Took the exam tonight, completed all the required challenges and sent off the proof to be marked.

I had a few minor problems trying to get my connection details to start the exam, but these were swift resolve by one of the very able admins in the IRC #offsec channel. He was a gentleman and got me underway swiftly.

The actual exam is straightforward and is derived from the course material. Learn and study the material, be able to do all the practicals on your own systems and you should pass.

Unlike the PWB course, this is designed for beginners to wireless theory and attacks. The wifu course provides a solid grounding in the 802.11x fundamentals and is a well balanced, straightforward introduction, but is focused toward WEP.

Obviously WEP is still alive and well, so the content is still relevant but if you’re looking for more in-depth and all encompassing wireless technologies, such as Bluetooth, Zigbee, and so on , Joshua Wright’s SANS Wireless Ethical Hacking, Penetration Testing, and Defenses would be more appropriate.

Anyway, it was a fun hour and a bit exam and I can claim my 10 CPE for all that work too!

The Aireplay-ng  attack on SKA was not going well. This was annoying, to say the least.

My command airodump-ng  –channel 1 –bssid 00:01:02:03:04:05 –w ska wlan0 was running fine and capturing traffic happily from my test  Linksys WAP54G firmware v3.1

The four output files generated from the command appeared, but the magic .xor file refused to appear despite issuing numerous de-authentication commands

airodump-ng  -0 10 –a 00:01:02:03:04:05  -c 00:00:DE:AD:BE:EF wlan0

Turning off and on the wireless client machine’s NIC didn’t fix this either.

I noticed the banner of the airodump-ng output:

CH 1 ][ Elapsed: 10 mins ][ 2010-04-01 09:48 ][ Broken SKA: 00:01:02:03:04:05

A quick search turned up a link to http://www.aircrack-ng.org/doku.php?id=airbase-ng, then the searching turned up various people ranting and talking madness.

Just to finish off my evening study on a sane note, I dug out an old Netgear wireless router and set it up for shared WEP encryption. Joy of joys airodump-ng saw the authentication handshake and dumped it out in to a .xor file just as it did in the notes.

I was then able to crack the massively secure 64 bit (okay 40 bit) shared WEP key in about 10 seconds after generating enough IV’s – Hurra!

This time I blame Ash for making me take this one, but the deluded voices in my head also have something to answer for.

Four months to get to grips with the 25 hours of study material and play with exercises. Should be simple right?

What is this training I speak of, well this from the web site:

“Offensive Security Wireless Attacks”, also known as “BackTrack WiFu” is a course designed for penetration testers and security enthusiasts who need to learn to implement various active and passive Wireless (802.11 2.4 GHz) attacks. The course is based on the Wireless Attack suite – Aircrack-ng.

The course was designed by Thomas d’Otreppe and Mati Aharoni in an attempt to organize and summarize today’s relevant WiFi attacks. This course will kick-start your WiFu abilities, and get you cracking WEP and WPA using the latest tools and attacks in no time!

http://www.offensive-security.com/backtrack-wifu-online-training.php

This should be fun, and hopefully not quite as a steep learning curve as Penetration Testing with BackTrack.

Time will tell.

• Not being prepared to spend the full 24 hours to complete the exam
• Not having the right mind set to work through processes and think like an attacker
• Not documenting fully and double checking and confirming results
• Not taking a fresh air breaks
• Not having enough experience
• Quite possibly being a whiner

For mere mortals, like myself, that don’t spend time looking for applications and systems to attack, the simple frustration of working through each service to find a hole to get a foot hold is “interesting”*.

*Insert swear words of choice

When attacking a system, the process is simple:

1. Find a live IP address
2. Discover the services on the IP address
3. Search for vulnerabilities for that service

After that successful discovery process, I developed this totally unsuccessful process steps:

1. Ignore the blinding obvious results from your own scans
2. Spend ages Googling and finding nothing that really fits
3. Grasp at straws and download anything that had the service name in it or sounds vaguely like it.
4. Try to adapt code that mostly wasn’t going to work, while not understanding how the author was attempting to do it in the first place
5. Watch the poorly complied code fail to do anything and wonder why I didn’t have a root shell prompt
6. Stare into space for long periods
7. Muttering to myself
8. Contemplate a career in herding mice with elephants, blowing stuff up or becoming a reality-tv star
9. Come up with something equally unlikely to work
10. Back to step 1

After a number of hours of going through this process it’s somewhat disheartening, especially when you seem to get zip-all back. Letting all that frustration build up and not taking time to have a break is how to fail the exam. Simple

The exam –a post mortem

While reviewing of what went wrong during the exam, a friend commented that I should be used to dealing with similar frustrations as a sys admin. My response was without experience of the methods to get a foot hole, you effectively end up throwing mud at the target and see what sticks. As a Sys Admin, that’s usually the last resort, which you should never do with production systems.

