OSCP diary – week 02

August 9th, 2022

Or is it week 3 already? Haha, looks like I lost track already.

Finished that Perl script to get nameservers from a domain. Finally.
Not that Perl might be a particular scripting language, but…. not chomping an input breaks a loop because of an empty variable? Although the same variable holds a value as evidenced in the loop?
Can’t really say I understand this so far.

Got through the scanning basics but I’m undecided on the inclusion of Nessus in the ‘textbook’. Not checked yet whether you’re allowed to use Nessus during the exam, but I guess no. It was good to do some hands-on exercises with Nessus but if the basis of the coure is the open-source Kali Linux, then including tools like VMware Fusion and Nessus in the course materials feels somewhat …. off.

Anyway, moving on web application security now.

OSCP diary – week 01

July 29th, 2022

As mentioned in earlier posts, the OSCP certification is something I wanted to try for a while.

Thankfully it’s (somewhat) related to my work so the company was willing to financially support me for this course. After getting the final confirmation, I signed up for the PEN-200 course.

After signing up, students are required to hand in an official piece of identification before allowed access to the course and the labs, so I needed to comply with this as well.

Obstacle OpenPGP-encrypted emails – honestly, never used this much. Maybe shame on me? Not sure. Anyway, since I’m mostly using webmailers these days, how do I get this to work? Answer: Mailvelope, a Firefox extension.

After a couple of tries sending in the required information, it finally worked out and I was granted access to the course and the labs.

Obstacle VMware – I’m not Offensive Security so obviously it was their decision but I would have welcomed pre-prepared Kali VMs for virtualbox, not VMware. Even getting a trial version of VMware Fusion is a pain. brew.sh saved my sanity, at least until the trial period expires.

In the course (I’m doing the basics now, can’t tell about the later exercises), there are browser-based exercises [browser, openvpn, terminal] where you connect to a prepared machine but there are also exercises where you need to run your own Kali (presumably) virtual machines to do something.

Obstacle openvpn – this cost me a lot of nerves to set up because I was looking in the wrong place. openvpn itself can be easily installed but it needs a openvpn config file – which was nowhere linked on any page I browsed (introduction, help, FAQ – you name it). I had previously downloaded the config but just couldn’t find the file / link anymore – because it’s hidden – or linked – in the VPN link right at the top of every page in the course. Argh – well, I mentioned it cost me a lot of nerves. Obviously, I know now.

After all that, I was finally able to get started and I’m doing the basics now. No need to rush, I’m looking at this as a long-term project anyway.

CPE tracker

July 14th, 2022

If you are lucky enough, you are certified in some field. Very likely, you need to gather continuous professional education credit to keep the certification valid. Actually, not a bad thing in itself and it does make sense in fast-paced fields like technology.

However, if you have several certifications that you need to keep alive, then keeping track of your CPE credits can be challenging.

Enter the CPE tracker I put together. It’s free to use, obviously, but use it at your own risk.

Warning points:

  • Not all CPEs are equal. Please check with your certification organisation what is acceptable as CPE and what is not
  • Most organisations make a recommendation such as “in order to make re-certification achievable, please try to achieve <insert_arbitrary_number> CPE credits per year – this might differ per organisation and the CPE credit you can earn might differ as per definition
  • Same as with the recommended number of CPE credits per year, the cut-off date per 12-months cycle might not always be January 1st – keep this in mind

Here is the general usage:

  • Copy the 2021 and rename it to 2022, 2023, etc.
  • In the A column, enter the name of the CPE you earned, e.g. “Codecademy SecDevOps in Python”
  • In the B column in the same row, enter how many CPE credits this will give you, e.g. 3 (this might differ per organisation, see the warning points)
  • In the certification column, drop an x if you want to use the CPE with a certification. This will automatically add those CPE credits to the amount of credit you have earned for this certification
  • Most organisations require some CPE proof, like the upload of course completion certification. Once you complete the upload, you can set the UL column (stands for “upload”) to the y value from the dropdown field

Some features:

  • Left top indicates how many days are left in the current year, giving you a rough indication how much you will have to hurry.
    This is based on the Settings sheet and calculated using today’s date. The general settings is using January 1st of the next calendar year but obviously you can change that e.g. to August 1st
  • The CPE credit score is conditionally formatted in red until the score equals or becomes greater than the recommended CPE score per year, also in the Settings sheet
  • No macros are used or were harmed while making the sheet. If you are asked to activate macros, it’s not my original sheet, be very careful.

