Penetration with Kali (PWK) Review Guide after having completed 90 lab. Resources and tips to help fellow hackers develop & execute a plan for attacking the lab network.
Legal Usage: The information provided by execute@will is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only preform testing on systems you OWN and/or have expressed written permission. Use information at your own risk.
By continued reading, you acknowledge the aforementioned user risks/responsibilities.
Abstract
This overview will be a 10,000ft internal view of Penetration with Kail (PWK )course/lab and explain procedures, contain personal thoughts and methodologies used throughout the 90 day training window purchased. This is to be used as a resource guide and will NOT contain any specifics pertaining to actual machines in the lab.
Initial Impressions:
Penetration with Kali (PWK) course provided an environment to develop and hone in experience to aid in the completion of the Offensive Security Certified Professional (OSCP) certification.
Many throughout the web liken a comparison to Hackthebox (HTB) to which there are some similarities but having completed a 90 day training window I can attest that vaguely speaking I find HTB more challenging in that the rabbit holes are easier to find yourself in. Having practiced with multiple Vulnhub machines, countless hours of “his greatness” IppSec YouTube videos and hours spend reading and researching in preparation
Goal: Keep it simple develop foundation and build upon and grab every piece of prep material I can find along the way to help. Step two don’t get crushed.
Prior reading material/Courses
- Ethical Hacking - Cybrary
-
Advanced Ethical Hacking - Cybrary
- Linux Basics for Hackers - Occupytheweb - https://amzn.to/2OpdJ4c
- Hacking The Art of Exploitation - Jon Erickson - https://amzn.to/31SNiYw
- The Shellcoder’s Handbook - Chris Anley - https://amzn.to/2Oo0l09
- The Web Application Hacker’s Handbook 2nd Edition - Dafydd Stuttard - https://amzn.to/354e9Db
- OWASP Top 10 - OWASP - https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
- Red Team Field Manual - Ben Clark - https://amzn.to/2OmOfV7
- The Hacker Playbook - Peter Kim - https://amzn.to/2VizUL6
- The Hacker Playbook 2 - Peter Kim - https://amzn.to/2Mn8Vdg
- The Hacker Playbook 3 - Peter Kim - https://amzn.to/31PHxLl
- Violent Python - TJ O’Connor - https://amzn.to/31U4I7e
- Penetration Testing - Georgia Weidman - https://amzn.to/2OkEKG5
System Setup / Configuration
Hardware:
- 2013 Macbook Pro - https://amzn.to/2AKcJ2D
- 2.4 GHz Intel Core i5 - 8GB DDR3
- 1TB Samsung 970 - https://amzn.to/2ALF9cD
-
Undervolted with Volta
- Custom Small Form PC (sfpc)
- DAN A4 Case - https://www.sfflab.com/products/dan_a4-sfx
- Ryzen 7 1700 (would recommend 3rd gen) - https://amzn.to/31LNzfU
- TridentZ RGB 32GB DDR4 3200 - https://amzn.to/35cffws
- Samsung 4TB - https://amzn.to/2MamWdS
-
MSI GTX 1070 - https://amzn.to/2LMUlwq
- x1 Pwnogatchi via @evilsocket:(https://twitter.com/pwnagotchi)https://twitter.com/pwnagotchi
Software:
- VMware Fusion (mac) - https://amzn.to/2VdouIq
- VMware Workcenter (Windows10)
- Virtual Box (mac/Windows10)
Offensive Security Custom Kali Image - Would highly recommend using it and customizing it to your own needs as new distros can cause issues while performing PWK exercises.
Exported VMware image to OVA imported to Virtual Box. Personally prefer Virtual Box to VMware do to the simplicity and consistency. Maintaining image across multiple virtualization software also aid in redundancy when dealing with disaster recovery.
Managing VMs and Disaster Recovery
With my main PWK image being used within VMware to connect to Offsec VPNs for the course as mentioned keeping multiple backups is KEY throughout this course. Horror stories of people losing data and having to start from scratch. This doesn’t have to be you.
Real Life Example: Salute to @Djax_Alpha misery - “another one bites the dust”
source: https://twitter.com/Djax_Alpha/status/1174436036417597440
These are the steps I used to safeguard and backup my image:
Firstly, as soon as you have configured the PWK image
- Take an immediate snapshot.
