Kilala.nl - Personal website of Tess Sluijter

Unimportant background
Login
  RSS feed

About me

Blog archives

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

> Weblog

> Sysadmin articles

> Maths teaching

Short review of the PT1-003 Pentest+ beta

2024-06-09 14:18:00

It's been a busy weekend! After spending yesterday at AnimeCon, today I focused on household and on another CompTIA beta exam. About a month ago I wrote about the betas for Pentest+ and SecurityX, today I did Pentest+ PT1-003.

The PT1-003 objectives are available here.

Here's my thoughts on the exam:

In short: I think it's good! At least as good as the SecurityX beta, maybe even better. And much better than the Cloud+ beta which was kinda bad. 


kilala.nl tags: , ,

View or add comments (curr. 0)

Short review of the CA1-005 CASP+ / SecurityX beta

2024-05-20 19:47:00

This morning I woke way too early to take CompTIA's CA1-005 SecurityX beta. 

118 questions and I used two hours (out of the three allotted). I thought the invite said four hours max, but okay, fine. I thought the MC questions were mostly pretty good, only a very small amount of stinkers. The PBQ weren't that exciting though, could've been more.

One thing that stands out: CAS-004 was the first CompTIA exam to introduce a PBQ in a real Linux virtual machine. CA1-005 has removed all of the Linux commands from the objectives, which suggests that CompTIA decided to kill that particular subject and the VM PBQ. I for one did not encounter the VM at all.

All in all, is the CASP+ / SecurityX a competent, more technical alternative to CISSP? I think it's not far off! Now the problem to tackle is brandname recognition.


kilala.nl tags: , ,

View or add comments (curr. 0)

CompTIA goes live with two new beta exams: SecurityX and Pentest+

2024-05-18 00:17:00

I guess most people know by now that I'm a sucker for beta-testing exams. CompTIA went live with not one, but two new betas!

They have published the exam objectives here.

I just spent five hours doing a comparison of the PT0-002 and PT1-003 objectives. The changes to Pentest+ are pretty extensive. Many small details are swapped out. Two big areas are swapped: there is much less focus on mobile (app) pentesting and there is much more focus on the SDLC and containers. 

Here's my comparison. It shows which objectives were carried over from 002 to 003, but also which were added (green) or removed (red).


kilala.nl tags: ,

View or add comments (curr. 0)

MCCT (Modern Classroom Certified Trainer) done

2024-05-13 08:58:00

This weekend I had a few spare hours to laze around in my hammock. What better way to spend them, than to do some quick brushing up on my training skillset?

Logical Operations, have a training and certification they call MCCT: Modern Classroom Certified Trainer. It is currently discounted to $95, including the exam and cert. 

MCCT is very clearly targeted at trainers who need to migrate from classroom to digital teaching. The training and certification do not go into didactics and curriculum creation, it is purely about achieving success in digital / remote / asynchronous training.

MCCT is by no means a replacement for CompTIA's now-retired CTT+. 

Training materials consist of 2.5h of video, a PDF book and slide decks. The exam are 48 multiplechoice questions, 36/48 needed to pass. The exam is untimed, unproctored and open book. 

My opinions on the matter:

Jon's training impressed upon me once again the importance of community-building, especially in an async class. Yet again that makes me amazed that Practical DevSecOps appear to actively discourage community-building in their trainings. 


kilala.nl tags: ,

View or add comments (curr. 0)

Rescuing my homelab

2024-05-10 17:12:00

It's been almost a year since I last fired up my homelab. I haven't had a need for the 20+ VMs since I did my Ansible and CDP exams as just about all the other exams I prepared on a smaller, local env. 

A few weeks back I decided to fire up my R710 again, to see if everything still works. It's antiquated and it runs a version of VMWare ESXi 6.5.x. Since its boot drive is a USB flash drive, I was a bit worried.

Lo and behold, I am greeted by a pink/purple screen that says:

failed to mount boot tardisk

Whelp... I have some inclination what that means and I don't like it. Unfortunately the Internet also wasn't of much help, as that exact error appeared once on a German forum. 

After some messing about, I'm happy to learn that my USB boot drive still had a recovery option! Pressing <shift><r> when told to, pops me into recovery mode. It tells me I can restore a previous install (which curiously had the exact same OS version), which I did.

By the sounds of it, all my VMs are booting again. :)

Now to make a backup of that flash drive!


kilala.nl tags: , ,

View or add comments (curr. 0)

Book recommendation: Microservice APIs, by José Haro Peralta

2024-01-21 15:21:00

In the months leading up to my PDSO CASP studies I read José Haro Peralto's "Microservice APIs". On and off, between classes and between other things I was learning. It's been a long read, but I can heartily recommend it. 

I can honestly say that José's excellent book is what taught me the most I now know about how APIs work! And it most certainly made a lot of things clear, which I also learned about in CASP. 

Before I read "Microservice APIs" I had a foundational grasp of how REST and SOAP APIs look from the outside, as consumer. I'd used OpenAPI specs, I'd read through WSDL files and I'd made API calls through HTTP. But I never really understood how it all worked on the server side. 

José's book makes all of that server side magic crystal clear!

The book explains foundational and deep technical aspects of building multiple interacting APIs, which together form the backend of an online coffee product shop. And José shows all of it! All the Python code to load the frameworks, to write the queries and to build the endpoints. All of the code needed for GraphQL and two different REST implementations. And even a bit of authentication and authorization! Heck, appendix C of the book turns out to have exactly what I was looking for when I wanted to learn about integrating OIDC and OAuth into the authorization checks of an API!

If you hadn't guessed yet: "A+ would recommend".


kilala.nl tags: , ,

View or add comments (curr. 0)

PDSO CASP exam done! Let's review!

2024-01-21 11:22:00

Almost a month ago I started my studies for PDSO CASP, or Practical DevSecOps - Certified API Security Professional. That's a whole lot of words! 

I've taken two PDSO classes and exams before: CDP in 2021 and CTMP in 2023.

Yesterday I took the exam and boy-howdee! did I get off on the wrong foot! I thought I'd booked the exam to start at 0800, but when I was brushing my teeth at 0645 the exam instruction email arrived! My own fault and luckily I was at my desk in fifteen minutes... I didn't miss any time, I was just a lot less relaxed than I'd hoped to be. 

It was fun to do another hands-on hacking exam! Six hours of happy hacking! Having said that, I have one thing to nag about. 

The exam did not test anything new. PDSO themselves in their training materials always advise: (paraphrased) "if you do all the labs and take careful notes, you will do well on the exam". They said it with CASP, they said it with CTMP and with CDP. 

With CDP there was additional depth to the exam insofar that you needed to apply concepts that you had learned to new technology. For CASP that did not ring true. And I understand why PDSO took this approach. CDP was about implementing CI/CD pipelines, while CASP is about attacking (pentesting?) APIs. And one does not "simply pentest" five different APIs in six hours time. 

In my feedback to PDSO (and I gave plenty of it) I suggested that they could make a proper competitor to APISecU's ASCP exam by creating a second, longer and more in-depth exam. If PDSO made CASE (certified API security expert) which lasts twelve hours and has you do proper recon and attacking, I'd be all over that!

In essence the difficulty level of PDSO CASP is not defined by the technical challenges, but by time management and by foundational understanding. If you didn't do the training and labs, or if you don't have prior API pentesting experience you will fail. And if you cannot do those five challenges in six hours, while collecting evidence (screenshots, logging, code), you will fail. 

Speaking of which: the reason why my reporting went so well, is because I ahdere to the most important lesson I learned from BHIS and John Strand: "Document as you go."

You will need to be picky about how you attack the challenges and you will definitely need to timebox. In my case the challenges were worth 20, 20, 15, 25 and 20 points and I need 80 out of 100 points to pass. Having said that...

The exam assignments are clear and complete, as is the list of requirements for your reporting. PDSO make it very clear how you will be scored and they give you every opportunity not to fail. 

The team at PDSO are very responsive. Support for the training and exam are arranged via MatterMost and you will always find someone from the team online. If there's a technical issue, they will report on it very quickly and they will make good time in resolving the issues. 

Having said that, I am surprised at the lack of community building on MatterMost. They have 2500+ students on there and the community chat is very quiet. And every time that someone does ask a question about course contents, they are immediately approached by someone from PDSO to tackle the question in DMs. There is no community building or involvement. 

Then there's one final, big factor which I feel detracts from the professional value of the PDSO certifications: validation. 

At no point before, during or after my exam was my identity verified. There is no proctoring, no session recording, nothing. My exam could have been done by anyone. I could have used any method of cheating and they would not know. My report could have been written by anyone. 

This will automatically devalue the certification for prospective employers. Instead of relying on the certification body, the employer will need to apply their own bullshit detector to verify if the applicant actually has any API hacking experience. 

Mind you, this is not unique to PDSO. APISec University have the same problem with their CASA exam which is unproctored, unvalidated and open book. I haven't taken APISec's ASCP yet, so I don't know if that's proctored. 

...

About the CASP training itself? I liked it well enough and it did teach me quite a few new things. It's just that at a few points I really wish they'd gone more technically in-depth than they did. Don't get me wrong, they already go pretty deep on a lot of topics, but I wanted more. Case in point: I did two 6-8 hour deep dives on OAuth and on OAuth+OPA to really understand how a technical implementation in code would work. 

It was time and money well spent!


kilala.nl tags: ,

View or add comments (curr. 0)

Learning more about OIDC, OAuth and OPA

2024-01-15 20:12:00

Almost a month ago, I did a deepdive on how OAuth really works, as part of my preparations for the PDSO CASP exam. 

Well, it's time for another one! Because I really wanted to know how you would use OAuth in conjunction with OPA (open policy agent) to drive the access controls on your API and business logic. 

I spent another six hours, watching videos and reading through sample code to put two-and-two together. Here's linkks to resources that really helped me.


kilala.nl tags: ,

View or add comments (curr. 0)

Why can't vendors just make practice exams, just like the real thing?

2023-12-31 13:29:00

On Discord someone asked why it's so hard for vendors to "just" make practice exams that are just like the real thing? To them, it seemed like an obvious market gap! And to be honest, who wouldn't want a proper test run while prepping for Security+, LPIC1 or even CISSP?!

Now, I'm no expert, but here's what I told'm...

Most importantly it's because you absolutely have to blackbox the practice exam creation. There can never be any doubt whatsoever that you as vendor stole copyrighted materials or that you lifted questions and concepts from the official materials.

You have to have proof of your process and show that none of your personnel have ever taken the real exam. This means you have to hire a group of SMEs (subject matter experts) and have them create a testbank of 2000+ questions which cover all of the exam objectives for that one exam. But they're not allowed to look at official materials ever; possibly not even the objectives themselves.

And then you have to do that ten-or-so times, to cover all the exams. So basically at that point, you are making a brand new exam and you're competing with Linux Foundation, LPI, ISC2, CompTIA, etc.

It costs a huge amount of money.

Since we're in an IT forum I can safely point you towards this, which is strikingly comparable... Look into how Compaq reverse engineered the IBM PC BIOS, so they could make IBM PC compatible devices. Very similar.

For the exam questions, taking the Compaq analogy, it would mean that you need to have a team that creates a very precise set of requirements and design decisions. Theoretically they could look at what CompTIA and other vendors do.

Then you would need that second team of actual SMEs to write those hundreds or thousands of questions, based on the specifications written by the first team.

And then possibly, you could get exams which are very close to what CompTIA does. 


kilala.nl tags: ,

View or add comments (curr. 0)

Learning about OAuth

2023-12-27 20:33:00

OAuth is a topic that has popped up a few times in my certification studies (Security+, CISSP, CSC210), but in none of those cases the curriculum went in-depth on how it works. As in really, how do you implement it, what does it look like in action? 

I'm currently going through PDSO's API security training, preparing for the exam. OAuth gets about twenty minutes of video in there and they do a relatively good job of explaining. But yet again, there's still a lot of details missing. 

Today I spent five or six hours reading through the resources below, making a huge stack of flash cards so I can refresh what I learned at a later point in time. 

For those who might struggle a bit with OAuth and how it would be implemented in code, here's an absolutely great example of a Javascript SPA (single-page app).

I then also read:

I also had no clue whatsoever about how those links worked, where you do something in a browser and it pops up an app on your smartphone, tablet or computer. I learned that's called app deep linking and it's something that's both really cool and that's had its share of vulnerabilities as well. This was a great read which taught me how the URI schema for app deep links work and how they can be attacked. 

