SOCNET: The Special Operations Community Network
Areas of Expertise > Technology and Communications
#1 - 27 September 2020, 13:20
BOFH (I aim to misbehave; Join Date: Jul 2004; Location: \\Gibson\garbage; Posts: 4,331)
OSCP

So, I'll start by saying I'm an unrepentant blue teamer. Background in intrusion detection, forensics, incident response, malware reversing, and threat intelligence. I'm currently working as a threat hunting consultant. All that said, I'm looking to bring a little more "purple" into the skillset, so I'm set to start PWK next week. I bought the 90 day lab access, and work is going to allow me to dedicate time to the class. I've dabbled with some basic exploit development, but haven't ever gone beyond that. In other words, there's a decent chance I could pop a shell on a server if I needed to, but I'd have no clue what to do from there, or how to do it.


For those out there who have been doing the pentesting thing, what advice can you give for OSCP? Beyond that, what are the pitfalls to watch out for? Differences between the training and actually doing the job, that sort of thing.


Thanks, in advance!
__________________
"...for those who man the battle line, the bugle whispers low, and freedom has a taste and price the protected never know..."


While true:
Continue
#2 - 27 September 2020, 13:47
CV (Authorized Personnel; Join Date: Apr 2003; Location: USA; Posts: 8,929)
My advice: Try harder

OSCP is the most practical exam you'll ever take. No amount of definition-cramming will help you. You either get into the systems, pivot and escalate, or you don't. PM me a good email address, I'll send you a dump of info.

Mastering enumeration and learning to automate it is going to get you the most gains.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo
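CV's advice about mastering enumeration and automating it, as an added example that is not part of the thread or CV's own material: a threaded TCP connect scan with banner grabbing and service fingerprinting. The targets (a fake SSH listener and a fake HTTP listener on 127.0.0.1), the probe string and the fingerprint rules are constructed here so the script runs offline; against a lab host you would call enumerate_host with its address and a port list.

```python
"""Automated TCP service enumeration: connect scan, banner grab, fingerprint.

Added example, not from the thread. The two target services are constructed
fakes on 127.0.0.1 so the script runs offline; against a lab host you would
call enumerate_host(host, ports) directly. Fingerprint rules are illustrative.
"""
import re
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Sent to a service that stays silent after connect (HTTP-style servers).
HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: localhost\r\n\r\n"

# (service, regex over the banner). Each regex captures a 'version' group.
FINGERPRINTS = [
    ("ssh", re.compile(r"^SSH-\d\.\d-(?P<version>\S+)")),
    ("http", re.compile(r"^HTTP/\d\.\d \d{3}.*?\r?\nServer: (?P<version>[^\r\n]+)", re.S)),
    ("ftp", re.compile(r"^220[ -](?P<version>[^\r\n]+)")),
]


def grab_banner(host, port, timeout=0.5):
    """Return (state, banner) with state in {'open', 'closed', 'filtered'}."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(1024)            # SSH/FTP/SMTP announce themselves
            except socket.timeout:
                data = b""
            if not data:                       # silent service: poke it like a client would
                try:
                    s.sendall(HTTP_PROBE)
                    data = s.recv(1024)
                except (socket.timeout, OSError):
                    data = b""
            return "open", data.decode("latin-1", "replace")
    except ConnectionRefusedError:
        return "closed", ""
    except (socket.timeout, OSError):
        return "filtered", ""


def fingerprint(banner):
    """Map a banner to (service, version); ('unknown', '') when nothing matches."""
    for service, rx in FINGERPRINTS:
        m = rx.match(banner)
        if m:
            return service, m.group("version").strip()
    return "unknown", ""


def enumerate_host(host, ports, workers=16):
    """Scan ports in parallel; return {port: info} for every port that is not closed."""
    def scan(port):
        state, banner = grab_banner(host, port)
        service, version = fingerprint(banner) if state == "open" else ("", "")
        return port, {"state": state, "service": service, "version": version, "banner": banner}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return {port: info for port, info in pool.map(scan, ports) if info["state"] != "closed"}


def _serve(banner, talk_first):
    """Constructed fake service on 127.0.0.1 standing in for a real target; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            try:
                with conn:
                    if not talk_first:         # HTTP-style: wait for the client's request
                        conn.settimeout(2)
                        conn.recv(1024)
                    conn.sendall(banner)
            except OSError:
                pass
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def start_fake_services():
    """Start a fake SSH and a fake HTTP listener; return {'ssh': port, 'http': port}."""
    return {
        "ssh": _serve(b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1\r\n", talk_first=True),
        "http": _serve(b"HTTP/1.0 200 OK\r\nServer: nginx/1.18.0\r\nContent-Length: 0\r\n\r\n",
                       talk_first=False),
    }


def free_closed_port():
    """Bind and release an ephemeral port so the scan also sees a closed one."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    svc = start_fake_services()
    for port, info in sorted(enumerate_host("127.0.0.1", [*svc.values(), free_closed_port()]).items()):
        print(f"{port}/tcp {info['state']} {info['service']} {info['version']}")
```

The scan distinguishes services that talk first (SSH, FTP) from ones that wait for a request (HTTP) by probing only when the connect-time read comes back empty; closed ports are dropped from the result, filtered ones are kept so you notice what a firewall is hiding.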
#3 - 27 September 2020, 14:32
BOFH (I aim to misbehave; Join Date: Jul 2004; Location: \\Gibson\garbage; Posts: 4,331)
Quote:
Originally Posted by CV (post #2)

PM sent. I'm a little more intimidated by this one than I was by any of the GIAC stuff, but I'm relatively certain I'll get it all figured out, eventually.
#4 - 27 September 2020, 15:52
HighDragLowSpeed (Been There Done That; Join Date: Dec 2006; Location: Only Place For Me; Posts: 5,629)
For anyone following this thread

As CV points out, enumeration and exploitation are key to the exam.

But, as a member of the blue team, detection of the artifacts of enumeration and exploitation is the best way to know if you’ve been compromised.

When a system is compromised, the malware has the permissions of the machine and account that are active. The bad actor will rarely know what machine they are on, the user account, or the privileges that the user account possesses. They have to figure these things out.

You should be making a library of these artifacts and implementing detective controls that look for them.

While not a legitimate security boundary, a load balancer can make this discovery and exploitation even more complex because the bad actor may not be able to return to the same machine. I’ve seen this first hand. The bad actor compromises a load balanced machine and begins to try to exploit. A detective control alerts the security team that begins to respond. Meanwhile, the bad actor gets load balanced to another similar server and has to start over. Hulk smash.

It wasn’t the initial infection that ended the event; it was the fact that the team had 350 or so Sysmon-based detective alerts focused on enumeration and exploitation techniques.

Just keep that in mind. In a well defended network, you’ll have to move and make noise to get to the prize. All of that will leave artifacts for a blue team that is paying attention. A red teamer that doesn’t know what artifacts he or she is leaving isn’t a value add in my book - OSCP or not.
__________________
Come for the infosec, stay for the dumpster fires.

God made machine language; all the rest is the work of man.
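The kind of Sysmon-based detective control HighDragLowSpeed describes, as an added example that is neither the thread's nor the poster's code: discovery commands (the "what machine am I on, which account, which privileges" questions the intruder has to answer) are matched in Sysmon Event ID 1 ProcessCreate records, a burst of distinct ones under one parent process raises an alert, and the same sequence recurring on a second host is flagged the way the load-balancer anecdote plays out. The records are constructed stand-ins for Sysmon events after a SIEM has flattened them to dicts; the field names follow Sysmon's, while the rule patterns, the thresholds, the IIS worker process as parent and the host names are illustrative assumptions.

```python
"""Sysmon-based detection of enumeration artifacts after a foothold.

Added example, not part of the thread. Records are constructed stand-ins for
Sysmon Event ID 1 (ProcessCreate) as a SIEM would flatten them; the field names
(Computer, UtcTime, Image, CommandLine, User, ParentImage) follow Sysmon's.
Rule patterns, thresholds and the sample hosts are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Category -> regex over the lower-cased command line: the "who am I, where am I,
# what can I do" commands an intruder runs because they do not yet know.
DISCOVERY_RULES = {
    "account":   re.compile(r"\b(whoami|quser|query\s+user|net\s+user)\b"),
    "host":      re.compile(r"\b(hostname|systeminfo|ipconfig|tasklist|wmic\s+os)\b"),
    "privilege": re.compile(r"whoami\s+/(priv|groups|all)\b|net\s+localgroup\s+administrators"),
    "network":   re.compile(r"\b(netstat|arp\s+-a|nltest|net\s+view|route\s+print)\b"),
}
BURST_THRESHOLD = 3                   # distinct discovery commands ...
BURST_WINDOW = timedelta(minutes=5)   # ... spawned by one parent inside this window


def parse_time(utc):
    """Sysmon UtcTime looks like '2020-09-27 13:20:01.000'."""
    return datetime.strptime(utc, "%Y-%m-%d %H:%M:%S.%f")


def classify(record):
    """Return the discovery categories a ProcessCreate record matches (empty set = benign)."""
    if str(record.get("EventID", 1)) != "1":
        return set()
    cmd = record.get("CommandLine", "").lower()
    return {cat for cat, rx in DISCOVERY_RULES.items() if rx.search(cmd)}


def detect_bursts(records):
    """One alert per (Computer, User, ParentImage) that spawns >= BURST_THRESHOLD distinct
    discovery commands within BURST_WINDOW. A lone 'ipconfig' never fires; a sequence does."""
    hits = defaultdict(list)
    for r in records:
        cats = classify(r)
        if cats:
            key = (r["Computer"], r["User"], r["ParentImage"].lower())
            hits[key].append((parse_time(r["UtcTime"]), r["CommandLine"].lower(), cats))
    alerts = []
    for (computer, user, parent), events in hits.items():
        events.sort(key=lambda e: e[0])
        for i, (t0, _, _) in enumerate(events):
            window = [e for e in events[i:] if e[0] - t0 <= BURST_WINDOW]
            cmds = sorted({e[1] for e in window})
            if len(cmds) >= BURST_THRESHOLD:
                alerts.append({
                    "computer": computer, "user": user, "parent": parent,
                    "first_seen": t0, "commands": cmds,
                    "categories": sorted(set().union(*(e[2] for e in window))),
                })
                break
    return alerts


def correlate_hosts(alerts):
    """Same command sequence under the same user and parent on several hosts: the intruder
    was likely bounced to another node of the pool and is starting over.
    Returns {signature: [hosts]} for every signature seen on more than one host."""
    seen = defaultdict(set)
    for a in alerts:
        seen[(a["user"], a["parent"], tuple(a["commands"]))].add(a["computer"])
    return {sig: sorted(hosts) for sig, hosts in seen.items() if len(hosts) > 1}


def _rec(computer, t, cmdline, user="IIS APPPOOL\\DefaultAppPool",
         parent=r"C:\Windows\System32\inetsrv\w3wp.exe"):
    """Build a constructed ProcessCreate record (assumed web-shell parent: the IIS worker)."""
    return {"EventID": 1, "Computer": computer, "UtcTime": t, "User": user,
            "ParentImage": parent, "Image": r"C:\Windows\System32\cmd.exe",
            "CommandLine": cmdline}


# Constructed sample: a web shell on WEB01 enumerates, the session then lands on
# WEB02 and repeats; WS07 is an admin running a single benign ipconfig.
SAMPLE_EVENTS = [
    _rec("WEB01", "2020-09-27 13:20:01.000", "cmd.exe /c whoami"),
    _rec("WEB01", "2020-09-27 13:20:09.000", "cmd.exe /c hostname"),
    _rec("WEB01", "2020-09-27 13:20:31.000", "cmd.exe /c net user"),
    _rec("WEB01", "2020-09-27 13:21:40.000", "cmd.exe /c whoami /priv"),
    _rec("WEB01", "2020-09-27 13:22:05.000", "cmd.exe /c systeminfo"),
    _rec("WEB02", "2020-09-27 13:26:12.000", "cmd.exe /c whoami"),
    _rec("WEB02", "2020-09-27 13:26:20.000", "cmd.exe /c hostname"),
    _rec("WEB02", "2020-09-27 13:26:44.000", "cmd.exe /c net user"),
    _rec("WEB02", "2020-09-27 13:27:50.000", "cmd.exe /c whoami /priv"),
    _rec("WEB02", "2020-09-27 13:28:13.000", "cmd.exe /c systeminfo"),
    _rec("WS07", "2020-09-27 13:25:00.000", "ipconfig /all", user="CORP\\jdoe",
         parent=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    found = detect_bursts(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['computer']} {a['user']} via {a['parent']}: {', '.join(a['commands'])}")
    for (user, parent, _), hosts in correlate_hosts(found).items():
        print(f"same sequence on {hosts}: {user} via {parent}")
```

The single-command rules are deliberately noisy on their own (admins run ipconfig all day); what makes the control useful is keying on the parent process and counting distinct commands in a short window, which is exactly the shape an intruder's first minutes on a box take and which a legitimate user rarely reproduces under a web server worker.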
#5 - 27 September 2020, 16:05
BOFH (I aim to misbehave; Join Date: Jul 2004; Location: \\Gibson\garbage; Posts: 4,331)
Quote:
Originally Posted by HighDragLowSpeed (post #4)

This, x1000! Those artifacts, and knowing how to find and analyze/interpret them, are what pays my bills.
#6 - 27 September 2020, 18:56
CV (Authorized Personnel; Join Date: Apr 2003; Location: USA; Posts: 8,929)
Dropped you a line about taking the OSCP course and exam. Have fun, and ping me if you get stuck on a concept.
#7 - 28 September 2020, 10:36
Atrax (Confirmed User; Join Date: Sep 2005; Location: CONUS; Posts: 403)
Good luck! Been interested in OSCP for a while, but I'm likely years away from even thinking about it.

Powered by vBulletin® Version 3.8.11
© SOCNET 1996-2020