2025-01-24 20:41:00
Three weeks ago I mentioned that I'm going for my OSCP certification, again.
Since then I've been working my way through the Hack The Box Academy pentest learning path. On the one hand to refresh what I already know, on the other hand to learn some new tricks... And in general to get back into a regular process loop of research-enumerate-attack-privesc-loot.
Overall the HTB course has been pretty great!
I've recently also taken a look at Try Hack Me (though not as extensively as HTB) and I like the THM interface a lot less than HTB. In almost every aspect (UI, writing, examples and labs) I like HTB a lot more than THM.
There's one module where I feel HTB could've done things differently: Password Attacks. In that module, they could give just a little more guidance in the brute forcing exercises, to ensure students don't have to spend 2+ hours waiting for a test to run.
I know: it's realistic! In real life you could have a cracker like hashcat run for days without results. You could have a brute forcer like Hydra come up dry after six hours. But when you're going through a training and most sections in a module take 30 minutes, it really grinds your pace to a halt when one section takes 2+ hours, just because you're waiting.
When the example files give you 100 users and 200 passwords, even without permutations that gives you 20,000 login attempts to try. Adding the custom permutation rules the HTB lab suggests, you're looking at 94k possible passwords, so nine million login attempts.
For a lab, that just doesn't fly. For the final exam? Sure! But not while you're trying to learn and practice.
kilala.nl tags: studies,
2025-01-20 20:59:00
A few days ago I was moping about how my laptops and other computers are too slow for password cracking. Someone tipped me off about vast.ai, which offers GPU workloads in the cloud.
It cost me $0.04 to rent fifteen minutes of time on someone's 4090. The actual cracking took less than a minute, the other fourteen were spent moving in my password list and the hashes.
This is great :D
kilala.nl tags: work, studies,
2025-01-06 15:37:00
Just a gentle reminder that you really shouldn't try to use Hashcat (the password cracker) in a virtual machine. Not even in UTM on aarch64.
Instead, install it on your host OS so it can properly make use of the GPU in your computer for accelerated cracking. On MacOS it's as simple as "brew install hashcat".
It's not super-fast on my M2 MacBook Air, I'll give you that.
Running: hashcat --username -m 7300 ipmi.txt -a 3 "?1?1?1?1?1?1?1?1" -1 "?d?u"
Hash.Mode........: 7300 (IPMI2 RAKP HMAC-SHA1)
Hash.Target......: 0d7bd5208204000049bc6aa3b42dabc39b36794995510217ff9...c8bbc7
Guess.Mask.......: ?1?1?1?1?1?1?1?1 [8]
Guess.Charset....: -1 ?d?u, -2 Undefined, -3 Undefined, -4 Undefined
Speed.#1.........: 134.2 MH/s (10.98ms) @ Accel:192 Loops:16 Thr:64 Vec:1
Hardware.Mon.#1..: Util:100%
EDIT:
I've reconsidered. I uninstalled the Homebrew version of Hashcat and built it from source. Running it now, it doesn't use Metal but OpenCL. Performance is somewhat better on my M2.
Hash.Mode........: 7300 (IPMI2 RAKP HMAC-SHA1)
Hash.Target......: 0d7bd5208204000049bc6aa3b42dabc39b36794995510217ff9...c8bbc7
Guess.Mask.......: ?1?1?1?1?1?1?1?1 [8]
Guess.Charset....: -1 ?d?u, -2 Undefined, -3 Undefined, -4 Undefined
Speed.#2.........: 157.7 MH/s (10.20ms) @ Accel:256 Loops:512 Thr:64 Vec:1
Hardware.Mon.#2..: Util:100%
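To put those Speed lines in perspective, here is an added example (not code from the post) that works out the keyspace of the mask used above and how long exhausting it takes at the two measured rates. The charset sizes are hashcat's documented built-ins (?l 26, ?u 26, ?d 10, ?s 33, ?a 95, ?b 256) and the -1..-4 custom charsets; the same division also gives the waiting time for a login brute force once you plug in an attempt count, such as the nine million logins from the Password Attacks post further up, and a login rate of your own.

```python
# Keyspace and worst-case runtime estimate for a hashcat mask attack (-a 3).
# Added example, not code from the post; charset sizes follow hashcat's
# documented built-ins (?l ?u ?d ?s ?a ?b) and the -1..-4 custom charsets.

BUILTIN_CHARSETS = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",   # 33 printable symbols
    "b": "".join(chr(i) for i in range(256)),   # all 256 byte values
}
BUILTIN_CHARSETS["a"] = "".join(BUILTIN_CHARSETS[k] for k in "luds")  # 95 chars


def _tokens(spec):
    """Split a mask or charset spec into '?x' placeholders and literal characters."""
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            yield spec[i:i + 2]
            i += 2
        else:
            yield spec[i]
            i += 1


def expand_charset(spec, custom):
    """Expand a charset spec such as '?d?u' or 'ab?d' into a set of characters.
    `custom` maps '1'..'4' to already-expanded custom charsets."""
    chars = set()
    for tok in _tokens(spec):
        if tok == "??":
            chars.add("?")          # hashcat's escape for a literal question mark
        elif tok.startswith("?"):
            key = tok[1]
            if key in custom:
                chars |= custom[key]
            elif key in BUILTIN_CHARSETS:
                chars |= set(BUILTIN_CHARSETS[key])
            else:
                raise ValueError(f"unknown charset {tok}")
        else:
            chars.add(tok)
    return chars


def mask_keyspace(mask, custom_specs=None):
    """Number of candidates a mask generates.
    custom_specs maps '1'..'4' to the -1..-4 charset specs, e.g. {'1': '?d?u'}.
    A later custom charset may reference an earlier one, as in hashcat."""
    custom = {}
    for key in sorted(custom_specs or {}):
        custom[key] = expand_charset(custom_specs[key], custom)
    total = 1
    for tok in _tokens(mask):
        # A literal (or '??') fixes one position; a placeholder multiplies by its charset size.
        total *= len(expand_charset(tok, custom))
    return total


def worst_case_seconds(candidates, rate_per_second):
    """Seconds needed to exhaust `candidates` at `rate_per_second` guesses (or logins)."""
    return candidates / rate_per_second


def describe(mask, custom_specs, rate_per_second):
    """One-line summary: keyspace and worst-case hours at the given hash rate."""
    ks = mask_keyspace(mask, custom_specs)
    hours = worst_case_seconds(ks, rate_per_second) / 3600
    return f"{mask}: {ks:,} candidates, {hours:.1f} h at {rate_per_second / 1e6:.1f} MH/s"


if __name__ == "__main__":
    # The run from the post: 8 positions, each drawn from ?d?u (36 characters).
    print(describe("?1?1?1?1?1?1?1?1", {"1": "?d?u"}, 134.2e6))   # Homebrew build
    print(describe("?1?1?1?1?1?1?1?1", {"1": "?d?u"}, 157.7e6))   # source build
```

For the mask above that is 36^8, roughly 2.8 trillion candidates, so about 5.8 hours at 134.2 MH/s and about 5.0 hours at 157.7 MH/s in the worst case; a mask with ?a at every position is where the estimate really starts to hurt.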
kilala.nl tags: work, studies,
2025-01-06 14:28:00
Hack The Box have a nice lab, where we're introduced to the basics of poking at the Oracle TNS service.
In this lab, they offer a set of commands to download and set up ODAT (Oracle Database Attacking Tool) on your Linux workstation. They assume you're working on Parrot OS, on x86_64.
Meanwhile, I'm working on Kali Linux, inside UTM, in MacOS on aarch64. The instructions are different. Here's what worked for me.
#!/bin/bash
# Set up ODAT on Kali Linux (aarch64) with the arm64 Oracle Instant Client.
set -e

# Build and runtime dependencies from the Kali repositories.
sudo apt-get install -y libaio1t64 python3-dev alien unzip wget

cd ~
git clone https://github.com/quentinhardy/odat.git
cd odat/
git submodule init
git submodule update

# Oracle Instant Client (basic + sqlplus) for arm64; both zips unpack into instantclient_19_25/
wget https://download.oracle.com/otn_software/linux/instantclient/instantclient-basic-linux-arm64.zip
unzip instantclient-basic-linux-arm64.zip
wget https://download.oracle.com/otn_software/linux/instantclient/instantclient-sqlplus-linux-arm64.zip
unzip instantclient-sqlplus-linux-arm64.zip

# Make the client libraries and sqlplus available now and in future shells.
export LD_LIBRARY_PATH="$(pwd)/instantclient_19_25:$LD_LIBRARY_PATH"
export PATH="$PATH:$(pwd)/instantclient_19_25"
echo "export LD_LIBRARY_PATH=\"$(pwd)/instantclient_19_25:\$LD_LIBRARY_PATH\"" >> ~/.bashrc
echo "export PATH=\"\$PATH:$(pwd)/instantclient_19_25\"" >> ~/.bashrc

# Python modules ODAT imports, taken from Kali packages instead of pip.
sudo apt-get install -y python3-cx-oracle python3-scapy
sudo apt-get install -y python3-colorlog python3-termcolor python3-passlib python3-pycryptodome python3-pyinstaller python3-libnmap
sudo apt-get install -y build-essential libgmp-dev
Next to this, you will also need to make one small change to CVE_2012_3137.py in the ODAT directory. The AES import statement at the top (at least on my Kali box, where the python3-pycryptodome package installs the library under the Cryptodome name) needs to be changed to read: "from Cryptodome.Cipher import AES".
kilala.nl tags: work, studies,
2025-01-05 19:03:00
I know, I know, I'm not a fan of Kali Linux. But for the OSCP exam it's kind of required that you use it, so I thought I'd set it up on my Mac workstations. Both have an M1/M2 ARM processor, meaning I need to forego the usual VirtualBox + x86 install. Instead, I'm using UTM.
Luckily it's a perfectly viable setup, with a caveat.
The installer will show a black screen, or if you run it in "expert mode" it'll look like the system got stuck booting. As per the screenshot above.
Turns out, it's running just fine, but the installer lacks the required drivers to make the UTM / Qemu video display work. The UTM documentation gives clear guidance: you need to enable a serial port on the VM, at least for the duration of the install. The installation TUI will be available on the serial port (also shown in the screenshot).
After that, everything works perfectly fine!
Except that cmd-tab-ing back and forth between UTM and other apps keeps popping up the applications menu in XFCE. Aggravating!
Luckily, that's easily solved by going into the XFCE Settings Manager > Keyboard > Shortcuts and disabling the "Super L" shortcut for "xfce4-popup-whiskermenu".
Also: if you want file sharing and copy/paste between MacOS and Kali, you will need to install two additional packages: spice-vdagent and spice-webdavd.
Also: if you'd like to have a permanent mount of that shared folder, via VirtFS, add this to /etc/fstab:
share /mnt/utm 9p trans=virtio,version=9p2000.L,rw,_netdev,nofail,auto 0 0
Full details here in the UTM docu.
kilala.nl tags: work,
2025-01-03 09:46:00
In May 2017 I got to quote that great line from Dredd:
"She's a pass."
After months of hard work I completed my OSCP certification exam.
Since then a lot has happened!
I've done projects for governments, banks and the military covering a lot of infosec fields. These days I'm mostly on DevSecOps. In the seven years since then I've done pentesting "on the side" with each of my customers, but I've never been a pentester. It's never been my primary role description.
Imposter syndrome is no stranger to me, so I've often felt a bit out of place claiming "I understand and can do pentesting", while not exercising that particular field regularly. It irks me; I want to do something about it.
Per November 1st 2024 Offensive Security introduced the new OSCP+, a CE-version (Continuing Education) of the OSCP certification. Unlike the original which was good for life, OSCP+ needs to be renewed every three years.
For current holders of OSCP, OffSec offer a discounted exam attempt ($199 instead of $799), enabling anyone certified to upgrade relatively cheaply towards the CE-version of OSCP.
Now there's a great chance to beat that Imposter-monster. :D
I've bought my exam voucher. Now I have exactly 120 days to prepare for and pass the exam!
kilala.nl tags: studies,
2025-01-02 13:02:00
Yes, it's official now: I am also LFCS certified. Not because I need it for my resumé, but because I want to be certified for every class/course I teach.
Yesterday I mentioned I took the LFCS exam. I'd been wanting to do it for a while now, out of professional interest, but I kept putting it off. Spurred on by December's success with LPIC-1, I decided to take the plunge.
It was fun. I truly enjoyed the LFCS exam and preparation.
As I mentioned in yesterday's review of the big four Linux sysadmin exams, the LFCS fee includes two exam takes, but also two practice exams! That's some great value!
Like with my CKA Kubernetes exam, the practice exams are arranged via Killer.sh. They offer excellent exam simulations, which work exactly like the real exams! I mean: the user interface and the process are the same. Of course the assignments are not. ;)
As many have said: the Killer.sh practice exams are actually harder than the real LFCS exam. On my first practice round I needed 90 minutes for 17 assignments. When I did the real exam, I only needed 60 mins for 17 tasks.
The exam environment is solid, the interface is good, the assignments/tasks are clear. I absolutely love that every task has its own VM/container! With RedHat's exams you get one system for all your tasks and if you break that system you outright fail the whole exam. That's not a risk you run with Linux Foundation! Great stuff.
I can heartily recommend this exam; it's my favourite of the four!
kilala.nl tags: studies, work,
2025-01-02 05:06:00
On the tail end of 2024 I have finally achieved my goal of holding all four entry-level Linux system administration certifications. I set this goal so I can test-run all four exams for my students, to see which one's "the best".
Spoiler alert: there is no singular "the best".
I will be taking a look at the four big brand names: CompTIA, Linux Professional Institute, Linux Foundation and RedHat.
Exam type:
Exam format:
Exam time:
Exam costs (no training, only examination):
Current version:
Certification vendors are expected to provide continuous improvements to their exams. CompTIA is on a solid three year renewal cycle, where their Linux+ exam and objectives are completely refreshed. LPI on the other hand is really dragging things along, with an exam that's now over six years old.
Linux Foundation and RedHat frequently update their exams and their objectives, but don't offer much clarity about the content changes.
Exam objectives documentation:
CompTIA and LPI reign supreme when it comes down to publishing their exam objectives. They provide very clear documents, detailing exactly which topics, concepts, commands, etc will be covered in their exams.
LF and RH on the other hand offer short bullet point lists of one-sentence task descriptions which provide no guidance whatsoever as to what a student would need to learn or practice. With them, you will need to rely upon a training or book to give you guidance.
My opinion on the curriculum and exam contents:
I have compared the exam objectives for all four exams. You can read the full details in this blog post.
For Linux+ I did a beta-test of the upcoming version 6 and I'm not as happy about those objectives, compared to version 5. Here's my review.
Study materials:
All four vendors offer exams in test centers. The amount of available testing centers differs per region. I haven't done exams in test centers for years now, I always test remotely, so I'll only compare on that basis.
Remote testing software:
Remote testing ease-of-use and user-friendliness:
You will find so many people on Reddit and Discord who complain about, or fear, the OnVue remote testing for CompTIA exams. Horror stories about mean proctors or bad software abound. I have now taken over twenty remote exams via OnVue and I have had four situations in which I could not start or finish the exam, three of which were my own fault. 1 out of 20 failed because of the proctoring solution; 19 out of 20 went fine.
The RedHat Kiosk solution is something I hate because the process of setting it up is abysmal. You have to make a bootable USB with their custom Kiosk OS which is known to have hardware compatibility issues, plus you have to have two webcams. Here's my experience from 2023.
The exam itself:
As far as I am aware, the Red Hat hands-on exam will give you two virtual machines and you do most of your work on one of them. The risk in this is huge: if you manage to break that one single machine, you will fail the exam outright!
I like Linux Foundation's approach a lot better: (almost) every assignment runs in its own virtual machine or container. If you break one assignment, all others will still be scored!
I disliked the LPIC exams, their questions were boring and dry. As usual I like how CompTIA write their multiple choice questions, but their PBQs generally range from "meh" to "awful".
This is a tough nut to crack, as return on investment will differ greatly per region/country. For example, CompTIA is a big brand name in the US but in EUW it may garner a "comp-who-now?".
Brand name recognition, by checking LinkedIn jobs that ask for this cert (in the Netherlands, as per today):
Oddly, some positions on LinkedIn ask for "LPIC2, RHCE or Linux+", suggesting they feel Linux+ is equivalent to higher level certs. Which it isn't.
Four job postings ask for "a Linux certification such as ...". I have not included those in the totals shown above, but you could consider that a +4 on each.
It's odd, but LFCE from Linux Foundation seems to be more well-known than LFCS, with 3 vs 1 job listings asking for it.
I can't tell you which Linux certification you should pick, most importantly because of that last paragraph: return on investment is heavily regional. You must always check your local job boards! See which certifications are, or are not, in demand in your area.
My personal view points?
It's clear that RedHat's certifications offer very big resumé value, as they are world-renowned. Everybody knows and respects them. The big downside is their price point, although they compensate this by offering one free retake since 2023. Before that, their proposition was awful, with every retake also costing €500.
I'm a fan of Linux Foundation and the work they do. Their exams are also excellent and I love their at-home testing solution; it just works.
LPI? I don't like. They feel stuffy and outdated. Done.
I like CompTIA's exams well enough, their curriculum is great, their price point is the best. It's unfortunate that Linux+ doesn't get the recognition it deserves. Because of that, I wrote in 2023: "CompTIA Linux+ is not worthless, it's just worth less".
It's ironic that the two exams/vendors I like best, are also the least well-known.
I feel CompTIA offers a better theoretical exam than LPI and I feel Linux Foundation's hands-on exam is much better than Redhat's. But the resumé value of both throws a spanner in the works. :(
Well-known author and fellow-trainer Sander van Vugt and I spoke on LinkedIn about this article. To quote him:
"...I do agree to your conclusions. RHCSA has a huge market value, LFCS is more interesting and more about Linux. Linux+ is important for NA customers, and LPIC-1, well, I dropped that about a decade ago. Their way of testing doesn't make sense to me."
kilala.nl tags: work, studies, mentor,
All content, with exception of "borrowed" blogpost images, or unless otherwise indicated, is copyright of Tess Sluijter. The character Kilala the cat-demon is copyright of Rumiko Takahashi and used here without permission.