As a great example of this, I was oddly very hesitant to run things that I didn’t really understand that could break it. I struggled to get the simple statement the lab machine are there to be broken. It was weird, I build hundreds of machines each year with the purpose of testing – and invariably breaking them , so why was this different?

It wasn’t different, it was a failure of adjusting my mindset to fit the situation and letting implied pressure of the exam get to me. I’d read other blogs about how people struggled and let their stories compound the “this is going to be really hard” mindset. I hit a wall at a certain point and refused to attempt to climb it.

That’s when I failed.

I honestly though “Well I’m crap at this, let’s never bother with penetration testing again and I’ll stick with my day job.”

Take Two

This where friends, time and a good night’s sleep make the world of difference.

The few days after the failing the exam I gathered up all my notes and records, review them and cleared them up in to an ordered fashion. I realised I had a huge amount of information I hadn’t applied, taken in to account or even tried. With some, okay – a lot, encouragement from friends the exam re-booked.I had twenty days to get back on the program. I did some serious reading and re-practicing of some of the lessons, while attacking home built systems.

My second exam try was a very different experience. I went in with goals and enforced break times. My notes and thoughts were well detailed and ordered. I review my notes and findings after each break, which helped keep a clear perspective of what I was doing and what I’d tried. This time round I completed the exam in 8 hours, successfully getting all the targets in that time. I still made some stupid mistakes, but being able to review my notes I corrected my mistakes after taking a break or two. The only real mistake I didn’t correct was burning the same pot twice while attempting to cook pasta during food breaks. Oops.

Lessons Learnt

Failing the exam was actually a great lesson in itself and worth the 12 hours I spend feeling sorry for myself , staring at “impossible” targets to hack during the first exam. I knew the targets could be hacked, but by putting them in the” too hard bucket” I wasn’t giving myself a fair chance.

Top three tips

Study with someone else, great to bounce ideas off and helps get a better understanding of questions and topics.

Lurk in the IRC chat room and troll through the forums, there’s great gems in there.

Remember to review your findings and double check your findings. It’s all too easy to make simple mistakes and get dishearten despite having the right freakin’ answer all along.

Thanks Damian and Ash for your encouragement and having to put up with my whining/rants.

So far, it looks excellent and for a great cause too.

METASPLOIT UNLEASHED – MASTERING THE FRAMEWORK

This free information security training is brought to you in a community effort to promote awareness and raise funds for underprivileged children in East Africa. Through a heart-warming effort by several security professionals, we are proud to present the most complete and in-depth open course about the Metasploit Framework.      This is the free online version of the course. If you enjoy it and find it useful, we ask that you make a donation to the HFC (Hackers For Charity), $4.00 will feed a child for a month, so any contribution is welcome. We hope you enjoy this course as much as we enjoyed making it.  The “full” version of this course includes a PDF guide (it has the same material as the wiki) and a set of flash videos which walk you though the modules. You may purchase these materials from the Offensive Security Training page. All proceeds from this course go to HFC.

I have my email from the BackTrack team confirming access to the training material, videos and labs.

Downloaded all the files, checked the videos ran and the PDFs had content, then connected to the labs.

The VPM worked as advertised, so I could ping a system at the far end. Now, you have access to an XP machine, so using the command

rdesktop -u username – p password IP address of my XP machine

Bingo, straight in.

Work is picking up the bill for this course, so I have opted for the two months of labs. Well, it would be rude not too.

The plan, I say this in the loose possible fashion, is to spend an hour a day working through the material and the supplemental links. Whether this actually takes place is up to me, but being goaded in to putting in the effort to keep up with Ash and Damian should be a major help. Or hindrance.

As an aside, the folks over at Ethicalhacker.net have a piece up on one of them taking the course. Look forward to see how he finds it.

Now as a Windows Admin, I have to updated everything. I have no choice, otherwise my MCSE status is revoked.

Once you have logged in to the laptop, plugged it in to LAN connection and are then faced the $ promp:

sudo start-network

This starts the networking manager (wicd) and will kick off DHCP, then to the updating of the OS and core BackTrack components.This includes a whole heap of the tools.

