Thursday, March 15, 2012

No news today

Well, what a lazy poster I am. But I can explain it: I have a family, some projects running at the moment and not too much time to test out a nice LVM setup and other interesting stuff... but read on.

Hacking Hacking-Lab

Trying to become more involved with the world of penetration testing, I made myself an account for Hacking-Lab, a Swiss-based online training lab that is partly free.
To use the lab you either need the live CD, which can be downloaded from their homepage (after registering), or set up your PC to match their VPN environment. I am working on the latter a bit so I can keep BackBox as my core platform. But the live CD includes some nice tools which are worth looking at too.

After registering you can choose an event. Inside this event you find different challenges inside a lab which can only be reached through the VPN.
The labs themselves are made up of different virtual hosts that need to be hacked, mostly in a capture-the-flag style: become root and get a file from the system. But there are also more riddle-like hacking activities, like notpron, or application-related tasks. Some of it can be done locally without access to the lab. From what I have done until now (which isn't that much) the challenges seem to be more misconfiguration-related; I was not able to exploit a system.

Once you have solved a challenge you can send your solution together with some proof/log files (don't forget the gold nuggets) to the jury/teacher, and if you have done well you will receive points based on the difficulty and your solution.

Sounds fun? Then go on, register and try it out. A better (and, more importantly, visual) introduction was made by the Hacking-Lab guys themselves and can be watched here.

Become SMFE

Yeah, I registered for SMFE. While it is focused "only" on the famous Metasploit Framework, it is still a great opportunity: the price is affordable for a private person and super cheap for an IT security related course.
I have chosen the exam plus 30-day lab access (which I haven't enrolled in at the moment). But you can also do everything on a private lab setup and just choose to do the exam. Look up the options on the website.

As usual, SecurityTube offers all the training videos for free. Vivek does a great job explaining and showing you the internals of Metasploit. Sadly I find the lab questions a bit confusing: unlike all the courses I took in the past, they seem to apply to the next chapter, not the current one. But to be honest I haven't read them all.

If you are a professional you should probably choose another training, especially since you will use Metasploit Pro, which has some extended capabilities (the best and most important one surely being reporting) and is usually handled through the web interface. But everyone must decide this for themselves.

If I really find the time to do the lab and finally take the exam, I will maybe go for the PWB certification. This is a more general course on the tools included with BackTrack Linux and, from what I have read, doesn't allow Metasploit during the certification at all.
I know, I switched to BackBox, but the toolbox of BackTrack is much bigger. BackBox only wants one tool per task while BackTrack includes almost all the famous tools. A question of philosophy; I can understand both.

Bashing kdump

Well, actually what every sysadmin ever dreamed about: crashing a server system the whole day without any trouble. But the reason is, as usual, not the fun.
After some unexpected crashes of our systems we need to get a crash dump for our RHEL 6 installations (RH: "Looks like a hardware failure, do you have a dump?"). Usually an easy task: install kexec-tools, configure /etc/kdump.conf, start kdump and you're done. Well, and reserve some memory for the crash kernel...

kdump preloads an additional kernel plus initrd image into RAM. Once the "main kernel" crashes, this second kernel dumps the memory contents at the time of the crash to a device, a network share or via ssh to another system, so RH will have something to look at.
The memory for the extra kernel is reserved at boot time via the crashkernel=X@Y parameter (or crashkernel=auto for the lucky and lazy). X is the size of the region and Y is the offset.

But then why do I have to enter the prominent echo c > /proc/sysrq-trigger all day?
As it turned out, the HP servers we are using have a controller that the crash kernel can't handle. Nice! NFS is not an option, so we chose ssh. It works with a fresh install in a VM out of the box and dumps just fine.
But not in our environment: we have to use the prior kernel version because the network performance with the current kernel is too slow, and additionally we have a huge amount of RAM, which doesn't seem to be handled well by kexec-tools and our kernel. The crashkernel allocation is limited to something between 820MB and 1024MB (still testing; it looks like 850MB, but that is really not for sure). With the current kernel in RH 6.1 this seems to be sufficient, or at least I think so. But bug hunting is sometimes a task where you crawl all day after those little creatures without really catching one of them; they just slip through your fingers. So: crashing, waiting (it takes around 6 minutes before you know whether the crash dump will be written), changing the crashkernel size, installing different versions of kdump and so on.
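As an added example (not code from the original post), a small POSIX shell script that checks the pieces described above: the crashkernel=X@Y value on the kernel command line, the size the running kernel actually reserved, and the ssh target in /etc/kdump.conf. The sample command line, the dump host name and the key path are constructed; the file paths are the RHEL 6 defaults.

```shell
# Added example (not from the original post): sanity checks for a kdump setup like the
# one above: crashkernel=X@Y on the kernel command line and an ssh target in /etc/kdump.conf.

# Print the value of the crashkernel= parameter from a kernel command line string.
crashkernel_param() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^crashkernel=//p' | head -n 1
}

# Convert the size part X of X@Y (or a bare X) to megabytes; "auto" stays as it is.
crashkernel_size_mb() {
    val="${1%%@*}"
    case "$val" in
        auto)  echo auto ;;
        *[Gg]) echo $(( ${val%[Gg]} * 1024 )) ;;
        *[Mm]) echo "${val%[Mm]}" ;;
        *)     echo "${val:-none}" ;;   # missing, bare number or other unit: as written
    esac
}

# Print the dump target from kdump.conf text: ssh/net/nfs/raw wins over a local path.
kdump_target() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(ssh|net|nfs|raw)$/ { print $1, $2; found = 1; exit }
        $1 == "path" { p = $2 }
        END { if (!found && p != "") print "local " p }'
}

# Compare the requested size with what the running kernel really reserved
# (/sys/kernel/kexec_crash_size is in bytes; 0 means no reservation at all).
live_check() {
    [ -r /proc/cmdline ] || { echo "no /proc/cmdline here"; return 0; }
    req=$(crashkernel_size_mb "$(crashkernel_param "$(cat /proc/cmdline)")")
    got=n/a
    [ -r /sys/kernel/kexec_crash_size ] && got=$(( $(cat /sys/kernel/kexec_crash_size) / 1048576 ))
    echo "crashkernel requested: $req MB, reserved: $got MB"
    [ -r /etc/kdump.conf ] && echo "dump target: $(kdump_target "$(cat /etc/kdump.conf)")"
    return 0
}

SAMPLE_CMDLINE='ro root=/dev/mapper/vg_root-lv_root rd_NO_LUKS crashkernel=850M@0M quiet'  # constructed
SAMPLE_CONF=$(cat <<'EOF'
path /var/crash
ssh kdump@dumphost.example.com
sshkey /root/.ssh/kdump_id_rsa
core_collector makedumpfile -c --message-level 1 -d 31
EOF
)   # constructed kdump.conf; after editing the real one run "service kdump restart"
echo "requested: $(crashkernel_size_mb "$(crashkernel_param "$SAMPLE_CMDLINE")") MB"
echo "target:    $(kdump_target "$SAMPLE_CONF")"
live_check
```

On a real box, a "reserved" value of 0 while a size was requested is the first thing to look at before crashing anything: the kernel silently drops a crashkernel reservation it cannot satisfy.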

Well, we have a support contract with RH, so why not ask them? As it turns out, they also have to play the old trial-and-error game. Not really helpful with all of our problems so far. Just do it yourself.
But I had no filesystem or any other problem during my current tests, which number more than 30 by now! So crashing RH systems works without a problem.

Enough moaning...

See you soon!
