hands on hacking essentials (hohe) @ clarified security
the training was given by taavi sonets, and it lasted 2 days. the other attendees were sysadmins and devs from larger companies
first on the menu was an introduction to hacking history, with some funny and scary stories thrown in
then it’s straight into some action! they have a nice ‘scoring server’ which supplies targets and sub-goals with point values, gives hints (which subtract points), and into which one enters proofs. you get extra points for being first in the group to complete a goal
i’d say there were 3 main parts to the course
first up is ‘old school’ hacking: no frameworks, no GUIs, basically no modern convenience tools — just command line. having completed offensive security’s oscp course i’m very familar with this style of penetration and its considerable frustrations, since that course aims to teach you the fundamentals and what’s ‘under the hood’ of all the niceties that are available nowadays. i’ve been told that some professional penetration testers who were ‘raised’ solely on today’s convenience tools actually have trouble with the oscp because it’s so low level (relatively speaking)
next up is an introduction to modern tooling as applied to solitary targets — we’re talking metasploit and armitage. i’d used the msfconsole only a handful of times before in the oscp, apart from reverse shell handling with meterpreter of course, because the oscp tells you to avoid it (and its use is heavily restricted in the exam, so better not to rely on them at all!). however, i had separately followed offensive security’s ‘metasploit unleashed’ free online course and played around, so i was in pretty familiar territory there
my first look at armitage was the day before the course, viewing the instructional videos created by the tool’s creator. i was pretty blown away. and it was 10x better to actually use the thing in the course and marvel at the convenience it affords. sure, it’s got some bugs and idiosyncracies, but it’s free, and is just generally awesome. apparently it is a pita to manage its relationship with metasploit though, and end user fixups are sometimes needed to make them work properly together. the same author also created ‘cobalt strike’, a pro (paid) tool designed for red teams which i’m told has no metasploit dependency AT ALL! it’s worth pointing out that we didn’t cover armitage’s team support capabilities in this course. this is probably covered on one of clarified’s more advanced courses, and using cobalt strike instead
the last part of the course lasted all of day 2, and was almost exclusively working with armitage to perform a network takeover of a phony company with 3 internal networks — the usual suspects of recon, exploitation of various sorts (remote, client side, watering hole, …), privilege escalation, evading or pwning firewalls, pivoting and port forwarding, network sniffing, credential extraction, pass-the-hash… the other 10% was concerned with necessary support tools along the way for backdooring/trojaning, antivirus avoidance (modern avoidance that actually works well!), and so on.
so although i was familiar with pen testing ‘the old school way’, from rooting and looting 60 machines in the the oscp, i picked up a heap of interesting and useful stuff from this course about more modern tooling
regarding the competitive aspect of the course, namely the points, i made many mistakes. firstly, i did not ‘play to win’ at first. i took one hint just to see how it would make the scoring server behave! i took another one with a mis-click… more points lost. i also got way ahead of the actual class instruction and took some hints because they were pretty much necessary in order to continue without instruction (for example the goal was vague enough that one could be ferreting around all over the place for hours trying to find a piece of information, whereas the hint narrowed it down nicely). the rest of the group were pretty much following along with the actual instruction, and so were getting spoon-fed answers — no hints required at all
on day two i started to play competitively, took only a few hints, and completed everything ahead of the game — racking up those bonus points for being first to achieve a goal, to offset the necessary hint cost. i also managed to achieve a goal which apparently had not been completed by anybody else for about a year! i was pleasantly surprised by that. anyway, despite my game-playing not being totally on-point, i managed to get first place, and won a mug :-p
everybody agreed it was a great course: “eye opening”, “scary”, “fun”, “got what i came for”, “highly educational”, “very interesting”, etc. people were generally in agreement that the course was quite fast-paced, which is a lot better than it being too slow
thanks to taavi and clarified security!