EDIT:

Oh my gosh, the folks at Curity made a great 8-part mini training that introduces OIDC and OAuth. Parts 7 and 8 perfectly explain 90% of what I wanted to know when I started my research.


kilala.nl tags: ,

View or add comments (curr. 0)

CompTIA ITF+ exam

2023-12-03 11:01:00

After my frustrating start with the exam check-in (started at 08:15, finished at 09:00), I did get to do the CompTIA ITF+ (IT Fundamentals) exam. 

Tess? Why do this most entry-level of junior exams? Two reasons:

  1. I'm test-running it for my students at ITVitae, to see if the curriculum and exam are decent.
  2. I've built a webshop selling heavily discounted CompTIA vouchers and wanted to test the payment process, by buying the cheapest voucher.

So what did I think? 

I like the curriculum / objectives. They cover a wide range of topics, which I feel most people in IT should really be familiar with.

The exam itself was decent, though I'm not a huge fan of how a lot of the questions were worded. In some cases the grammar felt a lot more clunky than I'm used to from Linux+, Pentest+, etc. 

I scored much lower than I'd expected! The range is 100 - 900 points, with a pass at 650. I scored 730, which suggests that I misread questions or that CompTIA wanted me to think about a question differently. Plus, I do believe that one or two questions, I got tripped up by the very weird wording. 

Do I think ITF+ is worth it for the most junior students I will be teaching? Yes, the curriculum is worth it. But I do feel that the exam might be a bit frustrating for them. 


kilala.nl tags: ,

View or add comments (curr. 0)

My first real frustrating encounter with OnVue remote testing

2023-12-03 10:46:00

Two screenshots of a photo app

Today I took CompTIA's ITF+ exam at my office, using PearsonVue's OnVue testing software. This has gone wel for me 10+ times, but today it didn't. 

What changed? I used a desktop Mac instead of my usual laptop. What else went wrong? The check-in process. 

Let's start with that last one: the check-in process.

This has gone perfectly well for me 10+ times. You visit https://mobile.onvue.com on your smartphone, you enter the exam ID and you go through the wizard to take photographs of yourself, your ID and the room. 

The big problem is that the "shutter" button to take the photograph went missing. It was impossible to take the photo.

In the screenshot above, you will see that:

This made it impossible to photograph my ID and to proceed with the check-in. 

I contacted the PearsonVue support team via chat and they did not understand my problem. They asked for error messages, or told me to use my phone (I was), or told me to try my laptop (I didn't have one). 

Why use a laptop? There is a secondary method of taking the photos inside the OnVue exam app itself. It uses your computer's camera for the photographs. This would have worked to some degree, were it not that I was using a desktop PC with a wired camera. 

Plus it turns out that the Logitech 720p camera I have is not good enough to take these pictures as it has fixed focus. 

After a lot of back and forth with support, I accidentally found out (by flicking the screen on my phone) that the camera shutter button is in fact on the ID page, but it's out of view. You have to scroll the layer with the overlay. That was 200% un-intuitive. 

Later on I was also informed that my Wacom pen-tablet is not a permitted peripheral; that was on me, I should have know. Quickly switched to an old mouse.

Lessons learned from todays OnVue exam:

The rest of the exam, after checkin? Zero technical problems. I'll write about ITF+ separately. 


kilala.nl tags: ,

View or add comments (curr. 0)

Study resources for ISC2's CC exam

2023-11-23 11:39:00

In the summer of 2022, ISC2 introduced what was then called their ELCC exam. These days it's just "CC": Certified in CyberSecurity. At the time I concluded that ISC2's CC is a decent curriculum and exam, for people who need foundational understanding of enterprise-level cybersecurity. 

In October of 2022 and 2023 I ran in-house "study challenges" for my customer, with 10-20 people attempting to pass the CC exam within the one CyberSecurity Awareness Month (CSAM). When we started, all there was to study were the free video trainings from ISC2. 

Since then, new and much better resources have become available!

Remember to never pay full price on Udemy! They run huge discounts very regularly.


kilala.nl tags: ,

View or add comments (curr. 0)

Virtualization, Linux labs on Apple Silicon

2023-07-17 20:18:00

I've held off on spending money on a new Mac for a long, long time. I have two Macbook Airs from 2017, which are still holding up admirably for my studies and work. Honestly, their 8GB of RAM and aged i5 are still plenty good for most of my work. 

Sure, I did get an Asus laptop with a beefy Ryzen in there, for teaching purposes. But even that's an ultra-portable and nothing hugely expensive. 

I've had to bite the bullet though: the chances of me getting students with Apple Silicon laptops are growing. My current group at ITVitae has my first one and it's a matter of time before a commercial customer pops in with an M1 or M2. 

So, I got myself a second hand 2020 M1 Mac Mini from Mac Voor Minder. Good store, I'd highly recommend. 

I had hoped that, in the three years we've had the Apple Silicon systems out, virtualization would be a solved problem. Well... it's not really, if you want one of the big names. 

VirtualBox, forget about that. It's highly in beta and is useless. VMWare Fusion supposedly works, but I didn't manage to get it to do anything for me. And I'm not paying for Parallels, because most likely my students won't either! I need cheap/free solutions.

Turns out there's two.

  1. UTM, which uses Qemu under the hood. It's brilliant. Looks spiffy, has good options and does both virtualization (aarch64) and emulation (many other architectures). It does not have an API and it does not work with Vagrant. But I love it. 
  2. You can also install Qemu via Homebrew and then use the Vagrant-Qemu plugin to build VMs. It works well, although it doesn't support all great Vagrant options yet. One downside is that the amount of aarch64 images for Qemu on VagrantUp is small. 

I'm now rewriting the lab files for my classes, to make them work on M1/M2 ARM systems. I'm starting with the lab VM for my DevSecOps class and then moving onward to two small projects that I use in class. Updating my Linux+ class will take more work.

Maybe I should start making my own Vagrant box images. :)


kilala.nl tags: , ,

View or add comments (curr. 1)

Preparing for (and passing) Red Hat's EX188, specialist in containers

2023-06-24 12:55:00

It's been well over a decade since I started doing Red Hat certifications, back in th RHEL6 era. Since then I've gone after many exams and certs, taking a few every year although not limited to Red Hat stuff. For Red Hat I'm basically making sure to take a new every 2.5-3 years, so I can offically retain my "RHCE" status from 2014. 

After my frustrating encounter with EX413 (security, 2017) and the fun EX407 (Ansible, 2020), it was time again! Since my agenda and wishlist are so incredibly stuffed, I will admit that I took "the easy way out" in renewing my RHCE by taking EX188.

EX188 is Red Hat's first exam in the line of certifying on the subject of container administration and development. It's about using Podman/Docker, to build and run containers in a local environment. No high availability, no Kubernetes or OpenShift... Basically a big step back from my CKA exam from last year.

But, pragmatism has its place. This year I've got a lot of other plans for my own studies and my work as teacher and this was a solid and educational way to get to a goal quickly.

Preparations

To make sure I'm well enough prepared:

Testing from home

I still very much like that Red Hat will let you take their practical exams from home. Unfortunately they use a much harder-to-use setup than people like Linux Foundation. Preparing to take CKA from home was dead simple. Preparing for Red Hat Kiosk exams is a chore.

 The e-book says my Macbook Air from 2017 should work, but it doesn't. So I used Dick's Lenovo gaming laptop again. It only works with the 2020-08 ISO, because of it's built-in M970 GPU. I also had to buy a cheap Logitech webcam, because my Razer cam didn't work. 

Important: make really, really sure that you test your computer fully way before the scheduled exam date. You must do this. 

The exam itself

I enjoyed it! It's 2.5 hours, for a handful of tasks. Red Hat advise you to first read through all assignments before starting, because one task may rely on another. Reading all tasks will take about fifteen minutes. I advise that you really do read all tasks before starting. 

The task descriptions for EX188 are good. They are thorough and detailed, they give you all the information you need for success. I have two minor squibles with the task texts.

  1. One choice of words that is repeated in each task is ambiguous (but you don't have to worry about it).
  2. One task had two lines in it that 100% contradict each other. They offer an impossible conflict. After discussing the conflict with the proctor, I followed their advice to use a logical approach which rules out the impossibility itself. 

I needed the full 2.5 hours for the exam. I had 85% of the work done after ~1.5, but then needed the remaining 45 minutes for debugging the final 15%.

Again, I really enjoyed the exam. It's well put together, not frustrating at all.


kilala.nl tags: ,

View or add comments (curr. 0)

PECB ISO/IEC 27001 Lead Implementer: training, examination and certification

2023-04-19 11:29:00

This month, I've put some time into formalizing my experience with the ISO 27001 standard for "Information Security Management Systems". That is, the business processes and security controls which an organization needs to have in place to be accredited as "ISO27001 certified"... which translates into: this organization has put the right things into place to identify, address and manage risk and to provide personnel and management with policies, standards and guidelines on how to securely operate their IT environment. 

It's a cliché that people in IT have a distaste for "auditing" and "compliance". And sure, I've never had much fun with it either! But I felt I was doing myself a disservice by not formalizing what I've learned over the past decades. Or to put it the other way around: making sure I properly learn the fundamentals, means that I can assist my customers better in properly structuring their IT security. 

So off I went, to my favored vendor of InfoSec trainings: TSTC in Veenendaal. :) 

They provide the PECB version of the ISO27001 LI training and examination. The PECB materials aren't awesome, but they get the job done. And yes, if you're a hands-on techie, then the material can be rather dreary. But overall I had a fun four days at TSTC, with a great class and a solid trainer. 

The exam experience was a bit different from what I'm used to with other vendors.

TLDR, in short:


kilala.nl tags: , ,

View or add comments (curr. 0)

CFR 410: quick follow-up

2023-03-29 21:41:00

As a quick follow-up to this week's post about CSC 210 and CFR 410: I've now also gone through the majority of the course book for CFR 410. 

Like CSC I can say I'm of the opinion that the course book for CFR is solid. It's good. I might not like the CFR exam, but the book is good!


kilala.nl tags: ,

View or add comments (curr. 0)

CertNexus CSC 210 and CFR 410

2023-03-24 10:27:00

About a month ago I re-sat CompTIA's Linux+ exam, to make sure I am still preparing my students properly for their own exams. I still like the Linux+ exam (which I first beta-tested in 2021) and I'm happy to say that my course's curriculum properly covers all "my kids" need to know.

This week I sat not one, but two exams. That makes four this year, so far. :D

Why the sudden rush, with two exams in a week? I'm applying as CertNexus Authorized Instructor, through an acceleration programme that CN are running. They invited professional trainer to prepare and take their exams for free, so CN can expand their pool of international trainers. 

I feel that's absolutely marvelous. What a great opportunity! I heartily applaud CertNexus for this step.

The first exam which I took was CSC-210: Cyber Secure Coder. The curriculum had a nice overlap with the secure coding / app hacking classes that our team taught at ${Customer}, which means it's a class I would feel comfortable teaching. It's not programming per sé, it's about having a properly secure design and way-of-work in building your software. The curriculum is language agnostic, though the example projects are mostly in Python and NodeJS. 

I went through the official book for CSC and I like the quality. I actually enjoyed it a lot more than CompTIA's style. I haven't gone through the slide decks yet, so I can't say anything about those yet. The exam, I really liked. The questions often tested for insight and when it asked to define certain concepts, it wasn't just dry regurgitation. 

I can definitely recommend CertNexus CSC to anyone who needs an entry-level training and/or certification for secure development. 

Now, CFR-410 (CyberSec First Responder) is a different beast. I took the beta back in 2021 and at the time I was not overly impressed. The exam has stayed the same: it still asks about outdated concepts and it still has dry fact-regurgitation questions. 

I haven't gone through the book and slides yet, I'll do that this weekend so I can update this post. 

have contact CertNexus to offer them feedback and help, so we can improve CFR. Simply complaining about it won't help anyone, I'd rather help them improve their product.

EDIT: CertNexus have indicated they will welcome any feedback I can provide them for CFR, so that's ace. I will work with them in the coming weeks. 


kilala.nl tags: , ,

View or add comments (curr. 0)

The value (or not) of Linux+

2023-03-18 19:30:00

On Discord, people frequently ask whether "is Linux+ worth it?". Here's my take.

