Monthly Archives: July 2012
As a Rookie, Joe provides us with plenty to do. We are always asked to give some “cycles” for work. These cycles go towards a multitude of things, from blog posts all the way to constructing lab manuals. Most of the time Joe needs the work done yesterday, and we spend countless hours trying to accomplish the tasks he provided. Sometimes we have a little bit more time to work on projects and whatnot. It’s evident that as a Rookie I possess very few skills and little understanding regarding information security. Because of this, I personally have become great at working but getting nothing done.
How do I work yet get nothing accomplished? Easy: I get lost trying to figure out what’s going on or where I am. Sometimes I feel like I just got thrown into a foreign country where they speak a language that I don’t know. I spend more time figuring out what the heck they are talking about than I do actually producing work towards the goal. For instance, pretend you knew nothing about security and the tools that come along with the trade. Now envision you see this:
SSH Login into your Asterisk VM as root
Get the exploit scripts
DNS running on UDP port 53
we will use netcat’s UDP mode (-u) for the transport.
perl dproxy1.pl | nc -u xx.yy.aa.bb 53
gdb -core core.9999 — load core files
info registers — inspect registers
x/64x $reg — examine memory at a particular register
x/64x $esp — examine memory at ESP
q — quit
x/10i $eip — disassemble 10 instructions beginning at EIP
perl dproxy1.pl | nc -u 192.168.128.140 53
gdb -core core.8888
What the heck is this? First I have to install Virtual Machine (VM) software. Then download a VM, extract it, run it up, and configure the network so I can get into it. Where the heck do I get these scripts from? What the heck is Netcat, and how do I make it work on Windows? What’s Perl? Do I run these commands on the host or the guest? GDB... that’s going to take a lot of Googling before I know what the !#@ that is. For what it’s worth, gdb is the GNU Debugger. Why can’t I see these so-called registers? What the heck is a register? Am I doing this right? My head hurts! All this right here took me about 2.5 hours, and I am no further along now toward completing a lab manual than I was when I started. Better yet, the clock is striking 1 a.m. and I have to get up for work in 4.5 hours. This is how I get nothing done.
Being lost in a fog of confusion and the amount of time spent configuring machines is exactly how I get nothing done. This is why I get to tell Joe that I did absolutely nothing for him during our weekly call. Let me take a step back and re-evaluate quickly, though. While there is no tangible lab manual produced, I did learn a ton. This is why it’s great to be a Rookie. I have learned how to configure VMs, install and run Perl, and now know what gdb is. I consider myself the sole beneficiary of this supposed failed operation. Being a Rookie is about learning and about late nights. As mentioned by another Rookie, all this work is a trick to teach us by doing. Being thrown into this “foreign country” is the perfect recipe for success by learning for survival. It can be stressful to feel lost and to have your work call you names because the notes are smarter than you. But it pays off in the end. As I burn through “cycles” I spend a ton of time learning, but getting nothing done.
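For anyone staring at the gdb lines in the lab notes quoted above, here is an added gdb command file that runs the same core-file triage the notes describe, step by step, with comments. It is not part of the lab manual or the original post. It assumes the crashed service binary lives at /usr/sbin/dproxy (a hypothetical path) and that the kernel wrote core.9999 into the current directory. One thing the notes leave out: give gdb the binary as well as the core, otherwise you get registers and raw memory but no symbols, and backtraces and disassembly are much harder to read.

```gdb
# triage.gdb  (added example, not from the lab manual)
# Run as:  gdb -batch -x triage.gdb /usr/sbin/dproxy core.9999
# "/usr/sbin/dproxy" is an assumed path; use the real crashed binary.
# Core dumps only appear if they are enabled:  ulimit -c unlimited
# before starting the service, and check /proc/sys/kernel/core_pattern.

echo \n=== Registers at the time of the crash ===\n
# $esp/$eip in the notes are 32-bit names; $sp and $pc are the
# architecture-neutral aliases, so this file works on 64-bit too.
info registers

echo \n=== Where did it die? ===\n
# 10 instructions starting at the instruction pointer. If gdb cannot
# disassemble here, the faulting address itself may be attacker-controlled.
x/10i $pc

echo \n=== Call stack ===\n
# Frames that show "??" with no symbol usually mean the return address
# was overwritten, which is exactly what the DNS proxy exercise is about.
bt

echo \n=== Raw stack memory (64 words at the stack pointer) ===\n
# Explicit size suffix (w = 4-byte word); a bare x/64x reuses whatever
# size was last used, which trips people up in longer sessions.
x/64xw $sp

echo \n=== Stack memory as strings (spot the payload) ===\n
x/8s $sp

echo \n=== Loaded libraries (useful when picking return addresses) ===\n
info sharedlibrary

quit
```

Usage note: run the file in batch mode as shown in the header comment and redirect the output to a text file so it can be pasted straight into a lab write-up. If the `bt` output is a wall of `??`, compare `$pc` and the saved return address on the stack against the bytes the Perl script sends; a value that is obviously part of the payload confirms the overwrite.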
One of the assignments that the rookies got was to go through the various broken web applications, such as WebGoat, WebMaven, Hacme Casino, Hacme Bank, and Hacme Books, and complete them. While we worked through our various tasks we were to thoroughly document the steps, take screen captures, and ensure that all steps necessary to exploit these applications were shown. Joe had asked for volunteers, so I stepped up and picked WebGoat.
Prior to Joe handing out this task I had worked with WebGoat for about 15 minutes and I really liked it, which is why I chose it. What I did not realize at the time was the scope of WebGoat and just how large it was. Unlike broken web applications like WebMaven, WebGoat covers a lot of content, including SQL injection, XSS, session cookie manipulation, hidden forms, and fail-open authentication, just to name a few. WebGoat covers all of this in somewhere around 30 lessons.
Being able to get the WebGoat work done in a timely manner is very important to Joe, and working on WebGoat was going to be a learning experience. In typical Joe fashion I got my deadline for this project: he wanted it done in two days, which in fact is better than his usual “I need this yesterday.” I started working on this project having no real experience with any of the covered concepts. After two very long days the report ballooned to over 45 pages of documentation outlining the steps. I wound up having to call in for some help on a few of the lessons due to some issues with WebScarab not working for me, but we pulled it off.
After completing this task I was, one, tired; two, sick of seeing WebGoat; and three, pretty well educated in the low-level, fundamental hacks on web applications. While I do not think I could hack a website, there is some significant value in understanding the lessons contained in WebGoat. Also, I will say that while I tried as much as possible to avoid the built-in documentation, WebGoat has a very comprehensive built-in documentation guide for any beginners looking to learn these concepts. I have to say that the developers of this OWASP project did a fantastic job on building a system that can teach you how to hack web applications and, more importantly, how to help secure them through understanding. I would encourage anyone looking to get into the infosec career field to check out WebGoat.
OWASP WebGoat – https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Maven Security WebMaven – http://www.mavensecurity.com/WebMaven/
McAfee Hacme Casino – http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx/
McAfee Hacme Books – http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx
McAfee Hacme Bank – http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx/
Being a part of Joe McCray’s Security Rookies program has been a blessing and a curse. The man will work you. He will give you stuff to do that needs to be done yesterday and keep you pumping out material. It’s all a trick, though. The entire time you feel like you’re slaving away editing or creating docs, VMs, networks, etc., you’re learning and progressing. I’m a senior systems engineer by title. I know systems, networks, how to build, how to fix. I didn’t have any idea how to hack four months ago. That’s changing now, little by little, and it’s due to this program. It started with doing simple web-based challenges on enigmagroup.org. Then it was on to exploiting ready-made VMs such as Ultimate LAMP. For me, the coolest thing I’ve gotten to do so far was going through and updating two Metasploit course documents. First off, I learned how to manipulate the framework and make it work for me. Secondly, how cool is it to realize Chris Gates produced the document you’re editing? I’m learning from the best while trying to be the best. It’s a lot of work, but it’s definitely worth it.
And don’t worry, the fun never stops. When it comes to SQL injection there’s plenty of work to be done. Updating all the screenshots for Joe’s SQL courses was brutal. By the time I was all done and had everything up to Joe’s standards, I actually felt like I was starting to understand how it worked. Who knew there was so much power in just a little tick (')? You will learn in this program what you’ve been trying to learn on your own from scraping IRC, Google-fu, and staring at code. You’ll also learn Joe will need something done on a Friday and it needs to be done that night. If you can’t commit, don’t sign up. We work as hard as we play.