Tips from an expert pen tester for passing the C|PENT exam

C|PENT Preparation Tips

I started preparing by watching all the videos and then moving on to the course materials. My advice would be not to skip any pages, because there is always something new, even when the subject seems repetitive. For example, I was amazed when I noticed something new in Linux even though I’ve been using it for a long time. One of the best things about C|PENT is that you learn to do the same thing in multiple ways; this ensures that you always have a backup plan during a real penetration test.

When preparing for the C|PENT exam, keep the following in mind. My most important advice is to take thorough notes, because they will save your life. During the exam, you don’t want to spend time looking for the command that will give you root or admin access. I suggest making two sets of notes:

1. Explanation of the theory: In these notes, you describe how something works and how it can be exploited, the theory behind certain exploits, etc.

2. Commands with brief explanations: This set of notes is more important and will come in handy throughout your cybersecurity journey. Write down the commands and provide a brief explanation. Preferably, write the commands with shell variables that you set at the start of each penetration testing exercise. The ones I used in my notes were:

  • $MYIP: IP of my attacking machine
  • $IP: IP of the machine I wanted to attack
  • $IPRANGE: Range of IP addresses I wanted to scan or target (for password spraying, Nmap and other tools)
  • $HOSTNAME: DNS name of the host I wanted to attack

Practice every exercise and concept. Although you have 6 months of access to iLabs, the time will pass quickly, because there is a lot to learn. While doing the labs and practicing on the Cyber Range, I also wrote aliases, functions and scripts in Bash and Python to make sure I could do it faster next time. I had lots of aliases set for many commands, and with practice I had most of them committed to muscle memory.

Practice pivoting if you’re not used to it. You won’t initially realize how difficult it can be to work on a box you can’t reach directly, but having a good understanding of networking and how subnets work will help you in the long run. And don’t forget that a double pivot requires double the practice, if not more.

Let’s look at an example of a script I used. I called it connect.sh and used it only to connect to whatever host I had compromised. First, I had a text file (named creds.txt) that contained the details of how I wanted to log in to each machine. It looked like this:

ssh|1.1.1.1|user1|pass1
winrm|2.2.2.2|user2|pass2

As you can see, the fields are separated by a pipe symbol, and each line holds a login method, an IP address, a username and a password. Now for the script:

#!/bin/bash
## Read creds.txt file in current folder to get creds and login method
## Usage: ./connect.sh <pattern> [<second pattern>] [p]
##   A "p" as the second or third argument runs the command through proxychains4
##   (so a second pattern must not start with "p").

# One command template per login method. $IP, $USER and $PASS are filled in
# later; the single quotes keep them unexpanded here. The template name must
# match the first field of creds.txt (ssh, winrm, rdp, ...).
rdp='xfreerdp /dynamic-resolution +clipboard /cert-ignore +auto-reconnect /auto-reconnect-max-retries:3 /v:$IP /u:$USER /p:$PASS /t:$IP /rfx +fonts'
rdph='xfreerdp /dynamic-resolution +clipboard /cert-ignore +auto-reconnect /auto-reconnect-max-retries:3 /v:$IP /u:$USER /pth:$PASS /t:$IP /rfx +fonts'
ssh='sshpass -p $PASS ssh -l $USER $IP'
winrm='evil-winrm -u $USER -i $IP -p $PASS'
winrmh='evil-winrm -u $USER -i $IP -H $PASS'
smb='impacket-smbexec "$USER:$PASS@$IP"'
ps='impacket-psexec "$USER:$PASS@$IP"'

# First record matching $1, split on the pipe:
# w[0]=method  w[1]=ip  w[2]=user  w[3]=pass
w=( $(grep "$1" creds.txt | sed 's/|/ /g') )
export IP=${w[1]}
export USER=${w[2]}
export PASS=${w[3]}

# ${!w[0]} is indirect expansion: the template whose name is the login method.
# Print the command with the variables substituted before running it.
echo "${!w[0]}" | envsubst

if [[ $2 == p* || $3 == p* ]]; then
    eval proxychains4 "${!w[0]}"
    exit
fi

if [[ $2 != "" ]]; then
    # Narrow the match with the second pattern (for example a username) and reload.
    w=( $(grep "$1" creds.txt | grep "$2" | sed 's/|/ /g') )
    export IP=${w[1]}
    export USER=${w[2]}
    export PASS=${w[3]}
    echo "${!w[0]}" | envsubst
    eval "${!w[0]}"
else
    eval "${!w[0]}"
fi

Note that this script saved me a lot of time and served two purposes. By the end of the exam, I had all usernames, passwords, and access mechanisms in one file (i.e., creds.txt) for reference. Additionally, and most importantly, despite the number of machines and ranges, I had no trouble looking up usernames or passwords in my notes. This is just one example of the scripts I used; I created many others during my practice in iLabs and on the Cyber Range, and they have served me well. The scripts will also help you organize your logs and your report.
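As an added example (not the author’s connect.sh and not part of the original post), here is a bash rewrite of the same idea that avoids two pitfalls of the script above: the grep result is word-split into an array, so a password containing a space shifts every field, and the rendered line goes through eval, so a password containing shell metacharacters is interpreted as code. The version below splits records with IFS/read and builds each command as an argument list that is executed with "$@". The function and variable names (lookup_cred, build_cmd, connect, CREDS_FILE, DRY_RUN, PROXY) and the sample records are assumptions made here; the tool invocations are the same sshpass, evil-winrm and xfreerdp commands as on the page, with a shorter xfreerdp option set.

```shell
#!/usr/bin/env bash
# Added example, not the author's connect.sh. Same "method|ip|user|pass"
# records, but fields are split with IFS/read and commands run as "$@",
# so passwords with spaces or shell metacharacters are handled as data.

# Constructed sample records in the page's format (placeholder hosts, not
# real targets); the third password contains a space and a semicolon.
SAMPLE_CREDS='ssh|1.1.1.1|user1|pass1
winrm|2.2.2.2|user2|pass2
ssh|3.3.3.3|user3|p@ss word;3'

# lookup_cred PATTERN... < creds.txt
# Prints the first record that contains every pattern as a substring
# (an IP, or a method plus a username); returns 1 if none matches.
# Passwords may contain anything except the pipe delimiter itself.
lookup_cred() {
    local method ip user pass line pat
    while IFS='|' read -r method ip user pass; do
        [ -z "$method" ] && continue            # skip blank lines
        line="$method|$ip|$user|$pass"
        for pat in "$@"; do
            case $line in *"$pat"*) ;; *) continue 2 ;; esac
        done
        printf '%s\n' "$line"
        return 0
    done
    return 1
}

# build_cmd METHOD IP USER PASS
# Prints the argv for the login method, one argument per line, so no eval
# is needed to run it. Returns 1 for an unknown method.
build_cmd() {
    local method="$1" ip="$2" user="$3" pass="$4"
    case $method in
        ssh)   set -- sshpass -p "$pass" ssh -l "$user" "$ip" ;;
        winrm) set -- evil-winrm -u "$user" -i "$ip" -p "$pass" ;;
        rdp)   set -- xfreerdp /cert-ignore "/v:$ip" "/u:$user" "/p:$pass" ;;
        *)     return 1 ;;
    esac
    printf '%s\n' "$@"
}

# connect PATTERN...
# Looks the record up in $CREDS_FILE (default creds.txt), builds the argv
# and runs it. PROXY=1 prefixes proxychains4 (the page's "p" flag);
# DRY_RUN=1 prints the argv instead of executing it.
connect() {
    local rec method ip user pass argv arg
    rec=$(lookup_cred "$@" < "${CREDS_FILE:-creds.txt}") || {
        echo "connect: no record matches: $*" >&2; return 1; }
    IFS='|' read -r method ip user pass <<EOF
$rec
EOF
    argv=$(build_cmd "$method" "$ip" "$user" "$pass") || {
        echo "connect: unknown method: $method" >&2; return 1; }
    set --                                   # rebuild argv, one line each
    while IFS= read -r arg; do set -- "$@" "$arg"; done <<EOF
$argv
EOF
    if [ "${PROXY:-0}" = 1 ]; then set -- proxychains4 "$@"; fi
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$@"; return 0; fi
    printf 'connect: %s as %s@%s\n' "$method" "$user" "$ip" >&2
    "$@"
}
```

Source the file and call `connect 3.3.3.3` or `PROXY=1 connect ssh user3`; `DRY_RUN=1` shows the exact argument list before anything is executed, which replaces the `echo | envsubst` preview of the original. Because creds.txt holds plaintext passwords, keep it mode 600 and remove it when the engagement’s rules of engagement require credential material to be destroyed.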
