I should mention that this isn’t the first time I’ve been here. I actually started studying for the CPTS over a year ago, before I had jumped back into university. I didn’t get very far, so this last few days I’ve been faced with the content in the beginner sections that I had already completed once. I had (apparently) finished the ‘Penetration Testing Process’ and ‘Getting Started’ modules and gotten about halfway through the introductory ‘Network Enumeration with Nmap’ module before giving up last time. I will say, in reviewing the content of the first two modules I can see why. The content itself is excellent, but I have a hard time staring down a wall of text and the small interactive sessions were evidently not enough to keep my attention last time.
The importance of methodology
In reviewing these sections, it has become abundantly clear that now is the time to establish a formal methodology for attacking a machine. While there are certainly quite a few platitudes sprinkled into the introductory modules, there is a clear focus on process that I had taken notes on last time without really trying to understand the reasoning behind it. It is labeled plainly as the “Penetration Testing Process”, an eight-stage deterministic process that describes the steps by which an engagement is carried out. This process is roughly defined below:
1. Pre-Engagement: Scope and objectives are defined.
2. Information Gathering: The target is assessed and enumerated.
3. Vulnerability Assessment: Target services and versions are compared against known vulnerabilities and misconfigurations.
4. Exploitation: Vulnerabilities are exploited to provide a foothold.
5. Post-Exploitation: Internal reconnaissance is performed and privilege escalation is attempted.
6. Lateral Movement: Other targets are identified and access is attempted.
7. Proof-of-Concept: PoCs are created to demonstrate vulnerabilities and their triggers.
8. Post-Engagement: A deliverable is generated and a walkthrough of the report is performed to clarify findings. Shells and other artifacts are cleaned up.
Looking past the obvious, these steps are specifically enabled by a personal methodology. This largely starts with reconnaissance and enumeration, which are fortunately the first things the course covers. The methodology should essentially consist of a series of if-then statements that can be exhausted to ensure that all potential attack vectors have been explored adequately. The most common thing I hear from people who struggle with the CPTS and OSCP is a feeling of being lost and unable to discover a single foothold. These are failures in methodology. An enumeration procedure must be defined, even if only roughly, if you want consistent results and to start noticing the patterns of vulnerable machines. Knowing this, I aim to avoid the pitfall of poor enumeration and lack of methodology, and I will begin to detail a more technical process as I progress.
As a brief side note, while I was setting up my workspace today I ran into an issue where VirtualBox Guest Additions crashed my entire hypervisor and guest OS when I attempted to update them along with the 6-month-old stale Kali image I had left there. This pissed me off enough to switch entirely over to VMware Workstation Pro, which absolutely blew me away on first boot. I dumped the default Kali image on it and the speed difference from VirtualBox was immediate. Not to mention I didn’t have to mess around with guest additions or any weird mount points to get bi-directional copy/paste and host->guest file transfer working. It just werks ™, so I’ll be using this default Kali image and Workstation Pro for the duration of my study. I know there’s some contention about which security distro is best, but I’m too busy getting 1337 to rice out an Arch install or bother figuring out how Parrot is different. So in short, I’ll be using the most generic tools possible for this challenge. Let me know if you have other recommendations; I’ll likely ignore them.