Penetration Testing with Kali Linux
PWK - Copyright © 2023 OffSec Services Limited. All rights reserved.
The “kali@kali:~$” is what will appear on the screen for a user who is following along. Everything
that appears in blue text (in this case, “ls -l chmodfix”) is a command that we can type into the
terminal. The text that follows is the output.
It’s also important to understand where the focus is, which brings us to the skill, not the tool.
If you are already familiar with chmod, you may have noticed that we chose one of many different
methods to use this tool. We chose, for example, not to explore how the permissions for our
script (before we were able to execute) could have been represented with the numerical
expression 644, which we could have fixed by running chmod 755.
Of course, it’s almost impossible to remember every specific command and syntax, and piling on
too much information increases cognitive load, making it more difficult to remember the material
later. Even the most experienced security researchers find themselves looking things up now and
then, and so we encourage learners to focus on why a command is being run versus what
command is being run.
Sometimes when new ideas are introduced or when there is an opportunity to learn more outside
the text, we might introduce a footnote. Getting used to “leaving” the immediate problem in order
to go do a bit of research is also a critical skill. There have been a number of footnotes in this
module already, and they appear in numbered superscript in the text.
Interleaving is inevitable with this type of hands-on training. As a quick reminder, in the context of
education, interleaving is the mixing of multiple subjects. In this case, we reviewed the touch, cat, and
ls commands, even though they weren’t directly related to the things we were trying to study.
They were, of course, related to our ability to modify chmod and our employee name script.
Another way of thinking about this is that the OffSec training materials are organized around
concepts, not commands.
Finally, teaching learners how to expect the unexpected is not always easy to deliver. However, we
often accomplish this by taking an indirect route to our goal with the intention of realistically
highlighting issues you may experience in the field. Again, we hope to convey the logic behind our
decisions instead of simply presenting commands and syntax.
In this example, we mentioned a potential pitfall with directory permissions (in a sidebar). We also
knew that ./chmodfix +x /usr/bin/chmod wouldn’t work, but we included it and ran it. We’ll often
walk through “unexpected” scenarios when we present new Modules and we’ll include
unexpected outcomes in many of our challenges.
As students, it’s imperative that we grow comfortable being in situations we don’t fully
understand and try things that might not work. The only way to really be prepared for the
“unexpected” is to become comfortable in situations where we don’t know exactly how things will
pan out.
Not only this, but we cannot afford to avoid situations where we might feel stuck. In cyber
security, it’s extremely rare that the first approach we try works. In order to accurately represent
this field, OffSec’s approach is to teach the material in such a way that students can become
more resilient and agile, working through a particular problem until we are “unstuck”.
There is often more than one way to accomplish any goal, and we encourage you to attempt
other paths to reaching the goals we present.
A curious learner might ask if, in the example
presented, we could solve the issue by simply running sudo chmod +x /usr/bin/chmod. This is
exactly the sort of thinking that we encourage, and why many of the challenges are presented in a
virtual environment where learners can experiment and try things. Trying out an approach that
doesn’t work is also a valuable learning experience.
This experiment-and-experiment-again mindset is at the heart of what we believe it takes to be
highly successful in this field, and at the risk of being redundant, the goal of our training is always
to teach the methodology and the mindset.
4.5 Tactics and Common Methods
Next, we need to think about strategy and tactics. Consider the following quote from Sun Tzu: