After taking on the challenge of Offensive Security's “Pentesting With Kali” (PWK) course I knew I was addicted. The buffer overflow section was so much fun I knew I needed more. There was something about subverting a program to do your own bidding by sending it a special string that to me was the epitome of hacking. Considering the extremely good experience I had with Offensive Security, they were the natural choice for my next training step into the world of exploit development.
What is it?
Cracking the Perimeter (CTP) is an online / live training course provided by Offensive Security, the core developers of the ever popular Kali Linux and the PWK training course. Upon completion you receive the Offensive Security Certified Expert (OSCE) qualification. It’s billed as an ‘intermediate’ course and builds on some of the knowledge of PWK. The course material, as the name suggests, is focused on techniques used to ‘crack the perimeter’ of an organization's network. Roughly speaking the course can be divided into four sections: web-based attacks, backdooring executables & AV avoidance, exploit development and finally an internet-based man-in-the-middle attack.
Who should take it?
Although it’s billed as an intermediate course I think that anyone who is interested in the subject material should have a good crack at the course. CTP is unique in the sense that to register for the course you need to complete a pre-registration challenge located at http://www.fc4.me/. Being capable of cracking this challenge without looking for hints elsewhere is a decent indication of how much trouble you’ll have with the course. Really it comes down to this: if you’re interested in the topics outlined above, it’s a great course. If you’re after PWK v2 you may be disappointed however – CTP teaches fewer topics more in depth as opposed to the ‘generalized’ nature of PWK.
As always this section attempts to balance giving the reader a good idea of what to expect in the course with respecting Offensive Security's wishes to keep some information in the domain of those undertaking the course. What I’m discussing here relates to the publicly available syllabus here. As always the materials and videos provided by Offensive Security were fantastic quality.
The web attack section is useful considering how often the web application is the largest attack surface of an organization today. The course looks at different methods to gain access to organizations through XSS attacks, from the typical stealing of cookies through to more advanced techniques of form manipulation. Another section looks at some interesting LFI attacks, logic errors in their filters and some non-traditional ways of extracting sensitive information from the system leading to its compromise. I viewed this section as quite useful mainly because it focuses on “lower” perceived threats such as XSS and LFI and how to exploit them to their full potential. It would be nice if all the targets we looked at had remote code vulnerabilities, but realistically finding an XSS is much more likely. An interesting and valuable section.
Backdooring & AV Avoidance
Why do we need to know how an exploit works when we can simply fire up Metasploit and point and click for a shell? That’s the question I pose to anyone who asks why we need to learn how to manually backdoor or obfuscate a file to avoid anti-virus. These sections give a much better understanding of how you can patch arbitrary code into any executable and make it run undetected. Yes, I might still use a tool to automatically do it in the majority of cases from now on, but it’s always nice to understand what’s happening under the hood. The same goes for manually creating obfuscation routines to bypass AV: yes, it was always possible to fire up Veil and cross our fingers, but now I have a much better idea of how AV actually works, its detection methodology and what I can actually do to knock out those last few results on VirusTotal. I’m not suggesting I’m going to manually encode everything I touch from now on, but that isn’t the learning objective. An interesting section that I don’t regret learning, but perhaps with not as much utility as some of the other skills picked up from the course.
In my opinion this was the real fun stuff in the course. A number of techniques are taught including bypassing ASLR on Vista, how to deal with very confined payload space and then the “Pain / Sufferance / Humble (PWK reference)” of the course, the NNM exploit, which covers a very interesting manual encoding technique. Many of the exploits in this section cover the development process from fuzzing to shell, which is fantastic for those who are interested not only in modifying someone else’s discovered vulnerabilities but going searching for bugs on their own. At the end of the course you know how you can exploit something with buffer spaces smaller than 35 bytes to play with, something I would have struggled with before learning the material. The final NNM exploit also shows how, with even extreme restrictions on valid characters, there is always a way to get a payload working. Essentially the ‘intermediate’ nature of the course comes into play in this section. Slightly more complex topics than the standard stack based buffer overflow are examined (SEH overflows, etc) – but not the latest techniques used today. Some concerns have been raised about this, rightfully pointing out that new exploitation prevention methods such as DEP, EMET, etc have been implemented in later versions of Windows 7 and 8. To that I’d pose the question – is it worthwhile for a beginner to learn about stack based buffer overflows on Windows XP without ASLR and multiple other protections? Of course it is, and this step is a great way to introduce people to slightly more complex topics, in preparation for the Advanced Windows Exploitation course if they wish to proceed that far. I don’t think it’s fair to say the course is out of date, simply that it doesn’t cover all of the topics that are available in exploit development today. This section is still incredibly valuable and interesting for those looking at exploit development.
It’s a great way to take a step forward from the traditional simple overflows into more technical attacks, while also laying a solid foundation for the really advanced stuff in the future.
Finally the last section involves an interesting examination of what evil things you can do when you’re in control of a company's border routers. Using SNMP vulnerabilities the course illustrates a method of taking over the router and performing an internet-based man-in-the-middle attack where you can remotely sniff the organization's traffic. It’s pretty fun, mind-bending stuff and exposes you to some enterprise level networking configurations that some students may not have experienced before. I think this section was a little situational to be filed away in the everyday playbook for compromising a client, but it’s useful in reinforcing the “out of the box” thinking that is sometimes required to crack the perimeter in organizations that are increasingly becoming security aware.
Ok ok – I’ll expand on it some more, but only because my therapist who deals in PTSD recommends sharing the experience to lessen the pain. The exam was pretty brutal; you’ve got 48 hours to gather the required points to pass the course, and different challenges are worth different points. It’s absolutely true that all the material required to pass the exam is taught within the course – but it certainly tests whether you really know the material, or if you’re just familiar with the concepts. The challenges require you to actively think about what you’ve learnt and apply it in ways that may be different from the examples originally provided in the course. Looking back it’s not really surprising – how else is Offensive Security going to make a challenging exam? All I can really say though is I learnt just as much new content in the exam as I did almost throughout the whole course. That’s in no way a criticism; in fact it’s fantastic that students are pushed that hard, but I certainly have a lot more respect for the OSCE certification than I did before going into the exam. Personally, with about 12 hours to go I was certain I would fail; I had around 25% of the required points but managed to knock out all the challenges with only 3 hours to spare.
Overall I think Cracking the Perimeter is a great value and worthwhile course that I’d recommend to a lot of people. Saying that, it’s different from PWK and starts becoming more specialized in terms of what it’s teaching. PWK is and always will be Offensive Security's flagship course with the most content and the most variety. If you’re still looking to focus just on the generalized “hacking” of PWK then it might be a fun course to take, but perhaps not targeted towards you. If you enjoy getting more in-depth knowledge on exploit development and loved the buffer overflow section in PWK? This course is for you. I wouldn’t say anything in the course is ‘out of date’ as some people have raised concerns about, but don’t go signing up thinking that it would teach you every bleeding edge technique in exploit development – that’s what Advanced Windows Exploitation is for.