Download:

  • Zip file containing a LibreOffice Calc version and an Excel version

sha256 checksum:

shasum -a 256 CPEtrackerArchive.zip
e6370259b0be5015e85040ef5876fb5c1ee8ef94d0d323925c3f33b0e8e03629 CPEtrackerArchive.zip

Update 20220721:

Nothing like using your own tools…. I started tracking my own CPEs but also found a problem with the number of days calculation so I’ll fix that and upload the newer version. stay tuned.

CISSP-ISSMP – happy ….

July 11th, 2022

…. to report that I passed the exam last week. It’s been in the making a couple of months and I finally found the courage to take the plunge.

On the weekend, I sent in the endorsement and it will take a couple of weeks for (ISC)2 to process it, as usual.

Now with both those exams (ISACA CRISC and CISSP-ISSMP) finally (and successfully) behind me, I can move on to something new.

I’ve previously dabbled in some pentesting and I would like very much give OSCP a try while casually reading about and learning for the ISACA CDPSE. Let’s see how it goes and how far I can take it….

Update from 1 week later: Already processed by (ISC)2. All good. Certified. Yay me.

Sad Kanji Kentei news – failed level 4

July 11th, 2022

Some rare sad news…. I failed the Kanji Kentei level 4 exam (漢字検定試験4級) by enough points to actually say “ok, this was not just bad luck”)

Level 4 is 315 kanji, significantly more than level 5 which has 220 or so kanji. Subsequently I spent much more time studying for level 4 than I spent on level 5. What’s a bit vexing is that although I spent all that time, I think I mainly failed the exam because of kanji from earlier levels (such as 5, 6 etc.) for the following reasons:

  • I just can’t remember all of them since I’m not actively using them
  • There is a lot more vocabulary derived from kanji combinations than in previous levels

What’s not so vexing is that the exam is “only” 3500 yen per taking. Could have been much more expensive.

So, this happened after I dumped memrise…

May 15th, 2022

I’m not blaming anyone if they don’t follow my blog…. it’s not exactly moving quickly with lots of updates.

One of the things I posted about often was memrise and how many points I got etc. It was nice while it lasted but the horrible ads in between exercises made me delete that app faster than Hazel can say booze (see “Girls with Slingshots”)

So I ended up with a lot free time after dumping memrise. Or not really. I rather ended up with time that was not blocked by memrise anymore. Not the same thing.

Anyway, what’s a man got to do with a brain the size of the earth, an ego the size of Jupiter and a language-curiosity as big as the sun?

One word: Kanken.

Although that’s actually 5 words:
Japan Kanji Aptitude Test (日本漢字能力検定, Nihon Kanji Nōryoku Kentei)

It’s just that nobody calls it the full name. Mostly it’s Kanji Kentei or Kanken.

Anyway, it’s about Kanji (surprise, suprise) and here you can find all of them, by level:
https://www.nihongo-pro.com/kanji-pal/list/kanken

As usual in Japan, it’s start at the highest number with the simplest level (still not sure why they do this… it’s limiting) and I quickly rushed through 10 and 9, then decided to officially take level 8 (paper version), then proceeded to use the computer-based test to take (and pass) 7, 6 and 5.

Which means I’m currently studying for level 4. I just need to keep working at it, I guess. It’s doable. and it gives me brain something to do apart from all the other stuff I do.

Keep your fingers crossed for me.

CISSP-ISSMP…. still WIP

May 15th, 2022

I’ve been working at this for a while…. I got a paid self-study course which I finished but access to the learning material expired already. At least I can still access the flash cards.

The official CBK book has terrible reviews on Amazon. I wonder what that leaves me with. I’m tempted to pay for some online ISSMP questions.

Since there is a big overlap of material with the ISACA CISM and ISACA CRISC, I actually should be able to nail this anyway (see my other posts)

Update 20220519:

I ordered the official CBK book. Several people pointed out how they were using that book to study for the exam and it’s a much cheaper alternative to re-purchase the CISSP-ISSMP online self-study course. So I guess it can’t hard. Plus I like physical books.

CRISC – passed the exam

May 15th, 2022

This took a long time. I was hesitant to book the exam because I never felt quite ready.

During the exam, I felt I was in terrible physical shape but I scraped through.

Getting certified is a different matter though…. I looked at the requirements and apart from doing some risk assessments and explaining risk assessments, I cannot really claim a lot. We’ll see….

CISA me

May 15th, 2022

Same with the CISM, I finally get certified. Thank to my current position, I was able to gather enough work experience to get certified. Yay. And I finally got the paper version of the certificate as well.

CISM me

February 21st, 2022

CISM done

After passing the ISACA CISM exam in January 2020 (more than 2 years ago :o), I was finally certified this month.

In other news, I’m also gathering the required work experience for CISA certification.