2. Disclaimer
Cha-HA is a "Red Team" social and training group.
Organizers and teachers of Cha-HA are not compensated financially for their time. They do this simply because they enjoy
the topic and like to share.
Some of the skills and tools taught at Cha-HA meetings can be used for malicious purposes.
Cha-HA organizers and teachers only condone and encourage responsible and lawful use of such skills and tools.
3. Code of Conduct
I will treat all other members respectfully during Cha-HA events.
I will not use tools and skills shared at Cha-HA for unlawful purposes.
If I ignore the previous point and get caught in an unlawful act then it is nobody's fault but my own.
4. Whoami
● Jared Haight
● Former Sysadmin
● Current Security Engineer
● OSCP as of August 13th
● @jaredhaight
● https://words.photosandtext.com
5. What am I talking about?
● What I already knew that helped me with the OSCP
● Stuff I learned while studying for the OSCP
● Things you should focus on if you want to take the OSCP
○ Without getting so specific that it ruins the fun (or gets me in trouble with Offensive Security)
10. My Background
● Using computers for 17 years
○ Started using Linux about 14 years ago
● Sysadmin for 10 years
○ Covered everything from Firewalls down to the desktop
○ Administered both Windows and Linux environments
● Hobbyist Web dev for 4 years
○ Started learning Python in 2011, still suck at it.
○ Currently learning Javascript, really suck at it.
11. What makes an effective hacker
● Learn quickly and be able to intuit how things work
● Constantly think about how you can abuse your current position
○ Focus on your long term goals but not to the point that it distracts you from what’s in front of you
● Understand your opponent
○ In the OSCP lab it’s a lot of stupid and lazy admins
13. NMAP
● Scan ALL of the ports
○ TCP (1 - 65000)
○ UDP (--top-ports 200 or whatever)
● Read the scan output, not just the overview
○ That's where all the NSE output is!
● Zenmap is really great
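An added example (not from the deck) of pulling the per-port NSE results out of nmap's -oX output, since that is the detail the overview table hides. The XML below is a constructed fragment in nmap's schema, not a real scan:

```python
import xml.etree.ElementTree as ET

# Constructed fragment of `nmap -sV -sC -oX` output (not from the original deck), trimmed
# to the elements this parser reads. NSE results live in <script> elements under each port.
SAMPLE_XML = """<nmaprun>
  <host>
    <address addr="192.168.13.68" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.3p1"/>
        <script id="ssh-hostkey" output="1024 aa:bb:cc (DSA)"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds"/>
        <script id="smb-os-discovery" output="OS: Windows Server 2003"/>
        <script id="smb-security-mode" output="message_signing: disabled"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed"/>
      </port>
    </ports>
  </host>
</nmaprun>"""

def open_ports(xml_text):
    """Map (proto, port) -> service/version and every NSE script result, open ports only."""
    results = {}
    for port in ET.fromstring(xml_text).iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue  # closed/filtered ports carry no NSE output worth reading
        svc = port.find("service")
        name = svc.get("name", "") if svc is not None else ""
        version = " ".join(filter(None, (svc.get("product"), svc.get("version")))) if svc is not None else ""
        scripts = {s.get("id"): s.get("output", "").strip() for s in port.findall("script")}
        results[(port.get("protocol"), int(port.get("portid")))] = {
            "service": name, "version": version, "scripts": scripts}
    return results

def nse_findings(results):
    """Flatten script output into one line per finding, the part the overview table omits."""
    lines = []
    for (proto, num), info in sorted(results.items()):
        for script_id, output in info["scripts"].items():
            lines.append(f"{num}/{proto} {info['service']}: {script_id} -> {output}")
    return lines
```

Run it over a real `-oX` file and grep the findings list instead of scrolling the full report.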
14. Dirbuster
● Invaluable tool for finding directories/files on webserver
● Lists are in /usr/share/wordlists/dirbuster
○ Use the big one
● Set threads to like 100
15. Other Enumerators
● SMBEnum
○ Old and/or misconfigured Windows boxes give TONS of info through SMB
● SNMPwalk
○ Can be great for identifying OS
○ Misconfigured OSes will give a lot of info over SNMP
● Probably more...
16. Misc
● Save EVERYTHING
○ Notes, NMAP output, Enum Output, etc
● Make sure you can find everything
● My structure:
○ ~/recon/192.168.13/
■ 68/ (host ip)
● notes
● nikto.log
● smbenum.log
● misc loot..
18. Searchsploit
Why you’d use it:
● You need an exploit
● Searching exploit-db.com is really slow
How you’d use it:
● searchsploit <switches> <terms>
● Example: searchsploit -w windows exec
○ By default lists out exploit name and location on disk
○ -w lists exploit-db url instead of location on disk
20. Metasploit
Why you’d use it
● Cause it’s fucking metasploit
How you’d use it
● Very carefully if you’re taking the exam
○ Usage is limited to multi handler, meterpreter and msfvenom
○ You can use Auxiliary, Exploit and Post modules against ONE allowed machine.
○ Double check the rules before you do something stupid on your exam
21. Meterpreter
Why you’d use it:
● It’s like a normal shell but with special sauce.
How you’d use it:
● Very carefully if you’re taking your exam
○ Usage is restricted to File System, Network and a subset of System commands
○ All other usage is only allowed on the one machine you use Metasploit on.
22. How do I know what I’m allowed to do?
Metasploit
● If you’re in msfconsole, you can use exploit/multi/handler
○ That’s it. If you want to use more of the metasploit console you can do it only once and only on an allowed box
● No restrictions on msfvenom
Meterpreter
● If you’re in a meterpreter session run “help”
○ It will list out all meterpreter commands, categorized by section.
23. Buffer Overflows
Why you’d want to learn this
● You’re a hacker, you want to know how things work.
○ Buffer overflows are core to the fun stuff we get to do
● You want to be able to edit (or even find) exploits
How you’d learn this
● Go over the documentation provided by Offensive Security
○ Keep going over it until it makes sense
○ Do the exercises provided by Offensive Security
○ Go find more stuff to exploit (plenty of resources on the internet)
24. Exploits in the lab environment
● Lots of finding and editing existing exploits
● Build up a collection of scripts and tools that hit common exploits
○ MS08-067, Linux Kernel Priv Esc, etc
● Learn how to read basic C, it’ll help.
● Some of the servers are old, your compiled code won’t run on them
○ Download an ISO of the old OS and spin it up in a VM
○ Google “Debootstrap” to setup builds of old Debian/Ubuntu installs on your Kali box.
■ Once setup you can use “chroot” to switch into them
■ Note that Debian changed their file hashes from MD5 to SHA a while back. You may need to find an old version of debootstrap to work on really old OSs.
25. Tips and Tricks
● If you have a root shell on a box but don’t know the root password, echo your SSH key to /root/.ssh/authorized_keys
○ Boom. Passwordless login.
● Exploit chains can get complicated and VMs get reset often. Script out exploits that you find yourself doing over and over again.
● The documentation walks you through writing a script that generates a “wget script” for Windows. Do that, it comes in handy.
○ Actually, just do all the exercises that they walk you through.
● Do a report on the lab and do it as you go along
○ The lab is big, there’s a lot of stuff to document. Don’t put it off.
○ The lab report can help to sway whether you pass the OSCP or not
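The authorized_keys trick above is exactly what a defender should be auditing for. This is an added example, not from the deck: it parses an authorized_keys file (the sample content is constructed, the blobs are not real keys), computes OpenSSH-style SHA256 fingerprints, and reports any entry missing from an approved baseline.

```python
import base64
import hashlib
import shlex

def make_blob(seed):
    """Constructed stand-in for a key blob; real entries carry the base64 public key."""
    return base64.b64encode(seed.encode()).decode()

# Constructed authorized_keys content (not real keys): two approved entries plus one that
# someone with a root shell appended, as in the tip above.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# admin workstation",
    "ssh-ed25519 " + make_blob("admin-key") + " admin@ws",
    'command="/usr/bin/backup",no-pty ssh-rsa ' + make_blob("backup-key") + " backup@nas",
    "ssh-ed25519 " + make_blob("intruder-key") + " kali@kali",
])

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (trailing '=' stripped)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# Baseline of fingerprints the host is supposed to have (here, the first two sample keys).
APPROVED = {fingerprint(make_blob("admin-key")), fingerprint(make_blob("backup-key"))}

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def parse_authorized_keys(text):
    """Return one dict per key line: options, type, fingerprint, comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # keeps a quoted command="..." option as one token
        options = ""
        if not fields[0].startswith(KEY_TYPES):  # line begins with an options field
            options, fields = fields[0], fields[1:]
        keytype, blob, comment = fields[0], fields[1], " ".join(fields[2:])
        entries.append({"options": options, "type": keytype,
                        "fp": fingerprint(blob), "comment": comment})
    return entries

def unexpected_keys(text, approved):
    """Entries whose fingerprint is not in the approved baseline: the ones to investigate."""
    return [e for e in parse_authorized_keys(text) if e["fp"] not in approved]
```

Feed it the real file and a baseline of fingerprints from `ssh-keygen -lf`; the comment field is attacker-controlled, so the fingerprint is what you compare.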
26. Tips and Tricks Part 2: Too fast too tricky
● Sometimes the easiest way to get shell on a box is to create a new account.
○ If you have privileged code execution on a box, why not just create a new account?
● Pillage
○ Check every single box you get into for loot. There are some boxes in the labs that you can only get into with info gleaned elsewhere
○ Think. Where would the good stuff be?
■ /home
■ /etc
■ /var/log
■ C:\
■ C:\Users (C:\Documents and Settings)
○ Use scp, meterpreter or existing services (http, ftp) to get files off a box
28. Pivoting is Fun
● There are three networks in the OSCP lab
○ You start out with access to one
○ Be on the lookout for dual-homed boxes
● How do you pivot
○ SSH
■ Forward Proxy: ssh -D [Port Number] [user]@[Remote IP]
● Example: ssh -D 9995 root@192.168.1.10
■ Reverse Proxy: ssh -R [Remote Port]:localhost:[Local Port] [user]@[Remote IP]
● Example: ssh -R 8081:localhost:3000 root@192.168.1.10
● Note: Requires “GatewayPorts yes” in the remote sshd_config (without it the forwarded port only listens on the remote box's loopback)
○ ProxyChains
■ Routes any TCP network traffic over a proxy
30. Recap
● Don’t be afraid to learn
● Be aggressive in your scanning
● Keep notes, be organized
● Do your lab report
● Don’t use metasploit
● Be really comfortable with basic Buffer Overflows
● Pillage everything
● Hack the planet