The value depends on your market and on what you get out of it. In the US and UK, CompTIA is a well-known vendor but in other parts of the world they aren't. But left or right, Linux+ is not very well known.

I teach at a local school to prep young adults for the Linux+ exam. The school chose Linux+ because they can get heavily discounted vouchers for the exams, versus LPI, LF and others. For the school it was a matter of money: they really don't have much money and every dollar helps. 

Personally, I feel that the Linux+ curriculum is pretty solid as far as Linux sysadmin certs go. The exam itself is also decent and the vendor is mature. 

So in this case the value you'll get is from learning Linux system administration pretty in-depth. You'll also get a slip of paper which some might recognize and others will go "*cool, you passed a cert exam, good job*" (in a positivie sense). 

Linux+ is not worthless, it's just worth less (when compared to LFCS, LPIC1 and RHCSA).


kilala.nl tags: , ,

View or add comments (curr. 0)

You've got your Security+. Now what?

2023-02-26 12:55:17

On /r/comptia and Discord, there's a lot of people hopeful to break into cybersecurity. The get their Security+ (because CompTIA's marketing promises a lot of jobs), but... then what?

Here's something I told someone on Discord the other day.

CompTIA will have a big list of options in their marketing fluff, but as I said I personally don't believe Sec+ preps you for any particular roles.

That doesn't mean it's not valuable! Quite the opposite! Having passed Sec+ means you bring fundamental InfoSec knowledge to any role you'll work in, be that user support, systems administration, network operations, DevOps, IAM, risk management, or whatever.

Career wise, it makes sense to define short and longterm goals for yourself. Investigate what different jobs in your local marketplace mean, what the work involved actually is and check their requirements.

${Deity}, I'm saying the things I hated hearing twenty years ago, but here we are.

Next to those goals, also investigate the options available to you in your local marketplace. Also take stock of your current set of experience and skills. This information will help you figure out what kind of tools are at your disposal to meet your goals.

For example, say that your long term goal is to have a hardcore technical role in cyber security. Like pen-tester maybe, DevSecOps engineer or cloud security engineer.

From that you would start figuring out which of those roles sound best to you and figure out what you need to learn to get there. This will help you define short term goals... mile stones, if you will.

For example, if you already have some prior IT experience and you've dabbled with programming and Linux, then you could aim for junior devops or sysadmin roles for the short term. If you've already done a lot of TryHackMe, HackTheBox then a junior pentesting role, or junior devsecops.

Now, if you have zero IT experience, then you're going to have to take a different route. One option is to start way lower in the IT ladder, like IT support. Another option is to go for a soft-skills based role! Like user awareness training, or risk management.

Here's a very long Reddit thread about why it's hard to break into InfoSec right from the start.

Which reminds me of a solid tip: check your local market for MSSPs: managed security service providers. They are often in a position to train juniors with little IT experience into the job. They need warm bodies to take care of the low-level work influx and can help you build experience and knowledge on the job.


kilala.nl tags: ,

View or add comments (curr. 0)

Preparing for Server+: labs?

2023-02-26 11:56:00

On the CompTIA sub-reddit, people often ask for labs to work through while prepping for an exam. For Linux+, I've made all the labs for my class freely available on Github. 

Server+ is a less common CompTIA exam, which focuses on sysadmin / data center admin roles. There's quite some overlap between A+, Linux+ and Security+; I kinda liked it!

Here's a few suggestions which I gave for practice for SK0-005 Server+

Unfortunately a lot of the aspects of Server+ relate to actually working in a data center, so it'll be hard to have labs for those sections.

Most of objective 1 you will need to have actual hardware for. If you're in the US, you can check LabGopher to find gear for your homelab. Otherwise, check your local nerdery forums or just eBay. A Dell R410 or R420 with Perc and RAID controller will set you back 100-400 dollars depending on specs and if hardware is included.

If you're already in IT, you can also ask your server admin team if they'd be willing to show you the ropes for objective 1.

Many of the topics in objective 2 can be practiced if you have a few VMs that run Windows, Windows Server and Linux to try out the various related tools. You can run these VMs on just about any recent laptop with 8GB or more of RAM and an i5/i7/i9 or similar Zen2 processor.

Virtual networking on objective 2 can be practiced with VMWare ESXi and pfSense.

The good part is that the software mentioned so far can be gotten for free legally. Windows is available for free use on 180-day licenses (which can be renewed multiple times). VMWare ESXi can be gotten on a free license, also for studying/lab purposes.

Licensing and asset management are mostly theoretical on Server+

Objective 3 is partially theoretical/conceptual, but there's a few practical aspects as well. Server hardening is something you can practice with the aforementioned VMs by reading and applying STIGs or CIS Benchmarks. If you're familiar with Ansible, you can even dive into the relevant playbooks. IAM can be practiced with Active Directory and/or Azure AD.

Objective 4 again is a nice mix of theory and practice. LogHub is a nice resource to read through all types of different log files. A lot of the other troubleshooting objectives can be exercised with the lab VMs and hardware I mentioned simply by trying to get it all to work :D That can sometimes already be a struggle, so you're troubleshooting!

Multiple objectives relate to services which you can run, configure and test on Linux VMs. NTP and SSH are two common ones, which I also include in my Linux+ labs. Ditto for the networking config + troubleshooting.


kilala.nl tags: ,

View or add comments (curr. 0)

Practical DevSecOps CTMP course and exam

2023-01-16 07:20:00

In early 2021 I needed to learn about DevSecOps and CI/CD and I needed it fast. A crash course if you will, into all things automation, pipelines, SAST, SCA, DAST and more. I went with PDSO's Certified DevSecOps Professional course, which included a 12h hands-on exam.

Here's my review from back then, TLDR: I learned a huge amount, their labs were great, their videos are good, their PDF was really not to my liking. 

Since then I've worked with a great team of people, team Strongbow at ${Bank}, and we've taught over a thousand engineers about PKI, about pentesting, about API security and about threat modelling. So when PDSO introduced their CTMP course (Certified Threat Modelling Professional) I jumped at the chance to formalize my understanding of the topic.

My review of the training materials is going to be very similar to that of CDP:

I took the exam yesterday and it was great, better than I expected!

For anyone looking for tips to take the CTMP exam:


kilala.nl tags: , ,

View or add comments (curr. 0)

Practicing with azcli, to build an Azure DevOps lab

2022-07-09 20:52:00

This fall I am scheduled to teach an introductory class on DevSecOps, to my Linux+ students at ITVitae. Ideally, if things work out, this will be a class that I'll teach more frequently! It's not just the cyber-security students who need to learn about DevSecOps, it's just as important (if not more) to the developers and data scientists!

Since this course is going to be hands-on, I'm prepping the tooling to configure a lab environment with students forming small teams of 2-4. I'd hate to manually set up all the Azure DevOps and Azure Portal resources for each group! So, I'm experimenting with azcli, the Azure management command line tool. 

Sure, I could probably work even more efficient with Terraform or ARM templates, but I don't have time enough on my hands to learn those from scratch. azcli is close enough to what I know already (shell scripting and JSON parsing), to get the show on the road. 

Here's a fun thing that I've learned: every time one of my commands fails, I need to go back and make sure that I didn't forget to stipulate the organization name. :D 

For example:

% az devops security group membership add --group-id "vssgp.Uy0xLTktMT....NDk0" --member-id "aad.ODU0MjMyZTAtN...0MmVk"

Value cannot be null.

Parameter name: memberDescriptor

That command was supposed to add one of the student accounts from the external AD, to one of the Azure DevOps teams I'd defined. But it keeps saying that I've left the --member-id as an empty value (which I clearly haven't).

Mulling it over and scrolling through the output for --verbose --debug, I just realized: "Wait, I have to add --org to all the previous commands! I'm forgetting it here!". 

And presto:

az devops security group membership add --group-id "vssgp.Uy0xLTktMT....NDk0" --member-id "aad.ODU0MjMyZTAtN...0MmVk" --org "https://dev.azure.com/Unixerius-learning/"

That was it!

 


kilala.nl tags: , ,

View or add comments (curr. 1)

More beta exams! ISC2 ELCC and CompTIA Linux+ 005

2022-06-29 21:28:00

At the end of 2021 I took the beta version of Comptia's XK0-005, which went live earlier this month as XK1-005. My opinions on the exam still stand: it's a solid exam with a good set of objectives. And luckily I passed. :D

Yesterday, I took part in another beta / pilot: (ISC)2's ELCC, also known as their Entry Level Cybersecurity Certification. I didn't take it to pad my own resumé, I did it to see if ELCC will make a good addition to my student's learning path. So far they've been using Microsoft's MTA Security (which is going away).

(ISC)2, most famously known for their CISSP certification, saw an opportunity in the market for an entry level security certificate. Some would call it a moneygrab... But the outcome of it, is their ELCC.

Looking at the ELCC exam objectives I have to say I like the overall curriculum: the body of knowledge covers most of the enterprise-level infosec knowledge any starter in infosec would need to know. It's very light on the technical stuff and focuses mostly on the business side, which I think is very important!

I've heard less-than-flattering reviews of (ISC)2's online training materials, meaning that I'd steer students to another source. And, having taken the exam, I have to admit that I think it's weak. 

Maybe it's because this was a beta exam, but a few topics kept on popping up in questions with the same question and expected-answer being given in slightly different wordings. With 100 questions on the test, I was expecting a bit more diversity. 

I also feel that a lot of the questions were about dry regurgitation: you learn definitions and when provided a description, you pick the right term from A, B, C or D. CompTIA's exams take a very different approach, where you're offered situations and varying approaches/solutions to choose from. 

Overall take-aways regarding ISC's entry-level cybersecurity certification:


kilala.nl tags: , ,

View or add comments (curr. 0)

Nostalgia: VMEbus and OS-9

2022-06-15 06:35:55

Recently I've been thinking back about old computing gear I used to own, or worked on in college. Nostalgia has a tendency to tint things rose, but that's okay. I get pangs of regret for getting rid of all my "antiques" (like the Televideo vt100 terminal, the 8088 IBM clone, my first own computer the Pressario CDS524) but to paraphrase the meme: "Ain't nobody got room fo' all that!"

Still, it was really cool to run RedHat 5 on the Compaq and having the Televideo hang off COM1 to act as extra screen and keyboard.

Anyway... that blog post I linked to, regarding RH5, also mentions OS-9. OS-9 was (is, thanks to NitrOS9). It was an OS ahead of its time, with true multi-user and multi-processing, with realtime processing all on at the time relatively affordable hardware. It had MacOS and Windows beat by at least a decade and Linux was but a glint in the eyes of the future.

I've been doing some learning! In that linked blog post I referred to a non-descript orange "server". Turns out, that's the wrong word to use!

In reality that was a VMEbus "crate" (probably 6U) with space for about 8-10 boards. Yes it used Arcnet to communicate with our workstations, but those also turn out to be VMEbus "crates", but more like development boxen with room for 1-2 boards in a desktop box.

Looking at pictures on the web, it's very likely that the lab ran OS-9 on MVME147 boards that were in each of the crates.

Color me surprised to learn that VMEbus and its successors are still very much in active use, in places like CERN but also in the military! But also in big medical gear, like this teardown of an Afga X-Ray machine shows.

Cool stuff! Now I wanna play with an MC68k box again. :)


kilala.nl tags: , , ,

View or add comments (curr. 1)

Comparing Linux+ objectives between XK0-004 and XK0-005

2022-05-11 17:43:00

Finally, the CompTIA Linux+ beta embargo has lifted! I can post the comparison I made of the objectives between XK-004 and 005!

In the spreadsheet, you'll see:


kilala.nl tags: ,

View or add comments (curr. 0)

Passed the CKA exam

2022-05-08 09:19:00

It's been a very long time in coming, but I finally passed my CKA (Certified Kubernetes Admin) exam yesterday. 

When I say "a long time", I mean that this path of studying started back in August 2021 right after finishing teaching group 41 at IT Vitae. Back then, I started out on the Docker learning path at KodeKloud, to get more familiar with containerization in general. I'd considered going for the DCA exam, but comparing it to CKA I reconsidered and added a lot more studytime to just hop onward to Kubernetes.

I can not say enough positive things about KodeKloud. The team has put a lot of effort into making great educational content, as well as solid lab environments. The cost-value comparison for KodeKloud is excellent! I plan on finishing their DCA content later this year, so I can then turn to RedHat's EX180 (Docker/Podman and OpenShift) exam.

Aside from KodeKloud's training materials, the practice exams at Killer.sh were great. You get two free practice exams as part of your CKA exam voucher and I earned a third run by submitting some bug reports. 

Again, the value for money at killer.sh is great: in-depth exercises, a stable testing environment and a exam setup that properly prepares you for the online CKA testing environment. 

Finally, the actual exam: registration was an okay process, signing in with the proctor went excellent and the exam itself worked fine as well. I did learn that Linux Foundation are very strict about the name put on your registration. I put in "T.F. Sluijter-Stek" because legally that is my identity, but they actually wanted "${FirstName} ${LastName}" so for me my "${DeadName} ${MaidenName}". Oh well; no biggy. The proctor was very patient while I went and updated my name on the portal. 

So to summarize: 


kilala.nl tags: , ,

View or add comments (curr. 0)

Took the CompTIA Project+ beta

2022-01-29 11:04:00

Back in November, CompTIA announced the upcoming Project+ v5 certification exam. My day-to-day job does not entail project management, but I was curious about the exam anyway.

It's no secret that beta-testing CompTIA exams has become a hobby of mine. Thus, I jumped at the chance to take it, when someone posted about it on Reddit. As has become tradition, I pludged the exam: i.e. I went in with zero preparation, only browsing through the exam objectives document

My impressions of Project+ PK1-005 (to become PK0-005):

Overall, I'm feeling pretty good about this update to Project+. 

Will it be a valuable certificate for your resumé? Maybe not, with bigger brand names having more recognized project management certs. But will it rank up there with something like PSM-I or PSPO-I? Or something like PRINCE2 fundamentals? Yeah, probably. 

Finally, do I think I passed? I expect I didn't: my experience and knowledge of formal project management, especially things like PRINCE2, is very meager. 


kilala.nl tags: , ,

View or add comments (curr. 0)

VirtualBox and Vagrant error: E_ACCESSDENIED (0x80070005) - Access denied

2022-01-23 09:25:00

I've been using Vagrant for a lot of my quick tests and my classes for a while now. A few weeks ago, my old Vagrantfile configurations stopped working, with Vagrant and Virtualbox throwing errors like these:

There was an error while executing `VBoxManage`, a CLI used by Vagrant for controlling VirtualBox.The command and stderr is shown below.

Command: ["hostonlyif", "ipconfig", "vboxnet0", "--ip", "192.168.33.1", "--netmask", "255.255.255.0"]

Stderr: VBoxManage: error: Code E_ACCESSDENIED (0x80070005) - Access denied (extended info not available) 

VBoxManage: error: Context: "EnableStaticIPConfig(Bstr(pszIp).raw(), Bstr(pszNetmask).raw())" at line 242 of file VBoxManageHostonly.cpp

 

Or, in a more recent version of Virtualbox:

The IP address configured for the host-only network is not within the allowed ranges. Please update the address used to be within the allowed ranges and run the command again.

 Address: 192.168.200.11

 Ranges: 192.168.56.0/21

Valid ranges can be modified in the /etc/vbox/networks.conf file.

 

A search with Google shows that a few versions ago VirtualBox introduced a new security feature: you're now only allowed to whip up NAT networks in specific preconfigured ranges. Source 1. Source 2. Source 3.

The work-arounds are do-able. 

While the prior is more correct, I like the latter since it's a quicker fix for the end-user. 

BEFORE:

stat1.vm.network "private_network", ip: "192.168.200.33"

 

AFTER:

stat1.vm.network "private_network", ip: "192.168.200.33", virtualbox__intnet: "08net"

 

 

Apparently it's enough to give Virtualbox a new, custom NAT network name. 


kilala.nl tags: , , ,

View or add comments (curr. 0)

That one time I didn't beta-test two Mile2 exams

2022-01-22 16:00:00

Mile2 are a training company, aiming to provide vendor-neutral InfoSec training and certification exams. I've heard their name a few times, but have never taken any of their trainings. Reddit and TechExams also have little experiences posted about them.

That's why I was very curious and interested to join Mile2's beta program for their C)ISSO and C)PTE exams. These new versions are ANSI accredited (meaning they will require CPE points every three years) and have been renewed in a few other ways. Sounds like a great opportunity to give them a shot. Besides, taking beta exams is a hobby of mine.

Requesting access was a solid process, as you needed to submit a bit of a resumé to prove you'd be a valued reviewer/tester. I was approved for the program pretty swiftly, with clear instructions from their marketing team. 

I reported back to the team, with a few doubts about the sign-up process.

Half an hour later my access was revoked and I was ejected from the beta program, the team citing my "obvious distrust of their organization". Oh well.


kilala.nl tags: , ,

View or add comments (curr. 0)

Explanation of the Log4j vulnerability and how we got here

2021-12-27 15:37:00

two options for resolving variables in logging

Fabian Faessler, aka LiveOverflow, runs a wonderful YouTube channel where he explains all kinds of InfoSec and other hacking related topics. I'm a huge fan of his two-part explanation of the recent Log4j vulnerability. 

We've seen plenty of proofs-of-concept and rehahshes of JNDI-problems. In his video, Fabian instead delves into the matter of how we even got into this mess.

The screenshot above is from part 2. It asks developers the honest question: what would have been better, more secure? Do we want a logging solution which can resolve arbitrary variables and macros? Or should we have a plain logger, which needs to be spoon-fed what it needs to log?

In secure design, we should always choose for option B. But I guess that historically "features" and "shiny factor" won over "basic design".

If you have half an hour, I suggest you grab some coffee and go give this series a watch!


kilala.nl tags: , , ,

View or add comments (curr. 0)

Mike Sass' excellent infosec training retrospective

2021-12-27 11:07:00

I just found this awesome page (a very long read), which is a retrospective of Mike Sass' five-year education path. Lots of good advice about studying infosec, and mini-reviews of many trainings (SANS and others). 

https://shellsharks.com/training-retrospective


kilala.nl tags: , ,

View or add comments (curr. 0)

I sat the CFR-410 beta: CertNexus CyberSec First Responder

2021-12-27 08:37:00

A few weeks ago CertNexus announced the public beta of their CyberSec First Responder (CFR) exam, version 410. Three years ago I took the beta for CFR-310. At the time I wasn't overly impressed by the exam, so I decided to take it again to see if they improved.

They did not. I can actually literally repeat what I said three years ago, while replacing "Examity" with "OnVue".

Comparing this to CySA+, I like CompTIA's exam a lot better.

My take-away: if you're in the US and must get a DoD 8570-listed certificate for one of the CSSP roles, then you may find CFR to be easier than CompTIA's CySA+ or Pentest+.

CFR is also marginally cheaper than CySA+ ($350 vs $370). But it's the renewal fees where you may want to opt for CompTIA, if you have more than one of their certs. Both companies charge $150 per three years, but in CompTIA's case the fees for multiple certs are often combined, so you don't have to pay multiple. 

I'm curious to see what the end-result of my scoring will be. But if I do pass, I will not be paying my CFR annual fees.

EDIT:
One thing I don't like about the CFR-410 exam is this section on page 5 of the objectives document:

"The information that follows is meant to help you prepare for your certification exam. This information does not represent an exhaustive list of all the concepts and skills that you may be tested on during your exam. [...] The information beyond the domains and objectives is meant to provide examples of the types of concepts, tools, skills, and abilities that relate to the corresponding domains and objectives. All of this information [...] does not necessarily correlate one-to-one with the content covered in your training program or on your exam.

It sounds like they're saying: the exam may include specific tools and techniques not listed as examples on the objectives document. 

You could argue that's fair enough, because it's impossible to list all tools that you'll ever run into on the job. But on the other it creates a moving target for students who are already anxious enough about taking a big exam. 

With CompTIA's exam objectives you can always count on it that "if it's not on the objectives, it's not on the exam". 


kilala.nl tags: , ,

View or add comments (curr. 0)

Another month, another beta: CertNexus CFR-410 and Project+

2021-12-22 16:16:00

Back in 2018, I took the CertNexus CFR-310 beta exam. It was okay. 

This week I learned that CN are launching CFR-410 with another beta (quoting their Facebook):

"Due to the high demand for the CFR-410 beta testers, we have decided to offer 75% off the voucher for the CFR-410 beta exam for a limited time. To participate, please go to https://bit.ly/CFR-410-voucher, create an account (or sign in), add the exam voucher to your cart and enter coupon code CFRBETA75 during checkout.

For more information on #CFR go to https://certnexus.com/certifica.../cybersec-first-responder/."

Final cost after discount: USD 87.50. I booked it and am waiting for the beta to open up. 

As a reminder, CFR-410 (and 310) are a security incident response exam, the acronym referring to CyberSec First Responder. It's comparable to CompTIA's CySA+ (cybersec security analyst) and the much better GCIH (GIAC incident handler). I'm curious how this'll play out!

Speaking of other upcoming betas: Project+ 005 from CompTIA is coming up. And yes, they will run a beta exam, starting in January. I might be curious enough to just give it a shot, see what it's about. 


kilala.nl tags: , ,

View or add comments (curr. 0)

Took the CompTIA XK0-005 Linux+ beta

2021-12-05 09:09:00

Less than 48h ago, the new beta version of CompTIA's Linux+ exam, XK0-005, was opened to the general public. Or is it XK1-005?! I've asked them what's up with that XK0/XK1. Since taking CompTIA's beta exams is a big hobby of mine, I jumped onboard immediately!

Three years ago I was not very impressed by the XK0-004 beta. I felt it was too easy and too heavily focused on git and legacy software like init. Since there's an embargo on the objectives (which you can download from the official page I linked above) I can't discuss the objectives nor what's on the test. But I can tell you this much:

Some of the questions were really, really long. Like, "print this on A4 and it fills a whole page" long. I felt that might scare off the intended entry-level audience, so I put that in the comments. 

My conclusion: this exam is looking good! I would say that, content-wise, it's now on par with what I'd expect from RHCSA. I don't have recent experiences with LPIC or LFCS, I should give those a look sometime soon. 

I expect that my next group of students at IT Vitae will still be testing against version 004, but I will start updating my training materials for the next groups. The objectives have changed thoroughly. 


kilala.nl tags: , ,

View or add comments (curr. 0)

I tested CompTIA Server+ and it wasn't great

2021-10-29 09:21:00

I just passed CompTIA's Server+ exam, which was a "meh" experience. 

The exam crashed twice on the same PBQ (literally the very first question!), but the proctors were awesome about it.

In the first crash, not even the chat tool worked, so I powered down and not 1 minute later my phone rang. The proctor was very helpful in getting me back to my exam. The second time I went back to that broken question it hung again, but luckily chat was still working so the proctor reset my connection. 

In short: the exam has solidified my opinion that the CompTIA PBQs work badly on MacOS systems. The OnVue software clearly puts stress on the system, because my fans were going wild nonstop.

Based on the Server+ exam contents (I did not read any of the books) this is not a course/exam I would recommend to anyone with over a year of data center experience. It would make a nice introduction to someone starting as DC tech or Unix/Windows admin.


kilala.nl tags: , ,

View or add comments (curr. 0)

Renewing CompTIA certification

2021-10-12 13:08:00

A question that comes up pretty frequently on Discord, is about CompTIA's renewal process. Like ISC2, ECC and SANS/GIAC, CompTIA also have a program that works with CPE/CEU (study credits). However, they're actually a bit more flexible than the others.

Here's a nice comparison of the "easiest" ways to renew.

TLDR, you either:

 

Me, I've always gone for the last option, which is silly because getting PT+, CYSA+ and CASP+ would have renewed all my certs for free. 😐 Wasted money


kilala.nl tags: , ,

View or add comments (curr. 0)

Where to go after Security+

2021-10-10 11:32:00

There's a question which commonly comes up on Discord. I thought I'd just make a blogpost out of my most common response.

"I need you to suggest me onto path after security+. I want to develop my pen-testing and web security skills."

Here's a great overview of all kinds of security certification tracks -> https://pauljerimy.com/security-certification-roadmap/

If you're a rookie pen-tester and need a start with the basics, then eLearnSec's eJPT was always a decent start.

Pentest+ is CompTIA's cert that tests for 1-2 years of professional experience (or bruteforce book-learning). In Paul's overview it's lower ("easier") than eJPT, which I disagree with.

For a little more experienced people, eWPT and eCPPT from eLearnSec were also decent. Or, if you want to pack a bit more oomph, go for PWK (pentesting with Kali) from Offensive Security. The capstone to PWK is the now famous OSCP practical hacking exam.

OSCP combines research skills, time management and documentation with technical challenges which are not "too hard" (their difficulty lies mostly in the huge variety offered).

There are many cool sites that offer free or affordable education through labs, like TryHackMe and HackTheBox. Personally I've been a fan of PentesterAcademy, who put out good quality content and whose courses can go really in-depth.

If you have an employer who's not afraid to spend some money on you and you still have budget left, consider the SANS trainings + GIAC exams. They're expensive, but have a good reputation and the trainings are awesome.

GSEC can be considered their next step after Security+. GCIH and GPEN are the GIAC "better-than" certs compared to CySA+ and Pentest+... Their training courses SEC504 and SEC560 are awesome... and ?

Finally I'd like to plug Antisyphon trainings

They offer very good value for money, via online trainings. Some of these are pay-what-you-can, letting you pay somewhere between $25 and $495. Others are fixed price, but well worth it.

Case in point -> Modern webapp pentesting with B.B. King.

That's $495 for 16 hours (4*4h) of online training with a group of fun students and the excellent B.B. King. It goes into a whole bunch of very important tactics and testing methods for modern web applications. Recommended!


kilala.nl tags: , , ,

View or add comments (curr. 0)

Automatically integrate Vagrant-built VMs into VMWare ESXi and Active Directory

2021-08-05 15:49:00

I've been using Vagrant to build new VMs in my homelab, which saves me a boat-load of time. Afterwards I still needed to do a few manual tasks, to make sure the VMs integrate nicely into my Active Directory and my VMWare ESXi server. 

With a bit of fiddling, while setting up the Kubernetes cluster, I came to a pretty decent Vagrant provisioning script. It does the following:

The spots with ${MYUSER} and ${MYPASSWORD} are a privileged domain admin account. 


apt-get install -y open-vm-tools
systemctl enable open-vm-tools
systemctl start open-vm-tools

apt-get install -y oddjob oddjob-mkhomedir sssd sssd-tools realmd adcli \
samba-common-bin sssd-tools sssd libnss-sss libpam-sss adcli policykit-1 \
packagekit

cp /vagrant/realmd.conf /etc/realmd.conf
realm join --unattended --user ${MYUSER} corp.broehaha.nl <<< ${MYPASSWORD}

echo "sudoers: files sss" >> /etc/nsswitch.conf
cp /vagrant/sssd.conf /etc/sssd/sssd.conf

cat >> /etc/ssh/sshd_config << EOF
AllowGroups linux-login
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
EOF

systemctl enable sssd realmd ssh
systemctl restart sssd realmd

kilala.nl tags: , ,

View or add comments (curr. 0)

Is OSCP a good place to start pen-testing certification?

2021-08-05 07:46:00

Someone on Discord recently asked me: "Is OSCP a good first cert for someone who wants to go into pentesting?"

I thought I'd share the response I gave them. I hope it's still a valid viewpoint, what with my OSCP being a few years ago.

========================

Yes, but no.

OSCP is entry-level stuff when you look at it from a technical perspective. All the exploits and vulns we need to work with during the exam are relatively clear-cut and you don't have to do any development yourself. 

What makes OSCP a heavy-hitter is the non-technical aspects: you are under incredible pressure (X boxes in Y hours, plus a full report), you are given a black-box environment with targets that could be (almost) anything. OSCP is about research skills, about time management, about perseverance.

If you do the PWK class work before the exam, you are almost fully prepped for the technical aspects (vuln types, exploiting vulns, etc). Doing a large part of the PWK labs will prepare you for the research part of the exam. Which leaves time management and perseverance, which are personal skills that you need to bring yourself. 

If you were to ask me for a better place to start, I'd look at eJPT first. 

Get your feet wet with the basics and something that's also recognized as a solid first start. 

I personally think OSCP isn't a good first cert because, if you're still getting to know your way around the tech basics, then you won't have enough time to learn-on-the-job during the exam. 

If you have a good background on Linux/Unix and Windows, knowing how their services can be abused and how privesc can be done, and you've actually done it a few times, then you're on the way. Ditto for vulns and exploits in webapps or other network services: if you understand them and can apply them, then at least you have the basics out of the way.

With the OSCP exam, there's no telling what you're getting! It could be relatively new software on a new OS, or it could be an antique application in a weird old language. 

If you know the basics of vulns and exploits, then you at least know what you're looking for. You will only have to learn the actual target on-the-fly.


kilala.nl tags: ,

View or add comments (curr. 0)

Dick would have enjoyed this: new addition to the lab

2021-07-29 14:45:00

A stack of servers and a phone

Last week was awesome! It was the last Friday before summer break, so I decided to move the class on Vagrant and Docker forward. This would give my Linux+ students a few cool things to play with during their holiday!

Next to that very fun day, one of my colleagues at ITVitae also gifted me a piece of old gear: a lovely, 2009 Apple XServe 3.1. Dick would've loved that, what with us both being Apple-geeks.

The drives were wiped, so I've found a way to image the MacOS 10.11 installer onto one of them. Aside from that: it has dual Xeons like my R410 and R710, 3x2TB of disks (one of which will move to the R710 for my lab) and 24GB of RAM.

This baby might be noisy and a bit underpowered, but it'll make a great Docker-host to complete my lab. Awww yeah!


kilala.nl tags: , , ,

View or add comments (curr. 0)

Not renewing my CEH

2021-06-23 15:27:00

Over the past decade or two, I've put in a lot of study-time to garner certificates for continued professionalization. Some of'm I'm really proud of, some were fun or cool, some were frustrating and some were just "meh".

EC Council's CEH (Certified Ethical Hacker) is one of those "meh" certificates, where my biggest motivation for continued renewal was the dreaded HR-checklist. EC Council have a great marketing department, that's ensured that "CEH" is on many corporate security job requirements.

That's the only reason why I kept paying my annual dues. Never because I'm proud of it, or because I feel it adds to my profession, always for the market value. 

Not any more. 

Between recent social media muck-ups, between debatable practices and mediocre professional value, I've decided to stop sending my money to ECC. 


kilala.nl tags: , ,

View or add comments (curr. 0)

Failure is a great teacher

2021-06-20 21:19:00

A few weeks ago I noticed that my Win2012 trial licenses are no longer tennable: a big change to my homelab is needed! Since then I've worked dilligently on a few projects, all happening in parallel.

That's a lot of stuff going on!

As the title of this post says: failure is a great teacher and boy did I have a lot of failures! 😂

For now there's too much to sum up in great detail, so I'll get back to the deets later. For now, some stuff I ran into:

After a weekend with lots of hard work, my AD domain is stable and usable again. All GPOs work again, the syncing between DCs works, the DFSR for SYSVOL works again. And the migration of the issuing CA to 2019 has also completed, with hosts being able to auto-enroll and validate certs again. 

There's so much more to do though! Thank ${Deity} for my Jira boards!


kilala.nl tags: , , ,

View or add comments (curr. 0)

CompTIA Pentest+: objectives comparison between PT0-001 and PT0-002

2021-06-01 19:08:00

It's a bit late, but people studying for the Pentest+ PT0-002 beta exam can probably use a list of all the differences between versions 001 and 002 of the objectives. I reckon the list could also be useful for students who want to give it a shot in October / November, because very few study materials will be available. 

I've done a quick cross-reference of the objectives documents (also linked below), to make an Excel / CSV with the differences between the objectives. Careful, they're probably not 100% on the money.

CompTIA trainers get a licensed document that does a better job at explaining the differences, but we can hardly share that, right? My comparison document was made the hard way, literally cross-matching both objective documents. Hence why I may have made a few mistakes.

The official objective documents:

And here's CompTIA's official blog about the two exam versions.


kilala.nl tags: ,

View or add comments (curr. 0)

Dynamic DNS and a discovery about Unifi equipment

2021-05-29 21:07:00

It's odd that I've never had much of a use for dynamic DNS solutions, but now that I'm testing VPN to my homelab I've also taken a look at AFraid's FreeDNS

So far I'm enjoying the late 90s, early 2000s look-and-feel of their management interface. It's endearing!


kilala.nl tags: ,

View or add comments (curr. 0)

Homelab rebuild needed

2021-05-29 20:39:00

Well darn. The "slmgr -rearm" trick will no longer work, after renewing the trial licenses on my WinSrv 2012 boxen a few times. This means I'll have to rebuild my Active Directory and Certificate Services infrastructure on short notice. Better yet, it's time to do something with my/our partnership contract with Microsoft, to get official licenses for Win2016. 

Oddly, Nicola's instructions on making the iDRAC6 remote console work on MacOS now fail for me. The connection that worked a month ago now reliably fails as "Connection failed". 

Luckily, Github user DomiStyle is awesome! They've prepared a Docker container that runs the iDRAC connection software and makes two local ports available: 5900 for VNC and 5800 for the web interface. It's excellent!


kilala.nl tags: , ,

View or add comments (curr. 0)

Know your limitations, even if it's "too late"

2021-05-27 10:55:00

I don't know if my old classmate René is still reading along. If he is, he'll nod approvingly and think to himself: "told you so". :)

I feel very heavy-hearted, because I feel that I’m letting a few awesome people (Stephen, Thomasina, Rick B. at CompTIA) down. 

I'm backing down from teaching the Pentest+ TTT. It seems that I’ve been harboring a lot of stress, piling on way too much for myself, without really noticing it. To make sure that I can still pay full attention to my family, my primary customer, my students at IT Vitae and my own studies, I have to drop this responsibility.

I was very much looking forward to helping CompTIA with Pentest+, but right now it would not be a smart thing to continue with.


kilala.nl tags: , ,

View or add comments (curr. 0)

DevChamps "Extreme Automation" training

2021-05-17 06:56:00

After completing PDSO's CDP (Certified DevSecOps Professional) two months ago, I was left wanting more. More CI/CD, more pipelines, more automation. That's when, via-via, I met Andrey Adamovich via LinkedIn. Andrey works with a collective of DevOps trainers, to teach his XA: Extreme Automation training.

To sum it up: I was looking for a little extra fun, to expand upon what I'd learned in the past two years and the price was right at €700 for a three-day training with all the labs neatly arranged for students. 

To summarize my impressions:

Would I recommend Andreys class? Yes, especially to folks in my shoes (security engineer) who need a quick introduction to modern-day IT infrastructure.

As to what I've learned during class? Well, Ansible and Docker weren't new to me, but that's perfectly okay. Terraform was very nice to get to know better, while Packer and Kubernetes were eye-opening. 

My biggest take-away is that I'm behind the times on modern-day infrastructure. This class has helped me recognize some of my bigger knowledge-gaps, which means I can now address them. 

My first order of business in my homelab should be to attempt a complete rebuild, using Packer to create golden images and using Terraform to drive VMWare ESXi, instead of using Vagrant. From there on out, I should try to use my Gitlab instance together with K8s and Docker to run many of my services. Luckily I have two Dell servers for my lab, so I can repurpose an old laptop as Terraform+Packer box while using the smaller Dell to first test-run my configs. 

The sad part is, as Andrey mentioned halfway through day 3: he expects that within a few years many apps and services will move to a server-less model, like Lambda or Azure Functions. That means that >60% of what we learned in XA will become much less useful. 


kilala.nl tags: , ,

View or add comments (curr. 0)

CompTIA closed beta for CASP+ CAS-004

2021-05-13 10:33:00

CompTIA often have beta releases for new versions of their exams. You'll notice my blog has articles dating back a few years, where I keep doing these beta tests, "for fun and profit". Most betas are open to all takers, but the CASP+ (advanced security practitioner) is "closed". With thanks to some very nice people at CompTIA I managed to get accepted into the closed beta. 

Took the test this morning, at home via the OnVue testing solution. As before my experiences with OnVue were decent. 

However! In a not-so-fun move, PearsonVue decided to do a big and unannounced IAM change! Anyone who's testing via PearsonVue for CompTIA, whom also has tested for other companies (such as Microsoft) has now been forced to take a new username. They literally changed everybody's login names, without warning them up front. And no, you also don't get an email. Now they have a warning on their login page, but last night I got a big fright because there was zero information!

Here's a few things I took away from the CAS-004 beta.

