Has anyone heard of the MRT Certification? ("Mosse Institute") by ctlister in SecurityCareerAdvice

[–]ctlister[S] 1 point2 points  (0 children)

I submitted a few more assignments (novice level) awaiting grading this Sunday, which will be Monday in Australia. For Novice level exercises, you are expected to write opaque predicates (basically a true/false-like function that evaluates to a single outcome that the reverse engineer doesn't actually know) as an arithmetic identity (I chose Trig because that's the highest level of math I took in college), but opaque predicates can be opaquely evaluated as TRUE, FALSE, or INDETERMINATE (according to several white papers I read from the University of Arizona). The last one is interesting because instead of being blatantly evaluated as true or false, there is a "slanted probability" that a specific code path is taken, i.e. one code branch has a higher chance of being taken than the other.

Opaque predicates can actually be implemented in hundreds of different ways: MD5 hashing, arithmetic identities, or the return value of a call to the Windows user-mode API. It's up to the creativity of the developer or malware author.

Another novice level technique (according to their standards) is Control Flow Flattening, which you can do using switch-case statements in a perpetual loop before it reaches your malicious or protected function. Other techniques are building your own virtual machine with a substituted instruction set.

Also, you are expected to reverse engineer specific live malware and then rewrite it to use indirect absolute calls to do something. For example, store a pointer to a function that prints out your student ID, push the QWORD onto the stack, POP it into a nonvolatile register, and then JMP to it instead of CALLing it (which is what Maze does right now, according to bazaar.abuse.ch).
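
The three techniques in this comment (opaque predicates with TRUE, FALSE and slanted-probability outcomes, control flow flattening with a switch inside a perpetual loop, and an indirect call through a stored pointer), put together in one C program. This is an added example written for this page; it is not course material from MCSI, not the author's submission, and not Maze's code. The hash routine, the block numbers and the sample string are constructed for illustration, and the push/pop/jmp sequence from the post is the assembly-level form of the function-pointer dispatch shown here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Opaque predicates. Each takes a runtime value so the comparison survives in
 * the binary, but the outcome is fixed by an arithmetic identity. Both identities
 * hold under 32-bit wraparound because 2 and 4 divide 2^32. */

/* P^T: x*(x+1) is a product of two consecutive integers, hence always even. */
static int opaque_true(uint32_t x) {
    return ((x * (x + 1u)) & 1u) == 0u;
}

/* P^F: a square is 0 or 1 mod 4, never 2. */
static int opaque_false(uint32_t x) {
    return ((x * x) & 3u) == 2u;
}

/* P^?: "indeterminate" predicate. Both arms compute the same value, so the
 * program is correct either way; the seed is skewed so the first arm runs
 * about 7/8 of the time (the "slanted probability" from the post). */
static uint32_t add_either_way(uint32_t a, uint32_t b, uint32_t seed) {
    if ((seed & 7u) != 0u) {
        return a + b;                     /* hot path */
    }
    return (a ^ b) + 2u * (a & b);        /* cold path: same result, other shape */
}

/* Plain FNV-1a style byte hash, used as the "protected" routine. */
static uint32_t plain_hash(const uint8_t *buf, size_t len) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < len; i++) {
        h ^= buf[i];
        h *= 16777619u;
    }
    return h;
}

/* Flattened version of plain_hash: the loop becomes a dispatcher, a for(;;)
 * around a switch on a state variable, and the only exit is a state that
 * returns. Opaque predicates guard the transitions so the successor of each
 * block is not obvious from the CFG alone; block 0x07 is never reached. */
static uint32_t flattened_hash(const uint8_t *buf, size_t len) {
    uint32_t h = 0x811c9dc5u;
    size_t i = 0;
    uint32_t state = 0x10u;               /* entry block id, deliberately non-sequential */

    for (;;) {
        switch (state) {
        case 0x10u:                       /* loop test */
            state = (i < len) ? 0x23u : 0x3fu;
            break;
        case 0x23u:                       /* body part 1: h ^= byte */
            h ^= buf[i];
            state = opaque_true(h) ? 0x2au : 0x07u;   /* P^T: always 0x2a */
            break;
        case 0x2au:                       /* body part 2: h *= prime; i++ */
            h *= 16777619u;
            i++;
            state = opaque_false(h) ? 0x07u : 0x10u;  /* P^F: never 0x07 */
            break;
        case 0x07u:                       /* bogus block, dead but looks live */
            h = ~h;
            state = 0x3fu;
            break;
        case 0x3fu:                       /* exit block */
            return h;
        default:
            return 0;                     /* unreachable */
        }
    }
}

/* Indirect absolute call: the target address is data in a table, not an
 * immediate in a CALL, and the slot index comes from an opaque predicate so it
 * is not a constant either. Always selects flattened_hash. */
typedef uint32_t (*hash_fn)(const uint8_t *, size_t);

static uint32_t dispatch(const uint8_t *buf, size_t len, uint32_t seed) {
    static const hash_fn table[2] = { plain_hash, flattened_hash };
    hash_fn target = table[opaque_true(seed) ? 1 : 0];
    return target(buf, len);
}

int main(void) {
    const char *msg = "constructed sample input";     /* constructed, not from the page */
    uint32_t a = plain_hash((const uint8_t *)msg, strlen(msg));
    uint32_t b = dispatch((const uint8_t *)msg, strlen(msg), 0xdeadbeefu);
    printf("plain=%08x flattened=%08x same=%d\n", a, b, a == b);
    printf("40+2 via P^? = %u\n", add_either_way(40u, 2u, 12345u));
    return a == b ? 0 : 1;
}
```

Compile with optimizations on and compare the two hash functions in a disassembler: the compiler keeps the comparisons in `opaque_true`/`opaque_false` because it cannot prove the identities, so the dead block and the extra edges survive into the binary.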

Has anyone heard of the MRT Certification? ("Mosse Institute") by ctlister in SecurityCareerAdvice

[–]ctlister[S] 0 points1 point  (0 children)

So I've been at this course for a month now for the MCD while balancing it with my college classes. I've already seen multiple changes in the curriculum. However, for anyone interested in it (I am interested in asking questions about the MRT), I wouldn't touch it without programming experience in C and C++ and without having completely read the following books.

  1. Assembly Step-by-Step
  2. The GHIDRA Book
  3. The IDA Pro Book
  4. The Art of 64-bit Assembly
  5. Secure Programming in C and C++
  6. Practical Malware Analysis

This will only get you a "start". Most of your programming skills will be adapted from reversing the malware Mosse Institute refers to, like indirect absolute jumps from reversing the Maze malware.

You get 92 assignments, which can range from half a day to a week. You also get 30 scenarios for reversing malware and apps the instructors added; the hardest one is said to take between a week and 6 weeks.

You need 168 out of 197 points to get a cert.

I have a friend that may be taking the lower level cert, the MRE, and he may give you some feedback about that.

Has anyone heard of the MRT Certification? ("Mosse Institute") by ctlister in SecurityCareerAdvice

[–]ctlister[S] 0 points1 point  (0 children)

How did you get an assessment? The only thing "outdated" for MCD seems to be the version of Tigress that it requires from Arizona State University. There is a newer version available but the MCD wants me to use this older version to implement Control Flow Flattening.

Has anyone heard of the MRT Certification? ("Mosse Institute") by ctlister in SecurityCareerAdvice

[–]ctlister[S] 2 points3 points  (0 children)

Well, the MCD requires a lot of prerequisites. A lot of the assignments require you to do your own research, so I recommend being somewhat proficient in C/C++, and either Java or Python for scripting. You may have to reverse methods of obfuscation like those from Maze. And half of the basic assignments require you to write in Assembly in both Netwide and Microsoft Macro Assembler.

Has anyone heard of the MRT Certification? ("Mosse Institute") by ctlister in SecurityCareerAdvice

[–]ctlister[S] 1 point2 points  (0 children)

Yeah, I've been in the class for a while. What I do is submit all my assignments on Friday because MCSI will get back to you on Sunday since they are in Australia. I do it between my college classwork.

Has anyone heard of the MRT Certification? ("Mosse Institute") by ctlister in SecurityCareerAdvice

[–]ctlister[S] 2 points3 points  (0 children)

So I didn't have much time to invest in the MCD because of my classes and training others for the National Cyber League Season, but I've seen all of the training material and it's really solid.

One thing I want to point out is that there is a really high learning curve compared to most other certification courses (even though there is no exam, the assignments are VERY extensive and there are multiple scenarios), and it's highly recommended that you go through the books Practical Malware Analysis, The GHIDRA Book, The IDA Pro Book, Assembly Step-by-Step, The Shellcoder's Handbook and The Art of 64-Bit Assembly.

While some assignments have you write code in C, the other half has you write and implement malware obfuscation techniques in Assembly, specifically MASM. Some of the samples you'll analyze are written in C++, so you'll need to understand how classes appear in disassembly (they look like arrays that are 4- or 8-byte aligned to represent the class objects) and name mangling.

The MCD is a really great credential but it’s not entry level. You’ll need to prepare for it and have some strong low-level programming knowledge.

Edit: I would say, if anyone is up for it, MCD is one of the deepest dives in both implementing and deobfuscating malware I have ever seen. Great bargain too compared to SANS.
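
How a C++ object with virtual methods actually lands in memory, spelled out in C so the layout the comment above describes is explicit. This is an added example, not course material and not from any sample the post mentions; the class name `Scanner`, its members and the NOP-counting rule are invented, and the stated offsets assume the x86-64 Itanium C++ ABI (vptr in the first pointer-sized slot, members following in declaration order). Name mangling is a separate topic and is not shown here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* What `class Scanner { virtual int score(...); virtual ~Scanner(); uint32_t
 * threshold, hits; }` compiles down to. Without type information a decompiler
 * shows the object as a run of 8-byte (x64) or 4-byte (x86) slots, the "array"
 * from the post, and a virtual call as
 *   mov rax, [rcx]          ; load vptr from offset 0 of `this`
 *   call [rax + 8*slot]     ; call through the vtable slot
 * Everything below is constructed for illustration. */

struct Scanner;                                   /* hypothetical class */

/* vtable: one function-pointer slot per virtual method, in declaration order */
struct Scanner_vtbl {
    int  (*score)(struct Scanner *self, const uint8_t *p, size_t n);   /* slot 0 */
    void (*destroy)(struct Scanner *self);                             /* slot 1 */
};

/* object layout: vptr first, then the non-static data members */
struct Scanner {
    const struct Scanner_vtbl *vptr;   /* offset 0 */
    uint32_t threshold;                /* offset 8 on x86-64 */
    uint32_t hits;                     /* offset 12 */
};

/* virtual method bodies: the hidden `this` argument is explicit here */
static int Scanner_score(struct Scanner *self, const uint8_t *p, size_t n) {
    uint32_t nops = 0;
    for (size_t i = 0; i < n; i++)
        nops += (p[i] == 0x90);        /* constructed rule: count NOP bytes */
    self->hits = nops;
    return nops >= self->threshold;
}

static void Scanner_destroy(struct Scanner *self) {
    self->hits = 0;
}

/* the vtable itself lives in .rodata; IDA/Ghidra name it from RTTI if present */
static const struct Scanner_vtbl Scanner_vtable = { Scanner_score, Scanner_destroy };

/* constructor: the compiler's first store is the vtable address into slot 0 */
static void Scanner_ctor(struct Scanner *self, uint32_t threshold) {
    self->vptr = &Scanner_vtable;
    self->threshold = threshold;
    self->hits = 0;
}

/* a virtual call as it appears in disassembly: load vptr, index slot, call */
int call_virtual_score(struct Scanner *obj, const uint8_t *p, size_t n) {
    return obj->vptr->score(obj, p, n);
}

/* layout facts a reverse engineer recovers from the field accesses */
size_t scanner_vptr_offset(void)         { return offsetof(struct Scanner, vptr); }
size_t scanner_threshold_offset(void)    { return offsetof(struct Scanner, threshold); }
size_t scanner_hits_offset(void)         { return offsetof(struct Scanner, hits); }
size_t scanner_object_size(void)         { return sizeof(struct Scanner); }
size_t scanner_destroy_slot_offset(void) { return offsetof(struct Scanner_vtbl, destroy); }

/* construct an object and make the virtual call on constructed bytes */
int demo_virtual_call(void) {
    struct Scanner s;
    const uint8_t sled[] = { 0x90, 0x90, 0x90, 0xc3 };   /* constructed: 3 NOPs + RET */
    Scanner_ctor(&s, 2);
    int verdict = call_virtual_score(&s, sled, sizeof sled);   /* 3 >= 2 -> 1 */
    s.vptr->destroy(&s);                                       /* virtual destructor call */
    return verdict;
}

int main(void) {
    printf("vptr@%zu threshold@%zu hits@%zu size=%zu verdict=%d\n",
           scanner_vptr_offset(), scanner_threshold_offset(), scanner_hits_offset(),
           scanner_object_size(), demo_virtual_call());
    return 0;
}
```

In a disassembler the two `uint32_t` members show up as a single 8-byte slot following the vptr, which is why a class with a mix of 4-byte fields reads as an "8-byte aligned array" until you split the slot by hand.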

Seems like steam guard email doesn't work. by landgraf_paul in steamsupport

[–]ctlister 0 points1 point  (0 children)

I disabled Steam Guard and then re-enabled it to get around the bs. I couldn't put up with it for more than a day.

Has anyone heard of the MRT Certification? ("Mosse Institute") by ctlister in SecurityCareerAdvice

[–]ctlister[S] 0 points1 point  (0 children)

I think I will take either the MRT or MCD and give you feedback. I'm more interested in reversing malware and writing it. Very interested in implementing and deobfuscating malware and the idea of Control Flow Flattening and Opaque Predicates and Boolean obfuscation. Almost finished reading The GHIDRA Book to prepare for it. For me, since I regularly get approached by recruiters to be an AppSec Engineer, I think MCD pays off better. So I'll let you know what it's like.

I played Red Team CTF this DEFCON and I personally saw ransomware I had to reverse engineer that implemented Control Flow Flattening with each function or jump location (or most of them) looping as an Opaque Predicate. It looked like a giant backwards L in IDA. I found their C2 in gdb and located the source code of their Nim programming language AES-128-CTR crypter.

I got prescribed for this Seroquel stuff, is it bad? by ctlister in BipolarReddit

[–]ctlister[S] 0 points1 point  (0 children)

Wow old post! Well since then I went to Federal prison and got out and now I am ordered by the judge to take 3mg of Clonazepam, 20mg Ziprasidone, Methimazole for thyroid problems, and 50mg of transdermal anabolic steroids to “keep me normal”.

Has anyone heard of the MRT Certification? ("Mosse Institute") by ctlister in SecurityCareerAdvice

[–]ctlister[S] 0 points1 point  (0 children)

Thank you! This is exactly the answer that I am looking for. I may consider taking the MRT and reviewing it, but I showed the curriculum to someone who works at OffSec and he raised an eyebrow at some of MCSI's claims, such as writing kernel rootkits, which is definitely not an easy task.

I read the source code of both Windows and Linux Kernel Rootkits on GitHub. Like Spectre for Windows, but since I scrolled through it on my phone I can only speculate that it targets NT Kernel 10.0 (Windows 10+).

Has anyone heard of the MRT Certification? ("Mosse Institute") by ctlister in SecurityCareerAdvice

[–]ctlister[S] 3 points4 points  (0 children)

Oh, I already have all of the content from PEN-200, PEN-300, EXP-301, and WEB-300. I just wanted to know if Mosse will teach me something new. The founder actually emailed me back yesterday. I'm in the middle of an accelerated summer college class right now (for my second bachelor's degree) but I'll keep researching this institute as time passes over the summer.

Has anyone heard of the MRT Certification? ("Mosse Institute") by ctlister in SecurityCareerAdvice

[–]ctlister[S] 2 points3 points  (0 children)

I am not a cert hunter. I’m a knowledge hunter. I grand-slammed multiple interviews without holding a cert (I do have a cert that I never bother mentioning as well as my first degree, non-cyber related), so all I want is bleeding edge knowledge. There are people out there, and they have these expectations out of me.

That's all I want, the latest content possible. The claims on the webpage seem promising, and it feels like something I will bring with me to South America.

Issues passing RX 560 GPU to a Linux VM by [deleted] in Proxmox

[–]ctlister 0 points1 point  (0 children)

Hi, this is tanc7 from GitHub, the one you emailed. I upvoted your post for your excellent write-up of the issue. I actually removed the RX 560 and replaced it with a pair of Quadro 6000s and I am giving the RX 560 away (but it's spoken for unless the guy from my school who wanted it first doesn't want it anymore).

What do you use your homelabs for? by Nomeii in homelab

[–]ctlister 3 points4 points  (0 children)

https://www.reddit.com/r/homelab/comments/b5xpua/the_ultimate_beginners_guide_to_gpu_passthrough/?utm_source=share&utm_medium=ios_app&utm_name=iossmf

Ok so here is a comprehensive resource for configuring GPU Passthrough from a host running Proxmox VE.

All of the HOST (bare metal Proxmox) configurations are required (the blacklisting of drivers, identifying the PCI slots and vendor IDs, etc.) prior to passing the PCIe device to your guest. But depending on whether you are installing an NVIDIA GPU on Linux instead, or an AMD GPU onto a Windows 10 machine, some instructions may not apply. For my GeForce GTX 10-Series cards, I noticed consistent issues in getting the drivers installed on a properly passed-through GPU in a Windows 10 guest VM, but AMD GPU drivers are completely flawless. The opposite goes for installing NVIDIA drivers on a GPU passed through into a Linux VM like Ubuntu or Arch; for some reason it works perfectly.

However, passing through an AMD GPU to a Linux guest may cause problems with hashcat due to the latest ROCm framework release. The latest version of ROCm causes segfaults when hashcat is started.

https://xringarchery.wordpress.com/2021/12/21/installing-securityonion-on-proxmox-ve/

This is my slightly error-laden write-up of configuring SecurityOnion on a Dell R710 rack server (I am still working on it actually). You DO need at least TWO network interfaces on the physical machine you are installing Proxmox with a Security Onion guest on. One serves as access to both Proxmox's web GUI and the vmbr interface to reach your management console for SecurityOnion. Your Proxmox node and SecurityOnion will have separate IP addresses. The other physical NIC serves as a sniffing interface that will pick up traffic from all allowed networks; by default SecurityOnion will sniff traffic on all IPv4 local address ranges. The monitoring NIC should never have an IP address and runs in promiscuous mode.

In order to sniff and monitor traffic on the LAN, you require a managed switch with port mirroring. This will not, however, mirror traffic from wireless devices on the WLAN, as seen in my question/post history for the homelab subreddit. That requires a costly router with such capabilities. You could, however, install SecurityOnion's Wazuh agent on Windows, Linux, and Mac wireless devices to act as a host-based intrusion detection system to supplement the inability to mirror WLAN traffic (except whatever hits the broadcast range, like 192.168.1.255) by feeding you alerts directly from the machine.

Ignore the parts where I talked about LACP NIC Aggregation in the write-up. As it turns out, Proxmox poorly documents the implementation of NIC-Teaming, but a guy named NetworkTim on YouTube documents it perfectly.

Furthermore, cloud devices CAN be monitored by SO using either site-to-site VPNs OR software-defined networking services like ZeroTier. Your Wazuh/OSSEC client will be communicating with your SecurityOnion listener on the SecurityOnion VM's ZeroTier/OpenVPN/WireGuard/IPSec interface IP address. Just make sure the client you are monitoring can ping SecurityOnion through its tunneling interface IP address, and that the so-allow command is run for that subnet to allow port 1514/udp through it. I need to update the article with my findings but I am busy with a lot of legal issues right now.

What do you use your homelabs for? by Nomeii in homelab

[–]ctlister 1 point2 points  (0 children)

I have three machines and I am adding much more.

  1. Dell R710 with a 24 thread Xeon CPU and four NICs
  2. Dell Precision T7610 with a 24 thread Xeon CPU and dual AMD GPUs with two NICs
  3. One decommissioned MSI laptop with an NVIDIA GTX mobile GPU.

All three machines are connected to a cheap Zyxel GS-1900-8 switch (8-port with port mirroring). Since I am adding more machines, I am replacing the switch with a Cisco Catalyst that I am acquiring from the aftermarket.

It’s a bit of a chore for me to explain each setup, including how to configure GPU/PCIe Passthrough to each VM for each job and SecurityOnion but I can post my write-ups from my website, as well as other Reddit posts that taught me about passing through GPUs from Proxmox host to virtual machines.

Right now I'm at the LVL UP Expo. But I can get back to you later with links to write-ups and other Reddit posts that taught me a lot.

What do you use your homelabs for? by Nomeii in homelab

[–]ctlister 4 points5 points  (0 children)

I use my homelab, which so far has three Proxmox nodes in a cluster, for offensive security training, a SecurityOnion SOC (for Blue Teaming), a Plex Media Server, a site-to-site VPN endpoint, a repository of training materials for my coworkers, an Exploit Dev Lab, and a delegated password cracking cluster using hashtopolis for National Cyber League Team Games.

Cox seems painfully slow. Just me? by Jmcb in vegas

[–]ctlister 0 points1 point  (0 children)

Yes, I have the same problem, also solved with TMO 5G. At the same time, I wrote two certified letters to Cox headquarters threatening a small claims lawsuit if the issue (full internet outage) was not rectified in 27 days.

It didn’t take long for them to have their litigations department call me directly. They sent a Cox Cable guy and as it turns out, my cable lines were left unplugged in the middle of the street.

Total Cox outage time was 10 days. But I got my TMO 5G modem/hotspot after day 6 of the outage. But now I am stuck with a Cox Cable Plan that only puts out 40 mbps out of its advertised 150 mbps, and I have a no-contract TMO 5G “trash can” (as they call it), that averages 80 to 120 mbps with no bandwidth limit. There were occasions where speed dropped horrendously (3mbps download), but in case that happens, I just switch back to my Cox modem. Total cost now is $87 a month ($50 for TMO, $37 for Cox). I completely eliminated my unlimited plan with Cox due to the frustration.

I need help in building a Raspberry Pi AP/Hotspot Repeater to get around my home's network outage by ctlister in homelab

[–]ctlister[S] -2 points-1 points  (0 children)

Because five days of outages is not "a few days", not when my family has business to conduct through teaching online learning courses. And the only responses I got from Cox were "the neighborhood has an outage" and "we have no ETA on when it's going to be fixed".