*  Bring a system compromised during testing with Metasploit into the IMPACT environment and deploy an IMPACT Pro Agent. The Agent is a patented, syscall proxy payload that allows users to:

1. Launch IMPACT Pro’s full range of automated penetration testing capabilities from the compromised system.
2. Leverage IMPACT’s broad selection of commercial-grade exploits, plus multiple pre- and post-exploitation capabilities for in-depth, comprehensive attack replication.
3. Pivot penetration tests to other systems, mimicking an attacker’s attempts at identifying and exploiting paths of weakness to backend systems and data.

* Use IMPACT Pro’s automated Rapid Penetration Test (RPT) to exploit vulnerabilities, then launch Metasploit’s db-autopwn feature and subsequently upload the results back into IMPACT Pro. This allows users with less training and expertise to view Metasploit testing information within the IMPACT environment.

I for one am looking forward to playing with this

Press Release

Blog Announcement

But you’re not going to get one… well not a full one anyway.

I have had some pretty dramatic changes happening this year thus far. These are causing a re-evaluation to what I do and what has become my primary focus. There will be some big announcements this year, but I can’t give you anything just yet.

So I’m still here and I haven’t forgotten about you. I am just busier than ever trying to organize some stuff that I hope you will like

This site will be blacked out between now and the 29th of January 2010.

If you would also like to support the cause, visit www.internetblackout.com.au to find out how to black out your site.

I found it so worthwhile I’ve decided to give it a review. So let’s start from the start and I’ll give you as much detail as I think I am legally allowed.

Getting Access

First of all the sign up process is not quite what I have experienced with other certifications. I psyched myself up, sat down with my bosses’ credit card and was all ready to spend some of his money… but no… The guys at offensive-security don’t want your money straight off. Instead they email you with an openVPN configuration attachment with the purpose confirming that you can actually connect to their labs before taking your (or your bosses ) hard earned money.

Now a point of note for those located behind an Ironport Mail Gateway: I waited days for the response email and heard nothing. I was actually starting to get a rather cranky at their (lack of) service. I mean, I had employer dollars to spend. I managed to get in contact with them and deduced that Ironport* have given the Offensive-Security mail server IP a reputation of -3 which is well under our drop by reputation thresholds. After rearranging with them to send all correspondence to my Gmail account we were away.

The Course

So with email working and the VPN confirmed operational we arranged payment for the course (which again was a problem due to the credit card not being in my name… but we won’t go into that) and I got my material and 60 days lab time. What you actually get for your $700USD is quite impressive.

• One PDF containing the course lessons.
• One set of SWF video files where Muts walks you through all but the last few of the course modules.
• 24/7 access to the Labs for 60 days via VPN which is full of vulnerable devices to attack; and,
• Hours of guaranteed pain, suffering, joy, frustration and exhilaration.

The combination of these materials creates a very comprehensive learning environment. Overall there are 16 modules of delightfully wicked goodness. The PDF covers each of them in fair detail but the videos are the real meat of the course. Each module covers a specific aspect of penetration testing. These range from the information gathering stage, all the way to keeping access and rootkits.

Muts, through the videos, keeps you company as you make your way through the course material. He pushes you to learn more and he provides links to more information in case you would like to expand your knowledge in any of the areas that can’t be covered in depth through a 5 minute presentation. I found him to be very articulate and the videos are of quite high quality.

The videos only cover from chapters 1 – 13 and then you are left with the PDF to guide you through the rest. This turns out ok however as the last 3 modules are more of a brief and require more external reading through the provided links rather than the total immersion that is the previous modules.

Most modules allow for hands on practice through the labs. This was of the most benefit to me as this is how I learn best. Often I find you can read something that sounds simple and easy but when it comes to actually putting it into practice things just don’t go according to plan. Hours were spent by me working through the exercises and trying to smooth out the lumps and bumps and believe me… there were plenty of lumps and bumps

Lastly once you have finished the modules you are free to (and actively encouraged to) attack the rest of the lab network with the exception of the other student machines. A list of final challenges is set upon you and the goal is simply to get root or admin access to each device. This is quite a lot of fun, and far from easy.

The Exam

The first thing I have to say about this exam is that it’s a really tough exam. You are given 24 hours to gain root or admin access on 5 devices. From what I have seen in the field, these devices are as close to the real deal as you can get.

It was a lot of fun when I wasn’t stressing to the hilt. The different ways to break into these devices was very good and bound to stretch your mind.