From the Offensive security blog

sudo apt-get update
sudo apt-get install -d linux-image
cd /var/cache/apt/archives/
sudo dpkg -i –force-all linux-image-2.6.30.5_2.6.30.5-10.00.Custom_i386.deb
sudo apt-get dist-upgrade

UPDATE: something appears broken in the update in postgresql-8.3

Errors were encountered while processing:
postgresql-8.3
postgresql
E: Sub-process /usr/bin/dpkg returned an error code (1)

Full credits to Dave for posting this fix:

cd /etc/ssl/certs
make-ssl-cert generate-default-snakeoil –force-overwrite
/etc/init.d/postgresql-8.3 restart

Everything is happy again, back to the install -

sudo apt-get install madwifi-drivers
sudo apt-get install r8187-drivers

Sudo shutdown -r now

sudo fix-splash (This fixes the boot up screen to have the pretty BackTrack border)

NOTE there are two dashes (-) in front of the force all switch, if you don’t put in two dashes, it gives you a nasty error message.

This little lot is about 400mb in downloads.

Then type startx at the $ prompt to get back to the safe and comforting Windows environment – phew.

Now, I like all the shiny tools in MetaSploit and frankly want to have them all now, regardless if I can use them.

So from a terminal console window

cd /pentest/exploits/framework3/

$ sudo svn update

Then in to Firefox

Tools – AddOns and Find Updates

The only annoying thing is there is an old version of Wireshark which does not want to be updated. Will work on that.

Okay, latent skills may be a huge over exaggeration, but, in the wacky world of IT operations having to understand new, totally  unrelated skills is just one of those things.

So to get myself to a point that I won’t burst in to tears at the sight of a bash prompt, I install BT4 on an old laptop and nipped down to the bookshop.

Since the current BackTrack 4 distro is based on Ubuntu 8.04 (Hardy Heron) I picked this book to use as a reference source:

Ubuntu Unleashed 2008 Edition: Covering 8.04 and 8.10 (4th Edition) (Paperback) – roughly 700 pages
The Ubuntu book is a bit of a bust; it veers in odd directs and feels like the editor didn’t pay attention to the flow and feel of the book’s subject or target audience.

The book starts for me at chapter four, as the first three chapters are just confusingly written. The book has some useful information but I will probably use it for reference as it’s hard to follow. I’m not an Ubuntu expert, so I would have done much better with Keir Thomas’ Ubuntu Pocket Guide and Reference. It’s a free, about 100 pages and very well written.

As an overview of the fuzzing and programming concepts of the course I went for:

Gray Hat Hacking, Second Edition: The Ethical Hacker’s Handbook (Paperback) – roughly 500 pages

Great book, but it jumps in to the deep end without showing any remorse.  If your idea of programming is BASIC, nice cups of tea and biscuits, this is a nasty surprise. This should be tremendously useful should I be able to understand anything past chapter Six. Excellent step by step explanations, but still complex stuff to master.

I could spend a week, or five, walking through the chapters and the additional reading recommended.

Managing to read through the entire book was a challenge in itself. The later chapters require you to understand the previous chapters and be able to apply that knowledge to the chapter. I will have to re-read those chapters while slowly working through the exercises for the book.

For scripting, Ash and Damian recommended the following two:

Learning Python, 3rd Edition

Learning Perl, 5th Edition (Paperback)

Buying O’Reilly is never a waste of money or time, so I picked up both of these.

I have given myself the goal of reading, cover to cover, three of these books before the course starts in fifteen day.

Fortunate for me, I have a long bus commute to and from work. Thinking of getting a cap with a propeller on it as well, just in case the scary IT book, furrowed brow and constant muttering to myself doesn’t point out I’m a geek.

I did pretty well on the exam, and should have left the offensive security side there, going back to tending my ever-growing, defensive side of the fence.

But no.

Carried by the enthusiasm of Damian’s initial experiences with the Penetration Testing with BackTrack course, formally known as OffSec 101, I had a look at the material and course.

At first glance it appears very similar to SANS 560, with similar tools, approaches and steps to attack targets, but with a focus on using BackTrack as the primary tool.

What caught my eye were the casually thrown in mentions on Bash and Python scripting, then Ollydbg and finally fuzzing. Only mildly terrifying words to a humble windows admin.

After further goading and kicking by Ash, I approached my boss to get funding to take the course. He got the training approved and now all I have to do is apply.

Am I ready to take on this course? Was Don Quixote?

Watch this blog space.