No-OSCP

This blog went dead about the time that I started training for OSCP two years ago, in November 2016. After getting my CISSP in 2015, this was the next step in personal and professional goals in the form of a certification. My employer footed the bill for 90 days lab time. Following through with that I sat my first exam attempt in February of 2017. I did not pass. In what became a pattern I would get one privilege escalation away from passing multiple times. After my last attempt in the fall of 2017 I decided to put any further attempts on hold. I’m not sure when or if I’ll pick it up again. 

I did not walk away empty handed. Training for the OSCP has taught me that nothing is unattainable regarding software. I learned the sequence of enumerate, analyze, exploit, report on a level where it’s as familiar to me as my name. I apply it to interactions that have nothing to do with software, or pentesting, or computers. 

Enumerating in the OSCP labs is turning over every rock, googling every string, every version number, and learning how to combine your results. Everything is vulnerable. Either by its defaults, its configuration, its construction, or sometimes just the admin’s laziness. Exploits, too, take different forms in ways I could not have predicted. Sometimes it’s editing or writing a script to send raw string data to a network source, abusing defaults, exploiting poor authorization, or just getting lucky and finding a data dump. 

Exploits built this way, analyzing every piece of information and every possible combination, teach one thing, over and over and over. Nothing is perfect, nothing is insurmountable. These lessons further illustrate what every security practitioner knows. Security is a HARD JOB. It takes vigilance in planning, choosing a tech stack, deploying, configuring, and maintaining. The lessons I learned with the OSCP are used every day, in meetings with product owners, developers, educators, customers, prospects, pentesters, sysadmins. 

If you’re curious about penetration testing, or learning security by exploit, I encourage you to make the time. OSCP is not the only answer. I have and will continue to post walkthroughs of VMs from VulnHub, and recently started working on Hack The Box.

Nothing New Under the Sun?

This morning I saw this article: https://room362.com/post/2016/snagging-creds-from-locked-machines/ and it really blew my mind. The simple, but incredibly effective method is tremendous. I know, physical access means you own everything one way or another, but this example is elegant in its simplicity.

This simple article has been running around my head all day, and I have struggled to figure out why. A little background: I’ve been following Rob, or Mubix as he’s also known, for a couple of years now. When I first heard of him it was a talk he gave about how to create a career for yourself in infosec. As I was desperately looking to do that, I must have watched his talk a dozen times. And I followed his advice. I started creating a brand for myself, I started talking to more people. I’ve continued to follow Rob, learning by picking up the scraps he drops around him with his career. He is a very busy man. He has a day job, a part time job, and a family. I’ve met him once in passing at Derbycon and he’s a great guy, quiet, humble, but very open. He’s one of the many people that have inspired me to take my career seriously.

I fell backwards into infosec like a lot of folks have, by generally being interested in tech, getting some jobs I didn’t like, some I did, and slowly adding security into it. As I have recently come into more of a mentor role than a mentee, reading Rob’s first line in that article is what sent my mind spinning all day.

Also, there is no possible way that I’m the first one that has identified this, but here it is (trust me, I tested it so many ways to confirm it because I couldn’t believe it was true)

One thing I’ve found to be true among almost every competent tech person is discomfort with their abilities. They’re not scared really, just unwilling to boldly lay claim to things without research, testing, and if possible, independent third party verification. I have suffered from this my whole life, and it somehow makes me more comfortable with people’s skills if they ask you to verify things rather than trust them.

The important thing about this feeling is, that’s what makes the industry not just great, but incredible. I have found myself doing the same things I was shocked to find people I looked up to doing. Giving back. Replying to questions from strangers with annotated lists of resources and interpretations. I’m sure at some level there is community in many career paths, but in security, community is the only way to succeed. Rob inspires me every day because he may not be right, or new, or original, but he’s working hard and putting it out there for other people to learn from. This takes all forms. Conversations, blogs, podcasts, conference talks, sample code, tutorial videos, vulnerable VMs, encouragement. It’s not hard to find someone doing something inspiring, or someone that can easily be inspired. Infosec has taught me community is not the gathering of people. I spent a great deal of my life thinking that simply a group of like minded people creates a community. This is not the case. Community is the action of building each other up so that the whole is greater than the parts.

Books 2015 Part 1

The intention of this post was to be an annual reflection of my reading habits. Since I’ve kept at it for seven months, I’m not going to delay it until 2016, I’ll just drop monthly updates whenever I work my way through a book or two.

January 2015

I started re-reading Shadowrun novels after trying to plan a blog post relating my Macbook to a cyberdeck in this universe. I got sucked in because they’re entertaining. I haven’t read many of these since early college, and it is fascinating to see what predictions about the future they totally missed. Fax machines are still a thing in this universe. And payphones, called telecoms, but the principle is the same.

Streets of Blood

Nosferatu

Striper Assassin

February 2015

Just a single entry, because Neal Stephenson writes books that are forever long. Snow Crash is the next book out of people’s mouths after Neuromancer. I’ve read most of William Gibson’s cyberpunk stuff, so I decided it was time to give this one a shot. It’s got some great stuff in it, but is way too long to develop what really was a fairly simple story. I think I’ll be avoiding Neal Stephenson for a while. I still love Cryptonomicon, but I was pretty unhappy at the end of reading this book, despite the utterly badass notion of a hacker with swords that wrote a sword-fighting engine to match his reality.

Snow Crash

March 2015

March is nonfiction month. I’ve spent two months this year reading fiction, so now it’s time to get on track with something else. I’ve got a backlog of want and need to read stuff. I don’t really have any goal except to read new books rather than re-read old books, and for them to be non-fiction. However, they’re obviously closely matched to my interests, one has Macintosh in the title.

The Macintosh Way Picked this up when Guy put these out for free. I am nostalgic about Classic Mac stuff, probably because it was my first exposure to computing. I’ve read folklore.org on and off for almost ten years. Now that I have experience watching and interacting with the management of a fair sized corporation, these sorts of books are a lot more interesting. — After finishing the book it’s very funny to compare 1990 Apple to 2015 Apple. There’s a lot that they didn’t do or believe in then that is a staple of their business now, mostly retail and hands on support. There are many other things that stand out as exactly the same, namely they want developers to create fantastic Mac and iOS applications. Apple does not want ports from other operating systems, they don’t want good enough, they want their platform to run the best software.

Lauren Ipsum I think I saw this on one too many infosec slides and needed a short break to something completely different. It’s borderline non-fiction. There’s a little girl lost in a strange world, which turns out to directly map to computing concepts. It’s kind of like Tron meets Through the Looking Glass. It’s not a bad story, it just feels exaggerated for the effect of the metaphor. I probably will not be reading this again.

April 2015

Continuing non-fiction, I started with Creativity, Inc. Mostly because I bought a copy for my Dad and I know he will want to discuss it. Well, that and Ed Catmull and Pixar have proven to be one of the most clever groups to deal with people.

May 2015

Finally finished Creativity, Inc. To crudely sum it up, the entire book focuses on intrinsic honesty. Pixar’s success is based on the fact that anyone can tell anyone anything, no repercussions. Catmull presents this in different ways, talking about his own history, John Lasseter and the other film directors, and of course Steve Jobs. They all have a different way of looking at it and phrasing it, but honesty is what drives their professions and the company they work for. It’s impressive to read about a company that both says they work for that kind of honesty, then shows it. Catmull describes many painful moments when they needed the honesty to make the films work. He also talks about “Notes Day”, when they turned to the company at large to help them become more effective. This struck me because he describes the thoughts leading up to it, its execution, and its follow-through. I’ve never seen something like that executed on that scale by an organization so … honestly.

June 2015

Busy month, nothing to report here other than I’ve pledged to myself that I need to read more books I’ve never read before. I spent a fair bit of time thinking about it and realized I’ve been reading the same couple of dozen books every few years for roughly twenty years. No more. I’ll need a break eventually, but for now I need to stop reading pulp sci-fi and horror books. I need to spend more time reading different things. For now that’s all pretty technical non-fiction, but we’ll see where this path ends.

July 2015

June was weird and as such I didn’t actually finish things. I slowly moved through this, Dissecting the Hack: The F0rb1dd3n Network, Revised Edition, at home and WOW is all I can think to say. If you ever know anyone interested in the nuts and bolts of infosec, this is the book for them. It’s got a cheesy narrative story in the first half of the book, which feels like a true-to-life adaptation of the movie Hackers. However the second half is astoundingly verbose, contextualizing every bit of jargon, in-joke, or techy thing that happens in the story. After reading this I feel like if I had read it two years ago, I would be in a very different position in my life. This book compiles all the things that I’ve picked up from blog posts, con talks, conversations, twitter, and every other source that has helped me learn about infosec. Totally worth the time for anyone that considers themselves new to the industry, or anyone willing to learn a little bit more.

At work I’m also trying to branch out, but this time with a lot less success than my home book. Metasploit: The Penetration Tester’s Guide felt like a misguided mess. The book opens with a quick once over of Metasploit features, where and why to use them, but left me with lots of “how?” questions. The most glaring example is database use. The book guides you through using nmap directly in Metasploit, storing the results in a database, and then . . . nothing. That’s the last reference to the database that I saw. WHY would you store all your scan results, then not use them as a variable in every module for the rest of the book?! That failure definitely biased me through the rest of the book, because for every example I’m asking, “Why the HELL am I typing RHOST again?!”. Another sin that bugged me, but honestly is not the authors’ fault, is that two thirds of the exploit examples are based on Windows XP SP2. In 2010, when the book was published, that wasn’t that big of a deal to find. Now? In 2015? I’ve got access to a software testing library, and we don’t keep those laying around. I blame this on the editorial staff not being technically foresighted enough. There are plenty of intentionally vulnerable Linux distros that could have stood in for Windows. Enough ranting. If you’re reading this and interested in Metasploit, read the Offensive Security version of this book, Metasploit Unleashed.

A gesture

The reason Apple nearly ignored the Mac Mini is control. I nearly missed the revolution of gestures on the desktop because my only Mac was a Mini with a mouse. With the MacBooks, and in recent years, the iMacs, the default input has changed from a mouse to a trackpad. For a lot of people, Apple invented the mouse, how could they take it away? They took it away because they found a better experience. Watching the changes in Safari that were showcased in Monday’s keynote, it finally clicked home in my head.

From my point of view, gestures are the convergence point of iOS and Mac OS. Since the first release of the iPhone, bloggers and others have been wringing their hands about the iOS-ification of Mac OS. I have always thought they were missing something serious, “who will be writing and compiling Objective C on an iPad?”. I think that I, too, was missing a point. The convergence of these two things will be based on the design.

“Most people make the mistake of thinking design is what it looks like. People think it’s this veneer — that the designers are handed this box and told, ‘Make it look good!’ That’s not what we think design is. It’s not just what it looks like and feels like. Design is how it works.” –Steve Jobs

If design just gets out of the way, old metaphors like scroll wheels on mice just don’t cut it. Swipe, pinch, drag, grab gestures, they just make more sense. More and more of our computing experiences are moving to the browser. The easier the browser is to use, the better the experience you have with the computer, and past that, the Internet. I was shocked the first time I used two fingers to scroll on an Apple trackpad, or two fingers to right-click, or swipe to go forward or back. It just seemed right.

I’ve always loved Apple for the experience, the little things. With my Macs, I’ve always had gigabit Ethernet ports, wifi, DVD players, and great trackpads. Not good, great. I cannot recall missing a tap. Or failing to scroll, or losing the cursor because it’s taken on a mind of its own. In other laptops, all these features seem to be optional or add-ons, if they are available at all.

Walk Away

One of the rules of troubleshooting is never change more than one thing at a time. Given that I have effectively become a professional troubleshooter as a sysadmin, you’d think that I would be capable of remembering this. Turns out, not so much.

After spending the better part of 3 months acquiring, configuring, reconfiguring, and using my test lab ESXi machine, I decided it needed one last bit of reconfiguring. Since the purpose of this is to have a platform for testing exploits, it is a good idea to create a DMZ network to wall the virtual machines off from the rest of my home LAN. “This should be easy”, I told myself. Add a NIC to the router (an old Dell running pfSense) and one to the ESXi host (a less old Dell), connect the two and tell pfSense what to do with traffic.

Turns out it really is just that easy. Once the link is active in PFSense, you just add the interface, rename from OPT1 to DMZ just to clean it up, and set the IP. Next, set a couple of simple firewall rules to allow any traffic from the DMZ interface to anywhere that is NOT the LAN interface, and any traffic from the internet to the DMZ interface. Then just turn on a DHCP server, and away you go.
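The DMZ policy above, written out as a plain pf ruleset so the intent of each GUI rule is visible. This is an added example, not the post’s configuration and not the ruleset pfSense generates (pfSense builds its own from the web UI and adds its DHCP and outbound NAT rules for you; those are spelled out here because a hand-written ruleset needs them). Interface names and address ranges are assumptions. The one rule worth a second look is “any traffic from the internet to the DMZ”: on a DMZ that exists to host deliberately vulnerable VMs, that exposes every one of them, so the example shows the post’s rule commented out next to a narrower port forward.

```pf
# Added example: pfSense-style DMZ policy as a pf ruleset (FreeBSD pf syntax).
# Interface names and networks below are assumptions, not from the post.
lan_if  = "em0"               # assumed: LAN NIC
wan_if  = "em1"               # assumed: WAN NIC
dmz_if  = "em2"               # assumed: the NIC added for the DMZ (OPT1 renamed to DMZ)
lan_net = "192.168.1.0/24"    # assumed: LAN range
dmz_net = "10.10.10.0/24"     # assumed: DMZ range handed out by the DMZ DHCP server

set skip on lo0

# Translation rules come before filter rules in FreeBSD pf.
# Outbound NAT for the DMZ (pfSense does this automatically for internal interfaces).
nat on $wan_if from $dmz_net to any -> ($wan_if)

# Narrower alternative to "anything from the internet to the DMZ": forward one
# port to one assumed host instead of exposing the whole network.
rdr on $wan_if proto tcp from any to ($wan_if) port 8443 -> 10.10.10.20 port 443

# Default deny; "quick" on the rules below gives pfSense's first-match behaviour.
block log all

# DHCP clients send from 0.0.0.0:68, which no "from $dmz_net" rule will match,
# so the DHCP exchange needs its own pass (pfSense adds this when you enable
# the DHCP server on an interface).
pass in quick on $dmz_if inet proto udp from any port 68 to any port 67

# Let DMZ hosts use the router's own DNS and NTP on the DMZ address only ...
pass in quick on $dmz_if inet proto udp from $dmz_net to ($dmz_if) port { 53 123 }
pass in quick on $dmz_if inet proto tcp from $dmz_net to ($dmz_if) port 53
# ... and nothing else on the firewall itself (webGUI, SSH on any address).
block log quick on $dmz_if from $dmz_net to self

# "DMZ to anywhere that is NOT the LAN": an explicit, logged block for the LAN
# followed by pass-to-any. pfSense's "invert match" on the destination
# (to ! $lan_net) expresses the same thing in one rule, but without the log line
# you would want when a lab VM starts probing the LAN.
block log quick on $dmz_if from $dmz_net to $lan_net
pass in quick on $dmz_if from $dmz_net to any keep state

# The post's rule, as written: everything from the internet to the DMZ.
# Left commented out; only the forwarded service above is reachable.
# pass in quick on $wan_if from any to $dmz_net keep state
pass in quick on $wan_if proto tcp from any to 10.10.10.20 port 443 keep state

# LAN may reach the DMZ (to manage the VMs); the reverse is blocked above.
pass in quick on $lan_if from $lan_net to any keep state

# Traffic the router itself originates, and replies for the states created above.
pass out quick all keep state
```

The ruleset can be syntax-checked without loading it using `pfctl -nf <file>` on any FreeBSD host; pfSense itself should still be configured through its UI, and the rules it generates can be read back from the firewall’s rules.debug file to confirm they match this intent.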

Away I go, almost. The link is up and physically active, blinky lights and all, but no DHCP. “How did you check this?” Good question, glad you asked. In the configuration of the ESXi host, there’s a network adapters section. Looking at this, the LAN interface showed the IP range that I had configured on the LAN interface DHCP server. I *assumed* the same thing would happen when I connected the DMZ link. “Didn’t you try to verify another way?” Yes, and here’s where I totally dropped the ball. I tried rebooting the router and the ESXi host, nothing changed, I tried reconfiguring the ESXi connection, I tried reconfiguring the DMZ interface on the router, nothing changed. I added the interface to a vSwitch, connected only that vSwitch to a VM, and tried to force its NIC to update, even rebooted the VM. “Didn’t you say you were a sysadmin? You couldn’t figure out networking?” I was in a hurry, so I logged into a VM I had never used before, thinking it would be just as good as another. I was wrong.

In frustration, and knowing that I was already confused by something simple, I stopped, and came back the next night. For good measure, I rebooted both machines. I logged into a different VM, BackTrack. I’m comfortable with the OS at a command line and GUI level. My assumption this time was, “it’s another day, before you change anything, just give it a shot”. TA-DA! Now it works. Connected immediately, could ping the gateway (DMZ interface) IP, could ping google.com, distrowatch.org, you name it. Internet connection live.

So I changed configuration and tested with something I didn’t fully understand. This time it didn’t really cost me anything, because getting that interface working was the goal of the night. But it did serve as a reminder not to get cocky. I’m fairly comfortable troubleshooting simple networking problems, provided I’m using tools I am comfortable with. I’m also thankful it only took me 24 hours to find the solution.

Be Cool

I’ve watched people fumble in presentations, I’ve watched them lose audiences because they let a hiccup break their concentration.

Giant caveat here; I’ve done the same. For a long time, every time I was put on the spot I would make the same mistakes. Get lost in something loosely, or entirely unrelated, have glitches, or lose your place. Lose the concentration needed to pick right up.

The best speakers are the ones who take this all in stride and adapt their ideas on the fly. The first time I remember watching this failure to fail happen was in high school. Watching a garage band play, one guitar player broke a string towards the end of a song. The other members broke into a long, winding interlude while the other dropped out, strung a new string, retuned his guitar and picked back up. They didn’t pause, they didn’t even look at each other. Was this something they rehearsed?! It doesn’t matter. To most of the audience, they probably didn’t even notice that the band was short a member for 5 minutes, the show just went on.

This is the message I am trying to internalize. If you don’t act like something is wrong, nothing is wrong. I’ve seen presenters lose sound or video, and just keep right on trucking. Projector fails? Slides are wrong, missing, out of order, typo’ed? Just keep swimming. If you show your audience that those things are unimportant to your message, it’s easy to get past. I was reminded of this situation recently by reading redteams.net.

  1. Look cool.
  2. Never get lost.
  3. If you get lost, look cool.

Looking cool is important to get your audience to believe you. To believe that you know your material. Acting cool is how you keep your audience, how you hold them tight when you’re going to shit. Public speaking is rarely as life-threatening as Special Forces operations, but those three rules still apply for the same reasons. Look cool; know your talk, know your slides. Be prepared to go it without slides, without a mike. Never Get Lost; don’t let something unexpected get in your head. If you do get lost, Look Cool; practice what you’re doing so that you can fall back on what you’re talking about, or how you’re talking. If you build your talk, your presentation, your meeting this way, you will succeed, you will get your message across, you will hold their attention.

This weighs heavy on my mind this year as I’ve started speaking at conferences, something I had never before even considered doing. Previously I was scared stiff of anything remotely related to public speaking, even in small meetings. Now I am forcing myself to build a simple message and deliver it to the best of my ability. I have rehearsed my talk, I have learned how to look cool while I’m doing it. It’s not easy, but it is a new muscle that needs flexing. Communication is always the most important thing in any job, so I am forcing myself to get better at the parts I know I struggle with.