OSCP Review

Overview

I finally got the opportunity to take Penetration Testing with Kali Linux (PWK) and the accompanying Offensive Security Professional Certification (OSCP) exam. There are already lots of great reviews about the course, content, labs, etc. that you can find here: https://www.offensive-security.com/testimonials-and-reviews/ This is more of a half review / half brain dump of my thoughts about PWK and the OSCP. I tried to include some new information or tools, like batchconfig (https://github.com/opsdisk/batchconfig), that may help you succeed during and after PWK. Overall, it was a fantastic experience and I would highly recommend it for anyone that wants to "Try Harder".

Content

The PDF and videos are great for establishing the building blocks to becoming a penetration tester and infosec professional. Go through them even if you are familiar with the material...you can always learn something new!

Documenting with Confluence

I used Atlassian's Confluence (https://www.atlassian.com/software/confluence) wiki software to document my lab exercises and lab machines. It is free to trial, but will take some time to set up and get working. Confluence allowed me to organize my labs and notes effectively for my workflow. It has nice formatting options, keyboard shortcuts, and quick copy-paste of screenshots. Another great feature was the ability to export pages as PDFs. I exported the "Exercises" section and the sub-pages (e.g., "1.4.3") as a PDF and attached it as an appendix to my Lab Report.

Lab Experience

The different flavors of boxes and attack vectors offered in the lab allow you to experiment with different techniques, exploits, and scripts. Midway through my second 90 days, they updated the lab and changed the IP scheme, some of the target vulnerabilities, added/removed some new targets, and updated a few of the usernames and passwords. This was frustrating at first, but not entirely unrealistic in the real world. Some of the boxes had to be re-whacked, with one previously easy one taking a whole Saturday! After a final 5-day blitz clearing out the remaining boxes, I got all of the original lab boxes except for HUMBLE and SUFFERANCE.

Exam

I ended up using the entire 24 hours for the exam. The 10 point box was slayed quickly, then I spent the next seven hours on a 20 point one to get a partial shell. Unable to immediately escalate my privileges on that box, I moved on to the two 25 point boxes. I was able to knock these out in about four hours, despite my internet service going down three times in a half hour. It was almost a blessing as it forced me to stop, think, and re-examine some code. Escalating privileges on one of them took a whole 5 minutes.

The Reports

I modified the provided template for the Lab and Exam Report. If you are not a professional penetration tester already, write the Lab Report. Writing a report is the unglamorous part of being a penetration tester, but a critical skill. Writing the Lab Report forces you to translate the technical mumbo jumbo of an attack into a digestible story (including screenshots) for the client. You get additional points towards your final score anyway that may help in the end. Writing the Lab Report allows you to flesh out the structure of the Exam Report.

Random Tips / Thoughts

  • If your goal is total network compromise, create a network map as you go along...even if it is just pencil and paper (you will likely be doing some erasing!).

  • Keep a spreadsheet of box names, IPs, operating systems, usernames/passwords, domain/workgroups, etc. It helps to see potential connections between the boxes.

  • The web chat interface is great, easy-to-use, and the admins are responsive and professional.

  • For Windows post-exploitation enumeration, I repurposed batchconfig (https://github.com/opsdisk/batchconfig) to survey the box and find potential privilege escalation paths. Midway through the labs, I added the -f switch to dump all the results to one file and the -w switch to disable WMIC commands (that do not work on earlier Windows operating systems).

  • The Windows Meterpreter is a great payload and really robust in its capabilities. I would recommend sticking to plain old Windows cmd.exe shells though. You learn much more by "living off the land" and using the native Windows binaries and capabilities (debug.exe, tftp.exe, powershell).

  • The 8 virtual machine reverts per day do not sound like a lot, but they are more than enough. I used all of them once or twice. Be sure to revert before scanning a target.

  • If you are stronger with Windows (or Linux), start with those boxes in the lab at the beginning. This allows you to build your techniques and scripts for that specific OS. I was stronger with Windows so I started with those boxes first. After the end of the labs though, I was almost as strong in Linux and enjoyed the privilege escalation more.

  • The ability to tunnel, redirect, and bend traffic is critical in pen testing. Learn to utilize SSH tunneling and the difference between the -L, -R, and -D ssh switches. Leverage the SSH command shell shortcut ~C to set up/tear down SSH tunnels in an active SSH connection instead of exiting out of the SSH shell connection. If you decide to use the Meterpreter payload, check out the portfwd command, which is the equivalent of SSH's -L. I utilized the portfwd command on one box with a limited shell to throw a remote exploit at the same box against a port previously blocked by a firewall in order to gain an elevated shell. The vulnerable service was not available from my attack box, but since the traffic was originating from the box itself (localhost), I was able to exploit it and get an elevated system shell.
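
The difference between the -L, -R, and -D switches comes down to which end opens the listening port and which end makes the onward connection. As an added example (not from the original post or from any tool it mentions), this Python code parses ssh client command lines, such as those recorded by process auditing, and reports that for each forward. The function names, output fields and sample command lines are constructed for illustration, and only IPv4/hostname forward specs are handled.

```python
import shlex
# ssh(1) option letters that take an argument, so "-oLogLevel=QUIET" is not read as -L
TAKES_ARG = set("BbcDEeFIiJLlmOopQRSWw")
# flag -> (forward type, side that opens the listening port)
ROLE = {"L": ("local", "client"), "R": ("remote", "server"), "D": ("dynamic", "client")}

def parse_spec(flag, spec):
    """Decode [bind_address:]port[:host:hostport] for one -L/-R/-D flag."""
    kind, listener = ROLE[flag]
    parts = spec.split(":")
    if len(parts) in (1, 2) and flag != "L":   # -D, or -R used as reverse SOCKS
        target = "chosen per request (SOCKS)"
        kind = "remote-dynamic" if flag == "R" else kind
    elif len(parts) in (3, 4) and flag != "D":
        target = f"{parts[-2]}:{parts[-1]}"
        parts = parts[:-2]
    else:
        raise ValueError(f"unsupported forward spec: -{flag} {spec}")
    bind = parts[0] if len(parts) == 2 else None   # None: no bind address given
    return {"flag": flag, "type": kind, "listener": listener, "bind": bind,
            "port": int(parts[-1]), "target": target,
            "connects_from": "server" if listener == "client" else "client",
            "exposed": bind is not None and bind not in ("localhost", "127.0.0.1")}

def ssh_forwards(cmdline):
    """Return one dict per -L/-R/-D forward in an ssh client command line."""
    args, found, i, host_seen = shlex.split(cmdline), [], 1, False
    while i < len(args):
        arg, i = args[i], i + 1
        if not arg.startswith("-"):
            if host_seen:
                break                      # remote command starts here
            host_seen = True
            continue
        for pos, ch in enumerate(arg[1:], start=2):
            if ch in TAKES_ARG:
                value = arg[pos:]          # attached form, e.g. -L8080:host:80
                if not value and i < len(args):
                    value, i = args[i], i + 1
                if ch in ROLE:
                    found.append(parse_spec(ch, value))
                break
    return found

# Constructed sample command lines (not from the page).
SAMPLES = ["ssh -L 8080:10.0.0.5:80 user@jump.example",
           "ssh -N -R 0.0.0.0:2222:127.0.0.1:22 user@jump.example",
           "ssh -NfD 1080 -p 2222 user@jump.example"]
print(*[f for s in SAMPLES for f in ssh_forwards(s)], sep="\n")
```

The `exposed` field is true when the forward names a non-loopback bind address, which is the case worth reviewing first because the listening port is then reachable by other hosts.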

Miscellaneous

You can find batchconfig here https://github.com/opsdisk/batchconfig and follow @opsdisk on Twitter.