The exam gave me three hours time and took me between a bit less than two hours to power through without going back to any questions. There were plenty "bad" questions in there (see above) and a few where I honestly would not know the answer. Since this is a beta I decided to pludge it without studying any of the books or materials.


kilala.nl tags: ,

View or add comments (curr. 0)

A short review of CompTIA Security+

2021-04-30 09:41:00

Earlier this year I completed CIN's TTT (train-the-trainer) for Security+, CompTIA's entry-evel InfoSec certification. I hope to teach the subject matter at ITVitae or elsewhere in the near future, so I'd better prepare myself on the exam objectives. 

Overall I'm pleased with the body of knowledge covered by Security+; there's a reason why I frequently recommend the learning path to colleagues starting out in IT security. The BoK covers security fundamentals which I feel should be understood by anyone in IT: developer, engineer, risk management, I don't care. Everybody in IT should know this stuff. :)

Paul Jerimy's excellent security certification roadmap places Sec+ at the foundational level. There's no shortness of comparisons between Security+, SSCP, CISSP, GSEC, CEH and others on the Internet, for example this one. Most of us agree: Sec+ is foundational knowledge for those starting in IT. 

I sat the exam this morning, version 601, and I passed. Would've been worrisome if I hadn't! ;) 

I'm pretty happy with the exam's contents: there's a decent spread of topics covered and only two out of my 82 questions were worded sub-optimally. The PBQs actually were pretty good!


kilala.nl tags: , ,

View or add comments (curr. 0)

CompTIA PT1-002 Pentest+ beta

2021-04-23 09:45:00

A little under three years have passed since I last took the CompTIA Pentest+ exam. Like last time, I took the beta-version of the exam. Just like last time, I decided to go into the exam completely blank, only taking a glance at the official objectives beforehand.

The OnVue at-home testing experience offered by PearsonVue, like always, was decent. The tooling works well enough, the proctor was communicative, waiting times weren't too bad. The software feels kind of intrusive, as to what it wants to do on your laptop, but at least it didn't want me to install anything, nor does it require admin-level rights. 

As to the exam itself, my experiences mirror what I felt back in 2018: 

I feel that the PT1-002 exam needs some polishing and a few corrections, but overall the level of difficulty and the type of questions asked do in fact do a fairly good job at testing someone with 2-3 years of pentesting experience.

I'm curious whether I've passed! As was said: I went in without preparation and there's definitely a number of objective areas where I don't have experience. 

EDIT:

A forum acquaintance reminded me of the following:

"You see a preponderance of exam items referring the same concept because the vendor is attempting to determine which of those (experimental) items to include in the (production) exam item pool. ... When taking a beta exam, you are helping to create the exam item pool for the initial public release of the exam, not taking the initial public release of the exam itself."


kilala.nl tags: , ,

View or add comments (curr. 1)

Finished a lot of hard work: the CDP exam, Certified DevSecOps Professional

2021-03-04 10:10:00

I know, I know: the past weeks it's been nothing but Gitlab over here :D That's going to quiet down now. How did all of that get started though?

Back in January, I posted the following question on the BHIS Discord:

"When it comes to CICD, microservices and the whole modern API reality I'm quite out of my depth. I never was a developer, can't code my way out of a wet paper bag; was always on the sysadmin and secops side. 

Are you guys aware of any trainings or bootcamps that are squarely aimed at grabbing my demography (sysadmin, secops) by the scruff of their neck and dumping them through the whole process of building a sample API, automated building and testing and then ramming it onto something like Azure of CloudFoundry? 

I've been on the sidelines of plenty CICD, helping DevOps teams with their Linux and security troubles... but now I really need to know what they do all day.

Anything commercial, that lasts multiple days and is from a reputable vendor would be absolutely great. I don't care too much about which solutions are used in said training. Key words may include: Spring.boot, Maven, Git, Azure DevOps, Github Actions, Fortify. Just an all-in-one "journey" would be lovely."

I asked around with friends and colleagues. Most folks weren't aware of any such trainings, though one pointed me at Kode Kloud, another suggested Dev Champs and two of them suggested Practical DevSecOps.

PDSO's CDP course, Certified DevSecOps Professional, listed selling points that matched what I wanted:

Having now completed the whole course and having passed the exam, here's my impressions about PDSO's CDP course:

My overall verdict, was the CDP course worth it? Yes, it was. I learned a lot, I got to mess around with a lot of cool tools and the exam was challenging.

One tip that I'd give students is to also run a CI/CD environment of their own, with more projects than the one or two in the labs. I have gained so much extra knowledge from running Gitlab in my homelab, with 6-7 vulnerable apps! It's been awesome and educational. 

A few of my fellow students asked for pointers on the exam. I wouldn't want to give anything away that's covered by the NDAs, but I can tell you this much:

Basically, be ready to do high-paced learning and studying on-the-fly. In that regards, this exam isn't too different from the OSCP pen-testing exam: the concepts are the same, but you will need to do research on the job :)

Most importantly:

  1. As John Strand always says: "Document as you go!" Take notes all the way through your work, don't put that off until the end.
  2. Clone your exam repository to your local computer and pull updates regularly! I lost 11 hours of work on my exam, because my Gitlab got reprovisioned.

kilala.nl tags: , ,

View or add comments (curr. 0)

Quick notes: script to setup Gitlab runners and run as Ansible

2021-02-26 10:55:00

Just some quick notes I've been making on how to quickly get gitlab-runner up on a Linux box. I still feel very yucky about curl-in a file into sudo bash, so I'll probs grab the file locally instead and make sure it doesn't do anything nasty.

The following example was used on my Ansible host, to install gitlab-runner and to have it run as the local "ansible" user account instead of root. It registers and starts two runners.

curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.rpm.sh" | sudo bash
 
export GITLAB_RUNNER_DISABLE_SKEL=true; sudo -E yum install -y gitlab-runner
 
sudo gitlab-runner uninstall
 
sudo mkdir /etc/systemd/system/gitlab-runner.service.d/
cat > /tmp/exec_start.conf << EOF
 
[Service]
ExecStart=
ExecStart=/usr/bin/gitlab-runner "run" "--working-directory" "/home/ansible/gitlab" "--config" "/etc/gitlab-runner/config.toml" "--service" "gitlab-runner" "--user" "ansible"
EOF
 
sudo mv /tmp/exec_start.conf /etc/systemd/system/gitlab-runner.service.d/exec_start.conf
 
sudo systemctl daemon-reload
sudo systemctl enable gitlab-runner
sudo systemctl start gitlab-runner
 
sudo cp /tmp/broehaha-cachain.pem /etc/gitlab-runner/cachain.pem
 
read -p "gitlab reg token: " GITLAB_TOKEN
 
sudo gitlab-runner register --non-interactive
--tls-ca-file=/etc/gitlab-runner/cachain.pem
--tag-list ansible
--name ansible.corp.broehaha.nl
--registration-token ${GITLAB_TOKEN}
--url https://gitlab.corp.broehaha.nl
--executor shell
--locked=false
 
sudo gitlab-runner register --non-interactive
--tls-ca-file=/etc/gitlab-runner/cachain.pem
--tag-list ansible
--name ansible.corp.broehaha.nl
--registration-token ${GITLAB_TOKEN}
--url https://gitlab.corp.broehaha.nl
--executor shell
--locked=false

kilala.nl tags: , ,

View or add comments (curr. 0)

Security testing OWASP Juice Shop in Gitlab CI/CD

2021-02-20 16:10:00

Gitlab pipeline

After finishing the awesome BHIS "Modern Webapp Pen-testing" class (January), I immediately rolled into the "Certified DevSecOps Professional" course. I am lacking in experience with CI/CD, while having to support DevOps engineers every day.

The CDP labs by Practical SecDevOps are okay, but only testing Django.NV got stale.

What better way to learn about SAST, DAST, SCA and more than by running our beloved Juice Shop webapp through my own CI/CD pipeline?! :D 

Not only does this give me a private Juice Shop in a safe environment (my homelab), but it got me more familiar with Gitlab and all the things that come with DevSecOps / SecDevOps / Security in DevOps / however you wanna call it. 

The image above shows the Juice Shop project in my Gitlab, with its security testing and deployment stages. The last "Compliance" stage (with Inspec) didn't fit into the pic.

Running the pipeline builds a Docker image for Juice Shop, runs SAST, SCA, secret scanning and linters, then runs the Docker image on my testbox and runs Nikto, ZAP and SSLyze against it as DAST. All very much default/basic, but it's a start!


kilala.nl tags: , ,

View or add comments (curr. 0)

Practical DevSecOps and their CDP training

2021-02-19 07:42:00

I've been mentioning Gitlab for a while now and you might wonder why the sudden change. :D I'm working my way through the CDP training from Practical DevSecOps.

I needed a crash course that took me through a practical example of CI/CD pipelines, from A to Z, in a hurry. I'm in security and I need to advise DevOps engineers who work on those pipelines every day. I found it harder and harder to relate to them without having gone through their journey myself. Intellectually I understood most of the concepts, but everything stayed very vauge without me actually doing it hands-on.

So far the course is a resounding "okay". It's not wonderful, it's not bad, it's just that: pretty good. The slide decks are decent, the trainer narrating the videos has a nice voice, but the narration is quite literally reading from the text book. Some of the text on slides and in the labs was lifted directly from third party sources such as projects' Github pages or from articles like Annie Hedgpeth's series on running Inspec

They have a huge amount of online labs, which is good, even if they get repetitive. So what I've done is setup Gitlab in my homelab as well, and apply all the things the course teaches me to multiple intentionally-vulnerable web apps.

So I've got Git repos for Juice Shop (Node.JS and Angular), django.nv (Python and JS), Webgoat (Java), GoVWA (Go) and others, which I'm treating like they were projects for my simulated company. Each of these gets its own CI/CD pipeline to run code quality checks, SAST, DAST and automated build + deploy through Docker.

It's been one heck of a learning experience and I'm looking forward to the closing exam, which is another 24h practical exam. I love those!


kilala.nl tags: , ,

View or add comments (curr. 0)

Challenges running "owasp/zap2docker-stable" without docker:dind

2021-02-17 19:35:00

As part of the CDP course we're running unattended ZAP scans as part of integration testing, using the "owasp/zap2docker-stable" Docker container. The course materials tell you to run the CI/CD task using "docker:dind", a Docker-in-Docker solution. For some reason my Docker boxen aren't a fan of that; I'll have to debug that later.

Trying to run the ZAP container with a simple "shell" executor through gitlab-runner led to some fun challenges though! The course material suggests the following Docker run command:

docker run --user $(id -u):$(id -g) -w /zap -v $(pwd):/zap/wrk:rw --rm owasp/zap2docker-stable zap-baseline.py -t https://target:port -J zap-output.json

To sum it up: start the ZAP container, run the ZAP baseline script using your current UID and GID, mount your local directory as /zap/wrk and then write the results as a JSON file onto the mounted local directory.

This approach fails in two ways if you're not doing the fastest, dirty approach: running as the "root" user account.

Either you use it with "--user $(id -u):$(id -g)" and then you get the error message "Failed to start ZAP :(". Or you run it without that setting, then ZAP runs but it cannot save the output file, with a "permission denied: /zap/wrk/zap-output.json" message.

The issue here is that container has a very limited setup of users (as it should) and your uid+gid are most likely not in there. Under normal conditions, the ZAP scripts inside the container run as "zap:1000:1000" but that user doesn't have write access to your user's directory on the Docker host.

So... If you're running the ZAP container directly on your host and not as DinD, then you'll need to setup a temporary directory and setup write access for either uid:1000 or gid:1000 to it. The latter feels "better" to me. Then we'll end up with this (assuming Gitlab):

zap-baseline:
    stage: integration
    dependencies: []
    allow_failure: true
    tags:
        - shell
    before_script:
        - docker pull owasp/zap2docker-stable
        - mkdir output; chgrp -f 1000 output; chmod 770 output; cd output
    script: 
        - docker run --rm -v $(pwd):/zap/wrk owasp/zap2docker-stable zap-baseline.py -t http://target:port -J zap-output.json
    artifacts:
        paths: [output/zap-output.json]
        when: always 

kilala.nl tags: , ,

View or add comments (curr. 0)

Practical DevSecOps: CDP labs example pipeline

2021-02-07 22:08:00

A pipeline in Gitlab

I'll talk about it in more detail at a later point in time, but I'm about a week's worth into the Certified DevSecOps Professional training by Practical DevSecOps. So far my impressions are moderately positive, more about that later. 

