2021-10-12 13:08:00
A question that comes up pretty frequently on Discord, is about CompTIA's renewal process. Like ISC2, ECC and SANS/GIAC, CompTIA also have a program that works with CPE/CEU (study credits). However, they're actually a bit more flexible than the others.
Here's a nice comparison of the "easiest" ways to renew.
TLDR, you either:
Me, I've always gone for the last option, which is silly because getting PT+, CYSA+ and CASP+ would have renewed all my certs for free. 😐 Wasted money
kilala.nl tags: work, studies,
View or add comments (curr. 0)
2021-10-10 17:23:00
Here's a list of practice resources I suggest to my Linux+ students, for Bash and Linux in general.
Special mention:
Complete newb level:
Early on, for beginners:
Advanced:
kilala.nl tags: work, linux, teaching,
View or add comments (curr. 0)
2021-10-10 11:32:00
There's a question which commonly comes up on Discord. I thought I'd just make a blogpost out of my most common response.
"I need you to suggest me onto path after security+. I want to develop my pen-testing and web security skills."
Here's a great overview of all kinds of security certification tracks -> https://pauljerimy.com/security-certification-roadmap/
If you're a rookie pen-tester and need a start with the basics, then eLearnSec's eJPT was always a decent start.
Pentest+ is CompTIA's cert that tests for 1-2 years of professional experience (or bruteforce book-learning). In Paul's overview it's lower ("easier") than eJPT, which I disagree with.
For a little more experienced people, eWPT and eCPPT from eLearnSec were also decent. Or, if you want to pack a bit more oomph, go for PWK (pentesting with Kali) from Offensive Security. The capstone to PWK is the now famous OSCP practical hacking exam.
OSCP combines research skills, time management and documentation with technical challenges which are not "too hard" (their difficulty lies mostly in the huge variety offered).
There are many cool sites that offer free or affordable education through labs, like TryHackMe and HackTheBox. Personally I've been a fan of PentesterAcademy, who put out good quality content and whose courses can go really in-depth.
If you have an employer who's not afraid to spend some money on you and you still have budget left, consider the SANS trainings + GIAC exams. They're expensive, but have a good reputation and the trainings are awesome.
GSEC can be considered their next step after Security+. GCIH and GPEN are the GIAC "better-than" certs compared to CySA+ and Pentest+... Their training courses SEC504 and SEC560 are awesome... and ?
Finally I'd like to plug Antisyphon trainings
They offer very good value for money, via online trainings. Some of these are pay-what-you-can, letting you pay somewhere between $25 and $495. Others are fixed price, but well worth it.
Case in point -> Modern webapp pentesting with B.B. King.
That's $495 for 16 hours (4*4h) of online training with a group of fun students and the excellent B.B. King. It goes into a whole bunch of very important tactics and testing methods for modern web applications. Recommended!
kilala.nl tags: work, studies, teaching,
View or add comments (curr. 0)
2021-10-09 17:57:00
Halfway through May I started teaching Linux+ to the cyber-security "Group 41" at ITVitae. It's been 16 classes since then, nearly a hundred contact hours with a marvelous group of students.
And now, like I've had before after finishing a big project, I'm feeling a bit empty. In 2017, not a day after finishing my OSCP exam, I quickly felt empty and lost. And now that I'm officially done with "my" kids, I'm also at a loss. It feels odd, not teaching them anymore.
So. Best look to the future! Hopefully I'll teach a new group in a few months and until then I'd like to shoot for the DCA and CKA Docker/K8S exams.
kilala.nl tags: work, teaching,
View or add comments (curr. 0)
2021-08-23 21:22:00
Back in early 2019 I first learned how to properly apply CSP to my site's code. It was a very educational learning experience and by the end of it I managed to score an A+ in Mozilla's Observatory (which does compatibility and security checks on your site).
Imagine my surprise when earlier today I learned that A) my CSP wasn't being used anymore, the header wasn't even set and B) my Observatory score had dropped to an F! Wow, what happened?!
It turns out that Dreamhost's PHP wasn't using my .htaccess file anymore, on the PHP 7.3 setup that it was running. A switch to PHP 7.4 with their FastCGI setup and we're back in business.
Also, hooray for the CSP Evaluator tool!
That'll teach me to regularly scan and check my own site. :|
I was prompted to go check out my own CSP settings, thanks to Scott Helme's recent post -> I turned on CSP and all I got was this crappy lawsuit
kilala.nl tags: website,
View or add comments (curr. 0)
2021-08-11 08:14:00
Image courtesy of UN Climate Action.
"There's a price our grand-children will have to pay."