What else can I say about this exam… well not much. I’m not allowed to… sorry

After you successfully pass the exam you are given access to a forum just for OSCP’s where you are free to discuss all aspects of the exam and course. I found it interesting that students worked out multiple different ways to get into the same devices. This brings on my only real point of angst about this course. I was unable to crack one device, so as soon as I got access to the forums I jumped in to find out how to crack this nut. It turns out everyone before me (that posted) had done it using a particular exploit that works on a particular port (could I be any more obscure ). So moving back to my pain point… That port was not even open on that device during my exam!!! So, I still have no idea how to get into this device.

Conclusion

This is a brilliant course!

I have done many courses both from vendors and course providers such as SANS and the Offensive-Security. While a lot of the other courses have been great, the Pentesting with Backtrack (OSCP) has easily provided me with the most value. I walk away from this course actually feeling like I have achieved something solid. This is both due to the time it takes to work through the course at your own pace and the quality of the content.

This course is by no means for beginners into IT. It works through some very complex topics and concepts. It is recommended that you have at least some coding experience as well as an operational knowledge of Windows and Linux.

For $700USD I think it’s a must for anyone in the IT security industry to work towards and I expect to see the certification gain serious traction and the respect it deserves in the near future. I know I’d be looking for an OSCP if I was hiring.

But I did it!!! I received confirmation this morning that I passed the CISSP exam.

I’ll send off my Endorsement form and CV tomorrow and then I should be officially CISSP Certified.

I have to say a big thanks to my wonderful wife and boys for putting up with me, and the lack of time I could dedicate to them while I was studying… although strangely, they seem to be happier .

Hey, only two more exams to go before Christmas… maybe I’ll be able to spend Christmas Day with the family

Due to this embarrassing incident I have recoded pattern2code based on some code that Jamie provided. He is somewhat of a stella coder so this version looks much nicer than anything I have provided thus far.

The new code can be downloaded from the tools section and more information about the script can be found here.

Special thanks to Jamie for the feedback and showing my some new coding tricks.

Pattern_create.rb is a great little tool that can be found in the /tools directory of your Metasploit framework. It is used to create a pattern of characters to a specified length which you can then inject into applications as a buffer overflow. Its sister script, pattern_offset.rb, is then  used to identify how many bytes from the start of the string a particular part of the pattern occurred.

pattern2code.py is a script I created to save me manually modifying the pattern_create.rb patterns to fit into my fuzzing code. Its simple to use and will output the pattern into either Python, Perl or C code.

Running the script is as simple as piping the output from pattern_create.rb into the pattern2code.py and specifying a name for the buffer, a length of each split, and the language output.

The instructions below can also be found in the script if required;

[+] Usage: ./pattern2code.py <buffername> <length> <languagename> <input>
[+] <buffername> = Custom buffer name
[+] <length> = Length of each split
[+] <languagename> = Perl, Python or C
[+] <input> piped input from pattern_create.rb

Output examples:

# ./pattern_create.rb 180 | ./splitter.py overflowbuff 50 python

overflowbuff = “Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab”
overflowbuff += “6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A”
overflowbuff += “d3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9″
overflowbuff += “Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9″

^ Python code output with a 50 character split.

# ./pattern_create.rb 260 | ./splitter.py newbuffer 40 perl

my $newbuffer =
“Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2A” .
“b3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac” .
“6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9″ .
“Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2A” .
“f3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag” .
“6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9″ .
“Ai0Ai1Ai2Ai3Ai4Ai5Ai”;

^ Perl code output with 40 a character split

# ./pattern_create.rb 260 | ./splitter.py newbuffer 55 c

unsigned char newbuffer[] =
“Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7A”
“b8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad”
“6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4″
“Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2A”
“h3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai”;

^ C code output with a 55 character split.

Here is the code for your enjoyment

The code can also be downloaded here

Enjoy!

P.S. I would love to hear feedback on how to improve my code so please leave a comment…

There is another interesting track being run in Australia for the first time. “Advanced Security Essentials – Enterprise Defender” being taught by Eric Cole is the next step up from the GSEC (Security Essentials) course. It looks really interesting, and being taught by Eric Cole is sure to be fun.

Kick off is in less than two weeks (9th – 14th Nov) so if you haven’t already booked you’d better hurry.

For those that are going, i’ll see you there!

Local Administrator Privilege Escalation Techniques

Domain Admin Privilege Escalation Techniques