In the labs we'll go through a whole bunch of exercises, applying a multitude of security tests to a Gitlab repository with a vulnerable application. Most of the labs involve nVisium's sample webapp django.nV.

Having reached the half-way point after that one week, I had not encountered two crucial parts of the DevOps / CICD pipeline which I'm not at all familiar with. We're applying all kinds of tests, but we never did the steps you'd expect before or after: creating the artifacts, deploying and running them. As I've said before, I'm #NotACoder.

Instead of focusing on one of the next chapters, today I spent all day improving my Gitlab and Docker install by applying all the required trusts and TLS certificates. This, in the end, enabled me to create, push, pull and run a Docker image with the django.nV web app. 

If anyone's interested: here's my Dockerfile and gitlab-ci.yml that I'd used in my homelab. You cannot just throw them into your own env, without at least changing username, passwords and URLs. You'll of course also need a Docker host with a gitlab-runner for deployment.

Note: The Docker deploy and execute steps show a bad practice, hard-coded credentials in a pipeline configuration. Ideally this challenge should be solved with variables or even better: integration with a vault like Azure Vault, PasswordState or CyberArk PasswordVault. For now, since this is my homelab, I'll leave them in there as a test for Trufflehog and the other scanners ;)


kilala.nl tags: , , ,

View or add comments (curr. 0)

Integrating Gitlab into your lab with private PKI

2021-02-07 19:45:00

My homelab runs its own PKI and most servers and services are provided with correct and trusted certificates. It's a matter of discipline and of testing as close to production as possible. 

Getting Gitlab on board is a fairly okay process, but takes a bit to figure out. 

So my quick and dirty way of getting things set up:

  1. On ADCS generate a new, exportable key pair with the right settings. 
  2. Run this keypair through a locally created .inf request file with an extension for the subject alt. name (see example).
  3. Issue the requested cert and import it.
  4. Export the full keypair plus cert as a PKCS12 / .pfx file.
  5. Transfer the .pfx to the Gitlab server and store safely in "/etc/gitlab/ssl/". Set to ownership by root, and only readable by root. 
  6. Use "openssl" to extract the private key and certificate from the .pfx file. Then use it as well to decrypt the private key. 
  7. Replace the pre-existing gitlabhostname.crt and gitlabhostname.key files with the newly extracted files.

Now, you also want Gitlab and your runners to trust your internal PKI! So you will need to ask your PKI admin (myself in this case) for the CA certificate chain. You will also need the individual certificates for the root and intermediary PKI servers. 

  1. In your Gitlab host, copy the individual PKI certificates into "/etc/gitlab/trusted-certs". 
  2. On your Gitlab runner hosts, copy the CA chain into "/etc/gitlab-runner" and reconfigure "/etc/gitlab-runner/config.toml" so each runner has a line for "tls-ca-file". 
  3. If you haven't done so already, make sure the rest of your Linux host also trusts your PKI by importing the certs.
  4. According to the Docker manuals, Docker uses both its own config file and the Linux/Windows central trust store. So completing step #3 is good enough. But, Docker will only pick up new certs after you restart the engine!

Don't forget to restart Gitlab itself, the runners and Docker after making these config changes!

You can then perform the following tests, to make sure everything's up and running with the right certs.


kilala.nl tags: , , ,

View or add comments (curr. 0)

Debugging: Trufflehog reports no secrets in Gitlab CICD

2021-02-06 21:59:00

Durning the CDP class, one of the tools that gets discussed is Trufflehog. TLDR: yet another secrets scanner, this one built in Python. 

I ran into an odd situation running Trufflehog on my internal Gitlab CICD pipelines: despite running it against the intentionally vulnerable project Django.nv, it would come back with exit code 0 and no output at all. 

Why is this odd? Because it would report a large list of findings:

But whenever I let Gitlab do it all automated, it would always come up blank. So strange! All the troubleshooting I did confirmed that it should have worked: the files were all there, the location was recognized as a Git repository, Trufflehog itself runs perfectly. But it just wouldn't go...

I still don't know why it's not working, but I did find a filthy workaround:

trufflehog:
  stage: build
  allow_failure: true
  image: python:latest
  before_script:
    - pip3 install trufflehog
- git branch trufflehog
  script:
    - trufflehog --branch trufflehog --json . | tee trufflehog-output.json
  artifacts:
    paths: [ "trufflehog-output.json" ]
    when: always

If I first make a new branch and then hard-force Trufflehog to look at that branch locally, it will work as expected. 


kilala.nl tags: , , ,

View or add comments (curr. 0)

Gitlab-runner not picking up jobs after reboot

2021-02-06 19:35:00

As part of my studying for the CDP course, I've expanded my homelab with a private instance of Gitlab. I've got to say: I like it! A lot. It's good software! 

To accomodate my builds I expanded the RAM on my Docker host VM and set up three "gitlab-runners" to pick up jobs from Gitlab CICD pipelines. Microsoft's documentation is outstanding: the runners were installed and configured within minutes.

The only thing I really disliked was their instructions to "wget https://some-url | bash -". That always feels so fscking scary. 

As part of my change management process the Docker host of course needed a reboot, to see if things some up correctly. They did and the "gitlab-runner" process was there as well. But it wasn't picking up any jobs! Only when I SSHd into the host and ran "sudo gitlab-runner run" would jobs start flowing. 

At first I thought I just didn't understand the concept of the runner process well enough. Maybe I hadn't set them up correctly? Then I decided to do the logical thing: check the logs. I've been teaching my students to do so, so why didn't I? :D

"sudo systemctl status gitlab-runner -l" showed me the following:

$ sudo systemctl status gitlab-runner -l
● gitlab-runner.service - GitLab Runner
   Loaded: loaded
   Active: active

...
Feb 06 19:24:37 gitlab-runner[20361]: WARNING: Checking for jobs... failed
runner=REDACTED status=couldn't execute POST against https://REDACTED/api/v4/jobs/request: 
Post https://REDACTED/api/v4/jobs/request: x509: certificate signed by unknown authority

The self-signed cert isn't too surprising, since I still have a backlog item to get that fixed. I wanted to first get the basics right before getting a proper cert from my PKI. But I thought I had dealt with that by registering the runner with a CA cert override. 

Checking "/etc/gitlab-runner/config.toml" showed me where I had gone wrong: the CA cert override path was relative, not exact.

[[runners]]
  name = "REDACTED"
  url = "https://REDACTED"
  token = "REDACTED"
  tls-ca-file = "./gitlab.pem"
  executor = "docker"

I had assumed that the cert would be picked up by the runner config and stored elsewhere, instead of being referenced from the file system. Wrong! I made sure to copy the self-signed cert to "/etc/gitlab-runner/gitlab.pem" after which I corrected the "config.toml" file to use the correct path. 

One quick restart of the runner service and now jobs are automatically picked up!


kilala.nl tags: , , ,

View or add comments (curr. 3)

Updating my pen-testing experience: "Modern Webapp Pen-testing" by BHIS and WWHF

2021-01-29 16:14:00

I've been dabbling in pen-testing for a few years now; it's never been my main gig and I wonder whether it'll ever be. For now it's a wonderful challenge which makes its way into my work assignments. 

Case in point: at my new customer I'll be performing pen-tests on contemporary applications and services. Java backends, Javascript frontends and lots of APIs! It's in that area that I feel I need additional development: I've learned and practiced with a lot of vulnerabilities and software stacks, but not these. 

Which is why I yet again turned to Black Hills InfoSec and WWHF, for another training! This time around, it's "Modern webapp pen-testing with B.B. King".

Where the "Applied Purple Teaming" class I recently took was okay, B.B.'s class was excellent! All the labs use OWASP's Juice Shop project, which combines NodeJS on the backend (with REST APIs!) with AngularJS on the frontend. Throw in MongoDB for some NoSQL and you've got a party going!

All in all, B.B.'s teaching style is great and his interactions with us students were pure gold. In general, the Discord chat was lively and had great contributions from people all over the world. I'd highly recommend this class! I'll defo learn more with Juice Shop and other vulnerable apps in the upcoming months. :)


kilala.nl tags: , ,

View or add comments (curr. 0)

"Applied Purple Teaming" training, by BHIS and Defensive Origins

2021-01-08 15:19:00

I fear that I may have been over-doing it a little bit the past few weeks. 

December 21st was my last day at my previous assignment, with my new assignment starting January 11th. The three weeks inbetween were spent on the holidays and on studying. I pushed through:

The latter two are both advertised as 16 hour trainings, but I've easily spent upwards of 20-25 hours on each to go through the labs and to research side quests. A few hours more on improvements to the labs for the latter, since I ran into many problems with their Terraforming scripts for Azure Cloud. Huzzah for cooperation through Github. 

While I found the APT class very educational, I can't shake the feeling that it could have been better. In some cases K&J skipped through a number of topics relatively quickly, as "these are basics, etc" and at some points there was rapid back-and-forth between slides. Granted, I did watch the VoD-recordings of their July session and I expect their more recent classes to have been more fluent. 

Thanks to K&J's class my todo list has grown tremendously. Between trainings and certifications added to my wishlist, I've also added a number of improvements that I would like to apply to my homelab. First and foremost: right-sizing my network segments and properly applying all local firewalls. This is a best-practice that will hinder lateral movement in simulations or real-world scenarios.


kilala.nl tags: , ,

View or add comments (curr. 0)

Powershell auditing: easy bypasses

2021-01-05 15:44:00

While I'm making my way through lab L1120 of BHIS' "Applied Purple Teaming" course, I noticed something interesting: none of my nefarious commands were showing up in HELK, despite me having enabled Powershell logging through a GPO.

In this lab, we're grabbing Sharphound.ps1 from the Bloodhound project, and either download and run it, or just load it into memory using Invoke-Expression. But none of that stuff was showing up in my Kibana dashboard, despite a "whoami" run from Powershell appearing correctly.

That's when I learned that A) downgrading your session to Powershell 2 kills all your logging, B) most of what you run in Powershell ISE (a script editor) is flat-out never logged. In my case: I make it a habit to work inside ISE, because I can easily edit script blocks.

See also this excellent blog post from 2018.

Luckily you can disable Powershell 2 with a GPO (which could end up breaking older scripts). But with regards to ISE: you'll have to completely uninstall, or deny-list it... if possible.

EDIT:

Based on this article by Microsoft themselves, it seems that turning on transcription will also work on Powershell ISE. I'll need to investigate a bit deeper... See if I haven't misconfigured my setup.

EDIT 2:

Yeah. The Powershell 2 logging bypass is valid, but the lack of logging through Powershell ISE was a case of #PEBCAK. 


kilala.nl tags: , ,

View or add comments (curr. 0)

Passed AZ-900; experiences with OnVue exam at home

2021-01-02 14:48:00

It's nice when sidetracks during learning lead to measurable results. Case in point: while setting up the labs for the BHIS "Applied PurpleTeaming" training, I needed to quickly learn about Azure Cloud. ... And now I've passed the AZ-900 exam! :D

Microsoft offers (most of) their exams to take at-home remotely, through Pearson Vue's "OnVue" service. I already worked with OnVue back in August, when taking the Cloud+ beta exam. My experience this time around was very similar: the tooling works well, as long as you make sure to turn off your local outbound firewall like Little Snitch

As to the AZ-900 exam: it was a nice motivator (the proverbial carrot on the stick) for me to go through the six Azure Fundamentals modules on Microsoft Learn. I'm happy to have finally gotten some hands-on experience with Azure Cloud, or basically any cloud provider beyond running a shortlived VM on AWS.

After completing the BHIS APT training I intend to play around with Azure a bit more... Maybe I'll even rebuild this website on there!


kilala.nl tags: , ,

View or add comments (curr. 0)

Passed RedHat EX407V27K, experiences with remote Kiosk exams

2020-12-23 23:06:00

As I mentioned earlier this week, I've been studying for RedHat's EX407 exam. Looking back at my CPE records / bookkeeping I've been at it an embarassingly long time: I started studying back in March of 2019. Almost two years ago! Just too many fun and interesting things kept coming in the way!

Between teaching Linux+ to a group of students, with passing CTT+, Linux+, CySA+ and CRTP, as well as classes on DFIR and PKI it was just tooooo tempting! And Ansible was just a little too boring! So as I said before: "booo!" to my lack of discipline! Dragging my feet on EX407 caused me to almost lose my RHCSA/RHCE certifications, because they needed to be renewed. 

