Kilala.nl - Personal website of Tess Sluijter

The impact of DOGE and a case for non-political case studies

2025-02-12 19:52:00

On the CompTIA Instructor's Network, Greg wondered whether DOGE (the newly minted NGO in the US) is actually a threat to national security. A lively discussion broke out, where Hank remarked:

"In this case, I am not sure how to discuss the technical issues without politics."


I suggested that we can discuss the issue, from the point of view of the aspects of infosec which we teach: Risk management. Threat modeling. Assumed breach. Access controls. Data destruction.

So here's a threat modeling exercise:

The case:

Question to the students:

Which security controls can we put in place to disrupt the threat actor's activities and to prevent or mitigate the threat actor's interests and activities?


Prepping for OSCP+ and CPTS

2025-01-24 20:41:00

Three weeks ago I mentioned that I'm going for my OSCP certification, again.

Since then I've been working my way through the Hack The Box Academy pentest learning path. On the one hand to refresh what I already know, on the other hand to learn some new tricks... And in general to get back into a regular process loop of research-enumerate-attack-privesc-loot.

Overall the HTB course has been pretty great!

I've recently also taken a look at Try Hack Me (though not as extensively as HTB) and I like the THM interface a lot less than HTB. In almost every aspect (UI, writing, examples and labs) I like HTB a lot more than THM. 

There's one module where I feel HTB could've done things differently: Password Attacks. In that module, they could give just a little more guidance in the brute-forcing exercises, to ensure students don't have to spend 2+ hours waiting for a test to run.

I know: it's realistic! In real life you could have a cracker like hashcat run for days without results. You could have a brute forcer like Hydra come up dry after six hours. But when you're going through a training and most sections in a module take 30 minutes, it really grinds your pace to a halt when one section takes 2+ hours, just because you're waiting. 

When the example files give you 100 users and 200 passwords, even without permutations that gives you 20,000 login attempts to try. Adding the custom permutation rules the HTB lab suggests, you're looking at 94k possible passwords, so roughly 9.4 million login attempts.

For a lab, that just doesn't fly. For the final exam? Sure! But not while you're trying to learn and practice.


Vast.ai for password cracking

2025-01-20 20:59:00

A few days ago I was moping about how my laptops and other computers are too slow for password cracking. Someone tipped me about vast.ai, which offers GPU workloads in the cloud.

It cost me $0.04 to rent fifteen minutes of time on someone's 4090. The actual cracking took less than a minute; the other fourteen were spent moving in my password list and the hashes.

This is great :D 


Hashcat, Linux VM in UTM and MacOS on ARM

2025-01-06 15:37:00

Just a gentle reminder that you really shouldn't try to use Hashcat (the password cracker) in a virtual machine. Not even in UTM on aarch64: the guest has no access to the host GPU, so Hashcat ends up running on the CPU.

Instead, install it on your host OS so it can properly make use of the GPU in your computer for accelerated cracking. On MacOS it's as simple as "brew install hashcat".

It's not super-fast on my M2 Macbook Air, I'll give you that. 

Running: hashcat --username -m 7300 ipmi.txt -a 3 "?1?1?1?1?1?1?1?1" -1 "?d?u"

That is: ignore the username prefix on each line of ipmi.txt (--username), hash mode 7300 (IPMI 2.0 RAKP HMAC-SHA1), and a mask attack (-a 3) over eight positions, each drawn from custom charset 1, which is digits plus uppercase letters (-1 "?d?u"). That's 36^8, roughly 2.8 trillion candidates.

Hash.Mode........: 7300 (IPMI2 RAKP HMAC-SHA1)
Hash.Target......: 0d7bd5208204000049bc6aa3b42dabc39b36794995510217ff9...c8bbc7
Guess.Mask.......: ?1?1?1?1?1?1?1?1 [8]
Guess.Charset....: -1 ?d?u, -2 Undefined, -3 Undefined, -4 Undefined
Speed.#1.........: 134.2 MH/s (10.98ms) @ Accel:192 Loops:16 Thr:64 Vec:1
Hardware.Mon.#1..: Util:100%

EDIT:

I've reconsidered. I uninstalled the Homebrew version of Hashcat and built it from source. Running it now, it doesn't use Metal but OpenCL. Performance is somewhat better on my M2.

Hash.Mode........: 7300 (IPMI2 RAKP HMAC-SHA1)
Hash.Target......: 0d7bd5208204000049bc6aa3b42dabc39b36794995510217ff9...c8bbc7
Guess.Mask.......: ?1?1?1?1?1?1?1?1 [8]
Guess.Charset....: -1 ?d?u, -2 Undefined, -3 Undefined, -4 Undefined
Speed.#2.........: 157.7 MH/s (10.20ms) @ Accel:256 Loops:512 Thr:64 Vec:1
Hardware.Mon.#2..: Util:100%
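To size a mask attack like the one above before launching it, here is an added example (not code from this post, nor from hashcat itself) that reproduces the counting rules of hashcat masks: the built-in charsets (?l ?u ?d ?s ?a ?b ?h ?H), the custom charsets -1 to -4 (which may reference built-ins or each other, with duplicate characters collapsing), and ?? for a literal question mark. Fed the mask and the two hash rates from the output above, it gives the worst-case runtime; the ?a case is included to show why restricting the charset matters. The rate labels are my own.

```python
"""Keyspace and worst-case runtime for a hashcat mask attack (-a 3).

Added example; it mirrors hashcat's mask semantics for counting purposes only.
"""
import string
from math import prod

# Built-in charsets with the same contents hashcat uses.
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,                                   # 33 characters
    "a": string.ascii_letters + string.digits + " " + string.punctuation,  # 95 characters
    "b": "".join(chr(i) for i in range(256)),                        # all byte values
    "h": string.digits + "abcdef",
    "H": string.digits + "ABCDEF",
}


def _tokens(spec):
    """Split a mask or charset spec into ('lit', char) and ('ref', name) tokens.

    '?x' refers to a charset; '??' is a literal question mark.
    """
    out, i = [], 0
    while i < len(spec):
        if spec[i] == "?":
            if i + 1 >= len(spec):
                raise ValueError(f"dangling '?' in {spec!r}")
            name = spec[i + 1]
            out.append(("lit", "?") if name == "?" else ("ref", name))
            i += 2
        else:
            out.append(("lit", spec[i]))
            i += 1
    return out


def expand_charset(spec, custom=None):
    """Return the set of characters a charset spec covers.

    custom maps 1..4 to the -1..-4 charset strings. Duplicates collapse, as in
    hashcat, so "?d?u?d" has 36 members, not 46.
    """
    custom = custom or {}
    chars = set()
    for kind, val in _tokens(spec):
        if kind == "lit":
            chars.add(val)
        elif val in BUILTIN:
            chars.update(BUILTIN[val])
        elif val.isdigit() and int(val) in custom:
            # A custom charset may reference another one; drop its own key so a
            # self-reference cannot recurse forever.
            inner = {k: v for k, v in custom.items() if k != int(val)}
            chars.update(expand_charset(custom[int(val)], inner))
        else:
            raise ValueError(f"unknown charset ?{val} in {spec!r}")
    return chars


def mask_keyspace(mask, custom=None):
    """Number of candidates a mask generates: the product of per-position sizes."""
    sizes = [1 if kind == "lit" else len(expand_charset("?" + val, custom))
             for kind, val in _tokens(mask)]
    return prod(sizes)


def estimate_seconds(keyspace, rate_hs):
    """Worst-case wall-clock seconds to exhaust the keyspace at rate_hs hashes/second."""
    if rate_hs <= 0:
        raise ValueError("rate must be positive")
    return keyspace / rate_hs


def report(mask, custom, rate_hs):
    """Keyspace plus the worst-case runtime in seconds, hours and days."""
    ks = mask_keyspace(mask, custom)
    secs = estimate_seconds(ks, rate_hs)
    return {"keyspace": ks, "seconds": secs, "hours": secs / 3600, "days": secs / 86400}


if __name__ == "__main__":
    # The attack from the post: eight positions, each a digit or an uppercase letter.
    custom = {1: "?d?u"}
    for label, rate in [("Homebrew build", 134.2e6), ("source build", 157.7e6)]:
        r = report("?1?1?1?1?1?1?1?1", custom, rate)
        print(f"{label:>15}: {r['keyspace']:,} candidates, {r['hours']:.1f} h worst case")
    # Same length over the full printable set: no longer an afternoon job.
    r = report("?a?a?a?a?a?a?a?a", {}, 157.7e6)
    print(f"{'?a x 8':>15}: {r['keyspace']:,} candidates, {r['days']:.0f} days worst case")
```

The numbers are an upper bound: hashcat stops when every hash in the file is cracked, and a real target may fall early in the keyspace. The point of the calculation is the other direction: if the worst case is measured in years, either shrink the mask (as the post does by restricting to ?d?u) or move the job to the GPU hardware the later post describes.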

Using ODAT to pentest Oracle TNS on aarch64 (ARM)

2025-01-06 14:28:00

Hack The Box have a nice lab, where we're introduced to the basics of poking at the Oracle TNS service. 

In this lab, they offer a set of commands to download and set up ODAT (Oracle Database Attacking Tool) on your Linux workstation. They assume you're working on Parrot OS, on x86_64.

Meanwhile, I'm working on Kali Linux, inside UTM, in MacOS on aarch64. The instructions are different. Here's what worked for me.

#!/bin/bash
# Set up ODAT on Kali Linux running on aarch64 (here: inside UTM on an Apple Silicon Mac).
set -euo pipefail

# Build and runtime dependencies: libaio for the Oracle client, python3-dev for native modules.
sudo apt-get install -y libaio1t64 python3-dev alien

cd ~
git clone https://github.com/quentinhardy/odat.git
cd odat/
git submodule init
git submodule update

# Oracle Instant Client for arm64 (basic + sqlplus); ODAT needs the client libraries.
wget https://download.oracle.com/otn_software/linux/instantclient/instantclient-basic-linux-arm64.zip
unzip instantclient-basic-linux-arm64.zip
wget https://download.oracle.com/otn_software/linux/instantclient/instantclient-sqlplus-linux-arm64.zip
unzip instantclient-sqlplus-linux-arm64.zip

# The unpacked directory is named after the client release (19_25 when this was written);
# adjust the name if Oracle ships a newer release. Set the paths now and persist them.
export LD_LIBRARY_PATH="$(pwd)/instantclient_19_25:${LD_LIBRARY_PATH:-}"
export PATH="$PATH:$(pwd)/instantclient_19_25"
echo "export LD_LIBRARY_PATH=\"$(pwd)/instantclient_19_25:\$LD_LIBRARY_PATH\"" >> ~/.bashrc
echo "export PATH=\"\$PATH:$(pwd)/instantclient_19_25\"" >> ~/.bashrc

# Python dependencies from the Kali repositories instead of pip.
sudo apt-get install -y python3-cx-oracle python3-scapy
sudo apt-get install -y python3-colorlog python3-termcolor python3-passlib python3-pycryptodome python3-pyinstaller python3-libnmap
sudo apt-get install -y build-essential libgmp-dev

Next to this, you will also need to make one small change to CVE_2012_3137.py in the ODAT directory. Kali's python3-pycryptodome package installs the library under the Cryptodome namespace rather than Crypto, so the AES import at the top of that file (at least on my Kali box) needs to be changed to read: "from Cryptodome.Cipher import AES".


Kali Linux on ARM Mac Silicon

2025-01-05 19:03:00

The Kali installer, seemingly stuck

I know, I know, I'm not a fan of Kali Linux. But for the OSCP exam it's kind of required that you use it, so I thought I'd set it up on my Mac workstations. Both have an M1/M2 ARM processor, meaning I need to forego the usual VirtualBox + x86 install. Instead, I'm using UTM.

Luckily it's a perfectly viable setup, with a caveat.

The installer will show a black screen, or if you run it in "expert mode" it'll look like the system got stuck booting. As per the screenshot above. 

Turns out, it's running just fine, but the installer lacks the required drivers to make the UTM / Qemu video display work. The UTM documentation gives clear guidance: you need to enable a serial port on the VM, at least for the duration of the install. The installation TUI will be available on the serial port (also shown in the screenshot).

After that, everything works perfectly fine! 

Except that cmd-tab-ing back and forth between UTM and other apps keeps popping up the applications menu in XFCE. Aggravating!

Luckily, that's easily solved by going into the XFCE Settings Manager > Keyboard > Shortcuts and disabling the "Super L" shortcut for "xfce4-popup-whiskermenu".

Also: if you want to enable file sharing and copy/paste between MacOS and Kali, you will need to install two additional packages: spice-vdagent and spice-webdavd.

Also: if you'd like a permanent mount of that shared folder via VirtFS, create the mount point (/mnt/utm) and add this to /etc/fstab:

share /mnt/utm 9p trans=virtio,version=9p2000.L,rw,_netdev,nofail,auto 0 0

Full details are in the UTM docs.


OSCP, again?!

2025-01-03 09:46:00

In May 2017 I got to quote that great line from Dredd:  

"She's a pass."

After months of hard work I completed my OSCP certification exam.

Since then a lot has happened! 

I've done projects for governments, banks and the military covering a lot of infosec fields. These days I'm mostly on DevSecOps. In the seven years since then I've done pentesting "on the side" with each of my customers, but I've never been a pentester. It's never been my primary role description. 

Imposter syndrome is no stranger to me, so I've often felt a bit out of place claiming "I understand and can do pentesting", while not exercising that particular field regularly. It irks me; I want to do something about it.

As of November 1st 2024, OffSec has introduced the new OSCP+, a CE (Continuing Education) version of the OSCP certification. Unlike the original, which was good for life, OSCP+ needs to be renewed every three years.

For current holders of OSCP, OffSec offer a discounted exam attempt ($199 instead of $799), enabling anyone certified to upgrade relatively cheaply towards the CE-version of OSCP. 

Now there's a great chance to beat that Imposter-monster. :D 

I've bought my exam voucher. Now I have exactly 120 days to prepare for and pass the exam!


My experience with the LFCS exam

2025-01-02 13:02:00

Yes, it's official now: I am also LFCS certified. Not because I need it for my résumé, but because I want to be certified for every class/course I teach.

Yesterday I mentioned I took the LFCS exam. I'd been wanting to do it for a while now, out of professional interest, but I kept putting it off. Spurred on by December's success with LPIC-1, I decided to take the plunge.

It was fun. I truly enjoyed the LFCS exam and preparation.

As I mentioned in yesterday's review of the big four Linux sysadmin exams, the LFCS fee includes not only two exam attempts but also two practice exams! That's some great value!

Like with my CKA Kubernetes exam, the practice exams are arranged via Killer.sh. They offer excellent exam simulations, which work exactly like the real exams! I mean: the user interface and the process are the same. Of course the assignments are not. ;)

As many have said: the Killer.sh practice exams are actually harder than the real LFCS exam. On my first practice round I needed 90 minutes for 17 assignments. When I did the real exam, I only needed 60 mins for 17 tasks.

The exam environment is solid, the interface is good, the assignments/tasks are clear. I absolutely love that every task has its own VM/container! With RedHat's exams you get one system for all your tasks and if you break that system you outright fail the whole exam. That's not a risk you run with Linux Foundation! Great stuff.

I can heartily recommend this exam; it's my favourite of the four!
