One of the odd things about working in an OS that you hardly ever use is there’s no “where is everything and how do I use it” button. Google brings up fifty ways to do the same thing, yet the syntax doesn’t quite work. I’m pretty sure most of the learned *Nix folks would be shaking their heads at the blundering of a Windows Admin in their home turf.

Thank goodness for the “revert to snapshot” button on in VMware workstation for when I download every piece of software for no real reason and stuff up a perfectly working environment.

Let me give you an example.

One of the objectives in the GSE is a simple netcat relay followed by lots of weird and twisted relays, then shove shell back to you with the lovely # prompt.

Normally this is easy, jump on to the final box type in nc –l –p 80 –e /bin/sh. Not on Fedora, which doen’t like the -l and –p being run together. So nc –l 80 –e /bin/sh then?

No – Fedora’s default installed out of the box netcat stops the evil shenanigans of the –e excution command. Oops, so you have to go and get then install another version of netcat, such as the original written by the Hobbit (make netcat, as along as long as there’s a complier on the box) which is on all Ed Skoudis’ SANS course materials or pulled download socat or one its friends.

Then using –e to shove a shell works tricks works fine.

Okay, so different OS have different versions of applications, but surely we could keep command syntax similar? Apparently not.

I decided to reach out for a bit of help and guidance, in the form of what books to read. The two I settled on were both recommendations by people in the know:

A Practical Guide to Fedora and Red Hat Enterprise Linux – Fifth Edition by Mark G. Sobell.

It’s all about Fedora 12, which is the subject of the current GSE Linux tests. Very solid and clear layout, comprehensively covering the features of Fedora and its syntax proving excellent examples

Unix and Linux System Administration Handbook – Forth Edition by Evi Nemeth, Garth Snyder, Trent Hein and Ben Whaley.

This one was recommended by Hal_Pomeranz, who wrote the SANS Linux 506 track, after I hassled him on twitter. This one goes covers many flavours of Linux and Unix, but it’s a marvelous journey through a SysAdmin approach to using *nix, making it a surprisingly easy read.

I don’t expect either book will make me a super admin over the next few weeks, but they go a great way to make me feel somewhat more at home and relaxed in Linux, rather than feeling like I just broken in to someone’s place and set fire to it.

The 18th of September is D-Day and I have to make it through to some point in the evening of the 19th, surviving what ever the fiendish SANS team have to throw at me at Caesars Palace in Las Vegas.

I still have a giant pile of books next to my bed read through and plenty of hands of exercises to drill tools, techniques and best practices in to what ever space I have left in my brain.

Just when the GSE exam ends, the main event of SANS Network Security 2010 kicks off on the 20th. 41 different SANS tracks are running, meaning a huge number of security professionals there to learn, understand and have a great time. Seems so unfair, so much to learn and so little time.

This is nothing new or exciting, I just keep forget the syntax so I’m leaving here to make it much easier to find/remember.

Interface Configuration

Interface named Local Area Connection with the static IP address 192.168.66.100, the subnet mask of 255.255.255.0, and a default gateway of 192.168.66.1:

netsh interface ip set address name=”Local Area Connection” static 192.168.66.100 255.255.255.0 192.168.66.1 1

Add multiple ip addresses

netsh interface ip add address ” Local Area Connection ” 192.168.66.101 255.255.255.0

netsh interface ip add address ” Local Area Connection ” 192.168.66.102 255.255.255.0

Configure DNS

netsh interface ip set dns “Local Area Connection” static 192.168.66.200

Add multiple DNS entries

netsh interface ip set dns “Local Area Connection” static 192.168.66.200primary
netsh interface ip add dns name=”Local Area Connection” 192.168.66.201 index=2

Configure WINS

netsh interface ip set wins “Local Area Connection” static 192.168.66.200

DHCP

Automatically obtain an IP address from a DHCP server:
netsh interface ip set address “Local Area Connection” dhcp

Get DHCP DNS/WINS settings:

netsh interface ip set dns “Local Area Connection” dhcp

netsh interface ip set wins “Local Area Connection” wins

Rename interface names

netsh.exe interface set interface name = “Local Area Connection” newname = “INT”

netsh.exe interface set interface name = “Local Area Connection(2)” newname = “Internet”

Disabling/enabling an interface

netsh interface set interface name = “Local Area Connection” admin = disabled

netsh interface set interface name = “Local Area Connection” admin = enable

Export your current IP settings

netsh -c interface dump > c:\current1.txt
import your IP settings
netsh -f c:\current1.txt
You can also use the global EXEC switch instead of -F:
netsh exec c:\current1.txt

LOOPS

FOR /L %I IN (2,1,20) DO netsh interface ip add address “Local Area Connection” 192.168.66.%I 255.255.255.0

This will add ip addresses from 192.168.66.2 to 192.168.66.20 with 1 step each time.

Examples:

http://technet.microsoft.com/en-us/library/bb490943.aspx

http://ss64.com/nt/netsh.html

Steve Sims has just posted up two YouTube videos on brute-forcing Address Space Layout Randomization (ASLR) on Linux straight out of the 709 courseware. Excellent timing.

Part 1: http://www.youtube.com/watch?v=DcaVyy4yu88
Part 2: http://www.youtube.com/watch?v=LRjsv5zAHjQ

Plus here is his article in Hackin9 on Hacking ASLR & Stack Canaries on Modern Linux http://hakin9.org/magazine/918-21st-century-hacking-technique

Jason Haddix linked this

http://measuringmeasures.com/blog/2010/4/19/7-tips-for-successful-self-learning.html

The folks at Cisco Security linked this:

http://etherealmind.com/why-the-ccie-program-is-more-useful-than-the-certification-itself/

I like to think each of us has to find our own way to study, whether it be driven by passion, need or simple curiosity.

My current method is to block out an hour from 8 to 9 pm for serious study. This means avoid distractions – random browsing, tv, tweets, books, arranging DVD’s in alphabetical order and so on – and focusing on one topic.

This, so far, has sort of worked.

Since passing the GSE written exam, I’ve been building up a lab, practical practice examples and a stock of reading reference materials. I’ll blab on about the books and what they are at some later point. An interesting aside, some of the operating systems used in the GSE exam have been updated. Backtrack 1 now becomes Backtrack 4 and Fedora 4 becomes Fedora 12 so a great time to master more current OS’s.

The two day practical part of the GSE exam takes place in Las Vegas on the 18th and 19th of September. This means I’ll finish two days of examination hell just in time for the SANS Network Security 2010 conference

As I’m in Las Vegas and SANS is running on of its biggest conferences of the year, I’d be remiss to not try to squeeze in a bit more training.

I’ve applied to be a volunteer as part of SANS work study program and crossing my fingers to be accepted. With forty courses on offer, my number one choice is Steve Sim’s Developing Exploits for Penetration Testers and Security Researchers.

This course is really out of my comfort zone and a huge challenge in itself, nevermind the GSE study that I’m doing. I’ve only really played with the skills the course has taught while studying for OffSec’s PWB exam, but the topic is compelling and will help lift the shroud of script kiddie tools that I use. With both Steve Sims and Jim Shewmaker teaching the course it, should be absolutely brilliant to be able to learn from both these guys and mature my understanding this complex piece of IT security.

I’ve noticed that some very smart cookies are taking this course, including Wesley McGrew. Great, real security researchers, coding gurus and me. Well,  at least I know I asking the person sitting next to me what this all means  should get a sensible answer 

While stuck on a bus, I was idly sifting through Apple’s app store when I found Packet Decode. Some what intrigued, I have a look at it and noticed it was made by my old SANS instructor. Hoping this wasn’t some wacky joke by Chris, I bought the app and had a play. The simple description is that is it a IP/ICMP/TCP & UDP (v4 and v6) cheetsheet on steroids.

This is pretty darn helpful as Chris has written clear description of each field within the packet and has some nifty filters for wireshark and TCPdump. Some though on how the info is displayed means this isn’t cumbersome to navigate, making it a function and useful portable reference. Now if only he added DNS section and my paper SANS TCP/IP cheetsheet could rest happy.

Great as a quick reference, memory jogger or, as I intend to unleash at the next geek pub crawl, away to torture those around me with random facts and demands to know the tcpdump filter syntax for detecting tcp packets with windows size of less than 100. Hours of fun!

Mr Brenton’s web site http://www.chrisbrenton.org/ has some great articles and a number of packet challenges well worth taking the time to work through.

The exam was very fair and tested knowledge and skills from all three courses. Had a few sweaty palm moments and a couple of “Doh!” when picking the wrong answer.

Now for the hard work and study to get ready for the two day practical. Will be charting the progress on the other blog to avoid insanity slip in here.

So far, it looks excellent and for a great cause too.

METASPLOIT UNLEASHED – MASTERING THE FRAMEWORK

This free information security training is brought to you in a community effort to promote awareness and raise funds for underprivileged children in East Africa. Through a heart-warming effort by several security professionals, we are proud to present the most complete and in-depth open course about the Metasploit Framework.      This is the free online version of the course. If you enjoy it and find it useful, we ask that you make a donation to the HFC (Hackers For Charity), $4.00 will feed a child for a month, so any contribution is welcome. We hope you enjoy this course as much as we enjoyed making it.  The “full” version of this course includes a PDF guide (it has the same material as the wiki) and a set of flash videos which walk you though the modules. You may purchase these materials from the Offensive Security Training page. All proceeds from this course go to HFC.

I have my email from the BackTrack team confirming access to the training material, videos and labs.

Downloaded all the files, checked the videos ran and the PDFs had content, then connected to the labs.

The VPM worked as advertised, so I could ping a system at the far end. Now, you have access to an XP machine, so using the command

rdesktop -u username – p password IP address of my XP machine

Bingo, straight in.

Work is picking up the bill for this course, so I have opted for the two months of labs. Well, it would be rude not too.

The plan, I say this in the loose possible fashion, is to spend an hour a day working through the material and the supplemental links. Whether this actually takes place is up to me, but being goaded in to putting in the effort to keep up with Ash and Damian should be a major help. Or hindrance.

As an aside, the folks over at Ethicalhacker.net have a piece up on one of them taking the course. Look forward to see how he finds it.