The path from zero to a skilled pentester (part 1)

For pentester VSEC - BLOG

Perhaps this topic is the one that really impresses me. It’s October, the month in which I feel warm and ambitious.

This post shares my personal opinion, so if you have different ideas, please feel welcome to email me to discuss them.

I started as an IT specialist, but security is my passion. I used to be a professional programmer, and perhaps my close friends and teachers at Ha Noi University of Science and Technology encouraged me into this field. It’s true that I hadn’t known anything about security before. So in my third year of university, as a requirement of my major, I joined a company for an internship and met my instructor there. This company specialized in information security, but in a short period of three months I only got some basic material about DVWA (Damn Vulnerable Web App) from my instructor to study and attack. By chance, the company Director let me take a field trip for experience. There, I got acquainted with SIEM, managing events with QRadar, … for a bank. Every day, I came to check the events and emailed my senior to report any abnormalities. It was a little boring, so I decided to resign; frankly speaking, it was the end of my internship anyway, and I resigned. Realizing that it was time for further study and practice, I decided to pursue Information Security despite not being so sure what this field was for.

After reading and researching, I found that IT is the broadest field. Information Security is narrower but still quite wide, and it is itself divided into many areas. When I applied for an internship at the company where I’m working now, I was oriented to Pentest (Penetration Testing), and more specifically to website Pentest.


First, we need to understand what pentest is. Pentest stands for Penetration Testing, which means “an authorized simulated attack performed on a computer system to evaluate its security”. More simply, pentesters can be thought of as the hackers in black, wearing masks, attacking the system. Such an explanation makes it easier to imagine. As far as I know, pentest can be divided into the following 3 areas:

  • Evaluation of network infrastructure: network structure, policies (firewall), logging, VPN, routers, switches,…
  • Evaluation of server systems: configuration, service updates, patches, account and password policies, logging policies, authorization review, reserved capacity, load balancing, distributed databases.
  • Evaluation of website applications: evaluation of vulnerabilities such as buffer overflows, SQL injection, and XSS,… and review of the web source code in order to identify problems in authentication, authorization, data validation, session management, and encryption. In my opinion, we should call this “application evaluation” because, besides web apps, there are others such as mobile apps,…


There are 2 concepts that many people may still confuse: vulnerability and threat.

  • Vulnerability: weak points in the system that can be exploited and manipulated to cause damage to the system.
  • Threat: behaviors that are potentially harmful to the system.

So, What are the types of pentest?

  • Black box pentest: This is an evaluation from the outside in. Pentesters have no information about the target system other than what has been made public. This is the most common type of pentest.
  • Gray box pentest: Pentesters are provided with some, limited, information about the target system.
  • White box pentest: Evaluation from the inside out. Pentesters are provided with all system and network information, such as network infrastructure, source code, IP address details, OS, and policies,…


Next, I will discuss the procedure of an attack, which can be summarized in three stages:

Prepare for the attack:

  • Reconnaissance/Footprinting
  • Scanning

Conduct the attack:

  • Gaining access
  • Maintaining access

Clear tracks

In detail:

Reconnaissance/Footprinting
  • Actions of the attacker to gather information about the system: users, customers, business activities, organizational information…
  • Can be repeated periodically until there is an easier chance to attack
  • Active reconnaissance: interacting with the target
  • Passive reconnaissance: not interacting with the target: Social Engineering
  • Search engines: Google, Shodan, Censys
  • Information from social networks: Facebook, Twitter, LinkedIn
  • Email reconnaissance: whois/smartphones, Email Extractor
  • Internet connection reconnaissance: traceroute
  • DNS information: dnsenum / nslookup, dnswatch.info
  • File robots.txt: This is the file for… Google
  • WhatWeb
  • dnsenum
  • theHarvester: gathering emails, names, subdomains, IPs, and URLs
  • Email Extractor
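As an added example (not from the original post and not the code of theHarvester or any other tool named above), the following Python script shows what a theHarvester-style passive pass collects from public text: emails, subdomains and URLs that belong to one domain. A defender can run it over their own published pages to see the footprint an outsider would gather. The sample text and every host and address in it are constructed; the scope check is worth noting because a naive string-suffix match would count `example.com.evil.test` as part of `example.com`.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input (not real data): the kind of text a public web page
# or mailing-list archive might contain. All hosts and addresses are made up.
SAMPLE_TEXT = """
Contact us: sales@example.com or support@example.com (not Support@EXAMPLE.com twice).
Our portal is at https://portal.example.com/login and the old site http://legacy.example.com:8080/.
Partner page: https://www.partner-site.org/about
Admin reachable at ops@corp.example.com, see mail.example.com and vpn.example.com in our docs.
Ignore foo@notexample.com and https://example.com.evil.test/phish
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def in_scope(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain of it.

    Plain suffix matching would wrongly accept 'example.com.evil.test',
    so the comparison requires a label boundary (a leading dot).
    """
    host = host.lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def extract_footprint(text: str, domain: str) -> dict:
    """Collect in-scope emails, subdomains and URLs from free text."""
    emails = {m.lower() for m in EMAIL_RE.findall(text)
              if in_scope(m.split("@", 1)[1], domain)}

    hosts = {h.lower() for h in HOST_RE.findall(text) if in_scope(h, domain)}
    subdomains = {h for h in hosts if h != domain.lower()}

    urls = set()
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:")          # drop sentence punctuation glued to the URL
        host = urlsplit(url).hostname or ""
        if in_scope(host, domain):
            urls.add(url)

    return {
        "emails": sorted(emails),
        "subdomains": sorted(subdomains),
        "urls": sorted(urls),
    }


if __name__ == "__main__":
    for key, values in extract_footprint(SAMPLE_TEXT, "example.com").items():
        print(f"{key}:")
        for value in values:
            print("  ", value)
```

Everything the script reports is, by construction, already public; the point for a defender is to compare that list with what they intended to expose (for example, whether `legacy.example.com:8080` should still be advertised anywhere).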


Scanning
  • Scanning to identify details of the system based on the information gathered in the reconnaissance stage
  • The attacker gets an in-depth and more detailed view of the system: services provided, open service ports, IPs, OS, and software.
  • The information extracted in this stage allows the attacker to plan the attack in detail.
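What the scanning stage looks like from the defender's side, as an added example that is not part of the original post: a small detector that reads firewall-style log lines and flags any source that touches many distinct ports within a short window, which is the signature a port scan leaves in connection logs. The log format, the IP addresses, the thresholds and the sample lines are all constructed assumptions; the slow source in the sample shows why the window size matters.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Constructed log format (not from any real firewall): one connection attempt per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def build_sample_log() -> list:
    """Constructed sample: one fast scanner, one normal client, one slow scanner."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = []
    # Fast scanner: 12 different ports on one host within 6 seconds.
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]):
        t = base + timedelta(seconds=i // 2)
        lines.append(f"{t.isoformat()} src=203.0.113.5 dst=192.0.2.10 dport={port} proto=tcp action=deny")
    # Normal web client: only ports 80 and 443, repeated.
    for i in range(6):
        t = base + timedelta(seconds=7 * i)
        lines.append(f"{t.isoformat()} src=198.51.100.7 dst=192.0.2.10 dport={443 if i % 2 else 80} proto=tcp action=allow")
    # Slow scanner: 12 ports spread over 33 minutes, one every 3 minutes.
    for i, port in enumerate(range(8000, 8012)):
        t = base + timedelta(minutes=3 * i)
        lines.append(f"{t.isoformat()} src=203.0.113.77 dst=192.0.2.10 dport={port} proto=tcp action=deny")
    return lines


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; returns None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    event["dport"] = int(event["dport"])
    return event


def detect_port_scans(lines, window_seconds=60, port_threshold=10) -> list:
    """Flag sources that touch >= port_threshold distinct ports inside any window."""
    by_src = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_src[event["src"]].append(event)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        best, best_span, start = 0, None, 0
        for end, event in enumerate(events):
            # Slide the window start forward until it lies within `window` of this event.
            while events[start]["ts"] < event["ts"] - window:
                start += 1
            distinct = {e["dport"] for e in events[start:end + 1]}
            if len(distinct) > best:
                best, best_span = len(distinct), (events[start]["ts"], event["ts"])
        if best >= port_threshold:
            alerts.append({"src": src, "distinct_ports": best,
                           "window_start": best_span[0].isoformat(),
                           "window_end": best_span[1].isoformat()})
    return sorted(alerts, key=lambda a: a["src"])


if __name__ == "__main__":
    for alert in detect_port_scans(build_sample_log()):
        print(alert)
```

With the default 60-second window only the fast scanner is reported; widening the window to an hour also catches the source that probes one port every three minutes, at the cost of more events to hold per source. Real deployments tune both numbers against their own traffic.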


Gaining Access
  • With the information gathered in the previous stage, the attacker conducts the attack on the system to gain access through web security gaps such as SQLi, RCE,…


Maintaining Access
  • Once access has been gained, the attacker uses techniques to maintain it without relaunching the attack, such as creating a backdoor, opening a network connection,…


Clearing Tracks
  • This is an important stage: clearing the tracks of your penetration into the system so that no one can detect it. It becomes very difficult for an investigator to identify who you are or what you have done once you have deleted the system logs,…


It seems like a lot of theory, but it’s the door to becoming a Pentester.

For myself, I first did thorough research on the above contents. Next is to choose a path, and I have chosen mobile and website application Pentest.

In this section, my presentation about the path focuses on the evaluation of website applications.

During the internship at the company, I first learned about networking, starting with the OSI and TCP/IP reference models, the TCP three-way handshake, and using Wireshark, nmap and hping.

That is the introductory step for networking. Going deeper into the web, you need to understand web technology: client, server, the HTTP protocol, URL, URI, and what the headers of the HTTP protocol are used for.

The first book I came across was:

“The Web Application Hacker’s Handbook”.

Theory should be combined with practice: study and install environments such as DVWA, bWAPP (I found it far more interesting and difficult than DVWA),… After finishing bWAPP you will have the background knowledge, because bWAPP follows the OWASP assessment standard, famously the OWASP Top Ten. By working through these labs and always asking “Why”, you will get a better understanding.

If you don’t want to build a lab, you can learn here; there is a lab and tutorial, and I think they are quite good:
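As an added example (not from the original post, and not code from DVWA or bWAPP), here is the “why” behind the SQL injection lab in Python with the standard sqlite3 module: the vulnerable login pastes user input into the SQL text, the fixed login uses a parameterised query, and the same inputs give different answers. The user table, names and passwords are constructed.

```python
import hashlib
import sqlite3


def sha256_hex(text: str) -> str:
    """Hash used only so the table never holds plaintext passwords."""
    return hashlib.sha256(text.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory user table with constructed sample accounts (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("admin", sha256_hex("admin-pw")),
         ("alice", sha256_hex("alice-pw")),
         ("bob", sha256_hex("bob-pw"))],
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """The lab-style bug: user input becomes part of the SQL statement.

    A quote inside `username` ends the string literal early, and `--`
    turns the rest of the statement (the password check) into a comment.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username + "' "
        "AND password_hash = '" + sha256_hex(password) + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username: str, password: str) -> list:
    """The fix: a parameterised query. The driver passes the values
    separately from the statement, so a quote in `username` is only data."""
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(query, (username, sha256_hex(password)))]


if __name__ == "__main__":
    db = make_db()
    for name, pw in [("alice", "alice-pw"), ("admin' --", "wrong"), ("' OR '1'='1' --", "wrong")]:
        print(repr(name), "vulnerable:", login_vulnerable(db, name, pw),
              "safe:", login_safe(db, name, pw))
```

The lesson the lab is trying to teach is visible in the two functions side by side: the query text is identical in shape, and the only difference is whether the database receives the username as part of the statement or as a separate bound value.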

https://portswigger.net/web-security

After gaining enough background knowledge, you can take CTF tests to improve your skills.

I personally went straight to bug bounty programs instead of doing CTFs. These programs offer rewards when you find bugs and report them. The most important thing here is “money”, which motivated me to fight. Right, when you have high motivation, you will try and fight with all your might. When first joining such programs, you should choose easy targets for gradual learning. In my case, the company ran this kind of program privately for people to participate in. In addition, there are public programs in Vietnam that you can find for yourself. Worldwide, some famous programs are:

https://hackerone.com/

https://www.bugcrowd.com/

One more thing: you who have been reading my blog can see that I always talk about CVEs, right? CVEs seemed too luxurious for me before, but I pushed myself and improved my knowledge so I could look for them and find open-source projects to install and run. The most important thing is to choose my favorite language. I personally prefer PHP,… with CMSs like WordPress, Joomla!, Drupal,…

In addition to CVEs, you can pursue more advanced education for certificates such as OSCP, OSCE, AWAE,… or learn about other certificates like GPEN,…

There is a very valuable information source on GitHub:

https://github.com/swisskyrepo/PayloadsAllTheThings

Maybe, it is mine:

https://github.com/HoangKien1020/pentest

TOP 4 RANSOMWARE VULNERABILITIES EXPOSING YOUR COMPANY AT RISK

Cyber world trending VSEC - BLOG

In 2023, there are two groups of organizations: those that have already been attacked by ransomware and those that will shortly be targeted. The current state of cybersecurity resembles an ongoing arms race between ransomware groups and cybersecurity professionals. Experts in cybersecurity have developed the tools and strategies needed to combat ransomware groups, yet this cat-and-mouse game is an endless war of attrition with no distinct victor. While some aspects of the situation are probably out of the IT team’s control, there are a number of measures that can be taken to reduce the risk of a successful ransomware attack.

According to research from Securin, hundreds of organizations’ security vulnerabilities are said to be exposed. A brief overview of the four most prevalent categories that you should be well aware of follows.


1- Vulnerabilities allowing intruders to enter the network

According to the research conducted by Securin, external remote services, VPNs, and public-facing applications contain 133 ransomware-related vulnerabilities that can be exploited for initial access.

External remote services, including Windows Server Message Block (SMB) and Microsoft Remote Desktop Protocol (RDP), have become more common since the outbreak of the pandemic and the rise of work-from-home (WFH). Some of them, through misconfiguration or widely exploited technology, are easily attacked. For instance, WannaCry in 2017, one of the largest ransomware attacks in history, exploited an SMB vulnerability. In addition to the Log4Shell vulnerability, which affects 176 products from 21 vendors and has been exploited by six ransomware groups including Conti and AvosLocker, there are many other unpatched ones.


2- Vulnerabilities requiring user action

It should be noted that a “vulnerability” relates not only to software or hardware problems but also to user mistakes. In fact, a significant proportion of ransomware attacks result from this factor. By posing as a friend, colleague, or supervisor of the victim, for example, ransomware groups are able to achieve their objectives. Users may inadvertently run malicious code when opening email attachments, links, or files. As users become more observant, it is now the thieves’ turn to modify their tools.

The human problem requires a human solution: intensive, face-to-face training in which IT team members instruct employees from other departments on how to identify potential threats (and what to do if they accidentally let someone into the system). It is imperative that IT departments stay up to date with social-engineering trends and routinely inform the company of what to be cautious about.


3- Vulnerabilities allowing advanced access

The vulnerabilities discussed thus far concern the methods hackers use to breach your network. Sadly, that is usually only the first step. Once hackers have exploited vulnerabilities to gain access to your system, they can exploit additional vulnerabilities, those permitting privilege escalation, to execute malicious software and take deeper control of the network. In other words, if the hackers understand the active vulnerabilities in your system well enough, they can start from a restricted account and become an admin with access to more sensitive data.

According to Securin’s research mentioned above, there are 75 ransomware-related vulnerabilities that could allow ransomware groups to escalate privileges and facilitate movement across organizational domains, including privilege escalation vulnerabilities in Windows CLFS and Microsoft Exchange Server.


4- Vulnerabilities allowing stealthy access

Hackers have been employing techniques such as disabling security software or preventing script execution to break into vulnerable networks without being detected. Mark-of-the-Web bypass (T1553.005) is a typical example that ransomware groups apply, exploiting certain file formats to override controls.

Another example is BlackByte, a new ransomware group about which the FBI issued a warning last year; according to ZDNet, it is known for a technique “allowing attacks to bypass security products’ detection by exploiting vulnerabilities in more than 1,000 drivers of anti-virus software.” This issue, known as “Bring Your Own Driver”, shows a significant and alarming aspect of the war against ransomware.

Ransomware is increasing considerably, and every organization, regardless of field or size, may face such attacks, as no system can be guaranteed to be completely protected. What organizations can do is avoid simple errors through appropriate employee training, a deeper understanding of their systems’ vulnerabilities, and appropriate solutions. The war against ransomware may not end soon, but we can take measures to limit the losses.

According to Cyber Security

$4,000 salary is not difficult if you have these 5 important cybersecurity certifications

Outstanding Security for Newbie VSEC - BLOG

Up to now, cybersecurity has been globally recognized as a “hot” major in the field of information technology and has attracted a lot of attention from young people as well as domestic and international corporations. Besides, the salary of cybersecurity staff can rise to tens of thousands of dollars. Being certified can enhance both your skillset and your earnings.

At the global workshop and exhibition on the safety of cyberspace (Vietnam Security Summit 2021), cybersecurity experts noted that Vietnam belongs to a group of countries with a high rate of malware infection and of suffering from cyberbullying. Criminal activities in cyberspace also tend to increase.

However, these days the human resources available for cybersecurity seem out of proportion to the risks to information security and safety. The shortage is mostly in the group of highly qualified information safety experts. So, what is crucial to becoming a Vietnamese cybersecurity engineer and expert?

In order to gain a clearer vision and be well prepared for the future, VSEC specialists suggest 5 “must-have” fundamental certifications for a cyber safety professional:

1. Offensive Security Certified Professional (OSCP)

OSCP Certification

White hat hackers all rate OSCP as the most difficult cybersecurity certification exam. OSCP is a rigorous, real-world test for penetration testers who want to advance their careers. To take OSCP, you must have extensive experience in cybersecurity. You certainly need knowledge of a programming language like Python as well as basic Linux skills. You also need to know about TCP/IP networking.

VSEC Specialist Comments on OSCP Certification

2. Certified Information Systems Security Professional (CISSP)

Even though the OSCP exam is the hardest due to its time limit and practical approach, CISSP is regarded as the best cybersecurity certification. CISSP is for those who want to test their intrusion abilities and for cyber safety experts who crave the gold standard of excellence in cybersecurity certification.

The CISSP exam has 100-150 multiple-choice and “advanced” questions, lasting 3 hours. 

The passing score is 700 out of 1000.

CISSP Certification

3. Offensive Security Web Expert (OSWE)

The OSWE certification is one of the security certifications of Offensive Security – an American international company operating in the fields of information security, penetration testing, and digital forensics. The OSWE certification is invaluable to any individual pursuing a career in web application security.

OSWE Certification

4. Certified Ethical Hacker (CEH)

The CEH is an intermediate-level certification issued by the International Council of Electronic Commerce Consultants (EC-Council) that any IT professional who wants to pursue a career in security needs to equip themselves with. CEH-certified professionals have knowledge and skills in areas such as network exploratory testing, investigations, Trojans, viruses, system attack prevention, home page attacks, wireless and other web applications, SQL penetration, cryptography, penetration testing, IDS evasion, firewalls, etc.

In order to sit this exam, you need to be CEH trained first. The exam includes 125 questions and lasts 4 hours.

CEH Certification

5. Computer Hacking Forensics Investigator (CHFI)

CHFI is a professional security certification covering the skills and knowledge needed to detect and analyze complex digital evidence. This is a difficult exam, but it is shorter and less intense than the exams above.

CHFI Certification


The Vietnamese Security Company Network (VSEC), with 20 years of experience, is a member of the G-Group technology group (which was voted the best place to work in Asia for 2 consecutive years by HR Asia magazine). VSEC has a team of leading experts and has achieved many successes in the international market, leading innovation in the field of investigation and analysis of information security threats. VSEC is also the first unit to conduct information security assessment in Vietnam, and the first Vietnamese security service provider to obtain CREST certification for security assessment services (Pentest) and information security monitoring (SOC). VSEC has cooperated to organize training and rehearsals for many large domestic units such as Electricity of Vietnam and its member units, the Ministry of Health, the State Bank, and ministries and departments of provinces and cities,…

Cloud Data Security – Not the responsibility of any individual

Outstanding Security on Cloud VSEC - BLOG

On May 13th, the Vietnamese Security Network Joint Stock Company (VSEC), in collaboration with the CIO Vietnam community and Noventiq, organized a sharing and practical session on resolving cybersecurity incidents on the Azure cloud computing platform. The event was attended by representatives of the Department of Information Security, Ministry of Information and Communications, who shared security policies for businesses in the cloud computing environment.

In addition to general updates on global security trends and an emphasis on the importance of digital transformation to the cloud, participants gained a clearer insight into the community activities of CIO Vietnam, the policies and regulations ensuring information security when using the cloud, the NIST framework that helps organizations arrange security operations, and the tools that Microsoft provides in the Azure environment.

On May 13th, 2023, the “Cyber Security in the Cloud” Boot Camps were held in Ho Chi Minh City.

Regarding an issue many participants were interested in during digital transformation to the cloud, namely regulations on data management in the cloud environment, Mr. Tran Nguyen Chung, Head of the Information System Security Department at the Department of Information Security, shared the regulator’s perspective: information security is a core issue for successful digital transformation; it is like the brake that makes reaching the destination possible rather than an obstacle. He also recommended that businesses take care of several considerations while using the cloud, such as assessing the current situation and actual needs in order to choose the appropriate cloud model, adhering to regulations and documents issued by government authorities, following data center standards, complying with the 4-layer management regulations to enhance the capabilities of agencies and organizations, and adhering to data sovereignty regulations to promote transparency in data and safeguard the interests of businesses.

The Department of Information Security has advised the Ministry of Information and Communications to issue two documents: Document No. 1145/BTTTT-CATTT dated April 3rd, 2020, on guidelines for criteria and technical indicators to assess and select cloud computing platform solutions for E-Government/E-Administration, and Document No. 2612/BTTTT-CATTT dated July 17th, 2021, supplementing those criteria and indicators. Up to the present time, these two documents assist enterprises in ensuring network information security during the digital transformation process.

Mr. Tran Nguyen Chung, Head of the Information System Security Department, Department of Information Security, shared his insights at Boot Camps.

In response to questions regarding data security in the cloud environment, both Mr. Chung and Mr. Huan Tran, Chairman of CIO Vietnam, emphasized that whether the data on the cloud is the original or a backup copy, it is essential to consider whether the data is usable. The responsibility for data storage is not solely assumed by the cloud computing service provider; enterprises and their IT teams must also actively back up and safeguard their own data systems.

From another perspective, the responsibility for the use of user data collected by any business lies primarily with the entity that owns the customer data rather than solely with the unit entrusted with storing it. Mr. Huan Tran shared, “As time goes by, the collection of data for competitive advantage will be progressively tightened; this is no longer a new concept worldwide. Customer data belongs to the customers. When customers entrust us with their data in exchange for better services, the responsibility of the entity using it is to ensure proper and secure usage in order to retain the trust of users.” Therefore, proactively selecting service providers or methods to secure user data is a responsibility that businesses need to prioritize during a safe digital transformation.

“Proactively selecting service providers or methods to secure user data is a responsibility that businesses need to prioritize during the safe digital transformation process,” stated Mr. Huan Tran, Chairman of CIO Vietnam.

In the role of an information security management service provider, Mr. Le Minh Quy, Senior Solution Consultant, raised the question of information security awareness within businesses. With 20 years of conducting security audits in companies of both large and small scale, VSEC has observed that the most unforeseeable vulnerabilities are sometimes located in what appear to be the most secure positions, and might not be apparent without thorough scanning. They could be in the network system, in misconfigurations during cloud migration, etc., or simply due to a lack of information, knowledge and practical drills on information security for the “human” aspect, the employees of the organization.

“In a cybersecurity survey conducted among end users, despite being aware of information security issues, up to 45% of respondents still clicked on phishing links. In many cases, ransomware doesn’t come directly from hackers; instead, hackers attack a specific target or employee and infiltrate the company’s systems from there. Humans are considered the ‘weakest link’ in information security management,” Mr. Le Minh Quy from VSEC said.

Mr. Le Minh Quy – VSEC Security Solution Consultant shared about information security issues during the digital transformation process at Boot Camps

Despite significant and costly investments in information technology systems, neglecting the human factor could pose hidden risks that businesses should not overlook. Therefore, equipping businesses with information security training and drills is a necessary proactive measure, scaled to each enterprise. A similar challenge faces startups in Vietnam today: they reduce or even cut the cost of security audits and of adding security features to applications in order to guarantee solution and application delivery times and to optimize operating costs. Mr. Tran Thanh Long, CEO of VSEC, and Mr. Huan Tran both agree that choosing cloud environments to speed up development while disregarding cybersecurity is a difficult dilemma for startups.

However, startups or businesses investing in cloud-based services can consider investing in high-security measures step by step, or for each important segment. Moreover, when startups offer their services to large enterprises (Big ENT), the questions those enterprises raise revolve around whether the product adheres to specific security standards, whether there are any cybersecurity risks, and so on, rather than solely the product’s features. Thus, network security and information safety will remain the foremost concerns that businesses need to consider carefully during service development and cloud transformation.

Mr. Pham Minh Sang – Representative of Noventiq

Mr. Vu The Hai – Head of VSEC Security Monitoring Center – guiding the participating units before the Practical Training Session.

During the final session of the event, representatives of both Noventiq and VSEC also presented the security tools available in Azure, in particular Microsoft 365 Defender, which is built around the core principles of the Zero Trust model. Participants learned in detail how the service operates and, in particular, had the opportunity to practice scanning for, detecting, and handling malicious code in the cloud environment.

The participating units engaged in practical drills on the training field

According to VSEC

Which type of Network Security Operation and Monitoring Center is suitable for the Banking – Finance sector?

Outstanding Security for Newbie VSEC - BLOG

The Security Operations Center (SOC) has the role of detecting and handling attacks as quickly as possible to reduce risks to the enterprise’s information technology system, especially for banking and finance units, which are the top targets of hackers. Depending on the size of the IT system and the human resources available, which SOC models should these units consider?

In developed countries, the SOC (Security Operations Center) is very familiar to government agencies, large enterprises, banks, and financial institutions. Since the early years of the 21st century, Asian businesses have tended to use a SOC as an indispensable part of their information technology system. However, this model has not been widely applied in Vietnam due to cost and a lack of specialized personnel.

Each unit can develop a different SOC model; however, all of them aim to meet the security needs of the enterprise in general. Because of large transaction volumes, multi-point connections, and the rapid development of digital banking, mobile banking, virtual payments, etc., the SOC model for the financial and banking sector has to be designed to suit the scale of the system.

5 levels of SOC center

  • Level 1: Basic Detection & Prevention
  • Level 2: Context, Control & Coverage,
  • Level 3: Basic Hunting & APT,
  • Level 4: Remediation
  • Level 5: Deep Hunting

For each of these levels, the business operator needs a team of staff with a matching level of expertise: warning and monitoring staff, prevention staff, and staff capable of more complex analysis, in addition to threat researchers and threat hunters.

On average, a SOC will need a minimum of 10 to 20 personnel to carry out the specialized work. The more complex the SOC model, the larger the number of employees, and the more challenging the cost for managers, because the cost is not only the experts’ salaries but also the cost of recruiting and hiring people from the initial stage of SOC development. As a result, according to Gartner, three SOC models have emerged for businesses to choose from: fully insourced, fully outsourced, and hybrid/co-managed SOC.

Whether the SOC is fully insourced or hybrid/co-managed, business managers must also pay attention to the costs of retaining personnel and investing in equipment and technology. Even while a new SOC system is still being planned, the business has to pay for designers and for developing the operating model before it can achieve measurable results. Therefore, banks and financial institutions do not always build a fully insourced or hybrid/co-managed SOC, even with large capital.

Fully outsourced model – VSEC

“In 20 years of providing security services in Vietnam, serving more than 50% of banks and financial institutions, we believe that a fully outsourced SOC can satisfy the need to optimize financial resources and investment for businesses. We can spend thousands of hours saving technology systems after an attack, but it takes less than 4 hours to find and stop threats through the SOC,” Mr. Vu The Hai, SOC Manager of VSEC, shared.

VSEC – Vietnamese Security Network Joint Stock Company – is expanding the scope of its services in accordance with the criteria of an MSSP (Managed Security Service Provider), a comprehensive security service provider in Vietnam. VSEC’s SOC is also the first SOC in Vietnam to receive a CREST certificate, meeting international standards in terms of expert competence, professional experience, technological capabilities, policies and procedures, and professional ethics related to the provision of SOC services. Beyond providing a complete SOC solution, VSEC can also consult on, train for, and test an international-standard SOC model in accordance with the needs of each business.

Security Operations Center – SOC -VSEC

According to ictnews: https://ictnews.vietnamnet.vn/cuoc-song-so/loai-hinh-trung-tam-van-hanh-va-giam-sat-an-ninh-mang-nao-phu-hop-voi-doanh-nghiep-tai-chinh-ngan-hang-418237.html


SOC Intern (HN)

Tech Job EN
  1. Job description:
  • Learn and perform analysis and handling of cyber attacks such as web application attacks, account attacks, malware, etc.
  • Learn and participate in research on new attack techniques, and develop code for detecting attack techniques.
  • Learn and participate in the administration of the SOC’s technology systems and solutions: SIEM, SOAR, TIP,…


  2. Job requirements:
  • Senior students majoring in Information Security/IT; having a certificate or having completed a CEH course is an advantage.
  • Basic knowledge of operating systems, and of Windows and Linux administration.
  • Basic knowledge of networking: OSI model, TCP/IP, IP protocols.
  • Willingness to learn, and basic programming ability in any language: C/C++, C#, Python, Java,…


  3. Benefits:
  • Internship certificate and wages.
  • Participation in real projects, a professional working process, and a clear, methodical training route.
  • Opportunity to become a full-time employee with a competitive salary and good benefits.
  • Professional, modern and dynamic working environment; friendly, open-minded colleagues.
  • Opportunity to become a member of VSEC’s successor team project with attractive remuneration, with the company providing all resources for development.
  • Other benefits according to the company’s regulations.


  4. Contact:
  • Human Resources Department – hr@vsec.com.vn
  • Address: Hanoi: M Floor, N01A Golden Land Building, 275 Nguyen Trai, Thanh Xuan Trung Ward, Thanh Xuan District, Hanoi City.

How did I pass the OSCP certificate?

Security for Newbie VSEC - BLOG

Hi, it's time we meet again; I write a new blog post at the end of each month. This time the theme will be a little different. At the beginning of this June, after a year of so-called temporary graduation, I took the first security exam of my life, the OSCP, and fortunately, without humiliating myself, I passed :'>. So this post is about my recent OSCP experience and the takeaways from it. I hope this information is useful.

 

OSCP Examination

First of all, what is OSCP? The Offensive Security Certified Professional (OSCP) is a certification that focuses on penetration testing and attack skills. The exam has two parts: a hands-on penetration test lasting 23 hours and 45 minutes, and a report that must be submitted within 24 hours after that. OSCP is a very practical exam.

So why take the OSCP exam? I have two main reasons:

  • To learn and improve my knowledge and skills in penetration testing. As mentioned in the previous post, I only switched to pentesting recently, so I needed something more oriented toward this area. When you register for the exam, you get access to more than 54 very practical lab machines and a very clear, specific set of course materials.
  • To increase my salary (of course). Some time ago, an article from Cyradar claimed that OSCP certification helps raise salary by 200%. OSCP is a rising certificate because of its practicality and difficulty; it is ranked among the top 5 desirable and necessary certificates for a pentester. It will greatly increase your market value because, besides CEH, it is a certificate required by many contracts.

The skills you will acquire through the OSCP course:

– Passive Information Gathering

– Active Information Gathering

– Vulnerability Scanning

– Buffer Overflows

– Working with Exploits

– File Transfers

– Privilege Escalation

– Client-Side Attacks

– Web Application Attacks

– Password Attacks

– Port Redirection and Tunneling

– The Metasploit Framework

– Bypassing Antivirus

My OSCP journey

Let's get into the main part of this article. I will cover what I went through in the OSCP course and what I learned (experience and advice).

Because the company requires certain employees to hold an OSCP certificate, and those who do get a salary raise =))), and because I feel I am quite predestined for all kinds of tests, I accepted it :v

The journey is divided into 3 main stages:

Preparation stage:

There are a few things you need to prepare before you register for the exam.

First is information about the certification. You must know what you are taking and what the exam format is, right? It is here: https://support.offensive-security.com/oscp-exam-guide/.

Second is the necessary knowledge and skills. When you register for the exam, you have to buy a package that includes the exam fee, the Penetration Testing with Kali Linux (PWK) course (an 800+ page PDF and over 8 hours of video tutorials), and VPN access to the lab environment (the most valuable part of the package). For the lab you can buy 30, 60, or 90 days of access depending on your plans; I chose 60 days. Because time is money, before you buy this package you need to prepare the right knowledge and mindset, otherwise you will be overwhelmed (like me) by the knowledge and skills required, and in those 60 days I am sure you will not have enough time to practice enough for the exam. Because I had been taught and had practiced these things at school, I was fairly familiar with them and not too surprised.

 

So what you need to prepare in terms of knowledge is:

  • Linux and Windows environments. This is what I consider the most important. You need to be familiar with working in both Windows and Linux, especially the command line on Linux, because that is where you work the most, particularly in Kali. If you are new, this book may come in handy: Kali Linux Revealed.
  • Basic programming skills. This means reading, understanding, and being able to modify Python, Bash, Perl code, etc. You won't need to write a complete exploit, but you should at least understand how one works. There are countless websites that can help you get familiar with Python. Before I jumped straight into it, I didn't have a very useful method :v
  • Web application attacks (SQLi, Local File Inclusion, Remote File Inclusion, Command Injection, ...). In the labs you will mainly exploit web applications, so you need a solid understanding of these attack types. The Web Application Hacker's Handbook is very useful for those new to this area.
  • Tools that run on Kali/Linux. Lastly, you need to be familiar with, or at least know how to use, the tools you will rely on to complete the exam. Some tools you need to know are Metasploit, Nmap, and Netcat.
  • Get familiar with the lab environment, to avoid being surprised when attacking a machine. You can familiarize yourself with OSCP-like machines on Hack The Box, or refer to the OSCP Like Vulnerable Machines List by abatchy.

 

Before taking the test stage:

Once you're confident and mentally prepared, you can register on the Offensive Security homepage. On the day your lab term starts, you will receive an email with the course materials and instructions for connecting to the lab environment.

I don't know about you, but I always like to have the basic knowledge first, to know what I have to do before I start doing it. So I divided this stage into 2 parts: theory and practice.

 

Theory:

I spent almost the whole first month just reading and studying the provided material: an 800+ page PDF and a set of accompanying videos. There are also exercises at the end of each section of the book; if you do all of them and submit the reports, you get 5 extra points on the final exam result. My opinion of the material is that it is very complete; it is designed so that a complete beginner can acquire the most basic knowledge, and it is also very broad and comprehensive. Without a preparatory stage, you will really be overwhelmed by the amount of information it brings.

My advice from experience is that you may not need to study the whole thing, but you should read it through once. You can skip the parts you already know and read the parts that are new to you, because the material contains information and tools that are very useful and will directly make the lab exercises and the exam easier.

 

Practice:

This is the most valuable part of the whole package, according to most people, because it is what prepares you for the exam; it can also serve as sample questions.

There are a total of 57 public machines for you to attack, and in addition 3 internal servers that you can pivot to once you get the keys from a certain public machine. During my lab time I was able to root about 52 of the 57 machines.

 

What I learned:

  • You should start with the Alpha and Beta machines first, with IPs ending in .71 and .72. These are samples; there are sample reports on the student forum that explain in detail the approach and methodology for attacking and gaining access to a server.
  • There are 2 keywords you always need to remember: "Enumerate more" and "Try Harder". After you finish this course, you will definitely stick to these two phrases, because they are the keywords every time you get stuck somewhere. Sometimes you are only a hidden port or an unenumerated sub-directory away from the answer. For enumeration, I found a pretty good and detailed tool that helped me with one machine on the final exam: https://github.com/Tib3rius/AutoRecon.
  • Always take notes on what you find and achieve. I kept an Excel file recording what I enumerated, as well as the exploit code I used to gain access. Some machines require you to have compromised another machine first before you can reach them, so notes make it easier to go back to a machine and to know the link between machines.
  • You can refer to the student forum for hints if you are stuck somewhere for too long. There are threads discussing each machine, or you can message fellow students for more approaches. However, you should not abuse this, because you will not have it during the exam.
  • Always revert a machine before working on it. You are not the only one using the lab environment, so revert it to undo whatever others have done on it and make sure the environment is as clean as possible.

 

On the test day:

Before the exam day, you should prepare very carefully, both physically and mentally, because it is a 24-hour exam. No help, no hints, just you and your proctor.

Plan the food and drink you need to get through the exam. Get enough sleep. During the exam you are allowed to leave your seat, move around, and rest. Don't stress when you're stuck somewhere: stop, pause, or switch to another machine. Never let stress, panic, and anxiety take over your mind. On exam day, during the first 12 hours, I didn't have a shell on a single machine; everything was missing a tiny bit, and I swear you don't know how much I swore at this exam. After about 3/4 of the time, it improved a bit when I finished the Buffer Overflow exercise (similar to drawing a function graph in the university entrance exam). But after I went out to get some air for about 20 minutes, I came back and suddenly saw something I hadn't seen before, and I found my rhythm again. As a result, I finished the exam with only 1 machine that I could not root, a result I knew was more than enough to pass. From there, I understood the two spells "Enumerate more" and "Try Harder".

Within the next 24 hours, you must complete and submit a report covering the enumeration process as well as how you exploited and gained access to each machine. The report requires specific screenshots and instructions to reproduce each step, so you must make sure to take screenshots during the exam: when the exam ends, the VPN connection is cut and there will be no chance to connect to the machines again.

And finally, after submitting the report, the results come within 10 working days. And when the results came, yayyy, I finally had a chance at a salary raise =))))

 

Conclusion

In both studying and the exam, always find enjoyment. There's always a certain happiness, small or big, when you learn something new, something that surprises you, or when you finally root a machine that took you days. :'> So have fun.

Be Duy (aka chalizard)

TOP 6 HACKERS’ CYBER ATTACKS THAT SHOCKED THE WORLD

Cyber world trending VSEC - BLOG

Along with global digital transformation, the number of cyber attacks increases year by year, with growing severity and sophistication.

Let's look at some of the largest recorded cyberattacks in the world with VSEC.

 

1. Hackers infiltrated the data of the famous software company Adobe (2013)

In October 2013, Adobe announced that hackers had stolen customer data, including the personal information of up to 2.9 million accounts (usernames, passwords, real names, credit card numbers, and expiration dates). Soon afterwards it emerged that the stolen database held up to 150 million accounts, 38 million of which were still active.

 

2. Sony’s expensive lesson in ignoring hackers’ warnings.

  • In April 2011, hackers targeted the Sony PlayStation Network (PSN), taking Sony's multiplayer gaming service, online game purchases, and other content offline. The personal information of 77 million gamers worldwide was involved in the incident, and their payment card details may also have been exposed.
  • Sony eventually paid $15 million in compensation to affected users. The company had earlier dismissed warnings about the weakness in its systems: the data was stored essentially unprotected and was vulnerable to SQL injection attacks.

Sony Pictures Entertainment, a Sony subsidiary, was attacked in November 2014 by a group calling itself "Guardians of Peace", and the damage was far worse than before: the attackers claimed to have taken more than 100 terabytes (1 TB = roughly 1,000 GB) of confidential data. This time the attackers stole movie scripts, emails, and the personal information of 47,000 employees, and the fallout led to the departure of senior executives.

 

3. A nightmare for the Korean banking system in 2014.

The Korean government learned a hard lesson from the incident disclosed in January 2014, when the records of up to 100 million credit cards belonging to about 20 million people were stolen from several credit card companies. The affected banks lost around 2 million customers who, worried that their personal information would be exposed, went to the bank to cancel their cards or switched to a safer bank.

 

4. The American credit company, Equifax, was on the verge of bankruptcy (2017)

 

Equifax, the US credit reporting agency, acknowledged that it had been dealing with an intrusion for months. In July 2017 it discovered the attack, which exposed the sensitive personal information of 143 million people in the United States, Canada, and the United Kingdom, as well as roughly 200,000 credit card numbers.

Almost nothing could help the company recover the information leaked in the 2017 attack. The intrusion came through an Apache Struts vulnerability for which a patch was already available but had not been applied, and which the attackers fully exploited. The consequences were so severe that several executives who sold shares before the breach was disclosed later faced insider trading charges.

 

5. Online dating service Adult FriendFinder was also a victim (2015)

This online dating service (not Tinder, as is sometimes reported) was hacked in 2015 with the intention of collecting all of its customers' information. The real names, dates of birth, postal codes, IP addresses, and even sexual preferences of about 4 million users were published on a forum reachable via the Tor browser.

But its parent company, Friend Finder Networks, had not learned the lesson; in 2016 it suffered far greater losses, with effects 100 times worse: more than 400 million accounts across its sites had sensitive information stolen, and 20 years of data from the massive dating service became publicly available. The attackers used a Local File Inclusion (LFI) vulnerability, in which an unsanitized file path parameter lets an attacker make the web server include and disclose files from its own filesystem, such as configuration files holding database credentials.

 

6. Hotel Marriott customers’ information was exposed

This attack targeted a reservation database of up to 500 million Starwood hotel guests (including some payment card details) owned by Marriott. Unauthorized access had existed since 2014, but it was only discovered in September 2018. Marriott subsequently faced one of the largest data-breach lawsuits and regulatory fines on record.

The number of attacks continues to climb year after year, which makes a well-defended, comprehensive information security system a necessity. VSEC, the Vietnamese Security Network Joint Stock Company, provides cost-effective security solutions for organizations in security assessment, monitoring, alerting, and incident response.

Practical exercise for the largest energy corporation in Vietnam

Event VSEC - BLOG

A leading energy corporation in Vietnam, operating in key national sectors and ensuring energy security for Vietnam.

As a large corporation with many member units, there are differences in information security qualifications between units. They must comply with the regulations of state management agencies on ensuring information security for key systems. The exercise is built around the organization's information security incident response process. The teams are geographically spread out.

VSEC provides information security exercise services for the officers in charge of information security at all affiliated units, more than 150 people in total. VSEC organized 2 exercises in 2021, with difficulty increasing in line with the qualifications of the participating officers. State and internal regulations and policies were researched and combined to build a set of exercises suited to the unit's characteristics. A common exercise platform was created and virtual machines were provided so that each team could practise hands-on. Multiple bridge points were set up to connect and monitor the teams during the exercises, and call centres and online support groups were created before, during, and after the competition.

This equips the officers in charge of information security with knowledge from basic to advanced. They also become familiar with possible information security incidents and with the plans and solutions to be implemented to handle them.

Millions of websites are at risk

Cyber world trending VSEC - BLOG

Today WordPress is one of the most popular website-building tools in the world, and Vietnam is no exception, so data thieves naturally direct their attention here. Recently one of its premium plugins, Elementor Pro, has been exploited by attackers taking advantage of a security flaw that was only just patched, with the aim of taking over sites and stealing sensitive information.

The flaw, a broken access control issue, is present in version 3.11.6 and earlier releases. It was fixed in version 3.11.7, released on March 22nd, 2023.

The Tel Aviv-based vendor described the fix in its release notes only as "Improve code security enforcement in WooCommerce components." The premium plugin is estimated to run on over 12 million websites. An authenticated attacker who can exploit this highly critical vulnerability can completely take over a WordPress site that has WooCommerce enabled.

 

"A malicious user only needs to turn on the sign-up page (if it's off) and change the default user role to admin and they can instantly create an account with administrative privileges. With this authority, they can redirect the site to another malware domain, upload an unauthorized plugin, or backdoor, and further exploit the site," Patchstack said in an advisory released on March 30th, 2023.

Patchstack also reports that the flaw is being exploited from many IP addresses in attempts to upload arbitrary PHP and ZIP packages. Users of Elementor Pro should upgrade to version 3.11.7, or the most recent version, 3.12.0, as soon as possible to protect themselves.
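The bug class described above is worth seeing in code. What follows is an added illustration, not Elementor's code, of how a WordPress plugin AJAX handler can end up letting any logged-in user rewrite site options, beside the hardened form a reviewer would insist on. The `demo_` function names, hook names, and the two allow-listed option names are assumptions made for the example; the two core options the vulnerable version can be abused to change, `users_can_register` and `default_role`, are the real WordPress settings behind "turn on the sign-up page" and "change the default user role".

```php
<?php
// Added example (hypothetical plugin code, not Elementor Pro): a browser-facing
// handler that saves a WordPress option. All demo_* names are assumptions.

// --- Vulnerable shape ------------------------------------------------------
// WordPress fires wp_ajax_{action} for EVERY logged-in user, whatever their
// role, so a self-registered Subscriber reaches this. With no capability
// check and no allow-list, the caller can write any option, e.g.
//   option_name=users_can_register  option_value=1
//   option_name=default_role        option_value=administrator
// and then register an administrator account through wp-login.php?action=register.
function demo_update_option_vulnerable() {
    $name  = $_POST['option_name'];
    $value = $_POST['option_value'];
    update_option( $name, $value );   // no nonce, no current_user_can(), no allow-list
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_update_option_vulnerable', 'demo_update_option_vulnerable' );

// --- Hardened form ---------------------------------------------------------
// Only options this feature actually owns may be written (assumed names).
const DEMO_ALLOWED_OPTIONS = [ 'demo_shop_banner_text', 'demo_shop_items_per_row' ];

function demo_update_option_hardened() {
    // 1. CSRF: the request must carry a nonce issued for this action
    //    (check_ajax_referer() dies with HTTP 403 if it is missing or invalid).
    check_ajax_referer( 'demo_update_option', 'nonce' );

    // 2. Authorization: the user must hold the capability that normally
    //    gates writing site options, independent of the nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Allow-list the option name; never accept an arbitrary key from the client.
    $name = isset( $_POST['option_name'] ) ? sanitize_key( wp_unslash( $_POST['option_name'] ) ) : '';
    if ( ! in_array( $name, DEMO_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    // 4. Sanitize the value for the type that option is expected to hold.
    $raw   = isset( $_POST['option_value'] ) ? wp_unslash( $_POST['option_value'] ) : '';
    $value = ( 'demo_shop_items_per_row' === $name ) ? absint( $raw ) : sanitize_text_field( $raw );

    update_option( $name, $value );
    wp_send_json_success( [ 'option' => $name ] );
}
add_action( 'wp_ajax_demo_update_option_hardened', 'demo_update_option_hardened' );
```

Note that neither handler is registered on a `wp_ajax_nopriv_` hook, so both require a logged-in account; that is why the advisory speaks of an authenticated attacker, and why open registration or a WooCommerce customer account is enough. Also, upgrading the plugin closes the hole but does not undo what an attacker already did with it. A site that ran 3.11.6 or earlier with WooCommerce should additionally be checked, for example with WP-CLI: `wp option get users_can_register`, `wp option get default_role`, and `wp user list --role=administrator`, and any unknown administrator account, unexpected plugin, or uploaded PHP/ZIP file removed.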

State Bank of Vietnam has begun deploying information security drills.

Event VSEC - BLOG

The State Bank of Vietnam (SBV) is the agency of the Vietnamese government responsible for managing the country's currency, and it reports directly to the government. The SBV's Department of Information Technology is the unit responsible for overseeing and administering banking IT operations in general and information security in particular.

 

With over 40 financial institutions and banks taking part in the drill, a great many systems needed to be ready and running smoothly. Coordinating between the organizing committee and the test sites was difficult, since the participating banks and financial institutions were located all over Vietnam, from North to South, and took part both online and offline. Because of the high general capability of the units and the specialized nature of the teams involved in the drills, significant investment in content is always required, yet the drills must remain grounded in reality.

More than 40 banks and financial institutions active in the Vietnamese market were represented by competing teams, with the State Bank acting as the regulatory body and VSEC providing the drill services. The geographic spread of the participants and the mix of online and offline participation made the organization and the connection between the organizers and the test sites very complicated. During the drill, VSEC set up a network of bridge points to facilitate communication and keep track of the various teams, and set up hotlines and online groups to support participants before, during, and after the event.

VSEC equips officers in charge of information security with fundamental to advanced expertise, and raises their awareness of potential information security incident scenarios and of the plans and solutions that can be put into action to address them.