- Export an OVF to an external thumb drive.
- Set a reminder on your phone to every week to at minimum perform the off system backup.
- Put thumb drive in the same location you would store your passport. (known secure location)
Personally it didn’t take not more then 2 weeks into PWK that I encountered my first full system loss. Woke up fired up VMware Kali was toast and would not boot.
Notes Taking
An essential skill for any aspiring pentester. Anyone with the knowledge of how to exploit vulnerabilities but in the end it’s the management of information and being able to write a detailed report of an engagement that separates the Professionals from the rest.
Watching many saving their notes with a popular application CherryTree (Link) there was one fundamental problem with keeping notes on the application in the VM — Image Dies, so goes your notes unless backed up.
OSCP Michael LaSalvia of DigitalOffensive had a great video explaining on how to setup rsync to backup cherrytree files to a google drive account that I’ll link below:
source: https://youtu.be/BvLMQMjV9YE
Reiterating, this is a solution but not my personal as I’m not a fan of relying solely on the VM image.
exec Notes Backup Solution
- Download the CherryTree application for windows - cherrytree_0.38.9_setup.exe
- Setup an OSCP folder locally
- Backup folder with Google Backup and Sync application - Link
The cherrytree application functions exactly as is does within the VM and now you have the application in a windows 10 environment that is inherently more stable. Following more or less the same framework by utilizing the Google Back up and Sync application your files are saved automatically in the background to the cloud.
Target Engagement Notes
Enter - Paper by Dropbox
I highly recommend that you take the same approach to off machine saving of target notes. I found that utilizing Dropbox Paper as an OUTSTANDING solution. Paper, uses the markdown language for streamlined organization with code blocks but also has a search function that parses through all notes you have taken. Simple put GAMECHANGER!
I cannot express the full extent of how easy paper made the not taking process and it was completely backup to the cloud. (connection of other people’s computers)
YouTube Dropbox Tour: https://youtu.be/BVCe8v7opUs
Information / Tools (binaries) Management
Throughout the course you will be downloading/cloning many GitHub repositories and may have found a treasure trove of information from others in the same pursue. Initially, I felt like a hoarder
Every piece of everything I began trying to find a place for it with the “I might need later” … It all became too much. Saving links from twitter to Google Keep (note taking application) just became overwhelming.
To this day still don’t have quite a solution for how to cut through all these weeds.
Takeaway
Save important commands and syntax to Dropbox Paper and use a hierarchy structure. Lean on the search feature to parse through notes.
Very important that you ensure your files are only visible to “Only you”
Attack Methodology
My initial thoughts after having connected the VPN server was “Ok, now what…” a bit of an overwhelming feeling that soon will subside as soon a you just remember this is YOUR training battlefield.
Network recon: A collection of recon scripts that were clearly laid out and offered tailored enumeration should you so be inclined. At the very least worth checking out
- Ucki’s Recon & Enumeration Pack - https://github.com/ucki/URP
- verison v.01 - https://github.com/ucki/URP-T-v.01
Structure
- Recon
- Enumeration of all version numbers found
- Search version number vulnerabilities with both duckduckgo and Google (discovered variations in search results)
- Establish foothold && a secondary shell (backup)
- Interpret your environment
- Search for vulnerable processes
- Elevate - “insert song Drake - Elevate”
- Run proof scripts
- Document steps taken to achieve this point — important
🎁 Gift to those who have gotten this far — hang on to for safe keeping: https://guif.re/
Final Thoughts
Penetration with Kali was an experience to say none the least. The levels of frustrations hit absolute peek levels and the 90 days seemed to have breezed by.
Honest advice, the course at times could be overwhelming but the will to endure needs to be more. Treating the targets as CTF’s is not the way to approach this situation. Your job is to learn how to discover vulnerabilities and exploit them and manage the documentation. It is here within the lab you hone that systematic approach.
Personally, I achieved 41/50 targets across all networks and while you can spend your time fighting against the “Big 4” I personally left them for the end and only accomplished 2 of 4.
Lastly, do yourself a favor after you enter the lab plan to take breaks to manage your sanity. You will quickly get burnt out and I found that taking time to physically work out help balance the mental strain — Trust me on this one.
Believe in yourself.
-Executeatwill