2. PWK General Introduction

I have tried to use ChatGPT to enhance my notes, with a mixture of the newer PWK modules; I hope you will find it helpful.
I’ve just started the Penetration Testing with Kali Linux (PWK) course. This course is designed for System and Network Administrators, as well as security professionals like me, who want to dive deeper into professional penetration testing.

The main goal of this course is to help me understand and replicate the kinds of attacks used by malicious entities on computers and networks. By learning how to perform these attacks, I’ll gain insight into how to improve security defenses.

The PWK course includes two main learning methods: Learning Modules and Challenge Labs. The Learning Modules teach me specific penetration testing concepts or techniques, while the Challenge Labs let me apply the skills I’ve learned.

Each Learning Module is broken down into smaller Learning Units, each focused on helping me achieve specific objectives. In this module, I’ll be covering the following topics:

  • Getting Started with PWK
  • How to Approach the Course
  • Summary of PWK Learning Modules
2.1 Getting Started with PWK

I’m diving into the "Getting Started with PWK" unit. Here’s what I’m going to cover:

  1. I’ll first take a look at what’s included in the course, making sure I know all the materials available to me.
  2. Then, I’ll set up my Attacking Kali VM, which is crucial for all the hands-on practice I’ll be doing.
  3. Finally, I’ll connect to the PWK labs using a VPN, which is where I’ll be applying what I learn.

I’m treating this training like learning a musical instrument—it’s about balancing knowledge with practice. This unit is all about getting the essentials in place so I can start practicing.

2.1.1 PWK Course Materials

I’ve got access to both Learning Modules and course videos. They overlap in content, so I can read the Modules and then watch the videos to fill in gaps, or do it the other way around. Sometimes the Modules are more detailed, other times the videos explain things better. It’s important for me to pay attention to both.

The Learning Modules come with various exercises. By completing these, I’ll get better at finding and exploiting vulnerabilities in the lab machines. Some exercises are straightforward, just asking for a solution from the text. 

Others are more involved, requiring me to work with a machine (or group of machines) to find a flag, which I’ll submit to the OffSec Learning Portal (OLP). The OLP will track my progress and let me know if my submission is correct.

Flags are generated when the machine boots up and expire when it shuts down. I need to submit the flag before reverting or powering off the machine, or else the OLP won’t accept it.

When connecting to Module Exercise VMs that need SSH, I should use specific options to avoid corrupting the known_hosts file on my Kali machine:

    ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" learner@192.168.50.52

This ensures my SSH sessions are smooth. I’ll also remember that Module Exercises only work on the x86-64 version of Kali Linux.

I’m ready to dive into these exercises and get hands-on with the material.

2.1.2 Student Mentors and Support

I can access the community chat on Discord through the Profile drop-down in the OffSec Learning Portal. Here, I can connect with Student Mentors and the Technical Services Team for help.

The Technical Services Team is there to assist me with any technical issues. If I need clarification on course material or exercises, I can turn to the Student Mentors. They can also offer small hints if I’m really stuck on an exercise or lab machine, but it’s important I’ve tried everything I can first.

The more details I provide about what I’ve tried and what happened, the better the Student Mentors can assist me. Being specific will help them guide me more effectively.

2.1.3 Setting up Kali

To complete the Module Exercises and Challenge Labs, I’ll be using virtual machines (VMs) in a lab environment. This setup includes:

  • My Kali Linux VM
  • The OffSec Learning Portal
  • A lab with target machines I can deploy
  • A VPN connection between my Kali VM and the lab

Kali Linux is an operating system designed for penetration testing and information security, and it’s open source and free. If I’m already familiar with Kali, I can skip this part, but if not, I need to install Kali on a VM.

Using a VM is more convenient and safer than installing Kali on a dedicated machine. It allows me to run Kali alongside my main OS (like Windows or macOS). I’ll use a hypervisor like VMware Workstation Player on Windows or VMware Fusion on macOS to install the Kali Linux VMware image.

Once set up, my Kali VM will have its own IP address and function much like it’s installed on a separate machine. The physical system running my main OS is called the "host machine," while the Kali VM is the "guest machine."

I’ll use the latest 64-bit VMware image of Kali Linux from the OffSec VM image download page. While other VM images (like VirtualBox or Hyper-V) or a dedicated installation could work, support is only provided for the VMware images.

Next, I’ll be setting up the VPN connection to access the lab.

2.1.4 Connecting to the PWK Lab

A VPN creates an encrypted tunnel over the public Internet to securely connect to a private network. Each connection to the lab is unique, so I won’t interfere with other learners. However, I should treat the lab environment as hostile and avoid storing sensitive data on my Kali VM.

Steps to Connect to the VPN

Step 1. Start Kali VM:-

Open Kali Linux and sign in to the OffSec Learning Portal using a browser.

Step 2. Download VPN Configuration:-

  1. Go to the Course drop-down menu and select PEN200.
  2. Click on the VPN download option to get a .ovpn file. Note where this file is saved.

Step 3. Connect to VPN:-

Open the terminal in Kali Linux.
Locate the .ovpn file:
    sudo updatedb
    locate pen200.ovpn

Move the .ovpn file to a new directory for easier management:
    mkdir /home/kali/offsec
    mv pen200.ovpn /home/kali/offsec/pen200.ovpn
    cd /home/kali/offsec

Connect using OpenVPN:
    sudo openvpn pen200.ovpn

Watch for the message "Initialization Sequence Completed" in the terminal to confirm a successful connection. Keep this terminal open as closing it will disconnect the VPN.

Step 4. Verify VPN Connection:-

Open another terminal tab (File > New Tab).
Check the tun0 interface with:
    ip a

The tun0 interface should have an IP address like 192.168.119.X.

Step 5. Lab IP Addresses:-

Lab machines will have IPs in the format 192.168.X.Y, where X matches the third octet of my tun0 address.

Step 6. Lab Access and Extensions:-

  • Lab time starts when the course begins and is continuous.
  • To extend lab access, use the Extend link in the OffSec Training Library. If access expires, purchase a new VPN pack from the course lab page.
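As an added example (my own helper, not part of the PWK course material): a small POSIX shell script that checks Step 4 and Step 5 without eyeballing the `ip a` output, deriving the lab network from the tun0 third octet as the notes above describe, plus a wrapper that keeps the known_hosts-bypassing SSH options confined to lab targets. The sample `ip -4 addr show` output is constructed so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added helper for the PWK VPN workflow (not from the course). Assumes the
# conventions stated in the notes: VPN interface tun0, lab hosts 192.168.X.Y.

# Print the IPv4 address assigned to tun0, given `ip -4 addr show` output as $1.
# Taking the text as an argument lets it be tested on constructed output.
tun0_address() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+: tun0/ { in_tun0 = 1; next }   # start of the tun0 stanza
        /^[0-9]+: /     { in_tun0 = 0 }         # any other interface stanza
        in_tun0 && $1 == "inet" { sub(/\/.*/, "", $2); print $2; exit }
    '
}

# Derive the lab network 192.168.X.0/24 from a tun0 address, X = third octet.
lab_subnet() {
    third=$(printf '%s' "$1" | cut -d. -f3)
    [ -n "$third" ] || return 1
    printf '192.168.%s.0/24\n' "$third"
}

# Live check: prints the lab network if the VPN is up, otherwise explains why not.
check_vpn() {
    addr=$(tun0_address "$(ip -4 addr show 2>/dev/null)")
    if [ -z "$addr" ]; then
        echo "tun0 has no IPv4 address: is 'sudo openvpn pen200.ovpn' still running?" >&2
        return 1
    fi
    lab_subnet "$addr"
}

# The options from the notes disable host-key verification, so use them only
# through this wrapper for lab hosts; normal ssh to anything else keeps its
# known_hosts protection.
lab_ssh() {
    ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" "$@"
}

# Constructed sample of `ip -4 addr show` output with the VPN connected.
SAMPLE_IP_OUTPUT='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    inet 192.168.1.20/24 brd 192.168.1.255 scope global dynamic eth0
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN
    inet 192.168.119.5/24 scope global tun0'
```

Run `check_vpn` in a second terminal after "Initialization Sequence Completed" appears; the value it prints is the range to scan for lab machines.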

2.2 How to Approach the Course

In this unit, I’ll focus on:

  • Developing a learning model based on increasing uncertainty.
  • Understanding the different components of PWK.

2.2.1 A Model of Increasing Uncertainty

Penetration testing is like poker, not chess. Unlike chess, where I know everything about the game state, in penetration testing, I don’t have all the information about the target. This means I have to make predictions and assumptions based on incomplete data. As a defender, I must protect my systems from possible vulnerabilities I might not fully understand.

In essence, hacking takes time because there’s always something unknown. If I knew everything about a target, I’d know exactly how to compromise it.

PWK teaches two main sets of skills:

1. Penetration Testing Techniques: I’ll learn how to gather information, exploit defenses, escalate privileges, and move laterally between machines.

2. Methodology and Approach: This part is about how to think and act in new situations, which is crucial because penetration testing often involves unfamiliar scenarios.

PWK includes seven types of learning methods:

  1. Learning Modules
  2. Demonstration Module Exercises
  3. Application Module Exercises
  4. Capstone Module Exercises
  5. Assembling the Pieces Module
  6. Challenge Labs (type one)
  7. Challenge Labs (type two)

These methods help me deal with increasing levels of uncertainty as I progress through the course.

2.2.2 Learning Modules

The Learning Modules are text-based and cover specific penetration testing concepts, techniques, and skills. Each module is about 30 to 50 pages long and comes with accompanying videos that visually and interactively present the same concepts. They’re organized to build on previously learned skills.

In terms of uncertainty, these modules are considered to have no or low uncertainty because I only need to read or watch the content. To get the most out of them, I should start the relevant lab machines and actively practice by typing commands and following along with the demonstrations. This approach helps me better internalize the material.

2.2.3 Demonstration Module Exercises

Demonstration Module Exercises help me absorb content by following along with demonstrations. These exercises usually involve:

  • Answering factual questions or obtaining a randomized flag by copying exact commands shown in the course material.
  • The level of uncertainty is very low because I can get the solution directly from the Module content.

For instance, in the Client Side Attacks Module, there’s a Learning Unit on exploiting Microsoft Office. Here, I’ll perform the demonstrated techniques on a copy of the machine used in the demonstration.

2.2.4 Applied Module Exercises

Applied Module Exercises introduce more uncertainty by requiring me to apply my skills in new, but still limited, scenarios. Instead of just copying exact steps, I need to adapt my techniques to novel situations.

For example, in the Microsoft Office Learning Unit, I might work with a second machine that’s slightly modified from the first. I’ll use the same techniques but must adapt to the changes. This exercise helps reinforce what I learned from the demonstration and encourages me to think creatively.

2.2.5 Capstone Module Exercises

Capstone Module Exercises cover an entire Module and involve more uncertainty because I won’t know exactly which techniques or concepts from the module are needed.

For example, if I’m working on the Client Side Attacks Module, which includes units on Microsoft Office exploitation, reconnaissance, and Windows Library files, a capstone exercise might ask me to attack a specific machine using one of the client-side attacks. I’ll need to explore and figure out which technique to apply.

The goal of Capstone exercises is to practice hacking from start to finish under specific but broad parameters. I’ll know the type of attacks to use and the machines to target, but I have to determine the exact approach through exploration.

2.2.6 Assembling the Pieces

The Assembling the Pieces Module is a bridge between the learning modules and Challenge Labs. Here’s how it fits in:

  1. Read and Watch: Start by going through the Module content and following along.
  2. Demonstration Exercises: Complete these by copying the provided inputs.
  3. Application Exercises: Use specific techniques to work through these exercises.
  4. Capstone Exercises: Attack machines from start to finish using what I’ve learned.

This module offers a complete walkthrough of a small penetration test, essentially serving as a demonstration exercise for the entire set of Challenge Labs. It prepares me for the more complex Challenge Labs by summarizing and applying the skills from the previous modules.

2.2.7 Challenge Labs 1-3: Scenario Based

Objective: Obtain access to a Domain Administrator account on an Active Directory domain and compromise as many machines as possible.

Context: Each scenario includes a set of networked machines and a background story.

Complexity: Increases progressively with additional machines, subnetworks, and attack vectors.

Key Points:

  • Uncertainty: High. You will not know which machines are vulnerable or what attacks to use.
  • Interdependencies: Some machines may rely on information or credentials found on other machines or may only be exploitable after compromising the Domain Controller.
  • Proof of Compromise: Machines contain local.txt and/or proof.txt files with randomized hashes. Submit these to the OLP to log compromises. Note that contents change with each revert of the machine.

Next Steps:

  • Details and strategies for these scenarios will be covered in the final Module of PWK.

2.2.8 Challenge Labs 4-6: OSCP Mock

Each lab consists of six OSCP machines:

  • Three Active Directory Machines: Connected via Active Directory.
  • Three Standalone Machines: No dependencies or intranet connections. Each has a local.txt and a proof.txt for proof of compromise.

Scoring and Points details:

  • Standalone Machines: Worth 20 points each (total 60 points).
  • Active Directory Machines: Worth 40 points total. You need to compromise the entire domain to earn these points.

Techniques for these challenges are covered in PEN-200 Modules or used in earlier Challenge Labs. I must adapt demonstrated exploitation techniques to fit the specific environment of the Challenge Labs.

2.3 Summary of PWK Learning Modules

I got an overview of what each PEN-200 Learning Module covers. I reviewed the general structure and components of PWK in previous units. Now, I’m summarizing each Learning Module.

2.3.1 Getting Started: Optional Ramp-up Modules

I learned about the current state of Cybersecurity, including threats, threat actors, security principles, controls, laws, regulations, and industry career opportunities. I explored OffSec’s unique teaching approach. I learned how learning happens, how OffSec materials are constructed, and practical learning strategies and tactics. I got tips on writing notes and penetration testing reports. I need to practice these skills, as I’ll need to submit a report for the OSCP exam.

2.3.2 Enumeration and Information Gathering

I started with a focus on Information Gathering, a key part of penetration testing. This process, also known as enumeration, takes up most of the time during a test. At the start of a penetration test, I learned how to approach a network for gathering information. I explored Vulnerability Scanning to enhance my toolkit.

Vulnerability scanning helps me narrow down the scope by identifying machines that are likely to be vulnerable. I noted that these vulnerable machines are often referred to as low-hanging fruit, which are easy targets in the network.

2.3.3 Web Application and Client Side Attacks

Perimeter Attacks: these attacks are performed from the Internet without needing access to an internal network. I learned that they are methods of infiltration from outside an organization.

Web Application Attacks: we start here because web vulnerabilities are common and web apps let users submit data. I find it helpful that web applications are visual, making it easier to understand how attacks work. I covered the methodology, toolset, and enumeration framework for web applications. The first vulnerability we studied is Cross-Site Scripting (XSS), which targets users rather than the server. I see XSS as intuitive since it relates directly to how we use web apps daily.

I learned about four vulnerabilities:

  1. Directory Traversal: How to access unauthorized information.
  2. File Inclusion: Issues with poor configuration by web admins.
  3. File Upload Vulnerabilities: Exploiting the ability to upload files to a server.
  4. Command Injection: Running arbitrary code on the web server.

SQL Injection (SQLi): this vulnerability is common and crucial. It shows how complex interactions between components can lead to weaknesses. I understand SQLi well because it involves both the web server and the database setup.

Client-Side Attacks: these attacks exploit human users. I will learn about performing reconnaissance, attacking users of programs like Microsoft Office, and abusing Microsoft Library Files.

2.3.4 Other Perimeter Attacks

I learned that penetration tests often reveal external services vulnerable to attacks. I found out that during tests, I usually don't have time to create my own exploits. Luckily, I can use existing exploits from Kali Linux and the internet. I can also fix these exploits to fit my needs. 

I discovered the basics of Antivirus (AV) evasion. Even though it's not a perimeter attack, knowing how to bypass AV is useful since most enterprises use AV solutions. I studied cryptography and password attacks. Weak passwords are common, and this module taught me how to attack network services and crack credentials.

2.3.5 Privilege Escalation and Lateral Movement

Once I access a machine, I can perform more actions. I might need to increase my privileges to fully control the machine or use it to access other machines on the network. After compromising a Windows target, I can use the new permissions to become an Administrator. I'll gather information, exploit services, and attack Windows components.

Similarly, I’ll learn how to gain root level permissions on Linux targets, reinforcing what I learned earlier with Linux-specific techniques. Escalating permissions is crucial as it provides more access. I should consider the impact of my attacks on the network to provide the most value to clients. Accessing another machine in the network can be very effective.

Moving from one machine to another on the same network is called pivoting. Moving into another subnetwork is called tunneling. Port Redirection and SSH Tunneling cover basic techniques, while Tunneling through Deep Packet Inspection helps evade network-layer defenses. I’ll explore MSF, which automates many of the steps in enumeration and exploitation that I've learned so far.

2.3.6 Active Directory

Active Directory (AD) is crucial for penetration testers to understand because it’s common in enterprise environments.

I learned to approach Windows machines within an AD domain. This module focuses on gathering information to compromise the network. I explored methods to enhance my presence on the network by attacking or bypassing authentication protocols. I applied pivoting techniques in complex AD environments to move within the network effectively.

2.3.7 Challenge Lab Preparation

I learned that the last two PWK Modules connect text, video, and exercises to the Challenge Labs. I will have done over 300 exercises and compromised about 25 machines by now.

In "Assembling the Pieces," I practice a simulated penetration test on five machines. I need to use techniques from Information Gathering to Lateral Movement in Active Directory. This will help me see the process of targeting a new environment from start to finish. "Trying Harder: The Challenge Labs" gives extra instructions and details. I should complete all Modules, including "Assembling the Pieces," before starting the Challenge Labs.

2.4 Wrapping Up

I’ve finished the introduction module for PEN200. I set up my attacking environment and connected to the PWK labs. I learned about the course design and reviewed each module's summary. Now, I’m ready to dive in and get started!
