No-OSCP

This blog went dead about the time that I started training for OSCP two years ago, in November 2016. After getting my CISSP in 2015, this was the next step in personal and professional goals in the form of a certification. My employer footed the bill for 90 days lab time. Following through with that I sat my first exam attempt in February of 2017. I did not pass. In what became a pattern I would get one privilege escalation away from passing multiple times. After my last attempt in the fall of 2017 I decided to put any further attempts on hold. I’m not sure when or if I’ll pick it up again. 

I did not walk away empty-handed. Training for the OSCP has taught me that nothing is unattainable regarding software. I learned the sequence of enumerate, analyze, exploit, report on a level where it’s as familiar to me as my name. I apply it to interactions that have nothing to do with software, or pentesting, or computers.

Enumerating in the OSCP labs is turning over every rock, googling every string, every version number, and learning how to combine your results. Everything is vulnerable. Either by its defaults, its configuration, its construction, or sometimes just the admin’s laziness. Exploits, too, take different forms in ways I could not have predicted. Sometimes it’s editing or writing a script to send raw string data to a network source, abusing defaults, exploiting poor authorization, or just getting lucky and finding a data dump.

Exploits built this way, analyzing every piece of information and every possible combination, teach one thing, over and over and over. Nothing is perfect, nothing is insurmountable. With these lessons in hand it further illustrates what every security practitioner knows. Security is a HARD JOB. It takes vigilance in planning, choosing a tech stack, deploying, configuring, and maintaining. The lessons I learned with the OSCP are used every day, in meetings with product owners, developers, educators, customers, prospects, pentesters, sysadmins.

If you’re curious about penetration testing, or learning security by exploit, I encourage you to make the time. OSCP is not the only answer. I have and will continue to post walkthroughs of VMs from VulnHub, and recently started working on Hack the Box.

Books 2015 61-7976

I grew up idolizing pilots, particularly fighter pilots, and with them the space program. I have a very clear memory of visiting the JPL when I was five or six years old. Someone there was giving my dad a tour and I was able to tag along. Other cool places I learned about flight were airshows. It was always a big deal to go see the Blue Angels when they were nearby. I think part of it was Navy pride, and part of it was my dad’s memory of living at NAS Pensacola, the winter home of the Angels. I was born in Pensacola, but the only memories I have of it were vacations there later in life.

We moved to Ohio in 1989, and the absolute best part of it was moving minutes away from the United States Air Force Museum. 3 hangars FULL of airplanes, spacecraft, and all the associated memorabilia, videos, stickers, models, dioramas and displays. A few years later I remember staying home from school to go sit on a hill and watch one of the last Blackbirds fly in. 61-7976 is the tail number, and I’ll never forget the feeling. Even from a mile or more away, the sound shook you. This is an aircraft that cruised with the afterburners on. It flew at three times the speed of sound. I still cannot believe I was lucky enough to see one in the air.

Over the weekend I was stuck at a car dealership, as one gets sometimes when you need necessary repairs on short notice. Bored, and looking for something to pass time that wouldn’t drain all my batteries, I found Sled Driver: Flying the World’s Fastest Jet on my hard drive. I’m not sure where I acquired it, but it was great timing. This book chronicles the section of its author’s career driving the “Sled”, the “Habu”, the “Blackbird”, the SR-71. The author recounts every step, from volunteering, interviewing, training, and finally flying the fastest airplane built by humankind. I’ve always known about the machine scientifically, it’s fast. Really Fast. It leaks fuel on the ground, because its skin was designed to expand under the friction of the air as it cruised at two or three times the speed of sound. This book tells you the human elements. How stressful it is to understand that you cannot make mistakes. Every mission the pilot holds the life of himself and his RSO (Reconnaissance Systems Officer) in his hands. I think the author wisely avoids much discussion of the actual missions, but instead focuses on relating what it’s like to sit in that cockpit, hurtling forward faster than a rifle bullet. For four years, that was this man’s day job. I’ve had a couple of jobs in life, but I don’t think I’ll ever do something like that.

I was born at a time when America was just getting comfortable with the idea of going into space. We had been to the moon, and the Space Shuttle was just really getting her start. At the same time the Cold War was raging, so the military and NASA got all the money they could ask for. Since then the Cold War has ended, and NASA feels forgotten to a kid that grew up drawing of space as something both science fiction and science fact. You can debate the politics of the situation all day long, but the SR-71 was a monument to human achievement. It was designed, planned, tested, built, and put into production (they built thirty two of those crazy machines) at a time when computers were not a commodity device. I’ve had access to more computing power for almost my entire life than the entire project team designing the fastest airplane ever built. Reading this book makes me hope that the legacy of my generation can come up with some achievement more meaningful than another version of Flappy Bird, or another slick source code version control system.

Good Deals

I’m an Apple guy. This started when my dad was in grad school, the lab had Macs. I got to spend an hour or two when I was super young playing with MacPaint. I thought this was great, but didn’t appreciate the significance until much later. The important part here is that my dad got to like Apple gear, Macs in particular. Quite some time later the first family computer was an old Mac Plus. After that came a Performa. When I went away to college I ordered an iBook.

That iBook. Man, I abused that computer. I learned so very, very much about having and supporting myself with it. I had no support structure, the few people I was close with all had Windows machines. One friend was into Macs, but I only talked to him over AIM. Which meant I had to have a working computer and network connection. This was not often the case, since I was perpetually installing, re-installing, re-installing, un-installing all kinds of things. In addition to the basics of computer geekery that I picked up, there was also the freedom. At the time it was a slow machine, wireless wasn’t really a thing, and it had nearly no storage, but it was portable. It even had a handle. I lived from that machine for almost two years. It went everywhere with me. Across campus to print something, home on the weekends, across country on vacation. Once I decided on a major, I needed to upgrade. Of course I picked another Mac, upgrading to a PowerMac and handing the iBook down. It was a revolution to me to be able to move my entire computing world with me from place to place. In retrospect, it was categorically not a good deal. After taxes it was over $1800. Never mind the specs, because they’re less than an original iPod touch, but for the time it was expensive. Looking back it was a terrific waste of cash. I don’t regret the purchase, because if nothing else it began teaching me how to support my equipment with only the internet.

There are a lot of things I do not miss about that computer, but from the day I moved on, I missed being able to have my Mac with me. Along the way, I kept trying other things to find a portable machine that was super light, super mobile, and had what I wanted. I tried a few Dells, from the weird and compromised Dell Latitude X300, to an e4300 I briefly had, and lastly a frankensteined e4310. They were good enough computers, and for the little bit of money I paid for them, nice. But they were Dells, and only ran Windows or Linux. The X300 was an early “ultrabook”, which translated to: it was thin because it had no optical drive. The X300 was released in 2003. I bought mine around 2009. In the 5 years after that, I wasn’t able to find a comparable model for the price that was as small and light. Latitudes as a group are great workhorse computers. They’re easy to fix, there’s tons of parts, meh. They’re boring and have shitty keyboards too.

Where is all this leading? I got a new laptop last year. And, for the first time since 2001, it’s an Apple laptop. That is mine. It was a good deal too; a two-year-old MacBook Air 11″. For $350. That’s at the top end of “good deal”, edging towards “great deal”. It’s tiny, has an SSD, so it’s fast, and it works. Well, it works now. I had barely gotten it up and running, wiped the drive, registered for the Yosemite beta, gotten it installed. Then I opened it, thrilled to have MY laptop running an OS X beta, finally I can help Apple find bugs, and nothing happened. I plugged it in. No lights lit up on the MagSafe adapter. Oh. Goody.

So I did what you’re supposed to do. I made an appointment and took it to the Genius Bar. They did not have good news. They could replace the Logic Board, for something like $500, or they could send it to the depot. The depot has a flat repair charge, $300, they send it back working. I opted for the depot. I spent all my “loose” money buying the damn thing, I can’t afford to trust that it’s simply the logic board. In no way could I spend five hundred dollars on this. A few days later they called, it was back and working. I picked it up, I paid my fee. For those of you playing the home game, my cheap MacBook has now cost me $650. At the time that was $70 less than a refurbished 2014 model. And if only the story ended there.

The night after I picked it up, I sat down on the couch to finally enjoy the freedom to surf and watch TV. I opened it and the display was dark. Going through common troubleshooting steps I found it was working, charging was fine, external video was fine. So I checked the display with a flashlight. Dead backlight. By shining a bright flashlight near the display I could see it was getting signal, but there was nothing lighting it. Back to the Genius Bar. This time I learned my favorite bit of Genius jargon, “looper”. Since it was a repeat-offender, all the repairs are on Apple. They replaced the entire top half of the laptop for free. I’ve got the receipt, bottom line reads, “amount due: $0.00”. That was a great day. Too bad I was back less than a week later. By this time half the staff of the Genius Bar knew me on sight. They tried to help, told me to ask for a replacement because I have, “no confidence”, in that particular machine. Thankfully that wasn’t necessary. They replaced the display assembly (lid) again AND the logic board. This adds up to nearly two computers worth of parts I’ve gotten for my $300 depot repair investment. Which isn’t bad. It’s still not a good deal, but I’ve got my own working laptop, legitimately running OS X.

I’ve returned to the days when I can just grab a bag and go out the door, trusting that I can solve any problem with what I’ve got on me. The bag is a lot lighter now, too.

shortcuts

I’m always looking for a better way to do things. I’ve spent hours, days, weeks, months trying to learn how to do things the most effective way possible. This often means deluding myself that there’s a way around hard work. That’s part of the impetus of this blog. It is here until I stop paying for the hosting. Staring at me. Every time I see it, I see the goal that I set for myself, *write more*. There’s not an easy way around this, there’s no shortcut key or macro, I have to do the work.

The hardest part is starting. When I’m trying to do something I’ve never done before, I can, and have, gotten lost. I’ve never written a blog, or done much writing since the 8th grade. So I look for shortcuts. For optimizations, for fun things that help me pretend that I am moving forward. But there aren’t any. The best advice about writing is, “write more”.

I had never started a new career, but I had had a few different jobs that could have become careers. Five years ago I rejected them and moved in a new direction. I was working in a job that I had gotten because I had “Photoshop Skills” on my resume, and my interviewers all were impressed with my communication. I told them in plain language what I had been doing, how I felt I had progressed with it, and what I could and could not do. The job combined a lot of project planning and implementation, and some prepress work. This is a fancy word that describes altering someone else’s artwork to get it to print the way they like or expect. For a while this was fun.

When I found myself spending all my free time installing Ubuntu or FreeBSD, and my reading was blogs or books about shell scripting or programming, I felt it was time to move. I looked back at what held my attention consistently since high school. “Computers” was the simple answer, but I had a job with “computers”. On that front I couldn’t be happier. I spent every week day in a nice office, with free coffee, working on a brand new *Mac*. High School and College me couldn’t be happier. Future me was upset though. Future me didn’t want this. So I researched. I spent days and months searching the internet to learn where I could go with this. Network Engineer, Network Admin, HelpDesk, IT Support, SysAdmin, Operations Engineer, I applied to them all.

There were no shortcuts here. I knew I wanted to be an IT professional. I knew it would take years to get the understanding and experience I needed for this to be a career. I had success. Not immediately, and it took hard work. I had a job that I didn’t like, and it did not prepare me, so I studied, I practiced, I worked hard to get a job as “IT Support”. Matching the adage that titles mean nothing, this job was amazing. It was hard work every day. I had to learn EVERYTHING. Active Directory, IIS, SQL Server, Apache, DNS, cable routing, hardware installation, troubleshooting, user support, business continuity, everything was new. I had arrived. I was an IT professional, a sysadmin to be specific. And it was still not enough.

Now all my down time I was learning about Information Security. I had learned that this was a thing during my previous job search, and maintained a few contacts, attended a local user group. This taught me to have a new dream. Information security was sysadmin++. You have to know systems, networks, software, people, businesses, and all their interactions. This became my goal. This continues to be my goal. I’m at a different job now, with a title that has “application security” in it, but I know how little I know, and how quickly the space is changing.

Hard work continues. I am an Information Security professional. I know what the security concerns are of our product. I work hard to keep learning. I work hard to get better. Sometimes I forget that effort is the most effective way to do something. Sometimes I keep hoping there’s a quick blog post I can read that will unlock the next door. There isn’t. There are distractions. There are obstacles. Sometimes they might help, but they’ll never move me forward the same way hard work will.

How I got here and where I’m going

Last night I was catching up with an old friend, and in refreshing the last 24-36 months I told him what I had been up to. In hearing his story, it is striking how close it is to my own. He has a decent job, wonderful wife, and if the construction ever finishes, a lovely home. He told me he doesn’t dislike his job, but it feels like he’s not getting there quick enough. I told him about my trials with work, and how I got to where I am now.

After college I had no idea what I wanted to do. I suffered from nearly terminal lack of motivation. I watched my friends move out to jobs and grad school, while I just stayed put, working in a Bob Evans. Eventually it was time to move, so I got a short-term job as a liquidation manager in New Jersey of all places. This was a few months of intense work, sales at that, which gave me enough money to move to Cleveland. Once I got to Cleveland, I still had no job, and very little professional motivation to follow my college degree career path. I did, however, have the motivation of rent. I did a little construction, building decks and installing siding for a few months, odds and ends contractor stuff as a laborer. This was nice through the summer, but wouldn’t work in the winter.

I applied and got hired at CompUSA, to work in the warehouse. This was a blessing, because if there’s anything I do not like, it is trying to sell things to people. I made a few friends in the “Tech Shop”, where customers could bring their computers for repair or upgrade. This started to teach me both how much I already knew about troubleshooting and how much fun it would be to do that as a job. I started to see how being “into computers” could result in a paycheck. After about a year there, a friend said I should send my resume to his company, he would recommend me and they were a great place to work. I did, and was interviewed to do QA for their internal and external websites. The interview went great, but apparently shortly following it the manager who I interviewed with left that company. My application was left hanging as one of his open items, and it took me a few months of following up to get a second interview. This interview was even better than the first. I talked with a lead developer and the VP who was running the IT department temporarily. I was offered a job with no real description or title, but they said with my graphics experience I would be in between their IT department and digital print shop, not QA. I gladly accepted, this was my first full-time, for real job, with benefits, perks, salary, everything.

I was in that role for about 3 years. Flux in the company bounced me around to 3 or 4 managers, a few different desks, and many, many projects. I learned a great deal about digital pre-press work, and how to configure the web and print graphics for their custom print-on-demand solution. The biggest thing I learned there was that I had no desire to pursue this any further, and that it was worth a gamble to get out of the print/graphics career field. After talking it over with my wife, we agreed that now was the time to gamble. I had experience enough to get another prepress job, but no interest in it.

Finding a low-level IT job with no experience or certifications is pretty difficult. I applied to anything IT related that said “junior” or “entry-level”, with nearly no success. One company, an information security consulting firm, replied to my application with “you’re the second or third person with graphic design experience we’ve had apply, what makes you interested in this?” So I started a dialog with this person, who I later found out is the owner/lead consultant, about how unsatisfied I was with graphics and print, and my ever increasing interest in computers, networks, software, etc. We set up an interview and I went. After a little smalltalk, they got down to it and explained what they were expecting from the position, then provided examples of the work environment and the tasks that would be assigned. During this I only had the faintest notion of what they were talking about, and said so. I thanked them for their time, but told them I was woefully under-equipped for the position, no matter how interested I was. They respected this and gave me a few pointers to build up the skills and knowledge to get to that level. One of these was attending the local infosec group, NEOISF.

I’ve been attending meetings ever since. I’d like to say I’ve been every month, but life gets in the way sometimes. The first few meetings I attended I felt like the speakers were using a different language. I typically got lost in the talks right after the “Hello, my name is…”. Taking notes, reading blogs and tech articles discussed in the talks, trying out some of the things demoed, they’ve all slowly built up my knowledge and skills.

I had one other interview that went well, and resulted in a job offer as a “systems operator”. I optimistically thought this would be a path to a real systems administrator position. Sadly, this was not the case. The job amounted to a little bit of software and website QA, running a few reports, and monitoring the monitoring system so we could alert people if something broke. After about a week of this, I started looking for jobs again. Over the course of the next 18 months I tried to build myself up professionally. I got the A+ and Network+ to actually add IT things to my resume. Finally my constant applications paid off. I had two interviews that went great, one at a colocation facility, and another at the company I had done the graphics work. Both companies had a great offer. The colo said they support linux & windows customers of every different stripe, and that I would get a ton of hands on time with server administration, but it would be 3rd shift only for at least the first year. The other company offered me a spot on the IT admin team. They were expecting an acquisition to be completed soon, which would amplify the day to day work, and would be an excellent time to start my IT career. Between the normal schedule offered and my experience working for the company, I took the safe bet and went back.

The next 18 months were fantastic. I worked on a team of people who gave me difficult, challenging projects almost every day. They were great to work with and I added a dozen lines to my resume, things like .NET website setup and migration, QA/Dev/Production environment configuration and maintenance, desktop support (Mac OS and Windows), SQL Server maintenance, version control migration, and much more. I didn’t know it at the time, but here’s where I became a sysadmin, the title I had been reaching for since I discovered it existed. Other events forced me to leave that job, unrelated to the team or the work. It was a sad day, and I still miss working with a team where everyone is challenged together. This environment taught me how to be self sufficient with new technologies and just how valuable another set of eyes at the crucial moment can be.

In my current role, I’m straddling the QA and sysadmin roles at an enterprise software company. I spend a good bit of time administering a large virtual machine farm, creating/configuring/upgrading machines, monitoring the environment, and maintaining access. Other tasks are replicating customer environments to repeat problems for development and QA, so that we can verify the software gets fixed. QA tasks are pretty limited compared to the rest of the QA department. My team is responsible for a very small set of features, mostly authentication and database related, because we have access to create complicated test environments at will. The big perk of this job is professional development. Previous employers of mine were either not at all interested in this, or only superficially. Now it’s a full time item, they will supply budget and educational materials to support my goals.

Now I’m looking at where I want to be. After working into the IT field and attending NEOISF meetings for roughly the same amount of time, it’s infosec, or Information Security. Bringing this up with my current manager met great enthusiasm, as building out an accountable security team is one of the company’s current goals. So now I have an environment to grow in, a company enthusiastically supporting my growth, and no experience. Oh, and I have the same workload as before, just with the added action item of “get better at security”. I’ve started attending conferences and asking for training, reading as much as I can get my hands on, and researching certifications that can be used as a milestone to show development. Outside of work I’ve built a test lab machine to house VMs for testing “red-team” attacks and analysis. Rather than watching TV or movies, I tend to spend my free time watching talks recorded at infosec conferences. And I started this blog to just add one more point of forcing myself to both do something new and keep track of it.

A group of like-minded individuals in the QA department have started meeting to try and figure out both what kinds of things our software has been vulnerable to in the past, and discussing what it would take to find these sorts of problems going forward. I think our biggest problem is no one has any real experience with security.

Does anyone know how to build a QA security program or team?

Walk Away

One of the rules of troubleshooting is never change more than one thing at a time. Given that I have effectively become a professional troubleshooter as a sysadmin, you’d think that I would be capable of remembering this, turns out, not so much.

After spending the better part of 3 months acquiring, configuring, reconfiguring, and using my test lab ESXi machine, I decided it needs one last bit of reconfiguring. Since the purpose of this is to have a platform for testing exploits, it is a good idea to create a DMZ network to wall the virtual machines off from the rest of my home LAN. “This should be easy”, I told myself. Add a NIC to the router (an old Dell running PFSense) and one to the ESXi host (a less old Dell), connect the two and tell PFSense what to do with traffic.

Turns out it really is just that easy. Once the link is active in PFSense, you just add the interface, rename from OPT1 to DMZ just to clean it up, and set the IP. Next, set a couple of simple firewall rules to allow any traffic from the DMZ interface to anywhere that is NOT the LAN interface, and any traffic from the internet to the DMZ interface. Then just turn on a DHCP server, and away you go.
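To see what the two firewall rules described above actually let through, here is an added example (not code from the original post) that models them the way pfSense evaluates rules: on the interface a packet arrives on, first match wins, and anything unmatched hits the implicit default deny. The address ranges, the rule names, and the test flows are all constructed for the example, not the lab’s real configuration. It checks that a lab VM can reach the internet but not the LAN, and that nothing arriving on the WAN can reach the LAN.

```python
import ipaddress
from dataclasses import dataclass

# Constructed lab addressing for the example (assumption, not the post's real ranges).
LAN = ipaddress.ip_network("192.168.1.0/24")   # home LAN behind the router
DMZ = ipaddress.ip_network("10.10.10.0/24")    # the new DMZ segment for the ESXi VMs
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    iface: str                   # interface the packet arrives on; pfSense evaluates rules on ingress
    action: str                  # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_invert: bool = False     # pfSense "invert match" on destination, i.e. "NOT LAN net"


def matches(rule, iface, src, dst):
    """True when a packet (ingress interface, source, destination) matches the rule."""
    if rule.iface != iface or src not in rule.src:
        return False
    in_dst = dst in rule.dst
    return (not in_dst) if rule.dst_invert else in_dst


def decide(rules, iface, src, dst):
    """First matching rule wins; no match means the implicit default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, iface, src, dst):
            return rule.action
    return "block"


# The two rules from the post, as described: DMZ -> anywhere that is NOT the LAN,
# and internet (WAN) -> DMZ.
RULES = [
    Rule("DMZ", "pass", DMZ, LAN, dst_invert=True),
    Rule("WAN", "pass", ANY, DMZ),
]


def lab_segmentation(rules=RULES):
    """Exercise the flows a lab owner cares about; addresses are constructed samples."""
    return {
        "dmz_to_internet": decide(rules, "DMZ", "10.10.10.50", "8.8.8.8"),
        "dmz_to_gateway": decide(rules, "DMZ", "10.10.10.50", "10.10.10.1"),
        "dmz_to_lan": decide(rules, "DMZ", "10.10.10.50", "192.168.1.20"),
        "wan_to_dmz": decide(rules, "WAN", "203.0.113.7", "10.10.10.50"),
        "wan_to_lan": decide(rules, "WAN", "203.0.113.7", "192.168.1.20"),
    }


if __name__ == "__main__":
    for flow, verdict in lab_segmentation().items():
        print(f"{flow:16s} {verdict}")
```

The one flow worth a second look is wan_to_dmz, which the rules as described pass. With private DMZ addressing behind pfSense’s default outbound NAT, a WAN pass rule alone does not expose the VMs; inbound traffic only reaches them if a port forward or 1:1 NAT is also added. If that rule is only there to let return traffic in, it is unnecessary, since pfSense keeps state for connections the VMs initiate.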

Away I go, almost. The link is up and physically active, blinky lights and all, but no DHCP. “How did you check this?” Good question, glad you asked. In the configuration of the ESXi host, there’s a network adapters section. Looking at this, the LAN interface showed the IP range that I had configured on the LAN interface DHCP server. I *assumed* the same thing would happen when I connected the DMZ link. “Didn’t you try to verify another way?” Yes, and here’s where I totally dropped the ball. I tried rebooting the router and the ESXi host, nothing changed, I tried reconfiguring the ESXi connection, I tried reconfiguring the DMZ interface on the router, nothing changed. I added the interface to a vSwitch, connected only that vSwitch to a VM, and tried to force its NIC to update, even rebooted the VM. “Didn’t you say you were a sysadmin? You couldn’t figure out networking?” I was in a hurry, so I logged into a VM I had never used before, thinking it would be just as good as another. I was wrong.

In frustration, and knowing that I was already confused by something simple, I stopped, and came back the next night. For good measure, I rebooted both machines. I logged into a different VM, Backtrack. I’m comfortable with the OS at a commandline and GUI level. My assumption this time was, “it’s another day, before you change anything, just give it a shot”. TA-DA! Now it works. Connected immediately, could ping the gateway (DMZ interface) IP, could ping google.com, distrowatch.org, you name it. Internet connection live.

So I changed configuration and tested with something I didn’t fully understand. This time it didn’t really cost me anything, because getting that interface working was the goal of the night. But it did serve as a reminder not to get cocky. I’m fairly comfortable troubleshooting simple networking problems, provided I’m using tools I am comfortable with. I’m also thankful it only took me 24 hours to find the solution.

Post 1

So who am I?

Nobody, at least, not yet. I’m “from” the midwest, about average height/weight/build/etc. I’ve graduated from a school or two, then started to (slowly) learn about things. I’ve done art; ceramics, drawing, animation, sculpture, design, and probably a few other things. I’ve done hard work; restaurants, construction, yardwork, again, probably a few more I’m forgetting. I’ve been an “administrator”, a “coordinator”, an “analyst”, an “operator”. I don’t know how any of that really defines me. I like to read; blogs, books, manuals, instructions, stories, histories, accounts. If it’s words, I’ll probably read it, at least for a little while.

This is where it gets interesting, at least for me. In a recent blog post Shawn Blanc talks about his writing and gave the following bit of wisdom: “Reading about writing is not the same as writing”. My whole life I have wanted to be a creator. I’ve spent years at this point reading things by writers about how to write and ignoring their #1 comment:

To be a writer, you have to write.

So I’m writing. I don’t know where it will lead, or how long I’ll be able to continue to do it, but I’m starting.

What are you writing about?

Probably everything I can think about for awhile. I need to find my voice. I know my opinions, but formatting them in a logical fashion is not commonly my strong suit. So this will be all about the things I know; mostly Macs, a little about good design, and general tech; gadgets and computers. Probably, hopefully just as much about the things I don’t know but want to; InfoSec, good design, moving forward with creating, doing things, rather than more reading.