But enough about that! Let's talk some interesting points!

All those study materials I linked to, especially Tomas' practice exam, proved to be absolute gold. Without them I wouldn't have passed, because pass I did! Out of a max of 300 (I think?) and with a passing grade of 210 I scored 239 points.

I dropped points mostly due to inexperience with Jinja2 templating and its logic (tests, loops) and with Ansible Galaxy and requirements-files. Out of 16 tasks I knew up front that I'd fail 3 of them because I couldn't get the playbooks to work correctly. Lessons learned and I'll definitely try to practice more in my homelab!

Finally, after being one of the first 100 people to take a Red Hat Kiosk exam, I'll also weigh in on Red Hat's remote, at-home exams. RH had fallen behind to its competitors in that regard, still forcing students to come in to testing centers. What with Covid-19, that strategy needed to change, fast. So they did, in September of this year.

All in all I very much appreciate Red Hat's remote, at-home testing. To sum it up: you flash a RH-provided Linux image to a USB drive, plug that into your PC and boot it up. This turns your private PC into a RH Kiosk system, exactly like they use in their official testing centers! The only vexing part of the setup is that you need TWO functioning web cams, one of which MUST be cabled and pointed at you from the side. 

Overall, the bootable Kiosk Linux is great. It provides pre-exam setup testing to ensure you can actually take the exam. From there on out things work exactly like, or actually better than, the Kiosk at the testing center. Testing from home is absolutely great! After my bad experiences with EX413 I'd been turned off of RH's exams, but this has turned me around a bit. 

I'm happy to have passed EX407! Time to go over my plan for the next few months! I have a few pen-testing classes lined up and will also need to prepare for teaching my next group of students!


kilala.nl tags: , ,

View or add comments (curr. 0)

RedHat EX407 / EX294 study materials

2020-12-17 08:39:00

I've been studying on and off for the EX407 Ansible exam for ... lemme check... 1.8 years now. Started in March of 2019, hoping to renew my RHCE in time, but then I kept on getting distracted. Two certs and three other studies further, I still need to pass EX407 to renew my RHCE. Way to go on that discipline! ( ; ^_^)

Anywho, there's a few resources that proved to be helpful along the way; thought I'd share them here. 


kilala.nl tags: , , ,

View or add comments (curr. 0)

Finally! Red Hat offers at-home exams

2020-09-06 21:18:00

It's been a while in coming and I'm very happy they finally made it! Red Hat have joined the large number of companies who now offer at-home test taking for their professional certifications

I quite enjoyed the way CompTIA handled their at-home examinations, but it looks like Red Hat have taken a very different approach. I still need to take the EX407 exam, so I'd better take a quick look!

Back in 2013 I was one of the first hundred people to use the Red Hat Kiosk exams, still have the souvenir key chain on my laptop bag. Let's see if their at-home tests work better than the Kiosk ones. 


kilala.nl tags: , ,

View or add comments (curr. 1)

Taking the 2020 CompTIA Cloud+ beta

2020-08-13 11:35:00

It's become a bit of a hobby of mine, to take part in CompTIA's "beta" exams: upcoming versions of their certification tests, which are given a trial-run in a limited setting. I've gone through PenTest+, Linux+ and CySA+ so far :)

After failing to get through the payment process at PearsonVue a friendly acquaintaince at CompTIA helped me get access to the Cloud+ beta (whose new version will go live sometime early next year).

I sat the beta test this morning, using the new online, at-home testing provided by PearsonVue. Generally speaking I had the experiences as outlined in the big Reddit thread.

Most importantly, on MacOS the drag-n-drop on PBQs is really slow. You have to click and hold for three seconds before dragging something. Aside from that the experience was pleasurable and it all worked well enough.

I'm not as enthused about the Cloud+ beta as I was about Linux+ and PenTest+ at the time. The questions seemed very repetitive, sometimes very predictable (if "containers" was an option, two out of three times it'd be the correct answer) and some just unimaginative (just throw four abbreviations or acronyms at the test-taker, two or three of which are clearly unrelated). Knowing CompTIA I assume there will be plenty of fine-tuning happening in the next few months.

I'm pretty sure I didn't pass this one, but I'm happy to have had the chance to take a look :)


kilala.nl tags: , ,

View or add comments (curr. 0)

Preparing for PearsonVue at home, online testing

2020-08-12 15:35:00

This Reddit thread offers a plethora of information on the at-home, online test taking offered by PearsonVue.

Big lesson I learned as MacOS user: disable Little Snitch and other filtering / security software while you're taking the test. It feels dirty, but to ensure the software does not encounter any hickups (which may result in you botching the test) you're going to have to. Better yet, don't disable, but quit the software because any popups on your screen will also alert the proctor.

Just to be safe, I made a dummy user account on my Macbook, so I can remove all trace of the software afterwards. Luckily it runs from your downloads folder and doesn't need any admin-level access.


kilala.nl tags: , ,

View or add comments (curr. 0)

Finding study goals

2019-12-27 13:52:00

2020's right around the corner and I've been poking colleagues, urging them to set study-goals for the upcoming year. In Dutch, we have saying equating a lack of progress to deterioration: "Stilstand is de dood" ("Stagnation is death"). I believe that this proverb applies very heavily to work in IT: if you're not keeping up with the times, you're going to get out-dated real quickly. 

A colleague asked for suggestions on how to set goals for yourself, to which I replied:

I'd suggest taking into account things like A) where do you want to be in 2-3 years? B) is your team or company lacking particular knowledge or experience? C) do you, or your team, have requirements that you need to fulfill through training? D) do you see any chances that will allow you to quickly up your perceived value?

Basically: train for the job you want, fill any gaps that your team has and make sure you're not dropping any balls.

For me, EX407 fills categories B and C (my current team has little Ansible experience and it will renew my RHCE which will lapse in 1.5 years). The Python for pen-testing course will help me with A (I want to move towards red-teaming and my current coding skills are almost nill).

This year's CySA+ was for category D (it was heavily discounted and I'm pretty sure I could pass it, thus adding a well-regarded cert to my name). Ditto for trying the SANS Work/Study programme, which gets me a heavy discount on a very big-name training and cert.

Finally: just keep a list of things that you want to investigate or work on. Maintain it throughout the year, add new things, remove unwanted things, change priorities. That way you're always set for A) next year's study plans and B) that all-time favorite interview question "Where do you see yourself in two years? What are your short-term development plans?"


kilala.nl tags: , ,

View or add comments (curr. 0)

CompTIA CySA+ beta experience (CS1-002)

2019-12-09 12:53:00

Another day taken off from work for fun stuff! This time around I went in for yet another CompTIA beta exam, the new CS1-002 CySA+. Like before I sat the exam at my favorite testing center: IT Vitae in Amersfoort. The old Onze Lieve Vrouwe monastery and green surroundings make for a relaxing atmosphere! What was new this time, is that I sat the exam in tandem with my colleague D. She's great company, darn clever and she was looking to get back into the certification-game.

First up, let me point you at a great review of the CS1-002 beta exam, by u/blackvapt on Reddit. And here's the official thread on Reddit, inviting people to take part in the beta.

I will echo everything /u/blackvapt said. The new CySA+ exam is in fact good! The questions are in-depth and technical, without overly focusing on commandline options and flags. In that regard it matches my experience with the PenTest+ exam in 2018: the exam tests for insight and experience in the field of incident response. It's not something you can simply cram books for, you'll need to have experienced many of the situations discussed on the test. The thing is: it's nigh impossible to learn every log format and every OS out there, but if you can intuit the meaning of logs and commands based on your experience, you'll go a long way!

The PBQs (performance based questions) were great! I enjoyed most of them and thought them to be actually fun and a nice multi-layered puzzle. So much better than my experience with the Linux+ exam which only managed to frustrate me with its strict and limited PBQs. 

Preparation-wise I'll admit that I took it easy. I was relying mostly on A) my experience from the past 5-10 years, B) the Jason Dion practice exams for CS1-001 on Udemy and C) the Chapple & Seidl book from Sybase. I spent about twenty hours reviewing and researching, over a month's time.

I didn't spend more than $25 on the preparations, as the practice exams were on discount down to $10 and I got the C&S book through Humble Bundle in a large stack of awesome Sybex books. One note about Humble Bundle: I cannot recommend the Packt books or bundles! Skip those. But snag anything you can get from Sybex, NoStarch or O'Reilly!

Regarding the Dion practice tests: I was not passing any of these while preparing as I mentioned earlier this week. It was odd because I felt good on most of the answers I gave to Jason's questions, but I kept missing the passing grade by a fair margin. During the beta exam I felt great about ~85% of the questions, so it's really a crap-shoot on whether I passed the beta or not. :)

If I didn't pass, I wouldn't mind at all! This was a great exam, with solid challenging questions. If I don't make it, I will definitely take the exam again (at full price), now know what to expect.


kilala.nl tags: , ,

View or add comments (curr. 0)

Almost time for another Beta exam: CompTIA CySA+

2019-12-05 09:31:00

I've got my exam planned for Monday and I'm looking forward to it. I'll mostly treat it as a recon mission, doing it part for fun and part to see if I'd like to take the exam "for real" should I not pass.

I've got a sneaking suspicion I won't pass this time around though (unlike the Linux+, Pentest+ and CFR-310 betas) because my experience keeps tripping me up. Sounds like a #HumbleBrag, I know, sorry :D What I mean is that CompTIA mostly seems targeted at US-based SMB, while my experience comes from EU-based international enterprises. I've been doing a few of Jason Dion's test-exams for the previous version, to get into the right mindset, but I fail a lot of questions because of the aforementioned factors.

Well, let's see how it turns out. For now, I'll just go and have fun with it :)


kilala.nl tags: , ,

View or add comments (curr. 0)

In many cases, just cramming for an exam won't work

2019-11-18 20:44:00

Today, someone on Reddit posted the following question

"I have the [...] practice exams, I typed the entire [...] video course from YouTube and I just brought the exam cram book but no matter how much I study I don’t retain anything. Do you guys have tips?"

OP ran into the wall that is learning styles: cramming simply doesn't work for everybody! I'm no expert by any means, but I did explain the following:

It is entirely possible that your current method simply does not suit your personal learning style! If you start poking around the web a little bit, researching learning styles, you will find very quickly that there are many different methods!

You can try and keep brute-forcing your learning the way you have right now, but maybe that will simply not get the results you want. Why not have a think about your days in primary, middle and high school? What did the classes you did best in have in common?

Perhaps you're someone who simply needs something else than quiet self-study, taking notes while listening to a teacher.

Personally I have found that I put great importance on putting new information into context. I don't want to learn floating, individual topics, I want to put them into a context that I'm already familiar with, or build a context around them. This helps me better understand the new material's place. One thing that could help you with this is making mind maps.

Or perhaps you're someone who better learns by doing then by hearing. I understand that playing around with new tools and concepts in a lab can take a lot of time, but there's a reason why many books include lab exercises for the reader. It is often said that people learn <20% by hearing and >50% by doing.

Finally, it is also often said that one way to solidify and test your understanding of a subject, is to explain the topic to somebody else. If you can explain X or Y to a friend, your partner or a rubber ducky, then you can be sure that you've come to a proper understanding. Or perhaps you will find a few gaps in your knowledge that you need to fill out. Either way, it's a win-win.

 


kilala.nl tags: ,

View or add comments (curr. 0)

Network segmentation in the homelab

2019-03-01 22:36:00

My network layout

Continuing where I left off a few weeks ago, I've redone the network design for my homelab. When we last looked at the network, it was all flat with all VMs tucked in a single subnet behind a pfSense router. Because I want to work towards implementing the CSC in my lab, I've moved everything about quite a lot.


kilala.nl tags: , ,

View or add comments (curr. 0)

GIAC GCCC index and studying

2019-02-18 20:29:00

a stack of books

Ooofff!! I've spent the past three weeks building my personal index for the SANS SEC566 course books. It was quite a slog because the books are monotonous (twenty chapters with the exact same layout and structure), but I've made it through! 29 pages with 2030 keywords.

The index was built using the tried and true method made famous by Hacks4Pancakes and other InfoSec veterans.

Right after finishing the index I took my first practice exam and scored a 90%. That's a good start!


kilala.nl tags: , ,

View or add comments (curr. 2)

Older blog posts