by testing weird things out on it, or vice versa screw up our lab that took hours and days to set up by doing something unexpected on our main box.

The second easiest route is to forage from your local company desktop and systems folks. Do they have old workstations being sold for cheap or thrown away? Do they have extra copies of old OS media they no longer need that you could use to install from? Even just having a few extra workstation-class systems on hand can be enough for a lab, even if they’re not powerful enough to run virtualization tools on.

But let’s say you’re ready for the next step. You want to stand up a virtualized pen testing lab. Below are some topics to think about and answer before getting started.

What is your purpose?
You might want to do some pen testing, which is probably the most typical use case of a security lab. But you might instead be looking to detonate malware or evaluate security tools in a controlled environment. Keep your use cases in mind when answering some of the following topics. For instance, detonating malware might mean you have a particular interest in keeping your guest VMs absolutely isolated!

Choose your hypervisor platform: VirtualBox, Hyper-V, VMware, XenServer
Picking a platform you already know will probably help you get up and running more quickly. But you could take this chance to learn something new and pick an option outside of your comfort zone; just plan for some extra learning time. All are pretty capable, though Hyper-V is still fighting to prove itself in the enterprise and VirtualBox is usually limited to small scale use like our lab project. Learning VMware and XenServer is something you can effectively add to a sysadmin resume. XenServer and VMware can be loaded onto bare metal, but VirtualBox will require an OS to install onto.

While the others have free versions you can use just fine, Hyper-V has extra considerations that you’ll want to check up on, such as what you can or cannot license through it for a server class Windows OS. Honestly, chances are you will want to use something other than Hyper-V. Exception: If your company already has a Software Assurance subscription in place with Microsoft, perhaps you can convince someone to ask about including a free license for Windows Server Datacenter that you can use.

Think about how many systems you’re going to want to have running at any one given time.
This will increase your hardware needs the more you want running. For an initial run at a lab, plan for 2-5 concurrent guests running at once (20+ GB disks, 2-3 GB RAM…).

Think about portability.
This may influence your hardware choices: beefy laptop versus an old server chassis or maybe a portable-ish box? Do you want to power this off and take it various places, or will this just be on your home network in a corner forever?

Think about network needs as this might invoke further work on a router/firewall or on the hypervisor of choice.

  • Do you want your local network to talk to these VMs and vice versa? You probably don’t, but maybe you want to use a physical Kali laptop as your attacker…
  • Do you just want the VM network to talk out to the Internet? Some systems will want this for patching or apt-gets or to build them!
  • Do you want granular control over any of the above? Extra work!
  • Keep this item open as your answer might change based on what you want in your lab.

Think about initial VM inventory.

  • an attacker box (or two: 1 linux and 1 windows)
  • a victim box.

But for your victim box, do you want to load a system purposely built to be vulnerable to things (like metasploitable), or do you want to build more or less default-ish systems? By default-ish, I mean not just out of the box, but maybe also configured with typical settings and best practices as needed. Or more than likely a mix of the two.

Linux VMs are pretty easy. You download the distribution iso, install it, optionally update, and you’re good to do whatever you want next. You can even snapshot the installation for quicker builds later with really no issues.

Windows OS VMs are a different story. Windows isn’t free. You can download limited trials from Microsoft, but they will expire. You can get things like MSDN copies or freebies alongside Software Assurance subscriptions, but those are not really free for home users. It can also be problematic to clone a Windows VM snapshot into new systems, depending on what you need, and the license will still be expired. This means you need to think about how you want to refresh your Windows OS VMs, which means channeling your inner devops (deployment infrastructure), scripting (quick configurations), or documentation skills (notes to follow each time) to rebuild efficiently and accurately. You should also think about how to get hands on with older, unpatched OS versions, such as older 2008 R2. Grabbing media from your ops team is always a good source.

What might you want for Windows boxes?

  • a server class
  • a workstation class
  • a domain controller (with DNS, DHCP, Active Directory, Group Policy)
  • a domain computer member (server or workstation or both)
  • a file server, FTP server, IIS web server all in one? (also think about populating your file server with files!)
  • once configured and snapshotted, think about what you’ll do in 181 days when the license is expired.
  • later on, you might want to add security systems like a Splunk server, IDS/IPS, packet capture monitor, etc.

Think about your install media and how you plan to keep it updated. You probably want to carve some of your VM host storage for an ISO section where you can plop ISO images of installs and mount them from, or maybe an external drive you can attach. Also think about how often you will get new ISOs and how will you know a new version is available? How will you get old ones if you need something older than a particular date or patch?

Are there any VMs you want that are going to need to be built all devops-style? Take the install process for Metasploitable3, for instance. How will you refresh this? Where will you build it? You might have to learn some devops skills to manage this without busting your box on accident. Maybe have another system nearby you can build VMs inside, export them out, and then import them into your lab host in the ISO storage location.

All of this should pave the way towards planning, acquiring the hardware for, and beginning to build a pen testing security lab.

paypal 2fa bypass by henry hoggard

On October 22, 2016, a two-factor authentication bypass against PayPal was released. If you just intercepted the post back from a form about security questions, the system would accept it and authorize a device to be sent the 2FA code over text messaging. Now, this does require that you have the first part of the authentication process: username and password. But, that’s exactly the part that is weak enough to force the use of 2FA. Basically just opening a rogue email which installs a keylogger or other trojan is enough to leech that out.

Now, PayPal did fix this within a few weeks, but it’s really annoying to know that this system was so easily subverted. Just munge the data in transit and you’ve broken their system. To me, this suggests someone in QA or their security team didn’t do much for security testing against this piece of code before it went to production. And that’s just plain annoying to see. Nor was this designed with security in mind by the developer, either.

And if PayPal makes these mistakes, so does most everyone!
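To make the class of bug concrete, here is an added example (my own illustration, not PayPal's code) of a device-enrolment step that trusts a flag the browser posted back, beside the fix where only server-side session state decides whether the security-question step was passed. The session class, the form field names and the stored answers are all hypothetical.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side login state. Only server code may set the *_ok flags."""
    user: str
    password_ok: bool = False
    questions_ok: bool = False
    trusted_devices: set = field(default_factory=set)


# Constructed sample data: the stored security-question answers for one user.
ANSWERS = {"alice": {"first_pet": "rex"}}


def answers_match(user, form):
    """Compare every stored answer against the posted one in constant time."""
    expected = ANSWERS.get(user, {})
    if not expected:
        return False
    return all(hmac.compare_digest(form.get(q, "").strip().lower().encode(), a.encode())
               for q, a in expected.items())


# Vulnerable pattern: the enrolment handler believes a flag that the browser
# posted back, so whoever edits the request in transit decides if the step passed.
def authorize_device_vulnerable(session, form):
    if session.password_ok and form.get("questions_passed") == "1":
        session.trusted_devices.add(form["device_id"])
        return True
    return False


# Hardened pattern: the questions handler records its result in the server-side
# session, and the enrolment handler checks only that state, never the form.
def verify_questions(session, form):
    session.questions_ok = answers_match(session.user, form)
    return session.questions_ok


def authorize_device_hardened(session, form):
    if not (session.password_ok and session.questions_ok):
        return False
    session.trusted_devices.add(form["device_id"])
    session.questions_ok = False  # consume it: the next enrolment re-verifies
    return True


def demo():
    """Replays one tampered request against both handlers; returns (vuln, hard)."""
    tampered = {"device_id": "phone-42", "first_pet": "", "questions_passed": "1"}
    s_vuln = Session("alice", password_ok=True)   # password already obtained
    s_hard = Session("alice", password_ok=True)
    verify_questions(s_hard, tampered)            # wrong answer: questions_ok stays False
    return (authorize_device_vulnerable(s_vuln, tampered),
            authorize_device_hardened(s_hard, tampered))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point a tester should take away is that the server must hold the record of which steps passed; a request that merely claims a step passed is never evidence.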