Remember that one? About the climate? We've been saying that for so long that we forgot what it means. Well, fun's over: we are those grand-children. My generation, the twenty-somethings I teach at school, my daughter Dana! We're all going to pay the piper, starting this decade.
The IPCC, an international cooperation of hundreds of scientists, has recently confirmed that what they've been saying for decades is not only true, it's also happening right now.
The full report is a whopping 1300 pages, which is too much for mere mortals such as you and me to take in. But luckily there's friendly folks who create summaries.
Or as Zentouro puts it, if you really want to panic and feel desperate, try playing with the IPCC's Interactive Atlas which shows you exactly how things will be changing on the short term.
To put it bluntly: all of us will need to pull together and start taking measures that we will not like. Forego travel-for-fun, drastically cut down meat consumption and your consumption of luxury goods overall. Bitter pills to swallow and all that. But if that means that the earth will only burn for fifty years instead of a hundred, I guess that'll be worth it.
To make sure that it's not just us putting in the efforts, make sure to influence your local politics! It's not just the people who need to change, it's our nations and our companies.
Write to your representatives, to your congressmen, to your politicians. Refer them to the IPCC's summary for policy makers, refer them to the IPCC's FAQ on the AR6 report.
It's time to get angry and to help make changes. It was time thirty years ago, but better late than never.
kilala.nl tags: life,
View or add comments (curr. 2)
2021-08-05 15:49:00
I've been using Vagrant to build new VMs in my homelab, which saves me a boat-load of time. Afterwards I still needed to do a few manual tasks, to make sure the VMs integrate nicely into my Active Directory and my VMWare ESXi server.
With a bit of fiddling, while setting up the Kubernetes cluster, I came to a pretty decent Vagrant provisioning script. It does the following:
The spots with ${MYUSER} and ${MYPASSWORD} are a privileged domain admin account.
apt-get install -y open-vm-tools
systemctl enable open-vm-tools
systemctl start open-vm-tools
apt-get install -y oddjob oddjob-mkhomedir sssd sssd-tools realmd adcli \
samba-common-bin sssd-tools sssd libnss-sss libpam-sss adcli policykit-1 \
packagekit
cp /vagrant/realmd.conf /etc/realmd.conf
realm join --unattended --user ${MYUSER} corp.broehaha.nl <<< ${MYPASSWORD}
echo "sudoers: files sss" >> /etc/nsswitch.conf
cp /vagrant/sssd.conf /etc/sssd/sssd.conf
cat >> /etc/ssh/sshd_config << EOF
AllowGroups linux-login
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
EOF
systemctl enable sssd realmd ssh
systemctl restart sssd realmd
kilala.nl tags: work, studies,
View or add comments (curr. 0)
2021-08-05 07:46:00
Someone on Discord recently asked me: "Is OSCP a good first cert for someone who wants to go into pentesting?"
I thought I'd share the response I gave them. I hope it's still a valid viewpoint, what with my OSCP being a few years ago.
========================
Yes, but no.
OSCP is entry-level stuff when you look at it from a technical perspective. All the exploits and vulns we need to work with during the exam are relatively clear-cut and you don't have to do any development yourself.
What makes OSCP a heavy-hitter is the non-technical aspects: you are under incredible pressure (X boxes in Y hours, plus a full report), you are given a black-box environment with targets that could be (almost) anything. OSCP is about research skills, about time management, about perseverance.
If you do the PWK class work before the exam, you are almost fully prepped for the technical aspects (vuln types, exploiting vulns, etc). Doing a large part of the PWK labs will prepare you for the research part of the exam. Which leaves time management and perseverance, which are personal skills that you need to bring yourself.
If you were to ask me for a better place to start, I'd look at eJPT first.
Get your feet wet with the basics and something that's also recognized as a solid first start.
I personally think OSCP isn't a good first cert because, if you're still getting to know your way around the tech basics, then you won't have enough time to learn-on-the-job during the exam.
If you have a good background on Linux/Unix and Windows, knowing how their services can be abused and how privesc can be done, and you've actually done it a few times, then you're on the way. Ditto for vulns and exploits in webapps or other network services: if you understand them and can apply them, then at least you have the basics out of the way.
With the OSCP exam, there's no telling what you're getting! It could be relatively new software on a new OS, or it could be an antique application in a weird old language.
If you know the basics of vulns and exploits, then you at least know what you're looking for. You will only have to learn the actual target on-the-fly.
kilala.nl tags: studies,
View or add comments (curr. 0)
All content, with exception of "borrowed" blogpost images, or unless otherwise indicated, is copyright of Tess Sluijter. The character Kilala the cat-demon is copyright of Rumiko Takahashi and used here without permission.